)]}' { "log": [ { "commit": "672d4a9452846646a3017d255fae319e12d92295", "tree": "996423fb58b312b7e780fefc86961de6f9f4de70", "parents": [ "d91f794d75bf120ee2118bb112c859a59723b1b0", "1b1747b4115c9c34a70ab79ba77f6ca084df7840" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 17:06:45 2025 -0800" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Tue Mar 04 17:06:45 2025 -0800" }, "message": "Merge \"iptables: update METADATA \u0026 config.h\" into main am: 1b1747b411\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/3525255\n\nChange-Id: I2a4b536b54cbf73980b00083d914c87dca5d0b17\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "d91f794d75bf120ee2118bb112c859a59723b1b0", "tree": "2bd52d5adafe03f2e7e2e2079758b41e7e109cab", "parents": [ "204df8d8ed191279850faa4f42f3cb129ae23024", "ce9086a4bef6c253534528b66d927850b63186ea" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Tue Mar 04 17:06:35 2025 -0800" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Tue Mar 04 17:06:35 2025 -0800" }, "message": "Merge changes Ia72066c7,I23cf2d01,Ia6dd6fc0,I3d9d49a4 into main am: ce9086a4be\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/3525593\n\nChange-Id: I9f1078bbf95c4e1ed3ab0e2654cb0fd25758ccf4\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "1b1747b4115c9c34a70ab79ba77f6ca084df7840", "tree": "996423fb58b312b7e780fefc86961de6f9f4de70", "parents": [ "ce9086a4bef6c253534528b66d927850b63186ea", "5ff14bf15e5c7883827f551b0a73e87cdf351f54" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 16:43:00 2025 -0800" }, "committer": { "name": "Gerrit Code Review", "email": "noreply-gerritcodereview@google.com", "time": "Tue Mar 04 16:43:00 2025 -0800" }, "message": "Merge \"iptables: update METADATA \u0026 config.h\" into main" }, { "commit": "ce9086a4bef6c253534528b66d927850b63186ea", "tree": "2bd52d5adafe03f2e7e2e2079758b41e7e109cab", "parents": [ "eb20ae967f28f29eede32059d2d6d7f2151ba3fe", "ef366a71eee5a9bad5bc822ba5d118f14827de24" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Tue Mar 04 16:41:54 2025 -0800" }, "committer": { "name": "Gerrit Code Review", "email": "noreply-gerritcodereview@google.com", "time": "Tue Mar 04 16:41:54 2025 -0800" }, "message": "Merge changes Ia72066c7,I23cf2d01,Ia6dd6fc0,I3d9d49a4 into main\n\n* changes:\n Merge upstream iptables at master\n ANDROID: fix build for missing ETH_ALEN definition\n Merge upstream iptables 1.8.11\n Revert \"ANDROID: unconditionally use \u0027all\u0027 for proto 0\"\n" }, { "commit": "5ff14bf15e5c7883827f551b0a73e87cdf351f54", "tree": "996423fb58b312b7e780fefc86961de6f9f4de70", "parents": [ "ef366a71eee5a9bad5bc822ba5d118f14827de24" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 15:42:40 2025 -0800" }, "committer": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 15:42:52 2025 -0800" }, "message": "iptables: update METADATA \u0026 config.h\n\nTest: TreeHugger\nSigned-off-by: Maciej Żenczykowski \u003cmaze@google.com\u003e\nChange-Id: Ic723ba5b3af042d728fa9420723a660b6b117e7c\n" }, { "commit": "ef366a71eee5a9bad5bc822ba5d118f14827de24", "tree": "2bd52d5adafe03f2e7e2e2079758b41e7e109cab", "parents": [ "d18e1bb20bc87a49bc3924821306d4195ac30055", "6310639f697d4a570286960c470a6ec8c324be89" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 14:50:04 2025 -0800" }, "committer": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 14:56:11 2025 -0800" }, "message": "Merge upstream iptables at master\n\nSee:\n https://git.netfilter.org/iptables/commit/?id\u003d6310639f697d4a570286960c470a6ec8c324be89\n\nThis pulls in commit 6310639f697d4a570286960c470a6ec8c324be89:\n configure: Avoid addition assignment operators\n nft: Drop interface mask leftovers from post_parse callbacks\n nft: fix interface comparisons in `-C` commands\n ip[6]tables-translate: fix test failures when WESP is defined\n\nTest: TreeHugger, atest netd_unit_test netd_integration_test\nSigned-off-by: Maciej Żenczykowski \u003cmaze@google.com\u003e\nChange-Id: Ia72066c7ce515307837bf888fc289e6eaa6ec26a\n" }, { "commit": "d18e1bb20bc87a49bc3924821306d4195ac30055", "tree": "cb8d4da92a758bebc7220f258b16cd567b9abea6", "parents": [ "065ae362a07a4de64b899a933d4aeea81038ecfb" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 14:45:49 2025 -0800" }, "committer": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 14:48:44 2025 -0800" }, "message": "ANDROID: fix build for missing ETH_ALEN definition\n\nUpstream has regressed again...\n\nSee also old Android commit 7608e136bd495fe734ad18a6897dd4425e1a633b which did:\n #ifdef __BIONIC__\n #include \u003clinux/if_ether.h\u003e /* ETH_ALEN */\n #endif\n\nTest: TreeHugger\nSigned-off-by: Maciej Żenczykowski \u003cmaze@google.com\u003e\nChange-Id: I23cf2d01bcd0ecead36cc66715029cd247b7320a\n" }, { "commit": "065ae362a07a4de64b899a933d4aeea81038ecfb", "tree": "b3425cdbbb120854a1472274ab139d77a44cce55", "parents": [ "57d8b274e8bf8bb99b4248098c2afe10cee12c3b", "0506bea1dcc8f12d94e7c32bf2fb04abb3fdd269" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 14:37:00 2025 -0800" }, "committer": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 14:37:39 2025 -0800" }, "message": "Merge upstream iptables 1.8.11\n\nSee:\n https://git.netfilter.org/iptables/tag/?h\u003dv1.8.11\n https://git.netfilter.org/iptables/commit/?h\u003dv1.8.11\u0026id\u003d0506bea1dcc8f12d94e7c32bf2fb04abb3fdd269\n\nPulls in commit 0506bea1dcc8f12d94e7c32bf2fb04abb3fdd269:\n configure: Bump version for 1.8.11 release\n libxtables: Hide xtables_strtoul_base() symbol\n Makefile.am: Revert to old serial test harness\n tests: xlate-test: Fix for \u0027make distcheck\u0027\n tests: iptables-test: Fix for \u0027make distcheck\u0027\n tests: shell: Print escape sequences with terminals only\n tests: shell: iptables/0010-wait_0 is unreliable\n tests: iptables-test: Extend fast mode docs a bit\n tests: iptables-test: Properly assert rule deletion errors\n tests: shell: Test ebtables-restore deleting among matches\n ebtables: Simplify ebt_add_{match,watcher}\n ebtables: Clone extensions before modifying them\n tests: shell: Fix for \u0027make distcheck\u0027\n tests: iptables-test: extend coverage for ip6tables\n tests: iptables-test: Fix for duplicate supposed-to-fail errors\n iptables: tests: shell: use bash, not sh\n iptables: tests: add missing make +x\n tests: shell: Test some commands involving rule numbers\n nft: Fix for -Z with bogus rule number\n ebtables: Fix for -S with rule number\n xshared: iptables does not support \u0027-b\u0027\n gitignore: Ignore generated arptables-translate.8\n man: ebtables-nft.8: Note that --concurrent is a NOP\n man: xtables-legacy.8: Join two paragraphs\n tests: iptables-test: Append stderr output to log file\n tests: shell: Adjust for recent changes in libnftnl\n extensions: TPROXY: Fix for translation being non-terminal\n configure: Determine if musl is used for build\n iptables: align xt_CONNMARK with current kernel headers\n nft: ruleparse: Drop \u0027iter\u0027 variable in nft_rule_to_iptables_command_state\n nft: Reduce overhead in nft_rule_find()\n ebtables: Introduce nft_bridge_init_cs()\n ebtables: Zero freed pointers in ebt_cs_clean()\n ebtables: Omit all-wildcard interface specs from output\n arptables: Introduce print_iface()\n libxtables: Debug: Slightly improve extension ordering debugging\n xshared: Move NULL pointer check into save_iface()\n xshared: Make save_iface() static\n extensions: conntrack: Reuse print_state() for old state match\n xshared: Do not omit all-wildcard interface spec when inverted\n arptables: Fix conditional opcode/proto-type printing\n nft: Add potentially missing init_cs calls\n nft: cmd: Init struct nft_cmd::head early\n extensions: conntrack: Use the right callbacks\n extensions: recent: Fix format string for unsigned values\n nft: Fix for zeroing existent builtin chains\n nft: cache: Annotate faked base chains as such\n extensions: recent: New kernels support 999 hits\n nft: Fix for zeroing non-existent builtin chains\n xtables-monitor: Print commands instead of -4/-6/-0 flags\n xtables-monitor: Ignore ebtables policy rules unless tracing\n xtables-monitor: Fix for ebtables rule events\n tests: shell: New xtables-monitor test\n xtables-monitor: Support arptables chain events\n xtables-monitor: Align builtin chain and table output\n xtables-monitor: Flush stdout after all lines of output\n xtables-monitor: Proper re-init for rule\u0027s family\n man: recent: Adjust to changes around ip_pkt_list_tot parameter\n ebtables: Include \u0027bitmask\u0027 value when comparing rules\n extensions: libxt_sctp: Add an extra assert()\n man: extensions: recent: Clarify default value of ip_list_hash_size\n configure: Add option to enable/disable libnfnetlink\n libxtables: Attenuate effects of functions\u0027 internal static buffers\n xshared: Fix parsing of empty string arg in \u0027-c\u0027 option\n xlate: libip6t_mh: Fix and simplify plain \u0027-m mh\u0027 match\n xlate: Improve redundant l4proto match avoidance\n nft: Do not combine inverted payload matches\n extensions: xt_TPROXY: add txlate support\n extensions: xt_socket: add txlate support for socket match\n xtables-translate: Leverage stored protocol names\n nft: Fix for broken recover_rule_compat()\n iptables-save: Avoid /etc/protocols lookups\n libxtables: Add dccp and ipcomp to xtables_chain_protos\n Revert \"xshared: Print protocol numbers if --numeric was given\"\n libxtables: xtoptions: Respect min/max values when completing ranges\n extensions: tcp/udp: Save/xlate inverted full ranges\n nft: Do not omit full ranges if inverted\n extensions: ipcomp: Save inverted full ranges\n extensions: esp: Save/xlate inverted full ranges\n extensions: rt: Save/xlate inverted full ranges\n extensions: mh: Save/xlate inverted full ranges\n extensions: frag: Save/xlate inverted full ranges\n extensions: ah: Save/xlate inverted full ranges\n libxtables: Reject negative port ranges\n libxtables: xtoptions: Assert ranges are monotonic increasing\n extensions: *.t/*.txlate: Test range corner-cases\n ebtables: Fix for memleak with change counters command\n xshared: Introduce xtables_clear_args()\n xshared: Fix for memleak in option merging with ebtables\n xtables-eb: Eliminate \u0027opts\u0027 define\n libxtables: Fix memleak of