d/patches: drop all patches

All patches were applied upstream, so drop them.

The changelog patch has not been updated for years, I think is no longer
revelant, so drop it too.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>

debian/patches/0000-upstream-bump-build-dep-libnftnl.patch

-From 6992e2fe24b92421aaa18b1b24663e309da2eaba Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Mon, 2 Dec 2019 18:14:51 +0100
-Subject: build: bump dependency on libnftnl
-
-nftnl_set_list_lookup_byname() libnftnl requires 1.1.5.
-
-Reported-by: Phil Sutter <phil@nwl.cc>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index cab77a48..27e90703 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -131,7 +131,7 @@ if test "x$enable_nftables" = "xyes"; then
- 		exit 1
- 	fi
- 
--	PKG_CHECK_MODULES([libnftnl], [libnftnl >= 1.1.3], [nftables=1], [nftables=0])
-+	PKG_CHECK_MODULES([libnftnl], [libnftnl >= 1.1.5], [nftables=1], [nftables=0])
- 
- 	if test "$nftables" = 0;
- 	then
--- 
-cgit v1.2.1
-

debian/patches/0000-upstream-fix-restore-noflush.patch

-From a103fbfadf4c17b8b12caa57eef72deaaa71a18c Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Wed, 4 Dec 2019 09:56:06 +0100
-Subject: xtables-restore: Fix parser feed from line buffer
-
-When called with --noflush, xtables-restore would trip over chain lines:
-Parser uses strtok() to separate chain name, policy and counters which
-inserts nul-chars into the source string. Therefore strlen() can't be
-used anymore to find end of line. Fix this by caching line length before
-calling xtables_restore_parse_line().
-
-Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- .../tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 | 10 ++++++++++
- iptables/xtables-restore.c                                     |  4 +++-
- 2 files changed, 13 insertions(+), 1 deletion(-)
- create mode 100755 iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
-
-diff --git a/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
-new file mode 100755
-index 00000000..739e684a
---- /dev/null
-+++ b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
-@@ -0,0 +1,10 @@
-+#!/bin/sh -e
-+
-+# assert input feed from buffer doesn't trip over
-+# added nul-chars from parsing chain line.
-+
-+$XT_MULTI iptables-restore --noflush <<EOF
-+*filter
-+:foobar - [0:0]
-+-A foobar -j ACCEPT
-+COMMIT
-diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
-index 2f0fe7d4..dd907e0b 100644
---- a/iptables/xtables-restore.c
-+++ b/iptables/xtables-restore.c
-@@ -327,10 +327,12 @@ void xtables_restore_parse(struct nft_handle *h,
- 	line = 0;
- 	ptr = preload_buffer;
- 	while (*ptr) {
-+		size_t len = strlen(ptr);
-+
- 		h->error.lineno = ++line;
- 		DEBUGP("%s: buffered line %d: '%s'\n", __func__, line, ptr);
- 		xtables_restore_parse_line(h, p, &state, ptr);
--		ptr += strlen(ptr) + 1;
-+		ptr += len + 1;
- 	}
- 	if (*buffer) {
- 		h->error.lineno = ++line;
--- 
-cgit v1.2.1
-

debian/patches/0000-upstream-xtables-restore-empty-lines.patch

-From 8e76391096f12212985c401ee83a67990aa27a29 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <phil@nwl.cc>
-Date: Tue, 11 Feb 2020 16:52:59 +0100
-Subject: xtables-restore: fix for --noflush and empty lines
-
-Lookahead buffer used for cache requirements estimate in restore
---noflush separates individual lines with nul-chars. Two consecutive
-nul-chars are interpreted as end of buffer and remaining buffer content
-is skipped.
-
-Sadly, reading an empty line (i.e., one containing a newline character
-only) caused double nul-chars to appear in buffer as well, leading to
-premature stop when reading cached lines from buffer.
-
-To fix that, make use of xtables_restore_parse_line() skipping empty
-lines without calling strtok() and just leave the newline character in
-place. A more intuitive approach, namely skipping empty lines while
-buffering, is deliberately not chosen as that would cause wrong values
-in 'line' variable.
-
-Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400
-Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
-Signed-off-by: Phil Sutter <phil@nwl.cc>
-Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
----
- .../testcases/ipt-restore/0011-noflush-empty-line_0      | 16 ++++++++++++++++
- iptables/xtables-restore.c                               |  8 +++++---
- 2 files changed, 21 insertions(+), 3 deletions(-)
- create mode 100755 iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
-
-diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
-new file mode 100755
-index 00000000..bea1a690
---- /dev/null
-+++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
-@@ -0,0 +1,16 @@
-+#!/bin/bash -e
-+
-+# make sure empty lines won't break --noflush
-+
-+cat <<EOF | $XT_MULTI iptables-restore --noflush
-+# just a comment followed by innocent empty line
-+
-+*filter
-+-A FORWARD -j ACCEPT
-+COMMIT
-+EOF
-+
-+EXPECT='Chain FORWARD (policy ACCEPT)
-+target     prot opt source               destination         
-+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           '
-+diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD)
-diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
-index 63cc15ce..fb2ac8b5 100644
---- a/iptables/xtables-restore.c
-+++ b/iptables/xtables-restore.c
-@@ -293,11 +293,13 @@ void xtables_restore_parse(struct nft_handle *h,
- 		while (fgets(buffer, sizeof(buffer), p->in)) {
- 			size_t blen = strlen(buffer);
- 
--			/* drop trailing newline; xtables_restore_parse_line()
-+			/* Drop trailing newline; xtables_restore_parse_line()
- 			 * uses strtok() which replaces them by nul-characters,
- 			 * causing unpredictable string delimiting in
--			 * preload_buffer */
--			if (buffer[blen - 1] == '\n')
-+			 * preload_buffer.
-+			 * Unless this is an empty line which would fold into a
-+			 * spurious EoB indicator (double nul-char). */
-+			if (buffer[blen - 1] == '\n' && blen > 1)
- 				buffer[blen - 1] = '\0';
- 			else
- 				blen++;
--- 
-cgit v1.2.2
-

