import iptables-1.8.7-23.el9

This commit is contained in:
CentOS Sources 2021-11-03 20:30:59 -04:00 committed by Stepan Oksanichenko
commit 625178622b
32 changed files with 4811 additions and 0 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/iptables-1.8.7.tar.bz2

1
.iptables.metadata Normal file
View File

@ -0,0 +1 @@
05ef75415cb7cb7641f51d51e74f3ea29cc31ab1 SOURCES/iptables-1.8.7.tar.bz2

View File

@ -0,0 +1,51 @@
From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 28 Jan 2021 01:09:56 +0100
Subject: [PATCH] ebtables: Exit gracefully on invalid table names
Users are able to cause program abort by passing a table name that
doesn't exist:
| # ebtables-nft -t dummy -P INPUT ACCEPT
| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
| Aborted
Avoid this by checking table existence just like iptables-nft does upon
parsing '-t' optarg. Since the list of tables is known and fixed,
checking the given name's length is pointless. So just drop that check
in return.
With this patch in place, output looks much better:
| # ebtables-nft -t dummy -P INPUT ACCEPT
| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
| Perhaps iptables or your kernel needs to be upgraded.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
---
iptables/xtables-eb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index cfa9317c78e94..5bb34d6d292a9 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -914,10 +914,10 @@ print_zero:
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be used in %s.\n",
line, xt_params->program_name);
- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
- xtables_error(PARAMETER_PROBLEM,
- "Table name length cannot exceed %d characters",
- EBT_TABLE_MAXNAMELEN - 1);
+ if (!nft_table_builtin_find(h, optarg))
+ xtables_error(VERSION_PROBLEM,
+ "table '%s' does not exist",
+ optarg);
*table = optarg;
table_set = true;
break;
--
2.31.1

View File

@ -0,0 +1,196 @@
From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 2 Mar 2021 14:50:07 +0100
Subject: [PATCH] xtables-translate: Fix translation of odd netmasks
Iptables supports netmasks which are not prefixes to match on (or
ignore) arbitrary bits in an address. Yet nftables' prefix notation is
available for real prefixes only, so translation is not as trivial -
print bitmask syntax for those cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae)
---
extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++
extensions/libxt_standard.t | 12 ++++++++++
iptables/nft-ipv4.c | 42 ++++++++++++++++++++++----------
iptables/nft-ipv6.c | 19 ++++++++++++---
4 files changed, 106 insertions(+), 15 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 0e256c3727559..9ae9a5b54c1b9 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0
+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter
+
+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0
+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter
+
+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter
+
+iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter
+
+iptables-translate -I INPUT -s 0.0.0.0/16
+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter
+
+iptables-translate -I INPUT -s 0.0.0.0/0
+nft insert rule ip filter INPUT counter
+
+iptables-translate -I INPUT ! -s 0.0.0.0/0
+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter
+
+ip6tables-translate -I INPUT -i iifname -s feed::/16
+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter
+
+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16
+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter
+
+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00::
+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter
+
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0
+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter
+
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter
+
+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter
+
+ip6tables-translate -I INPUT -s ::/16
+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter
+
+ip6tables-translate -I INPUT -s ::/0
+nft insert rule ip6 filter INPUT counter
+
+ip6tables-translate -I INPUT ! -s ::/0
+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter
+
ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 4313f7b7bac9d..56d6da2e5884e 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -9,3 +9,15 @@
-j ACCEPT;=;OK
-j RETURN;=;OK
! -p 0 -j ACCEPT;=;FAIL
+-s 10.11.12.13/8;-s 10.0.0.0/8;OK
+-s 10.11.12.13/9;-s 10.0.0.0/9;OK
+-s 10.11.12.13/10;-s 10.0.0.0/10;OK
+-s 10.11.12.13/11;-s 10.0.0.0/11;OK
+-s 10.11.12.13/12;-s 10.0.0.0/12;OK
+-s 10.11.12.13/30;-s 10.11.12.12/30;OK
+-s 10.11.12.13/31;-s 10.11.12.12/31;OK
+-s 10.11.12.13/32;-s 10.11.12.13/32;OK
+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index fdc15c6f04066..0d32a30010519 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command,
" source or destination IP addresses");
}
+static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
+ const struct in_addr *mask,
+ bool inv, struct xt_xlate *xl)
+{
+ const char *op = inv ? "!= " : "";
+ int cidr;
+
+ if (!inv && !addr->s_addr && !mask->s_addr)
+ return;
+
+ cidr = xtables_ipmask_to_cidr(mask);
+ switch (cidr) {
+ case -1:
+ /* inet_ntoa() is not reentrant */
+ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
+ xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
+ break;
+ case 32:
+ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
+ break;
+ default:
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
+ cidr);
+ }
+}
+
static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
{
const struct iptables_command_state *cs = data;
@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
}
}
- if (cs->fw.ip.src.s_addr != 0) {
- xt_xlate_add(xl, "ip saddr %s%s%s ",
- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "",
- inet_ntoa(cs->fw.ip.src),
- xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
- }
- if (cs->fw.ip.dst.s_addr != 0) {
- xt_xlate_add(xl, "ip daddr %s%s%s ",
- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "",
- inet_ntoa(cs->fw.ip.dst),
- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
- }
+ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
+ cs->fw.ip.invflags & IPT_INV_SRCIP, xl);
+ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk,
+ cs->fw.ip.invflags & IPT_INV_DSTIP, xl);
ret = xlate_matches(cs, xl);
if (!ret)
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 130ad3e6e7c44..46008fc5e762a 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
const struct in6_addr *mask,
int invert, struct xt_xlate *xl)
{
+ const char *op = invert ? "!= " : "";
char addr_str[INET6_ADDRSTRLEN];
+ int cidr;
- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
+ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask))
return;
inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str,
- xtables_ip6mask_to_numeric(mask));
+ cidr = xtables_ip6mask_to_cidr(mask);
+ switch (cidr) {
+ case -1:
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
+ xtables_ip6addr_to_numeric(mask),
+ invert ? "!=" : "==", addr_str);
+ break;
+ case 128:
+ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str);
+ break;
+ default:
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr);
+ }
}
static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
--
2.31.1

View File

@ -0,0 +1,120 @@
From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 27 Apr 2021 09:12:53 +0200
Subject: [PATCH] Eliminate inet_aton() and inet_ntoa()
Both functions are obsolete, replace them by equivalent calls to
inet_pton() and inet_ntop().
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3)
---
extensions/libebt_among.c | 6 ++++--
iptables/nft-ipv4.c | 23 ++++++++++++++---------
2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
index 2b9a1b6566684..7eb898f984bba 100644
--- a/extensions/libebt_among.c
+++ b/extensions/libebt_among.c
@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
if (sep) {
*sep = '\0';
- if (!inet_aton(sep + 1, &pair->in))
+ if (!inet_pton(AF_INET, sep + 1, &pair->in))
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address '%s'\n", sep + 1);
}
@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
int cnt, bool inv, bool have_ip)
{
const char *isep = inv ? "! " : "";
+ char abuf[INET_ADDRSTRLEN];
int i;
for (i = 0; i < cnt; i++) {
@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs,
printf("%s", ether_ntoa(&pairs[i].ether));
if (pairs[i].in.s_addr != INADDR_ANY)
- printf("=%s", inet_ntoa(pairs[i].in));
+ printf("=%s", inet_ntop(AF_INET, &pairs[i].in,
+ abuf, sizeof(abuf)));
}
printf(" ");
}
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 0d32a30010519..a5b835b1f681d 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
static const char *mask_to_str(uint32_t mask)
{
- static char mask_str[sizeof("255.255.255.255")];
+ static char mask_str[INET_ADDRSTRLEN];
uint32_t bits, hmask = ntohl(mask);
struct in_addr mask_addr = {
.s_addr = mask,
@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask)
if (i >= 0)
sprintf(mask_str, "%u", i);
else
- sprintf(mask_str, "%s", inet_ntoa(mask_addr));
+ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
return mask_str;
}
@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
static void save_ipv4_addr(char letter, const struct in_addr *addr,
uint32_t mask, int invert)
{
+ char addrbuf[INET_ADDRSTRLEN];
+
if (!mask && !invert && !addr->s_addr)
return;
- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr),
+ printf("%s-%c %s/%s ", invert ? "! " : "", letter,
+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
mask_to_str(mask));
}
@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
const struct in_addr *mask,
bool inv, struct xt_xlate *xl)
{
+ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN];
const char *op = inv ? "!= " : "";
int cidr;
if (!inv && !addr->s_addr && !mask->s_addr)
return;
+ inet_ntop(AF_INET, addr, abuf, sizeof(abuf));
+
cidr = xtables_ipmask_to_cidr(mask);
switch (cidr) {
case -1:
- /* inet_ntoa() is not reentrant */
- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
+ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)),
+ inv ? "!=" : "==", abuf);
break;
case 32:
- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
+ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf);
break;
default:
- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
- cidr);
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr);
}
}
--
2.31.1

