Jan Engelhardt 2018-02-03 14:28:48 +00:00 committed by Git OBS Bridge
parent 1926c173b5
commit 9ebef7d7fe
7 changed files with 63 additions and 56 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0fc2d7bd5d7be11311726466789d4c65fb4c8e096c9182b56ce97440864f0cf5
size 620890


iptables-1.6.2.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733
size 639785

iptables-1.6.2.tar.bz2.sig Normal file



@ -1,70 +1,67 @@
Index: iptables-1.6.1/iptables/iptables-batch.c ---
iptables/iptables-batch.c | 21 +++++++++++++++++++++
iptables/xshared.c | 8 +++++++-
2 files changed, 28 insertions(+), 1 deletion(-)
Index: iptables-1.6.2/iptables/iptables-batch.c
=================================================================== ===================================================================
--- iptables-1.6.1.orig/iptables/iptables-batch.c --- iptables-1.6.2.orig/iptables/iptables-batch.c
+++ iptables-1.6.1/iptables/iptables-batch.c +++ iptables-1.6.2/iptables/iptables-batch.c
@@ -404,6 +404,34 @@ main(int argc, char *argv[]) @@ -403,6 +403,27 @@ main(int argc, char *argv[])
tables[3].name = "raw";
tables[3].handle = NULL; tables[3].handle = NULL;
current_table = &tables[0]; current_table = &tables[0];
+ /* + /*
+ * we need to lock the complete batch processing against parallel + * We need to lock the complete batch processing against parallel
+ * modification by other processes. Otherwise we can end up with + * modification by other processes. Otherwise, we can end up with
+ * EAGAIN errors. + * EAGAIN errors.
+ * + *
+ * the do_command{4,6} function already locks itself, but the + * The do_command{4,6} function already locks itself, but the complete
+ * complete call sequence needs to be locked until the commit is + * call sequence needs to be locked until the commit is performed.
+ * performed.
+ * + *
+ * sadly the xtables_lock() implementation is not very cooperative. + * Sadly, the xtables_lock() implementation is not very cooperative.
+ * There's no unlock() equivalent. The lock file descriptor is smiply + * There is no unlock() equivalent. The lock file descriptor is smiply
+ * left open until the process exits. Thus we'd have deadlocks when + * left open until the process exits. Thus, we would have deadlocks
+ * calling do_command{4,6} the second time. + * when calling do_command{4,6} the second time.
+ * + *
+ * To prevent this, part of this patch adds logic to avoid taking the + * To prevent this, part of this patch adds logic to avoid taking the
+ * lock a second time in the same process in xtables_lock() + * lock a second time in the same process in xtables_lock()
+ */ + */
+ + const struct timeval wait_interval = {.tv_sec = 1};
+ const struct timeval wait_interval = { + if (!xtables_lock_or_exit(-1, &wait_interval)) {
+ .tv_sec = 1,
+ };
+
+ if( xtables_lock(-1, &wait_interval) != true )
+ {
+ fprintf(stderr, "failed to acquire the xtables lock\n"); + fprintf(stderr, "failed to acquire the xtables lock\n");
+ exit(1); + exit(1);
+ } + }
+
while((r = getline(&iline, &llen, fp)) != -1) while((r = getline(&iline, &llen, fp)) != -1)
{ {
if(llen < 1 || !*iline) Index: iptables-1.6.2/iptables/xshared.c
Index: iptables-1.6.1/iptables/xshared.c
=================================================================== ===================================================================
--- iptables-1.6.1.orig/iptables/xshared.c --- iptables-1.6.2.orig/iptables/xshared.c
+++ iptables-1.6.1/iptables/xshared.c +++ iptables-1.6.2/iptables/xshared.c
@@ -250,8 +250,14 @@ void xs_init_match(struct xtables_match @@ -248,9 +248,13 @@ void xs_init_match(struct xtables_match
bool xtables_lock(int wait, struct timeval *wait_interval)
static int xtables_lock(int wait, struct timeval *wait_interval)
{ {
struct timeval time_left, wait_time, waited_time;
+ static bool already_locked = false; + static bool already_locked = false;
struct timeval time_left, wait_time;
int fd, i = 0; int fd, i = 0;
+ if( already_locked ) { + if (already_locked)
+ // avoid dead-locks, see iptables-batch.c + /* Avoid deadlocks, see iptables-batch.c */
+ return true; + return true;
+ }
+
time_left.tv_sec = wait; time_left.tv_sec = wait;
time_left.tv_usec = 0; time_left.tv_usec = 0;
waited_time.tv_sec = 0;
@@ -262,8 +268,10 @@ bool xtables_lock(int wait, struct timev
return true;
while (1) { @@ -262,8 +266,10 @@ static int xtables_lock(int wait, struct
- if (flock(fd, LOCK_EX | LOCK_NB) == 0) }
+ if (flock(fd, LOCK_EX | LOCK_NB) == 0) {
if (wait == -1) {
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX) == 0) {
+ already_locked = true; + already_locked = true;
return true; return fd;
+ } + }
if (++i % 10 == 0) {
if (wait != -1) fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
fprintf(stderr, "Another app is currently holding the xtables lock; " strerror(errno));
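Review bot: The rebased xshared.c hunk keeps `return true;` on the already_locked early exit although the function is now `static int xtables_lock(...)` and its success path returns the descriptor (`return fd;`), so a second call in the same process hands the caller the value 1 instead of the lock's fd, and if whichever caller releases the lock closes what it received (the 1.6.2 helpers appear to treat the return as a descriptor — worth confirming), that would close stdout. Storing the descriptor instead of a flag keeps both paths consistent: `static int lock_fd = -1;`, then `if (lock_fd >= 0) return lock_fd;` before the wait setup, and `lock_fd = fd;` in place of `already_locked = true;`. The related check in the iptables-batch.c hunk, `if (!xtables_lock_or_exit(-1, &wait_interval))`, likewise tests what looks like an int descriptor as a boolean; only a descriptor of 0 makes it fire, and the helper's name suggests it already exits on failure, so the branch is probably either dead or wrong. The body of xtables_lock continues outside the hunk.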


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Sat Feb 3 14:02:59 UTC 2018 - jengelh@inai.de
- Update to new upstream release 1.6.2
* add support for the "srh" match
* add randomize-full for the "MASQUERADE" target
* add rate match mode to the "hashlimit" match
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jun 22 15:34:40 UTC 2017 - matthias.gerstner@suse.com Thu Jun 22 15:34:40 UTC 2017 - matthias.gerstner@suse.com


@ -1,7 +1,7 @@
# #
# spec file for package iptables # spec file for package iptables
# #
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -17,12 +17,13 @@
Name: iptables Name: iptables
Version: 1.6.1 Version: 1.6.2
Release: 0 Release: 0
Summary: IP Packet Filter Administration utilities Summary: IP packet filter administration utilities
License: GPL-2.0 and Artistic-2.0 License: GPL-2.0 and Artistic-2.0
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Url: http://netfilter.org/projects/iptables/ Url: http://netfilter.org/projects/iptables/
#Git-Clone: git://git.netfilter.org/iptables
Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2 Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Source3: %name.keyring Source3: %name.keyring
@ -55,19 +56,19 @@ the classic "ip6_tables" and "ip_tables" packet filters in the Linux
kernel. kernel.
%package nft %package nft
Summary: NFT Packet Filter Administration utilties in the style of Xtables Summary: nft packet filter administration utilties in the style of Xtables
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Requires: xtables-plugins = %version-%release Requires: xtables-plugins = %version-%release
Conflicts: ebtables Conflicts: ebtables
%description nft %description nft
The programs shipped in this subpackage behave like iptables on the The programs shipped in this subpackage behave like iptables on the
command line, but instead edit the rules of the NFT packet filter in command line, but instead edits the rules of the nft packet filter in
the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit
all features. the features.
%package -n xtables-plugins %package -n xtables-plugins
Summary: Match and Target Extension plugins for iptables Summary: Match and target extension plugins for iptables
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Conflicts: iptables < 1.4.18 Conflicts: iptables < 1.4.18
@ -128,7 +129,7 @@ ip6tables, their extensions, and for external integration for e.g.
iproute2's m_xt. iproute2's m_xt.
%package -n libxtables-devel %package -n libxtables-devel
Summary: Libraries, Headers and Development Man Pages for iptables Summary: Headers and manpages for iptables
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: libxtables12 = %version Requires: libxtables12 = %version
@ -147,7 +148,7 @@ xtables --variable=xtlibdir).
%build %build
# We have the iptables-batch patch, so always regenerate. # We have the iptables-batch patch, so always regenerate.
if true || [ ! -e configure ]; then if true || [ ! -e configure ]; then
./autogen.sh; ./autogen.sh
fi fi
# bnc#561793 - do not include unclean module in iptables manpage # bnc#561793 - do not include unclean module in iptables manpage
rm -f extensions/libipt_unclean.man rm -f extensions/libipt_unclean.man
@ -161,7 +162,7 @@ make DESTDIR=%buildroot install
# iptables-apply is not installed by upstream Makefile # iptables-apply is not installed by upstream Makefile
install -m0755 iptables/iptables-apply %buildroot%_sbindir/ install -m0755 iptables/iptables-apply %buildroot%_sbindir/
install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/ install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
rm -f "%buildroot/%_libdir"/*.la; rm -f "%buildroot/%_libdir"/*.la
%if 0%{?suse_version} %if 0%{?suse_version}
%fdupes %buildroot/%_prefix %fdupes %buildroot/%_prefix
%endif %endif
@ -200,6 +201,7 @@ rm -f "%buildroot/%_libdir"/*.la;
%defattr(-,root,root) %defattr(-,root,root)
%_libdir/xtables/ %_libdir/xtables/
%_sbindir/nfnl_osf %_sbindir/nfnl_osf
%_mandir/man8/nfnl_osf.8*
%_datadir/xtables/ %_datadir/xtables/
%files -n libipq0 %files -n libipq0