11 changed files with 66 additions and 1740 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/iproute2-6.2.0.tar.xz
+SOURCES/iproute2-6.11.0.tar.xz
--- a/.iproute.metadata
+++ b/.iproute.metadata
@ -1 +1 @@
-f4e339800fe15b88cfa516cabcc9e883dda245d7 SOURCES/iproute2-6.2.0.tar.xz
+7617e7896c1aa049fd2c371c7e07c6a6f89f7b3e SOURCES/iproute2-6.11.0.tar.xz
--- a/SOURCES/0001-Update-kernel-headers.patch
+++ b/SOURCES/0001-Update-kernel-headers.patch
@ -1,38 +0,0 @@
 From 6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b Mon Sep 17 00:00:00 2001
 Message-Id: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1683117490.git.aclaudi@redhat.com>
 From: Andrea Claudi <aclaudi@redhat.com>
 Date: Wed, 3 May 2023 11:19:24 +0200
 Subject: [PATCH] Update kernel headers
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2188134
 Upstream Status: iproute2-next.git commit 88786cd1
 commit 88786cd1a96a89427bc22061c7736eb2eac31121
 Author: David Ahern <dsahern@kernel.org>
 Date:   Thu Mar 30 09:43:49 2023 -0600
    Update kernel headers
    Update kernel headers to commit:
        da617cd8d906 ("smsc911x: remove superfluous variable init")
    Signed-off-by: David Ahern <dsahern@kernel.org>
 ---
 include/uapi/linux/if_link.h | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
 index 147ad0a3..644d3554 100644
 --- a/include/uapi/linux/if_link.h
 +++ b/include/uapi/linux/if_link.h
@@ -628,6 +628,7 @@ enum {
 	IFLA_MACVLAN_MACADDR_COUNT,
 	IFLA_MACVLAN_BC_QUEUE_LEN,
 	IFLA_MACVLAN_BC_QUEUE_LEN_USED,
 +	IFLA_MACVLAN_BC_CUTOFF,
 	__IFLA_MACVLAN_MAX,
 };
 -- 
 2.40.1
--- a/SOURCES/0002-macvlan-Add-bclim-parameter.patch
+++ b/SOURCES/0002-macvlan-Add-bclim-parameter.patch
@ -1,149 +0,0 @@
 From 1638c2909a2911f981ee437dafde70e5e8d721f8 Mon Sep 17 00:00:00 2001
 Message-Id: <1638c2909a2911f981ee437dafde70e5e8d721f8.1683117490.git.aclaudi@redhat.com>
 In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1683117490.git.aclaudi@redhat.com>
 References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1683117490.git.aclaudi@redhat.com>
 From: Andrea Claudi <aclaudi@redhat.com>
 Date: Wed, 3 May 2023 11:19:24 +0200
 Subject: [PATCH] macvlan: Add bclim parameter
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2188134
 Upstream Status: iproute2-next.git commit e8a3fb47
 commit e8a3fb470b4e96aa35a2731c7cc175b946c0a62d
 Author: Herbert Xu <herbert@gondor.apana.org.au>
 Date:   Thu Mar 30 11:07:25 2023 +0800
    macvlan: Add bclim parameter
    This patch adds support for setting the broadcast queueing threshold
    on macvlan devices.  This controls which multicast packets will be
    processed in a workqueue instead of inline.