matches\u0027 udata\n nft: ruleparse: Add missing braces around ternary\n tests: iptables-test: Increase non-fast mode strictness\n extensions: libebt_stp: fix range checking\n iptables: Add missing error codes\n ebtables: Default to extrapositioned negations\n extensions: libxt_HMARK: Review HMARK_parse()\n extensions: libebt_mark_m: Use guided option parser\n extensions: libebt_pkttype: Use guided option parser\n extensions: libxt_limit: Use guided option parser for NFPROTO_BRIDGE, too\n extensions: libebt_arp: Use guided option parser\n extensions: libebt_vlan: Use guided option parser\n extensions: libebt_802_3: Use guided option parser\n extensions: libebt_redirect: Use guided option parser\n extensions: libebt_snat: Use guided option parser\n extensions: libebt_nflog: Use guided option parser\n extensions: libebt_mark: Use guided option parser\n extensions: libebt_log: Use guided option parser\n extensions: libebt_ip: Use guided option parser\n extensions: libebt_ip6: Use guided option parser\n extensions: libebt_dnat: Use guided option parser\n extensions: libebt_arpreply: Use guided option parser\n extensions: libebt_stp: Use guided option parser\n extensions: libebt_*: Drop some needless init callbacks\n ebtables: Support for guided option parser\n libxtables: xtoptions: Treat NFPROTO_BRIDGE as IPv4\n libxtables: xtoptions: Implement XTTYPE_ETHERMACMASK\n libxtables: xtoptions: Support XTOPT_NBO with XTTYPE_UINT*\n libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK\n tests: iptables-test: Use difflib if dumps differ\n iptables-legacy: Fix for mandatory lock waiting\n build: replace `echo -e` with `printf`\n build: add an automake verbosity variable for `ln`\n build: use standard automake verbosity variables\n build: remove unused `AM_VERBOSE_CXX*` variables\n build: remove obsolete `AM_LIBTOOL_SILENT` variable\n build: format `AM_CPPFLAGS` variables\n Fix spelling mistakes\n ebtables: Use do_parse() from xshared\n xshared: Introduce option_test_and_reject()\n ebtables: Use struct xt_cmd_parse\n ebtables: Make \u0027h\u0027 case just a call to print_help()\n ebtables: Pass struct iptables_command_state to print_help()\n ebtables: Change option values to avoid clashes\n ebtables{,-translate}: Convert if-clause to switch()\n xshared: Support for ebtables\u0027 --change-counters command\n xshared: Support rule range deletion in do_parse()\n xshared: Introduce print_help callback (again)\n xshared: Turn command_default() into a callback\n xshared: Perform protocol value parsing in callback\n xshared: do_parse: Skip option checking for CMD_DELETE_NUM\n libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks\n libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm()\n man: Do not escape exclamation marks\n nft: Leave interface masks alone when parsing from kernel\n xshared: Do not populate interface masks per default\n xshared: Entirely ignore interface masks when saving rules\n xshared: Simplify generic_opt_check()\n xshared: Introduce xt_cmd_parse_ops::option_invert\n xshared: Introduce xt_cmd_parse_ops::option_name\n man: proper roff encoding for ~ and ^\n extensions: MARK: arptables: Use guided option parser\n extensions: libarpt_mangle: Use guided option parser\n libxtables: Introduce struct xt_option_entry::base\n libxtables: Introduce xtables_strtoul_base()\n libxtables: Fix guided option parser for use with arptables\n libxtables: Combine the two extension option mergers\n ebtables: Implement --change-counters command\n xshared: do_parse: Ignore \u0027-j CONTINUE\u0027\n ebtables: Align line number formatting with legacy\n ebtables: Make ebt_load_match_extensions() static\n ebtables: Drop append_entry() wrapper\n tests: xlate: Print failing command line\n xshared: Drop pointless CMD_REPLACE check\n xshared: Drop needless assignment in --help case\n xshared: All variants support -v, update OPTSTRING_COMMON\n xshared: struct xt_cmd_parse::xlate is unused\n nft-bridge: nft_bridge_add() uses wrong flags\n Makefile: Install arptables-translate link and man page\n man: more backslash-encoding of characters\n man: limit targets for -P option synopsis\n man: copy synopsis markup from iptables.8 to arptables-nft.8\n man: stop putting non-terminals in italic\n man: repeal manual hyphenation\n man: remove lone .nh command\n man: consistent use of \\(em in Name sections\n extensions: libarpt_standard.t: Add a rule with builtin option masks\n arptables: Fix --proto-type mask formatting\n arptables: Fix formatting of numeric --h-type output\n extensions: MARK: fix arptables support\n arptables-txlate: add test cases\n nft-arp: add arptables-translate\n nft-arp: add missing mask support\n ebtables: Fix corner-case noflush restore bug\n arptables-nft: remove ARPT_INV flags usage\n man: reveal rateest\u0027s combination categories\n man: use .TP for lists in xt_osf man page\n man: use native bullet point markup\n man: grammar fixes to some manpages\n man: consistent casing of \"IPv[46]\"\n man: encode hyphens the way groff/man requires it\n man: encode emdash the way groff/man requires it\n man: encode minushyphen the way groff/man requires it\n man: display number ranges with an en dash\n extensions: string: Adjust description of --to to recent kernel changes\n\nTest: N/A\nSigned-off-by: Maciej Żenczykowski \u003cmaze@google.com\u003e\nChange-Id: Ia6dd6fc055ce61fbe2734c435dfb1e24acaeb5eb\n" }, { "commit": "57d8b274e8bf8bb99b4248098c2afe10cee12c3b", "tree": "7d86ee53c6f1662357f140a17d6dfdd6950d6e1a", "parents": [ "eb20ae967f28f29eede32059d2d6d7f2151ba3fe" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 14:36:32 2025 -0800" }, "committer": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Tue Mar 04 14:36:52 2025 -0800" }, "message": "Revert \"ANDROID: unconditionally use \u0027all\u0027 for proto 0\"\n\nThis reverts commit 9122b27635055a26c8a1d336bcf7382945dc576f.\n\nTest: N/A\nSigned-off-by: Maciej Żenczykowski \u003cmaze@google.com\u003e\nChange-Id: I3d9d49a44e5f16d87d6d0a6049e2cd13a4952927\n" }, { "commit": "6310639f697d4a570286960c470a6ec8c324be89", "tree": "541ec273892c9a1e16594c3e249fee7511d8ac6b", "parents": [ "b3f3e256c263b9a1db49732696aba0dde084ef5e" ], "author": { "name": "Achill Gilgenast", "email": "fossdd@pwned.life", "time": "Tue Jan 28 13:28:48 2025 +0100" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Tue Jan 28 14:36:31 2025 +0100" }, "message": "configure: Avoid addition assignment operators\n\nFor compatability with other /bin/sh like busybox ash, since they don\u0027t\nsupport the addition assignment operators (+\u003d) and otherwise fails with:\n\n\t./configure: line 14174: regular_CFLAGS+\u003d -D__UAPI_DEF_ETHHDR\u003d0: not found\n\nSigned-off-by: Achill Gilgenast \u003cfossdd@pwned.life\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\n" }, { "commit": "204df8d8ed191279850faa4f42f3cb129ae23024", "tree": "27ab57f58eecc27d122e75ef32a2e4c6ff59f6c6", "parents": [ "a71a954618bbadd4a345637e5edcf36eec826889", "eb20ae967f28f29eede32059d2d6d7f2151ba3fe" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Wed Dec 18 14:03:54 2024 -0800" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Dec 18 14:03:54 2024 -0800" }, "message": "Merge \"Add janitors to the OWNERS file\" into main am: eb20ae967f\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/3423255\n\nChange-Id: I301728cd3a859833ec90603068eee95c558a14a0\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "eb20ae967f28f29eede32059d2d6d7f2151ba3fe", "tree": "27ab57f58eecc27d122e75ef32a2e4c6ff59f6c6", "parents": [ "a71a954618bbadd4a345637e5edcf36eec826889", "84d33856657d416ad4be2ccbe3ed6bffa7c5c2eb" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Wed Dec 18 13:29:51 2024 -0800" }, "committer": { "name": "Gerrit Code Review", "email": "noreply-gerritcodereview@google.com", "time": "Wed Dec 18 13:29:51 2024 -0800" }, "message": "Merge \"Add janitors to the OWNERS file\" into main" }, { "commit": "84d33856657d416ad4be2ccbe3ed6bffa7c5c2eb", "tree": "27ab57f58eecc27d122e75ef32a2e4c6ff59f6c6", "parents": [ "a71a954618bbadd4a345637e5edcf36eec826889" ], "author": { "name": "Sadaf Ebrahimi", "email": "sadafebrahimi@google.com", "time": "Wed Dec 18 20:17:38 2024 +0000" }, "committer": { "name": "Sadaf Ebrahimi", "email": "sadafebrahimi@google.com", "time": "Wed Dec 18 20:17:38 2024 +0000" }, "message": "Add janitors to the OWNERS file\n\nTest: TreeHugger\nChange-Id: I28c84dcfc4a189c82ebdd0143839510e1dd44eda\n" }, { "commit": "b3f3e256c263b9a1db49732696aba0dde084ef5e", "tree": "555fde36aa8fc873818bbf8a2c17ccbd191be3e8", "parents": [ "40406dbfaefbc204134452b2747bae4f6a122848" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Nov 15 19:55:32 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 19 23:46:39 2024 +0100" }, "message": "nft: Drop interface mask leftovers from post_parse callbacks\n\nFixed commit only adjusted the IPv4-specific callback for unclear\nreasons.\n\nFixes: fe70364b36119 (\"xshared: Do not populate interface masks per default\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\nReviewed-by: Jeremy Sowden \u003cjeremy@azazel.net\u003e\n" }, { "commit": "40406dbfaefbc204134452b2747bae4f6a122848", "tree": "473ffdb58a20f5f84259f435f4012aeb400a7ba1", "parents": [ "e6e232d0ae252b0b86278455b18d9475b95db8f0" ], "author": { "name": "Jeremy Sowden", "email": "jeremy@azazel.net", "time": "Mon Nov 18 13:56:50 2024 +0000" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 19 23:46:34 2024 +0100" }, "message": "nft: fix interface comparisons in `-C` commands\n\nCommit 9ccae6397475 (\"nft: Leave interface masks alone when parsing from\nkernel\") removed code which explicitly set interface masks to all ones. The\nresult of this is that they are zero. However, they are used to mask interfaces\nin `is_same_interfaces`. Consequently, the masked values are alway zero, the\ncomparisons are always true, and check commands which ought to fail succeed:\n\n # iptables -N test\n # iptables -A test -i lo \\! -o lo -j REJECT\n # iptables -v -L test\n Chain test (0 references)\n pkts bytes target prot opt in out source destination\n 0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable\n # iptables -v -C test -i abcdefgh \\! -o abcdefgh -j REJECT\n REJECT all opt -- in lo out !lo 0.0.0.0/0 -\u003e 0.0.0.0/0 reject-with icmp-port-unreachable\n\nRemove the mask parameters from `is_same_interfaces`. Add a test-case.