import iptables-1.8.4-22.el8

SOURCES/0059-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch

@@ -0,0 +1,130 @@
+From 947e9c06a863c47e91a46d2cce90c677a90e4d09 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 28 Jul 2021 17:53:53 +0200
+Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options
+
+Drop any reference to them (and the environment variable) but list them
+in BUGS section hinting at ebtables-save and -restore tools.
+
+Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39)
+---
+ iptables/ebtables-nft.8 | 64 ++++++-----------------------------------
+ 1 file changed, 8 insertions(+), 56 deletions(-)
+
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+index 1fa5ad9388cc0..08e9766f2cc74 100644
+--- a/iptables/ebtables-nft.8
++++ b/iptables/ebtables-nft.8
+@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
+ .br
+ .BR "ebtables " [ -t " table ] " --init-table
+ .br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
+-.br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
+-.br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
+-.br
+ 
+ .SH DESCRIPTION
+ .B ebtables
+@@ -149,11 +143,9 @@ a table, the commands apply to the default filter table.
+ Only one command may be used on the command line at a time, except when
+ the commands
+ .BR -L " and " -Z
+-are combined, the commands
++are combined or the commands
+ .BR -N " and " -P
+-are combined, or when
+-.B --atomic-file
+-is used.
++are combined.
+ .TP
+ .B "-A, --append"
+ Append a rule to the end of the selected chain.
+@@ -313,39 +305,6 @@ of the ebtables kernel table.
+ .TP
+ .B "--init-table"
+ Replace the current table data by the initial table data.
+-.TP
+-.B "--atomic-init"
+-Copy the kernel's initial data of the table to the specified
+-file. This can be used as the first action, after which rules are added
+-to the file. The file can be specified using the
+-.B --atomic-file
+-command or through the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+-.B "--atomic-save"
+-Copy the kernel's current data of the table to the specified
+-file. This can be used as the first action, after which rules are added
+-to the file. The file can be specified using the
+-.B --atomic-file
+-command or through the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+-.B "--atomic-commit"
+-Replace the kernel table data with the data contained in the specified
+-file. This is a useful command that allows you to load all your rules of a
+-certain table into the kernel at once, saving the kernel a lot of precious
+-time and allowing atomic updates of the tables. The file which contains
+-the table data is constructed by using either the
+-.B "--atomic-init"
+-or the
+-.B "--atomic-save"
+-command to generate a starting file. After that, using the
+-.B "--atomic-file"
+-command when constructing rules or setting the
+-.IR EBTABLES_ATOMIC_FILE " environment variable"
+-allows you to extend the file and build the complete table before
+-committing it to the kernel. This command can be very useful in boot scripts
+-to populate the ebtables tables in a fast way.
+ .SS MISCELLANOUS COMMANDS
+ .TP
+ .B "-V, --version"
+@@ -371,16 +330,6 @@ a target extension (see
+ .BR "TARGET EXTENSIONS" ")"
+ or a user-defined chain name.
+ .TP
+-.B --atomic-file "\fIfile\fP"
+-Let the command operate on the specified
+-.IR file .
+-The data of the table to
+-operate on will be extracted from the file and the result of the operation
+-will be saved back into the file. If specified, this option should come
+-before the command specification. An alternative that should be preferred,
+-is setting the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+ .B -M, --modprobe "\fIprogram\fP"
+ When talking to the kernel, use this
+ .I program
+@@ -1100,8 +1049,6 @@ arp message and the hardware address length in the arp header is 6 bytes.
+ .br
+ .SH FILES
+ .I /etc/ethertypes
+-.SH ENVIRONMENT VARIABLES
+-.I EBTABLES_ATOMIC_FILE
+ .SH MAILINGLISTS
+ .BR "" "See " http://netfilter.org/mailinglists.html
+ .SH BUGS
+@@ -1109,7 +1056,12 @@ The version of ebtables this man page ships with does not support the
+ .B broute
+ table. Also there is no support for
+ .B string
+-match. And finally, this list is probably not complete.
++match. Further, support for atomic-options
++.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit )
++has not been implemented, although
++.BR ebtables-save " and " ebtables-restore
++might replace them entirely given the inherent atomicity of nftables.
++Finally, this list is probably not complete.
+ .SH SEE ALSO
+ .BR xtables-nft "(8), " iptables "(8), " ip (8)
+ .PP
+-- 
+2.33.0
+