View File

@ -0,0 +1,181 @@
From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 27 Apr 2021 10:02:34 +0200
Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string()
This eliminates quite a bit of redundant code apart from also dropping
use of obsolete function gethostbyaddr().
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c)
---
iptables/nft-arp.c | 99 ++++------------------------------------------
iptables/xshared.c | 6 +--
iptables/xshared.h | 3 ++
3 files changed, 14 insertions(+), 94 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index c82ffdc95e300..2a9387a18dffe 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -42,78 +42,6 @@ char *arp_opcodes[] =
"ARP_NAK",
};
-static char *
-addr_to_dotted(const struct in_addr *addrp)
-{
- static char buf[20];
- const unsigned char *bytep;
-
- bytep = (const unsigned char *) &(addrp->s_addr);
- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
- return buf;
-}
-
-static char *
-addr_to_host(const struct in_addr *addr)
-{
- struct hostent *host;
-
- if ((host = gethostbyaddr((char *) addr,
- sizeof(struct in_addr), AF_INET)) != NULL)
- return (char *) host->h_name;
-
- return (char *) NULL;
-}
-
-static char *
-addr_to_network(const struct in_addr *addr)
-{
- struct netent *net;
-
- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
- return (char *) net->n_name;
-
- return (char *) NULL;
-}
-
-static char *
-addr_to_anyname(const struct in_addr *addr)
-{
- char *name;
-
- if ((name = addr_to_host(addr)) != NULL ||
- (name = addr_to_network(addr)) != NULL)
- return name;
-
- return addr_to_dotted(addr);
-}
-
-static char *
-mask_to_dotted(const struct in_addr *mask)
-{
- int i;
- static char buf[22];
- u_int32_t maskaddr, bits;
-
- maskaddr = ntohl(mask->s_addr);
-
- if (maskaddr == 0xFFFFFFFFL)
- /* we don't want to see "/32" */
- return "";
-
- i = 32;
- bits = 0xFFFFFFFEL;
- while (--i >= 0 && maskaddr != bits)
- bits <<= 1;
- if (i >= 0)
- sprintf(buf, "/%d", i);
- else
- /* mask was not a decent combination of 1's and 0's */
- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask));
-
- return buf;
-}
-
static bool need_devaddr(struct arpt_devaddr_info *info)
{
int i;
@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
unsigned int format)
{
const struct arpt_entry *fw = &cs->arp;
- char buf[BUFSIZ];
char iface[IFNAMSIZ+2];
const char *sep = "";
int print_iface = 0;
@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
}
if (fw->arp.smsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
- ? "! " : "");
- if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
- else
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
- strncat(buf, mask_to_dotted(&(fw->arp.smsk)),
- sizeof(buf) - strlen(buf) - 1);
- printf("-s %s", buf);
+ printf("%s%s-s %s", sep,
+ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "",
+ ipv4_addr_to_string(&fw->arp.src,
+ &fw->arp.smsk, format));
sep = " ";
}
@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
after_devsrc:
if (fw->arp.tmsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
- ? "! " : "");
- if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
- else
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)),
- sizeof(buf) - strlen(buf) - 1);
- printf("-d %s", buf);
+ printf("%s%s-d %s", sep,
+ fw->arp.invflags & IPT_INV_DSTIP ? "! " : "",
+ ipv4_addr_to_string(&fw->arp.tgt,
+ &fw->arp.tmsk, format));
sep = " ";
}
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 71f689901e1d4..9a1f465a5a6d3 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store)
}
#endif
-static const char *ipv4_addr_to_string(const struct in_addr *addr,
- const struct in_addr *mask,
- unsigned int format)
+const char *ipv4_addr_to_string(const struct in_addr *addr,
+ const struct in_addr *mask,
+ unsigned int format)
{
static char buf[BUFSIZ];
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 9159b2b1f3768..1e86aba8b2375 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store);
# define debug_print_argv(...) /* nothing */
#endif
+const char *ipv4_addr_to_string(const struct in_addr *addr,
+ const struct in_addr *mask,
+ unsigned int format);
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
--
2.31.1

View File

@ -0,0 +1,33 @@
From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Nov 2020 21:04:39 +0100
Subject: [PATCH] libxtables: Drop leftover variable in
xtables_numeric_to_ip6addr()
Variable 'err' was only used in removed debug code, so drop it as well.
Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
---
libxtables/xtables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index bc42ba8221f3a..6947441fec659 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
{
static struct in6_addr ap;
- int err;
- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
+ if (inet_pton(AF_INET6, num, &ap) == 1)
return &ap;
return NULL;
--
2.31.1

View File

@ -0,0 +1,49 @@
From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Nov 2020 21:13:50 +0100
Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
They are being assigned to but never read.
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
---
extensions/libebt_ip6.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index b8a5a5d8c3a92..301bed9aadefd 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
static struct in6_addr *numeric_to_addr(const char *num)
{
static struct in6_addr ap;
- int err;
- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
+ if (inet_pton(AF_INET6, num, &ap) == 1)
return &ap;
return (struct in6_addr *)NULL;
}
@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
char buf[256];
char *p;
int i;
- int err;
strncpy(buf, address, sizeof(buf) - 1);
/* first the mask */
@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
strcpy(buf, "::");
- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
+ if (inet_pton(AF_INET6, buf, addr) < 1) {
xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
return;
}
--
2.31.1

View File

@ -0,0 +1,29 @@
From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:04:30 +0200
Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
The allocated hostmask duplicate needs to be freed again.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
---
libxtables/xtoptions.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index d329f2ff7979e..0dcdf607f4678 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
cb->arg = p;
xtopt_parse_plenmask(cb);
cb->arg = orig_arg;
+ free(work);
}
static void xtopt_parse_ethermac(struct xt_option_call *cb)
--
2.31.1

View File

@ -0,0 +1,34 @@
From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:55:20 +0200
Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
If rule allocation fails, free the allocated 'cmd' before returning to
caller.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
---
iptables/nft-cmd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 5d33f1f00f574..9b0c964847615 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
if (state) {
rule = nft_rule_new(h, chain, table, state);
- if (!rule)
+ if (!rule) {
+ nft_cmd_free(cmd);
return NULL;
+ }
cmd->obj.rule = rule;
--
2.31.1

