From 0fe924cf1e75876551f116f9457dd0787169ed8384e382349ee5d7825daf11da Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 30 Aug 2015 11:27:21 +0000 Subject: [PATCH 1/2] ipset-6.26 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ipset?expand=0&rev=48 --- ipset-6.25.1.tar.bz2 | 3 --- ipset-6.26.tar.bz2 | 3 +++ ipset.changes | 8 ++++++++ ipset.spec | 2 +- 4 files changed, 12 insertions(+), 4 deletions(-) delete mode 100644 ipset-6.25.1.tar.bz2 create mode 100644 ipset-6.26.tar.bz2 diff --git a/ipset-6.25.1.tar.bz2 b/ipset-6.25.1.tar.bz2 deleted file mode 100644 index 98e4e82..0000000 --- a/ipset-6.25.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:658e15d0d0d6a7160137ef1c2bc2c8669cfee996eb9e049df8d7313e34795e7b -size 531786 diff --git a/ipset-6.26.tar.bz2 b/ipset-6.26.tar.bz2 new file mode 100644 index 0000000..601c9e0 --- /dev/null +++ b/ipset-6.26.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7626a18e8a61e099af7d508e6bd71e5f8c5e77f4f1e347534935f1b85c787a51 +size 533037 diff --git a/ipset.changes b/ipset.changes index 7774b50..40a5c72 100644 --- a/ipset.changes +++ b/ipset.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sun Aug 30 11:23:27 UTC 2015 - jengelh@inai.de + +- Update to new upstream release 6.26 +* Out of bound access in hash:net* types fixed +* Make struct htype per ipset family +* Optimize hash creation routine + ------------------------------------------------------------------- Thu Jun 25 09:57:08 UTC 2015 - jengelh@inai.de diff --git a/ipset.spec b/ipset.spec index 92b34fc..666740d 100644 --- a/ipset.spec +++ b/ipset.spec @@ -18,7 +18,7 @@ Name: ipset %define lname libipset3 -Version: 6.25.1 +Version: 6.26 Release: 0 Summary: Netfilter ipset administration utility License: GPL-2.0 From d6162b1d5e8022b2dee76a64f052cd679c7d7d5e4691d46ac719c6c8af0610b1 Mon Sep 17 00:00:00 2001 
From: Kristyna Streitova Date: Tue, 19 Jan 2016 13:12:16 +0000 Subject: [PATCH 2/2] Accepting request 354634 from home:kstreitova:branches:security:netfilter - update to 6.27: * kernel part changes * fix reported memory size for hash:* types * fix hash type expire: release empty hash bucket block * fix hash type expiration: incorrect index fixed * collapse same condition body to a single one * fix extension alignment * compatibility: include linux/export.h when needed * compatibility: make sure vmalloc.h is included for kvfree() * compatibility: Fix detecting 'struct net' in 'struct tcf_ematch' * compatibility: Protect definition of RCU_INIT_POINTER in compatibility header file * netfilter: ipset: Fix sleeping memory allocation in atomic context (Nikolay Borisov) * userspace changes * handle uint64_t alignment issue in ipset tool - disable KMP build as we support the in-kernel version instead. Remove ipset-preamble file that is no longer needed [bsc#962345] - run spec-cleaner OBS-URL: https://build.opensuse.org/request/show/354634 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ipset?expand=0&rev=49 --- ipset-6.26.tar.bz2 | 3 -- ipset-6.27.tar.bz2 | 3 ++ ipset-preamble | 3 -- ipset.changes | 23 +++++++++++ ipset.spec | 95 +++++++++++----------------------------------- 5 files changed, 49 insertions(+), 78 deletions(-) delete mode 100644 ipset-6.26.tar.bz2 create mode 100644 ipset-6.27.tar.bz2 delete mode 100644 ipset-preamble diff --git a/ipset-6.26.tar.bz2 b/ipset-6.26.tar.bz2 deleted file mode 100644 index 601c9e0..0000000 --- a/ipset-6.26.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7626a18e8a61e099af7d508e6bd71e5f8c5e77f4f1e347534935f1b85c787a51 -size 533037 diff --git a/ipset-6.27.tar.bz2 b/ipset-6.27.tar.bz2 new file mode 100644 index 0000000..240ea4d --- /dev/null +++ b/ipset-6.27.tar.bz2 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:724897a80395534466142c3542184e5a480a5046140ca2a7d9097690b931b235 +size 532887 diff --git a/ipset-preamble b/ipset-preamble deleted file mode 100644 index 0be4ca1..0000000 --- a/ipset-preamble +++ /dev/null @@ -1,3 +0,0 @@ -Enhances: kernel-%1 -Requires: kernel-%1 -Supplements: packageand(kernel-%1:ipset) diff --git a/ipset.changes b/ipset.changes index 40a5c72..fff515d 100644 --- a/ipset.changes +++ b/ipset.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Mon Jan 18 15:42:54 UTC 2016 - kstreitova@suse.com + +- update to 6.27: + * kernel part changes + * fix reported memory size for hash:* types + * fix hash type expire: release empty hash bucket block + * fix hash type expiration: incorrect index fixed + * collapse same condition body to a single one + * fix extension alignment + * compatibility: include linux/export.h when needed + * compatibility: make sure vmalloc.h is included for kvfree() + * compatibility: Fix detecting 'struct net' in 'struct tcf_ematch' + * compatibility: Protect definition of RCU_INIT_POINTER in + compatibility header file + * netfilter: ipset: Fix sleeping memory allocation in atomic + context (Nikolay Borisov) + * userspace changes + * handle uint64_t alignment issue in ipset tool +- disable KMP build as we support the in-kernel version instead. + Remove ipset-preamble file that is no longer needed [bsc#962345] +- run spec-cleaner + ------------------------------------------------------------------- Sun Aug 30 11:23:27 UTC 2015 - jengelh@inai.de diff --git a/ipset.spec b/ipset.spec index 666740d..fb451e4 100644 --- a/ipset.spec +++ b/ipset.spec 
@@ -1,7 +1,7 @@ # # spec file for package ipset # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,38 +16,24 @@ # -Name: ipset %define lname libipset3 -Version: 6.26 +Name: ipset +Version: 6.27 Release: 0 Summary: Netfilter ipset administration utility License: GPL-2.0 Group: Productivity/Networking/Security Url: http://ipset.netfilter.org/ - #Git-Clone: git://git.netfilter.org/ipset #Git-Web: http://git.netfilter.org/ -Source: ftp://ftp.netfilter.org/pub/ipset/%name-%version.tar.bz2 -Source3: %name-preamble - -BuildRoot: %{_tmppath}/%{name}-%{version}-build +Source: ftp://ftp.netfilter.org/pub/ipset/%{name}-%{version}.tar.bz2 BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: linux-glibc-devel >= 2.6.24 BuildRequires: pkgconfig >= 0.21 BuildRequires: pkgconfig(libmnl) >= 1 -# Make quilt happy -%if 0%{?kernel_module_package_buildreqs:1} -%define with_kmp 1 -BuildRequires: %kernel_module_package_buildreqs -%endif -BuildRequires: kernel-syms >= 2.6.39 -Recommends: %name-kmp - -%if 0%{?with_kmp:1} -%kernel_module_package -p %name-preamble -%endif +BuildRoot: %{_tmppath}/%{name}-%{version}-build %description IP sets are a framework inside the Linux kernel, which can be 
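Review bot: The reworked `Source:` line in this preamble hunk still points at plain `ftp://ftp.netfilter.org/...`, and the new spec lists no signature or keyring source, so nothing in the package authenticates the tarball's origin. The sha256 in the Git LFS pointer only pins whatever was uploaded. If upstream publishes a detached signature for the release, carry it and the keyring as additional sources (for example `Source1: <upstream signature URL>` and `Source2: %{name}.keyring`) so the download can be verified; if it does not, a comment next to `Source:` should record how the 6.27 tarball was checked. The hunk also removes `Recommends: %name-kmp` and the kernel build requirements without leaving a trace in the spec. A comment such as `# kernel modules are provided by the distribution kernel (bsc#962345)` would make clear that the kernel-side fixes listed in ipset.changes no longer ship from this package.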
@@ -64,24 +50,11 @@ ipset can: * express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets -%package KMP -Summary: Netfilter ipset kernel modules -Group: System/Kernel - -%description KMP -IP sets are a framework inside the Linux kernel, which can be -administered by the ipset utility. Depending on the type, currently -an IP set may store IP addresses, (TCP/UDP) port numbers or IP -addresses with MAC addresses in a way, which ensures lightning speed -when matching an entry against a set. - -This package contains a version update to the in-kernel ipset modules. - -%package -n %lname +%package -n %{lname} Summary: Userspace library for the in-kernel Netfilter ipset interface Group: System/Libraries -%description -n %lname +%description -n %{lname} IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP @@ -91,7 +64,7 @@ when matching an entry against a set. %package devel Summary: Development files for ipset extensions Group: Development/Libraries/C and C++ -Requires: %lname = %version +Requires: %{lname} = %{version} %description devel IP sets are a framework inside the Linux kernel, which can be 
@@ -104,54 +77,32 @@ when matching an entry against a set. %setup -q %build -%if 0%{?with_kmp} -for flavor in %flavors_to_build; do - cp -a . "../%name-$flavor-%version"; - pushd "../%name-$flavor-%version/"; - # ksource: it just checks for a header - %configure --disable-static \ - --with-kbuild="/usr/src/linux-obj/%_target_cpu/$flavor" \ - --with-ksource="/usr/src/linux" \ - --includedir="%_includedir/pkg/%name" - make %{?_smp_mflags} all modules; - popd; -done; -%else -%configure --disable-static --with-kmod=no \ - --includedir="%_includedir/pkg/%name" +%configure --disable-static \ + --with-kmod=no \ + --includedir="%{_includedir}/pkg/%{name}" make %{?_smp_mflags}; -%endif %install -b="%buildroot"; -%if 0%{?with_kmp} -for flavor in %flavors_to_build; do - pushd "../%name-$flavor-%version/"; - make %{?_smp_mflags} install modules_install \ - DESTDIR="$b" INSTALL_MOD_PATH="$b"; - popd; -done; -%else -make %{?_smp_mflags} install DESTDIR="$b"; -%endif -find "$b/%_libdir" -type f -name "*.la" -delete; +make %{?_smp_mflags} install DESTDIR="%{buildroot}"; +find %{buildroot} -type f -name "*.la" -delete -print -%post -n %lname -p /sbin/ldconfig -%postun -n %lname -p /sbin/ldconfig +%post -n %{lname} -p /sbin/ldconfig + +%postun -n %{lname} -p /sbin/ldconfig %files %defattr(-,root,root) -%_sbindir/ipset -%_mandir/man*/* +%{_sbindir}/ipset +%{_mandir}/man*/* -%files -n %lname +%files -n %{lname} %defattr(-,root,root) -%_libdir/libipset.so.3* +%{_libdir}/libipset.so.3* %files devel %defattr(-,root,root) -%_libdir/libipset.so -%_libdir/pkgconfig/libipset.pc -%_includedir/pkg/ +%{_libdir}/libipset.so +%{_libdir}/pkgconfig/libipset.pc +%{_includedir}/pkg/ %changelog
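Review bot: In %install, `find %{buildroot} -type f -name "*.la" -delete -print` expands the build root unquoted, while the `make ... DESTDIR="%{buildroot}"` line directly above quotes it. With a build root that contains whitespace or glob characters the shell would split the path, and `-delete` would then run against arguments other than the intended tree. Quote it the same way: `find "%{buildroot}" -type f -name "*.la" -delete -print`. The search was also widened from `$b/%_libdir` to the whole build root, so a short comment such as `# drop libtool archives; they are not packaged` would record that this is deliberate.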