From c940d32313055c75602a0a90fb245d826b05afc9 Mon Sep 17 00:00:00 2001
From: Zhao Hang
Date: Wed, 24 Jul 2024 10:31:52 +0800
Subject: [PATCH 1/3] update to iptables-1.8.5-11.src.rpm
Signed-off-by: Zhao Hang
---
 0146-iptables-restore-Drop-dead-code.patch | 31 +++++++
 ...-apply-Eliminate-shellcheck-warnings.patch | 82 +++++++++++++++++++
 ...it-gracefully-on-invalid-table-names.patch | 51 ++++++++++++
 iptables.spec | 36 ++++----
 4 files changed, 182 insertions(+), 18 deletions(-)
 create mode 100644 0146-iptables-restore-Drop-dead-code.patch
 create mode 100644 0147-iptables-apply-Eliminate-shellcheck-warnings.patch
 create mode 100644 0148-ebtables-Exit-gracefully-on-invalid-table-names.patch
diff --git a/0146-iptables-restore-Drop-dead-code.patch b/0146-iptables-restore-Drop-dead-code.patch
new file mode 100644
index 0000000..b1cb361
--- /dev/null
+++ b/0146-iptables-restore-Drop-dead-code.patch
@@ -0,0 +1,31 @@
+From 0482da08db2dcf9414008c286ebf227952512b03 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 13 Jul 2023 18:32:02 +0200
+Subject: [PATCH] iptables-restore: Drop dead code
+
+Handle initialization is guarded by 'in_table' boolean, so there can't
+be a handle already (because the branch which unsets 'in_table' also
+frees the handle).
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 4d9453233538200e9663c6bd0c2df09e1671b5f4)
+---
+ iptables/iptables-restore.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 3b821467db355..6dfafe0c18072 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -225,8 +225,6 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
+ }
+ continue;
+ }
+- if (handle)
+- cb->ops->free(handle);
+
+ handle = create_handle(cb, table);
+ if (noflush == 0) {
+--
+2.41.0
+
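Review bot: Dropping `if (handle) cb->ops->free(handle);` leaves the reassignment `handle = create_handle(cb, table);` with no visible statement of why an earlier handle cannot exist at this point; the justification lives only in the commit message (`in_table` guards initialization and the branch that clears it frees the handle). A one-line comment above the `create_handle` call, e.g. `/* no live handle here: it is freed on the path that clears in_table */`, would keep that invariant next to the code that depends on it, since a later change to the `in_table` handling would otherwise silently turn this assignment into a leak. `ip46tables_restore_main` begins and ends outside the hunk, so the freeing branch the message refers to is not visible here.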
diff --git a/0147-iptables-apply-Eliminate-shellcheck-warnings.patch b/0147-iptables-apply-Eliminate-shellcheck-warnings.patch
new file mode 100644
index 0000000..a97159d
--- /dev/null
+++ b/0147-iptables-apply-Eliminate-shellcheck-warnings.patch
@@ -0,0 +1,82 @@
+From ff0c0dc23fec33e339974e419c664d3bef39edc9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 1 Aug 2023 16:56:42 +0200
+Subject: [PATCH] iptables-apply: Eliminate shellcheck warnings
+
+Actual warnings were only about use of '-a' in bracket expressions
+(replace by '&&' pipeline) and the immediate evaluation of the variable
+in trap command.
+
+The remaining changes silence info-level messages: missing quoting
+around variables, pointless '$' in arithmetic expressions, backticks
+instead of $(...), missing '-r' parameter when calling read and an
+awkward negated '-z' check.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 9f98550d58a49fc95d529ebdc0173579d957b425)
+---
+ iptables/iptables-apply | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/iptables/iptables-apply b/iptables/iptables-apply
+index 3a7df5e3cbc1f..c603fb2113ef3 100755
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -141,9 +141,9 @@ for opt in $OPTS; do
+ ;;
+ (*)
+ case "${OPT_STATE:-}" in
+- (SET_TIMEOUT) eval TIMEOUT=$opt;;
++ (SET_TIMEOUT) eval TIMEOUT="$opt";;
+ (SET_SAVEFILE)
+- eval SAVEFILE=$opt
++ eval SAVEFILE="$opt"
+ [ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE"
+ ;;
+ esac
+@@ -163,13 +163,13 @@ done
+
+ # Validate parameters
+ if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then
+- TIMEOUT=$(($TIMEOUT))
++ TIMEOUT=$((TIMEOUT))
+ else
+ echo "Error: timeout must be a positive number" >&2
+ exit 1
+ fi
+
+-if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then
++if [ -n "$SAVEFILE" ] && [ -e "$SAVEFILE" ] && [ ! -w "$SAVEFILE" ]; then
+ echo "Error: savefile not writable: $SAVEFILE" >&2
+ exit 8
+ fi
+@@ -205,8 +205,8 @@ esac
+
+ ### Begin work
+
+ # Store old iptables rules to temporary file
+-TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX`
+-trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
++TMPFILE=$(mktemp "/tmp/$PROGNAME-XXXXXXXX")
++trap 'rm -f $TMPFILE' EXIT HUP INT QUIT ILL TRAP ABRT BUS \
+ FPE USR1 SEGV USR2 PIPE ALRM TERM
+
+ if ! "$SAVE" >"$TMPFILE"; then
+@@ -257,13 +257,13 @@ esac
+ # Prompt user for confirmation
+ echo -n "Can you establish NEW connections to the machine? (y/N) "
+
+-read -n1 -t "$TIMEOUT" ret 2>&1 || :
++read -r -n1 -t "$TIMEOUT" ret 2>&1 || :
+ case "${ret:-}" in
+ (y*|Y*)
+ # Success
+ echo
+
+- if [ ! -z "$SAVEFILE" ]; then
++ if [ -n "$SAVEFILE" ]; then
+ # Write successfully applied rules to the savefile
+ echo "Writing successfully applied rules to '$SAVEFILE'..."
+ if ! "$SAVE" >"$SAVEFILE"; then
+--
+2.41.0
+
diff --git a/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch b/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch
new file mode 100644
index 0000000..118da17
--- /dev/null
+++ b/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch
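Review bot: The new `trap 'rm -f $TMPFILE' EXIT HUP INT QUIT ILL TRAP ABRT BUS \` correctly defers expansion to the moment the trap runs, but `$TMPFILE` is unquoted inside the trap body, so the path is still word-split and glob-expanded at that point; `trap 'rm -f "$TMPFILE"' EXIT HUP INT QUIT ILL TRAP ABRT BUS \` keeps the deferred evaluation and adds the quoting this change applies everywhere else. The quotes added in `eval TIMEOUT="$opt"` and `eval SAVEFILE="$opt"` only govern the first expansion; the resulting string is still re-parsed by `eval`, which the script relies on to strip getopt's quoting, so a comment such as `# getopt quotes each value; eval removes the quotes` would stop a later cleanup from dropping the eval on the assumption that the quoting made it redundant. The `for opt in $OPTS` loop and the later script sections touched here begin and end outside their respective hunks.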
@@ -0,0 +1,51 @@
+From f4f3fd1fa83a56c051fa72ee619ef23942e65504 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 28 Jan 2021 01:09:56 +0100
+Subject: [PATCH] ebtables: Exit gracefully on invalid table names
+
+Users are able to cause program abort by passing a table name that
+doesn't exist:
+
+| # ebtables-nft -t dummy -P INPUT ACCEPT
+| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
+| Aborted
+
+Avoid this by checking table existence just like iptables-nft does upon
+parsing '-t' optarg. Since the list of tables is known and fixed,
+checking the given name's length is pointless. So just drop that check
+in return.
+
+With this patch in place, output looks much better:
+
+| # ebtables-nft -t dummy -P INPUT ACCEPT
+| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
+| Perhaps iptables or your kernel needs to be upgraded.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
+---
+ iptables/xtables-eb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index a3d659fb35e27..6e47feec5132f 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -957,10 +957,10 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
+- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
+- xtables_error(PARAMETER_PROBLEM,
+- "Table name length cannot exceed %d characters",
+- EBT_TABLE_MAXNAMELEN - 1);
++ if (!nft_table_builtin_find(h, optarg))
++ xtables_error(VERSION_PROBLEM,
++ "table '%s' does not exist",
++ optarg);
+ *table = optarg;
+ table_set = true;
+ break;
+--
+2.41.0
+
diff --git a/iptables.spec b/iptables.spec
index 24da2c1..705c2f8 100644
--- a/iptables.spec
+++ b/iptables.spec
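Review bot: The new check reports an unknown table name as `VERSION_PROBLEM`, and the commit message's own sample output shows the consequence: a mistyped `-t` argument is answered with "Perhaps iptables or your kernel needs to be upgraded.", which points the user at the wrong cause. `PARAMETER_PROBLEM`, the class already used by the `-t` misuse error a few lines above in the same hunk, is the natural choice for bad user input; if `VERSION_PROBLEM` is kept deliberately for parity with iptables-nft, a comment such as `/* VERSION_PROBLEM to match iptables-nft's -t handling */` above the call would record that. Dropping the `EBT_TABLE_MAXNAMELEN` check is only safe because, as the commit message states, `nft_table_builtin_find` accepts nothing outside a fixed builtin list, so `*table = optarg` can no longer receive an arbitrary-length string; that dependency deserves a one-line comment next to the check. `do_commandeb` begins and ends outside the hunk.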
@@ -1,4 +1,3 @@
-%define anolis_release .0.1
 # install init scripts to /usr/libexec with systemd
 %global script_path %{_libexecdir}/iptables
@@ -11,7 +10,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.5
-Release: 9%{anolis_release}%{?dist}
+Release: 11%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -170,6 +169,9 @@ Patch142: 0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch
 Patch143: 0143-nft-Special-casing-for-among-match-in-compare_matche.patch
 Patch144: 0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch
 Patch145: 0145-iptables-nft-fix-basechain-policy-configuration.patch
+Patch146: 0146-iptables-restore-Drop-dead-code.patch
+Patch147: 0147-iptables-apply-Eliminate-shellcheck-warnings.patch
+Patch148: 0148-ebtables-Exit-gracefully-on-invalid-table-names.patch
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -290,7 +292,7 @@ traffic passing a bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. This tool is the userspace control for the bridge and ebtables kernel
-components.
+components (built by default in RHEL kernels).
 The ebtables tool can be used together with the other Linux filtering tools, like iptables. There are no known incompatibility issues.
@@ -376,6 +378,12 @@ install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/
 rm -f %{buildroot}%{_sysconfdir}/ethertypes
 %endif
+# drop all legacy tools
+rm -f %{buildroot}%{_sbindir}/*legacy*
+rm -f %{buildroot}%{_bindir}/iptables-xml
+rm -f %{buildroot}%{_mandir}/man1/iptables-xml*
+rm -f %{buildroot}%{_mandir}/man8/xtables-legacy*
+
 # rename nft versions to standard name
 pfx=%{buildroot}%{_sbindir}/iptables
 for pfx in %{buildroot}%{_sbindir}/{iptables,ip6tables,arptables,ebtables}; do
@@ -468,18 +476,6 @@ done
 %{_sbindir}/ip6tables-translate
 %{_sbindir}/xtables-monitor
 %{_sbindir}/xtables-nft-multi
-
-%{_bindir}/iptables-xml
-%{_sbindir}/xtables-legacy-multi
-%{_sbindir}/ip6tables-legacy
-%{_sbindir}/ip6tables-legacy-restore
-%{_sbindir}/ip6tables-legacy-save
-%{_sbindir}/iptables-legacy
-%{_sbindir}/iptables-legacy-restore
-%{_sbindir}/iptables-legacy-save
-%doc %{_mandir}/man1/iptables-xml*
-%doc %{_mandir}/man8/xtables-legacy*
-
 %doc %{_mandir}/man8/iptables*
 %doc %{_mandir}/man8/ip6tables*
 %doc %{_mandir}/man8/xtables-*
@@ -548,9 +544,13 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 %changelog
-* Tue Dec 12 2023 Liwei Ge - 1.8.5-9.0.1
-- Debrand for Anolis OS
-- Add legacy tools back
+* Thu Nov 16 2023 Phil Sutter - 1.8.5-11
+- iptables-restore: Drop dead code
+- iptables-apply: Eliminate shellcheck warnings
+- ebtables: Exit gracefully on invalid table names
+
+* Fri Sep 08 2023 Phil Sutter - 1.8.5-10
+- Bump NVR to fix for wrong build tag
 * Wed Sep 06 2023 Phil Sutter - 1.8.5-9
 - iptables-nft: fix basechain policy configuration
--
Gitee
From 29be45aab3edcd78358c0c9c0be5e9def0194619 Mon Sep 17 00:00:00 2001
From: Liwei Ge
Date: Fri, 29 Jan 2021 09:17:59 +0800
Subject: [PATCH 2/3] debrand: update package description
Signed-off-by: Liwei Ge
Change-Id: Iaa78019c617b2cc4b75dfbabd0252a988a0f7351
(cherry picked from commit 5a3f5873e9cbd6395f70f215c83dce191a7bf2c8)
Signed-off-by: zhangbinchen
---
 iptables.spec | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/iptables.spec b/iptables.spec
index 705c2f8..6896d11 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 # install init scripts to /usr/libexec with systemd
 %global script_path %{_libexecdir}/iptables
@@ -10,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.5
-Release: 11%{?dist}
+Release: 11%{anolis_release}%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -292,7 +293,7 @@ traffic passing a bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. This tool is the userspace control for the bridge and ebtables kernel
-components (built by default in RHEL kernels).
+components.
 The ebtables tool can be used together with the other Linux filtering tools, like iptables. There are no known incompatibility issues.
@@ -544,6 +545,9 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 %changelog
+* Wed Jul 24 2024 Liwei Ge - 1.8.5-11.0.1
+- Debrand for Anolis OS
+
 * Thu Nov 16 2023 Phil Sutter - 1.8.5-11
 - iptables-restore: Drop dead code
 - iptables-apply: Eliminate shellcheck warnings
--
Gitee
From b99d465d43c695335c0d3c3fbb9c88f2dd3fd696 Mon Sep 17 00:00:00 2001
From: DengXiewei
Date: Wed, 22 Jun 2022 19:32:42 +0800
Subject: [PATCH 3/3] Add legacy tools back
Signed-off-by: DengXiewei
---
 iptables.spec | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/iptables.spec b/iptables.spec
index 6896d11..7fbf204 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -379,12 +379,6 @@ install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/
 rm -f %{buildroot}%{_sysconfdir}/ethertypes
 %endif
-# drop all legacy tools
-rm -f %{buildroot}%{_sbindir}/*legacy*
-rm -f %{buildroot}%{_bindir}/iptables-xml
-rm -f %{buildroot}%{_mandir}/man1/iptables-xml*
-rm -f %{buildroot}%{_mandir}/man8/xtables-legacy*
-
 # rename nft versions to standard name
 pfx=%{buildroot}%{_sbindir}/iptables
 for pfx in %{buildroot}%{_sbindir}/{iptables,ip6tables,arptables,ebtables}; do
@@ -477,6 +471,18 @@ done
 %{_sbindir}/ip6tables-translate
 %{_sbindir}/xtables-monitor
 %{_sbindir}/xtables-nft-multi
+
+%{_bindir}/iptables-xml
+%{_sbindir}/xtables-legacy-multi
+%{_sbindir}/ip6tables-legacy
+%{_sbindir}/ip6tables-legacy-restore
+%{_sbindir}/ip6tables-legacy-save
+%{_sbindir}/iptables-legacy
+%{_sbindir}/iptables-legacy-restore
+%{_sbindir}/iptables-legacy-save
+%doc %{_mandir}/man1/iptables-xml*
+%doc %{_mandir}/man8/xtables-legacy*
+
 %doc %{_mandir}/man8/iptables*
 %doc %{_mandir}/man8/ip6tables*
 %doc %{_mandir}/man8/xtables-*
@@ -547,6 +553,7 @@ done
 %changelog
 * Wed Jul 24 2024 Liwei Ge - 1.8.5-11.0.1
 - Debrand for Anolis OS
+- Add legacy tools back
 * Thu Nov 16 2023 Phil Sutter - 1.8.5-11
 - iptables-restore: Drop dead code
--
Gitee