View File

@ -0,0 +1,56 @@
From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:58:06 +0200
Subject: [PATCH] nft: Avoid buffer size warnings copying iface names
The call to strncpy() is actually not needed: source buffer is only
IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to
avoid compiler warnings due to size parameter matching the destination
buffer size by performing the copy using (dumb) memcpy() instead.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff)
---
iptables/nft-ipv4.c | 4 ++--
iptables/nft-ipv6.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index a5b835b1f681d..34f94bd8cc24a 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command,
*/
cs->fw.ip.invflags = args->invflags;
- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
memcpy(cs->fw.ip.iniface_mask,
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
memcpy(cs->fw.ip.outiface_mask,
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 46008fc5e762a..d9c9400ad7dc3 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
*/
cs->fw6.ipv6.invflags = args->invflags;
- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
memcpy(cs->fw6.ipv6.iniface_mask,
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
memcpy(cs->fw6.ipv6.outiface_mask,
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
--
2.31.1

View File

@ -0,0 +1,29 @@
From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 12:50:57 +0200
Subject: [PATCH] iptables-apply: Drop unused variable
It was assigned to but never read.
Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
---
iptables/iptables-apply | 1 -
1 file changed, 1 deletion(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 4683b1b402d08..3a7df5e3cbc1f 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -231,7 +231,6 @@ case "$MODE" in
"$RUNCMD" &
CMD_PID=$!
( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
- CMDTIMEOUT_PID=$!
if ! wait "$CMD_PID"; then
echo "failed."
echo "Error: unknown error running command: $RUNCMD" >&2
--
2.31.1

View File

@ -0,0 +1,109 @@
From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 14:04:43 +0200
Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any()
The code was almost identical and suffered from the same problem as
fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
corruption bugs").
The only functional change this involves is ebt_parse_ip6_address() will
now accept hostnames as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4)
---
extensions/libebt_ip6.c | 74 ++++++-----------------------------------
1 file changed, 10 insertions(+), 64 deletions(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index 301bed9aadefd..3cc39271d4658 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match)
memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr));
}
-static struct in6_addr *numeric_to_addr(const char *num)
+/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */
+static void ebt_parse_ip6_address(char *address,
+ struct in6_addr *addr, struct in6_addr *msk)
{
- static struct in6_addr ap;
-
- if (inet_pton(AF_INET6, num, &ap) == 1)
- return &ap;
- return (struct in6_addr *)NULL;
-}
-
-static struct in6_addr *parse_ip6_mask(char *mask)
-{
- static struct in6_addr maskaddr;
struct in6_addr *addrp;
- unsigned int bits;
-
- if (mask == NULL) {
- /* no mask at all defaults to 128 bits */
- memset(&maskaddr, 0xff, sizeof maskaddr);
- return &maskaddr;
- }
- if ((addrp = numeric_to_addr(mask)) != NULL)
- return addrp;
- if (!xtables_strtoui(mask, NULL, &bits, 0, 128))
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask);
- if (bits != 0) {
- char *p = (char *)&maskaddr;
- memset(p, 0xff, bits / 8);
- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
- p[bits / 8] = 0xff << (8 - (bits & 7));
- return &maskaddr;
- }
+ unsigned int naddrs;
- memset(&maskaddr, 0, sizeof maskaddr);
- return &maskaddr;
-}
-
-/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
- * The string pointed to by address can be altered. */
-static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk)
-{
- struct in6_addr *tmp_addr;
- char buf[256];
- char *p;
- int i;
-
- strncpy(buf, address, sizeof(buf) - 1);
- /* first the mask */
- buf[sizeof(buf) - 1] = '\0';
- if ((p = strrchr(buf, '/')) != NULL) {
- *p = '\0';
- tmp_addr = parse_ip6_mask(p + 1);
- } else
- tmp_addr = parse_ip6_mask(NULL);
-
- *msk = *tmp_addr;
-
- /* if a null mask is given, the name is ignored, like in "any/0" */
- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
- strcpy(buf, "::");
-
- if (inet_pton(AF_INET6, buf, addr) < 1) {
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
- return;
- }
-
- for (i = 0; i < 4; i++)
- addr->s6_addr32[i] &= msk->s6_addr32[i];
+ xtables_ip6parse_any(address, &addrp, msk, &naddrs);
+ if (naddrs != 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IPv6 Address '%s' specified", address);
+ memcpy(addr, addrp, sizeof(*addr));
+ free(addrp);
}
#define OPT_SOURCE 0x01
--
2.31.1

