* ipset socket not closed
From: krunal patel @ 2010-05-14 16:23 UTC
To: netfilter-devel
Hi,
I found a bug in libipt_set.h. When iptables communicates with ipset,
a socket is created but not closed. I wanted to apply more than 700
iptables rules in one shot and all have the -m set option. I did
iptables-restore and found the error "Can't open socket to ipset."
After closing the socket I am able to do iptables-restore.
patch:
--- iptables-1.4.2/extensions/libipt_set.h 2010-05-14
18:32:50.000000000 +0530
+++ iptables-1.4.2/extensions/libipt_set.h 2010-05-14
18:44:49.000000000 +0530
@@ -41,13 +41,14 @@
static int get_set_getsockopt(void *data, socklen_t * size)
{
- int sockfd = -1;
+ int sockfd = -1, res = -1;
sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sockfd < 0)
exit_error(OTHER_PROBLEM,
"Can't open socket to ipset.\n");
/* Send! */
- return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+ return res;
}
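Review bot: the descriptor returned by socket() is still never released in this hunk. The added lines store the getsockopt() result in res and return it, but there is no close(sockfd) between them, so each call to get_set_getsockopt() keeps leaking one raw socket, which matches the "Can't open socket to ipset." failure reported for a large restore. Add close(sockfd); after the getsockopt() call and before return res;. The = -1 initialiser on res is also unnecessary, since res is assigned unconditionally before it is returned.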
Regards,
Krunal
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: ipset socket not closed
From: Jan Engelhardt @ 2010-05-14 18:34 UTC
To: krunal patel; +Cc: netfilter-devel
On Friday 2010-05-14 18:23, krunal patel wrote:
>Hi,
>I found a bug in libipt_set.h. When iptables communicates with ipset,
>a socket is created but not closed. I wanted to apply more than 700
>iptables rules in one shot and all have the -m set option. I did
>iptables-restore and found the error "Can't open socket to ipset."
>After closing the socket I am able to do iptables-restore.
>patch:
>
>--- iptables-1.4.2/extensions/libipt_set.h 2010-05-14
>18:32:50.000000000 +0530
>+++ iptables-1.4.2/extensions/libipt_set.h 2010-05-14
>18:44:49.000000000 +0530
>@@ -41,13 +41,14 @@
>
> static int get_set_getsockopt(void *data, socklen_t * size)
> {
>- int sockfd = -1;
>+ int sockfd = -1, res = -1;
> sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
> if (sockfd < 0)
> exit_error(OTHER_PROBLEM,
> "Can't open socket to ipset.\n");
> /* Send! */
>- return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
>+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
>+ return res;
> }
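Review bot: the --- and +++ header lines of this patch are each wrapped onto a second line (the 18:32:50.000000000 +0530 and 18:44:49.000000000 +0530 timestamps are split from their file names), so the file header is likely to be rejected when the mail is fed to patch or git am. Resend with line wrapping disabled in the mail client, as an attachment, or via git send-email, and add a Signed-off-by line, which this submission does not carry.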
I don't see a close...
* Re: ipset socket not closed
From: krunal patel @ 2010-05-15 6:39 UTC
To: netfilter-devel
sorry
--- extensions/libipt_set.h 2010-05-15 12:38:08.000000000 +0530
+++ extensions/libipt_set.h 2010-05-15 12:38:53.000000000 +0530
@@ -41,13 +41,15 @@
static int get_set_getsockopt(void *data, socklen_t * size)
{
- int sockfd = -1;
+ int sockfd = -1, res = -1;
sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (sockfd < 0)
exit_error(OTHER_PROBLEM,
"Can't open socket to ipset.\n");
/* Send! */
- return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+ res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
+ close(sockfd);
+ return res;
}
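Review bot: close(sockfd) on the added line can overwrite errno set by a failing getsockopt(), so a caller that reports errno after a negative return from get_set_getsockopt() may print the wrong error. Save errno right after res = getsockopt(...), call close(sockfd), then restore errno before return res;. The hunk does not show an #include <unistd.h>, so also confirm that the header already pulls in the declaration of close().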
On Fri, May 14, 2010 at 9:53 PM, krunal patel <krunal.raj@gmail.com> wrote:
> Hi,
> I found a bug in libipt_set.h. When iptables communicates with ipset,
> a socket is created but not closed. I wanted to apply more than 700
> iptables rules in one shot and all have the -m set option. I did
> iptables-restore and found the error "Can't open socket to ipset."
> After closing the socket I am able to do iptables-restore.
> patch:
>
> --- iptables-1.4.2/extensions/libipt_set.h 2010-05-14
> 18:32:50.000000000 +0530
> +++ iptables-1.4.2/extensions/libipt_set.h 2010-05-14
> 18:44:49.000000000 +0530
> @@ -41,13 +41,14 @@
>
> static int get_set_getsockopt(void *data, socklen_t * size)
> {
> - int sockfd = -1;
> + int sockfd = -1, res = -1;
> sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
> if (sockfd < 0)
> exit_error(OTHER_PROBLEM,
> "Can't open socket to ipset.\n");
> /* Send! */
> - return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
> + res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
> + return res;
> }
> Regards,
> Krunal
>
* Re: ipset socket not closed
From: Jozsef Kadlecsik @ 2010-05-18 13:18 UTC
To: krunal patel; +Cc: netfilter-devel
Hi,
On Fri, 14 May 2010, krunal patel wrote:
> I found a bug in libipt_set.h. When iptables communicates with ipset,
> a socket is created but not closed. I wanted to apply more than 700
> iptables rules in one shot and all have the -m set option. I did
> iptables-restore and found the error "Can't open socket to ipset."
> After closing the socket I am able to do iptables-restore.
> patch:
>
> --- iptables-1.4.2/extensions/libipt_set.h 2010-05-14
> 18:32:50.000000000 +0530
> +++ iptables-1.4.2/extensions/libipt_set.h 2010-05-14
> 18:44:49.000000000 +0530
> @@ -41,13 +41,14 @@
>
> static int get_set_getsockopt(void *data, socklen_t * size)
> {
> - int sockfd = -1;
> + int sockfd = -1, res = -1;
> sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
> if (sockfd < 0)
> exit_error(OTHER_PROBLEM,
> "Can't open socket to ipset.\n");
> /* Send! */
> - return getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
> + res = getsockopt(sockfd, SOL_IP, SO_IP_SET, data, size);
> + return res;
> }
This is an old iptables version; the bug had been fixed almost a year
ago. Please check the recent version when reporting bugs.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary