iproute-5.12, iptables-1.8.4, and libnftnl-1.1.5

This commit updates iproute from 5.9 to 5.12, iptables from 1.4.21 to 1.8.4, and libnftnl from 1.0.8 to 1.1.5: - iproute 5.9 does not make use of libbpf, which causes the 'tc' utility (provided by iproute-tc) to report BTF debugging symbol-related warnings when eBPF programs are used with tc by the kernel's eBPF sample test programs, even though the programs appear to work: "BTF debug data section '.BTF' rejected: Invalid argument (22)!". - iptables 1.4.21 does not support the --object-pinned option, which is required to be able to use eBPF programs to match packets. - libnftnl >= 1.1.5 is a dependency for recent versions of iptables, and the version of libnftnl in StarlingX's CentOS 7 is 1.0.8. The versions which are used by this commit are the latest versions in CentOS 8-Stream as of this writing. Notes: - iptables software package bundles a version of ebtables different than the legacy version already included in StarlingX. The legacy version supports the broute table and the BROUTING chain and string matching, whereas the iptables version does not. The legacy version is deprecated by this commit based on feedback received from colleagues, mainly to avoid unexpected incompatibilities between ebtables-legacy and iptables' netfilter/nft-based versions. Verification: - All-in-One simplex installation and bootstrap was carried out successfully. - Installation and bootstrap was successful on two separate systems: One system consisting of 2 controller hosts, 4 compute hosts and 2 storage hosts, and another system consisting of 2 controller hosts and 2 compute hosts. - Configuration of aggregated links (after using ifenslave manually) and configuration of virtual function (VF) interfaces (also manually set up) were carried out with the iproute tools successfully as basic sanity tests. - The results of basic ebtables commands (insertion and removal of DROP rules) were observed in "ebtables -L" output and confirmed to take effect in a test bed consisting of two network namespaces connected by bridged interfaces, as a basic sanity test. - Sample eBPF test programs and scripts shipped with the v5.10 kernel were executed successfully, with the caveat that there is a need to install a recent version of LLVM to compile the eBPF test programs. (I built LLVM-13.0 from scratch.) Partial-Bug: #1949217 Depends-On: I24bb7c60e353643add5e63ae7ea7c6516d07c7bf Depends-On: I12d20797db91fecdac409b0535632ac97bd6ad47 Depends-On: If95c2d24c98cb2add5e24548bc45f505c94b4b79 Signed-off-by: M. Vefa Bicakci <vefa.bicakci@windriver.com> Change-Id: I63d557112c653d59b88ac3a4798dee0e89246612
2021-10-27 11:11:07 -04:00 · 2021-10-27 11:11:07 -04:00 · 36673774ee
parent ccf50bd652
commit 36673774ee
14 changed files with 199 additions and 11 deletions
--- a/2
+++ b/2
@ -97,3 +97,5 @@ gpu/gpu-operator
 tools/kexec-tools
 tools/libbpf
 networking/iproute
+networking/iptables
+networking/libnftnl
--- a/centos_srpms_3rdparties.lst
+++ b/centos_srpms_3rdparties.lst
@ -1,4 +1,6 @@
-iproute-5.9.0-4.el8.src.rpm#https://vault.centos.org/centos/8.4.2105/BaseOS/Source/SPackages/iproute-5.9.0-4.el8.src.rpm
+iproute-5.12.0-4.el8.src.rpm#https://vault.centos.org/8-stream/BaseOS/Source/SPackages/iproute-5.12.0-4.el8.src.rpm
+iptables-1.8.4-21.el8.src.rpm#https://vault.centos.org/8-stream/BaseOS/Source/SPackages/iptables-1.8.4-21.el8.src.rpm
+libnftnl-1.1.5-4.el8.src.rpm#https://vault.centos.org/8-stream/BaseOS/Source/SPackages/libnftnl-1.1.5-4.el8.src.rpm
 libvirt-python-4.7.0-1.fc28.src.rpm#https://libvirt.org/sources/python/libvirt-python-4.7.0-1.fc28.src.rpm
 linuxptp-3.1.1-1.el8.src.rpm#http://vault.centos.org/8-stream/AppStream/Source/SPackages/linuxptp-3.1.1-1.el8.src.rpm
 python-daemon-2.2.3-7.el8.src.rpm#http://vault.centos.org/8.0.1905/virt/Source/ovirt-44/python-daemon-2.2.3-7.el8.src.rpm
