From 06f3db1de8bebf4a3fb2e5982b7beb0e57a788b5 Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Tue, 7 Oct 2014 21:42:36 -0400
Subject: [PATCH] [server] restore shell stderr redirect when execvpe() is not available
---
 server/fw_util_iptables.h | 42 ++++++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/server/fw_util_iptables.h b/server/fw_util_iptables.h
index 5f08880e..b5529499 100644
--- a/server/fw_util_iptables.h
+++ b/server/fw_util_iptables.h
@@ -33,27 +33,33 @@
 #define SNAT_TARGET_BUFSIZE 64
+#if HAVE_EXECVPE
+ #define SH_REDIR "" /* the shell is not used when execvpe() is available */
+#else
+ #define SH_REDIR " 2>&1"
+#endif
+
 /* iptables command args */
 #define IPT_CHK_RULE_ARGS "-C %s %s"
-#define IPT_RULE_ARGS "-t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s"
-#define IPT_OUT_RULE_ARGS "-t %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s"
-#define IPT_FWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s"
-#define IPT_DNAT_RULE_ARGS "-t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i"
-#define IPT_SNAT_RULE_ARGS "-t %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s"
-#define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s"
-#define IPT_TMP_CHK_RULE_ARGS "-t %s -I %s %i -s 127.0.0.2 -p udp -j %s"
-#define IPT_TMP_VERIFY_CHK_ARGS "-t %s -C %s -s 127.0.0.2 -p udp -j %s"
-#define IPT_DEL_RULE_ARGS "-t %s -D %s %i"
-#define IPT_NEW_CHAIN_ARGS "-t %s -N %s"
-#define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s"
-#define IPT_CHAIN_EXISTS_ARGS "-t %s -L %s -n"
-#define IPT_DEL_CHAIN_ARGS "-t %s -X %s"
-#define IPT_CHK_JUMP_RULE_ARGS "-t %s -j %s"
-#define IPT_ADD_JUMP_RULE_ARGS "-t %s -I %s %i -j %s"
-#define IPT_DEL_JUMP_RULE_ARGS "-t %s -D %s -j %s" /* let iptables work out the rule number */
-#define IPT_LIST_RULES_ARGS "-t %s -L %s --line-numbers -n"
-#define IPT_LIST_ALL_RULES_ARGS "-t %s -v -n -L --line-numbers"
+#define IPT_RULE_ARGS "-t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
+#define IPT_OUT_RULE_ARGS "-t %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
+#define IPT_FWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
+#define IPT_DNAT_RULE_ARGS "-t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i" SH_REDIR
+#define IPT_SNAT_RULE_ARGS "-t %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s" SH_REDIR
+#define IPT_TMP_COMMENT_ARGS "-t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s" SH_REDIR
+#define IPT_TMP_CHK_RULE_ARGS "-t %s -I %s %i -s 127.0.0.2 -p udp -j %s" SH_REDIR
+#define IPT_TMP_VERIFY_CHK_ARGS "-t %s -C %s -s 127.0.0.2 -p udp -j %s" SH_REDIR
+#define IPT_DEL_RULE_ARGS "-t %s -D %s %i" SH_REDIR
+#define IPT_NEW_CHAIN_ARGS "-t %s -N %s" SH_REDIR
+#define IPT_FLUSH_CHAIN_ARGS "-t %s -F %s" SH_REDIR
+#define IPT_CHAIN_EXISTS_ARGS "-t %s -L %s -n" SH_REDIR
+#define IPT_DEL_CHAIN_ARGS "-t %s -X %s" SH_REDIR
+#define IPT_CHK_JUMP_RULE_ARGS "-t %s -j %s" SH_REDIR
+#define IPT_ADD_JUMP_RULE_ARGS "-t %s -I %s %i -j %s" SH_REDIR
+#define IPT_DEL_JUMP_RULE_ARGS "-t %s -D %s -j %s" SH_REDIR /* let iptables work out the rule number */
+#define IPT_LIST_RULES_ARGS "-t %s -L %s --line-numbers -n" SH_REDIR
+#define IPT_LIST_ALL_RULES_ARGS "-t %s -v -n -L --line-numbers" SH_REDIR
 int validate_ipt_chain_conf(const char * const chain_str);
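Review bot: The `#else` definition of `SH_REDIR` needs a comment saying that on builds without execvpe() every `*_ARGS` string is parsed by a shell, so the `%s` values formatted into them (table, chain, target, address) are shell input and must be validated first; I would add `/* no execvpe(): the command line goes through the shell, so every %s argument must be validated before formatting */` above `#define SH_REDIR " 2>&1"`. `IPT_CHK_RULE_ARGS` is the only argument macro left without `SH_REDIR`; if that is because its second `%s` receives a rule string already built from the macros below (the callers are outside this hunk), a short comment such as `/* the rule string passed in already carries SH_REDIR */` would prevent a doubled or missing redirect later. `#if HAVE_EXECVPE` also evaluates to 0 in any translation unit that includes this header before the configure-generated header, which would append ` 2>&1` as literal iptables arguments on an exec path, so that include-order dependency should be stated next to the conditional.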