!5 update1.8.1

Merge pull request !5 from zhouxudong8/zxd
2020-01-11 20:47:33 +08:00 · 2020-01-11 20:47:33 +08:00 · 39708db643
commit 39708db643
parent a9b3582ca5 9e25cff7f5
18 changed files with 44 additions and 716 deletions
--- a/Allocate-rule-cache-just-once.patch
+++ b/Allocate-rule-cache-just-once.patch
@ -1,38 +0,0 @@
 From c2594475dd270e3a81033fed2e5251dbd5ce319b Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 2 Aug 2018 17:05:08 +0200
 Subject: xtables: Allocate rule cache just once
 For each parsed table, xtables-restore calls nft_table_flush() which
 each time allocates a new rule cache, possibly overwriting the pointer
 to the previously allocated one. Fix this by checking the pointer value
 and only allocate if it's NULL.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/iptables/nft.c b/iptables/nft.c
 index a9cb92ed..d5c4c766 100644
 --- a/iptables/nft.c
 +++ b/iptables/nft.c
@@ -1867,9 +1867,11 @@ next:
 		t = nftnl_table_list_iter_next(iter);
 	}
 -	h->rule_cache = nftnl_rule_list_alloc();
 -	if (h->rule_cache == NULL)
 -		return -1;
 +	if (!h->rule_cache) {
 +		h->rule_cache = nftnl_rule_list_alloc();
 +		if (h->rule_cache == NULL)
 +			return -1;
 +	}
 err_table_iter:
 	nftnl_table_list_iter_destroy(iter);
 -- 
 cgit v1.2.1
--- a/Fix-for-nft_rule_flush-returning-garbage.patch
+++ b/Fix-for-nft_rule_flush-returning-garbage.patch
@ -1,54 +0,0 @@
 From 89d344381c81bd1d5f29b498844f20280200c786 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 2 Aug 2018 17:05:09 +0200
 Subject: xtables: Fix for nft_rule_flush() returning garbage
 Due to variable 'ret' not being initialized in all situations, return
 code of the function depends on garbage in stack. Fix this by
 initializing 'ret' to zero upon declaration.
 While being at it, make nftnl_chain_list_get() failure as well as
 nftnl_chain_list_iter_create() failure an error condition since both
 functions should succeed even if the current ruleset does not contain
 any chains at all.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/iptables/nft.c b/iptables/nft.c
 index d5c4c766..f2d6ea13 100644
 --- a/iptables/nft.c
 +++ b/iptables/nft.c
@@ -1474,7 +1474,7 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
 int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
 {
 -	int ret;
 +	int ret = 0;
 	struct nftnl_chain_list *list;
 	struct nftnl_chain_list_iter *iter;
 	struct nftnl_chain *c;
@@ -1486,13 +1486,15 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
 	list = nftnl_chain_list_get(h);
 	if (list == NULL) {
 -		ret = 0;
 +		ret = 1;
 		goto err;
 	}
 	iter = nftnl_chain_list_iter_create(list);
 -	if (iter == NULL)
 +	if (iter == NULL) {
 +		ret = 1;
 		goto err;
 +	}
 	c = nftnl_chain_list_iter_next(iter);
 	while (c != NULL) {
 -- 
 cgit v1.2.1
--- a/Fix-for-potential-array-boundary-overstep.patch
+++ b/Fix-for-potential-array-boundary-overstep.patch
@ -1,30 +0,0 @@
 From bfd41c8d99a54769678e0c66d55797082bf1edd3 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Mon, 10 Sep 2018 23:35:15 +0200
 Subject: ebtables: Fix for potential array boundary overstep
 Fix the parameter check in nft_ebt_standard_target() to avoid an array
 out of bounds access in ebt_standard_targets.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft-bridge.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
 index 1fe26bab..9d49ccbe 100644
 --- a/iptables/nft-bridge.h
 +++ b/iptables/nft-bridge.h
@@ -78,7 +78,7 @@ static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
 static inline const char *nft_ebt_standard_target(unsigned int num)
 {
 -	if (num > NUM_STANDARD_TARGETS)
 +	if (num >= NUM_STANDARD_TARGETS)
 		return NULL;
 	return ebt_standard_targets[num];
 -- 
 cgit v1.2.1
--- a/Fix-for-segfault-in-iptables-nft.patch
+++ b/Fix-for-segfault-in-iptables-nft.patch
@ -1,93 +0,0 @@
 m 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Fri, 17 Aug 2018 15:35:47 +0200
 Subject: xtables: Fix for segfault in iptables-nft
 Trying to set a chain's policy in an invalid table resulted in a
 segfault. Reproducer was:
 | # iptables -t broute -P BROUTING ACCEPT
 Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
 returned NULL for the given table name.
