Add ipset service files and subpackage, iptables services subpackage (#1479)

SPECS/ipset/ipset.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=IP sets for iptables
+Before=iptables.service
+Before=ip6tables.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ipset/ipset.start-stop start
+ExecStop=/usr/libexec/ipset/ipset.start-stop stop
+ExecReload=/usr/libexec/ipset/ipset.start-stop reload
+# Save current ipset entries on stop/restart.
+#   Value: yes|no,  default: no
+# Saves all ipsets to /etc/ipset/ipset if ipset gets stopped
+Environment=IPSET_SAVE_ON_STOP=no IPSET_SAVE_ON_RESTART=no
+
+[Install]
+WantedBy=basic.target

SPECS/ipset/ipset.signatures.json

@@ -1,5 +1,7 @@
 {
  "Signatures": {
-  "ipset-7.1.tar.bz2": "7b5eb3b93205c20cdc39e3fc8b6e5f7bb214bf79a7c0c00729dd4a31ce16adc4"
+  "ipset-7.1.tar.bz2": "7b5eb3b93205c20cdc39e3fc8b6e5f7bb214bf79a7c0c00729dd4a31ce16adc4",
+  "ipset.service": "0ab5d263b4272188a2566a9a502368e9812af69cf9f049322226b317d542a534",
+  "ipset.start-stop": "4596d809de30478e92fa840d905703a183aa99e1d1f55a991bf3190b932e3717"
  }
 }

SPECS/ipset/ipset.spec

@@ -1,48 +1,73 @@
-Summary:    administration tool for IP sets
-Name:       ipset
-Version:    7.1
-Release:    2%{?dist}
-License:    GPLv2
-URL:        http://ipset.netfilter.org/
-Source0:    http://ipset.netfilter.org/%{name}-%{version}.tar.bz2
-Group:      System Environment/tools
+Summary:        administration tool for IP sets
+Name:           ipset
+Version:        7.1
+Release:        3%{?dist}
+License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
-BuildRequires:    libmnl-devel
-Requires:         libmnl
+Group:          System Environment/tools
+URL:            https://ipset.netfilter.org/
+Source0:        https://ipset.netfilter.org/%{name}-%{version}.tar.bz2
+# Source1 and Source2 are from Fedora 35 (License: MIT)
+# https://src.fedoraproject.org/rpms/ipset/tree/f35
+Source1:        %{name}.service
+Source2:        %{name}.start-stop
+BuildRequires:  libmnl-devel
+Requires:       libmnl
+Provides:       %{name}-libs = %{version}-%{release}
+
 %description
 IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set.
 
-If you want to
-
-store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
+If you want to store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
 dynamically update iptables rules against IP addresses or ports without performance penalty;
 express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets
 then ipset may be the proper tool for you.
 
 %package devel
-Summary:    Development files for the ipset library
-Group:      Development/Libraries
-Requires:   ipset
+Summary:        Development files for the ipset library
+Group:          Development/Libraries
+Requires:       %{name} = %{version}-%{release}
 
 %description devel
 Libraries and header files for ipset.
 
+%package service
+Summary:        %{name} service for %{name}s
+BuildRequires:  systemd
+Requires:       %{name} = %{version}-%{release}
+Requires:       iptables-services
+Requires(post): systemd
+Requires(postun): systemd
+Requires(preun): systemd
+BuildArch:      noarch
+
+%description service
+This package provides the service %{name}
+
 %prep
-%setup -q
+%autosetup
 
 %build
-./configure \
-    --prefix=%{_prefix} \
-    --bindir=%{_bindir} \
-    --libdir=%{_libdir} \
+%configure \
     --enable-static=no \
     --with-kmod=no
-make %{?_smp_mflags}
+%make_build
 
 %install
-make install DESTDIR=%{buildroot}
-find %{buildroot} -name '*.la' -delete
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+
+# install systemd unit file
+install -d -m 755 %{buildroot}/%{_unitdir}
+install -c -m 644 %{SOURCE1} %{buildroot}/%{_unitdir}
+
+# install supporting script
+install -d -m 755 %{buildroot}%{_libexecdir}/%{name}
+install -c -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/%{name}
+
+# Create directory for configuration
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}
 
 %check
 sed -i 's/tests=\"$tests nethash/#tests=\"$tests nethash/g' tests/runtest.sh
@@ -51,21 +76,26 @@ sed -i 's/tests=\"$tests hash:ip/#tests=\"$tests hash:ip/g' tests/runtest.sh
 sed -i 's/tests=\"$tests hash:net,iface/#tests=\"$tests hash:net,iface/g' tests/runtest.sh
 make tests |& tee %{_specdir}/%{name}-check-log || %{nocheck}
 
+%ldconfig_scriptlets
 
-%post
-/sbin/ldconfig
+%post service
+%systemd_post %{name}.service
 
-%postun
-/sbin/ldconfig
+%preun service
+if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then
+    rmmod xt_set 2>/dev/null
+    [[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && exit 1
+fi
+%systemd_preun %{name}.service
 
-%clean
-rm -rf %{buildroot}/*
+%postun service
+%systemd_postun_with_restart %{name}.service
 
 %files
 %defattr(-,root,root)
 %license COPYING
 %{_sbindir}/*
-%{_libdir}/libipset.so.*
+%{_libdir}/libipset.so.13*
 %{_mandir}/*
 
 %files devel
@@ -74,17 +104,32 @@ rm -rf %{buildroot}/*
 %{_libdir}/libipset.so
 %{_libdir}/pkgconfig/libipset.pc
 
+%files service
+%{_unitdir}/%{name}.service
+%dir %{_libexecdir}/%{name}
+%attr(0755,root,root) %{_libexecdir}/%{name}/%{name}.start-stop
+%dir %{_sysconfdir}/%{name}
+
 %changelog
+* Thu Sep 30 2021 Thomas Crain <thcrain@microsoft.com> - 7.1-3
+- Add service subpackage from Fedora 35 (license: MIT)
+- Add provides for libs subpackage from main package
+- Lint spec
+
 * Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 7.1-2
 - Added %%license line automatically
 
-*   Mon Mar 16 2020 Henry Beberman <henry.beberman@microsoft.com> 7.1-1
--   Update to 7.1. License verified.
-*   Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 6.38-2
--   Initial CBL-Mariner import from Photon (license: Apache2).
-*   Thu Sep 06 2018 Ankit Jain <ankitja@vmware.com> 6.38-1
--   Upgrading version to 6.38
-*   Tue Mar 28 2017 Dheeraj Shetty <dheerajs@vmware.com> 6.32-1
--   Upgrading version to 6.32
-*   Wed Aug 3 2016 Xiaolin Li <xiaolinl@vmware.com> 6.29-1
--   Initial build.  First version
+* Mon Mar 16 2020 Henry Beberman <henry.beberman@microsoft.com> - 7.1-1
+- Update to 7.1. License verified.
+
+* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 6.38-2
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Thu Sep 06 2018 Ankit Jain <ankitja@vmware.com> - 6.38-1
+- Upgrading version to 6.38
+
+* Tue Mar 28 2017 Dheeraj Shetty <dheerajs@vmware.com> - 6.32-1
+- Upgrading version to 6.32
+
+* Wed Aug 3 2016 Xiaolin Li <xiaolinl@vmware.com> - 6.29-1
+- Initial build. First version

