From 8724b1aa12f413aabfe39ac2d835eb1465930a52 Mon Sep 17 00:00:00 2001 From: yangl777 Date: Fri, 25 Apr 2025 16:29:37 +0800 Subject: [PATCH] ip6tables:Fix checking existence of rule (cherry picked from commit dfda463ee924bf1be5bed272a2ecc2c4c1f4d7b0) --- ...ables-Fix-checking-existence-of-rule.patch | 35 +++++++++++++++++++ iptables.spec | 9 ++++- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 backport-ip6tables-Fix-checking-existence-of-rule.patch diff --git a/backport-ip6tables-Fix-checking-existence-of-rule.patch b/backport-ip6tables-Fix-checking-existence-of-rule.patch new file mode 100644 index 0000000..6c24717 --- /dev/null +++ b/backport-ip6tables-Fix-checking-existence-of-rule.patch @@ -0,0 +1,35 @@ +From 78850e7dba64a949c440dbdbe557f59409c6db48 Mon Sep 17 00:00:00 2001 +From: Markus Boehme +Date: Mon, 3 Apr 2023 23:13:47 +0200 +Subject: ip6tables: Fix checking existence of rule + +Pass the proper entry size when creating a match mask for checking the +existence of a rule. Failing to do so causes wrong results. + +Reported-by: Jonathan Caicedo +Fixes: eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables") +Signed-off-by: Markus Boehme +Signed-off-by: Phil Sutter + +Conflict:Adapt context +Reference:https://git.netfilter.org/iptables/commit/?id=78850e7dba64a949c440dbdbe557f59409c6db48 +--- + iptables/ip6tables.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c +index 7038689..5c10679 100644 +--- a/iptables/ip6tables.c ++++ b/iptables/ip6tables.c +@@ -352,7 +352,7 @@ check_entry(const xt_chainlabel chain, struct ip6t_entry *fw, + return 0; + } + +- mask = make_delete_mask(matches, target, sizeof(fw)); ++ mask = make_delete_mask(matches, target, sizeof(*fw)); + for (i = 0; i < nsaddrs; i++) { + fw->ipv6.src = saddrs[i]; + fw->ipv6.smsk = smasks[i]; +-- +2.43.0 + diff --git a/iptables.spec b/iptables.spec index df423d5..398b739 100644 --- a/iptables.spec 
+++ b/iptables.spec @@ -2,7 +2,7 @@ %global legacy_actions %{_libexecdir}/initscripts/legacy-actions Name: iptables Version: 1.8.9 -Release: 9 +Release: 10 Summary: IP packet filter administration utilities License: GPL-2.0-only and Artistic-2.0 URL: https://www.netfilter.org/ @@ -31,6 +31,7 @@ Patch14: backport-xshared-Fix-parsing-of-empty-string-arg-in-c-option.p Patch15: tests-extensions-add-some-testcases.patch Patch16: backport-extensions-recent-Fix-format-string-for-unsigned-values.patch Patch17: backport-nft-cmd-Init-struct-nft_cmd-head-early.patch +Patch18: backport-ip6tables-Fix-checking-existence-of-rule.patch BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd @@ -342,6 +343,12 @@ fi %{_datadir}/xtables/iptables.xslt %changelog +* Fri Apr 25 2025 yanglu - 1.8.9-10 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:ip6tables:Fix checking existence of rule + * Tue Dec 3 2024 sunsuwan - 1.8.9-9 - Type:bugfix - CVE:NA -- Gitee
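Review bot: The one-line change in the backported hunk (`sizeof(fw)` to `sizeof(*fw)` in `check_entry()` of iptables/ip6tables.c) is the right fix and is minimal: `fw` is a `struct ip6t_entry *`, so `sizeof(fw)` is the size of a pointer rather than of the entry, and `make_delete_mask()` was being handed the wrong entry size, which matches the wrong existence-check results the upstream commit message describes. Two follow-ups for the backport header: "Conflict:Adapt context" says nothing about which context lines differed from upstream 78850e7d, so a short note of what was adapted would help the next rebase; and since this package already carries tests-extensions-add-some-testcases.patch, a test that checks an existing ip6tables rule with `-C` would make the regression visible in the package's own test run rather than only in the commit text.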
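Review bot: In the `@@ -31,6 +31,7 @@` hunk, `Patch18:` follows the existing numbering and the filename matches the new backport-ip6tables-Fix-checking-existence-of-rule.patch file, but the diff does not show the %prep section, so confirm that the spec applies patches with `%autosetup` (or that a matching `%patch18` line exists); a `PatchNN:` declaration alone does not apply the patch.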
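Review bot: The new changelog entry in the `@@ -342,6 +343,12 @@` hunk is consistent with the `Release: 10` bump (version string `1.8.9-10`, correct weekday for Apr 25 2025, same Type/CVE/SUG/DESC layout as the 1.8.9-9 entry below it). Consider adding the upstream commit id (78850e7dba64a949c440dbdbe557f59409c6db48, already cited in the backport header) to the DESC line so the changelog alone is enough to trace the fix; the author name "yanglu" also differs from the commit author "yangl777", which is cosmetic but worth keeping consistent across the packaging history.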