rpms/iptables/devel iptables-1.3.8-cloexec.patch, NONE, 1.1 iptables.init, 1.18, 1.19 iptables.spec, 1.56, 1.57
Thomas Woerner (twoerner)
fedora-extras-commits at redhat.com
Mon Nov 5 16:41:59 UTC 2007
Author: twoerner
Update of /cvs/pkgs/rpms/iptables/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28041
Modified Files:
iptables.init iptables.spec
Added Files:
iptables-1.3.8-cloexec.patch
Log Message:
- fixed leaked file descriptor before fork/exec (rhbz#312191)
- blacklist test is not working; use the "install X /bin/(true|false)" test instead
- return private exit code 150 for disabled ipv6 support
- use script name for output messages
iptables-1.3.8-cloexec.patch:
--- NEW FILE iptables-1.3.8-cloexec.patch ---
diff -up iptables-1.3.8/ip6tables.c.cloexec iptables-1.3.8/ip6tables.c
--- iptables-1.3.8/ip6tables.c.cloexec 2007-10-02 13:42:23.000000000 +0200
+++ iptables-1.3.8/ip6tables.c 2007-10-02 13:42:54.000000000 +0200
@@ -1121,6 +1121,11 @@ static int compatible_revision(const cha
strerror(errno));
exit(1);
}
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+ fprintf(stderr, "Could not set close on exec: %s\n",
+ strerror(errno));
+ exit(1);
+ }
strcpy(rev.name, name);
rev.revision = revision;
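Review bot: The new fcntl(sockfd, F_SETFD, FD_CLOEXEC) block needs `<fcntl.h>` in scope, and neither this hunk nor the identical one in iptables.c (second hunk) shows the include list; if a file does not already include it the build fails with an implicit-declaration error, so please confirm before merging. Setting the flag in a separate call after socket() is the right fix for this single-threaded tool, though it is not atomic with the socket creation, which is worth recording in a comment such as `/* sockfd must not leak into the modprobe child (rhbz#312191) */` above the check. compatible_revision() starts and ends outside the hunk.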
diff -up iptables-1.3.8/iptables.c.cloexec iptables-1.3.8/iptables.c
--- iptables-1.3.8/iptables.c.cloexec 2007-10-02 13:42:09.000000000 +0200
+++ iptables-1.3.8/iptables.c 2007-10-02 13:42:25.000000000 +0200
@@ -1149,6 +1149,11 @@ static int compatible_revision(const cha
strerror(errno));
exit(1);
}
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+ fprintf(stderr, "Could not set close on exec: %s\n",
+ strerror(errno));
+ exit(1);
+ }
load_iptables_ko(modprobe, 1);
Index: iptables.init
===================================================================
RCS file: /cvs/pkgs/rpms/iptables/devel/iptables.init,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- iptables.init 16 Oct 2007 15:30:01 -0000 1.18
+++ iptables.init 5 Nov 2007 16:41:26 -0000 1.19
@@ -28,7 +28,7 @@
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
if [ ! -x /sbin/$IPTABLES ]; then
- echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
+ echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
exit 5
fi
@@ -93,7 +93,7 @@
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 1
- echo -n $"Flushing firewall rules: "
+ echo -n $"${IPTABLES}: Flushing firewall rules: "
ret=0
# For all tables
for i in $NF_TABLES; do
@@ -126,7 +126,7 @@
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
[ -z "$tables" ] && return 1
- echo -n $"Setting chains to policy $policy: "
+ echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
@@ -171,13 +171,14 @@
# Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return 6
- if [ "${IPV}" = "ip6" ] \
- && grep -qIs "^blacklist\W*${_IPV}" /etc/modprobe.conf /etc/modprobe.d/* ; then
- echo $"${0##*/}: ${_IPV} is blacklisted."
- return 6
+ # check if ipv6 module load is deactivated
+ if [ "${_IPV}" = "ipv6" ] \
+ && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+ echo $"${IPTABLES}: ${_IPV} is disabled."
+ return 150
fi
- echo -n $"Applying $IPTABLES firewall rules: "
+ echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
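Review bot: The new grep pattern is anchored only at the start, so a line beginning `install ipv6 /bin/true` matches even when it continues with further commands or a longer path component; anchoring the end, `grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)[[:space:]]*(#.*)?$"`, would limit the match to the plain no-op install forms, if that is the intent. `${_IPV}` is only interpolated into the regex when the preceding test has fixed it to the literal `ipv6`, so building a pattern from the variable is safe here. The new `return 150` lies in the range LSB reserves for distribution-specific codes; the caller in the `start` case must treat it distinctly from a failure, and that caller is not visible in this hunk. The enclosing start function begins and ends outside the hunk.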
@@ -191,7 +192,7 @@
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
- echo -n $"Loading additional $IPTABLES modules: "
+ echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
@@ -214,7 +215,7 @@
set_policy ACCEPT
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
- echo -n $"Unloading $IPTABLES modules: "
+ echo -n $"${IPTABLES}: Unloading modules: "
ret=0
for mod in ${NF_MODULES[*]}; do
rmmod_r $mod
@@ -223,7 +224,7 @@
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
for mod in ${NF_MODULES_COMMON[*]}; do
- rmmod_r $mod
+ rmmod_r $mod >/dev/null
done
[ $ret -eq 0 ] && success || failure
echo
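Review bot: `rmmod_r $mod >/dev/null` silences only stdout; rmmod_r's stderr still reaches the console, and this loop never folds its exit status into `ret` unless rmmod_r sets that variable itself, so the following `[ $ret -eq 0 ] && success || failure` does not reflect these unloads. If the comment's "try to unload" means a silent best-effort pass over modules shared with the other protocol, `rmmod_r $mod >/dev/null 2>&1` is the complete form; if genuine failures should still be shown, the change is fine as is. rmmod_r is defined outside this hunk, so I cannot see what it prints or sets.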
@@ -240,7 +241,7 @@
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 6
- echo -n $"Saving firewall rules to $IPTABLES_DATA: "
+ echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
@@ -271,7 +272,7 @@
status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
- echo $"${0##*/}: Firewall is not running."
+ echo $"${IPTABLES}: Firewall is not running."
return 3
fi
@@ -279,13 +280,13 @@
# loaded.
# Check if iptable modules are loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
- echo $"${0##*/}: Firewall modules are not loaded."
+ echo $"${IPTABLES}: Firewall modules are not loaded."
return 3
fi
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
- echo $"${0##*/}: Firewall is not configured. "
+ echo $"${IPTABLES}: Firewall is not configured. "
return 3
fi
@@ -345,7 +346,7 @@
RETVAL=$?
;;
*)
- echo $"Usage: ${0##*/} {start|stop|restart|condrestart|status|panic|save}"
+ echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
RETVAL=2
;;
esac
Index: iptables.spec
===================================================================
RCS file: /cvs/pkgs/rpms/iptables/devel/iptables.spec,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- iptables.spec 16 Oct 2007 15:30:01 -0000 1.56
+++ iptables.spec 5 Nov 2007 16:41:26 -0000 1.57
@@ -3,7 +3,7 @@
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.3.8
-Release: 5%{?dist}
+Release: 6%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
@@ -12,6 +12,7 @@
Patch2: iptables-1.3.8-reject_type.patch
Patch3: iptables-1.3.8-limit_man.patch
Patch4: iptables-1.3.8-typo_latter.patch
+Patch5: iptables-1.3.8-cloexec.patch
Group: System Environment/Base
URL: http://www.netfilter.org/
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -62,6 +63,7 @@
%patch2 -p1 -b .reject_type
%patch3 -p1 -b .limit_man
%patch4 -p1 -b .typo_latter
+%patch5 -p1 -b .cloexec
# Put it to a reasonable place
find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
@@ -153,6 +155,12 @@
%endif
%changelog
+* Mon Nov 5 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-6
+- fixed leaked file descriptor before fork/exec (rhbz#312191)
+- blacklisting is not working, use "install X /bin/(true|false)" test instead
+- return private exit code 150 for disabled ipv6 support
+- use script name for output messages
+
* Tue Oct 16 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-5
- fixed error code for stopping a already stopped firewall (rhbz#321751)
- moved blacklist test into start