Accepting request 573925 from security:netfilter

- Update to new upstream release 1.6.2 OBS-URL: https://build.opensuse.org/request/show/573925 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iptables?expand=0&rev=60
2018-02-10 16:55:06 +00:00 · 2018-02-10 16:55:06 +00:00 · 8bb589eea5
commit 8bb589eea5
parent dc12d74a55 7ace5d1445
7 changed files with 107 additions and 14 deletions
--- a/iptables-1.6.1.tar.bz2
+++ b/iptables-1.6.1.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0fc2d7bd5d7be11311726466789d4c65fb4c8e096c9182b56ce97440864f0cf5
-size 620890
--- a/iptables-1.6.1.tar.bz2.sig
+++ b/iptables-1.6.1.tar.bz2.sig
--- a/iptables-1.6.2.tar.bz2
+++ b/iptables-1.6.2.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733
+size 639785
--- a/iptables-1.6.2.tar.bz2.sig
+++ b/iptables-1.6.2.tar.bz2.sig
--- a/iptables-batch-lock.patch
+++ b/iptables-batch-lock.patch
@ -0,0 +1,74 @@
+From: Matthias Gerstner <matthias.gerstner@suse.com>
+Date: 2017-06-26T10:53:24+0000
+
+- fix a locking issue of iptables-batch which can cause it to spuriously fail
+  when other programs modify the iptables rules in parallel (bnc#1045130).
+  This can especially affect SuSEfirewall2 during startup.
+
+---
+ iptables/iptables-batch.c |   21 +++++++++++++++++++++
+ iptables/xshared.c        |    8 +++++++-
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+Index: iptables-1.6.2/iptables/iptables-batch.c
+===================================================================
+--- iptables-1.6.2.orig/iptables/iptables-batch.c
+++ iptables-1.6.2/iptables/iptables-batch.c
+@@ -403,6 +403,27 @@ main(int argc, char *argv[])
+ 	tables[3].name = "raw";
+ 	tables[3].handle = NULL;
+ 	current_table = &tables[0];
+	/*
+	 * We need to lock the complete batch processing against parallel
+	 * modification by other processes. Otherwise, we can end up with
+	 * EAGAIN errors.
+	 *
+	 * The do_command{4,6} function already locks itself, but the complete
+	 * call sequence needs to be locked until the commit is performed.
+	 *
+	 * Sadly, the xtables_lock() implementation is not very cooperative.
+	 * There is no unlock() equivalent. The lock file descriptor is smiply
+	 * left open until the process exits. Thus, we would have deadlocks
+	 * when calling do_command{4,6} the second time.
+	 *
+	 * To prevent this, part of this patch adds logic to avoid taking the
+	 * lock a second time in the same process in xtables_lock()
+	 */
+	const struct timeval wait_interval = {.tv_sec = 1};
+	if (!xtables_lock_or_exit(-1, &wait_interval)) {
+		fprintf(stderr, "failed to acquire the xtables lock\n");
+		exit(1);
+	}
+ 
+ 	while((r = getline(&iline, &llen, fp)) != -1)
+ 	{
+Index: iptables-1.6.2/iptables/xshared.c
+===================================================================
+--- iptables-1.6.2.orig/iptables/xshared.c
+++ iptables-1.6.2/iptables/xshared.c
+@@ -248,9 +248,13 @@ void xs_init_match(struct xtables_match
+ 
+ static int xtables_lock(int wait, struct timeval *wait_interval)
+ {
+	static bool already_locked = false;
+ 	struct timeval time_left, wait_time;
+ 	int fd, i = 0;
+ 
+	if (already_locked)
+		/* Avoid deadlocks, see iptables-batch.c */
+		return true;
+ 	time_left.tv_sec = wait;
+ 	time_left.tv_usec = 0;
+ 
+@@ -262,8 +266,10 @@ static int xtables_lock(int wait, struct
+ 	}
+ 
+ 	if (wait == -1) {
+-		if (flock(fd, LOCK_EX) == 0)
+		if (flock(fd, LOCK_EX) == 0) {
+			already_locked = true;
+ 			return fd;
+		}
+ 
+ 		fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
+ 			strerror(errno));
--- a/iptables.changes
+++ b/iptables.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Sat Feb  3 14:02:59 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 1.6.2
+  * add support for the "srh" match
+  * add randomize-full for the "MASQUERADE" target
+  * add rate match mode to the "hashlimit" match
+
+-------------------------------------------------------------------
+Thu Jun 22 15:34:40 UTC 2017 - matthias.gerstner@suse.com
+
+- Add iptables-batch-lock.patch: Fix a locking issue of
+  iptables-batch which can cause it to spuriously fail when other
+  programs modify the iptables rules in parallel (bnc#1045130).
+  This can especially affect SuSEfirewall2 during startup.
+
 -------------------------------------------------------------------
 Fri Jan 27 22:53:14 UTC 2017 - jengelh@inai.de

