packages: iptables/ip6tables.init, iptables/iptables.init, iptables/iptable...

Wed Apr 18 11:28:55 CEST 2012

Author: baggins                      Date: Wed Apr 18 09:28:55 2012 GMT
Module: packages                      Tag: HEAD
---- Log message:
- add a bit of configurability to init scripts

---- Files affected:
packages/iptables:
   ip6tables.init (1.17 -> 1.18) , iptables.init (1.14 -> 1.15) , iptables.spec (1.312 -> 1.313) , ip6tables-config (NONE -> 1.1)  (NEW), iptables-config (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/iptables/ip6tables.init
diff -u packages/iptables/ip6tables.init:1.17 packages/iptables/ip6tables.init:1.18

--- packages/iptables/ip6tables.init:1.17	Fri Aug 12 22:03:25 2011
+++ packages/iptables/ip6tables.init	Wed Apr 18 11:28:50 2012
@@ -35,6 +35,15 @@
 	exit 0
 fi
 
+IP6TABLES_SAVE_ON_STOP="no"
+IP6TABLES_SAVE_COUNTER="no"
+IP6TABLES_STATUS_NUMERIC="yes"
+IP6TABLES_STATUS_VERBOSE="no"
+IP6TABLES_STATUS_LINENUMBERS="yes"
+[ -f /etc/sysconfig/ip6tables-config ] && . /etc/sysconfig/ip6tables-config
+_SAVEOPT=
+is_yes $IP6TABLES_SAVE_COUNTER && _SAVEOPT="-c"
+
 iftable() {
 	if fgrep -qsx $1 /proc/net/ip6_tables_names; then
 		ip6tables -t "$@"
@@ -67,7 +76,7 @@
 		for i in $tables; do ip6tables -t $i -Z; done
 
 		show "Applying ip6tables firewall rules"
-		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/ip6tables-restore -c && \
+		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/ip6tables-restore $_SAVEOPT && \
 			ok || fail
 		touch /var/lock/subsys/ip6tables
 	fi
@@ -105,24 +114,32 @@
 	rm -f /var/lock/subsys/ip6tables
 }
 
+save() {
+	show "Saving current rules to %s" $IPTABLES_CONFIG
+	touch $IPTABLES_CONFIG
+	chmod 600 $IPTABLES_CONFIG
+	/usr/sbin/ip6tables-save $_SAVEOPT > $IPTABLES_CONFIG  2>/dev/null && ok || fail
+}
+
 upstart_controlled --except status panic load save clear
 
 case "$1" in
   start|load)
 	start
 	;;
-
-  stop|clear)
+  stop)
+	is_yes $IP6TABLES_SAVE_ON_STOP && save
+	stop
+	;;
+  clear)
 	stop
 	;;
-
   restart|force-reload)
 	# "restart" is really just "start" as this isn't a daemon,
 	#  and "start" clears any pre-defined rules anyway.
 	#  This is really only here to make those who expect it happy
 	start
 	;;
-
   panic)
 	show "Changing target policies to DROP"
 	iftable filter -P INPUT DROP && \
@@ -153,22 +170,19 @@
 	iftable mangle -X OUTPUT && \
 	ok || fail
 	;;
-
   save)
-	show "Saving current rules to %s" $IPTABLES_CONFIG
-	touch $IPTABLES_CONFIG
-	chmod 600 $IPTABLES_CONFIG
-	/usr/sbin/ip6tables-save -c > $IPTABLES_CONFIG  2>/dev/null && ok || fail
+	save
 	;;
-
   status)
+	is_yes $IP6TABLES_STATUS_NUMERIC && _NUMERIC="-n"
+	is_yes $IP6TABLES_STATUS_VERBOSE && _VERBOSE="--verbose"
+	is_yes $IP6TABLES_STATUS_LINENUMBERS && _LINES="--line-numbers"
 	tables=`cat /proc/net/ip6_tables_names 2>/dev/null`
 	for table in $tables; do
 		echo "Table: $table"
-		ip6tables -t $table -n --list
+		ip6tables -t $table -n --list $_NUMERIC $_VERBOSE $_LINES
 	done
 	;;
-
   *)
 	msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
 	exit 3

