From 7a4acfce6df156da3006098abf5c44156862cf32 Mon Sep 17 00:00:00 2001 From: Deng Qingfang Date: Thu, 6 Jun 2019 04:24:44 +0800 Subject: [PATCH] iptables: update to 1.8.3 Update iptables to 1.8.3 ChangeLog: https://netfilter.org/projects/iptables/files/changes-iptables-1.8.3.txt Removed upstream patches: - 001-extensions_format-security_fixes_in_libip.patch - 002-include_fix_build_with_kernel_headers_before_4_2.patch - 003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch Altered patches: - 200-configurable_builtin.patch - 600-shared-libext.patch No notable size changes Signed-off-by: Deng Qingfang Signed-off-by: Hans Dedecker [lipibtc ABI_VERSION fix] (cherry picked from commit 299f6cb2da0a443484339aaa51b3d9edcc21ce4e) --- package/network/utils/iptables/Makefile | 17 +++--- ...sions_format-security_fixes_in_libip.patch | 52 ------------------- ...build_with_kernel_headers_before_4_2.patch | 48 ----------------- ...x_userspace_kernel_headers_collision.patch | 41 --------------- .../patches/101-remove-check-already.patch | 4 +- .../iptables/patches/103-optional-xml.patch | 2 +- .../patches/200-configurable_builtin.patch | 12 +++-- .../iptables/patches/600-shared-libext.patch | 22 ++++---- 8 files changed, 28 insertions(+), 170 deletions(-) delete mode 100644 package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch delete mode 100644 package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch delete mode 100644 package/network/utils/iptables/patches/003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile index d60e25cdc7..dd761f3443 100644 --- a/package/network/utils/iptables/Makefile +++ b/package/network/utils/iptables/Makefile @@ -9,13 +9,12 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=iptables -PKG_VERSION:=1.8.2 -PKG_RELEASE:=3 +PKG_VERSION:=1.8.3 +PKG_RELEASE:=1 -PKG_SOURCE_PROTO:=git -PKG_SOURCE_URL:=https://git.netfilter.org/iptables -PKG_SOURCE_VERSION:=bba6bc692b0e6137e13881a1f398c134822e9f83 -PKG_MIRROR_HASH:=23a61d2a23fc0d587029690ef2564625d78fba4b2d90117edaf5b9eaf55bb7f9 +PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 +PKG_HASH:=a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80 PKG_FIXUP:=autoreconf PKG_FLAGS:=nonshared @@ -37,7 +36,7 @@ define Package/iptables/Default SECTION:=net CATEGORY:=Network SUBMENU:=Firewall - URL:=http://netfilter.org/ + URL:=https://netfilter.org/ endef define Package/iptables/Module @@ -502,7 +501,7 @@ $(call Package/iptables/Default) SECTION:=libs CATEGORY:=Libraries TITLE:=IPv4 firewall - shared libiptc library - ABI_VERSION:=0 + ABI_VERSION:=2 DEPENDS:=+libxtables endef @@ -511,7 +510,7 @@ $(call Package/iptables/Default) SECTION:=libs CATEGORY:=Libraries TITLE:=IPv6 firewall - shared libiptc library - ABI_VERSION:=0 + ABI_VERSION:=2 DEPENDS:=+libxtables endef diff --git a/package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch b/package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch deleted file mode 100644 index 9bd85ec139..0000000000 --- a/package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= -Date: Wed, 14 Nov 2018 07:35:28 +0100 -Subject: extensions: format-security fixes in libip[6]t_icmp -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") -introduced support for gcc feature to check format string against passed -argument. This commit adds missing bits to extenstions's libipt_icmp.c -and libip6t_icmp6.c that were causing build to fail. - -Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") -Signed-off-by: Adam Gołębiowski -Signed-off-by: Pablo Neira Ayuso ---- - extensions/libip6t_icmp6.c | 4 ++-- - extensions/libipt_icmp.c | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - ---- a/extensions/libip6t_icmp6.c -+++ b/extensions/libip6t_icmp6.c -@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(str - type_name = icmp6_type_xlate(icmptype); - - if (type_name) { -- xt_xlate_add(xl, type_name); -+ xt_xlate_add(xl, "%s", type_name); - } else { - for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i) - if (icmpv6_codes[i].type == icmptype && -@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(str - break; - - if (i != ARRAY_SIZE(icmpv6_codes)) -- xt_xlate_add(xl, icmpv6_codes[i].name); -+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name); - else - return 0; - } ---- a/extensions/libipt_icmp.c -+++ b/extensions/libipt_icmp.c -@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(str - if (icmp_codes[i].type == icmptype && - icmp_codes[i].code_min == code_min && - icmp_codes[i].code_max == code_max) { -- xt_xlate_add(xl, icmp_codes[i].name); -+ xt_xlate_add(xl, "%s", icmp_codes[i].name); - return 1; - } - } diff --git