import iptables-1.8.4-22.el8

SOURCES/0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch

@@ -0,0 +1,47 @@
+From 41660ba1faea8b7ebd71e94c70ef175a75ab91cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 8 Nov 2021 17:03:21 +0100
+Subject: [PATCH] extensions: hashlimit: Fix tests with HZ=1000
+
+In an attempt to fix for failing hashlimit tests with HZ=100, the
+expected failures were changed so they are expected to pass and the
+parameters changed to seemingly fix them. Yet while the new parameters
+worked on HZ=100 systems, with higher tick rates they didn't so the
+observed problem moved from the test failing on HZ=100 to failing on
+HZ=1000 instead.
+
+Kernel's error message "try lower: 864000000/5" turned out to be a red
+herring: The burst value does not act as a dividor but a multiplier
+instead, so in order to lower the overflow-checked value, a lower burst
+value must be chosen. Inded, using a burst value of 1 makes the kernel
+accept the rule in both HZ=100 and HZ=1000 configurations.
+
+Fixes: bef9dc575625a ("extensions: hashlimit: Fix tests with HZ=100")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 1eab8e83aec0e6965f11f8cad460add1caeae629)
+---
+ extensions/libxt_hashlimit.t | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
+index 8369933786f68..206d92935f2e2 100644
+--- a/extensions/libxt_hashlimit.t
++++ b/extensions/libxt_hashlimit.t
+@@ -3,12 +3,12 @@
+ -m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+--m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
++-m hashlimit --hashlimit-above 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
++-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+-- 
+2.33.0
+

SPECS/iptables.spec

@@ -17,7 +17,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.4
-Release: 21%{?dist}
+Release: 22%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -95,6 +95,7 @@ Patch58: 0058-nft-cache-Retry-if-kernel-returns-EINTR.patch
 Patch59: 0059-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
 Patch60: 0060-ebtables-Dump-atomic-waste.patch
 Patch61: 0061-extensions-hashlimit-Fix-tests-with-HZ-100.patch
+Patch62: 0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -503,6 +504,9 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 
 %changelog
+* Mon Nov 29 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-22
+- extensions: hashlimit: Fix tests with HZ=1000
+
 * Thu Oct 07 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-21
 - extensions: hashlimit: Fix tests with HZ=100
 - ebtables: Dump atomic waste