Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/iptables.git#730c58d40441a3e02712919ad84548d819a7d1bd
2020-11-01 00:06:32 +00:00 · 2020-11-01 00:06:32 +00:00 · d2f355ad59
parent 311316e433
commit d2f355ad59
8 changed files with 7 additions and 253 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,4 @@
 /iptables-1.8.3.tar.bz2
 /iptables-1.8.4.tar.bz2
 /iptables-1.8.5.tar.bz2
+/iptables-1.8.6.tar.bz2
--- a/0001-build-resolve-iptables-apply-not-getting-installed.patch
+++ b/0001-build-resolve-iptables-apply-not-getting-installed.patch
@ -1,42 +0,0 @@
-From 55bb60d8ae717d3bc1cfdd6203604a18f30eb3c3 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Wed, 3 Jun 2020 15:38:48 +0200
-Subject: [PATCH] build: resolve iptables-apply not getting installed
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ip6tables-apply gets installed but iptables-apply does not.
-That is wrong.
-
-» make install DESTDIR=$PWD/r
-» find r -name "*app*"
-r/usr/local/sbin/ip6tables-apply
-r/usr/local/share/man/man8/iptables-apply.8
-r/usr/local/share/man/man8/ip6tables-apply.8
-
-Fixes: v1.8.5~87
-Signed-off-by: Jan Engelhardt <jengelh@inai.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit d4ed0c741fc789bb09d977d74d30875fdd50d08b)
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- iptables/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/Makefile.am b/iptables/Makefile.am
-index dc66b3cc09c08..2024dbf5cb88c 100644
--- a/iptables/Makefile.am
-+++ b/iptables/Makefile.am
-@@ -56,7 +56,7 @@ man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
-                    ip6tables-save.8 iptables-extensions.8 \
-                    iptables-apply.8 ip6tables-apply.8
- 
-sbin_SCRIPT      = iptables-apply
-+sbin_SCRIPTS     = iptables-apply
- 
- if ENABLE_NFTABLES
- man_MANS	+= xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
-- 
-2.27.0
-
--- a/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
+++ b/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
@ -1,60 +0,0 @@
-From 6e8f0c61f4c9abc2836d772fca97ff0d84c03360 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
-Date: Wed, 14 Nov 2018 07:35:28 +0100
-Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-introduced support for gcc feature to check format string against passed
-argument.  This commit adds missing bits to extenstions's libipt_icmp.c
-and libip6t_icmp6.c that were causing build to fail.
-
-Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- extensions/libip6t_icmp6.c | 4 ++--
- extensions/libipt_icmp.c   | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
-index 45a71875722c4..cc7bfaeb72fd7 100644
--- a/extensions/libip6t_icmp6.c
-+++ b/extensions/libip6t_icmp6.c
-@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 	type_name = icmp6_type_xlate(icmptype);
- 
- 	if (type_name) {
-		xt_xlate_add(xl, type_name);
-+		xt_xlate_add(xl, "%s", type_name);
- 	} else {
- 		for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
- 			if (icmpv6_codes[i].type == icmptype &&
-@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 				break;
- 
- 		if (i != ARRAY_SIZE(icmpv6_codes))
-			xt_xlate_add(xl, icmpv6_codes[i].name);
-+			xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
- 		else
- 			return 0;
- 	}
-diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
-index 5418997668d4c..e76257c54708c 100644
--- a/extensions/libipt_icmp.c
-+++ b/extensions/libipt_icmp.c
-@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- 			if (icmp_codes[i].type == icmptype &&
- 			    icmp_codes[i].code_min == code_min &&
- 			    icmp_codes[i].code_max == code_max) {
-				xt_xlate_add(xl, icmp_codes[i].name);
-+				xt_xlate_add(xl, "%s", icmp_codes[i].name);
- 				return 1;
- 			}
- 	}
-- 
-2.21.0
-
--- a/0002-xtables-translate-don-t-fail-if-help-was-requested.patch
+++ b/0002-xtables-translate-don-t-fail-if-help-was-requested.patch
@ -1,58 +0,0 @@
-From 51730adbe90a17e0d86d5adcab30040fa7e751ed Mon Sep 17 00:00:00 2001
-From: Arturo Borrero Gonzalez <arturo@netfilter.org>
-Date: Tue, 16 Jun 2020 11:20:42 +0200
-Subject: [PATCH] xtables-translate: don't fail if help was requested
-
-If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle
-this case in do_command_xlate().
-
-Before this patch, you would see:
-
- user@debian:~$ sudo iptables-translate -h
- [..]
- nft Unsupported command?
- user@debian:~$ echo $?
- 1
-
-After this patch:
-
- user@debian:~$ sudo iptables-translate -h
- [..]
- user@debian:~$ echo $?
