import iptables-1.8.4-20.el8

2021-08-24 22:29:45 +00:00 · 2021-08-24 22:29:45 +00:00 · b85241e8a3
parent df2c1b9c8e
commit b85241e8a3
6 changed files with 532 additions and 1 deletions
--- a/SOURCES/0054-extensions-SECMARK-Implement-revision-1.patch
+++ b/SOURCES/0054-extensions-SECMARK-Implement-revision-1.patch
@ -0,0 +1,177 @@
+From 3bd3af273ccfa550ed50ad19d4bcd04a29b88f5b Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 29 Apr 2021 15:28:59 +0200
+Subject: [PATCH] extensions: SECMARK: Implement revision 1
+
+The changed data structure for communication with kernel allows to
+exclude the field 'secid' which is populated on kernel side. Thus
+this fixes the formerly always failing extension comparison breaking
+rule check and rule delete by content.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
+---
+ extensions/libxt_SECMARK.c           | 90 +++++++++++++++++++++-------
+ extensions/libxt_SECMARK.t           |  4 ++
+ include/linux/netfilter/xt_SECMARK.h |  6 ++
+ 3 files changed, 80 insertions(+), 20 deletions(-)
+ create mode 100644 extensions/libxt_SECMARK.t
+
+diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
+index 6ba8606355daa..24249bd618ffe 100644
+--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
+@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
+ 	XTOPT_TABLEEND,
+ };
+ 
+static const struct xt_option_entry SECMARK_opts_v1[] = {
+	{.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
+	 .flags = XTOPT_MAND | XTOPT_PUT,
+	 XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
+	XTOPT_TABLEEND,
+};
+
+ static void SECMARK_parse(struct xt_option_call *cb)
+ {
+ 	struct xt_secmark_target_info *info = cb->data;
+@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
+ 	info->mode = SECMARK_MODE_SEL;
+ }
+ 
+-static void print_secmark(const struct xt_secmark_target_info *info)
+static void SECMARK_parse_v1(struct xt_option_call *cb)
+{
+	struct xt_secmark_target_info_v1 *info = cb->data;
+
+	xtables_option_parse(cb);
+	info->mode = SECMARK_MODE_SEL;
+}
+
+static void print_secmark(__u8 mode, const char *secctx)
+ {
+-	switch (info->mode) {
+	switch (mode) {
+ 	case SECMARK_MODE_SEL:
+-		printf("selctx %s", info->secctx);
+		printf("selctx %s", secctx);
+ 		break;
+-	
+
+ 	default:
+-		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+		xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
+ 	}
+ }
+ 
+@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
+ 		(struct xt_secmark_target_info*)(target)->data;
+ 
+ 	printf(" SECMARK ");
+-	print_secmark(info);
+	print_secmark(info->mode, info->secctx);
+}
+
+static void SECMARK_print_v1(const void *ip,
+			     const struct xt_entry_target *target, int numeric)
+{
+	const struct xt_secmark_target_info_v1 *info =
+		(struct xt_secmark_target_info_v1 *)(target)->data;
+
+	printf(" SECMARK ");
+	print_secmark(info->mode, info->secctx);
+ }
+ 
+ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+ 		(struct xt_secmark_target_info*)target->data;
+ 
+ 	printf(" --");
+-	print_secmark(info);
+	print_secmark(info->mode, info->secctx);
+ }
+ 
+-static struct xtables_target secmark_target = {
+-	.family		= NFPROTO_UNSPEC,
+-	.name		= "SECMARK",
+-	.version	= XTABLES_VERSION,
+-	.revision	= 0,
+-	.size		= XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+-	.userspacesize	= XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+-	.help		= SECMARK_help,
+-	.print		= SECMARK_print,
+-	.save		= SECMARK_save,
+-	.x6_parse	= SECMARK_parse,
+-	.x6_options	= SECMARK_opts,
+static void SECMARK_save_v1(const void *ip,
+			    const struct xt_entry_target *target)
+{
+	const struct xt_secmark_target_info_v1 *info =
+		(struct xt_secmark_target_info_v1 *)target->data;
+
+	printf(" --");
+	print_secmark(info->mode, info->secctx);
+}
+
+static struct xtables_target secmark_tg_reg[] = {
+	{
+		.family		= NFPROTO_UNSPEC,
+		.name		= "SECMARK",
