From 367768460084e81fa6a2f7fc0e3a859ba5dc3c7d Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 20 Nov 2024 00:00:17 +0100
Subject: [PATCH] iptables-1.8.11-6.el10

* Tue Nov 19 2024 Phil Sutter [1.8.11-6.el10]
- nft: Drop interface mask leftovers from post_parse callbacks (Phil Sutter) [RHEL-66725]
- nft: fix interface comparisons in `-C` commands (Phil Sutter) [RHEL-66725]
Resolves: RHEL-66725
---
 ...-interface-comparisons-in-C-commands.patch | 180 ++++++++++++++++++
 ...ce-mask-leftovers-from-post_parse-ca.patch | 72 +++++++
 iptables.spec | 8 +-
 3 files changed, 259 insertions(+), 1 deletion(-)
 create mode 100644 0004-nft-fix-interface-comparisons-in-C-commands.patch
 create mode 100644 0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch

diff --git a/0004-nft-fix-interface-comparisons-in-C-commands.patch b/0004-nft-fix-interface-comparisons-in-C-commands.patch
new file mode 100644
index 0000000..6de0652
--- /dev/null
+++ b/0004-nft-fix-interface-comparisons-in-C-commands.patch
@@ -0,0 +1,180 @@
+From 9a0138cac4e6d120c288b9a1ab4e8b697cb79d5c Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 19 Nov 2024 23:57:41 +0100
+Subject: [PATCH] nft: fix interface comparisons in `-C` commands
+
+JIRA: https://issues.redhat.com/browse/RHEL-66725
+Upstream Status: iptables commit 40406dbfaefbc204134452b2747bae4f6a122848
+
+commit 40406dbfaefbc204134452b2747bae4f6a122848
+Author: Jeremy Sowden
+Date: Mon Nov 18 13:56:50 2024 +0000
+
+ nft: fix interface comparisons in `-C` commands
+
+ Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
+ kernel") removed code which explicitly set interface masks to all ones. The
+ result of this is that they are zero. However, they are used to mask interfaces
+ in `is_same_interfaces`. Consequently, the masked values are alway zero, the
+ comparisons are always true, and check commands which ought to fail succeed:
+
+ # iptables -N test
+ # iptables -A test -i lo \! -o lo -j REJECT
+ # iptables -v -L test
+ Chain test (0 references)
+ pkts bytes target prot opt in out source destination
+ 0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
+ # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
+ REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
+
+ Remove the mask parameters from `is_same_interfaces`. Add a test-case.
+
+ Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
+ Signed-off-by: Jeremy Sowden
+
Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ iptables/nft-arp.c | 10 ++----
+ iptables/nft-ipv4.c | 4 +--
+ iptables/nft-ipv6.c | 6 +---
+ iptables/nft-shared.c | 36 +++++--------------
+ iptables/nft-shared.h | 6 +---
+ .../nft-only/0020-compare-interfaces_0 | 9 +++++
+ 6 files changed, 22 insertions(+), 49 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index 264864c..c11d64c 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -385,14 +385,8 @@ static bool nft_arp_is_same(const struct iptables_command_state *cs_a,
+ return false;
+ }
+
+- return is_same_interfaces(a->arp.iniface,
+- a->arp.outiface,
+- (unsigned char *)a->arp.iniface_mask,
+- (unsigned char *)a->arp.outiface_mask,
+- b->arp.iniface,
+- b->arp.outiface,
+- (unsigned char *)b->arp.iniface_mask,
+- (unsigned char *)b->arp.outiface_mask);
++ return is_same_interfaces(a->arp.iniface, a->arp.outiface,
++ b->arp.iniface, b->arp.outiface);
+ }
+
+ static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy)
+diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
+index 7409287..0c8bd29 100644
+--- a/iptables/nft-ipv4.c
++++ b/iptables/nft-ipv4.c
+@@ -113,9 +113,7 @@ static bool nft_ipv4_is_same(const struct iptables_command_state *a,
+ }
+
+ return is_same_interfaces(a->fw.ip.iniface, a->fw.ip.outiface,
+- a->fw.ip.iniface_mask, a->fw.ip.outiface_mask,
+- b->fw.ip.iniface, b->fw.ip.outiface,
+- b->fw.ip.iniface_mask, b->fw.ip.outiface_mask);
++ b->fw.ip.iniface, b->fw.ip.outiface);
+ }
+
+ static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
+diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
+index b184f8a..4dbb2af 100644
+--- a/iptables/nft-ipv6.c
++++ b/iptables/nft-ipv6.c
+@@ -99,11 +99,7 @@ static bool nft_ipv6_is_same(const struct iptables_command_state *a,
+ }
+
+ return is_same_interfaces(a->fw6.ipv6.iniface,
a->fw6.ipv6.outiface,
+- a->fw6.ipv6.iniface_mask,
+- a->fw6.ipv6.outiface_mask,
+- b->fw6.ipv6.iniface, b->fw6.ipv6.outiface,
+- b->fw6.ipv6.iniface_mask,
+- b->fw6.ipv6.outiface_mask);
++ b->fw6.ipv6.iniface, b->fw6.ipv6.outiface);
+ }
+
+ static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index 6775578..2c29e68 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -220,36 +220,16 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r,
+ }
+
+ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
+- unsigned const char *a_iniface_mask,
+- unsigned const char *a_outiface_mask,
+- const char *b_iniface, const char *b_outiface,
+- unsigned const char *b_iniface_mask,
+- unsigned const char *b_outiface_mask)
++ const char *b_iniface, const char *b_outiface)
+ {
+- int i;
+-
+- for (i = 0; i < IFNAMSIZ; i++) {
+- if (a_iniface_mask[i] != b_iniface_mask[i]) {
+- DEBUGP("different iniface mask %x, %x (%d)\n",
+- a_iniface_mask[i] & 0xff, b_iniface_mask[i] & 0xff, i);
+- return false;
+- }
+- if ((a_iniface[i] & a_iniface_mask[i])
+- != (b_iniface[i] & b_iniface_mask[i])) {
+- DEBUGP("different iniface\n");
+- return false;
+- }
+- if (a_outiface_mask[i] != b_outiface_mask[i]) {
+- DEBUGP("different outiface mask\n");
+- return false;
+- }
+- if ((a_outiface[i] & a_outiface_mask[i])
+- != (b_outiface[i] & b_outiface_mask[i])) {
+- DEBUGP("different outiface\n");
+- return false;
+- }
++ if (strncmp(a_iniface, b_iniface, IFNAMSIZ)) {
++ DEBUGP("different iniface\n");
++ return false;
++ }
++ if (strncmp(a_outiface, b_outiface, IFNAMSIZ)) {
++ DEBUGP("different outiface\n");
++ return false;
+ }
+-
+ return true;
+ }
+
+diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
+index 51d1e46..b57aee1 100644
+--- a/iptables/nft-shared.h
++++ b/iptables/nft-shared.h
+@@ -105,11 +105,7 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t
proto, uint
+ void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
+
+ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
+- unsigned const char *a_iniface_mask,
+- unsigned const char *a_outiface_mask,
+- const char *b_iniface, const char *b_outiface,
+- unsigned const char *b_iniface_mask,
+- unsigned const char *b_outiface_mask);
++ const char *b_iniface, const char *b_outiface);
+
+ void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op);
+ void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
+diff --git a/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+new file mode 100755
+index 0000000..278cd64
+--- /dev/null
++++ b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+@@ -0,0 +1,9 @@
++#!/bin/bash
++
++[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
++
++$XT_MULTI iptables -N test
++$XT_MULTI iptables -A test -i lo \! -o lo -j REJECT
++$XT_MULTI iptables -C test -i abcdefgh \! -o abcdefgh -j REJECT 2>/dev/null && exit 1
++
++exit 0
diff --git a/0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch b/0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch
new file mode 100644
index 0000000..19e5483
--- /dev/null
+++ b/0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch
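Review bot: The new test case 0020-compare-interfaces_0 only asserts the negative path (a `-C` with a non-matching interface must fail), so a regression that made `is_same_interfaces` reject every rule would still pass it; add the positive check before the final exit, `$XT_MULTI iptables -C test -i lo \! -o lo -j REJECT || exit 1`. In the nft-shared.c hunk, `strncmp(..., IFNAMSIZ)` looks right for the interface-name fields the nft-arp.c, nft-ipv4.c and nft-ipv6.c callers pass (presumably IFNAMSIZ-sized arrays, which this hunk does not show), but nothing in the function says why the masks disappeared, which invites someone to reintroduce them. A header comment above the definition, and on the prototype in nft-shared.h, such as `/* Interface masks are no longer populated by the parser, so two rules match only when both names are byte-identical up to IFNAMSIZ. */` would record that.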
@@ -0,0 +1,72 @@
+From c940eb159386586febce381144e966d053dd7337 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 19 Nov 2024 23:57:41 +0100
+Subject: [PATCH] nft: Drop interface mask leftovers from post_parse callbacks
+
+JIRA: https://issues.redhat.com/browse/RHEL-66725
+Upstream Status: iptables commit b3f3e256c263b9a1db49732696aba0dde084ef5e
+
+commit b3f3e256c263b9a1db49732696aba0dde084ef5e
+Author: Phil Sutter
+Date: Fri Nov 15 19:55:32 2024 +0100
+
+ nft: Drop interface mask leftovers from post_parse callbacks
+
+ Fixed commit only adjusted the IPv4-specific callback for unclear
+ reasons.
+
+ Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default")
+
Signed-off-by: Phil Sutter
+ Reviewed-by: Jeremy Sowden
+
+Signed-off-by: Phil Sutter
+---
+ iptables/nft-arp.c | 3 ---
+ iptables/xshared.c | 5 -----
+ iptables/xshared.h | 1 -
+ 3 files changed, 9 deletions(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index c11d64c..fa2dd55 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -459,10 +459,7 @@ static void nft_arp_post_parse(int command,
+ cs->arp.arp.invflags = args->invflags;
+
+ memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ);
+- memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ);
+-
+ memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ);
+- memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ);
+
+ cs->arp.counters.pcnt = args->pcnt_cnt;
+ cs->arp.counters.bcnt = args->bcnt_cnt;
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 2a5eef0..2f663f9 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -2104,12 +2104,7 @@ void ipv6_post_parse(int command, struct iptables_command_state *cs,
+ cs->fw6.ipv6.invflags = args->invflags;
+
+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
+- memcpy(cs->fw6.ipv6.iniface_mask,
+- args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
+-
+ memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
+- memcpy(cs->fw6.ipv6.outiface_mask,
+- args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
+
+ if (args->goto_set)
+ cs->fw6.ipv6.flags |= IP6T_F_GOTO;
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index a111e79..af75673 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -262,7 +262,6 @@ struct xtables_args {
+ uint8_t flags;
+ uint16_t invflags;
+ char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+- unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+ char bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ];
+ bool goto_set;
+ const char *shostnetworkmask, *dhostnetworkmask;
diff --git a/iptables.spec b/iptables.spec
index ed7db17..d10b82c 100644
--- a/iptables.spec
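Review bot: After the nft-arp.c hunk, `cs->arp.arp.iniface_mask` and `cs->arp.arp.outiface_mask` are no longer written from `args`, but the hunk only drops the writers; the destination fields still exist in the arp rule struct and will hold whatever the command state was initialised with (presumably zero). If any nft-arp print, save or xlate path still reads those masks (none is visible here, and `nft_arp_post_parse` continues outside the hunk), it would now act on zeroed masks, which is worth confirming before merging. The xshared.h hunk removes `iniface_mask`/`outiface_mask` from `struct xtables_args`, so any surviving reader of `args->iniface_mask` elsewhere fails at compile time rather than silently, which is the right failure mode; the ipv6_post_parse hunk in xshared.c is covered by the same observation.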
+++ b/iptables.spec
@@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.11
-Release: 5%{?dist}
+Release: 6%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
@@ -33,6 +33,8 @@ Source11: iptables-test.stderr.expect
 Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
 Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 Patch3: 0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
+Patch4: 0004-nft-fix-interface-comparisons-in-C-commands.patch
+Patch5: 0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -506,6 +508,10 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 
 %changelog
+* Tue Nov 19 2024 Phil Sutter [1.8.11-6.el10]
+- nft: Drop interface mask leftovers from post_parse callbacks (Phil Sutter) [RHEL-66725]
+- nft: fix interface comparisons in `-C` commands (Phil Sutter) [RHEL-66725]
+
 * Thu Nov 14 2024 Phil Sutter [1.8.11-5.el10]
 - ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]