iptables: update to 1.8.3
authorDeng Qingfang <dengqf6@mail2.sysu.edu.cn>
Wed, 5 Jun 2019 20:24:44 +0000 (04:24 +0800)
committerHans Dedecker <dedeckeh@gmail.com>
Tue, 2 Jul 2019 19:50:54 +0000 (21:50 +0200)
Update iptables to 1.8.3

ChangeLog:
  https://netfilter.org/projects/iptables/files/changes-iptables-1.8.3.txt

Removed upstream patches:
- 001-extensions_format-security_fixes_in_libip.patch
- 002-include_fix_build_with_kernel_headers_before_4_2.patch
- 003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch

Altered patches:
- 200-configurable_builtin.patch
- 600-shared-libext.patch

No notable size changes

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [lipibtc ABI_VERSION fix]
package/network/utils/iptables/Makefile
package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch [deleted file]
package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch [deleted file]
package/network/utils/iptables/patches/003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch [deleted file]
package/network/utils/iptables/patches/101-remove-check-already.patch
package/network/utils/iptables/patches/103-optional-xml.patch
package/network/utils/iptables/patches/200-configurable_builtin.patch
package/network/utils/iptables/patches/600-shared-libext.patch

index d60e25cdc7ea628cbc8676db252b71d7b1d0efd6..dd761f3443197d51e079544a76b8c85614cf463e 100644 (file)
@@ -9,13 +9,12 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=iptables
-PKG_VERSION:=1.8.2
-PKG_RELEASE:=3
+PKG_VERSION:=1.8.3
+PKG_RELEASE:=1
 
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://git.netfilter.org/iptables
-PKG_SOURCE_VERSION:=bba6bc692b0e6137e13881a1f398c134822e9f83
-PKG_MIRROR_HASH:=23a61d2a23fc0d587029690ef2564625d78fba4b2d90117edaf5b9eaf55bb7f9
+PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_HASH:=a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80
 
 PKG_FIXUP:=autoreconf
 PKG_FLAGS:=nonshared
@@ -37,7 +36,7 @@ define Package/iptables/Default
   SECTION:=net
   CATEGORY:=Network
   SUBMENU:=Firewall
-  URL:=http://netfilter.org/
+  URL:=https://netfilter.org/
 endef
 
 define Package/iptables/Module
@@ -502,7 +501,7 @@ $(call Package/iptables/Default)
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=IPv4 firewall - shared libiptc library
-  ABI_VERSION:=0
+  ABI_VERSION:=2
   DEPENDS:=+libxtables
 endef
 
@@ -511,7 +510,7 @@ $(call Package/iptables/Default)
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=IPv6 firewall - shared libiptc library
-  ABI_VERSION:=0
+  ABI_VERSION:=2
   DEPENDS:=+libxtables
 endef
 