 For an illustrative error message, set errno to ENXIO in the above case
 and add an appropriate Mesage to nft_strerror().
 While being at it, improve the error message if an invalid policy was
 given. Before:
 | # iptables-nft -t filter -P INPUT ACCEPTdf
 | iptables: Incompatible with this kernel.
 After:
 | # iptables-nft -t filter -P INPUT ACCEPTdf
 | iptables: Bad policy name. Run `dmesg' for more information.
 Third unrelated change in this patch: Drop error checking of
 nft_chain_set() in do_commandx(): The function never returns negative,
 so that check never yielded true.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft.c     | 11 +++++++++--
 iptables/xtables.c |  3 ---
 2 files changed, 9 insertions(+), 5 deletions(-)
 diff --git a/iptables/nft.c b/iptables/nft.c
 index 0b29caeb..dd8469a9 100644
 --- a/iptables/nft.c
 +++ b/iptables/nft.c
@@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
 	struct builtin_chain *_c;
 	_t = nft_table_builtin_find(h, table);
 +	if (!_t) {
 +		errno = ENXIO;
 +		return NULL;
 +	}
 +
 	/* if this built-in table does not exists, create it */
 -	if (_t != NULL)
 -		nft_table_builtin_add(h, _t);
 +	nft_table_builtin_add(h, _t);
 	_c = nft_chain_builtin_find(_t, chain);
 	if (_c != NULL) {
@@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
 		c = nft_chain_new(h, table, chain, NF_DROP, counters);
 	else if (strcmp(policy, "ACCEPT") == 0)
 		c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
 +	else
 +		errno = EINVAL;
 	if (c == NULL)
 		return 0;
@@ -2828,6 +2834,7 @@ const char *nft_strerror(int err)
 	      "Bad rule (does a matching rule exist in that chain?)" },
 	    { nft_chain_set, ENOENT, "Bad built-in chain name" },
 	    { nft_chain_set, EINVAL, "Bad policy name" },
 +	    { nft_chain_set, ENXIO, "Bad table name" },
 	    { NULL, ELOOP, "Loop found in table" },
 	    { NULL, EPERM, "Permission denied (you must be root)" },
 	    { NULL, 0, "Incompatible with this kernel" },
 diff --git a/iptables/xtables.c b/iptables/xtables.c
 index d9050b45..72f65962 100644
 --- a/iptables/xtables.c
 +++ b/iptables/xtables.c
@@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 		break;
 	case CMD_SET_POLICY:
 		ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
 -		if (ret < 0)
 -			xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n",
 -				      p.policy);
 		break;
 	default:
 		/* We should never reach this... */
 -- 
 cgit v1.2.1
--- a/Fix-for-segfault-when-registering-hashlimit-extension.patch
+++ b/Fix-for-segfault-when-registering-hashlimit-extension.patch
@ -1,33 +0,0 @@
 From 37b68b2bc903112a74545c7f4a49c89e889582a9 Mon Sep 17 00:00:00 2001
 From: Heena Sirwani <heenasirwani@gmail.com>
 Date: Tue, 21 Aug 2018 17:25:56 +0530
 Subject: xtables: Fix for segfault when registering hashlimit extension
 This patch fixes the crash when registering the hashlimit extension
 with xtables during init_extensions(when built with static libs) .
 The option validation function xtables_option_metavalidate has a
 loop termination condition of the entry name being NULL. The loop
 does not terminate when validating hashlimit_mt_opts_v2 which causes
 a crash on derefencing an invalid entry.
