import iptables-1.8.7-23.el9
625178622b
1
.gitignore
@ -0,0 +1 @@
|
||||
SOURCES/iptables-1.8.7.tar.bz2
|
1
.iptables.metadata
@ -0,0 +1 @@
|
||||
05ef75415cb7cb7641f51d51e74f3ea29cc31ab1 SOURCES/iptables-1.8.7.tar.bz2
|
@ -0,0 +1,51 @@
|
||||
From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 28 Jan 2021 01:09:56 +0100
|
||||
Subject: [PATCH] ebtables: Exit gracefully on invalid table names
|
||||
|
||||
Users are able to cause program abort by passing a table name that
|
||||
doesn't exist:
|
||||
|
||||
| # ebtables-nft -t dummy -P INPUT ACCEPT
|
||||
| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
|
||||
| Aborted
|
||||
|
||||
Avoid this by checking table existence just like iptables-nft does upon
|
||||
parsing '-t' optarg. Since the list of tables is known and fixed,
|
||||
checking the given name's length is pointless. So just drop that check
|
||||
in return.
|
||||
|
||||
With this patch in place, output looks much better:
|
||||
|
||||
| # ebtables-nft -t dummy -P INPUT ACCEPT
|
||||
| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
|
||||
| Perhaps iptables or your kernel needs to be upgraded.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
|
||||
---
|
||||
iptables/xtables-eb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
||||
index cfa9317c78e94..5bb34d6d292a9 100644
|
||||
--- a/iptables/xtables-eb.c
|
||||
+++ b/iptables/xtables-eb.c
|
||||
@@ -914,10 +914,10 @@ print_zero:
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
"The -t option (seen in line %u) cannot be used in %s.\n",
|
||||
line, xt_params->program_name);
|
||||
- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "Table name length cannot exceed %d characters",
|
||||
- EBT_TABLE_MAXNAMELEN - 1);
|
||||
+ if (!nft_table_builtin_find(h, optarg))
|
||||
+ xtables_error(VERSION_PROBLEM,
|
||||
+ "table '%s' does not exist",
|
||||
+ optarg);
|
||||
*table = optarg;
|
||||
table_set = true;
|
||||
break;
|
||||
--
|
||||
2.31.1
|
||||
|
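Review bot: The new check `+ if (!nft_table_builtin_find(h, optarg))` reports a mistyped table name as VERSION_PROBLEM, so the output quoted in the description ends with "Perhaps iptables or your kernel needs to be upgraded.", which points users at the wrong cause when the name is simply a typo. Since nft_table_builtin_find() consults a fixed, compiled-in list, PARAMETER_PROBLEM describes the situation more accurately: `xtables_error(PARAMETER_PROBLEM, "table '%s' does not exist", optarg);`. The description says the check mirrors iptables-nft, so if VERSION_PROBLEM is kept for consistency a one-line comment saying so would spare the next reader the same question. The enclosing option-parsing switch starts and ends outside the hunk.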
@ -0,0 +1,196 @@
|
||||
From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 2 Mar 2021 14:50:07 +0100
|
||||
Subject: [PATCH] xtables-translate: Fix translation of odd netmasks
|
||||
|
||||
Iptables supports netmasks which are not prefixes to match on (or
|
||||
ignore) arbitrary bits in an address. Yet nftables' prefix notation is
|
||||
available for real prefixes only, so translation is not as trivial -
|
||||
print bitmask syntax for those cases.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae)
|
||||
---
|
||||
extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++
|
||||
extensions/libxt_standard.t | 12 ++++++++++
|
||||
iptables/nft-ipv4.c | 42 ++++++++++++++++++++++----------
|
||||
iptables/nft-ipv6.c | 19 ++++++++++++---
|
||||
4 files changed, 106 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
|
||||
index 0e256c3727559..9ae9a5b54c1b9 100644
|
||||
--- a/extensions/generic.txlate
|
||||
+++ b/extensions/generic.txlate
|
||||
@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
|
||||
iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
|
||||
nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
|
||||
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0
|
||||
+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0
|
||||
+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255
|
||||
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter
|
||||
+
|
||||
+iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255
|
||||
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 0.0.0.0/16
|
||||
+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 0.0.0.0/0
|
||||
+nft insert rule ip filter INPUT counter
|
||||
+
|
||||
+iptables-translate -I INPUT ! -s 0.0.0.0/0
|
||||
+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -i iifname -s feed::/16
|
||||
+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter
|
||||
+
|
||||
+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16
|
||||
+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00::
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s ::/16
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s ::/0
|
||||
+nft insert rule ip6 filter INPUT counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT ! -s ::/0
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter
|
||||
+
|
||||
ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
|
||||
nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
|
||||
|
||||
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
|
||||
index 4313f7b7bac9d..56d6da2e5884e 100644
|
||||
--- a/extensions/libxt_standard.t
|
||||
+++ b/extensions/libxt_standard.t
|
||||
@@ -9,3 +9,15 @@
|
||||
-j ACCEPT;=;OK
|
||||
-j RETURN;=;OK
|
||||
! -p 0 -j ACCEPT;=;FAIL
|
||||
+-s 10.11.12.13/8;-s 10.0.0.0/8;OK
|
||||
+-s 10.11.12.13/9;-s 10.0.0.0/9;OK
|
||||
+-s 10.11.12.13/10;-s 10.0.0.0/10;OK
|
||||
+-s 10.11.12.13/11;-s 10.0.0.0/11;OK
|
||||
+-s 10.11.12.13/12;-s 10.0.0.0/12;OK
|
||||
+-s 10.11.12.13/30;-s 10.11.12.12/30;OK
|
||||
+-s 10.11.12.13/31;-s 10.11.12.12/31;OK
|
||||
+-s 10.11.12.13/32;-s 10.11.12.13/32;OK
|
||||
+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
|
||||
+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
|
||||
+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
|
||||
+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index fdc15c6f04066..0d32a30010519 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command,
|
||||
" source or destination IP addresses");
|
||||
}
|
||||
|
||||
+static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ bool inv, struct xt_xlate *xl)
|
||||
+{
|
||||
+ const char *op = inv ? "!= " : "";
|
||||
+ int cidr;
|
||||
+
|
||||
+ if (!inv && !addr->s_addr && !mask->s_addr)
|
||||
+ return;
|
||||
+
|
||||
+ cidr = xtables_ipmask_to_cidr(mask);
|
||||
+ switch (cidr) {
|
||||
+ case -1:
|
||||
+ /* inet_ntoa() is not reentrant */
|
||||
+ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
|
||||
+ xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
|
||||
+ break;
|
||||
+ case 32:
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
|
||||
+ break;
|
||||
+ default:
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
|
||||
+ cidr);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
|
||||
{
|
||||
const struct iptables_command_state *cs = data;
|
||||
@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
|
||||
}
|
||||
}
|
||||
|
||||
- if (cs->fw.ip.src.s_addr != 0) {
|
||||
- xt_xlate_add(xl, "ip saddr %s%s%s ",
|
||||
- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "",
|
||||
- inet_ntoa(cs->fw.ip.src),
|
||||
- xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
|
||||
- }
|
||||
- if (cs->fw.ip.dst.s_addr != 0) {
|
||||
- xt_xlate_add(xl, "ip daddr %s%s%s ",
|
||||
- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "",
|
||||
- inet_ntoa(cs->fw.ip.dst),
|
||||
- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
|
||||
- }
|
||||
+ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
|
||||
+ cs->fw.ip.invflags & IPT_INV_SRCIP, xl);
|
||||
+ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk,
|
||||
+ cs->fw.ip.invflags & IPT_INV_DSTIP, xl);
|
||||
|
||||
ret = xlate_matches(cs, xl);
|
||||
if (!ret)
|
||||
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
||||
index 130ad3e6e7c44..46008fc5e762a 100644
|
||||
--- a/iptables/nft-ipv6.c
|
||||
+++ b/iptables/nft-ipv6.c
|
||||
@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
|
||||
const struct in6_addr *mask,
|
||||
int invert, struct xt_xlate *xl)
|
||||
{
|
||||
+ const char *op = invert ? "!= " : "";
|
||||
char addr_str[INET6_ADDRSTRLEN];
|
||||
+ int cidr;
|
||||
|
||||
- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
|
||||
+ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask))
|
||||
return;
|
||||
|
||||
inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
|
||||
- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str,
|
||||
- xtables_ip6mask_to_numeric(mask));
|
||||
+ cidr = xtables_ip6mask_to_cidr(mask);
|
||||
+ switch (cidr) {
|
||||
+ case -1:
|
||||
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
|
||||
+ xtables_ip6addr_to_numeric(mask),
|
||||
+ invert ? "!=" : "==", addr_str);
|
||||
+ break;
|
||||
+ case 128:
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str);
|
||||
+ break;
|
||||
+ default:
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr);
|
||||
+ }
|
||||
}
|
||||
|
||||
static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
|
||||
--
|
||||
2.31.1
|
||||
|
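Review bot: The new xlate_ipv4_addr() in nft-ipv4.c and the reworked xlate_ipv6_addr() now emit three different nft forms depending on the mask, but neither carries a comment saying so, and the `case -1:` branch is only understandable if the reader already knows that a -1 cidr is how xtables_ipmask_to_cidr() / xtables_ip6mask_to_cidr() signal a non-prefix mask (which the description, not the code, explains). A header comment above each function such as `/* Emit an nft address match: "sel & mask == addr" when the mask is not a prefix (cidr == -1), "sel addr" for a full host mask, "sel addr/len" otherwise; a non-inverted, unrestricted match (all-zero addr and mask) is omitted entirely. */` would make the translation contract explicit. The two functions are deliberately parallel but name the same parameter `inv` in one and `invert` in the other; aligning the names would help when reading them side by side. The nft_ipv4_xlate() caller continues outside the hunk.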
120
SOURCES/0003-Eliminate-inet_aton-and-inet_ntoa.patch
@ -0,0 +1,120 @@
|
||||
From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 27 Apr 2021 09:12:53 +0200
|
||||
Subject: [PATCH] Eliminate inet_aton() and inet_ntoa()
|
||||
|
||||
Both functions are obsolete, replace them by equivalent calls to
|
||||
inet_pton() and inet_ntop().
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3)
|
||||
---
|
||||
extensions/libebt_among.c | 6 ++++--
|
||||
iptables/nft-ipv4.c | 23 ++++++++++++++---------
|
||||
2 files changed, 18 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
|
||||
index 2b9a1b6566684..7eb898f984bba 100644
|
||||
--- a/extensions/libebt_among.c
|
||||
+++ b/extensions/libebt_among.c
|
||||
@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
|
||||
if (sep) {
|
||||
*sep = '\0';
|
||||
|
||||
- if (!inet_aton(sep + 1, &pair->in))
|
||||
+ if (!inet_pton(AF_INET, sep + 1, &pair->in))
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
"Invalid IP address '%s'\n", sep + 1);
|
||||
}
|
||||
@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
|
||||
int cnt, bool inv, bool have_ip)
|
||||
{
|
||||
const char *isep = inv ? "! " : "";
|
||||
+ char abuf[INET_ADDRSTRLEN];
|
||||
int i;
|
||||
|
||||
for (i = 0; i < cnt; i++) {
|
||||
@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs,
|
||||
|
||||
printf("%s", ether_ntoa(&pairs[i].ether));
|
||||
if (pairs[i].in.s_addr != INADDR_ANY)
|
||||
- printf("=%s", inet_ntoa(pairs[i].in));
|
||||
+ printf("=%s", inet_ntop(AF_INET, &pairs[i].in,
|
||||
+ abuf, sizeof(abuf)));
|
||||
}
|
||||
printf(" ");
|
||||
}
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index 0d32a30010519..a5b835b1f681d 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
|
||||
|
||||
static const char *mask_to_str(uint32_t mask)
|
||||
{
|
||||
- static char mask_str[sizeof("255.255.255.255")];
|
||||
+ static char mask_str[INET_ADDRSTRLEN];
|
||||
uint32_t bits, hmask = ntohl(mask);
|
||||
struct in_addr mask_addr = {
|
||||
.s_addr = mask,
|
||||
@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask)
|
||||
if (i >= 0)
|
||||
sprintf(mask_str, "%u", i);
|
||||
else
|
||||
- sprintf(mask_str, "%s", inet_ntoa(mask_addr));
|
||||
+ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
|
||||
|
||||
return mask_str;
|
||||
}
|
||||
@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
|
||||
static void save_ipv4_addr(char letter, const struct in_addr *addr,
|
||||
uint32_t mask, int invert)
|
||||
{
|
||||
+ char addrbuf[INET_ADDRSTRLEN];
|
||||
+
|
||||
if (!mask && !invert && !addr->s_addr)
|
||||
return;
|
||||
|
||||
- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr),
|
||||
+ printf("%s-%c %s/%s ", invert ? "! " : "", letter,
|
||||
+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
|
||||
mask_to_str(mask));
|
||||
}
|
||||
|
||||
@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
|
||||
const struct in_addr *mask,
|
||||
bool inv, struct xt_xlate *xl)
|
||||
{
|
||||
+ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN];
|
||||
const char *op = inv ? "!= " : "";
|
||||
int cidr;
|
||||
|
||||
if (!inv && !addr->s_addr && !mask->s_addr)
|
||||
return;
|
||||
|
||||
+ inet_ntop(AF_INET, addr, abuf, sizeof(abuf));
|
||||
+
|
||||
cidr = xtables_ipmask_to_cidr(mask);
|
||||
switch (cidr) {
|
||||
case -1:
|
||||
- /* inet_ntoa() is not reentrant */
|
||||
- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
|
||||
- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
|
||||
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
|
||||
+ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)),
|
||||
+ inv ? "!=" : "==", abuf);
|
||||
break;
|
||||
case 32:
|
||||
- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf);
|
||||
break;
|
||||
default:
|
||||
- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
|
||||
- cidr);
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
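Review bot: In libebt_among.c the replacement `if (!inet_pton(AF_INET, sep + 1, &pair->in))` treats only a 0 return as failure, whereas inet_pton() also returns -1 for an unsupported family; with a constant AF_INET that cannot occur in practice, but the other inet_pton() call sites in this series (libxtables/xtables.c, libebt_ip6.c) test `== 1` and `< 1`, so `if (inet_pton(AF_INET, sep + 1, &pair->in) != 1)` would be both consistent and strictly correct. The inet_ntop() results passed straight to printf("%s") in __bramong_print() and to xt_xlate_add() in xlate_ipv4_addr() are unchecked; a correctly sized INET_ADDRSTRLEN buffer with a fixed family cannot fail, so a short comment recording why the return value is trusted would suffice. parse_nft_among_pair() and __bramong_print() begin outside their hunks.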
181
SOURCES/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
@ -0,0 +1,181 @@
|
||||
From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 27 Apr 2021 10:02:34 +0200
|
||||
Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string()
|
||||
|
||||
This eliminates quite a bit of redundant code apart from also dropping
|
||||
use of obsolete function gethostbyaddr().
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c)
|
||||
---
|
||||
iptables/nft-arp.c | 99 ++++------------------------------------------
|
||||
iptables/xshared.c | 6 +--
|
||||
iptables/xshared.h | 3 ++
|
||||
3 files changed, 14 insertions(+), 94 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
|
||||
index c82ffdc95e300..2a9387a18dffe 100644
|
||||
--- a/iptables/nft-arp.c
|
||||
+++ b/iptables/nft-arp.c
|
||||
@@ -42,78 +42,6 @@ char *arp_opcodes[] =
|
||||
"ARP_NAK",
|
||||
};
|
||||
|
||||
-static char *
|
||||
-addr_to_dotted(const struct in_addr *addrp)
|
||||
-{
|
||||
- static char buf[20];
|
||||
- const unsigned char *bytep;
|
||||
-
|
||||
- bytep = (const unsigned char *) &(addrp->s_addr);
|
||||
- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
|
||||
- return buf;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_host(const struct in_addr *addr)
|
||||
-{
|
||||
- struct hostent *host;
|
||||
-
|
||||
- if ((host = gethostbyaddr((char *) addr,
|
||||
- sizeof(struct in_addr), AF_INET)) != NULL)
|
||||
- return (char *) host->h_name;
|
||||
-
|
||||
- return (char *) NULL;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_network(const struct in_addr *addr)
|
||||
-{
|
||||
- struct netent *net;
|
||||
-
|
||||
- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
|
||||
- return (char *) net->n_name;
|
||||
-
|
||||
- return (char *) NULL;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_anyname(const struct in_addr *addr)
|
||||
-{
|
||||
- char *name;
|
||||
-
|
||||
- if ((name = addr_to_host(addr)) != NULL ||
|
||||
- (name = addr_to_network(addr)) != NULL)
|
||||
- return name;
|
||||
-
|
||||
- return addr_to_dotted(addr);
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-mask_to_dotted(const struct in_addr *mask)
|
||||
-{
|
||||
- int i;
|
||||
- static char buf[22];
|
||||
- u_int32_t maskaddr, bits;
|
||||
-
|
||||
- maskaddr = ntohl(mask->s_addr);
|
||||
-
|
||||
- if (maskaddr == 0xFFFFFFFFL)
|
||||
- /* we don't want to see "/32" */
|
||||
- return "";
|
||||
-
|
||||
- i = 32;
|
||||
- bits = 0xFFFFFFFEL;
|
||||
- while (--i >= 0 && maskaddr != bits)
|
||||
- bits <<= 1;
|
||||
- if (i >= 0)
|
||||
- sprintf(buf, "/%d", i);
|
||||
- else
|
||||
- /* mask was not a decent combination of 1's and 0's */
|
||||
- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask));
|
||||
-
|
||||
- return buf;
|
||||
-}
|
||||
-
|
||||
static bool need_devaddr(struct arpt_devaddr_info *info)
|
||||
{
|
||||
int i;
|
||||
@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
unsigned int format)
|
||||
{
|
||||
const struct arpt_entry *fw = &cs->arp;
|
||||
- char buf[BUFSIZ];
|
||||
char iface[IFNAMSIZ+2];
|
||||
const char *sep = "";
|
||||
int print_iface = 0;
|
||||
@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
}
|
||||
|
||||
if (fw->arp.smsk.s_addr != 0L) {
|
||||
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
|
||||
- ? "! " : "");
|
||||
- if (format & FMT_NUMERIC)
|
||||
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
|
||||
- else
|
||||
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
|
||||
- strncat(buf, mask_to_dotted(&(fw->arp.smsk)),
|
||||
- sizeof(buf) - strlen(buf) - 1);
|
||||
- printf("-s %s", buf);
|
||||
+ printf("%s%s-s %s", sep,
|
||||
+ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "",
|
||||
+ ipv4_addr_to_string(&fw->arp.src,
|
||||
+ &fw->arp.smsk, format));
|
||||
sep = " ";
|
||||
}
|
||||
|
||||
@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
after_devsrc:
|
||||
|
||||
if (fw->arp.tmsk.s_addr != 0L) {
|
||||
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
|
||||
- ? "! " : "");
|
||||
- if (format & FMT_NUMERIC)
|
||||
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
|
||||
- else
|
||||
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
|
||||
- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)),
|
||||
- sizeof(buf) - strlen(buf) - 1);
|
||||
- printf("-d %s", buf);
|
||||
+ printf("%s%s-d %s", sep,
|
||||
+ fw->arp.invflags & IPT_INV_DSTIP ? "! " : "",
|
||||
+ ipv4_addr_to_string(&fw->arp.tgt,
|
||||
+ &fw->arp.tmsk, format));
|
||||
sep = " ";
|
||||
}
|
||||
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index 71f689901e1d4..9a1f465a5a6d3 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store)
|
||||
}
|
||||
#endif
|
||||
|
||||
-static const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
- const struct in_addr *mask,
|
||||
- unsigned int format)
|
||||
+const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ unsigned int format)
|
||||
{
|
||||
static char buf[BUFSIZ];
|
||||
|
||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
||||
index 9159b2b1f3768..1e86aba8b2375 100644
|
||||
--- a/iptables/xshared.h
|
||||
+++ b/iptables/xshared.h
|
||||
@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store);
|
||||
# define debug_print_argv(...) /* nothing */
|
||||
#endif
|
||||
|
||||
+const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ unsigned int format);
|
||||
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
|
||||
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
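Review bot: ipv4_addr_to_string() is made public in xshared.h without any comment, yet the xshared.c hunk shows it returns a pointer into `static char buf[BUFSIZ]`, so every caller shares one buffer and a second call overwrites the first result. The new nft-arp.c call sites are safe because each printf() makes exactly one call, but that constraint is now part of the exported contract and should be stated above the prototype, e.g. `/* Returns a pointer to a static buffer that the next call overwrites; callers must not hold two results at once (not thread-safe). */`. The bodies of ipv4_addr_to_string() and nft_arp_print_rule_details() lie mostly outside the hunks.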
@ -0,0 +1,33 @@
|
||||
From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 13 Nov 2020 21:04:39 +0100
|
||||
Subject: [PATCH] libxtables: Drop leftover variable in
|
||||
xtables_numeric_to_ip6addr()
|
||||
|
||||
Variable 'err' was only used in removed debug code, so drop it as well.
|
||||
|
||||
Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
|
||||
---
|
||||
libxtables/xtables.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index bc42ba8221f3a..6947441fec659 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
|
||||
struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
|
||||
{
|
||||
static struct in6_addr ap;
|
||||
- int err;
|
||||
|
||||
- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
|
||||
+ if (inet_pton(AF_INET6, num, &ap) == 1)
|
||||
return ≈
|
||||
|
||||
return NULL;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,49 @@
|
||||
From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 13 Nov 2020 21:13:50 +0100
|
||||
Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
|
||||
|
||||
They are being assigned to but never read.
|
||||
|
||||
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
|
||||
---
|
||||
extensions/libebt_ip6.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
|
||||
index b8a5a5d8c3a92..301bed9aadefd 100644
|
||||
--- a/extensions/libebt_ip6.c
|
||||
+++ b/extensions/libebt_ip6.c
|
||||
@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
|
||||
static struct in6_addr *numeric_to_addr(const char *num)
|
||||
{
|
||||
static struct in6_addr ap;
|
||||
- int err;
|
||||
|
||||
- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
|
||||
+ if (inet_pton(AF_INET6, num, &ap) == 1)
|
||||
return ≈
|
||||
return (struct in6_addr *)NULL;
|
||||
}
|
||||
@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
|
||||
char buf[256];
|
||||
char *p;
|
||||
int i;
|
||||
- int err;
|
||||
|
||||
strncpy(buf, address, sizeof(buf) - 1);
|
||||
/* first the mask */
|
||||
@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
|
||||
if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
|
||||
strcpy(buf, "::");
|
||||
|
||||
- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
|
||||
+ if (inet_pton(AF_INET6, buf, addr) < 1) {
|
||||
xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
|
||||
return;
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,29 @@
|
||||
From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 11:04:30 +0200
|
||||
Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
|
||||
|
||||
The allocated hostmask duplicate needs to be freed again.
|
||||
|
||||
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
|
||||
---
|
||||
libxtables/xtoptions.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
|
||||
index d329f2ff7979e..0dcdf607f4678 100644
|
||||
--- a/libxtables/xtoptions.c
|
||||
+++ b/libxtables/xtoptions.c
|
||||
@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
|
||||
cb->arg = p;
|
||||
xtopt_parse_plenmask(cb);
|
||||
cb->arg = orig_arg;
|
||||
+ free(work);
|
||||
}
|
||||
|
||||
static void xtopt_parse_ethermac(struct xt_option_call *cb)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,34 @@
|
||||
From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 11:55:20 +0200
|
||||
Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
|
||||
|
||||
If rule allocation fails, free the allocated 'cmd' before returning to
|
||||
caller.
|
||||
|
||||
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
|
||||
---
|
||||
iptables/nft-cmd.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
|
||||
index 5d33f1f00f574..9b0c964847615 100644
|
||||
--- a/iptables/nft-cmd.c
|
||||
+++ b/iptables/nft-cmd.c
|
||||
@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
|
||||
|
||||
if (state) {
|
||||
rule = nft_rule_new(h, chain, table, state);
|
||||
- if (!rule)
|
||||
+ if (!rule) {
|
||||
+ nft_cmd_free(cmd);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
cmd->obj.rule = rule;
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
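Review bot: `nft_cmd_free(cmd)` is now called on a cmd whose `obj.rule` has not been assigned yet (the assignment `cmd->obj.rule = rule;` follows the check), so this is only leak-free and crash-free if the allocation earlier in nft_cmd_new() — outside the hunk — leaves every member nft_cmd_free() touches in a state it tolerates, which cannot be confirmed from here. If that holds, a short comment at the call site recording why partial teardown is safe would help; if nft_cmd_free() also unlinks cmd from a list or releases fields that are not yet populated, a plain free(cmd) would be the safer choice on this path. nft_cmd_new() starts before the hunk.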
@ -0,0 +1,56 @@
|
||||
From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 11:58:06 +0200
|
||||
Subject: [PATCH] nft: Avoid buffer size warnings copying iface names
|
||||
|
||||
The call to strncpy() is actually not needed: source buffer is only
|
||||
IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to
|
||||
avoid compiler warnings due to size parameter matching the destination
|
||||
buffer size by performing the copy using (dumb) memcpy() instead.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff)
|
||||
---
|
||||
iptables/nft-ipv4.c | 4 ++--
|
||||
iptables/nft-ipv6.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index a5b835b1f681d..34f94bd8cc24a 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command,
|
||||
*/
|
||||
cs->fw.ip.invflags = args->invflags;
|
||||
|
||||
- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
|
||||
+ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
|
||||
memcpy(cs->fw.ip.iniface_mask,
|
||||
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||
|
||||
- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
|
||||
+ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
|
||||
memcpy(cs->fw.ip.outiface_mask,
|
||||
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||
|
||||
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
||||
index 46008fc5e762a..d9c9400ad7dc3 100644
|
||||
--- a/iptables/nft-ipv6.c
|
||||
+++ b/iptables/nft-ipv6.c
|
||||
@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
|
||||
*/
|
||||
cs->fw6.ipv6.invflags = args->invflags;
|
||||
|
||||
- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
|
||||
+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
|
||||
memcpy(cs->fw6.ipv6.iniface_mask,
|
||||
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||
|
||||
- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
|
||||
+ memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
|
||||
memcpy(cs->fw6.ipv6.outiface_mask,
|
||||
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
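Review bot: Replacing strncpy() with memcpy() for `cs->fw.ip.iniface` / `outiface` (and the nft-ipv6.c twins) changes one thing the description does not mention: strncpy() zero-filled the destination after the terminator, while memcpy() copies whatever bytes follow the NUL in `args->iniface`. That is harmless only if args->iniface is fully zeroed beyond the name before this point (not visible here); otherwise stale bytes land in the kernel-facing entry and could make otherwise identical rules compare unequal. If the source is guaranteed zero-padded, a comment such as `/* args->iniface is IFNAMSIZ bytes, NUL-terminated and zero-padded, so a full-width copy is exact */` would record the assumption; if not, clear the destination first or keep a bounded copy. The same applies to the nft-ipv6.c hunk; nft_ipv4_post_parse() starts before the hunk.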
29
SOURCES/0010-iptables-apply-Drop-unused-variable.patch
@ -0,0 +1,29 @@
|
||||
From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 12:50:57 +0200
|
||||
Subject: [PATCH] iptables-apply: Drop unused variable
|
||||
|
||||
It was assigned to but never read.
|
||||
|
||||
Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
|
||||
---
|
||||
iptables/iptables-apply | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
|
||||
index 4683b1b402d08..3a7df5e3cbc1f 100755
|
||||
--- a/iptables/iptables-apply
|
||||
+++ b/iptables/iptables-apply
|
||||
@@ -231,7 +231,6 @@ case "$MODE" in
|
||||
"$RUNCMD" &
|
||||
CMD_PID=$!
|
||||
( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
|
||||
- CMDTIMEOUT_PID=$!
|
||||
if ! wait "$CMD_PID"; then
|
||||
echo "failed."
|
||||
echo "Error: unknown error running command: $RUNCMD" >&2
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,109 @@
|
||||
From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 14:04:43 +0200
|
||||
Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any()
|
||||
|
||||
The code was almost identical and suffered from the same problem as
|
||||
fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
|
||||
corruption bugs").
|
||||
|
||||
The only functional change this involves is ebt_parse_ip6_address() will
|
||||
now accept hostnames as well.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4)
|
||||
---
|
||||
extensions/libebt_ip6.c | 74 ++++++-----------------------------------
|
||||
1 file changed, 10 insertions(+), 64 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
|
||||
index 301bed9aadefd..3cc39271d4658 100644
|
||||
--- a/extensions/libebt_ip6.c
|
||||
+++ b/extensions/libebt_ip6.c
|
||||
@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match)
|
||||
memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr));
|
||||
}
|
||||
|
||||
-static struct in6_addr *numeric_to_addr(const char *num)
|
||||
+/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */
|
||||
+static void ebt_parse_ip6_address(char *address,
|
||||
+ struct in6_addr *addr, struct in6_addr *msk)
|
||||
{
|
||||
- static struct in6_addr ap;
|
||||
-
|
||||
- if (inet_pton(AF_INET6, num, &ap) == 1)
|
||||
- return ≈
|
||||
- return (struct in6_addr *)NULL;
|
||||
-}
|
||||
-
|
||||
-static struct in6_addr *parse_ip6_mask(char *mask)
|
||||
-{
|
||||
- static struct in6_addr maskaddr;
|
||||
struct in6_addr *addrp;
|
||||
- unsigned int bits;
|
||||
-
|
||||
- if (mask == NULL) {
|
||||
- /* no mask at all defaults to 128 bits */
|
||||
- memset(&maskaddr, 0xff, sizeof maskaddr);
|
||||
- return &maskaddr;
|
||||
- }
|
||||
- if ((addrp = numeric_to_addr(mask)) != NULL)
|
||||
- return addrp;
|
||||
- if (!xtables_strtoui(mask, NULL, &bits, 0, 128))
|
||||
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask);
|
||||
- if (bits != 0) {
|
||||
- char *p = (char *)&maskaddr;
|
||||
- memset(p, 0xff, bits / 8);
|
||||
- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
|
||||
- p[bits / 8] = 0xff << (8 - (bits & 7));
|
||||
- return &maskaddr;
|
||||
- }
|
||||
+ unsigned int naddrs;
|
||||
|
||||
- memset(&maskaddr, 0, sizeof maskaddr);
|
||||
- return &maskaddr;
|
||||
-}
|
||||
-
|
||||
-/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
|
||||
- * The string pointed to by address can be altered. */
|
||||
-static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk)
|
||||
-{
|
||||
- struct in6_addr *tmp_addr;
|
||||
- char buf[256];
|
||||
- char *p;
|
||||
- int i;
|
||||
-
|
||||
- strncpy(buf, address, sizeof(buf) - 1);
|
||||
- /* first the mask */
|
||||
- buf[sizeof(buf) - 1] = '\0';
|
||||
- if ((p = strrchr(buf, '/')) != NULL) {
|
||||
- *p = '\0';
|
||||
- tmp_addr = parse_ip6_mask(p + 1);
|
||||
- } else
|
||||
- tmp_addr = parse_ip6_mask(NULL);
|
||||
-
|
||||
- *msk = *tmp_addr;
|
||||
-
|
||||
- /* if a null mask is given, the name is ignored, like in "any/0" */
|
||||
- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
|
||||
- strcpy(buf, "::");
|
||||
-
|
||||
- if (inet_pton(AF_INET6, buf, addr) < 1) {
|
||||
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- for (i = 0; i < 4; i++)
|
||||
- addr->s6_addr32[i] &= msk->s6_addr32[i];
|
||||
+ xtables_ip6parse_any(address, &addrp, msk, &naddrs);
|
||||
+ if (naddrs != 1)
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "Invalid IPv6 Address '%s' specified", address);
|
||||
+ memcpy(addr, addrp, sizeof(*addr));
|
||||
+ free(addrp);
|
||||
}
|
||||
|
||||
#define OPT_SOURCE 0x01
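Review bot: The new comment on `ebt_parse_ip6_address()` says the wrapper ignores all but the first returned address, but the `naddrs != 1` check right below rejects any result that is not exactly one address, so a hostname resolving to several AAAA records (now accepted, per the commit message) fails with the misleading `Invalid IPv6 Address` error. Either make the comment match, `/* wrap xtables_ip6parse_any(), requiring exactly one resulting address */`, and word the error accordingly, or actually use `addrp[0]` when `naddrs > 1`. Whether the returned address is already masked with `msk`, as the removed `addr->s6_addr32[i] &= msk->s6_addr32[i]` loop did, depends on xtables_ip6parse_any(), which is outside this hunk; worth confirming, since the kernel-side comparison relies on the address being canonical with respect to the mask.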
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,554 @@
|
||||
From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 12:56:06 +0200
|
||||
Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere
|
||||
|
||||
This wraps strdup(), checking for errors.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a)
|
||||
---
|
||||
extensions/libebt_ip.c | 3 ++-
|
||||
extensions/libebt_ip6.c | 2 +-
|
||||
extensions/libebt_stp.c | 3 ++-
|
||||
extensions/libip6t_DNAT.c | 4 +---
|
||||
extensions/libip6t_SNAT.c | 4 +---
|
||||
extensions/libip6t_dst.c | 8 +++-----
|
||||
extensions/libip6t_hbh.c | 7 +++----
|
||||
extensions/libip6t_ipv6header.c | 2 +-
|
||||
extensions/libip6t_mh.c | 2 +-
|
||||
extensions/libip6t_rt.c | 7 +++----
|
||||
extensions/libipt_DNAT.c | 8 ++------
|
||||
extensions/libipt_SNAT.c | 4 +---
|
||||
extensions/libxt_dccp.c | 2 +-
|
||||
extensions/libxt_hashlimit.c | 5 +----
|
||||
extensions/libxt_iprange.c | 4 +---
|
||||
extensions/libxt_multiport.c | 6 ++----
|
||||
extensions/libxt_sctp.c | 4 ++--
|
||||
extensions/libxt_set.h | 4 ++--
|
||||
extensions/libxt_tcp.c | 4 ++--
|
||||
include/xtables.h | 1 +
|
||||
iptables/iptables-xml.c | 4 ++--
|
||||
iptables/nft-cache.c | 4 ++--
|
||||
iptables/nft-cmd.c | 13 +++++++------
|
||||
iptables/xshared.c | 2 +-
|
||||
libxtables/xtables.c | 12 ++++++++++++
|
||||
libxtables/xtoptions.c | 14 +++-----------
|
||||
26 files changed, 60 insertions(+), 73 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
|
||||
index acb9bfcdbbd9f..51649ffb3c305 100644
|
||||
--- a/extensions/libebt_ip.c
|
||||
+++ b/extensions/libebt_ip.c
|
||||
@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
+
|
||||
if ((cp = strchr(buffer, ':')) == NULL)
|
||||
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
|
||||
else {
|
||||
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
|
||||
index 3cc39271d4658..a686a285c3cb8 100644
|
||||
--- a/extensions/libebt_ip6.c
|
||||
+++ b/extensions/libebt_ip6.c
|
||||
@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
if ((cp = strchr(buffer, ':')) == NULL)
|
||||
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
|
||||
else {
|
||||
diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
|
||||
index 81ba572c33c1a..3e9e24474eb61 100644
|
||||
--- a/extensions/libebt_stp.c
|
||||
+++ b/extensions/libebt_stp.c
|
||||
@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper,
|
||||
uint32_t low_nr, upp_nr;
|
||||
int ret = 0;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
+
|
||||
if ((cp = strchr(buffer, ':')) == NULL) {
|
||||
low_nr = strtoul(buffer, &end, 10);
|
||||
if (*end || low_nr < min || low_nr > max) {
|
||||
diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
|
||||
index 89c5ceb153250..f1ad81436316b 100644
|
||||
--- a/extensions/libip6t_DNAT.c
|
||||
+++ b/extensions/libip6t_DNAT.c
|
||||
@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev)
|
||||
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
|
||||
const struct in6_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
|
||||
start = strchr(arg, '[');
|
||||
if (start == NULL) {
|
||||
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
|
||||
index 7d74b3d76a93c..6d19614c7c708 100644
|
||||
--- a/extensions/libip6t_SNAT.c
|
||||
+++ b/extensions/libip6t_SNAT.c
|
||||
@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
|
||||
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
|
||||
const struct in6_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
|
||||
start = strchr(arg, '[');
|
||||
if (start == NULL) {
|
||||
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
|
||||
index fe7e3403468ce..bf0e3e436665d 100644
|
||||
--- a/extensions/libip6t_dst.c
|
||||
+++ b/extensions/libip6t_dst.c
|
||||
@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
|
||||
{
|
||||
char *buffer, *cp, *next, *range;
|
||||
unsigned int i;
|
||||
-
|
||||
- buffer = strdup(optsstr);
|
||||
- if (!buffer)
|
||||
- xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
-
|
||||
+
|
||||
+ buffer = xtables_strdup(optsstr);
|
||||
+
|
||||
for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
|
||||
{
|
||||
next = strchr(cp, ',');
|
||||
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
|
||||
index 4cebecfd3d2f5..74e87cda7eea1 100644
|
||||
--- a/extensions/libip6t_hbh.c
|
||||
+++ b/extensions/libip6t_hbh.c
|
||||
@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
|
||||
{
|
||||
char *buffer, *cp, *next, *range;
|
||||
unsigned int i;
|
||||
-
|
||||
- buffer = strdup(optsstr);
|
||||
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
-
|
||||
+
|
||||
+ buffer = xtables_strdup(optsstr);
|
||||
+
|
||||
for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
|
||||
{
|
||||
next=strchr(cp, ',');
|
||||
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
|
||||
index 6f03087bb79d8..9e34562966f8b 100644
|
||||
--- a/extensions/libip6t_ipv6header.c
|
||||
+++ b/extensions/libip6t_ipv6header.c
|
||||
@@ -147,7 +147,7 @@ parse_header(const char *flags) {
|
||||
char *ptr;
|
||||
char *buffer;
|
||||
|
||||
- buffer = strdup(flags);
|
||||
+ buffer = xtables_strdup(flags);
|
||||
|
||||
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
|
||||
ret |= add_proto_to_mask(name_to_proto(ptr));
|
||||
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
|
||||
index f4c0fd9fc0bca..64675405ac724 100644
|
||||
--- a/extensions/libip6t_mh.c
|
||||
+++ b/extensions/libip6t_mh.c
|
||||
@@ -107,7 +107,7 @@ static void parse_mh_types(const char *mhtype, uint8_t *types)
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(mhtype);
|
||||
+ buffer = xtables_strdup(mhtype);
|
||||
if ((cp = strchr(buffer, ':')) == NULL)
|
||||
types[0] = types[1] = name_to_type(buffer);
|
||||
else {
|
||||
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
|
||||
index 3cb3b249d8995..9708b5a0c42f3 100644
|
||||
--- a/extensions/libip6t_rt.c
|
||||
+++ b/extensions/libip6t_rt.c
|
||||
@@ -73,10 +73,9 @@ parse_addresses(const char *addrstr, struct in6_addr *addrp)
|
||||
{
|
||||
char *buffer, *cp, *next;
|
||||
unsigned int i;
|
||||
-
|
||||
- buffer = strdup(addrstr);
|
||||
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
-
|
||||
+
|
||||
+ buffer = xtables_strdup(addrstr);
|
||||
+
|
||||
for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
|
||||
{
|
||||
next=strchr(cp, ',');
|
||||
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
|
||||
index 4907a2e83d066..5b33fd23f6e36 100644
|
||||
--- a/extensions/libipt_DNAT.c
|
||||
+++ b/extensions/libipt_DNAT.c
|
||||
@@ -79,9 +79,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
|
||||
char *arg, *colon, *dash, *error;
|
||||
const struct in_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
memset(&range, 0, sizeof(range));
|
||||
colon = strchr(arg, ':');
|
||||
|
||||
@@ -302,9 +300,7 @@ parse_to_v2(const char *orig_arg, int portok, struct nf_nat_range2 *range)
|
||||
char *arg, *colon, *dash, *error;
|
||||
const struct in_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
|
||||
colon = strchr(arg, ':');
|
||||
if (colon) {
|
||||
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
|
||||
index e92d811c2bc93..c655439ec9192 100644
|
||||
--- a/extensions/libipt_SNAT.c
|
||||
+++ b/extensions/libipt_SNAT.c
|
||||
@@ -73,9 +73,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
|
||||
char *arg, *colon, *dash, *error;
|
||||
const struct in_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
memset(&range, 0, sizeof(range));
|
||||
colon = strchr(arg, ':');
|
||||
|
||||
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
|
||||
index aea3e20be4818..abd420fcc0032 100644
|
||||
--- a/extensions/libxt_dccp.c
|
||||
+++ b/extensions/libxt_dccp.c
|
||||
@@ -85,7 +85,7 @@ parse_dccp_types(const char *typestring)
|
||||
uint16_t typemask = 0;
|
||||
char *ptr, *buffer;
|
||||
|
||||
- buffer = strdup(typestring);
|
||||
+ buffer = xtables_strdup(typestring);
|
||||
|
||||
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
|
||||
unsigned int i;
|
||||
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
|
||||
index 7f1d2a402c4fd..3f3c43010ee2a 100644
|
||||
--- a/extensions/libxt_hashlimit.c
|
||||
+++ b/extensions/libxt_hashlimit.c
|
||||
@@ -508,10 +508,7 @@ static void hashlimit_mt6_init(struct xt_entry_match *match)
|
||||
static int parse_mode(uint32_t *mode, const char *option_arg)
|
||||
{
|
||||
char *tok;
|
||||
- char *arg = strdup(option_arg);
|
||||
-
|
||||
- if (!arg)
|
||||
- return -1;
|
||||
+ char *arg = xtables_strdup(option_arg);
|
||||
|
||||
for (tok = strtok(arg, ",|");
|
||||
tok;
|
||||
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
|
||||
index 8be2481497b8d..04ce7b364f1c6 100644
|
||||
--- a/extensions/libxt_iprange.c
|
||||
+++ b/extensions/libxt_iprange.c
|
||||
@@ -73,11 +73,9 @@ iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
|
||||
static void iprange_parse_range(const char *oarg, union nf_inet_addr *range,
|
||||
uint8_t family, const char *optname)
|
||||
{
|
||||
- char *arg = strdup(oarg);
|
||||
+ char *arg = xtables_strdup(oarg);
|
||||
char *dash;
|
||||
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
dash = strchr(arg, '-');
|
||||
if (dash == NULL) {
|
||||
iprange_parse_spec(arg, arg, range, family, optname);
|
||||
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
|
||||
index 07ad4cfd4e519..4a42fa38238b9 100644
|
||||
--- a/extensions/libxt_multiport.c
|
||||
+++ b/extensions/libxt_multiport.c
|
||||
@@ -87,8 +87,7 @@ parse_multi_ports(const char *portstring, uint16_t *ports, const char *proto)
|
||||
char *buffer, *cp, *next;
|
||||
unsigned int i;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
|
||||
for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
|
||||
{
|
||||
@@ -109,8 +108,7 @@ parse_multi_ports_v1(const char *portstring,
|
||||
char *buffer, *cp, *next, *range;
|
||||
unsigned int i;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
|
||||
for (i=0; i<XT_MULTI_PORTS; i++)
|
||||
multiinfo->pflags[i] = 0;
|
||||
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||
index 140de2653b1ef..59b34684cc7f7 100644
|
||||
--- a/extensions/libxt_sctp.c
|
||||
+++ b/extensions/libxt_sctp.c
|
||||
@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring,
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
DEBUGP("%s\n", portstring);
|
||||
if ((cp = strchr(buffer, ':')) == NULL) {
|
||||
ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
|
||||
@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo,
|
||||
int found = 0;
|
||||
char *chunk_flags;
|
||||
|
||||
- buffer = strdup(chunks);
|
||||
+ buffer = xtables_strdup(chunks);
|
||||
DEBUGP("Buffer: %s\n", buffer);
|
||||
|
||||
SCTP_CHUNKMAP_RESET(einfo->chunkmap);
|
||||
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
|
||||
index 41dfbd30fc7c1..ad895a7504d9d 100644
|
||||
--- a/extensions/libxt_set.h
|
||||
+++ b/extensions/libxt_set.h
|
||||
@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info)
|
||||
static void
|
||||
parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
|
||||
{
|
||||
- char *saved = strdup(opt_arg);
|
||||
+ char *saved = xtables_strdup(opt_arg);
|
||||
char *ptr, *tmp = saved;
|
||||
int i = 0;
|
||||
|
||||
@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
|
||||
static void
|
||||
parse_dirs(const char *opt_arg, struct xt_set_info *info)
|
||||
{
|
||||
- char *saved = strdup(opt_arg);
|
||||
+ char *saved = xtables_strdup(opt_arg);
|
||||
char *ptr, *tmp = saved;
|
||||
|
||||
while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
|
||||
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
|
||||
index 58f3c0a0c3c28..383e4db5b5e23 100644
|
||||
--- a/extensions/libxt_tcp.c
|
||||
+++ b/extensions/libxt_tcp.c
|
||||
@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports)
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
if ((cp = strchr(buffer, ':')) == NULL)
|
||||
ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
|
||||
else {
|
||||
@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags)
|
||||
char *ptr;
|
||||
char *buffer;
|
||||
|
||||
- buffer = strdup(flags);
|
||||
+ buffer = xtables_strdup(flags);
|
||||
|
||||
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
|
||||
unsigned int i;
|
||||
diff --git a/include/xtables.h b/include/xtables.h
|
||||
index df1eaee326643..107ad7d65e6fc 100644
|
||||
--- a/include/xtables.h
|
||||
+++ b/include/xtables.h
|
||||
@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t);
|
||||
extern void *xtables_calloc(size_t, size_t);
|
||||
extern void *xtables_malloc(size_t);
|
||||
extern void *xtables_realloc(void *, size_t);
|
||||
+char *xtables_strdup(const char *);
|
||||
|
||||
extern int xtables_insmod(const char *, const char *, bool);
|
||||
extern int xtables_load_ko(const char *, bool);
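Review bot: The added prototype `char *xtables_strdup(const char *);` is the only declaration in this block without the `extern` keyword its neighbours use; for consistency with the surrounding allocator declarations write it as `extern char *xtables_strdup(const char *);`.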
|
||||
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
|
||||
index 98d03dda98d2b..6cf059fb67292 100644
|
||||
--- a/iptables/iptables-xml.c
|
||||
+++ b/iptables/iptables-xml.c
|
||||
@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr)
|
||||
"%s: line %u chain name invalid\n",
|
||||
prog_name, line);
|
||||
|
||||
- chains[nextChain].chain = strdup(chain);
|
||||
- chains[nextChain].policy = strdup(policy);
|
||||
+ chains[nextChain].chain = xtables_strdup(chain);
|
||||
+ chains[nextChain].policy = xtables_strdup(policy);
|
||||
chains[nextChain].count = *ctr;
|
||||
chains[nextChain].created = 0;
|
||||
nextChain++;
|
||||
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||||
index 6b6e6da40a826..7fd78654b280a 100644
|
||||
--- a/iptables/nft-cache.c
|
||||
+++ b/iptables/nft-cache.c
|
||||
@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name)
|
||||
}
|
||||
|
||||
new = xtables_malloc(sizeof(*new));
|
||||
- new->name = strdup(name);
|
||||
+ new->name = xtables_strdup(name);
|
||||
list_add_tail(&new->head, pos ? &pos->head : list);
|
||||
}
|
||||
|
||||
@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level,
|
||||
return;
|
||||
|
||||
if (!req->table)
|
||||
- req->table = strdup(cmd->table);
|
||||
+ req->table = xtables_strdup(cmd->table);
|
||||
else
|
||||
assert(!strcmp(req->table, cmd->table));
|
||||
|
||||
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
|
||||
index 9b0c964847615..8dccdd734b156 100644
|
||||
--- a/iptables/nft-cmd.c
|
||||
+++ b/iptables/nft-cmd.c
|
||||
@@ -11,6 +11,7 @@
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <xtables.h>
|
||||
#include "nft.h"
|
||||
#include "nft-cmd.h"
|
||||
|
||||
@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
|
||||
return NULL;
|
||||
|
||||
cmd->command = command;
|
||||
- cmd->table = strdup(table);
|
||||
+ cmd->table = xtables_strdup(table);
|
||||
if (chain)
|
||||
- cmd->chain = strdup(chain);
|
||||
+ cmd->chain = xtables_strdup(chain);
|
||||
cmd->rulenum = rulenum;
|
||||
cmd->verbose = verbose;
|
||||
|
||||
@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
|
||||
cmd->obj.rule = rule;
|
||||
|
||||
if (!state->target && strlen(state->jumpto) > 0)
|
||||
- cmd->jumpto = strdup(state->jumpto);
|
||||
+ cmd->jumpto = xtables_strdup(state->jumpto);
|
||||
}
|
||||
|
||||
list_add_tail(&cmd->head, &h->cmd_list);
|
||||
@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
|
||||
if (!cmd)
|
||||
return 0;
|
||||
|
||||
- cmd->rename = strdup(newname);
|
||||
+ cmd->rename = xtables_strdup(newname);
|
||||
|
||||
nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
|
||||
|
||||
@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table,
|
||||
if (!cmd)
|
||||
return 0;
|
||||
|
||||
- cmd->policy = strdup(policy);
|
||||
+ cmd->policy = xtables_strdup(policy);
|
||||
if (counters)
|
||||
cmd->counters = *counters;
|
||||
|
||||
@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
|
||||
if (!cmd)
|
||||
return 0;
|
||||
|
||||
- cmd->policy = strdup(policy);
|
||||
+ cmd->policy = xtables_strdup(policy);
|
||||
|
||||
nft_cache_level_set(h, NFT_CL_RULES, cmd);
|
||||
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index 9a1f465a5a6d3..4027d9240215e 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted)
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
"Trying to store NULL argument\n");
|
||||
|
||||
- store->argv[store->argc] = strdup(what);
|
||||
+ store->argv[store->argc] = xtables_strdup(what);
|
||||
store->argvattr[store->argc] = quoted;
|
||||
store->argv[++store->argc] = NULL;
|
||||
}
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index 6947441fec659..1931e3896262a 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size)
|
||||
return p;
|
||||
}
|
||||
|
||||
+char *xtables_strdup(const char *s)
|
||||
+{
|
||||
+ char *dup = strdup(s);
|
||||
+
|
||||
+ if (!dup) {
|
||||
+ perror("ip[6]tables: strdup failed");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
+ return dup;
|
||||
+}
|
||||
+
|
||||
static char *get_modprobe(void)
|
||||
{
|
||||
int procfile;
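Review bot: `xtables_strdup()` passes `s` straight to `strdup()`, so a NULL argument is undefined behaviour rather than a reported error, yet several call sites converted in this series hand it values such as `cmd->table`, `policy` and `state->jumpto` without a visible NULL check; a guard such as `if (!s) { fputs("ip[6]tables: strdup of NULL\n", stderr); exit(1); }` ahead of the `strdup()` call, or at least a comment stating the precondition, would make the contract explicit. The wrapper also turns two previously recoverable failures into a process exit: `parse_mode()` in libxt_hashlimit.c used to return -1 and `xtables_lmap_init()` in xtoptions.c used to free `lmap_this` and take its `out` path, and both are entry points whose callers may not expect termination, so the commit message should say that this is intended. A one-line comment above the function, `/* strdup() that aborts on allocation failure, mirroring xtables_malloc() */`, would document the policy for future callers.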
|
||||
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
|
||||
index 0dcdf607f4678..9d3ac5c8066cb 100644
|
||||
--- a/libxtables/xtoptions.c
|
||||
+++ b/libxtables/xtoptions.c
|
||||
@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb)
|
||||
unsigned int maxiter;
|
||||
int value;
|
||||
|
||||
- wp_arg = lo_arg = strdup(cb->arg);
|
||||
- if (lo_arg == NULL)
|
||||
- xt_params->exit_err(RESOURCE_PROBLEM, "strdup");
|
||||
+ wp_arg = lo_arg = xtables_strdup(cb->arg);
|
||||
|
||||
maxiter = entry->size / esize;
|
||||
if (maxiter == 0)
|
||||
@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
|
||||
xtopt_parse_host(cb);
|
||||
return;
|
||||
}
|
||||
- work = strdup(orig_arg);
|
||||
- if (work == NULL)
|
||||
- xt_params->exit_err(PARAMETER_PROBLEM, "strdup");
|
||||
+ work = xtables_strdup(orig_arg);
|
||||
p = strchr(work, '/'); /* by def this can't be NULL now */
|
||||
*p++ = '\0';
|
||||
/*
|
||||
@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file)
|
||||
goto out;
|
||||
}
|
||||
lmap_this->id = id;
|
||||
- lmap_this->name = strdup(cur);
|
||||
- if (lmap_this->name == NULL) {
|
||||
- free(lmap_this);
|
||||
- goto out;
|
||||
- }
|
||||
+ lmap_this->name = xtables_strdup(cur);
|
||||
lmap_this->next = NULL;
|
||||
|
||||
if (lmap_prev != NULL)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,31 @@
|
||||
From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 15:15:37 +0200
|
||||
Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
|
||||
strncpy()
|
||||
|
||||
If the target buffer does not need to be null-terminated, one may simply
|
||||
use memcpy() and thereby avoid any compiler warnings.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
|
||||
---
|
||||
extensions/libxt_string.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
|
||||
index 7c6366cbbf1b3..739a8e7fd66b6 100644
|
||||
--- a/extensions/libxt_string.c
|
||||
+++ b/extensions/libxt_string.c
|
||||
@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
|
||||
{
|
||||
/* xt_string does not need \0 at the end of the pattern */
|
||||
if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
|
||||
- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
|
||||
+ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
|
||||
info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
|
||||
return;
|
||||
}
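Review bot: The replacement `memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE)` copies a fixed number of bytes, but the `strlen(s) <= XT_STRING_MAX_PATTERN_SIZE` guard only guarantees that many readable bytes in the boundary case; for any shorter pattern it reads past the terminating NUL of the option argument, and whatever follows it in memory ends up in `info->pattern`, which is handed to the kernel as match data. `strncpy()` stopped reading at the NUL and zero-padded the rest, so this is an over-read the warning fix introduced, not a cosmetic difference. Copy only the pattern length instead: `info->patlen = strlen(s);` then `memcpy(info->pattern, s, info->patlen);` (the `strnlen` call becomes redundant); whether the remainder of `pattern` is already zeroed depends on how `info` was allocated, which is outside the hunk. parse_string() continues outside the hunk.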
|
||||
--
|
||||
2.31.1
|
||||
|
104
SOURCES/0014-iptables-nft-fix-Z-option.patch
Normal file
@ -0,0 +1,104 @@
|
||||
From 176353549f03fd10c731d93e9b37aa05eb210ecb Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Wed, 24 Feb 2021 11:08:02 +0100
|
||||
Subject: [PATCH] iptables-nft: fix -Z option
|
||||
|
||||
it zeroes the rule counters, so it needs fully populated cache.
|
||||
Add a test case to cover this.
|
||||
|
||||
Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands")
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
Acked-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2)
|
||||
---
|
||||
iptables/nft-cmd.c | 2 +-
|
||||
.../testcases/iptables/0007-zero-counters_0 | 64 +++++++++++++++++++
|
||||
2 files changed, 65 insertions(+), 1 deletion(-)
|
||||
create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0
|
||||
|
||||
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
|
||||
index 8dccdd734b156..a0c76a795e59c 100644
|
||||
--- a/iptables/nft-cmd.c
|
||||
+++ b/iptables/nft-cmd.c
|
||||
@@ -188,7 +188,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain,
|
||||
if (!cmd)
|
||||
return 0;
|
||||
|
||||
- nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
|
||||
+ nft_cache_level_set(h, NFT_CL_RULES, cmd);
|
||||
|
||||
return 1;
|
||||
}
|
||||
diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
|
||||
new file mode 100755
|
||||
index 0000000000000..36da1907e3b22
|
||||
--- /dev/null
|
||||
+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
|
||||
@@ -0,0 +1,64 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+RC=0
|
||||
+COUNTR=$RANDOM$RANDOM
|
||||
+
|
||||
+$XT_MULTI iptables-restore -c <<EOF
|
||||
+*filter
|
||||
+:INPUT ACCEPT [1:23]
|
||||
+:FOO - [0:0]
|
||||
+[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
|
||||
+[22:123] -A FOO -m comment --comment one
|
||||
+[44:123] -A FOO -m comment --comment two
|
||||
+COMMIT
|
||||
+EOF
|
||||
+EXPECT="*filter
|
||||
+:INPUT ACCEPT [0:0]
|
||||
+:FORWARD ACCEPT [0:0]
|
||||
+:OUTPUT ACCEPT [0:0]
|
||||
+:FOO - [0:0]
|
||||
+[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
|
||||
+[0:0] -A FOO -m comment --comment one
|
||||
+[0:0] -A FOO -m comment --comment two
|
||||
+COMMIT"
|
||||
+
|
||||
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
|
||||
+if [ $COUNTER != "[12:345]" ]; then
|
||||
+ echo "Counter $COUNTER is wrong, expected 12:345"
|
||||
+ RC=1
|
||||
+fi
|
||||
+
|
||||
+$XT_MULTI iptables -Z FOO
|
||||
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
|
||||
+if [ $COUNTER = "[0:0]" ]; then
|
||||
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
|
||||
+ RC=1
|
||||
+fi
|
||||
+
|
||||
+for c in one two; do
|
||||
+ COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ")
|
||||
+ if [ $COUNTER != "[0:0]" ]; then
|
||||
+ echo "Counter $COUNTER is wrong, should have been zeroed at rule $c"
|
||||
+ RC=1
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+$XT_MULTI iptables -Z
|
||||
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
|
||||
+
|
||||
+if [ $COUNTER != "[0:0]" ]; then
|
||||
+ echo "Counter $COUNTER is wrong, expected 0:0 after -Z"
|
||||
+ RC=1
|
||||
+fi
|
||||
+
|
||||
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#')
|
||||
+if [ $? -ne 0 ]; then
|
||||
+ echo "Diff error: counters were not zeroed"
|
||||
+ RC=1
|
||||
+fi
|
||||
+
|
||||
+$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
|
||||
+$XT_MULTI iptables -D FOO -m comment --comment one
|
||||
+$XT_MULTI iptables -D FOO -m comment --comment two
|
||||
+$XT_MULTI iptables -X FOO
|
||||
+exit $RC
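Review bot: The `COUNTER` comparisons expand the variable unquoted (`if [ $COUNTER != "[12:345]" ]` and the three similar tests below it), so when the `grep` matches nothing the expansion is empty and `[` fails with a syntax error instead of taking the intended `RC=1` path; quoting it, `if [ "$COUNTER" != "[12:345]" ]; then`, makes a missing rule a reported failure rather than a shell error. The same applies to the `[ $COUNTER = "[0:0]" ]` check after `-Z FOO` and to the loop over `one two`.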
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,73 @@
|
||||
From 5462c9908a3b2ba94fc4cf5c6cd0d5ed296093c5 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 19 Feb 2021 16:54:57 +0100
|
||||
Subject: [PATCH] nft: Fix bitwise expression avoidance detection
|
||||
|
||||
Byte-boundary prefix detection was too sloppy: Any data following the
|
||||
first zero-byte was ignored. Add a follow-up loop making sure there are
|
||||
no stray bits in the designated host part.
|
||||
|
||||
Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba)
|
||||
---
|
||||
iptables/nft-shared.c | 4 +++-
|
||||
.../testcases/ip6tables/0004-address-masks_0 | 24 +++++++++++++++++++
|
||||
2 files changed, 27 insertions(+), 1 deletion(-)
|
||||
create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
|
||||
|
||||
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
|
||||
index 10553ab26823b..c1664b50f9383 100644
|
||||
--- a/iptables/nft-shared.c
|
||||
+++ b/iptables/nft-shared.c
|
||||
@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
|
||||
{
|
||||
const unsigned char *m = mask;
|
||||
bool bitwise = false;
|
||||
- int i;
|
||||
+ int i, j;
|
||||
|
||||
for (i = 0; i < len; i++) {
|
||||
if (m[i] != 0xff) {
|
||||
@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ for (j = i + 1; !bitwise && j < len; j++)
|
||||
+ bitwise = !!m[j];
|
||||
|
||||
if (!bitwise)
|
||||
len = i;
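Review bot: The added loop folds its result into its own termination condition, `for (j = i + 1; !bitwise && j < len; j++) bitwise = !!m[j];`, which reads as a trick; the plain form `for (j = i + 1; j < len; j++) if (m[j]) { bitwise = true; break; }` states the intent directly. The logic itself looks right provided the first loop, which is partly outside the hunk, already sets `bitwise` when the byte it stops on is non-zero, since the new loop then only scans the bytes after a zero byte for stray set bits. add_addr() continues outside the hunk.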
|
||||
diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
|
||||
new file mode 100755
|
||||
index 0000000000000..7eb42f08da975
|
||||
--- /dev/null
|
||||
+++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
|
||||
@@ -0,0 +1,24 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+$XT_MULTI ip6tables-restore <<EOF
|
||||
+*filter
|
||||
+-A FORWARD -s feed:babe::/ffff::0
|
||||
+-A FORWARD -s feed:babe::/ffff:ff00::0
|
||||
+-A FORWARD -s feed:babe::/ffff:fff0::0
|
||||
+-A FORWARD -s feed:babe::/ffff:ffff::0
|
||||
+-A FORWARD -s feed:babe::/0:ffff::0
|
||||
+-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0
|
||||
+COMMIT
|
||||
+EOF
|
||||
+
|
||||
+EXPECT='-P FORWARD ACCEPT
|
||||
+-A FORWARD -s feed::/16
|
||||
+-A FORWARD -s feed:ba00::/24
|
||||
+-A FORWARD -s feed:bab0::/28
|
||||
+-A FORWARD -s feed:babe::/32
|
||||
+-A FORWARD -s 0:babe::/0:ffff::
|
||||
+-A FORWARD -s feed::babe:0/ffff::ffff:0'
|
||||
+
|
||||
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
|
||||
--
|
||||
2.31.1
|
||||
|
80
SOURCES/0016-extensions-sctp-Fix-nftables-translation.patch
Normal file
@ -0,0 +1,80 @@
|
||||
From c9c2e55eb6cebdb8d17cf0c8267a1eb3e8fb6e07 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 4 May 2021 16:03:24 +0200
|
||||
Subject: [PATCH] extensions: sctp: Fix nftables translation
|
||||
|
||||
If both sport and dport was present, incorrect nft syntax was generated.
|
||||
|
||||
Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
|
||||
---
|
||||
extensions/libxt_sctp.c | 10 ++++------
|
||||
extensions/libxt_sctp.txlate | 10 +++++-----
|
||||
2 files changed, 9 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||
index 59b34684cc7f7..5ec1ca618405e 100644
|
||||
--- a/extensions/libxt_sctp.c
|
||||
+++ b/extensions/libxt_sctp.c
|
||||
@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
|
||||
if (!einfo->flags)
|
||||
return 0;
|
||||
|
||||
- xt_xlate_add(xl, "sctp ");
|
||||
-
|
||||
if (einfo->flags & XT_SCTP_SRC_PORTS) {
|
||||
if (einfo->spts[0] != einfo->spts[1])
|
||||
- xt_xlate_add(xl, "sport%s %u-%u",
|
||||
+ xt_xlate_add(xl, "sctp sport%s %u-%u",
|
||||
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
|
||||
einfo->spts[0], einfo->spts[1]);
|
||||
else
|
||||
- xt_xlate_add(xl, "sport%s %u",
|
||||
+ xt_xlate_add(xl, "sctp sport%s %u",
|
||||
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
|
||||
einfo->spts[0]);
|
||||
space = " ";
|
||||
@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
|
||||
|
||||
if (einfo->flags & XT_SCTP_DEST_PORTS) {
|
||||
if (einfo->dpts[0] != einfo->dpts[1])
|
||||
- xt_xlate_add(xl, "%sdport%s %u-%u", space,
|
||||
+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
|
||||
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
||||
einfo->dpts[0], einfo->dpts[1]);
|
||||
else
|
||||
- xt_xlate_add(xl, "%sdport%s %u", space,
|
||||
+ xt_xlate_add(xl, "%ssctp dport%s %u", space,
|
||||
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
||||
einfo->dpts[0]);
|
||||
}
|
||||
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
|
||||
index 72f4641ab021c..0d6c59e183675 100644
|
||||
--- a/extensions/libxt_sctp.txlate
|
||||
+++ b/extensions/libxt_sctp.txlate
|
||||
@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
|
||||
nft add rule ip filter INPUT sctp dport != 50-56 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
|
||||
--
|
||||
2.31.1
|
||||
|
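Review bot: The protocol keyword is now repeated in four separate format strings (`"sctp sport%s %u-%u"`, `"sctp sport%s %u"`, `"%ssctp dport%s %u-%u"`, `"%ssctp dport%s %u"`), which is the duplication the removed single `xt_xlate_add(xl, "sctp ");` used to avoid. Emitting it once per port branch, e.g. `xt_xlate_add(xl, "%ssctp ", space);` as the first statement inside each `if (einfo->flags & XT_SCTP_..._PORTS)` block, would keep the four literals as they were and make the prefix impossible to forget when another option is added — this assumes `space` starts out as an empty string, which the hunk does not show. The generated text is identical either way, as the updated .txlate expectations confirm. The body of sctp_xlate starts before the first hunk and continues after the second.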
@ -0,0 +1,334 @@
|
||||
From 635e4c4e7f3581a7cc8c04244ae3de239ad84935 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Thu, 17 Jun 2021 18:44:28 +0200
|
||||
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
|
||||
|
||||
This is RHEL9 trying to friendly kick people towards nftables.
|
||||
---
|
||||
iptables/arptables-nft-restore.8 | 13 ++++++++++++-
|
||||
iptables/arptables-nft-save.8 | 14 +++++++++++++-
|
||||
iptables/arptables-nft.8 | 19 ++++++++++++++++++-
|
||||
iptables/ebtables-nft.8 | 15 ++++++++++++++-
|
||||
iptables/iptables-apply.8.in | 14 +++++++++++++-
|
||||
iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++
|
||||
iptables/iptables-restore.8.in | 17 ++++++++++++++++-
|
||||
iptables/iptables-save.8.in | 15 ++++++++++++++-
|
||||
iptables/iptables.8.in | 17 +++++++++++++++++
|
||||
iptables/xtables-monitor.8.in | 11 +++++++++++
|
||||
10 files changed, 142 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
|
||||
index 09d9082cf9fd3..b1bf02998f9cc 100644
|
||||
--- a/iptables/arptables-nft-restore.8
|
||||
+++ b/iptables/arptables-nft-restore.8
|
||||
@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
|
||||
.SH SYNOPSIS
|
||||
\fBarptables\-restore
|
||||
.SH DESCRIPTION
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
.PP
|
||||
.B arptables-restore
|
||||
is used to restore ARP Tables from data specified on STDIN or
|
||||
@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
|
||||
.SH AUTHOR
|
||||
Jesper Dangaard Brouer <brouer@redhat.com>
|
||||
.SH SEE ALSO
|
||||
-\fBarptables\-save\fP(8), \fBarptables\fP(8)
|
||||
+\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
|
||||
.PP
|
||||
diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
|
||||
index 905e59854cc28..49bb0f6260f2f 100644
|
||||
--- a/iptables/arptables-nft-save.8
|
||||
+++ b/iptables/arptables-nft-save.8
|
||||
@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
|
||||
\fBarptables\-save\fP [\fB\-V\fP]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
.B arptables-save
|
||||
is used to dump the contents of an ARP Table in easily parseable format
|
||||
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
|
||||
@@ -43,5 +55,5 @@ Print version information and exit.
|
||||
.SH AUTHOR
|
||||
Jesper Dangaard Brouer <brouer@redhat.com>
|
||||
.SH SEE ALSO
|
||||
-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
|
||||
+\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
|
||||
.PP
|
||||
diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
|
||||
index ea31e0842acd4..ec5b993a41e8b 100644
|
||||
--- a/iptables/arptables-nft.8
|
||||
+++ b/iptables/arptables-nft.8
|
||||
@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
|
||||
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]
|
||||
|
||||
.SH DESCRIPTION
|
||||
+.PP
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
.B arptables
|
||||
is a user space tool, it is used to set up and maintain the
|
||||
tables of ARP rules in the Linux kernel. These rules inspect
|
||||
@@ -340,9 +353,13 @@ bridges, the same may be achieved using
|
||||
chain in
|
||||
.BR ebtables .
|
||||
|
||||
+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
|
||||
+will not receive new features. New setups should use \fBnft\fP(8). Existing
|
||||
+setups should migrate to \fBnft\fP(8) when possible.
|
||||
+
|
||||
.SH MAILINGLISTS
|
||||
.BR "" "See " http://netfilter.org/mailinglists.html
|
||||
.SH SEE ALSO
|
||||
-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
|
||||
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
|
||||
.PP
|
||||
.BR "" "See " https://wiki.nftables.org
|
||||
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
|
||||
index 1fa5ad9388cc0..5bdc0bb8a939e 100644
|
||||
--- a/iptables/ebtables-nft.8
|
||||
+++ b/iptables/ebtables-nft.8
|
||||
@@ -52,6 +52,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
|
||||
.br
|
||||
|
||||
.SH DESCRIPTION
|
||||
+.PP
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
.B ebtables
|
||||
is an application program used to set up and maintain the
|
||||
tables of rules (inside the Linux kernel) that inspect
|
||||
@@ -1111,6 +1124,6 @@ table. Also there is no support for
|
||||
.B string
|
||||
match. And finally, this list is probably not complete.
|
||||
.SH SEE ALSO
|
||||
-.BR xtables-nft "(8), " iptables "(8), " ip (8)
|
||||
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
|
||||
.PP
|
||||
.BR "" "See " https://wiki.nftables.org
|
||||
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
|
||||
index f0ed4e5f8d450..7f99a21ed2b61 100644
|
||||
--- a/iptables/iptables-apply.8.in
|
||||
+++ b/iptables/iptables-apply.8.in
|
||||
@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
|
||||
\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
iptables\-apply will try to apply a new rulesfile (as output by
|
||||
iptables-save, read by iptables-restore) or run a command to configure
|
||||
iptables and then prompt the user whether the changes are okay. If the
|
||||
@@ -47,7 +59,7 @@ Display usage information.
|
||||
Display version information.
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
|
||||
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
|
||||
.SH LEGALESE
|
||||
.PP
|
||||
Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
|
||||
diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
|
||||
index 99d89a1fe44ad..73d40bbfe9c52 100644
|
||||
--- a/iptables/iptables-extensions.8.tmpl.in
|
||||
+++ b/iptables/iptables-extensions.8.tmpl.in
|
||||
@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
|
||||
.PP
|
||||
\fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
|
||||
[\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
|
||||
+.SH DESCRIPTION
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details. There is also
|
||||
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
|
||||
+to help with the migration.
|
||||
.SH MATCH EXTENSIONS
|
||||
iptables can use extended packet matching modules
|
||||
with the \fB\-m\fP or \fB\-\-match\fP
|
||||
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
|
||||
index b4b62f92740d1..1bbf7a0d98d0a 100644
|
||||
--- a/iptables/iptables-restore.8.in
|
||||
+++ b/iptables/iptables-restore.8.in
|
||||
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
|
||||
[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
|
||||
[\fBfile\fP]
|
||||
.SH DESCRIPTION
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details. There is also
|
||||
+.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
|
||||
+to help with the migration.
|
||||
.PP
|
||||
.B iptables-restore
|
||||
and
|
||||
@@ -87,7 +100,9 @@ from Rusty Russell.
|
||||
.br
|
||||
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
|
||||
.SH SEE ALSO
|
||||
-\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
|
||||
+\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
|
||||
+\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
|
||||
+\fBip6tables\-restore\-translate\fP(8)
|
||||
.PP
|
||||
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
|
||||
index 7683fd3780f72..6fe50b2d446e5 100644
|
||||
--- a/iptables/iptables-save.8.in
|
||||
+++ b/iptables/iptables-save.8.in
|
||||
@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
|
||||
[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
+.PP
|
||||
.B iptables-save
|
||||
and
|
||||
.B ip6tables-save
|
||||
@@ -62,7 +74,8 @@ Rusty Russell <rusty@rustcorp.com.au>
|
||||
.br
|
||||
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
|
||||
.SH SEE ALSO
|
||||
-\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
|
||||
+\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8),
|
||||
+\fBnft\fP(8)
|
||||
.PP
|
||||
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
|
||||
index 999cf339845f9..895cc7b111eb9 100644
|
||||
--- a/iptables/iptables.8.in
|
||||
+++ b/iptables/iptables.8.in
|
||||
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
|
||||
.PP
|
||||
target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
|
||||
.SH DESCRIPTION
|
||||
+These tools are
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details. There is also
|
||||
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
|
||||
+to help with the migration.
|
||||
+.PP
|
||||
\fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
|
||||
tables of IPv4 and IPv6 packet
|
||||
filter rules in the Linux kernel. Several different tables
|
||||
@@ -447,6 +461,9 @@ There are several other changes in iptables.
|
||||
\fBiptables\-save\fP(8),
|
||||
\fBiptables\-restore\fP(8),
|
||||
\fBiptables\-extensions\fP(8),
|
||||
+\fBnft\fP(8),
|
||||
+\fBiptables\-translate\fP(8),
|
||||
+\fBip6tables\-translate\fP(8)
|
||||
.PP
|
||||
The packet-filtering-HOWTO details iptables usage for
|
||||
packet filtering, the NAT-HOWTO details NAT,
|
||||
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
|
||||
index b647a79eb64ed..bbccf009e8269 100644
|
||||
--- a/iptables/xtables-monitor.8.in
|
||||
+++ b/iptables/xtables-monitor.8.in
|
||||
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
|
||||
.PP
|
||||
\
|
||||
.SH DESCRIPTION
|
||||
+This tool is
|
||||
+.B deprecated
|
||||
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
|
||||
+features. New setups should use
|
||||
+.BR nft (8).
|
||||
+Existing setups should migrate to
|
||||
+.BR nft (8)
|
||||
+when possible. See
|
||||
+.UR https://red.ht/nft_your_tables
|
||||
+.UE
|
||||
+for details.
|
||||
.PP
|
||||
.B xtables-monitor
|
||||
is used to monitor changes to the ruleset or to show rule evaluation events
|
||||
--
|
||||
2.32.0
|
||||
|
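--- /dev/null
+++ b/SOURCES/0018-nft-cache-Sort-chains-on-demand-only.patch
@@ -0,0 +1,211 @@
+From 743bcc5a632c7f5058ac03794f82b7ba52091cea Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 25 Mar 2021 16:24:39 +0100
+Subject: [PATCH] nft: cache: Sort chains on demand only
+
+Mandatory sorted insert of chains into cache significantly slows down
+restoring of large rulesets. Since the sorted list of user-defined
+chains is needed for listing and verbose output only, introduce
+nft_cache_sort_chains() and call it where needed.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit fdf64dcdace989589bac441805082e3b1fe6a915)
+---
+iptables/nft-cache.c | 71 +++++++++++++++++++++++++++++++++--------
+iptables/nft-cache.h | 1 +
+iptables/nft.c | 12 +++++++
+iptables/nft.h | 1 +
+iptables/xtables-save.c | 1 +
+5 files changed, 73 insertions(+), 13 deletions(-)
+
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 7fd78654b280a..2c88301cc7445 100644
+--- a/iptables/nft-cache.c
++++ b/iptables/nft-cache.c
+@@ -223,24 +223,67 @@ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
+
+h->cache->table[t->type].base_chains[hooknum] = nc;
+} else {
+- struct nft_chain_list *clist = h->cache->table[t->type].chains;
+- struct list_head *pos = &clist->list;
+- struct nft_chain *cur;
+- const char *n;
+-
+- list_for_each_entry(cur, &clist->list, head) {
+- n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME);
+- if (strcmp(cname, n) <= 0) {
+- pos = &cur->head;
+- break;
+- }
+- }
+- list_add_tail(&nc->head, pos);
++ list_add_tail(&nc->head,
++ &h->cache->table[t->type].chains->list);
+}
+hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname));
+return 0;
+}
+
++static void __nft_chain_list_sort(struct list_head *list,
++ int (*cmp)(struct nft_chain *a,
++ struct nft_chain *b))
++{
++ struct nft_chain *pivot, *cur, *sav;
++ LIST_HEAD(sublist);
++
++ if (list_empty(list))
++ return;
++
++ /* grab first item as pivot (dividing) value */
++ pivot = list_entry(list->next, struct nft_chain, head);
++ list_del(&pivot->head);
++
++ /* move any smaller value into sublist */
++ list_for_each_entry_safe(cur, sav, list, head) {
++ if (cmp(pivot, cur) > 0) {
++ list_del(&cur->head);
++ list_add_tail(&cur->head, &sublist);
++ }
++ }
++ /* conquer divided */
++ __nft_chain_list_sort(&sublist, cmp);
++ __nft_chain_list_sort(list, cmp);
++
++ /* merge divided and pivot again */
++ list_add_tail(&pivot->head, &sublist);
++ list_splice(&sublist, list);
++}
++
++static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b)
++{
++ const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME);
++ const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME);
++
++ return strcmp(aname, bname);
++}
++
++int nft_cache_sort_chains(struct nft_handle *h, const char *table)
++{
++ const struct builtin_table *t = nft_table_builtin_find(h, table);
++
++ if (!t)
++ return -1;
++
++ if (h->cache->table[t->type].sorted)
++ return 0;
++
++ __nft_chain_list_sort(&h->cache->table[t->type].chains->list,
++ nft_chain_cmp_byname);
++ h->cache->table[t->type].sorted = true;
++ return 0;
++}
++
+struct nftnl_chain_list_cb_data {
+struct nft_handle *h;
+const struct builtin_table *t;
+@@ -663,6 +706,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
+
+flush_base_chain_cache(c->table[table->type].base_chains);
+nft_chain_foreach(h, tablename, __flush_chain_cache, NULL);
++ c->table[table->type].sorted = false;
+
+if (c->table[table->type].sets)
+nftnl_set_list_foreach(c->table[table->type].sets,
+@@ -678,6 +722,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
+if (c->table[i].chains) {
+nft_chain_list_free(c->table[i].chains);
+c->table[i].chains = NULL;
++ c->table[i].sorted = false;
+}
+
+if (c->table[i].sets) {
+diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h
+index 20d96beede876..58a015265056c 100644
+--- a/iptables/nft-cache.h
++++ b/iptables/nft-cache.h
+@@ -16,6 +16,7 @@ int flush_rule_cache(struct nft_handle *h, const char *table,
+void nft_cache_build(struct nft_handle *h);
+int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
+struct nftnl_chain *c);
++int nft_cache_sort_chains(struct nft_handle *h, const char *table);
+
+struct nft_chain *
+nft_chain_find(struct nft_handle *h, const char *table, const char *chain);
+diff --git a/iptables/nft.c b/iptables/nft.c
+index bde4ca72d3fcc..8b14daeaed610 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
+return 1;
+}
+
++ nft_cache_sort_chains(h, table);
++
+ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d);
+
+/* the core expects 1 for success and 0 for error */
+@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain,
+goto out;
+}
+
++ if (verbose)
++ nft_cache_sort_chains(h, table);
++
+ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d);
+out:
+/* the core expects 1 for success and 0 for error */
+@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
+return 1;
+}
+
++ nft_cache_sort_chains(h, table);
++
+if (ops->print_table_header)
+ops->print_table_header(table);
+
+@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
+return nft_rule_list_cb(c, &d);
+}
+
++ nft_cache_sort_chains(h, table);
++
+/* Dump policies and custom chains first */
+nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters);
+
+@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
+goto err;
+}
+
++ if (verbose)
++ nft_cache_sort_chains(h, table);
++
+ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d);
+err:
+/* the core expects 1 for success and 0 for error */
+diff --git a/iptables/nft.h b/iptables/nft.h
+index 0910f82a2773c..4ac7e0099d567 100644
+--- a/iptables/nft.h
++++ b/iptables/nft.h
+@@ -44,6 +44,7 @@ struct nft_cache {
+struct nft_chain_list *chains;
+struct nftnl_set_list *sets;
+bool exists;
++ bool sorted;
+} table[NFT_TABLE_MAX];
+};
+
+diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
+index d7901c650ea70..cfce0472f3ee8 100644
+--- a/iptables/xtables-save.c
++++ b/iptables/xtables-save.c
+@@ -87,6 +87,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data)
+printf("*%s\n", tablename);
+/* Dump out chain names first,
+* thereby preventing dependency conflicts */
++ nft_cache_sort_chains(h, tablename);
+nft_chain_foreach(h, tablename, nft_chain_save, h);
+nft_rule_save(h, tablename, d->format);
+if (d->commit)
+--
+2.31.1
+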
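Review bot: `nft_cache_add_chain` now appends user-defined chains at the tail but never resets `sorted`, so a chain added to the cache after `nft_cache_sort_chains()` has already run for that table (a chain created later in the same batch, once a verbose `-X`/`-Z` or a listing sorted the list) stays out of order and the next sort request returns early on the stale flag; the `else` branch should also set `h->cache->table[t->type].sorted = false;`. Separately, `__nft_chain_list_sort` always takes the first element as pivot, so a list that is already in name order — the common case after a listing or for rulesets saved by this tool — degrades to quadratic comparisons and a recursion depth equal to the number of user chains, which is precisely the large-ruleset case the patch is meant to speed up; a middle-element pivot or an iterative merge sort on the list would bound the depth. The callers in nft.c and xtables-save.c ignore the -1 return, which is harmless only because each has already validated the table name before reaching the new call. `nft_cache_add_chain` begins before the first hunk.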
@ -0,0 +1,56 @@
|
||||
From 663151585d25996baee985b9b77b58627de16531 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 6 Apr 2021 10:51:20 +0200
|
||||
Subject: [PATCH] nft: Increase BATCH_PAGE_SIZE to support huge rulesets
|
||||
|
||||
In order to support the same ruleset sizes as legacy iptables, the
|
||||
kernel's limit of 1024 iovecs has to be overcome. Therefore increase
|
||||
each iovec's size from 128KB to 2MB.
|
||||
|
||||
While being at it, add a log message for failing sendmsg() call. This is
|
||||
not supposed to happen, even if the transaction fails. Yet if it does,
|
||||
users are left with only a "line XXX failed" message (with line number
|
||||
being the COMMIT line).
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit a3e81c62e8c5abb4158f1f66df6bbcffd1b33240)
|
||||
---
|
||||
iptables/nft.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||
index 8b14daeaed610..f1deb82f87576 100644
|
||||
--- a/iptables/nft.c
|
||||
+++ b/iptables/nft.c
|
||||
@@ -88,11 +88,11 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
|
||||
|
||||
#define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize())
|
||||
|
||||
-/* selected batch page is 256 Kbytes long to load ruleset of
|
||||
- * half a million rules without hitting -EMSGSIZE due to large
|
||||
- * iovec.
|
||||
+/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M
|
||||
+ * rules matching on source and destination address as well as input and output
|
||||
+ * interfaces. This is what legacy iptables supports.
|
||||
*/
|
||||
-#define BATCH_PAGE_SIZE getpagesize() * 32
|
||||
+#define BATCH_PAGE_SIZE 2 * 1024 * 1024
|
||||
|
||||
static struct nftnl_batch *mnl_batch_init(void)
|
||||
{
|
||||
@@ -220,8 +220,10 @@ static int mnl_batch_talk(struct nft_handle *h, int numcmds)
|
||||
int err = 0;
|
||||
|
||||
ret = mnl_nft_socket_sendmsg(h, numcmds);
|
||||
- if (ret == -1)
|
||||
+ if (ret == -1) {
|
||||
+ fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));
|
||||
return -1;
|
||||
+ }
|
||||
|
||||
FD_ZERO(&readfds);
|
||||
FD_SET(fd, &readfds);
|
||||
--
|
||||
2.31.1
|
||||
|
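Review bot: `#define BATCH_PAGE_SIZE 2 * 1024 * 1024` is an unparenthesised expression macro, so a use inside a larger expression groups differently from what the name suggests — `n / BATCH_PAGE_SIZE` expands to `n / 2 * 1024 * 1024`; the rewritten line should read `#define BATCH_PAGE_SIZE (2 * 1024 * 1024)`. The old `getpagesize() * 32` definition had the same flaw, but since the line is being replaced anyway this is the moment to fix it. The new `fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));` reads `errno` straight after `mnl_nft_socket_sendmsg()` returns -1, which is only accurate if that helper does no cleanup (close/free) between the failing syscall and its return — its body is not in this patch, so worth confirming. `mnl_batch_talk` continues past the end of the second hunk.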
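--- /dev/null
+++ b/SOURCES/arptables-nft-helper
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+ARPTABLES_CONFIG=/etc/sysconfig/arptables
+
+# compat for removed initscripts dependency
+
+success() {
+echo "[ OK ]"
+return 0
+}
+
+failure() {
+echo "[FAILED]"
+return 1
+}
+
+start() {
+if [ ! -x /usr/sbin/arptables ]; then
+exit 4
+fi
+
+# don't do squat if we don't have the config file
+if [ -f $ARPTABLES_CONFIG ]; then
+printf "Applying arptables firewall rules: "
+/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
+success || \
+failure
+touch /var/lock/subsys/arptables
+else
+failure
+echo "Configuration file /etc/sysconfig/arptables missing"
+exit 6
+fi
+}
+
+stop() {
+printf "Removing user defined chains: "
+arptables -X && success || failure
+printf "Flushing all chains: "
+arptables -F && success || failure
+printf "Resetting built-in chains to the default ACCEPT policy: "
+arptables -P INPUT ACCEPT && \
+arptables -P OUTPUT ACCEPT && \
+success || \
+failure
+rm -f /var/lock/subsys/arptables
+}
+
+case "$1" in
+start)
+start
+;;
+
+stop)
+stop
+;;
+
+restart|reload)
+# "restart" is really just "start" as this isn't a daemon,
+# and "start" clears any pre-defined rules anyway.
+# This is really only here to make those who expect it happy
+start
+;;
+
+condrestart|try-restart|force-reload)
+[ -e /var/lock/subsys/arptables ] && start
+;;
+
+*)
+exit 2
+esac
+
+exit 0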
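Review bot: A failed `arptables-restore` in `start()` is only printed by `failure`, not acted on: `touch /var/lock/subsys/arptables` still runs, the function's status is that of `touch`, and the script ends in an unconditional `exit 0`, so the caller (arptables.service, `Type=oneshot`) records a successful start and a lock file exists while no rules were loaded. Propagate the status instead, e.g. `/usr/sbin/arptables-restore < "$ARPTABLES_CONFIG" && success || { failure; exit 1; }` placed before the `touch`, or carry a `RETVAL` to the final `exit` the way ebtables-helper in this same commit does. `stop()` also invokes `arptables` via `$PATH` while `start()` checks and runs `/usr/sbin/arptables`; one spelling should be used throughout, preferably the absolute one.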
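--- /dev/null
+++ b/SOURCES/arptables.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Automates a packet filtering firewall with arptables
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/arptables-helper start
+ExecStop=/usr/libexec/arptables-helper stop
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target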
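Review bot: `After=network.target` orders the rule load after networking is already up, so interfaces can carry traffic before the ARP rules exist; for a firewall-loading oneshot the documented pattern (systemd.special(7)) is to run ahead of network setup with `Before=network-pre.target` and `Wants=network-pre.target` in `[Unit]`. The same applies to ebtables.service in this commit, which declares no ordering at all. Note also that arptables-helper exits 0 even when restore fails, so with `Type=oneshot` the unit will report active in that case unless the helper is changed.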
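--- /dev/null
+++ b/SOURCES/ebtables-config
@@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule counters.
+# Value: yes|no, default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"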
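--- a/SOURCES/ebtables-helper
+++ b/SOURCES/ebtables-helper
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# compat for removed initscripts dependency
+
+success() {
+echo "[ OK ]"
+return 0
+}
+
+failure() {
+echo "[FAILED]"
+return 1
+}
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+local ret=0
+for table in $EBTABLES_TABLES; do
+ebtables -t $table --init-table || ret=1
+done
+return $ret
+}
+
+sanitize_dump() {
+local drop=false
+
+export EBTABLES_TABLES
+
+cat $1 | while read line; do
+case $line in
+\**)
+drop=false
+local table="${line#\*}"
+local found=false
+for t in $EBTABLES_TABLES; do
+if [[ $t == "$table" ]]; then
+found=true
+break
+fi
+done
+$found || drop=true
+;;
+esac
+$drop || echo "$line"
+done
+}
+
+start() {
+if [ -f $EBTABLES_DATA ]; then
+echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+sanitize_dump $EBTABLES_DATA | ebtables-restore
+else
+echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+initialize
+fi
+local ret=$?
+touch $VAR_SUBSYS_EBTABLES
+return $ret
+}
+
+save() {
+echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+export EBTABLES_SAVE_COUNTER
+ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+start)
+[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+start && success || failure
+RETVAL=$?
+;;
+stop)
+[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+echo -n $"ebtables: stopping firewall: "
+initialize && success || failure
+RETVAL=$?
+rm -f $VAR_SUBSYS_EBTABLES
+;;
+save)
+save
+;;
+*)
+echo "usage: ${0##*/} {start|stop|save}" >&2
+RETVAL=2
+;;
+esac
+
+exit $RETVAL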
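Review bot: `save()` redirects `ebtables-save` straight into `$EBTABLES_DATA`, so the shell truncates the stored ruleset before `ebtables-save` runs and a failed dump leaves an empty file where the previous ruleset was; the file is also created with the caller's umask rather than the 0600 that `iptables.init`'s `save()` in the same commit applies to its ruleset file. Dumping into a `mktemp` file beside the target, `chmod 600`, and `mv` into place only on success keeps the old ruleset on failure and the permissions predictable. Separately, `sanitize_dump` reads with `while read line`, so a backslash in a saved rule is interpreted rather than passed through; `while read -r line` (and `< "$1"` instead of `cat $1 |`) preserves it.
```bash
save() {
    echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
    export EBTABLES_SAVE_COUNTER
    local tmp
    tmp=$(mktemp -q "$EBTABLES_DATA.XXXXXX") \
        && chmod 600 "$tmp" \
        && ebtables-save >"$tmp" \
        && mv -f "$tmp" "$EBTABLES_DATA" \
        && success \
        || { rm -f "$tmp"; failure; }
}
```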
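--- a/SOURCES/ebtables.service
+++ b/SOURCES/ebtables.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+
+[Install]
+WantedBy=multi-user.target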
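Review bot: The `[Unit]` section carries no ordering against the network, whereas `iptables.service` in the same commit declares `Before=network-pre.target` and `Wants=network-pre.target`; with only `WantedBy=multi-user.target` the bridge filtering rules may be loaded after interfaces and bridges are already up. If the intent is for filtering to be in place before bridged traffic flows, the same two lines belong here; if the difference is deliberate, a one-line comment in the unit saying so would save the next reader the comparison.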
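--- a/SOURCES/iptables-config
+++ b/SOURCES/iptables-config
@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000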
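Review bot: The `IPTABLES_STATUS_VERBOSE` block documents `# Value: yes|no, default: yes` while the value shipped two lines below is `"no"` and `iptables.init` in the same commit also initialises it to `"no"`; the comment should read `# Value: yes|no, default: no`. The `IPTABLES_MODULES` comment sends users to `/etc/modprobe.conf` for helper options, but current modprobe reads `/etc/modprobe.d/*.conf` (which is also where `iptables.init`'s ipv6-disabled check looks), so the comment would be more useful naming that directory as well.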
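--- a/SOURCES/iptables.init
+++ b/SOURCES/iptables.init
@@ -0,0 +1,450 @@
+#!/bin/bash
+#
+# iptables Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description: Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop iptables firewall
+# Description: Start, stop and save iptables firewall
+### END INIT INFO
+
+# compat for removed initscripts dependency
+
+success() {
+echo -n "[ OK ]"
+return 0
+}
+
+warning() {
+echo -n "[WARNING]"
+return 1
+}
+
+failure() {
+echo -n "[FAILED]"
+return 1
+}
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+# only usable for root
+if [ $EUID != 0 ]; then
+echo -n $"${IPTABLES}: Only usable by root."; warning; echo
+exit 4
+fi
+
+if [ ! -x /sbin/$IPTABLES ]; then
+echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+exit 5
+fi
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="yes"
+IPTABLES_STATUS_VERBOSE="no"
+IPTABLES_STATUS_LINENUMBERS="yes"
+IPTABLES_SYSCTL_LOAD_LIST=""
+IPTABLES_RESTORE_WAIT=600
+IPTABLES_RESTORE_WAIT_INTERVAL=1000000
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+is_iptables_nft() {
+iptables --version | grep -q '(nf_tables)'
+}
+
+netfilter_active() {
+is_iptables_nft && return 0
+[ -e "$PROC_IPTABLES_NAMES" ]
+}
+
+netfilter_tables() {
+netfilter_active || return 1
+is_iptables_nft && {
+# explicitly omit security table from this list as
+# it should be reserved for SELinux use
+echo "raw mangle filter nat"
+return 0
+}
+cat "$PROC_IPTABLES_NAMES" 2>/dev/null
+}
+
+# Get active tables
+NF_TABLES=$(netfilter_tables)
+
+
+flush_n_delete() {
+# Flush firewall rules and delete chains.
+netfilter_active || return 0
+
+# Check if firewall is configured (has tables)
+[ -z "$NF_TABLES" ] && return 1
+
+echo -n $"${IPTABLES}: Flushing firewall rules: "
+ret=0
+# For all tables
+for i in $NF_TABLES; do
+# Flush firewall rules.
+$IPTABLES -t $i -F;
+let ret+=$?;
+
+# Delete firewall chains.
+$IPTABLES -t $i -X;
+let ret+=$?;
+
+# Set counter to zero.
+$IPTABLES -t $i -Z;
+let ret+=$?;
+done
+
+[ $ret -eq 0 ] && success || failure
+echo
+return $ret
+}
+
+set_policy() {
+# Set policy for configured tables.
+policy=$1
+
+# Check if iptable module is loaded
+netfilter_active || return 0
+
+# Check if firewall is configured (has tables)
+tables=$(netfilter_tables)
+[ -z "$tables" ] && return 1
+
+echo -n $"${IPTABLES}: Setting chains to policy $policy: "
+ret=0
+for i in $tables; do
+echo -n "$i "
+case "$i" in
+raw)
+$IPTABLES -t raw -P PREROUTING $policy \
+&& $IPTABLES -t raw -P OUTPUT $policy \
+|| let ret+=1
+;;
+filter)
+$IPTABLES -t filter -P INPUT $policy \
+&& $IPTABLES -t filter -P OUTPUT $policy \
+&& $IPTABLES -t filter -P FORWARD $policy \
+|| let ret+=1
+;;
+nat)
+$IPTABLES -t nat -P PREROUTING $policy \
+&& $IPTABLES -t nat -P POSTROUTING $policy \
+&& $IPTABLES -t nat -P OUTPUT $policy \
+|| let ret+=1
+;;
+mangle)
+$IPTABLES -t mangle -P PREROUTING $policy \
+&& $IPTABLES -t mangle -P POSTROUTING $policy \
+&& $IPTABLES -t mangle -P INPUT $policy \
+&& $IPTABLES -t mangle -P OUTPUT $policy \
+&& $IPTABLES -t mangle -P FORWARD $policy \
+|| let ret+=1
+;;
+*)
+let ret+=1
+;;
+esac
+done
+
+[ $ret -eq 0 ] && success || failure
+echo
+return $ret
+}
+
+load_sysctl() {
+# load matched sysctl values
+if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
+echo -n $"Loading sysctl settings: "
+ret=0
+for item in $IPTABLES_SYSCTL_LOAD_LIST; do
+fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
+let ret+=$?;
+done
+[ $ret -eq 0 ] && success || failure
+echo
+fi
+return $ret
+}
+
+start() {
+# Do not start if there is no config file.
+if [ ! -f "$IPTABLES_DATA" ]; then
+echo -n $"${IPTABLES}: No config file."; warning; echo
+return 6
+fi
+
+# check if ipv6 module load is deactivated
+if [ "${_IPV}" = "ipv6" ] \
+&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+echo $"${IPTABLES}: ${_IPV} is disabled."
+return 150
+fi
+
+echo -n $"${IPTABLES}: Applying firewall rules: "
+
+OPT=
+[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+fi
+fi
+
+$IPTABLES-restore $OPT $IPTABLES_DATA
+if [ $? -eq 0 ]; then
+success; echo
+else
+failure; echo;
+if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
+echo -n $"${IPTABLES}: Applying firewall fallback rules: "
+$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
+if [ $? -eq 0 ]; then
+success; echo
+else
+failure; echo; return 1
+fi
+else
+return 1
+fi
+fi
+
+# Load additional modules (helpers)
+if [ -n "$IPTABLES_MODULES" ]; then
+echo -n $"${IPTABLES}: Loading additional modules: "
+ret=0
+for mod in $IPTABLES_MODULES; do
+echo -n "$mod "
+modprobe $mod > /dev/null 2>&1
+let ret+=$?;
+done
+[ $ret -eq 0 ] && success || failure
+echo
+fi
+
+# Load sysctl settings
+load_sysctl
+
+touch $VAR_SUBSYS_IPTABLES
+return $ret
+}
+
+stop() {
+# Do not stop if iptables module is not loaded.
+netfilter_active || return 0
+
+# Set default chain policy to ACCEPT, in order to not break shutdown
+# on systems where the default policy is DROP and root device is
+# network-based (i.e.: iSCSI, NFS)
+set_policy ACCEPT
+# And then, flush the rules and delete chains
+flush_n_delete
+
+rm -f $VAR_SUBSYS_IPTABLES
+return $ret
+}
+
+save() {
+# Check if iptable module is loaded
+if ! netfilter_active; then
+echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+return 0
+fi
+
+# Check if firewall is configured (has tables)
+if [ -z "$NF_TABLES" ]; then
+echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+return 6
+fi
+
+echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
+
+OPT=
+[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ret=0
+TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
+&& chmod 600 "$TMP_FILE" \
+&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
+|| ret=1
+if [ $ret -eq 0 ]; then
+if [ -e $IPTABLES_DATA ]; then
+cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+&& chmod 600 $IPTABLES_DATA.save \
+&& restorecon $IPTABLES_DATA.save \
+|| ret=1
+fi
+if [ $ret -eq 0 ]; then
+mv -f $TMP_FILE $IPTABLES_DATA \
+&& chmod 600 $IPTABLES_DATA \
+&& restorecon $IPTABLES_DATA \
+|| ret=1
+fi
+fi
+rm -f $TMP_FILE
+[ $ret -eq 0 ] && success || failure
+echo
+return $ret
+}
+
+status() {
+if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
+echo $"${IPTABLES}: Firewall is not running."
+return 3
+fi
+
+# Do not print status if lockfile is missing and iptables modules are not
+# loaded.
+# Check if iptable modules are loaded
+if ! netfilter_active; then
+echo $"${IPTABLES}: Firewall modules are not loaded."
+return 3
+fi
+
+# Check if firewall is configured (has tables)
+if [ -z "$NF_TABLES" ]; then
+echo $"${IPTABLES}: Firewall is not configured. "
+return 3
+fi
+
+NUM=
+[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+VERBOSE=
+[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
+COUNT=
+[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
+
+for table in $NF_TABLES; do
+echo $"Table: $table"
+$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
+done
+
+return 0
+}
+
+reload() {
+# Do not reload if there is no config file.
+if [ ! -f "$IPTABLES_DATA" ]; then
+echo -n $"${IPTABLES}: No config file."; warning; echo
+return 6
+fi
+
+# check if ipv6 module load is deactivated
+if [ "${_IPV}" = "ipv6" ] \
+&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+echo $"${IPTABLES}: ${_IPV} is disabled."
+return 150
+fi
+
+echo -n $"${IPTABLES}: Trying to reload firewall rules: "
+
+OPT=
+[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+fi
+fi
+
+$IPTABLES-restore $OPT $IPTABLES_DATA
+if [ $? -eq 0 ]; then
+success; echo
+else
+failure; echo; echo "Firewall rules are not changed."; return 1
+fi
+
+# Load additional modules (helpers)
+if [ -n "$IPTABLES_MODULES" ]; then
+echo -n $"${IPTABLES}: Loading additional modules: "
+ret=0
+for mod in $IPTABLES_MODULES; do
+echo -n "$mod "
+modprobe $mod > /dev/null 2>&1
+let ret+=$?;
+done
+[ $ret -eq 0 ] && success || failure
+echo
+fi
+
+# Load sysctl settings
+load_sysctl
+
+return $ret
+}
+
+restart() {
+[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+stop
+start
+}
+
+
+case "$1" in
+start)
+[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
+start
+RETVAL=$?
+;;
+stop)
+[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+stop
+RETVAL=$?
+;;
+restart|force-reload)
+restart
+RETVAL=$?
+;;
+reload)
+[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+RETVAL=$?
+;;
+condrestart|try-restart)
+[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
+restart
+RETVAL=$?
+;;
+status)
+status
+RETVAL=$?
+;;
+panic)
+set_policy DROP
+RETVAL=$?
+;;
+save)
+save
+RETVAL=$?
+;;
+*)
+echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
+RETVAL=2
+;;
+esac
+
+exit $RETVAL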
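Review bot: `ret` is an undeclared global shared by every function, so `stop()`'s `return $ret` reports whatever `set_policy`/`flush_n_delete` last stored (or an unset value when `flush_n_delete` returns early on an empty `$NF_TABLES` before assigning it), and the final `return $ret` in `start()` and `reload()` depends on whether the module loop or `load_sysctl` happened to run rather than on the `iptables-restore` result. Declaring `local ret=0` at the top of `start()`, `stop()` and `reload()` and folding the subordinate statuses in explicitly (`flush_n_delete || ret=$?`) would make the exit codes that `iptables.service` observes deterministic. `load_sysctl()` has the same shape: its `return $ret` is reached with `ret` untouched whenever `IPTABLES_SYSCTL_LOAD_LIST` is empty.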
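--- a/SOURCES/iptables.service
+++ b/SOURCES/iptables.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=IPv4 firewall with iptables
+AssertPathExists=/etc/sysconfig/iptables
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+
+[Install]
+WantedBy=multi-user.target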
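--- a/SOURCES/sysconfig_ip6tables
+++ b/SOURCES/sysconfig_ip6tables
@@ -0,0 +1,15 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT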
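Review bot: Both shipped sample rulesets (this file and `sysconfig_iptables` below) are written with `-m state --state …`, which iptables 1.8 accepts only as a compatibility alias for the `conntrack` match; since these are the defaults users copy from, spelling them in the current form, e.g. `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, avoids depending on the alias. The policy itself reads as a sane default-deny inbound set (loopback, established, ICMPv6, SSH and the DHCPv6 client port on link-local only) and needs no other change.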
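--- a/SOURCES/sysconfig_iptables
+++ b/SOURCES/sysconfig_iptables
@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT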
1713
SPECS/iptables.spec
Normal file
1713
SPECS/iptables.spec
Normal file
File diff suppressed because it is too large