import iptables-1.8.4-15.el8

SOURCES/0015-xtables-Review-nft_init.patch

@@ -0,0 +1,274 @@
+From 51f895d54af6e163e0290520e124e9413438ccf4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 21 Feb 2020 14:55:52 +0100
+Subject: [PATCH] xtables: Review nft_init()
+
+Move common code into nft_init(), such as:
+
+* initial zeroing nft_handle fields
+* family ops lookup and assignment to 'ops' field
+* setting of 'family' field
+
+This requires minor adjustments in xtables_restore_main() so extra field
+initialization doesn't happen before nft_init() call.
+
+As a side-effect, this fixes segfaulting xtables-monitor binary when
+printing rules for trace event as in that code-path 'ops' field wasn't
+initialized.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit d0446ab11182f6ca2adc486a124895f09a220c6e)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/nft.c                |  9 ++++++++-
+ iptables/nft.h                |  2 +-
+ iptables/xtables-arp.c        |  9 +--------
+ iptables/xtables-eb.c         |  9 +--------
+ iptables/xtables-monitor.c    |  2 +-
+ iptables/xtables-restore.c    | 14 +++++++-------
+ iptables/xtables-save.c       |  9 ++-------
+ iptables/xtables-standalone.c |  6 ++----
+ iptables/xtables-translate.c  |  2 +-
+ iptables/xtables.c            |  4 ----
+ 10 files changed, 24 insertions(+), 42 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 3f2a62ae12c07..0287add3fb21f 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -789,8 +789,10 @@ int nft_restart(struct nft_handle *h)
+ 	return 0;
+ }
+ 
+-int nft_init(struct nft_handle *h, const struct builtin_table *t)
++int nft_init(struct nft_handle *h, int family, const struct builtin_table *t)
+ {
++	memset(h, 0, sizeof(*h));
++
+ 	h->nl = mnl_socket_open(NETLINK_NETFILTER);
+ 	if (h->nl == NULL)
+ 		return -1;
+@@ -800,9 +802,14 @@ int nft_init(struct nft_handle *h, const struct builtin_table *t)
+ 		return -1;
+ 	}
+ 
++	h->ops = nft_family_ops_lookup(family);
++	if (!h->ops)
++		xtables_error(PARAMETER_PROBLEM, "Unknown family");
++
+ 	h->portid = mnl_socket_get_portid(h->nl);
+ 	h->tables = t;
+ 	h->cache = &h->__cache[0];
++	h->family = family;
+ 
+ 	INIT_LIST_HEAD(&h->obj_list);
+ 	INIT_LIST_HEAD(&h->err_list);
+diff --git a/iptables/nft.h b/iptables/nft.h
+index 51b5660314c0c..5cf260a6d2cd3 100644
+--- a/iptables/nft.h
++++ b/iptables/nft.h
+@@ -80,7 +80,7 @@ extern const struct builtin_table xtables_bridge[NFT_TABLE_MAX];
+ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
+ 	     int (*cb)(const struct nlmsghdr *nlh, void *data),
+ 	     void *data);
+-int nft_init(struct nft_handle *h, const struct builtin_table *t);
++int nft_init(struct nft_handle *h, int family, const struct builtin_table *t);
+ void nft_fini(struct nft_handle *h);
+ int nft_restart(struct nft_handle *h);
+ 
+diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
+index 9cfad76263d32..c8196f08baa59 100644
+--- a/iptables/xtables-arp.c
++++ b/iptables/xtables-arp.c
+@@ -500,17 +500,10 @@ int nft_init_arp(struct nft_handle *h, const char *pname)
+ 	init_extensionsa();
+ #endif
+ 
+-	memset(h, 0, sizeof(*h));
+-	h->family = NFPROTO_ARP;
+-
+-	if (nft_init(h, xtables_arp) < 0)
++	if (nft_init(h, NFPROTO_ARP, xtables_arp) < 0)
+ 		xtables_error(OTHER_PROBLEM,
+ 			      "Could not initialize nftables layer.");
+ 
+-	h->ops = nft_family_ops_lookup(h->family);
+-	if (h->ops == NULL)
+-		xtables_error(PARAMETER_PROBLEM, "Unknown family");
+-
+ 	return 0;
+ }
+ 
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 15b971da3d425..c006bc95ac681 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -739,16 +739,9 @@ int nft_init_eb(struct nft_handle *h, const char *pname)
+ 	init_extensionsb();
+ #endif
+ 
+-	memset(h, 0, sizeof(*h));
+-
+-	h->family = NFPROTO_BRIDGE;
+-
+-	if (nft_init(h, xtables_bridge) < 0)
++	if (nft_init(h, NFPROTO_BRIDGE, xtables_bridge) < 0)
+ 		xtables_error(OTHER_PROBLEM,
+ 			      "Could not initialize nftables layer.");
+-	h->ops = nft_family_ops_lookup(h->family);
+-	if (!h->ops)
+-		xtables_error(PARAMETER_PROBLEM, "Unknown family");
+ 
+ 	/* manually registering ebt matches, given the original ebtables parser
+ 	 * don't use '-m matchname' and the match can't be loaded dynamically when
+diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
+index a5245d1422af9..c2b31dbaa0795 100644
+--- a/iptables/xtables-monitor.c
++++ b/iptables/xtables-monitor.c
+@@ -615,7 +615,7 @@ int xtables_monitor_main(int argc, char *argv[])
+ 	init_extensions4();
+ #endif
+ 
+-	if (nft_init(&h, xtables_ipv4)) {
++	if (nft_init(&h, AF_INET, xtables_ipv4)) {
+ 		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+ 			xtables_globals.program_name,
+ 			xtables_globals.program_version,
+diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
+index fb2ac8b5c12a3..11834c0ea98c5 100644
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -360,15 +360,13 @@ static int
+ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
+ {
+ 	const struct builtin_table *tables;
+-	struct nft_handle h = {
+-		.family = family,
+-		.restore = true,
+-	};
+-	int c;
+ 	struct nft_xt_restore_parse p = {
+ 		.commit = true,
+ 		.cb = &restore_cb,
+ 	};
++	bool noflush = false;
++	struct nft_handle h;
++	int c;
+ 
+ 	line = 0;
+ 
+@@ -402,7 +400,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
+ 				print_usage(prog_name, PACKAGE_VERSION);
+ 				exit(0);
+ 			case 'n':
+-				h.noflush = 1;
++				noflush = true;
+ 				break;
+ 			case 'M':
+ 				xtables_modprobe_program = optarg;
+@@ -464,13 +462,15 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
+ 		return 1;
+ 	}
+ 
+-	if (nft_init(&h, tables) < 0) {
++	if (nft_init(&h, family, tables) < 0) {
+ 		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+ 				xtables_globals.program_name,
+ 				xtables_globals.program_version,
+ 				strerror(errno));
+ 		exit(EXIT_FAILURE);
+ 	}
++	h.noflush = noflush;
++	h.restore = true;
+ 
+ 	xtables_restore_parse(&h, &p);
+ 
+diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
+index 3a52f8c3d8209..228282deaed07 100644
+--- a/iptables/xtables-save.c
++++ b/iptables/xtables-save.c
+@@ -139,10 +139,8 @@ xtables_save_main(int family, int argc, char *argv[],
+ 	struct do_output_data d = {
+ 		.format = FMT_NOCOUNTS,
+ 	};
++	struct nft_handle h;
+ 	bool dump = false;
+-	struct nft_handle h = {
+-		.family	= family,
+-	};
+ 	FILE *file = NULL;
+ 	int ret, c;
+ 
+@@ -242,16 +240,13 @@ xtables_save_main(int family, int argc, char *argv[],
+ 		return 1;
+ 	}
+ 
+-	if (nft_init(&h, tables) < 0) {
++	if (nft_init(&h, family, tables) < 0) {
+ 		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+ 				xtables_globals.program_name,
+ 				xtables_globals.program_version,
+ 				strerror(errno));
+ 		exit(EXIT_FAILURE);
+ 	}
+-	h.ops = nft_family_ops_lookup(h.family);
+-	if (!h.ops)
+-		xtables_error(PARAMETER_PROBLEM, "Unknown family");
+ 
+ 	ret = do_output(&h, tablename, &d);
+ 	nft_fini(&h);
+diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
+index 1a28c5480629f..022d5dd44abbf 100644
+--- a/iptables/xtables-standalone.c
++++ b/iptables/xtables-standalone.c
+@@ -44,9 +44,7 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
+ {
+ 	int ret;
+ 	char *table = "filter";
+-	struct nft_handle h = {
+-		.family = family,
+-	};
++	struct nft_handle h;
+ 
+ 	xtables_globals.program_name = progname;
+ 	ret = xtables_init_all(&xtables_globals, family);
+@@ -61,7 +59,7 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
+ 	init_extensions4();
+ #endif
+ 
+-	if (nft_init(&h, xtables_ipv4) < 0) {
++	if (nft_init(&h, family, xtables_ipv4) < 0) {
+ 		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+ 				xtables_globals.program_name,
+ 				xtables_globals.program_version,
+diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
+index 0f95855b41aa4..76ad7eb69eca9 100644
+--- a/iptables/xtables-translate.c
++++ b/iptables/xtables-translate.c
+@@ -480,7 +480,7 @@ static int xtables_xlate_main_common(struct nft_handle *h,
+ 		return 1;
+ 	}
+ 
+-	if (nft_init(h, tables) < 0) {
++	if (nft_init(h, family, tables) < 0) {
+ 		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+ 				xtables_globals.program_name,
+ 				xtables_globals.program_version,
+diff --git a/iptables/xtables.c b/iptables/xtables.c
+index 8f9dc628d0029..4b24d15c46295 100644
+--- a/iptables/xtables.c
++++ b/iptables/xtables.c
+@@ -571,10 +571,6 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
+ 	   demand-load a protocol. */
+ 	opterr = 0;
+ 
+-	h->ops = nft_family_ops_lookup(h->family);
+-	if (h->ops == NULL)
+-		xtables_error(PARAMETER_PROBLEM, "Unknown family");
+-
+ 	opts = xt_params->orig_opts;
+ 	while ((cs->c = getopt_long(argc, argv,
+ 	   "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46",
+-- 
+2.26.2
+

