From 14b45df580668220cf97744df93cb9ee5484a14e Mon Sep 17 00:00:00 2001

From: Oyvind Albrigtsen <oalbrigt@redhat.com>

Date: Thu, 8 Dec 2016 11:18:10 +0100

Subject: [PATCH 1/2] portblock: Use -w (wait) to avoid "insufficient

 privileges" error

---

 heartbeat/portblock | 10 +++++-----

 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/heartbeat/portblock b/heartbeat/portblock

index c480954..e7de217 100755

--- a/heartbeat/portblock

+++ b/heartbeat/portblock

@@ -242,7 +242,7 @@ active_grep_pat()

 chain_isactive()

 {

   PAT=`active_grep_pat "$1" "$2" "$3"`

-  $IPTABLES -n -L INPUT | grep "$PAT" >/dev/null

+  $IPTABLES -w -n -L INPUT | grep "$PAT" >/dev/null

 }

 save_tcp_connections()

@@ -370,13 +370,13 @@ IptablesBLOCK()

     : OK -- chain already active

   else

     if $try_reset ; then

-      $IPTABLES -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset

+      $IPTABLES -w -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset

       tickle_local

     fi

-    $IPTABLES -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP

+    $IPTABLES -w -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP

     rc=$?

     if $try_reset ; then

-      $IPTABLES -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset

+      $IPTABLES -w -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset

     fi

   fi

@@ -389,7 +389,7 @@ IptablesUNBLOCK()

   if

     chain_isactive "$1" "$2" "$3"

   then

-    $IPTABLES -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP

+    $IPTABLES -w -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP

   else

     : Chain Not active

   fi

From 57d31bc04a0421cf2746830d5e987e52f9f9acd3 Mon Sep 17 00:00:00 2001

From: Oyvind Albrigtsen <oalbrigt@redhat.com>

Date: Fri, 9 Dec 2016 13:57:49 +0100

Subject: [PATCH 2/2] portblock: version check for -w

---

 heartbeat/portblock | 19 ++++++++++++++-----

 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/heartbeat/portblock b/heartbeat/portblock

index e7de217..92f7071 100755

--- a/heartbeat/portblock

+++ b/heartbeat/portblock

@@ -242,7 +242,7 @@ active_grep_pat()

 chain_isactive()

 {

   PAT=`active_grep_pat "$1" "$2" "$3"`

-  $IPTABLES -w -n -L INPUT | grep "$PAT" >/dev/null

+  $IPTABLES $wait -n -L INPUT | grep "$PAT" >/dev/null

 }

 save_tcp_connections()

@@ -370,13 +370,13 @@ IptablesBLOCK()

     : OK -- chain already active

   else

     if $try_reset ; then

-      $IPTABLES -w -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset

+      $IPTABLES $wait -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset

       tickle_local

     fi

-    $IPTABLES -w -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP

+    $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP

     rc=$?

     if $try_reset ; then

-      $IPTABLES -w -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset

+      $IPTABLES $wait -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset

     fi

   fi

@@ -389,7 +389,7 @@ IptablesUNBLOCK()

   if

     chain_isactive "$1" "$2" "$3"

   then

-    $IPTABLES -w -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP

+    $IPTABLES $wait -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP

   else

     : Chain Not active

   fi

@@ -526,6 +526,15 @@ if [ -z "$OCF_RESKEY_action" ]; then

   exit $OCF_ERR_CONFIGURED

 fi 

+# iptables v1.4.20+ is required to use -w (wait)

+version=$(iptables -V | awk -F ' v' '{print $NF}')

+ocf_version_cmp "$version" "1.4.19.1"

+if [ "$?" -eq "2" ]; then

+    wait="-w"

+else

+    wait=""

+fi

+

 protocol=$OCF_RESKEY_protocol

 portno=$OCF_RESKEY_portno

 action=$OCF_RESKEY_action