From 5463f77d3b7c37f6b637e4ab5c70c0eb2fc1aa30 Mon Sep 17 00:00:00 2001 
From: Phil Sutter Date: Wed, 24 May 2023 13:03:08 +0200 Subject: [PATCH] iptables-1.8.9-4 - Backport fixes from upstream --- ...s-NAT-Fix-for-Werror-format-security.patch | 7 +- 0002-etc-Drop-xtables.conf.patch | 132 ++++++++++ ...x-for-unknown-argument-error-message.patch | 148 +++++++++++ ...es-Refuse-unselected-targets-options.patch | 232 ++++++++++++++++++ ...-Properly-split-input-in-replay-mode.patch | 31 +++ ...bebt_redirect-Fix-target-translation.patch | 48 ++++ ...t_redirect-Fix-for-wrong-syntax-in-t.patch | 48 ++++ ...t_ip-Do-not-use-ip-dscp-for-translat.patch | 50 ++++ ...t_ip-Translation-has-to-match-on-eth.patch | 85 +++++++ ...the-missing-chunk-types-in-sctp_help.patch | 36 +++ ...Add-missing-linux-netfilter-xt_LOG.h.patch | 101 ++++++++ ...-for-deletion-of-new-referenced-rule.patch | 67 +++++ ...ables-Fix-checking-existence-of-rule.patch | 33 +++ 0014-nft-shared-Drop-unused-include.patch | 29 +++ ...rsing-of-inverted-arp-operation-matc.patch | 31 +++ ...-t-omit-standard-matches-if-inverted.patch | 42 ++++ ...ing-of-option-arguments-in-same-word.patch | 211 ++++++++++++++++ iptables.spec | 23 +- 18 files changed, 1349 insertions(+), 5 deletions(-) create mode 100644 0002-etc-Drop-xtables.conf.patch create mode 100644 0003-Proper-fix-for-unknown-argument-error-message.patch create mode 100644 0004-ebtables-Refuse-unselected-targets-options.patch create mode 100644 0005-tests-xlate-Properly-split-input-in-replay-mode.patch create mode 100644 0006-extensions-libebt_redirect-Fix-target-translation.patch create mode 100644 0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch create mode 100644 0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch create mode 100644 0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch create mode 100644 0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch create mode 100644 0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch create mode 100644 
0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch create mode 100644 0013-ip6tables-Fix-checking-existence-of-rule.patch create mode 100644 0014-nft-shared-Drop-unused-include.patch create mode 100644 0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch create mode 100644 0016-arptables-Don-t-omit-standard-matches-if-inverted.patch create mode 100644 0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch diff --git a/0001-extensions-NAT-Fix-for-Werror-format-security.patch b/0001-extensions-NAT-Fix-for-Werror-format-security.patch index ff8adfb..cecd191 100644 --- a/0001-extensions-NAT-Fix-for-Werror-format-security.patch +++ b/0001-extensions-NAT-Fix-for-Werror-format-security.patch @@ -1,12 +1,13 @@ -From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001 +From ff8eacec604537d98eb912281fa0c5c6a83da717 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 12 Jan 2023 14:38:44 +0100 -Subject: [iptables PATCH] extensions: NAT: Fix for -Werror=format-security +Subject: [PATCH] extensions: NAT: Fix for -Werror=format-security Have to pass either a string literal or format string to xt_xlate_add(). Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE") Signed-off-by: Phil Sutter +(cherry picked from commit ed4082a7405a5838c205a34c1559e289949200cc) --- extensions/libxt_NAT.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) @@ -25,5 +26,5 @@ index da9f22012c5d6..2a6343986d54f 100644 xt_xlate_add(xl, " to %s", range_str); if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) { -- -2.38.0 +2.40.0 diff --git a/0002-etc-Drop-xtables.conf.patch b/0002-etc-Drop-xtables.conf.patch new file mode 100644 index 0000000..e676561 --- /dev/null +++ b/0002-etc-Drop-xtables.conf.patch 
@@ -0,0 +1,132 @@
+From 55f3f1743934efa33df1ecbe11b31362fc45b03c Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 17 Jan 2023 16:38:43 +0100
+Subject: [PATCH] etc: Drop xtables.conf
+
+The file is not used since the commit this one fixes. Also it wasn't
+installed until recently, when commit 3822a992bc277 ("Makefile: Fix for
+'make distcheck'") added it in the wrong spot in an attempt to reduce
+differences between tarballs generated by 'make tarball' and 'make
+dist'.
+
+While being at it, drop stale xtables_config_main() prototype from
+xtables-multi.h.
+
+Fixes: 06fd5e46d46f7 ("xtables: Drop support for /etc/xtables.conf")
+Signed-off-by: Phil Sutter
+(cherry picked from commit ca8fb6c21b298b3d96db2bfbf9c74d393bdd4728)
+---
+ Makefile.am | 2 +-
+ etc/xtables.conf | 74 ----------------------------------------
+ iptables/xtables-multi.h | 1 -
+ 3 files changed, 1 insertion(+), 76 deletions(-)
+ delete mode 100644 etc/xtables.conf
+
+diff --git a/Makefile.am b/Makefile.am
+index 451c3cb2d5887..299ab46d7b8e2 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -20,7 +20,7 @@ EXTRA_DIST = autogen.sh iptables-test.py xlate-test.py
+
+ if ENABLE_NFTABLES
+ confdir = $(sysconfdir)
+-dist_conf_DATA = etc/ethertypes etc/xtables.conf
++dist_conf_DATA = etc/ethertypes
+ endif
+
+ .PHONY: tarball
+diff --git a/etc/xtables.conf b/etc/xtables.conf
+deleted file mode 100644
+index 3c54ced043d82..0000000000000
+--- a/etc/xtables.conf
++++ /dev/null
+@@ -1,74 +0,0 @@
+-family ipv4 {
+- table raw {
+- chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
+- }
+-
+- table mangle {
+- chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+- chain INPUT hook NF_INET_LOCAL_IN prio -150
+- chain FORWARD hook NF_INET_FORWARD prio -150
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+- chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
+- }
+-
+- table filter {
+- chain INPUT hook NF_INET_LOCAL_IN prio 0
+- chain FORWARD hook NF_INET_FORWARD prio 0
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
+- }
+-
+- table nat {
+- chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+- chain INPUT hook NF_INET_LOCAL_IN prio 100
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio -100
+- chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+- }
+-
+- table security {
+- chain INPUT hook NF_INET_LOCAL_IN prio 50
+- chain FORWARD hook NF_INET_FORWARD prio 50
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio 50
+- }
+-}
+-
+-family ipv6 {
+- table raw {
+- chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
+- }
+-
+- table mangle {
+- chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+- chain INPUT hook NF_INET_LOCAL_IN prio -150
+- chain FORWARD hook NF_INET_FORWARD prio -150
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+- chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
+- }
+-
+- table filter {
+- chain INPUT hook NF_INET_LOCAL_IN prio 0
+- chain FORWARD hook NF_INET_FORWARD prio 0
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
+- }
+-
+- table nat {
+- chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+- chain INPUT hook NF_INET_LOCAL_IN prio 100
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio -100
+- chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+- }
+-
+- table security {
+- chain INPUT hook NF_INET_LOCAL_IN prio 50
+- chain FORWARD hook NF_INET_FORWARD prio 50
+- chain OUTPUT hook NF_INET_LOCAL_OUT prio 50
+- }
+-}
+-
+-family arp {
+- table filter {
+- chain INPUT hook NF_ARP_IN prio 0
+- chain OUTPUT hook NF_ARP_OUT prio 0
+- }
+-}
+diff --git a/iptables/xtables-multi.h b/iptables/xtables-multi.h
+index 94c24d5a22c7e..833c11a2ac914 100644
+--- a/iptables/xtables-multi.h
++++ b/iptables/xtables-multi.h
+@@ -20,7 +20,6 @@ extern int xtables_arp_save_main(int, char **);
+ extern int xtables_eb_main(int, char **);
+ extern int xtables_eb_restore_main(int, char **);
+ extern int xtables_eb_save_main(int, char **);
+-extern int xtables_config_main(int, char **);
+ extern int xtables_monitor_main(int, char **);
+
+ extern struct xtables_globals arptables_globals;
+--
+2.40.0
+
diff --git a/0003-Proper-fix-for-unknown-argument-error-message.patch b/0003-Proper-fix-for-unknown-argument-error-message.patch
new file mode 100644
index 0000000..d807c54
--- /dev/null
+++ b/0003-Proper-fix-for-unknown-argument-error-message.patch
@@ -0,0 +1,148 @@
+From 01c76718d85985625ef53fb6b554bd44742ae6ef Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 25 Jan 2023 01:51:43 +0100
+Subject: [PATCH] Proper fix for "unknown argument" error message
+
+While commit 1b8210f848631 kind of fixed the corner-case of invalid
+short-options packed with others, it broke error reporting for
+long-options. Revert it and deploy a proper solution:
+
+When passing an invalid short-option, e.g. 'iptables -vaL', getopt_long
+sets the variable 'optopt' to the invalid character's value. Use it for
+reporting instead of optind if set.
+
+To distinguish between invalid options and missing option arguments,
+ebtables-translate optstring needs adjustment.
+
+Fixes: 1b8210f848631 ("ebtables: Fix error message for invalid parameters")
+Signed-off-by: Phil Sutter
+(cherry picked from commit d6eb6a9fd3878ce4fa01f8d4127f1735988bd07b)
+---
+ .../testcases/iptables/0009-unknown-arg_0 | 31 +++++++++++++++++++
+ iptables/xshared.c | 9 ++++--
+ iptables/xtables-eb-translate.c | 8 ++---
+ iptables/xtables-eb.c | 17 ++++++----
+ 4 files changed, 50 insertions(+), 15 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
+
+diff --git a/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
+new file mode 100755
+index 0000000000000..ac6e743966196
+--- /dev/null
++++ b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
+@@ -0,0 +1,31 @@
++#!/bin/bash
++
++rc=0
++
++check() {
++ local cmd="$1"
++ local msg="$2"
++
++ $XT_MULTI $cmd 2>&1 | grep -q "$msg" || {
++ echo "cmd: $XT_MULTI $1"
++ echo "exp: $msg"
++ echo "res: $($XT_MULTI $cmd 2>&1)"
++ rc=1
++ }
++}
++
++cmds="iptables ip6tables"
++[[ $XT_MULTI == *xtables-nft-multi ]] && {
++ cmds+=" ebtables"
++ cmds+=" iptables-translate"
++ cmds+=" ip6tables-translate"
++ cmds+=" ebtables-translate"
++}
++
++for cmd in $cmds; do
++ check "${cmd} --foo" 'unknown option "--foo"'
++ check "${cmd} -A" 'option "-A" requires an argument'
++ check "${cmd} -aL" 'unknown option "-a"'
++done
++
++exit $rc
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index f93529b11a319..ac51fac5ce9ed 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -192,9 +192,12 @@ static int command_default(struct iptables_command_state *cs,
+ if (cs->c == ':')
+ xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+ "requires an argument", cs->argv[optind-1]);
+- if (cs->c == '?')
+- xtables_error(PARAMETER_PROBLEM, "unknown option "
+- "\"%s\"", cs->argv[optind-1]);
++ if (cs->c == '?') {
++ char optoptstr[3] = {'-', optopt, '\0'};
++
++ xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"",
++ optopt ? optoptstr : cs->argv[optind - 1]);
++ }
+ xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
+ }
+
+diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
+index 13b6b864a5f24..0c35272051752 100644
+--- a/iptables/xtables-eb-translate.c
++++ b/iptables/xtables-eb-translate.c
+@@ -201,7 +201,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
+ printf("nft ");
+ /* Getopt saves the day */
+ while ((c = getopt_long(argc, argv,
+- "-A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
++ "-:A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
+ cs.c = c;
+ switch (c) {
+ case 'A': /* Add a rule */
+@@ -491,11 +491,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
+ continue;
+ default:
+ ebt_check_inverse2(optarg, argc, argv);
+-
+- if (ebt_command_default(&cs))
+- xtables_error(PARAMETER_PROBLEM,
+- "Unknown argument: '%s'",
+- argv[optind - 1]);
++ ebt_command_default(&cs);
+
+ if (command != 'A' && command != 'I' &&
+ command != 'D')
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 7214a767ffe96..412b5cccdc46a 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -640,7 +640,16 @@ int ebt_command_default(struct iptables_command_state *cs)
+ return 0;
+ }
+ }
+- return 1;
++ if (cs->c == ':')
++ xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
++ "requires an argument", cs->argv[optind - 1]);
++ if (cs->c == '?') {
++ char optoptstr[3] = {'-', optopt, '\0'};
++
++ xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"",
++ optopt ? optoptstr : cs->argv[optind - 1]);
++ }
++ xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
+ }
+
+ int nft_init_eb(struct nft_handle *h, const char *pname)
+@@ -1084,11 +1093,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
+ continue;
+ default:
+ ebt_check_inverse2(optarg, argc, argv);
+-
+- if (ebt_command_default(&cs))
+- xtables_error(PARAMETER_PROBLEM,
+- "Unknown argument: '%s'",
+- argv[optind]);
++ ebt_command_default(&cs);
+
+ if (command != 'A' && command != 'I' &&
+ command != 'D' && command != 'C' && command != 14)
+--
+2.40.0
+
diff --git a/0004-ebtables-Refuse-unselected-targets-options.patch b/0004-ebtables-Refuse-unselected-targets-options.patch
new file mode 100644
index 0000000..c41ba45
--- /dev/null
+++ b/0004-ebtables-Refuse-unselected-targets-options.patch
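Review bot: The '?' branch added to ebt_command_default in xtables-eb.c repeats the one added to command_default in xshared.c line for line, `optoptstr` included, so the two error messages can drift apart the next time one of them is touched; a small helper in xshared.c that both call would avoid that. The fallback `optopt ? optoptstr : cs->argv[optind - 1]` relies on getopt_long leaving optopt at 0 for an unrecognised long option, which only the commit message explains; a comment on that line, `/* optopt is 0 for unknown long options, fall back to argv */`, would keep the reason next to the code. With `return 1` gone, the visible paths of ebt_command_default either return 0 or end in xtables_error and both callers now discard the result, so the int return type looks vestigial. Both functions start outside the hunk.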
@@ -0,0 +1,232 @@ +From a53dfa149429c49789947e61c325f9a11e9a83d3 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 25 Jan 2023 02:01:56 +0100 +Subject: [PATCH] ebtables: Refuse unselected targets' options + +Unlike legacy, ebtables-nft would allow e.g.: + +| -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be + +While the result is correct, it may mislead users into believing +multiple targets are possible per rule. Better follow legacy's behaviour +and reject target options unless they have been "enabled" by a previous +'-j' option. + +To achieve this, one needs to distinguish targets from watchers also +attached to 'xtables_targets' and otherwise behaving like regular +matches. Introduce XTABLES_EXT_WATCHER to mark the two. + +The above works already, but error messages are misleading when using +the now unsupported syntax since target options have been merged +already. Solve this by not pre-loading the targets at all, code will +just fall back to loading ad '-j' parsing time as iptables does. + +Note how this also fixes for 'counter' statement being in wrong position +of ebtables-translate output. 
+ +Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support") +Signed-off-by: Phil Sutter +(cherry picked from commit 27d37863a486352511dac385bde8f3d20526be5b) +--- + extensions/libebt_dnat.txlate | 12 ++++---- + extensions/libebt_log.c | 1 + + extensions/libebt_mark.txlate | 16 +++++----- + extensions/libebt_nflog.c | 1 + + extensions/libebt_snat.txlate | 8 ++--- + include/xtables.h | 1 + + .../ebtables/0002-ebtables-save-restore_0 | 4 +-- + iptables/xtables-eb.c | 29 +++++++------------ + 8 files changed, 33 insertions(+), 39 deletions(-) + +diff --git a/extensions/libebt_dnat.txlate b/extensions/libebt_dnat.txlate +index 9f305c76c954f..531a22aa3e14f 100644 +--- a/extensions/libebt_dnat.txlate ++++ b/extensions/libebt_dnat.txlate +@@ -1,8 +1,8 @@ +-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff +-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter' ++ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff ++nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept' + +-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT +-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter' ++ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT ++nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept' + +-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE +-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter' ++ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE ++nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff 
continue' +diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c +index 045062196d20d..9f8d158956802 100644 +--- a/extensions/libebt_log.c ++++ b/extensions/libebt_log.c +@@ -197,6 +197,7 @@ static int brlog_xlate(struct xt_xlate *xl, + static struct xtables_target brlog_target = { + .name = "log", + .revision = 0, ++ .ext_flags = XTABLES_EXT_WATCHER, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_log_info)), +diff --git a/extensions/libebt_mark.txlate b/extensions/libebt_mark.txlate +index d006e8ac94008..4ace1a1f5cfde 100644 +--- a/extensions/libebt_mark.txlate ++++ b/extensions/libebt_mark.txlate +@@ -1,11 +1,11 @@ +-ebtables-translate -A INPUT --mark-set 42 +-nft 'add rule bridge filter INPUT meta mark set 0x2a accept counter' ++ebtables-translate -A INPUT -j mark --mark-set 42 ++nft 'add rule bridge filter INPUT counter meta mark set 0x2a accept' + +-ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN +-nft 'add rule bridge filter INPUT meta mark set meta mark or 0x2a return counter' ++ebtables-translate -A INPUT -j mark --mark-or 42 --mark-target RETURN ++nft 'add rule bridge filter INPUT counter meta mark set meta mark or 0x2a return' + +-ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT +-nft 'add rule bridge filter INPUT meta mark set meta mark and 0x2a accept counter' ++ebtables-translate -A INPUT -j mark --mark-and 42 --mark-target ACCEPT ++nft 'add rule bridge filter INPUT counter meta mark set meta mark and 0x2a accept' + +-ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP +-nft 'add rule bridge filter INPUT meta mark set meta mark xor 0x2a drop counter' ++ebtables-translate -A INPUT -j mark --mark-xor 42 --mark-target DROP ++nft 'add rule bridge filter INPUT counter meta mark set meta mark xor 0x2a drop' +diff --git a/extensions/libebt_nflog.c b/extensions/libebt_nflog.c +index 115e15da45845..762d6d5d8bbe2 100644 +--- a/extensions/libebt_nflog.c ++++ 
b/extensions/libebt_nflog.c +@@ -146,6 +146,7 @@ static int brnflog_xlate(struct xt_xlate *xl, + static struct xtables_target brnflog_watcher = { + .name = "nflog", + .revision = 0, ++ .ext_flags = XTABLES_EXT_WATCHER, + .version = XTABLES_VERSION, + .family = NFPROTO_BRIDGE, + .size = XT_ALIGN(sizeof(struct ebt_nflog_info)), +diff --git a/extensions/libebt_snat.txlate b/extensions/libebt_snat.txlate +index 857a6052aed1a..37343d3a14754 100644 +--- a/extensions/libebt_snat.txlate ++++ b/extensions/libebt_snat.txlate +@@ -1,5 +1,5 @@ +-ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ --to-source de:ad:00:be:ee:ff +-nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 ether saddr set de:ad:0:be:ee:ff accept counter' ++ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ -j snat --to-source de:ad:00:be:ee:ff ++nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 counter ether saddr set de:ad:0:be:ee:ff accept' + +-ebtables-translate -t nat -A POSTROUTING -o someport --to-src de:ad:00:be:ee:ff --snat-target CONTINUE +-nft 'add rule bridge nat POSTROUTING oifname "someport" ether saddr set de:ad:0:be:ee:ff continue counter' ++ebtables-translate -t nat -A POSTROUTING -o someport -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE ++nft 'add rule bridge nat POSTROUTING oifname "someport" counter ether saddr set de:ad:0:be:ee:ff continue' +diff --git a/include/xtables.h b/include/xtables.h +index 4ffc8ec5a17e9..087a1d600f9ae 100644 +--- a/include/xtables.h ++++ b/include/xtables.h +@@ -203,6 +203,7 @@ struct xtables_lmap { + + enum xtables_ext_flags { + XTABLES_EXT_ALIAS = 1 << 0, ++ XTABLES_EXT_WATCHER = 1 << 1, + }; + + struct xt_xlate; +diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 +index 1091a4e80bebe..b4f9728bb9b6f 100755 +--- 
a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 ++++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 +@@ -38,7 +38,7 @@ $XT_MULTI ebtables -A foo -p IPv6 --ip6-proto tcp -j ACCEPT + + $XT_MULTI ebtables -A foo --limit 100 --limit-burst 42 -j ACCEPT + $XT_MULTI ebtables -A foo --log +-$XT_MULTI ebtables -A foo --mark-set 0x23 --mark-target ACCEPT ++$XT_MULTI ebtables -A foo -j mark --mark-set 0x23 --mark-target ACCEPT + $XT_MULTI ebtables -A foo --nflog + $XT_MULTI ebtables -A foo --pkttype-type multicast -j ACCEPT + $XT_MULTI ebtables -A foo --stp-type config -j ACCEPT +@@ -53,7 +53,7 @@ $XT_MULTI ebtables -A FORWARD -j foo + $XT_MULTI ebtables -N bar + $XT_MULTI ebtables -P bar RETURN + +-$XT_MULTI ebtables -t nat -A PREROUTING --redirect-target ACCEPT ++$XT_MULTI ebtables -t nat -A PREROUTING -j redirect --redirect-target ACCEPT + #$XT_MULTI ebtables -t nat -A PREROUTING --to-src fe:ed:ba:be:00:01 + + $XT_MULTI ebtables -t nat -A OUTPUT -j ACCEPT +diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c +index 412b5cccdc46a..3a73e79725489 100644 +--- a/iptables/xtables-eb.c ++++ b/iptables/xtables-eb.c +@@ -468,14 +468,14 @@ static void ebt_load_match(const char *name) + xtables_error(OTHER_PROBLEM, "Can't alloc memory"); + } + +-static void __ebt_load_watcher(const char *name, const char *typename) ++static void ebt_load_watcher(const char *name) + { + struct xtables_target *watcher; + size_t size; + + watcher = xtables_find_target(name, XTF_TRY_LOAD); + if (!watcher) { +- fprintf(stderr, "Unable to load %s %s\n", name, typename); ++ fprintf(stderr, "Unable to load %s watcher\n", name); + return; + } + +@@ -496,16 +496,6 @@ static void __ebt_load_watcher(const char *name, const char *typename) + xtables_error(OTHER_PROBLEM, "Can't alloc memory"); + } + +-static void ebt_load_watcher(const char *name) +-{ +- return __ebt_load_watcher(name, "watcher"); +-} +- +-static void ebt_load_target(const char *name) +-{ +- 
return __ebt_load_watcher(name, "target"); +-} +- + void ebt_load_match_extensions(void) + { + opts = ebt_original_options; +@@ -522,13 +512,6 @@ void ebt_load_match_extensions(void) + + ebt_load_watcher("log"); + ebt_load_watcher("nflog"); +- +- ebt_load_target("mark"); +- ebt_load_target("dnat"); +- ebt_load_target("snat"); +- ebt_load_target("arpreply"); +- ebt_load_target("redirect"); +- ebt_load_target("standard"); + } + + void ebt_add_match(struct xtables_match *m, +@@ -633,6 +616,9 @@ int ebt_command_default(struct iptables_command_state *cs) + + /* Is it a watcher option? */ + for (t = xtables_targets; t; t = t->next) { ++ if (!(t->ext_flags & XTABLES_EXT_WATCHER)) ++ continue; ++ + if (t->parse && + t->parse(cs->c - t->option_offset, cs->argv, + ebt_invert, &t->tflags, NULL, &t->t)) { +@@ -726,6 +712,11 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, + optind = 0; + opterr = false; + ++ for (t = xtables_targets; t; t = t->next) { ++ t->tflags = 0; ++ t->used = 0; ++ } ++ + /* Getopt saves the day */ + while ((c = getopt_long(argc, argv, EBT_OPTSTRING, + opts, NULL)) != -1) { +-- +2.40.0 + diff --git a/0005-tests-xlate-Properly-split-input-in-replay-mode.patch b/0005-tests-xlate-Properly-split-input-in-replay-mode.patch new file mode 100644 index 0000000..dd58948 --- /dev/null +++ b/0005-tests-xlate-Properly-split-input-in-replay-mode.patch 
@@ -0,0 +1,31 @@ +From bb7f92a40360b49535dd3675f47cf989755a4978 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 3 Feb 2023 18:48:33 +0100 +Subject: [PATCH] tests: xlate: Properly split input in replay mode + +Source command may contain quotes, using shlex.split() does the right +thing there. + +Fixes: 7705b2daa3bdc ("tests: xlate: Use --check to verify replay") +Signed-off-by: Phil Sutter +(cherry picked from commit 914350a4586d2817ca7c4919c53142562f27bdaf) +--- + xlate-test.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/xlate-test.py b/xlate-test.py +index 4cb1401b71677..217d2f0062682 100755 +--- a/xlate-test.py ++++ b/xlate-test.py +@@ -64,7 +64,7 @@ xtables_nft_multi = 'xtables-nft-multi' + if sourceline.find(';') >= 0: + sourceline, searchline = sourceline.split(';') + +- srcwords = sourceline.split() ++ srcwords = shlex.split(sourceline) + + srccmd = srcwords[0] + ipt = srccmd.split('-')[0] +-- +2.40.0 + diff --git a/0006-extensions-libebt_redirect-Fix-target-translation.patch b/0006-extensions-libebt_redirect-Fix-target-translation.patch new file mode 100644 index 0000000..b2f5481 --- /dev/null +++ b/0006-extensions-libebt_redirect-Fix-target-translation.patch 
@@ -0,0 +1,48 @@ +From 75d208e729b3256fdbbf31709215d30064389d47 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 31 Jan 2023 22:28:24 +0100 +Subject: [PATCH] extensions: libebt_redirect: Fix target translation + +While EBT_ACCEPT is the default verdict for ebtables targets, omitting +it from translation implicitly converts it into 'continue'. Omit the +non-default EBT_CONTINUE instead. + +Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension") +Signed-off-by: Phil Sutter +(cherry picked from commit bb6b243c481f90f7dc4a0bd89187ee2bb823f1f6) +--- + extensions/libebt_redirect.c | 2 +- + extensions/libebt_redirect.txlate | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + create mode 100644 extensions/libebt_redirect.txlate + +diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c +index 4d4c7a02cea89..389f3ccb53f60 100644 +--- a/extensions/libebt_redirect.c ++++ b/extensions/libebt_redirect.c +@@ -84,7 +84,7 @@ static int brredir_xlate(struct xt_xlate *xl, + const struct ebt_redirect_info *red = (const void*)params->target->data; + + xt_xlate_add(xl, "meta set pkttype host"); +- if (red->target != EBT_ACCEPT) ++ if (red->target != EBT_CONTINUE) + xt_xlate_add(xl, " %s ", brredir_verdict(red->target)); + return 1; + } +diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate +new file mode 100644 +index 0000000000000..f0dd5deaf6406 +--- /dev/null ++++ b/extensions/libebt_redirect.txlate +@@ -0,0 +1,8 @@ ++ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect ++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host accept' ++ ++ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN ++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host return' ++ ++ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE 
++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host' +-- +2.40.0 + diff --git a/0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch b/0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch new file mode 100644 index 0000000..8f8dcf6 --- /dev/null +++ b/0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch 
@@ -0,0 +1,48 @@ +From 345fb0551048b4b3c9f3f0a136c952a4ae5bf262 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 31 Jan 2023 23:32:50 +0100 +Subject: [PATCH] extensions: libebt_redirect: Fix for wrong syntax in + translation + +Meta key comes before 'set' in meta statement. + +Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension") +Signed-off-by: Phil Sutter +(cherry picked from commit 6d1263002c2a9fc6dfa59c764dee767a084d428d) +--- + extensions/libebt_redirect.c | 2 +- + extensions/libebt_redirect.txlate | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c +index 389f3ccb53f60..7821935e137aa 100644 +--- a/extensions/libebt_redirect.c ++++ b/extensions/libebt_redirect.c +@@ -83,7 +83,7 @@ static int brredir_xlate(struct xt_xlate *xl, + { + const struct ebt_redirect_info *red = (const void*)params->target->data; + +- xt_xlate_add(xl, "meta set pkttype host"); ++ xt_xlate_add(xl, "meta pkttype set host"); + if (red->target != EBT_CONTINUE) + xt_xlate_add(xl, " %s ", brredir_verdict(red->target)); + return 1; +diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate +index f0dd5deaf6406..d073ec774c4fa 100644 +--- a/extensions/libebt_redirect.txlate ++++ b/extensions/libebt_redirect.txlate +@@ -1,8 +1,8 @@ + ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect +-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host accept' ++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept' + + ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN +-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host return' ++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return' + + ebtables-translate -t nat -A PREROUTING 
-d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE +-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host' ++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host' +-- +2.40.0 + diff --git a/0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch b/0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch new file mode 100644 index 0000000..ad5a3ee --- /dev/null +++ b/0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch 
@@ -0,0 +1,50 @@ +From 6177d53b1b5748d64eba68b42b173427815e454f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 3 Feb 2023 18:58:36 +0100 +Subject: [PATCH] extensions: libebt_ip: Do not use 'ip dscp' for translation + +Converting from TOS field match to DSCP one is irreversible, so replay +testing is not possible. Use a raw payload expression to produce +something that translates 1:1 back into an 'ip' match. + +Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations") +Signed-off-by: Phil Sutter +(cherry picked from commit 744c56bda974caaa274318d2825b3e43b55bf145) +--- + extensions/libebt_ip.c | 4 ++-- + extensions/libebt_ip.txlate | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c +index fd87dae7e2c62..8b381aa10b5b7 100644 +--- a/extensions/libebt_ip.c ++++ b/extensions/libebt_ip.c +@@ -442,10 +442,10 @@ static int brip_xlate(struct xt_xlate *xl, + brip_xlate_nh(xl, info, EBT_IP_DEST); + + if (info->bitmask & EBT_IP_TOS) { +- xt_xlate_add(xl, "ip dscp "); ++ xt_xlate_add(xl, "@nh,8,8 "); + if (info->invflags & EBT_IP_TOS) + xt_xlate_add(xl, "!= "); +- xt_xlate_add(xl, "0x%02x ", info->tos & 0x3f); /* remove ECN bits */ ++ xt_xlate_add(xl, "0x%02x ", info->tos); + } + if (info->bitmask & EBT_IP_PROTO) { + struct protoent *pe; +diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate +index 75c1db246fb81..562e3157d7b92 100644 +--- a/extensions/libebt_ip.txlate ++++ b/extensions/libebt_ip.txlate +@@ -5,7 +5,7 @@ ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1 + nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter' + + ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff +-nft 'insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0x3f counter' ++nft 'insert rule bridge filter OUTPUT oifname "eth0" @nh,8,8 0xff counter' + + ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22 + nft 'add rule bridge filter FORWARD tcp dport 22 
counter' +-- +2.40.0 + diff --git a/0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch b/0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch new file mode 100644 index 0000000..96cb5ad --- /dev/null +++ b/0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch 
@@ -0,0 +1,85 @@ +From 1429ad5300d85ae9e3f6114f609afb1ac6808c71 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 3 Feb 2023 17:37:40 +0100 +Subject: [PATCH] extensions: libebt_ip: Translation has to match on ether type + +On one hand, nft refuses th expression in bridge family if layer3 +protocol has not been assured by a previous match. On the other, ebt_ip +kernel module will only match on IPv4 packets, so there might be a +functional change in the translation versus the original. + +Instead of just always emitting an 'ether type' match, decide whether +it's actually needed - explicit "ip " payload matches (or +icmp ones) cause implicit creation of a match on IPv4 by nft. + +Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations") +Signed-off-by: Phil Sutter +(cherry picked from commit b860e658200af8fdeced2896a1a6c2f0f0692b70) +--- + extensions/libebt_ip.c | 21 +++++++++++++++++++++ + extensions/libebt_ip.txlate | 6 +++--- + 2 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c +index 8b381aa10b5b7..68f34bff97deb 100644 +--- a/extensions/libebt_ip.c ++++ b/extensions/libebt_ip.c +@@ -432,6 +432,24 @@ static void brip_xlate_nh(struct xt_xlate *xl, + xtables_ipmask_to_numeric(maskp)); + } + ++static bool may_skip_ether_type_dep(uint8_t flags) ++{ ++ /* these convert to "ip (s|d)addr" matches */ ++ if (flags & (EBT_IP_SOURCE | EBT_IP_DEST)) ++ return true; ++ ++ /* icmp match triggers implicit ether type dependency in nft */ ++ if (flags & EBT_IP_ICMP) ++ return true; ++ ++ /* allow if "ip protocol" match is created by brip_xlate() */ ++ if (flags & EBT_IP_PROTO && ++ !(flags & (EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP))) ++ return true; ++ ++ return false; ++} ++ + static int brip_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) + { +@@ -441,6 +459,9 @@ static int brip_xlate(struct xt_xlate *xl, + brip_xlate_nh(xl, info, EBT_IP_SOURCE); + brip_xlate_nh(xl, info, 
EBT_IP_DEST); + ++ if (!may_skip_ether_type_dep(info->bitmask)) ++ xt_xlate_add(xl, "ether type ip "); ++ + if (info->bitmask & EBT_IP_TOS) { + xt_xlate_add(xl, "@nh,8,8 "); + if (info->invflags & EBT_IP_TOS) +diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate +index 562e3157d7b92..28996832225cb 100644 +--- a/extensions/libebt_ip.txlate ++++ b/extensions/libebt_ip.txlate +@@ -5,13 +5,13 @@ ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1 + nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter' + + ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff +-nft 'insert rule bridge filter OUTPUT oifname "eth0" @nh,8,8 0xff counter' ++nft 'insert rule bridge filter OUTPUT oifname "eth0" ether type ip @nh,8,8 0xff counter' + + ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22 +-nft 'add rule bridge filter FORWARD tcp dport 22 counter' ++nft 'add rule bridge filter FORWARD ether type ip tcp dport 22 counter' + + ebtables-translate -A FORWARD -p ip --ip-proto udp --ip-sport 1024:65535 +-nft 'add rule bridge filter FORWARD udp sport 1024-65535 counter' ++nft 'add rule bridge filter FORWARD ether type ip udp sport 1024-65535 counter' + + ebtables-translate -A FORWARD -p ip --ip-proto 253 + nft 'add rule bridge filter FORWARD ip protocol 253 counter' +-- +2.40.0 + diff --git a/0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch b/0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch new file mode 100644 index 0000000..410a831 --- /dev/null +++ b/0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch 
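Review bot: `may_skip_ether_type_dep` has no header comment stating its contract, and the rationale in the commit message is exactly what a maintainer will need when nft's dependency rules change; suggest above the function `/* nft rejects raw payload matches in bridge family unless the L3 protocol is assured; return true when an emitted 'ip ...' or icmp match already creates that dependency, so no explicit 'ether type ip' is needed. */`. Its third check mixes `&` and `&&` in one expression, `flags & EBT_IP_PROTO && !(flags & (...))`; precedence is right, but `(flags & EBT_IP_PROTO) && ...` matches the parenthesized style of the two checks above it. The decision keys on `info->bitmask` only, which looks correct since inverted matches in `invflags` still emit the same `ip saddr`/`ip daddr` expression, but the `EBT_IP_PROTO` branch depends on `ip protocol` being emitted by code outside this hunk, so that coupling is worth a cross-reference in the comment. brip_xlate's body continues outside the hunk.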
@@ -0,0 +1,36 @@ +From 94052918c2fd1508afa15a9a83965755d354d69b Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Tue, 21 Feb 2023 12:19:42 -0500 +Subject: [PATCH] xt_sctp: add the missing chunk types in sctp_help + +Add the missing chunk types in sctp_help(), so that the help cmd can +display these chunk types as below: + + # iptables -p sctp --help + + chunktypes - ... I_DATA RE_CONFIG PAD ... I_FORWARD_TSN ALL NONE + +Fixes: 6b04d9c34e25 ("xt_sctp: support a couple of new chunk types") +Signed-off-by: Xin Long +Signed-off-by: Phil Sutter +(cherry picked from commit f7c8d896f3305471746a8690f73587a65854d8fa) +--- + extensions/libxt_sctp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c +index fe5f5621a033d..6e2b2745dcbd5 100644 +--- a/extensions/libxt_sctp.c ++++ b/extensions/libxt_sctp.c +@@ -50,7 +50,7 @@ static void sctp_help(void) + " --dport ...\n" + "[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n" + " chunktypes are present\n" +-"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n"); ++"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN ALL NONE\n"); + } + + static const struct option sctp_opts[] = { +-- +2.40.0 + diff --git a/0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch b/0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch new file mode 100644 index 0000000..e0915f5 --- /dev/null +++ b/0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch 
@@ -0,0 +1,101 @@ +From 3311bf0d0fefd845d8d1d01b178bcd6701473a43 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 22 Feb 2023 16:36:16 +0100 +Subject: [PATCH] include: Add missing linux/netfilter/xt_LOG.h + +When merging IP-version-specific LOG extensions, a dependency to that +header was introduced without caching it. Fix this and drop the now +unused ip{,6}t_LOG.h files. + +Reported-by: Thomas Devoogdt +Fixes: 87e4f1bf0b87b ("extensions: libip*t_LOG: Merge extensions") +Signed-off-by: Phil Sutter +(cherry picked from commit 8030e5444681e16ac2f481ddad73e33fab376147) +--- + include/linux/netfilter/xt_LOG.h | 20 ++++++++++++++++++++ + include/linux/netfilter_ipv4/ipt_LOG.h | 19 ------------------- + include/linux/netfilter_ipv6/ip6t_LOG.h | 19 ------------------- + 3 files changed, 20 insertions(+), 38 deletions(-) + create mode 100644 include/linux/netfilter/xt_LOG.h + delete mode 100644 include/linux/netfilter_ipv4/ipt_LOG.h + delete mode 100644 include/linux/netfilter_ipv6/ip6t_LOG.h + +diff --git a/include/linux/netfilter/xt_LOG.h b/include/linux/netfilter/xt_LOG.h +new file mode 100644 +index 0000000000000..167d4ddd2476b +--- /dev/null ++++ b/include/linux/netfilter/xt_LOG.h +@@ -0,0 +1,20 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ ++#ifndef _XT_LOG_H ++#define _XT_LOG_H ++ ++/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) 
*/ ++#define XT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ ++#define XT_LOG_TCPOPT 0x02 /* Log TCP options */ ++#define XT_LOG_IPOPT 0x04 /* Log IP options */ ++#define XT_LOG_UID 0x08 /* Log UID owning local socket */ ++#define XT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ ++#define XT_LOG_MACDECODE 0x20 /* Decode MAC header */ ++#define XT_LOG_MASK 0x2f ++ ++struct xt_log_info { ++ unsigned char level; ++ unsigned char logflags; ++ char prefix[30]; ++}; ++ ++#endif /* _XT_LOG_H */ +diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h +deleted file mode 100644 +index dcdbadf9fd4a9..0000000000000 +--- a/include/linux/netfilter_ipv4/ipt_LOG.h ++++ /dev/null +@@ -1,19 +0,0 @@ +-#ifndef _IPT_LOG_H +-#define _IPT_LOG_H +- +-/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ +-#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +-#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ +-#define IPT_LOG_IPOPT 0x04 /* Log IP options */ +-#define IPT_LOG_UID 0x08 /* Log UID owning local socket */ +-#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ +-#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */ +-#define IPT_LOG_MASK 0x2f +- +-struct ipt_log_info { +- unsigned char level; +- unsigned char logflags; +- char prefix[30]; +-}; +- +-#endif /*_IPT_LOG_H*/ +diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h +deleted file mode 100644 +index 9dd5579e02ec7..0000000000000 +--- a/include/linux/netfilter_ipv6/ip6t_LOG.h ++++ /dev/null +@@ -1,19 +0,0 @@ +-#ifndef _IP6T_LOG_H +-#define _IP6T_LOG_H +- +-/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) 
*/ +-#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ +-#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */ +-#define IP6T_LOG_IPOPT 0x04 /* Log IP options */ +-#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */ +-#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */ +-#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */ +-#define IP6T_LOG_MASK 0x2f +- +-struct ip6t_log_info { +- unsigned char level; +- unsigned char logflags; +- char prefix[30]; +-}; +- +-#endif /*_IPT_LOG_H*/ +-- +2.40.0 + diff --git a/0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch b/0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch new file mode 100644 index 0000000..8b20709 --- /dev/null +++ b/0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch 
@@ -0,0 +1,67 @@ +From 1d37530ed4a9ece32ed94faa916845a883f8fd05 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 28 Feb 2023 18:09:25 +0100 +Subject: [PATCH] nft-restore: Fix for deletion of new, referenced rule + +Combining multiple corner-cases here: + +* Insert a rule before another new one which is not the first. Triggers + NFTNL_RULE_ID assignment of the latter. + +* Delete the referenced new rule in the same batch again. Causes + overwriting of the previously assigned RULE_ID. + +Consequently, iptables-nft-restore fails during *insert*, because the +reference is dangling. + +Reported-by: Eric Garver +Fixes: 760b35b46e4cc ("nft: Fix for add and delete of same rule in single batch") +Signed-off-by: Phil Sutter +Tested-by: Eric Garver +(cherry picked from commit 5fd85822bd12a02f1a921243f605fc6238d705b4) +--- + iptables/nft.c | 3 ++- + .../ipt-restore/0003-restore-ordering_0 | 16 ++++++++++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index 63468cf3b1344..5896fd410ca78 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -2343,7 +2343,8 @@ static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule *r) + + nftnl_rule_list_del(r); + +- if (!nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE)) ++ if (!nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE) && ++ !nftnl_rule_get_u32(r, NFTNL_RULE_ID)) + nftnl_rule_set_u32(r, NFTNL_RULE_ID, ++h->rule_id); + + obj = batch_rule_add(h, NFT_COMPAT_RULE_DELETE, r); +diff --git a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 +index 3f1d229e915ff..5482b7ea17298 100755 +--- a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 ++++ b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 +@@ -123,3 +123,19 @@ EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT + -A FORWARD -m comment --comment "rule 3" -j ACCEPT' + + diff -u -Z <(echo -e "$EXPECT") 
<(ipt_show) ++ ++# test adding, referencing and deleting the same rule in a batch ++ ++$XT_MULTI iptables-restore < +Date: Mon, 3 Apr 2023 23:13:47 +0200 +Subject: [PATCH] ip6tables: Fix checking existence of rule + +Pass the proper entry size when creating a match mask for checking the +existence of a rule. Failing to do so causes wrong results. + +Reported-by: Jonathan Caicedo +Fixes: eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables") +Signed-off-by: Markus Boehme +Signed-off-by: Phil Sutter +(cherry picked from commit 78850e7dba64a949c440dbdbe557f59409c6db48) +--- + iptables/ip6tables.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c +index 345af4519bfe7..9afc32c1a21ed 100644 +--- a/iptables/ip6tables.c ++++ b/iptables/ip6tables.c +@@ -331,7 +331,7 @@ check_entry(const xt_chainlabel chain, struct ip6t_entry *fw, + int ret = 1; + unsigned char *mask; + +- mask = make_delete_mask(matches, target, sizeof(fw)); ++ mask = make_delete_mask(matches, target, sizeof(*fw)); + for (i = 0; i < nsaddrs; i++) { + fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; +-- +2.40.0 + diff --git a/0014-nft-shared-Drop-unused-include.patch b/0014-nft-shared-Drop-unused-include.patch new file mode 100644 index 0000000..c4274ca --- /dev/null +++ b/0014-nft-shared-Drop-unused-include.patch 
@@ -0,0 +1,29 @@ +From 1bf20a3bd929060cb9afdd798292f0463243e26d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 29 Mar 2023 16:22:16 +0200 +Subject: [PATCH] nft-shared: Drop unused include + +Code does not refer to struct xt_comment_info anymore. + +Fixes: 3bb497c61d743 ("xtables: Fix for deleting rules with comment") +Signed-off-by: Phil Sutter +(cherry picked from commit 465470184950d9035dcd1101c1f413f8a2051427) +--- + iptables/nft-shared.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c +index 4a7b5406892c4..4ba44a4aa4d17 100644 +--- a/iptables/nft-shared.c ++++ b/iptables/nft-shared.c +@@ -22,7 +22,6 @@ + #include + + #include +-#include + #include + #include + #include +-- +2.40.0 + diff --git a/0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch b/0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch new file mode 100644 index 0000000..5474f8a --- /dev/null +++ b/0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch 
@@ -0,0 +1,31 @@ +From 9a4b3bde58819e55a2d852800e87e66629a87081 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 28 Apr 2023 14:33:43 +0200 +Subject: [PATCH] arptables: Fix parsing of inverted 'arp operation' match + +The wrong bit was set in 'invflags', probably due to copy'n'paste from +the previous case. + +Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables") +Signed-off-by: Phil Sutter +(cherry picked from commit 092e4b022152addc94524e2ba0cb608dac1a3a08) +--- + iptables/nft-arp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c +index 210f43d2cefbe..8fae5adc50216 100644 +--- a/iptables/nft-arp.c ++++ b/iptables/nft-arp.c +@@ -244,7 +244,7 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx, + fw->arp.arhln = ar_hln; + fw->arp.arhln_mask = 0xff; + if (inv) +- fw->arp.invflags |= IPT_INV_ARPOP; ++ fw->arp.invflags |= IPT_INV_ARPHLN; + break; + case offsetof(struct arphdr, ar_pln): + get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv); +-- +2.40.0 + diff --git a/0016-arptables-Don-t-omit-standard-matches-if-inverted.patch b/0016-arptables-Don-t-omit-standard-matches-if-inverted.patch new file mode 100644 index 0000000..1efb846 --- /dev/null +++ b/0016-arptables-Don-t-omit-standard-matches-if-inverted.patch 
@@ -0,0 +1,42 @@ +From a900100d6d4be7c52e4cfd1ab06ce3ac626d71a1 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 28 Apr 2023 14:37:47 +0200 +Subject: [PATCH] arptables: Don't omit standard matches if inverted + +Inverted --h-len and --h-type matches were omitted from output by +accident if they matched on their standard value. + +Fixes: 84331e3ed3f8e ("arptables-nft: Don't print default h-len/h-type values") +Signed-off-by: Phil Sutter +(cherry picked from commit 79f93b0943fa0e46ba29bb476362634509eb594e) +--- + iptables/nft-arp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c +index 8fae5adc50216..df3ad430cf701 100644 +--- a/iptables/nft-arp.c ++++ b/iptables/nft-arp.c +@@ -408,7 +408,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, + + after_devdst: + +- if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6) { ++ if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6 || ++ fw->arp.invflags & IPT_INV_ARPHLN) { + printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHLN + ? "! " : ""); + printf("--h-length %d", fw->arp.arhln); +@@ -432,7 +433,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, + sep = " "; + } + +- if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1)) { ++ if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1) || ++ fw->arp.invflags & IPT_INV_ARPHRD) { + uint16_t tmp = ntohs(fw->arp.arhrd); + + printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHRD +-- +2.40.0 + diff --git a/0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch b/0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch new file mode 100644 index 0000000..9c5cbd2 --- /dev/null +++ b/0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch 
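Review bot: The two new `||` operands in nft_arp_print_rule_details, `fw->arp.invflags & IPT_INV_ARPHLN` and `fw->arp.invflags & IPT_INV_ARPHRD`, are bit-tests appended to an `||` chain without their own parentheses; precedence is correct, but `(fw->arp.invflags & IPT_INV_ARPHLN)` reads unambiguously and is the form linters and reviewers expect. Since the conditions are being extended anyway, the defaults `255`, `6`, `65535` and `htons(1)` remain bare numbers; a one-line comment such as `/* omit --h-length / --h-type only when they equal the Ethernet defaults and are not inverted */` would explain both the old and the new part of each condition. The function starts and ends outside the hunk.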
@@ -0,0 +1,211 @@ +From 174ef8164bc3b1f9454f77b3747f1591ea5b5a9f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 28 Apr 2023 14:41:08 +0200 +Subject: [PATCH] xshared: Fix parsing of option arguments in same word + +When merging commandline parsers, a decision between 'argv[optind - 1]' +and 'optarg' had to be made in some spots. While the implementation of +check_inverse() required the former, use of the latter allows for the +common syntax of '--opt=arg' or even '-oarg' as 'optarg' will point at +the suffix while 'argv[optind - 1]' will just point at the following +option. + +Fix the mess by making check_inverse() update optarg pointer if needed +so calling code may refer to and always correct 'optarg'. + +Fixes: 0af80a91b0a98 ("nft: Merge xtables-arp-standalone.c into xtables-standalone.c") +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1677 +Signed-off-by: Phil Sutter +(cherry picked from commit 90a7a183a208b691810b8519cc57d3d9d3b7eb60) +--- + extensions/libarpt_standard.t | 2 ++ + extensions/libxt_standard.t | 3 ++ + iptables/xshared.c | 61 +++++++++++++++++------------------ + 3 files changed, 35 insertions(+), 31 deletions(-) + +diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t +index e84a00b780488..007fa2b8335e8 100644 +--- a/extensions/libarpt_standard.t ++++ b/extensions/libarpt_standard.t +@@ -12,3 +12,5 @@ + -i lo --destination-mac 11:22:33:44:55:66;-i lo --dst-mac 11:22:33:44:55:66;OK + --source-mac Unicast;--src-mac 00:00:00:00:00:00/01:00:00:00:00:00;OK + ! --src-mac Multicast;! --src-mac 01:00:00:00:00:00/01:00:00:00:00:00;OK ++--src-mac=01:02:03:04:05:06 --dst-mac=07:08:09:0A:0B:0C --h-length=6 --opcode=Request --h-type=Ethernet --proto-type=ipv4;--src-mac 01:02:03:04:05:06 --dst-mac 07:08:09:0a:0b:0c --opcode 1 --proto-type 0x800;OK ++--src-mac ! 01:02:03:04:05:06 --dst-mac ! 07:08:09:0A:0B:0C --h-length ! 6 --opcode ! Request --h-type ! Ethernet --proto-type ! ipv4;! --src-mac 01:02:03:04:05:06 ! 
--dst-mac 07:08:09:0a:0b:0c ! --h-length 6 ! --opcode 1 ! --h-type 1 ! --proto-type 0x800;OK +diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t +index 56d6da2e5884e..6ed978e442b80 100644 +--- a/extensions/libxt_standard.t ++++ b/extensions/libxt_standard.t +@@ -21,3 +21,6 @@ + -s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK + -s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK + -s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK ++:FORWARD ++--protocol=tcp --source=1.2.3.4 --destination=5.6.7.8/32 --in-interface=eth0 --out-interface=eth1 --jump=ACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK ++-ptcp -s1.2.3.4 -d5.6.7.8/32 -ieth0 -oeth1 -jACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK +diff --git a/iptables/xshared.c b/iptables/xshared.c +index ac51fac5ce9ed..17aed04e02b09 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -1318,7 +1318,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg) + } + + static void check_inverse(struct xtables_args *args, const char option[], +- bool *invert, int *optidx, int argc) ++ bool *invert, int argc, char **argv) + { + switch (args->family) { + case NFPROTO_ARP: +@@ -1337,12 +1337,11 @@ static void check_inverse(struct xtables_args *args, const char option[], + xtables_error(PARAMETER_PROBLEM, + "Multiple `!' 
flags not allowed"); + *invert = true; +- if (optidx) { +- *optidx = *optidx + 1; +- if (argc && *optidx > argc) +- xtables_error(PARAMETER_PROBLEM, +- "no argument following `!'"); +- } ++ optind++; ++ if (optind > argc) ++ xtables_error(PARAMETER_PROBLEM, "no argument following `!'"); ++ ++ optarg = argv[optind - 1]; + } + + static const char *optstring_lookup(int family) +@@ -1555,16 +1554,16 @@ void do_parse(int argc, char *argv[], + * Option selection + */ + case 'p': +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_PROTOCOL, + &args->invflags, invert); + + /* Canonicalize into lower case */ +- for (cs->protocol = argv[optind - 1]; ++ for (cs->protocol = optarg; + *cs->protocol; cs->protocol++) + *cs->protocol = tolower(*cs->protocol); + +- cs->protocol = argv[optind - 1]; ++ cs->protocol = optarg; + args->proto = xtables_parse_protocol(cs->protocol); + + if (args->proto == 0 && +@@ -1578,17 +1577,17 @@ void do_parse(int argc, char *argv[], + break; + + case 's': +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_SOURCE, + &args->invflags, invert); +- args->shostnetworkmask = argv[optind - 1]; ++ args->shostnetworkmask = optarg; + break; + + case 'd': +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_DESTINATION, + &args->invflags, invert); +- args->dhostnetworkmask = argv[optind - 1]; ++ args->dhostnetworkmask = optarg; + break; + + #ifdef IPT_F_GOTO +@@ -1601,71 +1600,71 @@ void do_parse(int argc, char *argv[], + #endif + + case 2:/* src-mac */ +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_S_MAC, &args->invflags, + invert); +- args->src_mac = argv[optind - 1]; ++ args->src_mac = optarg; + break; + + 
case 3:/* dst-mac */ +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_D_MAC, &args->invflags, + invert); +- args->dst_mac = argv[optind - 1]; ++ args->dst_mac = optarg; + break; + + case 'l':/* hardware length */ +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_H_LENGTH, &args->invflags, + invert); +- args->arp_hlen = argv[optind - 1]; ++ args->arp_hlen = optarg; + break; + + case 8: /* was never supported, not even in arptables-legacy */ + xtables_error(PARAMETER_PROBLEM, "not supported"); + case 4:/* opcode */ +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_OPCODE, &args->invflags, + invert); +- args->arp_opcode = argv[optind - 1]; ++ args->arp_opcode = optarg; + break; + + case 5:/* h-type */ +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_H_TYPE, &args->invflags, + invert); +- args->arp_htype = argv[optind - 1]; ++ args->arp_htype = optarg; + break; + + case 6:/* proto-type */ +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_P_TYPE, &args->invflags, + invert); +- args->arp_ptype = argv[optind - 1]; ++ args->arp_ptype = optarg; + break; + + case 'j': + set_option(&cs->options, OPT_JUMP, &args->invflags, + invert); +- command_jump(cs, argv[optind - 1]); ++ command_jump(cs, optarg); + break; + + case 'i': + check_empty_interface(args, optarg); +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_VIANAMEIN, + &args->invflags, invert); +- xtables_parse_interface(argv[optind - 1], ++ xtables_parse_interface(optarg, + args->iniface, + 
args->iniface_mask); + break; + + case 'o': + check_empty_interface(args, optarg); +- check_inverse(args, optarg, &invert, &optind, argc); ++ check_inverse(args, optarg, &invert, argc, argv); + set_option(&cs->options, OPT_VIANAMEOUT, + &args->invflags, invert); +- xtables_parse_interface(argv[optind - 1], ++ xtables_parse_interface(optarg, + args->outiface, + args->outiface_mask); + break; +-- +2.40.0 + diff --git a/iptables.spec b/iptables.spec index 1a8054f..d779895 100644 --- a/iptables.spec +++ b/iptables.spec @@ -11,7 +11,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.9 -Release: 3%{?dist} +Release: 4%{?dist} Source: %{url}/files/%{name}-%{version}.tar.xz Source1: iptables.init Source2: iptables-config 
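Review bot: check_inverse now advances the getopt globals itself (`optind++` and `optarg = argv[optind - 1]`), a side effect every rewritten call site in do_parse relies on but that neither the function nor the callers document; a comment above the function such as `/* On a leading '!' argument: set *invert, consume the '!' and repoint optarg at the real argument so callers may use optarg unconditionally. */` would keep someone from reintroducing `argv[optind - 1]`. The old code guarded its bound check with `argc &&`, while the new `if (optind > argc)` is unconditional, so if any caller outside this hunk still passes argc as 0 (the old guard suggests one did), every `!` would now be rejected; worth confirming none is left in xshared.c. The rewritten `for (cs->protocol = optarg; ...)` loop in case 'p' still lowercases in place with `tolower(*cs->protocol)` on a plain `char`, which is undefined for bytes above 0x7f; `tolower((unsigned char)*cs->protocol)` makes the command-line parsing robust to non-ASCII input. The check_inverse body and do_parse both extend beyond the hunk.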
@@ -20,7 +20,23 @@ Source4: sysconfig_iptables Source5: sysconfig_ip6tables Source6: arptables-nft-helper -Patch01: 0001-extensions-NAT-Fix-for-Werror-format-security.patch +Patch001: 0001-extensions-NAT-Fix-for-Werror-format-security.patch +Patch002: 0002-etc-Drop-xtables.conf.patch +Patch003: 0003-Proper-fix-for-unknown-argument-error-message.patch +Patch004: 0004-ebtables-Refuse-unselected-targets-options.patch +Patch005: 0005-tests-xlate-Properly-split-input-in-replay-mode.patch +Patch006: 0006-extensions-libebt_redirect-Fix-target-translation.patch +Patch007: 0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch +Patch008: 0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch +Patch009: 0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch +Patch010: 0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch +Patch011: 0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch +Patch012: 0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch +Patch013: 0013-ip6tables-Fix-checking-existence-of-rule.patch +Patch014: 0014-nft-shared-Drop-unused-include.patch +Patch015: 0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch +Patch016: 0016-arptables-Don-t-omit-standard-matches-if-inverted.patch +Patch017: 0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -431,6 +447,9 @@ fi %changelog +* Wed May 24 2023 Phil Sutter - 1.8.9-4 +- Backport fixes from upstream + * Thu Apr 20 2023 Phil Sutter - 1.8.9-3 - Support %%_excludedocs macro in alternatives installation