Compare commits


No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

4 changed files with 1 additions and 173 deletions


@ -1,31 +0,0 @@
From 0482da08db2dcf9414008c286ebf227952512b03 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 13 Jul 2023 18:32:02 +0200
Subject: [PATCH] iptables-restore: Drop dead code
Handle initialization is guarded by 'in_table' boolean, so there can't
be a handle already (because the branch which unsets 'in_table' also
frees the handle).
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 4d9453233538200e9663c6bd0c2df09e1671b5f4)
---
iptables/iptables-restore.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 3b821467db355..6dfafe0c18072 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -225,8 +225,6 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
}
continue;
}
- if (handle)
- cb->ops->free(handle);
handle = create_handle(cb, table);
if (noflush == 0) {
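Review bot: The removed `if (handle) cb->ops->free(handle);` guard is only dead if every path that reaches `create_handle()` with `in_table` cleared also resets `handle` to NULL after freeing it; that reset is not visible in this hunk's context, so please confirm it in the branch that unsets `in_table`. Worth stating the failure mode if that invariant is ever broken: the old code would free a stale handle, the new code simply overwrites it, so the worst case becomes a leak rather than a double free or use-after-free, which is the safer direction.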
--
2.41.0


@ -1,82 +0,0 @@
From ff0c0dc23fec33e339974e419c664d3bef39edc9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 1 Aug 2023 16:56:42 +0200
Subject: [PATCH] iptables-apply: Eliminate shellcheck warnings
Actual warnings were only about use of '-a' in bracket expressions
(replace by '&&' pipeline) and the immediate evaluation of the variable
in trap command.
The remaining changes silence info-level messages: missing quoting
around variables, pointless '$' in arithmetic expressions, backticks
instead of $(...), missing '-r' parameter when calling read and an
awkward negated '-z' check.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9f98550d58a49fc95d529ebdc0173579d957b425)
---
iptables/iptables-apply | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 3a7df5e3cbc1f..c603fb2113ef3 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -141,9 +141,9 @@ for opt in $OPTS; do
;;
(*)
case "${OPT_STATE:-}" in
- (SET_TIMEOUT) eval TIMEOUT=$opt;;
+ (SET_TIMEOUT) eval TIMEOUT="$opt";;
(SET_SAVEFILE)
- eval SAVEFILE=$opt
+ eval SAVEFILE="$opt"
[ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE"
;;
esac
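Review bot: Quoting `$opt` in `eval TIMEOUT="$opt"` and `eval SAVEFILE="$opt"` satisfies shellcheck but does not change what `eval` does: the option value is still re-parsed as shell code after expansion, so shell metacharacters in an argument are executed. The script is run by a local administrator on their own command line, so this is not an exposure in itself, but if `eval` is only there to strip the quoting added when `$OPTS` was built, a plain `TIMEOUT=$opt` with the unquoting done once at that point would remove the eval entirely; otherwise a short comment on why eval is required here would help the next reader.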
@@ -163,13 +163,13 @@ done
# Validate parameters
if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then
- TIMEOUT=$(($TIMEOUT))
+ TIMEOUT=$((TIMEOUT))
else
echo "Error: timeout must be a positive number" >&2
exit 1
fi
-if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then
+if [ -n "$SAVEFILE" ] && [ -e "$SAVEFILE" ] && [ ! -w "$SAVEFILE" ]; then
echo "Error: savefile not writable: $SAVEFILE" >&2
exit 8
fi
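Review bot: The message "timeout must be a positive number" disagrees with the test `[ "$TIMEOUT" -ge 0 ]`, which accepts 0; either say "non-negative" or tighten the test to `-gt 0`, depending on whether a zero timeout is meant to be allowed. The `-a` to `&&` rewrite of the `SAVEFILE` check is behaviour-preserving (`-e` and `! -w` are still only evaluated when the name is non-empty) and removes the ambiguity `[ -a ]` has with operands beginning with `-` or `!`. `TIMEOUT=$((TIMEOUT))` is safe only because the preceding `-ge` test, with its stderr discarded, has already rejected non-integer input; arithmetic expansion of an arbitrary string would otherwise evaluate it.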
@@ -205,8 +205,8 @@ esac
### Begin work
# Store old iptables rules to temporary file
-TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX`
-trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
+TMPFILE=$(mktemp "/tmp/$PROGNAME-XXXXXXXX")
+trap 'rm -f $TMPFILE' EXIT HUP INT QUIT ILL TRAP ABRT BUS \
FPE USR1 SEGV USR2 PIPE ALRM TERM
if ! "$SAVE" >"$TMPFILE"; then
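Review bot: Switching to `trap 'rm -f $TMPFILE'` (single quotes) moves the expansion of `$TMPFILE` from trap-definition time to exit or signal time; that is correct here because `TMPFILE` is assigned once just above and never changes, but the variable is now unquoted when the trap runs, so `trap 'rm -f "$TMPFILE"' EXIT HUP ...` is the fully quoted form. A one-line check that `mktemp` succeeded before installing the trap would also help: on failure `TMPFILE` is empty, `rm -f` silently does nothing, and the following `"$SAVE" >"$TMPFILE"` redirect fails with a less obvious error.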
@@ -257,13 +257,13 @@ esac
# Prompt user for confirmation
echo -n "Can you establish NEW connections to the machine? (y/N) "
-read -n1 -t "$TIMEOUT" ret 2>&1 || :
+read -r -n1 -t "$TIMEOUT" ret 2>&1 || :
case "${ret:-}" in
(y*|Y*)
# Success
echo
- if [ ! -z "$SAVEFILE" ]; then
+ if [ -n "$SAVEFILE" ]; then
# Write successfully applied rules to the savefile
echo "Writing successfully applied rules to '$SAVEFILE'..."
if ! "$SAVE" >"$SAVEFILE"; then
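Review bot: `read -r -n1 -t "$TIMEOUT" ret 2>&1 || :` deserves a comment on the fail-safe it provides: on timeout `read` returns non-zero, `|| :` swallows that, `ret` stays unset, and `"${ret:-}"` falls through to the non-`y` case so the saved rules are restored; adding `-r` only disables backslash processing and does not alter that path. Two smaller points: `-n1` and `-t` are bash extensions, so the shebang must be bash rather than `sh`; and `2>&1` sends read's own diagnostics to stdout, which is unusual enough to merit a comment or removal.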
--
2.41.0


@ -1,51 +0,0 @@
From f4f3fd1fa83a56c051fa72ee619ef23942e65504 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 28 Jan 2021 01:09:56 +0100
Subject: [PATCH] ebtables: Exit gracefully on invalid table names
Users are able to cause program abort by passing a table name that
doesn't exist:
| # ebtables-nft -t dummy -P INPUT ACCEPT
| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
| Aborted
Avoid this by checking table existence just like iptables-nft does upon
parsing '-t' optarg. Since the list of tables is known and fixed,
checking the given name's length is pointless. So just drop that check
in return.
With this patch in place, output looks much better:
| # ebtables-nft -t dummy -P INPUT ACCEPT
| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
| Perhaps iptables or your kernel needs to be upgraded.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
---
iptables/xtables-eb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index a3d659fb35e27..6e47feec5132f 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -957,10 +957,10 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be used in %s.\n",
line, xt_params->program_name);
- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
- xtables_error(PARAMETER_PROBLEM,
- "Table name length cannot exceed %d characters",
- EBT_TABLE_MAXNAMELEN - 1);
+ if (!nft_table_builtin_find(h, optarg))
+ xtables_error(VERSION_PROBLEM,
+ "table '%s' does not exist",
+ optarg);
*table = optarg;
table_set = true;
break;
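Review bot: Using `VERSION_PROBLEM` for an unknown table name produces the "Perhaps iptables or your kernel needs to be upgraded" hint shown in the commit message, which misleads a user who simply mistyped `-t dummy`; since `nft_table_builtin_find()` consults a fixed built-in list, `PARAMETER_PROBLEM` (the class the removed length check used) describes the error more accurately. Dropping the `EBT_TABLE_MAXNAMELEN` check is fine because the lookup now bounds acceptable names by that list, and because the check runs before `*table = optarg`, the later `fetch_chain_cache` assertion quoted in the message can no longer be reached with an invalid name.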
--
2.41.0


@ -10,7 +10,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: http://www.netfilter.org/projects/iptables
Version: 1.8.5
Release: 11%{?dist}
Release: 10%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
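Review bot: The outer `-`/`+` markers have been lost on these spec lines, so `Release: 11%{?dist}` and `Release: 10%{?dist}` both appear unmarked; from the changelog below, 11 is the c8 side that carries the three extra patches and 10 is the c8-beta side. Since the compare runs from c8 to c8-beta, this hunk reads as a Release downgrade, which is expected when the beta branch is simply behind rather than diverged in content.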
@ -169,9 +169,6 @@ Patch142: 0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch
Patch143: 0143-nft-Special-casing-for-among-match-in-compare_matche.patch
Patch144: 0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch
Patch145: 0145-iptables-nft-fix-basechain-policy-configuration.patch
Patch146: 0146-iptables-restore-Drop-dead-code.patch
Patch147: 0147-iptables-apply-Eliminate-shellcheck-warnings.patch
Patch148: 0148-ebtables-Exit-gracefully-on-invalid-table-names.patch
# pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
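Review bot: Dropping `Patch146` through `Patch148` here matches the three patch files deleted above (`@ -1,31`, `@ -1,82` and `@ -1,51`, 164 lines) and the 1.8.5-11 changelog entry, so spec and tree stay consistent; with the one-line Release change and the five-line changelog hunk the totals reconcile to the 173 deletions and 1 addition in the summary. Anyone building from c8-beta should note that one of the three missing patches is the ebtables fix for an abort on an invalid `-t` argument, not only cleanup.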
@ -544,11 +541,6 @@ done
%doc %{_mandir}/man8/ebtables*.8*
%changelog
* Thu Nov 16 2023 Phil Sutter <psutter@redhat.com> - 1.8.5-11
- iptables-restore: Drop dead code
- iptables-apply: Eliminate shellcheck warnings
- ebtables: Exit gracefully on invalid table names
* Fri Sep 08 2023 Phil Sutter <psutter@redhat.com> - 1.8.5-10
- Bump NVR to fix for wrong build tag