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
     ip/iplink_macvlan.c          |   26 ++++++++++++++++++++++++--
     man/man8/ip-link.8.in        |   18 ++++++++++++++++++
     3 files changed, 43 insertions(+), 2 deletions(-)
    Signed-off-by: David Ahern <dsahern@kernel.org>
 ---
 ip/iplink_macvlan.c   | 26 ++++++++++++++++++++++++--
 man/man8/ip-link.8.in | 18 ++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
 diff --git a/ip/iplink_macvlan.c b/ip/iplink_macvlan.c
 index 0f13637d..6bdc76d1 100644
 --- a/ip/iplink_macvlan.c
 +++ b/ip/iplink_macvlan.c
@@ -26,13 +26,14 @@
 static void print_explain(struct link_util *lu, FILE *f)
 {
 	fprintf(f,
 -		"Usage: ... %s mode MODE [flag MODE_FLAG] MODE_OPTS [bcqueuelen BC_QUEUE_LEN]\n"
 +		"Usage: ... %s mode MODE [flag MODE_FLAG] MODE_OPTS [bcqueuelen BC_QUEUE_LEN] [bclim BCLIM]\n"
 		"\n"
 		"MODE: private | vepa | bridge | passthru | source\n"
 		"MODE_FLAG: null | nopromisc | nodst\n"
 		"MODE_OPTS: for mode \"source\":\n"
 		"\tmacaddr { { add | del } <macaddr> | set [ <macaddr> [ <macaddr>  ... ] ] | flush }\n"
 -		"BC_QUEUE_LEN: Length of the rx queue for broadcast/multicast: [0-4294967295]\n",
 +		"BC_QUEUE_LEN: Length of the rx queue for broadcast/multicast: [0-4294967295]\n"
 +		"BCLIM: Threshold for broadcast queueing: 32-bit integer\n",
 		lu->id
 	);
 }
@@ -67,6 +68,12 @@ static int bc_queue_len_arg(const char *arg)
 	return -1;
 }
 +static int bclim_arg(const char *arg)
 +{
 +	fprintf(stderr, "Error: illegal value for \"bclim\": \"%s\"\n", arg);
 +	return -1;
 +}
 +
 static int macvlan_parse_opt(struct link_util *lu, int argc, char **argv,
 			  struct nlmsghdr *n)
 {
@@ -168,6 +175,15 @@ static int macvlan_parse_opt(struct link_util *lu, int argc, char **argv,
 				return bc_queue_len_arg(*argv);
 			}
 			addattr32(n, 1024, IFLA_MACVLAN_BC_QUEUE_LEN, bc_queue_len);
 +		} else if (!strcmp(*argv, "bclim")) {
 +			__s32 bclim;
 +			NEXT_ARG();
 +
 +			if (get_s32(&bclim, *argv, 0)) {
 +				return bclim_arg(*argv);
 +			}
 +			addattr_l(n, 1024, IFLA_MACVLAN_BC_CUTOFF,
 +				  &bclim, sizeof(bclim));
 		} else if (matches(*argv, "help") == 0) {
 			explain(lu);
 			return -1;
@@ -245,6 +261,12 @@ static void macvlan_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[]
 		print_luint(PRINT_ANY, "usedbcqueuelen", "usedbcqueuelen %lu ", bc_queue_len);
 	}
 +	if (tb[IFLA_MACVLAN_BC_CUTOFF] &&
 +		RTA_PAYLOAD(tb[IFLA_MACVLAN_BC_CUTOFF]) >= sizeof(__s32)) {
 +		__s32 bclim = rta_getattr_s32(tb[IFLA_MACVLAN_BC_CUTOFF]);
 +		print_int(PRINT_ANY, "bclim", "bclim %d ", bclim);
 +	}
 +
 	/* in source mode, there are more options to print */
 	if (mode != MACVLAN_MODE_SOURCE)
 diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
 index eeddf493..62aebabd 100644
 --- a/man/man8/ip-link.8.in
 +++ b/man/man8/ip-link.8.in
@@ -1455,6 +1455,7 @@ the following additional arguments are supported:
 .BR mode " { " private " | " vepa " | " bridge " | " passthru
 .RB " [ " nopromisc " ] | " source " [ " nodst " ] } "
 .RB " [ " bcqueuelen " { " LENGTH " } ] "
 +.RB " [ " bclim " " LIMIT " ] "
 .in +8
 .sp
@@ -1513,6 +1514,13 @@ will be the maximum length that any macvlan interface has requested.
 When listing device parameters both the bcqueuelen parameter
 as well as the actual used bcqueuelen are listed to better help
 the user understand the setting.
