iptables-1.8.7-11.el9
- Fix License name in spec file - Eliminate inet_aton() and inet_ntoa() - nft-arp: Make use of ipv4_addr_to_string() - Make legacy sub-packages obsolete older non-legacy ones - Fix dates in changelog - iptables.init: Fix functionality for iptables-nft - iptables.init: Ignore sysctl files not suffixed '.conf' - iptables.init: Drop unused NEW_MODUTILS check - iptables.init: Drop some trailing whitespace Resolves: RHBZ#1954581, RHBZ#1958262
This commit is contained in:
parent
b6b32fa391
commit
4a68e9f94a
@ -1,4 +1,4 @@
|
||||
From 30c1d443896311e69762d6b51b63908ec602574f Mon Sep 17 00:00:00 2001
|
||||
From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 28 Jan 2021 01:09:56 +0100
|
||||
Subject: [PATCH] ebtables: Exit gracefully on invalid table names
|
||||
@ -22,7 +22,7 @@ With this patch in place, output looks much better:
|
||||
| Perhaps iptables or your kernel needs to be upgraded.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
|
||||
---
|
||||
iptables/xtables-eb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
@ -47,5 +47,5 @@ index cfa9317c78e94..5bb34d6d292a9 100644
|
||||
table_set = true;
|
||||
break;
|
||||
--
|
||||
2.28.0
|
||||
2.31.1
|
||||
|
||||
|
196
0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
Normal file
196
0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
Normal file
@ -0,0 +1,196 @@
|
||||
From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 2 Mar 2021 14:50:07 +0100
|
||||
Subject: [PATCH] xtables-translate: Fix translation of odd netmasks
|
||||
|
||||
Iptables supports netmasks which are not prefixes to match on (or
|
||||
ignore) arbitrary bits in an address. Yet nftables' prefix notation is
|
||||
available for real prefixes only, so translation is not as trivial -
|
||||
print bitmask syntax for those cases.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae)
|
||||
---
|
||||
extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++
|
||||
extensions/libxt_standard.t | 12 ++++++++++
|
||||
iptables/nft-ipv4.c | 42 ++++++++++++++++++++++----------
|
||||
iptables/nft-ipv6.c | 19 ++++++++++++---
|
||||
4 files changed, 106 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
|
||||
index 0e256c3727559..9ae9a5b54c1b9 100644
|
||||
--- a/extensions/generic.txlate
|
||||
+++ b/extensions/generic.txlate
|
||||
@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
|
||||
iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
|
||||
nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
|
||||
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0
|
||||
+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0
|
||||
+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255
|
||||
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter
|
||||
+
|
||||
+iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255
|
||||
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 0.0.0.0/16
|
||||
+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 0.0.0.0/0
|
||||
+nft insert rule ip filter INPUT counter
|
||||
+
|
||||
+iptables-translate -I INPUT ! -s 0.0.0.0/0
|
||||
+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -i iifname -s feed::/16
|
||||
+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter
|
||||
+
|
||||
+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16
|
||||
+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00::
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s ::/16
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s ::/0
|
||||
+nft insert rule ip6 filter INPUT counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT ! -s ::/0
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter
|
||||
+
|
||||
ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
|
||||
nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
|
||||
|
||||
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
|
||||
index 4313f7b7bac9d..56d6da2e5884e 100644
|
||||
--- a/extensions/libxt_standard.t
|
||||
+++ b/extensions/libxt_standard.t
|
||||
@@ -9,3 +9,15 @@
|
||||
-j ACCEPT;=;OK
|
||||
-j RETURN;=;OK
|
||||
! -p 0 -j ACCEPT;=;FAIL
|
||||
+-s 10.11.12.13/8;-s 10.0.0.0/8;OK
|
||||
