Date: Saturday, May 14, 2022 @ 09:48:44 Author: arojas Revision: 445459
archrelease: copy trunk to testing-x86_64 Added: iptables/repos/testing-x86_64/ iptables/repos/testing-x86_64/PKGBUILD (from rev 445458, iptables/trunk/PKGBUILD) iptables/repos/testing-x86_64/arptables.service (from rev 445458, iptables/trunk/arptables.service) iptables/repos/testing-x86_64/ebtables.service (from rev 445458, iptables/trunk/ebtables.service) iptables/repos/testing-x86_64/empty-filter.rules (from rev 445458, iptables/trunk/empty-filter.rules) iptables/repos/testing-x86_64/empty-mangle.rules (from rev 445458, iptables/trunk/empty-mangle.rules) iptables/repos/testing-x86_64/empty-nat.rules (from rev 445458, iptables/trunk/empty-nat.rules) iptables/repos/testing-x86_64/empty-raw.rules (from rev 445458, iptables/trunk/empty-raw.rules) iptables/repos/testing-x86_64/empty-security.rules (from rev 445458, iptables/trunk/empty-security.rules) iptables/repos/testing-x86_64/empty.rules (from rev 445458, iptables/trunk/empty.rules) iptables/repos/testing-x86_64/ip6tables.service (from rev 445458, iptables/trunk/ip6tables.service) iptables/repos/testing-x86_64/iptables-legacy-flush (from rev 445458, iptables/trunk/iptables-legacy-flush) iptables/repos/testing-x86_64/iptables-nft-flush (from rev 445458, iptables/trunk/iptables-nft-flush) iptables/repos/testing-x86_64/iptables.service (from rev 445458, iptables/trunk/iptables.service) iptables/repos/testing-x86_64/simple_firewall.rules (from rev 445458, iptables/trunk/simple_firewall.rules) -----------------------+ PKGBUILD | 103 ++++++++++++++++++++++++++++++++++++++++++++++++ arptables.service | 14 ++++++ ebtables.service | 14 ++++++ empty-filter.rules | 6 ++ empty-mangle.rules | 8 +++ empty-nat.rules | 7 +++ empty-raw.rules | 5 ++ empty-security.rules | 6 ++ empty.rules | 6 ++ ip6tables.service | 15 ++++++ iptables-legacy-flush | 18 ++++++++ iptables-nft-flush | 18 ++++++++ iptables.service | 14 ++++++ simple_firewall.rules | 11 +++++ 14 files changed, 245 insertions(+) Copied: 
iptables/repos/testing-x86_64/PKGBUILD (from rev 445458, iptables/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,103 @@
+# Maintainer: Ronald van Haren <ronald.archlinux.org>
+# Contributor: Thomas Baechler <tho...@archlinux.org>
+
+pkgbase=iptables
+pkgname=(iptables iptables-nft)
+pkgver=1.8.8
+pkgrel=1
+epoch=1
+pkgdesc='Linux kernel packet control tool'
+arch=(x86_64)
+license=(GPL2)
+url='https://www.netfilter.org/projects/iptables/index.html'
+depends=(libnftnl libpcap libnfnetlink libnetfilter_conntrack bash)
+makedepends=(linux-api-headers)
+backup=(etc/ethertypes etc/iptables/{ip,ip6}tables.rules)
+source=(https://www.netfilter.org/projects/iptables/files/$pkgbase-$pkgver.tar.bz2{,.sig}
+ empty.rules simple_firewall.rules empty-{filter,mangle,nat,raw,security}.rules
+ {arp,eb,ip,ip6}tables.service iptables-{legacy,nft}-flush
+ iptables-format-security.patch::https://git.netfilter.org/iptables/patch/?id=b72eb12e)
+sha1sums=('98783621a5e58ff55f83b1350523f3de41af621d'
+ 'SKIP'
+ '83b3363878e3660ce23b2ad325b53cbd6c796ecf'
+ 'f085a71f467e4d7cb2cf094d9369b0bcc4bab6ec'
+ 'd9f9f06b46b4187648e860afa0552335aafe3ce4'
+ 'c45b738b5ec4cfb11611b984c21a83b91a2d58f3'
+ '1694d79b3e6e9d9d543f6a6e75fed06066c9a6c6'
+ '7db53bb882f62f6c677cc8559cff83d8bae2ef73'
+ 'ebbd1424a1564fd45f455a81c61ce348f0a14c2e'
+ '95b0ee26f03132a948fea9f2136b2e2e6a4b40fe'
+ 'b668ba50d55030c68431a95756bc1f291d74b2b2'
+ '8d66d21fa4cbfe2a80478301af94ba54f65e4ea0'
+ '9cec592787e32451f58fa608ea057870e07aa704'
+ 'd10af7780d1634778d898c709e2d950aa1561856'
+ '15c1684f3e671f4d0ede639a7c9c08e1a841511c'
+ 'df4b0a31dfa01cff65926d439ab1475f246d4e74')
+validpgpkeys=('C09DB2063F1D7034BA6152ADAB4655A126D292E4'
+ '37D964ACC04981C75500FB9BD55D978A8A1420E4') # Netfilter Core Team
+
+prepare() {
+ mkdir build
+ cd $pkgbase-$pkgver
+
+ # use system one
+ rm include/linux/types.h
+
+ ln -rs libiptc/linux_list.h include/libiptc
+ patch -p1 -i ../iptables-format-security.patch # Fix build with -Werror=format-security
+}
+
+build() {
+ cd build
+ ../$pkgbase-$pkgver/configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib \
+ --enable-bpf-compiler \
+ --enable-devel \
+ --enable-libipq \
+ --enable-shared
+ sed -e 's/ -shared / -Wl,-O1,--as-needed\0/g' -i libtool
+ make
+}
+
+package_iptables() {
+ pkgdesc+=' (using legacy interface)'
+ _package legacy
+}
+
+package_iptables-nft() {
+ pkgdesc+=' (using nft interface)'
+ depends+=(nftables)
+ provides=(iptables arptables ebtables)
+ conflicts=(iptables arptables ebtables)
+ backup+=(etc/{arp,eb}tables.conf)
+
+ _package nft
+
+ install -Dt "$pkgdir/usr/lib/systemd/system" -m644 {arp,eb}tables.service
+ touch "$pkgdir"/etc/{arp,eb}tables.conf
+}
+
+_package() {
+ DESTDIR="$pkgdir" make -C build install
+
+ for _x in {arp,eb,ip,ip6}tables{,-restore,-save} iptables-apply iptables-xml; do
+ if [[ $1 = nft || $_x = ip* ]]; then
+ ln -sf xtables-$1-multi "$pkgdir/usr/bin/$_x"
+ else
+ rm "$pkgdir/usr/bin/$_x"
+ fi
+ done
+
+ install -Dt "$pkgdir/usr/lib/systemd/system" -m644 {ip,ip6}tables.service
+ install -D iptables-$1-flush "$pkgdir/usr/lib/systemd/scripts/iptables-flush"
+
+ install -Dm644 empty.rules "$pkgdir/etc/iptables/iptables.rules"
+ install -Dm644 empty.rules "$pkgdir/etc/iptables/ip6tables.rules"
+ install -Dt "$pkgdir/usr/share/iptables" -m644 *.rules
+ ln -srt "$pkgdir/etc/iptables" "$pkgdir"/usr/share/iptables/{empty,simple_firewall}.rules
+}
+
+# vim:set sw=2 et:
Copied: iptables/repos/testing-x86_64/arptables.service (from rev 445458, iptables/trunk/arptables.service)
===================================================================
--- testing-x86_64/arptables.service (rev 0)
+++ testing-x86_64/arptables.service 2022-05-14 09:48:44 UTC (rev 445459)
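Review bot: The `sha1sums=(...)` array is the only integrity check on the locally shipped unit files, the rule files and the patch fetched from git.netfilter.org, because the `.sig` verification through `validpgpkeys` covers only the upstream tarball; SHA-1 is no longer collision-resistant and makepkg accepts stronger digests, so switching the array to `sha256sums=(...)` or `b2sums=(...)` with regenerated values (`updpkgsums`) pins those inputs with a current hash. The patch entry in `source=` also keys on an abbreviated commit id, `?id=b72eb12e`; the checksum pins the content that was fetched, but spelling out the full commit hash avoids a future prefix ambiguity in that repository. Both points are in the `source=`/`sha1sums=` section near the top of this hunk.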
@@ -0,0 +1,14 @@
+[Unit]
+Description=ARP table
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'arptables-restore < /etc/arptables.conf'
+ExecReload=/bin/sh -c 'arptables-restore < /etc/arptables.conf'
+ExecStop=/bin/sh -c 'arptables-restore < /dev/null'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
Copied: iptables/repos/testing-x86_64/ebtables.service (from rev 445458, iptables/trunk/ebtables.service)
===================================================================
--- testing-x86_64/ebtables.service (rev 0)
+++ testing-x86_64/ebtables.service 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,14 @@
+[Unit]
+Description=Ethernet bridge table
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'ebtables-restore < /etc/ebtables.conf'
+ExecReload=/bin/sh -c 'ebtables-restore < /etc/ebtables.conf'
+ExecStop=/bin/sh -c 'ebtables-restore < /dev/null'
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
Copied: iptables/repos/testing-x86_64/empty-filter.rules (from rev 445458, iptables/trunk/empty-filter.rules)
===================================================================
--- testing-x86_64/empty-filter.rules (rev 0)
+++ testing-x86_64/empty-filter.rules 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,6 @@
+# Empty iptables filter table rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
Copied: iptables/repos/testing-x86_64/empty-mangle.rules (from rev 445458, iptables/trunk/empty-mangle.rules)
===================================================================
--- testing-x86_64/empty-mangle.rules (rev 0)
+++ testing-x86_64/empty-mangle.rules 2022-05-14 09:48:44 UTC (rev 445459)
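Review bot: `ExecStop=/bin/sh -c 'arptables-restore < /dev/null'` may not clear the table on stop: the iptables units in this same commit ship a dedicated `iptables-flush` script that feeds an explicit empty `*table ... COMMIT` file for each loaded table, which suggests an empty restore input is not treated as a flush by the `*-restore` tools — worth confirming against arptables-restore before relying on it, and ebtables.service has the same line. The unit also resolves the binary through a shell and `PATH`, whereas iptables.service in this commit uses the absolute `/usr/bin/iptables-restore` that `_package` installs; `ExecStart=/bin/sh -c '/usr/bin/arptables-restore < /etc/arptables.conf'` keeps the shell redirection but removes the `PATH` dependence and makes the units consistent.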
@@ -0,0 +1,8 @@
+# Empty iptables mangle table rules file
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
Copied: iptables/repos/testing-x86_64/empty-nat.rules (from rev 445458, iptables/trunk/empty-nat.rules)
===================================================================
--- testing-x86_64/empty-nat.rules (rev 0)
+++ testing-x86_64/empty-nat.rules 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,7 @@
+# Empty iptables nat table rules file
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
Copied: iptables/repos/testing-x86_64/empty-raw.rules (from rev 445458, iptables/trunk/empty-raw.rules)
===================================================================
--- testing-x86_64/empty-raw.rules (rev 0)
+++ testing-x86_64/empty-raw.rules 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,5 @@
+# Empty iptables raw table rules file
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
Copied: iptables/repos/testing-x86_64/empty-security.rules (from rev 445458, iptables/trunk/empty-security.rules)
===================================================================
--- testing-x86_64/empty-security.rules (rev 0)
+++ testing-x86_64/empty-security.rules 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,6 @@
+# Empty iptables security table rules file
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
Copied: iptables/repos/testing-x86_64/empty.rules (from rev 445458, iptables/trunk/empty.rules)
===================================================================
--- testing-x86_64/empty.rules (rev 0)
+++ testing-x86_64/empty.rules 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,6 @@
+# Empty iptables rule file
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
Copied: iptables/repos/testing-x86_64/ip6tables.service (from rev 445458, iptables/trunk/ip6tables.service)
===================================================================
--- testing-x86_64/ip6tables.service (rev 0)
+++ testing-x86_64/ip6tables.service 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,15 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+After=iptables.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecReload=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush 6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
Copied: iptables/repos/testing-x86_64/iptables-legacy-flush (from rev 445458, iptables/trunk/iptables-legacy-flush)
===================================================================
--- testing-x86_64/iptables-legacy-flush (rev 0)
+++ testing-x86_64/iptables-legacy-flush 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+ echo "error: invalid argument"
+ exit 1
+fi
+
+while read -r table; do
+ tables+=("/usr/share/iptables/empty-$table.rules")
+done <"/proc/net/ip$1_tables_names"
+
+if (( ${#tables[*]} )); then
+ cat "${tables[@]}" | "$iptables-restore"
+fi
Copied: iptables/repos/testing-x86_64/iptables-nft-flush (from rev 445458, iptables/trunk/iptables-nft-flush)
===================================================================
--- testing-x86_64/iptables-nft-flush (rev 0)
+++ testing-x86_64/iptables-nft-flush 2022-05-14 09:48:44 UTC (rev 445459)
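Review bot: In iptables-legacy-flush the diagnostic `echo "error: invalid argument"` goes to stdout, so when systemd runs the script as `ExecStop` the failure reason is not marked as an error in the journal; `echo "error: invalid argument" >&2` is the usual form, and iptables-nft-flush in this commit has the same line. Separately, `done <"/proc/net/ip$1_tables_names"` presumably fails with a bash "No such file" message when the ip_tables module for that family has never been loaded, after which the script exits 0 with nothing to flush — the outcome is right but the noise is avoidable with `[[ -e "/proc/net/ip$1_tables_names" ]] || exit 0` before the loop.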
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Usage: iptables-flush [6]
+#
+
+iptables=ip$1tables
+if ! type -p "$iptables" &>/dev/null; then
+ echo "error: invalid argument"
+ exit 1
+fi
+
+while read -r table; do
+ tables+=("/usr/share/iptables/empty-$table.rules")
+done < <(nft list tables | sed -n "s/table ip$1 //p")
+
+if (( ${#tables[*]} )); then
+ cat "${tables[@]}" | "$iptables-restore"
+fi
Copied: iptables/repos/testing-x86_64/iptables.service (from rev 445458, iptables/trunk/iptables.service)
===================================================================
--- testing-x86_64/iptables.service (rev 0)
+++ testing-x86_64/iptables.service 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,14 @@
+[Unit]
+Description=IPv4 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
+ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
+ExecStop=/usr/lib/systemd/scripts/iptables-flush
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
Copied: iptables/repos/testing-x86_64/simple_firewall.rules (from rev 445458, iptables/trunk/simple_firewall.rules)
===================================================================
--- testing-x86_64/simple_firewall.rules (rev 0)
+++ testing-x86_64/simple_firewall.rules 2022-05-14 09:48:44 UTC (rev 445459)
@@ -0,0 +1,11 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT
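Review bot: The table list built by `done < <(nft list tables | sed -n "s/table ip$1 //p")` contains every table in the nft ip/ip6 family, not only the ones iptables-nft manages, so a table created by another nft user under any name other than filter, mangle, nat, raw or security yields a path under /usr/share/iptables that does not exist; `cat` then reports the missing file and `iptables-restore` is fed the partial concatenation. Restricting the loop to files this package ships keeps the flush to tables it can actually express: `[[ -f "/usr/share/iptables/empty-$table.rules" ]] && tables+=("/usr/share/iptables/empty-$table.rules")`. Because the pipeline's exit status is that of `"$iptables-restore"` and not of `cat`, the missing-file error would otherwise not be reflected in the status systemd sees for `ExecStop`.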
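Review bot: simple_firewall.rules is IPv4-only — `--reject-with icmp-port-unreachable` and `icmp-proto-unreachable` are IPv4 REJECT types that ip6tables-restore does not accept, and `-p icmp` matches ICMPv4 rather than ICMPv6 — yet `_package` in this commit links it into /etc/iptables beside both iptables.rules and ip6tables.rules with no IPv6 counterpart, so nothing stops a user from pointing ip6tables.service at it. A first-line comment such as `# IPv4 example ruleset for iptables-restore; not loadable by ip6tables-restore` would make the scope explicit, matching the header comments the empty-*.rules files already carry. Also, `-A INPUT -p icmp -j ACCEPT` precedes the conntrack rule, so every ICMPv4 type is accepted regardless of connection state; if that is intended a short comment saying so helps, otherwise placing it after the RELATED,ESTABLISHED rule and limiting it to the types the host needs narrows the exposure.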