Accepting request 177745 from security:netfilter

- Update to new upstream release 1.4.19.1
* New connlabel and bpf matches
- Remove 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch,
  0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
  (are upstream)

OBS-URL: https://build.opensuse.org/request/show/177745
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/iptables?expand=0&rev=51
Stephan Kulow 2013-06-05 15:43:24 +00:00 committed by Git OBS Bridge
commit 930a9385ba
8 changed files with 28 additions and 179 deletions


@ -1,74 +0,0 @@
From 37b19d08f3cbc83a653386d76261490e173a874b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 16 Mar 2013 12:15:30 +0100
Subject: [PATCH] Revert "build: resolve link failure for ip6t_NETMAP"
This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6.
The use of libtool was introduced to resolve linking problems
in NETMAP (IPv6 version), but that resulted in RPATH problems
reported from distributors and warnings spotted by libtool at
linking stage.
Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and
get rid of libip6tc dependency) fixed the NETMAP issue, let's
roll back to our previous stage.
A small conflicts in extensions/GNUmakefile.in has been resolved
in this revert.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/GNUmakefile.in | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index 3db6985..1ae7f74 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -33,7 +33,6 @@ AM_VERBOSE_CXX = @echo " CXX " $@;
AM_VERBOSE_CXXLD = @echo " CXXLD " $@;
AM_VERBOSE_AR = @echo " AR " $@;
AM_VERBOSE_GEN = @echo " GEN " $@;
-AM_VERBOSE_NULL = @
endif
#
@@ -76,7 +75,7 @@ install: ${targets_install}
if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
clean:
- rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+ rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
rm -f .*.d .*.dd;
distclean: clean
@@ -90,19 +89,16 @@ init%.o: init%.c
#
# Shared libraries
#
-lib%.so: lib%.la
- ${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
+lib%.so: lib%.oo
+ ${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -lxtables ${$*_LIBADD};
-lib%.la: lib%.lo
- ${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
-
-lib%.lo: ${srcdir}/lib%.c
- ${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
+lib%.oo: ${srcdir}/lib%.c
+ ${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
libxt_NOTRACK.so: libxt_CT.so
- ${AM_VERBOSE_GEN} ln -fs $< $@
+ ln -fs $< $@
libxt_state.so: libxt_conntrack.so
- ${AM_VERBOSE_GEN} ln -fs $< $@
+ ln -fs $< $@
# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
xt_RATEEST_LIBADD = -lm
--
1.8.2


@ -1,88 +0,0 @@
From cccfff9309743f173c504dd265fae173caa5b47f Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 16 Mar 2013 12:11:07 +0100
Subject: [PATCH] libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of
libip6tc dependency
This patch changes the NETMAP target extension (IPv6 side) to use
the xtables_ip6mask_to_cidr available in libxtables.
As a side effect, we get rid of the libip6tc dependency.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/GNUmakefile.in | 1 -
extensions/libip6t_NETMAP.c | 2 +-
include/libiptc/libip6tc.h | 3 ---
iptables/ip6tables.c | 2 +-
libiptc/libip6tc.c | 2 +-
5 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index adad4d6..3db6985 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -105,7 +105,6 @@ libxt_state.so: libxt_conntrack.so
${AM_VERBOSE_GEN} ln -fs $< $@
# Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
-ip6t_NETMAP_LIBADD = ../libiptc/libip6tc.la
xt_RATEEST_LIBADD = -lm
xt_statistic_LIBADD = -lm
diff --git a/extensions/libip6t_NETMAP.c b/extensions/libip6t_NETMAP.c
index d14dece..a4df70e 100644
--- a/extensions/libip6t_NETMAP.c
+++ b/extensions/libip6t_NETMAP.c
@@ -61,7 +61,7 @@ static void NETMAP_print(const void *ip, const struct xt_entry_target *target,
printf("%s", xtables_ip6addr_to_numeric(&a));
for (i = 0; i < 4; i++)
a.s6_addr32[i] = ~(r->min_addr.ip6[i] ^ r->max_addr.ip6[i]);
- bits = ipv6_prefix_length(&a);
+ bits = xtables_ip6mask_to_cidr(&a);
if (bits < 0)
printf("/%s", xtables_ip6addr_to_numeric(&a));
else
diff --git a/include/libiptc/libip6tc.h b/include/libiptc/libip6tc.h
index c656bc4..9aed80a 100644
--- a/include/libiptc/libip6tc.h
+++ b/include/libiptc/libip6tc.h
@@ -154,9 +154,6 @@ int ip6tc_get_raw_socket(void);
/* Translates errno numbers into more human-readable form than strerror. */
const char *ip6tc_strerror(int err);
-/* Return prefix length, or -1 if not contiguous */
-int ipv6_prefix_length(const struct in6_addr *a);
-
extern void dump_entries6(struct xtc_handle *const);
extern const struct xtc_ops ip6tc_ops;
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 4cfbea3..7d02cc1 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1022,7 +1022,7 @@ static void print_ip(const char *prefix, const struct in6_addr *ip,
const struct in6_addr *mask, int invert)
{
char buf[51];
- int l = ipv6_prefix_length(mask);
+ int l = xtables_ip6mask_to_cidr(mask);
if (l == 0 && !invert)
return;
diff --git a/libiptc/libip6tc.c b/libiptc/libip6tc.c
index 7128e1c..ca01bcb 100644
--- a/libiptc/libip6tc.c
+++ b/libiptc/libip6tc.c
@@ -113,7 +113,7 @@ typedef unsigned int socklen_t;
#define BIT6(a, l) \
((ntohl(a->s6_addr32[(l) / 32]) >> (31 - ((l) & 31))) & 1)
-int
+static int
ipv6_prefix_length(const struct in6_addr *a)
{
int l, i;
--
1.8.2


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:14a99fb8b0ca22027a9ac6eb72fa32c834ceb3073820e0ba79bf251c6a7bcf3c
size 542308

Binary file not shown.


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dd51d3b942758a462afc7c8495930d25c93058e5319303247375183ad50164d2
size 543785

Binary file not shown.


@ -1,3 +1,12 @@
-------------------------------------------------------------------
Fri May 31 20:00:39 UTC 2013 - jengelh@inai.de
- Update to new upstream release 1.4.19.1
* New connlabel and bpf matches
- Remove 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch,
0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
(are upstream)
-------------------------------------------------------------------
Mon Apr 15 06:19:21 UTC 2013 - jengelh@inai.de


@ -20,7 +20,7 @@ Name: iptables
%define lname_ipq libipq0
%define lname_iptc libiptc0
%define lname_xt libxtables10
Version: 1.4.18
Version: 1.4.19.1
Release: 0
Summary: IP Packet Filter Administration utilities
License: GPL-2.0 and Artistic-2.0
@ -34,8 +34,6 @@ Url: http://netfilter.org/projects/iptables/
Source: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2
Source2: http://netfilter.org/projects/iptables/files/%name-%version.tar.bz2.sig
Source3: %name.keyring
Patch1: 0001-libip6t_NETMAP-Use-xtables_ip6mask_to_cidr-and-get-r.patch
Patch2: 0001-Revert-build-resolve-link-failure-for-ip6t_NETMAP.patch
Patch3: iptables-batch.patch
Patch4: iptables-apply-mktemp-fix.patch
@ -148,7 +146,7 @@ xtables --variable=xtlibdir).
%prep
%{?gpg_verify: %gpg_verify %{S:2}}
%setup -q
%patch -P 1 -P 2 -P 3 -P 4 -p1
%patch -P 3 -P 4 -p1
%build
# We have the iptables-batch patch, so always regenerate.
@ -159,7 +157,7 @@ fi
rm -f extensions/libipt_unclean.man
# includedir is overriden on purpose to detect projects that
# fail to include libxtables_CFLAGS
%configure --includedir=%_includedir/%name-%version --enable-libipq
%configure --includedir="%_includedir/pkg/%name" --enable-libipq
make %{?_smp_mflags}
%install
@ -201,9 +199,11 @@ rm -f "%buildroot/%_libdir"/*.la;
%files -n xtables-plugins
%defattr(-,root,root)
%_libdir/xtables
%dir %_sysconfdir/xtables/
%config %_sysconfdir/xtables/*.conf
%_libdir/xtables/
%_sbindir/nfnl_osf
%_datadir/xtables
%_datadir/xtables/
%files -n %lname_ipq
%defattr(-,root,root)
@ -213,8 +213,8 @@ rm -f "%buildroot/%_libdir"/*.la;
%defattr(-,root,root)
%doc %_mandir/man3/libipq*
%doc %_mandir/man3/ipq*
%dir %_includedir/%name-%version
%_includedir/%name-%version/libipq*
%dir %_includedir/pkg/%name/
%_includedir/pkg/%name/libipq*
%_libdir/libipq.so
%_libdir/pkgconfig/libipq.pc
@ -226,8 +226,9 @@ rm -f "%buildroot/%_libdir"/*.la;
%files -n libiptc-devel
%defattr(-,root,root)
%dir %_includedir/%name-%version
%_includedir/%name-%version/libiptc*
%dir %_includedir/pkg/
%dir %_includedir/pkg/%name/
%_includedir/pkg/%name/libiptc*
%_libdir/libip*tc.so
%_libdir/pkgconfig/libip*tc.pc
@ -237,9 +238,10 @@ rm -f "%buildroot/%_libdir"/*.la;
%files -n libxtables-devel
%defattr(-,root,root)
%dir %_includedir/%name-%version
%_includedir/%name-%version/xtables.h
%_includedir/%name-%version/xtables-version.h
%dir %_includedir/pkg/
%dir %_includedir/pkg/%name/
%_includedir/pkg/%name/xtables.h
%_includedir/pkg/%name/xtables-version.h
%_libdir/libxtables.so
%_libdir/pkgconfig/xtables.pc
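Review bot: The `%config %_sysconfdir/xtables/*.conf` entry that appears to be added under `%files -n xtables-plugins` is a plain `%config`, so on update rpm replaces a locally edited copy (saving it as `.rpmsave`) whenever the packaged file has changed. If these files hold administrator-maintained mappings that firewall rules refer to by name (presumably the connlabel mapping named in the changelog), `%config(noreplace) %_sysconfdir/xtables/*.conf` would keep the local version in place. Separately, the libipq devel file list owns `%dir %_includedir/pkg/%name/` but not the parent `%dir %_includedir/pkg/`, which the libiptc-devel and libxtables-devel lists both add. Unless a required package owns that parent, it is unowned when only the libipq devel subpackage is installed. The `+`/`-` markers are lost on this page, so which lines are new is inferred from the hunk counts and the paired old/new lines.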