iptables: update to 1.8.3

Update iptables to 1.8.3

ChangeLog:
  https://netfilter.org/projects/iptables/files/changes-iptables-1.8.3.txt

Removed upstream patches:
- 001-extensions_format-security_fixes_in_libip.patch
- 002-include_fix_build_with_kernel_headers_before_4_2.patch
- 003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch

Altered patches:
- 200-configurable_builtin.patch
- 600-shared-libext.patch

No notable size changes

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [lipibtc ABI_VERSION fix]
(cherry picked from commit 299f6cb2da)
openwrt-19.07
Deng Qingfang 2019-06-06 04:24:44 +08:00 committed by Petr Štetiar
parent 74b0b42fc6
commit 7a4acfce6d
8 changed files with 28 additions and 170 deletions

View File

@ -9,13 +9,12 @@ include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=iptables PKG_NAME:=iptables
PKG_VERSION:=1.8.2 PKG_VERSION:=1.8.3
PKG_RELEASE:=3 PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
PKG_SOURCE_URL:=https://git.netfilter.org/iptables PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_VERSION:=bba6bc692b0e6137e13881a1f398c134822e9f83 PKG_HASH:=a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80
PKG_MIRROR_HASH:=23a61d2a23fc0d587029690ef2564625d78fba4b2d90117edaf5b9eaf55bb7f9
PKG_FIXUP:=autoreconf PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared PKG_FLAGS:=nonshared
@ -37,7 +36,7 @@ define Package/iptables/Default
SECTION:=net SECTION:=net
CATEGORY:=Network CATEGORY:=Network
SUBMENU:=Firewall SUBMENU:=Firewall
URL:=http://netfilter.org/ URL:=https://netfilter.org/
endef endef
define Package/iptables/Module define Package/iptables/Module
@ -502,7 +501,7 @@ $(call Package/iptables/Default)
SECTION:=libs SECTION:=libs
CATEGORY:=Libraries CATEGORY:=Libraries
TITLE:=IPv4 firewall - shared libiptc library TITLE:=IPv4 firewall - shared libiptc library
ABI_VERSION:=0 ABI_VERSION:=2
DEPENDS:=+libxtables DEPENDS:=+libxtables
endef endef
@ -511,7 +510,7 @@ $(call Package/iptables/Default)
SECTION:=libs SECTION:=libs
CATEGORY:=Libraries CATEGORY:=Libraries
TITLE:=IPv6 firewall - shared libiptc library TITLE:=IPv6 firewall - shared libiptc library
ABI_VERSION:=0 ABI_VERSION:=2
DEPENDS:=+libxtables DEPENDS:=+libxtables
endef endef

View File

@ -1,52 +0,0 @@
From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
Date: Wed, 14 Nov 2018 07:35:28 +0100
Subject: extensions: format-security fixes in libip[6]t_icmp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
introduced support for gcc feature to check format string against passed
argument. This commit adds missing bits to extenstions's libipt_icmp.c
and libip6t_icmp6.c that were causing build to fail.
Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/libip6t_icmp6.c | 4 ++--
extensions/libipt_icmp.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/extensions/libip6t_icmp6.c
+++ b/extensions/libip6t_icmp6.c
@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(str
type_name = icmp6_type_xlate(icmptype);
if (type_name) {
- xt_xlate_add(xl, type_name);
+ xt_xlate_add(xl, "%s", type_name);
} else {
for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
if (icmpv6_codes[i].type == icmptype &&
@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(str
break;
if (i != ARRAY_SIZE(icmpv6_codes))
- xt_xlate_add(xl, icmpv6_codes[i].name);
+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
else
return 0;
}
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(str
if (icmp_codes[i].type == icmptype &&
icmp_codes[i].code_min == code_min &&
icmp_codes[i].code_max == code_max) {
- xt_xlate_add(xl, icmp_codes[i].name);
+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
return 1;
}
}

