iptables-1.8.10-9.el10
* Wed Jul 03 2024 Phil Sutter <psutter@redhat.com> [1.8.10-9.el10] - Sync with RHEL9 package (Phil Sutter)
This commit is contained in:
parent
4d41cd78cb
commit
95a0be6c84
336
0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Normal file
336
0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Normal file
@ -0,0 +1,336 @@
|
|||||||
|
From 2abc07c47189b26fce16f4751a96f747fa53fc0f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Thu, 17 Jun 2021 18:44:28 +0200
|
||||||
|
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
|
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945151
|
||||||
|
Upstream Status: RHEL-only
|
||||||
|
|
||||||
|
This is RHEL9 trying to friendly kick people towards nftables.
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
iptables/arptables-nft-restore.8 | 13 ++++++++++++-
|
||||||
|
iptables/arptables-nft-save.8 | 14 +++++++++++++-
|
||||||
|
iptables/arptables-nft.8 | 19 ++++++++++++++++++-
|
||||||
|
iptables/ebtables-nft.8 | 15 ++++++++++++++-
|
||||||
|
iptables/iptables-apply.8.in | 14 +++++++++++++-
|
||||||
|
iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++
|
||||||
|
iptables/iptables-restore.8.in | 17 ++++++++++++++++-
|
||||||
|
iptables/iptables-save.8.in | 15 ++++++++++++++-
|
||||||
|
iptables/iptables.8.in | 17 +++++++++++++++++
|
||||||
|
iptables/xtables-monitor.8.in | 11 +++++++++++
|
||||||
|
10 files changed, 142 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
|
||||||
|
index 09d9082..b1bf029 100644
|
||||||
|
--- a/iptables/arptables-nft-restore.8
|
||||||
|
+++ b/iptables/arptables-nft-restore.8
|
||||||
|
@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
|
||||||
|
.SH SYNOPSIS
|
||||||
|
\fBarptables\-restore
|
||||||
|
.SH DESCRIPTION
|
||||||
|
+This tool is
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details.
|
||||||
|
.PP
|
||||||
|
.B arptables-restore
|
||||||
|
is used to restore ARP Tables from data specified on STDIN or
|
||||||
|
@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
|
||||||
|
.SH AUTHOR
|
||||||
|
Jesper Dangaard Brouer <brouer@redhat.com>
|
||||||
|
.SH SEE ALSO
|
||||||
|
-\fBarptables\-save\fP(8), \fBarptables\fP(8)
|
||||||
|
+\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
|
||||||
|
.PP
|
||||||
|
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
|
||||||
|
index 905e598..49bb0f6 100644
|
||||||
|
--- a/iptables/arptables-nft-save.8
|
||||||
|
+++ b/iptables/arptables-nft-save.8
|
||||||
|
@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
|
||||||
|
\fBarptables\-save\fP [\fB\-V\fP]
|
||||||
|
.SH DESCRIPTION
|
||||||
|
.PP
|
||||||
|
+This tool is
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details.
|
||||||
|
+.PP
|
||||||
|
.B arptables-save
|
||||||
|
is used to dump the contents of an ARP Table in easily parseable format
|
||||||
|
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
|
||||||
|
@@ -43,5 +55,5 @@ Print version information and exit.
|
||||||
|
.SH AUTHOR
|
||||||
|
Jesper Dangaard Brouer <brouer@redhat.com>
|
||||||
|
.SH SEE ALSO
|
||||||
|
-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
|
||||||
|
+\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
|
||||||
|
.PP
|
||||||
|
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
|
||||||
|
index ea31e08..ec5b993 100644
|
||||||
|
--- a/iptables/arptables-nft.8
|
||||||
|
+++ b/iptables/arptables-nft.8
|
||||||
|
@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
|
||||||
|
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
|
||||||
|
|
||||||
|
.SH DESCRIPTION
|
||||||
|
+.PP
|
||||||
|
+This tool is
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details.
|
||||||
|
+.PP
|
||||||
|
.B arptables
|
||||||
|
is a user space tool, it is used to set up and maintain the
|
||||||
|
tables of ARP rules in the Linux kernel. These rules inspect
|
||||||
|
@@ -340,9 +353,13 @@ bridges, the same may be achieved using
|
||||||
|
chain in
|
||||||
|
.BR ebtables .
|
||||||
|
|
||||||
|
+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
|
||||||
|
+will not receive new features. New setups should use \fBnft\fP(8). Existing
|
||||||
|
+setups should migrate to \fBnft\fP(8) when possible.
|
||||||
|
+
|
||||||
|
.SH MAILINGLISTS
|
||||||
|
.BR "" "See " http://netfilter.org/mailinglists.html
|
||||||
|
.SH SEE ALSO
|
||||||
|
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
|
||||||
|
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
|
||||||
|
.PP
|
||||||
|
.BR "" "See " https://wiki.nftables.org
|
||||||
|
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
|
||||||
|
index 0304b50..cfd617a 100644
|
||||||
|
--- a/iptables/ebtables-nft.8
|
||||||
|
+++ b/iptables/ebtables-nft.8
|
||||||
|
@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
|
||||||
|
.br
|
||||||
|
|
||||||
|
.SH DESCRIPTION
|
||||||
|
+.PP
|
||||||
|
+This tool is
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details.
|
||||||
|
+.PP
|
||||||
|
.B ebtables
|
||||||
|
is an application program used to set up and maintain the
|
||||||
|
tables of rules (inside the Linux kernel) that inspect
|
||||||
|
@@ -1083,6 +1096,6 @@ has not been implemented, although
|
||||||
|
might replace them entirely given the inherent atomicity of nftables.
|
||||||
|
Finally, this list is probably not complete.
|
||||||
|
.SH SEE ALSO
|
||||||
|
-.BR xtables-nft "(8), " iptables "(8), " ip (8)
|
||||||
|
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
|
||||||
|
.PP
|
||||||
|
.BR "" "See " https://wiki.nftables.org
|
||||||
|
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
|
||||||
|
index f0ed4e5..7f99a21 100644
|
||||||
|
--- a/iptables/iptables-apply.8.in
|
||||||
|
+++ b/iptables/iptables-apply.8.in
|
||||||
|
@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
|
||||||
|
\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
|
||||||
|
.SH "DESCRIPTION"
|
||||||
|
.PP
|
||||||
|
+This tool is
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details.
|
||||||
|
+.PP
|
||||||
|
iptables\-apply will try to apply a new rulesfile (as output by
|
||||||
|
iptables-save, read by iptables-restore) or run a command to configure
|
||||||
|
iptables and then prompt the user whether the changes are okay. If the
|
||||||
|
@@ -47,7 +59,7 @@ Display usage information.
|
||||||
|
Display version information.
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
.PP
|
||||||
|
-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
|
||||||
|
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
|
||||||
|
.SH LEGALESE
|
||||||
|
.PP
|
||||||
|
Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
|
||||||
|
diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
|
||||||
|
index 99d89a1..73d40bb 100644
|
||||||
|
--- a/iptables/iptables-extensions.8.tmpl.in
|
||||||
|
+++ b/iptables/iptables-extensions.8.tmpl.in
|
||||||
|
@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
|
||||||
|
.PP
|
||||||
|
\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
|
||||||
|
[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
|
||||||
|
+.SH DESCRIPTION
|
||||||
|
+These tools are
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details. There is also
|
||||||
|
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
|
||||||
|
+to help with the migration.
|
||||||
|
.SH MATCH EXTENSIONS
|
||||||
|
iptables can use extended packet matching modules
|
||||||
|
with the \fB\-m\fP or \fB\-\-match\fP
|
||||||
|
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
|
||||||
|
index aa816f7..353d4dc 100644
|
||||||
|
--- a/iptables/iptables-restore.8.in
|
||||||
|
+++ b/iptables/iptables-restore.8.in
|
||||||
|
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
|
||||||
|
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
|
||||||
|
[\fIfile\fP]
|
||||||
|
.SH DESCRIPTION
|
||||||
|
+These tools are
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details. There is also
|
||||||
|
+.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
|
||||||
|
+to help with the migration.
|
||||||
|
.PP
|
||||||
|
.B iptables-restore
|
||||||
|
and
|
||||||
|
@@ -82,7 +95,9 @@ from Rusty Russell.
|
||||||
|
.br
|
||||||
|
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
|
||||||
|
.SH SEE ALSO
|
||||||
|
-\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8)
|
||||||
|
+\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
|
||||||
|
+\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
|
||||||
|
+\fBip6tables\-restore\-translate\fP(8)
|
||||||
|
.PP
|
||||||
|
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||||
|
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||||
|
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
|
||||||
|
index 65c1f28..d47be27 100644
|
||||||
|
--- a/iptables/iptables-save.8.in
|
||||||
|
+++ b/iptables/iptables-save.8.in
|
||||||
|
@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
|
||||||
|
[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
|
||||||
|
.SH DESCRIPTION
|
||||||
|
.PP
|
||||||
|
+These tools are
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details.
