Merge lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177 into lp:ubuntu/saucy/iptables

Proposed by Artur Rona
Status: Superseded
Proposed branch: lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177
Merge into: lp:ubuntu/saucy/iptables
Diff against target: 533 lines (+463/-2)
9 files modified
debian/changelog (+30/-0)
debian/control (+1/-0)
debian/iptables-dev.install (+1/-0)
debian/iptables.install (+2/-0)
debian/iptables.manpages (+1/-2)
debian/nfnl_osf.8 (+80/-0)
debian/patches/0201-iptables-xml_man_section.patch (+8/-0)
debian/patches/calling-setsockopt-incorrectly.patch (+338/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177
Reviewer Review Type Date Requested Status
Artur Rona (community) Needs Resubmitting
Daniel Holbach (community) Needs Information
Review via email: mp+186913@code.launchpad.net

This proposal has been superseded by a proposal from 2013-09-26.

Revision history for this message
Daniel Holbach (dholbach) wrote :

Thanks for your work on this.

It seems you're not mentioning the Ubuntu changes from the last merge. Were they all dropped? Are they still relevant?

+ - debian/control: add linuxdoc-tools dep, remove libipq references
+ - debian/rules: compile with --disable-libipq
+ - 9000-howtos.patch: add howtos/ and install them
+ - 9002-libxt_recent-Add-support-for-reap-option.patch: Some changes are
+ upstream, patch needed for additional reap option checks.
+ - debian/iptables.install: install NAT and packetfilter howtos into
+ /usr/share/doc
+ - debian/iptables-dev.doc-base.netfilter-extensions,
+ debian/iptables-dev.doc-base.netfilter-hacking,
+ debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter:
+ add howtos
+ - debian/iptables-dev.install: remove usr/share/man/man3 only used with
+ libipq manpages

review: Needs Information
Revision history for this message
Artur Rona (ari-tczew) wrote :

Well, the Ubuntu delta since the last merge is unchanged. These changes have not been dropped and they still remain. I didn't mention them, because it's not a standard merge from Debian, where the latest revision is merged. Instead it's a 'fake merge': Debian's revision from snapshot/archive has been merged to fix an FTBFS in another package (perlipq). In this case, the 2 lines (in debian/{control;iptables-dev.install}) have been changed. Then I've added the following changes to fix the next 2 bugs.
Also, we're coming to the question: what's worth more? Copying the long d/changelog description of the remaining changes again, only for the 2 changed lines mentioned above, or just describing that it's a non-standard merge? In the next development cycle we can do a normal merge of iptables from Debian unstable, including the mentioned remaining changes in d/changelog.

Sorry for the misunderstanding, but I'm preparing such a 'fake/non-standard' merge for the first time. I'm not sure whether there is documentation for it.

BTW, the whole set of changes can be dropped while merging current iptables from Debian unstable.

review: Needs Resubmitting

Unmerged revisions

39. By Artur Rona

* Merge changes from Debian, version 1.4.18-1.1 to fix FTBFS
  in package perlipq due to missing dependency: (LP: #1228525)
  - debian/control
  - debian/iptables-dev.install
* Fix unresolved @PACKAGE_VERSION@ in manpage. Cherry-pick from
  Debian, version 1.4.20-2: (LP: #1134554)
  - debian/iptables.install
  - debian/iptables.manpages
  - debian/nfnl_osf.8
  - 0201-iptables-xml_man_section.patch
* Fix incorrectly calling setsockopt, cherry-pick: (LP: #1187177)
  - debian/patches/calling-setsockopt-incorrectly.patch
[ gregor herrmann ]
* Fix "libipq.h includes non-existing linux/netfilter_ipv4/ip_queue.h":
  ship /usr/include/linux/netfilter_ipv4/ip_queue.h in iptables-dev;
  add Breaks on linux-libc-dev << 3.5
  (Closes: #707535)
[ Dominic Hargreaves ]
* Non-maintainer upload

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2013-06-07 09:50:09 +0000
3+++ debian/changelog 2013-09-21 09:47:55 +0000
4@@ -1,3 +1,33 @@
5+iptables (1.4.18-1.1ubuntu1) saucy; urgency=low
6+
7+ * Merge changes from Debian, version 1.4.18-1.1 to fix FTBFS
8+ in package perlipq due to missing dependecy: (LP: #1228525)
9+ - debian/control
10+ - debian/iptables-dev.install
11+ * Fix unresolved @PACKAGE_VERSION@ in manpage. Cherry-pick from
12+ Debian, version 1.4.20-2: (LP: #1134554)
13+ - debian/iptables.install
14+ - debian/iptables.manpages
15+ - debian/nfnl_osf.8
16+ - 0201-iptables-xml_man_section.patch
17+ * Fix incorrectly calling setsockopt, cherry-pick: (LP: #1187177)
18+ - debian/patches/calling-setsockopt-incorrectly.patch
19+
20+ -- Artur Rona <ari-tczew@tlen.pl> Fri, 20 Sep 2013 00:26:08 +0200
21+
22+iptables (1.4.18-1.1) unstable; urgency=low
23+
24+ [ gregor herrmann ]
25+ * Fix "libipq.h includes non-existing linux/netfilter_ipv4/ip_queue.h":
26+ ship /usr/include/linux/netfilter_ipv4/ip_queue.h in iptables-dev;
27+ add Breaks on linux-libc-dev << 3.5
28+ (Closes: #707535)
29+
30+ [ Dominic Hargreaves ]
31+ * Non-maintainer upload
32+
33+ -- Dominic Hargreaves <dom@earth.li> Sat, 13 Jul 2013 16:09:01 +0100
34+
35 iptables (1.4.18-1ubuntu1) saucy; urgency=low
36
37 [ Chris J Arges ]
38
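Review bot: typo in the new Ubuntu entry, "dependecy" should be "dependency" in the line `+ in package perlipq due to missing dependecy: (LP: #1228525)`. Since this is a fake merge that deliberately keeps the existing Ubuntu delta from 1.4.18-1ubuntu1, the entry should also say so in one sentence (or carry the usual "Remaining changes" list); as written, a later merger cannot tell from the changelog alone whether the delta was dropped or kept, which is exactly the question raised in review.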
39=== modified file 'debian/control'
40--- debian/control 2013-06-07 09:50:09 +0000
41+++ debian/control 2013-09-21 09:47:55 +0000
42@@ -34,6 +34,7 @@
43 Priority: optional
44 Depends: ${misc:Depends}, iptables (=${binary:Version})
45 Conflicts: iptables (<<1.4.2-2)
46+Breaks: linux-libc-dev (<< 3.5)
47 Section: devel
48 Description: iptables development files
49 iptables is used to setup, maintain, and inspect the tables of
50
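Review bot: `Breaks: linux-libc-dev (<< 3.5)` is added without a matching `Replaces`. That is only sufficient if linux-libc-dev >= 3.5 no longer ships /usr/include/linux/netfilter_ipv4/ip_queue.h, the file that iptables-dev starts installing in this merge; if any supported kernel header package still contains it, dpkg refuses to unpack iptables-dev with a file conflict and `Replaces: linux-libc-dev (<< 3.5)` is needed as well. Worth checking on a saucy system with `dpkg -S /usr/include/linux/netfilter_ipv4/ip_queue.h` before upload.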
51=== modified file 'debian/iptables-dev.install'
52--- debian/iptables-dev.install 2013-06-07 09:50:09 +0000
53+++ debian/iptables-dev.install 2013-09-21 09:47:55 +0000
54@@ -1,4 +1,5 @@
55 usr/include
56 lib/lib*.so
57 lib/pkgconfig usr/lib
58+include/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/
59 howtos/netfilter*html usr/share/doc/iptables-dev/html
60
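Review bot: the new source path `include/linux/netfilter_ipv4/ip_queue.h` is relative to the unpacked source tree rather than debian/tmp, so this line relies on dh_install's fallback search of the current directory; that works, but it means the file is copied straight from the tarball rather than from `make install` output. Confirm the header is present at that path in the 1.4.18 tarball (dh_install fails the build if it is not) and that the Ubuntu delta's `--disable-libipq` does not remove it from the tree.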
61=== modified file 'debian/iptables.install'
62--- debian/iptables.install 2013-06-07 09:50:09 +0000
63+++ debian/iptables.install 2013-09-21 09:47:55 +0000
64@@ -5,4 +5,6 @@
65 lib/xtables
66 iptables/iptables-apply usr/sbin
67 iptables/iptables.xslt usr/share/iptables
68+usr/share/man/man8
69+usr/share/man/man1
70 howtos/NAT*html debian/tmp/howtos/packet*html usr/share/doc/iptables/html
71
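Review bot: installing `usr/share/man/man8` and `usr/share/man/man1` wholesale from debian/tmp overlaps with debian/iptables.manpages, which still lists `iptables/*.8` for dh_installman. The same iptables.8 and ip6tables.8 are therefore installed twice and whichever helper runs last in debian/rules wins; if that is the unprocessed source copy, the unresolved @PACKAGE_VERSION@ this change is meant to fix comes straight back. Either drop `iptables/*.8` from the manpages file or grep the man pages in the built .deb for `@PACKAGE_VERSION@` (they are gzipped, so zgrep) before considering LP: #1134554 fixed.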
72=== modified file 'debian/iptables.manpages'
73--- debian/iptables.manpages 2012-10-28 09:40:00 +0000
74+++ debian/iptables.manpages 2013-09-21 09:47:55 +0000
75@@ -1,3 +1,2 @@
76 iptables/*.8
77-iptables/*.1
78-utils/*.8
79+debian/*.8
80
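Review bot: with `iptables/*.1` and `utils/*.8` removed, iptables-xml.1 now reaches the package only through `usr/share/man/man1` in debian/iptables.install, and nfnl_osf.8 only through the new `debian/*.8`. The directory a page lands in is decided by upstream's install rule, not by the `.TH` section that 0201-iptables-xml_man_section.patch edits, so please check that the 1.4.18 build really puts iptables-xml.1 under man1; otherwise the iptables-xml man page silently disappears from the package.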
81=== added file 'debian/nfnl_osf.8'
82--- debian/nfnl_osf.8 1970-01-01 00:00:00 +0000
83+++ debian/nfnl_osf.8 2013-09-21 09:47:55 +0000
84@@ -0,0 +1,80 @@
85+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
86+.\"
87+.\" Standard preamble:
88+.\" ========================================================================
89+.de Sp \" Vertical space (when we can't use .PP)
90+.if t .sp .5v
91+.if n .sp
92+..
93+.de Vb \" Begin verbatim text
94+.ft CW
95+.nf
96+.ne \\$1
97+..
98+.de Ve \" End verbatim text
99+.ft R
100+.fi
101+..
102+.\" Set up some character translations and predefined strings. \*(-- will
103+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
104+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
105+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
106+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
107+.\" nothing in troff, for use with C<>.
108+.tr \(*W-
109+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
110+.ie n \{\
111+. ds -- \(*W-
112+. ds PI pi
113+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
114+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
115+. ds L" ""
116+. ds R" ""
117+. ds C` ""
118+. ds C' ""
119+'br\}
120+.el\{\
121+. ds -- \|\(em\|
122+. ds PI \(*p
123+. ds L" ``
124+. ds R" ''
125+'br\}
126+.\"
127+.\" Escape single quotes in literal strings from groff's Unicode transform.
128+.ie \n(.g .ds Aq \(aq
129+.el .ds Aq '
130+.\"
131+.\" If the F register is turned on, we'll generate index entries on stderr for
132+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
133+.\" entries marked with X<> in POD. Of course, you'll have to process the
134+.\" output yourself in some meaningful fashion.
135+.ie \nF \{\
136+. de IX
137+. tm Index:\\$1\t\\n%\t"\\$2"
138+..
139+. nr % 0
140+. rr F
141+.\}
142+.el \{\
143+. de IX
144+..
145+.\}
146+.\" ========================================================================
147+.\"
148+.IX Title "NFNL_OSF 8"
149+.TH NFNL_OSF 8 "2012-10-27" "nfnl_osf" "nfnl_osf"
150+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
151+.\" way too many mistakes in technical documents.
152+.if n .ad l
153+.nh
154+.SH "NAME"
155+nfnl_osf \- load and unload os fingerprint database
156+.SH "SYNOPSIS"
157+.IX Header "SYNOPSIS"
158+load and unload osf fingerprint database for the netfilter osf extension
159+.SH "DESCRIPTION"
160+.IX Header "DESCRIPTION"
161+nffl_osf has no official man page. Look at the osf module in \fB\f(BIiptables\-extensions\fB\|(8)\fR for more information.
162+.SH "SEE ALSO"
163+.IX Header "SEE ALSO"
164+\&\fIiptables\-extensions\fR\|(8)
165
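Review bot: typo in DESCRIPTION, "nffl_osf" should be "nfnl_osf". SYNOPSIS also repeats the one-line description instead of showing how the program is invoked; since the page itself says there is no official man page, either reduce SYNOPSIS to the bare program name or copy the invocation from the program's usage output rather than inventing one. Minor: the 70-odd lines of Pod::Man preamble suggest this was generated from a .pod; shipping the .pod in debian/ and generating the page at build time would keep it editable.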
166=== added file 'debian/patches/0201-iptables-xml_man_section.patch'
167--- debian/patches/0201-iptables-xml_man_section.patch 1970-01-01 00:00:00 +0000
168+++ debian/patches/0201-iptables-xml_man_section.patch 2013-09-21 09:47:55 +0000
169@@ -0,0 +1,8 @@
170+--- a/iptables/iptables-xml.1
171++++ b/iptables/iptables-xml.1
172+@@ -1,4 +1,4 @@
173+-.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
174++.TH IPTABLES-XML 1 "Jul 16, 2007" "" ""
175+ .\"
176+ .\" Man page written by Sam Liddicott <azez@ufomechanic.net>
177+ .\" It is based on the iptables-save man page.
178
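Review bot: this patch has no DEP-3 header, unlike calling-setsockopt-incorrectly.patch below. The changelog calls it a cherry-pick from Debian 1.4.20-2 for LP: #1134554, so add at least `Description:`, `Origin: vendor, Debian 1.4.20-2` and `Bug-Ubuntu: https://launchpad.net/bugs/1134554` so the next merger knows it can be dropped once Ubuntu is on 1.4.20 or later. The content itself is fine: the file is named `.1` but its `.TH` line claimed section 8, which is what man and the section-based install rule disagree about.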
179=== added file 'debian/patches/calling-setsockopt-incorrectly.patch'
180--- debian/patches/calling-setsockopt-incorrectly.patch 1970-01-01 00:00:00 +0000
181+++ debian/patches/calling-setsockopt-incorrectly.patch 2013-09-21 09:47:55 +0000
182@@ -0,0 +1,338 @@
183+From: Artur Rona <ari-tczew@tlen.pl>
184+Description: Add locking to prevent concurrent instances.
185+Bug-Ubuntu: https://launchpad.net/bugs/1187177
186+Bug-Debian: http://bugs.debian.org/710997
187+Origin: upstream, http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
188+ http://git.netfilter.org/iptables/commit/?id=d7aeda5ed45ac7ca959f12180690caa371b5b14b
189+Author: Phil Oester <kernel@linuxace.com>,
190+ Pablo Neira Ayuso <pablo@netfilter.org>
191+
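Review bot: the DEP-3 header is inconsistent with itself and with the file name. `From:` names the Ubuntu packager while `Author:` names the upstream authors, but in DEP-3 `From` and `Author` are synonyms for the patch author, so one of them is wrong; keep the upstream authors there and credit the backport in the `Description:` text. The file is named after the symptom (calling-setsockopt-incorrectly) while `Description:` describes the fix (locking to prevent concurrent instances); naming the file after the upstream commit subject, and listing both commit subjects in `Description:` so a reader knows what the second commit adds on top of the first, would make the series self-explanatory.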
192+diff -pruN -x '*~' iptables-1.4.18.orig/include/ip6tables.h iptables-1.4.18/include/ip6tables.h
193+--- iptables-1.4.18.orig/include/ip6tables.h 2013-03-03 22:40:11.000000000 +0100
194++++ iptables-1.4.18/include/ip6tables.h 2013-09-21 09:59:39.000000000 +0200
195+@@ -8,7 +8,7 @@
196+
197+ /* Your shared library should call one of these. */
198+ extern int do_command6(int argc, char *argv[], char **table,
199+- struct xtc_handle **handle);
200++ struct xtc_handle **handle, bool restore);
201+
202+ extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle);
203+ extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle);
204+diff -pruN -x '*~' iptables-1.4.18.orig/include/iptables.h iptables-1.4.18/include/iptables.h
205+--- iptables-1.4.18.orig/include/iptables.h 2013-03-03 22:40:11.000000000 +0100
206++++ iptables-1.4.18/include/iptables.h 2013-09-21 09:59:39.000000000 +0200
207+@@ -8,7 +8,7 @@
208+
209+ /* Your shared library should call one of these. */
210+ extern int do_command4(int argc, char *argv[], char **table,
211+- struct xtc_handle **handle);
212++ struct xtc_handle **handle, bool restore);
213+ extern int delete_chain4(const xt_chainlabel chain, int verbose,
214+ struct xtc_handle *handle);
215+ extern int flush_entries4(const xt_chainlabel chain, int verbose,
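Review bot: these two hunks change the exported prototypes of do_command4 and do_command6 (the comment "Your shared library should call one of these" marks them as external entry points). If include/iptables.h and include/ip6tables.h are among the headers installed under usr/include, and so shipped by iptables-dev, this is an API change for anything on saucy built against iptables-dev, which is unusual for a cherry-pick into a release. Also note that the new parameter uses `bool` while neither hunk adds `#include <stdbool.h>` to the header; this compiles only because `<xtables.h>` already pulls it in, so it is worth a comment or an explicit include.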
216+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables.8.in iptables-1.4.18/iptables/ip6tables.8.in
217+--- iptables-1.4.18.orig/iptables/ip6tables.8.in 2013-03-03 22:40:11.000000000 +0100
218++++ iptables-1.4.18/iptables/ip6tables.8.in 2013-09-21 09:59:19.000000000 +0200
219+@@ -363,6 +363,13 @@ For appending, insertion, deletion and r
220+ detailed information on the rule or rules to be printed. \fB\-v\fP may be
221+ specified multiple times to possibly emit more detailed debug statements.
222+ .TP
223++\fB\-w\fP, \fB\-\-wait\fP
224++Wait for the xtables lock.
225++To prevent multiple instances of the program from running concurrently,
226++an attempt will be made to obtain an exclusive lock at launch. By default,
227++the program will exit if the lock cannot be obtained. This option will
228++make the program wait until the exclusive lock can be obtained.
229++.TP
230+ \fB\-n\fP, \fB\-\-numeric\fP
231+ Numeric output.
232+ IP addresses and port numbers will be printed in numeric format.
233+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables.c iptables-1.4.18/iptables/ip6tables.c
234+--- iptables-1.4.18.orig/iptables/ip6tables.c 2013-03-03 22:40:11.000000000 +0100
235++++ iptables-1.4.18/iptables/ip6tables.c 2013-09-21 09:59:39.000000000 +0200
236+@@ -102,6 +102,7 @@ static struct option original_opts[] = {
237+ {.name = "numeric", .has_arg = 0, .val = 'n'},
238+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
239+ {.name = "verbose", .has_arg = 0, .val = 'v'},
240++ {.name = "wait", .has_arg = 0, .val = 'w'},
241+ {.name = "exact", .has_arg = 0, .val = 'x'},
242+ {.name = "version", .has_arg = 0, .val = 'V'},
243+ {.name = "help", .has_arg = 2, .val = 'h'},
244+@@ -257,6 +258,7 @@ exit_printhelp(const struct xtables_rule
245+ " network interface name ([+] for wildcard)\n"
246+ " --table -t table table to manipulate (default: `filter')\n"
247+ " --verbose -v verbose mode\n"
248++" --wait -w wait for the xtables lock\n"
249+ " --line-numbers print line numbers when listing\n"
250+ " --exact -x expand numbers (display exact values)\n"
251+ /*"[!] --fragment -f match second or further fragments only\n"*/
252+@@ -1284,7 +1286,8 @@ static void command_match(struct iptable
253+ m->extra_opts, &m->option_offset);
254+ }
255+
256+-int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle)
257++int do_command6(int argc, char *argv[], char **table,
258++ struct xtc_handle **handle, bool restore)
259+ {
260+ struct iptables_command_state cs;
261+ struct ip6t_entry *e = NULL;
262+@@ -1293,6 +1296,7 @@ int do_command6(int argc, char *argv[],
263+ struct in6_addr *smasks = NULL, *dmasks = NULL;
264+
265+ int verbose = 0;
266++ bool wait = false;
267+ const char *chain = NULL;
268+ const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
269+ const char *policy = NULL, *newname = NULL;
270+@@ -1328,7 +1332,7 @@ int do_command6(int argc, char *argv[],
271+
272+ opts = xt_params->orig_opts;
273+ while ((cs.c = getopt_long(argc, argv,
274+- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:46",
275++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvwnt:m:xc:g:46",
276+ opts, NULL)) != -1) {
277+ switch (cs.c) {
278+ /*
279+@@ -1573,6 +1577,15 @@ int do_command6(int argc, char *argv[],
280+ verbose++;
281+ break;
282+
283++ case 'w':
284++ if (restore) {
285++ xtables_error(PARAMETER_PROBLEM,
286++ "You cannot use `-w' from "
287++ "ip6tables-restore");
288++ }
289++ wait = true;
290++ break;
291++
292+ case 'm':
293+ command_match(&cs);
294+ break;
295+@@ -1724,6 +1737,14 @@ int do_command6(int argc, char *argv[],
296+ "chain name `%s' too long (must be under %u chars)",
297+ chain, XT_EXTENSION_MAXNAMELEN);
298+
299++ /* Attempt to acquire the xtables lock */
300++ if (!restore && !xtables_lock(wait)) {
301++ fprintf(stderr, "Another app is currently holding the xtables lock. "
302++ "Perhaps you want to use the -w option?\n");
303++ xtables_free_opts(1);
304++ exit(RESOURCE_PROBLEM);
305++ }
306++
307+ /* only allocate handle if we weren't called with a handle */
308+ if (!*handle)
309+ *handle = ip6tc_init(*table);
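Review bot: the lock is skipped entirely when `restore` is true, so ip6tables-restore (and iptables-restore in the identical hunk in iptables.c below) never takes the xtables lock and still races against a concurrently running ip6tables; the only restore-related change is that `-w` is rejected. That should be stated in the patch description, since the bug this fixes is exactly the concurrent-instance case and a restore during boot is the most common concurrent caller. Smaller point: on lock failure the process exits with `RESOURCE_PROBLEM`, a value of the xtables_exittype enum used as an exit status; document that status in the `-w` man page entry so scripts can tell "lock busy" apart from a rule error.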
310+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables-restore.c iptables-1.4.18/iptables/ip6tables-restore.c
311+--- iptables-1.4.18.orig/iptables/ip6tables-restore.c 2013-03-03 22:40:11.000000000 +0100
312++++ iptables-1.4.18/iptables/ip6tables-restore.c 2013-09-21 09:59:39.000000000 +0200
313+@@ -438,7 +438,7 @@ int ip6tables_restore_main(int argc, cha
314+ DEBUGP("argv[%u]: %s\n", a, newargv[a]);
315+
316+ ret = do_command6(newargc, newargv,
317+- &newargv[2], &handle);
318++ &newargv[2], &handle, true);
319+
320+ free_argv();
321+ fflush(stdout);
322+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables-standalone.c iptables-1.4.18/iptables/ip6tables-standalone.c
323+--- iptables-1.4.18.orig/iptables/ip6tables-standalone.c 2013-03-03 22:40:11.000000000 +0100
324++++ iptables-1.4.18/iptables/ip6tables-standalone.c 2013-09-21 09:59:39.000000000 +0200
325+@@ -58,7 +58,7 @@ ip6tables_main(int argc, char *argv[])
326+ init_extensions6();
327+ #endif
328+
329+- ret = do_command6(argc, argv, &table, &handle);
330++ ret = do_command6(argc, argv, &table, &handle, false);
331+ if (ret) {
332+ ret = ip6tc_commit(handle);
333+ ip6tc_free(handle);
334+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables.8.in iptables-1.4.18/iptables/iptables.8.in
335+--- iptables-1.4.18.orig/iptables/iptables.8.in 2013-03-03 22:40:11.000000000 +0100
336++++ iptables-1.4.18/iptables/iptables.8.in 2013-09-21 09:59:19.000000000 +0200
337+@@ -351,6 +351,13 @@ For appending, insertion, deletion and r
338+ detailed information on the rule or rules to be printed. \fB\-v\fP may be
339+ specified multiple times to possibly emit more detailed debug statements.
340+ .TP
341++\fB\-w\fP, \fB\-\-wait\fP
342++Wait for the xtables lock.
343++To prevent multiple instances of the program from running concurrently,
344++an attempt will be made to obtain an exclusive lock at launch. By default,
345++the program will exit if the lock cannot be obtained. This option will
346++make the program wait until the exclusive lock can be obtained.
347++.TP
348+ \fB\-n\fP, \fB\-\-numeric\fP
349+ Numeric output.
350+ IP addresses and port numbers will be printed in numeric format.
351+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables.c iptables-1.4.18/iptables/iptables.c
352+--- iptables-1.4.18.orig/iptables/iptables.c 2013-03-03 22:40:11.000000000 +0100
353++++ iptables-1.4.18/iptables/iptables.c 2013-09-21 09:59:39.000000000 +0200
354+@@ -99,6 +99,7 @@ static struct option original_opts[] = {
355+ {.name = "numeric", .has_arg = 0, .val = 'n'},
356+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
357+ {.name = "verbose", .has_arg = 0, .val = 'v'},
358++ {.name = "wait", .has_arg = 0, .val = 'w'},
359+ {.name = "exact", .has_arg = 0, .val = 'x'},
360+ {.name = "fragments", .has_arg = 0, .val = 'f'},
361+ {.name = "version", .has_arg = 0, .val = 'V'},
362+@@ -251,6 +252,7 @@ exit_printhelp(const struct xtables_rule
363+ " network interface name ([+] for wildcard)\n"
364+ " --table -t table table to manipulate (default: `filter')\n"
365+ " --verbose -v verbose mode\n"
366++" --wait -w wait for the xtables lock\n"
367+ " --line-numbers print line numbers when listing\n"
368+ " --exact -x expand numbers (display exact values)\n"
369+ "[!] --fragment -f match second or further fragments only\n"
370+@@ -1280,7 +1282,8 @@ static void command_match(struct iptable
371+ xtables_error(OTHER_PROBLEM, "can't alloc memory!");
372+ }
373+
374+-int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle)
375++int do_command4(int argc, char *argv[], char **table,
376++ struct xtc_handle **handle, bool restore)
377+ {
378+ struct iptables_command_state cs;
379+ struct ipt_entry *e = NULL;
380+@@ -1289,6 +1292,7 @@ int do_command4(int argc, char *argv[],
381+ struct in_addr *daddrs = NULL, *dmasks = NULL;
382+
383+ int verbose = 0;
384++ bool wait = false;
385+ const char *chain = NULL;
386+ const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
387+ const char *policy = NULL, *newname = NULL;
388+@@ -1324,7 +1328,7 @@ int do_command4(int argc, char *argv[],
389+
390+ opts = xt_params->orig_opts;
391+ while ((cs.c = getopt_long(argc, argv,
392+- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46",
393++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvwnt:m:xc:g:46",
394+ opts, NULL)) != -1) {
395+ switch (cs.c) {
396+ /*
397+@@ -1567,6 +1571,15 @@ int do_command4(int argc, char *argv[],
398+ verbose++;
399+ break;
400+
401++ case 'w':
402++ if (restore) {
403++ xtables_error(PARAMETER_PROBLEM,
404++ "You cannot use `-w' from "
405++ "iptables-restore");
406++ }
407++ wait = true;
408++ break;
409++
410+ case 'm':
411+ command_match(&cs);
412+ break;
413+@@ -1721,6 +1734,14 @@ int do_command4(int argc, char *argv[],
414+ "chain name `%s' too long (must be under %u chars)",
415+ chain, XT_EXTENSION_MAXNAMELEN);
416+
417++ /* Attempt to acquire the xtables lock */
418++ if (!restore && !xtables_lock(wait)) {
419++ fprintf(stderr, "Another app is currently holding the xtables lock. "
420++ "Perhaps you want to use the -w option?\n");
421++ xtables_free_opts(1);
422++ exit(RESOURCE_PROBLEM);
423++ }
424++
425+ /* only allocate handle if we weren't called with a handle */
426+ if (!*handle)
427+ *handle = iptc_init(*table);
428+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables-restore.c iptables-1.4.18/iptables/iptables-restore.c
429+--- iptables-1.4.18.orig/iptables/iptables-restore.c 2013-03-03 22:40:11.000000000 +0100
430++++ iptables-1.4.18/iptables/iptables-restore.c 2013-09-21 09:59:39.000000000 +0200
431+@@ -438,7 +438,7 @@ iptables_restore_main(int argc, char *ar
432+ DEBUGP("argv[%u]: %s\n", a, newargv[a]);
433+
434+ ret = do_command4(newargc, newargv,
435+- &newargv[2], &handle);
436++ &newargv[2], &handle, true);
437+
438+ free_argv();
439+ fflush(stdout);
440+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables-standalone.c iptables-1.4.18/iptables/iptables-standalone.c
441+--- iptables-1.4.18.orig/iptables/iptables-standalone.c 2013-03-03 22:40:11.000000000 +0100
442++++ iptables-1.4.18/iptables/iptables-standalone.c 2013-09-21 09:59:39.000000000 +0200
443+@@ -58,7 +58,7 @@ iptables_main(int argc, char *argv[])
444+ init_extensions4();
445+ #endif
446+
447+- ret = do_command4(argc, argv, &table, &handle);
448++ ret = do_command4(argc, argv, &table, &handle, false);
449+ if (ret) {
450+ ret = iptc_commit(handle);
451+ iptc_free(handle);
452+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/xshared.c iptables-1.4.18/iptables/xshared.c
453+--- iptables-1.4.18.orig/iptables/xshared.c 2013-03-03 22:40:11.000000000 +0100
454++++ iptables-1.4.18/iptables/xshared.c 2013-09-21 09:59:19.000000000 +0200
455+@@ -6,9 +6,15 @@
456+ #include <stdio.h>
457+ #include <stdlib.h>
458+ #include <string.h>
459++#include <sys/socket.h>
460++#include <sys/un.h>
461++#include <unistd.h>
462+ #include <xtables.h>
463+ #include "xshared.h"
464+
465++#define XT_SOCKET_NAME "xtables"
466++#define XT_SOCKET_LEN 8
467++
468+ /*
469+ * Print out any special helps. A user might like to be able to add a --help
470+ * to the commandline, and see expected results. So we call help for all
471+@@ -236,3 +242,30 @@ void xs_init_match(struct xtables_match
472+ if (match->init != NULL)
473+ match->init(match->m);
474+ }
475++
476++bool xtables_lock(bool wait)
477++{
478++ int i = 0, ret, xt_socket;
479++ struct sockaddr_un xt_addr;
480++
481++ memset(&xt_addr, 0, sizeof(xt_addr));
482++ xt_addr.sun_family = AF_UNIX;
483++ strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME);
484++ xt_socket = socket(AF_UNIX, SOCK_STREAM, 0);
485++ /* If we can't even create a socket, fall back to prior (lockless) behavior */
486++ if (xt_socket < 0)
487++ return true;
488++
489++ while (1) {
490++ ret = bind(xt_socket, (struct sockaddr*)&xt_addr,
491++ offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN);
492++ if (ret == 0)
493++ return true;
494++ else if (wait == false)
495++ return false;
496++ if (++i % 2 == 0)
497++ fprintf(stderr, "Another app is currently holding the xtables lock; "
498++ "waiting for it to exit...\n");
499++ sleep(1);
500++ }
501++}
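Review bot: the lock is an abstract-namespace Unix socket (`strcpy(xt_addr.sun_path+1, ...)` puts "xtables" after the leading NUL), and bind() on an abstract name is subject to no permission check at all. Any local user, not only root, can bind "\0xtables" first and keep it bound, after which every iptables and ip6tables invocation on the host fails, or with `-w` waits forever because the loop has no timeout. That makes the lock an unprivileged local denial of service against firewall management; a lock file under /run taken with flock() would inherit normal file permissions, and failing that the wait should be bounded and the behaviour documented. The abstract namespace is per network namespace, which matches the tables being per-netns, so the scope is right. Three smaller points: `XT_SOCKET_LEN 8` is correct (one NUL plus strlen("xtables")) but should be written as `sizeof(XT_SOCKET_NAME)` so the two cannot drift; the `xt_socket < 0` path silently continues without any lock, which is a reasonable compatibility fallback but deserves a warning on stderr; and the socket is deliberately never closed so the lock lives until process exit, which wants a comment before someone "fixes" the leak. `offsetof` is used without `#include <stddef.h>`; it only arrives through other headers.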
502+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/xshared.h iptables-1.4.18/iptables/xshared.h
503+--- iptables-1.4.18.orig/iptables/xshared.h 2013-03-03 22:40:11.000000000 +0100
504++++ iptables-1.4.18/iptables/xshared.h 2013-09-21 09:59:19.000000000 +0200
505+@@ -2,6 +2,7 @@
506+ #define IPTABLES_XSHARED_H 1
507+
508+ #include <limits.h>
509++#include <stdbool.h>
510+ #include <stdint.h>
511+ #include <netinet/in.h>
512+ #include <net/if.h>
513+@@ -83,6 +84,7 @@ extern struct xtables_match *load_proto(
514+ extern int subcmd_main(int, char **, const struct subcommand *);
515+ extern void xs_init_target(struct xtables_target *);
516+ extern void xs_init_match(struct xtables_match *);
517++extern bool xtables_lock(bool wait);
518+
519+ extern const struct xtables_afinfo *afinfo;
520+
521
522=== modified file 'debian/patches/series'
523--- debian/patches/series 2013-06-07 09:50:09 +0000
524+++ debian/patches/series 2013-09-21 09:47:55 +0000
525@@ -1,6 +1,8 @@
526 0101-changelog.patch
527 0102-add_manpages.patch
528+0201-iptables-xml_man_section.patch
529 0503-extension_cppflags.patch
530 0504-configure_dccp_ipvs.patch
531 9000-howtos.patch
532 9002-libxt_recent-Add-support-for-reap-option.patch
533+calling-setsockopt-incorrectly.patch
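Review bot: the series uses NNNN-prefixed names throughout and the new 0201 patch follows that convention, but calling-setsockopt-incorrectly.patch does not and is appended after 9002-libxt_recent-Add-support-for-reap-option.patch. Rename it with a number in the 02xx range (the cherry-pick group 0201 starts) and after the upstream commit subject so its origin and drop condition are visible from the file name alone; applying it last is harmless since it touches different files from the 9000-series patches.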