+-s 10.11.12.13/9;-s 10.0.0.0/9;OK
|
||||
+-s 10.11.12.13/10;-s 10.0.0.0/10;OK
|
||||
+-s 10.11.12.13/11;-s 10.0.0.0/11;OK
|
||||
+-s 10.11.12.13/12;-s 10.0.0.0/12;OK
|
||||
+-s 10.11.12.13/30;-s 10.11.12.12/30;OK
|
||||
+-s 10.11.12.13/31;-s 10.11.12.12/31;OK
|
||||
+-s 10.11.12.13/32;-s 10.11.12.13/32;OK
|
||||
+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
|
||||
+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
|
||||
+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
|
||||
+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index fdc15c6f04066..0d32a30010519 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command,
|
||||
" source or destination IP addresses");
|
||||
}
|
||||
|
||||
+static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ bool inv, struct xt_xlate *xl)
|
||||
+{
|
||||
+ const char *op = inv ? "!= " : "";
|
||||
+ int cidr;
|
||||
+
|
||||
+ if (!inv && !addr->s_addr && !mask->s_addr)
|
||||
+ return;
|
||||
+
|
||||
+ cidr = xtables_ipmask_to_cidr(mask);
|
||||
+ switch (cidr) {
|
||||
+ case -1:
|
||||
+ /* inet_ntoa() is not reentrant */
|
||||
+ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
|
||||
+ xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
|
||||
+ break;
|
||||
+ case 32:
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
|
||||
+ break;
|
||||
+ default:
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
|
||||
+ cidr);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
|
||||
{
|
||||
const struct iptables_command_state *cs = data;
|
||||
@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
|
||||
}
|
||||
}
|
||||
|
||||
- if (cs->fw.ip.src.s_addr != 0) {
|
||||
- xt_xlate_add(xl, "ip saddr %s%s%s ",
|
||||
- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "",
|
||||
- inet_ntoa(cs->fw.ip.src),
|
||||
- xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
|
||||
- }
|
||||
- if (cs->fw.ip.dst.s_addr != 0) {
|
||||
- xt_xlate_add(xl, "ip daddr %s%s%s ",
|
||||
- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "",
|
||||
- inet_ntoa(cs->fw.ip.dst),
|
||||
- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
|
||||
- }
|
||||
+ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
|
||||
+ cs->fw.ip.invflags & IPT_INV_SRCIP, xl);
|
||||
+ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk,
|
||||
+ cs->fw.ip.invflags & IPT_INV_DSTIP, xl);
|
||||
|
||||
ret = xlate_matches(cs, xl);
|
||||
if (!ret)
|
||||
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
||||
index 130ad3e6e7c44..46008fc5e762a 100644
|
||||
--- a/iptables/nft-ipv6.c
|
||||
+++ b/iptables/nft-ipv6.c
|
||||
@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
|
||||
const struct in6_addr *mask,
|
||||
int invert, struct xt_xlate *xl)
|
||||
{
|
||||
+ const char *op = invert ? "!= " : "";
|
||||
char addr_str[INET6_ADDRSTRLEN];
|
||||
+ int cidr;
|
||||
|
||||
- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
|
||||
+ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask))
|
||||
return;
|
||||
|
||||
inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
|
||||
- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str,
|
||||
- xtables_ip6mask_to_numeric(mask));
|
||||
+ cidr = xtables_ip6mask_to_cidr(mask);
|
||||
+ switch (cidr) {
|
||||
+ case -1:
|
||||
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
|
||||
+ xtables_ip6addr_to_numeric(mask),
|
||||
+ invert ? "!=" : "==", addr_str);
|
||||
+ break;
|
||||
+ case 128:
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str);
|
||||
+ break;
|
||||
+ default:
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr);
|
||||
+ }
|
||||
}
|
||||
|
||||
static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
|
||||
--
|
||||
2.31.1
|
||||
|
120
0003-Eliminate-inet_aton-and-inet_ntoa.patch
Normal file
120
0003-Eliminate-inet_aton-and-inet_ntoa.patch
Normal file
@ -0,0 +1,120 @@
|
||||
From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 27 Apr 2021 09:12:53 +0200
|
||||
Subject: [PATCH] Eliminate inet_aton() and inet_ntoa()
|
||||
|
||||
Both functions are obsolete, replace them by equivalent calls to
|
||||
inet_pton() and inet_ntop().
