iptables-1.8.7-12.el9

- arptables-nft-helper: Remove bashisms
- ebtables-helper: Drop unused variable, add a missing quote
- extensions: libxt_string: Avoid buffer size warning for strncpy()
- libxtables: Introduce xtables_strdup() and use it everywhere
- extensions: libebt_ip6: Use xtables_ip6parse_any()
- iptables-apply: Drop unused variable
- nft: Avoid buffer size warnings copying iface names
- nft: Avoid memleak in error path of nft_cmd_new()
- libxtables: Fix memleak in xtopt_parse_hostmask()
- extensions: libebt_ip6: Drop unused variables
- libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()

Resolves: RHBZ#1938745

0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch

@@ -0,0 +1,33 @@
+From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 13 Nov 2020 21:04:39 +0100
+Subject: [PATCH] libxtables: Drop leftover variable in
+ xtables_numeric_to_ip6addr()
+
+Variable 'err' was only used in removed debug code, so drop it as well.
+
+Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
+---
+ libxtables/xtables.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index bc42ba8221f3a..6947441fec659 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
+ struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
+ {
+ 	static struct in6_addr ap;
+-	int err;
+ 
+-	if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
++	if (inet_pton(AF_INET6, num, &ap) == 1)
+ 		return &ap;
+ 
+ 	return NULL;
+-- 
+2.31.1
+

0006-extensions-libebt_ip6-Drop-unused-variables.patch

@@ -0,0 +1,49 @@
+From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 13 Nov 2020 21:13:50 +0100
+Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
+
+They are being assigned to but never read.
+
+Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
+---
+ extensions/libebt_ip6.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index b8a5a5d8c3a92..301bed9aadefd 100644
+--- a/extensions/libebt_ip6.c
++++ b/extensions/libebt_ip6.c
+@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
+ static struct in6_addr *numeric_to_addr(const char *num)
+ {
+ 	static struct in6_addr ap;
+-	int err;
+ 
+-	if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
++	if (inet_pton(AF_INET6, num, &ap) == 1)
+ 		return &ap;
+ 	return (struct in6_addr *)NULL;
+ }
+@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
+ 	char buf[256];
+ 	char *p;
+ 	int i;
+-	int err;
+ 
+ 	strncpy(buf, address, sizeof(buf) - 1);
+ 	/* first the mask */
+@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
+ 	if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+ 		strcpy(buf, "::");
+ 
+-	if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
++	if (inet_pton(AF_INET6, buf, addr) < 1) {
+ 		xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
+ 		return;
+ 	}
+-- 
+2.31.1
+

0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch

@@ -0,0 +1,29 @@
+From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 11:04:30 +0200
+Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
+
+The allocated hostmask duplicate needs to be freed again.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
+---
+ libxtables/xtoptions.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index d329f2ff7979e..0dcdf607f4678 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
+ 	cb->arg = p;
+ 	xtopt_parse_plenmask(cb);
+ 	cb->arg = orig_arg;
++	free(work);
+ }
+ 
+ static void xtopt_parse_ethermac(struct xt_option_call *cb)
+-- 
+2.31.1
+

0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch

@@ -0,0 +1,34 @@
+From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 11:55:20 +0200
+Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
+
+If rule allocation fails, free the allocated 'cmd' before returning to
+caller.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
+---
+ iptables/nft-cmd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 5d33f1f00f574..9b0c964847615 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 
+ 	if (state) {
+ 		rule = nft_rule_new(h, chain, table, state);
+-		if (!rule)
++		if (!rule) {
++			nft_cmd_free(cmd);
+ 			return NULL;
++		}
+ 
+ 		cmd->obj.rule = rule;
+ 
+-- 
+2.31.1
+

