[packages/ufw] up to 0.35
glen
glen at pld-linux.org
Fri Jun 17 11:57:55 CEST 2016
commit 889f47713511774592f5a48998c054ec1c546ec3
Author: Elan Ruusamäe <glen at delfi.ee>
Date: Fri Jun 17 12:57:38 2016 +0300
up to 0.35
conntrack.patch | 187 --------------------------------------------------------
sysconfig.patch | 25 ++++----
ufw.spec | 21 +++----
3 files changed, 20 insertions(+), 213 deletions(-)
---
diff --git a/ufw.spec b/ufw.spec
index 6686a80..5bc7512 100644
--- a/ufw.spec
+++ b/ufw.spec
@@ -1,18 +1,17 @@
Summary: Uncomplicated Firewall
Name: ufw
-Version: 0.33
-Release: 2
+Version: 0.35
+Release: 1
License: GPL v3+
Group: Networking/Admin
-Source0: http://launchpad.net/ufw/0.33/%{version}/+download/%{name}-%{version}.tar.gz
-# Source0-md5: 3747b453d76709e5a99da209fc0bb5f5
+Source0: http://launchpad.net/ufw/%{version}/%{version}/+download/%{name}-%{version}.tar.gz
+# Source0-md5: b7cd2dd4e4e98e46df125fee06edff92
Patch0: sysconfig.patch
Patch1: dont-check-iptables.patch
-Patch2: conntrack.patch
URL: http://launchpad.net/ufw
BuildRequires: python-devel >= 1:2.6
BuildRequires: rpm-pythonprov
-BuildRequires: rpmbuild(macros) >= 1.219
+BuildRequires: rpmbuild(macros) >= 1.714
BuildRequires: sed >= 4.0
Requires: iptables >= 1.4.16
Requires: iptables-init
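Review bot: The dropped `Patch2: conntrack.patch` (and its `%patch2 -p1` in the %prep hunk below) is not explained anywhere in the spec or the commit message; that patch replaced `-m state` with `-m conntrack` in the shipped rules and backend, so if 0.35 carries that change upstream the spec should say so, e.g. a comment above the Patch lines `# conntrack.patch dropped: 0.35 uses -m conntrack upstream (verify)`. Separately, the new Source0 is fetched over plain http and the tarball's integrity rests on the hand-refreshed `# Source0-md5:` line alone; MD5 is not collision resistant, so record that the digest was cross-checked against upstream's release signature if one is published, or add a stronger digest if the PLD build macros support one.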
@@ -30,7 +29,6 @@ manipulating the firewall.
%setup -q
%patch0 -p1
%patch1 -p1
-%patch2 -p1
%{__sed} -i -re 's,#! /usr/bin/env ,#!,' setup.py
@@ -47,10 +45,7 @@ grep -rl /etc/default/ufw . | xargs %{__sed} -i -e 's,/etc/default/ufw,/etc/sysc
%install
rm -rf $RPM_BUILD_ROOT
-%{__python} setup.py install \
- --optimize=2 \
- --root=$RPM_BUILD_ROOT
-
+%py_install
%py_postclean
%clean
@@ -63,6 +58,8 @@ rm -rf $RPM_BUILD_ROOT
%dir %{_sysconfdir}/ufw
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ufw/*.conf
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ufw/*.rules
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ufw/after.init
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ufw/before.init
%dir %{_sysconfdir}/ufw/applications.d
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ufw/applications.d/*
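Review bot: `after.init` and `before.init` are listed without an explicit `%attr`, so their packaged mode is whatever `%py_install` leaves behind; these are hook scripts that ufw's init functions run as root when they are executable (as far as I recall the upstream design — confirm against 0.35's ufw-init-functions), so a mode that is writable by others or executable by default would matter. Pin it in the file list, e.g. `%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ufw/after.init` and the same line for `before.init`, matching whatever mode upstream's setup.py assigns.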
@@ -73,8 +70,6 @@ rm -rf $RPM_BUILD_ROOT
%dir /lib/ufw
%attr(755,root,root) /lib/ufw/ufw-init
/lib/ufw/ufw-init-functions
-/lib/ufw/user.rules
-/lib/ufw/user6.rules
%dir %{py_sitescriptdir}/ufw
%{py_sitescriptdir}/ufw/*.py[co]
%{py_sitescriptdir}/ufw-%{version}-py*.egg-info
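Review bot: Removing `/lib/ufw/user.rules` and `/lib/ufw/user6.rules` leaves their new location unstated; if 0.35 installs them under `%{_sysconfdir}/ufw`, they are now picked up silently by the `*.rules` glob in the earlier %files hunk. Those files hold the administrator's ruleset and are rewritten by ufw at runtime, so an explicit entry with the intended mode (`%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ufw/user.rules`, same for `user6.rules`) would make the packaged permissions reviewable instead of glob-dependent. Confirm where setup.py in 0.35 places them before changing the list.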
diff --git a/conntrack.patch b/conntrack.patch
deleted file mode 100644
index 36eee8e..0000000
--- a/conntrack.patch
+++ /dev/null
@@ -1,187 +0,0 @@
-use conntrack instead of state
-https://bugs.launchpad.net/ufw/+bug/1065297
-diff -urp ufw-0.33.orig/conf/before6.rules ufw-0.33/conf/before6.rules
---- ufw-0.33.orig/conf/before6.rules 2012-10-10 22:26:26.021931270 +0200
-+++ ufw-0.33/conf/before6.rules 2012-10-10 22:38:58.803605951 +0200
-@@ -34,16 +34,16 @@
- -A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-
- # quickly process packets for which we already have a connection
---A ufw6-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
---A ufw6-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-+-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-+-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- # for multicast ping replies from link-local addresses (these don't have an
- # associated connection and would otherwise be marked INVALID)
- -A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT
-
- # drop INVALID packets (logs these in loglevel medium and higher)
---A ufw6-before-input -m state --state INVALID -j ufw6-logging-deny
---A ufw6-before-input -m state --state INVALID -j DROP
-+-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-+-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
-
- # ok icmp codes
- -A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-diff -urp ufw-0.33.orig/conf/before.rules ufw-0.33/conf/before.rules
---- ufw-0.33.orig/conf/before.rules 2012-10-10 22:26:26.021931270 +0200
-+++ ufw-0.33/conf/before.rules 2012-10-10 22:38:17.442349148 +0200
-@@ -22,12 +22,12 @@
- -A ufw-before-output -o lo -j ACCEPT
-
- # quickly process packets for which we already have a connection
---A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
---A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-+-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-+-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
- # drop INVALID packets (logs these in loglevel medium and higher)
---A ufw-before-input -m state --state INVALID -j ufw-logging-deny
---A ufw-before-input -m state --state INVALID -j DROP
-+-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-+-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-
- # ok icmp codes
- -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-diff -urp ufw-0.33.orig/doc/ufw-framework.8 ufw-0.33/doc/ufw-framework.8
---- ufw-0.33.orig/doc/ufw-framework.8 2012-10-10 22:26:26.020931143 +0200
-+++ ufw-0.33/doc/ufw-framework.8 2012-10-10 23:06:21.407372442 +0200
-@@ -167,9 +167,9 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to
- net.ipv4.ip_forward=1
- .TP
- Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules:
-- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\
-- \-j ACCEPT
-- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\
-+ \-A ufw\-before\-forward \-m conntrack \\
-+ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT
-+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\
- \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT
- .TP
- Add to the end of #CONFIG_PREFIX#/ufw/before.rules, after the *filter section:
-@@ -209,13 +209,13 @@ Edit #CONFIG_PREFIX#/ufw/sysctl.conf to
- net.ipv4.ip_forward=1
- .TP
- Add to the *filter section of #CONFIG_PREFIX#/ufw/before.rules:
-- \-A ufw\-before\-forward \-m state \-\-state RELATED,ESTABLISHED \\
-- \-j ACCEPT
-+ \-A ufw\-before\-forward \-m conntrack \\
-+ \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT
-
-- \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \-m state \\
-- \-\-state NEW \-j ACCEPT
-+ \-A ufw\-before\-forward \-i eth1 \-s 10.0.0.0/8 \-o eth0 \\
-+ \-m conntrack \-\-ctstate NEW \-j ACCEPT
-
-- \-A ufw\-before\-forward \-m state \-\-state NEW \-i eth0 \\
-+ \-A ufw\-before\-forward \-m conntrack \-\-ctstate NEW \-i eth0 \\
- \-d 10.0.0.2 \-p tcp \-\-dport 80 \-j ACCEPT
-
- \-A ufw\-before\-forward \-o eth0 \-d 10.0.0.0/8 \-j REJECT
-diff -urp ufw-0.33.orig/src/backend_iptables.py ufw-0.33/src/backend_iptables.py
---- ufw-0.33.orig/src/backend_iptables.py 2012-10-10 22:26:26.022931397 +0200
-+++ ufw-0.33/src/backend_iptables.py 2012-10-10 22:29:53.981361845 +0200
-@@ -558,7 +558,7 @@ class UFWBackendIptables(ufw.backend.UFW
- lstr = '%s -j LOG --log-prefix "[UFW %s] "' % (limit_args, \
- policy)
- if not pat_logall.search(s):
-- lstr = '-m state --state NEW ' + lstr
-+ lstr = '-m conntrack --ctstate NEW ' + lstr
- snippets[i] = pat_log.sub(r'\1-j \2\4', s)
- snippets.insert(i, pat_log.sub(r'\1-j ' + prefix + \
- '-user-logging-' + suffix, s))
-@@ -574,9 +574,9 @@ class UFWBackendIptables(ufw.backend.UFW
- pat_limit = re.compile(r' -j LIMIT')
- for i, s in enumerate(snippets):
- if pat_limit.search(s):
-- tmp1 = pat_limit.sub(' -m state --state NEW -m recent --set', \
-+ tmp1 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent --set', \
- s)
-- tmp2 = pat_limit.sub(' -m state --state NEW -m recent' + \
-+ tmp2 = pat_limit.sub(' -m conntrack --ctstate NEW -m recent' + \
- ' --update --seconds 30 --hitcount 6' + \
- ' -j ' + prefix + '-user-limit', s)
- tmp3 = pat_limit.sub(' -j ' + prefix + '-user-limit-accept', s)
-@@ -1196,12 +1196,12 @@ class UFWBackendIptables(ufw.backend.UFW
- prefix = "[UFW BLOCK] "
- if self.loglevels[level] < self.loglevels["medium"]:
- # only log INVALID in medium and higher
-- rules_t.append([c, ['-I', c, '-m', 'state', \
-- '--state', 'INVALID', \
-+ rules_t.append([c, ['-I', c, '-m', 'conntrack', \
-+ '--ctstate', 'INVALID', \
- '-j', 'RETURN'] + largs, ''])
- else:
-- rules_t.append([c, ['-A', c, '-m', 'state', \
-- '--state', 'INVALID', \
-+ rules_t.append([c, ['-A', c, '-m', 'conntrack', \
-+ '--ctstate', 'INVALID', \
- '-j', 'LOG', \
- '--log-prefix', \
- "[UFW AUDIT INVALID] "] + \
-@@ -1220,7 +1220,7 @@ class UFWBackendIptables(ufw.backend.UFW
-
- # loglevel medium logs all new packets with limit
- if self.loglevels[level] < self.loglevels["high"]:
-- largs = ['-m', 'state', '--state', 'NEW'] + limit_args
-+ largs = ['-m', 'conntrack', '--ctstate', 'NEW'] + limit_args
-
- prefix = "[UFW AUDIT] "
- for c in self.chains['before']:
-diff -urp ufw-0.33.orig/src/ufw-init-functions ufw-0.33/src/ufw-init-functions
---- ufw-0.33.orig/src/ufw-init-functions 2012-10-10 22:26:26.023931524 +0200
-+++ ufw-0.33/src/ufw-init-functions 2012-10-10 22:48:38.305257627 +0200
-@@ -251,15 +251,15 @@ ufw_start() {
- # add tracking policy
- if [ "$DEFAULT_INPUT_POLICY" = "ACCEPT" ]; then
- printf "*filter\n"\
--"-A ufw${type}-track-input -p tcp -m state --state NEW -j ACCEPT\n"\
--"-A ufw${type}-track-input -p udp -m state --state NEW -j ACCEPT\n"\
-+"-A ufw${type}-track-input -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\
-+"-A ufw${type}-track-input -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\
- "COMMIT\n" | $exe-restore -n || error="yes"
- fi
-
- if [ "$DEFAULT_OUTPUT_POLICY" = "ACCEPT" ]; then
- printf "*filter\n"\
--"-A ufw${type}-track-output -p tcp -m state --state NEW -j ACCEPT\n"\
--"-A ufw${type}-track-output -p udp -m state --state NEW -j ACCEPT\n"\
-+"-A ufw${type}-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT\n"\
-+"-A ufw${type}-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT\n"\
- "COMMIT\n" | $exe-restore -n || error="yes"
- fi
-
-diff -urp ufw-0.33.orig/tests/check-requirements ufw-0.33/tests/check-requirements
---- ufw-0.33.orig/tests/check-requirements 2012-10-10 22:26:25.944921482 +0200
-+++ ufw-0.33/tests/check-requirements 2012-10-10 22:41:54.378920671 +0200
-@@ -167,24 +167,24 @@ for i in "" 6; do
- done
-
- echo -n "hashlimit: "
-- runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m state --state NEW -j ACCEPT
-+ runcmd $exe -A $c -m hashlimit -m tcp -p tcp --dport 22 --hashlimit 1/min --hashlimit-mode srcip --hashlimit-name ssh -m conntrack --ctstate NEW -j ACCEPT
-
- echo -n "limit: "
- runcmd $exe -A $c -m limit --limit 3/min --limit-burst 10 -j ACCEPT
-
- for j in NEW RELATED ESTABLISHED INVALID; do
- echo -n "state ($j): "
-- runcmd $exe -A $c -m state --state $j
-+ runcmd $exe -A $c -m conntrack --ctstate $j
- done
-
- echo -n "state (new, recent set): "
-- runcmd runtime $exe -A $c -m state --state NEW -m recent --set
-+ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --set
-
- echo -n "state (new, recent update): "
-- runcmd runtime $exe -A $c -m state --state NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
-+ runcmd runtime $exe -A $c -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j ACCEPT
-
- echo -n "state (new, limit): "
-- runcmd $exe -A $c -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT
-+ runcmd $exe -A $c -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j ACCEPT
-
- echo -n "interface (input): "
- runcmd $exe -A $c -i eth0 -j ACCEPT
diff --git a/sysconfig.patch b/sysconfig.patch
index 84eebb3..40bbc76 100644
--- a/sysconfig.patch
+++ b/sysconfig.patch
@@ -9,26 +9,25 @@
ufwconf = os.path.join(confdir, 'ufw', 'ufw.conf')
sysctl = os.path.join(confdir, 'ufw', 'sysctl.conf')
before_rules = os.path.join(confdir, 'ufw', 'before.rules')
---- ufw-0.33.n/src/backend.py 2012-08-18 00:12:49.000000000 +0300
-+++ ufw-0.33/src/backend.py 2013-09-16 11:29:34.819300854 +0300
-@@ -32,8 +32,8 @@
- self.dryrun = dryrun
- self.rules = []
+--- ufw-0.35/src/backend.py~ 2016-02-18 07:26:44.000000000 +0200
++++ ufw-0.35/src/backend.py 2016-06-17 12:53:04.165668850 +0300
+@@ -37,7 +37,7 @@
self.rules6 = []
-- self.files = {'defaults': os.path.join(config_dir, 'default/ufw'),
-+ self.files = {'defaults': os.path.join(config_dir, 'sysconfig/ufw'),
- 'conf': os.path.join(config_dir, 'ufw/ufw.conf'),
- 'apps': os.path.join(config_dir, 'ufw/applications.d') }
+ p = _findpath(ufw.common.config_dir, datadir)
+- self.files = {'defaults': os.path.join(p, 'default/ufw'),
++ self.files = {'defaults': os.path.join(p, 'sysconfig/ufw'),
+ 'conf': os.path.join(p, 'ufw/ufw.conf'),
+ 'apps': os.path.join(p, 'ufw/applications.d') }
if extra_files != None:
---- ufw-0.33.n/src/ufw-init-functions 2012-08-18 00:12:49.000000000 +0300
-+++ ufw-0.33/src/ufw-init-functions 2013-09-16 11:29:34.819300854 +0300
+--- ufw-0.35/src/ufw-init-functions~ 2016-02-18 07:26:44.000000000 +0200
++++ ufw-0.35/src/ufw-init-functions 2016-06-17 12:53:34.520564916 +0300
@@ -20,7 +20,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin"
--for s in "#CONFIG_PREFIX#/default/ufw" "#CONFIG_PREFIX#/ufw/ufw.conf" ; do
-+for s in "#CONFIG_PREFIX#/sysconfig/ufw" "#CONFIG_PREFIX#/ufw/ufw.conf" ; do
+-for s in "${DATA_DIR}#CONFIG_PREFIX#/default/ufw" "${DATA_DIR}#CONFIG_PREFIX#/ufw/ufw.conf" ; do
++for s in "${DATA_DIR}#CONFIG_PREFIX#/sysconfig/ufw" "${DATA_DIR}#CONFIG_PREFIX#/ufw/ufw.conf" ; do
if [ -s "$s" ]; then
. "$s"
else
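Review bot: The refreshed ufw-init-functions hunk now sources `${DATA_DIR}#CONFIG_PREFIX#/sysconfig/ufw` with `.`, so the prefix decides which file is executed as root; `DATA_DIR` is assigned outside this hunk, and the refresh should be checked against 0.35 to confirm it is set inside the script rather than inherited from the caller's environment, since the rename here only follows upstream's change. Also, the old-side headers `src/backend.py~` and `src/ufw-init-functions~` come from editor backups; regenerating the patch with `diff -u` against a pristine `ufw-0.35.orig/` tree keeps the file names symmetric for `%patch0 -p1` and makes the next refresh a clean diff. The patch content before line 9 of sysconfig.patch is outside this hunk.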
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/ufw.git/commitdiff/889f47713511774592f5a48998c054ec1c546ec3