Accepting request 753047 from home:jengelh:branches:security:netfilter

- Update to release 2.0.11 OBS-URL: https://build.opensuse.org/request/show/753047 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ebtables?expand=0&rev=61
2019-12-05 11:18:03 +00:00 · 2019-12-05 11:18:03 +00:00 · db552adf3a
commit db552adf3a
parent 2e703e0f84
13 changed files with 164 additions and 632 deletions
--- a/0001-Use-flock-for-concurrent-option.patch
+++ b/0001-Use-flock-for-concurrent-option.patch
@ -1,125 +0,0 @@
 From f401e3ec8358069f2407ae39ecb8b7ba1a6fbcc6 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Fri, 6 Oct 2017 12:48:50 +0200
 Subject: [PATCH 1/2] Use flock() for --concurrent option
 The previous locking mechanism was not atomic, hence it was possible
 that a killed ebtables process would leave the lock file in place which
 in turn made future ebtables processes wait indefinitely for the lock to
 become free.
 Fix this by using flock(). This also simplifies code quite a bit because
 there is no need for a custom signal handler or an __exit routine
 anymore.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 ebtables.c |  8 --------
 libebtc.c  | 49 +++++--------------------------------------------
 2 files changed, 5 insertions(+), 52 deletions(-)
 diff --git a/ebtables.c b/ebtables.c
 index 62f1ba8..f7dfccf 100644
 --- a/ebtables.c
 +++ b/ebtables.c
@@ -528,12 +528,6 @@ void ebt_early_init_once()
 	ebt_iterate_targets(merge_target);
 }
 -/* signal handler, installed when the option --concurrent is specified. */
 -static void sighandler(int signum)
 -{
 -	exit(-1);
 -}
 -
 /* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
 int do_command(int argc, char *argv[], int exec_style,
                struct ebt_u_replace *replace_)
@@ -1047,8 +1041,6 @@ big_iface_length:
 			strcpy(replace->filename, optarg);
 			break;
 		case 13 : /* concurrent */
 -			signal(SIGINT, sighandler);
 -			signal(SIGTERM, sighandler);
 			use_lockfd = 1;
 			break;
 		case 1 :
 diff --git a/libebtc.c b/libebtc.c
 index 17ba8f2..76dd9d7 100644
 --- a/libebtc.c
 +++ b/libebtc.c
@@ -31,6 +31,7 @@
 #include "include/ethernetdb.h"
 #include <unistd.h>
 #include <fcntl.h>
 +#include <sys/file.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -137,58 +138,18 @@ void ebt_list_extensions()
 #define LOCKDIR "/var/lib/ebtables"
 #define LOCKFILE LOCKDIR"/lock"
 #endif
 -static int lockfd = -1, locked;
 int use_lockfd;
 /* Returns 0 on success, -1 when the file is locked by another process
  * or -2 on any other error. */
 static int lock_file()
 {
 -	int try = 0;
 -	int ret = 0;
 -	sigset_t sigset;
 -
 -tryagain:
 -	/* the SIGINT handler will call unlock_file. To make sure the state
 -	 * of the variable locked is correct, we need to temporarily mask the
 -	 * SIGINT interrupt. */
 -	sigemptyset(&sigset);
 -	sigaddset(&sigset, SIGINT);
 -	sigprocmask(SIG_BLOCK, &sigset, NULL);
 -	lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
 -	if (lockfd < 0) {
 -		if (errno == EEXIST)
 -			ret = -1;
 -		else if (try == 1)
 -			ret = -2;
 -		else {
 -			if (mkdir(LOCKDIR, 00700))
 -				ret = -2;
 -			else {
 -				try = 1;
 -				goto tryagain;
 -			}
 -		}
 -	} else {
 -		close(lockfd);
 -		locked = 1;
 -	}
 -	sigprocmask(SIG_UNBLOCK, &sigset, NULL);
 -	return ret;
 -}
 +	int fd = open(LOCKFILE, O_CREAT, 00600);
 -void unlock_file()
 -{
 -	if (locked) {
 -		remove(LOCKFILE);
 -		locked = 0;
 -	}
 +	if (fd < 0)
 +		return -2;
 +	return flock(fd, LOCK_EX);
 }
 -void __attribute__ ((destructor)) onexit()
 -{
 -	if (use_lockfd)
 -		unlock_file();
 -}
 /* Get the table from the kernel or from a binary file
  * init: 1 = ask the kernel for the initial contents of a table, i.e. the
  *           way it looks when the table is insmod'ed
 -- 
 2.20.1
--- a/0001-fix-compilation-warning.patch
+++ b/0001-fix-compilation-warning.patch
@ -1,25 +0,0 @@
 From 146f762e1b4be613fad4b045c67974c000742647 Mon Sep 17 00:00:00 2001
 From: Petri Gynther <petri.gynther@gmail.com>
 Date: Sun, 24 Feb 2013 10:56:59 +0100
 Subject: [PATCH 1/9] fix compilation warning
 ---
 communication.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/communication.c b/communication.c
 index 62ed667..ba058c0 100644
 --- a/communication.c
 +++ b/communication.c
@@ -282,7 +282,7 @@ static int store_counters_in_file(char *filename, struct ebt_u_replace *repl)
 	}
 close_file:
 	fclose(file);
 -	return 0;
 +	return ret;
 }
 /* Gets executed after ebt_deliver_table. Delivers the counters to the kernel
 -- 
 2.1.4
--- a/0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
+++ b/0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
@ -1,45 +0,0 @@
 From 8d9665967e3ea039d720cbf80c26240f1ec1a795 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Mon, 15 Jan 2018 16:27:31 +0100
 Subject: [PATCH 2/2] Fix locking if LOCKDIR does not exist
 The previous conversion to using flock() missed a crucial bit of code
 which tries to create LOCKDIR once in case opening the lock failed -
 This patch reestablishes the old behaviour.
 Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
 Fixes: 6a826591878db ("Use flock() for --concurrent option")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 libebtc.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
 diff --git a/libebtc.c b/libebtc.c
 index 76dd9d7..7349b27 100644
 --- a/libebtc.c
 +++ b/libebtc.c
@@ -143,10 +143,16 @@ int use_lockfd;
  * or -2 on any other error. */
 static int lock_file()
 {
 -	int fd = open(LOCKFILE, O_CREAT, 00600);
 -
 -	if (fd < 0)
 -		return -2;
 +	int fd, try = 0;
 +
 +retry:
 +	fd = open(LOCKFILE, O_CREAT, 00600);
 +	if (fd < 0) {
 +		if (try == 1 || mkdir(LOCKDIR, 00700))
 +			return -2;
 +		try = 1;
 +		goto retry;
 +	}
 	return flock(fd, LOCK_EX);
 }
 -- 
 2.20.1
--- a/ebtables-2.0.11.tar.gz
+++ b/ebtables-2.0.11.tar.gz
--- a/ebtables-2.0.11.tar.gz.sig
+++ b/ebtables-2.0.11.tar.gz.sig
--- a/ebtables-v2.0.10-4-audit.patch
+++ b/ebtables-v2.0.10-4-audit.patch
@ -1,157 +0,0 @@
 --- ebtables2.orig/extensions/ebt_AUDIT.c	1970-01-01 01:00:00.000000000 +0100
 +++ ebtables2.orig/extensions/ebt_AUDIT.c	2011-01-07 10:53:46.680329228 +0100
@@ -0,0 +1,110 @@ 
 +
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <string.h>
 +#include <getopt.h>
 +#include "../include/ebtables_u.h"
 +#include <linux/netfilter/xt_AUDIT.h>
 +
 +#define AUDIT_TYPE  '1'
 +static struct option opts[] =
 +{
 +	{ "audit-type" , required_argument, 0, AUDIT_TYPE },
 +	{ 0 }
 +};
 +
 +static void print_help()
 +{
 +	printf(
 +	"AUDIT target options:\n"
 +	" --audit-type TYPE          : Set action type to record.\n");
 +}
 +
 +static void init(struct ebt_entry_target *target)
 +{
 +	struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) target->data;
 +
 +	info->type = 0;
 +}
 +
 +static int parse(int c, char **argv, int argc,
 +   const struct ebt_u_entry *entry, unsigned int *flags,
 +   struct ebt_entry_target **target)
 +{
 +	struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) (*target)->data;
 +
 +	switch (c) {
 +	case AUDIT_TYPE:
 +		ebt_check_option2(flags, AUDIT_TYPE);
 +
 +		if (!strcasecmp(optarg, "accept"))
 +			info->type = XT_AUDIT_TYPE_ACCEPT;
 +		else if (!strcasecmp(optarg, "drop"))
 +			info->type = XT_AUDIT_TYPE_DROP;
 +		else if (!strcasecmp(optarg, "reject"))
 +			info->type = XT_AUDIT_TYPE_REJECT;
 +		else
 +			ebt_print_error2("Bad action type value `%s'", optarg);
 +
 +		break;
 +	 default:
 +		return 0;
 +	}
 +	return 1;
 +}
 +
 +static void final_check(const struct ebt_u_entry *entry,
 +   const struct ebt_entry_match *match, const char *name,
 +   unsigned int hookmask, unsigned int time)
 +{
 +}
 +
 +static void print(const struct ebt_u_entry *entry,
 +   const struct ebt_entry_target *target)
 +{
 +	const struct xt_AUDIT_info *info =
 +		(const struct xt_AUDIT_info *) target->data;
 +
 +	printf("--audit-type ");
 +
 +	switch(info->type) {
 +	case XT_AUDIT_TYPE_ACCEPT:
 +		printf("accept");
 +		break;
 +	case XT_AUDIT_TYPE_DROP:
 +		printf("drop");
 +		break;
 +	case XT_AUDIT_TYPE_REJECT:
 +		printf("reject");
 +		break;
 +	}
 +}
 +
 +static int compare(const struct ebt_entry_target *t1,
 +   const struct ebt_entry_target *t2)
 +{
 +	const struct xt_AUDIT_info *info1 =
 +		(const struct xt_AUDIT_info *) t1->data;
 +	const struct xt_AUDIT_info *info2 =
 +		(const struct xt_AUDIT_info *) t2->data;
 +
 +	return info1->type == info2->type;
 +}
 +
 +static struct ebt_u_target AUDIT_target =
 +{
 +	.name		= "AUDIT",
 +	.size		= sizeof(struct xt_AUDIT_info),
 +	.help		= print_help,
 +	.init		= init,
 +	.parse		= parse,
 +	.final_check	= final_check,
 +	.print		= print,
 +	.compare	= compare,
 +	.extra_ops	= opts,
 +};
 +
 +void _init(void)
 +{
 +	ebt_register_target(&AUDIT_target);
 +}
 --- ebtables2.orig/extensions/Makefile	2011-01-07 10:55:28.077246240 +0100
 +++ ebtables2.orig/extensions/Makefile	2011-01-07 10:53:46.686329230 +0100
@@ -1,7 +1,7 @@ 
 #! /usr/bin/make
 EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark \
 -          pkttype stp among limit ulog nflog
 +          pkttype stp among limit ulog nflog AUDIT
 EXT_TABLES+=filter nat broute
 EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
 EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
 --- a/include/linux/netfilter/xt_AUDIT.h	
 +++ a/include/linux/netfilter/xt_AUDIT.h	
@@ -0,0 +1,30 @@ 
 +/*
 + * Header file for iptables xt_AUDIT target
 + *
 + * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
 + * (C) 2010-2011 Red Hat, Inc.
