diff --git a/0146-iptables-restore-Drop-dead-code.patch b/0146-iptables-restore-Drop-dead-code.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b1cb36115d611807ad6a3a1aa5cbce8e82a4970d
--- /dev/null
+++ b/0146-iptables-restore-Drop-dead-code.patch
@@ -0,0 +1,31 @@
+From 0482da08db2dcf9414008c286ebf227952512b03 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 13 Jul 2023 18:32:02 +0200
+Subject: [PATCH] iptables-restore: Drop dead code
+
+Handle initialization is guarded by 'in_table' boolean, so there can't
+be a handle already (because the branch which unsets 'in_table' also
+frees the handle).
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 4d9453233538200e9663c6bd0c2df09e1671b5f4)
+---
+ iptables/iptables-restore.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 3b821467db355..6dfafe0c18072 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -225,8 +225,6 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
+ }
+ continue;
+ }
+- if (handle)
+- cb->ops->free(handle);
+ 
+ handle = create_handle(cb, table);
+ if (noflush == 0) {
+--
+2.41.0
+
diff --git a/0147-iptables-apply-Eliminate-shellcheck-warnings.patch b/0147-iptables-apply-Eliminate-shellcheck-warnings.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a97159d736d340e7f26aea908443f8c173ca0836
--- /dev/null
+++ b/0147-iptables-apply-Eliminate-shellcheck-warnings.patch
@@ -0,0 +1,82 @@
+From ff0c0dc23fec33e339974e419c664d3bef39edc9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 1 Aug 2023 16:56:42 +0200
+Subject: [PATCH] iptables-apply: Eliminate shellcheck warnings
+
+Actual warnings were only about use of '-a' in bracket expressions
+(replace by '&&' pipeline) and the immediate evaluation of the variable
+in trap command.
+
+The remaining changes silence info-level messages: missing quoting
+around variables, pointless '$' in arithmetic expressions, backticks
+instead of $(...), missing '-r' parameter when calling read and an
+awkward negated '-z' check.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 9f98550d58a49fc95d529ebdc0173579d957b425)
+---
+ iptables/iptables-apply | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/iptables/iptables-apply b/iptables/iptables-apply
+index 3a7df5e3cbc1f..c603fb2113ef3 100755
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -141,9 +141,9 @@ for opt in $OPTS; do
+ ;;
+ (*)
+ case "${OPT_STATE:-}" in
+- (SET_TIMEOUT) eval TIMEOUT=$opt;;
++ (SET_TIMEOUT) eval TIMEOUT="$opt";;
+ (SET_SAVEFILE)
+- eval SAVEFILE=$opt
++ eval SAVEFILE="$opt"
+ [ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE"
+ ;;
+ esac
+@@ -163,13 +163,13 @@ done
+ 
+ # Validate parameters
+ if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then
+- TIMEOUT=$(($TIMEOUT))
++ TIMEOUT=$((TIMEOUT))
+ else
+ echo "Error: timeout must be a positive number" >&2
+ exit 1
+ fi
+ 
+-if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then
++if [ -n "$SAVEFILE" ] && [ -e "$SAVEFILE" ] && [ ! -w "$SAVEFILE" ]; then
+ echo "Error: savefile not writable: $SAVEFILE" >&2
+ exit 8
+ fi
+@@ -205,8 +205,8 @@ esac
+ ### Begin work
+ 
+ # Store old iptables rules to temporary file
+-TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX`
+-trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
++TMPFILE=$(mktemp "/tmp/$PROGNAME-XXXXXXXX")
++trap 'rm -f $TMPFILE' EXIT HUP INT QUIT ILL TRAP ABRT BUS \
+ FPE USR1 SEGV USR2 PIPE ALRM TERM
+ 
+ if ! "$SAVE" >"$TMPFILE"; then
+@@ -257,13 +257,13 @@ esac
+ # Prompt user for confirmation
+ echo -n "Can you establish NEW connections to the machine? (y/N) "
+ 
+-read -n1 -t "$TIMEOUT" ret 2>&1 || :
++read -r -n1 -t "$TIMEOUT" ret 2>&1 || :
+ case "${ret:-}" in
+ (y*|Y*)
+ # Success
+ echo
+ 
+- if [ ! -z "$SAVEFILE" ]; then
++ if [ -n "$SAVEFILE" ]; then
+ # Write successfully applied rules to the savefile
+ echo "Writing successfully applied rules to '$SAVEFILE'..."
+ if ! "$SAVE" >"$SAVEFILE"; then
+--
+2.41.0
+
diff --git a/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch b/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch
new file mode 100644
index 0000000000000000000000000000000000000000..118da177e9ff8cc625e8d9f4084a3351f5427cb3
--- /dev/null
+++ b/0148-ebtables-Exit-gracefully-on-invalid-table-names.patch
@@ -0,0 +1,51 @@
+From f4f3fd1fa83a56c051fa72ee619ef23942e65504 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 28 Jan 2021 01:09:56 +0100
+Subject: [PATCH] ebtables: Exit gracefully on invalid table names
+
+Users are able to cause program abort by passing a table name that
+doesn't exist:
+
+| # ebtables-nft -t dummy -P INPUT ACCEPT
+| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
+| Aborted
+
+Avoid this by checking table existence just like iptables-nft does upon
+parsing '-t' optarg. Since the list of tables is known and fixed,
+checking the given name's length is pointless. So just drop that check
+in return.
+
+With this patch in place, output looks much better:
+
+| # ebtables-nft -t dummy -P INPUT ACCEPT
+| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
+| Perhaps iptables or your kernel needs to be upgraded.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
+---
+ iptables/xtables-eb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index a3d659fb35e27..6e47feec5132f 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -957,10 +957,10 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
+- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
+- xtables_error(PARAMETER_PROBLEM,
+- "Table name length cannot exceed %d characters",
+- EBT_TABLE_MAXNAMELEN - 1);
++ if (!nft_table_builtin_find(h, optarg))
++ xtables_error(VERSION_PROBLEM,
++ "table '%s' does not exist",
++ optarg);
+ *table = optarg;
+ table_set = true;
+ break;
+--
+2.41.0
+
diff --git a/0149-iptables-nargs-show-dismatch.patch b/0149-iptables-nargs-show-dismatch.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b3f16484c97fc72fc6895e1595b18e674100fc1
--- /dev/null
+++ b/0149-iptables-nargs-show-dismatch.patch
@@ -0,0 +1,31 @@
+From ac012d400e0abe972ad20686bc412f6563ac5862 Mon Sep 17 00:00:00 2001
+From: renwang
+Date: Thu, 28 Nov 2024 17:11:59 +0800
+Subject: [PATCH] fix the -n args show dismatch
+
+---
+ iptables/iptables.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index 88ef6cf..fba69a9 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -478,10 +478,10 @@ print_firewall(const struct ipt_entry *fw,
+ fputc(fw->ip.invflags & XT_INV_PROTO ? '!' : ' ', stdout);
+ {
+ const char *pname = proto_to_name(fw->ip.proto, format&FMT_NUMERIC);
+- if (pname)
+- printf(FMT("%-5s", "%s "), pname);
+- else
+- printf(FMT("%-5hu", "%hu "), fw->ip.proto);
++ if (((format & (FMT_NUMERIC | FMT_NOTABLE)) == FMT_NUMERIC) || !pname)
++ printf(FMT("%-4hu ", "%hu "), proto);
++ else
++ printf(FMT("%-4s ", "%s "), pname);
+ }
+ 
+ if (format & FMT_OPTIONS) {
+--
+2.20.1
+
diff --git a/iptables.spec b/iptables.spec
index 24da2c181099ce2cbc2c5b5f5025e5340f611394..f403d44b9e12174c0a56e2ff8ea00132f5c76540 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,4 +1,4 @@
-%define anolis_release .0.1
+%define anolis_release .0.2
 # install init scripts to /usr/libexec with systemd
 %global script_path %{_libexecdir}/iptables
@@ -11,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.5
-Release: 9%{anolis_release}%{?dist}
+Release: 11%{anolis_release}%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
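Review bot: The added `printf(FMT("%-4hu ", "%hu "), proto);` in 0149-iptables-nargs-show-dismatch.patch uses a bare `proto`, while the line it replaces and the unchanged `proto_to_name(fw->ip.proto, format&FMT_NUMERIC)` call two lines above both use `fw->ip.proto`; unless print_firewall declares a `proto` local above the hunk (its body starts outside it), the patched iptables.c will not compile, and the line should presumably read `printf(FMT("%-4hu ", "%hu "), fw->ip.proto);`. This looks like a line carried over from a newer upstream where the printing helper receives `proto` as a parameter, so the other three added lines should be checked against 1.8.5's names as well. The new condition also changes observable output: with FMT_NUMERIC set and FMT_NOTABLE clear, a protocol that proto_to_name still resolves is now printed as a number rather than a name, which anything parsing `iptables -nL` output will notice and which the patch description, currently empty apart from its subject, should state.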
@@ -170,6 +170,9 @@ Patch142: 0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch
 Patch143: 0143-nft-Special-casing-for-among-match-in-compare_matche.patch
 Patch144: 0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch
 Patch145: 0145-iptables-nft-fix-basechain-policy-configuration.patch
+Patch146: 0146-iptables-restore-Drop-dead-code.patch
+Patch147: 0147-iptables-apply-Eliminate-shellcheck-warnings.patch
+Patch148: 0148-ebtables-Exit-gracefully-on-invalid-table-names.patch
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -548,10 +551,21 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 %changelog
-* Tue Dec 12 2023 Liwei Ge - 1.8.5-9.0.1
+* Thu Nov 28 2024 Wang Ren - 1.8.5-11.0.2
+- Fix the -n args show dismatch
+
+* Wed Jul 24 2024 Liwei Ge - 1.8.5-11.0.1
 - Debrand for Anolis OS
 - Add legacy tools back
+* Thu Nov 16 2023 Phil Sutter - 1.8.5-11
+- iptables-restore: Drop dead code
+- iptables-apply: Eliminate shellcheck warnings
+- ebtables: Exit gracefully on invalid table names
+
+* Fri Sep 08 2023 Phil Sutter - 1.8.5-10
+- Bump NVR to fix for wrong build tag
+
 * Wed Sep 06 2023 Phil Sutter - 1.8.5-9
 - iptables-nft: fix basechain policy configuration
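Review bot: The Patch list hunk adds `Patch146:` through `Patch148:` but no `Patch149:` line for 0149-iptables-nargs-show-dismatch.patch, which this same commit creates and whose fix the new 1.8.5-11.0.2 changelog entry claims; unless the file is referenced by a hunk outside this diff, it is never applied at build time and the changelog entry does not describe the built package. Add `Patch149: 0149-iptables-nargs-show-dismatch.patch` after the Patch148 line, plus the matching %patch directive if the spec's %prep applies patches individually rather than through %autosetup.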