Bug 2084543
| Summary: | Rebase iptables to current upstream version | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Phil Sutter <psutter> |
| Component: | iptables | Assignee: | Phil Sutter <psutter> |
| Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.1 | CC: | qe-baseos-daemons, todoleza |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.1 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | iptables-1.8.8-1.el9 | Doc Type: | Rebase: Bug Fixes and Enhancements |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-15 11:20:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1917399 | | |
| Bug Blocks: | | | |

Doc Text:

Important: if this rebase instead contains *only bug fixes,* or *only enhancements*, select the correct option from the Doc Type drop-down list.

Rebase package(s) to version: 1.8.8

Highlights, important fixes, or notable enhancements:

Quoting the upstream v1.8.8 release announcement mail, dropping legacy-iptables-specific items and those referencing previously backported commits:

This release contains new features:

* Add iptables-translate support for:
  * sctp match's --chunk-types option
  * connlimit match
  * multiport match's --ports option
  * tcpmss match
* Simplified translation of:
  * tcp match's --tcp-flags option
  * conntrack match
* Reject setuid executables in libxtables for safety reasons
* Support deleting builtin chains in iptables-nft
* Merged arptables-nft rule parser into iptables-nft one, thereby extending arptables-nft by:
  * '-C' and '-S' commands
  * Rule indexes with '-I' and '-R' commands
  * '-c N,M' counter syntax
* Drop support for multiple IPv4 ranges in *NAT targets which required a linux kernel before 2.6.11 anyway
* Use native log expression for NFLOG target with iptables-nft, this allows to use up to 127 character prefix strings
* Use native payload expressions when matching on TCP/UDP header fields in iptables-nft
* Debug output in iptables-nft, iptables-nft-restore and ebtables-nft when specifying '-v' multiple times
* Use native meta expression when matching on fwmark value.

... and fixes:

* Wrong translation of inverted conntrack state/status matches
* Broken ebtables-translate with '-o' and custom chains
* Wrong translation of '--random-fully' option in ip6tables MASQUERADE
* Missing space in listing of mac match
* ebtables-nft drops user-defined chain policies when flushing
* Clarify synopsis in iptables-translate help text
* Potential double free with unrecognized base chains in iptables-nft
* Wrong ip6tables-nft help text (identical with iptables by accident)
* Extra whitespace after --nflog-prefix option of NFLOG target
* Sanitize behaviour for unprivileged callers, allow printing (extension) help
* Trying to use non-existent extensions caused misleading error messages
* Extra newline when printing MARK extension help
* Improved arptables-nft help output

... and documentation updates:

* sctp match types
* Drop documentation of ebtables-nft unsupported atomic options
* Misc typo fixes
* Support for shifted port ranges with DNAT
* (Limited) support for service names with DNAT and REDIRECT
* Review NAT extensions' documentation in man page
* LOG target's --log-macdecode option
Description

Phil Sutter, 2022-05-12 12:03:20 UTC

https://gitlab.com/redhat/centos-stream/rpms/iptables/-/merge_requests/28

Tomas/Jiri, please consider this ticket for qa_ack+ and set ITM as you see fit. Thanks!

I'll backport the following commit from upstream to fix the Sanity/arptables-smoketest failure:

```
commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0
Author: Phil Sutter <phil>
Date:   Tue Jun 7 18:07:00 2022 +0200

    arptables: Support -x/--exact flag

    Legacy arptables accepts but ignores the flag. Yet there are remains of
    the functionality in sources, like OPT_EXPANDED define and a print_num()
    function which acts on FMT_KILOMEGAGIGA flag being set or not. So
    instead of mimicking legacy behaviour by explicitly ignoring -x flag for
    arptables, just enable the feature for it.

    Signed-off-by: Phil Sutter <phil>
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (iptables bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8349