import iptables-1.8.8-4.el9
parent
9acc21c0be
commit
806586224b
2
.gitignore
@ -1 +1 @@
|
||||
SOURCES/iptables-1.8.7.tar.bz2
|
||||
SOURCES/iptables-1.8.8.tar.bz2
|
||||
|
@ -1 +1 @@
|
||||
05ef75415cb7cb7641f51d51e74f3ea29cc31ab1 SOURCES/iptables-1.8.7.tar.bz2
|
||||
98783621a5e58ff55f83b1350523f3de41af621d SOURCES/iptables-1.8.8.tar.bz2
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 635e4c4e7f3581a7cc8c04244ae3de239ad84935 Mon Sep 17 00:00:00 2001
|
||||
From 7ef75f20c338d0f09b50633aa0d5d83c868015ab Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Thu, 17 Jun 2021 18:44:28 +0200
|
||||
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
|
||||
@ -116,10 +116,10 @@ index ea31e0842acd4..ec5b993a41e8b 100644
|
||||
.PP
|
||||
.BR "" "See " https://wiki.nftables.org
|
||||
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
|
||||
index 1fa5ad9388cc0..5bdc0bb8a939e 100644
|
||||
index d75aae240bc05..ed1bf8f2db55b 100644
|
||||
--- a/iptables/ebtables-nft.8
|
||||
+++ b/iptables/ebtables-nft.8
|
||||
@@ -52,6 +52,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
|
||||
@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
|
||||
.br
|
||||
|
||||
.SH DESCRIPTION
|
||||
@ -139,9 +139,9 @@ index 1fa5ad9388cc0..5bdc0bb8a939e 100644
|
||||
.B ebtables
|
||||
is an application program used to set up and maintain the
|
||||
tables of rules (inside the Linux kernel) that inspect
|
||||
@@ -1111,6 +1124,6 @@ table. Also there is no support for
|
||||
.B string
|
||||
match. And finally, this list is probably not complete.
|
||||
@@ -1069,6 +1082,6 @@ has not been implemented, although
|
||||
might replace them entirely given the inherent atomicity of nftables.
|
||||
Finally, this list is probably not complete.
|
||||
.SH SEE ALSO
|
||||
-.BR xtables-nft "(8), " iptables "(8), " ip (8)
|
||||
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
|
||||
@ -205,7 +205,7 @@ index 99d89a1fe44ad..73d40bbfe9c52 100644
|
||||
iptables can use extended packet matching modules
|
||||
with the \fB\-m\fP or \fB\-\-match\fP
|
||||
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
|
||||
index b4b62f92740d1..1bbf7a0d98d0a 100644
|
||||
index 20216842d8358..8f4811c72f2ec 100644
|
||||
--- a/iptables/iptables-restore.8.in
|
||||
+++ b/iptables/iptables-restore.8.in
|
||||
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
|
||||
@ -228,7 +228,7 @@ index b4b62f92740d1..1bbf7a0d98d0a 100644
|
||||
.PP
|
||||
.B iptables-restore
|
||||
and
|
||||
@@ -87,7 +100,9 @@ from Rusty Russell.
|
||||
@@ -81,7 +94,9 @@ from Rusty Russell.