0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch

@@ -0,0 +1,56 @@
+From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 11:58:06 +0200
+Subject: [PATCH] nft: Avoid buffer size warnings copying iface names
+
+The call to strncpy() is actually not needed: source buffer is only
+IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to
+avoid compiler warnings due to size parameter matching the destination
+buffer size by performing the copy using (dumb) memcpy() instead.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff)
+---
+ iptables/nft-ipv4.c | 4 ++--
+ iptables/nft-ipv6.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
+index a5b835b1f681d..34f94bd8cc24a 100644
+--- a/iptables/nft-ipv4.c
++++ b/iptables/nft-ipv4.c
+@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command,
+ 	 */
+ 	cs->fw.ip.invflags = args->invflags;
+ 
+-	strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
++	memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
+ 	memcpy(cs->fw.ip.iniface_mask,
+ 	       args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
+ 
+-	strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
++	memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
+ 	memcpy(cs->fw.ip.outiface_mask,
+ 	       args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
+ 
+diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
+index 46008fc5e762a..d9c9400ad7dc3 100644
+--- a/iptables/nft-ipv6.c
++++ b/iptables/nft-ipv6.c
+@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
+ 	 */
+ 	cs->fw6.ipv6.invflags = args->invflags;
+ 
+-	strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
++	memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
+ 	memcpy(cs->fw6.ipv6.iniface_mask,
+ 	       args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
+ 
+-	strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
++	memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
+ 	memcpy(cs->fw6.ipv6.outiface_mask,
+ 	       args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
+ 
+-- 
+2.31.1
+

0010-iptables-apply-Drop-unused-variable.patch

@@ -0,0 +1,29 @@
+From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 12:50:57 +0200
+Subject: [PATCH] iptables-apply: Drop unused variable
+
+It was assigned to but never read.
+
+Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
+---
+ iptables/iptables-apply | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/iptables/iptables-apply b/iptables/iptables-apply
+index 4683b1b402d08..3a7df5e3cbc1f 100755
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -231,7 +231,6 @@ case "$MODE" in
+ 		"$RUNCMD" &
+ 		CMD_PID=$!
+ 		( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
+-		CMDTIMEOUT_PID=$!
+ 		if ! wait "$CMD_PID"; then
+ 			echo "failed."
+ 			echo "Error: unknown error running command: $RUNCMD" >&2
+-- 
+2.31.1
+

0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch

@@ -0,0 +1,109 @@
+From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 14:04:43 +0200
+Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any()
+
+The code was almost identical and suffered from the same problem as
+fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
+corruption bugs").
+
+The only functional change this involves is ebt_parse_ip6_address() will
+now accept hostnames as well.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4)
+---
+ extensions/libebt_ip6.c | 74 ++++++-----------------------------------
+ 1 file changed, 10 insertions(+), 64 deletions(-)
+
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index 301bed9aadefd..3cc39271d4658 100644
+--- a/extensions/libebt_ip6.c
++++ b/extensions/libebt_ip6.c
+@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match)
+ 	memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr));
+ }
+ 
+-static struct in6_addr *numeric_to_addr(const char *num)
++/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */
++static void ebt_parse_ip6_address(char *address,
++				  struct in6_addr *addr, struct in6_addr *msk)
+ {
+-	static struct in6_addr ap;
+-
+-	if (inet_pton(AF_INET6, num, &ap) == 1)
+-		return &ap;
+-	return (struct in6_addr *)NULL;
+-}
+-
+-static struct in6_addr *parse_ip6_mask(char *mask)
+-{
+-	static struct in6_addr maskaddr;
+ 	struct in6_addr *addrp;
+-	unsigned int bits;
+-
+-	if (mask == NULL) {
+-		/* no mask at all defaults to 128 bits */
+-		memset(&maskaddr, 0xff, sizeof maskaddr);
+-		return &maskaddr;
+-	}
+-	if ((addrp = numeric_to_addr(mask)) != NULL)
+-		return addrp;
+-	if (!xtables_strtoui(mask, NULL, &bits, 0, 128))
+-		xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask);
+-	if (bits != 0) {
+-		char *p = (char *)&maskaddr;
+-		memset(p, 0xff, bits / 8);
+-		memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
+-		p[bits / 8] = 0xff << (8 - (bits & 7));
+-		return &maskaddr;
+-	}
++	unsigned int naddrs;
+ 
+-	memset(&maskaddr, 0, sizeof maskaddr);
+-	return &maskaddr;
+-}
+-
+-/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
+- * The string pointed to by address can be altered. */
+-static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk)
+-{
+-	struct in6_addr *tmp_addr;
+-	char buf[256];
+-	char *p;
+-	int i;
+-
+-	strncpy(buf, address, sizeof(buf) - 1);
+-	/* first the mask */
+-	buf[sizeof(buf) - 1] = '\0';
+-	if ((p = strrchr(buf, '/')) != NULL) {
+-		*p = '\0';
+-		tmp_addr = parse_ip6_mask(p + 1);
+-	} else
+-		tmp_addr = parse_ip6_mask(NULL);
+-
+-	*msk = *tmp_addr;
+-
+-	/* if a null mask is given, the name is ignored, like in "any/0" */
+-	if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
+-		strcpy(buf, "::");
+-
+-	if (inet_pton(AF_INET6, buf, addr) < 1) {
+-		xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
+-		return;
+-	}
+-
+-	for (i = 0; i < 4; i++)
+-		addr->s6_addr32[i] &= msk->s6_addr32[i];
++	xtables_ip6parse_any(address, &addrp, msk, &naddrs);
++	if (naddrs != 1)
++		xtables_error(PARAMETER_PROBLEM,
++			      "Invalid IPv6 Address '%s' specified", address);
++	memcpy(addr, addrp, sizeof(*addr));
++	free(addrp);
+ }
+ 
+ #define OPT_SOURCE 0x01
+-- 
+2.31.1
+

