iptables-1.6.2

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/iptables?expand=0&rev=94

iptables-1.6.1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0fc2d7bd5d7be11311726466789d4c65fb4c8e096c9182b56ce97440864f0cf5
-size 620890

iptables-1.6.2.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:55d02dfa46263343a401f297d44190f2a3e5113c8933946f094ed40237053733
+size 639785

iptables-batch-lock.patch

@@ -1,70 +1,67 @@
-Index: iptables-1.6.1/iptables/iptables-batch.c
+---
+ iptables/iptables-batch.c |   21 +++++++++++++++++++++
+ iptables/xshared.c        |    8 +++++++-
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+Index: iptables-1.6.2/iptables/iptables-batch.c
 ===================================================================
---- iptables-1.6.1.orig/iptables/iptables-batch.c
+--- iptables-1.6.2.orig/iptables/iptables-batch.c
-+++ iptables-1.6.1/iptables/iptables-batch.c
++++ iptables-1.6.2/iptables/iptables-batch.c
-@@ -404,6 +404,34 @@ main(int argc, char *argv[])
+@@ -403,6 +403,27 @@ main(int argc, char *argv[])
+ 	tables[3].name = "raw";
  	tables[3].handle = NULL;
  	current_table = &tables[0];
- 
 +	/*
-+	 * we need to lock the complete batch processing against parallel
++	 * We need to lock the complete batch processing against parallel
-+	 * modification by other processes. Otherwise we can end up with
++	 * modification by other processes. Otherwise, we can end up with
 +	 * EAGAIN errors.
 +	 *
-+	 * the do_command{4,6} function already locks itself, but the
++	 * The do_command{4,6} function already locks itself, but the complete
-+	 * complete call sequence needs to be locked until the commit is
++	 * call sequence needs to be locked until the commit is performed.
-+	 * performed.
 +	 *
-+	 * sadly the xtables_lock() implementation is not very cooperative.
++	 * Sadly, the xtables_lock() implementation is not very cooperative.
-+	 * There's no unlock() equivalent. The lock file descriptor is smiply
++	 * There is no unlock() equivalent. The lock file descriptor is smiply
-+	 * left open until the process exits. Thus we'd have deadlocks when
++	 * left open until the process exits. Thus, we would have deadlocks
-+	 * calling do_command{4,6} the second time.
++	 * when calling do_command{4,6} the second time.
 +	 *
 +	 * To prevent this, part of this patch adds logic to avoid taking the
 +	 * lock a second time in the same process in xtables_lock()
 +	 */
-+
++	const struct timeval wait_interval = {.tv_sec = 1};
-+	const struct timeval wait_interval = {
++	if (!xtables_lock_or_exit(-1, &wait_interval)) {
-+		.tv_sec = 1,
-+	};
-+
-+	if( xtables_lock(-1, &wait_interval) != true )
-+	{
 +		fprintf(stderr, "failed to acquire the xtables lock\n");
 +		exit(1);
 +	}
-+
+ 
  	while((r = getline(&iline, &llen, fp)) != -1)
  	{
- 		if(llen < 1 || !*iline)
+Index: iptables-1.6.2/iptables/xshared.c
-Index: iptables-1.6.1/iptables/xshared.c
 ===================================================================
---- iptables-1.6.1.orig/iptables/xshared.c
+--- iptables-1.6.2.orig/iptables/xshared.c
-+++ iptables-1.6.1/iptables/xshared.c
++++ iptables-1.6.2/iptables/xshared.c
-@@ -250,8 +250,14 @@ void xs_init_match(struct xtables_match
+@@ -248,9 +248,13 @@ void xs_init_match(struct xtables_match
- bool xtables_lock(int wait, struct timeval *wait_interval)
+ 
+ static int xtables_lock(int wait, struct timeval *wait_interval)
  {
- 	struct timeval time_left, wait_time, waited_time;
 +	static bool already_locked = false;
+ 	struct timeval time_left, wait_time;
  	int fd, i = 0;
  
-+	if( already_locked ) {
++	if (already_locked)
-+		// avoid dead-locks, see iptables-batch.c
++		/* Avoid deadlocks, see iptables-batch.c */
 +		return true;
-+	}
-+
  	time_left.tv_sec = wait;
  	time_left.tv_usec = 0;
- 	waited_time.tv_sec = 0;
-@@ -262,8 +268,10 @@ bool xtables_lock(int wait, struct timev
- 		return true;
  
