From 17f0287b898c744f0d0ced45d23e3f4eb426b418 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Mon, 11 Oct 2021 17:31:01 +0200
Subject: [PATCH] iptables-1.8.7-26.el9
- tests/shell: Assert non-verbose mode is silent
- nft: Fix for non-verbose check command
Resolves: rhbz#1989466
---
 ...ft-Fix-for-non-verbose-check-command.patch | 31 +++++++++++++++
 ...ll-Assert-non-verbose-mode-is-silent.patch | 39 +++++++++++++++++++
 iptables.spec | 8 +++-
 3 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 0023-nft-Fix-for-non-verbose-check-command.patch
 create mode 100644 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
diff --git a/0023-nft-Fix-for-non-verbose-check-command.patch b/0023-nft-Fix-for-non-verbose-check-command.patch
new file mode 100644
index 0000000..da2f873
--- /dev/null
+++ b/0023-nft-Fix-for-non-verbose-check-command.patch
@@ -0,0 +1,31 @@
+From 5b88835a68a886f58c230599a82a6588f6fc5214 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 3 Aug 2021 10:55:20 +0200
+Subject: [PATCH] nft: Fix for non-verbose check command
+
+Check command was unconditionally verbose since v1.8.5. Make it respect
+--verbose option again.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0)
+---
+ iptables/nft.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 83054e528cae1..a470939db54fb 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
+ case NFT_COMPAT_RULE_CHECK:
+ assert_chain_exists(h, cmd->table, cmd->jumpto);
+ ret = nft_rule_check(h, cmd->chain, cmd->table,
+- cmd->obj.rule, cmd->rulenum);
++ cmd->obj.rule, cmd->verbose);
+ break;
+ case NFT_COMPAT_RULE_ZERO:
+ ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
+--
+2.33.0
+
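Review bot: The call in the NFT_COMPAT_RULE_CHECK case passes the verbosity flag purely by position, which is how `cmd->rulenum` ended up in that slot unnoticed. Presumably both fields are integers, so the compiler had nothing to warn about, though nft_rule_check's prototype is outside this hunk. A short comment on the changed line would make the intent reviewable, e.g. `/* last argument: verbose flag, not a rule number */`. nft_prepare's body starts before and continues after the hunk, so the sibling cases cannot be checked for the same mix-up from here.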
diff --git a/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch b/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
new file mode 100644
index 0000000..3b6b62f
--- /dev/null
+++ b/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
@@ -0,0 +1,39 @@
+From 5d5c82f9bbdc8326132333f7713dfb5d457aafab Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 3 Aug 2021 11:32:34 +0200
+Subject: [PATCH] tests/shell: Assert non-verbose mode is silent
+
+Unexpected output from iptables commands might mess up error-checking in
+scripts for instance, so do a quick test of the most common commands.
+
+Note: Test adds two rules to make sure flush command operates on a
+non-empty chain.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 8629c53f933a16f1d68d19fb163c879453a3dcf2)
+---
+ .../shell/testcases/iptables/0002-verbose-output_0 | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
+index b1ef91f61f481..5d2af4c8d2ab2 100755
+--- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
++++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
+@@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar)
+ diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar)
+
+ diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar)
++
++# make sure non-verbose mode is silent
++diff -u <(echo -n "") <(
++ $XT_MULTI iptables -N foobar
++ $XT_MULTI iptables -A foobar $RULE1
++ $XT_MULTI iptables -A foobar $RULE2
++ $XT_MULTI iptables -C foobar $RULE1
++ $XT_MULTI iptables -D foobar $RULE2
++ $XT_MULTI iptables -F foobar
++ $XT_MULTI iptables -X foobar
++)
+--
+2.33.0
+
diff --git a/iptables.spec b/iptables.spec
index fd6b09e..b5a012f 100644
--- a/iptables.spec
+++ b/iptables.spec
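Review bot: The new silence assertion in 0002-verbose-output_0 only compares stdout, because the `<( … )` process substitution captures standard output and nothing else. A command that fails and prints its error on stderr still yields an empty stream, and its exit status is discarded, so the test passes. Since the stated goal is that unexpected output must not disturb error checking in scripts, consider adding `exec 2>&1` as the first line inside the second `<(` block, so that an error message from `-C`, `-D` or `-F` fails the diff. Whether the script sets `-e` is not visible in this hunk, but errexit would not propagate out of the process substitution either way.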
@@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 25%{?dist}
+Release: 26%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -51,6 +51,8 @@ Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
 Patch20: 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
 Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
 Patch22: 0022-ebtables-Dump-atomic-waste.patch
+Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
+Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -466,6 +468,10 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 %changelog
+* Mon Oct 11 2021 Phil Sutter - 1.8.7-26
+- tests/shell: Assert non-verbose mode is silent
+- nft: Fix for non-verbose check command
+
 * Wed Oct 06 2021 Phil Sutter - 1.8.7-25
 - ebtables: Dump atomic waste
 - doc: ebtables-nft.8: Adjust for missing atomic-options