From 4ef8aaebbe6d2223197a3ce86a056949368aca86 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 17 Nov 2020 14:27:08 +0100
Subject: [PATCH] iptables-1.8.6-4 - ebtables: Fix for broken chain renaming

---
 ...tables-Fix-for-broken-chain-renaming.patch | 60 +++++++++++++++++++
 iptables.spec | 7 ++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 0001-ebtables-Fix-for-broken-chain-renaming.patch

diff --git a/0001-ebtables-Fix-for-broken-chain-renaming.patch b/0001-ebtables-Fix-for-broken-chain-renaming.patch
new file mode 100644
index 0000000..b7c0afe
--- /dev/null
+++ b/0001-ebtables-Fix-for-broken-chain-renaming.patch
@@ -0,0 +1,60 @@
+From 55b7c71dce7144f4dc0297c17abf0f04879ee247 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 17 Nov 2020 11:38:27 +0100
+Subject: [iptables PATCH] ebtables: Fix for broken chain renaming
+
+Loading extensions pollutes 'errno' value, hence before using it to
+indicate failure it should be sanitized. This was done by the called
+function before the parsing/netlink split and not migrated by accident.
+Move it into calling code to clarify the connection.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter
+---
+ iptables/nft.c | 3 ---
+ iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 | 4 ++++
+ iptables/xtables-eb.c | 1 +
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 39882a443a974..411e2597205c9 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1896,9 +1896,6 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain,
+ return 0;
+ }
+
+- /* Config load changed errno. Ensure genuine info for our callers. */
+- errno = 0;
+-
+ /* Find the old chain to be renamed */
+ c = nft_chain_find(h, table, chain);
+ if (c == NULL) {
+diff --git a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
+index 0c1eb4ca66f52..6f11bd12593dd 100755
+--- a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
++++ b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
+@@ -86,4 +86,8 @@ if [ $? -eq 0 ]; then
+ exit 1
+ fi
+
++$XT_MULTI ebtables -t filter -E FOO BAZ || exit 1
++$XT_MULTI ebtables -t filter -L | grep -q FOO && exit 1
++$XT_MULTI ebtables -t filter -L | grep -q BAZ || exit 1
++
+ $XT_MULTI ebtables -t $t -F || exit 0
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 6641a21a72d32..5e4184b8e80de 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -853,6 +853,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
+ else if (strchr(argv[optind], ' ') != NULL)
+ xtables_error(PARAMETER_PROBLEM, "Use of ' ' not allowed in chain names");
+
++ errno = 0;
+ ret = nft_cmd_chain_user_rename(h, chain, *table,
+ argv[optind]);
+ if (ret != 0 && errno == ENOENT)
+--
+2.28.0
+
diff --git a/iptables.spec b/iptables.spec
index 6fd5eef..f80a798 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -19,7 +19,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -32,6 +32,8 @@ Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
 Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 %endif
 
+Patch1: 0001-ebtables-Fix-for-broken-chain-renaming.patch
+
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
 License: GPLv2 and Artistic Licence 2.0 and ISC
@@ -442,6 +444,9 @@ fi
 
 %changelog
+* Tue Nov 17 14:05:30 CET 2020 Phil Sutter - 1.8.6-4
+- ebtables: Fix for broken chain renaming
+
 * Mon Nov 16 13:39:22 CET 2020 Phil Sutter - 1.8.6-3
 - Drop obsolete StandardOutput setting from unit file
 - Remove StandardError setting from unit file, its value is default
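Review bot: The new `errno = 0;` in do_commandeb arrives without the explanation that the removed nft.c lines carried, so a later reader sees a bare reset right before `nft_cmd_chain_user_rename()` and may drop it as dead code; carry the comment over, e.g. `/* Extension loading leaves errno set; reset it so the ENOENT test below reflects this call only. */`. The check `if (ret != 0 && errno == ENOENT)` now depends entirely on nft_cmd_chain_user_rename (or what it calls) setting ENOENT for a missing chain, which is not visible in this hunk — confirm that path still sets it, otherwise the "chain doesn't exist" branch can never fire. Any other caller of nft_chain_user_rename that inspected errno loses the sanitization removed from nft.c and would need the same reset at its own call site, if such callers exist. Both do_commandeb and nft_chain_user_rename start and end outside the hunk.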
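Review bot: `Patch1:` is declared in the second spec hunk, but no %prep change is visible, so unless %prep already uses `%autosetup` or an explicit `%patch1 -p1` line exists outside this diff, the patch is listed yet never applied and the build ships the unfixed ebtables rename while the changelog claims otherwise. Confirm the %prep section applies it with the right strip level (the added patch uses `a/` and `b/` prefixes) before accepting the release bump.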