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3)
|
||||
---
|
||||
extensions/libebt_among.c | 6 ++++--
|
||||
iptables/nft-ipv4.c | 23 ++++++++++++++---------
|
||||
2 files changed, 18 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
|
||||
index 2b9a1b6566684..7eb898f984bba 100644
|
||||
--- a/extensions/libebt_among.c
|
||||
+++ b/extensions/libebt_among.c
|
||||
@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
|
||||
if (sep) {
|
||||
*sep = '\0';
|
||||
|
||||
- if (!inet_aton(sep + 1, &pair->in))
|
||||
+ if (!inet_pton(AF_INET, sep + 1, &pair->in))
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
"Invalid IP address '%s'\n", sep + 1);
|
||||
}
|
||||
@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
|
||||
int cnt, bool inv, bool have_ip)
|
||||
{
|
||||
const char *isep = inv ? "! " : "";
|
||||
+ char abuf[INET_ADDRSTRLEN];
|
||||
int i;
|
||||
|
||||
for (i = 0; i < cnt; i++) {
|
||||
@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs,
|
||||
|
||||
printf("%s", ether_ntoa(&pairs[i].ether));
|
||||
if (pairs[i].in.s_addr != INADDR_ANY)
|
||||
- printf("=%s", inet_ntoa(pairs[i].in));
|
||||
+ printf("=%s", inet_ntop(AF_INET, &pairs[i].in,
|
||||
+ abuf, sizeof(abuf)));
|
||||
}
|
||||
printf(" ");
|
||||
}
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index 0d32a30010519..a5b835b1f681d 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
|
||||
|
||||
static const char *mask_to_str(uint32_t mask)
|
||||
{
|
||||
- static char mask_str[sizeof("255.255.255.255")];
|
||||
+ static char mask_str[INET_ADDRSTRLEN];
|
||||
uint32_t bits, hmask = ntohl(mask);
|
||||
struct in_addr mask_addr = {
|
||||
.s_addr = mask,
|
||||
@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask)
|
||||
if (i >= 0)
|
||||
sprintf(mask_str, "%u", i);
|
||||
else
|
||||
- sprintf(mask_str, "%s", inet_ntoa(mask_addr));
|
||||
+ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
|
||||
|
||||
return mask_str;
|
||||
}
|
||||
@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
|
||||
static void save_ipv4_addr(char letter, const struct in_addr *addr,
|
||||
uint32_t mask, int invert)
|
||||
{
|
||||
+ char addrbuf[INET_ADDRSTRLEN];
|
||||
+
|
||||
if (!mask && !invert && !addr->s_addr)
|
||||
return;
|
||||
|
||||
- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr),
|
||||
+ printf("%s-%c %s/%s ", invert ? "! " : "", letter,
|
||||
+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
|
||||
mask_to_str(mask));
|
||||
}
|
||||
|
||||
@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
|
||||
const struct in_addr *mask,
|
||||
bool inv, struct xt_xlate *xl)
|
||||
{
|
||||
+ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN];
|
||||
const char *op = inv ? "!= " : "";
|
||||
int cidr;
|
||||
|
||||
if (!inv && !addr->s_addr && !mask->s_addr)
|
||||
return;
|
||||
|
||||
+ inet_ntop(AF_INET, addr, abuf, sizeof(abuf));
|
||||
+
|
||||
cidr = xtables_ipmask_to_cidr(mask);
|
||||
switch (cidr) {
|
||||
case -1:
|
||||
- /* inet_ntoa() is not reentrant */
|
||||
- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
|
||||
- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
|
||||
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
|
||||
+ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)),
|
||||
+ inv ? "!=" : "==", abuf);
|
||||
break;
|
||||
case 32:
|
||||
- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf);
|
||||
break;
|
||||
default:
|
||||
- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
|
||||
- cidr);
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
181
0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
Normal file
181
0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
Normal file
@ -0,0 +1,181 @@
|
||||
From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 27 Apr 2021 10:02:34 +0200
|
||||
Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string()
|
||||
|
||||
This eliminates quite a bit of redundant code apart from also dropping
|
||||
use of obsolete function gethostbyaddr().
