alicelinux

A lightweight musl + clang/llvm + libressl + busybox distro
git clone https://codeberg.org/emmett1/alicelinux

commit 905e86e8323a97c4190e231dfa51182b39d31a9f
parent 074ddb6661dc348f641eefbf33b5d66f432275b6
Author: emmett1 <emmett1.2miligrams@protonmail.com>
Date:   Fri, 12 Sep 2025 03:06:39 +0800

iptables: new added

Diffstat:
Arepos/extra/iptables/.checksum | 5+++++
Arepos/extra/iptables/.files | 164+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Arepos/extra/iptables/abuild | 13+++++++++++++
Arepos/extra/iptables/configure-Avoid-addition-assignment-operators.patch | 44++++++++++++++++++++++++++++++++++++++++++++
Arepos/extra/iptables/drop-interface-mask-leftovers-from-post-parse-callbacks.patch | 65+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Arepos/extra/iptables/fix-interface-comparissons-in-dash-C-commands.patch | 173+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Arepos/extra/iptables/use-sh-iptables-apply.patch | 39+++++++++++++++++++++++++++++++++++++++
7 files changed, 503 insertions(+), 0 deletions(-)

diff --git a/repos/extra/iptables/.checksum b/repos/extra/iptables/.checksum
@@ -0,0 +1,5 @@
+66e08567e2be13260210b86c9ca6cf34bc36e439d39ede4b5b664d599ee3c0dd configure-Avoid-addition-assignment-operators.patch
+7d3135fe9b800d930bdb1ddf0531bbf7cd8b7622fe2f930a9d7385e5b15692ce drop-interface-mask-leftovers-from-post-parse-callbacks.patch
+08f641bc7ce74cb01d7778b0f27d8cee63a9d03e03d01ee429f1bc54702412ba fix-interface-comparissons-in-dash-C-commands.patch
+407c93b0ececb7ced0e1cafee020cbc48dba9387f33a0302b21fdde6eca7061c iptables-1.8.11.tar.xz
+618cbcced62b548b080e7903ac8b50161b1d2af5c6c425b191eb67e87ff75b91 use-sh-iptables-apply.patch
diff --git a/repos/extra/iptables/.files b/repos/extra/iptables/.files
@@ -0,0 +1,164 @@ +drwxr-xr-x root/root usr/ +drwxr-xr-x root/root usr/bin/ +lrwxrwxrwx root/root usr/bin/iptables-xml -> /usr/sbin/xtables-legacy-multi +drwxr-xr-x root/root usr/include/ +drwxr-xr-x root/root usr/include/libiptc/ +-rw-r--r-- root/root usr/include/libiptc/ipt_kernel_headers.h +-rw-r--r-- root/root usr/include/libiptc/libip6tc.h +-rw-r--r-- root/root usr/include/libiptc/libiptc.h +-rw-r--r-- root/root usr/include/libiptc/libxtc.h +-rw-r--r-- root/root usr/include/libiptc/xtcshared.h +-rw-r--r-- root/root usr/include/xtables-version.h +-rw-r--r-- root/root usr/include/xtables.h +drwxr-xr-x root/root usr/lib/ +lrwxrwxrwx root/root usr/lib/libip4tc.so -> libip4tc.so.2.0.0 +lrwxrwxrwx root/root usr/lib/libip4tc.so.2 -> libip4tc.so.2.0.0 +-rwxr-xr-x root/root usr/lib/libip4tc.so.2.0.0 +lrwxrwxrwx root/root usr/lib/libip6tc.so -> libip6tc.so.2.0.0 +lrwxrwxrwx root/root usr/lib/libip6tc.so.2 -> libip6tc.so.2.0.0 +-rwxr-xr-x root/root usr/lib/libip6tc.so.2.0.0 +lrwxrwxrwx root/root usr/lib/libxtables.so -> libxtables.so.12.7.0 +lrwxrwxrwx root/root usr/lib/libxtables.so.12 -> libxtables.so.12.7.0 +-rwxr-xr-x root/root usr/lib/libxtables.so.12.7.0 +drwxr-xr-x root/root usr/lib/pkgconfig/ +-rw-r--r-- root/root usr/lib/pkgconfig/libip4tc.pc +-rw-r--r-- root/root usr/lib/pkgconfig/libip6tc.pc +-rw-r--r-- root/root usr/lib/pkgconfig/libiptc.pc +-rw-r--r-- root/root usr/lib/pkgconfig/xtables.pc +drwxr-xr-x root/root usr/lib/xtables/ +-rwxr-xr-x root/root usr/lib/xtables/libip6t_DNPT.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_HL.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_NETMAP.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_REJECT.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_SNPT.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_ah.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_dst.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_eui64.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_frag.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_hbh.so 
+-rwxr-xr-x root/root usr/lib/xtables/libip6t_hl.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_icmp6.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_ipv6header.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_mh.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_rt.so +-rwxr-xr-x root/root usr/lib/xtables/libip6t_srh.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_CLUSTERIP.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_ECN.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_NETMAP.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_REJECT.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_TTL.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_ULOG.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_ah.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_icmp.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_realm.so +-rwxr-xr-x root/root usr/lib/xtables/libipt_ttl.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_AUDIT.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_CHECKSUM.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_CLASSIFY.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_CONNMARK.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_CONNSECMARK.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_CT.so +lrwxrwxrwx root/root usr/lib/xtables/libxt_DNAT.so -> libxt_NAT.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_DSCP.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_HMARK.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_IDLETIMER.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_LED.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_LOG.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_MARK.so +lrwxrwxrwx root/root usr/lib/xtables/libxt_MASQUERADE.so -> libxt_NAT.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_NAT.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_NFLOG.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_NFQUEUE.so +lrwxrwxrwx root/root usr/lib/xtables/libxt_NOTRACK.so -> libxt_CT.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_RATEEST.so +lrwxrwxrwx root/root usr/lib/xtables/libxt_REDIRECT.so -> 
libxt_NAT.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_SECMARK.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_SET.so +lrwxrwxrwx root/root usr/lib/xtables/libxt_SNAT.so -> libxt_NAT.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_SYNPROXY.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_TCPMSS.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_TCPOPTSTRIP.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_TEE.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_TOS.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_TPROXY.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_TRACE.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_addrtype.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_bpf.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_cgroup.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_cluster.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_comment.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_connbytes.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_connlimit.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_connmark.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_conntrack.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_cpu.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_dccp.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_devgroup.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_dscp.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_ecn.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_esp.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_hashlimit.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_helper.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_ipcomp.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_iprange.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_ipvs.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_length.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_limit.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_mac.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_mark.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_multiport.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_nfacct.so +-rwxr-xr-x root/root 
usr/lib/xtables/libxt_osf.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_owner.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_physdev.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_pkttype.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_policy.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_quota.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_rateest.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_recent.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_rpfilter.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_sctp.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_set.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_socket.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_standard.so +lrwxrwxrwx root/root usr/lib/xtables/libxt_state.so -> libxt_conntrack.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_statistic.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_string.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_tcp.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_tcpmss.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_time.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_tos.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_u32.so +-rwxr-xr-x root/root usr/lib/xtables/libxt_udp.so +drwxr-xr-x root/root usr/sbin/ +lrwxrwxrwx root/root usr/sbin/ip6tables -> xtables-legacy-multi +lrwxrwxrwx root/root usr/sbin/ip6tables-apply -> iptables-apply +lrwxrwxrwx root/root usr/sbin/ip6tables-legacy -> xtables-legacy-multi +lrwxrwxrwx root/root usr/sbin/ip6tables-legacy-restore -> xtables-legacy-multi +lrwxrwxrwx root/root usr/sbin/ip6tables-legacy-save -> xtables-legacy-multi +lrwxrwxrwx root/root usr/sbin/ip6tables-restore -> xtables-legacy-multi +lrwxrwxrwx root/root usr/sbin/ip6tables-save -> xtables-legacy-multi +lrwxrwxrwx root/root usr/sbin/iptables -> xtables-legacy-multi +-rwxr-xr-x root/root usr/sbin/iptables-apply +lrwxrwxrwx root/root usr/sbin/iptables-legacy -> xtables-legacy-multi +lrwxrwxrwx root/root usr/sbin/iptables-legacy-restore -> xtables-legacy-multi +lrwxrwxrwx root/root 
usr/sbin/iptables-legacy-save -> xtables-legacy-multi
+lrwxrwxrwx root/root usr/sbin/iptables-restore -> xtables-legacy-multi
+lrwxrwxrwx root/root usr/sbin/iptables-save -> xtables-legacy-multi
+-rwxr-xr-x root/root usr/sbin/xtables-legacy-multi
+drwxr-xr-x root/root usr/share/
+drwxr-xr-x root/root usr/share/man/
+drwxr-xr-x root/root usr/share/man/man1/
+-rw-r--r-- root/root usr/share/man/man1/iptables-xml.1.gz
+drwxr-xr-x root/root usr/share/man/man8/
+-rw-r--r-- root/root usr/share/man/man8/ip6tables-apply.8.gz
+-rw-r--r-- root/root usr/share/man/man8/ip6tables-restore.8.gz
+-rw-r--r-- root/root usr/share/man/man8/ip6tables-save.8.gz
+-rw-r--r-- root/root usr/share/man/man8/ip6tables.8.gz
+-rw-r--r-- root/root usr/share/man/man8/iptables-apply.8.gz
+-rw-r--r-- root/root usr/share/man/man8/iptables-extensions.8.gz
+-rw-r--r-- root/root usr/share/man/man8/iptables-restore.8.gz
+-rw-r--r-- root/root usr/share/man/man8/iptables-save.8.gz
+-rw-r--r-- root/root usr/share/man/man8/iptables.8.gz
+drwxr-xr-x root/root usr/share/xtables/
+-rw-r--r-- root/root usr/share/xtables/iptables.xslt
diff --git a/repos/extra/iptables/abuild b/repos/extra/iptables/abuild
@@ -0,0 +1,13 @@
+name=iptables
+version=1.8.11
+release=1
+source="https://www.netfilter.org/projects/${name}/files/${name}-${version}.tar.xz
+ configure-Avoid-addition-assignment-operators.patch
+ drop-interface-mask-leftovers-from-post-parse-callbacks.patch
+ fix-interface-comparissons-in-dash-C-commands.patch
+ use-sh-iptables-apply.patch"
+build_opt="--disable-nftables"
+
+prebuild() {
+ autoreconf -fi
+}
diff --git a/repos/extra/iptables/configure-Avoid-addition-assignment-operators.patch b/repos/extra/iptables/configure-Avoid-addition-assignment-operators.patch
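Review bot: The two netfilter backports are listed in `source=` in the reverse of their upstream order: the dash-C patch's nft-arp.c hunk starts from blob 264864c3 and produces c11d64c3, which is exactly the blob the drop-leftovers patch's nft-arp.c hunk starts from, so upstream applied the comparison fix first. The two hunks touch different functions (nft_arp_is_same vs nft_arp_post_parse), so applying them in the listed order presumably still succeeds with an offset, but if the build tool applies patches in `source=` order it is safer not to rely on that and to list `fix-interface-comparissons-in-dash-C-commands.patch` before `drop-interface-mask-leftovers-from-post-parse-callbacks.patch`. Separately, with `build_opt="--disable-nftables"` the nft-*.c hunks of those patches and the nft-only test case are presumably not compiled into this package, only the xshared.c/xshared.h hunks are, and the `-C` bug they fix is described in the patch as an nft-backend comparison problem; a one-line comment next to `build_opt`, e.g. `# legacy backend only; the nft patches are carried so the tree matches upstream 1.8.11+fixes`, would stop a later reader from assuming the legacy binary was affected.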
@@ -0,0 +1,44 @@
+Patch-Source: https://lore.kernel.org/netfilter-devel/D711RJX8FZM8.1ZZRJ5PYBRMID@pwned.life/
+---
+From a81896ac8c0fcc73ee52603748f876375906cead Mon Sep 17 00:00:00 2001
+From: fossdd <fossdd@pwned.life>
+Date: Mon, 13 Jan 2025 16:08:34 +0100
+Subject: [PATCH] configure: Avoid addition assignment operators
+
+For compatability with other /bin/sh like busybox ash, since they don't
+support the addition assignment operators (+=) and otherwise fails with:
+
+ ./configure: line 14174: regular_CFLAGS+= -D__UAPI_DEF_ETHHDR=0: not found
+
+Signed-off-by: fossdd <fossdd@pwned.life>
+---
+ configure.ac | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2d38a4d4..0106b316 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -202,8 +202,8 @@ fi;
+ pkgdatadir='${datadir}/xtables';
+
+ if test "x$enable_profiling" = "xyes"; then
+- regular_CFLAGS+=" -fprofile-arcs -ftest-coverage"
+- regular_LDFLAGS+=" -lgcov --coverage"
++ regular_CFLAGS="$regular_CFLAGS -fprofile-arcs -ftest-coverage"
++ regular_LDFLAGS="$regular_LDFLAGS -lgcov --coverage"
+ fi
+
+ AC_MSG_CHECKING([whether the build is using musl-libc])
+@@ -222,7 +222,7 @@ AC_COMPILE_IFELSE(
+ AC_MSG_RESULT([${enable_musl_build}])
+
+ if test "x$enable_musl_build" = "xyes"; then
+- regular_CFLAGS+=" -D__UAPI_DEF_ETHHDR=0"
++ regular_CFLAGS="$regular_CFLAGS -D__UAPI_DEF_ETHHDR=0"
+ fi
+
+ define([EXPAND_VARIABLE],
+--
+2.48.0
+
diff --git a/repos/extra/iptables/drop-interface-mask-leftovers-from-post-parse-callbacks.patch b/repos/extra/iptables/drop-interface-mask-leftovers-from-post-parse-callbacks.patch
@@ -0,0 +1,65 @@
+Url: https://git.netfilter.org/iptables/patch/?id=b3f3e256c263b9a1db49732696aba0dde084ef5e
+From b3f3e256c263b9a1db49732696aba0dde084ef5e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 15 Nov 2024 19:55:32 +0100
+Subject: nft: Drop interface mask leftovers from post_parse callbacks
+
+Fixed commit only adjusted the IPv4-specific callback for unclear
+reasons.
+
+Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Jeremy Sowden <jeremy@azazel.net>
+---
+ iptables/nft-arp.c | 3 ---
+ iptables/xshared.c | 5 -----
+ iptables/xshared.h | 1 -
+ 3 files changed, 9 deletions(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index c11d64c3..fa2dd558 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -459,10 +459,7 @@ static void nft_arp_post_parse(int command,
+ cs->arp.arp.invflags = args->invflags;
+
+ memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ);
+- memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ);
+-
+ memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ);
+- memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ);
+
+ cs->arp.counters.pcnt = args->pcnt_cnt;
+ cs->arp.counters.bcnt = args->bcnt_cnt;
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 2a5eef09..2f663f97 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -2104,12 +2104,7 @@ void ipv6_post_parse(int command, struct iptables_command_state *cs,
+ cs->fw6.ipv6.invflags = args->invflags;
+
+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
+- memcpy(cs->fw6.ipv6.iniface_mask,
+- args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
+-
+ memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
+- memcpy(cs->fw6.ipv6.outiface_mask,
+- args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
+
+ if (args->goto_set)
+ cs->fw6.ipv6.flags |= IP6T_F_GOTO;
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index 
a111e797..af756738 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -262,7 +262,6 @@ struct xtables_args {
+ uint8_t flags;
+ uint16_t invflags;
+ char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+- unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+ char bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ];
+ bool goto_set;
+ const char *shostnetworkmask, *dhostnetworkmask;
+--
+cgit v1.2.3
+
diff --git a/repos/extra/iptables/fix-interface-comparissons-in-dash-C-commands.patch b/repos/extra/iptables/fix-interface-comparissons-in-dash-C-commands.patch
@@ -0,0 +1,173 @@
+Url: https://git.netfilter.org/iptables/patch/?id=40406dbfaefbc204134452b2747bae4f6a122848
+From 40406dbfaefbc204134452b2747bae4f6a122848 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Mon, 18 Nov 2024 13:56:50 +0000
+Subject: nft: fix interface comparisons in `-C` commands
+
+Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
+kernel") removed code which explicitly set interface masks to all ones. The
+result of this is that they are zero. However, they are used to mask interfaces
+in `is_same_interfaces`. Consequently, the masked values are alway zero, the
+comparisons are always true, and check commands which ought to fail succeed:
+
+ # iptables -N test
+ # iptables -A test -i lo \! -o lo -j REJECT
+ # iptables -v -L test
+ Chain test (0 references)
+ pkts bytes target prot opt in out source destination
+ 0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
+ # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
+ REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
+
+Remove the mask parameters from `is_same_interfaces`. Add a test-case.
+
+Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft-arp.c | 10 ++----
+ iptables/nft-ipv4.c | 4 +--
+ iptables/nft-ipv6.c | 6 +---
+ iptables/nft-shared.c | 36 +++++----------------
+ iptables/nft-shared.h | 6 +---
+ .../testcases/nft-only/0020-compare-interfaces_0 | 9 ++++++
+ 6 files changed, 22 insertions(+), 49 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index 264864c3..c11d64c3 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -385,14 +385,8 @@ static bool nft_arp_is_same(const struct iptables_command_state *cs_a,
+ return false;
+ }
+
+- return is_same_interfaces(a->arp.iniface,
+- a->arp.outiface,
+- (unsigned char *)a->arp.iniface_mask,
+- (unsigned char *)a->arp.outiface_mask,
+- b->arp.iniface,
+- b->arp.outiface,
+- (unsigned char *)b->arp.iniface_mask,
+- (unsigned char *)b->arp.outiface_mask);
++ return is_same_interfaces(a->arp.iniface, a->arp.outiface,
++ b->arp.iniface, b->arp.outiface);
+ }
+
+ static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy)
+diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
+index 74092875..0c8bd291 100644
+--- a/iptables/nft-ipv4.c
++++ b/iptables/nft-ipv4.c
+@@ -113,9 +113,7 @@ static bool nft_ipv4_is_same(const struct iptables_command_state *a,
+ }
+
+ return is_same_interfaces(a->fw.ip.iniface, a->fw.ip.outiface,
+- a->fw.ip.iniface_mask, a->fw.ip.outiface_mask,
+- b->fw.ip.iniface, b->fw.ip.outiface,
+- b->fw.ip.iniface_mask, b->fw.ip.outiface_mask);
++ b->fw.ip.iniface, b->fw.ip.outiface);
+ }
+
+ static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
+diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
+index b184f8af..4dbb2af2 100644
+--- a/iptables/nft-ipv6.c
++++ b/iptables/nft-ipv6.c
+@@ -99,11 
+99,7 @@ static bool nft_ipv6_is_same(const struct iptables_command_state *a,
+ }
+
+ return is_same_interfaces(a->fw6.ipv6.iniface, a->fw6.ipv6.outiface,
+- a->fw6.ipv6.iniface_mask,
+- a->fw6.ipv6.outiface_mask,
+- b->fw6.ipv6.iniface, b->fw6.ipv6.outiface,
+- b->fw6.ipv6.iniface_mask,
+- b->fw6.ipv6.outiface_mask);
++ b->fw6.ipv6.iniface, b->fw6.ipv6.outiface);
+ }
+
+ static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index 6775578b..2c29e68f 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -220,36 +220,16 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r,
+ }
+
+ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
+- unsigned const char *a_iniface_mask,
+- unsigned const char *a_outiface_mask,
+- const char *b_iniface, const char *b_outiface,
+- unsigned const char *b_iniface_mask,
+- unsigned const char *b_outiface_mask)
++ const char *b_iniface, const char *b_outiface)
+ {
+- int i;
+-
+- for (i = 0; i < IFNAMSIZ; i++) {
+- if (a_iniface_mask[i] != b_iniface_mask[i]) {
+- DEBUGP("different iniface mask %x, %x (%d)\n",
+- a_iniface_mask[i] & 0xff, b_iniface_mask[i] & 0xff, i);
+- return false;
+- }
+- if ((a_iniface[i] & a_iniface_mask[i])
+- != (b_iniface[i] & b_iniface_mask[i])) {
+- DEBUGP("different iniface\n");
+- return false;
+- }
+- if (a_outiface_mask[i] != b_outiface_mask[i]) {
+- DEBUGP("different outiface mask\n");
+- return false;
+- }
+- if ((a_outiface[i] & a_outiface_mask[i])
+- != (b_outiface[i] & b_outiface_mask[i])) {
+- DEBUGP("different outiface\n");
+- return false;
+- }
++ if (strncmp(a_iniface, b_iniface, IFNAMSIZ)) {
++ DEBUGP("different iniface\n");
++ return false;
++ }
++ if (strncmp(a_outiface, b_outiface, IFNAMSIZ)) {
++ DEBUGP("different outiface\n");
++ return false;
+ }
+-
+ return true;
+ }
+
+diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
+index 51d1e460..b57aee1f 100644
+--- 
a/iptables/nft-shared.h
++++ b/iptables/nft-shared.h
+@@ -105,11 +105,7 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t proto, uint
+ void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
+
+ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
+- unsigned const char *a_iniface_mask,
+- unsigned const char *a_outiface_mask,
+- const char *b_iniface, const char *b_outiface,
+- unsigned const char *b_iniface_mask,
+- unsigned const char *b_outiface_mask);
++ const char *b_iniface, const char *b_outiface);
+
+ void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op);
+ void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
+diff --git a/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+new file mode 100755
+index 00000000..278cd648
+--- /dev/null
++++ b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+@@ -0,0 +1,9 @@
++#!/bin/bash
++
++[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
++
++$XT_MULTI iptables -N test
++$XT_MULTI iptables -A test -i lo \! -o lo -j REJECT
++$XT_MULTI iptables -C test -i abcdefgh \! -o abcdefgh -j REJECT 2>/dev/null && exit 1
++
++exit 0
+--
+cgit v1.2.3
+
diff --git a/repos/extra/iptables/use-sh-iptables-apply.patch b/repos/extra/iptables/use-sh-iptables-apply.patch
@@ -0,0 +1,39 @@
+From: Simon Frankenberger <simon-alpine@fraho.eu>
+
+make iptables-apply use posix sh
+
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ # iptables-apply -- a safer way to update iptables remotely
+ #
+ # Usage:
+@@ -110,7 +110,7 @@
+ }
+
+ function checkcommands() {
+- for cmd in "${COMMANDS[@]}"; do
++ for cmd in ${COMMANDS}; do
+ if ! command -v "$cmd" >/dev/null; then
+ echo "Error: needed command not found: $cmd" >&2
+ exit 127
+@@ -184,7 +184,7 @@
+ fi
+
+ # Needed commands
+- COMMANDS=(mktemp "$SAVE" "$RESTORE" "$RUNCMD")
++ COMMANDS="mktemp $SAVE $RESTORE $RUNCMD"
+ checkcommands
+ ;;
+ (*)
+@@ -196,7 +196,7 @@
+ fi
+
+ # Needed commands
+- COMMANDS=(mktemp "$SAVE" "$RESTORE")
++ COMMANDS="mktemp $SAVE $RESTORE"
+ checkcommands
+ ;;
+ esac
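Review bot: Replacing the `COMMANDS` array with a whitespace-joined string changes what the check loop sees: `for cmd in ${COMMANDS}` field-splits and glob-expands the values, so a `-c` command containing spaces is checked word by word (each argument is handed to `command -v` as if it were a program), whereas the bash array passed `"$RUNCMD"` as one element; how `$RUNCMD` is invoked later is outside this hunk, so whether the split check still matches the real use cannot be confirmed here. Positional parameters keep element boundaries in POSIX sh without a joined string: call `checkcommands mktemp "$SAVE" "$RESTORE" "$RUNCMD"` (and `checkcommands mktemp "$SAVE" "$RESTORE"` at the second site) and loop with `for cmd in "$@"; do` inside the function. The context line `function checkcommands() {` is also left as is: the `function` keyword is a bash extension that busybox ash appears to tolerate but dash does not, so the shebang change buys less portability than it suggests and dropping the keyword is a one-word fix. Other parts of the script, and any further bashisms in them, are not visible in this hunk.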