+		.version	= XTABLES_VERSION,
+		.revision	= 0,
+		.size		= XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+		.userspacesize	= XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+		.help		= SECMARK_help,
+		.print		= SECMARK_print,
+		.save		= SECMARK_save,
+		.x6_parse	= SECMARK_parse,
+		.x6_options	= SECMARK_opts,
+	},
+	{
+		.family		= NFPROTO_UNSPEC,
+		.name		= "SECMARK",
+		.version	= XTABLES_VERSION,
+		.revision	= 1,
+		.size		= XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
+		.userspacesize	= XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
+		.help		= SECMARK_help,
+		.print		= SECMARK_print_v1,
+		.save		= SECMARK_save_v1,
+		.x6_parse	= SECMARK_parse_v1,
+		.x6_options	= SECMARK_opts_v1,
+	}
+ };
+ 
+ void _init(void)
+ {
+-	xtables_register_target(&secmark_target);
+	xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ }
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+new file mode 100644
+index 0000000000000..39d4c09348bf4
+--- /dev/null
+++ b/extensions/libxt_SECMARK.t
+@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK;;FAIL
+diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
+index 989092bd6274b..31760a286a854 100644
+--- a/include/linux/netfilter/xt_SECMARK.h
+++ b/include/linux/netfilter/xt_SECMARK.h
+@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
+ 	char secctx[SECMARK_SECCTX_MAX];
+ };
+ 
+struct xt_secmark_target_info_v1 {
+	__u8 mode;
+	char secctx[SECMARK_SECCTX_MAX];
+	__u32 secid;
+};
+
+ #endif /*_XT_SECMARK_H_target */
+-- 
+2.31.1
+
--- a/SOURCES/0055-extensions-sctp-Fix-nftables-translation.patch
+++ b/SOURCES/0055-extensions-sctp-Fix-nftables-translation.patch
@ -0,0 +1,80 @@
+From b675a15b70215deab520ef1a8e52edad9129328e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 4 May 2021 16:03:24 +0200
+Subject: [PATCH] extensions: sctp: Fix nftables translation
+
+If both sport and dport was present, incorrect nft syntax was generated.
+
+Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
+---
+ extensions/libxt_sctp.c      | 10 ++++------
+ extensions/libxt_sctp.txlate | 10 +++++-----
+ 2 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index 140de2653b1ef..ee4e99ebf11bf 100644
+--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
+@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
+ 	if (!einfo->flags)
+ 		return 0;
+ 
+-	xt_xlate_add(xl, "sctp ");
+-
+ 	if (einfo->flags & XT_SCTP_SRC_PORTS) {
+ 		if (einfo->spts[0] != einfo->spts[1])
+-			xt_xlate_add(xl, "sport%s %u-%u",
+			xt_xlate_add(xl, "sctp sport%s %u-%u",
+ 				     einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
+ 				     einfo->spts[0], einfo->spts[1]);
+ 		else
+-			xt_xlate_add(xl, "sport%s %u",
+			xt_xlate_add(xl, "sctp sport%s %u",
+ 				     einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
+ 				     einfo->spts[0]);
+ 		space = " ";
+@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
+ 
+ 	if (einfo->flags & XT_SCTP_DEST_PORTS) {
+ 		if (einfo->dpts[0] != einfo->dpts[1])
+-			xt_xlate_add(xl, "%sdport%s %u-%u", space,
+			xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
+ 				     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
+ 				     einfo->dpts[0], einfo->dpts[1]);
+ 		else
+-			xt_xlate_add(xl, "%sdport%s %u", space,
+			xt_xlate_add(xl, "%ssctp dport%s %u", space,
+ 				     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
+ 				     einfo->dpts[0]);
+ 	}
+diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
+index 72f4641ab021c..0d6c59e183675 100644
+--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
+@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
+ nft add rule ip filter INPUT sctp dport != 50-56 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
+ 
+ iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
+-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
+-- 
+2.31.1
+