debian/patches/0103-lintian_allows_to.patch

-From: Laurence J. Lane
-Description: cleanup "allows to", triggered lintian grammar warning
-
---- a/extensions/libipt_ECN.man
-+++ b/extensions/libipt_ECN.man
-@@ -1,4 +1,4 @@
--This target allows to selectively work around known ECN blackholes.
-+This target selectively works around known ECN blackholes.
- It can only be used in the mangle table.
- .TP
- \fB\-\-ecn\-tcp\-remove\fP
---- a/extensions/libxt_AUDIT.man
-+++ b/extensions/libxt_AUDIT.man
-@@ -1,4 +1,4 @@
--This target allows to create audit records for packets hitting the target.
-+This target allows creates audit records for packets hitting the target.
- It can be used to record accepted, dropped, and rejected packets. See
- auditd(8) for additional details.
- .TP
---- a/extensions/libxt_CHECKSUM.man
-+++ b/extensions/libxt_CHECKSUM.man
-@@ -1,4 +1,4 @@
--This target allows to selectively work around broken/old applications.
-+This target selectively works around broken/old applications.
- It can only be used in the mangle table.
- .TP
- \fB\-\-checksum\-fill\fP
---- a/extensions/libxt_CT.man
-+++ b/extensions/libxt_CT.man
-@@ -1,4 +1,4 @@
--The CT target allows to set parameters for a packet or its associated
-+The CT target sets parameters for a packet or its associated
- connection. The target attaches a "template" connection tracking entry to
- the packet, which is then used by the conntrack core when initializing
- a new ct entry. This target is thus only valid in the "raw" table.
---- a/extensions/libxt_DSCP.man
-+++ b/extensions/libxt_DSCP.man
-@@ -1,4 +1,4 @@
--This target allows to alter the value of the DSCP bits within the TOS
-+This target alters the value of the DSCP bits within the TOS
- header of the IPv4 packet.  As this manipulates a packet, it can only
- be used in the mangle table.
- .TP
---- a/extensions/libxt_TCPMSS.man
-+++ b/extensions/libxt_TCPMSS.man
-@@ -1,4 +1,4 @@
--This target allows to alter the MSS value of TCP SYN packets, to control
-+This target alters the MSS value of TCP SYN packets, to control
- the maximum size for that connection (usually limiting it to your
- outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
- Of course, it can only be used
---- a/extensions/libxt_osf.c
-+++ b/extensions/libxt_osf.c
-@@ -40,7 +40,7 @@
- 		"--ttl level            Use some TTL check extensions to determine OS:\n"
- 		"       0                       true ip and fingerprint TTL comparison. Works for LAN.\n"
- 		"       1                       check if ip TTL is less than fingerprint one. Works for global addresses.\n"
--		"       2                       do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n"
-+		"       2                       do not compare TTL at all. This allows NMAP detection, but can produce false results.\n"
- 		"--log level            Log determined genres into dmesg even if they do not match desired one:\n"
- 		"       0                       log all matched or unknown signatures.\n"
- 		"       1                       log only first one.\n"
---- a/iptables/iptables.8.in
-+++ b/iptables/iptables.8.in
-@@ -245,13 +245,13 @@
- This option has no effect in iptables and iptables-restore.
- If a rule using the \fB\-4\fP option is inserted with (and only with)
- ip6tables-restore, it will be silently ignored. Any other uses will throw an
--error. This option allows to put both IPv4 and IPv6 rules in a single rule file
-+error. This option allows IPv4 and IPv6 rules in a single rule file
- for use with both iptables-restore and ip6tables-restore.
- .TP
- \fB\-6\fP, \fB\-\-ipv6\fP
- If a rule using the \fB\-6\fP option is inserted with (and only with)
- iptables-restore, it will be silently ignored. Any other uses will throw an
--error. This option allows to put both IPv4 and IPv6 rules in a single rule file
-+error. This option allows IPv4 and IPv6 rules in a single rule file
- for use with both iptables-restore and ip6tables-restore.
- This option has no effect in ip6tables and ip6tables-restore.
- .TP

