mirror of https://github.com/hak5/openwrt.git
iptables: update to 1.8.3
Update iptables to 1.8.3
ChangeLog:
https://netfilter.org/projects/iptables/files/changes-iptables-1.8.3.txt
Removed upstream patches:
- 001-extensions_format-security_fixes_in_libip.patch
- 002-include_fix_build_with_kernel_headers_before_4_2.patch
- 003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch
Altered patches:
- 200-configurable_builtin.patch
- 600-shared-libext.patch
No notable size changes
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [lipibtc ABI_VERSION fix]
(cherry picked from commit 299f6cb2da
)
openwrt-19.07
parent
74b0b42fc6
commit
7a4acfce6d
|
@ -9,13 +9,12 @@ include $(TOPDIR)/rules.mk
|
|||
include $(INCLUDE_DIR)/kernel.mk
|
||||
|
||||
PKG_NAME:=iptables
|
||||
PKG_VERSION:=1.8.2
|
||||
PKG_RELEASE:=3
|
||||
PKG_VERSION:=1.8.3
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
|
||||
PKG_SOURCE_VERSION:=bba6bc692b0e6137e13881a1f398c134822e9f83
|
||||
PKG_MIRROR_HASH:=23a61d2a23fc0d587029690ef2564625d78fba4b2d90117edaf5b9eaf55bb7f9
|
||||
PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||
PKG_HASH:=a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80
|
||||
|
||||
PKG_FIXUP:=autoreconf
|
||||
PKG_FLAGS:=nonshared
|
||||
|
@ -37,7 +36,7 @@ define Package/iptables/Default
|
|||
SECTION:=net
|
||||
CATEGORY:=Network
|
||||
SUBMENU:=Firewall
|
||||
URL:=http://netfilter.org/
|
||||
URL:=https://netfilter.org/
|
||||
endef
|
||||
|
||||
define Package/iptables/Module
|
||||
|
@ -502,7 +501,7 @@ $(call Package/iptables/Default)
|
|||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
TITLE:=IPv4 firewall - shared libiptc library
|
||||
ABI_VERSION:=0
|
||||
ABI_VERSION:=2
|
||||
DEPENDS:=+libxtables
|
||||
endef
|
||||
|
||||
|
@ -511,7 +510,7 @@ $(call Package/iptables/Default)
|
|||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
TITLE:=IPv6 firewall - shared libiptc library
|
||||
ABI_VERSION:=0
|
||||
ABI_VERSION:=2
|
||||
DEPENDS:=+libxtables
|
||||
endef
|
||||
|
||||
|
|
|
@ -1,52 +0,0 @@
|
|||
From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
|
||||
Date: Wed, 14 Nov 2018 07:35:28 +0100
|
||||
Subject: extensions: format-security fixes in libip[6]t_icmp
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
|
||||
introduced support for gcc feature to check format string against passed
|
||||
argument. This commit adds missing bits to extenstions's libipt_icmp.c
|
||||
and libip6t_icmp6.c that were causing build to fail.
|
||||
|
||||
Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
|
||||
Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
extensions/libip6t_icmp6.c | 4 ++--
|
||||
extensions/libipt_icmp.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/extensions/libip6t_icmp6.c
|
||||
+++ b/extensions/libip6t_icmp6.c
|
||||
@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(str
|
||||
type_name = icmp6_type_xlate(icmptype);
|
||||
|
||||
if (type_name) {
|
||||
- xt_xlate_add(xl, type_name);
|
||||
+ xt_xlate_add(xl, "%s", type_name);
|
||||
} else {
|
||||
for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
|
||||
if (icmpv6_codes[i].type == icmptype &&
|
||||
@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(str
|
||||
break;
|
||||
|
||||
if (i != ARRAY_SIZE(icmpv6_codes))
|
||||
- xt_xlate_add(xl, icmpv6_codes[i].name);
|
||||
+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
|
||||
else
|
||||
return 0;
|
||||
}
|
||||
--- a/extensions/libipt_icmp.c
|
||||
+++ b/extensions/libipt_icmp.c
|
||||
@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(str
|
||||
if (icmp_codes[i].type == icmptype &&
|
||||
icmp_codes[i].code_min == code_min &&
|
||||
icmp_codes[i].code_max == code_max) {
|
||||
- xt_xlate_add(xl, icmp_codes[i].name);
|
||||
+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
|
||||
return 1;
|
||||
}
|
||||
}
|
|
@ -1,48 +0,0 @@
|
|||
From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
|
||||
From: Baruch Siach <baruch@tkos.co.il>
|
||||
Date: Fri, 16 Nov 2018 09:30:33 +0200
|
||||
Subject: include: fix build with kernel headers before 4.2
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Commit 672accf1530 (include: update kernel netfilter header files)
|
||||
updated linux/netfilter.h and brought with it the update from kernel
|
||||
commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
|
||||
from netns headers). This triggers conflict of headers that is fixed in
|
||||
kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
|
||||
netinet/in.h) included in kernel version 4.2. For earlier kernel headers
|
||||
we need a workaround that prevents the headers conflict.
