- fixed leaked file descriptor before fork/exec (rhbz#312191)
- blacklisting is not working, use "install X /bin/(true|false)" test
instead
- return private exit code 150 for disabled ipv6 support
- use script name for output messages
This commit is contained in:
Thomas Woerner
parent
22d082249b
commit
6a95dca65a
30
iptables-1.3.8-cloexec.patch
Normal file
30
iptables-1.3.8-cloexec.patch
Normal file
@ -0,0 +1,30 @@
|
||||
diff -up iptables-1.3.8/ip6tables.c.cloexec iptables-1.3.8/ip6tables.c
|
||||
--- iptables-1.3.8/ip6tables.c.cloexec 2007-10-02 13:42:23.000000000 +0200
|
||||
+++ iptables-1.3.8/ip6tables.c 2007-10-02 13:42:54.000000000 +0200
|
||||
@@ -1121,6 +1121,11 @@ static int compatible_revision(const cha
|
||||
strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
|
||||
+ fprintf(stderr, "Could not set close on exec: %s\n",
|
||||
+ strerror(errno));
|
||||
+ exit(1);
|
||||
+ }
|
||||
|
||||
strcpy(rev.name, name);
|
||||
rev.revision = revision;
|
||||
diff -up iptables-1.3.8/iptables.c.cloexec iptables-1.3.8/iptables.c
|
||||
--- iptables-1.3.8/iptables.c.cloexec 2007-10-02 13:42:09.000000000 +0200
|
||||
+++ iptables-1.3.8/iptables.c 2007-10-02 13:42:25.000000000 +0200
|
||||
@@ -1149,6 +1149,11 @@ static int compatible_revision(const cha
|
||||
strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
|
||||
+ fprintf(stderr, "Could not set close on exec: %s\n",
|
||||
+ strerror(errno));
|
||||
+ exit(1);
|
||||
+ }
|
||||
|
||||
load_iptables_ko(modprobe, 1);
|
||||
|
||||
@ -28,7 +28,7 @@ PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
|
||||
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
|
||||
|
||||
if [ ! -x /sbin/$IPTABLES ]; then
|
||||
echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
|
||||
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
|
||||
exit 5
|
||||
fi
|
||||
|
||||
@ -93,7 +93,7 @@ flush_n_delete() {
|
||||
# Check if firewall is configured (has tables)
|
||||
[ -z "$NF_TABLES" ] && return 1
|
||||
|
||||
echo -n $"Flushing firewall rules: "
|
||||
echo -n $"${IPTABLES}: Flushing firewall rules: "
|
||||
ret=0
|
||||
# For all tables
|
||||
for i in $NF_TABLES; do
|
||||
@ -126,7 +126,7 @@ set_policy() {
|
||||
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
||||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"Setting chains to policy $policy: "
|
||||
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
|
||||
ret=0
|
||||
for i in $tables; do
|
||||
echo -n "$i "
|
||||
@ -171,13 +171,14 @@ start() {
|
||||
# Do not start if there is no config file.
|
||||
[ ! -f "$IPTABLES_DATA" ] && return 6
|
||||
|
||||
if [ "${IPV}" = "ip6" ] \
|
||||
&& grep -qIs "^blacklist\W*${_IPV}" /etc/modprobe.conf /etc/modprobe.d/* ; then
|
||||
echo $"${0##*/}: ${_IPV} is blacklisted."
|
||||
return 6
|
||||
# check if ipv6 module load is deactivated
|
||||
if [ "${_IPV}" = "ipv6" ] \
|
||||
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
|
||||
echo $"${IPTABLES}: ${_IPV} is disabled."