|
||||||
|
+.PP
|
||||||
|
.B iptables-save
|
||||||
|
and
|
||||||
|
.B ip6tables-save
|
||||||
|
@@ -66,7 +78,8 @@ Rusty Russell <rusty@rustcorp.com.au>
|
||||||
|
.br
|
||||||
|
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
|
||||||
|
.SH SEE ALSO
|
||||||
|
-\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)
|
||||||
|
+\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8),
|
||||||
|
+\fBnft\fP(8)
|
||||||
|
.PP
|
||||||
|
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||||
|
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||||
|
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
|
||||||
|
index ecaa555..4c4a15a 100644
|
||||||
|
--- a/iptables/iptables.8.in
|
||||||
|
+++ b/iptables/iptables.8.in
|
||||||
|
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
|
||||||
|
.PP
|
||||||
|
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
|
||||||
|
.SH DESCRIPTION
|
||||||
|
+These tools are
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details. There is also
|
||||||
|
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
|
||||||
|
+to help with the migration.
|
||||||
|
+.PP
|
||||||
|
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
|
||||||
|
tables of IPv4 and IPv6 packet
|
||||||
|
filter rules in the Linux kernel. Several different tables
|
||||||
|
@@ -455,6 +469,9 @@ There are several other changes in iptables.
|
||||||
|
\fBiptables\-save\fP(8),
|
||||||
|
\fBiptables\-restore\fP(8),
|
||||||
|
\fBiptables\-extensions\fP(8),
|
||||||
|
+\fBnft\fP(8),
|
||||||
|
+\fBiptables\-translate\fP(8),
|
||||||
|
+\fBip6tables\-translate\fP(8)
|
||||||
|
.PP
|
||||||
|
The packet-filtering-HOWTO details iptables usage for
|
||||||
|
packet filtering, the NAT-HOWTO details NAT,
|
||||||
|
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
|
||||||
|
index a7f22c0..e21d7ff 100644
|
||||||
|
--- a/iptables/xtables-monitor.8.in
|
||||||
|
+++ b/iptables/xtables-monitor.8.in
|
||||||
|
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
|
||||||
|
.PP
|
||||||
|
\
|
||||||
|
.SH DESCRIPTION
|
||||||
|
+This tool is
|
||||||
|
+.B deprecated
|
||||||
|
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||||
|
+features. New setups should use
|
||||||
|
+.BR nft (8).
|
||||||
|
+Existing setups should migrate to
|
||||||
|
+.BR nft (8)
|
||||||
|
+when possible. See
|
||||||
|
+.UR https://red.ht/nft_your_tables
|
||||||
|
+.UE
|
||||||
|
+for details.
|
||||||
|
.PP
|
||||||
|
.B xtables-monitor
|
||||||
|
is used to monitor changes to the ruleset or to show rule evaluation events
|
@ -1,81 +0,0 @@
|
|||||||
From 88d7c7c51b4523add8b7d48209b5b6a316442e0f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Thu, 12 Oct 2023 17:27:42 +0200
|
|
||||||
Subject: [PATCH] libiptc: Fix for another segfault due to chain index NULL
|
|
||||||
pointer
|
|
||||||
|
|
||||||
Chain rename code missed to adjust the num_chains value which is used to
|
|
||||||
calculate the number of chain index buckets to allocate during an index
|
|
||||||
rebuild. So with the right number of chains present, the last chain in a
|
|
||||||
middle bucket being renamed (and ending up in another bucket) triggers
|
|
||||||
an index rebuild based on false data. The resulting NULL pointer index
|
|
||||||
bucket then causes a segfault upon reinsertion.
|
|
||||||
|
|
||||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
|
|
||||||
Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
|
|
||||||
(cherry picked from commit e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620)
|
|
||||||
---
|
|
||||||
.../testcases/chain/0008rename-segfault2_0 | 32 +++++++++++++++++++
|
|
||||||
libiptc/libiptc.c | 4 +++
|
|
||||||
2 files changed, 36 insertions(+)
|
|
||||||
create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0
|
|
||||||
|
|
||||||
diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000000000..bc473d2511bbd
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
|
|
||||||
@@ -0,0 +1,32 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+#
|
|
||||||
+# Another funny rename bug in libiptc:
|
|
||||||
+# If there is a chain index bucket with only a single chain in it and it is not
|
|
||||||
+# the last one and that chain is renamed, a chain index rebuild is triggered.
|
|
||||||
+# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an
|
|
||||||
+# extra index is allocated and remains NULL. The following insert of renamed
|
|
||||||
+# chain then segfaults.
|
|
||||||
+
|
|
||||||
+(
|
|
||||||
+ echo "*filter"
|
|
||||||
+ # first bucket
|
|
||||||
+ for ((i = 0; i < 40; i++)); do
|
|
||||||
+ echo ":chain-a-$i - [0:0]"
|
|
||||||
+ done
|
|
||||||
+ # second bucket
|
|
||||||
+ for ((i = 0; i < 40; i++)); do
|
|
||||||
+ echo ":chain-b-$i - [0:0]"
|
|
||||||
+ done
|
|
||||||
+ # third bucket, just make sure it exists
|
|
||||||
+ echo ":chain-c-0 - [0:0]"
|
|
||||||
+ echo "COMMIT"
|
|
||||||
+) | $XT_MULTI iptables-restore
|
|
||||||
+
|
|
||||||
+# rename all chains of the middle bucket
|
|
||||||
+(
|
|
||||||
+ echo "*filter"
|
|
||||||
+ for ((i = 0; i < 40; i++)); do
|
|
||||||
+ echo "-E chain-b-$i chain-d-$i"
|
|
||||||
+ done
|
|
||||||
+ echo "COMMIT"
|
|
||||||
+) | $XT_MULTI iptables-restore --noflush
|
|
||||||
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
|
|
||||||
index e475063367c26..9712a36353b9a 100644
|
|
||||||
--- a/libiptc/libiptc.c
|
|
||||||
+++ b/libiptc/libiptc.c
|
|
||||||
@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ handle->num_chains--;
|
|
||||||
+
|
|
||||||
/* This only unlinks "c" from the list, thus no free(c) */
|
|
||||||
iptcc_chain_index_delete_chain(c, handle);
|
|
||||||
|
|
||||||
/* Change the name of the chain */
|
|
||||||
strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1);
|
|
||||||
|
|
||||||
+ handle->num_chains++;
|
|
||||||
+
|
|
||||||
/* Insert sorted into to list again */
|
|
||||||
iptc_insert_chain(handle, c);
|
|
||||||
|
|
@ -1,81 +0,0 @@
|
|||||||
From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florian Westphal <fw@strlen.de>
|
|
||||||
Date: Fri, 3 Nov 2023 17:33:22 +0100
|
|
||||||
Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage
|
|
||||||
|
|
||||||
ARPT_ and IPT_INV flags are not interchangeable, e.g.:
|
|
||||||
define IPT_INV_SRCDEVADDR 0x0080
|
|
||||||
define ARPT_INV_SRCDEVADDR 0x0010
|
|
||||||
|
|
||||||
as these flags can be tested by libarp_foo.so such checks can yield
|
|
||||||
incorrect results.
|
|
||||||
|
|
||||||
Because arptables-nft uses existing code, e.g. xt_mark, it makes
|
|
||||||
sense to unify this completely by converting the last users of
|
|
||||||
ARPT_INV_ constants.
|
|
||||||
|
|
||||||
Note that arptables-legacy does not do run-time module loading via
|
|
||||||
dlopen(). Functionaliy implemented by "extensions" in the
|
|
||||||
arptables-legacy git tree are built-in, so this doesn't break
|
|
||||||
arptables-legacy binaries.
|
|
||||||
|
|
||||||
Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
|
|
||||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68)
|
|
||||||
---
|
|
||||||
extensions/libarpt_mangle.c | 4 ++--
|
|
||||||
iptables/nft-arp.c | 2 +-
|
|
||||||
iptables/xshared.h | 4 +++-
|
|
||||||
3 files changed, 6 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c
|
|
||||||
index 765edf34781f3..a846e97ec8f27 100644
|
|
||||||
--- a/extensions/libarpt_mangle.c
|
|
||||||
+++ b/extensions/libarpt_mangle.c
|
|
||||||
@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
|
|
||||||
if (e->arp.arhln_mask == 0)
|
|
||||||
xtables_error(PARAMETER_PROBLEM,
|
|
||||||
"no --h-length defined");
|
|
||||||
- if (e->arp.invflags & ARPT_INV_ARPHLN)
|
|
||||||
+ if (e->arp.invflags & IPT_INV_ARPHLN)
|
|
||||||
xtables_error(PARAMETER_PROBLEM,
|
|
||||||
"! --h-length not allowed for "
|
|
||||||
"--mangle-mac-s");
|
|
||||||
@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
|
|
||||||
if (e->arp.arhln_mask == 0)
|
|
||||||
xtables_error(PARAMETER_PROBLEM,
|
|
||||||
"no --h-length defined");
|
|
||||||
- if (e->arp.invflags & ARPT_INV_ARPHLN)
|
|
||||||
+ if (e->arp.invflags & IPT_INV_ARPHLN)
|
|
||||||
xtables_error(PARAMETER_PROBLEM,
|
|
||||||
"! hln not allowed for --mangle-mac-d");
|
|
||||||
if (e->arp.arhln != 6)
|
|
||||||
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
|
|
||||||
index aed39ebdd5166..535dd6b83237b 100644
|
|
||||||
--- a/iptables/nft-arp.c
|
|
||||||
+++ b/iptables/nft-arp.c
|
|
||||||
@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command,
|
|
||||||
&args->d.naddrs);
|
|
||||||
|
|
||||||
if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
|
|
||||||
- (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
|
|
||||||
+ (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
|
|
||||||
xtables_error(PARAMETER_PROBLEM,
|
|
||||||
"! not allowed with multiple"
|
|
||||||
" source or destination IP addresses");
|
|
||||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
|
||||||
index a200e0d620ad3..5586385456a4d 100644
|
|
||||||
--- a/iptables/xshared.h
|
|
||||||
+++ b/iptables/xshared.h
|
|
||||||
@@ -80,7 +80,9 @@ struct xtables_target;
|
|
||||||
#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
|
|
||||||
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
|
|
||||||
|
|
||||||
-/* define invflags which won't collide with IPT ones */
|
|
||||||
+/* define invflags which won't collide with IPT ones.
