From 18074ebc22491d0b58d1c08f88799deea2e4c801 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 16 Jun 2021 11:24:21 +0200
Subject: [PATCH] iptables-1.8.7-10 - Backport fixes from upstream

---
 ...it-gracefully-on-invalid-table-names.patch | 6 +-
 0002-iptables-nft-fix-Z-option.patch | 104 ++++++++++++++++++
 ...twise-expression-avoidance-detection.patch | 73 ++++++++++++
 ...nsions-sctp-Fix-nftables-translation.patch | 80 ++++++++++++++
 ...leftover-variable-in-xtables_numeric.patch | 33 ++++++
 ...ons-libebt_ip6-Drop-unused-variables.patch | 49 +++++++++
 ...-Fix-memleak-in-xtopt_parse_hostmask.patch | 29 +++++
 ...memleak-in-error-path-of-nft_cmd_new.patch | 34 ++++++
 ...-iptables-apply-Drop-unused-variable.patch | 29 +++++
 iptables.spec | 15 ++-
 10 files changed, 447 insertions(+), 5 deletions(-)
 create mode 100644 0002-iptables-nft-fix-Z-option.patch
 create mode 100644 0003-nft-Fix-bitwise-expression-avoidance-detection.patch
 create mode 100644 0004-extensions-sctp-Fix-nftables-translation.patch
 create mode 100644 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
 create mode 100644 0006-extensions-libebt_ip6-Drop-unused-variables.patch
 create mode 100644 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
 create mode 100644 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
 create mode 100644 0009-iptables-apply-Drop-unused-variable.patch

diff --git a/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch b/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
index ba625a2..93191ca 100644
--- a/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
+++ b/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
@@ -1,4 +1,4 @@
-From 30c1d443896311e69762d6b51b63908ec602574f Mon Sep 17 00:00:00 2001
+From df7ed83da048317d344b34e9c38e31035e508f24 Mon Sep 17 00:00:00 2001
 From: Phil Sutter
 Date: Thu, 28 Jan 2021 01:09:56 +0100
 Subject: [PATCH] ebtables: Exit gracefully on invalid table names
@@ -22,7 +22,7 @@ With this patch in place, output looks much better:
 | Perhaps iptables or your kernel needs to be upgraded.
 
 Signed-off-by: Phil Sutter
-Signed-off-by: Phil Sutter
+(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
 ---
  iptables/xtables-eb.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)
@@ -47,5 +47,5 @@ index cfa9317c78e94..5bb34d6d292a9 100644
  table_set = true;
  break;
 -- 
-2.28.0
+2.31.1
 
diff --git a/0002-iptables-nft-fix-Z-option.patch b/0002-iptables-nft-fix-Z-option.patch
new file mode 100644
index 0000000..d7f4a6a
--- /dev/null
+++ b/0002-iptables-nft-fix-Z-option.patch
@@ -0,0 +1,104 @@ +From 56f5ee8dee86d4ceaeac7eb6e1eaaa2ac3a1d0f8 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 24 Feb 2021 11:08:02 +0100 +Subject: [PATCH] iptables-nft: fix -Z option + +it zeroes the rule counters, so it needs fully populated cache. +Add a test case to cover this. + +Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands") +Signed-off-by: Florian Westphal +Acked-by: Phil Sutter +(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2) +--- + iptables/nft-cmd.c | 2 +- + .../testcases/iptables/0007-zero-counters_0 | 64 +++++++++++++++++++ + 2 files changed, 65 insertions(+), 1 deletion(-) + create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0 + +diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c +index 5d33f1f00f574..f2b935c57dab4 100644 +--- a/iptables/nft-cmd.c ++++ b/iptables/nft-cmd.c +@@ -185,7 +185,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain, + if (!cmd) + return 0; + +- nft_cache_level_set(h, NFT_CL_CHAINS, cmd); ++ nft_cache_level_set(h, NFT_CL_RULES, cmd); + + return 1; + } +diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 +new file mode 100755 +index 0000000000000..36da1907e3b22 +--- /dev/null ++++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 +@@ -0,0 +1,64 @@ ++#!/bin/bash ++ ++RC=0 ++COUNTR=$RANDOM$RANDOM ++ ++$XT_MULTI iptables-restore -c < +Date: Fri, 19 Feb 2021 16:54:57 +0100 +Subject: [PATCH] nft: Fix bitwise expression avoidance detection + +Byte-boundary prefix detection was too sloppy: Any data following the +first zero-byte was ignored. Add a follow-up loop making sure there are +no stray bits in the designated host part. 
+ +Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches") +Signed-off-by: Phil Sutter +(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba) +--- + iptables/nft-shared.c | 4 +++- + .../testcases/ip6tables/0004-address-masks_0 | 24 +++++++++++++++++++ + 2 files changed, 27 insertions(+), 1 deletion(-) + create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 + +diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c +index 10553ab26823b..c1664b50f9383 100644 +--- a/iptables/nft-shared.c ++++ b/iptables/nft-shared.c +@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset, + { + const unsigned char *m = mask; + bool bitwise = false; +- int i; ++ int i, j; + + for (i = 0; i < len; i++) { + if (m[i] != 0xff) { +@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset, + break; + } + } ++ for (j = i + 1; !bitwise && j < len; j++) ++ bitwise = !!m[j]; + + if (!bitwise) + len = i; +diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 +new file mode 100755 +index 0000000000000..7eb42f08da975 +--- /dev/null ++++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 +@@ -0,0 +1,24 @@ ++#!/bin/bash ++ ++set -e ++ ++$XT_MULTI ip6tables-restore < +Date: Tue, 4 May 2021 16:03:24 +0200 +Subject: [PATCH] extensions: sctp: Fix nftables translation + +If both sport and dport was present, incorrect nft syntax was generated. 
+ +Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft") +Signed-off-by: Phil Sutter +(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167) +--- + extensions/libxt_sctp.c | 10 ++++------ + extensions/libxt_sctp.txlate | 10 +++++----- + 2 files changed, 9 insertions(+), 11 deletions(-) + +diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c +index 140de2653b1ef..ee4e99ebf11bf 100644 +--- a/extensions/libxt_sctp.c ++++ b/extensions/libxt_sctp.c +@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl, + if (!einfo->flags) + return 0; + +- xt_xlate_add(xl, "sctp "); +- + if (einfo->flags & XT_SCTP_SRC_PORTS) { + if (einfo->spts[0] != einfo->spts[1]) +- xt_xlate_add(xl, "sport%s %u-%u", ++ xt_xlate_add(xl, "sctp sport%s %u-%u", + einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", + einfo->spts[0], einfo->spts[1]); + else +- xt_xlate_add(xl, "sport%s %u", ++ xt_xlate_add(xl, "sctp sport%s %u", + einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", + einfo->spts[0]); + space = " "; +@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl, + + if (einfo->flags & XT_SCTP_DEST_PORTS) { + if (einfo->dpts[0] != einfo->dpts[1]) +- xt_xlate_add(xl, "%sdport%s %u-%u", space, ++ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space, + einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", + einfo->dpts[0], einfo->dpts[1]); + else +- xt_xlate_add(xl, "%sdport%s %u", space, ++ xt_xlate_add(xl, "%ssctp dport%s %u", space, + einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", + einfo->dpts[0]); + } +diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate +index 72f4641ab021c..0d6c59e183675 100644 +--- a/extensions/libxt_sctp.txlate ++++ b/extensions/libxt_sctp.txlate +@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! 
--dport 50:56 -j ACCEPT + nft add rule ip filter INPUT sctp dport != 50-56 counter accept + + iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT +-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept ++nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept + + iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT +-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept ++nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept + + iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT +-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept ++nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept + + iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT +-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept ++nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept + + iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT +-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept ++nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept +-- +2.31.1 + diff --git a/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch b/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch new file mode 100644 index 0000000..a97305a --- /dev/null +++ b/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch 
@@ -0,0 +1,33 @@
+From bdd9eb3bcce460815eecc39decf0cceb3fb0949b Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 13 Nov 2020 21:04:39 +0100
+Subject: [PATCH] libxtables: Drop leftover variable in
+ xtables_numeric_to_ip6addr()
+
+Variable 'err' was only used in removed debug code, so drop it as well.
+
+Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
+---
+ libxtables/xtables.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index bc42ba8221f3a..6947441fec659 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
+ struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
+ {
+ static struct in6_addr ap;
+- int err;
+
+- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
++ if (inet_pton(AF_INET6, num, &ap) == 1)
+ return ≈
+
+ return NULL;
+--
+2.31.1
+
diff --git a/0006-extensions-libebt_ip6-Drop-unused-variables.patch b/0006-extensions-libebt_ip6-Drop-unused-variables.patch
new file mode 100644
index 0000000..5b40690
--- /dev/null
+++ b/0006-extensions-libebt_ip6-Drop-unused-variables.patch
@@ -0,0 +1,49 @@
+From 8724e4edb3630f17ddf1897172953f2dc97ef6a1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 13 Nov 2020 21:13:50 +0100
+Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
+
+They are being assigned to but never read.
+
+Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
+---
+ extensions/libebt_ip6.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index b8a5a5d8c3a92..301bed9aadefd 100644
+--- a/extensions/libebt_ip6.c
++++ b/extensions/libebt_ip6.c
+@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
+ static struct in6_addr *numeric_to_addr(const char *num)
+ {
+ static struct in6_addr ap;
+- int err;
+
+- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
++ if (inet_pton(AF_INET6, num, &ap) == 1)
+ return ≈
+ return (struct in6_addr *)NULL;
+ }
+@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
+ char buf[256];
+ char *p;
+ int i;
+- int err;
+
+ strncpy(buf, address, sizeof(buf) - 1);
+ /* first the mask */
+@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
+ if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+ strcpy(buf, "::");
+
+- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
++ if (inet_pton(AF_INET6, buf, addr) < 1) {
+ xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
+ return;
+ }
+--
+2.31.1
+
diff --git a/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch b/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
new file mode 100644
index 0000000..8b7829b
--- /dev/null
+++ b/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
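Review bot: In the ebt_parse_ip6_address hunk the untouched context line `strncpy(buf, address, sizeof(buf) - 1);` leaves `buf` without a NUL terminator whenever `address` is 255 bytes or longer, because `buf` is declared uninitialised two lines above and strncpy only pads when the source is shorter than the count; the later parsing of `buf` then reads past the array. The backport only drops `err` here and does not address this, so it is worth a follow-up: add `buf[sizeof(buf) - 1] = '\0';` directly after the strncpy, or replace it with `snprintf(buf, sizeof(buf), "%s", address);`. Where `address` comes from is not visible here, so whether an over-long value can actually reach this point is unconfirmed. ebt_parse_ip6_address starts and ends outside the hunk.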
@@ -0,0 +1,29 @@
+From 81e5a32b0369d44a3319b76395ef76950884ecce Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 11:04:30 +0200
+Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
+
+The allocated hostmask duplicate needs to be freed again.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter
+(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
+---
+ libxtables/xtoptions.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index d329f2ff7979e..0dcdf607f4678 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
+ cb->arg = p;
+ xtopt_parse_plenmask(cb);
+ cb->arg = orig_arg;
++ free(work);
+ }
+
+ static void xtopt_parse_ethermac(struct xt_option_call *cb)
+--
+2.31.1
+
diff --git a/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch b/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
new file mode 100644
index 0000000..2006ef2
--- /dev/null
+++ b/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
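Review bot: The new `free(work);` sits only on the fall-through end of xtopt_parse_hostmask, so any early return between the allocation of `work` and this line would still leak the duplicate; the start of the function, where `work` is created, is outside the hunk and cannot be checked here. If the only early exits are through a non-returning error handler this is complete, otherwise those paths need the same release. A short comment on the added line would make the ownership obvious to the next reader, e.g. `free(work); /* the hostmask duplicate made above */`.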
@@ -0,0 +1,34 @@
+From bf931f3213cc66f798a1a9966220816fd3259a2f Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 11:55:20 +0200
+Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
+
+If rule allocation fails, free the allocated 'cmd' before returning to
+caller.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter
+(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
+---
+ iptables/nft-cmd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index f2b935c57dab4..c3f6c14e0b99e 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+
+ if (state) {
+ rule = nft_rule_new(h, chain, table, state);
+- if (!rule)
++ if (!rule) {
++ nft_cmd_free(cmd);
+ return NULL;
++ }
+
+ cmd->obj.rule = rule;
+
+--
+2.31.1
+
diff --git a/0009-iptables-apply-Drop-unused-variable.patch b/0009-iptables-apply-Drop-unused-variable.patch
new file mode 100644
index 0000000..be088c2
--- /dev/null
+++ b/0009-iptables-apply-Drop-unused-variable.patch
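Review bot: `nft_cmd_free(cmd)` in the new error branch is only correct if, at this point, `cmd` has not yet been linked into any command list and every pointer member that nft_cmd_free releases is either already assigned or still NULL; the earlier part of nft_cmd_new, where `cmd` is allocated and its fields filled, is outside the hunk, so this cannot be confirmed from here. If a list insertion happens before the rule allocation, freeing here would leave a dangling list entry and the insertion should move below this check. A one-line comment on the freeing line stating the precondition, e.g. `/* cmd is not linked anywhere yet, so releasing it whole is safe */`, would document the assumption for future edits to this function.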
@@ -0,0 +1,29 @@
+From fa0569c3d701d929393def1851421a4cacf251cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 12:50:57 +0200
+Subject: [PATCH] iptables-apply: Drop unused variable
+
+It was assigned to but never read.
+
+Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
+---
+ iptables/iptables-apply | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/iptables/iptables-apply b/iptables/iptables-apply
+index 4683b1b402d08..3a7df5e3cbc1f 100755
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -231,7 +231,6 @@ case "$MODE" in
+ "$RUNCMD" &
+ CMD_PID=$!
+ ( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
+- CMDTIMEOUT_PID=$!
+ if ! wait "$CMD_PID"; then
+ echo "failed."
+ echo "Error: unknown error running command: $RUNCMD" >&2
+--
+2.31.1
+
diff --git a/iptables.spec b/iptables.spec
index 368e429..e02c24d 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -11,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
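Review bot: Removing `CMDTIMEOUT_PID=$!` drops the only handle on the `( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &` watchdog started on the line above it, so once the command finishes on its own the watchdog keeps sleeping and later signals a PID that may by then belong to an unrelated process. The commit message confirms the variable was never read, which is the actual defect; rather than deleting it, the value could be used to cancel the watchdog right after the `wait`, on both outcomes: `kill "$CMDTIMEOUT_PID" 2>/dev/null`. The remainder of this case branch is outside the hunk, so how the success path continues cannot be seen here.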
@@ -20,7 +20,15 @@ Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
 Source6: arptables-nft-helper
 
-Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
+Patch01: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
+Patch02: 0002-iptables-nft-fix-Z-option.patch
+Patch03: 0003-nft-Fix-bitwise-expression-avoidance-detection.patch
+Patch04: 0004-extensions-sctp-Fix-nftables-translation.patch
+Patch05: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
+Patch06: 0006-extensions-libebt_ip6-Drop-unused-variables.patch
+Patch07: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
+Patch08: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
+Patch09: 0009-iptables-apply-Drop-unused-variable.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -418,6 +426,9 @@ fi
 %changelog
+* Wed Jun 16 2021 Phil Sutter - 1.8.7-10
+- Backport fixes from upstream
+
 * Wed Jun 16 2021 Phil Sutter - 1.8.7-9
 - Remove bashisms from arptables-nft-helper