debian/patches/0104-lintian_hyphens.patch

-From: Laurence J. Lane <ljlane@debian.org>
-Description: man page hyphen cleanup
-
-Index: pkg-iptables/extensions/libip6t_DNPT.man
-===================================================================
---- pkg-iptables.orig/extensions/libip6t_DNPT.man
-+++ pkg-iptables/extensions/libip6t_DNPT.man
-@@ -23,7 +23,7 @@ ip6tables \-t mangle \-I PREROUTING \-i
- .PP
- You may need to enable IPv6 neighbor proxy:
- .IP
--sysctl -w net.ipv6.conf.all.proxy_ndp=1
-+sysctl \-w net.ipv6.conf.all.proxy_ndp=1
- .PP
- You also have to use the
- .B NOTRACK
-Index: pkg-iptables/extensions/libip6t_SNPT.man
-===================================================================
---- pkg-iptables.orig/extensions/libip6t_SNPT.man
-+++ pkg-iptables/extensions/libip6t_SNPT.man
-@@ -23,7 +23,7 @@ ip6tables \-t mangle \-I PREROUTING \-i
- .PP
- You may need to enable IPv6 neighbor proxy:
- .IP
--sysctl -w net.ipv6.conf.all.proxy_ndp=1
-+sysctl \-w net.ipv6.conf.all.proxy_ndp=1
- .PP
- You also have to use the
- .B NOTRACK
-Index: pkg-iptables/extensions/libxt_HMARK.man
-===================================================================
---- pkg-iptables.orig/extensions/libxt_HMARK.man
-+++ pkg-iptables/extensions/libxt_HMARK.man
-@@ -56,5 +56,5 @@ iptables \-t mangle \-A PREROUTING \-m c
-  \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
- \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
- .PP
--iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
-+iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000
- \-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
-Index: pkg-iptables/extensions/libxt_SET.man
-===================================================================
---- pkg-iptables.orig/extensions/libxt_SET.man
-+++ pkg-iptables/extensions/libxt_SET.man
-@@ -42,5 +42,5 @@ and
- \fB\-\-map\-queue\fP
- flags can be used in the OUTPUT, FORWARD and POSTROUTING chains.
- .PP
--Use of -j SET requires that ipset kernel support is provided, which, for
-+Use of \-j SET requires that ipset kernel support is provided, which, for
- standard kernels, is the case since Linux 2.6.39.
-Index: pkg-iptables/extensions/libxt_TOS.man
-===================================================================
---- pkg-iptables.orig/extensions/libxt_TOS.man
-+++ pkg-iptables/extensions/libxt_TOS.man
-@@ -32,5 +32,5 @@ longterm releases 2.6.32 (>=.42), 2.6.33
- a bug whereby IPv6 TOS mangling does not behave as documented and differs from
- the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
- needs to be inverted before applying it to the original TOS field. However, the
--aformentioned kernels forgo the inversion which breaks --set-tos and its
-+aformentioned kernels forgo the inversion which breaks \-\-set\-tos and its
- mnemonics.
-Index: pkg-iptables/extensions/libxt_bpf.man
-===================================================================
---- pkg-iptables.orig/extensions/libxt_bpf.man
-+++ pkg-iptables/extensions/libxt_bpf.man
-@@ -17,7 +17,7 @@ iptables \-A OUTPUT \-m bpf \-\-object\-
- \fB\-\-bytecode\fP \fIcode\fP
- Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
- .PP
--The code format is similar to the output of the tcpdump -ddd command: one line
-+The code format is similar to the output of the tcpdump \-ddd command: one line
- that stores the number of instructions, followed by one line for each
- instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
- notation. Fields encode the operation, jump offset if true, jump offset if
-Index: pkg-iptables/extensions/libxt_cluster.man
-===================================================================
---- pkg-iptables.orig/extensions/libxt_cluster.man
-+++ pkg-iptables/extensions/libxt_cluster.man
-@@ -27,7 +27,7 @@ iptables \-A PREROUTING \-t mangle \-i e
- iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
- \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
- \-\-cluster\-hash\-seed 0xdeadbeef
--\-j MARK -\-set\-mark 0xffff
-+\-j MARK \-\-set\-mark 0xffff
- .IP
- iptables \-A PREROUTING \-t mangle \-i eth1
- \-m mark ! \-\-mark 0xffff \-j DROP
-Index: pkg-iptables/extensions/libxt_osf.man
-===================================================================
---- pkg-iptables.orig/extensions/libxt_osf.man
-+++ pkg-iptables/extensions/libxt_osf.man
-@@ -35,11 +35,11 @@ Windows [2000:SP3:Windows XP Pro SP1, 20
- OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
- fingerprints from a file, use:
- .PP
--\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
-+\fBnfnl_osf \-f /usr/share/xtables/pf.os\fP
- .PP
- To remove them again,
- .PP
--\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
-+\fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP
- .PP
- The fingerprint database can be downloaded from
- http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
-Index: pkg-iptables/extensions/libxt_set.man
-===================================================================
---- pkg-iptables.orig/extensions/libxt_set.man
-+++ pkg-iptables/extensions/libxt_set.man
-@@ -61,5 +61,5 @@ when the set was defined without counter
- The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does 
- not clash with an option of other extensions.
- .PP
--Use of -m set requires that ipset kernel support is provided, which, for
-+Use of \-m set requires that ipset kernel support is provided, which, for
- standard kernels, is the case since Linux 2.6.39.