View File

@ -0,0 +1,554 @@
From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 12:56:06 +0200
Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere
This wraps strdup(), checking for errors.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a)
---
extensions/libebt_ip.c | 3 ++-
extensions/libebt_ip6.c | 2 +-
extensions/libebt_stp.c | 3 ++-
extensions/libip6t_DNAT.c | 4 +---
extensions/libip6t_SNAT.c | 4 +---
extensions/libip6t_dst.c | 8 +++-----
extensions/libip6t_hbh.c | 7 +++----
extensions/libip6t_ipv6header.c | 2 +-
extensions/libip6t_mh.c | 2 +-
extensions/libip6t_rt.c | 7 +++----
extensions/libipt_DNAT.c | 8 ++------
extensions/libipt_SNAT.c | 4 +---
extensions/libxt_dccp.c | 2 +-
extensions/libxt_hashlimit.c | 5 +----
extensions/libxt_iprange.c | 4 +---
extensions/libxt_multiport.c | 6 ++----
extensions/libxt_sctp.c | 4 ++--
extensions/libxt_set.h | 4 ++--
extensions/libxt_tcp.c | 4 ++--
include/xtables.h | 1 +
iptables/iptables-xml.c | 4 ++--
iptables/nft-cache.c | 4 ++--
iptables/nft-cmd.c | 13 +++++++------
iptables/xshared.c | 2 +-
libxtables/xtables.c | 12 ++++++++++++
libxtables/xtoptions.c | 14 +++-----------
26 files changed, 60 insertions(+), 73 deletions(-)
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
index acb9bfcdbbd9f..51649ffb3c305 100644
--- a/extensions/libebt_ip.c
+++ b/extensions/libebt_ip.c
@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
+
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
else {
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index 3cc39271d4658..a686a285c3cb8 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
else {
diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
index 81ba572c33c1a..3e9e24474eb61 100644
--- a/extensions/libebt_stp.c
+++ b/extensions/libebt_stp.c
@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper,
uint32_t low_nr, upp_nr;
int ret = 0;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
+
if ((cp = strchr(buffer, ':')) == NULL) {
low_nr = strtoul(buffer, &end, 10);
if (*end || low_nr < min || low_nr > max) {
diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 89c5ceb153250..f1ad81436316b 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev)
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
const struct in6_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
start = strchr(arg, '[');
if (start == NULL) {
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 7d74b3d76a93c..6d19614c7c708 100644
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
const struct in6_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
start = strchr(arg, '[');
if (start == NULL) {
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index fe7e3403468ce..bf0e3e436665d 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
{
char *buffer, *cp, *next, *range;
unsigned int i;
-
- buffer = strdup(optsstr);
- if (!buffer)
- xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(optsstr);
+
for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
{
next = strchr(cp, ',');
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 4cebecfd3d2f5..74e87cda7eea1 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
{
char *buffer, *cp, *next, *range;
unsigned int i;
-
- buffer = strdup(optsstr);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(optsstr);
+
for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
{
next=strchr(cp, ',');
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index 6f03087bb79d8..9e34562966f8b 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -147,7 +147,7 @@ parse_header(const char *flags) {
char *ptr;
char *buffer;
- buffer = strdup(flags);
+ buffer = xtables_strdup(flags);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
ret |= add_proto_to_mask(name_to_proto(ptr));
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index f4c0fd9fc0bca..64675405ac724 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -107,7 +107,7 @@ static void parse_mh_types(const char *mhtype, uint8_t *types)
char *buffer;
char *cp;
- buffer = strdup(mhtype);
+ buffer = xtables_strdup(mhtype);
if ((cp = strchr(buffer, ':')) == NULL)
types[0] = types[1] = name_to_type(buffer);
else {
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index 3cb3b249d8995..9708b5a0c42f3 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -73,10 +73,9 @@ parse_addresses(const char *addrstr, struct in6_addr *addrp)
{
char *buffer, *cp, *next;
unsigned int i;
-
- buffer = strdup(addrstr);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(addrstr);
+
for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
{
next=strchr(cp, ',');
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 4907a2e83d066..5b33fd23f6e36 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -79,9 +79,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
memset(&range, 0, sizeof(range));
colon = strchr(arg, ':');
@@ -302,9 +300,7 @@ parse_to_v2(const char *orig_arg, int portok, struct nf_nat_range2 *range)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
colon = strchr(arg, ':');
if (colon) {
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index e92d811c2bc93..c655439ec9192 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -73,9 +73,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
memset(&range, 0, sizeof(range));
colon = strchr(arg, ':');
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index aea3e20be4818..abd420fcc0032 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -85,7 +85,7 @@ parse_dccp_types(const char *typestring)
uint16_t typemask = 0;
char *ptr, *buffer;
- buffer = strdup(typestring);
+ buffer = xtables_strdup(typestring);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
unsigned int i;
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 7f1d2a402c4fd..3f3c43010ee2a 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -508,10 +508,7 @@ static void hashlimit_mt6_init(struct xt_entry_match *match)
static int parse_mode(uint32_t *mode, const char *option_arg)
{
char *tok;
- char *arg = strdup(option_arg);
-
- if (!arg)
- return -1;
+ char *arg = xtables_strdup(option_arg);
for (tok = strtok(arg, ",|");
tok;
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 8be2481497b8d..04ce7b364f1c6 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -73,11 +73,9 @@ iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
static void iprange_parse_range(const char *oarg, union nf_inet_addr *range,
uint8_t family, const char *optname)
{
- char *arg = strdup(oarg);
+ char *arg = xtables_strdup(oarg);
char *dash;
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
dash = strchr(arg, '-');
if (dash == NULL) {
iprange_parse_spec(arg, arg, range, family, optname);
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 07ad4cfd4e519..4a42fa38238b9 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -87,8 +87,7 @@ parse_multi_ports(const char *portstring, uint16_t *ports, const char *proto)
char *buffer, *cp, *next;
unsigned int i;
- buffer = strdup(portstring);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+ buffer = xtables_strdup(portstring);
for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
{
@@ -109,8 +108,7 @@ parse_multi_ports_v1(const char *portstring,
char *buffer, *cp, *next, *range;
unsigned int i;
- buffer = strdup(portstring);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+ buffer = xtables_strdup(portstring);
for (i=0; i<XT_MULTI_PORTS; i++)
multiinfo->pflags[i] = 0;
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 140de2653b1ef..59b34684cc7f7 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring,
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
DEBUGP("%s\n", portstring);
if ((cp = strchr(buffer, ':')) == NULL) {
ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo,
int found = 0;
char *chunk_flags;
- buffer = strdup(chunks);
+ buffer = xtables_strdup(chunks);
DEBUGP("Buffer: %s\n", buffer);
SCTP_CHUNKMAP_RESET(einfo->chunkmap);
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 41dfbd30fc7c1..ad895a7504d9d 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info)
static void
parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
{
- char *saved = strdup(opt_arg);
+ char *saved = xtables_strdup(opt_arg);
char *ptr, *tmp = saved;
int i = 0;
@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
static void
parse_dirs(const char *opt_arg, struct xt_set_info *info)
{
- char *saved = strdup(opt_arg);
+ char *saved = xtables_strdup(opt_arg);
char *ptr, *tmp = saved;
while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 58f3c0a0c3c28..383e4db5b5e23 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
else {
@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags)
char *ptr;
char *buffer;
- buffer = strdup(flags);
+ buffer = xtables_strdup(flags);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
unsigned int i;
diff --git a/include/xtables.h b/include/xtables.h
index df1eaee326643..107ad7d65e6fc 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t);
extern void *xtables_calloc(size_t, size_t);
extern void *xtables_malloc(size_t);
extern void *xtables_realloc(void *, size_t);
+char *xtables_strdup(const char *);
extern int xtables_insmod(const char *, const char *, bool);
extern int xtables_load_ko(const char *, bool);
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 98d03dda98d2b..6cf059fb67292 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr)
"%s: line %u chain name invalid\n",
prog_name, line);
- chains[nextChain].chain = strdup(chain);
- chains[nextChain].policy = strdup(policy);
+ chains[nextChain].chain = xtables_strdup(chain);
+ chains[nextChain].policy = xtables_strdup(policy);
chains[nextChain].count = *ctr;
chains[nextChain].created = 0;
nextChain++;
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 6b6e6da40a826..7fd78654b280a 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name)
}
new = xtables_malloc(sizeof(*new));
- new->name = strdup(name);
+ new->name = xtables_strdup(name);
list_add_tail(&new->head, pos ? &pos->head : list);
}
@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level,
return;
if (!req->table)
- req->table = strdup(cmd->table);
+ req->table = xtables_strdup(cmd->table);
else
assert(!strcmp(req->table, cmd->table));
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 9b0c964847615..8dccdd734b156 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <string.h>
+#include <xtables.h>
#include "nft.h"
#include "nft-cmd.h"
@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
return NULL;
cmd->command = command;
- cmd->table = strdup(table);
+ cmd->table = xtables_strdup(table);
if (chain)
- cmd->chain = strdup(chain);
+ cmd->chain = xtables_strdup(chain);
cmd->rulenum = rulenum;
cmd->verbose = verbose;
@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
cmd->obj.rule = rule;
if (!state->target && strlen(state->jumpto) > 0)
- cmd->jumpto = strdup(state->jumpto);
+ cmd->jumpto = xtables_strdup(state->jumpto);
}
list_add_tail(&cmd->head, &h->cmd_list);
@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
if (!cmd)
return 0;
- cmd->rename = strdup(newname);
+ cmd->rename = xtables_strdup(newname);
nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table,
if (!cmd)
return 0;
- cmd->policy = strdup(policy);
+ cmd->policy = xtables_strdup(policy);
if (counters)
cmd->counters = *counters;
@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
if (!cmd)
return 0;
- cmd->policy = strdup(policy);
+ cmd->policy = xtables_strdup(policy);
nft_cache_level_set(h, NFT_CL_RULES, cmd);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 9a1f465a5a6d3..4027d9240215e 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted)
xtables_error(PARAMETER_PROBLEM,
"Trying to store NULL argument\n");
- store->argv[store->argc] = strdup(what);
+ store->argv[store->argc] = xtables_strdup(what);
store->argvattr[store->argc] = quoted;
store->argv[++store->argc] = NULL;
}
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 6947441fec659..1931e3896262a 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size)
return p;
}
+char *xtables_strdup(const char *s)
+{
+ char *dup = strdup(s);
+
+ if (!dup) {
+ perror("ip[6]tables: strdup failed");
+ exit(1);
+ }
+
+ return dup;
+}
+
static char *get_modprobe(void)
{
int procfile;
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 0dcdf607f4678..9d3ac5c8066cb 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb)
unsigned int maxiter;
int value;
- wp_arg = lo_arg = strdup(cb->arg);
- if (lo_arg == NULL)
- xt_params->exit_err(RESOURCE_PROBLEM, "strdup");
+ wp_arg = lo_arg = xtables_strdup(cb->arg);
maxiter = entry->size / esize;
if (maxiter == 0)
@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
xtopt_parse_host(cb);
return;
}
- work = strdup(orig_arg);
- if (work == NULL)
- xt_params->exit_err(PARAMETER_PROBLEM, "strdup");
+ work = xtables_strdup(orig_arg);
p = strchr(work, '/'); /* by def this can't be NULL now */
*p++ = '\0';
/*
@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file)
goto out;
}
lmap_this->id = id;
- lmap_this->name = strdup(cur);
- if (lmap_this->name == NULL) {
- free(lmap_this);
- goto out;
- }
+ lmap_this->name = xtables_strdup(cur);
lmap_this->next = NULL;
if (lmap_prev != NULL)
--
2.31.1

