commit 61a66b35cfae87319725cb4212dc338f9a6618c2
Author: Adrian Schröter
Date: Mon Oct 14 14:31:14 2024 +0200

Sync from SUSE:ALP:Source:Standard:1.0 ipset revision ab136f047c44152da5df17e2151c9c01

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fecc750
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/ipset-7.17.tar.bz2 b/ipset-7.17.tar.bz2
new file mode 100644
index 0000000..8ff25f4
--- /dev/null
+++ b/ipset-7.17.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:be49c9ff489dd6610cad6541e743c3384eac96e9f24707da7b3929d8f2ac64d8
+size 684983
diff --git a/ipset-destdir.diff b/ipset-destdir.diff
new file mode 100644
index 0000000..3b4578f
--- /dev/null
+++ b/ipset-destdir.diff
@@ -0,0 +1,31 @@
+From: Jan Engelhardt
+Date: 2016-03-17 01:13:03.340741300 +0100
+
+Skip these two steps from Makefile.am altogether.
+
+1. If $INSTALL_MOD_PATH/lib/modules/uname_r is missing, no depmod
+ files will be created at all (by depmod as invoked by the kernel's
+ modules_install target).
+
+2. Therefore, modinfo -b will error out because it cannot find
+ $INSTALL_MOD_PATH/lib/modules/uname-r/modules.order.
+
+3. lsmod fails because /proc and /sys are not mounted.
+
+---
+ Makefile.am | 2 --
+ 1 file changed, 2 deletions(-)
+
+Index: ipset-7.4/Makefile.am
+===================================================================
+--- ipset-7.4.orig/Makefile.am
++++ ipset-7.4/Makefile.am
+@@ -72,8 +72,6 @@ modules_install:
+ if WITH_KMOD
+ ${MAKE} -C $(KBUILD_OUTPUT) M=$$PWD/kernel/net \
+ KDIR=$$PWD/kernel modules_install
+- @modinfo -b ${INSTALL_MOD_PATH} ip_set_hash_ip | ${GREP} /extra/ >/dev/null || echo "$$DEPMOD_WARNING"
+- @lsmod | ${GREP} '^ip_set' >/dev/null && echo "$$MODULE_WARNING"; true
+ else
+ @echo Skipping kernel modules due to --with-kmod=no
+ endif
diff --git a/ipset-preamble b/ipset-preamble
new file mode 100644
index 0000000..86e7171
--- /dev/null
+++ b/ipset-preamble
@@ -0,0 +1,3 @@
+Enhances: kernel-%1
+Requires: kernel-%1
+Supplements: packageand(kernel-%1:ipset)
diff --git a/ipset.changes b/ipset.changes
new file mode 100644
index 0000000..b13dd32
--- /dev/null
+++ b/ipset.changes
@@ -0,0 +1,421 @@
+-------------------------------------------------------------------
+Fri Dec 30 14:50:44 UTC 2022 - Jan Engelhardt
+
+- Update to release 7.17
+ * No userspace changes (kernel modules are not generated
+ here for openSUSE, see kernel-default instead)
+
+-------------------------------------------------------------------
+Mon Nov 21 20:05:41 UTC 2022 - Jan Engelhardt
+
+- Update to release 7.16
+ * Add bitmask support to hash:netnet, hash:ipport, hash:ip
+ * Add support for new bitmask parameter
+
+-------------------------------------------------------------------
+Fri Nov 4 09:49:23 UTC 2022 - Danilo Spinella
+
+- Tumbleweed is not affected by the following SLE issues:
+ bsc#1122853
+
+-------------------------------------------------------------------
+Wed Aug 4 09:37:44 UTC 2021 - Paolo Stivanin
+
+- Update to release 7.15
+ * netfilter: ipset: Fix maximal range check in
+ hash_ipportnet4_uadt()
+
+-------------------------------------------------------------------
+Wed Jul 28 14:54:37 UTC 2021 - Jan Engelhardt
+
+- Update to release 7.14
+ * Allow specifying protocols by number
+ * Limit the maximum range of consecutive elements to add/delete
+
+-------------------------------------------------------------------
+Fri Feb 19 21:23:04 UTC 2021 - Jan Engelhardt
+
+- Update to release 7.11
+ * Argument parsing buffer overflow in ipset_parse_argv fixed
+
+-------------------------------------------------------------------
+Sun Dec 20 15:37:21 UTC 2020 - Jan Engelhardt
+
+- Update to release 7.10
+ * Fix shift-out-of-bounds in htable_bits()
+
+-------------------------------------------------------------------
+Thu Nov 19 23:30:50 UTC 2020 - Jan Engelhardt
+
+- Update to release 7.9
+ * Enable memory accounting for ipset allocations
+ * Expose the initval hash parameter to userspace
+ * Add bucketsize parameter to all hash types
+ * Support the -exist flag with the destroy command
+
+-------------------------------------------------------------------
+Mon Feb 24 17:06:59 UTC 2020 - Jan Engelhardt
+
+- Update to release 7.6
+ * Add checking system_power_efficient_wq in the source tree.
+
+-------------------------------------------------------------------
+Fri Jan 10 13:03:52 UTC 2020 - Jan Engelhardt
+
+- Update to release 7.5
+ * netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO
+ is present.
+ * netfilter: xt_set: Do not restrict --map-set to the
+ mangle table.
+
+-------------------------------------------------------------------
+Fri Nov 1 17:06:36 UTC 2019 - Jan Engelhardt
+
+- Update to release 7.4
+ * Wildcard support for the "hash:net,iface" type.
+
+-------------------------------------------------------------------
+Mon Aug 19 12:53:22 UTC 2019 - Jan Engelhardt
+
+- Update to new upstream release 7.3
+ * Fix rename concurrency with listing, which can result broken
+ list/save results.
+ * ipset: Copy the right MAC address in bitmap:ip,mac and
+ hash:ip,mac sets.
+ * ipset: Actually allow destination MAC address for hash:ip,mac
+ sets too.
+
+-------------------------------------------------------------------
+Mon Jun 10 13:09:47 UTC 2019 - Jan Engelhardt
+
+- Update to new upstream release 7.2
+ * ipset: Fix memory accounting for hash types on resize
+
+-------------------------------------------------------------------
+Tue Dec 11 13:02:03 UTC 2018 - Jan Engelhardt
+
+- Update to new upstream release 7.1
+ * Correct the manpage about the sort option
+ * Implement sorting for hash types in the ipset tool
+ * Fix to list/save into file specified by option
+- Remove ipset-file.diff (merged)
+
+-------------------------------------------------------------------
+Tue Nov 20 17:58:53 UTC 2018 - Arjen de Korte
+
+- Add ipset-file.diff [boo#1116432].
+
+-------------------------------------------------------------------
+Tue Oct 30 07:54:50 UTC 2018 - Jan Engelhardt
+
+- Update to new upstream release 7.0
+ * A new internal protocol version between the kernel and
+ userspace is used. This is required in order to support two
+ new functions and the extendend LIST operation, which makes
+ possible to run ipset in every case entirely over netlink,
+ without the need to use getsockopt().
+ * The userspace library was reworked so it can be embedded
+ without calling the binary.
+
+-------------------------------------------------------------------
+Tue Apr 10 20:21:59 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 6.38
+ * Fix parsing service names for ports.
+
+-------------------------------------------------------------------
+Sat Mar 3 23:27:51 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 6.36
+ * Adding a IPv4 range x.x.x.x–255.255.255.255 could lead to
+ memory exhaustion, which has been fixed.
+- Drop 0001-build-do-install-libipset-args.h.patch (merged)
+
+-------------------------------------------------------------------
+Mon Jan 22 21:49:31 UTC 2018 - jengelh@inai.de
+
+- Add 0001-build-do-install-libipset-args.h.patch [boo#1077037].
+
+-------------------------------------------------------------------
+Sat Jan 6 21:47:52 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 6.35
+ * Userspace revision handling is reworked
+ * Backport patch: netfilter: ipset: use nfnl_mutex_is_locked
+ * Missing nfnl_lock()/nfnl_unlock() is added to
+ ip_set_net_exit()
+ * netfilter: ipset: add resched points during set listing
+ * Fix "don't update counters" mode when counters used at the
+ matching
+ * netfilter: ipset: Fix race between dump and swap
+
+-------------------------------------------------------------------
+Sat Sep 23 19:10:12 UTC 2017 - jengelh@inai.de
+
+- Update to new upstream release 6.34
+ * Reset state after a command failed, when multiple ones
+ are issued.
+ * Handle padding attribute properly in userspace.
+ * Test to check the fix to add an IPv4 range containing more
+ than 2^31 addresses.
+- Remove ipset-6.33-export-func.diff (merged)
+
+-------------------------------------------------------------------
+Sun Sep 17 21:19:30 UTC 2017 - jengelh@inai.de
+
+- Update to new upstream release 6.33
+ * Report if the option is supported by a newer kernel release
+- Add ipset-6.33-export-func.diff
+
+-------------------------------------------------------------------
+Fri Sep 15 16:44:31 UTC 2017 - kstreitova@suse.com
+
+- fix build for Factory
+
+-------------------------------------------------------------------
+Fri Mar 17 11:45:35 UTC 2017 - jengelh@inai.de
+
+- Update to new upstream release 6.31
+ * ipset: avoid kernel null pointer exception in ipset list:set
+ * fix bug: sometimes valid entries in hash:* types of sets were
+ evicted
+- Update to new upstream release 6.32
+ * fix possible truncated output in ipset output buffer handling
+
+-------------------------------------------------------------------
+Thu Oct 20 18:25:24 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 6.30
+* hash:ipmac type support added to ipset
+
+-------------------------------------------------------------------
+Wed Mar 16 23:25:41 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 6.29
+* Fix race condition in ipset save, swap and delete
+
+-------------------------------------------------------------------
+Sat Mar 12 21:40:08 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 6.28
+* Test added to check 0.0.0.0/0,iface to be matched in
+ hash:net,iface type
+* Check IPSET_ATTR_ETHER netlink attribute length
+* Fix set:list type crash when flush/dump set in parallel
+* Allow a 0 netmask with hash_netiface type
+- Restore unreviewed deletion of KMP production,
+ undo spec-cleaner refucktoring
+- Add ipset-destdir.diff
+
+-------------------------------------------------------------------
+Mon Jan 18 15:42:54 UTC 2016 - kstreitova@suse.com
+
+- update to 6.27:
+ * kernel part changes
+ * fix reported memory size for hash:* types
+ * fix hash type expire: release empty hash bucket block
+ * fix hash type expiration: incorrect index fixed
+ * collapse same condition body to a single one
+ * fix extension alignment
+ * compatibility: include linux/export.h when needed
+ * compatibility: make sure vmalloc.h is included for kvfree()
+ * compatibility: Fix detecting 'struct net' in 'struct tcf_ematch'
+ * compatibility: Protect definition of RCU_INIT_POINTER in
+ compatibility header file
+ * netfilter: ipset: Fix sleeping memory allocation in atomic
+ context (Nikolay Borisov)
+ * userspace changes
+ * handle uint64_t alignment issue in ipset tool
+- disable KMP build as we support the in-kernel version instead.
+ Remove ipset-preamble file that is no longer needed [bsc#962345]
+- run spec-cleaner
+
+-------------------------------------------------------------------
+Sun Aug 30 11:23:27 UTC 2015 - jengelh@inai.de
+
+- Update to new upstream release 6.26
+* Out of bound access in hash:net* types fixed
+* Make struct htype per ipset family
+* Optimize hash creation routine
+
+-------------------------------------------------------------------
+Thu Jun 25 09:57:08 UTC 2015 - jengelh@inai.de
+
+- Update to new upstream release 6.25.1
+* Add element count to all set types header
+* Add element count to hash headers
+* Support linking libipset to C++ programs
+* When a single set is destroyed, make sure it cannot
+ be grabbed by dump
+* Check CIDR value only when attribute is given
+* Permit CIDR equal to the host address CIDR in IPv6
+
+-------------------------------------------------------------------
+Mon Nov 24 21:31:24 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 6.24
+* Alignment problem between 64bit kernel 32bit userspace fixed
+* Potential read beyond the end of buffer resolved
+* Fix parallel resizing and listing of the same set
+* Introduce RCU in all set types instead of rwlock per set
+* Remove rbtree from hash:net,iface in order to run under RCU
+* Explicitly add padding elements to hash:net,net and
+ hash:net,port,net
+* Allocate the proper size of memory when /0 networks are supported
+* Simplify cidr handling for hash:*net* types
+* Indicate when /0 networks are supported
+
+-------------------------------------------------------------------
+Tue Sep 23 18:04:06 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 6.23
+* Order create and add options in manpage so that generic ones
+ come first
+* Centralise generic create options (family, hashsize, maxelem)
+ on top of man page in the generic options section.
+* Add description of hash:mac set type to man page.
+* Add missing space for skbinfo option synopsis.
+* Support updating extensions when the set is full
+- Drop sovers.diff (no longer needed)
+
+-------------------------------------------------------------------
+Tue Sep 16 06:27:32 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 6.22
+* includes the new set type hash:mac
+* The new skbinfo extension makes possible to store fw mark, tc
+ class and/or hardware queue parameters together with the set
+ elements and then attach them to the matchig packets by the SET
+ target.
+- Add sovers.diff to counter missing symbol errors
+
+-------------------------------------------------------------------
+Wed Mar 5 08:47:39 UTC 2014 - jengelh@inai.de
+
+- Update to new upstream release 6.21.1
+* add userspace support for forceadd
+* fix ifname "physdev:" prefix parsing
+* print mark & mark mask in hex rather then decimal
+* add markmask for hash:ip,mark data type
+* add hash:ip,mark data type to ipset
+* Fix all set output from list/save when set with counters in use.
+* ipset: Fix malformed output from list/save for ICMP types in port
+ field
+* ipset: fix timeout data type size (Nikolay Martynov)
+
+-------------------------------------------------------------------
+Mon Oct 28 12:34:04 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 6.20.1
+* build fixes for kernel 3.8 and the userspace library
+- Remove 0001-build-fix-incorrect-library-versioning.patch (merged)
+
+-------------------------------------------------------------------
+Sun Oct 20 13:03:53 UTC 2013 - jengelh@inai.de
+
+- Add 0001-build-fix-incorrect-library-versioning.patch
+
+-------------------------------------------------------------------
+Sun Oct 20 12:43:51 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 6.20
+* netns support
+* new set types: hash:net,net and hash:net,port,net
+* new extension: "comment", for annotation of set elements
+- Drop sles11.diff (no longer needed, upstream has better fix)
+
+-------------------------------------------------------------------
+Fri May 10 20:11:15 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 6.19
+* This release adds per-element byte and packet counters for every
+ set type. (Matching these will be available in iptables-1.4.19.)
+
+-------------------------------------------------------------------
+Mon Apr 15 06:20:31 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 6.18
+* bitmap:ip,mac: fix listing with timeout
+* hash:*net*: nomatch flag not excluded on set resize
+* list:set: update reference counter when last element pushed off
+
+-------------------------------------------------------------------
+Thu Feb 21 16:07:01 UTC 2013 - jengelh@inai.de
+
+- Update to new upstream release 6.17
+* Fix revision printing in XML mode
+* Correct "Suspicious condition (assignment + comparison)"
+* Fix error path when protocol number is used with port range
+* Interactive mode error after syntax error
+* New utilities: ipset_bash_completion, ipset_list
+* Ensure ip_set_max is not set to IPSET_INVALID_ID
+* Resolve corrupted timeout values on set resize
+* Resolve "Directory not empty" error message
+
+-------------------------------------------------------------------
+Tue Nov 27 12:50:37 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 6.16.1
+* Fix RCU handling when the number of maximal sets are increased
+* netfilter: ipset: fix netiface set name overflow
+- Remove 0001-build-support-for-Linux-3.7-UAPI.patch, merged upstream
+- Remove 0001-build-Linux-3.7-netlink-fun.patch, merged upstream
+
+-------------------------------------------------------------------
+Mon Nov 19 16:20:13 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 6.15
+* Userspace changes:
+* Use gethostbyname2 instead of getaddrinfo
+* Support protocol numbers as well, not only protocol names
+* Kernel part changes:
+* Increase the number of maximal sets automatically as needed
+* Fix range bug in hash:ip,port,net
+- Add 0001-build-support-for-Linux-3.7-UAPI.patch
+- Add 0001-build-Linux-3.7-netlink-fun.patch
+
+-------------------------------------------------------------------
+Sat Sep 22 14:20:06 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 6.14
+* Internal CIDR bookkeeping was broken and would lead to mismatches
+ when the number of different sized networks are greater than the
+ smallest CIDR value
+* Support to match elements marked with "nomatch" in hash:*net* sets
+* Add /0 network support to hash:net,iface type
+
+-------------------------------------------------------------------
+Sat Jun 30 18:33:33 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 6.13
+* more restrictive command-line parser
+* documentation updates w.r.t. src/dst for hash:net,iface
+* allow saving to/restoring from a file without shell redirection
+* kernel: hash:net,iface: fix interface comparison
+* timeout fixing bug broke SET target special timeout value, fixed
+
+-------------------------------------------------------------------
+Thu May 10 11:07:52 UTC 2012 - jengelh@inai.de
+
+- Update to new upstream release 6.12
+* Report syntax error messages immediately
+* Add dynamic module support to ipset userspace tool
+* Fix timeout value overflow bug at large timeout parameters
+* gcc 4.7 support
+
+-------------------------------------------------------------------
+Fri Jan 20 17:27:01 UTC 2012 - jengelh@medozas.de
+
+- Update to new upstream release 6.11
+* libipset is now complete; ipset is just a frontend
+* Log warning when a hash type of set gets full
+* Exceptions support added to hash:*net* types
+* hash:net,iface timeout bug fixed
+* Support hostnames and service names with dash
+
+
+-------------------------------------------------------------------
+Sun Jan 1 03:17:39 UTC 2012 - jengelh@medozas.de
+
+- Populate ipset package on build.opensuse.org after disabling
+ ipset-genl compilation in xtables-addons
diff --git a/ipset.spec b/ipset.spec
new file mode 100644
index 0000000..d9d2b68
--- /dev/null
+++ b/ipset.spec
@@ -0,0 +1,156 @@
+#
+# spec file for package ipset
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define lname libipset13
+%if 0%{?suse_version} && 0%{?suse_version} < 1330
+# Factory gets new kernels, old releases don't.
+# Always build KMPs for all versions older than Factory.
+%define ipset_build_kmp 1
+%else
+%define ipset_build_kmp 0
+%endif
+Name: ipset
+Version: 7.17
+Release: 0
+Summary: Netfilter ipset administration utility
+License: GPL-2.0-only
+Group: Productivity/Networking/Security
+URL: https://ipset.netfilter.org/
+#Git-Clone: git://git.netfilter.org/ipset
+#Git-Web: http://git.netfilter.org/
+Source: http://ipset.netfilter.org/%name-%version.tar.bz2
+Source3: %name-preamble
+Patch1: ipset-destdir.diff
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: linux-glibc-devel >= 2.6.24
+BuildRequires: pkg-config >= 0.21
+BuildRequires: pkgconfig(libmnl) >= 1
+%if 0%{?ipset_build_kmp}
+BuildRequires: %kernel_module_package_buildreqs
+BuildRequires: kernel-devel >= 2.6.39
+BuildRequires: kmod-compat
+%kernel_module_package -p %name-preamble
+%endif
+
+%description
+IP sets are a framework inside the Linux kernel, which can be
+administered by the ipset utility. Depending on the type, currently
+an IP set may store IP addresses, (TCP/UDP) port numbers or IP
+addresses with MAC addresses in a way, which ensures lightning speed
+when matching an entry against a set.
+
+ipset can:
+* store multiple IP addresses or port numbers and match against the
+ collection by iptables in one swoop;
+* dynamically update iptables rules against IP addresses or ports
+ without performance penalty;
+* express complex IP address and ports based rulesets with one single
+ iptables rule and benefit from the speed of IP sets
+
+%package KMP
+Summary: Netfilter ipset kernel modules
+Group: System/Kernel
+
+%description KMP
+IP sets are a framework inside the Linux kernel, which can be
+administered by the ipset utility. Depending on the type, currently
+an IP set may store IP addresses, (TCP/UDP) port numbers or IP
+addresses with MAC addresses in a way, which ensures lightning speed
+when matching an entry against a set.
+
+This package contains a version update to the in-kernel ipset modules.
+
+%package -n %lname
+Summary: Userspace library for the in-kernel Netfilter ipset interface
+Group: System/Libraries
+
+%description -n %lname
+IP sets are a framework inside the Linux kernel, which can be
+administered by the ipset utility. Depending on the type, currently
+an IP set may store IP addresses, (TCP/UDP) port numbers or IP
+addresses with MAC addresses in a way, which ensures lightning speed
+when matching an entry against a set.
+
+%package devel
+Summary: Development files for ipset extensions
+Group: Development/Libraries/C and C++
+Requires: %lname = %version
+
+%description devel
+IP sets are a framework inside the Linux kernel, which can be
+administered by the ipset utility. Depending on the type, currently
+an IP set may store IP addresses, (TCP/UDP) port numbers or IP
+addresses with MAC addresses in a way, which ensures lightning speed
+when matching an entry against a set.
+
+%prep
+%autosetup -p1
+
+%build
+# build wants to call modinfo at some point
+export PATH="$PATH:%_sbindir"
+autoreconf -fi
+%if 0%{?ipset_build_kmp}
+for flavor in %flavors_to_build; do
+ cp -a . "../%name-$flavor-%version"
+ pushd "../%name-$flavor-%version/"
+ # ksource: it just checks for a header
+ %configure --disable-static \
+ --with-kbuild="%_prefix/src/linux-obj/%_target_cpu/$flavor" \
+ --with-ksource="%_prefix/src/linux" \
+ --includedir="%_includedir/%name"
+ %make_build all modules
+ popd
+done
+%endif
+%configure --disable-static --with-kmod=no \
+ --includedir="%_includedir/%name"
+%make_build
+
+%install
+export PATH="$PATH:%_sbindir"
+b="%buildroot"
+%if 0%{?ipset_build_kmp}
+for flavor in %flavors_to_build; do
+ pushd "../%name-$flavor-%version/"
+ make %{?_smp_mflags} install modules_install \
+ DESTDIR="$b" INSTALL_MOD_PATH="$b" V=1
+ popd
+done
+%endif
+%make_install
+find "$b/%_libdir" -type f -name "*.la" -delete -print
+
+%post -n %lname -p /sbin/ldconfig
+%postun -n %lname -p /sbin/ldconfig
+
+%files
+%_sbindir/ipset*
+%_mandir/man*/*
+
+%files -n %lname
+%_libdir/libipset.so.13*
+
+%files devel
+%_libdir/libipset.so
+%_libdir/pkgconfig/libipset.pc
+%_includedir/%name/
+
+%changelog
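Review bot: The `Source:` line fetches the tarball over plain http (`http://ipset.netfilter.org/%name-%version.tar.bz2`) while the `URL:` tag on the line above already points at the https endpoint, so the download path used by source services has no transport integrity and the spec is inconsistent with itself; change it to `Source: https://ipset.netfilter.org/%name-%version.tar.bz2`. In a build-service checkout the tarball is taken from the repository (here as the LFS object in the same commit), so this presumably only affects re-downloads, but the tag is still what documents the provenance. The hunk also carries no `Source1:`/`Source2:` signature or keyring entry, which would let source verification confirm the tarball rather than relying on the URL alone; whether upstream publishes signatures for this release is not visible here and would need checking before adding one.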