sync some patches from openEuler-22.03-LTS

(cherry picked from commit 6ec561616acacf6be5c530256227380a2d1ea0b1)

backport-Improve-error-messages-for-unsupported-extensions.patch

@@ -0,0 +1,90 @@
+From 17534cb18ed0a5052dc45c117401251359dba6aa Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Feb 2022 17:47:22 +0100
+Subject: Improve error messages for unsupported extensions
+
+If a given extension was not supported by the kernel, iptables would
+print a rather confusing error message if extension parameters were
+given:
+
+| # rm /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LOG.ko
+| # iptables -A FORWARD -j LOG --log-prefix foo
+| iptables v1.8.7 (legacy): unknown option "--log-prefix"
+
+Avoid this by pretending extension revision 0 is always supported. It is
+the same hack as used to successfully print extension help texts as
+unprivileged user, extended to all error codes to serve privileged ones
+as well.
+
+In addition, print a warning if kernel rejected revision 0 and it's not
+a permissions problem. This helps users find out which extension in a
+rule the kernel didn't like.
+
+Finally, the above commands result in these messages:
+
+| Warning: Extension LOG revision 0 not supported, missing kernel
+module?
+| iptables: No chain/target/match by that name.
+
+Or, for iptables-nft:
+
+| Warning: Extension LOG revision 0 not supported, missing kernel
+module?
+| iptables v1.8.7 (nf_tables):  RULE_APPEND failed (No such file or
+directory): rule in chain FORWARD
+
+Conflict: NA
+Reference:
+https://git.netfilter.org/iptables/commit/?id=17534cb18ed0a5052dc45c117401251359dba6aa
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft.c       | 13 +++++++++----
+ libxtables/xtables.c |  7 ++++++-
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index c9a4940..18bf21c 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3245,11 +3245,16 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
+ err:
+ 	mnl_socket_close(nl);
+ 
+-    /* pretend revision 0 is valid if not permitted to check -
+-    * this is required for printing extension help texts as user */
+-    if (ret < 0 && errno == EPERM && rev == 0)
++   /* pretend revision 0 is valid -
++    * this is required for printing extension help texts as user, also
++    * helps error messaging on unavailable kernel extension */
++    if (ret < 0 && rev == 0) {
++        if (errno != EPERM)
++            fprintf(stderr,
++                "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
++                name);
+         return 1;
+-
++    }
+ 	return ret < 0 ? 0 : 1;
+ }
+ 
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index bc42ba8..1f585e5 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -923,7 +923,12 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
+ 		/* Definitely don't support this? */
+ 		if (errno == ENOENT || errno == EPROTONOSUPPORT) {
+ 			close(sockfd);
+-			return 0;
++               /* Pretend revision 0 support for better error messaging */
++               if (revision == 0)
++                   fprintf(stderr,
++                       "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
++                       name);
++               return (revision == 0);
+ 		} else if (errno == ENOPROTOOPT) {
+ 			close(sockfd);
+ 			/* Assume only revision 0 support (old kernel) */
+-- 
+2.23.0
+

backport-libxtables-Register-only-the-highest-revision-extension.patch

@@ -0,0 +1,64 @@
+From 2dbb49d15fb44ddd521a734eca3be3f940b7c1ba Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Feb 2022 17:39:24 +0100
+Subject: libxtables: Register only the highest revision extension
+
+When fully registering extensions, ignore all consecutive ones with same
+name and family value. Since commit b3ac87038f4e4 ("libxtables: Make
+sure extensions register in revision order"), one may safely assume the
+list of pending extensions has highest revision numbers first. Since
+iptables is only interested in the highest revision the kernel supports,
+registration and compatibility checks may be skipped once the first
+matching extension in pending list has validated.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit/?id=2dbb49d15fb44ddd521a734eca3be3f940b7c1ba
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ libxtables/xtables.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 50fd6a44..b34d62ac 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -697,6 +697,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ 	struct xtables_match **dptr;
+ 	struct xtables_match *ptr;
+ 	const char *icmp6 = "icmp6";
++	bool found = false;
+ 
+ 	if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
+ 		xtables_error(PARAMETER_PROBLEM,
+@@ -715,7 +716,9 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ 		if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ 			ptr = *dptr;
+ 			*dptr = (*dptr)->next;
+-			if (xtables_fully_register_pending_match(ptr, prev)) {
++			if (!found &&
++			    xtables_fully_register_pending_match(ptr, prev)) {
++				found = true;
+ 				prev = ptr;
+ 				continue;
+ 			} else if (prev) {
+@@ -817,6 +820,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ 	struct xtables_target *prev = NULL;
+ 	struct xtables_target **dptr;
+ 	struct xtables_target *ptr;
++	bool found = false;
+ 
+ 	/* Standard target? */
+ 	if (strcmp(name, "") == 0
+@@ -831,7 +835,9 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ 		if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ 			ptr = *dptr;
+ 			*dptr = (*dptr)->next;
+-			if (xtables_fully_register_pending_target(ptr, prev)) {
++			if (!found &&
++			    xtables_fully_register_pending_target(ptr, prev)) {
++				found = true;
+ 				prev = ptr;
+ 				continue;
+ 			} else if (prev) {
+-- 
+cgit v1.2.3

backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch

@@ -0,0 +1,95 @@
+From 0257293c68913dd5993c1cac44f2ee80af6d9792 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 26 Aug 2022 16:53:52 +0200
+Subject: [PATCH] nft: Expand extended error reporting to nft_cmd, too
+
+Introduce the same embedded 'error' struct in nft_cmd and initialize it
+with the current value from nft_handle. Then in preparation phase,
+update nft_handle's error.lineno with the value from the current
+nft_cmd.
+
+This serves two purposes:
+
+* Allocated batch objects (obj_update) get the right lineno value
+  instead of the COMMIT one.
+
+* Any error during preparation may be reported with line number. Do this
+  and change the relevant fprintf() call to use nft_handle's lineno
+  instead of the global 'line' variable.
+
+With this change, cryptic iptables-nft-restore error messages should
+finally be gone:
+
+| # iptables-nft-restore <<EOF
+| *filter
+| -A nonexist
+| COMMIT
+| EOF
+| iptables-nft-restore: line 2 failed: No chain/target/match by that name.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=0257293c68913dd5993c1cac44f2ee80af6d9792
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft-cmd.c         | 1 +
+ iptables/nft-cmd.h         | 3 +++
+ iptables/nft.c             | 2 ++
+ iptables/xtables-restore.c | 2 +-
+ 4 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 9b0c964..f026c62 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -26,6 +26,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 	if (!cmd)
+ 		return NULL;
+ 
++	cmd->error.lineno = h->error.lineno;
+ 	cmd->command = command;
+ 	cmd->table = strdup(table);
+ 	if (chain)
+diff --git a/iptables/nft-cmd.h b/iptables/nft-cmd.h
+index ecf7655..3caa3ed 100644
+--- a/iptables/nft-cmd.h
++++ b/iptables/nft-cmd.h
+@@ -24,6 +24,9 @@ struct nft_cmd {
+ 	struct xt_counters		counters;
+ 	const char			*rename;
+ 	int				counters_save;
++	struct {
++		unsigned int		lineno;
++	} error;
+ };
+ 
+ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 3e24c86..996d5bc 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3050,6 +3050,8 @@ static int nft_prepare(struct nft_handle *h)
+ 	nft_cache_build(h);
+ 
+ 	list_for_each_entry_safe(cmd, next, &h->cmd_list, head) {
++		h->error.lineno = cmd->error.lineno;
++		
+ 		switch (cmd->command) {
+ 		case NFT_COMPAT_TABLE_FLUSH:
+ 			ret = nft_table_flush(h, cmd->table);
+diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
+index d273949..abeaf76 100644
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -248,7 +248,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
+ 		return;
+ 	if (!ret) {
+ 		fprintf(stderr, "%s: line %u failed\n",
+-				xt_params->program_name, line);
++				xt_params->program_name, h->error.lineno);
+ 		exit(1);
+ 	}
+ }
+-- 
+2.33.0
+

backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch

@@ -0,0 +1,69 @@
+From 8468fd4f7c85c21ab375402bc80d0188412b6cbf Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 4 May 2022 11:19:16 +0200
+Subject: nft: Fix EPERM handling for extensions without rev 0
+
+Treating revision 0 as compatible in EPERM case works fine as long as
+there is a revision 0 of that extension defined in DSO. Fix the code for
+others: Extend the EPERM handling to all revisions and keep the existing
+warning for revision 0.
+
+Conflict: NA
+Reference:
+https://git.netfilter.org/iptables/commit/?id=8468fd4f7c85c21ab375402bc80d0188412b6cbf
+Fixes: 17534cb18ed0a ("Improve error messages for unsupported
+extensions")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft.c                                        | 11 +++++++----
+ .../shell/testcases/iptables/0008-unprivileged_0      |  7 +++++++
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 18bf21c..ebab3cc 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3245,15 +3245,18 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
+ err:
+ 	mnl_socket_close(nl);
+ 
+-   /* pretend revision 0 is valid -
++    /* ignore EPERM and errors for revision 0 -
+     * this is required for printing extension help texts as user, also
+     * helps error messaging on unavailable kernel extension */
+-    if (ret < 0 && rev == 0) {
+-        if (errno != EPERM)
++    if (ret < 0) {
++        if (errno == EPERM)
++            return 1;
++        if (rev == 0) {
+             fprintf(stderr,
+                 "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
+                 name);
+-        return 1;
++            return 1;
++        }
+     }
+ 	return ret < 0 ? 0 : 1;
+ }
+diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+index 0914c88..1f1d342 100644
+--- a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
++++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+@@ -34,6 +34,13 @@ let "rc+=$?"
+ grep_or_rc "DNAT target options:" <<< "$out"
+ let "rc+=$?"
+ 
++# TEE has no revision 0
++out=$(run $XT_MULTI iptables -j TEE --help)
++let "rc+=$?"
++grep_or_rc "TEE target options:" <<< "$out"
++let "rc+=$?"
++
++
+ out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
+ let "rc+=$?"
+ grep_or_rc "tcp match options:" <<< "$out"
+-- 
+2.23.0
+