 + *
 + * This program is free software; you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License version 2 as
 + * published by the Free Software Foundation.
 + */
 +
 +#ifndef _XT_AUDIT_TARGET_H
 +#define _XT_AUDIT_TARGET_H
 +
 +#include <linux/types.h>
 +
 +enum {
 +	XT_AUDIT_TYPE_ACCEPT = 0,
 +	XT_AUDIT_TYPE_DROP,
 +	XT_AUDIT_TYPE_REJECT,
 +	__XT_AUDIT_TYPE_MAX,
 +};
 +
 +#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
 +
 +struct xt_AUDIT_info {
 +	__u8 type; /* XT_AUDIT_TYPE_* */
 +};
 +
 +#endif /* _XT_AUDIT_TARGET_H */
--- a/ebtables-v2.0.10-4.tar.xz
+++ b/ebtables-v2.0.10-4.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:b12e664aa78b9b6c45503c91d7db1f892760bf100152179e31d08e34ddcc2b23
 size 83956
--- a/ebtables-v2.0.8-initscript.diff
+++ b/ebtables-v2.0.8-initscript.diff
@ -1,143 +0,0 @@
 Index: ebtables.sysv
 ===================================================================
 --- ebtables.sysv.orig
 +++ ebtables.sysv
@@ -11,12 +11,15 @@
 #
 # config: __SYSCONFIG__/ebtables         (text)
 #         __SYSCONFIG__/ebtables.<table> (binary)
 -
 -source /etc/init.d/functions
 -source /etc/sysconfig/network
 -
 -# Check that networking is up.
 -[ ${NETWORKING} = "no" ] && exit 0
 +### BEGIN INIT INFO
 +# Provides:          ebtables
 +# Required-Start:    $remote_fs $network
 +# Required-Stop:     $remote_fs $network
 +# Short-Description: Ethernet Bridge filter tables
 +# Description:       Ethernet Bridge filter tables
 +# Default-Start:     2 3 5
 +# Default-Stop:      0 1 6
 +### END INIT INFO
 [ -x __EXEC_PATH__/ebtables ] || exit 1
 [ -x __EXEC_PATH__/ebtables-save ] || exit 1
@@ -30,12 +33,15 @@ umask 0077
 #default configuration
 EBTABLES_TEXT_FORMAT="yes"
 EBTABLES_BINARY_FORMAT="yes"
 -EBTABLES_MODULES_UNLOAD="yes"
 +EBTABLES_MODULES_UNLOAD="no"
 EBTABLES_SAVE_ON_STOP="no"
 EBTABLES_SAVE_ON_RESTART="no"
 EBTABLES_SAVE_COUNTER="no"
 -config=__SYSCONFIG__/$prog-config
 +. /etc/rc.status
 +rc_reset
 +
 +config=/etc/sysconfig/ebtables
 [ -f "$config" ] && . "$config"
 start() {
@@ -45,16 +51,15 @@ start() {
 			__EXEC_PATH__/ebtables -t $table --atomic-file __SYSCONFIG__/ebtables.$table --atomic-commit || RETVAL=1
 		done
 	else
 -		__EXEC_PATH__/ebtables-restore < /etc/sysconfig/ebtables || RETVAL=1
 +		__EXEC_PATH__/ebtables-restore < __SYSCONFIG__/ebtables || RETVAL=1
 	fi
 	if [ $RETVAL -eq 0 ]; then
 -		success "$prog startup"
 -		rm -f /var/lock/subsys/$prog
 +		touch /var/run/rcebtables
 +		rc_failed 0
 	else
 -		failure "$prog startup"
 +		rc_failed 3
 	fi
 -	echo
 }
 stop() {
@@ -70,17 +75,18 @@ stop() {
 	fi
 	if [ $RETVAL -eq 0 ]; then
 -		success "$prog shutdown"
 -		rm -f /var/lock/subsys/$prog
 +		rm -f /var/run/rcebtables
 +		rc_failed 0
 	else
 -		failure "$prog shutdown"
 +		rc_failed 3
 	fi
 -	echo
 }
 restart() {
 	stop
 +	rc_status -v
 	start
 +	rc_status -v
 }
 save() {
@@ -106,40 +112,42 @@ save() {
 		done
 	fi
 -	if [ $RETVAL -eq 0 ]; then
 -		success "$prog saved"
 -	else
 -		failure "$prog saved"
 +	if [ $RETVAL -ne 0 ]; then
 +		rc_failed 3
 	fi
 -	echo
 }
 case "$1" in
   start)
 	start
 +	rc_status -v
 	;;
   stop)
 	[ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
 	stop
 +	rc_status -v
 	;;
   restart|reload)
 	[ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
 	restart
 	;;
 -  condrestart)
 -	[ -e /var/lock/subsys/$prog ] && restart
 -	RETVAL=$?
 +  try-restart|condrestart)
 +	if [ -e /var/run/rcebtables ]; then
 +		restart
 +	fi
 	;;
   save)
 	save
 +	rc_status -v
 	;;
   status)
 	__EXEC_PATH__/ebtables-save
 -	RETVAL=$?
 +	rc_status -v
 	;;
   *)
 -	echo $"Usage $0 {start|stop|restart|condrestart|save|status}"
 -	RETVAL=1
 +	echo $"Usage $0 {start|stop|restart|try-restart|save|status}"
 +	exit 1
 +	;;
 esac
 -exit $RETVAL
 +rc_exit
--- a/ebtables-v2.0.8-makefile.diff
+++ b/ebtables-v2.0.8-makefile.diff
@ -1,71 +0,0 @@
 ---
 Makefile |   24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
 Index: Makefile
 ===================================================================
 --- Makefile.orig
 +++ Makefile
@@ -157,31 +157,31 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
 scripts: ebtables-save ebtables.sysv ebtables-config
 	cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
 	mkdir -p $(DESTDIR)$(BINDIR)
 -	install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
 +	install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
 	cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
 	if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi
 -	if test -d $(DESTDIR)$(INITDIR); then install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
 +	if test -d $(DESTDIR)$(INITDIR); then install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
 	cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
 	if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(SYSCONFIGDIR); fi
 -	if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
 +	if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
 	rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
 tmp4:=$(shell printf $(LOCKFILE) | sed 's/\//\\\//g')
 $(MANDIR)/man8/ebtables.8: ebtables.8
 	mkdir -p $(DESTDIR)$(@D)
 	sed -e 's/$$(VERSION)/$(PROGVERSION)/' -e 's/$$(DATE)/$(PROGDATE)/' -e 's/$$(LOCKFILE)/$(tmp4)/' ebtables.8 > ebtables.8_
 -	install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
 +	install -m 0644 ebtables.8_ $(DESTDIR)$@
 	rm -f ebtables.8_
 $(DESTDIR)$(ETHERTYPESFILE): ethertypes
 	mkdir -p $(@D)
 -	install -m 0644 -o root -g root $< $@
 +	install -m 0644 $< $@
 .PHONY: exec
 exec: ebtables ebtables-restore
 	mkdir -p $(DESTDIR)$(BINDIR)
 -	install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
 -	install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
 +	install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
 +	install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
 .PHONY: install
 install: $(MANDIR)/man8/ebtables.8 $(DESTDIR)$(ETHERTYPESFILE) exec scripts
@@ -205,18 +205,18 @@ release:
 	rm -f extensions/ebt_inat.c
 	rm -rf $(CVSDIRS)
 	mkdir -p include/linux/netfilter_bridge
 -	install -m 0644 -o root -g root \
 +	install -m 0644 \
 		$(KERNEL_INCLUDES)/linux/netfilter_bridge.h include/linux/
 # To keep possible compile error complaints about undefined ETH_P_8021Q
 # off my back
 -	install -m 0644 -o root -g root \
 +	install -m 0644 \
 		$(KERNEL_INCLUDES)/linux/if_ether.h include/linux/
 -	install -m 0644 -o root -g root \
 +	install -m 0644 \
 		$(KERNEL_INCLUDES)/linux/types.h include/linux/
 -	install -m 0644 -o root -g root \
 +	install -m 0644 \
 		$(KERNEL_INCLUDES)/linux/netfilter_bridge/*.h \
 		include/linux/netfilter_bridge/
 -	install -m 0644 -o root -g root \
 +	install -m 0644 \
 		include/ebtables.h include/linux/netfilter_bridge/
 	make clean
 	touch *
--- a/ebtables.changes
+++ b/ebtables.changes
@ -1,3 +1,24 @@
 -------------------------------------------------------------------
 Mon Dec  2 19:26:41 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
 - Update to release 2.0.11
  * Add --noflush command line support for ebtables-restore
  * Do not print IPv6 mask if it is all ones
  * Allow RETURN target rules in user defined chains
  * ebt_ip: add support for matching ICMP type and code
  * ebt_ip: add support for matching IGMP type
  * extensions: Add string filter to ebtables
  * Print IPv6 prefixes in CIDR notation
  * extensions: Add AUDIT target
  * Fix incorrect IPv6 prefix formatting
 - Drop ebtables-v2.0.8-makefile.diff (no longer needed)
 - Drop ebtables-v2.0.8-initscript.diff, include-linux-if.patch
  (not applicable)
 - Drop ebtables-v2.0.10-4-audit.patch,
  0001-fix-compilation-warning.patch,
  0001-Use-flock-for-concurrent-option.patch,
  0002-Fix-locking-if-LOCKDIR-does-not-exist.patch (merged)
 -------------------------------------------------------------------
 Wed Jul 10 11:30:50 UTC 2019 - Kristyna Streitova <kstreitova@suse.com>
--- a/ebtables.keyring
+++ b/ebtables.keyring
@ -0,0 +1,107 @@
 pub   4096R/0xA4111F89BB5F58CC 2010-10-21 [expires: 2015-10-20]
      Key fingerprint = 57FF 5E9C 9AA6 7A86 0B55  7AF7 A411 1F89 BB5F 58CC
 uid                 [ expired] Netfilter Core Team <coreteam@netfilter.org>
 sub   4096R/0x0FD3A13A04B92F5C 2010-10-21 [expires: 2015-10-20]
 pub   4096R/0xAB4655A126D292E4 2015-10-19 [expires: 2020-10-17]
      Key fingerprint = C09D B206 3F1D 7034 BA61  52AD AB46 55A1 26D2 92E4
 uid                 [ unknown] Netfilter Core Team <coreteam@netfilter.org>
 sub   4096R/0xE3B0B6BAE3AAA39E 2015-10-19 [expires: 2020-10-17]
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBEzAS5EBEADVlGm+KwODJcVmP33HTCbn/eP8obZbgu+3Z1CYRklF8V43vC6D
 8Jfk7fjD4/gWbAKZxriOESXVAN7mp0Fho4+Ga+pxWeLIET9tVM5xbNFK1p9R3XCK
 p5SrugG+tGhizTR9b/1YCMVRz/yX3aDtC7lwObas4hkr5BqhphjvlkjFE7us32by
 43LPpFj2yUpp1VdOf6gxl03kAgJg08h9J7a+n9KHQeAhIpXSRFq3tXiTdXQlovsv
 ckwBjO0m8P2d1Z8/UYwXQgXzuO8W8EqaUSR95nDwl7UnilnKJm2fGvNg3A6PfCSk
 3KdeEBZ45SRfMTPsuC5C4T0Az75h3HFR6YSae46ymg7d4ZA/Bd5K4hvp4PdYrfCi
 GXen7iK9q5XDpopWb0yCrEVJzKjBjDurvpLtAD0IFWcpB6zwM38AnxVH05J8QOx/
 VCZ4vZJxTKWbpHbdcISSMmVt00VfKorF9DsjiAcBRMBcIvDpJTP4yjvr32W09wLc
 d5CIYGrLKhLNysUIJ44AQoTL9yV5aQvCb2EFnoPqCEKQm8onTAGX19PpTDjDPJFt
 WyMMUDtiMp2yODuFo1qHjxvqzSVX+Ti2sGpiT1hEz97GAIlbAvmXs/bTb+U+rBnd
 6027ooes3cWmBSV5kpz/sMp+nFynrLZ5NDnehPScz3W31oGgSdrGsnnhaQARAQAB
 tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
 PgQTAQIAKAUCTMBLkQIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AA
 CgkQpBEfibtfWMzULxAAtGgYeuEqk0F9y4sz6hFJf+fXKSPPrwWTIUXs/sCxlBtS
 lgf9oTvk3aT48zsMIfsDsS8yfIUjaK+eedIZW3oJ0lBtwRncZKjks8Od5J7DvEhR
 Kpo3cajT1KXJh584IvXN0/BbCdPUI6EQE8n0fEUrSWANfzhuD3qYtX9UUGBq/7i8
 Cf3pGFDeYRjcwWeNZ1T+xbaCKPS5BGlOVhMtauaTBZvTJniB828bOZXd3KrXUeul
 AicbzZzqU7XcNX2YKw19MTQzuGNZQ3npJUPQiHgyELTh3+YUmRkPaZaZiDNZeQvu
 /j8cgSoa26Q48apjghREo0Ues4MwQwEGBbdVkEQQMuC9ASti3OyZBTOqyApc2rpE
 VsW2CkqvoQ8jaP51Ua4mjerYkqEqXaVtbPelNFMJXGNXrKdf0xg5Nl/onWnT9S/s
 jtR3LtjOQ0apbBiGPROtYKWSQtA55TgYNLLS1+947TvU134Px1FA8Dqi72SBl7Xc
