!50 sync patches from upstream community

From: @yangl777 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw

backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch

@@ -0,0 +1,96 @@
+From 4646703f6d8eb46355752ec033945405ca482d4e Mon Sep 17 00:00:00 2001
+From: Ralf Baechle <ralf@linux-mips.org>
+Date: Tue, 7 Feb 2017 22:10:51 +0100
+Subject: [PATCH] arping: Fix ARP protocol field for AX.25 and NETROM
+
+Conflict:NA
+Reference:https://github.com/iputils/iputils/commit/4646703f6d8eb46355752ec033945405ca482d4e.patch
+
+AX.25 and NETROM differ from other, more ethernet-like protocols in that
+they are not using a DIX protocol number but the AX.25 PID.  The arping code
+doesn't handle this special case resulting in invalid ARP packets being sent.
+
+The interface bpq0 is an AX.25-over-ethernet interface.  Without this
+fix:
+
+ # arping -c 1 -I bpq0 172.20.1.3
+ ARPING 172.20.1.3 from 172.20.1.2 bpq0
+ Sent 1 probes (1 broadcast(s))
+ Received 0 response(s)
+
+With this fix:
+
+ # arping -c 1 -I bpq0 172.20.1.3
+ ARPING 172.20.1.3 from 172.20.1.2 bpq0
+ Unicast reply from 172.20.1.3 [88:98:60:A0:92:40:02]  1.402ms
+ Sent 1 probes (1 broadcast(s))
+ Received 1 response(s)
+
+Closes: https://github.com/iputils/iputils/pull/360
+
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+[ pvorel: add new lines for readability ]
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+---
+ arping.c | 32 +++++++++++++++++++++++++++++---
+ 1 file changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 53fdbb48..5df6d9f0 100644
+--- a/arping.c
++++ b/arping.c
+@@ -37,6 +37,14 @@
+ 
+ #include "iputils_common.h"
+ 
++/*
++ * As of July 2021 AX.25 PID values are not currently defined in any
++ * userspace headers.
++ */
++#ifndef AX25_P_IP
++# define AX25_P_IP		0xcc	/* ARPA Internet Protocol     */
++#endif
++
+ #ifdef DEFAULT_DEVICE
+ # define DEFAULT_DEVICE_STR	DEFAULT_DEVICE
+ #else
+@@ -248,7 +256,17 @@ static int send_pack(struct run_state *ctl)
+ 	ah->ar_hrd = htons(ME->sll_hatype);
+ 	if (ah->ar_hrd == htons(ARPHRD_FDDI))
+ 		ah->ar_hrd = htons(ARPHRD_ETHER);
+-	ah->ar_pro = htons(ETH_P_IP);
++
++	/*
++	 * Exceptions everywhere. AX.25 uses the AX.25 PID value not the
++	 * DIX code for the protocol. Make these device structure fields.
++	 */
++	if (ah->ar_hrd == htons(ARPHRD_AX25) ||
++	    ah->ar_hrd == htons(ARPHRD_NETROM))
++		ah->ar_pro = htons(AX25_P_IP);
++	else
++		ah->ar_pro = htons(ETH_P_IP);
++
+ 	ah->ar_hln = ME->sll_halen;
+ 	ah->ar_pln = 4;
+ 	ah->ar_op  = ctl->advert ? htons(ARPOP_REPLY) : htons(ARPOP_REQUEST);
+@@ -341,9 +359,17 @@ static int recv_pack(struct run_state *ctl, unsigned char *buf, ssize_t len,
+ 	    (FROM->sll_hatype != ARPHRD_FDDI || ah->ar_hrd != htons(ARPHRD_ETHER)))
+ 		return 0;
+ 
+-	/* Protocol must be IP. */
+-	if (ah->ar_pro != htons(ETH_P_IP))
++	/*
++	 * Protocol must be IP - but exceptions everywhere. AX.25 and NETROM
++	 * use the AX.25 PID value not the DIX code for the protocol.
++	 */
++	if (ah->ar_hrd == htons(ARPHRD_AX25) ||
++	    ah->ar_hrd == htons(ARPHRD_NETROM)) {
++		if (ah->ar_pro != htons(AX25_P_IP))
++			return 0;
++	} else if (ah->ar_pro != htons(ETH_P_IP))
+ 		return 0;
++
+ 	if (ah->ar_pln != 4)
+ 		return 0;
+ 	if (ah->ar_hln != ((struct sockaddr_ll *)&ctl->me)->sll_halen)

