authorBruce A. Locke <blocke@gentoo.org>2002-09-08 20:52:24 +0000
committerBruce A. Locke <blocke@gentoo.org>2002-09-08 20:52:24 +0000
commitf482aa1dd1636e362cbbf40cf4f23480a432a8aa (patch)
treeeb8a2dccdb0e3ad8a0cdd9f7ef34be53728e14c1 /sys-apps
parentMore credits (diff)
initscript security fixes
Diffstat (limited to 'sys-apps')
-rw-r--r--sys-apps/iptables/ChangeLog9
-rw-r--r--sys-apps/iptables/files/digest-iptables-1.2.6a-r31
-rw-r--r--sys-apps/iptables/files/digest-iptables-1.2.7a-r11
-rw-r--r--sys-apps/iptables/files/iptables.confd-210
-rw-r--r--sys-apps/iptables/files/iptables.init-256
-rw-r--r--sys-apps/iptables/iptables-1.2.6a-r3.ebuild64
-rw-r--r--sys-apps/iptables/iptables-1.2.7a-r1.ebuild60
7 files changed, 200 insertions, 1 deletions
diff --git a/sys-apps/iptables/ChangeLog b/sys-apps/iptables/ChangeLog
index ab1c8fa41d81..701c35c3cd25 100644
--- a/sys-apps/iptables/ChangeLog
+++ b/sys-apps/iptables/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-apps/iptables
# Copyright 2002 Gentoo Technologies, Inc.; Distributed under the GPL
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/iptables/ChangeLog,v 1.8 2002/09/02 07:54:59 aliz Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/iptables/ChangeLog,v 1.9 2002/09/08 20:52:24 blocke Exp $
+
+*iptables-1.2.7a-r2
+*iptables-1.2.6a-r3
+
+ 08 Sep 2002; Bruce A. Locke <blocke@shivan.org> iptables-1.2.6a-r3.ebuild, iptables-1.2.7a-r2, files/iptables.confd-2, files/iptables.init-2
+ Fix #2335. Forwarding is disabled on script stop and only turned on
+ during script start if conf.d/iptables settings are enabled.
*iptables-1.2.6a-r2 (29 Aug 2002)
diff --git a/sys-apps/iptables/files/digest-iptables-1.2.6a-r3 b/sys-apps/iptables/files/digest-iptables-1.2.6a-r3
new file mode 100644
index 000000000000..8a58e7463394
--- /dev/null
+++ b/sys-apps/iptables/files/digest-iptables-1.2.6a-r3
@@ -0,0 +1 @@
+MD5 a70089706f9e5c162895ac498ac2e123 iptables-1.2.6a.tar.bz2 294968
diff --git a/sys-apps/iptables/files/digest-iptables-1.2.7a-r1 b/sys-apps/iptables/files/digest-iptables-1.2.7a-r1
new file mode 100644
index 000000000000..557c12876948
--- /dev/null
+++ b/sys-apps/iptables/files/digest-iptables-1.2.7a-r1
@@ -0,0 +1 @@
+MD5 e9de1c98c86a93934c8ada812fc8b286 iptables-1.2.7a.tar.bz2 118127
diff --git a/sys-apps/iptables/files/iptables.confd-2 b/sys-apps/iptables/files/iptables.confd-2
new file mode 100644
index 000000000000..e1f0be880948
--- /dev/null
+++ b/sys-apps/iptables/files/iptables.confd-2
@@ -0,0 +1,10 @@
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/var/lib/iptables/rules-save"
+
+# Change to "yes" to enable forwarding support in the kernel. Please
+# note that this will override any setting placed in /etc/sysctl.conf.
+ENABLE_FORWARDING_IPv4="no"
+ENABLE_FORWARDING_IPv6="no"
+
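Review bot: The comment above ENABLE_FORWARDING_IPv4/IPv6 says the setting overrides /etc/sysctl.conf, but the initscript that sources this file only writes the sysctl when the value is "yes", while its stop() writes 0 to both forwarding knobs unconditionally. With the default "no" the start-time value from sysctl.conf is therefore left alone, and the reset on stop happens regardless of what is set here, which is the opposite of what a reader would take from the comment. Suggested wording: `# Change to "yes" to have the initscript enable forwarding on start (this overrides /etc/sysctl.conf). Forwarding is always disabled again on service stop, regardless of these values.`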
diff --git a/sys-apps/iptables/files/iptables.init-2 b/sys-apps/iptables/files/iptables.init-2
new file mode 100644
index 000000000000..f244dd3384b9
--- /dev/null
+++ b/sys-apps/iptables/files/iptables.init-2
@@ -0,0 +1,56 @@
+#!/sbin/runscript
+# Copyright 1999-2002 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License, v2 or
+# later
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/iptables/files/iptables.init-2,v 1.1 2002/09/08 20:52:24 blocke Exp $
+
+depend() {
+ need logger net
+}
+
+start() {
+ ebegin "Loading iptables state and starting firewall"
+ # This variable is set in /etc/conf.d/iptables
+ if [ ! -f ${IPTABLES_SAVE} ]
+ then
+ einfo "Not starting iptables. First create some rules then run"
+ einfo "iptables-save > ${IPTABLES_SAVE}"
+ else
+ einfo "Restoring iptables ruleset"
+ /sbin/iptables-restore < ${IPTABLES_SAVE}
+
+ if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
+ einfo "Enabling forwarding for ipv4"
+ echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
+ fi
+
+ if [ "${ENABLE_FORWARDING_IPv6}" = "yes" ] ; then
+ einfo "Enabling forwarding for ipv6"
+ echo "1" > /proc/sys/net/ipv6/conf/all/forwarding
+ fi
+ fi
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall and saving iptables state"
+ # This way we don't forget to save changes
+ iptables-save > ${IPTABLES_SAVE}
+
+ # set sane defaults that disable forwarding
+ if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
+ echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
+ fi
+
+ if [ -f /proc/sys/net/ipv6/conf/all/forwarding ] ; then
+ echo "0" > /proc/sys/net/ipv6/conf/all/forwarding
+ fi
+
+ iptables -F
+ iptables -P INPUT ACCEPT
+ iptables -P FORWARD DROP
+ iptables -P OUTPUT ACCEPT
+
+ eend $?
+}
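Review bot: `eend $?` at the end of start() reports the status of the last `if` test, not of `/sbin/iptables-restore`, so a failed restore (missing module, corrupt or partially written rules file) is reported as success and the forwarding sysctls are still switched on, leaving the host forwarding with whatever rules happen to be loaded. The restore's exit status should be checked before forwarding is touched and returned from start(), as sketched below. In stop(), `iptables-save > ${IPTABLES_SAVE}` truncates the file before the command runs, so a failing save discards the previously saved ruleset; writing to `"${IPTABLES_SAVE}.tmp"` and `mv`-ing it into place only on success keeps the last good copy, and the command should be the absolute `/sbin/iptables-save` to match the restore path on the start side. `eend $?` in stop() likewise only reflects `iptables -P OUTPUT ACCEPT`; both `${IPTABLES_SAVE}` references should also be quoted, since an empty value currently turns the `-f` test into a misparse and the redirection into a syntax error.
```shell
	else
		einfo "Restoring iptables ruleset"
		if ! /sbin/iptables-restore < "${IPTABLES_SAVE}" ; then
			eerror "Failed to restore ruleset from ${IPTABLES_SAVE}; forwarding left untouched"
			eend 1
			return 1
		fi
		# … unchanged: ENABLE_FORWARDING_IPv4 / IPv6 toggles …
	fi
```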
diff --git a/sys-apps/iptables/iptables-1.2.6a-r3.ebuild b/sys-apps/iptables/iptables-1.2.6a-r3.ebuild
new file mode 100644
index 000000000000..f182a074cfe3
--- /dev/null
+++ b/sys-apps/iptables/iptables-1.2.6a-r3.ebuild
@@ -0,0 +1,64 @@
+# Copyright 1999-2002 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License, v2 or later
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/iptables/iptables-1.2.6a-r3.ebuild,v 1.1 2002/09/08 20:52:24 blocke Exp $
+
+S=${WORKDIR}/${P}
+DESCRIPTION="Kernel 2.4 firewall, NAT and packet mangling tools"
+SRC_URI="http://netfilter.samba.org/files/${P}.tar.bz2"
+HOMEPAGE="http://www.iptables.org"
+KEYWORDS="x86 ppc sparc sparc64"
+SLOT="0"
+# iptables is dependent on kernel sources. Strange but true.
+DEPEND="virtual/glibc"
+LICENSE="GPL-2"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ cat ${FILESDIR}/iptables-1.2.6a-imq.diff-3 | patch -p1 || die
+ chmod +x extensions/.IMQ-test*
+ mv Makefile Makefile.orig
+ sed -e "s/-O2/${CFLAGS}/g" -e "s:/usr/local::g" Makefile.orig > Makefile
+}
+
+src_compile() {
+
+ # iptables and libraries are now installed to /sbin and /lib, so that
+ # systems with remote network-mounted /usr filesystems can get their
+ # network interfaces up and running correctly without /usr.
+
+ # use make, not emake
+ make \
+ LIBDIR=/lib \
+ BINDIR=/sbin \
+ MANDIR=/usr/share/man \
+ INCDIR=/usr/include \
+ KERNEL_DIR=/usr/src/linux \
+ || die
+
+}
+
+src_install() {
+
+ dodir /usr/{lib,share/man/man8,sbin}
+ make \
+ LIBDIR=${D}/lib \
+ BINDIR=${D}/sbin \
+ MANDIR=${D}/usr/share/man \
+ INCDIR=${D}/usr/include \
+ install || die
+
+ dodoc COPYING KNOWN_BUGS
+ keepdir /var/lib/iptables
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/iptables.init-2 iptables
+ insinto /etc/conf.d
+ newins ${FILESDIR}/iptables.confd-2 iptables
+
+}
+
+pkg_postinst() {
+ einfo "This package now includes an initscript which loads and saves"
+ einfo "rules stored in /var/lib/iptables/rules-save"
+ einfo "This location can be changed in /etc/conf.d/iptables"
+}
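Review bot: The `sed ... Makefile.orig > Makefile` line in src_unpack has no `|| die`, so a sed failure (for example a CFLAGS value containing `/`, which breaks the `s/-O2/${CFLAGS}/g` expression) leaves an empty Makefile and the build fails later with an unrelated error; `chmod +x extensions/.IMQ-test*` is likewise unguarded, and the same two lines appear in iptables-1.2.7a-r1.ebuild in this commit. Suggest `sed -e "s:-O2:${CFLAGS}:g" -e "s:/usr/local::g" Makefile.orig > Makefile || die "sed failed"` (the `:` delimiter also tolerates slashes in CFLAGS). The comment "iptables is dependent on kernel sources" sits above `DEPEND="virtual/glibc"`, which declares no such dependency, while src_compile hard-codes `KERNEL_DIR=/usr/src/linux`; either the comment or DEPEND should be brought in line. The initscript writes the saved ruleset into the directory created by `keepdir /var/lib/iptables`; presumably the directory's mode is whatever keepdir's default is, and since the rules file can reveal the host's filtering policy it may be worth restricting it (e.g. `fperms 0700 /var/lib/iptables`) — confirm the helper is available in this ebuild API.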
diff --git a/sys-apps/iptables/iptables-1.2.7a-r1.ebuild b/sys-apps/iptables/iptables-1.2.7a-r1.ebuild
new file mode 100644
index 000000000000..db8b01d90f12
--- /dev/null
+++ b/sys-apps/iptables/iptables-1.2.7a-r1.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2002 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License, v2 or later
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/iptables/iptables-1.2.7a-r1.ebuild,v 1.1 2002/09/08 20:52:24 blocke Exp $
+
+S=${WORKDIR}/${P}
+DESCRIPTION="Kernel 2.4 firewall, NAT and packet mangling tools"
+SRC_URI="http://www.iptables.org/files/${P}.tar.bz2"
+HOMEPAGE="http://www.iptables.org"
+KEYWORDS="x86 ppc sparc sparc64"
+SLOT="0"
+# iptables is dependent on kernel sources. Strange but true.
+DEPEND="virtual/glibc"
+LICENSE="GPL-2"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ patch -p1 < ${FILESDIR}/${P}-imq.diff-3 || die
+ chmod +x extensions/.IMQ-test*
+ mv Makefile Makefile.orig
+ sed -e "s/-O2/${CFLAGS}/g" -e "s:/usr/local::g" Makefile.orig > Makefile
+}
+
+src_compile() {
+ # iptables and libraries are now installed to /sbin and /lib, so that
+ # systems with remote network-mounted /usr filesystems can get their
+ # network interfaces up and running correctly without /usr.
+
+ # use make, not emake
+ make \
+ LIBDIR=/lib \
+ BINDIR=/sbin \
+ MANDIR=/usr/share/man \
+ INCDIR=/usr/include \
+ KERNEL_DIR=/usr/src/linux \
+ || die
+}
+
+src_install() {
+ dodir /usr/{lib,share/man/man8,sbin}
+ make \
+ LIBDIR=${D}/lib \
+ BINDIR=${D}/sbin \
+ MANDIR=${D}/usr/share/man \
+ INCDIR=${D}/usr/include \
+ install || die
+
+ dodoc COPYING KNOWN_BUGS
+ keepdir /var/lib/iptables
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/iptables.init-2 iptables
+ insinto /etc/conf.d
+ newins ${FILESDIR}/iptables.confd-2 iptables
+}
+
+pkg_postinst() {
+ einfo "This package now includes an initscript which loads and saves"
+ einfo "rules stored in /var/lib/iptables/rules-save"
+ einfo "This location can be changed in /etc/conf.d/iptables"
+}
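Review bot: The ChangeLog entry added in this commit announces `*iptables-1.2.7a-r2`, but the ebuild and digest actually added are iptables-1.2.7a-r1.ebuild and digest-iptables-1.2.7a-r1, and the diffstat confirms r1; one of the two is wrong and the ChangeLog entry is the likelier candidate. src_unpack here applies the patch with `patch -p1 < ${FILESDIR}/${P}-imq.diff-3 || die`, which is cleaner than the `cat | patch` form in iptables-1.2.6a-r3.ebuild; the r3 ebuild could adopt the same form for consistency. The `|| die` guard is still missing on the following `sed` line, as noted for the 1.2.6a-r3 ebuild.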