--- a/SOURCES/0056-extensions-sctp-Translate-chunk-types-option.patch
+++ b/SOURCES/0056-extensions-sctp-Translate-chunk-types-option.patch
@ -0,0 +1,159 @@
+From 48f38c4224f31d19176df83539501292fcc6092b Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 4 May 2021 16:26:42 +0200
+Subject: [PATCH] extensions: sctp: Translate --chunk-types option
+
+The translation is not fully complete as it is not possible to map 'any'
+match type into nft syntax with a single rule. Also, 'only' match type
+translation is a bit poor as it explicitly lists all chunk types that
+are supposed to be missing.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 5818be177110a09120dd8fe4bd2533acbf8da301)
+---
+ extensions/libxt_sctp.c      | 91 ++++++++++++++++++++++++++++--------
+ extensions/libxt_sctp.txlate |  6 +++
+ 2 files changed, 78 insertions(+), 19 deletions(-)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index ee4e99ebf11bf..5d8ab85cacf42 100644
+--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
+@@ -92,28 +92,29 @@ struct sctp_chunk_names {
+ 	const char *name;
+ 	unsigned int chunk_type;
+ 	const char *valid_flags;
+	const char *nftname;
+ };
+ 
+ /*'ALL' and 'NONE' will be treated specially. */
+ static const struct sctp_chunk_names sctp_chunk_names[]
+-= { { .name = "DATA", 		.chunk_type = 0,   .valid_flags = "----IUBE"},
+-    { .name = "INIT", 		.chunk_type = 1,   .valid_flags = "--------"},
+-    { .name = "INIT_ACK", 	.chunk_type = 2,   .valid_flags = "--------"},
+-    { .name = "SACK",		.chunk_type = 3,   .valid_flags = "--------"},
+-    { .name = "HEARTBEAT",	.chunk_type = 4,   .valid_flags = "--------"},
+-    { .name = "HEARTBEAT_ACK",	.chunk_type = 5,   .valid_flags = "--------"},
+-    { .name = "ABORT",		.chunk_type = 6,   .valid_flags = "-------T"},
+-    { .name = "SHUTDOWN",	.chunk_type = 7,   .valid_flags = "--------"},
+-    { .name = "SHUTDOWN_ACK",	.chunk_type = 8,   .valid_flags = "--------"},
+-    { .name = "ERROR",		.chunk_type = 9,   .valid_flags = "--------"},
+-    { .name = "COOKIE_ECHO",	.chunk_type = 10,  .valid_flags = "--------"},
+-    { .name = "COOKIE_ACK",	.chunk_type = 11,  .valid_flags = "--------"},
+-    { .name = "ECN_ECNE",	.chunk_type = 12,  .valid_flags = "--------"},
+-    { .name = "ECN_CWR",	.chunk_type = 13,  .valid_flags = "--------"},
+-    { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14,  .valid_flags = "-------T"},
+-    { .name = "ASCONF",		.chunk_type = 193,  .valid_flags = "--------"},
+-    { .name = "ASCONF_ACK",	.chunk_type = 128,  .valid_flags = "--------"},
+-    { .name = "FORWARD_TSN",	.chunk_type = 192,  .valid_flags = "--------"},
+= { { .name = "DATA", 		.chunk_type = 0,   .valid_flags = "----IUBE", .nftname = "data" },
+    { .name = "INIT", 		.chunk_type = 1,   .valid_flags = "--------", .nftname = "init" },
+    { .name = "INIT_ACK", 	.chunk_type = 2,   .valid_flags = "--------", .nftname = "init-ack" },
+    { .name = "SACK",		.chunk_type = 3,   .valid_flags = "--------", .nftname = "sack" },
+    { .name = "HEARTBEAT",	.chunk_type = 4,   .valid_flags = "--------", .nftname = "heartbeat" },
+    { .name = "HEARTBEAT_ACK",	.chunk_type = 5,   .valid_flags = "--------", .nftname = "heartbeat-ack" },
+    { .name = "ABORT",		.chunk_type = 6,   .valid_flags = "-------T", .nftname = "abort" },
+    { .name = "SHUTDOWN",	.chunk_type = 7,   .valid_flags = "--------", .nftname = "shutdown" },
+    { .name = "SHUTDOWN_ACK",	.chunk_type = 8,   .valid_flags = "--------", .nftname = "shutdown-ack" },
+    { .name = "ERROR",		.chunk_type = 9,   .valid_flags = "--------", .nftname = "error" },
+    { .name = "COOKIE_ECHO",	.chunk_type = 10,  .valid_flags = "--------", .nftname = "cookie-echo" },
+    { .name = "COOKIE_ACK",	.chunk_type = 11,  .valid_flags = "--------", .nftname = "cookie-ack" },
+    { .name = "ECN_ECNE",	.chunk_type = 12,  .valid_flags = "--------", .nftname = "ecne" },
