7 changed files with 1 additions and 444 deletions
--- a/backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
+++ b/backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
@ -1,96 +0,0 @@
 From 4646703f6d8eb46355752ec033945405ca482d4e Mon Sep 17 00:00:00 2001
 From: Ralf Baechle <ralf@linux-mips.org>
 Date: Tue, 7 Feb 2017 22:10:51 +0100
 Subject: [PATCH] arping: Fix ARP protocol field for AX.25 and NETROM
 Conflict:NA
 Reference:https://github.com/iputils/iputils/commit/4646703f6d8eb46355752ec033945405ca482d4e.patch
 AX.25 and NETROM differ from other, more ethernet-like protocols in that
 they are not using a DIX protocol number but the AX.25 PID.  The arping code
 doesn't handle this special case resulting in invalid ARP packets being sent.
 The interface bpq0 is an AX.25-over-ethernet interface.  Without this
 fix:
 # arping -c 1 -I bpq0 172.20.1.3
 ARPING 172.20.1.3 from 172.20.1.2 bpq0
 Sent 1 probes (1 broadcast(s))
 Received 0 response(s)
 With this fix:
 # arping -c 1 -I bpq0 172.20.1.3
 ARPING 172.20.1.3 from 172.20.1.2 bpq0
 Unicast reply from 172.20.1.3 [88:98:60:A0:92:40:02]  1.402ms
 Sent 1 probes (1 broadcast(s))
 Received 1 response(s)
 Closes: https://github.com/iputils/iputils/pull/360
 Reviewed-by: Petr Vorel <pvorel@suse.cz>
 Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
 [ pvorel: add new lines for readability ]
 Signed-off-by: Petr Vorel <pvorel@suse.cz>
 ---
 arping.c | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
 diff --git a/arping.c b/arping.c
 index 53fdbb48..5df6d9f0 100644
 --- a/arping.c
 +++ b/arping.c
@@ -37,6 +37,14 @@
 #include "iputils_common.h"
 +/*
 + * As of July 2021 AX.25 PID values are not currently defined in any
 + * userspace headers.
 + */
 +#ifndef AX25_P_IP
 +# define AX25_P_IP		0xcc	/* ARPA Internet Protocol     */
 +#endif
 +
 #ifdef DEFAULT_DEVICE
 # define DEFAULT_DEVICE_STR	DEFAULT_DEVICE
 #else
@@ -248,7 +256,17 @@ static int send_pack(struct run_state *ctl)
 	ah->ar_hrd = htons(ME->sll_hatype);
 	if (ah->ar_hrd == htons(ARPHRD_FDDI))
 		ah->ar_hrd = htons(ARPHRD_ETHER);
 -	ah->ar_pro = htons(ETH_P_IP);
 +
 +	/*
 +	 * Exceptions everywhere. AX.25 uses the AX.25 PID value not the
 +	 * DIX code for the protocol. Make these device structure fields.
 +	 */
 +	if (ah->ar_hrd == htons(ARPHRD_AX25) ||
 +	    ah->ar_hrd == htons(ARPHRD_NETROM))
 +		ah->ar_pro = htons(AX25_P_IP);
 +	else
 +		ah->ar_pro = htons(ETH_P_IP);
 +
 	ah->ar_hln = ME->sll_halen;
 	ah->ar_pln = 4;
 	ah->ar_op  = ctl->advert ? htons(ARPOP_REPLY) : htons(ARPOP_REQUEST);
@@ -341,9 +359,17 @@ static int recv_pack(struct run_state *ctl, unsigned char *buf, ssize_t len,
 	    (FROM->sll_hatype != ARPHRD_FDDI || ah->ar_hrd != htons(ARPHRD_ETHER)))
 		return 0;
 -	/* Protocol must be IP. */
 -	if (ah->ar_pro != htons(ETH_P_IP))
 +	/*
 +	 * Protocol must be IP - but exceptions everywhere. AX.25 and NETROM
 +	 * use the AX.25 PID value not the DIX code for the protocol.