- 	while (1) {
+@@ -262,8 +266,10 @@ static int xtables_lock(int wait, struct
--		if (flock(fd, LOCK_EX | LOCK_NB) == 0)
+ 	}
-+		if (flock(fd, LOCK_EX | LOCK_NB) == 0) {
+ 
+ 	if (wait == -1) {
+-		if (flock(fd, LOCK_EX) == 0)
++		if (flock(fd, LOCK_EX) == 0) {
 +			already_locked = true;
- 			return true;
+ 			return fd;
 +		}
- 		if (++i % 10 == 0) {
+ 
- 			if (wait != -1)
+ 		fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
- 				fprintf(stderr, "Another app is currently holding the xtables lock; "
+ 			strerror(errno));

iptables.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat Feb  3 14:02:59 UTC 2018 - jengelh@inai.de
+
+- Update to new upstream release 1.6.2
+  * add support for the "srh" match
+  * add randomize-full for the "MASQUERADE" target
+  * add rate match mode to the "hashlimit" match
+
 -------------------------------------------------------------------
 Thu Jun 22 15:34:40 UTC 2017 - matthias.gerstner@suse.com
 

iptables.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package iptables
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,12 +17,13 @@
 
 
 Name:           iptables
-Version:        1.6.1
+Version:        1.6.2
 Release:        0
-Summary:        IP Packet Filter Administration utilities
+Summary:        IP packet filter administration utilities
 License:        GPL-2.0 and Artistic-2.0
 Group:          Productivity/Networking/Security
 Url:            http://netfilter.org/projects/iptables/
+#Git-Clone:     git://git.netfilter.org/iptables
 Source:         http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
 Source2:        http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
 Source3:        %name.keyring
@@ -55,19 +56,19 @@ the classic "ip6_tables" and "ip_tables" packet filters in the Linux
 kernel.
 
 %package nft
-Summary:        NFT Packet Filter Administration utilties in the style of Xtables
+Summary:        nft packet filter administration utilties in the style of Xtables
 Group:          Productivity/Networking/Security
 Requires:       xtables-plugins = %version-%release
 Conflicts:      ebtables
 
 %description nft
 The programs shipped in this subpackage behave like iptables on the
-command line, but instead edit the rules of the NFT packet filter in
+command line, but instead edits the rules of the nft packet filter in
 the Linux kernel. Linux kernel 4.2 or newer is recommended to exploit
-all features.
+the features.
 
 %package -n xtables-plugins
-Summary:        Match and Target Extension plugins for iptables
+Summary:        Match and target extension plugins for iptables
 Group:          Productivity/Networking/Security
 Conflicts:      iptables < 1.4.18
 
@@ -128,7 +129,7 @@ ip6tables, their extensions, and for external integration for e.g.
 iproute2's m_xt.
 
 %package -n libxtables-devel
-Summary:        Libraries, Headers and Development Man Pages for iptables
+Summary:        Headers and manpages for iptables
 Group:          Development/Libraries/C and C++
 Requires:       libxtables12 = %version
 
@@ -147,7 +148,7 @@ xtables --variable=xtlibdir).
 %build
 # We have the iptables-batch patch, so always regenerate.
 if true || [ ! -e configure ]; then
-	./autogen.sh;
+	./autogen.sh
 fi
 # bnc#561793 - do not include unclean module in iptables manpage
 rm -f extensions/libipt_unclean.man
@@ -161,7 +162,7 @@ make DESTDIR=%buildroot install
 # iptables-apply is not installed by upstream Makefile
 install -m0755 iptables/iptables-apply %buildroot%_sbindir/
 install -m0644 iptables/iptables-apply.8 %buildroot%_mandir/man8/
-rm -f "%buildroot/%_libdir"/*.la;
+rm -f "%buildroot/%_libdir"/*.la
 %if 0%{?suse_version}
 %fdupes %buildroot/%_prefix
 %endif
@@ -200,6 +201,7 @@ rm -f "%buildroot/%_libdir"/*.la;
 %defattr(-,root,root)
 %_libdir/xtables/
 %_sbindir/nfnl_osf
+%_mandir/man8/nfnl_osf.8*
 %_datadir/xtables/
 
 %files -n libipq0