diff --git a/Allocate-rule-cache-just-once.patch b/Allocate-rule-cache-just-once.patch deleted file mode 100644 index b42a147cc025c354cdef7b10ac1b975c2029af7b..0000000000000000000000000000000000000000 --- a/Allocate-rule-cache-just-once.patch +++ /dev/null @@ -1,38 +0,0 @@ -From c2594475dd270e3a81033fed2e5251dbd5ce319b Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 2 Aug 2018 17:05:08 +0200 -Subject: xtables: Allocate rule cache just once - -For each parsed table, xtables-restore calls nft_table_flush() which -each time allocates a new rule cache, possibly overwriting the pointer -to the previously allocated one. Fix this by checking the pointer value -and only allocate if it's NULL. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/iptables/nft.c b/iptables/nft.c -index a9cb92ed..d5c4c766 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -1867,9 +1867,11 @@ next: - t = nftnl_table_list_iter_next(iter); - } - -- h->rule_cache = nftnl_rule_list_alloc(); -- if (h->rule_cache == NULL) -- return -1; -+ if (!h->rule_cache) { -+ h->rule_cache = nftnl_rule_list_alloc(); -+ if (h->rule_cache == NULL) -+ return -1; -+ } - - err_table_iter: - nftnl_table_list_iter_destroy(iter); --- -cgit v1.2.1 - diff --git a/Fix-for-nft_rule_flush-returning-garbage.patch b/Fix-for-nft_rule_flush-returning-garbage.patch deleted file mode 100644 index b89baf9a2fb368da06fd8c32871f19a8ad5bb49c..0000000000000000000000000000000000000000 --- a/Fix-for-nft_rule_flush-returning-garbage.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 89d344381c81bd1d5f29b498844f20280200c786 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 2 Aug 2018 17:05:09 +0200 -Subject: xtables: Fix for nft_rule_flush() returning garbage - -Due to variable 'ret' not being initialized in all situations, return -code of the function depends on garbage in stack. Fix this by -initializing 'ret' to zero upon declaration. - -While being at it, make nftnl_chain_list_get() failure as well as -nftnl_chain_list_iter_create() failure an error condition since both -functions should succeed even if the current ruleset does not contain -any chains at all. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/iptables/nft.c b/iptables/nft.c -index d5c4c766..f2d6ea13 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -1474,7 +1474,7 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list, - - int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table) - { -- int ret; -+ int ret = 0; - struct nftnl_chain_list *list; - struct nftnl_chain_list_iter *iter; - struct nftnl_chain *c; -@@ -1486,13 +1486,15 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table) - - list = nftnl_chain_list_get(h); - if (list == NULL) { -- ret = 0; -+ ret = 1; - goto err; - } - - iter = nftnl_chain_list_iter_create(list); -- if (iter == NULL) -+ if (iter == NULL) { -+ ret = 1; - goto err; -+ } - - c = nftnl_chain_list_iter_next(iter); - while (c != NULL) { --- -cgit v1.2.1 - diff --git a/Fix-for-potential-array-boundary-overstep.patch b/Fix-for-potential-array-boundary-overstep.patch deleted file mode 100644 index 66f45ce7bb94edc2a765fd55966d856d2dc8ba9a..0000000000000000000000000000000000000000 --- a/Fix-for-potential-array-boundary-overstep.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From bfd41c8d99a54769678e0c66d55797082bf1edd3 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Mon, 10 Sep 2018 23:35:15 +0200 -Subject: ebtables: Fix for potential array boundary overstep - -Fix the parameter check in nft_ebt_standard_target() to avoid an array -out of bounds access in ebt_standard_targets. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft-bridge.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h -index 1fe26bab..9d49ccbe 100644 ---- a/iptables/nft-bridge.h -+++ b/iptables/nft-bridge.h -@@ -78,7 +78,7 @@ static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = { - - static inline const char *nft_ebt_standard_target(unsigned int num) - { -- if (num > NUM_STANDARD_TARGETS) -+ if (num >= NUM_STANDARD_TARGETS) - return NULL; - - return ebt_standard_targets[num]; --- -cgit v1.2.1 - diff --git a/Fix-for-segfault-in-iptables-nft.patch b/Fix-for-segfault-in-iptables-nft.patch deleted file mode 100644 index 2944c5ee1b250f56ee39e69521e171891564eb9a..0000000000000000000000000000000000000000 --- a/Fix-for-segfault-in-iptables-nft.patch +++ /dev/null 
@@ -1,93 +0,0 @@ - -m 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 17 Aug 2018 15:35:47 +0200 -Subject: xtables: Fix for segfault in iptables-nft - -Trying to set a chain's policy in an invalid table resulted in a -segfault. Reproducer was: - -| # iptables -t broute -P BROUTING ACCEPT - -Fix this by aborting in nft_chain_new() if nft_table_builtin_find() -returned NULL for the given table name. - -For an illustrative error message, set errno to ENXIO in the above case -and add an appropriate Mesage to nft_strerror(). - -While being at it, improve the error message if an invalid policy was -given. Before: - -| # iptables-nft -t filter -P INPUT ACCEPTdf -| iptables: Incompatible with this kernel. - -After: - -| # iptables-nft -t filter -P INPUT ACCEPTdf -| iptables: Bad policy name. Run `dmesg' for more information. - -Third unrelated change in this patch: Drop error checking of -nft_chain_set() in do_commandx(): The function never returns negative, -so that check never yielded true. 
- -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft.c | 11 +++++++++-- - iptables/xtables.c | 3 --- - 2 files changed, 9 insertions(+), 5 deletions(-) - -diff --git a/iptables/nft.c b/iptables/nft.c -index 0b29caeb..dd8469a9 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h, - struct builtin_chain *_c; - - _t = nft_table_builtin_find(h, table); -+ if (!_t) { -+ errno = ENXIO; -+ return NULL; -+ } -+ - /* if this built-in table does not exists, create it */ -- if (_t != NULL) -- nft_table_builtin_add(h, _t); -+ nft_table_builtin_add(h, _t); - - _c = nft_chain_builtin_find(_t, chain); - if (_c != NULL) { -@@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table, - c = nft_chain_new(h, table, chain, NF_DROP, counters); - else if (strcmp(policy, "ACCEPT") == 0) - c = nft_chain_new(h, table, chain, NF_ACCEPT, counters); -+ else -+ errno = EINVAL; - - if (c == NULL) - return 0; -@@ -2828,6 +2834,7 @@ const char *nft_strerror(int err) - "Bad rule (does a matching rule exist in that chain?)" }, - { nft_chain_set, ENOENT, "Bad built-in chain name" }, - { nft_chain_set, EINVAL, "Bad policy name" }, -+ { nft_chain_set, ENXIO, "Bad table name" }, - { NULL, ELOOP, "Loop found in table" }, - { NULL, EPERM, "Permission denied (you must be root)" }, - { NULL, 0, "Incompatible with this kernel" }, -diff --git a/iptables/xtables.c b/iptables/xtables.c -index d9050b45..72f65962 100644 ---- a/iptables/xtables.c -+++ b/iptables/xtables.c -@@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, - break; - case CMD_SET_POLICY: - ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL); -- if (ret < 0) -- xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n", -- p.policy); - break; - default: - /* We should never reach this... */ --- -cgit v1.2.1 - 
diff --git a/Fix-for-segfault-when-registering-hashlimit-extension.patch b/Fix-for-segfault-when-registering-hashlimit-extension.patch deleted file mode 100644 index 5e898c2dc0f8d789f7f24394be28aa8cda135915..0000000000000000000000000000000000000000 --- a/Fix-for-segfault-when-registering-hashlimit-extension.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 37b68b2bc903112a74545c7f4a49c89e889582a9 Mon Sep 17 00:00:00 2001 -From: Heena Sirwani -Date: Tue, 21 Aug 2018 17:25:56 +0530 -Subject: xtables: Fix for segfault when registering hashlimit extension - -This patch fixes the crash when registering the hashlimit extension -with xtables during init_extensions(when built with static libs) . -The option validation function xtables_option_metavalidate has a -loop termination condition of the entry name being NULL. The loop -does not terminate when validating hashlimit_mt_opts_v2 which causes -a crash on derefencing an invalid entry. - -Signed-off-by: Heena Sirwani -Signed-off-by: Florian Westphal ---- - extensions/libxt_hashlimit.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c -index 70bc615b..7d78d852 100644 ---- a/extensions/libxt_hashlimit.c -+++ b/extensions/libxt_hashlimit.c -@@ -205,6 +205,7 @@ static const struct xt_option_entry hashlimit_mt_opts_v2[] = { - {.name = "hashlimit-mode", .id = O_MODE, .type = XTTYPE_STRING}, - {.name = "hashlimit-name", .id = O_NAME, .type = XTTYPE_STRING, - .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name), .min = 1}, -+ XTOPT_TABLEEND, - }; - #undef s - --- -cgit v1.2.1 - diff --git a/Fix-incorrect-strcmp-in-nft_arp_rule_find.patch b/Fix-incorrect-strcmp-in-nft_arp_rule_find.patch deleted file mode 100644 index 7ef53dbb59d620716b39de9d6318ac6e4bc42bad..0000000000000000000000000000000000000000 --- a/Fix-incorrect-strcmp-in-nft_arp_rule_find.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 7c9a1521105aa515a272e2d04fa806bed8b43396 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 19 Sep 2018 15:17:07 +0200 -Subject: arptables: Fix incorrect strcmp() in nft_arp_rule_find() - -Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to -strcmp() may be passed a NULL pointer. Therefore check if the pointer is -valid before doing so. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft-arp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c -index b8e89826..a2109c60 100644 ---- a/iptables/nft-arp.c -+++ b/iptables/nft-arp.c -@@ -661,7 +661,7 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r, - if (!compare_targets(cs->target, this.target)) - return false; - -- if (strcmp(cs->jumpto, this.jumpto) != 0) -+ if (this.jumpto && strcmp(cs->jumpto, this.jumpto) != 0) - return false; - - return true; --- -cgit v1.2.1 - diff --git a/Fix-opcode-printing-in-numeric-output.patch b/Fix-opcode-printing-in-numeric-output.patch deleted file mode 100644 index 991861f4086c84230d9cb685b38a84b5cf6eb81a..0000000000000000000000000000000000000000 --- a/Fix-opcode-printing-in-numeric-output.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 3f279553a2908bfa3ad76211ee657c97e4103563 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 2 Aug 2018 17:05:22 +0200 -Subject: arptables: Fix opcode printing in numeric output - -This line of code was dropped by accident, add it back. - -Fixes: 68e5e18210b8d ("nft-arp: adds nft_arp_save_firewall") -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft-arp.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c -index 5cabb93e..570a2589 100644 ---- a/iptables/nft-arp.c -+++ b/iptables/nft-arp.c -@@ -543,6 +543,7 @@ after_devdst: - if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC)) - printf("--opcode %s", opcodes[tmp-1]); - else -+ printf("--opcode %d", tmp); - - if (fw->arp.arpop_mask != 65535) - printf("/%d", ntohs(fw->arp.arpop_mask)); --- -cgit v1.2.1 - diff --git a/Fix-potential-array-overrun-in-xtables_option_parse.patch b/Fix-potential-array-overrun-in-xtables_option_parse.patch deleted file mode 100644 index 22372dfe52e6948f5fe923c9db81772b11f90b13..0000000000000000000000000000000000000000 --- a/Fix-potential-array-overrun-in-xtables_option_parse.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 4144571f87c094471419ef59e8bb89ef33cd1365 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Mon, 10 Sep 2018 23:35:13 +0200 -Subject: libxtables: Fix potential array overrun in xtables_option_parse() - -If entry->type is to be used as array index, it needs to be at max one -less than that array's size. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - libxtables/xtoptions.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c -index ba3128bd..326febd5 100644 ---- a/libxtables/xtoptions.c -+++ b/libxtables/xtoptions.c -@@ -844,7 +844,7 @@ void xtables_option_parse(struct xt_option_call *cb) - * a *RC option type. - */ - cb->nvals = 1; -- if (entry->type <= ARRAY_SIZE(xtopt_subparse) && -+ if (entry->type < ARRAY_SIZE(xtopt_subparse) && - xtopt_subparse[entry->type] != NULL) - xtopt_subparse[entry->type](cb); - /* Exclusion with other flags tested later in finalize. */ --- -cgit v1.2.1 - diff --git a/Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch b/Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch deleted file mode 100644 index e487e32312534ee74852df4e0a5ed477d1af9033..0000000000000000000000000000000000000000 --- a/Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 82d278c19f8f187e78c90c91834018b16c007098 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 2 Aug 2018 17:05:11 +0200 -Subject: xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs - -Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are -not added to the cache. - -There is one exception though, namely when zeroing counters: -nft_chain_zero_counters() adds a chain object it took from chain cache. -To distinguish this situation from the others, introduce -NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like -NFT_COMPAT_CHAIN_ADD but batch_obj_del() does not free it's chain. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/iptables/nft.c b/iptables/nft.c -index 26df1287..327c19ad 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -246,6 +246,7 @@ enum obj_update_type { - NFT_COMPAT_CHAIN_USER_FLUSH, - NFT_COMPAT_CHAIN_UPDATE, - NFT_COMPAT_CHAIN_RENAME, -+ NFT_COMPAT_CHAIN_ZERO, - NFT_COMPAT_RULE_APPEND, - NFT_COMPAT_RULE_INSERT, - NFT_COMPAT_RULE_REPLACE, -@@ -310,6 +311,7 @@ static int mnl_append_error(const struct nft_handle *h, - nftnl_table_get_str(o->table, NFTNL_TABLE_NAME)); - break; - case NFT_COMPAT_CHAIN_ADD: -+ case NFT_COMPAT_CHAIN_ZERO: - case NFT_COMPAT_CHAIN_USER_ADD: - case NFT_COMPAT_CHAIN_USER_DEL: - case NFT_COMPAT_CHAIN_USER_FLUSH: -@@ -2445,9 +2447,10 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o) - case NFT_COMPAT_TABLE_FLUSH: - nftnl_table_free(o->table); - break; -- case NFT_COMPAT_CHAIN_ADD: -+ case NFT_COMPAT_CHAIN_ZERO: - case NFT_COMPAT_CHAIN_USER_ADD: - break; -+ case NFT_COMPAT_CHAIN_ADD: - case NFT_COMPAT_CHAIN_USER_DEL: - case NFT_COMPAT_CHAIN_USER_FLUSH: - case NFT_COMPAT_CHAIN_UPDATE: -@@ -2496,6 +2499,7 @@ static int nft_action(struct nft_handle *h, int action) - n->seq, n->table); - break; - case NFT_COMPAT_CHAIN_ADD: -+ case 
NFT_COMPAT_CHAIN_ZERO: - nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN, - NLM_F_CREATE, n->seq, - n->chain); -@@ -2881,7 +2885,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain, - - nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE); - -- ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c); -+ ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c); - - if (chain != NULL) - break; --- -cgit v1.2.1 - diff --git a/Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch b/Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch deleted file mode 100644 index 057a3a41eecc7647b8c872b2242d46895ad31737..0000000000000000000000000000000000000000 --- a/Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c2895eaf7a9d604c4aa10848ad46cdde48a00357 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 2 Aug 2018 17:05:10 +0200 -Subject: xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs - -These always have to be freed because nft_chain_user_del() removes them -from the cache so they are not freed when the chain cache is flushed. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/iptables/nft.c b/iptables/nft.c -index f2d6ea13..26df1287 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -2447,8 +2447,8 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o) - break; - case NFT_COMPAT_CHAIN_ADD: - case NFT_COMPAT_CHAIN_USER_ADD: -- case NFT_COMPAT_CHAIN_USER_DEL: - break; -+ case NFT_COMPAT_CHAIN_USER_DEL: - case NFT_COMPAT_CHAIN_USER_FLUSH: - case NFT_COMPAT_CHAIN_UPDATE: - case NFT_COMPAT_CHAIN_RENAME: --- -cgit v1.2.1 - diff --git a/fix-crash-if-nft_rule_list_get-fails.patch b/fix-crash-if-nft_rule_list_get-fails.patch deleted file mode 100644 index 1081d702f0b8e8065ee36cd73745806a73b6fd71..0000000000000000000000000000000000000000 --- a/fix-crash-if-nft_rule_list_get-fails.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 907da5c505b219537586f7c2bdb7320c4f97386f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 19 Jul 2018 18:31:53 +0200 -Subject: xtables: fix crash if nft_rule_list_get() fails - -Without this, trying to add a rule using ebtables without proper -permissions crashes the program. - -Signed-off-by: Phil Sutter -Signed-off-by: Florian Westphal ---- - iptables/nft.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/iptables/nft.c b/iptables/nft.c -index 3cacf5fe..e1788dba 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -1176,7 +1176,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table, - if (batch_rule_add(h, type, r) < 0) - nftnl_rule_free(r); - -- nft_rule_list_get(h); -+ if (!nft_rule_list_get(h)) -+ return 0; - - nftnl_rule_list_add_tail(r, h->rule_cache); - --- -cgit v1.2.1 - diff --git a/free-the-table-lock-when-skipping-a-table.patch b/free-the-table-lock-when-skipping-a-table.patch deleted file mode 100644 index 6291353f05ea13bb3d69e96249ef2d6c2623d959..0000000000000000000000000000000000000000 --- a/free-the-table-lock-when-skipping-a-table.patch +++ /dev/null 
@@ -1,192 +0,0 @@ -From 31e4b5906ff676a3c13060d6f456d72b7f6c90c2 Mon Sep 17 00:00:00 2001 -From: Joel Goguen -Date: Wed, 11 Jul 2018 16:32:20 -0700 -Subject: iptables-restore: free the table lock when skipping a table - -Currently, when running `iptables-restore --table=X`, where `X` is not the first -table in the rules dump, the restore will fail when parsing the second table: - -- a lock is acquird when parsing the first table name -- the table name does not match the parameter to `--table` so processing - continues until the next table -- when processing the next table a lock is acquired, which fails because a lock - is already held - -Another app is currently holding the xtables lock. Perhaps you want to use the -w option? - -This will release the lock as soon as it's decided the current table won't be -used. - -Signed-off-by: Joel Goguen -Signed-off-by: Florian Westphal ---- - iptables/ip6tables-restore.c | 7 +++- - iptables/iptables-restore.c | 7 +++- - .../ipt-restore/0001load-specific-table_0 | 41 ++++++++++++++++++++++ - .../testcases/ipt-restore/dumps/ip6tables.dump | 30 ++++++++++++++++ - .../testcases/ipt-restore/dumps/iptables.dump | 30 ++++++++++++++++ - 5 files changed, 113 insertions(+), 2 deletions(-) - create mode 100755 iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 - create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump - create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump - -diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c -index cc50bb4f..d36f92da 100644 ---- a/iptables/ip6tables-restore.c -+++ b/iptables/ip6tables-restore.c -@@ -325,8 +325,13 @@ int ip6tables_restore_main(int argc, char *argv[]) - strncpy(curtable, table, XT_TABLE_MAXNAMELEN); - curtable[XT_TABLE_MAXNAMELEN] = '\0'; - -- if (tablename != NULL && strcmp(tablename, table) != 0) -+ if (tablename != NULL && strcmp(tablename, table) != 0) { -+ if (lock >= 0) { -+ 
xtables_unlock(lock); -+ lock = XT_LOCK_NOT_ACQUIRED; -+ } - continue; -+ } - if (handle) - ops->free(handle); - -diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c -index d5603fce..142ddb82 100644 ---- a/iptables/iptables-restore.c -+++ b/iptables/iptables-restore.c -@@ -323,8 +323,13 @@ iptables_restore_main(int argc, char *argv[]) - strncpy(curtable, table, XT_TABLE_MAXNAMELEN); - curtable[XT_TABLE_MAXNAMELEN] = '\0'; - -- if (tablename && (strcmp(tablename, table) != 0)) -+ if (tablename && (strcmp(tablename, table) != 0)) { -+ if (lock >= 0) { -+ xtables_unlock(lock); -+ lock = XT_LOCK_NOT_ACQUIRED; -+ } - continue; -+ } - if (handle) - ops->free(handle); - -diff --git a/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 -new file mode 100755 -index 00000000..ce3bef3a ---- /dev/null -+++ b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 -@@ -0,0 +1,41 @@ -+#!/bin/bash -+ -+RET=0 -+tmpfile="" -+ -+set -x -+ -+clean_tempfile() -+{ -+ if [ -n "${tmpfile}" ]; then -+ rm -f "${tmpfile}" -+ fi -+} -+ -+trap clean_tempfile EXIT -+ -+tmpfile=$(mktemp) || exit 1 -+ -+do_simple() -+{ -+ iptables="${1}" -+ table="${2}" -+ dumpfile="$(dirname "${0}")/dumps/${iptables}.dump" -+ -+ "$XT_MULTI" "${iptables}-restore" --table="${table}" <"${dumpfile}"; rv=$? 
-+ -+ if [ "${rv}" -ne 0 ]; then -+ RET=1 -+ fi -+} -+ -+do_simple "iptables" "filter" -+do_simple "iptables" "mangle" -+do_simple "iptables" "raw" -+do_simple "iptables" "nat" -+do_simple "ip6tables" "filter" -+do_simple "ip6tables" "mangle" -+do_simple "ip6tables" "raw" -+do_simple "ip6tables" "nat" -+ -+exit "${RET}" -diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump -new file mode 100644 -index 00000000..4ac4f882 ---- /dev/null -+++ b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump -@@ -0,0 +1,30 @@ -+*nat -+:PREROUTING ACCEPT [0:0] -+:INPUT ACCEPT [0:0] -+:OUTPUT ACCEPT [8:656] -+:POSTROUTING ACCEPT [8:656] -+COMMIT -+ -+*mangle -+:PREROUTING ACCEPT [794:190738] -+:INPUT ACCEPT [794:190738] -+:FORWARD ACCEPT [0:0] -+:OUTPUT ACCEPT [991:170303] -+:POSTROUTING ACCEPT [991:170303] -+COMMIT -+ -+*raw -+:PREROUTING ACCEPT [794:190738] -+:OUTPUT ACCEPT [991:170303] -+COMMIT -+ -+*filter -+:INPUT DROP [0:0] -+:FORWARD DROP [0:0] -+:OUTPUT ACCEPT [991:170303] -+-A INPUT -i lo -j ACCEPT -+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -+-A INPUT -p ipv6-icmp -j ACCEPT -+-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp6-port-unreachable -+-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp6-port-unreachable -+COMMIT -diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump -new file mode 100644 -index 00000000..6e4e42d3 ---- /dev/null -+++ b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump -@@ -0,0 +1,30 @@ -+*nat -+:PREROUTING ACCEPT [1:89] -+:INPUT ACCEPT [0:0] -+:OUTPUT ACCEPT [351:24945] -+:POSTROUTING ACCEPT [351:24945] -+COMMIT -+ -+*mangle -+:PREROUTING ACCEPT [3270:1513114] -+:INPUT ACCEPT [3270:1513114] -+:FORWARD ACCEPT [0:0] -+:OUTPUT ACCEPT [3528:1087907] -+:POSTROUTING ACCEPT [3546:1090751] -+COMMIT -+ -+*raw 
-+:PREROUTING ACCEPT [3270:1513114] -+:OUTPUT ACCEPT [3528:1087907] -+COMMIT -+ -+*filter -+:INPUT DROP [37:4057] -+:FORWARD DROP [0:0] -+:OUTPUT ACCEPT [3528:1087907] -+-A INPUT -i lo -j ACCEPT -+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -+-A INPUT -p icmp -j ACCEPT -+-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable -+-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable -+COMMIT --- -cgit v1.2.1 - diff --git a/iptables-1.6.0-iptables-apply_mktemp.patch b/iptables-1.6.0-iptables-apply_mktemp.patch deleted file mode 100644 index 607a6113d0d7cf24fde78658d4f1fd505dcea923..0000000000000000000000000000000000000000 --- a/iptables-1.6.0-iptables-apply_mktemp.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp iptables-1.6.0/iptables/iptables-apply ---- iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp 2015-12-09 13:55:06.000000000 +0100 -+++ iptables-1.6.0/iptables/iptables-apply 2016-04-13 17:44:07.130453958 +0200 -@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then - exit 2 - fi - --COMMANDS=(tempfile "$SAVE" "$RESTORE") -+COMMANDS=(mktemp "$SAVE" "$RESTORE") - - for cmd in "${COMMANDS[@]}"; do - if ! command -v $cmd >/dev/null; then -@@ -122,7 +122,7 @@ done - - umask 0700 - --TMPFILE=$(tempfile -p iptap) -+TMPFILE=$(mktemp) - trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15 - - if ! "$SAVE" >"$TMPFILE"; then diff --git a/iptables-1.8.0-xtables-nft-multi.patch b/iptables-1.8.0-xtables-nft-multi.patch deleted file mode 100644 index f1f5ab8dd3bab512069428e288635c16b2db5bf8..0000000000000000000000000000000000000000 --- a/iptables-1.8.0-xtables-nft-multi.patch +++ /dev/null 
@@ -1,15 +0,0 @@ -diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c -index 187da81e9f59b..03690a56edb72 100644 ---- a/iptables/xtables-nft-multi.c -+++ b/iptables/xtables-nft-multi.c -@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = { - {"iptables-restore-translate", xtables_ip4_xlate_restore_main}, - {"ip6tables-restore-translate", xtables_ip6_xlate_restore_main}, - {"arptables", xtables_arp_main}, -+ {"arptables-nft", xtables_arp_main}, - {"ebtables-translate", xtables_eb_xlate_main}, - {"ebtables", xtables_eb_main}, -+ {"ebtables-nft", xtables_eb_main}, - {"xtables-monitor", xtables_monitor_main}, - {NULL}, - }; diff --git a/iptables-1.8.0.tar.bz2 b/iptables-1.8.0.tar.bz2 deleted file mode 100644 index f6d028eb8c5e8ad5bfd66f0a2cfc5b9f7d7e4701..0000000000000000000000000000000000000000 Binary files a/iptables-1.8.0.tar.bz2 and /dev/null differ diff --git a/iptables-1.8.1.tar.bz2 b/iptables-1.8.1.tar.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..c93c714a9086c0001863ea755f4fbea725624d5c Binary files /dev/null and b/iptables-1.8.1.tar.bz2 differ diff --git a/iptables-apply-Use-mktemp-instead-of-tempfile.patch b/iptables-apply-Use-mktemp-instead-of-tempfile.patch new file mode 100644 index 0000000000000000000000000000000000000000..d9b36b8f3fd329d82687f5333505b48973c8e687 --- /dev/null +++ b/iptables-apply-Use-mktemp-instead-of-tempfile.patch @@ -0,0 +1,34 @@ +0d0a2c9c269dc5ed9e7d841b8ecb9dc060af Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 12 Apr 2019 18:02:19 +0200 +Subject: [PATCH] iptables-apply: Use mktemp instead of tempfile + +Signed-off-by: Phil Sutter +--- + iptables/iptables-apply | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + + diff --git a/iptables/iptables-apply b/iptables/iptables-apply + index 819ca4a459c42..a685b6bbcd7dc 100755 + --- a/iptables/iptables-apply + +++ b/iptables/iptables-apply + 
@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then + exit 2 +fi + +-COMMANDS=(tempfile "$SAVE" "$RESTORE") ++COMMANDS=(mktemp "$SAVE" "$RESTORE") + + for cmd in "${COMMANDS[@]}"; do + if ! command -v $cmd >/dev/null; then +@@ -122,7 +122,7 @@ done + + umask 0700 + +-TMPFILE=$(tempfile -p iptap) ++TMPFILE=$(mktemp) + trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \ + FPE USR1 SEGV USR2 PIPE ALRM TERM + +-- +2.21.0 diff --git a/iptables.spec b/iptables.spec index be794dc4d459f12011bd004993ceb2b8121b60ff..b98935bb0389197f5657983a32f574b6870b4f96 100644 --- a/iptables.spec +++ b/iptables.spec @@ -1,8 +1,8 @@ %global script_path %{_libexecdir}/iptables %global legacy_actions %{_libexecdir}/initscripts/legacy-actions Name: iptables -Version: 1.8.0 -Release: 6 +Version: 1.8.1 +Release: 1 Summary: IP packet filter administration utilities License: GPLv2 and Artistic Licence 2.0 and ISC URL: https://www.netfilter.org/ 
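Review bot: `TMPFILE=$(mktemp)` in the second hunk of the new patch leaves a failing mktemp unchecked, which the old `tempfile -p iptap` line did not handle either but the rewrite is the place to fix it: TMPFILE is then empty, the trap degrades to `rm -f ` and the only diagnostic is the redirection error from `"$SAVE" >"$TMPFILE"`. Fail loudly at the point of creation instead, e.g. `TMPFILE=$(mktemp) || { echo "E: unable to create a temporary file" >&2; exit 1; }`, which keeps the trap from ever being armed with an empty path. Two things in the stored patch text also look wrong, though both may be artifacts of how this listing was rendered: the first line reads `0d0a2c9c269dc5ed9e7d841b8ecb9dc060af Mon Sep 17 00:00:00 2001` with no `From ` prefix and a 36-digit hash, and the inner `diff --git`, `index`, `---` and `+++` lines appear indented by one space; if that is how the file is really stored, `git am` rejects the header and `patch -p1` will not find the file name and %prep fails, so the file should be regenerated with `git format-patch` and checked against `git apply --check`.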
@@ -13,20 +13,7 @@ Source3: iptables.service Source4: sysconfig_iptables Source5: sysconfig_ip6tables -Patch1: iptables-1.6.0-iptables-apply_mktemp.patch -Patch2: iptables-1.8.0-xtables-nft-multi.patch -Patch6000: fix-crash-if-nft_rule_list_get-fails.patch -Patch6001: free-the-table-lock-when-skipping-a-table.patch -Patch6002: Allocate-rule-cache-just-once.patch -Patch6003: Fix-for-nft_rule_flush-returning-garbage.patch -Patch6004: Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch -Patch6005: Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch -Patch6006: Fix-opcode-printing-in-numeric-output.patch -Patch6007: Fix-for-segfault-in-iptables-nft.patch -Patch6008: Fix-for-segfault-when-registering-hashlimit-extension.patch -Patch6009: Fix-potential-array-overrun-in-xtables_option_parse.patch -Patch6010: Fix-for-potential-array-boundary-overstep.patch -Patch6011: Fix-incorrect-strcmp-in-nft_arp_rule_find.patch +Patch1: iptables-apply-Use-mktemp-instead-of-tempfile.patch BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd git BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel @@ -216,6 +203,10 @@ fi %{_sbindir}/iptables-apply %{_sbindir}/ip*tables-legacy* %{_sbindir}/xtables-legacy-multi +%{_sbindir}/arptables-restore +%{_sbindir}/arptables-save +%{_sbindir}/ebtables-restore +%{_sbindir}/ebtables-save %exclude %{_sbindir}/*-nft* %exclude %{_sbindir}/*-translate %exclude %{_sbindir}/xtables-monitor @@ -257,6 +248,9 @@ fi %{_mandir}/* %changelog +* Fri Jan 10 2020 openEuler Buildteam - 1.8.1-1 +- Package update + * Thu Nov 7 2019 openEuler Buildteam - 1.8.0-6 - Type:bugfix - Id:NA
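Review bot: The twelve `Patch6000`–`Patch6011` backports are dropped in this hunk without the spec or the changelog recording that they are contained in 1.8.1; all of them are upstream commits dated July–September 2018, which predates the 1.8.1 release, so the drop is presumably correct, but that reasoning should be written down so the next rebase does not have to re-derive it, e.g. a changelog line `- Drop Patch6000-Patch6011, merged upstream in 1.8.1` instead of the bare `- Package update`. The remaining `Patch1: iptables-apply-Use-mktemp-instead-of-tempfile.patch` is the April 2019 upstream commit, which postdates 1.8.1, so it still has to be carried; that too is worth a word in the changelog since it replaces the locally written 1.6.0 patch with the same change.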
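Review bot: `%{_sbindir}/arptables-restore`, `arptables-save`, `ebtables-restore` and `ebtables-save` are added to a file list that still has `%exclude %{_sbindir}/*-nft*`, yet in the 1.8.x tree those four names are, as far as I can tell, provided by the nft backend (links or wrappers around xtables-nft-multi) and not by xtables-legacy-multi; if they resolve to the excluded binary they will ship as dangling symlinks or wrappers that exec a missing program. Check what `make install` actually produces for them in 1.8.1 (`readlink`/`file` on the installed paths in the buildroot) and either ship `xtables-nft-multi` alongside them or move the four entries to the subpackage that carries the nft backend; if they do turn out to be legacy binaries, a one-line comment above the entries saying so would stop the question coming up again.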