0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch

@@ -0,0 +1,554 @@
+From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 12:56:06 +0200
+Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere
+
+This wraps strdup(), checking for errors.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a)
+---
+ extensions/libebt_ip.c          |  3 ++-
+ extensions/libebt_ip6.c         |  2 +-
+ extensions/libebt_stp.c         |  3 ++-
+ extensions/libip6t_DNAT.c       |  4 +---
+ extensions/libip6t_SNAT.c       |  4 +---
+ extensions/libip6t_dst.c        |  8 +++-----
+ extensions/libip6t_hbh.c        |  7 +++----
+ extensions/libip6t_ipv6header.c |  2 +-
+ extensions/libip6t_mh.c         |  2 +-
+ extensions/libip6t_rt.c         |  7 +++----
+ extensions/libipt_DNAT.c        |  8 ++------
+ extensions/libipt_SNAT.c        |  4 +---
+ extensions/libxt_dccp.c         |  2 +-
+ extensions/libxt_hashlimit.c    |  5 +----
+ extensions/libxt_iprange.c      |  4 +---
+ extensions/libxt_multiport.c    |  6 ++----
+ extensions/libxt_sctp.c         |  4 ++--
+ extensions/libxt_set.h          |  4 ++--
+ extensions/libxt_tcp.c          |  4 ++--
+ include/xtables.h               |  1 +
+ iptables/iptables-xml.c         |  4 ++--
+ iptables/nft-cache.c            |  4 ++--
+ iptables/nft-cmd.c              | 13 +++++++------
+ iptables/xshared.c              |  2 +-
+ libxtables/xtables.c            | 12 ++++++++++++
+ libxtables/xtoptions.c          | 14 +++-----------
+ 26 files changed, 60 insertions(+), 73 deletions(-)
+
+diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
+index acb9bfcdbbd9f..51649ffb3c305 100644
+--- a/extensions/libebt_ip.c
++++ b/extensions/libebt_ip.c
+@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
+ 	char *buffer;
+ 	char *cp;
+ 
+-	buffer = strdup(portstring);
++	buffer = xtables_strdup(portstring);
++
+ 	if ((cp = strchr(buffer, ':')) == NULL)
+ 		ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
+ 	else {
+diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
+index 3cc39271d4658..a686a285c3cb8 100644
+--- a/extensions/libebt_ip6.c
++++ b/extensions/libebt_ip6.c
+@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
+ 	char *buffer;
+ 	char *cp;
+ 
+-	buffer = strdup(portstring);
++	buffer = xtables_strdup(portstring);
+ 	if ((cp = strchr(buffer, ':')) == NULL)
+ 		ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
+ 	else {
+diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
+index 81ba572c33c1a..3e9e24474eb61 100644
+--- a/extensions/libebt_stp.c
++++ b/extensions/libebt_stp.c
+@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper,
+ 	uint32_t low_nr, upp_nr;
+ 	int ret = 0;
+ 
+-	buffer = strdup(portstring);
++	buffer = xtables_strdup(portstring);
++
+ 	if ((cp = strchr(buffer, ':')) == NULL) {
+ 		low_nr = strtoul(buffer, &end, 10);
+ 		if (*end || low_nr < min || low_nr > max) {
+diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
+index 89c5ceb153250..f1ad81436316b 100644
+--- a/extensions/libip6t_DNAT.c
++++ b/extensions/libip6t_DNAT.c
+@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev)
+ 	char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
+ 	const struct in6_addr *ip;
+ 
+-	arg = strdup(orig_arg);
+-	if (arg == NULL)
+-		xtables_error(RESOURCE_PROBLEM, "strdup");
++	arg = xtables_strdup(orig_arg);
+ 
+ 	start = strchr(arg, '[');
+ 	if (start == NULL) {
+diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