 ET4nwISO222wMJBxbY4MYB2TppMysIKXUazIyekbRkpK1woH4AR6NsuJOiVdhjEi
 46MkN7tmHI9S9blA98Ih6C9hMz2YgmQEwOQ0qYgVruPdYZSP+M5o+pra9ch+STBk
 FbB03L9kqcAAE8wpGSBRYU+KuyVRipnPeqoeR8niO71AiKbsfbL1skTGRafC2Q+5
 Ag0ETMBLkQEQANNv2Ymm/BVxwqb1vrLq1scoWK5kmeaRD3ndMBv9F3xwqGnE/JTn
 HnVoZIzGb8MD+MCe9jfm8Y+NLU0D71NpDDqRzFZCCjcTmRMYV6QXlsg/ndnSaU1b
 hG0gSq4N+qZFZ+35yiY5pYv1qZkIqWr4/vg9mk53CU620bNgNJ1+F19s/eTw1231
 pJ6K6BsDi7pj4LXGD5wHZPKAmLabFweCkGbGQo6VwWw1ieNJ0igvzkZtVXuvoeHU
 mAitCaZT9AIYDl4PHryckIzjgTdhK0PP92fyHV64Yr3B7G6hWlEwq4wKk9irdgqD
 20Fuqw8Cvv6k1YucWfdpNbZkUI3siQE+1HUUuRTcT8yrPcEA5ZM1/U+e8jBT3EAr
 hk69G6LCfwyX2Xd/JGlBmc0Qv0t2YKqj9Io1G5lBN1q57+vK7ttiIUomwvfD2ltY
 0bdcEr5LjXOk3Sb+OPIVm7+vr6hDMKdUpdm5ABZRSUb0RJ37hBT+DKYbnp0t/e3a
 MXxV9m3jUq8hNdwc8vU1khr9kf+MWPonE0Vw2kqHIIb4I5W9HkMJf4Vzj9/hVPMI
 ucV+2de/7zqxwa0Jh5VSD7SeKj7LznsAy9gi/AioYq4AKVTsigfyJlWpjOLeOvv7
 z4uUfLRQ5OWWfX8BBw8SoPwnWQD4cXHkrHXVwYR2yy7pEc1CstUN+uqXABEBAAGJ
 AiUEGAECAA8FAkzAS5ECGwwFCQlmAYAACgkQpBEfibtfWMyLqw/6A12S4bnLYaik
 ToKc13ywTUsHplbmlLOy2E/5ZMksdfuWjh9XTMR0nbXWnFULxGKTP00kA0yVpv/j
 beDY/qLzY2Yb0rROCQJjuWSLYuNW40+Hmh9TGsDWt7iK3XsONVpV0sRsMOBCwV3k
 2EsFXu73Fj+1JvQ+WSGluj+N7HFAqPi5OFk3IFFnIGhScUz22V6meSaOEqiXLySg
 qh3lv7+XuGzoBjdy7dDm+SnbmK9lO1IqPsIm4iDwmTNJBiu1Wrz319kLYA0/Vx+o
 fmxyViOX1GZShb1mGH0Aeo4jeYmDNLXapkoymC3HCIMctYDmuIw6QlgG8i1LRcFh
 VKMngLjZ17dl/w8gYOdkCsGIUBzvbFBhxuJnXMnFVyDxft/lorMAimH2kbjDn6qa
 H0uV8ILfFVe6gnKzanugmaSQjWzby/ARPhs6OYAXoIUv5MUVDgvTzVmTckWjVa1R
 kMm3eGmDSqoMxsPmarb80nkoFQMOPhJWlyaUCt6HHRYuSkIcxY4H4Ni3Oq1s1R9/
 EqUuIfxNv7Kp0mcsE2KvANc3JfB9wXwLWqDYRCifLkCD6pbpt9L/+xQ49VzcFxNO
 9DqTyk4N7cz7OZrAi+ouVrdFuiwnZyn5YSQoof6Pos58b3bkFn14m9gofwTqGzPh
 R4Vot9rRu5zrWdoCM4cRThpJyrjqBMuZAg0EViV2IwEQALrfnP0L2QbpXPN1Yg7w
 ESbOMnp3B7nIyeVmo3mvYI/mH0GtEHcFbigsUt4nIXCxI/ppB5NQH/GR8EbTUbq2
 OycNaIRWSDYHX+LDijyZ9NO6m8wbQODdhjroK7q8rHzO8Vp+reNzPM2nY7Uh3w3s
 dPrOERGYeZld1nDyN20ko2Zg4fIJIwVJaHwv4L1j9GYAKp6ACnyG81+VA9adPNCi
 9YyIbET/3/bWkl86AS78rLY7fFo5s2BZn0gvFzCB/q9v/dKYs6e5aX7DUeF2q4OW
 /J7vJjITXGum7ydRC3Neov8PdeNAbBfciznWvnTyArExjgTiHwqQOIDnW4dEJtJw
 iNP50rVKb5DZI3/YokZ5AAQV70ZZemL/5vfGl6a77wvuUFcKFtiQq3JYvt3oWcBO
 zyWbd7L1McwAbOOeSXS9hGWuWHjzFuQl7igdJAXs4GRCgUbM83yTCtmDD11337De
 diSfrcgtmNpkvfRBkjUKYten6N1jsNBqCevLxw0uFYBeSVl96KJyybMd2Rd7P+tC
 jtfpPuEvw9AlPqHZKnKQ4c8vp07MCI9JavJ/nola7rCMk0LULC9tttyaOGNSD3vb
 /t26lXr6qOV60+0lw7xEbdAu8zdEqR/ixKbvn1jbSajTcH3geGL7YakliuctRWTB
 XYyd8abaKDUzrTES1JJ53xRNABEBAAG0LE5ldGZpbHRlciBDb3JlIFRlYW0gPGNv
 cmV0ZWFtQG5ldGZpbHRlci5vcmc+iQI+BBMBAgAoBQJWJXYjAhsDBQkJZgGABgsJ
 CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCrRlWhJtKS5NoHEAC6mgfbDygR+Mrb
 Hg3qbGkgonPjUnYBqkBDz8jgdvFXS3Qm/ANI92qqeLkG+eFusuioIpXg4SHNmyUB
 oR+B60tApBtzO88iAbCHkjvfz4fqAZpYJ3VzYXIa/ScSoQHj77quNkO9aauikTj4
 ro6gnMUI2ilN1dv9Fb9/3XYxfyvP7QhWyGRuu9MekaPNjATtw7tDnDBe0C5eHrwX
 l2ojGxldj2eecoLLYcGw8x4rVDAxlNldh6tNgwc3IQ+4FkIri5sudK4vxDkPbouf
 srT6xoUe+qAj+9mScUeRFSrrdCCRd2EsBq+jhWS/kOWa0OAi6TKSOXMIdJze84Og
 R+67m+PNivmZ5+XgSmM/AzN36Lynx8nx7WNThVCd9HViq9kyXI1tQazGU30++Wec
 ct+7VE2f4aP5ITjd7WlHlEULVjRMBg+mFdz+jfmEncmC41TjWykqvrZWsT98FhNR
 YiRVsniiNvc7BS8X1qBODovvKg44yF3xEy3uFScHMqwMjiEqtVfQpfZh9PjzX1eA
 uj9sMF16NnzVeT/n4gKbO8E4vebtIJgzMd19Y0KCxfMxu4rjSHw1T0bYzwOoa9y/
 ejKM/G/NEnFKzwjySEbG9zlciJXrhb7a2y+YzNvSjEuP8Hs2BLPgJkZtVoiE4UVE
