diff --git a/iptables-1.8.7.tar.bz2 b/iptables-1.8.7.tar.bz2
deleted file mode 100644
index 1c24da2..0000000
--- a/iptables-1.8.7.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c109c96bb04998cd44156622d36f8e04b140701ec60531a10668cfdff5e8d8f0
-size 717862
diff --git a/iptables-1.8.7.tar.bz2.sig b/iptables-1.8.7.tar.bz2.sig
deleted file mode 100644
index e2ba969..0000000
Binary files a/iptables-1.8.7.tar.bz2.sig and /dev/null differ
diff --git a/iptables-1.8.8.tar.bz2 b/iptables-1.8.8.tar.bz2
new file mode 100644
index 0000000..123c4d7
--- /dev/null
+++ b/iptables-1.8.8.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:71c75889dc710676631553eb1511da0177bbaaf1b551265b912d236c3f51859f
+size 746985
diff --git a/iptables-1.8.8.tar.bz2.sig b/iptables-1.8.8.tar.bz2.sig
new file mode 100644
index 0000000..088b87b
Binary files /dev/null and b/iptables-1.8.8.tar.bz2.sig differ
diff --git a/iptables-batch-lock.patch b/iptables-batch-lock.patch
index 018eff3..abf2825 100644
--- a/iptables-batch-lock.patch
+++ b/iptables-batch-lock.patch
@@ -10,10 +10,10 @@ Date: 2017-06-26T10:53:24+0000
  iptables/xshared.c | 8 +++++++-
  2 files changed, 28 insertions(+), 1 deletion(-)
 
-Index: iptables-1.8.6/iptables/iptables-batch.c
+Index: iptables-1.8.8/iptables/iptables-batch.c
 ===================================================================
---- iptables-1.8.6.orig/iptables/iptables-batch.c
-+++ iptables-1.8.6/iptables/iptables-batch.c
+--- iptables-1.8.8.orig/iptables/iptables-batch.c
++++ iptables-1.8.8/iptables/iptables-batch.c
 @@ -403,6 +403,27 @@ main(int argc, char *argv[])
  	tables[3].name = "raw";
  	tables[3].handle = NULL;
@@ -27,7 +27,7 @@ Index: iptables-1.8.6/iptables/iptables-batch.c
 + * call sequence needs to be locked until the commit is performed.
 + *
 + * Sadly, the xtables_lock() implementation is not very cooperative.
-+ * There is no unlock() equivalent. The lock file descriptor is smiply
++ * There is no unlock() equivalent. The lock file descriptor is simply
 + * left open until the process exits. Thus, we would have deadlocks
 + * when calling do_command{4,6} the second time.
 + *
@@ -42,34 +42,34 @@ Index: iptables-1.8.6/iptables/iptables-batch.c while((r = getline(&iline, &llen, fp)) != -1) { -Index: iptables-1.8.6/iptables/xshared.c +Index: iptables-1.8.8/iptables/xshared.c =================================================================== ---- iptables-1.8.6.orig/iptables/xshared.c -+++ iptables-1.8.6/iptables/xshared.c -@@ -248,10 +248,14 @@ void xs_init_match(struct xtables_match +--- iptables-1.8.8.orig/iptables/xshared.c ++++ iptables-1.8.8/iptables/xshared.c +@@ -262,10 +262,14 @@ static void alarm_ignore(int i) { - static int xtables_lock(int wait, struct timeval *wait_interval) + static int xtables_lock(int wait) { + static bool already_locked = false; - struct timeval time_left, wait_time; + struct sigaction sigact_alarm; const char *lock_file; - int fd, i = 0; + int fd; + if (already_locked) + /* Avoid deadlocks, see iptables-batch.c */ + return true; - time_left.tv_sec = wait; - time_left.tv_usec = 0; - -@@ -267,8 +271,10 @@ static int xtables_lock(int wait, struct + lock_file = getenv("XTABLES_LOCKFILE"); + if (lock_file == NULL || lock_file[0] == '\0') + lock_file = XT_LOCK_NAME; +@@ -285,8 +289,10 @@ static int xtables_lock(int wait) + alarm(wait); } - if (wait == -1) { -- if (flock(fd, LOCK_EX) == 0) -+ if (flock(fd, LOCK_EX) == 0) { -+ already_locked = true; - return fd; -+ } +- if (flock(fd, LOCK_EX) == 0) ++ if (flock(fd, LOCK_EX) == 0) { ++ already_locked = true; + return fd; ++ } - fprintf(stderr, "Can't lock %s: %s\n", lock_file, - strerror(errno)); + if (errno == EINTR) { + errno = EWOULDBLOCK; diff --git a/iptables.changes b/iptables.changes index 4e94cea..2f5668f 100644 --- a/iptables.changes +++ b/iptables.changes 
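Review bot: The early return `if (already_locked) return true;` hands back the integer 1 from a function whose success path returns a file descriptor (`return fd;` a few lines further down in the same hunk), so any caller that treats the result as a descriptor — to close it, unlock it, or compare it with the XT_LOCK_* sentinels — would be acting on fd 1 (stdout) rather than on the lock file. Keeping the descriptor instead of a boolean avoids the type mismatch: `static int lock_fd = -1;`, `if (lock_fd >= 0) return lock_fd;` for the early return, and `lock_fd = fd;` where the hunk currently sets `already_locked = true;`. Whether a 1.8.8 caller ever closes or inspects the returned value is not visible in this hunk, so treat the concrete impact as unconfirmed; the body of xtables_lock continues past the hunk (the EINTR handling and the failure return are cut off). The nested diffstat line `iptables/xshared.c | 8 +++++++-` in the first hunk of this file was not refreshed alongside the rebased hunks; that is cosmetic.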
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Fri May 13 15:39:33 UTC 2022 - Jan Engelhardt
+
+- Update to release 1.8.8
+ * Add iptables-translate support for: sctp match's
+ --chunk-types option, connlimit match, multiport match's
+ --ports option, and the tcpmss match.
+ * Reject setuid executables in libxtables for safety reasons
+ * Extended arptables-nft with -C, -I, -R, -S cmomands and the
+ "-c N,M" counter syntax.
+ * Debug output in iptables-restore (all variants), iptables-nft
+ and ebtables-nft when specifying -v multiple times
+ * Improved performance of iptables-save and -restore
+
 -------------------------------------------------------------------
 Thu Dec 30 15:05:20 UTC 2021 - Danilo Spinella
 
diff --git a/iptables.spec b/iptables.spec
index af7fbf0..a5d893c 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package iptables
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 %endif
 
 Name: iptables
-Version: 1.8.7
+Version: 1.8.8
 Release: 0
 Summary: IP packet filter administration utilities
 License: Artistic-2.0 AND GPL-2.0-only