diff --git a/.gitignore b/.gitignore index 0221a1e..7cd0180 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/iptables-1.8.8.tar.bz2 +SOURCES/iptables-1.8.10.tar.xz diff --git a/.iptables.metadata b/.iptables.metadata index 1065d12..9475c38 100644 --- a/.iptables.metadata +++ b/.iptables.metadata @@ -1 +1 @@ -98783621a5e58ff55f83b1350523f3de41af621d SOURCES/iptables-1.8.8.tar.bz2 +ddbebf81eacbf900dc6dd4ed409353930397e0c2 SOURCES/iptables-1.8.10.tar.xz diff --git a/SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch b/SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch index cdffca9..07221d2 100644 --- a/SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch +++ b/SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch @@ -1,9 +1,14 @@ -From 7ef75f20c338d0f09b50633aa0d5d83c868015ab Mon Sep 17 00:00:00 2001 +From 2abc07c47189b26fce16f4751a96f747fa53fc0f Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 17 Jun 2021 18:44:28 +0200 Subject: [PATCH] doc: Add deprecation notices to all relevant man pages +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945151 +Upstream Status: RHEL-only + This is RHEL9 trying to friendly kick people towards nftables. + +Signed-off-by: Phil Sutter --- iptables/arptables-nft-restore.8 | 13 ++++++++++++- iptables/arptables-nft-save.8 | 14 +++++++++++++- @@ -18,7 +23,7 @@ This is RHEL9 trying to friendly kick people towards nftables. 10 files changed, 142 insertions(+), 7 deletions(-) diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 -index 09d9082cf9fd3..b1bf02998f9cc 100644 +index 09d9082..b1bf029 100644 --- a/iptables/arptables-nft-restore.8 +++ b/iptables/arptables-nft-restore.8 @@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based) @@ -47,7 +52,7 @@ index 09d9082cf9fd3..b1bf02998f9cc 100644 +\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8) .PP 
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8 -index 905e59854cc28..49bb0f6260f2f 100644 +index 905e598..49bb0f6 100644 --- a/iptables/arptables-nft-save.8 +++ b/iptables/arptables-nft-save.8 @@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based) @@ -77,7 +82,7 @@ index 905e59854cc28..49bb0f6260f2f 100644 +\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8) .PP diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 -index ea31e0842acd4..ec5b993a41e8b 100644 +index ea31e08..ec5b993 100644 --- a/iptables/arptables-nft.8 +++ b/iptables/arptables-nft.8 @@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based) @@ -116,7 +121,7 @@ index ea31e0842acd4..ec5b993a41e8b 100644 .PP .BR "" "See " https://wiki.nftables.org diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 -index d75aae240bc05..ed1bf8f2db55b 100644 +index 0304b50..cfd617a 100644 --- a/iptables/ebtables-nft.8 +++ b/iptables/ebtables-nft.8 @@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based) @@ -139,7 +144,7 @@ index d75aae240bc05..ed1bf8f2db55b 100644 .B ebtables is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect -@@ -1069,6 +1082,6 @@ has not been implemented, although +@@ -1083,6 +1096,6 @@ has not been implemented, although might replace them entirely given the inherent atomicity of nftables. Finally, this list is probably not complete. .SH SEE ALSO @@ -148,7 +153,7 @@ index d75aae240bc05..ed1bf8f2db55b 100644 .PP .BR "" "See " https://wiki.nftables.org diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in -index f0ed4e5f8d450..7f99a21ed2b61 100644 +index f0ed4e5..7f99a21 100644 --- a/iptables/iptables-apply.8.in +++ b/iptables/iptables-apply.8.in @@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely 
@@ -180,7 +185,7 @@ index f0ed4e5f8d450..7f99a21ed2b61 100644 .PP Original iptables-apply - Copyright 2006 Martin F. Krafft . diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in -index 99d89a1fe44ad..73d40bbfe9c52 100644 +index 99d89a1..73d40bb 100644 --- a/iptables/iptables-extensions.8.tmpl.in +++ b/iptables/iptables-extensions.8.tmpl.in @@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio @@ -205,12 +210,12 @@ index 99d89a1fe44ad..73d40bbfe9c52 100644 iptables can use extended packet matching modules with the \fB\-m\fP or \fB\-\-match\fP diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in -index 20216842d8358..8f4811c72f2ec 100644 +index aa816f7..353d4dc 100644 --- a/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in @@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables - [\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP] - [\fBfile\fP] + [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP] + [\fIfile\fP] .SH DESCRIPTION +These tools are +.B deprecated @@ -228,11 +233,11 @@ index 20216842d8358..8f4811c72f2ec 100644 .PP .B iptables-restore and -@@ -81,7 +94,9 @@ from Rusty Russell. +@@ -82,7 +95,9 @@ from Rusty Russell. .br Andras Kis-Szabo contributed ip6tables-restore. .SH SEE ALSO --\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8) +-\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8) +\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8), +\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8), +\fBip6tables\-restore\-translate\fP(8) @@ -240,7 +245,7 @@ index 20216842d8358..8f4811c72f2ec 100644 The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the 
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in -index 7683fd3780f72..6fe50b2d446e5 100644 +index 65c1f28..d47be27 100644 --- a/iptables/iptables-save.8.in +++ b/iptables/iptables-save.8.in @@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules @@ -262,18 +267,18 @@ index 7683fd3780f72..6fe50b2d446e5 100644 .B iptables-save and .B ip6tables-save -@@ -62,7 +74,8 @@ Rusty Russell +@@ -66,7 +78,8 @@ Rusty Russell .br Andras Kis-Szabo contributed ip6tables-save. .SH SEE ALSO --\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8) -+\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8), +-\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8) ++\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8), +\fBnft\fP(8) .PP The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in -index 627ff0e4da7a4..a8b31206d45b2 100644 +index ecaa555..4c4a15a 100644 --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in @@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP] @@ -297,7 +302,7 @@ index 627ff0e4da7a4..a8b31206d45b2 100644 \fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables -@@ -447,6 +461,9 @@ There are several other changes in iptables. +@@ -455,6 +469,9 @@ There are several other changes in iptables. \fBiptables\-save\fP(8), \fBiptables\-restore\fP(8), \fBiptables\-extensions\fP(8), @@ -308,7 +313,7 @@ index 627ff0e4da7a4..a8b31206d45b2 100644 The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in -index a7f22c0d8c08e..e21d7ff23035f 100644 +index a7f22c0..e21d7ff 100644 
--- a/iptables/xtables-monitor.8.in +++ b/iptables/xtables-monitor.8.in @@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events @@ -329,6 +334,3 @@ index a7f22c0d8c08e..e21d7ff23035f 100644 .PP .B xtables-monitor is used to monitor changes to the ruleset or to show rule evaluation events --- -2.34.1 - diff --git a/SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch b/SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch index e432d7a..5086dc5 100644 --- a/SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch +++ b/SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch @@ -1,18 +1,23 @@ -From 231626933e5fd54b8d9e66dfc9a8a374a9192121 Mon Sep 17 00:00:00 2001 +From 4388fad6c3874a3861907734f9a6368cfd0a731c Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 16 Jul 2021 21:51:49 +0200 Subject: [PATCH] extensions: SECMARK: Use a better context in test case +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047558 +Upstream Status: RHEL-only + RHEL SELinux policies don't allow setting system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has 'packet_type' attribute (identified via 'seinfo -xt | grep packet_type'). + +Signed-off-by: Phil Sutter --- extensions/libxt_SECMARK.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t -index 39d4c09348bf4..295e7a7244902 100644 +index 39d4c09..295e7a7 100644 --- a/extensions/libxt_SECMARK.t +++ b/extensions/libxt_SECMARK.t @@ -1,4 +1,4 @@ @@ -21,6 +26,3 @@ index 39d4c09348bf4..295e7a7244902 100644 --j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK +-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK -j SECMARK;;FAIL --- -2.34.1 - diff --git a/SOURCES/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch b/SOURCES/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch new file mode 100644 index 0000000..9b28f86 
--- /dev/null +++ b/SOURCES/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch @@ -0,0 +1,73 @@ +From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 7 Nov 2023 23:44:55 +0100 +Subject: [PATCH] ebtables: Fix corner-case noflush restore bug + +JIRA: https://issues.redhat.com/browse/RHEL-14147 +Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8 + +commit c1083acea70787eea3f7929fd04718434bb05ba8 +Author: Phil Sutter +Date: Tue Nov 7 19:12:14 2023 +0100 + + ebtables: Fix corner-case noflush restore bug + + Report came from firwalld, but this is actually rather hard to trigger. + Since a regular chain line prevents it, typical dump/restore use-cases + are unaffected. + + Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation") + Cc: Eric Garver + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + .../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++ + iptables/xtables-eb.c | 2 ++ + 2 files changed, 27 insertions(+) + create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 + +diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 +new file mode 100755 +index 0000000..0def0ac +--- /dev/null ++++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 +@@ -0,0 +1,25 @@ ++#!/bin/sh ++# ++# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring: ++# - with --noflush ++# - a second table after the broute one ++# - A policy command but no chain line for BROUTING chain ++ ++set -e ++ ++case "$XT_MULTI" in ++*xtables-nft-multi) ++ ;; ++*) ++ echo "skip $XT_MULTI" ++ exit 0 ++ ;; ++esac ++ ++$XT_MULTI ebtables-restore --noflush < -Date: Fri, 13 May 2022 16:51:58 +0200 -Subject: [PATCH] xshared: Fix build for -Werror=format-security - -Gcc complains about the omitted format string. - -Signed-off-by: Phil Sutter -(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a) ---- - iptables/xshared.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/iptables/xshared.c b/iptables/xshared.c -index fae5ddd5df93e..a8512d3808154 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg) - return; - - if (args->family != NFPROTO_ARP) -- xtables_error(PARAMETER_PROBLEM, msg); -+ xtables_error(PARAMETER_PROBLEM, "%s", msg); - - fprintf(stderr, "%s", msg); - } --- -2.34.1 - diff --git a/SOURCES/0004-nft-Fix-for-broken-recover_rule_compat.patch b/SOURCES/0004-nft-Fix-for-broken-recover_rule_compat.patch new file mode 100644 index 0000000..fb7e80e --- /dev/null +++ b/SOURCES/0004-nft-Fix-for-broken-recover_rule_compat.patch 
@@ -0,0 +1,99 @@
+From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 22 May 2024 18:26:58 +0200
+Subject: [PATCH] nft: Fix for broken recover_rule_compat()
+
+JIRA: https://issues.redhat.com/browse/RHEL-26619
+Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
+
+commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
+Author: Phil Sutter
+Date: Tue Feb 27 18:47:39 2024 +0100
+
+ nft: Fix for broken recover_rule_compat()
+
+ When IPv4 rule generator was changed to emit payload instead of
+ meta expressions for l4proto matches, the code reinserting
+ NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
+ zeroing was broken by accident.
+
+ Make rule compat recovery aware of the alternative match, basically
+ reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
+ with NFTA_RULE_COMPAT") but add a test case this time to make sure
+ things stay intact.
+
+ Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
+ 
Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ iptables/nft.c | 27 ++++++++++++++++---
+ .../nft-only/0011-zero-needs-compat_0 | 12 +++++++++
+ 2 files changed, 35 insertions(+), 4 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 97fd4f4..c4caf29 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
+ return strerror(err);
+ }
+
++static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
++{
++ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
++ uint32_t poff = offsetof(struct iphdr, protocol);
++ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
++
++ if (!strcmp(name, "payload") &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
++ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
++ return 0;
++ }
++ if (!strcmp(name, "meta") &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
++ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
++ return 0;
++ }
++ return -1;
++}
++
+ static int recover_rule_compat(struct nftnl_rule *r)
+ {
+ struct nftnl_expr_iter *iter;
+@@ -3695,12 +3716,10 @@ next_expr:
+ if (!e)
+ goto out;
+
+- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
+- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
++ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */
++ if (l4proto_expr_get_dreg(e, ®) < 0)
+ goto next_expr;
+
+- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
+-
+ e = nftnl_expr_iter_next(iter);
+ if (!e)
+ goto out;
+diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+new file mode 100755
+index 0000000..e276a95
+--- /dev/null
++++ 
b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+@@ -0,0 +1,12 @@
++#!/bin/bash
++
++[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
++
++set -e
++
++rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
++for cmd in iptables ip6tables; do
++ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
++ $XT_MULTI $cmd -t mangle -Z
++ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
++done
diff --git a/SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch b/SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
deleted file mode 100644
index 1994bff..0000000
--- a/SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
+++ /dev/null
@@ -1,61 +0,0 @@ -From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 2 Jun 2022 13:44:45 +0200 -Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore - -Some repeated calls have been reduced recently, assert this in a test -evaluating strace output. - -Signed-off-by: Phil Sutter -(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1) ---- - .../shell/testcases/ipt-save/0007-overhead_0 | 37 +++++++++++++++++++ - 1 file changed, 37 insertions(+) - create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0 - -diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 -new file mode 100755 -index 0000000000000..b86d71f209471 ---- /dev/null -+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 -@@ -0,0 +1,37 @@ -+#!/bin/bash -+ -+# Test recent performance improvements in iptables-save due to reduced -+# overhead. -+ -+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; } -+ -+RULESET=$( -+ echo "*filter" -+ for ((i = 0; i < 100; i++)); do -+ echo ":mychain$i -" -+ echo "-A FORWARD -p tcp --dport 22 -j mychain$i" -+ done -+ echo "COMMIT" -+) -+ -+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null) -+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null) -+ -+do_grep() { # (name, threshold, pattern) -+ local cnt=$(grep -c "$3") -+ [[ $cnt -le $2 ]] && return 0 -+ echo "ERROR: Too many $3 lookups for $1: $cnt > $2" -+ exit 1 -+} -+ -+# iptables prefers hard-coded protocol names instead of looking them up first -+ -+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE" -+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE" -+ -+# iptables-nft-save pointlessly checked whether chain jumps are targets -+ -+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE" -+do_grep "$XT_MULTI 
iptables-save" 10 libxt_ <<< "$SAVE_STRACE" -+ -+exit 0 --- -2.34.1 - diff --git a/SOURCES/0005-arptables-Support-x-exact-flag.patch b/SOURCES/0005-arptables-Support-x-exact-flag.patch deleted file mode 100644 index 98c11b8..0000000 --- a/SOURCES/0005-arptables-Support-x-exact-flag.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 5d197a9a4c0f456243894aea4b5fd059ecf6c402 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 7 Jun 2022 18:07:00 +0200 -Subject: [PATCH] arptables: Support -x/--exact flag - -Legacy arptables accepts but ignores the flag. Yet there are remains of -the functionality in sources, like OPT_EXPANDED define and a print_num() -function which acts on FMT_KILOMEGAGIGA flag being set or not. So -instead of mimicking legacy behaviour by explicitly ignoring -x flag for -arptables, just enable the feature for it. - -Signed-off-by: Phil Sutter -(cherry picked from commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0) ---- - iptables/xshared.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/iptables/xshared.h b/iptables/xshared.h -index 14568bb00fb65..a50c8b7298072 100644 ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -69,7 +69,7 @@ struct xtables_target; - - #define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:" - #define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x" --#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */ -+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */ - #define EBT_OPTSTRING OPTSTRING_COMMON "hv" - - /* define invflags which won't collide with IPT ones */ --- -2.34.1 - diff --git a/SOURCES/0005-extensions-libxt_sctp-Add-an-extra-assert.patch b/SOURCES/0005-extensions-libxt_sctp-Add-an-extra-assert.patch new file mode 100644 index 0000000..47fe875 --- /dev/null +++ b/SOURCES/0005-extensions-libxt_sctp-Add-an-extra-assert.patch 
@@ -0,0 +1,43 @@
+From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 12 Jun 2024 22:49:48 +0200
+Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
+
+JIRA: https://issues.redhat.com/browse/RHEL-40928
+Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
+
+commit 0234117d24609070f08ef36a11795c3c8e4c19bf
+Author: Phil Sutter
+Date: Fri May 17 15:20:05 2024 +0200
+
+ extensions: libxt_sctp: Add an extra assert()
+
+ The code is sane, but this keeps popping up in static code analyzers.
+
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ extensions/libxt_sctp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index 6e2b274..e8312f0 100644
+--- a/extensions/libxt_sctp.c
++++ b/extensions/libxt_sctp.c
+@@ -7,6 +7,7 @@
+ * libipt_ecn.c borrowed heavily from libipt_dscp.c
+ *
+ */
++#include
+ #include
+ #include
+ #include
+@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
+
+ for (i = 7; i >= 0; i--) {
+ if (chunk_flags_mask & (1 << i)) {
++ assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
+ if (chunk_flags & (1 << i)) {
+ printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
+ } else {
diff --git a/SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch b/SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
deleted file mode 100644
index f76f38d..0000000
--- a/SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 30 Jun 2022 18:04:39 +0200 -Subject: [PATCH] libxtables: Fix unsupported extension warning corner case - -Some extensions are not supported in revision 0 by user space anymore, -for those the warning in xtables_compatible_revision() does not print as -no revision 0 is tried. - -To fix this, one has to track if none of the user space supported -revisions were accepted by the kernel. Therefore add respective logic to -xtables_find_{target,match}(). - -Note that this does not lead to duplicated warnings for unsupported -extensions that have a revision 0 because xtables_compatible_revision() -returns true for them to allow for extension's help output. - -For the record, these ip6tables extensions are affected: set/SET, -socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected -for both families. - -Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions") -Signed-off-by: Phil Sutter -(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37) ---- - libxtables/xtables.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/libxtables/xtables.c b/libxtables/xtables.c -index 96fd783a066cf..7abc63bcfd83e 100644 ---- a/libxtables/xtables.c -+++ b/libxtables/xtables.c -@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, - struct xtables_match *ptr; - const char *icmp6 = "icmp6"; - bool found = false; -+ bool seen = false; - - if (strlen(name) >= XT_EXTENSION_MAXNAMELEN) - xtables_error(PARAMETER_PROBLEM, -@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, - if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { - ptr = *dptr; - *dptr = (*dptr)->next; -+ seen = true; - if (!found && - xtables_fully_register_pending_match(ptr, prev)) { - found = true; -@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum 
xtables_tryload tryload, - dptr = &((*dptr)->next); - } - -+ if (seen && !found) -+ fprintf(stderr, -+ "Warning: Extension %s is not supported, missing kernel module?\n", -+ name); -+ - for (ptr = xtables_matches; ptr; ptr = ptr->next) { - if (extension_cmp(name, ptr->name, ptr->family)) { - struct xtables_match *clone; -@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) - struct xtables_target **dptr; - struct xtables_target *ptr; - bool found = false; -+ bool seen = false; - - /* Standard target? */ - if (strcmp(name, "") == 0 -@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) - if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { - ptr = *dptr; - *dptr = (*dptr)->next; -+ seen = true; - if (!found && - xtables_fully_register_pending_target(ptr, prev)) { - found = true; -@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) - dptr = &((*dptr)->next); - } - -+ if (seen && !found) -+ fprintf(stderr, -+ "Warning: Extension %s is not supported, missing kernel module?\n", -+ name); -+ - for (ptr = xtables_targets; ptr; ptr = ptr->next) { - if (extension_cmp(name, ptr->name, ptr->family)) { - struct xtables_target *clone; --- -2.34.1 - diff --git a/SOURCES/0007-nft-fix-ebtables-among-match-when-mac-ip-addresses-a.patch b/SOURCES/0007-nft-fix-ebtables-among-match-when-mac-ip-addresses-a.patch deleted file mode 100644 index d357e53..0000000 --- a/SOURCES/0007-nft-fix-ebtables-among-match-when-mac-ip-addresses-a.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From f24d2449693558d3fbf2a8313a7eb65ecf25f6af Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Tue, 2 Aug 2022 14:52:30 +0200 -Subject: [PATCH] nft: fix ebtables among match when mac+ip addresses are used - -When matching mac and ip addresses, the ip address needs to be placed -into then 2nd 32bit register, the switch to dynamic register allocation -instead re-uses reg1, this partially clobbers the mac address, so -set lookup comes up empty even though it should find a match. - -Fixes: 7e38890c6b4fb ("nft: prepare for dynamic register allocation") -Reported-by: Yi Chen -Signed-off-by: Florian Westphal -(cherry picked from commit 2ba74d421cd622757df7a93720afc3b5b4b3b4e0) ---- - iptables/nft.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/iptables/nft.c b/iptables/nft.c -index ec79f2bc5e98b..ee003511ab7f3 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -1208,8 +1208,8 @@ static int __add_nft_among(struct nft_handle *h, const char *table, - nftnl_rule_add_expr(r, e); - - if (ip) { -- e = gen_payload(h, NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst], -- sizeof(struct in_addr), ®); -+ e = __gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst], -+ sizeof(struct in_addr), NFT_REG32_02); - if (!e) - return -ENOMEM; - nftnl_rule_add_expr(r, e); --- -2.38.0 - diff --git a/SOURCES/0008-nft-un-break-among-match-with-concatenation.patch b/SOURCES/0008-nft-un-break-among-match-with-concatenation.patch deleted file mode 100644 index 021d17e..0000000 --- a/SOURCES/0008-nft-un-break-among-match-with-concatenation.patch +++ /dev/null 
@@ -1,958 +0,0 @@ -From 22e12e53b1378f0e3da23ea298dda59985d5b99b Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Thu, 22 Sep 2022 13:33:50 +0200 -Subject: [PATCH] nft: un-break among match with concatenation - -The kernel commit 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags") -breaks ebtables-nft 'among' emulation, it sets NFTA_SET_ELEM_KEY_END but -doesn't set the CONCAT flag. - -Update uapi header and also set CONCAT. - -Signed-off-by: Florian Westphal -(cherry picked from commit 32efb4ffc33ae874b3f26f3380e2184ad6ceb26f) ---- - include/linux/netfilter/nf_tables.h | 483 +++++++++++++++++++++++++++- - iptables/nft.c | 2 +- - 2 files changed, 476 insertions(+), 9 deletions(-) - -diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h -index 66dceee0ae307..e94d1fa554cb2 100644 ---- a/include/linux/netfilter/nf_tables.h -+++ b/include/linux/netfilter/nf_tables.h -@@ -8,6 +8,7 @@ - #define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN - #define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN - #define NFT_USERDATA_MAXLEN 256 -+#define NFT_OSF_MAXGENRELEN 16 - - /** - * enum nft_registers - nf_tables registers -@@ -47,6 +48,7 @@ enum nft_registers { - - #define NFT_REG_SIZE 16 - #define NFT_REG32_SIZE 4 -+#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1) - - /** - * enum nft_verdicts - nf_tables internal verdicts -@@ -131,7 +133,7 @@ enum nf_tables_msg_types { - * @NFTA_LIST_ELEM: list element (NLA_NESTED) - */ - enum nft_list_attributes { -- NFTA_LIST_UNPEC, -+ NFTA_LIST_UNSPEC, - NFTA_LIST_ELEM, - __NFTA_LIST_MAX - }; -@@ -143,12 +145,14 @@ enum nft_list_attributes { - * @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32) - * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32) - * @NFTA_HOOK_DEV: netdevice name (NLA_STRING) -+ * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED) - */ - enum nft_hook_attributes { - NFTA_HOOK_UNSPEC, - NFTA_HOOK_HOOKNUM, - NFTA_HOOK_PRIORITY, - NFTA_HOOK_DEV, -+ 
NFTA_HOOK_DEVS, - __NFTA_HOOK_MAX - }; - #define NFTA_HOOK_MAX (__NFTA_HOOK_MAX - 1) -@@ -160,7 +164,10 @@ enum nft_hook_attributes { - */ - enum nft_table_flags { - NFT_TABLE_F_DORMANT = 0x1, -+ NFT_TABLE_F_OWNER = 0x2, - }; -+#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \ -+ NFT_TABLE_F_OWNER) - - /** - * enum nft_table_attributes - nf_tables table netlink attributes -@@ -168,6 +175,8 @@ enum nft_table_flags { - * @NFTA_TABLE_NAME: name of the table (NLA_STRING) - * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32) - * @NFTA_TABLE_USE: number of chains in this table (NLA_U32) -+ * @NFTA_TABLE_USERDATA: user data (NLA_BINARY) -+ * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32) - */ - enum nft_table_attributes { - NFTA_TABLE_UNSPEC, -@@ -176,10 +185,21 @@ enum nft_table_attributes { - NFTA_TABLE_USE, - NFTA_TABLE_HANDLE, - NFTA_TABLE_PAD, -+ NFTA_TABLE_USERDATA, -+ NFTA_TABLE_OWNER, - __NFTA_TABLE_MAX - }; - #define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1) - -+enum nft_chain_flags { -+ NFT_CHAIN_BASE = (1 << 0), -+ NFT_CHAIN_HW_OFFLOAD = (1 << 1), -+ NFT_CHAIN_BINDING = (1 << 2), -+}; -+#define NFT_CHAIN_FLAGS (NFT_CHAIN_BASE | \ -+ NFT_CHAIN_HW_OFFLOAD | \ -+ NFT_CHAIN_BINDING) -+ - /** - * enum nft_chain_attributes - nf_tables chain netlink attributes - * -@@ -191,6 +211,9 @@ enum nft_table_attributes { - * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32) - * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING) - * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes) -+ * @NFTA_CHAIN_FLAGS: chain flags -+ * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32) -+ * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY) - */ - enum nft_chain_attributes { - NFTA_CHAIN_UNSPEC, -@@ -203,6 +226,9 @@ enum nft_chain_attributes { - NFTA_CHAIN_TYPE, - NFTA_CHAIN_COUNTERS, - NFTA_CHAIN_PAD, -+ NFTA_CHAIN_FLAGS, -+ NFTA_CHAIN_ID, -+ NFTA_CHAIN_USERDATA, - __NFTA_CHAIN_MAX 
- }; - #define NFTA_CHAIN_MAX (__NFTA_CHAIN_MAX - 1) -@@ -218,6 +244,7 @@ enum nft_chain_attributes { - * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) - * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN) - * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32) -+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32) - */ - enum nft_rule_attributes { - NFTA_RULE_UNSPEC, -@@ -230,6 +257,8 @@ enum nft_rule_attributes { - NFTA_RULE_USERDATA, - NFTA_RULE_PAD, - NFTA_RULE_ID, -+ NFTA_RULE_POSITION_ID, -+ NFTA_RULE_CHAIN_ID, - __NFTA_RULE_MAX - }; - #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) -@@ -266,8 +295,10 @@ enum nft_rule_compat_attributes { - * @NFT_SET_INTERVAL: set contains intervals - * @NFT_SET_MAP: set is used as a dictionary - * @NFT_SET_TIMEOUT: set uses timeouts -- * @NFT_SET_EVAL: set contains expressions for evaluation -+ * @NFT_SET_EVAL: set can be updated from the evaluation path - * @NFT_SET_OBJECT: set contains stateful objects -+ * @NFT_SET_CONCAT: set contains a concatenation -+ * @NFT_SET_EXPR: set contains expressions - */ - enum nft_set_flags { - NFT_SET_ANONYMOUS = 0x1, -@@ -277,6 +308,8 @@ enum nft_set_flags { - NFT_SET_TIMEOUT = 0x10, - NFT_SET_EVAL = 0x20, - NFT_SET_OBJECT = 0x40, -+ NFT_SET_CONCAT = 0x80, -+ NFT_SET_EXPR = 0x100, - }; - - /** -@@ -294,14 +327,28 @@ enum nft_set_policies { - * enum nft_set_desc_attributes - set element description - * - * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32) -+ * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED) - */ - enum nft_set_desc_attributes { - NFTA_SET_DESC_UNSPEC, - NFTA_SET_DESC_SIZE, -+ NFTA_SET_DESC_CONCAT, - __NFTA_SET_DESC_MAX - }; - #define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1) - -+/** -+ * enum nft_set_field_attributes - attributes of concatenated fields -+ * -+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32) -+ */ -+enum 
nft_set_field_attributes { -+ NFTA_SET_FIELD_UNSPEC, -+ NFTA_SET_FIELD_LEN, -+ __NFTA_SET_FIELD_MAX -+}; -+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1) -+ - /** - * enum nft_set_attributes - nf_tables set netlink attributes - * -@@ -320,6 +367,8 @@ enum nft_set_desc_attributes { - * @NFTA_SET_USERDATA: user data (NLA_BINARY) - * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*) - * @NFTA_SET_HANDLE: set handle (NLA_U64) -+ * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes) -+ * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) - */ - enum nft_set_attributes { - NFTA_SET_UNSPEC, -@@ -339,6 +388,8 @@ enum nft_set_attributes { - NFTA_SET_PAD, - NFTA_SET_OBJ_TYPE, - NFTA_SET_HANDLE, -+ NFTA_SET_EXPR, -+ NFTA_SET_EXPRESSIONS, - __NFTA_SET_MAX - }; - #define NFTA_SET_MAX (__NFTA_SET_MAX - 1) -@@ -347,9 +398,11 @@ enum nft_set_attributes { - * enum nft_set_elem_flags - nf_tables set element flags - * - * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval -+ * @NFT_SET_ELEM_CATCHALL: special catch-all element - */ - enum nft_set_elem_flags { - NFT_SET_ELEM_INTERVAL_END = 0x1, -+ NFT_SET_ELEM_CATCHALL = 0x2, - }; - - /** -@@ -363,6 +416,8 @@ enum nft_set_elem_flags { - * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY) - * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes) - * @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING) -+ * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data) -+ * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) - */ - enum nft_set_elem_attributes { - NFTA_SET_ELEM_UNSPEC, -@@ -375,6 +430,8 @@ enum nft_set_elem_attributes { - NFTA_SET_ELEM_EXPR, - NFTA_SET_ELEM_PAD, - NFTA_SET_ELEM_OBJREF, -+ NFTA_SET_ELEM_KEY_END, -+ NFTA_SET_ELEM_EXPRESSIONS, - __NFTA_SET_ELEM_MAX - }; - #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) -@@ -440,11 +497,13 @@ enum nft_data_attributes { - * - * @NFTA_VERDICT_CODE: 
nf_tables verdict (NLA_U32: enum nft_verdicts) - * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING) -+ * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32) - */ - enum nft_verdict_attributes { - NFTA_VERDICT_UNSPEC, - NFTA_VERDICT_CODE, - NFTA_VERDICT_CHAIN, -+ NFTA_VERDICT_CHAIN_ID, - __NFTA_VERDICT_MAX - }; - #define NFTA_VERDICT_MAX (__NFTA_VERDICT_MAX - 1) -@@ -477,6 +536,20 @@ enum nft_immediate_attributes { - }; - #define NFTA_IMMEDIATE_MAX (__NFTA_IMMEDIATE_MAX - 1) - -+/** -+ * enum nft_bitwise_ops - nf_tables bitwise operations -+ * -+ * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and -+ * XOR boolean operations -+ * @NFT_BITWISE_LSHIFT: left-shift operation -+ * @NFT_BITWISE_RSHIFT: right-shift operation -+ */ -+enum nft_bitwise_ops { -+ NFT_BITWISE_BOOL, -+ NFT_BITWISE_LSHIFT, -+ NFT_BITWISE_RSHIFT, -+}; -+ - /** - * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes - * -@@ -485,16 +558,20 @@ enum nft_immediate_attributes { - * @NFTA_BITWISE_LEN: length of operands (NLA_U32) - * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes) - * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes) -+ * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops) -+ * @NFTA_BITWISE_DATA: argument for non-boolean operations -+ * (NLA_NESTED: nft_data_attributes) - * -- * The bitwise expression performs the following operation: -+ * The bitwise expression supports boolean and shift operations. 
It implements -+ * the boolean operations by performing the following operation: - * - * dreg = (sreg & mask) ^ xor - * -- * which allow to express all bitwise operations: -+ * with these mask and xor values: - * - * mask xor - * NOT: 1 1 -- * OR: 0 x -+ * OR: ~x x - * XOR: 1 x - * AND: x 0 - */ -@@ -505,6 +582,8 @@ enum nft_bitwise_attributes { - NFTA_BITWISE_LEN, - NFTA_BITWISE_MASK, - NFTA_BITWISE_XOR, -+ NFTA_BITWISE_OP, -+ NFTA_BITWISE_DATA, - __NFTA_BITWISE_MAX - }; - #define NFTA_BITWISE_MAX (__NFTA_BITWISE_MAX - 1) -@@ -631,10 +710,12 @@ enum nft_lookup_attributes { - enum nft_dynset_ops { - NFT_DYNSET_OP_ADD, - NFT_DYNSET_OP_UPDATE, -+ NFT_DYNSET_OP_DELETE, - }; - - enum nft_dynset_flags { - NFT_DYNSET_F_INV = (1 << 0), -+ NFT_DYNSET_F_EXPR = (1 << 1), - }; - - /** -@@ -648,6 +729,7 @@ enum nft_dynset_flags { - * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64) - * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes) - * @NFTA_DYNSET_FLAGS: flags (NLA_U32) -+ * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes) - */ - enum nft_dynset_attributes { - NFTA_DYNSET_UNSPEC, -@@ -660,6 +742,7 @@ enum nft_dynset_attributes { - NFTA_DYNSET_EXPR, - NFTA_DYNSET_PAD, - NFTA_DYNSET_FLAGS, -+ NFTA_DYNSET_EXPRESSIONS, - __NFTA_DYNSET_MAX, - }; - #define NFTA_DYNSET_MAX (__NFTA_DYNSET_MAX - 1) -@@ -682,10 +765,12 @@ enum nft_payload_bases { - * - * @NFT_PAYLOAD_CSUM_NONE: no checksumming - * @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791) -+ * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309) - */ - enum nft_payload_csum_types { - NFT_PAYLOAD_CSUM_NONE, - NFT_PAYLOAD_CSUM_INET, -+ NFT_PAYLOAD_CSUM_SCTP, - }; - - enum nft_payload_csum_flags { -@@ -727,10 +812,14 @@ enum nft_exthdr_flags { - * - * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers - * @NFT_EXTHDR_OP_TCP: match against tcp options -+ * @NFT_EXTHDR_OP_IPV4: match against ipv4 options -+ * @NFT_EXTHDR_OP_SCTP: match against 
sctp chunks - */ - enum nft_exthdr_op { - NFT_EXTHDR_OP_IPV6, - NFT_EXTHDR_OP_TCPOPT, -+ NFT_EXTHDR_OP_IPV4, -+ NFT_EXTHDR_OP_SCTP, - __NFT_EXTHDR_OP_MAX - }; - #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) -@@ -788,6 +877,15 @@ enum nft_exthdr_attributes { - * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) - * @NFT_META_PRANDOM: a 32bit pseudo-random number - * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) -+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind) -+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind) -+ * @NFT_META_BRI_IIFPVID: packet input bridge port pvid -+ * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto -+ * @NFT_META_TIME_NS: time since epoch (in nanoseconds) -+ * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday) -+ * @NFT_META_TIME_HOUR: hour of day (in seconds) -+ * @NFT_META_SDIF: slave device interface index -+ * @NFT_META_SDIFNAME: slave device interface name - */ - enum nft_meta_keys { - NFT_META_LEN, -@@ -816,6 +914,15 @@ enum nft_meta_keys { - NFT_META_CGROUP, - NFT_META_PRANDOM, - NFT_META_SECPATH, -+ NFT_META_IIFKIND, -+ NFT_META_OIFKIND, -+ NFT_META_BRI_IIFPVID, -+ NFT_META_BRI_IIFVPROTO, -+ NFT_META_TIME_NS, -+ NFT_META_TIME_DAY, -+ NFT_META_TIME_HOUR, -+ NFT_META_SDIF, -+ NFT_META_SDIFNAME, - }; - - /** -@@ -825,13 +932,17 @@ enum nft_meta_keys { - * @NFT_RT_NEXTHOP4: routing nexthop for IPv4 - * @NFT_RT_NEXTHOP6: routing nexthop for IPv6 - * @NFT_RT_TCPMSS: fetch current path tcp mss -+ * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL - */ - enum nft_rt_keys { - NFT_RT_CLASSID, - NFT_RT_NEXTHOP4, - NFT_RT_NEXTHOP6, - NFT_RT_TCPMSS, -+ NFT_RT_XFRM, -+ __NFT_RT_MAX - }; -+#define NFT_RT_MAX (__NFT_RT_MAX - 1) - - /** - * enum nft_hash_types - nf_tables hash expression types -@@ -854,6 +965,8 @@ enum nft_hash_types { - * @NFTA_HASH_SEED: seed value (NLA_U32) - * @NFTA_HASH_OFFSET: add this offset value to hash result 
(NLA_U32) - * @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types) -+ * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING) -+ * @NFTA_HASH_SET_ID: id of the map (NLA_U32) - */ - enum nft_hash_attributes { - NFTA_HASH_UNSPEC, -@@ -864,6 +977,8 @@ enum nft_hash_attributes { - NFTA_HASH_SEED, - NFTA_HASH_OFFSET, - NFTA_HASH_TYPE, -+ NFTA_HASH_SET_NAME, /* deprecated */ -+ NFTA_HASH_SET_ID, /* deprecated */ - __NFTA_HASH_MAX, - }; - #define NFTA_HASH_MAX (__NFTA_HASH_MAX - 1) -@@ -898,6 +1013,39 @@ enum nft_rt_attributes { - }; - #define NFTA_RT_MAX (__NFTA_RT_MAX - 1) - -+/** -+ * enum nft_socket_attributes - nf_tables socket expression netlink attributes -+ * -+ * @NFTA_SOCKET_KEY: socket key to match -+ * @NFTA_SOCKET_DREG: destination register -+ * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2) -+ */ -+enum nft_socket_attributes { -+ NFTA_SOCKET_UNSPEC, -+ NFTA_SOCKET_KEY, -+ NFTA_SOCKET_DREG, -+ NFTA_SOCKET_LEVEL, -+ __NFTA_SOCKET_MAX -+}; -+#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1) -+ -+/* -+ * enum nft_socket_keys - nf_tables socket expression keys -+ * -+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option -+ * @NFT_SOCKET_MARK: Value of the socket mark -+ * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 
0.0.0.0 or ::0) -+ * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2 -+ */ -+enum nft_socket_keys { -+ NFT_SOCKET_TRANSPARENT, -+ NFT_SOCKET_MARK, -+ NFT_SOCKET_WILDCARD, -+ NFT_SOCKET_CGROUPV2, -+ __NFT_SOCKET_MAX -+}; -+#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) -+ - /** - * enum nft_ct_keys - nf_tables ct expression keys - * -@@ -909,8 +1057,8 @@ enum nft_rt_attributes { - * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms - * @NFT_CT_HELPER: connection tracking helper assigned to conntrack - * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol -- * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address) -- * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address) -+ * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated) -+ * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated) - * @NFT_CT_PROTOCOL: conntrack layer 4 protocol - * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source - * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination -@@ -920,6 +1068,11 @@ enum nft_rt_attributes { - * @NFT_CT_AVGPKT: conntrack average bytes per packet - * @NFT_CT_ZONE: conntrack zone - * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack -+ * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address) -+ * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address) -+ * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) -+ * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) -+ * @NFT_CT_ID: conntrack id - */ - enum nft_ct_keys { - NFT_CT_STATE, -@@ -941,7 +1094,14 @@ enum nft_ct_keys { - NFT_CT_AVGPKT, - NFT_CT_ZONE, - NFT_CT_EVENTMASK, -+ NFT_CT_SRC_IP, -+ NFT_CT_DST_IP, -+ NFT_CT_SRC_IP6, -+ NFT_CT_DST_IP6, -+ NFT_CT_ID, -+ __NFT_CT_MAX - }; -+#define NFT_CT_MAX (__NFT_CT_MAX - 1) - - /** - * enum nft_ct_attributes - nf_tables ct expression netlink attributes -@@ -1002,6 +1162,24 @@ enum 
nft_limit_attributes { - }; - #define NFTA_LIMIT_MAX (__NFTA_LIMIT_MAX - 1) - -+enum nft_connlimit_flags { -+ NFT_CONNLIMIT_F_INV = (1 << 0), -+}; -+ -+/** -+ * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes -+ * -+ * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32) -+ * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags) -+ */ -+enum nft_connlimit_attributes { -+ NFTA_CONNLIMIT_UNSPEC, -+ NFTA_CONNLIMIT_COUNT, -+ NFTA_CONNLIMIT_FLAGS, -+ __NFTA_CONNLIMIT_MAX -+}; -+#define NFTA_CONNLIMIT_MAX (__NFTA_CONNLIMIT_MAX - 1) -+ - /** - * enum nft_counter_attributes - nf_tables counter expression netlink attributes - * -@@ -1017,6 +1195,21 @@ enum nft_counter_attributes { - }; - #define NFTA_COUNTER_MAX (__NFTA_COUNTER_MAX - 1) - -+/** -+ * enum nft_last_attributes - nf_tables last expression netlink attributes -+ * -+ * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32) -+ * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64) -+ */ -+enum nft_last_attributes { -+ NFTA_LAST_UNSPEC, -+ NFTA_LAST_SET, -+ NFTA_LAST_MSECS, -+ NFTA_LAST_PAD, -+ __NFTA_LAST_MAX -+}; -+#define NFTA_LAST_MAX (__NFTA_LAST_MAX - 1) -+ - /** - * enum nft_log_attributes - nf_tables log expression netlink attributes - * -@@ -1039,6 +1232,33 @@ enum nft_log_attributes { - }; - #define NFTA_LOG_MAX (__NFTA_LOG_MAX - 1) - -+/** -+ * enum nft_log_level - nf_tables log levels -+ * -+ * @NFT_LOGLEVEL_EMERG: system is unusable -+ * @NFT_LOGLEVEL_ALERT: action must be taken immediately -+ * @NFT_LOGLEVEL_CRIT: critical conditions -+ * @NFT_LOGLEVEL_ERR: error conditions -+ * @NFT_LOGLEVEL_WARNING: warning conditions -+ * @NFT_LOGLEVEL_NOTICE: normal but significant condition -+ * @NFT_LOGLEVEL_INFO: informational -+ * @NFT_LOGLEVEL_DEBUG: debug-level messages -+ * @NFT_LOGLEVEL_AUDIT: enabling audit logging -+ */ -+enum nft_log_level { -+ NFT_LOGLEVEL_EMERG, -+ NFT_LOGLEVEL_ALERT, -+ NFT_LOGLEVEL_CRIT, -+ NFT_LOGLEVEL_ERR, 
-+ NFT_LOGLEVEL_WARNING, -+ NFT_LOGLEVEL_NOTICE, -+ NFT_LOGLEVEL_INFO, -+ NFT_LOGLEVEL_DEBUG, -+ NFT_LOGLEVEL_AUDIT, -+ __NFT_LOGLEVEL_MAX -+}; -+#define NFT_LOGLEVEL_MAX (__NFT_LOGLEVEL_MAX - 1) -+ - /** - * enum nft_queue_attributes - nf_tables queue expression netlink attributes - * -@@ -1083,6 +1303,21 @@ enum nft_quota_attributes { - }; - #define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1) - -+/** -+ * enum nft_secmark_attributes - nf_tables secmark object netlink attributes -+ * -+ * @NFTA_SECMARK_CTX: security context (NLA_STRING) -+ */ -+enum nft_secmark_attributes { -+ NFTA_SECMARK_UNSPEC, -+ NFTA_SECMARK_CTX, -+ __NFTA_SECMARK_MAX, -+}; -+#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1) -+ -+/* Max security context length */ -+#define NFT_SECMARK_CTX_MAXLEN 256 -+ - /** - * enum nft_reject_types - nf_tables reject expression reject types - * -@@ -1164,6 +1399,22 @@ enum nft_nat_attributes { - }; - #define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1) - -+/** -+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes -+ * -+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers) -+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers) -+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers) -+ */ -+enum nft_tproxy_attributes { -+ NFTA_TPROXY_UNSPEC, -+ NFTA_TPROXY_FAMILY, -+ NFTA_TPROXY_REG_ADDR, -+ NFTA_TPROXY_REG_PORT, -+ __NFTA_TPROXY_MAX -+}; -+#define NFTA_TPROXY_MAX (__NFTA_TPROXY_MAX - 1) -+ - /** - * enum nft_masq_attributes - nf_tables masquerade expression attributes - * -@@ -1214,10 +1465,14 @@ enum nft_dup_attributes { - * enum nft_fwd_attributes - nf_tables fwd expression netlink attributes - * - * @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register) -+ * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register) -+ * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto) - */ - enum nft_fwd_attributes { - 
NFTA_FWD_UNSPEC, - NFTA_FWD_SREG_DEV, -+ NFTA_FWD_SREG_ADDR, -+ NFTA_FWD_NFPROTO, - __NFTA_FWD_MAX - }; - #define NFTA_FWD_MAX (__NFTA_FWD_MAX - 1) -@@ -1302,12 +1557,38 @@ enum nft_ct_helper_attributes { - }; - #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) - -+enum nft_ct_timeout_timeout_attributes { -+ NFTA_CT_TIMEOUT_UNSPEC, -+ NFTA_CT_TIMEOUT_L3PROTO, -+ NFTA_CT_TIMEOUT_L4PROTO, -+ NFTA_CT_TIMEOUT_DATA, -+ __NFTA_CT_TIMEOUT_MAX, -+}; -+#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1) -+ -+enum nft_ct_expectation_attributes { -+ NFTA_CT_EXPECT_UNSPEC, -+ NFTA_CT_EXPECT_L3PROTO, -+ NFTA_CT_EXPECT_L4PROTO, -+ NFTA_CT_EXPECT_DPORT, -+ NFTA_CT_EXPECT_TIMEOUT, -+ NFTA_CT_EXPECT_SIZE, -+ __NFTA_CT_EXPECT_MAX, -+}; -+#define NFTA_CT_EXPECT_MAX (__NFTA_CT_EXPECT_MAX - 1) -+ - #define NFT_OBJECT_UNSPEC 0 - #define NFT_OBJECT_COUNTER 1 - #define NFT_OBJECT_QUOTA 2 - #define NFT_OBJECT_CT_HELPER 3 - #define NFT_OBJECT_LIMIT 4 --#define __NFT_OBJECT_MAX 5 -+#define NFT_OBJECT_CONNLIMIT 5 -+#define NFT_OBJECT_TUNNEL 6 -+#define NFT_OBJECT_CT_TIMEOUT 7 -+#define NFT_OBJECT_SECMARK 8 -+#define NFT_OBJECT_CT_EXPECT 9 -+#define NFT_OBJECT_SYNPROXY 10 -+#define __NFT_OBJECT_MAX 11 - #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) - - /** -@@ -1319,6 +1600,7 @@ enum nft_ct_helper_attributes { - * @NFTA_OBJ_DATA: stateful object data (NLA_NESTED) - * @NFTA_OBJ_USE: number of references to this expression (NLA_U32) - * @NFTA_OBJ_HANDLE: object handle (NLA_U64) -+ * @NFTA_OBJ_USERDATA: user data (NLA_BINARY) - */ - enum nft_object_attributes { - NFTA_OBJ_UNSPEC, -@@ -1329,10 +1611,24 @@ enum nft_object_attributes { - NFTA_OBJ_USE, - NFTA_OBJ_HANDLE, - NFTA_OBJ_PAD, -+ NFTA_OBJ_USERDATA, - __NFTA_OBJ_MAX - }; - #define NFTA_OBJ_MAX (__NFTA_OBJ_MAX - 1) - -+/** -+ * enum nft_flowtable_flags - nf_tables flowtable flags -+ * -+ * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled -+ * @NFT_FLOWTABLE_COUNTER: enable flow counters -+ */ -+enum nft_flowtable_flags 
{ -+ NFT_FLOWTABLE_HW_OFFLOAD = 0x1, -+ NFT_FLOWTABLE_COUNTER = 0x2, -+ NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD | -+ NFT_FLOWTABLE_COUNTER) -+}; -+ - /** - * enum nft_flowtable_attributes - nf_tables flow table netlink attributes - * -@@ -1341,6 +1637,7 @@ enum nft_object_attributes { - * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32) - * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32) - * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64) -+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32) - */ - enum nft_flowtable_attributes { - NFTA_FLOWTABLE_UNSPEC, -@@ -1350,6 +1647,7 @@ enum nft_flowtable_attributes { - NFTA_FLOWTABLE_USE, - NFTA_FLOWTABLE_HANDLE, - NFTA_FLOWTABLE_PAD, -+ NFTA_FLOWTABLE_FLAGS, - __NFTA_FLOWTABLE_MAX - }; - #define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1) -@@ -1370,6 +1668,42 @@ enum nft_flowtable_hook_attributes { - }; - #define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1) - -+/** -+ * enum nft_osf_attributes - nftables osf expression netlink attributes -+ * -+ * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers) -+ * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8) -+ * @NFTA_OSF_FLAGS: flags (NLA_U32) -+ */ -+enum nft_osf_attributes { -+ NFTA_OSF_UNSPEC, -+ NFTA_OSF_DREG, -+ NFTA_OSF_TTL, -+ NFTA_OSF_FLAGS, -+ __NFTA_OSF_MAX, -+}; -+#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1) -+ -+enum nft_osf_flags { -+ NFT_OSF_F_VERSION = (1 << 0), -+}; -+ -+/** -+ * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes -+ * -+ * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16) -+ * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8) -+ * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32) -+ */ -+enum nft_synproxy_attributes { -+ NFTA_SYNPROXY_UNSPEC, -+ NFTA_SYNPROXY_MSS, -+ NFTA_SYNPROXY_WSCALE, -+ NFTA_SYNPROXY_FLAGS, -+ __NFTA_SYNPROXY_MAX, -+}; -+#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1) -+ - /** - * enum nft_device_attributes - nf_tables device 
netlink attributes - * -@@ -1382,6 +1716,35 @@ enum nft_devices_attributes { - }; - #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1) - -+/* -+ * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes -+ * -+ * @NFTA_XFRM_DREG: destination register (NLA_U32) -+ * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32) -+ * @NFTA_XFRM_DIR: direction (NLA_U8) -+ * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32) -+ */ -+enum nft_xfrm_attributes { -+ NFTA_XFRM_UNSPEC, -+ NFTA_XFRM_DREG, -+ NFTA_XFRM_KEY, -+ NFTA_XFRM_DIR, -+ NFTA_XFRM_SPNUM, -+ __NFTA_XFRM_MAX -+}; -+#define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1) -+ -+enum nft_xfrm_keys { -+ NFT_XFRM_KEY_UNSPEC, -+ NFT_XFRM_KEY_DADDR_IP4, -+ NFT_XFRM_KEY_DADDR_IP6, -+ NFT_XFRM_KEY_SADDR_IP4, -+ NFT_XFRM_KEY_SADDR_IP6, -+ NFT_XFRM_KEY_REQID, -+ NFT_XFRM_KEY_SPI, -+ __NFT_XFRM_KEY_MAX, -+}; -+#define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1) - - /** - * enum nft_trace_attributes - nf_tables trace netlink attributes -@@ -1442,6 +1805,8 @@ enum nft_trace_types { - * @NFTA_NG_MODULUS: maximum counter value (NLA_U32) - * @NFTA_NG_TYPE: operation type (NLA_U32) - * @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32) -+ * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING) -+ * @NFTA_NG_SET_ID: id of the map (NLA_U32) - */ - enum nft_ng_attributes { - NFTA_NG_UNSPEC, -@@ -1449,6 +1814,8 @@ enum nft_ng_attributes { - NFTA_NG_MODULUS, - NFTA_NG_TYPE, - NFTA_NG_OFFSET, -+ NFTA_NG_SET_NAME, /* deprecated */ -+ NFTA_NG_SET_ID, /* deprecated */ - __NFTA_NG_MAX - }; - #define NFTA_NG_MAX (__NFTA_NG_MAX - 1) -@@ -1460,4 +1827,104 @@ enum nft_ng_types { - }; - #define NFT_NG_MAX (__NFT_NG_MAX - 1) - -+enum nft_tunnel_key_ip_attributes { -+ NFTA_TUNNEL_KEY_IP_UNSPEC, -+ NFTA_TUNNEL_KEY_IP_SRC, -+ NFTA_TUNNEL_KEY_IP_DST, -+ __NFTA_TUNNEL_KEY_IP_MAX -+}; -+#define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1) -+ -+enum nft_tunnel_ip6_attributes { -+ NFTA_TUNNEL_KEY_IP6_UNSPEC, -+ NFTA_TUNNEL_KEY_IP6_SRC, -+ 
NFTA_TUNNEL_KEY_IP6_DST, -+ NFTA_TUNNEL_KEY_IP6_FLOWLABEL, -+ __NFTA_TUNNEL_KEY_IP6_MAX -+}; -+#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1) -+ -+enum nft_tunnel_opts_attributes { -+ NFTA_TUNNEL_KEY_OPTS_UNSPEC, -+ NFTA_TUNNEL_KEY_OPTS_VXLAN, -+ NFTA_TUNNEL_KEY_OPTS_ERSPAN, -+ NFTA_TUNNEL_KEY_OPTS_GENEVE, -+ __NFTA_TUNNEL_KEY_OPTS_MAX -+}; -+#define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1) -+ -+enum nft_tunnel_opts_vxlan_attributes { -+ NFTA_TUNNEL_KEY_VXLAN_UNSPEC, -+ NFTA_TUNNEL_KEY_VXLAN_GBP, -+ __NFTA_TUNNEL_KEY_VXLAN_MAX -+}; -+#define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1) -+ -+enum nft_tunnel_opts_erspan_attributes { -+ NFTA_TUNNEL_KEY_ERSPAN_UNSPEC, -+ NFTA_TUNNEL_KEY_ERSPAN_VERSION, -+ NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX, -+ NFTA_TUNNEL_KEY_ERSPAN_V2_HWID, -+ NFTA_TUNNEL_KEY_ERSPAN_V2_DIR, -+ __NFTA_TUNNEL_KEY_ERSPAN_MAX -+}; -+#define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1) -+ -+enum nft_tunnel_opts_geneve_attributes { -+ NFTA_TUNNEL_KEY_GENEVE_UNSPEC, -+ NFTA_TUNNEL_KEY_GENEVE_CLASS, -+ NFTA_TUNNEL_KEY_GENEVE_TYPE, -+ NFTA_TUNNEL_KEY_GENEVE_DATA, -+ __NFTA_TUNNEL_KEY_GENEVE_MAX -+}; -+#define NFTA_TUNNEL_KEY_GENEVE_MAX (__NFTA_TUNNEL_KEY_GENEVE_MAX - 1) -+ -+enum nft_tunnel_flags { -+ NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0), -+ NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1), -+ NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2), -+}; -+#define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX | \ -+ NFT_TUNNEL_F_DONT_FRAGMENT | \ -+ NFT_TUNNEL_F_SEQ_NUMBER) -+ -+enum nft_tunnel_key_attributes { -+ NFTA_TUNNEL_KEY_UNSPEC, -+ NFTA_TUNNEL_KEY_ID, -+ NFTA_TUNNEL_KEY_IP, -+ NFTA_TUNNEL_KEY_IP6, -+ NFTA_TUNNEL_KEY_FLAGS, -+ NFTA_TUNNEL_KEY_TOS, -+ NFTA_TUNNEL_KEY_TTL, -+ NFTA_TUNNEL_KEY_SPORT, -+ NFTA_TUNNEL_KEY_DPORT, -+ NFTA_TUNNEL_KEY_OPTS, -+ __NFTA_TUNNEL_KEY_MAX -+}; -+#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1) -+ -+enum nft_tunnel_keys { -+ NFT_TUNNEL_PATH, -+ NFT_TUNNEL_ID, -+ __NFT_TUNNEL_MAX -+}; 
-+#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1) -+ -+enum nft_tunnel_mode { -+ NFT_TUNNEL_MODE_NONE, -+ NFT_TUNNEL_MODE_RX, -+ NFT_TUNNEL_MODE_TX, -+ __NFT_TUNNEL_MODE_MAX -+}; -+#define NFT_TUNNEL_MODE_MAX (__NFT_TUNNEL_MODE_MAX - 1) -+ -+enum nft_tunnel_attributes { -+ NFTA_TUNNEL_UNSPEC, -+ NFTA_TUNNEL_KEY, -+ NFTA_TUNNEL_DREG, -+ NFTA_TUNNEL_MODE, -+ __NFTA_TUNNEL_MAX -+}; -+#define NFTA_TUNNEL_MAX (__NFTA_TUNNEL_MAX - 1) -+ - #endif /* _LINUX_NF_TABLES_H */ -diff --git a/iptables/nft.c b/iptables/nft.c -index ee003511ab7f3..4807090cc4306 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -1167,7 +1167,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table, - type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR; - len += sizeof(struct in_addr) + NETLINK_ALIGN - 1; - len &= ~(NETLINK_ALIGN - 1); -- flags = NFT_SET_INTERVAL; -+ flags = NFT_SET_INTERVAL | NFT_SET_CONCAT; - } - - s = add_anon_set(h, table, flags, type, len, cnt); --- -2.38.0 - diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index b464b77..dfe8685 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec @@ -1,3 +1,6 @@ +%define iptables_rpmversion 1.8.10 +%define iptables_specrelease 4 + # install init scripts to /usr/libexec with systemd %global script_path %{_libexecdir}/iptables @@ -15,9 +18,9 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables -Version: 1.8.8 -Release: 6%{?dist} -Source: %{url}/files/%{name}-%{version}.tar.bz2 +Version: %{iptables_rpmversion} +Release: %{iptables_specrelease}%{?dist}%{?buildid} +Source: %{url}/files/%{name}-%{version}.tar.xz Source1: iptables.init Source2: iptables-config Source3: iptables.service 
@@ -30,14 +33,11 @@ Source9: ebtables.service Source10: ebtables-config Source11: iptables-test.stderr.expect -Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch -Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch -Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch -Patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch -Patch05: 0005-arptables-Support-x-exact-flag.patch -Patch06: 0006-libxtables-Fix-unsupported-extension-warning-corner-.patch -Patch07: 0007-nft-fix-ebtables-among-match-when-mac-ip-addresses-a.patch -Patch08: 0008-nft-un-break-among-match-with-concatenation.patch +Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch +Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch +Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch +Patch4: 0004-nft-Fix-for-broken-recover_rule_compat.patch +Patch5: 0005-extensions-libxt_sctp-Add-an-extra-assert.patch # pf.os: ISC license # iptables-apply: Artistic 2.0 @@ -45,7 +45,7 @@ License: GPLv2 and Artistic 2.0 and ISC # libnetfilter_conntrack is needed for xt_connlabel BuildRequires: pkgconfig(libnetfilter_conntrack) -# libnfnetlink-devel is requires for nfnl_osf +# libnfnetlink-devel is required for nfnl_osf BuildRequires: pkgconfig(libnfnetlink) BuildRequires: libselinux-devel BuildRequires: kernel-headers @@ -55,7 +55,7 @@ BuildRequires: bison BuildRequires: flex BuildRequires: gcc BuildRequires: pkgconfig(libmnl) >= 1.0 -BuildRequires: pkgconfig(libnftnl) >= 1.1.6 +BuildRequires: pkgconfig(libnftnl) >= 1.2.6 # libpcap-devel for nfbpf_compile BuildRequires: libpcap-devel BuildRequires: autoconf 
@@ -266,6 +266,21 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8
 touch %{buildroot}%{_mandir}/man8/arptables-restore.8
 touch %{buildroot}%{_mandir}/man8/ebtables.8
 
+# add symlinks for compatibility to merged extensions
+link_ext() { # (target, link)
+ local targetfile="%{buildroot}%{_libdir}/xtables/${1}.so"
+ local targetname="${1}.so"
+ local link="%{buildroot}%{_libdir}/xtables/${2}.so"
+ [[ -e "$link" ]] && return 0
+ [[ -e "$targetfile" ]] || return 0
+ ln -s $targetname $link
+}
+for fam in ip ip6; do
+ link_ext libxt_LOG lib${fam}t_LOG
+ link_ext libxt_NAT lib${fam}t_SNAT
+ link_ext libxt_NAT lib${fam}t_MASQUERADE
+done
+
 %ldconfig_scriptlets
 
 %post legacy
@@ -308,7 +323,9 @@ fi
 %systemd_postun iptables.service ip6tables.service
 %systemd_postun arptables.service ebtables.service
 
-%post nft
+%post -e nft
+[[ %%{_excludedocs} == 1 ]] || do_man=true
+
 pfx=%{_sbindir}/iptables
 pfx6=%{_sbindir}/ip6tables
 %{_sbindir}/update-alternatives --install \
@@ -333,7 +350,7 @@ fi
 $pfx ebtables $pfx-nft 10 \
 --slave $pfx-save ebtables-save $pfx-nft-save \
 --slave $pfx-restore ebtables-restore $pfx-nft-restore \
- --slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz
+ ${do_man:+--slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz}
 
 pfx=%{_sbindir}/arptables
 manpfx=%{_mandir}/man8/arptables
@@ -353,9 +370,9 @@ fi
 $pfx arptables $pfx-nft 10 \
 --slave $pfx-save arptables-save $pfx-nft-save \
 --slave $pfx-restore arptables-restore $pfx-nft-restore \
- --slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \
- --slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \
- --slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \
+ ${do_man:+--slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz} \
+ ${do_man:+--slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz} \
+ ${do_man:+--slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz} \
 --slave $lepfx-helper arptables-helper $lepfx-nft-helper
 
 %postun nft
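Review bot: In `link_ext` the final `ln -s $targetname $link` leaves both expansions unquoted while the three lines above quote the same values; `ln -s "$targetname" "$link"` keeps the function consistent and safe should `%{buildroot}` ever contain a space. The guard `[[ -e "$link" ]] && return 0` follows symlinks, so a dangling link already at that path is not detected and the subsequent `ln -s` fails the build with "File exists"; `[[ -e "$link" || -L "$link" ]] && return 0` covers both cases. The function also returns 0 silently when the target DSO is absent, which reads as intentional best-effort but deserves a comment such as `# nothing to do if the merged extension was not built`. The links presumably need to be owned by the nft %files section (a glob under %{_libdir}/xtables, or explicit entries), which is outside this hunk.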
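Review bot: In the `%post -e nft` hunk the check `[[ %%{_excludedocs} == 1 ]] || do_man=true` relies on install-time expansion leaving the literal text `%{_excludedocs}` in place when the macro is undefined, and on that literal not comparing equal to `1`; that works but is implicit. `[[ "%%{?_excludedocs}" == 1 ]] || do_man=true` expands to an empty quoted string when docs are not excluded and states the intent directly. A comment on the line, `# with -e, %%{...} is expanded by rpm at install time, so --excludedocs is honoured`, would also spare the next reader a detour into the rpm scriptlet docs.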
@@ -369,7 +386,6 @@ fi
 
 %if %{do_legacy_pkg}
 %files legacy
-%doc INCOMPATIBILITIES
 %{_sbindir}/ip{,6}tables-legacy*
 %{_sbindir}/xtables-legacy-multi
 %{_bindir}/iptables-xml
@@ -388,9 +404,15 @@ fi
 %{_libdir}/pkgconfig/libip{,4,6}tc.pc
 
 %files services
+%dir %{script_path}
+%{script_path}/ip{,6}tables.init
+%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
+%{_unitdir}/ip{,6}tables.service
+%dir %{legacy_actions}/ip{,6}tables
+%{legacy_actions}/ip{,6}tables/{save,panic}
 
 # do_legacy_pkg
-%else
+%endif
 
 %files nft-services
 %{_unitdir}/{arp,eb}tables.service
@@ -398,11 +420,6 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
 %ghost %{_sysconfdir}/sysconfig/arptables
 %ghost %{_sysconfdir}/sysconfig/ebtables
-
-# do_legacy_pkg
-%endif
-
-# the common files in services and nft-services
 %dir %{script_path}
 %{script_path}/ip{,6}tables.init
 %config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
@@ -438,6 +455,7 @@ fi
 %{_sbindir}/ip{,6}tables-nft*
 %{_sbindir}/ip{,6}tables{,-restore}-translate
 %{_sbindir}/{eb,arp}tables-nft*
+%{_sbindir}/ebtables-translate
 %{_sbindir}/xtables-nft-multi
 %{_sbindir}/xtables-monitor
 %dir %{_libdir}/xtables
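Review bot: With `%else` turned into `%endif` in the `%files services` hunk, both `services` and `nft-services` are now built when `do_legacy_pkg` is set, and both list `%{script_path}/ip{,6}tables.init`, the sysconfig files and `%{_unitdir}/ip{,6}tables.service` (the copies in nft-services remain as context in the following hunk). Two subpackages owning the same paths are only installable together if rpm is told they are alternatives, so the package headers, which are outside these hunks, should carry a mutual `Conflicts:` between services and nft-services unless one already exists. A short comment above the duplicated list, `# same payload as nft-services; the two are mutually exclusive`, would record why the duplication is deliberate.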
@@ -451,9 +469,25 @@ fi
 %ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
 %ghost %{_libexecdir}/arptables-helper
 %ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
-%ghost %{_mandir}/man8/ebtables.8.gz
+%ghost %{_mandir}/man8/ebtables{,-translate}.8.gz
 
 %changelog
+* Wed Jul 03 2024 Phil Sutter [1.8.10-4.el9]
+- spec: Simplify legacy package integration (Phil Sutter) [RHEL-5797]
+
+* Wed Jun 12 2024 Phil Sutter [1.8.10-3.el9]
+- extensions: libxt_sctp: Add an extra assert() (Phil Sutter) [RHEL-40928]
+- spec: Add symlinks for merged extension DSOs (Phil Sutter) [RHEL-32463]
+- nft: Fix for broken recover_rule_compat() (Phil Sutter) [RHEL-26619]
+- spec: Ship ebtables-translate and man page (Phil Sutter) [RHEL-32922]
+
+* Tue Nov 07 2023 Phil Sutter [1.8.10-2.el9]
+- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
+
+* Fri Oct 27 2023 Phil Sutter [1.8.10-1.el9]
+- spec: Support for _excludedocs macro in alternatives installation (Phil Sutter) [RHEL-5810]
+- Rebase onto version 1.8.10 (Phil Sutter) [RHEL-14147]
+
 * Wed Dec 07 2022 Phil Sutter - 1.8.8-6
 - Add expected testsuite result