SOURCES/0015-xtables-monitor-Fix-segfault-when-tracing.patch

@@ -1,43 +0,0 @@
-From 6857a112296dee96966212a88bf671bd76467d95 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Mon, 24 Feb 2020 16:14:16 +0100
-Subject: [PATCH] xtables-monitor: Fix segfault when tracing
-
-This is a minimal fix extracted from upstream commit d0446ab11182f
-("xtables: Review nft_init()") which was deemed too untrusive for late
-inclusion into RHEL8.2.
-
-(cherry picked from commit e6445667fd0f141ca301aeabeee312545dbf014a)
-Signed-off-by: Phil Sutter <psutter@redhat.com>
----
- iptables/xtables-monitor.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
-index a5245d1422af9..737c35f2ac60c 100644
---- a/iptables/xtables-monitor.c
-+++ b/iptables/xtables-monitor.c
-@@ -595,7 +595,9 @@ int xtables_monitor_main(int argc, char *argv[])
- 	struct mnl_socket *nl;
- 	char buf[MNL_SOCKET_BUFFER_SIZE];
- 	uint32_t nfgroup = 0;
--	struct nft_handle h = {};
-+	struct nft_handle h = {
-+		.family = AF_INET,
-+	};
- 	struct cb_arg cb_arg = {
- 		.h = &h,
- 	};
-@@ -622,6 +624,9 @@ int xtables_monitor_main(int argc, char *argv[])
- 			strerror(errno));
- 		exit(EXIT_FAILURE);
- 	}
-+	h.ops = nft_family_ops_lookup(h.family);
-+	if (!h.ops)
-+		xtables_error(PARAMETER_PROBLEM, "Unknown family");
- 
- 	opterr = 0;
- 	while ((c = getopt_long(argc, argv, "ceht46V", options, NULL)) != -1) {
--- 
-2.25.1
-

SOURCES/0018-ebtables-among-Support-mixed-MAC-and-MAC-IP-entries.patch

@@ -0,0 +1,127 @@
+From 654b2e2512630df07e3ea57f8d54e851e75b33f1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 13 Feb 2020 17:49:53 +0100
+Subject: [PATCH] ebtables: among: Support mixed MAC and MAC/IP entries
+
+Powered by Stefano's support for concatenated ranges, a full among match
+replacement can be implemented. The trick is to add MAC-only elements as
+a concatenation of MAC and zero-length prefix, i.e. a range from
+0.0.0.0 till 255.255.255.255.
+
+Although not quite needed, detection of pure MAC-only matches is left in
+place. For those, no implicit 'meta protocol' match is added (which is
+required otherwise at least to keep nft output correct) and no concat
+type is used for the set.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit c33bae9c6c7a49c8af16df846e6112fc4727e643)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ extensions/libebt_among.c |  6 +-----
+ extensions/libebt_among.t |  2 +-
+ iptables/ebtables-nft.8   |  4 ----
+ iptables/nft.c            | 20 +++++++++++++++++++-
+ 4 files changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
+index 715d559f432c2..2b9a1b6566684 100644
+--- a/extensions/libebt_among.c
++++ b/extensions/libebt_among.c
+@@ -63,10 +63,6 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
+ 	char *sep = index(buf, '=');
+ 	struct ether_addr *ether;
+ 
+-	if (have_ip ^ !!sep)
+-		xtables_error(PARAMETER_PROBLEM,
+-			      "among: Mixed MAC and MAC=IP not allowed.");
+-
+ 	if (sep) {
+ 		*sep = '\0';
+ 
+@@ -205,7 +201,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
+ 		isep = ",";
+ 
+ 		printf("%s", ether_ntoa(&pairs[i].ether));
+-		if (have_ip)
++		if (pairs[i].in.s_addr != INADDR_ANY)
+ 			printf("=%s", inet_ntoa(pairs[i].in));
+ 	}
+ 	printf(" ");
+diff --git a/extensions/libebt_among.t b/extensions/libebt_among.t
+index 56b299161ff31..a02206f391cde 100644
+--- a/extensions/libebt_among.t
++++ b/extensions/libebt_among.t
+@@ -13,4 +13,4 @@
+ --among-src;=;FAIL
+ --among-src 00:11=10.0.0.1;=;FAIL
+ --among-src de:ad:0:be:ee:ff=10.256.0.1;=;FAIL
+---among-src de:ad:0:be:ee:ff,c0:ff:ee:0:ba:be=192.168.1.1;=;FAIL
++--among-src c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff;=;OK
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+index a91f0c1aacb0f..1fa5ad9388cc0 100644
+--- a/iptables/ebtables-nft.8
++++ b/iptables/ebtables-nft.8
+@@ -551,10 +551,6 @@ Same as
+ .BR "--among-src-file " "[!] \fIfile\fP"
+ Same as
+ .BR --among-src " but the list is read in from the specified file."
+-.PP
+-Note that in this implementation of ebtables, among lists uses must be
+-internally homogeneous regarding whether IP addresses are present or not. Mixed
+-use of MAC addresses and MAC/IP address pairs is not supported yet.
+ .SS arp
+ Specify (R)ARP fields. The protocol must be specified as
+ .IR ARP " or " RARP .
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 0287add3fb21f..4930b6de534d8 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1029,19 +1029,28 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
+ 	};
+ 	struct nftnl_expr *e;
+ 	struct nftnl_set *s;
++	uint32_t flags = 0;
+ 	int idx = 0;
+ 
+ 	if (ip) {
+ 		type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR;
+ 		len += sizeof(struct in_addr) + NETLINK_ALIGN - 1;
+ 		len &= ~(NETLINK_ALIGN - 1);
++		flags = NFT_SET_INTERVAL;
+ 	}
+ 
+-	s = add_anon_set(h, table, 0, type, len, cnt);
++	s = add_anon_set(h, table, flags, type, len, cnt);
+ 	if (!s)
+ 		return -ENOMEM;
+ 	set_id = nftnl_set_get_u32(s, NFTNL_SET_ID);
+ 
++	if (ip) {
++		uint8_t field_len[2] = { ETH_ALEN, sizeof(struct in_addr) };
++
++		nftnl_set_set_data(s, NFTNL_SET_DESC_CONCAT,
++				   field_len, sizeof(field_len));
++	}
++
+ 	for (idx = 0; idx < cnt; idx++) {
+ 		struct nftnl_set_elem *elem = nftnl_set_elem_alloc();
+ 
+@@ -1049,6 +1058,15 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
+ 			return -ENOMEM;
+ 		nftnl_set_elem_set(elem, NFTNL_SET_ELEM_KEY,
+ 				   &pairs[idx], len);
++		if (ip) {
++			struct in_addr tmp = pairs[idx].in;
++
++			if (tmp.s_addr == INADDR_ANY)
++				pairs[idx].in.s_addr = INADDR_BROADCAST;
++			nftnl_set_elem_set(elem, NFTNL_SET_ELEM_KEY_END,
++					   &pairs[idx], len);
++			pairs[idx].in = tmp;
++		}
+ 		nftnl_set_elem_add(s, elem);
+ 	}
+ 
+-- 
+2.26.2
+

