diff --git a/SOURCES/nfnl_osf-Fix-broken-conversion-to-nfnl_query.patch b/SOURCES/nfnl_osf-Fix-broken-conversion-to-nfnl_query.patch
new file mode 100644
index 0000000..fe962d3
--- /dev/null
+++ b/SOURCES/nfnl_osf-Fix-broken-conversion-to-nfnl_query.patch
@@ -0,0 +1,51 @@
+From 6b1bb9a978297aee15d53e31b5723972aa8bb7ed Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 19 May 2020 11:15:30 +0200
+Subject: [RHEL7.9 net 1/2] nfnl_osf: Fix broken conversion to nfnl_query()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1829820
+Upstream Status: iptables commit c8332553caf48
+
+commit c8332553caf48132403895bae750b3cd09a2efd8
+Author: Phil Sutter
+Date: Sat May 9 13:36:49 2020 +0200
+
+ nfnl_osf: Fix broken conversion to nfnl_query()
+
+ Due to missing NLM_F_ACK flag in request, nfnetlink code in kernel
+ didn't create an own ACK message but left it upon subsystem to ACK or
+ not. Since nfnetlink_osf doesn't ACK by itself, nfnl_query() got stuck
+ waiting for a reply.
+
+ Whoever did the conversion from deprecated nfnl_talk() obviously didn't
+ even test basic functionality of the tool.
+
+ Fixes: 52aa15098ebd6 ("nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ utils/nfnl_osf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
+index 9a9fbe1268155..d726e0a6f1cf9 100644
+--- a/utils/nfnl_osf.c
++++ b/utils/nfnl_osf.c
+@@ -375,9 +375,11 @@ static int osf_load_line(char *buffer, int len, int del)
+ memset(buf, 0, sizeof(buf));
+
+ if (del)
+- nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE, NLM_F_REQUEST);
++ nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE,
++ NLM_F_ACK | NLM_F_REQUEST);
+ else
+- nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD, NLM_F_REQUEST | NLM_F_CREATE);
++ nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD,
++ NLM_F_ACK | NLM_F_REQUEST | NLM_F_CREATE);
+
+ nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger));
+
+--
+2.26.2
+
diff --git a/SOURCES/nfnl_osf-Improve-error-handling.patch b/SOURCES/nfnl_osf-Improve-error-handling.patch
new file mode 100644
index 0000000..dafc54e
--- /dev/null
+++ b/SOURCES/nfnl_osf-Improve-error-handling.patch
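Review bot: The OSF_MSG_ADD request on the new `NLM_F_ACK | NLM_F_REQUEST | NLM_F_CREATE` line still omits NLM_F_EXCL, so now that the kernel actually ACKs the request, a fingerprint that is already present in the kernel table is accepted silently instead of being bounced back as an error (the follow-up patch's own description notes the duplicates "would bounce if NLM_F_EXCL was given"). If loading is meant to surface duplicate pf.os entries, the flags line would become `NLM_F_ACK | NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL`; if silently tolerating duplicates is the intended contract, a comment such as `/* no NLM_F_EXCL: an already-present fingerprint is accepted, not reported */` above the call would record that choice for the next reader. Either way the decision is invisible from the code as written. osf_load_line begins and ends outside this hunk.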
@@ -0,0 +1,89 @@
+From 4dceb905dfda4a34dfcb0ad3d010d77acd43981d Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 19 May 2020 11:15:30 +0200
+Subject: [RHEL7.9 net 2/2] nfnl_osf: Improve error handling
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1829820
+Upstream Status: iptables commit 3e09bd1888575
+
+commit 3e09bd1888575cfec136574d2b0e810ba33f1cfb
+Author: Phil Sutter
+Date: Sat May 9 13:42:56 2020 +0200
+
+ nfnl_osf: Improve error handling
+
+ For some error cases, no log message was created - hence apart from the
+ return code there was no indication of failing execution.
+
+ If a line load fails, don't abort but continue with the remaining
+ file contents. The current pf.os file in this repository serves as
+ proof-of-concept:
+
+ Lines 700 and 701: Duplicates of lines 698 and 699 because 'W*' and 'W0'
+ parse into the same data.
+
+ Line 704: Duplicate of line 702 because apart from 'W*' and 'W0', only
+ the first three fields on right-hand side are sent to the kernel.
+
+ When loading, these dups are ignored (they would bounce if NLM_F_EXCL
+ was given). Upon deletion, they cause ENOENT response from kernel. In
+ order to align duplicate-tolerance in both modes, just ignore that
+ ENOENT.
+
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ utils/nfnl_osf.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
+index d726e0a6f1cf9..73fb29e7099b6 100644
+--- a/utils/nfnl_osf.c
++++ b/utils/nfnl_osf.c
+@@ -389,7 +389,7 @@ static int osf_load_line(char *buffer, int len, int del)
+ static int osf_load_entries(char *path, int del)
+ {
+ FILE *inf;
+- int err = 0;
++ int err = 0, lineno = 0;
+ char buf[1024];
+
+ inf = fopen(path, "r");
+@@ -399,7 +399,9 @@ static int osf_load_entries(char *path, int del)
+ }
+
+ while(fgets(buf, sizeof(buf), inf)) {
+- int len;
++ int len, rc;
++
++ lineno++;
+
+ if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r')
+ continue;
+@@ -411,9 +413,11 @@ static int osf_load_entries(char *path, int del)
+
+ buf[len] = '\0';
+
+- err = osf_load_line(buf, len, del);
+- if (err)
+- break;
++ rc = osf_load_line(buf, len, del);
++ if (rc && (!del || errno != ENOENT)) {
++ ulog_err("Failed to load line %d", lineno);
++ err = rc;
++ }
+
+ memset(buf, 0, sizeof(buf));
+ }
+@@ -445,6 +449,7 @@ int main(int argc, char *argv[])
+
+ if (!fingerprints) {
+ err = -ENOENT;
++ ulog("Missing fingerprints file argument.\n");
+ goto err_out_exit;
+ }
+
+--
+2.26.2
+
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index 59c05bc..b0775c6 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@@ -7,7 +7,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities Version: 1.4.21 -Release: 34%{?dist} +Release: 35%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config
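Review bot: The new `lineno++` counts fgets() calls rather than physical lines, so with `char buf[1024]` any pf.os line of 1023 bytes or more is delivered in two chunks, each parsed as its own entry and handed to the kernel, and every "Failed to load line %d" message after it reports a number that is off by one or more. After incrementing lineno I would check for a missing trailing newline (strchr, like the memset() already used here, is a <string.h> routine) and drain the rest of the line with a diagnostic instead of parsing a truncated fingerprint, as sketched below. The `errno != ENOENT` test is also somewhat fragile: errno is inspected only after osf_load_line() returns, and if its body (not in this hunk) does anything between the failing nfnl_query() and the return, the value may no longer belong to that call — returning a negative errno from osf_load_line() and comparing `rc != -ENOENT` would be more robust. osf_load_entries starts and ends outside this hunk.
```c
	while(fgets(buf, sizeof(buf), inf)) {
		int len, rc;

		lineno++;

		/* fgets() stops after sizeof(buf)-1 bytes; if no newline arrived
		 * (and this is not an unterminated last line), discard the rest
		 * of the physical line so it is neither parsed as a second entry
		 * nor counted as one. */
		if (!strchr(buf, '\n') && !feof(inf)) {
			int c;

			while ((c = fgetc(inf)) != EOF && c != '\n')
				;
			ulog("Line %d too long, skipped.\n", lineno);
			err = -EINVAL;
			continue;
		}

		/* … unchanged: comment/blank skip, length trim, osf_load_line() call … */
```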
@@ -77,6 +77,8 @@ Patch57: iptables-xml-fix-segfault-if-missing-space-after-A.patch Patch58: man-iptables-save-Add-note-about-module-autoloading.patch Patch59: xtables-restore-Fix-table-parameter-check.patch Patch60: xtables-restore-Unbreak-tables-restore.patch +Patch61: nfnl_osf-Fix-broken-conversion-to-nfnl_query.patch +Patch62: nfnl_osf-Improve-error-handling.patch Group: System Environment/Base URL: http://www.netfilter.org/ @@ -306,6 +308,9 @@ done %changelog +* Tue May 19 2020 Phil Sutter - 1.4.21-35 +- Unbreak nfnl_osf tool and fix duplicate entries handling (RHBZ#1829820) + * Wed Oct 23 2019 Phil Sutter - 1.4.21-34 - Fix iptables-restore for rules with '-' and 't' in comments (RHBZ#1749700) - Make services start before network-pre.target is reached (RHBZ#1736765)