ipset-7.11-10

- Fix patch "Parse port before trying by service name"

Resolves: RHEL-67098

0001-Add-deprecation-notice-to-ipset.8.patch

@@ -43,6 +43,3 @@ index 97cece9fb04b5..d68e9bbc22891 100644
  .SH "AUTHORS"
  Jozsef Kadlecsik wrote ipset, which is based on ippool by
  Joakim Axelsson, Patrick Schaaf and Martin Josefsson.
--- 
-2.31.1
-

0002-lib-split-parser-from-command-execution.patch

@@ -79,6 +79,3 @@ index 6729919657707..3077f9793f841 100644
  	ret = ipset_cmd(session, cmd, ipset->restore_line);
  	D("ret %d", ret);
  	/* In the case of warning, the return code is success */
--- 
-2.38.0
-

0003-lib-Detach-restore-routine-from-parser.patch

@@ -39,6 +39,3 @@ index 3077f9793f841..5232d8b76c46f 100644
  	ret = ipset_cmd(session, cmd, ipset->restore_line);
  	D("ret %d", ret);
  	/* In the case of warning, the return code is success */
--- 
-2.38.0
-

0004-add-ipset-to-nftables-translation-infrastructure.patch

@@ -820,6 +820,3 @@ index ee36a06e595de..6d42b60d2fe9d 100644
  
  	ipset_fini(ipset);
  
--- 
-2.38.0
-

0005-tests-add-tests-ipset-to-nftables.patch

@@ -181,6 +181,3 @@ index 0000000000000..96eba3b0175ea
 +add element inet global bp1 { 22 }
 +add set inet global bim1 { type ipv4_addr . ether_addr; }
 +add element inet global bim1 { 1.1.1.1 . aa:bb:cc:dd:ee:ff }
--- 
-2.38.0
-

0006-Fix-typo-in-ipset-translate-man-page.patch

@@ -27,6 +27,3 @@ index bb4e737e14806..55ce2a99f2cf2 100644
  
  .SH USAGE
  The \fBipset-translate\fP tool reads an IP sets file in the syntax produced by
--- 
-2.38.0
-

0007-Fix-IPv6-sets-nftables-translation.patch

@@ -87,6 +87,3 @@ index 96eba3b0175ea..0152a30811258 100644
  add element inet global bim1 { 1.1.1.1 . aa:bb:cc:dd:ee:ff }
 +add set inet global hn6 { type ipv6_addr; flags interval; }
 +add element inet global hn6 { fe80::/64 }
--- 
-2.38.0
-

0008-ipset-translate-allow-invoking-with-a-path-name.patch

@@ -42,6 +42,3 @@ index 6d42b60d2fe9d..162f477d49cd0 100644
  		ret = ipset_xlate_argv(ipset, argc, argv);
  	} else {
  		ret = ipset_parse_argv(ipset, argc, argv);
--- 
-2.38.0
-

0009-Fix-all-debug-mode-warnings.patch

@@ -166,6 +166,3 @@ index 50f86aee045bc..f57b07413cba5 100644
  		fclose(f);
  
  	return ret;
--- 
-2.38.0
-

0010-Add-missing-function-to-libipset.map-and-bump-librar.patch

@@ -39,6 +39,3 @@ index 12d16a4faf53c..c380f9cde2edc 100644
 +  ipset_xlate_argv;
 +} LIBIPSET_4.10;
 +
--- 
-2.38.0
-