- 0
-
-Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts")
-Acked-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
-(cherry picked from commit 2757c0b5e5fbbf569695469b331453cecefdf069)
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- iptables/xtables-translate.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
-index 5aa42496b5a48..363c8be15b3fa 100644
--- a/iptables/xtables-translate.c
-+++ b/iptables/xtables-translate.c
-@@ -249,7 +249,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
- 
- 	cs.restore = restore;
- 
-	if (!restore)
-+	if (!restore && p.command != CMD_NONE)
- 		printf("nft ");
- 
- 	switch (p.command) {
-@@ -310,6 +310,9 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
- 		break;
- 	case CMD_SET_POLICY:
- 		break;
-+	case CMD_NONE:
-+		ret = 1;
-+		break;
- 	default:
- 		/* We should never reach this... */
- 		printf("Unsupported command?\n");
-- 
-2.27.0
-
--- a/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
+++ b/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
@ -1,40 +0,0 @@
-From eacefb728885b5dc51036181de83b2df309d4e6b Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Wed, 29 Jul 2020 15:39:31 +0200
-Subject: [PATCH] nft: cache: Check consistency with NFT_CL_FAKE, too
-
-Athough this cache level fetches table names only, it shouldn't skip the
-consistency check.
-
-Fixes: f42bfb344af82 ("nft: cache: Re-establish cache consistency check")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-(cherry picked from commit b531365ce32f386d91c6a0bbc80ec4076e4babdd)
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- iptables/nft-cache.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
-index 638b18bc7e382..434cc10b82ce7 100644
--- a/iptables/nft-cache.c
-+++ b/iptables/nft-cache.c
-@@ -511,14 +511,14 @@ retry:
- 	if (req->level >= NFT_CL_TABLES)
- 		fetch_table_cache(h);
- 	if (req->level == NFT_CL_FAKE)
-		return;
-+		goto genid_check;
- 	if (req->level >= NFT_CL_CHAINS)
- 		fetch_chain_cache(h, t, chains);
- 	if (req->level >= NFT_CL_SETS)
- 		fetch_set_cache(h, t, NULL);
- 	if (req->level >= NFT_CL_RULES)
- 		fetch_rule_cache(h, t);
-
-+genid_check:
- 	mnl_genid_get(h, &genid_check);
- 	if (h->nft_genid != genid_check) {
- 		flush_cache(h, h->cache, NULL);
-- 
-2.27.0
-
--- a/0004-nft-Fix-command-name-in-ip6tables-error-message.patch
+++ b/0004-nft-Fix-command-name-in-ip6tables-error-message.patch
@ -1,45 +0,0 @@
-From dac3434e2e7ea297a3886c662d558305b460670b Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Fri, 7 Aug 2020 13:48:28 +0200
-Subject: [PATCH] nft: Fix command name in ip6tables error message
-
-Upon errors, ip6tables-nft would prefix its error messages with
-'iptables:' instead of 'ip6tables:'. Turns out the command name was
-hard-coded, use 'progname' variable instead.
-While being at it, merge the two mostly identical fprintf() calls into
-one.
-
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-(cherry picked from commit 3be40dcfb5af1438b6abdbda45a1e3b59c104e13)
-Signed-off-by: Phil Sutter <psutter@redhat.com>
---
- iptables/xtables-standalone.c | 12 ++++--------
- 1 file changed, 4 insertions(+), 8 deletions(-)
-
-diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
-index dd6fb7919d2e1..7b71db62f1ea6 100644
--- a/iptables/xtables-standalone.c
-+++ b/iptables/xtables-standalone.c
-@@ -75,14 +75,10 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
- 	xtables_fini();
- 
- 	if (!ret) {
-		if (errno == EINVAL) {
-			fprintf(stderr, "iptables: %s. "
-					"Run `dmesg' for more information.\n",
-				nft_strerror(errno));
-		} else {
-			fprintf(stderr, "iptables: %s.\n",
-				nft_strerror(errno));
-		}
-+		fprintf(stderr, "%s: %s.%s\n", progname, nft_strerror(errno),
-+			(errno == EINVAL ?
-+			 " Run `dmesg' for more information." : ""));
-+
- 		if (errno == EAGAIN)
- 			exit(RESOURCE_PROBLEM);
- 	}
-- 
-2.27.0
-
--- a/iptables.spec
+++ b/iptables.spec
@ -18,8 +18,8 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
-Version: 1.8.5
-Release: 3%{?dist}
+Version: 1.8.6
+Release: 1%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@ -32,11 +32,6 @@ Source7: %{url}/files/%{name}-%{version_old}.tar.bz2
 Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 %endif

-Patch1: 0001-build-resolve-iptables-apply-not-getting-installed.patch
-Patch2: 0002-xtables-translate-don-t-fail-if-help-was-requested.patch
-Patch3: 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
-Patch4: 0004-nft-Fix-command-name-in-ip6tables-error-message.patch
-
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
 License: GPLv2 and Artistic Licence 2.0 and ISC
@ -448,6 +443,9 @@ fi


 %changelog
+* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.8.6-1
+- Update to 1.8.6. Fixes bug #1893453
+
 * Tue Aug 25 15:56:10 GMT 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3
 - nft: cache: Check consistency with NFT_CL_FAKE, too
 - nft: Fix command name in ip6tables error message
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (iptables-1.8.5.tar.bz2) = 6a6baa541bb7aa331b176e0a91894e0766859814b59e77c71351ac34d6ebd337487981db48c70e476a48c67bcf891cfc663221a7582feb1496ad1df56eb28da8
+SHA512 (iptables-1.8.6.tar.bz2) = d06e4cddb69822c4618664a35877fc5811992936cade2040bb0e4eb25a4d879eadc7c84401c40fb39ffac7888568505adcb1cfe995cd166a15c702237daf6acf