Accepting request 753047 from home:jengelh:branches:security:netfilter

- Update to release 2.0.11 OBS-URL: https://build.opensuse.org/request/show/753047 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ebtables?expand=0&rev=61
2019-12-05 11:18:03 +00:00 · 2019-12-05 11:18:03 +00:00 · db552adf3a
commit db552adf3a
parent 2e703e0f84
13 changed files with 164 additions and 632 deletions
--- a/0001-Use-flock-for-concurrent-option.patch
+++ b/0001-Use-flock-for-concurrent-option.patch
@ -1,125 +0,0 @@
-From f401e3ec8358069f2407ae39ecb8b7ba1a6fbcc6 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Fri, 6 Oct 2017 12:48:50 +0200
-Subject: [PATCH 1/2] Use flock() for --concurrent option
-
-The previous locking mechanism was not atomic, hence it was possible
-that a killed ebtables process would leave the lock file in place which
-in turn made future ebtables processes wait indefinitely for the lock to
-become free.
-
-Fix this by using flock(). This also simplifies code quite a bit because
-there is no need for a custom signal handler or an __exit routine
-anymore.
-
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
- ebtables.c |  8 --------
- libebtc.c  | 49 +++++--------------------------------------------
- 2 files changed, 5 insertions(+), 52 deletions(-)
-
-diff --git a/ebtables.c b/ebtables.c
-index 62f1ba8..f7dfccf 100644
--- a/ebtables.c
-+++ b/ebtables.c
-@@ -528,12 +528,6 @@ void ebt_early_init_once()
- 	ebt_iterate_targets(merge_target);
- }
- 
-/* signal handler, installed when the option --concurrent is specified. */
-static void sighandler(int signum)
-{
-	exit(-1);
-}
-
- /* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
- int do_command(int argc, char *argv[], int exec_style,
-                struct ebt_u_replace *replace_)
-@@ -1047,8 +1041,6 @@ big_iface_length:
- 			strcpy(replace->filename, optarg);
- 			break;
- 		case 13 : /* concurrent */
-			signal(SIGINT, sighandler);
-			signal(SIGTERM, sighandler);
- 			use_lockfd = 1;
- 			break;
- 		case 1 :
-diff --git a/libebtc.c b/libebtc.c
-index 17ba8f2..76dd9d7 100644
--- a/libebtc.c
-+++ b/libebtc.c
-@@ -31,6 +31,7 @@
- #include "include/ethernetdb.h"
- #include <unistd.h>
- #include <fcntl.h>
-+#include <sys/file.h>
- #include <sys/wait.h>
- #include <sys/stat.h>
- #include <sys/types.h>
-@@ -137,58 +138,18 @@ void ebt_list_extensions()
- #define LOCKDIR "/var/lib/ebtables"
- #define LOCKFILE LOCKDIR"/lock"
- #endif
-static int lockfd = -1, locked;
- int use_lockfd;
- /* Returns 0 on success, -1 when the file is locked by another process
-  * or -2 on any other error. */
- static int lock_file()
- {
-	int try = 0;
-	int ret = 0;
-	sigset_t sigset;
-
-tryagain:
-	/* the SIGINT handler will call unlock_file. To make sure the state
-	 * of the variable locked is correct, we need to temporarily mask the
-	 * SIGINT interrupt. */
-	sigemptyset(&sigset);
-	sigaddset(&sigset, SIGINT);
-	sigprocmask(SIG_BLOCK, &sigset, NULL);
-	lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
-	if (lockfd < 0) {
-		if (errno == EEXIST)
-			ret = -1;
-		else if (try == 1)
-			ret = -2;
-		else {
-			if (mkdir(LOCKDIR, 00700))
-				ret = -2;
-			else {
-				try = 1;
-				goto tryagain;
-			}
-		}
-	} else {
-		close(lockfd);
-		locked = 1;
-	}
-	sigprocmask(SIG_UNBLOCK, &sigset, NULL);
-	return ret;
-}
-+	int fd = open(LOCKFILE, O_CREAT, 00600);
- 
-void unlock_file()
-{
-	if (locked) {
-		remove(LOCKFILE);
-		locked = 0;
-	}
-+	if (fd < 0)
-+		return -2;
-+	return flock(fd, LOCK_EX);
- }
- 
-void __attribute__ ((destructor)) onexit()
-{
-	if (use_lockfd)
-		unlock_file();
-}
- /* Get the table from the kernel or from a binary file
-  * init: 1 = ask the kernel for the initial contents of a table, i.e. the
-  *           way it looks when the table is insmod'ed
-- 
-2.20.1
-
--- a/0001-fix-compilation-warning.patch
+++ b/0001-fix-compilation-warning.patch
@ -1,25 +0,0 @@
-From 146f762e1b4be613fad4b045c67974c000742647 Mon Sep 17 00:00:00 2001
-From: Petri Gynther <petri.gynther@gmail.com>
-Date: Sun, 24 Feb 2013 10:56:59 +0100
-Subject: [PATCH 1/9] fix compilation warning
-
---
- communication.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/communication.c b/communication.c
-index 62ed667..ba058c0 100644
--- a/communication.c
-+++ b/communication.c
-@@ -282,7 +282,7 @@ static int store_counters_in_file(char *filename, struct ebt_u_replace *repl)
- 	}
- close_file:
- 	fclose(file);
-	return 0;
-+	return ret;
- }
- 
- /* Gets executed after ebt_deliver_table. Delivers the counters to the kernel
-- 
-2.1.4
-
--- a/0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
+++ b/0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
@ -1,45 +0,0 @@
-From 8d9665967e3ea039d720cbf80c26240f1ec1a795 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Mon, 15 Jan 2018 16:27:31 +0100
-Subject: [PATCH 2/2] Fix locking if LOCKDIR does not exist
-
-The previous conversion to using flock() missed a crucial bit of code
-which tries to create LOCKDIR once in case opening the lock failed -
-This patch reestablishes the old behaviour.