SOURCES/0019-xtables-Align-effect-of-4-6-options-with-legacy.patch

@@ -0,0 +1,157 @@
+From aa221d3a7ffc8e3245d9031173b306431ddfaf9f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 21 Feb 2020 13:18:32 +0100
+Subject: [PATCH] xtables: Align effect of -4/-6 options with legacy
+
+Legacy iptables doesn't accept -4 or -6 if they don't match the
+symlink's native family. The only exception to that is iptables-restore
+which simply ignores the lines introduced by non-matching options, which
+is useful to create combined dump files for feeding into both
+iptables-restore and ip6tables-restore.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 1639b8ba5105542c73e0e1c35e70f245dab89d81)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ .../shell/testcases/iptables/0006-46-args_0   | 88 +++++++++++++++++++
+ iptables/xtables.c                            | 21 ++---
+ 2 files changed, 96 insertions(+), 13 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/iptables/0006-46-args_0
+
+diff --git a/iptables/tests/shell/testcases/iptables/0006-46-args_0 b/iptables/tests/shell/testcases/iptables/0006-46-args_0
+new file mode 100755
+index 0000000000000..17a0a01829df5
+--- /dev/null
++++ b/iptables/tests/shell/testcases/iptables/0006-46-args_0
+@@ -0,0 +1,88 @@
++#!/bin/bash
++
++RC=0
++
++$XT_MULTI iptables -6 -A FORWARD -j ACCEPT
++rc=$?
++if [[ $rc -ne 2 ]]; then
++	echo "'iptables -6' returned $rc instead of 2"
++	RC=1
++fi
++
++$XT_MULTI ip6tables -4 -A FORWARD -j ACCEPT
++rc=$?
++if [[ $rc -ne 2 ]]; then
++	echo "'ip6tables -4' returned $rc instead of 2"
++	RC=1
++fi
++
++RULESET='*filter
++-4 -A FORWARD -d 10.0.0.1 -j ACCEPT
++-6 -A FORWARD -d fec0:10::1 -j ACCEPT
++COMMIT
++'
++EXPECT4='-P FORWARD ACCEPT
++-A FORWARD -d 10.0.0.1/32 -j ACCEPT'
++EXPECT6='-P FORWARD ACCEPT
++-A FORWARD -d fec0:10::1/128 -j ACCEPT'
++EXPECT_EMPTY='-P FORWARD ACCEPT'
++
++echo "$RULESET" | $XT_MULTI iptables-restore || {
++	echo "iptables-restore failed!"
++	RC=1
++}
++diff -u -Z <(echo -e "$EXPECT4") <($XT_MULTI iptables -S FORWARD) || {
++	echo "unexpected iptables ruleset"
++	RC=1
++}
++diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI ip6tables -S FORWARD) || {
++	echo "unexpected non-empty ip6tables ruleset"
++	RC=1
++}
++
++$XT_MULTI iptables -F FORWARD
++
++echo "$RULESET" | $XT_MULTI ip6tables-restore || {
++	echo "ip6tables-restore failed!"
++	RC=1
++}
++diff -u -Z <(echo -e "$EXPECT6") <($XT_MULTI ip6tables -S FORWARD) || {
++	echo "unexpected ip6tables ruleset"
++	RC=1
++}
++diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI iptables -S FORWARD) || {
++	echo "unexpected non-empty iptables ruleset"
++	RC=1
++}
++
++$XT_MULTI ip6tables -F FORWARD
++
++$XT_MULTI iptables -4 -A FORWARD -d 10.0.0.1 -j ACCEPT || {
++	echo "iptables failed!"
++	RC=1
++}
++diff -u -Z <(echo -e "$EXPECT4") <($XT_MULTI iptables -S FORWARD) || {
++	echo "unexpected iptables ruleset"
++	RC=1
++}
++diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI ip6tables -S FORWARD) || {
++	echo "unexpected non-empty ip6tables ruleset"
++	RC=1
++}
++
++$XT_MULTI iptables -F FORWARD
++
++$XT_MULTI ip6tables -6 -A FORWARD -d fec0:10::1 -j ACCEPT || {
++	echo "ip6tables failed!"
++	RC=1
++}
++diff -u -Z <(echo -e "$EXPECT6") <($XT_MULTI ip6tables -S FORWARD) || {
++	echo "unexpected ip6tables ruleset"
++	RC=1
++}
++diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI iptables -S FORWARD) || {
++	echo "unexpected non-empty iptables ruleset"
++	RC=1
++}
++
++exit $RC
+diff --git a/iptables/xtables.c b/iptables/xtables.c
+index 4b24d15c46295..8c2d21d42b7d2 100644
+--- a/iptables/xtables.c
++++ b/iptables/xtables.c