|
||||
.br
|
||||
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
|
||||
.SH SEE ALSO
|
||||
@ -273,7 +273,7 @@ index 7683fd3780f72..6fe50b2d446e5 100644
|
||||
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
|
||||
which details NAT, and the netfilter-hacking-HOWTO which details the
|
||||
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
|
||||
index 999cf339845f9..895cc7b111eb9 100644
|
||||
index 627ff0e4da7a4..a8b31206d45b2 100644
|
||||
--- a/iptables/iptables.8.in
|
||||
+++ b/iptables/iptables.8.in
|
||||
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
|
||||
@ -308,7 +308,7 @@ index 999cf339845f9..895cc7b111eb9 100644
|
||||
The packet-filtering-HOWTO details iptables usage for
|
||||
packet filtering, the NAT-HOWTO details NAT,
|
||||
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
|
||||
index b647a79eb64ed..bbccf009e8269 100644
|
||||
index a7f22c0d8c08e..e21d7ff23035f 100644
|
||||
--- a/iptables/xtables-monitor.8.in
|
||||
+++ b/iptables/xtables-monitor.8.in
|
||||
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
|
||||
@ -330,5 +330,5 @@ index b647a79eb64ed..bbccf009e8269 100644
|
||||
.B xtables-monitor
|
||||
is used to monitor changes to the ruleset or to show rule evaluation events
|
||||
--
|
||||
2.32.0
|
||||
2.34.1
|
||||
|
@ -1,51 +0,0 @@
|
||||
From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 28 Jan 2021 01:09:56 +0100
|
||||
Subject: [PATCH] ebtables: Exit gracefully on invalid table names
|
||||
|
||||
Users are able to cause program abort by passing a table name that
|
||||
doesn't exist:
|
||||
|
||||
| # ebtables-nft -t dummy -P INPUT ACCEPT
|
||||
| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
|
||||
| Aborted
|
||||
|
||||
Avoid this by checking table existence just like iptables-nft does upon
|
||||
parsing '-t' optarg. Since the list of tables is known and fixed,
|
||||
checking the given name's length is pointless. So just drop that check
|
||||
in return.
|
||||
|
||||
With this patch in place, output looks much better:
|
||||
|
||||
| # ebtables-nft -t dummy -P INPUT ACCEPT
|
||||
| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
|
||||
| Perhaps iptables or your kernel needs to be upgraded.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
|
||||
---
|
||||
iptables/xtables-eb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
||||
index cfa9317c78e94..5bb34d6d292a9 100644
|
||||
--- a/iptables/xtables-eb.c
|
||||
+++ b/iptables/xtables-eb.c
|
||||
@@ -914,10 +914,10 @@ print_zero:
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
"The -t option (seen in line %u) cannot be used in %s.\n",
|
||||
line, xt_params->program_name);
|
||||
- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "Table name length cannot exceed %d characters",
|
||||
- EBT_TABLE_MAXNAMELEN - 1);
|
||||
+ if (!nft_table_builtin_find(h, optarg))
|
||||
+ xtables_error(VERSION_PROBLEM,
|
||||
+ "table '%s' does not exist",
|
||||
+ optarg);
|
||||
*table = optarg;
|
||||
table_set = true;
|
||||
break;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 45664de1be104ce9716227a0ad11ef2343ece3df Mon Sep 17 00:00:00 2001
|
||||
From 231626933e5fd54b8d9e66dfc9a8a374a9192121 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 21:51:49 +0200
|
||||
Subject: [PATCH] extensions: SECMARK: Use a better context in test case
|
@ -1,196 +0,0 @@
|
||||
From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 2 Mar 2021 14:50:07 +0100
|
||||
Subject: [PATCH] xtables-translate: Fix translation of odd netmasks
|
||||
|
||||
Iptables supports netmasks which are not prefixes to match on (or
|
||||
ignore) arbitrary bits in an address. Yet nftables' prefix notation is
|
||||
available for real prefixes only, so translation is not as trivial -
|
||||
print bitmask syntax for those cases.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae)
|
||||
---
|
||||
extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++
|
||||
extensions/libxt_standard.t | 12 ++++++++++
|
||||
iptables/nft-ipv4.c | 42 ++++++++++++++++++++++----------
|
||||
iptables/nft-ipv6.c | 19 ++++++++++++---
|
||||
4 files changed, 106 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
|
||||
index 0e256c3727559..9ae9a5b54c1b9 100644
|
||||
--- a/extensions/generic.txlate
|
||||
