iptables-1.8.11-6.el10

* Tue Nov 19 2024 Phil Sutter <psutter@redhat.com> [1.8.11-6.el10] - nft: Drop interface mask leftovers from post_parse callbacks (Phil Sutter) [RHEL-66725] - nft: fix interface comparisons in `-C` commands (Phil Sutter) [RHEL-66725] Resolves: RHEL-66725
2024-11-20 00:00:17 +01:00 · 2024-11-20 00:00:17 +01:00 · 3677684600
commit 3677684600
parent f28ec82e9d
3 changed files with 259 additions and 1 deletions
--- a/0004-nft-fix-interface-comparisons-in-C-commands.patch
+++ b/0004-nft-fix-interface-comparisons-in-C-commands.patch
@ -0,0 +1,180 @@
+From 9a0138cac4e6d120c288b9a1ab4e8b697cb79d5c Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 19 Nov 2024 23:57:41 +0100
+Subject: [PATCH] nft: fix interface comparisons in `-C` commands
+
+JIRA: https://issues.redhat.com/browse/RHEL-66725
+Upstream Status: iptables commit 40406dbfaefbc204134452b2747bae4f6a122848
+
+commit 40406dbfaefbc204134452b2747bae4f6a122848
+Author: Jeremy Sowden <jeremy@azazel.net>
+Date:   Mon Nov 18 13:56:50 2024 +0000
+
+    nft: fix interface comparisons in `-C` commands
+
+    Commit 9ccae6397475 ("nft: Leave interface masks alone when parsing from
+    kernel") removed code which explicitly set interface masks to all ones.  The
+    result of this is that they are zero.  However, they are used to mask interfaces
+    in `is_same_interfaces`.  Consequently, the masked values are alway zero, the
+    comparisons are always true, and check commands which ought to fail succeed:
+
+      # iptables -N test
+      # iptables -A test -i lo \! -o lo -j REJECT
+      # iptables -v -L test
+      Chain test (0 references)
+       pkts bytes target     prot opt in     out     source               destination
+          0     0 REJECT     all  --  lo     !lo     anywhere             anywhere             reject-with icmp-port-unreachable
+      # iptables -v -C test -i abcdefgh \! -o abcdefgh -j REJECT
+      REJECT  all opt -- in lo out !lo  0.0.0.0/0  -> 0.0.0.0/0   reject-with icmp-port-unreachable
+
+    Remove the mask parameters from `is_same_interfaces`.  Add a test-case.
+
+    Fixes: 9ccae6397475 ("nft: Leave interface masks alone when parsing from kernel")
+    Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/nft-arp.c                            | 10 ++----
+ iptables/nft-ipv4.c                           |  4 +--
+ iptables/nft-ipv6.c                           |  6 +---
+ iptables/nft-shared.c                         | 36 +++++--------------
+ iptables/nft-shared.h                         |  6 +---
+ .../nft-only/0020-compare-interfaces_0        |  9 +++++
+ 6 files changed, 22 insertions(+), 49 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index 264864c..c11d64c 100644
+--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
+@@ -385,14 +385,8 @@ static bool nft_arp_is_same(const struct iptables_command_state *cs_a,
+ 		return false;
+ 	}
+ 
+-	return is_same_interfaces(a->arp.iniface,
+-				  a->arp.outiface,
+-				  (unsigned char *)a->arp.iniface_mask,
+-				  (unsigned char *)a->arp.outiface_mask,
+-				  b->arp.iniface,
+-				  b->arp.outiface,
+-				  (unsigned char *)b->arp.iniface_mask,
+-				  (unsigned char *)b->arp.outiface_mask);
+	return is_same_interfaces(a->arp.iniface, a->arp.outiface,
+				  b->arp.iniface, b->arp.outiface);
+ }
+ 
+ static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy)
+diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
+index 7409287..0c8bd29 100644
+--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
+@@ -113,9 +113,7 @@ static bool nft_ipv4_is_same(const struct iptables_command_state *a,
+ 	}
+ 
+ 	return is_same_interfaces(a->fw.ip.iniface, a->fw.ip.outiface,
+-				  a->fw.ip.iniface_mask, a->fw.ip.outiface_mask,
+-				  b->fw.ip.iniface, b->fw.ip.outiface,
+-				  b->fw.ip.iniface_mask, b->fw.ip.outiface_mask);
+				  b->fw.ip.iniface, b->fw.ip.outiface);
+ }
+ 
+ static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
+diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