\n\nFixes: 9ccae6397475 (\"nft: Leave interface masks alone when parsing from kernel\")\nSigned-off-by: Jeremy Sowden \u003cjeremy@azazel.net\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "e6e232d0ae252b0b86278455b18d9475b95db8f0", "tree": "a978c58a44ad7fa61a16fed48b6f386aa1a1b6d1", "parents": [ "0506bea1dcc8f12d94e7c32bf2fb04abb3fdd269" ], "author": { "name": "Jeremy Sowden", "email": "jeremy@azazel.net", "time": "Fri Nov 08 17:34:43 2024 +0000" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 12 14:53:52 2024 +0100" }, "message": "ip[6]tables-translate: fix test failures when WESP is defined\n\nProtocol number 141 is assigned to a real protocol: Wrapped Encapsulating\nSecurity Payload. This is listed in Debian\u0027s /etc/protocols, which leads to\ntest failures:\n\n ./extensions/generic.txlate: Fail\n src: iptables-translate -A FORWARD -p 141\n exp: nft \u0027add rule ip filter FORWARD ip protocol 141 counter\u0027\n res: nft \u0027add rule ip filter FORWARD ip protocol wesp counter\u0027\n\n ./extensions/generic.txlate: Fail\n src: ip6tables-translate -A FORWARD -p 141\n exp: nft \u0027add rule ip6 filter FORWARD meta l4proto 141 counter\u0027\n res: nft \u0027add rule ip6 filter FORWARD meta l4proto wesp counter\u0027\n\n ./extensions/generic.txlate: Fail\n src: iptables-translate -A FORWARD ! -p 141\n exp: nft \u0027add rule ip filter FORWARD ip protocol !\u003d 141 counter\u0027\n res: nft \u0027add rule ip filter FORWARD ip protocol !\u003d wesp counter\u0027\n\n ./extensions/generic.txlate: Fail\n src: ip6tables-translate -A FORWARD ! -p 141\n exp: nft \u0027add rule ip6 filter FORWARD meta l4proto !\u003d 141 counter\u0027\n res: nft \u0027add rule ip6 filter FORWARD meta l4proto !\u003d wesp counter\u0027\n\nReplace it with 253, which IANA reserves for testing and experimentation.\n\nFixes: fcaa99ca9e3c (\"xtables-translate: Leverage stored protocol names\")\nSigned-off-by: Jeremy Sowden \u003cjeremy@azazel.net\u003e\nReviewed-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "0506bea1dcc8f12d94e7c32bf2fb04abb3fdd269", "tree": "99552761992d97503e7c1d9e040ce6e3ef265c24", "parents": [ "b15981e6ff2138b45bce3867454ae084790cbf43" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 11:47:59 2024 +0100" }, "committer": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Fri Nov 08 09:02:36 2024 +0100" }, "message": "configure: Bump version for 1.8.11 release\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "b15981e6ff2138b45bce3867454ae084790cbf43", "tree": "1ec2ccbbe5feb17370e934ed68e7aa368ded6168", "parents": [ "a740ba811a70c318aee0410d42e4fa74e104c440" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Thu Nov 07 17:02:20 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Thu Nov 07 17:41:04 2024 +0100" }, "message": "libxtables: Hide xtables_strtoul_base() symbol\n\nThere are no external users, no need to promote it in xtables.h.\n\nFixes: 1af6984c57cce (\"libxtables: Introduce xtables_strtoul_base()\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\nAcked-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\n" }, { "commit": "a740ba811a70c318aee0410d42e4fa74e104c440", "tree": "5b9bfbfd61fe98d6e797b622a1580af93e08280e", "parents": [ "79787c6eaeed3e1164d2ad87d3c82329bfbd885a" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 15:24:45 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 17:41:55 2024 +0100" }, "message": "Makefile.am: Revert to old serial test harness\n\nRunning the different testsuites in parallel is dangerous since despite\nrunning in different netns, legacy iptables still synchronizes via the\ncommon XTABLES_LOCKFILE.\n\nFixes: e1eaa04e31e44 (\"Makefile.am: Integrate testsuites\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "79787c6eaeed3e1164d2ad87d3c82329bfbd885a", "tree": "4ad3066f22fc80863f4db36c5d83092c51fac710", "parents": [ "55ac47847806c248fe6385f0f273e9e1017ea7ee" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 16:42:46 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 17:41:55 2024 +0100" }, "message": "tests: xlate-test: Fix for \u0027make distcheck\u0027\n\nSimilar problem as with the other suites: The build directory does not\ncontain test cases, only build results.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "55ac47847806c248fe6385f0f273e9e1017ea7ee", "tree": "1dbc9df1037c5231efbe00a88f7fe9797f263db8", "parents": [ "2393d33d4c44c25faf7784414abe546baccf71e4" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 15:18:36 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 16:09:52 2024 +0100" }, "message": "tests: iptables-test: Fix for \u0027make distcheck\u0027\n\nThis was a tricky one: Since called from VPATH topdir, extensions/ do\nnot contain test files at all. The script consequently passed since 0\ntests failed (of 0 in total).\n\nFix this by introducing TESTS_PATH which is extensions/ below the directory\nof the running iptables-test.py. Keep EXTENSIONS_PATH as-is: The built\nextensions are indeed there and XTABLES_LIBDIR must point to them.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "2393d33d4c44c25faf7784414abe546baccf71e4", "tree": "819b0b5d58e74e725e7f3d91ee21f6829312cf98", "parents": [ "ffcf95e18c48b6a86acffb1630d65b07293581b5" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 13:57:30 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 16:09:52 2024 +0100" }, "message": "tests: shell: Print escape sequences with terminals only\n\nIf stdout is not a terminal, don\u0027t print the \u0027[EXECUTING]\u0027 status line\nwhich has to be cleared again.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "ffcf95e18c48b6a86acffb1630d65b07293581b5", "tree": "a32fbb7954f5050e5cec62d97f3c7375529f6e47", "parents": [ "406ff3c3db9475ddf9cf4eb6854d79ca567a98fd" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 15:55:29 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Nov 06 16:09:52 2024 +0100" }, "message": "tests: shell: iptables/0010-wait_0 is unreliable\n\nSometimes the test would fail, especially after removing\n/run/xtables.lock file. Looks like the supposedly blocking\niptables-restore coproc sometimes takes a moment to set things up.\n\nFixes: 63ab5b8906f69 (\"iptables-legacy: Fix for mandatory lock waiting\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "406ff3c3db9475ddf9cf4eb6854d79ca567a98fd", "tree": "03907f7936ebfc4bbc4c8b93b3755638234dbb1e", "parents": [ "6fbd211b48648a337d794ac1e1665d6ed3175a78" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 16:12:11 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 23:58:03 2024 +0100" }, "message": "tests: iptables-test: Extend fast mode docs a bit\n\nTo make things less confusing for new readers, describe at least what\nthe two significant functions do.\n\nFixes: 0e80cfea3762b (\"tests: iptables-test: Implement fast test mode\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "6fbd211b48648a337d794ac1e1665d6ed3175a78", "tree": "47334ac17fe84f2ff82a8539943a5b6a578a080e", "parents": [ "36d87cd8092edc1f256a0505e260cc8d5ccacb33" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 16:07:01 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 23:58:03 2024 +0100" }, "message": "tests: iptables-test: Properly assert rule deletion errors\n\nCapture any non-zero return code, iptables not necessarily returns 1 on\nerror.\n\nA known issue with trying to delete a rule by spec is the unsupported\n--set-counters option. Strip it before deleting the rule.\n\nFixes: c8b7aaabbe1fc (\"add iptables unit test infrastructure\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "36d87cd8092edc1f256a0505e260cc8d5ccacb33", "tree": "4433aeb042d4a00c46f8c7486b58e595a319eb74", "parents": [ "664cada57d72b64bf3ad2335caaf49cd2d942046" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 17:17:01 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 23:58:03 2024 +0100" }, "message": "tests: shell: Test ebtables-restore deleting among matches\n\nRules containing among match would spuriously fail to compare if there\nwas a previous rule with larger among match payload.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "664cada57d72b64bf3ad2335caaf49cd2d942046", "tree": "ffd40107a3d83fc03d1b2ba7cf253a410b781276", "parents": [ "484eba83fe502f6cb010b927380da951cbd1fbab" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 16:00:13 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 23:58:03 2024 +0100" }, "message": "ebtables: Simplify ebt_add_{match,watcher}\n\nNow that extension options are parsed after these functions return, no\nmodifications need to be carried over to the clone and undone in the\noriginal.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "484eba83fe502f6cb010b927380da951cbd1fbab", "tree": "d0b444511644714b5176b54b8cbd41ad527fc8c7", "parents": [ "cdbd798286270b6ad65eb4cfe3a8933430651d0b" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Thu Oct 31 16:18:13 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 23:58:03 2024 +0100" }, "message": "ebtables: Clone extensions before modifying them\n\nUpon identifying an extension option, ebt_command_default() would have\nthe extension parse the option prior to creating a copy for attaching to\nthe iptables_command_state object. After copying, the (modified)\ninitial extension\u0027s data was cleared.\n\nThis somewhat awkward process breaks with among match which increases\nmatch_size if needed (but never reduces it). This change is not undone,\nhence leaks into following instances. This in turn is problematic with\nebtables-restore only (as multiple rules are parsed) and specifically\nwhen deleting rules as the potentially over-sized match_size won\u0027t match\nthe one parsed from the kernel.\n\nA workaround would be to make bramong_parse() realloc the match also if\nnew size is smaller than the old one. This patch attempts a proper fix\nthough, by making ebt_command_default() copy the extension first and\nparsing the option into the copy afterwards.\n\nNo Fixes tag: Prior to commit 24bb57d3f52ac (\"ebtables: Support for\nguided option parser\"), ebtables relied upon the extension\u0027s parser\nreturn code instead of checking option_offset, so copying the extension\nopportunistically wasn\u0027t feasible.