debian/patches/0105-lintian_spelling.patch

-From: Laurence J. Lane <ljlane@debian.org>
-Description: lintian spelling warning, s/specifing/specifying
-
---- a/libipq/ipq_set_verdict.3
-+++ b/libipq/ipq_set_verdict.3
-@@ -30,7 +30,7 @@
- .B ipq_set_verdict
- function issues a verdict on a packet previously obtained with
- .BR ipq_read ,
--specifing the intended disposition of the packet, and optionally
-+specifying the intended disposition of the packet, and optionally
- supplying a modified version of the payload data.
- .PP
- The

debian/patches/0201-660748-iptables_apply_man.patch

-From afc5ba9e94f86a11d50f3554efeafd402faddacb Mon Sep 17 00:00:00 2001
-From: "Laurence J. Lane" <ljlane@debian.org>
-Date: Mon, 2 Sep 2013 16:46:50 -0400
-Subject: [PATCH] iptables: mention iptables-reply in SEE ALSO
-
-Add iptables-apply(8) to the SEE ALSO section of *-save(8)
-and *-restore(8).
-
-References: http://bugs.debian.org/660748
-
-Signed-off-by: Laurence J. Lane <ljlane@debian.org>
----
- iptables/iptables-restore.8.in | 2 +-
- iptables/iptables-save.8.in    | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-Index: pkg-iptables/iptables/iptables-restore.8.in
-===================================================================
---- pkg-iptables.orig/iptables/iptables-restore.8.in
-+++ pkg-iptables/iptables/iptables-restore.8.in
-@@ -87,7 +87,7 @@ from Rusty Russell.
- .br
- Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
- .SH SEE ALSO
--\fBiptables\-save\fP(8), \fBiptables\fP(8)
-+\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
- .PP
- The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
- which details NAT, and the netfilter-hacking-HOWTO which details the
-Index: pkg-iptables/iptables/iptables-save.8.in
-===================================================================
---- pkg-iptables.orig/iptables/iptables-save.8.in
-+++ pkg-iptables/iptables/iptables-save.8.in
-@@ -62,7 +62,7 @@ Rusty Russell <rusty@rustcorp.com.au>
- .br
- Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
- .SH SEE ALSO
--\fBiptables\-restore\fP(8), \fBiptables\fP(8)
-+\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
- .PP
- The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
- which details NAT, and the netfilter-hacking-HOWTO which details the

debian/patches/0202-725413-sctp_man_description.patch

-Subject: add SCTP extension man page description
-From: Laurence J. Lane <ljlane@debian.org>
-Bug: http://bugs.debian.org/725413
-
---- a/extensions/libxt_sctp.man
-+++ b/extensions/libxt_sctp.man
-@@ -1,3 +1,4 @@
-+This module matches Stream Control Transmission Protocol headers.
- .TP
- [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
- .TP

