From 08d57e3b000344aa0946a646eae78cbda3072567 Mon Sep 17 00:00:00 2001 
From: Phil Sutter Date: Fri, 13 May 2022 17:53:42 +0200 Subject: [PATCH] iptables-1.8.8-1.el9 - new version Resolves: rhbz#2084543 --- .gitignore | 1 + ...ion-notices-to-all-relevant-man-page.patch | 22 +- ...it-gracefully-on-invalid-table-names.patch | 51 -- ...RK-Use-a-better-context-in-test-case.patch | 2 +- ...late-Fix-translation-of-odd-netmasks.patch | 196 ------- 0003-Eliminate-inet_aton-and-inet_ntoa.patch | 120 ---- ...Fix-build-for-Werror-format-security.patch | 29 + ...-arp-Make-use-of-ipv4_addr_to_string.patch | 181 ------ ...leftover-variable-in-xtables_numeric.patch | 33 -- ...ons-libebt_ip6-Drop-unused-variables.patch | 49 -- ...-Fix-memleak-in-xtopt_parse_hostmask.patch | 29 - ...memleak-in-error-path-of-nft_cmd_new.patch | 34 -- ...er-size-warnings-copying-iface-names.patch | 56 -- ...-iptables-apply-Drop-unused-variable.patch | 29 - ...-libebt_ip6-Use-xtables_ip6parse_any.patch | 109 ---- ...duce-xtables_strdup-and-use-it-every.patch | 554 ------------------ ..._string-Avoid-buffer-size-warning-fo.patch | 31 - 0014-iptables-nft-fix-Z-option.patch | 104 ---- ...twise-expression-avoidance-detection.patch | 73 --- ...nsions-sctp-Fix-nftables-translation.patch | 80 --- ...nft-cache-Sort-chains-on-demand-only.patch | 211 ------- ...CH_PAGE_SIZE-to-support-huge-ruleset.patch | 56 -- ...bles_malloc-in-mnl_err_list_node_add.patch | 31 - ....8-Adjust-for-missing-atomic-options.patch | 130 ---- 0022-ebtables-Dump-atomic-waste.patch | 102 ---- ...ft-Fix-for-non-verbose-check-command.patch | 31 - ...ll-Assert-non-verbose-mode-is-silent.patch | 39 -- ...ensions-SECMARK-Implement-revision-1.patch | 177 ------ 0027-nft-Simplify-immediate-parsing.patch | 199 ------- 0028-nft-Speed-up-immediate-parsing.patch | 119 ---- ...tables_chain_protos-lookup-over-getp.patch | 104 ---- ...-xshared-Merge-and-share-parse_chain.patch | 164 ------ ...ard-targets-as-chain-names-when-rest.patch | 113 ---- ...ables-Implement-notargets-hash-table.patch | 140 ----- 
...-rule-target-checks-by-announcing-ch.patch | 86 --- ..._to_name-from-xshared-in-more-places.patch | 156 ----- iptables.spec | 46 +- sources | 2 +- 38 files changed, 52 insertions(+), 3637 deletions(-) rename 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch => 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch (95%) delete mode 100644 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch rename 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch => 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch (92%) delete mode 100644 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch delete mode 100644 0003-Eliminate-inet_aton-and-inet_ntoa.patch create mode 100644 0003-xshared-Fix-build-for-Werror-format-security.patch delete mode 100644 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch delete mode 100644 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch delete mode 100644 0006-extensions-libebt_ip6-Drop-unused-variables.patch delete mode 100644 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch delete mode 100644 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch delete mode 100644 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch delete mode 100644 0010-iptables-apply-Drop-unused-variable.patch delete mode 100644 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch delete mode 100644 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch delete mode 100644 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch delete mode 100644 0014-iptables-nft-fix-Z-option.patch delete mode 100644 0015-nft-Fix-bitwise-expression-avoidance-detection.patch delete mode 100644 0016-extensions-sctp-Fix-nftables-translation.patch delete mode 100644 0018-nft-cache-Sort-chains-on-demand-only.patch delete mode 100644 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch delete mode 100644 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch delete 
mode 100644 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch delete mode 100644 0022-ebtables-Dump-atomic-waste.patch delete mode 100644 0023-nft-Fix-for-non-verbose-check-command.patch delete mode 100644 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch delete mode 100644 0025-extensions-SECMARK-Implement-revision-1.patch delete mode 100644 0027-nft-Simplify-immediate-parsing.patch delete mode 100644 0028-nft-Speed-up-immediate-parsing.patch delete mode 100644 0029-xshared-Prefer-xtables_chain_protos-lookup-over-getp.patch delete mode 100644 0030-xshared-Merge-and-share-parse_chain.patch delete mode 100644 0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch delete mode 100644 0032-libxtables-Implement-notargets-hash-table.patch delete mode 100644 0033-libxtables-Boost-rule-target-checks-by-announcing-ch.patch delete mode 100644 0034-Use-proto_to_name-from-xshared-in-more-places.patch diff --git a/.gitignore b/.gitignore index d5a31d9..90732d2 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,4 @@ /iptables-1.8.5.tar.bz2 /iptables-1.8.6.tar.bz2 /iptables-1.8.7.tar.bz2 +/iptables-1.8.8.tar.bz2 diff --git a/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch b/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch similarity index 95% rename from 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch rename to 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch index d09a77e..cdffca9 100644 --- a/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch +++ b/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch @@ -1,4 +1,4 @@ -From 635e4c4e7f3581a7cc8c04244ae3de239ad84935 Mon Sep 17 00:00:00 2001 +From 7ef75f20c338d0f09b50633aa0d5d83c868015ab Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 17 Jun 2021 18:44:28 +0200 Subject: [PATCH] doc: Add deprecation notices to all relevant man pages 
@@ -116,10 +116,10 @@ index ea31e0842acd4..ec5b993a41e8b 100644 .PP .BR "" "See " https://wiki.nftables.org diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 -index 1fa5ad9388cc0..5bdc0bb8a939e 100644 +index d75aae240bc05..ed1bf8f2db55b 100644 --- a/iptables/ebtables-nft.8 +++ b/iptables/ebtables-nft.8 -@@ -52,6 +52,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based) +@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based) .br .SH DESCRIPTION @@ -139,9 +139,9 @@ index 1fa5ad9388cc0..5bdc0bb8a939e 100644 .B ebtables is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect -@@ -1111,6 +1124,6 @@ table. Also there is no support for - .B string - match. And finally, this list is probably not complete. +@@ -1069,6 +1082,6 @@ has not been implemented, although + might replace them entirely given the inherent atomicity of nftables. + Finally, this list is probably not complete. .SH SEE ALSO -.BR xtables-nft "(8), " iptables "(8), " ip (8) +.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8) @@ -205,7 +205,7 @@ index 99d89a1fe44ad..73d40bbfe9c52 100644 iptables can use extended packet matching modules with the \fB\-m\fP or \fB\-\-match\fP diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in -index b4b62f92740d1..1bbf7a0d98d0a 100644 +index 20216842d8358..8f4811c72f2ec 100644 --- a/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in @@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables @@ -228,7 +228,7 @@ index b4b62f92740d1..1bbf7a0d98d0a 100644 .PP .B iptables-restore and -@@ -87,7 +100,9 @@ from Rusty Russell. +@@ -81,7 +94,9 @@ from Rusty Russell. .br Andras Kis-Szabo contributed ip6tables-restore. .SH SEE ALSO 
@@ -273,7 +273,7 @@ index 7683fd3780f72..6fe50b2d446e5 100644 The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in -index 999cf339845f9..895cc7b111eb9 100644 +index 627ff0e4da7a4..a8b31206d45b2 100644 --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in @@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP] @@ -308,7 +308,7 @@ index 999cf339845f9..895cc7b111eb9 100644 The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in -index b647a79eb64ed..bbccf009e8269 100644 +index a7f22c0d8c08e..e21d7ff23035f 100644 --- a/iptables/xtables-monitor.8.in +++ b/iptables/xtables-monitor.8.in @@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events @@ -330,5 +330,5 @@ index b647a79eb64ed..bbccf009e8269 100644 .B xtables-monitor is used to monitor changes to the ruleset or to show rule evaluation events -- -2.32.0 +2.34.1 diff --git a/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch b/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch deleted file mode 100644 index a3775af..0000000 --- a/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 28 Jan 2021 01:09:56 +0100 -Subject: [PATCH] ebtables: Exit gracefully on invalid table names - -Users are able to cause program abort by passing a table name that -doesn't exist: - -| # ebtables-nft -t dummy -P INPUT ACCEPT -| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed. -| Aborted - -Avoid this by checking table existence just like iptables-nft does upon -parsing '-t' optarg. Since the list of tables is known and fixed, -checking the given name's length is pointless. So just drop that check -in return. - -With this patch in place, output looks much better: - -| # ebtables-nft -t dummy -P INPUT ACCEPT -| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist -| Perhaps iptables or your kernel needs to be upgraded. - -Signed-off-by: Phil Sutter -(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f) ---- - iptables/xtables-eb.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c -index cfa9317c78e94..5bb34d6d292a9 100644 ---- a/iptables/xtables-eb.c -+++ b/iptables/xtables-eb.c -@@ -914,10 +914,10 @@ print_zero: - xtables_error(PARAMETER_PROBLEM, - "The -t option (seen in line %u) cannot be used in %s.\n", - line, xt_params->program_name); -- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1) -- xtables_error(PARAMETER_PROBLEM, -- "Table name length cannot exceed %d characters", -- EBT_TABLE_MAXNAMELEN - 1); -+ if (!nft_table_builtin_find(h, optarg)) -+ xtables_error(VERSION_PROBLEM, -+ "table '%s' does not exist", -+ optarg); - *table = optarg; - table_set = true; - break; --- -2.31.1 - 
diff --git a/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch b/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch similarity index 92% rename from 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch rename to 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch index 0813ef1..e432d7a 100644 --- a/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch +++ b/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch @@ -1,4 +1,4 @@ -From 45664de1be104ce9716227a0ad11ef2343ece3df Mon Sep 17 00:00:00 2001 +From 231626933e5fd54b8d9e66dfc9a8a374a9192121 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 16 Jul 2021 21:51:49 +0200 Subject: [PATCH] extensions: SECMARK: Use a better context in test case diff --git a/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch b/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch deleted file mode 100644 index 9be2e9e..0000000 --- a/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch +++ /dev/null 
@@ -1,196 +0,0 @@ -From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 2 Mar 2021 14:50:07 +0100 -Subject: [PATCH] xtables-translate: Fix translation of odd netmasks - -Iptables supports netmasks which are not prefixes to match on (or -ignore) arbitrary bits in an address. Yet nftables' prefix notation is -available for real prefixes only, so translation is not as trivial - -print bitmask syntax for those cases. - -Signed-off-by: Phil Sutter -(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae) ---- - extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++ - extensions/libxt_standard.t | 12 ++++++++++ - iptables/nft-ipv4.c | 42 ++++++++++++++++++++++---------- - iptables/nft-ipv6.c | 19 ++++++++++++--- - 4 files changed, 106 insertions(+), 15 deletions(-) - -diff --git a/extensions/generic.txlate b/extensions/generic.txlate -index 0e256c3727559..9ae9a5b54c1b9 100644 ---- a/extensions/generic.txlate -+++ b/extensions/generic.txlate -@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter - iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8 - nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter - -+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0 -+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter -+ -+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0 -+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter -+ -+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255 -+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter -+ -+iptables-translate -I INPUT ! 
-s 10.11.12.13/0.255.0.255 -+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter -+ -+iptables-translate -I INPUT -s 0.0.0.0/16 -+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter -+ -+iptables-translate -I INPUT -s 0.0.0.0/0 -+nft insert rule ip filter INPUT counter -+ -+iptables-translate -I INPUT ! -s 0.0.0.0/0 -+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter -+ -+ip6tables-translate -I INPUT -i iifname -s feed::/16 -+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter -+ -+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16 -+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter -+ -+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00:: -+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter -+ -+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0 -+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter -+ -+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff -+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter -+ -+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff -+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter -+ -+ip6tables-translate -I INPUT -s ::/16 -+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter -+ -+ip6tables-translate -I INPUT -s ::/0 -+nft insert rule ip6 filter INPUT counter -+ -+ip6tables-translate -I INPUT ! 
-s ::/0 -+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter -+ - ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0 - nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter - -diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t -index 4313f7b7bac9d..56d6da2e5884e 100644 ---- a/extensions/libxt_standard.t -+++ b/extensions/libxt_standard.t -@@ -9,3 +9,15 @@ - -j ACCEPT;=;OK - -j RETURN;=;OK - ! -p 0 -j ACCEPT;=;FAIL -+-s 10.11.12.13/8;-s 10.0.0.0/8;OK -+-s 10.11.12.13/9;-s 10.0.0.0/9;OK -+-s 10.11.12.13/10;-s 10.0.0.0/10;OK -+-s 10.11.12.13/11;-s 10.0.0.0/11;OK -+-s 10.11.12.13/12;-s 10.0.0.0/12;OK -+-s 10.11.12.13/30;-s 10.11.12.12/30;OK -+-s 10.11.12.13/31;-s 10.11.12.12/31;OK -+-s 10.11.12.13/32;-s 10.11.12.13/32;OK -+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK -+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK -+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK -+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK -diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c -index fdc15c6f04066..0d32a30010519 100644 ---- a/iptables/nft-ipv4.c -+++ b/iptables/nft-ipv4.c -@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command, - " source or destination IP addresses"); - } - -+static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr, -+ const struct in_addr *mask, -+ bool inv, struct xt_xlate *xl) -+{ -+ const char *op = inv ? "!= " : ""; -+ int cidr; -+ -+ if (!inv && !addr->s_addr && !mask->s_addr) -+ return; -+ -+ cidr = xtables_ipmask_to_cidr(mask); -+ switch (cidr) { -+ case -1: -+ /* inet_ntoa() is not reentrant */ -+ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask)); -+ xt_xlate_add(xl, "%s %s ", inv ? 
"!=" : "==", inet_ntoa(*addr)); -+ break; -+ case 32: -+ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr)); -+ break; -+ default: -+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr), -+ cidr); -+ } -+} -+ - static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) - { - const struct iptables_command_state *cs = data; -@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) - } - } - -- if (cs->fw.ip.src.s_addr != 0) { -- xt_xlate_add(xl, "ip saddr %s%s%s ", -- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "", -- inet_ntoa(cs->fw.ip.src), -- xtables_ipmask_to_numeric(&cs->fw.ip.smsk)); -- } -- if (cs->fw.ip.dst.s_addr != 0) { -- xt_xlate_add(xl, "ip daddr %s%s%s ", -- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "", -- inet_ntoa(cs->fw.ip.dst), -- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk)); -- } -+ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk, -+ cs->fw.ip.invflags & IPT_INV_SRCIP, xl); -+ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk, -+ cs->fw.ip.invflags & IPT_INV_DSTIP, xl); - - ret = xlate_matches(cs, xl); - if (!ret) -diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c -index 130ad3e6e7c44..46008fc5e762a 100644 ---- a/iptables/nft-ipv6.c -+++ b/iptables/nft-ipv6.c -@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr, - const struct in6_addr *mask, - int invert, struct xt_xlate *xl) - { -+ const char *op = invert ? "!= " : ""; - char addr_str[INET6_ADDRSTRLEN]; -+ int cidr; - -- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr)) -+ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask)) - return; - - inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN); -- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? 
"!= " : "", addr_str, -- xtables_ip6mask_to_numeric(mask)); -+ cidr = xtables_ip6mask_to_cidr(mask); -+ switch (cidr) { -+ case -1: -+ xt_xlate_add(xl, "%s & %s %s %s ", selector, -+ xtables_ip6addr_to_numeric(mask), -+ invert ? "!=" : "==", addr_str); -+ break; -+ case 128: -+ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str); -+ break; -+ default: -+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr); -+ } - } - - static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl) --- -2.31.1 - diff --git a/0003-Eliminate-inet_aton-and-inet_ntoa.patch b/0003-Eliminate-inet_aton-and-inet_ntoa.patch deleted file mode 100644 index e5ab459..0000000 --- a/0003-Eliminate-inet_aton-and-inet_ntoa.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 27 Apr 2021 09:12:53 +0200 -Subject: [PATCH] Eliminate inet_aton() and inet_ntoa() - -Both functions are obsolete, replace them by equivalent calls to -inet_pton() and inet_ntop(). - -Signed-off-by: Phil Sutter -(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3) ---- - extensions/libebt_among.c | 6 ++++-- - iptables/nft-ipv4.c | 23 ++++++++++++++--------- - 2 files changed, 18 insertions(+), 11 deletions(-) - -diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c -index 2b9a1b6566684..7eb898f984bba 100644 ---- a/extensions/libebt_among.c -+++ b/extensions/libebt_among.c -@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip) - if (sep) { - *sep = '\0'; - -- if (!inet_aton(sep + 1, &pair->in)) -+ if (!inet_pton(AF_INET, sep + 1, &pair->in)) - xtables_error(PARAMETER_PROBLEM, - "Invalid IP address '%s'\n", sep + 1); - } -@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs, - int cnt, bool inv, bool have_ip) - { - const char *isep = inv ? "! 
" : ""; -+ char abuf[INET_ADDRSTRLEN]; - int i; - - for (i = 0; i < cnt; i++) { -@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs, - - printf("%s", ether_ntoa(&pairs[i].ether)); - if (pairs[i].in.s_addr != INADDR_ANY) -- printf("=%s", inet_ntoa(pairs[i].in)); -+ printf("=%s", inet_ntop(AF_INET, &pairs[i].in, -+ abuf, sizeof(abuf))); - } - printf(" "); - } -diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c -index 0d32a30010519..a5b835b1f681d 100644 ---- a/iptables/nft-ipv4.c -+++ b/iptables/nft-ipv4.c -@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv) - - static const char *mask_to_str(uint32_t mask) - { -- static char mask_str[sizeof("255.255.255.255")]; -+ static char mask_str[INET_ADDRSTRLEN]; - uint32_t bits, hmask = ntohl(mask); - struct in_addr mask_addr = { - .s_addr = mask, -@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask) - if (i >= 0) - sprintf(mask_str, "%u", i); - else -- sprintf(mask_str, "%s", inet_ntoa(mask_addr)); -+ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str)); - - return mask_str; - } -@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r, - static void save_ipv4_addr(char letter, const struct in_addr *addr, - uint32_t mask, int invert) - { -+ char addrbuf[INET_ADDRSTRLEN]; -+ - if (!mask && !invert && !addr->s_addr) - return; - -- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr), -+ printf("%s-%c %s/%s ", invert ? "! " : "", letter, -+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)), - mask_to_str(mask)); - } - -@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr, - const struct in_addr *mask, - bool inv, struct xt_xlate *xl) - { -+ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN]; - const char *op = inv ? 
"!= " : ""; - int cidr; - - if (!inv && !addr->s_addr && !mask->s_addr) - return; - -+ inet_ntop(AF_INET, addr, abuf, sizeof(abuf)); -+ - cidr = xtables_ipmask_to_cidr(mask); - switch (cidr) { - case -1: -- /* inet_ntoa() is not reentrant */ -- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask)); -- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr)); -+ xt_xlate_add(xl, "%s & %s %s %s ", selector, -+ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)), -+ inv ? "!=" : "==", abuf); - break; - case 32: -- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr)); -+ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf); - break; - default: -- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr), -- cidr); -+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr); - } - } - --- -2.31.1 - diff --git a/0003-xshared-Fix-build-for-Werror-format-security.patch b/0003-xshared-Fix-build-for-Werror-format-security.patch new file mode 100644 index 0000000..182c174 --- /dev/null +++ b/0003-xshared-Fix-build-for-Werror-format-security.patch @@ -0,0 +1,29 @@ +From 4350a1e4daabc4ec1f9b692425d9bd0d48d27488 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 13 May 2022 16:51:58 +0200 +Subject: [PATCH] xshared: Fix build for -Werror=format-security + +Gcc complains about the omitted format string. + +Signed-off-by: Phil Sutter +(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a) +--- + iptables/xshared.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index fae5ddd5df93e..a8512d3808154 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg) + return; + + if (args->family != NFPROTO_ARP) +- xtables_error(PARAMETER_PROBLEM, msg); ++ xtables_error(PARAMETER_PROBLEM, "%s", msg); + + fprintf(stderr, "%s", msg); + } +-- +2.34.1 + 
diff --git a/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch b/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch deleted file mode 100644 index 10b4794..0000000 --- a/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch +++ /dev/null 
@@ -1,181 +0,0 @@ -From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 27 Apr 2021 10:02:34 +0200 -Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string() - -This eliminates quite a bit of redundant code apart from also dropping -use of obsolete function gethostbyaddr(). - -Signed-off-by: Phil Sutter -(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c) ---- - iptables/nft-arp.c | 99 ++++------------------------------------------ - iptables/xshared.c | 6 +-- - iptables/xshared.h | 3 ++ - 3 files changed, 14 insertions(+), 94 deletions(-) - -diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c -index c82ffdc95e300..2a9387a18dffe 100644 ---- a/iptables/nft-arp.c -+++ b/iptables/nft-arp.c -@@ -42,78 +42,6 @@ char *arp_opcodes[] = - "ARP_NAK", - }; - --static char * --addr_to_dotted(const struct in_addr *addrp) --{ -- static char buf[20]; -- const unsigned char *bytep; -- -- bytep = (const unsigned char *) &(addrp->s_addr); -- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]); -- return buf; --} -- --static char * --addr_to_host(const struct in_addr *addr) --{ -- struct hostent *host; -- -- if ((host = gethostbyaddr((char *) addr, -- sizeof(struct in_addr), AF_INET)) != NULL) -- return (char *) host->h_name; -- -- return (char *) NULL; --} -- --static char * --addr_to_network(const struct in_addr *addr) --{ -- struct netent *net; -- -- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL) -- return (char *) net->n_name; -- -- return (char *) NULL; --} -- --static char * --addr_to_anyname(const struct in_addr *addr) --{ -- char *name; -- -- if ((name = addr_to_host(addr)) != NULL || -- (name = addr_to_network(addr)) != NULL) -- return name; -- -- return addr_to_dotted(addr); --} -- --static char * --mask_to_dotted(const struct in_addr *mask) --{ -- int i; -- static char buf[22]; -- u_int32_t maskaddr, bits; -- -- maskaddr = ntohl(mask->s_addr); -- -- if (maskaddr == 
0xFFFFFFFFL) -- /* we don't want to see "/32" */ -- return ""; -- -- i = 32; -- bits = 0xFFFFFFFEL; -- while (--i >= 0 && maskaddr != bits) -- bits <<= 1; -- if (i >= 0) -- sprintf(buf, "/%d", i); -- else -- /* mask was not a decent combination of 1's and 0's */ -- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask)); -- -- return buf; --} -- - static bool need_devaddr(struct arpt_devaddr_info *info) - { - int i; -@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, - unsigned int format) - { - const struct arpt_entry *fw = &cs->arp; -- char buf[BUFSIZ]; - char iface[IFNAMSIZ+2]; - const char *sep = ""; - int print_iface = 0; -@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, - } - - if (fw->arp.smsk.s_addr != 0L) { -- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP -- ? "! " : ""); -- if (format & FMT_NUMERIC) -- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src))); -- else -- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src))); -- strncat(buf, mask_to_dotted(&(fw->arp.smsk)), -- sizeof(buf) - strlen(buf) - 1); -- printf("-s %s", buf); -+ printf("%s%s-s %s", sep, -+ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "", -+ ipv4_addr_to_string(&fw->arp.src, -+ &fw->arp.smsk, format)); - sep = " "; - } - -@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, - after_devsrc: - - if (fw->arp.tmsk.s_addr != 0L) { -- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP -- ? "! " : ""); -- if (format & FMT_NUMERIC) -- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt))); -- else -- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt))); -- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)), -- sizeof(buf) - strlen(buf) - 1); -- printf("-d %s", buf); -+ printf("%s%s-d %s", sep, -+ fw->arp.invflags & IPT_INV_DSTIP ? "! 
" : "", -+ ipv4_addr_to_string(&fw->arp.tgt, -+ &fw->arp.tmsk, format)); - sep = " "; - } - -diff --git a/iptables/xshared.c b/iptables/xshared.c -index 71f689901e1d4..9a1f465a5a6d3 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store) - } - #endif - --static const char *ipv4_addr_to_string(const struct in_addr *addr, -- const struct in_addr *mask, -- unsigned int format) -+const char *ipv4_addr_to_string(const struct in_addr *addr, -+ const struct in_addr *mask, -+ unsigned int format) - { - static char buf[BUFSIZ]; - -diff --git a/iptables/xshared.h b/iptables/xshared.h -index 9159b2b1f3768..1e86aba8b2375 100644 ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store); - # define debug_print_argv(...) /* nothing */ - #endif - -+const char *ipv4_addr_to_string(const struct in_addr *addr, -+ const struct in_addr *mask, -+ unsigned int format); - void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); - void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); - --- -2.31.1 - diff --git a/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch b/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch deleted file mode 100644 index 1ebf6d4..0000000 --- a/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 13 Nov 2020 21:04:39 +0100 -Subject: [PATCH] libxtables: Drop leftover variable in - xtables_numeric_to_ip6addr() - -Variable 'err' was only used in removed debug code, so drop it as well. - -Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code") -Signed-off-by: Phil Sutter -(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc) ---- - libxtables/xtables.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/libxtables/xtables.c b/libxtables/xtables.c -index bc42ba8221f3a..6947441fec659 100644 ---- a/libxtables/xtables.c -+++ b/libxtables/xtables.c -@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp) - struct in6_addr *xtables_numeric_to_ip6addr(const char *num) - { - static struct in6_addr ap; -- int err; - -- if ((err = inet_pton(AF_INET6, num, &ap)) == 1) -+ if (inet_pton(AF_INET6, num, &ap) == 1) - return ≈ - - return NULL; --- -2.31.1 - diff --git a/0006-extensions-libebt_ip6-Drop-unused-variables.patch b/0006-extensions-libebt_ip6-Drop-unused-variables.patch deleted file mode 100644 index f32c329..0000000 --- a/0006-extensions-libebt_ip6-Drop-unused-variables.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 13 Nov 2020 21:13:50 +0100 -Subject: [PATCH] extensions: libebt_ip6: Drop unused variables - -They are being assigned to but never read. - -Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension") -Signed-off-by: Phil Sutter -(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc) ---- - extensions/libebt_ip6.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c -index b8a5a5d8c3a92..301bed9aadefd 100644 ---- a/extensions/libebt_ip6.c -+++ b/extensions/libebt_ip6.c -@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match) - static struct in6_addr *numeric_to_addr(const char *num) - { - static struct in6_addr ap; -- int err; - -- if ((err=inet_pton(AF_INET6, num, &ap)) == 1) -+ if (inet_pton(AF_INET6, num, &ap) == 1) - return ≈ - return (struct in6_addr *)NULL; - } -@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i - char buf[256]; - char *p; - int i; -- int err; - - strncpy(buf, address, sizeof(buf) - 1); - /* first the mask */ -@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i - if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any))) - strcpy(buf, "::"); - -- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) { -+ if (inet_pton(AF_INET6, buf, addr) < 1) { - xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf); - return; - } --- -2.31.1 - diff --git a/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch b/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch deleted file mode 100644 index f1a7336..0000000 --- a/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 11:04:30 +0200 -Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask() - -The allocated hostmask duplicate needs to be freed again. - -Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") -Signed-off-by: Phil Sutter -(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e) ---- - libxtables/xtoptions.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c -index d329f2ff7979e..0dcdf607f4678 100644 ---- a/libxtables/xtoptions.c -+++ b/libxtables/xtoptions.c -@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb) - cb->arg = p; - xtopt_parse_plenmask(cb); - cb->arg = orig_arg; -+ free(work); - } - - static void xtopt_parse_ethermac(struct xt_option_call *cb) --- -2.31.1 - diff --git a/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch b/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch deleted file mode 100644 index ee25117..0000000 --- a/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 11:55:20 +0200 -Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new() - -If rule allocation fails, free the allocated 'cmd' before returning to -caller. - -Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") -Signed-off-by: Phil Sutter -(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3) ---- - iptables/nft-cmd.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c -index 5d33f1f00f574..9b0c964847615 100644 ---- a/iptables/nft-cmd.c -+++ b/iptables/nft-cmd.c -@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command, - - if (state) { - rule = nft_rule_new(h, chain, table, state); -- if (!rule) -+ if (!rule) { -+ nft_cmd_free(cmd); - return NULL; -+ } - - cmd->obj.rule = rule; - --- -2.31.1 - diff --git a/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch b/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch deleted file mode 100644 index 6d30b3f..0000000 --- a/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 11:58:06 +0200 -Subject: [PATCH] nft: Avoid buffer size warnings copying iface names - -The call to strncpy() is actually not needed: source buffer is only -IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to -avoid compiler warnings due to size parameter matching the destination -buffer size by performing the copy using (dumb) memcpy() instead. - -Signed-off-by: Phil Sutter -(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff) ---- - iptables/nft-ipv4.c | 4 ++-- - iptables/nft-ipv6.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c -index a5b835b1f681d..34f94bd8cc24a 100644 ---- a/iptables/nft-ipv4.c -+++ b/iptables/nft-ipv4.c -@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command, - */ - cs->fw.ip.invflags = args->invflags; - -- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ); -+ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ); - memcpy(cs->fw.ip.iniface_mask, - args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); - -- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ); -+ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ); - memcpy(cs->fw.ip.outiface_mask, - args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); - -diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c -index 46008fc5e762a..d9c9400ad7dc3 100644 ---- a/iptables/nft-ipv6.c -+++ b/iptables/nft-ipv6.c -@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs, - */ - cs->fw6.ipv6.invflags = args->invflags; - -- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ); -+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ); - memcpy(cs->fw6.ipv6.iniface_mask, - args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); - -- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ); -+ 
memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ); - memcpy(cs->fw6.ipv6.outiface_mask, - args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); - --- -2.31.1 - diff --git a/0010-iptables-apply-Drop-unused-variable.patch b/0010-iptables-apply-Drop-unused-variable.patch deleted file mode 100644 index e28558f..0000000 --- a/0010-iptables-apply-Drop-unused-variable.patch +++ /dev/null @@ -1,29 +0,0 @@ -From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 12:50:57 +0200 -Subject: [PATCH] iptables-apply: Drop unused variable - -It was assigned to but never read. - -Fixes: b45b4e3903414 ("iptables-apply: script and manpage update") -Signed-off-by: Phil Sutter -(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764) ---- - iptables/iptables-apply | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/iptables/iptables-apply b/iptables/iptables-apply -index 4683b1b402d08..3a7df5e3cbc1f 100755 ---- a/iptables/iptables-apply -+++ b/iptables/iptables-apply -@@ -231,7 +231,6 @@ case "$MODE" in - "$RUNCMD" & - CMD_PID=$! - ( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) & -- CMDTIMEOUT_PID=$! - if ! wait "$CMD_PID"; then - echo "failed." - echo "Error: unknown error running command: $RUNCMD" >&2 --- -2.31.1 - diff --git a/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch b/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch deleted file mode 100644 index 17c5ea6..0000000 --- a/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 14:04:43 +0200 -Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any() - -The code was almost identical and suffered from the same problem as -fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory -corruption bugs"). - -The only functional change this involves is ebt_parse_ip6_address() will -now accept hostnames as well. - -Signed-off-by: Phil Sutter -(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4) ---- - extensions/libebt_ip6.c | 74 ++++++----------------------------------- - 1 file changed, 10 insertions(+), 64 deletions(-) - -diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c -index 301bed9aadefd..3cc39271d4658 100644 ---- a/extensions/libebt_ip6.c -+++ b/extensions/libebt_ip6.c -@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match) - memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr)); - } - --static struct in6_addr *numeric_to_addr(const char *num) -+/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */ -+static void ebt_parse_ip6_address(char *address, -+ struct in6_addr *addr, struct in6_addr *msk) - { -- static struct in6_addr ap; -- -- if (inet_pton(AF_INET6, num, &ap) == 1) -- return ≈ -- return (struct in6_addr *)NULL; --} -- --static struct in6_addr *parse_ip6_mask(char *mask) --{ -- static struct in6_addr maskaddr; - struct in6_addr *addrp; -- unsigned int bits; -- -- if (mask == NULL) { -- /* no mask at all defaults to 128 bits */ -- memset(&maskaddr, 0xff, sizeof maskaddr); -- return &maskaddr; -- } -- if ((addrp = numeric_to_addr(mask)) != NULL) -- return addrp; -- if (!xtables_strtoui(mask, NULL, &bits, 0, 128)) -- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask); -- if (bits != 0) { -- char *p = (char *)&maskaddr; -- memset(p, 0xff, bits / 8); -- memset(p + (bits / 8) + 1, 0, 
(128 - bits) / 8); -- p[bits / 8] = 0xff << (8 - (bits & 7)); -- return &maskaddr; -- } -+ unsigned int naddrs; - -- memset(&maskaddr, 0, sizeof maskaddr); -- return &maskaddr; --} -- --/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0]. -- * The string pointed to by address can be altered. */ --static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk) --{ -- struct in6_addr *tmp_addr; -- char buf[256]; -- char *p; -- int i; -- -- strncpy(buf, address, sizeof(buf) - 1); -- /* first the mask */ -- buf[sizeof(buf) - 1] = '\0'; -- if ((p = strrchr(buf, '/')) != NULL) { -- *p = '\0'; -- tmp_addr = parse_ip6_mask(p + 1); -- } else -- tmp_addr = parse_ip6_mask(NULL); -- -- *msk = *tmp_addr; -- -- /* if a null mask is given, the name is ignored, like in "any/0" */ -- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any))) -- strcpy(buf, "::"); -- -- if (inet_pton(AF_INET6, buf, addr) < 1) { -- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf); -- return; -- } -- -- for (i = 0; i < 4; i++) -- addr->s6_addr32[i] &= msk->s6_addr32[i]; -+ xtables_ip6parse_any(address, &addrp, msk, &naddrs); -+ if (naddrs != 1) -+ xtables_error(PARAMETER_PROBLEM, -+ "Invalid IPv6 Address '%s' specified", address); -+ memcpy(addr, addrp, sizeof(*addr)); -+ free(addrp); - } - - #define OPT_SOURCE 0x01 --- -2.31.1 - diff --git a/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch b/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch deleted file mode 100644 index 70d05fe..0000000 --- a/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch +++ /dev/null 
@@ -1,554 +0,0 @@ -From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 12:56:06 +0200 -Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere - -This wraps strdup(), checking for errors. - -Signed-off-by: Phil Sutter -(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a) ---- - extensions/libebt_ip.c | 3 ++- - extensions/libebt_ip6.c | 2 +- - extensions/libebt_stp.c | 3 ++- - extensions/libip6t_DNAT.c | 4 +--- - extensions/libip6t_SNAT.c | 4 +--- - extensions/libip6t_dst.c | 8 +++----- - extensions/libip6t_hbh.c | 7 +++---- - extensions/libip6t_ipv6header.c | 2 +- - extensions/libip6t_mh.c | 2 +- - extensions/libip6t_rt.c | 7 +++---- - extensions/libipt_DNAT.c | 8 ++------ - extensions/libipt_SNAT.c | 4 +--- - extensions/libxt_dccp.c | 2 +- - extensions/libxt_hashlimit.c | 5 +---- - extensions/libxt_iprange.c | 4 +--- - extensions/libxt_multiport.c | 6 ++---- - extensions/libxt_sctp.c | 4 ++-- - extensions/libxt_set.h | 4 ++-- - extensions/libxt_tcp.c | 4 ++-- - include/xtables.h | 1 + - iptables/iptables-xml.c | 4 ++-- - iptables/nft-cache.c | 4 ++-- - iptables/nft-cmd.c | 13 +++++++------ - iptables/xshared.c | 2 +- - libxtables/xtables.c | 12 ++++++++++++ - libxtables/xtoptions.c | 14 +++----------- - 26 files changed, 60 insertions(+), 73 deletions(-) - -diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c -index acb9bfcdbbd9f..51649ffb3c305 100644 ---- a/extensions/libebt_ip.c -+++ b/extensions/libebt_ip.c -@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) - char *buffer; - char *cp; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); -+ - if ((cp = strchr(buffer, ':')) == NULL) - ports[0] = ports[1] = xtables_parse_port(buffer, NULL); - else { -diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c -index 3cc39271d4658..a686a285c3cb8 100644 ---- a/extensions/libebt_ip6.c -+++ 
b/extensions/libebt_ip6.c -@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) - char *buffer; - char *cp; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); - if ((cp = strchr(buffer, ':')) == NULL) - ports[0] = ports[1] = xtables_parse_port(buffer, NULL); - else { -diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c -index 81ba572c33c1a..3e9e24474eb61 100644 ---- a/extensions/libebt_stp.c -+++ b/extensions/libebt_stp.c -@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper, - uint32_t low_nr, upp_nr; - int ret = 0; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); -+ - if ((cp = strchr(buffer, ':')) == NULL) { - low_nr = strtoul(buffer, &end, 10); - if (*end || low_nr < min || low_nr > max) { -diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c -index 89c5ceb153250..f1ad81436316b 100644 ---- a/extensions/libip6t_DNAT.c -+++ b/extensions/libip6t_DNAT.c -@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev) - char *arg, *start, *end = NULL, *colon = NULL, *dash, *error; - const struct in6_addr *ip; - -- arg = strdup(orig_arg); -- if (arg == NULL) -- xtables_error(RESOURCE_PROBLEM, "strdup"); -+ arg = xtables_strdup(orig_arg); - - start = strchr(arg, '['); - if (start == NULL) { -diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c -index 7d74b3d76a93c..6d19614c7c708 100644 ---- a/extensions/libip6t_SNAT.c -+++ b/extensions/libip6t_SNAT.c -@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range) - char *arg, *start, *end = NULL, *colon = NULL, *dash, *error; - const struct in6_addr *ip; - -- arg = strdup(orig_arg); -- if (arg == NULL) -- xtables_error(RESOURCE_PROBLEM, "strdup"); -+ arg = xtables_strdup(orig_arg); - - start = strchr(arg, '['); - if (start == NULL) { -diff --git a/extensions/libip6t_dst.c 
b/extensions/libip6t_dst.c -index fe7e3403468ce..bf0e3e436665d 100644 ---- a/extensions/libip6t_dst.c -+++ b/extensions/libip6t_dst.c -@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts) - { - char *buffer, *cp, *next, *range; - unsigned int i; -- -- buffer = strdup(optsstr); -- if (!buffer) -- xtables_error(OTHER_PROBLEM, "strdup failed"); -- -+ -+ buffer = xtables_strdup(optsstr); -+ - for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++) - { - next = strchr(cp, ','); -diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c -index 4cebecfd3d2f5..74e87cda7eea1 100644 ---- a/extensions/libip6t_hbh.c -+++ b/extensions/libip6t_hbh.c -@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts) - { - char *buffer, *cp, *next, *range; - unsigned int i; -- -- buffer = strdup(optsstr); -- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); -- -+ -+ buffer = xtables_strdup(optsstr); -+ - for (cp=buffer, i=0; cp && ipflags[i] = 0; -diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c -index 140de2653b1ef..59b34684cc7f7 100644 ---- a/extensions/libxt_sctp.c -+++ b/extensions/libxt_sctp.c -@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring, - char *buffer; - char *cp; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); - DEBUGP("%s\n", portstring); - if ((cp = strchr(buffer, ':')) == NULL) { - ports[0] = ports[1] = xtables_parse_port(buffer, "sctp"); -@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo, - int found = 0; - char *chunk_flags; - -- buffer = strdup(chunks); -+ buffer = xtables_strdup(chunks); - DEBUGP("Buffer: %s\n", buffer); - - SCTP_CHUNKMAP_RESET(einfo->chunkmap); -diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h -index 41dfbd30fc7c1..ad895a7504d9d 100644 ---- a/extensions/libxt_set.h -+++ b/extensions/libxt_set.h -@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info) - static void - parse_dirs_v0(const char 
*opt_arg, struct xt_set_info_v0 *info) - { -- char *saved = strdup(opt_arg); -+ char *saved = xtables_strdup(opt_arg); - char *ptr, *tmp = saved; - int i = 0; - -@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info) - static void - parse_dirs(const char *opt_arg, struct xt_set_info *info) - { -- char *saved = strdup(opt_arg); -+ char *saved = xtables_strdup(opt_arg); - char *ptr, *tmp = saved; - - while (info->dim < IPSET_DIM_MAX && tmp != NULL) { -diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c -index 58f3c0a0c3c28..383e4db5b5e23 100644 ---- a/extensions/libxt_tcp.c -+++ b/extensions/libxt_tcp.c -@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports) - char *buffer; - char *cp; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); - if ((cp = strchr(buffer, ':')) == NULL) - ports[0] = ports[1] = xtables_parse_port(buffer, "tcp"); - else { -@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags) - char *ptr; - char *buffer; - -- buffer = strdup(flags); -+ buffer = xtables_strdup(flags); - - for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) { - unsigned int i; -diff --git a/include/xtables.h b/include/xtables.h -index df1eaee326643..107ad7d65e6fc 100644 ---- a/include/xtables.h -+++ b/include/xtables.h -@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t); - extern void *xtables_calloc(size_t, size_t); - extern void *xtables_malloc(size_t); - extern void *xtables_realloc(void *, size_t); -+char *xtables_strdup(const char *); - - extern int xtables_insmod(const char *, const char *, bool); - extern int xtables_load_ko(const char *, bool); -diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c -index 98d03dda98d2b..6cf059fb67292 100644 ---- a/iptables/iptables-xml.c -+++ b/iptables/iptables-xml.c -@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr) - "%s: line %u chain name invalid\n", - prog_name, line); - -- 
chains[nextChain].chain = strdup(chain); -- chains[nextChain].policy = strdup(policy); -+ chains[nextChain].chain = xtables_strdup(chain); -+ chains[nextChain].policy = xtables_strdup(policy); - chains[nextChain].count = *ctr; - chains[nextChain].created = 0; - nextChain++; -diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c -index 6b6e6da40a826..7fd78654b280a 100644 ---- a/iptables/nft-cache.c -+++ b/iptables/nft-cache.c -@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name) - } - - new = xtables_malloc(sizeof(*new)); -- new->name = strdup(name); -+ new->name = xtables_strdup(name); - list_add_tail(&new->head, pos ? &pos->head : list); - } - -@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level, - return; - - if (!req->table) -- req->table = strdup(cmd->table); -+ req->table = xtables_strdup(cmd->table); - else - assert(!strcmp(req->table, cmd->table)); - -diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c -index 9b0c964847615..8dccdd734b156 100644 ---- a/iptables/nft-cmd.c -+++ b/iptables/nft-cmd.c -@@ -11,6 +11,7 @@ - - #include - #include -+#include - #include "nft.h" - #include "nft-cmd.h" - -@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command, - return NULL; - - cmd->command = command; -- cmd->table = strdup(table); -+ cmd->table = xtables_strdup(table); - if (chain) -- cmd->chain = strdup(chain); -+ cmd->chain = xtables_strdup(chain); - cmd->rulenum = rulenum; - cmd->verbose = verbose; - -@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command, - cmd->obj.rule = rule; - - if (!state->target && strlen(state->jumpto) > 0) -- cmd->jumpto = strdup(state->jumpto); -+ cmd->jumpto = xtables_strdup(state->jumpto); - } - - list_add_tail(&cmd->head, &h->cmd_list); -@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain, - if (!cmd) - return 0; - -- cmd->rename = strdup(newname); -+ cmd->rename = 
xtables_strdup(newname); - - nft_cache_level_set(h, NFT_CL_CHAINS, cmd); - -@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table, - if (!cmd) - return 0; - -- cmd->policy = strdup(policy); -+ cmd->policy = xtables_strdup(policy); - if (counters) - cmd->counters = *counters; - -@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table, - if (!cmd) - return 0; - -- cmd->policy = strdup(policy); -+ cmd->policy = xtables_strdup(policy); - - nft_cache_level_set(h, NFT_CL_RULES, cmd); - -diff --git a/iptables/xshared.c b/iptables/xshared.c -index 9a1f465a5a6d3..4027d9240215e 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted) - xtables_error(PARAMETER_PROBLEM, - "Trying to store NULL argument\n"); - -- store->argv[store->argc] = strdup(what); -+ store->argv[store->argc] = xtables_strdup(what); - store->argvattr[store->argc] = quoted; - store->argv[++store->argc] = NULL; - } -diff --git a/libxtables/xtables.c b/libxtables/xtables.c -index 6947441fec659..1931e3896262a 100644 ---- a/libxtables/xtables.c -+++ b/libxtables/xtables.c -@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size) - return p; - } - -+char *xtables_strdup(const char *s) -+{ -+ char *dup = strdup(s); -+ -+ if (!dup) { -+ perror("ip[6]tables: strdup failed"); -+ exit(1); -+ } -+ -+ return dup; -+} -+ - static char *get_modprobe(void) - { - int procfile; -diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c -index 0dcdf607f4678..9d3ac5c8066cb 100644 ---- a/libxtables/xtoptions.c -+++ b/libxtables/xtoptions.c -@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb) - unsigned int maxiter; - int value; - -- wp_arg = lo_arg = strdup(cb->arg); -- if (lo_arg == NULL) -- xt_params->exit_err(RESOURCE_PROBLEM, "strdup"); -+ wp_arg = lo_arg = xtables_strdup(cb->arg); - - maxiter = entry->size / esize; - if (maxiter == 
0) -@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb) - xtopt_parse_host(cb); - return; - } -- work = strdup(orig_arg); -- if (work == NULL) -- xt_params->exit_err(PARAMETER_PROBLEM, "strdup"); -+ work = xtables_strdup(orig_arg); - p = strchr(work, '/'); /* by def this can't be NULL now */ - *p++ = '\0'; - /* -@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file) - goto out; - } - lmap_this->id = id; -- lmap_this->name = strdup(cur); -- if (lmap_this->name == NULL) { -- free(lmap_this); -- goto out; -- } -+ lmap_this->name = xtables_strdup(cur); - lmap_this->next = NULL; - - if (lmap_prev != NULL) --- -2.31.1 - diff --git a/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch b/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch deleted file mode 100644 index f2ee196..0000000 --- a/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 15:15:37 +0200 -Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for - strncpy() - -If the target buffer does not need to be null-terminated, one may simply -use memcpy() and thereby avoid any compiler warnings. - -Signed-off-by: Phil Sutter -(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb) ---- - extensions/libxt_string.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c -index 7c6366cbbf1b3..739a8e7fd66b6 100644 ---- a/extensions/libxt_string.c -+++ b/extensions/libxt_string.c -@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info) - { - /* xt_string does not need \0 at the end of the pattern */ - if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) { -- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE); -+ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE); - info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE); - return; - } --- -2.31.1 - diff --git a/0014-iptables-nft-fix-Z-option.patch b/0014-iptables-nft-fix-Z-option.patch deleted file mode 100644 index 0eca942..0000000 --- a/0014-iptables-nft-fix-Z-option.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 176353549f03fd10c731d93e9b37aa05eb210ecb Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Wed, 24 Feb 2021 11:08:02 +0100 -Subject: [PATCH] iptables-nft: fix -Z option - -it zeroes the rule counters, so it needs fully populated cache. -Add a test case to cover this. - -Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands") -Signed-off-by: Florian Westphal -Acked-by: Phil Sutter -(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2) ---- - iptables/nft-cmd.c | 2 +- - .../testcases/iptables/0007-zero-counters_0 | 64 +++++++++++++++++++ - 2 files changed, 65 insertions(+), 1 deletion(-) - create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0 - -diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c -index 8dccdd734b156..a0c76a795e59c 100644 ---- a/iptables/nft-cmd.c -+++ b/iptables/nft-cmd.c -@@ -188,7 +188,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain, - if (!cmd) - return 0; - -- nft_cache_level_set(h, NFT_CL_CHAINS, cmd); -+ nft_cache_level_set(h, NFT_CL_RULES, cmd); - - return 1; - } -diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 -new file mode 100755 -index 0000000000000..36da1907e3b22 ---- /dev/null -+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 -@@ -0,0 +1,64 @@ -+#!/bin/bash -+ -+RC=0 -+COUNTR=$RANDOM$RANDOM -+ -+$XT_MULTI iptables-restore -c < -Date: Fri, 19 Feb 2021 16:54:57 +0100 -Subject: [PATCH] nft: Fix bitwise expression avoidance detection - -Byte-boundary prefix detection was too sloppy: Any data following the -first zero-byte was ignored. Add a follow-up loop making sure there are -no stray bits in the designated host part. 
- -Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches") -Signed-off-by: Phil Sutter -(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba) ---- - iptables/nft-shared.c | 4 +++- - .../testcases/ip6tables/0004-address-masks_0 | 24 +++++++++++++++++++ - 2 files changed, 27 insertions(+), 1 deletion(-) - create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 - -diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c -index 10553ab26823b..c1664b50f9383 100644 ---- a/iptables/nft-shared.c -+++ b/iptables/nft-shared.c -@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset, - { - const unsigned char *m = mask; - bool bitwise = false; -- int i; -+ int i, j; - - for (i = 0; i < len; i++) { - if (m[i] != 0xff) { -@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset, - break; - } - } -+ for (j = i + 1; !bitwise && j < len; j++) -+ bitwise = !!m[j]; - - if (!bitwise) - len = i; -diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 -new file mode 100755 -index 0000000000000..7eb42f08da975 ---- /dev/null -+++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 -@@ -0,0 +1,24 @@ -+#!/bin/bash -+ -+set -e -+ -+$XT_MULTI ip6tables-restore < -Date: Tue, 4 May 2021 16:03:24 +0200 -Subject: [PATCH] extensions: sctp: Fix nftables translation - -If both sport and dport was present, incorrect nft syntax was generated. 
- -Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft") -Signed-off-by: Phil Sutter -(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167) ---- - extensions/libxt_sctp.c | 10 ++++------ - extensions/libxt_sctp.txlate | 10 +++++----- - 2 files changed, 9 insertions(+), 11 deletions(-) - -diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c -index 59b34684cc7f7..5ec1ca618405e 100644 ---- a/extensions/libxt_sctp.c -+++ b/extensions/libxt_sctp.c -@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl, - if (!einfo->flags) - return 0; - -- xt_xlate_add(xl, "sctp "); -- - if (einfo->flags & XT_SCTP_SRC_PORTS) { - if (einfo->spts[0] != einfo->spts[1]) -- xt_xlate_add(xl, "sport%s %u-%u", -+ xt_xlate_add(xl, "sctp sport%s %u-%u", - einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", - einfo->spts[0], einfo->spts[1]); - else -- xt_xlate_add(xl, "sport%s %u", -+ xt_xlate_add(xl, "sctp sport%s %u", - einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", - einfo->spts[0]); - space = " "; -@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl, - - if (einfo->flags & XT_SCTP_DEST_PORTS) { - if (einfo->dpts[0] != einfo->dpts[1]) -- xt_xlate_add(xl, "%sdport%s %u-%u", space, -+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space, - einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", - einfo->dpts[0], einfo->dpts[1]); - else -- xt_xlate_add(xl, "%sdport%s %u", space, -+ xt_xlate_add(xl, "%ssctp dport%s %u", space, - einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", - einfo->dpts[0]); - } -diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate -index 72f4641ab021c..0d6c59e183675 100644 ---- a/extensions/libxt_sctp.txlate -+++ b/extensions/libxt_sctp.txlate -@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! 
--dport 50:56 -j ACCEPT - nft add rule ip filter INPUT sctp dport != 50-56 counter accept - - iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT --nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept -+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept - - iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT --nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept -+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept - - iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT --nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept -+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept - - iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT --nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept -+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept - - iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT --nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept -+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept --- -2.31.1 - diff --git a/0018-nft-cache-Sort-chains-on-demand-only.patch b/0018-nft-cache-Sort-chains-on-demand-only.patch deleted file mode 100644 index 22f0f2b..0000000 --- a/0018-nft-cache-Sort-chains-on-demand-only.patch +++ /dev/null 
@@ -1,211 +0,0 @@
-From 743bcc5a632c7f5058ac03794f82b7ba52091cea Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 25 Mar 2021 16:24:39 +0100
-Subject: [PATCH] nft: cache: Sort chains on demand only
-
-Mandatory sorted insert of chains into cache significantly slows down
-restoring of large rulesets. Since the sorted list of user-defined
-chains is needed for listing and verbose output only, introduce
-nft_cache_sort_chains() and call it where needed.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit fdf64dcdace989589bac441805082e3b1fe6a915)
----
- iptables/nft-cache.c | 71 +++++++++++++++++++++++++++++++++--------
- iptables/nft-cache.h | 1 +
- iptables/nft.c | 12 +++++++
- iptables/nft.h | 1 +
- iptables/xtables-save.c | 1 +
- 5 files changed, 73 insertions(+), 13 deletions(-)
-
-diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
-index 7fd78654b280a..2c88301cc7445 100644
---- a/iptables/nft-cache.c
-+++ b/iptables/nft-cache.c
-@@ -223,24 +223,67 @@ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
- 
- h->cache->table[t->type].base_chains[hooknum] = nc;
- } else {
-- struct nft_chain_list *clist = h->cache->table[t->type].chains;
-- struct list_head *pos = &clist->list;
-- struct nft_chain *cur;
-- const char *n;
--
-- list_for_each_entry(cur, &clist->list, head) {
-- n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME);
-- if (strcmp(cname, n) <= 0) {
-- pos = &cur->head;
-- break;
-- }
-- }
-- list_add_tail(&nc->head, pos);
-+ list_add_tail(&nc->head,
-+ &h->cache->table[t->type].chains->list);
- }
- hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname));
- return 0;
- }
- 
-+static void __nft_chain_list_sort(struct list_head *list,
-+ int (*cmp)(struct nft_chain *a,
-+ struct nft_chain *b))
-+{
-+ struct nft_chain *pivot, *cur, *sav;
-+ LIST_HEAD(sublist);
-+
-+ if (list_empty(list))
-+ return;
-+
-+ /* grab first item as pivot (dividing) value */
-+ pivot = list_entry(list->next, struct nft_chain, head);
-+ list_del(&pivot->head);
-+
-+ /* move any smaller value into sublist */
-+ list_for_each_entry_safe(cur, sav, list, head) {
-+ if (cmp(pivot, cur) > 0) {
-+ list_del(&cur->head);
-+ list_add_tail(&cur->head, &sublist);
-+ }
-+ }
-+ /* conquer divided */
-+ __nft_chain_list_sort(&sublist, cmp);
-+ __nft_chain_list_sort(list, cmp);
-+
-+ /* merge divided and pivot again */
-+ list_add_tail(&pivot->head, &sublist);
-+ list_splice(&sublist, list);
-+}
-+
-+static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b)
-+{
-+ const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME);
-+ const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME);
-+
-+ return strcmp(aname, bname);
-+}
-+
-+int nft_cache_sort_chains(struct nft_handle *h, const char *table)
-+{
-+ const struct builtin_table *t = nft_table_builtin_find(h, table);
-+
-+ if (!t)
-+ return -1;
-+
-+ if (h->cache->table[t->type].sorted)
-+ return 0;
-+
-+ __nft_chain_list_sort(&h->cache->table[t->type].chains->list,
-+ nft_chain_cmp_byname);
-+ h->cache->table[t->type].sorted = true;
-+ return 0;
-+}
-+
- struct nftnl_chain_list_cb_data {
- struct nft_handle *h;
- const struct builtin_table *t;
-@@ -663,6 +706,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
- 
- flush_base_chain_cache(c->table[table->type].base_chains);
- nft_chain_foreach(h, tablename, __flush_chain_cache, NULL);
-+ c->table[table->type].sorted = false;
- 
- if (c->table[table->type].sets)
- nftnl_set_list_foreach(c->table[table->type].sets,
-@@ -678,6 +722,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
- if (c->table[i].chains) {
- nft_chain_list_free(c->table[i].chains);
- c->table[i].chains = NULL;
-+ c->table[i].sorted = false;
- }
- 
- if (c->table[i].sets) {
-diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h
-index 20d96beede876..58a015265056c 100644
---- a/iptables/nft-cache.h
-+++ b/iptables/nft-cache.h
-@@ -16,6 +16,7 @@ int flush_rule_cache(struct nft_handle *h, const char *table,
- void nft_cache_build(struct nft_handle *h);
- int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
- struct nftnl_chain *c);
-+int nft_cache_sort_chains(struct nft_handle *h, const char *table);
- 
- struct nft_chain *
- nft_chain_find(struct nft_handle *h, const char *table, const char *chain);
-diff --git a/iptables/nft.c b/iptables/nft.c
-index bde4ca72d3fcc..8b14daeaed610 100644
---- a/iptables/nft.c
-+++ b/iptables/nft.c
-@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
- return 1;
- }
- 
-+ nft_cache_sort_chains(h, table);
-+
- ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d);
- 
- /* the core expects 1 for success and 0 for error */
-@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain,
- goto out;
- }
- 
-+ if (verbose)
-+ nft_cache_sort_chains(h, table);
-+
- ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d);
- out:
- /* the core expects 1 for success and 0 for error */
-@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
- return 1;
- }
- 
-+ nft_cache_sort_chains(h, table);
-+
- if (ops->print_table_header)
- ops->print_table_header(table);
- 
-@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
- return nft_rule_list_cb(c, &d);
- }
- 
-+ nft_cache_sort_chains(h, table);
-+
- /* Dump policies and custom chains first */
- nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters);
- 
-@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
- goto err;
- }
- 
-+ if (verbose)
-+ nft_cache_sort_chains(h, table);
-+
- ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d);
- err:
- /* the core expects 1 for success and 0 for error */
-diff --git a/iptables/nft.h b/iptables/nft.h
-index 0910f82a2773c..4ac7e0099d567 100644
---- a/iptables/nft.h
-+++ b/iptables/nft.h
-@@ -44,6 +44,7 @@ struct nft_cache {
- struct nft_chain_list *chains;
- struct nftnl_set_list *sets;
- bool exists;
-+ bool sorted;
- } table[NFT_TABLE_MAX];
- };
- 
-diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
-index d7901c650ea70..cfce0472f3ee8 100644
---- a/iptables/xtables-save.c
-+++ b/iptables/xtables-save.c
-@@ -87,6 +87,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data)
- printf("*%s\n", tablename);
- /* Dump out chain names first,
- * thereby preventing dependency conflicts */
-+ nft_cache_sort_chains(h, tablename);
- nft_chain_foreach(h, tablename, nft_chain_save, h);
- nft_rule_save(h, tablename, d->format);
- if (d->commit)
--- 
-2.31.1
-
diff --git a/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch b/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
deleted file mode 100644
index cca6d8c..0000000
--- a/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 663151585d25996baee985b9b77b58627de16531 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 6 Apr 2021 10:51:20 +0200
-Subject: [PATCH] nft: Increase BATCH_PAGE_SIZE to support huge rulesets
-
-In order to support the same ruleset sizes as legacy iptables, the
-kernel's limit of 1024 iovecs has to be overcome. Therefore increase
-each iovec's size from 128KB to 2MB.
-
-While being at it, add a log message for failing sendmsg() call. This is
-not supposed to happen, even if the transaction fails. Yet if it does,
-users are left with only a "line XXX failed" message (with line number
-being the COMMIT line).
-
-Signed-off-by: Phil Sutter
-Signed-off-by: Florian Westphal
-(cherry picked from commit a3e81c62e8c5abb4158f1f66df6bbcffd1b33240)
----
- iptables/nft.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/iptables/nft.c b/iptables/nft.c
-index 8b14daeaed610..f1deb82f87576 100644
---- a/iptables/nft.c
-+++ b/iptables/nft.c
-@@ -88,11 +88,11 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
- 
- #define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize())
- 
--/* selected batch page is 256 Kbytes long to load ruleset of
-- * half a million rules without hitting -EMSGSIZE due to large
-- * iovec.
-+/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M
-+ * rules matching on source and destination address as well as input and output
-+ * interfaces. This is what legacy iptables supports.
- */
--#define BATCH_PAGE_SIZE getpagesize() * 32
-+#define BATCH_PAGE_SIZE 2 * 1024 * 1024
- 
- static struct nftnl_batch *mnl_batch_init(void)
- {
-@@ -220,8 +220,10 @@ static int mnl_batch_talk(struct nft_handle *h, int numcmds)
- int err = 0;
- 
- ret = mnl_nft_socket_sendmsg(h, numcmds);
-- if (ret == -1)
-+ if (ret == -1) {
-+ fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));
- return -1;
-+ }
- 
- FD_ZERO(&readfds);
- FD_SET(fd, &readfds);
--- 
-2.31.1
-
diff --git a/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch b/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
deleted file mode 100644
index 9ad1e18..0000000
--- a/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 000c159641522abf56ccb4deebfc558e8bb41302 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 31 Aug 2021 12:26:20 +0200
-Subject: [PATCH] nft: Use xtables_malloc() in mnl_err_list_node_add()
-
-The function called malloc() without checking for memory allocation
-failure. Simply replace the call by xtables_malloc() to fix that.
-
-Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API")
-Signed-off-by: Phil Sutter
-(cherry picked from commit ca11c7b7036b5821c17b8d08dc2a29f55b461a93)
----
- iptables/nft.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/nft.c b/iptables/nft.c
-index f1deb82f87576..83054e528cae1 100644
---- a/iptables/nft.c
-+++ b/iptables/nft.c
-@@ -143,7 +143,7 @@ struct mnl_err {
- static void mnl_err_list_node_add(struct list_head *err_list, int error,
- int seqnum)
- {
-- struct mnl_err *err = malloc(sizeof(struct mnl_err));
-+ struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));
- 
- err->seqnum = seqnum;
- err->err = error;
--- 
-2.33.0
-
diff --git a/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch b/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
deleted file mode 100644
index 377486a..0000000
--- a/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
+++ /dev/null
@@ -1,130 +0,0 @@ -From f73416517ac7bb6868ff4c0199fcd4327c9dffa5 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 28 Jul 2021 17:53:53 +0200 -Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options - -Drop any reference to them (and the environment variable) but list them -in BUGS section hinting at ebtables-save and -restore tools. - -Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page") -Signed-off-by: Phil Sutter -Acked-by: Pablo Neira Ayuso -(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39) ---- - iptables/ebtables-nft.8 | 64 ++++++----------------------------------- - 1 file changed, 8 insertions(+), 56 deletions(-) - -diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 -index 5bdc0bb8a939e..85f6738d7d1aa 100644 ---- a/iptables/ebtables-nft.8 -+++ b/iptables/ebtables-nft.8 -@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based) - .br - .BR "ebtables " [ -t " table ] " --init-table - .br --.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit --.br --.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init --.br --.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save --.br - - .SH DESCRIPTION - .PP -@@ -162,11 +156,9 @@ a table, the commands apply to the default filter table. - Only one command may be used on the command line at a time, except when - the commands - .BR -L " and " -Z --are combined, the commands -+are combined or the commands - .BR -N " and " -P --are combined, or when --.B --atomic-file --is used. -+are combined. - .TP - .B "-A, --append" - Append a rule to the end of the selected chain. -@@ -326,39 +318,6 @@ of the ebtables kernel table. - .TP - .B "--init-table" - Replace the current table data by the initial table data. --.TP --.B "--atomic-init" --Copy the kernel's initial data of the table to the specified --file. This can be used as the first action, after which rules are added --to the file. 
The file can be specified using the --.B --atomic-file --command or through the --.IR EBTABLES_ATOMIC_FILE " environment variable." --.TP --.B "--atomic-save" --Copy the kernel's current data of the table to the specified --file. This can be used as the first action, after which rules are added --to the file. The file can be specified using the --.B --atomic-file --command or through the --.IR EBTABLES_ATOMIC_FILE " environment variable." --.TP --.B "--atomic-commit" --Replace the kernel table data with the data contained in the specified --file. This is a useful command that allows you to load all your rules of a --certain table into the kernel at once, saving the kernel a lot of precious --time and allowing atomic updates of the tables. The file which contains --the table data is constructed by using either the --.B "--atomic-init" --or the --.B "--atomic-save" --command to generate a starting file. After that, using the --.B "--atomic-file" --command when constructing rules or setting the --.IR EBTABLES_ATOMIC_FILE " environment variable" --allows you to extend the file and build the complete table before --committing it to the kernel. This command can be very useful in boot scripts --to populate the ebtables tables in a fast way. - .SS MISCELLANOUS COMMANDS - .TP - .B "-V, --version" -@@ -384,16 +343,6 @@ a target extension (see - .BR "TARGET EXTENSIONS" ")" - or a user-defined chain name. - .TP --.B --atomic-file "\fIfile\fP" --Let the command operate on the specified --.IR file . --The data of the table to --operate on will be extracted from the file and the result of the operation --will be saved back into the file. If specified, this option should come --before the command specification. An alternative that should be preferred, --is setting the --.IR EBTABLES_ATOMIC_FILE " environment variable." 
--.TP - .B -M, --modprobe "\fIprogram\fP" - When talking to the kernel, use this - .I program -@@ -1113,8 +1062,6 @@ arp message and the hardware address length in the arp header is 6 bytes. - .br - .SH FILES - .I /etc/ethertypes --.SH ENVIRONMENT VARIABLES --.I EBTABLES_ATOMIC_FILE - .SH MAILINGLISTS - .BR "" "See " http://netfilter.org/mailinglists.html - .SH BUGS -@@ -1122,7 +1069,12 @@ The version of ebtables this man page ships with does not support the - .B broute - table. Also there is no support for - .B string --match. And finally, this list is probably not complete. -+match. Further, support for atomic-options -+.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit ) -+has not been implemented, although -+.BR ebtables-save " and " ebtables-restore -+might replace them entirely given the inherent atomicity of nftables. -+Finally, this list is probably not complete. - .SH SEE ALSO - .BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8) - .PP --- -2.33.0 - diff --git a/0022-ebtables-Dump-atomic-waste.patch b/0022-ebtables-Dump-atomic-waste.patch deleted file mode 100644 index b5be6cb..0000000 --- a/0022-ebtables-Dump-atomic-waste.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From cb68daac1f24c94a48450a683a5f765dc00da164 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 30 Jul 2021 12:25:10 +0200 -Subject: [PATCH] ebtables: Dump atomic waste - -With ebtables-nft.8 now educating people about the missing -functionality, get rid of atomic remains in source code. This eliminates -mostly comments except for --atomic-commit which was treated as alias of ---init-table. People not using the latter are probably trying to -atomic-commit from an atomic-file which in turn is not supported, so no -point keeping it. - -Signed-off-by: Phil Sutter -(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0) ---- - iptables/xtables-eb.c | 53 ------------------------------------------- - 1 file changed, 53 deletions(-) - -diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c -index 5bb34d6d292a9..aeb4d92166431 100644 ---- a/iptables/xtables-eb.c -+++ b/iptables/xtables-eb.c -@@ -211,10 +211,6 @@ struct option ebt_original_options[] = - { "new-chain" , required_argument, 0, 'N' }, - { "rename-chain" , required_argument, 0, 'E' }, - { "delete-chain" , optional_argument, 0, 'X' }, -- { "atomic-init" , no_argument , 0, 7 }, -- { "atomic-commit" , no_argument , 0, 8 }, -- { "atomic-file" , required_argument, 0, 9 }, -- { "atomic-save" , no_argument , 0, 10 }, - { "init-table" , no_argument , 0, 11 }, - { "concurrent" , no_argument , 0, 13 }, - { 0 } -@@ -320,10 +316,6 @@ static void print_help(const struct xtables_target *t, - "--new-chain -N chain : create a user defined chain\n" - "--rename-chain -E old new : rename a chain\n" - "--delete-chain -X [chain] : delete a user defined chain\n" --"--atomic-commit : update the kernel w/t table contained in \n" --"--atomic-init : put the initial kernel table into \n" --"--atomic-save : put the current kernel table into \n" --"--atomic-file file : set to file\n\n" - "Options:\n" - "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" - "--src -s [!] 
address[/mask]: source mac address\n" -@@ -1088,54 +1080,9 @@ print_zero: - "Use --Lmac2 with -L"); - flags |= LIST_MAC2; - break; -- case 8 : /* atomic-commit */ --/* -- replace->command = c; -- if (OPT_COMMANDS) -- ebt_print_error2("Multiple commands are not allowed"); -- replace->flags |= OPT_COMMAND; -- if (!replace->filename) -- ebt_print_error2("No atomic file specified");*/ -- /* Get the information from the file */ -- /*ebt_get_table(replace, 0);*/ -- /* We don't want the kernel giving us its counters, -- * they would overwrite the counters extracted from -- * the file */ -- /*replace->num_counters = 0;*/ -- /* Make sure the table will be written to the kernel */ -- /*free(replace->filename); -- replace->filename = NULL; -- break;*/ -- /*case 7 :*/ /* atomic-init */ -- /*case 10:*/ /* atomic-save */ - case 11: /* init-table */ - nft_cmd_table_flush(h, *table, false); - return 1; -- /* -- replace->command = c; -- if (OPT_COMMANDS) -- ebt_print_error2("Multiple commands are not allowed"); -- if (c != 11 && !replace->filename) -- ebt_print_error2("No atomic file specified"); -- replace->flags |= OPT_COMMAND; -- { -- char *tmp = replace->filename;*/ -- -- /* Get the kernel table */ -- /*replace->filename = NULL; -- ebt_get_kernel_table(replace, c == 10 ? 0 : 1); -- replace->filename = tmp; -- } -- break; -- case 9 :*/ /* atomic */ -- /* -- if (OPT_COMMANDS) -- ebt_print_error2("--atomic has to come before the command");*/ -- /* A possible memory leak here, but this is not -- * executed in daemon mode */ -- /*replace->filename = (char *)malloc(strlen(optarg) + 1); -- strcpy(replace->filename, optarg); -- break; */ - case 13 : - break; - case 1 : --- -2.33.0 - diff --git a/0023-nft-Fix-for-non-verbose-check-command.patch b/0023-nft-Fix-for-non-verbose-check-command.patch deleted file mode 100644 index da2f873..0000000 --- a/0023-nft-Fix-for-non-verbose-check-command.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From 5b88835a68a886f58c230599a82a6588f6fc5214 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 3 Aug 2021 10:55:20 +0200
-Subject: [PATCH] nft: Fix for non-verbose check command
-
-Check command was unconditionally verbose since v1.8.5. Make it respect
---verbose option again.
-
-Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0)
----
- iptables/nft.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/nft.c b/iptables/nft.c
-index 83054e528cae1..a470939db54fb 100644
---- a/iptables/nft.c
-+++ b/iptables/nft.c
-@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
- case NFT_COMPAT_RULE_CHECK:
- assert_chain_exists(h, cmd->table, cmd->jumpto);
- ret = nft_rule_check(h, cmd->chain, cmd->table,
-- cmd->obj.rule, cmd->rulenum);
-+ cmd->obj.rule, cmd->verbose);
- break;
- case NFT_COMPAT_RULE_ZERO:
- ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
--- 
-2.33.0
-
diff --git a/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch b/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
deleted file mode 100644
index 3b6b62f..0000000
--- a/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 5d5c82f9bbdc8326132333f7713dfb5d457aafab Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 3 Aug 2021 11:32:34 +0200
-Subject: [PATCH] tests/shell: Assert non-verbose mode is silent
-
-Unexpected output from iptables commands might mess up error-checking in
-scripts for instance, so do a quick test of the most common commands.
-
-Note: Test adds two rules to make sure flush command operates on a
-non-empty chain.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 8629c53f933a16f1d68d19fb163c879453a3dcf2)
----
- .../shell/testcases/iptables/0002-verbose-output_0 | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
-index b1ef91f61f481..5d2af4c8d2ab2 100755
---- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
-+++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
-@@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar)
- diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar)
- 
- diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar)
-+
-+# make sure non-verbose mode is silent
-+diff -u <(echo -n "") <(
-+ $XT_MULTI iptables -N foobar
-+ $XT_MULTI iptables -A foobar $RULE1
-+ $XT_MULTI iptables -A foobar $RULE2
-+ $XT_MULTI iptables -C foobar $RULE1
-+ $XT_MULTI iptables -D foobar $RULE2
-+ $XT_MULTI iptables -F foobar
-+ $XT_MULTI iptables -X foobar
-+)
--- 
-2.33.0
-
diff --git a/0025-extensions-SECMARK-Implement-revision-1.patch b/0025-extensions-SECMARK-Implement-revision-1.patch
deleted file mode 100644
index c40010b..0000000
--- a/0025-extensions-SECMARK-Implement-revision-1.patch
+++ /dev/null
@@ -1,177 +0,0 @@ -From 6415593af4223ea082e0086ec1088f0eacfbce78 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 29 Apr 2021 15:28:59 +0200 -Subject: [PATCH] extensions: SECMARK: Implement revision 1 - -The changed data structure for communication with kernel allows to -exclude the field 'secid' which is populated on kernel side. Thus -this fixes the formerly always failing extension comparison breaking -rule check and rule delete by content. - -Signed-off-by: Phil Sutter -(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72) ---- - extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++------- - extensions/libxt_SECMARK.t | 4 ++ - include/linux/netfilter/xt_SECMARK.h | 6 ++ - 3 files changed, 80 insertions(+), 20 deletions(-) - create mode 100644 extensions/libxt_SECMARK.t - -diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c -index 6ba8606355daa..24249bd618ffe 100644 ---- a/extensions/libxt_SECMARK.c -+++ b/extensions/libxt_SECMARK.c -@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = { - XTOPT_TABLEEND, - }; - -+static const struct xt_option_entry SECMARK_opts_v1[] = { -+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING, -+ .flags = XTOPT_MAND | XTOPT_PUT, -+ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)}, -+ XTOPT_TABLEEND, -+}; -+ - static void SECMARK_parse(struct xt_option_call *cb) - { - struct xt_secmark_target_info *info = cb->data; -@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb) - info->mode = SECMARK_MODE_SEL; - } - --static void print_secmark(const struct xt_secmark_target_info *info) -+static void SECMARK_parse_v1(struct xt_option_call *cb) -+{ -+ struct xt_secmark_target_info_v1 *info = cb->data; -+ -+ xtables_option_parse(cb); -+ info->mode = SECMARK_MODE_SEL; -+} -+ -+static void print_secmark(__u8 mode, const char *secctx) - { -- switch (info->mode) { -+ switch (mode) { - case SECMARK_MODE_SEL: -- printf("selctx %s", info->secctx); -+ 
printf("selctx %s", secctx); - break; -- -+ - default: -- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode); -+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode); - } - } - -@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target, - (struct xt_secmark_target_info*)(target)->data; - - printf(" SECMARK "); -- print_secmark(info); -+ print_secmark(info->mode, info->secctx); -+} -+ -+static void SECMARK_print_v1(const void *ip, -+ const struct xt_entry_target *target, int numeric) -+{ -+ const struct xt_secmark_target_info_v1 *info = -+ (struct xt_secmark_target_info_v1 *)(target)->data; -+ -+ printf(" SECMARK "); -+ print_secmark(info->mode, info->secctx); - } - - static void SECMARK_save(const void *ip, const struct xt_entry_target *target) -@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target) - (struct xt_secmark_target_info*)target->data; - - printf(" --"); -- print_secmark(info); -+ print_secmark(info->mode, info->secctx); - } - --static struct xtables_target secmark_target = { -- .family = NFPROTO_UNSPEC, -- .name = "SECMARK", -- .version = XTABLES_VERSION, -- .revision = 0, -- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)), -- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)), -- .help = SECMARK_help, -- .print = SECMARK_print, -- .save = SECMARK_save, -- .x6_parse = SECMARK_parse, -- .x6_options = SECMARK_opts, -+static void SECMARK_save_v1(const void *ip, -+ const struct xt_entry_target *target) -+{ -+ const struct xt_secmark_target_info_v1 *info = -+ (struct xt_secmark_target_info_v1 *)target->data; -+ -+ printf(" --"); -+ print_secmark(info->mode, info->secctx); -+} -+ -+static struct xtables_target secmark_tg_reg[] = { -+ { -+ .family = NFPROTO_UNSPEC, -+ .name = "SECMARK", -+ .version = XTABLES_VERSION, -+ .revision = 0, -+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)), -+ .userspacesize = 
XT_ALIGN(sizeof(struct xt_secmark_target_info)), -+ .help = SECMARK_help, -+ .print = SECMARK_print, -+ .save = SECMARK_save, -+ .x6_parse = SECMARK_parse, -+ .x6_options = SECMARK_opts, -+ }, -+ { -+ .family = NFPROTO_UNSPEC, -+ .name = "SECMARK", -+ .version = XTABLES_VERSION, -+ .revision = 1, -+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)), -+ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)), -+ .help = SECMARK_help, -+ .print = SECMARK_print_v1, -+ .save = SECMARK_save_v1, -+ .x6_parse = SECMARK_parse_v1, -+ .x6_options = SECMARK_opts_v1, -+ } - }; - - void _init(void) - { -- xtables_register_target(&secmark_target); -+ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg)); - } -diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t -new file mode 100644 -index 0000000000000..39d4c09348bf4 ---- /dev/null -+++ b/extensions/libxt_SECMARK.t -@@ -0,0 +1,4 @@ -+:INPUT,FORWARD,OUTPUT -+*security -+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK -+-j SECMARK;;FAIL -diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h -index 989092bd6274b..31760a286a854 100644 ---- a/include/linux/netfilter/xt_SECMARK.h -+++ b/include/linux/netfilter/xt_SECMARK.h -@@ -19,4 +19,10 @@ struct xt_secmark_target_info { - char secctx[SECMARK_SECCTX_MAX]; - }; - -+struct xt_secmark_target_info_v1 { -+ __u8 mode; -+ char secctx[SECMARK_SECCTX_MAX]; -+ __u32 secid; -+}; -+ - #endif /*_XT_SECMARK_H_target */ --- -2.34.1 - diff --git a/0027-nft-Simplify-immediate-parsing.patch b/0027-nft-Simplify-immediate-parsing.patch deleted file mode 100644 index b457dbc..0000000 --- a/0027-nft-Simplify-immediate-parsing.patch +++ /dev/null 
@@ -1,199 +0,0 @@ -From c4bc02802cb95af82d30cb0ad605060694640e07 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 1 Mar 2022 18:59:31 +0100 -Subject: [PATCH] nft: Simplify immediate parsing - -Implementations of parse_immediate callback are mostly trivial, the only -relevant part is access to family-specific parts of struct -iptables_command_state when setting goto flag for iptables and -ip6tables. Refactor them into simple set_goto_flag callbacks. - -Signed-off-by: Phil Sutter -Acked-by: Florian Westphal -(cherry picked from commit b5f2faea325a315bfb932ebc634f3298d4824cae) ---- - iptables/nft-arp.c | 9 --------- - iptables/nft-bridge.c | 9 --------- - iptables/nft-ipv4.c | 12 +++--------- - iptables/nft-ipv6.c | 12 +++--------- - iptables/nft-shared.c | 17 +++++++---------- - iptables/nft-shared.h | 2 +- - 6 files changed, 14 insertions(+), 47 deletions(-) - -diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c -index 2a9387a18dffe..d55e06572b283 100644 ---- a/iptables/nft-arp.c -+++ b/iptables/nft-arp.c -@@ -182,14 +182,6 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - fw->arp.invflags |= flags; - } - --static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto, -- void *data) --{ -- struct iptables_command_state *cs = data; -- -- cs->jumpto = jumpto; --} -- - static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask) - { - mask->s_addr = ctx->bitwise.mask[0]; -@@ -552,7 +544,6 @@ struct nft_family_ops nft_family_ops_arp = { - .print_payload = NULL, - .parse_meta = nft_arp_parse_meta, - .parse_payload = nft_arp_parse_payload, -- .parse_immediate = nft_arp_parse_immediate, - .print_header = nft_arp_print_header, - .print_rule = nft_arp_print_rule, - .save_rule = nft_arp_save_rule, -diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c -index d98fd527d9549..5807c0d32a97c 100644 ---- a/iptables/nft-bridge.c -+++ b/iptables/nft-bridge.c -@@ -251,14 +251,6 @@ static void 
nft_bridge_parse_payload(struct nft_xt_ctx *ctx, - } - } - --static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto, -- void *data) --{ -- struct iptables_command_state *cs = data; -- -- cs->jumpto = jumpto; --} -- - /* return 0 if saddr, 1 if daddr, -1 on error */ - static int - lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len) -@@ -889,7 +881,6 @@ struct nft_family_ops nft_family_ops_bridge = { - .print_payload = NULL, - .parse_meta = nft_bridge_parse_meta, - .parse_payload = nft_bridge_parse_payload, -- .parse_immediate = nft_bridge_parse_immediate, - .parse_lookup = nft_bridge_parse_lookup, - .parse_match = nft_bridge_parse_match, - .parse_target = nft_bridge_parse_target, -diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c -index 34f94bd8cc24a..80b8954f4a39d 100644 ---- a/iptables/nft-ipv4.c -+++ b/iptables/nft-ipv4.c -@@ -241,15 +241,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx, - } - } - --static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto, -- void *data) -+static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs) - { -- struct iptables_command_state *cs = data; -- -- cs->jumpto = jumpto; -- -- if (nft_goto) -- cs->fw.ip.flags |= IPT_F_GOTO; -+ cs->fw.ip.flags |= IPT_F_GOTO; - } - - static void print_fragment(unsigned int flags, unsigned int invflags, -@@ -473,7 +467,7 @@ struct nft_family_ops nft_family_ops_ipv4 = { - .is_same = nft_ipv4_is_same, - .parse_meta = nft_ipv4_parse_meta, - .parse_payload = nft_ipv4_parse_payload, -- .parse_immediate = nft_ipv4_parse_immediate, -+ .set_goto_flag = nft_ipv4_set_goto_flag, - .print_header = print_header, - .print_rule = nft_ipv4_print_rule, - .save_rule = nft_ipv4_save_rule, -diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c -index d9c9400ad7dc3..663401b49f94d 100644 ---- a/iptables/nft-ipv6.c -+++ b/iptables/nft-ipv6.c -@@ -180,15 +180,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx, - } - } - 
--static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto, -- void *data) -+static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs) - { -- struct iptables_command_state *cs = data; -- -- cs->jumpto = jumpto; -- -- if (nft_goto) -- cs->fw6.ipv6.flags |= IP6T_F_GOTO; -+ cs->fw6.ipv6.flags |= IP6T_F_GOTO; - } - - static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r, -@@ -415,7 +409,7 @@ struct nft_family_ops nft_family_ops_ipv6 = { - .is_same = nft_ipv6_is_same, - .parse_meta = nft_ipv6_parse_meta, - .parse_payload = nft_ipv6_parse_payload, -- .parse_immediate = nft_ipv6_parse_immediate, -+ .set_goto_flag = nft_ipv6_set_goto_flag, - .print_header = print_header, - .print_rule = nft_ipv6_print_rule, - .save_rule = nft_ipv6_save_rule, -diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c -index c1664b50f9383..bd0c8895d48bb 100644 ---- a/iptables/nft-shared.c -+++ b/iptables/nft-shared.c -@@ -510,9 +510,7 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters - static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e) - { - const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN); -- const char *jumpto = NULL; -- bool nft_goto = false; -- void *data = ctx->cs; -+ struct iptables_command_state *cs = ctx->cs; - int verdict; - - if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) { -@@ -535,23 +533,22 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e) - /* Standard target? 
*/ - switch(verdict) { - case NF_ACCEPT: -- jumpto = "ACCEPT"; -+ cs->jumpto = "ACCEPT"; - break; - case NF_DROP: -- jumpto = "DROP"; -+ cs->jumpto = "DROP"; - break; - case NFT_RETURN: -- jumpto = "RETURN"; -+ cs->jumpto = "RETURN"; - break;; - case NFT_GOTO: -- nft_goto = true; -+ if (ctx->h->ops->set_goto_flag) -+ ctx->h->ops->set_goto_flag(cs); - /* fall through */ - case NFT_JUMP: -- jumpto = chain; -+ cs->jumpto = chain; - break; - } -- -- ctx->h->ops->parse_immediate(jumpto, nft_goto, data); - } - - static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e) -diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h -index da4ba9d2ba8de..e4ef16cc24f12 100644 ---- a/iptables/nft-shared.h -+++ b/iptables/nft-shared.h -@@ -89,7 +89,7 @@ struct nft_family_ops { - void *data); - void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e, - void *data); -- void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data); -+ void (*set_goto_flag)(struct iptables_command_state *cs); - - void (*print_table_header)(const char *tablename); - void (*print_header)(unsigned int format, const char *chain, --- -2.34.1 - diff --git a/0028-nft-Speed-up-immediate-parsing.patch b/0028-nft-Speed-up-immediate-parsing.patch deleted file mode 100644 index 051c4b6..0000000 --- a/0028-nft-Speed-up-immediate-parsing.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From 88dbd59dcf172b54e650f267c490d70ee55235d5 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 1 Mar 2022 19:46:21 +0100 -Subject: [PATCH] nft: Speed up immediate parsing - -Parsing of rules which jump to a chain pointlessly causes a call to -xtables_find_target() despite the code already knowing the outcome. - -Avoid the significant delay for rulesets with many chain jumps by -performing the (standard) target lookup only for accept/drop/return -verdicts. - -From a biased test-case on my VM: - -| # iptables-nft-save | grep -c -- '-j' -| 133943 -| # time ./old/iptables-nft-save >/dev/null -| real 0m45.566s -| user 0m1.308s -| sys 0m8.430s -| # time ./new/iptables-nft-save >/dev/null -| real 0m3.547s -| user 0m0.762s -| sys 0m2.476s - -Signed-off-by: Phil Sutter -Acked-by: Florian Westphal -(cherry picked from commit 07ee529f5a62838d68be59683be99bf6a7cda0f2) ---- - iptables/nft-bridge.c | 1 + - iptables/nft-shared.c | 37 ++++++++++++++++++------------------- - 2 files changed, 19 insertions(+), 19 deletions(-) - -diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c -index 5807c0d32a97c..4df71f0c775e3 100644 ---- a/iptables/nft-bridge.c -+++ b/iptables/nft-bridge.c -@@ -506,6 +506,7 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data) - } - - cs->target = t; -+ cs->jumpto = t->name; - } - - static void nft_rule_to_ebtables_command_state(struct nft_handle *h, -diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c -index bd0c8895d48bb..1aaaa8159ff61 100644 ---- a/iptables/nft-shared.c -+++ b/iptables/nft-shared.c -@@ -511,6 +511,8 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e) - { - const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN); - struct iptables_command_state *cs = ctx->cs; -+ struct xt_entry_target *t; -+ uint32_t size; - int verdict; - - if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) { -@@ -547,8 +549,21 @@ static void nft_parse_immediate(struct nft_xt_ctx 
*ctx, struct nftnl_expr *e) - /* fall through */ - case NFT_JUMP: - cs->jumpto = chain; -- break; -+ /* fall through */ -+ default: -+ return; - } -+ -+ cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD); -+ if (!cs->target) -+ return; -+ -+ size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size; -+ t = xtables_calloc(1, size); -+ t->u.target_size = size; -+ t->u.user.revision = cs->target->revision; -+ strcpy(t->u.user.name, cs->jumpto); -+ cs->target->t = t; - } - - static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e) -@@ -676,25 +691,8 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h, - } - } - -- if (cs->target != NULL) { -- cs->jumpto = cs->target->name; -- } else if (cs->jumpto != NULL) { -- struct xt_entry_target *t; -- uint32_t size; -- -- cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD); -- if (!cs->target) -- return; -- -- size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size; -- t = xtables_calloc(1, size); -- t->u.target_size = size; -- t->u.user.revision = cs->target->revision; -- strcpy(t->u.user.name, cs->jumpto); -- cs->target->t = t; -- } else { -+ if (!cs->jumpto) - cs->jumpto = ""; -- } - } - - void nft_clear_iptables_command_state(struct iptables_command_state *cs) -@@ -983,6 +981,7 @@ void nft_ipv46_parse_target(struct xtables_target *t, void *data) - struct iptables_command_state *cs = data; - - cs->target = t; -+ cs->jumpto = t->name; - } - - void nft_check_xt_legacy(int family, bool is_ipt_save) --- -2.34.1 - diff --git a/0029-xshared-Prefer-xtables_chain_protos-lookup-over-getp.patch b/0029-xshared-Prefer-xtables_chain_protos-lookup-over-getp.patch deleted file mode 100644 index ef1a256..0000000 --- a/0029-xshared-Prefer-xtables_chain_protos-lookup-over-getp.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 970ab34aa07f2fdb6ad8a79bc5b7a1d9a5bcd482 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 1 Mar 2022 23:05:29 +0100 -Subject: [PATCH] xshared: Prefer xtables_chain_protos lookup over getprotoent - -When dumping a large ruleset, common protocol matches such as for TCP -port number significantly slow down rule printing due to repeated calls -for getprotobynumber(). The latter does not involve any caching, so -/etc/protocols is consulted over and over again. - -As a simple countermeasure, make functions converting between proto -number and name prefer the built-in list of "well-known" protocols. This -is not a perfect solution, repeated rules for protocol names libxtables -does not cache (e.g. igmp or dccp) will still be slow. Implementing -getprotoent() result caching could solve this. - -As a side-effect, explicit check for pseudo-protocol "all" may be -dropped as it is contained in the built-in list and therefore immutable. - -Also update xtables_chain_protos entries a bit to align with typical -/etc/protocols contents. The testsuite assumes those names, so the -preferred ones prior to this patch are indeed uncommon nowadays. 
- -Signed-off-by: Phil Sutter -Acked-by: Florian Westphal -(cherry picked from commit b6196c7504d4d41827cea86c167926125cdbf1f3) ---- - iptables/xshared.c | 8 ++++---- - libxtables/xtables.c | 19 ++++++------------- - 2 files changed, 10 insertions(+), 17 deletions(-) - -diff --git a/iptables/xshared.c b/iptables/xshared.c -index 4027d9240215e..68aea42146c36 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -52,16 +52,16 @@ proto_to_name(uint8_t proto, int nolookup) - { - unsigned int i; - -+ for (i = 0; xtables_chain_protos[i].name != NULL; ++i) -+ if (xtables_chain_protos[i].num == proto) -+ return xtables_chain_protos[i].name; -+ - if (proto && !nolookup) { - struct protoent *pent = getprotobynumber(proto); - if (pent) - return pent->p_name; - } - -- for (i = 0; xtables_chain_protos[i].name != NULL; ++i) -- if (xtables_chain_protos[i].num == proto) -- return xtables_chain_protos[i].name; -- - return NULL; - } - -diff --git a/libxtables/xtables.c b/libxtables/xtables.c -index 1931e3896262a..a991e4fcc9b92 100644 ---- a/libxtables/xtables.c -+++ b/libxtables/xtables.c -@@ -2078,10 +2078,11 @@ const struct xtables_pprot xtables_chain_protos[] = { - {"udp", IPPROTO_UDP}, - {"udplite", IPPROTO_UDPLITE}, - {"icmp", IPPROTO_ICMP}, -- {"icmpv6", IPPROTO_ICMPV6}, - {"ipv6-icmp", IPPROTO_ICMPV6}, -+ {"icmpv6", IPPROTO_ICMPV6}, - {"esp", IPPROTO_ESP}, - {"ah", IPPROTO_AH}, -+ {"mobility-header", IPPROTO_MH}, - {"ipv6-mh", IPPROTO_MH}, - {"mh", IPPROTO_MH}, - {"all", 0}, -@@ -2097,23 +2098,15 @@ xtables_parse_protocol(const char *s) - if (xtables_strtoui(s, NULL, &proto, 0, UINT8_MAX)) - return proto; - -- /* first deal with the special case of 'all' to prevent -- * people from being able to redefine 'all' in nsswitch -- * and/or provoke expensive [not working] ldap/nis/... 
-- * lookups */ -- if (strcmp(s, "all") == 0) -- return 0; -+ for (i = 0; xtables_chain_protos[i].name != NULL; ++i) { -+ if (strcmp(s, xtables_chain_protos[i].name) == 0) -+ return xtables_chain_protos[i].num; -+ } - - pent = getprotobyname(s); - if (pent != NULL) - return pent->p_proto; - -- for (i = 0; i < ARRAY_SIZE(xtables_chain_protos); ++i) { -- if (xtables_chain_protos[i].name == NULL) -- continue; -- if (strcmp(s, xtables_chain_protos[i].name) == 0) -- return xtables_chain_protos[i].num; -- } - xt_params->exit_err(PARAMETER_PROBLEM, - "unknown protocol \"%s\" specified", s); - return -1; --- -2.34.1 - diff --git a/0030-xshared-Merge-and-share-parse_chain.patch b/0030-xshared-Merge-and-share-parse_chain.patch deleted file mode 100644 index ef8ea58..0000000 --- a/0030-xshared-Merge-and-share-parse_chain.patch +++ /dev/null 
@@ -1,164 +0,0 @@ -From b65a9a258a0fc3c19a64a8426b28f7bcbe438cf5 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 5 Apr 2019 13:21:19 +0200 -Subject: [PATCH] xshared: Merge and share parse_chain() - -Have a common routine to perform chain name checks, combining all -variants' requirements. - -Signed-off-by: Phil Sutter -(cherry picked from commit 1189d830ea4fd269da87761d400ebabca02e1ef3) - -Conflicts: - iptables/ip6tables.c - iptables/xshared.c --> Context changes due to missing commit 9dc50b5b8e441 - ("xshared: Merge invflags handling code") ---- - iptables/ip6tables.c | 26 -------------------------- - iptables/iptables.c | 25 ------------------------- - iptables/xshared.c | 24 ++++++++++++++++++++++++ - iptables/xshared.h | 1 + - iptables/xtables.c | 9 +-------- - 5 files changed, 26 insertions(+), 59 deletions(-) - -diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c -index c95355b091568..f53d0a8d0f169 100644 ---- a/iptables/ip6tables.c -+++ b/iptables/ip6tables.c -@@ -248,32 +248,6 @@ static int is_exthdr(uint16_t proto) - proto == IPPROTO_DSTOPTS); - } - --static void --parse_chain(const char *chainname) --{ -- const char *ptr; -- -- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) -- xtables_error(PARAMETER_PROBLEM, -- "chain name `%s' too long (must be under %u chars)", -- chainname, XT_EXTENSION_MAXNAMELEN); -- -- if (*chainname == '-' || *chainname == '!') -- xtables_error(PARAMETER_PROBLEM, -- "chain name not allowed to start " -- "with `%c'\n", *chainname); -- -- if (xtables_find_target(chainname, XTF_TRY_LOAD)) -- xtables_error(PARAMETER_PROBLEM, -- "chain name may not clash " -- "with target name\n"); -- -- for (ptr = chainname; *ptr; ptr++) -- if (isspace(*ptr)) -- xtables_error(PARAMETER_PROBLEM, -- "Invalid chain name `%s'", chainname); --} -- - static void - set_option(unsigned int *options, unsigned int option, uint8_t *invflg, - int invert) -diff --git a/iptables/iptables.c b/iptables/iptables.c -index 7d6183116d265..18cc4f7690a24 
100644 ---- a/iptables/iptables.c -+++ b/iptables/iptables.c -@@ -239,31 +239,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...) - - /* Christophe Burki wants `-p 6' to imply `-m tcp'. */ - --static void --parse_chain(const char *chainname) --{ -- const char *ptr; -- -- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) -- xtables_error(PARAMETER_PROBLEM, -- "chain name `%s' too long (must be under %u chars)", -- chainname, XT_EXTENSION_MAXNAMELEN); -- -- if (*chainname == '-' || *chainname == '!') -- xtables_error(PARAMETER_PROBLEM, -- "chain name not allowed to start " -- "with `%c'\n", *chainname); -- -- if (xtables_find_target(chainname, XTF_TRY_LOAD)) -- xtables_error(PARAMETER_PROBLEM, -- "chain name may not clash " -- "with target name\n"); -- -- for (ptr = chainname; *ptr; ptr++) -- if (isspace(*ptr)) -- xtables_error(PARAMETER_PROBLEM, -- "Invalid chain name `%s'", chainname); --} - - static void - set_option(unsigned int *options, unsigned int option, uint8_t *invflg, -diff --git a/iptables/xshared.c b/iptables/xshared.c -index 68aea42146c36..d71724a2591dc 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -853,3 +853,27 @@ char opt2char(int option) - - return *ptr; - } -+ -+void parse_chain(const char *chainname) -+{ -+ const char *ptr; -+ -+ if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN) -+ xtables_error(PARAMETER_PROBLEM, -+ "chain name `%s' too long (must be under %u chars)", -+ chainname, XT_EXTENSION_MAXNAMELEN); -+ -+ if (*chainname == '-' || *chainname == '!') -+ xtables_error(PARAMETER_PROBLEM, -+ "chain name not allowed to start with `%c'\n", -+ *chainname); -+ -+ if (xtables_find_target(chainname, XTF_TRY_LOAD)) -+ xtables_error(PARAMETER_PROBLEM, -+ "chain name may not clash with target name\n"); -+ -+ for (ptr = chainname; *ptr; ptr++) -+ if (isspace(*ptr)) -+ xtables_error(PARAMETER_PROBLEM, -+ "Invalid chain name `%s'", chainname); -+} -diff --git a/iptables/xshared.h b/iptables/xshared.h -index 
1e86aba8b2375..4f52117d5228d 100644 ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -223,6 +223,7 @@ char cmd2char(int option); - void add_command(unsigned int *cmd, const int newcmd, - const int othercmds, int invert); - int parse_rulenumber(const char *rule); -+void parse_chain(const char *chainname); - - void generic_opt_check(int command, int options); - char opt2char(int option); -diff --git a/iptables/xtables.c b/iptables/xtables.c -index 9779bd83d53b3..54f887f80497e 100644 ---- a/iptables/xtables.c -+++ b/iptables/xtables.c -@@ -587,14 +587,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], - break; - - case 'N': -- if (optarg && (*optarg == '-' || *optarg == '!')) -- xtables_error(PARAMETER_PROBLEM, -- "chain name not allowed to start " -- "with `%c'\n", *optarg); -- if (xtables_find_target(optarg, XTF_TRY_LOAD)) -- xtables_error(PARAMETER_PROBLEM, -- "chain name may not clash " -- "with target name\n"); -+ parse_chain(optarg); - add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE, - cs->invert); - p->chain = optarg; --- -2.34.1 - diff --git a/0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch b/0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch deleted file mode 100644 index e76173c..0000000 --- a/0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From dfd4dc4b930101659aed2d46b3ec70a6df3a520d Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 16 Mar 2022 17:14:07 +0100 -Subject: [PATCH] nft: Reject standard targets as chain names when restoring - -Reuse parse_chain() called from do_parse() for '-N' and rename it for a -better description of what it does. - -Note that by itself, this patch will likely kill iptables-restore -performance for big rulesets due to the extra extension lookup for chain -lines. A following patch announcing those chains to libxtables will -alleviate that. - -Signed-off-by: Phil Sutter -Reviewed-by: Florian Westphal -(cherry picked from commit b1aee6b2238794446feba41778f88703784560f7) - -Conflicts: - iptables/xshared.c --> Parts manually applied due to unmerged do_parse() function. ---- - iptables/ip6tables.c | 2 +- - iptables/iptables.c | 2 +- - iptables/xshared.c | 2 +- - iptables/xshared.h | 2 +- - iptables/xtables-restore.c | 5 +---- - iptables/xtables.c | 2 +- - 6 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c -index f53d0a8d0f169..4422e28276ab5 100644 ---- a/iptables/ip6tables.c -+++ b/iptables/ip6tables.c -@@ -1168,7 +1168,7 @@ int do_command6(int argc, char *argv[], char **table, - break; - - case 'N': -- parse_chain(optarg); -+ assert_valid_chain_name(optarg); - add_command(&command, CMD_NEW_CHAIN, CMD_NONE, - cs.invert); - chain = optarg; -diff --git a/iptables/iptables.c b/iptables/iptables.c -index 18cc4f7690a24..bbb87f16f8d1d 100644 ---- a/iptables/iptables.c -+++ b/iptables/iptables.c -@@ -1163,7 +1163,7 @@ int do_command4(int argc, char *argv[], char **table, - break; - - case 'N': -- parse_chain(optarg); -+ assert_valid_chain_name(optarg); - add_command(&command, CMD_NEW_CHAIN, CMD_NONE, - cs.invert); - chain = optarg; -diff --git a/iptables/xshared.c b/iptables/xshared.c -index d71724a2591dc..171b0bdb7ca27 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -854,7 +854,7 @@ 
char opt2char(int option) - return *ptr; - } - --void parse_chain(const char *chainname) -+void assert_valid_chain_name(const char *chainname) - { - const char *ptr; - -diff --git a/iptables/xshared.h b/iptables/xshared.h -index 4f52117d5228d..84f1a559aafb2 100644 ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -223,7 +223,7 @@ char cmd2char(int option); - void add_command(unsigned int *cmd, const int newcmd, - const int othercmds, int invert); - int parse_rulenumber(const char *rule); --void parse_chain(const char *chainname); -+void assert_valid_chain_name(const char *chainname); - - void generic_opt_check(int command, int options); - char opt2char(int option); -diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c -index d27394972d90c..074efeab0b4e7 100644 ---- a/iptables/xtables-restore.c -+++ b/iptables/xtables-restore.c -@@ -155,10 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h, - "%s: line %u chain name invalid\n", - xt_params->program_name, line); - -- if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN) -- xtables_error(PARAMETER_PROBLEM, -- "Invalid chain name `%s' (%u chars max)", -- chain, XT_EXTENSION_MAXNAMELEN - 1); -+ assert_valid_chain_name(chain); - - policy = strtok(NULL, " \t\n"); - DEBUGP("line %u, policy '%s'\n", line, policy); -diff --git a/iptables/xtables.c b/iptables/xtables.c -index 54f887f80497e..a9b9e12e55c2f 100644 ---- a/iptables/xtables.c -+++ b/iptables/xtables.c -@@ -587,7 +587,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[], - break; - - case 'N': -- parse_chain(optarg); -+ assert_valid_chain_name(optarg); - add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE, - cs->invert); - p->chain = optarg; --- -2.34.1 - diff --git a/0032-libxtables-Implement-notargets-hash-table.patch b/0032-libxtables-Implement-notargets-hash-table.patch deleted file mode 100644 index f865dd9..0000000 --- a/0032-libxtables-Implement-notargets-hash-table.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -From 7241ebe5cff638bb1422448679d672aa52b3c367 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 15 Dec 2020 15:40:56 +0100 -Subject: [PATCH] libxtables: Implement notargets hash table - -Target lookup is relatively costly due to the filesystem access. Avoid -this overhead in huge rulesets which contain many chain jumps by caching -the failed lookups into a hashtable for later. - -Signed-off-by: Phil Sutter -Acked-by: Florian Westphal -(cherry picked from commit f58b0d7406451afbb4b9b6c7888990c964fa7c79) ---- - libxtables/xtables.c | 75 ++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 75 insertions(+) - -diff --git a/libxtables/xtables.c b/libxtables/xtables.c -index a991e4fcc9b92..e8e900e869e1e 100644 ---- a/libxtables/xtables.c -+++ b/libxtables/xtables.c -@@ -48,6 +48,7 @@ - #include - #include - #include -+#include - - #ifndef NO_SHARED_LIBS - #include -@@ -242,6 +243,71 @@ static void dlreg_free(void) - } - #endif - -+struct notarget { -+ struct hlist_node node; -+ char name[]; -+}; -+ -+#define NOTARGET_HSIZE 512 -+static struct hlist_head notargets[NOTARGET_HSIZE]; -+ -+static void notargets_hlist_init(void) -+{ -+ int i; -+ -+ for (i = 0; i < NOTARGET_HSIZE; i++) -+ INIT_HLIST_HEAD(¬argets[i]); -+} -+ -+static void notargets_hlist_free(void) -+{ -+ struct hlist_node *pos, *n; -+ struct notarget *cur; -+ int i; -+ -+ for (i = 0; i < NOTARGET_HSIZE; i++) { -+ hlist_for_each_entry_safe(cur, pos, n, ¬argets[i], node) { -+ hlist_del(&cur->node); -+ free(cur); -+ } -+ } -+} -+ -+static uint32_t djb_hash(const char *key) -+{ -+ uint32_t i, hash = 5381; -+ -+ for (i = 0; i < strlen(key); i++) -+ hash = ((hash << 5) + hash) + key[i]; -+ -+ return hash; -+} -+ -+static struct notarget *notargets_hlist_lookup(const char *name) -+{ -+ uint32_t key = djb_hash(name) % NOTARGET_HSIZE; -+ struct hlist_node *node; -+ struct notarget *cur; -+ -+ hlist_for_each_entry(cur, node, ¬argets[key], node) { -+ if (!strcmp(name, cur->name)) -+ 
return cur; -+ } -+ return NULL; -+} -+ -+static void notargets_hlist_insert(const char *name) -+{ -+ struct notarget *cur; -+ -+ if (!name) -+ return; -+ -+ cur = xtables_malloc(sizeof(*cur) + strlen(name) + 1); -+ strcpy(cur->name, name); -+ hlist_add_head(&cur->node, ¬argets[djb_hash(name) % NOTARGET_HSIZE]); -+} -+ - void xtables_init(void) - { - xtables_libdir = getenv("XTABLES_LIBDIR"); -@@ -267,6 +333,8 @@ void xtables_init(void) - return; - } - xtables_libdir = XTABLES_LIBDIR; -+ -+ notargets_hlist_init(); - } - - void xtables_fini(void) -@@ -274,6 +342,7 @@ void xtables_fini(void) - #ifndef NO_SHARED_LIBS - dlreg_free(); - #endif -+ notargets_hlist_free(); - } - - void xtables_set_nfproto(uint8_t nfproto) -@@ -808,6 +877,10 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) - || strcmp(name, XTC_LABEL_QUEUE) == 0 - || strcmp(name, XTC_LABEL_RETURN) == 0) - name = "standard"; -+ /* known non-target? */ -+ else if (notargets_hlist_lookup(name) && -+ tryload != XTF_LOAD_MUST_SUCCEED) -+ return NULL; - - /* Trigger delayed initialization */ - for (dptr = &xtables_pending_targets; *dptr; ) { -@@ -871,6 +944,8 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) - - if (ptr) - ptr->used = 1; -+ else -+ notargets_hlist_insert(name); - - return ptr; - } --- -2.34.1 - diff --git a/0033-libxtables-Boost-rule-target-checks-by-announcing-ch.patch b/0033-libxtables-Boost-rule-target-checks-by-announcing-ch.patch deleted file mode 100644 index ee84561..0000000 --- a/0033-libxtables-Boost-rule-target-checks-by-announcing-ch.patch +++ /dev/null 
@@ -1,86 +0,0 @@
-From 2b17d7f73969459ee0d6503f10ac4122452431d1 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 4 Mar 2022 12:50:01 +0100
-Subject: [PATCH] libxtables: Boost rule target checks by announcing chain
- names
-
-When restoring a ruleset, feed libxtables with chain names from
-respective lines to avoid an extension search.
-
-While the user's intention is clear, this effectively disables the
-sanity check for clashes with target extensions. But:
-
-* The check yielded only a warning and the clashing chain was finally
- accepted.
-
-* Users crafting iptables dumps for feeding into iptables-restore likely
- know what they're doing.
-
-Signed-off-by: Phil Sutter
-Acked-by: Florian Westphal
-(cherry picked from commit ac4c84cc63d3cc021ca532692885a644fcde4518)
----
- include/xtables.h | 3 +++
- iptables/iptables-restore.c | 1 +
- iptables/xtables-restore.c | 1 +
- libxtables/xtables.c | 6 ++++++
- 4 files changed, 11 insertions(+)
-
-diff --git a/include/xtables.h b/include/xtables.h
-index 107ad7d65e6fc..b5a6764abfa4e 100644
---- a/include/xtables.h
-+++ b/include/xtables.h
-@@ -637,6 +637,9 @@ void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
- const char *xt_xlate_get_comment(struct xt_xlate *xl);
- const char *xt_xlate_get(struct xt_xlate *xl);
-
-+/* informed target lookups */
-+void xtables_announce_chain(const char *name);
-+
- #ifdef XTABLES_INTERNAL
-
- /* Shipped modules rely on this... */
-diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
-index cc2c2b8b10086..a34d95015c93c 100644
---- a/iptables/iptables-restore.c
-+++ b/iptables/iptables-restore.c
-@@ -311,6 +311,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
- cb->ops->strerror(errno));
- }
-
-+ xtables_announce_chain(chain);
- ret = 1;
-
- } else if (in_table) {
-diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
-index 074efeab0b4e7..7e347e49aaaaa 100644
---- a/iptables/xtables-restore.c
-+++ b/iptables/xtables-restore.c
-@@ -155,6 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
- "%s: line %u chain name invalid\n",
- xt_params->program_name, line);
-
-+ xtables_announce_chain(chain);
- assert_valid_chain_name(chain);
-
- policy = strtok(NULL, " \t\n");
-diff --git a/libxtables/xtables.c b/libxtables/xtables.c
-index e8e900e869e1e..64d347e6ed434 100644
---- a/libxtables/xtables.c
-+++ b/libxtables/xtables.c
-@@ -308,6 +308,12 @@ static void notargets_hlist_insert(const char *name)
- hlist_add_head(&cur->node, ¬argets[djb_hash(name) % NOTARGET_HSIZE]);
- }
-
-+void xtables_announce_chain(const char *name)
-+{
-+ if (!notargets_hlist_lookup(name))
-+ notargets_hlist_insert(name);
-+}
-+
- void xtables_init(void)
- {
- xtables_libdir = getenv("XTABLES_LIBDIR");
---
-2.34.1
-
diff --git a/0034-Use-proto_to_name-from-xshared-in-more-places.patch b/0034-Use-proto_to_name-from-xshared-in-more-places.patch
deleted file mode 100644
index d84155c..0000000
--- a/0034-Use-proto_to_name-from-xshared-in-more-places.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From dd052eb7326574b34a03e6f40862e2e59ce9e123 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 17 Nov 2020 00:57:10 +0100
-Subject: [PATCH] Use proto_to_name() from xshared in more places
-
-Share the common proto name lookup code. While being at it, make proto
-number variable 16bit, values may exceed 256.
-
-This aligns iptables-nft '-p' argument printing with legacy iptables. In
-practice, this should make a difference only in corner cases.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 556f704458cdb509d395ddb7d2629987d60e762e)
----
- include/xtables.h | 2 +-
- iptables/ip6tables.c | 22 +++++-----------------
- iptables/iptables.c | 20 +++++---------------
- iptables/nft-shared.c | 6 +++---
- iptables/xshared.c | 2 +-
- iptables/xshared.h | 2 +-
- 6 files changed, 16 insertions(+), 38 deletions(-)
-
-diff --git a/include/xtables.h b/include/xtables.h
-index b5a6764abfa4e..aec50573b835c 100644
---- a/include/xtables.h
-+++ b/include/xtables.h
-@@ -395,7 +395,7 @@ struct xtables_rule_match {
- */
- struct xtables_pprot {
- const char *name;
-- uint8_t num;
-+ uint16_t num;
- };
-
- enum xtables_tryload {
-diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
-index 4422e28276ab5..897f30d5ef4b0 100644
---- a/iptables/ip6tables.c
-+++ b/iptables/ip6tables.c
-@@ -770,28 +770,16 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
- }
- }
-
--/* The ip6tables looks up the /etc/protocols. */
- static void print_proto(uint16_t proto, int invert)
- {
- if (proto) {
-- unsigned int i;
-+ const char *pname = proto_to_name(proto, 0);
- const char *invertstr = invert ? " !" : "";
-
-- const struct protoent *pent = getprotobynumber(proto);
-- if (pent) {
-- printf("%s -p %s",
-- invertstr, pent->p_name);
-- return;
-- }
--
-- for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
-- if (xtables_chain_protos[i].num == proto) {
-- printf("%s -p %s",
-- invertstr, xtables_chain_protos[i].name);
-- return;
-- }
--
-- printf("%s -p %u", invertstr, proto);
-+ if (pname)
-+ printf("%s -p %s", invertstr, pname);
-+ else
-+ printf("%s -p %u", invertstr, proto);
- }
- }
-
-diff --git a/iptables/iptables.c b/iptables/iptables.c
-index bbb87f16f8d1d..9964d14ed8195 100644
---- a/iptables/iptables.c
-+++ b/iptables/iptables.c
-@@ -739,23 +739,13 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
- static void print_proto(uint16_t proto, int invert)
- {
- if (proto) {
-- unsigned int i;
-+ const char *pname = proto_to_name(proto, 0);
- const char *invertstr = invert ? " !" : "";
-
-- const struct protoent *pent = getprotobynumber(proto);
-- if (pent) {
-- printf("%s -p %s", invertstr, pent->p_name);
-- return;
-- }
--
-- for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
-- if (xtables_chain_protos[i].num == proto) {
-- printf("%s -p %s",
-- invertstr, xtables_chain_protos[i].name);
-- return;
-- }
--
-- printf("%s -p %u", invertstr, proto);
-+ if (pname)
-+ printf("%s -p %s", invertstr, pname);
-+ else
-+ printf("%s -p %u", invertstr, proto);
- }
- }
-
-diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
-index 1aaaa8159ff61..bd953d761b6ec 100644
---- a/iptables/nft-shared.c
-+++ b/iptables/nft-shared.c
-@@ -821,13 +821,13 @@ void save_rule_details(const struct iptables_command_state *cs,
- }
-
- if (proto > 0) {
-- const struct protoent *pent = getprotobynumber(proto);
-+ const char *pname = proto_to_name(proto, 0);
-
- if (invflags & XT_INV_PROTO)
- printf("! ");
-
-- if (pent)
-- printf("-p %s ", pent->p_name);
-+ if (pname)
-+ printf("-p %s ", pname);
- else
- printf("-p %u ", proto);
- }
-diff --git a/iptables/xshared.c b/iptables/xshared.c
-index 171b0bdb7ca27..5a1f8169b00ea 100644
---- a/iptables/xshared.c
-+++ b/iptables/xshared.c
-@@ -48,7 +48,7 @@ void print_extension_helps(const struct xtables_target *t,
- }
-
- const char *
--proto_to_name(uint8_t proto, int nolookup)
-+proto_to_name(uint16_t proto, int nolookup)
- {
- unsigned int i;
-
-diff --git a/iptables/xshared.h b/iptables/xshared.h
-index 84f1a559aafb2..674a36635ffd0 100644
---- a/iptables/xshared.h
-+++ b/iptables/xshared.h
-@@ -152,7 +152,7 @@ enum {
-
- extern void print_extension_helps(const struct xtables_target *,
- const struct xtables_rule_match *);
--extern const char *proto_to_name(uint8_t, int);
-+extern const char *proto_to_name(uint16_t, int);
- extern int command_default(struct iptables_command_state *,
- struct xtables_globals *);
- extern struct xtables_match *load_proto(struct iptables_command_state *);
---
-2.34.1
-
diff --git a/iptables.spec b/iptables.spec
index 0817e69..f12b868 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -15,8 +15,8 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
-Version: 1.8.7
-Release: 30%{?dist}
+Version: 1.8.8
+Release: 1%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -29,40 +29,9 @@ Source8: ebtables-helper
 Source9: ebtables.service
 Source10: ebtables-config
-Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
-Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
-Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
-Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
-Patch5: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
-Patch6: 0006-extensions-libebt_ip6-Drop-unused-variables.patch
-Patch7: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
-Patch8: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
-Patch9: 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
-Patch10: 0010-iptables-apply-Drop-unused-variable.patch
-Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
-Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
-Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
-Patch14: 0014-iptables-nft-fix-Z-option.patch
-Patch15: 0015-nft-Fix-bitwise-expression-avoidance-detection.patch
-Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch
-Patch17: 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
-Patch18: 0018-nft-cache-Sort-chains-on-demand-only.patch
-Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
-Patch20: 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
-Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
-Patch22: 0022-ebtables-Dump-atomic-waste.patch
-Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
-Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
-Patch25: 0025-extensions-SECMARK-Implement-revision-1.patch
-Patch26: 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
-Patch27: 0027-nft-Simplify-immediate-parsing.patch
-Patch28: 0028-nft-Speed-up-immediate-parsing.patch
-Patch29: 0029-xshared-Prefer-xtables_chain_protos-lookup-over-getp.patch
-Patch30: 0030-xshared-Merge-and-share-parse_chain.patch
-Patch31: 0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch
-Patch32: 0032-libxtables-Implement-notargets-hash-table.patch
-Patch33: 0033-libxtables-Boost-rule-target-checks-by-announcing-ch.patch
-Patch34: 0034-Use-proto_to_name-from-xshared-in-more-places.patch
+Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
+Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -80,7 +49,7 @@ BuildRequires: bison
 BuildRequires: flex
 BuildRequires: gcc
 BuildRequires: pkgconfig(libmnl) >= 1.0
-BuildRequires: pkgconfig(libnftnl) >= 1.1.5
+BuildRequires: pkgconfig(libnftnl) >= 1.1.6
 # libpcap-devel for nfbpf_compile
 BuildRequires: libpcap-devel
 BuildRequires: autoconf
@@ -478,6 +447,9 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 %changelog
+* Fri May 13 2022 Phil Sutter - 1.8.8-1
+- new version
+
 * Fri Mar 18 2022 Phil Sutter - 1.8.7-30
 - Use proto_to_name() from xshared in more places
diff --git a/sources b/sources
index e9a1323..014f6c0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (iptables-1.8.7.tar.bz2) = c0a33fafbf1139157a9f52860938ebedc282a1394a68dcbd58981159379eb525919f999b25925f2cb4d6b18089bd99a94b00b3e73cff5cb0a0e47bdff174ed75
+SHA512 (iptables-1.8.8.tar.bz2) = f21df23279a77531a23f3fcb1b8f0f8ec0c726bda236dd0e33af74b06753baff6ce3f26fb9fcceb6fada560656ba901e68fc6452eb840ac1b206bc4654950f59
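Review bot: The two kept backports are renumbered from `Patch17`/`Patch26` to `Patch01`/`Patch02` (plus the new `Patch03`), but the `%prep` section that applies them is outside this hunk; if it uses explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, those references need the same renumbering, so that is worth confirming before merge. The other 32 `PatchN` lines are dropped without the commit message saying that they are contained in the 1.8.8 tarball, which a reviewer auditing the rebase currently has to verify by hand. The `%changelog` entry in the later hunk reads only `- new version` although the same commit also raises `pkgconfig(libnftnl)` from 1.1.5 to 1.1.6; a line such as `- new version, drop backports merged upstream, require libnftnl >= 1.1.6` would record both facts where packagers look first.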