iptables-1.8.10-2.el9

* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9] - ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147] Resolves: RHEL-14147
2023-11-07 22:46:55 +00:00 · 2023-11-07 22:46:55 +00:00 · 18727bce9f
commit 18727bce9f
parent e68693c04a
2 changed files with 78 additions and 1 deletions
--- a/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
+++ b/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
@ -0,0 +1,73 @@
+From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 7 Nov 2023 23:44:55 +0100
+Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
+
+JIRA: https://issues.redhat.com/browse/RHEL-14147
+Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
+
+commit c1083acea70787eea3f7929fd04718434bb05ba8
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Nov 7 19:12:14 2023 +0100
+
+    ebtables: Fix corner-case noflush restore bug
+
+    Report came from firwalld, but this is actually rather hard to trigger.
+    Since a regular chain line prevents it, typical dump/restore use-cases
+    are unaffected.
+
+    Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
+    Cc: Eric Garver <eric@garver.life>
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ .../testcases/ebtables/0009-broute-bug_0      | 25 +++++++++++++++++++
+ iptables/xtables-eb.c                         |  2 ++
+ 2 files changed, 27 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+
+diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+new file mode 100755
+index 0000000..0def0ac
+--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
+# - with --noflush
+# - a second table after the broute one
+# - A policy command but no chain line for BROUTING chain
+
+set -e
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+	;;
+*)
+	echo "skip $XT_MULTI"
+	exit 0
+	;;
+esac
+
+$XT_MULTI ebtables-restore --noflush <<EOF
+*broute
+-P BROUTING ACCEPT
+*nat
+-P PREROUTING ACCEPT
+COMMIT
+EOF
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 08eec79..a8ad57c 100644
+--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
+@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
+ 		return NF_BR_LOCAL_OUT;
+ 	else if (strcmp(chain, "POSTROUTING") == 0)
+ 		return NF_BR_POST_ROUTING;
+	else if (strcmp(chain, "BROUTING") == 0)
+		return NF_BR_BROUTING;
+ 
+ 	/* placeholder for user defined chain */
+ 	return NF_BR_NUMHOOKS;
--- a/iptables.spec
+++ b/iptables.spec
@ -1,5 +1,5 @@
 %define iptables_rpmversion 1.8.10
-%define iptables_specrelease 1
+%define iptables_specrelease 2

 # install init scripts to /usr/libexec with systemd
 %global script_path %{_libexecdir}/iptables
@ -35,6 +35,7 @@ Source11: iptables-test.stderr.expect

 Patch1:             0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
 Patch2:             0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+Patch3:             0003-ebtables-Fix-corner-case-noflush-restore-bug.patch

 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@ -453,6 +454,9 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz

 %changelog
+* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9]
+- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
+
 * Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.8.10-1.el9]
 - spec: Support for _excludedocs macro in alternatives installation (Phil Sutter) [RHEL-5810]
 - Rebase onto version 1.8.10 (Phil Sutter) [RHEL-14147]