
- Update to release 1.8.8

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=151
Jan Engelhardt 2022-05-13 16:00:07 +00:00 committed by Git OBS Bridge
parent 6b5e17d380
commit a0ae64b6a1
7 changed files with 42 additions and 28 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0
size 717862


iptables-1.8.8.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:71c75889dc710676631553eb1511da0177bbaaf1b551265b912d236c3f51859f
size 746985

iptables-1.8.8.tar.bz2.sig Normal file



@ -10,10 +10,10 @@ Date: 2017-06-26T10:53:24+0000
iptables/xshared.c | 8 +++++++- iptables/xshared.c | 8 +++++++-
2 files changed, 28 insertions(+), 1 deletion(-) 2 files changed, 28 insertions(+), 1 deletion(-)
Index: iptables-1.8.6/iptables/iptables-batch.c Index: iptables-1.8.8/iptables/iptables-batch.c
=================================================================== ===================================================================
--- iptables-1.8.6.orig/iptables/iptables-batch.c --- iptables-1.8.8.orig/iptables/iptables-batch.c
+++ iptables-1.8.6/iptables/iptables-batch.c +++ iptables-1.8.8/iptables/iptables-batch.c
@@ -403,6 +403,27 @@ main(int argc, char *argv[]) @@ -403,6 +403,27 @@ main(int argc, char *argv[])
tables[3].name = "raw"; tables[3].name = "raw";
tables[3].handle = NULL; tables[3].handle = NULL;
@ -27,7 +27,7 @@ Index: iptables-1.8.6/iptables/iptables-batch.c
+ * call sequence needs to be locked until the commit is performed. + * call sequence needs to be locked until the commit is performed.
+ * + *
+ * Sadly, the xtables_lock() implementation is not very cooperative. + * Sadly, the xtables_lock() implementation is not very cooperative.
+ * There is no unlock() equivalent. The lock file descriptor is smiply + * There is no unlock() equivalent. The lock file descriptor is simply
+ * left open until the process exits. Thus, we would have deadlocks + * left open until the process exits. Thus, we would have deadlocks
+ * when calling do_command{4,6} the second time. + * when calling do_command{4,6} the second time.
+ * + *
@ -42,34 +42,34 @@ Index: iptables-1.8.6/iptables/iptables-batch.c
while((r = getline(&iline, &llen, fp)) != -1) while((r = getline(&iline, &llen, fp)) != -1)
{ {
Index: iptables-1.8.6/iptables/xshared.c Index: iptables-1.8.8/iptables/xshared.c
=================================================================== ===================================================================
--- iptables-1.8.6.orig/iptables/xshared.c --- iptables-1.8.8.orig/iptables/xshared.c
+++ iptables-1.8.6/iptables/xshared.c +++ iptables-1.8.8/iptables/xshared.c
@@ -248,10 +248,14 @@ void xs_init_match(struct xtables_match @@ -262,10 +262,14 @@ static void alarm_ignore(int i) {
static int xtables_lock(int wait, struct timeval *wait_interval) static int xtables_lock(int wait)
{ {
+ static bool already_locked = false; + static bool already_locked = false;
struct timeval time_left, wait_time; struct sigaction sigact_alarm;
const char *lock_file; const char *lock_file;
int fd, i = 0; int fd;
+ if (already_locked) + if (already_locked)
+ /* Avoid deadlocks, see iptables-batch.c */ + /* Avoid deadlocks, see iptables-batch.c */
+ return true; + return true;
time_left.tv_sec = wait; lock_file = getenv("XTABLES_LOCKFILE");
time_left.tv_usec = 0; if (lock_file == NULL || lock_file[0] == '\0')
lock_file = XT_LOCK_NAME;
@@ -267,8 +271,10 @@ static int xtables_lock(int wait, struct @@ -285,8 +289,10 @@ static int xtables_lock(int wait)
alarm(wait);
} }
if (wait == -1) {
- if (flock(fd, LOCK_EX) == 0) - if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX) == 0) { + if (flock(fd, LOCK_EX) == 0) {
+ already_locked = true; + already_locked = true;
return fd; return fd;
+ } + }
fprintf(stderr, "Can't lock %s: %s\n", lock_file, if (errno == EINTR) {
strerror(errno)); errno = EWOULDBLOCK;
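Review bot: The re-entrant short-circuit in the xshared.c hunk, `if (already_locked) return true;`, returns the integer 1 from a function whose success path hands back the lock file descriptor (`return fd;`), so a second call receives stdout's descriptor in place of the lock fd, and any caller that later close()s or otherwise operates on that value would act on fd 1 rather than the lock. This is carried over unchanged from the 1.8.6 version of the patch rather than introduced by the refresh, but the rebase is the natural moment to fix it. I would remember the descriptor next to the flag, `static int lock_fd = -1;`, set `lock_fd = fd;` beside `already_locked = true;`, and return `lock_fd` from the early-out instead of `true`. xtables_lock continues past the end of the hunk (the EINTR handling and final return are outside it), so whether the returned value reaches a close() elsewhere cannot be confirmed from here.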


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Fri May 13 15:39:33 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
- Update to release 1.8.8
* Add iptables-translate support for: sctp match's
--chunk-types option, connlimit match, multiport match's
--ports option, and the tcpmss match.
* Reject setuid executables in libxtables for safety reasons
* Extended arptables-nft with -C, -I, -R, -S cmomands and the
"-c N,M" counter syntax.
* Debug output in iptables-restore (all variants), iptables-nft
and ebtables-nft when specifying -v multiple times
* Improved performance of iptables-save and -restore
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Dec 30 15:05:20 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com> Thu Dec 30 15:05:20 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>


@ -1,7 +1,7 @@
# #
# spec file for package iptables # spec file for package iptables
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -23,7 +23,7 @@
%endif %endif
Name: iptables Name: iptables
Version: 1.8.7 Version: 1.8.8
Release: 0 Release: 0
Summary: IP packet filter administration utilities Summary: IP packet filter administration utilities
License: Artistic-2.0 AND GPL-2.0-only License: Artistic-2.0 AND GPL-2.0-only