View File

@ -0,0 +1,31 @@
From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 15:15:37 +0200
Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
strncpy()
If the target buffer does not need to be null-terminated, one may simply
use memcpy() and thereby avoid any compiler warnings.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
---
extensions/libxt_string.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 7c6366cbbf1b3..739a8e7fd66b6 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
{
/* xt_string does not need \0 at the end of the pattern */
if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
+ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
return;
}
--
2.31.1

View File

@ -0,0 +1,104 @@
From 176353549f03fd10c731d93e9b37aa05eb210ecb Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 24 Feb 2021 11:08:02 +0100
Subject: [PATCH] iptables-nft: fix -Z option
it zeroes the rule counters, so it needs fully populated cache.
Add a test case to cover this.
Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2)
---
iptables/nft-cmd.c | 2 +-
.../testcases/iptables/0007-zero-counters_0 | 64 +++++++++++++++++++
2 files changed, 65 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 8dccdd734b156..a0c76a795e59c 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -188,7 +188,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain,
if (!cmd)
return 0;
- nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
+ nft_cache_level_set(h, NFT_CL_RULES, cmd);
return 1;
}
diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
new file mode 100755
index 0000000000000..36da1907e3b22
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+RC=0
+COUNTR=$RANDOM$RANDOM
+
+$XT_MULTI iptables-restore -c <<EOF
+*filter
+:INPUT ACCEPT [1:23]
+:FOO - [0:0]
+[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+[22:123] -A FOO -m comment --comment one
+[44:123] -A FOO -m comment --comment two
+COMMIT
+EOF
+EXPECT="*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:FOO - [0:0]
+[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+[0:0] -A FOO -m comment --comment one
+[0:0] -A FOO -m comment --comment two
+COMMIT"
+
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+if [ $COUNTER != "[12:345]" ]; then
+ echo "Counter $COUNTER is wrong, expected 12:345"
+ RC=1
+fi
+
+$XT_MULTI iptables -Z FOO
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+if [ $COUNTER = "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
+ RC=1
+fi
+
+for c in one two; do
+ COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ")
+ if [ $COUNTER != "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, should have been zeroed at rule $c"
+ RC=1
+ fi
+done
+
+$XT_MULTI iptables -Z
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+
+if [ $COUNTER != "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, expected 0:0 after -Z"
+ RC=1
+fi
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#')
+if [ $? -ne 0 ]; then
+ echo "Diff error: counters were not zeroed"
+ RC=1
+fi
+
+$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+$XT_MULTI iptables -D FOO -m comment --comment one
+$XT_MULTI iptables -D FOO -m comment --comment two
+$XT_MULTI iptables -X FOO
+exit $RC
--
2.31.1

View File

@ -0,0 +1,73 @@
From 5462c9908a3b2ba94fc4cf5c6cd0d5ed296093c5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 19 Feb 2021 16:54:57 +0100
Subject: [PATCH] nft: Fix bitwise expression avoidance detection
Byte-boundary prefix detection was too sloppy: Any data following the
first zero-byte was ignored. Add a follow-up loop making sure there are
no stray bits in the designated host part.
Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba)
---
iptables/nft-shared.c | 4 +++-
.../testcases/ip6tables/0004-address-masks_0 | 24 +++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 10553ab26823b..c1664b50f9383 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
{
const unsigned char *m = mask;
bool bitwise = false;
- int i;
+ int i, j;
for (i = 0; i < len; i++) {
if (m[i] != 0xff) {
@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
break;
}
}
+ for (j = i + 1; !bitwise && j < len; j++)
+ bitwise = !!m[j];
if (!bitwise)
len = i;
diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
new file mode 100755
index 0000000000000..7eb42f08da975
--- /dev/null
+++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+$XT_MULTI ip6tables-restore <<EOF
+*filter
+-A FORWARD -s feed:babe::/ffff::0
+-A FORWARD -s feed:babe::/ffff:ff00::0
+-A FORWARD -s feed:babe::/ffff:fff0::0
+-A FORWARD -s feed:babe::/ffff:ffff::0
+-A FORWARD -s feed:babe::/0:ffff::0
+-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0
+COMMIT
+EOF
+
+EXPECT='-P FORWARD ACCEPT
+-A FORWARD -s feed::/16
+-A FORWARD -s feed:ba00::/24
+-A FORWARD -s feed:bab0::/28
+-A FORWARD -s feed:babe::/32
+-A FORWARD -s 0:babe::/0:ffff::
+-A FORWARD -s feed::babe:0/ffff::ffff:0'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
--
2.31.1

View File

@ -0,0 +1,80 @@
From c9c2e55eb6cebdb8d17cf0c8267a1eb3e8fb6e07 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 4 May 2021 16:03:24 +0200
Subject: [PATCH] extensions: sctp: Fix nftables translation
If both sport and dport was present, incorrect nft syntax was generated.
Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
---
extensions/libxt_sctp.c | 10 ++++------
extensions/libxt_sctp.txlate | 10 +++++-----
2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 59b34684cc7f7..5ec1ca618405e 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
if (!einfo->flags)
return 0;
- xt_xlate_add(xl, "sctp ");
-
if (einfo->flags & XT_SCTP_SRC_PORTS) {
if (einfo->spts[0] != einfo->spts[1])
- xt_xlate_add(xl, "sport%s %u-%u",
+ xt_xlate_add(xl, "sctp sport%s %u-%u",
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
einfo->spts[0], einfo->spts[1]);
else
- xt_xlate_add(xl, "sport%s %u",
+ xt_xlate_add(xl, "sctp sport%s %u",
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
einfo->spts[0]);
space = " ";
@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
if (einfo->flags & XT_SCTP_DEST_PORTS) {
if (einfo->dpts[0] != einfo->dpts[1])
- xt_xlate_add(xl, "%sdport%s %u-%u", space,
+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
einfo->dpts[0], einfo->dpts[1]);
else
- xt_xlate_add(xl, "%sdport%s %u", space,
+ xt_xlate_add(xl, "%ssctp dport%s %u", space,
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
einfo->dpts[0]);
}
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index 72f4641ab021c..0d6c59e183675 100644
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
nft add rule ip filter INPUT sctp dport != 50-56 counter accept
iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
--
2.31.1

