iptables-1.8.7-11.el9

- Fix License name in spec file
- Eliminate inet_aton() and inet_ntoa()
- nft-arp: Make use of ipv4_addr_to_string()
- Make legacy sub-packages obsolete older non-legacy ones
- Fix dates in changelog
- iptables.init: Fix functionality for iptables-nft
- iptables.init: Ignore sysctl files not suffixed '.conf'
- iptables.init: Drop unused NEW_MODUTILS check
- iptables.init: Drop some trailing whitespace

Resolves: RHBZ#1954581, RHBZ#1958262

0001-ebtables-Exit-gracefully-on-invalid-table-names.patch

@@ -1,4 +1,4 @@
-From 30c1d443896311e69762d6b51b63908ec602574f Mon Sep 17 00:00:00 2001
+From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 28 Jan 2021 01:09:56 +0100
 Subject: [PATCH] ebtables: Exit gracefully on invalid table names
@@ -22,7 +22,7 @@ With this patch in place, output looks much better:
 | Perhaps iptables or your kernel needs to be upgraded.
 
 Signed-off-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Phil Sutter <psutter@redhat.com>
+(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
 ---
  iptables/xtables-eb.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)
@@ -47,5 +47,5 @@ index cfa9317c78e94..5bb34d6d292a9 100644
  			table_set = true;
  			break;
 -- 
-2.28.0
+2.31.1
 

0002-xtables-translate-Fix-translation-of-odd-netmasks.patch

@@ -0,0 +1,196 @@
+From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 2 Mar 2021 14:50:07 +0100
+Subject: [PATCH] xtables-translate: Fix translation of odd netmasks
+
+Iptables supports netmasks which are not prefixes to match on (or
+ignore) arbitrary bits in an address. Yet nftables' prefix notation is
+available for real prefixes only, so translation is not as trivial -
+print bitmask syntax for those cases.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae)
+---
+ extensions/generic.txlate   | 48 +++++++++++++++++++++++++++++++++++++
+ extensions/libxt_standard.t | 12 ++++++++++
+ iptables/nft-ipv4.c         | 42 ++++++++++++++++++++++----------
+ iptables/nft-ipv6.c         | 19 ++++++++++++---
+ 4 files changed, 106 insertions(+), 15 deletions(-)
+
+diff --git a/extensions/generic.txlate b/extensions/generic.txlate
+index 0e256c3727559..9ae9a5b54c1b9 100644
+--- a/extensions/generic.txlate
++++ b/extensions/generic.txlate
+@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
+ iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
+ nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
+ 
++iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0
++nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter
++
++iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0
++nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter
++
++iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255
++nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter
++
++iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255
++nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter
++
++iptables-translate -I INPUT -s 0.0.0.0/16
++nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter
++
++iptables-translate -I INPUT -s 0.0.0.0/0
++nft insert rule ip filter INPUT counter
++
++iptables-translate -I INPUT ! -s 0.0.0.0/0
++nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter
++
++ip6tables-translate -I INPUT -i iifname -s feed::/16
++nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter
++
++ip6tables-translate -A INPUT -i iif+ ! -d feed::/16
++nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter
++
++ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00::
++nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter
++
++ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0
++nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter
++
++ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
++nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter
++
++ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
++nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter
++
++ip6tables-translate -I INPUT -s ::/16
++nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter
++
++ip6tables-translate -I INPUT -s ::/0
++nft insert rule ip6 filter INPUT counter
++
++ip6tables-translate -I INPUT ! -s ::/0
++nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter
++
+ ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
+ nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
+ 
+diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
+index 4313f7b7bac9d..56d6da2e5884e 100644
+--- a/extensions/libxt_standard.t
++++ b/extensions/libxt_standard.t
+@@ -9,3 +9,15 @@
+ -j ACCEPT;=;OK
+ -j RETURN;=;OK
+ ! -p 0 -j ACCEPT;=;FAIL
++-s 10.11.12.13/8;-s 10.0.0.0/8;OK
++-s 10.11.12.13/9;-s 10.0.0.0/9;OK
++-s 10.11.12.13/10;-s 10.0.0.0/10;OK
++-s 10.11.12.13/11;-s 10.0.0.0/11;OK
++-s 10.11.12.13/12;-s 10.0.0.0/12;OK
++-s 10.11.12.13/30;-s 10.11.12.12/30;OK
++-s 10.11.12.13/31;-s 10.11.12.12/31;OK
++-s 10.11.12.13/32;-s 10.11.12.13/32;OK
++-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
++-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
++-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
++-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
+diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
+index fdc15c6f04066..0d32a30010519 100644
+--- a/iptables/nft-ipv4.c
++++ b/iptables/nft-ipv4.c
+@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command,
+ 			      " source or destination IP addresses");
+ }
+ 
++static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
++			    const struct in_addr *mask,
++			    bool inv, struct xt_xlate *xl)
++{
++	const char *op = inv ? "!= " : "";
++	int cidr;
++
++	if (!inv && !addr->s_addr && !mask->s_addr)
++		return;
++
++	cidr = xtables_ipmask_to_cidr(mask);
++	switch (cidr) {
++	case -1:
++		/* inet_ntoa() is not reentrant */
++		xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
++		xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
++		break;
++	case 32:
++		xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
++		break;
++	default:
++		xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
++			     cidr);
++	}
++}
++
+ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
+ {
+ 	const struct iptables_command_state *cs = data;
+@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
+ 		}
+ 	}
+ 
+-	if (cs->fw.ip.src.s_addr != 0) {
+-		xt_xlate_add(xl, "ip saddr %s%s%s ",
+-			   cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "",
+-			   inet_ntoa(cs->fw.ip.src),
+-			   xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
+-	}
+-	if (cs->fw.ip.dst.s_addr != 0) {
+-		xt_xlate_add(xl, "ip daddr %s%s%s ",
+-			   cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "",
+-			   inet_ntoa(cs->fw.ip.dst),
+-			   xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
+-	}
++	xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
++			cs->fw.ip.invflags & IPT_INV_SRCIP, xl);
++	xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk,
++			cs->fw.ip.invflags & IPT_INV_DSTIP, xl);
+ 
+ 	ret = xlate_matches(cs, xl);
+ 	if (!ret)
+diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
+index 130ad3e6e7c44..46008fc5e762a 100644
+--- a/iptables/nft-ipv6.c
++++ b/iptables/nft-ipv6.c
+@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
+ 			    const struct in6_addr *mask,
+ 			    int invert, struct xt_xlate *xl)
+ {
++	const char *op = invert ? "!= " : "";
+ 	char addr_str[INET6_ADDRSTRLEN];
++	int cidr;
+ 
+-	if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
++	if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask))
+ 		return;
+ 
+ 	inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
+-	xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str,
+-			xtables_ip6mask_to_numeric(mask));
++	cidr = xtables_ip6mask_to_cidr(mask);
++	switch (cidr) {
++	case -1:
++		xt_xlate_add(xl, "%s & %s %s %s ", selector,
++			     xtables_ip6addr_to_numeric(mask),
++			     invert ? "!=" : "==", addr_str);
++		break;
++	case 128:
++		xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str);
++		break;
++	default:
++		xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr);
++	}
+ }
+ 
+ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
+-- 
+2.31.1
+

