portblock: accept numeric protocol from iptables

portblock-accept-numeric-protocol-from-iptables.patch

@@ -0,0 +1,57 @@
+From 420e591baa01aca8123cfce9bff3f612a816786e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
+ <christoph.boehmwalder@linbit.com>
+Date: Wed, 20 Mar 2024 16:42:08 +0100
+Subject: [PATCH] portblock: accept numeric protocol from iptables
+
+Usually, using the "-n" flag with "iptables -L" will only enable numeric
+display for hosts and port numbers. Protocols are unaffected and are
+still shown as "tcp" or "udp", which we rely on in the portblock agent.
+
+iptables version 1.8.9 ships with a regression that breaks this format,
+displaying the numeric value of the protocol instead. See this bug
+report for more: https://bugzilla.netfilter.org/show_bug.cgi?id=1729
+
+The issue was fixed in the 1.8.10 release, but some distributions
+(notably, Debian Bookworm and Fedora 39) have shipped 1.8.9,
+effectively breaking the portblock agent.
+
+Since both formats are now in use in the wild, we must work around this
+in the resource agent by allowing both the numeric and string
+representation of the protocol.
+---
+ heartbeat/portblock | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/heartbeat/portblock b/heartbeat/portblock
+index 06fcc194..7b9f5ca3 100755
+--- a/heartbeat/portblock
++++ b/heartbeat/portblock
+@@ -266,7 +266,14 @@ active_grep_pat()
+     local src=$3
+     local dst=$any
+   fi
+-  echo "^DROP${w}${1}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
++  # iptables 1.8.9 briefly broke the output format, returning the
++  # numeric protocol value instead of a string. Support both variants.
++  if [ "$1" = "tcp" ]; then
++    local prot="(tcp|6)"
++  else
++    local prot="(udp|17)"
++  fi
++  echo "^DROP${w}${prot}${w}--${w}${src}${w}${dst}${w}multiport${w}${4}ports${w}${2}$"
+ }
+ 
+ #chain_isactive  {udp|tcp} portno,portno ip chain
+@@ -274,7 +281,7 @@ chain_isactive()
+ {
+   [ "$4" = "OUTPUT" ] && ds="s" || ds="d"
+   PAT=$(active_grep_pat "$1" "$2" "$3" "$ds")
+-  $IPTABLES $wait -n -L "$4" | grep "$PAT" >/dev/null
++  $IPTABLES $wait -n -L "$4" | grep -qE "$PAT"
+ }
+ 
+ # netstat -tn and ss -Htn, split on whitespace and colon,
+-- 
+2.25.1
+

resource-agents.spec

@@ -1,7 +1,7 @@
 Name:                resource-agents
 Summary:             Open Source HA Reusable Cluster Resource Scripts
 Version:             4.13.0
-Release:             10
+Release:             11
 License:             GPLv2+ and LGPLv2+
 URL:                 https://github.com/ClusterLabs/resource-agents
 Source0:             https://github.com/ClusterLabs/resource-agents/archive/v%{version}.tar.gz
@@ -15,6 +15,7 @@ Patch0006:	     Don-t-build-with-ansi-by-default.patch
 Patch0007:           Fix-docker-RA-behavior-when-Docker-isn-t-running.patch
 Patch0008:           Low-IPaddr2-Remove-stray-backslash.patch
 Patch0009:           Doc-Delay-Drop-old-comments.patch
+Patch0010:	     portblock-accept-numeric-protocol-from-iptables.patch
 Obsoletes:           heartbeat-resources <= %{version}
 Provides:            heartbeat-resources = %{version}
 BuildRequires:       automake autoconf pkgconfig gcc perl-interpreter perl-generators python3-devel
@@ -112,6 +113,9 @@ export CFLAGS="$(echo '%{optflags}')"
 %{_mandir}/man8/{ocf-tester.8*,ldirectord.8*}
 
 %changelog
+* Mon Mar 25 2024 bixiaoyan <bixiaoyan@kylinos.cn> - 4.13.0-11
+- portblock: accept numeric protocol from iptables
+
 * Thu Mar 14 2024 zouzhimin <zouzhimin@kylinos.cn> - 4.13.0-10
 - Doc: Delay: Drop old comments