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "cdbd798286270b6ad65eb4cfe3a8933430651d0b", "tree": "6dd1669a3d906343e6c80563f28556acff54b19e", "parents": [ "29d78e196c771a8cc0788397a504b1b8c9e40e6e" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Oct 29 12:21:54 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 18:10:24 2024 +0100" }, "message": "tests: shell: Fix for \u0027make distcheck\u0027\n\nThe target performs a \"VPATH build\", so built binaries are not put into\nthe same directory tree as the test script itself. For lack of a better\nway to detect this, assume $PWD in this situation remains being the\nbuild tree\u0027s TLD and check if binaries are present in there.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "29d78e196c771a8cc0788397a504b1b8c9e40e6e", "tree": "4271cde5e523bddbb8e6dab28a0c77fa1599b86a", "parents": [ "d6068deba5a51f906abea6c99dc7d2d07d0d4901" ], "author": { "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org", "time": "Tue Oct 22 17:30:42 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 18:10:24 2024 +0100" }, "message": "tests: iptables-test: extend coverage for ip6tables\n\nUpdate iptables-test.py to run libxt_*.t both for iptables and\nip6tables. For libxt_*.t tests, append the command name to status output\nline. This update requires changes in the existing tests.\n\n* Rename libxt_*.t into libipt_*.t and add libip6_*.t variant.\n\n- TEE\n- TPROXY\n- connlimit\n- conntrack\n- iprange\n- ipvs\n- policy\n- recent\n\n* Rename the following libxt_*.t to libipt_*.t since they are IPv4\n specific:\n\n- standard\n- osf\n\n* Remove IPv4 specific test in libxt_mark.t\n\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "d6068deba5a51f906abea6c99dc7d2d07d0d4901", "tree": "4c7bf99fe37f3779924018877439d631cb4c5e1b", "parents": [ "ce7aab8a5c852352421463a3dcb6f30ca53fb5b2" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Oct 22 16:56:21 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Nov 05 18:10:24 2024 +0100" }, "message": "tests: iptables-test: Fix for duplicate supposed-to-fail errors\n\nUnexpected results for lines which are supposed to fail are reported\ntwice: Once when fast mode runs them individually to clear the path\nbefore batch-handling all others, a second time when non-fast mode takes\nover after fast mode had failed and runs all tests individually again.\n\nSort this nuisance by running these tests silently in fast mode, knowing\nthat they will run again if failing anyway.\n\nFixes: 0e80cfea3762b (\"tests: iptables-test: Implement fast test mode\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "ce7aab8a5c852352421463a3dcb6f30ca53fb5b2", "tree": "a77e7c7f4d760cb33292f53cf23140f3d61cb117", "parents": [ "4d5f501e035bea93ebb699bbee2490d3d5d774c2" ], "author": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Wed Oct 30 10:28:49 2024 +0100" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Wed Oct 30 10:28:49 2024 +0100" }, "message": "iptables: tests: shell: use bash, not sh\n\ndash can\u0027t run this script, so it will fail:\nebtables/0010-change-counters_0: 43: Syntax error: \"(\" unexpected\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\n" }, { "commit": "4d5f501e035bea93ebb699bbee2490d3d5d774c2", "tree": "5c30094d1af2710c62f3078df8cd40c26ab8d86c", "parents": [ "d455bd1a869cd7cfd2b4930409f0232ea73444d7" ], "author": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Tue Oct 29 20:49:56 2024 +0100" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Tue Oct 29 20:51:56 2024 +0100" }, "message": "iptables: tests: add missing make +x\n\nElse, run-tests.sh doesn\u0027t execute it.\n\n--- /tmp/old\n+++ /tmp/new\n@I: [OK] ././testcases/ipt-save/0001load-dumps_0\n I: [OK] ././testcases/ipt-save/0002load-fedora27-firewalld_0\n+I: [OK] ././testcases/ipt-save/0003save-restore_0\n I: [OK] ././testcases/ipt-save/0005iptables_0\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\n" }, { "commit": "d455bd1a869cd7cfd2b4930409f0232ea73444d7", "tree": "0e630b13cbeb9468143d475209bcae190f706f6f", "parents": [ "79816721276e104bd54b684991d1975abad2ca02" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 09 19:08:44 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 16 15:34:50 2024 +0200" }, "message": "tests: shell: Test some commands involving rule numbers\n\nSkip on ip6tables and arptables as they share the relevant code with\niptables.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "79816721276e104bd54b684991d1975abad2ca02", "tree": "b91dfb5c29e5181f6aaa699b11c7f7b94cde234e", "parents": [ "4d36046edada7a6cd4a619ac53496a6d74947f65" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 09 18:43:34 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 16 15:34:50 2024 +0200" }, "message": "nft: Fix for -Z with bogus rule number\n\nThe command is supposed to fail if no rule at given index is found.\nWhile at it, drop the goto and label which are unused since commit\n9b896224e0bfc (\"xtables: rework rule cache logic\").\n\nFixes: a69cc575295ee (\"xtables: allow to reset the counters of an existing rule\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "4d36046edada7a6cd4a619ac53496a6d74947f65", "tree": "23b812a5b65eb758d678544c9d132210adcd8811", "parents": [ "05af72ca6184f08435c1ef31436e1eb7ac931e14" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 09 17:49:41 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 16 15:34:50 2024 +0200" }, "message": "ebtables: Fix for -S with rule number\n\nFor NFT_COMPAT_RULE_SAVE, one has to store the rule number, not its\nindex in nft_cmd object.\n\nFixes: 58d364c7120b5 (\"ebtables: Use do_parse() from xshared\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "05af72ca6184f08435c1ef31436e1eb7ac931e14", "tree": "cfa3e21aeb3a09571cd8f0b5f11cbb3b90d7f781", "parents": [ "9a9f19bd46968ed9a50a782b3755994e01651a21" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Oct 04 23:00:11 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 16 15:31:44 2024 +0200" }, "message": "xshared: iptables does not support \u0027-b\u0027\n\nThis flag is merely known to iptables-restore but actively rejected\nthere and it does not use IPT_OPTSTRING at all.\n\nFixes: 384958620abab (\"use nf_tables and nf_tables compatibility interface\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "9a9f19bd46968ed9a50a782b3755994e01651a21", "tree": "ca858973b33105b7aa887d6fa698cbd8a052943f", "parents": [ "c535160e2da4db6921d4441703ff8ec3beb6f2cd" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Oct 04 22:01:57 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 16 15:31:44 2024 +0200" }, "message": "gitignore: Ignore generated arptables-translate.8\n\nIt is a semantic link created by the build system.\n\nFixes: 68ff869e94a1b (\"Makefile: Install arptables-translate link and man page\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "c535160e2da4db6921d4441703ff8ec3beb6f2cd", "tree": "8dfec39158e5c8d56efc33da1b6231f4a8623797", "parents": [ "42b012d7ad20c4f416d34056d7e2600a60f1f1a4" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Oct 08 18:11:39 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 16 15:31:44 2024 +0200" }, "message": "man: ebtables-nft.8: Note that --concurrent is a NOP\n\nFor obvious reasons, ebtables-nft does not need file-based locking to\nprevent concurrency.\n\nFixes: 1939cbc25e6f5 (\"doc: Adjust ebtables man page\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "42b012d7ad20c4f416d34056d7e2600a60f1f1a4", "tree": "1491080f65898e05fbb978b832c683802f813de9", "parents": [ "78ec113ffd7628d4086b7603889c94984c0f361b" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Oct 08 16:15:03 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 16 15:31:44 2024 +0200" }, "message": "man: xtables-legacy.8: Join two paragraphs\n\nThe second one referring to xtables-monitor seems out of context without\nthe first one, join them.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "78ec113ffd7628d4086b7603889c94984c0f361b", "tree": "9a78ccf66f55d87c71a8a25f48bceba1e7c0d341", "parents": [ "e93372954cf88ac044fb2fc14dcb0e9237804e2d" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 09 12:41:16 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Oct 16 15:31:44 2024 +0200" }, "message": "tests: iptables-test: Append stderr output to log file\n\nRight now this merely contains a number of intrapositioned negation\nwarnings, but might be useful in future when debugging unexpected\nfailures.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "e93372954cf88ac044fb2fc14dcb0e9237804e2d", "tree": "791b55423da409c4c563d694e9631755e567f564", "parents": [ "38fde6a6d9959fe8d0bb25e1800ae996becf0621" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Oct 01 21:43:18 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Oct 01 21:49:45 2024 +0200" }, "message": "tests: shell: Adjust for recent changes in libnftnl\n\nlibnftnl commit a96d5a338f24e (\"rule: Don\u0027t append a newline when\nprinting a rule\") affected nft (and iptables-nft) debug output in that\nno extra newline is appended to rule bytecode output anymore. Tolerate\nthis in the sole test case it breaks by ignoring changes to blank lines.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "38fde6a6d9959fe8d0bb25e1800ae996becf0621", "tree": "e15d8844b5acaf223fb58f321adc4321a08ef165", "parents": [ "76fce22826f8e860b5eb5b5a2463040c17ff85da" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Sep 13 16:57:48 2024 +0200" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Sun Sep 15 17:17:34 2024 +0200" }, "message": "extensions: TPROXY: Fix for translation being non-terminal\n\nnftables users have to explicitly add a verdict: xt_TPROXY\u0027s\ntproxy_tg4() returns NF_ACCEPT if a socket was found and assigned,\nNF_DROP otherwise.