debian/patches/0301-install_iptables_apply.patch

-From 1f6e159b2c353f287142d8e0e1dc86e2fb38d277 Mon Sep 17 00:00:00 2001
-From: "Laurence J. Lane" <ljlane@debian.org>
-Date: Fri, 6 Sep 2013 18:36:05 -0400
-Subject: [PATCH] build: install iptables-apply
-
-Signed-off-by: Laurence J. Lane <ljlane@debian.org>
----
- iptables/Makefile.am       | 5 ++++-
- iptables/ip6tables-apply.8 | 1 +
- 2 files changed, 5 insertions(+), 1 deletion(-)
- create mode 100644 iptables/ip6tables-apply.8
-
-Index: pkg-iptables/iptables/Makefile.am
-===================================================================
---- pkg-iptables.orig/iptables/Makefile.am
-+++ pkg-iptables/iptables/Makefile.am
-@@ -53,7 +53,11 @@ sbin_PROGRAMS	+= xtables-nft-multi
- endif
- man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
-                    iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
--                   ip6tables-save.8 iptables-extensions.8
-+                   ip6tables-save.8 iptables-extensions.8 \
-+                   iptables-apply.8 ip6tables-apply.8
-+
-+sbin_SCRIPT      = iptables-apply
-+
- if ENABLE_NFTABLES
- man_MANS	+= xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
-                    iptables-translate.8 ip6tables-translate.8 \
-@@ -106,3 +110,4 @@ install-exec-hook:
- 	for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
- 	for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
- 	for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done;
-+	${LN_S} -f iptables-apply "${DESTDIR}${sbindir}/ip6tables-apply"
-Index: pkg-iptables/iptables/ip6tables-apply.8
-===================================================================
---- /dev/null
-+++ pkg-iptables/iptables/ip6tables-apply.8
-@@ -0,0 +1 @@
-+.so man8/iptables-apply.8

debian/patches/0401-580941-iptables_apply_update.patch

-From dafbc722de7bf7445a7650e5fe0778ac798dcd18 Mon Sep 17 00:00:00 2001
-From: Laurence J. Lane <ljlane@debian.org>
-Subject: [PATCH] iptables: update iptables-apply to v1.1
-Bug: http://bugs.debian.org/580941
-
-This is GW's update to iptables-apply. It does a code
-cleanup and adds two options: one runs a command and
-the other writes the sucessful rules file.
-
-I modified the script to use mktemp instead of tempfile. I also
-fixed a couple of hyphens in the man page addition.
-
-Signed-off-by: Laurence J. Lane <ljlane@debian.org>
----
- iptables-apply      |  310 ++++++++++++++++++++++++++++++++++++----------------
- iptables-apply.8.in |   48 +++++---
- 2 files changed, 247 insertions(+), 111 deletions(-)
-
---- a/iptables/iptables-apply
-+++ b/iptables/iptables-apply
-@@ -1,174 +1,294 @@
- #!/bin/bash
--#
- # iptables-apply -- a safer way to update iptables remotely
- #
--# Copyright © Martin F. Krafft <madduck@madduck.net>
-+# Usage:
-+#   iptables-apply [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]}
-+#
-+# Versions:
-+#   * 1.0 Copyright 2006 Martin F. Krafft <madduck@madduck.net>
-+#         Original version
-+#   * 1.1 Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>
-+#         Added parameter -c (run command)
-+#         Added parameter -w (save successfully applied rules to file)
-+#         Major code cleanup
-+#
- # Released under the terms of the Artistic Licence 2.0
- #
- set -eu
- 
--PROGNAME="${0##*/}";
--VERSION=1.0
-+PROGNAME="${0##*/}"
-+VERSION=1.1
-+
-+
-+### Default settings
-+
-+DEF_TIMEOUT=10
-+
-+MODE=0  # apply rulesfile mode
-+# MODE=1  # run command mode
-+
-+case "$PROGNAME" in
-+	(*6*)
-+		SAVE=ip6tables-save
-+		RESTORE=ip6tables-restore
-+		DEF_RULESFILE="/etc/network/ip6tables.up.rules"
-+		DEF_SAVEFILE="$DEF_RULESFILE"
-+		DEF_RUNCMD="/etc/network/ip6tables.up.run"
-+		;;
-+	(*)
-+		SAVE=iptables-save
-+		RESTORE=iptables-restore
-+		DEF_RULESFILE="/etc/network/iptables.up.rules"
-+		DEF_SAVEFILE="$DEF_RULESFILE"
-+		DEF_RUNCMD="/etc/network/iptables.up.run"
-+		;;
-+esac
-+
- 
--TIMEOUT=10
-+### Functions
- 
--function blurb()
--{
--	cat <<-_eof
-+function blurb() {
-+	cat <<-__EOF__
- 	$PROGNAME $VERSION -- a safer way to update iptables remotely
--	_eof
-+	__EOF__
- }
- 
--function copyright()
--{
--	cat <<-_eof
--	$PROGNAME is C Martin F. Krafft <madduck@madduck.net>.
--
--	The program has been published under the terms of the Artistic Licence 2.0
--	_eof
-+function copyright() {
-+	cat <<-__EOF__
-+	$PROGNAME has been published under the terms of the Artistic Licence 2.0.
-+
-+	Original version - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
-+	Version 1.1 - Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>.
-+	__EOF__
- }
- 
--function about()
--{
-+function about() {
- 	blurb
- 	echo
- 	copyright
- }
- 
--function usage()
--{
--	cat <<-_eof
--	Usage: $PROGNAME [options] ruleset
--
--	The script will try to apply a new ruleset (as output by iptables-save/read
--	by iptables-restore) to iptables, then prompt the user whether the changes
--	are okay. If the new ruleset cut the existing connection, the user will not
--	be able to answer affirmatively. In this case, the script rolls back to the
--	previous ruleset.
--
--	The following options may be specified, using standard conventions:
--
--	-t | --timeout	Specify the timeout in seconds (default: $TIMEOUT)
--	-V | --version	Display version information
--	-h | --help	Display this help text
--	_eof
-+function usage() {
-+	blurb
-+	echo
-+	cat <<-__EOF__
-+	Usage:
-+	  $PROGNAME [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]}
-+
-+	The script will try to apply a new rulesfile (as output by iptables-save,
-+	read by iptables-restore) or run a command to configure iptables and then
-+	prompt the user whether the changes are okay. If the new iptables rules cut
-+	the existing connection, the user will not be able to answer affirmatively.
-+	In this case, the script rolls back to the previous working iptables rules
-+	after the timeout expires.
-+
-+	Successfully applied rules can also be written to savefile and later used
-+	to roll back to this state. This can be used to implement a store last good
-+	configuration mechanism when experimenting with an iptables setup script:
-+	  $PROGNAME -w $DEF_SAVEFILE -c $DEF_RUNCMD
-+
-+	When called as ip6tables-apply, the script will use ip6tables-save/-restore
-+	and IPv6 default values instead. Default value for rulesfile is
-+	'$DEF_RULESFILE'.
-+
-+	Options:
-+
-+	-t seconds, --timeout seconds
-+	  Specify the timeout in seconds (default: $DEF_TIMEOUT).
-+	-w savefile, --write savefile
-+	  Specify the savefile where successfully applied rules will be written to
-+	  (default if empty string is given: $DEF_SAVEFILE).
-+	-c runcmd, --command runcmd
-+	  Run command runcmd to configure iptables instead of applying a rulesfile
-+	  (default: $DEF_RUNCMD).
-+	-h, --help
-+	  Display this help text.