 Signed-off-by: Heena Sirwani <heenasirwani@gmail.com>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 extensions/libxt_hashlimit.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
 index 70bc615b..7d78d852 100644
 --- a/extensions/libxt_hashlimit.c
 +++ b/extensions/libxt_hashlimit.c
@@ -205,6 +205,7 @@ static const struct xt_option_entry hashlimit_mt_opts_v2[] = {
 	{.name = "hashlimit-mode", .id = O_MODE, .type = XTTYPE_STRING},
 	{.name = "hashlimit-name", .id = O_NAME, .type = XTTYPE_STRING,
 	 .flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name), .min = 1},
 +	XTOPT_TABLEEND,
 };
 #undef s
 -- 
 cgit v1.2.1
--- a/Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
+++ b/Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
@ -1,31 +0,0 @@
 From 7c9a1521105aa515a272e2d04fa806bed8b43396 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Wed, 19 Sep 2018 15:17:07 +0200
 Subject: arptables: Fix incorrect strcmp() in nft_arp_rule_find()
 Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to
 strcmp() may be passed a NULL pointer. Therefore check if the pointer is
 valid before doing so.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft-arp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
 index b8e89826..a2109c60 100644
 --- a/iptables/nft-arp.c
 +++ b/iptables/nft-arp.c
@@ -661,7 +661,7 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
 	if (!compare_targets(cs->target, this.target))
 		return false;
 -	if (strcmp(cs->jumpto, this.jumpto) != 0)
 +	if (this.jumpto && strcmp(cs->jumpto, this.jumpto) != 0)
 		return false;
 	return true;
 -- 
 cgit v1.2.1
--- a/Fix-opcode-printing-in-numeric-output.patch
+++ b/Fix-opcode-printing-in-numeric-output.patch
@ -1,29 +0,0 @@
 From 3f279553a2908bfa3ad76211ee657c97e4103563 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 2 Aug 2018 17:05:22 +0200
 Subject: arptables: Fix opcode printing in numeric output
 This line of code was dropped by accident, add it back.
 Fixes: 68e5e18210b8d ("nft-arp: adds nft_arp_save_firewall")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft-arp.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
 index 5cabb93e..570a2589 100644
 --- a/iptables/nft-arp.c
 +++ b/iptables/nft-arp.c
@@ -543,6 +543,7 @@ after_devdst:
 		if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC))
 			printf("--opcode %s", opcodes[tmp-1]);
 		else
 +			printf("--opcode %d", tmp);
 		if (fw->arp.arpop_mask != 65535)
 			printf("/%d", ntohs(fw->arp.arpop_mask));
 -- 
 cgit v1.2.1
--- a/Fix-potential-array-overrun-in-xtables_option_parse.patch
+++ b/Fix-potential-array-overrun-in-xtables_option_parse.patch
@ -1,30 +0,0 @@
 From 4144571f87c094471419ef59e8bb89ef33cd1365 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Mon, 10 Sep 2018 23:35:13 +0200
 Subject: libxtables: Fix potential array overrun in xtables_option_parse()
 If entry->type is to be used as array index, it needs to be at max one
 less than that array's size.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 libxtables/xtoptions.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
 index ba3128bd..326febd5 100644
 --- a/libxtables/xtoptions.c
 +++ b/libxtables/xtoptions.c
@@ -844,7 +844,7 @@ void xtables_option_parse(struct xt_option_call *cb)
 	 * a *RC option type.
 	 */
 	cb->nvals = 1;
 -	if (entry->type <= ARRAY_SIZE(xtopt_subparse) &&
 +	if (entry->type < ARRAY_SIZE(xtopt_subparse) &&
 	    xtopt_subparse[entry->type] != NULL)
 		xtopt_subparse[entry->type](cb);
 	/* Exclusion with other flags tested later in finalize. */
 -- 
 cgit v1.2.1
--- a/Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
+++ b/Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
@ -1,72 +0,0 @@
 From 82d278c19f8f187e78c90c91834018b16c007098 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 2 Aug 2018 17:05:11 +0200
 Subject: xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs
 Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are
 not added to the cache.
 There is one exception though, namely when zeroing counters:
 nft_chain_zero_counters() adds a chain object it took from chain cache.
