From 14b45df580668220cf97744df93cb9ee5484a14e Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Thu, 8 Dec 2016 11:18:10 +0100 Subject: [PATCH 1/2] portblock: Use -w (wait) to avoid "insufficient privileges" error --- heartbeat/portblock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/heartbeat/portblock b/heartbeat/portblock index c480954..e7de217 100755 --- a/heartbeat/portblock +++ b/heartbeat/portblock @@ -242,7 +242,7 @@ active_grep_pat() chain_isactive() { PAT=`active_grep_pat "$1" "$2" "$3"` - $IPTABLES -n -L INPUT | grep "$PAT" >/dev/null + $IPTABLES -w -n -L INPUT | grep "$PAT" >/dev/null } save_tcp_connections() @@ -370,13 +370,13 @@ IptablesBLOCK() : OK -- chain already active else if $try_reset ; then - $IPTABLES -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset + $IPTABLES -w -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset tickle_local fi - $IPTABLES -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP + $IPTABLES -w -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP rc=$? if $try_reset ; then - $IPTABLES -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset + $IPTABLES -w -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset fi fi @@ -389,7 +389,7 @@ IptablesUNBLOCK() if chain_isactive "$1" "$2" "$3" then - $IPTABLES -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP + $IPTABLES -w -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP else : Chain Not active fi From 57d31bc04a0421cf2746830d5e987e52f9f9acd3 Mon Sep 17 00:00:00 2001 From: Oyvind Albrigtsen Date: Fri, 9 Dec 2016 13:57:49 +0100 Subject: [PATCH 2/2] portblock: version check for -w --- heartbeat/portblock | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/heartbeat/portblock b/heartbeat/portblock index e7de217..92f7071 100755 --- a/heartbeat/portblock +++ b/heartbeat/portblock @@ -242,7 +242,7 @@ active_grep_pat() chain_isactive() { PAT=`active_grep_pat "$1" "$2" "$3"` - $IPTABLES -w -n -L INPUT | grep "$PAT" >/dev/null + $IPTABLES $wait -n -L INPUT | grep "$PAT" >/dev/null } save_tcp_connections() @@ -370,13 +370,13 @@ IptablesBLOCK() : OK -- chain already active else if $try_reset ; then - $IPTABLES -w -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset + $IPTABLES $wait -I OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset tickle_local fi - $IPTABLES -w -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP + $IPTABLES $wait -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP rc=$? if $try_reset ; then - $IPTABLES -w -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset + $IPTABLES $wait -D OUTPUT -p "$1" -s "$3" -m multiport --sports "$2" -j REJECT --reject-with tcp-reset fi fi @@ -389,7 +389,7 @@ IptablesUNBLOCK() if chain_isactive "$1" "$2" "$3" then - $IPTABLES -w -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP + $IPTABLES $wait -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP else : Chain Not active fi @@ -526,6 +526,15 @@ if [ -z "$OCF_RESKEY_action" ]; then exit $OCF_ERR_CONFIGURED fi +# iptables v1.4.20+ is required to use -w (wait) +version=$(iptables -V | awk -F ' v' '{print $NF}') +ocf_version_cmp "$version" "1.4.19.1" +if [ "$?" -eq "2" ]; then + wait="-w" +else + wait="" +fi + protocol=$OCF_RESKEY_protocol portno=$OCF_RESKEY_portno action=$OCF_RESKEY_action