+    { .name = "ECN_CWR",	.chunk_type = 13,  .valid_flags = "--------", .nftname = "cwr" },
+    { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14,  .valid_flags = "-------T", .nftname = "shutdown-complete" },
+    { .name = "ASCONF",		.chunk_type = 193,  .valid_flags = "--------", .nftname = "asconf" },
+    { .name = "ASCONF_ACK",	.chunk_type = 128,  .valid_flags = "--------", .nftname = "asconf-ack" },
+    { .name = "FORWARD_TSN",	.chunk_type = 192,  .valid_flags = "--------", .nftname = "forward-tsn" },
+ };
+ 
+ static void
+@@ -485,12 +486,52 @@ static void sctp_save(const void *ip, const struct xt_entry_match *match)
+ 	}
+ }
+ 
+static const char *sctp_xlate_chunk(struct xt_xlate *xl, const char *space,
+				    const struct xt_sctp_info *einfo,
+				    const struct sctp_chunk_names *scn)
+{
+	bool inv = einfo->invflags & XT_SCTP_CHUNK_TYPES;
+	const struct xt_sctp_flag_info *flag_info = NULL;
+	int i;
+
+	if (!scn->nftname)
+		return space;
+
+	if (!SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, scn->chunk_type)) {
+		if (einfo->chunk_match_type != SCTP_CHUNK_MATCH_ONLY)
+			return space;
+
+		xt_xlate_add(xl, "%ssctp chunk %s %s", space,
+			     scn->nftname, inv ? "exists" : "missing");
+		return " ";
+	}
+
+	for (i = 0; i < einfo->flag_count; i++) {
+		if (einfo->flag_info[i].chunktype == scn->chunk_type) {
+			flag_info = &einfo->flag_info[i];
+			break;
+		}
+	}
+
+	if (!flag_info) {
+		xt_xlate_add(xl, "%ssctp chunk %s %s", space,
+			     scn->nftname, inv ? "missing" : "exists");
+		return " ";
+	}
+
+	xt_xlate_add(xl, "%ssctp chunk %s flags & 0x%x %s 0x%x", space,
+		     scn->nftname, flag_info->flag_mask,
+		     inv ? "!=" : "==", flag_info->flag);
+
+	return " ";
+}
+
+ static int sctp_xlate(struct xt_xlate *xl,
+ 		      const struct xt_xlate_mt_params *params)
+ {
+ 	const struct xt_sctp_info *einfo =
+ 		(const struct xt_sctp_info *)params->match->data;
+-	char *space = "";
+	const char *space = "";
+ 
+ 	if (!einfo->flags)
+ 		return 0;
+@@ -516,6 +557,18 @@ static int sctp_xlate(struct xt_xlate *xl,
+ 			xt_xlate_add(xl, "%ssctp dport%s %u", space,
+ 				     einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
+ 				     einfo->dpts[0]);
+		space = " ";
+	}
+
+	if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
+		int i;
+
+		if (einfo->chunk_match_type == SCTP_CHUNK_MATCH_ANY)
+			return 0;
+
+		for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); i++)
+			space = sctp_xlate_chunk(xl, space, einfo,
+						 &sctp_chunk_names[i]);
+ 	}
+ 
+ 	return 1;
+diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
+index 0d6c59e183675..bb817525db8d8 100644
+--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
+@@ -36,3 +36,9 @@ nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
+ 
+ iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
+ nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
+
+iptables-translate -A INPUT -p sctp --chunk-types all INIT,DATA:iUbE,SACK,ABORT:T -j ACCEPT
+nft add rule ip filter INPUT sctp chunk data flags & 0xf == 0x5 sctp chunk init exists sctp chunk sack exists sctp chunk abort flags & 0x1 == 0x1 counter accept
+
+iptables-translate -A INPUT -p sctp --chunk-types only SHUTDOWN_COMPLETE -j ACCEPT
+nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing counter accept
+-- 
+2.31.1
+
--- a/SOURCES/0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+++ b/SOURCES/0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch
@ -0,0 +1,26 @@
+From 2a45c01c4d3892871b3d3d6b67d10cb62abc561e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 16 Jul 2021 21:51:49 +0200
+Subject: [PATCH] extensions: SECMARK: Use a better context in test case
+
+RHEL SELinux policies don't allow setting
+system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
+'packet_type' attribute (identified via
+'seinfo -xt | grep packet_type').
