add a systemd preset file to disable services by default [release 1.8.9-2mamba;Thu Jan 19 2023]

arptables.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=ARP table
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c '/usr/sbin/arptables-restore < /etc/arptables.conf'
+ExecReload=/bin/sh -c '/usr/sbin/arptables-restore < /etc/arptables.conf'
+ExecStop=/bin/sh -c '/usr/sbin/arptables-restore < /dev/null'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

ebtables.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Ethernet bridge table
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c '/usr/sbin/ebtables-restore < /etc/ebtables.conf'
+ExecReload=/bin/sh -c '/usr/sbin/ebtables-restore < /etc/ebtables.conf'
+ExecStop=/bin/sh -c '/usr/sbin/ebtables-restore < /dev/null'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

empty.rules

@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT

ip6tables.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+After=iptables.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecReload=/usr/sbin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush 6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

iptables-initscript

@@ -1,115 +0,0 @@
-#!/bin/bash
-#
-# iptables -- Startup script to implement /etc/sysconfig/iptables pre-defined rules
-#
-# chkconfig: 2345 25 92
-# description: Automates a packet filtering firewall with iptables.
-# config: /etc/sysconfig/iptables
-#
-# By bero@redhat.com, based on the ipchains script:
-# Script Author: Joshua Jensen <joshua@redhat.com>
-#   -- hacked up by gafton with help from notting
-# Modified by Anton Altaparmakov <aia21@cam.ac.uk>:
-# Modified by Nils Philippsen <nils@redhat.de>
-
-. /etc/sysconfig/rc
-. $rc_functions
-
-NAME=iptables
-IPTABLES=/sbin/$NAME
-IPTABLES_RESTORE=/sbin/iptables-restore
-IPTABLES_SAVE=/sbin/iptables-save
-IPTABLES_CONFIG=/etc/sysconfig/$NAME
-
-[ -x $IPTABLES ] || exit 0
-
-case "$1" in
-   start)
-      # don't do squat if we don't have the config file
-      if [ -f $IPTABLES_CONFIG ]; then
-         # we do _not_ need to flush/clear anything when using 	iptables-restore
-         echo -n $"Applying iptables firewall rules: "
-         grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | \
-         grep -v '^[[:space:]]*$' | \
-         $IPTABLES_RESTORE -c
-         evaluate_retval; echo
-      fi
-      touch /var/lock/subsys/$NAME
-   ;;
-   stop)
-      echo -n $"Setting up default policies to ACCEPT: "
-      $IPTABLES --table mangle --policy PREROUTING ACCEPT &&
-      $IPTABLES --table mangle --policy INPUT ACCEPT &&
-      $IPTABLES --table mangle --policy FORWARD ACCEPT &&
-      $IPTABLES --table mangle --policy OUTPUT ACCEPT &&
-      $IPTABLES --table mangle --policy POSTROUTING ACCEPT &&
-      $IPTABLES --table filter --policy INPUT ACCEPT &&
-      $IPTABLES --table filter --policy OUTPUT ACCEPT &&
-      $IPTABLES --table filter --policy FORWARD ACCEPT &&
-      $IPTABLES --table nat --policy PREROUTING ACCEPT &&
-      $IPTABLES --table nat --policy POSTROUTING ACCEPT &&
-      $IPTABLES --table nat --policy OUTPUT ACCEPT
-      evaluate_retval; echo
-
-      echo -n $"Flushing all chains and deleting all user ones: "
-      for table in filter nat mangle; do
-         $IPTABLES --table $table --flush &&
-         $IPTABLES --table $table --delete-chain &&
-         $IPTABLES --table $table --zero
-      done
-      evaluate_retval; echo
-
-      rm -f /var/lock/subsys/$NAME
-   ;;
-   restart|reload)
-      # "restart" is really just "start" as this isn't a daemon,
-      #  and "start" clears any pre-defined rules anyway.
-      #  This is really only here to make those who expect it happy
-      $0 start
-   ;;
-   condrestart)
-      [ -e /var/lock/subsys/$NAME ] && $0 restart || :
-   ;;
-   status)
-      for table in $(cat /proc/net/ip_tables_names 2>/dev/null); do
-         echo "["$"TABLE:"" $table]"
-         $IPTABLES -t $table --list
-         echo
-      done
-   ;;
-   panic)
-      echo -n $"Setting up default policies to DROP: "
-      $IPTABLES --table mangle --policy PREROUTING DROP &&
-      $IPTABLES --table mangle --policy INPUT DROP &&
-      $IPTABLES --table mangle --policy FORWARD DROP &&
-      $IPTABLES --table mangle --policy OUTPUT DROP &&
-      $IPTABLES --table mangle --policy POSTROUTING DROP &&
-      $IPTABLES --table filter --policy INPUT DROP &&
-      $IPTABLES --table filter --policy OUTPUT DROP &&
-      $IPTABLES --table filter --policy FORWARD DROP &&
-      $IPTABLES --table nat --policy PREROUTING DROP &&
-      $IPTABLES --table nat --policy POSTROUTING DROP &&
-      $IPTABLES --table nat --policy OUTPUT DROP
-      evaluate_retval; echo
-
-      echo -n $"Flushing all chains and deleting all user ones: "
-      for table in filter nat mangle; do
-         $IPTABLES --table $table --flush &&
-         $IPTABLES --table $table --delete-chain &&
-         $IPTABLES --table $table --zero
-      done
-      evaluate_retval; echo
-   ;;
-   save)
-      echo -n $"Saving current rules to"" \`$IPTABLES_CONFIG': "
-      touch $IPTABLES_CONFIG && chmod 600 $IPTABLES_CONFIG &&
-      $IPTABLES_SAVE -c > $IPTABLES_CONFIG 2>/dev/null
-      evaluate_retval; echo
-   ;;
-   *)
-      echo "Usage: ""$0 {start|stop|restart|condrestart|status|panic|save}"
-      exit 1
-   ;;
-esac
-
-exit 0

iptables-legacy-flush

@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+  echo "error: invalid argument"
+  exit 1
+fi
+
+while read -r table; do
+  tables+=("/usr/share/iptables/empty-$table.rules")
+done <"/proc/net/ip$1_tables_names"
+
+if (( ${#tables[*]} )); then
+  cat "${tables[@]}" | "$iptables-restore"
+fi

iptables-nat.sh

@@ -1,60 +0,0 @@
-#! /bin/bash
-#
-# iptables-nat.sh, v1.2 (14-05-2004) - simple script to set NAT rules
-# for IPTABLES on all the network devices marked as local (ZONE=local)
-#
-# Copyright (c) 2003-2004 by Silvan Calarco <silvan.calarco@qilinux.it>
-# Copyright (c) 2003-2006 by Davide Madrisan <davide.madrisan@qilinux.it>
-
-. /etc/sysconfig/rc
-. $rc_functions
-. $rc_networkfunctions
-. /etc/sysconfig/network
-
-get_interfaces_by_zone
-[ ${#ifzone_local[@]} -eq 0 ] && exit 0  # no local interfaces found
-
-# shut down NAT routing and delete any NAT existing chains
-iptables -t nat -P PREROUTING DROP && \
-iptables -t nat -P POSTROUTING DROP && \
-iptables -t nat -P OUTPUT DROP && \
-iptables -t nat -F && \
-iptables -t nat -X
-
-for int_name in ${ifzone_local[@]}; do
-   # get the parameters: int_ip, int_netmask, int_network
-   get_interface_parameters $int_name
-   [ $? -ne 0 ] &&
-    { echo "\
-WARNING: could not determine parameters for interface $int_name.
-         $int_name will not be configured for NAT." 1>&2; 
-      continue; }
-
-   [ -z "$int_network" -a "$natconfig" = 1 ] &&
-    { echo "\
-WARNING: NETWORK variable for interface $int_name not set.
-         $int_name will not be configured for NAT." 1>&2;
-      continue; }
-
-   [ -z "$int_netmask" -a "$natconfig" = 1 ] &&
-    { int_netmask="255.255.255.0";
-      echo "\
-WARNING: NETMASK variable missing for $int_name.
-         Using $int_netmask." 1>&2; }
-
-   # masquerade rules
-   iptables -t nat -N fromprivate.$int_name
-   # packets from the private IP range to another private IP range are untouched.
-   iptables -t nat -A fromprivate.$int_name -d $int_ip/$int_netmask -j ACCEPT
-   # packets that get here are from the private address range
-   # and are trying to get out to the internet. We NAT them.
-   iptables -t nat -A fromprivate.$int_name -j MASQUERADE
-   # siphon off any packets that are from the private IP range
-   iptables -t nat -A POSTROUTING -s $int_ip/$int_netmask -j fromprivate.$int_name
-done
-
-# packets that get here can just hit the default policy
-iptables -t nat -P PREROUTING ACCEPT && \
-iptables -t nat -P POSTROUTING ACCEPT && \
-iptables -t nat -P OUTPUT ACCEPT
-