+index 7d74b3d76a93c..6d19614c7c708 100644
+--- a/extensions/libip6t_SNAT.c
++++ b/extensions/libip6t_SNAT.c
+@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
+ 	char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
+ 	const struct in6_addr *ip;
+ 
+-	arg = strdup(orig_arg);
+-	if (arg == NULL)
+-		xtables_error(RESOURCE_PROBLEM, "strdup");
++	arg = xtables_strdup(orig_arg);
+ 
+ 	start = strchr(arg, '[');
+ 	if (start == NULL) {
+diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
+index fe7e3403468ce..bf0e3e436665d 100644
+--- a/extensions/libip6t_dst.c
++++ b/extensions/libip6t_dst.c
+@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
+ {
+         char *buffer, *cp, *next, *range;
+         unsigned int i;
+-	
+-	buffer = strdup(optsstr);
+-        if (!buffer)
+-		xtables_error(OTHER_PROBLEM, "strdup failed");
+-			
++
++	buffer = xtables_strdup(optsstr);
++
+         for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
+         {
+                 next = strchr(cp, ',');
+diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
+index 4cebecfd3d2f5..74e87cda7eea1 100644
+--- a/extensions/libip6t_hbh.c
++++ b/extensions/libip6t_hbh.c
+@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
+ {
+         char *buffer, *cp, *next, *range;
+         unsigned int i;
+-	
+-	buffer = strdup(optsstr);
+-	if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+-			
++
++	buffer = xtables_strdup(optsstr);
++
+         for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
+         {
+                 next=strchr(cp, ',');
+diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
+index 6f03087bb79d8..9e34562966f8b 100644
+--- a/extensions/libip6t_ipv6header.c
++++ b/extensions/libip6t_ipv6header.c
+@@ -147,7 +147,7 @@ parse_header(const char *flags) {
+         char *ptr;
+         char *buffer;
+ 
+-        buffer = strdup(flags);
++        buffer = xtables_strdup(flags);
+ 
+         for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) 
+ 		ret |= add_proto_to_mask(name_to_proto(ptr));
+diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
+index f4c0fd9fc0bca..64675405ac724 100644
+--- a/extensions/libip6t_mh.c
++++ b/extensions/libip6t_mh.c
+@@ -107,7 +107,7 @@ static void parse_mh_types(const char *mhtype, uint8_t *types)
+ 	char *buffer;
+ 	char *cp;
+ 
+-	buffer = strdup(mhtype);
++	buffer = xtables_strdup(mhtype);
+ 	if ((cp = strchr(buffer, ':')) == NULL)
+ 		types[0] = types[1] = name_to_type(buffer);
+ 	else {
+diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
+index 3cb3b249d8995..9708b5a0c42f3 100644
+--- a/extensions/libip6t_rt.c
++++ b/extensions/libip6t_rt.c
+@@ -73,10 +73,9 @@ parse_addresses(const char *addrstr, struct in6_addr *addrp)
+ {
+         char *buffer, *cp, *next;
+         unsigned int i;
+-	
+-	buffer = strdup(addrstr);
+-	if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+-			
++
++	buffer = xtables_strdup(addrstr);
++
+         for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
+         {
+                 next=strchr(cp, ',');
+diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
+index 4907a2e83d066..5b33fd23f6e36 100644
+--- a/extensions/libipt_DNAT.c
++++ b/extensions/libipt_DNAT.c
+@@ -79,9 +79,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
+ 	char *arg, *colon, *dash, *error;
+ 	const struct in_addr *ip;
+ 
+-	arg = strdup(orig_arg);
+-	if (arg == NULL)
+-		xtables_error(RESOURCE_PROBLEM, "strdup");
++	arg = xtables_strdup(orig_arg);
+ 	memset(&range, 0, sizeof(range));
+ 	colon = strchr(arg, ':');
+ 
+@@ -302,9 +300,7 @@ parse_to_v2(const char *orig_arg, int portok, struct nf_nat_range2 *range)
+ 	char *arg, *colon, *dash, *error;
+ 	const struct in_addr *ip;
+ 
+-	arg = strdup(orig_arg);
+-	if (arg == NULL)
+-		xtables_error(RESOURCE_PROBLEM, "strdup");
++	arg = xtables_strdup(orig_arg);
+ 
+ 	colon = strchr(arg, ':');
+ 	if (colon) {
+diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
+index e92d811c2bc93..c655439ec9192 100644
+--- a/extensions/libipt_SNAT.c
++++ b/extensions/libipt_SNAT.c
+@@ -73,9 +73,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
+ 	char *arg, *colon, *dash, *error;
+ 	const struct in_addr *ip;
+ 
+-	arg = strdup(orig_arg);
+-	if (arg == NULL)
+-		xtables_error(RESOURCE_PROBLEM, "strdup");
++	arg = xtables_strdup(orig_arg);
+ 	memset(&range, 0, sizeof(range));
+ 	colon = strchr(arg, ':');
+ 
+diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
+index aea3e20be4818..abd420fcc0032 100644
+--- a/extensions/libxt_dccp.c
++++ b/extensions/libxt_dccp.c
+@@ -85,7 +85,7 @@ parse_dccp_types(const char *typestring)
+ 	uint16_t typemask = 0;
+ 	char *ptr, *buffer;
+ 
+-	buffer = strdup(typestring);
++	buffer = xtables_strdup(typestring);
+ 
+ 	for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
+ 		unsigned int i;
+diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
+index 7f1d2a402c4fd..3f3c43010ee2a 100644
+--- a/extensions/libxt_hashlimit.c
++++ b/extensions/libxt_hashlimit.c
+@@ -508,10 +508,7 @@ static void hashlimit_mt6_init(struct xt_entry_match *match)
+ static int parse_mode(uint32_t *mode, const char *option_arg)
+ {
+ 	char *tok;
+-	char *arg = strdup(option_arg);
+-
+-	if (!arg)
+-		return -1;
++	char *arg = xtables_strdup(option_arg);
+ 
+ 	for (tok = strtok(arg, ",|");
+ 	     tok;
+diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
+index 8be2481497b8d..04ce7b364f1c6 100644
+--- a/extensions/libxt_iprange.c
++++ b/extensions/libxt_iprange.c
+@@ -73,11 +73,9 @@ iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
+ static void iprange_parse_range(const char *oarg, union nf_inet_addr *range,
+ 				uint8_t family, const char *optname)
+ {
+-	char *arg = strdup(oarg);
++	char *arg = xtables_strdup(oarg);
+ 	char *dash;
+ 
+-	if (arg == NULL)
+-		xtables_error(RESOURCE_PROBLEM, "strdup");
+ 	dash = strchr(arg, '-');
+ 	if (dash == NULL) {
+ 		iprange_parse_spec(arg, arg, range, family, optname);
+diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
+index 07ad4cfd4e519..4a42fa38238b9 100644
+--- a/extensions/libxt_multiport.c
++++ b/extensions/libxt_multiport.c
+@@ -87,8 +87,7 @@ parse_multi_ports(const char *portstring, uint16_t *ports, const char *proto)
+ 	char *buffer, *cp, *next;
+ 	unsigned int i;
+ 
+-	buffer = strdup(portstring);
+-	if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
++	buffer = xtables_strdup(portstring);
+ 
+ 	for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
+ 	{
+@@ -109,8 +108,7 @@ parse_multi_ports_v1(const char *portstring,
+ 	char *buffer, *cp, *next, *range;
+ 	unsigned int i;
+ 
+-	buffer = strdup(portstring);
+-	if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
++	buffer = xtables_strdup(portstring);
+ 
+ 	for (i=0; i<XT_MULTI_PORTS; i++)
+ 		multiinfo->pflags[i] = 0;
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index 140de2653b1ef..59b34684cc7f7 100644
+--- a/extensions/libxt_sctp.c
++++ b/extensions/libxt_sctp.c