diff --git a/package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch b/package/network/utils/iptables/patches/001-extensions_format-security_fixes_in_libip.patch
deleted file mode 100644 (file)
index 9bd85ec..0000000
+++ /dev/null
@@ -1,52 +0,0 @@
-From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
-Date: Wed, 14 Nov 2018 07:35:28 +0100
-Subject: extensions: format-security fixes in libip[6]t_icmp
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-introduced support for gcc feature to check format string against passed
-argument.  This commit adds missing bits to extenstions's libipt_icmp.c
-and libip6t_icmp6.c that were causing build to fail.
-
-Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
-Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- extensions/libip6t_icmp6.c | 4 ++--
- extensions/libipt_icmp.c   | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
---- a/extensions/libip6t_icmp6.c
-+++ b/extensions/libip6t_icmp6.c
-@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(str
-       type_name = icmp6_type_xlate(icmptype);
-       if (type_name) {
--              xt_xlate_add(xl, type_name);
-+              xt_xlate_add(xl, "%s", type_name);
-       } else {
-               for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
-                       if (icmpv6_codes[i].type == icmptype &&
-@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(str
-                               break;
-               if (i != ARRAY_SIZE(icmpv6_codes))
--                      xt_xlate_add(xl, icmpv6_codes[i].name);
-+                      xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
-               else
-                       return 0;
-       }
---- a/extensions/libipt_icmp.c
-+++ b/extensions/libipt_icmp.c
-@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(str
-                       if (icmp_codes[i].type == icmptype &&
-                           icmp_codes[i].code_min == code_min &&
-                           icmp_codes[i].code_max == code_max) {
--                              xt_xlate_add(xl, icmp_codes[i].name);
-+                              xt_xlate_add(xl, "%s", icmp_codes[i].name);
-                               return 1;
-                       }
-       }
diff --git a/package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch b/package/network/utils/iptables/patches/002-include_fix_build_with_kernel_headers_before_4_2.patch
deleted file mode 100644 (file)
index 13737cf..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Fri, 16 Nov 2018 09:30:33 +0200
-Subject: include: fix build with kernel headers before 4.2
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit 672accf1530 (include: update kernel netfilter header files)
-updated linux/netfilter.h and brought with it the update from kernel
-commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
-from netns headers). This triggers conflict of headers that is fixed in
-kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
-netinet/in.h) included in kernel version 4.2. For earlier kernel headers
-we need a workaround that prevents the headers conflict.
-
-Fixes the following build failure:
-
-In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
-                 from ../include/libiptc/ipt_kernel_headers.h:8,
-                 from ../include/libiptc/libiptc.h:6,
-                 from libip4tc.c:29:
-.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
-   IPPROTO_IP = 0,  /* Dummy protocol for TCP  */
-   ^
-.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
-     IPPROTO_IP = 0,    /* Dummy protocol for TCP.  */
-     ^~~~~~~~~~
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Florian Westphal <fw@strlen.de>
----
- include/linux/netfilter.h | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/include/linux/netfilter.h
-+++ b/include/linux/netfilter.h
-@@ -3,8 +3,10 @@
- #include <linux/types.h>
-+#ifndef _NETINET_IN_H
- #include <linux/in.h>
- #include <linux/in6.h>
-+#endif
- #include <limits.h>
- /* Responses from hook functions. */
diff --git a/package/network/utils/iptables/patches/003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch b/package/network/utils/iptables/patches/003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch
deleted file mode 100644 (file)
index 53e1113..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From 51d374ba41ae4f1bb851228c06b030b83dd2092f Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Tue, 13 Nov 2018 19:22:08 +0200
-Subject: ebtables: vlan: fix userspace/kernel headers collision
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Build with musl libc fails because of conflicting struct ethhdr
-definitions:
-
-In file included from .../sysroot/usr/include/net/ethernet.h:10:0,
-                 from ../iptables/nft-bridge.h:8,
-                 from libebt_vlan.c:18:
-.../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
- struct ethhdr {
-        ^~~~~~
-In file included from libebt_vlan.c:16:0:
-.../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here
- struct ethhdr {
-        ^~~~~~
-
-Include the userspace header first for the definition suppression logic
-to do the right thing.
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- extensions/libebt_vlan.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/extensions/libebt_vlan.c
-+++ b/extensions/libebt_vlan.c
-@@ -12,6 +12,7 @@
- #include <getopt.h>
- #include <ctype.h>
- #include <xtables.h>
-+#include <netinet/if_ether.h>
- #include <linux/netfilter_bridge/ebt_vlan.h>
- #include <linux/if_ether.h>
- #include "iptables/nft.h"
index f8d1bf44b6e8b8f103a7d92e596c45c3cfb463b0..98e825f01685d822c24e0d4474a0ad0e2535a896 100644 (file)
@@ -1,6 +1,6 @@
 --- a/libxtables/xtables.c
 +++ b/libxtables/xtables.c
-@@ -887,12 +887,6 @@ static void xtables_check_options(const
+@@ -903,12 +903,6 @@ static void xtables_check_options(const
  
  void xtables_register_match(struct xtables_match *me)
  {
@@ -13,7 +13,7 @@
        if (me->version == NULL) {
                fprintf(stderr, "%s: match %s<%u> is missing a version\n",
                        xt_params->program_name, me->name, me->revision);
-@@ -1080,12 +1074,6 @@ void xtables_register_matches(struct xta
+@@ -1096,12 +1090,6 @@ void xtables_register_matches(struct xta
  
  void xtables_register_target(struct xtables_target *me)
  {
index 2396037fdd4a96c9f5605cf2a1817b6a4e7ac918..342808a3959132b8301a5ac3aea794e908e10d91 100644 (file)
@@ -1,6 +1,6 @@
 --- a/iptables/xtables-legacy-multi.c
 +++ b/iptables/xtables-legacy-multi.c
-@@ -31,8 +31,10 @@ static const struct subcommand multi_sub
+@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
  