-
-Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
-Fixes: 6a826591878db ("Use flock() for --concurrent option")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
- libebtc.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/libebtc.c b/libebtc.c
-index 76dd9d7..7349b27 100644
--- a/libebtc.c
-+++ b/libebtc.c
-@@ -143,10 +143,16 @@ int use_lockfd;
-  * or -2 on any other error. */
- static int lock_file()
- {
-	int fd = open(LOCKFILE, O_CREAT, 00600);
-
-	if (fd < 0)
-		return -2;
-+	int fd, try = 0;
-+
-+retry:
-+	fd = open(LOCKFILE, O_CREAT, 00600);
-+	if (fd < 0) {
-+		if (try == 1 || mkdir(LOCKDIR, 00700))
-+			return -2;
-+		try = 1;
-+		goto retry;
-+	}
- 	return flock(fd, LOCK_EX);
- }
- 
-- 
-2.20.1
-
--- a/ebtables-2.0.11.tar.gz
+++ b/ebtables-2.0.11.tar.gz
--- a/ebtables-2.0.11.tar.gz.sig
+++ b/ebtables-2.0.11.tar.gz.sig
--- a/ebtables-v2.0.10-4-audit.patch
+++ b/ebtables-v2.0.10-4-audit.patch
@ -1,157 +0,0 @@
--- ebtables2.orig/extensions/ebt_AUDIT.c	1970-01-01 01:00:00.000000000 +0100
-+++ ebtables2.orig/extensions/ebt_AUDIT.c	2011-01-07 10:53:46.680329228 +0100
-@@ -0,0 +1,110 @@ 
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <getopt.h>
-+#include "../include/ebtables_u.h"
-+#include <linux/netfilter/xt_AUDIT.h>
-+
-+#define AUDIT_TYPE  '1'
-+static struct option opts[] =
-+{
-+	{ "audit-type" , required_argument, 0, AUDIT_TYPE },
-+	{ 0 }
-+};
-+
-+static void print_help()
-+{
-+	printf(
-+	"AUDIT target options:\n"
-+	" --audit-type TYPE          : Set action type to record.\n");
-+}
-+
-+static void init(struct ebt_entry_target *target)
-+{
-+	struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) target->data;
-+
-+	info->type = 0;
-+}
-+
-+static int parse(int c, char **argv, int argc,
-+   const struct ebt_u_entry *entry, unsigned int *flags,
-+   struct ebt_entry_target **target)
-+{
-+	struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) (*target)->data;
-+
-+	switch (c) {
-+	case AUDIT_TYPE:
-+		ebt_check_option2(flags, AUDIT_TYPE);
-+
-+		if (!strcasecmp(optarg, "accept"))
-+			info->type = XT_AUDIT_TYPE_ACCEPT;
-+		else if (!strcasecmp(optarg, "drop"))
-+			info->type = XT_AUDIT_TYPE_DROP;
-+		else if (!strcasecmp(optarg, "reject"))
-+			info->type = XT_AUDIT_TYPE_REJECT;
-+		else
-+			ebt_print_error2("Bad action type value `%s'", optarg);
-+
-+		break;
-+	 default:
-+		return 0;
-+	}
-+	return 1;
-+}
-+
-+static void final_check(const struct ebt_u_entry *entry,
-+   const struct ebt_entry_match *match, const char *name,
-+   unsigned int hookmask, unsigned int time)
-+{
-+}
-+
-+static void print(const struct ebt_u_entry *entry,
-+   const struct ebt_entry_target *target)
-+{
-+	const struct xt_AUDIT_info *info =
-+		(const struct xt_AUDIT_info *) target->data;
-+
-+	printf("--audit-type ");
-+
-+	switch(info->type) {
-+	case XT_AUDIT_TYPE_ACCEPT:
-+		printf("accept");
-+		break;
-+	case XT_AUDIT_TYPE_DROP:
-+		printf("drop");
-+		break;
-+	case XT_AUDIT_TYPE_REJECT:
-+		printf("reject");
-+		break;
-+	}
-+}
-+
-+static int compare(const struct ebt_entry_target *t1,
-+   const struct ebt_entry_target *t2)
-+{
-+	const struct xt_AUDIT_info *info1 =
-+		(const struct xt_AUDIT_info *) t1->data;
-+	const struct xt_AUDIT_info *info2 =
-+		(const struct xt_AUDIT_info *) t2->data;
-+
-+	return info1->type == info2->type;
-+}
-+
-+static struct ebt_u_target AUDIT_target =
-+{
-+	.name		= "AUDIT",
-+	.size		= sizeof(struct xt_AUDIT_info),
-+	.help		= print_help,
-+	.init		= init,
-+	.parse		= parse,
-+	.final_check	= final_check,
-+	.print		= print,
-+	.compare	= compare,
-+	.extra_ops	= opts,
-+};
-+
-+void _init(void)
-+{
-+	ebt_register_target(&AUDIT_target);
-+}
--- ebtables2.orig/extensions/Makefile	2011-01-07 10:55:28.077246240 +0100
-+++ ebtables2.orig/extensions/Makefile	2011-01-07 10:53:46.686329230 +0100
-@@ -1,7 +1,7 @@ 
- #! /usr/bin/make
- 
- EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark \
-          pkttype stp among limit ulog nflog
-+          pkttype stp among limit ulog nflog AUDIT
- EXT_TABLES+=filter nat broute
- EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
- EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
--- a/include/linux/netfilter/xt_AUDIT.h	
-+++ a/include/linux/netfilter/xt_AUDIT.h	
-@@ -0,0 +1,30 @@ 
-+/*
-+ * Header file for iptables xt_AUDIT target
-+ *
-+ * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
-+ * (C) 2010-2011 Red Hat, Inc.
