Merge tag 'debian/1.8.5-3' into debian/buster-backports

Debian package 1.8.5-3
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>

debian/copyright

@@ -353,7 +353,7 @@ License: GPL-2
 Files: iptables/iptables-apply
 Copyright: 2006, Martin F. Krafft <madduck@madduck.net>
            2010, GW <gw.2010@tnode.com or http://gw.tnode.com/>
-License: Artistic-2
+License: Artistic
 
 Files: iptables/iptables-save.c
 Copyright: 1999, Paul 'Rusty' Russell <rusty@rustcorp.com.au>
@@ -370,7 +370,7 @@ License: GPL-2+
 
 Files: iptables/nft-arp.c
 Copyright: 2013 Pablo Neira Ayuso <pablo@netfilter.org>
-	   2013 Giuseppe Longo <giuseppelng@gmail.com>
+           2013 Giuseppe Longo <giuseppelng@gmail.com>
 License: GPL-2+
 
 Files: iptables/nft-bridge.c
@@ -379,7 +379,7 @@ License: GPL-2+
 
 Files: iptables/nft-ipv4.c iptables/nft-ipv6.c iptables/nft-shared.c
 Copyright: 2012-2013 Pablo Neira Ayuso <pablo@netfilter.org>
-	   2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
+           2013 Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
 License: GPL-2+
 
 Files: iptables/xtables-arp.c iptables/xtables-eb.c
@@ -467,131 +467,5 @@ License: GPL-2+
  On Debian systems, the complete text of the GNU General
  Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
 
-License: Artistic-2
- 			 The "Artistic License"
- .
- 				Preamble
- .
- The intent of this document is to state the conditions under which a
- Package may be copied, such that the Copyright Holder maintains some
- semblance of artistic control over the development of the package,
- while giving the users of the package the right to use and distribute
- the Package in a more-or-less customary fashion, plus the right to make
- reasonable modifications.
- .
- Definitions:
- .
- 	"Package" refers to the collection of files distributed by the
- 	Copyright Holder, and derivatives of that collection of files
- 	created through textual modification.
- .
- 	"Standard Version" refers to such a Package if it has not been
- 	modified, or has been modified in accordance with the wishes
- 	of the Copyright Holder as specified below.
- .
- 	"Copyright Holder" is whoever is named in the copyright or
- 	copyrights for the package.
- .
- 	"You" is you, if you're thinking about copying or distributing
- 	this Package.
- .
- 	"Reasonable copying fee" is whatever you can justify on the
- 	basis of media cost, duplication charges, time of people involved,
- 	and so on.  (You will not be required to justify it to the
- 	Copyright Holder, but only to the computing community at large
- 	as a market that must bear the fee.)
- .
- 	"Freely Available" means that no fee is charged for the item
- 	itself, though there may be fees involved in handling the item.
- 	It also means that recipients of the item may redistribute it
- 	under the same conditions they received it.
- .
- 1. You may make and give away verbatim copies of the source form of the
- Standard Version of this Package without restriction, provided that you
- duplicate all of the original copyright notices and associated disclaimers.
- .
- 2. You may apply bug fixes, portability fixes and other modifications
- derived from the Public Domain or from the Copyright Holder.  A Package
- modified in such a way shall still be considered the Standard Version.
- .
- 3. You may otherwise modify your copy of this Package in any way, provided
- that you insert a prominent notice in each changed file stating how and
- when you changed that file, and provided that you do at least ONE of the
- following:
- .
-     a) place your modifications in the Public Domain or otherwise make them
-     Freely Available, such as by posting said modifications to Usenet or
-     an equivalent medium, or placing the modifications on a major archive
-     site such as uunet.uu.net, or by allowing the Copyright Holder to include
-     your modifications in the Standard Version of the Package.
- .
-     b) use the modified Package only within your corporation or organization.
- .
-     c) rename any non-standard executables so the names do not conflict
-     with standard executables, which must also be provided, and provide
-     a separate manual page for each non-standard executable that clearly
-     documents how it differs from the Standard Version.
- .
-     d) make other distribution arrangements with the Copyright Holder.
- .
- 4. You may distribute the programs of this Package in object code or
- executable form, provided that you do at least ONE of the following:
- .
-     a) distribute a Standard Version of the executables and library files,
-     together with instructions (in the manual page or equivalent) on where
-     to get the Standard Version.
- .
-     b) accompany the distribution with the machine-readable source of
-     the Package with your modifications.
- .
-     c) give non-standard executables non-standard names, and clearly
-     document the differences in manual pages (or equivalent), together
-     with instructions on where to get the Standard Version.
- .
-     d) make other distribution arrangements with the Copyright Holder.
- .
- 5. You may charge a reasonable copying fee for any distribution of this
- Package.  You may charge any fee you choose for support of this
- Package.  You may not charge a fee for this Package itself.  However,
- you may distribute this Package in aggregate with other (possibly
- commercial) programs as part of a larger (possibly commercial) software
- distribution provided that you do not advertise this Package as a
- product of your own.  You may embed this Package's interpreter within
- an executable of yours (by linking); this shall be construed as a mere
- form of aggregation, provided that the complete Standard Version of the
- interpreter is so embedded.
- .
- 6. The scripts and library files supplied as input to or produced as
- output from the programs of this Package do not automatically fall
- under the copyright of this Package, but belong to whoever generated
- them, and may be sold commercially, and may be aggregated with this
- Package.  If such scripts or library files are aggregated with this
- Package via the so-called "undump" or "unexec" methods of producing a
- binary executable image, then distribution of such an image shall
- neither be construed as a distribution of this Package nor shall it
- fall under the restrictions of Paragraphs 3 and 4, provided that you do
- not represent such an executable image as a Standard Version of this
- Package.
- .
- 7. C subroutines (or comparably compiled subroutines in other
- languages) supplied by you and linked into this Package in order to
- emulate subroutines and variables of the language defined by this
- Package shall not be considered part of this Package, but are the
- equivalent of input as in Paragraph 6, provided these subroutines do
- not change the language in any way that would cause it to fail the
- regression tests for the language.
- .
- 8. Aggregation of this Package with a commercial distribution is always
- permitted provided that the use of this Package is embedded; that is,
- when no overt attempt is made to make this Package's interfaces visible
- to the end user of the commercial distribution.  Such use shall not be
- construed as a distribution of this Package.
- .
- 9. The name of the Copyright Holder may not be used to endorse or promote
- products derived from this software without specific prior written permission.
- .
- 10. THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
- IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
- WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- .
- 				The End
+License: Artistic
+ On Debian systems, the full text can be found in the file "/usr/share/common-licenses/Artistic"

