Cherry-Pick ipTables related fixes to fasttrack. (#12016)

microsoft · Jan 22, 2025 · 92e5370 · 92e5370
2 parents fa62dba + 1e978ac
commit 92e5370
Show file tree

Hide file tree

Showing 26 changed files with 120 additions and 55 deletions.
diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec
@@ -6,8 +6,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-64k-signed-%{buildarch}
-Version:        6.6.57.1
-Release:        7%{?dist}
+Version:        6.6.64.2
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -105,6 +105,12 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Thu Jan 09 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.64.2-1
+- Auto-upgrade to 6.6.64.2
+
+* Wed Jan 08 2025 Tobias Brick <[email protected]> - 6.6.57.1-8
+- Bump release to match kernel
+
 * Sun Dec 22 2024 Ankita Pareek <[email protected]> - 6.6.57.1-7
 - Bump release to match kernel
 

diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        6.6.57.1
-Release:        7%{?dist}
+Version:        6.6.64.2
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,12 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Thu Jan 09 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.64.2-1
+- Auto-upgrade to 6.6.64.2
+
+* Wed Jan 08 2025 Tobias Brick <[email protected]> - 6.6.57.1-8
+- Bump release to match kernel
+
 * Sun Dec 22 2024 Ankita Pareek <[email protected]> - 6.6.57.1-7
 - Bump release to match kernel
 

diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
@@ -5,8 +5,8 @@
 %define kernelver %{version}-%{release}
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
-Version:        6.6.57.1
-Release:        7%{?dist}
+Version:        6.6.64.2
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -68,6 +68,12 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Thu Jan 09 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.64.2-1
+- Auto-upgrade to 6.6.64.2
+
+* Wed Jan 08 2025 Tobias Brick <[email protected]> - 6.6.57.1-8
+- Bump release to match kernel
+
 * Sun Dec 22 2024 Ankita Pareek <[email protected]> - 6.6.57.1-7
 - Bump release to match kernel
 

diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
@@ -7,6 +7,6 @@
     "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
     "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
     "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-    "kernel-6.6.57.1.tar.gz": "1b967b2dd19d13561fb28c5cf05fd35b8990a2ea70cc802c33d8dd1297a6fee3"
+    "kernel-6.6.64.2.tar.gz": "8b19b1d4db4add880154d1bf563625efc1b5f52e20792fc6e2628d63b74eb393"
   }
 }
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec
@@ -10,7 +10,7 @@
 
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        6.6.57.1
+Version:        6.6.64.2
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@@ -221,6 +221,9 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Thu Jan 09 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.64.2-1
+- Auto-upgrade to 6.6.64.2
+
 * Tue Oct 29 2024 CBL-Mariner Servicing Account <[email protected]> - 6.6.57.1-1
 - Auto-upgrade to 6.6.57.1
 

diff --git a/SPECS/iptables/iptables.conf b/SPECS/iptables/iptables.conf
@@ -0,0 +1,11 @@
+ip_tables
+iptable_filter
+iptable_mangle
+iptable_nat
+iptable_security
+ip6_tables
+ip6table_filter
+ip6table_mangle
+ip6table_nat
+ebt_ip
+nf_nat
diff --git a/SPECS/iptables/iptables.signatures.json b/SPECS/iptables/iptables.signatures.json
@@ -5,6 +5,7 @@
   "iptables": "a1981d0e5a7e6b0546d17fcddb5bdc6b639a136b5c2f7f2b2b54d18a41b3d6ac",
   "iptables-1.8.10.tar.xz": "5cc255c189356e317d070755ce9371eb63a1b783c34498fb8c30264f3cc59c9c",
   "iptables.service": "40c2a272a6abb4d3e50ff9ae83cedaa241ad5963f27cb5aee113d15597553620",
-  "iptables.stop": "749be754470183b3edf69ff53109806a81e0b4c4578858faf96d23d59966ef5d"
+  "iptables.stop": "749be754470183b3edf69ff53109806a81e0b4c4578858faf96d23d59966ef5d",
+  "iptables.conf": "9e5c56a57c320c264c8a31a41caa32afa797672b52b4fbb0664b7a82218fef11"
  }
 }
diff --git a/SPECS/iptables/iptables.spec b/SPECS/iptables/iptables.spec
@@ -1,7 +1,7 @@
 Summary:        Linux kernel packet control tool
 Name:           iptables
 Version:        1.8.10
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,6 +13,7 @@ Source2:        iptables
 Source3:        iptables.stop
 Source4:        ip4save
 Source5:        ip6save
+Source6:        iptables.conf
 BuildRequires:  jansson-devel
 BuildRequires:  libmnl-devel
 BuildRequires:  libnftnl-devel
@@ -54,6 +55,9 @@ It contains the libraries and header files to create applications.
 %install
 %make_install
 
+# Create the /etc/modules-load.d directory if it doesn't exist
+install -vdm755 %{buildroot}/etc/modules-load.d
+
 #   Install daemon scripts
 install -vdm755 %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE1} %{buildroot}%{_unitdir}
@@ -62,6 +66,7 @@ install -m 755 %{SOURCE2} %{buildroot}%{_sysconfdir}/systemd/scripts
 install -m 755 %{SOURCE3} %{buildroot}%{_sysconfdir}/systemd/scripts
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/systemd/scripts
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/systemd/scripts
+install -m 644 %{SOURCE6} %{buildroot}/etc/modules-load.d
 
 find %{buildroot} -name '*.a'  -delete
 find %{buildroot} -type f -name "*.la" -delete -print
@@ -123,6 +128,7 @@ fi
 /usr/share/xtables/iptables.xslt
 %ghost %{_sbindir}/ip{,6}tables{,-save,-restore}
 %ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
+/etc/modules-load.d/iptables.conf
 
 %files devel
 %{_libdir}/*.so
@@ -131,6 +137,9 @@ fi
 %{_mandir}/man3/*
 
 %changelog
+* Thu Jan 16 2025 Dallas Delaney <[email protected]> - 1.8.10-4
+- Add back kernel modules that were removed by enabling nftables
+
 * Tue Nov 12 2024 Sumedh Sharma <[email protected]> - 1.8.10-3
 - Enable nftables and use alternatives.
 

diff --git a/SPECS/kernel-64k/config_aarch64 b/SPECS/kernel-64k/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.6.57.1 Kernel Configuration
+# Linux/arm64 6.6.64.2 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
 CONFIG_CC_IS_GCC=y
@@ -529,7 +529,6 @@ CONFIG_ARM64_EPAN=y
 # end of ARMv8.7 architectural features
 
 CONFIG_ARM64_SVE=y
-CONFIG_ARM64_SME=y
 CONFIG_ARM64_PSEUDO_NMI=y
 # CONFIG_ARM64_DEBUG_PRIORITY_MASKING is not set
 CONFIG_RELOCATABLE=y
@@ -8770,10 +8769,8 @@ CONFIG_COMMON_CLK_MT8192=y
 # CONFIG_COMMON_CLK_MT8192_VENCSYS is not set
 CONFIG_COMMON_CLK_MT8195=y
 CONFIG_COMMON_CLK_MT8195_APUSYS=y
-CONFIG_COMMON_CLK_MT8195_AUDSYS=y
 CONFIG_COMMON_CLK_MT8195_IMP_IIC_WRAP=y
 CONFIG_COMMON_CLK_MT8195_MFGCFG=y
-CONFIG_COMMON_CLK_MT8195_MSDC=y
 CONFIG_COMMON_CLK_MT8195_SCP_ADSP=y
 CONFIG_COMMON_CLK_MT8195_VDOSYS=y
 CONFIG_COMMON_CLK_MT8195_VPPSYS=y
@@ -10411,6 +10408,8 @@ CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_SECURITY_LANDLOCK=y
 CONFIG_SECURITY_IPE=y
 CONFIG_IPE_BOOT_POLICY=""
+CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING=y
+CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING=y
 
 #
 # IPE Trust Providers
@@ -10419,7 +10418,6 @@ CONFIG_IPE_PROP_DM_VERITY=y
 CONFIG_IPE_PROP_DM_VERITY_SIGNATURE=y
 CONFIG_IPE_PROP_FS_VERITY=y
 CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y
-CONFIG_IPE_PROP_INTENDED_PATHNAME=y
 # end of IPE Trust Providers
 
 CONFIG_INTEGRITY=y
@@ -10550,7 +10548,8 @@ CONFIG_CRYPTO_ENGINE=y
 # Public-key cryptography
 #
 CONFIG_CRYPTO_RSA=y
-# CONFIG_CRYPTO_DH is not set
+CONFIG_CRYPTO_DH=m
+# CONFIG_CRYPTO_DH_RFC7919_GROUPS is not set
 CONFIG_CRYPTO_ECC=m
 CONFIG_CRYPTO_ECDH=m
 # CONFIG_CRYPTO_ECDSA is not set

diff --git a/SPECS/kernel-64k/kernel-64k.signatures.json b/SPECS/kernel-64k/kernel-64k.signatures.json
@@ -1,10 +1,10 @@
 {
   "Signatures": {
     "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
-    "config_aarch64": "2e511edb6a5a6236c6f7307f070df422bd6032b1e572f8f44ef4134ecea7d5b7",
+    "config_aarch64": "6f1c7d15f41c38d45b131e3fd33fa4161f732e4afa1c47fbb2aaea078fbb3183",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
-    "kernel-6.6.57.1.tar.gz": "1b967b2dd19d13561fb28c5cf05fd35b8990a2ea70cc802c33d8dd1297a6fee3"
+    "kernel-6.6.64.2.tar.gz": "8b19b1d4db4add880154d1bf563625efc1b5f52e20792fc6e2628d63b74eb393"
   }
 }
diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec
@@ -24,8 +24,8 @@
 
 Summary:        Linux Kernel
 Name:           kernel-64k
-Version:        6.6.57.1
-Release:        7%{?dist}
+Version:        6.6.64.2
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -370,6 +370,13 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Thu Jan 09 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.64.2-1
+- Auto-upgrade to 6.6.64.2
+
+* Wed Jan 08 2025 Tobias Brick <[email protected]> - 6.6.57.1-8
+- Enable dh kernel module (CONFIG_CRYPTO_DH) in aarch64
+- Bump release to match kernel
+
 * Sun Dec 22 2024 Ankita Pareek <[email protected]> - 6.6.57.1-7
 - Bump release to match kernel
 

diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json
@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "kernel-6.6.57.1.tar.gz": "1b967b2dd19d13561fb28c5cf05fd35b8990a2ea70cc802c33d8dd1297a6fee3"
+    "kernel-6.6.64.2.tar.gz": "8b19b1d4db4add880154d1bf563625efc1b5f52e20792fc6e2628d63b74eb393"
   }
 }
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
@@ -13,8 +13,8 @@
 
 Summary:        Linux API header files
 Name:           kernel-headers
-Version:        6.6.57.1
-Release:        7%{?dist}
+Version:        6.6.64.2
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -75,6 +75,12 @@ done
 %endif
 
 %changelog
+* Thu Jan 09 2025 CBL-Mariner Servicing Account <[email protected]> - 6.6.64.2-1
+- Auto-upgrade to 6.6.64.2
+
+* Wed Jan 08 2025 Tobias Brick <[email protected]> - 6.6.57.1-8
+- Bump release to match kernel
+
 * Sun Dec 22 2024 Ankita Pareek <[email protected]> - 6.6.57.1-7
 - Bump release to match kernel
 

diff --git a/SPECS/kernel/config b/SPECS/kernel/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 6.6.57.1 Kernel Configuration
+# Linux/x86_64 6.6.64.2 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
 CONFIG_CC_IS_GCC=y
@@ -507,7 +507,6 @@ CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_DYNAMIC_MEMORY_LAYOUT=y
 CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
-# CONFIG_ADDRESS_MASKING is not set
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_COMPAT_VDSO is not set
 # CONFIG_LEGACY_VSYSCALL_XONLY is not set
@@ -7366,6 +7365,8 @@ CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_SECURITY_LANDLOCK=y
 CONFIG_SECURITY_IPE=y
 CONFIG_IPE_BOOT_POLICY=""
+CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING=y
+CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING=y
 
 #
 # IPE Trust Providers
@@ -7374,7 +7375,6 @@ CONFIG_IPE_PROP_DM_VERITY=y
 CONFIG_IPE_PROP_DM_VERITY_SIGNATURE=y
 CONFIG_IPE_PROP_FS_VERITY=y
 CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y
-CONFIG_IPE_PROP_INTENDED_PATHNAME=y
 # end of IPE Trust Providers
 
 CONFIG_INTEGRITY=y

diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.6.57.1 Kernel Configuration
+# Linux/arm64 6.6.64.2 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
 CONFIG_CC_IS_GCC=y
@@ -527,7 +527,6 @@ CONFIG_ARM64_EPAN=y
 # end of ARMv8.7 architectural features
 
 CONFIG_ARM64_SVE=y
-CONFIG_ARM64_SME=y
 CONFIG_ARM64_PSEUDO_NMI=y
 # CONFIG_ARM64_DEBUG_PRIORITY_MASKING is not set
 CONFIG_RELOCATABLE=y
@@ -8777,10 +8776,8 @@ CONFIG_COMMON_CLK_MT8192=y
 # CONFIG_COMMON_CLK_MT8192_VENCSYS is not set
 CONFIG_COMMON_CLK_MT8195=y
 CONFIG_COMMON_CLK_MT8195_APUSYS=y
-CONFIG_COMMON_CLK_MT8195_AUDSYS=y
 CONFIG_COMMON_CLK_MT8195_IMP_IIC_WRAP=y
 CONFIG_COMMON_CLK_MT8195_MFGCFG=y
-CONFIG_COMMON_CLK_MT8195_MSDC=y
 CONFIG_COMMON_CLK_MT8195_SCP_ADSP=y
 CONFIG_COMMON_CLK_MT8195_VDOSYS=y
 CONFIG_COMMON_CLK_MT8195_VPPSYS=y
@@ -10421,6 +10418,8 @@ CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
 CONFIG_SECURITY_LANDLOCK=y
 CONFIG_SECURITY_IPE=y
 CONFIG_IPE_BOOT_POLICY=""
+CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING=y
+CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING=y
 
 #
 # IPE Trust Providers
@@ -10429,7 +10428,6 @@ CONFIG_IPE_PROP_DM_VERITY=y
 CONFIG_IPE_PROP_DM_VERITY_SIGNATURE=y
 CONFIG_IPE_PROP_FS_VERITY=y
 CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y
-CONFIG_IPE_PROP_INTENDED_PATHNAME=y
 # end of IPE Trust Providers
 
 CONFIG_INTEGRITY=y
@@ -10560,7 +10558,8 @@ CONFIG_CRYPTO_ENGINE=y
 # Public-key cryptography
 #
 CONFIG_CRYPTO_RSA=y
-# CONFIG_CRYPTO_DH is not set
+CONFIG_CRYPTO_DH=m
+# CONFIG_CRYPTO_DH_RFC7919_GROUPS is not set
 CONFIG_CRYPTO_ECC=m
 CONFIG_CRYPTO_ECDH=m
 # CONFIG_CRYPTO_ECDSA is not set