SPECS/ipset/ipset.start-stop

@@ -0,0 +1,209 @@
+#!/bin/bash
+#
+# ipset      Start and stop ipset firewall sets
+#
+# config: /etc/ipset/ipset
+#
+
+IPSET=ipset
+IPSET_BIN=/usr/sbin/${IPSET}
+IPSET_DATA=/etc/${IPSET}/${IPSET}
+
+IPTABLES_CONFIG=/etc/sysconfig/iptables-config
+IP6TABLES_CONFIG=${IPTABLES_CONFIG/iptables/ip6tables}
+
+TMP_FIFO=/tmp/${IPSET}.$$
+
+if [[ ! -x ${IPSET_BIN} ]]; then
+	echo "${IPSET_BIN} does not exist."
+	exit 5
+fi
+
+CLEAN_FILES=TMP_FIFO
+trap "rm -f \$CLEAN_FILES" EXIT
+
+# Default ipset configuration:
+[[ -z $IPSET_SAVE_ON_STOP ]] && IPSET_SAVE_ON_STOP=no		# Overridden by ip(6)tables IP(6)TABLES_SAVE_ON_STOP
+[[ -z $IPSET_SAVE_ON_RESTART ]] && IPSET_SAVE_ON_RESTART=no	# Overridden by ip(6)tables IP(6)TABLES_SAVE_ON_RESTART
+
+# Load iptables configuration(s)
+[[ -f "$IPTABLES_CONFIG" ]] && . "$IPTABLES_CONFIG"
+[[ -f "$IP6TABLES_CONFIG" ]] && . "$IP6TABLES_CONFIG"
+
+# It doesn't make sense to save iptables config and not our config
+[[ ${IPTABLES_SAVE_ON_STOP} = yes || ${IP6TABLES_SAVE_ON_STOP} = yes ]] && IPSET_SAVE_ON_STOP=yes
+[[ ${IPTABLES_SAVE_ON_RESTART} = yes || ${IP6TABLES_SAVE_ON_RESTART} = yes ]] && IPSET_SAVE_ON_RESTART=yes
+
+check_can_unload() {
+    # If the xt_set module is loaded and can't be unloaded, then iptables is
+    # using ipsets, so refuse to stop the service.
+    if [[ -n $(lsmod | grep "^xt_set ") ]]; then
+	rmmod xt_set 2>/dev/null
+	[[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && return 1
+    fi
+
+    return 0
+}
+
+flush_n_delete() {
+    local ret=0 set
+
+    # Flush sets
+    ${IPSET_BIN} flush
+    let ret+=$?
+
+    # Delete ipset sets. If we don't do them individually, then none
+    # will be deleted unless they all can be.
+    for set in $(${IPSET_BIN} list -name); do
+	    ${IPSET_BIN} destroy 2>/dev/null
+	    [[ $? -ne 0 ]] && ret=1
+    done
+
+    return $ret
+}
+
+start_clean()
+{
+    mkfifo -m go= "${TMP_FIFO}"
+    [[ $? -ne 0 ]] && return 1
+
+    # Get the lists of sets in current(old) config and new config
+    old_sets="$(${IPSET_BIN} list -name | sort -u)"
+    new_sets="$(grep ^create "${IPSET_DATA}" | cut -d " " -f 2 | sort -u)"
+
+    # List of sets no longer wanted
+    drop_sets="$( printf "%s\n" "${old_sets}" > "${TMP_FIFO}"  &
+		  printf "%s\n" "${new_sets}" | comm -23 "${TMP_FIFO}" -
+		)"
+
+    # Get rid of sets no longer needed
+    # Unfortunately -! doesn't work for destroy, so we have to do it a command at a time
+    for dset in $drop_sets; do
+	ipset destroy $dset 2>/dev/null
+	# If it won't go - ? in use by iptables, just clear it
+	[[ $? -ne 0 ]] && ipset flush $dset
+    done
+
+    # Now delete the set members no longer required
+    ${IPSET_BIN} save | grep "^add " | sort >${TMP_FIFO} &
+      grep "^add " ${IPSET_DATA} | sort | comm -23 ${TMP_FIFO} - | sed -e "s/^add /del /" \
+      | ${IPSET_BIN} restore -!
+
+    # At last we can add the set members we haven't got
+    ipset restore -! <${IPSET_DATA}
+
+    rm ${TMP_FIFO}
+
+    return 0
+}
+
+start() {
+    # Do not start if there is no config file.
+    [[ ! -f "$IPSET_DATA" ]] && echo "Loaded with no configuration" && return 0
+
+    # We can skip the first bit and do a simple load if
+    # there is no current ipset configuration
+    res=1
+    if [[ -n $(${IPSET_BIN} list -name) ]]; then
+	# The following may fail for some bizarre reason
+	start_clean
+	res=$?
+
+	[[ $res -ne 0 ]] && echo "Some old configuration may remain"
+    fi
+
+    # res -ne 0 => either start_clean failed, or we didn't need to run it
+    if [[ $res -ne 0 ]]; then
+	# This is the easy way to start but would leave any old
+	# entries still configured. Still, better than nothing -
+	# but fine if we had no config
+	${IPSET_BIN} restore -! <${IPSET_DATA}
+	res=$?
+    fi
+
+    if [[ $res -ne 0 ]]; then
+	return 1
+    fi
+
+    return 0
+}
+
+stop() {
+    # Nothing to stop if ip_set module is not loaded.
+    lsmod | grep -q "^ip_set "
+    [[ $? -ne 0 ]] && return 6
+
+    flush_n_delete
+    [[ $? -ne 0 ]] && echo Warning: Not all sets were flushed/deleted
+
+    return 0
+}
+
+save() {
+    # Do not save if ip_set module is not loaded.
+    lsmod | grep -q "^ip_set "
+    [[ $? -ne 0 ]] && return 6
+
+    [[ -z $(${IPSET_BIN} list -name) ]] && return 0
+
+    ret=0
+    TMP_FILE=$(/bin/mktemp -q /tmp/$IPSET.XXXXXX) \
+	&& CLEAN_FILES+=" $TMP_FILE" \
+	&& chmod 600 "$TMP_FILE" \
+	&& ${IPSET_BIN} save > $TMP_FILE 2>/dev/null \
+	&& [[ -s $TMP_FILE ]] \
+	|| ret=1
+
+    if [[ $ret -eq 0 ]]; then
+	# No need to do anything if the files are the same
+	if [[ ! -f $IPSET_DATA ]]; then
+	    mv $TMP_FILE $IPSET_DATA && chmod 600 $IPSET_DATA || ret=1
+	else
+	    diff -q $TMP_FILE $IPSET_DATA >/dev/null
+	
+	    if [[ $? -ne 0 ]]; then
+		if [[ -f $IPSET_DATA ]]; then
+		    cp -f --preserve=timestamps $IPSET_DATA $IPSET_DATA.save \
+			&& chmod 600 $IPSET_DATA.save \
+			|| ret=1
+		fi
+		if [[ $ret -eq 0 ]]; then
+		    cp -f --preserve=timestamps $TMP_FILE $IPSET_DATA \
+			&& chmod 600 $IPSET_DATA \
+			|| ret=1
+		fi
+	    fi
+	fi
+    fi
+
+    rm -f $TMP_FILE
+    return $ret
+}
+
+
+case "$1" in
+    start)
+	start
+	RETVAL=$?
+	;;
+    stop)
+	check_can_unload || exit 1
+	[[ $IPSET_SAVE_ON_STOP = yes ]] && save
+	stop
+	RETVAL=$?
+	[[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0
+	;;
+    reload)
+	[[ $IPSET_SAVE_ON_RESTART = yes ]] && save
+	stop
+	RETVAL=$?
+	[[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0
+	start
+	RETVAL=$?
+	;;
+    *)
+	echo "Usage: $IPSET {start|stop|reload}" >&2
+	exit 1
+esac
+
+exit $RETVAL

