resource-agents/portblock-accept-numeric-protocol-from-iptables.patch

From 420e591baa01aca8123cfce9bff3f612a816786e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
 <christoph.boehmwalder@linbit.com>
Date: Wed, 20 Mar 2024 16:42:08 +0100
Subject: [PATCH] portblock: accept numeric protocol from iptables

Usually, using the "-n" flag with "iptables -L" will only enable numeric
display for hosts and port numbers. Protocols are unaffected and are
still shown as "tcp" or "udp", which we rely on in the portblock agent.

iptables version 1.8.9 ships with a regression that breaks this format,
displaying the numeric value of the protocol instead. See this bug
report for more: https://bugzilla.netfilter.org/show_bug.cgi?id=1729

The issue was fixed in the 1.8.10 release, but some distributions
(notably, Debian Bookworm and Fedora 39) have shipped 1.8.9,
effectively breaking the portblock agent.

Since both formats are now in use in the wild, we must work around this
in the resource agent by allowing both the numeric and string
representation of the protocol.
---
 heartbeat/portblock | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/heartbeat/portblock b/heartbeat/portblock
index 06fcc194..7b9f5ca3 100755
--- a/heartbeat/portblock
+++ b/heartbeat/portblock
@@ -266,7 +266,14 @@ active_grep_pat()
     local src=$3
     local dst=$any
   fi
-  echo "^DROP${w}${1}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
+  # iptables 1.8.9 briefly broke the output format, returning the
+  # numeric protocol value instead of a string. Support both variants.
+  if [ "$1" = "tcp" ]; then
+    local prot="(tcp|6)"
+  else
+    local prot="(udp|17)"
+  fi
+  echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
 }
 
 #chain_isactive  {udp|tcp} portno,portno ip chain
@@ -274,7 +281,7 @@ chain_isactive()
 {
   [ "$4" = "OUTPUT" ] && ds="s" || ds="d"
   PAT=$(active_grep_pat "$1" "$2" "$3" "$ds")
-  $IPTABLES $wait -n -L "$4" | grep "$PAT" >/dev/null
+  $IPTABLES $wait -n -L "$4" | grep -qE "$PAT"
 }
 
 # netstat -tn and ss -Htn, split on whitespace and colon,
-- 
2.25.1
portblock: accept numeric protocol from iptables 2024-03-25 10:31:12 +08:00			`From 420e591baa01aca8123cfce9bff3f612a816786e Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=`
			`<christoph.boehmwalder@linbit.com>`
			`Date: Wed, 20 Mar 2024 16:42:08 +0100`
			`Subject: [PATCH] portblock: accept numeric protocol from iptables`

			`Usually, using the "-n" flag with "iptables -L" will only enable numeric`
			`display for hosts and port numbers. Protocols are unaffected and are`
			`still shown as "tcp" or "udp", which we rely on in the portblock agent.`

			`iptables version 1.8.9 ships with a regression that breaks this format,`
			`displaying the numeric value of the protocol instead. See this bug`
			`report for more: https://bugzilla.netfilter.org/show_bug.cgi?id=1729`

			`The issue was fixed in the 1.8.10 release, but some distributions`
			`(notably, Debian Bookworm and Fedora 39) have shipped 1.8.9,`
			`effectively breaking the portblock agent.`

			`Since both formats are now in use in the wild, we must work around this`
			`in the resource agent by allowing both the numeric and string`
			`representation of the protocol.`
			`---`
			`heartbeat/portblock \| 11 +++++++++--`
			`1 file changed, 9 insertions(+), 2 deletions(-)`

			`diff --git a/heartbeat/portblock b/heartbeat/portblock`
			`index 06fcc194..7b9f5ca3 100755`
			`--- a/heartbeat/portblock`
			`+++ b/heartbeat/portblock`
			`@@ -266,7 +266,14 @@ active_grep_pat()`
			`local src=$3`
			`local dst=$any`
			`fi`
			`- echo "^DROP${w}${1}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"`
			`+ # iptables 1.8.9 briefly broke the output format, returning the`
			`+ # numeric protocol value instead of a string. Support both variants.`
			`+ if [ "$1" = "tcp" ]; then`
			`+ local prot="(tcp\|6)"`
			`+ else`
			`+ local prot="(udp\|17)"`
			`+ fi`
			`+ echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"`
			`}`

			`#chain_isactive {udp\|tcp} portno,portno ip chain`
			`@@ -274,7 +281,7 @@ chain_isactive()`
			`{`
			`[ "$4" = "OUTPUT" ] && ds="s" \|\| ds="d"`
			`PAT=$(active_grep_pat "$1" "$2" "$3" "$ds")`
			`- $IPTABLES $wait -n -L "$4" \| grep "$PAT" >/dev/null`
			`+ $IPTABLES $wait -n -L "$4" \| grep -qE "$PAT"`
			`}`

			`# netstat -tn and ss -Htn, split on whitespace and colon,`
			`--`
			`2.25.1`