|
|
||||||
+ * arptables-nft does NOT use the legacy ARPT_INV_* defines.
|
|
||||||
+ */
|
|
||||||
#define IPT_INV_SRCDEVADDR 0x0080
|
|
||||||
#define IPT_INV_TGTDEVADDR 0x0100
|
|
||||||
#define IPT_INV_ARPHLN 0x0200
|
|
@ -0,0 +1,28 @@
|
|||||||
|
From 4388fad6c3874a3861907734f9a6368cfd0a731c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Fri, 16 Jul 2021 21:51:49 +0200
|
||||||
|
Subject: [PATCH] extensions: SECMARK: Use a better context in test case
|
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047558
|
||||||
|
Upstream Status: RHEL-only
|
||||||
|
|
||||||
|
RHEL SELinux policies don't allow setting
|
||||||
|
system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
|
||||||
|
'packet_type' attribute (identified via
|
||||||
|
'seinfo -xt | grep packet_type').
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
extensions/libxt_SECMARK.t | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
|
||||||
|
index 39d4c09..295e7a7 100644
|
||||||
|
--- a/extensions/libxt_SECMARK.t
|
||||||
|
+++ b/extensions/libxt_SECMARK.t
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
:INPUT,FORWARD,OUTPUT
|
||||||
|
*security
|
||||||
|
--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
|
||||||
|
+-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
|
||||||
|
-j SECMARK;;FAIL
|
@ -1,16 +1,26 @@
|
|||||||
From b7051898e28854b21bc7a37ef24ca037ef977e4a Mon Sep 17 00:00:00 2001
|
From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
Date: Tue, 7 Nov 2023 19:12:14 +0100
|
Date: Tue, 7 Nov 2023 23:44:55 +0100
|
||||||
Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
|
Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
|
||||||
|
|
||||||
Report came from firwalld, but this is actually rather hard to trigger.
|
JIRA: https://issues.redhat.com/browse/RHEL-14147
|
||||||
Since a regular chain line prevents it, typical dump/restore use-cases
|
Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
|
||||||
are unaffected.
|
|
||||||
|
|
||||||
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
|
commit c1083acea70787eea3f7929fd04718434bb05ba8
|
||||||
Cc: Eric Garver <eric@garver.life>
|
Author: Phil Sutter <phil@nwl.cc>
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
Date: Tue Nov 7 19:12:14 2023 +0100
|
||||||
(cherry picked from commit c1083acea70787eea3f7929fd04718434bb05ba8)
|
|
||||||
|
ebtables: Fix corner-case noflush restore bug
|
||||||
|
|
||||||
|
Report came from firwalld, but this is actually rather hard to trigger.
|
||||||
|
Since a regular chain line prevents it, typical dump/restore use-cases
|
||||||
|
are unaffected.
|
||||||
|
|
||||||
|
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
|
||||||
|
Cc: Eric Garver <eric@garver.life>
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
---
|
---
|
||||||
.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
|
.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
|
||||||
iptables/xtables-eb.c | 2 ++
|
iptables/xtables-eb.c | 2 ++
|
||||||
@ -19,7 +29,7 @@ Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|||||||
|
|
||||||
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||||
new file mode 100755
|
new file mode 100755
|
||||||
index 0000000000000..0def0ac58e7be
|
index 0000000..0def0ac
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
|
||||||
@@ -0,0 +1,25 @@
|
@@ -0,0 +1,25 @@
|
||||||
@ -49,7 +59,7 @@ index 0000000000000..0def0ac58e7be
|
|||||||
+COMMIT
|
+COMMIT
|
||||||
+EOF
|
+EOF
|
||||||
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
||||||
index 08eec79d80400..a8ad57c735cc5 100644
|
index 08eec79..a8ad57c 100644
|
||||||
--- a/iptables/xtables-eb.c
|
--- a/iptables/xtables-eb.c
|
||||||
+++ b/iptables/xtables-eb.c
|
+++ b/iptables/xtables-eb.c
|
||||||
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
|
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
|
||||||
|
99
0004-nft-Fix-for-broken-recover_rule_compat.patch
Normal file
99
0004-nft-Fix-for-broken-recover_rule_compat.patch
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Wed, 22 May 2024 18:26:58 +0200
|
||||||
|
Subject: [PATCH] nft: Fix for broken recover_rule_compat()
|
||||||
|
|
||||||
|
JIRA: https://issues.redhat.com/browse/RHEL-26619
|
||||||
|
Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
|
||||||
|
|
||||||
|
commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
|
||||||
|
Author: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Tue Feb 27 18:47:39 2024 +0100
|
||||||
|
|
||||||
|
nft: Fix for broken recover_rule_compat()
|
||||||
|
|
||||||
|
When IPv4 rule generator was changed to emit payload instead of
|
||||||
|
meta expressions for l4proto matches, the code reinserting
|
||||||
|
NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
|
||||||
|
zeroing was broken by accident.
|
||||||
|
|
||||||
|
Make rule compat recovery aware of the alternative match, basically
|
||||||
|
reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
|
||||||
|
with NFTA_RULE_COMPAT") but add a test case this time to make sure
|
||||||
|
things stay intact.
|
||||||
|
|
||||||
|
Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
iptables/nft.c | 27 ++++++++++++++++---
|
||||||
|
.../nft-only/0011-zero-needs-compat_0 | 12 +++++++++
|
||||||
|
2 files changed, 35 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
|
||||||
|
|
||||||
|
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||||
|
index 97fd4f4..c4caf29 100644
|
||||||
|
--- a/iptables/nft.c
|
||||||
|
+++ b/iptables/nft.c
|
||||||
|
@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
|
||||||
|
return strerror(err);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
|
||||||
|
+{
|
||||||
|
+ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
|
||||||
|
+ uint32_t poff = offsetof(struct iphdr, protocol);
|
||||||
|
+ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
|
||||||
|
+
|
||||||
|
+ if (!strcmp(name, "payload") &&
|
||||||
|
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
|
||||||
|
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
|
||||||
|
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
|
||||||
|
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ if (!strcmp(name, "meta") &&
|
||||||
|
+ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
|
||||||
|
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return -1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int recover_rule_compat(struct nftnl_rule *r)
|
||||||
|
{
|
||||||
|
struct nftnl_expr_iter *iter;
|
||||||
|
@@ -3695,12 +3716,10 @@ next_expr:
|
||||||
|
if (!e)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
|
||||||
|
- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
|
||||||
|
+ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */
|
||||||
|
+ if (l4proto_expr_get_dreg(e, ®) < 0)
|
||||||
|
goto next_expr;
|
||||||
|
|
||||||
|
- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
|
||||||
|
-
|
||||||
|
e = nftnl_expr_iter_next(iter);
|
||||||
|
if (!e)
|
||||||
|
goto out;
|
||||||
|
diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..e276a95
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
|
||||||
|
@@ -0,0 +1,12 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
|
||||||
|
+
|
||||||
|
+set -e
|
||||||
|
+
|
||||||
|
+rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
|
||||||
|
+for cmd in iptables ip6tables; do
|
||||||
|
+ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
|
||||||
|
+ $XT_MULTI $cmd -t mangle -Z
|
||||||
|
+ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
|
||||||
|
+done
|
@ -1,42 +0,0 @@
|
|||||||
From 37622ca0f4c29c9a06b0d2f3f1abc6695c57d560 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Sun, 19 Nov 2023 13:18:26 +0100
|
|
||||||
Subject: [PATCH] xshared: struct xt_cmd_parse::xlate is unused
|
|
||||||
|
|
||||||
Drop the boolean, it was meant to disable some existence checks in
|
|
||||||
do_parse() prior to the caching rework. Now that do_parse() runs before
|
|
||||||
any caching is done, the checks in question don't exist anymore so drop
|
|
||||||
this relict.
|
|
||||||
|
|
||||||
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit b180d9c86d2cce6ab6fd3e3617faf320a8a1babb)
|
|
||||||
---
|
|
||||||
iptables/xshared.h | 1 -
|
|
||||||
iptables/xtables-translate.c | 1 -
|
|
||||||
2 files changed, 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
|
||||||
index 5586385456a4d..c77556a1987dc 100644
|
|
||||||
--- a/iptables/xshared.h
|
|
||||||
+++ b/iptables/xshared.h
|
|
||||||
@@ -284,7 +284,6 @@ struct xt_cmd_parse {
|
|
||||||
bool restore;
|
|
||||||
int line;
|
|
||||||
int verbose;
|
|
||||||
- bool xlate;
|
|
||||||
struct xt_cmd_parse_ops *ops;
|
|
||||||
};
|
|
||||||
|
|
||||||
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
|
|
||||||
index 88e0a6b639494..c019cd2991305 100644
|
|
||||||
--- a/iptables/xtables-translate.c
|
|
||||||
+++ b/iptables/xtables-translate.c
|
|
||||||
@@ -249,7 +249,6 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
|
|
||||||
.table = *table,
|
|
||||||
.restore = restore,
|
|
||||||
.line = line,
|
|
||||||
- .xlate = true,
|
|
||||||
.ops = &h->ops->cmd_parse,
|
|
||||||
};
|
|
||||||
struct iptables_command_state cs = {
|
|
43
0005-extensions-libxt_sctp-Add-an-extra-assert.patch
Normal file
43
0005-extensions-libxt_sctp-Add-an-extra-assert.patch
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Wed, 12 Jun 2024 22:49:48 +0200
|
||||||
|
Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
|
||||||
|
|
||||||
|
JIRA: https://issues.redhat.com/browse/RHEL-40928
|
||||||
|
Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
|
||||||
|
|
||||||
|
commit 0234117d24609070f08ef36a11795c3c8e4c19bf
|
||||||
|
Author: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Fri May 17 15:20:05 2024 +0200
|
||||||
|
|
||||||
|
extensions: libxt_sctp: Add an extra assert()
|
||||||
|
|
||||||
|
The code is sane, but this keeps popping up in static code analyzers.