+---
+ extensions/libxt_SECMARK.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+index 39d4c09348bf4..295e7a7244902 100644
+--- a/extensions/libxt_SECMARK.t
+++ b/extensions/libxt_SECMARK.t
+@@ -1,4 +1,4 @@
+ :INPUT,FORWARD,OUTPUT
+ *security
+--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
+ -j SECMARK;;FAIL
+-- 
+2.31.1
+
--- a/SOURCES/0058-nft-cache-Retry-if-kernel-returns-EINTR.patch
+++ b/SOURCES/0058-nft-cache-Retry-if-kernel-returns-EINTR.patch
@ -0,0 +1,77 @@
+From 681cb811e4cb8c5f22fd0fae60a3533289657705 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 4 Aug 2021 17:14:05 +0200
+Subject: [PATCH] nft: cache: Retry if kernel returns EINTR
+
+In case of parallel ruleset updates, recvfrom() calls may return EINTR.
+Due to the fact that cache fetches may get triggered while iterating
+over cache elements, __nft_build_cache must not restart based on
+comparing before and after generation ID like upstream does. Instead,
+just retry the recvfrom() calls until they either succeed or return a
+different error than EINTR.
+---
+ iptables/nft-cache.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 9623b463f0dd5..699dc66a95cd1 100644
+--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
+@@ -98,9 +98,12 @@ static int fetch_table_cache(struct nft_handle *h)
+ 	nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family,
+ 					NLM_F_DUMP, h->seq);
+ 
+retry:
+ 	ret = mnl_talk(h, nlh, nftnl_table_list_cb, list);
+-	if (ret < 0 && errno == EINTR)
+	if (ret < 0 && errno == EINTR) {
+ 		assert(nft_restart(h) >= 0);
+		goto retry;
+	}
+ 
+ 	h->cache->tables = list;
+ 
+@@ -275,10 +278,11 @@ static int fetch_set_cache(struct nft_handle *h,
+ 						NLM_F_DUMP, h->seq);
+ 	}
+ 
+retry:
+ 	ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
+ 	if (ret < 0 && errno == EINTR) {
+ 		assert(nft_restart(h) >= 0);
+-		return ret;
+		goto retry;
+ 	}
+ 
+ 	if (t && set) {
+@@ -355,9 +359,12 @@ static int fetch_chain_cache(struct nft_handle *h,
+ 						  h->seq);
+ 	}
+ 
+retry:
+ 	ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
+-	if (ret < 0 && errno == EINTR)
+	if (ret < 0 && errno == EINTR) {
+ 		assert(nft_restart(h) >= 0);
+		goto retry;
+	}
+ 
+ 	return ret;
+ }
+@@ -404,9 +411,12 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data)
+ 					NLM_F_DUMP, h->seq);
+ 	nftnl_rule_nlmsg_build_payload(nlh, rule);
+ 
+retry:
+ 	ret = mnl_talk(h, nlh, nftnl_rule_list_cb, c);
+-	if (ret < 0 && errno == EINTR)
+	if (ret < 0 && errno == EINTR) {
+ 		assert(nft_restart(h) >= 0);
+		goto retry;
+	}
+ 
+ 	nftnl_rule_free(rule);
+ 
+-- 
+2.32.0
+
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@ -17,7 +17,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.4
-Release: 19%{?dist}
+Release: 20%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@ -87,6 +87,11 @@ Patch50: 0050-xtables-translate-Fix-translation-of-odd-netmasks.patch
 Patch51: 0051-Eliminate-inet_aton-and-inet_ntoa.patch
 Patch52: 0052-xtables-arp-Don-t-use-ARPT_INV_.patch
 Patch53: 0053-nft-arp-Make-use-of-ipv4_addr_to_string.patch
+Patch54: 0054-extensions-SECMARK-Implement-revision-1.patch
+Patch55: 0055-extensions-sctp-Fix-nftables-translation.patch
+Patch56: 0056-extensions-sctp-Translate-chunk-types-option.patch
+Patch57: 0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+Patch58: 0058-nft-cache-Retry-if-kernel-returns-EINTR.patch

 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@ -495,6 +500,13 @@ done
 %doc %{_mandir}/man8/ebtables*.8*

 %changelog
+* Wed Aug 04 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-20
+- extensions: SECMARK: Use a better context in test case
+- extensions: sctp: Translate --chunk-types option
+- extensions: sctp: Fix nftables translation
+- extensions: SECMARK: Implement revision 1
+- nft: cache: Retry if kernel returns EINTR
+
 * Fri Jun 18 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-19
 - Fix for rpminspect results