 To distinguish this situation from the others, introduce
 NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like
 NFT_COMPAT_CHAIN_ADD but batch_obj_del() does not free it's chain.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
 diff --git a/iptables/nft.c b/iptables/nft.c
 index 26df1287..327c19ad 100644
 --- a/iptables/nft.c
 +++ b/iptables/nft.c
@@ -246,6 +246,7 @@ enum obj_update_type {
 	NFT_COMPAT_CHAIN_USER_FLUSH,
 	NFT_COMPAT_CHAIN_UPDATE,
 	NFT_COMPAT_CHAIN_RENAME,
 +	NFT_COMPAT_CHAIN_ZERO,
 	NFT_COMPAT_RULE_APPEND,
 	NFT_COMPAT_RULE_INSERT,
 	NFT_COMPAT_RULE_REPLACE,
@@ -310,6 +311,7 @@ static int mnl_append_error(const struct nft_handle *h,
 			 nftnl_table_get_str(o->table, NFTNL_TABLE_NAME));
 		break;
 	case NFT_COMPAT_CHAIN_ADD:
 +	case NFT_COMPAT_CHAIN_ZERO:
 	case NFT_COMPAT_CHAIN_USER_ADD:
 	case NFT_COMPAT_CHAIN_USER_DEL:
 	case NFT_COMPAT_CHAIN_USER_FLUSH:
@@ -2445,9 +2447,10 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
 	case NFT_COMPAT_TABLE_FLUSH:
 		nftnl_table_free(o->table);
 		break;
 -	case NFT_COMPAT_CHAIN_ADD:
 +	case NFT_COMPAT_CHAIN_ZERO:
 	case NFT_COMPAT_CHAIN_USER_ADD:
 		break;
 +	case NFT_COMPAT_CHAIN_ADD:
 	case NFT_COMPAT_CHAIN_USER_DEL:
 	case NFT_COMPAT_CHAIN_USER_FLUSH:
 	case NFT_COMPAT_CHAIN_UPDATE:
@@ -2496,6 +2499,7 @@ static int nft_action(struct nft_handle *h, int action)
 						   n->seq, n->table);
 			break;
 		case NFT_COMPAT_CHAIN_ADD:
 +		case NFT_COMPAT_CHAIN_ZERO:
 			nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN,
 						   NLM_F_CREATE, n->seq,
 						   n->chain);
@@ -2881,7 +2885,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
 		nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
 -		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
 +		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c);
 		if (chain != NULL)
 			break;
 -- 
 cgit v1.2.1
--- a/Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch
+++ b/Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch
@ -1,31 +0,0 @@
 From c2895eaf7a9d604c4aa10848ad46cdde48a00357 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 2 Aug 2018 17:05:10 +0200
 Subject: xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs
 These always have to be freed because nft_chain_user_del() removes them
 from the cache so they are not freed when the chain cache is flushed.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/iptables/nft.c b/iptables/nft.c
 index f2d6ea13..26df1287 100644
 --- a/iptables/nft.c
 +++ b/iptables/nft.c
@@ -2447,8 +2447,8 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
 		break;
 	case NFT_COMPAT_CHAIN_ADD:
 	case NFT_COMPAT_CHAIN_USER_ADD:
 -	case NFT_COMPAT_CHAIN_USER_DEL:
 		break;
 +	case NFT_COMPAT_CHAIN_USER_DEL:
 	case NFT_COMPAT_CHAIN_USER_FLUSH:
 	case NFT_COMPAT_CHAIN_UPDATE:
 	case NFT_COMPAT_CHAIN_RENAME:
 -- 
 cgit v1.2.1
--- a/fix-crash-if-nft_rule_list_get-fails.patch
+++ b/fix-crash-if-nft_rule_list_get-fails.patch
@ -1,31 +0,0 @@
 From 907da5c505b219537586f7c2bdb7320c4f97386f Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 19 Jul 2018 18:31:53 +0200
 Subject: xtables: fix crash if nft_rule_list_get() fails
 Without this, trying to add a rule using ebtables without proper
 permissions crashes the program.
 Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/nft.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/iptables/nft.c b/iptables/nft.c
 index 3cacf5fe..e1788dba 100644
 --- a/iptables/nft.c
 +++ b/iptables/nft.c
@@ -1176,7 +1176,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
 	if (batch_rule_add(h, type, r) < 0)
 		nftnl_rule_free(r);
 -	nft_rule_list_get(h);
 +	if (!nft_rule_list_get(h))
 +		return 0;
 	nftnl_rule_list_add_tail(r, h->rule_cache);
 -- 
 cgit v1.2.1
--- a/free-the-table-lock-when-skipping-a-table.patch
+++ b/free-the-table-lock-when-skipping-a-table.patch
@ -1,192 +0,0 @@
 From 31e4b5906ff676a3c13060d6f456d72b7f6c90c2 Mon Sep 17 00:00:00 2001
 From: Joel Goguen <contact+netfilter@jgoguen.ca>
 Date: Wed, 11 Jul 2018 16:32:20 -0700
 Subject: iptables-restore: free the table lock when skipping a table
 Currently, when running `iptables-restore --table=X`, where `X` is not the first
 table in the rules dump, the restore will fail when parsing the second table:
 - a lock is acquird when parsing the first table name
 - the table name does not match the parameter to `--table` so processing
  continues until the next table
 - when processing the next table a lock is acquired, which fails because a lock
  is already held
 Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
 This will release the lock as soon as it's decided the current table won't be
 used.
 Signed-off-by: Joel Goguen <contact+netfilter@jgoguen.ca>
 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 iptables/ip6tables-restore.c                       |  7 +++-
 iptables/iptables-restore.c                        |  7 +++-
 .../ipt-restore/0001load-specific-table_0          | 41 ++++++++++++++++++++++
 .../testcases/ipt-restore/dumps/ip6tables.dump     | 30 ++++++++++++++++
 .../testcases/ipt-restore/dumps/iptables.dump      | 30 ++++++++++++++++
 5 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
 create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
 create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
 diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
 index cc50bb4f..d36f92da 100644
 --- a/iptables/ip6tables-restore.c
 +++ b/iptables/ip6tables-restore.c
@@ -325,8 +325,13 @@ int ip6tables_restore_main(int argc, char *argv[])
 			strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
 			curtable[XT_TABLE_MAXNAMELEN] = '\0';
 -			if (tablename != NULL && strcmp(tablename, table) != 0)
 +			if (tablename != NULL && strcmp(tablename, table) != 0) {
 +				if (lock >= 0) {
 +					xtables_unlock(lock);
 +					lock = XT_LOCK_NOT_ACQUIRED;
 +				}
 				continue;
 +			}
 			if (handle)
 				ops->free(handle);
 diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
 index d5603fce..142ddb82 100644
 --- a/iptables/iptables-restore.c
 +++ b/iptables/iptables-restore.c
@@ -323,8 +323,13 @@ iptables_restore_main(int argc, char *argv[])
 			strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
 			curtable[XT_TABLE_MAXNAMELEN] = '\0';
 -			if (tablename && (strcmp(tablename, table) != 0))
 +			if (tablename && (strcmp(tablename, table) != 0)) {
 +				if (lock >= 0) {
 +					xtables_unlock(lock);
 +					lock = XT_LOCK_NOT_ACQUIRED;
 +				}
 				continue;
 +			}
 			if (handle)
 				ops->free(handle);
 diff --git a/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
 new file mode 100755
 index 00000000..ce3bef3a
 --- /dev/null
 +++ b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
@@ -0,0 +1,41 @@
 +#!/bin/bash
 +
 +RET=0
 +tmpfile=""
 +
 +set -x
 +
 +clean_tempfile()
 +{
 +	if [ -n "${tmpfile}" ]; then
 +		rm -f "${tmpfile}"
 +	fi
 +}
 +
 +trap clean_tempfile EXIT
 +
 +tmpfile=$(mktemp) || exit 1
 +
 +do_simple()
 +{
 +	iptables="${1}"
 +	table="${2}"
 +	dumpfile="$(dirname "${0}")/dumps/${iptables}.dump"
 +
 +	"$XT_MULTI" "${iptables}-restore" --table="${table}" <"${dumpfile}"; rv=$?