 +
 +.BR bclim " " LIMIT
 +- Set the threshold for broadcast queueing.
 +.BR LIMIT " must be a 32-bit integer."
 +Setting this to -1 disables broadcast queueing altogether.  Otherwise
 +a multicast address will be queued as broadcast if the number of devices
 +using it is greater than the given value.
 .in -8
 .TP
@@ -2675,6 +2683,9 @@ Update the broadcast/multicast queue length.
 [
 .BI bcqueuelen "  LENGTH  "
 ]
 +[
 +.BI bclim " LIMIT "
 +]
 .in +8
 .BI bcqueuelen " LENGTH "
@@ -2688,6 +2699,13 @@ will be the maximum length that any macvlan interface has requested.
 When listing device parameters both the bcqueuelen parameter
 as well as the actual used bcqueuelen are listed to better help
 the user understand the setting.
 +
 +.BI bclim " LIMIT "
 +- Set the threshold for broadcast queueing.
 +.IR LIMIT " must be a 32-bit integer."
 +Setting this to -1 disables broadcast queueing altogether.  Otherwise
 +a multicast address will be queued as broadcast if the number of devices
 +using it is greater than the given value.
 .in -8
 .TP
 -- 
 2.40.1
--- a/SOURCES/0003-tc-add-missing-separator.patch
+++ b/SOURCES/0003-tc-add-missing-separator.patch
@ -1,43 +0,0 @@
 From 4c2e1768c0d446345796dc058d1e114147a1029a Mon Sep 17 00:00:00 2001
 Message-Id: <4c2e1768c0d446345796dc058d1e114147a1029a.1686090191.git.aclaudi@redhat.com>
 In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1686090191.git.aclaudi@redhat.com>
 References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1686090191.git.aclaudi@redhat.com>
 From: Andrea Claudi <aclaudi@redhat.com>
 Date: Wed, 7 Jun 2023 00:15:59 +0200
 Subject: [PATCH] tc: add missing separator
 Jira: https://issues.redhat.com/browse/RHEL-487
 Upstream Status: iproute2-next.git commit 4e0e56e0
 commit 4e0e56e0ef05387f7f5d8ab41fe6ec6a1897b26d
 Author: Christian Hesse <mail@eworm.de>
 Date:   Thu Feb 23 11:15:03 2023 +0100
    tc: add missing separator
    This is missing a separator, that was accidently removed
    when JSON was added.
    Fixes: 010a8388aea1 ("tc: Add JSON output to tc-class")
    Signed-off-by: Christian Hesse <mail@eworm.de>
    Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
 ---
 tc/tc_class.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tc/tc_class.c b/tc/tc_class.c
 index c1feb009..096fa2ec 100644
 --- a/tc/tc_class.c
 +++ b/tc/tc_class.c
@@ -356,7 +356,7 @@ int print_class(struct nlmsghdr *n, void *arg)
 		print_string(PRINT_ANY, "parent", "parent %s ", abuf);
 	}
 	if (t->tcm_info)
 -		print_0xhex(PRINT_ANY, "leaf", "leaf %x", t->tcm_info>>16);
 +		print_0xhex(PRINT_ANY, "leaf", "leaf %x: ", t->tcm_info>>16);
 	q = get_qdisc_kind(RTA_DATA(tb[TCA_KIND]));
 	if (tb[TCA_OPTIONS]) {
 -- 
 2.40.1
--- a/SOURCES/0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch
+++ b/SOURCES/0004-ss-make-is_selinux_enabled-stub-work-like-in-SELinux.patch
@ -1,55 +0,0 @@
 From dcff6d4c73cd9c33b4103a4505ecebe6852f63df Mon Sep 17 00:00:00 2001
 Message-ID: <dcff6d4c73cd9c33b4103a4505ecebe6852f63df.1695227714.git.aclaudi@redhat.com>
 In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
 References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
 From: Andrea Claudi <aclaudi@redhat.com>
 Date: Tue, 5 Sep 2023 12:44:19 +0200
 Subject: [PATCH] ss: make is_selinux_enabled stub work like in SELinux
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
 Upstream Status: iproute2-next.git commit c8970828
 commit c8970828b6509af3ab0f2982da335fb6a6c846af
 Author: Andrea Claudi <aclaudi@redhat.com>
 Date:   Wed Aug 23 19:29:59 2023 +0200
    ss: make is_selinux_enabled stub work like in SELinux
    From the is_selinux_enabled() manpage:
    is_selinux_enabled() returns 1 if SELinux is running or 0 if it is not.
