diff --git a/.gitignore b/.gitignore
index 19cdd5b..3a4afb2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ ebtables-v2.0.9-2.tar.gz
 /ebtables-v2.0.10-1.tar.gz
 /ebtables-v2.0.10-2.tar.gz
 /ebtables-v2.0.10-4.tar.gz
+/ebtables-2.0.11.tar.bz2
diff --git a/0040-Fix-segfault-with-missing-lockfile-directory.patch b/0040-Fix-segfault-with-missing-lockfile-directory.patch
new file mode 100644
index 0000000..084b879
--- /dev/null
+++ b/0040-Fix-segfault-with-missing-lockfile-directory.patch
@@ -0,0 +1,40 @@
+From 97a7193e1838da9ab9631d07f6b3cedf63a5995d Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 9 Apr 2019 14:21:25 +0200
+Subject: [PATCH] Fix segfault with missing lockfile directory
+
+Apparently, dirname() modifies the buffer passed to it. Given a
+read-only location, this leads to a segfault. Use a buffer initialized
+(and tailored) to the content of LOCKFILE macro at compile-time instead.
+
+Fixes: f45756c1ca3b5 ("Allow customizing lockfile location at configure time")
+Signed-off-by: Phil Sutter
+Signed-off-by: Florian Westphal
+(cherry picked from commit c9348e18f3cdd52a7cb1586e03a55cefac08d849)
+Signed-off-by: Phil Sutter
+---
+ libebtc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libebtc.c b/libebtc.c
+index f2a2b500ea751..2a9ab87ac99c0 100644
+--- a/libebtc.c
++++ b/libebtc.c
+@@ -140,12 +140,13 @@ int use_lockfd;
+ * or -2 on any other error. */
+ static int lock_file()
+ {
++ char pathbuf[] = LOCKFILE;
+ int fd, try = 0;
+
+ retry:
+ fd = open(LOCKFILE, O_CREAT, 00600);
+ if (fd < 0) {
+- if (try == 1 || mkdir(dirname(LOCKFILE), 00700))
++ if (try == 1 || mkdir(dirname(pathbuf), 00700))
+ return -2;
+ try = 1;
+ goto retry;
+--
+2.21.0
+
diff --git a/ebtables-config b/ebtables-config
deleted file mode 100644
index 69d9289..0000000
--- a/ebtables-config
+++ /dev/null
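Review bot: The added `char pathbuf[] = LOCKFILE;` in lock_file() has no comment saying why a copy is needed, so a later cleanup could fold it back into `dirname(LOCKFILE)` and bring back the write into a string literal. I would put `/* dirname() may modify its argument: hand it a writable copy, never the LOCKFILE literal */` above the declaration. The retry branch also runs mkdir() after any open() failure rather than only a missing directory; guarding it with `errno == ENOENT` (assuming errno.h is available in libebtc.c) would keep an unrelated failure such as EACCES from taking the directory-creation path. lock_file() continues below the last line of this hunk, so what happens to the descriptor after a successful open() is not visible here.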
@@ -1,11 +0,0 @@
-# Save current firewall rules on stop.
-# Value: yes|no, default: no
-# Saves all firewall rules if firewall gets stopped
-# (e.g. on system shutdown).
-EBTABLES_SAVE_ON_STOP="no"
-
-# Save (and restore) rule counters.
-# Value: yes|no, default: no
-# Save rule counters when saving a kernel table to a file. If the
-# rule counters were saved, they will be restored when restoring the table.
-EBTABLES_SAVE_COUNTER="no"
diff --git a/ebtables-helper b/ebtables-helper
deleted file mode 100644
index 0f5bba9..0000000
--- a/ebtables-helper
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/bash
-
-# Source function library.
-. /etc/init.d/functions
-
-# internal variables
-EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
-EBTABLES_DATA=/etc/sysconfig/ebtables
-EBTABLES_TABLES="filter nat"
-if ebtables --version | grep -q '(legacy)'; then
- EBTABLES_TABLES+=" broute"
-fi
-VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
-
-# ebtables-config defaults
-EBTABLES_SAVE_ON_STOP="no"
-EBTABLES_SAVE_ON_RESTART="no"
-EBTABLES_SAVE_COUNTER="no"
-
-# load config if existing
-[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
-
-initialize() {
- local ret=0
- for table in $EBTABLES_TABLES; do
- ebtables -t $table --init-table || ret=1
- done
- return $ret
-}
-
-sanitize_dump() {
- local drop=false
-
- export EBTABLES_TABLES
-
- cat $1 | while read line; do
- case $line in
- \**)
- drop=false
- local table="${line#\*}"
- local found=false
- for t in $EBTABLES_TABLES; do
- if [[ $t == $table ]]; then
- found=true
- break
- fi
- done
- $found || drop=true
- ;;
- esac
- $drop || echo "$line"
- done
-}
-
-start() {
- if [ -f $EBTABLES_DATA ]; then
- echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
- sanitize_dump $EBTABLES_DATA | ebtables-restore
- else
- echo -n $"ebtables: no stored ruleset, initializing empty tables: "
- initialize
- fi
- local ret=$?
- touch $VAR_SUBSYS_EBTABLES
- return $ret
-}
-
-save() {
- echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
- export EBTABLES_SAVE_COUNTER
- ebtables-save >$EBTABLES_DATA && success || failure
-}
-
-case $1 in
- start)
- [ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
- start && success || failure
- RETVAL=$?
- ;;
- stop)
- [ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
- action "ebtables: stopping firewall" initialize
- RETVAL=$?
- rm -f $VAR_SUBSYS_EBTABLES
- ;;
- save)
- save
- ;;
- *)
- echo "usage: ${0##*/} {start|stop|save}" >&2
- RETVAL=2
- ;;
-esac
-
-exit $RETVAL
diff --git a/ebtables.service b/ebtables.service
deleted file mode 100644
index b096f1d..0000000
--- a/ebtables.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Ethernet Bridge Filtering tables
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/libexec/ebtables-helper start
-ExecStop=/usr/libexec/ebtables-helper stop
-
-[Install]
-WantedBy=multi-user.target
diff --git a/ebtables.spec b/ebtables.spec
index 967eac5..87b84e2 100644
--- a/ebtables.spec
+++ b/ebtables.spec
@@ -1,65 +1,21 @@ -%global ebminor 4 %undefine _ld_as_needed Name: ebtables -Version: 2.0.10 -Release: 35%{?dist} +Version: 2.0.11 +Release: 21%{?dist} Summary: Ethernet Bridge frame table administration tool -License: GPLv2+ +# Automatically converted from old format: GPLv2+ - review is highly recommended. +License: GPL-2.0-or-later URL: http://ebtables.sourceforge.net/ -Source0: http://downloads.sourceforge.net/ebtables/ebtables-v%{version}-%{ebminor}.tar.gz +Source0: ftp://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.bz2 Source1: ebtables-legacy-save -Source2: ebtables-helper -Source3: ebtables.service -Source4: ebtables-config -Patch1: 0001-add-RARP-and-update-iana-url.patch -Patch2: 0002-fix-compilation-warning.patch -Patch3: 0003-add-info-about-Wl-no-as-needed.patch -Patch4: 0004-workaround-for-kernel-regression-bug-IPv6-source-des.patch -Patch5: 0005-Add-noflush-command-line-support-for-ebtables-restor.patch -Patch6: 0006-don-t-print-IPv6-mask-if-it-s-all-ones-based-on-patc.patch -Patch7: 0007-Add-kernel-headers-needed-from-v3.16.patch -Patch8: 0008-extensions-Use-stdint-types.patch -Patch9: 0009-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch -Patch10: 0010-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch -Patch11: 0011-ebtables-extensions-Constify-option-struct.patch -Patch12: 0012-Use-flock-for-concurrent-option.patch -Patch13: 0013-Fix-locking-if-LOCKDIR-does-not-exist.patch -Patch14: 0014-include-sync-linux-netfilter_bridge-ebt_ip.h-with-ke.patch -Patch15: 0015-Move-ICMP-type-handling-functions-from-ebt_ip6-to-us.patch -Patch16: 0016-ebt_ip-add-support-for-matching-ICMP-type-and-code.patch -Patch17: 0017-ebt_ip-add-support-for-matching-IGMP-type.patch -Patch18: 0018-extensions-Add-string-filter-to-ebtables.patch -Patch19: 0019-include-Fix-musl-libc-compatibility.patch -Patch20: 0020-ebtables-Fix-build-errors-and-warnings.patch -Patch21: 0021-build-update-ebtables.h-from-kernel-and-drop-local-u.patch -Patch22: 
0022-extensions-fix-build-failure-on-fc28.patch -Patch23: 0023-extensions-ebt_string-take-action-if-snprintf-discar.patch -Patch24: 0024-build-drop-install-o-g-root.patch -Patch25: 0025-build-rename-sed-source-files-to-.in.patch -Patch26: 0026-build-use-autoconf-style-placeholders-in-sed-ed-file.patch -Patch27: 0027-extensions-use-__attribute__-constructor-for-autoreg.patch -Patch28: 0028-Add-.gitignore.patch -Patch29: 0029-build-move-to-automake.patch -Patch30: 0030-ebtablesd-avoid-build-warning.patch -Patch31: 0031-extensions-among-Fix-bitmask-check.patch -Patch32: 0032-ebtables-legacy-renaming.patch -Patch33: 0033-ebtables-drop-.spec-file.patch -Patch34: 0034-ebtables-drop-sysvinit-script.patch -Patch35: 0035-Print-IPv6-prefixes-in-CIDR-notation.patch -Patch36: 0036-Adjust-.gitignore-to-renamed-files.patch -Patch37: 0037-extensions-Drop-Makefile.patch -Patch38: 0038-Allow-customizing-lockfile-location-at-configure-tim.patch -Patch39: 0039-extensions-Add-AUDIT-target.patch - -BuildRequires: autogen BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: gcc -BuildRequires: systemd +BuildRequires: make %description Ethernet bridge tables is a firewalling tool to transparently filter network 
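Review bot: The new `Source0: ftp://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.bz2` fetches the tarball over unauthenticated FTP, so the only integrity check visible in this commit is the SHA512 entry in `sources`. If upstream serves the same file over HTTPS the URL should use it, and if a detached signature is published it is worth carrying it as an additional Source with a verification step in %prep. A one-line comment above Source0 saying how the tarball was verified at import would also help whoever bumps the version next.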
@@ -74,10 +30,19 @@ like iptables. There are no known incompatibility issues. %package legacy Summary: Legacy user space tool to configure bridge netfilter rules in kernel -Requires(post): %{_sbindir}/update-alternatives -Requires(postun): %{_sbindir}/update-alternatives +Requires(post): /usr/sbin/update-alternatives +Requires(post): %{_bindir}/readlink +Requires(postun): /usr/sbin/update-alternatives Conflicts: setup < 2.10.4-1 +%if 0%{?rhel} >= 9 +# RHEL-9 provides ebtables via iptables-nft, but doesn't support ebtables +# alternatives. As such avoid the Provides here so iptables-nft is chosen, not +# ebtables-legacy. +%else Provides: ebtables +%endif + +%sbin_merge_compat %{_prefix}/sbin/ebtables %description legacy Ethernet bridge tables is a firewalling tool to transparently filter network 
@@ -93,31 +58,10 @@ like iptables. There are no known incompatibility issues. Note that it is considered legacy upstream since nftables provides the same functionality in a much newer code-base. To aid in migration, there is ebtables-nft utility, a drop-in replacement for the legacy one which uses -nftables internally. It is provided by iptables-ebtables package. - -%package services -Summary: ebtables systemd services -%{?systemd_ordering} - -%description services -ebtables systemd services - -This package provides the systemd ebtables service that has been split -out of the base package for better integration with alternatives. - -%package compat -Summary: Transitioning helper package for services sub-package split -Obsoletes: ebtables < 2.0.10-32 -Requires: ebtables-legacy = %{version}-%{release} -Requires: ebtables-services = %{version}-%{release} - -%description compat -This package only exists to help transition ebtables users to the -new package split. It will be removed after one distribution release -cycle, please do not reference it or depend on it in any way. +nftables internally. It is provided by iptables-nft package. %prep -%autosetup -p1 -n ebtables-v%{version}-%{ebminor} +%autosetup -p1 -n ebtables-%{version} # Convert to UTF-8 f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f @@ -128,10 +72,6 @@ f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f %install %make_install -install -D -m 644 %{SOURCE3} %{buildroot}%{_unitdir}/ebtables.service -install -D -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables-helper -install -D -m 600 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config -touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables # install ebtables-legacy-save bash script install -m 755 %{SOURCE1} %{buildroot}%{_sbindir}/ebtables-legacy-save 
@@ -145,14 +85,8 @@ rm -f %{buildroot}%{_sysconfdir}/ethertypes # Drop these binaries (for now at least) rm %{buildroot}/%{_sbindir}/ebtables{d,u} -# Prepare for Alternatives system -touch %{buildroot}%{_sbindir}/ebtables -touch %{buildroot}%{_sbindir}/ebtables-save -touch %{buildroot}%{_sbindir}/ebtables-restore -touch %{buildroot}%{_mandir}/man8/ebtables.8 - %post legacy -pfx=%{_sbindir}/ebtables +pfx=%{_prefix}/sbin/ebtables manpfx=%{_mandir}/man8/ebtables for sfx in "" "-restore" "-save"; do if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then @@ -162,7 +96,9 @@ done if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then rm -f $manpfx.8.gz fi -%{_sbindir}/update-alternatives --install \ +# drop the extra entry linking to /usr/bin which previous version installed +update-alternatives --remove ebtables /usr/bin/ebtables-legacy 2>/dev/null +update-alternatives --install \ $pfx ebtables $pfx-legacy 10 \ --slave $pfx-save ebtables-save $pfx-legacy-save \ --slave $pfx-restore ebtables-restore $pfx-legacy-restore \ 
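Review bot: %post legacy now calls `update-alternatives` by bare name, on both the new `--remove` line and the `--install` line, while `Requires(post)` names `/usr/sbin/update-alternatives` and %postun in the next hunk still invokes `%{_sbindir}/update-alternatives`; %triggerpostun there is switched to the bare name as well. Scriptlets run as root, so which binary runs should not depend on the scriptlet's PATH, and the three scriptlets should at least agree. If the bare name is deliberate for the bin-sbin merge, a comment such as `# bare name: install location differs before/after the bin-sbin merge` would record that, and %postun should follow the same form. The added `2>/dev/null` on the `--remove` line is reasonable for the expected "not registered" case but also hides any other error text.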
@@ -171,51 +107,110 @@ fi %postun legacy if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove \ - ebtables %{_sbindir}/ebtables-legacy + ebtables %{_prefix}/sbin/ebtables-legacy fi -# When upgrading ebtables to ebtables-{legacy,services,compat}, +# When upgrading ebtables to ebtables-{legacy,services}, # postun in ebtables thinks it is uninstalled and removes alternatives. # Counter this with a trigger here to have it installed again. %triggerpostun legacy -- ebtables -pfx=%{_sbindir}/ebtables +pfx=%{_prefix}/sbin/ebtables manpfx=%{_mandir}/man8/ebtables -%{_sbindir}/update-alternatives --install \ +update-alternatives --install \ $pfx ebtables $pfx-legacy 10 \ --slave $pfx-save ebtables-save $pfx-legacy-save \ --slave $pfx-restore ebtables-restore $pfx-legacy-restore \ --slave $manpfx.8.gz ebtables-man $manpfx-legacy.8.gz -%post services -%systemd_post ebtables.service - -%preun services -%systemd_preun ebtables.service - -%postun services -%systemd_postun ebtables.service - %files legacy %license COPYING %doc ChangeLog THANKS %{_sbindir}/ebtables-legacy* %{_mandir}/*/ebtables-legacy* %{_libdir}/libebtc.so* -%ghost %{_sbindir}/ebtables -%ghost %{_sbindir}/ebtables-save -%ghost %{_sbindir}/ebtables-restore -%ghost %{_mandir}/man8/ebtables.8.gz - -%files services -%{_unitdir}/ebtables.service -%{_libexecdir}/ebtables-helper -%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config -%ghost %{_sysconfdir}/sysconfig/ebtables - -%files compat +%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables +%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables-save +%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables-restore +%ghost %attr(0644,root,root) %{_mandir}/man8/ebtables.8.gz %changelog +* Wed Jul 23 2025 Fedora Release Engineering - 2.0.11-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Thu Apr 03 2025 Phil Sutter - 2.0.11-20 +- Drop ebtables-services package +- Add fixes/hooks for bin-sbin merge, analogous to iptables.spec + 
+* Thu Jan 16 2025 Fedora Release Engineering - 2.0.11-19 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Thu Jul 25 2024 Miroslav Suchý - 2.0.11-18 +- convert license to SPDX + +* Wed Jul 17 2024 Fedora Release Engineering - 2.0.11-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Wed Jan 24 2024 Fedora Release Engineering - 2.0.11-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 2.0.11-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Jul 19 2023 Fedora Release Engineering - 2.0.11-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 2.0.11-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Jul 21 2022 Fedora Release Engineering - 2.0.11-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 2.0.11-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jul 21 2021 Fedora Release Engineering - 2.0.11-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Eric Garver - 2.0.11-9 +- avoid Provides: ebtables for newer RHEL/ELN builds + +* Tue Jan 26 2021 Fedora Release Engineering - 2.0.11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Nov 5 2020 Florian Weimer - 2.0.11-7 +- Remove build dependency on autogen + +* Mon Jul 27 2020 Fedora Release Engineering - 2.0.11-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jan 28 2020 Fedora Release Engineering - 2.0.11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jan 22 2020 Tom Callaway - 2.0.11-4 +- add Requires(post): %%{_bindir}/readlink (bz1792805) + +* Mon Dec 16 2019 Phil Sutter - 2.0.11-3 +- Fix nft-variant reference in package description + 
+* Mon Dec 16 2019 Phil Sutter - 2.0.11-2 +- Eliminate implicit dependency on initscripts package + +* Mon Dec 2 2019 Tom Callaway - 2.0.11-1 +- update to 2.0.11 (all of Phil's awesome patches merged) + +* Wed Oct 30 2019 Phil Sutter - 2.0.10-39 +- Make services sub-package obsolete compat to fix upgrade path + +* Tue Oct 22 2019 Phil Sutter - 2.0.10-38 +- Drop compat sub-package again + +* Wed Jul 24 2019 Fedora Release Engineering - 2.0.10-37 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Jun 26 2019 Phil Sutter - 2.0.10-36 +- Fix segfault with non-existing lock directory + * Wed Apr 24 2019 Phil Sutter - 2.0.10-35 - Workaround missing broute table support in ebtables-nft diff --git a/sources b/sources index c5a6b45..a7bc584 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -506742a3d44b9925955425a659c1a8d0 ebtables-v2.0.10-4.tar.gz +SHA512 (ebtables-2.0.11.tar.bz2) = 43a04c6174c8028c501591ef260526297e0f018016f226e2a3bcf80766fddf53d4605c347554d6da7c4ab5e2131584a18da20916ffddcbf2d26ac93b00c5777f