From d2f355ad5990bfb9a23d2cdee180f3cf599334c7 Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Sun, 1 Nov 2020 00:06:32 +0000
Subject: [PATCH] Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/iptables.git#730c58d40441a3e02712919ad84548d819a7d1bd
---
 .gitignore | 1 +
 ...iptables-apply-not-getting-installed.patch | 42 -------------
 ...mat-security-fixes-in-libip-6-t_icmp.patch | 60 -------------------
 ...ate-don-t-fail-if-help-was-requested.patch | 58 ------------------
 ...eck-consistency-with-NFT_CL_FAKE-too.patch | 40 -------------
 ...mand-name-in-ip6tables-error-message.patch | 45 --------------
 iptables.spec | 12 ++--
 sources | 2 +-
 8 files changed, 7 insertions(+), 253 deletions(-)
 delete mode 100644 0001-build-resolve-iptables-apply-not-getting-installed.patch
 delete mode 100644 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 delete mode 100644 0002-xtables-translate-don-t-fail-if-help-was-requested.patch
 delete mode 100644 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
 delete mode 100644 0004-nft-Fix-command-name-in-ip6tables-error-message.patch
diff --git a/.gitignore b/.gitignore
index ae4c970..a72e3b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /iptables-1.8.3.tar.bz2
 /iptables-1.8.4.tar.bz2
 /iptables-1.8.5.tar.bz2
+/iptables-1.8.6.tar.bz2
diff --git a/0001-build-resolve-iptables-apply-not-getting-installed.patch b/0001-build-resolve-iptables-apply-not-getting-installed.patch
deleted file mode 100644
index 26e08db..0000000
--- a/0001-build-resolve-iptables-apply-not-getting-installed.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 55bb60d8ae717d3bc1cfdd6203604a18f30eb3c3 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt
-Date: Wed, 3 Jun 2020 15:38:48 +0200
-Subject: [PATCH] build: resolve iptables-apply not getting installed
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ip6tables-apply gets installed but iptables-apply does not.
-That is wrong.
-
-» make install DESTDIR=$PWD/r
-» find r -name "*app*"
-r/usr/local/sbin/ip6tables-apply
-r/usr/local/share/man/man8/iptables-apply.8
-r/usr/local/share/man/man8/ip6tables-apply.8
-
-Fixes: v1.8.5~87
-Signed-off-by: Jan Engelhardt
-Signed-off-by: Pablo Neira Ayuso
-(cherry picked from commit d4ed0c741fc789bb09d977d74d30875fdd50d08b)
-Signed-off-by: Phil Sutter
----
- iptables/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/Makefile.am b/iptables/Makefile.am
-index dc66b3cc09c08..2024dbf5cb88c 100644
---- a/iptables/Makefile.am
-+++ b/iptables/Makefile.am
-@@ -56,7 +56,7 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
- ip6tables-save.8 iptables-extensions.8 \
- iptables-apply.8 ip6tables-apply.8
-
--sbin_SCRIPT = iptables-apply
-+sbin_SCRIPTS = iptables-apply
-
- if ENABLE_NFTABLES
- man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
---
-2.27.0
-
diff --git a/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch b/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
deleted file mode 100644
index 1bdbbd1..0000000
--- a/0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 6e8f0c61f4c9abc2836d772fca97ff0d84c03360 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?=
-Date: Wed, 14 Nov 2018 07:35:28 +0100
-Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-introduced support for gcc feature to check format string against passed
-argument. This commit adds missing bits to extenstions's libipt_icmp.c
-and libip6t_icmp6.c that were causing build to fail.
-
-Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-Signed-off-by: Adam Gołębiowski
-Signed-off-by: Pablo Neira Ayuso
-Signed-off-by: Phil Sutter
----
- extensions/libip6t_icmp6.c | 4 ++--
- extensions/libipt_icmp.c | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
-index 45a71875722c4..cc7bfaeb72fd7 100644
---- a/extensions/libip6t_icmp6.c
-+++ b/extensions/libip6t_icmp6.c
-@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- type_name = icmp6_type_xlate(icmptype);
-
- if (type_name) {
-- xt_xlate_add(xl, type_name);
-+ xt_xlate_add(xl, "%s", type_name);
- } else {
- for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
- if (icmpv6_codes[i].type == icmptype &&
-@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- break;
-
- if (i != ARRAY_SIZE(icmpv6_codes))
-- xt_xlate_add(xl, icmpv6_codes[i].name);
-+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
- else
- return 0;
- }
-diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
-index 5418997668d4c..e76257c54708c 100644
---- a/extensions/libipt_icmp.c
-+++ b/extensions/libipt_icmp.c
-@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
- if (icmp_codes[i].type == icmptype &&
- icmp_codes[i].code_min == code_min &&
- icmp_codes[i].code_max == code_max) {
-- xt_xlate_add(xl, icmp_codes[i].name);
-+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
- return 1;
- }
- }
---
-2.21.0
-
diff --git a/0002-xtables-translate-don-t-fail-if-help-was-requested.patch b/0002-xtables-translate-don-t-fail-if-help-was-requested.patch
deleted file mode 100644
index 4fcb549..0000000
--- a/0002-xtables-translate-don-t-fail-if-help-was-requested.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 51730adbe90a17e0d86d5adcab30040fa7e751ed Mon Sep 17 00:00:00 2001
-From: Arturo Borrero Gonzalez
-Date: Tue, 16 Jun 2020 11:20:42 +0200
-Subject: [PATCH] xtables-translate: don't fail if help was requested
-
-If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle
-this case in do_command_xlate().
-
-Before this patch, you would see:
-
- user@debian:~$ sudo iptables-translate -h
- [..]
- nft Unsupported command?
- user@debian:~$ echo $?
- 1
-
-After this patch:
-
- user@debian:~$ sudo iptables-translate -h
- [..]
- user@debian:~$ echo $?
- 0
-
-Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts")
-Acked-by: Phil Sutter
-Signed-off-by: Arturo Borrero Gonzalez
-(cherry picked from commit 2757c0b5e5fbbf569695469b331453cecefdf069)
-Signed-off-by: Phil Sutter
----
- iptables/xtables-translate.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
-index 5aa42496b5a48..363c8be15b3fa 100644
---- a/iptables/xtables-translate.c
-+++ b/iptables/xtables-translate.c
-@@ -249,7 +249,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
-
- cs.restore = restore;
-
-- if (!restore)
-+ if (!restore && p.command != CMD_NONE)
- printf("nft ");
-
- switch (p.command) {
-@@ -310,6 +310,9 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
- break;
- case CMD_SET_POLICY:
- break;
-+ case CMD_NONE:
-+ ret = 1;
-+ break;
- default:
- /* We should never reach this... */
- printf("Unsupported command?\n");
---
-2.27.0
-
diff --git a/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch b/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
deleted file mode 100644
index abe95fe..0000000
--- a/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From eacefb728885b5dc51036181de83b2df309d4e6b Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 29 Jul 2020 15:39:31 +0200
-Subject: [PATCH] nft: cache: Check consistency with NFT_CL_FAKE, too
-
-Athough this cache level fetches table names only, it shouldn't skip the
-consistency check.
-
-Fixes: f42bfb344af82 ("nft: cache: Re-establish cache consistency check")
-Signed-off-by: Phil Sutter
-(cherry picked from commit b531365ce32f386d91c6a0bbc80ec4076e4babdd)
-Signed-off-by: Phil Sutter
----
- iptables/nft-cache.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
-index 638b18bc7e382..434cc10b82ce7 100644
---- a/iptables/nft-cache.c
-+++ b/iptables/nft-cache.c
-@@ -511,14 +511,14 @@ retry:
- if (req->level >= NFT_CL_TABLES)
- fetch_table_cache(h);
- if (req->level == NFT_CL_FAKE)
-- return;
-+ goto genid_check;
- if (req->level >= NFT_CL_CHAINS)
- fetch_chain_cache(h, t, chains);
- if (req->level >= NFT_CL_SETS)
- fetch_set_cache(h, t, NULL);
- if (req->level >= NFT_CL_RULES)
- fetch_rule_cache(h, t);
--
-+genid_check:
- mnl_genid_get(h, &genid_check);
- if (h->nft_genid != genid_check) {
- flush_cache(h, h->cache, NULL);
---
-2.27.0
-
diff --git a/0004-nft-Fix-command-name-in-ip6tables-error-message.patch b/0004-nft-Fix-command-name-in-ip6tables-error-message.patch
deleted file mode 100644
index b9a83f6..0000000
--- a/0004-nft-Fix-command-name-in-ip6tables-error-message.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From dac3434e2e7ea297a3886c662d558305b460670b Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 7 Aug 2020 13:48:28 +0200
-Subject: [PATCH] nft: Fix command name in ip6tables error message
-
-Upon errors, ip6tables-nft would prefix its error messages with
-'iptables:' instead of 'ip6tables:'. Turns out the command name was
-hard-coded, use 'progname' variable instead.
-While being at it, merge the two mostly identical fprintf() calls into
-one.
-
-Signed-off-by: Phil Sutter
-Acked-by: Pablo Neira Ayuso
-(cherry picked from commit 3be40dcfb5af1438b6abdbda45a1e3b59c104e13)
-Signed-off-by: Phil Sutter
----
- iptables/xtables-standalone.c | 12 ++++--------
- 1 file changed, 4 insertions(+), 8 deletions(-)
-
-diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
-index dd6fb7919d2e1..7b71db62f1ea6 100644
---- a/iptables/xtables-standalone.c
-+++ b/iptables/xtables-standalone.c
-@@ -75,14 +75,10 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
- xtables_fini();
-
- if (!ret) {
-- if (errno == EINVAL) {
-- fprintf(stderr, "iptables: %s. "
-- "Run `dmesg' for more information.\n",
-- nft_strerror(errno));
-- } else {
-- fprintf(stderr, "iptables: %s.\n",
-- nft_strerror(errno));
-- }
-+ fprintf(stderr, "%s: %s.%s\n", progname, nft_strerror(errno),
-+ (errno == EINVAL ?
-+ " Run `dmesg' for more information." : ""));
-+
- if (errno == EAGAIN)
- exit(RESOURCE_PROBLEM);
- }
---
-2.27.0
-
diff --git a/iptables.spec b/iptables.spec
index 42ce8c2..21cd8f1 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -18,8 +18,8 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
-Version: 1.8.5
-Release: 3%{?dist}
+Version: 1.8.6
+Release: 1%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -32,11 +32,6 @@ Source7: %{url}/files/%{name}-%{version_old}.tar.bz2 Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch %endif -Patch1: 0001-build-resolve-iptables-apply-not-getting-installed.patch -Patch2: 0002-xtables-translate-don-t-fail-if-help-was-requested.patch -Patch3: 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch -Patch4: 0004-nft-Fix-command-name-in-ip6tables-error-message.patch - # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 License: GPLv2 and Artistic Licence 2.0 and ISC @@ -448,6 +443,9 @@ fi %changelog +* Sat Oct 31 2020 Kevin Fenzi - 1.8.6-1 +- Update to 1.8.6. Fixes bug #1893453 + * Tue Aug 25 15:56:10 GMT 2020 Phil Sutter - 1.8.5-3 - nft: cache: Check consistency with NFT_CL_FAKE, too - nft: Fix command name in ip6tables error message diff --git a/sources b/sources index a7e9f94..ece3ae2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (iptables-1.8.5.tar.bz2) = 6a6baa541bb7aa331b176e0a91894e0766859814b59e77c71351ac34d6ebd337487981db48c70e476a48c67bcf891cfc663221a7582feb1496ad1df56eb28da8 +SHA512 (iptables-1.8.6.tar.bz2) = d06e4cddb69822c4618664a35877fc5811992936cade2040bb0e4eb25a4d879eadc7c84401c40fb39ffac7888568505adcb1cfe995cd166a15c702237daf6acf
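Review bot: The context line `Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch` in the `@@ -32,11 +32,6 @@` hunk still names a file that this same commit removes from the repository (see its `delete mode 100644` entry in the summary). Any build that takes the conditional closed by `%endif` would therefore stop on a missing source. The opening `%if` sits above the hunk, so whether that branch is ever enabled cannot be seen here. That patch carries the format-string fixes (`xt_xlate_add(xl, "%s", ...)`) for the `%{version_old}` sources, so it should either stay in dist-git next to `Source7`, or the `Source7`/`Source8` lines and whatever applies them should be dropped together. Only the four `PatchN` files removed in this hunk look safe to delete on their own, presumably because 1.8.6 already contains them.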