    This makes the is_selinux_enabled() stub functions works exactly like
    the SELinux function it is supposed to replace.
    Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
    Signed-off-by: David Ahern <dsahern@kernel.org>
 ---
 misc/ss.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/misc/ss.c b/misc/ss.c
 index de02fccb..d2dffbf8 100644
 --- a/misc/ss.c
 +++ b/misc/ss.c
@@ -77,7 +77,7 @@
 /* Stubs for SELinux functions */
 static int is_selinux_enabled(void)
 {
 -	return -1;
 +	return 0;
 }
 static int getpidcon(pid_t pid, char **context)
@@ -5684,7 +5684,7 @@ int main(int argc, char *argv[])
 			show_sock_ctx++;
 			/* fall through */
 		case 'Z':
 -			if (is_selinux_enabled() <= 0) {
 +			if (!is_selinux_enabled()) {
 				fprintf(stderr, "ss: SELinux is not enabled.\n");
 				exit(1);
 			}
 -- 
 2.41.0
--- a/SOURCES/0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch
+++ b/SOURCES/0005-ss-make-SELinux-stub-functions-conformant-to-API-def.patch
@ -1,52 +0,0 @@
 From d59fc35f66f5d0d6e7b3209c21f2c891a2ba0768 Mon Sep 17 00:00:00 2001
 Message-ID: <d59fc35f66f5d0d6e7b3209c21f2c891a2ba0768.1695227714.git.aclaudi@redhat.com>
 In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
 References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
 From: Andrea Claudi <aclaudi@redhat.com>
 Date: Tue, 5 Sep 2023 12:44:19 +0200
 Subject: [PATCH] ss: make SELinux stub functions conformant to API definitions
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
 Upstream Status: iproute2-next.git commit 61c6882c
 commit 61c6882ce21c1247c06cd61783120be0a2e2019c
 Author: Andrea Claudi <aclaudi@redhat.com>
 Date:   Wed Aug 23 19:30:00 2023 +0200
    ss: make SELinux stub functions conformant to API definitions
    getfilecon() and security_get_initial_context() use the const qualifier
    for their first paramater in SELinux APIs.
    This commit adds the const qualifier to these functions, making them
    conformant to API definitions.
    Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
    Signed-off-by: David Ahern <dsahern@kernel.org>
 ---
 misc/ss.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/misc/ss.c b/misc/ss.c
 index d2dffbf8..fe19f489 100644
 --- a/misc/ss.c
 +++ b/misc/ss.c
@@ -86,13 +86,13 @@ static int getpidcon(pid_t pid, char **context)
 	return -1;
 }
 -static int getfilecon(char *path, char **context)
 +static int getfilecon(const char *path, char **context)
 {
 	*context = NULL;
 	return -1;
 }
 -static int security_get_initial_context(char *name,  char **context)
 +static int security_get_initial_context(const char *name,  char **context)
 {
 	*context = NULL;
 	return -1;
 -- 
 2.41.0
--- a/SOURCES/0006-lib-add-SELinux-include-and-stub-functions.patch
+++ b/SOURCES/0006-lib-add-SELinux-include-and-stub-functions.patch
@ -1,156 +0,0 @@
 From 0e71f7774a764c0a19037b79b71d7146769082ac Mon Sep 17 00:00:00 2001
 Message-ID: <0e71f7774a764c0a19037b79b71d7146769082ac.1695227714.git.aclaudi@redhat.com>
 In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
 References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
 From: Andrea Claudi <aclaudi@redhat.com>
 Date: Tue, 5 Sep 2023 12:44:19 +0200
 Subject: [PATCH] lib: add SELinux include and stub functions
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
 Upstream Status: iproute2-next.git commit e246ebc3
 commit e246ebc3b7f1f438310ad6fd1d5976ba6ccf7a69
 Author: Andrea Claudi <aclaudi@redhat.com>
 Date:   Wed Aug 23 19:30:01 2023 +0200
    lib: add SELinux include and stub functions
    ss provides some selinux stub functions, useful when iproute2 is
    compiled without selinux support.
