Accepting request 753047 from home:jengelh:branches:security:netfilter

- Update to release 2.0.11

OBS-URL: https://build.opensuse.org/request/show/753047
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ebtables?expand=0&rev=61
Kristyna Streitova 2019-12-05 11:18:03 +00:00 committed by Git OBS Bridge
parent 2e703e0f84
commit db552adf3a
13 changed files with 164 additions and 632 deletions


@ -1,125 +0,0 @@
From f401e3ec8358069f2407ae39ecb8b7ba1a6fbcc6 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 6 Oct 2017 12:48:50 +0200
Subject: [PATCH 1/2] Use flock() for --concurrent option
The previous locking mechanism was not atomic, hence it was possible
that a killed ebtables process would leave the lock file in place which
in turn made future ebtables processes wait indefinitely for the lock to
become free.
Fix this by using flock(). This also simplifies code quite a bit because
there is no need for a custom signal handler or an __exit routine
anymore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
ebtables.c | 8 --------
libebtc.c | 49 +++++--------------------------------------------
2 files changed, 5 insertions(+), 52 deletions(-)
diff --git a/ebtables.c b/ebtables.c
index 62f1ba8..f7dfccf 100644
--- a/ebtables.c
+++ b/ebtables.c
@@ -528,12 +528,6 @@ void ebt_early_init_once()
ebt_iterate_targets(merge_target);
}
-/* signal handler, installed when the option --concurrent is specified. */
-static void sighandler(int signum)
-{
- exit(-1);
-}
-
/* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
int do_command(int argc, char *argv[], int exec_style,
struct ebt_u_replace *replace_)
@@ -1047,8 +1041,6 @@ big_iface_length:
strcpy(replace->filename, optarg);
break;
case 13 : /* concurrent */
- signal(SIGINT, sighandler);
- signal(SIGTERM, sighandler);
use_lockfd = 1;
break;
case 1 :
diff --git a/libebtc.c b/libebtc.c
index 17ba8f2..76dd9d7 100644
--- a/libebtc.c
+++ b/libebtc.c
@@ -31,6 +31,7 @@
#include "include/ethernetdb.h"
#include <unistd.h>
#include <fcntl.h>
+#include <sys/file.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -137,58 +138,18 @@ void ebt_list_extensions()
#define LOCKDIR "/var/lib/ebtables"
#define LOCKFILE LOCKDIR"/lock"
#endif
-static int lockfd = -1, locked;
int use_lockfd;
/* Returns 0 on success, -1 when the file is locked by another process
* or -2 on any other error. */
static int lock_file()
{
- int try = 0;
- int ret = 0;
- sigset_t sigset;
-
-tryagain:
- /* the SIGINT handler will call unlock_file. To make sure the state
- * of the variable locked is correct, we need to temporarily mask the
- * SIGINT interrupt. */
- sigemptyset(&sigset);
- sigaddset(&sigset, SIGINT);
- sigprocmask(SIG_BLOCK, &sigset, NULL);
- lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
- if (lockfd < 0) {
- if (errno == EEXIST)
- ret = -1;
- else if (try == 1)
- ret = -2;
- else {
- if (mkdir(LOCKDIR, 00700))
- ret = -2;
- else {
- try = 1;
- goto tryagain;
- }
- }
- } else {
- close(lockfd);
- locked = 1;
- }
- sigprocmask(SIG_UNBLOCK, &sigset, NULL);
- return ret;
-}
+ int fd = open(LOCKFILE, O_CREAT, 00600);
-void unlock_file()
-{
- if (locked) {
- remove(LOCKFILE);
- locked = 0;
- }
+ if (fd < 0)
+ return -2;
+ return flock(fd, LOCK_EX);
}
-void __attribute__ ((destructor)) onexit()
-{
- if (use_lockfd)
- unlock_file();
-}
/* Get the table from the kernel or from a binary file
* init: 1 = ask the kernel for the initial contents of a table, i.e. the
* way it looks when the table is insmod'ed
--
2.20.1


@ -1,25 +0,0 @@
From 146f762e1b4be613fad4b045c67974c000742647 Mon Sep 17 00:00:00 2001
From: Petri Gynther <petri.gynther@gmail.com>
Date: Sun, 24 Feb 2013 10:56:59 +0100
Subject: [PATCH 1/9] fix compilation warning
---
communication.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/communication.c b/communication.c
index 62ed667..ba058c0 100644
--- a/communication.c
+++ b/communication.c
@@ -282,7 +282,7 @@ static int store_counters_in_file(char *filename, struct ebt_u_replace *repl)
}
close_file:
fclose(file);
- return 0;
+ return ret;
}
/* Gets executed after ebt_deliver_table. Delivers the counters to the kernel
--
2.1.4


@ -1,45 +0,0 @@
From 8d9665967e3ea039d720cbf80c26240f1ec1a795 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 15 Jan 2018 16:27:31 +0100
Subject: [PATCH 2/2] Fix locking if LOCKDIR does not exist
The previous conversion to using flock() missed a crucial bit of code
which tries to create LOCKDIR once in case opening the lock failed -
This patch reestablishes the old behaviour.
Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
Fixes: 6a826591878db ("Use flock() for --concurrent option")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
libebtc.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/libebtc.c b/libebtc.c
index 76dd9d7..7349b27 100644
--- a/libebtc.c
+++ b/libebtc.c
@@ -143,10 +143,16 @@ int use_lockfd;
* or -2 on any other error. */
static int lock_file()
{
- int fd = open(LOCKFILE, O_CREAT, 00600);
-
- if (fd < 0)
- return -2;
+ int fd, try = 0;
+
+retry:
+ fd = open(LOCKFILE, O_CREAT, 00600);
+ if (fd < 0) {
+ if (try == 1 || mkdir(LOCKDIR, 00700))
+ return -2;
+ try = 1;
+ goto retry;
+ }
return flock(fd, LOCK_EX);
}
--
2.20.1

BIN
ebtables-2.0.11.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
ebtables-2.0.11.tar.gz.sig Normal file

Binary file not shown.


@ -1,157 +0,0 @@
--- ebtables2.orig/extensions/ebt_AUDIT.c 1970-01-01 01:00:00.000000000 +0100
+++ ebtables2.orig/extensions/ebt_AUDIT.c 2011-01-07 10:53:46.680329228 +0100
@@ -0,0 +1,110 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include "../include/ebtables_u.h"
+#include <linux/netfilter/xt_AUDIT.h>
+
+#define AUDIT_TYPE '1'
+static struct option opts[] =
+{
+ { "audit-type" , required_argument, 0, AUDIT_TYPE },
+ { 0 }
+};
+
+static void print_help()
+{
+ printf(
+ "AUDIT target options:\n"
+ " --audit-type TYPE : Set action type to record.\n");
+}
+
+static void init(struct ebt_entry_target *target)
+{
+ struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) target->data;
+
+ info->type = 0;
+}
+
+static int parse(int c, char **argv, int argc,
+ const struct ebt_u_entry *entry, unsigned int *flags,
+ struct ebt_entry_target **target)
+{
+ struct xt_AUDIT_info *info = (struct xt_AUDIT_info *) (*target)->data;
+
+ switch (c) {
+ case AUDIT_TYPE:
+ ebt_check_option2(flags, AUDIT_TYPE);
+
+ if (!strcasecmp(optarg, "accept"))
+ info->type = XT_AUDIT_TYPE_ACCEPT;
+ else if (!strcasecmp(optarg, "drop"))
+ info->type = XT_AUDIT_TYPE_DROP;
+ else if (!strcasecmp(optarg, "reject"))
+ info->type = XT_AUDIT_TYPE_REJECT;
+ else
+ ebt_print_error2("Bad action type value `%s'", optarg);
+
+ break;
+ default:
+ return 0;
+ }
+ return 1;
+}
+
+static void final_check(const struct ebt_u_entry *entry,
+ const struct ebt_entry_match *match, const char *name,
+ unsigned int hookmask, unsigned int time)
+{
+}
+
+static void print(const struct ebt_u_entry *entry,
+ const struct ebt_entry_target *target)
+{
+ const struct xt_AUDIT_info *info =
+ (const struct xt_AUDIT_info *) target->data;
+
+ printf("--audit-type ");
+
+ switch(info->type) {
+ case XT_AUDIT_TYPE_ACCEPT:
+ printf("accept");
+ break;
+ case XT_AUDIT_TYPE_DROP:
+ printf("drop");
+ break;
+ case XT_AUDIT_TYPE_REJECT:
+ printf("reject");
+ break;
+ }
+}
+
+static int compare(const struct ebt_entry_target *t1,
+ const struct ebt_entry_target *t2)
+{
+ const struct xt_AUDIT_info *info1 =
+ (const struct xt_AUDIT_info *) t1->data;
+ const struct xt_AUDIT_info *info2 =
+ (const struct xt_AUDIT_info *) t2->data;
+
+ return info1->type == info2->type;
+}
+
+static struct ebt_u_target AUDIT_target =
+{
+ .name = "AUDIT",
+ .size = sizeof(struct xt_AUDIT_info),
+ .help = print_help,
+ .init = init,
+ .parse = parse,
+ .final_check = final_check,
+ .print = print,
+ .compare = compare,
+ .extra_ops = opts,
+};
+
+void _init(void)
+{
+ ebt_register_target(&AUDIT_target);
+}
--- ebtables2.orig/extensions/Makefile 2011-01-07 10:55:28.077246240 +0100
+++ ebtables2.orig/extensions/Makefile 2011-01-07 10:53:46.686329230 +0100
@@ -1,7 +1,7 @@
#! /usr/bin/make
EXT_FUNC+=802_3 nat arp arpreply ip ip6 standard log redirect vlan mark_m mark \
- pkttype stp among limit ulog nflog
+ pkttype stp among limit ulog nflog AUDIT
EXT_TABLES+=filter nat broute
EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/ebt_$(T).o)
EXT_OBJS+=$(foreach T,$(EXT_TABLES), extensions/ebtable_$(T).o)
--- a/include/linux/netfilter/xt_AUDIT.h
+++ a/include/linux/netfilter/xt_AUDIT.h
@@ -0,0 +1,30 @@
+/*
+ * Header file for iptables xt_AUDIT target
+ *
+ * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
+ * (C) 2010-2011 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _XT_AUDIT_TARGET_H
+#define _XT_AUDIT_TARGET_H
+
+#include <linux/types.h>
+
+enum {
+ XT_AUDIT_TYPE_ACCEPT = 0,
+ XT_AUDIT_TYPE_DROP,
+ XT_AUDIT_TYPE_REJECT,
+ __XT_AUDIT_TYPE_MAX,
+};
+
+#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
+
+struct xt_AUDIT_info {
+ __u8 type; /* XT_AUDIT_TYPE_* */
+};
+
+#endif /* _XT_AUDIT_TARGET_H */


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b12e664aa78b9b6c45503c91d7db1f892760bf100152179e31d08e34ddcc2b23
size 83956


@ -1,143 +0,0 @@
Index: ebtables.sysv
===================================================================
--- ebtables.sysv.orig
+++ ebtables.sysv
@@ -11,12 +11,15 @@
#
# config: __SYSCONFIG__/ebtables (text)
# __SYSCONFIG__/ebtables.<table> (binary)
-
-source /etc/init.d/functions
-source /etc/sysconfig/network
-
-# Check that networking is up.
-[ ${NETWORKING} = "no" ] && exit 0
+### BEGIN INIT INFO
+# Provides: ebtables
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs $network
+# Short-Description: Ethernet Bridge filter tables
+# Description: Ethernet Bridge filter tables
+# Default-Start: 2 3 5
+# Default-Stop: 0 1 6
+### END INIT INFO
[ -x __EXEC_PATH__/ebtables ] || exit 1
[ -x __EXEC_PATH__/ebtables-save ] || exit 1
@@ -30,12 +33,15 @@ umask 0077
#default configuration
EBTABLES_TEXT_FORMAT="yes"
EBTABLES_BINARY_FORMAT="yes"
-EBTABLES_MODULES_UNLOAD="yes"
+EBTABLES_MODULES_UNLOAD="no"
EBTABLES_SAVE_ON_STOP="no"
EBTABLES_SAVE_ON_RESTART="no"
EBTABLES_SAVE_COUNTER="no"
-config=__SYSCONFIG__/$prog-config
+. /etc/rc.status
+rc_reset
+
+config=/etc/sysconfig/ebtables
[ -f "$config" ] && . "$config"
start() {
@@ -45,16 +51,15 @@ start() {
__EXEC_PATH__/ebtables -t $table --atomic-file __SYSCONFIG__/ebtables.$table --atomic-commit || RETVAL=1
done
else
- __EXEC_PATH__/ebtables-restore < /etc/sysconfig/ebtables || RETVAL=1
+ __EXEC_PATH__/ebtables-restore < __SYSCONFIG__/ebtables || RETVAL=1
fi
if [ $RETVAL -eq 0 ]; then
- success "$prog startup"
- rm -f /var/lock/subsys/$prog
+ touch /var/run/rcebtables
+ rc_failed 0
else
- failure "$prog startup"
+ rc_failed 3
fi
- echo
}
stop() {
@@ -70,17 +75,18 @@ stop() {
fi
if [ $RETVAL -eq 0 ]; then
- success "$prog shutdown"
- rm -f /var/lock/subsys/$prog
+ rm -f /var/run/rcebtables
+ rc_failed 0
else
- failure "$prog shutdown"
+ rc_failed 3
fi
- echo
}
restart() {
stop
+ rc_status -v
start
+ rc_status -v
}
save() {
@@ -106,40 +112,42 @@ save() {
done
fi
- if [ $RETVAL -eq 0 ]; then
- success "$prog saved"
- else
- failure "$prog saved"
+ if [ $RETVAL -ne 0 ]; then
+ rc_failed 3
fi
- echo
}
case "$1" in
start)
start
+ rc_status -v
;;
stop)
[ "$EBTABLES_SAVE_ON_STOP" = "yes" ] && save
stop
+ rc_status -v
;;
restart|reload)
[ "$EBTABLES_SAVE_ON_RESTART" = "yes" ] && save
restart
;;
- condrestart)
- [ -e /var/lock/subsys/$prog ] && restart
- RETVAL=$?
+ try-restart|condrestart)
+ if [ -e /var/run/rcebtables ]; then
+ restart
+ fi
;;
save)
save
+ rc_status -v
;;
status)
__EXEC_PATH__/ebtables-save
- RETVAL=$?
+ rc_status -v
;;
*)
- echo $"Usage $0 {start|stop|restart|condrestart|save|status}"
- RETVAL=1
+ echo $"Usage $0 {start|stop|restart|try-restart|save|status}"
+ exit 1
+ ;;
esac
-exit $RETVAL
+rc_exit


@ -1,71 +0,0 @@
---
Makefile | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
Index: Makefile
===================================================================
--- Makefile.orig
+++ Makefile
@@ -157,31 +157,31 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
scripts: ebtables-save ebtables.sysv ebtables-config
cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
mkdir -p $(DESTDIR)$(BINDIR)
- install -m 0755 -o root -g root ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
+ install -m 0755 ebtables-save_ $(DESTDIR)$(BINDIR)/ebtables-save
cat ebtables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables.sysv_
if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi
- if test -d $(DESTDIR)$(INITDIR); then install -m 0755 -o root -g root ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
+ if test -d $(DESTDIR)$(INITDIR); then install -m 0755 ebtables.sysv_ $(DESTDIR)$(INITDIR)/ebtables; fi
cat ebtables-config | sed 's/__SYSCONFIG__/$(tmp2)/g' > ebtables-config_
if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(SYSCONFIGDIR); fi
- if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 -o root -g root ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
+ if test -d $(DESTDIR)$(SYSCONFIGDIR); then install -m 0600 ebtables-config_ $(DESTDIR)$(SYSCONFIGDIR)/ebtables-config; fi
rm -f ebtables-save_ ebtables.sysv_ ebtables-config_
tmp4:=$(shell printf $(LOCKFILE) | sed 's/\//\\\//g')
$(MANDIR)/man8/ebtables.8: ebtables.8
mkdir -p $(DESTDIR)$(@D)
sed -e 's/$$(VERSION)/$(PROGVERSION)/' -e 's/$$(DATE)/$(PROGDATE)/' -e 's/$$(LOCKFILE)/$(tmp4)/' ebtables.8 > ebtables.8_
- install -m 0644 -o root -g root ebtables.8_ $(DESTDIR)$@
+ install -m 0644 ebtables.8_ $(DESTDIR)$@
rm -f ebtables.8_
$(DESTDIR)$(ETHERTYPESFILE): ethertypes
mkdir -p $(@D)
- install -m 0644 -o root -g root $< $@
+ install -m 0644 $< $@
.PHONY: exec
exec: ebtables ebtables-restore
mkdir -p $(DESTDIR)$(BINDIR)
- install -m 0755 -o root -g root $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
- install -m 0755 -o root -g root ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
+ install -m 0755 $(PROGNAME) $(DESTDIR)$(BINDIR)/$(PROGNAME)
+ install -m 0755 ebtables-restore $(DESTDIR)$(BINDIR)/ebtables-restore
.PHONY: install
install: $(MANDIR)/man8/ebtables.8 $(DESTDIR)$(ETHERTYPESFILE) exec scripts
@@ -205,18 +205,18 @@ release:
rm -f extensions/ebt_inat.c
rm -rf $(CVSDIRS)
mkdir -p include/linux/netfilter_bridge
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/netfilter_bridge.h include/linux/
# To keep possible compile error complaints about undefined ETH_P_8021Q
# off my back
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/if_ether.h include/linux/
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/types.h include/linux/
- install -m 0644 -o root -g root \
+ install -m 0644 \
$(KERNEL_INCLUDES)/linux/netfilter_bridge/*.h \
include/linux/netfilter_bridge/
- install -m 0644 -o root -g root \
+ install -m 0644 \
include/ebtables.h include/linux/netfilter_bridge/
make clean
touch *


@ -1,3 +1,24 @@
-------------------------------------------------------------------
Mon Dec 2 19:26:41 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.0.11
* Add --noflush command line support for ebtables-restore
* Do not print IPv6 mask if it is all ones
* Allow RETURN target rules in user defined chains
* ebt_ip: add support for matching ICMP type and code
* ebt_ip: add support for matching IGMP type
* extensions: Add string filter to ebtables
* Print IPv6 prefixes in CIDR notation
* extensions: Add AUDIT target
* Fix incorrect IPv6 prefix formatting
- Drop ebtables-v2.0.8-makefile.diff (no longer needed)
- Drop ebtables-v2.0.8-initscript.diff, include-linux-if.patch
(not applicable)
- Drop ebtables-v2.0.10-4-audit.patch,
0001-fix-compilation-warning.patch,
0001-Use-flock-for-concurrent-option.patch,
0002-Fix-locking-if-LOCKDIR-does-not-exist.patch (merged)
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jul 10 11:30:50 UTC 2019 - Kristyna Streitova <kstreitova@suse.com> Wed Jul 10 11:30:50 UTC 2019 - Kristyna Streitova <kstreitova@suse.com>

107
ebtables.keyring Normal file

@ -0,0 +1,107 @@
pub 4096R/0xA4111F89BB5F58CC 2010-10-21 [expires: 2015-10-20]
Key fingerprint = 57FF 5E9C 9AA6 7A86 0B55 7AF7 A411 1F89 BB5F 58CC
uid [ expired] Netfilter Core Team <coreteam@netfilter.org>
sub 4096R/0x0FD3A13A04B92F5C 2010-10-21 [expires: 2015-10-20]
pub 4096R/0xAB4655A126D292E4 2015-10-19 [expires: 2020-10-17]
Key fingerprint = C09D B206 3F1D 7034 BA61 52AD AB46 55A1 26D2 92E4
uid [ unknown] Netfilter Core Team <coreteam@netfilter.org>
sub 4096R/0xE3B0B6BAE3AAA39E 2015-10-19 [expires: 2020-10-17]
-----BEGIN PGP PUBLIC KEY BLOCK-----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==
=zI6p
-----END PGP PUBLIC KEY BLOCK-----


@ -1,7 +1,7 @@
# #
# spec file for package ebtables # spec file for package ebtables
# #
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2019 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -22,27 +22,17 @@
%endif %endif
Name: ebtables Name: ebtables
Version: 2.0.10.4 Version: 2.0.11
Release: 0 Release: 0
Summary: Ethernet Bridge Tables Summary: Ethernet Bridge Tables
License: GPL-2.0-or-later License: GPL-2.0-or-later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Url: http://ebtables.sf.net/ URL: http://ebtables.sf.net/
#Git-Clone: git://git.netfilter.org/ebtables #Git-Clone: git://git.netfilter.org/ebtables
Source: ebtables-v2.0.10-4.tar.xz Source: http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.bz2#/ebtables-%version.tar.gz
Source1: ebtables.service Source2: http://ftp.netfilter.org/pub/ebtables/ebtables-%version.tar.bz2.sig#/ebtables-%version.tar.gz.sig
Source2: ebtables.systemd Source3: ebtables.service
Patch0: ebtables-v2.0.8-makefile.diff Source4: ebtables.systemd
Patch1: ebtables-v2.0.8-initscript.diff
# PATCH-FIX-UPSTREAM bnc#934680 kstreitova@suse.com -- audit patch for CC certification
Patch2: ebtables-v2.0.10-4-audit.patch
# PATCH-FIX-UPSTREAM
Patch3: 0001-fix-compilation-warning.patch
# PATCH-FIX-SUSE-ONLY
Patch4: include-linux-if.patch
# PATCH-FIX-UPSTREAM boo#1126094
Patch5: 0001-Use-flock-for-concurrent-option.patch
Patch6: 0002-Fix-locking-if-LOCKDIR-does-not-exist.patch
BuildRequires: linux-glibc-devel >= 2.6.20 BuildRequires: linux-glibc-devel >= 2.6.20
BuildRequires: sed BuildRequires: sed
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
@ -61,14 +51,17 @@ and some basic filtering on higher network layers. The ebtables tool
can be used together with the other Linux filtering tools, like can be used together with the other Linux filtering tools, like
iptables. There are no incompatibility issues. iptables. There are no incompatibility issues.
%package -n libebtc0
Summary: Library for the ebtables low-level ruleset generation and parsing
Group: System/Libraries
%description -n libebtc0
libebtc ("ebtables cache") is used to retrieve from the kernel, parse,
construct, and load rulesets into the kernel.
%prep %prep
%setup -q -n %{name}-v2.0.10-4 %autosetup -p1
%patch -P 0 -P 1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
# delete all kernel headers, but keep ebt_ip6.h and ebt_nflog.h # delete all kernel headers, but keep ebt_ip6.h and ebt_nflog.h
mv include/linux/netfilter_bridge/ebt_ip6.{h,h.save} mv include/linux/netfilter_bridge/ebt_ip6.{h,h.save}
mv include/linux/netfilter_bridge/ebt_nflog.{h,h.save} mv include/linux/netfilter_bridge/ebt_nflog.{h,h.save}
@ -82,48 +75,33 @@ mv include/linux/netfilter_bridge/ebt_ulog.{h.save,h}
%build %build
# The way ebtables is built requires ASNEEDED=0 forever [bnc#567267] # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
export SUSE_ASNEEDED=0 export SUSE_ASNEEDED=0
make \ %configure
CFLAGS="%{optflags}" \ make %{?_smp_mflags}
CXXFLAGS="%{optflags}" \
LIBDIR="%{_libdir}/%{name}" \
MANDIR="%{_mandir}" \
BINDIR="%{_sbindir}" \
ETCDIR="%{_sysconfdir}" \
INITDIR="%{_sysconfdir}/init.d" \
SYSCONFIGDIR="%{_sysconfdir}"
%install %install
# The way ebtables is built requires ASNEEDED=0 forever [bnc#567267] # The way ebtables is built requires ASNEEDED=0 forever [bnc#567267]
export SUSE_ASNEEDED=0 export SUSE_ASNEEDED=0
mkdir -p "%{buildroot}/%{_sysconfdir}/init.d" mkdir -p "%{buildroot}/%{_sysconfdir}/init.d"
make \ %make_install
DESTDIR=%{buildroot} \
LIBDIR="%{_libdir}/%{name}" \
MANDIR="%{_mandir}" \
BINDIR="%{_sbindir}" \
ETCDIR="%{_sysconfdir}" \
INITDIR="%{_sysconfdir}/init.d" \
SYSCONFIGDIR="%{_sysconfdir}" \
install
mkdir -p %{buildroot}%{_fillupdir} mkdir -p %{buildroot}%{_fillupdir}
mkdir -p %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{_unitdir}
install -p %{SOURCE1} %{buildroot}%{_unitdir}/ install -p %_sourcedir/ebtables.service %{buildroot}%{_unitdir}/
chmod -x %{buildroot}%{_unitdir}/*.service chmod -x %{buildroot}%{_unitdir}/*.service
mkdir -p %{buildroot}%{_libexecdir} mkdir -p %{buildroot}%{_libexecdir}
install -m0755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables install -m0755 %_sourcedir/ebtables.systemd %{buildroot}%{_libexecdir}/ebtables
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.filter touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.filter
touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.nat touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.nat
touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.broute touch %{buildroot}%{_fillupdir}/sysconfig.%{name}.broute
rm -rf %{buildroot}%{_initrddir} rm -rfv %{buildroot}%{_initrddir}
# not used # not used
rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config" rm -f "%{buildroot}/%{_sysconfdir}/ebtables-config"
mv "%{buildroot}/%{_sbindir}/ebtables" "%{buildroot}/%{_sbindir}/ebtables-legacy"
mv "%{buildroot}/%{_sbindir}/ebtables-restore" "%{buildroot}/%{_sbindir}/ebtables-legacy-restore"
mv "%{buildroot}/%{_sbindir}/ebtables-save" "%{buildroot}/%{_sbindir}/ebtables-legacy-save"
for i in ebtables ebtables-restore ebtables-save; do for i in ebtables ebtables-restore ebtables-save; do
ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i" ln -fsv "/etc/alternatives/$i" "%{buildroot}/%{_sbindir}/$i"
done done
echo ".so ebtables-legacy.8" >"%buildroot/%_mandir/man8/ebtables.8"
# no headers to make use of it
rm -f "%buildroot/%_libdir/libebtc.la" "%buildroot/%_libdir/libebtc.so"
%pre %pre
%service_add_pre %{name}.service %service_add_pre %{name}.service
@ -145,10 +123,13 @@ if test "$1" = 0; then
fi fi
%service_del_postun %{name}.service %service_del_postun %{name}.service
%post -n libebtc0 -p /sbin/ldconfig
%postun -n libebtc0 -p /sbin/ldconfig
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc COPYING ChangeLog %doc COPYING ChangeLog
%{_mandir}/man8/ebtables.8* %{_mandir}/man8/ebtables*.8*
%{_libexecdir}/%{name} %{_libexecdir}/%{name}
%{_unitdir}/%{name}.service %{_unitdir}/%{name}.service
%ghost %{_sysconfdir}/alternatives/ebtables %ghost %{_sysconfdir}/alternatives/ebtables
@ -159,9 +140,10 @@ fi
%ghost %{_fillupdir}/sysconfig.%{name}.broute %ghost %{_fillupdir}/sysconfig.%{name}.broute
# is provided by the netcfg package # is provided by the netcfg package
%exclude %{_sysconfdir}/ethertypes %exclude %{_sysconfdir}/ethertypes
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/*.so
%{_sbindir}/ebtables* %{_sbindir}/ebtables*
%{_sbindir}/rcebtables %{_sbindir}/rcebtables
%files -n libebtc0
%_libdir/libebtc.so.0*
%changelog %changelog
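Review bot: The new `Source:` and `Source2:` lines download `ebtables-%version.tar.bz2` and `ebtables-%version.tar.bz2.sig` over plain `http://` but rename them to `.tar.gz` and `.tar.gz.sig` through the `#/` suffix, so the URL and the committed file disagree about which archive is shipped. A detached signature made over a bzip2 archive cannot verify a gzip one, so if upstream publishes the `.tar.gz` the URLs should name it directly and drop the rename. The commit also adds `ebtables.keyring`, but the new preamble shows no `Source` entry for it, so as far as this section shows the keyring is not carried in the source package; consider `Source5: %name.keyring`. Signature checking may be done by the build service outside this spec, which is not visible here. The keyring listing in this commit shows one key already expired in 2015 and the other expiring 2020-10-17, so the keyring will need a refresh for later releases.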


@ -1,12 +0,0 @@
diff --git a/include/ebtables_u.h b/include/ebtables_u.h
index 35a5bcc..f120eb8 100644
--- a/include/ebtables_u.h
+++ b/include/ebtables_u.h
@@ -24,6 +24,7 @@
#ifndef EBTABLES_U_H
#define EBTABLES_U_H
#include <netinet/in.h>
+#include <linux/if.h>
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter/x_tables.h>