From 97407d1230d0860c3660855169def22be7749da7 Mon Sep 17 00:00:00 2001 
From: Phil Sutter
Date: Tue, 10 Oct 2023 17:33:55 +0200
Subject: [PATCH] iptables-1.8.10-1
- New version 1.8.10
- Drop compat sub-package
Resolves: rhbz#2243041
---
.gitignore | 1 +
...s-NAT-Fix-for-Werror-format-security.patch | 30 ---
0002-etc-Drop-xtables.conf.patch | 132 ----------
...x-for-unknown-argument-error-message.patch | 148 -----------
...es-Refuse-unselected-targets-options.patch | 232 ------------------
...-Properly-split-input-in-replay-mode.patch | 31 ---
...bebt_redirect-Fix-target-translation.patch | 48 ----
...t_redirect-Fix-for-wrong-syntax-in-t.patch | 48 ----
...t_ip-Do-not-use-ip-dscp-for-translat.patch | 50 ----
...t_ip-Translation-has-to-match-on-eth.patch | 85 -------
...the-missing-chunk-types-in-sctp_help.patch | 36 ---
...Add-missing-linux-netfilter-xt_LOG.h.patch | 101 --------
...-for-deletion-of-new-referenced-rule.patch | 67 -----
...ables-Fix-checking-existence-of-rule.patch | 33 ---
0014-nft-shared-Drop-unused-include.patch | 29 ---
...rsing-of-inverted-arp-operation-matc.patch | 31 ---
...-t-omit-standard-matches-if-inverted.patch | 42 ----
...ing-of-option-arguments-in-same-word.patch | 211 ----------------
iptables.spec | 44 +---
sources | 2 +-
20 files changed, 9 insertions(+), 1392 deletions(-)
delete mode 100644 0001-extensions-NAT-Fix-for-Werror-format-security.patch
delete mode 100644 0002-etc-Drop-xtables.conf.patch
delete mode 100644 0003-Proper-fix-for-unknown-argument-error-message.patch
delete mode 100644 0004-ebtables-Refuse-unselected-targets-options.patch
delete mode 100644 0005-tests-xlate-Properly-split-input-in-replay-mode.patch
delete mode 100644 0006-extensions-libebt_redirect-Fix-target-translation.patch
delete mode 100644 0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch
delete mode 100644 0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch
delete mode 100644 0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch
delete mode 100644 0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch
delete mode 100644 0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch
delete mode 100644 0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch
delete mode 100644 0013-ip6tables-Fix-checking-existence-of-rule.patch
delete mode 100644 0014-nft-shared-Drop-unused-include.patch
delete mode 100644 0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch
delete mode 100644 0016-arptables-Don-t-omit-standard-matches-if-inverted.patch
delete mode 100644 0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch
diff --git a/.gitignore b/.gitignore
index 141b2e8..4cb5d7a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@
 /iptables-1.8.7.tar.bz2
 /iptables-1.8.8.tar.bz2
 /iptables-1.8.9.tar.xz
+/iptables-1.8.10.tar.xz
diff --git a/0001-extensions-NAT-Fix-for-Werror-format-security.patch b/0001-extensions-NAT-Fix-for-Werror-format-security.patch
deleted file mode 100644
index cecd191..0000000
--- a/0001-extensions-NAT-Fix-for-Werror-format-security.patch
+++ /dev/null
@@ -1,30 +0,0 @@ -From ff8eacec604537d98eb912281fa0c5c6a83da717 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 12 Jan 2023 14:38:44 +0100 -Subject: [PATCH] extensions: NAT: Fix for -Werror=format-security - -Have to pass either a string literal or format string to xt_xlate_add(). - -Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE") -Signed-off-by: Phil Sutter -(cherry picked from commit ed4082a7405a5838c205a34c1559e289949200cc) ---- - extensions/libxt_NAT.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c -index da9f22012c5d6..2a6343986d54f 100644 ---- a/extensions/libxt_NAT.c -+++ b/extensions/libxt_NAT.c -@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r, - if (r->flags & NF_NAT_RANGE_PROTO_OFFSET) - return 0; - -- xt_xlate_add(xl, tgt); -+ xt_xlate_add(xl, "%s", tgt); - if (strlen(range_str)) - xt_xlate_add(xl, " to %s", range_str); - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) { --- -2.40.0 - diff --git a/0002-etc-Drop-xtables.conf.patch b/0002-etc-Drop-xtables.conf.patch deleted file mode 100644 index e676561..0000000 --- a/0002-etc-Drop-xtables.conf.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From 55f3f1743934efa33df1ecbe11b31362fc45b03c Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 17 Jan 2023 16:38:43 +0100 -Subject: [PATCH] etc: Drop xtables.conf - -The file is not used since the commit this one fixes. Also it wasn't -installed until recently, when commit 3822a992bc277 ("Makefile: Fix for -'make distcheck'") added it in the wrong spot in an attempt to reduce -differences between tarballs generated by 'make tarball' and 'make -dist'. - -While being at it, drop stale xtables_config_main() prototype from -xtables-multi.h. - -Fixes: 06fd5e46d46f7 ("xtables: Drop support for /etc/xtables.conf") -Signed-off-by: Phil Sutter -(cherry picked from commit ca8fb6c21b298b3d96db2bfbf9c74d393bdd4728) ---- - Makefile.am | 2 +- - etc/xtables.conf | 74 ---------------------------------------- - iptables/xtables-multi.h | 1 - - 3 files changed, 1 insertion(+), 76 deletions(-) - delete mode 100644 etc/xtables.conf - -diff --git a/Makefile.am b/Makefile.am -index 451c3cb2d5887..299ab46d7b8e2 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -20,7 +20,7 @@ EXTRA_DIST = autogen.sh iptables-test.py xlate-test.py - - if ENABLE_NFTABLES - confdir = $(sysconfdir) --dist_conf_DATA = etc/ethertypes etc/xtables.conf -+dist_conf_DATA = etc/ethertypes - endif - - .PHONY: tarball -diff --git a/etc/xtables.conf b/etc/xtables.conf -deleted file mode 100644 -index 3c54ced043d82..0000000000000 ---- a/etc/xtables.conf -+++ /dev/null -@@ -1,74 +0,0 @@ --family ipv4 { -- table raw { -- chain PREROUTING hook NF_INET_PRE_ROUTING prio -300 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio -300 -- } -- -- table mangle { -- chain PREROUTING hook NF_INET_PRE_ROUTING prio -150 -- chain INPUT hook NF_INET_LOCAL_IN prio -150 -- chain FORWARD hook NF_INET_FORWARD prio -150 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio -150 -- chain POSTROUTING hook NF_INET_POST_ROUTING prio -150 -- } -- -- table filter { -- chain INPUT hook NF_INET_LOCAL_IN prio 0 -- chain FORWARD hook 
NF_INET_FORWARD prio 0 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio 0 -- } -- -- table nat { -- chain PREROUTING hook NF_INET_PRE_ROUTING prio -100 -- chain INPUT hook NF_INET_LOCAL_IN prio 100 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio -100 -- chain POSTROUTING hook NF_INET_POST_ROUTING prio 100 -- } -- -- table security { -- chain INPUT hook NF_INET_LOCAL_IN prio 50 -- chain FORWARD hook NF_INET_FORWARD prio 50 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio 50 -- } --} -- --family ipv6 { -- table raw { -- chain PREROUTING hook NF_INET_PRE_ROUTING prio -300 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio -300 -- } -- -- table mangle { -- chain PREROUTING hook NF_INET_PRE_ROUTING prio -150 -- chain INPUT hook NF_INET_LOCAL_IN prio -150 -- chain FORWARD hook NF_INET_FORWARD prio -150 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio -150 -- chain POSTROUTING hook NF_INET_POST_ROUTING prio -150 -- } -- -- table filter { -- chain INPUT hook NF_INET_LOCAL_IN prio 0 -- chain FORWARD hook NF_INET_FORWARD prio 0 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio 0 -- } -- -- table nat { -- chain PREROUTING hook NF_INET_PRE_ROUTING prio -100 -- chain INPUT hook NF_INET_LOCAL_IN prio 100 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio -100 -- chain POSTROUTING hook NF_INET_POST_ROUTING prio 100 -- } -- -- table security { -- chain INPUT hook NF_INET_LOCAL_IN prio 50 -- chain FORWARD hook NF_INET_FORWARD prio 50 -- chain OUTPUT hook NF_INET_LOCAL_OUT prio 50 -- } --} -- --family arp { -- table filter { -- chain INPUT hook NF_ARP_IN prio 0 -- chain OUTPUT hook NF_ARP_OUT prio 0 -- } --} -diff --git a/iptables/xtables-multi.h b/iptables/xtables-multi.h -index 94c24d5a22c7e..833c11a2ac914 100644 ---- a/iptables/xtables-multi.h -+++ b/iptables/xtables-multi.h -@@ -20,7 +20,6 @@ extern int xtables_arp_save_main(int, char **); - extern int xtables_eb_main(int, char **); - extern int xtables_eb_restore_main(int, char **); - extern int xtables_eb_save_main(int, char **); --extern int 
xtables_config_main(int, char **); - extern int xtables_monitor_main(int, char **); - - extern struct xtables_globals arptables_globals; --- -2.40.0 - diff --git a/0003-Proper-fix-for-unknown-argument-error-message.patch b/0003-Proper-fix-for-unknown-argument-error-message.patch deleted file mode 100644 index d807c54..0000000 --- a/0003-Proper-fix-for-unknown-argument-error-message.patch +++ /dev/null 
@@ -1,148 +0,0 @@ -From 01c76718d85985625ef53fb6b554bd44742ae6ef Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 25 Jan 2023 01:51:43 +0100 -Subject: [PATCH] Proper fix for "unknown argument" error message - -While commit 1b8210f848631 kind of fixed the corner-case of invalid -short-options packed with others, it broke error reporting for -long-options. Revert it and deploy a proper solution: - -When passing an invalid short-option, e.g. 'iptables -vaL', getopt_long -sets the variable 'optopt' to the invalid character's value. Use it for -reporting instead of optind if set. - -To distinguish between invalid options and missing option arguments, -ebtables-translate optstring needs adjustment. - -Fixes: 1b8210f848631 ("ebtables: Fix error message for invalid parameters") -Signed-off-by: Phil Sutter -(cherry picked from commit d6eb6a9fd3878ce4fa01f8d4127f1735988bd07b) ---- - .../testcases/iptables/0009-unknown-arg_0 | 31 +++++++++++++++++++ - iptables/xshared.c | 9 ++++-- - iptables/xtables-eb-translate.c | 8 ++--- - iptables/xtables-eb.c | 17 ++++++---- - 4 files changed, 50 insertions(+), 15 deletions(-) - create mode 100755 iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 - -diff --git a/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 -new file mode 100755 -index 0000000000000..ac6e743966196 ---- /dev/null -+++ b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 -@@ -0,0 +1,31 @@ -+#!/bin/bash -+ -+rc=0 -+ -+check() { -+ local cmd="$1" -+ local msg="$2" -+ -+ $XT_MULTI $cmd 2>&1 | grep -q "$msg" || { -+ echo "cmd: $XT_MULTI $1" -+ echo "exp: $msg" -+ echo "res: $($XT_MULTI $cmd 2>&1)" -+ rc=1 -+ } -+} -+ -+cmds="iptables ip6tables" -+[[ $XT_MULTI == *xtables-nft-multi ]] && { -+ cmds+=" ebtables" -+ cmds+=" iptables-translate" -+ cmds+=" ip6tables-translate" -+ cmds+=" ebtables-translate" -+} -+ -+for cmd in $cmds; do -+ check "${cmd} --foo" 'unknown option "--foo"' 
-+ check "${cmd} -A" 'option "-A" requires an argument' -+ check "${cmd} -aL" 'unknown option "-a"' -+done -+ -+exit $rc -diff --git a/iptables/xshared.c b/iptables/xshared.c -index f93529b11a319..ac51fac5ce9ed 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -192,9 +192,12 @@ static int command_default(struct iptables_command_state *cs, - if (cs->c == ':') - xtables_error(PARAMETER_PROBLEM, "option \"%s\" " - "requires an argument", cs->argv[optind-1]); -- if (cs->c == '?') -- xtables_error(PARAMETER_PROBLEM, "unknown option " -- "\"%s\"", cs->argv[optind-1]); -+ if (cs->c == '?') { -+ char optoptstr[3] = {'-', optopt, '\0'}; -+ -+ xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"", -+ optopt ? optoptstr : cs->argv[optind - 1]); -+ } - xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg); - } - -diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c -index 13b6b864a5f24..0c35272051752 100644 ---- a/iptables/xtables-eb-translate.c -+++ b/iptables/xtables-eb-translate.c -@@ -201,7 +201,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char - printf("nft "); - /* Getopt saves the day */ - while ((c = getopt_long(argc, argv, -- "-A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) { -+ "-:A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) { - cs.c = c; - switch (c) { - case 'A': /* Add a rule */ -@@ -491,11 +491,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char - continue; - default: - ebt_check_inverse2(optarg, argc, argv); -- -- if (ebt_command_default(&cs)) -- xtables_error(PARAMETER_PROBLEM, -- "Unknown argument: '%s'", -- argv[optind - 1]); -+ ebt_command_default(&cs); - - if (command != 'A' && command != 'I' && - command != 'D') -diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c -index 7214a767ffe96..412b5cccdc46a 100644 ---- a/iptables/xtables-eb.c -+++ b/iptables/xtables-eb.c -@@ -640,7 +640,16 @@ int 
ebt_command_default(struct iptables_command_state *cs) - return 0; - } - } -- return 1; -+ if (cs->c == ':') -+ xtables_error(PARAMETER_PROBLEM, "option \"%s\" " -+ "requires an argument", cs->argv[optind - 1]); -+ if (cs->c == '?') { -+ char optoptstr[3] = {'-', optopt, '\0'}; -+ -+ xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"", -+ optopt ? optoptstr : cs->argv[optind - 1]); -+ } -+ xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg); - } - - int nft_init_eb(struct nft_handle *h, const char *pname) -@@ -1084,11 +1093,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, - continue; - default: - ebt_check_inverse2(optarg, argc, argv); -- -- if (ebt_command_default(&cs)) -- xtables_error(PARAMETER_PROBLEM, -- "Unknown argument: '%s'", -- argv[optind]); -+ ebt_command_default(&cs); - - if (command != 'A' && command != 'I' && - command != 'D' && command != 'C' && command != 14) --- -2.40.0 - diff --git a/0004-ebtables-Refuse-unselected-targets-options.patch b/0004-ebtables-Refuse-unselected-targets-options.patch deleted file mode 100644 index c41ba45..0000000 --- a/0004-ebtables-Refuse-unselected-targets-options.patch +++ /dev/null 
@@ -1,232 +0,0 @@ -From a53dfa149429c49789947e61c325f9a11e9a83d3 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 25 Jan 2023 02:01:56 +0100 -Subject: [PATCH] ebtables: Refuse unselected targets' options - -Unlike legacy, ebtables-nft would allow e.g.: - -| -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be - -While the result is correct, it may mislead users into believing -multiple targets are possible per rule. Better follow legacy's behaviour -and reject target options unless they have been "enabled" by a previous -'-j' option. - -To achieve this, one needs to distinguish targets from watchers also -attached to 'xtables_targets' and otherwise behaving like regular -matches. Introduce XTABLES_EXT_WATCHER to mark the two. - -The above works already, but error messages are misleading when using -the now unsupported syntax since target options have been merged -already. Solve this by not pre-loading the targets at all, code will -just fall back to loading ad '-j' parsing time as iptables does. - -Note how this also fixes for 'counter' statement being in wrong position -of ebtables-translate output. 
- -Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support") -Signed-off-by: Phil Sutter -(cherry picked from commit 27d37863a486352511dac385bde8f3d20526be5b) ---- - extensions/libebt_dnat.txlate | 12 ++++---- - extensions/libebt_log.c | 1 + - extensions/libebt_mark.txlate | 16 +++++----- - extensions/libebt_nflog.c | 1 + - extensions/libebt_snat.txlate | 8 ++--- - include/xtables.h | 1 + - .../ebtables/0002-ebtables-save-restore_0 | 4 +-- - iptables/xtables-eb.c | 29 +++++++------------ - 8 files changed, 33 insertions(+), 39 deletions(-) - -diff --git a/extensions/libebt_dnat.txlate b/extensions/libebt_dnat.txlate -index 9f305c76c954f..531a22aa3e14f 100644 ---- a/extensions/libebt_dnat.txlate -+++ b/extensions/libebt_dnat.txlate -@@ -1,8 +1,8 @@ --ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter' -+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff -+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept' - --ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT --nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter' -+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT -+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept' - --ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE --nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter' -+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE -+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff 
continue' -diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c -index 045062196d20d..9f8d158956802 100644 ---- a/extensions/libebt_log.c -+++ b/extensions/libebt_log.c -@@ -197,6 +197,7 @@ static int brlog_xlate(struct xt_xlate *xl, - static struct xtables_target brlog_target = { - .name = "log", - .revision = 0, -+ .ext_flags = XTABLES_EXT_WATCHER, - .version = XTABLES_VERSION, - .family = NFPROTO_BRIDGE, - .size = XT_ALIGN(sizeof(struct ebt_log_info)), -diff --git a/extensions/libebt_mark.txlate b/extensions/libebt_mark.txlate -index d006e8ac94008..4ace1a1f5cfde 100644 ---- a/extensions/libebt_mark.txlate -+++ b/extensions/libebt_mark.txlate -@@ -1,11 +1,11 @@ --ebtables-translate -A INPUT --mark-set 42 --nft 'add rule bridge filter INPUT meta mark set 0x2a accept counter' -+ebtables-translate -A INPUT -j mark --mark-set 42 -+nft 'add rule bridge filter INPUT counter meta mark set 0x2a accept' - --ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN --nft 'add rule bridge filter INPUT meta mark set meta mark or 0x2a return counter' -+ebtables-translate -A INPUT -j mark --mark-or 42 --mark-target RETURN -+nft 'add rule bridge filter INPUT counter meta mark set meta mark or 0x2a return' - --ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT --nft 'add rule bridge filter INPUT meta mark set meta mark and 0x2a accept counter' -+ebtables-translate -A INPUT -j mark --mark-and 42 --mark-target ACCEPT -+nft 'add rule bridge filter INPUT counter meta mark set meta mark and 0x2a accept' - --ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP --nft 'add rule bridge filter INPUT meta mark set meta mark xor 0x2a drop counter' -+ebtables-translate -A INPUT -j mark --mark-xor 42 --mark-target DROP -+nft 'add rule bridge filter INPUT counter meta mark set meta mark xor 0x2a drop' -diff --git a/extensions/libebt_nflog.c b/extensions/libebt_nflog.c -index 115e15da45845..762d6d5d8bbe2 100644 ---- a/extensions/libebt_nflog.c -+++ 
b/extensions/libebt_nflog.c -@@ -146,6 +146,7 @@ static int brnflog_xlate(struct xt_xlate *xl, - static struct xtables_target brnflog_watcher = { - .name = "nflog", - .revision = 0, -+ .ext_flags = XTABLES_EXT_WATCHER, - .version = XTABLES_VERSION, - .family = NFPROTO_BRIDGE, - .size = XT_ALIGN(sizeof(struct ebt_nflog_info)), -diff --git a/extensions/libebt_snat.txlate b/extensions/libebt_snat.txlate -index 857a6052aed1a..37343d3a14754 100644 ---- a/extensions/libebt_snat.txlate -+++ b/extensions/libebt_snat.txlate -@@ -1,5 +1,5 @@ --ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ --to-source de:ad:00:be:ee:ff --nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 ether saddr set de:ad:0:be:ee:ff accept counter' -+ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ -j snat --to-source de:ad:00:be:ee:ff -+nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 counter ether saddr set de:ad:0:be:ee:ff accept' - --ebtables-translate -t nat -A POSTROUTING -o someport --to-src de:ad:00:be:ee:ff --snat-target CONTINUE --nft 'add rule bridge nat POSTROUTING oifname "someport" ether saddr set de:ad:0:be:ee:ff continue counter' -+ebtables-translate -t nat -A POSTROUTING -o someport -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE -+nft 'add rule bridge nat POSTROUTING oifname "someport" counter ether saddr set de:ad:0:be:ee:ff continue' -diff --git a/include/xtables.h b/include/xtables.h -index 4ffc8ec5a17e9..087a1d600f9ae 100644 ---- a/include/xtables.h -+++ b/include/xtables.h -@@ -203,6 +203,7 @@ struct xtables_lmap { - - enum xtables_ext_flags { - XTABLES_EXT_ALIAS = 1 << 0, -+ XTABLES_EXT_WATCHER = 1 << 1, - }; - - struct xt_xlate; -diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 -index 1091a4e80bebe..b4f9728bb9b6f 100755 ---- 
a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 -+++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 -@@ -38,7 +38,7 @@ $XT_MULTI ebtables -A foo -p IPv6 --ip6-proto tcp -j ACCEPT - - $XT_MULTI ebtables -A foo --limit 100 --limit-burst 42 -j ACCEPT - $XT_MULTI ebtables -A foo --log --$XT_MULTI ebtables -A foo --mark-set 0x23 --mark-target ACCEPT -+$XT_MULTI ebtables -A foo -j mark --mark-set 0x23 --mark-target ACCEPT - $XT_MULTI ebtables -A foo --nflog - $XT_MULTI ebtables -A foo --pkttype-type multicast -j ACCEPT - $XT_MULTI ebtables -A foo --stp-type config -j ACCEPT -@@ -53,7 +53,7 @@ $XT_MULTI ebtables -A FORWARD -j foo - $XT_MULTI ebtables -N bar - $XT_MULTI ebtables -P bar RETURN - --$XT_MULTI ebtables -t nat -A PREROUTING --redirect-target ACCEPT -+$XT_MULTI ebtables -t nat -A PREROUTING -j redirect --redirect-target ACCEPT - #$XT_MULTI ebtables -t nat -A PREROUTING --to-src fe:ed:ba:be:00:01 - - $XT_MULTI ebtables -t nat -A OUTPUT -j ACCEPT -diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c -index 412b5cccdc46a..3a73e79725489 100644 ---- a/iptables/xtables-eb.c -+++ b/iptables/xtables-eb.c -@@ -468,14 +468,14 @@ static void ebt_load_match(const char *name) - xtables_error(OTHER_PROBLEM, "Can't alloc memory"); - } - --static void __ebt_load_watcher(const char *name, const char *typename) -+static void ebt_load_watcher(const char *name) - { - struct xtables_target *watcher; - size_t size; - - watcher = xtables_find_target(name, XTF_TRY_LOAD); - if (!watcher) { -- fprintf(stderr, "Unable to load %s %s\n", name, typename); -+ fprintf(stderr, "Unable to load %s watcher\n", name); - return; - } - -@@ -496,16 +496,6 @@ static void __ebt_load_watcher(const char *name, const char *typename) - xtables_error(OTHER_PROBLEM, "Can't alloc memory"); - } - --static void ebt_load_watcher(const char *name) --{ -- return __ebt_load_watcher(name, "watcher"); --} -- --static void ebt_load_target(const char *name) --{ -- 
return __ebt_load_watcher(name, "target"); --} -- - void ebt_load_match_extensions(void) - { - opts = ebt_original_options; -@@ -522,13 +512,6 @@ void ebt_load_match_extensions(void) - - ebt_load_watcher("log"); - ebt_load_watcher("nflog"); -- -- ebt_load_target("mark"); -- ebt_load_target("dnat"); -- ebt_load_target("snat"); -- ebt_load_target("arpreply"); -- ebt_load_target("redirect"); -- ebt_load_target("standard"); - } - - void ebt_add_match(struct xtables_match *m, -@@ -633,6 +616,9 @@ int ebt_command_default(struct iptables_command_state *cs) - - /* Is it a watcher option? */ - for (t = xtables_targets; t; t = t->next) { -+ if (!(t->ext_flags & XTABLES_EXT_WATCHER)) -+ continue; -+ - if (t->parse && - t->parse(cs->c - t->option_offset, cs->argv, - ebt_invert, &t->tflags, NULL, &t->t)) { -@@ -726,6 +712,11 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, - optind = 0; - opterr = false; - -+ for (t = xtables_targets; t; t = t->next) { -+ t->tflags = 0; -+ t->used = 0; -+ } -+ - /* Getopt saves the day */ - while ((c = getopt_long(argc, argv, EBT_OPTSTRING, - opts, NULL)) != -1) { --- -2.40.0 - diff --git a/0005-tests-xlate-Properly-split-input-in-replay-mode.patch b/0005-tests-xlate-Properly-split-input-in-replay-mode.patch deleted file mode 100644 index dd58948..0000000 --- a/0005-tests-xlate-Properly-split-input-in-replay-mode.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From bb7f92a40360b49535dd3675f47cf989755a4978 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 3 Feb 2023 18:48:33 +0100 -Subject: [PATCH] tests: xlate: Properly split input in replay mode - -Source command may contain quotes, using shlex.split() does the right -thing there. - -Fixes: 7705b2daa3bdc ("tests: xlate: Use --check to verify replay") -Signed-off-by: Phil Sutter -(cherry picked from commit 914350a4586d2817ca7c4919c53142562f27bdaf) ---- - xlate-test.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/xlate-test.py b/xlate-test.py -index 4cb1401b71677..217d2f0062682 100755 ---- a/xlate-test.py -+++ b/xlate-test.py -@@ -64,7 +64,7 @@ xtables_nft_multi = 'xtables-nft-multi' - if sourceline.find(';') >= 0: - sourceline, searchline = sourceline.split(';') - -- srcwords = sourceline.split() -+ srcwords = shlex.split(sourceline) - - srccmd = srcwords[0] - ipt = srccmd.split('-')[0] --- -2.40.0 - diff --git a/0006-extensions-libebt_redirect-Fix-target-translation.patch b/0006-extensions-libebt_redirect-Fix-target-translation.patch deleted file mode 100644 index b2f5481..0000000 --- a/0006-extensions-libebt_redirect-Fix-target-translation.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 75d208e729b3256fdbbf31709215d30064389d47 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 31 Jan 2023 22:28:24 +0100 -Subject: [PATCH] extensions: libebt_redirect: Fix target translation - -While EBT_ACCEPT is the default verdict for ebtables targets, omitting -it from translation implicitly converts it into 'continue'. Omit the -non-default EBT_CONTINUE instead. - -Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension") -Signed-off-by: Phil Sutter -(cherry picked from commit bb6b243c481f90f7dc4a0bd89187ee2bb823f1f6) ---- - extensions/libebt_redirect.c | 2 +- - extensions/libebt_redirect.txlate | 8 ++++++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - create mode 100644 extensions/libebt_redirect.txlate - -diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c -index 4d4c7a02cea89..389f3ccb53f60 100644 ---- a/extensions/libebt_redirect.c -+++ b/extensions/libebt_redirect.c -@@ -84,7 +84,7 @@ static int brredir_xlate(struct xt_xlate *xl, - const struct ebt_redirect_info *red = (const void*)params->target->data; - - xt_xlate_add(xl, "meta set pkttype host"); -- if (red->target != EBT_ACCEPT) -+ if (red->target != EBT_CONTINUE) - xt_xlate_add(xl, " %s ", brredir_verdict(red->target)); - return 1; - } -diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate -new file mode 100644 -index 0000000000000..f0dd5deaf6406 ---- /dev/null -+++ b/extensions/libebt_redirect.txlate -@@ -0,0 +1,8 @@ -+ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect -+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host accept' -+ -+ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN -+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host return' -+ -+ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE 
-+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host' --- -2.40.0 - diff --git a/0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch b/0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch deleted file mode 100644 index 8f8dcf6..0000000 --- a/0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 345fb0551048b4b3c9f3f0a136c952a4ae5bf262 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 31 Jan 2023 23:32:50 +0100 -Subject: [PATCH] extensions: libebt_redirect: Fix for wrong syntax in - translation - -Meta key comes before 'set' in meta statement. - -Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension") -Signed-off-by: Phil Sutter -(cherry picked from commit 6d1263002c2a9fc6dfa59c764dee767a084d428d) ---- - extensions/libebt_redirect.c | 2 +- - extensions/libebt_redirect.txlate | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c -index 389f3ccb53f60..7821935e137aa 100644 ---- a/extensions/libebt_redirect.c -+++ b/extensions/libebt_redirect.c -@@ -83,7 +83,7 @@ static int brredir_xlate(struct xt_xlate *xl, - { - const struct ebt_redirect_info *red = (const void*)params->target->data; - -- xt_xlate_add(xl, "meta set pkttype host"); -+ xt_xlate_add(xl, "meta pkttype set host"); - if (red->target != EBT_CONTINUE) - xt_xlate_add(xl, " %s ", brredir_verdict(red->target)); - return 1; -diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate -index f0dd5deaf6406..d073ec774c4fa 100644 ---- a/extensions/libebt_redirect.txlate -+++ b/extensions/libebt_redirect.txlate -@@ -1,8 +1,8 @@ - ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host accept' -+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept' - - ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN --nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host return' -+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return' - - ebtables-translate -t nat -A PREROUTING 
-d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE --nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host' -+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host' --- -2.40.0 - diff --git a/0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch b/0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch deleted file mode 100644 index ad5a3ee..0000000 --- a/0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch +++ /dev/null 
@@ -1,50 +0,0 @@
-From 6177d53b1b5748d64eba68b42b173427815e454f Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 3 Feb 2023 18:58:36 +0100
-Subject: [PATCH] extensions: libebt_ip: Do not use 'ip dscp' for translation
-
-Converting from TOS field match to DSCP one is irreversible, so replay
-testing is not possible. Use a raw payload expression to produce
-something that translates 1:1 back into an 'ip' match.
-
-Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 744c56bda974caaa274318d2825b3e43b55bf145)
----
- extensions/libebt_ip.c | 4 ++--
- extensions/libebt_ip.txlate | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
-index fd87dae7e2c62..8b381aa10b5b7 100644
---- a/extensions/libebt_ip.c
-+++ b/extensions/libebt_ip.c
-@@ -442,10 +442,10 @@ static int brip_xlate(struct xt_xlate *xl,
- brip_xlate_nh(xl, info, EBT_IP_DEST);
-
- if (info->bitmask & EBT_IP_TOS) {
-- xt_xlate_add(xl, "ip dscp ");
-+ xt_xlate_add(xl, "@nh,8,8 ");
- if (info->invflags & EBT_IP_TOS)
- xt_xlate_add(xl, "!= ");
-- xt_xlate_add(xl, "0x%02x ", info->tos & 0x3f); /* remove ECN bits */
-+ xt_xlate_add(xl, "0x%02x ", info->tos);
- }
- if (info->bitmask & EBT_IP_PROTO) {
- struct protoent *pe;
-diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate
-index 75c1db246fb81..562e3157d7b92 100644
---- a/extensions/libebt_ip.txlate
-+++ b/extensions/libebt_ip.txlate
-@@ -5,7 +5,7 @@ ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1
- nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter'
-
- ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff
--nft 'insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0x3f counter'
-+nft 'insert rule bridge filter OUTPUT oifname "eth0" @nh,8,8 0xff counter'
-
- ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22
- nft 'add rule bridge filter FORWARD tcp dport 22 counter'
---
-2.40.0
-
diff --git a/0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch b/0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch
deleted file mode 100644
index 96cb5ad..0000000
--- a/0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -From 1429ad5300d85ae9e3f6114f609afb1ac6808c71 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 3 Feb 2023 17:37:40 +0100 -Subject: [PATCH] extensions: libebt_ip: Translation has to match on ether type - -On one hand, nft refuses th expression in bridge family if layer3 -protocol has not been assured by a previous match. On the other, ebt_ip -kernel module will only match on IPv4 packets, so there might be a -functional change in the translation versus the original. - -Instead of just always emitting an 'ether type' match, decide whether -it's actually needed - explicit "ip " payload matches (or -icmp ones) cause implicit creation of a match on IPv4 by nft. - -Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations") -Signed-off-by: Phil Sutter -(cherry picked from commit b860e658200af8fdeced2896a1a6c2f0f0692b70) ---- - extensions/libebt_ip.c | 21 +++++++++++++++++++++ - extensions/libebt_ip.txlate | 6 +++--- - 2 files changed, 24 insertions(+), 3 deletions(-) - -diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c -index 8b381aa10b5b7..68f34bff97deb 100644 ---- a/extensions/libebt_ip.c -+++ b/extensions/libebt_ip.c -@@ -432,6 +432,24 @@ static void brip_xlate_nh(struct xt_xlate *xl, - xtables_ipmask_to_numeric(maskp)); - } - -+static bool may_skip_ether_type_dep(uint8_t flags) -+{ -+ /* these convert to "ip (s|d)addr" matches */ -+ if (flags & (EBT_IP_SOURCE | EBT_IP_DEST)) -+ return true; -+ -+ /* icmp match triggers implicit ether type dependency in nft */ -+ if (flags & EBT_IP_ICMP) -+ return true; -+ -+ /* allow if "ip protocol" match is created by brip_xlate() */ -+ if (flags & EBT_IP_PROTO && -+ !(flags & (EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP))) -+ return true; -+ -+ return false; -+} -+ - static int brip_xlate(struct xt_xlate *xl, - const struct xt_xlate_mt_params *params) - { -@@ -441,6 +459,9 @@ static int brip_xlate(struct xt_xlate *xl, - brip_xlate_nh(xl, info, EBT_IP_SOURCE); - brip_xlate_nh(xl, info, 
EBT_IP_DEST); - -+ if (!may_skip_ether_type_dep(info->bitmask)) -+ xt_xlate_add(xl, "ether type ip "); -+ - if (info->bitmask & EBT_IP_TOS) { - xt_xlate_add(xl, "@nh,8,8 "); - if (info->invflags & EBT_IP_TOS) -diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate -index 562e3157d7b92..28996832225cb 100644 ---- a/extensions/libebt_ip.txlate -+++ b/extensions/libebt_ip.txlate -@@ -5,13 +5,13 @@ ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1 - nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter' - - ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff --nft 'insert rule bridge filter OUTPUT oifname "eth0" @nh,8,8 0xff counter' -+nft 'insert rule bridge filter OUTPUT oifname "eth0" ether type ip @nh,8,8 0xff counter' - - ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22 --nft 'add rule bridge filter FORWARD tcp dport 22 counter' -+nft 'add rule bridge filter FORWARD ether type ip tcp dport 22 counter' - - ebtables-translate -A FORWARD -p ip --ip-proto udp --ip-sport 1024:65535 --nft 'add rule bridge filter FORWARD udp sport 1024-65535 counter' -+nft 'add rule bridge filter FORWARD ether type ip udp sport 1024-65535 counter' - - ebtables-translate -A FORWARD -p ip --ip-proto 253 - nft 'add rule bridge filter FORWARD ip protocol 253 counter' --- -2.40.0 - diff --git a/0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch b/0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch deleted file mode 100644 index 410a831..0000000 --- a/0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From 94052918c2fd1508afa15a9a83965755d354d69b Mon Sep 17 00:00:00 2001
-From: Xin Long
-Date: Tue, 21 Feb 2023 12:19:42 -0500
-Subject: [PATCH] xt_sctp: add the missing chunk types in sctp_help
-
-Add the missing chunk types in sctp_help(), so that the help cmd can
-display these chunk types as below:
-
- # iptables -p sctp --help
-
- chunktypes - ... I_DATA RE_CONFIG PAD ... I_FORWARD_TSN ALL NONE
-
-Fixes: 6b04d9c34e25 ("xt_sctp: support a couple of new chunk types")
-Signed-off-by: Xin Long
-Signed-off-by: Phil Sutter
-(cherry picked from commit f7c8d896f3305471746a8690f73587a65854d8fa)
----
- extensions/libxt_sctp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
-index fe5f5621a033d..6e2b2745dcbd5 100644
---- a/extensions/libxt_sctp.c
-+++ b/extensions/libxt_sctp.c
-@@ -50,7 +50,7 @@ static void sctp_help(void)
- " --dport ...\n"
- "[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
- " chunktypes are present\n"
--"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n");
-+"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN ALL NONE\n");
- }
-
- static const struct option sctp_opts[] = {
---
-2.40.0
-
diff --git a/0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch b/0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch
deleted file mode 100644
index e0915f5..0000000
--- a/0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch
+++ /dev/null
@@ -1,101 +0,0 @@ -From 3311bf0d0fefd845d8d1d01b178bcd6701473a43 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 22 Feb 2023 16:36:16 +0100 -Subject: [PATCH] include: Add missing linux/netfilter/xt_LOG.h - -When merging IP-version-specific LOG extensions, a dependency to that -header was introduced without caching it. Fix this and drop the now -unused ip{,6}t_LOG.h files. - -Reported-by: Thomas Devoogdt -Fixes: 87e4f1bf0b87b ("extensions: libip*t_LOG: Merge extensions") -Signed-off-by: Phil Sutter -(cherry picked from commit 8030e5444681e16ac2f481ddad73e33fab376147) ---- - include/linux/netfilter/xt_LOG.h | 20 ++++++++++++++++++++ - include/linux/netfilter_ipv4/ipt_LOG.h | 19 ------------------- - include/linux/netfilter_ipv6/ip6t_LOG.h | 19 ------------------- - 3 files changed, 20 insertions(+), 38 deletions(-) - create mode 100644 include/linux/netfilter/xt_LOG.h - delete mode 100644 include/linux/netfilter_ipv4/ipt_LOG.h - delete mode 100644 include/linux/netfilter_ipv6/ip6t_LOG.h - -diff --git a/include/linux/netfilter/xt_LOG.h b/include/linux/netfilter/xt_LOG.h -new file mode 100644 -index 0000000000000..167d4ddd2476b ---- /dev/null -+++ b/include/linux/netfilter/xt_LOG.h -@@ -0,0 +1,20 @@ -+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ -+#ifndef _XT_LOG_H -+#define _XT_LOG_H -+ -+/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) 
*/ -+#define XT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ -+#define XT_LOG_TCPOPT 0x02 /* Log TCP options */ -+#define XT_LOG_IPOPT 0x04 /* Log IP options */ -+#define XT_LOG_UID 0x08 /* Log UID owning local socket */ -+#define XT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ -+#define XT_LOG_MACDECODE 0x20 /* Decode MAC header */ -+#define XT_LOG_MASK 0x2f -+ -+struct xt_log_info { -+ unsigned char level; -+ unsigned char logflags; -+ char prefix[30]; -+}; -+ -+#endif /* _XT_LOG_H */ -diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h -deleted file mode 100644 -index dcdbadf9fd4a9..0000000000000 ---- a/include/linux/netfilter_ipv4/ipt_LOG.h -+++ /dev/null -@@ -1,19 +0,0 @@ --#ifndef _IPT_LOG_H --#define _IPT_LOG_H -- --/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */ --#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ --#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */ --#define IPT_LOG_IPOPT 0x04 /* Log IP options */ --#define IPT_LOG_UID 0x08 /* Log UID owning local socket */ --#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */ --#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */ --#define IPT_LOG_MASK 0x2f -- --struct ipt_log_info { -- unsigned char level; -- unsigned char logflags; -- char prefix[30]; --}; -- --#endif /*_IPT_LOG_H*/ -diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h -deleted file mode 100644 -index 9dd5579e02ec7..0000000000000 ---- a/include/linux/netfilter_ipv6/ip6t_LOG.h -+++ /dev/null -@@ -1,19 +0,0 @@ --#ifndef _IP6T_LOG_H --#define _IP6T_LOG_H -- --/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) 
*/ --#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */ --#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */ --#define IP6T_LOG_IPOPT 0x04 /* Log IP options */ --#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */ --#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */ --#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */ --#define IP6T_LOG_MASK 0x2f -- --struct ip6t_log_info { -- unsigned char level; -- unsigned char logflags; -- char prefix[30]; --}; -- --#endif /*_IPT_LOG_H*/ --- -2.40.0 - diff --git a/0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch b/0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch deleted file mode 100644 index 8b20709..0000000 --- a/0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 1d37530ed4a9ece32ed94faa916845a883f8fd05 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 28 Feb 2023 18:09:25 +0100 -Subject: [PATCH] nft-restore: Fix for deletion of new, referenced rule - -Combining multiple corner-cases here: - -* Insert a rule before another new one which is not the first. Triggers - NFTNL_RULE_ID assignment of the latter. - -* Delete the referenced new rule in the same batch again. Causes - overwriting of the previously assigned RULE_ID. - -Consequently, iptables-nft-restore fails during *insert*, because the -reference is dangling. - -Reported-by: Eric Garver -Fixes: 760b35b46e4cc ("nft: Fix for add and delete of same rule in single batch") -Signed-off-by: Phil Sutter -Tested-by: Eric Garver -(cherry picked from commit 5fd85822bd12a02f1a921243f605fc6238d705b4) ---- - iptables/nft.c | 3 ++- - .../ipt-restore/0003-restore-ordering_0 | 16 ++++++++++++++++ - 2 files changed, 18 insertions(+), 1 deletion(-) - -diff --git a/iptables/nft.c b/iptables/nft.c -index 63468cf3b1344..5896fd410ca78 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -2343,7 +2343,8 @@ static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule *r) - - nftnl_rule_list_del(r); - -- if (!nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE)) -+ if (!nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE) && -+ !nftnl_rule_get_u32(r, NFTNL_RULE_ID)) - nftnl_rule_set_u32(r, NFTNL_RULE_ID, ++h->rule_id); - - obj = batch_rule_add(h, NFT_COMPAT_RULE_DELETE, r); -diff --git a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 -index 3f1d229e915ff..5482b7ea17298 100755 ---- a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 -+++ b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 -@@ -123,3 +123,19 @@ EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT - -A FORWARD -m comment --comment "rule 3" -j ACCEPT' - - diff -u -Z <(echo -e "$EXPECT") 
<(ipt_show) -+ -+# test adding, referencing and deleting the same rule in a batch -+ -+$XT_MULTI iptables-restore < -Date: Mon, 3 Apr 2023 23:13:47 +0200 -Subject: [PATCH] ip6tables: Fix checking existence of rule - -Pass the proper entry size when creating a match mask for checking the -existence of a rule. Failing to do so causes wrong results. - -Reported-by: Jonathan Caicedo -Fixes: eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables") -Signed-off-by: Markus Boehme -Signed-off-by: Phil Sutter -(cherry picked from commit 78850e7dba64a949c440dbdbe557f59409c6db48) ---- - iptables/ip6tables.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c -index 345af4519bfe7..9afc32c1a21ed 100644 ---- a/iptables/ip6tables.c -+++ b/iptables/ip6tables.c -@@ -331,7 +331,7 @@ check_entry(const xt_chainlabel chain, struct ip6t_entry *fw, - int ret = 1; - unsigned char *mask; - -- mask = make_delete_mask(matches, target, sizeof(fw)); -+ mask = make_delete_mask(matches, target, sizeof(*fw)); - for (i = 0; i < nsaddrs; i++) { - fw->ipv6.src = saddrs[i]; - fw->ipv6.smsk = smasks[i]; --- -2.40.0 - diff --git a/0014-nft-shared-Drop-unused-include.patch b/0014-nft-shared-Drop-unused-include.patch deleted file mode 100644 index c4274ca..0000000 --- a/0014-nft-shared-Drop-unused-include.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-From 1bf20a3bd929060cb9afdd798292f0463243e26d Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 29 Mar 2023 16:22:16 +0200
-Subject: [PATCH] nft-shared: Drop unused include
-
-Code does not refer to struct xt_comment_info anymore.
-
-Fixes: 3bb497c61d743 ("xtables: Fix for deleting rules with comment")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 465470184950d9035dcd1101c1f413f8a2051427)
----
- iptables/nft-shared.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
-index 4a7b5406892c4..4ba44a4aa4d17 100644
---- a/iptables/nft-shared.c
-+++ b/iptables/nft-shared.c
-@@ -22,7 +22,6 @@
- #include
-
- #include
--#include
- #include
- #include
- #include
---
-2.40.0
-
diff --git a/0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch b/0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch
deleted file mode 100644
index 5474f8a..0000000
--- a/0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9a4b3bde58819e55a2d852800e87e66629a87081 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 28 Apr 2023 14:33:43 +0200
-Subject: [PATCH] arptables: Fix parsing of inverted 'arp operation' match
-
-The wrong bit was set in 'invflags', probably due to copy'n'paste from
-the previous case.
-
-Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 092e4b022152addc94524e2ba0cb608dac1a3a08)
----
- iptables/nft-arp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
-index 210f43d2cefbe..8fae5adc50216 100644
---- a/iptables/nft-arp.c
-+++ b/iptables/nft-arp.c
-@@ -244,7 +244,7 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
- fw->arp.arhln = ar_hln;
- fw->arp.arhln_mask = 0xff;
- if (inv)
-- fw->arp.invflags |= IPT_INV_ARPOP;
-+ fw->arp.invflags |= IPT_INV_ARPHLN;
- break;
- case offsetof(struct arphdr, ar_pln):
- get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv);
---
-2.40.0
-
diff --git a/0016-arptables-Don-t-omit-standard-matches-if-inverted.patch b/0016-arptables-Don-t-omit-standard-matches-if-inverted.patch
deleted file mode 100644
index 1efb846..0000000
--- a/0016-arptables-Don-t-omit-standard-matches-if-inverted.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From a900100d6d4be7c52e4cfd1ab06ce3ac626d71a1 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 28 Apr 2023 14:37:47 +0200
-Subject: [PATCH] arptables: Don't omit standard matches if inverted
-
-Inverted --h-len and --h-type matches were omitted from output by
-accident if they matched on their standard value.
-
-Fixes: 84331e3ed3f8e ("arptables-nft: Don't print default h-len/h-type values")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 79f93b0943fa0e46ba29bb476362634509eb594e)
----
- iptables/nft-arp.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
-index 8fae5adc50216..df3ad430cf701 100644
---- a/iptables/nft-arp.c
-+++ b/iptables/nft-arp.c
-@@ -408,7 +408,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
-
- after_devdst:
-
-- if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6) {
-+ if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6 ||
-+ fw->arp.invflags & IPT_INV_ARPHLN) {
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHLN
- ? "! " : "");
- printf("--h-length %d", fw->arp.arhln);
-@@ -432,7 +433,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
- sep = " ";
- }
-
-- if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1)) {
-+ if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1) ||
-+ fw->arp.invflags & IPT_INV_ARPHRD) {
- uint16_t tmp = ntohs(fw->arp.arhrd);
-
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHRD
---
-2.40.0
-
diff --git a/0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch b/0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch
deleted file mode 100644
index 9c5cbd2..0000000
--- a/0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch
+++ /dev/null
@@ -1,211 +0,0 @@ -From 174ef8164bc3b1f9454f77b3747f1591ea5b5a9f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 28 Apr 2023 14:41:08 +0200 -Subject: [PATCH] xshared: Fix parsing of option arguments in same word - -When merging commandline parsers, a decision between 'argv[optind - 1]' -and 'optarg' had to be made in some spots. While the implementation of -check_inverse() required the former, use of the latter allows for the -common syntax of '--opt=arg' or even '-oarg' as 'optarg' will point at -the suffix while 'argv[optind - 1]' will just point at the following -option. - -Fix the mess by making check_inverse() update optarg pointer if needed -so calling code may refer to and always correct 'optarg'. - -Fixes: 0af80a91b0a98 ("nft: Merge xtables-arp-standalone.c into xtables-standalone.c") -Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1677 -Signed-off-by: Phil Sutter -(cherry picked from commit 90a7a183a208b691810b8519cc57d3d9d3b7eb60) ---- - extensions/libarpt_standard.t | 2 ++ - extensions/libxt_standard.t | 3 ++ - iptables/xshared.c | 61 +++++++++++++++++------------------ - 3 files changed, 35 insertions(+), 31 deletions(-) - -diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t -index e84a00b780488..007fa2b8335e8 100644 ---- a/extensions/libarpt_standard.t -+++ b/extensions/libarpt_standard.t -@@ -12,3 +12,5 @@ - -i lo --destination-mac 11:22:33:44:55:66;-i lo --dst-mac 11:22:33:44:55:66;OK - --source-mac Unicast;--src-mac 00:00:00:00:00:00/01:00:00:00:00:00;OK - ! --src-mac Multicast;! --src-mac 01:00:00:00:00:00/01:00:00:00:00:00;OK -+--src-mac=01:02:03:04:05:06 --dst-mac=07:08:09:0A:0B:0C --h-length=6 --opcode=Request --h-type=Ethernet --proto-type=ipv4;--src-mac 01:02:03:04:05:06 --dst-mac 07:08:09:0a:0b:0c --opcode 1 --proto-type 0x800;OK -+--src-mac ! 01:02:03:04:05:06 --dst-mac ! 07:08:09:0A:0B:0C --h-length ! 6 --opcode ! Request --h-type ! Ethernet --proto-type ! ipv4;! --src-mac 01:02:03:04:05:06 ! 
--dst-mac 07:08:09:0a:0b:0c ! --h-length 6 ! --opcode 1 ! --h-type 1 ! --proto-type 0x800;OK -diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t -index 56d6da2e5884e..6ed978e442b80 100644 ---- a/extensions/libxt_standard.t -+++ b/extensions/libxt_standard.t -@@ -21,3 +21,6 @@ - -s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK - -s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK - -s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK -+:FORWARD -+--protocol=tcp --source=1.2.3.4 --destination=5.6.7.8/32 --in-interface=eth0 --out-interface=eth1 --jump=ACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK -+-ptcp -s1.2.3.4 -d5.6.7.8/32 -ieth0 -oeth1 -jACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK -diff --git a/iptables/xshared.c b/iptables/xshared.c -index ac51fac5ce9ed..17aed04e02b09 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -1318,7 +1318,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg) - } - - static void check_inverse(struct xtables_args *args, const char option[], -- bool *invert, int *optidx, int argc) -+ bool *invert, int argc, char **argv) - { - switch (args->family) { - case NFPROTO_ARP: -@@ -1337,12 +1337,11 @@ static void check_inverse(struct xtables_args *args, const char option[], - xtables_error(PARAMETER_PROBLEM, - "Multiple `!' 
flags not allowed"); - *invert = true; -- if (optidx) { -- *optidx = *optidx + 1; -- if (argc && *optidx > argc) -- xtables_error(PARAMETER_PROBLEM, -- "no argument following `!'"); -- } -+ optind++; -+ if (optind > argc) -+ xtables_error(PARAMETER_PROBLEM, "no argument following `!'"); -+ -+ optarg = argv[optind - 1]; - } - - static const char *optstring_lookup(int family) -@@ -1555,16 +1554,16 @@ void do_parse(int argc, char *argv[], - * Option selection - */ - case 'p': -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_PROTOCOL, - &args->invflags, invert); - - /* Canonicalize into lower case */ -- for (cs->protocol = argv[optind - 1]; -+ for (cs->protocol = optarg; - *cs->protocol; cs->protocol++) - *cs->protocol = tolower(*cs->protocol); - -- cs->protocol = argv[optind - 1]; -+ cs->protocol = optarg; - args->proto = xtables_parse_protocol(cs->protocol); - - if (args->proto == 0 && -@@ -1578,17 +1577,17 @@ void do_parse(int argc, char *argv[], - break; - - case 's': -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_SOURCE, - &args->invflags, invert); -- args->shostnetworkmask = argv[optind - 1]; -+ args->shostnetworkmask = optarg; - break; - - case 'd': -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_DESTINATION, - &args->invflags, invert); -- args->dhostnetworkmask = argv[optind - 1]; -+ args->dhostnetworkmask = optarg; - break; - - #ifdef IPT_F_GOTO -@@ -1601,71 +1600,71 @@ void do_parse(int argc, char *argv[], - #endif - - case 2:/* src-mac */ -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_S_MAC, &args->invflags, - invert); -- args->src_mac = argv[optind - 1]; -+ args->src_mac = optarg; - break; - - 
case 3:/* dst-mac */ -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_D_MAC, &args->invflags, - invert); -- args->dst_mac = argv[optind - 1]; -+ args->dst_mac = optarg; - break; - - case 'l':/* hardware length */ -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_H_LENGTH, &args->invflags, - invert); -- args->arp_hlen = argv[optind - 1]; -+ args->arp_hlen = optarg; - break; - - case 8: /* was never supported, not even in arptables-legacy */ - xtables_error(PARAMETER_PROBLEM, "not supported"); - case 4:/* opcode */ -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_OPCODE, &args->invflags, - invert); -- args->arp_opcode = argv[optind - 1]; -+ args->arp_opcode = optarg; - break; - - case 5:/* h-type */ -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_H_TYPE, &args->invflags, - invert); -- args->arp_htype = argv[optind - 1]; -+ args->arp_htype = optarg; - break; - - case 6:/* proto-type */ -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_P_TYPE, &args->invflags, - invert); -- args->arp_ptype = argv[optind - 1]; -+ args->arp_ptype = optarg; - break; - - case 'j': - set_option(&cs->options, OPT_JUMP, &args->invflags, - invert); -- command_jump(cs, argv[optind - 1]); -+ command_jump(cs, optarg); - break; - - case 'i': - check_empty_interface(args, optarg); -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_VIANAMEIN, - &args->invflags, invert); -- xtables_parse_interface(argv[optind - 1], -+ xtables_parse_interface(optarg, - args->iniface, - 
args->iniface_mask); - break; - - case 'o': - check_empty_interface(args, optarg); -- check_inverse(args, optarg, &invert, &optind, argc); -+ check_inverse(args, optarg, &invert, argc, argv); - set_option(&cs->options, OPT_VIANAMEOUT, - &args->invflags, invert); -- xtables_parse_interface(argv[optind - 1], -+ xtables_parse_interface(optarg, - args->outiface, - args->outiface_mask); - break; --- -2.40.0 - diff --git a/iptables.spec b/iptables.spec index 57a50f4..e37c5e6 100644 --- a/iptables.spec +++ b/iptables.spec @@ -10,8 +10,8 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables -Version: 1.8.9 -Release: 6%{?dist} +Version: 1.8.10 +Release: 1%{?dist} Source: %{url}/files/%{name}-%{version}.tar.xz Source1: iptables.init Source2: iptables-config 
@@ -20,24 +20,6 @@ Source4: sysconfig_iptables Source5: sysconfig_ip6tables Source6: arptables-nft-helper -Patch001: 0001-extensions-NAT-Fix-for-Werror-format-security.patch -Patch002: 0002-etc-Drop-xtables.conf.patch -Patch003: 0003-Proper-fix-for-unknown-argument-error-message.patch -Patch004: 0004-ebtables-Refuse-unselected-targets-options.patch -Patch005: 0005-tests-xlate-Properly-split-input-in-replay-mode.patch -Patch006: 0006-extensions-libebt_redirect-Fix-target-translation.patch -Patch007: 0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch -Patch008: 0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch -Patch009: 0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch -Patch010: 0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch -Patch011: 0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch -Patch012: 0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch -Patch013: 0013-ip6tables-Fix-checking-existence-of-rule.patch -Patch014: 0014-nft-shared-Drop-unused-include.patch -Patch015: 0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch -Patch016: 0016-arptables-Don-t-omit-standard-matches-if-inverted.patch -Patch017: 0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch - # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 License: GPL-2.0-only AND Artistic-2.0 AND ISC @@ -54,7 +36,7 @@ BuildRequires: bison BuildRequires: flex BuildRequires: gcc BuildRequires: pkgconfig(libmnl) >= 1.0 -BuildRequires: pkgconfig(libnftnl) >= 1.1.6 +BuildRequires: pkgconfig(libnftnl) >= 1.2.6 # libpcap-devel for nfbpf_compile BuildRequires: libpcap-devel BuildRequires: autoconf 
@@ -67,17 +49,6 @@ The iptables utility controls the network packet filtering code in the Linux kernel. If you need to set up firewalls and/or IP masquerading, you should install this package. -%package compat -Summary: Temporary transitioning package -Obsoletes: %{name} < 1.8.7-4 -Requires: %{name}-legacy = %{version}-%{release} -Requires: %{name}-utils = %{version}-%{release} - -%description compat -This package only exists to help transition iptables users to the new -package split. It will be removed after one distribution release cycle, please -do not reference it or depend on it in any way. - %package legacy Summary: Legacy tools for managing Linux kernel packet filtering capabilities Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release} @@ -252,9 +223,6 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/ebtables.8 -# Drop xtables.conf, it's not used -rm -f %{buildroot}%{_sysconfdir}/xtables.conf - # fix absolute symlink rm -f %{buildroot}%{_bindir}/iptables-xml ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml @@ -371,8 +339,6 @@ if [ $1 -eq 0 ]; then done fi -%files compat - %files legacy %{_sbindir}/ip{,6}tables-legacy* %{_sbindir}/xtables-legacy-multi @@ -447,6 +413,10 @@ fi %changelog +* Tue Oct 10 2023 Phil Sutter - 1.8.10-1 +- New version 1.8.10 +- Drop compat sub-package + * Tue Aug 15 2023 Phil Sutter - 1.8.9-6 - Convert license to SPDX format diff --git a/sources b/sources index fef1030..59e259b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (iptables-1.8.9.tar.xz) = e367bf286135e39b7401e852de25c1ed06d44befdffd92ed1566eb2ae9704b48ac9196cb971f43c6c83c6ad4d910443d32064bcdf618cfcef6bcab113e31ff70 +SHA512 (iptables-1.8.10.tar.xz) = 71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153
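Review bot: Removing `%package compat` in the `@@ -67,17 +49,6 @@` hunk leaves nothing in the spec that obsoletes the dropped sub-package, so a host that still has iptables-compat installed keeps its `Requires: %{name}-legacy = %{version}-%{release}` and `Requires: %{name}-utils = %{version}-%{release}`, and the upgrade to 1.8.10-1 cannot resolve without that package being erased explicitly. The removed description says the package was meant to last one release cycle, so this may be intentional, but the diff does not show which older installs can still be upgraded from. If that window is not certainly closed, adding `Obsoletes: %{name}-compat < %{version}-%{release}` to the `legacy` sub-package (the one compat pulled in) gives a clean upgrade path; the matching `%files compat` removal in `@@ -371,8 +339,6 @@` is fine either way.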