--- a/networking/iproute/centos/meta_patches/iproute.spec-Modify-Release-field-for-StarlingX.patch
+++ b/networking/iproute/centos/meta_patches/iproute.spec-Modify-Release-field-for-StarlingX.patch
@ -1,6 +1,6 @@
-From 36bc0ef90f0b05a91728c5f8633988131af8a0af Mon Sep 17 00:00:00 2001
+From 8b090dec49da1d238ce9e6be1b4b9627707a1c2f Mon Sep 17 00:00:00 2001
 From: "M. Vefa Bicakci" <vefa.bicakci@windriver.com>
-Date: Fri, 22 Oct 2021 16:37:34 -0400
+Date: Wed, 27 Oct 2021 11:59:52 -0400
 Subject: [PATCH] iproute.spec: Modify Release field for StarlingX

 This commit modifies the Release field of the iproute package's spec
@ -12,16 +12,18 @@ Signed-off-by: M. Vefa Bicakci <vefa.bicakci@windriver.com>
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/SPECS/iproute.spec b/SPECS/iproute.spec
-index 6ef0b529e0ce..b8f7ad1833df 100644
+index 1b5b5a719fdc..20869a9defbd 100644
 --- a/SPECS/iproute.spec
 +++ b/SPECS/iproute.spec
-@@ -1,5 +1,5 @@
- %define rpmversion 5.9.0
-%define specrelease 4%{?dist}
-+%define specrelease 4%{?_tis_dist}.%{tis_patch_ver}
- %define pkg_release %{specrelease}%{?buildid}
- 
+@@ -1,7 +1,7 @@
 Summary:            Advanced IP routing and network device configuration tools
+ Name:               iproute
+ Version:            5.12.0
+-Release:            4%{?dist}%{?buildid}
+Release:            4%{?_tis_dist}.%{tis_patch_ver}%{?buildid}
+ Group:              Applications/System
+ URL:                http://kernel.org/pub/linux/utils/net/%{name}2/
+ Source0:            http://kernel.org/pub/linux/utils/net/%{name}2/%{name}2-%{version}.tar.xz
 -- 
 2.29.2

--- a/networking/iproute/centos/srpm_path
+++ b/networking/iproute/centos/srpm_path
@ -1 +1 @@
-mirror:Source/iproute-5.9.0-4.el8.src.rpm
+mirror:Source/iproute-5.12.0-4.el8.src.rpm
--- a/networking/iptables/centos/build_srpm.data
+++ b/networking/iptables/centos/build_srpm.data
@ -0,0 +1,2 @@
+COPY_LIST="$DISTRO/patches/*"
+TIS_PATCH_VER=PKG_GITREVCOUNT
--- a/networking/iptables/centos/meta_patches/PATCH_ORDER
+++ b/networking/iptables/centos/meta_patches/PATCH_ORDER
@ -0,0 +1,2 @@
+iptables.spec-Modify-Release-field-for-StarlingX.patch
+iptables.spec-Add-a-patch-for-compat.-with-older-gli.patch
--- a/networking/iptables/centos/meta_patches/iptables.spec-Add-a-patch-for-compat.-with-older-gli.patch
+++ b/networking/iptables/centos/meta_patches/iptables.spec-Add-a-patch-for-compat.-with-older-gli.patch
@ -0,0 +1,43 @@
+From 281334baa2ea1b21abc9e70fe27980f81a19bca1 Mon Sep 17 00:00:00 2001
+From: "M. Vefa Bicakci" <vefa.bicakci@windriver.com>
+Date: Wed, 27 Oct 2021 14:45:36 -0400
+Subject: [PATCH] iptables.spec: Add a patch for compat. with older glibc
+
+This patch avoids the following compilation failures, which according to
+the description of the imported patch, occurs due to the older version
+of glibc in StarlingX:
+
+xtables-monitor.c:406:43: error: 'const struct tcphdr' has no member named 'th_sport'
+    printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
+
+xtables-monitor.c:406:66: error: 'const struct tcphdr' has no member named 'th_dport'
+    printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
+
+Signed-off-by: M. Vefa Bicakci <vefa.bicakci@windriver.com>
+---
+ SPECS/iptables.spec | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
+index cb4ac571791e..befe5ec262f1 100644
+--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
+@@ -32,6 +32,7 @@ Source10: ebtables-config
+ %if 0%{?bootstrap}
+ Source11: %{url}/files/%{name}-%{version_old}.tar.bz2
+ Source12: 0003-extensions-format-security-fixes-in-libip-6-t_icmp.patch
+Source13: 0013-xtables-monitor-fix-build-with-older-glibc.patch
+ %endif
+ 
+ Patch01: 0001-iptables-apply-Use-mktemp-instead-of-tempfile.patch
+@@ -231,6 +232,7 @@ replacement of the legacy tool.