SOURCES/0060-ebtables-Dump-atomic-waste.patch

@@ -0,0 +1,102 @@
+From c1eaf1738533eeec3dc1bdc2285dbf28c68d5042 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 30 Jul 2021 12:25:10 +0200
+Subject: [PATCH] ebtables: Dump atomic waste
+
+With ebtables-nft.8 now educating people about the missing
+functionality, get rid of atomic remains in source code. This eliminates
+mostly comments except for --atomic-commit which was treated as alias of
+--init-table. People not using the latter are probably trying to
+atomic-commit from an atomic-file which in turn is not supported, so no
+point keeping it.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0)
+---
+ iptables/xtables-eb.c | 53 -------------------------------------------
+ 1 file changed, 53 deletions(-)
+
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index c006bc95ac681..b836616ed0259 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -262,10 +262,6 @@ struct option ebt_original_options[] =
+ 	{ "new-chain"      , required_argument, 0, 'N' },
+ 	{ "rename-chain"   , required_argument, 0, 'E' },
+ 	{ "delete-chain"   , optional_argument, 0, 'X' },
+-	{ "atomic-init"    , no_argument      , 0, 7   },
+-	{ "atomic-commit"  , no_argument      , 0, 8   },
+-	{ "atomic-file"    , required_argument, 0, 9   },
+-	{ "atomic-save"    , no_argument      , 0, 10  },
+ 	{ "init-table"     , no_argument      , 0, 11  },
+ 	{ "concurrent"     , no_argument      , 0, 13  },
+ 	{ 0 }
+@@ -371,10 +367,6 @@ static void print_help(const struct xtables_target *t,
+ "--new-chain -N chain          : create a user defined chain\n"
+ "--rename-chain -E old new     : rename a chain\n"
+ "--delete-chain -X [chain]     : delete a user defined chain\n"
+-"--atomic-commit               : update the kernel w/t table contained in <FILE>\n"
+-"--atomic-init                 : put the initial kernel table into <FILE>\n"
+-"--atomic-save                 : put the current kernel table into <FILE>\n"
+-"--atomic-file file            : set <FILE> to file\n\n"
+ "Options:\n"
+ "--proto  -p [!] proto         : protocol hexadecimal, by name or LENGTH\n"
+ "--src    -s [!] address[/mask]: source mac address\n"
+@@ -1116,54 +1108,9 @@ print_zero:
+ 					       "Use --Lmac2 with -L");
+ 			flags |= LIST_MAC2;
+ 			break;
+-		case 8 : /* atomic-commit */
+-/*
+-			replace->command = c;
+-			if (OPT_COMMANDS)
+-				ebt_print_error2("Multiple commands are not allowed");
+-			replace->flags |= OPT_COMMAND;
+-			if (!replace->filename)
+-				ebt_print_error2("No atomic file specified");*/
+-			/* Get the information from the file */
+-			/*ebt_get_table(replace, 0);*/
+-			/* We don't want the kernel giving us its counters,
+-			 * they would overwrite the counters extracted from
+-			 * the file */
+-			/*replace->num_counters = 0;*/
+-			/* Make sure the table will be written to the kernel */
+-			/*free(replace->filename);
+-			replace->filename = NULL;
+-			break;*/
+-		/*case 7 :*/ /* atomic-init */
+-		/*case 10:*/ /* atomic-save */
+ 		case 11: /* init-table */
+ 			nft_table_flush(h, *table);
+ 			return 1;
+-		/*
+-			replace->command = c;
+-			if (OPT_COMMANDS)
+-				ebt_print_error2("Multiple commands are not allowed");
+-			if (c != 11 && !replace->filename)
+-				ebt_print_error2("No atomic file specified");
+-			replace->flags |= OPT_COMMAND;
+-			{
+-				char *tmp = replace->filename;*/
+-
+-				/* Get the kernel table */
+-				/*replace->filename = NULL;
+-				ebt_get_kernel_table(replace, c == 10 ? 0 : 1);
+-				replace->filename = tmp;
+-			}
+-			break;
+-		case 9 :*/ /* atomic */
+-			/*
+-			if (OPT_COMMANDS)
+-				ebt_print_error2("--atomic has to come before the command");*/
+-			/* A possible memory leak here, but this is not
+-			 * executed in daemon mode */
+-			/*replace->filename = (char *)malloc(strlen(optarg) + 1);
+-			strcpy(replace->filename, optarg);
+-			break; */
+ 		case 13 :
+ 			break;
+ 		case 1 :
+-- 
+2.33.0
+

