Diffstat (limited to 'aports/iptables')
-rw-r--r--aports/iptables/APKBUILD15
-rw-r--r--aports/iptables/fix-u_int16_t.patch163
-rw-r--r--aports/iptables/fix-xtables.patch10
-rw-r--r--aports/iptables/format-security.patch31
4 files changed, 37 insertions, 182 deletions
diff --git a/aports/iptables/APKBUILD b/aports/iptables/APKBUILD
index f6ed3cc..5e6f907 100644
--- a/aports/iptables/APKBUILD
+++ b/aports/iptables/APKBUILD
@@ -1,24 +1,22 @@
# Maintainer: Gabor Pali <pali.gabor@gmail.com>
pkgname=iptables
-pkgver=1.8.8
+pkgver=1.8.9
pkgrel=0 # base: 2
pkgdesc="Linux kernel firewall, NAT and packet mangling tools"
url="https://www.netfilter.org/projects/iptables/index.html"
arch="all"
license="GPL-2.0-or-later"
makedepends="libnftnl-dev bison flex autoconf automake"
-source="https://www.netfilter.org/projects/iptables/files/iptables-$pkgver.tar.bz2
+source="https://www.netfilter.org/projects/iptables/files/iptables-$pkgver.tar.xz
+ format-security.patch
use-sh-iptables-apply.patch
- fix-xtables.patch
- fix-u_int16_t.patch
iptables.initd
iptables.confd
ip6tables.confd
"
build() {
- export CFLAGS="$CFLAGS -D_GNU_SOURCE"
./configure \
--build="$CBUILD" \
--host="$CHOST" \
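Review bot: The removed `export CFLAGS="$CFLAGS -D_GNU_SOURCE"` line in build() and the two patches dropped from `source=` leave no record of why they are no longer needed, so a maintainer bumping to a later release cannot tell whether the `u_int16_t` build break was fixed upstream or simply not retested. The deleted fix-u_int16_t.patch carries upstream commit f319389525b066b7dc6d389c88f16a0df3b8f189 (May 2022), so it presumably ships in 1.8.9, and the `-D_GNU_SOURCE` export looks like a companion workaround for the same missing typedefs — confirm against the 1.8.9 tree. A one-line comment above `source=` would keep that knowledge in the APKBUILD, e.g. `# fix-u_int16_t.patch, fix-xtables.patch and -D_GNU_SOURCE dropped: fixed upstream in 1.8.9 (f319389525b)`. The same applies to the sha512sums hunk, which removes the two patch checksums without comment. build() continues past the end of this hunk.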
@@ -39,7 +37,7 @@ build() {
}
package() {
- make -j1 install DESTDIR="$pkgdir"
+ make install DESTDIR="$pkgdir"
rm -rf "$pkgdir"/tmp \
"$pkgdir"/usr/bin \
@@ -59,10 +57,9 @@ package() {
}
sha512sums="
-f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59 iptables-1.8.8.tar.bz2
+e367bf286135e39b7401e852de25c1ed06d44befdffd92ed1566eb2ae9704b48ac9196cb971f43c6c83c6ad4d910443d32064bcdf618cfcef6bcab113e31ff70 iptables-1.8.9.tar.xz
+9501cd8572d37a680d46ee0b1e95ede3b3d79ff5e347ca32afb0e5e16b3717ed085c96d2214a3b2e08e10619c3295561d86e18089f18026b7ef20daeeb094587 format-security.patch
ac78898c2acbe66ed8d32a06f41ff08cde7c22c3df6dfec6bc89a912d2cef2bde730de19d25a5407886d567cb0972a0b7bde7e6b18a34c4511495b4dad3b90ad use-sh-iptables-apply.patch
-ce8c4ff001be49b77bb82efc3cb8b9f3c8f8684abcb07d079c6a00fab5c7a22e0d7f66f8ccdf3aab63d8fdb2b01b249679a89561e2f723111c8ce4075681b134 fix-xtables.patch
-015ca550cf27802446d74521b7618095a342663d4fd73700975f3186428ecdc9eec27016f4d40862d3837cbbe0bb43509c1022b19ef8692ab28cc24e18831d57 fix-u_int16_t.patch
a37c17a5382c756fcfb183af73af2283f0d09932c5a767241cbab5d784738f6f587f287a0cdf13b4fa74724ecd3a2063a9689ccee84c1bda02e730f63480f74d iptables.initd
85bb1660c2452fdede5ae0a483489a3648a8b327ea658839a1ad8c6405f6526bdf842a62d4df3f6e3cbbb9ad59137d37b39266cee21e252814191964d4c50f44 iptables.confd
0897a7a22f8b700f7f1f5c355ad6cbf39740e44d6c962af99e479978d8a2d556ca7fe4e31f238829046b4a871ce0b5fd52e2544f1361d15dd1ea3e33992646c4 ip6tables.confd
diff --git a/aports/iptables/fix-u_int16_t.patch b/aports/iptables/fix-u_int16_t.patch
deleted file mode 100644
index 37b3950..0000000
--- a/aports/iptables/fix-u_int16_t.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From f319389525b066b7dc6d389c88f16a0df3b8f189 Mon Sep 17 00:00:00 2001
-From: Nick Hainke <vincent@systemli.org>
-Date: Mon, 16 May 2022 18:16:41 +0200
-Subject: treewide: use uint* instead of u_int*
-
-Gcc complains about missing types. Some commits introduced u_int* instead
-of uint*. Use uint treewide.
-
-Fixes errors in the form of:
-In file included from xtables-legacy-multi.c:5:
-xshared.h:83:56: error: unknown type name 'u_int16_t'; did you mean 'uint16_t'?
- 83 | set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
- | ^~~~~~~~~
- | uint16_t
-make[6]: *** [Makefile:712: xtables_legacy_multi-xtables-legacy-multi.o] Error 1
-
-Avoid libipq API breakage by adjusting libipq.h include accordingly. For
-arpt_mangle.h kernel uAPI header, apply same change as in kernel commit
-e91ded8db5747 ("uapi: netfilter_arp: use __u8 instead of u_int8_t").
-
-Signed-off-by: Nick Hainke <vincent@systemli.org>
-Signed-off-by: Phil Sutter <phil@nwl.cc>
----
- extensions/libxt_conntrack.c | 2 +-
- include/libipq/libipq.h | 8 ++++----
- include/libiptc/libxtc.h | 2 +-
- include/linux/netfilter_arp/arpt_mangle.h | 2 +-
- iptables/xshared.c | 2 +-
- iptables/xshared.h | 2 +-
- libipq/ipq_create_handle.3 | 2 +-
- libipq/ipq_set_mode.3 | 2 +-
- 8 files changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
-index 64018ce1..234085c5 100644
---- a/extensions/libxt_conntrack.c
-+++ b/extensions/libxt_conntrack.c
-@@ -778,7 +778,7 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric,
-
- static void
- conntrack_dump_ports(const char *prefix, const char *opt,
-- u_int16_t port_low, u_int16_t port_high)
-+ uint16_t port_low, uint16_t port_high)
- {
- if (port_high == 0 || port_low == port_high)
- printf(" %s%s %u", prefix, opt, port_low);
-diff --git a/include/libipq/libipq.h b/include/libipq/libipq.h
-index 3cd13292..dd0cb205 100644
---- a/include/libipq/libipq.h
-+++ b/include/libipq/libipq.h
-@@ -24,7 +24,7 @@
- #include <errno.h>
- #include <unistd.h>
- #include <fcntl.h>
--#include <sys/types.h>
-+#include <stdint.h>
- #include <sys/socket.h>
- #include <sys/uio.h>
- #include <asm/types.h>
-@@ -48,19 +48,19 @@ typedef unsigned long ipq_id_t;
- struct ipq_handle
- {
- int fd;
-- u_int8_t blocking;
-+ uint8_t blocking;
- struct sockaddr_nl local;
- struct sockaddr_nl peer;
- };
-
--struct ipq_handle *ipq_create_handle(u_int32_t flags, u_int32_t protocol);
-+struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol);
-
- int ipq_destroy_handle(struct ipq_handle *h);
-
- ssize_t ipq_read(const struct ipq_handle *h,
- unsigned char *buf, size_t len, int timeout);
-
--int ipq_set_mode(const struct ipq_handle *h, u_int8_t mode, size_t len);
-+int ipq_set_mode(const struct ipq_handle *h, uint8_t mode, size_t len);
-
- ipq_packet_msg_t *ipq_get_packet(const unsigned char *buf);
-
-diff --git a/include/libiptc/libxtc.h b/include/libiptc/libxtc.h
-index 37010188..a1d16ef9 100644
---- a/include/libiptc/libxtc.h
-+++ b/include/libiptc/libxtc.h
-@@ -10,7 +10,7 @@ extern "C" {
- #endif
-
- #ifndef XT_MIN_ALIGN
--/* xt_entry has pointers and u_int64_t's in it, so if you align to
-+/* xt_entry has pointers and uint64_t's in it, so if you align to
- it, you'll also align to any crazy matches and targets someone
- might write */
- #define XT_MIN_ALIGN (__alignof__(struct xt_entry))
-diff --git a/include/linux/netfilter_arp/arpt_mangle.h b/include/linux/netfilter_arp/arpt_mangle.h
-index 250f5029..8c2b16a1 100644
---- a/include/linux/netfilter_arp/arpt_mangle.h
-+++ b/include/linux/netfilter_arp/arpt_mangle.h
-@@ -13,7 +13,7 @@ struct arpt_mangle
- union {
- struct in_addr tgt_ip;
- } u_t;
-- u_int8_t flags;
-+ __u8 flags;
- int target;
- };
-
-diff --git a/iptables/xshared.c b/iptables/xshared.c
-index a8512d38..9b5e5b5b 100644
---- a/iptables/xshared.c
-+++ b/iptables/xshared.c
-@@ -1025,7 +1025,7 @@ static const int inverse_for_options[NUMBER_OF_OPT] =
- };
-
- void
--set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
-+set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
- bool invert)
- {
- if (*options & option)
-diff --git a/iptables/xshared.h b/iptables/xshared.h
-index 14568bb0..f8212988 100644
---- a/iptables/xshared.h
-+++ b/iptables/xshared.h
-@@ -80,7 +80,7 @@ struct xtables_target;
- #define IPT_INV_ARPHRD 0x0800
-
- void
--set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
-+set_option(unsigned int *options, unsigned int option, uint16_t *invflg,
- bool invert);
-
- /**
-diff --git a/libipq/ipq_create_handle.3 b/libipq/ipq_create_handle.3
-index 11ef95c4..ebe46daa 100644
---- a/libipq/ipq_create_handle.3
-+++ b/libipq/ipq_create_handle.3
-@@ -24,7 +24,7 @@ ipq_create_handle, ipq_destroy_handle \(em create and destroy libipq handles.
- .br
- .B #include <libipq.h>
- .sp
--.BI "struct ipq_handle *ipq_create_handle(u_int32_t " flags ", u_int32_t " protocol ");"
-+.BI "struct ipq_handle *ipq_create_handle(uint32_t " flags ", uint32_t " protocol ");"
- .br
- .BI "int ipq_destroy_handle(struct ipq_handle *" h );
- .SH DESCRIPTION
-diff --git a/libipq/ipq_set_mode.3 b/libipq/ipq_set_mode.3
-index 0edd3c00..e206886c 100644
---- a/libipq/ipq_set_mode.3
-+++ b/libipq/ipq_set_mode.3
-@@ -24,7 +24,7 @@ ipq_set_mode \(em set the ip_queue queuing mode
- .br
- .B #include <libipq.h>
- .sp
--.BI "int ipq_set_mode(const struct ipq_handle *" h ", u_int8_t " mode ", size_t " range );
-+.BI "int ipq_set_mode(const struct ipq_handle *" h ", uint8_t " mode ", size_t " range );
- .SH DESCRIPTION
- The
- .B ipq_set_mode
---
-cgit v1.2.3
-
diff --git a/aports/iptables/fix-xtables.patch b/aports/iptables/fix-xtables.patch
deleted file mode 100644
index 657c821..0000000
--- a/aports/iptables/fix-xtables.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/libxtables/xtables.c 2022-05-13 13:26:26.000000000 +0000
-+++ b/libxtables/xtables.c 2022-05-17 08:56:52.670556393 +0000
-@@ -45,7 +45,6 @@
-
- #include <xtables.h>
- #include <limits.h> /* INT_MAX in ip_tables.h/ip6_tables.h */
--#include <linux/if_ether.h> /* ETH_ALEN */
- #include <linux/netfilter_ipv4/ip_tables.h>
- #include <linux/netfilter_ipv6/ip6_tables.h>
- #include <libiptc/libxtc.h>
diff --git a/aports/iptables/format-security.patch b/aports/iptables/format-security.patch
new file mode 100644
index 0000000..432aac9
--- /dev/null
+++ b/aports/iptables/format-security.patch
@@ -0,0 +1,31 @@
+Patch-Source: https://git.netfilter.org/iptables/patch/?id=ed4082a7405a5838c205a34c1559e289949200cc
+--
+From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 12 Jan 2023 14:38:44 +0100
+Subject: extensions: NAT: Fix for -Werror=format-security
+
+Have to pass either a string literal or format string to xt_xlate_add().
+
+Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ extensions/libxt_NAT.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
+index da9f2201..2a634398 100644
+--- a/extensions/libxt_NAT.c
++++ b/extensions/libxt_NAT.c
+@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
+ if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
+ return 0;
+
+- xt_xlate_add(xl, tgt);
++ xt_xlate_add(xl, "%s", tgt);
+ if (strlen(range_str))
+ xt_xlate_add(xl, " to %s", range_str);
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
+--
+cgit v1.2.3
+