import iptables-1.8.7-26.el9
parent
625178622b
commit
afe73678d8
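--- a/SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
+++ b/SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
@@ -0,0 +1,31 @@
+From 000c159641522abf56ccb4deebfc558e8bb41302 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 31 Aug 2021 12:26:20 +0200
+Subject: [PATCH] nft: Use xtables_malloc() in mnl_err_list_node_add()
+
+The function called malloc() without checking for memory allocation
+failure. Simply replace the call by xtables_malloc() to fix that.
+
+Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit ca11c7b7036b5821c17b8d08dc2a29f55b461a93)
+---
+iptables/nft.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index f1deb82f87576..83054e528cae1 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -143,7 +143,7 @@ struct mnl_err {
+static void mnl_err_list_node_add(struct list_head *err_list, int error,
+int seqnum)
+{
+- struct mnl_err *err = malloc(sizeof(struct mnl_err));
++ struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));
+
+err->seqnum = seqnum;
+err->err = error;
+--
+2.33.0
+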
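Review bot: The new allocation `struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));` spells the size through the type name, so a later change to the type of `err` would leave the size silently stale; the idiomatic form is `struct mnl_err *err = xtables_malloc(sizeof *err);`. The swap also changes the failure mode: since mnl_err_list_node_add is void and the commit message only says the wrapper "checks" the allocation, xtables_malloc presumably terminates the process on OOM rather than reporting an error, which is acceptable for a CLI tool but worth stating in a one-line comment at the call. mnl_err_list_node_add's body continues past the end of the hunk.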
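--- a/SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
+++ b/SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
@@ -0,0 +1,130 @@
+From f73416517ac7bb6868ff4c0199fcd4327c9dffa5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 28 Jul 2021 17:53:53 +0200
+Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options
+
+Drop any reference to them (and the environment variable) but list them
+in BUGS section hinting at ebtables-save and -restore tools.
+
+Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39)
+---
+iptables/ebtables-nft.8 | 64 ++++++-----------------------------------
+1 file changed, 8 insertions(+), 56 deletions(-)
+
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+index 5bdc0bb8a939e..85f6738d7d1aa 100644
+--- a/iptables/ebtables-nft.8
++++ b/iptables/ebtables-nft.8
+@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
+.br
+.BR "ebtables " [ -t " table ] " --init-table
+.br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
+-.br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
+-.br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
+-.br
+
+.SH DESCRIPTION
+.PP
+@@ -162,11 +156,9 @@ a table, the commands apply to the default filter table.
+Only one command may be used on the command line at a time, except when
+the commands
+.BR -L " and " -Z
+-are combined, the commands
++are combined or the commands
+.BR -N " and " -P
+-are combined, or when
+-.B --atomic-file
+-is used.
++are combined.
+.TP
+.B "-A, --append"
+Append a rule to the end of the selected chain.
+@@ -326,39 +318,6 @@ of the ebtables kernel table.
+.TP
+.B "--init-table"
+Replace the current table data by the initial table data.
+-.TP
+-.B "--atomic-init"
+-Copy the kernel's initial data of the table to the specified
+-file. This can be used as the first action, after which rules are added
+-to the file. The file can be specified using the
+-.B --atomic-file
+-command or through the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+-.B "--atomic-save"
+-Copy the kernel's current data of the table to the specified
+-file. This can be used as the first action, after which rules are added
+-to the file. The file can be specified using the
+-.B --atomic-file
+-command or through the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+-.B "--atomic-commit"
+-Replace the kernel table data with the data contained in the specified
+-file. This is a useful command that allows you to load all your rules of a
+-certain table into the kernel at once, saving the kernel a lot of precious
+-time and allowing atomic updates of the tables. The file which contains
+-the table data is constructed by using either the
+-.B "--atomic-init"
+-or the
+-.B "--atomic-save"
+-command to generate a starting file. After that, using the
+-.B "--atomic-file"
+-command when constructing rules or setting the
+-.IR EBTABLES_ATOMIC_FILE " environment variable"
+-allows you to extend the file and build the complete table before
+-committing it to the kernel. This command can be very useful in boot scripts
+-to populate the ebtables tables in a fast way.
+.SS MISCELLANOUS COMMANDS
+.TP
+.B "-V, --version"
+@@ -384,16 +343,6 @@ a target extension (see
+.BR "TARGET EXTENSIONS" ")"
+or a user-defined chain name.
+.TP
+-.B --atomic-file "\fIfile\fP"
+-Let the command operate on the specified
+-.IR file .
+-The data of the table to
+-operate on will be extracted from the file and the result of the operation
+-will be saved back into the file. If specified, this option should come
+-before the command specification. An alternative that should be preferred,
+-is setting the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+.B -M, --modprobe "\fIprogram\fP"
+When talking to the kernel, use this
+.I program
+@@ -1113,8 +1062,6 @@ arp message and the hardware address length in the arp header is 6 bytes.
+.br
+.SH FILES
+.I /etc/ethertypes
+-.SH ENVIRONMENT VARIABLES
+-.I EBTABLES_ATOMIC_FILE
+.SH MAILINGLISTS
+.BR "" "See " http://netfilter.org/mailinglists.html
+.SH BUGS
+@@ -1122,7 +1069,12 @@ The version of ebtables this man page ships with does not support the
+.B broute
+table. Also there is no support for
+.B string
+-match. And finally, this list is probably not complete.
++match. Further, support for atomic-options
++.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit )
++has not been implemented, although
++.BR ebtables-save " and " ebtables-restore
++might replace them entirely given the inherent atomicity of nftables.
++Finally, this list is probably not complete.
+.SH SEE ALSO
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
+.PP
+--
+2.33.0
+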
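--- a/SOURCES/0022-ebtables-Dump-atomic-waste.patch
+++ b/SOURCES/0022-ebtables-Dump-atomic-waste.patch
@@ -0,0 +1,102 @@
+From cb68daac1f24c94a48450a683a5f765dc00da164 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 30 Jul 2021 12:25:10 +0200
+Subject: [PATCH] ebtables: Dump atomic waste
+
+With ebtables-nft.8 now educating people about the missing
+functionality, get rid of atomic remains in source code. This eliminates
+mostly comments except for --atomic-commit which was treated as alias of
+--init-table. People not using the latter are probably trying to
+atomic-commit from an atomic-file which in turn is not supported, so no
+point keeping it.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0)
+---
+iptables/xtables-eb.c | 53 -------------------------------------------
+1 file changed, 53 deletions(-)
+
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 5bb34d6d292a9..aeb4d92166431 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -211,10 +211,6 @@ struct option ebt_original_options[] =
+{ "new-chain" , required_argument, 0, 'N' },
+{ "rename-chain" , required_argument, 0, 'E' },
+{ "delete-chain" , optional_argument, 0, 'X' },
+- { "atomic-init" , no_argument , 0, 7 },
+- { "atomic-commit" , no_argument , 0, 8 },
+- { "atomic-file" , required_argument, 0, 9 },
+- { "atomic-save" , no_argument , 0, 10 },
+{ "init-table" , no_argument , 0, 11 },
+{ "concurrent" , no_argument , 0, 13 },
+{ 0 }
+@@ -320,10 +316,6 @@ static void print_help(const struct xtables_target *t,
+"--new-chain -N chain : create a user defined chain\n"
+"--rename-chain -E old new : rename a chain\n"
+"--delete-chain -X [chain] : delete a user defined chain\n"
+-"--atomic-commit : update the kernel w/t table contained in <FILE>\n"
+-"--atomic-init : put the initial kernel table into <FILE>\n"
+-"--atomic-save : put the current kernel table into <FILE>\n"
+-"--atomic-file file : set <FILE> to file\n\n"
+"Options:\n"
+"--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n"
+"--src -s [!] address[/mask]: source mac address\n"
+@@ -1088,54 +1080,9 @@ print_zero:
+"Use --Lmac2 with -L");
+flags |= LIST_MAC2;
+break;
+- case 8 : /* atomic-commit */
+-/*
+- replace->command = c;
+- if (OPT_COMMANDS)
+- ebt_print_error2("Multiple commands are not allowed");
+- replace->flags |= OPT_COMMAND;
+- if (!replace->filename)
+- ebt_print_error2("No atomic file specified");*/
+- /* Get the information from the file */
+- /*ebt_get_table(replace, 0);*/
+- /* We don't want the kernel giving us its counters,
+- * they would overwrite the counters extracted from
+- * the file */
+- /*replace->num_counters = 0;*/
+- /* Make sure the table will be written to the kernel */
+- /*free(replace->filename);
+- replace->filename = NULL;
+- break;*/
+- /*case 7 :*/ /* atomic-init */
+- /*case 10:*/ /* atomic-save */
+case 11: /* init-table */
+nft_cmd_table_flush(h, *table, false);
+return 1;
+- /*
+- replace->command = c;
+- if (OPT_COMMANDS)
+- ebt_print_error2("Multiple commands are not allowed");
+- if (c != 11 && !replace->filename)
+- ebt_print_error2("No atomic file specified");
+- replace->flags |= OPT_COMMAND;
+- {
+- char *tmp = replace->filename;*/
+-
+- /* Get the kernel table */
+- /*replace->filename = NULL;
+- ebt_get_kernel_table(replace, c == 10 ? 0 : 1);
+- replace->filename = tmp;
+- }
+- break;
+- case 9 :*/ /* atomic */
+- /*
+- if (OPT_COMMANDS)
+- ebt_print_error2("--atomic has to come before the command");*/
+- /* A possible memory leak here, but this is not
+- * executed in daemon mode */
+- /*replace->filename = (char *)malloc(strlen(optarg) + 1);
+- strcpy(replace->filename, optarg);
+- break; */
+case 13 :
+break;
+case 1 :
+--
+2.33.0
+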
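--- a/SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch
+++ b/SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch
@@ -0,0 +1,31 @@
+From 5b88835a68a886f58c230599a82a6588f6fc5214 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 3 Aug 2021 10:55:20 +0200
+Subject: [PATCH] nft: Fix for non-verbose check command
+
+Check command was unconditionally verbose since v1.8.5. Make it respect
+--verbose option again.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0)
+---
+iptables/nft.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 83054e528cae1..a470939db54fb 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
+case NFT_COMPAT_RULE_CHECK:
+assert_chain_exists(h, cmd->table, cmd->jumpto);
+ret = nft_rule_check(h, cmd->chain, cmd->table,
+- cmd->obj.rule, cmd->rulenum);
++ cmd->obj.rule, cmd->verbose);
+break;
+case NFT_COMPAT_RULE_ZERO:
+ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
+--
+2.33.0
+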
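Review bot: The corrected call `ret = nft_rule_check(h, cmd->chain, cmd->table, cmd->obj.rule, cmd->verbose);` passes the right field, but nothing at the call site shows that the last parameter is a verbosity flag rather than a rule position, which is exactly how `cmd->rulenum` slipped in unnoticed — presumably both fields are plain integers, so the compiler could not object. A short comment at the call, `/* last argument is the verbose flag, not a rule number */`, or a `bool` type for that parameter in nft_rule_check, would make a repeat of this mix-up visible at compile time or at least at review time. The enclosing `switch` in nft_prepare starts and ends outside the hunk.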
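--- a/SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
+++ b/SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
@@ -0,0 +1,39 @@
+From 5d5c82f9bbdc8326132333f7713dfb5d457aafab Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 3 Aug 2021 11:32:34 +0200
+Subject: [PATCH] tests/shell: Assert non-verbose mode is silent
+
+Unexpected output from iptables commands might mess up error-checking in
+scripts for instance, so do a quick test of the most common commands.
+
+Note: Test adds two rules to make sure flush command operates on a
+non-empty chain.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 8629c53f933a16f1d68d19fb163c879453a3dcf2)
+---
+.../shell/testcases/iptables/0002-verbose-output_0 | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
+index b1ef91f61f481..5d2af4c8d2ab2 100755
+--- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
++++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
+@@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar)
+diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar)
+
+diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar)
++
++# make sure non-verbose mode is silent
++diff -u <(echo -n "") <(
++ $XT_MULTI iptables -N foobar
++ $XT_MULTI iptables -A foobar $RULE1
++ $XT_MULTI iptables -A foobar $RULE2
++ $XT_MULTI iptables -C foobar $RULE1
++ $XT_MULTI iptables -D foobar $RULE2
++ $XT_MULTI iptables -F foobar
++ $XT_MULTI iptables -X foobar
++)
+--
+2.33.0
+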
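Review bot: The silence check `diff -u <(echo -n "") <( ... )` only captures what the seven commands write to stdout: anything printed on stderr bypasses the process substitution, and the exit status of each command inside it is discarded, so a command that fails with an error message still counts as "silent" here. If the intent is that these commands produce no output at all, redirect inside the substitution on each line, e.g. `$XT_MULTI iptables -N foobar 2>&1`, and if the script does not already run under `set -e`, consider `|| exit 1` on each command so a failing status also fails the test. `$RULE1` and `$RULE2` are defined earlier in the script, outside the hunk.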
@ -16,7 +16,7 @@ Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: https://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.7
|
||||
Release: 23%{?dist}
|
||||
Release: 26%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
@ -48,6 +48,11 @@ Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch
|
||||
Patch17: 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
||||
Patch18: 0018-nft-cache-Sort-chains-on-demand-only.patch
|
||||
Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
|
||||
Patch20: 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
|
||||
Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
|
||||
Patch22: 0022-ebtables-Dump-atomic-waste.patch
|
||||
Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
|
||||
Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
|
||||
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic 2.0
|
||||
@ -184,6 +189,7 @@ a safer way to update iptables remotely.
|
||||
Summary: nftables compatibility for iptables, arptables and ebtables
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires(post): %{_sbindir}/update-alternatives
|
||||
Requires(post): %{_bindir}/readlink
|
||||
Requires(postun): %{_sbindir}/update-alternatives
|
||||
Provides: arptables-helper
|
||||
Provides: iptables
|
||||
@ -462,6 +468,18 @@ fi
|
||||
%ghost %{_mandir}/man8/ebtables.8.gz
|
||||
|
||||
%changelog
|
||||
* Mon Oct 11 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-26
|
||||
- tests/shell: Assert non-verbose mode is silent
|
||||
- nft: Fix for non-verbose check command
|
||||
|
||||
* Wed Oct 06 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-25
|
||||
- ebtables: Dump atomic waste
|
||||
- doc: ebtables-nft.8: Adjust for missing atomic-options
|
||||
- nft: Use xtables_malloc() in mnl_err_list_node_add()
|
||||
|
||||
* Fri Oct 01 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-24
|
||||
- Add missing readlink required for iptables-nft(post)
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.8.7-23
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|