import iptables-1.8.7-28.el9

SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch

@@ -0,0 +1,177 @@
+From 6415593af4223ea082e0086ec1088f0eacfbce78 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 29 Apr 2021 15:28:59 +0200
+Subject: [PATCH] extensions: SECMARK: Implement revision 1
+
+The changed data structure for communication with kernel allows to
+exclude the field 'secid' which is populated on kernel side. Thus
+this fixes the formerly always failing extension comparison breaking
+rule check and rule delete by content.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
+---
+ extensions/libxt_SECMARK.c           | 90 +++++++++++++++++++++-------
+ extensions/libxt_SECMARK.t           |  4 ++
+ include/linux/netfilter/xt_SECMARK.h |  6 ++
+ 3 files changed, 80 insertions(+), 20 deletions(-)
+ create mode 100644 extensions/libxt_SECMARK.t
+
+diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
+index 6ba8606355daa..24249bd618ffe 100644
+--- a/extensions/libxt_SECMARK.c
++++ b/extensions/libxt_SECMARK.c
+@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
+ 	XTOPT_TABLEEND,
+ };
+ 
++static const struct xt_option_entry SECMARK_opts_v1[] = {
++	{.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
++	 .flags = XTOPT_MAND | XTOPT_PUT,
++	 XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
++	XTOPT_TABLEEND,
++};
++
+ static void SECMARK_parse(struct xt_option_call *cb)
+ {
+ 	struct xt_secmark_target_info *info = cb->data;
+@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
+ 	info->mode = SECMARK_MODE_SEL;
+ }
+ 
+-static void print_secmark(const struct xt_secmark_target_info *info)
++static void SECMARK_parse_v1(struct xt_option_call *cb)
++{
++	struct xt_secmark_target_info_v1 *info = cb->data;
++
++	xtables_option_parse(cb);
++	info->mode = SECMARK_MODE_SEL;
++}
++
++static void print_secmark(__u8 mode, const char *secctx)
+ {
+-	switch (info->mode) {
++	switch (mode) {
+ 	case SECMARK_MODE_SEL:
+-		printf("selctx %s", info->secctx);
++		printf("selctx %s", secctx);
+ 		break;
+-	
++
+ 	default:
+-		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
++		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
+ 	}
+ }
+ 
+@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
+ 		(struct xt_secmark_target_info*)(target)->data;
+ 
+ 	printf(" SECMARK ");
+-	print_secmark(info);
++	print_secmark(info->mode, info->secctx);
++}
++
++static void SECMARK_print_v1(const void *ip,
++			     const struct xt_entry_target *target, int numeric)
++{
++	const struct xt_secmark_target_info_v1 *info =
++		(struct xt_secmark_target_info_v1 *)(target)->data;
++
++	printf(" SECMARK ");
++	print_secmark(info->mode, info->secctx);
+ }
+ 
+ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+ 		(struct xt_secmark_target_info*)target->data;
+ 
+ 	printf(" --");
+-	print_secmark(info);
++	print_secmark(info->mode, info->secctx);
+ }
+ 
+-static struct xtables_target secmark_target = {
+-	.family		= NFPROTO_UNSPEC,
+-	.name		= "SECMARK",
+-	.version	= XTABLES_VERSION,
+-	.revision	= 0,
+-	.size		= XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+-	.userspacesize	= XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+-	.help		= SECMARK_help,
+-	.print		= SECMARK_print,
+-	.save		= SECMARK_save,
+-	.x6_parse	= SECMARK_parse,
+-	.x6_options	= SECMARK_opts,
++static void SECMARK_save_v1(const void *ip,
++			    const struct xt_entry_target *target)
++{
++	const struct xt_secmark_target_info_v1 *info =
++		(struct xt_secmark_target_info_v1 *)target->data;
++
++	printf(" --");
++	print_secmark(info->mode, info->secctx);
++}
++
++static struct xtables_target secmark_tg_reg[] = {
++	{
++		.family		= NFPROTO_UNSPEC,
++		.name		= "SECMARK",
++		.version	= XTABLES_VERSION,
++		.revision	= 0,
++		.size		= XT_ALIGN(sizeof(struct xt_secmark_target_info)),
++		.userspacesize	= XT_ALIGN(sizeof(struct xt_secmark_target_info)),
++		.help		= SECMARK_help,
++		.print		= SECMARK_print,
++		.save		= SECMARK_save,
++		.x6_parse	= SECMARK_parse,
++		.x6_options	= SECMARK_opts,
++	},
++	{
++		.family		= NFPROTO_UNSPEC,
++		.name		= "SECMARK",
++		.version	= XTABLES_VERSION,
++		.revision	= 1,
++		.size		= XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
++		.userspacesize	= XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
++		.help		= SECMARK_help,
++		.print		= SECMARK_print_v1,
++		.save		= SECMARK_save_v1,
++		.x6_parse	= SECMARK_parse_v1,
++		.x6_options	= SECMARK_opts_v1,
++	}
+ };
+ 
+ void _init(void)
+ {
+-	xtables_register_target(&secmark_target);
++	xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ }
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+new file mode 100644
+index 0000000000000..39d4c09348bf4
+--- /dev/null
++++ b/extensions/libxt_SECMARK.t
+@@ -0,0 +1,4 @@
++:INPUT,FORWARD,OUTPUT
++*security
++-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
++-j SECMARK;;FAIL
+diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
+index 989092bd6274b..31760a286a854 100644
+--- a/include/linux/netfilter/xt_SECMARK.h
++++ b/include/linux/netfilter/xt_SECMARK.h
+@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
+ 	char secctx[SECMARK_SECCTX_MAX];
+ };
+ 
++struct xt_secmark_target_info_v1 {
++	__u8 mode;
++	char secctx[SECMARK_SECCTX_MAX];
++	__u32 secid;
++};
++
+ #endif /*_XT_SECMARK_H_target */
+-- 
+2.34.1
+

SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch

@@ -0,0 +1,26 @@
+From 45664de1be104ce9716227a0ad11ef2343ece3df Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 16 Jul 2021 21:51:49 +0200
+Subject: [PATCH] extensions: SECMARK: Use a better context in test case
+
+RHEL SELinux policies don't allow setting
+system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
+'packet_type' attribute (identified via
+'seinfo -xt | grep packet_type').
+---
+ extensions/libxt_SECMARK.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+index 39d4c09348bf4..295e7a7244902 100644
+--- a/extensions/libxt_SECMARK.t
++++ b/extensions/libxt_SECMARK.t
+@@ -1,4 +1,4 @@
+ :INPUT,FORWARD,OUTPUT
+ *security
+--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
++-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
+ -j SECMARK;;FAIL
+-- 
+2.34.1
+

SPECS/iptables.spec

@@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 26%{?dist}
+Release: 28%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -53,6 +53,8 @@ Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
 Patch22: 0022-ebtables-Dump-atomic-waste.patch
 Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
 Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
+Patch25: 0025-extensions-SECMARK-Implement-revision-1.patch
+Patch26: 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -468,6 +470,12 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 
 %changelog
+* Wed Feb 16 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-28
+- extensions: SECMARK: Use a better context in test case
+
+* Fri Jan 28 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-27
+- extensions: SECMARK: Implement revision 1
+
 * Mon Oct 11 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-26
 - tests/shell: Assert non-verbose mode is silent
 - nft: Fix for non-verbose check command