forked from jengelh/iptables
Jan Engelhardt 2018-02-03 14:28:48 +00:00 committed by Git OBS Bridge
parent 1926c173b5
commit 9ebef7d7fe
7 changed files with 63 additions and 56 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0fc2d7bd5d7be11311726466789d4c65fb4c8e096c9182b56ce97440864f0cf5
size 620890

Binary file not shown.

iptables-1.6.2.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733
size 639785

iptables-1.6.2.tar.bz2.sig Normal file

Binary file not shown.


@ -1,70 +1,67 @@
Index: iptables-1.6.1/iptables/iptables-batch.c
---
iptables/iptables-batch.c | 21 +++++++++++++++++++++
iptables/xshared.c | 8 +++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
Index: iptables-1.6.2/iptables/iptables-batch.c
===================================================================
--- iptables-1.6.1.orig/iptables/iptables-batch.c
+++ iptables-1.6.1/iptables/iptables-batch.c
@@ -404,6 +404,34 @@ main(int argc, char *argv[])
--- iptables-1.6.2.orig/iptables/iptables-batch.c
+++ iptables-1.6.2/iptables/iptables-batch.c
@@ -403,6 +403,27 @@ main(int argc, char *argv[])
tables[3].name = "raw";
tables[3].handle = NULL;
current_table = &tables[0];
+ /*
+ * we need to lock the complete batch processing against parallel
+ * modification by other processes. Otherwise we can end up with
+ * We need to lock the complete batch processing against parallel
+ * modification by other processes. Otherwise, we can end up with
+ * EAGAIN errors.
+ *
+ * the do_command{4,6} function already locks itself, but the
+ * complete call sequence needs to be locked until the commit is
+ * performed.
+ * The do_command{4,6} function already locks itself, but the complete
+ * call sequence needs to be locked until the commit is performed.
+ *
+ * sadly the xtables_lock() implementation is not very cooperative.
+ * There's no unlock() equivalent. The lock file descriptor is smiply
+ * left open until the process exits. Thus we'd have deadlocks when
+ * calling do_command{4,6} the second time.
+ * Sadly, the xtables_lock() implementation is not very cooperative.
+ * There is no unlock() equivalent. The lock file descriptor is smiply
+ * left open until the process exits. Thus, we would have deadlocks
+ * when calling do_command{4,6} the second time.
+ *
+ * To prevent this, part of this patch adds logic to avoid taking the
+ * lock a second time in the same process in xtables_lock()
+ */
+
+ const struct timeval wait_interval = {
+ .tv_sec = 1,
+ };
+
+ if( xtables_lock(-1, &wait_interval) != true )
+ {
+ const struct timeval wait_interval = {.tv_sec = 1};
+ if (!xtables_lock_or_exit(-1, &wait_interval)) {
+ fprintf(stderr, "failed to acquire the xtables lock\n");
+ exit(1);
+ }
+
while((r = getline(&iline, &llen, fp)) != -1)
{
if(llen < 1 || !*iline)
Index: iptables-1.6.1/iptables/xshared.c
Index: iptables-1.6.2/iptables/xshared.c
===================================================================
--- iptables-1.6.1.orig/iptables/xshared.c
+++ iptables-1.6.1/iptables/xshared.c
@@ -250,8 +250,14 @@ void xs_init_match(struct xtables_match
bool xtables_lock(int wait, struct timeval *wait_interval)
--- iptables-1.6.2.orig/iptables/xshared.c
+++ iptables-1.6.2/iptables/xshared.c
@@ -248,9 +248,13 @@ void xs_init_match(struct xtables_match
static int xtables_lock(int wait, struct timeval *wait_interval)
{
struct timeval time_left, wait_time, waited_time;
+ static bool already_locked = false;
struct timeval time_left, wait_time;
int fd, i = 0;
+ if( already_locked ) {
+ // avoid dead-locks, see iptables-batch.c
+ if (already_locked)
+ /* Avoid deadlocks, see iptables-batch.c */
+ return true;
+ }
+
time_left.tv_sec = wait;
time_left.tv_usec = 0;
waited_time.tv_sec = 0;
@@ -262,8 +268,10 @@ bool xtables_lock(int wait, struct timev
return true;
while (1) {
- if (flock(fd, LOCK_EX | LOCK_NB) == 0)
+ if (flock(fd, LOCK_EX | LOCK_NB) == 0) {
@@ -262,8 +266,10 @@ static int xtables_lock(int wait, struct
}
if (wait == -1) {
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX) == 0) {
+ already_locked = true;
return true;
return fd;
+ }
if (++i % 10 == 0) {
if (wait != -1)
fprintf(stderr, "Another app is currently holding the xtables lock; "
fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
strerror(errno));
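Review bot: The xshared.c hunk keeps the early exit `if (already_locked) return true;`, but in 1.6.2 `xtables_lock()` is `static int` and returns the descriptor (`return fd;`), so a second call in the same process yields 1 — file descriptor 1, stdout — instead of the lock's descriptor. If any caller treats that value as a descriptor (an unlock helper paired with this API would close it; that code is not visible here), stdout gets closed; keeping the descriptor instead of a flag avoids this: `static int lock_fd = -1;`, `if (lock_fd >= 0) return lock_fd;` in place of the flag check, and `lock_fd = fd;` in place of `already_locked = true;` before `return fd;`. The same type change reaches iptables-batch.c: `if (!xtables_lock_or_exit(-1, &wait_interval))` now fails only when the descriptor happens to be 0 (legal when stdin is closed), while an `_or_exit` helper presumably exits on failure itself, so the branch is either dead or a false failure and should become `int lock = xtables_lock_or_exit(-1, &wait_interval);` with `if (lock < 0)`, or be dropped. Note also that the flag is set only on the `wait == -1` path, so the re-entry guard holds only when the first caller waits indefinitely, which iptables-batch does; a one-line comment at the assignment, `/* only the blocking (wait == -1) path marks the lock as held */`, would make that limitation explicit.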


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Sat Feb 3 14:02:59 UTC 2018 - jengelh@inai.de
- Update to new upstream release 1.6.2
* add support for the "srh" match
* add randomize-full for the "MASQUERADE" target
* add rate match mode to the "hashlimit" match
-------------------------------------------------------------------
Thu Jun 22 15:34:40 UTC 2017 - matthias.gerstner@suse.com


@ -1,7 +1,7 @@
#
# spec file for package iptables
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,12 +17,13 @@
Name: iptables
Version: 1.6.1
Version: 1.6.2
Release: 0
Summary: IP Packet Filter Administration utilities
Summary: IP packet filter administration utilities
License: GPL-2.0 and Artistic-2.0
Group: Productivity/Networking/Security
Url: http://netfilter.org/projects/iptables/
#Git-Clone: git://git.netfilter.org/iptables
Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Source3: %name.keyring
@ -55,19 +56,19 @@ the classic "ip6_tables" and "ip_tables" packet filters in the Linux
kernel.
%package nft
Summary: NFT Packet Filter Administration utilties in the style of Xtables
Summary: nft packet filter administration utilties in the style of Xtables
Group: Productivity/Networking/Security
Requires: xtables-plugins = %version-%release
Conflicts: ebtables
%description nft
The programs shipped in this subpackage behave like iptables on the
command line, but instead edit the rules of the NFT packet filter in
command line, but instead edits the rules of the nft packet filter in
the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit
all features.
the features.
%package -n xtables-plugins
Summary: Match and Target Extension plugins for iptables
Summary: Match and target extension plugins for iptables
Group: Productivity/Networking/Security
Conflicts: iptables < 1.4.18
@ -128,7 +129,7 @@ ip6tables, their extensions, and for external integration for e.g.
iproute2's m_xt.
%package -n libxtables-devel
Summary: Libraries, Headers and Development Man Pages for iptables
Summary: Headers and manpages for iptables
Group: Development/Libraries/C and C++
Requires: libxtables12 = %version
@ -147,7 +148,7 @@ xtables --variable=xtlibdir).
%build
# We have the iptables-batch patch, so always regenerate.
if true || [ ! -e configure ]; then
./autogen.sh;
./autogen.sh
fi
# bnc#561793 - do not include unclean module in iptables manpage
rm -f extensions/libipt_unclean.man
@ -161,7 +162,7 @@ make DESTDIR=%buildroot install
# iptables-apply is not installed by upstream Makefile
install -m0755 iptables/iptables-apply %buildroot%_sbindir/
install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
rm -f "%buildroot/%_libdir"/*.la;
rm -f "%buildroot/%_libdir"/*.la
%if 0%{?suse_version}
%fdupes %buildroot/%_prefix
%endif
@ -200,6 +201,7 @@ rm -f "%buildroot/%_libdir"/*.la;
%defattr(-,root,root)
%_libdir/xtables/
%_sbindir/nfnl_osf
%_mandir/man8/nfnl_osf.8*
%_datadir/xtables/
%files -n libipq0