View File

@ -1,48 +0,0 @@
From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
From: Baruch Siach <baruch@tkos.co.il>
Date: Fri, 16 Nov 2018 09:30:33 +0200
Subject: include: fix build with kernel headers before 4.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 672accf1530 (include: update kernel netfilter header files)
updated linux/netfilter.h and brought with it the update from kernel
commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
from netns headers). This triggers conflict of headers that is fixed in
kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
netinet/in.h) included in kernel version 4.2. For earlier kernel headers
we need a workaround that prevents the headers conflict.
Fixes the following build failure:
In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
from ../include/libiptc/ipt_kernel_headers.h:8,
from ../include/libiptc/libiptc.h:6,
from libip4tc.c:29:
.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator IPPROTO_IP
IPPROTO_IP = 0, /* Dummy protocol for TCP */
^
.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of IPPROTO_IP was here
IPPROTO_IP = 0, /* Dummy protocol for TCP. */
^~~~~~~~~~
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/linux/netfilter.h | 2 ++
1 file changed, 2 insertions(+)
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -3,8 +3,10 @@
#include <linux/types.h>
+#ifndef _NETINET_IN_H
#include <linux/in.h>
#include <linux/in6.h>
+#endif
#include <limits.h>
/* Responses from hook functions. */

View File

@ -1,41 +0,0 @@
From 51d374ba41ae4f1bb851228c06b030b83dd2092f Mon Sep 17 00:00:00 2001
From: Baruch Siach <baruch@tkos.co.il>
Date: Tue, 13 Nov 2018 19:22:08 +0200
Subject: ebtables: vlan: fix userspace/kernel headers collision
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Build with musl libc fails because of conflicting struct ethhdr
definitions:
In file included from .../sysroot/usr/include/net/ethernet.h:10:0,
from ../iptables/nft-bridge.h:8,
from libebt_vlan.c:18:
.../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of struct ethhdr
struct ethhdr {
^~~~~~
In file included from libebt_vlan.c:16:0:
.../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here
struct ethhdr {
^~~~~~
Include the userspace header first for the definition suppression logic
to do the right thing.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/libebt_vlan.c | 1 +
1 file changed, 1 insertion(+)
--- a/extensions/libebt_vlan.c
+++ b/extensions/libebt_vlan.c
@@ -12,6 +12,7 @@
#include <getopt.h>
#include <ctype.h>
#include <xtables.h>
+#include <netinet/if_ether.h>
#include <linux/netfilter_bridge/ebt_vlan.h>
#include <linux/if_ether.h>
#include "iptables/nft.h"

View File

@ -1,6 +1,6 @@
--- a/libxtables/xtables.c --- a/libxtables/xtables.c
+++ b/libxtables/xtables.c +++ b/libxtables/xtables.c
@@ -887,12 +887,6 @@ static void xtables_check_options(const @@ -903,12 +903,6 @@ static void xtables_check_options(const
void xtables_register_match(struct xtables_match *me) void xtables_register_match(struct xtables_match *me)
{ {
@ -13,7 +13,7 @@
if (me->version == NULL) { if (me->version == NULL) {
fprintf(stderr, "%s: match %s<%u> is missing a version\n", fprintf(stderr, "%s: match %s<%u> is missing a version\n",
xt_params->program_name, me->name, me->revision); xt_params->program_name, me->name, me->revision);
@@ -1080,12 +1074,6 @@ void xtables_register_matches(struct xta @@ -1096,12 +1090,6 @@ void xtables_register_matches(struct xta
void xtables_register_target(struct xtables_target *me) void xtables_register_target(struct xtables_target *me)
{ {

View File

@ -1,6 +1,6 @@
--- a/iptables/xtables-legacy-multi.c --- a/iptables/xtables-legacy-multi.c
+++ b/iptables/xtables-legacy-multi.c +++ b/iptables/xtables-legacy-multi.c
@@ -31,8 +31,10 @@ static const struct subcommand multi_sub @@ -32,8 +32,10 @@ static const struct subcommand multi_sub
#endif #endif

View File

@ -34,10 +34,10 @@
+pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static}) +pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static})
+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static}) +pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static}) +pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks}) pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod}) pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod})
pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod}) pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod})
@@ -67,13 +87,13 @@ pf6_solibs := $(patsubst %,libip6t_%. @@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_
# #
targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
targets_install := targets_install :=
@ -46,19 +46,21 @@
-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs} -@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs} -@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs} -@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} -@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} -@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files}
+libext_objs := ${pfx_objs} +libext_objs := ${pfx_objs}
+libext_ebt_objs := ${pfb_objs} +libext_ebt_objs := ${pfb_objs}
+libext_arpt_objs := ${pfa_objs} +libext_arpt_objs := ${pfa_objs}
+libext4_objs := ${pf4_objs} +libext4_objs := ${pf4_objs}
+libext6_objs := ${pf6_objs} +libext6_objs := ${pf6_objs}
+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} +targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
+targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}) +targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
+symlinks_install := ${pfx_symlink_files}
.SECONDARY: .SECONDARY:
@@ -141,11 +161,11 @@ libext4.a: initext4.o ${libext4_objs} @@ -148,11 +168,11 @@ libext4.a: initext4.o ${libext4_objs}
libext6.a: initext6.o ${libext6_objs} libext6.a: initext6.o ${libext6_objs}
${AM_VERBOSE_AR} ${AR} crs $@ $^; ${AM_VERBOSE_AR} ${AR} crs $@ $^;

