diff --git a/.gitignore b/.gitignore
index 3a4afb2..19cdd5b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,3 @@ ebtables-v2.0.9-2.tar.gz
 /ebtables-v2.0.10-1.tar.gz
 /ebtables-v2.0.10-2.tar.gz
 /ebtables-v2.0.10-4.tar.gz
-/ebtables-2.0.11.tar.bz2
diff --git a/ebtables-config b/ebtables-config
new file mode 100644
index 0000000..69d9289
--- /dev/null
+++ b/ebtables-config
@@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule counters.
+# Value: yes|no, default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"
diff --git a/ebtables-helper b/ebtables-helper
new file mode 100644
index 0000000..0f5bba9
--- /dev/null
+++ b/ebtables-helper
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Source function library.
+. /etc/init.d/functions
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+ EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_ON_RESTART="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+ local ret=0
+ for table in $EBTABLES_TABLES; do
+ ebtables -t $table --init-table || ret=1
+ done
+ return $ret
+}
+
+sanitize_dump() {
+ local drop=false
+
+ export EBTABLES_TABLES
+
+ cat $1 | while read line; do
+ case $line in
+ \**)
+ drop=false
+ local table="${line#\*}"
+ local found=false
+ for t in $EBTABLES_TABLES; do
+ if [[ $t == $table ]]; then
+ found=true
+ break
+ fi
+ done
+ $found || drop=true
+ ;;
+ esac
+ $drop || echo "$line"
+ done
+}
+
+start() {
+ if [ -f $EBTABLES_DATA ]; then
+ echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+ sanitize_dump $EBTABLES_DATA | ebtables-restore
+ else
+ echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+ initialize
+ fi
+ local ret=$?
+ touch $VAR_SUBSYS_EBTABLES
+ return $ret
+}
+
+save() {
+ echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+ export EBTABLES_SAVE_COUNTER
+ ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+ start)
+ [ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+ start && success || failure
+ RETVAL=$?
+ ;;
+ stop)
+ [ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+ action "ebtables: stopping firewall" initialize
+ RETVAL=$?
+ rm -f $VAR_SUBSYS_EBTABLES
+ ;;
+ save)
+ save
+ ;;
+ *)
+ echo "usage: ${0##*/} {start|stop|save}" >&2
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
diff --git a/ebtables.service b/ebtables.service
new file mode 100644
index 0000000..b096f1d
--- /dev/null
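Review bot: In ebtables-helper, `start()` runs `touch $VAR_SUBSYS_EBTABLES` even when `ebtables-restore` or `initialize` failed, and the `start)` arm exits 0 as soon as that file exists, so a later start after a failed load reports success with no ruleset in place. Create the marker only on success, for example `[ $ret -eq 0 ] && touch "$VAR_SUBSYS_EBTABLES"` before `return $ret`. `save()` has a related weakness: `ebtables-save >$EBTABLES_DATA` truncates the stored ruleset before the dump runs, so a failed save leaves an empty or partial file that the next `start` will load. Writing to a temporary file in the same directory and renaming it only on success avoids that.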
+++ b/ebtables.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ebtables.spec b/ebtables.spec
index 87b84e2..eb96156 100644
--- a/ebtables.spec
+++ b/ebtables.spec
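Review bot: The `[Unit]` section of ebtables.service declares no ordering against network bring-up, so nothing visible here guarantees the bridge ruleset is loaded before interfaces are configured. Frames could cross a bridge unfiltered for a window during boot. If the unit is meant to act as a firewall service, consider adding `Wants=network-pre.target` and `Before=network-pre.target` to `[Unit]`.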
@@ -1,21 +1,66 @@ +%global ebminor 4 %undefine _ld_as_needed Name: ebtables -Version: 2.0.11 -Release: 21%{?dist} +Version: 2.0.10 +Release: 36%{?dist} Summary: Ethernet Bridge frame table administration tool -# Automatically converted from old format: GPLv2+ - review is highly recommended. -License: GPL-2.0-or-later +License: GPLv2+ URL: http://ebtables.sourceforge.net/ -Source0: ftp://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.bz2 +Source0: http://downloads.sourceforge.net/ebtables/ebtables-v%{version}-%{ebminor}.tar.gz Source1: ebtables-legacy-save +Source2: ebtables-helper +Source3: ebtables.service +Source4: ebtables-config +Patch1: 0001-add-RARP-and-update-iana-url.patch +Patch2: 0002-fix-compilation-warning.patch +Patch3: 0003-add-info-about-Wl-no-as-needed.patch +Patch4: 0004-workaround-for-kernel-regression-bug-IPv6-source-des.patch +Patch5: 0005-Add-noflush-command-line-support-for-ebtables-restor.patch +Patch6: 0006-don-t-print-IPv6-mask-if-it-s-all-ones-based-on-patc.patch +Patch7: 0007-Add-kernel-headers-needed-from-v3.16.patch +Patch8: 0008-extensions-Use-stdint-types.patch +Patch9: 0009-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch +Patch10: 0010-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch +Patch11: 0011-ebtables-extensions-Constify-option-struct.patch +Patch12: 0012-Use-flock-for-concurrent-option.patch +Patch13: 0013-Fix-locking-if-LOCKDIR-does-not-exist.patch +Patch14: 0014-include-sync-linux-netfilter_bridge-ebt_ip.h-with-ke.patch +Patch15: 0015-Move-ICMP-type-handling-functions-from-ebt_ip6-to-us.patch +Patch16: 0016-ebt_ip-add-support-for-matching-ICMP-type-and-code.patch +Patch17: 0017-ebt_ip-add-support-for-matching-IGMP-type.patch +Patch18: 0018-extensions-Add-string-filter-to-ebtables.patch +Patch19: 0019-include-Fix-musl-libc-compatibility.patch +Patch20: 0020-ebtables-Fix-build-errors-and-warnings.patch +Patch21: 0021-build-update-ebtables.h-from-kernel-and-drop-local-u.patch +Patch22: 
0022-extensions-fix-build-failure-on-fc28.patch +Patch23: 0023-extensions-ebt_string-take-action-if-snprintf-discar.patch +Patch24: 0024-build-drop-install-o-g-root.patch +Patch25: 0025-build-rename-sed-source-files-to-.in.patch +Patch26: 0026-build-use-autoconf-style-placeholders-in-sed-ed-file.patch +Patch27: 0027-extensions-use-__attribute__-constructor-for-autoreg.patch +Patch28: 0028-Add-.gitignore.patch +Patch29: 0029-build-move-to-automake.patch +Patch30: 0030-ebtablesd-avoid-build-warning.patch +Patch31: 0031-extensions-among-Fix-bitmask-check.patch +Patch32: 0032-ebtables-legacy-renaming.patch +Patch33: 0033-ebtables-drop-.spec-file.patch +Patch34: 0034-ebtables-drop-sysvinit-script.patch +Patch35: 0035-Print-IPv6-prefixes-in-CIDR-notation.patch +Patch36: 0036-Adjust-.gitignore-to-renamed-files.patch +Patch37: 0037-extensions-Drop-Makefile.patch +Patch38: 0038-Allow-customizing-lockfile-location-at-configure-tim.patch +Patch39: 0039-extensions-Add-AUDIT-target.patch +Patch40: 0040-Fix-segfault-with-missing-lockfile-directory.patch + +BuildRequires: autogen BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: gcc -BuildRequires: make +BuildRequires: systemd %description Ethernet bridge tables is a firewalling tool to transparently filter network 
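Review bot: `Source0` on the new side is fetched over plain `http://`, and the `sources` hunk at the end of this diff records only a 32-hex-digit (MD5-style) digest for that tarball. The integrity of the upstream source therefore rests on an unauthenticated transport plus a hash that is no longer collision-resistant. Prefer `Source0: https://downloads.sourceforge.net/ebtables/ebtables-v%{version}-%{ebminor}.tar.gz` and re-record the tarball in `sources` in the `SHA512 (file) = digest` form that the old side used.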
@@ -30,19 +75,10 @@ like iptables. There are no known incompatibility issues. %package legacy Summary: Legacy user space tool to configure bridge netfilter rules in kernel -Requires(post): /usr/sbin/update-alternatives -Requires(post): %{_bindir}/readlink -Requires(postun): /usr/sbin/update-alternatives +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives Conflicts: setup < 2.10.4-1 -%if 0%{?rhel} >= 9 -# RHEL-9 provides ebtables via iptables-nft, but doesn't support ebtables -# alternatives. As such avoid the Provides here so iptables-nft is chosen, not -# ebtables-legacy. -%else Provides: ebtables -%endif - -%sbin_merge_compat %{_prefix}/sbin/ebtables %description legacy Ethernet bridge tables is a firewalling tool to transparently filter network 
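Review bot: The `legacy` sub-package no longer declares `Requires(post): %{_bindir}/readlink`, yet the `%post legacy` scriptlet shown in a later hunk still calls `readlink -e`. In a minimal or freshly bootstrapped install the scriptlet could run before that binary is present; the comparison would then silently be false and stale regular files would remain where the alternatives links are expected. Keep `Requires(post): %{_bindir}/readlink` next to the update-alternatives requirements.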
@@ -58,10 +94,31 @@ like iptables. There are no known incompatibility issues. Note that it is considered legacy upstream since nftables provides the same functionality in a much newer code-base. To aid in migration, there is ebtables-nft utility, a drop-in replacement for the legacy one which uses -nftables internally. It is provided by iptables-nft package. +nftables internally. It is provided by iptables-ebtables package. + +%package services +Summary: ebtables systemd services +%{?systemd_ordering} + +%description services +ebtables systemd services + +This package provides the systemd ebtables service that has been split +out of the base package for better integration with alternatives. + +%package compat +Summary: Transitioning helper package for services sub-package split +Obsoletes: ebtables < 2.0.10-32 +Requires: ebtables-legacy = %{version}-%{release} +Requires: ebtables-services = %{version}-%{release} + +%description compat +This package only exists to help transition ebtables users to the +new package split. It will be removed after one distribution release +cycle, please do not reference it or depend on it in any way. %prep -%autosetup -p1 -n ebtables-%{version} +%autosetup -p1 -n ebtables-v%{version}-%{ebminor} # Convert to UTF-8 f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f @@ -72,6 +129,10 @@ f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f %install %make_install +install -D -m 644 %{SOURCE3} %{buildroot}%{_unitdir}/ebtables.service +install -D -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables-helper +install -D -m 600 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config +touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables # install ebtables-legacy-save bash script install -m 755 %{SOURCE1} %{buildroot}%{_sbindir}/ebtables-legacy-save 
@@ -85,8 +146,14 @@ rm -f %{buildroot}%{_sysconfdir}/ethertypes # Drop these binaries (for now at least) rm %{buildroot}/%{_sbindir}/ebtables{d,u} +# Prepare for Alternatives system +touch %{buildroot}%{_sbindir}/ebtables +touch %{buildroot}%{_sbindir}/ebtables-save +touch %{buildroot}%{_sbindir}/ebtables-restore +touch %{buildroot}%{_mandir}/man8/ebtables.8 + %post legacy -pfx=%{_prefix}/sbin/ebtables +pfx=%{_sbindir}/ebtables manpfx=%{_mandir}/man8/ebtables for sfx in "" "-restore" "-save"; do if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then @@ -96,9 +163,7 @@ done if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then rm -f $manpfx.8.gz fi -# drop the extra entry linking to /usr/bin which previous version installed -update-alternatives --remove ebtables /usr/bin/ebtables-legacy 2>/dev/null -update-alternatives --install \ +%{_sbindir}/update-alternatives --install \ $pfx ebtables $pfx-legacy 10 \ --slave $pfx-save ebtables-save $pfx-legacy-save \ --slave $pfx-restore ebtables-restore $pfx-legacy-restore \ 
@@ -107,107 +172,51 @@ update-alternatives --install \ %postun legacy if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove \ - ebtables %{_prefix}/sbin/ebtables-legacy + ebtables %{_sbindir}/ebtables-legacy fi -# When upgrading ebtables to ebtables-{legacy,services}, +# When upgrading ebtables to ebtables-{legacy,services,compat}, # postun in ebtables thinks it is uninstalled and removes alternatives. # Counter this with a trigger here to have it installed again. %triggerpostun legacy -- ebtables -pfx=%{_prefix}/sbin/ebtables +pfx=%{_sbindir}/ebtables manpfx=%{_mandir}/man8/ebtables -update-alternatives --install \ +%{_sbindir}/update-alternatives --install \ $pfx ebtables $pfx-legacy 10 \ --slave $pfx-save ebtables-save $pfx-legacy-save \ --slave $pfx-restore ebtables-restore $pfx-legacy-restore \ --slave $manpfx.8.gz ebtables-man $manpfx-legacy.8.gz +%post services +%systemd_post ebtables.service + +%preun services +%systemd_preun ebtables.service + +%postun services +%systemd_postun ebtables.service + %files legacy %license COPYING %doc ChangeLog THANKS %{_sbindir}/ebtables-legacy* %{_mandir}/*/ebtables-legacy* %{_libdir}/libebtc.so* -%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables -%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables-save -%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables-restore -%ghost %attr(0644,root,root) %{_mandir}/man8/ebtables.8.gz +%ghost %{_sbindir}/ebtables +%ghost %{_sbindir}/ebtables-save +%ghost %{_sbindir}/ebtables-restore +%ghost %{_mandir}/man8/ebtables.8.gz + +%files services +%{_unitdir}/ebtables.service +%{_libexecdir}/ebtables-helper +%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config +%ghost %{_sysconfdir}/sysconfig/ebtables + +%files compat %changelog -* Wed Jul 23 2025 Fedora Release Engineering - 2.0.11-21 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Thu Apr 03 2025 Phil Sutter - 2.0.11-20 -- Drop ebtables-services package -- Add fixes/hooks for bin-sbin merge, 
analogous to iptables.spec - -* Thu Jan 16 2025 Fedora Release Engineering - 2.0.11-19 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Thu Jul 25 2024 Miroslav Suchý - 2.0.11-18 -- convert license to SPDX - -* Wed Jul 17 2024 Fedora Release Engineering - 2.0.11-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Wed Jan 24 2024 Fedora Release Engineering - 2.0.11-16 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 2.0.11-15 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Jul 19 2023 Fedora Release Engineering - 2.0.11-14 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jan 19 2023 Fedora Release Engineering - 2.0.11-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Thu Jul 21 2022 Fedora Release Engineering - 2.0.11-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jan 20 2022 Fedora Release Engineering - 2.0.11-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Wed Jul 21 2021 Fedora Release Engineering - 2.0.11-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Tue Jan 26 2021 Eric Garver - 2.0.11-9 -- avoid Provides: ebtables for newer RHEL/ELN builds - -* Tue Jan 26 2021 Fedora Release Engineering - 2.0.11-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Nov 5 2020 Florian Weimer - 2.0.11-7 -- Remove build dependency on autogen - -* Mon Jul 27 2020 Fedora Release Engineering - 2.0.11-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jan 28 2020 Fedora Release Engineering - 2.0.11-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Wed Jan 22 2020 Tom Callaway - 2.0.11-4 -- add Requires(post): %%{_bindir}/readlink (bz1792805) - -* Mon Dec 16 2019 Phil Sutter - 2.0.11-3 -- Fix nft-variant 
reference in package description - -* Mon Dec 16 2019 Phil Sutter - 2.0.11-2 -- Eliminate implicit dependency on initscripts package - -* Mon Dec 2 2019 Tom Callaway - 2.0.11-1 -- update to 2.0.11 (all of Phil's awesome patches merged) - -* Wed Oct 30 2019 Phil Sutter - 2.0.10-39 -- Make services sub-package obsolete compat to fix upgrade path - -* Tue Oct 22 2019 Phil Sutter - 2.0.10-38 -- Drop compat sub-package again - -* Wed Jul 24 2019 Fedora Release Engineering - 2.0.10-37 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - * Wed Jun 26 2019 Phil Sutter - 2.0.10-36 - Fix segfault with non-existing lock directory diff --git a/sources b/sources index a7bc584..c5a6b45 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (ebtables-2.0.11.tar.bz2) = 43a04c6174c8028c501591ef260526297e0f018016f226e2a3bcf80766fddf53d4605c347554d6da7c4ab5e2131584a18da20916ffddcbf2d26ac93b00c5777f +506742a3d44b9925955425a659c1a8d0 ebtables-v2.0.10-4.tar.gz
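Review bot: `%ghost %{_sysconfdir}/sysconfig/ebtables` in `%files services` carries no `%attr`, while ebtables-config beside it is installed with mode 600. The saved ruleset is created by the helper's `ebtables-save >$EBTABLES_DATA` redirection, so its mode presumably follows the service's umask and may be world-readable. If the ruleset should be as private as the config, declare `%ghost %attr(0600,root,root) %{_sysconfdir}/sysconfig/ebtables` and have the helper set the mode when it writes the file.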