View File

@ -0,0 +1,334 @@
From 635e4c4e7f3581a7cc8c04244ae3de239ad84935 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 17 Jun 2021 18:44:28 +0200
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
This is RHEL9 trying to friendly kick people towards nftables.
---
iptables/arptables-nft-restore.8 | 13 ++++++++++++-
iptables/arptables-nft-save.8 | 14 +++++++++++++-
iptables/arptables-nft.8 | 19 ++++++++++++++++++-
iptables/ebtables-nft.8 | 15 ++++++++++++++-
iptables/iptables-apply.8.in | 14 +++++++++++++-
iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++
iptables/iptables-restore.8.in | 17 ++++++++++++++++-
iptables/iptables-save.8.in | 15 ++++++++++++++-
iptables/iptables.8.in | 17 +++++++++++++++++
iptables/xtables-monitor.8.in | 11 +++++++++++
10 files changed, 142 insertions(+), 7 deletions(-)
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
index 09d9082cf9fd3..b1bf02998f9cc 100644
--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
.SH SYNOPSIS
\fBarptables\-restore
.SH DESCRIPTION
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
.PP
.B arptables-restore
is used to restore ARP Tables from data specified on STDIN or
@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
-\fBarptables\-save\fP(8), \fBarptables\fP(8)
+\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
.PP
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
index 905e59854cc28..49bb0f6260f2f 100644
--- a/iptables/arptables-nft-save.8
+++ b/iptables/arptables-nft-save.8
@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
\fBarptables\-save\fP [\fB\-V\fP]
.SH DESCRIPTION
.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B arptables-save
is used to dump the contents of an ARP Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
@@ -43,5 +55,5 @@ Print version information and exit.
.SH AUTHOR
Jesper Dangaard Brouer <brouer@redhat.com>
.SH SEE ALSO
-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
+\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
.PP
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
index ea31e0842acd4..ec5b993a41e8b 100644
--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
.SH DESCRIPTION
+.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B arptables
is a user space tool, it is used to set up and maintain the
tables of ARP rules in the Linux kernel. These rules inspect
@@ -340,9 +353,13 @@ bridges, the same may be achieved using
chain in
.BR ebtables .
+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
+will not receive new features. New setups should use \fBnft\fP(8). Existing
+setups should migrate to \fBnft\fP(8) when possible.
+
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
.SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
.PP
.BR "" "See " https://wiki.nftables.org
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 1fa5ad9388cc0..5bdc0bb8a939e 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -52,6 +52,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
.br
.SH DESCRIPTION
+.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B ebtables
is an application program used to set up and maintain the
tables of rules (inside the Linux kernel) that inspect
@@ -1111,6 +1124,6 @@ table. Also there is no support for
.B string
match. And finally, this list is probably not complete.
.SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
.PP
.BR "" "See " https://wiki.nftables.org
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
index f0ed4e5f8d450..7f99a21ed2b61 100644
--- a/iptables/iptables-apply.8.in
+++ b/iptables/iptables-apply.8.in
@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
.SH "DESCRIPTION"
.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
iptables\-apply will try to apply a new rulesfile (as output by
iptables-save, read by iptables-restore) or run a command to configure
iptables and then prompt the user whether the changes are okay. If the
@@ -47,7 +59,7 @@ Display usage information.
Display version information.
.SH "SEE ALSO"
.PP
-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
.SH LEGALESE
.PP
Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
index 99d89a1fe44ad..73d40bbfe9c52 100644
--- a/iptables/iptables-extensions.8.tmpl.in
+++ b/iptables/iptables-extensions.8.tmpl.in
@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
.PP
\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
+to help with the migration.
.SH MATCH EXTENSIONS
iptables can use extended packet matching modules
with the \fB\-m\fP or \fB\-\-match\fP
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index b4b62f92740d1..1bbf7a0d98d0a 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
[\fBfile\fP]
.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
+to help with the migration.
.PP
.B iptables-restore
and
@@ -87,7 +100,9 @@ from Rusty Russell.
.br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
.SH SEE ALSO
-\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
+\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
+\fBip6tables\-restore\-translate\fP(8)
.PP
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 7683fd3780f72..6fe50b2d446e5 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
.SH DESCRIPTION
.PP
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
.B iptables-save
and
.B ip6tables-save
@@ -62,7 +74,8 @@ Rusty Russell <rusty@rustcorp.com.au>
.br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
.SH SEE ALSO
-\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8),
+\fBnft\fP(8)
.PP
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 999cf339845f9..895cc7b111eb9 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
.PP
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
+to help with the migration.
+.PP
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
tables of IPv4 and IPv6 packet
filter rules in the Linux kernel. Several different tables
@@ -447,6 +461,9 @@ There are several other changes in iptables.
\fBiptables\-save\fP(8),
\fBiptables\-restore\fP(8),
\fBiptables\-extensions\fP(8),
+\fBnft\fP(8),
+\fBiptables\-translate\fP(8),
+\fBip6tables\-translate\fP(8)
.PP
The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT,
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
index b647a79eb64ed..bbccf009e8269 100644
--- a/iptables/xtables-monitor.8.in
+++ b/iptables/xtables-monitor.8.in
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
.PP
\
.SH DESCRIPTION
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
.PP
.B xtables-monitor
is used to monitor changes to the ruleset or to show rule evaluation events
--
2.32.0