iptables-nft-flush

@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+  echo "error: invalid argument"
+  exit 1
+fi
+
+while read -r table; do
+  tables+=("/usr/share/iptables/empty-$table.rules")
+done < <(nft list tables | sed -n "s/table ip$1 //p")
+
+if (( ${#tables[*]} )); then
+  cat "${tables[@]}" | "$iptables-restore"
+fi

iptables.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/usr/sbin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

iptables.spec

@@ -1,5 +1,5 @@
 Name:          iptables
-Version:       1.8.8
+Version:       1.8.9
 Release:       2mamba
 Summary:       kernel libraries, user tools/libraries for netfilter/iptables firewalling
 Group:         Network/Security
@@ -7,9 +7,14 @@ Vendor:        openmamba
 Distribution:  openmamba
 Packager:      Silvan Calarco <silvan.calarco@mambasoft.it>
 URL:           https://www.netfilter.org/
-Source0:       https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2
-Source1:       iptables-initscript
-Source2:       iptables-nat.sh
+Source0:       https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.xz
+Source1:       iptables.service
+Source2:       ip6tables.service
+Source3:       arptables.service
+Source4:       ebtables.service
+Source5:       empty.rules
+Source6:       iptables-legacy-flush
+Source7:       iptables-nft-flush
 License:       GPL
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: glibc-devel
@@ -17,6 +22,7 @@ BuildRequires: libmnl-devel
 BuildRequires: libnetfilter_conntrack-devel
 BuildRequires: libnfnetlink-devel
 BuildRequires: libnftnl-devel
+BuildRequires: libpcap-devel
 ## AUTOBUILDREQ-END
 BuildRequires: libnftnl-devel >= 1.0.9
 Provides:      iptables-nat
@@ -68,7 +74,12 @@ This package contains the header files needed for development with xtables.
 %setup -q
 
 %build
-%configure
+%configure \
+    --enable-bpf-compiler \
+    --enable-devel \
+    --enable-libipq \
+    --enable-shared
+
 #--sbindir=/sbin --bindir=/sbin
 
 %ifarch arm
@@ -84,8 +95,23 @@ sed -i "/#define HAVE_LINUX_BPF_H/d" config.h
 [ "%{buildroot}" != / ] && rm -rf %{buildroot}
 %makeinstall
 
