iptables-1.8.5-1

- Rebase onto upstream version 1.8.5 plus two late fixes - Drop explicit iptables-apply installation, upstream fixed that - Ship ip6tables-apply along with iptables package
2020-06-23 12:01:10 +02:00 · 2020-06-23 12:01:10 +02:00 · bf5df54de6
commit bf5df54de6
parent 66ed4161fe
14 changed files with 112 additions and 395 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@
 /iptables-1.8.2.tar.bz2
 /iptables-1.8.3.tar.bz2
 /iptables-1.8.4.tar.bz2
 /iptables-1.8.5.tar.bz2
--- a/0001-build-resolve-iptables-apply-not-getting-installed.patch
+++ b/0001-build-resolve-iptables-apply-not-getting-installed.patch
@ -0,0 +1,42 @@
 From 55bb60d8ae717d3bc1cfdd6203604a18f30eb3c3 Mon Sep 17 00:00:00 2001
 From: Jan Engelhardt <jengelh@inai.de>
 Date: Wed, 3 Jun 2020 15:38:48 +0200
 Subject: [PATCH] build: resolve iptables-apply not getting installed
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 ip6tables-apply gets installed but iptables-apply does not.
 That is wrong.
 » make install DESTDIR=$PWD/r
 » find r -name "*app*"
 r/usr/local/sbin/ip6tables-apply
 r/usr/local/share/man/man8/iptables-apply.8
 r/usr/local/share/man/man8/ip6tables-apply.8
 Fixes: v1.8.5~87
 Signed-off-by: Jan Engelhardt <jengelh@inai.de>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 (cherry picked from commit d4ed0c741fc789bb09d977d74d30875fdd50d08b)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 iptables/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/iptables/Makefile.am b/iptables/Makefile.am
 index dc66b3cc09c08..2024dbf5cb88c 100644
 --- a/iptables/Makefile.am
 +++ b/iptables/Makefile.am
@@ -56,7 +56,7 @@ man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                    ip6tables-save.8 iptables-extensions.8 \
                    iptables-apply.8 ip6tables-apply.8
 -sbin_SCRIPT      = iptables-apply
 +sbin_SCRIPTS     = iptables-apply
 if ENABLE_NFTABLES
 man_MANS	+= xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
 -- 
 2.27.0
--- a/0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
+++ b/0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
@ -1,35 +0,0 @@
 From 6455a8201fab45194413b326aecc1d764033db0b Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 12 Apr 2019 18:02:19 +0200
 Subject: [PATCH] iptables-apply: Use mktemp instead of tempfile
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 iptables/iptables-apply | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/iptables/iptables-apply b/iptables/iptables-apply
 index 819ca4a459c42..a685b6bbcd7dc 100755
 --- a/iptables/iptables-apply
 +++ b/iptables/iptables-apply
@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
 	exit 2
 fi
 -COMMANDS=(tempfile "$SAVE" "$RESTORE")
 +COMMANDS=(mktemp "$SAVE" "$RESTORE")
 for cmd in "${COMMANDS[@]}"; do
 	if ! command -v $cmd >/dev/null; then
@@ -122,7 +122,7 @@ done
 umask 0700
 -TMPFILE=$(tempfile -p iptap)
 +TMPFILE=$(mktemp)
 trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
 		      FPE USR1 SEGV USR2 PIPE ALRM TERM
 -- 
 2.24.1
--- a/0002-Fix-DEBUG-build.patch
+++ b/0002-Fix-DEBUG-build.patch
@ -1,33 +0,0 @@
 From a7eb134ce97d873c0fe5d30ac1ddce447aba576c Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Wed, 4 Dec 2019 09:36:59 +0100
 Subject: [PATCH] Fix DEBUG build
 Fixed commit missed to update this conditional call to
 nft_rule_print_save().
 Fixes: 1e8ef6a584754 ("nft: family_ops: Pass nft_handle to 'rule_to_cs' callback")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
 (cherry picked from commit 066a19596ae3d69b49a70405e2daf75c929dcd4d)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 iptables/nft-shared.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
 index 78e422781723f..426765641cff6 100644
 --- a/iptables/nft-shared.c
 +++ b/iptables/nft-shared.c
@@ -998,7 +998,7 @@ bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r, void *data)
 	DEBUGP("comparing with... ");
 #ifdef DEBUG_DEL
 -	nft_rule_print_save(r, NFT_RULE_APPEND, 0);
 +	nft_rule_print_save(h, r, NFT_RULE_APPEND, 0);
 #endif
 	if (!h->ops->is_same(cs, &this))
 		goto out;
 -- 
 2.24.1
--- a/0002-xtables-translate-don-t-fail-if-help-was-requested.patch
+++ b/0002-xtables-translate-don-t-fail-if-help-was-requested.patch
@ -0,0 +1,58 @@
 From 51730adbe90a17e0d86d5adcab30040fa7e751ed Mon Sep 17 00:00:00 2001
 From: Arturo Borrero Gonzalez <arturo@netfilter.org>
 Date: Tue, 16 Jun 2020 11:20:42 +0200
 Subject: [PATCH] xtables-translate: don't fail if help was requested
 If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle
 this case in do_command_xlate().
 Before this patch, you would see:
 user@debian:~$ sudo iptables-translate -h
 [..]
 nft Unsupported command?
 user@debian:~$ echo $?
 1
 After this patch:
 user@debian:~$ sudo iptables-translate -h
 [..]
 user@debian:~$ echo $?
 0
 Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts")
 Acked-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
 (cherry picked from commit 2757c0b5e5fbbf569695469b331453cecefdf069)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 iptables/xtables-translate.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
 index 5aa42496b5a48..363c8be15b3fa 100644
 --- a/iptables/xtables-translate.c
 +++ b/iptables/xtables-translate.c
@@ -249,7 +249,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
 	cs.restore = restore;
 -	if (!restore)
 +	if (!restore && p.command != CMD_NONE)
 		printf("nft ");
 	switch (p.command) {
@@ -310,6 +310,9 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
 		break;
 	case CMD_SET_POLICY:
 		break;
 +	case CMD_NONE:
 +		ret = 1;
 +		break;
 	default:
 		/* We should never reach this... */
 		printf("Unsupported command?\n");
 -- 
 2.27.0
--- a/0003-xtables-restore-Fix-parser-feed-from-line-buffer.patch
+++ b/0003-xtables-restore-Fix-parser-feed-from-line-buffer.patch
@ -1,59 +0,0 @@
 From f587011318fd47b18d0f0174b6594485a546ca8f Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Wed, 4 Dec 2019 09:56:06 +0100
 Subject: [PATCH] xtables-restore: Fix parser feed from line buffer
 When called with --noflush, xtables-restore would trip over chain lines:
 Parser uses strtok() to separate chain name, policy and counters which
 inserts nul-chars into the source string. Therefore strlen() can't be
 used anymore to find end of line. Fix this by caching line length before
 calling xtables_restore_parse_line().
 Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
 (cherry picked from commit a103fbfadf4c17b8b12caa57eef72deaaa71a18c)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 .../testcases/ipt-restore/0010-noflush-new-chain_0     | 10 ++++++++++
 iptables/xtables-restore.c                             |  4 +++-
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100755 iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
 diff --git a/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
 new file mode 100755
 index 0000000000000..739e684a21183
 --- /dev/null
 +++ b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
@@ -0,0 +1,10 @@
 +#!/bin/sh -e
 +
 +# assert input feed from buffer doesn't trip over
 +# added nul-chars from parsing chain line.
 +
 +$XT_MULTI iptables-restore --noflush <<EOF
 +*filter
 +:foobar - [0:0]
 +-A foobar -j ACCEPT
 +COMMIT
 diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
 index 2f0fe7d439d94..dd907e0b8ddd5 100644
 --- a/iptables/xtables-restore.c
 +++ b/iptables/xtables-restore.c
@@ -327,10 +327,12 @@ void xtables_restore_parse(struct nft_handle *h,
 	line = 0;
 	ptr = preload_buffer;
 	while (*ptr) {
 +		size_t len = strlen(ptr);
 +
 		h->error.lineno = ++line;
 		DEBUGP("%s: buffered line %d: '%s'\n", __func__, line, ptr);
 		xtables_restore_parse_line(h, p, &state, ptr);
 -		ptr += strlen(ptr) + 1;
 +		ptr += len + 1;
 	}
 	if (*buffer) {
 		h->error.lineno = ++line;
 -- 
 2.24.1
--- a/0004-xtables-restore-Avoid-access-of-uninitialized-data.patch
+++ b/0004-xtables-restore-Avoid-access-of-uninitialized-data.patch
@ -1,31 +0,0 @@
 From 79aea9da9108323922dce0820d362c23619371f4 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 5 Dec 2019 11:40:26 +0100
 Subject: [PATCH] xtables-restore: Avoid access of uninitialized data
 When flushing, 'buffer' is not written to prior to checking its first
 byte's value. Therefore it needs to be initialized upon declaration.
 Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
 (cherry picked from commit 48be21bf39f9af35d53af0e211cbd50dcfd12d08)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 iptables/xtables-restore.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
 index dd907e0b8ddd5..63cc15cee9621 100644
 --- a/iptables/xtables-restore.c
 +++ b/iptables/xtables-restore.c
@@ -281,7 +281,7 @@ void xtables_restore_parse(struct nft_handle *h,
 			   const struct nft_xt_restore_parse *p)
 {
 	struct nft_xt_restore_state state = {};
 -	char preload_buffer[PREBUFSIZ] = {}, buffer[10240], *ptr;
 +	char preload_buffer[PREBUFSIZ] = {}, buffer[10240] = {}, *ptr;
 	if (!h->noflush) {
 		nft_fake_cache(h);
 -- 
 2.24.1
--- a/0005-extensions-time-Avoid-undefined-shift.patch
+++ b/0005-extensions-time-Avoid-undefined-shift.patch
@ -1,31 +0,0 @@
 From cf6d2d3892f62d60fa029a94867a99e87e2ab175 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 5 Dec 2019 13:15:01 +0100
 Subject: [PATCH] extensions: time: Avoid undefined shift
 Value 1 is signed by default and left-shifting by 31 is undefined for
 those. Fix this by marking the value as unsigned.
 Fixes: ad326ef9f734a ("Add the libxt_time iptables match")
 (cherry picked from commit 98b221002960040bf3505811c06025b6b9b6984b)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 extensions/libxt_time.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
 index 5a8cc5de13031..d001f5b7f448f 100644
 --- a/extensions/libxt_time.c
 +++ b/extensions/libxt_time.c
@@ -330,7 +330,7 @@ static void time_print_monthdays(uint32_t mask, bool human_readable)
 	printf(" ");
 	for (i = 1; i <= 31; ++i)
 -		if (mask & (1 << i)) {
 +		if (mask & (1u << i)) {
 			if (nbdays++ > 0)
 				printf(",");
 			printf("%u", i);
 -- 
 2.24.1
--- a/0006-extensions-cluster-Avoid-undefined-shift.patch
+++ b/0006-extensions-cluster-Avoid-undefined-shift.patch
@ -1,31 +0,0 @@
 From adfa4a0a95d26b7aaae0c1754f77a863bcd05120 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 5 Dec 2019 13:36:31 +0100
 Subject: [PATCH] extensions: cluster: Avoid undefined shift
 Value 1 is signed by default and left-shifting by 31 is undefined for
 those. Fix this by marking the value as unsigned.
 Fixes: 64a0e09894e52 ("extensions: libxt_cluster: Add translation to nft")
 (cherry picked from commit 28c16371cdad16707674450b59919e3d97185694)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 extensions/libxt_cluster.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/extensions/libxt_cluster.c b/extensions/libxt_cluster.c
 index c9c35ee22e3df..d164bf6960166 100644
 --- a/extensions/libxt_cluster.c
 +++ b/extensions/libxt_cluster.c
@@ -156,7 +156,7 @@ static int cluster_xlate(struct xt_xlate *xl,
 		xt_xlate_add(xl, "%s %u seed 0x%08x ", jhash_st,
 				info->total_nodes, info->hash_seed);
 		for (node = 0; node < 32; node++) {
 -			if (info->node_mask & (1 << node)) {
 +			if (info->node_mask & (1u << node)) {
 				if (needs_set == 0) {
 					xt_xlate_add(xl, "{ ");
 					needs_set = 1;
 -- 
 2.24.1
--- a/0007-xtables-translate-Guard-strcpy-call-in-xlate_ifname.patch
+++ b/0007-xtables-translate-Guard-strcpy-call-in-xlate_ifname.patch
@ -1,40 +0,0 @@
 From 24e3defb866ecd391ee92417129df96402e1867c Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 5 Dec 2019 16:01:29 +0100
 Subject: [PATCH] xtables-translate: Guard strcpy() call in xlate_ifname()
 The function potentially fed overlong strings to strcpy(). Given that
 everything needed to avoid this is there, reorder code a bit to prevent
 those inputs, too.
