From 74f361e244fd6c2403ab5b32bbcd8e9f259c2e4a Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Mon, 10 Jan 2011 17:05:15 +0100
Subject: [PATCH] - new version 1.4.10 with all new features of 2.6.36
- all: consistent syntax use in struct option
- build: fix static linking
- doc: let man(1) autoalign the text in xt_cpu
- doc: remove extra empty line from xt_cpu
- doc: minimal spelling updates to xt_cpu
- doc: consistent use of markup
- extensions: libxt_quota: don't ignore the quota value on deletion
- extensions: REDIRECT: add random help
- extensions: add xt_cpu match
- extensions: add idletimer xt target extension
- extensions: libxt_IDLETIMER: use xtables_param_act when checking options
- extensions: libxt_CHECKSUM extension
- extensions: libipt_LOG/libip6t_LOG: support macdecode option
- extensions: fix compilation of the new CHECKSUM target
- extensions: libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
- iptables-xml: resolve compiler warnings
- iptables: limit chain name length to be consistent with targets
- libiptc: add Libs.private to pkgconfig files
- libiptc: build with -Wl,--no-as-needed
- xtables: remove unnecessary cast
- dropped xt_CHECKSUM, added upstream
---
iptables-1.4.10-cloexec.patch | 150 ++++++++++++++++++++++++++++++++++
iptables.spec | 32 ++++++--
sources | 2 +-
3 files changed, 178 insertions(+), 6 deletions(-)
create mode 100644 iptables-1.4.10-cloexec.patch
diff --git a/iptables-1.4.10-cloexec.patch b/iptables-1.4.10-cloexec.patch
new file mode 100644
index 0000000..78007b2
--- /dev/null
+++ b/iptables-1.4.10-cloexec.patch
@@ -0,0 +1,150 @@
+diff -up iptables-1.4.10/extensions/libipt_realm.c.cloexec iptables-1.4.10/extensions/libipt_realm.c
+--- iptables-1.4.10/extensions/libipt_realm.c.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/extensions/libipt_realm.c 2011-01-10 13:23:31.373335720 +0100
+@@ -49,7 +49,7 @@ static void load_realms(void)
+ int id;
+ struct realmname *oldnm = NULL, *newnm = NULL;
+ 
+- fil = fopen(rfnm, "r");
++ fil = fopen(rfnm, "re");
+ if (!fil) {
+ rdberr = 1;
+ return;
+diff -up iptables-1.4.10/extensions/libxt_set.h.cloexec iptables-1.4.10/extensions/libxt_set.h
+--- iptables-1.4.10/extensions/libxt_set.h.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/extensions/libxt_set.h 2011-01-10 13:23:31.374335743 +0100
+@@ -2,6 +2,7 @@
+ #define _LIBXT_SET_H
+ 
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -23,6 +24,12 @@ get_version(unsigned *version)
+ xtables_error(OTHER_PROBLEM,
+ "Can't open socket to ipset.\n");
+ 
++ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
++ xtables_error(OTHER_PROBLEM,
++ "Could not set close on exec: %s\n",
++ strerror(errno));
++ }
++ 
+ req_version.op = IP_SET_OP_VERSION;
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, &req_version, &size);
+ if (res != 0)
+diff -up iptables-1.4.10/ip6tables-restore.c.cloexec iptables-1.4.10/ip6tables-restore.c
+--- iptables-1.4.10/ip6tables-restore.c.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/ip6tables-restore.c 2011-01-10 13:23:31.380335880 +0100
+@@ -169,7 +169,7 @@ int main(int argc, char *argv[])
+ }
+ 
+ if (optind == argc - 1) {
+- in = fopen(argv[optind], "r");
++ in = fopen(argv[optind], "re");
+ if (!in) {
+ fprintf(stderr, "Can't open %s: %s\n", argv[optind],
+ strerror(errno));
+diff -up iptables-1.4.10/ip6tables-save.c.cloexec iptables-1.4.10/ip6tables-save.c
+--- iptables-1.4.10/ip6tables-save.c.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/ip6tables-save.c 2011-01-10 13:23:31.381335904 +0100
+@@ -41,7 +41,7 @@ static int for_each_table(int (*func)(co
+ FILE *procfile = NULL;
+ char tablename[IP6T_TABLE_MAXNAMELEN+1];
+ 
+- procfile = fopen("/proc/net/ip6_tables_names", "r");
++ procfile = fopen("/proc/net/ip6_tables_names", "re");
+ if (!procfile)
+ return ret;
+ 
+diff -up iptables-1.4.10/iptables-restore.c.cloexec iptables-1.4.10/iptables-restore.c
+--- iptables-1.4.10/iptables-restore.c.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/iptables-restore.c 2011-01-10 13:23:31.383335950 +0100
+@@ -175,7 +175,7 @@ main(int argc, char *argv[])
+ }
+ 
+ if (optind == argc - 1) {
+- in = fopen(argv[optind], "r");
++ in = fopen(argv[optind], "re");
+ if (!in) {
+ fprintf(stderr, "Can't open %s: %s\n", argv[optind],
+ strerror(errno));
+diff -up iptables-1.4.10/iptables-save.c.cloexec iptables-1.4.10/iptables-save.c
+--- iptables-1.4.10/iptables-save.c.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/iptables-save.c 2011-01-10 13:23:31.383335950 +0100
+@@ -39,7 +39,7 @@ static int for_each_table(int (*func)(co
+ FILE *procfile = NULL;
+ char tablename[IPT_TABLE_MAXNAMELEN+1];
+ 
+- procfile = fopen("/proc/net/ip_tables_names", "r");
++ procfile = fopen("/proc/net/ip_tables_names", "re");
+ if (!procfile)
+ return ret;
+ 
+diff -up iptables-1.4.10/iptables-xml.c.cloexec iptables-1.4.10/iptables-xml.c
+--- iptables-1.4.10/iptables-xml.c.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/iptables-xml.c 2011-01-10 13:23:31.385335996 +0100
+@@ -653,7 +653,7 @@ main(int argc, char *argv[])
+ }
+ 
+ if (optind == argc - 1) {
+- in = fopen(argv[optind], "r");
++ in = fopen(argv[optind], "re");
+ if (!in) {
+ fprintf(stderr, "Can't open %s: %s", argv[optind],
+ strerror(errno));
+diff -up iptables-1.4.10/libiptc/libiptc.c.cloexec iptables-1.4.10/libiptc/libiptc.c
+--- iptables-1.4.10/libiptc/libiptc.c.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/libiptc/libiptc.c 2011-01-10 13:23:31.387336042 +0100
+@@ -29,6 +29,8 @@
* - performance work: speedup initial ruleset parsing.
+ * - sponsored by ComX Networks A/S (http://www.comx.dk/)
+ */
++#include
++#include
+ #include
+ #include
+ #include
+@@ -1328,6 +1330,12 @@ TC_INIT(const char *tablename)
+ if (sockfd < 0)
+ return NULL;
+ 
++ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
++ fprintf(stderr, "Could not set close on exec: %s\n",
++ strerror(errno));
++ abort();
++ }
++ 
+ retry:
+ s = sizeof(info);
+ 
+diff -up iptables-1.4.10/xtables.c.cloexec iptables-1.4.10/xtables.c
+--- iptables-1.4.10/xtables.c.cloexec 2010-10-29 16:37:22.000000000 +0200
++++ iptables-1.4.10/xtables.c 2011-01-10 13:25:06.548552918 +0100
+@@ -285,6 +285,12 @@ static char *get_modprobe(void)
+ if (procfile < 0)
+ return NULL;
+ 
++ if (fcntl(procfile, F_SETFD, FD_CLOEXEC) == -1) {
++ fprintf(stderr, "Could not set close on exec: %s\n",
++ strerror(errno));
++ exit(1);
++ }
++ 
+ ret = malloc(PROCFILE_BUFSIZ);
+ if (ret) {
+ memset(ret, 0, PROCFILE_BUFSIZ);
+@@ -680,6 +686,12 @@ static int compatible_revision(const cha
+ exit(1);
+ }
+ 
++ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
++ fprintf(stderr, "Could not set close on exec: %s\n",
++ strerror(errno));
++ exit(1);
++ }
++ 
+ xtables_load_ko(xtables_modprobe_program, true);
+ 
+ strcpy(rev.name, name);
diff --git a/iptables.spec b/iptables.spec
index df35e90..a955153 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,12 +1,11 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
-Version: 1.4.9
-Release: 2%{?dist}
+Version: 1.4.10
+Release: 1%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
-Patch5: iptables-1.4.9-cloexec.patch
-Patch6: iptables-1.4.7-xt_CHECKSUM.patch
+Patch5: iptables-1.4.10-cloexec.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
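Review bot: In the libiptc.c TC_INIT hunk a failed fcntl(F_SETFD, FD_CLOEXEC) calls abort() from inside libiptc, a library whose function already reports socket() failure with `return NULL;` two lines above, so a descriptor-flag error now kills every program linked against the library instead of surfacing as an init failure. Prefer `close(sockfd); return NULL;` in that branch (preserving errno across close() if callers read it through the library's error path), matching the existing NULL contract rather than the exit(1) the xtables.c hunks use, which is acceptable there because those paths already exit(1) on socket failure in a standalone binary. Note also that socket()/open() followed by a separate fcntl() is not atomic: a thread in the calling process that fork()s and exec()s between the two calls still hands the netfilter or ipset socket to the child, which is exactly the leak the patch is meant to close; if the supported kernel and glibc baseline allows it, passing SOCK_CLOEXEC/O_CLOEXEC at creation (the socket() and open() calls sit just above each hunk, outside the shown context) removes that window and the error path entirely. The "re" fopen mode is a glibc extension, fine for a distribution patch but worth a one-line comment at its first use such as `/* "e" = O_CLOEXEC, glibc-specific */`. TC_INIT, get_modprobe and compatible_revision all start and end outside their hunks.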
@@ -53,7 +52,6 @@ stable and may change with every new version. It is therefore unsupported.
 %prep
 %setup -q
 %patch5 -p1 -b .cloexec
-%patch6 -p1 -b .xt_CHECKSUM
 %build
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" \
@@ -165,6 +163,30 @@ fi
 %{_libdir}/pkgconfig/xtables.pc
 %changelog
+* Mon Jan 10 2011 Thomas Woerner 1.4.10-1
+- new version 1.4.10 with all new features of 2.6.36
+ - all: consistent syntax use in struct option
+ - build: fix static linking
+ - doc: let man(1) autoalign the text in xt_cpu
+ - doc: remove extra empty line from xt_cpu
+ - doc: minimal spelling updates to xt_cpu
+ - doc: consistent use of markup
+ - extensions: libxt_quota: don't ignore the quota value on deletion
+ - extensions: REDIRECT: add random help
+ - extensions: add xt_cpu match
+ - extensions: add idletimer xt target extension
+ - extensions: libxt_IDLETIMER: use xtables_param_act when checking options
+ - extensions: libxt_CHECKSUM extension
+ - extensions: libipt_LOG/libip6t_LOG: support macdecode option
+ - extensions: fix compilation of the new CHECKSUM target
+ - extensions: libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
+ - iptables-xml: resolve compiler warnings
+ - iptables: limit chain name length to be consistent with targets
+ - libiptc: add Libs.private to pkgconfig files
+ - libiptc: build with -Wl,--no-as-needed
+ - xtables: remove unnecessary cast
+- dropped xt_CHECKSUM, added upstream
+ 
 * Tue Oct 12 2010 Thomas Woerner 1.4.9-2
 - added xt_CHECKSUM patch from Michael S. Tsirkin (rhbz#612587)
diff --git a/sources b/sources
index 6127307..a3636d6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-db1312f7ce5a4c11dc981a2ac76b26e8 iptables-1.4.9.tar.bz2
+f382fe693f0b59d87bd47bea65eca198 iptables-1.4.10.tar.bz2