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License version 2 as
-+ * published by the Free Software Foundation.
-+ */
-+
-+#ifndef _XT_AUDIT_TARGET_H
-+#define _XT_AUDIT_TARGET_H
-+
-+#include <linux/types.h>
-+
-+enum {
-+	XT_AUDIT_TYPE_ACCEPT = 0,
-+	XT_AUDIT_TYPE_DROP,
-+	XT_AUDIT_TYPE_REJECT,
-+	__XT_AUDIT_TYPE_MAX,
-+};
-+
-+#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
-+
-+struct xt_AUDIT_info {
-+	__u8 type; /* XT_AUDIT_TYPE_* */
-+};
-+
-+#endif /* _XT_AUDIT_TARGET_H */
--- a/ebtables-v2.0.10-4.tar.xz
+++ b/ebtables-v2.0.10-4.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b12e664aa78b9b6c45503c91d7db1f892760bf100152179e31d08e34ddcc2b23
-size 83956
--- a/ebtables-v2.0.8-initscript.diff
+++ b/ebtables-v2.0.8-initscript.diff
@ -1,143 +0,0 @@
-Index: ebtables.sysv
-===================================================================
--- ebtables.sysv.orig
-+++ ebtables.sysv
-@@ -11,12 +11,15 @@
- #
- # config: __SYSCONFIG__/ebtables         (text)
- #         __SYSCONFIG__/ebtables.<table> (binary)
-
-source /etc/init.d/functions
-source /etc/sysconfig/network
-
-# Check that networking is up.
-[ ${NETWORKING} = "no" ] && exit 0
-+### BEGIN INIT INFO
-+# Provides:          ebtables
-+# Required-Start:    $remote_fs $network
-+# Required-Stop:     $remote_fs $network
-+# Short-Description: Ethernet Bridge filter tables
-+# Description:       Ethernet Bridge filter tables
-+# Default-Start:     2 3 5
-+# Default-Stop:      0 1 6
-+### END INIT INFO
- 
- [ -x __EXEC_PATH__/ebtables ] || exit 1
- [ -x __EXEC_PATH__/ebtables-save ] || exit 1
-@@ -30,12 +33,15 @@ umask 0077
- #default configuration
- EBTABLES_TEXT_FORMAT="yes"
- EBTABLES_BINARY_FORMAT="yes"
-EBTABLES_MODULES_UNLOAD="yes"
-+EBTABLES_MODULES_UNLOAD="no"
- EBTABLES_SAVE_ON_STOP="no"
- EBTABLES_SAVE_ON_RESTART="no"
- EBTABLES_SAVE_COUNTER="no"
- 
-config=__SYSCONFIG__/$prog-config
-+. /etc/rc.status
-+rc_reset
-+
-+config=/etc/sysconfig/ebtables
- [ -f "$config" ] && . "$config"
- 
- start() {
-@@ -45,16 +51,15 @@ start() {
- 			__EXEC_PATH__/ebtables -t $table --atomic-file __SYSCONFIG__/ebtables.$table --atomic-commit || RETVAL=1
- 		done
- 	else
-		__EXEC_PATH__/ebtables-restore < /etc/sysconfig/ebtables || RETVAL=1
-+		__EXEC_PATH__/ebtables-restore < __SYSCONFIG__/ebtables || RETVAL=1
- 	fi
- 
- 	if [ $RETVAL -eq 0 ]; then
-		success "$prog startup"
-		rm -f /var/lock/subsys/$prog
-+		touch /var/run/rcebtables
-+		rc_failed 0
- 	else
-		failure "$prog startup"
-+		rc_failed 3
- 	fi
-	echo
- }
- 
- stop() {
-@@ -70,17 +75,18 @@ stop() {
- 	fi
- 
- 	if [ $RETVAL -eq 0 ]; then
-		success "$prog shutdown"
-		rm -f /var/lock/subsys/$prog
-+		rm -f /var/run/rcebtables
-+		rc_failed 0
- 	else
-		failure "$prog shutdown"
-+		rc_failed 3
- 	fi
-	echo
- }
- 
- restart() {
- 	stop
-+	rc_status -v
- 	start
-+	rc_status -v
- }
- 
- save() {
-@@ -106,40 +112,42 @@ save() {
- 		done
- 	fi
- 
-	if [ $RETVAL -eq 0 ]; then
-		success "$prog saved"
-	else
-		failure "$prog saved"
-+	if [ $RETVAL -ne 0 ]; then
-+		rc_failed 3
- 	fi
-	echo
- }
- 
- case "$1" in
-   start)
- 	start
-+	rc_status -v
- 	;;
-   stop)
- 	[ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
- 	stop
-+	rc_status -v
- 	;;
-   restart|reload)
- 	[ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
- 	restart
- 	;;
-  condrestart)
-	[ -e /var/lock/subsys/$prog ] && restart
-	RETVAL=$?