debian/iptables.postinst

@@ -2,22 +2,6 @@
 
 set -e
 
-# compat symlinks for /sbin -> /usr/sbin move, to be dropped in buster+1
-if [ "$1" = "configure" ] ; then
-	LIST="/sbin/iptables
-	      /sbin/iptables-save
-	      /sbin/iptables-restore
-	      /sbin/ip6tables
-              /sbin/ip6tables-save
-              /sbin/ip6tables-restore"
-
-	for i in $LIST ; do
-		if [ ! -e "$i" ] ; then
-			ln -sf /usr$i $i
-		fi
-	done
-fi
-
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
 	update-alternatives \
 	  --install /usr/sbin/iptables iptables /usr/sbin/iptables-legacy 10 \

debian/iptables.prerm

@@ -11,7 +11,9 @@ if [ "$1" != "upgrade" ]; then
     update-alternatives --remove ebtables /usr/sbin/ebtables-nft
 fi
 
-# compat symlinks for /sbin -> /usr/sbin move, to be dropped in buster+1
+# remove compat symlinks for /sbin -> /usr/sbin move
+# This piece of code can be dropped eventually, when we are confident user
+# systems are left in a consistent state.
 if [ "$1" = "remove" ] ; then
 	LIST="/sbin/iptables
 	     /sbin/iptables-save

debian/libip4tc-dev.install

+usr/include/libiptc/ipt_kernel_headers.h
+usr/include/libiptc/libiptc.h
+usr/include/libiptc/libxtc.h
+usr/include/libiptc/xtcshared.h
 usr/lib/*/libip4tc.so
 usr/lib/*/pkgconfig/libip4tc.pc

debian/libiptc-dev.install

-usr/include/libiptc/ipt_kernel_headers.h
-usr/include/libiptc/libiptc.h
-usr/include/libiptc/libxtc.h
-usr/include/libiptc/xtcshared.h
-usr/lib/*/libiptc.so
 usr/lib/*/pkgconfig/libiptc.pc

debian/libiptc0.install

-usr/lib/*/libiptc.so.*

debian/libiptc0.symbols

-libiptc.so.0 libiptc0 #MINVER#
-* Build-Depends-Package: libiptc-dev

debian/libxtables12.symbols

@@ -19,6 +19,7 @@ libxtables.so.12 libxtables12 #MINVER#
  xtables_find_match_revision@Base 1.8.0
  xtables_find_target@Base 1.6.0+snapshot20161117
  xtables_find_target_revision@Base 1.8.0
+ xtables_fini@Base 1.8.5
  xtables_free_opts@Base 1.6.0+snapshot20161117
  xtables_getethertypebyname@Base 1.8.1
  xtables_getethertypebynumber@Base 1.8.1

