forked from jengelh/iptables

Accepting request 573925 from security:netfilter

- Update to new upstream release 1.6.2

OBS-URL: https://build.opensuse.org/request/show/573925
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iptables?expand=0&rev=60
Dominique Leuenberger 2018-02-10 16:55:06 +00:00 committed by Git OBS Bridge
commit 8bb589eea5
7 changed files with 107 additions and 14 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0fc2d7bd5d7be11311726466789d4c65fb4c8e096c9182b56ce97440864f0cf5
size 620890

Binary file not shown.

iptables-1.6.2.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733
size 639785

iptables-1.6.2.tar.bz2.sig Normal file

Binary file not shown.

iptables-batch-lock.patch Normal file

@ -0,0 +1,74 @@
From: Matthias Gerstner <matthias.gerstner@suse.com>
Date: 2017-06-26T10:53:24+0000
- fix a locking issue of iptables-batch which can cause it to spuriously fail
when other programs modify the iptables rules in parallel (bnc#1045130).
This can especially affect SuSEfirewall2 during startup.
---
iptables/iptables-batch.c | 21 +++++++++++++++++++++
iptables/xshared.c | 8 +++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
Index: iptables-1.6.2/iptables/iptables-batch.c
===================================================================
--- iptables-1.6.2.orig/iptables/iptables-batch.c
+++ iptables-1.6.2/iptables/iptables-batch.c
@@ -403,6 +403,27 @@ main(int argc, char *argv[])
tables[3].name = "raw";
tables[3].handle = NULL;
current_table = &tables[0];
+ /*
+ * We need to lock the complete batch processing against parallel
+ * modification by other processes. Otherwise, we can end up with
+ * EAGAIN errors.
+ *
+ * The do_command{4,6} function already locks itself, but the complete
+ * call sequence needs to be locked until the commit is performed.
+ *
+ * Sadly, the xtables_lock() implementation is not very cooperative.
+ * There is no unlock() equivalent. The lock file descriptor is smiply
+ * left open until the process exits. Thus, we would have deadlocks
+ * when calling do_command{4,6} the second time.
+ *
+ * To prevent this, part of this patch adds logic to avoid taking the
+ * lock a second time in the same process in xtables_lock()
+ */
+ const struct timeval wait_interval = {.tv_sec = 1};
+ if (!xtables_lock_or_exit(-1, &wait_interval)) {
+ fprintf(stderr, "failed to acquire the xtables lock\n");
+ exit(1);
+ }
while((r = getline(&iline, &llen, fp)) != -1)
{
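Review bot: `if (!xtables_lock_or_exit(-1, &wait_interval))` treats the return value as a boolean, but the xshared.c hunk further down shows the underlying `xtables_lock()` is `static int` and hands back the descriptor (`return fd;`); if `xtables_lock_or_exit()` forwards that value, this test can only trigger when the descriptor happens to be 0 and will otherwise never report failure, so check for a negative result or drop the test entirely, since the `_or_exit` variant already exits on failure. Also, `wait_interval` is never consulted on the blocking `wait == -1` path, and the comment has a typo (`smiply` for `simply`). A `Subject:` line in the patch header would also help, since the description currently starts with a bare `- fix ...` bullet.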
Index: iptables-1.6.2/iptables/xshared.c
===================================================================
--- iptables-1.6.2.orig/iptables/xshared.c
+++ iptables-1.6.2/iptables/xshared.c
@@ -248,9 +248,13 @@ void xs_init_match(struct xtables_match
static int xtables_lock(int wait, struct timeval *wait_interval)
{
+ static bool already_locked = false;
struct timeval time_left, wait_time;
int fd, i = 0;
+ if (already_locked)
+ /* Avoid deadlocks, see iptables-batch.c */
+ return true;
time_left.tv_sec = wait;
time_left.tv_usec = 0;
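Review bot: `return true;` on the `already_locked` path returns 1 from a function whose success path otherwise returns a file descriptor (`return fd;` in the next hunk), so any caller that later closes or compares the returned descriptor would be operating on fd 1 (stdout). Keep the descriptor from the first successful acquisition next to the flag, e.g. `static int lock_fd = -1;`, set it where `already_locked = true;` is set, and `return lock_fd;` here. The claim `There is no unlock() equivalent` in the iptables-batch.c comment should also be re-checked against the 1.6.2 tree this patch is rebased onto, given that the lock routine now exposes its descriptor.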
@@ -262,8 +266,10 @@ static int xtables_lock(int wait, struct
}
if (wait == -1) {
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX) == 0) {
+ already_locked = true;
return fd;
+ }
fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
strerror(errno));
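Review bot: `already_locked = true;` is only set inside the `wait == -1` branch; the timed path that follows (`wait >= 0`, not shown in this hunk) never records the lock, so a second `xtables_lock()` call from the same process through that path still contends with the descriptor held from the first call, which is exactly the deadlock the iptables-batch.c comment describes. iptables-batch passes -1, so the stated use case is covered, but either set the flag on every successful acquisition or narrow the comment to the blocking case so the asymmetry is documented.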


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Sat Feb 3 14:02:59 UTC 2018 - jengelh@inai.de
- Update to new upstream release 1.6.2
* add support for the "srh" match
* add randomize-full for the "MASQUERADE" target
* add rate match mode to the "hashlimit" match
-------------------------------------------------------------------
Thu Jun 22 15:34:40 UTC 2017 - matthias.gerstner@suse.com
- Add iptables-batch-lock.patch: Fix a locking issue of
iptables-batch which can cause it to spuriously fail when other
programs modify the iptables rules in parallel (bnc#1045130).
This can especially affect SuSEfirewall2 during startup.
-------------------------------------------------------------------
Fri Jan 27 22:53:14 UTC 2017 - jengelh@inai.de


@ -1,7 +1,7 @@
#
# spec file for package iptables
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,17 +17,19 @@
Name: iptables
Version: 1.6.1
Version: 1.6.2
Release: 0
Summary: IP Packet Filter Administration utilities
Summary: IP packet filter administration utilities
License: GPL-2.0 and Artistic-2.0
Group: Productivity/Networking/Security
Url: http://netfilter.org/projects/iptables/
#Git-Clone: git://git.netfilter.org/iptables
Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Source3: %name.keyring
Patch3: iptables-batch.patch
Patch4: iptables-apply-mktemp-fix.patch
Patch5: iptables-batch-lock.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?fedora_version} || 0%{?centos_version}
@ -54,19 +56,19 @@ the classic "ip6_tables" and "ip_tables" packet filters in the Linux
kernel.
%package nft
Summary: NFT Packet Filter Administration utilties in the style of Xtables
Summary: nft packet filter administration utilties in the style of Xtables
Group: Productivity/Networking/Security
Requires: xtables-plugins = %version-%release
Conflicts: ebtables
%description nft
The programs shipped in this subpackage behave like iptables on the
command line, but instead edit the rules of the NFT packet filter in
command line, but instead edits the rules of the nft packet filter in
the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit
all features.
the features.
%package -n xtables-plugins
Summary: Match and Target Extension plugins for iptables
Summary: Match and target extension plugins for iptables
Group: Productivity/Networking/Security
Conflicts: iptables < 1.4.18
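Review bot: the nft subpackage Summary is reworded but keeps the typo `utilties` (should be `utilities`), and the description change from `edit the rules` to `edits the rules` introduces a subject/verb mismatch with the plural subject `The programs shipped in this subpackage ... behave`; keep `edit`. The replacement of `all features.` with `the features.` also reads worse than the original and could be reverted in the same pass.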
@ -127,7 +129,7 @@ ip6tables, their extensions, and for external integration for e.g.
iproute2's m_xt.
%package -n libxtables-devel
Summary: Libraries, Headers and Development Man Pages for iptables
Summary: Headers and manpages for iptables
Group: Development/Libraries/C and C++
Requires: libxtables12 = %version
@ -141,12 +143,12 @@ xtables --variable=xtlibdir).
%prep
%setup -q
%patch -P 3 -P 4 -p1
%patch -P 3 -P 4 -P 5 -p1
%build
# We have the iptables-batch patch, so always regenerate.
if true || [ ! -e configure ]; then
./autogen.sh;
./autogen.sh
fi
# bnc#561793 - do not include unclean module in iptables manpage
rm -f extensions/libipt_unclean.man
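Review bot: `if true || [ ! -e configure ]; then` leaves the `[ ! -e configure ]` test as dead code; since the comment above already states that autogen is always run because of the iptables-batch patch, replace the conditional with a plain `./autogen.sh` so the intent and the code match.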
@ -160,7 +162,7 @@ make DESTDIR=%buildroot install
# iptables-apply is not installed by upstream Makefile
install -m0755 iptables/iptables-apply %buildroot%_sbindir/
install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
rm -f "%buildroot/%_libdir"/*.la;
rm -f "%buildroot/%_libdir"/*.la
%if 0%{?suse_version}
%fdupes %buildroot/%_prefix
%endif
@ -199,6 +201,7 @@ rm -f "%buildroot/%_libdir"/*.la;
%defattr(-,root,root)
%_libdir/xtables/
%_sbindir/nfnl_osf
%_mandir/man8/nfnl_osf.8*
%_datadir/xtables/
%files -n libipq0