Hello community,

here is the log from the commit of package iptables for openSUSE:Factory checked in at 2018-02-10 17:55:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/iptables (Old)
 and      /work/SRC/openSUSE:Factory/.iptables.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "iptables" Sat Feb 10 17:55:06 2018 rev:60 rq:573925 version:1.6.2 Changes: -------- --- /work/SRC/openSUSE:Factory/iptables/iptables.changes 2017-02-08 11:01:09.822048279 +0100 +++ /work/SRC/openSUSE:Factory/.iptables.new/iptables.changes 2018-02-10 17:55:10.934615547 +0100 @@ -1,0 +2,16 @@ +Sat Feb 3 14:02:59 UTC 2018 - [email protected] + +- Update to new upstream release 1.6.2 + * add support for the "srh" match + * add randomize-full for the "MASQUERADE" target + * add rate match mode to the "hashlimit" match + +------------------------------------------------------------------- +Thu Jun 22 15:34:40 UTC 2017 - [email protected] + +- Add iptables-batch-lock.patch: Fix a locking issue of + iptables-batch which can cause it to spuriously fail when other + programs modify the iptables rules in parallel (bnc#1045130). + This can especially affect SuSEfirewall2 during startup. + +------------------------------------------------------------------- Old: ---- iptables-1.6.1.tar.bz2 iptables-1.6.1.tar.bz2.sig New: ---- iptables-1.6.2.tar.bz2 iptables-1.6.2.tar.bz2.sig iptables-batch-lock.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ iptables.spec ++++++ --- /var/tmp/diff_new_pack.bNL7Fe/_old 2018-02-10 17:55:11.750586008 +0100 +++ /var/tmp/diff_new_pack.bNL7Fe/_new 2018-02-10 17:55:11.754585864 +0100 @@ -1,7 +1,7 @@ # # spec file for package iptables # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,17 +17,19 @@ Name: iptables -Version: 1.6.1 +Version: 1.6.2 Release: 0 -Summary: IP Packet Filter Administration utilities +Summary: IP packet filter administration utilities License: GPL-2.0 and Artistic-2.0 Group: Productivity/Networking/Security Url: http://netfilter.org/projects/iptables/ +#Git-Clone: git://git.netfilter.org/iptables Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2 Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig Source3: %name.keyring Patch3: iptables-batch.patch Patch4: iptables-apply-mktemp-fix.patch +Patch5: iptables-batch-lock.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?fedora_version} || 0%{?centos_version} @@ -54,19 +56,19 @@ kernel. %package nft -Summary: NFT Packet Filter Administration utilties in the style of Xtables +Summary: nft packet filter administration utilties in the style of Xtables Group: Productivity/Networking/Security Requires: xtables-plugins = %version-%release Conflicts: ebtables %description nft The programs shipped in this subpackage behave like iptables on the -command line, but instead edit the rules of the NFT packet filter in +command line, but instead edits the rules of the nft packet filter in the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit -all features. +the features. %package -n xtables-plugins -Summary: Match and Target Extension plugins for iptables +Summary: Match and target extension plugins for iptables Group: Productivity/Networking/Security Conflicts: iptables < 1.4.18 @@ -127,7 +129,7 @@ iproute2's m_xt. %package -n libxtables-devel -Summary: Libraries, Headers and Development Man Pages for iptables +Summary: Headers and manpages for iptables Group: Development/Libraries/C and C++ Requires: libxtables12 = %version 
@@ -141,12 +143,12 @@ %prep %setup -q -%patch -P 3 -P 4 -p1 +%patch -P 3 -P 4 -P 5 -p1 %build # We have the iptables-batch patch, so always regenerate. if true || [ ! -e configure ]; then - ./autogen.sh; + ./autogen.sh fi # bnc#561793 - do not include unclean module in iptables manpage rm -f extensions/libipt_unclean.man @@ -160,7 +162,7 @@ # iptables-apply is not installed by upstream Makefile install -m0755 iptables/iptables-apply %buildroot%_sbindir/ install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/ -rm -f "%buildroot/%_libdir"/*.la; +rm -f "%buildroot/%_libdir"/*.la %if 0%{?suse_version} %fdupes %buildroot/%_prefix %endif @@ -199,6 +201,7 @@ %defattr(-,root,root) %_libdir/xtables/ %_sbindir/nfnl_osf +%_mandir/man8/nfnl_osf.8* %_datadir/xtables/ %files -n libipq0 ++++++ iptables-1.6.1.tar.bz2 -> iptables-1.6.2.tar.bz2 ++++++ ++++ 28074 lines of diff (skipped) ++++++ iptables-batch-lock.patch ++++++ From: Matthias Gerstner <[email protected]> Date: 2017-06-26T10:53:24+0000 - fix a locking issue of iptables-batch which can cause it to spuriously fail when other programs modify the iptables rules in parallel (bnc#1045130). This can especially affect SuSEfirewall2 during startup. --- iptables/iptables-batch.c | 21 +++++++++++++++++++++ iptables/xshared.c | 8 +++++++- 2 files changed, 28 insertions(+), 1 deletion(-) Index: iptables-1.6.2/iptables/iptables-batch.c =================================================================== --- iptables-1.6.2.orig/iptables/iptables-batch.c +++ iptables-1.6.2/iptables/iptables-batch.c 
@@ -403,6 +403,27 @@ main(int argc, char *argv[]) tables[3].name = "raw"; tables[3].handle = NULL; current_table = &tables[0]; + /* + * We need to lock the complete batch processing against parallel + * modification by other processes. Otherwise, we can end up with + * EAGAIN errors. + * + * The do_command{4,6} function already locks itself, but the complete + * call sequence needs to be locked until the commit is performed. + * + * Sadly, the xtables_lock() implementation is not very cooperative. + * There is no unlock() equivalent. The lock file descriptor is smiply + * left open until the process exits. Thus, we would have deadlocks + * when calling do_command{4,6} the second time. + * + * To prevent this, part of this patch adds logic to avoid taking the + * lock a second time in the same process in xtables_lock() + */ + const struct timeval wait_interval = {.tv_sec = 1}; + if (!xtables_lock_or_exit(-1, &wait_interval)) { + fprintf(stderr, "failed to acquire the xtables lock\n"); + exit(1); + } while((r = getline(&iline, &llen, fp)) != -1) { Index: iptables-1.6.2/iptables/xshared.c =================================================================== --- iptables-1.6.2.orig/iptables/xshared.c +++ iptables-1.6.2/iptables/xshared.c @@ -248,9 +248,13 @@ void xs_init_match(struct xtables_match static int xtables_lock(int wait, struct timeval *wait_interval) { + static bool already_locked = false; struct timeval time_left, wait_time; int fd, i = 0; + if (already_locked) + /* Avoid deadlocks, see iptables-batch.c */ + return true; time_left.tv_sec = wait; time_left.tv_usec = 0; @@ -262,8 +266,10 @@ static int xtables_lock(int wait, struct } if (wait == -1) { - if (flock(fd, LOCK_EX) == 0) + if (flock(fd, LOCK_EX) == 0) { + already_locked = true; return fd; + } fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME, strerror(errno));
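Review bot: in the iptables.spec diff above, the %package nft hunk introduces a subject-verb disagreement in %description nft: "The programs shipped in this subpackage behave like iptables on the command line, but instead edits the rules" should keep the original "edit", since the subject is plural. The touched Summary line still carries the pre-existing typo "utilties" (for "utilities"), which is worth fixing while the line is being rewritten anyway, and "to exploit the features" reads less clearly than the original "to exploit all features".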
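Review bot: the check `if (!xtables_lock_or_exit(-1, &wait_interval))` in the iptables-batch.c hunk treats the return value as a boolean, but the companion xshared.c hunk shows xtables_lock() returning a file descriptor on success (`return fd;`). If xtables_lock_or_exit() passes that value through, a descriptor of 0 would be misreported as a failure and any other descriptor succeeds only by accident; and given the _or_exit name, the failure branch that prints "failed to acquire the xtables lock" is unlikely to be reachable, since the callee is expected to exit on error itself. Either compare against the failure sentinel the callee actually uses or drop the check and rely on the _or_exit behaviour. The comment block also has a typo: "smiply" for "simply".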
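Review bot: the early `return true;` added to xtables_lock() in the xshared.c hunk is a type mismatch with the function's `int` return and with `return fd;` on the success path: it yields 1, which a caller expecting a descriptor would take to be stdout, and anything that later closes the returned value would close stdout. Store the descriptor alongside the flag and return it, or return a sentinel callers recognise. Also, `already_locked = true` is set only inside the blocking `if (wait == -1)` branch; the timed path that follows is not shown setting it, so a first call with a positive wait followed by a second call in the same process would still block on the process's own lock. Setting the flag on every successful flock() path closes that gap. Finally, `static bool` requires <stdbool.h> in xshared.c, which the hunk does not show being included.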