SPECS/iptables/iptables.spec

@@ -1,7 +1,7 @@
 Summary:        Linux kernel packet control tool
 Name:           iptables
 Version:        1.8.3
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -17,8 +17,10 @@ BuildRequires:  jansson-devel
 BuildRequires:  libmnl-devel
 BuildRequires:  libnftnl-devel
 BuildRequires:  systemd
-Requires:       systemd
 Requires:       iana-etc
+Requires:       systemd
+Provides:       %{name}-services = %{version}-%{release}
+
 %description
 The next part of this chapter deals with firewalls. The principal
 firewall tool for Linux is Iptables. You will need to install
@@ -32,7 +34,7 @@ Requires:       %{name} = %{version}-%{release}
 It contains the libraries and header files to create applications.
 
 %prep
-%setup -q
+%autosetup
 
 %build
 %configure \
@@ -47,8 +49,7 @@ It contains the libraries and header files to create applications.
 make V=0
 
 %install
-[ %{buildroot} != "/"] && rm -rf %{buildroot}/*
-make DESTDIR=%{buildroot} install
+%make_install
 ln -sfv ../../sbin/xtables-multi %{buildroot}%{_libdir}/iptables-xml
 #   Install daemon scripts
 install -vdm755 %{buildroot}%{_unitdir}
@@ -74,9 +75,6 @@ find %{buildroot} -type f -name "*.la" -delete -print
 /sbin/ldconfig
 %systemd_postun_with_restart iptables.service
 
-%clean
-rm -rf %{buildroot}/*
-
 %files
 %defattr(-,root,root)
 %license COPYING
@@ -100,6 +98,10 @@ rm -rf %{buildroot}/*
 %{_mandir}/man3/*
 
 %changelog
+* Thu Sep 30 2021 Thomas Crain <thcrain@microsoft.com> - 1.8.3-7
+- Add provides from main package for services subpackage
+- Lint spec
+
 * Mon Jun 21 2021 Rachel Menge <rachelmenge@microsoft.com> - 1.8.3-6
 - Add dependency on iana-etc (JOSLOBO 7/26: bumped dash version for merge)