+@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring,
+ 	char *buffer;
+ 	char *cp;
+ 
+-	buffer = strdup(portstring);
++	buffer = xtables_strdup(portstring);
+ 	DEBUGP("%s\n", portstring);
+ 	if ((cp = strchr(buffer, ':')) == NULL) {
+ 		ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
+@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo,
+ 	int found = 0;
+ 	char *chunk_flags;
+ 
+-	buffer = strdup(chunks);
++	buffer = xtables_strdup(chunks);
+ 	DEBUGP("Buffer: %s\n", buffer);
+ 
+ 	SCTP_CHUNKMAP_RESET(einfo->chunkmap);
+diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
+index 41dfbd30fc7c1..ad895a7504d9d 100644
+--- a/extensions/libxt_set.h
++++ b/extensions/libxt_set.h
+@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info)
+ static void
+ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
+ {
+-	char *saved = strdup(opt_arg);
++	char *saved = xtables_strdup(opt_arg);
+ 	char *ptr, *tmp = saved;
+ 	int i = 0;
+ 	
+@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
+ static void
+ parse_dirs(const char *opt_arg, struct xt_set_info *info)
+ {
+-	char *saved = strdup(opt_arg);
++	char *saved = xtables_strdup(opt_arg);
+ 	char *ptr, *tmp = saved;
+ 	
+ 	while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
+diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
+index 58f3c0a0c3c28..383e4db5b5e23 100644
+--- a/extensions/libxt_tcp.c
++++ b/extensions/libxt_tcp.c
+@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports)
+ 	char *buffer;
+ 	char *cp;
+ 
+-	buffer = strdup(portstring);
++	buffer = xtables_strdup(portstring);
+ 	if ((cp = strchr(buffer, ':')) == NULL)
+ 		ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
+ 	else {
+@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags)
+ 	char *ptr;
+ 	char *buffer;
+ 
+-	buffer = strdup(flags);
++	buffer = xtables_strdup(flags);
+ 
+ 	for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
+ 		unsigned int i;
+diff --git a/include/xtables.h b/include/xtables.h
+index df1eaee326643..107ad7d65e6fc 100644
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t);
+ extern void *xtables_calloc(size_t, size_t);
+ extern void *xtables_malloc(size_t);
+ extern void *xtables_realloc(void *, size_t);
++char *xtables_strdup(const char *);
+ 
+ extern int xtables_insmod(const char *, const char *, bool);
+ extern int xtables_load_ko(const char *, bool);
+diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
+index 98d03dda98d2b..6cf059fb67292 100644
+--- a/iptables/iptables-xml.c
++++ b/iptables/iptables-xml.c
+@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr)
+ 			   "%s: line %u chain name invalid\n",
+ 			   prog_name, line);
+ 
+-	chains[nextChain].chain = strdup(chain);
+-	chains[nextChain].policy = strdup(policy);
++	chains[nextChain].chain = xtables_strdup(chain);
++	chains[nextChain].policy = xtables_strdup(policy);
+ 	chains[nextChain].count = *ctr;
+ 	chains[nextChain].created = 0;
+ 	nextChain++;
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 6b6e6da40a826..7fd78654b280a 100644
+--- a/iptables/nft-cache.c
++++ b/iptables/nft-cache.c
+@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name)
+ 	}
+ 
+ 	new = xtables_malloc(sizeof(*new));
+-	new->name = strdup(name);
++	new->name = xtables_strdup(name);
+ 	list_add_tail(&new->head, pos ? &pos->head : list);
+ }
+ 
+@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level,
+ 		return;
+ 
+ 	if (!req->table)
+-		req->table = strdup(cmd->table);