debian/not-installed

+usr/lib/${DEB_TARGET_MULTIARCH}/libip4tc.la
+usr/lib/${DEB_TARGET_MULTIARCH}/libiptc.la
+usr/lib/${DEB_TARGET_MULTIARCH}/libxtables.la
+usr/lib/${DEB_TARGET_MULTIARCH}/libip6tc.la
+usr/bin/iptables-xml
+usr/share/xtables/pf.os
+etc/ethertypes

debian/patches/0000-upstream-fix-xtables-translate.patch

+From 2757c0b5e5fbbf569695469b331453cecefdf069 Mon Sep 17 00:00:00 2001
+From: Arturo Borrero Gonzalez <arturo@netfilter.org>
+Date: Tue, 16 Jun 2020 11:20:42 +0200
+Subject: xtables-translate: don't fail if help was requested
+
+If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle
+this case in do_command_xlate().
+
+Before this patch, you would see:
+
+ user@debian:~$ sudo iptables-translate -h
+ [..]
+ nft Unsupported command?
+ user@debian:~$ echo $?
+ 1
+
+After this patch:
+
+ user@debian:~$ sudo iptables-translate -h
+ [..]
+ user@debian:~$ echo $?
+ 0
+
+Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts")
+Acked-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
+---
+ iptables/xtables-translate.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
+index 5aa42496..363c8be1 100644
+--- a/iptables/xtables-translate.c
++++ b/iptables/xtables-translate.c
+@@ -249,7 +249,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
+ 
+ 	cs.restore = restore;
+ 
+-	if (!restore)
++	if (!restore && p.command != CMD_NONE)
+ 		printf("nft ");
+ 
+ 	switch (p.command) {
+@@ -310,6 +310,9 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
+ 		break;
+ 	case CMD_SET_POLICY:
+ 		break;
++	case CMD_NONE:
++		ret = 1;
++		break;
+ 	default:
+ 		/* We should never reach this... */
+ 		printf("Unsupported command?\n");
+-- 
+cgit v1.2.3
+

debian/patches/0103-lintian_allows_to.patch

-From: Laurence J. Lane
-Description: cleanup "allows to", triggered lintian grammar warning
-
---- a/extensions/libipt_ECN.man
-+++ b/extensions/libipt_ECN.man
-@@ -1,4 +1,4 @@
--This target allows to selectively work around known ECN blackholes.
-+This target selectively works around known ECN blackholes.
- It can only be used in the mangle table.
- .TP
- \fB\-\-ecn\-tcp\-remove\fP
---- a/extensions/libxt_AUDIT.man
-+++ b/extensions/libxt_AUDIT.man
-@@ -1,4 +1,4 @@
--This target allows to create audit records for packets hitting the target.
-+This target allows creates audit records for packets hitting the target.
- It can be used to record accepted, dropped, and rejected packets. See
- auditd(8) for additional details.
- .TP
---- a/extensions/libxt_CHECKSUM.man
-+++ b/extensions/libxt_CHECKSUM.man
-@@ -1,4 +1,4 @@
--This target allows to selectively work around broken/old applications.
-+This target selectively works around broken/old applications.
- It can only be used in the mangle table.
- .TP
- \fB\-\-checksum\-fill\fP
---- a/extensions/libxt_CT.man
-+++ b/extensions/libxt_CT.man
-@@ -1,4 +1,4 @@
--The CT target allows to set parameters for a packet or its associated
-+The CT target sets parameters for a packet or its associated
- connection. The target attaches a "template" connection tracking entry to
- the packet, which is then used by the conntrack core when initializing
- a new ct entry. This target is thus only valid in the "raw" table.
---- a/extensions/libxt_DSCP.man
-+++ b/extensions/libxt_DSCP.man
-@@ -1,4 +1,4 @@
--This target allows to alter the value of the DSCP bits within the TOS
-+This target alters the value of the DSCP bits within the TOS
- header of the IPv4 packet.  As this manipulates a packet, it can only
- be used in the mangle table.
- .TP
---- a/extensions/libxt_TCPMSS.man
-+++ b/extensions/libxt_TCPMSS.man
-@@ -1,4 +1,4 @@
--This target allows to alter the MSS value of TCP SYN packets, to control
-+This target alters the MSS value of TCP SYN packets, to control
- the maximum size for that connection (usually limiting it to your
- outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
- Of course, it can only be used
---- a/extensions/libxt_osf.c
-+++ b/extensions/libxt_osf.c
-@@ -40,7 +40,7 @@
- 		"--ttl level            Use some TTL check extensions to determine OS:\n"
- 		"       0                       true ip and fingerprint TTL comparison. Works for LAN.\n"
- 		"       1                       check if ip TTL is less than fingerprint one. Works for global addresses.\n"
--		"       2                       do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n"
-+		"       2                       do not compare TTL at all. This allows NMAP detection, but can produce false results.\n"
- 		"--log level            Log determined genres into dmesg even if they do not match desired one:\n"
- 		"       0                       log all matched or unknown signatures.\n"
- 		"       1                       log only first one.\n"
---- a/iptables/iptables.8.in
-+++ b/iptables/iptables.8.in
-@@ -245,13 +245,13 @@
- This option has no effect in iptables and iptables-restore.
- If a rule using the \fB\-4\fP option is inserted with (and only with)
- ip6tables-restore, it will be silently ignored. Any other uses will throw an
--error. This option allows to put both IPv4 and IPv6 rules in a single rule file
-+error. This option allows IPv4 and IPv6 rules in a single rule file
- for use with both iptables-restore and ip6tables-restore.
- .TP
- \fB\-6\fP, \fB\-\-ipv6\fP
- If a rule using the \fB\-6\fP option is inserted with (and only with)
- iptables-restore, it will be silently ignored. Any other uses will throw an
--error. This option allows to put both IPv4 and IPv6 rules in a single rule file
-+error. This option allows IPv4 and IPv6 rules in a single rule file
- for use with both iptables-restore and ip6tables-restore.
- This option has no effect in ip6tables and ip6tables-restore.
- .TP

