On Friday 2011-04-01 06:27, Maciej Åenczykowski wrote:
>From: Maciej Åenczykowski <maze@xxxxxxxxxx>
>
>(This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)
Redhat still has not given a reason as to why this is needed.
>@@ -49,7 +49,7 @@ static void load_realms(void)
> int id;
> struct realmname *oldnm = NULL, *newnm = NULL;
>
>- fil = fopen(rfnm, "r");
>+ fil = fopen(rfnm, "re");
> if (!fil) {
> rdberr = 1;
> return;
>diff --git a/ip6tables-restore.c b/ip6tables-restore.c
>index e9a130f..10c3acf 100644
>--- a/ip6tables-restore.c
>+++ b/ip6tables-restore.c
>@@ -168,7 +168,7 @@ int main(int argc, char *argv[])
> }
>
> if (optind == argc - 1) {
>- in = fopen(argv[optind], "r");
>+ in = fopen(argv[optind], "re");
> if (!in) {
> fprintf(stderr, "Can't open %s: %s\n", argv[optind],
> strerror(errno));
>diff --git a/ip6tables-save.c b/ip6tables-save.c
>index dc189e9..c3b8ec0 100644
>--- a/ip6tables-save.c
>+++ b/ip6tables-save.c
>@@ -41,7 +41,7 @@ static int for_each_table(int (*func)(const char *tablename))
> FILE *procfile = NULL;
> char tablename[IP6T_TABLE_MAXNAMELEN+1];
>
>- procfile = fopen("/proc/net/ip6_tables_names", "r");
>+ procfile = fopen("/proc/net/ip6_tables_names", "re");
> if (!procfile)
> return ret;
>
>diff --git a/iptables-restore.c b/iptables-restore.c
>index 31ce52b..c2cc58c 100644
>--- a/iptables-restore.c
>+++ b/iptables-restore.c
>@@ -174,7 +174,7 @@ main(int argc, char *argv[])
> }
>
> if (optind == argc - 1) {
>- in = fopen(argv[optind], "r");
>+ in = fopen(argv[optind], "re");
> if (!in) {
> fprintf(stderr, "Can't open %s: %s\n", argv[optind],
> strerror(errno));
>diff --git a/iptables-save.c b/iptables-save.c
>index 3bcf422..3e3ec43 100644
>--- a/iptables-save.c
>+++ b/iptables-save.c
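Review bot: The "re" mode string introduced in the load_realms hunk depends on the glibc-specific `e` (close-on-exec) mode flag; ISO C leaves unrecognised mode characters undefined, so on a libc that rejects the string every one of these fopen() calls fails, and the for_each_table hunks then hit `if (!procfile) return ret;` and return without any diagnostic. The same change recurs in the ip6tables-restore, ip6tables-save, iptables-restore, iptables-save and iptables-xml hunks, so this note covers all six. A portable form keeps `"r"` and marks the descriptor afterwards, e.g. `fil = fopen(rfnm, "r");` followed by `if (fil) fcntl(fileno(fil), F_SETFD, FD_CLOEXEC);`, or the `e` flag can be gated on a build-time check for glibc. Every one of these hunks starts inside its enclosing function, so whether the needed headers are already included cannot be seen here.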
>@@ -39,7 +39,7 @@ static int for_each_table(int (*func)(const char *tablename))
> FILE *procfile = NULL;
> char tablename[IPT_TABLE_MAXNAMELEN+1];
>
>- procfile = fopen("/proc/net/ip_tables_names", "r");
>+ procfile = fopen("/proc/net/ip_tables_names", "re");
> if (!procfile)
> return ret;
>
>diff --git a/iptables-xml.c b/iptables-xml.c
>index 8d67056..57c7486 100644
>--- a/iptables-xml.c
>+++ b/iptables-xml.c
>@@ -651,7 +651,7 @@ main(int argc, char *argv[])
> }
>
> if (optind == argc - 1) {
>- in = fopen(argv[optind], "r");
>+ in = fopen(argv[optind], "re");
> if (!in) {
> fprintf(stderr, "Can't open %s: %s", argv[optind],
> strerror(errno));
>diff --git a/xtables.c b/xtables.c
>index 2f00e39..352963f 100644
>--- a/xtables.c
>+++ b/xtables.c
>@@ -300,6 +300,11 @@ static char *get_modprobe(void)
> procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
> if (procfile < 0)
> return NULL;
>+ if (fcntl(procfile, F_SETFD, FD_CLOEXEC) == -1) {
>+ fprintf(stderr, "Could not set close on exec: %s\n",
>+ strerror(errno));
>+ exit(1);
>+ }
>
> ret = malloc(PROCFILE_BUFSIZ);
> if (ret) {
>@@ -697,6 +702,12 @@ static int compatible_revision(const char *name, uint8_t revision, int opt)
> exit(1);
> }
>
>+ if (fcntl(sockfd, F_SETFD, FD_CLOEXEC) == -1) {
>+ fprintf(stderr, "Could not set close on exec: %s\n",
>+ strerror(errno));
>+ exit(1);
>+ }
>+
> xtables_load_ko(xtables_modprobe_program, true);
>
> strcpy(rev.name, name);
>--
>1.7.3.1
>
>--
>To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>the body of a message to majordomo@xxxxxxxxxxxxxxx
>More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
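Review bot: In the get_modprobe hunk the new fcntl() failure path calls `exit(1)`, while the line just above it returns NULL when open() fails, so a helper whose callers already cope with NULL now terminates the whole process on a much rarer error; `close(procfile); return NULL;` would preserve the function's existing contract. The open-then-fcntl sequence also leaves a short window in which the descriptor is still inheritable across exec, which matters if xtables.c is ever linked into a multithreaded caller; where the supported kernel baseline allows it, `procfile = open(PROC_SYS_MODPROBE, O_RDONLY | O_CLOEXEC);` sets the flag atomically and makes the added block unnecessary. The compatible_revision hunk has the same two-step shape, with `SOCK_CLOEXEC` on the socket() call as the atomic alternative, although its exit(1) at least matches the error handling visible just above it in that function. Both functions start outside their hunks, and the socket() call of compatible_revision is not in view.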