
commit 9b8cb7564a53865bf0e239bbc3e057de70edf65d
Author: Dan Williams <dcbw@redhat.com>
Date:   Sat Feb 25 22:02:03 2017 -0600
    libiptc: don't set_changed() when checking rules with module jumps
    
    Checking a rule that includes a jump to a module-based target currently
    sets the "changed" flag on the handle, which then causes TC_COMMIT() to
    run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path.  This
    seems wrong for simply checking rules, an operation which is documented
    as "...does not alter the existing iptables configuration..." but yet
    it clearly could do so.
    
    Fix that by ensuring that rule check operations for module targets
    don't set the changed flag, and thus exit early from TC_COMMIT().
    
    Signed-off-by: Dan Williams <dcbw@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 2c66d04..a6e7057 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1686,7 +1686,8 @@ iptcc_standard_map(struct rule_head *r, int verdict)
 
 static int
 iptcc_map_target(struct xtc_handle *const handle,
-	   struct rule_head *r)
+	   struct rule_head *r,
+	   bool dry_run)
 {
 	STRUCT_ENTRY *e = r->entry;
 	STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
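Review bot: The new `dry_run` parameter is undocumented and iptcc_map_target has no header comment, so a caller cannot tell from the signature what passing true suppresses. A comment above the function such as `/* dry_run: the caller is only checking or looking up a rule on a private copy; do not mark the handle as changed. */` would make the contract explicit. The parameter is typed `bool`; the hunk does not show the file's includes, so confirm `<stdbool.h>` is already in scope in libiptc.c. The function body continues outside the hunk.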
@@ -1731,7 +1732,8 @@ iptcc_map_target(struct xtc_handle *const handle,
 	       0,
 	       FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name));
 	r->type = IPTCC_R_MODULE;
-	set_changed(handle);
+	if (!dry_run)
+		set_changed(handle);
 	return 1;
 }
 
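Review bot: The `if (!dry_run)` guard before set_changed() carries no explanation of why skipping it is safe, while the padding memset a few lines above still rewrites the target name inside `r->entry` regardless of dry_run. That is harmless only as long as the dry-run rule remains a temporary that is never linked into a chain; a future caller that passed true for a rule it then inserts would have its change silently dropped by TC_COMMIT. A why-comment on the guard, e.g. `/* check/lookup: r is a private copy, so the kernel ruleset is unchanged and TC_COMMIT need not re-upload it */`, states that contract where the next maintainer will see it.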
@@ -1781,7 +1783,7 @@ TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
 	memcpy(r->entry, e, e->next_offset);
 	r->counter_map.maptype = COUNTER_MAP_SET;
 
-	if (!iptcc_map_target(handle, r)) {
+	if (!iptcc_map_target(handle, r, false)) {
 		free(r);
 		return 0;
 	}
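Review bot: The call site in TC_INSERT_ENTRY here, and likewise in the TC_REPLACE_ENTRY and TC_APPEND_ENTRY hunks, passes a bare `false`, which reads opaquely at the point of call. Naming the argument inline, `if (!iptcc_map_target(handle, r, false /* dry_run */)) {`, keeps the meaning visible without changing behaviour. The enclosing functions start outside their hunks.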
@@ -1831,7 +1833,7 @@ TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
 	memcpy(r->entry, e, e->next_offset);
 	r->counter_map.maptype = COUNTER_MAP_SET;
 
-	if (!iptcc_map_target(handle, r)) {
+	if (!iptcc_map_target(handle, r, false)) {
 		free(r);
 		return 0;
 	}
@@ -1870,7 +1872,7 @@ TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
 	memcpy(r->entry, e, e->next_offset);
 	r->counter_map.maptype = COUNTER_MAP_SET;
 
-	if (!iptcc_map_target(handle, r)) {
+	if (!iptcc_map_target(handle, r, false)) {
 		DEBUGP("unable to map target of rule for chain `%s'\n", chain);
 		free(r);
 		return 0;
@@ -1976,7 +1978,7 @@ static int delete_entry(const IPT_CHAINLABEL chain, const STRUCT_ENTRY *origfw,
 
 	memcpy(r->entry, origfw, origfw->next_offset);
 	r->counter_map.maptype = COUNTER_MAP_NOMAP;
-	if (!iptcc_map_target(handle, r)) {
+	if (!iptcc_map_target(handle, r, dry_run)) {
 		DEBUGP("unable to map target of rule for chain `%s'\n", chain);
 		free(r);
 		return 0;
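Review bot: delete_entry forwards `dry_run` to iptcc_map_target, but the origin of that value is outside the hunk (only part of the function's signature is visible in the @@ header), so it is presumably an existing parameter distinguishing the check path from the delete path. Confirm that the check entry point is the only caller passing true, since that is what the commit relies on to keep TC_COMMIT from re-uploading the ruleset on a pure check. The remainder of delete_entry is outside the hunk.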