backport-xshared-Fix-response-to-unprivileged-users.patch

@@ -0,0 +1,130 @@
+From 26ecdf53960658771c0fc582f72a4025e2887f75 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 18 Jan 2022 22:39:08 +0100
+Subject: xshared: Fix response to unprivileged users
+
+Expected behaviour in both variants is:
+
+* Print help without error, append extension help if -m and/or -j
+  options are present
+* Indicate lack of permissions in an error message for anything else
+
+With iptables-nft, this was broken basically from day 1. Shared use of
+do_parse() then somewhat broke legacy: it started complaining about
+inability to create a lock file.
+
+Fix this by making iptables-nft assume extension revision 0 is present
+if permissions don't allow to verify. This is consistent with legacy.
+
+Second part is to exit directly after printing help - this avoids having
+to make the following code "nop-aware" to prevent privileged actions.
+
+Conflict: NA
+Reference:
+https://git.netfilter.org/iptables/commit/?id=26ecdf53960658771c0fc582f72a4025e2887f75
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+---
+ iptables/nft.c                                |  5 ++
+ .../testcases/iptables/0008-unprivileged_0    | 59 +++++++++++++++++++
+ iptables/xtables.c                            |  2 +-
+ 3 files changed, 65 insertions(+), 1 deletion(-)
+ create mode 100644 iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index bde4ca7..c9a4940 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3245,6 +3245,11 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
+ err:
+ 	mnl_socket_close(nl);
+ 
++    /* pretend revision 0 is valid if not permitted to check -
++    * this is required for printing extension help texts as user */
++    if (ret < 0 && errno == EPERM && rev == 0)
++        return 1;
++
+ 	return ret < 0 ? 0 : 1;
+ }
+ 
+diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+new file mode 100644
+index 0000000..0914c88
+--- /dev/null
++++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+@@ -0,0 +1,59 @@
++#!/bin/bash
++# iptables may print match/target specific help texts
++# help output should work for unprivileged users
++
++run() {
++   echo "running: $*" >&2
++   runuser -u nobody -- "$@"
++}
++
++grep_or_rc() {
++   declare -g rc
++   grep -q "$*" && return 0
++   echo "missing in output: $*" >&2
++   return 1
++}
++
++out=$(run $XT_MULTI iptables --help)
++let "rc+=$?"
++grep_or_rc "iptables -h (print this help information)" <<< "$out"
++let "rc+=$?"
++
++out=$(run $XT_MULTI iptables -m limit --help)
++let "rc+=$?"
++grep_or_rc "limit match options:" <<< "$out"
++let "rc+=$?"
++
++out=$(run $XT_MULTI iptables -p tcp --help)
++let "rc+=$?"
++grep_or_rc "tcp match options:" <<< "$out"
++let "rc+=$?"
++
++out=$(run $XT_MULTI iptables -j DNAT --help)
++let "rc+=$?"
++grep_or_rc "DNAT target options:" <<< "$out"
++let "rc+=$?"
++
++out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
++let "rc+=$?"
++grep_or_rc "tcp match options:" <<< "$out"
++let "rc+=$?"
++out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
++let "rc+=$?"
++grep_or_rc "DNAT target options:" <<< "$out"
++let "rc+=$?"
++
++
++run $XT_MULTI iptables -L 2>&1 | \
++       grep_or_rc "Permission denied"
++let "rc+=$?"
++
++run $XT_MULTI iptables -A FORWARD -p tcp --dport 123 2>&1 | \
++       grep_or_rc "Permission denied"
++let "rc+=$?"
++
++run $XT_MULTI iptables -A FORWARD -j DNAT --to-destination 1.2.3.4 2>&1 | \
++       grep_or_rc "Permission denied"
++let "rc+=$?"
++
++exit $rc
+diff --git a/iptables/xtables.c b/iptables/xtables.c
+index 9779bd8..a16bba7 100644
+--- a/iptables/xtables.c
++++ b/iptables/xtables.c
+@@ -645,7 +645,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
+ 
+ 			printhelp(cs->matches);
+ 			p->command = CMD_NONE;
+-			return;
++			exit(0);
+ 
+ 			/*
+ 			 * Option selection
+-- 
+2.23.0
+