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
extensions/libxt_sctp.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||||
|
index 6e2b274..e8312f0 100644
|
||||||
|
--- a/extensions/libxt_sctp.c
|
||||||
|
+++ b/extensions/libxt_sctp.c
|
||||||
|
@@ -7,6 +7,7 @@
|
||||||
|
* libipt_ecn.c borrowed heavily from libipt_dscp.c
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
+#include <assert.h>
|
||||||
|
#include <stdbool.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
|
||||||
|
|
||||||
|
for (i = 7; i >= 0; i--) {
|
||||||
|
if (chunk_flags_mask & (1 << i)) {
|
||||||
|
+ assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
|
||||||
|
if (chunk_flags & (1 << i)) {
|
||||||
|
printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
|
||||||
|
} else {
|
@ -1,31 +0,0 @@
|
|||||||
From 436dd5a6ba5639c8e83183f6252ce7bd37760e1c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Sun, 19 Nov 2023 13:25:36 +0100
|
|
||||||
Subject: [PATCH] xshared: All variants support -v, update OPTSTRING_COMMON
|
|
||||||
|
|
||||||
Fixes: 51d9d9e081344 ("ebtables: Support verbose mode")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit 9a9ff768cab58aea02828e422184873e52e9846a)
|
|
||||||
---
|
|
||||||
iptables/xshared.h | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
|
||||||
index c77556a1987dc..815b9d3e98726 100644
|
|
||||||
--- a/iptables/xshared.h
|
|
||||||
+++ b/iptables/xshared.h
|
|
||||||
@@ -75,10 +75,10 @@ struct xtables_globals;
|
|
||||||
struct xtables_rule_match;
|
|
||||||
struct xtables_target;
|
|
||||||
|
|
||||||
-#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
|
|
||||||
-#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
|
|
||||||
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
|
|
||||||
-#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
|
|
||||||
+#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:v"
|
|
||||||
+#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nw::x"
|
|
||||||
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nx" /* "m:" */
|
|
||||||
+#define EBT_OPTSTRING OPTSTRING_COMMON "h"
|
|
||||||
|
|
||||||
/* define invflags which won't collide with IPT ones.
|
|
||||||
* arptables-nft does NOT use the legacy ARPT_INV_* defines.
|
|
@ -1,28 +0,0 @@
|
|||||||
From ffd0c96de7bbc558b9b7a8bcbeebd9576fec8e59 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Tue, 21 Nov 2023 22:58:47 +0100
|
|
||||||
Subject: [PATCH] ebtables: Align line number formatting with legacy
|
|
||||||
|
|
||||||
Legacy ebtables appends a dot to the number printed in first column if
|
|
||||||
--Ln flag was given.
|
|
||||||
|
|
||||||
Fixes: da871de2a6efb ("nft: bootstrap ebtables-compat")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit 74253799f0ca0735256327e834b7dffedde96ebf)
|
|
||||||
---
|
|
||||||
iptables/nft-bridge.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
|
|
||||||
index d9a8ad2b0f373..e414ef5584392 100644
|
|
||||||
--- a/iptables/nft-bridge.c
|
|
||||||
+++ b/iptables/nft-bridge.c
|
|
||||||
@@ -354,7 +354,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
|
|
||||||
struct iptables_command_state cs = {};
|
|
||||||
|
|
||||||
if (format & FMT_LINENUMBERS)
|
|
||||||
- printf("%d ", num);
|
|
||||||
+ printf("%d. ", num);
|
|
||||||
|
|
||||||
nft_rule_to_ebtables_command_state(h, r, &cs);
|
|
||||||
__nft_bridge_save_rule(&cs, format);
|
|
@ -1,44 +0,0 @@
|
|||||||
From 1c9549af3566e6c0b5573d6f91b25934d8d99f79 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Tue, 28 Nov 2023 13:29:17 +0100
|
|
||||||
Subject: [PATCH] man: Do not escape exclamation marks
|
|
||||||
|
|
||||||
This appears to be not necessary, also mandoc complains about it:
|
|
||||||
|
|
||||||
| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \!
|
|
||||||
|
|
||||||
Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage")
|
|
||||||
Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit d8c64911cfd602f57354f36e5ca79bbedd62aa7a)
|
|
||||||
---
|
|
||||||
extensions/libip6t_DNPT.man | 2 +-
|
|
||||||
extensions/libip6t_SNPT.man | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man
|
|
||||||
index 9b060f5b7179b..72c6ae5d422a2 100644
|
|
||||||
--- a/extensions/libip6t_DNPT.man
|
|
||||||
+++ b/extensions/libip6t_DNPT.man
|
|
||||||
@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
|
|
||||||
.PP
|
|
||||||
You have to use the SNPT target to undo the translation. Example:
|
|
||||||
.IP
|
|
||||||
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
|
|
||||||
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
|
|
||||||
\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
|
|
||||||
.IP
|
|
||||||
ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
|
|
||||||
diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man
|
|
||||||
index 97e0071b43cc1..0c926978377a7 100644
|
|
||||||
--- a/extensions/libip6t_SNPT.man
|
|
||||||
+++ b/extensions/libip6t_SNPT.man
|
|
||||||
@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
|
|
||||||
.PP
|
|
||||||
You have to use the DNPT target to undo the translation. Example:
|
|
||||||
.IP
|
|
||||||
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
|
|
||||||
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
|
|
||||||
\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
|
|
||||||
.IP
|
|
||||||
ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
|
|
@ -1,49 +0,0 @@
|
|||||||
From f667f577e6d29e62f55cdc4e1e39414913bf7c4c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Tue, 28 Nov 2023 20:21:49 +0100
|
|
||||||
Subject: [PATCH] libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
|
|
||||||
|
|
||||||
In order to parse the mask, xtopt_parse_hostmask() calls
|
|
||||||
xtopt_parse_plenmask() thereby limiting netmask support to prefix
|
|
||||||
lengths (alternatively specified in IP address notation).
|
|
||||||
|
|
||||||
In order to lift this impractical restriction, make
|
|
||||||
xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
|
|
||||||
fall back to xtopt_parse_mask() which correctly initializes val.hmask
|
|
||||||
itself and indicates non-CIDR-compatible masks by setting val.hlen to
|
|
||||||
-1.
|
|
||||||
|
|
||||||
So in order to support these odd masks, it is sufficient for
|
|
||||||
xtopt_parse_plenmask() to skip its mask building from val.hlen value and
|
|
||||||
take whatever val.hmask contains.
|
|
||||||
|
|
||||||
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit 41139aee5e53304182a25f1e573f034b313f7232)
|
|
||||||
---
|
|
||||||
libxtables/xtoptions.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
|
|
||||||
index b16bbfbe32311..d91a78f470eda 100644
|
|
||||||
--- a/libxtables/xtoptions.c
|
|
||||||
+++ b/libxtables/xtoptions.c
|
|
||||||
@@ -711,6 +711,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
|
|
||||||
|
|
||||||
xtopt_parse_plen(cb);
|
|
||||||
|
|
||||||
+ /* may not be convertible to CIDR notation */
|
|
||||||
+ if (cb->val.hlen == (uint8_t)-1)
|
|
||||||
+ goto out_put;
|
|
||||||
+
|
|
||||||
memset(mask, 0xFF, sizeof(union nf_inet_addr));
|
|
||||||
/* This shifting is AF-independent. */
|
|
||||||
if (cb->val.hlen == 0) {
|
|
||||||
@@ -731,6 +735,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
|
|
||||||
mask[1] = htonl(mask[1]);
|
|
||||||
mask[2] = htonl(mask[2]);
|
|
||||||
mask[3] = htonl(mask[3]);
|
|
||||||
+out_put:
|
|
||||||
if (entry->flags & XTOPT_PUT)
|
|
||||||
memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
|
|
||||||
}
|
|
@ -1,114 +0,0 @@
|
|||||||
From 2568af12c3cf96a8b28082e6188dba94441b21c1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Tue, 19 Dec 2023 00:56:07 +0100
|
|
||||||
Subject: [PATCH] iptables-legacy: Fix for mandatory lock waiting
|
|
||||||
|
|
||||||
Parameter 'wait' passed to xtables_lock() signals three modes of
|
|
||||||
operation, depending on its value:
|
|
||||||
|
|
||||||
0: --wait not specified, do not wait if lock is busy
|
|
||||||
-1: --wait specified without value, wait indefinitely until lock becomes
|
|
||||||
free
|
|
||||||
>0: Wait for 'wait' seconds for lock to become free, abort otherwise
|
|
||||||
|
|
||||||
Since fixed commit, the first two cases were treated the same apart from
|
|
||||||
calling alarm(0), but that is a nop if no alarm is pending. Fix the code
|
|
||||||
by requesting a non-blocking flock() in the second case. While at it,
|
|
||||||
restrict the alarm setup to the third case only.