-+  try-restart|condrestart)
-+	if [ -e /var/run/rcebtables ]; then
-+		restart
-+	fi
- 	;;
-   save)
- 	save
-+	rc_status -v
- 	;;
-   status)
- 	__EXEC_PATH__/ebtables-save
-	RETVAL=$?
-+	rc_status -v
- 	;;
-   *)
-	echo $"Usage $0 {start|stop|restart|condrestart|save|status}"
-	RETVAL=1
-+	echo $"Usage $0 {start|stop|restart|try-restart|save|status}"
-+	exit 1
-+	;;
- esac
- 
-exit $RETVAL
-+rc_exit
--- a/ebtables-v2.0.8-makefile.diff
+++ b/ebtables-v2.0.8-makefile.diff
@ -1,71 +0,0 @@
---
- Makefile |   24 ++++++++++++------------
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-Index: Makefile
-===================================================================
--- Makefile.orig
-+++ Makefile
-@@ -157,31 +157,31 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
- scripts: ebtables-save ebtables.sysv ebtables-config
- 	cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
- 	mkdir -p $(DESTDIR)$(BINDIR)
-	install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
-+	install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
- 	cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
- 	if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi
-	if test -d $(DESTDIR)$(INITDIR); then install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
-+	if test -d $(DESTDIR)$(INITDIR); then install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
- 	cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
- 	if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(SYSCONFIGDIR); fi
-	if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
-+	if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
- 	rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
- 
- tmp4:=$(shell printf $(LOCKFILE) | sed 's/\//\\\//g')
- $(MANDIR)/man8/ebtables.8: ebtables.8
- 	mkdir -p $(DESTDIR)$(@D)
- 	sed -e 's/$$(VERSION)/$(PROGVERSION)/' -e 's/$$(DATE)/$(PROGDATE)/' -e 's/$$(LOCKFILE)/$(tmp4)/' ebtables.8 > ebtables.8_
-	install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
-+	install -m 0644 ebtables.8_ $(DESTDIR)$@
- 	rm -f ebtables.8_
- 
- $(DESTDIR)$(ETHERTYPESFILE): ethertypes
- 	mkdir -p $(@D)
-	install -m 0644 -o root -g root $< $@
-+	install -m 0644 $< $@
- 
- .PHONY: exec
- exec: ebtables ebtables-restore
- 	mkdir -p $(DESTDIR)$(BINDIR)
-	install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
-	install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
-+	install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
-+	install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
- 
- .PHONY: install
- install: $(MANDIR)/man8/ebtables.8 $(DESTDIR)$(ETHERTYPESFILE) exec scripts
-@@ -205,18 +205,18 @@ release:
- 	rm -f extensions/ebt_inat.c
- 	rm -rf $(CVSDIRS)
- 	mkdir -p include/linux/netfilter_bridge
-	install -m 0644 -o root -g root \
-+	install -m 0644 \
- 		$(KERNEL_INCLUDES)/linux/netfilter_bridge.h include/linux/
- # To keep possible compile error complaints about undefined ETH_P_8021Q
- # off my back
-	install -m 0644 -o root -g root \
-+	install -m 0644 \
- 		$(KERNEL_INCLUDES)/linux/if_ether.h include/linux/
-	install -m 0644 -o root -g root \
-+	install -m 0644 \
- 		$(KERNEL_INCLUDES)/linux/types.h include/linux/
-	install -m 0644 -o root -g root \
-+	install -m 0644 \
- 		$(KERNEL_INCLUDES)/linux/netfilter_bridge/*.h \
- 		include/linux/netfilter_bridge/
-	install -m 0644 -o root -g root \
-+	install -m 0644 \
- 		include/ebtables.h include/linux/netfilter_bridge/
- 	make clean
- 	touch *
--- a/ebtables.changes
+++ b/ebtables.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Mon Dec  2 19:26:41 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.0.11
+  * Add --noflush command line support for ebtables-restore
+  * Do not print IPv6 mask if it is all ones
+  * Allow RETURN target rules in user defined chains
+  * ebt_ip: add support for matching ICMP type and code
+  * ebt_ip: add support for matching IGMP type
+  * extensions: Add string filter to ebtables
+  * Print IPv6 prefixes in CIDR notation
+  * extensions: Add AUDIT target
+  * Fix incorrect IPv6 prefix formatting
+- Drop ebtables-v2.0.8-makefile.diff (no longer needed)
+- Drop ebtables-v2.0.8-initscript.diff, include-linux-if.patch
+  (not applicable)
+- Drop ebtables-v2.0.10-4-audit.patch,
+  0001-fix-compilation-warning.patch,
+  0001-Use-flock-for-concurrent-option.patch,
+  0002-Fix-locking-if-LOCKDIR-does-not-exist.patch (merged)
+
 -------------------------------------------------------------------
 Wed Jul 10 11:30:50 UTC 2019 - Kristyna Streitova <kstreitova@suse.com>

--- a/ebtables.keyring
+++ b/ebtables.keyring
@ -0,0 +1,107 @@
+pub   4096R/0xA4111F89BB5F58CC 2010-10-21 [expires: 2015-10-20]
+      Key fingerprint = 57FF 5E9C 9AA6 7A86 0B55  7AF7 A411 1F89 BB5F 58CC
+uid                 [ expired] Netfilter Core Team <coreteam@netfilter.org>
+sub   4096R/0x0FD3A13A04B92F5C 2010-10-21 [expires: 2015-10-20]
+
+pub   4096R/0xAB4655A126D292E4 2015-10-19 [expires: 2020-10-17]
+      Key fingerprint = C09D B206 3F1D 7034 BA61  52AD AB46 55A1 26D2 92E4
+uid                 [ unknown] Netfilter Core Team <coreteam@netfilter.org>
+sub   4096R/0xE3B0B6BAE3AAA39E 2015-10-19 [expires: 2020-10-17]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBEzAS5EBEADVlGm+KwODJcVmP33HTCbn/eP8obZbgu+3Z1CYRklF8V43vC6D
+8Jfk7fjD4/gWbAKZxriOESXVAN7mp0Fho4+Ga+pxWeLIET9tVM5xbNFK1p9R3XCK
+p5SrugG+tGhizTR9b/1YCMVRz/yX3aDtC7lwObas4hkr5BqhphjvlkjFE7us32by
+43LPpFj2yUpp1VdOf6gxl03kAgJg08h9J7a+n9KHQeAhIpXSRFq3tXiTdXQlovsv
+ckwBjO0m8P2d1Z8/UYwXQgXzuO8W8EqaUSR95nDwl7UnilnKJm2fGvNg3A6PfCSk
+3KdeEBZ45SRfMTPsuC5C4T0Az75h3HFR6YSae46ymg7d4ZA/Bd5K4hvp4PdYrfCi
+GXen7iK9q5XDpopWb0yCrEVJzKjBjDurvpLtAD0IFWcpB6zwM38AnxVH05J8QOx/
+VCZ4vZJxTKWbpHbdcISSMmVt00VfKorF9DsjiAcBRMBcIvDpJTP4yjvr32W09wLc
+d5CIYGrLKhLNysUIJ44AQoTL9yV5aQvCb2EFnoPqCEKQm8onTAGX19PpTDjDPJFt
+WyMMUDtiMp2yODuFo1qHjxvqzSVX+Ti2sGpiT1hEz97GAIlbAvmXs/bTb+U+rBnd
+6027ooes3cWmBSV5kpz/sMp+nFynrLZ5NDnehPScz3W31oGgSdrGsnnhaQARAQAB
+tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
+PgQTAQIAKAUCTMBLkQIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
+CgkQpBEfibtfWMzULxAAtGgYeuEqk0F9y4sz6hFJf+fXKSPPrwWTIUXs/sCxlBtS
+lgf9oTvk3aT48zsMIfsDsS8yfIUjaK+eedIZW3oJ0lBtwRncZKjks8Od5J7DvEhR
+Kpo3cajT1KXJh584IvXN0/BbCdPUI6EQE8n0fEUrSWANfzhuD3qYtX9UUGBq/7i8
+Cf3pGFDeYRjcwWeNZ1T+xbaCKPS5BGlOVhMtauaTBZvTJniB828bOZXd3KrXUeul
+AicbzZzqU7XcNX2YKw19MTQzuGNZQ3npJUPQiHgyELTh3+YUmRkPaZaZiDNZeQvu
+/j8cgSoa26Q48apjghREo0Ues4MwQwEGBbdVkEQQMuC9ASti3OyZBTOqyApc2rpE
+VsW2CkqvoQ8jaP51Ua4mjerYkqEqXaVtbPelNFMJXGNXrKdf0xg5Nl/onWnT9S/s
