[arch-commits] Commit in iptables/trunk (ip6tables iptables iptables.conf.d)
Dan McGee
dan at archlinux.org
Sat Jul 23 17:24:57 UTC 2011
Date: Saturday, July 23, 2011 @ 13:24:56
Author: dan
Revision: 132370
Various iptables fixes/cleanups
* Fix FS#24466, don't muck with ip_forward settings in iptables stop
* Remove configurable path to iptables binary; this is stupid as we already hardcode iptables-save and iptables-restore
Modified:
iptables/trunk/ip6tables
iptables/trunk/iptables
iptables/trunk/iptables.conf.d
-----------------+
ip6tables | 25 +++++++++++--------------
iptables | 20 +++++++++-----------
iptables.conf.d | 14 +++++++++-----
3 files changed, 29 insertions(+), 30 deletions(-)
Modified: ip6tables
===================================================================
--- ip6tables 2011-07-23 15:49:06 UTC (rev 132369)
+++ ip6tables 2011-07-23 17:24:56 UTC (rev 132370)
@@ -4,7 +4,6 @@
[ -f /etc/conf.d/iptables ] && . /etc/conf.d/iptables
# Set defaults if settings are missing
-[ -z "$IP6TABLES" ] && IP6TABLES=/usr/sbin/ip6tables
[ -z "$IP6TABLES_CONF" ] && IP6TABLES_CONF=/etc/iptables/ip6tables.rules
. /etc/rc.conf
@@ -12,14 +11,14 @@
case "$1" in
start)
- if [ ! -f $IP6TABLES_CONF ]; then
+ if [ ! -f "$IP6TABLES_CONF" ]; then
echo "Cannot load iptables rules: $IP6TABLES_CONF is missing!" >&2
exit 1
fi
stat_busy "Starting IP6 Tables"
if [ "$IPTABLES_FORWARD" = "1" ]; then
- echo 1 >/proc/sys/net/ipv6/conf/default/forwarding
- echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
+ echo 1 >/proc/sys/net/ipv6/conf/default/forwarding
+ echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
fi
if ck_daemon ip6tables; then
/usr/sbin/ip6tables-restore < $IP6TABLES_CONF
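Review bot: The quoting fix on the `-f` test stops one line short: the restore at the end of this hunk still redirects from an unquoted `$IP6TABLES_CONF`, so a path containing whitespace passes the test and then fails the restore; change it to `/usr/sbin/ip6tables-restore < "$IP6TABLES_CONF"`. The iptables start hunk quotes its test the same way and its restore line is outside that hunk, so it probably needs the same treatment. Separately, the two `echo 1` writes to the forwarding sysctls run before the ruleset is restored, so if the restore fails or is slow the kernel forwards with whatever FORWARD policy is in place at that moment; moving the two writes after a successful restore closes that window. The start branch continues past the end of this hunk.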
@@ -35,14 +34,12 @@
;;
stop)
stat_busy "Stopping IP6 Tables"
- echo 0 >/proc/sys/net/ipv6/conf/all/forwarding
- echo 0 >/proc/sys/net/ipv6/conf/default/forwarding
if ! ck_daemon ip6tables; then
fail=0
for table in $(cat /proc/net/ip6_tables_names); do
- $IP6TABLES -t $table -F &>/dev/null && \
- $IP6TABLES -t $table -X &>/dev/null && \
- $IP6TABLES -t $table -Z &>/dev/null
+ ip6tables -t $table -F &>/dev/null && \
+ ip6tables -t $table -X &>/dev/null && \
+ ip6tables -t $table -Z &>/dev/null
[ $? -gt 0 ] && fail=1
done
if [ $fail -gt 0 ]; then
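Review bot: Replacing `$IP6TABLES` with the bare name `ip6tables` makes the stop path depend on PATH lookup, while the start path earlier in this file invokes `/usr/sbin/ip6tables-restore` by absolute path and the commit message gives that hardcoding as the reason for dropping the variable; using `/usr/sbin/ip6tables -t $table -F &>/dev/null && \` (and likewise for `-X`/`-Z`) keeps both paths consistent and removes the PATH dependency from a privileged flush/reset. The same applies to the policy-reset hunk of this file and to both stop hunks of iptables. If PATH is deliberately trusted in these rc scripts, a one-line comment such as `# ip6tables is resolved via PATH here; restore above uses /usr/sbin` would at least make the choice explicit. The `if [ $fail -gt 0 ]` branch continues beyond the hunk.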
@@ -52,23 +49,23 @@
# reset policies
for table in filter mangle raw; do
if grep -qw $table /proc/net/ip6_tables_names; then
- $IP6TABLES -t $table -P OUTPUT ACCEPT
+ ip6tables -t $table -P OUTPUT ACCEPT
fi
done
for table in filter mangle; do
if grep -qw $table /proc/net/ip6_tables_names; then
- $IP6TABLES -t $table -P INPUT ACCEPT
- $IP6TABLES -t $table -P FORWARD ACCEPT
+ ip6tables -t $table -P INPUT ACCEPT
+ ip6tables -t $table -P FORWARD ACCEPT
fi
done
for table in mangle raw; do
if grep -qw $table /proc/net/ip6_tables_names; then
- $IP6TABLES -t $table -P PREROUTING ACCEPT
+ ip6tables -t $table -P PREROUTING ACCEPT
fi
done
for table in mangle; do
if grep -qw $table /proc/net/ip6_tables_names; then
- $IP6TABLES -t $table -P POSTROUTING ACCEPT
+ ip6tables -t $table -P POSTROUTING ACCEPT
fi
done
stat_done
Modified: iptables
===================================================================
--- iptables 2011-07-23 15:49:06 UTC (rev 132369)
+++ iptables 2011-07-23 17:24:56 UTC (rev 132370)
@@ -4,7 +4,6 @@
[ -f /etc/conf.d/iptables ] && . /etc/conf.d/iptables
# Set defaults if settings are missing
-[ -z "$IPTABLES" ] && IPTABLES=/usr/sbin/iptables
[ -z "$IPTABLES_CONF" ] && IPTABLES_CONF=/etc/iptables/iptables.rules
. /etc/rc.conf
@@ -12,7 +11,7 @@
case "$1" in
start)
- if [ ! -f $IPTABLES_CONF ]; then
+ if [ ! -f "$IPTABLES_CONF" ]; then
echo "Cannot load iptables rules: $IPTABLES_CONF is missing!" >&2
exit 1
fi
@@ -34,13 +33,12 @@
;;
stop)
stat_busy "Stopping IP Tables"
- echo 0 >/proc/sys/net/ipv4/ip_forward
if ! ck_daemon iptables; then
fail=0
for table in $(cat /proc/net/ip_tables_names); do
- $IPTABLES -t $table -F &>/dev/null && \
- $IPTABLES -t $table -X &>/dev/null && \
- $IPTABLES -t $table -Z &>/dev/null
+ iptables -t $table -F &>/dev/null && \
+ iptables -t $table -X &>/dev/null && \
+ iptables -t $table -Z &>/dev/null
[ $? -gt 0 ] && fail=1
done
if [ $fail -gt 0 ]; then
@@ -50,23 +48,23 @@
# reset policies
for table in filter nat mangle raw; do
if grep -qw $table /proc/net/ip_tables_names; then
- $IPTABLES -t $table -P OUTPUT ACCEPT
+ iptables -t $table -P OUTPUT ACCEPT
fi
done
for table in filter mangle; do
if grep -qw $table /proc/net/ip_tables_names; then
- $IPTABLES -t $table -P INPUT ACCEPT
- $IPTABLES -t $table -P FORWARD ACCEPT
+ iptables -t $table -P INPUT ACCEPT
+ iptables -t $table -P FORWARD ACCEPT
fi
done
for table in nat mangle raw; do
if grep -qw $table /proc/net/ip_tables_names; then
- $IPTABLES -t $table -P PREROUTING ACCEPT
+ iptables -t $table -P PREROUTING ACCEPT
fi
done
for table in nat mangle; do
if grep -qw $table /proc/net/ip_tables_names; then
- $IPTABLES -t $table -P POSTROUTING ACCEPT
+ iptables -t $table -P POSTROUTING ACCEPT
fi
done
stat_done
Modified: iptables.conf.d
===================================================================
--- iptables.conf.d 2011-07-23 15:49:06 UTC (rev 132369)
+++ iptables.conf.d 2011-07-23 17:24:56 UTC (rev 132370)
@@ -1,8 +1,12 @@
# Configuration for iptables rules
-
-IPTABLES=/usr/sbin/iptables
-IP6TABLES=/usr/sbin/ip6tables
-
IPTABLES_CONF=/etc/iptables/iptables.rules
IP6TABLES_CONF=/etc/iptables/ip6tables.rules
-IPTABLES_FORWARD=0 # enable IP forwarding?
+
+# Enable IP forwarding (both IPv4 and IPv6)
+# NOTE: this is not the recommended way to do this, and is supported only for
+# backward compatibility. Instead, use /etc/sysctl.conf and set the following
+# options:
+# * net.ipv4.ip_forward=1
+# * net.ipv6.conf.default.forwarding=1
+# * net.ipv6.conf.all.forwarding=1
+#IPTABLES_FORWARD=0
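Review bot: The new comment block omits the asymmetry this same revision introduces: with IPTABLES_FORWARD=1 the rc scripts still write 1 to the forwarding sysctls on start, but their stop actions no longer write 0 while they do set the FORWARD policy to ACCEPT, so after a stop the host keeps forwarding with no filtering. Add a line under the NOTE such as `# If set to 1, forwarding is enabled on start but is NOT disabled on stop.` so administrators relying on this knob know to manage the sysctl themselves. It is also worth stating that `IPTABLES=` and `IP6TABLES=` lines left in existing copies of this file are now silently ignored by the scripts, e.g. `# IPTABLES/IP6TABLES (binary paths) are no longer read and can be removed.`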