    Move them to lib/ so we can use them in other iproute2 tools.
    Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
    Signed-off-by: David Ahern <dsahern@kernel.org>
 ---
 include/selinux.h |  9 +++++++++
 lib/Makefile      |  4 ++++
 lib/selinux.c     | 32 ++++++++++++++++++++++++++++++++
 misc/ss.c         | 34 +---------------------------------
 4 files changed, 46 insertions(+), 33 deletions(-)
 create mode 100644 include/selinux.h
 create mode 100644 lib/selinux.c
 diff --git a/include/selinux.h b/include/selinux.h
 new file mode 100644
 index 00000000..499aa966
 --- /dev/null
 +++ b/include/selinux.h
@@ -0,0 +1,9 @@
 +#if HAVE_SELINUX
 +#include <selinux/selinux.h>
 +#else
 +int is_selinux_enabled(void);
 +void freecon(char *context);
 +int getpidcon(pid_t pid, char **context);
 +int getfilecon(const char *path, char **context);
 +int security_get_initial_context(const char *name,  char **context);
 +#endif
 diff --git a/lib/Makefile b/lib/Makefile
 index ddedd37f..aa7bbd2e 100644
 --- a/lib/Makefile
 +++ b/lib/Makefile
@@ -13,6 +13,10 @@ UTILOBJ += bpf_libbpf.o
 endif
 endif
 +ifneq ($(HAVE_SELINUX),y)
 +UTILOBJ += selinux.o
 +endif
 +
 NLOBJ=libgenl.o libnetlink.o
 ifeq ($(HAVE_MNL),y)
 NLOBJ += mnl_utils.o
 diff --git a/lib/selinux.c b/lib/selinux.c
 new file mode 100644
 index 00000000..4e6805fc
 --- /dev/null
 +++ b/lib/selinux.c
@@ -0,0 +1,32 @@
 +#include <stdlib.h>
 +#include <unistd.h>
 +#include "selinux.h"
 +
 +/* Stubs for SELinux functions */
 +int is_selinux_enabled(void)
 +{
 +	return 0;
 +}
 +
 +void freecon(char *context)
 +{
 +	free(context);
 +}
 +
 +int getpidcon(pid_t pid, char **context)
 +{
 +	*context = NULL;
 +	return -1;
 +}
 +
 +int getfilecon(const char *path, char **context)
 +{
 +	*context = NULL;
 +	return -1;
 +}
 +
 +int security_get_initial_context(const char *name,  char **context)
 +{
 +	*context = NULL;
 +	return -1;
 +}
 diff --git a/misc/ss.c b/misc/ss.c
 index fe19f489..6e18bf0c 100644
 --- a/misc/ss.c
 +++ b/misc/ss.c
@@ -33,6 +33,7 @@
 #include "version.h"
 #include "rt_names.h"
 #include "cg_map.h"
 +#include "selinux.h"
 #include <linux/tcp.h>
 #include <linux/unix_diag.h>
@@ -71,39 +72,6 @@
 #define BUF_CHUNKS_MAX 5	/* Maximum number of allocated buffer chunks */
 #define LEN_ALIGN(x) (((x) + 1) & ~1)
 -#if HAVE_SELINUX
 -#include <selinux/selinux.h>
 -#else
 -/* Stubs for SELinux functions */
 -static int is_selinux_enabled(void)
 -{
 -	return 0;
 -}
 -
 -static int getpidcon(pid_t pid, char **context)
 -{
 -	*context = NULL;
 -	return -1;
 -}
 -
 -static int getfilecon(const char *path, char **context)
 -{
 -	*context = NULL;
 -	return -1;
 -}
 -
 -static int security_get_initial_context(const char *name,  char **context)
 -{
 -	*context = NULL;
 -	return -1;
 -}
 -
 -static void freecon(char *context)
 -{
 -	free(context);
 -}
 -#endif
 -
 int preferred_family = AF_UNSPEC;
 static int show_options;
 int show_details;
 -- 
 2.41.0
--- a/SOURCES/0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch
+++ b/SOURCES/0007-ip-vrf-make-ipvrf_exec-SELinux-aware.patch
@ -1,81 +0,0 @@
 From 6bfcc5679d601c393e7d6ca6c78c2d7680c3e4f2 Mon Sep 17 00:00:00 2001