 9Wb7jNhyUz4RC0FdjRyGItGglyc9IbkCDQRWJXYjARAArK1scDuvvWTEJv+y0Sr3
 hnM8mnHIK2XNcn4p/d5nO1myCtZWPRVDIQyyXJMntEqrLBMnjxBdQcQkt7o2mJFL
 yJYO+Xb/9JyH161MPybM60dDXOTTxnAp3dDH4tdL/5snVAyrC93W2PMahK4bdwpM
 10Cz/FxtcB2xJ7Zoqq3bveN4KSUabsRYJN29BwjKtg392MtJ68SAAWN21feQ/Js9
 KjDpNoX2Sl9ZoIR2bbIsaGNeti/ciTy43MS/V6KXNTcoYrgySyW/HCNw9KjtvH+g
 /W/ze0sCXJKLby6oRQfsR2zPBTs9YB92GepG+3j1v+tw4jtbvmLKSse+S5BG8Ue2
 j3Bxbz4/RECdrlxDe4gX1hi5K/W0159pB65fha+DM3YvKrNouKsqLsxm5DMjDjdE
 qVQWtPd4tYy4uL2RWcGvvede+tN5rYsBatfelMfTSFN+jxFntwok6YmulnzIDP4O
 tUjLOpH1ZyNTcXEyAQz51aXcjVuk/6MV64hSEnH1FB7v79Zo9afdmNSKdpXf8nvZ
 3IO7HnXhpwh3pjWplyalZR7nb7PlIDxHCK6S3EN3lutBX4w9oh03KfrWlfZb2TD/
 s85uNzbU7TSb8KFC90i9H/qsd1w3kzy4evRJlyFvIqwksYY76huTfpDdx8yabfFY
 IG2TXc2iMkA7R+oMo+B46kkAEQEAAYkCJQQYAQIADwUCViV2IwIbDAUJCWYBgAAK
 CRCrRlWhJtKS5IB2D/9eL6TJ82wCrh3Hx+R3YeWVObukEBq4Ho8KRFngvIi+2D14
 PljWtITPeplDtpXu3E1i7I74F1925xFs7pT6BD65e13/18y4RX5pwGfu0HTJpi3U
 B47WXlSnyRBLD+/qiKcSCkR1mcKJgyIY9KbA0rr1Drv/3DJR+wBt9Fuww/gxgv7v
 yIxxrDa2+GESxJc1iLyuKFiDtnUkmJpqtJV0szi38W1NQUwWWF3CWUpqfvn316CJ
 4cTyuurLn994ceJDherS9tFcYASdmbl6g6PwWgdFrpmb44J7gdBCsB9q2cpjhDbu
 bgTq7V32CVMBGKOThihJZHIz/LZyuHv9WNYXUNfpEOOUN97C+j6091TSh+5P6oJO
 E61VMBBL51nw3T0FFKtA9kubKLk08GH75vPLaBqLa5B88Z3nJWdlaJOdgGEz65PU
 Uh78iWJ3AFAOwhsDEfxFYC+gZWqt9qw3Wyp2eY2q+5ep4KRxuqq3M0V3zXE6z5ff
 F8CCqRe/yzGAh8RxEmT/Nl+yHEIVv7qpJk6GSvkXr5dN/jyZCiN2fHEhZOBtLvln
 E5UjMbYOGqk3F8OARHarJ/qARATzqNYdDRe9SKxlbog+k6WWxJ4ivSVmYY28vEWf
 79IZ79ZHJ0woRi+vr3Cwpc488Sjwi7a/O0HW6zXSaxXNeYR0VnwvcrZrtlCqIQ==
 =zI6p
 -----END PGP PUBLIC KEY BLOCK-----
--- a/ebtables.spec
+++ b/ebtables.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ebtables
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -22,27 +22,17 @@
 %endif
 Name:           ebtables
-Version:        2.0.10.4
+Version:        2.0.11
 Release:        0
 Summary:        Ethernet Bridge Tables
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
-Url:            http://ebtables.sf.net/
+URL:            http://ebtables.sf.net/
 #Git-Clone:	git://git.netfilter.org/ebtables
-Source:         ebtables-v2.0.10-4.tar.xz
+Source:         http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.bz2#/ebtables-%version.tar.gz
-Source1:        ebtables.service
+Source2:        http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.bz2.sig#/ebtables-%version.tar.gz.sig
-Source2:        ebtables.systemd
+Source3:        ebtables.service
-Patch0:         ebtables-v2.0.8-makefile.diff
+Source4:        ebtables.systemd
 Patch1:         ebtables-v2.0.8-initscript.diff
 # PATCH-FIX-UPSTREAM bnc#934680 kstreitova@suse.com -- audit patch for CC certification
 Patch2:         ebtables-v2.0.10-4-audit.patch
 # PATCH-FIX-UPSTREAM
 Patch3:         0001-fix-compilation-warning.patch
 # PATCH-FIX-SUSE-ONLY
 Patch4:         include-linux-if.patch
 # PATCH-FIX-UPSTREAM boo#1126094
 Patch5:         0001-Use-flock-for-concurrent-option.patch
 Patch6:         0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
 BuildRequires:  linux-glibc-devel >= 2.6.20
 BuildRequires:  sed
 BuildRequires:  systemd-rpm-macros
@ -61,14 +51,17 @@ and some basic filtering on higher network layers. The ebtables tool
 can be used together with the other Linux filtering tools, like
 iptables. There are no incompatibility issues.