+ pushd bootstrap_ver
+ %{__tar} --strip-components=1 -xf %{SOURCE11}
+ %{__patch} -p1 <%{SOURCE12}
+%{__patch} -p1 <%{SOURCE13}
+ popd
+ %endif
+ 
+-- 
+2.29.2
+
--- a/networking/iptables/centos/meta_patches/iptables.spec-Modify-Release-field-for-StarlingX.patch
+++ b/networking/iptables/centos/meta_patches/iptables.spec-Modify-Release-field-for-StarlingX.patch
@ -0,0 +1,29 @@
+From b64b3b0adc9391431fad330485993981fba5303c Mon Sep 17 00:00:00 2001
+From: "M. Vefa Bicakci" <vefa.bicakci@windriver.com>
+Date: Wed, 27 Oct 2021 12:30:19 -0400
+Subject: [PATCH] iptables.spec: Modify Release field for StarlingX
+
+This commit modifies the Release field of the iptables package's spec
+file for StarlingX.
+
+Signed-off-by: M. Vefa Bicakci <vefa.bicakci@windriver.com>
+---
+ SPECS/iptables.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
+index 58df10b96201..cb4ac571791e 100644
+--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
+@@ -17,7 +17,7 @@ Name: iptables
+ Summary: Tools for managing Linux kernel packet filtering capabilities
+ URL: http://www.netfilter.org/projects/iptables
+ Version: 1.8.4
+-Release: 21%{?dist}
+Release: 21%{?_tis_dist}.%{tis_patch_ver}
+ Source: %{url}/files/%{name}-%{version}.tar.bz2
+ Source1: iptables.init
+ Source2: iptables-config
+-- 
+2.29.2
+
--- a/networking/iptables/centos/patches/0013-xtables-monitor-fix-build-with-older-glibc.patch
+++ b/networking/iptables/centos/patches/0013-xtables-monitor-fix-build-with-older-glibc.patch
@ -0,0 +1,75 @@
+From 7c8791edac3e74f6ce0bf21f98bc820db8e55e62 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Fri, 16 Nov 2018 07:23:32 +0200
+Subject: [PATCH] xtables-monitor: fix build with older glibc
+
+glibc older than 2.19 only expose BSD style fields of struct tcphdr when
+_BSD_SOURCE is define. Current glibc however, warn that _BSD_SOURCE is
+deprecated. Migrate to the GNU style of tcphdr fields to make the code
+compatible with any glibc version.
+
+Fix the following build failure:
+
+xtables-monitor.c: In function 'trace_print_packet':
+xtables-monitor.c:406:43: error: 'const struct tcphdr' has no member named 'th_sport'
+    printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
+                                           ^
+xtables-monitor.c:406:66: error: 'const struct tcphdr' has no member named 'th_dport'
+    printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
+                                                                  ^
+...
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/xtables-monitor.c | 30 ++++++++++++++----------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
+index 3b1ca777a28a..5d1611122df5 100644
+--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
+@@ -403,26 +403,24 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg
+ 		case IPPROTO_UDP:
+ 			if (len < 4)
+ 				break;
+-			printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
+			printf("SPORT=%d DPORT=%d ", ntohs(tcph->source), ntohs(tcph->dest));
+ 			break;
+ 		case IPPROTO_TCP:
+ 			if (len < sizeof(*tcph))
+ 				break;
+-			printf("SPORT=%d DPORT=%d ", ntohs(tcph->th_sport), ntohs(tcph->th_dport));
+-			if (tcph->th_flags & (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)) {
+-				if (tcph->th_flags & TH_SYN)
+-					printf("SYN ");
+-				if (tcph->th_flags & TH_ACK)
+-					printf("ACK ");
+-				if (tcph->th_flags & TH_FIN)
+-					printf("FIN ");
+-				if (tcph->th_flags & TH_RST)
+-					printf("RST ");
+-				if (tcph->th_flags & TH_PUSH)
+-					printf("PSH ");
+-				if (tcph->th_flags & TH_URG)
+-					printf("URG ");
+-			}
+			printf("SPORT=%d DPORT=%d ", ntohs(tcph->source), ntohs(tcph->dest));
+			if (tcph->syn)
+				printf("SYN ");
+			if (tcph->ack)
+				printf("ACK ");
+			if (tcph->fin)
+				printf("FIN ");
+			if (tcph->rst)
+				printf("RST ");
+			if (tcph->psh)
+				printf("PSH ");
+			if (tcph->urg)
+				printf("URG ");
+ 			break;
+ 		default:
+ 			break;
+-- 
+2.29.2
+
--- a/networking/iptables/centos/srpm_path
+++ b/networking/iptables/centos/srpm_path
@ -0,0 +1 @@
+mirror:Source/iptables-1.8.4-21.el8.src.rpm
--- a/networking/libnftnl/centos/build_srpm.data
+++ b/networking/libnftnl/centos/build_srpm.data
@ -0,0 +1 @@
+TIS_PATCH_VER=PKG_GITREVCOUNT
--- a/networking/libnftnl/centos/meta_patches/PATCH_ORDER
+++ b/networking/libnftnl/centos/meta_patches/PATCH_ORDER
@ -0,0 +1 @@
+libnftnl.spec-Modify-Release-field-for-StarlingX.patch
--- a/networking/libnftnl/centos/meta_patches/libnftnl.spec-Modify-Release-field-for-StarlingX.patch
+++ b/networking/libnftnl/centos/meta_patches/libnftnl.spec-Modify-Release-field-for-StarlingX.patch
@ -0,0 +1,27 @@
+From 1f7f2beb8a94133938891fdff1fdd179603dd120 Mon Sep 17 00:00:00 2001
+From: "M. Vefa Bicakci" <vefa.bicakci@windriver.com>
+Date: Wed, 27 Oct 2021 13:38:14 -0400
+Subject: [PATCH] libnftnl.spec: Modify Release field for StarlingX
+
+This commit modifies the Release field of the libnftnl package's spec
+file for StarlingX.
+
+Signed-off-by: M. Vefa Bicakci <vefa.bicakci@windriver.com>
+---
+ SPECS/libnftnl.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec
+index 4769895895b7..19681de0c2af 100644
+--- a/SPECS/libnftnl.spec
+++ b/SPECS/libnftnl.spec
+@@ -1,5 +1,5 @@
+ %define rpmversion 1.1.5
+-%define specrelease 4%{?dist}
+%define specrelease 4%{?_tis_dist}.%{tis_patch_ver}
+ 
+ Name:           libnftnl
+ Version:        %{rpmversion}
+-- 
+2.29.2
+
--- a/networking/libnftnl/centos/srpm_path
+++ b/networking/libnftnl/centos/srpm_path
@ -0,0 +1 @@
+mirror:Source/libnftnl-1.1.5-4.el8.src.rpm
				`@ -0,0 +1 @@`
				`libnftnl.spec-Modify-Release-field-for-StarlingX.patch`