 +	 */
 +	if (ah->ar_hrd == htons(ARPHRD_AX25) ||
 +	    ah->ar_hrd == htons(ARPHRD_NETROM)) {
 +		if (ah->ar_pro != htons(AX25_P_IP))
 +			return 0;
 +	} else if (ah->ar_pro != htons(ETH_P_IP))
 		return 0;
 +
 	if (ah->ar_pln != 4)
 		return 0;
 	if (ah->ar_hln != ((struct sockaddr_ll *)&ctl->me)->sll_halen)
--- a/backport-fix-clockdiff-is-server-down.patch
+++ b/backport-fix-clockdiff-is-server-down.patch
@ -1,42 +0,0 @@
 From 34b9bc30b24ea0557772c7c9153ab5065db762ea Mon Sep 17 00:00:00 2001
 From: root <root@localhost.localdomain>
 Date: Mon, 27 Dec 2021 20:27:43 +0800
 Subject: [PATCH] fix clockdiff is server down
 ---
 clockdiff.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/clockdiff.c b/clockdiff.c
 index 7836658..7fbb9dc 100644
 --- a/clockdiff.c
 +++ b/clockdiff.c
@@ -322,7 +322,7 @@ static int measure_inner_loop(struct run_state *ctl, struct measure_vars *mv)
 		if (diff < RANGE) {
 			mv->min1 = delta1;
 			mv->min2 = delta2;
 -			return BREAK;
 +			return GOOD;
 		}
 	}
 	return CONTINUE;
@@ -416,6 +416,8 @@ static int measure(struct run_state *ctl)
 				case BREAK:
 					escape = 1;
 					break;
 +                                case GOOD:
 +                                        goto good_exit;
 				case CONTINUE:
 					continue;
 				default:
@@ -423,6 +425,7 @@ static int measure(struct run_state *ctl)
 			}
 		}
 	}
 +good_exit:
 	ctl->measure_delta = (mv.min1 - mv.min2) / 2 + PROCESSING_TIME;
 	return GOOD;
 }
 -- 
 2.27.0
--- a/backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
+++ b/backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
@ -1,97 +0,0 @@
 From 7c65999f98bc4a1984594b7fad1af0eaf0b9d34b Mon Sep 17 00:00:00 2001
 From: Lahav Schlesinger <lschlesinger@drivenets.com>
 Date: Wed, 30 Jun 2021 13:06:13 +0300
 Subject: [PATCH] ping: Fix ping6 binding to VRF and address
 Since Linux kernel commit 1893ff20275b ("net/ipv6: Add l3mdev check to
 ipv6_chk_addr_and_flags") from v4.17-rc1 ping fails when trying to
 create IPv6 SOCK_RAW socket (e.g. if net.ipv4.ping_group_range = 1 0)
 and passing both -I <vrf_interface> and -I <local_ipv6_addr>.
 It works for IPv4 SOCK_RAW socket.
    # ip netns add tmp_ns
    # ip -n tmp_ns link add vrf_1 type vrf table 10001
    # ip -n tmp_ns link add lo10 type dummy
    # ip -n tmp_ns link set lo10 master vrf_1
    # ip -n tmp_ns link set vrf_1 up
    # ip -n tmp_ns link set lo10 up
    # ip -n tmp_ns link set lo up
    # ip -n tmp_ns addr add 1:2::3:4/128 dev lo10
    # ip -n tmp_ns addr add 1.2.3.4/32 dev lo10
    # ip netns exec tmp_ns ping -6 1:2::3:4 -I vrf_1 -I 1:2::3:4 -c 1 # IPv6 broken
    ping: bind icmp socket: Cannot assign requested address
    # ping  1.2.3.4 -I vrf_1 -I 1.2.3.4 -c 1 # IPv4 working
    PING 1.2.3.4 (1.2.3.4) from 1.2.3.4 vrf_1: 56(84) bytes of data.
    64 bytes from 1.2.3.4: icmp_seq=1 ttl=64 time=0.090 ms
    --- 1.2.3.4 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
 ping fails because it doesn't actually bind to the VRF interface, while
 after 1893ff20275b, binding to an IPv6 address searches only on the same
 l3mdev as the device the function receives. If the socket wasn't
 SO_BINDTODEVICE-ed, then the kernel will only search for devices that
 are not ensalved to an l3mdev device (= in the default VRF), which will
 cause the bind() to fail.
 Only SOCK_RAW socket is affected. SOCK_DGRAM is not affected because
 Linux kernel doesn't check the device the socket was SO_BINDTODEVICE-ed
 to, but only the device from addr->sin6_scope_id (which if none is
 passed, it will again only search devices in the default VRF).
 NOTE: creating network namespace to reproduce the issue is needed just
 on systems with net.ipv4.ping_group_range = 0 2147483647 (e.g. current
 Fedora, openSUSE, Ubuntu), which causes to use SOCK_DGRAM socket.
 Alternatively to force SOCK_RAW to it'd be enough just to properly set
 net.ipv4.ping_group_range:
    # echo "1 0" > /proc/sys/net/ipv4/ping_group_range
 Closes: https://github.com/iputils/iputils/pull/344
 Reviewed-by: Petr Vorel <pvorel@suse.cz>
 Signed-off-by: Lahav Schlesinger <lschlesinger@drivenets.com>
 [ pvorel: adjusted commit message ]
 Signed-off-by: Petr Vorel <pvorel@suse.cz>
 Conflict: Modifying "rts->device" to "device" and "ping/ping6_common.c" to "ping6_common.c"
 Reference: https://github.com/iputils/iputils/commit/7c65999f98bc4a1984594b7fad1af0eaf0b9d34b.patch
 ---
 ping6_common.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/ping6_common.c b/ping6_common.c
 index ed6168d..4eaa4f6 100644
 --- a/ping6_common.c
 +++ b/ping6_common.c
@@ -678,6 +678,8 @@ int ping6_run(int argc, char **argv, struct addrinfo *ai, struct socket_st *sock
 	if (device) {
 		struct cmsghdr *cmsg;
 		struct in6_pktinfo *ipi;
 +		int rc;
 +		int errno_save;
 		cmsg = (struct cmsghdr *)(cmsgbuf + cmsglen);
 		cmsglen += CMSG_SPACE(sizeof(*ipi));
@@ -688,6 +690,15 @@ int ping6_run(int argc, char **argv, struct addrinfo *ai, struct socket_st *sock
 		ipi = (struct in6_pktinfo *)CMSG_DATA(cmsg);
 		memset(ipi, 0, sizeof(*ipi));
 		ipi->ipi6_ifindex = if_name2index(device);
 +
 +		enable_capability_raw();
 +		rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
 +				device, strlen(device) + 1);
 +		errno_save = errno;
 +		disable_capability_raw();
 +
 +		if (rc == -1)
 +			error(2, errno_save, "SO_BINDTODEVICE %s", device);
 	}
 	if ((whereto.sin6_addr.s6_addr16[0] & htons(0xff00)) == htons(0xff00)) {
 -- 
 2.27.0
--- a/backport-ping6-Avoid-binding-to-non-VRF.patch
+++ b/backport-ping6-Avoid-binding-to-non-VRF.patch
@ -1,56 +0,0 @@
 From f52b582248f1f870e870a9973621805d969906b4 Mon Sep 17 00:00:00 2001
 From: Petr Vorel <pvorel@suse.cz>
 Date: Tue, 9 Nov 2021 02:39:56 +0100
 Subject: [PATCH] ping6: Avoid binding to non-VRF
 This fixes permission issue when specifying just address (without VRF)
 unless having CAP_NET_ADMIN (i.e. root) permission:
    $ ./builddir/ping/ping -c1 -I lo ::1
    ./builddir/ping/ping: SO_BINDTODEVICE lo: Operation not permitted
 because setsockopt() SO_BINDTODEVICE (similar to bind()) can be only done on
 opt_strictsource.
 Fixes: 7c65999 ("ping: Fix ping6 binding to VRF and address")
 Signed-off-by: Petr Vorel <pvorel@suse.cz>
 Conflict: Modifying "rts->opt_strictsource" to "options & F_STRICTSOURCE" and "rts->device" to "device","ping/ping6_common.c" to "ping6_common.c"
 Reference: https://github.com/iputils/iputils/commit/f52b582248f1f870e870a9973621805d969906b4.patch
 ---
 ping6_common.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
 diff --git a/ping6_common.c b/ping6_common.c
 index 4eaa4f6..eb7ca70 100644
 --- a/ping6_common.c
 +++ b/ping6_common.c
@@ -691,14 +691,16 @@ int ping6_run(int argc, char **argv, struct addrinfo *ai, struct socket_st *sock
 		memset(ipi, 0, sizeof(*ipi));
 		ipi->ipi6_ifindex = if_name2index(device);
 -		enable_capability_raw();
 -		rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
 -				device, strlen(device) + 1);
 -		errno_save = errno;
 -		disable_capability_raw();
 -
 -		if (rc == -1)
 -			error(2, errno_save, "SO_BINDTODEVICE %s", device);
 +		if (options & F_STRICTSOURCE) {
 +			enable_capability_raw();
 +			rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
 +					device, strlen(device) + 1);
 +			errno_save = errno;
 +			disable_capability_raw();
 +
 +			if (rc == -1)
 +				error(2, errno_save, "SO_BINDTODEVICE %s", device);
 +		}
 	}
 	if ((whereto.sin6_addr.s6_addr16[0] & htons(0xff00)) == htons(0xff00)) {
 -- 
 2.27.0
--- a/bugfix-arpping-make-update-neighbours-work-again.patch
+++ b/bugfix-arpping-make-update-neighbours-work-again.patch
@ -1,77 +0,0 @@
 From 86ed08936d49e2c81ef49dfbd02aca1c74d0c098 Mon Sep 17 00:00:00 2001
 From: lac-0073 <61903197+lac-0073@users.noreply.github.com>
 Date: Mon, 26 Oct 2020 09:45:42 +0800
 Subject: [PATCH] arpping: make update neighbours work again
 The arping is using inconsistent sender_ip_addr and target_ip_addr in
 messages.  This causes the client receiving the arp message not to update
 the arp table entries.
 The specific performance is as follows:
 There is a machine 2 with IP 10.20.30.3 configured on eth0:0 that is in the
 same IP subnet as eth0.  This IP was originally used on another machine 1,
 and th IP needs to be changed back to the machine 1.  When using the arping
 command to announce what ethernet address has IP 10.20.30.3, the arp table
 on machine 3 is not updated.
 Machine 3 original arp table:
    10.20.30.3  machine 2 eth0:0    00:00:00:00:00:02
    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
 Create interface eth0:0 on machine 1, and use the arping command to send arp
 packets.  Expected outcome on machine 3:
    10.20.30.3  machine 1 eth0:0    00:00:00:00:00:01
    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
 Actual results on machine 3:
    10.20.30.3  machine 2 eth0:0    00:00:00:00:00:02
    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
 Fixes: https://github.com/iputils/iputils/issues/298
 Fixes: 68f12fc4a0dbef4ae4c404da24040d22c5a14339
 Signed-off-by: Aichun Li <liaichun@huawei.com>
 ---
 arping.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
 diff --git a/arping.c b/arping.c
 index a002786..53fdbb4 100644
 --- a/arping.c
 +++ b/arping.c
@@ -968,7 +968,7 @@ int main(int argc, char **argv)
 		}
 		memset(&saddr, 0, sizeof(saddr));
 		saddr.sin_family = AF_INET;
 -		if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
 +		if (ctl.source || ctl.gsrc.s_addr) {
 			saddr.sin_addr = ctl.gsrc;
 			if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
 				error(2, errno, "bind");
@@ -979,12 +979,14 @@ int main(int argc, char **argv)
 			saddr.sin_port = htons(1025);
 			saddr.sin_addr = ctl.gdst;
 -			if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
 -				error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
 -			if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
 -				error(2, errno, "connect");
 -			if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
 -				error(2, errno, "getsockname");
 +			if (!ctl.unsolicited) {
 +				if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
 +					error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
 +				if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
 +					error(2, errno, "connect");
 +				if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
 +					error(2, errno, "getsockname");
 +			}
 			ctl.gsrc = saddr.sin_addr;
 		}
 		close(probe_fd);
--- a/bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
+++ b/bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
@ -1,37 +0,0 @@
 From 21d0826711b750367edaf01645aac1d03b3b7611 Mon Sep 17 00:00:00 2001
 From: Sami Kerola <kerolasa@iki.fi>
 Date: Wed, 3 Mar 2021 20:51:18 +0000
 Subject: [PATCH] rdisc: remove PrivateUsers=yes from systemd service file
 Quoting systemd.exec(5) manual page 'Specifically this means that the
 process will have zero process capabilities on the host's user namespace'.
 That does not combine will with CAP_NET_RAW that needs to take effect host's
 namespace.
 Secondly add CapabilityBoundingSet that is will ensure capabilities are
 limited to the one and only capability it needs.
 Fixes: https://github.com/iputils/iputils/issues/314
 Reference: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=
 Signed-off-by: Sami Kerola <kerolasa@iki.fi>
 ---
 systemd/rdisc.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
 index 4e2a1ec..6ef7fc3 100644
 --- a/systemd/rdisc.service.in
 +++ b/systemd/rdisc.service.in
@@ -9,8 +9,8 @@ EnvironmentFile=-/etc/sysconfig/rdisc
 ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
 AmbientCapabilities=CAP_NET_RAW
 +CapabilityBoundingSet=CAP_NET_RAW
 PrivateTmp=yes
 -PrivateUsers=yes
 ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 -- 
 2.23.0
--- a/iputils.spec
+++ b/iputils.spec
@ -1,6 +1,6 @@
 Name:            iputils
 Version:         20190709
-Release:         9
+Release:         5
 Summary:         Network monitoring tools including ping
 License:         BSD and GPLv2+
 URL:             https://github.com/iputils/iputils
@ -16,16 +16,10 @@ Patch100:        iputils-ifenslave.patch
 Patch6000:       0001-iputils-arpings.patch
 Patch6001:       0002-iputils-arpings-count.patch
 Patch6002:       bugfix-arpping-make-update-neighbours-work-again.patch
 Patch6003:       bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
 Patch6004:       backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
 Patch6005:       backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
 Patch6006:       backport-ping6-Avoid-binding-to-non-VRF.patch
 Patch9000:       bugfix-fix-ping-dead-loop.patch
 Patch9001:       bugfix-arping-w-does-not-take-effect.patch
 Patch9002:       bugfix-fix-update-problem.patch
 Patch9003:       backport-fix-clockdiff-is-server-down.patch
 BuildRequires:   gcc meson libidn2-devel openssl-devel libcap-devel libxslt
 BuildRequires:   docbook5-style-xsl systemd glibc-kernheaders gettext
@ -50,15 +44,9 @@ cp %{SOURCE4} %{SOURCE5} .
 %patch100  -p1
 %patch6000 -p1
 %patch6001 -p1
 %patch6002 -p1
 %patch6003 -p1
 %patch6004 -p1
 %patch6005 -p1
 %patch6006 -p1
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
 %patch9003 -p1
 %build
  export CFLAGS="-fpie"
@ -113,32 +101,6 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 %{_mandir}/man8/*.8.gz
 %changelog
 * Sat May 14 2022 yanglu <yanglu72@h-partners.com> - 20190709-9
 - Type:bugfix
 - Id:NA
 - SUG:NA
 - DESC:fix ping6 binding to VRF and address
       Avoid binding to non-VRF
       Fix ARP protocol field for AX.25 and NETROM
 * Mon Dec 27 2021 liugang <liuganga@uniontech.com> - 20190709-8
 - Type:bugfix
 - Id:NA
 - SUG:NA
 - DESC:fix clockdiff is server down
 * Mon May 17 2021 gaihuiying <gaihuiying1@huawei.com> - 20190709-7
 - Type:bugfix
 - Id:NA
 - SUG:NA
 - DESC:sync 21.03 patch to fix rdisc service failed
 * Thu Dec 10 2020 lunankun <lunankun@huawei.com> - 20190709-6
 - Type:bugfix
 - Id:NA
 - SUG:NA
 - DESC: fix arping update neighbours
 * Fri May 22 2020 liaichun <liaichun@huawei.com> - 20190709-5
 - Type:bugfix
 - Id:NA