+@@ -913,27 +913,22 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
+ 			break;
+ 
+ 		case '4':
++			if (args->family == AF_INET)
++				break;
++
+ 			if (p->restore && args->family == AF_INET6)
+ 				return;
+ 
+-			if (args->family != AF_INET)
+-				exit_tryhelp(2);
+-
+-			h->ops = nft_family_ops_lookup(args->family);
+-			break;
++			exit_tryhelp(2);
+ 
+ 		case '6':
++			if (args->family == AF_INET6)
++				break;
++
+ 			if (p->restore && args->family == AF_INET)
+ 				return;
+ 
+-			args->family = AF_INET6;
+-			xtables_set_nfproto(AF_INET6);
+-
+-			h->ops = nft_family_ops_lookup(args->family);
+-			if (h->ops == NULL)
+-				xtables_error(PARAMETER_PROBLEM,
+-					      "Unknown family");
+-			break;
++			exit_tryhelp(2);
+ 
+ 		case 1: /* non option */
+ 			if (optarg[0] == '!' && optarg[1] == '\0') {
+-- 
+2.26.2
+

SOURCES/0020-xtables-Drop-4-and-6-support-from-xtables-save-resto.patch

@@ -0,0 +1,81 @@
+From ea9d40744307d7c49808d8fabfc904d525081055 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 21 Feb 2020 13:29:05 +0100
+Subject: [PATCH] xtables: Drop -4 and -6 support from xtables-{save,restore}
+
+Legacy tools don't support those options, either.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 0f40a8bc49d3f7b815336199931a82f919f37c4e)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/xtables-restore.c |  9 +--------
+ iptables/xtables-save.c    | 11 +----------
+ 2 files changed, 2 insertions(+), 18 deletions(-)
+
+diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
+index 11834c0ea98c5..c472ac9bf651b 100644
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -379,7 +379,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
+ 		exit(1);
+ 	}
+ 
+-	while ((c = getopt_long(argc, argv, "bcvVthnM:T:46wW", options, NULL)) != -1) {
++	while ((c = getopt_long(argc, argv, "bcvVthnM:T:wW", options, NULL)) != -1) {
+ 		switch (c) {
+ 			case 'b':
+ 				fprintf(stderr, "-b/--binary option is not implemented\n");
+@@ -408,13 +408,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
+ 			case 'T':
+ 				p.tablename = optarg;
+ 				break;
+-			case '4':
+-				h.family = AF_INET;
+-				break;
+-			case '6':
+-				h.family = AF_INET6;
+-				xtables_set_nfproto(AF_INET6);
+-				break;
+ 			case 'w': /* fallthrough.  Ignored by xt-restore */
+ 			case 'W':
+ 				if (!optarg && xs_has_arg(argc, argv))
+diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
+index 228282deaed07..28f7490275ce5 100644
+--- a/iptables/xtables-save.c
++++ b/iptables/xtables-save.c
+@@ -32,7 +32,7 @@
+ #define prog_name xtables_globals.program_name
+ #define prog_vers xtables_globals.program_version
+ 
+-static const char *ipt_save_optstring = "bcdt:M:f:46V";
++static const char *ipt_save_optstring = "bcdt:M:f:V";
+ static const struct option ipt_save_options[] = {
+ 	{.name = "counters", .has_arg = false, .val = 'c'},
+ 	{.name = "version",  .has_arg = false, .val = 'V'},
+@@ -40,8 +40,6 @@ static const struct option ipt_save_options[] = {
+ 	{.name = "table",    .has_arg = true,  .val = 't'},
+ 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
+ 	{.name = "file",     .has_arg = true,  .val = 'f'},
+-	{.name = "ipv4",     .has_arg = false, .val = '4'},
+-	{.name = "ipv6",     .has_arg = false, .val = '6'},
+ 	{NULL},
+ };
+ 
+@@ -187,13 +185,6 @@ xtables_save_main(int family, int argc, char *argv[],
+ 		case 'd':
+ 			dump = true;
+ 			break;
+-		case '4':
+-			h.family = AF_INET;
+-			break;
+-		case '6':
+-			h.family = AF_INET6;
+-			xtables_set_nfproto(AF_INET6);
+-			break;
+ 		case 'V':
+ 			printf("%s v%s (nf_tables)\n", prog_name, prog_vers);
+ 			exit(0);
+-- 
+2.26.2
+