0003-Eliminate-inet_aton-and-inet_ntoa.patch

@@ -0,0 +1,120 @@
+From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 27 Apr 2021 09:12:53 +0200
+Subject: [PATCH] Eliminate inet_aton() and inet_ntoa()
+
+Both functions are obsolete, replace them by equivalent calls to
+inet_pton() and inet_ntop().
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3)
+---
+ extensions/libebt_among.c |  6 ++++--
+ iptables/nft-ipv4.c       | 23 ++++++++++++++---------
+ 2 files changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
+index 2b9a1b6566684..7eb898f984bba 100644
+--- a/extensions/libebt_among.c
++++ b/extensions/libebt_among.c
+@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
+ 	if (sep) {
+ 		*sep = '\0';
+ 
+-		if (!inet_aton(sep + 1, &pair->in))
++		if (!inet_pton(AF_INET, sep + 1, &pair->in))
+ 			xtables_error(PARAMETER_PROBLEM,
+ 				      "Invalid IP address '%s'\n", sep + 1);
+ 	}
+@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
+ 			    int cnt, bool inv, bool have_ip)
+ {
+ 	const char *isep = inv ? "! " : "";
++	char abuf[INET_ADDRSTRLEN];
+ 	int i;
+ 
+ 	for (i = 0; i < cnt; i++) {
+@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs,
+ 
+ 		printf("%s", ether_ntoa(&pairs[i].ether));
+ 		if (pairs[i].in.s_addr != INADDR_ANY)
+-			printf("=%s", inet_ntoa(pairs[i].in));
++			printf("=%s", inet_ntop(AF_INET, &pairs[i].in,
++						abuf, sizeof(abuf)));
+ 	}
+ 	printf(" ");
+ }
+diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
+index 0d32a30010519..a5b835b1f681d 100644
+--- a/iptables/nft-ipv4.c
++++ b/iptables/nft-ipv4.c
+@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
+ 
+ static const char *mask_to_str(uint32_t mask)
+ {
+-	static char mask_str[sizeof("255.255.255.255")];
++	static char mask_str[INET_ADDRSTRLEN];
+ 	uint32_t bits, hmask = ntohl(mask);
+ 	struct in_addr mask_addr = {
+ 		.s_addr = mask,
+@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask)
+ 	if (i >= 0)
+ 		sprintf(mask_str, "%u", i);
+ 	else
+-		sprintf(mask_str, "%s", inet_ntoa(mask_addr));
++		inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
+ 
+ 	return mask_str;
+ }
+@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
+ static void save_ipv4_addr(char letter, const struct in_addr *addr,
+ 			   uint32_t mask, int invert)
+ {
++	char addrbuf[INET_ADDRSTRLEN];
++
+ 	if (!mask && !invert && !addr->s_addr)
+ 		return;
+ 
+-	printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr),
++	printf("%s-%c %s/%s ", invert ? "! " : "", letter,
++	       inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
+ 	       mask_to_str(mask));
+ }
+ 
+@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
+ 			    const struct in_addr *mask,
+ 			    bool inv, struct xt_xlate *xl)
+ {
++	char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN];
+ 	const char *op = inv ? "!= " : "";
+ 	int cidr;
+ 
+ 	if (!inv && !addr->s_addr && !mask->s_addr)
+ 		return;
+ 
++	inet_ntop(AF_INET, addr, abuf, sizeof(abuf));
++
+ 	cidr = xtables_ipmask_to_cidr(mask);
+ 	switch (cidr) {
+ 	case -1:
+-		/* inet_ntoa() is not reentrant */
+-		xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
+-		xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
++		xt_xlate_add(xl, "%s & %s %s %s ", selector,
++			     inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)),
++			     inv ? "!=" : "==", abuf);
+ 		break;
+ 	case 32:
+-		xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
++		xt_xlate_add(xl, "%s %s%s ", selector, op, abuf);
+ 		break;
+ 	default:
+-		xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
+-			     cidr);
++		xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr);
+ 	}
+ }
+ 
+-- 
+2.31.1
+