================================================================
Index: packages/iptables/iptables.init
diff -u packages/iptables/iptables.init:1.14 packages/iptables/iptables.init:1.15
--- packages/iptables/iptables.init:1.14	Thu Jan 27 23:27:00 2011
+++ packages/iptables/iptables.init	Wed Apr 18 11:28:50 2012
@@ -35,6 +35,15 @@
 	exit 0
 fi
 
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="yes"
+IPTABLES_STATUS_VERBOSE="no"
+IPTABLES_STATUS_LINENUMBERS="yes"
+[ -f /etc/sysconfig/iptables-config ] && . /etc/sysconfig/iptables-config
+_SAVEOPT=
+is_yes $IPTABLES_SAVE_COUNTER && _SAVEOPT="-c"
+
 iftable() {
 	if fgrep -qsx $1 /proc/net/ip_tables_names; then
 		iptables -t "$@"
@@ -67,7 +76,7 @@
 		for i in $tables; do iptables -t $i -Z; done
 
 		show "Applying iptables firewall rules"
-		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/iptables-restore -c && \
+		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/iptables-restore $_SAVEOPT && \
 			ok || \
 			fail
 		touch /var/lock/subsys/iptables
@@ -106,24 +115,32 @@
 	rm -f /var/lock/subsys/iptables
 }
 
+save() {
+	show "Saving current rules to %s" $IPTABLES_CONFIG
+	touch $IPTABLES_CONFIG
+	chmod 600 $IPTABLES_CONFIG
+	/usr/sbin/iptables-save $_SAVEOPT > $IPTABLES_CONFIG  2>/dev/null && ok || fail
+}
+
 upstart_controlled --except status panic load save clear
 
 case "$1" in
   start|load)
 	start
 	;;
-
-  stop|clear)
+  stop)
+	is_yes $IPTABLES_SAVE_ON_STOP && save
+	stop
+	;;
+  clear)
 	stop
 	;;
-
   restart|force-reload)
 	# "restart" is really just "start" as this isn't a daemon,
 	#  and "start" clears any pre-defined rules anyway.
 	#  This is really only here to make those who expect it happy
 	start
 	;;
-
   panic)
 	show "Changing target policies to DROP"
 	iftable filter -P INPUT DROP && \
@@ -154,22 +171,19 @@
 	iftable mangle -X OUTPUT && \
 	ok || fail
 	;;
-
   save)
-	show "Saving current rules to %s" $IPTABLES_CONFIG
-	touch $IPTABLES_CONFIG
-	chmod 600 $IPTABLES_CONFIG
-	/usr/sbin/iptables-save -c > $IPTABLES_CONFIG  2>/dev/null && ok || fail
+	save
 	;;
-
   status)
+	is_yes $IPTABLES_STATUS_NUMERIC && _NUMERIC="-n"
+	is_yes $IPTABLES_STATUS_VERBOSE && _VERBOSE="--verbose"
+	is_yes $IPTABLES_STATUS_LINENUMBERS && _LINES="--line-numbers"
 	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
 	for table in $tables; do
 		echo "Table: $table"
-		iptables -t $table -n --list
+		iptables -t $table -n --list $_NUMERIC $_VERBOSE $_LINES
 	done
 	;;
-
   *)
 	msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
 	exit 3

