Merge lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177 into lp:ubuntu/saucy/iptables
Status: | Superseded |
---|---|
Proposed branch: | lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177 |
Merge into: | lp:ubuntu/saucy/iptables |
Diff against target: | 533 lines (+463/-2), 9 files modified: debian/changelog (+30/-0), debian/control (+1/-0), debian/iptables-dev.install (+1/-0), debian/iptables.install (+2/-0), debian/iptables.manpages (+1/-2), debian/nfnl_osf.8 (+80/-0), debian/patches/0201-iptables-xml_man_section.patch (+8/-0), debian/patches/calling-setsockopt-incorrectly.patch (+338/-0), debian/patches/series (+2/-0) |
To merge this branch: | bzr merge lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177 |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Artur Rona (community) | Needs Resubmitting | ||
Daniel Holbach (community) | Needs Information | ||
Review via email: mp+186913@code.launchpad.net |
This proposal has been superseded by a proposal from 2013-09-26.
Artur Rona (ari-tczew) wrote:
Well, the Ubuntu delta since the last merge is unchanged. These changes have not been dropped and they still remain. I didn't mention them because it's not a standard merge from Debian, where the latest revision would be merged. Rather, it's a 'fake merge' - Debian's revision from snapshot/archive has been merged in order to fix the FTBFS in another package (perlipq). In this case, the 2 lines (in debian/
Also, we're coming to the question: what's worth more? Copying the long d/changelog description of the remaining changes again only for the 2 above-mentioned changed lines, or just describing that it's a non-standard merge? In the next development cycle we can do a normal merge of iptables from Debian unstable, including the mentioned remaining changes in d/changelog.
Sorry for the misunderstanding, but I'm preparing such a 'fake/non-standard' merge for the first time. I'm not sure whether there is documentation for it.
BTW, all of these changes can be dropped when merging the current iptables from Debian unstable.
Unmerged revisions
- 39. By Artur Rona
* Merge changes from Debian, version 1.4.18-1.1 to fix FTBFS
in package perlipq due to missing dependency: (LP: #1228525)
- debian/control
- debian/iptables-dev.install
* Fix unresolved @PACKAGE_VERSION@ in manpage. Cherry-pick from
Debian, version 1.4.20-2: (LP: #1134554)
- debian/iptables.install
- debian/iptables.manpages
- debian/nfnl_osf.8
- 0201-iptables-xml_man_section.patch
* Fix incorrectly calling setsockopt, cherry-pick: (LP: #1187177)
- debian/patches/calling-setsockopt-incorrectly.patch
[ gregor herrmann ]
* Fix "libipq.h includes non-existing linux/netfilter_ipv4/ip_queue.h":
ship /usr/include/linux/netfilter_ipv4/ip_queue.h in iptables-dev;
add Breaks on linux-libc-dev << 3.5
(Closes: #707535)
[ Dominic Hargreaves ]
* Non-maintainer upload
Preview Diff
1 | === modified file 'debian/changelog' |
2 | --- debian/changelog 2013-06-07 09:50:09 +0000 |
3 | +++ debian/changelog 2013-09-21 09:47:55 +0000 |
4 | @@ -1,3 +1,33 @@ |
5 | +iptables (1.4.18-1.1ubuntu1) saucy; urgency=low |
6 | + |
7 | + * Merge changes from Debian, version 1.4.18-1.1 to fix FTBFS |
8 | + in package perlipq due to missing dependecy: (LP: #1228525) |
9 | + - debian/control |
10 | + - debian/iptables-dev.install |
11 | + * Fix unresolved @PACKAGE_VERSION@ in manpage. Cherry-pick from |
12 | + Debian, version 1.4.20-2: (LP: #1134554) |
13 | + - debian/iptables.install |
14 | + - debian/iptables.manpages |
15 | + - debian/nfnl_osf.8 |
16 | + - 0201-iptables-xml_man_section.patch |
17 | + * Fix incorrectly calling setsockopt, cherry-pick: (LP: #1187177) |
18 | + - debian/patches/calling-setsockopt-incorrectly.patch |
19 | + |
20 | + -- Artur Rona <ari-tczew@tlen.pl> Fri, 20 Sep 2013 00:26:08 +0200 |
21 | + |
22 | +iptables (1.4.18-1.1) unstable; urgency=low |
23 | + |
24 | + [ gregor herrmann ] |
25 | + * Fix "libipq.h includes non-existing linux/netfilter_ipv4/ip_queue.h": |
26 | + ship /usr/include/linux/netfilter_ipv4/ip_queue.h in iptables-dev; |
27 | + add Breaks on linux-libc-dev << 3.5 |
28 | + (Closes: #707535) |
29 | + |
30 | + [ Dominic Hargreaves ] |
31 | + * Non-maintainer upload |
32 | + |
33 | + -- Dominic Hargreaves <dom@earth.li> Sat, 13 Jul 2013 16:09:01 +0100 |
34 | + |
35 | iptables (1.4.18-1ubuntu1) saucy; urgency=low |
36 | |
37 | [ Chris J Arges ] |
38 | |
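Review bot: the third bullet of the new 1.4.18-1.1ubuntu1 entry says "Fix incorrectly calling setsockopt", but the patch it lists carries the Description "Add locking to prevent concurrent instances" and adds a -w/--wait option. Word the bullet after what the patch does, so that a reader of the changelog learns that iptables can now exit when another instance holds the lock. "dependecy" in the first bullet should read "dependency". The entry lists no remaining Ubuntu changes either; state here that this is a partial merge of 1.4.18-1.1 and that the existing delta is kept.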
39 | === modified file 'debian/control' |
40 | --- debian/control 2013-06-07 09:50:09 +0000 |
41 | +++ debian/control 2013-09-21 09:47:55 +0000 |
42 | @@ -34,6 +34,7 @@ |
43 | Priority: optional |
44 | Depends: ${misc:Depends}, iptables (=${binary:Version}) |
45 | Conflicts: iptables (<<1.4.2-2) |
46 | +Breaks: linux-libc-dev (<< 3.5) |
47 | Section: devel |
48 | Description: iptables development files |
49 | iptables is used to setup, maintain, and inspect the tables of |
50 | |
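Review bot: the added "Breaks: linux-libc-dev (<< 3.5)" does not by itself let dpkg overwrite a file that the other package still owns. If linux-libc-dev before 3.5 ships the same usr/include/linux/netfilter_ipv4/ip_queue.h that debian/iptables-dev.install now installs, add a matching "Replaces: linux-libc-dev (<< 3.5)" next to it.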
51 | === modified file 'debian/iptables-dev.install' |
52 | --- debian/iptables-dev.install 2013-06-07 09:50:09 +0000 |
53 | +++ debian/iptables-dev.install 2013-09-21 09:47:55 +0000 |
54 | @@ -1,4 +1,5 @@ |
55 | usr/include |
56 | lib/lib*.so |
57 | lib/pkgconfig usr/lib |
58 | +include/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/ |
59 | howtos/netfilter*html usr/share/doc/iptables-dev/html |
60 | |
61 | === modified file 'debian/iptables.install' |
62 | --- debian/iptables.install 2013-06-07 09:50:09 +0000 |
63 | +++ debian/iptables.install 2013-09-21 09:47:55 +0000 |
64 | @@ -5,4 +5,6 @@ |
65 | lib/xtables |
66 | iptables/iptables-apply usr/sbin |
67 | iptables/iptables.xslt usr/share/iptables |
68 | +usr/share/man/man8 |
69 | +usr/share/man/man1 |
70 | howtos/NAT*html debian/tmp/howtos/packet*html usr/share/doc/iptables/html |
71 | |
72 | === modified file 'debian/iptables.manpages' |
73 | --- debian/iptables.manpages 2012-10-28 09:40:00 +0000 |
74 | +++ debian/iptables.manpages 2013-09-21 09:47:55 +0000 |
75 | @@ -1,3 +1,2 @@ |
76 | iptables/*.8 |
77 | -iptables/*.1 |
78 | -utils/*.8 |
79 | +debian/*.8 |
80 | |
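Review bot: the new "debian/*.8" line is a glob over the packaging directory, so any section 8 page later dropped into debian/ is installed without anyone deciding that; name the file, debian/nfnl_osf.8, instead. "iptables/*.8" also stays listed while debian/iptables.install now installs usr/share/man/man8, so check that the same pages are not installed from both places.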
81 | === added file 'debian/nfnl_osf.8' |
82 | --- debian/nfnl_osf.8 1970-01-01 00:00:00 +0000 |
83 | +++ debian/nfnl_osf.8 2013-09-21 09:47:55 +0000 |
84 | @@ -0,0 +1,80 @@ |
85 | +.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) |
86 | +.\" |
87 | +.\" Standard preamble: |
88 | +.\" ======================================================================== |
89 | +.de Sp \" Vertical space (when we can't use .PP) |
90 | +.if t .sp .5v |
91 | +.if n .sp |
92 | +.. |
93 | +.de Vb \" Begin verbatim text |
94 | +.ft CW |
95 | +.nf |
96 | +.ne \\$1 |
97 | +.. |
98 | +.de Ve \" End verbatim text |
99 | +.ft R |
100 | +.fi |
101 | +.. |
102 | +.\" Set up some character translations and predefined strings. \*(-- will |
103 | +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
104 | +.\" double quote, and \*(R" will give a right double quote. \*(C+ will |
105 | +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
106 | +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
107 | +.\" nothing in troff, for use with C<>. |
108 | +.tr \(*W- |
109 | +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
110 | +.ie n \{\ |
111 | +. ds -- \(*W- |
112 | +. ds PI pi |
113 | +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
114 | +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
115 | +. ds L" "" |
116 | +. ds R" "" |
117 | +. ds C` "" |
118 | +. ds C' "" |
119 | +'br\} |
120 | +.el\{\ |
121 | +. ds -- \|\(em\| |
122 | +. ds PI \(*p |
123 | +. ds L" `` |
124 | +. ds R" '' |
125 | +'br\} |
126 | +.\" |
127 | +.\" Escape single quotes in literal strings from groff's Unicode transform. |
128 | +.ie \n(.g .ds Aq \(aq |
129 | +.el .ds Aq ' |
130 | +.\" |
131 | +.\" If the F register is turned on, we'll generate index entries on stderr for |
132 | +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
133 | +.\" entries marked with X<> in POD. Of course, you'll have to process the |
134 | +.\" output yourself in some meaningful fashion. |
135 | +.ie \nF \{\ |
136 | +. de IX |
137 | +. tm Index:\\$1\t\\n%\t"\\$2" |
138 | +.. |
139 | +. nr % 0 |
140 | +. rr F |
141 | +.\} |
142 | +.el \{\ |
143 | +. de IX |
144 | +.. |
145 | +.\} |
146 | +.\" ======================================================================== |
147 | +.\" |
148 | +.IX Title "NFNL_OSF 8" |
149 | +.TH NFNL_OSF 8 "2012-10-27" "nfnl_osf" "nfnl_osf" |
150 | +.\" For nroff, turn off justification. Always turn off hyphenation; it makes |
151 | +.\" way too many mistakes in technical documents. |
152 | +.if n .ad l |
153 | +.nh |
154 | +.SH "NAME" |
155 | +nfnl_osf \- load and unload os fingerprint database |
156 | +.SH "SYNOPSIS" |
157 | +.IX Header "SYNOPSIS" |
158 | +load and unload osf fingerprint database for the netfilter osf extension |
159 | +.SH "DESCRIPTION" |
160 | +.IX Header "DESCRIPTION" |
161 | +nffl_osf has no official man page. Look at the osf module in \fB\f(BIiptables\-extensions\fB\|(8)\fR for more information. |
162 | +.SH "SEE ALSO" |
163 | +.IX Header "SEE ALSO" |
164 | +\&\fIiptables\-extensions\fR\|(8) |
165 | |
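Review bot: the DESCRIPTION text misspells the tool as "nffl_osf"; it should read nfnl_osf, matching NAME and the .TH line. The SYNOPSIS section repeats the one-line description instead of showing an invocation. The file header says the page was generated by Pod::Man, so ship the POD source in debian/ and regenerate from it rather than carrying hand-edited roff.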
166 | === added file 'debian/patches/0201-iptables-xml_man_section.patch' |
167 | --- debian/patches/0201-iptables-xml_man_section.patch 1970-01-01 00:00:00 +0000 |
168 | +++ debian/patches/0201-iptables-xml_man_section.patch 2013-09-21 09:47:55 +0000 |
169 | @@ -0,0 +1,8 @@ |
170 | +--- a/iptables/iptables-xml.1 |
171 | ++++ b/iptables/iptables-xml.1 |
172 | +@@ -1,4 +1,4 @@ |
173 | +-.TH IPTABLES-XML 8 "Jul 16, 2007" "" "" |
174 | ++.TH IPTABLES-XML 1 "Jul 16, 2007" "" "" |
175 | + .\" |
176 | + .\" Man page written by Sam Liddicott <azez@ufomechanic.net> |
177 | + .\" It is based on the iptables-save man page. |
178 | |
179 | === added file 'debian/patches/calling-setsockopt-incorrectly.patch' |
180 | --- debian/patches/calling-setsockopt-incorrectly.patch 1970-01-01 00:00:00 +0000 |
181 | +++ debian/patches/calling-setsockopt-incorrectly.patch 2013-09-21 09:47:55 +0000 |
182 | @@ -0,0 +1,338 @@ |
183 | +From: Artur Rona <ari-tczew@tlen.pl> |
184 | +Description: Add locking to prevent concurrent instances. |
185 | +Bug-Ubuntu: https://launchpad.net/bugs/1187177 |
186 | +Bug-Debian: http://bugs.debian.org/710997 |
187 | +Origin: upstream, http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8 |
188 | + http://git.netfilter.org/iptables/commit/?id=d7aeda5ed45ac7ca959f12180690caa371b5b14b |
189 | +Author: Phil Oester <kernel@linuxace.com>, |
190 | + Pablo Neira Ayuso <pablo@netfilter.org> |
191 | + |
192 | +diff -pruN -x '*~' iptables-1.4.18.orig/include/ip6tables.h iptables-1.4.18/include/ip6tables.h |
193 | +--- iptables-1.4.18.orig/include/ip6tables.h 2013-03-03 22:40:11.000000000 +0100 |
194 | ++++ iptables-1.4.18/include/ip6tables.h 2013-09-21 09:59:39.000000000 +0200 |
195 | +@@ -8,7 +8,7 @@ |
196 | + |
197 | + /* Your shared library should call one of these. */ |
198 | + extern int do_command6(int argc, char *argv[], char **table, |
199 | +- struct xtc_handle **handle); |
200 | ++ struct xtc_handle **handle, bool restore); |
201 | + |
202 | + extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle); |
203 | + extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle); |
204 | +diff -pruN -x '*~' iptables-1.4.18.orig/include/iptables.h iptables-1.4.18/include/iptables.h |
205 | +--- iptables-1.4.18.orig/include/iptables.h 2013-03-03 22:40:11.000000000 +0100 |
206 | ++++ iptables-1.4.18/include/iptables.h 2013-09-21 09:59:39.000000000 +0200 |
207 | +@@ -8,7 +8,7 @@ |
208 | + |
209 | + /* Your shared library should call one of these. */ |
210 | + extern int do_command4(int argc, char *argv[], char **table, |
211 | +- struct xtc_handle **handle); |
212 | ++ struct xtc_handle **handle, bool restore); |
213 | + extern int delete_chain4(const xt_chainlabel chain, int verbose, |
214 | + struct xtc_handle *handle); |
215 | + extern int flush_entries4(const xt_chainlabel chain, int verbose, |
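Review bot: the changed do_command4 prototype now uses bool, but this header gains no #include <stdbool.h>; in the visible hunks only iptables/xshared.h does. Add the include here and in include/ip6tables.h so neither header depends on include order. The comment above the prototype addresses shared libraries that call it, so the extra parameter also breaks any caller outside this tree, which deserves a line in the changelog.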
216 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables.8.in iptables-1.4.18/iptables/ip6tables.8.in |
217 | +--- iptables-1.4.18.orig/iptables/ip6tables.8.in 2013-03-03 22:40:11.000000000 +0100 |
218 | ++++ iptables-1.4.18/iptables/ip6tables.8.in 2013-09-21 09:59:19.000000000 +0200 |
219 | +@@ -363,6 +363,13 @@ For appending, insertion, deletion and r |
220 | + detailed information on the rule or rules to be printed. \fB\-v\fP may be |
221 | + specified multiple times to possibly emit more detailed debug statements. |
222 | + .TP |
223 | ++\fB\-w\fP, \fB\-\-wait\fP |
224 | ++Wait for the xtables lock. |
225 | ++To prevent multiple instances of the program from running concurrently, |
226 | ++an attempt will be made to obtain an exclusive lock at launch. By default, |
227 | ++the program will exit if the lock cannot be obtained. This option will |
228 | ++make the program wait until the exclusive lock can be obtained. |
229 | ++.TP |
230 | + \fB\-n\fP, \fB\-\-numeric\fP |
231 | + Numeric output. |
232 | + IP addresses and port numbers will be printed in numeric format. |
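Review bot: the new -w paragraph says only that multiple instances of "the program" are kept from running concurrently. xtables_lock() lives in xshared.c and uses one name for both tools, so ip6tables and iptables also block each other, and with -w the wait has no upper bound. Say both here and in the identical paragraph in iptables.8.in, and state that without -w the command now fails when the lock is held, since that changes behaviour for existing scripts.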
233 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables.c iptables-1.4.18/iptables/ip6tables.c |
234 | +--- iptables-1.4.18.orig/iptables/ip6tables.c 2013-03-03 22:40:11.000000000 +0100 |
235 | ++++ iptables-1.4.18/iptables/ip6tables.c 2013-09-21 09:59:39.000000000 +0200 |
236 | +@@ -102,6 +102,7 @@ static struct option original_opts[] = { |
237 | + {.name = "numeric", .has_arg = 0, .val = 'n'}, |
238 | + {.name = "out-interface", .has_arg = 1, .val = 'o'}, |
239 | + {.name = "verbose", .has_arg = 0, .val = 'v'}, |
240 | ++ {.name = "wait", .has_arg = 0, .val = 'w'}, |
241 | + {.name = "exact", .has_arg = 0, .val = 'x'}, |
242 | + {.name = "version", .has_arg = 0, .val = 'V'}, |
243 | + {.name = "help", .has_arg = 2, .val = 'h'}, |
244 | +@@ -257,6 +258,7 @@ exit_printhelp(const struct xtables_rule |
245 | + " network interface name ([+] for wildcard)\n" |
246 | + " --table -t table table to manipulate (default: `filter')\n" |
247 | + " --verbose -v verbose mode\n" |
248 | ++" --wait -w wait for the xtables lock\n" |
249 | + " --line-numbers print line numbers when listing\n" |
250 | + " --exact -x expand numbers (display exact values)\n" |
251 | + /*"[!] --fragment -f match second or further fragments only\n"*/ |
252 | +@@ -1284,7 +1286,8 @@ static void command_match(struct iptable |
253 | + m->extra_opts, &m->option_offset); |
254 | + } |
255 | + |
256 | +-int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle) |
257 | ++int do_command6(int argc, char *argv[], char **table, |
258 | ++ struct xtc_handle **handle, bool restore) |
259 | + { |
260 | + struct iptables_command_state cs; |
261 | + struct ip6t_entry *e = NULL; |
262 | +@@ -1293,6 +1296,7 @@ int do_command6(int argc, char *argv[], |
263 | + struct in6_addr *smasks = NULL, *dmasks = NULL; |
264 | + |
265 | + int verbose = 0; |
266 | ++ bool wait = false; |
267 | + const char *chain = NULL; |
268 | + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; |
269 | + const char *policy = NULL, *newname = NULL; |
270 | +@@ -1328,7 +1332,7 @@ int do_command6(int argc, char *argv[], |
271 | + |
272 | + opts = xt_params->orig_opts; |
273 | + while ((cs.c = getopt_long(argc, argv, |
274 | +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:46", |
275 | ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvwnt:m:xc:g:46", |
276 | + opts, NULL)) != -1) { |
277 | + switch (cs.c) { |
278 | + /* |
279 | +@@ -1573,6 +1577,15 @@ int do_command6(int argc, char *argv[], |
280 | + verbose++; |
281 | + break; |
282 | + |
283 | ++ case 'w': |
284 | ++ if (restore) { |
285 | ++ xtables_error(PARAMETER_PROBLEM, |
286 | ++ "You cannot use `-w' from " |
287 | ++ "ip6tables-restore"); |
288 | ++ } |
289 | ++ wait = true; |
290 | ++ break; |
291 | ++ |
292 | + case 'm': |
293 | + command_match(&cs); |
294 | + break; |
295 | +@@ -1724,6 +1737,14 @@ int do_command6(int argc, char *argv[], |
296 | + "chain name `%s' too long (must be under %u chars)", |
297 | + chain, XT_EXTENSION_MAXNAMELEN); |
298 | + |
299 | ++ /* Attempt to acquire the xtables lock */ |
300 | ++ if (!restore && !xtables_lock(wait)) { |
301 | ++ fprintf(stderr, "Another app is currently holding the xtables lock. " |
302 | ++ "Perhaps you want to use the -w option?\n"); |
303 | ++ xtables_free_opts(1); |
304 | ++ exit(RESOURCE_PROBLEM); |
305 | ++ } |
306 | ++ |
307 | + /* only allocate handle if we weren't called with a handle */ |
308 | + if (!*handle) |
309 | + *handle = ip6tc_init(*table); |
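Review bot: the guard "if (!restore && !xtables_lock(wait))" skips the lock whenever restore is true, so ip6tables-restore never takes it and can still run alongside ip6tables; the same holds for do_command4 and iptables-restore further down. If the aim is to serialise all ruleset changes, take the lock once in the restore main functions as well, or document that restore runs are deliberately unlocked.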
310 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables-restore.c iptables-1.4.18/iptables/ip6tables-restore.c |
311 | +--- iptables-1.4.18.orig/iptables/ip6tables-restore.c 2013-03-03 22:40:11.000000000 +0100 |
312 | ++++ iptables-1.4.18/iptables/ip6tables-restore.c 2013-09-21 09:59:39.000000000 +0200 |
313 | +@@ -438,7 +438,7 @@ int ip6tables_restore_main(int argc, cha |
314 | + DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
315 | + |
316 | + ret = do_command6(newargc, newargv, |
317 | +- &newargv[2], &handle); |
318 | ++ &newargv[2], &handle, true); |
319 | + |
320 | + free_argv(); |
321 | + fflush(stdout); |
322 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables-standalone.c iptables-1.4.18/iptables/ip6tables-standalone.c |
323 | +--- iptables-1.4.18.orig/iptables/ip6tables-standalone.c 2013-03-03 22:40:11.000000000 +0100 |
324 | ++++ iptables-1.4.18/iptables/ip6tables-standalone.c 2013-09-21 09:59:39.000000000 +0200 |
325 | +@@ -58,7 +58,7 @@ ip6tables_main(int argc, char *argv[]) |
326 | + init_extensions6(); |
327 | + #endif |
328 | + |
329 | +- ret = do_command6(argc, argv, &table, &handle); |
330 | ++ ret = do_command6(argc, argv, &table, &handle, false); |
331 | + if (ret) { |
332 | + ret = ip6tc_commit(handle); |
333 | + ip6tc_free(handle); |
334 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables.8.in iptables-1.4.18/iptables/iptables.8.in |
335 | +--- iptables-1.4.18.orig/iptables/iptables.8.in 2013-03-03 22:40:11.000000000 +0100 |
336 | ++++ iptables-1.4.18/iptables/iptables.8.in 2013-09-21 09:59:19.000000000 +0200 |
337 | +@@ -351,6 +351,13 @@ For appending, insertion, deletion and r |
338 | + detailed information on the rule or rules to be printed. \fB\-v\fP may be |
339 | + specified multiple times to possibly emit more detailed debug statements. |
340 | + .TP |
341 | ++\fB\-w\fP, \fB\-\-wait\fP |
342 | ++Wait for the xtables lock. |
343 | ++To prevent multiple instances of the program from running concurrently, |
344 | ++an attempt will be made to obtain an exclusive lock at launch. By default, |
345 | ++the program will exit if the lock cannot be obtained. This option will |
346 | ++make the program wait until the exclusive lock can be obtained. |
347 | ++.TP |
348 | + \fB\-n\fP, \fB\-\-numeric\fP |
349 | + Numeric output. |
350 | + IP addresses and port numbers will be printed in numeric format. |
351 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables.c iptables-1.4.18/iptables/iptables.c |
352 | +--- iptables-1.4.18.orig/iptables/iptables.c 2013-03-03 22:40:11.000000000 +0100 |
353 | ++++ iptables-1.4.18/iptables/iptables.c 2013-09-21 09:59:39.000000000 +0200 |
354 | +@@ -99,6 +99,7 @@ static struct option original_opts[] = { |
355 | + {.name = "numeric", .has_arg = 0, .val = 'n'}, |
356 | + {.name = "out-interface", .has_arg = 1, .val = 'o'}, |
357 | + {.name = "verbose", .has_arg = 0, .val = 'v'}, |
358 | ++ {.name = "wait", .has_arg = 0, .val = 'w'}, |
359 | + {.name = "exact", .has_arg = 0, .val = 'x'}, |
360 | + {.name = "fragments", .has_arg = 0, .val = 'f'}, |
361 | + {.name = "version", .has_arg = 0, .val = 'V'}, |
362 | +@@ -251,6 +252,7 @@ exit_printhelp(const struct xtables_rule |
363 | + " network interface name ([+] for wildcard)\n" |
364 | + " --table -t table table to manipulate (default: `filter')\n" |
365 | + " --verbose -v verbose mode\n" |
366 | ++" --wait -w wait for the xtables lock\n" |
367 | + " --line-numbers print line numbers when listing\n" |
368 | + " --exact -x expand numbers (display exact values)\n" |
369 | + "[!] --fragment -f match second or further fragments only\n" |
370 | +@@ -1280,7 +1282,8 @@ static void command_match(struct iptable |
371 | + xtables_error(OTHER_PROBLEM, "can't alloc memory!"); |
372 | + } |
373 | + |
374 | +-int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle) |
375 | ++int do_command4(int argc, char *argv[], char **table, |
376 | ++ struct xtc_handle **handle, bool restore) |
377 | + { |
378 | + struct iptables_command_state cs; |
379 | + struct ipt_entry *e = NULL; |
380 | +@@ -1289,6 +1292,7 @@ int do_command4(int argc, char *argv[], |
381 | + struct in_addr *daddrs = NULL, *dmasks = NULL; |
382 | + |
383 | + int verbose = 0; |
384 | ++ bool wait = false; |
385 | + const char *chain = NULL; |
386 | + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; |
387 | + const char *policy = NULL, *newname = NULL; |
388 | +@@ -1324,7 +1328,7 @@ int do_command4(int argc, char *argv[], |
389 | + |
390 | + opts = xt_params->orig_opts; |
391 | + while ((cs.c = getopt_long(argc, argv, |
392 | +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46", |
393 | ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvwnt:m:xc:g:46", |
394 | + opts, NULL)) != -1) { |
395 | + switch (cs.c) { |
396 | + /* |
397 | +@@ -1567,6 +1571,15 @@ int do_command4(int argc, char *argv[], |
398 | + verbose++; |
399 | + break; |
400 | + |
401 | ++ case 'w': |
402 | ++ if (restore) { |
403 | ++ xtables_error(PARAMETER_PROBLEM, |
404 | ++ "You cannot use `-w' from " |
405 | ++ "iptables-restore"); |
406 | ++ } |
407 | ++ wait = true; |
408 | ++ break; |
409 | ++ |
410 | + case 'm': |
411 | + command_match(&cs); |
412 | + break; |
413 | +@@ -1721,6 +1734,14 @@ int do_command4(int argc, char *argv[], |
414 | + "chain name `%s' too long (must be under %u chars)", |
415 | + chain, XT_EXTENSION_MAXNAMELEN); |
416 | + |
417 | ++ /* Attempt to acquire the xtables lock */ |
418 | ++ if (!restore && !xtables_lock(wait)) { |
419 | ++ fprintf(stderr, "Another app is currently holding the xtables lock. " |
420 | ++ "Perhaps you want to use the -w option?\n"); |
421 | ++ xtables_free_opts(1); |
422 | ++ exit(RESOURCE_PROBLEM); |
423 | ++ } |
424 | ++ |
425 | + /* only allocate handle if we weren't called with a handle */ |
426 | + if (!*handle) |
427 | + *handle = iptc_init(*table); |
428 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables-restore.c iptables-1.4.18/iptables/iptables-restore.c |
429 | +--- iptables-1.4.18.orig/iptables/iptables-restore.c 2013-03-03 22:40:11.000000000 +0100 |
430 | ++++ iptables-1.4.18/iptables/iptables-restore.c 2013-09-21 09:59:39.000000000 +0200 |
431 | +@@ -438,7 +438,7 @@ iptables_restore_main(int argc, char *ar |
432 | + DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
433 | + |
434 | + ret = do_command4(newargc, newargv, |
435 | +- &newargv[2], &handle); |
436 | ++ &newargv[2], &handle, true); |
437 | + |
438 | + free_argv(); |
439 | + fflush(stdout); |
440 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables-standalone.c iptables-1.4.18/iptables/iptables-standalone.c |
441 | +--- iptables-1.4.18.orig/iptables/iptables-standalone.c 2013-03-03 22:40:11.000000000 +0100 |
442 | ++++ iptables-1.4.18/iptables/iptables-standalone.c 2013-09-21 09:59:39.000000000 +0200 |
443 | +@@ -58,7 +58,7 @@ iptables_main(int argc, char *argv[]) |
444 | + init_extensions4(); |
445 | + #endif |
446 | + |
447 | +- ret = do_command4(argc, argv, &table, &handle); |
448 | ++ ret = do_command4(argc, argv, &table, &handle, false); |
449 | + if (ret) { |
450 | + ret = iptc_commit(handle); |
451 | + iptc_free(handle); |
452 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/xshared.c iptables-1.4.18/iptables/xshared.c |
453 | +--- iptables-1.4.18.orig/iptables/xshared.c 2013-03-03 22:40:11.000000000 +0100 |
454 | ++++ iptables-1.4.18/iptables/xshared.c 2013-09-21 09:59:19.000000000 +0200 |
455 | +@@ -6,9 +6,15 @@ |
456 | + #include <stdio.h> |
457 | + #include <stdlib.h> |
458 | + #include <string.h> |
459 | ++#include <sys/socket.h> |
460 | ++#include <sys/un.h> |
461 | ++#include <unistd.h> |
462 | + #include <xtables.h> |
463 | + #include "xshared.h" |
464 | + |
465 | ++#define XT_SOCKET_NAME "xtables" |
466 | ++#define XT_SOCKET_LEN 8 |
467 | ++ |
468 | + /* |
469 | + * Print out any special helps. A user might like to be able to add a --help |
470 | + * to the commandline, and see expected results. So we call help for all |
471 | +@@ -236,3 +242,30 @@ void xs_init_match(struct xtables_match |
472 | + if (match->init != NULL) |
473 | + match->init(match->m); |
474 | + } |
475 | ++ |
476 | ++bool xtables_lock(bool wait) |
477 | ++{ |
478 | ++ int i = 0, ret, xt_socket; |
479 | ++ struct sockaddr_un xt_addr; |
480 | ++ |
481 | ++ memset(&xt_addr, 0, sizeof(xt_addr)); |
482 | ++ xt_addr.sun_family = AF_UNIX; |
483 | ++ strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME); |
484 | ++ xt_socket = socket(AF_UNIX, SOCK_STREAM, 0); |
485 | ++ /* If we can't even create a socket, fall back to prior (lockless) behavior */ |
486 | ++ if (xt_socket < 0) |
487 | ++ return true; |
488 | ++ |
489 | ++ while (1) { |
490 | ++ ret = bind(xt_socket, (struct sockaddr*)&xt_addr, |
491 | ++ offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN); |
492 | ++ if (ret == 0) |
493 | ++ return true; |
494 | ++ else if (wait == false) |
495 | ++ return false; |
496 | ++ if (++i % 2 == 0) |
497 | ++ fprintf(stderr, "Another app is currently holding the xtables lock; " |
498 | ++ "waiting for it to exit...\n"); |
499 | ++ sleep(1); |
500 | ++ } |
501 | ++} |
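Review bot: xtables_lock() binds an abstract Unix socket (sun_path+1, name "xtables"), and abstract names carry no file permissions, so taking the lock is not limited to privileged users and an unrelated local process holding the name blocks firewall updates: iptables fails without -w and, in the while (1) loop, waits without limit with -w. A lock that requires privileges to take, such as flock() on a root-owned file, avoids that, and the wait should have a timeout. The loop also treats every bind() failure as "lock held"; check errno for EADDRINUSE and report other errors. offsetof() is used but <stddef.h> is not among the includes added above, and a comment should say that the descriptor is left open on purpose so the lock lasts until the process exits.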
502 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/xshared.h iptables-1.4.18/iptables/xshared.h |
503 | +--- iptables-1.4.18.orig/iptables/xshared.h 2013-03-03 22:40:11.000000000 +0100 |
504 | ++++ iptables-1.4.18/iptables/xshared.h 2013-09-21 09:59:19.000000000 +0200 |
505 | +@@ -2,6 +2,7 @@ |
506 | + #define IPTABLES_XSHARED_H 1 |
507 | + |
508 | + #include <limits.h> |
509 | ++#include <stdbool.h> |
510 | + #include <stdint.h> |
511 | + #include <netinet/in.h> |
512 | + #include <net/if.h> |
513 | +@@ -83,6 +84,7 @@ extern struct xtables_match *load_proto( |
514 | + extern int subcmd_main(int, char **, const struct subcommand *); |
515 | + extern void xs_init_target(struct xtables_target *); |
516 | + extern void xs_init_match(struct xtables_match *); |
517 | ++extern bool xtables_lock(bool wait); |
518 | + |
519 | + extern const struct xtables_afinfo *afinfo; |
520 | + |
521 | |
522 | === modified file 'debian/patches/series' |
523 | --- debian/patches/series 2013-06-07 09:50:09 +0000 |
524 | +++ debian/patches/series 2013-09-21 09:47:55 +0000 |
525 | @@ -1,6 +1,8 @@ |
526 | 0101-changelog.patch |
527 | 0102-add_manpages.patch |
528 | +0201-iptables-xml_man_section.patch |
529 | 0503-extension_cppflags.patch |
530 | 0504-configure_dccp_ipvs.patch |
531 | 9000-howtos.patch |
532 | 9002-libxt_recent-Add-support-for-reap-option.patch |
533 | +calling-setsockopt-incorrectly.patch |
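Review bot: the last added line, calling-setsockopt-incorrectly.patch, has no numeric prefix, unlike every other entry in this series file, and the file name says nothing about locking, which is what the patch adds. Rename it to follow the existing numbering scheme and to describe its content, so that order and purpose can be read from the series file.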
Thanks for your work on this.
It seems you're not mentioning the Ubuntu changes from the last merge. Were they all dropped? Are they still relevant?
+ - debian/control: add linuxdoc-tools dep, remove libipq references
+ - debian/rules: compile with --disable-libipq
+ - 9000-howtos.patch: add howtos/ and install them
+ - 9002-libxt_recent-Add-support-for-reap-option.patch: Some changes are
+ upstream, patch needed for additional reap option checks.
+ - debian/iptables.install: install NAT and packetfilter howtos into
+ /usr/share/doc
+ - debian/iptables-dev.doc-base.netfilter-extensions,
+ debian/iptables-dev.doc-base.netfilter-hacking,
+ debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter:
+ add howtos
+ - debian/iptables-dev.install: remove usr/share/man/man3 only used with
+ libipq manpages