a/package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch b/package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch deleted file mode 100644 index 13737cf7cd..0000000000 --- a/package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001 -From: Baruch Siach -Date: Fri, 16 Nov 2018 09:30:33 +0200 -Subject: include: fix build with kernel headers before 4.2 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Commit 672accf1530 (include: update kernel netfilter header files) -updated linux/netfilter.h and brought with it the update from kernel -commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h -from netns headers). This triggers conflict of headers that is fixed in -kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with -netinet/in.h) included in kernel version 4.2. For earlier kernel headers -we need a workaround that prevents the headers conflict. - -Fixes the following build failure: - -In file included from .../sysroot/usr/include/netinet/ip.h:25:0, - from ../include/libiptc/ipt_kernel_headers.h:8, - from ../include/libiptc/libiptc.h:6, - from libip4tc.c:29: -.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’ - IPPROTO_IP = 0, /* Dummy protocol for TCP */ - ^ -.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here - IPPROTO_IP = 0, /* Dummy protocol for TCP. */ - ^~~~~~~~~~ - -Signed-off-by: Baruch Siach -Signed-off-by: Florian Westphal ---- - include/linux/netfilter.h | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/include/linux/netfilter.h -+++ b/include/linux/netfilter.h -@@ -3,8 +3,10 @@ - - #include - -+#ifndef _NETINET_IN_H - #include - #include -+#endif - #include - - /* Responses from hook functions. */ diff --git a/package/network/utils/iptables/patches/003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch b/package/network/utils/iptables/patches/003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch deleted file mode 100644 index 53e1113003..0000000000 --- a/package/network/utils/iptables/patches/003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 51d374ba41ae4f1bb851228c06b030b83dd2092f Mon Sep 17 00:00:00 2001 -From: Baruch Siach -Date: Tue, 13 Nov 2018 19:22:08 +0200 -Subject: ebtables: vlan: fix userspace/kernel headers collision -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Build with musl libc fails because of conflicting struct ethhdr -definitions: - -In file included from .../sysroot/usr/include/net/ethernet.h:10:0, - from ../iptables/nft-bridge.h:8, - from libebt_vlan.c:18: -.../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’ - struct ethhdr { - ^~~~~~ -In file included from libebt_vlan.c:16:0: -.../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here - struct ethhdr { - ^~~~~~ - -Include the userspace header first for the definition suppression logic -to do the right thing. - -Signed-off-by: Baruch Siach -Signed-off-by: Pablo Neira Ayuso ---- - extensions/libebt_vlan.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/extensions/libebt_vlan.c -+++ b/extensions/libebt_vlan.c -@@ -12,6 +12,7 @@ - #include - #include - #include -+#include - #include - #include - #include "iptables/nft.h" diff --git a/package/network/utils/iptables/patches/101-remove-check-already.patch b/package/network/utils/iptables/patches/101-remove-check-already.patch index f8d1bf44b6..98e825f016 100644 --- a/package/network/utils/iptables/patches/101-remove-check-already.patch +++ b/package/network/utils/iptables/patches/101-remove-check-already.patch @@ -1,6 +1,6 @@ --- a/libxtables/xtables.c +++ b/libxtables/xtables.c -@@ -887,12 +887,6 @@ static void xtables_check_options(const +@@ -903,12 +903,6 @@ static void xtables_check_options(const void xtables_register_match(struct xtables_match *me) { @@ -13,7 +13,7 @@ if (me->version == NULL) { fprintf(stderr, "%s: match %s<%u> is missing a version\n", xt_params->program_name, me->name, me->revision); -@@ -1080,12 +1074,6 @@ void xtables_register_matches(struct xta +@@ -1096,12 +1090,6 @@ void xtables_register_matches(struct xta void xtables_register_target(struct xtables_target *me) { diff --git a/package/network/utils/iptables/patches/103-optional-xml.patch b/package/network/utils/iptables/patches/103-optional-xml.patch index 2396037fdd..342808a395 100644 --- a/package/network/utils/iptables/patches/103-optional-xml.patch +++ b/package/network/utils/iptables/patches/103-optional-xml.patch @@ -1,6 +1,6 @@ --- a/iptables/xtables-legacy-multi.c +++ b/iptables/xtables-legacy-multi.c -@@ -31,8 +31,10 @@ static const struct subcommand multi_sub +@@ -32,8 +32,10 @@ static const struct subcommand multi_sub #endif diff --git a/package/network/utils/iptables/patches/200-configurable_builtin.patch