diff --git a/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch b/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
new file mode 100644
index 0000000..abe95fe
--- /dev/null
+++ b/0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch
@@ -0,0 +1,40 @@
+From eacefb728885b5dc51036181de83b2df309d4e6b Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 29 Jul 2020 15:39:31 +0200
+Subject: [PATCH] nft: cache: Check consistency with NFT_CL_FAKE, too
+
+Athough this cache level fetches table names only, it shouldn't skip the
+consistency check.
+
+Fixes: f42bfb344af82 ("nft: cache: Re-establish cache consistency check")
+Signed-off-by: Phil Sutter
+(cherry picked from commit b531365ce32f386d91c6a0bbc80ec4076e4babdd)
+Signed-off-by: Phil Sutter
+---
+ iptables/nft-cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 638b18bc7e382..434cc10b82ce7 100644
+--- a/iptables/nft-cache.c
++++ b/iptables/nft-cache.c
+@@ -511,14 +511,14 @@ retry:
+ if (req->level >= NFT_CL_TABLES)
+ fetch_table_cache(h);
+ if (req->level == NFT_CL_FAKE)
+- return;
++ goto genid_check;
+ if (req->level >= NFT_CL_CHAINS)
+ fetch_chain_cache(h, t, chains);
+ if (req->level >= NFT_CL_SETS)
+ fetch_set_cache(h, t, NULL);
+ if (req->level >= NFT_CL_RULES)
+ fetch_rule_cache(h, t);
+-
++genid_check:
+ mnl_genid_get(h, &genid_check);
+ if (h->nft_genid != genid_check) {
+ flush_cache(h, h->cache, NULL);
+--
+2.27.0
+
diff --git a/0004-nft-Fix-command-name-in-ip6tables-error-message.patch b/0004-nft-Fix-command-name-in-ip6tables-error-message.patch
new file mode 100644
index 0000000..b9a83f6
--- /dev/null
+++ b/0004-nft-Fix-command-name-in-ip6tables-error-message.patch
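Review bot: In the iptables/nft-cache.c hunk carried by 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch, the new label `genid_check:` has the same name as the variable used on the very next line, `mnl_genid_get(h, &genid_check);`. Labels have their own namespace in C, so this compiles, but `goto genid_check;` reads as a jump to a variable; a distinct name such as `goto check_genid;` with `check_genid:` would be clearer. Separately, the visible lines do not test the return value of `mnl_genid_get()`, so if that call can fail, the comparison against `h->nft_genid` may use a stale or unset value. That is worth confirming, since this check is what keeps the cache from diverging from the kernel ruleset. The enclosing function starts and ends outside the hunk.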
@@ -0,0 +1,45 @@
+From dac3434e2e7ea297a3886c662d558305b460670b Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 7 Aug 2020 13:48:28 +0200
+Subject: [PATCH] nft: Fix command name in ip6tables error message
+
+Upon errors, ip6tables-nft would prefix its error messages with
+'iptables:' instead of 'ip6tables:'. Turns out the command name was
+hard-coded, use 'progname' variable instead.
+While being at it, merge the two mostly identical fprintf() calls into
+one.
+
+Signed-off-by: Phil Sutter
+Acked-by: Pablo Neira Ayuso
+(cherry picked from commit 3be40dcfb5af1438b6abdbda45a1e3b59c104e13)
+Signed-off-by: Phil Sutter
+---
+ iptables/xtables-standalone.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
+index dd6fb7919d2e1..7b71db62f1ea6 100644
+--- a/iptables/xtables-standalone.c
++++ b/iptables/xtables-standalone.c
+@@ -75,14 +75,10 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
+ xtables_fini();
+
+ if (!ret) {
+- if (errno == EINVAL) {
+- fprintf(stderr, "iptables: %s. "
+- "Run `dmesg' for more information.\n",
+- nft_strerror(errno));
+- } else {
+- fprintf(stderr, "iptables: %s.\n",
+- nft_strerror(errno));
+- }
++ fprintf(stderr, "%s: %s.%s\n", progname, nft_strerror(errno),
++ (errno == EINVAL ?
++ " Run `dmesg' for more information." : ""));
++
+ if (errno == EAGAIN)
+ exit(RESOURCE_PROBLEM);
+ }
+--
+2.27.0
+
diff --git a/iptables.spec b/iptables.spec
index e20e38c..42ce8c2 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -19,7 +19,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
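Review bot: In the iptables/xtables-standalone.c hunk carried by 0004-nft-Fix-command-name-in-ip6tables-error-message.patch, `errno` is still read after `xtables_fini()` and read again after the new `fprintf()`, and either call may overwrite it. Both the printed message and the `if (errno == EAGAIN)` test that selects `exit(RESOURCE_PROBLEM)` can therefore reflect the wrong error, which matters to any caller that acts on that exit status. Saving the value once with `const int err = errno;` right after the call that sets `ret` (outside this hunk) would fix it, with `err` then used in the `fprintf()` arguments and in `if (err == EAGAIN)`. xtables_main's body starts and ends outside the hunk.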
@@ -34,6 +34,8 @@ Source8: 0002-extensions-format-security-fixes-in-libip-6-t_icmp.patch Patch1: 0001-build-resolve-iptables-apply-not-getting-installed.patch Patch2: 0002-xtables-translate-don-t-fail-if-help-was-requested.patch +Patch3: 0003-nft-cache-Check-consistency-with-NFT_CL_FAKE-too.patch +Patch4: 0004-nft-Fix-command-name-in-ip6tables-error-message.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -446,6 +448,10 @@ fi %changelog +* Tue Aug 25 15:56:10 GMT 2020 Phil Sutter - 1.8.5-3 +- nft: cache: Check consistency with NFT_CL_FAKE, too +- nft: Fix command name in ip6tables error message + * Tue Jul 28 2020 Fedora Release Engineering - 1.8.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild