Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/iptables.git#648ffbc31613acd9f9015892c0820df9be00cb89

0001-ebtables-Exit-gracefully-on-invalid-table-names.patch

@@ -0,0 +1,51 @@
+From 30c1d443896311e69762d6b51b63908ec602574f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 28 Jan 2021 01:09:56 +0100
+Subject: [PATCH] ebtables: Exit gracefully on invalid table names
+
+Users are able to cause program abort by passing a table name that
+doesn't exist:
+
+| # ebtables-nft -t dummy -P INPUT ACCEPT
+| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
+| Aborted
+
+Avoid this by checking table existence just like iptables-nft does upon
+parsing '-t' optarg. Since the list of tables is known and fixed,
+checking the given name's length is pointless. So just drop that check
+in return.
+
+With this patch in place, output looks much better:
+
+| # ebtables-nft -t dummy -P INPUT ACCEPT
+| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
+| Perhaps iptables or your kernel needs to be upgraded.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/xtables-eb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index cfa9317c78e94..5bb34d6d292a9 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -914,10 +914,10 @@ print_zero:
+ 				xtables_error(PARAMETER_PROBLEM,
+ 					      "The -t option (seen in line %u) cannot be used in %s.\n",
+ 					      line, xt_params->program_name);
+-			if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
+-				xtables_error(PARAMETER_PROBLEM,
+-					      "Table name length cannot exceed %d characters",
+-					      EBT_TABLE_MAXNAMELEN - 1);
++			if (!nft_table_builtin_find(h, optarg))
++				xtables_error(VERSION_PROBLEM,
++					      "table '%s' does not exist",
++					      optarg);
+ 			*table = optarg;
+ 			table_set = true;
+ 			break;
+-- 
+2.28.0
+

iptables.spec

@@ -19,7 +19,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 1%{?dist}
+Release: 3%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -32,6 +32,8 @@ Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
 Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 %endif
 
+Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
+
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
 License: GPLv2 and Artistic Licence 2.0 and ISC
@@ -443,6 +445,12 @@ fi
 
 
 %changelog
+* Thu Jan 28 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-3
+- ebtables: Exit gracefully on invalid table names
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
 * Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.8.7-1
 - Update to 1.8.7. Fixes rhbz#1916948
 

tests/tests.yml

@@ -21,7 +21,7 @@
   roles:
   - role: standard-test-rhts
     tests:
-    - backport-iptables-add-libxt-cgroup-frontend
+#    - backport-iptables-add-libxt-cgroup-frontend
     - initscript-sanity
     - ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
     - ip6tables-service-does-not-allow-dhcpv6-client-by