 Fixes: 0ddd663e9c167 ("iptables-translate: add in/out ifname wildcard match translation to nft")
 (cherry picked from commit 2861bdbbf062071487a49103513d129ce40e2652)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 iptables/xtables-translate.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
 index a42c60a3b64c6..77a186b905d73 100644
 --- a/iptables/xtables-translate.c
 +++ b/iptables/xtables-translate.c
@@ -32,14 +32,13 @@
 void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
 		  bool invert)
 {
 +	int ifaclen = strlen(ifname);
 	char iface[IFNAMSIZ];
 -	int ifaclen;
 -	if (ifname[0] == '\0')
 +	if (ifaclen < 1 || ifaclen >= IFNAMSIZ)
 		return;
 	strcpy(iface, ifname);
 -	ifaclen = strlen(iface);
 	if (iface[ifaclen - 1] == '+')
 		iface[ifaclen - 1] = '*';
 -- 
 2.24.1
--- a/0008-extensions-among-Check-call-to-fstat.patch
+++ b/0008-extensions-among-Check-call-to-fstat.patch
@ -1,41 +0,0 @@
 From 10b51ba86b63a4d7afa208ea206c7c9872bc6e0a Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 5 Dec 2019 16:35:51 +0100
 Subject: [PATCH] extensions: among: Check call to fstat()
 If this fails, a bogus length value may be passed to mmap().
 Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
 (cherry picked from commit 25b38bcbf2fdc019f438805c7d1ecd877af9c968)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 extensions/libebt_among.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
 index 2e87db3bc06fa..715d559f432c2 100644
 --- a/extensions/libebt_among.c
 +++ b/extensions/libebt_among.c
@@ -6,6 +6,7 @@
  * August, 2003
  */
 +#include <errno.h>
 #include <ctype.h>
 #include <fcntl.h>
 #include <getopt.h>
@@ -137,7 +138,10 @@ static int bramong_parse(int c, char **argv, int invert,
 		if ((fd = open(optarg, O_RDONLY)) == -1)
 			xtables_error(PARAMETER_PROBLEM,
 				      "Couldn't open file '%s'", optarg);
 -		fstat(fd, &stats);
 +		if (fstat(fd, &stats) < 0)
 +			xtables_error(PARAMETER_PROBLEM,
 +				      "fstat(%s) failed: '%s'",
 +				      optarg, strerror(errno));
 		flen = stats.st_size;
 		/* use mmap because the file will probably be big */
 		optarg = mmap(0, flen, PROT_READ | PROT_WRITE,
 -- 
 2.24.1
--- a/0009-xtables-restore-fix-for-noflush-and-empty-lines.patch
+++ b/0009-xtables-restore-fix-for-noflush-and-empty-lines.patch
@ -1,78 +0,0 @@
 From 17b62e149147f05d419103dbbde9dca361c2bd5d Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Tue, 11 Feb 2020 16:52:59 +0100
 Subject: [PATCH] xtables-restore: fix for --noflush and empty lines
 Lookahead buffer used for cache requirements estimate in restore
 --noflush separates individual lines with nul-chars. Two consecutive
 nul-chars are interpreted as end of buffer and remaining buffer content
 is skipped.
 Sadly, reading an empty line (i.e., one containing a newline character
 only) caused double nul-chars to appear in buffer as well, leading to
 premature stop when reading cached lines from buffer.
 To fix that, make use of xtables_restore_parse_line() skipping empty
 lines without calling strtok() and just leave the newline character in
 place. A more intuitive approach, namely skipping empty lines while
 buffering, is deliberately not chosen as that would cause wrong values
 in 'line' variable.
 Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400
 Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
 (cherry picked from commit 8e76391096f12212985c401ee83a67990aa27a29)
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 .../ipt-restore/0011-noflush-empty-line_0        | 16 ++++++++++++++++
 iptables/xtables-restore.c                       |  8 +++++---
 2 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
 diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
 new file mode 100755
 index 0000000000000..bea1a690bb624
 --- /dev/null
 +++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
@@ -0,0 +1,16 @@
 +#!/bin/bash -e
 +
 +# make sure empty lines won't break --noflush
 +
 +cat <<EOF | $XT_MULTI iptables-restore --noflush
 +# just a comment followed by innocent empty line
 +
 +*filter
 +-A FORWARD -j ACCEPT
 +COMMIT
 +EOF
 +
 +EXPECT='Chain FORWARD (policy ACCEPT)
 +target     prot opt source               destination         
 +ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           '
 +diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD)
 diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
 index 63cc15cee9621..fb2ac8b5c12a3 100644
 --- a/iptables/xtables-restore.c
 +++ b/iptables/xtables-restore.c
@@ -293,11 +293,13 @@ void xtables_restore_parse(struct nft_handle *h,
 		while (fgets(buffer, sizeof(buffer), p->in)) {
 			size_t blen = strlen(buffer);
 -			/* drop trailing newline; xtables_restore_parse_line()
 +			/* Drop trailing newline; xtables_restore_parse_line()
 			 * uses strtok() which replaces them by nul-characters,
 			 * causing unpredictable string delimiting in
 -			 * preload_buffer */
 -			if (buffer[blen - 1] == '\n')
 +			 * preload_buffer.
