iptables-1.8.8-4.el9

- libxtables: Fix unsupported extension warning corner case

Resolves: rhbz#2103988
Phil Sutter 2022-07-05 15:49:16 +02:00
parent 7d8e51ef99
commit 3c61c034bd
2 changed files with 96 additions and 1 deletions

@ -0,0 +1,91 @@
From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 30 Jun 2022 18:04:39 +0200
Subject: [PATCH] libxtables: Fix unsupported extension warning corner case
Some extensions are not supported in revision 0 by user space anymore,
for those the warning in xtables_compatible_revision() does not print as
no revision 0 is tried.
To fix this, one has to track if none of the user space supported
revisions were accepted by the kernel. Therefore add respective logic to
xtables_find_{target,match}().
Note that this does not lead to duplicated warnings for unsupported
extensions that have a revision 0 because xtables_compatible_revision()
returns true for them to allow for extension's help output.
For the record, these ip6tables extensions are affected: set/SET,
socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
for both families.
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37)
---
libxtables/xtables.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 96fd783a066cf..7abc63bcfd83e 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
struct xtables_match *ptr;
const char *icmp6 = "icmp6";
bool found = false;
+ bool seen = false;
if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
+ seen = true;
if (!found &&
xtables_fully_register_pending_match(ptr, prev)) {
found = true;
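
Review bot: `seen = true;` is set on every name match in the pending list, before the `if (!found && ...)` test, so the flag really means "user space has at least one pending revision with this name", which the bare name `seen` does not convey. A one-line comment at the assignment, or a more descriptive name, would let the later `seen && !found` check be read without going back to the commit message.
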
@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
dptr = &((*dptr)->next);
}
+ if (seen && !found)
+ fprintf(stderr,
+ "Warning: Extension %s is not supported, missing kernel module?\n",
+ name);
+
for (ptr = xtables_matches; ptr; ptr = ptr->next) {
if (extension_cmp(name, ptr->name, ptr->family)) {
struct xtables_match *clone;
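
Review bot: the new `if (seen && !found)` block after the pending-list loop prints unconditionally, although xtables_find_match() takes a `tryload` argument (see the hunk header) that the condition never consults. If any caller uses a non-fatal tryload mode to probe for an extension, it will now get a warning on stderr for what it treats as an expected miss; either gate the fprintf() on `tryload` or state in the commit message that the warning is intended for every mode.
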
@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
struct xtables_target **dptr;
struct xtables_target *ptr;
bool found = false;
+ bool seen = false;
/* Standard target? */
if (strcmp(name, "") == 0
@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
+ seen = true;
if (!found &&
xtables_fully_register_pending_target(ptr, prev)) {
found = true;
@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
dptr = &((*dptr)->next);
}
+ if (seen && !found)
+ fprintf(stderr,
+ "Warning: Extension %s is not supported, missing kernel module?\n",
+ name);
+
for (ptr = xtables_targets; ptr; ptr = ptr->next) {
if (extension_cmp(name, ptr->name, ptr->family)) {
struct xtables_target *clone;
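
Review bot: the `if (seen && !found)` block here is a verbatim copy of the one added to xtables_find_match(), including the literal "Warning: Extension %s is not supported, missing kernel module?\n". The commit message says xtables_compatible_revision() already prints this warning for the revision 0 case, so the text now lives in several places; a small static helper taking `name` (or a shared format-string macro) would keep the wording from drifting apart, which matters to anyone matching on this line in logs or tests.
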
--
2.34.1

@ -16,7 +16,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: 1.8.8 Version: 1.8.8
Release: 3%{?dist} Release: 4%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2 Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -34,6 +34,7 @@ Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch
Patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch Patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
Patch05: 0005-arptables-Support-x-exact-flag.patch Patch05: 0005-arptables-Support-x-exact-flag.patch
Patch06: 0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic 2.0 # iptables-apply: Artistic 2.0
@ -449,6 +450,9 @@ fi
%ghost %{_mandir}/man8/ebtables.8.gz %ghost %{_mandir}/man8/ebtables.8.gz
%changelog %changelog
* Tue Jul 05 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-4
- libxtables: Fix unsupported extension warning corner case
* Wed Jun 08 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-3 * Wed Jun 08 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-3
- arptables: Support -x/--exact flag - arptables: Support -x/--exact flag