SOURCES/0021-nfnl_osf-Fix-broken-conversion-to-nfnl_query.patch

@@ -0,0 +1,42 @@
+From b29b3a215b9cbec20ea633e6a861accfc48b59bb Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Sat, 9 May 2020 13:36:49 +0200
+Subject: [PATCH] nfnl_osf: Fix broken conversion to nfnl_query()
+
+Due to missing NLM_F_ACK flag in request, nfnetlink code in kernel
+didn't create an own ACK message but left it upon subsystem to ACK or
+not. Since nfnetlink_osf doesn't ACK by itself, nfnl_query() got stuck
+waiting for a reply.
+
+Whoever did the conversion from deprecated nfnl_talk() obviously didn't
+even test basic functionality of the tool.
+
+Fixes: 52aa15098ebd6 ("nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit c8332553caf48132403895bae750b3cd09a2efd8)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ utils/nfnl_osf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
+index 15d531975e11d..922d90ac135b7 100644
+--- a/utils/nfnl_osf.c
++++ b/utils/nfnl_osf.c
+@@ -378,9 +378,11 @@ static int osf_load_line(char *buffer, int len, int del)
+ 	memset(buf, 0, sizeof(buf));
+ 
+ 	if (del)
+-		nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE, NLM_F_REQUEST);
++		nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE,
++			      NLM_F_ACK | NLM_F_REQUEST);
+ 	else
+-		nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD, NLM_F_REQUEST | NLM_F_CREATE);
++		nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD,
++			      NLM_F_ACK | NLM_F_REQUEST | NLM_F_CREATE);
+ 
+ 	nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger));
+ 
+-- 
+2.26.2
+

SOURCES/0022-nfnl_osf-Improve-error-handling.patch

@@ -0,0 +1,80 @@
+From acc1fb93b3674f81c9d1daa0e4e855410d2568b0 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Sat, 9 May 2020 13:42:56 +0200
+Subject: [PATCH] nfnl_osf: Improve error handling
+
+For some error cases, no log message was created - hence apart from the
+return code there was no indication of failing execution.
+
+If a line load fails, don't abort but continue with the remaining
+file contents. The current pf.os file in this repository serves as
+proof-of-concept:
+
+Lines 700 and 701: Duplicates of lines 698 and 699 because 'W*' and 'W0'
+parse into the same data.
+
+Line 704: Duplicate of line 702 because apart from 'W*' and 'W0', only
+the first three fields on right-hand side are sent to the kernel.
+
+When loading, these dups are ignored (they would bounce if NLM_F_EXCL
+was given). Upon deletion, they cause ENOENT response from kernel. In
+order to align duplicate-tolerance in both modes, just ignore that
+ENOENT.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 3e09bd1888575cfec136574d2b0e810ba33f1cfb)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ utils/nfnl_osf.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
+index 922d90ac135b7..8008e83d8af4b 100644
+--- a/utils/nfnl_osf.c
++++ b/utils/nfnl_osf.c
+@@ -392,7 +392,7 @@ static int osf_load_line(char *buffer, int len, int del)
+ static int osf_load_entries(char *path, int del)
+ {
+ 	FILE *inf;
+-	int err = 0;
++	int err = 0, lineno = 0;
+ 	char buf[1024];
+ 
+ 	inf = fopen(path, "r");
+@@ -402,7 +402,9 @@ static int osf_load_entries(char *path, int del)
+ 	}
+ 
+ 	while(fgets(buf, sizeof(buf), inf)) {
+-		int len;
++		int len, rc;
++
++		lineno++;
+ 
+ 		if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r')
+ 			continue;
+@@ -414,9 +416,11 @@ static int osf_load_entries(char *path, int del)
+ 
+ 		buf[len] = '\0';
+ 
+-		err = osf_load_line(buf, len, del);
+-		if (err)
+-			break;
++		rc = osf_load_line(buf, len, del);
++		if (rc && (!del || errno != ENOENT)) {
++			ulog_err("Failed to load line %d", lineno);
++			err = rc;
++		}
+ 
+ 		memset(buf, 0, sizeof(buf));
+ 	}
+@@ -448,6 +452,7 @@ int main(int argc, char *argv[])
+ 
+ 	if (!fingerprints) {
+ 		err = -ENOENT;
++		ulog("Missing fingerprints file argument.\n");
+ 		goto err_out_exit;
+ 	}
+ 
+-- 
+2.26.2
+

SOURCES/0023-nft-cache-Reset-genid-when-rebuilding-cache.patch

@@ -1,4 +1,4 @@
-From f2f7731420d56e7164d352d62184408d9570bef1 Mon Sep 17 00:00:00 2001
+From 3b98024d952d265d50078c5b7ad04c9c65373733 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 29 May 2020 19:33:22 +0200
 Subject: [PATCH] nft: cache: Reset genid when rebuilding cache
@@ -33,5 +33,5 @@ index 07265b7795e4f..bc6e7f7eaebfb 100644
  	__nft_build_cache(h, level, NULL, NULL, NULL);
  }
 -- 
-2.27.0
+2.26.2
 

SOURCES/0024-nft-Fix-for-F-in-iptables-dumps.patch

@@ -0,0 +1,81 @@
+From 8ae56bbaa4119bdcf1d6abc8b78f21490657983c Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 24 Apr 2020 11:32:08 +0200
+Subject: [PATCH] nft: Fix for '-F' in iptables dumps
+
+When restoring a dump which contains an explicit flush command,
+previously added rules are removed from cache and the following commit
+will try to create netlink messages based on freed memory.
+
+Fix this by weeding any rule-based commands from obj_list if they
+address the same chain.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 5bd3ab5c778033877d44a0c619ef6f98f34516af)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/nft.c | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 4930b6de534d8..e95e99f1d8d71 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -411,6 +411,38 @@ batch_rule_add(struct nft_handle *h, enum obj_update_type type,
+ 	return batch_add(h, type, r);
+ }
+ 
++static void batch_obj_del(struct nft_handle *h, struct obj_update *o);
++
++static void batch_chain_flush(struct nft_handle *h,
++			      const char *table, const char *chain)
++{
++	struct obj_update *obj, *tmp;
++
++	list_for_each_entry_safe(obj, tmp, &h->obj_list, head) {
++		struct nftnl_rule *r = obj->ptr;
++
++		switch (obj->type) {
++		case NFT_COMPAT_RULE_APPEND:
++		case NFT_COMPAT_RULE_INSERT:
++		case NFT_COMPAT_RULE_REPLACE:
++		case NFT_COMPAT_RULE_DELETE:
++			break;
++		default:
++			continue;
++		}
++
++		if (table &&
++		    strcmp(table, nftnl_rule_get_str(r, NFTNL_RULE_TABLE)))
++			continue;
++
++		if (chain &&
++		    strcmp(chain, nftnl_rule_get_str(r, NFTNL_RULE_CHAIN)))
++			continue;
++
++		batch_obj_del(h, obj);
++	}
++}
++
+ const struct builtin_table xtables_ipv4[NFT_TABLE_MAX] = {
+ 	[NFT_TABLE_RAW] = {
+ 		.name	= "raw",
+@@ -1671,6 +1703,7 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
+ 	}
+ 
+ 	if (chain || !verbose) {
++		batch_chain_flush(h, table, chain);
+ 		__nft_rule_flush(h, table, chain, verbose, false);
+ 		flush_rule_cache(h, table, c);
+ 		return 1;
+@@ -1686,6 +1719,7 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
+ 	while (c != NULL) {
+ 		chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
+ 
++		batch_chain_flush(h, table, chain);
+ 		__nft_rule_flush(h, table, chain, verbose, false);
+ 		flush_rule_cache(h, table, c);
+ 		c = nftnl_chain_list_iter_next(iter);
+-- 
+2.27.0
+

SOURCES/0025-tests-shell-Test-F-in-dump-files.patch

@@ -0,0 +1,37 @@
+From dd98af599516806e2eb3e1186d0ad52ce7c6b4b5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 21 Apr 2020 14:10:53 +0200
+Subject: [PATCH] tests: shell: Test -F in dump files
+
+While not really useful, iptables-nft-restore shouldn't segfault either.
+This tests the problem described in nfbz#1407.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit f2ace0cdf25a5911ac84015829d65d6050a5e82d)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ .../tests/shell/testcases/ipt-restore/0012-dash-F_0  | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0
+
+diff --git a/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0 b/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0
+new file mode 100755
+index 0000000000000..fd82afa1bc8ce
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0
+@@ -0,0 +1,12 @@
++#!/bin/bash -e
++
++# make sure -F lines don't cause segfaults
++
++RULESET='*nat
++-F PREROUTING
++-A PREROUTING -j ACCEPT
++-F PREROUTING
++COMMIT'
++
++echo -e "$RULESET" | $XT_MULTI iptables-restore
++echo -e "$RULESET" | $XT_MULTI iptables-restore -n
+-- 
+2.27.0
+

SOURCES/iptables.init

@@ -134,7 +134,7 @@ load_sysctl() {
         echo -n $"Loading sysctl settings: "
         ret=0
         for item in $IPTABLES_SYSCTL_LOAD_LIST; do
-            fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
+            fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
             let ret+=$?;
         done
         [ $ret -eq 0 ] && success || failure

SOURCES/iptables.service

@@ -1,7 +1,8 @@
 [Unit]
 Description=IPv4 firewall with iptables
-After=syslog.target
 AssertPathExists=/etc/sysconfig/iptables
+Before=network-pre.target
+Wants=network-pre.target
 
 [Service]
 Type=oneshot
@@ -15,4 +16,4 @@ StandardOutput=syslog
 StandardError=syslog
 
 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target

SPECS/iptables.spec

@@ -17,7 +17,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.4
-Release: 10%{?dist}.1
+Release: 15%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -34,24 +34,31 @@ Source11: %{url}/files/%{name}-%{version_old}.tar.bz2
 Source12: 0003-extensions-format-security-fixes-in-libip-6-t_icmp.patch
 %endif
 
-Patch1: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
-Patch2: 0002-xtables-restore-Fix-parser-feed-from-line-buffer.patch
-Patch3: 0003-xtables-restore-Avoid-access-of-uninitialized-data.patch
-Patch4: 0004-extensions-time-Avoid-undefined-shift.patch
-Patch5: 0005-extensions-cluster-Avoid-undefined-shift.patch
-Patch6: 0006-libxtables-Avoid-buffer-overrun-in-xtables_compatibl.patch
-Patch7: 0007-xtables-translate-Guard-strcpy-call-in-xlate_ifname.patch
-Patch8: 0008-extensions-among-Check-call-to-fstat.patch
-Patch9: 0009-uapi-netfilter-Avoid-undefined-left-shift-in-xt_sctp.patch
+Patch01: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
+Patch02: 0002-xtables-restore-Fix-parser-feed-from-line-buffer.patch
+Patch03: 0003-xtables-restore-Avoid-access-of-uninitialized-data.patch
+Patch04: 0004-extensions-time-Avoid-undefined-shift.patch
+Patch05: 0005-extensions-cluster-Avoid-undefined-shift.patch
+Patch06: 0006-libxtables-Avoid-buffer-overrun-in-xtables_compatibl.patch
+Patch07: 0007-xtables-translate-Guard-strcpy-call-in-xlate_ifname.patch
+Patch08: 0008-extensions-among-Check-call-to-fstat.patch
+Patch09: 0009-uapi-netfilter-Avoid-undefined-left-shift-in-xt_sctp.patch
 Patch10: 0010-xtables-translate-Fix-for-interface-name-corner-case.patch
 Patch11: 0011-xtables-translate-Fix-for-iface.patch
 Patch12: 0012-tests-shell-Fix-skip-checks-with-host-mode.patch
 Patch13: 0013-xtables-restore-fix-for-noflush-and-empty-lines.patch
 Patch14: 0014-iptables-test.py-Fix-host-mode.patch
-Patch15: 0015-xtables-monitor-Fix-segfault-when-tracing.patch
+Patch15: 0015-xtables-Review-nft_init.patch
 Patch16: 0016-nft-cache-Fix-nft_release_cache-under-stress.patch
 Patch17: 0017-nft-cache-Fix-iptables-save-segfault-under-stress.patch
-Patch18: 0018-nft-cache-Reset-genid-when-rebuilding-cache.patch
+Patch18: 0018-ebtables-among-Support-mixed-MAC-and-MAC-IP-entries.patch
+Patch19: 0019-xtables-Align-effect-of-4-6-options-with-legacy.patch
+Patch20: 0020-xtables-Drop-4-and-6-support-from-xtables-save-resto.patch
+Patch21: 0021-nfnl_osf-Fix-broken-conversion-to-nfnl_query.patch
+Patch22: 0022-nfnl_osf-Improve-error-handling.patch
+Patch23: 0023-nft-cache-Reset-genid-when-rebuilding-cache.patch
+Patch24: 0024-nft-Fix-for-F-in-iptables-dumps.patch
+Patch25: 0025-tests-shell-Test-F-in-dump-files.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -460,8 +467,25 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 
 %changelog
-* Tue Jun 09 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-10.1
-- Fix for hanging iptables-restore --test
+* Sat Aug 15 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-15
+- Ignore sysctl files not suffixed '.conf'
+
+* Wed Jun 24 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-14
+- nft: Fix for '-F' in iptables dumps
+- tests: shell: Test -F in dump files
+
+* Fri May 29 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-13
+- Fix for endless loop in iptables-restore --test
+
+* Tue May 26 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-12
+- Unbreak nfnl_osf tool
+
+* Tue May 19 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-11
+- Complete ebtables-nft among match support
+- Replace RHEL-only xtables-monitor fix with upstream solution
+- xtables: Align effect of -4/-6 options with legacy
+- xtables: Drop -4 and -6 support from xtables-{save,restore}
+- Review systemd unit files
 
 * Tue Mar 17 2020 Phil Sutter <psutter@redhat.com> - 1.8.4-10
 - Fix for iptables-restore segfault under pressure