View File

@ -0,0 +1,211 @@
From 743bcc5a632c7f5058ac03794f82b7ba52091cea Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 25 Mar 2021 16:24:39 +0100
Subject: [PATCH] nft: cache: Sort chains on demand only
Mandatory sorted insert of chains into cache significantly slows down
restoring of large rulesets. Since the sorted list of user-defined
chains is needed for listing and verbose output only, introduce
nft_cache_sort_chains() and call it where needed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit fdf64dcdace989589bac441805082e3b1fe6a915)
---
iptables/nft-cache.c | 71 +++++++++++++++++++++++++++++++++--------
iptables/nft-cache.h | 1 +
iptables/nft.c | 12 +++++++
iptables/nft.h | 1 +
iptables/xtables-save.c | 1 +
5 files changed, 73 insertions(+), 13 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 7fd78654b280a..2c88301cc7445 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -223,24 +223,67 @@ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
h->cache->table[t->type].base_chains[hooknum] = nc;
} else {
- struct nft_chain_list *clist = h->cache->table[t->type].chains;
- struct list_head *pos = &clist->list;
- struct nft_chain *cur;
- const char *n;
-
- list_for_each_entry(cur, &clist->list, head) {
- n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME);
- if (strcmp(cname, n) <= 0) {
- pos = &cur->head;
- break;
- }
- }
- list_add_tail(&nc->head, pos);
+ list_add_tail(&nc->head,
+ &h->cache->table[t->type].chains->list);
}
hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname));
return 0;
}
+static void __nft_chain_list_sort(struct list_head *list,
+ int (*cmp)(struct nft_chain *a,
+ struct nft_chain *b))
+{
+ struct nft_chain *pivot, *cur, *sav;
+ LIST_HEAD(sublist);
+
+ if (list_empty(list))
+ return;
+
+ /* grab first item as pivot (dividing) value */
+ pivot = list_entry(list->next, struct nft_chain, head);
+ list_del(&pivot->head);
+
+ /* move any smaller value into sublist */
+ list_for_each_entry_safe(cur, sav, list, head) {
+ if (cmp(pivot, cur) > 0) {
+ list_del(&cur->head);
+ list_add_tail(&cur->head, &sublist);
+ }
+ }
+ /* conquer divided */
+ __nft_chain_list_sort(&sublist, cmp);
+ __nft_chain_list_sort(list, cmp);
+
+ /* merge divided and pivot again */
+ list_add_tail(&pivot->head, &sublist);
+ list_splice(&sublist, list);
+}
+
+static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b)
+{
+ const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME);
+ const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME);
+
+ return strcmp(aname, bname);
+}
+
+int nft_cache_sort_chains(struct nft_handle *h, const char *table)
+{
+ const struct builtin_table *t = nft_table_builtin_find(h, table);
+
+ if (!t)
+ return -1;
+
+ if (h->cache->table[t->type].sorted)
+ return 0;
+
+ __nft_chain_list_sort(&h->cache->table[t->type].chains->list,
+ nft_chain_cmp_byname);
+ h->cache->table[t->type].sorted = true;
+ return 0;
+}
+
struct nftnl_chain_list_cb_data {
struct nft_handle *h;
const struct builtin_table *t;
@@ -663,6 +706,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
flush_base_chain_cache(c->table[table->type].base_chains);
nft_chain_foreach(h, tablename, __flush_chain_cache, NULL);
+ c->table[table->type].sorted = false;
if (c->table[table->type].sets)
nftnl_set_list_foreach(c->table[table->type].sets,
@@ -678,6 +722,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
if (c->table[i].chains) {
nft_chain_list_free(c->table[i].chains);
c->table[i].chains = NULL;
+ c->table[i].sorted = false;
}
if (c->table[i].sets) {
diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h
index 20d96beede876..58a015265056c 100644
--- a/iptables/nft-cache.h
+++ b/iptables/nft-cache.h
@@ -16,6 +16,7 @@ int flush_rule_cache(struct nft_handle *h, const char *table,
void nft_cache_build(struct nft_handle *h);
int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
struct nftnl_chain *c);
+int nft_cache_sort_chains(struct nft_handle *h, const char *table);
struct nft_chain *
nft_chain_find(struct nft_handle *h, const char *table, const char *chain);
diff --git a/iptables/nft.c b/iptables/nft.c
index bde4ca72d3fcc..8b14daeaed610 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
return 1;
}
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d);
/* the core expects 1 for success and 0 for error */
@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain,
goto out;
}
+ if (verbose)
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d);
out:
/* the core expects 1 for success and 0 for error */
@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
return 1;
}
+ nft_cache_sort_chains(h, table);
+
if (ops->print_table_header)
ops->print_table_header(table);
@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
return nft_rule_list_cb(c, &d);
}
+ nft_cache_sort_chains(h, table);
+
/* Dump policies and custom chains first */
nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters);
@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
goto err;
}
+ if (verbose)
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d);
err:
/* the core expects 1 for success and 0 for error */
diff --git a/iptables/nft.h b/iptables/nft.h
index 0910f82a2773c..4ac7e0099d567 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -44,6 +44,7 @@ struct nft_cache {
struct nft_chain_list *chains;
struct nftnl_set_list *sets;
bool exists;
+ bool sorted;
} table[NFT_TABLE_MAX];
};
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index d7901c650ea70..cfce0472f3ee8 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -87,6 +87,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data)
printf("*%s\n", tablename);
/* Dump out chain names first,
* thereby preventing dependency conflicts */
+ nft_cache_sort_chains(h, tablename);
nft_chain_foreach(h, tablename, nft_chain_save, h);
nft_rule_save(h, tablename, d->format);
if (d->commit)
--
2.31.1

View File

@ -0,0 +1,56 @@
From 663151585d25996baee985b9b77b58627de16531 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 6 Apr 2021 10:51:20 +0200
Subject: [PATCH] nft: Increase BATCH_PAGE_SIZE to support huge rulesets
In order to support the same ruleset sizes as legacy iptables, the
kernel's limit of 1024 iovecs has to be overcome. Therefore increase
each iovec's size from 128KB to 2MB.
While being at it, add a log message for failing sendmsg() call. This is
not supposed to happen, even if the transaction fails. Yet if it does,
users are left with only a "line XXX failed" message (with line number
being the COMMIT line).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit a3e81c62e8c5abb4158f1f66df6bbcffd1b33240)
---
iptables/nft.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 8b14daeaed610..f1deb82f87576 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -88,11 +88,11 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
#define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize())
-/* selected batch page is 256 Kbytes long to load ruleset of
- * half a million rules without hitting -EMSGSIZE due to large
- * iovec.
+/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M
+ * rules matching on source and destination address as well as input and output
+ * interfaces. This is what legacy iptables supports.
*/
-#define BATCH_PAGE_SIZE getpagesize() * 32
+#define BATCH_PAGE_SIZE 2 * 1024 * 1024
static struct nftnl_batch *mnl_batch_init(void)
{
@@ -220,8 +220,10 @@ static int mnl_batch_talk(struct nft_handle *h, int numcmds)
int err = 0;
ret = mnl_nft_socket_sendmsg(h, numcmds);
- if (ret == -1)
+ if (ret == -1) {
+ fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));
return -1;
+ }
FD_ZERO(&readfds);
FD_SET(fd, &readfds);
--
2.31.1

View File

@ -0,0 +1,73 @@
#!/bin/sh
ARPTABLES_CONFIG=/etc/sysconfig/arptables
# compat for removed initscripts dependency
success() {
echo "[ OK ]"
return 0
}
failure() {
echo "[FAILED]"
return 1
}
start() {
if [ ! -x /usr/sbin/arptables ]; then
exit 4
fi
# don't do squat if we don't have the config file
if [ -f $ARPTABLES_CONFIG ]; then
printf "Applying arptables firewall rules: "
/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
success || \
failure
touch /var/lock/subsys/arptables
else
failure
echo "Configuration file /etc/sysconfig/arptables missing"
exit 6
fi
}
stop() {
printf "Removing user defined chains: "
arptables -X && success || failure
printf "Flushing all chains: "
arptables -F && success || failure
printf "Resetting built-in chains to the default ACCEPT policy: "
arptables -P INPUT ACCEPT && \
arptables -P OUTPUT ACCEPT && \
success || \
failure
rm -f /var/lock/subsys/arptables
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
start
;;
condrestart|try-restart|force-reload)
[ -e /var/lock/subsys/arptables ] && start
;;
*)
exit 2
esac
exit 0

12
SOURCES/arptables.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Automates a packet filtering firewall with arptables
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/libexec/arptables-helper start
ExecStop=/usr/libexec/arptables-helper stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

11
SOURCES/ebtables-config Normal file
View File

@ -0,0 +1,11 @@
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules if firewall gets stopped
# (e.g. on system shutdown).
EBTABLES_SAVE_ON_STOP="no"
# Save (and restore) rule counters.
# Value: yes|no, default: no
# Save rule counters when saving a kernel table to a file. If the
# rule counters were saved, they will be restored when restoring the table.
EBTABLES_SAVE_COUNTER="no"

104
SOURCES/ebtables-helper Normal file
View File

@ -0,0 +1,104 @@
#!/bin/bash
# compat for removed initscripts dependency
success() {
echo "[ OK ]"
return 0
}
failure() {
echo "[FAILED]"
return 1
}
# internal variables
EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
EBTABLES_DATA=/etc/sysconfig/ebtables
EBTABLES_TABLES="filter nat"
if ebtables --version | grep -q '(legacy)'; then
EBTABLES_TABLES+=" broute"
fi
VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
# ebtables-config defaults
EBTABLES_SAVE_ON_STOP="no"
EBTABLES_SAVE_COUNTER="no"
# load config if existing
[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
initialize() {
local ret=0
for table in $EBTABLES_TABLES; do
ebtables -t $table --init-table || ret=1
done
return $ret
}
sanitize_dump() {
local drop=false
export EBTABLES_TABLES
cat $1 | while read line; do
case $line in
\**)
drop=false
local table="${line#\*}"
local found=false
for t in $EBTABLES_TABLES; do
if [[ $t == "$table" ]]; then
found=true
break
fi
done
$found || drop=true
;;
esac
$drop || echo "$line"
done
}
start() {
if [ -f $EBTABLES_DATA ]; then
echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
sanitize_dump $EBTABLES_DATA | ebtables-restore
else
echo -n $"ebtables: no stored ruleset, initializing empty tables: "
initialize
fi
local ret=$?
touch $VAR_SUBSYS_EBTABLES
return $ret
}
save() {
echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
export EBTABLES_SAVE_COUNTER
ebtables-save >$EBTABLES_DATA && success || failure
}
case $1 in
start)
[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
start && success || failure
RETVAL=$?
;;
stop)
[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
echo -n $"ebtables: stopping firewall: "
initialize && success || failure
RETVAL=$?
rm -f $VAR_SUBSYS_EBTABLES
;;
save)
save
;;
*)
echo "usage: ${0##*/} {start|stop|save}" >&2
RETVAL=2
;;
esac
exit $RETVAL

