Diffstat (limited to 'aports/iptables')
-rw-r--r--aports/iptables/APKBUILD10
-rw-r--r--aports/iptables/format-security.patch31
-rw-r--r--aports/iptables/iptables.initd96
3 files changed, 64 insertions, 73 deletions
diff --git a/aports/iptables/APKBUILD b/aports/iptables/APKBUILD
index dcd5234..b9a34a7 100644
--- a/aports/iptables/APKBUILD
+++ b/aports/iptables/APKBUILD
@@ -1,15 +1,14 @@
# Maintainer: Gabor Pali <pali.gabor@gmail.com>
pkgname=iptables
-pkgver=1.8.9
-pkgrel=1 # base: 2
+pkgver=1.8.10
+pkgrel=0 # base: 3
pkgdesc="Linux kernel firewall, NAT and packet mangling tools"
url="https://www.netfilter.org/projects/iptables/index.html"
arch="all"
license="GPL-2.0-or-later"
makedepends="libnftnl-dev bison flex autoconf automake"
source="https://www.netfilter.org/projects/iptables/files/iptables-$pkgver.tar.xz
- format-security.patch
use-sh-iptables-apply.patch
iptables.initd
iptables.confd
@@ -57,10 +56,9 @@ package() {
}
sha512sums="
-e367bf286135e39b7401e852de25c1ed06d44befdffd92ed1566eb2ae9704b48ac9196cb971f43c6c83c6ad4d910443d32064bcdf618cfcef6bcab113e31ff70 iptables-1.8.9.tar.xz
-9501cd8572d37a680d46ee0b1e95ede3b3d79ff5e347ca32afb0e5e16b3717ed085c96d2214a3b2e08e10619c3295561d86e18089f18026b7ef20daeeb094587 format-security.patch
+71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153 iptables-1.8.10.tar.xz
ac78898c2acbe66ed8d32a06f41ff08cde7c22c3df6dfec6bc89a912d2cef2bde730de19d25a5407886d567cb0972a0b7bde7e6b18a34c4511495b4dad3b90ad use-sh-iptables-apply.patch
-a37c17a5382c756fcfb183af73af2283f0d09932c5a767241cbab5d784738f6f587f287a0cdf13b4fa74724ecd3a2063a9689ccee84c1bda02e730f63480f74d iptables.initd
+e82fcf10e9fffba37b7e4a11bc901b57d60214f5de4865c61df4add04057b9cb2c1d159b2af809b22e017197f2717b330f05a34a7e97589f48de65606060b1db iptables.initd
85bb1660c2452fdede5ae0a483489a3648a8b327ea658839a1ad8c6405f6526bdf842a62d4df3f6e3cbbb9ad59137d37b39266cee21e252814191964d4c50f44 iptables.confd
1783557fea7350ab43b050e632ccd62eb490f1f2b3ad48e7e3fd53cc66c1a9b93c8df4dd692aca3a0d17658f53eb8b668e60055b113fa3091319f81294a1783b ip6tables.confd
"
diff --git a/aports/iptables/format-security.patch b/aports/iptables/format-security.patch
deleted file mode 100644
index 432aac9..0000000
--- a/aports/iptables/format-security.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Patch-Source: https://git.netfilter.org/iptables/patch/?id=ed4082a7405a5838c205a34c1559e289949200cc
---
-From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Thu, 12 Jan 2023 14:38:44 +0100
-Subject: extensions: NAT: Fix for -Werror=format-security
-
-Have to pass either a string literal or format string to xt_xlate_add().
-
-Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
----
- extensions/libxt_NAT.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
-index da9f2201..2a634398 100644
---- a/extensions/libxt_NAT.c
-+++ b/extensions/libxt_NAT.c
-@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
- if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
- return 0;
-
-- xt_xlate_add(xl, tgt);
-+ xt_xlate_add(xl, "%s", tgt);
- if (strlen(range_str))
- xt_xlate_add(xl, " to %s", range_str);
- if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
---
-cgit v1.2.3
-
diff --git a/aports/iptables/iptables.initd b/aports/iptables/iptables.initd
index 0f906ee..2cc4227 100644
--- a/aports/iptables/iptables.initd
+++ b/aports/iptables/iptables.initd
@@ -8,22 +8,26 @@ description_save="Save firewall state"
description_panic="Drop all packets"
description_reload="Reload configuration"
-extra_commands="save panic"
+extra_commands="check save panic"
extra_started_commands="reload"
iptables_name=${SVCNAME}
-if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
- iptables_name="iptables"
-fi
+case "$iptables_name" in
+ iptables|ip6tables) ;;
+ *) iptables_name="iptables" ;;
+esac
iptables_bin="/sbin/${iptables_name}"
case ${iptables_name} in
- iptables) iptables_proc="/proc/net/ip_tables_names"
- iptables_save=${IPTABLES_SAVE}
- sysctl_ipfwd=net.ipv4.ip_forward;;
- ip6tables) iptables_proc="/proc/net/ip6_tables_names"
- iptables_save=${IP6TABLES_SAVE}
- sysctl_ipfwd=net.ipv6.conf.all.forwarding;;
+ iptables)
+ #shellcheck disable=SC2153
+ iptables_save="${IPTABLES_SAVE}"
+ sysctl_ipfwd=net.ipv4.ip_forward
+ ;;
+ ip6tables)
+ iptables_save="${IP6TABLES_SAVE}"
+ sysctl_ipfwd=net.ipv6.conf.all.forwarding
+ ;;
esac
depend() {
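Review bot: The new `case` arms assign `iptables_save="${IPTABLES_SAVE}"` / `"${IP6TABLES_SAVE}"` with no fallback, so an unset or empty variable (presumably a missing or incomplete conf.d file) leaves `iptables_save` empty, and the unquoted `[ ! -f ${iptables_save} ]` visible as context in checkconfig in a later hunk then collapses to `[ ! -f ]`, which is false, so the check passes and `-restore` is redirected from an empty path. Supplying the default at the assignment, `iptables_save="${IPTABLES_SAVE:-<DEFAULT_RULES_FILE>}"` with the package's real rules path, or testing `-n "${iptables_save}"` first in checkconfig would close that gap. The `# shellcheck disable=SC2153` on the iptables arm is bare; a reason such as `# SC2153: IPTABLES_SAVE is the conf.d variable, not a typo of iptables_save` would make the disable self-explanatory.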
@@ -43,18 +47,15 @@ set_table_policy() {
esac
local chain
for chain in ${chains} ; do
- ${iptables_bin} -w 5 -t ${table} -P ${chain} ${policy}
+ ${iptables_bin} --wait 5 --table "${table}" --policy "${chain}" "${policy}"
done
}
-checkkernel() {
- if [ ! -e ${iptables_proc} ] ; then
- eerror "Your kernel lacks ${iptables_name} support, please load"
- eerror "appropriate modules and try again."
- return 1
- fi
- return 0
+get_tables() {
+ # shellcheck disable=SC2086
+ ${iptables_bin}-save | /bin/sed -n 's/^\*//p'
}
+
checkconfig() {
if [ ! -f ${iptables_save} ] ; then
eerror "Not starting ${iptables_name}. First create some rules then run:"
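Review bot: `get_tables` loses the failure path that the removed `checkkernel` provided: the pipeline's exit status is that of `/bin/sed`, so when `${iptables_bin}-save` fails (kernel without the matching xtables support, or a missing binary) the function returns 0 with no output, `for a in $(get_tables)` in stop/reload/panic (next hunk) iterates over nothing, and `eend $?` reports success where the old code printed the kernel error and returned 1. Capturing the dump into a variable first keeps the status of `-save`, and callers can then run `tables="$(get_tables)" || { eend 1; return 1; }` before their loop instead of expanding it inline. The `# shellcheck disable=SC2086` above the pipeline gives no reason; a trailing `# $iptables_bin is a fixed path` would help the next reader.
```shell
get_tables() {
	local dump
	# Keep the status of -save: a plain pipeline would only report sed's.
	dump="$(${iptables_bin}-save)" || return 1
	printf '%s\n' "${dump}" | /bin/sed -n 's/^\*//p'
}
```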
@@ -67,6 +68,7 @@ checkconfig() {
start() {
checkconfig || return 1
ebegin "Loading ${iptables_name} state and starting firewall"
+ # shellcheck disable=SC2086
${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
eend $?
if yesno "${IPFORWARD}"; then
@@ -85,51 +87,73 @@ stop() {
if yesno "${SAVE_ON_STOP}"; then
save || return 1
fi
- checkkernel || return 1
ebegin "Stopping firewall"
local a
- for a in $(cat ${iptables_proc}) ; do
- set_table_policy $a ACCEPT
+ for a in $(get_tables) ; do
+ set_table_policy "$a" ACCEPT
- ${iptables_bin} -w 5 -F -t $a
- ${iptables_bin} -w 5 -X -t $a
+ ${iptables_bin} --wait 5 --flush --table "$a"
+ ${iptables_bin} --wait 5 --delete-chain --table "$a"
done
eend $?
}
reload() {
- checkkernel || return 1
+ checkrules || return 1
ebegin "Flushing firewall"
local a
- for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -w 5 -F -t $a
- ${iptables_bin} -w 5 -X -t $a
+ for a in $(get_tables) ; do
+ ${iptables_bin} --wait 5 --flush --table "$a"
+ ${iptables_bin} --wait 5 --delete-chain --table "$a"
done
eend $?
start
}
+checkrules() {
+ ebegin "Checking rules"
+ # shellcheck disable=SC2086
+ ${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+check() {
+ # Short name for users of init.d script.
+ checkrules
+}
+
save() {
ebegin "Saving ${iptables_name} state"
checkpath -fm 0600 "${iptables_save}"
- ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
- eend $?
+ local exitcode tmp
+
+ tmp="$(mktemp)"
+ # shellcheck disable=SC2086
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}"
+ exitcode=$?
+ if [ "$exitcode" -eq 0 ]; then
+ # command succeeded, so overwrite
+ mv "${tmp}" "${iptables_save}"
+ else
+ ewarn "${iptables_bin}-save failed!"
+ rm -f "${tmp}"
+ fi
+ eend $exitcode
}
panic() {
- checkkernel || return 1
- if service_started ${iptables_name}; then
- rc-service ${iptables_name} stop
+ if service_started "${iptables_name}"; then
+ rc-service "${iptables_name}" stop
fi
local a
ebegin "Dropping all packets"
- for a in $(cat ${iptables_proc}) ; do
- ${iptables_bin} -w 5 -F -t $a
- ${iptables_bin} -w 5 -X -t $a
+ for a in $(get_tables) ; do
+ ${iptables_bin} --wait 5 --flush --table "$a"
+ ${iptables_bin} --wait 5 --delete-chain --table "$a"
- set_table_policy $a DROP
+ set_table_policy "$a" DROP
done
eend $?
}
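Review bot: In `save()` the result of `mktemp` is used unchecked and the file is created in the default temp directory rather than beside `${iptables_save}`: if mktemp fails, `tmp` is empty and the redirection and the later `rm -f ""` operate on an empty path, and when the temp directory is on a different filesystem the `mv` is a copy followed by an unlink, so the rules file is briefly partial instead of being atomically replaced, and its mode comes from the temp file rather than from the `checkpath -fm 0600` above. Creating the temp file next to the target keeps the rename atomic on the same filesystem: `tmp="$(mktemp "${iptables_save}.XXXXXX")" || { eend 1 "mktemp failed"; return 1; }`. The identical `--flush`/`--delete-chain` loop now appears three times (stop, reload, panic); a small `flush_tables` helper called from each would remove the duplication.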