|
|
||||||
|
|
||||||
Cc: Jethro Beekman <jethro@fortanix.com>
|
|
||||||
Cc: howardjohn@google.com
|
|
||||||
Cc: Antonio Ojea <antonio.ojea.garcia@gmail.com>
|
|
||||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728
|
|
||||||
Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals")
|
|
||||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
||||||
(cherry picked from commit 63ab5b8906f6913a14d38ec231f21daa760339a9)
|
|
||||||
---
|
|
||||||
.../shell/testcases/iptables/0010-wait_0 | 55 +++++++++++++++++++
|
|
||||||
iptables/xshared.c | 4 +-
|
|
||||||
2 files changed, 57 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100755 iptables/tests/shell/testcases/iptables/0010-wait_0
|
|
||||||
|
|
||||||
diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000000000..4481f966ce435
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/iptables/tests/shell/testcases/iptables/0010-wait_0
|
|
||||||
@@ -0,0 +1,55 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+case "$XT_MULTI" in
|
|
||||||
+*xtables-legacy-multi)
|
|
||||||
+ ;;
|
|
||||||
+*)
|
|
||||||
+ echo skip $XT_MULTI
|
|
||||||
+ exit 0
|
|
||||||
+ ;;
|
|
||||||
+esac
|
|
||||||
+
|
|
||||||
+coproc RESTORE { $XT_MULTI iptables-restore; }
|
|
||||||
+echo "*filter" >&${RESTORE[1]}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+$XT_MULTI iptables -A FORWARD -j ACCEPT &
|
|
||||||
+ipt_pid=$!
|
|
||||||
+
|
|
||||||
+waitpid -t 1 $ipt_pid
|
|
||||||
+[[ $? -eq 3 ]] && {
|
|
||||||
+ echo "process waits when it should not"
|
|
||||||
+ exit 1
|
|
||||||
+}
|
|
||||||
+wait $ipt_pid
|
|
||||||
+[[ $? -eq 0 ]] && {
|
|
||||||
+ echo "process exited 0 despite busy lock"
|
|
||||||
+ exit 1
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+t0=$(date +%s)
|
|
||||||
+$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT
|
|
||||||
+t1=$(date +%s)
|
|
||||||
+[[ $((t1 - t0)) -ge 3 ]] || {
|
|
||||||
+ echo "wait time not expired"
|
|
||||||
+ exit 1
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+$XT_MULTI iptables -w -A FORWARD -j ACCEPT &
|
|
||||||
+ipt_pid=$!
|
|
||||||
+
|
|
||||||
+waitpid -t 3 $ipt_pid
|
|
||||||
+[[ $? -eq 3 ]] || {
|
|
||||||
+ echo "no indefinite wait"
|
|
||||||
+ exit 1
|
|
||||||
+}
|
|
||||||
+kill $ipt_pid
|
|
||||||
+waitpid -t 3 $ipt_pid
|
|
||||||
+[[ $? -eq 3 ]] && {
|
|
||||||
+ echo "killed waiting iptables call did not exit in time"
|
|
||||||
+ exit 1
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+kill $RESTORE_PID
|
|
||||||
+wait
|
|
||||||
+exit 0
|
|
||||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
|
||||||
index 5f75a0a57a023..690502c457dd0 100644
|
|
||||||
--- a/iptables/xshared.c
|
|
||||||
+++ b/iptables/xshared.c
|
|
||||||
@@ -270,7 +270,7 @@ static int xtables_lock(int wait)
|
|
||||||
return XT_LOCK_FAILED;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (wait != -1) {
|
|
||||||
+ if (wait > 0) {
|
|
||||||
sigact_alarm.sa_handler = alarm_ignore;
|
|
||||||
sigact_alarm.sa_flags = SA_RESETHAND;
|
|
||||||
sigemptyset(&sigact_alarm.sa_mask);
|
|
||||||
@@ -278,7 +278,7 @@ static int xtables_lock(int wait)
|
|
||||||
alarm(wait);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (flock(fd, LOCK_EX) == 0)
|
|
||||||
+ if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) == 0)
|
|
||||||
return fd;
|
|
||||||
|
|
||||||
if (errno == EINTR) {
|
|
@ -1,40 +0,0 @@
|
|||||||
From 07ab8c7e7a1eeb6a5bb4028d92d713034df39167 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Phil Sutter <phil@nwl.cc>
|
|
||||||
Date: Sun, 17 Dec 2023 13:02:36 +0100
|
|
||||||
Subject: [PATCH] libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
|
|
||||||
|
|
||||||
Do as the comment in xtopt_parse_hostmask() claims and omit
|
|
||||||
XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
|
|
||||||
will catch the incompatibility.
|
|
||||||
|
|
||||||
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
|
|
||||||
(cherry picked from commit 17d724f20e3c97ea8ce8765ca532a3cf49a98b31)
|
|
||||||
---
|
|
||||||
include/xtables.h | 1 -
|
|
||||||
libxtables/xtoptions.c | 1 -
|
|
||||||
2 files changed, 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/xtables.h b/include/xtables.h
|
|
||||||
index 087a1d600f9ae..9def9b43b6e58 100644
|
|
||||||
--- a/include/xtables.h
|
|
||||||
+++ b/include/xtables.h
|
|
||||||
@@ -61,7 +61,6 @@ struct in_addr;
|
|
||||||
* %XTTYPE_SYSLOGLEVEL: syslog level by name or number
|
|
||||||
* %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr)
|
|
||||||
* %XTTYPE_HOSTMASK: one host or address, with an optional prefix length
|
|
||||||
- * (ptr: union nf_inet_addr; only host portion is stored)
|
|
||||||
* %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t)
|
|
||||||
* %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO)
|
|
||||||
* %XTTYPE_PORTRC: colon-separated port range (names acceptable),
|
|
||||||
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
|
|
||||||
index d91a78f470eda..ba68056dc99f7 100644
|
|
||||||
--- a/libxtables/xtoptions.c
|
|
||||||
+++ b/libxtables/xtoptions.c
|
|
||||||
@@ -57,7 +57,6 @@ static const size_t xtopt_psize[] = {
|
|
||||||
[XTTYPE_STRING] = -1,
|
|
||||||
[XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t),
|
|
||||||
[XTTYPE_HOST] = sizeof(union nf_inet_addr),
|
|
||||||
- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr),
|
|
||||||
[XTTYPE_PROTOCOL] = sizeof(uint8_t),
|
|
||||||
[XTTYPE_PORT] = sizeof(uint16_t),
|
|
||||||
[XTTYPE_PORTRC] = sizeof(uint16_t[2]),
|
|
12
arptables.service
Normal file
12
arptables.service
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Automates a packet filtering firewall with arptables
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/libexec/arptables-helper start
|
||||||
|
ExecStop=/usr/libexec/arptables-helper stop
|
||||||
|
RemainAfterExit=yes
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
11
ebtables-config
Normal file
11
ebtables-config
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
# Save current firewall rules on stop.
|
||||||
|
# Value: yes|no, default: no
|
||||||
|
# Saves all firewall rules if firewall gets stopped
|
||||||
|
# (e.g. on system shutdown).
|
||||||
|
EBTABLES_SAVE_ON_STOP="no"
|
||||||
|
|
||||||
|
# Save (and restore) rule counters.
|
||||||
|
# Value: yes|no, default: no
|
||||||
|
# Save rule counters when saving a kernel table to a file. If the
|
||||||
|
# rule counters were saved, they will be restored when restoring the table.
|
||||||
|
EBTABLES_SAVE_COUNTER="no"
|
104
ebtables-helper
Normal file
104
ebtables-helper
Normal file
@ -0,0 +1,104 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# compat for removed initscripts dependency
|
||||||
|
|
||||||
|
success() {
|
||||||
|
echo "[ OK ]"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
failure() {
|
||||||
|
echo "[FAILED]"
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# internal variables
|
||||||
|
EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
|
||||||
|
EBTABLES_DATA=/etc/sysconfig/ebtables
|
||||||
|
EBTABLES_TABLES="filter nat"
|
||||||
|
if ebtables --version | grep -q '(legacy)'; then
|
||||||
|
EBTABLES_TABLES+=" broute"
|
||||||
|
fi
|
||||||
|
VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
|
||||||
|
|
||||||
|
# ebtables-config defaults
|
||||||
|
EBTABLES_SAVE_ON_STOP="no"
|
||||||
|
EBTABLES_SAVE_COUNTER="no"
|
||||||
|
|
||||||
|
# load config if existing
|
||||||
|
[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
|
||||||
|
|
||||||
|
initialize() {
|
||||||
|
local ret=0
|
||||||
|
for table in $EBTABLES_TABLES; do
|
||||||
|
ebtables -t $table --init-table || ret=1
|
||||||
|
done
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
||||||
|
sanitize_dump() {
|
||||||
|
local drop=false
|
||||||
|
|
||||||
|
export EBTABLES_TABLES
|
||||||
|
|
||||||
|
cat $1 | while read line; do
|
||||||
|
case $line in
|
||||||
|
\**)
|
||||||
|
drop=false
|
||||||
|
local table="${line#\*}"
|
||||||
|
local found=false
|
||||||
|
for t in $EBTABLES_TABLES; do
|
||||||
|
if [[ $t == "$table" ]]; then
|
||||||
|
found=true
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
$found || drop=true
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
$drop || echo "$line"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
start() {
|
||||||
|
if [ -f $EBTABLES_DATA ]; then
|
||||||
|
echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
|
||||||
|
sanitize_dump $EBTABLES_DATA | ebtables-restore
|
||||||
|
else
|
||||||
|
echo -n $"ebtables: no stored ruleset, initializing empty tables: "
|
||||||
|
initialize
|
||||||
|
fi
|
||||||
|
local ret=$?
|
||||||
|
touch $VAR_SUBSYS_EBTABLES
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
||||||
|
save() {
|
||||||
|
echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
|
||||||
|
export EBTABLES_SAVE_COUNTER
|
||||||
|
ebtables-save >$EBTABLES_DATA && success || failure
|
||||||
|
}
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
start)
|
||||||
|
[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
|
||||||
|
start && success || failure
|
||||||
|
RETVAL=$?