|
||||
return 150
|
||||
fi
|
||||
|
||||
echo -n $"Applying $IPTABLES firewall rules: "
|
||||
echo -n $"${IPTABLES}: Applying firewall rules: "
|
||||
|
||||
OPT=
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
@ -191,7 +192,7 @@ start() {
|
||||
|
||||
# Load additional modules (helpers)
|
||||
if [ -n "$IPTABLES_MODULES" ]; then
|
||||
echo -n $"Loading additional $IPTABLES modules: "
|
||||
echo -n $"${IPTABLES}: Loading additional modules: "
|
||||
ret=0
|
||||
for mod in $IPTABLES_MODULES; do
|
||||
echo -n "$mod "
|
||||
@ -214,7 +215,7 @@ stop() {
|
||||
set_policy ACCEPT
|
||||
|
||||
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
|
||||
echo -n $"Unloading $IPTABLES modules: "
|
||||
echo -n $"${IPTABLES}: Unloading modules: "
|
||||
ret=0
|
||||
for mod in ${NF_MODULES[*]}; do
|
||||
rmmod_r $mod
|
||||
@ -223,7 +224,7 @@ stop() {
|
||||
# try to unload remaining netfilter modules used by ipv4 and ipv6
|
||||
# netfilter
|
||||
for mod in ${NF_MODULES_COMMON[*]}; do
|
||||
rmmod_r $mod
|
||||
rmmod_r $mod >/dev/null
|
||||
done
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
@ -240,7 +241,7 @@ save() {
|
||||
# Check if firewall is configured (has tables)
|
||||
[ -z "$NF_TABLES" ] && return 6
|
||||
|
||||
echo -n $"Saving firewall rules to $IPTABLES_DATA: "
|
||||
echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
|
||||
|
||||
OPT=
|
||||
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
|
||||
@ -271,7 +272,7 @@ save() {
|
||||
|
||||
status() {
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
|
||||
echo $"${0##*/}: Firewall is not running."
|
||||
echo $"${IPTABLES}: Firewall is not running."
|
||||
return 3
|
||||
fi
|
||||
|
||||
@ -279,13 +280,13 @@ status() {
|
||||
# loaded.
|
||||
# Check if iptable modules are loaded
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
||||
echo $"${0##*/}: Firewall modules are not loaded."
|
||||
echo $"${IPTABLES}: Firewall modules are not loaded."
|
||||
return 3
|
||||
fi
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
if [ -z "$NF_TABLES" ]; then
|
||||
echo $"${0##*/}: Firewall is not configured. "
|
||||
echo $"${IPTABLES}: Firewall is not configured. "
|
||||
return 3
|
||||
fi
|
||||
|
||||
@ -345,7 +346,7 @@ case "$1" in
|
||||
RETVAL=$?
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: ${0##*/} {start|stop|restart|condrestart|status|panic|save}"
|
||||
echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
|
||||
RETVAL=2
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
Version: 1.3.8
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
@ -12,6 +12,7 @@ Patch1: iptables-1.3.8-headers.patch
|
||||
Patch2: iptables-1.3.8-reject_type.patch
|
||||
Patch3: iptables-1.3.8-limit_man.patch
|
||||
Patch4: iptables-1.3.8-typo_latter.patch
|
||||
Patch5: iptables-1.3.8-cloexec.patch
|
||||
Group: System Environment/Base
|
||||
URL: http://www.netfilter.org/
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
@ -62,6 +63,7 @@ stable and may change with every new version. It is therefore unsupported.
|
||||
%patch2 -p1 -b .reject_type
|
||||
%patch3 -p1 -b .limit_man
|
||||
%patch4 -p1 -b .typo_latter
|
||||
%patch5 -p1 -b .cloexec
|
||||
|
||||
# Put it to a reasonable place
|
||||
find . -type f -exec perl -pi -e "s,/usr/local,%{_prefix},g" {} \;
|
||||
@ -153,6 +155,12 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Nov 5 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-6
|
||||
- fixed leaked file descriptor before fork/exec (rhbz#312191)
|
||||
- blacklisting is not working, use "install X /bin/(true|false)" test instead
|
||||
- return private exit code 150 for disabled ipv6 support
|
||||
- use script name for output messages
|
||||
|
||||
* Tue Oct 16 2007 Thomas Woerner <twoerner@redhat.com> 1.3.8-5
|
||||
- fixed error code for stopping a already stopped firewall (rhbz#321751)
|
||||
- moved blacklist test into start
|
||||
|
||||
Loading…
Reference in New Issue
Block a user