0011-Fix-patch-Parse-port-before-trying-by-service-name.patch

@@ -0,0 +1,132 @@
+From f10989a4eef5dbf3f53033f2a418c5339f50200c Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+Date: Sat, 26 Jun 2021 22:14:38 +0200
+Subject: [PATCH] Fix patch "Parse port before trying by service name"
+
+The patch broke parsing service names: number parsing failures
+are hard errors which erase data, thus making impossible to
+parse input as a string. Fix it by enabling soft (warning)
+failures in the case of port number parsing.
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+(cherry picked from commit fd7d97c57e9dbe215c71be5a2fe049a1f905fddb)
+---
+ lib/parse.c | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/lib/parse.c b/lib/parse.c
+index f3f2d113457af..9cba252f33129 100644
+--- a/lib/parse.c
++++ b/lib/parse.c
+@@ -41,6 +41,9 @@
+ #define syntax_err(fmt, args...) \
+ 	ipset_err(session, "Syntax error: " fmt , ## args)
+ 
++#define syntax_err_ll(errtype, fmt, args...) \
++	ipset_session_report(session, errtype, "Syntax error: " fmt , ## args)
++
+ static char *
+ ipset_strchr(const char *str, const char *sep)
+ {
+@@ -87,7 +90,8 @@ string_to_number_ll(struct ipset_session *session,
+ 		    const char *str,
+ 		    unsigned long long min,
+ 		    unsigned long long max,
+-		    unsigned long long *ret)
++		    unsigned long long *ret,
++		    enum ipset_err_type errtype)
+ {
+ 	unsigned long long number = 0;
+ 	char *end;
+@@ -104,13 +108,13 @@ string_to_number_ll(struct ipset_session *session,
+ 			errno = ERANGE;
+ 	}
+ 	if (errno == ERANGE && max)
+-		return syntax_err("'%s' is out of range %llu-%llu",
+-				  str, min, max);
++		return syntax_err_ll(errtype, "'%s' is out of range %llu-%llu",
++				     str, min, max);
+ 	else if (errno == ERANGE)
+-		return syntax_err("'%s' is out of range %llu-%llu",
+-				  str, min, ULLONG_MAX);
++		return syntax_err_ll(errtype, "'%s' is out of range %llu-%llu",
++				     str, min, ULLONG_MAX);
+ 	else
+-		return syntax_err("'%s' is invalid as number", str);
++		return syntax_err_ll(errtype, "'%s' is invalid as number", str);
+ }
+ 
+ static int
+@@ -120,7 +124,7 @@ string_to_u8(struct ipset_session *session,
+ 	int err;
+ 	unsigned long long num = 0;
+ 
+-	err = string_to_number_ll(session, str, 0, 255, &num);
++	err = string_to_number_ll(session, str, 0, 255, &num, IPSET_ERROR);
+ 	*ret = num;
+ 
+ 	return err;
+@@ -141,12 +145,13 @@ string_to_cidr(struct ipset_session *session,
+ 
+ static int
+ string_to_u16(struct ipset_session *session,
+-	      const char *str, uint16_t *ret)
++	      const char *str, uint16_t *ret,
++	      enum ipset_err_type errtype)
+ {
+ 	int err;
+ 	unsigned long long num = 0;
+ 
+-	err = string_to_number_ll(session, str, 0, USHRT_MAX, &num);
++	err = string_to_number_ll(session, str, 0, USHRT_MAX, &num, errtype);
+ 	*ret = num;
+ 
+ 	return err;
+@@ -159,7 +164,8 @@ string_to_u32(struct ipset_session *session,
+ 	int err;
+ 	unsigned long long num = 0;
+ 
+-	err = string_to_number_ll(session, str, 0, UINT_MAX, &num);
++	err = string_to_number_ll(session, str, 0, UINT_MAX, &num,
++				  IPSET_ERROR);
+ 	*ret = num;
+ 
+ 	return err;
+@@ -319,7 +325,7 @@ ipset_parse_port(struct ipset_session *session,
+ 	assert(opt == IPSET_OPT_PORT || opt == IPSET_OPT_PORT_TO);
+ 	assert(str);
+ 
+-	if (string_to_u16(session, str, &port) == 0) {
++	if (string_to_u16(session, str, &port, IPSET_WARNING) == 0) {
+ 		return ipset_session_data_set(session, opt, &port);
+ 	}
+ 	/* Error is stored as warning in session report */
+@@ -1335,7 +1341,8 @@ ipset_parse_timeout(struct ipset_session *session,
+ 	assert(opt == IPSET_OPT_TIMEOUT);
+ 	assert(str);
+ 
+-	err = string_to_number_ll(session, str, 0, (UINT_MAX>>1)/1000, &llnum);
++	err = string_to_number_ll(session, str, 0, (UINT_MAX>>1)/1000, &llnum,
++				  IPSET_ERROR);
+ 	if (err == 0) {
+ 		/* Timeout is expected to be 32bits wide, so we have
+ 		   to convert it here */
+@@ -1579,7 +1586,8 @@ ipset_parse_uint64(struct ipset_session *session,
+ 	assert(session);
+ 	assert(str);
+ 
+-	err = string_to_number_ll(session, str, 0, ULLONG_MAX - 1, &value);
++	err = string_to_number_ll(session, str, 0, ULLONG_MAX - 1, &value,
++				  IPSET_ERROR);
+ 	if (err)
+ 		return err;
+ 
+@@ -1623,7 +1631,7 @@ ipset_parse_uint16(struct ipset_session *session,
+ 	assert(session);
+ 	assert(str);
+ 
+-	err = string_to_u16(session, str, &value);
++	err = string_to_u16(session, str, &value, IPSET_ERROR);
+ 	if (err == 0)
+ 		return ipset_session_data_set(session, opt, &value);
+ 

ipset.spec

@@ -3,7 +3,7 @@
 
 Name:             ipset
 Version:          7.11
-Release:          9%{?dist}
+Release:          10%{?dist}
 Summary:          Manage Linux IP sets
 
 License:          GPLv2
@@ -24,6 +24,7 @@ Patch7:           0007-Fix-IPv6-sets-nftables-translation.patch
 Patch8:           0008-ipset-translate-allow-invoking-with-a-path-name.patch
 Patch9:           0009-Fix-all-debug-mode-warnings.patch
 Patch10:          0010-Add-missing-function-to-libipset.map-and-bump-librar.patch
+Patch11:          0011-Fix-patch-Parse-port-before-trying-by-service-name.patch
 
 BuildRequires:    libmnl-devel
 BuildRequires:    automake
@@ -183,6 +184,9 @@ fi
 
 
 %changelog
+* Wed Nov 13 2024 Phil Sutter <psutter@redhat.com> - 7.11-10
+- Fix patch "Parse port before trying by service name"
+
 * Thu Jun 20 2024 Phil Sutter <psutter@redhat.com> - 7.11-9
 - Fix for wrong comment in ipset-config file