diff --git a/0034-Use-proto_to_name-from-xshared-in-more-places.patch b/0034-Use-proto_to_name-from-xshared-in-more-places.patch
new file mode 100644
index 0000000..d84155c
--- /dev/null
+++ b/0034-Use-proto_to_name-from-xshared-in-more-places.patch
@@ -0,0 +1,156 @@
+From dd052eb7326574b34a03e6f40862e2e59ce9e123 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 17 Nov 2020 00:57:10 +0100
+Subject: [PATCH] Use proto_to_name() from xshared in more places
+
+Share the common proto name lookup code. While being at it, make proto
+number variable 16bit, values may exceed 256.
+
+This aligns iptables-nft '-p' argument printing with legacy iptables. In
+practice, this should make a difference only in corner cases.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 556f704458cdb509d395ddb7d2629987d60e762e)
+---
+ include/xtables.h | 2 +-
+ iptables/ip6tables.c | 22 +++++-----------------
+ iptables/iptables.c | 20 +++++---------------
+ iptables/nft-shared.c | 6 +++---
+ iptables/xshared.c | 2 +-
+ iptables/xshared.h | 2 +-
+ 6 files changed, 16 insertions(+), 38 deletions(-)
+
+diff --git a/include/xtables.h b/include/xtables.h
+index b5a6764abfa4e..aec50573b835c 100644
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -395,7 +395,7 @@ struct xtables_rule_match {
+ */
+ struct xtables_pprot {
+ const char *name;
+- uint8_t num;
++ uint16_t num;
+ };
+
+ enum xtables_tryload {
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 4422e28276ab5..897f30d5ef4b0 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -770,28 +770,16 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
+ }
+ }
+
+-/* The ip6tables looks up the /etc/protocols. */
+ static void print_proto(uint16_t proto, int invert)
+ {
+ if (proto) {
+- unsigned int i;
++ const char *pname = proto_to_name(proto, 0);
+ const char *invertstr = invert ? " !" : "";
+- const struct protoent *pent = getprotobynumber(proto);
+- if (pent) {
+- printf("%s -p %s",
+- invertstr, pent->p_name);
+- return;
+- }
+-
+- for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
+- if (xtables_chain_protos[i].num == proto) {
+- printf("%s -p %s",
+- invertstr, xtables_chain_protos[i].name);
+- return;
+- }
+-
+- printf("%s -p %u", invertstr, proto);
++ if (pname)
++ printf("%s -p %s", invertstr, pname);
++ else
++ printf("%s -p %u", invertstr, proto);
+ }
+ }
+
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index bbb87f16f8d1d..9964d14ed8195 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -739,23 +739,13 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
+ static void print_proto(uint16_t proto, int invert)
+ {
+ if (proto) {
+- unsigned int i;
++ const char *pname = proto_to_name(proto, 0);
+ const char *invertstr = invert ? " !" : "";
+
+- const struct protoent *pent = getprotobynumber(proto);
+- if (pent) {
+- printf("%s -p %s", invertstr, pent->p_name);
+- return;
+- }
+-
+- for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
+- if (xtables_chain_protos[i].num == proto) {
+- printf("%s -p %s",
+- invertstr, xtables_chain_protos[i].name);
+- return;
+- }
+-
+- printf("%s -p %u", invertstr, proto);
++ if (pname)
++ printf("%s -p %s", invertstr, pname);
++ else
++ printf("%s -p %u", invertstr, proto);
+ }
+ }
+
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index 1aaaa8159ff61..bd953d761b6ec 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -821,13 +821,13 @@ void save_rule_details(const struct iptables_command_state *cs,
+ }
+
+ if (proto > 0) {
+- const struct protoent *pent = getprotobynumber(proto);
++ const char *pname = proto_to_name(proto, 0);
+
+ if (invflags & XT_INV_PROTO)
+ printf("! ");
+- if (pent)
+- printf("-p %s ", pent->p_name);
++ if (pname)
++ printf("-p %s ", pname);
+ else
+ printf("-p %u ", proto);
+ }
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 171b0bdb7ca27..5a1f8169b00ea 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -48,7 +48,7 @@ void print_extension_helps(const struct xtables_target *t,
+ }
+
+ const char *
+-proto_to_name(uint8_t proto, int nolookup)
++proto_to_name(uint16_t proto, int nolookup)
+ {
+ unsigned int i;
+
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index 84f1a559aafb2..674a36635ffd0 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -152,7 +152,7 @@ enum {
+
+ extern void print_extension_helps(const struct xtables_target *,
+ const struct xtables_rule_match *);
+-extern const char *proto_to_name(uint8_t, int);
++extern const char *proto_to_name(uint16_t, int);
+ extern int command_default(struct iptables_command_state *,
+ struct xtables_globals *);
+ extern struct xtables_match *load_proto(struct iptables_command_state *);
+-- 
+2.34.1
+
diff --git a/iptables.spec b/iptables.spec
index dc277e5..0817e69 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 29%{?dist}
+Release: 30%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -62,6 +62,7 @@ Patch30: 0030-xshared-Merge-and-share-parse_chain.patch
 Patch31: 0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch
 Patch32: 0032-libxtables-Implement-notargets-hash-table.patch
 Patch33: 0033-libxtables-Boost-rule-target-checks-by-announcing-ch.patch
+Patch34: 0034-Use-proto_to_name-from-xshared-in-more-places.patch
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
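Review bot: Widening `num` in `struct xtables_pprot` (the include/xtables.h hunk) changes a member type in libxtables' public header; the struct keeps the same size and member offset on common ABIs, but out-of-tree code built against the old header that reads `xtables_chain_protos[].num` as one byte would see the high byte on big-endian targets, so a backport into 1.8.7-30 deserves a sentence in the patch description about whether that table is part of the exported ABI — this hunk cannot show it. The three new `proto_to_name(proto, 0)` calls pass a bare `0` for `nolookup`; since the removed code made the getprotobynumber() path explicit, I would annotate one of them, e.g. `proto_to_name(proto, 0); /* 0: allow /etc/protocols lookup */`, or document the flag on the xshared.h prototype. If proto_to_name() returns `pent->p_name` from getprotobynumber()'s static storage (its body is cut off after `unsigned int i;`), `pname` is only valid until the next getproto*() call; every new site consumes it immediately in printf(), which is fine, but a comment on the declaration such as `/* result may point into static libc storage; use before the next getproto*() call */` would keep future callers honest. save_rule_details() in nft-shared.c and proto_to_name() in xshared.c begin or end outside their hunks.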
@@ -477,6 +478,9 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 %changelog
+* Fri Mar 18 2022 Phil Sutter - 1.8.7-30
+- Use proto_to_name() from xshared in more places
+
+* Fri Mar 18 2022 Phil Sutter - 1.8.7-29
+- libxtables: Boost rule target checks by announcing chain names
+- libxtables: Implement notargets hash table