diff --git a/0001-extensions-NAT-Fix-for-Werror-format-security.patch b/0001-extensions-NAT-Fix-for-Werror-format-security.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ff8adfbc5709db742d03ab0b74f317b8c221c0f1
--- /dev/null
+++ b/0001-extensions-NAT-Fix-for-Werror-format-security.patch
@@ -0,0 +1,29 @@
+From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 12 Jan 2023 14:38:44 +0100
+Subject: [iptables PATCH] extensions: NAT: Fix for -Werror=format-security
+
+Have to pass either a string literal or format string to xt_xlate_add().
+
+Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
+Signed-off-by: Phil Sutter
+---
+ extensions/libxt_NAT.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
+index da9f22012c5d6..2a6343986d54f 100644
+--- a/extensions/libxt_NAT.c
++++ b/extensions/libxt_NAT.c
+@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
+ if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
+ return 0;
+
+- xt_xlate_add(xl, tgt);
++ xt_xlate_add(xl, "%s", tgt);
+ if (strlen(range_str))
+ xt_xlate_add(xl, " to %s", range_str);
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
+--
+2.38.0
+
diff --git a/0001-xshared-Fix-build-for-Werror-format-security.patch b/0001-xshared-Fix-build-for-Werror-format-security.patch
deleted file mode 100644
index ba6d2dbb394c0bc15e9780f114b1f54cd6d35daf..0000000000000000000000000000000000000000
--- a/0001-xshared-Fix-build-for-Werror-format-security.patch
+++ /dev/null
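Review bot: The added patch file carries only a mailing-list header (`Subject: [iptables PATCH]`) and no upstream commit id, whereas the patch it replaces recorded a `(cherry picked from commit …)` trailer. Without that reference, the next rebase has no mechanical way to tell whether the fix has landed upstream and the patch can be dropped. I would add a trailer such as `(backported from upstream commit <upstream-commit-id>)` to the patch header, or put the same reference in the comment above `Patch01:` in iptables.spec. The C change itself, `xt_xlate_add(xl, "%s", tgt);`, is the right form because `tgt` is no longer interpreted as a format string; the body of `__NAT_xlate` lies outside the hunk, so where `tgt` originates cannot be checked from here.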
@@ -1,29 +0,0 @@
-From fe9bd3b29dd7661e6f74c24db8356014798d1d78 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 13 May 2022 16:51:58 +0200
-Subject: [PATCH] xshared: Fix build for -Werror=format-security
-
-Gcc complains about the omitted format string.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a)
----
- iptables/xshared.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/xshared.c b/iptables/xshared.c
-index fae5ddd5df93e..a8512d3808154 100644
---- a/iptables/xshared.c
-+++ b/iptables/xshared.c
-@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
- return;
-
- if (args->family != NFPROTO_ARP)
-- xtables_error(PARAMETER_PROBLEM, msg);
-+ xtables_error(PARAMETER_PROBLEM, "%s", msg);
-
- fprintf(stderr, "%s", msg);
- }
---
-2.34.1
-
diff --git a/iptables-1.8.8.tar.bz2 b/iptables-1.8.8.tar.bz2
deleted file mode 100644
index 6704ee664712eaad79ef4b8ae185b48c99989d0b..0000000000000000000000000000000000000000
Binary files a/iptables-1.8.8.tar.bz2 and /dev/null differ
diff --git a/iptables-1.8.9.tar.xz b/iptables-1.8.9.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..08bd0f88f59012754a59ab799d98f416c322cf74
Binary files /dev/null and b/iptables-1.8.9.tar.xz differ
diff --git a/iptables.spec b/iptables.spec
index d8b5f9857d98130cbcbb5695f032c5960148982a..994c805753948155c7d58e31f245b07c57de0e14 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,5 +1,5 @@
+%define anolis_release 1
 # install init scripts to /usr/libexec with systemd
-%define anolis_release 4
 %global script_path %{_libexecdir}/iptables
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 %global iptc_so_ver 0
@@ -8,9 +8,9 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables -Version: 1.8.8 +Version: 1.8.9 Release: %{anolis_release}%{?dist} -Source: %{url}/files/%{name}-%{version}.tar.bz2 +Source: https://www.netfilter.org/pub/iptables/files/%{name}-%{version}.tar.xz Source1: iptables.init Source2: iptables-config Source3: iptables.service @@ -19,7 +19,7 @@ Source5: sysconfig_ip6tables Source6: arptables-nft-helper # fix mock err -Werror=format-security -Patch01: 0001-xshared-Fix-build-for-Werror-format-security.patch +Patch01: 0001-extensions-NAT-Fix-for-Werror-format-security.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -218,9 +218,14 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/ebtables.8 -%generate_compatibility_deps +# Drop xtables.conf, it's not used +rm -f %{buildroot}%{_sysconfdir}/xtables.conf + +# fix absolute symlink +rm -f %{buildroot}%{_bindir}/iptables-xml +ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml -%ldconfig_scriptlets +%generate_compatibility_deps %post legacy pfx=%{_sbindir}/iptables @@ -265,7 +270,6 @@ mv /var/tmp/alternatives.iptables.setup /var/lib/alternatives/iptables %systemd_preun iptables.service ip6tables.service %postun services -%?ldconfig %systemd_postun iptables.service ip6tables.service %post nft @@ -279,7 +283,6 @@ pfx6=%{_sbindir}/ip6tables --slave $pfx6-restore ip6tables-restore $pfx6-nft-restore \ --slave $pfx6-save ip6tables-save $pfx6-nft-save -rm -f /var/lib/alternatives/ebtables pfx=%{_sbindir}/ebtables manpfx=%{_mandir}/man8/ebtables for sfx in "" "-restore" "-save"; do 
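Review bot: The new `Source:` URL and the swapped-in tarball arrive with no integrity check visible in this hunk: no checksum, detached signature or keyring is added next to `iptables-1.8.9.tar.xz`. Upstream publishes a detached signature alongside its release tarballs, so the spec can list the `.sig` and the signing key as further `Source` entries and verify them in %prep with `%{gpgverify} --keyring='%{SOURCE<key>}' --signature='%{SOURCE<sig>}' --data='%{SOURCE0}'` (the bracketed numbers are placeholders for the new entries), provided the build macros supply `%{gpgverify}`. The %prep section is outside this diff, so an existing check there cannot be ruled out.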
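Review bot: The recreated `iptables-xml` link in the `@@ -218,9 +218,14 @@` hunk hard-codes `../sbin/`, which is correct only while `%{_bindir}` and `%{_sbindir}` are sibling directories. Letting ln compute the target keeps it tied to the macros: `ln -sr %{buildroot}%{_sbindir}/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml`.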
@@ -287,16 +290,16 @@ for sfx in "" "-restore" "-save"; do rm -f $pfx$sfx fi done -if [ "$(readlink -e $manpfx.8.zst)" == $manpfx.8.zst ]; then - rm -f $manpfx.8.zst +if [ "$(readlink -e $manpfx.8%{_extension})" == $manpfx.8%{_extension} ]; then + rm -f $manpfx.8%{_extension} fi + %{_sbindir}/update-alternatives --install \ $pfx ebtables $pfx-nft 10 \ --slave $pfx-save ebtables-save $pfx-nft-save \ --slave $pfx-restore ebtables-restore $pfx-nft-restore \ - --slave $manpfx.8.zst ebtables-man $manpfx-nft.8.zst + --slave $manpfx.8%{_extension} ebtables.8%{_extension} $manpfx-nft.8%{_extension} -rm -f /var/lib/alternatives/arptables pfx=%{_sbindir}/arptables manpfx=%{_mandir}/man8/arptables lepfx=%{_libexecdir}/arptables @@ -304,20 +307,21 @@ for sfx in "" "-restore" "-save"; do if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then rm -f $pfx$sfx fi - if [ "$(readlink -e $manpfx$sfx.8.zst)" == $manpfx$sfx.8.zst ]; then - rm -f $manpfx$sfx.8.zst + if [ "$(readlink -e $manpfx$sfx.8%{_extension})" == $manpfx$sfx.8%{_extension} ]; then + rm -f $manpfx$sfx.8%{_extension} fi done if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then rm -f $lepfx-helper fi + %{_sbindir}/update-alternatives --install \ $pfx arptables $pfx-nft 10 \ --slave $pfx-save arptables-save $pfx-nft-save \ --slave $pfx-restore arptables-restore $pfx-nft-restore \ - --slave $manpfx.8.zst arptables-man $manpfx-nft.8.zst \ - --slave $manpfx-save.8.zst arptables-save-man $manpfx-nft-save.8.zst \ - --slave $manpfx-restore.8.zst arptables-restore-man $manpfx-nft-restore.8.zst \ + --slave $manpfx.8%{_extension} arptables.8%{_extension} $manpfx-nft.8%{_extension} \ + --slave $manpfx-save.8%{_extension} arptables-save.8%{_extension} $manpfx-nft-save.8%{_extension} \ + --slave $manpfx-restore.8%{_extension} arptables-restore.8%{_extension} $manpfx-nft-restore.8%{_extension} \ --slave $lepfx-helper arptables-helper $lepfx-nft-helper %postun nft 
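Review bot: The man-page slave is renamed here from `ebtables-man` to `ebtables.8%{_extension}` (and the three arptables man-page slaves likewise in the `@@ -304,20 +307,21 @@` hunk), while this commit also drops the `rm -f /var/lib/alternatives/ebtables` and `rm -f /var/lib/alternatives/arptables` resets that used to run before these blocks. A system upgraded from 1.8.8-4 presumably still holds an alternatives record with the old slave names for the same link paths, so an upgrade test should confirm that `update-alternatives --install` accepts the renamed slaves; a failing %post would leave ebtables and arptables without their symlinks. `%{_extension}` is also not defined anywhere in the visible part of the spec, and if the build macros do not supply it the literal text ends up in the scriptlet. A comment above the first use would settle that, for example `# %%{_extension}: man-page compression suffix, defined in <macro file or spec line>`.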
@@ -331,19 +335,19 @@ fi %files compat %files legacy -%doc INCOMPATIBILITIES %{_sbindir}/ip{,6}tables-legacy* %{_sbindir}/xtables-legacy-multi %{_bindir}/iptables-xml %{_mandir}/man1/iptables-xml* %{_mandir}/man8/xtables-legacy* +%dir %{_datadir}/xtables +%{_datadir}/xtables/iptables.xslt %ghost %{_sbindir}/ip{,6}tables{,-save,-restore} %files libs %dir %{abidir} %license COPYING %{_libdir}/libxtables.so.12* -%{abidir}/libxtables.dump %dir %{_libdir}/xtables %{_libdir}/xtables/lib{ip,ip6,x}t* %{abidir}/lib{ip,ip6,x}t*.dump @@ -392,6 +396,7 @@ fi %{_sbindir}/{eb,arp}tables-nft* %{_sbindir}/xtables-nft-multi %{_sbindir}/xtables-monitor +%{_sbindir}/ebtables-translate %dir %{_libdir}/xtables %{_libdir}/xtables/lib{arp,eb}t* %{abidir}/lib{arp,eb}t*.dump @@ -400,6 +405,7 @@ fi %{_mandir}/man8/xtables-translate* %{_mandir}/man8/*-nft* %{_mandir}/man8/ip{,6}tables{,-restore}-translate* +%{_mandir}/man8/ebtables-translate* %ghost %{_sbindir}/ip{,6}tables{,-save,-restore} %ghost %{_sbindir}/{eb,arp}tables{,-save,-restore} %ghost %{_libexecdir}/arptables-helper @@ -408,6 +414,9 @@ fi %changelog +* Sun Jan 15 2023 Funda Wang - 1.8.9-1 +- New version 1.8.9 + * Wed Jan 11 2023 Chunmei Xu - 1.8.8-4 - fix iptables-nft post scriptlet fail