backport-xtables-restore-Extend-failure-error-message.patch

@@ -0,0 +1,44 @@
+From c70a33d219ccb43e6f59aa1b9bbab5dcb13f3443 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 25 Aug 2022 11:53:04 +0200
+Subject: [PATCH] xtables-restore: Extend failure error message
+
+If a line causes zero 'ret' value and errno is set, call nft_strerror()
+for a more detailed error message. While not perfect, it helps with
+debugging ominous "line NN failed" messages pointing at COMMIT:
+
+| # iptables-nft-restore <<EOF
+| *filter
+| -A nonexist
+| COMMIT
+| EOF
+| iptables-nft-restore: line 3 failed: No chain/target/match by that name.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=c70a33d219ccb43e6f59aa1b9bbab5dcb13f3443
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/xtables-restore.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
+index abeaf76..5940e9a 100644
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -247,8 +247,11 @@ static void xtables_restore_parse_line(struct nft_handle *h,
+ 	    (strcmp(p->tablename, state->curtable->name) != 0))
+ 		return;
+ 	if (!ret) {
+-		fprintf(stderr, "%s: line %u failed\n",
++		fprintf(stderr, "%s: line %u failed",
+ 				xt_params->program_name, h->error.lineno);
++		if (errno)
++			fprintf(stderr,	": %s.", nft_strerror(errno));
++		fprintf(stderr, "\n");
+ 		exit(1);
+ 	}
+ }
+-- 
+2.33.0
+

enabled-makecheck-in-extensions.patch

@@ -0,0 +1,35 @@
+From 54c670ada541aa61ab9ab7907ab245718137efb8 Mon Sep 17 00:00:00 2001
+From: huangyu <huangyu106@huawei.com>
+Date: Sat, 26 Nov 2022 18:08:31 +0800
+Subject: [PATCH] enable makecheck in extensions
+
+Signed-off-by: huangyu <huangyu106@huawei.com>
+---
+ extensions/GNUmakefile.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index 956ccb3..70515c4 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -79,7 +79,7 @@ targets_install :=
+ 
+ .SECONDARY:
+ 
+-.PHONY: all install uninstall clean distclean FORCE
++.PHONY: all install uninstall check clean distclean FORCE
+ 
+ all: ${targets}
+ 
+@@ -105,6 +105,8 @@ uninstall:
+ 		rmdir -p --ignore-fail-on-non-empty "$$dir"; \
+ 	}
+ 
++check:
++
+ clean:
+ 	rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c initextb.c initexta.c;
+ 	rm -f .*.d .*.dd;
+-- 
+2.23.0
+

iptables.spec

@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name:		  iptables
 Version:	  1.8.7
-Release:	  8
+Release:	  11
 Summary:	  IP packet filter administration utilities
 License:	  GPLv2 and Artistic Licence 2.0 and ISC
 URL:		  https://www.netfilter.org/
@@ -15,6 +15,13 @@ Source5:          sysconfig_ip6tables
 
 Patch0:		  bugfix-add-check-fw-in-entry.patch
 Patch1:           tests-extensions-add-some-testcases.patch
+Patch2:           backport-xshared-Fix-response-to-unprivileged-users.patch
+Patch3:           backport-Improve-error-messages-for-unsupported-extensions.patch
+Patch4:           backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
+Patch5:           backport-libxtables-Register-only-the-highest-revision-extension.patch
+Patch6:           backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
+Patch7:           backport-xtables-restore-Extend-failure-error-message.patch
+Patch8:           enabled-makecheck-in-extensions.patch
 
 BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
 BuildRequires:    libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@@ -79,6 +86,9 @@ rm -f include/linux/types.h
 
 %make_build
 
+%check
+make check
+
 %install
 %make_install 
 
@@ -320,6 +330,24 @@ fi
 %{_mandir}/man8/xtables-legacy*
 
 %changelog
+* Wed Nov 30 2022 huangyu <huangyu106@huawei.com> - 1.8.7-11
+- Type:feature
+- ID:NA
+- SUG:NA
+- DESC:enabled DT test
+
+* Mon Nov 21 2022 huangyu <huangyu106@huawei.com> - 1.8.7-10
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:add some patches
+
+* Thu Sep 29 2022 huangyu <huangyu106@huawei.com> - 1.8.7-9
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:add some patches
+
 * Fri Jul 01 2022 xingwei <xingwei14@h-partners.com> - 1.8.7-8
 - Type:bugfix
 - ID:NA