--- a/iptables.spec
+++ b/iptables.spec
@ -1,7 +1,7 @@
 #
 # spec file for package iptables
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,17 +17,19 @@


 Name:           iptables
-Version:        1.6.1
+Version:        1.6.2
 Release:        0
-Summary:        IP Packet Filter Administration utilities
+Summary:        IP packet filter administration utilities
 License:        GPL-2.0 and Artistic-2.0
 Group:          Productivity/Networking/Security
 Url:            http://netfilter.org/projects/iptables/
+#Git-Clone:     git://git.netfilter.org/iptables
 Source:         http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
 Source2:        http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3:        %name.keyring
 Patch3:         iptables-batch.patch
 Patch4:         iptables-apply-mktemp-fix.patch
+Patch5:         iptables-batch-lock.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?fedora_version} || 0%{?centos_version}
@ -54,19 +56,19 @@ the classic "ip6_tables" and "ip_tables" packet filters in the Linux
 kernel.

 %package nft
-Summary:        NFT Packet Filter Administration utilties in the style of Xtables
+Summary:        nft packet filter administration utilties in the style of Xtables
 Group:          Productivity/Networking/Security
 Requires:       xtables-plugins = %version-%release
 Conflicts:      ebtables

 %description nft
 The programs shipped in this subpackage behave like iptables on the
-command line, but instead edit the rules of the NFT packet filter in
+command line, but instead edits the rules of the nft packet filter in
 the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit
-all features.
+the features.

 %package -n xtables-plugins
-Summary:        Match and Target Extension plugins for iptables
+Summary:        Match and target extension plugins for iptables
 Group:          Productivity/Networking/Security
 Conflicts:      iptables < 1.4.18

@ -127,7 +129,7 @@ ip6tables, their extensions, and for external integration for e.g.
 iproute2's m_xt.

 %package -n libxtables-devel
-Summary:        Libraries, Headers and Development Man Pages for iptables
+Summary:        Headers and manpages for iptables
 Group:          Development/Libraries/C and C++
 Requires:       libxtables12 = %version

@ -141,12 +143,12 @@ xtables --variable=xtlibdir).

 %prep
 %setup -q
-%patch -P 3 -P 4 -p1
+%patch -P 3 -P 4 -P 5 -p1

 %build
 # We have the iptables-batch patch, so always regenerate.
 if true || [ ! -e configure ]; then
-	./autogen.sh;
+	./autogen.sh
 fi
 # bnc#561793 - do not include unclean module in iptables manpage
 rm -f extensions/libipt_unclean.man
@ -160,7 +162,7 @@ make DESTDIR=%buildroot install
 # iptables-apply is not installed by upstream Makefile
 install -m0755 iptables/iptables-apply %buildroot%_sbindir/
 install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
-rm -f "%buildroot/%_libdir"/*.la;
+rm -f "%buildroot/%_libdir"/*.la
 %if 0%{?suse_version}
 %fdupes %buildroot/%_prefix
 %endif
@ -199,6 +201,7 @@ rm -f "%buildroot/%_libdir"/*.la;
 %defattr(-,root,root)
 %_libdir/xtables/
 %_sbindir/nfnl_osf
+%_mandir/man8/nfnl_osf.8*
 %_datadir/xtables/

 %files -n libipq0