authorEmmett1 <me@emmett1.my>2026-05-02 08:53:59 +0000
committerEmmett1 <me@emmett1.my>2026-05-02 08:53:59 +0000
commitbdfbadcd29eb0191c9bb2b41185147ccb9d4dae2 (patch)
treeb8148b76280980fffb4d8a218ab90b32db9f571d /repos/extra
parentf7d898413decd0ec4b612a04ba1a676db7ba62b4 (diff)
iptables: updated to 1.8.13
Diffstat (limited to 'repos/extra')
-rw-r--r--repos/extra/iptables/.checksum5
-rw-r--r--repos/extra/iptables/abuild5
-rw-r--r--repos/extra/iptables/configure-Avoid-addition-assignment-operators.patch44
-rw-r--r--repos/extra/iptables/drop-interface-mask-leftovers-from-post-parse-callbacks.patch65
-rw-r--r--repos/extra/iptables/fix-interface-comparissons-in-dash-C-commands.patch173
5 files changed, 2 insertions, 290 deletions
diff --git a/repos/extra/iptables/.checksum b/repos/extra/iptables/.checksum
index 0fe6dead..9b2dd29c 100644
--- a/repos/extra/iptables/.checksum
+++ b/repos/extra/iptables/.checksum
@@ -1,5 +1,2 @@
-66e08567e2be13260210b86c9ca6cf34bc36e439d39ede4b5b664d599ee3c0dd configure-Avoid-addition-assignment-operators.patch
-7d3135fe9b800d930bdb1ddf0531bbf7cd8b7622fe2f930a9d7385e5b15692ce drop-interface-mask-leftovers-from-post-parse-callbacks.patch
-08f641bc7ce74cb01d7778b0f27d8cee63a9d03e03d01ee429f1bc54702412ba fix-interface-comparissons-in-dash-C-commands.patch
-407c93b0ececb7ced0e1cafee020cbc48dba9387f33a0302b21fdde6eca7061c iptables-1.8.11.tar.xz
+73842925cdcf083c251143bcf76f693f46d8f74be5b21a97d78bffebb3c3e90c iptables-1.8.13.tar.xz
618cbcced62b548b080e7903ac8b50161b1d2af5c6c425b191eb67e87ff75b91 use-sh-iptables-apply.patch
diff --git a/repos/extra/iptables/abuild b/repos/extra/iptables/abuild
index 7a7dbe6b..69589809 100644
--- a/repos/extra/iptables/abuild
+++ b/repos/extra/iptables/abuild
@@ -1,10 +1,7 @@
name=iptables
-version=1.8.11
+version=1.8.13
release=1
source="https://www.netfilter.org/projects/${name}/files/${name}-${version}.tar.xz
- configure-Avoid-addition-assignment-operators.patch
- drop-interface-mask-leftovers-from-post-parse-callbacks.patch
- fix-interface-comparissons-in-dash-C-commands.patch
use-sh-iptables-apply.patch"
build_opt="--disable-nftables"
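Review bot: The three patches are dropped from `source` with no record that 1.8.13 already contains them, and only two of them can be traced to upstream commits. `drop-interface-mask-leftovers-from-post-parse-callbacks.patch` and `fix-interface-comparissons-in-dash-C-commands.patch` cite git.netfilter.org ids b3f3e256c263 and 40406dbfaefb, which can be checked against the 1.8.13 tag, but `configure-Avoid-addition-assignment-operators.patch` cites only a mailing-list post, so its merge status is not evident from this page; if it was not merged, `./configure` would presumably fail again under a `/bin/sh` without `+=`. A line in the commit message such as `drop patches merged upstream in 1.8.13` would record that check. Separately, the new tarball is pinned only by the SHA-256 added to `.checksum`, so it is worth confirming the hash was taken from a download verified against upstream's release signature rather than from the fetched file alone.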
diff --git a/repos/extra/iptables/configure-Avoid-addition-assignment-operators.patch b/repos/extra/iptables/configure-Avoid-addition-assignment-operators.patch
deleted file mode 100644
index 04590f76..00000000
--- a/repos/extra/iptables/configure-Avoid-addition-assignment-operators.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Patch-Source: https://lore.kernel.org/netfilter-devel/D711RJX8FZM8.1ZZRJ5PYBRMID@pwned.life/
----
-From a81896ac8c0fcc73ee52603748f876375906cead Mon Sep 17 00:00:00 2001
-From: fossdd <fossdd@pwned.life>
-Date: Mon, 13 Jan 2025 16:08:34 +0100
-Subject: [PATCH] configure: Avoid addition assignment operators
-
-For compatability with other /bin/sh like busybox ash, since they don't
-support the addition assignment operators (+=) and otherwise fails with:
-
- ./configure: line 14174: regular_CFLAGS+= -D__UAPI_DEF_ETHHDR=0: not found
-
-Signed-off-by: fossdd <fossdd@pwned.life>
----
- configure.ac | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 2d38a4d4..0106b316 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -202,8 +202,8 @@ fi;
- pkgdatadir='${datadir}/xtables';
-
- if test "x$enable_profiling" = "xyes"; then
-- regular_CFLAGS+=" -fprofile-arcs -ftest-coverage"
-- regular_LDFLAGS+=" -lgcov --coverage"
-+ regular_CFLAGS="$regular_CFLAGS -fprofile-arcs -ftest-coverage"
-+ regular_LDFLAGS="$regular_LDFLAGS -lgcov --coverage"
- fi
-
- AC_MSG_CHECKING([whether the build is using musl-libc])
-@@ -222,7 +222,7 @@ AC_COMPILE_IFELSE(
- AC_MSG_RESULT([${enable_musl_build}])
-
- if test "x$enable_musl_build" = "xyes"; then
-- regular_CFLAGS+=" -D__UAPI_DEF_ETHHDR=0"
-+ regular_CFLAGS="$regular_CFLAGS -D__UAPI_DEF_ETHHDR=0"
- fi
-
- define([EXPAND_VARIABLE],
---
-2.48.0
-
diff --git a/repos/extra/iptables/drop-interface-mask-leftovers-from-post-parse-callbacks.patch b/repos/extra/iptables/drop-interface-mask-leftovers-from-post-parse-callbacks.patch
deleted file mode 100644
index 70716b1d..00000000
--- a/repos/extra/iptables/drop-interface-mask-leftovers-from-post-parse-callbacks.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Url: https://git.netfilter.org/iptables/patch/?id=b3f3e256c263b9a1db49732696aba0dde084ef5e
-From b3f3e256c263b9a1db49732696aba0dde084ef5e Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Fri, 15 Nov 2024 19:55:32 +0100
-Subject: nft: Drop interface mask leftovers from post_parse callbacks
-
-Fixed commit only adjusted the IPv4-specific callback for unclear
-reasons.
-
-Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Reviewed-by: Jeremy Sowden <jeremy@azazel.net>
----
- iptables/nft-arp.c | 3 ---
- iptables/xshared.c | 5 -----
- iptables/xshared.h | 1 -
- 3 files changed, 9 deletions(-)
-
-diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
-index c11d64c3..fa2dd558 100644
---- a/iptables/nft-arp.c
-+++ b/iptables/nft-arp.c
-@@ -459,10 +459,7 @@ static void nft_arp_post_parse(int command,
- cs->arp.arp.invflags = args->invflags;
-
- memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ);
-- memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ);
--
- memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ);
-- memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ);
-
- cs->arp.counters.pcnt = args->pcnt_cnt;
- cs->arp.counters.bcnt = args->bcnt_cnt;
-diff --git a/iptables/xshared.c b/iptables/xshared.c
-index 2a5eef09..2f663f97 100644
---- a/iptables/xshared.c
-+++ b/iptables/xshared.c
-@@ -2104,12 +2104,7 @@ void ipv6_post_parse(int command, struct iptables_command_state *cs,
- cs->fw6.ipv6.invflags = args->invflags;
-
- memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
-- memcpy(cs->fw6.ipv6.iniface_mask,
-- args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
--
- memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
-- memcpy(cs->fw6.ipv6.outiface_mask,
-- args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
-
- if (args->goto_set)
- cs->fw6.ipv6.flags |= IP6T_F_GOTO;
-diff --git a/iptables/xshared.h b/iptables/xshared.h
-index a111e797..af756738 100644
---- a/iptables/xshared.h
-+++ b/iptables/xshared.h
-@@ -262,7 +262,6 @@ struct xtables_args {
- uint8_t flags;
- uint16_t invflags;
- char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-- unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
- char bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ];
- bool goto_set;
- const char *shostnetworkmask, *dhostnetworkmask;
---
-cgit v1.2.3
-
diff --git a/repos/extra/iptables/fix-interface-comparissons-in-dash-C-commands.patch b/repos/extra/iptables/fix-interface-comparissons-in-dash-C-commands.patch
deleted file mode 100644
index 3cae51ee..00000000
--- a/repos/extra/iptables/fix-interface-comparissons-in-dash-C-commands.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-Url: https://git.netfilter.org/iptables/patch/?id=40406dbfaefbc204134452b2747bae4f6a122848
-From 40406dbfaefbc204134452b2747bae4f6a122848 Mon Sep 17 00:00:00 2001
-From: Jeremy Sowden <jeremy@azazel.net>
-Date: Mon, 18 Nov 2024 13:56:50 +0000
-Subject: nft: fix interface comparisons in `-C` commands
-
-Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
-kernel") removed code which explicitly set interface masks to all ones. The
-result of this is that they are zero. However, they are used to mask interfaces
-in `is_same_interfaces`. Consequently, the masked values are alway zero, the
-comparisons are always true, and check commands which ought to fail succeed:
-
- # iptables -N test
- # iptables -A test -i lo \! -o lo -j REJECT
- # iptables -v -L test
- Chain test (0 references)
- pkts bytes target prot opt in out source destination
- 0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
- # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
- REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
-
-Remove the mask parameters from `is_same_interfaces`. Add a test-case.
-
-Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
-Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
-Signed-off-by: Phil Sutter <phil@nwl.cc>
----
- iptables/nft-arp.c | 10 ++----
- iptables/nft-ipv4.c | 4 +--
- iptables/nft-ipv6.c | 6 +---
- iptables/nft-shared.c | 36 +++++-----------------
- iptables/nft-shared.h | 6 +---
- .../testcases/nft-only/0020-compare-interfaces_0 | 9 ++++++
- 6 files changed, 22 insertions(+), 49 deletions(-)
- create mode 100755 iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
-
-diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
-index 264864c3..c11d64c3 100644
---- a/iptables/nft-arp.c
-+++ b/iptables/nft-arp.c
-@@ -385,14 +385,8 @@ static bool nft_arp_is_same(const struct iptables_command_state *cs_a,
- return false;
- }
-
-- return is_same_interfaces(a->arp.iniface,
-- a->arp.outiface,
-- (unsigned char *)a->arp.iniface_mask,
-- (unsigned char *)a->arp.outiface_mask,
-- b->arp.iniface,
-- b->arp.outiface,
-- (unsigned char *)b->arp.iniface_mask,
-- (unsigned char *)b->arp.outiface_mask);
-+ return is_same_interfaces(a->arp.iniface, a->arp.outiface,
-+ b->arp.iniface, b->arp.outiface);
- }
-
- static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy)
-diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
-index 74092875..0c8bd291 100644
---- a/iptables/nft-ipv4.c
-+++ b/iptables/nft-ipv4.c
-@@ -113,9 +113,7 @@ static bool nft_ipv4_is_same(const struct iptables_command_state *a,
- }
-
- return is_same_interfaces(a->fw.ip.iniface, a->fw.ip.outiface,
-- a->fw.ip.iniface_mask, a->fw.ip.outiface_mask,
-- b->fw.ip.iniface, b->fw.ip.outiface,
-- b->fw.ip.iniface_mask, b->fw.ip.outiface_mask);
-+ b->fw.ip.iniface, b->fw.ip.outiface);
- }
-
- static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
-diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
-index b184f8af..4dbb2af2 100644
---- a/iptables/nft-ipv6.c
-+++ b/iptables/nft-ipv6.c
-@@ -99,11 +99,7 @@ static bool nft_ipv6_is_same(const struct iptables_command_state *a,
- }
-
- return is_same_interfaces(a->fw6.ipv6.iniface, a->fw6.ipv6.outiface,
-- a->fw6.ipv6.iniface_mask,
-- a->fw6.ipv6.outiface_mask,
-- b->fw6.ipv6.iniface, b->fw6.ipv6.outiface,
-- b->fw6.ipv6.iniface_mask,
-- b->fw6.ipv6.outiface_mask);
-+ b->fw6.ipv6.iniface, b->fw6.ipv6.outiface);
- }
-
- static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
-diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
-index 6775578b..2c29e68f 100644
---- a/iptables/nft-shared.c
-+++ b/iptables/nft-shared.c
-@@ -220,36 +220,16 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r,
- }
-
- bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
-- unsigned const char *a_iniface_mask,
-- unsigned const char *a_outiface_mask,
-- const char *b_iniface, const char *b_outiface,
-- unsigned const char *b_iniface_mask,
-- unsigned const char *b_outiface_mask)
-+ const char *b_iniface, const char *b_outiface)
- {
-- int i;
--
-- for (i = 0; i < IFNAMSIZ; i++) {
-- if (a_iniface_mask[i] != b_iniface_mask[i]) {
-- DEBUGP("different iniface mask %x, %x (%d)\n",
-- a_iniface_mask[i] & 0xff, b_iniface_mask[i] & 0xff, i);
-- return false;
-- }
-- if ((a_iniface[i] & a_iniface_mask[i])
-- != (b_iniface[i] & b_iniface_mask[i])) {
-- DEBUGP("different iniface\n");
-- return false;
-- }
-- if (a_outiface_mask[i] != b_outiface_mask[i]) {
-- DEBUGP("different outiface mask\n");
-- return false;
-- }
-- if ((a_outiface[i] & a_outiface_mask[i])
-- != (b_outiface[i] & b_outiface_mask[i])) {
-- DEBUGP("different outiface\n");
-- return false;
-- }
-+ if (strncmp(a_iniface, b_iniface, IFNAMSIZ)) {
-+ DEBUGP("different iniface\n");
-+ return false;
-+ }
-+ if (strncmp(a_outiface, b_outiface, IFNAMSIZ)) {
-+ DEBUGP("different outiface\n");
-+ return false;
- }
--
- return true;
- }
-
-diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
-index 51d1e460..b57aee1f 100644
---- a/iptables/nft-shared.h
-+++ b/iptables/nft-shared.h
-@@ -105,11 +105,7 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t proto, uint
- void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
-
- bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
-- unsigned const char *a_iniface_mask,
-- unsigned const char *a_outiface_mask,
-- const char *b_iniface, const char *b_outiface,
-- unsigned const char *b_iniface_mask,
-- unsigned const char *b_outiface_mask);
-+ const char *b_iniface, const char *b_outiface);
-
- void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op);
- void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
-diff --git a/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
-new file mode 100755
-index 00000000..278cd648
---- /dev/null
-+++ b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+
-+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
-+
-+$XT_MULTI iptables -N test
-+$XT_MULTI iptables -A test -i lo \! -o lo -j REJECT
-+$XT_MULTI iptables -C test -i abcdefgh \! -o abcdefgh -j REJECT 2>/dev/null && exit 1
-+
-+exit 0
---
-cgit v1.2.3
-