iptables: update 1.8.8 -> 1.8.9

Replace one format string fixing patch with another format string fixing patch.
(one problem fixed upstream, another introduced)

(From OE-Core rev: 4a7b4d41ddcfaeaf47cf75200f2346639c64b11c)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-extended/iptables/iptables/0001-configure-Add-option-to-enable-disable-libnfnetlink.patch

@@ -1,7 +1,7 @@
-From c46db7c2e1f63ec525835553587e70c635565310 Mon Sep 17 00:00:00 2001
+From 698ed332e2c592235d2b737c545ac25ad0970e15 Mon Sep 17 00:00:00 2001
 From: "Maxin B. John" <maxin.john@intel.com>
 Date: Tue, 21 Feb 2017 11:16:31 +0200
-Subject: [PATCH] configure: Add option to enable/disable libnfnetlink
+Subject: [PATCH 1/4] configure: Add option to enable/disable libnfnetlink
 
 This changes the configure behaviour from autodetecting
 for libnfnetlink to having an option to disable it explicitly
@@ -15,7 +15,7 @@ Signed-off-by: Maxin B. John <maxin.john@intel.com>
  1 file changed, 7 insertions(+), 3 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index eda7871..03ddc50 100644
+index bc2ed47b..e27745e5 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -63,6 +63,9 @@ AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH],
@@ -28,7 +28,7 @@ index eda7871..03ddc50 100644
  AC_ARG_ENABLE([connlabel],
  	AS_HELP_STRING([--disable-connlabel],
  	[Do not build libnetfilter_conntrack]),
-@@ -115,9 +118,10 @@ if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
+@@ -117,9 +120,10 @@ if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
  	AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library required by bpf compiler or nfsynproxy tool))
  fi
  
@@ -43,5 +43,5 @@ index eda7871..03ddc50 100644
  if test "x$enable_nftables" = "xyes"; then
  	PKG_CHECK_MODULES([libmnl], [libmnl >= 1.0], [mnl=1], [mnl=0])
 -- 
-2.4.0
+2.30.2
 

meta/recipes-extended/iptables/iptables/0002-iptables-xshared.h-add-missing-sys.types.h-include.patch

@@ -1,7 +1,7 @@
-From 796b8f6fc1e584c27c42ba302f623fd1c5aa0667 Mon Sep 17 00:00:00 2001
+From d4699d2169fe2d91d0f1f4369d40d2e5f42b8877 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex@linutronix.de>
 Date: Tue, 17 May 2022 10:56:59 +0200
-Subject: [PATCH] iptables/xshared.h: add missing sys.types.h include
+Subject: [PATCH 2/4] iptables/xshared.h: add missing sys.types.h include
 
 This resolves the build error under musl:
 
@@ -17,7 +17,7 @@ Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  1 file changed, 1 insertion(+)
 
 diff --git a/iptables/xshared.h b/iptables/xshared.h
-index 14568bb..73b1017 100644
+index 0ed9f3c2..b1413834 100644
 --- a/iptables/xshared.h
 +++ b/iptables/xshared.h
 @@ -6,6 +6,7 @@
@@ -28,3 +28,6 @@ index 14568bb..73b1017 100644
  #include <linux/netfilter_arp/arp_tables.h>
  #include <linux/netfilter_ipv4/ip_tables.h>
  #include <linux/netfilter_ipv6/ip6_tables.h>
+-- 
+2.30.2
+

meta/recipes-extended/iptables/iptables/0003-Makefile.am-do-not-install-etc-ethertypes.patch

@@ -1,7 +1,7 @@
-From a4ed9fc8da720585f853d2ca6ffd30e2fa4d1247 Mon Sep 17 00:00:00 2001
+From 28291b41bc3717f51e8d9d465f0100f1ca99dc26 Mon Sep 17 00:00:00 2001
 From: Trevor Gamblin <trevor.gamblin@windriver.com>
 Date: Wed, 9 Mar 2022 12:50:39 -0500
-Subject: [PATCH] Makefile.am: do not install /etc/ethertypes
+Subject: [PATCH 3/4] Makefile.am: do not install /etc/ethertypes
 
 The /etc/ethertypes is provided by netbase since 6.0[1].
 Do not instal the file in ebtables, otherwise there would be a conflict:
@@ -20,21 +20,22 @@ Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
 ---
- Makefile.am | 1 -
+ Makefile.am | 2 +-
- 1 file changed, 1 deletion(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile.am b/Makefile.am
-index 799bf8b8..2eb1843f 100644
+index 451c3cb2..5125238c 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -18,7 +18,6 @@ SUBDIRS         += iptables
+@@ -20,7 +20,7 @@ EXTRA_DIST	= autogen.sh iptables-test.py xlate-test.py
  
  if ENABLE_NFTABLES
  confdir		= $(sysconfdir)
--dist_conf_DATA	= etc/ethertypes
+-dist_conf_DATA	= etc/ethertypes etc/xtables.conf
++dist_conf_DATA	= etc/xtables.conf
  endif
  
  .PHONY: tarball
 -- 
-2.35.1
+2.30.2
 

meta/recipes-extended/iptables/iptables/0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch

@@ -1,7 +1,7 @@
-From 26090b3dbcdf6a11e60535da949b726a6e86426d Mon Sep 17 00:00:00 2001
+From e7aa1dd2831f9bb5d0603c5e5027387ad7721b00 Mon Sep 17 00:00:00 2001
 From: "Maxin B. John" <maxin.john@intel.com>
 Date: Tue, 21 Feb 2017 11:49:07 +0200
-Subject: [PATCH] configure.ac:
+Subject: [PATCH 4/4] configure.ac:
  only-check-conntrack-when-libnfnetlink-enabled.patch
 
 Package libnetfilter-conntrack depends on package libnfnetlink. iptables
@@ -28,10 +28,10 @@ Signed-off-by: Maxin B. John <maxin.john@intel.com>
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 03ddc50..523caea 100644
+index e27745e5..528f1bb5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -172,10 +172,12 @@ if test "$nftables" != 1; then
+@@ -158,10 +158,12 @@ if test "$nftables" != 1; then
  fi
  
  if test "x$enable_connlabel" = "xyes"; then
@@ -47,5 +47,5 @@ index 03ddc50..523caea 100644
  		blacklist_modules="$blacklist_modules connlabel";
  		echo "WARNING: libnetfilter_conntrack not found, connlabel match will not be built";
 -- 
-2.4.0
+2.30.2
 

meta/recipes-extended/iptables/iptables/format-security.patch

@@ -1,30 +1,31 @@
-From b72eb12ea5a61df0655ad99d5048994e916be83a Mon Sep 17 00:00:00 2001
+From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
-Date: Fri, 13 May 2022 16:51:58 +0200
+Date: Thu, 12 Jan 2023 14:38:44 +0100
-Subject: xshared: Fix build for -Werror=format-security
+Subject: extensions: NAT: Fix for -Werror=format-security
 
-Gcc complains about the omitted format string.
+Have to pass either a string literal or format string to xt_xlate_add().
 
+Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
-Upstream-Status: Backport
+Upstream-Status: Backport [https://git.netfilter.org/iptables/commit/?id=ed4082a7405a5838c205a34c1559e289949200cc]
 Signed-off-by: Alexander Kanavin <alex@linutronix.de>
 ---
- iptables/xshared.c | 2 +-
+ extensions/libxt_NAT.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/iptables/xshared.c b/iptables/xshared.c
+diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
-index fae5ddd5..a8512d38 100644
+index da9f2201..2a634398 100644
---- a/iptables/xshared.c
+--- a/extensions/libxt_NAT.c
-+++ b/iptables/xshared.c
++++ b/extensions/libxt_NAT.c
-@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
+@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
- 		return;
+ 	if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
+ 		return 0;
  
- 	if (args->family != NFPROTO_ARP)
+-	xt_xlate_add(xl, tgt);
--		xtables_error(PARAMETER_PROBLEM, msg);
++	xt_xlate_add(xl, "%s", tgt);
-+		xtables_error(PARAMETER_PROBLEM, "%s", msg);
+ 	if (strlen(range_str))
- 
+ 		xt_xlate_add(xl, " to %s", range_str);
- 	fprintf(stderr, "%s", msg);
+ 	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
- }
 -- 
 cgit v1.2.3
 

meta/recipes-extended/iptables/iptables_1.8.9.bb

@@ -8,18 +8,18 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
                     file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc \
 "
 
-SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
+SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.xz \
-           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
-           file://0001-Makefile.am-do-not-install-etc-ethertypes.patch \
-           file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
-           file://format-security.patch \
            file://iptables.service \
            file://iptables.rules \
            file://ip6tables.service \
            file://ip6tables.rules \
-           file://0001-iptables-xshared.h-add-missing-sys.types.h-include.patch \
+           file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
+           file://0002-iptables-xshared.h-add-missing-sys.types.h-include.patch \
+           file://0003-Makefile.am-do-not-install-etc-ethertypes.patch \
+           file://0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch \
+           file://format-security.patch \
            "
-SRC_URI[sha256sum] = "71c75889dc710676631553eb1511da0177bbaaf1b551265b912d236c3f51859f"
+SRC_URI[sha256sum] = "ef6639a43be8325a4f8ea68123ffac236cb696e8c78501b64e8106afb008c87f"
 
 SYSTEMD_SERVICE:${PN} = "\
     iptables.service \
@@ -116,8 +116,10 @@ RDEPENDS:${PN}-apply = "${PN} bash"
 # Include the symlinks as well in respective packages
 FILES:${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
 FILES:${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so ${libdir}/xtables/libxt_REDIRECT.so"
+FILES:${PN}-module-xt-nat += "${libdir}/xtables/libxt_SNAT.so ${libdir}/xtables/libxt_DNAT.so ${libdir}/xtables/libxt_MASQUERADE.so"
 
 ALLOW_EMPTY:${PN}-modules = "1"
 
 INSANE_SKIP:${PN}-module-xt-conntrack = "dev-so"
 INSANE_SKIP:${PN}-module-xt-ct = "dev-so"
+INSANE_SKIP:${PN}-module-xt-nat = "dev-so"