0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch

@@ -0,0 +1,181 @@
+From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 27 Apr 2021 10:02:34 +0200
+Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string()
+
+This eliminates quite a bit of redundant code apart from also dropping
+use of obsolete function gethostbyaddr().
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c)
+---
+ iptables/nft-arp.c | 99 ++++------------------------------------------
+ iptables/xshared.c |  6 +--
+ iptables/xshared.h |  3 ++
+ 3 files changed, 14 insertions(+), 94 deletions(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index c82ffdc95e300..2a9387a18dffe 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -42,78 +42,6 @@ char *arp_opcodes[] =
+ 	"ARP_NAK",
+ };
+ 
+-static char *
+-addr_to_dotted(const struct in_addr *addrp)
+-{
+-	static char buf[20];
+-	const unsigned char *bytep;
+-
+-	bytep = (const unsigned char *) &(addrp->s_addr);
+-	sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
+-	return buf;
+-}
+-
+-static char *
+-addr_to_host(const struct in_addr *addr)
+-{
+-	struct hostent *host;
+-
+-	if ((host = gethostbyaddr((char *) addr,
+-					sizeof(struct in_addr), AF_INET)) != NULL)
+-		return (char *) host->h_name;
+-
+-	return (char *) NULL;
+-}
+-
+-static char *
+-addr_to_network(const struct in_addr *addr)
+-{
+-	struct netent *net;
+-
+-	if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
+-		return (char *) net->n_name;
+-
+-	return (char *) NULL;
+-}
+-
+-static char *
+-addr_to_anyname(const struct in_addr *addr)
+-{
+-	char *name;
+-
+-	if ((name = addr_to_host(addr)) != NULL ||
+-		(name = addr_to_network(addr)) != NULL)
+-		return name;
+-
+-	return addr_to_dotted(addr);
+-}
+-
+-static char *
+-mask_to_dotted(const struct in_addr *mask)
+-{
+-	int i;
+-	static char buf[22];
+-	u_int32_t maskaddr, bits;
+-
+-	maskaddr = ntohl(mask->s_addr);
+-
+-	if (maskaddr == 0xFFFFFFFFL)
+-		/* we don't want to see "/32" */
+-		return "";
+-
+-	i = 32;
+-	bits = 0xFFFFFFFEL;
+-	while (--i >= 0 && maskaddr != bits)
+-		bits <<= 1;
+-	if (i >= 0)
+-		sprintf(buf, "/%d", i);
+-	else
+-		/* mask was not a decent combination of 1's and 0's */
+-		snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask));
+-
+-	return buf;
+-}
+-
+ static bool need_devaddr(struct arpt_devaddr_info *info)
+ {
+ 	int i;
+@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
+ 				       unsigned int format)
+ {
+ 	const struct arpt_entry *fw = &cs->arp;
+-	char buf[BUFSIZ];
+ 	char iface[IFNAMSIZ+2];
+ 	const char *sep = "";
+ 	int print_iface = 0;
+@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
+ 	}
+ 
+ 	if (fw->arp.smsk.s_addr != 0L) {
+-		printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
+-			? "! " : "");
+-		if (format & FMT_NUMERIC)
+-			sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
+-		else
+-			sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
+-		strncat(buf, mask_to_dotted(&(fw->arp.smsk)),
+-			sizeof(buf) - strlen(buf) - 1);
+-		printf("-s %s", buf);
++		printf("%s%s-s %s", sep,
++		       fw->arp.invflags & IPT_INV_SRCIP ? "! " : "",
++		       ipv4_addr_to_string(&fw->arp.src,
++					   &fw->arp.smsk, format));
+ 		sep = " ";
+ 	}
+ 
+@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
+ after_devsrc:
+ 
+ 	if (fw->arp.tmsk.s_addr != 0L) {
+-		printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
+-			? "! " : "");
+-		if (format & FMT_NUMERIC)
+-			sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
+-		else
+-			sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
+-		strncat(buf, mask_to_dotted(&(fw->arp.tmsk)),
+-			sizeof(buf) - strlen(buf) - 1);
+-		printf("-d %s", buf);
++		printf("%s%s-d %s", sep,
++		       fw->arp.invflags & IPT_INV_DSTIP ? "! " : "",
++		       ipv4_addr_to_string(&fw->arp.tgt,
++					   &fw->arp.tmsk, format));
+ 		sep = " ";
+ 	}
+ 
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 71f689901e1d4..9a1f465a5a6d3 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store)
+ }
+ #endif
+ 
+-static const char *ipv4_addr_to_string(const struct in_addr *addr,
+-				       const struct in_addr *mask,
+-				       unsigned int format)
++const char *ipv4_addr_to_string(const struct in_addr *addr,
++				const struct in_addr *mask,
++				unsigned int format)
+ {
+ 	static char buf[BUFSIZ];
+ 
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index 9159b2b1f3768..1e86aba8b2375 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store);
+ #  define debug_print_argv(...) /* nothing */
+ #endif
+ 
++const char *ipv4_addr_to_string(const struct in_addr *addr,
++				const struct in_addr *mask,
++				unsigned int format);
+ void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
+ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
+ 
+-- 
+2.31.1
+

iptables.init

@@ -55,11 +55,6 @@ if [ ! -x /sbin/$IPTABLES ]; then
     exit 5
 fi
 
-# Old or new modutils
-/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
-    && NEW_MODUTILS=1 \
-    || NEW_MODUTILS=0
-
 # Default firewall configuration:
 IPTABLES_MODULES=""
 IPTABLES_SAVE_ON_STOP="no"
@@ -75,13 +70,33 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000
 # Load firewall configuration.
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
 
+is_iptables_nft() {
+	iptables --version | grep -q '(nf_tables)'
+}
+
+netfilter_active() {
+	is_iptables_nft && return 0
+	[ -e "$PROC_IPTABLES_NAMES" ]
+}
+
+netfilter_tables() {
+	netfilter_active || return 1
+	is_iptables_nft && {
+		# explicitly omit security table from this list as
+		# it should be reserved for SELinux use
+		echo "raw mangle filter nat"
+		return 0
+	}
+	cat "$PROC_IPTABLES_NAMES" 2>/dev/null
+}
+
 # Get active tables
-NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+NF_TABLES=$(netfilter_tables)
 
 
 flush_n_delete() {
     # Flush firewall rules and delete chains.
-    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+    netfilter_active || return 0
 
     # Check if firewall is configured (has tables)
     [ -z "$NF_TABLES" ] && return 1
@@ -113,10 +128,10 @@ set_policy() {
     policy=$1
 
     # Check if iptable module is loaded
-    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+    netfilter_active || return 0
 
