Update to 1.8.6. Fixes bug #1893453
This commit is contained in:
Kevin Fenzi
parent
fb677ca83c
commit
730c58d404
1
.gitignore
vendored
1
.gitignore
vendored
@ -4,3 +4,4 @@
|
||||
/iptables-1.8.3.tar.bz2
|
||||
/iptables-1.8.4.tar.bz2
|
||||
/iptables-1.8.5.tar.bz2
|
||||
/iptables-1.8.6.tar.bz2
|
||||
|
||||
@ -1,42 +0,0 @@
|
||||
From 55bb60d8ae717d3bc1cfdd6203604a18f30eb3c3 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Engelhardt <jengelh@inai.de>
|
||||
Date: Wed, 3 Jun 2020 15:38:48 +0200
|
||||
Subject: [PATCH] build: resolve iptables-apply not getting installed
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
ip6tables-apply gets installed but iptables-apply does not.
|
||||
That is wrong.
|
||||
|
||||
» make install DESTDIR=$PWD/r
|
||||
» find r -name "*app*"
|
||||
r/usr/local/sbin/ip6tables-apply
|
||||
r/usr/local/share/man/man8/iptables-apply.8
|
||||
r/usr/local/share/man/man8/ip6tables-apply.8
|
||||
|
||||
Fixes: v1.8.5~87
|
||||
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit d4ed0c741fc789bb09d977d74d30875fdd50d08b)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/Makefile.am | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
|
||||
index dc66b3cc09c08..2024dbf5cb88c 100644
|
||||
--- a/iptables/Makefile.am
|
||||
+++ b/iptables/Makefile.am
|
||||
@@ -56,7 +56,7 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
|
||||
ip6tables-save.8 iptables-extensions.8 \
|
||||
iptables-apply.8 ip6tables-apply.8
|
||||
|
||||
-sbin_SCRIPT = iptables-apply
|
||||
+sbin_SCRIPTS = iptables-apply
|
||||
|
||||
if ENABLE_NFTABLES
|
||||
man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,60 +0,0 @@
|
||||
From 6e8f0c61f4c9abc2836d772fca97ff0d84c03360 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
|
||||
Date: Wed, 14 Nov 2018 07:35:28 +0100
|
||||
Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
|
||||
introduced support for gcc feature to check format string against passed
|
||||
argument. This commit adds missing bits to extenstions's libipt_icmp.c
|
||||
and libip6t_icmp6.c that were causing build to fail.
|
||||
|
||||
Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
|
||||
Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
extensions/libip6t_icmp6.c | 4 ++--
|
||||
extensions/libipt_icmp.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
|
||||
index 45a71875722c4..cc7bfaeb72fd7 100644
|
||||
--- a/extensions/libip6t_icmp6.c
|
||||
+++ b/extensions/libip6t_icmp6.c
|
||||
@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
|
||||
type_name = icmp6_type_xlate(icmptype);
|
||||
|
||||
if (type_name) {
|
||||
- xt_xlate_add(xl, type_name);
|
||||
+ xt_xlate_add(xl, "%s", type_name);
|
||||
} else {
|
||||
for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
|
||||
if (icmpv6_codes[i].type == icmptype &&
|
||||
@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
|
||||
break;
|
||||
|
||||
if (i != ARRAY_SIZE(icmpv6_codes))
|
||||
- xt_xlate_add(xl, icmpv6_codes[i].name);
|
||||
+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
|
||||
else
|
||||
return 0;
|
||||
}
|
||||
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
|
||||
index 5418997668d4c..e76257c54708c 100644
|
||||
--- a/extensions/libipt_icmp.c
|
||||
+++ b/extensions/libipt_icmp.c
|
||||
@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
|
||||
if (icmp_codes[i].type == icmptype &&
|
||||
icmp_codes[i].code_min == code_min &&
|
||||
icmp_codes[i].code_max == code_max) {
|
||||
- xt_xlate_add(xl, icmp_codes[i].name);
|
||||
+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
||||
@ -1,58 +0,0 @@
|
||||
From 51730adbe90a17e0d86d5adcab30040fa7e751ed Mon Sep 17 00:00:00 2001
|
||||
From: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
||||
Date: Tue, 16 Jun 2020 11:20:42 +0200
|
||||
Subject: [PATCH] xtables-translate: don't fail if help was requested
|
||||
|
||||
If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle
|
||||
this case in do_command_xlate().
|
||||
|
||||
Before this patch, you would see:
|
||||
|
||||
user@debian:~$ sudo iptables-translate -h
|
||||
[..]
|
||||
nft Unsupported command?
|
||||
user@debian:~$ echo $?
|
||||
1
|
||||
|
||||
After this patch:
|
||||
|
||||
user@debian:~$ sudo iptables-translate -h
|
||||
[..]
|
||||
user@debian:~$ echo $?