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
|
||||||
|
echo -n $"ebtables: stopping firewall: "
|
||||||
|
initialize && success || failure
|
||||||
|
RETVAL=$?
|
||||||
|
rm -f $VAR_SUBSYS_EBTABLES
|
||||||
|
;;
|
||||||
|
save)
|
||||||
|
save
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "usage: ${0##*/} {start|stop|save}" >&2
|
||||||
|
RETVAL=2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
exit $RETVAL
|
11
ebtables.service
Normal file
11
ebtables.service
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Ethernet Bridge Filtering tables
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/libexec/ebtables-helper start
|
||||||
|
ExecStop=/usr/libexec/ebtables-helper stop
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
7
gating.yaml
Normal file
7
gating.yaml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-10
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
# - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1-gating.functional}
|
35
iptables-test.stderr.expect
Normal file
35
iptables-test.stderr.expect
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
|
||||||
|
extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
|
||||||
|
extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
|
||||||
|
extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
|
||||||
|
extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
|
||||||
|
extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
|
||||||
|
extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
|
||||||
|
extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
|
||||||
|
extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
|
||||||
|
extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
|
213
iptables.spec
213
iptables.spec
@ -1,3 +1,6 @@
|
|||||||
|
%define iptables_rpmversion 1.8.10
|
||||||
|
%define iptables_specrelease 9
|
||||||
|
|
||||||
# install init scripts to /usr/libexec with systemd
|
# install init scripts to /usr/libexec with systemd
|
||||||
%global script_path %{_libexecdir}/iptables
|
%global script_path %{_libexecdir}/iptables
|
||||||
|
|
||||||
@ -7,11 +10,16 @@
|
|||||||
%global iptc_so_ver 0
|
%global iptc_so_ver 0
|
||||||
%global ipXtc_so_ver 2
|
%global ipXtc_so_ver 2
|
||||||
|
|
||||||
|
# build legacy sub-packages only on non-rhel distributions
|
||||||
|
%global do_legacy_pkg ! 0%{?rhel}
|
||||||
|
|
||||||
|
%define _unpackaged_files_terminate_build 0
|
||||||
|
|
||||||
Name: iptables
|
Name: iptables
|
||||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||||
URL: https://www.netfilter.org/projects/iptables
|
URL: https://www.netfilter.org/projects/iptables
|
||||||
Version: 1.8.10
|
Version: %{iptables_rpmversion}
|
||||||
Release: 8%{?dist}
|
Release: %{iptables_specrelease}%{?dist}%{?buildid}
|
||||||
Source: %{url}/files/%{name}-%{version}.tar.xz
|
Source: %{url}/files/%{name}-%{version}.tar.xz
|
||||||
Source1: iptables.init
|
Source1: iptables.init
|
||||||
Source2: iptables-config
|
Source2: iptables-config
|
||||||
@ -19,17 +27,17 @@ Source3: iptables.service
|
|||||||
Source4: sysconfig_iptables
|
Source4: sysconfig_iptables
|
||||||
Source5: sysconfig_ip6tables
|
Source5: sysconfig_ip6tables
|
||||||
Source6: arptables-nft-helper
|
Source6: arptables-nft-helper
|
||||||
|
Source7: arptables.service
|
||||||
|
Source8: ebtables-helper
|
||||||
|
Source9: ebtables.service
|
||||||
|
Source10: ebtables-config
|
||||||
|
Source11: iptables-test.stderr.expect
|
||||||
|
|
||||||
Patch001: 0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch
|
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
||||||
Patch002: 0002-arptables-nft-remove-ARPT_INV-flags-usage.patch
|
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||||
Patch003: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
|
Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
|
||||||
Patch004: 0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch
|
Patch4: 0004-nft-Fix-for-broken-recover_rule_compat.patch
|
||||||
Patch005: 0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch
|
Patch5: 0005-extensions-libxt_sctp-Add-an-extra-assert.patch
|
||||||
Patch006: 0006-ebtables-Align-line-number-formatting-with-legacy.patch
|
|
||||||
Patch007: 0007-man-Do-not-escape-exclamation-marks.patch
|
|
||||||
Patch008: 0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch
|
|
||||||
Patch009: 0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
|
|
||||||
Patch010: 0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch
|
|
||||||
|
|
||||||
# pf.os: ISC license
|
# pf.os: ISC license
|
||||||
# iptables-apply: Artistic Licence 2.0
|
# iptables-apply: Artistic Licence 2.0
|
||||||
@ -37,7 +45,7 @@ License: GPL-2.0-only AND Artistic-2.0 AND ISC
|
|||||||
|
|
||||||
# libnetfilter_conntrack is needed for xt_connlabel
|
# libnetfilter_conntrack is needed for xt_connlabel
|
||||||
BuildRequires: pkgconfig(libnetfilter_conntrack)
|
BuildRequires: pkgconfig(libnetfilter_conntrack)
|
||||||
# libnfnetlink-devel is requires for nfnl_osf
|
# libnfnetlink-devel is required for nfnl_osf
|
||||||
BuildRequires: pkgconfig(libnfnetlink)
|
BuildRequires: pkgconfig(libnfnetlink)
|
||||||
BuildRequires: libselinux-devel
|
BuildRequires: libselinux-devel
|
||||||
BuildRequires: kernel-headers
|
BuildRequires: kernel-headers
|
||||||
@ -65,13 +73,10 @@ Summary: Legacy tools for managing Linux kernel packet filtering capabilities
|
|||||||
Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
Conflicts: setup < 2.10.4-1
|
Conflicts: setup < 2.10.4-1
|
||||||
Requires(post): /usr/sbin/update-alternatives
|
Requires(post): %{_sbindir}/update-alternatives
|
||||||
Requires(postun): /usr/sbin/update-alternatives
|
Requires(postun): %{_sbindir}/update-alternatives
|
||||||
%if 0%{?rhel} < 9
|
Obsoletes: %{name} < %{version}-%{release}
|
||||||
Provides: iptables
|
Provides: iptables
|
||||||
%endif
|
|
||||||
Provides: %{name}-compat = %{version}-%{release}
|
|
||||||
Obsoletes: %{name}-compat < 1.8.9-7
|
|
||||||
|
|
||||||
%description legacy
|
%description legacy
|
||||||
The iptables utility controls the network packet filtering code in the
|
The iptables utility controls the network packet filtering code in the
|
||||||
@ -91,6 +96,7 @@ and logic for those is kept in per-extension shared object files.
|
|||||||
|
|
||||||
%package legacy-libs
|
%package legacy-libs
|
||||||
Summary: iptables legacy libraries
|
Summary: iptables legacy libraries
|
||||||
|
Obsoletes: %{name}-libs < %{version}-%{release}
|
||||||
|
|
||||||
%description legacy-libs
|
%description legacy-libs
|
||||||
iptables libraries.
|
iptables libraries.
|
||||||
@ -104,8 +110,6 @@ For more information about this, please have a look at
|
|||||||
%package devel
|
%package devel
|
||||||
Summary: Development package for iptables
|
Summary: Development package for iptables
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
# XXX: Drop this after two releases or so
|
|
||||||
Requires: %{name}-legacy-devel%{?_isa} = %{version}-%{release}
|
|
||||||
Requires: pkgconfig
|
Requires: pkgconfig
|
||||||
|
|
||||||
%description devel
|
%description devel
|
||||||
@ -125,12 +129,7 @@ stable and may change with every new version. It is therefore unsupported.
|
|||||||
%package services
|
%package services
|
||||||
Summary: iptables and ip6tables services for iptables
|
Summary: iptables and ip6tables services for iptables
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
Requires: %{name}-utils = %{version}-%{release}
|
|
||||||
%{?systemd_ordering}
|
%{?systemd_ordering}
|
||||||
# obsolete old main package
|
|
||||||
Obsoletes: %{name} < 1.4.16.1
|
|
||||||
# obsolete ipv6 sub package
|
|
||||||
Obsoletes: %{name}-ipv6 < 1.4.11.1
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
%description services
|
%description services
|
||||||
@ -139,6 +138,27 @@ iptables services for IPv4 and IPv6
|
|||||||
This package provides the services iptables and ip6tables that have been split
|
This package provides the services iptables and ip6tables that have been split
|
||||||
out of the base package since they are not active by default anymore.