+jtR3LtjOQ0apbBiGPROtYKWSQtA55TgYNLLS1+947TvU134Px1FA8Dqi72SBl7Xc
+ET4nwISO222wMJBxbY4MYB2TppMysIKXUazIyekbRkpK1woH4AR6NsuJOiVdhjEi
+46MkN7tmHI9S9blA98Ih6C9hMz2YgmQEwOQ0qYgVruPdYZSP+M5o+pra9ch+STBk
+FbB03L9kqcAAE8wpGSBRYU+KuyVRipnPeqoeR8niO71AiKbsfbL1skTGRafC2Q+5
+Ag0ETMBLkQEQANNv2Ymm/BVxwqb1vrLq1scoWK5kmeaRD3ndMBv9F3xwqGnE/JTn
+HnVoZIzGb8MD+MCe9jfm8Y+NLU0D71NpDDqRzFZCCjcTmRMYV6QXlsg/ndnSaU1b
+hG0gSq4N+qZFZ+35yiY5pYv1qZkIqWr4/vg9mk53CU620bNgNJ1+F19s/eTw1231
+pJ6K6BsDi7pj4LXGD5wHZPKAmLabFweCkGbGQo6VwWw1ieNJ0igvzkZtVXuvoeHU
+mAitCaZT9AIYDl4PHryckIzjgTdhK0PP92fyHV64Yr3B7G6hWlEwq4wKk9irdgqD
+20Fuqw8Cvv6k1YucWfdpNbZkUI3siQE+1HUUuRTcT8yrPcEA5ZM1/U+e8jBT3EAr
+hk69G6LCfwyX2Xd/JGlBmc0Qv0t2YKqj9Io1G5lBN1q57+vK7ttiIUomwvfD2ltY
+0bdcEr5LjXOk3Sb+OPIVm7+vr6hDMKdUpdm5ABZRSUb0RJ37hBT+DKYbnp0t/e3a
+MXxV9m3jUq8hNdwc8vU1khr9kf+MWPonE0Vw2kqHIIb4I5W9HkMJf4Vzj9/hVPMI
+ucV+2de/7zqxwa0Jh5VSD7SeKj7LznsAy9gi/AioYq4AKVTsigfyJlWpjOLeOvv7
+z4uUfLRQ5OWWfX8BBw8SoPwnWQD4cXHkrHXVwYR2yy7pEc1CstUN+uqXABEBAAGJ
+AiUEGAECAA8FAkzAS5ECGwwFCQlmAYAACgkQpBEfibtfWMyLqw/6A12S4bnLYaik
+ToKc13ywTUsHplbmlLOy2E/5ZMksdfuWjh9XTMR0nbXWnFULxGKTP00kA0yVpv/j
+beDY/qLzY2Yb0rROCQJjuWSLYuNW40+Hmh9TGsDWt7iK3XsONVpV0sRsMOBCwV3k
+2EsFXu73Fj+1JvQ+WSGluj+N7HFAqPi5OFk3IFFnIGhScUz22V6meSaOEqiXLySg
+qh3lv7+XuGzoBjdy7dDm+SnbmK9lO1IqPsIm4iDwmTNJBiu1Wrz319kLYA0/Vx+o
+fmxyViOX1GZShb1mGH0Aeo4jeYmDNLXapkoymC3HCIMctYDmuIw6QlgG8i1LRcFh
+VKMngLjZ17dl/w8gYOdkCsGIUBzvbFBhxuJnXMnFVyDxft/lorMAimH2kbjDn6qa
+H0uV8ILfFVe6gnKzanugmaSQjWzby/ARPhs6OYAXoIUv5MUVDgvTzVmTckWjVa1R
+kMm3eGmDSqoMxsPmarb80nkoFQMOPhJWlyaUCt6HHRYuSkIcxY4H4Ni3Oq1s1R9/
+EqUuIfxNv7Kp0mcsE2KvANc3JfB9wXwLWqDYRCifLkCD6pbpt9L/+xQ49VzcFxNO
+9DqTyk4N7cz7OZrAi+ouVrdFuiwnZyn5YSQoof6Pos58b3bkFn14m9gofwTqGzPh
+R4Vot9rRu5zrWdoCM4cRThpJyrjqBMuZAg0EViV2IwEQALrfnP0L2QbpXPN1Yg7w
+ESbOMnp3B7nIyeVmo3mvYI/mH0GtEHcFbigsUt4nIXCxI/ppB5NQH/GR8EbTUbq2
+OycNaIRWSDYHX+LDijyZ9NO6m8wbQODdhjroK7q8rHzO8Vp+reNzPM2nY7Uh3w3s
+dPrOERGYeZld1nDyN20ko2Zg4fIJIwVJaHwv4L1j9GYAKp6ACnyG81+VA9adPNCi
+9YyIbET/3/bWkl86AS78rLY7fFo5s2BZn0gvFzCB/q9v/dKYs6e5aX7DUeF2q4OW
+/J7vJjITXGum7ydRC3Neov8PdeNAbBfciznWvnTyArExjgTiHwqQOIDnW4dEJtJw
+iNP50rVKb5DZI3/YokZ5AAQV70ZZemL/5vfGl6a77wvuUFcKFtiQq3JYvt3oWcBO
+zyWbd7L1McwAbOOeSXS9hGWuWHjzFuQl7igdJAXs4GRCgUbM83yTCtmDD11337De
+diSfrcgtmNpkvfRBkjUKYten6N1jsNBqCevLxw0uFYBeSVl96KJyybMd2Rd7P+tC
+jtfpPuEvw9AlPqHZKnKQ4c8vp07MCI9JavJ/nola7rCMk0LULC9tttyaOGNSD3vb
+/t26lXr6qOV60+0lw7xEbdAu8zdEqR/ixKbvn1jbSajTcH3geGL7YakliuctRWTB
+XYyd8abaKDUzrTES1JJ53xRNABEBAAG0LE5ldGZpbHRlciBDb3JlIFRlYW0gPGNv
+cmV0ZWFtQG5ldGZpbHRlci5vcmc+iQI+BBMBAgAoBQJWJXYjAhsDBQkJZgGABgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCrRlWhJtKS5NoHEAC6mgfbDygR+Mrb
+Hg3qbGkgonPjUnYBqkBDz8jgdvFXS3Qm/ANI92qqeLkG+eFusuioIpXg4SHNmyUB
+oR+B60tApBtzO88iAbCHkjvfz4fqAZpYJ3VzYXIa/ScSoQHj77quNkO9aauikTj4
+ro6gnMUI2ilN1dv9Fb9/3XYxfyvP7QhWyGRuu9MekaPNjATtw7tDnDBe0C5eHrwX
+l2ojGxldj2eecoLLYcGw8x4rVDAxlNldh6tNgwc3IQ+4FkIri5sudK4vxDkPbouf
+srT6xoUe+qAj+9mScUeRFSrrdCCRd2EsBq+jhWS/kOWa0OAi6TKSOXMIdJze84Og
+R+67m+PNivmZ5+XgSmM/AzN36Lynx8nx7WNThVCd9HViq9kyXI1tQazGU30++Wec
+ct+7VE2f4aP5ITjd7WlHlEULVjRMBg+mFdz+jfmEncmC41TjWykqvrZWsT98FhNR
+YiRVsniiNvc7BS8X1qBODovvKg44yF3xEy3uFScHMqwMjiEqtVfQpfZh9PjzX1eA
+uj9sMF16NnzVeT/n4gKbO8E4vebtIJgzMd19Y0KCxfMxu4rjSHw1T0bYzwOoa9y/
+ejKM/G/NEnFKzwjySEbG9zlciJXrhb7a2y+YzNvSjEuP8Hs2BLPgJkZtVoiE4UVE