  
  #endif
index 9c53c2bfed287bbb12db20fb05d8ada190247c3d..5788a829b0676c8151c401f8ecb558a3b83b1c41 100644 (file)
 +pfa_objs      := $(patsubst %,libarpt_%.o,${pfa_build_static})
 +pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
 +pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
- pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
  pfb_solibs    := $(patsubst %,libebt_%.so,${pfb_build_mod})
  pfa_solibs    := $(patsubst %,libarpt_%.so,${pfa_build_mod})
-@@ -67,13 +87,13 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_
  #
  targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
  targets_install :=
 -@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
 -@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
 -@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
--@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
 -@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
+-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files}
 +libext_objs := ${pfx_objs}
 +libext_ebt_objs := ${pfb_objs}
 +libext_arpt_objs := ${pfa_objs}
 +libext4_objs := ${pf4_objs}
 +libext6_objs := ${pf6_objs}
-+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
++targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
 +targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
++symlinks_install := ${pfx_symlink_files}
  
  .SECONDARY:
  
-@@ -141,11 +161,11 @@ libext4.a: initext4.o ${libext4_objs}
+@@ -148,11 +168,11 @@ libext4.a: initext4.o ${libext4_objs}
  libext6.a: initext6.o ${libext6_objs}
        ${AM_VERBOSE_AR} ${AR} crs $@ $^;
  
index e88c288be609a870696b72c0a6e6a87b155c791d..f5c9c9d7799a8aa3f185dc4f32182d9c4f3c8ea9 100644 (file)
@@ -1,6 +1,6 @@
 --- a/extensions/GNUmakefile.in
 +++ b/extensions/GNUmakefile.in
-@@ -85,7 +85,7 @@ pf6_solibs    := $(patsubst %,libip6t_%.
+@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_
  #
  # Building blocks
  #
@@ -9,7 +9,7 @@
  targets_install :=
  libext_objs := ${pfx_objs}
  libext_ebt_objs := ${pfb_objs}
-@@ -112,7 +112,7 @@ clean:
+@@ -119,7 +119,7 @@ clean:
  distclean: clean
  
  init%.o: init%.c
@@ -18,7 +18,7 @@
  
  -include .*.d
  
-@@ -144,22 +144,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
+@@ -151,22 +151,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
  #     handling code in the Makefiles.
  #
  lib%.o: ${srcdir}/lib%.c
@@ -54,7 +54,7 @@
  initextb_func := $(addprefix ebt_,${pfb_build_static})
 --- a/iptables/Makefile.am
 +++ b/iptables/Makefile.am
-@@ -8,7 +8,8 @@ BUILT_SOURCES =
+@@ -8,19 +8,22 @@ BUILT_SOURCES =
  
  xtables_legacy_multi_SOURCES  = xtables-legacy-multi.c iptables-xml.c
  xtables_legacy_multi_CFLAGS   = ${AM_CFLAGS}
  if ENABLE_STATIC
  xtables_legacy_multi_CFLAGS  += -DALL_INCLUSIVE
  endif
-@@ -16,13 +17,15 @@ if ENABLE_IPV4
- xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \
-                          iptables-standalone.c iptables.c
+ if ENABLE_IPV4
+ xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
  xtables_legacy_multi_CFLAGS  += -DENABLE_IPV4
 -xtables_legacy_multi_LDADD   += ../libiptc/libip4tc.la ../extensions/libext4.a
 +xtables_legacy_multi_LDADD   += ../libiptc/libip4tc.la
 +xtables_legacy_multi_LDFLAGS += -liptext4
  endif
  if ENABLE_IPV6
- xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
-                           ip6tables-standalone.c ip6tables.c
+ xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
  xtables_legacy_multi_CFLAGS  += -DENABLE_IPV6
 -xtables_legacy_multi_LDADD   += ../libiptc/libip6tc.la ../extensions/libext6.a
 +xtables_legacy_multi_LDADD   += ../libiptc/libip6tc.la
 +xtables_legacy_multi_LDFLAGS += -liptext6
  endif
- xtables_legacy_multi_SOURCES += xshared.c
+ xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
  xtables_legacy_multi_LDADD   += ../libxtables/libxtables.la -lm
-@@ -32,7 +35,8 @@ if ENABLE_NFTABLES
+@@ -30,7 +33,8 @@ if ENABLE_NFTABLES
  BUILT_SOURCES += xtables-config-parser.h
  xtables_nft_multi_SOURCES  = xtables-nft-multi.c iptables-xml.c
  xtables_nft_multi_CFLAGS   = ${AM_CFLAGS}
@@ -92,7 +90,7 @@
  if ENABLE_STATIC
  xtables_nft_multi_CFLAGS  += -DALL_INCLUSIVE
  endif
-@@ -47,7 +51,8 @@ xtables_nft_multi_SOURCES += xtables-sav
+@@ -45,7 +49,8 @@ xtables_nft_multi_SOURCES += xtables-sav
                                xtables-eb-standalone.c xtables-eb.c \
                                xtables-eb-translate.c \
                                xtables-translate.c