From 4a68e9f94a009775f3133e69780c375979740e2e Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 12 May 2021 12:12:59 +0200 Subject: [PATCH] iptables-1.8.7-11.el9 - Fix License name in spec file - Eliminate inet_aton() and inet_ntoa() - nft-arp: Make use of ipv4_addr_to_string() - Make legacy sub-packages obsolete older non-legacy ones - Fix dates in changelog - iptables.init: Fix functionality for iptables-nft - iptables.init: Ignore sysctl files not suffixed '.conf' - iptables.init: Drop unused NEW_MODUTILS check - iptables.init: Drop some trailing whitespace Resolves: RHBZ#1954581, RHBZ#1958262 --- ...it-gracefully-on-invalid-table-names.patch | 6 +- ...late-Fix-translation-of-odd-netmasks.patch | 196 ++++++++++++++++++ 0003-Eliminate-inet_aton-and-inet_ntoa.patch | 120 +++++++++++ ...-arp-Make-use-of-ipv4_addr_to_string.patch | 181 ++++++++++++++++ iptables.init | 51 +++-- iptables.spec | 30 ++- 6 files changed, 556 insertions(+), 28 deletions(-) create mode 100644 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch create mode 100644 0003-Eliminate-inet_aton-and-inet_ntoa.patch create mode 100644 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch diff --git a/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch b/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch index ba625a2..a3775af 100644 --- a/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch +++ b/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch @@ -1,4 +1,4 @@ -From 30c1d443896311e69762d6b51b63908ec602574f Mon Sep 17 00:00:00 2001 +From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 28 Jan 2021 01:09:56 +0100 Subject: [PATCH] ebtables: Exit gracefully on invalid table names @@ -22,7 +22,7 @@ With this patch in place, output looks much better: | Perhaps iptables or your kernel needs to be upgraded. 
Signed-off-by: Phil Sutter -Signed-off-by: Phil Sutter +(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f) --- iptables/xtables-eb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) @@ -47,5 +47,5 @@ index cfa9317c78e94..5bb34d6d292a9 100644 table_set = true; break; -- -2.28.0 +2.31.1 diff --git a/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch b/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch new file mode 100644 index 0000000..9be2e9e --- /dev/null +++ b/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch 
@@ -0,0 +1,196 @@ +From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 2 Mar 2021 14:50:07 +0100 +Subject: [PATCH] xtables-translate: Fix translation of odd netmasks + +Iptables supports netmasks which are not prefixes to match on (or +ignore) arbitrary bits in an address. Yet nftables' prefix notation is +available for real prefixes only, so translation is not as trivial - +print bitmask syntax for those cases. + +Signed-off-by: Phil Sutter +(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae) +--- + extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++ + extensions/libxt_standard.t | 12 ++++++++++ + iptables/nft-ipv4.c | 42 ++++++++++++++++++++++---------- + iptables/nft-ipv6.c | 19 ++++++++++++--- + 4 files changed, 106 insertions(+), 15 deletions(-) + +diff --git a/extensions/generic.txlate b/extensions/generic.txlate +index 0e256c3727559..9ae9a5b54c1b9 100644 +--- a/extensions/generic.txlate ++++ b/extensions/generic.txlate +@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter + iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8 + nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter + ++iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0 ++nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter ++ ++iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0 ++nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter ++ ++iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255 ++nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter ++ ++iptables-translate -I INPUT ! 
-s 10.11.12.13/0.255.0.255 ++nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter ++ ++iptables-translate -I INPUT -s 0.0.0.0/16 ++nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter ++ ++iptables-translate -I INPUT -s 0.0.0.0/0 ++nft insert rule ip filter INPUT counter ++ ++iptables-translate -I INPUT ! -s 0.0.0.0/0 ++nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter ++ ++ip6tables-translate -I INPUT -i iifname -s feed::/16 ++nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter ++ ++ip6tables-translate -A INPUT -i iif+ ! -d feed::/16 ++nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter ++ ++ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00:: ++nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter ++ ++ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0 ++nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter ++ ++ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff ++nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter ++ ++ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff ++nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter ++ ++ip6tables-translate -I INPUT -s ::/16 ++nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter ++ ++ip6tables-translate -I INPUT -s ::/0 ++nft insert rule ip6 filter INPUT counter ++ ++ip6tables-translate -I INPUT ! 
-s ::/0 ++nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter ++ + ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0 + nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter + +diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t +index 4313f7b7bac9d..56d6da2e5884e 100644 +--- a/extensions/libxt_standard.t ++++ b/extensions/libxt_standard.t +@@ -9,3 +9,15 @@ + -j ACCEPT;=;OK + -j RETURN;=;OK + ! -p 0 -j ACCEPT;=;FAIL ++-s 10.11.12.13/8;-s 10.0.0.0/8;OK ++-s 10.11.12.13/9;-s 10.0.0.0/9;OK ++-s 10.11.12.13/10;-s 10.0.0.0/10;OK ++-s 10.11.12.13/11;-s 10.0.0.0/11;OK ++-s 10.11.12.13/12;-s 10.0.0.0/12;OK ++-s 10.11.12.13/30;-s 10.11.12.12/30;OK ++-s 10.11.12.13/31;-s 10.11.12.12/31;OK ++-s 10.11.12.13/32;-s 10.11.12.13/32;OK ++-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK ++-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK ++-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK ++-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK +diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c +index fdc15c6f04066..0d32a30010519 100644 +--- a/iptables/nft-ipv4.c ++++ b/iptables/nft-ipv4.c +@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command, + " source or destination IP addresses"); + } + ++static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr, ++ const struct in_addr *mask, ++ bool inv, struct xt_xlate *xl) ++{ ++ const char *op = inv ? "!= " : ""; ++ int cidr; ++ ++ if (!inv && !addr->s_addr && !mask->s_addr) ++ return; ++ ++ cidr = xtables_ipmask_to_cidr(mask); ++ switch (cidr) { ++ case -1: ++ /* inet_ntoa() is not reentrant */ ++ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask)); ++ xt_xlate_add(xl, "%s %s ", inv ? 
"!=" : "==", inet_ntoa(*addr)); ++ break; ++ case 32: ++ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr)); ++ break; ++ default: ++ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr), ++ cidr); ++ } ++} ++ + static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) + { + const struct iptables_command_state *cs = data; +@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) + } + } + +- if (cs->fw.ip.src.s_addr != 0) { +- xt_xlate_add(xl, "ip saddr %s%s%s ", +- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "", +- inet_ntoa(cs->fw.ip.src), +- xtables_ipmask_to_numeric(&cs->fw.ip.smsk)); +- } +- if (cs->fw.ip.dst.s_addr != 0) { +- xt_xlate_add(xl, "ip daddr %s%s%s ", +- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "", +- inet_ntoa(cs->fw.ip.dst), +- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk)); +- } ++ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk, ++ cs->fw.ip.invflags & IPT_INV_SRCIP, xl); ++ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk, ++ cs->fw.ip.invflags & IPT_INV_DSTIP, xl); + + ret = xlate_matches(cs, xl); + if (!ret) +diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c +index 130ad3e6e7c44..46008fc5e762a 100644 +--- a/iptables/nft-ipv6.c ++++ b/iptables/nft-ipv6.c +@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr, + const struct in6_addr *mask, + int invert, struct xt_xlate *xl) + { ++ const char *op = invert ? "!= " : ""; + char addr_str[INET6_ADDRSTRLEN]; ++ int cidr; + +- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr)) ++ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask)) + return; + + inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN); +- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? 
"!= " : "", addr_str, +- xtables_ip6mask_to_numeric(mask)); ++ cidr = xtables_ip6mask_to_cidr(mask); ++ switch (cidr) { ++ case -1: ++ xt_xlate_add(xl, "%s & %s %s %s ", selector, ++ xtables_ip6addr_to_numeric(mask), ++ invert ? "!=" : "==", addr_str); ++ break; ++ case 128: ++ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str); ++ break; ++ default: ++ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr); ++ } + } + + static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl) +-- +2.31.1 + diff --git a/0003-Eliminate-inet_aton-and-inet_ntoa.patch b/0003-Eliminate-inet_aton-and-inet_ntoa.patch new file mode 100644 index 0000000..e5ab459 --- /dev/null +++ b/0003-Eliminate-inet_aton-and-inet_ntoa.patch 
@@ -0,0 +1,120 @@ +From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 27 Apr 2021 09:12:53 +0200 +Subject: [PATCH] Eliminate inet_aton() and inet_ntoa() + +Both functions are obsolete, replace them by equivalent calls to +inet_pton() and inet_ntop(). + +Signed-off-by: Phil Sutter +(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3) +--- + extensions/libebt_among.c | 6 ++++-- + iptables/nft-ipv4.c | 23 ++++++++++++++--------- + 2 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c +index 2b9a1b6566684..7eb898f984bba 100644 +--- a/extensions/libebt_among.c ++++ b/extensions/libebt_among.c +@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip) + if (sep) { + *sep = '\0'; + +- if (!inet_aton(sep + 1, &pair->in)) ++ if (!inet_pton(AF_INET, sep + 1, &pair->in)) + xtables_error(PARAMETER_PROBLEM, + "Invalid IP address '%s'\n", sep + 1); + } +@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs, + int cnt, bool inv, bool have_ip) + { + const char *isep = inv ? "! 
" : ""; ++ char abuf[INET_ADDRSTRLEN]; + int i; + + for (i = 0; i < cnt; i++) { +@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs, + + printf("%s", ether_ntoa(&pairs[i].ether)); + if (pairs[i].in.s_addr != INADDR_ANY) +- printf("=%s", inet_ntoa(pairs[i].in)); ++ printf("=%s", inet_ntop(AF_INET, &pairs[i].in, ++ abuf, sizeof(abuf))); + } + printf(" "); + } +diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c +index 0d32a30010519..a5b835b1f681d 100644 +--- a/iptables/nft-ipv4.c ++++ b/iptables/nft-ipv4.c +@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv) + + static const char *mask_to_str(uint32_t mask) + { +- static char mask_str[sizeof("255.255.255.255")]; ++ static char mask_str[INET_ADDRSTRLEN]; + uint32_t bits, hmask = ntohl(mask); + struct in_addr mask_addr = { + .s_addr = mask, +@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask) + if (i >= 0) + sprintf(mask_str, "%u", i); + else +- sprintf(mask_str, "%s", inet_ntoa(mask_addr)); ++ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str)); + + return mask_str; + } +@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r, + static void save_ipv4_addr(char letter, const struct in_addr *addr, + uint32_t mask, int invert) + { ++ char addrbuf[INET_ADDRSTRLEN]; ++ + if (!mask && !invert && !addr->s_addr) + return; + +- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr), ++ printf("%s-%c %s/%s ", invert ? "! " : "", letter, ++ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)), + mask_to_str(mask)); + } + +@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr, + const struct in_addr *mask, + bool inv, struct xt_xlate *xl) + { ++ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN]; + const char *op = inv ? 
"!= " : ""; + int cidr; + + if (!inv && !addr->s_addr && !mask->s_addr) + return; + ++ inet_ntop(AF_INET, addr, abuf, sizeof(abuf)); ++ + cidr = xtables_ipmask_to_cidr(mask); + switch (cidr) { + case -1: +- /* inet_ntoa() is not reentrant */ +- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask)); +- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr)); ++ xt_xlate_add(xl, "%s & %s %s %s ", selector, ++ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)), ++ inv ? "!=" : "==", abuf); + break; + case 32: +- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr)); ++ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf); + break; + default: +- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr), +- cidr); ++ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr); + } + } + +-- +2.31.1 + diff --git a/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch b/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch new file mode 100644 index 0000000..10b4794 --- /dev/null +++ b/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch 
@@ -0,0 +1,181 @@ +From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 27 Apr 2021 10:02:34 +0200 +Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string() + +This eliminates quite a bit of redundant code apart from also dropping +use of obsolete function gethostbyaddr(). + +Signed-off-by: Phil Sutter +(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c) +--- + iptables/nft-arp.c | 99 ++++------------------------------------------ + iptables/xshared.c | 6 +-- + iptables/xshared.h | 3 ++ + 3 files changed, 14 insertions(+), 94 deletions(-) + +diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c +index c82ffdc95e300..2a9387a18dffe 100644 +--- a/iptables/nft-arp.c ++++ b/iptables/nft-arp.c +@@ -42,78 +42,6 @@ char *arp_opcodes[] = + "ARP_NAK", + }; + +-static char * +-addr_to_dotted(const struct in_addr *addrp) +-{ +- static char buf[20]; +- const unsigned char *bytep; +- +- bytep = (const unsigned char *) &(addrp->s_addr); +- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]); +- return buf; +-} +- +-static char * +-addr_to_host(const struct in_addr *addr) +-{ +- struct hostent *host; +- +- if ((host = gethostbyaddr((char *) addr, +- sizeof(struct in_addr), AF_INET)) != NULL) +- return (char *) host->h_name; +- +- return (char *) NULL; +-} +- +-static char * +-addr_to_network(const struct in_addr *addr) +-{ +- struct netent *net; +- +- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL) +- return (char *) net->n_name; +- +- return (char *) NULL; +-} +- +-static char * +-addr_to_anyname(const struct in_addr *addr) +-{ +- char *name; +- +- if ((name = addr_to_host(addr)) != NULL || +- (name = addr_to_network(addr)) != NULL) +- return name; +- +- return addr_to_dotted(addr); +-} +- +-static char * +-mask_to_dotted(const struct in_addr *mask) +-{ +- int i; +- static char buf[22]; +- u_int32_t maskaddr, bits; +- +- maskaddr = ntohl(mask->s_addr); +- +- if (maskaddr == 
0xFFFFFFFFL) +- /* we don't want to see "/32" */ +- return ""; +- +- i = 32; +- bits = 0xFFFFFFFEL; +- while (--i >= 0 && maskaddr != bits) +- bits <<= 1; +- if (i >= 0) +- sprintf(buf, "/%d", i); +- else +- /* mask was not a decent combination of 1's and 0's */ +- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask)); +- +- return buf; +-} +- + static bool need_devaddr(struct arpt_devaddr_info *info) + { + int i; +@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, + unsigned int format) + { + const struct arpt_entry *fw = &cs->arp; +- char buf[BUFSIZ]; + char iface[IFNAMSIZ+2]; + const char *sep = ""; + int print_iface = 0; +@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, + } + + if (fw->arp.smsk.s_addr != 0L) { +- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP +- ? "! " : ""); +- if (format & FMT_NUMERIC) +- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src))); +- else +- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src))); +- strncat(buf, mask_to_dotted(&(fw->arp.smsk)), +- sizeof(buf) - strlen(buf) - 1); +- printf("-s %s", buf); ++ printf("%s%s-s %s", sep, ++ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "", ++ ipv4_addr_to_string(&fw->arp.src, ++ &fw->arp.smsk, format)); + sep = " "; + } + +@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, + after_devsrc: + + if (fw->arp.tmsk.s_addr != 0L) { +- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP +- ? "! " : ""); +- if (format & FMT_NUMERIC) +- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt))); +- else +- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt))); +- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)), +- sizeof(buf) - strlen(buf) - 1); +- printf("-d %s", buf); ++ printf("%s%s-d %s", sep, ++ fw->arp.invflags & IPT_INV_DSTIP ? "! 
" : "", ++ ipv4_addr_to_string(&fw->arp.tgt, ++ &fw->arp.tmsk, format)); + sep = " "; + } + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 71f689901e1d4..9a1f465a5a6d3 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store) + } + #endif + +-static const char *ipv4_addr_to_string(const struct in_addr *addr, +- const struct in_addr *mask, +- unsigned int format) ++const char *ipv4_addr_to_string(const struct in_addr *addr, ++ const struct in_addr *mask, ++ unsigned int format) + { + static char buf[BUFSIZ]; + +diff --git a/iptables/xshared.h b/iptables/xshared.h +index 9159b2b1f3768..1e86aba8b2375 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store); + # define debug_print_argv(...) /* nothing */ + #endif + ++const char *ipv4_addr_to_string(const struct in_addr *addr, ++ const struct in_addr *mask, ++ unsigned int format); + void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); + void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); + +-- +2.31.1 + diff --git a/iptables.init b/iptables.init index 51155b0..ffbd742 100755 --- a/iptables.init +++ b/iptables.init @@ -55,11 +55,6 @@ if [ ! -x /sbin/$IPTABLES ]; then exit 5 fi -# Old or new modutils -/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \ - && NEW_MODUTILS=1 \ - || NEW_MODUTILS=0 - # Default firewall configuration: IPTABLES_MODULES="" IPTABLES_SAVE_ON_STOP="no" 
@@ -75,13 +70,33 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000 # Load firewall configuration. [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" +is_iptables_nft() { + iptables --version | grep -q '(nf_tables)' +} + +netfilter_active() { + is_iptables_nft && return 0 + [ -e "$PROC_IPTABLES_NAMES" ] +} + +netfilter_tables() { + netfilter_active || return 1 + is_iptables_nft && { + # explicitly omit security table from this list as + # it should be reserved for SELinux use + echo "raw mangle filter nat" + return 0 + } + cat "$PROC_IPTABLES_NAMES" 2>/dev/null +} + # Get active tables -NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) +NF_TABLES=$(netfilter_tables) flush_n_delete() { # Flush firewall rules and delete chains. - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + netfilter_active || return 0 # Check if firewall is configured (has tables) [ -z "$NF_TABLES" ] && return 1 @@ -113,10 +128,10 @@ set_policy() { policy=$1 # Check if iptable module is loaded - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + netfilter_active || return 0 # Check if firewall is configured (has tables) - tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + tables=$(netfilter_tables) [ -z "$tables" ] && return 1 echo -n $"${IPTABLES}: Setting chains to policy $policy: " @@ -166,7 +181,7 @@ load_sysctl() { echo -n $"Loading sysctl settings: " ret=0 for item in $IPTABLES_SYSCTL_LOAD_LIST; do - fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null + fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null let ret+=$?; done [ $ret -eq 0 ] && success || failure @@ -217,7 +232,7 @@ start() { return 1 fi fi - + # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then echo -n $"${IPTABLES}: Loading additional modules: " @@ -230,7 +245,7 @@ start() { [ $ret -eq 0 ] && success || failure echo fi - + # Load sysctl settings load_sysctl 
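Review bot: `is_iptables_nft()` hard-codes `iptables --version` and resolves it through PATH, while the rest of the script operates on `/sbin/$IPTABLES` (the executable check just above exits 5 if that path is missing), so when this init script runs as ip6tables the variant detected is that of a different binary. Use the binary the script is about to drive: `/sbin/$IPTABLES --version | grep -q '(nf_tables)'`. Every netfilter_active()/netfilter_tables() call re-executes it; evaluating it once after the config file is sourced and storing the result in a variable would keep flush_n_delete, set_policy, stop, save and status from forking it several times per run. The hard-coded `raw mangle filter nat` list is commented as deliberately omitting security, which is good; a reader would also benefit from a comment noting that under iptables-nft these tables are not probed for existence, so flush_n_delete and set_policy will run against tables that may have been absent before — whether that creates them depends on iptables-nft behaviour not visible here.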
@@ -240,7 +255,7 @@ start() { stop() { # Do not stop if iptables module is not loaded. - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + netfilter_active || return 0 # Set default chain policy to ACCEPT, in order to not break shutdown # on systems where the default policy is DROP and root device is @@ -248,14 +263,14 @@ stop() { set_policy ACCEPT # And then, flush the rules and delete chains flush_n_delete - + rm -f $VAR_SUBSYS_IPTABLES return $ret } save() { # Check if iptable module is loaded - if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + if ! netfilter_active; then echo -n $"${IPTABLES}: Nothing to save."; warning; echo return 0 fi @@ -298,7 +313,7 @@ save() { } status() { - if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then + if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then echo $"${IPTABLES}: Firewall is not running." return 3 fi @@ -306,7 +321,7 @@ status() { # Do not print status if lockfile is missing and iptables modules are not # loaded. # Check if iptable modules are loaded - if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + if ! netfilter_active; then echo $"${IPTABLES}: Firewall modules are not loaded." return 3 fi @@ -319,7 +334,7 @@ status() { NUM= [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" - VERBOSE= + VERBOSE= [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" COUNT= [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" diff --git a/iptables.spec b/iptables.spec index 2f4b4f9..3f1cbec 100644 --- a/iptables.spec +++ b/iptables.spec @@ -11,7 +11,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.7 -Release: 10%{?dist} +Release: 11%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config 
@@ -25,10 +25,13 @@ Source9: ebtables.service Source10: ebtables-config Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch +Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch +Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch +Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch # pf.os: ISC license -# iptables-apply: Artistic Licence 2.0 -License: GPLv2 and Artistic Licence 2.0 and ISC +# iptables-apply: Artistic 2.0 +License: GPLv2 and Artistic 2.0 and ISC # libnetfilter_conntrack is needed for xt_connlabel BuildRequires: pkgconfig(libnetfilter_conntrack) @@ -62,6 +65,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Conflicts: setup < 2.10.4-1 Requires(post): %{_sbindir}/update-alternatives Requires(postun): %{_sbindir}/update-alternatives +Obsoletes: %{name} < %{version}-%{release} %if 0%{?rhel} < 9 Provides: iptables %endif @@ -84,6 +88,7 @@ and logic for those is kept in per-extension shared object files. %package legacy-libs Summary: iptables legacy libraries +Obsoletes: %{name}-libs < %{version}-%{release} %description legacy-libs iptables libraries. @@ -418,6 +423,17 @@ fi %changelog +* Wed May 12 2021 Phil Sutter - 1.8.7-11 +- Fix License name in spec file +- Eliminate inet_aton() and inet_ntoa() +- nft-arp: Make use of ipv4_addr_to_string() +- Make legacy sub-packages obsolete older non-legacy ones +- Fix dates in changelog +- iptables.init: Fix functionality for iptables-nft +- iptables.init: Ignore sysctl files not suffixed '.conf' +- iptables.init: Drop unused NEW_MODUTILS check +- iptables.init: Drop some trailing whitespace + * Fri Apr 23 2021 Phil Sutter - 1.8.7-10 - Add provides to iptables-nft-services 
@@ -460,13 +476,13 @@ fi * Sat Jan 16 2021 Kevin Fenzi - 1.8.7-1 - Update to 1.8.7. Fixes rhbz#1916948 -* Thu Nov 19 17:32:24 CET 2020 Tom Stellard - 1.8.6-5 +* Thu Nov 19 2020 Tom Stellard - 1.8.6-5 - Use make macros -* Tue Nov 17 14:05:30 CET 2020 Phil Sutter - 1.8.6-4 +* Tue Nov 17 2020 Phil Sutter - 1.8.6-4 - ebtables: Fix for broken chain renaming -* Mon Nov 16 13:39:22 CET 2020 Phil Sutter - 1.8.6-3 +* Mon Nov 16 2020 Phil Sutter - 1.8.6-3 - Drop obsolete StandardOutput setting from unit file - Remove StandardError setting from unit file, its value is default @@ -476,7 +492,7 @@ fi * Sat Oct 31 2020 Kevin Fenzi - 1.8.6-1 - Update to 1.8.6. Fixes bug #1893453 -* Tue Aug 25 15:56:10 GMT 2020 Phil Sutter - 1.8.5-3 +* Tue Aug 25 2020 Phil Sutter - 1.8.5-3 - nft: cache: Check consistency with NFT_CL_FAKE, too - nft: Fix command name in ip6tables error message