Merge lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177 into lp:ubuntu/saucy/iptables
Status: | Merged |
---|---|
Merge reported by: | Dimitri John Ledkov |
Merged at revision: | not available |
Proposed branch: | lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177 |
Merge into: | lp:ubuntu/saucy/iptables |
Diff against target: | 533 lines (+463/-2), 9 files modified: debian/changelog (+30/-0), debian/control (+1/-0), debian/iptables-dev.install (+1/-0), debian/iptables.install (+2/-0), debian/iptables.manpages (+1/-2), debian/nfnl_osf.8 (+80/-0), debian/patches/0201-iptables-xml_man_section.patch (+8/-0), debian/patches/calling-setsockopt-incorrectly.patch (+338/-0), debian/patches/series (+2/-0) |
To merge this branch: | bzr merge lp:~ari-tczew/ubuntu/saucy/iptables/lp-1228525-1134554-1187177 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ubuntu Sponsors | | | Pending |
Daniel Holbach | | | Pending |
Artur Rona | | | Pending |
Review via email: mp+187859@code.launchpad.net |
This proposal supersedes a proposal from 2013-09-21.
Commit message
Description of the change
Daniel Holbach (dholbach) wrote: Posted in a previous version of this proposal
Artur Rona (ari-tczew) wrote: Posted in a previous version of this proposal
Well, the Ubuntu delta since the last merge is unchanged. These changes have not been dropped and they still remain. I didn't mention them, because it's not a standard merge from Debian, when the latest revision will be merged. Else it's a 'fake merge' - Debian's revision from snapshot/archive has been merged to fix FTBFS in another package (perlipq). In this case, the 2 lines (in debian/
Also, we're coming to the question: what's worth more? Again copying the long d/changelog description about remaining changes only for the 2 above mentioned changes lines, or just describing that it's a non-standard merge? In the next development cycle we can do a normal merge of iptables from Debian unstable, including the mentioned remaining changes in d/changelog.
Sorry for the misunderstanding, but I'm preparing such a 'fake/non-standard' merge for the first time. I'm not sure whether there is documentation for it.
BTW, the whole changes can be dropped while merging the current iptables from Debian unstable.
Dimitri John Ledkov (xnox) wrote:
"review: Resubmit" -> means that "ari-tczew" has reviewed this proposal and says that submitter should resubmit this merge proposal again using resubmit button on top of the merge proposal.....
Imho, it's ok to do this; it's just that it's a "cherry-pick".
"Cherry-pick changes from Debian upload 1.4.18-1.1 to fix FTBFS" would be more appropriate. Seems reasonable to pick up all of these fixes for saucy.
Preview Diff
1 | === modified file 'debian/changelog' |
2 | --- debian/changelog 2013-06-07 09:50:09 +0000 |
3 | +++ debian/changelog 2013-09-26 17:47:06 +0000 |
4 | @@ -1,3 +1,33 @@ |
5 | +iptables (1.4.18-1.1ubuntu1) saucy; urgency=low |
6 | + |
7 | + * Merge changes from Debian, version 1.4.18-1.1 to fix FTBFS |
8 | + in package perlipq due to missing dependecy: (LP: #1228525) |
9 | + - debian/control |
10 | + - debian/iptables-dev.install |
11 | + * Fix unresolved @PACKAGE_VERSION@ in manpage. Cherry-pick from |
12 | + Debian, version 1.4.20-2: (LP: #1134554) |
13 | + - debian/iptables.install |
14 | + - debian/iptables.manpages |
15 | + - debian/nfnl_osf.8 |
16 | + - 0201-iptables-xml_man_section.patch |
17 | + * Fix incorrectly calling setsockopt, cherry-pick: (LP: #1187177) |
18 | + - debian/patches/calling-setsockopt-incorrectly.patch |
19 | + |
20 | + -- Artur Rona <ari-tczew@tlen.pl> Fri, 20 Sep 2013 00:26:08 +0200 |
21 | + |
22 | +iptables (1.4.18-1.1) unstable; urgency=low |
23 | + |
24 | + [ gregor herrmann ] |
25 | + * Fix "libipq.h includes non-existing linux/netfilter_ipv4/ip_queue.h": |
26 | + ship /usr/include/linux/netfilter_ipv4/ip_queue.h in iptables-dev; |
27 | + add Breaks on linux-libc-dev << 3.5 |
28 | + (Closes: #707535) |
29 | + |
30 | + [ Dominic Hargreaves ] |
31 | + * Non-maintainer upload |
32 | + |
33 | + -- Dominic Hargreaves <dom@earth.li> Sat, 13 Jul 2013 16:09:01 +0100 |
34 | + |
35 | iptables (1.4.18-1ubuntu1) saucy; urgency=low |
36 | |
37 | [ Chris J Arges ] |
38 | |
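Review bot: The first bullet of the 1.4.18-1.1ubuntu1 entry misspells "dependency" as "dependecy", and the third bullet ("Fix incorrectly calling setsockopt") does not match what the referenced patch says about itself: its Description field reads "Add locking to prevent concurrent instances" and it adds a -w/--wait option. Because that patch changes default behaviour (iptables now exits when the lock is held), the changelog should say so plainly, for example "Add xtables lock and -w/--wait option to prevent concurrent instances".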
39 | === modified file 'debian/control' |
40 | --- debian/control 2013-06-07 09:50:09 +0000 |
41 | +++ debian/control 2013-09-26 17:47:06 +0000 |
42 | @@ -34,6 +34,7 @@ |
43 | Priority: optional |
44 | Depends: ${misc:Depends}, iptables (=${binary:Version}) |
45 | Conflicts: iptables (<<1.4.2-2) |
46 | +Breaks: linux-libc-dev (<< 3.5) |
47 | Section: devel |
48 | Description: iptables development files |
49 | iptables is used to setup, maintain, and inspect the tables of |
50 | |
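Review bot: The added "Breaks: linux-libc-dev (<< 3.5)" has no matching Replaces. debian/iptables-dev.install now installs include/linux/netfilter_ipv4/ip_queue.h into usr/include/linux/netfilter_ipv4/, and if the broken linux-libc-dev versions ship a file at that path, dpkg can refuse to unpack iptables-dev with a file-overwrite error while the old package is still unpacked. Confirm whether those versions own the path and, if they do, add "Replaces: linux-libc-dev (<< 3.5)" next to the Breaks.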
51 | === modified file 'debian/iptables-dev.install' |
52 | --- debian/iptables-dev.install 2013-06-07 09:50:09 +0000 |
53 | +++ debian/iptables-dev.install 2013-09-26 17:47:06 +0000 |
54 | @@ -1,4 +1,5 @@ |
55 | usr/include |
56 | lib/lib*.so |
57 | lib/pkgconfig usr/lib |
58 | +include/linux/netfilter_ipv4/ip_queue.h usr/include/linux/netfilter_ipv4/ |
59 | howtos/netfilter*html usr/share/doc/iptables-dev/html |
60 | |
61 | === modified file 'debian/iptables.install' |
62 | --- debian/iptables.install 2013-06-07 09:50:09 +0000 |
63 | +++ debian/iptables.install 2013-09-26 17:47:06 +0000 |
64 | @@ -5,4 +5,6 @@ |
65 | lib/xtables |
66 | iptables/iptables-apply usr/sbin |
67 | iptables/iptables.xslt usr/share/iptables |
68 | +usr/share/man/man8 |
69 | +usr/share/man/man1 |
70 | howtos/NAT*html debian/tmp/howtos/packet*html usr/share/doc/iptables/html |
71 | |
72 | === modified file 'debian/iptables.manpages' |
73 | --- debian/iptables.manpages 2012-10-28 09:40:00 +0000 |
74 | +++ debian/iptables.manpages 2013-09-26 17:47:06 +0000 |
75 | @@ -1,3 +1,2 @@ |
76 | iptables/*.8 |
77 | -iptables/*.1 |
78 | -utils/*.8 |
79 | +debian/*.8 |
80 | |
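Review bot: Dropping iptables/*.1 and utils/*.8 in favour of debian/*.8 means the section 1 pages are no longer installed through dh_installman; they now depend on the upstream install step placing them under usr/share/man/man1, which debian/iptables.install picks up. Please check that the built package still contains iptables-xml.1 (the page that 0201-iptables-xml_man_section.patch moves to section 1). The debian/*.8 glob will also install any .8 file later dropped into debian/, so listing debian/nfnl_osf.8 by name would be safer.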
81 | === added file 'debian/nfnl_osf.8' |
82 | --- debian/nfnl_osf.8 1970-01-01 00:00:00 +0000 |
83 | +++ debian/nfnl_osf.8 2013-09-26 17:47:06 +0000 |
84 | @@ -0,0 +1,80 @@ |
85 | +.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) |
86 | +.\" |
87 | +.\" Standard preamble: |
88 | +.\" ======================================================================== |
89 | +.de Sp \" Vertical space (when we can't use .PP) |
90 | +.if t .sp .5v |
91 | +.if n .sp |
92 | +.. |
93 | +.de Vb \" Begin verbatim text |
94 | +.ft CW |
95 | +.nf |
96 | +.ne \\$1 |
97 | +.. |
98 | +.de Ve \" End verbatim text |
99 | +.ft R |
100 | +.fi |
101 | +.. |
102 | +.\" Set up some character translations and predefined strings. \*(-- will |
103 | +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
104 | +.\" double quote, and \*(R" will give a right double quote. \*(C+ will |
105 | +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
106 | +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
107 | +.\" nothing in troff, for use with C<>. |
108 | +.tr \(*W- |
109 | +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
110 | +.ie n \{\ |
111 | +. ds -- \(*W- |
112 | +. ds PI pi |
113 | +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
114 | +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
115 | +. ds L" "" |
116 | +. ds R" "" |
117 | +. ds C` "" |
118 | +. ds C' "" |
119 | +'br\} |
120 | +.el\{\ |
121 | +. ds -- \|\(em\| |
122 | +. ds PI \(*p |
123 | +. ds L" `` |
124 | +. ds R" '' |
125 | +'br\} |
126 | +.\" |
127 | +.\" Escape single quotes in literal strings from groff's Unicode transform. |
128 | +.ie \n(.g .ds Aq \(aq |
129 | +.el .ds Aq ' |
130 | +.\" |
131 | +.\" If the F register is turned on, we'll generate index entries on stderr for |
132 | +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
133 | +.\" entries marked with X<> in POD. Of course, you'll have to process the |
134 | +.\" output yourself in some meaningful fashion. |
135 | +.ie \nF \{\ |
136 | +. de IX |
137 | +. tm Index:\\$1\t\\n%\t"\\$2" |
138 | +.. |
139 | +. nr % 0 |
140 | +. rr F |
141 | +.\} |
142 | +.el \{\ |
143 | +. de IX |
144 | +.. |
145 | +.\} |
146 | +.\" ======================================================================== |
147 | +.\" |
148 | +.IX Title "NFNL_OSF 8" |
149 | +.TH NFNL_OSF 8 "2012-10-27" "nfnl_osf" "nfnl_osf" |
150 | +.\" For nroff, turn off justification. Always turn off hyphenation; it makes |
151 | +.\" way too many mistakes in technical documents. |
152 | +.if n .ad l |
153 | +.nh |
154 | +.SH "NAME" |
155 | +nfnl_osf \- load and unload os fingerprint database |
156 | +.SH "SYNOPSIS" |
157 | +.IX Header "SYNOPSIS" |
158 | +load and unload osf fingerprint database for the netfilter osf extension |
159 | +.SH "DESCRIPTION" |
160 | +.IX Header "DESCRIPTION" |
161 | +nffl_osf has no official man page. Look at the osf module in \fB\f(BIiptables\-extensions\fB\|(8)\fR for more information. |
162 | +.SH "SEE ALSO" |
163 | +.IX Header "SEE ALSO" |
164 | +\&\fIiptables\-extensions\fR\|(8) |
165 | |
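Review bot: The DESCRIPTION section spells the tool "nffl_osf"; it should read nfnl_osf to match NAME and the .TH line. The SYNOPSIS section holds a sentence of description rather than a command line, and the header comment says the file was generated by Pod::Man, yet no POD source is added in this diff, so there is nothing to regenerate the page from. Either ship the .pod and generate the page at build time, or drop the "Automatically generated" preamble and maintain the roff by hand.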
166 | === added file 'debian/patches/0201-iptables-xml_man_section.patch' |
167 | --- debian/patches/0201-iptables-xml_man_section.patch 1970-01-01 00:00:00 +0000 |
168 | +++ debian/patches/0201-iptables-xml_man_section.patch 2013-09-26 17:47:06 +0000 |
169 | @@ -0,0 +1,8 @@ |
170 | +--- a/iptables/iptables-xml.1 |
171 | ++++ b/iptables/iptables-xml.1 |
172 | +@@ -1,4 +1,4 @@ |
173 | +-.TH IPTABLES-XML 8 "Jul 16, 2007" "" "" |
174 | ++.TH IPTABLES-XML 1 "Jul 16, 2007" "" "" |
175 | + .\" |
176 | + .\" Man page written by Sam Liddicott <azez@ufomechanic.net> |
177 | + .\" It is based on the iptables-save man page. |
178 | |
179 | === added file 'debian/patches/calling-setsockopt-incorrectly.patch' |
180 | --- debian/patches/calling-setsockopt-incorrectly.patch 1970-01-01 00:00:00 +0000 |
181 | +++ debian/patches/calling-setsockopt-incorrectly.patch 2013-09-26 17:47:06 +0000 |
182 | @@ -0,0 +1,338 @@ |
183 | +From: Artur Rona <ari-tczew@tlen.pl> |
184 | +Description: Add locking to prevent concurrent instances. |
185 | +Bug-Ubuntu: https://launchpad.net/bugs/1187177 |
186 | +Bug-Debian: http://bugs.debian.org/710997 |
187 | +Origin: upstream, http://git.netfilter.org/iptables/commit/?id=93587a04d0f2511e108bbc4d87a8b9d28a5c5dd8 |
188 | + http://git.netfilter.org/iptables/commit/?id=d7aeda5ed45ac7ca959f12180690caa371b5b14b |
189 | +Author: Phil Oester <kernel@linuxace.com>, |
190 | + Pablo Neira Ayuso <pablo@netfilter.org> |
191 | + |
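Review bot: The DEP-3 header names two different authors: From: gives Artur Rona while Author: lists Phil Oester and Pablo Neira Ayuso, and DEP-3 treats From and Author as the same field. Keep the upstream authors in Author: and drop From:, recording the backporter in the changelog instead. The file name calling-setsockopt-incorrectly.patch also disagrees with the Description, "Add locking to prevent concurrent instances"; naming the file after the locking change, with a numeric prefix like the other entries in debian/patches/series, would make the series easier to audit.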
192 | +diff -pruN -x '*~' iptables-1.4.18.orig/include/ip6tables.h iptables-1.4.18/include/ip6tables.h |
193 | +--- iptables-1.4.18.orig/include/ip6tables.h 2013-03-03 22:40:11.000000000 +0100 |
194 | ++++ iptables-1.4.18/include/ip6tables.h 2013-09-21 09:59:39.000000000 +0200 |
195 | +@@ -8,7 +8,7 @@ |
196 | + |
197 | + /* Your shared library should call one of these. */ |
198 | + extern int do_command6(int argc, char *argv[], char **table, |
199 | +- struct xtc_handle **handle); |
200 | ++ struct xtc_handle **handle, bool restore); |
201 | + |
202 | + extern int for_each_chain6(int (*fn)(const xt_chainlabel, int, struct xtc_handle *), int verbose, int builtinstoo, struct xtc_handle *handle); |
203 | + extern int flush_entries6(const xt_chainlabel chain, int verbose, struct xtc_handle *handle); |
204 | +diff -pruN -x '*~' iptables-1.4.18.orig/include/iptables.h iptables-1.4.18/include/iptables.h |
205 | +--- iptables-1.4.18.orig/include/iptables.h 2013-03-03 22:40:11.000000000 +0100 |
206 | ++++ iptables-1.4.18/include/iptables.h 2013-09-21 09:59:39.000000000 +0200 |
207 | +@@ -8,7 +8,7 @@ |
208 | + |
209 | + /* Your shared library should call one of these. */ |
210 | + extern int do_command4(int argc, char *argv[], char **table, |
211 | +- struct xtc_handle **handle); |
212 | ++ struct xtc_handle **handle, bool restore); |
213 | + extern int delete_chain4(const xt_chainlabel chain, int verbose, |
214 | + struct xtc_handle *handle); |
215 | + extern int flush_entries4(const xt_chainlabel chain, int verbose, |
216 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables.8.in iptables-1.4.18/iptables/ip6tables.8.in |
217 | +--- iptables-1.4.18.orig/iptables/ip6tables.8.in 2013-03-03 22:40:11.000000000 +0100 |
218 | ++++ iptables-1.4.18/iptables/ip6tables.8.in 2013-09-21 09:59:19.000000000 +0200 |
219 | +@@ -363,6 +363,13 @@ For appending, insertion, deletion and r |
220 | + detailed information on the rule or rules to be printed. \fB\-v\fP may be |
221 | + specified multiple times to possibly emit more detailed debug statements. |
222 | + .TP |
223 | ++\fB\-w\fP, \fB\-\-wait\fP |
224 | ++Wait for the xtables lock. |
225 | ++To prevent multiple instances of the program from running concurrently, |
226 | ++an attempt will be made to obtain an exclusive lock at launch. By default, |
227 | ++the program will exit if the lock cannot be obtained. This option will |
228 | ++make the program wait until the exclusive lock can be obtained. |
229 | ++.TP |
230 | + \fB\-n\fP, \fB\-\-numeric\fP |
231 | + Numeric output. |
232 | + IP addresses and port numbers will be printed in numeric format. |
233 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables.c iptables-1.4.18/iptables/ip6tables.c |
234 | +--- iptables-1.4.18.orig/iptables/ip6tables.c 2013-03-03 22:40:11.000000000 +0100 |
235 | ++++ iptables-1.4.18/iptables/ip6tables.c 2013-09-21 09:59:39.000000000 +0200 |
236 | +@@ -102,6 +102,7 @@ static struct option original_opts[] = { |
237 | + {.name = "numeric", .has_arg = 0, .val = 'n'}, |
238 | + {.name = "out-interface", .has_arg = 1, .val = 'o'}, |
239 | + {.name = "verbose", .has_arg = 0, .val = 'v'}, |
240 | ++ {.name = "wait", .has_arg = 0, .val = 'w'}, |
241 | + {.name = "exact", .has_arg = 0, .val = 'x'}, |
242 | + {.name = "version", .has_arg = 0, .val = 'V'}, |
243 | + {.name = "help", .has_arg = 2, .val = 'h'}, |
244 | +@@ -257,6 +258,7 @@ exit_printhelp(const struct xtables_rule |
245 | + " network interface name ([+] for wildcard)\n" |
246 | + " --table -t table table to manipulate (default: `filter')\n" |
247 | + " --verbose -v verbose mode\n" |
248 | ++" --wait -w wait for the xtables lock\n" |
249 | + " --line-numbers print line numbers when listing\n" |
250 | + " --exact -x expand numbers (display exact values)\n" |
251 | + /*"[!] --fragment -f match second or further fragments only\n"*/ |
252 | +@@ -1284,7 +1286,8 @@ static void command_match(struct iptable |
253 | + m->extra_opts, &m->option_offset); |
254 | + } |
255 | + |
256 | +-int do_command6(int argc, char *argv[], char **table, struct xtc_handle **handle) |
257 | ++int do_command6(int argc, char *argv[], char **table, |
258 | ++ struct xtc_handle **handle, bool restore) |
259 | + { |
260 | + struct iptables_command_state cs; |
261 | + struct ip6t_entry *e = NULL; |
262 | +@@ -1293,6 +1296,7 @@ int do_command6(int argc, char *argv[], |
263 | + struct in6_addr *smasks = NULL, *dmasks = NULL; |
264 | + |
265 | + int verbose = 0; |
266 | ++ bool wait = false; |
267 | + const char *chain = NULL; |
268 | + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; |
269 | + const char *policy = NULL, *newname = NULL; |
270 | +@@ -1328,7 +1332,7 @@ int do_command6(int argc, char *argv[], |
271 | + |
272 | + opts = xt_params->orig_opts; |
273 | + while ((cs.c = getopt_long(argc, argv, |
274 | +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:46", |
275 | ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvwnt:m:xc:g:46", |
276 | + opts, NULL)) != -1) { |
277 | + switch (cs.c) { |
278 | + /* |
279 | +@@ -1573,6 +1577,15 @@ int do_command6(int argc, char *argv[], |
280 | + verbose++; |
281 | + break; |
282 | + |
283 | ++ case 'w': |
284 | ++ if (restore) { |
285 | ++ xtables_error(PARAMETER_PROBLEM, |
286 | ++ "You cannot use `-w' from " |
287 | ++ "ip6tables-restore"); |
288 | ++ } |
289 | ++ wait = true; |
290 | ++ break; |
291 | ++ |
292 | + case 'm': |
293 | + command_match(&cs); |
294 | + break; |
295 | +@@ -1724,6 +1737,14 @@ int do_command6(int argc, char *argv[], |
296 | + "chain name `%s' too long (must be under %u chars)", |
297 | + chain, XT_EXTENSION_MAXNAMELEN); |
298 | + |
299 | ++ /* Attempt to acquire the xtables lock */ |
300 | ++ if (!restore && !xtables_lock(wait)) { |
301 | ++ fprintf(stderr, "Another app is currently holding the xtables lock. " |
302 | ++ "Perhaps you want to use the -w option?\n"); |
303 | ++ xtables_free_opts(1); |
304 | ++ exit(RESOURCE_PROBLEM); |
305 | ++ } |
306 | ++ |
307 | + /* only allocate handle if we weren't called with a handle */ |
308 | + if (!*handle) |
309 | + *handle = ip6tc_init(*table); |
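Review bot: The lock is skipped whenever restore is true, in the added condition "if (!restore && !xtables_lock(wait))", and ip6tables-restore.c passes true for that argument, so ip6tables-restore never takes the xtables lock at all. A restore can therefore still run concurrently with an ip6tables invocation that holds the lock, which is the situation the patch Description says it prevents. If the intent is only to avoid re-acquiring the lock for each restored line, take it once in ip6tables_restore_main before the rules are processed; the same applies to do_command4 and iptables-restore.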
310 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables-restore.c iptables-1.4.18/iptables/ip6tables-restore.c |
311 | +--- iptables-1.4.18.orig/iptables/ip6tables-restore.c 2013-03-03 22:40:11.000000000 +0100 |
312 | ++++ iptables-1.4.18/iptables/ip6tables-restore.c 2013-09-21 09:59:39.000000000 +0200 |
313 | +@@ -438,7 +438,7 @@ int ip6tables_restore_main(int argc, cha |
314 | + DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
315 | + |
316 | + ret = do_command6(newargc, newargv, |
317 | +- &newargv[2], &handle); |
318 | ++ &newargv[2], &handle, true); |
319 | + |
320 | + free_argv(); |
321 | + fflush(stdout); |
322 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/ip6tables-standalone.c iptables-1.4.18/iptables/ip6tables-standalone.c |
323 | +--- iptables-1.4.18.orig/iptables/ip6tables-standalone.c 2013-03-03 22:40:11.000000000 +0100 |
324 | ++++ iptables-1.4.18/iptables/ip6tables-standalone.c 2013-09-21 09:59:39.000000000 +0200 |
325 | +@@ -58,7 +58,7 @@ ip6tables_main(int argc, char *argv[]) |
326 | + init_extensions6(); |
327 | + #endif |
328 | + |
329 | +- ret = do_command6(argc, argv, &table, &handle); |
330 | ++ ret = do_command6(argc, argv, &table, &handle, false); |
331 | + if (ret) { |
332 | + ret = ip6tc_commit(handle); |
333 | + ip6tc_free(handle); |
334 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables.8.in iptables-1.4.18/iptables/iptables.8.in |
335 | +--- iptables-1.4.18.orig/iptables/iptables.8.in 2013-03-03 22:40:11.000000000 +0100 |
336 | ++++ iptables-1.4.18/iptables/iptables.8.in 2013-09-21 09:59:19.000000000 +0200 |
337 | +@@ -351,6 +351,13 @@ For appending, insertion, deletion and r |
338 | + detailed information on the rule or rules to be printed. \fB\-v\fP may be |
339 | + specified multiple times to possibly emit more detailed debug statements. |
340 | + .TP |
341 | ++\fB\-w\fP, \fB\-\-wait\fP |
342 | ++Wait for the xtables lock. |
343 | ++To prevent multiple instances of the program from running concurrently, |
344 | ++an attempt will be made to obtain an exclusive lock at launch. By default, |
345 | ++the program will exit if the lock cannot be obtained. This option will |
346 | ++make the program wait until the exclusive lock can be obtained. |
347 | ++.TP |
348 | + \fB\-n\fP, \fB\-\-numeric\fP |
349 | + Numeric output. |
350 | + IP addresses and port numbers will be printed in numeric format. |
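Review bot: The new -w text says the program "will exit if the lock cannot be obtained" but does not give the exit status, and does not mention that the option is rejected under iptables-restore (the 'w' case added to do_command4 raises PARAMETER_PROBLEM when restore is set). Script authors need both, so add a sentence for each. "At launch" is also slightly off: in do_command4 the lock attempt comes after option parsing, just before iptc_init.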
351 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables.c iptables-1.4.18/iptables/iptables.c |
352 | +--- iptables-1.4.18.orig/iptables/iptables.c 2013-03-03 22:40:11.000000000 +0100 |
353 | ++++ iptables-1.4.18/iptables/iptables.c 2013-09-21 09:59:39.000000000 +0200 |
354 | +@@ -99,6 +99,7 @@ static struct option original_opts[] = { |
355 | + {.name = "numeric", .has_arg = 0, .val = 'n'}, |
356 | + {.name = "out-interface", .has_arg = 1, .val = 'o'}, |
357 | + {.name = "verbose", .has_arg = 0, .val = 'v'}, |
358 | ++ {.name = "wait", .has_arg = 0, .val = 'w'}, |
359 | + {.name = "exact", .has_arg = 0, .val = 'x'}, |
360 | + {.name = "fragments", .has_arg = 0, .val = 'f'}, |
361 | + {.name = "version", .has_arg = 0, .val = 'V'}, |
362 | +@@ -251,6 +252,7 @@ exit_printhelp(const struct xtables_rule |
363 | + " network interface name ([+] for wildcard)\n" |
364 | + " --table -t table table to manipulate (default: `filter')\n" |
365 | + " --verbose -v verbose mode\n" |
366 | ++" --wait -w wait for the xtables lock\n" |
367 | + " --line-numbers print line numbers when listing\n" |
368 | + " --exact -x expand numbers (display exact values)\n" |
369 | + "[!] --fragment -f match second or further fragments only\n" |
370 | +@@ -1280,7 +1282,8 @@ static void command_match(struct iptable |
371 | + xtables_error(OTHER_PROBLEM, "can't alloc memory!"); |
372 | + } |
373 | + |
374 | +-int do_command4(int argc, char *argv[], char **table, struct xtc_handle **handle) |
375 | ++int do_command4(int argc, char *argv[], char **table, |
376 | ++ struct xtc_handle **handle, bool restore) |
377 | + { |
378 | + struct iptables_command_state cs; |
379 | + struct ipt_entry *e = NULL; |
380 | +@@ -1289,6 +1292,7 @@ int do_command4(int argc, char *argv[], |
381 | + struct in_addr *daddrs = NULL, *dmasks = NULL; |
382 | + |
383 | + int verbose = 0; |
384 | ++ bool wait = false; |
385 | + const char *chain = NULL; |
386 | + const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL; |
387 | + const char *policy = NULL, *newname = NULL; |
388 | +@@ -1324,7 +1328,7 @@ int do_command4(int argc, char *argv[], |
389 | + |
390 | + opts = xt_params->orig_opts; |
391 | + while ((cs.c = getopt_long(argc, argv, |
392 | +- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46", |
393 | ++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvwnt:m:xc:g:46", |
394 | + opts, NULL)) != -1) { |
395 | + switch (cs.c) { |
396 | + /* |
397 | +@@ -1567,6 +1571,15 @@ int do_command4(int argc, char *argv[], |
398 | + verbose++; |
399 | + break; |
400 | + |
401 | ++ case 'w': |
402 | ++ if (restore) { |
403 | ++ xtables_error(PARAMETER_PROBLEM, |
404 | ++ "You cannot use `-w' from " |
405 | ++ "iptables-restore"); |
406 | ++ } |
407 | ++ wait = true; |
408 | ++ break; |
409 | ++ |
410 | + case 'm': |
411 | + command_match(&cs); |
412 | + break; |
413 | +@@ -1721,6 +1734,14 @@ int do_command4(int argc, char *argv[], |
414 | + "chain name `%s' too long (must be under %u chars)", |
415 | + chain, XT_EXTENSION_MAXNAMELEN); |
416 | + |
417 | ++ /* Attempt to acquire the xtables lock */ |
418 | ++ if (!restore && !xtables_lock(wait)) { |
419 | ++ fprintf(stderr, "Another app is currently holding the xtables lock. " |
420 | ++ "Perhaps you want to use the -w option?\n"); |
421 | ++ xtables_free_opts(1); |
422 | ++ exit(RESOURCE_PROBLEM); |
423 | ++ } |
424 | ++ |
425 | + /* only allocate handle if we weren't called with a handle */ |
426 | + if (!*handle) |
427 | + *handle = iptc_init(*table); |
428 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables-restore.c iptables-1.4.18/iptables/iptables-restore.c |
429 | +--- iptables-1.4.18.orig/iptables/iptables-restore.c 2013-03-03 22:40:11.000000000 +0100 |
430 | ++++ iptables-1.4.18/iptables/iptables-restore.c 2013-09-21 09:59:39.000000000 +0200 |
431 | +@@ -438,7 +438,7 @@ iptables_restore_main(int argc, char *ar |
432 | + DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
433 | + |
434 | + ret = do_command4(newargc, newargv, |
435 | +- &newargv[2], &handle); |
436 | ++ &newargv[2], &handle, true); |
437 | + |
438 | + free_argv(); |
439 | + fflush(stdout); |
440 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/iptables-standalone.c iptables-1.4.18/iptables/iptables-standalone.c |
441 | +--- iptables-1.4.18.orig/iptables/iptables-standalone.c 2013-03-03 22:40:11.000000000 +0100 |
442 | ++++ iptables-1.4.18/iptables/iptables-standalone.c 2013-09-21 09:59:39.000000000 +0200 |
443 | +@@ -58,7 +58,7 @@ iptables_main(int argc, char *argv[]) |
444 | + init_extensions4(); |
445 | + #endif |
446 | + |
447 | +- ret = do_command4(argc, argv, &table, &handle); |
448 | ++ ret = do_command4(argc, argv, &table, &handle, false); |
449 | + if (ret) { |
450 | + ret = iptc_commit(handle); |
451 | + iptc_free(handle); |
452 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/xshared.c iptables-1.4.18/iptables/xshared.c |
453 | +--- iptables-1.4.18.orig/iptables/xshared.c 2013-03-03 22:40:11.000000000 +0100 |
454 | ++++ iptables-1.4.18/iptables/xshared.c 2013-09-21 09:59:19.000000000 +0200 |
455 | +@@ -6,9 +6,15 @@ |
456 | + #include <stdio.h> |
457 | + #include <stdlib.h> |
458 | + #include <string.h> |
459 | ++#include <sys/socket.h> |
460 | ++#include <sys/un.h> |
461 | ++#include <unistd.h> |
462 | + #include <xtables.h> |
463 | + #include "xshared.h" |
464 | + |
465 | ++#define XT_SOCKET_NAME "xtables" |
466 | ++#define XT_SOCKET_LEN 8 |
467 | ++ |
468 | + /* |
469 | + * Print out any special helps. A user might like to be able to add a --help |
470 | + * to the commandline, and see expected results. So we call help for all |
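Review bot: xtables_lock(), added further down in this file, uses offsetof(), but the includes added here are only <sys/socket.h>, <sys/un.h> and <unistd.h>; add <stddef.h> rather than relying on another header to pull it in. XT_SOCKET_LEN is also a hand-counted 8 (the leading NUL of the abstract address plus the seven characters of "xtables"); deriving it from the name, where sizeof(XT_SOCKET_NAME) gives the same value, would keep the two defines from drifting apart.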
471 | +@@ -236,3 +242,30 @@ void xs_init_match(struct xtables_match |
472 | + if (match->init != NULL) |
473 | + match->init(match->m); |
474 | + } |
475 | ++ |
476 | ++bool xtables_lock(bool wait) |
477 | ++{ |
478 | ++ int i = 0, ret, xt_socket; |
479 | ++ struct sockaddr_un xt_addr; |
480 | ++ |
481 | ++ memset(&xt_addr, 0, sizeof(xt_addr)); |
482 | ++ xt_addr.sun_family = AF_UNIX; |
483 | ++ strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME); |
484 | ++ xt_socket = socket(AF_UNIX, SOCK_STREAM, 0); |
485 | ++ /* If we can't even create a socket, fall back to prior (lockless) behavior */ |
486 | ++ if (xt_socket < 0) |
487 | ++ return true; |
488 | ++ |
489 | ++ while (1) { |
490 | ++ ret = bind(xt_socket, (struct sockaddr*)&xt_addr, |
491 | ++ offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN); |
492 | ++ if (ret == 0) |
493 | ++ return true; |
494 | ++ else if (wait == false) |
495 | ++ return false; |
496 | ++ if (++i % 2 == 0) |
497 | ++ fprintf(stderr, "Another app is currently holding the xtables lock; " |
498 | ++ "waiting for it to exit...\n"); |
499 | ++ sleep(1); |
500 | ++ } |
501 | ++} |
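Review bot: The lock is an abstract-namespace UNIX socket (sun_path+1, name "xtables"), and abstract names carry no ownership or permissions, so any unprivileged local process can bind that name and hold it; iptables without -w then exits, and with -w it loops in sleep(1) indefinitely. A lock that only root can take, such as flock() on a root-owned file under /run, would avoid that. Two smaller points in the loop: every bind() failure is treated as "lock held", so check for errno == EADDRINUSE and report other errors instead of retrying forever; and the descriptor is created without SOCK_CLOEXEC, so any child the process execs inherits the bound socket and keeps the lock after the parent exits.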
502 | +diff -pruN -x '*~' iptables-1.4.18.orig/iptables/xshared.h iptables-1.4.18/iptables/xshared.h |
503 | +--- iptables-1.4.18.orig/iptables/xshared.h 2013-03-03 22:40:11.000000000 +0100 |
504 | ++++ iptables-1.4.18/iptables/xshared.h 2013-09-21 09:59:19.000000000 +0200 |
505 | +@@ -2,6 +2,7 @@ |
506 | + #define IPTABLES_XSHARED_H 1 |
507 | + |
508 | + #include <limits.h> |
509 | ++#include <stdbool.h> |
510 | + #include <stdint.h> |
511 | + #include <netinet/in.h> |
512 | + #include <net/if.h> |
513 | +@@ -83,6 +84,7 @@ extern struct xtables_match *load_proto( |
514 | + extern int subcmd_main(int, char **, const struct subcommand *); |
515 | + extern void xs_init_target(struct xtables_target *); |
516 | + extern void xs_init_match(struct xtables_match *); |
517 | ++extern bool xtables_lock(bool wait); |
518 | + |
519 | + extern const struct xtables_afinfo *afinfo; |
520 | + |
521 | |
522 | === modified file 'debian/patches/series' |
523 | --- debian/patches/series 2013-06-07 09:50:09 +0000 |
524 | +++ debian/patches/series 2013-09-26 17:47:06 +0000 |
525 | @@ -1,6 +1,8 @@ |
526 | 0101-changelog.patch |
527 | 0102-add_manpages.patch |
528 | +0201-iptables-xml_man_section.patch |
529 | 0503-extension_cppflags.patch |
530 | 0504-configure_dccp_ipvs.patch |
531 | 9000-howtos.patch |
532 | 9002-libxt_recent-Add-support-for-reap-option.patch |
533 | +calling-setsockopt-incorrectly.patch |
Thanks for your work on this.
It seems you're not mentioning the Ubuntu changes from the last merge. Were they all dropped? Are they still relevant?
+ - debian/control: add linuxdoc-tools dep, remove libipq references
+ - debian/rules: compile with --disable-libipq
+ - 9000-howtos.patch: add howtos/ and install them
+ - 9002-libxt_recent-Add-support-for-reap-option.patch: Some changes are
+ upstream, patch needed for additional reap option checks.
+ - debian/iptables.install: install NAT and packetfilter howtos into
+ /usr/share/doc
+ - debian/iptables-dev.doc-base.netfilter-extensions,
+ debian/iptables-dev.doc-base.netfilter-hacking,
+ debian/iptables.doc-base.nat, debian/iptables.doc-base.packet-filter:
+ add howtos
+ - debian/iptables-dev.install: remove usr/share/man/man3 only used with
+ libipq manpages