Hello community,

here is the log from the commit of package iptables for openSUSE:Factory 
checked in at 2026-02-23 09:21:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/iptables (Old)
 and      /work/SRC/openSUSE:Factory/.iptables.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "iptables"

Mon Feb 23 09:21:01 2026 rev:89 rq: version:1.8.11

Changes:
--------
--- /work/SRC/openSUSE:Factory/iptables/iptables.changes        2026-02-21 
21:02:40.926664648 +0100
+++ /work/SRC/openSUSE:Factory/.iptables.new.1977/iptables.changes      
2026-02-23 09:21:02.180751368 +0100
@@ -2,18 +1,0 @@
-Fri Feb 20 12:48:25 UTC 2026 - Jan Engelhardt <[email protected]>
-
-- Update to release 1.8.12
-  * Fix null dereference parsing bitwise operations.
-  * Refuse to run under file capabilities, i.e. getauxval(AT_SECURE).
-  * Fix for all-zero mask on big endian in arptables-nft.
-  * Support adding and replacing a rule in the same batch in
-    iptables-nft.
-  * Print -X in xtables-monitor command for base chains.
-  * Remove incorrect libebt_redirect translations.
-  * Translate bare `-m sctp` match to `-p sctp` just like
-   TCP and UDP.
-  * Support for `info-request` and `info-reply` ICMP types.
-  * Fix interface comparisons in `-C` commands in iptables-nft.
-  * Document flush behaviour with --noflush for user-defined chains.
-- Delete iptables-nft-fix-interface-comparisons.patch (merged)
-
--------------------------------------------------------------------

Old:
----
  iptables-1.8.12.tar.xz
  iptables-1.8.12.tar.xz.sig

New:
----
  iptables-1.8.11.tar.xz
  iptables-1.8.11.tar.xz.sig
  iptables-nft-fix-interface-comparisons.patch

----------(New B)----------
  New:
- Add iptables-nft-fix-interface-comparisons.patch
  * fix '-C' commands for nft backend (bsc#1233690)
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ iptables.spec ++++++
--- /var/tmp/diff_new_pack.D7jCko/_old  2026-02-23 09:21:02.700772658 +0100
+++ /var/tmp/diff_new_pack.D7jCko/_new  2026-02-23 09:21:02.704772823 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package iptables
 #
-# Copyright (c) 2026 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@
 %endif
 
 Name:           iptables
-Version:        1.8.12
+Version:        1.8.11
 Release:        0
 Summary:        IP packet filter administration utilities
 License:        Artistic-2.0 AND GPL-2.0-only
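Review bot: Version moves from 1.8.12 back to 1.8.11, but the iptables.changes diff at the top of this page only removes the 1.8.12 entry and adds nothing that records why the package is being downgraded. The removed entry lists fixes that this revert gives up, among them the null dereference when parsing bitwise operations and the refusal to run under file capabilities, so the reason for going back should be stated in iptables.changes. Re-adding iptables-nft-fix-interface-comparisons.patch as Patch4 in the next hunk is consistent with the downgrade, since the removed entry says that patch was merged upstream in 1.8.12.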
@@ -43,6 +43,8 @@
 Patch1:         iptables-batch.patch
 Patch2:         iptables-batch-lock.patch
 Patch3:         iptables-1.8.2-dont_read_garbage.patch
+Patch4:         iptables-nft-fix-interface-comparisons.patch
+
 BuildRequires:  bison
 BuildRequires:  fdupes
 BuildRequires:  flex >= 2.5.33

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.D7jCko/_old  2026-02-23 09:21:02.736774132 +0100
+++ /var/tmp/diff_new_pack.D7jCko/_new  2026-02-23 09:21:02.740774297 +0100
@@ -1,5 +1,5 @@
-mtime: 1771591892
-commit: f94a6d2fdc0329e59753b3be9556f9f552f52bd1e05b21c4d14ac27760c68ba7
+mtime: 1746233205
+commit: 79d271cfa81d82914652e93b9056b0eff9b8b3cd95e8cbaaa1721eeed76badbb
 url: https://src.opensuse.org/jengelh/iptables
 revision: master
 

++++++ build.specials.obscpio ++++++

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2025-05-03 02:47:52.000000000 +0200
@@ -0,0 +1 @@
+.osc

++++++ iptables-1.8.12.tar.xz -> iptables-1.8.11.tar.xz ++++++
++++ 14295 lines of diff (skipped)

++++++ iptables-nft-fix-interface-comparisons.patch ++++++
 From 40406dbfaefbc204134452b2747bae4f6a122848 Mon Sep 17 00:00:00 2001
From: Jeremy Sowden <[email protected]>
Date: Mon, 18 Nov 2024 13:56:50 +0000
Subject: nft: fix interface comparisons in `-C` commands

Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
kernel") removed code which explicitly set interface masks to all ones.  The
result of this is that they are zero.  However, they are used to mask interfaces
in `is_same_interfaces`.  Consequently, the masked values are always zero, the
comparisons are always true, and check commands which ought to fail succeed:

  # iptables -N test
  # iptables -A test -i lo \! -o lo -j REJECT
  # iptables -v -L test
  Chain test (0 references)
   pkts bytes target     prot opt in     out     source               
destination
      0     0 REJECT     all  --  lo     !lo     anywhere             anywhere  
           reject-with icmp-port-unreachable
  # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
  REJECT  all opt -- in lo out !lo  0.0.0.0/0  -> 0.0.0.0/0   reject-with 
icmp-port-unreachable

Remove the mask parameters from `is_same_interfaces`.  Add a test-case.

Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from 
kernel")
Signed-off-by: Jeremy Sowden <[email protected]>
Signed-off-by: Phil Sutter <[email protected]>
---
 iptables/nft-arp.c                                 | 10 ++----
 iptables/nft-ipv4.c                                |  4 +--
 iptables/nft-ipv6.c                                |  6 +---
 iptables/nft-shared.c                              | 36 +++++-----------------
 iptables/nft-shared.h                              |  6 +---
 .../testcases/nft-only/0020-compare-interfaces_0   |  9 ++++++
 6 files changed, 22 insertions(+), 49 deletions(-)
 create mode 100755 
iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 264864c3..c11d64c3 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -385,14 +385,8 @@ static bool nft_arp_is_same(const struct 
iptables_command_state *cs_a,
                return false;
        }
 
-       return is_same_interfaces(a->arp.iniface,
-                                 a->arp.outiface,
-                                 (unsigned char *)a->arp.iniface_mask,
-                                 (unsigned char *)a->arp.outiface_mask,
-                                 b->arp.iniface,
-                                 b->arp.outiface,
-                                 (unsigned char *)b->arp.iniface_mask,
-                                 (unsigned char *)b->arp.outiface_mask);
+       return is_same_interfaces(a->arp.iniface, a->arp.outiface,
+                                 b->arp.iniface, b->arp.outiface);
 }
 
 static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 74092875..0c8bd291 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -113,9 +113,7 @@ static bool nft_ipv4_is_same(const struct 
iptables_command_state *a,
        }
 
        return is_same_interfaces(a->fw.ip.iniface, a->fw.ip.outiface,
-                                 a->fw.ip.iniface_mask, a->fw.ip.outiface_mask,
-                                 b->fw.ip.iniface, b->fw.ip.outiface,
-                                 b->fw.ip.iniface_mask, 
b->fw.ip.outiface_mask);
+                                 b->fw.ip.iniface, b->fw.ip.outiface);
 }
 
 static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index b184f8af..4dbb2af2 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -99,11 +99,7 @@ static bool nft_ipv6_is_same(const struct 
iptables_command_state *a,
        }
 
        return is_same_interfaces(a->fw6.ipv6.iniface, a->fw6.ipv6.outiface,
-                                 a->fw6.ipv6.iniface_mask,
-                                 a->fw6.ipv6.outiface_mask,
-                                 b->fw6.ipv6.iniface, b->fw6.ipv6.outiface,
-                                 b->fw6.ipv6.iniface_mask,
-                                 b->fw6.ipv6.outiface_mask);
+                                 b->fw6.ipv6.iniface, b->fw6.ipv6.outiface);
 }
 
 static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 6775578b..2c29e68f 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -220,36 +220,16 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule 
*r,
 }
 
 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
-                       unsigned const char *a_iniface_mask,
-                       unsigned const char *a_outiface_mask,
-                       const char *b_iniface, const char *b_outiface,
-                       unsigned const char *b_iniface_mask,
-                       unsigned const char *b_outiface_mask)
+                       const char *b_iniface, const char *b_outiface)
 {
-       int i;
-
-       for (i = 0; i < IFNAMSIZ; i++) {
-               if (a_iniface_mask[i] != b_iniface_mask[i]) {
-                       DEBUGP("different iniface mask %x, %x (%d)\n",
-                       a_iniface_mask[i] & 0xff, b_iniface_mask[i] & 0xff, i);
-                       return false;
-               }
-               if ((a_iniface[i] & a_iniface_mask[i])
-                   != (b_iniface[i] & b_iniface_mask[i])) {
-                       DEBUGP("different iniface\n");
-                       return false;
-               }
-               if (a_outiface_mask[i] != b_outiface_mask[i]) {
-                       DEBUGP("different outiface mask\n");
-                       return false;
-               }
-               if ((a_outiface[i] & a_outiface_mask[i])
-                   != (b_outiface[i] & b_outiface_mask[i])) {
-                       DEBUGP("different outiface\n");
-                       return false;
-               }
+       if (strncmp(a_iniface, b_iniface, IFNAMSIZ)) {
+               DEBUGP("different iniface\n");
+               return false;
+       }
+       if (strncmp(a_outiface, b_outiface, IFNAMSIZ)) {
+               DEBUGP("different outiface\n");
+               return false;
        }
-
        return true;
 }
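Review bot: The rewritten `is_same_interfaces` carries no comment recording why the mask parameters were removed, so a later reader of the slimmed declaration in the nft-shared.h hunk may reintroduce them; propose a header comment above the definition: `/* Compare interface names only: rules parsed from the kernel leave the iniface/outiface masks unset since 9ccae6397475, so the masks must not take part in the comparison. */`. The `strncmp(..., IFNAMSIZ)` bound also assumes both name buffers are at least IFNAMSIZ bytes, which appears to hold for the callers in this patch (they pass the fixed-size iniface/outiface fields) but is not stated at the declaration; a sentence on that in the same comment would make the contract explicit. The function is fully contained in this hunk.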
 
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 51d1e460..b57aee1f 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -105,11 +105,7 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule 
*r, uint8_t proto, uint
 void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
 
 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
-                       unsigned const char *a_iniface_mask,
-                       unsigned const char *a_outiface_mask,
-                       const char *b_iniface, const char *b_outiface,
-                       unsigned const char *b_iniface_mask,
-                       unsigned const char *b_outiface_mask);
+                       const char *b_iniface, const char *b_outiface);
 
 void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t 
*op);
 void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
diff --git a/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 
b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
new file mode 100755
index 00000000..278cd648
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+$XT_MULTI iptables -N test
+$XT_MULTI iptables -A test -i lo \! -o lo -j REJECT
+$XT_MULTI iptables -C test -i abcdefgh \! -o abcdefgh -j REJECT 2>/dev/null && 
exit 1
+
+exit 0
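Review bot: The test only asserts the negative case, that `-C` with non-matching interfaces fails, so a regression in which `-C` rejects every rule would still pass; add the positive check before it: `$XT_MULTI iptables -C test -i lo \! -o lo -j REJECT || exit 1`. The `-N` and `-A` setup commands are also unchecked, and if `-A` fails the following `-C ... && exit 1` cannot fire and the script exits 0, reporting a pass for a broken setup; appending `|| exit 1` to both keeps that from happening.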
-- 
cgit v1.2.3
 
