From 82862aa2714184ec0e2fe3a5b863c37b533e4c26 Mon Sep 17 00:00:00 2001
From: bixiaoyan
Date: Mon, 25 Mar 2024 10:31:12 +0800
Subject: [PATCH] portblock: accept numeric protocol from iptables
(cherry picked from commit 4ea808a7231747e4d348b817664de6cd313d3b9e)
---
 ...ccept-numeric-protocol-from-iptables.patch | 57 +++++++++++++++++++
 resource-agents.spec | 6 +-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 portblock-accept-numeric-protocol-from-iptables.patch
diff --git a/portblock-accept-numeric-protocol-from-iptables.patch b/portblock-accept-numeric-protocol-from-iptables.patch
new file mode 100644
index 0000000..f8ecfe3
--- /dev/null
+++ b/portblock-accept-numeric-protocol-from-iptables.patch
@@ -0,0 +1,57 @@
+From 420e591baa01aca8123cfce9bff3f612a816786e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
+
+Date: Wed, 20 Mar 2024 16:42:08 +0100
+Subject: [PATCH] portblock: accept numeric protocol from iptables
+
+Usually, using the "-n" flag with "iptables -L" will only enable numeric
+display for hosts and port numbers. Protocols are unaffected and are
+still shown as "tcp" or "udp", which we rely on in the portblock agent.
+
+iptables version 1.8.9 ships with a regression that breaks this format,
+displaying the numeric value of the protocol instead. See this bug
+report for more: https://bugzilla.netfilter.org/show_bug.cgi?id=1729
+
+The issue was fixed in the 1.8.10 release, but some distributions
+(notably, Debian Bookworm and Fedora 39) have shipped 1.8.9,
+effectively breaking the portblock agent.
+
+Since both formats are now in use in the wild, we must work around this
+in the resource agent by allowing both the numeric and string
+representation of the protocol.
+---
+ heartbeat/portblock | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/heartbeat/portblock b/heartbeat/portblock
+index 06fcc194..7b9f5ca3 100755
+--- a/heartbeat/portblock
++++ b/heartbeat/portblock
+@@ -266,7 +266,14 @@ active_grep_pat()
+ local src=$3
+ local dst=$any
+ fi
+- echo "^DROP${w}${1}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
++ # iptables 1.8.9 briefly broke the output format, returning the
++ # numeric protocol value instead of a string. Support both variants.
++ if [ "$1" = "tcp" ]; then
++ local prot="(tcp|6)"
++ else
++ local prot="(udp|17)"
++ fi
++ echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
+ }
+
+ #chain_isactive {udp|tcp} portno,portno ip chain
+@@ -274,7 +281,7 @@ chain_isactive()
+ {
+ [ "$4" = "OUTPUT" ] && ds="s" || ds="d"
+ PAT=$(active_grep_pat "$1" "$2" "$3" "$ds")
+- $IPTABLES $wait -n -L "$4" | grep "$PAT" >/dev/null
++ $IPTABLES $wait -n -L "$4" | grep -qE "$PAT"
+ }
+
+ # netstat -tn and ss -Htn, split on whitespace and colon,
+--
+2.25.1
+
diff --git a/resource-agents.spec b/resource-agents.spec
index 53660af..1f01bf9 100644
--- a/resource-agents.spec
+++ b/resource-agents.spec
@@ -1,7 +1,7 @@
 Name: resource-agents
 Summary: Open Source HA Reusable Cluster Resource Scripts
 Version: 4.13.0
-Release: 10
+Release: 11
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/resource-agents
 Source0: https://github.com/ClusterLabs/resource-agents/archive/v%{version}.tar.gz
@@ -15,6 +15,7 @@ Patch0006: Don-t-build-with-ansi-by-default.patch
 Patch0007: Fix-docker-RA-behavior-when-Docker-isn-t-running.patch
 Patch0008: Low-IPaddr2-Remove-stray-backslash.patch
 Patch0009: Doc-Delay-Drop-old-comments.patch
+Patch0010: portblock-accept-numeric-protocol-from-iptables.patch
 Obsoletes: heartbeat-resources <= %{version}
 Provides: heartbeat-resources = %{version}
 BuildRequires: automake autoconf pkgconfig gcc perl-interpreter perl-generators python3-devel
@@ -112,6 +113,9 @@ export CFLAGS="$(echo '%{optflags}')"
 %{_mandir}/man8/{ocf-tester.8*,ldirectord.8*}
 %changelog
+* Mon Mar 25 2024 bixiaoyan - 4.13.0-11
+- portblock: accept numeric protocol from iptables
+
 * Thu Mar 14 2024 zouzhimin - 4.13.0-10
 - Doc: Delay: Drop old comments
-- Gitee
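Review bot: `grep -qE` in chain_isactive turns the whole of `$PAT` into an extended regex, not only the new `(tcp|6)` / `(udp|17)` alternation, so `${w}`, `$any` and the `$src`/`$dst`/`$2` values interpolated by active_grep_pat must not rely on BRE-only escapes such as `\+` or `\{n\}`; `${w}` and `$any` are defined before this hunk (active_grep_pat starts outside it), so that needs a check there. The `else` branch maps every value other than "tcp" to the udp pattern, whereas the removed `echo` used `${1}` verbatim; under the `{udp|tcp}` contract in the chain_isactive comment this is probably harmless, but a `case` that keeps the verbatim value for anything unexpected preserves the old behaviour and makes the accepted values explicit, as below. The `*)` arm must still echo a pattern, because an empty `$PAT` would make `grep -qE ""` match every line and report the chain as active. A one-line comment on the grep change, e.g. `# -E: the protocol field of PAT is now an ERE alternation`, would tie the flag change to the pattern change for the next reader.
```shell
	# … unchanged: src/dst selection …
	# iptables 1.8.9 briefly broke the output format, returning the
	# numeric protocol value instead of a string. Support both variants.
	case "$1" in
		tcp) local prot="(tcp|6)" ;;
		udp) local prot="(udp|17)" ;;
		*)   local prot="$1" ;;  # unexpected value: match it verbatim, as before
	esac
	echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
```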