b/package/network/utils/iptables/patches/200-configurable_builtin.patch index 9c53c2bfed..5788a829b0 100644 --- a/package/network/utils/iptables/patches/200-configurable_builtin.patch +++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch @@ -34,10 +34,10 @@ +pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static}) +pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static}) +pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static}) - pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks}) + pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod}) pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod}) pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod}) -@@ -67,13 +87,13 @@ pf6_solibs := $(patsubst %,libip6t_%. +@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_ # targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man targets_install := @@ -46,19 +46,21 @@ -@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs} -@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} -@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs} --@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} +-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files} -@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} +-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files} +libext_objs := ${pfx_objs} +libext_ebt_objs := ${pfb_objs} +libext_arpt_objs := ${pfa_objs} +libext4_objs := ${pf4_objs} +libext6_objs := ${pf6_objs} -+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ++targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files} +targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}) ++symlinks_install := ${pfx_symlink_files} .SECONDARY: -@@ -141,11 +161,11 @@ libext4.a: initext4.o ${libext4_objs} +@@ -148,11 +168,11 @@ libext4.a: initext4.o ${libext4_objs} libext6.a: initext6.o ${libext6_objs} ${AM_VERBOSE_AR} ${AR} crs $@ $^; diff --git a/package/network/utils/iptables/patches/600-shared-libext.patch b/package/network/utils/iptables/patches/600-shared-libext.patch index e88c288be6..f5c9c9d779 100644 --- a/package/network/utils/iptables/patches/600-shared-libext.patch +++ b/package/network/utils/iptables/patches/600-shared-libext.patch @@ -1,6 +1,6 @@ --- a/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in -@@ -85,7 +85,7 @@ pf6_solibs := $(patsubst %,libip6t_%. +@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_ # # Building blocks # @@ -9,7 +9,7 @@ targets_install := libext_objs := ${pfx_objs} libext_ebt_objs := ${pfb_objs} -@@ -112,7 +112,7 @@ clean: +@@ -119,7 +119,7 @@ clean: distclean: clean init%.o: init%.c @@ -18,7 +18,7 @@ -include .*.d -@@ -144,22 +144,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn +@@ -151,22 +151,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn # handling code in the Makefiles. # lib%.o: ${srcdir}/lib%.c @@ -54,7 +54,7 @@ initextb_func := $(addprefix ebt_,${pfb_build_static}) --- a/iptables/Makefile.am +++ b/iptables/Makefile.am -@@ -8,7 +8,8 @@ BUILT_SOURCES = +@@ -8,19 +8,22 @@ BUILT_SOURCES = xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c xtables_legacy_multi_CFLAGS = ${AM_CFLAGS} @@ -64,25 +64,23 @@ if ENABLE_STATIC xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE endif -@@ -16,13 +17,15 @@ if ENABLE_IPV4 - xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \ - iptables-standalone.c iptables.c + if ENABLE_IPV4 + xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c xtables_legacy_multi_CFLAGS += -DENABLE_IPV4 -xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a +xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la +xtables_legacy_multi_LDFLAGS += -liptext4 endif if ENABLE_IPV6 - xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \ - ip6tables-standalone.c ip6tables.c + xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c xtables_legacy_multi_CFLAGS += -DENABLE_IPV6 -xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a +xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la +xtables_legacy_multi_LDFLAGS += -liptext6 endif - xtables_legacy_multi_SOURCES += xshared.c + xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm -@@ -32,7 +35,8 @@ if ENABLE_NFTABLES +@@ -30,7 +33,8 @@ if ENABLE_NFTABLES BUILT_SOURCES += xtables-config-parser.h xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c xtables_nft_multi_CFLAGS = ${AM_CFLAGS} @@ -92,7 +90,7 @@ if ENABLE_STATIC xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE endif -@@ -47,7 +51,8 @@ xtables_nft_multi_SOURCES += xtables-sav +@@ -45,7 +49,8 @@ xtables_nft_multi_SOURCES += xtables-sav xtables-eb-standalone.c xtables-eb.c \ xtables-eb-translate.c \ xtables-translate.c