Merge lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177 into lp:ubuntu/saucy/iptables

Proposed by Artur Rona on 2013-09-26
Status: Merged
Merge reported by: Dimitri John Ledkov
Merged at revision: not available
Proposed branch: lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177
Merge into: lp:ubuntu/saucy/iptables
Diff against target: 533 lines (+463/-2)
9 files modified
debian/changelog (+30/-0)
debian/control (+1/-0)
debian/iptables-dev.install (+1/-0)
debian/iptables.install (+2/-0)
debian/iptables.manpages (+1/-2)
debian/nfnl_osf.8 (+80/-0)
debian/patches/0201-iptables-xml_man_section.patch (+8/-0)
debian/patches/calling-setsockopt-incorrectly.patch (+338/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177
Reviewer              Review Type   Date Requested   Status
Ubuntu Sponsors Team                2013-09-26       Pending
Artur Rona                                           Pending
Daniel Holbach                      2013-09-26       Pending
Review via email: mp+187859@code.launchpad.net

This proposal supersedes a proposal from 2013-09-21.

Daniel Holbach (dholbach) wrote : Posted in a previous version of this proposal

Thanks for your work on this.

It seems you're not mentioning the Ubuntu changes from the last merge. Were they all dropped? Are they still relevant?

+ - debian/control: add linuxdoc-tools dep, remove libipq references
+ - debian/rules: compile with --disable-libipq
+ - 9000-howtos.patch: add howtos/ and install them
+ - 9002-libxt_recent-Add-support-for-reap-option.patch: Some changes are
+ upstream, patch needed for additional reap option checks.
+ - debian/iptables.install: install NAT and packetfilter howtos into
+ /usr/share/doc
+ - debian/iptables-dev.doc-base.netfilter-extensions,
+ debian/iptables-dev.doc-base.netfilter-hacking,
+ debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter:
+ add howtos
+ - debian/iptables-dev.install: remove usr/share/man/man3 only used with
+ libipq manpages

review: Needs Information
Artur Rona (ari-tczew) wrote : Posted in a previous version of this proposal

Well, the Ubuntu delta since the last merge is unchanged. These changes have not been dropped and they still remain. I didn't mention them, because it's not a standard merge from Debian, where the latest revision is merged. Instead it's a 'fake merge': Debian's revision from snapshot/archive has been merged to fix an FTBFS in another package (perlipq). In this case, 2 lines (in debian/{control;iptables-dev.install}) have been changed. Then I added the following changes to fix the next 2 bugs.
Also, we're coming to the question: what's more worthwhile? Again copying the long d/changelog description about the remaining changes only for the 2 above-mentioned changed lines, or just describing that it's a non-standard merge? In the next development cycle we can do a normal merge of iptables from Debian unstable, including the mentioned remaining changes in d/changelog.

Sorry for the misunderstanding, but I'm preparing such a 'fake/non-standard' merge for the first time. I'm not sure whether there is documentation for it.

BTW, the whole set of changes can be dropped while merging the current iptables from Debian unstable.

review: Resubmit
Dimitri John Ledkov (xnox) wrote :

"review: Resubmit" -> means that "ari-tczew" has reviewed this proposal and says that the submitter should resubmit this merge proposal again using the resubmit button on top of the merge proposal...

Imho, it's ok to do this; it's just that it's a "cherry-pick".

"Cherry-pick changes from Debian upload 1.4.18-1.1 to fix FTBFS" would be more appropriate. Seems reasonable to pick up all of these fixes for saucy.

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2013-06-07 09:50:09 +0000
3+++ debian/changelog 2013-09-26 17:47:06 +0000
4@@ -1,3 +1,33 @@
5+iptables (1.4.18-1.1ubuntu1) saucy; urgency=low
6+
7+ * Merge changes from Debian, version 1.4.18-1.1 to fix FTBFS
8+ in package perlipq due to missing dependecy: (LP: #1228525)
9+ - debian/control
10+ - debian/iptables-dev.install
11+ * Fix unresolved @PACKAGE_VERSION@ in manpage. Cherry-pick from
12+ Debian, version 1.4.20-2: (LP: #1134554)
13+ - debian/iptables.install
14+ - debian/iptables.manpages
15+ - debian/nfnl_osf.8
16+ - 0201-iptables-xml_man_section.patch
17+ * Fix incorrectly calling setsockopt, cherry-pick: (LP: #1187177)
18+ - debian/patches/calling-setsockopt-incorrectly.patch
19+
20+ -- Artur Rona <ari-tczew@tlen.pl> Fri, 20 Sep 2013 00:26:08 +0200
21+
22+iptables (1.4.18-1.1) unstable; urgency=low
23+
24+ [ gregor herrmann ]
25+ * Fix "libipq.h includes non-existing linux/netfilter_ipv4/ip_queue.h":
26+ ship /usr/include/linux/netfilter_ipv4/ip_queue.h in iptables-dev;
27+ add Breaks on linux-libc-dev << 3.5
28+ (Closes: #707535)
29+
30+ [ Dominic Hargreaves ]
31+ * Non-maintainer upload
32+
33+ -- Dominic Hargreaves <dom@earth.li> Sat, 13 Jul 2013 16:09:01 +0100
34+
35 iptables (1.4.18-1ubuntu1) saucy; urgency=low
36
37 [ Chris J Arges ]
38
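Review bot: "dependecy" in the first bullet of the new 1.4.18-1.1ubuntu1 entry should be "dependency". The same bullet calls this a merge of Debian 1.4.18-1.1 while only two files (debian/control, debian/iptables-dev.install) are actually taken from it; the review discussion above suggests "Cherry-pick changes from Debian upload 1.4.18-1.1 to fix FTBFS", which describes the change more accurately.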
39=== modified file 'debian/control'
40--- debian/control 2013-06-07 09:50:09 +0000
41+++ debian/control 2013-09-26 17:47:06 +0000
42@@ -34,6 +34,7 @@
43 Priority: optional
44 Depends: ${misc:Depends}, iptables (=${binary:Version})
45 Conflicts: iptables (<<1.4.2-2)
46+Breaks: linux-libc-dev (<< 3.5)
47 Section: devel
48 Description: iptables development files
49 iptables is used to setup, maintain, and inspect the tables of
50
51=== modified file 'debian/iptables-dev.install'
52--- debian/iptables-dev.install 2013-06-07 09:50:09 +0000
53+++ debian/iptables-dev.install 2013-09-26 17:47:06 +0000
54@@ -1,4 +1,5 @@
55 usr/include
56 lib/lib*.so
57 lib/pkgconfig usr/lib
58+include/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/
59 howtos/netfilter*html usr/share/doc/iptables-dev/html
60
61=== modified file 'debian/iptables.install'
62--- debian/iptables.install 2013-06-07 09:50:09 +0000
63+++ debian/iptables.install 2013-09-26 17:47:06 +0000
64@@ -5,4 +5,6 @@
65 lib/xtables
66 iptables/iptables-apply usr/sbin
67 iptables/iptables.xslt usr/share/iptables
68+usr/share/man/man8
69+usr/share/man/man1
70 howtos/NAT*html debian/tmp/howtos/packet*html usr/share/doc/iptables/html
71
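Review bot: installing usr/share/man/man8 wholesale here while debian/iptables.manpages still lists iptables/*.8 means man8 pages are handled by both dh_install and dh_installman; check the built package for duplicate or conflicting copies and keep a single source for them. The new usr/share/man/man1 line is what ships iptables-xml.1 once iptables/*.1 is removed from iptables.manpages, so the 0201 patch that moves that page to section 1 is needed for the page's section to match its directory.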
72=== modified file 'debian/iptables.manpages'
73--- debian/iptables.manpages 2012-10-28 09:40:00 +0000
74+++ debian/iptables.manpages 2013-09-26 17:47:06 +0000
75@@ -1,3 +1,2 @@
76 iptables/*.8
77-iptables/*.1
78-utils/*.8
79+debian/*.8
80
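Review bot: dropping utils/*.8 removes every manpage under utils/ from dh_installman, and the only replacement visible here is debian/*.8 (the new nfnl_osf.8); confirm that the remaining utils/ pages are covered by the usr/share/man/man8 line now in debian/iptables.install, otherwise they silently disappear from the package.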
81=== added file 'debian/nfnl_osf.8'
82--- debian/nfnl_osf.8 1970-01-01 00:00:00 +0000
83+++ debian/nfnl_osf.8 2013-09-26 17:47:06 +0000
84@@ -0,0 +1,80 @@
85+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
86+.\"
87+.\" Standard preamble:
88+.\" ========================================================================
89+.de Sp \" Vertical space (when we can't use .PP)
90+.if t .sp .5v
91+.if n .sp
92+..
93+.de Vb \" Begin verbatim text
94+.ft CW
95+.nf
96+.ne \\$1
97+..
98+.de Ve \" End verbatim text
99+.ft R
100+.fi
101+..
102+.\" Set up some character translations and predefined strings. \*(-- will
103+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
104+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
105+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
106+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
107+.\" nothing in troff, for use with C<>.
108+.tr \(*W-
109+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
110+.ie n \{\
111+. ds -- \(*W-
112+. ds PI pi
113+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
114+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
115+. ds L" ""
116+. ds R" ""
117+. ds C` ""
118+. ds C' ""
119+'br\}
120+.el\{\
121+. ds -- \|\(em\|
122+. ds PI \(*p
123+. ds L" ``
124+. ds R" ''
125+'br\}
126+.\"
127+.\" Escape single quotes in literal strings from groff's Unicode transform.
128+.ie \n(.g .ds Aq \(aq
129+.el .ds Aq '
130+.\"
131+.\" If the F register is turned on, we'll generate index entries on stderr for
132+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
133+.\" entries marked with X<> in POD. Of course, you'll have to process the
134+.\" output yourself in some meaningful fashion.
135+.ie \nF \{\
136+. de IX
137+. tm Index:\\$1\t\\n%\t"\\$2"
138+..
139+. nr % 0
140+. rr F
141+.\}
142+.el \{\
143+. de IX
144+..
145+.\}
146+.\" ========================================================================
147+.\"
148+.IX Title "NFNL_OSF 8"
149+.TH NFNL_OSF 8 "2012-10-27" "nfnl_osf" "nfnl_osf"
150+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
151+.\" way too many mistakes in technical documents.
152+.if n .ad l
153+.nh
154+.SH "NAME"
155+nfnl_osf \- load and unload os fingerprint database
156+.SH "SYNOPSIS"
157+.IX Header "SYNOPSIS"
158+load and unload osf fingerprint database for the netfilter osf extension
159+.SH "DESCRIPTION"
160+.IX Header "DESCRIPTION"
161+nffl_osf has no official man page. Look at the osf module in \fB\f(BIiptables\-extensions\fB\|(8)\fR for more information.
162+.SH "SEE ALSO"
163+.IX Header "SEE ALSO"
164+\&\fIiptables\-extensions\fR\|(8)
165
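Review bot: the DESCRIPTION section misspells the program name as "nffl_osf"; it should be "nfnl_osf". The SYNOPSIS repeats the one-line description instead of showing a command line, and since the file is Pod::Man output, shipping the POD source and generating the page at build time would be easier to keep in sync than committing 80 lines of generated roff.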
166=== added file 'debian/patches/0201-iptables-xml_man_section.patch'
167--- debian/patches/0201-iptables-xml_man_section.patch 1970-01-01 00:00:00 +0000
168+++ debian/patches/0201-iptables-xml_man_section.patch 2013-09-26 17:47:06 +0000
169@@ -0,0 +1,8 @@
170+--- a/iptables/iptables-xml.1
171++++ b/iptables/iptables-xml.1
172+@@ -1,4 +1,4 @@
173+-.TH IPTABLES-XML 8 "Jul 16, 2007" "" ""
174++.TH IPTABLES-XML 1 "Jul 16, 2007" "" ""
175+ .\"
176+ .\" Man page written by Sam Liddicott <azez@ufomechanic.net>
177+ .\" It is based on the iptables-save man page.
178
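Review bot: this patch carries no DEP-3 header (Description, Origin, Bug-Ubuntu), unlike calling-setsockopt-incorrectly.patch below; add one naming LP: #1134554 and the Debian 1.4.20-2 origin given in the changelog so the provenance survives the next refresh.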
179=== added file 'debian/patches/calling-setsockopt-incorrectly.patch'
180--- debian/patches/calling-setsockopt-incorrectly.patch 1970-01-01 00:00:00 +0000
181+++ debian/patches/calling-setsockopt-incorrectly.patch 2013-09-26 17:47:06 +0000
182@@ -0,0 +1,338 @@
183+From: Artur Rona <ari-tczew@tlen.pl>
184+Description: Add locking to prevent concurrent instances.
185+Bug-Ubuntu: https://launchpad.net/bugs/1187177
186+Bug-Debian: http://bugs.debian.org/710997
187+Origin: upstream, http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8
188+ http://git.netfilter.org/iptables/commit/?id=d7aeda5ed45ac7ca959f12180690caa371b5b14b
189+Author: Phil Oester <kernel@linuxace.com>,
190+ Pablo Neira Ayuso <pablo@netfilter.org>
191+
192+diff -pruN -x '*~' iptables-1.4.18.orig/include/ip6tables.h iptables-1.4.18/include/ip6tables.h
193+--- iptables-1.4.18.orig/include/ip6tables.h 2013-03-03 22:40:11.000000000 +0100
194++++ iptables-1.4.18/include/ip6tables.h 2013-09-21 09:59:39.000000000 +0200
195+@@ -8,7 +8,7 @@
196+
197+ /* Your shared library should call one of these. */
198+ extern int do_command6(int argc, char *argv[], char **table,
199+- struct xtc_handle **handle);
200++ struct xtc_handle **handle, bool restore);
201+
202+ extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle);
203+ extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle);
204+diff -pruN -x '*~' iptables-1.4.18.orig/include/iptables.h iptables-1.4.18/include/iptables.h
205+--- iptables-1.4.18.orig/include/iptables.h 2013-03-03 22:40:11.000000000 +0100
206++++ iptables-1.4.18/include/iptables.h 2013-09-21 09:59:39.000000000 +0200
207+@@ -8,7 +8,7 @@
208+
209+ /* Your shared library should call one of these. */
210+ extern int do_command4(int argc, char *argv[], char **table,
211+- struct xtc_handle **handle);
212++ struct xtc_handle **handle, bool restore);
213+ extern int delete_chain4(const xt_chainlabel chain, int verbose,
214+ struct xtc_handle *handle);
215+ extern int flush_entries4(const xt_chainlabel chain, int verbose,
216+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables.8.in iptables-1.4.18/iptables/ip6tables.8.in
217+--- iptables-1.4.18.orig/iptables/ip6tables.8.in 2013-03-03 22:40:11.000000000 +0100
218++++ iptables-1.4.18/iptables/ip6tables.8.in 2013-09-21 09:59:19.000000000 +0200
219+@@ -363,6 +363,13 @@ For appending, insertion, deletion and r
220+ detailed information on the rule or rules to be printed. \fB\-v\fP may be
221+ specified multiple times to possibly emit more detailed debug statements.
222+ .TP
223++\fB\-w\fP, \fB\-\-wait\fP
224++Wait for the xtables lock.
225++To prevent multiple instances of the program from running concurrently,
226++an attempt will be made to obtain an exclusive lock at launch. By default,
227++the program will exit if the lock cannot be obtained. This option will
228++make the program wait until the exclusive lock can be obtained.
229++.TP
230+ \fB\-n\fP, \fB\-\-numeric\fP
231+ Numeric output.
232+ IP addresses and port numbers will be printed in numeric format.
233+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables.c iptables-1.4.18/iptables/ip6tables.c
234+--- iptables-1.4.18.orig/iptables/ip6tables.c 2013-03-03 22:40:11.000000000 +0100
235++++ iptables-1.4.18/iptables/ip6tables.c 2013-09-21 09:59:39.000000000 +0200
236+@@ -102,6 +102,7 @@ static struct option original_opts[] = {
237+ {.name = "numeric", .has_arg = 0, .val = 'n'},
238+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
239+ {.name = "verbose", .has_arg = 0, .val = 'v'},
240++ {.name = "wait", .has_arg = 0, .val = 'w'},
241+ {.name = "exact", .has_arg = 0, .val = 'x'},
242+ {.name = "version", .has_arg = 0, .val = 'V'},
243+ {.name = "help", .has_arg = 2, .val = 'h'},
244+@@ -257,6 +258,7 @@ exit_printhelp(const struct xtables_rule
245+ " network interface name ([+] for wildcard)\n"
246+ " --table -t table table to manipulate (default: `filter')\n"
247+ " --verbose -v verbose mode\n"
248++" --wait -w wait for the xtables lock\n"
249+ " --line-numbers print line numbers when listing\n"
250+ " --exact -x expand numbers (display exact values)\n"
251+ /*"[!] --fragment -f match second or further fragments only\n"*/
252+@@ -1284,7 +1286,8 @@ static void command_match(struct iptable
253+ m->extra_opts, &m->option_offset);
254+ }
255+
256+-int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle)
257++int do_command6(int argc, char *argv[], char **table,
258++ struct xtc_handle **handle, bool restore)
259+ {
260+ struct iptables_command_state cs;
261+ struct ip6t_entry *e = NULL;
262+@@ -1293,6 +1296,7 @@ int do_command6(int argc, char *argv[],
263+ struct in6_addr *smasks = NULL, *dmasks = NULL;
264+
265+ int verbose = 0;
266++ bool wait = false;
267+ const char *chain = NULL;
268+ const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
269+ const char *policy = NULL, *newname = NULL;
270+@@ -1328,7 +1332,7 @@ int do_command6(int argc, char *argv[],
271+
272+ opts = xt_params->orig_opts;
273+ while ((cs.c = getopt_long(argc, argv,
274+- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:46",
275++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvwnt:m:xc:g:46",
276+ opts, NULL)) != -1) {
277+ switch (cs.c) {
278+ /*
279+@@ -1573,6 +1577,15 @@ int do_command6(int argc, char *argv[],
280+ verbose++;
281+ break;
282+
283++ case 'w':
284++ if (restore) {
285++ xtables_error(PARAMETER_PROBLEM,
286++ "You cannot use `-w' from "
287++ "ip6tables-restore");
288++ }
289++ wait = true;
290++ break;
291++
292+ case 'm':
293+ command_match(&cs);
294+ break;
295+@@ -1724,6 +1737,14 @@ int do_command6(int argc, char *argv[],
296+ "chain name `%s' too long (must be under %u chars)",
297+ chain, XT_EXTENSION_MAXNAMELEN);
298+
299++ /* Attempt to acquire the xtables lock */
300++ if (!restore && !xtables_lock(wait)) {
301++ fprintf(stderr, "Another app is currently holding the xtables lock. "
302++ "Perhaps you want to use the -w option?\n");
303++ xtables_free_opts(1);
304++ exit(RESOURCE_PROBLEM);
305++ }
306++
307+ /* only allocate handle if we weren't called with a handle */
308+ if (!*handle)
309+ *handle = ip6tc_init(*table);
310+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables-restore.c iptables-1.4.18/iptables/ip6tables-restore.c
311+--- iptables-1.4.18.orig/iptables/ip6tables-restore.c 2013-03-03 22:40:11.000000000 +0100
312++++ iptables-1.4.18/iptables/ip6tables-restore.c 2013-09-21 09:59:39.000000000 +0200
313+@@ -438,7 +438,7 @@ int ip6tables_restore_main(int argc, cha
314+ DEBUGP("argv[%u]: %s\n", a, newargv[a]);
315+
316+ ret = do_command6(newargc, newargv,
317+- &newargv[2], &handle);
318++ &newargv[2], &handle, true);
319+
320+ free_argv();
321+ fflush(stdout);
322+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables-standalone.c iptables-1.4.18/iptables/ip6tables-standalone.c
323+--- iptables-1.4.18.orig/iptables/ip6tables-standalone.c 2013-03-03 22:40:11.000000000 +0100
324++++ iptables-1.4.18/iptables/ip6tables-standalone.c 2013-09-21 09:59:39.000000000 +0200
325+@@ -58,7 +58,7 @@ ip6tables_main(int argc, char *argv[])
326+ init_extensions6();
327+ #endif
328+
329+- ret = do_command6(argc, argv, &table, &handle);
330++ ret = do_command6(argc, argv, &table, &handle, false);
331+ if (ret) {
332+ ret = ip6tc_commit(handle);
333+ ip6tc_free(handle);
334+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables.8.in iptables-1.4.18/iptables/iptables.8.in
335+--- iptables-1.4.18.orig/iptables/iptables.8.in 2013-03-03 22:40:11.000000000 +0100
336++++ iptables-1.4.18/iptables/iptables.8.in 2013-09-21 09:59:19.000000000 +0200
337+@@ -351,6 +351,13 @@ For appending, insertion, deletion and r
338+ detailed information on the rule or rules to be printed. \fB\-v\fP may be
339+ specified multiple times to possibly emit more detailed debug statements.
340+ .TP
341++\fB\-w\fP, \fB\-\-wait\fP
342++Wait for the xtables lock.
343++To prevent multiple instances of the program from running concurrently,
344++an attempt will be made to obtain an exclusive lock at launch. By default,
345++the program will exit if the lock cannot be obtained. This option will
346++make the program wait until the exclusive lock can be obtained.
347++.TP
348+ \fB\-n\fP, \fB\-\-numeric\fP
349+ Numeric output.
350+ IP addresses and port numbers will be printed in numeric format.
351+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables.c iptables-1.4.18/iptables/iptables.c
352+--- iptables-1.4.18.orig/iptables/iptables.c 2013-03-03 22:40:11.000000000 +0100
353++++ iptables-1.4.18/iptables/iptables.c 2013-09-21 09:59:39.000000000 +0200
354+@@ -99,6 +99,7 @@ static struct option original_opts[] = {
355+ {.name = "numeric", .has_arg = 0, .val = 'n'},
356+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
357+ {.name = "verbose", .has_arg = 0, .val = 'v'},
358++ {.name = "wait", .has_arg = 0, .val = 'w'},
359+ {.name = "exact", .has_arg = 0, .val = 'x'},
360+ {.name = "fragments", .has_arg = 0, .val = 'f'},
361+ {.name = "version", .has_arg = 0, .val = 'V'},
362+@@ -251,6 +252,7 @@ exit_printhelp(const struct xtables_rule
363+ " network interface name ([+] for wildcard)\n"
364+ " --table -t table table to manipulate (default: `filter')\n"
365+ " --verbose -v verbose mode\n"
366++" --wait -w wait for the xtables lock\n"
367+ " --line-numbers print line numbers when listing\n"
368+ " --exact -x expand numbers (display exact values)\n"
369+ "[!] --fragment -f match second or further fragments only\n"
370+@@ -1280,7 +1282,8 @@ static void command_match(struct iptable
371+ xtables_error(OTHER_PROBLEM, "can't alloc memory!");
372+ }
373+
374+-int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle)
375++int do_command4(int argc, char *argv[], char **table,
376++ struct xtc_handle **handle, bool restore)
377+ {
378+ struct iptables_command_state cs;
379+ struct ipt_entry *e = NULL;
380+@@ -1289,6 +1292,7 @@ int do_command4(int argc, char *argv[],
381+ struct in_addr *daddrs = NULL, *dmasks = NULL;
382+
383+ int verbose = 0;
384++ bool wait = false;
385+ const char *chain = NULL;
386+ const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
387+ const char *policy = NULL, *newname = NULL;
388+@@ -1324,7 +1328,7 @@ int do_command4(int argc, char *argv[],
389+
390+ opts = xt_params->orig_opts;
391+ while ((cs.c = getopt_long(argc, argv,
392+- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46",
393++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvwnt:m:xc:g:46",
394+ opts, NULL)) != -1) {
395+ switch (cs.c) {
396+ /*
397+@@ -1567,6 +1571,15 @@ int do_command4(int argc, char *argv[],
398+ verbose++;
399+ break;
400+
401++ case 'w':
402++ if (restore) {
403++ xtables_error(PARAMETER_PROBLEM,
404++ "You cannot use `-w' from "
405++ "iptables-restore");
406++ }
407++ wait = true;
408++ break;
409++
410+ case 'm':
411+ command_match(&cs);
412+ break;
413+@@ -1721,6 +1734,14 @@ int do_command4(int argc, char *argv[],
414+ "chain name `%s' too long (must be under %u chars)",
415+ chain, XT_EXTENSION_MAXNAMELEN);
416+
417++ /* Attempt to acquire the xtables lock */
418++ if (!restore && !xtables_lock(wait)) {
419++ fprintf(stderr, "Another app is currently holding the xtables lock. "
420++ "Perhaps you want to use the -w option?\n");
421++ xtables_free_opts(1);
422++ exit(RESOURCE_PROBLEM);
423++ }
424++
425+ /* only allocate handle if we weren't called with a handle */
426+ if (!*handle)
427+ *handle = iptc_init(*table);
428+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables-restore.c iptables-1.4.18/iptables/iptables-restore.c
429+--- iptables-1.4.18.orig/iptables/iptables-restore.c 2013-03-03 22:40:11.000000000 +0100
430++++ iptables-1.4.18/iptables/iptables-restore.c 2013-09-21 09:59:39.000000000 +0200
431+@@ -438,7 +438,7 @@ iptables_restore_main(int argc, char *ar
432+ DEBUGP("argv[%u]: %s\n", a, newargv[a]);
433+
434+ ret = do_command4(newargc, newargv,
435+- &newargv[2], &handle);
436++ &newargv[2], &handle, true);
437+
438+ free_argv();
439+ fflush(stdout);
440+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables-standalone.c iptables-1.4.18/iptables/iptables-standalone.c
441+--- iptables-1.4.18.orig/iptables/iptables-standalone.c 2013-03-03 22:40:11.000000000 +0100
442++++ iptables-1.4.18/iptables/iptables-standalone.c 2013-09-21 09:59:39.000000000 +0200
443+@@ -58,7 +58,7 @@ iptables_main(int argc, char *argv[])
444+ init_extensions4();
445+ #endif
446+
447+- ret = do_command4(argc, argv, &table, &handle);
448++ ret = do_command4(argc, argv, &table, &handle, false);
449+ if (ret) {
450+ ret = iptc_commit(handle);
451+ iptc_free(handle);
452+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/xshared.c iptables-1.4.18/iptables/xshared.c
453+--- iptables-1.4.18.orig/iptables/xshared.c 2013-03-03 22:40:11.000000000 +0100
454++++ iptables-1.4.18/iptables/xshared.c 2013-09-21 09:59:19.000000000 +0200
455+@@ -6,9 +6,15 @@
456+ #include <stdio.h>
457+ #include <stdlib.h>
458+ #include <string.h>
459++#include <sys/socket.h>
460++#include <sys/un.h>
461++#include <unistd.h>
462+ #include <xtables.h>
463+ #include "xshared.h"
464+
465++#define XT_SOCKET_NAME "xtables"
466++#define XT_SOCKET_LEN 8
467++
468+ /*
469+ * Print out any special helps. A user might like to be able to add a --help
470+ * to the commandline, and see expected results. So we call help for all
471+@@ -236,3 +242,30 @@ void xs_init_match(struct xtables_match
472+ if (match->init != NULL)
473+ match->init(match->m);
474+ }
475++
476++bool xtables_lock(bool wait)
477++{
478++ int i = 0, ret, xt_socket;
479++ struct sockaddr_un xt_addr;
480++
481++ memset(&xt_addr, 0, sizeof(xt_addr));
482++ xt_addr.sun_family = AF_UNIX;
483++ strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME);
484++ xt_socket = socket(AF_UNIX, SOCK_STREAM, 0);
485++ /* If we can't even create a socket, fall back to prior (lockless) behavior */
486++ if (xt_socket < 0)
487++ return true;
488++
489++ while (1) {
490++ ret = bind(xt_socket, (struct sockaddr*)&xt_addr,
491++ offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN);
492++ if (ret == 0)
493++ return true;
494++ else if (wait == false)
495++ return false;
496++ if (++i % 2 == 0)
497++ fprintf(stderr, "Another app is currently holding the xtables lock; "
498++ "waiting for it to exit...\n");
499++ sleep(1);
500++ }
501++}
502+diff -pruN -x '*~' iptables-1.4.18.orig/iptables/xshared.h iptables-1.4.18/iptables/xshared.h
503+--- iptables-1.4.18.orig/iptables/xshared.h 2013-03-03 22:40:11.000000000 +0100
504++++ iptables-1.4.18/iptables/xshared.h 2013-09-21 09:59:19.000000000 +0200
505+@@ -2,6 +2,7 @@
506+ #define IPTABLES_XSHARED_H 1
507+
508+ #include <limits.h>
509++#include <stdbool.h>
510+ #include <stdint.h>
511+ #include <netinet/in.h>
512+ #include <net/if.h>
513+@@ -83,6 +84,7 @@ extern struct xtables_match *load_proto(
514+ extern int subcmd_main(int, char **, const struct subcommand *);
515+ extern void xs_init_target(struct xtables_target *);
516+ extern void xs_init_match(struct xtables_match *);
517++extern bool xtables_lock(bool wait);
518+
519+ extern const struct xtables_afinfo *afinfo;
520+
521
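Review bot: the lock is only taken when restore is false (`if (!restore && !xtables_lock(wait))` in both do_command4 and do_command6) and the restore front-ends pass `true`, so a running iptables-restore is not serialized against a concurrent iptables invocation; that limitation belongs in the DEP-3 Description, which at present ("Add locking to prevent concurrent instances.") also does not match the file name "calling-setsockopt-incorrectly". In xtables_lock(), `offsetof` is used without an explicit `#include <stddef.h>`; the `wait == true` loop has no upper bound, so another process holding the abstract socket name "xtables" makes the caller sleep indefinitely with only a periodic message on stderr; and a `socket()` failure returns true, i.e. silently falls back to the old unlocked behaviour with no diagnostic. The descriptor is also left open on the `return false` path, which is harmless only because every caller exits immediately afterwards.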
522=== modified file 'debian/patches/series'
523--- debian/patches/series 2013-06-07 09:50:09 +0000
524+++ debian/patches/series 2013-09-26 17:47:06 +0000
525@@ -1,6 +1,8 @@
526 0101-changelog.patch
527 0102-add_manpages.patch
528+0201-iptables-xml_man_section.patch
529 0503-extension_cppflags.patch
530 0504-configure_dccp_ipvs.patch
531 9000-howtos.patch
532 9002-libxt_recent-Add-support-for-reap-option.patch
533+calling-setsockopt-incorrectly.patch
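Review bot: calling-setsockopt-incorrectly.patch is the only entry without the numeric prefix the other patches in series use, and its name describes the original bug symptom rather than the locking change the patch makes; consider a name in the numbered scheme that says what it does, updating the changelog entry and DEP-3 header to match.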
