From 6a95dca65a2662261d8c540a3738b7952d40ab11 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Mon, 5 Nov 2007 16:41:26 +0000
Subject: [PATCH] - fixed leaked file descriptor before fork/exec (rhbz#312191)
- blacklisting is not working, use "install X /bin/(true|false)" test instead
- return private exit code 150 for disabled ipv6 support
- use script name for output messages
---
 iptables-1.3.8-cloexec.patch | 30 ++++++++++++++++++++++++++++++
 iptables.init | 33 +++++++++++++++++----------------
 iptables.spec | 10 +++++++++-
 3 files changed, 56 insertions(+), 17 deletions(-)
 create mode 100644 iptables-1.3.8-cloexec.patch
diff --git a/iptables-1.3.8-cloexec.patch b/iptables-1.3.8-cloexec.patch
new file mode 100644
index 0000000..26a937e
--- /dev/null
+++ b/iptables-1.3.8-cloexec.patch
@@ -0,0 +1,30 @@
+diff -up iptables-1.3.8/ip6tables.c.cloexec iptables-1.3.8/ip6tables.c
+--- iptables-1.3.8/ip6tables.c.cloexec 2007-10-02 13:42:23.000000000 +0200
++++ iptables-1.3.8/ip6tables.c 2007-10-02 13:42:54.000000000 +0200
+@@ -1121,6 +1121,11 @@ static int compatible_revision(const cha
+ strerror(errno));
+ exit(1);
+ }
++ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
++ fprintf(stderr, "Could not set close on exec: %s\n",
++ strerror(errno));
++ exit(1);
++ }
+
+ strcpy(rev.name, name);
+ rev.revision = revision;
+diff -up iptables-1.3.8/iptables.c.cloexec iptables-1.3.8/iptables.c
+--- iptables-1.3.8/iptables.c.cloexec 2007-10-02 13:42:09.000000000 +0200
++++ iptables-1.3.8/iptables.c 2007-10-02 13:42:25.000000000 +0200
+@@ -1149,6 +1149,11 @@ static int compatible_revision(const cha
+ strerror(errno));
+ exit(1);
+ }
++ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
++ fprintf(stderr, "Could not set close on exec: %s\n",
++ strerror(errno));
++ exit(1);
++ }
+
+ load_iptables_ko(modprobe, 1);
+
diff --git a/iptables.init b/iptables.init
index f44f89b..684ca79 100755
--- a/iptables.init
+++ b/iptables.init
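Review bot: The fcntl() added in both hunks covers only the socket whose error path precedes it, and nothing in the hunk shows that socket being close()d on compatible_revision's normal return, so if it is not closed further down (the rest of the function is outside the hunk) each call still leaks a descriptor inside the iptables process itself and FD_CLOEXEC merely keeps it out of the modprobe child; worth confirming a `close(sockfd);` on every return path. Any other descriptor the tool holds open when load_iptables_ko() runs — the iptables.c hunk calls it right after the new check — would still be inherited by the child and is not addressed by this patch; those call sites are not visible here, so treat that as an inference to check rather than a finding. Setting the flag with a separate fcntl() leaves a window between socket() and fcntl() that only matters if another thread can fork() in between, which is acceptable for a single-threaded tool, and passing SOCK_CLOEXEC in the socket() type was not available on the 2007-era kernels this 1.3.8 build targets. A short comment on the new block, e.g. `/* modprobe is spawned below; do not let the child inherit this socket */`, would record why the flag is set right here.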
@@ -28,7 +28,7 @@ PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
 VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
 if [ ! -x /sbin/$IPTABLES ]; then
- echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
+ echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
 exit 5
 fi
@@ -93,7 +93,7 @@ flush_n_delete() {
 # Check if firewall is configured (has tables)
 [ -z "$NF_TABLES" ] && return 1
- echo -n $"Flushing firewall rules: "
+ echo -n $"${IPTABLES}: Flushing firewall rules: "
 ret=0
 # For all tables
 for i in $NF_TABLES; do
@@ -126,7 +126,7 @@ set_policy() {
 tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
 [ -z "$tables" ] && return 1
- echo -n $"Setting chains to policy $policy: "
+ echo -n $"${IPTABLES}: Setting chains to policy $policy: "
 ret=0
 for i in $tables; do
 echo -n "$i "
@@ -171,13 +171,14 @@ start() {
 # Do not start if there is no config file.
 [ ! -f "$IPTABLES_DATA" ] && return 6
- if [ "${IPV}" = "ip6" ] \
- && grep -qIs "^blacklist\W*${_IPV}" /etc/modprobe.conf /etc/modprobe.d/* ; then
- echo $"${0##*/}: ${_IPV} is blacklisted."
- return 6
+ # check if ipv6 module load is deactivated
+ if [ "${_IPV}" = "ipv6" ] \
+ && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+ echo $"${IPTABLES}: ${_IPV} is disabled."
+ return 150
 fi
- echo -n $"Applying $IPTABLES firewall rules: "
+ echo -n $"${IPTABLES}: Applying firewall rules: "
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
@@ -191,7 +192,7 @@ start() {
 # Load additional modules (helpers)
 if [ -n "$IPTABLES_MODULES" ]; then
- echo -n $"Loading additional $IPTABLES modules: "
+ echo -n $"${IPTABLES}: Loading additional modules: "
 ret=0
 for mod in $IPTABLES_MODULES; do
 echo -n "$mod "
@@ -214,7 +215,7 @@ stop() {
 set_policy ACCEPT
 if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
- echo -n $"Unloading $IPTABLES modules: "
+ echo -n $"${IPTABLES}: Unloading modules: "
 ret=0
 for mod in ${NF_MODULES[*]}; do
 rmmod_r $mod
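Review bot: The grep in the start() hunk is anchored only at the start of the line, so an `install ipv6 /bin/true` written with leading whitespace is missed and `/bin/true-anything` is accepted; both are corner cases, but the expression is cheap to tighten: `grep -qIsE "^[[:space:]]*install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)([[:space:]]|$)"`. A miss here fails safe, since start() then falls through to applying the rules and the restore presumably fails loudly rather than silently skipping the rule set. `${_IPV}` is interpolated unescaped into the ERE, which is fine because it is a fixed module name set elsewhere in the script, but a one-line comment above the grep should state that only `/bin/true` and `/bin/false` install stubs are recognised and that `options ipv6 disable=1` or a kernel built without IPv6 still reach the restore step. The new `return 150` sits in the 150–199 range that the LSB init-script convention leaves for application-specific codes, so it will not collide with the standard status values the rest of the script returns.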
@@ -223,7 +224,7 @@ stop() {
 # try to unload remaining netfilter modules used by ipv4 and ipv6
 # netfilter
 for mod in ${NF_MODULES_COMMON[*]}; do
- rmmod_r $mod
+ rmmod_r $mod >/dev/null
 done
 [ $ret -eq 0 ] && success || failure
 echo
@@ -240,7 +241,7 @@ save() {
 # Check if firewall is configured (has tables)
 [ -z "$NF_TABLES" ] && return 6
- echo -n $"Saving firewall rules to $IPTABLES_DATA: "
+ echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
@@ -271,7 +272,7 @@ save() {
 status() {
 if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
- echo $"${0##*/}: Firewall is not running."
+ echo $"${IPTABLES}: Firewall is not running."
 return 3
 fi
@@ -279,13 +280,13 @@ status() {
 # loaded.
 # Check if iptable modules are loaded
 if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
- echo $"${0##*/}: Firewall modules are not loaded."
+ echo $"${IPTABLES}: Firewall modules are not loaded."
 return 3
 fi
 # Check if firewall is configured (has tables)
 if [ -z "$NF_TABLES" ]; then
- echo $"${0##*/}: Firewall is not configured. "
+ echo $"${IPTABLES}: Firewall is not configured. "
 return 3
 fi
@@ -345,7 +346,7 @@ case "$1" in
 RETVAL=$?
 ;;
 *)
- echo $"Usage: ${0##*/} {start|stop|restart|condrestart|status|panic|save}"
+ echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
 RETVAL=2
 ;;
 esac
diff --git a/iptables.spec b/iptables.spec
index e3b387c..72b8d2b 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -3,7 +3,7 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.3.8
-Release: 5%{?dist}
+Release: 6%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
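Review bot: Redirecting `rmmod_r $mod >/dev/null` hides the stdout of the common-module loop while that loop still never touches `ret`, so the success/failure banner that follows reports only the earlier NF_MODULES loop and an operator now has no trace of which shared ip4/ip6 modules stayed loaded. rmmod_r is defined outside the hunk, so I cannot tell whether its diagnostics go to stdout or stderr; if stderr, real errors still surface and the redirect only drops the chatter, which is acceptable. Either way the intent deserves a comment above the loop, e.g. `# best effort: these modules are shared with the other IP stack and may legitimately still be in use, so failures are neither shown nor counted`. The enclosing stop() function begins and ends outside this hunk.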
@@ -12,6 +12,7 @@ Patch1: iptables-1.3.8-headers.patch
 Patch2: iptables-1.3.8-reject_type.patch
 Patch3: iptables-1.3.8-limit_man.patch
 Patch4: iptables-1.3.8-typo_latter.patch
+Patch5: iptables-1.3.8-cloexec.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -62,6 +63,7 @@ stable and may change with every new version. It is therefore unsupported.
 %patch2 -p1 -b .reject_type
 %patch3 -p1 -b .limit_man
 %patch4 -p1 -b .typo_latter
+%patch5 -p1 -b .cloexec
 # Put it to a reasonable place
 find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
@@ -153,6 +155,12 @@ fi
 %endif
 %changelog
+* Mon Nov 5 2007 Thomas Woerner 1.3.8-6
+- fixed leaked file descriptor before fork/exec (rhbz#312191)
+- blacklisting is not working, use "install X /bin/(true|false)" test instead
+- return private exit code 150 for disabled ipv6 support
+- use script name for output messages
+
 * Tue Oct 16 2007 Thomas Woerner 1.3.8-5
 - fixed error code for stopping a already stopped firewall (rhbz#321751)
 - moved blacklist test into start