Compare commits


No commits in common. "c8s" and "c10s" have entirely different histories.
c8s ... c10s

18 changed files with 876 additions and 74 deletions

.fmf/version Normal file

@ -0,0 +1 @@
1

.gitignore vendored

@ -1,2 +1 @@
SOURCES/ipset-7.1.tar.bz2
/ipset-7.1.tar.bz2
ipset-*.tar.bz2


@ -0,0 +1,23 @@
From 21080dc79c4e9244149aa78f6a8f7fbb6f4b8e81 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@netfilter.org>
Date: Thu, 6 Jun 2024 08:57:11 +0200
Subject: [PATCH] Replace BUG_ON() with WARN_ON_ONCE() according to usage
policy.
---
kernel/net/netfilter/ipset/ip_set_list_set.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/net/netfilter/ipset/ip_set_list_set.c b/kernel/net/netfilter/ipset/ip_set_list_set.c
index fd78e2db06e4f..0d3e5a7331f26 100644
--- a/kernel/net/netfilter/ipset/ip_set_list_set.c
+++ b/kernel/net/netfilter/ipset/ip_set_list_set.c
@@ -432,7 +432,7 @@ list_set_destroy(struct ip_set *set)
{
struct list_set *map = set->data;
- BUG_ON(!list_empty(&map->members));
+ WARN_ON_ONCE(!list_empty(&map->members));
kfree(map);
set->data = NULL;
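Review bot: this hunk changes kernel/net/netfilter/ipset/ip_set_list_set.c, but the spec below configures with `--with-kmod=no` and runs `rm -fr kernel` before building, so nothing from it reaches the packaged binaries; it only keeps the bundled kernel sources in step with upstream, and a comment next to `Patch001:` should say so. Note also that after `WARN_ON_ONCE(!list_empty(&map->members))` the function continues into `kfree(map)` with `map->members` possibly still populated, so a non-empty list at destroy time now leaks its entries instead of panicking; that is the trade-off the usage policy asks for, not a fix for whatever leaves the list non-empty.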


@ -0,0 +1,54 @@
From f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 27 Jun 2024 10:18:16 +0200
Subject: [PATCH] lib: data: Fix for global-buffer-overflow warning by ASAN
After compiling with CFLAGS="-fsanitize=address -g", running the
testsuite triggers the following warning:
| ipmap: Range: Check syntax error: missing range/from-to: FAILED
| Failed test: ../src/ipset 2>.foo.err -N test ipmap
| =================================================================
| ==4204==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a21e77172a at pc 0x7f1ef246f2a6 bp 0x7fffed8f4f40 sp 0x7fffed8f46e8
| READ of size 32 at 0x55a21e77172a thread T0
| #0 0x7f1ef246f2a5 in __interceptor_memcpy /var/tmp/portage/sys-devel/gcc-13.2.1_p20231014/work/gcc-13-20231014/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
| #1 0x55a21e758bf6 in ipset_strlcpy /home/n0-1/git/ipset/lib/data.c:119
| #2 0x55a21e758bf6 in ipset_data_set /home/n0-1/git/ipset/lib/data.c:349
| #3 0x55a21e75ee2f in ipset_parse_typename /home/n0-1/git/ipset/lib/parse.c:1819
| #4 0x55a21e754119 in ipset_parser /home/n0-1/git/ipset/lib/ipset.c:1205
| #5 0x55a21e752cef in ipset_parse_argv /home/n0-1/git/ipset/lib/ipset.c:1344
| #6 0x55a21e74ea45 in main /home/n0-1/git/ipset/src/ipset.c:38
| #7 0x7f1ef224cf09 (/lib64/libc.so.6+0x23f09)
| #8 0x7f1ef224cfc4 in __libc_start_main (/lib64/libc.so.6+0x23fc4)
| #9 0x55a21e74f040 in _start (/home/n0-1/git/ipset/src/ipset+0x1d040)
|
| 0x55a21e77172a is located 54 bytes before global variable '*.LC1' defined in 'ipset_bitmap_ip.c' (0x55a21e771760) of size 19
| '*.LC1' is ascii string 'IP|IP/CIDR|FROM-TO'
| 0x55a21e77172a is located 0 bytes after global variable '*.LC0' defined in 'ipset_bitmap_ip.c' (0x55a21e771720) of size 10
| '*.LC0' is ascii string 'bitmap:ip'
Fix this by avoiding 'src' array overstep in ipset_strlcpy(): In
contrast to strncpy(), memcpy() does not respect NUL-chars in input but
stubbornly reads as many bytes as specified.
Fixes: a7432ba786ca4 ("Workaround misleading -Wstringop-truncation warning")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
lib/data.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/data.c b/lib/data.c
index c05b20144cdad..64cad7a377302 100644
--- a/lib/data.c
+++ b/lib/data.c
@@ -111,6 +111,9 @@ ipset_strlcpy(char *dst, const char *src, size_t len)
assert(dst);
assert(src);
+ if (strlen(src) < len)
+ len = strlen(src) + 1;
+
memcpy(dst, src, len);
dst[len - 1] = '\0';
}
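Review bot: `strlen(src)` is evaluated twice in the new branch; compute it once, e.g. `size_t n = strlen(src); if (n < len) len = n + 1;`. With that the semantics are those of strlcpy: if src fits, `n + 1` bytes are copied and `dst[len - 1] = '\0'` rewrites the terminator already in place; if it does not fit, `len` bytes are copied and the last one is overwritten, so truncation is silent. The subject calls this an ASAN warning, but the trace shows a real out-of-bounds read of adjacent rodata (the bytes after 'bitmap:ip' up to 'IP|IP/CIDR|FROM-TO') whenever the type name is shorter than `len`; the impact is bounded because the copy lands in a fixed-size `dst` and is cut at `len - 1`, but it is a genuine read overrun rather than a false positive, and the changelog should describe it as such.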


@ -0,0 +1,38 @@
From 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 27 Jun 2024 10:18:17 +0200
Subject: [PATCH] lib: ipset: Avoid 'argv' array overstepping
The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'
array size. The maximum allowed array index is therefore argc-1.
This fix will leave items in argv non-NULL-terminated, so explicitly
NULL the formerly last entry after shifting.
Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor
valgrind. Yet adding debug output printing argv entries being copied
did.
Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
lib/ipset.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/ipset.c b/lib/ipset.c
index c910d88805c28..3bf1c5fcdbc59 100644
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from)
assert(*argc >= from + 1);
- for (i = from + 1; i <= *argc; i++)
+ for (i = from + 1; i < *argc; i++)
argv[i-1] = argv[i];
- (*argc)--;
+ argv[--(*argc)] = NULL;
return;
}
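Review bot: the `assert(*argc >= from + 1)` above the loop only guards the lower bound; the fix depends on `*argc <= MAX_ARGS` holding, which is the commit message's premise, and nothing here enforces it, so an `assert(*argc <= MAX_ARGS)` beside it would check the invariant at the place that relies on it. The new `argv[--(*argc)] = NULL` is what callers that walk `argv` until a NULL entry need; the old loop read `argv[*argc]`, one past the last valid element, which at `*argc == MAX_ARGS` is past the array, and left the vacated slot holding a stale pointer.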


@ -0,0 +1,354 @@
From 5c9ef9016d2781f6e07a544e34ec9f4a8d65d0e2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 27 Jun 2024 10:18:18 +0200
Subject: [PATCH] tests: Reduce testsuite run-time
Where acceptable, batch add set element calls to avoid overhead of
excessive 'ipset' program spawns. On my (slow) testing VM, this patch
reduces a full run of tests/runtest.sh from ~70min down to ~11min.
This might eliminate the situation being tested: resize.sh might be such
a case so batch only 255 'ipset add' calls and continue to repeat these
batched calls 32 times in hopes that it still qualifies as the resizing
stress test tests/hash:ip.t calls it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
---
tests/resize.sh | 4 ++--
tests/resizec.sh | 32 +++++++++++++--------------
tests/resizen.sh | 49 ++++++++++++++++++++---------------------
tests/resizet.sh | 40 ++++++++++++++++-----------------
tests/setlist_resize.sh | 4 ++--
5 files changed, 64 insertions(+), 65 deletions(-)
diff --git a/tests/resize.sh b/tests/resize.sh
index 19b93fb01876c..9069b4970e92d 100755
--- a/tests/resize.sh
+++ b/tests/resize.sh
@@ -9,6 +9,6 @@ set -e
$ipset n resize-test hash:ip hashsize 64
for x in `seq 1 32`; do
for y in `seq 1 255`; do
- $ipset a resize-test 192.168.$x.$y
- done
+ echo "a resize-test 192.168.$x.$y"
+ done | $ipset restore
done
diff --git a/tests/resizec.sh b/tests/resizec.sh
index 28d674769f76f..781acf74c38dd 100755
--- a/tests/resizec.sh
+++ b/tests/resizec.sh
@@ -25,65 +25,65 @@ case "$2" in
$ipset n test hash:ip $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y comment "text $ip$x$sep$y"
+ echo "a test $ip$x$sep$y comment \"text $ip$x$sep$y\""
done
- done
+ done | $ipset restore
;;
ipport)
$ipset n test hash:ip,port $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023 "text $ip$x$sep$y,1023"
+ echo "a test $ip$x$sep$y,1023 \"text $ip$x$sep$y,1023\""
done
- done
+ done | $ipset restore
;;
ipportip)
$ipset n test hash:ip,port,ip $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2 comment "text $ip$x$sep$y,1023,$ip2"
+ echo "a test $ip$x$sep$y,1023,$ip2 comment \"text $ip$x$sep$y,1023,$ip2\""
done
- done
+ done | $ipset restore
;;
ipportnet)
$ipset n test hash:ip,port,net $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2/$net comment "text $ip$x$sep$y,1023,$ip2/$net"
+ echo "a test $ip$x$sep$y,1023,$ip2/$net comment \"text $ip$x$sep$y,1023,$ip2/$net\""
done
- done
+ done | $ipset restore
;;
net)
$ipset n test hash:net $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net comment "text $ip$x$sep$y/$net"
+ echo "a test $ip$x$sep$y/$net comment \"text $ip$x$sep$y/$net\""
done
- done
+ done | $ipset restore
;;
netnet)
$ipset n test hash:net,net $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,$ip$y$sep$x/$net comment "text $ip$x$sep$y/$net,$ip$y$sep$x/$net"
+ echo "a test $ip$x$sep$y/$net,$ip$y$sep$x/$net comment \"text $ip$x$sep$y/$net,$ip$y$sep$x/$net\""
done
- done
+ done | $ipset restore
;;
netport)
$ipset n test hash:net,port $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,1023 comment "text $ip$x$sep$y/$net,1023"
+ echo "a test $ip$x$sep$y/$net,1023 comment \"text $ip$x$sep$y/$net,1023\""
done
- done
+ done | $ipset restore
;;
netiface)
$ipset n test hash:net,iface $1 hashsize 64 comment
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,eth0 comment "text $ip$x$sep$y/$net,eth0"
+ echo "$ipset a test $ip$x$sep$y/$net,eth0 comment \"text $ip$x$sep$y/$net,eth0\""
done
- done
+ done | $ipset restore
;;
esac
$ipset l test | grep ^$ip | while read x y z; do
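Review bot: the netiface case echoes `"$ipset a test ..."`, so the line fed to `$ipset restore` starts with the path of the ipset binary instead of with `a`, unlike every other case; restore does not accept that as a command and the netiface comment resize test cannot pass as written. Drop the `$ipset` prefix. Visible here but pre-existing: the ipport case still emits `"text ..."` without the `comment` keyword, as the original command line did, so that comment is never attached.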
diff --git a/tests/resizen.sh b/tests/resizen.sh
index 9322bd2a2cfce..13221f7b0894a 100755
--- a/tests/resizen.sh
+++ b/tests/resizen.sh
@@ -25,80 +25,79 @@ case "$2" in
$ipset n test hash:ip,port,net $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2/$net nomatch
+ echo "a test $ip$x$sep$y,1023,$ip2/$net nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y,1023,$ip2/$net nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y,1023,$ip2/$net nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
netportnet)
$ipset n test hash:net,port,net $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2/$net nomatch
+ echo "a test $ip$x$sep$y,1023,$ip2/$net nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y,1023,$ip2/$net nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y,1023,$ip2/$net nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
net)
$ipset n test hash:net $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net nomatch
+ echo "a test $ip$x$sep$y/$net nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y/$net nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y/$net nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
netnet)
$ipset n test hash:net,net $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,$ip$y$sep$x/$net nomatch
+ echo "a test $ip$x$sep$y/$net,$ip$y$sep$x/$net nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y/$net,$ip$y$sep$x/$net nomatch \
- 2>/dev/null
+ echo "t test $ip$x$sep$y/$net,$ip$y$sep$x/$net nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
netport)
$ipset n test hash:net,port $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,1023 nomatch
+ echo "a test $ip$x$sep$y/$net,1023 nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y/$net,1023 nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y/$net,1023 nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
netiface)
$ipset n test hash:net,iface $1 hashsize 64
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,eth0 nomatch
+ echo "a test $ip$x$sep$y/$net,eth0 nomatch"
done
- done
+ done | $ipset restore
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset t test $ip$x$sep$y/$net,eth0 nomatch 2>/dev/null
+ echo "t test $ip$x$sep$y/$net,eth0 nomatch"
done
- done
+ done | $ipset restore 2>/dev/null
;;
esac
$ipset x
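Review bot: moving the `t ... nomatch` checks into a single `$ipset restore` changes the failure mode: the original ran every test individually with only stderr discarded, whereas restore stops at the first line that fails, and with `2>/dev/null` the "Error in line N" message that identifies the failing entry is thrown away. If the intent is still to verify every entry after the resize, keep stderr (or redirect it to a file the test can show) so a failure is attributable, and make sure the script treats a non-zero exit from the restore pipeline as a test failure.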
diff --git a/tests/resizet.sh b/tests/resizet.sh
index eed4abf2bd86e..e8fdd732435ab 100755
--- a/tests/resizet.sh
+++ b/tests/resizet.sh
@@ -25,81 +25,81 @@ case "$2" in
$ipset n test hash:ip $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y
+ echo "a test $ip$x$sep$y"
done
- done
+ done | $ipset restore
;;
ipmark)
$ipset n test hash:ip,mark $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023
+ echo "a test $ip$x$sep$y,1023"
done
- done
+ done | $ipset restore
;;
ipport)
$ipset n test hash:ip,port $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023
+ echo "a test $ip$x$sep$y,1023"
done
- done
+ done | $ipset restore
;;
ipportip)
$ipset n test hash:ip,port,ip $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2
+ echo "a test $ip$x$sep$y,1023,$ip2"
done
- done
+ done | $ipset restore
;;
ipportnet)
$ipset n test hash:ip,port,net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y,1023,$ip2/$net
+ echo "a test $ip$x$sep$y,1023,$ip2/$net"
done
- done
+ done | $ipset restore
;;
netportnet)
$ipset n test hash:net,port,net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 128`; do
- $ipset a test $ip$x$sep$y/$net,1023,$ip$y$sep$x/$net
+ echo "a test $ip$x$sep$y/$net,1023,$ip$y$sep$x/$net"
done
- done
+ done | $ipset restore
;;
net)
$ipset n test hash:net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net
+ echo "a test $ip$x$sep$y/$net"
done
- done
+ done | $ipset restore
;;
netnet)
$ipset n test hash:net,net $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,$ip$y$sep$x/$net
+ echo "a test $ip$x$sep$y/$net,$ip$y$sep$x/$net"
done
- done
+ done | $ipset restore
;;
netport)
$ipset n test hash:net,port $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,1023
+ echo "a test $ip$x$sep$y/$net,1023"
done
- done
+ done | $ipset restore
;;
netiface)
$ipset n test hash:net,iface $1 hashsize 64 timeout 100
for x in `seq 0 16`; do
for y in `seq 0 255`; do
- $ipset a test $ip$x$sep$y/$net,eth0
+ echo "a test $ip$x$sep$y/$net,eth0"
done
- done
+ done | $ipset restore
;;
esac
$ipset l test | grep ^$ip | while read x y z; do
diff --git a/tests/setlist_resize.sh b/tests/setlist_resize.sh
index 1c2be327b841a..acb33e3ba0f08 100755
--- a/tests/setlist_resize.sh
+++ b/tests/setlist_resize.sh
@@ -25,9 +25,9 @@ rmmod ip_set >/dev/null 2>&1
create() {
n=$1
while [ $n -le 1024 ]; do
- $ipset c test$n hash:ip
+ echo "c test$n hash:ip"
n=$((n+2))
- done
+ done | $ipset restore
}
for x in `seq 1 $loop`; do

ci.fmf Normal file

@ -0,0 +1 @@
resultsdb-testcase: separate


@ -1,7 +1,7 @@
# Gating rhel
--- !Policy
product_versions:
- rhel-8
- rhel-10
decision_context: osci_compose_gate
rules:
# - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1-gating.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-gating.functional}


@ -1,5 +1,5 @@
# Save current ipsets on stop.
# Value: yes|no, default: no
# Saves all ipsets to /etc/ipset/ipset if service gets stopped
# Saves all ipsets to /etc/sysconfig/ipset.d/ if service gets stopped
# (e.g. on system shutdown).
IPSET_SAVE_ON_STOP="no"


@ -2,23 +2,35 @@
%define legacy_actions %{_libexecdir}/initscripts/legacy-actions
Name: ipset
Version: 7.1
Release: 1%{?dist}
Version: 7.22
Release: 6%{?dist}
Summary: Manage Linux IP sets
License: GPLv2
License: GPL-2.0-only
URL: http://ipset.netfilter.org/
Source0: http://ipset.netfilter.org/%{name}-%{version}.tar.bz2
Source0: %{url}/%{name}-%{version}.tar.bz2
Source1: %{name}.service
Source2: %{name}.start-stop
Source3: %{name}-config
Source4: %{name}.save-legacy
Patch001: 0001-Replace-BUG_ON-with-WARN_ON_ONCE-according-to-usage-.patch
Patch002: 0002-lib-data-Fix-for-global-buffer-overflow-warning-by-A.patch
Patch003: 0003-lib-ipset-Avoid-argv-array-overstepping.patch
Patch004: 0004-tests-Reduce-testsuite-run-time.patch
BuildRequires: libmnl-devel
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: make
BuildRequires: libtool
BuildRequires: libtool-ltdl-devel
# An explicit requirement is needed here, to avoid cases where a user would
# explicitly update only one of the two (e.g 'yum update ipset')
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
# RHEL10 moved ipset-specific kernel modules into extra package
Requires: kernel-modules-extra
%description
IP sets are a framework inside the Linux kernel since version 2.4.x, which can
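Review bot: `URL:` stays `http://ipset.netfilter.org/` and `Source0` is now derived from it, so the tarball reference is a plaintext URL; the SHA512 in `sources` pins the archive once it sits in the lookaside cache, but the initial fetch of a new release should use https so the maintainer is not trusting the network at import time. The new hard `Requires: kernel-modules-extra` makes a userspace CLI pull in a kernel package; that matches the stated RHEL10 module split, but it blocks installing `ipset` on hosts that deliberately omit that package (containers, custom kernels), so a `Recommends:` with the same comment may be the better fit.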
@ -47,6 +59,7 @@ This package contains the libraries which provide the IP sets funcionality.
%package devel
Summary: Development files for %{name}
Requires: %{name}-libs%{?_isa} == %{version}-%{release}
Requires: kernel-headers
%description devel
This package contains the files required to develop software using the %{name}
@ -57,7 +70,7 @@ libraries.
Summary: %{name} service for %{name}s
Requires: %{name} = %{version}-%{release}
BuildRequires: systemd
Requires: iptables-services
Requires: iptables-nft-services
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@ -69,10 +82,11 @@ out of the base package since it is not active by default.
%prep
%setup -q
%autosetup -p1
%build
./autogen.sh
%configure --enable-static=no --with-kmod=no
# Just to make absolutely sure we are not building the bundled kernel module
@ -83,11 +97,11 @@ rm -fr kernel
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
make %{?_smp_mflags}
%make_build
%install
make install DESTDIR=%{buildroot}
%make_install
find %{buildroot} -name '*.la' -exec rm -f '{}' \;
# install systemd unit file
@ -109,6 +123,9 @@ install -c -m 755 %{SOURCE4} %{buildroot}/%{legacy_actions}/ipset/save
# Create directory for configuration
mkdir -p %{buildroot}%{_sysconfdir}/%{name}
# Turn absolute symlink into a relative one
ln -sf %{name} %{buildroot}/%{_sbindir}/%{name}-translate
%preun
if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then
@ -117,13 +134,23 @@ if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then
fi
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%ldconfig_scriptlets libs
%post service
%systemd_post %{name}.service
if [[ -f /etc/ipset/ipset ]] && [[ ! -f /etc/sysconfig/ipset ]]; then
mv /etc/ipset/ipset /etc/sysconfig/ipset
ln -s /etc/sysconfig/ipset /etc/ipset/ipset
echo "Warning: ipset save location has moved to /etc/sysconfig"
fi
[[ -f /etc/sysconfig/iptables-config ]] && . /etc/sysconfig/iptables-config
[[ -f /etc/sysconfig/ip6tables-config ]] && . /etc/sysconfig/ip6tables-config
if [[ ${IPTABLES_SAVE_ON_STOP} == yes ]] || \
[[ ${IP6TABLES_SAVE_ON_STOP} == yes ]]; then
echo "Warning: ipset no longer saves automatically when iptables does"
echo " must enable explicitly in /etc/sysconfig/ipset-config"
fi
%preun service
if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then
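Review bot: the `%post service` scriptlet moves `/etc/ipset/ipset` to `/etc/sysconfig/ipset` without checking the result of `mv`, and prints the "save location has moved" warning either way; check `mv` before creating the link so a failed migration is visible. The two `. /etc/sysconfig/*-config` lines execute those files as shell during package installation; they are iptables' own configuration files, so this is the same trust the init scripts already place in them, but only two variables are needed here, and reading `IPTABLES_SAVE_ON_STOP` and `IP6TABLES_SAVE_ON_STOP` with grep instead of sourcing the files keeps arbitrary content in them from running under rpm.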
@ -135,35 +162,23 @@ fi
%postun service
%systemd_postun_with_restart %{name}.service
%triggerin service -- ipset-service < 6.38-1.el7
# Before 6.38-1, ipset.start-stop keeps a backup of previously saved sets, but
# doesn't touch the /etc/sysconfig/ipset.d/.saved flag. Remove the backup on
# upgrade, so that we use the current version of saved sets
rm -f /etc/sysconfig/ipset.save || :
exit 0
%triggerun service -- ipset-service < 6.38-1.el7
# Up to 6.29-1, ipset.start-stop uses a single data file
for f in /etc/sysconfig/ipset.d/*; do
[ "${f}" = "/etc/sysconfig/ipset.d/*" ] && break
cat ${f} >> /etc/sysconfig/ipset || :
done
exit 0
%files
%doc COPYING ChangeLog
%doc %{_mandir}/man8/%{name}.8.gz
%doc ChangeLog
%license COPYING
%{_mandir}/man8/%{name}*.8.*
%{_sbindir}/%{name}
%{_sbindir}/%{name}-translate
%files libs
%doc COPYING
%license COPYING
%{_libdir}/lib%{name}.so.13*
%doc %{_mandir}/man3/lib%{name}.3.gz
%files devel
%{_includedir}/lib%{name}
%{_libdir}/lib%{name}.so
%{_libdir}/pkgconfig/lib%{name}.pc
%{_mandir}/man3/libipset.3.*
%files service
%{_unitdir}/%{name}.service
@ -176,46 +191,141 @@ exit 0
%changelog
* Sun May 26 2019 Stefano Brivio <sbrivio@redhat.com> - 7.1-1
- Rebase to 7.1 (RHBZ#1649090):
- Add compatibility support for strscpy()
- Correct the manpage about the sort option
- Add missing functions to libipset.map
- configure.ac: Fix build regression on RHEL/CentOS/SL (Serhey Popovych)
- Implement sorting for hash types in the ipset tool
- Fix to list/save into file specified by option (reported by Isaac Good)
- Introduction of new commands and protocol version 7, updated kernel include files
- Add compatibility support for async in pernet_operations
- Use more robust awk patterns to check for backward compatibility
- Prepare the ipset tool to handle multiple protocol version
- Fix warning message handlin
- Correct to test null valued entry in hash:net6,port,net6 test
- Library reworked to support embedding ipset completely
- Add compatibility to support kvcalloc()
- Validate string type attributes in attr2data() (Stefano Brivio)
- manpage: Add comment about matching on destination MAC address (Stefano Brivio)
(RHBZ#1649079)
- Add compatibility to support is_zero_ether_addr()
- Fix use-after-free in ipset_parse_name_compat() (Stefano Brivio) (RHBZ#1649085)
- Fix leak in build_argv() on line parsing error (Stefano Brivio) (RHBZ#1649085)
- Simplify return statement in ipset_mnl_query() (Stefano Brivio) (RHBZ#1649085)
- tests/check_klog.sh: Try dmesg too, don't let shell terminate script (Stefano Brivio)
- Fixes:
- Fix all shellcheck warnings in init script (RHBZ#1649085)
- Make error reporting consistent, introduce different severities (RHBZ#1683711)
- While restoring, on invalid entries, remove them and retry (RHBZ#1683713)
- Fix covscan SC2166 warning in init script (RHBZ#1649085)
* Fri Nov 08 2024 Phil Sutter <psutter@redhat.com> - 7.22-6
- Bump for sidetag build
* Tue Nov 13 2018 Stefano Brivio <sbrivio@redhat.com> - 6.38-3
- Fix loading of sets with dependencies on other sets (RHBZ#1647096), and
hardcode 6.38-1.el7 for ipset-service upgrade and downgrade triggers, so that
we don't run into issues with z-stream updates
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 7.22-5
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Oct 08 2018 Stefano Brivio <sbrivio@redhat.com> - 6.38-2
- Drop ipset-devel dependency on kernel-devel (RHBZ#163175)
* Thu Oct 10 2024 Phil Sutter <psutter@redhat.com> - 7.22-4
- Add legacy actions for service save support
- ipset-services to depend on iptables-nft-services
- Require kernel-modules-extra
* Tue Aug 14 2018 Stefano Brivio <sbrivio@redhat.com> - 6.38-1
- Update to 6.38, source from RHEL7 6.38-2 (RHBZ#1615967)
* Tue Sep 10 2024 Phil Sutter <psutter@redhat.com> - 7.22-3
- Bump release to trigger CI
* Thu Aug 29 2024 Phil Sutter <psutter@redhat.com> - 7.22-2
- Bump release to trigger CI
* Thu Aug 01 2024 Phil Sutter <psutter@redhat.com> - 7.22-1
- Turn absolute ipset-translate symlink into a relative one
- Rebase onto 7.22 plus fixes
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 7.21-2
- Bump release for June 2024 mass rebuild
* Mon Feb 12 2024 Nicolas Chauvet <kwizart@gmail.com> - 7.21-1
- Update to 7.21
* Thu Feb 01 2024 Nicolas Chauvet <kwizart@gmail.com> - 7.20-1
- Update to 7.20
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7.19-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7.19-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Oct 23 2023 Nicolas Chauvet <kwizart@gmail.com> - 7.19-1
- Update to 7.19
* Fri Aug 11 2023 Phil Sutter <psutter@redhat.com> - 7.17-7
- Convert license to SPDX format
* Fri Aug 11 2023 Phil Sutter <psutter@redhat.com> - 7.17-6
- Convert license to SPDX format
* Fri Aug 11 2023 Phil Sutter <psutter@redhat.com> - 7.17-5
- Convert license to SPDX format
* Fri Aug 11 2023 Phil Sutter <psutter@redhat.com> - 7.17-4
- Convert license to SPDX format
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7.17-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jan 02 2023 Nicolas Chauvet <kwizart@gmail.com> - 7.17-1
- Update to 7.17
* Fri Dec 02 2022 Nicolas Chauvet <kwizart@gmail.com> - 7.16-1
- Update to 7.16
* Tue Aug 23 2022 Nicolas Chauvet <kwizart@gmail.com> - 7.15-5
- Backport upstream patches - rhbz#2117654
ipset-translate does not work with IPv6 sets
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7.15-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Mar 15 2022 Phil Sutter <psutter@redhat.com> - 7.15-3
- Use the advanced init script from Centos9Stream
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7.15-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Aug 16 2021 Nicolas Chauvet <kwizart@gmail.com> - 7.15-1
- Update to 7.15
* Wed Jul 28 2021 Nicolas Chauvet <kwizart@gmail.com> - 7.14-1
- Update to 7.14
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7.11-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Mon Mar 01 2021 Nicolas Chauvet <kwizart@gmail.com> - 7.11-1
- Update to 7.11
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Dec 21 2020 Nicolas Chauvet <kwizart@gmail.com> - 7.10-1
- Update to 7.10
* Wed Dec 16 2020 Nicolas Chauvet <kwizart@gmail.com> - 7.9-1
- Update to 7.9
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Feb 24 2020 Nicolas Chauvet <kwizart@gmail.com> - 7.6-1
- Update to 7.6
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 10 2020 Nicolas Chauvet <kwizart@gmail.com> - 7.5-1
- Update to 7.5
* Mon Nov 04 2019 Eric Garver <eric@garver.life> - 7.4-1
- Update to 7.4
* Mon Aug 19 2019 Nicolas Chauvet <kwizart@gmail.com> - 7.3-1
- Update to 7.3
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jul 11 2019 Nicolas Chauvet <kwizart@gmail.com> - 7.2-1
- Update to 7.2
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.38-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Aug 13 2018 Nicolas Chauvet <kwizart@gmail.com> - 6.38-1
- Update to 6.38
- Clean-up spec
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.35-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Feb 12 2018 Eric Garver <egarver@redhat.com> - 6.35-3
- Patch for missing header file (RHBZ#1543596)


@ -257,7 +257,13 @@ load() {
CLEAN_FILES="${CLEAN_FILES} ${mangled}"
chmod 600 "${mangled}"
awk '/^(add|create) ('"${conflicts}"')/ { printf "%s ",$1; system("echo '${salt}'" $2 " | md5sum | head -c31"); $1=""; $2=""; print; next} {print}' "${merged}" > "${mangled}"
cat "${merged}" > "${mangled}"
IFS='|'
for set in ${conflicts}; do
new_name=$(echo "${salt}${set}" | md5sum | head -c31)
echo "s/^(add|create) $set /\1 $new_name /"
done | sed -i -r -f - "${mangled}"
unset IFS
if ! ipset_restore "${mangled}"; then
err "Failed to restore configured sets"
exit 1
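Review bot: the sed script is built by interpolating each conflicting set name unescaped into `s/^(add|create) $set /\1 $new_name /`, so a name containing a sed metacharacter (`/` ends the expression early; `.`, `[` or `*` change what matches) breaks the rewrite or renames the wrong lines; escape the name before use, or use a delimiter that cannot occur in a set name. Dropping the awk `system("echo '${salt}'" $2 ...)` call is a clear improvement: that spawned a shell per matching line with the set name spliced into the command string, so a name containing shell metacharacters was interpreted by that shell, whereas the new loop only passes the name through `echo` and `md5sum`.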

plans/tier1-gating.fmf Normal file

@ -0,0 +1,10 @@
summary: Internal Tier1-gating beakerlib tests
discover:
how: fmf
url: git://pkgs.devel.redhat.com/tests/ipset
filter: 'tag: CI-gating & tag: -destructive'
execute:
how: tmt
adjust:
enabled: false
when: distro == centos-stream or distro == fedora
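Review bot: `url: git://pkgs.devel.redhat.com/tests/ipset` fetches the gating tests over the unauthenticated git protocol, so the test content is not integrity-protected in transit; use https or ssh if the host offers it, and add a `ref:` so a gating run is reproducible instead of tracking whatever the branch head is at the time.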

rpminspect.yaml Normal file

@ -0,0 +1,6 @@
badfuncs:
allowed:
/usr/lib*/libipset.so.*:
# Upstream maintainer deliberately chose this over getaddrinfo, see
# commit c52cf6000923b ("Use gethostbyname2 instead of getaddrinfo")
- gethostbyname2


@ -1 +1 @@
SHA512 (ipset-7.1.tar.bz2) = eae9bd83f6675754af8ca443a82e0a1c9d47f60f6bf2a7a405a695223cc17063d5d4eb79428fe21a1f0a867109dfaf8ad8071b45e92191ec108b2cd2382fa854
SHA512 (ipset-7.22.tar.bz2) = e375a9110eb7974480147c57eb2cff4bdd03c7704cdae006a3d254cc80fada587aa8aee25a86f7cab29db83f5e283c5f9a47a314297317660ebba5097f623d79


@ -0,0 +1,36 @@
# SPDX-License-Identifier: LGPL-2.1+
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/ipset
# Description: Test if ipset working ok
# Author: Susant Sahani<susant@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/ipset
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile iperf3d.service
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Susant Sahani<susant@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test ipset sanity" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: ipset " >> $(METADATA)
@echo "Requires: ipset iperf3 systemd iptables kernel-modules-extra" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -Fedora29" >> $(METADATA)
rhts-lint $(METADATA)
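Review bot: the header says `SPDX-License-Identifier: LGPL-2.1+` while the generated metadata writes `License: GPLv2`; pick one. `Releases: -Fedora29` excludes only Fedora 29 and `RunFor: ipset ` carries a trailing space; both are harmless but look like residue copied from another test.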


@ -0,0 +1,10 @@
[Unit]
Description=iperf3d tests for ipset
After=multi-user.target network.target
[Service]
Type=simple
ExecStart=/usr/bin/iperf3 -s -d --bind 192.168.225.32 --port 55555 -V
[Install]
WantedBy=multi-user.target
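Review bot: the unit runs `iperf3 -s` as root with no `User=`, `DynamicUser=` or sandboxing directives, bound to a fixed address that only exists after the test has created `veth-test`; `After=network.target` does not wait for that. `-d` is iperf3's debug flag, not daemon mode, so the server is merely verbose. Since the unit exists only for the harness, add `DynamicUser=yes` (or `User=nobody`) and `ProtectSystem=strict`, and have the test wait for the listening socket rather than sleeping after `systemctl start`.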

tests/sanity-tests/runtest.sh Executable file

@ -0,0 +1,140 @@
#!/bin/bash
# SPDX-License-Identifier: LGPL-2.1+
# ~~~
# runtest.sh of ipset
# Description: ipset tests.
#
# Author: Susant Sahani <susant@redhat.com>
# Copyright (c) 2018 Red Hat, Inc.
# ~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="ipset"
SERVICE_UNITDIR="/var/run/systemd/system"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlAssertRpm kernel-modules-extra-$(uname -r)
rlRun "systemctl stop firewalld" 0,5
rlRun "[ -e /sys/class/net/veth-test ] && ip link del veth-test" 0,1
rlRun "cp iperf3d.service $SERVICE_UNITDIR"
rlRun "systemctl daemon-reload"
rlRun "ip link add veth-test type veth peer name veth-peer"
rlRun "ip link set veth-test addr 02:01:02:03:04:08"
rlRun "ip link set veth-peer addr 02:01:02:03:04:09"
rlRun "ip addr add 192.168.225.32/24 dev veth-test"
rlRun "ip addr add 192.168.225.33/24 dev veth-peer"
rlRun "ip link set veth-test up"
rlRun "ip link set veth-peer up"
rlPhaseEnd
rlPhaseStartTest "test_ipset_bitmap_ip_netfilter"
rlRun "ipset create testnetiperf hash:ip"
rlRun "ipset add testnetiperf 192.168.225.32"
rlRun "ipset add testnetiperf 192.168.225.33"
rlRun "ipset test testnetiperf 192.168.225.32"
rlRun "ipset test testnetiperf 192.168.225.33"
rlRun "systemctl start iperf3d.service"
sleep 1
rlRun "iperf3 -c 192.168.225.32 -p 55555 --connect-timeout 5"
rlRun "iptables -I INPUT -m set --match-set testnetiperf src -j DROP"
rlRun "iperf3 -c 192.168.225.32 -p 55555 --connect-timeout 5" 1
rlRun "systemctl stop iperf3d.service"
rlRun "iptables --delete INPUT -m set --match-set testnetiperf src -j DROP"
rlRun "ipset destroy testnetiperf"
rlPhaseEnd
rlPhaseStartTest "test_ipset_add_bitmap_ip"
rlRun "ipset create testnet hash:ip"
rlRun "ipset add testnet 192.168.11.12"
rlRun "ipset add testnet 192.168.11.13"
rlRun "ipset add testnet 192.168.11.14"
rlRun "ipset add testnet 192.168.11.15"
rlRun "ipset test testnet 192.168.11.12"
rlRun "ipset test testnet 192.168.11.13"
rlRun "ipset test testnet 192.168.11.14"
rlRun "ipset test testnet 192.168.11.15"
rlRun "ipset destroy testnet"
rlPhaseEnd
rlPhaseStartTest "test_ipset_delete_bitmap_ip"
rlRun "ipset create testnet hash:ip"
rlRun "ipset add testnet 192.168.11.12"
rlRun "ipset add testnet 192.168.11.13"
rlRun "ipset test testnet 192.168.11.12"
rlRun "ipset test testnet 192.168.11.13"
rlRun "ipset del testnet 192.168.11.12"
rlRun "ipset test testnet 192.168.11.12" 1
rlRun "ipset destroy testnet"
rlPhaseEnd
rlPhaseStartTest "test_ipset_hash_bitmap_mac"
rlRun "ipset create testmac hash:mac"
rlRun "ipset add testmac 02:01:02:03:04:09"
rlRun "ipset test testmac 02:01:02:03:04:09"
rlRun "ipset del testmac 02:01:02:03:04:09"
rlRun "ipset test testmac 02:01:02:03:04:09" 1
rlRun "ipset destroy testmac"
rlPhaseEnd
rlPhaseStartTest "test_ipset_hash_bitmap_ipport"
rlRun "ipset create testipport hash:ip,mac"
rlRun "ipset add testipport 1.1.1.1,02:01:02:03:04:09"
rlRun "ipset test testipport 1.1.1.1,02:01:02:03:04:09"
rlRun "ipset del testipport 1.1.1.1,02:01:02:03:04:09"
rlRun "ipset test testipport 1.1.1.1,02:01:02:03:04:09" 1
rlRun "ipset destroy testipport"
rlPhaseEnd
rlPhaseStartTest "test_ipset_hash_bitmap_ipport"
rlRun "ipset create testipport hash:ip,port"
rlRun "ipset add testipport 192.168.1.1,udp:53"
rlRun "ipset add testipport 192.168.1.1,5555"
rlRun "ipset test testipport 192.168.1.1,udp:53"
rlRun "ipset test testipport 192.168.1.1,5555"
rlRun "ipset del testipport 192.168.1.1,5555"
rlRun "ipset test testipport 192.168.1.1,5555" 1
rlRun "ipset destroy testipport"
rlPhaseEnd
rlPhaseStartTest "test_ipset_hash_bitmap_ipportip"
rlRun "ipset create testipportip hash:ip,port,ip"
rlRun "ipset add testipportip 192.168.1.1,80,10.0.0.1"
rlRun "ipset add testipportip 192.168.1.2,80,10.0.0.2"
rlRun "ipset test testipportip 192.168.1.1,80,10.0.0.1"
rlRun "ipset test testipportip 192.168.1.1,80,10.0.0.1"
rlRun "ipset del testipportip 192.168.1.1,80,10.0.0.1"
rlRun "ipset test testipportip 192.168.1.1,80,10.0.0.1" 1
rlRun "ipset destroy testipportip"
rlPhaseEnd
rlPhaseStartTest "test_ipset_hash_bitmap_netiface"
rlRun "ipset create testnetiface hash:net,iface"
rlRun "ipset add testnetiface 192.168.0/24,veth-test"
rlRun "ipset add testnetiface 192.167.0/24,veth-peer"
rlRun "ipset test testnetiface 192.168.0/24,veth-test"
rlRun "ipset test testnetiface 192.167.0/24,veth-peer"
rlRun "ipset del testnetiface 192.168.0/24,veth-test"
rlRun "ipset test testnetiface 192.168.0/24,veth-test" 1
rlRun "ipset destroy testnetiface"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "ip link del veth-test"
rlRun "rm $SERVICE_UNITDIR/iperf3d.service"
rlRun "systemctl daemon-reload"
rlLog "ipset tests done"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
rlGetTestState
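Review bot: two phases share the name `test_ipset_hash_bitmap_ipport` (the first actually creates `hash:ip,mac`), the `ipportip` phase tests `192.168.1.1,80,10.0.0.1` twice instead of also testing the `192.168.1.2,80,10.0.0.2` entry it added, and the phase names say `bitmap` while every set is a `hash:*` type. More important for a test that edits the firewall: if the netfilter phase fails between `iptables -I INPUT ... -j DROP` and the matching `--delete`, the cleanup phase removes neither the rule nor the `testnetiperf` set, and `firewalld`, stopped in setup, is never started again, so a failed run leaves the host with the DROP rule in place and its firewall service down. Move the rule deletion, set destruction and a conditional `systemctl start firewalld` into `rlPhaseStartCleanup`, and replace the `sleep 1` after starting iperf3d with `rlWaitForSocket 55555`.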

tests/tests.yml Normal file

@ -0,0 +1,14 @@
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- sanity-tests
required_packages:
- ipset
- iptables
- systemd
- iproute
- iperf3
- kernel-modules-extra