Diffstat (limited to 'aports/iptables')
-rw-r--r-- | aports/iptables/APKBUILD | 10 | ||||
-rw-r--r-- | aports/iptables/format-security.patch | 31 | ||||
-rw-r--r-- | aports/iptables/iptables.initd | 96 |
3 files changed, 64 insertions, 73 deletions
diff --git a/aports/iptables/APKBUILD b/aports/iptables/APKBUILD
index dcd5234..b9a34a7 100644
--- a/aports/iptables/APKBUILD
+++ b/aports/iptables/APKBUILD
@@ -1,15 +1,14 @@
 # Maintainer: Gabor Pali <pali.gabor@gmail.com>
 pkgname=iptables
-pkgver=1.8.9
-pkgrel=1 # base: 2
+pkgver=1.8.10
+pkgrel=0 # base: 3
 pkgdesc="Linux kernel firewall, NAT and packet mangling tools"
 url="https://www.netfilter.org/projects/iptables/index.html"
 arch="all"
 license="GPL-2.0-or-later"
 makedepends="libnftnl-dev bison flex autoconf automake"
 source="https://www.netfilter.org/projects/iptables/files/iptables-$pkgver.tar.xz
- format-security.patch
 use-sh-iptables-apply.patch
 iptables.initd
 iptables.confd
@@ -57,10 +56,9 @@ package() {
 }
 
 sha512sums="
-e367bf286135e39b7401e852de25c1ed06d44befdffd92ed1566eb2ae9704b48ac9196cb971f43c6c83c6ad4d910443d32064bcdf618cfcef6bcab113e31ff70 iptables-1.8.9.tar.xz
-9501cd8572d37a680d46ee0b1e95ede3b3d79ff5e347ca32afb0e5e16b3717ed085c96d2214a3b2e08e10619c3295561d86e18089f18026b7ef20daeeb094587 format-security.patch
+71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153 iptables-1.8.10.tar.xz
 ac78898c2acbe66ed8d32a06f41ff08cde7c22c3df6dfec6bc89a912d2cef2bde730de19d25a5407886d567cb0972a0b7bde7e6b18a34c4511495b4dad3b90ad use-sh-iptables-apply.patch
-a37c17a5382c756fcfb183af73af2283f0d09932c5a767241cbab5d784738f6f587f287a0cdf13b4fa74724ecd3a2063a9689ccee84c1bda02e730f63480f74d iptables.initd
+e82fcf10e9fffba37b7e4a11bc901b57d60214f5de4865c61df4add04057b9cb2c1d159b2af809b22e017197f2717b330f05a34a7e97589f48de65606060b1db iptables.initd
 85bb1660c2452fdede5ae0a483489a3648a8b327ea658839a1ad8c6405f6526bdf842a62d4df3f6e3cbbb9ad59137d37b39266cee21e252814191964d4c50f44 iptables.confd
 1783557fea7350ab43b050e632ccd62eb490f1f2b3ad48e7e3fd53cc66c1a9b93c8df4dd692aca3a0d17658f53eb8b668e60055b113fa3091319f81294a1783b ip6tables.confd
 "
diff --git a/aports/iptables/format-security.patch b/aports/iptables/format-security.patch deleted file mode 100644 index 432aac9..0000000 --- a/aports/iptables/format-security.patch +++ /dev/null @@ -1,31 +0,0 @@ -Patch-Source: https://git.netfilter.org/iptables/patch/?id=ed4082a7405a5838c205a34c1559e289949200cc --- -From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001 -From: Phil Sutter <phil@nwl.cc> -Date: Thu, 12 Jan 2023 14:38:44 +0100 -Subject: extensions: NAT: Fix for -Werror=format-security - -Have to pass either a string literal or format string to xt_xlate_add(). - -Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE") -Signed-off-by: Phil Sutter <phil@nwl.cc> ---- - extensions/libxt_NAT.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c -index da9f2201..2a634398 100644 ---- a/extensions/libxt_NAT.c -+++ b/extensions/libxt_NAT.c -@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r, - if (r->flags & NF_NAT_RANGE_PROTO_OFFSET) - return 0; - -- xt_xlate_add(xl, tgt); -+ xt_xlate_add(xl, "%s", tgt); - if (strlen(range_str)) - xt_xlate_add(xl, " to %s", range_str); - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) { --- -cgit v1.2.3 - diff --git a/aports/iptables/iptables.initd b/aports/iptables/iptables.initd index 0f906ee..2cc4227 100644 --- a/aports/iptables/iptables.initd +++ b/aports/iptables/iptables.initd 
@@ -8,22 +8,26 @@ description_save="Save firewall state"
 description_panic="Drop all packets"
 description_reload="Reload configuration"
 
-extra_commands="save panic"
+extra_commands="check save panic"
 extra_started_commands="reload"
 
 iptables_name=${SVCNAME}
-if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
- iptables_name="iptables"
-fi
+case "$iptables_name" in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
 
 iptables_bin="/sbin/${iptables_name}"
 case ${iptables_name} in
- iptables) iptables_proc="/proc/net/ip_tables_names"
- iptables_save=${IPTABLES_SAVE}
- sysctl_ipfwd=net.ipv4.ip_forward;;
- ip6tables) iptables_proc="/proc/net/ip6_tables_names"
- iptables_save=${IP6TABLES_SAVE}
- sysctl_ipfwd=net.ipv6.conf.all.forwarding;;
+ iptables)
+ #shellcheck disable=SC2153
+ iptables_save="${IPTABLES_SAVE}"
+ sysctl_ipfwd=net.ipv4.ip_forward
+ ;;
+ ip6tables)
+ iptables_save="${IP6TABLES_SAVE}"
+ sysctl_ipfwd=net.ipv6.conf.all.forwarding
+ ;;
 esac
 
 depend() {
@@ -43,18 +47,15 @@ set_table_policy() {
 esac
 local chain
 for chain in ${chains} ; do
- ${iptables_bin} -w 5 -t ${table} -P ${chain} ${policy}
+ ${iptables_bin} --wait 5 --table "${table}" --policy "${chain}" "${policy}"
 done
 }
 
-checkkernel() {
- if [ ! -e ${iptables_proc} ] ; then
- eerror "Your kernel lacks ${iptables_name} support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
+get_tables() {
+ # shellcheck disable=SC2086
+ ${iptables_bin}-save | /bin/sed -n 's/^\*//p'
 }
+
 checkconfig() {
 if [ ! -f ${iptables_save} ] ; then
 eerror "Not starting ${iptables_name}. First create some rules then run:"
@@ -67,6 +68,7 @@ checkconfig() {
 start() {
 checkconfig || return 1
 ebegin "Loading ${iptables_name} state and starting firewall"
+ # shellcheck disable=SC2086
 ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
 eend $?
 if yesno "${IPFORWARD}"; then
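Review bot: get_tables() in the second hunk returns only sed's exit status, so a failing `${iptables_bin}-save` (for instance the missing-kernel-support case the removed checkkernel() used to report) produces an empty table list, the callers' `for a in $(get_tables)` loops silently do nothing, and the following `eend $?` reports success for a firewall that was never flushed or reopened. Capture the save output and propagate its status instead, e.g. `local tables; tables="$(${iptables_bin}-save)" || return 1` followed by `printf '%s\n' "$tables" | /bin/sed -n 's/^\*//p'`, and have the stop/reload/panic callers in the next hunk check get_tables' return value before looping. A one-line comment on get_tables such as `# List the tables currently loaded, from the *name headers of iptables-save output` would also help, since the function is the new replacement for the /proc/net/ip_tables_names check.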
@@ -85,51 +87,73 @@ stop() {
 if yesno "${SAVE_ON_STOP}"; then
 save || return 1
 fi
- checkkernel || return 1
 ebegin "Stopping firewall"
 local a
- for a in $(cat ${iptables_proc}) ; do
- set_table_policy $a ACCEPT
+ for a in $(get_tables) ; do
+ set_table_policy "$a" ACCEPT
 
- ${iptables_bin} -w 5 -F -t $a
- ${iptables_bin} -w 5 -X -t $a
+ ${iptables_bin} --wait 5 --flush --table "$a"
+ ${iptables_bin} --wait 5 --delete-chain --table "$a"
 done
 eend $?
 }
 
 reload() {
- checkkernel || return 1
+ checkrules || return 1
 ebegin "Flushing firewall"
 local a
- for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -w 5 -F -t $a
- ${iptables_bin} -w 5 -X -t $a
+ for a in $(get_tables) ; do
+ ${iptables_bin} --wait 5 --flush --table "$a"
+ ${iptables_bin} --wait 5 --delete-chain --table "$a"
 done
 eend $?
 start
 }
 
+checkrules() {
+ ebegin "Checking rules"
+ # shellcheck disable=SC2086
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
 save() {
 ebegin "Saving ${iptables_name} state"
 checkpath -fm 0600 "${iptables_save}"
- ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
- eend $?
+ local exitcode tmp
+
+ tmp="$(mktemp)"
+ # shellcheck disable=SC2086
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}"
+ exitcode=$?
+ if [ "$exitcode" -eq 0 ]; then
+ # command succeeded, so overwrite
+ mv "${tmp}" "${iptables_save}"
+ else
+ ewarn "${iptables_bin}-save failed!"
+ rm -f "${tmp}"
+ fi
+ eend $exitcode
 }
 
 panic() {
- checkkernel || return 1
- if service_started ${iptables_name}; then
- rc-service ${iptables_name} stop
+ if service_started "${iptables_name}"; then
+ rc-service "${iptables_name}" stop
 fi
 local a
 ebegin "Dropping all packets"
- for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -w 5 -F -t $a
- ${iptables_bin} -w 5 -X -t $a
+ for a in $(get_tables) ; do
+ ${iptables_bin} --wait 5 --flush --table "$a"
+ ${iptables_bin} --wait 5 --delete-chain --table "$a"
 
- set_table_policy $a DROP
+ set_table_policy "$a" DROP
 done
 eend $?
 }
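Review bot: `tmp="$(mktemp)"` in save() ignores mktemp failure and places the file under ${TMPDIR:-/tmp}, so an empty `$tmp` turns the redirect into a shell error and, when /tmp is a separate mount, the later `mv "${tmp}" "${iptables_save}"` becomes a copy rather than the atomic rename the temp-file dance is meant to provide. Create the file beside the target and bail out if that fails: `tmp="$(mktemp "${iptables_save}.XXXXXX")" || { eend 1 "mktemp failed"; return 1; }`. With the temp file on the same filesystem the rename is atomic and the replaced rules file keeps mktemp's 0600 mode, matching what the preceding `checkpath -fm 0600` establishes. The `mv` itself is also unchecked; folding its status into `exitcode` (`mv "${tmp}" "${iptables_save}"; exitcode=$?`) keeps `eend $exitcode` honest.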