From 95a0be6c84b5da7d2a87c4b8336aff414b41bf3a Mon Sep 17 00:00:00 2001 
From: Phil Sutter Date: Wed, 3 Jul 2024 16:30:13 +0200 Subject: [PATCH] iptables-1.8.10-9.el10 * Wed Jul 03 2024 Phil Sutter [1.8.10-9.el10] - Sync with RHEL9 package (Phil Sutter) --- ...ion-notices-to-all-relevant-man-page.patch | 336 ++++++++++++++++++ ...another-segfault-due-to-chain-index-.patch | 81 ----- ...bles-nft-remove-ARPT_INV-flags-usage.patch | 81 ----- ...RK-Use-a-better-context-in-test-case.patch | 28 ++ ...-Fix-corner-case-noflush-restore-bug.patch | 34 +- ...t-Fix-for-broken-recover_rule_compat.patch | 99 ++++++ ...-struct-xt_cmd_parse-xlate-is-unused.patch | 42 --- ...sions-libxt_sctp-Add-an-extra-assert.patch | 43 +++ ...ants-support-v-update-OPTSTRING_COMM.patch | 31 -- ...n-line-number-formatting-with-legacy.patch | 28 -- ...-man-Do-not-escape-exclamation-marks.patch | 44 --- ...ions-Fix-for-non-CIDR-compatible-hos.patch | 49 --- ...egacy-Fix-for-mandatory-lock-waiting.patch | 114 ------ ...ions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch | 40 --- arptables.service | 12 + ebtables-config | 11 + ebtables-helper | 104 ++++++ ebtables.service | 11 + gating.yaml | 7 + iptables-test.stderr.expect | 35 ++ iptables.spec | 213 ++++++----- 21 files changed, 839 insertions(+), 604 deletions(-) create mode 100644 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch delete mode 100644 0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch delete mode 100644 0002-arptables-nft-remove-ARPT_INV-flags-usage.patch create mode 100644 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch create mode 100644 0004-nft-Fix-for-broken-recover_rule_compat.patch delete mode 100644 0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch create mode 100644 0005-extensions-libxt_sctp-Add-an-extra-assert.patch delete mode 100644 0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch delete mode 100644 0006-ebtables-Align-line-number-formatting-with-legacy.patch delete mode 100644 0007-man-Do-not-escape-exclamation-marks.patch delete mode 
100644 0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch delete mode 100644 0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch delete mode 100644 0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch create mode 100644 arptables.service create mode 100644 ebtables-config create mode 100644 ebtables-helper create mode 100644 ebtables.service create mode 100644 gating.yaml create mode 100644 iptables-test.stderr.expect diff --git a/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch b/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch new file mode 100644 index 0000000..07221d2 --- /dev/null +++ b/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch 
@@ -0,0 +1,336 @@ +From 2abc07c47189b26fce16f4751a96f747fa53fc0f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 17 Jun 2021 18:44:28 +0200 +Subject: [PATCH] doc: Add deprecation notices to all relevant man pages + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945151 +Upstream Status: RHEL-only + +This is RHEL9 trying to friendly kick people towards nftables. + +Signed-off-by: Phil Sutter +--- + iptables/arptables-nft-restore.8 | 13 ++++++++++++- + iptables/arptables-nft-save.8 | 14 +++++++++++++- + iptables/arptables-nft.8 | 19 ++++++++++++++++++- + iptables/ebtables-nft.8 | 15 ++++++++++++++- + iptables/iptables-apply.8.in | 14 +++++++++++++- + iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++ + iptables/iptables-restore.8.in | 17 ++++++++++++++++- + iptables/iptables-save.8.in | 15 ++++++++++++++- + iptables/iptables.8.in | 17 +++++++++++++++++ + iptables/xtables-monitor.8.in | 11 +++++++++++ + 10 files changed, 142 insertions(+), 7 deletions(-) + +diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 +index 09d9082..b1bf029 100644 +--- a/iptables/arptables-nft-restore.8 ++++ b/iptables/arptables-nft-restore.8 +@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based) + .SH SYNOPSIS + \fBarptables\-restore + .SH DESCRIPTION ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. + .PP + .B arptables-restore + is used to restore ARP Tables from data specified on STDIN or +@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table. 
+ .SH AUTHOR + Jesper Dangaard Brouer + .SH SEE ALSO +-\fBarptables\-save\fP(8), \fBarptables\fP(8) ++\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8) + .PP +diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8 +index 905e598..49bb0f6 100644 +--- a/iptables/arptables-nft-save.8 ++++ b/iptables/arptables-nft-save.8 +@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based) + \fBarptables\-save\fP [\fB\-V\fP] + .SH DESCRIPTION + .PP ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + .B arptables-save + is used to dump the contents of an ARP Table in easily parseable format + to STDOUT. Use I/O-redirection provided by your shell to write to a file. +@@ -43,5 +55,5 @@ Print version information and exit. + .SH AUTHOR + Jesper Dangaard Brouer + .SH SEE ALSO +-\fBarptables\-restore\fP(8), \fBarptables\fP(8) ++\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8) + .PP +diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 +index ea31e08..ec5b993 100644 +--- a/iptables/arptables-nft.8 ++++ b/iptables/arptables-nft.8 +@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based) + .BR "arptables " [ "-t table" ] " -P chain target " [ options ] + + .SH DESCRIPTION ++.PP ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + .B arptables + is a user space tool, it is used to set up and maintain the + tables of ARP rules in the Linux kernel. 
These rules inspect +@@ -340,9 +353,13 @@ bridges, the same may be achieved using + chain in + .BR ebtables . + ++This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and ++will not receive new features. New setups should use \fBnft\fP(8). Existing ++setups should migrate to \fBnft\fP(8) when possible. ++ + .SH MAILINGLISTS + .BR "" "See " http://netfilter.org/mailinglists.html + .SH SEE ALSO +-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8) ++.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8) + .PP + .BR "" "See " https://wiki.nftables.org +diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 +index 0304b50..cfd617a 100644 +--- a/iptables/ebtables-nft.8 ++++ b/iptables/ebtables-nft.8 +@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based) + .br + + .SH DESCRIPTION ++.PP ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + .B ebtables + is an application program used to set up and maintain the + tables of rules (inside the Linux kernel) that inspect +@@ -1083,6 +1096,6 @@ has not been implemented, although + might replace them entirely given the inherent atomicity of nftables. + Finally, this list is probably not complete. 
+ .SH SEE ALSO +-.BR xtables-nft "(8), " iptables "(8), " ip (8) ++.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8) + .PP + .BR "" "See " https://wiki.nftables.org +diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in +index f0ed4e5..7f99a21 100644 +--- a/iptables/iptables-apply.8.in ++++ b/iptables/iptables-apply.8.in +@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely + \fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP + .SH "DESCRIPTION" + .PP ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + iptables\-apply will try to apply a new rulesfile (as output by + iptables-save, read by iptables-restore) or run a command to configure + iptables and then prompt the user whether the changes are okay. If the +@@ -47,7 +59,7 @@ Display usage information. + Display version information. + .SH "SEE ALSO" + .PP +-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8). ++\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8). + .SH LEGALESE + .PP + Original iptables-apply - Copyright 2006 Martin F. Krafft . +diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in +index 99d89a1..73d40bb 100644 +--- a/iptables/iptables-extensions.8.tmpl.in ++++ b/iptables/iptables-extensions.8.tmpl.in +@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio + .PP + \fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]] + [\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...] ++.SH DESCRIPTION ++These tools are ++.B deprecated ++in Red Hat Enterprise Linux. 
They are maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. There is also ++.BR iptables\-translate (8)/ ip6tables\-translate (8) ++to help with the migration. + .SH MATCH EXTENSIONS + iptables can use extended packet matching modules + with the \fB\-m\fP or \fB\-\-match\fP +diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in +index aa816f7..353d4dc 100644 +--- a/iptables/iptables-restore.8.in ++++ b/iptables/iptables-restore.8.in +@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables + [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP] + [\fIfile\fP] + .SH DESCRIPTION ++These tools are ++.B deprecated ++in Red Hat Enterprise Linux. They are maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. There is also ++.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8) ++to help with the migration. + .PP + .B iptables-restore + and +@@ -82,7 +95,9 @@ from Rusty Russell. + .br + Andras Kis-Szabo contributed ip6tables-restore. 
+ .SH SEE ALSO +-\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8) ++\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8), ++\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8), ++\fBip6tables\-restore\-translate\fP(8) + .PP + The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, + which details NAT, and the netfilter-hacking-HOWTO which details the +diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in +index 65c1f28..d47be27 100644 +--- a/iptables/iptables-save.8.in ++++ b/iptables/iptables-save.8.in +@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules + [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP] + .SH DESCRIPTION + .PP ++These tools are ++.B deprecated ++in Red Hat Enterprise Linux. They are maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. ++.PP + .B iptables-save + and + .B ip6tables-save +@@ -66,7 +78,8 @@ Rusty Russell + .br + Andras Kis-Szabo contributed ip6tables-save. + .SH SEE ALSO +-\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8) ++\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8), ++\fBnft\fP(8) + .PP + The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, + which details NAT, and the netfilter-hacking-HOWTO which details the +diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in +index ecaa555..4c4a15a 100644 +--- a/iptables/iptables.8.in ++++ b/iptables/iptables.8.in +@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP] + .PP + target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP] + .SH DESCRIPTION ++These tools are ++.B deprecated ++in Red Hat Enterprise Linux. They are maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). 
++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. There is also ++.BR iptables\-translate (8)/ ip6tables\-translate (8) ++to help with the migration. ++.PP + \fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the + tables of IPv4 and IPv6 packet + filter rules in the Linux kernel. Several different tables +@@ -455,6 +469,9 @@ There are several other changes in iptables. + \fBiptables\-save\fP(8), + \fBiptables\-restore\fP(8), + \fBiptables\-extensions\fP(8), ++\fBnft\fP(8), ++\fBiptables\-translate\fP(8), ++\fBip6tables\-translate\fP(8) + .PP + The packet-filtering-HOWTO details iptables usage for + packet filtering, the NAT-HOWTO details NAT, +diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in +index a7f22c0..e21d7ff 100644 +--- a/iptables/xtables-monitor.8.in ++++ b/iptables/xtables-monitor.8.in +@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events + .PP + \ + .SH DESCRIPTION ++This tool is ++.B deprecated ++in Red Hat Enterprise Linux. It is maintenance only and will not receive new ++features. New setups should use ++.BR nft (8). ++Existing setups should migrate to ++.BR nft (8) ++when possible. See ++.UR https://red.ht/nft_your_tables ++.UE ++for details. + .PP + .B xtables-monitor + is used to monitor changes to the ruleset or to show rule evaluation events diff --git a/0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch b/0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch deleted file mode 100644 index 35b5973..0000000 --- a/0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 88d7c7c51b4523add8b7d48209b5b6a316442e0f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 12 Oct 2023 17:27:42 +0200 -Subject: [PATCH] libiptc: Fix for another segfault due to chain index NULL - pointer - -Chain rename code missed to adjust the num_chains value which is used to -calculate the number of chain index buckets to allocate during an index -rebuild. So with the right number of chains present, the last chain in a -middle bucket being renamed (and ending up in another bucket) triggers -an index rebuild based on false data. The resulting NULL pointer index -bucket then causes a segfault upon reinsertion. - -Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713 -Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc") -(cherry picked from commit e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620) ---- - .../testcases/chain/0008rename-segfault2_0 | 32 +++++++++++++++++++ - libiptc/libiptc.c | 4 +++ - 2 files changed, 36 insertions(+) - create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0 - -diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 -new file mode 100755 -index 0000000000000..bc473d2511bbd ---- /dev/null -+++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 -@@ -0,0 +1,32 @@ -+#!/bin/bash -+# -+# Another funny rename bug in libiptc: -+# If there is a chain index bucket with only a single chain in it and it is not -+# the last one and that chain is renamed, a chain index rebuild is triggered. -+# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an -+# extra index is allocated and remains NULL. The following insert of renamed -+# chain then segfaults. 
-+ -+( -+ echo "*filter" -+ # first bucket -+ for ((i = 0; i < 40; i++)); do -+ echo ":chain-a-$i - [0:0]" -+ done -+ # second bucket -+ for ((i = 0; i < 40; i++)); do -+ echo ":chain-b-$i - [0:0]" -+ done -+ # third bucket, just make sure it exists -+ echo ":chain-c-0 - [0:0]" -+ echo "COMMIT" -+) | $XT_MULTI iptables-restore -+ -+# rename all chains of the middle bucket -+( -+ echo "*filter" -+ for ((i = 0; i < 40; i++)); do -+ echo "-E chain-b-$i chain-d-$i" -+ done -+ echo "COMMIT" -+) | $XT_MULTI iptables-restore --noflush -diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c -index e475063367c26..9712a36353b9a 100644 ---- a/libiptc/libiptc.c -+++ b/libiptc/libiptc.c -@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname, - return 0; - } - -+ handle->num_chains--; -+ - /* This only unlinks "c" from the list, thus no free(c) */ - iptcc_chain_index_delete_chain(c, handle); - - /* Change the name of the chain */ - strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1); - -+ handle->num_chains++; -+ - /* Insert sorted into to list again */ - iptc_insert_chain(handle, c); - diff --git a/0002-arptables-nft-remove-ARPT_INV-flags-usage.patch b/0002-arptables-nft-remove-ARPT_INV-flags-usage.patch deleted file mode 100644 index c384e4b..0000000 --- a/0002-arptables-nft-remove-ARPT_INV-flags-usage.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Fri, 3 Nov 2023 17:33:22 +0100 -Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage - -ARPT_ and IPT_INV flags are not interchangeable, e.g.: -define IPT_INV_SRCDEVADDR 0x0080 -define ARPT_INV_SRCDEVADDR 0x0010 - -as these flags can be tested by libarp_foo.so such checks can yield -incorrect results. - -Because arptables-nft uses existing code, e.g. xt_mark, it makes -sense to unify this completely by converting the last users of -ARPT_INV_ constants. - -Note that arptables-legacy does not do run-time module loading via -dlopen(). Functionaliy implemented by "extensions" in the -arptables-legacy git tree are built-in, so this doesn't break -arptables-legacy binaries. - -Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*") -Signed-off-by: Florian Westphal -Signed-off-by: Phil Sutter -(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68) ---- - extensions/libarpt_mangle.c | 4 ++-- - iptables/nft-arp.c | 2 +- - iptables/xshared.h | 4 +++- - 3 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c -index 765edf34781f3..a846e97ec8f27 100644 ---- a/extensions/libarpt_mangle.c -+++ b/extensions/libarpt_mangle.c -@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags, - if (e->arp.arhln_mask == 0) - xtables_error(PARAMETER_PROBLEM, - "no --h-length defined"); -- if (e->arp.invflags & ARPT_INV_ARPHLN) -+ if (e->arp.invflags & IPT_INV_ARPHLN) - xtables_error(PARAMETER_PROBLEM, - "! --h-length not allowed for " - "--mangle-mac-s"); -@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags, - if (e->arp.arhln_mask == 0) - xtables_error(PARAMETER_PROBLEM, - "no --h-length defined"); -- if (e->arp.invflags & ARPT_INV_ARPHLN) -+ if (e->arp.invflags & IPT_INV_ARPHLN) - xtables_error(PARAMETER_PROBLEM, - "! 
hln not allowed for --mangle-mac-d"); - if (e->arp.arhln != 6) -diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c -index aed39ebdd5166..535dd6b83237b 100644 ---- a/iptables/nft-arp.c -+++ b/iptables/nft-arp.c -@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command, - &args->d.naddrs); - - if ((args->s.naddrs > 1 || args->d.naddrs > 1) && -- (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP))) -+ (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) - xtables_error(PARAMETER_PROBLEM, - "! not allowed with multiple" - " source or destination IP addresses"); -diff --git a/iptables/xshared.h b/iptables/xshared.h -index a200e0d620ad3..5586385456a4d 100644 ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -80,7 +80,9 @@ struct xtables_target; - #define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */ - #define EBT_OPTSTRING OPTSTRING_COMMON "hv" - --/* define invflags which won't collide with IPT ones */ -+/* define invflags which won't collide with IPT ones. -+ * arptables-nft does NOT use the legacy ARPT_INV_* defines. -+ */ - #define IPT_INV_SRCDEVADDR 0x0080 - #define IPT_INV_TGTDEVADDR 0x0100 - #define IPT_INV_ARPHLN 0x0200 diff --git a/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch b/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch new file mode 100644 index 0000000..5086dc5 --- /dev/null +++ b/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch 
@@ -0,0 +1,28 @@ +From 4388fad6c3874a3861907734f9a6368cfd0a731c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 16 Jul 2021 21:51:49 +0200 +Subject: [PATCH] extensions: SECMARK: Use a better context in test case + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047558 +Upstream Status: RHEL-only + +RHEL SELinux policies don't allow setting +system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has +'packet_type' attribute (identified via +'seinfo -xt | grep packet_type'). + +Signed-off-by: Phil Sutter +--- + extensions/libxt_SECMARK.t | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t +index 39d4c09..295e7a7 100644 +--- a/extensions/libxt_SECMARK.t ++++ b/extensions/libxt_SECMARK.t +@@ -1,4 +1,4 @@ + :INPUT,FORWARD,OUTPUT + *security +--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK ++-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK + -j SECMARK;;FAIL diff --git a/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch b/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch index 3386925..9b28f86 100644 --- a/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch +++ b/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch 
@@ -1,16 +1,26 @@ -From b7051898e28854b21bc7a37ef24ca037ef977e4a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 7 Nov 2023 19:12:14 +0100 +From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 7 Nov 2023 23:44:55 +0100 Subject: [PATCH] ebtables: Fix corner-case noflush restore bug -Report came from firwalld, but this is actually rather hard to trigger. -Since a regular chain line prevents it, typical dump/restore use-cases -are unaffected. +JIRA: https://issues.redhat.com/browse/RHEL-14147 +Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8 -Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation") -Cc: Eric Garver -Signed-off-by: Phil Sutter -(cherry picked from commit c1083acea70787eea3f7929fd04718434bb05ba8) +commit c1083acea70787eea3f7929fd04718434bb05ba8 +Author: Phil Sutter +Date: Tue Nov 7 19:12:14 2023 +0100 + + ebtables: Fix corner-case noflush restore bug + + Report came from firwalld, but this is actually rather hard to trigger. + Since a regular chain line prevents it, typical dump/restore use-cases + are unaffected. + + Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation") + Cc: Eric Garver + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter --- .../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++ iptables/xtables-eb.c | 2 ++ @@ -19,7 +29,7 @@ Signed-off-by: Phil Sutter diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 new file mode 100755 -index 0000000000000..0def0ac58e7be +index 0000000..0def0ac --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 @@ -0,0 +1,25 @@ @@ -49,7 +59,7 @@ index 0000000000000..0def0ac58e7be +COMMIT +EOF diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c -index 08eec79d80400..a8ad57c735cc5 100644 +index 08eec79..a8ad57c 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c 
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain) diff --git a/0004-nft-Fix-for-broken-recover_rule_compat.patch b/0004-nft-Fix-for-broken-recover_rule_compat.patch new file mode 100644 index 0000000..fb7e80e --- /dev/null +++ b/0004-nft-Fix-for-broken-recover_rule_compat.patch @@ -0,0 +1,99 @@ +From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 22 May 2024 18:26:58 +0200 +Subject: [PATCH] nft: Fix for broken recover_rule_compat() + +JIRA: https://issues.redhat.com/browse/RHEL-26619 +Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305 + +commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305 +Author: Phil Sutter +Date: Tue Feb 27 18:47:39 2024 +0100 + + nft: Fix for broken recover_rule_compat() + + When IPv4 rule generator was changed to emit payload instead of + meta expressions for l4proto matches, the code reinserting + NFTNL_RULE_COMPAT_* attributes into rules being reused for counter + zeroing was broken by accident. + + Make rule compat recovery aware of the alternative match, basically + reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules + with NFTA_RULE_COMPAT") but add a test case this time to make sure + things stay intact. + + Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol") + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + iptables/nft.c | 27 ++++++++++++++++--- + .../nft-only/0011-zero-needs-compat_0 | 12 +++++++++ + 2 files changed, 35 insertions(+), 4 deletions(-) + create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 + +diff --git a/iptables/nft.c b/iptables/nft.c +index 97fd4f4..c4caf29 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err) + return strerror(err); + } + ++static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp) ++{ ++ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME); ++ uint32_t poff = offsetof(struct iphdr, protocol); ++ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER; ++ ++ if (!strcmp(name, "payload") && ++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase && ++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff && ++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) { ++ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG); ++ return 0; ++ } ++ if (!strcmp(name, "meta") && ++ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) { ++ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG); ++ return 0; ++ } ++ return -1; ++} ++ + static int recover_rule_compat(struct nftnl_rule *r) + { + struct nftnl_expr_iter *iter; +@@ -3695,12 +3716,10 @@ next_expr: + if (!e) + goto out; + +- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) || +- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO) ++ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */ ++ if (l4proto_expr_get_dreg(e, ®) < 0) + goto next_expr; + +- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG); +- + e = nftnl_expr_iter_next(iter); + if (!e) + goto out; +diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 +new file mode 100755 +index 0000000..e276a95 +--- /dev/null ++++ 
b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 +@@ -0,0 +1,12 @@ ++#!/bin/bash ++ ++[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } ++ ++set -e ++ ++rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080" ++for cmd in iptables ip6tables; do ++ $XT_MULTI $cmd -t mangle -A PREROUTING $rule ++ $XT_MULTI $cmd -t mangle -Z ++ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}" ++done diff --git a/0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch b/0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch deleted file mode 100644 index 695e9f0..0000000 --- a/0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch +++ /dev/null 
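Review bot: `l4proto_expr_get_dreg()` in the embedded patch to iptables/nft.c has no header comment, and the two expression shapes it accepts are only hinted at by the one-line comment at its call site in recover_rule_compat(); a short comment above the function would help, e.g. `/* Recognise an l4proto load, either the 'ip protocol' payload form or 'meta l4proto', and store its destination register in *dregp; returns 0 on match, -1 otherwise. */`. The payload branch is keyed to offsetof(struct iphdr, protocol) under NFT_PAYLOAD_NETWORK_HEADER, so it only matches the IPv4 form; presumably ip6tables rules still carry a meta expression that the second branch covers, but that is worth stating in the comment since the added test case exercises both iptables and ip6tables. recover_rule_compat() itself starts before and ends after the second hunk of the embedded patch.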
@@ -1,42 +0,0 @@ -From 37622ca0f4c29c9a06b0d2f3f1abc6695c57d560 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Sun, 19 Nov 2023 13:18:26 +0100 -Subject: [PATCH] xshared: struct xt_cmd_parse::xlate is unused - -Drop the boolean, it was meant to disable some existence checks in -do_parse() prior to the caching rework. Now that do_parse() runs before -any caching is done, the checks in question don't exist anymore so drop -this relict. - -Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") -Signed-off-by: Phil Sutter -(cherry picked from commit b180d9c86d2cce6ab6fd3e3617faf320a8a1babb) ---- - iptables/xshared.h | 1 - - iptables/xtables-translate.c | 1 - - 2 files changed, 2 deletions(-) - -diff --git a/iptables/xshared.h b/iptables/xshared.h -index 5586385456a4d..c77556a1987dc 100644 ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -284,7 +284,6 @@ struct xt_cmd_parse { - bool restore; - int line; - int verbose; -- bool xlate; - struct xt_cmd_parse_ops *ops; - }; - -diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c -index 88e0a6b639494..c019cd2991305 100644 ---- a/iptables/xtables-translate.c -+++ b/iptables/xtables-translate.c -@@ -249,7 +249,6 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[], - .table = *table, - .restore = restore, - .line = line, -- .xlate = true, - .ops = &h->ops->cmd_parse, - }; - struct iptables_command_state cs = { diff --git a/0005-extensions-libxt_sctp-Add-an-extra-assert.patch b/0005-extensions-libxt_sctp-Add-an-extra-assert.patch new file mode 100644 index 0000000..47fe875 --- /dev/null +++ b/0005-extensions-libxt_sctp-Add-an-extra-assert.patch 
@@ -0,0 +1,43 @@ +From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 12 Jun 2024 22:49:48 +0200 +Subject: [PATCH] extensions: libxt_sctp: Add an extra assert() + +JIRA: https://issues.redhat.com/browse/RHEL-40928 +Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf + +commit 0234117d24609070f08ef36a11795c3c8e4c19bf +Author: Phil Sutter +Date: Fri May 17 15:20:05 2024 +0200 + + extensions: libxt_sctp: Add an extra assert() + + The code is sane, but this keeps popping up in static code analyzers. + + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + extensions/libxt_sctp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c +index 6e2b274..e8312f0 100644 +--- a/extensions/libxt_sctp.c ++++ b/extensions/libxt_sctp.c +@@ -7,6 +7,7 @@ + * libipt_ecn.c borrowed heavily from libipt_dscp.c + * + */ ++#include + #include + #include + #include +@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma + + for (i = 7; i >= 0; i--) { + if (chunk_flags_mask & (1 << i)) { ++ assert(chunknum < ARRAY_SIZE(sctp_chunk_names)); + if (chunk_flags & (1 << i)) { + printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]); + } else { diff --git a/0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch b/0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch deleted file mode 100644 index c743e75..0000000 --- a/0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch +++ /dev/null 
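Review bot: The `assert(chunknum < ARRAY_SIZE(sctp_chunk_names))` added in print_chunk_flags() is compiled out when NDEBUG is defined, so it records the invariant for static analyzers but adds no bounds protection in release builds; the commit message says the code is sane, so that is acceptable, but a comment stating where the bound is established would save the next reader the same question, e.g. `/* chunknum is bounded by the caller; the assert only documents this for static analyzers */`. Separately, the added include line renders here as a bare `+#include ` with no header name, as do the neighbouring include lines; presumably `<assert.h>` was lost as markup in this view, but it is worth confirming the stored patch file carries it, since the patch would not compile otherwise. print_chunk_flags() starts and ends outside the embedded hunk.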
@@ -1,31 +0,0 @@ -From 436dd5a6ba5639c8e83183f6252ce7bd37760e1c Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Sun, 19 Nov 2023 13:25:36 +0100 -Subject: [PATCH] xshared: All variants support -v, update OPTSTRING_COMMON - -Fixes: 51d9d9e081344 ("ebtables: Support verbose mode") -Signed-off-by: Phil Sutter -(cherry picked from commit 9a9ff768cab58aea02828e422184873e52e9846a) ---- - iptables/xshared.h | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/iptables/xshared.h b/iptables/xshared.h -index c77556a1987dc..815b9d3e98726 100644 ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -75,10 +75,10 @@ struct xtables_globals; - struct xtables_rule_match; - struct xtables_target; - --#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:" --#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x" --#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */ --#define EBT_OPTSTRING OPTSTRING_COMMON "hv" -+#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:v" -+#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nw::x" -+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nx" /* "m:" */ -+#define EBT_OPTSTRING OPTSTRING_COMMON "h" - - /* define invflags which won't collide with IPT ones. - * arptables-nft does NOT use the legacy ARPT_INV_* defines. diff --git a/0006-ebtables-Align-line-number-formatting-with-legacy.patch b/0006-ebtables-Align-line-number-formatting-with-legacy.patch deleted file mode 100644 index 07bea3a..0000000 --- a/0006-ebtables-Align-line-number-formatting-with-legacy.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From ffd0c96de7bbc558b9b7a8bcbeebd9576fec8e59 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Nov 2023 22:58:47 +0100 -Subject: [PATCH] ebtables: Align line number formatting with legacy - -Legacy ebtables appends a dot to the number printed in first column if ---Ln flag was given. - -Fixes: da871de2a6efb ("nft: bootstrap ebtables-compat") -Signed-off-by: Phil Sutter -(cherry picked from commit 74253799f0ca0735256327e834b7dffedde96ebf) ---- - iptables/nft-bridge.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c -index d9a8ad2b0f373..e414ef5584392 100644 ---- a/iptables/nft-bridge.c -+++ b/iptables/nft-bridge.c -@@ -354,7 +354,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r, - struct iptables_command_state cs = {}; - - if (format & FMT_LINENUMBERS) -- printf("%d ", num); -+ printf("%d. ", num); - - nft_rule_to_ebtables_command_state(h, r, &cs); - __nft_bridge_save_rule(&cs, format); diff --git a/0007-man-Do-not-escape-exclamation-marks.patch b/0007-man-Do-not-escape-exclamation-marks.patch deleted file mode 100644 index b088c63..0000000 --- a/0007-man-Do-not-escape-exclamation-marks.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 1c9549af3566e6c0b5573d6f91b25934d8d99f79 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 28 Nov 2023 13:29:17 +0100 -Subject: [PATCH] man: Do not escape exclamation marks - -This appears to be not necessary, also mandoc complains about it: - -| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \! - -Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage") -Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage") -Signed-off-by: Phil Sutter -(cherry picked from commit d8c64911cfd602f57354f36e5ca79bbedd62aa7a) ---- - extensions/libip6t_DNPT.man | 2 +- - extensions/libip6t_SNPT.man | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man -index 9b060f5b7179b..72c6ae5d422a2 100644 ---- a/extensions/libip6t_DNPT.man -+++ b/extensions/libip6t_DNPT.man -@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length - .PP - You have to use the SNPT target to undo the translation. Example: - .IP --ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 -+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0 - \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 - .IP - ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 -diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man -index 97e0071b43cc1..0c926978377a7 100644 ---- a/extensions/libip6t_SNPT.man -+++ b/extensions/libip6t_SNPT.man -@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length - .PP - You have to use the DNPT target to undo the translation. Example: - .IP --ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 -+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0 - \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 - .IP - ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 
diff --git a/0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch b/0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch deleted file mode 100644 index c0bbec2..0000000 --- a/0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From f667f577e6d29e62f55cdc4e1e39414913bf7c4c Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 28 Nov 2023 20:21:49 +0100 -Subject: [PATCH] libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks - -In order to parse the mask, xtopt_parse_hostmask() calls -xtopt_parse_plenmask() thereby limiting netmask support to prefix -lengths (alternatively specified in IP address notation). - -In order to lift this impractical restriction, make -xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may -fall back to xtopt_parse_mask() which correctly initializes val.hmask -itself and indicates non-CIDR-compatible masks by setting val.hlen to --1. - -So in order to support these odd masks, it is sufficient for -xtopt_parse_plenmask() to skip its mask building from val.hlen value and -take whatever val.hmask contains. - -Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") -Signed-off-by: Phil Sutter -(cherry picked from commit 41139aee5e53304182a25f1e573f034b313f7232) ---- - libxtables/xtoptions.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c -index b16bbfbe32311..d91a78f470eda 100644 ---- a/libxtables/xtoptions.c -+++ b/libxtables/xtoptions.c -@@ -711,6 +711,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb) - - xtopt_parse_plen(cb); - -+ /* may not be convertible to CIDR notation */ -+ if (cb->val.hlen == (uint8_t)-1) -+ goto out_put; -+ - memset(mask, 0xFF, sizeof(union nf_inet_addr)); - /* This shifting is AF-independent. */ - if (cb->val.hlen == 0) { -@@ -731,6 +735,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb) - mask[1] = htonl(mask[1]); - mask[2] = htonl(mask[2]); - mask[3] = htonl(mask[3]); -+out_put: - if (entry->flags & XTOPT_PUT) - memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr)); - } 
diff --git a/0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch b/0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch deleted file mode 100644 index 7745634..0000000 --- a/0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 2568af12c3cf96a8b28082e6188dba94441b21c1 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 19 Dec 2023 00:56:07 +0100 -Subject: [PATCH] iptables-legacy: Fix for mandatory lock waiting - -Parameter 'wait' passed to xtables_lock() signals three modes of -operation, depending on its value: - - 0: --wait not specified, do not wait if lock is busy --1: --wait specified without value, wait indefinitely until lock becomes - free ->0: Wait for 'wait' seconds for lock to become free, abort otherwise - -Since fixed commit, the first two cases were treated the same apart from -calling alarm(0), but that is a nop if no alarm is pending. Fix the code -by requesting a non-blocking flock() in the second case. While at it, -restrict the alarm setup to the third case only. - -Cc: Jethro Beekman -Cc: howardjohn@google.com -Cc: Antonio Ojea -Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728 -Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals") -Signed-off-by: Phil Sutter -(cherry picked from commit 63ab5b8906f6913a14d38ec231f21daa760339a9) ---- - .../shell/testcases/iptables/0010-wait_0 | 55 +++++++++++++++++++ - iptables/xshared.c | 4 +- - 2 files changed, 57 insertions(+), 2 deletions(-) - create mode 100755 iptables/tests/shell/testcases/iptables/0010-wait_0 - -diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0 -new file mode 100755 -index 0000000000000..4481f966ce435 ---- /dev/null -+++ b/iptables/tests/shell/testcases/iptables/0010-wait_0 -@@ -0,0 +1,55 @@ -+#!/bin/bash -+ -+case "$XT_MULTI" in -+*xtables-legacy-multi) -+ ;; -+*) -+ echo skip $XT_MULTI -+ exit 0 -+ ;; -+esac -+ -+coproc RESTORE { $XT_MULTI iptables-restore; } -+echo "*filter" >&${RESTORE[1]} -+ -+ -+$XT_MULTI iptables -A FORWARD -j ACCEPT & -+ipt_pid=$! -+ -+waitpid -t 1 $ipt_pid -+[[ $? -eq 3 ]] && { -+ echo "process waits when it should not" -+ exit 1 -+} -+wait $ipt_pid -+[[ $? 
-eq 0 ]] && { -+ echo "process exited 0 despite busy lock" -+ exit 1 -+} -+ -+t0=$(date +%s) -+$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT -+t1=$(date +%s) -+[[ $((t1 - t0)) -ge 3 ]] || { -+ echo "wait time not expired" -+ exit 1 -+} -+ -+$XT_MULTI iptables -w -A FORWARD -j ACCEPT & -+ipt_pid=$! -+ -+waitpid -t 3 $ipt_pid -+[[ $? -eq 3 ]] || { -+ echo "no indefinite wait" -+ exit 1 -+} -+kill $ipt_pid -+waitpid -t 3 $ipt_pid -+[[ $? -eq 3 ]] && { -+ echo "killed waiting iptables call did not exit in time" -+ exit 1 -+} -+ -+kill $RESTORE_PID -+wait -+exit 0 -diff --git a/iptables/xshared.c b/iptables/xshared.c -index 5f75a0a57a023..690502c457dd0 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -270,7 +270,7 @@ static int xtables_lock(int wait) - return XT_LOCK_FAILED; - } - -- if (wait != -1) { -+ if (wait > 0) { - sigact_alarm.sa_handler = alarm_ignore; - sigact_alarm.sa_flags = SA_RESETHAND; - sigemptyset(&sigact_alarm.sa_mask); -@@ -278,7 +278,7 @@ static int xtables_lock(int wait) - alarm(wait); - } - -- if (flock(fd, LOCK_EX) == 0) -+ if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) == 0) - return fd; - - if (errno == EINTR) { diff --git a/0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch b/0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch deleted file mode 100644 index ea88fa3..0000000 --- a/0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 07ab8c7e7a1eeb6a5bb4028d92d713034df39167 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Sun, 17 Dec 2023 13:02:36 +0100 -Subject: [PATCH] libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK - -Do as the comment in xtopt_parse_hostmask() claims and omit -XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate() -will catch the incompatibility. - -Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") -(cherry picked from commit 17d724f20e3c97ea8ce8765ca532a3cf49a98b31) ---- - include/xtables.h | 1 - - libxtables/xtoptions.c | 1 - - 2 files changed, 2 deletions(-) - -diff --git a/include/xtables.h b/include/xtables.h -index 087a1d600f9ae..9def9b43b6e58 100644 ---- a/include/xtables.h -+++ b/include/xtables.h -@@ -61,7 +61,6 @@ struct in_addr; - * %XTTYPE_SYSLOGLEVEL: syslog level by name or number - * %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr) - * %XTTYPE_HOSTMASK: one host or address, with an optional prefix length -- * (ptr: union nf_inet_addr; only host portion is stored) - * %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t) - * %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO) - * %XTTYPE_PORTRC: colon-separated port range (names acceptable), -diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c -index d91a78f470eda..ba68056dc99f7 100644 ---- a/libxtables/xtoptions.c -+++ b/libxtables/xtoptions.c -@@ -57,7 +57,6 @@ static const size_t xtopt_psize[] = { - [XTTYPE_STRING] = -1, - [XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t), - [XTTYPE_HOST] = sizeof(union nf_inet_addr), -- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr), - [XTTYPE_PROTOCOL] = sizeof(uint8_t), - [XTTYPE_PORT] = sizeof(uint16_t), - [XTTYPE_PORTRC] = sizeof(uint16_t[2]), diff --git a/arptables.service b/arptables.service new file mode 100644 index 0000000..df6c7d6 --- /dev/null +++ b/arptables.service 
@@ -0,0 +1,12 @@
+[Unit]
+Description=Automates a packet filtering firewall with arptables
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/arptables-helper start
+ExecStop=/usr/libexec/arptables-helper stop
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ebtables-config b/ebtables-config
new file mode 100644
index 0000000..69d9289
--- /dev/null
+++ b/ebtables-config
@@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule counters.
+# Value: yes|no, default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"
diff --git a/ebtables-helper b/ebtables-helper
new file mode 100644
index 0000000..4773a73
--- /dev/null
+++ b/ebtables-helper
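Review bot: `After=network.target` in arptables.service orders the ruleset load after the network is already up, so at boot there is a window in which ARP traffic reaches the host unfiltered; a packet-filter unit normally wants the opposite ordering, i.e. replace that line with `Wants=network-pre.target` and `Before=network-pre.target` so the rules are in place before interfaces are configured. Whether the existing iptables.service (Source3, not part of this diff) uses that ordering cannot be checked here, so align this unit with whatever it does. A one-line comment in the unit stating the intended ordering would make the choice reviewable next time.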
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# compat for removed initscripts dependency
+
+success() {
+ echo "[ OK ]"
+ return 0
+}
+
+failure() {
+ echo "[FAILED]"
+ return 1
+}
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+ EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+ local ret=0
+ for table in $EBTABLES_TABLES; do
+ ebtables -t $table --init-table || ret=1
+ done
+ return $ret
+}
+
+sanitize_dump() {
+ local drop=false
+
+ export EBTABLES_TABLES
+
+ cat $1 | while read line; do
+ case $line in
+ \**)
+ drop=false
+ local table="${line#\*}"
+ local found=false
+ for t in $EBTABLES_TABLES; do
+ if [[ $t == "$table" ]]; then
+ found=true
+ break
+ fi
+ done
+ $found || drop=true
+ ;;
+ esac
+ $drop || echo "$line"
+ done
+}
+
+start() {
+ if [ -f $EBTABLES_DATA ]; then
+ echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+ sanitize_dump $EBTABLES_DATA | ebtables-restore
+ else
+ echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+ initialize
+ fi
+ local ret=$?
+ touch $VAR_SUBSYS_EBTABLES
+ return $ret
+}
+
+save() {
+ echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+ export EBTABLES_SAVE_COUNTER
+ ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+ start)
+ [ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+ start && success || failure
+ RETVAL=$?
+ ;;
+ stop)
+ [ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+ echo -n $"ebtables: stopping firewall: "
+ initialize && success || failure
+ RETVAL=$?
+ rm -f $VAR_SUBSYS_EBTABLES
+ ;;
+ save)
+ save
+ ;;
+ *)
+ echo "usage: ${0##*/} {start|stop|save}" >&2
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
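Review bot: `save()` redirects `ebtables-save >$EBTABLES_DATA` straight onto the persisted ruleset, so the shell truncates the file before ebtables-save emits a byte; if the dump then fails, the last good ruleset is gone and, since `start()` only tests `-f $EBTABLES_DATA`, the next boot silently restores an empty ruleset instead of reporting the loss. Dumping into a sibling temp file and renaming it into place keeps the old file intact on any failure, as in the rewritten function below (mktemp creates the file 0600, which is appropriate for a file only root feeds to `ebtables-restore`; adjust if `%files` expects another mode). In `sanitize_dump()`, `while read line` should be `while IFS= read -r line` so a backslash inside a rule is not interpreted, and `printf '%s\n' "$line"` is safer than `echo "$line"` for lines that begin with `-`. A failed `touch $VAR_SUBSYS_EBTABLES` (the directory comes from the initscripts package this helper replaces) is silently ignored, which is fine but deserves a comment.
```shell
save() {
  local tmp
  echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
  export EBTABLES_SAVE_COUNTER
  # dump into a temp file beside the target and rename it into place, so a
  # failed ebtables-save never truncates the last good ruleset
  tmp=$(mktemp "${EBTABLES_DATA}.XXXXXX") || { failure; return 1; }
  if ebtables-save >"$tmp" && mv -f -- "$tmp" "$EBTABLES_DATA"; then
    success
  else
    rm -f -- "$tmp"
    failure
  fi
}
```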
diff --git a/ebtables.service b/ebtables.service
new file mode 100644
index 0000000..b096f1d
--- /dev/null
+++ b/ebtables.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..e0a3a8f
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+ - rhel-10
+decision_context: osci_compose_gate
+rules:
+# - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+ - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1-gating.functional}
diff --git a/iptables-test.stderr.expect b/iptables-test.stderr.expect
new file mode 100644
index 0000000..fb27f35
--- /dev/null
+++ b/iptables-test.stderr.expect
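Review bot: ebtables.service carries no ordering directives at all, so systemd is free to start it in parallel with bridge and interface setup and frames can cross a bridge before the filter ruleset is loaded; add `Wants=network-pre.target` and `Before=network-pre.target` under `[Unit]` so the rules are installed before interfaces come up. The unit also lacks the `After=` line that arptables.service has, so the two units end up with different boot ordering for no stated reason; whichever ordering is chosen should be applied to both and noted in a comment.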
@@ -0,0 +1,35 @@ +extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17) +extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8) +extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8) +extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8) +extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1) +extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1) +extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1) +extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4) +extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4) +extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4) +extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0) +extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17) +extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8) +extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8) +extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8) +extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1) +extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1) +extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1) +extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! 
--srh-last-entry-eq 4) +extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4) +extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4) +extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0) +extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0) +extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0) +extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0) +extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0) +extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh) +extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo") +extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink) +extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP) +extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! 
--ipcompspi 18 -j ACCEPT) +extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz) +extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05) +extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00) +extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1") diff --git a/iptables.spec b/iptables.spec index de0476f..e394923 100644 --- a/iptables.spec +++ b/iptables.spec @@ -1,3 +1,6 @@ +%define iptables_rpmversion 1.8.10 +%define iptables_specrelease 9 + # install init scripts to /usr/libexec with systemd %global script_path %{_libexecdir}/iptables @@ -7,11 +10,16 @@ %global iptc_so_ver 0 %global ipXtc_so_ver 2 +# build legacy sub-packages only on non-rhel distributions +%global do_legacy_pkg ! 0%{?rhel} + +%define _unpackaged_files_terminate_build 0 + Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables -Version: 1.8.10 -Release: 8%{?dist} +Version: %{iptables_rpmversion} +Release: %{iptables_specrelease}%{?dist}%{?buildid} Source: %{url}/files/%{name}-%{version}.tar.xz Source1: iptables.init Source2: iptables-config 
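Review bot: `%define _unpackaged_files_terminate_build 0` switches off rpmbuild's check that every file installed into the buildroot is claimed by some `%files` list, so a helper, unit or library that is accidentally left out of `%files` no longer fails the build but silently vanishes from the package. Presumably it is here because the legacy binaries are still built and installed when `do_legacy_pkg` is false; the safer pattern is to keep the check enabled and `rm` the intentionally unshipped files in `%install` under `%if ! %{do_legacy_pkg}`, or at minimum add a comment above the define naming exactly which files it is meant to cover. `%global do_legacy_pkg ! 0%{?rhel}` stores a literal `! 0` / `! 010` expression that only makes sense inside `%if`; a note such as `# boolean expression, use inside %if only` would prevent it being used as a value elsewhere.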
@@ -19,17 +27,17 @@ Source3: iptables.service Source4: sysconfig_iptables Source5: sysconfig_ip6tables Source6: arptables-nft-helper +Source7: arptables.service +Source8: ebtables-helper +Source9: ebtables.service +Source10: ebtables-config +Source11: iptables-test.stderr.expect -Patch001: 0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch -Patch002: 0002-arptables-nft-remove-ARPT_INV-flags-usage.patch -Patch003: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch -Patch004: 0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch -Patch005: 0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch -Patch006: 0006-ebtables-Align-line-number-formatting-with-legacy.patch -Patch007: 0007-man-Do-not-escape-exclamation-marks.patch -Patch008: 0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch -Patch009: 0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch -Patch010: 0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch +Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch +Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch +Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch +Patch4: 0004-nft-Fix-for-broken-recover_rule_compat.patch +Patch5: 0005-extensions-libxt_sctp-Add-an-extra-assert.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -37,7 +45,7 @@ License: GPL-2.0-only AND Artistic-2.0 AND ISC # libnetfilter_conntrack is needed for xt_connlabel BuildRequires: pkgconfig(libnetfilter_conntrack) -# libnfnetlink-devel is requires for nfnl_osf +# libnfnetlink-devel is required for nfnl_osf BuildRequires: pkgconfig(libnfnetlink) BuildRequires: libselinux-devel BuildRequires: kernel-headers 
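Review bot: Patch004 through Patch010 are dropped without replacement, and the deleted files are cherry-picks of upstream commits dated November and December 2023 — among them the `-w` lock-waiting fix for iptables-legacy, the non-CIDR hostmask parsing fix and the XTOPT_PUT/XTTYPE_HOSTMASK guard — so if the 1.8.10 tarball predates them they are lost from this build, and the changelog entry "Sync with RHEL9 package" does not say whether that is intended. The lock-waiting fix only matters where `do_legacy_pkg` is true, i.e. non-RHEL builds of this same spec, which makes the drop easy to miss from a RHEL-only test run. A changelog line such as `- Drop post-1.8.10 cherry-picks 0004-0010 (not carried in RHEL9)` with the reason would make the regression explicit and reviewable.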
@@ -65,13 +73,10 @@ Summary: Legacy tools for managing Linux kernel packet filtering capabilities Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release} Conflicts: setup < 2.10.4-1 -Requires(post): /usr/sbin/update-alternatives -Requires(postun): /usr/sbin/update-alternatives -%if 0%{?rhel} < 9 +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Obsoletes: %{name} < %{version}-%{release} Provides: iptables -%endif -Provides: %{name}-compat = %{version}-%{release} -Obsoletes: %{name}-compat < 1.8.9-7 %description legacy The iptables utility controls the network packet filtering code in the @@ -91,6 +96,7 @@ and logic for those is kept in per-extension shared object files. %package legacy-libs Summary: iptables legacy libraries +Obsoletes: %{name}-libs < %{version}-%{release} %description legacy-libs iptables libraries. @@ -104,8 +110,6 @@ For more information about this, please have a look at %package devel Summary: Development package for iptables Requires: %{name}-libs%{?_isa} = %{version}-%{release} -# XXX: Drop this after two releases or so -Requires: %{name}-legacy-devel%{?_isa} = %{version}-%{release} Requires: pkgconfig %description devel @@ -125,12 +129,7 @@ stable and may change with every new version. It is therefore unsupported. %package services Summary: iptables and ip6tables services for iptables Requires: %{name} = %{version}-%{release} -Requires: %{name}-utils = %{version}-%{release} %{?systemd_ordering} -# obsolete old main package -Obsoletes: %{name} < 1.4.16.1 -# obsolete ipv6 sub package -Obsoletes: %{name}-ipv6 < 1.4.11.1 BuildArch: noarch %description services 
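Review bot: `Obsoletes: %{name} < %{version}-%{release}` on the legacy sub-package, and `Obsoletes: %{name}-libs < %{version}-%{release}` on legacy-libs, obsolete names that this spec apparently still produces at the same version — `Requires: %{name}-libs%{?_isa} = %{version}-%{release}` sits two lines above — so on non-RHEL builds, where `do_legacy_pkg` is true, the resolver may treat iptables-legacy-libs as the upgrade path for an installed iptables-libs rather than the new iptables-libs. On RHEL the legacy sub-packages are not built, so these lines are inert there, which may be why the effect was not noticed. If the intent is only to replace an older package layout, a fixed upper bound naming the last release that shipped that layout, plus a comment saying so, is safer than a bound that moves with every release. `Provides: iptables` is now unconditional where it used to be guarded by `%if 0%{?rhel} < 9`; a comment on why both legacy and nft provide it would help.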
@@ -139,6 +138,27 @@ iptables services for IPv4 and IPv6 This package provides the services iptables and ip6tables that have been split out of the base package since they are not active by default anymore. +%package nft-services +Summary: Services for nft-variants of iptables, ebtables and arptables +Requires: %{name}-nft = %{version}-%{release} +Conflicts: arptables-services +Conflicts: ebtables-services +Provides: iptables-services = %{version}-%{release} +Provides: arptables-services +Provides: ebtables-services +Obsoletes: iptables-services <= 1.8.4 +Obsoletes: iptables-arptables <= 1.8.4 +Obsoletes: iptables-ebtables <= 1.8.4 +Obsoletes: iptables-nft-compat <= 1.8.7-19 +%{?systemd_ordering} +BuildArch: noarch + +%description nft-services +Services for nft-variants of iptables, ebtables and arptables + +This package provides the services iptables, ip6tables, arptables and ebtables +for use with iptables-nft which provides nft-variants of these tools. + %package utils Summary: iptables and ip6tables misc utilities Requires: %{name} = %{version}-%{release} @@ -153,20 +173,21 @@ a safer way to update iptables remotely. %package nft Summary: nftables compatibility for iptables, arptables and ebtables Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires(post): /usr/sbin/update-alternatives -Requires(post): /usr/bin/readlink -Requires(postun): /usr/sbin/update-alternatives -Obsoletes: iptables-compat < 1.6.2-4 +Requires(post): %{_sbindir}/update-alternatives +Requires(post): %{_bindir}/readlink +Requires(postun): %{_sbindir}/update-alternatives Provides: arptables-helper Provides: iptables Provides: arptables Provides: ebtables +Obsoletes: iptables <= 1.8.4 %description nft nftables compatibility for iptables, arptables and ebtables. %prep %autosetup -p1 +cp %{SOURCE11} . %build ./autogen.sh 
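Review bot: `Provides: arptables-services` and `Provides: ebtables-services` are unversioned while the neighbouring `Provides: iptables-services = %{version}-%{release}` is versioned; an unversioned provide satisfies any `Requires: ebtables-services >= X` regardless of X, so version both the same way, `Provides: arptables-services = %{version}-%{release}` and `Provides: ebtables-services = %{version}-%{release}`. The paired `Conflicts: arptables-services` / `Conflicts: ebtables-services` lines are harmless because rpm ignores a package's conflicts with its own provides, but a one-line comment stating that they target the old standalone packages would stop the next reader from puzzling over provide-and-conflict on the same name.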
@@ -227,25 +248,45 @@ install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables # Remove /etc/ethertypes (now part of setup) rm -f %{buildroot}%{_sysconfdir}/ethertypes -install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/ -touch %{buildroot}%{_libexecdir}/arptables-helper +# extra sources for arptables +install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper +install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service +touch %{buildroot}%{_sysconfdir}/sysconfig/arptables + +# extra sources for ebtables +install -p %{SOURCE9} %{buildroot}%{_unitdir}/ +install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper +install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config +touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables # prepare for alternatives +touch %{buildroot}%{_libexecdir}/arptables-helper touch %{buildroot}%{_mandir}/man8/arptables.8 touch %{buildroot}%{_mandir}/man8/arptables-save.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/ebtables.8 -# fix absolute symlink -rm -f %{buildroot}%{_bindir}/iptables-xml -ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml +# add symlinks for compatibility to merged extensions +link_ext() { # (target, link) + local targetfile="%{buildroot}%{_libdir}/xtables/${1}.so" + local targetname="${1}.so" + local link="%{buildroot}%{_libdir}/xtables/${2}.so" + [[ -e "$link" ]] && return 0 + [[ -e "$targetfile" ]] || return 0 + ln -s $targetname $link +} +for fam in ip ip6; do + link_ext libxt_LOG lib${fam}t_LOG + link_ext libxt_NAT lib${fam}t_SNAT + link_ext libxt_NAT lib${fam}t_MASQUERADE +done %ldconfig_scriptlets %post legacy pfx=%{_sbindir}/iptables pfx6=%{_sbindir}/ip6tables -/usr/sbin/update-alternatives --install \ +%{_sbindir}/update-alternatives --install \ $pfx iptables $pfx-legacy 10 \ --slave $pfx6 ip6tables $pfx6-legacy \ --slave $pfx-restore iptables-restore 
$pfx-legacy-restore \ @@ -255,33 +296,10 @@ pfx6=%{_sbindir}/ip6tables %postun legacy if [ $1 -eq 0 ]; then - /usr/sbin/update-alternatives --remove \ + %{_sbindir}/update-alternatives --remove \ iptables %{_sbindir}/iptables-legacy fi -# iptables-1.8.0-1 introduced the use of alternatives -# when upgrading, its %postun script runs due to the package renaming -# fix this by repeating the install into alternatives -# also keep the old alternatives configuration to not change the system -%triggerun legacy -- iptables > 1.8.0 -alternatives --list | awk '/^iptables/{print $3; exit}' \ - >/var/tmp/alternatives.iptables.current -cp /var/lib/alternatives/iptables /var/tmp/alternatives.iptables.setup - -%triggerpostun legacy -- iptables > 1.8.0 -pfx=%{_sbindir}/iptables -pfx6=%{_sbindir}/ip6tables -/usr/sbin/update-alternatives --install \ - $pfx iptables $pfx-legacy 10 \ - --slave $pfx6 ip6tables $pfx6-legacy \ - --slave $pfx-restore iptables-restore $pfx-legacy-restore \ - --slave $pfx-save iptables-save $pfx-legacy-save \ - --slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \ - --slave $pfx6-save ip6tables-save $pfx6-legacy-save -alternatives --set iptables $( [1.8.10-9.el10] +- Sync with RHEL9 package (Phil Sutter) + * Mon Jun 24 2024 Troy Dawson - 1.8.10-8 - Bump release for June 2024 mass rebuild
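Review bot: `install -p %{SOURCE9} %{buildroot}%{_unitdir}/` has no `-m`, so GNU install's default mode 0755 applies and ebtables.service is shipped executable, unlike arptables.service which is installed with `-m 644` a few lines above; use `install -p -D -m 644 %{SOURCE9} %{buildroot}%{_unitdir}/ebtables.service`. The ruleset store `%{_sysconfdir}/sysconfig/ebtables` is only `touch`ed here, so its final mode is decided in `%files` outside this hunk; since ebtables-helper feeds that file to `ebtables-restore` as root it must not be group- or world-writable, so confirm `%files` gives it 0600 as `ebtables-config` gets here. `link_ext` passes `$targetname $link` unquoted to `ln`, which is fine for buildroot paths but `"$targetname" "$link"` costs nothing. This `%install` hunk starts mid-section; the earlier install steps are outside the diff.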