\n\nFixes: a62fe15abcc99 (\"extensions: xt_TPROXY: add txlate support\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\n" }, { "commit": "76fce22826f8e860b5eb5b5a2463040c17ff85da", "tree": "4d6418471f7ea1dc89980372c0114062e1b37fa7", "parents": [ "e1496f52699b11569a09603765caeca8a4aed93f" ], "author": { "name": "Joshua Lant", "email": "joshualant@googlemail.com", "time": "Wed Aug 28 13:47:31 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Thu Aug 29 14:07:35 2024 +0200" }, "message": "configure: Determine if musl is used for build\n\nError compiling with musl-libc:\nThe commit hash 810f8568f44f5863c2350a39f4f5c8d60f762958\nintroduces the netinet/ether.h header into xtables.h, which causes an error due\nto the redefinition of the ethhdr struct, defined in linux/if_ether.h and\nnetinet/ether.h. This is fixed by the inclusion of -D__UAPI_DEF_ETHHDR\u003d0 in\nCFLAGS for musl. Automatically check for this macro, since it is defined\nin musl but not in glibc.\n\nSigned-off-by: Joshua Lant joshualant@gmail.com\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "e1496f52699b11569a09603765caeca8a4aed93f", "tree": "72d06a61575543ce0291725ee1e8e314bef34d30", "parents": [ "4e2baaee88de7e92b10e646b2756936b9784fdcb" ], "author": { "name": "Joshua Lant", "email": "joshualant@googlemail.com", "time": "Fri Aug 23 10:22:06 2024 +0100" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Fri Aug 23 16:19:52 2024 +0200" }, "message": "iptables: align xt_CONNMARK with current kernel headers\n\nlibxt_CONNMARK.c declares enum which is declared in the kernel header.\nModify the version of the header in the repo\u0027s include dir to match the\ncurrent kernel, and remove the enum declaration from xt_CONNMARK.c.\n\nSigned-off-by: Joshua Lant joshualant@gmail.com\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\n" }, { "commit": "4e2baaee88de7e92b10e646b2756936b9784fdcb", "tree": "4408a1588088d877b25daaaa445d35e714ebc9ae", "parents": [ "1778e51e5bf670b96a139248f7a0df84ef5b61c2" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 01:58:27 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Aug 14 09:50:31 2024 +0200" }, "message": "nft: ruleparse: Drop \u0027iter\u0027 variable in nft_rule_to_iptables_command_state\n\nUse the same named field in \u0027ctx\u0027 instead, it has to carry the value\nanyway.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "1778e51e5bf670b96a139248f7a0df84ef5b61c2", "tree": "8e7e8d344b5dbe923c874ce50c7e2477ac2e784d", "parents": [ "5bef3c1293092e4849a5d06032b3fa3ec10aba99" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 02:16:05 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Aug 14 09:50:31 2024 +0200" }, "message": "nft: Reduce overhead in nft_rule_find()\n\nWhen iterating through the list of rules in a chain comparing against a\nsample, there is no point in carrying that sample as nftnl_rule object\nand converting into iptables_command_state object prior to each\ncomparison. Just do it up front and adjust the callback accordingly.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "5bef3c1293092e4849a5d06032b3fa3ec10aba99", "tree": "e1c8138659f3f0ac6fb318eb891e657fd2c33745", "parents": [ "7b7c0936303abd0a7b26c8bc1382136265815677" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:07:48 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Aug 14 09:50:31 2024 +0200" }, "message": "ebtables: Introduce nft_bridge_init_cs()\n\nThe custom init done by nft_rule_to_ebtables_command_state() (which is\nalso the reason for its existence in the first place) should better go\ninto an ebtables-specific init_cs callback. Properly calling it from\ndo_commandeb() then removes the need for that custom rule_to_cs\ncallback.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "7b7c0936303abd0a7b26c8bc1382136265815677", "tree": "06a37951f8171abb658eb0a8bd148f4cce2b6616", "parents": [ "e942c8086ad1f92b8fc3547b7b5570a4a17ef1a8" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:02:23 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Aug 14 09:50:31 2024 +0200" }, "message": "ebtables: Zero freed pointers in ebt_cs_clean()\n\nTrying to recycle an iptables_command_state object by calling first\nclear_cs then init_cs callbacks causes invalid data accesses with\nebtables otherwise.\n\nFixes: fe97f60e5d2a9 (\"ebtables-compat: add watchers support\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "e942c8086ad1f92b8fc3547b7b5570a4a17ef1a8", "tree": "099c6c952e41631bbaf30147eebf27726684cee0", "parents": [ "baccf16efb0472dac65c0e4245ff43a49dc92431" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 26 20:43:20 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "ebtables: Omit all-wildcard interface specs from output\n\nRegular code path doesn\u0027t hit this because the conversion to\nlibnftnl_rule takes care of it already. Future changes though will cause\niptables_command_state objects to be printed directly, making this\nrelevant.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "baccf16efb0472dac65c0e4245ff43a49dc92431", "tree": "2a0fe9885ffa5a1c9be6b80fca8a4ca999114d49", "parents": [ "ec64196bbb0520fc99d88e209ff00f8e9a56b3a0" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 13:40:55 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "arptables: Introduce print_iface()\n\nMerge conditional interface printing code for input and output interface\ninto a function.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "ec64196bbb0520fc99d88e209ff00f8e9a56b3a0", "tree": "78a5e6cc04d61903107d67b69531320cfe2f30f4", "parents": [ "8e3e579e753f7a00c099a37ca8601d0da19f14bf" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 26 14:45:33 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "libxtables: Debug: Slightly improve extension ordering debugging\n\nPrint the extension\u0027s real name (if present) and prefix the extension\nlist by a position number for clarity.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "8e3e579e753f7a00c099a37ca8601d0da19f14bf", "tree": "1a3c6209d14ed177a59d17601f7a26eba9706fec", "parents": [ "93e8100c671aada52d8dc5690bfcc1008be6fe86" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 26 20:53:12 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "xshared: Move NULL pointer check into save_iface()\n\nSimplify callers a bit, the function tests other conditions\ndisqualifying any output already.\n\nWhile being at it, invert the conditional - it is more readable this\nway.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "93e8100c671aada52d8dc5690bfcc1008be6fe86", "tree": "347fdcb9a8807c024bf283ee48d050aa3d7d2f1d", "parents": [ "1c86d5513cd79c1df1a5e473ce51256129723f3e" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 26 20:50:15 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "xshared: Make save_iface() static\n\nSince commit 22f2e1fca127b (\"xshared: Share save_rule_details() with\nlegacy\"), there are no callers outside of xshared.c anymore.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "1c86d5513cd79c1df1a5e473ce51256129723f3e", "tree": "0ac27d0effc47a44293c414b9e2597c04ad1f333", "parents": [ "95cdf550cf1c8dfba4fd7af19e5cadc10daead9f" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 26 13:21:09 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "extensions: conntrack: Reuse print_state() for old state match\n\nThe extra bits supported by print_state() won\u0027t be set by the parser, no\nfunctional change expected.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "95cdf550cf1c8dfba4fd7af19e5cadc10daead9f", "tree": "5273fb7f78983cd03ef7a4f58020cdb4fa8e6fba", "parents": [ "25d4d341af5972b5560b31fa5dea72de057cb430" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 26 20:05:48 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "xshared: Do not omit all-wildcard interface spec when inverted\n\nThe rule parses correctly, but the (never matching) part is lost on\noutput.\n\nLooks like a day-1 bug, make it fix the change after which it applies\ncleanly.\n\nFixes: b2197e7834f77 (\"xshared: Entirely ignore interface masks when saving rules\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "25d4d341af5972b5560b31fa5dea72de057cb430", "tree": "69bdb4b62f825c4f0bd0d6503ca67f461c7f4fd2", "parents": [ "0b2e2f38d6c5c373373ab35157b406280b86b503" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 09:12:34 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "arptables: Fix conditional opcode/proto-type printing\n\nThe checks were wrong: nft_arp_init_cs() initializes masks to 65535, not\n0. This went on unnoticed because nft_arp_add() does it right and\ninit_cs callback was not used in e.g. nft_arp_print_rule(). The last\npatch adding init_cs() calls in potentially required spots exposed this\nthough.\n\nFixes: 84909d171585d (\"xtables: bootstrap ARP compatibility layer for nftables\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "0b2e2f38d6c5c373373ab35157b406280b86b503", "tree": "56ee7dc72607500291cdda1cff0afba3a19376e5", "parents": [ "db7fc1862b8bd5e2eea83ed4089fcf35fc01c032" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 15:08:08 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jul 31 23:13:55 2024 +0200" }, "message": "nft: Add potentially missing init_cs calls\n\nThe callback is there for arptables only, so other family specific code\ndoes not need it. Not calling it from family-agnostic code is wrong\nthough, as is ignoring it in arptables-specific code.\n\nFixes: cfdda18044d81 (\"nft-shared: Introduce init_cs family ops callback\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "db7fc1862b8bd5e2eea83ed4089fcf35fc01c032", "tree": "2946587ebb2e0739e5c5e0fcea97633a1763b0a7", "parents": [ "bb2ee075d8a626f2249ef9507927fae155b24093" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Jul 23 21:31:34 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 19:32:57 2024 +0200" }, "message": "nft: cmd: Init struct nft_cmd::head early\n\nCalling nft_cmd_free() in error case segfaults otherwise if the to be\nfreed object is not part of a list yet.\n\nExposed by commit eab75ed36a4f2 (\"nft: Avoid memleak in error path of\nnft_cmd_new()\"), but belongs to commit a7f1e208cdf9c (and may go well\nalong with it).\n\nFixes: a7f1e208cdf9c (\"nft: split parsing from netlink commands\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "bb2ee075d8a626f2249ef9507927fae155b24093", "tree": "e56c55c8621be73a9a1f873b1962d29b64e6377f", "parents": [ "8696f659eadd58505469841a3af16ad2c830e8e5" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 26 13:41:52 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 19:32:57 2024 +0200" }, "message": "extensions: conntrack: Use the right callbacks\n\nThese version-agnostic conntrack match aliases emulating the \u0027state\u0027\nextension introduced by commit 0d70163162589 (\"libxt_state: replace as\nan alias to xt_conntrack\") had incompatible print and save callbacks\nassigned. These callbacks expected struct xt_state_info in match-\u003edata\nwhich is incompatible to any of the actual xt_conntrack_mtinfo* structs\nused.