diff --git a/0012-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch b/0012-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch new file mode 100644 index 0000000..d07e50f --- /dev/null +++ b/0012-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch @@ -0,0 +1,130 @@ +From 172a84516d3311733cf2a11acc7a86203ad38156 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 28 Jul 2021 17:53:53 +0200 +Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options + +Drop any reference to them (and the environment variable) but list them +in BUGS section hinting at ebtables-save and -restore tools. + +Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page") +Signed-off-by: Phil Sutter +Acked-by: Pablo Neira Ayuso +(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39) +--- + iptables/ebtables-nft.8 | 64 ++++++----------------------------------- + 1 file changed, 8 insertions(+), 56 deletions(-) + +diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 +index 1fa5ad9388cc0..08e9766f2cc74 100644 +--- a/iptables/ebtables-nft.8 ++++ b/iptables/ebtables-nft.8 +@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based) + .br + .BR "ebtables " [ -t " table ] " --init-table + .br +-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit +-.br +-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init +-.br +-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save +-.br + + .SH DESCRIPTION + .B ebtables +@@ -149,11 +143,9 @@ a table, the commands apply to the default filter table. + Only one command may be used on the command line at a time, except when + the commands + .BR -L " and " -Z +-are combined, the commands ++are combined or the commands + .BR -N " and " -P +-are combined, or when +-.B --atomic-file +-is used. ++are combined. + .TP + .B "-A, --append" + Append a rule to the end of the selected chain. +@@ -313,39 +305,6 @@ of the ebtables kernel table. + .TP + .B "--init-table" + Replace the current table data by the initial table data. +-.TP +-.B "--atomic-init" +-Copy the kernel's initial data of the table to the specified +-file. This can be used as the first action, after which rules are added +-to the file. The file can be specified using the +-.B --atomic-file +-command or through the +-.IR EBTABLES_ATOMIC_FILE " environment variable." +-.TP +-.B "--atomic-save" +-Copy the kernel's current data of the table to the specified +-file. This can be used as the first action, after which rules are added +-to the file. The file can be specified using the +-.B --atomic-file +-command or through the +-.IR EBTABLES_ATOMIC_FILE " environment variable." +-.TP +-.B "--atomic-commit" +-Replace the kernel table data with the data contained in the specified +-file. This is a useful command that allows you to load all your rules of a +-certain table into the kernel at once, saving the kernel a lot of precious +-time and allowing atomic updates of the tables. The file which contains +-the table data is constructed by using either the +-.B "--atomic-init" +-or the +-.B "--atomic-save" +-command to generate a starting file. After that, using the +-.B "--atomic-file" +-command when constructing rules or setting the +-.IR EBTABLES_ATOMIC_FILE " environment variable" +-allows you to extend the file and build the complete table before +-committing it to the kernel. This command can be very useful in boot scripts +-to populate the ebtables tables in a fast way. + .SS MISCELLANOUS COMMANDS + .TP + .B "-V, --version" +@@ -371,16 +330,6 @@ a target extension (see + .BR "TARGET EXTENSIONS" ")" + or a user-defined chain name. + .TP +-.B --atomic-file "\fIfile\fP" +-Let the command operate on the specified +-.IR file . +-The data of the table to +-operate on will be extracted from the file and the result of the operation +-will be saved back into the file. If specified, this option should come +-before the command specification. An alternative that should be preferred, +-is setting the +-.IR EBTABLES_ATOMIC_FILE " environment variable." +-.TP + .B -M, --modprobe "\fIprogram\fP" + When talking to the kernel, use this + .I program +@@ -1100,8 +1049,6 @@ arp message and the hardware address length in the arp header is 6 bytes. + .br + .SH FILES + .I /etc/ethertypes +-.SH ENVIRONMENT VARIABLES +-.I EBTABLES_ATOMIC_FILE + .SH MAILINGLISTS + .BR "" "See " http://netfilter.org/mailinglists.html + .SH BUGS +@@ -1109,7 +1056,12 @@ The version of ebtables this man page ships with does not support the + .B broute + table. Also there is no support for + .B string +-match. And finally, this list is probably not complete. ++match. Further, support for atomic-options ++.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit ) ++has not been implemented, although ++.BR ebtables-save " and " ebtables-restore ++might replace them entirely given the inherent atomicity of nftables. ++Finally, this list is probably not complete. + .SH SEE ALSO + .BR xtables-nft "(8), " iptables "(8), " ip (8) + .PP +-- +2.32.0 + diff --git a/0013-nft-Fix-for-non-verbose-check-command.patch b/0013-nft-Fix-for-non-verbose-check-command.patch new file mode 100644 index 0000000..3d9d27d --- /dev/null +++ b/0013-nft-Fix-for-non-verbose-check-command.patch @@ -0,0 +1,31 @@ +From f3d74895be5847db13af403067c28385356376df Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 3 Aug 2021 10:55:20 +0200 +Subject: [PATCH] nft: Fix for non-verbose check command + +Check command was unconditionally verbose since v1.8.5. Make it respect +--verbose option again. + +Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") +Signed-off-by: Phil Sutter +(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0) +--- + iptables/nft.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index f1deb82f87576..795dff8605404 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h) + case NFT_COMPAT_RULE_CHECK: + assert_chain_exists(h, cmd->table, cmd->jumpto); + ret = nft_rule_check(h, cmd->chain, cmd->table, +- cmd->obj.rule, cmd->rulenum); ++ cmd->obj.rule, cmd->verbose); + break; + case NFT_COMPAT_RULE_ZERO: + ret = nft_rule_zero_counters(h, cmd->chain, cmd->table, +-- +2.32.0 + diff --git a/iptables.spec b/iptables.spec index 9546dc3..5af268f 100644 --- a/iptables.spec +++ b/iptables.spec @@ -11,7 +11,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.7 -Release: 12%{?dist} +Release: 13%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -31,6 +31,8 @@ Patch08: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch Patch09: 0009-iptables-apply-Drop-unused-variable.patch Patch10: 0010-nft-cache-Sort-chains-on-demand-only.patch Patch11: 0011-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch +Patch12: 0012-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch +Patch13: 0013-nft-Fix-for-non-verbose-check-command.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -140,6 +142,7 @@ Requires: %{name} = %{version}-%{release} Obsoletes: %{name} < 1.4.16.1 # obsolete ipv6 sub package Obsoletes: %{name}-ipv6 < 1.4.11.1 +BuildArch: noarch %description services iptables services for IPv4 and IPv6 @@ -428,6 +431,11 @@ fi %changelog +* Thu Aug 05 2021 Phil Sutter - 1.8.7-13 +- doc: ebtables-nft.8: Adjust for missing atomic-options +- nft: Fix for non-verbose check command +- Build services sub-package as noarch + * Thu Jul 22 2021 Fedora Release Engineering - 1.8.7-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild