ebtables-2.0.10-36

- Fix segfault with non-existing lock directory
2019-06-26 14:15:01 +02:00
6 changed files with 231 additions and 106 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,4 +2,3 @@ ebtables-v2.0.9-2.tar.gz
 /ebtables-v2.0.10-1.tar.gz
 /ebtables-v2.0.10-2.tar.gz
 /ebtables-v2.0.10-4.tar.gz
-/ebtables-2.0.11.tar.bz2
--- a/11
+++ b/11
@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule counters.
+#   Value: yes|no,  default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"
--- a/95
+++ b/95
@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Source function library.
+. /etc/init.d/functions
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+	EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_ON_RESTART="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+	local ret=0
+	for table in $EBTABLES_TABLES; do
+		ebtables -t $table --init-table || ret=1
+	done
+	return $ret
+}
+
+sanitize_dump() {
+	local drop=false
+
+	export EBTABLES_TABLES
+
+	cat $1 | while read line; do
+		case $line in
+		\**)
+			drop=false
+			local table="${line#\*}"
+			local found=false
+			for t in $EBTABLES_TABLES; do
+				if [[ $t == $table ]]; then
+					found=true
+					break
+				fi
+			done
+			$found || drop=true
+			;;
+		esac
+		$drop || echo "$line"
+	done
+}
+
+start() {
+	if [ -f $EBTABLES_DATA ]; then
+		echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+		sanitize_dump $EBTABLES_DATA | ebtables-restore
+	else
+		echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+		initialize
+	fi
+	local ret=$?
+	touch $VAR_SUBSYS_EBTABLES
+	return $ret
+}
+
+save() {
+	echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+	export EBTABLES_SAVE_COUNTER
+	ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+	start)
+		[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+		start && success || failure
+		RETVAL=$?
+		;;
+	stop)
+		[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+		action "ebtables: stopping firewall" initialize
+		RETVAL=$?
+		rm -f $VAR_SUBSYS_EBTABLES
+		;;
+	save)
+		save
+		;;
+	*)
+		echo "usage: ${0##*/} {start|stop|save}" >&2
+		RETVAL=2
+		;;
+esac
+
+exit $RETVAL
--- a/ebtables.service
+++ b/ebtables.service
@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+
+[Install]
+WantedBy=multi-user.target
--- a/ebtables.spec
+++ b/ebtables.spec
@ -1,21 +1,66 @@
+%global ebminor 4
 %undefine _ld_as_needed

 Name:			ebtables
-Version:		2.0.11
-Release:		21%{?dist}
+Version:		2.0.10
+Release:		36%{?dist}
 Summary:		Ethernet Bridge frame table administration tool
-# Automatically converted from old format: GPLv2+ - review is highly recommended.
-License:		GPL-2.0-or-later
+License:		GPLv2+
 URL:			http://ebtables.sourceforge.net/

-Source0:		ftp://ftp.netfilter.org/pub/ebtables/ebtables-%{version}.tar.bz2
+Source0:		http://downloads.sourceforge.net/ebtables/ebtables-v%{version}-%{ebminor}.tar.gz
 Source1:		ebtables-legacy-save
+Source2:		ebtables-helper
+Source3:		ebtables.service
+Source4:		ebtables-config

+Patch1:   0001-add-RARP-and-update-iana-url.patch
+Patch2:   0002-fix-compilation-warning.patch
+Patch3:   0003-add-info-about-Wl-no-as-needed.patch
+Patch4:   0004-workaround-for-kernel-regression-bug-IPv6-source-des.patch
+Patch5:   0005-Add-noflush-command-line-support-for-ebtables-restor.patch
+Patch6:   0006-don-t-print-IPv6-mask-if-it-s-all-ones-based-on-patc.patch
+Patch7:   0007-Add-kernel-headers-needed-from-v3.16.patch
+Patch8:   0008-extensions-Use-stdint-types.patch
+Patch9:   0009-ethernetdb.h-Remove-C-specific-compiler-hint-macro-_.patch
+Patch10:  0010-ebtables-Allow-RETURN-target-rules-in-user-defined-c.patch
+Patch11:  0011-ebtables-extensions-Constify-option-struct.patch
+Patch12:  0012-Use-flock-for-concurrent-option.patch
+Patch13:  0013-Fix-locking-if-LOCKDIR-does-not-exist.patch
+Patch14:  0014-include-sync-linux-netfilter_bridge-ebt_ip.h-with-ke.patch
+Patch15:  0015-Move-ICMP-type-handling-functions-from-ebt_ip6-to-us.patch
+Patch16:  0016-ebt_ip-add-support-for-matching-ICMP-type-and-code.patch
+Patch17:  0017-ebt_ip-add-support-for-matching-IGMP-type.patch
+Patch18:  0018-extensions-Add-string-filter-to-ebtables.patch
+Patch19:  0019-include-Fix-musl-libc-compatibility.patch
+Patch20:  0020-ebtables-Fix-build-errors-and-warnings.patch
+Patch21:  0021-build-update-ebtables.h-from-kernel-and-drop-local-u.patch
+Patch22:  0022-extensions-fix-build-failure-on-fc28.patch
+Patch23:  0023-extensions-ebt_string-take-action-if-snprintf-discar.patch
+Patch24:  0024-build-drop-install-o-g-root.patch
+Patch25:  0025-build-rename-sed-source-files-to-.in.patch
+Patch26:  0026-build-use-autoconf-style-placeholders-in-sed-ed-file.patch
+Patch27:  0027-extensions-use-__attribute__-constructor-for-autoreg.patch
+Patch28:  0028-Add-.gitignore.patch
+Patch29:  0029-build-move-to-automake.patch
+Patch30:  0030-ebtablesd-avoid-build-warning.patch
+Patch31:  0031-extensions-among-Fix-bitmask-check.patch
+Patch32:  0032-ebtables-legacy-renaming.patch
+Patch33:  0033-ebtables-drop-.spec-file.patch
+Patch34:  0034-ebtables-drop-sysvinit-script.patch
+Patch35:  0035-Print-IPv6-prefixes-in-CIDR-notation.patch
+Patch36:  0036-Adjust-.gitignore-to-renamed-files.patch
+Patch37:  0037-extensions-Drop-Makefile.patch
+Patch38:  0038-Allow-customizing-lockfile-location-at-configure-tim.patch
+Patch39:  0039-extensions-Add-AUDIT-target.patch
+Patch40:  0040-Fix-segfault-with-missing-lockfile-directory.patch
+
+BuildRequires:		autogen
 BuildRequires:		autoconf
 BuildRequires:		automake
 BuildRequires:		libtool
 BuildRequires:		gcc
-BuildRequires:		make
+BuildRequires:		systemd

 %description
 Ethernet bridge tables is a firewalling tool to transparently filter network
@ -30,19 +75,10 @@ like iptables. There are no known incompatibility issues.

 %package legacy
 Summary: Legacy user space tool to configure bridge netfilter rules in kernel
-Requires(post):   /usr/sbin/update-alternatives
-Requires(post):   %{_bindir}/readlink
-Requires(postun): /usr/sbin/update-alternatives
+Requires(post):   %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
 Conflicts:        setup < 2.10.4-1
-%if 0%{?rhel} >= 9
-# RHEL-9 provides ebtables via iptables-nft, but doesn't support ebtables
-# alternatives. As such avoid the Provides here so iptables-nft is chosen, not
-# ebtables-legacy.
-%else
 Provides:         ebtables
-%endif
-
-%sbin_merge_compat %{_prefix}/sbin/ebtables

 %description legacy
 Ethernet bridge tables is a firewalling tool to transparently filter network
@ -58,10 +94,31 @@ like iptables. There are no known incompatibility issues.
 Note that it is considered legacy upstream since nftables provides the same
 functionality in a much newer code-base. To aid in migration, there is
 ebtables-nft utility, a drop-in replacement for the legacy one which uses
-nftables internally. It is provided by iptables-nft package.
+nftables internally. It is provided by iptables-ebtables package.
+
+%package services
+Summary: ebtables systemd services
+%{?systemd_ordering}
+
+%description services
+ebtables systemd services
+
+This package provides the systemd ebtables service that has been split
+out of the base package for better integration with alternatives.
+
+%package compat
+Summary: Transitioning helper package for services sub-package split
+Obsoletes: ebtables < 2.0.10-32
+Requires:  ebtables-legacy = %{version}-%{release}
+Requires:  ebtables-services = %{version}-%{release}
+
+%description compat
+This package only exists to help transition ebtables users to the
+new package split. It will be removed after one distribution release
+cycle, please do not reference it or depend on it in any way.

 %prep
-%autosetup -p1 -n ebtables-%{version}
+%autosetup -p1 -n ebtables-v%{version}-%{ebminor}
 # Convert to UTF-8
 f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f

@ -72,6 +129,10 @@ f=THANKS; iconv -f iso-8859-1 -t utf-8 $f -o $f.utf8 ; mv $f.utf8 $f

 %install
 %make_install
+install -D -m 644 %{SOURCE3} %{buildroot}%{_unitdir}/ebtables.service
+install -D -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/ebtables-helper
+install -D -m 600 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/ebtables-config
+touch %{buildroot}%{_sysconfdir}/sysconfig/ebtables

 # install ebtables-legacy-save bash script
 install -m 755 %{SOURCE1} %{buildroot}%{_sbindir}/ebtables-legacy-save
@ -85,8 +146,14 @@ rm -f %{buildroot}%{_sysconfdir}/ethertypes
 # Drop these binaries (for now at least)
 rm %{buildroot}/%{_sbindir}/ebtables{d,u}

