From f28ec82e9d1d1f843ed7189af59e5ae39ce31eec Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 14 Nov 2024 16:46:36 +0100
Subject: [PATCH] iptables-1.8.11-5.el10

* Thu Nov 14 2024 Phil Sutter [1.8.11-5.el10]
- ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]

Resolves: RHEL-66725
---
 ...slate-fix-test-failures-when-WESP-is.patch | 80 ++++++++++++++++
 iptables-test.stderr.expect | 93 ++++++++++++-------
 iptables.spec | 6 +-
 3 files changed, 142 insertions(+), 37 deletions(-)
 create mode 100644 0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch

diff --git a/0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch b/0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
new file mode 100644
index 0000000..e1ac821
--- /dev/null
+++ b/0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
@@ -0,0 +1,80 @@
+From 03e2d9b5adfb99735336a032f03a7ea331aa3fa7 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 14 Nov 2024 16:21:04 +0100
+Subject: [PATCH] ip[6]tables-translate: fix test failures when WESP is defined
+
+JIRA: https://issues.redhat.com/browse/RHEL-66725
+Upstream Status: iptables commit e6e232d0ae252b0b86278455b18d9475b95db8f0
+
+commit e6e232d0ae252b0b86278455b18d9475b95db8f0
+Author: Jeremy Sowden
+Date: Fri Nov 8 17:34:43 2024 +0000
+
+ ip[6]tables-translate: fix test failures when WESP is defined
+
+ Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating Security Payload. This is listed in Debian's /etc/protocols, which leads to test failures:
+
+ ./extensions/generic.txlate: Fail
+ src: iptables-translate -A FORWARD -p 141
+ exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
+ res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
+
+ ./extensions/generic.txlate: Fail
+ src: ip6tables-translate -A FORWARD -p 141
+ exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+ res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
+
+ ./extensions/generic.txlate: Fail
+ src: iptables-translate -A FORWARD ! -p 141
+ exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+ res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
+
+ ./extensions/generic.txlate: Fail
+ src: ip6tables-translate -A FORWARD ! -p 141
+ exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+ res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
+
+ Replace it with 253, which IANA reserves for testing and experimentation.
+
+ Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
+ Signed-off-by: Jeremy Sowden
+ Reviewed-by: Pablo Neira Ayuso
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ extensions/generic.txlate | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/extensions/generic.txlate b/extensions/generic.txlate
+index 9ad1266..64bc59a 100644
+--- a/extensions/generic.txlate
++++ b/extensions/generic.txlate
+@@ -76,17 +76,17 @@ nft 'add rule ip filter FORWARD ip protocol != sctp counter'
+ ip6tables-translate -A FORWARD ! -p 132
+ nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
+ 
+-iptables-translate -A FORWARD -p 141
+-nft 'add rule ip filter FORWARD ip protocol 141 counter'
++iptables-translate -A FORWARD -p 253
++nft 'add rule ip filter FORWARD ip protocol 253 counter'
+ 
+-ip6tables-translate -A FORWARD -p 141
+-nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
++ip6tables-translate -A FORWARD -p 253
++nft 'add rule ip6 filter FORWARD meta l4proto 253 counter'
+ 
+-iptables-translate -A FORWARD ! -p 141
+-nft 'add rule ip filter FORWARD ip protocol != 141 counter'
++iptables-translate -A FORWARD ! -p 253
++nft 'add rule ip filter FORWARD ip protocol != 253 counter'
+ 
+-ip6tables-translate -A FORWARD ! -p 141
+-nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
++ip6tables-translate -A FORWARD ! -p 253
++nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter'
+ 
+ iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
+ nft 'add rule ip filter FORWARD tcp dport 22 counter'
diff --git a/iptables-test.stderr.expect b/iptables-test.stderr.expect
index 150056e..67b8f94 100644
--- a/iptables-test.stderr.expect
+++ b/iptables-test.stderr.expect
@@ -1,36 +1,57 @@
-extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
-extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
-extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
-extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
-extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
-extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
-extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
-extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
-extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
-extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
-extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
-extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
-extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
-extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
-extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
-extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
-extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
-extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
-extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
-extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
-extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
-extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
-extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
-extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
-extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
-extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
-extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
-extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
-extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
-extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: iptables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460)
-extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
-extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
-extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
-extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
-extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
-extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
+./extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
+./extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
+./extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
+./extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
+./extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
+./extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
+./extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
+./extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
+./extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
+./extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
+./extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
+./extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
+./extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
+./extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
+./extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
+./extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
+./extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
+./extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
+./extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
+./extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
+./extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
+./extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
+./extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
+./extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
+./extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
+./extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
+./extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
+./extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
+./extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
+./extensions/libxt_LED.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -j LED --led-trigger-id "foo")
+./extensions/libxt_LED.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
+./extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: iptables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460)
+./extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460)
+./extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
+./extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
+./extensions/libxt_ipcomp.t: ERROR: line 4 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi :)
+./extensions/libxt_ipcomp.t: ERROR: line 5 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi :)
+./extensions/libxt_ipcomp.t: ERROR: line 6 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi :4)
+./extensions/libxt_ipcomp.t: ERROR: line 7 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:)
+./extensions/libxt_ipcomp.t: ERROR: line 8 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 3:4)
+./extensions/libxt_ipcomp.t: ERROR: line 9 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:4)
+./extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
+./extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
+./extensions/libxt_ipcomp.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi :)
+./extensions/libxt_ipcomp.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi :)
+./extensions/libxt_ipcomp.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi :4)
+./extensions/libxt_ipcomp.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:)
+./extensions/libxt_ipcomp.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 3:4)
+./extensions/libxt_ipcomp.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:4)
+./extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
+./extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
+./extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
+./extensions/libxt_time.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
+./extensions/libxt_time.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
+./extensions/libxt_time.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
+./extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
+./extensions/libxt_u32.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
diff --git a/iptables.spec b/iptables.spec
index c30094d..ed7db17 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.11
-Release: 4%{?dist}
+Release: 5%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
@@ -32,6 +32,7 @@ Source11: iptables-test.stderr.expect
 Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
 Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+Patch3: 0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -505,6 +506,9 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 %changelog
+* Thu Nov 14 2024 Phil Sutter [1.8.11-5.el10]
+- ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]
+
 * Wed Nov 13 2024 Phil Sutter [1.8.11-4.el10]
 - Fix for RPM build warnings '--with legacy' (Phil Sutter) [RHEL-67473]
 - spec: Use bcond macro (Phil Sutter) [RHEL-67473]
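Review bot: The iptables-test.stderr.expect hunk widens the list of tolerated test failures well beyond what the commit message and spec changelog describe — it adds ip6tables counterparts for the LED, SYNPROXY, ipcomp, time and u32 cases, the ipcomp `--ipcompspi` range cases on lines 4–9 of libxt_ipcomp.t, and a `./extensions/` path prefix on every entry — while the changelog mentions only the generic.txlate fix. Because the spec ships this file as Source11 and it presumably defines the stderr the test run is allowed to produce, every entry it gains is a load failure the build will stop reporting, so the reason for the additions (presumably a build-environment limitation or a testsuite change that now exercises both families, rather than a regression) belongs in the changelog entry. A line such as `- iptables-test.stderr.expect: add ip6tables and ipcomp SPI-range cases, prefix paths with ./` beside the existing RHEL-66725 bullet would make the expectation change reviewable on its own. The blanket path-prefix change also suggests the file is compared verbatim against the runner's output, so any later change in how the testsuite prints paths will need the same treatment.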