     # Check if firewall is configured (has tables)
-    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+    tables=$(netfilter_tables)
     [ -z "$tables" ] && return 1
 
     echo -n $"${IPTABLES}: Setting chains to policy $policy: "
@@ -166,7 +181,7 @@ load_sysctl() {
         echo -n $"Loading sysctl settings: "
         ret=0
         for item in $IPTABLES_SYSCTL_LOAD_LIST; do
-            fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
+            fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
             let ret+=$?;
         done
         [ $ret -eq 0 ] && success || failure
@@ -217,7 +232,7 @@ start() {
 	    return 1
 	fi
     fi
-    
+ 
     # Load additional modules (helpers)
     if [ -n "$IPTABLES_MODULES" ]; then
 	echo -n $"${IPTABLES}: Loading additional modules: "
@@ -230,7 +245,7 @@ start() {
 	[ $ret -eq 0 ] && success || failure
 	echo
     fi
-    
+ 
     # Load sysctl settings
     load_sysctl
 
@@ -240,7 +255,7 @@ start() {
 
 stop() {
     # Do not stop if iptables module is not loaded.
-    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
+    netfilter_active || return 0
 
     # Set default chain policy to ACCEPT, in order to not break shutdown
     # on systems where the default policy is DROP and root device is
@@ -248,14 +263,14 @@ stop() {
     set_policy ACCEPT
     # And then, flush the rules and delete chains
     flush_n_delete
-    
+
     rm -f $VAR_SUBSYS_IPTABLES
     return $ret
 }
 
 save() {
     # Check if iptable module is loaded
-    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+    if ! netfilter_active; then
 	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
 	return 0
     fi
@@ -298,7 +313,7 @@ save() {
 }
 
 status() {
-    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
 	echo $"${IPTABLES}: Firewall is not running."
 	return 3
     fi
@@ -306,7 +321,7 @@ status() {
     # Do not print status if lockfile is missing and iptables modules are not 
     # loaded.
     # Check if iptable modules are loaded
-    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+    if ! netfilter_active; then
 	echo $"${IPTABLES}: Firewall modules are not loaded."
 	return 3
     fi
@@ -319,7 +334,7 @@ status() {
 
     NUM=
     [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
-    VERBOSE= 
+    VERBOSE=
     [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
     COUNT=
     [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"

iptables.spec

@@ -11,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 10%{?dist}
+Release: 11%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -25,10 +25,13 @@ Source9: ebtables.service
 Source10: ebtables-config
 
 Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
+Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
+Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
+Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
 
 # pf.os: ISC license
-# iptables-apply: Artistic Licence 2.0
-License: GPLv2 and Artistic Licence 2.0 and ISC
+# iptables-apply: Artistic 2.0
+License: GPLv2 and Artistic 2.0 and ISC
 
 # libnetfilter_conntrack is needed for xt_connlabel
 BuildRequires: pkgconfig(libnetfilter_conntrack)
@@ -62,6 +65,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Conflicts: setup < 2.10.4-1
 Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
+Obsoletes: %{name} < %{version}-%{release}
 %if 0%{?rhel} < 9
 Provides:	iptables
 %endif
@@ -84,6 +88,7 @@ and logic for those is kept in per-extension shared object files.
 
 %package legacy-libs
 Summary: iptables legacy libraries
+Obsoletes: %{name}-libs < %{version}-%{release}
 
 %description legacy-libs
 iptables libraries.
@@ -418,6 +423,17 @@ fi
 
 
 %changelog
+* Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11
+- Fix License name in spec file
+- Eliminate inet_aton() and inet_ntoa()
+- nft-arp: Make use of ipv4_addr_to_string()
+- Make legacy sub-packages obsolete older non-legacy ones
+- Fix dates in changelog
+- iptables.init: Fix functionality for iptables-nft
+- iptables.init: Ignore sysctl files not suffixed '.conf'
+- iptables.init: Drop unused NEW_MODUTILS check
+- iptables.init: Drop some trailing whitespace
+
 * Fri Apr 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-10
 - Add provides to iptables-nft-services
 
@@ -460,13 +476,13 @@ fi
 * Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.8.7-1
 - Update to 1.8.7. Fixes rhbz#1916948
 
-* Thu Nov 19 17:32:24 CET 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-5
+* Thu Nov 19 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-5
 - Use make macros
 
-* Tue Nov 17 14:05:30 CET 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-4
+* Tue Nov 17 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-4
 - ebtables: Fix for broken chain renaming
 
-* Mon Nov 16 13:39:22 CET 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-3
+* Mon Nov 16 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-3
 - Drop obsolete StandardOutput setting from unit file
 - Remove StandardError setting from unit file, its value is default
 
@@ -476,7 +492,7 @@ fi
 * Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.8.6-1
 - Update to 1.8.6. Fixes bug #1893453
 
-* Tue Aug 25 15:56:10 GMT 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3
+* Tue Aug 25 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3
 - nft: cache: Check consistency with NFT_CL_FAKE, too
 - nft: Fix command name in ip6tables error message