rpm: improve setting iptables rules
Instead of overriding /etc/sysconfig/ip{,6}tables, store qubes rules in /etc/sysconfig/iptables.qubes and configure the service to use that file instead. This will prevent conflicts on that file and also handle upgrades.
This commit is contained in:
parent
b368ffe5c6
commit
0382f84eae
@ -147,10 +147,8 @@ for f in ModemManager.service NetworkManager.service \
|
|||||||
cp $RPM_BUILD_ROOT/usr/lib/qubes/init/$f $RPM_BUILD_ROOT/etc/systemd/system/
|
cp $RPM_BUILD_ROOT/usr/lib/qubes/init/$f $RPM_BUILD_ROOT/etc/systemd/system/
|
||||||
done
|
done
|
||||||
|
|
||||||
%if %{fedora} < 21
|
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
|
||||||
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
|
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes
|
||||||
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%triggerin -- initscripts
|
%triggerin -- initscripts
|
||||||
if [ -e /etc/init/serial.conf ]; then
|
if [ -e /etc/init/serial.conf ]; then
|
||||||
@ -161,6 +159,25 @@ fi
|
|||||||
sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/pulseaudio.desktop
|
sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/pulseaudio.desktop
|
||||||
echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/pulseaudio.desktop
|
echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/pulseaudio.desktop
|
||||||
|
|
||||||
|
%triggerin -- iptables
|
||||||
|
if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
|
||||||
|
cat <<EOF >>/etc/sysconfig/iptables-config
|
||||||
|
|
||||||
|
### Automatically added by Qubes:
|
||||||
|
# Override default rules location on Qubes
|
||||||
|
IPTABLES_DATA=/etc/sysconfig/iptables.qubes
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
|
||||||
|
cat <<EOF >>/etc/sysconfig/ip6tables-config
|
||||||
|
|
||||||
|
### Automatically added by Qubes:
|
||||||
|
# Override default rules location on Qubes
|
||||||
|
IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
%post
|
%post
|
||||||
|
|
||||||
# disable some Upstart services
|
# disable some Upstart services
|
||||||
@ -268,15 +285,6 @@ if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Copy ip(|6)tables into place if they do not already exist in filesystem.
|
|
||||||
# This prevents conflict with iptables-service
|
|
||||||
if [ ! -f '/etc/sysconfig/iptables' -o $1 = 1 ]; then
|
|
||||||
cp -p /usr/lib/qubes/init/iptables /etc/sysconfig/iptables
|
|
||||||
fi
|
|
||||||
if [ ! -f '/etc/sysconfig/ip6tables' -o $1 = 1 ]; then
|
|
||||||
cp -p /usr/lib/qubes/init/ip6tables /etc/sysconfig/ip6tables
|
|
||||||
fi
|
|
||||||
|
|
||||||
%if %{fedora} >= 20
|
%if %{fedora} >= 20
|
||||||
# Make sure there is a default locale set so gnome-terminal will start
|
# Make sure there is a default locale set so gnome-terminal will start
|
||||||
if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
|
if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
|
||||||
@ -406,10 +414,8 @@ rm -f %{name}-%{version}
|
|||||||
%config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA
|
%config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA
|
||||||
%config(noreplace) /etc/qubes-rpc/qubes.SetDateTime
|
%config(noreplace) /etc/qubes-rpc/qubes.SetDateTime
|
||||||
%config(noreplace) /etc/sudoers.d/qubes
|
%config(noreplace) /etc/sudoers.d/qubes
|
||||||
%if %{fedora} < 21
|
%config(noreplace) /etc/sysconfig/iptables.qubes
|
||||||
%config(noreplace) /etc/sysconfig/iptables
|
%config(noreplace) /etc/sysconfig/ip6tables.qubes
|
||||||
%config(noreplace) /etc/sysconfig/ip6tables
|
|
||||||
%endif
|
|
||||||
/usr/lib/qubes/init/iptables
|
/usr/lib/qubes/init/iptables
|
||||||
/usr/lib/qubes/init/ip6tables
|
/usr/lib/qubes/init/ip6tables
|
||||||
%config(noreplace) /etc/tinyproxy/filter-updates
|
%config(noreplace) /etc/tinyproxy/filter-updates
|
||||||
|
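Review bot: In the new `%triggerin -- iptables` scriptlet (second hunk, `@ -161,6 +159,25 @`), `grep -q IPTABLES_DATA /etc/sysconfig/iptables-config` matches any occurrence of the token, including a commented-out or differently-valued line, so the override is silently skipped whenever that string is already present; anchoring on the assignment, `grep -q '^IPTABLES_DATA=' /etc/sysconfig/iptables-config` (and `'^IP6TABLES_DATA='` for the ip6tables branch), makes the idempotence check test what the init script actually reads. If the config file does not exist when the trigger fires, the grep fails (printing to stderr) and the heredoc creates a file holding only the override; whether that is acceptable depends on which package owns `/etc/sysconfig/iptables-config` on the targeted releases, which this page does not show. There is no matching `%triggerun` or `%postun` that removes the block marked `### Automatically added by Qubes:`, so after this package is removed `IPTABLES_DATA` would keep pointing at the then-absent `/etc/sysconfig/iptables.qubes`; the marker line makes a sed-based removal straightforward. The first and fourth hunks also drop the `%if %{fedora} < 21` guard around the rule files, which looks intentional given the trigger is unconditional too, but a one-line comment above `%triggerin -- iptables` recording that the override applies on every release would spare the next reader from wondering.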