From eba35b07eaec21c8d589e22241590dd31c6f15c9146fb10aecd2f827c59e931a Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Sun, 13 Mar 2016 11:49:43 +0000
Subject: [PATCH 1/4] - Update to new upstream release 6.28

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ipset?expand=0&rev=51
---
 ipset-6.27.tar.bz2 | 3 --
 ipset-6.28.tar.bz2 | 3 ++
 ipset-pkgc.diff | 31 +++++++++++++++
 ipset-preamble | 3 ++
 ipset.changes | 10 +++++
 ipset.spec | 96 ++++++++++++++++++++++++++++++++++------------
 6 files changed, 119 insertions(+), 27 deletions(-)
 delete mode 100644 ipset-6.27.tar.bz2
 create mode 100644 ipset-6.28.tar.bz2
 create mode 100644 ipset-pkgc.diff
 create mode 100644 ipset-preamble
diff --git a/ipset-6.27.tar.bz2 b/ipset-6.27.tar.bz2
deleted file mode 100644
index 240ea4d..0000000
--- a/ipset-6.27.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:724897a80395534466142c3542184e5a480a5046140ca2a7d9097690b931b235
-size 532887
diff --git a/ipset-6.28.tar.bz2 b/ipset-6.28.tar.bz2
new file mode 100644
index 0000000..0ac4bef
--- /dev/null
+++ b/ipset-6.28.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd4239590b3f8dec31f9b4e8fdc7bc2d35f17ebd75fe448282d230b00e996b2e
+size 542058
diff --git a/ipset-pkgc.diff b/ipset-pkgc.diff
new file mode 100644
index 0000000..70d09f8
--- /dev/null
+++ b/ipset-pkgc.diff
@@ -0,0 +1,31 @@ +--- + Makefile.am | 2 +- + configure.ac | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +Index: ipset-6.28/Makefile.am +=================================================================== +--- ipset-6.28.orig/Makefile.am ++++ ipset-6.28/Makefile.am +@@ -71,7 +71,7 @@ modules_install: + if WITH_KMOD + ${MAKE} -C $(KBUILD_OUTPUT) M=$$PWD/kernel/net \ + KDIR=$$PWD/kernel modules_install +- @modinfo ip_set_hash_ip | ${GREP} /extra/ >/dev/null || echo "$$DEPMOD_WARNING" ++ ${AM_V_at}modinfo -b ${DESTDIR} ip_set_hash_ip | ${GREP} /extra/ >/dev/null || echo "$$DEPMOD_WARNING" + @lsmod | ${GREP} '^ip_set' >/dev/null && echo "$$MODULE_WARNING" + else + @echo Skipping kernel modules due to --with-kmod=no +Index: ipset-6.28/configure.ac +=================================================================== +--- ipset-6.28.orig/configure.ac ++++ ipset-6.28/configure.ac +@@ -12,6 +12,8 @@ LT_INIT([dlopen]) + LT_CONFIG_LTDL_DIR([libltdl]) + LTDL_INIT([nonrecursive]) + ++PKG_PROG_PKG_CONFIG ++ + dnl Shortcut: Linux supported alone + case "$host" in + *-*-linux* | *-*-uclinux*) ;; diff --git a/ipset-preamble b/ipset-preamble new file mode 100644 index 0000000..0be4ca1 --- /dev/null +++ b/ipset-preamble @@ -0,0 +1,3 @@ +Enhances: kernel-%1 +Requires: kernel-%1 +Supplements: packageand(kernel-%1:ipset) diff --git a/ipset.changes b/ipset.changes index fff515d..2236102 100644 --- a/ipset.changes +++ b/ipset.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Sat Mar 12 21:40:08 UTC 2016 - jengelh@inai.de + +- Update to new upstream release 6.28 +* Test added to check 0.0.0.0/0,iface to be matched in + hash:net,iface type +* Check IPSET_ATTR_ETHER netlink attribute length +* Fix set:list type crash when flush/dump set in parallel +* Allow a 0 netmask with hash_netiface type + ------------------------------------------------------------------- Mon Jan 18 15:42:54 UTC 2016 - kstreitova@suse.com 
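Review bot: In the Makefile.am change carried by ipset-pkgc.diff, `modinfo -b ${DESTDIR} ip_set_hash_ip` passes the base directory unquoted, so when DESTDIR is empty (a plain `make modules_install`) the shell hands `ip_set_hash_ip` to `-b` as the base directory and no module name is left. The check would then presumably fail and print DEPMOD_WARNING for the wrong reason, hiding the case the warning exists for. Quoting the argument and giving it a non-empty form avoids that: `${AM_V_at}modinfo -b "${DESTDIR}/" ip_set_hash_ip | ${GREP} /extra/ >/dev/null || echo "$$DEPMOD_WARNING"`. The patch file also has no From/Date/description header saying why it is carried; a two-line rationale at the top would help whoever next has to rebase or drop it.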
diff --git a/ipset.spec b/ipset.spec index fb451e4..44fbb98 100644 --- a/ipset.spec +++ b/ipset.spec @@ -16,9 +16,9 @@ # -%define lname libipset3 Name: ipset -Version: 6.27 +%define lname libipset3 +Version: 6.28 Release: 0 Summary: Netfilter ipset administration utility License: GPL-2.0 @@ -26,14 +26,24 @@ Group: Productivity/Networking/Security Url: http://ipset.netfilter.org/ #Git-Clone: git://git.netfilter.org/ipset #Git-Web: http://git.netfilter.org/ -Source: ftp://ftp.netfilter.org/pub/ipset/%{name}-%{version}.tar.bz2 +Source: ftp://ftp.netfilter.org/pub/ipset/%name-%version.tar.bz2 +Source3: %name-preamble +Patch1: ipset-pkgc.diff +BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: linux-glibc-devel >= 2.6.24 -BuildRequires: pkgconfig >= 0.21 +BuildRequires: pkg-config >= 0.21 BuildRequires: pkgconfig(libmnl) >= 1 -BuildRoot: %{_tmppath}/%{name}-%{version}-build +%if 0%{?ipset_build_kmp} +BuildRequires: %kernel_module_package_buildreqs +%if 0%{?suse_version} >= 1320 +BuildRequires: kmod-compat +%endif +BuildRequires: kernel-syms >= 2.6.39 +%kernel_module_package -p %name-preamble +%endif %description IP sets are a framework inside the Linux kernel, which can be 
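Review bot: The `Source:` line rewritten in the second hunk still fetches the tarball over plain `ftp://`, and the spec lists no detached signature or keyring, so nothing in the package ties `%name-%version.tar.bz2` to the upstream maintainer beyond the checksum recorded when the file was committed. This package ships firewall tooling and, once the KMP branch is enabled, kernel modules, so the origin of the source is worth checking at build time. If upstream publishes a signature for the release, I would add it and the signing key as further sources, for example `Source1: SIGNATURE-URL-PLACEHOLDER` and `Source2: %name.keyring`; if it does not, a comment above `Source:` stating how the tarball was verified would serve the next updater.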
@@ -50,11 +60,24 @@ ipset can: * express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets -%package -n %{lname} +%package KMP +Summary: Netfilter ipset kernel modules +Group: System/Kernel + +%description KMP +IP sets are a framework inside the Linux kernel, which can be +administered by the ipset utility. Depending on the type, currently +an IP set may store IP addresses, (TCP/UDP) port numbers or IP +addresses with MAC addresses in a way, which ensures lightning speed +when matching an entry against a set. + +This package contains a version update to the in-kernel ipset modules. + +%package -n %lname Summary: Userspace library for the in-kernel Netfilter ipset interface Group: System/Libraries -%description -n %{lname} +%description -n %lname IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP @@ -64,7 +87,7 @@ when matching an entry against a set. %package devel Summary: Development files for ipset extensions Group: Development/Libraries/C and C++ -Requires: %{lname} = %{version} +Requires: %lname = %version %description devel IP sets are a framework inside the Linux kernel, which can be 
@@ -75,34 +98,59 @@ when matching an entry against a set. %prep %setup -q +%patch -P 1 -p1 %build -%configure --disable-static \ - --with-kmod=no \ - --includedir="%{_includedir}/pkg/%{name}" -make %{?_smp_mflags}; +# build wants to call modinfo at some point +export PATH="$PATH:/usr/sbin" +autoreconf -fi +%if 0%{?ipset_build_kmp} +for flavor in %flavors_to_build; do + cp -a . "../%name-$flavor-%version" + pushd "../%name-$flavor-%version/" + # ksource: it just checks for a header + %configure --disable-static \ + --with-kbuild="/usr/src/linux-obj/%_target_cpu/$flavor" \ + --with-ksource="/usr/src/linux" \ + --includedir="%_includedir/%name" + make %{?_smp_mflags} all modules + popd +done +%endif +%configure --disable-static --with-kmod=no \ + --includedir="%_includedir/%name" +make %{?_smp_mflags} %install -make %{?_smp_mflags} install DESTDIR="%{buildroot}"; -find %{buildroot} -type f -name "*.la" -delete -print +export PATH="$PATH:/usr/sbin" +b="%buildroot" +%if 0%{?ipset_build_kmp} +for flavor in %flavors_to_build; do + pushd "../%name-$flavor-%version/" + make %{?_smp_mflags} install modules_install \ + DESTDIR="$b" INSTALL_MOD_PATH="$b" V=1 + popd; +done; +%endif +make %{?_smp_mflags} install DESTDIR="$b" +find "$b/%_libdir" -type f -name "*.la" -delete -%post -n %{lname} -p /sbin/ldconfig - -%postun -n %{lname} -p /sbin/ldconfig +%post -n %lname -p /sbin/ldconfig +%postun -n %lname -p /sbin/ldconfig %files %defattr(-,root,root) -%{_sbindir}/ipset -%{_mandir}/man*/* +%_sbindir/ipset +%_mandir/man*/* -%files -n %{lname} +%files -n %lname %defattr(-,root,root) -%{_libdir}/libipset.so.3* +%_libdir/libipset.so.3* %files devel %defattr(-,root,root) -%{_libdir}/libipset.so -%{_libdir}/pkgconfig/libipset.pc -%{_includedir}/pkg/ +%_libdir/libipset.so +%_libdir/pkgconfig/libipset.pc +%_includedir/%name/ %changelog From b8e44c76f5e353ed1b8889b1ec37c6255d8446ca4fbe2860b2988384638734b5 Mon Sep 17 00:00:00 2001 
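Review bot: In `%install`, the per-flavor loop runs `make %{?_smp_mflags} install modules_install`, which writes the userspace files into `$b` once per kernel flavor before the final `make %{?_smp_mflags} install DESTDIR="$b"` writes them again from the main tree; whichever copy lands last is what gets packaged. Only the modules are needed from the flavor trees, so I would reduce the loop command to `make %{?_smp_mflags} modules_install DESTDIR="$b" INSTALL_MOD_PATH="$b" V=1`, assuming modules_install does not depend on the install target. The same reasoning applies to `make %{?_smp_mflags} all modules` in `%build`, where `modules` alone may be enough. A short comment above each loop saying why the tree is copied per flavor would also make the section easier to audit.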
From: Jan Engelhardt
Date: Wed, 16 Mar 2016 23:30:10 +0000
Subject: [PATCH 2/4] - Update to new upstream release 6.29

OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ipset?expand=0&rev=52
---
 ipset-6.28.tar.bz2 | 3 ---
 ipset-6.29.tar.bz2 | 3 +++
 ipset-pkgc.diff | 31 -------------------------------
 ipset.changes | 6 ++++++
 ipset.spec | 4 +---
 5 files changed, 10 insertions(+), 37 deletions(-)
 delete mode 100644 ipset-6.28.tar.bz2
 create mode 100644 ipset-6.29.tar.bz2
 delete mode 100644 ipset-pkgc.diff
diff --git a/ipset-6.28.tar.bz2 b/ipset-6.28.tar.bz2
deleted file mode 100644
index 0ac4bef..0000000
--- a/ipset-6.28.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fd4239590b3f8dec31f9b4e8fdc7bc2d35f17ebd75fe448282d230b00e996b2e
-size 542058
diff --git a/ipset-6.29.tar.bz2 b/ipset-6.29.tar.bz2
new file mode 100644
index 0000000..66d82a0
--- /dev/null
+++ b/ipset-6.29.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6af58b21c8b475b1058e02529ea9f15b4b727dbc13dc9cbddf89941b0103880e
+size 542735
diff --git a/ipset-pkgc.diff b/ipset-pkgc.diff
deleted file mode 100644
index 70d09f8..0000000
--- a/ipset-pkgc.diff
+++ /dev/null
@@ -1,31 +0,0 @@ ---- - Makefile.am | 2 +- - configure.ac | 2 ++ - 2 files changed, 3 insertions(+), 1 deletion(-) - -Index: ipset-6.28/Makefile.am -=================================================================== ---- ipset-6.28.orig/Makefile.am -+++ ipset-6.28/Makefile.am -@@ -71,7 +71,7 @@ modules_install: - if WITH_KMOD - ${MAKE} -C $(KBUILD_OUTPUT) M=$$PWD/kernel/net \ - KDIR=$$PWD/kernel modules_install -- @modinfo ip_set_hash_ip | ${GREP} /extra/ >/dev/null || echo "$$DEPMOD_WARNING" -+ ${AM_V_at}modinfo -b ${DESTDIR} ip_set_hash_ip | ${GREP} /extra/ >/dev/null || echo "$$DEPMOD_WARNING" - @lsmod | ${GREP} '^ip_set' >/dev/null && echo "$$MODULE_WARNING" - else - @echo Skipping kernel modules due to --with-kmod=no -Index: ipset-6.28/configure.ac -=================================================================== ---- ipset-6.28.orig/configure.ac -+++ ipset-6.28/configure.ac -@@ -12,6 +12,8 @@ LT_INIT([dlopen]) - LT_CONFIG_LTDL_DIR([libltdl]) - LTDL_INIT([nonrecursive]) - -+PKG_PROG_PKG_CONFIG -+ - dnl Shortcut: Linux supported alone - case "$host" in - *-*-linux* | *-*-uclinux*) ;; diff --git a/ipset.changes b/ipset.changes index 2236102..cf0b9ae 100644 --- a/ipset.changes +++ b/ipset.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 16 23:25:41 UTC 2016 - jengelh@inai.de + +- Update to new upstream release 6.29 +* Fix race condition in ipset save, swap and delete + ------------------------------------------------------------------- Sat Mar 12 21:40:08 UTC 2016 - jengelh@inai.de diff --git a/ipset.spec b/ipset.spec index 44fbb98..24a4527 100644 --- a/ipset.spec +++ b/ipset.spec @@ -18,7 +18,7 @@ Name: ipset %define lname libipset3 -Version: 6.28 +Version: 6.29 Release: 0 Summary: Netfilter ipset administration utility License: GPL-2.0 
@@ -28,7 +28,6 @@ Url: http://ipset.netfilter.org/ #Git-Web: http://git.netfilter.org/ Source: ftp://ftp.netfilter.org/pub/ipset/%name-%version.tar.bz2 Source3: %name-preamble -Patch1: ipset-pkgc.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf BuildRequires: automake @@ -98,7 +97,6 @@ when matching an entry against a set. %prep %setup -q -%patch -P 1 -p1 %build # build wants to call modinfo at some point From 15df0cd4aa0bad9712bb79f7d33551b8c4cd85596f6c27ba5ffa1bd18cf9e8f6 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 17 Mar 2016 00:24:00 +0000 Subject: [PATCH 3/4] Reenable KMP %install section I did not finish yesterday OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ipset?expand=0&rev=53 --- ipset-destdir.diff | 31 +++++++++++++++++++++++++++++++ ipset.changes | 2 ++ ipset.spec | 7 +++++++ 3 files changed, 40 insertions(+) create mode 100644 ipset-destdir.diff diff --git a/ipset-destdir.diff b/ipset-destdir.diff new file mode 100644 index 0000000..c15f3eb --- /dev/null +++ b/ipset-destdir.diff 
@@ -0,0 +1,31 @@ +From: Jan Engelhardt +Date: 2016-03-17 01:13:03.340741300 +0100 + +Skip these two steps from Makefile.am altogether. + +1. If $INSTALL_MOD_PATH/lib/modules/uname_r is missing, no depmod + files will be created at all (by depmod as invoked by the kernel's + modules_install target). + +2. Therefore, modinfo -b will error out because it cannot find + $INSTALL_MOD_PATH/lib/modules/uname-r/modules.order. + +3. lsmod fails because /proc and /sys are not mounted. + +--- + Makefile.am | 2 -- + 1 file changed, 2 deletions(-) + +Index: ipset-6.29/Makefile.am +=================================================================== +--- ipset-6.29.orig/Makefile.am ++++ ipset-6.29/Makefile.am +@@ -72,8 +72,6 @@ modules_install: + if WITH_KMOD + ${MAKE} -C $(KBUILD_OUTPUT) M=$$PWD/kernel/net \ + KDIR=$$PWD/kernel modules_install +- @modinfo -b ${INSTALL_MOD_PATH} ip_set_hash_ip | ${GREP} /extra/ >/dev/null || echo "$$DEPMOD_WARNING" +- @lsmod | ${GREP} '^ip_set' >/dev/null && echo "$$MODULE_WARNING" + else + @echo Skipping kernel modules due to --with-kmod=no + endif diff --git a/ipset.changes b/ipset.changes index cf0b9ae..a15a9b1 100644 --- a/ipset.changes +++ b/ipset.changes @@ -13,6 +13,8 @@ Sat Mar 12 21:40:08 UTC 2016 - jengelh@inai.de * Check IPSET_ATTR_ETHER netlink attribute length * Fix set:list type crash when flush/dump set in parallel * Allow a 0 netmask with hash_netiface type +- Restore unreviewed deletion of KMP production, + undo spec-cleaner refucktoring ------------------------------------------------------------------- Mon Jan 18 15:42:54 UTC 2016 - kstreitova@suse.com diff --git a/ipset.spec b/ipset.spec index 24a4527..c1feb55 100644 --- a/ipset.spec +++ b/ipset.spec 
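Review bot: ipset-destdir.diff deletes both post-install checks from `modules_install` unconditionally, so an install onto a live system also loses DEPMOD_WARNING and MODULE_WARNING, the only signals in this recipe that the in-tree ip_set modules may still be the ones resolved or that an old module is still loaded. For a package whose purpose is to deliver updated kernel modules, I would keep the checks for non-staged installs and skip them only when a staging root is set, e.g. `@test -n "${INSTALL_MOD_PATH}${DESTDIR}" || modinfo ip_set_hash_ip | ${GREP} /extra/ >/dev/null || echo "$$DEPMOD_WARNING"`, with the same guard in front of the lsmod line. The patch description announces "these two steps" but then numbers three items and spells the directory both `uname_r` and `uname-r`; tidying that would make the rationale easier to follow.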
@@ -28,6 +28,7 @@ Url: http://ipset.netfilter.org/ #Git-Web: http://git.netfilter.org/ Source: ftp://ftp.netfilter.org/pub/ipset/%name-%version.tar.bz2 Source3: %name-preamble +Patch1: ipset-destdir.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf BuildRequires: automake @@ -35,6 +36,11 @@ BuildRequires: libtool BuildRequires: linux-glibc-devel >= 2.6.24 BuildRequires: pkg-config >= 0.21 BuildRequires: pkgconfig(libmnl) >= 1 +%if 0%{?suse_version} && 0%{?suse_version} < 1330 +# Factory gets new kernels, old releases don't. +# Always build KMPs for all versions older than Factory. +%define ipset_build_kmp 1 +%endif %if 0%{?ipset_build_kmp} BuildRequires: %kernel_module_package_buildreqs %if 0%{?suse_version} >= 1320 @@ -97,6 +103,7 @@ when matching an entry against a set. %prep %setup -q +%patch -P 1 -p1 %build # build wants to call modinfo at some point From 28dd41170fc0899083983a0b132e10fabfd04614b0b5ed6fdc9ec44e1eee21f4 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 24 Mar 2016 11:20:07 +0000 Subject: [PATCH 4/4] - Add ipset-destdir.diff OBS-URL: https://build.opensuse.org/package/show/security:netfilter/ipset?expand=0&rev=54 --- ipset.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/ipset.changes b/ipset.changes index a15a9b1..6d89d2d 100644 --- a/ipset.changes +++ b/ipset.changes @@ -15,6 +15,7 @@ Sat Mar 12 21:40:08 UTC 2016 - jengelh@inai.de * Allow a 0 netmask with hash_netiface type - Restore unreviewed deletion of KMP production, undo spec-cleaner refucktoring +- Add ipset-destdir.diff ------------------------------------------------------------------- Mon Jan 18 15:42:54 UTC 2016 - kstreitova@suse.com
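Review bot: The `%define ipset_build_kmp 1` added in the second hunk is set for every suse_version below 1330 with no way to switch it off, so a project that wants only the userspace package, or that cannot ship out-of-tree modules, has to edit the spec. I would supply the value only as a default, `%{!?ipset_build_kmp:%global ipset_build_kmp 1}`, inside the same `%if`. The comment above it would also be clearer if it said that on those releases the KMP replaces the in-kernel ipset modules, since that is the consequence an administrator needs to know before installing it.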