iptables-1.8.10-9.el10

* Wed Jul 03 2024 Phil Sutter <psutter@redhat.com> [1.8.10-9.el10]
- Sync with RHEL9 package (Phil Sutter)
Phil Sutter 2024-07-03 16:30:13 +02:00
parent 4d41cd78cb
commit 95a0be6c84
21 changed files with 839 additions and 604 deletions


@ -0,0 +1,336 @@
From 2abc07c47189b26fce16f4751a96f747fa53fc0f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 17 Jun 2021 18:44:28 +0200
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945151
Upstream Status: RHEL-only
This is RHEL9 trying to friendly kick people towards nftables.
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/arptables-nft-restore.8 | 13 ++++++++++++-
iptables/arptables-nft-save.8 | 14 +++++++++++++-
iptables/arptables-nft.8 | 19 ++++++++++++++++++-
iptables/ebtables-nft.8 | 15 ++++++++++++++-
iptables/iptables-apply.8.in | 14 +++++++++++++-
iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++
iptables/iptables-restore.8.in | 17 ++++++++++++++++-
iptables/iptables-save.8.in | 15 ++++++++++++++-
iptables/iptables.8.in | 17 +++++++++++++++++
iptables/xtables-monitor.8.in | 11 +++++++++++
10 files changed, 142 insertions(+), 7 deletions(-)
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
index 09d9082..b1bf029 100644
--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
.SH SYNOPSIS
\fBarptables\-restore
.SH DESCRIPTION
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
.PP
.B arptables-restore
is used to restore ARP Tables from data specified on STDIN or
@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
-\fBarptables\-save\fP(8), \fBarptables\fP(8)
+\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
.PP
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
index 905e598..49bb0f6 100644
--- a/iptables/arptables-nft-save.8
+++ b/iptables/arptables-nft-save.8
@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
\fBarptables\-save\fP [\fB\-V\fP]
.SH DESCRIPTION
.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B arptables-save
is used to dump the contents of an ARP Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
@@ -43,5 +55,5 @@ Print version information and exit.
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
+\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
.PP
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index ea31e08..ec5b993 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
.SH DESCRIPTION
+.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B arptables
is a user space tool, it is used to set up and maintain the
tables of ARP rules in the Linux kernel. These rules inspect
@@ -340,9 +353,13 @@ bridges, the same may be achieved using
chain in
.BR ebtables .
+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
+will not receive new features. New setups should use \fBnft\fP(8). Existing
+setups should migrate to \fBnft\fP(8) when possible.
+
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
.SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
.PP
.BR "" "See " https://wiki.nftables.org
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 0304b50..cfd617a 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
.br
.SH DESCRIPTION
+.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B ebtables
is an application program used to set up and maintain the
tables of rules (inside the Linux kernel) that inspect
@@ -1083,6 +1096,6 @@ has not been implemented, although
might replace them entirely given the inherent atomicity of nftables.
Finally, this list is probably not complete.
.SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
.PP
.BR "" "See " https://wiki.nftables.org
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
index f0ed4e5..7f99a21 100644
--- a/iptables/iptables-apply.8.in
+++ b/iptables/iptables-apply.8.in
@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
.SH "DESCRIPTION"
.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
iptables\-apply will try to apply a new rulesfile (as output by
iptables-save, read by iptables-restore) or run a command to configure
iptables and then prompt the user whether the changes are okay. If the
@@ -47,7 +59,7 @@ Display usage information.
Display version information.
.SH "SEE ALSO"
.PP
-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
.SH LEGALESE
.PP
Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
index 99d89a1..73d40bb 100644
--- a/iptables/iptables-extensions.8.tmpl.in
+++ b/iptables/iptables-extensions.8.tmpl.in
@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
.PP
\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
+to help with the migration.
.SH MATCH EXTENSIONS
iptables can use extended packet matching modules
with the \fB\-m\fP or \fB\-\-match\fP
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index aa816f7..353d4dc 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fIfile\fP]
.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
+to help with the migration.
.PP
.B iptables-restore
and
@@ -82,7 +95,9 @@ from Rusty Russell.
.br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
.SH SEE ALSO
-\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
+\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
+\fBip6tables\-restore\-translate\fP(8)
.PP
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 65c1f28..d47be27 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
.SH DESCRIPTION
.PP
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B iptables-save
and
.B ip6tables-save
@@ -66,7 +78,8 @@ Rusty Russell <rusty@rustcorp.com.au>
.br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
.SH SEE ALSO
-\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8),
+\fBnft\fP(8)
.PP
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index ecaa555..4c4a15a 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
.PP
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
+to help with the migration.
+.PP
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
tables of IPv4 and IPv6 packet
filter rules in the Linux kernel. Several different tables
@@ -455,6 +469,9 @@ There are several other changes in iptables.
\fBiptables\-save\fP(8),
\fBiptables\-restore\fP(8),
\fBiptables\-extensions\fP(8),
+\fBnft\fP(8),
+\fBiptables\-translate\fP(8),
+\fBip6tables\-translate\fP(8)
.PP
The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT,
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
index a7f22c0..e21d7ff 100644
--- a/iptables/xtables-monitor.8.in
+++ b/iptables/xtables-monitor.8.in
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
.PP
\
.SH DESCRIPTION
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
.PP
.B xtables-monitor
is used to monitor changes to the ruleset or to show rule evaluation events


@ -1,81 +0,0 @@
From 88d7c7c51b4523add8b7d48209b5b6a316442e0f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 12 Oct 2023 17:27:42 +0200
Subject: [PATCH] libiptc: Fix for another segfault due to chain index NULL
pointer
Chain rename code missed to adjust the num_chains value which is used to
calculate the number of chain index buckets to allocate during an index
rebuild. So with the right number of chains present, the last chain in a
middle bucket being renamed (and ending up in another bucket) triggers
an index rebuild based on false data. The resulting NULL pointer index
bucket then causes a segfault upon reinsertion.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
(cherry picked from commit e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620)
---
.../testcases/chain/0008rename-segfault2_0 | 32 +++++++++++++++++++
libiptc/libiptc.c | 4 +++
2 files changed, 36 insertions(+)
create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0
diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
new file mode 100755
index 0000000000000..bc473d2511bbd
--- /dev/null
+++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Another funny rename bug in libiptc:
+# If there is a chain index bucket with only a single chain in it and it is not
+# the last one and that chain is renamed, a chain index rebuild is triggered.
+# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an
+# extra index is allocated and remains NULL. The following insert of renamed
+# chain then segfaults.
+
+(
+ echo "*filter"
+ # first bucket
+ for ((i = 0; i < 40; i++)); do
+ echo ":chain-a-$i - [0:0]"
+ done
+ # second bucket
+ for ((i = 0; i < 40; i++)); do
+ echo ":chain-b-$i - [0:0]"
+ done
+ # third bucket, just make sure it exists
+ echo ":chain-c-0 - [0:0]"
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore
+
+# rename all chains of the middle bucket
+(
+ echo "*filter"
+ for ((i = 0; i < 40; i++)); do
+ echo "-E chain-b-$i chain-d-$i"
+ done
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore --noflush
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index e475063367c26..9712a36353b9a 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
return 0;
}
+ handle->num_chains--;
+
/* This only unlinks "c" from the list, thus no free(c) */
iptcc_chain_index_delete_chain(c, handle);
/* Change the name of the chain */
strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1);
+ handle->num_chains++;
+
/* Insert sorted into to list again */
iptc_insert_chain(handle, c);


@ -1,81 +0,0 @@
From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Fri, 3 Nov 2023 17:33:22 +0100
Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage
ARPT_ and IPT_INV flags are not interchangeable, e.g.:
define IPT_INV_SRCDEVADDR 0x0080
define ARPT_INV_SRCDEVADDR 0x0010
as these flags can be tested by libarp_foo.so such checks can yield
incorrect results.
Because arptables-nft uses existing code, e.g. xt_mark, it makes
sense to unify this completely by converting the last users of
ARPT_INV_ constants.
Note that arptables-legacy does not do run-time module loading via
dlopen(). Functionaliy implemented by "extensions" in the
arptables-legacy git tree are built-in, so this doesn't break
arptables-legacy binaries.
Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68)
---
extensions/libarpt_mangle.c | 4 ++--
iptables/nft-arp.c | 2 +-
iptables/xshared.h | 4 +++-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c
index 765edf34781f3..a846e97ec8f27 100644
--- a/extensions/libarpt_mangle.c
+++ b/extensions/libarpt_mangle.c
@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! --h-length not allowed for "
"--mangle-mac-s");
@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! hln not allowed for --mangle-mac-d");
if (e->arp.arhln != 6)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index aed39ebdd5166..535dd6b83237b 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command,
&args->d.naddrs);
if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
- (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+ (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
xtables_error(PARAMETER_PROBLEM,
"! not allowed with multiple"
" source or destination IP addresses");
diff --git a/iptables/xshared.h b/iptables/xshared.h
index a200e0d620ad3..5586385456a4d 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -80,7 +80,9 @@ struct xtables_target;
#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
-/* define invflags which won't collide with IPT ones */
+/* define invflags which won't collide with IPT ones.
+ * arptables-nft does NOT use the legacy ARPT_INV_* defines.
+ */
#define IPT_INV_SRCDEVADDR 0x0080
#define IPT_INV_TGTDEVADDR 0x0100
#define IPT_INV_ARPHLN 0x0200


@ -0,0 +1,28 @@
From 4388fad6c3874a3861907734f9a6368cfd0a731c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 16 Jul 2021 21:51:49 +0200
Subject: [PATCH] extensions: SECMARK: Use a better context in test case
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047558
Upstream Status: RHEL-only
RHEL SELinux policies don't allow setting
system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
'packet_type' attribute (identified via
'seinfo -xt | grep packet_type').
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_SECMARK.t | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
index 39d4c09..295e7a7 100644
--- a/extensions/libxt_SECMARK.t
+++ b/extensions/libxt_SECMARK.t
@@ -1,4 +1,4 @@
:INPUT,FORWARD,OUTPUT
*security
--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
-j SECMARK;;FAIL


@ -1,16 +1,26 @@
From b7051898e28854b21bc7a37ef24ca037ef977e4a Mon Sep 17 00:00:00 2001 From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <psutter@redhat.com>
Date: Tue, 7 Nov 2023 19:12:14 +0100 Date: Tue, 7 Nov 2023 23:44:55 +0100
Subject: [PATCH] ebtables: Fix corner-case noflush restore bug Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
Report came from firwalld, but this is actually rather hard to trigger. JIRA: https://issues.redhat.com/browse/RHEL-14147
Since a regular chain line prevents it, typical dump/restore use-cases Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
are unaffected.
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation") commit c1083acea70787eea3f7929fd04718434bb05ba8
Cc: Eric Garver <eric@garver.life> Author: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <phil@nwl.cc> Date: Tue Nov 7 19:12:14 2023 +0100
(cherry picked from commit c1083acea70787eea3f7929fd04718434bb05ba8)
ebtables: Fix corner-case noflush restore bug
Report came from firwalld, but this is actually rather hard to trigger.
Since a regular chain line prevents it, typical dump/restore use-cases
are unaffected.
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
Cc: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++ .../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
iptables/xtables-eb.c | 2 ++ iptables/xtables-eb.c | 2 ++
@ -19,7 +29,7 @@ Signed-off-by: Phil Sutter <phil@nwl.cc>
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
new file mode 100755 new file mode 100755
index 0000000000000..0def0ac58e7be index 0000000..0def0ac
--- /dev/null --- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 +++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
@@ -0,0 +1,25 @@ @@ -0,0 +1,25 @@
@ -49,7 +59,7 @@ index 0000000000000..0def0ac58e7be
+COMMIT +COMMIT
+EOF +EOF
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 08eec79d80400..a8ad57c735cc5 100644 index 08eec79..a8ad57c 100644
--- a/iptables/xtables-eb.c --- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain) @@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)


@ -0,0 +1,99 @@
From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 22 May 2024 18:26:58 +0200
Subject: [PATCH] nft: Fix for broken recover_rule_compat()
JIRA: https://issues.redhat.com/browse/RHEL-26619
Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Feb 27 18:47:39 2024 +0100
nft: Fix for broken recover_rule_compat()
When IPv4 rule generator was changed to emit payload instead of
meta expressions for l4proto matches, the code reinserting
NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
zeroing was broken by accident.
Make rule compat recovery aware of the alternative match, basically
reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
with NFTA_RULE_COMPAT") but add a test case this time to make sure
things stay intact.
Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 27 ++++++++++++++++---
.../nft-only/0011-zero-needs-compat_0 | 12 +++++++++
2 files changed, 35 insertions(+), 4 deletions(-)
create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
diff --git a/iptables/nft.c b/iptables/nft.c
index 97fd4f4..c4caf29 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
return strerror(err);
}
+static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
+{
+ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
+ uint32_t poff = offsetof(struct iphdr, protocol);
+ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
+
+ if (!strcmp(name, "payload") &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
+ return 0;
+ }
+ if (!strcmp(name, "meta") &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
+ return 0;
+ }
+ return -1;
+}
+
static int recover_rule_compat(struct nftnl_rule *r)
{
struct nftnl_expr_iter *iter;
@@ -3695,12 +3716,10 @@ next_expr:
if (!e)
goto out;
- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
+ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */
+ if (l4proto_expr_get_dreg(e, &reg) < 0)
goto next_expr;
- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
-
e = nftnl_expr_iter_next(iter);
if (!e)
goto out;
diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
new file mode 100755
index 0000000..e276a95
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+set -e
+
+rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
+for cmd in iptables ip6tables; do
+ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
+ $XT_MULTI $cmd -t mangle -Z
+ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
+done
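Review bot: The new static helper l4proto_expr_get_dreg() carries no comment saying which expressions it accepts or what it writes to *dregp, which matters because recover_rule_compat() (whose body continues outside the hunk) now silently skips every expression for which it returns -1. A header comment such as `/* Return 0 and store the destination register in *dregp if e loads the l4 protocol, i.e. a 'payload' load of iphdr.protocol (emitted by the IPv4 rule generator) or 'meta l4proto'; otherwise return -1. */` would make that contract explicit. The payload branch only recognizes the IPv4 iphdr.protocol offset; from the commit message that is the only generator that changed, so IPv6 rules presumably still use meta l4proto, and recording that assumption in the comment would keep a later change to the IPv6 generator from reintroducing this breakage unnoticed. The added test runs both iptables and ip6tables through -Z, which at least exercises that assumption.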


@ -1,42 +0,0 @@
From 37622ca0f4c29c9a06b0d2f3f1abc6695c57d560 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 19 Nov 2023 13:18:26 +0100
Subject: [PATCH] xshared: struct xt_cmd_parse::xlate is unused
Drop the boolean, it was meant to disable some existence checks in
do_parse() prior to the caching rework. Now that do_parse() runs before
any caching is done, the checks in question don't exist anymore so drop
this relict.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit b180d9c86d2cce6ab6fd3e3617faf320a8a1babb)
---
iptables/xshared.h | 1 -
iptables/xtables-translate.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 5586385456a4d..c77556a1987dc 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -284,7 +284,6 @@ struct xt_cmd_parse {
bool restore;
int line;
int verbose;
- bool xlate;
struct xt_cmd_parse_ops *ops;
};
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 88e0a6b639494..c019cd2991305 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -249,7 +249,6 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
.table = *table,
.restore = restore,
.line = line,
- .xlate = true,
.ops = &h->ops->cmd_parse,
};
struct iptables_command_state cs = {


@ -0,0 +1,43 @@
From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 12 Jun 2024 22:49:48 +0200
Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
JIRA: https://issues.redhat.com/browse/RHEL-40928
Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
commit 0234117d24609070f08ef36a11795c3c8e4c19bf
Author: Phil Sutter <phil@nwl.cc>
Date: Fri May 17 15:20:05 2024 +0200
extensions: libxt_sctp: Add an extra assert()
The code is sane, but this keeps popping up in static code analyzers.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_sctp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 6e2b274..e8312f0 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -7,6 +7,7 @@
* libipt_ecn.c borrowed heavily from libipt_dscp.c
*
*/
+#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
for (i = 7; i >= 0; i--) {
if (chunk_flags_mask & (1 << i)) {
+ assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
if (chunk_flags & (1 << i)) {
printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
} else {
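Review bot: The added assert() sits inside the `for (i = 7; i >= 0; i--)` loop although chunknum is not modified by the visible loop body, so it is re-evaluated on every set mask bit; placing `assert(chunknum < ARRAY_SIZE(sctp_chunk_names));` once directly before the `for` line states the precondition for the sctp_chunk_names[chunknum] index in one place and is still visible to a static analyzer. Note that with NDEBUG defined the assert compiles to nothing, so it documents the invariant rather than enforcing it, which is consistent with the commit message's claim that the code is already sane. print_chunk_flags() starts outside the hunk, so if chunknum is already validated earlier in the function, the assert might better live at that point.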


@ -1,31 +0,0 @@
From 436dd5a6ba5639c8e83183f6252ce7bd37760e1c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 19 Nov 2023 13:25:36 +0100
Subject: [PATCH] xshared: All variants support -v, update OPTSTRING_COMMON
Fixes: 51d9d9e081344 ("ebtables: Support verbose mode")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9a9ff768cab58aea02828e422184873e52e9846a)
---
iptables/xshared.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index c77556a1987dc..815b9d3e98726 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -75,10 +75,10 @@ struct xtables_globals;
struct xtables_rule_match;
struct xtables_target;
-#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
-#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
-#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
+#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:v"
+#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nw::x"
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nx" /* "m:" */
+#define EBT_OPTSTRING OPTSTRING_COMMON "h"
/* define invflags which won't collide with IPT ones.
* arptables-nft does NOT use the legacy ARPT_INV_* defines.


@ -1,28 +0,0 @@
From ffd0c96de7bbc558b9b7a8bcbeebd9576fec8e59 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 21 Nov 2023 22:58:47 +0100
Subject: [PATCH] ebtables: Align line number formatting with legacy
Legacy ebtables appends a dot to the number printed in first column if
--Ln flag was given.
Fixes: da871de2a6efb ("nft: bootstrap ebtables-compat")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 74253799f0ca0735256327e834b7dffedde96ebf)
---
iptables/nft-bridge.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index d9a8ad2b0f373..e414ef5584392 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -354,7 +354,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
struct iptables_command_state cs = {};
if (format & FMT_LINENUMBERS)
- printf("%d ", num);
+ printf("%d. ", num);
nft_rule_to_ebtables_command_state(h, r, &cs);
__nft_bridge_save_rule(&cs, format);


@ -1,44 +0,0 @@
From 1c9549af3566e6c0b5573d6f91b25934d8d99f79 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Nov 2023 13:29:17 +0100
Subject: [PATCH] man: Do not escape exclamation marks
This appears to be not necessary, also mandoc complains about it:
| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \!
Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage")
Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit d8c64911cfd602f57354f36e5ca79bbedd62aa7a)
---
extensions/libip6t_DNPT.man | 2 +-
extensions/libip6t_SNPT.man | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man
index 9b060f5b7179b..72c6ae5d422a2 100644
--- a/extensions/libip6t_DNPT.man
+++ b/extensions/libip6t_DNPT.man
@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
.PP
You have to use the SNPT target to undo the translation. Example:
.IP
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
.IP
ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man
index 97e0071b43cc1..0c926978377a7 100644
--- a/extensions/libip6t_SNPT.man
+++ b/extensions/libip6t_SNPT.man
@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
.PP
You have to use the DNPT target to undo the translation. Example:
.IP
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
.IP
ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64


@ -1,49 +0,0 @@
From f667f577e6d29e62f55cdc4e1e39414913bf7c4c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Nov 2023 20:21:49 +0100
Subject: [PATCH] libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
In order to parse the mask, xtopt_parse_hostmask() calls
xtopt_parse_plenmask() thereby limiting netmask support to prefix
lengths (alternatively specified in IP address notation).
In order to lift this impractical restriction, make
xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
fall back to xtopt_parse_mask() which correctly initializes val.hmask
itself and indicates non-CIDR-compatible masks by setting val.hlen to
-1.
So in order to support these odd masks, it is sufficient for
xtopt_parse_plenmask() to skip its mask building from val.hlen value and
take whatever val.hmask contains.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 41139aee5e53304182a25f1e573f034b313f7232)
---
libxtables/xtoptions.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index b16bbfbe32311..d91a78f470eda 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -711,6 +711,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
xtopt_parse_plen(cb);
+ /* may not be convertible to CIDR notation */
+ if (cb->val.hlen == (uint8_t)-1)
+ goto out_put;
+
memset(mask, 0xFF, sizeof(union nf_inet_addr));
/* This shifting is AF-independent. */
if (cb->val.hlen == 0) {
@@ -731,6 +735,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
mask[1] = htonl(mask[1]);
mask[2] = htonl(mask[2]);
mask[3] = htonl(mask[3]);
+out_put:
if (entry->flags & XTOPT_PUT)
memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
}


@ -1,114 +0,0 @@
From 2568af12c3cf96a8b28082e6188dba94441b21c1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 19 Dec 2023 00:56:07 +0100
Subject: [PATCH] iptables-legacy: Fix for mandatory lock waiting
Parameter 'wait' passed to xtables_lock() signals three modes of
operation, depending on its value:
0: --wait not specified, do not wait if lock is busy
-1: --wait specified without value, wait indefinitely until lock becomes
free
>0: Wait for 'wait' seconds for lock to become free, abort otherwise
Since fixed commit, the first two cases were treated the same apart from
calling alarm(0), but that is a nop if no alarm is pending. Fix the code
by requesting a non-blocking flock() in the second case. While at it,
restrict the alarm setup to the third case only.
Cc: Jethro Beekman <jethro@fortanix.com>
Cc: howardjohn@google.com
Cc: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728
Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 63ab5b8906f6913a14d38ec231f21daa760339a9)
---
.../shell/testcases/iptables/0010-wait_0 | 55 +++++++++++++++++++
iptables/xshared.c | 4 +-
2 files changed, 57 insertions(+), 2 deletions(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0010-wait_0
diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0
new file mode 100755
index 0000000000000..4481f966ce435
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0010-wait_0
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+case "$XT_MULTI" in
+*xtables-legacy-multi)
+ ;;
+*)
+ echo skip $XT_MULTI
+ exit 0
+ ;;
+esac
+
+coproc RESTORE { $XT_MULTI iptables-restore; }
+echo "*filter" >&${RESTORE[1]}
+
+
+$XT_MULTI iptables -A FORWARD -j ACCEPT &
+ipt_pid=$!
+
+waitpid -t 1 $ipt_pid
+[[ $? -eq 3 ]] && {
+ echo "process waits when it should not"
+ exit 1
+}
+wait $ipt_pid
+[[ $? -eq 0 ]] && {
+ echo "process exited 0 despite busy lock"
+ exit 1
+}
+
+t0=$(date +%s)
+$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT
+t1=$(date +%s)
+[[ $((t1 - t0)) -ge 3 ]] || {
+ echo "wait time not expired"
+ exit 1
+}
+
+$XT_MULTI iptables -w -A FORWARD -j ACCEPT &
+ipt_pid=$!
+
+waitpid -t 3 $ipt_pid
+[[ $? -eq 3 ]] || {
+ echo "no indefinite wait"
+ exit 1
+}
+kill $ipt_pid
+waitpid -t 3 $ipt_pid
+[[ $? -eq 3 ]] && {
+ echo "killed waiting iptables call did not exit in time"
+ exit 1
+}
+
+kill $RESTORE_PID
+wait
+exit 0
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 5f75a0a57a023..690502c457dd0 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -270,7 +270,7 @@ static int xtables_lock(int wait)
return XT_LOCK_FAILED;
}
- if (wait != -1) {
+ if (wait > 0) {
sigact_alarm.sa_handler = alarm_ignore;
sigact_alarm.sa_flags = SA_RESETHAND;
sigemptyset(&sigact_alarm.sa_mask);
@@ -278,7 +278,7 @@ static int xtables_lock(int wait)
alarm(wait);
}
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) == 0)
return fd;
if (errno == EINTR) {


@ -1,40 +0,0 @@
From 07ab8c7e7a1eeb6a5bb4028d92d713034df39167 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 17 Dec 2023 13:02:36 +0100
Subject: [PATCH] libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
Do as the comment in xtopt_parse_hostmask() claims and omit
XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
will catch the incompatibility.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
(cherry picked from commit 17d724f20e3c97ea8ce8765ca532a3cf49a98b31)
---
include/xtables.h | 1 -
libxtables/xtoptions.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/include/xtables.h b/include/xtables.h
index 087a1d600f9ae..9def9b43b6e58 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -61,7 +61,6 @@ struct in_addr;
* %XTTYPE_SYSLOGLEVEL: syslog level by name or number
* %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr)
* %XTTYPE_HOSTMASK: one host or address, with an optional prefix length
- * (ptr: union nf_inet_addr; only host portion is stored)
* %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t)
* %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO)
* %XTTYPE_PORTRC: colon-separated port range (names acceptable),
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index d91a78f470eda..ba68056dc99f7 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -57,7 +57,6 @@ static const size_t xtopt_psize[] = {
[XTTYPE_STRING] = -1,
[XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t),
[XTTYPE_HOST] = sizeof(union nf_inet_addr),
- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr),
[XTTYPE_PROTOCOL] = sizeof(uint8_t),
[XTTYPE_PORT] = sizeof(uint16_t),
[XTTYPE_PORTRC] = sizeof(uint16_t[2]),

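--- /dev/null
+++ b/arptables.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Automates a packet filtering firewall with arptables
+After=network.target
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/arptables-helper start
+ExecStop=/usr/libexec/arptables-helper stop
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target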
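Review bot: `After=network.target` in the [Unit] section orders the unit after the network has been brought up, so the ARP rules are applied only once interfaces are already configured, leaving a window during boot with no filtering loaded. If the rules are meant to be in place before interfaces come up, systemd documents `network-pre.target` for exactly this case (systemd.special(7)); because it is a passive target the unit needs both `Before=network-pre.target` and `Wants=network-pre.target` in place of the `After=` line. ebtables.service in this commit has no ordering directives at all and has the same gap, so the same two lines apply there.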

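--- /dev/null
+++ b/ebtables-config
@@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+# Save (and restore) rule counters.
+# Value: yes|no, default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"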

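--- /dev/null
+++ b/ebtables-helper
@@ -0,0 +1,104 @@
+#!/bin/bash
+# compat for removed initscripts dependency
+success() {
+echo "[ OK ]"
+return 0
+}
+failure() {
+echo "[FAILED]"
+return 1
+}
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_COUNTER="no"
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+initialize() {
+local ret=0
+for table in $EBTABLES_TABLES; do
+ebtables -t $table --init-table || ret=1
+done
+return $ret
+}
+sanitize_dump() {
+local drop=false
+export EBTABLES_TABLES
+cat $1 | while read line; do
+case $line in
+\**)
+drop=false
+local table="${line#\*}"
+local found=false
+for t in $EBTABLES_TABLES; do
+if [[ $t == "$table" ]]; then
+found=true
+break
+fi
+done
+$found || drop=true
+;;
+esac
+$drop || echo "$line"
+done
+}
+start() {
+if [ -f $EBTABLES_DATA ]; then
+echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+sanitize_dump $EBTABLES_DATA | ebtables-restore
+else
+echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+initialize
+fi
+local ret=$?
+touch $VAR_SUBSYS_EBTABLES
+return $ret
+}
+save() {
+echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+export EBTABLES_SAVE_COUNTER
+ebtables-save >$EBTABLES_DATA && success || failure
+}
+case $1 in
+start)
+[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+start && success || failure
+RETVAL=$?
+;;
+stop)
+[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+echo -n $"ebtables: stopping firewall: "
+initialize && success || failure
+RETVAL=$?
+rm -f $VAR_SUBSYS_EBTABLES
+;;
+save)
+save
+;;
+*)
+echo "usage: ${0##*/} {start|stop|save}" >&2
+RETVAL=2
+;;
+esac
+exit $RETVAL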
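Review bot: In `save()`, `ebtables-save >$EBTABLES_DATA` truncates the previously saved ruleset before `ebtables-save` runs, so a failing save (the `|| failure` branch) leaves an empty or partial /etc/sysconfig/ebtables behind, and a newly created file gets the caller's umask rather than the 0600 the spec applies to ebtables-config. Writing to a `mktemp`-created sibling (mode 0600) and renaming it into place only on success keeps the last good ruleset, and because `mv` replaces the old file the restrictive mode applies even where the file already existed with a wider one. Separately, `sanitize_dump` uses `cat $1 | while read line`, where `read` without `-r` interprets backslashes in a rule line and the unquoted `$1` breaks on a path containing spaces; `while read -r line; do … done < "$1"` avoids both.
```shell
save() {
    echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
    export EBTABLES_SAVE_COUNTER
    local tmp
    # mktemp creates the file 0600; the old ruleset is replaced only once the new one is complete
    tmp=$(mktemp "$EBTABLES_DATA.XXXXXX") || { failure; return; }
    if ebtables-save >"$tmp" && mv -f "$tmp" "$EBTABLES_DATA"; then
        success
    else
        rm -f "$tmp"
        failure
    fi
}
```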

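--- /dev/null
+++ b/ebtables.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+[Install]
+WantedBy=multi-user.target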

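--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+- rhel-10
+decision_context: osci_compose_gate
+rules:
+# - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1-gating.functional}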


@ -0,0 +1,35 @@
extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")


@ -1,3 +1,6 @@
%define iptables_rpmversion 1.8.10
%define iptables_specrelease 9
# install init scripts to /usr/libexec with systemd # install init scripts to /usr/libexec with systemd
%global script_path %{_libexecdir}/iptables %global script_path %{_libexecdir}/iptables
@ -7,11 +10,16 @@
%global iptc_so_ver 0 %global iptc_so_ver 0
%global ipXtc_so_ver 2 %global ipXtc_so_ver 2
# build legacy sub-packages only on non-rhel distributions
%global do_legacy_pkg ! 0%{?rhel}
%define _unpackaged_files_terminate_build 0
Name: iptables Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: 1.8.10 Version: %{iptables_rpmversion}
Release: 8%{?dist} Release: %{iptables_specrelease}%{?dist}%{?buildid}
Source: %{url}/files/%{name}-%{version}.tar.xz Source: %{url}/files/%{name}-%{version}.tar.xz
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -19,17 +27,17 @@ Source3: iptables.service
Source4: sysconfig_iptables Source4: sysconfig_iptables
Source5: sysconfig_ip6tables Source5: sysconfig_ip6tables
Source6: arptables-nft-helper Source6: arptables-nft-helper
Source7: arptables.service
Source8: ebtables-helper
Source9: ebtables.service
Source10: ebtables-config
Source11: iptables-test.stderr.expect
Patch001: 0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Patch002: 0002-arptables-nft-remove-ARPT_INV-flags-usage.patch Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
Patch003: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
Patch004: 0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch Patch4: 0004-nft-Fix-for-broken-recover_rule_compat.patch
Patch005: 0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch Patch5: 0005-extensions-libxt_sctp-Add-an-extra-assert.patch
Patch006: 0006-ebtables-Align-line-number-formatting-with-legacy.patch
Patch007: 0007-man-Do-not-escape-exclamation-marks.patch
Patch008: 0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch
Patch009: 0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
Patch010: 0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic Licence 2.0 # iptables-apply: Artistic Licence 2.0
@ -37,7 +45,7 @@ License: GPL-2.0-only AND Artistic-2.0 AND ISC
# libnetfilter_conntrack is needed for xt_connlabel # libnetfilter_conntrack is needed for xt_connlabel
BuildRequires: pkgconfig(libnetfilter_conntrack) BuildRequires: pkgconfig(libnetfilter_conntrack)
# libnfnetlink-devel is requires for nfnl_osf # libnfnetlink-devel is required for nfnl_osf
BuildRequires: pkgconfig(libnfnetlink) BuildRequires: pkgconfig(libnfnetlink)
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: kernel-headers BuildRequires: kernel-headers
@ -65,13 +73,10 @@ Summary: Legacy tools for managing Linux kernel packet filtering capabilities
Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release} Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Conflicts: setup < 2.10.4-1 Conflicts: setup < 2.10.4-1
Requires(post): /usr/sbin/update-alternatives Requires(post): %{_sbindir}/update-alternatives
Requires(postun): /usr/sbin/update-alternatives Requires(postun): %{_sbindir}/update-alternatives
%if 0%{?rhel} < 9 Obsoletes: %{name} < %{version}-%{release}
Provides: iptables Provides: iptables
%endif
Provides: %{name}-compat = %{version}-%{release}
Obsoletes: %{name}-compat < 1.8.9-7
%description legacy %description legacy
The iptables utility controls the network packet filtering code in the The iptables utility controls the network packet filtering code in the
@ -91,6 +96,7 @@ and logic for those is kept in per-extension shared object files.
%package legacy-libs %package legacy-libs
Summary: iptables legacy libraries Summary: iptables legacy libraries
Obsoletes: %{name}-libs < %{version}-%{release}
%description legacy-libs %description legacy-libs
iptables libraries. iptables libraries.
@ -104,8 +110,6 @@ For more information about this, please have a look at
%package devel %package devel
Summary: Development package for iptables Summary: Development package for iptables
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
# XXX: Drop this after two releases or so
Requires: %{name}-legacy-devel%{?_isa} = %{version}-%{release}
Requires: pkgconfig Requires: pkgconfig
%description devel %description devel
@ -125,12 +129,7 @@ stable and may change with every new version. It is therefore unsupported.
%package services %package services
Summary: iptables and ip6tables services for iptables Summary: iptables and ip6tables services for iptables
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
Requires: %{name}-utils = %{version}-%{release}
%{?systemd_ordering} %{?systemd_ordering}
# obsolete old main package
Obsoletes: %{name} < 1.4.16.1
# obsolete ipv6 sub package
Obsoletes: %{name}-ipv6 < 1.4.11.1
BuildArch: noarch BuildArch: noarch
%description services %description services
@ -139,6 +138,27 @@ iptables services for IPv4 and IPv6
This package provides the services iptables and ip6tables that have been split This package provides the services iptables and ip6tables that have been split
out of the base package since they are not active by default anymore. out of the base package since they are not active by default anymore.
%package nft-services
Summary: Services for nft-variants of iptables, ebtables and arptables
Requires: %{name}-nft = %{version}-%{release}
Conflicts: arptables-services
Conflicts: ebtables-services
Provides: iptables-services = %{version}-%{release}
Provides: arptables-services
Provides: ebtables-services
Obsoletes: iptables-services <= 1.8.4
Obsoletes: iptables-arptables <= 1.8.4
Obsoletes: iptables-ebtables <= 1.8.4
Obsoletes: iptables-nft-compat <= 1.8.7-19
%{?systemd_ordering}
BuildArch: noarch
%description nft-services
Services for nft-variants of iptables, ebtables and arptables
This package provides the services iptables, ip6tables, arptables and ebtables
for use with iptables-nft which provides nft-variants of these tools.
%package utils %package utils
Summary: iptables and ip6tables misc utilities Summary: iptables and ip6tables misc utilities
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
@ -153,20 +173,21 @@ a safer way to update iptables remotely.
%package nft %package nft
Summary: nftables compatibility for iptables, arptables and ebtables Summary: nftables compatibility for iptables, arptables and ebtables
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires(post): /usr/sbin/update-alternatives Requires(post): %{_sbindir}/update-alternatives
Requires(post): /usr/bin/readlink Requires(post): %{_bindir}/readlink
Requires(postun): /usr/sbin/update-alternatives Requires(postun): %{_sbindir}/update-alternatives
Obsoletes: iptables-compat < 1.6.2-4
Provides: arptables-helper Provides: arptables-helper
Provides: iptables Provides: iptables
Provides: arptables Provides: arptables
Provides: ebtables Provides: ebtables
Obsoletes: iptables <= 1.8.4
%description nft %description nft
nftables compatibility for iptables, arptables and ebtables. nftables compatibility for iptables, arptables and ebtables.
%prep %prep
%autosetup -p1 %autosetup -p1
cp %{SOURCE11} .
%build %build
./autogen.sh ./autogen.sh
@ -227,25 +248,45 @@ install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables
# Remove /etc/ethertypes (now part of setup) # Remove /etc/ethertypes (now part of setup)
rm -f %{buildroot}%{_sysconfdir}/ethertypes rm -f %{buildroot}%{_sysconfdir}/ethertypes
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/ # extra sources for arptables
touch %{buildroot}%{_libexecdir}/arptables-helper install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper
install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service
touch %{buildroot}%{_sysconfdir}/sysconfig/arptables
# extra sources for ebtables
install -p %{SOURCE9} %{buildroot}%{_unitdir}/
install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper
install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config
touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables
# prepare for alternatives # prepare for alternatives
touch %{buildroot}%{_libexecdir}/arptables-helper
touch %{buildroot}%{_mandir}/man8/arptables.8 touch %{buildroot}%{_mandir}/man8/arptables.8
touch %{buildroot}%{_mandir}/man8/arptables-save.8 touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8
touch %{buildroot}%{_mandir}/man8/ebtables.8 touch %{buildroot}%{_mandir}/man8/ebtables.8
# fix absolute symlink # add symlinks for compatibility to merged extensions
rm -f %{buildroot}%{_bindir}/iptables-xml link_ext() { # (target, link)
ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml local targetfile="%{buildroot}%{_libdir}/xtables/${1}.so"
local targetname="${1}.so"
local link="%{buildroot}%{_libdir}/xtables/${2}.so"
[[ -e "$link" ]] && return 0
[[ -e "$targetfile" ]] || return 0
ln -s $targetname $link
}
for fam in ip ip6; do
link_ext libxt_LOG lib${fam}t_LOG
link_ext libxt_NAT lib${fam}t_SNAT
link_ext libxt_NAT lib${fam}t_MASQUERADE
done
%ldconfig_scriptlets %ldconfig_scriptlets
%post legacy %post legacy
pfx=%{_sbindir}/iptables pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables pfx6=%{_sbindir}/ip6tables
/usr/sbin/update-alternatives --install \ %{_sbindir}/update-alternatives --install \
$pfx iptables $pfx-legacy 10 \ $pfx iptables $pfx-legacy 10 \
--slave $pfx6 ip6tables $pfx6-legacy \ --slave $pfx6 ip6tables $pfx6-legacy \
--slave $pfx-restore iptables-restore $pfx-legacy-restore \ --slave $pfx-restore iptables-restore $pfx-legacy-restore \
@ -255,33 +296,10 @@ pfx6=%{_sbindir}/ip6tables
%postun legacy %postun legacy
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
/usr/sbin/update-alternatives --remove \ %{_sbindir}/update-alternatives --remove \
iptables %{_sbindir}/iptables-legacy iptables %{_sbindir}/iptables-legacy
fi fi
# iptables-1.8.0-1 introduced the use of alternatives
# when upgrading, its %postun script runs due to the package renaming
# fix this by repeating the install into alternatives
# also keep the old alternatives configuration to not change the system
%triggerun legacy -- iptables > 1.8.0
alternatives --list | awk '/^iptables/{print $3; exit}' \
>/var/tmp/alternatives.iptables.current
cp /var/lib/alternatives/iptables /var/tmp/alternatives.iptables.setup
%triggerpostun legacy -- iptables > 1.8.0
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
/usr/sbin/update-alternatives --install \
$pfx iptables $pfx-legacy 10 \
--slave $pfx6 ip6tables $pfx6-legacy \
--slave $pfx-restore iptables-restore $pfx-legacy-restore \
--slave $pfx-save iptables-save $pfx-legacy-save \
--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
--slave $pfx6-save ip6tables-save $pfx6-legacy-save
alternatives --set iptables $(</var/tmp/alternatives.iptables.current)
rm /var/tmp/alternatives.iptables.current
mv /var/tmp/alternatives.iptables.setup /var/lib/alternatives/iptables
%post services %post services
%systemd_post iptables.service ip6tables.service %systemd_post iptables.service ip6tables.service
@ -292,12 +310,25 @@ mv /var/tmp/alternatives.iptables.setup /var/lib/alternatives/iptables
%?ldconfig %?ldconfig
%systemd_postun iptables.service ip6tables.service %systemd_postun iptables.service ip6tables.service
%post nft-services
%systemd_post iptables.service ip6tables.service
%systemd_post arptables.service ebtables.service
%preun nft-services
%systemd_preun iptables.service ip6tables.service
%systemd_preun arptables.service ebtables.service
%postun nft-services
%?ldconfig
%systemd_postun iptables.service ip6tables.service
%systemd_postun arptables.service ebtables.service
%post -e nft %post -e nft
[[ %%{_excludedocs} == 1 ]] || do_man=true [[ %%{_excludedocs} == 1 ]] || do_man=true
pfx=%{_sbindir}/iptables pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables pfx6=%{_sbindir}/ip6tables
/usr/sbin/update-alternatives --install \ %{_sbindir}/update-alternatives --install \
$pfx iptables $pfx-nft 10 \ $pfx iptables $pfx-nft 10 \
--slave $pfx6 ip6tables $pfx6-nft \ --slave $pfx6 ip6tables $pfx6-nft \
--slave $pfx-restore iptables-restore $pfx-nft-restore \ --slave $pfx-restore iptables-restore $pfx-nft-restore \
@ -315,7 +346,7 @@ done
if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then
rm -f $manpfx.8.gz rm -f $manpfx.8.gz
fi fi
/usr/sbin/update-alternatives --install \ %{_sbindir}/update-alternatives --install \
$pfx ebtables $pfx-nft 10 \ $pfx ebtables $pfx-nft 10 \
--slave $pfx-save ebtables-save $pfx-nft-save \ --slave $pfx-save ebtables-save $pfx-nft-save \
--slave $pfx-restore ebtables-restore $pfx-nft-restore \ --slave $pfx-restore ebtables-restore $pfx-nft-restore \
@ -335,7 +366,7 @@ done
if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then
rm -f $lepfx-helper rm -f $lepfx-helper
fi fi
/usr/sbin/update-alternatives --install \ %{_sbindir}/update-alternatives --install \
$pfx arptables $pfx-nft 10 \ $pfx arptables $pfx-nft 10 \
--slave $pfx-save arptables-save $pfx-nft-save \ --slave $pfx-save arptables-save $pfx-nft-save \
--slave $pfx-restore arptables-restore $pfx-nft-restore \ --slave $pfx-restore arptables-restore $pfx-nft-restore \
@ -347,37 +378,25 @@ fi
%postun nft %postun nft
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
for cmd in iptables ebtables arptables; do for cmd in iptables ebtables arptables; do
/usr/sbin/update-alternatives --remove \ %{_sbindir}/update-alternatives --remove \
$cmd %{_sbindir}/$cmd-nft $cmd %{_sbindir}/$cmd-nft
done done
fi fi
%if %{do_legacy_pkg}
%files legacy %files legacy
%{_sbindir}/ip{,6}tables-legacy* %{_sbindir}/ip{,6}tables-legacy*
%{_sbindir}/xtables-legacy-multi %{_sbindir}/xtables-legacy-multi
%{_bindir}/iptables-xml %{_bindir}/iptables-xml
%{_mandir}/man1/iptables-xml* %{_mandir}/man1/iptables-xml*
%{_mandir}/man8/xtables-legacy* %{_mandir}/man8/xtables-legacy*
%{_datadir}/xtables/iptables.xslt
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore} %ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
%files libs
%license COPYING
%{_libdir}/libxtables.so.12*
%dir %{_libdir}/xtables
%{_libdir}/xtables/lib{ip,ip6,x}t*
%{_mandir}/man8/ip{,6}tables.8.gz
%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
%files legacy-libs %files legacy-libs
%license COPYING %license COPYING
%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}* %{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
%files devel
%{_includedir}/xtables{,-version}.h
%{_libdir}/libxtables.so
%{_libdir}/pkgconfig/xtables.pc
%files legacy-devel %files legacy-devel
%dir %{_includedir}/libiptc %dir %{_includedir}/libiptc
%{_includedir}/libiptc/*.h %{_includedir}/libiptc/*.h
@ -392,6 +411,35 @@ fi
%dir %{legacy_actions}/ip{,6}tables %dir %{legacy_actions}/ip{,6}tables
%{legacy_actions}/ip{,6}tables/{save,panic} %{legacy_actions}/ip{,6}tables/{save,panic}
# do_legacy_pkg
%endif
%files nft-services
%{_unitdir}/{arp,eb}tables.service
%{_libexecdir}/ebtables-helper
%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
%ghost %{_sysconfdir}/sysconfig/arptables
%ghost %{_sysconfdir}/sysconfig/ebtables
%dir %{script_path}
%{script_path}/ip{,6}tables.init
%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
%{_unitdir}/ip{,6}tables.service
%dir %{legacy_actions}/ip{,6}tables
%{legacy_actions}/ip{,6}tables/{save,panic}
%files libs
%license COPYING
%{_libdir}/libxtables.so.12*
%dir %{_libdir}/xtables
%{_libdir}/xtables/lib{ip,ip6,x}t*
%{_mandir}/man8/ip{,6}tables.8.gz
%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
%files devel
%{_includedir}/xtables{,-version}.h
%{_libdir}/libxtables.so
%{_libdir}/pkgconfig/xtables.pc
%files utils %files utils
%license COPYING %license COPYING
%{_sbindir}/nfnl_osf %{_sbindir}/nfnl_osf
@ -407,9 +455,9 @@ fi
%{_sbindir}/ip{,6}tables-nft* %{_sbindir}/ip{,6}tables-nft*
%{_sbindir}/ip{,6}tables{,-restore}-translate %{_sbindir}/ip{,6}tables{,-restore}-translate
%{_sbindir}/{eb,arp}tables-nft* %{_sbindir}/{eb,arp}tables-nft*
%{_sbindir}/ebtables-translate
%{_sbindir}/xtables-nft-multi %{_sbindir}/xtables-nft-multi
%{_sbindir}/xtables-monitor %{_sbindir}/xtables-monitor
%{_sbindir}/ebtables-translate
%dir %{_libdir}/xtables %dir %{_libdir}/xtables
%{_libdir}/xtables/lib{arp,eb}t* %{_libdir}/xtables/lib{arp,eb}t*
%{_libexecdir}/arptables-nft-helper %{_libexecdir}/arptables-nft-helper
@ -417,15 +465,16 @@ fi
%{_mandir}/man8/xtables-translate* %{_mandir}/man8/xtables-translate*
%{_mandir}/man8/*-nft* %{_mandir}/man8/*-nft*
%{_mandir}/man8/ip{,6}tables{,-restore}-translate* %{_mandir}/man8/ip{,6}tables{,-restore}-translate*
%{_mandir}/man8/ebtables-translate*
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore} %ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore} %ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
%ghost %{_libexecdir}/arptables-helper %ghost %{_libexecdir}/arptables-helper
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz %ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
%ghost %{_mandir}/man8/ebtables.8.gz %ghost %{_mandir}/man8/ebtables{,-translate}.8.gz
%changelog %changelog
* Wed Jul 03 2024 Phil Sutter <psutter@redhat.com> [1.8.10-9.el10]
- Sync with RHEL9 package (Phil Sutter)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.8.10-8 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.8.10-8
- Bump release for June 2024 mass rebuild - Bump release for June 2024 mass rebuild
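Review bot: `%define _unpackaged_files_terminate_build 0` (second hunk, next to the new `do_legacy_pkg` macro) turns off rpmbuild's unpackaged-files check for the whole build, presumably because the legacy binaries and libraries are still installed into the buildroot when `do_legacy_pkg` is 0 while their `%files` sections now sit inside `%if %{do_legacy_pkg}`. The cost is that any file later dropped from a `%files` list by accident, in any subpackage, silently ships nowhere instead of failing the build. A narrower approach is to remove the unshipped legacy artifacts at the end of `%install` in an `%else` branch of `%if %{do_legacy_pkg}` (the `ip{,6}tables-legacy*`, `xtables-legacy-multi`, `iptables-xml`, `libip{4,6}tc` and libiptc header files listed under the legacy `%files` sections, among others) and drop the define, so the check keeps catching real packaging gaps. The new changelog entry at the end of the section could also name the functional changes (the nft-services subpackage, the dropped legacy alternatives triggers, the patch refresh) rather than only "Sync with RHEL9 package", which tells a reader of `rpm -q --changelog` nothing about what moved.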