\n\nFixes: b28d4dcc9f555 (\"iptables: state match incompatibilty across versions\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "8696f659eadd58505469841a3af16ad2c830e8e5", "tree": "98f8536946a6dfab2d7495c5c37a228bca76edde", "parents": [ "6a2aeda7585e07c0fcccb0c788299ab5a6a85881" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Thu Jun 20 18:17:16 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 19:32:57 2024 +0200" }, "message": "extensions: recent: Fix format string for unsigned values\n\nBoth fields \u0027seconds\u0027 and \u0027hit_count\u0027 are unsigned, use \u0027%u\u0027\naccordingly. While being at it, also fix coding-style in those lines.\n\nBasically a day-1 bug, have Fixes: point at a reasonably old commit.\n\nFixes: af1660fe0e88c (\"Move libipt_recent to libxt_recent\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "6a2aeda7585e07c0fcccb0c788299ab5a6a85881", "tree": "e759532c057a2f9f85ea246514e28ed7e5e7deab", "parents": [ "f65d1e9a216468d5287fa05894a08e29c0fc8278" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 16:04:31 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 19:28:52 2024 +0200" }, "message": "nft: Fix for zeroing existent builtin chains\n\nPrevious attempt at fixing for non-existent chains actually broke\nfunctionality by adding a check for NFTNL_CHAIN_HANDLE right after\nunsetting the attribute.\n\nThe approach was flawed for another reason, too: Base chains added in\nthe same batch (cf. iptables-restore) have no handle either but zeroing\nthem may still be sensible.\n\nInstead, make use of the new fake chain annotation which identifies\nfakes more reliably.\n\nFixes: f462975fb8049 (\"nft: Fix for zeroing non-existent builtin chains\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "f65d1e9a216468d5287fa05894a08e29c0fc8278", "tree": "bcbabf65580e4c61f7e7b51c22e723fb297f02b5", "parents": [ "d859b91e6f3ed055c22ee7b984b481c5b518d9e1" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 19:13:40 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 19:28:52 2024 +0200" }, "message": "nft: cache: Annotate faked base chains as such\n\nTo avoid pointless kernel ruleset modifications without too many\nworkarounds in user space, code sometimes adds \"fake\" base chains to\ncache. Yet these fake entries happen to prevent base chain creation for\na following command which actually requires them. Fix this by annotating\nthe fake entries as such so *_builtin_init() functions may convert them\ninto real ones.\n\nFixes: fd4b9bf08b9eb (\"nft: Avoid pointless table/chain creation\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "d859b91e6f3ed055c22ee7b984b481c5b518d9e1", "tree": "a044be662417bbc6643d643b056ef018e45df394", "parents": [ "f462975fb8049b9b565cb35cc98302331dbd1548" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 20 02:23:28 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "extensions: recent: New kernels support 999 hits\n\nSince kernel commit f4ebd03496f6 (\"netfilter: xt_recent: Lift\nrestrictions on max hitcount value\"), the max supported hitcount value\nhas increased significantly. Adjust the test to use a value which fails\non old as well as new kernels.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "f462975fb8049b9b565cb35cc98302331dbd1548", "tree": "93af82044c21470c392addcde58694900af827ca", "parents": [ "73ac92c769c5f27ac59266ad94031ab6d54af80b" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Jul 16 21:07:31 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "nft: Fix for zeroing non-existent builtin chains\n\nTrying to zero a specific rule in an entirely empty ruleset caused an\nerror:\n\n| # nft flush ruleset\n| # iptables-nft -Z INPUT\n| iptables v1.8.10 (nf_tables): CHAIN_ZERO failed (No such file or directory): chain INPUT\n\nTo fix this, start by faking any non-existing builtin chains so verbose\nmode prints all the would-be-flushed chains. Later set \u0027skip\u0027 flag if\ngiven chain is a fake one (indicated by missing HANDLE attribute).\nFinally cover for concurrent ruleset updates by checking whether the\nchain exists.\n\nThis bug seems to exist for a long time already, Fixes tag identified\nvia git-bisect. This patch won\u0027t apply to such old trees though, but\ncalling nft_xt_builtin_init() from nft_chain_zero_counters() should work\nthere.\n\nFixes: a6ce0c65d3a39 (\"xtables: Optimize nft_chain_zero_counters()\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "73ac92c769c5f27ac59266ad94031ab6d54af80b", "tree": "c303218d713736096d06d8c8f5236a1e2f720bed", "parents": [ "5aa4935bc88fd8acf90cce4535e58fc3be85f055" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 12 20:30:10 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "xtables-monitor: Print commands instead of -4/-6/-0 flags\n\nThe \u0027-4\u0027 and \u0027-6\u0027 flags are a rarely used feature of iptables-restore.\nThe \u0027-0\u0027 flag is purely artificial and not recognized anywhere (at least\nnot as an arptables rule prefix in this sense). Finally, there is no\nsuch flag for ebtables in the first place. Go with a more intuitively\nclear approach and instead print the typical command which added the\nrule being printed.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "5aa4935bc88fd8acf90cce4535e58fc3be85f055", "tree": "eef6d180618018e98459be083568d41312c271ae", "parents": [ "56217d37aa38938ec3e118ae761481522155ff21" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 12 18:07:16 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "xtables-monitor: Ignore ebtables policy rules unless tracing\n\nDo not expose this implementation detail to users, otherwise new\nuser-defined chains are followed by a new rule event.\n\nWhen tracing, they are useful as they potentially terminate rule\ntraversal.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "56217d37aa38938ec3e118ae761481522155ff21", "tree": "425d69dbebc6abc246ed04dbc15e8b264399aa75", "parents": [ "876a71bf7ad573dea998ca61a03fd35f2b04557b" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 12 14:01:45 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "xtables-monitor: Fix for ebtables rule events\n\nBridge family wasn\u0027t recognized in rule_cb(), so merely an empty\n\"EVENT:\" line was printed for ebtables rule changes. For lack of a\nwell-known family modifier flag for bridge family, simply prefix rules\nby \"ebtables\".\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "876a71bf7ad573dea998ca61a03fd35f2b04557b", "tree": "17e848ff7f2e6f09ca40384bb014714cfc1a8904", "parents": [ "de18b0da0312b81698c1dee76b1a36c47aed52d7" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 12 13:10:08 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "tests: shell: New xtables-monitor test\n\nOnly events monitoring for now.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "de18b0da0312b81698c1dee76b1a36c47aed52d7", "tree": "bdb3ac9b43c4768aaf4554a2206f60efd2660f12", "parents": [ "90fb6635c8b7d1ad22108d838105c01c17a5de44" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 12 15:48:49 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "xtables-monitor: Support arptables chain events\n\nPrint arptables NEWCHAIN/DELCHAIN events just like for iptables, using\nthe \u0027-0\u0027 prefix rule callback already uses.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "90fb6635c8b7d1ad22108d838105c01c17a5de44", "tree": "cc46dddfce6d4ff5170996ce5896271ee59563ba", "parents": [ "69da16a7790048a176a44530eb57e4b60184ce6e" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 12 13:37:12 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "xtables-monitor: Align builtin chain and table output\n\nDrop the leading hash sign and add \"NEW/DEL chain\" annotation.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "69da16a7790048a176a44530eb57e4b60184ce6e", "tree": "094e2a437aa8d22d9d273dfc5a656940648df544", "parents": [ "a5e7f9d14ee404544e2751232e69f993b16e7396" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 12 13:03:18 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "xtables-monitor: Flush stdout after all lines of output\n\nWriting an xtables-monitor testsuite is pretty much impossible without\nthis due to unreliable output flushing. Just move the fflush() call from\ntrace_cb() to its caller so monitor events benefit from it as well.\n\nFixes: 07af4da52ab30 (\"xtables-monitor: fix rule printing\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "a5e7f9d14ee404544e2751232e69f993b16e7396", "tree": "e9a9e3778c5b49169ffbc83f70fd1748360cab3f", "parents": [ "5f904c829791d94c59936e24e419b4137bc7ed92" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 12 12:49:22 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Jul 27 14:32:39 2024 +0200" }, "message": "xtables-monitor: Proper re-init for rule\u0027s family\n\nWhen not running for a specific family only (via -4/-6 flags),\nxtables-monitor potentially sees events/traces for all families. To\ncorrectly parse rules when printing for NEWRULE, DELRULE or TRACE\nmessages, nft_handle has to be reinitialized for the rule\u0027s family.\n\nIt is not sufficient to reset nft_handle::ops: Some expression parsers\nrely upon nft_handle::family to be properly set, too (cf. references to\n\u0027ctx-\u003eh-\u003efamily in nft-ruleparse.c). Adjusting the \u0027afinfo\u0027 pointer\nprovided by libxtables is even more crucial, as e.g. do_parse() in\nxshared.c relies upon it for the proper optstring.\n\nThis is actually a day-1 bug in xtables-monitor which surfaced due to\ncommit 9075c3aa983d9 (\"nft: Increase rule parser strictness\"). Therefore\nmake this fix the commit it is following-up.