+9Wb7jNhyUz4RC0FdjRyGItGglyc9IbkCDQRWJXYjARAArK1scDuvvWTEJv+y0Sr3
+hnM8mnHIK2XNcn4p/d5nO1myCtZWPRVDIQyyXJMntEqrLBMnjxBdQcQkt7o2mJFL
+yJYO+Xb/9JyH161MPybM60dDXOTTxnAp3dDH4tdL/5snVAyrC93W2PMahK4bdwpM
+10Cz/FxtcB2xJ7Zoqq3bveN4KSUabsRYJN29BwjKtg392MtJ68SAAWN21feQ/Js9
+KjDpNoX2Sl9ZoIR2bbIsaGNeti/ciTy43MS/V6KXNTcoYrgySyW/HCNw9KjtvH+g
+/W/ze0sCXJKLby6oRQfsR2zPBTs9YB92GepG+3j1v+tw4jtbvmLKSse+S5BG8Ue2
+j3Bxbz4/RECdrlxDe4gX1hi5K/W0159pB65fha+DM3YvKrNouKsqLsxm5DMjDjdE
+qVQWtPd4tYy4uL2RWcGvvede+tN5rYsBatfelMfTSFN+jxFntwok6YmulnzIDP4O
+tUjLOpH1ZyNTcXEyAQz51aXcjVuk/6MV64hSEnH1FB7v79Zo9afdmNSKdpXf8nvZ
+3IO7HnXhpwh3pjWplyalZR7nb7PlIDxHCK6S3EN3lutBX4w9oh03KfrWlfZb2TD/
+s85uNzbU7TSb8KFC90i9H/qsd1w3kzy4evRJlyFvIqwksYY76huTfpDdx8yabfFY
+IG2TXc2iMkA7R+oMo+B46kkAEQEAAYkCJQQYAQIADwUCViV2IwIbDAUJCWYBgAAK
+CRCrRlWhJtKS5IB2D/9eL6TJ82wCrh3Hx+R3YeWVObukEBq4Ho8KRFngvIi+2D14
+PljWtITPeplDtpXu3E1i7I74F1925xFs7pT6BD65e13/18y4RX5pwGfu0HTJpi3U
+B47WXlSnyRBLD+/qiKcSCkR1mcKJgyIY9KbA0rr1Drv/3DJR+wBt9Fuww/gxgv7v
+yIxxrDa2+GESxJc1iLyuKFiDtnUkmJpqtJV0szi38W1NQUwWWF3CWUpqfvn316CJ
+4cTyuurLn994ceJDherS9tFcYASdmbl6g6PwWgdFrpmb44J7gdBCsB9q2cpjhDbu
+bgTq7V32CVMBGKOThihJZHIz/LZyuHv9WNYXUNfpEOOUN97C+j6091TSh+5P6oJO
+E61VMBBL51nw3T0FFKtA9kubKLk08GH75vPLaBqLa5B88Z3nJWdlaJOdgGEz65PU
+Uh78iWJ3AFAOwhsDEfxFYC+gZWqt9qw3Wyp2eY2q+5ep4KRxuqq3M0V3zXE6z5ff
+F8CCqRe/yzGAh8RxEmT/Nl+yHEIVv7qpJk6GSvkXr5dN/jyZCiN2fHEhZOBtLvln
+E5UjMbYOGqk3F8OARHarJ/qARATzqNYdDRe9SKxlbog+k6WWxJ4ivSVmYY28vEWf
+79IZ79ZHJ0woRi+vr3Cwpc488Sjwi7a/O0HW6zXSaxXNeYR0VnwvcrZrtlCqIQ==
+=zI6p
+-----END PGP PUBLIC KEY BLOCK-----
--- a/ebtables.spec
+++ b/ebtables.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ebtables
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -22,27 +22,17 @@
 %endif

 Name:           ebtables
-Version:        2.0.10.4
+Version:        2.0.11
 Release:        0
 Summary:        Ethernet Bridge Tables
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
-Url:            http://ebtables.sf.net/
+URL:            http://ebtables.sf.net/
 #Git-Clone:	git://git.netfilter.org/ebtables
-Source:         ebtables-v2.0.10-4.tar.xz
-Source1:        ebtables.service
-Source2:        ebtables.systemd
-Patch0:         ebtables-v2.0.8-makefile.diff
-Patch1:         ebtables-v2.0.8-initscript.diff
-# PATCH-FIX-UPSTREAM bnc#934680 kstreitova@suse.com -- audit patch for CC certification
-Patch2:         ebtables-v2.0.10-4-audit.patch
-# PATCH-FIX-UPSTREAM
-Patch3:         0001-fix-compilation-warning.patch
-# PATCH-FIX-SUSE-ONLY
-Patch4:         include-linux-if.patch
-# PATCH-FIX-UPSTREAM boo#1126094
-Patch5:         0001-Use-flock-for-concurrent-option.patch
-Patch6:         0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
+Source:         http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.bz2#/ebtables-%version.tar.gz
+Source2:        http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.bz2.sig#/ebtables-%version.tar.gz.sig
+Source3:        ebtables.service
+Source4:        ebtables.systemd
 BuildRequires:  linux-glibc-devel >= 2.6.20
 BuildRequires:  sed
 BuildRequires:  systemd-rpm-macros
@ -61,14 +51,17 @@ and some basic filtering on higher network layers. The ebtables tool
 can be used together with the other Linux filtering tools, like
 iptables. There are no incompatibility issues.