 Message-ID: <6bfcc5679d601c393e7d6ca6c78c2d7680c3e4f2.1695227714.git.aclaudi@redhat.com>
 In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
 References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1695227714.git.aclaudi@redhat.com>
 From: Andrea Claudi <aclaudi@redhat.com>
 Date: Tue, 5 Sep 2023 12:44:19 +0200
 Subject: [PATCH] ip vrf: make ipvrf_exec SELinux-aware
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1780023
 Upstream Status: iproute2-next.git commit 0d0eeaa6
 commit 0d0eeaa6cb9218e57ce910fc3a8991b80da6393e
 Author: Andrea Claudi <aclaudi@redhat.com>
 Date:   Wed Aug 23 19:30:02 2023 +0200
    ip vrf: make ipvrf_exec SELinux-aware
    When using ip vrf and SELinux is enabled, make sure to set the exec file
    context before calling cmd_exec.
    This ensures that the command is executed with the right context,
    falling back to the ifconfig_t context when needed.
    Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
    Signed-off-by: David Ahern <dsahern@kernel.org>
 ---
 include/selinux.h | 1 +
 ip/ipvrf.c        | 6 ++++++
 lib/selinux.c     | 5 +++++
 3 files changed, 12 insertions(+)
 diff --git a/include/selinux.h b/include/selinux.h
 index 499aa966..592c7680 100644
 --- a/include/selinux.h
 +++ b/include/selinux.h
@@ -6,4 +6,5 @@ void freecon(char *context);
 int getpidcon(pid_t pid, char **context);
 int getfilecon(const char *path, char **context);
 int security_get_initial_context(const char *name,  char **context);
 +int setexecfilecon(const char *filename, const char *fallback_type);
 #endif
 diff --git a/ip/ipvrf.c b/ip/ipvrf.c
 index 0718bea8..b0dd2abe 100644
 --- a/ip/ipvrf.c
 +++ b/ip/ipvrf.c
@@ -24,6 +24,7 @@
 #include "utils.h"
 #include "ip_common.h"
 #include "bpf_util.h"
 +#include "selinux.h"
 #define CGRP_PROC_FILE  "/cgroup.procs"
@@ -455,6 +456,11 @@ static int ipvrf_exec(int argc, char **argv)
 		return -1;
 	}
 +	if (is_selinux_enabled() && setexecfilecon(argv[1], "ifconfig_t")) {
 +		fprintf(stderr, "setexecfilecon for \"%s\" failed\n", argv[1]);
 +		return -1;
 +	}
 +
 	return -cmd_exec(argv[1], argv + 1, !!batch_mode, do_switch, argv[0]);
 }
 diff --git a/lib/selinux.c b/lib/selinux.c
 index 4e6805fc..7e5dd16d 100644
 --- a/lib/selinux.c
 +++ b/lib/selinux.c
@@ -30,3 +30,8 @@ int security_get_initial_context(const char *name,  char **context)
 	*context = NULL;
 	return -1;
 }
 +
 +int setexecfilecon(const char *filename, const char *fallback_type)
 +{
 +	return -1;
 +}
 -- 
 2.41.0
--- a/SOURCES/0008-ss-Add-support-for-dumping-TCP-bound-inactive-socket.patch
+++ b/SOURCES/0008-ss-Add-support-for-dumping-TCP-bound-inactive-socket.patch
@ -1,158 +0,0 @@
 From e4e31412a2cdf90a08a7d5ab1a889f27ee13f7c9 Mon Sep 17 00:00:00 2001
 Message-ID: <e4e31412a2cdf90a08a7d5ab1a889f27ee13f7c9.1710441171.git.aclaudi@redhat.com>
 In-Reply-To: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1710441171.git.aclaudi@redhat.com>
 References: <6a3ecf4fd80f7dcecb72b6c83781f5aed463a75b.1710441171.git.aclaudi@redhat.com>
 From: Andrea Claudi <aclaudi@redhat.com>
 Date: Thu, 14 Mar 2024 19:26:55 +0100
 Subject: [PATCH] ss: Add support for dumping TCP bound-inactive sockets.
