From 0be2487f5737347cf4b38a88d4f07dff48c00d07e971c7d2f93121ad70d62024 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 22 May 2019 16:20:16 +0000
Subject: [PATCH 1/2] - Add 0001-include-fix-build-with-kernel-headers-before-4.2.patch, 0001-include-extend-the-headers-conflict-workaround-to-in.patch to fix build with older linux-glibc-devel. [boo#1132821]
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=129
---
 ...he-headers-conflict-workaround-to-in.patch | 36 +++++++++++++
 ...build-with-kernel-headers-before-4.2.patch | 52 +++++++++++++++++++
 iptables.changes | 7 +++
 iptables.spec | 2 +
 4 files changed, 97 insertions(+)
 create mode 100644 0001-include-extend-the-headers-conflict-workaround-to-in.patch
 create mode 100644 0001-include-fix-build-with-kernel-headers-before-4.2.patch
diff --git a/0001-include-extend-the-headers-conflict-workaround-to-in.patch b/0001-include-extend-the-headers-conflict-workaround-to-in.patch
new file mode 100644
index 0000000..ba80d79
--- /dev/null
+++ b/0001-include-extend-the-headers-conflict-workaround-to-in.patch
@@ -0,0 +1,36 @@
+From 2908eda10bf9fc81119d4f3ad672c67918ab5955 Mon Sep 17 00:00:00 2001
+From: Baruch Siach
+Date: Sun, 2 Dec 2018 18:56:34 +0200
+Subject: [PATCH] include: extend the headers conflict workaround to in6.h
+
+Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2")
+introduced a kernel/user headers conflict workaround that allows build
+of iptables with kernel headers older than 4.2. This minor extension
+allows build with kernel headers older than 3.12, which is the version
+that introduced explicit IP headers synchronization.
+
+Fixes: 8d9d7e4b9ef4 ("include: fix build with kernel headers before 4.2")
+Cc: Florian Westphal
+Signed-off-by: Baruch Siach
+Signed-off-by: Pablo Neira Ayuso
+---
+ include/linux/netfilter.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
+index bacf8cd9..042d8b14 100644
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -5,8 +5,8 @@
+
+ #ifndef _NETINET_IN_H
+ #include
+-#endif
+ #include
++#endif
+ #include
+
+ /* Responses from hook functions. */
+--
+2.21.0
+
diff --git a/0001-include-fix-build-with-kernel-headers-before-4.2.patch b/0001-include-fix-build-with-kernel-headers-before-4.2.patch
new file mode 100644
index 0000000..13bc73d
--- /dev/null
+++ b/0001-include-fix-build-with-kernel-headers-before-4.2.patch
@@ -0,0 +1,52 @@
+From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
+From: Baruch Siach
+Date: Fri, 16 Nov 2018 09:30:33 +0200
+Subject: [PATCH] include: fix build with kernel headers before 4.2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 672accf1530 (include: update kernel netfilter header files)
+updated linux/netfilter.h and brought with it the update from kernel
+commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
+from netns headers). This triggers conflict of headers that is fixed in
+kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
+netinet/in.h) included in kernel version 4.2. For earlier kernel headers
+we need a workaround that prevents the headers conflict.
+
+Fixes the following build failure:
+
+In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
+ from ../include/libiptc/ipt_kernel_headers.h:8,
+ from ../include/libiptc/libiptc.h:6,
+ from libip4tc.c:29:
+.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
+ IPPROTO_IP = 0, /* Dummy protocol for TCP */
+ ^
+.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
+ IPPROTO_IP = 0, /* Dummy protocol for TCP. */
+ ^~~~~~~~~~
+
+Signed-off-by: Baruch Siach
+Signed-off-by: Florian Westphal
+---
+ include/linux/netfilter.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
+index c3f087ac..bacf8cd9 100644
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -3,7 +3,9 @@
+
+ #include
+
++#ifndef _NETINET_IN_H
+ #include
++#endif
+ #include
+ #include
+
+--
+2.21.0
+
diff --git a/iptables.changes b/iptables.changes
index 4a8d428..20d223d 100644
--- a/iptables.changes
+++ b/iptables.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed May 22 16:15:28 UTC 2019 - Jan Engelhardt
+
+- Add 0001-include-fix-build-with-kernel-headers-before-4.2.patch,
+ 0001-include-extend-the-headers-conflict-workaround-to-in.patch
+ to fix build with older linux-glibc-devel. [boo#1132821]
+
 -------------------------------------------------------------------
 Thu Apr 4 11:44:31 UTC 2019 - Kristýna Streitová
diff --git a/iptables.spec b/iptables.spec
index 5f4bed1..9170767 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -27,6 +27,8 @@ URL: https://netfilter.org/projects/iptables/
 Source: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
 Source2: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3: %name.keyring
+Patch1: 0001-include-fix-build-with-kernel-headers-before-4.2.patch
+Patch2: 0001-include-extend-the-headers-conflict-workaround-to-in.patch
 Patch3: iptables-batch.patch
 Patch4: iptables-apply-mktemp-fix.patch
 Patch5: iptables-batch-lock.patch
From b743329ed5042473e97451200d9776219494513f27a1a73da740d7fca84e0ac3 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 28 May 2019 09:54:16 +0000
Subject: [PATCH 2/2] - Update to new upstream release 1.8.3
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=130
---
 ...he-headers-conflict-workaround-to-in.patch | 36 ------------
 ...build-with-kernel-headers-before-4.2.patch | 52 ------------------
 iptables-1.8.2.tar.bz2 | 3 -
 iptables-1.8.2.tar.bz2.sig | Bin 590 -> 0 bytes
 iptables-1.8.3.tar.bz2 | 3 +
 iptables-1.8.3.tar.bz2.sig | Bin 0 -> 590 bytes
 iptables.changes | 10 ++++
 iptables.spec | 42 +++++++++-----
 8 files changed, 41 insertions(+), 105 deletions(-)
 delete mode 100644 0001-include-extend-the-headers-conflict-workaround-to-in.patch
 delete mode 100644 0001-include-fix-build-with-kernel-headers-before-4.2.patch
 delete mode 100644 iptables-1.8.2.tar.bz2
 delete mode 100644 iptables-1.8.2.tar.bz2.sig
 create mode 100644 iptables-1.8.3.tar.bz2
 create mode 100644 iptables-1.8.3.tar.bz2.sig
diff --git a/0001-include-extend-the-headers-conflict-workaround-to-in.patch b/0001-include-extend-the-headers-conflict-workaround-to-in.patch
deleted file mode 100644
index ba80d79..0000000
--- a/0001-include-extend-the-headers-conflict-workaround-to-in.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2908eda10bf9fc81119d4f3ad672c67918ab5955 Mon Sep 17 00:00:00 2001
-From: Baruch Siach
-Date: Sun, 2 Dec 2018 18:56:34 +0200
-Subject: [PATCH] include: extend the headers conflict workaround to in6.h
-
-Commit 8d9d7e4b9ef ("include: fix build with kernel headers before 4.2")
-introduced a kernel/user headers conflict workaround that allows build
-of iptables with kernel headers older than 4.2. This minor extension
-allows build with kernel headers older than 3.12, which is the version
-that introduced explicit IP headers synchronization.
-
-Fixes: 8d9d7e4b9ef4 ("include: fix build with kernel headers before 4.2")
-Cc: Florian Westphal
-Signed-off-by: Baruch Siach
-Signed-off-by: Pablo Neira Ayuso
----
- include/linux/netfilter.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
-index bacf8cd9..042d8b14 100644
----- a/include/linux/netfilter.h
-+++ b/include/linux/netfilter.h
-@@ -5,8 +5,8 @@
-
- #ifndef _NETINET_IN_H
- #include
--#endif
- #include
-+#endif
- #include
-
- /* Responses from hook functions. */
---
-2.21.0
-
diff --git a/0001-include-fix-build-with-kernel-headers-before-4.2.patch b/0001-include-fix-build-with-kernel-headers-before-4.2.patch
deleted file mode 100644
index 13bc73d..0000000
--- a/0001-include-fix-build-with-kernel-headers-before-4.2.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
-From: Baruch Siach
-Date: Fri, 16 Nov 2018 09:30:33 +0200
-Subject: [PATCH] include: fix build with kernel headers before 4.2
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit 672accf1530 (include: update kernel netfilter header files)
-updated linux/netfilter.h and brought with it the update from kernel
-commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
-from netns headers). This triggers conflict of headers that is fixed in
-kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
-netinet/in.h) included in kernel version 4.2. For earlier kernel headers
-we need a workaround that prevents the headers conflict.
-
-Fixes the following build failure:
-
-In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
- from ../include/libiptc/ipt_kernel_headers.h:8,
- from ../include/libiptc/libiptc.h:6,
- from libip4tc.c:29:
-.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
- IPPROTO_IP = 0, /* Dummy protocol for TCP */
- ^
-.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
- IPPROTO_IP = 0, /* Dummy protocol for TCP. */
- ^~~~~~~~~~
-
-Signed-off-by: Baruch Siach
-Signed-off-by: Florian Westphal
----
- include/linux/netfilter.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
-index c3f087ac..bacf8cd9 100644
----- a/include/linux/netfilter.h
-+++ b/include/linux/netfilter.h
-@@ -3,7 +3,9 @@
-
- #include
-
-+#ifndef _NETINET_IN_H
- #include
-+#endif
- #include
- #include
-
---
-2.21.0
-
diff --git a/iptables-1.8.2.tar.bz2 b/iptables-1.8.2.tar.bz2
deleted file mode 100644
index 120cf0c..0000000
--- a/iptables-1.8.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a3778b50ed1a3256f9ca975de82c2204e508001fc2471238c8c97f3d1c4c12af -size 679858 diff --git a/iptables-1.8.2.tar.bz2.sig b/iptables-1.8.2.tar.bz2.sig deleted file mode 100644 index ef08f9d2b56773870b5d162b77b5e96bd2d185ce47af31af224fb086c2f294c3..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 590 zcmV-U04?5axQOjX8;Nb5UWO2p(fIjX(KT(sg_ zM`eDa3(S?IbF?pwWhe#FFu&JD7Q@LGc~|UR#we79IPM1$Cq6<3S)7!bO)Z_Tv&;Py zw}#)`yee}HCy$YGforU6NdXmdW3SC-!`(wVvsHaKn#^V;+KPbyMJ&qbHxmGsW#QC; zGAXeh&A|G!1|xpcRWAeakjqp-WQG$qc6cvZN08Zx)PzVovB0%QQ}1+W+l=5uPAW(a ztXm8}7u;(2ostUEDU_=ZDaF7i>Iz-!%>%BTb)(^9%dSG!2N-Ox772FHzgBzBA&{_; zF(J9wx$v$w86X=dlJRH0G}N&=d`oqccL1WHk{{(b#1Fd9Fcv`eCAW!(kpflYbEo|j zmVYIYvKb@_xtF>%cb$A>5J9{%4g)D7V4{^w2%S3CgtuBnPA&TGW`=Xn1=!DBxf;sK zLZ9bVOAd}UzE%i$Vhv>5%g&ePBC)zqTvyn$vX3#nzhQVoaxVS+WTpfi$MuVN z>U-Is(qbEh!1vGub@t2{pUF+%`+WI}5Ru{Iu(3$lCHnHa?u(6fC!pNP+qGHK^3Ac; z%;5~*;#)Cp)0?BdL1%oxc^kw_4DP{!$xqmH5PCD8pNY--OaGD{Cy4ji1EYS2>np^B cbVk-9ZAeF1G%P@q<{>|)q{-cWd976UT2v(+kN^Mx diff --git a/iptables-1.8.3.tar.bz2 b/iptables-1.8.3.tar.bz2 new file mode 100644 index 0000000..9fc86e2 --- /dev/null +++ b/iptables-1.8.3.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80 +size 716257 
diff --git a/iptables-1.8.3.tar.bz2.sig b/iptables-1.8.3.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..e9ef737a2b0f4f9b56ef3f2d0f100173e771e14057872f7627bf732e24d61e1f GIT binary patch literal 590 zcmV-U04?5axQOjX8;Nb5UWO2p(fIjMX#@xUzvy?+cjhajj0_ofH2f`1ajhTBK0F7yBW7D3eWB9RQSH09ZwTKEhRW zP-sFJd1}Lj1x-B=ozW?T33lXKfT^B|o#|d6(F7!k#zw7leMdkw&)8v>SiaFeCgv}< z0JowgM|7y|bM-_6=cxMN6<|kCDHM%{>1MD3bBG{*xqfs1<~6W zklFT4{QFgB{@A-_LT}P>K#wM!X=p2^ox|-DD_+Ek{b?ecQ zKKs#8n$}yzMbQ&9kZ>a?jC`R5X%f~oK#EAp37tQd&P%cZ>z1zxaq*6OqJQby1%ir;&BGQqhh{ + +- Update to new upstream release 1.8.3 + * ebtables: Fix rule listing with counters + * ebtables-nft: Support user-defined chain policies +- Remove 0001-include-extend-the-headers-conflict-workaround-to-in.patch + 0001-include-fix-build-with-kernel-headers-before-4.2.patch + (upstreamed) + ------------------------------------------------------------------- Wed May 22 16:15:28 UTC 2019 - Jan Engelhardt diff --git a/iptables.spec b/iptables.spec index 9170767..ae3ce0c 100644 --- a/iptables.spec +++ b/iptables.spec @@ -17,7 +17,7 @@ Name: iptables -Version: 1.8.2 +Version: 1.8.3 Release: 0 Summary: IP packet filter administration utilities License: GPL-2.0-only AND Artistic-2.0 @@ -27,8 +27,6 @@ URL: https://netfilter.org/projects/iptables/ Source: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2 Source2: https://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig Source3: %name.keyring -Patch1: 0001-include-fix-build-with-kernel-headers-before-4.2.patch -Patch2: 0001-include-extend-the-headers-conflict-workaround-to-in.patch Patch3: iptables-batch.patch Patch4: iptables-apply-mktemp-fix.patch Patch5: iptables-batch-lock.patch 
@@ -45,7 +43,7 @@ BuildRequires: xz
 BuildRequires: pkgconfig(libmnl) >= 1.0
 BuildRequires: pkgconfig(libnetfilter_conntrack) >= 1.0.4
 BuildRequires: pkgconfig(libnfnetlink) >= 1.0.0
-BuildRequires: pkgconfig(libnftnl) >= 1.1.1
+BuildRequires: pkgconfig(libnftnl) >= 1.1.3
 Requires: netcfg >= 11.6
 Requires: xtables-plugins = %version-%release
 Requires(post): update-alternatives
@@ -103,18 +101,29 @@ be modified in userspace prior to reinjection back into the kernel.
 ip_queue/libipq is obsoleted by nf_queue/libnetfilter_queue!
-%package -n libiptc0
-Summary: Library for the ip_tables low-level ruleset generation and parsing
+%package -n libip4tc2
+Summary: Library for the ip_tables low-level ruleset generation and parsing (IPv4)
 Group: System/Libraries
-%description -n libiptc0
+%description -n libip4tc2
 libiptc ("iptables cache") is used to retrieve from the kernel, parse,
 construct, and load rulesets into the kernel.
+This package contains the iptc IPv4 API.
+
+%package -n libip6tc2
+Summary: Library for the ip_tables low-level ruleset generation and parsing (IPv6)
+Group: System/Libraries
+
+%description -n libip6tc2
+libiptc ("iptables cache") is used to retrieve from the kernel, parse,
+construct, and load rulesets into the kernel.
+This package contains the iptc IPv6 API.
 %package -n libiptc-devel
 Summary: Development files for libiptc, a packet filter ruleset library
 Group: Development/Libraries/C and C++
-Requires: libiptc0 = %version
+Requires: libip4tc2 = %version
+Requires: libip6tc2 = %version
 %description -n libiptc-devel
 libiptc ("iptables cache") is used to retrieve from the kernel, parse,
@@ -158,6 +167,8 @@ make %{?_smp_mflags} V=1
 %install
 %make_install
 b="%buildroot"
+# no contents and is unused; proposed for removal upstream
+rm -f "$b/%_libdir/"libiptc.so*
 # iptables-apply is not installed by upstream Makefile
 install -m0755 iptables/iptables-apply "$b/%_sbindir/"
 install -m0644 iptables/iptables-apply.8 "$b/%_mandir/man8/"
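Review bot: The two new subpackages libip4tc2 and libip6tc2 replace libiptc0 without any comment on what happens to an already installed libiptc0. Going by the %files change later in this commit the library SONAMEs move from `.so.0*` to `.so.2*`, so leaving out `Obsoletes: libiptc0` is presumably deliberate; the consequence is that the 1.8.2 libiptc0 can remain on upgraded systems while no longer being rebuilt or updated from this source package. A comment above `%package -n libip4tc2`, for example `# SONAME bump .0 -> .2; libiptc0 is intentionally not obsoleted`, would record that decision for whoever audits installed library versions later. The libiptc-devel description continues past the end of the hunk.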
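Review bot: `rm -f "$b/%_libdir/"libiptc.so*` can never fail, so once upstream stops installing libiptc the workaround stays in %install unnoticed; without `-f` (`rm "$b/%_libdir/"libiptc.so*`) the build would flag the stale line. The glob also deletes the versioned runtime object and not only the development symlink, so anything that may still refer to `-liptc` (the libiptc-devel %files list or a libiptc.pc, neither visible in this hunk) should be checked in the same change. The added comment would be easier to act on with a pointer to the upstream proposal it mentions. The %install section begins and continues outside the hunk.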
@@ -211,8 +222,10 @@ fi
 %post -n libipq0 -p /sbin/ldconfig
 %postun -n libipq0 -p /sbin/ldconfig
-%post -n libiptc0 -p /sbin/ldconfig
-%postun -n libiptc0 -p /sbin/ldconfig
+%post -n libip4tc2 -p /sbin/ldconfig
+%postun -n libip4tc2 -p /sbin/ldconfig
+%post -n libip6tc2 -p /sbin/ldconfig
+%postun -n libip6tc2 -p /sbin/ldconfig
 %post -n libxtables12 -p /sbin/ldconfig
 %postun -n libxtables12 -p /sbin/ldconfig
@@ -288,10 +301,11 @@ fi
 %_libdir/libipq.so
 %_libdir/pkgconfig/libipq.pc
-%files -n libiptc0
-%_libdir/libiptc.so.0*
-%_libdir/libip4tc.so.0*
-%_libdir/libip6tc.so.0*
+%files -n libip4tc2
+%_libdir/libip4tc.so.2*
+
+%files -n libip6tc2
+%_libdir/libip6tc.so.2*
 %files -n libiptc-devel
 %dir %_includedir/%name/