================================================================
Index: packages/iptables/iptables.spec
diff -u packages/iptables/iptables.spec:1.312 packages/iptables/iptables.spec:1.313
--- packages/iptables/iptables.spec:1.312	Sat Mar 31 10:31:26 2012
+++ packages/iptables/iptables.spec	Wed Apr 18 11:28:50 2012
@@ -45,6 +45,8 @@
 Source3:	%{name6}.init
 Source4:	%{name}.upstart
 Source5:	%{name6}.upstart
+Source6:	%{name}-config
+Source7:	%{name6}-config
 # --- GENERAL CHANGES (patches<10):
 Patch0:		%{name}-man.patch
 # additional utils; off by default
@@ -222,7 +224,8 @@
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{/etc/rc.d/init.d,%{_includedir},%{_libdir},%{_mandir}/man3}
+install -d $RPM_BUILD_ROOT/etc/{rc.d/init.d,sysconfig} \
+	$RPM_BUILD_ROOT{%{_includedir},%{_libdir},%{_mandir}/man3}
 
 %{__make} install \
 	DESTDIR=$RPM_BUILD_ROOT \
@@ -236,6 +239,9 @@
 cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/init/%{name}.conf
 cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/init/%{name6}.conf
 
+install -p %{SOURCE6} $RPM_BUILD_ROOT/etc/sysconfig/%{name}-config
+install -p %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/%{name6}-config
+
 %clean
 rm -rf $RPM_BUILD_ROOT
 
@@ -426,6 +432,8 @@
 
 %files init
 %defattr(644,root,root,755)
+%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name}-config
+%config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/%{name6}-config
 %attr(754,root,root) /etc/rc.d/init.d/iptables
 %attr(754,root,root) /etc/rc.d/init.d/ip6tables
 %config(noreplace) %verify(not md5 mtime size) /etc/init/%{name}.conf
@@ -437,6 +445,9 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.313  2012/04/18 09:28:50  baggins
+- add a bit of configurability to init scripts
+
 Revision 1.312  2012/03/31 08:31:26  arekm
 - up to 1.4.13
 

================================================================
Index: packages/iptables/ip6tables-config
diff -u /dev/null packages/iptables/ip6tables-config:1.1
--- /dev/null	Wed Apr 18 11:28:55 2012
+++ packages/iptables/ip6tables-config	Wed Apr 18 11:28:50 2012
@@ -0,0 +1,28 @@
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/ip6tables if firewall gets stopped
+# (e.g. on system shutdown).
+IP6TABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule and chain counter.
+#   Value: yes|no,  default: no
+# Save counters for rules and chains to /etc/sysconfig/ip6tables if
+# 'service ip6tables save' is called or on stop or restart if SAVE_ON_STOP
+# is enabled.
+IP6TABLES_SAVE_COUNTER="yes"
+
+# Numeric status output
+#   Value: yes|no,  default: yes
+# Print IPv6 addresses and port numbers in numeric format in the status output.
+IP6TABLES_STATUS_NUMERIC="no"
+
+# Verbose status output
+#   Value: yes|no,  default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IP6TABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+#   Value: yes|no,  default: yes
+# Print a counter/number for every rule in the status output.
+IP6TABLES_STATUS_LINENUMBERS="no"

================================================================
Index: packages/iptables/iptables-config
diff -u /dev/null packages/iptables/iptables-config:1.1
--- /dev/null	Wed Apr 18 11:28:55 2012
+++ packages/iptables/iptables-config	Wed Apr 18 11:28:50 2012
@@ -0,0 +1,28 @@
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule and chain counter.
+#   Value: yes|no,  default: yes
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP
+# is enabled.
+IPTABLES_SAVE_COUNTER="yes"
+
+# Numeric status output
+#   Value: yes|no,  default: no
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="no"
+
+# Verbose status output
+#   Value: yes|no,  default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+#   Value: yes|no,  default: no
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="no"
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/packages/iptables/ip6tables.init?r1=1.17&r2=1.18
    http://cvs.pld-linux.org/packages/iptables/iptables.init?r1=1.14&r2=1.15
    http://cvs.pld-linux.org/packages/iptables/iptables.spec?r1=1.312&r2=1.313

