iptables-1.8.10-2.el9
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9] - ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147] Resolves: RHEL-14147
parent
e68693c04a
commit
18727bce9f
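--- a/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
+++ b/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
@@ -0,0 +1,73 @@
+From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 7 Nov 2023 23:44:55 +0100
+Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
+
+JIRA: https://issues.redhat.com/browse/RHEL-14147
+Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
+
+commit c1083acea70787eea3f7929fd04718434bb05ba8
+Author: Phil Sutter <phil@nwl.cc>
+Date: Tue Nov 7 19:12:14 2023 +0100
+
+ebtables: Fix corner-case noflush restore bug
+
+Report came from firwalld, but this is actually rather hard to trigger.
+Since a regular chain line prevents it, typical dump/restore use-cases
+are unaffected.
+
+Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
+Cc: Eric Garver <eric@garver.life>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
+iptables/xtables-eb.c | 2 ++
+2 files changed, 27 insertions(+)
+create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+
+diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+new file mode 100755
+index 0000000..0def0ac
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+@@ -0,0 +1,25 @@
++#!/bin/sh
++#
++# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
++# - with --noflush
++# - a second table after the broute one
++# - A policy command but no chain line for BROUTING chain
++
++set -e
++
++case "$XT_MULTI" in
++*xtables-nft-multi)
++ ;;
++*)
++ echo "skip $XT_MULTI"
++ exit 0
++ ;;
++esac
++
++$XT_MULTI ebtables-restore --noflush <<EOF
++*broute
++-P BROUTING ACCEPT
++*nat
++-P PREROUTING ACCEPT
++COMMIT
++EOF
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 08eec79..a8ad57c 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
+return NF_BR_LOCAL_OUT;
+else if (strcmp(chain, "POSTROUTING") == 0)
+return NF_BR_POST_ROUTING;
++ else if (strcmp(chain, "BROUTING") == 0)
++ return NF_BR_BROUTING;
+
+/* placeholder for user defined chain */
+return NF_BR_NUMHOOKS;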
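Review bot: The new test case 0009-broute-bug_0 only proves that `ebtables-restore --noflush` exits zero under `set -e`; it never inspects the ruleset afterwards. A regression that accepts this input but drops the BROUTING policy, or applies it to the wrong chain, would still pass. For a firewall restore path the resulting state is the property worth pinning, so consider following the heredoc with `$XT_MULTI ebtables-save` and comparing its output against the expected broute and nat tables. The xtables-eb.c hunk shows only the tail of ebt_get_current_chain(), so how callers use the returned hook number is not visible here.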
@ -1,5 +1,5 @@
|
|||||||
%define iptables_rpmversion 1.8.10
|
%define iptables_rpmversion 1.8.10
|
||||||
%define iptables_specrelease 1
|
%define iptables_specrelease 2
|
||||||
|
|
||||||
# install init scripts to /usr/libexec with systemd
|
# install init scripts to /usr/libexec with systemd
|
||||||
%global script_path %{_libexecdir}/iptables
|
%global script_path %{_libexecdir}/iptables
|
||||||
@ -35,6 +35,7 @@ Source11: iptables-test.stderr.expect
|
|||||||
|
|
||||||
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
||||||
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||||
|
Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
|
||||||
|
|
||||||
# pf.os: ISC license
|
# pf.os: ISC license
|
||||||
# iptables-apply: Artistic 2.0
|
# iptables-apply: Artistic 2.0
|
||||||
@ -453,6 +454,9 @@ fi
|
|||||||
%ghost %{_mandir}/man8/ebtables.8.gz
|
%ghost %{_mandir}/man8/ebtables.8.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9]
|
||||||
|
- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
|
||||||
|
|
||||||
* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.8.10-1.el9]
|
* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.8.10-1.el9]
|
||||||
- spec: Support for _excludedocs macro in alternatives installation (Phil Sutter) [RHEL-5810]
|
- spec: Support for _excludedocs macro in alternatives installation (Phil Sutter) [RHEL-5810]
|
||||||
- Rebase onto version 1.8.10 (Phil Sutter) [RHEL-14147]
|
- Rebase onto version 1.8.10 (Phil Sutter) [RHEL-14147]
|
||||||
|