From 0f637a250e69077819fa9f74fe83fac6ae056d17 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 10 2022 07:13:56 +0000
Subject: import iptables-1.8.4-22.el8
---
diff --git a/SOURCES/0059-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch b/SOURCES/0059-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
new file mode 100644
index 0000000..51e3fd2
--- /dev/null
+++ b/SOURCES/0059-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
@@ -0,0 +1,130 @@
+From 947e9c06a863c47e91a46d2cce90c677a90e4d09 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 28 Jul 2021 17:53:53 +0200
+Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options
+
+Drop any reference to them (and the environment variable) but list them
+in BUGS section hinting at ebtables-save and -restore tools.
+
+Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
+Signed-off-by: Phil Sutter
+Acked-by: Pablo Neira Ayuso
+(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39)
+---
+ iptables/ebtables-nft.8 | 64 ++++++-----------------------------------
+ 1 file changed, 8 insertions(+), 56 deletions(-)
+
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+index 1fa5ad9388cc0..08e9766f2cc74 100644
+--- a/iptables/ebtables-nft.8
++++ b/iptables/ebtables-nft.8
+@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
+ .br
+ .BR "ebtables " [ -t " table ] " --init-table
+ .br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
+-.br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
+-.br
+-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
+-.br
+ 
+ .SH DESCRIPTION
+ .B ebtables
+@@ -149,11 +143,9 @@ a table, the commands apply to the default filter table.
+ Only one command may be used on the command line at a time, except when
+ the commands
+ .BR -L " and " -Z
+-are combined, the commands
++are combined or the commands
+ .BR -N " and " -P
+-are combined, or when
+-.B --atomic-file
+-is used.
++are combined.
+ .TP
+ .B "-A, --append"
+ Append a rule to the end of the selected chain.
+@@ -313,39 +305,6 @@ of the ebtables kernel table.
+ .TP
+ .B "--init-table"
+ Replace the current table data by the initial table data.
+-.TP
+-.B "--atomic-init"
+-Copy the kernel's initial data of the table to the specified
+-file. This can be used as the first action, after which rules are added
+-to the file. The file can be specified using the
+-.B --atomic-file
+-command or through the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+-.B "--atomic-save"
+-Copy the kernel's current data of the table to the specified
+-file. This can be used as the first action, after which rules are added
+-to the file. The file can be specified using the
+-.B --atomic-file
+-command or through the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+-.B "--atomic-commit"
+-Replace the kernel table data with the data contained in the specified
+-file. This is a useful command that allows you to load all your rules of a
+-certain table into the kernel at once, saving the kernel a lot of precious
+-time and allowing atomic updates of the tables. The file which contains
+-the table data is constructed by using either the
+-.B "--atomic-init"
+-or the
+-.B "--atomic-save"
+-command to generate a starting file. After that, using the
+-.B "--atomic-file"
+-command when constructing rules or setting the
+-.IR EBTABLES_ATOMIC_FILE " environment variable"
+-allows you to extend the file and build the complete table before
+-committing it to the kernel. This command can be very useful in boot scripts
+-to populate the ebtables tables in a fast way.
+ .SS MISCELLANOUS COMMANDS
+ .TP
+ .B "-V, --version"
+@@ -371,16 +330,6 @@ a target extension (see
+ .BR "TARGET EXTENSIONS" ")"
+ or a user-defined chain name.
+ .TP
+-.B --atomic-file "\fIfile\fP"
+-Let the command operate on the specified
+-.IR file .
+-The data of the table to
+-operate on will be extracted from the file and the result of the operation
+-will be saved back into the file. If specified, this option should come
+-before the command specification. An alternative that should be preferred,
+-is setting the
+-.IR EBTABLES_ATOMIC_FILE " environment variable."
+-.TP
+ .B -M, --modprobe "\fIprogram\fP"
+ When talking to the kernel, use this
+ .I program
+@@ -1100,8 +1049,6 @@ arp message and the hardware address length in the arp header is 6 bytes.
+ .br
+ .SH FILES
+ .I /etc/ethertypes
+-.SH ENVIRONMENT VARIABLES
+-.I EBTABLES_ATOMIC_FILE
+ .SH MAILINGLISTS
+ .BR "" "See " http://netfilter.org/mailinglists.html
+ .SH BUGS
+@@ -1109,7 +1056,12 @@ The version of ebtables this man page ships with does not support the
+ .B broute
+ table. Also there is no support for
+ .B string
+-match. And finally, this list is probably not complete.
++match. Further, support for atomic-options
++.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit )
++has not been implemented, although
++.BR ebtables-save " and " ebtables-restore
++might replace them entirely given the inherent atomicity of nftables.
++Finally, this list is probably not complete.
+ .SH SEE ALSO
+ .BR xtables-nft "(8), " iptables "(8), " ip (8)
+ .PP
+-- 
+2.33.0
+
diff --git a/SOURCES/0060-ebtables-Dump-atomic-waste.patch b/SOURCES/0060-ebtables-Dump-atomic-waste.patch
new file mode 100644
index 0000000..4fd9fb7
--- /dev/null
+++ b/SOURCES/0060-ebtables-Dump-atomic-waste.patch
@@ -0,0 +1,102 @@
+From c1eaf1738533eeec3dc1bdc2285dbf28c68d5042 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 30 Jul 2021 12:25:10 +0200
+Subject: [PATCH] ebtables: Dump atomic waste
+
+With ebtables-nft.8 now educating people about the missing
+functionality, get rid of atomic remains in source code. This eliminates
+mostly comments except for --atomic-commit which was treated as alias of
+--init-table. People not using the latter are probably trying to
+atomic-commit from an atomic-file which in turn is not supported, so no
+point keeping it.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0)
+---
+ iptables/xtables-eb.c | 53 -------------------------------------------
+ 1 file changed, 53 deletions(-)
+
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index c006bc95ac681..b836616ed0259 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -262,10 +262,6 @@ struct option ebt_original_options[] =
+ { "new-chain" , required_argument, 0, 'N' },
+ { "rename-chain" , required_argument, 0, 'E' },
+ { "delete-chain" , optional_argument, 0, 'X' },
+- { "atomic-init" , no_argument , 0, 7 },
+- { "atomic-commit" , no_argument , 0, 8 },
+- { "atomic-file" , required_argument, 0, 9 },
+- { "atomic-save" , no_argument , 0, 10 },
+ { "init-table" , no_argument , 0, 11 },
+ { "concurrent" , no_argument , 0, 13 },
+ { 0 }
+@@ -371,10 +367,6 @@ static void print_help(const struct xtables_target *t,
+ "--new-chain -N chain : create a user defined chain\n"
+ "--rename-chain -E old new : rename a chain\n"
+ "--delete-chain -X [chain] : delete a user defined chain\n"
+-"--atomic-commit : update the kernel w/t table contained in \n"
+-"--atomic-init : put the initial kernel table into \n"
+-"--atomic-save : put the current kernel table into \n"
+-"--atomic-file file : set to file\n\n"
+ "Options:\n"
+ "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n"
+ "--src -s [!] address[/mask]: source mac address\n"
+@@ -1116,54 +1108,9 @@ print_zero:
+ "Use --Lmac2 with -L");
+ flags |= LIST_MAC2;
+ break;
+- case 8 : /* atomic-commit */
+-/*
+- replace->command = c;
+- if (OPT_COMMANDS)
+- ebt_print_error2("Multiple commands are not allowed");
+- replace->flags |= OPT_COMMAND;
+- if (!replace->filename)
+- ebt_print_error2("No atomic file specified");*/
+- /* Get the information from the file */
+- /*ebt_get_table(replace, 0);*/
+- /* We don't want the kernel giving us its counters,
+- * they would overwrite the counters extracted from
+- * the file */
+- /*replace->num_counters = 0;*/
+- /* Make sure the table will be written to the kernel */
+- /*free(replace->filename);
+- replace->filename = NULL;
+- break;*/
+- /*case 7 :*/ /* atomic-init */
+- /*case 10:*/ /* atomic-save */
+ case 11: /* init-table */
+ nft_table_flush(h, *table);
+ return 1;
+- /*
+- replace->command = c;
+- if (OPT_COMMANDS)
+- ebt_print_error2("Multiple commands are not allowed");
+- if (c != 11 && !replace->filename)
+- ebt_print_error2("No atomic file specified");
+- replace->flags |= OPT_COMMAND;
+- {
+- char *tmp = replace->filename;*/
+-
+- /* Get the kernel table */
+- /*replace->filename = NULL;
+- ebt_get_kernel_table(replace, c == 10 ? 0 : 1);
+- replace->filename = tmp;
+- }
+- break;
+- case 9 :*/ /* atomic */
+- /*
+- if (OPT_COMMANDS)
+- ebt_print_error2("--atomic has to come before the command");*/
+- /* A possible memory leak here, but this is not
+- * executed in daemon mode */
+- /*replace->filename = (char *)malloc(strlen(optarg) + 1);
+- strcpy(replace->filename, optarg);
+- break; */
+ case 13 :
+ break;
+ case 1 :
+-- 
+2.33.0
+
diff --git a/SOURCES/0061-extensions-hashlimit-Fix-tests-with-HZ-100.patch b/SOURCES/0061-extensions-hashlimit-Fix-tests-with-HZ-100.patch
new file mode 100644
index 0000000..b52c8b0
--- /dev/null
+++ b/SOURCES/0061-extensions-hashlimit-Fix-tests-with-HZ-100.patch
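Review bot: The help output loses the blank line that separated the command list from the `Options:` heading, because the dropped `--atomic-file` entry was the one whose string ended in `\n\n`; the surviving `--delete-chain` line ends with a single `\n`, so `Options:` now follows it directly. Change that line to `"--delete-chain -X [chain] : delete a user defined chain\n\n"` to keep the two sections visually separated as before. print_help begins before this hunk and the rest of its option strings are not visible here.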
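Review bot: With `case 8` gone and the long option removed from `ebt_original_options`, `ebtables --atomic-commit` no longer silently flushes the table through the fall-through into `case 11` (`nft_table_flush`), but lands in getopt's unknown-option path whose handling is outside this hunk. It is worth confirming that path exits non-zero rather than continuing, since a boot script that relied on the old alias would otherwise run without any diagnostic. A short comment at `case 11` would also stop someone re-adding the alias: `/* init-table; the old --atomic-* options (values 7-10) were removed on purpose, the nft backend has no atomic-file support */`. The enclosing switch continues past the end of the hunk.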
@@ -0,0 +1,41 @@
+From ec4a91ac53e4dba210daa9bb3af9e09532c86b06 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 9 Aug 2021 18:48:58 +0200
+Subject: [PATCH] extensions: hashlimit: Fix tests with HZ=100
+
+With the kernel ticking at 100Hz, a limit of 1/day with burst 5 does not
+overflow in kernel, making the test unstable depending on kernel config.
+Change it to not overflow with 1000Hz either by increasing the burst
+value by a factor of 100.
+
+Fixes: fcf9f6f25db11 ("extensions: libxt_hashlimit: add unit test")
+Signed-off-by: Phil Sutter
+(cherry picked from commit bef9dc575625a98a5e6ed8ca37e49031cdba5937)
+---
+ extensions/libxt_hashlimit.t | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
+index ccd0d1e6a2a1a..8369933786f68 100644
+--- a/extensions/libxt_hashlimit.t
++++ b/extensions/libxt_hashlimit.t
+@@ -3,14 +3,12 @@
+ -m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
+--m hashlimit --hashlimit-above 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
++-m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
+--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
++-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+-- 
+2.33.0
+
diff --git a/SOURCES/0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch b/SOURCES/0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch
new file mode 100644
index 0000000..81b2c3a
--- /dev/null
+++ b/SOURCES/0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch
@@ -0,0 +1,47 @@
+From 41660ba1faea8b7ebd71e94c70ef175a75ab91cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 8 Nov 2021 17:03:21 +0100
+Subject: [PATCH] extensions: hashlimit: Fix tests with HZ=1000
+
+In an attempt to fix for failing hashlimit tests with HZ=100, the
+expected failures were changed so they are expected to pass and the
+parameters changed to seemingly fix them. Yet while the new parameters
+worked on HZ=100 systems, with higher tick rates they didn't so the
+observed problem moved from the test failing on HZ=100 to failing on
+HZ=1000 instead.
+
+Kernel's error message "try lower: 864000000/5" turned out to be a red
+herring: The burst value does not act as a dividor but a multiplier
+instead, so in order to lower the overflow-checked value, a lower burst
+value must be chosen. Inded, using a burst value of 1 makes the kernel
+accept the rule in both HZ=100 and HZ=1000 configurations.
+
+Fixes: bef9dc575625a ("extensions: hashlimit: Fix tests with HZ=100")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 1eab8e83aec0e6965f11f8cad460add1caeae629)
+---
+ extensions/libxt_hashlimit.t | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
+index 8369933786f68..206d92935f2e2 100644
+--- a/extensions/libxt_hashlimit.t
++++ b/extensions/libxt_hashlimit.t
+@@ -3,12 +3,12 @@
+ -m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+--m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
++-m hashlimit --hashlimit-above 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
+--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
++-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+ -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
+-- 
+2.33.0
+
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index 71c5f1d..85be0bd 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@@ -17,7 +17,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.4
-Release: 20%{?dist}
+Release: 22%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -92,6 +92,10 @@ Patch55: 0055-extensions-sctp-Fix-nftables-translation.patch
 Patch56: 0056-extensions-sctp-Translate-chunk-types-option.patch
 Patch57: 0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 Patch58: 0058-nft-cache-Retry-if-kernel-returns-EINTR.patch
+Patch59: 0059-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
+Patch60: 0060-ebtables-Dump-atomic-waste.patch
+Patch61: 0061-extensions-hashlimit-Fix-tests-with-HZ-100.patch
+Patch62: 0062-extensions-hashlimit-Fix-tests-with-HZ-1000.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
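Review bot: After this change the test file no longer contains any case that expects the kernel to reject a hashlimit rule for overflow: the two `;;FAIL` lines and their `# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"` comments were turned into passing cases by the preceding patch, and this one only lowers the burst, so the overflow rejection path is unexercised on both HZ=100 and HZ=1000. The reason for the odd-looking `--hashlimit-burst 1` on the two `1/day` lines lives only in the commit message; a comment in the file such as `# 1/day: burst multiplies the overflow-checked value, keep it at 1 so HZ=100 and HZ=1000 kernels both accept the rule` would preserve that finding next to the data it explains. Whether a burst value exists that overflows on both tick rates cannot be determined from what is shown here, so a restored FAIL case would need checking against both kernel configurations before being added.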
@@ -500,6 +504,14 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 
 %changelog
+* Mon Nov 29 2021 Phil Sutter - 1.8.4-22
+- extensions: hashlimit: Fix tests with HZ=1000
+
+* Thu Oct 07 2021 Phil Sutter - 1.8.4-21
+- extensions: hashlimit: Fix tests with HZ=100
+- ebtables: Dump atomic waste
+- doc: ebtables-nft.8: Adjust for missing atomic-options
+
+* Wed Aug 04 2021 Phil Sutter - 1.8.4-20
+- extensions: SECMARK: Use a better context in test case
+- extensions: sctp: Translate --chunk-types option