rpms/iptables
7
0
Fork 0
Code Issues Pull Requests Releases Activity

iptables-1.8.11-6.el10

Browse Source 
* Tue Nov 19 2024 Phil Sutter <psutter@redhat.com> [1.8.11-6.el10]
- nft: Drop interface mask leftovers from post_parse callbacks (Phil Sutter) [RHEL-66725]
- nft: fix interface comparisons in `-C` commands (Phil Sutter) [RHEL-66725]
Resolves: RHEL-66725
This commit is contained in:
Phil Sutter 2024-11-20 00:00:17 +01:00
parent f28ec82e9d
commit 3677684600
3 changed files with 259 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
0004-nft-fix-interface-comparisons-in-C-commands.patch Normal file
View File

@ -0,0 +1,180 @@
From 9a0138cac4e6d120c288b9a1ab4e8b697cb79d5c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 19 Nov 2024 23:57:41 +0100
Subject: [PATCH] nft: fix interface comparisons in `-C` commands
JIRA: https://issues.redhat.com/browse/RHEL-66725
Upstream Status: iptables commit 40406dbfaefbc204134452b2747bae4f6a122848
commit 40406dbfaefbc204134452b2747bae4f6a122848
Author: Jeremy Sowden <jeremy@azazel.net>
Date: Mon Nov 18 13:56:50 2024 +0000
nft: fix interface comparisons in `-C` commands
Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
kernel") removed code which explicitly set interface masks to all ones. The
result of this is that they are zero. However, they are used to mask interfaces
in `is_same_interfaces`. Consequently, the masked values are alway zero, the
comparisons are always true, and check commands which ought to fail succeed:
# iptables -N test
# iptables -A test -i lo \! -o lo -j REJECT
# iptables -v -L test
Chain test (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- lo !lo anywhere anywhere reject-with icmp-port-unreachable
# iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
REJECT all opt -- in lo out !lo 0.0.0.0/0 -> 0.0.0.0/0 reject-with icmp-port-unreachable
Remove the mask parameters from `is_same_interfaces`. Add a test-case.
Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft-arp.c | 10 ++----
iptables/nft-ipv4.c | 4 +--
iptables/nft-ipv6.c | 6 +---
iptables/nft-shared.c | 36 +++++--------------
iptables/nft-shared.h | 6 +---
.../nft-only/0020-compare-interfaces_0 | 9 +++++
6 files changed, 22 insertions(+), 49 deletions(-)
create mode 100755 iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 264864c..c11d64c 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -385,14 +385,8 @@ static bool nft_arp_is_same(const struct iptables_command_state *cs_a,
return false;
}
- return is_same_interfaces(a->arp.iniface,
- a->arp.outiface,
- (unsigned char *)a->arp.iniface_mask,
- (unsigned char *)a->arp.outiface_mask,
- b->arp.iniface,
- b->arp.outiface,
- (unsigned char *)b->arp.iniface_mask,
- (unsigned char *)b->arp.outiface_mask);
+ return is_same_interfaces(a->arp.iniface, a->arp.outiface,
+ b->arp.iniface, b->arp.outiface);
}
static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 7409287..0c8bd29 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -113,9 +113,7 @@ static bool nft_ipv4_is_same(const struct iptables_command_state *a,
}
return is_same_interfaces(a->fw.ip.iniface, a->fw.ip.outiface,
- a->fw.ip.iniface_mask, a->fw.ip.outiface_mask,
- b->fw.ip.iniface, b->fw.ip.outiface,
- b->fw.ip.iniface_mask, b->fw.ip.outiface_mask);
+ b->fw.ip.iniface, b->fw.ip.outiface);
}
static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index b184f8a..4dbb2af 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -99,11 +99,7 @@ static bool nft_ipv6_is_same(const struct iptables_command_state *a,
}
return is_same_interfaces(a->fw6.ipv6.iniface, a->fw6.ipv6.outiface,
- a->fw6.ipv6.iniface_mask,
- a->fw6.ipv6.outiface_mask,
- b->fw6.ipv6.iniface, b->fw6.ipv6.outiface,
- b->fw6.ipv6.iniface_mask,
- b->fw6.ipv6.outiface_mask);
+ b->fw6.ipv6.iniface, b->fw6.ipv6.outiface);
}
static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 6775578..2c29e68 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -220,36 +220,16 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r,
}
bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
- unsigned const char *a_iniface_mask,
- unsigned const char *a_outiface_mask,
- const char *b_iniface, const char *b_outiface,
- unsigned const char *b_iniface_mask,
- unsigned const char *b_outiface_mask)
+ const char *b_iniface, const char *b_outiface)
{
- int i;
-
- for (i = 0; i < IFNAMSIZ; i++) {
- if (a_iniface_mask[i] != b_iniface_mask[i]) {
- DEBUGP("different iniface mask %x, %x (%d)\n",
- a_iniface_mask[i] & 0xff, b_iniface_mask[i] & 0xff, i);
- return false;
- }
- if ((a_iniface[i] & a_iniface_mask[i])
- != (b_iniface[i] & b_iniface_mask[i])) {
- DEBUGP("different iniface\n");
- return false;
- }
- if (a_outiface_mask[i] != b_outiface_mask[i]) {
- DEBUGP("different outiface mask\n");
- return false;
- }
- if ((a_outiface[i] & a_outiface_mask[i])
- != (b_outiface[i] & b_outiface_mask[i])) {
- DEBUGP("different outiface\n");
- return false;
- }
+ if (strncmp(a_iniface, b_iniface, IFNAMSIZ)) {
+ DEBUGP("different iniface\n");
+ return false;
+ }
+ if (strncmp(a_outiface, b_outiface, IFNAMSIZ)) {
+ DEBUGP("different outiface\n");
+ return false;
}
-
return true;
}
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 51d1e46..b57aee1 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -105,11 +105,7 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t proto, uint
void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
- unsigned const char *a_iniface_mask,
- unsigned const char *a_outiface_mask,
- const char *b_iniface, const char *b_outiface,
- unsigned const char *b_iniface_mask,
- unsigned const char *b_outiface_mask);
+ const char *b_iniface, const char *b_outiface);
void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op);
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
diff --git a/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
new file mode 100755
index 0000000..278cd64
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+$XT_MULTI iptables -N test
+$XT_MULTI iptables -A test -i lo \! -o lo -j REJECT
+$XT_MULTI iptables -C test -i abcdefgh \! -o abcdefgh -j REJECT 2>/dev/null && exit 1
+
+exit 0

72
0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch Normal file
View File

@ -0,0 +1,72 @@
From c940eb159386586febce381144e966d053dd7337 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 19 Nov 2024 23:57:41 +0100
Subject: [PATCH] nft: Drop interface mask leftovers from post_parse callbacks
JIRA: https://issues.redhat.com/browse/RHEL-66725
Upstream Status: iptables commit b3f3e256c263b9a1db49732696aba0dde084ef5e
commit b3f3e256c263b9a1db49732696aba0dde084ef5e
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Nov 15 19:55:32 2024 +0100
nft: Drop interface mask leftovers from post_parse callbacks
Fixed commit only adjusted the IPv4-specific callback for unclear
reasons.
Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft-arp.c | 3 ---
iptables/xshared.c | 5 -----
iptables/xshared.h | 1 -
3 files changed, 9 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index c11d64c..fa2dd55 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -459,10 +459,7 @@ static void nft_arp_post_parse(int command,
cs->arp.arp.invflags = args->invflags;
memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ);
- memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ);
-
memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ);
- memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ);
cs->arp.counters.pcnt = args->pcnt_cnt;
cs->arp.counters.bcnt = args->bcnt_cnt;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 2a5eef0..2f663f9 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -2104,12 +2104,7 @@ void ipv6_post_parse(int command, struct iptables_command_state *cs,
cs->fw6.ipv6.invflags = args->invflags;
memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
- memcpy(cs->fw6.ipv6.iniface_mask,
- args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
-
memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
- memcpy(cs->fw6.ipv6.outiface_mask,
- args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
if (args->goto_set)
cs->fw6.ipv6.flags |= IP6T_F_GOTO;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index a111e79..af75673 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -262,7 +262,6 @@ struct xtables_args {
uint8_t flags;
uint16_t invflags;
char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
- unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
char bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ];
bool goto_set;
const char *shostnetworkmask, *dhostnetworkmask;

8
iptables.spec
View File

@ -16,7 +16,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: 1.8.11 Version: 1.8.11
Release: 5%{?dist} Release: 6%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.xz Source: %{url}/files/%{name}-%{version}.tar.xz
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -33,6 +33,8 @@ Source11: iptables-test.stderr.expect
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
Patch3: 0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch Patch3: 0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
Patch4: 0004-nft-fix-interface-comparisons-in-C-commands.patch
Patch5: 0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic Licence 2.0 # iptables-apply: Artistic Licence 2.0
@ -506,6 +508,10 @@ fi
%ghost %{_mandir}/man8/ebtables.8.gz %ghost %{_mandir}/man8/ebtables.8.gz
%changelog %changelog
* Tue Nov 19 2024 Phil Sutter <psutter@redhat.com> [1.8.11-6.el10]
- nft: Drop interface mask leftovers from post_parse callbacks (Phil Sutter) [RHEL-66725]
- nft: fix interface comparisons in `-C` commands (Phil Sutter) [RHEL-66725]
* Thu Nov 14 2024 Phil Sutter <psutter@redhat.com> [1.8.11-5.el10] * Thu Nov 14 2024 Phil Sutter <psutter@redhat.com> [1.8.11-5.el10]
- ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725] - ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]