backport-fix-clockdiff-is-server-down.patch

@@ -0,0 +1,42 @@
+From 34b9bc30b24ea0557772c7c9153ab5065db762ea Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Mon, 27 Dec 2021 20:27:43 +0800
+Subject: [PATCH] fix clockdiff is server down
+
+---
+ clockdiff.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/clockdiff.c b/clockdiff.c
+index 7836658..7fbb9dc 100644
+--- a/clockdiff.c
++++ b/clockdiff.c
+@@ -322,7 +322,7 @@ static int measure_inner_loop(struct run_state *ctl, struct measure_vars *mv)
+ 		if (diff < RANGE) {
+ 			mv->min1 = delta1;
+ 			mv->min2 = delta2;
+-			return BREAK;
++			return GOOD;
+ 		}
+ 	}
+ 	return CONTINUE;
+@@ -416,6 +416,8 @@ static int measure(struct run_state *ctl)
+ 				case BREAK:
+ 					escape = 1;
+ 					break;
++                                case GOOD:
++                                        goto good_exit;
+ 				case CONTINUE:
+ 					continue;
+ 				default:
+@@ -423,6 +425,7 @@ static int measure(struct run_state *ctl)
+ 			}
+ 		}
+ 	}
++good_exit:
+ 	ctl->measure_delta = (mv.min1 - mv.min2) / 2 + PROCESSING_TIME;
+ 	return GOOD;
+ }
+-- 
+2.27.0
+