 +
 +	if [ "${rv}" -ne 0 ]; then
 +		RET=1
 +	fi
 +}
 +
 +do_simple "iptables" "filter"
 +do_simple "iptables" "mangle"
 +do_simple "iptables" "raw"
 +do_simple "iptables" "nat"
 +do_simple "ip6tables" "filter"
 +do_simple "ip6tables" "mangle"
 +do_simple "ip6tables" "raw"
 +do_simple "ip6tables" "nat"
 +
 +exit "${RET}"
 diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
 new file mode 100644
 index 00000000..4ac4f882
 --- /dev/null
 +++ b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
@@ -0,0 +1,30 @@
 +*nat
 +:PREROUTING ACCEPT [0:0]
 +:INPUT ACCEPT [0:0]
 +:OUTPUT ACCEPT [8:656]
 +:POSTROUTING ACCEPT [8:656]
 +COMMIT
 +
 +*mangle
 +:PREROUTING ACCEPT [794:190738]
 +:INPUT ACCEPT [794:190738]
 +:FORWARD ACCEPT [0:0]
 +:OUTPUT ACCEPT [991:170303]
 +:POSTROUTING ACCEPT [991:170303]
 +COMMIT
 +
 +*raw
 +:PREROUTING ACCEPT [794:190738]
 +:OUTPUT ACCEPT [991:170303]
 +COMMIT
 +
 +*filter
 +:INPUT DROP [0:0]
 +:FORWARD DROP [0:0]
 +:OUTPUT ACCEPT [991:170303]
 +-A INPUT -i lo -j ACCEPT
 +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 +-A INPUT -p ipv6-icmp -j ACCEPT
 +-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp6-port-unreachable
 +-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp6-port-unreachable
 +COMMIT
 diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
 new file mode 100644
 index 00000000..6e4e42d3
 --- /dev/null
 +++ b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
@@ -0,0 +1,30 @@
 +*nat
 +:PREROUTING ACCEPT [1:89]
 +:INPUT ACCEPT [0:0]
 +:OUTPUT ACCEPT [351:24945]
 +:POSTROUTING ACCEPT [351:24945]
 +COMMIT
 +
 +*mangle
 +:PREROUTING ACCEPT [3270:1513114]
 +:INPUT ACCEPT [3270:1513114]
 +:FORWARD ACCEPT [0:0]
 +:OUTPUT ACCEPT [3528:1087907]
 +:POSTROUTING ACCEPT [3546:1090751]
 +COMMIT
 +
 +*raw
 +:PREROUTING ACCEPT [3270:1513114]
 +:OUTPUT ACCEPT [3528:1087907]
 +COMMIT
 +
 +*filter
 +:INPUT DROP [37:4057]
 +:FORWARD DROP [0:0]
 +:OUTPUT ACCEPT [3528:1087907]
 +-A INPUT -i lo -j ACCEPT
 +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 +-A INPUT -p icmp -j ACCEPT
 +-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable
 +-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
 +COMMIT
 -- 
 cgit v1.2.1
--- a/iptables-1.6.0-iptables-apply_mktemp.patch
+++ b/iptables-1.6.0-iptables-apply_mktemp.patch
@ -1,21 +0,0 @@
 diff -up iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp iptables-1.6.0/iptables/iptables-apply
 --- iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp	2015-12-09 13:55:06.000000000 +0100
 +++ iptables-1.6.0/iptables/iptables-apply	2016-04-13 17:44:07.130453958 +0200
@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
 	exit 2
 fi
 -COMMANDS=(tempfile "$SAVE" "$RESTORE")
 +COMMANDS=(mktemp "$SAVE" "$RESTORE")
 for cmd in "${COMMANDS[@]}"; do
 	if ! command -v $cmd >/dev/null; then
@@ -122,7 +122,7 @@ done
 umask 0700
 -TMPFILE=$(tempfile -p iptap)
 +TMPFILE=$(mktemp)
 trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
 if ! "$SAVE" >"$TMPFILE"; then
--- a/iptables-1.8.0-xtables-nft-multi.patch
+++ b/iptables-1.8.0-xtables-nft-multi.patch
@ -1,15 +0,0 @@
 diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c
 index 187da81e9f59b..03690a56edb72 100644
 --- a/iptables/xtables-nft-multi.c
 +++ b/iptables/xtables-nft-multi.c
@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = {
 	{"iptables-restore-translate",	xtables_ip4_xlate_restore_main},
 	{"ip6tables-restore-translate",	xtables_ip6_xlate_restore_main},
 	{"arptables",			xtables_arp_main},
 +	{"arptables-nft",		xtables_arp_main},