View File

@ -1,6 +1,6 @@
--- a/extensions/GNUmakefile.in --- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in +++ b/extensions/GNUmakefile.in
@@ -85,7 +85,7 @@ pf6_solibs := $(patsubst %,libip6t_%. @@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_
# #
# Building blocks # Building blocks
# #
@ -9,7 +9,7 @@
targets_install := targets_install :=
libext_objs := ${pfx_objs} libext_objs := ${pfx_objs}
libext_ebt_objs := ${pfb_objs} libext_ebt_objs := ${pfb_objs}
@@ -112,7 +112,7 @@ clean: @@ -119,7 +119,7 @@ clean:
distclean: clean distclean: clean
init%.o: init%.c init%.o: init%.c
@ -18,7 +18,7 @@
-include .*.d -include .*.d
@@ -144,22 +144,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn @@ -151,22 +151,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
# handling code in the Makefiles. # handling code in the Makefiles.
# #
lib%.o: ${srcdir}/lib%.c lib%.o: ${srcdir}/lib%.c
@ -54,7 +54,7 @@
initextb_func := $(addprefix ebt_,${pfb_build_static}) initextb_func := $(addprefix ebt_,${pfb_build_static})
--- a/iptables/Makefile.am --- a/iptables/Makefile.am
+++ b/iptables/Makefile.am +++ b/iptables/Makefile.am
@@ -8,7 +8,8 @@ BUILT_SOURCES = @@ -8,19 +8,22 @@ BUILT_SOURCES =
xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c
xtables_legacy_multi_CFLAGS = ${AM_CFLAGS} xtables_legacy_multi_CFLAGS = ${AM_CFLAGS}
@ -64,25 +64,23 @@
if ENABLE_STATIC if ENABLE_STATIC
xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE
endif endif
@@ -16,13 +17,15 @@ if ENABLE_IPV4 if ENABLE_IPV4
xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \ xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
iptables-standalone.c iptables.c
xtables_legacy_multi_CFLAGS += -DENABLE_IPV4 xtables_legacy_multi_CFLAGS += -DENABLE_IPV4
-xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a -xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
+xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la +xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la
+xtables_legacy_multi_LDFLAGS += -liptext4 +xtables_legacy_multi_LDFLAGS += -liptext4
endif endif
if ENABLE_IPV6 if ENABLE_IPV6
xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \ xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
ip6tables-standalone.c ip6tables.c
xtables_legacy_multi_CFLAGS += -DENABLE_IPV6 xtables_legacy_multi_CFLAGS += -DENABLE_IPV6
-xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a -xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
+xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la +xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la
+xtables_legacy_multi_LDFLAGS += -liptext6 +xtables_legacy_multi_LDFLAGS += -liptext6
endif endif
xtables_legacy_multi_SOURCES += xshared.c xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
@@ -32,7 +35,8 @@ if ENABLE_NFTABLES @@ -30,7 +33,8 @@ if ENABLE_NFTABLES
BUILT_SOURCES += xtables-config-parser.h BUILT_SOURCES += xtables-config-parser.h
xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c
xtables_nft_multi_CFLAGS = ${AM_CFLAGS} xtables_nft_multi_CFLAGS = ${AM_CFLAGS}
@ -92,7 +90,7 @@
if ENABLE_STATIC if ENABLE_STATIC
xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE
endif endif
@@ -47,7 +51,8 @@ xtables_nft_multi_SOURCES += xtables-sav @@ -45,7 +49,8 @@ xtables_nft_multi_SOURCES += xtables-sav
xtables-eb-standalone.c xtables-eb.c \ xtables-eb-standalone.c xtables-eb.c \
xtables-eb-translate.c \ xtables-eb-translate.c \
xtables-translate.c xtables-translate.c