|
out of the base package since they are not active by default anymore.
|
||||||
|
|
||||||
|
%package nft-services
|
||||||
|
Summary: Services for nft-variants of iptables, ebtables and arptables
|
||||||
|
Requires: %{name}-nft = %{version}-%{release}
|
||||||
|
Conflicts: arptables-services
|
||||||
|
Conflicts: ebtables-services
|
||||||
|
Provides: iptables-services = %{version}-%{release}
|
||||||
|
Provides: arptables-services
|
||||||
|
Provides: ebtables-services
|
||||||
|
Obsoletes: iptables-services <= 1.8.4
|
||||||
|
Obsoletes: iptables-arptables <= 1.8.4
|
||||||
|
Obsoletes: iptables-ebtables <= 1.8.4
|
||||||
|
Obsoletes: iptables-nft-compat <= 1.8.7-19
|
||||||
|
%{?systemd_ordering}
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
%description nft-services
|
||||||
|
Services for nft-variants of iptables, ebtables and arptables
|
||||||
|
|
||||||
|
This package provides the services iptables, ip6tables, arptables and ebtables
|
||||||
|
for use with iptables-nft which provides nft-variants of these tools.
|
||||||
|
|
||||||
%package utils
|
%package utils
|
||||||
Summary: iptables and ip6tables misc utilities
|
Summary: iptables and ip6tables misc utilities
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
@ -153,20 +173,21 @@ a safer way to update iptables remotely.
|
|||||||
%package nft
|
%package nft
|
||||||
Summary: nftables compatibility for iptables, arptables and ebtables
|
Summary: nftables compatibility for iptables, arptables and ebtables
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
Requires(post): /usr/sbin/update-alternatives
|
Requires(post): %{_sbindir}/update-alternatives
|
||||||
Requires(post): /usr/bin/readlink
|
Requires(post): %{_bindir}/readlink
|
||||||
Requires(postun): /usr/sbin/update-alternatives
|
Requires(postun): %{_sbindir}/update-alternatives
|
||||||
Obsoletes: iptables-compat < 1.6.2-4
|
|
||||||
Provides: arptables-helper
|
Provides: arptables-helper
|
||||||
Provides: iptables
|
Provides: iptables
|
||||||
Provides: arptables
|
Provides: arptables
|
||||||
Provides: ebtables
|
Provides: ebtables
|
||||||
|
Obsoletes: iptables <= 1.8.4
|
||||||
|
|
||||||
%description nft
|
%description nft
|
||||||
nftables compatibility for iptables, arptables and ebtables.
|
nftables compatibility for iptables, arptables and ebtables.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1
|
%autosetup -p1
|
||||||
|
cp %{SOURCE11} .
|
||||||
|
|
||||||
%build
|
%build
|
||||||
./autogen.sh
|
./autogen.sh
|
||||||
@ -227,25 +248,45 @@ install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables
|
|||||||
# Remove /etc/ethertypes (now part of setup)
|
# Remove /etc/ethertypes (now part of setup)
|
||||||
rm -f %{buildroot}%{_sysconfdir}/ethertypes
|
rm -f %{buildroot}%{_sysconfdir}/ethertypes
|
||||||
|
|
||||||
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/
|
# extra sources for arptables
|
||||||
touch %{buildroot}%{_libexecdir}/arptables-helper
|
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper
|
||||||
|
install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service
|
||||||
|
touch %{buildroot}%{_sysconfdir}/sysconfig/arptables
|
||||||
|
|
||||||
|
# extra sources for ebtables
|
||||||
|
install -p %{SOURCE9} %{buildroot}%{_unitdir}/
|
||||||
|
install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper
|
||||||
|
install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config
|
||||||
|
touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables
|
||||||
|
|
||||||
# prepare for alternatives
|
# prepare for alternatives
|
||||||
|
touch %{buildroot}%{_libexecdir}/arptables-helper
|
||||||
touch %{buildroot}%{_mandir}/man8/arptables.8
|
touch %{buildroot}%{_mandir}/man8/arptables.8
|
||||||
touch %{buildroot}%{_mandir}/man8/arptables-save.8
|
touch %{buildroot}%{_mandir}/man8/arptables-save.8
|
||||||
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
|
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
|
||||||
touch %{buildroot}%{_mandir}/man8/ebtables.8
|
touch %{buildroot}%{_mandir}/man8/ebtables.8
|
||||||
|
|
||||||
# fix absolute symlink
|
# add symlinks for compatibility to merged extensions
|
||||||
rm -f %{buildroot}%{_bindir}/iptables-xml
|
link_ext() { # (target, link)
|
||||||
ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml
|
local targetfile="%{buildroot}%{_libdir}/xtables/${1}.so"
|
||||||
|
local targetname="${1}.so"
|
||||||
|
local link="%{buildroot}%{_libdir}/xtables/${2}.so"
|
||||||
|
[[ -e "$link" ]] && return 0
|
||||||
|
[[ -e "$targetfile" ]] || return 0
|
||||||
|
ln -s $targetname $link
|
||||||
|
}
|
||||||
|
for fam in ip ip6; do
|
||||||
|
link_ext libxt_LOG lib${fam}t_LOG
|
||||||
|
link_ext libxt_NAT lib${fam}t_SNAT
|
||||||
|
link_ext libxt_NAT lib${fam}t_MASQUERADE
|
||||||
|
done
|
||||||
|
|
||||||
%ldconfig_scriptlets
|
%ldconfig_scriptlets
|
||||||
|
|
||||||
%post legacy
|
%post legacy
|
||||||
pfx=%{_sbindir}/iptables
|
pfx=%{_sbindir}/iptables
|
||||||
pfx6=%{_sbindir}/ip6tables
|
pfx6=%{_sbindir}/ip6tables
|
||||||
/usr/sbin/update-alternatives --install \
|
%{_sbindir}/update-alternatives --install \
|
||||||
$pfx iptables $pfx-legacy 10 \
|
$pfx iptables $pfx-legacy 10 \
|
||||||
--slave $pfx6 ip6tables $pfx6-legacy \
|
--slave $pfx6 ip6tables $pfx6-legacy \
|
||||||
--slave $pfx-restore iptables-restore $pfx-legacy-restore \
|
--slave $pfx-restore iptables-restore $pfx-legacy-restore \
|
||||||
@ -255,33 +296,10 @@ pfx6=%{_sbindir}/ip6tables
|
|||||||
|
|
||||||
%postun legacy
|
%postun legacy
|
||||||
if [ $1 -eq 0 ]; then
|
if [ $1 -eq 0 ]; then
|
||||||
/usr/sbin/update-alternatives --remove \
|
%{_sbindir}/update-alternatives --remove \
|
||||||
iptables %{_sbindir}/iptables-legacy
|
iptables %{_sbindir}/iptables-legacy
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# iptables-1.8.0-1 introduced the use of alternatives
|
|
||||||
# when upgrading, its %postun script runs due to the package renaming
|
|
||||||
# fix this by repeating the install into alternatives
|
|
||||||
# also keep the old alternatives configuration to not change the system
|
|
||||||
%triggerun legacy -- iptables > 1.8.0
|
|
||||||
alternatives --list | awk '/^iptables/{print $3; exit}' \
|
|
||||||
>/var/tmp/alternatives.iptables.current
|
|
||||||
cp /var/lib/alternatives/iptables /var/tmp/alternatives.iptables.setup
|
|
||||||
|
|
||||||
%triggerpostun legacy -- iptables > 1.8.0
|
|
||||||
pfx=%{_sbindir}/iptables
|
|
||||||
pfx6=%{_sbindir}/ip6tables
|
|
||||||
/usr/sbin/update-alternatives --install \
|
|
||||||
$pfx iptables $pfx-legacy 10 \
|
|
||||||
--slave $pfx6 ip6tables $pfx6-legacy \
|
|
||||||
--slave $pfx-restore iptables-restore $pfx-legacy-restore \
|
|
||||||
--slave $pfx-save iptables-save $pfx-legacy-save \
|
|
||||||
--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
|
|
||||||
--slave $pfx6-save ip6tables-save $pfx6-legacy-save
|
|
||||||
alternatives --set iptables $(</var/tmp/alternatives.iptables.current)
|
|
||||||
rm /var/tmp/alternatives.iptables.current
|
|
||||||
mv /var/tmp/alternatives.iptables.setup /var/lib/alternatives/iptables
|
|
||||||
|
|
||||||
%post services
|
%post services
|
||||||
%systemd_post iptables.service ip6tables.service
|
%systemd_post iptables.service ip6tables.service
|
||||||
|
|
||||||
@ -292,12 +310,25 @@ mv /var/tmp/alternatives.iptables.setup /var/lib/alternatives/iptables
|
|||||||
%?ldconfig
|
%?ldconfig
|
||||||
%systemd_postun iptables.service ip6tables.service
|
%systemd_postun iptables.service ip6tables.service
|
||||||
|
|
||||||
|
%post nft-services
|
||||||
|
%systemd_post iptables.service ip6tables.service
