diff --git a/ebtables-config b/ebtables-config
new file mode 100644
index 0000000..69d9289
--- /dev/null
+++ b/ebtables-config
@@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule counters.
+# Value: yes|no, default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"
diff --git a/ebtables-helper b/ebtables-helper
new file mode 100644
index 0000000..f1dee08
--- /dev/null
+++ b/ebtables-helper
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+# compat for removed initscripts dependency
+
+success() {
+ echo "[ OK ]"
+ return 0
+}
+
+failure() {
+ echo "[FAILED]"
+ return 1
+}
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+ EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_ON_RESTART="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+ local ret=0
+ for table in $EBTABLES_TABLES; do
+ ebtables -t $table --init-table || ret=1
+ done
+ return $ret
+}
+
+sanitize_dump() {
+ local drop=false
+
+ export EBTABLES_TABLES
+
+ cat $1 | while read line; do
+ case $line in
+ \**)
+ drop=false
+ local table="${line#\*}"
+ local found=false
+ for t in $EBTABLES_TABLES; do
+ if [[ $t == $table ]]; then
+ found=true
+ break
+ fi
+ done
+ $found || drop=true
+ ;;
+ esac
+ $drop || echo "$line"
+ done
+}
+
+start() {
+ if [ -f $EBTABLES_DATA ]; then
+ echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+ sanitize_dump $EBTABLES_DATA | ebtables-restore
+ else
+ echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+ initialize
+ fi
+ local ret=$?
+ touch $VAR_SUBSYS_EBTABLES
+ return $ret
+}
+
+save() {
+ echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+ export EBTABLES_SAVE_COUNTER
+ ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+ start)
+ [ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+ start && success || failure
+ RETVAL=$?
+ ;;
+ stop)
+ [ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+ echo -n $"ebtables: stopping firewall: "
+ initialize && success || failure
+ RETVAL=$?
+ rm -f $VAR_SUBSYS_EBTABLES
+ ;;
+ save)
+ save
+ ;;
+ *)
+ echo "usage: ${0##*/} {start|stop|save}" >&2
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
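Review bot: In save(), `ebtables-save >$EBTABLES_DATA` truncates the stored ruleset before ebtables-save has written anything, so a failed save leaves an empty or partial /etc/sysconfig/ebtables; the `stop` branch then resets the tables regardless, and the next `start` pipes that file into ebtables-restore. The redirect also creates the file under the caller's umask, although the spec installs ebtables-config with mode 600. Dumping to a mktemp file in the same directory and renaming it over the target only on success covers both, as sketched below. Separately, start() runs `touch $VAR_SUBSYS_EBTABLES` even when loading failed, so a repeated `start` exits 0 at the lock check with no ruleset loaded; `[ $ret -eq 0 ] && touch "$VAR_SUBSYS_EBTABLES"` would avoid that.

```shell
save() {
	# … unchanged: progress message and export of EBTABLES_SAVE_COUNTER …
	local tmp
	tmp=$(mktemp "$EBTABLES_DATA.XXXXXX") || { failure; return; }
	# mktemp creates the file with mode 0600; the old ruleset stays in place until the dump is complete
	if ebtables-save >"$tmp" && mv -f "$tmp" "$EBTABLES_DATA"; then
		success
	else
		rm -f "$tmp"
		failure
	fi
}
```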
diff --git a/ebtables.service b/ebtables.service
new file mode 100644
index 0000000..b096f1d
--- /dev/null
+++ b/ebtables.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ebtables.spec b/ebtables.spec
index 87b84e2..0151821 100644
--- a/ebtables.spec
+++ b/ebtables.spec
@@ -2,20 +2,23 @@ Name: ebtables Version: 2.0.11 -Release: 21%{?dist} +Release: 10%{?dist} Summary: Ethernet Bridge frame table administration tool -# Automatically converted from old format: GPLv2+ - review is highly recommended. -License: GPL-2.0-or-later +License: GPLv2+ URL: http://ebtables.sourceforge.net/ Source0: ftp://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.bz2 Source1: ebtables-legacy-save +Source2: ebtables-helper +Source3: ebtables.service +Source4: ebtables-config BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: gcc -BuildRequires: make +BuildRequires: systemd +BuildRequires: make %description Ethernet bridge tables is a firewalling tool to transparently filter network
@@ -30,9 +33,9 @@ like iptables. There are no known incompatibility issues. %package legacy Summary: Legacy user space tool to configure bridge netfilter rules in kernel -Requires(post): /usr/sbin/update-alternatives +Requires(post): %{_sbindir}/update-alternatives Requires(post): %{_bindir}/readlink -Requires(postun): /usr/sbin/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives Conflicts: setup < 2.10.4-1 %if 0%{?rhel} >= 9 # RHEL-9 provides ebtables via iptables-nft, but doesn't support ebtables
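Review bot: The `[Unit]` section of ebtables.service declares no ordering against the network, so nothing visible here makes the ruleset load before interfaces and bridges are configured, and frames may be bridged unfiltered for a moment during boot. Adding `Wants=network-pre.target` and `Before=network-pre.target` under `[Unit]` would order the oneshot ahead of network setup. A comment next to `ExecStop` would also help, noting that the helper's `stop` branch re-initialises the tables, so stopping the unit leaves the bridge without the loaded rules.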
@@ -42,8 +45,6 @@ Conflicts: setup < 2.10.4-1 Provides: ebtables %endif -%sbin_merge_compat %{_prefix}/sbin/ebtables - %description legacy Ethernet bridge tables is a firewalling tool to transparently filter network traffic passing a bridge. The filtering possibilities are limited to link @@ -60,6 +61,17 @@ functionality in a much newer code-base. To aid in migration, there is ebtables-nft utility, a drop-in replacement for the legacy one which uses nftables internally. It is provided by iptables-nft package. +%package services +Summary: ebtables systemd services +%{?systemd_ordering} +Obsoletes: ebtables-compat < 2.0.10-39 + +%description services +ebtables systemd services + +This package provides the systemd ebtables service that has been split +out of the base package for better integration with alternatives. + %prep %autosetup -p1 -n ebtables-%{version} # Convert to UTF-8 @@ -72,6 +84,10 @@ f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f %install %make_install +install -D -m 644 %{SOURCE3} %{buildroot}%{_unitdir}/ebtables.service +install -D -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables-helper +install -D -m 600 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config +touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables # install ebtables-legacy-save bash script install -m 755 %{SOURCE1} %{buildroot}%{_sbindir}/ebtables-legacy-save @@ -85,8 +101,14 @@ rm -f %{buildroot}%{_sysconfdir}/ethertypes # Drop these binaries (for now at least) rm %{buildroot}/%{_sbindir}/ebtables{d,u} +# Prepare for Alternatives system +touch %{buildroot}%{_sbindir}/ebtables +touch %{buildroot}%{_sbindir}/ebtables-save +touch %{buildroot}%{_sbindir}/ebtables-restore +touch %{buildroot}%{_mandir}/man8/ebtables.8 + %post legacy -pfx=%{_prefix}/sbin/ebtables +pfx=%{_sbindir}/ebtables manpfx=%{_mandir}/man8/ebtables for sfx in "" "-restore" "-save"; do if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then 
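Review bot: The new `%package services` stanza (hunk -60,6 +61,17) declares no dependency on the tools its helper runs: ebtables-helper calls `ebtables`, `ebtables-save` and `ebtables-restore`, but the stanza carries only `%{?systemd_ordering}` and an `Obsoletes:`. Unless a dependency is generated somewhere outside this diff, the subpackage can be installed on a host where the unit cannot load any ruleset. A line such as `Requires: ebtables` would close that gap, assuming the capability resolves through the `Provides: ebtables` seen in the legacy subpackage's context lines or through the package providing the alternative.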
@@ -96,9 +118,7 @@ done if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then rm -f $manpfx.8.gz fi -# drop the extra entry linking to /usr/bin which previous version installed -update-alternatives --remove ebtables /usr/bin/ebtables-legacy 2>/dev/null -update-alternatives --install \ +%{_sbindir}/update-alternatives --install \ $pfx ebtables $pfx-legacy 10 \ --slave $pfx-save ebtables-save $pfx-legacy-save \ --slave $pfx-restore ebtables-restore $pfx-legacy-restore \ 
@@ -107,68 +127,49 @@ update-alternatives --install \ %postun legacy if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove \ - ebtables %{_prefix}/sbin/ebtables-legacy + ebtables %{_sbindir}/ebtables-legacy fi # When upgrading ebtables to ebtables-{legacy,services}, # postun in ebtables thinks it is uninstalled and removes alternatives. # Counter this with a trigger here to have it installed again. %triggerpostun legacy -- ebtables -pfx=%{_prefix}/sbin/ebtables +pfx=%{_sbindir}/ebtables manpfx=%{_mandir}/man8/ebtables -update-alternatives --install \ +%{_sbindir}/update-alternatives --install \ $pfx ebtables $pfx-legacy 10 \ --slave $pfx-save ebtables-save $pfx-legacy-save \ --slave $pfx-restore ebtables-restore $pfx-legacy-restore \ --slave $manpfx.8.gz ebtables-man $manpfx-legacy.8.gz +%post services +%systemd_post ebtables.service + +%preun services +%systemd_preun ebtables.service + +%postun services +%systemd_postun ebtables.service + %files legacy %license COPYING %doc ChangeLog THANKS %{_sbindir}/ebtables-legacy* %{_mandir}/*/ebtables-legacy* %{_libdir}/libebtc.so* -%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables -%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables-save -%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables-restore -%ghost %attr(0644,root,root) %{_mandir}/man8/ebtables.8.gz +%ghost %{_sbindir}/ebtables +%ghost %{_sbindir}/ebtables-save +%ghost %{_sbindir}/ebtables-restore +%ghost %{_mandir}/man8/ebtables.8.gz + +%files services +%{_unitdir}/ebtables.service +%{_libexecdir}/ebtables-helper +%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config +%ghost %{_sysconfdir}/sysconfig/ebtables %changelog -* Wed Jul 23 2025 Fedora Release Engineering - 2.0.11-21 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Thu Apr 03 2025 Phil Sutter - 2.0.11-20 -- Drop ebtables-services package -- Add fixes/hooks for bin-sbin merge, analogous to iptables.spec - -* Thu Jan 16 2025 Fedora Release Engineering - 
2.0.11-19 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Thu Jul 25 2024 Miroslav Suchý - 2.0.11-18 -- convert license to SPDX - -* Wed Jul 17 2024 Fedora Release Engineering - 2.0.11-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Wed Jan 24 2024 Fedora Release Engineering - 2.0.11-16 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 2.0.11-15 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Jul 19 2023 Fedora Release Engineering - 2.0.11-14 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jan 19 2023 Fedora Release Engineering - 2.0.11-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Thu Jul 21 2022 Fedora Release Engineering - 2.0.11-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jan 20 2022 Fedora Release Engineering - 2.0.11-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - * Wed Jul 21 2021 Fedora Release Engineering - 2.0.11-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
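Review bot: The rewritten `%ghost` entries in `%files legacy` drop the `%attr(...)` that the removed lines carried, and the new `%ghost %{_sysconfdir}/sysconfig/ebtables` in `%files services` has none either, so rpm presumably records whatever mode `touch` left in the buildroot rather than an intended one. That matters most for the saved ruleset: `%ghost %attr(0600,root,root) %{_sysconfdir}/sysconfig/ebtables` would match the 600 mode that `%install` gives ebtables-config. Keeping `%attr(0755,root,root)` on the three sbin entries and `%attr(0644,root,root)` on the man page would keep the recorded modes accurate for the alternatives-managed paths as well.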