SOURCES/0061-extensions-hashlimit-Fix-tests-with-HZ-100.patch

@@ -0,0 +1,41 @@
+From ec4a91ac53e4dba210daa9bb3af9e09532c86b06 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 9 Aug 2021 18:48:58 +0200
+Subject: [PATCH] extensions: hashlimit: Fix tests with HZ=100
+
+With the kernel ticking at 100Hz, a limit of 1/day with burst 5 does not
+overflow in kernel, making the test unstable depending on kernel config.
+Change it to not overflow with 1000Hz either by increasing the burst
+value by a factor of 100.
+
+Fixes: fcf9f6f25db11 ("extensions: libxt_hashlimit: add unit test")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit bef9dc575625a98a5e6ed8ca37e49031cdba5937)
+---
+ extensions/libxt_hashlimit.t | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
+index ccd0d1e6a2a1a..8369933786f68 100644
+--- a/extensions/libxt_hashlimit.t
++++ b/extensions/libxt_hashlimit.t
+@@ -3,14 +3,12 @@
+ -m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
+--m hashlimit --hashlimit-above 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
++-m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
+--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
++-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+-- 
+2.33.0
+

SOURCES/0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch

@@ -0,0 +1,47 @@
+From 41660ba1faea8b7ebd71e94c70ef175a75ab91cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Mon, 8 Nov 2021 17:03:21 +0100
+Subject: [PATCH] extensions: hashlimit: Fix tests with HZ=1000
+
+In an attempt to fix for failing hashlimit tests with HZ=100, the
+expected failures were changed so they are expected to pass and the
+parameters changed to seemingly fix them. Yet while the new parameters
+worked on HZ=100 systems, with higher tick rates they didn't so the
+observed problem moved from the test failing on HZ=100 to failing on
+HZ=1000 instead.
+
+Kernel's error message "try lower: 864000000/5" turned out to be a red
+herring: The burst value does not act as a dividor but a multiplier
+instead, so in order to lower the overflow-checked value, a lower burst
+value must be chosen. Inded, using a burst value of 1 makes the kernel
+accept the rule in both HZ=100 and HZ=1000 configurations.
+
+Fixes: bef9dc575625a ("extensions: hashlimit: Fix tests with HZ=100")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 1eab8e83aec0e6965f11f8cad460add1caeae629)
+---
+ extensions/libxt_hashlimit.t | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
+index 8369933786f68..206d92935f2e2 100644
+--- a/extensions/libxt_hashlimit.t
++++ b/extensions/libxt_hashlimit.t
+@@ -3,12 +3,12 @@
+ -m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+--m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
++-m hashlimit --hashlimit-above 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
++-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+-- 
+2.33.0
+

SPECS/iptables.spec

@@ -17,7 +17,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.4
-Release: 20%{?dist}
+Release: 22%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -92,6 +92,10 @@ Patch55: 0055-extensions-sctp-Fix-nftables-translation.patch
 Patch56: 0056-extensions-sctp-Translate-chunk-types-option.patch
 Patch57: 0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 Patch58: 0058-nft-cache-Retry-if-kernel-returns-EINTR.patch
+Patch59: 0059-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
+Patch60: 0060-ebtables-Dump-atomic-waste.patch
+Patch61: 0061-extensions-hashlimit-Fix-tests-with-HZ-100.patch
+Patch62: 0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -500,6 +504,14 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 
 %changelog
+* Mon Nov 29 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-22
+- extensions: hashlimit: Fix tests with HZ=1000
+
+* Thu Oct 07 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-21
+- extensions: hashlimit: Fix tests with HZ=100
+- ebtables: Dump atomic waste
+- doc: ebtables-nft.8: Adjust for missing atomic-options
+
 * Wed Aug 04 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-20
 - extensions: SECMARK: Use a better context in test case
 - extensions: sctp: Translate --chunk-types option