|
||||
0
|
||||
|
||||
Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts")
|
||||
Acked-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
||||
(cherry picked from commit 2757c0b5e5fbbf569695469b331453cecefdf069)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/xtables-translate.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
|
||||
index 5aa42496b5a48..363c8be15b3fa 100644
|
||||
--- a/iptables/xtables-translate.c
|
||||
+++ b/iptables/xtables-translate.c
|
||||
@@ -249,7 +249,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
|
||||
|
||||
cs.restore = restore;
|
||||
|
||||
- if (!restore)
|
||||
+ if (!restore && p.command != CMD_NONE)
|
||||
printf("nft ");
|
||||
|
||||
switch (p.command) {
|
||||
@@ -310,6 +310,9 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
|
||||
break;
|
||||
case CMD_SET_POLICY:
|
||||
break;
|
||||
+ case CMD_NONE:
|
||||
+ ret = 1;
|
||||
+ break;
|
||||
default:
|
||||
/* We should never reach this... */
|
||||
printf("Unsupported command?\n");
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From eacefb728885b5dc51036181de83b2df309d4e6b Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 29 Jul 2020 15:39:31 +0200
|
||||
Subject: [PATCH] nft: cache: Check consistency with NFT_CL_FAKE, too
|
||||
|
||||
Athough this cache level fetches table names only, it shouldn't skip the
|
||||
consistency check.
|
||||
|
||||
Fixes: f42bfb344af82 ("nft: cache: Re-establish cache consistency check")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit b531365ce32f386d91c6a0bbc80ec4076e4babdd)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/nft-cache.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||||
index 638b18bc7e382..434cc10b82ce7 100644
|
||||
--- a/iptables/nft-cache.c
|
||||
+++ b/iptables/nft-cache.c
|
||||
@@ -511,14 +511,14 @@ retry:
|
||||
if (req->level >= NFT_CL_TABLES)
|
||||
fetch_table_cache(h);
|
||||
if (req->level == NFT_CL_FAKE)
|
||||
- return;
|
||||
+ goto genid_check;
|
||||
if (req->level >= NFT_CL_CHAINS)
|
||||
fetch_chain_cache(h, t, chains);
|
||||
if (req->level >= NFT_CL_SETS)
|
||||
fetch_set_cache(h, t, NULL);
|
||||
if (req->level >= NFT_CL_RULES)
|
||||
fetch_rule_cache(h, t);
|
||||
-
|
||||
+genid_check:
|
||||
mnl_genid_get(h, &genid_check);
|
||||
if (h->nft_genid != genid_check) {
|
||||
flush_cache(h, h->cache, NULL);
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -1,45 +0,0 @@
|
||||
From dac3434e2e7ea297a3886c662d558305b460670b Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 7 Aug 2020 13:48:28 +0200
|
||||
Subject: [PATCH] nft: Fix command name in ip6tables error message
|
||||
|
||||
Upon errors, ip6tables-nft would prefix its error messages with
|
||||
'iptables:' instead of 'ip6tables:'. Turns out the command name was
|
||||
hard-coded, use 'progname' variable instead.
|
||||
While being at it, merge the two mostly identical fprintf() calls into
|
||||
one.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 3be40dcfb5af1438b6abdbda45a1e3b59c104e13)
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
iptables/xtables-standalone.c | 12 ++++--------
|
||||
1 file changed, 4 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
|
||||
index dd6fb7919d2e1..7b71db62f1ea6 100644
|
||||
--- a/iptables/xtables-standalone.c
|
||||
+++ b/iptables/xtables-standalone.c
|
||||
@@ -75,14 +75,10 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
|
||||
xtables_fini();
|
||||
|
||||
if (!ret) {
|
||||
- if (errno == EINVAL) {
|
||||
- fprintf(stderr, "iptables: %s. "
|
||||
- "Run `dmesg' for more information.\n",
|
||||
- nft_strerror(errno));
|
||||
- } else {
|
||||
- fprintf(stderr, "iptables: %s.\n",
|
||||
- nft_strerror(errno));
|
||||
- }
|
||||
+ fprintf(stderr, "%s: %s.%s\n", progname, nft_strerror(errno),
|
||||
+ (errno == EINVAL ?
|
||||
+ " Run `dmesg' for more information." : ""));
|
||||
+
|
||||
if (errno == EAGAIN)
|
||||
exit(RESOURCE_PROBLEM);
|
||||
}
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -18,8 +18,8 @@
|
||||
Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: http://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.5
|
||||
Release: 3%{?dist}
|
||||
Version: 1.8.6
|
||||
Release: 1%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
@ -32,11 +32,6 @@ Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
|
||||
Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
|
||||
%endif
|
||||
|
||||
Patch1: 0001-build-resolve-iptables-apply-not-getting-installed.patch
|
||||
Patch2: 0002-xtables-translate-don-t-fail-if-help-was-requested.patch
|
||||
Patch3: 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
|
||||
Patch4: 0004-nft-Fix-command-name-in-ip6tables-error-message.patch
|
||||
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic Licence 2.0
|
||||
License: GPLv2 and Artistic Licence 2.0 and ISC
|
||||
@ -448,6 +443,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.8.6-1
|
||||
- Update to 1.8.6. Fixes bug #1893453
|
||||
|
||||
* Tue Aug 25 15:56:10 GMT 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3
|
||||
- nft: cache: Check consistency with NFT_CL_FAKE, too
|
||||
- nft: Fix command name in ip6tables error message
|
||||
|
||||
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (iptables-1.8.5.tar.bz2) = 6a6baa541bb7aa331b176e0a91894e0766859814b59e77c71351ac34d6ebd337487981db48c70e476a48c67bcf891cfc663221a7582feb1496ad1df56eb28da8
|
||||
SHA512 (iptables-1.8.6.tar.bz2) = d06e4cddb69822c4618664a35877fc5811992936cade2040bb0e4eb25a4d879eadc7c84401c40fb39ffac7888568505adcb1cfe995cd166a15c702237daf6acf
|
||||
|
||||
Loading…
Reference in New Issue
Block a user