|
||||
|
||||
Fixes the following build failure:
|
||||
|
||||
In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
|
||||
from ../include/libiptc/ipt_kernel_headers.h:8,
|
||||
from ../include/libiptc/libiptc.h:6,
|
||||
from libip4tc.c:29:
|
||||
.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
|
||||
IPPROTO_IP = 0, /* Dummy protocol for TCP */
|
||||
^
|
||||
.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
|
||||
IPPROTO_IP = 0, /* Dummy protocol for TCP. */
|
||||
^~~~~~~~~~
|
||||
|
||||
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
---
|
||||
include/linux/netfilter.h | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
--- a/include/linux/netfilter.h
|
||||
+++ b/include/linux/netfilter.h
|
||||
@@ -3,8 +3,10 @@
|
||||
|
||||
#include <linux/types.h>
|
||||
|
||||
+#ifndef _NETINET_IN_H
|
||||
#include <linux/in.h>
|
||||
#include <linux/in6.h>
|
||||
+#endif
|
||||
#include <limits.h>
|
||||
|
||||
/* Responses from hook functions. */
|
|
@ -1,41 +0,0 @@
|
|||
From 51d374ba41ae4f1bb851228c06b030b83dd2092f Mon Sep 17 00:00:00 2001
|
||||
From: Baruch Siach <baruch@tkos.co.il>
|
||||
Date: Tue, 13 Nov 2018 19:22:08 +0200
|
||||
Subject: ebtables: vlan: fix userspace/kernel headers collision
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Build with musl libc fails because of conflicting struct ethhdr
|
||||
definitions:
|
||||
|
||||
In file included from .../sysroot/usr/include/net/ethernet.h:10:0,
|
||||
from ../iptables/nft-bridge.h:8,
|
||||
from libebt_vlan.c:18:
|
||||
.../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
|
||||
struct ethhdr {
|
||||
^~~~~~
|
||||
In file included from libebt_vlan.c:16:0:
|
||||
.../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here
|
||||
struct ethhdr {
|
||||
^~~~~~
|
||||
|
||||
Include the userspace header first for the definition suppression logic
|
||||
to do the right thing.
|
||||
|
||||
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
extensions/libebt_vlan.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/extensions/libebt_vlan.c
|
||||
+++ b/extensions/libebt_vlan.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <getopt.h>
|
||||
#include <ctype.h>
|
||||
#include <xtables.h>
|
||||
+#include <netinet/if_ether.h>
|
||||
#include <linux/netfilter_bridge/ebt_vlan.h>
|
||||
#include <linux/if_ether.h>
|
||||
#include "iptables/nft.h"
|
|
@ -1,6 +1,6 @@
|
|||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -887,12 +887,6 @@ static void xtables_check_options(const
|
||||
@@ -903,12 +903,6 @@ static void xtables_check_options(const
|
||||
|
||||
void xtables_register_match(struct xtables_match *me)
|
||||
{
|
||||
|
@ -13,7 +13,7 @@
|
|||
if (me->version == NULL) {
|
||||
fprintf(stderr, "%s: match %s<%u> is missing a version\n",
|
||||
xt_params->program_name, me->name, me->revision);
|
||||
@@ -1080,12 +1074,6 @@ void xtables_register_matches(struct xta
|
||||
@@ -1096,12 +1090,6 @@ void xtables_register_matches(struct xta
|
||||
|
||||
void xtables_register_target(struct xtables_target *me)
|
||||
{
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/iptables/xtables-legacy-multi.c
|
||||
+++ b/iptables/xtables-legacy-multi.c
|
||||
@@ -31,8 +31,10 @@ static const struct subcommand multi_sub
|
||||
@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
|
||||
|
||||
|
||||
#endif
|
||||
|
|
|
@ -34,10 +34,10 @@
|
|||
+pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static})
|
||||
+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
|
||||
+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
|
||||
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
|
||||
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
|
||||
pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod})
|
||||
pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod})
|
||||
@@ -67,13 +87,13 @@ pf6_solibs := $(patsubst %,libip6t_%.