+%package -n libebtc0
+Summary:        Library for the ebtables low-level ruleset generation and parsing
+Group:          System/Libraries
+
+%description -n libebtc0
+libebtc ("ebtables cache") is used to retrieve from the kernel, parse,
+construct, and load rulesets into the kernel.
+
 %prep
-%setup -q -n %{name}-v2.0.10-4
-%patch -P 0 -P 1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
+%autosetup -p1
+
 # delete all kernel headers, but keep ebt_ip6.h and ebt_nflog.h
 mv include/linux/netfilter_bridge/ebt_ip6.{h,h.save}
 mv include/linux/netfilter_bridge/ebt_nflog.{h,h.save}
@ -82,48 +75,33 @@ mv include/linux/netfilter_bridge/ebt_ulog.{h.save,h}
 %build
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
 export SUSE_ASNEEDED=0
-make \
-    CFLAGS="%{optflags}" \
-    CXXFLAGS="%{optflags}" \
-    LIBDIR="%{_libdir}/%{name}" \
-    MANDIR="%{_mandir}" \
-    BINDIR="%{_sbindir}" \
-    ETCDIR="%{_sysconfdir}" \
-    INITDIR="%{_sysconfdir}/init.d" \
-    SYSCONFIGDIR="%{_sysconfdir}"
+%configure
+make %{?_smp_mflags}

 %install
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
 export SUSE_ASNEEDED=0
 mkdir -p "%{buildroot}/%{_sysconfdir}/init.d"
-make \
-    DESTDIR=%{buildroot} \
-    LIBDIR="%{_libdir}/%{name}" \
-    MANDIR="%{_mandir}" \
-    BINDIR="%{_sbindir}" \
-    ETCDIR="%{_sysconfdir}" \
-    INITDIR="%{_sysconfdir}/init.d" \
-    SYSCONFIGDIR="%{_sysconfdir}" \
-    install
+%make_install
 mkdir -p %{buildroot}%{_fillupdir}
 mkdir -p %{buildroot}%{_unitdir}
-install -p %{SOURCE1} %{buildroot}%{_unitdir}/
+install -p %_sourcedir/ebtables.service %{buildroot}%{_unitdir}/
 chmod -x %{buildroot}%{_unitdir}/*.service
 mkdir -p %{buildroot}%{_libexecdir}
-install -m0755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables
+install -m0755 %_sourcedir/ebtables.systemd %{buildroot}%{_libexecdir}/ebtables
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.filter
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.nat
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.broute
-rm -rf %{buildroot}%{_initrddir}
+rm -rfv %{buildroot}%{_initrddir}
 # not used
 rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config"
-mv "%{buildroot}/%{_sbindir}/ebtables" "%{buildroot}/%{_sbindir}/ebtables-legacy"
-mv "%{buildroot}/%{_sbindir}/ebtables-restore" "%{buildroot}/%{_sbindir}/ebtables-legacy-restore"
-mv "%{buildroot}/%{_sbindir}/ebtables-save" "%{buildroot}/%{_sbindir}/ebtables-legacy-save"
 for i in ebtables ebtables-restore ebtables-save; do
 	ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
 done
+echo ".so ebtables-legacy.8" >"%buildroot/%_mandir/man8/ebtables.8"
+# no headers to make use of it
+rm -f "%buildroot/%_libdir/libebtc.la" "%buildroot/%_libdir/libebtc.so"

 %pre
 %service_add_pre %{name}.service
@ -145,10 +123,13 @@ if test "$1" = 0; then
 fi
 %service_del_postun %{name}.service

+%post   -n libebtc0 -p /sbin/ldconfig
+%postun -n libebtc0 -p /sbin/ldconfig
+
 %files
 %defattr(-,root,root)
 %doc COPYING ChangeLog
-%{_mandir}/man8/ebtables.8*
+%{_mandir}/man8/ebtables*.8*
 %{_libexecdir}/%{name}
 %{_unitdir}/%{name}.service
 %ghost %{_sysconfdir}/alternatives/ebtables
@ -159,9 +140,10 @@ fi
 %ghost %{_fillupdir}/sysconfig.%{name}.broute
 # is provided by the netcfg package
 %exclude %{_sysconfdir}/ethertypes
-%dir %{_libdir}/%{name}
-%{_libdir}/%{name}/*.so
 %{_sbindir}/ebtables*
 %{_sbindir}/rcebtables

+%files -n libebtc0
+%_libdir/libebtc.so.0*
+
 %changelog
--- a/include-linux-if.patch
+++ b/include-linux-if.patch
@ -1,12 +0,0 @@
-diff --git a/include/ebtables_u.h b/include/ebtables_u.h
-index 35a5bcc..f120eb8 100644
--- a/include/ebtables_u.h
-+++ b/include/ebtables_u.h
-@@ -24,6 +24,7 @@
- #ifndef EBTABLES_U_H
- #define EBTABLES_U_H
- #include <netinet/in.h>
-+#include <linux/if.h>
- #include <linux/netfilter_bridge/ebtables.h>
- #include <linux/netfilter/x_tables.h>
-