-+	-V, --version
-+	  Display version information.
-+
-+	__EOF__
-+}
-+
-+function checkcommands() {
-+	for cmd in "${COMMANDS[@]}"; do
-+		if ! command -v "$cmd" >/dev/null; then
-+			echo "Error: needed command not found: $cmd" >&2
-+			exit 127
-+		fi
-+	done
-+}
-+
-+function revertrules() {
-+	echo -n "Reverting to old iptables rules... "
-+	"$RESTORE" <"$TMPFILE"
-+	echo "done."
- }
- 
--SHORTOPTS="t:Vh";
--LONGOPTS="timeout:,version,help";
-+
-+### Parsing and checking parameters
-+
-+TIMEOUT="$DEF_TIMEOUT"
-+SAVEFILE=""
-+
-+SHORTOPTS="t:w:chV";
-+LONGOPTS="timeout:,write:,command,help,version";
- 
- OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $?
- for opt in $OPTS; do
- 	case "$opt" in
--		(-*) unset OPT_STATE;;
-+		(-*)
-+			unset OPT_STATE
-+			;;
- 		(*)
- 			case "${OPT_STATE:-}" in
--				(SET_TIMEOUT)
--					eval TIMEOUT=$opt
--					case "$TIMEOUT" in
--						([0-9]*) :;;
--						(*)
--							echo "E: non-numeric timeout value." >&2
--							exit 1
--							;;
--					esac
-+				(SET_TIMEOUT) eval TIMEOUT=$opt;;
-+				(SET_SAVEFILE)
-+					eval SAVEFILE=$opt
-+					[ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE"
- 					;;
- 			esac
- 			;;
- 	esac
- 
- 	case "$opt" in
-+		(-t|--timeout) OPT_STATE="SET_TIMEOUT";;
-+		(-w|--write) OPT_STATE="SET_SAVEFILE";;
-+		(-c|--command) MODE=1;;
- 		(-h|--help) usage >&2; exit 0;;
- 		(-V|--version) about >&2; exit 0;;
--		(-t|--timeout) OPT_STATE=SET_TIMEOUT;;
- 		(--) break;;
- 	esac
- 	shift
- done
- 
--case "$PROGNAME" in
--	(*6*)
--		SAVE=ip6tables-save
--		RESTORE=ip6tables-restore
--		DEFAULT_FILE=/etc/network/ip6tables
--		;;
--	(*)
--		SAVE=iptables-save
--		RESTORE=iptables-restore
--		DEFAULT_FILE=/etc/network/iptables
--		;;
--esac
--
--FILE="${1:-$DEFAULT_FILE}";
--
--if [[ -z "$FILE" ]]; then
--	echo "E: missing file argument." >&2
-+# Validate parameters
-+if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then
-+	TIMEOUT=$(($TIMEOUT))
-+else
-+	echo "Error: timeout must be a positive number" >&2
- 	exit 1
- fi
- 
--if [[ ! -r "$FILE" ]]; then
--	echo "E: cannot read $FILE" >&2
--	exit 2
-+if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then
-+	echo "Error: savefile not writable: $SAVEFILE" >&2
-+	exit 8
- fi
- 
--COMMANDS=(tempfile "$SAVE" "$RESTORE")
-+case "$MODE" in
-+	(1)
-+		# Treat parameter as runcmd (run command mode)
-+		RUNCMD="${1:-$DEF_RUNCMD}"
-+		if [ ! -x "$RUNCMD" ]; then
-+			echo "Error: runcmd not executable: $RUNCMD" >&2
-+			exit 6
-+		fi
- 
--for cmd in "${COMMANDS[@]}"; do
--	if ! command -v $cmd >/dev/null; then
--		echo "E: command not found: $cmd" >&2
--		exit 127
--	fi
--done
-+		# Needed commands
-+		COMMANDS=(mktemp "$SAVE" "$RESTORE" "$RUNCMD")
-+		checkcommands
-+		;;
-+	(*)
-+		# Treat parameter as rulesfile (apply rulesfile mode)
-+		RULESFILE="${1:-$DEF_RULESFILE}";
-+		if [ ! -r "$RULESFILE" ]; then
-+			echo "Error: rulesfile not readable: $RULESFILE" >&2
-+			exit 2
-+		fi
- 
--umask 0700
-+		# Needed commands
-+		COMMANDS=(mktemp "$SAVE" "$RESTORE")
-+		checkcommands
-+		;;
-+esac
- 
--TMPFILE=$(tempfile -p iptap)
-+
-+### Begin work
-+
-+# Store old iptables rules to temporary file
-+TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX`
- trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
- 		      FPE USR1 SEGV USR2 PIPE ALRM TERM
- 
- if ! "$SAVE" >"$TMPFILE"; then
-+	# An error occured
- 	if ! grep -q ipt /proc/modules 2>/dev/null; then
--		echo "E: iptables support lacking from the kernel." >&2
-+		echo "Error: iptables support lacking from the kernel" >&2
- 		exit 3
- 	else
--		echo "E: unknown error saving current iptables ruleset." >&2
-+		echo "Error: unknown error saving old iptables rules: $TMPFILE" >&2
- 		exit 4
- 	fi
- fi
- 
-+# Legacy to stop the fail2ban daemon if present
- [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop
- 
--echo -n "Applying new ruleset... "
--if ! "$RESTORE" <"$FILE"; then
--	echo "failed."
--	echo "E: unknown error applying new iptables ruleset." >&2
--	exit 5
--else
--	echo "done."
--fi
-+# Configure iptables
-+case "$MODE" in
-+	(1)
-+		# Run command in background and kill it if it times out
-+		echo -n "Running command '$RUNCMD'... "
-+		"$RUNCMD" &
-+		CMD_PID=$!
-+		( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
-+		CMDTIMEOUT_PID=$!
-+		if ! wait "$CMD_PID"; then
-+			echo "failed."
-+			echo "Error: unknown error running command: $RUNCMD" >&2
-+			revertrules
-+			exit 7
-+		else
-+			echo "done."
-+		fi
-+		;;
-+	(*)
-+		# Apply iptables rulesfile
-+		echo -n "Applying new iptables rules from '$RULESFILE'... "
-+		if ! "$RESTORE" <"$RULESFILE"; then
-+			echo "failed."
-+			echo "Error: unknown error applying new iptables rules: $RULESFILE" >&2
-+			revertrules
-+			exit 5
-+		else
-+			echo "done."
-+		fi
-+		;;
-+esac
- 
-+# Prompt user for confirmation
- echo -n "Can you establish NEW connections to the machine? (y/N) "
- 
--read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || :
-+read -n1 -t "$TIMEOUT" ret 2>&1 || :
- case "${ret:-}" in
- 	(y*|Y*)
-+		# Success
- 		echo
-+
-+		if [ ! -z "$SAVEFILE" ]; then
-+			# Write successfully applied rules to the savefile
-+			echo "Writing successfully applied rules to '$SAVEFILE'..."
-+			if ! "$SAVE" >"$SAVEFILE"; then
-+				echo "Error: unknown error writing successfully applied rules: $SAVEFILE" >&2
-+				exit 9
-+			fi
-+		fi
-+
- 		echo "... then my job is done. See you next time."
- 		;;
- 	(*)
--		if [[ -z "${ret:-}" ]]; then
--			echo "apparently not..."
-+		# Failed
-+		echo
-+		if [ -z "${ret:-}" ]; then
-+			echo "Timeout! Something happened (or did not). Better play it safe..."
- 		else
--			echo
-+			echo "No affirmative response! Better play it safe..."
- 		fi
--		echo "Timeout. Something happened (or did not). Better play it safe..."
--		echo -n "Reverting to old ruleset... "
--		"$RESTORE" <"$TMPFILE";
--		echo "done."
-+		revertrules
- 		exit 255
- 		;;
- esac
- 
-+# Legacy to start the fail2ban daemon again
- [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start
- 
- exit 0
---- a/iptables/iptables-apply.8.in
-+++ b/iptables/iptables-apply.8.in
-@@ -1,6 +1,6 @@
- .\"     Title: iptables-apply
--.\"    Author: Martin F. Krafft
--.\"      Date: Jun 04, 2006
-+.\"    Author: Martin F. Krafft, GW
-+.\"      Date: May 10, 2010
- .\"
- .TH IPTABLES\-APPLY 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
- .\" disable hyphenation
-@@ -8,23 +8,37 @@
- .SH NAME
- iptables-apply \- a safer way to update iptables remotely
- .SH SYNOPSIS
--\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
-+\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
- .SH "DESCRIPTION"
- .PP
--iptables\-apply will try to apply a new ruleset (as output by
--iptables\-save/read by iptables\-restore) to iptables, then prompt the
--user whether the changes are okay. If the new ruleset cut the existing
--connection, the user will not be able to answer affirmatively. In this
--case, the script rolls back to the previous ruleset after the timeout
--expired. The timeout can be set with \fB\-t\fP.
--.PP
--When called as \fBip6tables\-apply\fP, the script will use
--ip6tables\-save/\-restore instead.
-+iptables\-apply will try to apply a new rulesfile (as output by
-+iptables-save, read by iptables-restore) or run a command to configure
-+iptables and then prompt the user whether the changes are okay. If the
-+new iptables rules cut the existing connection, the user will not be
-+able to answer affirmatively. In this case, the script rolls back to
-+the previous working iptables rules after the timeout expires.
-+.PP
-+Successfully applied rules can also be written to savefile and later used
-+to roll back to this state. This can be used to implement a store last good
-+configuration mechanism when experimenting with an iptables setup script:
-+iptables-apply \-w /etc/network/iptables.up.rules \-c /etc/network/iptables.up.run
-+.PP
-+When called as ip6tables\-apply, the script will use
-+ip6tables\-save/\-restore and IPv6 default values instead. Default
-+value for rulesfile is '/etc/network/iptables.up.rules'.
- .SH OPTIONS
- .TP
- \fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
--Sets the timeout after which the script will roll back to the previous
--ruleset.
-+Sets the timeout in seconds after which the script will roll back
-+to the previous ruleset (default: 10).
-+.TP
-+\fB\-w\fP \fIsavefile\fR, \fB\-\-write\fP \fIsavefile\fR
-+Specify the savefile where successfully applied rules will be written to
-+(default if empty string is given: /etc/network/iptables.up.rules).
-+.TP
-+\fB\-c\fP \fIruncmd\fR, \fB\-\-command\fP \fIruncmd\fR
-+Run command runcmd to configure iptables instead of applying a rulesfile
-+(default: /etc/network/iptables.up.run).
- .TP
- \fB\-h\fP, \fB\-\-help\fP
- Display usage information.
-@@ -36,9 +50,11 @@
- \fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
- .SH LEGALESE
- .PP
--iptables\-apply is copyright by Martin F. Krafft.
-+Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
-+Version 1.1 - Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>.
- .PP
--This manual page was written by Martin F. Krafft <madduck@madduck.net>
-+This manual page was written by Martin F. Krafft <madduck@madduck.net> and
-+extended by GW <gw.2010@tnode.com or http://gw.tnode.com/>.
- .PP
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the Artistic License 2.0.

debian/patches/notes

-01xx - debian specific patches
-02xx - documentation patches
-03xx - makefile/build patches
-04xx - code patches
-05xx - miscellaneous patches

debian/patches/series

-0000-upstream-bump-build-dep-libnftnl.patch
-0000-upstream-fix-restore-noflush.patch
-0000-upstream-xtables-restore-empty-lines.patch
-0101-changelog.patch
-0103-lintian_allows_to.patch
-0104-lintian_hyphens.patch
-0105-lintian_spelling.patch
-0201-660748-iptables_apply_man.patch
-0202-725413-sctp_man_description.patch
-0301-install_iptables_apply.patch
-0401-580941-iptables_apply_update.patch