|
||||
@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_
|
||||
#
|
||||
targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
|
||||
targets_install :=
|
||||
|
@ -46,19 +46,21 @@
|
|||
-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
|
||||
-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
|
||||
-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
|
||||
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
|
||||
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
|
||||
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
|
||||
-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files}
|
||||
+libext_objs := ${pfx_objs}
|
||||
+libext_ebt_objs := ${pfb_objs}
|
||||
+libext_arpt_objs := ${pfa_objs}
|
||||
+libext4_objs := ${pf4_objs}
|
||||
+libext6_objs := ${pf6_objs}
|
||||
+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
|
||||
+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
|
||||
+targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
|
||||
+symlinks_install := ${pfx_symlink_files}
|
||||
|
||||
.SECONDARY:
|
||||
|
||||
@@ -141,11 +161,11 @@ libext4.a: initext4.o ${libext4_objs}
|
||||
@@ -148,11 +168,11 @@ libext4.a: initext4.o ${libext4_objs}
|
||||
libext6.a: initext6.o ${libext6_objs}
|
||||
${AM_VERBOSE_AR} ${AR} crs $@ $^;
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/extensions/GNUmakefile.in
|
||||
+++ b/extensions/GNUmakefile.in
|
||||
@@ -85,7 +85,7 @@ pf6_solibs := $(patsubst %,libip6t_%.
|
||||
@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_
|
||||
#
|
||||
# Building blocks
|
||||
#
|
||||
|
@ -9,7 +9,7 @@
|
|||
targets_install :=
|
||||
libext_objs := ${pfx_objs}
|
||||
libext_ebt_objs := ${pfb_objs}
|
||||
@@ -112,7 +112,7 @@ clean:
|
||||
@@ -119,7 +119,7 @@ clean:
|
||||
distclean: clean
|
||||
|
||||
init%.o: init%.c
|
||||
|
@ -18,7 +18,7 @@
|
|||
|
||||
-include .*.d
|
||||
|
||||
@@ -144,22 +144,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
|
||||
@@ -151,22 +151,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
|
||||
# handling code in the Makefiles.
|
||||
#
|
||||
lib%.o: ${srcdir}/lib%.c
|
||||
|
@ -54,7 +54,7 @@
|
|||
initextb_func := $(addprefix ebt_,${pfb_build_static})
|
||||
--- a/iptables/Makefile.am
|
||||
+++ b/iptables/Makefile.am
|
||||
@@ -8,7 +8,8 @@ BUILT_SOURCES =
|
||||
@@ -8,19 +8,22 @@ BUILT_SOURCES =
|
||||
|
||||
xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c
|
||||
xtables_legacy_multi_CFLAGS = ${AM_CFLAGS}
|
||||
|
@ -64,25 +64,23 @@
|
|||
if ENABLE_STATIC
|
||||
xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE
|
||||
endif
|
||||
@@ -16,13 +17,15 @@ if ENABLE_IPV4
|
||||
xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \
|
||||
iptables-standalone.c iptables.c
|
||||
if ENABLE_IPV4
|
||||
xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
|
||||
xtables_legacy_multi_CFLAGS += -DENABLE_IPV4
|
||||
-xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
|
||||
+xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la
|
||||
+xtables_legacy_multi_LDFLAGS += -liptext4
|
||||
endif
|
||||
if ENABLE_IPV6
|
||||
xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
|
||||
ip6tables-standalone.c ip6tables.c
|
||||
xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
|
||||
xtables_legacy_multi_CFLAGS += -DENABLE_IPV6
|
||||
-xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
|
||||
+xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la
|
||||
+xtables_legacy_multi_LDFLAGS += -liptext6
|
||||
endif
|
||||
xtables_legacy_multi_SOURCES += xshared.c
|
||||
xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
|
||||
xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
|
||||
@@ -32,7 +35,8 @@ if ENABLE_NFTABLES
|
||||
@@ -30,7 +33,8 @@ if ENABLE_NFTABLES
|
||||
BUILT_SOURCES += xtables-config-parser.h
|
||||
xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c
|
||||
xtables_nft_multi_CFLAGS = ${AM_CFLAGS}
|
||||
|
@ -92,7 +90,7 @@
|
|||
if ENABLE_STATIC
|
||||
xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE
|
||||
endif
|
||||
@@ -47,7 +51,8 @@ xtables_nft_multi_SOURCES += xtables-sav
|
||||
@@ -45,7 +49,8 @@ xtables_nft_multi_SOURCES += xtables-sav
|
||||
xtables-eb-standalone.c xtables-eb.c \
|
||||
xtables-eb-translate.c \
|
||||
xtables-translate.c
|
||||
|
|
Loading…
Reference in New Issue