diff --git a/srcpkgs/iptables-devel b/srcpkgs/iptables-devel
new file mode 120000
index 00000000000..59cead781ec
--- /dev/null
+++ b/srcpkgs/iptables-devel
@@ -0,0 +1 @@
+iptables
\ No newline at end of file
diff --git a/srcpkgs/iptables/depends b/srcpkgs/iptables/depends
new file mode 100644
index 00000000000..47e467b26ab
--- /dev/null
+++ b/srcpkgs/iptables/depends
@@ -0,0 +1,2 @@
+abi_depends=">=1.4.7"
+api_depends="${abi_depends}"
diff --git a/srcpkgs/iptables/files/empty.rules b/srcpkgs/iptables/files/empty.rules
new file mode 100644
index 00000000000..e24e1aa30f7
--- /dev/null
+++ b/srcpkgs/iptables/files/empty.rules
@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
diff --git a/srcpkgs/iptables/files/ip6tables.confd b/srcpkgs/iptables/files/ip6tables.confd
new file mode 100644
index 00000000000..93c0bc89b38
--- /dev/null
+++ b/srcpkgs/iptables/files/ip6tables.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/ip6tables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/var/lib/ip6tables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
diff --git a/srcpkgs/iptables/files/iptables.confd b/srcpkgs/iptables/files/iptables.confd
new file mode 100644
index 00000000000..91287debdbc
--- /dev/null
+++ b/srcpkgs/iptables/files/iptables.confd
@@ -0,0 +1,11 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="yes"
diff --git a/srcpkgs/iptables/files/iptables.rc b/srcpkgs/iptables/files/iptables.rc
new file mode 100644
index 00000000000..c50f955981d
--- /dev/null
+++ b/srcpkgs/iptables/files/iptables.rc
@@ -0,0 +1,114 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/www/viewcvs.gentoo.org/raw_cvs/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.6 2007/03/12 21:49:04 vapier Exp $
+
+opts="save reload panic"
+
+iptables_name=${SVCNAME}
+if [ "${iptables_name}" != "iptables" -a "${iptables_name}" != "ip6tables" ] ; then
+ iptables_name="iptables"
+fi
+
+iptables_bin="/sbin/${iptables_name}"
+case ${iptables_name} in
+ iptables) iptables_proc="/proc/net/ip_tables_names"
+ iptables_save=${IPTABLES_SAVE};;
+ ip6tables) iptables_proc="/proc/net/ip6_tables_names"
+ iptables_save=${IP6TABLES_SAVE};;
+esac
+
+depend() {
+ before net
+ use logger
+}
+
+set_table_policy() {
+ local chains table=$1 policy=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -P ${chain} ${policy}
+ done
+}
+
+checkkernel() {
+ if [ ! -e ${iptables_proc} ] ; then
+ eerror "Your kernel lacks ${iptables_name} support, please load"
+ eerror "appropriate modules and try again."
+ return 1
+ fi
+ return 0
+}
+checkconfig() {
+ if [ ! -f ${iptables_save} ] ; then
+ eerror "Not starting ${iptables_name}. First create some rules then run:"
+ eerror "/etc/init.d/${iptables_name} save"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Loading ${iptables_name} state and starting firewall"
+ ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
+ eend $?
+}
+
+stop() {
+ if [ "${SAVE_ON_STOP}" = "yes" ] ; then
+ save || return 1
+ fi
+ checkkernel || return 1
+ ebegin "Stopping firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ set_table_policy $a ACCEPT
+
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+}
+
+reload() {
+ checkkernel || return 1
+ ebegin "Flushing firewall"
+ local a
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ done
+ eend $?
+
+ start
+}
+
+save() {
+ ebegin "Saving ${iptables_name} state"
+ touch "${iptables_save}"
+ chmod 0600 "${iptables_save}"
+ ${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${iptables_save}"
+ eend $?
+}
+
+panic() {
+ checkkernel || return 1
+ service_started ${iptables_name} && svc_stop
+
+ local a
+ ebegin "Dropping all packets"
+ for a in $(cat ${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+
+ set_table_policy $a DROP
+ done
+ eend $?
+}
diff --git a/srcpkgs/iptables/files/simple_firewall.rules b/srcpkgs/iptables/files/simple_firewall.rules
new file mode 100644
index 00000000000..e1604cc36f4
--- /dev/null
+++ b/srcpkgs/iptables/files/simple_firewall.rules
@@ -0,0 +1,11 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT
diff --git a/srcpkgs/iptables/iptables-devel.template b/srcpkgs/iptables/iptables-devel.template
new file mode 100644
index 00000000000..93f4bb6230a
--- /dev/null
+++ b/srcpkgs/iptables/iptables-devel.template
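Review bot: In `panic()`, each table is flushed (`${iptables_bin} -F -t $a`, `${iptables_bin} -X -t $a`) before `set_table_policy $a DROP` runs, and the preceding `svc_stop` has already set every policy to ACCEPT via `stop()`, so there is a window in which the host has ACCEPT policies and no rules at all; moving `set_table_policy $a DROP` ahead of the two flush lines closes the policy before the rules disappear. A smaller point in `save()`: `touch "${iptables_save}"` creates the file with umask-dependent permissions and only afterwards `chmod 0600` tightens them, so creating it with the final mode up front (`install -m 0600 /dev/null "${iptables_save}"` in place of the touch/chmod pair) avoids that gap on a first save. The hunk spans two physical lines here, but every function it defines is complete within it.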
@@ -0,0 +1,19 @@
+# Template file for 'iptables-devel'.
+#
+short_desc="${sourcepkg} (development files)"
+long_desc="${long_desc}
+
+ This package contains files for development, headers, static libs, etc."
+
+Add_dependency run glibc-devel
+Add_dependency run kernel-headers
+Add_dependency run iptables
+
+do_install()
+{
+ mkdir -p ${DESTDIR}/usr/lib ${DESTDIR}/usr/share/man
+ mv ${SRCPKGDESTDIR}/usr/include ${DESTDIR}/usr
+ mv ${SRCPKGDESTDIR}/usr/lib/lib*.so ${DESTDIR}/usr/lib
+ mv ${SRCPKGDESTDIR}/usr/lib/pkgconfig ${DESTDIR}/usr/lib
+ mv ${SRCPKGDESTDIR}/usr/share/man/man3 ${DESTDIR}/usr/share/man
+}
diff --git a/srcpkgs/iptables/template b/srcpkgs/iptables/template
new file mode 100644
index 00000000000..004e7ba60d7
--- /dev/null
+++ b/srcpkgs/iptables/template
@@ -0,0 +1,51 @@
+# Template file for 'iptables'
+pkgname=iptables
+version=1.4.7
+distfiles="http://www.iptables.org/projects/iptables/files/$pkgname-$version.tar.bz2"
+build_style=gnu_configure
+configure_args="--enable-devel --enable-libipq --sbindir=/sbin
+--with-kernel=/usr/src/kernel-headers-$(${XBPS_PKGDB_CMD} version kernel-headers)"
+short_desc="Linux IPv[46] packet filtering ruleset"
+maintainer="Juan RP "
+checksum=9f61f389cabdde79e26ca78c336db1b6373b67f80f7cfcb3e9d9ff520b325452
+long_desc="
+ iptables is the userspace command line program used to configure the Linux
+ 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system
+ administrators.
+
+ Since Network Address Translation is also configured from the packet filter
+ ruleset, iptables is used for this, too.
+
+ The iptables package also includes ip6tables. ip6tables is used for
+ configuring the IPv6 packet filter."
+
+openrc_services="iptables default"
+conf_files="
+/etc/conf.d/iptables
+/etc/conf.d/ip6tables"
+
+subpackages="$pkgname-devel"
+
+Add_dependency run glibc
+Add_dependency build kernel-headers
+
+pre_configure()
+{
+ sed -i '87 i libxt_RATEEST.so: libxt_RATEEST.oo' \
+ ${wrksrc}/extensions/GNUmakefile.in
+ sed -i '88 i \\t${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -lm -shared ${LDFLAGS} -o $@ $<;\n' \
+ ${wrksrc}/extensions/GNUmakefile.in
+}
+
+post_install()
+{
+ install -d ${DESTDIR}/etc/{conf.d,iptables}
+ install -m644 ${FILESDIR}/iptables.confd ${DESTDIR}/etc/conf.d/iptables
+ install -m644 ${FILESDIR}/ip6tables.confd \
+ ${DESTDIR}/etc/conf.d/ip6tables
+ install -D -m755 ${FILESDIR}/iptables.rc \
+ ${DESTDIR}/etc/init.d/iptables
+ install -m644 ${FILESDIR}/*.rules ${DESTDIR}/etc/iptables
+ install -d ${DESTDIR}/var/lib/iptables
+ touch -f ${DESTDIR}/var/lib/iptables/.empty_on_purpose
+}
diff --git a/xbps-src/common/mapping_shlib_binpkg.txt b/xbps-src/common/mapping_shlib_binpkg.txt
index 9fa50d106e7..1ebf54bd74e 100644
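Review bot: `post_install` creates only `${DESTDIR}/var/lib/iptables`, while the installed `ip6tables.confd` points `IP6TABLES_SAVE` at `/var/lib/ip6tables/rules-save`, so a `save` run through the `ip6tables` branch of iptables.rc fails at `touch` unless that directory is created elsewhere; adding `install -d ${DESTDIR}/var/lib/ip6tables` next to the existing `install -d ${DESTDIR}/var/lib/iptables` line fixes it. Relatedly, `/etc/conf.d/ip6tables` is installed and listed in `conf_files`, yet no `/etc/init.d/ip6tables` is installed and `openrc_services` names only `iptables`, so the IPv6 path looks unreachable as packaged — if it is intended, `ln -s iptables ${DESTDIR}/etc/init.d/ip6tables` would complete it, since the runscript keys its behaviour on `${SVCNAME}`. The `sed -i '87 i …'` and `'88 i …'` edits in `pre_configure` are pinned to line numbers of `extensions/GNUmakefile.in` and will insert silently in the wrong place on any upstream change; a pattern-anchored address would be more robust. Minor: GNU `touch` documents `-f` as ignored, so the last line reads more clearly as plain `touch`.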
--- a/xbps-src/common/mapping_shlib_binpkg.txt
+++ b/xbps-src/common/mapping_shlib_binpkg.txt
@@ -556,3 +556,8 @@ libegroupwise-1.2.so.13 evolution-data-server evolution-data-server-devel
 libgdata-1.2.so evolution-data-server evolution-data-server-devel
 libgdata-google-1.2.so evolution-data-server evolution-data-server-devel
 libpcap.so libpcap libpcap-devel
+libiptc.so iptables iptables-devel
+libip6tc.so iptables iptables-devel
+libxtables.so iptables iptables-devel
+libip4tc.so iptables iptables-devel
+libipq.so iptables iptables-devel