diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 6e99960ec..d7470f23b 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,13 +9,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
-PKG_RELEASE:=3
+PKG_RELEASE:=2
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
-PKG_SOURCE_DATE:=2022-02-17
-PKG_SOURCE_VERSION:=4cd7d4f36bea731bf901cb067456f1d460294926
-PKG_MIRROR_HASH:=ce9e8ac1bcf22afbb0a80c3da1a8e8e887851299681097e3dfbfc347f2c4c80f
+PKG_SOURCE_DATE:=2021-03-23
+PKG_SOURCE_VERSION:=61db17edddb1f05e8107f0dbef6f7d060ce67483
+PKG_MIRROR_HASH:=b2eb09816640e14e2dae21fb54ea05c33858fe0004844fe8d99e541a2e19e9c0
 PKG_MAINTAINER:=Jo-Philipp Wich
 PKG_LICENSE:=ISC
diff --git a/package/network/config/firewall/patches/001-firewall3-fix-locking-issue.patch b/package/network/config/firewall/patches/001-firewall3-fix-locking-issue.patch
new file mode 100644
index 000000000..8657b5c71
--- /dev/null
+++ b/package/network/config/firewall/patches/001-firewall3-fix-locking-issue.patch
@@ -0,0 +1,38 @@
+From df1306a96127e91ff2d513a0a67345baaf61d113 Mon Sep 17 00:00:00 2001
+From: Florian Eckert
+Date: Fri, 19 Nov 2021 09:51:02 +0100
+Subject: [PATCH] firewall3: fix locking issue
+
+By calling the command 'fw3 reload' several times at the same time, I
+noticed that the locking was not working properly. It happened from time
+to time that some firewall rules were present twice in the system!
+
+By removing the 'unlink' systemcall, this error no longer occurred on my
+systems.
+
+Since fw3 does not run as a service, it makes no sense to delete this
+lock file every time a filehandler is no longer open on this lock file,
+because fw3 binary is not running.
+
+If fw3 does run as a service then we can remove this lock file on
+service stop. But this is not the case for fw3.
+
+Signed-off-by: Florian Eckert
+---
+ utils.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/utils.c b/utils.c
+index 17d5bf9..92e966c 100644
+--- a/utils.c
++++ b/utils.c
+@@ -397,7 +397,6 @@ fw3_unlock_path(int *fd, const char *lockpath)
+ warn("Cannot release exclusive lock: %s", strerror(errno));
+
+ close(*fd);
+- unlink(FW3_LOCKFILE);
+
+ *fd = -1;
+ }
+--
+2.30.2
diff --git a/package/network/config/firewall/patches/100-fullconenat.patch b/package/network/config/firewall/patches/100-fullconenat.patch
index 6211b44df..d69e7129e 100644
--- a/package/network/config/firewall/patches/100-fullconenat.patch
+++ b/package/network/config/firewall/patches/100-fullconenat.patch
@@ -1,7 +1,7 @@
 index 85a3750..9fac9b1 100644
 --- a/defaults.c
 +++ b/defaults.c
-@@ -48,7 +48,9 @@ const struct fw3_option fw3_flag_opts[]
+@@ -46,7 +46,9 @@ const struct fw3_option fw3_flag_opts[] = {
 FW3_OPT("synflood_protect", bool, defaults, syn_flood),
 FW3_OPT("synflood_rate", limit, defaults, syn_flood_rate),
 FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst),
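Review bot: In the utils.c hunk carried by 001-firewall3-fix-locking-issue.patch, `fw3_unlock_path()` loses `unlink(FW3_LOCKFILE);` without any comment saying the lock file is now left in place on purpose, so a later cleanup could put the call back and reopen the duplicate-rule race the commit message describes. A comment after `close(*fd);` would record it, for example `/* keep the lock file: unlinking here lets a waiter lock the old inode while a new caller locks a fresh file */`; that mechanism is inferred from the commit message, since the locking side is not in the hunk. The removed call also named `FW3_LOCKFILE` rather than the `lockpath` argument, so `lockpath` may now be unused in this function. Its body starts outside the hunk, so check that against the full source.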
@@ -12,19 +12,23 @@ index 85a3750..9fac9b1 100644 FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies), FW3_OPT("tcp_ecn", int, defaults, tcp_ecn), FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling), +diff --git a/options.h b/options.h +index 6edd174..c02eb97 100644 --- a/options.h +++ b/options.h -@@ -297,6 +297,7 @@ struct fw3_defaults - enum fw3_reject_code any_reject_code; +@@ -267,6 +267,7 @@ struct fw3_defaults + bool drop_invalid; bool syn_flood; + bool fullcone; struct fw3_limit syn_flood_rate; bool tcp_syncookies; +diff --git a/zones.c b/zones.c +index 2aa7473..57eead0 100644 --- a/zones.c +++ b/zones.c -@@ -670,6 +670,7 @@ print_zone_rule(struct fw3_ipt_handle *h +@@ -627,6 +627,7 @@ print_zone_rule(struct fw3_ipt_handle *h struct fw3_address *msrc; struct fw3_address *mdest; struct fw3_ipt_rule *r; @@ -32,7 +36,7 @@ index 85a3750..9fac9b1 100644 if (!fw3_is_family(zone, handle->family)) return; -@@ -755,8 +756,22 @@ print_zone_rule(struct fw3_ipt_handle *h +@@ -712,8 +713,22 @@ print_zone_rule(struct fw3_ipt_handle *h { r = fw3_ipt_rule_new(handle); fw3_ipt_rule_src_dest(r, msrc, mdest);