+index b184f8a..4dbb2af 100644
+--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
+@@ -99,11 +99,7 @@ static bool nft_ipv6_is_same(const struct iptables_command_state *a,
+ 	}
+ 
+ 	return is_same_interfaces(a->fw6.ipv6.iniface, a->fw6.ipv6.outiface,
+-				  a->fw6.ipv6.iniface_mask,
+-				  a->fw6.ipv6.outiface_mask,
+-				  b->fw6.ipv6.iniface, b->fw6.ipv6.outiface,
+-				  b->fw6.ipv6.iniface_mask,
+-				  b->fw6.ipv6.outiface_mask);
+				  b->fw6.ipv6.iniface, b->fw6.ipv6.outiface);
+ }
+ 
+ static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index 6775578..2c29e68 100644
+--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
+@@ -220,36 +220,16 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r,
+ }
+ 
+ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
+-			unsigned const char *a_iniface_mask,
+-			unsigned const char *a_outiface_mask,
+-			const char *b_iniface, const char *b_outiface,
+-			unsigned const char *b_iniface_mask,
+-			unsigned const char *b_outiface_mask)
+			const char *b_iniface, const char *b_outiface)
+ {
+-	int i;
+-
+-	for (i = 0; i < IFNAMSIZ; i++) {
+-		if (a_iniface_mask[i] != b_iniface_mask[i]) {
+-			DEBUGP("different iniface mask %x, %x (%d)\n",
+-			a_iniface_mask[i] & 0xff, b_iniface_mask[i] & 0xff, i);
+-			return false;
+-		}
+-		if ((a_iniface[i] & a_iniface_mask[i])
+-		    != (b_iniface[i] & b_iniface_mask[i])) {
+-			DEBUGP("different iniface\n");
+-			return false;
+-		}
+-		if (a_outiface_mask[i] != b_outiface_mask[i]) {
+-			DEBUGP("different outiface mask\n");
+-			return false;
+-		}
+-		if ((a_outiface[i] & a_outiface_mask[i])
+-		    != (b_outiface[i] & b_outiface_mask[i])) {
+-			DEBUGP("different outiface\n");
+-			return false;
+-		}
+	if (strncmp(a_iniface, b_iniface, IFNAMSIZ)) {
+		DEBUGP("different iniface\n");
+		return false;
+	}
+	if (strncmp(a_outiface, b_outiface, IFNAMSIZ)) {
+		DEBUGP("different outiface\n");
+		return false;
+ 	}
+-
+ 	return true;
+ }
+ 
+diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
+index 51d1e46..b57aee1 100644
+--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
+@@ -105,11 +105,7 @@ void add_l4proto(struct nft_handle *h, struct nftnl_rule *r, uint8_t proto, uint
+ void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
+ 
+ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
+-			unsigned const char *a_iniface_mask,
+-			unsigned const char *a_outiface_mask,
+-			const char *b_iniface, const char *b_outiface,
+-			unsigned const char *b_iniface_mask,
+-			unsigned const char *b_outiface_mask);
+			const char *b_iniface, const char *b_outiface);
+ 
+ void __get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, uint8_t *op);
+ void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
+diff --git a/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0 b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+new file mode 100755
+index 0000000..278cd64
+--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0020-compare-interfaces_0
+@@ -0,0 +1,9 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+$XT_MULTI iptables -N test
+$XT_MULTI iptables -A test -i lo \! -o lo -j REJECT
+$XT_MULTI iptables -C test -i abcdefgh \! -o abcdefgh -j REJECT 2>/dev/null && exit 1
+
+exit 0
--- a/0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch
+++ b/0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch
@ -0,0 +1,72 @@
+From c940eb159386586febce381144e966d053dd7337 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 19 Nov 2024 23:57:41 +0100
+Subject: [PATCH] nft: Drop interface mask leftovers from post_parse callbacks
+
+JIRA: https://issues.redhat.com/browse/RHEL-66725
+Upstream Status: iptables commit b3f3e256c263b9a1db49732696aba0dde084ef5e
+
+commit b3f3e256c263b9a1db49732696aba0dde084ef5e
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Fri Nov 15 19:55:32 2024 +0100
+
+    nft: Drop interface mask leftovers from post_parse callbacks
+
+    Fixed commit only adjusted the IPv4-specific callback for unclear
+    reasons.