\n\nFixes: ca69b0290dc50 (\"xtables-monitor: Fix ip6tables rule printing\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "5f904c829791d94c59936e24e419b4137bc7ed92", "tree": "5ae41b497496d1d760ccaea539ed829aa472ad2d", "parents": [ "9d0f4d239ab9d530120d3bc885d7ea41161ddf0b" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jun 12 16:17:28 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri Jul 05 19:15:26 2024 +0200" }, "message": "man: recent: Adjust to changes around ip_pkt_list_tot parameter\n\nThe parameter became obsolete in kernel commit abc86d0f9924 (\"netfilter:\nxt_recent: relax ip_pkt_list_tot restrictions\").\n\nReported-by: Fabio \u003cpedretti.fabio@gmail.com\u003e\nCloses: https://bugzilla.netfilter.org/show_bug.cgi?id\u003d1745\nCc: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "9d0f4d239ab9d530120d3bc885d7ea41161ddf0b", "tree": "3c553c29023fde0ff181e7eba345839a5b46030f", "parents": [ "0234117d24609070f08ef36a11795c3c8e4c19bf" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jun 12 14:22:54 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jun 12 17:14:27 2024 +0200" }, "message": "ebtables: Include \u0027bitmask\u0027 value when comparing rules\n\nThe former FIXME comment pointed at the fact that struct ebt_entry does\nnot have a \u0027flags\u0027 field (unlike struct ipt_ip). In fact, ebt_entry\u0027s\nequivalent is \u0027bitmask\u0027 field. Comparing that instead is the right\nthing to do, even though it does not seem to make a difference in\npractice: No rule options alter just the bitmask value, nor is it\npossible to fill an associated field with default values (e.g. all-zero\nMAC and mask).\n\nSince the situation described above might change and there is a slight\nperformance improvement in some cases (e.g. comparing rules differing\nonly by specified/omitted source/dest MAC address), add the check\nanyway.\n\nSuggested-by: Michael Estner \u003cmichaelestner@web.de\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "0234117d24609070f08ef36a11795c3c8e4c19bf", "tree": "43d2163cc2f938a3dcee247561787fe7f856632f", "parents": [ "14f313ec68e2e4ff7eeb94b0fd125f7adcab77e3" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Fri May 17 15:20:05 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jun 12 17:14:27 2024 +0200" }, "message": "extensions: libxt_sctp: Add an extra assert()\n\nThe code is sane, but this keeps popping up in static code analyzers.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "14f313ec68e2e4ff7eeb94b0fd125f7adcab77e3", "tree": "e8f52f8bf576eaf6ef6570b554a5554358a7fb92", "parents": [ "653db8b938166db7833135f615b90c38a3f27a30" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Apr 24 23:09:39 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Jun 12 17:13:45 2024 +0200" }, "message": "man: extensions: recent: Clarify default value of ip_list_hash_size\n\nThe default value of 0 is a bit confusing.\n\nReported-by: Fabio \u003cpedretti.fabio@gmail.com\u003e\nLink: https://bugzilla.netfilter.org/show_bug.cgi?id\u003d1745\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "653db8b938166db7833135f615b90c38a3f27a30", "tree": "61f7b2881146cc9a632ddd73c47dc830b9b3150a", "parents": [ "8bf2bab8eb2e4f5ae2fef859ea7c877662854101" ], "author": { "name": "Maxin B. John", "email": "maxin.john@intel.com", "time": "Thu Apr 25 10:51:02 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Thu Apr 25 13:22:30 2024 +0200" }, "message": "configure: Add option to enable/disable libnfnetlink\n\nDefault behavior (autodetecting) does not change, but specifying\neither option would explicitly disable or enable libnfnetlink support,\nand if the library is not found in the latter case, ./configure will error\nout.\n\nSigned-off-by: Khem Raj \u003craj.khem@gmail.com\u003e\nSigned-off-by: Maxin B. John \u003cmaxin.john@intel.com\u003e\nSigned-off-by: Alexander Kanavin \u003calex@linutronix.de\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "a71a954618bbadd4a345637e5edcf36eec826889", "tree": "e47751ca5465233b29235001b2c39118e0fd1872", "parents": [ "ad71b9bfb9baccaedd01d9f4fecea2b1bda80a2b", "e6d52238113ea74a807b395372add145fedbcfae" ], "author": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Fri Apr 12 21:14:56 2024 +0000" }, "committer": { "name": "Android (Google) Code Review", "email": "android-gerrit@google.com", "time": "Fri Apr 12 21:14:56 2024 +0000" }, "message": "Merge \"Merge \"Remove NOTICE symlink.\" into main am: 85e290f980 am: b96df86e3c\" into main" }, { "commit": "e6d52238113ea74a807b395372add145fedbcfae", "tree": "e47751ca5465233b29235001b2c39118e0fd1872", "parents": [ "1bb439c103e60f3b14c7091995235ba6f5ff0ebd", "b96df86e3cd84f2f5e70ae9bc9c08a9f48a3f3e3" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Fri Apr 12 21:14:50 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Fri Apr 12 21:14:50 2024 +0000" }, "message": "Merge \"Remove NOTICE symlink.\" into main am: 85e290f980 am: b96df86e3c\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/3037649\n\nChange-Id: Ieecccc06b70a2c357101bcd69b2ac24b1397bffe\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "ad71b9bfb9baccaedd01d9f4fecea2b1bda80a2b", "tree": "e47751ca5465233b29235001b2c39118e0fd1872", "parents": [ "1bb439c103e60f3b14c7091995235ba6f5ff0ebd", "7958e0e22e9ccf1bdff64f892e0bddb7e8516e67" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Fri Apr 12 21:14:44 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Fri Apr 12 21:14:44 2024 +0000" }, "message": "Merge \"Remove NOTICE symlink.\" into main am: 85e290f980 am: 7958e0e22e\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/3037649\n\nChange-Id: I8c2d6be4344622132a911ab75ef0a5147eace1d0\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "7958e0e22e9ccf1bdff64f892e0bddb7e8516e67", "tree": "e47751ca5465233b29235001b2c39118e0fd1872", "parents": [ "f0ab58df66fc24a8625fdff8a93bf201f1883048", "85e290f980fd1f090377e5048ca8b48bd126c055" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Fri Apr 12 20:57:33 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Fri Apr 12 20:57:33 2024 +0000" }, "message": "Merge \"Remove NOTICE symlink.\" into main am: 85e290f980\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/3037649\n\nChange-Id: I3fb9dd98ac42d40f591ea7bbc4f9e99013e0714b\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "b96df86e3cd84f2f5e70ae9bc9c08a9f48a3f3e3", "tree": "e47751ca5465233b29235001b2c39118e0fd1872", "parents": [ "4c4dbdb958419dda1e95fc6ca84b6231f086f6c6", "85e290f980fd1f090377e5048ca8b48bd126c055" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Fri Apr 12 20:56:02 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Fri Apr 12 20:56:02 2024 +0000" }, "message": "Merge \"Remove NOTICE symlink.\" into main am: 85e290f980\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/3037649\n\nChange-Id: I732a27b307c1f31e1bf51cced1a56a145c815c2c\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "85e290f980fd1f090377e5048ca8b48bd126c055", "tree": "e47751ca5465233b29235001b2c39118e0fd1872", "parents": [ "f0ab58df66fc24a8625fdff8a93bf201f1883048", "713f9fb14e117998b6822261843dedd8fe25170e" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Fri Apr 12 20:38:28 2024 +0000" }, "committer": { "name": "Gerrit Code Review", "email": "noreply-gerritcodereview@google.com", "time": "Fri Apr 12 20:38:28 2024 +0000" }, "message": "Merge \"Remove NOTICE symlink.\" into main" }, { "commit": "713f9fb14e117998b6822261843dedd8fe25170e", "tree": "e47751ca5465233b29235001b2c39118e0fd1872", "parents": [ "f0ab58df66fc24a8625fdff8a93bf201f1883048" ], "author": { "name": "Elliott Hughes", "email": "enh@google.com", "time": "Fri Apr 12 18:56:58 2024 +0000" }, "committer": { "name": "Elliott Hughes", "email": "enh@google.com", "time": "Fri Apr 12 18:56:58 2024 +0000" }, "message": "Remove NOTICE symlink.\n\nThe .bp file explicitly points to upstream\u0027s COPYING file.\n\nTest: treehugger\nChange-Id: I07032ea512f785aeddf1a19f83077c64f8cfb751\n" }, { "commit": "8bf2bab8eb2e4f5ae2fef859ea7c877662854101", "tree": "5d41034c577d477c4f25c5daa22324a4c8100c4f", "parents": [ "a2911408959d7e86bc4bad4f1be2551a19ad125c" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Apr 09 15:38:14 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Apr 10 01:09:25 2024 +0200" }, "message": "libxtables: Attenuate effects of functions\u0027 internal static buffers\n\nWhile functions returning pointers to internal static buffers have\nobvious limitations, users are likely unaware how they call each other\ninternally and thus won\u0027t notice unsafe use. One such case is calling\nboth xtables_ipaddr_to_numeric() and xtables_ipmask_to_numeric() as\nparameters for a single printf() call.\n\nDefuse this trap by avoiding the internal calls to\nxtables_ip{,6}addr_to_numeric() which is easily doable since callers\nkeep their own static buffers already.\n\nWhile being at it, make use of inet_ntop() everywhere and also use\nINET_ADDRSTRLEN/INET6_ADDRSTRLEN defines for correct (and annotated)\nstatic buffer sizes.\n\nReported-by: Vitaly Chikunov \u003cvt@altlinux.org\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\nReviewed-by: Vitaly Chikunov \u003cvt@altlinux.org\u003e\n" }, { "commit": "a2911408959d7e86bc4bad4f1be2551a19ad125c", "tree": "27c680e0a60c55923e49df5eaa7214bce0dc304e", "parents": [ "400fb98dde882da4c1d2c763de3f16a8ba1484b4" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Apr 09 13:18:12 2024 +0200" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Wed Apr 10 01:08:45 2024 +0200" }, "message": "xshared: Fix parsing of empty string arg in \u0027-c\u0027 option\n\nCalling iptables with \u0027-c \"\"\u0027 resulted in a call to strchr() with an\ninvalid pointer as \u0027optarg + 1\u0027 points to past the buffer. The most\nsimple fix is to drop the offset: The global optstring part specifies a\nsingle colon after \u0027c\u0027, so getopt() enforces a valid pointer in optarg.\nIf it contains a comma at first position, packet counter value parsing\nwill fail so all cases are covered.\n\nReported-by: gorbanev.es@gmail.com\nCloses: https://bugzilla.netfilter.org/show_bug.cgi?id\u003d1741\nFixes: 60a6073690a45 (\"Make --set-counters (-c) accept comma separated counters\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "400fb98dde882da4c1d2c763de3f16a8ba1484b4", "tree": "9d08fa18405d6f86501a2cb6f2d491929100210d", "parents": [ "d45fb0a4077304a7e3f2c44bbac1bde3a9b49a77" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Mar 05 17:02:56 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Apr 09 23:20:36 2024 +0200" }, "message": "xlate: libip6t_mh: Fix and simplify plain \u0027-m mh\u0027 match\n\nSince core xlate code now ignores \u0027-p mh\u0027 if an mh extension is also\npresent in the rule, mh extension has to emit the l4proto match itself.