ipset 2.1.1 released
author/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org>
Tue, 5 Apr 2005 08:03:33 +0000 (08:03 +0000)
committer/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org>
Tue, 5 Apr 2005 08:03:33 +0000 (08:03 +0000)
ChangeLog
Makefile
ipset.8
ipset.c

index e24b6f4a685ba3f347b85218315d9e647a53c8d3..73056566b2224700c23ee8f568771e19a72916ab 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2.1.1
+ - Locking bug in ip_set_nethash.c (Clifford Wolf and Rob Carlson)
+ - Makefile contained an unnecessary variable in IPSET_LIB_DIR (Clifford
+   Wolf)
+ - Safety checkings of restore in ipset was incomplete (Robin H. Johnson)
+ - More careful resizing by avoiding locking completely
+ - stdin stored internally in a temporary file, so we can feed 'ipset -R'
+   from a pipe
+
 2.1
  - Lock debugging used with debugless lock definiton (Piotr Chytla and
    others).
index 6f0539beb37407874bebf5c9f6c3c77d1e397ee8..39fe31763426eeaf6af3d4564b3ebf88a85899d9 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -8,14 +8,14 @@ ifndef KERNEL_DIR
 KERNEL_DIR=/usr/src/linux
 endif
 
-IPSET_VERSION:=2.1.0
+IPSET_VERSION:=2.1.1
 
 PREFIX:=/usr/local
 LIBDIR:=$(PREFIX)/lib
 BINDIR:=$(PREFIX)/sbin
 MANDIR:=$(PREFIX)/man
 INCDIR:=$(PREFIX)/include
-IPSET_LIB_DIR:=$(DESTDIR)$(LIBDIR)/ipset
+IPSET_LIB_DIR:=$(LIBDIR)/ipset
 
 # directory for new iptables releases
 RELEASE_DIR:=/tmp
@@ -35,7 +35,7 @@ all: $(PROGRAMS) $(SHARED_LIBS)
 install: all $(INSTALL)
 
 clean: $(EXTRA_CLEANS)
-       rm -rf $(PROGRAMS) $(SHARED_LIBS) *.o
+       rm -rf $(PROGRAMS) $(SHARED_LIBS) *.o *~
 
 #The ipset(8) self
 ipset.o: ipset.c
diff --git a/ipset.8 b/ipset.8
index f2c2f0208cb92f76b93c0315ed328b04463081d9..663d282f481eb27aa837f7351fe1a2fdb0f9f4bb 100644 (file)
--- a/ipset.8
+++ b/ipset.8
@@ -117,7 +117,7 @@ is specified to stdout in a format that --restore can read.
 .TP
 .BI "-R, --restore "
 Restore a saved session generated by --save. The saved session
-is read from stdin which is required to be rewindable.
+can be fed from stdin.
 .TP
 .BI "-A, --add " "\fIsetname\fP \fIIP\fP"
 Add an IP to a set.
diff --git a/ipset.c b/ipset.c
index 58498923c2bfda8b69344ff83b87e2c20efc8f96..a1697f374f86151c503e389dbcf75d0113d25a01 100644 (file)
--- a/ipset.c
+++ b/ipset.c
 #include <string.h>
 #include <errno.h>
 #include <time.h>
-#include <sys/socket.h>
 #include <ctype.h>
 #include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
 #include <arpa/inet.h>
 #include <stdarg.h>
 #include <netdb.h>
@@ -42,6 +45,8 @@ struct ip_set_restore *restore_set = NULL;
 size_t restore_offset = 0, restore_size;
 unsigned line = 0;
 
+#define TEMPFILE_PATTERN       "/ipsetXXXXXX"
+
 #ifdef IPSET_DEBUG
 int option_debug = 0;
 #endif
@@ -1220,10 +1225,44 @@ static void build_argv(int line, char *buffer) {
        }
 }
 
+static FILE *create_tempfile(void)
+{
+       char buffer[1024];      
+       char *tmpdir = NULL;
+       char *filename;
+       int fd;
+       FILE *file;
+       
+       if (!(tmpdir = getenv("TMPDIR")) && !(tmpdir = getenv("TMP")))
+               tmpdir = "/tmp";
+       filename = malloc(strlen(tmpdir) + strlen(TEMPFILE_PATTERN) + 1);
+       if (!filename)
+               exit_error(OTHER_PROBLEM, "Could not malloc temporary filename.");
+       strcpy(filename, tmpdir);
+       strcpy(filename, TEMPFILE_PATTERN);
+       
+       (void) umask(077);      /* Create with restrictive permissions */
+       fd = mkstemp(filename);
+       if (fd == -1)
+               exit_error(OTHER_PROBLEM, "Could not create temporary file.");
+       if (!(file = fdopen(fd, "r+")))
+               exit_error(OTHER_PROBLEM, "Could not open temporary file.");
+       if (unlink(filename) == -1)
+               exit_error(OTHER_PROBLEM, "Could not unlink temporary file.");
+       free(filename);
+
+       while (fgets(buffer, sizeof(buffer), stdin)) {
+               fputs(buffer, file);
+       }
+       fseek(file, 0L, SEEK_SET);
+
+       return file;
+}
+
 /*
  * Performs a restore from a file
  */
-static void set_restore(FILE *in, char *argv0)
+static void set_restore(char *argv0)
 {
        char buffer[1024];      
        char *ptr, *name = NULL;
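Review bot: In create_tempfile the second `strcpy(filename, TEMPFILE_PATTERN);` overwrites the directory copied on the line before, so mkstemp() always receives `/ipsetXXXXXX` and the TMPDIR/TMP/`/tmp` selection has no effect; the file lands in the root directory and creation fails wherever `/` is not writable. The second call should append instead: `strcat(filename, TEMPFILE_PATTERN);`. The copy loop also ignores the results of `fputs` and `fseek`, as does the now-unchecked rewind `fseek(in, 0L, SEEK_SET);` in the later set_restore hunk, so a full filesystem would leave a truncated copy that is restored as if it were complete. Testing `ferror(file)` after the loop and keeping an `exit_error` on a failed seek would surface that. The set_restore body that starts at the end of this hunk continues outside it.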
@@ -1232,8 +1271,12 @@ static void set_restore(FILE *in, char *argv0)
        struct settype *settype = NULL;
        struct ip_set_req_setnames *header;
        ip_set_id_t index;
+       FILE *in;
        int res;
        
+       /* Create and store stdin in temporary file */
+       in = create_tempfile();
+       
        /* Load existing sets from kernel */
        load_set_list(IPSET_TOKEN_ALL, &index,
                      IP_SET_OP_LIST_SIZE, CMD_RESTORE);
@@ -1286,7 +1329,7 @@ static void set_restore(FILE *in, char *argv0)
                                exit_error(PARAMETER_PROBLEM,
                                           "Missing settype in line %u\n",
                                           line);
-                       if (restore)
+                       if (bindings)
                                exit_error(PARAMETER_PROBLEM,
                                           "Invalid line %u: create must precede bindings\n",
                                           line);
@@ -1297,12 +1340,13 @@ static void set_restore(FILE *in, char *argv0)
                        break; 
                }
                case 'A': {
-                       if (strncmp(name, ptr, sizeof(name)) != 0)
+                       if (name == NULL
+                           || strncmp(name, ptr, sizeof(name)) != 0)
                                exit_error(PARAMETER_PROBLEM,
                                           "Add IP to set %s in line %u without "
                                           "preceding corresponding create set line\n",
                                           ptr, line);
-                       if (restore)
+                       if (bindings)
                                exit_error(PARAMETER_PROBLEM,
                                           "Invalid line %u: adding entries must precede bindings\n",
                                           line);
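Review bot: The added `name == NULL` guard still leaves `strncmp(name, ptr, sizeof(name))` comparing only a pointer's worth of bytes, because `name` is declared as `char *` at the top of set_restore and `sizeof(name)` is therefore 4 or 8 rather than a name length. Two set names that share that prefix would pass this check, so an add line could be accepted against the wrong preceding create line. If `ptr` is a NUL-terminated token at this point (its parsing is outside the hunk), `|| strcmp(name, ptr) != 0)` compares the whole name. The surrounding switch in set_restore starts and ends outside this hunk, so other cases may need the same look.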
@@ -1335,10 +1379,7 @@ static void set_restore(FILE *in, char *argv0)
        restore_offset = sizeof(struct ip_set_req_setnames);
 
        /* Rewind to scan the file again */
-       res = fseek(in, 0L, SEEK_SET);
-       if (res)
-               exit_error(PARAMETER_PROBLEM,
-                          "Cannot rewind stdin: %s", strerror(errno));
+       fseek(in, 0L, SEEK_SET);
        first_pass = line;
        line = 0;
        
@@ -1848,8 +1889,6 @@ int parse_commandline(int argc, char *argv[])
        unsigned options = 0;
        int c;
        
-       FILE *in = stdin;               /* -R */
-
        char *name = NULL;              /* All except -H, -R */
        char *newname = NULL;           /* -E, -W */
        char *adt = NULL;               /* -A, -D, -T, -B, -U */
@@ -2110,7 +2149,7 @@ int parse_commandline(int argc, char *argv[])
                break;
 
        case CMD_RESTORE:
-               set_restore(in, argv[0]);
+               set_restore(argv[0]);
                break;
 
        case CMD_ADD: