iptables-1.8.11-5.el10
* Thu Nov 14 2024 Phil Sutter <psutter@redhat.com> [1.8.11-5.el10]
- ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]

Resolves: RHEL-66725
parent 04f3de2395
commit f28ec82e9d
@ -0,0 +1,80 @@
From 03e2d9b5adfb99735336a032f03a7ea331aa3fa7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 14 Nov 2024 16:21:04 +0100
Subject: [PATCH] ip[6]tables-translate: fix test failures when WESP is defined
JIRA: https://issues.redhat.com/browse/RHEL-66725
Upstream Status: iptables commit e6e232d0ae252b0b86278455b18d9475b95db8f0
commit e6e232d0ae252b0b86278455b18d9475b95db8f0
Author: Jeremy Sowden <jeremy@azazel.net>
Date: Fri Nov 8 17:34:43 2024 +0000
ip[6]tables-translate: fix test failures when WESP is defined
Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
Security Payload. This is listed in Debian's /etc/protocols, which leads to
test failures:
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD -p 141
exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
Replace it with 253, which IANA reserves for testing and experimentation.
Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/generic.txlate | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 9ad1266..64bc59a 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -76,17 +76,17 @@ nft 'add rule ip filter FORWARD ip protocol != sctp counter'
ip6tables-translate -A FORWARD ! -p 132
nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
-iptables-translate -A FORWARD -p 141
-nft 'add rule ip filter FORWARD ip protocol 141 counter'
+iptables-translate -A FORWARD -p 253
+nft 'add rule ip filter FORWARD ip protocol 253 counter'
-ip6tables-translate -A FORWARD -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+ip6tables-translate -A FORWARD -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto 253 counter'
-iptables-translate -A FORWARD ! -p 141
-nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+iptables-translate -A FORWARD ! -p 253
+nft 'add rule ip filter FORWARD ip protocol != 253 counter'
-ip6tables-translate -A FORWARD ! -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+ip6tables-translate -A FORWARD ! -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter'
iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
nft 'add rule ip filter FORWARD tcp dport 22 counter'
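Review bot: The four `-p 253` cases in extensions/generic.txlate still pass only while the build host's /etc/protocols has no name for 253, since the `res:` lines in the message show the translator printing a stored name (`wesp`) whenever one exists. The message gives the reason for the choice (IANA reserves 253 for testing and experimentation), but the test file does not. If the .txlate format allows comments, a one-line note above these cases would stop a later edit from picking a number that some distribution names. The backport header already carries the JIRA link and the upstream commit id.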
@ -1,36 +1,57 @@
extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: iptables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460)
extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
./extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
./extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
./extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
./extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
./extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
./extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
./extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
./extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
./extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
./extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
./extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
./extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
./extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
./extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
./extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
./extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
./extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
./extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
./extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
./extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
./extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
./extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
./extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
./extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
./extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
./extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
./extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
./extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
./extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
./extensions/libxt_LED.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -j LED --led-trigger-id "foo")
./extensions/libxt_LED.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
./extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: iptables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460)
./extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460)
./extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
./extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
./extensions/libxt_ipcomp.t: ERROR: line 4 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi :)
./extensions/libxt_ipcomp.t: ERROR: line 5 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi :)
./extensions/libxt_ipcomp.t: ERROR: line 6 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi :4)
./extensions/libxt_ipcomp.t: ERROR: line 7 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:)
./extensions/libxt_ipcomp.t: ERROR: line 8 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 3:4)
./extensions/libxt_ipcomp.t: ERROR: line 9 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:4)
./extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
./extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
./extensions/libxt_ipcomp.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi :)
./extensions/libxt_ipcomp.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi :)
./extensions/libxt_ipcomp.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi :4)
./extensions/libxt_ipcomp.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:)
./extensions/libxt_ipcomp.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 3:4)
./extensions/libxt_ipcomp.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:4)
./extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
./extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
./extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
./extensions/libxt_time.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
./extensions/libxt_time.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
./extensions/libxt_time.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
./extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
./extensions/libxt_u32.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
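Review bot: The expected-error list grows from 36 to 57 entries (per the `-1,36 +1,57` header), every path gains a leading `./`, and ip6tables variants appear for LED, SYNPROXY, ipcomp, time and u32 along with ipcomp lines 4 to 9, yet neither the commit subject nor the changelog entry for 1.8.11-5 mentions this file. Please state in the commit message what changed in the test run to produce the new output. Since the only difference on the srh lines is the `./` prefix, it would also help to normalise that prefix before comparing, so the expectation does not depend on how the test script is invoked.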
@ -16,7 +16,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables
Version: 1.8.11
Release: 4%{?dist}
Release: 5%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.xz
Source1: iptables.init
Source2: iptables-config
@ -32,6 +32,7 @@ Source11: iptables-test.stderr.expect
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
Patch3: 0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
# pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
@ -505,6 +506,9 @@ fi
%ghost %{_mandir}/man8/ebtables.8.gz
%changelog
* Thu Nov 14 2024 Phil Sutter <psutter@redhat.com> [1.8.11-5.el10]
- ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]
* Wed Nov 13 2024 Phil Sutter <psutter@redhat.com> [1.8.11-4.el10]
- Fix for RPM build warnings '--with legacy' (Phil Sutter) [RHEL-67473]
- spec: Use bcond macro (Phil Sutter) [RHEL-67473]