rpm: improve setting iptables rules

Instead of overriding /etc/sysconfig/ip{,6}tables, store qubes rules in
/etc/sysconfig/iptables.qubes and configure the service to use that file
instead. This will prevent conflict on that file and also handle upgrades.
Marek Marczykowski-Górecki 2015-06-19 09:42:55 +02:00
parent b368ffe5c6
commit 0382f84eae


@ -147,10 +147,8 @@ for f in ModemManager.service NetworkManager.service \
cp $RPM_BUILD_ROOT/usr/lib/qubes/init/$f $RPM_BUILD_ROOT/etc/systemd/system/
done
%if %{fedora} < 21
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables
%endif
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes
%triggerin -- initscripts
if [ -e /etc/init/serial.conf ]; then
@ -161,6 +159,25 @@ fi
sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/pulseaudio.desktop
echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/pulseaudio.desktop
%triggerin -- iptables
if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
cat <<EOF >>/etc/sysconfig/iptables-config
### Automatically added by Qubes:
# Override default rules location on Qubes
IPTABLES_DATA=/etc/sysconfig/iptables.qubes
EOF
fi
if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
cat <<EOF >>/etc/sysconfig/ip6tables-config
### Automatically added by Qubes:
# Override default rules location on Qubes
IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
EOF
fi
%post
# disable some Upstart services
@ -268,15 +285,6 @@ if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
done
fi
# Copy ip(|6)tables into place if they do not already exist in filesystem.
# This prevents conflict with iptables-service
if [ ! -f '/etc/sysconfig/iptables' -o $1 = 1 ]; then
cp -p /usr/lib/qubes/init/iptables /etc/sysconfig/iptables
fi
if [ ! -f '/etc/sysconfig/ip6tables' -o $1 = 1 ]; then
cp -p /usr/lib/qubes/init/ip6tables /etc/sysconfig/ip6tables
fi
%if %{fedora} >= 20
# Make sure there is a default locale set so gnome-terminal will start
if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
@ -406,10 +414,8 @@ rm -f %{name}-%{version}
%config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA
%config(noreplace) /etc/qubes-rpc/qubes.SetDateTime
%config(noreplace) /etc/sudoers.d/qubes
%if %{fedora} < 21
%config(noreplace) /etc/sysconfig/iptables
%config(noreplace) /etc/sysconfig/ip6tables
%endif
%config(noreplace) /etc/sysconfig/iptables.qubes
%config(noreplace) /etc/sysconfig/ip6tables.qubes
/usr/lib/qubes/init/iptables
/usr/lib/qubes/init/ip6tables
%config(noreplace) /etc/tinyproxy/filter-updates
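Review bot: The idempotency guard in the new `%triggerin -- iptables` scriptlet, `if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config`, is an unanchored substring match, so a commented-out or differently-valued `IPTABLES_DATA` line already in the file (an administrator's own setting, for instance) silently skips the append and the service keeps loading rules from a file other than iptables.qubes; the ip6tables check has the same shape. Anchoring the checks as `grep -q '^IPTABLES_DATA=' /etc/sysconfig/iptables-config` and `grep -q '^IP6TABLES_DATA=' /etc/sysconfig/ip6tables-config` makes the guard match only an active assignment. The trigger also keys on the `iptables` package, but on recent Fedora the `-config` files appear to be shipped by iptables-services — worth confirming; when a config file is absent the `grep` prints a "No such file" error to the scriptlet output and the heredoc creates an unowned /etc/sysconfig/iptables-config, so guarding with `[ -f /etc/sysconfig/iptables-config ]` before editing would be cleaner. Nothing in the commit removes the override when this package is uninstalled, so the service would then point at an iptables.qubes that `%files` no longer provides; a matching `%postun`/`%triggerun` that strips the "Automatically added by Qubes" block would close that.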