From 730c58d40441a3e02712919ad84548d819a7d1bd Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sat, 31 Oct 2020 16:49:52 -0700
Subject: [PATCH] Update to 1.8.6. Fixes bug #1893453

---
 .gitignore | 1 +
 ...iptables-apply-not-getting-installed.patch | 42 -------------
 ...mat-security-fixes-in-libip-6-t_icmp.patch | 60 -------------------
 ...ate-don-t-fail-if-help-was-requested.patch | 58 ------------------
 ...eck-consistency-with-NFT_CL_FAKE-too.patch | 40 -------------
 ...mand-name-in-ip6tables-error-message.patch | 45 --------------
 iptables.spec | 12 ++--
 sources | 2 +-
 8 files changed, 7 insertions(+), 253 deletions(-)
 delete mode 100644 0001-build-resolve-iptables-apply-not-getting-installed.patch
 delete mode 100644 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 delete mode 100644 0002-xtables-translate-don-t-fail-if-help-was-requested.patch
 delete mode 100644 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
 delete mode 100644 0004-nft-Fix-command-name-in-ip6tables-error-message.patch

diff --git a/.gitignore b/.gitignore
index ae4c970..a72e3b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /iptables-1.8.3.tar.bz2
 /iptables-1.8.4.tar.bz2
 /iptables-1.8.5.tar.bz2
+/iptables-1.8.6.tar.bz2
diff --git a/0001-build-resolve-iptables-apply-not-getting-installed.patch b/0001-build-resolve-iptables-apply-not-getting-installed.patch
deleted file mode 100644
index 26e08db..0000000
--- a/0001-build-resolve-iptables-apply-not-getting-installed.patch
+++ /dev/null
@@ -1,42 +0,0 @@ -From 55bb60d8ae717d3bc1cfdd6203604a18f30eb3c3 Mon Sep 17 00:00:00 2001 -From: Jan Engelhardt -Date: Wed, 3 Jun 2020 15:38:48 +0200 -Subject: [PATCH] build: resolve iptables-apply not getting installed -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -ip6tables-apply gets installed but iptables-apply does not. -That is wrong. - -» make install DESTDIR=$PWD/r -» find r -name "*app*" -r/usr/local/sbin/ip6tables-apply -r/usr/local/share/man/man8/iptables-apply.8 -r/usr/local/share/man/man8/ip6tables-apply.8 - -Fixes: v1.8.5~87 -Signed-off-by: Jan Engelhardt -Signed-off-by: Pablo Neira Ayuso -(cherry picked from commit d4ed0c741fc789bb09d977d74d30875fdd50d08b) -Signed-off-by: Phil Sutter ---- - iptables/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/iptables/Makefile.am b/iptables/Makefile.am -index dc66b3cc09c08..2024dbf5cb88c 100644 ---- a/iptables/Makefile.am -+++ b/iptables/Makefile.am -@@ -56,7 +56,7 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ - ip6tables-save.8 iptables-extensions.8 \ - iptables-apply.8 ip6tables-apply.8 - --sbin_SCRIPT = iptables-apply -+sbin_SCRIPTS = iptables-apply - - if ENABLE_NFTABLES - man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ --- -2.27.0 - diff --git a/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch b/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch deleted file mode 100644 index 1bdbbd1..0000000 --- a/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 6e8f0c61f4c9abc2836d772fca97ff0d84c03360 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= -Date: Wed, 14 Nov 2018 07:35:28 +0100 -Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") -introduced support for gcc feature to check format string against passed -argument. This commit adds missing bits to extenstions's libipt_icmp.c -and libip6t_icmp6.c that were causing build to fail. - -Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") -Signed-off-by: Adam Gołębiowski -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Phil Sutter ---- - extensions/libip6t_icmp6.c | 4 ++-- - extensions/libipt_icmp.c | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c -index 45a71875722c4..cc7bfaeb72fd7 100644 ---- a/extensions/libip6t_icmp6.c -+++ b/extensions/libip6t_icmp6.c -@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, - type_name = icmp6_type_xlate(icmptype); - - if (type_name) { -- xt_xlate_add(xl, type_name); -+ xt_xlate_add(xl, "%s", type_name); - } else { - for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i) - if (icmpv6_codes[i].type == icmptype && -@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, - break; - - if (i != ARRAY_SIZE(icmpv6_codes)) -- xt_xlate_add(xl, icmpv6_codes[i].name); -+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name); - else - return 0; - } -diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c -index 5418997668d4c..e76257c54708c 100644 ---- a/extensions/libipt_icmp.c -+++ b/extensions/libipt_icmp.c -@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, - if (icmp_codes[i].type == 
icmptype && - icmp_codes[i].code_min == code_min && - icmp_codes[i].code_max == code_max) { -- xt_xlate_add(xl, icmp_codes[i].name); -+ xt_xlate_add(xl, "%s", icmp_codes[i].name); - return 1; - } - } --- -2.21.0 - diff --git a/0002-xtables-translate-don-t-fail-if-help-was-requested.patch b/0002-xtables-translate-don-t-fail-if-help-was-requested.patch deleted file mode 100644 index 4fcb549..0000000 --- a/0002-xtables-translate-don-t-fail-if-help-was-requested.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 51730adbe90a17e0d86d5adcab30040fa7e751ed Mon Sep 17 00:00:00 2001 -From: Arturo Borrero Gonzalez -Date: Tue, 16 Jun 2020 11:20:42 +0200 -Subject: [PATCH] xtables-translate: don't fail if help was requested - -If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle -this case in do_command_xlate(). - -Before this patch, you would see: - - user@debian:~$ sudo iptables-translate -h - [..] - nft Unsupported command? - user@debian:~$ echo $? - 1 - -After this patch: - - user@debian:~$ sudo iptables-translate -h - [..] - user@debian:~$ echo $? - 0 - -Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts") -Acked-by: Phil Sutter -Signed-off-by: Arturo Borrero Gonzalez -(cherry picked from commit 2757c0b5e5fbbf569695469b331453cecefdf069) -Signed-off-by: Phil Sutter ---- - iptables/xtables-translate.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c -index 5aa42496b5a48..363c8be15b3fa 100644 ---- a/iptables/xtables-translate.c -+++ b/iptables/xtables-translate.c -@@ -249,7 +249,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[], - - cs.restore = restore; - -- if (!restore) -+ if (!restore && p.command != CMD_NONE) - printf("nft "); - - switch (p.command) { -@@ -310,6 +310,9 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[], - break; - case CMD_SET_POLICY: - break; -+ case CMD_NONE: -+ ret = 1; -+ break; - default: - /* We should never reach this... */ - printf("Unsupported command?\n"); --- -2.27.0 - diff --git a/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch b/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch deleted file mode 100644 index abe95fe..0000000 --- a/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From eacefb728885b5dc51036181de83b2df309d4e6b Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 29 Jul 2020 15:39:31 +0200 -Subject: [PATCH] nft: cache: Check consistency with NFT_CL_FAKE, too - -Athough this cache level fetches table names only, it shouldn't skip the -consistency check. - -Fixes: f42bfb344af82 ("nft: cache: Re-establish cache consistency check") -Signed-off-by: Phil Sutter -(cherry picked from commit b531365ce32f386d91c6a0bbc80ec4076e4babdd) -Signed-off-by: Phil Sutter ---- - iptables/nft-cache.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c -index 638b18bc7e382..434cc10b82ce7 100644 ---- a/iptables/nft-cache.c -+++ b/iptables/nft-cache.c -@@ -511,14 +511,14 @@ retry: - if (req->level >= NFT_CL_TABLES) - fetch_table_cache(h); - if (req->level == NFT_CL_FAKE) -- return; -+ goto genid_check; - if (req->level >= NFT_CL_CHAINS) - fetch_chain_cache(h, t, chains); - if (req->level >= NFT_CL_SETS) - fetch_set_cache(h, t, NULL); - if (req->level >= NFT_CL_RULES) - fetch_rule_cache(h, t); -- -+genid_check: - mnl_genid_get(h, &genid_check); - if (h->nft_genid != genid_check) { - flush_cache(h, h->cache, NULL); --- -2.27.0 - diff --git a/0004-nft-Fix-command-name-in-ip6tables-error-message.patch b/0004-nft-Fix-command-name-in-ip6tables-error-message.patch deleted file mode 100644 index b9a83f6..0000000 --- a/0004-nft-Fix-command-name-in-ip6tables-error-message.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From dac3434e2e7ea297a3886c662d558305b460670b Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 7 Aug 2020 13:48:28 +0200 -Subject: [PATCH] nft: Fix command name in ip6tables error message - -Upon errors, ip6tables-nft would prefix its error messages with -'iptables:' instead of 'ip6tables:'. Turns out the command name was -hard-coded, use 'progname' variable instead. -While being at it, merge the two mostly identical fprintf() calls into -one. - -Signed-off-by: Phil Sutter -Acked-by: Pablo Neira Ayuso -(cherry picked from commit 3be40dcfb5af1438b6abdbda45a1e3b59c104e13) -Signed-off-by: Phil Sutter ---- - iptables/xtables-standalone.c | 12 ++++-------- - 1 file changed, 4 insertions(+), 8 deletions(-) - -diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c -index dd6fb7919d2e1..7b71db62f1ea6 100644 ---- a/iptables/xtables-standalone.c -+++ b/iptables/xtables-standalone.c -@@ -75,14 +75,10 @@ xtables_main(int family, const char *progname, int argc, char *argv[]) - xtables_fini(); - - if (!ret) { -- if (errno == EINVAL) { -- fprintf(stderr, "iptables: %s. " -- "Run `dmesg' for more information.\n", -- nft_strerror(errno)); -- } else { -- fprintf(stderr, "iptables: %s.\n", -- nft_strerror(errno)); -- } -+ fprintf(stderr, "%s: %s.%s\n", progname, nft_strerror(errno), -+ (errno == EINVAL ? -+ " Run `dmesg' for more information." : "")); -+ - if (errno == EAGAIN) - exit(RESOURCE_PROBLEM); - } --- -2.27.0 - diff --git a/iptables.spec b/iptables.spec index 42ce8c2..21cd8f1 100644 --- a/iptables.spec +++ b/iptables.spec @@ -18,8 +18,8 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: http://www.netfilter.org/projects/iptables -Version: 1.8.5 -Release: 3%{?dist} +Version: 1.8.6 +Release: 1%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config 
@@ -32,11 +32,6 @@ Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
 Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 %endif
 
-Patch1: 0001-build-resolve-iptables-apply-not-getting-installed.patch
-Patch2: 0002-xtables-translate-don-t-fail-if-help-was-requested.patch
-Patch3: 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
-Patch4: 0004-nft-Fix-command-name-in-ip6tables-error-message.patch
-
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
 License: GPLv2 and Artistic Licence 2.0 and ISC
@@ -448,6 +443,9 @@ fi
 %changelog
+* Sat Oct 31 2020 Kevin Fenzi - 1.8.6-1
+- Update to 1.8.6. Fixes bug #1893453
+
 * Tue Aug 25 15:56:10 GMT 2020 Phil Sutter - 1.8.5-3
 - nft: cache: Check consistency with NFT_CL_FAKE, too
 - nft: Fix command name in ip6tables error message
diff --git a/sources b/sources
index a7e9f94..ece3ae2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (iptables-1.8.5.tar.bz2) = 6a6baa541bb7aa331b176e0a91894e0766859814b59e77c71351ac34d6ebd337487981db48c70e476a48c67bcf891cfc663221a7582feb1496ad1df56eb28da8
+SHA512 (iptables-1.8.6.tar.bz2) = d06e4cddb69822c4618664a35877fc5811992936cade2040bb0e4eb25a4d879eadc7c84401c40fb39ffac7888568505adcb1cfe995cd166a15c702237daf6acf
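Review bot: The `Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch` context line kept at the top of the first hunk still names a file that this same commit deletes (the diffstat and the `delete mode 100644 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch` entry in the header), so a build that takes the enclosing `%if` branch — its condition sits above the hunk and is not visible here — would fail with a missing source. That patch apparently targets the `%{version_old}` tarball fetched as Source7 rather than the new 1.8.6 tree, so dropping it is not implied by the version bump; either restore the file or remove the `Source8:` line together with whatever `%patch`/`patch` step consumes it. The changelog entry also gives no hint that the four `Patch1`–`Patch4` backports were removed because they are upstream in 1.8.6; a line such as `- Drop patches merged upstream in 1.8.6` would let a reader tell they were folded in rather than lost.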