diff --git a/0146-iptables-restore-Drop-dead-code.patch b/0146-iptables-restore-Drop-dead-code.patch new file mode 100644 index 0000000..b1cb361 --- /dev/null +++ b/0146-iptables-restore-Drop-dead-code.patch @@ -0,0 +1,31 @@ +From 0482da08db2dcf9414008c286ebf227952512b03 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 13 Jul 2023 18:32:02 +0200 +Subject: [PATCH] iptables-restore: Drop dead code + +Handle initialization is guarded by 'in_table' boolean, so there can't +be a handle already (because the branch which unsets 'in_table' also +frees the handle). + +Signed-off-by: Phil Sutter +(cherry picked from commit 4d9453233538200e9663c6bd0c2df09e1671b5f4) +--- + iptables/iptables-restore.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index 3b821467db355..6dfafe0c18072 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -225,8 +225,6 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb, + } + continue; + } +- if (handle) +- cb->ops->free(handle); + + handle = create_handle(cb, table); + if (noflush == 0) { +-- +2.41.0 + diff --git a/0147-iptables-apply-Eliminate-shellcheck-warnings.patch b/0147-iptables-apply-Eliminate-shellcheck-warnings.patch new file mode 100644 index 0000000..a97159d --- /dev/null +++ b/0147-iptables-apply-Eliminate-shellcheck-warnings.patch @@ -0,0 +1,82 @@ +From ff0c0dc23fec33e339974e419c664d3bef39edc9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 1 Aug 2023 16:56:42 +0200 +Subject: [PATCH] iptables-apply: Eliminate shellcheck warnings + +Actual warnings were only about use of '-a' in bracket expressions +(replace by '&&' pipeline) and the immediate evaluation of the variable +in trap command. + +The remaining changes silence info-level messages: missing quoting +around variables, pointless '$' in arithmetic expressions, backticks +instead of $(...), missing '-r' parameter when calling read and an +awkward negated '-z' check. + +Signed-off-by: Phil Sutter +(cherry picked from commit 9f98550d58a49fc95d529ebdc0173579d957b425) +--- + iptables/iptables-apply | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/iptables/iptables-apply b/iptables/iptables-apply +index 3a7df5e3cbc1f..c603fb2113ef3 100755 +--- a/iptables/iptables-apply ++++ b/iptables/iptables-apply +@@ -141,9 +141,9 @@ for opt in $OPTS; do + ;; + (*) + case "${OPT_STATE:-}" in +- (SET_TIMEOUT) eval TIMEOUT=$opt;; ++ (SET_TIMEOUT) eval TIMEOUT="$opt";; + (SET_SAVEFILE) +- eval SAVEFILE=$opt ++ eval SAVEFILE="$opt" + [ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE" + ;; + esac +@@ -163,13 +163,13 @@ done + + # Validate parameters + if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then +- TIMEOUT=$(($TIMEOUT)) ++ TIMEOUT=$((TIMEOUT)) + else + echo "Error: timeout must be a positive number" >&2 + exit 1 + fi + +-if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then ++if [ -n "$SAVEFILE" ] && [ -e "$SAVEFILE" ] && [ ! -w "$SAVEFILE" ]; then + echo "Error: savefile not writable: $SAVEFILE" >&2 + exit 8 + fi +@@ -205,8 +205,8 @@ esac + ### Begin work + + # Store old iptables rules to temporary file +-TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX` +-trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \ ++TMPFILE=$(mktemp "/tmp/$PROGNAME-XXXXXXXX") ++trap 'rm -f $TMPFILE' EXIT HUP INT QUIT ILL TRAP ABRT BUS \ + FPE USR1 SEGV USR2 PIPE ALRM TERM + + if ! "$SAVE" >"$TMPFILE"; then +@@ -257,13 +257,13 @@ esac + # Prompt user for confirmation + echo -n "Can you establish NEW connections to the machine? (y/N) " + +-read -n1 -t "$TIMEOUT" ret 2>&1 || : ++read -r -n1 -t "$TIMEOUT" ret 2>&1 || : + case "${ret:-}" in + (y*|Y*) + # Success + echo + +- if [ ! -z "$SAVEFILE" ]; then ++ if [ -n "$SAVEFILE" ]; then + # Write successfully applied rules to the savefile + echo "Writing successfully applied rules to '$SAVEFILE'..." + if ! "$SAVE" >"$SAVEFILE"; then +-- +2.41.0 + diff --git a/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch b/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch new file mode 100644 index 0000000..118da17 --- /dev/null +++ b/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch @@ -0,0 +1,51 @@ +From f4f3fd1fa83a56c051fa72ee619ef23942e65504 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 28 Jan 2021 01:09:56 +0100 +Subject: [PATCH] ebtables: Exit gracefully on invalid table names + +Users are able to cause program abort by passing a table name that +doesn't exist: + +| # ebtables-nft -t dummy -P INPUT ACCEPT +| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed. +| Aborted + +Avoid this by checking table existence just like iptables-nft does upon +parsing '-t' optarg. Since the list of tables is known and fixed, +checking the given name's length is pointless. So just drop that check +in return. + +With this patch in place, output looks much better: + +| # ebtables-nft -t dummy -P INPUT ACCEPT +| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist +| Perhaps iptables or your kernel needs to be upgraded. + +Signed-off-by: Phil Sutter +(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f) +--- + iptables/xtables-eb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c +index a3d659fb35e27..6e47feec5132f 100644 +--- a/iptables/xtables-eb.c ++++ b/iptables/xtables-eb.c +@@ -957,10 +957,10 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, + xtables_error(PARAMETER_PROBLEM, + "The -t option (seen in line %u) cannot be used in %s.\n", + line, xt_params->program_name); +- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1) +- xtables_error(PARAMETER_PROBLEM, +- "Table name length cannot exceed %d characters", +- EBT_TABLE_MAXNAMELEN - 1); ++ if (!nft_table_builtin_find(h, optarg)) ++ xtables_error(VERSION_PROBLEM, ++ "table '%s' does not exist", ++ optarg); + *table = optarg; + table_set = true; + break; +-- +2.41.0 + diff --git a/iptables.spec b/iptables.spec index 479f5dd..705c2f8 100644 --- a/iptables.spec +++ b/iptables.spec @@ -10,7 +10,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: http://www.netfilter.org/projects/iptables Version: 1.8.5 -Release: 10%{?dist} +Release: 11%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -169,6 +169,9 @@ Patch142: 0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch Patch143: 0143-nft-Special-casing-for-among-match-in-compare_matche.patch Patch144: 0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch Patch145: 0145-iptables-nft-fix-basechain-policy-configuration.patch +Patch146: 0146-iptables-restore-Drop-dead-code.patch +Patch147: 0147-iptables-apply-Eliminate-shellcheck-warnings.patch +Patch148: 0148-ebtables-Exit-gracefully-on-invalid-table-names.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -541,6 +544,11 @@ done %doc %{_mandir}/man8/ebtables*.8* %changelog +* Thu Nov 16 2023 Phil Sutter - 1.8.5-11 +- iptables-restore: Drop dead code +- iptables-apply: Eliminate shellcheck warnings +- ebtables: Exit gracefully on invalid table names + * Fri Sep 08 2023 Phil Sutter - 1.8.5-10 - Bump NVR to fix for wrong build tag