++		req->table = xtables_strdup(cmd->table);
+ 	else
+ 		assert(!strcmp(req->table, cmd->table));
+ 
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 9b0c964847615..8dccdd734b156 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -11,6 +11,7 @@
+ 
+ #include <stdlib.h>
+ #include <string.h>
++#include <xtables.h>
+ #include "nft.h"
+ #include "nft-cmd.h"
+ 
+@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 		return NULL;
+ 
+ 	cmd->command = command;
+-	cmd->table = strdup(table);
++	cmd->table = xtables_strdup(table);
+ 	if (chain)
+-		cmd->chain = strdup(chain);
++		cmd->chain = xtables_strdup(chain);
+ 	cmd->rulenum = rulenum;
+ 	cmd->verbose = verbose;
+ 
+@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 		cmd->obj.rule = rule;
+ 
+ 		if (!state->target && strlen(state->jumpto) > 0)
+-			cmd->jumpto = strdup(state->jumpto);
++			cmd->jumpto = xtables_strdup(state->jumpto);
+ 	}
+ 
+ 	list_add_tail(&cmd->head, &h->cmd_list);
+@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
+ 	if (!cmd)
+ 		return 0;
+ 
+-	cmd->rename = strdup(newname);
++	cmd->rename = xtables_strdup(newname);
+ 
+ 	nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
+ 
+@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table,
+ 	if (!cmd)
+ 		return 0;
+ 
+-	cmd->policy = strdup(policy);
++	cmd->policy = xtables_strdup(policy);
+ 	if (counters)
+ 		cmd->counters = *counters;
+ 
+@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
+ 	if (!cmd)
+ 		return 0;
+ 
+-	cmd->policy = strdup(policy);
++	cmd->policy = xtables_strdup(policy);
+ 
+ 	nft_cache_level_set(h, NFT_CL_RULES, cmd);
+ 
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 9a1f465a5a6d3..4027d9240215e 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted)
+ 		xtables_error(PARAMETER_PROBLEM,
+ 			      "Trying to store NULL argument\n");
+ 
+-	store->argv[store->argc] = strdup(what);
++	store->argv[store->argc] = xtables_strdup(what);
+ 	store->argvattr[store->argc] = quoted;
+ 	store->argv[++store->argc] = NULL;
+ }
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 6947441fec659..1931e3896262a 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size)
+ 	return p;
+ }
+ 
++char *xtables_strdup(const char *s)
++{
++	char *dup = strdup(s);
++
++	if (!dup) {
++		perror("ip[6]tables: strdup failed");
++		exit(1);
++	}
++
++	return dup;
++}
++
+ static char *get_modprobe(void)
+ {
+ 	int procfile;
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index 0dcdf607f4678..9d3ac5c8066cb 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb)
+ 	unsigned int maxiter;
+ 	int value;
+ 
+-	wp_arg = lo_arg = strdup(cb->arg);
+-	if (lo_arg == NULL)
+-		xt_params->exit_err(RESOURCE_PROBLEM, "strdup");
++	wp_arg = lo_arg = xtables_strdup(cb->arg);
+ 
+ 	maxiter = entry->size / esize;
+ 	if (maxiter == 0)
+@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
+ 		xtopt_parse_host(cb);
+ 		return;
+ 	}
+-	work = strdup(orig_arg);
+-	if (work == NULL)
+-		xt_params->exit_err(PARAMETER_PROBLEM, "strdup");
++	work = xtables_strdup(orig_arg);
+ 	p = strchr(work, '/'); /* by def this can't be NULL now */
+ 	*p++ = '\0';
+ 	/*
+@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file)
+ 			goto out;
+ 		}
+ 		lmap_this->id   = id;
+-		lmap_this->name = strdup(cur);
+-		if (lmap_this->name == NULL) {
+-			free(lmap_this);
+-			goto out;
+-		}
++		lmap_this->name = xtables_strdup(cur);
+ 		lmap_this->next = NULL;
+ 
+ 		if (lmap_prev != NULL)
+-- 
+2.31.1
+

0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch

@@ -0,0 +1,31 @@
+From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 15:15:37 +0200
+Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
+ strncpy()
+
+If the target buffer does not need to be null-terminated, one may simply
+use memcpy() and thereby avoid any compiler warnings.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
+---
+ extensions/libxt_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
+index 7c6366cbbf1b3..739a8e7fd66b6 100644
+--- a/extensions/libxt_string.c
++++ b/extensions/libxt_string.c
+@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
+ {	
+ 	/* xt_string does not need \0 at the end of the pattern */
+ 	if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
+-		strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
++		memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
+ 		info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
+ 		return;
+ 	}
+-- 
+2.31.1
+

arptables-nft-helper

@@ -5,12 +5,12 @@ ARPTABLES_CONFIG=/etc/sysconfig/arptables
 # compat for removed initscripts dependency
 
 success() {
-	echo -n "[  OK  ]"
+	echo "[  OK  ]"
 	return 0
 }
 
 failure() {
-	echo -n "[FAILED]"
+	echo "[FAILED]"
 	return 1
 }
 
@@ -21,31 +21,28 @@ start() {
 
 	# don't do squat if we don't have the config file
 	if [ -f $ARPTABLES_CONFIG ]; then
-		echo -n $"Applying arptables firewall rules: "
+		printf "Applying arptables firewall rules: "
 		/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
 			success || \
 			failure
-		echo
 		touch /var/lock/subsys/arptables
 	else
 		failure
-		echo
-		echo $"Configuration file /etc/sysconfig/arptables missing"
+		echo "Configuration file /etc/sysconfig/arptables missing"
 		exit 6
 	fi
 }
 
 stop() {
-	echo -n $"Removing user defined chains:"
+	printf "Removing user defined chains: "
 	arptables -X && success || failure
-	echo -n $"Flushing all chains:"
+	printf "Flushing all chains: "
 	arptables -F && success || failure
-	echo -n $"Resetting built-in chains to the default ACCEPT policy:"
+	printf "Resetting built-in chains to the default ACCEPT policy: "
 	arptables -P INPUT ACCEPT && \
 		arptables -P OUTPUT ACCEPT && \
 		success || \
 		failure
-	echo
 	rm -f /var/lock/subsys/arptables
 }
 

ebtables-helper

@@ -23,7 +23,6 @@ VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
 
 # ebtables-config defaults
 EBTABLES_SAVE_ON_STOP="no"
-EBTABLES_SAVE_ON_RESTART="no"
 EBTABLES_SAVE_COUNTER="no"
 
 # load config if existing
@@ -49,7 +48,7 @@ sanitize_dump() {
 			local table="${line#\*}"
 			local found=false
 			for t in $EBTABLES_TABLES; do
-				if [[ $t == $table ]]; then
+				if [[ $t == "$table" ]]; then
 					found=true
 					break
 				fi

iptables.spec

@@ -11,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 11%{?dist}
+Release: 12%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -28,6 +28,15 @@ Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
 Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
 Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
 Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
+Patch5: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
+Patch6: 0006-extensions-libebt_ip6-Drop-unused-variables.patch
+Patch7: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
+Patch8: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
+Patch9: 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
+Patch10: 0010-iptables-apply-Drop-unused-variable.patch
+Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
+Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
+Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -423,6 +432,19 @@ fi
 
 
 %changelog
+* Thu Jun 10 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-12
+- arptables-nft-helper: Remove bashisms
+- ebtables-helper: Drop unused variable, add a missing quote
+- extensions: libxt_string: Avoid buffer size warning for strncpy()
+- libxtables: Introduce xtables_strdup() and use it everywhere
+- extensions: libebt_ip6: Use xtables_ip6parse_any()
+- iptables-apply: Drop unused variable
+- nft: Avoid buffer size warnings copying iface names
+- nft: Avoid memleak in error path of nft_cmd_new()
+- libxtables: Fix memleak in xtopt_parse_hostmask()
+- extensions: libebt_ip6: Drop unused variables
+- libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
+
 * Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11
 - Fix License name in spec file
 - Eliminate inet_aton() and inet_ntoa()