Red Hat Bugzilla – Attachment 147236 Details for
Bug 227011
RFE: Allow several sets of independently managed iptables rules
[patch]
iptables-init-script-separate-rules-config.patch
iptables-init-script-separate-rules-config.patch (text/plain), 4.81 KB, created by
Mark McLoughlin
on 2007-02-02 16:31:18 UTC
Description:
iptables-init-script-separate-rules-config.patch
Filename:
MIME Type:
Creator:
Mark McLoughlin
Created:
2007-02-02 16:31:18 UTC
Size:
4.81 KB
patch
obsolete
>--- iptables.orig 2007-01-08 14:31:15.000000000 +0000
>+++ iptables 2007-02-02 15:34:17.000000000 +0000
>@@ -13,6 +13,8 @@
> 
> IPTABLES=iptables
> IPTABLES_DATA=/etc/sysconfig/$IPTABLES
>+IPTABLES_SAVED=/etc/sysconfig/$IPTABLES-saved
>+IPTABLES_DIR=/etc/sysconfig/$IPTABLES.d/
> IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
> IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
> PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
>@@ -106,19 +108,25 @@
> 
> set_policy() {
> # Set policy for configured tables.
>- policy=$1
>+ policy=$1; shift
>+ tables=$@
> 
>- # Check if iptable module is loaded
>- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
>+ if [ -z "$tables" ] ; then
>+ # Check if iptable module is loaded
>+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
>+
>+ # Check if firewall is configured (has tables)
>+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
>+ [ -z "$tables" ] && return 1
> 
>- # Check if firewall is configured (has tables)
>- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
>- [ -z "$tables" ] && return 1
>+ echo -n $"Setting chains to policy $policy: "
>+ else
>+ keepquiet="yes"
>+ fi
> 
>- echo -n $"Setting chains to policy $policy: "
> ret=0
> for i in $tables; do
>- echo -n "$i "
>+ [ -z "$keepquiet" ] && echo -n "$i "
> case "$i" in
> raw)
> $IPTABLES -t raw -P PREROUTING $policy \
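Review bot: `keepquiet` is assigned in the new else branch of set_policy but never cleared, so it persists as a script-level variable: once load_tables has called `set_policy ACCEPT $tables`, any later set_policy call in the same process would also run silent, dropping the "Setting chains to policy" progress output. Adding `keepquiet=` immediately before the `if [ -z "$tables" ] ; then` test makes each call self-contained. Note also that when tables are supplied the `$PROC_IPTABLES_NAMES` existence check is bypassed, so the caller is relied on to pass only tables the kernel can provide. set_policy's case statement continues beyond the hunk.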
>@@ -151,25 +159,65 @@
> esac
> done
> 
>- [ $ret -eq 0 ] && success || failure
>- echo
>+ if [ -z "$keepquiet" ] ; then
>+ [ $ret -eq 0 ] && success || failure
>+ echo
>+ fi
> return $ret
> }
> 
>-start() {
>- # Do not start if there is no config file.
>- [ -f "$IPTABLES_DATA" ] || return 1
>+load_tables() {
>+ if [ "$1" = "-c" ]; then
>+ OPT="-c"; shift
>+ fi
>+ tables=$@
>+
>+ ret=0
>+
>+ set_policy ACCEPT $tables || ret+=1
> 
>+ for table in $tables; do
>+ for path in $IPTABLES_DIR/$table/*.chain; do
>+ [ ! -f "$path" ] || is_ignored_file "$path" && continue
>+ chain=$(basename "${path%.chain}")
>+ $IPTABLES -t $table -N "$chain" || ret+=1
>+ while read line ; do
>+ iptables -t $table -A "${chain}" ${line} || ret+=1
>+ done < "$path"
>+ done
>+ done
>+
>+ for chain in $IPTABLES_FILTER_INPUT_CHAINS ; do
>+ $IPTABLES -t filter -A INPUT -j $chain || ret+=1
>+ done
>+ for chain in $IPTABLES_FILTER_FORWARD_CHAINS ; do
>+ $IPTABLES -t filter -A FORWARD -j $chain || ret+=1
>+ done
>+ for chain in $IPTABLES_NAT_PREROUTING_CHAINS ; do
>+ $IPTABLES -t nat -A PREROUTING -j $chain || ret+=1
>+ done
>+ for chain in $IPTABLES_NAT_POSTROUTING_CHAINS ; do
>+ $IPTABLES -t nat -A POSTROUTING -j $chain || ret+=1
>+ done
>+
>+ [ $ret -eq 0 ] && success || failure
>+}
>+
>+start() {
> echo -n $"Applying $IPTABLES firewall rules: "
> 
> OPT=
> [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
> 
>- $IPTABLES-restore $OPT $IPTABLES_DATA
>- if [ $? -eq 0 ]; then
>- success; echo
>+ if [ -f "$IPTABLES_DATA" ] ; then
>+ $IPTABLES-restore $OPT $IPTABLES_DATA
>+ if [ $? -eq 0 ]; then
>+ success; echo
>+ else
>+ failure; echo; return 1
>+ fi
> else
>- failure; echo; return 1
>+ load_tables $OPT filter nat
> fi
> 
> # Load additional modules (helpers)
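Review bot: The rule-loading loop in load_tables invokes the literal `iptables` binary while every other command in this script goes through `$IPTABLES`; since `IPV=${IPTABLES%tables}` in the first hunk shows the script is meant to run as ip6tables too, the `.chain` files would in that case be appended to the IPv4 tables, so the line should read `$IPTABLES -t $table -A "${chain}" ${line} || ret+=1`. Two smaller points in the same function: `read line` without `-r` and the unquoted `${line}` subject the rule text from the `.chain` files to backslash processing and shell glob expansion, and load_tables prints success/failure but neither emits the trailing newline nor returns `$ret`, so the new else branch in start() cannot detect a failed load the way the iptables-restore branch does. Also `ret+=1` on an undeclared variable is bash string concatenation (`0` becomes `01`), which works as a non-zero flag but not as the count the spelling suggests. The fence shows the loop and tail of load_tables plus the call site in start().

```shell
load_tables() {
    # … unchanged: -c handling, tables=$@, ret=0, set_policy call …
    for table in $tables; do
        for path in $IPTABLES_DIR/$table/*.chain; do
            [ ! -f "$path" ] || is_ignored_file "$path" && continue
            chain=$(basename "${path%.chain}")
            $IPTABLES -t $table -N "$chain" || ret+=1
            # -r keeps backslashes in the rule text intact
            while read -r line ; do
                $IPTABLES -t $table -A "${chain}" ${line} || ret+=1
            done < "$path"
        done
    done
    # … unchanged: jump rules for the *_CHAINS lists …
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}
# … unchanged: start() up to the iptables-restore branch …
    else
        load_tables $OPT filter nat || return 1
    fi
```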
>@@ -211,6 +259,23 @@
> return $ret
> }
> 
>+iptables_save() {
>+ OPT=
>+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
>+
>+ IGNORE_OPTS=""
>+ for chain in $IPTABLES_FILTER_INPUT_CHAINS \
>+ $IPTABLES_FILTER_FORWARD_CHAINS \
>+ $IPTABLES_NAT_PREROUTING_CHAINS \
>+ $IPTABLES_NAT_POSTROUTING_CHAINS ; do
>+ # FIXME: we'd need to implement this
>+ # IGNORE_OPTS="--ignore $chain "
>+ IGNORE_OPTS=""
>+ done
>+
>+ $IPTABLES-save $OPT $IGNORE_OPTS
>+}
>+
> save() {
> # Check if iptable module is loaded
> [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
>@@ -219,26 +284,28 @@
> tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
> [ -z "$tables" ] && return 1
> 
>- echo -n $"Saving firewall rules to $IPTABLES_DATA: "
>-
>- OPT=
>- [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
>+ echo -n $"Saving firewall rules to $IPTABLES_SAVED: "
> 
> ret=0
> TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
> && chmod 600 "$TMP_FILE" \
>- && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
>+ && iptables_save > $TMP_FILE 2>/dev/null \
> && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
> || ret=1
> if [ $ret -eq 0 ]; then
> if [ -e $IPTABLES_DATA ]; then
>- cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
>+ mv -f $IPTABLES_DATA $IPTABLES_DATA.save \
> && chmod 600 $IPTABLES_DATA.save \
> || ret=1
> fi
>+ if [ $ret -eq 0 -a -e $IPTABLES_SAVED ]; then
>+ cp -f $IPTABLES_SAVED $IPTABLES_SAVED.save \
>+ && chmod 600 $IPTABLES_SAVED.save \
>+ || ret=1
>+ fi
> if [ $ret -eq 0 ]; then
>- cp -f $TMP_FILE $IPTABLES_DATA \
>- && chmod 600 $IPTABLES_DATA \
>+ cp -f $TMP_FILE $IPTABLES_SAVED \
>+ && chmod 600 $IPTABLES_SAVED \
> || ret=1
> fi
> fi
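Review bot: The for loop in iptables_save is dead code as written — `IGNORE_OPTS=""` is reassigned on every iteration, so `$IPTABLES-save` always dumps the complete ruleset, including the chains that load_tables builds from `$IPTABLES_DIR`; if such a dump is ever restored alongside the directory-managed chains, those chains would be created a second time. Until the FIXME is resolved it would be clearer to drop the loop and keep a single comment in its place, e.g. `# FIXME: exclude the $IPTABLES_DIR-managed chains (the *_CHAINS lists) from the dump`, so a reader does not take the loop for working filtering.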
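Review bot: save() now writes the dump to `$IPTABLES_SAVED` and renames the existing `$IPTABLES_DATA` to `$IPTABLES_DATA.save`, but nothing in this patch reads `$IPTABLES_SAVED` back: start() in the earlier hunk still restores only `$IPTABLES_DATA` and otherwise falls through to load_tables, so after a `save` the running rules would not be reapplied at the next start unless code outside the diff handles `$IPTABLES_SAVED`. If restoring it is intended, start() should test `-f "$IPTABLES_SAVED"` first and pass that file to `$IPTABLES-restore`; if renaming `$IPTABLES_DATA` is meant as a one-time migration of the old monolithic file, a comment such as `# move legacy monolithic ruleset aside; live rules are now kept in $IPTABLES_SAVED` above the `mv -f` would make that explicit. save() continues beyond the hunk.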