iptables-1.8.11-5.el10

* Thu Nov 14 2024 Phil Sutter <psutter@redhat.com> [1.8.11-5.el10]
- ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]
Resolves: RHEL-66725
This commit is contained in:
Phil Sutter 2024-11-14 16:46:36 +01:00
parent 04f3de2395
commit f28ec82e9d
3 changed files with 142 additions and 37 deletions

@ -0,0 +1,80 @@
From 03e2d9b5adfb99735336a032f03a7ea331aa3fa7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 14 Nov 2024 16:21:04 +0100
Subject: [PATCH] ip[6]tables-translate: fix test failures when WESP is defined
JIRA: https://issues.redhat.com/browse/RHEL-66725
Upstream Status: iptables commit e6e232d0ae252b0b86278455b18d9475b95db8f0
commit e6e232d0ae252b0b86278455b18d9475b95db8f0
Author: Jeremy Sowden <jeremy@azazel.net>
Date: Fri Nov 8 17:34:43 2024 +0000
ip[6]tables-translate: fix test failures when WESP is defined
Protocol number 141 is assigned to a real protocol: Wrapped Encapsulating
Security Payload. This is listed in Debian's /etc/protocols, which leads to
test failures:
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD -p 141
exp: nft 'add rule ip filter FORWARD ip protocol 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol wesp counter'
./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto wesp counter'
./extensions/generic.txlate: Fail
src: iptables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip filter FORWARD ip protocol != 141 counter'
res: nft 'add rule ip filter FORWARD ip protocol != wesp counter'
./extensions/generic.txlate: Fail
src: ip6tables-translate -A FORWARD ! -p 141
exp: nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
res: nft 'add rule ip6 filter FORWARD meta l4proto != wesp counter'
Replace it with 253, which IANA reserves for testing and experimentation.
Fixes: fcaa99ca9e3c ("xtables-translate: Leverage stored protocol names")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/generic.txlate | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 9ad1266..64bc59a 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -76,17 +76,17 @@ nft 'add rule ip filter FORWARD ip protocol != sctp counter'
ip6tables-translate -A FORWARD ! -p 132
nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
-iptables-translate -A FORWARD -p 141
-nft 'add rule ip filter FORWARD ip protocol 141 counter'
+iptables-translate -A FORWARD -p 253
+nft 'add rule ip filter FORWARD ip protocol 253 counter'
-ip6tables-translate -A FORWARD -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+ip6tables-translate -A FORWARD -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto 253 counter'
-iptables-translate -A FORWARD ! -p 141
-nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+iptables-translate -A FORWARD ! -p 253
+nft 'add rule ip filter FORWARD ip protocol != 253 counter'
-ip6tables-translate -A FORWARD ! -p 141
-nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+ip6tables-translate -A FORWARD ! -p 253
+nft 'add rule ip6 filter FORWARD meta l4proto != 253 counter'
iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
nft 'add rule ip filter FORWARD tcp dport 22 counter'
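Review bot: changing the test inputs rather than the translator is the right fix here, and the hunk should say so more explicitly: the `wesp` output in the failing cases is not a translation bug but the name lookup that the Fixes: commit ("Leverage stored protocol names") introduced doing its job once /etc/protocols maps 141 to a name, so the broken assumption was the test's, not the code's. Protocol 253 is reserved by IANA for experimentation (RFC 3692) and will not acquire an /etc/protocols entry, which keeps the numeric expectations stable across distributions. Note that these four cases now only exercise the numeric fallback; the named path is still covered by the unchanged `-p 132` / `sctp` cases in the surrounding context, so both branches remain tested.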

@ -1,36 +1,57 @@
extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17) ./extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8) ./extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8) ./extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8) ./extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1) ./extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1) ./extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1) ./extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4) ./extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4) ./extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4) ./extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0) ./extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17) ./extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8) ./extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8) ./extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8) ./extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1) ./extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1) ./extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1) ./extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4) ./extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4) ./extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4) ./extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0) ./extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0) ./extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0) ./extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0) ./extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0) ./extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh) ./extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo") ./extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink) ./extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: iptables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460) ./extensions/libxt_LED.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -j LED --led-trigger-id "foo")
extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP) ./extensions/libxt_LED.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT) ./extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: iptables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460)
extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz) ./extensions/libxt_SYNPROXY.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -p tcp -m tcp --dport 42 -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 9 --mss 1460)
extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05) ./extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00) ./extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1") ./extensions/libxt_ipcomp.t: ERROR: line 4 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi :)
./extensions/libxt_ipcomp.t: ERROR: line 5 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi :)
./extensions/libxt_ipcomp.t: ERROR: line 6 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi :4)
./extensions/libxt_ipcomp.t: ERROR: line 7 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:)
./extensions/libxt_ipcomp.t: ERROR: line 8 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 3:4)
./extensions/libxt_ipcomp.t: ERROR: line 9 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:4)
./extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
./extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
./extensions/libxt_ipcomp.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi :)
./extensions/libxt_ipcomp.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi :)
./extensions/libxt_ipcomp.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi :4)
./extensions/libxt_ipcomp.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:)
./extensions/libxt_ipcomp.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 3:4)
./extensions/libxt_ipcomp.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -p ipcomp -m ipcomp --ipcompspi 4:4)
./extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
./extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
./extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
./extensions/libxt_time.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
./extensions/libxt_time.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
./extensions/libxt_time.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
./extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
./extensions/libxt_u32.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
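Review bot: this hunk replaces iptables-test.stderr.expect wholesale (the commit summary's 142 additions and 37 deletions only add up as 80 + 57 + 5 and 36 + 1, i.e. 36 lines out and 57 in), so the real delta is hard to review from the diff. Reading the two columns, the new entries are the ip6tables counterparts of the existing LED, SYNPROXY, ipcomp, time and u32 cases plus the ipcomp SPI range cases (`--ipcompspi :`, `:4`, `4:`, `3:4`, `4:4`). None of that relates to the WESP translate fix, so it belongs in its own commit or at least in the changelog. Keep in mind that each `cannot load` entry whitelists a module load failure in the test kernel, so a genuine regression in those extensions would be masked; the list should stay as short as the build environment allows.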

@ -16,7 +16,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: 1.8.11 Version: 1.8.11
Release: 4%{?dist} Release: 5%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.xz Source: %{url}/files/%{name}-%{version}.tar.xz
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -32,6 +32,7 @@ Source11: iptables-test.stderr.expect
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
Patch3: 0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic Licence 2.0 # iptables-apply: Artistic Licence 2.0
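Review bot: Patch3 is declared here but no application step is visible in this hunk; confirm that %prep applies it (an `%autosetup -p1` picks it up automatically, an explicit `%patch` sequence needs a new entry), otherwise the build succeeds with the patch silently unapplied and the translate tests keep failing on hosts whose /etc/protocols defines wesp.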
@ -505,6 +506,9 @@ fi
%ghost %{_mandir}/man8/ebtables.8.gz %ghost %{_mandir}/man8/ebtables.8.gz
%changelog %changelog
* Thu Nov 14 2024 Phil Sutter <psutter@redhat.com> [1.8.11-5.el10]
- ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]
* Wed Nov 13 2024 Phil Sutter <psutter@redhat.com> [1.8.11-4.el10] * Wed Nov 13 2024 Phil Sutter <psutter@redhat.com> [1.8.11-4.el10]
- Fix for RPM build warnings '--with legacy' (Phil Sutter) [RHEL-67473] - Fix for RPM build warnings '--with legacy' (Phil Sutter) [RHEL-67473]
- spec: Use bcond macro (Phil Sutter) [RHEL-67473] - spec: Use bcond macro (Phil Sutter) [RHEL-67473]
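Review bot: the new changelog entry documents only the translate fix, while the commit also rewrites iptables-test.stderr.expect with the ip6tables and ipcomp SPI range entries; add a second `- ` line for that so the package history explains why the expected test errors changed.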