rpms/iptables/devel iptables-1.3.8-cloexec.patch, NONE, 1.1 iptables.init, 1.18, 1.19 iptables.spec, 1.56, 1.57

Thomas Woerner (twoerner) fedora-extras-commits at redhat.com
Mon Nov 5 16:41:59 UTC 2007


Author: twoerner

Update of /cvs/pkgs/rpms/iptables/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28041

Modified Files:
	iptables.init iptables.spec 
Added Files:
	iptables-1.3.8-cloexec.patch 
Log Message:
- fixed leaked file descriptor before fork/exec (rhbz#312191)
- the blacklist check does not work; use the "install X /bin/(true|false)" test instead
- return private exit code 150 for disabled ipv6 support
- use script name for output messages



iptables-1.3.8-cloexec.patch:

--- NEW FILE iptables-1.3.8-cloexec.patch ---
diff -up iptables-1.3.8/ip6tables.c.cloexec iptables-1.3.8/ip6tables.c
--- iptables-1.3.8/ip6tables.c.cloexec	2007-10-02 13:42:23.000000000 +0200
+++ iptables-1.3.8/ip6tables.c	2007-10-02 13:42:54.000000000 +0200
@@ -1121,6 +1121,11 @@ static int compatible_revision(const cha
 			strerror(errno));
 		exit(1);
 	}
+	if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+		fprintf(stderr, "Could not set close on exec: %s\n",
+			strerror(errno));
+		exit(1);
+	}
 
 	strcpy(rev.name, name);
 	rev.revision = revision;
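Review bot: The new fcntl() block marks only the socket opened in compatible_revision() close-on-exec, so any other descriptor still open when load_iptables_ko() runs modprobe (the call that follows the identical block in the iptables.c hunk) is still inherited by the child; if the iptc handle or another socket can be open at that point it needs the same treatment, which this patch alone does not show. The intent of the block is not obvious from the code, so a one-line comment would help: `/* do not leak the socket into the modprobe child (rhbz#312191) */`. The same addition appears in the iptables.c hunk and this note applies there too. compatible_revision() starts before this hunk.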
diff -up iptables-1.3.8/iptables.c.cloexec iptables-1.3.8/iptables.c
--- iptables-1.3.8/iptables.c.cloexec	2007-10-02 13:42:09.000000000 +0200
+++ iptables-1.3.8/iptables.c	2007-10-02 13:42:25.000000000 +0200
@@ -1149,6 +1149,11 @@ static int compatible_revision(const cha
 			strerror(errno));
 		exit(1);
 	}
+	if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
+		fprintf(stderr, "Could not set close on exec: %s\n",
+			strerror(errno));
+		exit(1);
+	}
 
 	load_iptables_ko(modprobe, 1);
 


Index: iptables.init
===================================================================
RCS file: /cvs/pkgs/rpms/iptables/devel/iptables.init,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- iptables.init	16 Oct 2007 15:30:01 -0000	1.18
+++ iptables.init	5 Nov 2007 16:41:26 -0000	1.19
@@ -28,7 +28,7 @@
 VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
 
 if [ ! -x /sbin/$IPTABLES ]; then
-    echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
+    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
     exit 5
 fi
 
@@ -93,7 +93,7 @@
     # Check if firewall is configured (has tables)
     [ -z "$NF_TABLES" ] && return 1
 
-    echo -n $"Flushing firewall rules: "
+    echo -n $"${IPTABLES}: Flushing firewall rules: "
     ret=0
     # For all tables
     for i in $NF_TABLES; do
@@ -126,7 +126,7 @@
     tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
     [ -z "$tables" ] && return 1
 
-    echo -n $"Setting chains to policy $policy: "
+    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
     ret=0
     for i in $tables; do
 	echo -n "$i "
@@ -171,13 +171,14 @@
     # Do not start if there is no config file.
     [ ! -f "$IPTABLES_DATA" ] && return 6
 
-    if [ "${IPV}" = "ip6" ] \
-	&& grep -qIs "^blacklist\W*${_IPV}" /etc/modprobe.conf /etc/modprobe.d/* ; then
-	echo $"${0##*/}: ${_IPV} is blacklisted."
-	return 6
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
     fi
 
-    echo -n $"Applying $IPTABLES firewall rules: "
+    echo -n $"${IPTABLES}: Applying firewall rules: "
 
     OPT=
     [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
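Review bot: The grep on the new `if` line reads every file matched by /etc/modprobe.d/*, so editor backups or `*.rpmsave` leftovers that modprobe itself may ignore can still match `install ipv6 /bin/true` and make start report ipv6 as disabled and return 150 while the module would in fact load, leaving the host without its v6 rules; restricting the match to the files modprobe actually reads, or documenting the assumption, would avoid that false negative. `^install` also misses an install line with leading whitespace, if modprobe accepts that form. The comment above the check should state the contract, e.g. `# ipv6 counts as disabled when modprobe is told to run /bin/true or /bin/false instead of loading it; return 150 (LSB application-reserved range) so callers can tell this from a config error`. start() begins and ends outside this hunk.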
@@ -191,7 +192,7 @@
     
     # Load additional modules (helpers)
     if [ -n "$IPTABLES_MODULES" ]; then
-	echo -n $"Loading additional $IPTABLES modules: "
+	echo -n $"${IPTABLES}: Loading additional modules: "
 	ret=0
 	for mod in $IPTABLES_MODULES; do
 	    echo -n "$mod "
@@ -214,7 +215,7 @@
     set_policy ACCEPT
     
     if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
-	echo -n $"Unloading $IPTABLES modules: "
+	echo -n $"${IPTABLES}: Unloading modules: "
 	ret=0
 	for mod in ${NF_MODULES[*]}; do
 	    rmmod_r $mod
@@ -223,7 +224,7 @@
 	# try to unload remaining netfilter modules used by ipv4 and ipv6 
 	# netfilter
 	for mod in ${NF_MODULES_COMMON[*]}; do
-	    rmmod_r $mod
+	    rmmod_r $mod >/dev/null
 	done
 	[ $ret -eq 0 ] && success || failure
 	echo
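Review bot: Only the NF_MODULES_COMMON loop has its stdout silenced; the NF_MODULES loop in the previous hunk still prints whatever rmmod_r emits, and the reason for the difference is not recorded. If these shared modules are expected to still be in use by the other IP family, say so above the loop: `# modules shared with the other IP family are usually still in use; hide the expected noise, keep stderr`. If rmmod_r also updates ret (it is defined outside this hunk), those expected failures still flip the success/failure line that follows, which is worth confirming. The enclosing function starts outside this hunk.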
@@ -240,7 +241,7 @@
     # Check if firewall is configured (has tables)
     [ -z "$NF_TABLES" ] && return 6
 
-    echo -n $"Saving firewall rules to $IPTABLES_DATA: "
+    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
 
     OPT=
     [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
@@ -271,7 +272,7 @@
 
 status() {
     if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
-	echo $"${0##*/}: Firewall is not running."
+	echo $"${IPTABLES}: Firewall is not running."
 	return 3
     fi
 
@@ -279,13 +280,13 @@
     # loaded.
     # Check if iptable modules are loaded
     if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
-	echo $"${0##*/}: Firewall modules are not loaded."
+	echo $"${IPTABLES}: Firewall modules are not loaded."
 	return 3
     fi
 
     # Check if firewall is configured (has tables)
     if [ -z "$NF_TABLES" ]; then
-	echo $"${0##*/}: Firewall is not configured. "
+	echo $"${IPTABLES}: Firewall is not configured. "
 	return 3
     fi
 
@@ -345,7 +346,7 @@
 	RETVAL=$?
 	;;
     *)
-	echo $"Usage: ${0##*/} {start|stop|restart|condrestart|status|panic|save}"
+	echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
 	RETVAL=2
 	;;
 esac


Index: iptables.spec
===================================================================
RCS file: /cvs/pkgs/rpms/iptables/devel/iptables.spec,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- iptables.spec	16 Oct 2007 15:30:01 -0000	1.56
+++ iptables.spec	5 Nov 2007 16:41:26 -0000	1.57
@@ -3,7 +3,7 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.3.8
-Release: 5%{?dist}
+Release: 6%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -12,6 +12,7 @@
 Patch2: iptables-1.3.8-reject_type.patch
 Patch3: iptables-1.3.8-limit_man.patch
 Patch4: iptables-1.3.8-typo_latter.patch
+Patch5: iptables-1.3.8-cloexec.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -62,6 +63,7 @@
 %patch2 -p1 -b .reject_type
 %patch3 -p1 -b .limit_man
 %patch4 -p1 -b .typo_latter
+%patch5 -p1 -b .cloexec
 
 # Put it to a reasonable place
 find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
@@ -153,6 +155,12 @@
 %endif
 
 %changelog
+* Mon Nov  5 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-6
+- fixed leaked file descriptor before fork/exec (rhbz#312191)
+- blacklisting is not working, use "install X /bin/(true|false)" test instead
+- return private exit code 150 for disabled ipv6 support
+- use script name for output messages
+
 * Tue Oct 16 2007 Thomas Woerner <twoerner at redhat.com> 1.3.8-5
 - fixed error code for stopping a already stopped firewall (rhbz#321751)
 - moved blacklist test into start