debian/patches/0105-lintian_spelling.patch

-From: Laurence J. Lane <ljlane@debian.org>
-Description: lintian spelling warning, s/specifing/specifying
-
---- a/libipq/ipq_set_verdict.3
-+++ b/libipq/ipq_set_verdict.3
-@@ -30,7 +30,7 @@
- .B ipq_set_verdict
- function issues a verdict on a packet previously obtained with
- .BR ipq_read ,
--specifing the intended disposition of the packet, and optionally
-+specifying the intended disposition of the packet, and optionally
- supplying a modified version of the payload data.
- .PP
- The

debian/patches/0201-660748-iptables_apply_man.patch

-From afc5ba9e94f86a11d50f3554efeafd402faddacb Mon Sep 17 00:00:00 2001
-From: "Laurence J. Lane" <ljlane@debian.org>
-Date: Mon, 2 Sep 2013 16:46:50 -0400
-Subject: [PATCH] iptables: mention iptables-reply in SEE ALSO
-
-Add iptables-apply(8) to the SEE ALSO section of *-save(8)
-and *-restore(8).
-
-References: http://bugs.debian.org/660748
-
-Signed-off-by: Laurence J. Lane <ljlane@debian.org>
----
- iptables/iptables-restore.8.in | 2 +-
- iptables/iptables-save.8.in    | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-Index: pkg-iptables/iptables/iptables-restore.8.in
-===================================================================
---- pkg-iptables.orig/iptables/iptables-restore.8.in
-+++ pkg-iptables/iptables/iptables-restore.8.in
-@@ -87,7 +87,7 @@ from Rusty Russell.
- .br
- Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
- .SH SEE ALSO
--\fBiptables\-save\fP(8), \fBiptables\fP(8)
-+\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
- .PP
- The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
- which details NAT, and the netfilter-hacking-HOWTO which details the
-Index: pkg-iptables/iptables/iptables-save.8.in
-===================================================================
---- pkg-iptables.orig/iptables/iptables-save.8.in
-+++ pkg-iptables/iptables/iptables-save.8.in
-@@ -62,7 +62,7 @@ Rusty Russell <rusty@rustcorp.com.au>
- .br
- Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
- .SH SEE ALSO
--\fBiptables\-restore\fP(8), \fBiptables\fP(8)
-+\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
- .PP
- The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
- which details NAT, and the netfilter-hacking-HOWTO which details the

debian/patches/0202-725413-sctp_man_description.patch

-Subject: add SCTP extension man page description
-From: Laurence J. Lane <ljlane@debian.org>
-Bug: http://bugs.debian.org/725413
-
---- a/extensions/libxt_sctp.man
-+++ b/extensions/libxt_sctp.man
-@@ -1,3 +1,4 @@
-+This module matches Stream Control Transmission Protocol headers.
- .TP
- [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
- .TP

debian/patches/notes

-01xx - debian specific patches
-02xx - documentation patches
-03xx - makefile/build patches
-04xx - code patches
-05xx - miscellaneous patches