+# Prepare for Alternatives system
+touch %{buildroot}%{_sbindir}/ebtables
+touch %{buildroot}%{_sbindir}/ebtables-save
+touch %{buildroot}%{_sbindir}/ebtables-restore
+touch %{buildroot}%{_mandir}/man8/ebtables.8
+
 %post legacy
-pfx=%{_prefix}/sbin/ebtables
+pfx=%{_sbindir}/ebtables
 manpfx=%{_mandir}/man8/ebtables
 for sfx in "" "-restore" "-save"; do
 	if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then
@ -96,9 +163,7 @@ done
 if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then
 	rm -f $manpfx.8.gz
 fi
-# drop the extra entry linking to /usr/bin which previous version installed
-update-alternatives --remove ebtables /usr/bin/ebtables-legacy 2>/dev/null
-update-alternatives --install \
+%{_sbindir}/update-alternatives --install \
 	$pfx ebtables $pfx-legacy 10 \
 	--slave $pfx-save ebtables-save $pfx-legacy-save \
 	--slave $pfx-restore ebtables-restore $pfx-legacy-restore \
@ -107,107 +172,51 @@ update-alternatives --install \
 %postun legacy
 if [ $1 -eq 0 ]; then
 	%{_sbindir}/update-alternatives --remove \
-		ebtables %{_prefix}/sbin/ebtables-legacy
+		ebtables %{_sbindir}/ebtables-legacy
 fi

-# When upgrading ebtables to ebtables-{legacy,services},
+# When upgrading ebtables to ebtables-{legacy,services,compat},
 # postun in ebtables thinks it is uninstalled and removes alternatives.
 # Counter this with a trigger here to have it installed again.
 %triggerpostun legacy -- ebtables
-pfx=%{_prefix}/sbin/ebtables
+pfx=%{_sbindir}/ebtables
 manpfx=%{_mandir}/man8/ebtables
-update-alternatives --install \
+%{_sbindir}/update-alternatives --install \
 	$pfx ebtables $pfx-legacy 10 \
 	--slave $pfx-save ebtables-save $pfx-legacy-save \
 	--slave $pfx-restore ebtables-restore $pfx-legacy-restore \
 	--slave $manpfx.8.gz ebtables-man $manpfx-legacy.8.gz


+%post services
+%systemd_post ebtables.service
+
+%preun services
+%systemd_preun ebtables.service
+
+%postun services
+%systemd_postun ebtables.service
+
 %files legacy
 %license COPYING
 %doc ChangeLog THANKS
 %{_sbindir}/ebtables-legacy*
 %{_mandir}/*/ebtables-legacy*
 %{_libdir}/libebtc.so*
-%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables
-%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables-save
-%ghost %attr(0755,root,root) %{_prefix}/sbin/ebtables-restore
-%ghost %attr(0644,root,root) %{_mandir}/man8/ebtables.8.gz
+%ghost %{_sbindir}/ebtables
+%ghost %{_sbindir}/ebtables-save
+%ghost %{_sbindir}/ebtables-restore
+%ghost %{_mandir}/man8/ebtables.8.gz
+
+%files services
+%{_unitdir}/ebtables.service
+%{_libexecdir}/ebtables-helper
+%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
+%ghost %{_sysconfdir}/sysconfig/ebtables
+
+%files compat

 %changelog
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-21
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Thu Apr 03 2025 Phil Sutter <psutter@redhat.com> - 2.0.11-20
- Drop ebtables-services package
- Add fixes/hooks for bin-sbin merge, analogous to iptables.spec
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Thu Jul  25 2024 Miroslav Suchý <msuchy@redhat.com> - 2.0.11-18
- convert license to SPDX
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Tue Jan 26 2021 Eric Garver <egarver@redhat.com> - 2.0.11-9
- avoid Provides: ebtables for newer RHEL/ELN builds
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Nov  5 2020 Florian Weimer <fweimer@redhat.com> - 2.0.11-7
- Remove build dependency on autogen
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.11-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Wed Jan 22 2020 Tom Callaway <spot@fedoraproject.org> - 2.0.11-4
- add Requires(post): %%{_bindir}/readlink (bz1792805)
-
-* Mon Dec 16 2019 Phil Sutter <psutter@redhat.com> - 2.0.11-3
- Fix nft-variant reference in package description
-
-* Mon Dec 16 2019 Phil Sutter <psutter@redhat.com> - 2.0.11-2
- Eliminate implicit dependency on initscripts package
-
-* Mon Dec  2 2019 Tom Callaway <spot@fedoraproject.org> - 2.0.11-1
- update to 2.0.11 (all of Phil's awesome patches merged)
-
-* Wed Oct 30 2019 Phil Sutter <psutter@redhat.com> - 2.0.10-39
- Make services sub-package obsolete compat to fix upgrade path
-
-* Tue Oct 22 2019 Phil Sutter <psutter@redhat.com> - 2.0.10-38
- Drop compat sub-package again
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.10-37
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
 * Wed Jun 26 2019 Phil Sutter <psutter@redhat.com> - 2.0.10-36
 - Fix segfault with non-existing lock directory

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (ebtables-2.0.11.tar.bz2) = 43a04c6174c8028c501591ef260526297e0f018016f226e2a3bcf80766fddf53d4605c347554d6da7c4ab5e2131584a18da20916ffddcbf2d26ac93b00c5777f
+506742a3d44b9925955425a659c1a8d0  ebtables-v2.0.10-4.tar.gz