From 53e82be23acede3bc8369a411cc5bcc00dee7e86 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Tue, 22 Jul 2008 15:37:03 +0000
Subject: [PATCH] - fixed TOS value mask problem (rhbz#456244) (upstream patch) - two more cloexec fixes
---
 iptables-1.4.1-cloexec.patch | 76 ------------------
 iptables-1.4.1.1-cloexec.patch | 109 ++++++++++++++++++++++++++
 iptables-1.4.1.1-tos_value_mask.patch | 14 ++++
 iptables.spec | 10 ++-
 4 files changed, 131 insertions(+), 78 deletions(-)
 delete mode 100644 iptables-1.4.1-cloexec.patch
 create mode 100644 iptables-1.4.1.1-cloexec.patch
 create mode 100644 iptables-1.4.1.1-tos_value_mask.patch
diff --git a/iptables-1.4.1-cloexec.patch b/iptables-1.4.1-cloexec.patch
deleted file mode 100644
index 24a4668..0000000
--- a/iptables-1.4.1-cloexec.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-diff -up iptables-1.4.1-rc2/ip6tables-restore.c.cloexec iptables-1.4.1-rc2/ip6tables-restore.c
---- iptables-1.4.1-rc2/ip6tables-restore.c.cloexec 2008-05-26 14:15:40.000000000 +0200
-+++ iptables-1.4.1-rc2/ip6tables-restore.c 2008-06-05 13:55:09.000000000 +0200
-@@ -172,7 +172,7 @@ int main(int argc, char *argv[])
- }
- 
- if (optind == argc - 1) {
-- in = fopen(argv[optind], "r");
-+ in = fopen(argv[optind], "re");
- if (!in) {
- fprintf(stderr, "Can't open %s: %s\n", argv[optind],
- strerror(errno));
-diff -up iptables-1.4.1-rc2/ip6tables-save.c.cloexec iptables-1.4.1-rc2/ip6tables-save.c
---- iptables-1.4.1-rc2/ip6tables-save.c.cloexec 2008-05-26 14:15:40.000000000 +0200
-+++ iptables-1.4.1-rc2/ip6tables-save.c 2008-06-05 13:55:09.000000000 +0200
-@@ -40,7 +40,7 @@ static int for_each_table(int (*func)(co
- FILE *procfile = NULL;
- char tablename[IP6T_TABLE_MAXNAMELEN+1];
- 
-- procfile = fopen("/proc/net/ip6_tables_names", "r");
-+ procfile = fopen("/proc/net/ip6_tables_names", "re");
- if (!procfile)
- exit_error(OTHER_PROBLEM,
- "Unable to open /proc/net/ip6_tables_names: %s\n",
-diff -up iptables-1.4.1-rc2/iptables-restore.c.cloexec iptables-1.4.1-rc2/iptables-restore.c
---- iptables-1.4.1-rc2/iptables-restore.c.cloexec 2008-05-26 14:15:40.000000000 +0200
-+++ iptables-1.4.1-rc2/iptables-restore.c 2008-06-05 13:55:09.000000000 +0200
-@@ -176,7 +176,7 @@ main(int argc, char *argv[])
- }
- 
- if (optind == argc - 1) {
-- in = fopen(argv[optind], "r");
-+ in = fopen(argv[optind], "re");
- if (!in) {
- fprintf(stderr, "Can't open %s: %s\n", argv[optind],
- strerror(errno));
-diff -up iptables-1.4.1-rc2/iptables-save.c.cloexec iptables-1.4.1-rc2/iptables-save.c
---- iptables-1.4.1-rc2/iptables-save.c.cloexec 2008-05-26 14:15:40.000000000 +0200
-+++ iptables-1.4.1-rc2/iptables-save.c 2008-06-05 13:55:09.000000000 +0200
-@@ -38,7 +38,7 @@ static int for_each_table(int (*func)(co
- FILE *procfile = NULL;
- char tablename[IPT_TABLE_MAXNAMELEN+1];
- 
-- procfile = fopen("/proc/net/ip_tables_names", "r");
-+ procfile = fopen("/proc/net/ip_tables_names", "re");
- if (!procfile)
- exit_error(OTHER_PROBLEM,
- "Unable to open /proc/net/ip_tables_names: %s\n",
-diff -up iptables-1.4.1-rc2/iptables-xml.c.cloexec iptables-1.4.1-rc2/iptables-xml.c
---- iptables-1.4.1-rc2/iptables-xml.c.cloexec 2008-05-26 14:15:40.000000000 +0200
-+++ iptables-1.4.1-rc2/iptables-xml.c 2008-06-05 13:55:09.000000000 +0200
-@@ -664,7 +664,7 @@ main(int argc, char *argv[])
- }
- 
- if (optind == argc - 1) {
-- in = fopen(argv[optind], "r");
-+ in = fopen(argv[optind], "re");
- if (!in) {
- fprintf(stderr, "Can't open %s: %s", argv[optind],
- strerror(errno));
-diff -up iptables-1.4.1-rc2/xtables.c.cloexec iptables-1.4.1-rc2/xtables.c
---- iptables-1.4.1-rc2/xtables.c.cloexec 2008-05-26 14:15:40.000000000 +0200
-+++ iptables-1.4.1-rc2/xtables.c 2008-06-05 13:57:49.000000000 +0200
-@@ -498,6 +498,12 @@ static int compatible_revision(const cha
- exit(1);
- }
- 
-+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
-+ fprintf(stderr, "Could not set close on exec: %s\n",
-+ strerror(errno));
-+ exit(1);
-+ }
-+
- load_xtables_ko(modprobe_program, 1);
- 
- strcpy(rev.name, name);
diff --git a/iptables-1.4.1.1-cloexec.patch b/iptables-1.4.1.1-cloexec.patch
new file mode 100644
index 0000000..8ad90fa
--- /dev/null
+++ b/iptables-1.4.1.1-cloexec.patch
@@ -0,0 +1,109 @@
+diff -up iptables-1.4.1.1/extensions/libipt_realm.c.cloexec iptables-1.4.1.1/extensions/libipt_realm.c
+--- iptables-1.4.1.1/extensions/libipt_realm.c.cloexec 2008-06-16 15:12:40.000000000 +0200
++++ iptables-1.4.1.1/extensions/libipt_realm.c 2008-07-22 16:46:21.000000000 +0200
+@@ -50,7 +50,7 @@ static void load_realms(void)
+ int id;
+ struct realmname *oldnm = NULL, *newnm = NULL;
+ 
+- fil = fopen(rfnm, "r");
++ fil = fopen(rfnm, "re");
+ if (!fil) {
+ rdberr = 1;
+ return;
+@@ -256,7 +256,7 @@ static struct xtables_match realm_mt_reg
+ .extra_opts = realm_opts,
+ };
+ 
+-void _init(void)
++void __attribute((constructor)) nf_ext_init(void)
+ {
+ xtables_register_match(&realm_mt_reg);
+ }
+diff -up iptables-1.4.1.1/ip6tables-restore.c.cloexec iptables-1.4.1.1/ip6tables-restore.c
+--- iptables-1.4.1.1/ip6tables-restore.c.cloexec 2008-06-16 15:12:40.000000000 +0200
++++ iptables-1.4.1.1/ip6tables-restore.c 2008-07-22 16:46:21.000000000 +0200
+@@ -172,7 +172,7 @@ int main(int argc, char *argv[])
+ }
+ 
+ if (optind == argc - 1) {
+- in = fopen(argv[optind], "r");
++ in = fopen(argv[optind], "re");
+ if (!in) {
+ fprintf(stderr, "Can't open %s: %s\n", argv[optind],
+ strerror(errno));
+diff -up iptables-1.4.1.1/ip6tables-save.c.cloexec iptables-1.4.1.1/ip6tables-save.c
+--- iptables-1.4.1.1/ip6tables-save.c.cloexec 2008-06-16 15:12:40.000000000 +0200
++++ iptables-1.4.1.1/ip6tables-save.c 2008-07-22 16:46:21.000000000 +0200
+@@ -40,7 +40,7 @@ static int for_each_table(int (*func)(co
+ FILE *procfile = NULL;
+ char tablename[IP6T_TABLE_MAXNAMELEN+1];
+ 
+- procfile = fopen("/proc/net/ip6_tables_names", "r");
++ procfile = fopen("/proc/net/ip6_tables_names", "re");
+ if (!procfile)
+ exit_error(OTHER_PROBLEM,
+ "Unable to open /proc/net/ip6_tables_names: %s\n",
+diff -up iptables-1.4.1.1/iptables-restore.c.cloexec iptables-1.4.1.1/iptables-restore.c
+--- iptables-1.4.1.1/iptables-restore.c.cloexec 2008-06-16 15:12:40.000000000 +0200
++++ iptables-1.4.1.1/iptables-restore.c 2008-07-22 16:46:21.000000000 +0200
+@@ -176,7 +176,7 @@ main(int argc, char *argv[])
+ }
+ 
+ if (optind == argc - 1) {
+- in = fopen(argv[optind], "r");
++ in = fopen(argv[optind], "re");
+ if (!in) {
+ fprintf(stderr, "Can't open %s: %s\n", argv[optind],
+ strerror(errno));
+diff -up iptables-1.4.1.1/iptables-save.c.cloexec iptables-1.4.1.1/iptables-save.c
+--- iptables-1.4.1.1/iptables-save.c.cloexec 2008-06-16 15:12:40.000000000 +0200
++++ iptables-1.4.1.1/iptables-save.c 2008-07-22 16:46:21.000000000 +0200
+@@ -38,7 +38,7 @@ static int for_each_table(int (*func)(co
+ FILE *procfile = NULL;
+ char tablename[IPT_TABLE_MAXNAMELEN+1];
+ 
+- procfile = fopen("/proc/net/ip_tables_names", "r");
++ procfile = fopen("/proc/net/ip_tables_names", "re");
+ if (!procfile)
+ exit_error(OTHER_PROBLEM,
+ "Unable to open /proc/net/ip_tables_names: %s\n",
+diff -up iptables-1.4.1.1/iptables-xml.c.cloexec iptables-1.4.1.1/iptables-xml.c
+--- iptables-1.4.1.1/iptables-xml.c.cloexec 2008-06-16 15:12:40.000000000 +0200
++++ iptables-1.4.1.1/iptables-xml.c 2008-07-22 16:46:21.000000000 +0200
+@@ -664,7 +664,7 @@ main(int argc, char *argv[])
+ }
+ 
+ if (optind == argc - 1) {
+- in = fopen(argv[optind], "r");
++ in = fopen(argv[optind], "re");
+ if (!in) {
+ fprintf(stderr, "Can't open %s: %s", argv[optind],
+ strerror(errno));
+diff -up iptables-1.4.1.1/xtables.c.cloexec iptables-1.4.1.1/xtables.c
+--- iptables-1.4.1.1/xtables.c.cloexec 2008-06-16 15:12:40.000000000 +0200
++++ iptables-1.4.1.1/xtables.c 2008-07-22 16:47:23.000000000 +0200
+@@ -85,6 +85,11 @@ static char *get_modprobe(void)
+ procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
+ if (procfile < 0)
+ return NULL;
++ if (fcntl(procfile, F_SETFD, FD_CLOEXEC) == -1) {
++ fprintf(stderr, "Could not set close on exec: %s\n",
++ strerror(errno));
++ exit(1);
++ }
+ 
+ ret = (char *) malloc(PROCFILE_BUFSIZ);
+ if (ret) {
+@@ -498,6 +503,12 @@ static int compatible_revision(const cha
+ exit(1);
+ }
+ 
++ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
++ fprintf(stderr, "Could not set close on exec: %s\n",
++ strerror(errno));
++ exit(1);
++ }
++
+ load_xtables_ko(modprobe_program, 1);
+ 
+ strcpy(rev.name, name);
diff --git a/iptables-1.4.1.1-tos_value_mask.patch b/iptables-1.4.1.1-tos_value_mask.patch
new file mode 100644
index 0000000..1fc6f62
--- /dev/null
+++ b/iptables-1.4.1.1-tos_value_mask.patch
@@ -0,0 +1,14 @@
+diff -up iptables-1.4.1.1/extensions/tos_values.c.tos_value_mask iptables-1.4.1.1/extensions/tos_values.c
+--- iptables-1.4.1.1/extensions/tos_values.c.tos_value_mask 2008-07-22 16:48:36.000000000 +0200
++++ iptables-1.4.1.1/extensions/tos_values.c 2008-07-22 17:23:46.000000000 +0200
+@@ -56,8 +56,9 @@ static bool tos_parse_symbolic(const cha
+ {
+ const unsigned int max = 255;
+ const struct tos_symbol_info *symbol;
++ char *tmp;
+ 
+- if (strtonum(str, NULL, NULL, 0, max))
++ if (strtonum(str, &tmp, NULL, 0, max))
+ return tos_parse_numeric(str, tvm, max);
+ 
+ /* Do not consider ECN bits */
diff --git a/iptables.spec b/iptables.spec
index c7873d0..b2e0694 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,13 +1,14 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.4.1.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Patch4: iptables-1.3.8-typo_latter.patch
-Patch5: iptables-1.4.1-cloexec.patch
+Patch5: iptables-1.4.1.1-cloexec.patch
 Patch8: iptables-1.4.1-nf_ext_init.patch
+Patch9: iptables-1.4.1.1-tos_value_mask.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
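Review bot: In the get_modprobe() part of the xtables.c hunk, a failed fcntl(F_SETFD, FD_CLOEXEC) on the /proc/sys/kernel/modprobe fd now terminates the process with exit(1), while the open() failure two lines above returns NULL and lets the caller fall back; the two failure paths of the same function should agree, e.g. `close(procfile); return NULL;` instead of the exit (get_modprobe's body continues outside the hunk). The "e" mode character that the -save/-restore/-xml and libipt_realm fopen() hunks rely on is a glibc extension (O_CLOEXEC, glibc 2.7 and later) that other libcs may reject outright and that a kernel without O_CLOEXEC silently drops, so the first use deserves a comment such as `/* "e" = O_CLOEXEC (glibc >= 2.7): do not leak the fd into the modprobe child */`. That leak is the point of the patch: compatible_revision() goes on to call load_xtables_ko(modprobe_program, 1), which presumably spawns modprobe, and without close-on-exec any fd still open here (sockfd, the modprobe proc fd) would be inherited by that root-run child. Unrelated to close-on-exec, the libipt_realm.c hunk also renames _init to nf_ext_init; that belongs with the existing nf_ext_init patch or its perl pass rather than in a cloexec patch, or needs a comment saying why realm is handled separately.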
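Review bot: The end pointer passed as `&tmp` on the new strtonum() line is never inspected, so the numeric-versus-symbolic decision now rests on strtonum() accepting a leading number, and whatever follows it ("/mask", but equally trailing junk) is left for tos_parse_numeric() to validate; that is presumably the intended fix for the value/mask form, but it is not obvious from the line and deserves a comment, e.g. `/* A leading number means "value" or "value/mask"; tos_parse_numeric() checks the rest. */`. If tos_parse_numeric() does not reject trailing garbage itself, an input like `16foo` would now be accepted where the old NULL end pointer rejected it — worth confirming, since that function is not part of this patch. tos_parse_symbolic() continues past the end of the hunk.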
@@ -55,6 +56,7 @@ stable and may change with every new version. It is therefore unsupported.
 %patch4 -p1 -b .typo_latter
 %patch5 -p1 -b .cloexec
 %patch8 -p1 -b .nf_ext_init
+%patch9 -p1 -b .tos_value_mask
 # fix constructor names, see also nf_ext_init patch
 perl -pi -e "s/void _init\(/void __attribute\(\(constructor\)\) nf_ext_init\(/g" extensions/*.c
 
@@ -131,6 +133,10 @@ fi
 %{_mandir}/man3/*
 
 %changelog
+* Tue Jul 22 2008 Thomas Woerner 1.4.1.1-2
+- fixed TOS value mask problem (rhbz#456244) (upstream patch)
+- two more cloexec fixes
+
 * Tue Jul 1 2008 Thomas Woerner 1.4.1.1-1
 - upstream bug fix release 1.4.1.1
 - dropped extra patch for 1.4.1 - not needed anymore
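Review bot: The `# fix constructor names` perl pass just below the new %patch9 line now overlaps with Patch5, which this commit changes to rename _init to nf_ext_init inside extensions/libipt_realm.c itself; the substitution simply no longer matches there, so the build is unaffected, but the rename now lives in two places. Either drop that hunk from the cloexec patch or widen the comment so the overlap reads as deliberate, e.g. `# fix constructor names, see also nf_ext_init patch (libipt_realm.c is already renamed by the cloexec patch)`.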