From ff4a6baab18fe0c0cf442f42f3ed3a28c0da15be Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Dec 07 2021 19:22:47 +0000 Subject: import iptables-1.8.7-26.el9 --- diff --git a/SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch b/SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch new file mode 100644 index 0000000..9ad1e18 --- /dev/null +++ b/SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch @@ -0,0 +1,31 @@ +From 000c159641522abf56ccb4deebfc558e8bb41302 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 31 Aug 2021 12:26:20 +0200 +Subject: [PATCH] nft: Use xtables_malloc() in mnl_err_list_node_add() + +The function called malloc() without checking for memory allocation +failure. Simply replace the call by xtables_malloc() to fix that. + +Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API") +Signed-off-by: Phil Sutter +(cherry picked from commit ca11c7b7036b5821c17b8d08dc2a29f55b461a93) +--- + iptables/nft.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index f1deb82f87576..83054e528cae1 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -143,7 +143,7 @@ struct mnl_err { + static void mnl_err_list_node_add(struct list_head *err_list, int error, + int seqnum) + { +- struct mnl_err *err = malloc(sizeof(struct mnl_err)); ++ struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err)); + + err->seqnum = seqnum; + err->err = error; +-- +2.33.0 + diff --git a/SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch b/SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch new file mode 100644 index 0000000..377486a --- /dev/null +++ b/SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch 
@@ -0,0 +1,130 @@ +From f73416517ac7bb6868ff4c0199fcd4327c9dffa5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 28 Jul 2021 17:53:53 +0200 +Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options + +Drop any reference to them (and the environment variable) but list them +in BUGS section hinting at ebtables-save and -restore tools. + +Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page") +Signed-off-by: Phil Sutter +Acked-by: Pablo Neira Ayuso +(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39) +--- + iptables/ebtables-nft.8 | 64 ++++++----------------------------------- + 1 file changed, 8 insertions(+), 56 deletions(-) + +diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 +index 5bdc0bb8a939e..85f6738d7d1aa 100644 +--- a/iptables/ebtables-nft.8 ++++ b/iptables/ebtables-nft.8 +@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based) + .br + .BR "ebtables " [ -t " table ] " --init-table + .br +-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit +-.br +-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init +-.br +-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save +-.br + + .SH DESCRIPTION + .PP +@@ -162,11 +156,9 @@ a table, the commands apply to the default filter table. + Only one command may be used on the command line at a time, except when + the commands + .BR -L " and " -Z +-are combined, the commands ++are combined or the commands + .BR -N " and " -P +-are combined, or when +-.B --atomic-file +-is used. ++are combined. + .TP + .B "-A, --append" + Append a rule to the end of the selected chain. +@@ -326,39 +318,6 @@ of the ebtables kernel table. + .TP + .B "--init-table" + Replace the current table data by the initial table data. +-.TP +-.B "--atomic-init" +-Copy the kernel's initial data of the table to the specified +-file. This can be used as the first action, after which rules are added +-to the file. 
The file can be specified using the +-.B --atomic-file +-command or through the +-.IR EBTABLES_ATOMIC_FILE " environment variable." +-.TP +-.B "--atomic-save" +-Copy the kernel's current data of the table to the specified +-file. This can be used as the first action, after which rules are added +-to the file. The file can be specified using the +-.B --atomic-file +-command or through the +-.IR EBTABLES_ATOMIC_FILE " environment variable." +-.TP +-.B "--atomic-commit" +-Replace the kernel table data with the data contained in the specified +-file. This is a useful command that allows you to load all your rules of a +-certain table into the kernel at once, saving the kernel a lot of precious +-time and allowing atomic updates of the tables. The file which contains +-the table data is constructed by using either the +-.B "--atomic-init" +-or the +-.B "--atomic-save" +-command to generate a starting file. After that, using the +-.B "--atomic-file" +-command when constructing rules or setting the +-.IR EBTABLES_ATOMIC_FILE " environment variable" +-allows you to extend the file and build the complete table before +-committing it to the kernel. This command can be very useful in boot scripts +-to populate the ebtables tables in a fast way. + .SS MISCELLANOUS COMMANDS + .TP + .B "-V, --version" +@@ -384,16 +343,6 @@ a target extension (see + .BR "TARGET EXTENSIONS" ")" + or a user-defined chain name. + .TP +-.B --atomic-file "\fIfile\fP" +-Let the command operate on the specified +-.IR file . +-The data of the table to +-operate on will be extracted from the file and the result of the operation +-will be saved back into the file. If specified, this option should come +-before the command specification. An alternative that should be preferred, +-is setting the +-.IR EBTABLES_ATOMIC_FILE " environment variable." 
+-.TP + .B -M, --modprobe "\fIprogram\fP" + When talking to the kernel, use this + .I program +@@ -1113,8 +1062,6 @@ arp message and the hardware address length in the arp header is 6 bytes. + .br + .SH FILES + .I /etc/ethertypes +-.SH ENVIRONMENT VARIABLES +-.I EBTABLES_ATOMIC_FILE + .SH MAILINGLISTS + .BR "" "See " http://netfilter.org/mailinglists.html + .SH BUGS +@@ -1122,7 +1069,12 @@ The version of ebtables this man page ships with does not support the + .B broute + table. Also there is no support for + .B string +-match. And finally, this list is probably not complete. ++match. Further, support for atomic-options ++.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit ) ++has not been implemented, although ++.BR ebtables-save " and " ebtables-restore ++might replace them entirely given the inherent atomicity of nftables. ++Finally, this list is probably not complete. + .SH SEE ALSO + .BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8) + .PP +-- +2.33.0 + diff --git a/SOURCES/0022-ebtables-Dump-atomic-waste.patch b/SOURCES/0022-ebtables-Dump-atomic-waste.patch new file mode 100644 index 0000000..b5be6cb --- /dev/null +++ b/SOURCES/0022-ebtables-Dump-atomic-waste.patch 
@@ -0,0 +1,102 @@ +From cb68daac1f24c94a48450a683a5f765dc00da164 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 30 Jul 2021 12:25:10 +0200 +Subject: [PATCH] ebtables: Dump atomic waste + +With ebtables-nft.8 now educating people about the missing +functionality, get rid of atomic remains in source code. This eliminates +mostly comments except for --atomic-commit which was treated as alias of +--init-table. People not using the latter are probably trying to +atomic-commit from an atomic-file which in turn is not supported, so no +point keeping it. + +Signed-off-by: Phil Sutter +(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0) +--- + iptables/xtables-eb.c | 53 ------------------------------------------- + 1 file changed, 53 deletions(-) + +diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c +index 5bb34d6d292a9..aeb4d92166431 100644 +--- a/iptables/xtables-eb.c ++++ b/iptables/xtables-eb.c +@@ -211,10 +211,6 @@ struct option ebt_original_options[] = + { "new-chain" , required_argument, 0, 'N' }, + { "rename-chain" , required_argument, 0, 'E' }, + { "delete-chain" , optional_argument, 0, 'X' }, +- { "atomic-init" , no_argument , 0, 7 }, +- { "atomic-commit" , no_argument , 0, 8 }, +- { "atomic-file" , required_argument, 0, 9 }, +- { "atomic-save" , no_argument , 0, 10 }, + { "init-table" , no_argument , 0, 11 }, + { "concurrent" , no_argument , 0, 13 }, + { 0 } +@@ -320,10 +316,6 @@ static void print_help(const struct xtables_target *t, + "--new-chain -N chain : create a user defined chain\n" + "--rename-chain -E old new : rename a chain\n" + "--delete-chain -X [chain] : delete a user defined chain\n" +-"--atomic-commit : update the kernel w/t table contained in \n" +-"--atomic-init : put the initial kernel table into \n" +-"--atomic-save : put the current kernel table into \n" +-"--atomic-file file : set to file\n\n" + "Options:\n" + "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" + "--src -s [!] 
address[/mask]: source mac address\n" +@@ -1088,54 +1080,9 @@ print_zero: + "Use --Lmac2 with -L"); + flags |= LIST_MAC2; + break; +- case 8 : /* atomic-commit */ +-/* +- replace->command = c; +- if (OPT_COMMANDS) +- ebt_print_error2("Multiple commands are not allowed"); +- replace->flags |= OPT_COMMAND; +- if (!replace->filename) +- ebt_print_error2("No atomic file specified");*/ +- /* Get the information from the file */ +- /*ebt_get_table(replace, 0);*/ +- /* We don't want the kernel giving us its counters, +- * they would overwrite the counters extracted from +- * the file */ +- /*replace->num_counters = 0;*/ +- /* Make sure the table will be written to the kernel */ +- /*free(replace->filename); +- replace->filename = NULL; +- break;*/ +- /*case 7 :*/ /* atomic-init */ +- /*case 10:*/ /* atomic-save */ + case 11: /* init-table */ + nft_cmd_table_flush(h, *table, false); + return 1; +- /* +- replace->command = c; +- if (OPT_COMMANDS) +- ebt_print_error2("Multiple commands are not allowed"); +- if (c != 11 && !replace->filename) +- ebt_print_error2("No atomic file specified"); +- replace->flags |= OPT_COMMAND; +- { +- char *tmp = replace->filename;*/ +- +- /* Get the kernel table */ +- /*replace->filename = NULL; +- ebt_get_kernel_table(replace, c == 10 ? 0 : 1); +- replace->filename = tmp; +- } +- break; +- case 9 :*/ /* atomic */ +- /* +- if (OPT_COMMANDS) +- ebt_print_error2("--atomic has to come before the command");*/ +- /* A possible memory leak here, but this is not +- * executed in daemon mode */ +- /*replace->filename = (char *)malloc(strlen(optarg) + 1); +- strcpy(replace->filename, optarg); +- break; */ + case 13 : + break; + case 1 : +-- +2.33.0 + diff --git a/SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch b/SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch new file mode 100644 index 0000000..da2f873 --- /dev/null +++ b/SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch 
@@ -0,0 +1,31 @@ +From 5b88835a68a886f58c230599a82a6588f6fc5214 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 3 Aug 2021 10:55:20 +0200 +Subject: [PATCH] nft: Fix for non-verbose check command + +Check command was unconditionally verbose since v1.8.5. Make it respect +--verbose option again. + +Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") +Signed-off-by: Phil Sutter +(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0) +--- + iptables/nft.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index 83054e528cae1..a470939db54fb 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h) + case NFT_COMPAT_RULE_CHECK: + assert_chain_exists(h, cmd->table, cmd->jumpto); + ret = nft_rule_check(h, cmd->chain, cmd->table, +- cmd->obj.rule, cmd->rulenum); ++ cmd->obj.rule, cmd->verbose); + break; + case NFT_COMPAT_RULE_ZERO: + ret = nft_rule_zero_counters(h, cmd->chain, cmd->table, +-- +2.33.0 + diff --git a/SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch b/SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch new file mode 100644 index 0000000..3b6b62f --- /dev/null +++ b/SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch 
@@ -0,0 +1,39 @@ +From 5d5c82f9bbdc8326132333f7713dfb5d457aafab Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 3 Aug 2021 11:32:34 +0200 +Subject: [PATCH] tests/shell: Assert non-verbose mode is silent + +Unexpected output from iptables commands might mess up error-checking in +scripts for instance, so do a quick test of the most common commands. + +Note: Test adds two rules to make sure flush command operates on a +non-empty chain. + +Signed-off-by: Phil Sutter +(cherry picked from commit 8629c53f933a16f1d68d19fb163c879453a3dcf2) +--- + .../shell/testcases/iptables/0002-verbose-output_0 | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 +index b1ef91f61f481..5d2af4c8d2ab2 100755 +--- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 ++++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 +@@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar) + diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar) + + diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar) ++ ++# make sure non-verbose mode is silent ++diff -u <(echo -n "") <( ++ $XT_MULTI iptables -N foobar ++ $XT_MULTI iptables -A foobar $RULE1 ++ $XT_MULTI iptables -A foobar $RULE2 ++ $XT_MULTI iptables -C foobar $RULE1 ++ $XT_MULTI iptables -D foobar $RULE2 ++ $XT_MULTI iptables -F foobar ++ $XT_MULTI iptables -X foobar ++) +-- +2.33.0 + diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index f0fb732..b5a012f 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec 
@@ -16,7 +16,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.7 -Release: 23%{?dist} +Release: 26%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -48,6 +48,11 @@ Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch Patch17: 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch Patch18: 0018-nft-cache-Sort-chains-on-demand-only.patch Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch +Patch20: 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch +Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch +Patch22: 0022-ebtables-Dump-atomic-waste.patch +Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch +Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch # pf.os: ISC license # iptables-apply: Artistic 2.0 @@ -184,6 +189,7 @@ a safer way to update iptables remotely. Summary: nftables compatibility for iptables, arptables and ebtables Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires(post): %{_sbindir}/update-alternatives +Requires(post): %{_bindir}/readlink Requires(postun): %{_sbindir}/update-alternatives Provides: arptables-helper Provides: iptables @@ -462,6 +468,18 @@ fi %ghost %{_mandir}/man8/ebtables.8.gz %changelog +* Mon Oct 11 2021 Phil Sutter - 1.8.7-26 +- tests/shell: Assert non-verbose mode is silent +- nft: Fix for non-verbose check command + +* Wed Oct 06 2021 Phil Sutter - 1.8.7-25 +- ebtables: Dump atomic waste +- doc: ebtables-nft.8: Adjust for missing atomic-options +- nft: Use xtables_malloc() in mnl_err_list_node_add() + +* Fri Oct 01 2021 Phil Sutter - 1.8.7-24 +- Add missing readlink required for iptables-nft(post) + * Mon Aug 09 2021 Mohan Boddu - 1.8.7-23 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688
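Review bot: in the iptables/nft.c hunk of 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch, the commit message should say what xtables_malloc() does when allocation fails, because the lines right after the change (`err->seqnum = seqnum;`) still dereference `err` unconditionally; the change is only a fix because the wrapper reports the error and exits rather than returning NULL, and stating that makes the intent reviewable without reading libxtables.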
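Review bot: the last hunk of 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch lists the four atomic options in BUGS, but the earlier hunk that drops the ENVIRONMENT VARIABLES section leaves no hint that `EBTABLES_ATOMIC_FILE` is now ignored; a script that still exports it gets no diagnostic, so suggest extending the BUGS sentence with something like `.IR EBTABLES_ATOMIC_FILE " is likewise ignored."` While the file is being touched, the pre-existing `.SS MISCELLANOUS COMMANDS` typo in the context lines could be corrected to MISCELLANEOUS.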
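Review bot: in the print_help() hunk of 0022-ebtables-Dump-atomic-waste.patch, removing `"--atomic-file file : set to file\n\n"` also removes the blank line that separated the command list from the `Options:` header, because the `\n\n` lived on that line; keep the separation by changing the preceding line to `"--delete-chain -X [chain] : delete a user defined chain\n\n"`.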
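Review bot: the nft_prepare() hunk of 0023-nft-Fix-for-non-verbose-check-command.patch is a one-token fix (`cmd->rulenum` to `cmd->verbose`) that the compiler could not have caught since an int field converts silently to a flag argument, so it should not ship without a regression test; the 0024 test in this same import exercises `-C` in non-verbose mode, and the changelog entry for 1.8.7-26 lists both patches together, which is the right pairing.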
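Review bot: in the new hunk of 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch, the process substitution captures only stdout and discards every command's exit status, so a command that fails (for example `-C foobar $RULE1` not matching, or `-X foobar` on a non-empty chain) prints to stderr and the `diff -u` still passes; redirect with `2>&1` inside the substitution and chain the commands with `&&` (or `set -e` inside the subshell) so a failing command fails the test. `<(echo -n "")` can also be written `<(:)` to avoid relying on `echo -n`.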
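Review bot: the SPECS/iptables.spec hunk declares Patch20 through Patch24 but no corresponding `%patch` lines appear anywhere in this diff; if `%prep` uses `%autosetup` or `%autopatch` this is fine, otherwise the five patches are declared but never applied and the 1.8.7-25 and 1.8.7-26 changelog entries would describe changes that are not in the built package. Confirm which it is in the commit message.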