iptables-1.8.10-2.el9

* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9]
- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
Resolves: RHEL-14147
This commit is contained in:
Phil Sutter 2023-11-07 22:46:55 +00:00
parent e68693c04a
commit 18727bce9f
2 changed files with 78 additions and 1 deletions

View File

@ -0,0 +1,73 @@
From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 7 Nov 2023 23:44:55 +0100
Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
JIRA: https://issues.redhat.com/browse/RHEL-14147
Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
commit c1083acea70787eea3f7929fd04718434bb05ba8
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Nov 7 19:12:14 2023 +0100
ebtables: Fix corner-case noflush restore bug
Report came from firwalld, but this is actually rather hard to trigger.
Since a regular chain line prevents it, typical dump/restore use-cases
are unaffected.
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
Cc: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
iptables/xtables-eb.c | 2 ++
2 files changed, 27 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
new file mode 100755
index 0000000..0def0ac
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
+# - with --noflush
+# - a second table after the broute one
+# - A policy command but no chain line for BROUTING chain
+
+set -e
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+$XT_MULTI ebtables-restore --noflush <<EOF
+*broute
+-P BROUTING ACCEPT
+*nat
+-P PREROUTING ACCEPT
+COMMIT
+EOF
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 08eec79..a8ad57c 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
return NF_BR_LOCAL_OUT;
else if (strcmp(chain, "POSTROUTING") == 0)
return NF_BR_POST_ROUTING;
+ else if (strcmp(chain, "BROUTING") == 0)
+ return NF_BR_BROUTING;
/* placeholder for user defined chain */
return NF_BR_NUMHOOKS;

View File

@ -1,5 +1,5 @@
%define iptables_rpmversion 1.8.10 %define iptables_rpmversion 1.8.10
%define iptables_specrelease 1 %define iptables_specrelease 2
# install init scripts to /usr/libexec with systemd # install init scripts to /usr/libexec with systemd
%global script_path %{_libexecdir}/iptables %global script_path %{_libexecdir}/iptables
@ -35,6 +35,7 @@ Source11: iptables-test.stderr.expect
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic 2.0 # iptables-apply: Artistic 2.0
@ -453,6 +454,9 @@ fi
%ghost %{_mandir}/man8/ebtables.8.gz %ghost %{_mandir}/man8/ebtables.8.gz
%changelog %changelog
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9]
- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.8.10-1.el9] * Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.8.10-1.el9]
- spec: Support for _excludedocs macro in alternatives installation (Phil Sutter) [RHEL-5810] - spec: Support for _excludedocs macro in alternatives installation (Phil Sutter) [RHEL-5810]
- Rebase onto version 1.8.10 (Phil Sutter) [RHEL-14147] - Rebase onto version 1.8.10 (Phil Sutter) [RHEL-14147]