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c)
|
||||
---
|
||||
iptables/nft-arp.c | 99 ++++------------------------------------------
|
||||
iptables/xshared.c | 6 +--
|
||||
iptables/xshared.h | 3 ++
|
||||
3 files changed, 14 insertions(+), 94 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
|
||||
index c82ffdc95e300..2a9387a18dffe 100644
|
||||
--- a/iptables/nft-arp.c
|
||||
+++ b/iptables/nft-arp.c
|
||||
@@ -42,78 +42,6 @@ char *arp_opcodes[] =
|
||||
"ARP_NAK",
|
||||
};
|
||||
|
||||
-static char *
|
||||
-addr_to_dotted(const struct in_addr *addrp)
|
||||
-{
|
||||
- static char buf[20];
|
||||
- const unsigned char *bytep;
|
||||
-
|
||||
- bytep = (const unsigned char *) &(addrp->s_addr);
|
||||
- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
|
||||
- return buf;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_host(const struct in_addr *addr)
|
||||
-{
|
||||
- struct hostent *host;
|
||||
-
|
||||
- if ((host = gethostbyaddr((char *) addr,
|
||||
- sizeof(struct in_addr), AF_INET)) != NULL)
|
||||
- return (char *) host->h_name;
|
||||
-
|
||||
- return (char *) NULL;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_network(const struct in_addr *addr)
|
||||
-{
|
||||
- struct netent *net;
|
||||
-
|
||||
- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
|
||||
- return (char *) net->n_name;
|
||||
-
|
||||
- return (char *) NULL;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_anyname(const struct in_addr *addr)
|
||||
-{
|
||||
- char *name;
|
||||
-
|
||||
- if ((name = addr_to_host(addr)) != NULL ||
|
||||
- (name = addr_to_network(addr)) != NULL)
|
||||
- return name;
|
||||
-
|
||||
- return addr_to_dotted(addr);
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-mask_to_dotted(const struct in_addr *mask)
|
||||
-{
|
||||
- int i;
|
||||
- static char buf[22];
|
||||
- u_int32_t maskaddr, bits;
|
||||
-
|
||||
- maskaddr = ntohl(mask->s_addr);
|
||||
-
|
||||
- if (maskaddr == 0xFFFFFFFFL)
|
||||
- /* we don't want to see "/32" */
|
||||
- return "";
|
||||
-
|
||||
- i = 32;
|
||||
- bits = 0xFFFFFFFEL;
|
||||
- while (--i >= 0 && maskaddr != bits)
|
||||
- bits <<= 1;
|
||||
- if (i >= 0)
|
||||
- sprintf(buf, "/%d", i);
|
||||
- else
|
||||
- /* mask was not a decent combination of 1's and 0's */
|
||||
- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask));
|
||||
-
|
||||
- return buf;
|
||||
-}
|
||||
-
|
||||
static bool need_devaddr(struct arpt_devaddr_info *info)
|
||||
{
|
||||
int i;
|
||||
@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
unsigned int format)
|
||||
{
|
||||
const struct arpt_entry *fw = &cs->arp;
|
||||
- char buf[BUFSIZ];
|
||||
char iface[IFNAMSIZ+2];
|
||||
const char *sep = "";
|
||||
int print_iface = 0;
|
||||
@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
}
|
||||
|
||||
if (fw->arp.smsk.s_addr != 0L) {
|
||||
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
|
||||
- ? "! " : "");
|
||||
- if (format & FMT_NUMERIC)
|
||||
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
|
||||
- else
|
||||
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
|
||||
- strncat(buf, mask_to_dotted(&(fw->arp.smsk)),
|
||||
- sizeof(buf) - strlen(buf) - 1);
|
||||
- printf("-s %s", buf);
|
||||
+ printf("%s%s-s %s", sep,
|
||||
+ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "",
|
||||
+ ipv4_addr_to_string(&fw->arp.src,
|
||||
+ &fw->arp.smsk, format));
|
||||
sep = " ";
|
||||
}
|
||||
|
||||
@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
after_devsrc:
|
||||
|
||||
if (fw->arp.tmsk.s_addr != 0L) {
|
||||
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
|
||||
- ? "! " : "");
|
||||
- if (format & FMT_NUMERIC)
|
||||
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
|
||||
- else
|
||||
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
|
||||
- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)),
|
||||
- sizeof(buf) - strlen(buf) - 1);
|
||||
- printf("-d %s", buf);
|
||||
+ printf("%s%s-d %s", sep,
|
||||
+ fw->arp.invflags & IPT_INV_DSTIP ? "! " : "",
|
||||
+ ipv4_addr_to_string(&fw->arp.tgt,
|
||||
+ &fw->arp.tmsk, format));
|
||||
sep = " ";
|
||||
}
|
||||
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index 71f689901e1d4..9a1f465a5a6d3 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store)
|
||||
}
|
||||
#endif
|
||||
|
||||
-static const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
- const struct in_addr *mask,
|
||||
- unsigned int format)
|
||||
+const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ unsigned int format)
|
||||
{
|
||||
static char buf[BUFSIZ];
|
||||
|
||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
||||
index 9159b2b1f3768..1e86aba8b2375 100644
|
||||
--- a/iptables/xshared.h
|
||||
+++ b/iptables/xshared.h
|
||||
@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store);
|
||||
# define debug_print_argv(...) /* nothing */
|
||||
#endif
|
||||
|
||||
+const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ unsigned int format);
|
||||
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
|
||||
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -55,11 +55,6 @@ if [ ! -x /sbin/$IPTABLES ]; then
|
||||
exit 5
|
||||
fi
|
||||
|
||||
# Old or new modutils
|
||||
/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
|
||||
&& NEW_MODUTILS=1 \
|
||||
|| NEW_MODUTILS=0
|
||||
|
||||
# Default firewall configuration:
|
||||
IPTABLES_MODULES=""
|
||||
IPTABLES_SAVE_ON_STOP="no"
|
||||
@ -75,13 +70,33 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000
|
||||
# Load firewall configuration.
|
||||
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
|
||||
|
||||
is_iptables_nft() {
|
||||
iptables --version | grep -q '(nf_tables)'
|
||||
}
|
||||
|
||||
netfilter_active() {
|
||||
is_iptables_nft && return 0
|
||||
[ -e "$PROC_IPTABLES_NAMES" ]
|
||||
}
|
||||
|
||||
netfilter_tables() {
|
||||
netfilter_active || return 1
|
||||
is_iptables_nft && {
|
||||
# explicitly omit security table from this list as
|
||||
# it should be reserved for SELinux use
|
||||
echo "raw mangle filter nat"
|
||||
return 0
|
||||
}
|
||||
cat "$PROC_IPTABLES_NAMES" 2>/dev/null
|
||||
}
|
||||
|
||||
# Get active tables
|
||||
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
||||
NF_TABLES=$(netfilter_tables)
|
||||
|
||||
|
||||
flush_n_delete() {
|
||||
# Flush firewall rules and delete chains.
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
||||
netfilter_active || return 0
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
[ -z "$NF_TABLES" ] && return 1
|
||||
@ -113,10 +128,10 @@ set_policy() {
|
||||
policy=$1
|
||||
|
||||
# Check if iptable module is loaded
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
||||
netfilter_active || return 0
|
||||
|
||||
# Check if firewall is configured (has tables)
|
||||
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
|
||||
tables=$(netfilter_tables)
|
||||
[ -z "$tables" ] && return 1
|
||||
|
||||
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
|
||||
@ -166,7 +181,7 @@ load_sysctl() {
|
||||
echo -n $"Loading sysctl settings: "
|
||||
ret=0
|
||||
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
|
||||
fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
|
||||
fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
|
||||
let ret+=$?;
|
||||
done
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
@ -217,7 +232,7 @@ start() {
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
# Load additional modules (helpers)
|
||||
if [ -n "$IPTABLES_MODULES" ]; then
|
||||
echo -n $"${IPTABLES}: Loading additional modules: "
|
||||
@ -230,7 +245,7 @@ start() {
|
||||
[ $ret -eq 0 ] && success || failure
|
||||
echo
|
||||
fi
|
||||
|
||||
|
||||
# Load sysctl settings
|
||||
load_sysctl
|
||||
|
||||
@ -240,7 +255,7 @@ start() {
|
||||
|
||||
stop() {
|
||||
# Do not stop if iptables module is not loaded.
|
||||
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
|
||||
netfilter_active || return 0
|
||||
|
||||
# Set default chain policy to ACCEPT, in order to not break shutdown
|
||||
# on systems where the default policy is DROP and root device is
|
||||
@ -248,14 +263,14 @@ stop() {
|
||||
set_policy ACCEPT
|
||||
# And then, flush the rules and delete chains
|
||||
flush_n_delete
|
||||
|
||||
|
||||
rm -f $VAR_SUBSYS_IPTABLES
|
||||
return $ret
|
||||
}
|
||||
|
||||
save() {
|
||||
# Check if iptable module is loaded
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
||||
if ! netfilter_active; then
|
||||
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
|
||||
return 0
|
||||
fi
|
||||
@ -298,7 +313,7 @@ save() {
|
||||
}
|
||||
|
||||
status() {
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
|
||||
if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
|
||||
echo $"${IPTABLES}: Firewall is not running."
|
||||
return 3
|
||||
fi
|
||||
@ -306,7 +321,7 @@ status() {
|
||||
# Do not print status if lockfile is missing and iptables modules are not
|
||||
# loaded.
|
||||
# Check if iptable modules are loaded
|
||||
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
|
||||
if ! netfilter_active; then
|
||||
echo $"${IPTABLES}: Firewall modules are not loaded."
|
||||
return 3
|
||||
fi
|
||||
@ -319,7 +334,7 @@ status() {
|
||||
|
||||
NUM=
|
||||
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
|
||||
VERBOSE=
|
||||
VERBOSE=
|
||||
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
|
||||
COUNT=
|
||||
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
|
||||
|
@ -11,7 +11,7 @@ Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: https://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.7
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
@ -25,10 +25,13 @@ Source9: ebtables.service
|
||||
Source10: ebtables-config
|
||||
|
||||
Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
|
||||
Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
|
||||
Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
|
||||
Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
|
||||
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic Licence 2.0
|
||||
License: GPLv2 and Artistic Licence 2.0 and ISC
|
||||
# iptables-apply: Artistic 2.0
|
||||
License: GPLv2 and Artistic 2.0 and ISC
|
||||
|
||||
# libnetfilter_conntrack is needed for xt_connlabel
|
||||
BuildRequires: pkgconfig(libnetfilter_conntrack)
|
||||
@ -62,6 +65,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Conflicts: setup < 2.10.4-1
|
||||
Requires(post): %{_sbindir}/update-alternatives
|
||||
Requires(postun): %{_sbindir}/update-alternatives
|
||||
Obsoletes: %{name} < %{version}-%{release}
|
||||
%if 0%{?rhel} < 9
|
||||
Provides: iptables
|
||||
%endif
|
||||
@ -84,6 +88,7 @@ and logic for those is kept in per-extension shared object files.
|
||||
|
||||
%package legacy-libs
|
||||
Summary: iptables legacy libraries
|
||||
Obsoletes: %{name}-libs < %{version}-%{release}
|
||||
|
||||
%description legacy-libs
|
||||
iptables libraries.
|
||||
@ -418,6 +423,17 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11
|
||||
- Fix License name in spec file
|
||||
- Eliminate inet_aton() and inet_ntoa()
|
||||
- nft-arp: Make use of ipv4_addr_to_string()
|
||||
- Make legacy sub-packages obsolete older non-legacy ones
|
||||
- Fix dates in changelog
|
||||
- iptables.init: Fix functionality for iptables-nft
|
||||
- iptables.init: Ignore sysctl files not suffixed '.conf'
|
||||
- iptables.init: Drop unused NEW_MODUTILS check
|
||||
- iptables.init: Drop some trailing whitespace
|
||||
|
||||
* Fri Apr 23 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-10
|
||||
- Add provides to iptables-nft-services
|
||||
|
||||
@ -460,13 +476,13 @@ fi
|
||||
* Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.8.7-1
|
||||
- Update to 1.8.7. Fixes rhbz#1916948
|
||||
|
||||
* Thu Nov 19 17:32:24 CET 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-5
|
||||
* Thu Nov 19 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-5
|
||||
- Use make macros
|
||||
|
||||
* Tue Nov 17 14:05:30 CET 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-4
|
||||
* Tue Nov 17 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-4
|
||||
- ebtables: Fix for broken chain renaming
|
||||
|
||||
* Mon Nov 16 13:39:22 CET 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-3
|
||||
* Mon Nov 16 2020 Phil Sutter <psutter@redhat.com> - 1.8.6-3
|
||||
- Drop obsolete StandardOutput setting from unit file
|
||||
- Remove StandardError setting from unit file, its value is default
|
||||
|
||||
@ -476,7 +492,7 @@ fi
|
||||
* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.8.6-1
|
||||
- Update to 1.8.6. Fixes bug #1893453
|
||||
|
||||
* Tue Aug 25 15:56:10 GMT 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3
|
||||
* Tue Aug 25 2020 Phil Sutter <psutter@redhat.com> - 1.8.5-3
|
||||
- nft: cache: Check consistency with NFT_CL_FAKE, too
|
||||
- nft: Fix command name in ip6tables error message
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user