 JIRA: https://issues.redhat.com/browse/RHEL-21017
 Upstream Status: iproute2.git commit ae447da64975ad02e40a93ccbc440a6477af96c0
 commit ae447da64975ad02e40a93ccbc440a6477af96c0
 Author: Guillaume Nault <gnault@redhat.com>
 Date:   Tue Dec 19 14:18:13 2023 +0100
    ss: Add support for dumping TCP bound-inactive sockets.
    Make ss aware of the new "bound-inactive" pseudo-state for TCP (see
    Linux commit 91051f003948 ("tcp: Dump bound-only sockets in inet_diag.")).
    These are TCP sockets that have been bound, but are neither listening nor
    connecting.
    With this patch, these sockets can now be dumped with:
      * the existing -a (--all) option, to dump all sockets, including
        bound-inactive ones,
      * the new -B (--bound-inactive) option, to dump them exclusively,
      * the new "bound-inactive" state, to be used in a STATE-FILTER.
    Note that the SS_BOUND_INACTIVE state is a pseudo-state used for queries
    only. The kernel returns them as SS_CLOSE.
    The SS_NEW_SYN_RECV pseudo-state is added in this patch only because we
    have to set its entry in the sstate_namel array (in scan_state()). Care
    is taken not to make it visible by users.
    Signed-off-by: Guillaume Nault <gnault@redhat.com>
    Signed-off-by: David Ahern <dsahern@kernel.org>
 Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
 ---
 man/man8/ss.8 |  7 +++++++
 misc/ss.c     | 20 +++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 diff --git a/man/man8/ss.8 b/man/man8/ss.8
 index d413e570..2bc42b85 100644
 --- a/man/man8/ss.8
 +++ b/man/man8/ss.8
@@ -40,6 +40,10 @@ established connections) sockets.
 .B \-l, \-\-listening
 Display only listening sockets (these are omitted by default).
 .TP
 +.B \-B, \-\-bound-inactive
 +Display only TCP bound but inactive (not listening, connecting, etc.) sockets
 +(these are omitted by default).
 +.TP
 .B \-o, \-\-options
 Show timer information. For TCP protocol, the output format is:
 .RS
@@ -458,6 +462,9 @@ states except for
 - opposite to
 .B bucket
 +.B bound-inactive
 +- bound but otherwise inactive sockets (not listening, connecting, etc.)
 +
 .SH EXPRESSION
 .B EXPRESSION
 diff --git a/misc/ss.c b/misc/ss.c
 index 6e18bf0c..232178e6 100644
 --- a/misc/ss.c
 +++ b/misc/ss.c
@@ -210,6 +210,8 @@ enum {
 	SS_LAST_ACK,
 	SS_LISTEN,
 	SS_CLOSING,
 +	SS_NEW_SYN_RECV, /* Kernel only value, not for use in user space */
 +	SS_BOUND_INACTIVE,
 	SS_MAX
 };
@@ -1377,6 +1379,8 @@ static void sock_state_print(struct sockstat *s)
 		[SS_LAST_ACK] = "LAST-ACK",
 		[SS_LISTEN] =	"LISTEN",
 		[SS_CLOSING] = "CLOSING",
 +		[SS_NEW_SYN_RECV] = "UNDEF", /* Never returned by kernel */
 +		[SS_BOUND_INACTIVE] = "UNDEF", /* Never returned by kernel */
 	};
 	switch (s->local.family) {
@@ -5310,6 +5314,7 @@ static void _usage(FILE *dest)
 "   -r, --resolve       resolve host names\n"
 "   -a, --all           display all sockets\n"
 "   -l, --listening     display listening sockets\n"
 +"   -B, --bound-inactive display TCP bound but inactive sockets\n"
 "   -o, --options       show timer information\n"
 "   -e, --extended      show detailed socket information\n"
 "   -m, --memory        show socket memory usage\n"
@@ -5392,9 +5397,17 @@ static int scan_state(const char *state)
 		[SS_LAST_ACK] = "last-ack",
 		[SS_LISTEN] =	"listening",
 		[SS_CLOSING] = "closing",
 +		[SS_NEW_SYN_RECV] = "new-syn-recv",
 +		[SS_BOUND_INACTIVE] = "bound-inactive",
 	};
 	int i;
 +	/* NEW_SYN_RECV is a kernel implementation detail. It shouldn't be used
 +	 * or even be visible by users.
 +	 */
 +	if (strcasecmp(state, "new-syn-recv") == 0)
 +		goto wrong_state;
 +
 	if (strcasecmp(state, "close") == 0 ||
 	    strcasecmp(state, "closed") == 0)
 		return (1<<SS_CLOSE);
@@ -5417,6 +5430,7 @@ static int scan_state(const char *state)
 			return (1<<i);
 	}
 +wrong_state:
 	fprintf(stderr, "ss: wrong state name: %s\n", state);
 	exit(-1);
 }
@@ -5458,6 +5472,7 @@ static const struct option long_opts[] = {
 	{ "vsock", 0, 0, OPT_VSOCK },
 	{ "all", 0, 0, 'a' },
 	{ "listening", 0, 0, 'l' },
 +	{ "bound-inactive", 0, 0, 'B' },
 	{ "ipv4", 0, 0, '4' },
 	{ "ipv6", 0, 0, '6' },
 	{ "packet", 0, 0, '0' },
@@ -5496,7 +5511,7 @@ int main(int argc, char *argv[])
 	int state_filter = 0;
 	while ((ch = getopt_long(argc, argv,
 -				 "dhaletuwxnro460spTbEf:mMiA:D:F:vVzZN:KHSO",
 +				 "dhalBetuwxnro460spTbEf:mMiA:D:F:vVzZN:KHSO",
 				 long_opts, NULL)) != EOF) {
 		switch (ch) {
 		case 'n':
@@ -5561,6 +5576,9 @@ int main(int argc, char *argv[])
 		case 'l':
 			state_filter = (1 << SS_LISTEN) | (1 << SS_CLOSE);
 			break;
 +		case 'B':
 +			state_filter = 1 << SS_BOUND_INACTIVE;
 +			break;
 		case '4':
 			filter_af_set(&current_filter, AF_INET);
 			break;
 -- 
 2.44.0
--- a/SPECS/iproute.spec
+++ b/SPECS/iproute.spec
`@ -1 +1 @@`
	`SOURCES/iproute2-6.2.0.tar.xz`	`SOURCES/iproute2-6.11.0.tar.xz`
`@ -1 +1 @@`
	`f4e339800fe15b88cfa516cabcc9e883dda245d7 SOURCES/iproute2-6.2.0.tar.xz`	`7617e7896c1aa049fd2c371c7e07c6a6f89f7b3e SOURCES/iproute2-6.11.0.tar.xz`