|
||||||
|
%systemd_post arptables.service ebtables.service
|
||||||
|
|
||||||
|
%preun nft-services
|
||||||
|
%systemd_preun iptables.service ip6tables.service
|
||||||
|
%systemd_preun arptables.service ebtables.service
|
||||||
|
|
||||||
|
%postun nft-services
|
||||||
|
%?ldconfig
|
||||||
|
%systemd_postun iptables.service ip6tables.service
|
||||||
|
%systemd_postun arptables.service ebtables.service
|
||||||
|
|
||||||
%post -e nft
|
%post -e nft
|
||||||
[[ %%{_excludedocs} == 1 ]] || do_man=true
|
[[ %%{_excludedocs} == 1 ]] || do_man=true
|
||||||
|
|
||||||
pfx=%{_sbindir}/iptables
|
pfx=%{_sbindir}/iptables
|
||||||
pfx6=%{_sbindir}/ip6tables
|
pfx6=%{_sbindir}/ip6tables
|
||||||
/usr/sbin/update-alternatives --install \
|
%{_sbindir}/update-alternatives --install \
|
||||||
$pfx iptables $pfx-nft 10 \
|
$pfx iptables $pfx-nft 10 \
|
||||||
--slave $pfx6 ip6tables $pfx6-nft \
|
--slave $pfx6 ip6tables $pfx6-nft \
|
||||||
--slave $pfx-restore iptables-restore $pfx-nft-restore \
|
--slave $pfx-restore iptables-restore $pfx-nft-restore \
|
||||||
@ -315,7 +346,7 @@ done
|
|||||||
if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then
|
if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then
|
||||||
rm -f $manpfx.8.gz
|
rm -f $manpfx.8.gz
|
||||||
fi
|
fi
|
||||||
/usr/sbin/update-alternatives --install \
|
%{_sbindir}/update-alternatives --install \
|
||||||
$pfx ebtables $pfx-nft 10 \
|
$pfx ebtables $pfx-nft 10 \
|
||||||
--slave $pfx-save ebtables-save $pfx-nft-save \
|
--slave $pfx-save ebtables-save $pfx-nft-save \
|
||||||
--slave $pfx-restore ebtables-restore $pfx-nft-restore \
|
--slave $pfx-restore ebtables-restore $pfx-nft-restore \
|
||||||
@ -335,7 +366,7 @@ done
|
|||||||
if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then
|
if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then
|
||||||
rm -f $lepfx-helper
|
rm -f $lepfx-helper
|
||||||
fi
|
fi
|
||||||
/usr/sbin/update-alternatives --install \
|
%{_sbindir}/update-alternatives --install \
|
||||||
$pfx arptables $pfx-nft 10 \
|
$pfx arptables $pfx-nft 10 \
|
||||||
--slave $pfx-save arptables-save $pfx-nft-save \
|
--slave $pfx-save arptables-save $pfx-nft-save \
|
||||||
--slave $pfx-restore arptables-restore $pfx-nft-restore \
|
--slave $pfx-restore arptables-restore $pfx-nft-restore \
|
||||||
@ -347,37 +378,25 @@ fi
|
|||||||
%postun nft
|
%postun nft
|
||||||
if [ $1 -eq 0 ]; then
|
if [ $1 -eq 0 ]; then
|
||||||
for cmd in iptables ebtables arptables; do
|
for cmd in iptables ebtables arptables; do
|
||||||
/usr/sbin/update-alternatives --remove \
|
%{_sbindir}/update-alternatives --remove \
|
||||||
$cmd %{_sbindir}/$cmd-nft
|
$cmd %{_sbindir}/$cmd-nft
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
%if %{do_legacy_pkg}
|
||||||
|
|
||||||
%files legacy
|
%files legacy
|
||||||
%{_sbindir}/ip{,6}tables-legacy*
|
%{_sbindir}/ip{,6}tables-legacy*
|
||||||
%{_sbindir}/xtables-legacy-multi
|
%{_sbindir}/xtables-legacy-multi
|
||||||
%{_bindir}/iptables-xml
|
%{_bindir}/iptables-xml
|
||||||
%{_mandir}/man1/iptables-xml*
|
%{_mandir}/man1/iptables-xml*
|
||||||
%{_mandir}/man8/xtables-legacy*
|
%{_mandir}/man8/xtables-legacy*
|
||||||
%{_datadir}/xtables/iptables.xslt
|
|
||||||
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
|
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
|
||||||
|
|
||||||
%files libs
|
|
||||||
%license COPYING
|
|
||||||
%{_libdir}/libxtables.so.12*
|
|
||||||
%dir %{_libdir}/xtables
|
|
||||||
%{_libdir}/xtables/lib{ip,ip6,x}t*
|
|
||||||
%{_mandir}/man8/ip{,6}tables.8.gz
|
|
||||||
%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
|
|
||||||
|
|
||||||
%files legacy-libs
|
%files legacy-libs
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
|
%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
|
||||||
|
|
||||||
%files devel
|
|
||||||
%{_includedir}/xtables{,-version}.h
|
|
||||||
%{_libdir}/libxtables.so
|
|
||||||
%{_libdir}/pkgconfig/xtables.pc
|
|
||||||
|
|
||||||
%files legacy-devel
|
%files legacy-devel
|
||||||
%dir %{_includedir}/libiptc
|
%dir %{_includedir}/libiptc
|
||||||
%{_includedir}/libiptc/*.h
|
%{_includedir}/libiptc/*.h
|
||||||
@ -392,6 +411,35 @@ fi
|
|||||||
%dir %{legacy_actions}/ip{,6}tables
|
%dir %{legacy_actions}/ip{,6}tables
|
||||||
%{legacy_actions}/ip{,6}tables/{save,panic}
|
%{legacy_actions}/ip{,6}tables/{save,panic}
|
||||||
|
|
||||||
|
# do_legacy_pkg
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files nft-services
|
||||||
|
%{_unitdir}/{arp,eb}tables.service
|
||||||
|
%{_libexecdir}/ebtables-helper
|
||||||
|
%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
|
||||||
|
%ghost %{_sysconfdir}/sysconfig/arptables
|
||||||
|
%ghost %{_sysconfdir}/sysconfig/ebtables
|
||||||
|
%dir %{script_path}
|
||||||
|
%{script_path}/ip{,6}tables.init
|
||||||
|
%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
|
||||||
|
%{_unitdir}/ip{,6}tables.service
|
||||||
|
%dir %{legacy_actions}/ip{,6}tables
|
||||||
|
%{legacy_actions}/ip{,6}tables/{save,panic}
|
||||||
|
|
||||||
|
%files libs
|
||||||
|
%license COPYING
|
||||||
|
%{_libdir}/libxtables.so.12*
|
||||||
|
%dir %{_libdir}/xtables
|
||||||
|
%{_libdir}/xtables/lib{ip,ip6,x}t*
|
||||||
|
%{_mandir}/man8/ip{,6}tables.8.gz
|
||||||
|
%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%{_includedir}/xtables{,-version}.h
|
||||||
|
%{_libdir}/libxtables.so
|
||||||
|
%{_libdir}/pkgconfig/xtables.pc
|
||||||
|
|
||||||
%files utils
|
%files utils
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%{_sbindir}/nfnl_osf
|
%{_sbindir}/nfnl_osf
|
||||||
@ -407,9 +455,9 @@ fi
|
|||||||
%{_sbindir}/ip{,6}tables-nft*
|
%{_sbindir}/ip{,6}tables-nft*
|
||||||
%{_sbindir}/ip{,6}tables{,-restore}-translate
|
%{_sbindir}/ip{,6}tables{,-restore}-translate
|
||||||
%{_sbindir}/{eb,arp}tables-nft*
|
%{_sbindir}/{eb,arp}tables-nft*
|
||||||
|
%{_sbindir}/ebtables-translate
|
||||||
%{_sbindir}/xtables-nft-multi
|
%{_sbindir}/xtables-nft-multi
|
||||||
%{_sbindir}/xtables-monitor
|
%{_sbindir}/xtables-monitor
|
||||||
%{_sbindir}/ebtables-translate
|
|
||||||
%dir %{_libdir}/xtables
|
%dir %{_libdir}/xtables
|
||||||
%{_libdir}/xtables/lib{arp,eb}t*
|
%{_libdir}/xtables/lib{arp,eb}t*
|
||||||
%{_libexecdir}/arptables-nft-helper
|
%{_libexecdir}/arptables-nft-helper
|
||||||
@ -417,15 +465,16 @@ fi
|
|||||||
%{_mandir}/man8/xtables-translate*
|
%{_mandir}/man8/xtables-translate*
|
||||||
%{_mandir}/man8/*-nft*
|
%{_mandir}/man8/*-nft*
|
||||||
%{_mandir}/man8/ip{,6}tables{,-restore}-translate*
|
%{_mandir}/man8/ip{,6}tables{,-restore}-translate*
|
||||||
%{_mandir}/man8/ebtables-translate*
|
|
||||||
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
|
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
|
||||||
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
|
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
|
||||||
%ghost %{_libexecdir}/arptables-helper
|
%ghost %{_libexecdir}/arptables-helper
|
||||||
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
|
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
|
||||||
%ghost %{_mandir}/man8/ebtables.8.gz
|
%ghost %{_mandir}/man8/ebtables{,-translate}.8.gz
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 03 2024 Phil Sutter <psutter@redhat.com> [1.8.10-9.el10]
|
||||||
|
- Sync with RHEL9 package (Phil Sutter)
|
||||||
|
|
||||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.8.10-8
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.8.10-8
|
||||||
- Bump release for June 2024 mass rebuild
|
- Bump release for June 2024 mass rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user