author/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org>2005-04-05 08:03:33 +0000
committer/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org>2005-04-05 08:03:33 +0000
commit2a389d744d8957692eb7554402c1f99e161d8a71 (patch)
treef122ce6add56f8fabfd4fabd3dbc5309b4a9df79
parent98345bbd0ede53c5d17593262acf1f9ec236bf83 (diff)
ipset 2.1.1 released
-rw-r--r--ChangeLog9
-rw-r--r--Makefile6
-rw-r--r--ipset.82
-rw-r--r--ipset.c63
4 files changed, 64 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index e24b6f4..7305656 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2.1.1
+ - Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson)
+ - Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford
+ Wolf)
+ - Safety checkings of restore in ipset was incomplete (Robin H. Johnson)
+ - More careful resizing by avoiding locking completely
+ - stdin stored internally in a temporary file, so we can feed 'ipset -R'
+ from a pipe
+
2.1
- Lock debugging used with debugless lock definiton (Piotr Chytla and
others).
diff --git a/Makefile b/Makefile
index 6f0539b..39fe317 100644
--- a/Makefile
+++ b/Makefile
@@ -8,14 +8,14 @@ ifndef KERNEL_DIR
KERNEL_DIR=/usr/src/linux
endif
-IPSET_VERSION:=2.1.0
+IPSET_VERSION:=2.1.1
PREFIX:=/usr/local
LIBDIR:=$(PREFIX)/lib
BINDIR:=$(PREFIX)/sbin
MANDIR:=$(PREFIX)/man
INCDIR:=$(PREFIX)/include
-IPSET_LIB_DIR:=$(DESTDIR)$(LIBDIR)/ipset
+IPSET_LIB_DIR:=$(LIBDIR)/ipset
# directory for new iptables releases
RELEASE_DIR:=/tmp
@@ -35,7 +35,7 @@ all: $(PROGRAMS) $(SHARED_LIBS)
install: all $(INSTALL)
clean: $(EXTRA_CLEANS)
- rm -rf $(PROGRAMS) $(SHARED_LIBS) *.o
+ rm -rf $(PROGRAMS) $(SHARED_LIBS) *.o *~
#The ipset(8) self
ipset.o: ipset.c
diff --git a/ipset.8 b/ipset.8
index f2c2f02..663d282 100644
--- a/ipset.8
+++ b/ipset.8
@@ -117,7 +117,7 @@ is specified to stdout in a format that --restore can read.
.TP
.BI "-R, --restore "
Restore a saved session generated by --save. The saved session
-is read from stdin which is required to be rewindable.
+can be fed from stdin.
.TP
.BI "-A, --add " "\fIsetname\fP \fIIP\fP"
Add an IP to a set.
diff --git a/ipset.c b/ipset.c
index 5849892..a1697f3 100644
--- a/ipset.c
+++ b/ipset.c
@@ -11,9 +11,12 @@
#include <string.h>
#include <errno.h>
#include <time.h>
-#include <sys/socket.h>
#include <ctype.h>
#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
#include <arpa/inet.h>
#include <stdarg.h>
#include <netdb.h>
@@ -42,6 +45,8 @@ struct ip_set_restore *restore_set = NULL;
size_t restore_offset = 0, restore_size;
unsigned line = 0;
+#define TEMPFILE_PATTERN "/ipsetXXXXXX"
+
#ifdef IPSET_DEBUG
int option_debug = 0;
#endif
@@ -1220,10 +1225,44 @@ static void build_argv(int line, char *buffer) {
}
}
+static FILE *create_tempfile(void)
+{
+ char buffer[1024];
+ char *tmpdir = NULL;
+ char *filename;
+ int fd;
+ FILE *file;
+
+ if (!(tmpdir = getenv("TMPDIR")) && !(tmpdir = getenv("TMP")))
+ tmpdir = "/tmp";
+ filename = malloc(strlen(tmpdir) + strlen(TEMPFILE_PATTERN) + 1);
+ if (!filename)
+ exit_error(OTHER_PROBLEM, "Could not malloc temporary filename.");
+ strcpy(filename, tmpdir);
+ strcpy(filename, TEMPFILE_PATTERN);
+
+ (void) umask(077); /* Create with restrictive permissions */
+ fd = mkstemp(filename);
+ if (fd == -1)
+ exit_error(OTHER_PROBLEM, "Could not create temporary file.");
+ if (!(file = fdopen(fd, "r+")))
+ exit_error(OTHER_PROBLEM, "Could not open temporary file.");
+ if (unlink(filename) == -1)
+ exit_error(OTHER_PROBLEM, "Could not unlink temporary file.");
+ free(filename);
+
+ while (fgets(buffer, sizeof(buffer), stdin)) {
+ fputs(buffer, file);
+ }
+ fseek(file, 0L, SEEK_SET);
+
+ return file;
+}
+
/*
* Performs a restore from a file
*/
-static void set_restore(FILE *in, char *argv0)
+static void set_restore(char *argv0)
{
char buffer[1024];
char *ptr, *name = NULL;
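Review bot: `strcpy(filename, TEMPFILE_PATTERN);` in create_tempfile overwrites the directory that the preceding `strcpy(filename, tmpdir);` just stored, so the temporary file is always created as `/ipsetXXXXXX` in the root directory and TMPDIR/TMP are silently ignored; the second call should be `strcat(filename, TEMPFILE_PATTERN);`. mkstemp's O_EXCL creation plus the immediate unlink keep the file out of reach of symlink races, but `umask(077)` is changed process-wide and never restored, and the `fputs`/`fseek` results and `ferror(stdin)` are never checked, so a truncated copy of stdin would be restored without any error. A check such as `if (ferror(stdin) || fflush(file)) exit_error(OTHER_PROBLEM, "Could not copy stdin to temporary file.");` after the copy loop would close that gap. The body of set_restore continues past the end of this hunk.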
@@ -1232,8 +1271,12 @@ static void set_restore(FILE *in, char *argv0)
struct settype *settype = NULL;
struct ip_set_req_setnames *header;
ip_set_id_t index;
+ FILE *in;
int res;
+ /* Create and store stdin in temporary file */
+ in = create_tempfile();
+
/* Load existing sets from kernel */
load_set_list(IPSET_TOKEN_ALL, &index,
IP_SET_OP_LIST_SIZE, CMD_RESTORE);
@@ -1286,7 +1329,7 @@ static void set_restore(FILE *in, char *argv0)
exit_error(PARAMETER_PROBLEM,
"Missing settype in line %u\n",
line);
- if (restore)
+ if (bindings)
exit_error(PARAMETER_PROBLEM,
"Invalid line %u: create must precede bindings\n",
line);
@@ -1297,12 +1340,13 @@ static void set_restore(FILE *in, char *argv0)
break;
}
case 'A': {
- if (strncmp(name, ptr, sizeof(name)) != 0)
+ if (name == NULL
+ || strncmp(name, ptr, sizeof(name)) != 0)
exit_error(PARAMETER_PROBLEM,
"Add IP to set %s in line %u without "
"preceding corresponding create set line\n",
ptr, line);
- if (restore)
+ if (bindings)
exit_error(PARAMETER_PROBLEM,
"Invalid line %u: adding entries must precede bindings\n",
line);
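Review bot: `strncmp(name, ptr, sizeof(name))` on the new side of the 'A' case compares only sizeof(char *) bytes, because `name` is declared as `char *name = NULL` at the top of set_restore, so an add line whose set name merely shares its first 4 or 8 characters with the created set passes the check. The added NULL guard is correct, but the comparison should be `if (name == NULL || strcmp(name, ptr) != 0)`. The same pattern may be present in other cases of this switch that lie outside the hunk; the enclosing function starts and ends outside this hunk.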
@@ -1335,10 +1379,7 @@ static void set_restore(FILE *in, char *argv0)
restore_offset = sizeof(struct ip_set_req_setnames);
/* Rewind to scan the file again */
- res = fseek(in, 0L, SEEK_SET);
- if (res)
- exit_error(PARAMETER_PROBLEM,
- "Cannot rewind stdin: %s", strerror(errno));
+ fseek(in, 0L, SEEK_SET);
first_pass = line;
line = 0;
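Review bot: The rewind `fseek(in, 0L, SEEK_SET);` now discards its return value, where the removed lines aborted on failure; if it fails, the second pass reads nothing and the restore completes as if the input were empty. With `in` now a regular temporary file a failure is unlikely, but the check is cheap to keep: `if (fseek(in, 0L, SEEK_SET)) exit_error(OTHER_PROBLEM, "Cannot rewind temporary file: %s", strerror(errno));`. If `res`, declared near the top of set_restore, has no remaining user after this change it should be dropped too. The enclosing function continues outside the hunk.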
@@ -1848,8 +1889,6 @@ int parse_commandline(int argc, char *argv[])
unsigned options = 0;
int c;
- FILE *in = stdin; /* -R */
-
char *name = NULL; /* All except -H, -R */
char *newname = NULL; /* -E, -W */
char *adt = NULL; /* -A, -D, -T, -B, -U */
@@ -2110,7 +2149,7 @@ int parse_commandline(int argc, char *argv[])
break;
case CMD_RESTORE:
- set_restore(in, argv[0]);
+ set_restore(argv[0]);
break;
case CMD_ADD: