Compare commits


No commits in common. 'c9' and 'i10cs' have entirely different histories.
c9 ... i10cs

@ -1,336 +0,0 @@
From 2abc07c47189b26fce16f4751a96f747fa53fc0f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 17 Jun 2021 18:44:28 +0200
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1945151
Upstream Status: RHEL-only
This is RHEL9 trying to friendly kick people towards nftables.
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/arptables-nft-restore.8 | 13 ++++++++++++-
iptables/arptables-nft-save.8 | 14 +++++++++++++-
iptables/arptables-nft.8 | 19 ++++++++++++++++++-
iptables/ebtables-nft.8 | 15 ++++++++++++++-
iptables/iptables-apply.8.in | 14 +++++++++++++-
iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++
iptables/iptables-restore.8.in | 17 ++++++++++++++++-
iptables/iptables-save.8.in | 15 ++++++++++++++-
iptables/iptables.8.in | 17 +++++++++++++++++
iptables/xtables-monitor.8.in | 11 +++++++++++
10 files changed, 142 insertions(+), 7 deletions(-)
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
index 09d9082..b1bf029 100644
--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
.SH SYNOPSIS
\fBarptables\-restore
.SH DESCRIPTION
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
.PP
.B arptables-restore
is used to restore ARP Tables from data specified on STDIN or
@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
-\fBarptables\-save\fP(8), \fBarptables\fP(8)
+\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
.PP
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
index 905e598..49bb0f6 100644
--- a/iptables/arptables-nft-save.8
+++ b/iptables/arptables-nft-save.8
@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
\fBarptables\-save\fP [\fB\-V\fP]
.SH DESCRIPTION
.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B arptables-save
is used to dump the contents of an ARP Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
@@ -43,5 +55,5 @@ Print version information and exit.
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
+\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
.PP
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index ea31e08..ec5b993 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
.SH DESCRIPTION
+.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B arptables
is a user space tool, it is used to set up and maintain the
tables of ARP rules in the Linux kernel. These rules inspect
@@ -340,9 +353,13 @@ bridges, the same may be achieved using
chain in
.BR ebtables .
+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
+will not receive new features. New setups should use \fBnft\fP(8). Existing
+setups should migrate to \fBnft\fP(8) when possible.
+
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
.SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
.PP
.BR "" "See " https://wiki.nftables.org
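Review bot: the plain paragraph appended before .SH MAILINGLISTS ("This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and will not receive new features...") duplicates the notice this same patch inserts under .SH DESCRIPTION a few hunks earlier, and it drops the `.UR https://red.ht/nft_your_tables` link the DESCRIPTION copy carries. Keep one notice per page, or at least give the second copy the same URL so the two cannot drift apart; none of the other nine man pages in the series gets a second notice.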
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 0304b50..cfd617a 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
.br
.SH DESCRIPTION
+.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B ebtables
is an application program used to set up and maintain the
tables of rules (inside the Linux kernel) that inspect
@@ -1083,6 +1096,6 @@ has not been implemented, although
might replace them entirely given the inherent atomicity of nftables.
Finally, this list is probably not complete.
.SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
.PP
.BR "" "See " https://wiki.nftables.org
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
index f0ed4e5..7f99a21 100644
--- a/iptables/iptables-apply.8.in
+++ b/iptables/iptables-apply.8.in
@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
.SH "DESCRIPTION"
.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
iptables\-apply will try to apply a new rulesfile (as output by
iptables-save, read by iptables-restore) or run a command to configure
iptables and then prompt the user whether the changes are okay. If the
@@ -47,7 +59,7 @@ Display usage information.
Display version information.
.SH "SEE ALSO"
.PP
-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
.SH LEGALESE
.PP
Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
index 99d89a1..73d40bb 100644
--- a/iptables/iptables-extensions.8.tmpl.in
+++ b/iptables/iptables-extensions.8.tmpl.in
@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
.PP
\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
+to help with the migration.
.SH MATCH EXTENSIONS
iptables can use extended packet matching modules
with the \fB\-m\fP or \fB\-\-match\fP
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index aa816f7..353d4dc 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
[\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fIfile\fP]
.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
+to help with the migration.
.PP
.B iptables-restore
and
@@ -82,7 +95,9 @@ from Rusty Russell.
.br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
.SH SEE ALSO
-\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
+\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
+\fBip6tables\-restore\-translate\fP(8)
.PP
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 65c1f28..d47be27 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
.SH DESCRIPTION
.PP
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B iptables-save
and
.B ip6tables-save
@@ -66,7 +78,8 @@ Rusty Russell <rusty@rustcorp.com.au>
.br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
.SH SEE ALSO
-\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8),
+\fBnft\fP(8)
.PP
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index ecaa555..4c4a15a 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
.PP
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
+to help with the migration.
+.PP
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
tables of IPv4 and IPv6 packet
filter rules in the Linux kernel. Several different tables
@@ -455,6 +469,9 @@ There are several other changes in iptables.
\fBiptables\-save\fP(8),
\fBiptables\-restore\fP(8),
\fBiptables\-extensions\fP(8),
+\fBnft\fP(8),
+\fBiptables\-translate\fP(8),
+\fBip6tables\-translate\fP(8)
.PP
The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT,
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
index a7f22c0..e21d7ff 100644
--- a/iptables/xtables-monitor.8.in
+++ b/iptables/xtables-monitor.8.in
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
.PP
\
.SH DESCRIPTION
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
.PP
.B xtables-monitor
is used to monitor changes to the ruleset or to show rule evaluation events

@ -0,0 +1,81 @@
From 88d7c7c51b4523add8b7d48209b5b6a316442e0f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 12 Oct 2023 17:27:42 +0200
Subject: [PATCH] libiptc: Fix for another segfault due to chain index NULL
pointer
Chain rename code missed to adjust the num_chains value which is used to
calculate the number of chain index buckets to allocate during an index
rebuild. So with the right number of chains present, the last chain in a
middle bucket being renamed (and ending up in another bucket) triggers
an index rebuild based on false data. The resulting NULL pointer index
bucket then causes a segfault upon reinsertion.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
(cherry picked from commit e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620)
---
.../testcases/chain/0008rename-segfault2_0 | 32 +++++++++++++++++++
libiptc/libiptc.c | 4 +++
2 files changed, 36 insertions(+)
create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0
diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
new file mode 100755
index 0000000000000..bc473d2511bbd
--- /dev/null
+++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Another funny rename bug in libiptc:
+# If there is a chain index bucket with only a single chain in it and it is not
+# the last one and that chain is renamed, a chain index rebuild is triggered.
+# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an
+# extra index is allocated and remains NULL. The following insert of renamed
+# chain then segfaults.
+
+(
+ echo "*filter"
+ # first bucket
+ for ((i = 0; i < 40; i++)); do
+ echo ":chain-a-$i - [0:0]"
+ done
+ # second bucket
+ for ((i = 0; i < 40; i++)); do
+ echo ":chain-b-$i - [0:0]"
+ done
+ # third bucket, just make sure it exists
+ echo ":chain-c-0 - [0:0]"
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore
+
+# rename all chains of the middle bucket
+(
+ echo "*filter"
+ for ((i = 0; i < 40; i++)); do
+ echo "-E chain-b-$i chain-d-$i"
+ done
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore --noflush
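Review bot: the test encodes libiptc's chain index bucket size (40 chains fill the "first bucket", 40 more the "second bucket") without saying so; if that sizing ever changes, the script still exits 0 but no longer reaches the rebuild path the commit message describes. A comment naming the assumption, plus a final check that the renames took effect (e.g. `$XT_MULTI iptables-save | grep -q chain-d-39`), would make the test fail on something other than a segfault.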
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index e475063367c26..9712a36353b9a 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
return 0;
}
+ handle->num_chains--;
+
/* This only unlinks "c" from the list, thus no free(c) */
iptcc_chain_index_delete_chain(c, handle);
/* Change the name of the chain */
strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1);
+ handle->num_chains++;
+
/* Insert sorted into to list again */
iptc_insert_chain(handle, c);
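Review bot: the `handle->num_chains--;` before iptcc_chain_index_delete_chain() and the `handle->num_chains++;` before iptc_insert_chain() read as a no-op to anyone without the commit message. Add a one-line comment stating that the index rebuild triggered from the delete sizes its buckets from num_chains and must not count the chain that is only being moved, otherwise a later cleanup is likely to "simplify" the pair away and reintroduce the NULL bucket.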

@ -0,0 +1,81 @@
From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Fri, 3 Nov 2023 17:33:22 +0100
Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage
ARPT_ and IPT_INV flags are not interchangeable, e.g.:
#define IPT_INV_SRCDEVADDR 0x0080
#define ARPT_INV_SRCDEVADDR 0x0010
as these flags can be tested by libarp_foo.so such checks can yield
incorrect results.
Because arptables-nft uses existing code, e.g. xt_mark, it makes
sense to unify this completely by converting the last users of
ARPT_INV_ constants.
Note that arptables-legacy does not do run-time module loading via
dlopen(). Functionality implemented by "extensions" in the
arptables-legacy git tree is built-in, so this doesn't break
arptables-legacy binaries.
Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68)
---
extensions/libarpt_mangle.c | 4 ++--
iptables/nft-arp.c | 2 +-
iptables/xshared.h | 4 +++-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c
index 765edf34781f3..a846e97ec8f27 100644
--- a/extensions/libarpt_mangle.c
+++ b/extensions/libarpt_mangle.c
@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! --h-length not allowed for "
"--mangle-mac-s");
@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! hln not allowed for --mangle-mac-d");
if (e->arp.arhln != 6)
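Review bot: both checks now test `e->arp.invflags & IPT_INV_ARPHLN`; that is only right if the arptables-nft option parser stores the same IPT_INV_ARPHLN bit (0x0200 per the xshared.h hunk) for an inverted `--h-length`, otherwise the "! --h-length not allowed" errors become dead code and the mangle target silently accepts the inverted match. A test that runs `-j mangle --mangle-mac-s` with `! --h-length` and expects the failure would pin this down; the patch adds none.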
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index aed39ebdd5166..535dd6b83237b 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command,
&args->d.naddrs);
if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
- (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+ (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
xtables_error(PARAMETER_PROBLEM,
"! not allowed with multiple"
" source or destination IP addresses");
diff --git a/iptables/xshared.h b/iptables/xshared.h
index a200e0d620ad3..5586385456a4d 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -80,7 +80,9 @@ struct xtables_target;
#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
-/* define invflags which won't collide with IPT ones */
+/* define invflags which won't collide with IPT ones.
+ * arptables-nft does NOT use the legacy ARPT_INV_* defines.
+ */
#define IPT_INV_SRCDEVADDR 0x0080
#define IPT_INV_TGTDEVADDR 0x0100
#define IPT_INV_ARPHLN 0x0200

@ -1,28 +0,0 @@
From 4388fad6c3874a3861907734f9a6368cfd0a731c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 16 Jul 2021 21:51:49 +0200
Subject: [PATCH] extensions: SECMARK: Use a better context in test case
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047558
Upstream Status: RHEL-only
RHEL SELinux policies don't allow setting
system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
'packet_type' attribute (identified via
'seinfo -xt | grep packet_type').
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_SECMARK.t | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
index 39d4c09..295e7a7 100644
--- a/extensions/libxt_SECMARK.t
+++ b/extensions/libxt_SECMARK.t
@@ -1,4 +1,4 @@
:INPUT,FORWARD,OUTPUT
*security
--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
-j SECMARK;;FAIL
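Review bot: the test still hard-codes a policy-specific type, so it only passes where the loaded SELinux policy defines ssh_server_packet_t with the packet_type attribute (the `seinfo -xt | grep packet_type` check from the commit message). If the test is ever run outside RHEL's policy, gate it on the type being present, or note the dependency in the .t file so a failure there is not mistaken for a SECMARK regression.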

@ -1,26 +1,16 @@
-From 7a8231504928a4ad7a2229d0f8a27d9734159647 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 7 Nov 2023 23:44:55 +0100
+From b7051898e28854b21bc7a37ef24ca037ef977e4a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 7 Nov 2023 19:12:14 +0100
 Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
-JIRA: https://issues.redhat.com/browse/RHEL-14147
-Upstream Status: iptables commit c1083acea70787eea3f7929fd04718434bb05ba8
-commit c1083acea70787eea3f7929fd04718434bb05ba8
-Author: Phil Sutter <phil@nwl.cc>
-Date: Tue Nov 7 19:12:14 2023 +0100
-    ebtables: Fix corner-case noflush restore bug
-    Report came from firwalld, but this is actually rather hard to trigger.
-    Since a regular chain line prevents it, typical dump/restore use-cases
-    are unaffected.
-    Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
-    Cc: Eric Garver <eric@garver.life>
-    Signed-off-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Phil Sutter <psutter@redhat.com>
+Report came from firwalld, but this is actually rather hard to trigger.
+Since a regular chain line prevents it, typical dump/restore use-cases
+are unaffected.
+Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
+Cc: Eric Garver <eric@garver.life>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit c1083acea70787eea3f7929fd04718434bb05ba8)
 ---
 .../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
 iptables/xtables-eb.c | 2 ++
@ -29,7 +19,7 @@ Signed-off-by: Phil Sutter <psutter@redhat.com>
 diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
 new file mode 100755
-index 0000000..0def0ac
+index 0000000000000..0def0ac58e7be
 --- /dev/null
 +++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
 @@ -0,0 +1,25 @@
@ -59,7 +49,7 @@ index 0000000..0def0ac
 +COMMIT
 +EOF
 diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
-index 08eec79..a8ad57c 100644
+index 08eec79d80400..a8ad57c735cc5 100644
 --- a/iptables/xtables-eb.c
 +++ b/iptables/xtables-eb.c
 @@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)

@ -1,99 +0,0 @@
From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 22 May 2024 18:26:58 +0200
Subject: [PATCH] nft: Fix for broken recover_rule_compat()
JIRA: https://issues.redhat.com/browse/RHEL-26619
Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Feb 27 18:47:39 2024 +0100
nft: Fix for broken recover_rule_compat()
When IPv4 rule generator was changed to emit payload instead of
meta expressions for l4proto matches, the code reinserting
NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
zeroing was broken by accident.
Make rule compat recovery aware of the alternative match, basically
reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
with NFTA_RULE_COMPAT") but add a test case this time to make sure
things stay intact.
Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 27 ++++++++++++++++---
.../nft-only/0011-zero-needs-compat_0 | 12 +++++++++
2 files changed, 35 insertions(+), 4 deletions(-)
create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
diff --git a/iptables/nft.c b/iptables/nft.c
index 97fd4f4..c4caf29 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
return strerror(err);
}
+static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
+{
+ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
+ uint32_t poff = offsetof(struct iphdr, protocol);
+ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
+
+ if (!strcmp(name, "payload") &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
+ return 0;
+ }
+ if (!strcmp(name, "meta") &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
+ return 0;
+ }
+ return -1;
+}
+
static int recover_rule_compat(struct nftnl_rule *r)
{
struct nftnl_expr_iter *iter;
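Review bot: l4proto_expr_get_dreg() only recognises the IPv4 form of the payload match (offsetof(struct iphdr, protocol), one byte at NFT_PAYLOAD_NETWORK_HEADER); for ip6tables it still relies on the rule generator emitting `meta l4proto`. The test hunk below exercises both families, so that holds today, but a comment in the function stating the IPv6 expectation would stop a later "use payload matching" change for IPv6 from breaking `-Z` the same way 69278f9602b43 did.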
@@ -3695,12 +3716,10 @@ next_expr:
if (!e)
goto out;
- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
+ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */
+ if (l4proto_expr_get_dreg(e, &reg) < 0)
goto next_expr;
- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
-
e = nftnl_expr_iter_next(iter);
if (!e)
goto out;
diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
new file mode 100755
index 0000000..e276a95
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+set -e
+
+rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
+for cmd in iptables ip6tables; do
+ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
+ $XT_MULTI $cmd -t mangle -Z
+ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
+done
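Review bot: `grep -q -- "${rule/23 42/0 0}"` treats the rule string as a regular expression and matches it anywhere in the `-S` output; `grep -qF --` makes the literal-substring intent explicit and keeps a future rule containing `.` or `[` from changing the meaning. The check only confirms the counters read 0 0; the `set -e` above is what turns a `-Z` rejected by the kernel (the original symptom of the lost NFTNL_RULE_COMPAT_* attributes) into a test failure, so it is worth a comment saying the two lines together cover both halves.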

@ -0,0 +1,42 @@
From 37622ca0f4c29c9a06b0d2f3f1abc6695c57d560 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 19 Nov 2023 13:18:26 +0100
Subject: [PATCH] xshared: struct xt_cmd_parse::xlate is unused
Drop the boolean, it was meant to disable some existence checks in
do_parse() prior to the caching rework. Now that do_parse() runs before
any caching is done, the checks in question don't exist anymore so drop
this relict.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit b180d9c86d2cce6ab6fd3e3617faf320a8a1babb)
---
iptables/xshared.h | 1 -
iptables/xtables-translate.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 5586385456a4d..c77556a1987dc 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -284,7 +284,6 @@ struct xt_cmd_parse {
bool restore;
int line;
int verbose;
- bool xlate;
struct xt_cmd_parse_ops *ops;
};
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 88e0a6b639494..c019cd2991305 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -249,7 +249,6 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
.table = *table,
.restore = restore,
.line = line,
- .xlate = true,
.ops = &h->ops->cmd_parse,
};
struct iptables_command_state cs = {

@ -1,43 +0,0 @@
From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 12 Jun 2024 22:49:48 +0200
Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
JIRA: https://issues.redhat.com/browse/RHEL-40928
Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
commit 0234117d24609070f08ef36a11795c3c8e4c19bf
Author: Phil Sutter <phil@nwl.cc>
Date: Fri May 17 15:20:05 2024 +0200
extensions: libxt_sctp: Add an extra assert()
The code is sane, but this keeps popping up in static code analyzers.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_sctp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 6e2b274..e8312f0 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -7,6 +7,7 @@
* libipt_ecn.c borrowed heavily from libipt_dscp.c
*
*/
+#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
for (i = 7; i >= 0; i--) {
if (chunk_flags_mask & (1 << i)) {
+ assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
if (chunk_flags & (1 << i)) {
printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
} else {
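Review bot: `assert(chunknum < ARRAY_SIZE(sctp_chunk_names))` compiles to nothing under NDEBUG, so release builds get no bounds check and analyzers that honour NDEBUG may keep reporting the index. The commit message says the index is always in range; a comment at the assert explaining why chunknum is bounded (how print_chunk_flags' callers derive it) documents that invariant for readers and tools alike. If it could ever be out of range, the fix is a real check with an early return, not an assert.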

@ -0,0 +1,31 @@
From 436dd5a6ba5639c8e83183f6252ce7bd37760e1c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 19 Nov 2023 13:25:36 +0100
Subject: [PATCH] xshared: All variants support -v, update OPTSTRING_COMMON
Fixes: 51d9d9e081344 ("ebtables: Support verbose mode")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9a9ff768cab58aea02828e422184873e52e9846a)
---
iptables/xshared.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index c77556a1987dc..815b9d3e98726 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -75,10 +75,10 @@ struct xtables_globals;
struct xtables_rule_match;
struct xtables_target;
-#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
-#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
-#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
+#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:v"
+#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nw::x"
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nx" /* "m:" */
+#define EBT_OPTSTRING OPTSTRING_COMMON "h"
/* define invflags which won't collide with IPT ones.
* arptables-nft does NOT use the legacy ARPT_INV_* defines.
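Review bot: the trailing context lines carry the comment added by the ARPT_INV cleanup ("arptables-nft does NOT use the legacy ARPT_INV_* defines"), and the index line c77556a1987dc..815b9d3e98726 continues the chain a200e0d620ad3 → 5586385456a4d (ARPT_INV patch) → c77556a1987dc (`xlate` removal) → 815b9d3e98726; these three xshared.h backports only apply cleanly in that order, which the series should state somewhere since the patch files are otherwise independent.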

@ -0,0 +1,28 @@
From ffd0c96de7bbc558b9b7a8bcbeebd9576fec8e59 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 21 Nov 2023 22:58:47 +0100
Subject: [PATCH] ebtables: Align line number formatting with legacy
Legacy ebtables appends a dot to the number printed in first column if
--Ln flag was given.
Fixes: da871de2a6efb ("nft: bootstrap ebtables-compat")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 74253799f0ca0735256327e834b7dffedde96ebf)
---
iptables/nft-bridge.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index d9a8ad2b0f373..e414ef5584392 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -354,7 +354,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
struct iptables_command_state cs = {};
if (format & FMT_LINENUMBERS)
- printf("%d ", num);
+ printf("%d. ", num);
nft_rule_to_ebtables_command_state(h, r, &cs);
__nft_bridge_save_rule(&cs, format);
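Review bot: `printf("%d. ", num)` is a user-visible change to `ebtables-nft --Ln` output (a trailing dot after the line number). Matching legacy ebtables is the point, but anything that parsed the old nft-variant output by splitting on whitespace now gets `1.` where it got `1`, so the backport's changelog should mention it; no test under iptables/tests/shell/testcases covers --Ln output here.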

@ -0,0 +1,44 @@
From 1c9549af3566e6c0b5573d6f91b25934d8d99f79 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Nov 2023 13:29:17 +0100
Subject: [PATCH] man: Do not escape exclamation marks
This appears to be not necessary, also mandoc complains about it:
| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \!
Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage")
Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit d8c64911cfd602f57354f36e5ca79bbedd62aa7a)
---
extensions/libip6t_DNPT.man | 2 +-
extensions/libip6t_SNPT.man | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man
index 9b060f5b7179b..72c6ae5d422a2 100644
--- a/extensions/libip6t_DNPT.man
+++ b/extensions/libip6t_DNPT.man
@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
.PP
You have to use the SNPT target to undo the translation. Example:
.IP
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
.IP
ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man
index 97e0071b43cc1..0c926978377a7 100644
--- a/extensions/libip6t_SNPT.man
+++ b/extensions/libip6t_SNPT.man
@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
.PP
You have to use the DNPT target to undo the translation. Example:
.IP
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
.IP
ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64

@ -0,0 +1,49 @@
From f667f577e6d29e62f55cdc4e1e39414913bf7c4c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Nov 2023 20:21:49 +0100
Subject: [PATCH] libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
In order to parse the mask, xtopt_parse_hostmask() calls
xtopt_parse_plenmask(), thereby limiting netmask support to prefix
lengths (alternatively specified in IP address notation).
In order to lift this impractical restriction, make
xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
fall back to xtopt_parse_mask() which correctly initializes val.hmask
itself and indicates non-CIDR-compatible masks by setting val.hlen to
-1.
So in order to support these odd masks, it is sufficient for
xtopt_parse_plenmask() to skip its mask building from val.hlen value and
take whatever val.hmask contains.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 41139aee5e53304182a25f1e573f034b313f7232)
---
libxtables/xtoptions.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index b16bbfbe32311..d91a78f470eda 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -711,6 +711,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
xtopt_parse_plen(cb);
+ /* may not be convertible to CIDR notation */
+ if (cb->val.hlen == (uint8_t)-1)
+ goto out_put;
+
memset(mask, 0xFF, sizeof(union nf_inet_addr));
/* This shifting is AF-independent. */
if (cb->val.hlen == 0) {
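Review bot: the early exit keys on the sentinel `(uint8_t)-1`, which only works because `val.hlen` is a `uint8_t` and xtopt_parse_mask() stores -1 into it; the comment should name xtopt_parse_mask() as the producer of that value (or both sites should share a named constant) so the two do not drift apart. It is also worth stating there that `val.hmask` must already be complete in that case, since the jump to `out_put` skips both the mask construction and the htonl() conversion below, so the only thing the label path still does is the optional XTOPT_PUT copy.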
@@ -731,6 +735,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
mask[1] = htonl(mask[1]);
mask[2] = htonl(mask[2]);
mask[3] = htonl(mask[3]);
+out_put:
if (entry->flags & XTOPT_PUT)
memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
}

@ -0,0 +1,114 @@
From 2568af12c3cf96a8b28082e6188dba94441b21c1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 19 Dec 2023 00:56:07 +0100
Subject: [PATCH] iptables-legacy: Fix for mandatory lock waiting
Parameter 'wait' passed to xtables_lock() signals three modes of
operation, depending on its value:
0: --wait not specified, do not wait if lock is busy
-1: --wait specified without value, wait indefinitely until lock becomes
free
>0: Wait for 'wait' seconds for lock to become free, abort otherwise
Since the fixed commit, the first two cases were treated the same apart from
calling alarm(0), but that is a nop if no alarm is pending. Fix the code
by requesting a non-blocking flock() in the second case. While at it,
restrict the alarm setup to the third case only.
Cc: Jethro Beekman <jethro@fortanix.com>
Cc: howardjohn@google.com
Cc: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728
Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 63ab5b8906f6913a14d38ec231f21daa760339a9)
---
.../shell/testcases/iptables/0010-wait_0 | 55 +++++++++++++++++++
iptables/xshared.c | 4 +-
2 files changed, 57 insertions(+), 2 deletions(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0010-wait_0
diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0
new file mode 100755
index 0000000000000..4481f966ce435
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0010-wait_0
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+case "$XT_MULTI" in
+*xtables-legacy-multi)
+ ;;
+*)
+ echo skip $XT_MULTI
+ exit 0
+ ;;
+esac
+
+coproc RESTORE { $XT_MULTI iptables-restore; }
+echo "*filter" >&${RESTORE[1]}
+
+
+$XT_MULTI iptables -A FORWARD -j ACCEPT &
+ipt_pid=$!
+
+waitpid -t 1 $ipt_pid
+[[ $? -eq 3 ]] && {
+ echo "process waits when it should not"
+ exit 1
+}
+wait $ipt_pid
+[[ $? -eq 0 ]] && {
+ echo "process exited 0 despite busy lock"
+ exit 1
+}
+
+t0=$(date +%s)
+$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT
+t1=$(date +%s)
+[[ $((t1 - t0)) -ge 3 ]] || {
+ echo "wait time not expired"
+ exit 1
+}
+
+$XT_MULTI iptables -w -A FORWARD -j ACCEPT &
+ipt_pid=$!
+
+waitpid -t 3 $ipt_pid
+[[ $? -eq 3 ]] || {
+ echo "no indefinite wait"
+ exit 1
+}
+kill $ipt_pid
+waitpid -t 3 $ipt_pid
+[[ $? -eq 3 ]] && {
+ echo "killed waiting iptables call did not exit in time"
+ exit 1
+}
+
+kill $RESTORE_PID
+wait
+exit 0
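Review bot: the script skips for non-legacy builds but not when `waitpid` is unavailable; `waitpid -t` is a recent util-linux addition, and on a host without it every `[[ $? -eq 3 ]]` compares the shell's 127 "command not found" status, so the first check passes spuriously and the third fails with the misleading "no indefinite wait" message. A `command -v waitpid >/dev/null || { echo skip; exit 0; }` next to the `$XT_MULTI` case would make the result meaningful. A one-line comment that the `RESTORE` coprocess exists only to hold the xtables lock (the `*filter` line is never committed) would also help the next reader, as would a note that exit status 3 from waitpid means the timeout expired, which is what all three checks rely on.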
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 5f75a0a57a023..690502c457dd0 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -270,7 +270,7 @@ static int xtables_lock(int wait)
return XT_LOCK_FAILED;
}
- if (wait != -1) {
+ if (wait > 0) {
sigact_alarm.sa_handler = alarm_ignore;
sigact_alarm.sa_flags = SA_RESETHAND;
sigemptyset(&sigact_alarm.sa_mask);
@@ -278,7 +278,7 @@ static int xtables_lock(int wait)
alarm(wait);
}
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) == 0)
return fd;
if (errno == EINTR) {
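Review bot: with `LOCK_NB` passed for `wait == 0`, flock() can now fail with EWOULDBLOCK at this call site for the first time, and the context ends at the `errno == EINTR` check; confirm that the branch following it reports the lock as busy (the "do not wait if lock is busy" case from the message) rather than dropping into a generic failure path, and that the new test's "process exited 0 despite busy lock" check is what exercises it. For `wait == -1` the alarm handler is no longer installed, so an EINTR there can only come from an unrelated signal; a short comment above the `if (wait > 0)` block spelling out the three modes listed in the commit message would spare readers the same reconstruction.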

@ -0,0 +1,40 @@
From 07ab8c7e7a1eeb6a5bb4028d92d713034df39167 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 17 Dec 2023 13:02:36 +0100
Subject: [PATCH] libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
Do as the comment in xtopt_parse_hostmask() claims and omit
XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
will catch the incompatibility.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
(cherry picked from commit 17d724f20e3c97ea8ce8765ca532a3cf49a98b31)
---
include/xtables.h | 1 -
libxtables/xtoptions.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/include/xtables.h b/include/xtables.h
index 087a1d600f9ae..9def9b43b6e58 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -61,7 +61,6 @@ struct in_addr;
* %XTTYPE_SYSLOGLEVEL: syslog level by name or number
* %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr)
* %XTTYPE_HOSTMASK: one host or address, with an optional prefix length
- * (ptr: union nf_inet_addr; only host portion is stored)
* %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t)
* %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO)
* %XTTYPE_PORTRC: colon-separated port range (names acceptable),
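Review bot: the surviving comment line still reads "with an optional prefix length", yet the preceding patch in this series (libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks) made plain netmasks acceptable too; consider "with an optional prefix length or netmask" while this entry is being touched. Dropping the "(ptr: ...)" note is consistent with the change itself, as the header now no longer advertises a storable type for XTTYPE_HOSTMASK and so matches the psize table edited in the next hunk.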
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index d91a78f470eda..ba68056dc99f7 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -57,7 +57,6 @@ static const size_t xtopt_psize[] = {
[XTTYPE_STRING] = -1,
[XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t),
[XTTYPE_HOST] = sizeof(union nf_inet_addr),
- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr),
[XTTYPE_PROTOCOL] = sizeof(uint8_t),
[XTTYPE_PORT] = sizeof(uint16_t),
[XTTYPE_PORTRC] = sizeof(uint16_t[2]),
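Review bot: removing the `xtopt_psize` entry turns an `XTOPT_PUT` with `XTTYPE_HOSTMASK` combination into a hard load-time rejection by xtables_option_metavalidate(), so any out-of-tree extension relying on the old host-only store now fails to load instead of silently receiving a truncated value; that is the intended outcome per the message, but it deserves a sentence there. The message is also the only one in this set without a Signed-off-by line above the cherry-pick note.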

@ -1,12 +0,0 @@
[Unit]
Description=Automates a packet filtering firewall with arptables
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/libexec/arptables-helper start
ExecStop=/usr/libexec/arptables-helper stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

@ -1,11 +0,0 @@
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules if firewall gets stopped
# (e.g. on system shutdown).
EBTABLES_SAVE_ON_STOP="no"
# Save (and restore) rule counters.
# Value: yes|no, default: no
# Save rule counters when saving a kernel table to a file. If the
# rule counters were saved, they will be restored when restoring the table.
EBTABLES_SAVE_COUNTER="no"

@ -1,104 +0,0 @@
#!/bin/bash
# compat for removed initscripts dependency
success() {
echo "[ OK ]"
return 0
}
failure() {
echo "[FAILED]"
return 1
}
# internal variables
EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
EBTABLES_DATA=/etc/sysconfig/ebtables
EBTABLES_TABLES="filter nat"
if ebtables --version | grep -q '(legacy)'; then
EBTABLES_TABLES+=" broute"
fi
VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
# ebtables-config defaults
EBTABLES_SAVE_ON_STOP="no"
EBTABLES_SAVE_COUNTER="no"
# load config if existing
[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
initialize() {
local ret=0
for table in $EBTABLES_TABLES; do
ebtables -t $table --init-table || ret=1
done
return $ret
}
sanitize_dump() {
local drop=false
export EBTABLES_TABLES
cat $1 | while read line; do
case $line in
\**)
drop=false
local table="${line#\*}"
local found=false
for t in $EBTABLES_TABLES; do
if [[ $t == "$table" ]]; then
found=true
break
fi
done
$found || drop=true
;;
esac
$drop || echo "$line"
done
}
start() {
if [ -f $EBTABLES_DATA ]; then
echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
sanitize_dump $EBTABLES_DATA | ebtables-restore
else
echo -n $"ebtables: no stored ruleset, initializing empty tables: "
initialize
fi
local ret=$?
touch $VAR_SUBSYS_EBTABLES
return $ret
}
save() {
echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
export EBTABLES_SAVE_COUNTER
ebtables-save >$EBTABLES_DATA && success || failure
}
case $1 in
start)
[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
start && success || failure
RETVAL=$?
;;
stop)
[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
echo -n $"ebtables: stopping firewall: "
initialize && success || failure
RETVAL=$?
rm -f $VAR_SUBSYS_EBTABLES
;;
save)
save
;;
*)
echo "usage: ${0##*/} {start|stop|save}" >&2
RETVAL=2
;;
esac
exit $RETVAL

@ -1,11 +0,0 @@
[Unit]
Description=Ethernet Bridge Filtering tables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/ebtables-helper start
ExecStop=/usr/libexec/ebtables-helper stop
[Install]
WantedBy=multi-user.target

@ -1,35 +0,0 @@
extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")

@ -1,6 +1,3 @@
%define iptables_rpmversion 1.8.10
%define iptables_specrelease 4
# install init scripts to /usr/libexec with systemd # install init scripts to /usr/libexec with systemd
%global script_path %{_libexecdir}/iptables %global script_path %{_libexecdir}/iptables
@ -10,16 +7,11 @@
%global iptc_so_ver 0 %global iptc_so_ver 0
%global ipXtc_so_ver 2 %global ipXtc_so_ver 2
# build legacy sub-packages only on non-rhel distributions
%global do_legacy_pkg ! 0%{?rhel}
%define _unpackaged_files_terminate_build 0
Name: iptables Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: %{iptables_rpmversion} Version: 1.8.10
Release: %{iptables_specrelease}%{?dist}%{?buildid} Release: 8%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.xz Source: %{url}/files/%{name}-%{version}.tar.xz
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -27,25 +19,25 @@ Source3: iptables.service
Source4: sysconfig_iptables Source4: sysconfig_iptables
Source5: sysconfig_ip6tables Source5: sysconfig_ip6tables
Source6: arptables-nft-helper Source6: arptables-nft-helper
Source7: arptables.service
Source8: ebtables-helper Patch001: 0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch
Source9: ebtables.service Patch002: 0002-arptables-nft-remove-ARPT_INV-flags-usage.patch
Source10: ebtables-config Patch003: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
Source11: iptables-test.stderr.expect Patch004: 0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch
Patch005: 0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch Patch006: 0006-ebtables-Align-line-number-formatting-with-legacy.patch
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch Patch007: 0007-man-Do-not-escape-exclamation-marks.patch
Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch Patch008: 0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch
Patch4: 0004-nft-Fix-for-broken-recover_rule_compat.patch Patch009: 0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
Patch5: 0005-extensions-libxt_sctp-Add-an-extra-assert.patch Patch010: 0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic 2.0 # iptables-apply: Artistic Licence 2.0
License: GPLv2 and Artistic 2.0 and ISC License: GPL-2.0-only AND Artistic-2.0 AND ISC
# libnetfilter_conntrack is needed for xt_connlabel # libnetfilter_conntrack is needed for xt_connlabel
BuildRequires: pkgconfig(libnetfilter_conntrack) BuildRequires: pkgconfig(libnetfilter_conntrack)
# libnfnetlink-devel is required for nfnl_osf # libnfnetlink-devel is requires for nfnl_osf
BuildRequires: pkgconfig(libnfnetlink) BuildRequires: pkgconfig(libnfnetlink)
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: kernel-headers BuildRequires: kernel-headers
@ -73,10 +65,13 @@ Summary: Legacy tools for managing Linux kernel packet filtering capabilities
Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release} Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Conflicts: setup < 2.10.4-1 Conflicts: setup < 2.10.4-1
Requires(post): %{_sbindir}/update-alternatives Requires(post): /usr/sbin/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives Requires(postun): /usr/sbin/update-alternatives
Obsoletes: %{name} < %{version}-%{release} %if 0%{?rhel} < 9
Provides: iptables Provides: iptables
%endif
Provides: %{name}-compat = %{version}-%{release}
Obsoletes: %{name}-compat < 1.8.9-7
%description legacy %description legacy
The iptables utility controls the network packet filtering code in the The iptables utility controls the network packet filtering code in the
@ -96,7 +91,6 @@ and logic for those is kept in per-extension shared object files.
%package legacy-libs %package legacy-libs
Summary: iptables legacy libraries Summary: iptables legacy libraries
Obsoletes: %{name}-libs < %{version}-%{release}
%description legacy-libs %description legacy-libs
iptables libraries. iptables libraries.
@ -110,6 +104,8 @@ For more information about this, please have a look at
%package devel %package devel
Summary: Development package for iptables Summary: Development package for iptables
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
# XXX: Drop this after two releases or so
Requires: %{name}-legacy-devel%{?_isa} = %{version}-%{release}
Requires: pkgconfig Requires: pkgconfig
%description devel %description devel
@ -129,7 +125,12 @@ stable and may change with every new version. It is therefore unsupported.
%package services %package services
Summary: iptables and ip6tables services for iptables Summary: iptables and ip6tables services for iptables
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
Requires: %{name}-utils = %{version}-%{release}
%{?systemd_ordering} %{?systemd_ordering}
# obsolete old main package
Obsoletes: %{name} < 1.4.16.1
# obsolete ipv6 sub package
Obsoletes: %{name}-ipv6 < 1.4.11.1
BuildArch: noarch BuildArch: noarch
%description services %description services
@ -138,27 +139,6 @@ iptables services for IPv4 and IPv6
This package provides the services iptables and ip6tables that have been split This package provides the services iptables and ip6tables that have been split
out of the base package since they are not active by default anymore. out of the base package since they are not active by default anymore.
%package nft-services
Summary: Services for nft-variants of iptables, ebtables and arptables
Requires: %{name}-nft = %{version}-%{release}
Conflicts: arptables-services
Conflicts: ebtables-services
Provides: iptables-services = %{version}-%{release}
Provides: arptables-services
Provides: ebtables-services
Obsoletes: iptables-services <= 1.8.4
Obsoletes: iptables-arptables <= 1.8.4
Obsoletes: iptables-ebtables <= 1.8.4
Obsoletes: iptables-nft-compat <= 1.8.7-19
%{?systemd_ordering}
BuildArch: noarch
%description nft-services
Services for nft-variants of iptables, ebtables and arptables
This package provides the services iptables, ip6tables, arptables and ebtables
for use with iptables-nft which provides nft-variants of these tools.
%package utils %package utils
Summary: iptables and ip6tables misc utilities Summary: iptables and ip6tables misc utilities
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
@ -173,21 +153,20 @@ a safer way to update iptables remotely.
%package nft %package nft
Summary: nftables compatibility for iptables, arptables and ebtables Summary: nftables compatibility for iptables, arptables and ebtables
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires(post): %{_sbindir}/update-alternatives Requires(post): /usr/sbin/update-alternatives
Requires(post): %{_bindir}/readlink Requires(post): /usr/bin/readlink
Requires(postun): %{_sbindir}/update-alternatives Requires(postun): /usr/sbin/update-alternatives
Obsoletes: iptables-compat < 1.6.2-4
Provides: arptables-helper Provides: arptables-helper
Provides: iptables Provides: iptables
Provides: arptables Provides: arptables
Provides: ebtables Provides: ebtables
Obsoletes: iptables <= 1.8.4
%description nft %description nft
nftables compatibility for iptables, arptables and ebtables. nftables compatibility for iptables, arptables and ebtables.
%prep %prep
%autosetup -p1 %autosetup -p1
cp %{SOURCE11} .
%build %build
./autogen.sh ./autogen.sh
@ -248,45 +227,25 @@ install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables
# Remove /etc/ethertypes (now part of setup) # Remove /etc/ethertypes (now part of setup)
rm -f %{buildroot}%{_sysconfdir}/ethertypes rm -f %{buildroot}%{_sysconfdir}/ethertypes
# extra sources for arptables install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/
install -p -D -m 755 %{SOURCE6} %{buildroot}%{_libexecdir}/arptables-nft-helper touch %{buildroot}%{_libexecdir}/arptables-helper
install -p -D -m 644 %{SOURCE7} %{buildroot}%{_unitdir}/arptables.service
touch %{buildroot}%{_sysconfdir}/sysconfig/arptables
# extra sources for ebtables
install -p %{SOURCE9} %{buildroot}%{_unitdir}/
install -m0755 %{SOURCE8} %{buildroot}%{_libexecdir}/ebtables-helper
install -m0600 %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config
touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables
# prepare for alternatives # prepare for alternatives
touch %{buildroot}%{_libexecdir}/arptables-helper
touch %{buildroot}%{_mandir}/man8/arptables.8 touch %{buildroot}%{_mandir}/man8/arptables.8
touch %{buildroot}%{_mandir}/man8/arptables-save.8 touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8
touch %{buildroot}%{_mandir}/man8/ebtables.8 touch %{buildroot}%{_mandir}/man8/ebtables.8
# add symlinks for compatibility to merged extensions # fix absolute symlink
link_ext() { # (target, link) rm -f %{buildroot}%{_bindir}/iptables-xml
local targetfile="%{buildroot}%{_libdir}/xtables/${1}.so" ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml
local targetname="${1}.so"
local link="%{buildroot}%{_libdir}/xtables/${2}.so"
[[ -e "$link" ]] && return 0
[[ -e "$targetfile" ]] || return 0
ln -s $targetname $link
}
for fam in ip ip6; do
link_ext libxt_LOG lib${fam}t_LOG
link_ext libxt_NAT lib${fam}t_SNAT
link_ext libxt_NAT lib${fam}t_MASQUERADE
done
%ldconfig_scriptlets %ldconfig_scriptlets
%post legacy %post legacy
pfx=%{_sbindir}/iptables pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \ /usr/sbin/update-alternatives --install \
$pfx iptables $pfx-legacy 10 \ $pfx iptables $pfx-legacy 10 \
--slave $pfx6 ip6tables $pfx6-legacy \ --slave $pfx6 ip6tables $pfx6-legacy \
--slave $pfx-restore iptables-restore $pfx-legacy-restore \ --slave $pfx-restore iptables-restore $pfx-legacy-restore \
@ -296,10 +255,33 @@ pfx6=%{_sbindir}/ip6tables
%postun legacy %postun legacy
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove \ /usr/sbin/update-alternatives --remove \
iptables %{_sbindir}/iptables-legacy iptables %{_sbindir}/iptables-legacy
fi fi
# iptables-1.8.0-1 introduced the use of alternatives
# when upgrading, its %postun script runs due to the package renaming
# fix this by repeating the install into alternatives
# also keep the old alternatives configuration to not change the system
%triggerun legacy -- iptables > 1.8.0
alternatives --list | awk '/^iptables/{print $3; exit}' \
>/var/tmp/alternatives.iptables.current
cp /var/lib/alternatives/iptables /var/tmp/alternatives.iptables.setup
%triggerpostun legacy -- iptables > 1.8.0
pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables
/usr/sbin/update-alternatives --install \
$pfx iptables $pfx-legacy 10 \
--slave $pfx6 ip6tables $pfx6-legacy \
--slave $pfx-restore iptables-restore $pfx-legacy-restore \
--slave $pfx-save iptables-save $pfx-legacy-save \
--slave $pfx6-restore ip6tables-restore $pfx6-legacy-restore \
--slave $pfx6-save ip6tables-save $pfx6-legacy-save
alternatives --set iptables $(</var/tmp/alternatives.iptables.current)
rm /var/tmp/alternatives.iptables.current
mv /var/tmp/alternatives.iptables.setup /var/lib/alternatives/iptables
%post services %post services
%systemd_post iptables.service ip6tables.service %systemd_post iptables.service ip6tables.service
@ -310,25 +292,12 @@ fi
%?ldconfig %?ldconfig
%systemd_postun iptables.service ip6tables.service %systemd_postun iptables.service ip6tables.service
%post nft-services
%systemd_post iptables.service ip6tables.service
%systemd_post arptables.service ebtables.service
%preun nft-services
%systemd_preun iptables.service ip6tables.service
%systemd_preun arptables.service ebtables.service
%postun nft-services
%?ldconfig
%systemd_postun iptables.service ip6tables.service
%systemd_postun arptables.service ebtables.service
%post -e nft %post -e nft
[[ %%{_excludedocs} == 1 ]] || do_man=true [[ %%{_excludedocs} == 1 ]] || do_man=true
pfx=%{_sbindir}/iptables pfx=%{_sbindir}/iptables
pfx6=%{_sbindir}/ip6tables pfx6=%{_sbindir}/ip6tables
%{_sbindir}/update-alternatives --install \ /usr/sbin/update-alternatives --install \
$pfx iptables $pfx-nft 10 \ $pfx iptables $pfx-nft 10 \
--slave $pfx6 ip6tables $pfx6-nft \ --slave $pfx6 ip6tables $pfx6-nft \
--slave $pfx-restore iptables-restore $pfx-nft-restore \ --slave $pfx-restore iptables-restore $pfx-nft-restore \
@ -346,7 +315,7 @@ done
if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then
rm -f $manpfx.8.gz rm -f $manpfx.8.gz
fi fi
%{_sbindir}/update-alternatives --install \ /usr/sbin/update-alternatives --install \
$pfx ebtables $pfx-nft 10 \ $pfx ebtables $pfx-nft 10 \
--slave $pfx-save ebtables-save $pfx-nft-save \ --slave $pfx-save ebtables-save $pfx-nft-save \
--slave $pfx-restore ebtables-restore $pfx-nft-restore \ --slave $pfx-restore ebtables-restore $pfx-nft-restore \
@ -366,7 +335,7 @@ done
if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then
rm -f $lepfx-helper rm -f $lepfx-helper
fi fi
%{_sbindir}/update-alternatives --install \ /usr/sbin/update-alternatives --install \
$pfx arptables $pfx-nft 10 \ $pfx arptables $pfx-nft 10 \
--slave $pfx-save arptables-save $pfx-nft-save \ --slave $pfx-save arptables-save $pfx-nft-save \
--slave $pfx-restore arptables-restore $pfx-nft-restore \ --slave $pfx-restore arptables-restore $pfx-nft-restore \
@ -378,25 +347,37 @@ fi
%postun nft %postun nft
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
for cmd in iptables ebtables arptables; do for cmd in iptables ebtables arptables; do
%{_sbindir}/update-alternatives --remove \ /usr/sbin/update-alternatives --remove \
$cmd %{_sbindir}/$cmd-nft $cmd %{_sbindir}/$cmd-nft
done done
fi fi
%if %{do_legacy_pkg}
%files legacy %files legacy
%{_sbindir}/ip{,6}tables-legacy* %{_sbindir}/ip{,6}tables-legacy*
%{_sbindir}/xtables-legacy-multi %{_sbindir}/xtables-legacy-multi
%{_bindir}/iptables-xml %{_bindir}/iptables-xml
%{_mandir}/man1/iptables-xml* %{_mandir}/man1/iptables-xml*
%{_mandir}/man8/xtables-legacy* %{_mandir}/man8/xtables-legacy*
%{_datadir}/xtables/iptables.xslt
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore} %ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
%files libs
%license COPYING
%{_libdir}/libxtables.so.12*
%dir %{_libdir}/xtables
%{_libdir}/xtables/lib{ip,ip6,x}t*
%{_mandir}/man8/ip{,6}tables.8.gz
%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
%files legacy-libs %files legacy-libs
%license COPYING %license COPYING
%{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}* %{_libdir}/libip{4,6}tc.so.%{ipXtc_so_ver}*
%files devel
%{_includedir}/xtables{,-version}.h
%{_libdir}/libxtables.so
%{_libdir}/pkgconfig/xtables.pc
%files legacy-devel %files legacy-devel
%dir %{_includedir}/libiptc %dir %{_includedir}/libiptc
%{_includedir}/libiptc/*.h %{_includedir}/libiptc/*.h
@ -411,35 +392,6 @@ fi
%dir %{legacy_actions}/ip{,6}tables %dir %{legacy_actions}/ip{,6}tables
%{legacy_actions}/ip{,6}tables/{save,panic} %{legacy_actions}/ip{,6}tables/{save,panic}
# do_legacy_pkg
%endif
%files nft-services
%{_unitdir}/{arp,eb}tables.service
%{_libexecdir}/ebtables-helper
%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
%ghost %{_sysconfdir}/sysconfig/arptables
%ghost %{_sysconfdir}/sysconfig/ebtables
%dir %{script_path}
%{script_path}/ip{,6}tables.init
%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
%{_unitdir}/ip{,6}tables.service
%dir %{legacy_actions}/ip{,6}tables
%{legacy_actions}/ip{,6}tables/{save,panic}
%files libs
%license COPYING
%{_libdir}/libxtables.so.12*
%dir %{_libdir}/xtables
%{_libdir}/xtables/lib{ip,ip6,x}t*
%{_mandir}/man8/ip{,6}tables.8.gz
%{_mandir}/man8/ip{,6}tables-{extensions,save,restore}.8.gz
%files devel
%{_includedir}/xtables{,-version}.h
%{_libdir}/libxtables.so
%{_libdir}/pkgconfig/xtables.pc
%files utils %files utils
%license COPYING %license COPYING
%{_sbindir}/nfnl_osf %{_sbindir}/nfnl_osf
@ -455,9 +407,9 @@ fi
%{_sbindir}/ip{,6}tables-nft* %{_sbindir}/ip{,6}tables-nft*
%{_sbindir}/ip{,6}tables{,-restore}-translate %{_sbindir}/ip{,6}tables{,-restore}-translate
%{_sbindir}/{eb,arp}tables-nft* %{_sbindir}/{eb,arp}tables-nft*
%{_sbindir}/ebtables-translate
%{_sbindir}/xtables-nft-multi %{_sbindir}/xtables-nft-multi
%{_sbindir}/xtables-monitor %{_sbindir}/xtables-monitor
%{_sbindir}/ebtables-translate
%dir %{_libdir}/xtables %dir %{_libdir}/xtables
%{_libdir}/xtables/lib{arp,eb}t* %{_libdir}/xtables/lib{arp,eb}t*
%{_libexecdir}/arptables-nft-helper %{_libexecdir}/arptables-nft-helper
@ -465,156 +417,113 @@ fi
%{_mandir}/man8/xtables-translate* %{_mandir}/man8/xtables-translate*
%{_mandir}/man8/*-nft* %{_mandir}/man8/*-nft*
%{_mandir}/man8/ip{,6}tables{,-restore}-translate* %{_mandir}/man8/ip{,6}tables{,-restore}-translate*
%{_mandir}/man8/ebtables-translate*
%ghost %{_sbindir}/ip{,6}tables{,-save,-restore} %ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore} %ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
%ghost %{_libexecdir}/arptables-helper %ghost %{_libexecdir}/arptables-helper
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz %ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
%ghost %{_mandir}/man8/ebtables{,-translate}.8.gz %ghost %{_mandir}/man8/ebtables.8.gz
%changelog %changelog
* Wed Jul 03 2024 Phil Sutter <psutter@redhat.com> [1.8.10-4.el9] * Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1.8.10-8
- spec: Simplify legacy package integration (Phil Sutter) [RHEL-5797] - Rebuilt for MSVSphere 10
* Wed Jun 12 2024 Phil Sutter <psutter@redhat.com> [1.8.10-3.el9] * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.8.10-8
- extensions: libxt_sctp: Add an extra assert() (Phil Sutter) [RHEL-40928] - Bump release for June 2024 mass rebuild
- spec: Add symlinks for merged extension DSOs (Phil Sutter) [RHEL-32463]
- nft: Fix for broken recover_rule_compat() (Phil Sutter) [RHEL-26619]
- spec: Ship ebtables-translate and man page (Phil Sutter) [RHEL-32922]
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9] * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10-7
- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147] - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.8.10-1.el9] * Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.10-6
- spec: Support for _excludedocs macro in alternatives installation (Phil Sutter) [RHEL-5810] - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
- Rebase onto version 1.8.10 (Phil Sutter) [RHEL-14147]
* Wed Dec 07 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-6 * Thu Jan 11 2024 Phil Sutter <psutter@redhat.com> - 1.8.10-5
- Add expected testsuite result - Backport fixes from upstream
- Fix flatpak build
* Tue Dec 06 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-5 * Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> - 1.8.10-4
- nft: un-break among match with concatenation - The actual obsoletes fix
- nft: fix ebtables among match when mac+ip addresses are used
* Tue Jul 05 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-4 * Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> - 1.8.10-3
- libxtables: Fix unsupported extension warning corner case - Fix compat sub-package obsoletion
* Wed Jun 08 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-3 * Tue Oct 10 2023 Phil Sutter <psutter@redhat.com> - 1.8.10-2
- arptables: Support -x/--exact flag - Obsolete dropped compat package
* Thu Jun 02 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-2 * Tue Oct 10 2023 Phil Sutter <psutter@redhat.com> - 1.8.10-1
- tests: shell: Check overhead in iptables-save and -restore - New version 1.8.10
- Drop compat sub-package
* Fri May 13 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-1 * Tue Aug 15 2023 Phil Sutter <psutter@redhat.com> - 1.8.9-6
- new version - Convert license to SPDX format
* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-30 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.9-5
- Use proto_to_name() from xshared in more places - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-29 * Wed May 24 2023 Phil Sutter <psutter@redhat.com> - 1.8.9-4
- libxtables: Boost rule target checks by announcing chain names - Backport fixes from upstream
- libxtables: Implement notargets hash table
- nft: Reject standard targets as chain names when restoring
- xshared: Merge and share parse_chain()
- xshared: Prefer xtables_chain_protos lookup over getprotoent
- nft: Speed up immediate parsing
- nft: Simplify immediate parsing
* Wed Feb 16 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-28 * Thu Apr 20 2023 Phil Sutter <psutter@redhat.com> - 1.8.9-3
- extensions: SECMARK: Use a better context in test case - Support %%_excludedocs macro in alternatives installation
* Fri Jan 28 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-27 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.9-2
- extensions: SECMARK: Implement revision 1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Oct 11 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-26 * Thu Jan 12 2023 Phil Sutter <psutter@redhat.com> - 1.8.9-1
- tests/shell: Assert non-verbose mode is silent - Make iptables-xml a relative symlink
- nft: Fix for non-verbose check command - Drop not needed xtables.conf
- Ship iptables.xslt with iptables-legacy package
- Ship ebtables-translate tool with iptables-nft package
- Update to 1.8.9.
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jul 08 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.8-2
- iptables-services requires iptables-apply in utils to apply rules
* Fri May 13 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-1
- Update to 1.8.8. Fixes rhbz#2085503
* Thu Mar 03 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-16
- Improve error messages for unsupported extensions
- xshared: Fix response to unprivileged users
- libxtables: Register only the highest revision extension
- Ignore typical 'fedpkg local' results in .gitignore
* Wed Oct 06 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-25 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-15
- ebtables: Dump atomic waste - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Nov 27 2021 Kevin Fenzi <kevin@scrye.com> - 1.8.7-14
- Rebuild for new libnftnl.
* Thu Aug 05 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-13
- doc: ebtables-nft.8: Adjust for missing atomic-options - doc: ebtables-nft.8: Adjust for missing atomic-options
- nft: Use xtables_malloc() in mnl_err_list_node_add() - nft: Fix for non-verbose check command
- Build services sub-package as noarch
* Fri Oct 01 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-24 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.7-12
- Add missing readlink required for iptables-nft(post) - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu Jul 01 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11
- Fix performance restoring large rulesets
- Review unit file
* Wed Jun 16 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-10
- Backport fixes from upstream
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.8.7-23 * Wed Jun 16 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Remove bashisms from arptables-nft-helper
Related: rhbz#1991688
* Fri May 07 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8
* Thu Aug 05 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-22
- nft-services must not depend on specific arch's build
* Thu Aug 05 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-21
- Build services sub-packages as noarch
* Fri Jul 30 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-20
- Make nft-services obsolete nft-compat to fix upgrade path
* Thu Jul 29 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-19
- Build iptables-services on C9S only
- Use systemd_ordering in nft-services, too
- Drop compat package, nft-services serves well for that purpose
- Make legacy unconditionally provide iptables, it's not built on RHEL
* Wed Jul 28 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-18
- Make iptables-nft-services require iptables-services to avoid confusion
- Add deprecation notice to iptables-extensions man page as well
* Mon Jul 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-17
- Provide a compat package to fix upgrade path from RHEL8
* Mon Jul 05 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-16
- Review systemd unit file
* Fri Jul 02 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-15
- doc: Improve deprecation notices a bit
- nft: cache: Sort chains on demand only
- nft: Increase BATCH_PAGE_SIZE to support huge rulesets
* Fri Jun 25 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-14
- doc: Add deprecation notices to all relevant man pages
* Wed Jun 16 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-13
- extensions: sctp: Fix nftables translation
- nft: Fix bitwise expression avoidance detection
- iptables-nft: fix -Z option
- Do not build legacy sub-packages on RHEL
* Thu Jun 10 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-12
- arptables-nft-helper: Remove bashisms
- ebtables-helper: Drop unused variable, add a missing quote
- extensions: libxt_string: Avoid buffer size warning for strncpy()
- libxtables: Introduce xtables_strdup() and use it everywhere
- extensions: libebt_ip6: Use xtables_ip6parse_any()
- iptables-apply: Drop unused variable
- nft: Avoid buffer size warnings copying iface names
- nft: Avoid memleak in error path of nft_cmd_new()
- libxtables: Fix memleak in xtopt_parse_hostmask()
- extensions: libebt_ip6: Drop unused variables
- libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
* Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11
- Fix License name in spec file
- Eliminate inet_aton() and inet_ntoa()
- nft-arp: Make use of ipv4_addr_to_string()
- Make legacy sub-packages obsolete older non-legacy ones
- Fix dates in changelog
- iptables.init: Fix functionality for iptables-nft - iptables.init: Fix functionality for iptables-nft
- iptables.init: Ignore sysctl files not suffixed '.conf' - iptables.init: Ignore sysctl files not suffixed '.conf'
- iptables.init: Drop unused NEW_MODUTILS check - iptables.init: Drop unused NEW_MODUTILS check
- iptables.init: Drop some trailing whitespace - iptables.init: Drop some trailing whitespace
* Fri Apr 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-10 * Mon Mar 29 2021 Damian Wrobel <dwrobel@ertelnet.rybnik.pl> - 1.8.7-7
- Add provides to iptables-nft-services - Add missing readlink required for iptables-nft(post)
* Wed Apr 21 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-9
- Add nft-services subpackage
* Mon Apr 19 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-8
- Drop hacks to maintain upgrade path
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.8.7-7
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-6 * Tue Mar 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-6
- Restore alternatives configuration after upgrade - Restore alternatives configuration after upgrade
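Review bot: at the top of the right-hand changelog two consecutive entries carry the same release, `Fri Oct 25 2024 MSVSphere Packaging Team ... - 1.8.10-8` directly above `Mon Jun 24 2024 Troy Dawson ... - 1.8.10-8`; a rebuild entry needs its own bumped Release so the header's Release tag and the changelog agree and the rebuilt package is seen as an upgrade. Also worth checking in this hunk: the `Thu Mar 03 2022 ... - 1.8.7-16` entry sits below `1.8.8-1` while a later `1.8.7-15` entry follows it, so make sure the entries are still ordered newest first after the merge.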
@ -646,13 +555,13 @@ fi
* Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.8.7-1 * Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.8.7-1
- Update to 1.8.7. Fixes rhbz#1916948 - Update to 1.8.7. Fixes rhbz#1916948
* Thu Nov 19 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-5 * Thu Nov 19 17:32:24 CET 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-5
- Use make macros - Use make macros
* Tue Nov 17 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-4 * Tue Nov 17 14:05:30 CET 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-4
- ebtables: Fix for broken chain renaming - ebtables: Fix for broken chain renaming
* Mon Nov 16 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-3 * Mon Nov 16 13:39:22 CET 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-3
- Drop obsolete StandardOutput setting from unit file - Drop obsolete StandardOutput setting from unit file
- Remove StandardError setting from unit file, its value is default - Remove StandardError setting from unit file, its value is default
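Review bot: the right-hand entries for 1.8.6-5, 1.8.6-4 and 1.8.6-3 use the long `date` form with time and zone (`Thu Nov 19 17:32:24 CET 2020`) whereas the left-hand column and every other entry use the short `Day Mon DD YYYY` form; normalising these three to the short form, as the left side already does, keeps the changelog consistent and avoids depending on the newer rpm date parser accepting the six-field format.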
@ -662,7 +571,7 @@ fi
* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.8.6-1 * Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.8.6-1
- Update to 1.8.6. Fixes bug #1893453 - Update to 1.8.6. Fixes bug #1893453
* Tue Aug 25 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3 * Tue Aug 25 15:56:10 GMT 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3
- nft: cache: Check consistency with NFT_CL_FAKE, too - nft: cache: Check consistency with NFT_CL_FAKE, too
- nft: Fix command name in ip6tables error message - nft: Fix command name in ip6tables error message