 +			 * Unless this is an empty line which would fold into a
 +			 * spurious EoB indicator (double nul-char). */
 +			if (buffer[blen - 1] == '\n' && blen > 1)
 				buffer[blen - 1] = '\0';
 			else
 				blen++;
 -- 
 2.24.1
--- a/iptables.spec
+++ b/iptables.spec
@ -18,8 +18,8 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
-Version: 1.8.4
+Version: 1.8.5
-Release: 7%{?dist}
+Release: 1%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@ -32,15 +32,8 @@ Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
 Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 %endif
-Patch1: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
+Patch1: 0001-build-resolve-iptables-apply-not-getting-installed.patch
-Patch2: 0002-Fix-DEBUG-build.patch
+Patch2: 0002-xtables-translate-don-t-fail-if-help-was-requested.patch
 Patch3: 0003-xtables-restore-Fix-parser-feed-from-line-buffer.patch
 Patch4: 0004-xtables-restore-Avoid-access-of-uninitialized-data.patch
 Patch5: 0005-extensions-time-Avoid-undefined-shift.patch
 Patch6: 0006-extensions-cluster-Avoid-undefined-shift.patch
 Patch7: 0007-xtables-translate-Guard-strcpy-call-in-xlate_ifname.patch
 Patch8: 0008-extensions-among-Check-call-to-fstat.patch
 Patch9: 0009-xtables-restore-fix-for-noflush-and-empty-lines.patch
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@ -238,10 +231,6 @@ chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic
 sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy
 install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic
 # install iptables-apply with man page
 install -m 755 iptables/iptables-apply %{buildroot}%{_sbindir}/
 install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/
 %if 0%{?fedora} > 24
 # Remove /etc/ethertypes (now part of setup)
 rm -f %{buildroot}%{_sysconfdir}/ethertypes
@ -351,6 +340,7 @@ fi
 %{_sysconfdir}/ethertypes
 %endif
 %{_sbindir}/iptables-apply
 %{_sbindir}/ip6tables-apply
 %{_sbindir}/iptables-legacy*
 %{_sbindir}/ip6tables-legacy*
 %{_sbindir}/xtables-legacy-multi
@ -456,6 +446,11 @@ fi
 %changelog
 * Tue Jun 23 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-1
 - Rebase onto upstream version 1.8.5 plus two late fixes
 - Drop explicit iptables-apply installation, upstream fixed that
 - Ship ip6tables-apply along with iptables package
 * Wed Feb 12 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-7
 - Move nft-specific extensions into iptables-nft package
 - Move remaining extensions into iptables-libs package
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (iptables-1.8.4.tar.bz2) = a7faaab58608ffaa51e26e8056551c0e91a49187439d30fcf5cce2800274cc3c0515db6cfba0f4c85613fb80779cf96089b8915db0e89161e9980a6384faebdb
+SHA512 (iptables-1.8.5.tar.bz2) = 6a6baa541bb7aa331b176e0a91894e0766859814b59e77c71351ac34d6ebd337487981db48c70e476a48c67bcf891cfc663221a7582feb1496ad1df56eb28da8
`@ -1 +1 @@`
	`SHA512 (iptables-1.8.4.tar.bz2) = a7faaab58608ffaa51e26e8056551c0e91a49187439d30fcf5cce2800274cc3c0515db6cfba0f4c85613fb80779cf96089b8915db0e89161e9980a6384faebdb`	`SHA512 (iptables-1.8.5.tar.bz2) = 6a6baa541bb7aa331b176e0a91894e0766859814b59e77c71351ac34d6ebd337487981db48c70e476a48c67bcf891cfc663221a7582feb1496ad1df56eb28da8`