+
+    Fixes: fe70364b36119 ("xshared: Do not populate interface masks per default")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Reviewed-by: Jeremy Sowden <jeremy@azazel.net>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/nft-arp.c | 3 ---
+ iptables/xshared.c | 5 -----
+ iptables/xshared.h | 1 -
+ 3 files changed, 9 deletions(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index c11d64c..fa2dd55 100644
+--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
+@@ -459,10 +459,7 @@ static void nft_arp_post_parse(int command,
+ 	cs->arp.arp.invflags = args->invflags;
+ 
+ 	memcpy(cs->arp.arp.iniface, args->iniface, IFNAMSIZ);
+-	memcpy(cs->arp.arp.iniface_mask, args->iniface_mask, IFNAMSIZ);
+-
+ 	memcpy(cs->arp.arp.outiface, args->outiface, IFNAMSIZ);
+-	memcpy(cs->arp.arp.outiface_mask, args->outiface_mask, IFNAMSIZ);
+ 
+ 	cs->arp.counters.pcnt = args->pcnt_cnt;
+ 	cs->arp.counters.bcnt = args->bcnt_cnt;
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 2a5eef0..2f663f9 100644
+--- a/iptables/xshared.c
+++ b/iptables/xshared.c
+@@ -2104,12 +2104,7 @@ void ipv6_post_parse(int command, struct iptables_command_state *cs,
+ 	cs->fw6.ipv6.invflags = args->invflags;
+ 
+ 	memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
+-	memcpy(cs->fw6.ipv6.iniface_mask,
+-	       args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
+-
+ 	memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
+-	memcpy(cs->fw6.ipv6.outiface_mask,
+-	       args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
+ 
+ 	if (args->goto_set)
+ 		cs->fw6.ipv6.flags |= IP6T_F_GOTO;
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index a111e79..af75673 100644
+--- a/iptables/xshared.h
+++ b/iptables/xshared.h
+@@ -262,7 +262,6 @@ struct xtables_args {
+ 	uint8_t		flags;
+ 	uint16_t	invflags;
+ 	char		iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+-	unsigned char	iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+ 	char		bri_iniface[IFNAMSIZ], bri_outiface[IFNAMSIZ];
+ 	bool		goto_set;
+ 	const char	*shostnetworkmask, *dhostnetworkmask;
--- a/iptables.spec
+++ b/iptables.spec
@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.11
-Release: 5%{?dist}
+Release: 6%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
@ -33,6 +33,8 @@ Source11: iptables-test.stderr.expect
 Patch1:             0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
 Patch2:             0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 Patch3:             0003-ip-6-tables-translate-fix-test-failures-when-WESP-is.patch
+Patch4:             0004-nft-fix-interface-comparisons-in-C-commands.patch
+Patch5:             0005-nft-Drop-interface-mask-leftovers-from-post_parse-ca.patch

 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@ -506,6 +508,10 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz

 %changelog
+* Tue Nov 19 2024 Phil Sutter <psutter@redhat.com> [1.8.11-6.el10]
+- nft: Drop interface mask leftovers from post_parse callbacks (Phil Sutter) [RHEL-66725]
+- nft: fix interface comparisons in `-C` commands (Phil Sutter) [RHEL-66725]
+
 * Thu Nov 14 2024 Phil Sutter <psutter@redhat.com> [1.8.11-5.el10]
 - ip[6]tables-translate: fix test failures when WESP is defined (Phil Sutter) [RHEL-66725]