-#install -D -m 755 %{S:1} %{buildroot}%{_initrddir}/iptables
-#install -D -m 755 %{S:2} %{buildroot}%{_sbindir}/iptables-nat.sh
+install -D -m0644 %{SOURCE1} %{buildroot}%{_unitdir}/iptables.service
+install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/ip6tables.service
+install -D -m0644 %{SOURCE3} %{buildroot}%{_unitdir}/arptables.service
+install -D -m0644 %{SOURCE4} %{buildroot}%{_unitdir}/ebtables.service
+install -D -m0755 %{SOURCE6} %{buildroot}%{_systemd_util_dir}/scripts/iptables-flush
+
+install -D -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/iptables/iptables.rules
+install -D -m0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/iptables/ip6tables.rules
+
+install -d -m0755 %{buildroot}%{_presetdir}
+
+cat > %{buildroot}%{_presetdir}/50-iptables.preset << __EOF
+disable iptables
+disable ip6tables
+disable arptables
+disable ebtables
+__EOF
 
 %clean
 [ "%{buildroot}" != / ] && rm -rf %{buildroot}
@@ -100,7 +126,11 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 
 %files
 %defattr(-,root,root)
+%dir %{_sysconfdir}/iptables
+%config(noreplace) %{_sysconfdir}/iptables/ip6tables.rules
+%config(noreplace) %{_sysconfdir}/iptables/iptables.rules
 %{_sysconfdir}/ethertypes
+%config(noreplace) %{_sysconfdir}/xtables.conf
 %{_bindir}/iptables-xml
 %{_sbindir}/arptables*
 %{_sbindir}/ebtables*
@@ -110,8 +140,15 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %{_sbindir}/iptables
 %{_sbindir}/iptables-*
 %{_sbindir}/nfnl_osf
+%{_sbindir}/nfbpf_compile
+%{_systemd_util_dir}/scripts/iptables-flush
+%{_presetdir}/50-iptables.preset
+%{_unitdir}/arptables.service
+%{_unitdir}/ebtables.service
+%{_unitdir}/ip6tables.service
+%{_unitdir}/iptables.service
 %dir %{_datadir}/xtables
-%{_datadir}/xtables/pf.os
+%{_datadir}/xtables/*
 %{_mandir}/man1/iptables-*.1*
 %{_mandir}/man8/iptables.8*
 %{_mandir}/man8/iptables-*.8*
@@ -119,6 +156,8 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %{_mandir}/man8/xtables-*.8*
 %{_mandir}/man8/arptables-nft*.8*
 %{_mandir}/man8/ebtables-nft.8*
+%{_mandir}/man8/ebtables-translate.8*
+%{_mandir}/man8/nfbpf_compile.8*
 
 %files ipv6
 %defattr(-,root,root)
@@ -128,8 +167,10 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 
 %files -n lib%{name}
 %defattr(-,root,root)
+%{_includedir}/libipq.h
 %{_libdir}/libip4tc.so.*
 %{_libdir}/libip6tc.so.*
+%{_libdir}/libipq.so.*
 %dir %{_libdir}/xtables
 %{_libdir}/xtables/libarpt_*.so
 %{_libdir}/xtables/libebt_*.so
@@ -148,12 +189,25 @@ find /etc/rc[0-6].d/ -type l -xtype l -exec rm -f {} \;
 %{_libdir}/libip4tc.so
 %{_libdir}/libip6tc.so
 %{_libdir}/libxtables.so
+%{_libdir}/libipq.so
 %{_libdir}/pkgconfig/xtables.pc
 %{_libdir}/pkgconfig/libiptc.pc
 %{_libdir}/pkgconfig/libip4tc.pc
 %{_libdir}/pkgconfig/libip6tc.pc
+%{_libdir}/pkgconfig/libipq.pc
+%{_mandir}/man3/ipq_*.3*
+%{_mandir}/man3/libipq.3*
 
 %changelog
+* Thu Jan 19 2023 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.9-2mamba
+- add a systemd preset file to disable services by default
+
+* Thu Jan 19 2023 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.9-1mamba
+- update to 1.8.9
+
+* Thu Jan 19 2023 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.8-3mamba
+- added systemd support scripts; rebuilt with --enable-libipq
+
 * Wed Nov 02 2022 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.8-2mamba
 - move libraries to libiptables subpackage