11
SOURCES/ebtables.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=Ethernet Bridge Filtering tables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/ebtables-helper start
ExecStop=/usr/libexec/ebtables-helper stop
[Install]
WantedBy=multi-user.target

59
SOURCES/iptables-config Normal file
View File

@ -0,0 +1,59 @@
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"
# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"
# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"
# Reload sysctl settings on start and restart
# Default: -none-
# Space separated list of sysctl items which are to be reloaded on start.
# List items will be matched by fgrep.
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
# Set wait option for iptables-restore calls in seconds
# Default: 600
# Set to 0 to deactivate the wait.
#IPTABLES_RESTORE_WAIT=600
# Set wait interval option for iptables-restore calls in microseconds
# Default: 1000000
# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
# second.
# Only usable with IPTABLES_RESTORE_WAIT > 0
#IPTABLES_RESTORE_WAIT_INTERVAL=1000000

450
SOURCES/iptables.init Executable file
View File

@ -0,0 +1,450 @@
#!/bin/bash
#
# iptables Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
# compat for removed initscripts dependency
success() {
echo -n "[ OK ]"
return 0
}
warning() {
echo -n "[WARNING]"
return 1
}
failure() {
echo -n "[FAILED]"
return 1
}
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
# only usable for root
if [ $EUID != 0 ]; then
echo -n $"${IPTABLES}: Only usable by root."; warning; echo
exit 4
fi
if [ ! -x /sbin/$IPTABLES ]; then
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
exit 5
fi
# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST=""
IPTABLES_RESTORE_WAIT=600
IPTABLES_RESTORE_WAIT_INTERVAL=1000000
# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
is_iptables_nft() {
iptables --version | grep -q '(nf_tables)'
}
netfilter_active() {
is_iptables_nft && return 0
[ -e "$PROC_IPTABLES_NAMES" ]
}
netfilter_tables() {
netfilter_active || return 1
is_iptables_nft && {
# explicitly omit security table from this list as
# it should be reserved for SELinux use
echo "raw mangle filter nat"
return 0
}
cat "$PROC_IPTABLES_NAMES" 2>/dev/null
}
# Get active tables
NF_TABLES=$(netfilter_tables)
flush_n_delete() {
# Flush firewall rules and delete chains.
netfilter_active || return 0
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 1
echo -n $"${IPTABLES}: Flushing firewall rules: "
ret=0
# For all tables
for i in $NF_TABLES; do
# Flush firewall rules.
$IPTABLES -t $i -F;
let ret+=$?;
# Delete firewall chains.
$IPTABLES -t $i -X;
let ret+=$?;
# Set counter to zero.
$IPTABLES -t $i -Z;
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
set_policy() {
# Set policy for configured tables.
policy=$1
# Check if iptable module is loaded
netfilter_active || return 0
# Check if firewall is configured (has tables)
tables=$(netfilter_tables)
[ -z "$tables" ] && return 1
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
case "$i" in
raw)
$IPTABLES -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \
|| let ret+=1
;;
filter)
$IPTABLES -t filter -P INPUT $policy \
&& $IPTABLES -t filter -P OUTPUT $policy \
&& $IPTABLES -t filter -P FORWARD $policy \
|| let ret+=1
;;
nat)
$IPTABLES -t nat -P PREROUTING $policy \
&& $IPTABLES -t nat -P POSTROUTING $policy \
&& $IPTABLES -t nat -P OUTPUT $policy \
|| let ret+=1
;;
mangle)
$IPTABLES -t mangle -P PREROUTING $policy \
&& $IPTABLES -t mangle -P POSTROUTING $policy \
&& $IPTABLES -t mangle -P INPUT $policy \
&& $IPTABLES -t mangle -P OUTPUT $policy \
&& $IPTABLES -t mangle -P FORWARD $policy \
|| let ret+=1
;;
*)
let ret+=1
;;
esac
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
load_sysctl() {
# load matched sysctl values
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
echo -n $"Loading sysctl settings: "
ret=0
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
return $ret
}
start() {
# Do not start if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo
return 6
fi
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
fi
fi
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
else
return 1
fi
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
touch $VAR_SUBSYS_IPTABLES
return $ret
}
stop() {
# Do not stop if iptables module is not loaded.
netfilter_active || return 0
# Set default chain policy to ACCEPT, in order to not break shutdown
# on systems where the default policy is DROP and root device is
# network-based (i.e.: iSCSI, NFS)
set_policy ACCEPT
# And then, flush the rules and delete chains
flush_n_delete
rm -f $VAR_SUBSYS_IPTABLES
return $ret
}
save() {
# Check if iptable module is loaded
if ! netfilter_active; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 0
fi
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo -n $"${IPTABLES}: Nothing to save."; warning; echo
return 6
fi
echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
&& chmod 600 "$TMP_FILE" \
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
|| ret=1
if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then
cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
&& chmod 600 $IPTABLES_DATA.save \
&& restorecon $IPTABLES_DATA.save \
|| ret=1
fi
if [ $ret -eq 0 ]; then
mv -f $TMP_FILE $IPTABLES_DATA \
&& chmod 600 $IPTABLES_DATA \
&& restorecon $IPTABLES_DATA \
|| ret=1
fi
fi
rm -f $TMP_FILE
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
echo $"${IPTABLES}: Firewall is not running."
return 3
fi
# Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable modules are loaded
if ! netfilter_active; then
echo $"${IPTABLES}: Firewall modules are not loaded."
return 3
fi
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not configured. "
return 3
fi
NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
VERBOSE=
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
for table in $NF_TABLES; do
echo $"Table: $table"
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
done
return 0
}
reload() {
# Do not reload if there is no config file.
if [ ! -f "$IPTABLES_DATA" ]; then
echo -n $"${IPTABLES}: No config file."; warning; echo
return 6
fi
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Trying to reload firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
fi
fi
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; echo "Firewall rules are not changed."; return 1
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
return $ret
}
restart() {
[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
stop
start
}
case "$1" in
start)
[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start
RETVAL=$?
;;
stop)
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$?
;;
restart|force-reload)
restart
RETVAL=$?
;;
reload)
[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
RETVAL=$?
;;
condrestart|try-restart)
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart
RETVAL=$?
;;
status)
status
RETVAL=$?
;;
panic)
set_policy DROP
RETVAL=$?
;;
save)
save
RETVAL=$?
;;
*)
echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
RETVAL=2
;;
esac
exit $RETVAL

17
SOURCES/iptables.service Normal file
View File

@ -0,0 +1,17 @@
[Unit]
Description=IPv4 firewall with iptables
AssertPathExists=/etc/sysconfig/iptables
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecReload=/usr/libexec/iptables/iptables.init reload
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,15 @@
# sample configuration for ip6tables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

View File

@ -0,0 +1,14 @@
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

1713
SPECS/iptables.spec Normal file

File diff suppressed because it is too large Load Diff