backport-ping-Fix-ping6-binding-to-VRF-and-address.patch

@@ -0,0 +1,97 @@
+From 7c65999f98bc4a1984594b7fad1af0eaf0b9d34b Mon Sep 17 00:00:00 2001
+From: Lahav Schlesinger <lschlesinger@drivenets.com>
+Date: Wed, 30 Jun 2021 13:06:13 +0300
+Subject: [PATCH] ping: Fix ping6 binding to VRF and address
+
+Since Linux kernel commit 1893ff20275b ("net/ipv6: Add l3mdev check to
+ipv6_chk_addr_and_flags") from v4.17-rc1 ping fails when trying to
+create IPv6 SOCK_RAW socket (e.g. if net.ipv4.ping_group_range = 1 0)
+and passing both -I <vrf_interface> and -I <local_ipv6_addr>.
+It works for IPv4 SOCK_RAW socket.
+
+    # ip netns add tmp_ns
+    # ip -n tmp_ns link add vrf_1 type vrf table 10001
+    # ip -n tmp_ns link add lo10 type dummy
+    # ip -n tmp_ns link set lo10 master vrf_1
+    # ip -n tmp_ns link set vrf_1 up
+    # ip -n tmp_ns link set lo10 up
+    # ip -n tmp_ns link set lo up
+    # ip -n tmp_ns addr add 1:2::3:4/128 dev lo10
+    # ip -n tmp_ns addr add 1.2.3.4/32 dev lo10
+
+    # ip netns exec tmp_ns ping -6 1:2::3:4 -I vrf_1 -I 1:2::3:4 -c 1 # IPv6 broken
+    ping: bind icmp socket: Cannot assign requested address
+
+    # ping  1.2.3.4 -I vrf_1 -I 1.2.3.4 -c 1 # IPv4 working
+    PING 1.2.3.4 (1.2.3.4) from 1.2.3.4 vrf_1: 56(84) bytes of data.
+    64 bytes from 1.2.3.4: icmp_seq=1 ttl=64 time=0.090 ms
+
+    --- 1.2.3.4 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
+
+ping fails because it doesn't actually bind to the VRF interface, while
+after 1893ff20275b, binding to an IPv6 address searches only on the same
+l3mdev as the device the function receives. If the socket wasn't
+SO_BINDTODEVICE-ed, then the kernel will only search for devices that
+are not ensalved to an l3mdev device (= in the default VRF), which will
+cause the bind() to fail.
+
+Only SOCK_RAW socket is affected. SOCK_DGRAM is not affected because
+Linux kernel doesn't check the device the socket was SO_BINDTODEVICE-ed
+to, but only the device from addr->sin6_scope_id (which if none is
+passed, it will again only search devices in the default VRF).
+
+NOTE: creating network namespace to reproduce the issue is needed just
+on systems with net.ipv4.ping_group_range = 0 2147483647 (e.g. current
+Fedora, openSUSE, Ubuntu), which causes to use SOCK_DGRAM socket.
+Alternatively to force SOCK_RAW to it'd be enough just to properly set
+net.ipv4.ping_group_range:
+
+    # echo "1 0" > /proc/sys/net/ipv4/ping_group_range
+
+Closes: https://github.com/iputils/iputils/pull/344
+
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Lahav Schlesinger <lschlesinger@drivenets.com>
+[ pvorel: adjusted commit message ]
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+
+Conflict: Modifying "rts->device" to "device" and "ping/ping6_common.c" to "ping6_common.c"
+Reference: https://github.com/iputils/iputils/commit/7c65999f98bc4a1984594b7fad1af0eaf0b9d34b.patch
+---
+ ping6_common.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ping6_common.c b/ping6_common.c
+index ed6168d..4eaa4f6 100644
+--- a/ping6_common.c
++++ b/ping6_common.c
+@@ -678,6 +678,8 @@ int ping6_run(int argc, char **argv, struct addrinfo *ai, struct socket_st *sock
+ 	if (device) {
+ 		struct cmsghdr *cmsg;
+ 		struct in6_pktinfo *ipi;
++		int rc;
++		int errno_save;
+ 
+ 		cmsg = (struct cmsghdr *)(cmsgbuf + cmsglen);
+ 		cmsglen += CMSG_SPACE(sizeof(*ipi));
+@@ -688,6 +690,15 @@ int ping6_run(int argc, char **argv, struct addrinfo *ai, struct socket_st *sock
+ 		ipi = (struct in6_pktinfo *)CMSG_DATA(cmsg);
+ 		memset(ipi, 0, sizeof(*ipi));
+ 		ipi->ipi6_ifindex = if_name2index(device);
++
++		enable_capability_raw();
++		rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
++				device, strlen(device) + 1);
++		errno_save = errno;
++		disable_capability_raw();
++
++		if (rc == -1)
++			error(2, errno_save, "SO_BINDTODEVICE %s", device);
+ 	}
+ 
+	if ((whereto.sin6_addr.s6_addr16[0] & htons(0xff00)) == htons(0xff00)) {
+-- 
+2.27.0
+

backport-ping6-Avoid-binding-to-non-VRF.patch

@@ -0,0 +1,56 @@
+From f52b582248f1f870e870a9973621805d969906b4 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Tue, 9 Nov 2021 02:39:56 +0100
+Subject: [PATCH] ping6: Avoid binding to non-VRF
+
+This fixes permission issue when specifying just address (without VRF)
+unless having CAP_NET_ADMIN (i.e. root) permission:
+
+    $ ./builddir/ping/ping -c1 -I lo ::1
+    ./builddir/ping/ping: SO_BINDTODEVICE lo: Operation not permitted
+
+because setsockopt() SO_BINDTODEVICE (similar to bind()) can be only done on
+opt_strictsource.
+
+Fixes: 7c65999 ("ping: Fix ping6 binding to VRF and address")
+
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+
+Conflict: Modifying "rts->opt_strictsource" to "options & F_STRICTSOURCE" and "rts->device" to "device","ping/ping6_common.c" to "ping6_common.c"
+Reference: https://github.com/iputils/iputils/commit/f52b582248f1f870e870a9973621805d969906b4.patch
+---
+ ping6_common.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/ping6_common.c b/ping6_common.c
+index 4eaa4f6..eb7ca70 100644
+--- a/ping6_common.c
++++ b/ping6_common.c
+@@ -691,14 +691,16 @@ int ping6_run(int argc, char **argv, struct addrinfo *ai, struct socket_st *sock
+ 		memset(ipi, 0, sizeof(*ipi));
+ 		ipi->ipi6_ifindex = if_name2index(device);
+ 
+-		enable_capability_raw();
+-		rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+-				device, strlen(device) + 1);
+-		errno_save = errno;
+-		disable_capability_raw();
+-
+-		if (rc == -1)
+-			error(2, errno_save, "SO_BINDTODEVICE %s", device);
++		if (options & F_STRICTSOURCE) {
++			enable_capability_raw();
++			rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
++					device, strlen(device) + 1);
++			errno_save = errno;
++			disable_capability_raw();
++
++			if (rc == -1)
++				error(2, errno_save, "SO_BINDTODEVICE %s", device);
++		}
+ 	}
+ 
+	if ((whereto.sin6_addr.s6_addr16[0] & htons(0xff00)) == htons(0xff00)) {
+-- 
+2.27.0
+

bugfix-arpping-make-update-neighbours-work-again.patch

@@ -0,0 +1,77 @@
+From 86ed08936d49e2c81ef49dfbd02aca1c74d0c098 Mon Sep 17 00:00:00 2001
+From: lac-0073 <61903197+lac-0073@users.noreply.github.com>
+Date: Mon, 26 Oct 2020 09:45:42 +0800
+Subject: [PATCH] arpping: make update neighbours work again
+
+The arping is using inconsistent sender_ip_addr and target_ip_addr in
+messages.  This causes the client receiving the arp message not to update
+the arp table entries.
+
+The specific performance is as follows:
+
+There is a machine 2 with IP 10.20.30.3 configured on eth0:0 that is in the
+same IP subnet as eth0.  This IP was originally used on another machine 1,
+and th IP needs to be changed back to the machine 1.  When using the arping
+command to announce what ethernet address has IP 10.20.30.3, the arp table
+on machine 3 is not updated.
+
+Machine 3 original arp table:
+
+    10.20.30.3  machine 2 eth0:0    00:00:00:00:00:02
+    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
+    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
+
+Create interface eth0:0 on machine 1, and use the arping command to send arp
+packets.  Expected outcome on machine 3:
+
+    10.20.30.3  machine 1 eth0:0    00:00:00:00:00:01
+    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
+    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
+
+Actual results on machine 3:
+
+    10.20.30.3  machine 2 eth0:0    00:00:00:00:00:02
+    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
+    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
+
+Fixes: https://github.com/iputils/iputils/issues/298
+Fixes: 68f12fc4a0dbef4ae4c404da24040d22c5a14339
+Signed-off-by: Aichun Li <liaichun@huawei.com>
+---
+ arping.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index a002786..53fdbb4 100644
+--- a/arping.c
++++ b/arping.c
+@@ -968,7 +968,7 @@ int main(int argc, char **argv)
+ 		}
+ 		memset(&saddr, 0, sizeof(saddr));
+ 		saddr.sin_family = AF_INET;
+-		if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
++		if (ctl.source || ctl.gsrc.s_addr) {
+ 			saddr.sin_addr = ctl.gsrc;
+ 			if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+ 				error(2, errno, "bind");
+@@ -979,12 +979,14 @@ int main(int argc, char **argv)
+ 			saddr.sin_port = htons(1025);
+ 			saddr.sin_addr = ctl.gdst;
+ 
+-			if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
+-				error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
+-			if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+-				error(2, errno, "connect");
+-			if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
+-				error(2, errno, "getsockname");
++			if (!ctl.unsolicited) {
++				if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
++					error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
++				if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
++					error(2, errno, "connect");
++				if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
++					error(2, errno, "getsockname");
++			}
+ 			ctl.gsrc = saddr.sin_addr;
+ 		}
+ 		close(probe_fd);

bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch

@@ -0,0 +1,37 @@
+From 21d0826711b750367edaf01645aac1d03b3b7611 Mon Sep 17 00:00:00 2001
+From: Sami Kerola <kerolasa@iki.fi>
+Date: Wed, 3 Mar 2021 20:51:18 +0000
+Subject: [PATCH] rdisc: remove PrivateUsers=yes from systemd service file
+
+Quoting systemd.exec(5) manual page 'Specifically this means that the
+process will have zero process capabilities on the host's user namespace'.
+That does not combine will with CAP_NET_RAW that needs to take effect host's
+namespace.
+
+Secondly add CapabilityBoundingSet that is will ensure capabilities are
+limited to the one and only capability it needs.
+
+Fixes: https://github.com/iputils/iputils/issues/314
+Reference: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=
+Signed-off-by: Sami Kerola <kerolasa@iki.fi>
+---
+ systemd/rdisc.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
+index 4e2a1ec..6ef7fc3 100644
+--- a/systemd/rdisc.service.in
++++ b/systemd/rdisc.service.in
+@@ -9,8 +9,8 @@ EnvironmentFile=-/etc/sysconfig/rdisc
+ ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
+ 
+ AmbientCapabilities=CAP_NET_RAW
++CapabilityBoundingSet=CAP_NET_RAW
+ PrivateTmp=yes
+-PrivateUsers=yes
+ ProtectSystem=strict
+ ProtectHome=yes
+ ProtectControlGroups=yes
+-- 
+2.23.0
+

iputils.spec

@@ -1,6 +1,6 @@
 Name:            iputils
 Version:         20190709
-Release:         5
+Release:         9
 Summary:         Network monitoring tools including ping
 License:         BSD and GPLv2+
 URL:             https://github.com/iputils/iputils
@@ -16,10 +16,16 @@ Patch100:        iputils-ifenslave.patch
 
 Patch6000:       0001-iputils-arpings.patch
 Patch6001:       0002-iputils-arpings-count.patch
+Patch6002:       bugfix-arpping-make-update-neighbours-work-again.patch
+Patch6003:       bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
+Patch6004:       backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
+Patch6005:       backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
+Patch6006:       backport-ping6-Avoid-binding-to-non-VRF.patch
 
 Patch9000:       bugfix-fix-ping-dead-loop.patch
 Patch9001:       bugfix-arping-w-does-not-take-effect.patch
 Patch9002:       bugfix-fix-update-problem.patch
+Patch9003:       backport-fix-clockdiff-is-server-down.patch
 
 BuildRequires:   gcc meson libidn2-devel openssl-devel libcap-devel libxslt
 BuildRequires:   docbook5-style-xsl systemd glibc-kernheaders gettext
@@ -44,9 +50,15 @@ cp %{SOURCE4} %{SOURCE5} .
 %patch100  -p1
 %patch6000 -p1
 %patch6001 -p1
+%patch6002 -p1
+%patch6003 -p1
+%patch6004 -p1
+%patch6005 -p1
+%patch6006 -p1
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
+%patch9003 -p1
 
 %build
   export CFLAGS="-fpie"
@@ -101,6 +113,32 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 %{_mandir}/man8/*.8.gz
 
 %changelog
+* Sat May 14 2022 yanglu <yanglu72@h-partners.com> - 20190709-9
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:fix ping6 binding to VRF and address
+       Avoid binding to non-VRF
+       Fix ARP protocol field for AX.25 and NETROM
+
+* Mon Dec 27 2021 liugang <liuganga@uniontech.com> - 20190709-8
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:fix clockdiff is server down
+
+* Mon May 17 2021 gaihuiying <gaihuiying1@huawei.com> - 20190709-7
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:sync 21.03 patch to fix rdisc service failed
+
+* Thu Dec 10 2020 lunankun <lunankun@huawei.com> - 20190709-6
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC: fix arping update neighbours
+
 * Fri May 22 2020 liaichun <liaichun@huawei.com> - 20190709-5
 - Type:bugfix
 - Id:NA