iptables-1.8.7-13

- doc: ebtables-nft.8: Adjust for missing atomic-options - nft: Fix for non-verbose check command - Build services sub-package as noarch
2021-08-05 14:19:53 +02:00 · 2021-08-05 14:19:53 +02:00 · cf09f27f91
commit cf09f27f91
parent 19e3e9da98
3 changed files with 170 additions and 1 deletions
--- a/0012-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
+++ b/0012-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
@ -0,0 +1,130 @@
 From 172a84516d3311733cf2a11acc7a86203ad38156 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Wed, 28 Jul 2021 17:53:53 +0200
 Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options
 Drop any reference to them (and the environment variable) but list them
 in BUGS section hinting at ebtables-save and -restore tools.
 Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
 (cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39)
 ---
 iptables/ebtables-nft.8 | 64 ++++++-----------------------------------
 1 file changed, 8 insertions(+), 56 deletions(-)
 diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
 index 1fa5ad9388cc0..08e9766f2cc74 100644
 --- a/iptables/ebtables-nft.8
 +++ b/iptables/ebtables-nft.8
@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
 .br
 .BR "ebtables " [ -t " table ] " --init-table
 .br
 -.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
 -.br
 -.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
 -.br
 -.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
 -.br
 .SH DESCRIPTION
 .B ebtables
@@ -149,11 +143,9 @@ a table, the commands apply to the default filter table.
 Only one command may be used on the command line at a time, except when
 the commands
 .BR -L " and " -Z
 -are combined, the commands
 +are combined or the commands
 .BR -N " and " -P
 -are combined, or when
 -.B --atomic-file
 -is used.
 +are combined.
 .TP
 .B "-A, --append"
 Append a rule to the end of the selected chain.
@@ -313,39 +305,6 @@ of the ebtables kernel table.
 .TP
 .B "--init-table"
 Replace the current table data by the initial table data.
 -.TP
 -.B "--atomic-init"
 -Copy the kernel's initial data of the table to the specified
 -file. This can be used as the first action, after which rules are added
 -to the file. The file can be specified using the
 -.B --atomic-file
 -command or through the
 -.IR EBTABLES_ATOMIC_FILE " environment variable."
 -.TP
 -.B "--atomic-save"
 -Copy the kernel's current data of the table to the specified
 -file. This can be used as the first action, after which rules are added
 -to the file. The file can be specified using the
 -.B --atomic-file
 -command or through the
 -.IR EBTABLES_ATOMIC_FILE " environment variable."
 -.TP
 -.B "--atomic-commit"
 -Replace the kernel table data with the data contained in the specified
 -file. This is a useful command that allows you to load all your rules of a
 -certain table into the kernel at once, saving the kernel a lot of precious
 -time and allowing atomic updates of the tables. The file which contains
 -the table data is constructed by using either the
 -.B "--atomic-init"
 -or the
 -.B "--atomic-save"
 -command to generate a starting file. After that, using the
 -.B "--atomic-file"
 -command when constructing rules or setting the
 -.IR EBTABLES_ATOMIC_FILE " environment variable"
 -allows you to extend the file and build the complete table before
 -committing it to the kernel. This command can be very useful in boot scripts
 -to populate the ebtables tables in a fast way.
 .SS MISCELLANOUS COMMANDS
 .TP
 .B "-V, --version"
@@ -371,16 +330,6 @@ a target extension (see
 .BR "TARGET EXTENSIONS" ")"
 or a user-defined chain name.
 .TP
 -.B --atomic-file "\fIfile\fP"
 -Let the command operate on the specified
 -.IR file .
 -The data of the table to
 -operate on will be extracted from the file and the result of the operation
 -will be saved back into the file. If specified, this option should come
 -before the command specification. An alternative that should be preferred,
 -is setting the
 -.IR EBTABLES_ATOMIC_FILE " environment variable."
 -.TP
 .B -M, --modprobe "\fIprogram\fP"
 When talking to the kernel, use this
 .I program
@@ -1100,8 +1049,6 @@ arp message and the hardware address length in the arp header is 6 bytes.
 .br
 .SH FILES
 .I /etc/ethertypes
 -.SH ENVIRONMENT VARIABLES
 -.I EBTABLES_ATOMIC_FILE
 .SH MAILINGLISTS
 .BR "" "See " http://netfilter.org/mailinglists.html
 .SH BUGS
@@ -1109,7 +1056,12 @@ The version of ebtables this man page ships with does not support the
 .B broute
 table. Also there is no support for
 .B string
 -match. And finally, this list is probably not complete.
 +match. Further, support for atomic-options
 +.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit )
 +has not been implemented, although
 +.BR ebtables-save " and " ebtables-restore
 +might replace them entirely given the inherent atomicity of nftables.
 +Finally, this list is probably not complete.
 .SH SEE ALSO
 .BR xtables-nft "(8), " iptables "(8), " ip (8)
 .PP
 -- 
 2.32.0
--- a/0013-nft-Fix-for-non-verbose-check-command.patch
+++ b/0013-nft-Fix-for-non-verbose-check-command.patch
@ -0,0 +1,31 @@
 From f3d74895be5847db13af403067c28385356376df Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Tue, 3 Aug 2021 10:55:20 +0200
 Subject: [PATCH] nft: Fix for non-verbose check command
 Check command was unconditionally verbose since v1.8.5. Make it respect
 --verbose option again.
 Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 (cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0)
 ---
 iptables/nft.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/iptables/nft.c b/iptables/nft.c
 index f1deb82f87576..795dff8605404 100644
 --- a/iptables/nft.c
 +++ b/iptables/nft.c
@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
 		case NFT_COMPAT_RULE_CHECK:
 			assert_chain_exists(h, cmd->table, cmd->jumpto);
 			ret = nft_rule_check(h, cmd->chain, cmd->table,
 -					     cmd->obj.rule, cmd->rulenum);
 +					     cmd->obj.rule, cmd->verbose);
 			break;
 		case NFT_COMPAT_RULE_ZERO:
 			ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
 -- 
 2.32.0
--- a/iptables.spec
+++ b/iptables.spec
@ -11,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 12%{?dist}
+Release: 13%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@ -31,6 +31,8 @@ Patch08: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
 Patch09: 0009-iptables-apply-Drop-unused-variable.patch
 Patch10: 0010-nft-cache-Sort-chains-on-demand-only.patch
 Patch11: 0011-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
 Patch12: 0012-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
 Patch13: 0013-nft-Fix-for-non-verbose-check-command.patch
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@ -140,6 +142,7 @@ Requires: %{name} = %{version}-%{release}
 Obsoletes: %{name} < 1.4.16.1
 # obsolete ipv6 sub package
 Obsoletes: %{name}-ipv6 < 1.4.11.1
 BuildArch: noarch
 %description services
 iptables services for IPv4 and IPv6
@ -428,6 +431,11 @@ fi
 %changelog
 * Thu Aug 05 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-13
 - doc: ebtables-nft.8: Adjust for missing atomic-options
 - nft: Fix for non-verbose check command
 - Build services sub-package as noarch
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild