NEWS: announce legacy iptables/libiptc support will be dropped in v259

nftables is available since kernel 3.13 (released on 19 January 2014). Major distributions have already provided nftables, and marked/called iptables as deprecated or legacy. Moreover, currently, iptables/libiptc backend does not support IPv6. Hence, it is not necessary to keep iptables/libiptc backend anymore. Let's drop it in the next release. Note, fedora/centos have already disabled iptables/libiptc support since v249.
pcrlock: Return positive exit status
2025-10-04 19:24:44 +02:00 · 2025-07-27 09:15:28 +02:00 · 2025-07-27 01:03:13 +01:00 · 2025-07-27 01:00:38 +01:00 · 2025-07-27 00:59:52 +01:00 · 2025-07-27 00:58:02 +01:00
6 changed files with 59 additions and 28 deletions
--- a/4
+++ b/4
@ -170,6 +170,10 @@ CHANGES WITH 258 in spe:
        * The meson option '-Dintegration-tests=' has been deprecated, and will
          be removed in a future release.

+        * The legacy iptables support through libiptc will be removed in v259.
+          Only nftables backend will be supported by systemd-networkd and
+          systemd-nspawn since v259.
+
        Service manager/PID1:

        * The PrivateUsers= unit setting now accepts a new value "full", which
--- a/man/repart.d.xml
+++ b/man/repart.d.xml
@ -623,7 +623,7 @@
        <citerefentry project="url"><refentrytitle url="https://btrfs.readthedocs.io/en/latest/btrfs.html">btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

        <para>Note that this option is only supported in combination with <option>--offline=yes</option>
-        since <filename>btrfs-progs</filename> 6.11 or newer.</para>
+        since <filename>btrfs-progs</filename> 6.12 or newer.</para>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
@ -640,7 +640,7 @@
        </para>

        <para>Note that this option is only supported in combination with <option>--offline=yes</option>
-        since <filename>btrfs-progs</filename> 6.11 or newer.</para>
+        since <filename>btrfs-progs</filename> 6.12 or newer.</para>

        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
      </varlistentry>
--- a/src/locale/localed-util.c
+++ b/src/locale/localed-util.c
@ -9,6 +9,7 @@
 #include "copy.h"
 #include "env-file.h"
 #include "errno-util.h"
+#include "escape.h"
 #include "extract-word.h"
 #include "fd-util.h"
 #include "fileio.h"
@ -60,15 +61,16 @@ static int verify_keymap(const char *keymap, int log_level, sd_bus_error *error)
        assert(keymap);

        r = keymap_exists(keymap); /* This also verifies that the keymap name is kosher. */
+        if (r <= 0) {
+                _cleanup_free_ char *escaped = cescape(keymap);
                if (r < 0) {
                        if (error)
-                        sd_bus_error_set_errnof(error, r, "Failed to check keymap %s: %m", keymap);
-                return log_full_errno(log_level, r, "Failed to check keymap %s: %m", keymap);
+                                sd_bus_error_set_errnof(error, r, "Failed to check keymap %s: %m", strna(escaped));
+                        return log_full_errno(log_level, r, "Failed to check keymap %s: %m", strna(escaped));
                }
-        if (r == 0) {
                if (error)
-                        sd_bus_error_setf(error, SD_BUS_ERROR_FAILED, "Keymap %s is not installed.", keymap);
-                return log_full_errno(log_level, SYNTHETIC_ERRNO(ENOENT), "Keymap %s is not installed.", keymap);
+                        sd_bus_error_setf(error, SD_BUS_ERROR_FAILED, "Keymap %s is not installed.", strna(escaped));
+                return log_full_errno(log_level, SYNTHETIC_ERRNO(ENOENT), "Keymap %s is not installed.", strna(escaped));
        }

        return 0;
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@ -4846,7 +4846,13 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
 }

 static int verb_make_policy(int argc, char *argv[], void *userdata) {
-        return make_policy(arg_force, arg_recovery_pin);
+        int r;
+
+        r = make_policy(arg_force, arg_recovery_pin);
+        if (r < 0)
+                return r;
+
+        return 0;
 }

 static int undefine_policy_nv_index(
@ -5454,4 +5460,4 @@ static int run(int argc, char *argv[]) {
        return pcrlock_main(argc, argv);
 }

-DEFINE_MAIN_FUNCTION(run);
+DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
--- a/test/units/TEST-04-JOURNAL.LogFilterPatterns.sh
+++ b/test/units/TEST-04-JOURNAL.LogFilterPatterns.sh
@ -88,6 +88,22 @@ add_logs_filtering_override "logs-filtering.service" "11-reset" ""
 add_logs_filtering_override "logs-filtering.service" "12-allow-with-spaces" "foo bar"
 [[ -n $(run_service_and_fetch_logs "logs-filtering.service") ]]

+add_logs_filtering_override "logs-filtering.service" "13-reset" ""
+add_logs_filtering_override "logs-filtering.service" "14-exclude-head" "~^Logging"
+[[ -z $(run_service_and_fetch_logs "logs-filtering.service") ]]
+
+add_logs_filtering_override "logs-filtering.service" "15-reset" ""
+add_logs_filtering_override "logs-filtering.service" "16-exclude-head-no-match" "~^foo"
+[[ -n $(run_service_and_fetch_logs "logs-filtering.service") ]]
+
+add_logs_filtering_override "logs-filtering.service" "17-reset" ""
+add_logs_filtering_override "logs-filtering.service" "18-include-head" "^Logging"
+[[ -n $(run_service_and_fetch_logs "logs-filtering.service") ]]
+
+add_logs_filtering_override "logs-filtering.service" "19-reset" ""
+add_logs_filtering_override "logs-filtering.service" "20-include-head-no-match" "^foo"
+[[ -z $(run_service_and_fetch_logs "logs-filtering.service") ]]
+
 add_logs_filtering_override "delegated-cgroup-filtering.service" "00-allow-all" ".*"
 [[ -n $(run_service_and_fetch_logs "delegated-cgroup-filtering.service") ]]

--- a/test/units/TEST-74-AUX-UTILS.socket-activate.sh
+++ b/test/units/TEST-74-AUX-UTILS.socket-activate.sh
@ -6,25 +6,28 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh

-CAT_PID="$(systemd-notify --fork -- systemd-socket-activate -l 1234 --accept --inetd cat)"
+PID="$(systemd-notify --fork -- systemd-socket-activate -l 1234 --accept --inetd cat)"
+assert_in systemd-socket "$(cat /proc/"$PID"/comm)"
 assert_eq "$(echo -n hello | socat - 'TCP:localhost:1234')" hello
-kill "$CAT_PID"
+assert_in systemd-socket "$(cat /proc/"$PID"/comm)"
+kill "$PID"
+wait "$PID" || :

-# Check whether socat's ACCEPT-FD is available (introduced in v1.8)
-systemd-socket-activate -l 1234 --now socat ACCEPT-FD:3 PIPE &
-sleep 1
-jobs >/dev/null
-if kill %% &>/dev/null; then
-    systemd-socket-activate -l 1234 --now socat ACCEPT-FD:3 PIPE &
-    SOCAT_PID="$!"
+PID=$(systemd-notify --fork -- systemd-socket-activate -l 1234 --now socat ACCEPT-FD:3 PIPE)
+for _ in {1..100}; do
+    sleep 0.1
+    if [[ ! -d "/proc/$PID" ]]; then
+        # ACCEPT-FD is available since socat v1.8
+        : "systemd-socket-activate or socat died. Maybe socat does not support ACCEPT-FD. Skipping test."
+        break
+    fi

-    # unfortunately we need to sleep since socket-activate only sends sd_notify when --accept is passed,
-    # so we can't rely on that to avoid a race.
-    sleep 1
-
-    assert_in socat "$(</proc/"$SOCAT_PID"/comm)"
+    if [[ "$(cat /proc/"$PID"/comm || :)" =~ socat ]]; then
        assert_eq "$(echo -n bye | socat - 'TCP:localhost:1234')" bye
-fi
+        wait "$PID" || :
+        break
+    fi
+done

 # --accept is not allowed with --now
 (! systemd-socket-activate -l 1234 --accept --now cat)
Author	SHA1	Message	Date
Yu Watanabe	5c68c51045	NEWS: announce legacy iptables/libiptc support will be dropped in v259 nftables is available since kernel 3.13 (released on 19 January 2014). Major distributions have already provided nftables, and marked/called iptables as deprecated or legacy. Moreover, currently, iptables/libiptc backend does not support IPv6. Hence, it is not necessary to keep iptables/libiptc backend anymore. Let's drop it in the next release. Note, fedora/centos have already disabled iptables/libiptc support since v249.	2025-07-27 09:15:28 +02:00
Valentin David	5e2ad03dd8	pcrlock: Return positive exit status Follow-up for 89e83aada829a6d92e29f321168d2bb1462c678d. `is-supported` expects to return a positive exit status. To achieve that, verb_make_policy() needs to return 0 on success. Finishes the fix for #38019. Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>	2025-07-27 01:03:13 +01:00
Yu Watanabe	7db7b75ab3	TEST-04-JOURNAL: add more test cases for LogFilterPatterns= For issue #38361.	2025-07-27 01:00:38 +01:00
Yu Watanabe	a77506c75f	test: several cleanups for TEST-74-AUX-UTILS.socket-activate.sh - wait after kill, - try --now only once, - ignore error in reading /proc/$PID/comm when --now is set, as the process may be already died. Follow-up for 9e0d0c3fdfe5043d71a8d54f1e6fcc152fbc3e58. Hopefully fixes #38352.	2025-07-27 00:59:52 +01:00
Yu Watanabe	0464222aed	locale: escape invalid keymap on logging The keymap string may come from dbus method and may contain invalid characters.	2025-07-27 00:58:02 +01:00
Yu Watanabe	e9eaa66ed8	man/repart: fix the required btrfs-progs version Follow-up for 12c29e5b3a1d9294f2a1c0a4a83335fa23c272b8. Prompted by #38355.	2025-07-27 00:56:28 +01:00