diff --git a/iptables-1.6.1.tar.bz2 b/iptables-1.6.1.tar.bz2
deleted file mode 100644
index 7a5ad4c..0000000
--- a/iptables-1.6.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0fc2d7bd5d7be11311726466789d4c65fb4c8e096c9182b56ce97440864f0cf5
-size 620890
diff --git a/iptables-1.6.1.tar.bz2.sig b/iptables-1.6.1.tar.bz2.sig
deleted file mode 100644
index 4fd5598..0000000
Binary files a/iptables-1.6.1.tar.bz2.sig and /dev/null differ
diff --git a/iptables-1.6.2.tar.bz2 b/iptables-1.6.2.tar.bz2
new file mode 100644
index 0000000..2d4ae79
--- /dev/null
+++ b/iptables-1.6.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733
+size 639785
diff --git a/iptables-1.6.2.tar.bz2.sig b/iptables-1.6.2.tar.bz2.sig
new file mode 100644
index 0000000..9e4819d
Binary files /dev/null and b/iptables-1.6.2.tar.bz2.sig differ
diff --git a/iptables-batch-lock.patch b/iptables-batch-lock.patch
new file mode 100644
index 0000000..4f3b0c7
--- /dev/null
+++ b/iptables-batch-lock.patch
@@ -0,0 +1,74 @@
+From: Matthias Gerstner
+Date: 2017-06-26T10:53:24+0000
+
+- fix a locking issue of iptables-batch which can cause it to spuriously fail
+ when other programs modify the iptables rules in parallel (bnc#1045130).
+ This can especially affect SuSEfirewall2 during startup.
+
+---
+ iptables/iptables-batch.c | 21 +++++++++++++++++++++
+ iptables/xshared.c | 8 +++++++-
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+Index: iptables-1.6.2/iptables/iptables-batch.c
+===================================================================
+--- iptables-1.6.2.orig/iptables/iptables-batch.c
++++ iptables-1.6.2/iptables/iptables-batch.c
+@@ -403,6 +403,27 @@ main(int argc, char *argv[])
+ tables[3].name = "raw";
+ tables[3].handle = NULL;
+ current_table = &tables[0];
++ /*
++ * We need to lock the complete batch processing against parallel
++ * modification by other processes. Otherwise, we can end up with
++ * EAGAIN errors.
++ *
++ * The do_command{4,6} function already locks itself, but the complete
++ * call sequence needs to be locked until the commit is performed.
++ *
++ * Sadly, the xtables_lock() implementation is not very cooperative.
++ * There is no unlock() equivalent. The lock file descriptor is smiply
++ * left open until the process exits. Thus, we would have deadlocks
++ * when calling do_command{4,6} the second time.
++ *
++ * To prevent this, part of this patch adds logic to avoid taking the
++ * lock a second time in the same process in xtables_lock()
++ */
++ const struct timeval wait_interval = {.tv_sec = 1};
++ if (!xtables_lock_or_exit(-1, &wait_interval)) {
++ fprintf(stderr, "failed to acquire the xtables lock\n");
++ exit(1);
++ }
+
+ while((r = getline(&iline, &llen, fp)) != -1)
+ {
+Index: iptables-1.6.2/iptables/xshared.c
+===================================================================
+--- iptables-1.6.2.orig/iptables/xshared.c
++++ iptables-1.6.2/iptables/xshared.c
+@@ -248,9 +248,13 @@ void xs_init_match(struct xtables_match
+
+ static int xtables_lock(int wait, struct timeval *wait_interval)
+ {
++ static bool already_locked = false;
+ struct timeval time_left, wait_time;
+ int fd, i = 0;
+
++ if (already_locked)
++ /* Avoid deadlocks, see iptables-batch.c */
++ return true;
+ time_left.tv_sec = wait;
+ time_left.tv_usec = 0;
+
+@@ -262,8 +266,10 @@ static int xtables_lock(int wait, struct
+ }
+
+ if (wait == -1) {
+- if (flock(fd, LOCK_EX) == 0)
++ if (flock(fd, LOCK_EX) == 0) {
++ already_locked = true;
+ return fd;
++ }
+
+ fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
+ strerror(errno));
diff --git a/iptables.changes b/iptables.changes
index 9ea32a1..4db318c 100644
--- a/iptables.changes
+++ b/iptables.changes
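Review bot: `if (!xtables_lock_or_exit(-1, &wait_interval))` in the iptables-batch.c hunk treats descriptor 0 as failure, but the value tested is the descriptor xtables_lock() obtains from open()/flock() (`return fd;` in the xshared.c hunk), and 0 is a legal descriptor whenever stdin is closed, which is plausible for a process started from a boot script, so the batch would then exit with "failed to acquire the xtables lock" while actually holding the lock; as its name suggests the helper already exits on failure by itself, so either drop the check or test `< 0`. `const struct timeval wait_interval` is then passed to the `struct timeval *wait_interval` parameter declared in the xshared.c hunk, which discards the qualifier and draws a compiler warning; `struct timeval wait_interval = {.tv_sec = 1};` matches the callee. In xshared.c the early `return true;` hands callers the value 1 where the other success path returns a descriptor, so any caller that ever closes what it received would close stdout rather than the lock file; storing the descriptor in a `static int locked_fd = -1;` beside `already_locked = true;` and returning that instead of `true` keeps the function's contract. The flag is also set only on the blocking `wait == -1` path shown here; if xtables_lock has another success path outside this hunk, a first acquisition through it would leave the second call deadlocking as the iptables-batch.c comment describes.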
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Sat Feb 3 14:02:59 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 1.6.2
+ * add support for the "srh" match
+ * add randomize-full for the "MASQUERADE" target
+ * add rate match mode to the "hashlimit" match
+
+-------------------------------------------------------------------
+Thu Jun 22 15:34:40 UTC 2017 - matthias.gerstner@suse.com
+
+- Add iptables-batch-lock.patch: Fix a locking issue of
+ iptables-batch which can cause it to spuriously fail when other
+ programs modify the iptables rules in parallel (bnc#1045130).
+ This can especially affect SuSEfirewall2 during startup.
+
 -------------------------------------------------------------------
 Fri Jan 27 22:53:14 UTC 2017 - jengelh@inai.de
 
diff --git a/iptables.spec b/iptables.spec
index 106955b..f17a502 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package iptables
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,17 +17,19 @@
 Name: iptables
-Version: 1.6.1
+Version: 1.6.2
 Release: 0
-Summary: IP Packet Filter Administration utilities
+Summary: IP packet filter administration utilities
 License: GPL-2.0 and Artistic-2.0
 Group: Productivity/Networking/Security
 Url: http://netfilter.org/projects/iptables/
+#Git-Clone: git://git.netfilter.org/iptables
 Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
 Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3: %name.keyring
 Patch3: iptables-batch.patch
 Patch4: iptables-apply-mktemp-fix.patch
+Patch5: iptables-batch-lock.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %if 0%{?fedora_version} || 0%{?centos_version}
@@ -54,19 +56,19 @@ the classic "ip6_tables" and "ip_tables" packet filters in the Linux kernel.
 %package nft
-Summary: NFT Packet Filter Administration utilties in the style of Xtables
+Summary: nft packet filter administration utilties in the style of Xtables
 Group: Productivity/Networking/Security
 Requires: xtables-plugins = %version-%release
 Conflicts: ebtables
 %description nft
 The programs shipped in this subpackage behave like iptables on the
-command line, but instead edit the rules of the NFT packet filter in
+command line, but instead edits the rules of the nft packet filter in
 the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit
-all features.
+the features.
 %package -n xtables-plugins
-Summary: Match and Target Extension plugins for iptables
+Summary: Match and target extension plugins for iptables
 Group: Productivity/Networking/Security
 Conflicts: iptables < 1.4.18
@@ -127,7 +129,7 @@ ip6tables, their extensions, and for external integration for e.g. iproute2's m_xt.
 %package -n libxtables-devel
-Summary: Libraries, Headers and Development Man Pages for iptables
+Summary: Headers and manpages for iptables
 Group: Development/Libraries/C and C++
 Requires: libxtables12 = %version
@@ -141,12 +143,12 @@ xtables --variable=xtlibdir).
 %prep
 %setup -q
-%patch -P 3 -P 4 -p1
+%patch -P 3 -P 4 -P 5 -p1
 %build
 # We have the iptables-batch patch, so always regenerate.
 if true || [ ! -e configure ]; then
- ./autogen.sh;
+ ./autogen.sh
 fi
 # bnc#561793 - do not include unclean module in iptables manpage
 rm -f extensions/libipt_unclean.man
@@ -160,7 +162,7 @@ make DESTDIR=%buildroot install
 # iptables-apply is not installed by upstream Makefile
 install -m0755 iptables/iptables-apply %buildroot%_sbindir/
 install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
-rm -f "%buildroot/%_libdir"/*.la;
+rm -f "%buildroot/%_libdir"/*.la
 %if 0%{?suse_version}
 %fdupes %buildroot/%_prefix
 %endif
@@ -199,6 +201,7 @@ rm -f "%buildroot/%_libdir"/*.la;
 %defattr(-,root,root)
 %_libdir/xtables/
 %_sbindir/nfnl_osf
+%_mandir/man8/nfnl_osf.8*
 %_datadir/xtables/
 %files -n libipq0