\nTherefore emit the exthdr match irrespective of \u0027-p\u0027 argument value just\nlike other IPv6 extension header matches do.\n\nFixes: 83f60fb37d594 (\"extensions: mh: Save/xlate inverted full ranges\")\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "d45fb0a4077304a7e3f2c44bbac1bde3a9b49a77", "tree": "7f8643ab3f4d692dbbcbf224e58b82de73893ddb", "parents": [ "681935f6cb5734e120b5efe5aa8512508e2793f4" ], "author": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Mar 05 16:28:29 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Apr 09 23:20:36 2024 +0200" }, "message": "xlate: Improve redundant l4proto match avoidance\n\nxtables-translate tries to avoid \u0027ip protocol\u0027/\u0027meta l4proto\u0027 matches if\nfollowing expressions add this as dependency anyway. E.g.:\n\n| # iptables-translate -A FOO -p tcp -m tcp --dport 22 -j ACCEPT\n| nft \u0027add rule ip filter FOO tcp dport 22 counter accept\u0027\n\nThis worked by searching protocol name in loaded matches, but that\napproach is flawed as the protocol name and corresponding extension may\ndiffer (\"mobility-header\" vs. \"mh\"). Improve this by searching for all\nnames (cached or resolved) for a given protocol number.\n\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "681935f6cb5734e120b5efe5aa8512508e2793f4", "tree": "918fc5fb0bf9b23bc4c1bdf81b11ca9cc1cef644", "parents": [ "a62fe15abcc997c38c3b46c5273961d3e9579293" ], "author": { "name": "Sriram Rajagopalan", "email": "bglsriram@gmail.com", "time": "Wed Mar 13 02:04:37 2024 -0700" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Tue Mar 19 16:57:48 2024 +0100" }, "message": "nft: Do not combine inverted payload matches\n\nFixed the issue with combining the payload in case of invert filter for\ntcp src and dst ports.\n\nSigned-off-by: Sriram Rajagopalan \u003csriramr@arista.com\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "a62fe15abcc997c38c3b46c5273961d3e9579293", "tree": "a534c555f99064620b99b19537ee15cfa8b98e25", "parents": [ "494eae37f2690be4a86fd6516264979afbfe95ca" ], "author": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Fri Mar 08 15:24:28 2024 +0100" }, "committer": { "name": "Phil Sutter", "email": "phil@nwl.cc", "time": "Sat Mar 09 00:01:17 2024 +0100" }, "message": "extensions: xt_TPROXY: add txlate support\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "494eae37f2690be4a86fd6516264979afbfe95ca", "tree": "f1a4445f249e896f677e3f11a94231ec4700a3b1", "parents": [ "fcaa99ca9e3c18f831fe523a0ad79fb1da34b0ec" ], "author": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Wed Mar 06 11:11:25 2024 +0100" }, "committer": { "name": "Florian Westphal", "email": "fw@strlen.de", "time": "Wed Mar 06 21:06:58 2024 +0100" }, "message": "extensions: xt_socket: add txlate support for socket match\n\nv2: document the match semantics of -m socket.\n\nIgnore --nowildcard if used with other options when translating\nand add \"wildcard 0\" if the option is missing.\n\n\"-m socket\" will ignore sockets bound to 0.0.0.0/:: by default,\nunless --nowildcard is given.\n\nSo, xlate must always append \"wildcard 0\", can elide \"wildcard\"\nif other options are present along with --nowildcard.\n\nTo emulate \"-m socket --nowildcard\", check for \"wildcard \u003c\u003d 1\" to\nget a \"socket exists\" type matching.\n\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nAcked-by: Phil Sutter \u003cphil@nwl.cc\u003e\n" }, { "commit": "1bb439c103e60f3b14c7091995235ba6f5ff0ebd", "tree": "c13472d6baa12a26b2427a040b642a7524fa6aa2", "parents": [ "bbed2ba2b66047dcc373011899ec50c70e2ac276", "4c4dbdb958419dda1e95fc6ca84b6231f086f6c6" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Wed Mar 06 06:41:08 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Mar 06 06:41:08 2024 +0000" }, "message": "Merge \"Revert \"ANDROID: extensions/libxt_LOG.c: manually define prioritynames[]\"\" into main am: 2f7a7bc287 am: b37a9e65d0 am: 24e5ad9a4b am: f0ab58df66 am: 4c4dbdb958\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/2800994\n\nChange-Id: Ifc04bedbc81ffdcb50c26cb71fd791fe8cfe82c0\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "bbed2ba2b66047dcc373011899ec50c70e2ac276", "tree": "c13472d6baa12a26b2427a040b642a7524fa6aa2", "parents": [ "e031e8caf5efd26ea519e258a4c5481bf373143a", "645e608975569c51fbffadec4164674b70cc655b" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Wed Mar 06 06:39:42 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Mar 06 06:39:42 2024 +0000" }, "message": "Merge changes from topics \"ipt1810\", \"ipt189\" into main am: 8e74bb6bb5 am: 0a8ee35316 am: 05c685e485 am: 467dd03df1 am: 645e608975\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/2799843\n\nChange-Id: Ib0abbd9f6e5ad5d8e2a8eb6fe7911ba769cd1b29\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "e031e8caf5efd26ea519e258a4c5481bf373143a", "tree": "c13472d6baa12a26b2427a040b642a7524fa6aa2", "parents": [ "59c9561ea721b80447db3a7e7488b59effe0e4bc", "fc8f78a42343fcf99610eb78650667d5b0c82d8c" ], "author": { "name": "Treehugger Robot", "email": "android-test-infra-autosubmit@system.gserviceaccount.com", "time": "Wed Mar 06 06:38:12 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Mar 06 06:38:12 2024 +0000" }, "message": "Merge changes If212f600,Ibbedf6e7,I7f10813f,I370d68c1,I38949223 into main am: 3dd590f333 am: 20799e993e am: f0d39fc4e7 am: d0a5114369 am: fc8f78a423\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/2798950\n\nChange-Id: Ie0d4effebd89f6740e093892b417b372f4b182a9\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "59c9561ea721b80447db3a7e7488b59effe0e4bc", "tree": "c13472d6baa12a26b2427a040b642a7524fa6aa2", "parents": [ "8fa6d8419f1da0080264a41d1337df73e2ff03c6", "55a11c7717d5365de60d4a22def8a361eead0511" ], "author": { "name": "Sam Saccone", "email": "samccone@google.com", "time": "Wed Mar 06 06:35:33 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Mar 06 06:35:33 2024 +0000" }, "message": "Merge \"Move OWNER reference master\u003d\u003emain.\" into main am: 7c488c82e4 am: 0d290e451f am: 9d60c2999e am: 79a37135cc am: dda1fee032 am: 8902cb0d42 am: e2563b1361 am: 55a11c7717\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/2661151\n\nChange-Id: I811c3e17851653406ffba42747d57ad667f30d1b\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "8fa6d8419f1da0080264a41d1337df73e2ff03c6", "tree": "c13472d6baa12a26b2427a040b642a7524fa6aa2", "parents": [ "9b655373b4eac8cae40a9516a4d7026f9581f58a", "3fda8c7e76ca2a76a078d06799de6293aba02d16" ], "author": { "name": "Evgenii Stepanov", "email": "eugenis@google.com", "time": "Wed Mar 06 06:20:10 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Mar 06 06:20:10 2024 +0000" }, "message": "[automerger skipped] [NFC] Move MTE mode settings to a product variable. am: 4c2e8e9be2 am: 6005106fd2 -s ours am: a89c3229ae -s ours am: 06cfeee6a5 -s ours am: 65548ab9c2 -s ours am: 3fda8c7e76 -s ours\n\nam skip reason: Merged-In Ia894b5c70dd846d1a34a7e9ada4dc1442d5f53fb with SHA-1 4c2e8e9be2 is already in history\n\nOriginal change: https://googleplex-android-review.googlesource.com/c/platform/external/iptables/+/23716874\n\nChange-Id: I78311b7258cac3b98d2a768f19f8b614904e9c00\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "9b655373b4eac8cae40a9516a4d7026f9581f58a", "tree": "c13472d6baa12a26b2427a040b642a7524fa6aa2", "parents": [ "d21551d78b5442de436bf6184cf9ddeb0fbeda08", "e670148931484cb9c29df806e653a914c19ce1b1" ], "author": { "name": "Evgenii Stepanov", "email": "eugenis@google.com", "time": "Wed Mar 06 06:18:33 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Mar 06 06:18:33 2024 +0000" }, "message": "[automerger skipped] [NFC] Move MTE mode settings to a product variable. am: 4c2e8e9be2 -s ours am: 26ef810e6a -s ours am: fcc4872b6e -s ours am: dcdd8aef87 -s ours am: 530cb9e570 -s ours am: e670148931 -s ours\n\nam skip reason: Merged-In Ia894b5c70dd846d1a34a7e9ada4dc1442d5f53fb with SHA-1 14c4d09445 is already in history\n\nOriginal change: https://googleplex-android-review.googlesource.com/c/platform/external/iptables/+/23716874\n\nChange-Id: I4dd9e7c1ea32452d0de878dbfa808ff1cecab51b\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "d21551d78b5442de436bf6184cf9ddeb0fbeda08", "tree": "c13472d6baa12a26b2427a040b642a7524fa6aa2", "parents": [ "aab0c4c143a96730bcbb54b118cf385decd5cb56", "64657aa25316744ed07e06b94e40f7208cc5344e" ], "author": { "name": "Evgenii Stepanov", "email": "eugenis@google.com", "time": "Wed Mar 06 06:17:08 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Mar 06 06:17:08 2024 +0000" }, "message": "Merge \"[NFC] Move MTE mode settings to a product variable.\" am: 7a0812ebc3 am: b4fd4142a0 am: 79c7596422 am: cd890a3405 am: 42cdc39beb am: 13567c65bd am: 700b1ce4f3 am: 88964afd67 am: 64657aa253\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/2622505\n\nChange-Id: I27e97f4eb38c65d8035e9b5dc5b407c9c17d5e00\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" }, { "commit": "aab0c4c143a96730bcbb54b118cf385decd5cb56", "tree": "c13472d6baa12a26b2427a040b642a7524fa6aa2", "parents": [ "223f5bb5348669828c31aa892a7dd06fd91fd8e3", "a2a6b9489c75a71b2858de9e48657c0b713642f8" ], "author": { "name": "Maciej Żenczykowski", "email": "maze@google.com", "time": "Wed Mar 06 06:15:19 2024 +0000" }, "committer": { "name": "Automerger Merge Worker", "email": "android-build-automerger-merge-worker@system.gserviceaccount.com", "time": "Wed Mar 06 06:15:19 2024 +0000" }, "message": "Merge \"Revert \"ANDROID: extensions/libxt_LOG.c: manually define prioritynames[]\"\" into main am: 2f7a7bc287 am: b37a9e65d0 am: 84c05e0b96 am: 54c410d7f6 am: a2a6b9489c\n\nOriginal change: https://android-review.googlesource.com/c/platform/external/iptables/+/2800994\n\nChange-Id: Ia0af1011cf1aa8841e8b3b2c41262e1cfae0a2f7\nSigned-off-by: Automerger Merge Worker \u003candroid-build-automerger-merge-worker@system.gserviceaccount.com\u003e\n" } ], "next": "223f5bb5348669828c31aa892a7dd06fd91fd8e3" }