 %package -n libebtc0
 Summary:        Library for the ebtables low-level ruleset generation and parsing
 Group:          System/Libraries
 %description -n libebtc0
 libebtc ("ebtables cache") is used to retrieve from the kernel, parse,
 construct, and load rulesets into the kernel.
 %prep
-%setup -q -n %{name}-v2.0.10-4
+%autosetup -p1
-%patch -P 0 -P 1
+
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 # delete all kernel headers, but keep ebt_ip6.h and ebt_nflog.h
 mv include/linux/netfilter_bridge/ebt_ip6.{h,h.save}
 mv include/linux/netfilter_bridge/ebt_nflog.{h,h.save}
@ -82,48 +75,33 @@ mv include/linux/netfilter_bridge/ebt_ulog.{h.save,h}
 %build
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
 export SUSE_ASNEEDED=0
-make \
+%configure
-    CFLAGS="%{optflags}" \
+make %{?_smp_mflags}
    CXXFLAGS="%{optflags}" \
    LIBDIR="%{_libdir}/%{name}" \
    MANDIR="%{_mandir}" \
    BINDIR="%{_sbindir}" \
    ETCDIR="%{_sysconfdir}" \
    INITDIR="%{_sysconfdir}/init.d" \
    SYSCONFIGDIR="%{_sysconfdir}"
 %install
 # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
 export SUSE_ASNEEDED=0
 mkdir -p "%{buildroot}/%{_sysconfdir}/init.d"
-make \
+%make_install
    DESTDIR=%{buildroot} \
    LIBDIR="%{_libdir}/%{name}" \
    MANDIR="%{_mandir}" \
    BINDIR="%{_sbindir}" \
    ETCDIR="%{_sysconfdir}" \
    INITDIR="%{_sysconfdir}/init.d" \
    SYSCONFIGDIR="%{_sysconfdir}" \
    install
 mkdir -p %{buildroot}%{_fillupdir}
 mkdir -p %{buildroot}%{_unitdir}
-install -p %{SOURCE1} %{buildroot}%{_unitdir}/
+install -p %_sourcedir/ebtables.service %{buildroot}%{_unitdir}/
 chmod -x %{buildroot}%{_unitdir}/*.service
 mkdir -p %{buildroot}%{_libexecdir}
-install -m0755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables
+install -m0755 %_sourcedir/ebtables.systemd %{buildroot}%{_libexecdir}/ebtables
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.filter
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.nat
 touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.broute
-rm -rf %{buildroot}%{_initrddir}
+rm -rfv %{buildroot}%{_initrddir}
 # not used
 rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config"
 mv "%{buildroot}/%{_sbindir}/ebtables" "%{buildroot}/%{_sbindir}/ebtables-legacy"
 mv "%{buildroot}/%{_sbindir}/ebtables-restore" "%{buildroot}/%{_sbindir}/ebtables-legacy-restore"
 mv "%{buildroot}/%{_sbindir}/ebtables-save" "%{buildroot}/%{_sbindir}/ebtables-legacy-save"
 for i in ebtables ebtables-restore ebtables-save; do
 	ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
 done
 echo ".so ebtables-legacy.8" >"%buildroot/%_mandir/man8/ebtables.8"
 # no headers to make use of it
 rm -f "%buildroot/%_libdir/libebtc.la" "%buildroot/%_libdir/libebtc.so"
 %pre
 %service_add_pre %{name}.service
@ -145,10 +123,13 @@ if test "$1" = 0; then
 fi
 %service_del_postun %{name}.service
 %post   -n libebtc0 -p /sbin/ldconfig
 %postun -n libebtc0 -p /sbin/ldconfig
 %files
 %defattr(-,root,root)
 %doc COPYING ChangeLog
-%{_mandir}/man8/ebtables.8*
+%{_mandir}/man8/ebtables*.8*
 %{_libexecdir}/%{name}
 %{_unitdir}/%{name}.service
 %ghost %{_sysconfdir}/alternatives/ebtables
@ -159,9 +140,10 @@ fi
 %ghost %{_fillupdir}/sysconfig.%{name}.broute
 # is provided by the netcfg package
 %exclude %{_sysconfdir}/ethertypes
 %dir %{_libdir}/%{name}
 %{_libdir}/%{name}/*.so
 %{_sbindir}/ebtables*
 %{_sbindir}/rcebtables
 %files -n libebtc0
 %_libdir/libebtc.so.0*
 %changelog
--- a/include-linux-if.patch
+++ b/include-linux-if.patch
@ -1,12 +0,0 @@
 diff --git a/include/ebtables_u.h b/include/ebtables_u.h
 index 35a5bcc..f120eb8 100644
 --- a/include/ebtables_u.h
 +++ b/include/ebtables_u.h
@@ -24,6 +24,7 @@
 #ifndef EBTABLES_U_H
 #define EBTABLES_U_H
 #include <netinet/in.h>
 +#include <linux/if.h>
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter/x_tables.h>