 	{"ebtables-translate",		xtables_eb_xlate_main},
 	{"ebtables",			xtables_eb_main},
 +	{"ebtables-nft",		xtables_eb_main},
 	{"xtables-monitor",		xtables_monitor_main},
 	{NULL},
 };
--- a/iptables-1.8.0.tar.bz2
+++ b/iptables-1.8.0.tar.bz2
--- a/iptables-1.8.1.tar.bz2
+++ b/iptables-1.8.1.tar.bz2
--- a/iptables-apply-Use-mktemp-instead-of-tempfile.patch
+++ b/iptables-apply-Use-mktemp-instead-of-tempfile.patch
@ -0,0 +1,34 @@
 0d0a2c9c269dc5ed9e7d841b8ecb9dc060af Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 12 Apr 2019 18:02:19 +0200
 Subject: [PATCH] iptables-apply: Use mktemp instead of tempfile
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 iptables/iptables-apply | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/iptables/iptables-apply b/iptables/iptables-apply
 index 819ca4a459c42..a685b6bbcd7dc 100755
 --- a/iptables/iptables-apply
 +++ b/iptables/iptables-apply
 @@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
  	exit 2
 fi
 -COMMANDS=(tempfile "$SAVE" "$RESTORE")
 +COMMANDS=(mktemp "$SAVE" "$RESTORE")
 for cmd in "${COMMANDS[@]}"; do
 	if ! command -v $cmd >/dev/null; then
@@ -122,7 +122,7 @@ done
 umask 0700
 -TMPFILE=$(tempfile -p iptap)
 +TMPFILE=$(mktemp)
 trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
 		      FPE USR1 SEGV USR2 PIPE ALRM TERM
 -- 
 2.21.0
--- a/iptables.spec
+++ b/iptables.spec
@ -1,8 +1,8 @@
 %global script_path %{_libexecdir}/iptables
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name:		  iptables
-Version:	  1.8.0
+Version:	  1.8.1
-Release:	  6
+Release:	  1
 Summary:	  IP packet filter administration utilities
 License:	  GPLv2 and Artistic Licence 2.0 and ISC
 URL:		  https://www.netfilter.org/
@ -13,20 +13,7 @@ Source3:          iptables.service
 Source4:          sysconfig_iptables
 Source5:          sysconfig_ip6tables
-Patch1:           iptables-1.6.0-iptables-apply_mktemp.patch
+Patch1:           iptables-apply-Use-mktemp-instead-of-tempfile.patch 
 Patch2:           iptables-1.8.0-xtables-nft-multi.patch
 Patch6000:        fix-crash-if-nft_rule_list_get-fails.patch
 Patch6001:        free-the-table-lock-when-skipping-a-table.patch
 Patch6002:        Allocate-rule-cache-just-once.patch
 Patch6003:        Fix-for-nft_rule_flush-returning-garbage.patch
 Patch6004:        Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch
 Patch6005:        Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
 Patch6006:        Fix-opcode-printing-in-numeric-output.patch
 Patch6007:        Fix-for-segfault-in-iptables-nft.patch
 Patch6008:        Fix-for-segfault-when-registering-hashlimit-extension.patch
 Patch6009:        Fix-potential-array-overrun-in-xtables_option_parse.patch
 Patch6010:        Fix-for-potential-array-boundary-overstep.patch
 Patch6011:        Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
 BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd git
 BuildRequires:    libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@ -216,6 +203,10 @@ fi
 %{_sbindir}/iptables-apply
 %{_sbindir}/ip*tables-legacy*
 %{_sbindir}/xtables-legacy-multi
 %{_sbindir}/arptables-restore
 %{_sbindir}/arptables-save
 %{_sbindir}/ebtables-restore
 %{_sbindir}/ebtables-save
 %exclude %{_sbindir}/*-nft*
 %exclude %{_sbindir}/*-translate
 %exclude %{_sbindir}/xtables-monitor
@ -257,6 +248,9 @@ fi
 %{_mandir}/*
 %changelog
 * Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-1
 - Package update
 * Thu Nov 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.0-6
 - Type:bugfix
 - Id:NA