iptables-1.8.11-9.el10

* Wed Apr 23 2025 Phil Sutter <psutter@redhat.com> [1.8.11-9.el10] - xshared: Accept an option if any given command allows it (Phil Sutter) [RHEL-72061] - extensions: icmp: Support info-request/-reply type names (Phil Sutter) [RHEL-85286] Resolves: RHEL-72061, RHEL-85286
2025-04-23 23:18:56 +02:00 · 2025-04-23 23:18:56 +02:00 · b277d9bafb
commit b277d9bafb
parent 46e0fa580c
3 changed files with 100 additions and 1 deletions
--- a/0006-extensions-icmp-Support-info-request-reply-type-name.patch
+++ b/0006-extensions-icmp-Support-info-request-reply-type-name.patch
@ -0,0 +1,53 @@
+From 1b704fe3dc715a10cc995e14b3fe1da44e827eee Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 23 Apr 2025 23:11:59 +0200
+Subject: [PATCH] extensions: icmp: Support info-request/-reply type names
+
+JIRA: https://issues.redhat.com/browse/RHEL-85286
+Upstream Status: iptables commit 1e6a2812971a268428b04b03520cd68cb61d76e3
+
+commit 1e6a2812971a268428b04b03520cd68cb61d76e3
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Fri Mar 28 17:35:04 2025 +0100
+
+    extensions: icmp: Support info-request/-reply type names
+
+    The intended side-effect here is that iptables-translate will accept
+    them too. In nftables, the names are supported since basically day 1.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ extensions/libipt_icmp.txlate | 6 ++++++
+ extensions/libxt_icmp.h       | 3 +++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/extensions/libipt_icmp.txlate b/extensions/libipt_icmp.txlate
+index e7208d8..4315875 100644
+--- a/extensions/libipt_icmp.txlate
+++ b/extensions/libipt_icmp.txlate
+@@ -9,3 +9,9 @@ nft 'add rule ip filter INPUT icmp type != destination-unreachable counter accep
+ 
+ iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT
+ nft 'add rule ip filter INPUT ip protocol icmp counter accept'
+
+iptables-translate -t filter -A INPUT -m icmp --icmp-type info-request -j ACCEPT
+nft 'add rule ip filter INPUT icmp type info-request counter accept'
+
+iptables-translate -t filter -A INPUT -m icmp --icmp-type 16 -j ACCEPT
+nft 'add rule ip filter INPUT icmp type info-reply counter accept'
+diff --git a/extensions/libxt_icmp.h b/extensions/libxt_icmp.h
+index 7a45b4b..c44aa4b 100644
+--- a/extensions/libxt_icmp.h
+++ b/extensions/libxt_icmp.h
+@@ -52,6 +52,9 @@ static const struct xt_icmp_names {
+ 
+ 	{ "timestamp-reply", 14, 0, 0xFF },
+ 
+	{ "info-request", 15, 0, 0xFF },
+	{ "info-reply", 16, 0, 0xFF },
+
+ 	{ "address-mask-request", 17, 0, 0xFF },
+ 
+ 	{ "address-mask-reply", 18, 0, 0xFF }
--- a/0007-xshared-Accept-an-option-if-any-given-command-allows.patch
+++ b/0007-xshared-Accept-an-option-if-any-given-command-allows.patch
@ -0,0 +1,40 @@
+From 83c3c9db46af8f1146fcd1dbc5a110a183610b24 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 23 Apr 2025 23:17:04 +0200
+Subject: [PATCH] xshared: Accept an option if any given command allows it
+
+JIRA: https://issues.redhat.com/browse/RHEL-72061
+Upstream Status: iptables commit 192c3a6bc18f206895ec5e38812d648ccfe7e281
+
+commit 192c3a6bc18f206895ec5e38812d648ccfe7e281
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Apr 23 12:36:13 2025 +0200
+
+    xshared: Accept an option if any given command allows it
+
+    Fixed commit made option checking overly strict: Some commands may be
+    commbined (foremost --list and --zero), reject a given option only if it
+    is not allowed by any of the given commands.
+
+    Reported-by: Adam Nielsen <a.nielsen@shikadi.net>
+    Fixes: 9c09d28102bb4 ("xshared: Simplify generic_opt_check()")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/xshared.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 2f663f9..b941b8d 100644
+--- a/iptables/xshared.c
+++ b/iptables/xshared.c
+@@ -980,7 +980,7 @@ static void generic_opt_check(struct xt_cmd_parse_ops *ops,
+ 	 */
+ 	for (i = 0, optval = 1; i < NUMBER_OF_OPT; optval = (1 << ++i)) {
+ 		if ((options & optval) &&
+-		    (options_v_commands[i] & command) != command)
+		    !(options_v_commands[i] & command))
+ 			xtables_error(PARAMETER_PROBLEM,
+ 				      "Illegal option `%s' with this command",
+ 				      ops->option_name(optval));
--- a/iptables.spec
+++ b/iptables.spec
@ -14,7 +14,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.11
-Release: 8%{?dist}
+Release: 9%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
@ -33,6 +33,8 @@ Patch2:             0002-extensions-SECMARK-Use-a-better-context-in-test-case.pa
 Patch3:             0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
 Patch4:             0004-nft-fix-interface-comparisons-in-C-commands.patch
 Patch5:             0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch
+Patch6:             0006-extensions-icmp-Support-info-request-reply-type-name.patch
+Patch7:             0007-xshared-Accept-an-option-if-any-given-command-allows.patch

 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@ -532,6 +534,10 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz

 %changelog
+* Wed Apr 23 2025 Phil Sutter <psutter@redhat.com> [1.8.11-9.el10]
+- xshared: Accept an option if any given command allows it (Phil Sutter) [RHEL-72061]
+- extensions: icmp: Support info-request/-reply type names (Phil Sutter) [RHEL-85286]
+
 * Mon Mar 17 2025 Eric Garver <egarver@redhat.com> [1.8.11-8.el10]
 - fix kernel-modules-extra dependency for aarch64 64k variant [RHEL-83068]