+++ b/extensions/generic.txlate
|
||||
@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
|
||||
iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
|
||||
nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
|
||||
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0
|
||||
+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0
|
||||
+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255
|
||||
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter
|
||||
+
|
||||
+iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255
|
||||
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 0.0.0.0/16
|
||||
+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter
|
||||
+
|
||||
+iptables-translate -I INPUT -s 0.0.0.0/0
|
||||
+nft insert rule ip filter INPUT counter
|
||||
+
|
||||
+iptables-translate -I INPUT ! -s 0.0.0.0/0
|
||||
+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -i iifname -s feed::/16
|
||||
+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter
|
||||
+
|
||||
+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16
|
||||
+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00::
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s ::/16
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT -s ::/0
|
||||
+nft insert rule ip6 filter INPUT counter
|
||||
+
|
||||
+ip6tables-translate -I INPUT ! -s ::/0
|
||||
+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter
|
||||
+
|
||||
ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
|
||||
nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
|
||||
|
||||
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
|
||||
index 4313f7b7bac9d..56d6da2e5884e 100644
|
||||
--- a/extensions/libxt_standard.t
|
||||
+++ b/extensions/libxt_standard.t
|
||||
@@ -9,3 +9,15 @@
|
||||
-j ACCEPT;=;OK
|
||||
-j RETURN;=;OK
|
||||
! -p 0 -j ACCEPT;=;FAIL
|
||||
+-s 10.11.12.13/8;-s 10.0.0.0/8;OK
|
||||
+-s 10.11.12.13/9;-s 10.0.0.0/9;OK
|
||||
+-s 10.11.12.13/10;-s 10.0.0.0/10;OK
|
||||
+-s 10.11.12.13/11;-s 10.0.0.0/11;OK
|
||||
+-s 10.11.12.13/12;-s 10.0.0.0/12;OK
|
||||
+-s 10.11.12.13/30;-s 10.11.12.12/30;OK
|
||||
+-s 10.11.12.13/31;-s 10.11.12.12/31;OK
|
||||
+-s 10.11.12.13/32;-s 10.11.12.13/32;OK
|
||||
+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
|
||||
+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
|
||||
+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
|
||||
+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index fdc15c6f04066..0d32a30010519 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command,
|
||||
" source or destination IP addresses");
|
||||
}
|
||||
|
||||
+static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ bool inv, struct xt_xlate *xl)
|
||||
+{
|
||||
+ const char *op = inv ? "!= " : "";
|
||||
+ int cidr;
|
||||
+
|
||||
+ if (!inv && !addr->s_addr && !mask->s_addr)
|
||||
+ return;
|
||||
+
|
||||
+ cidr = xtables_ipmask_to_cidr(mask);
|
||||
+ switch (cidr) {
|
||||
+ case -1:
|
||||
+ /* inet_ntoa() is not reentrant */
|
||||
+ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
|
||||
+ xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
|
||||
+ break;
|
||||
+ case 32:
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
|
||||
+ break;
|
||||
+ default:
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
|
||||
+ cidr);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
|
||||
{
|
||||
const struct iptables_command_state *cs = data;
|
||||
@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
|
||||
}
|
||||
}
|
||||
|
||||
- if (cs->fw.ip.src.s_addr != 0) {
|
||||
- xt_xlate_add(xl, "ip saddr %s%s%s ",
|
||||
- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "",
|
||||
- inet_ntoa(cs->fw.ip.src),
|
||||
- xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
|
||||
- }
|
||||
- if (cs->fw.ip.dst.s_addr != 0) {
|
||||
- xt_xlate_add(xl, "ip daddr %s%s%s ",
|
||||
- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "",
|
||||
- inet_ntoa(cs->fw.ip.dst),
|
||||
- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
|
||||
- }
|
||||
+ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
|
||||
+ cs->fw.ip.invflags & IPT_INV_SRCIP, xl);
|
||||
+ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk,
|
||||
+ cs->fw.ip.invflags & IPT_INV_DSTIP, xl);
|
||||
|
||||
ret = xlate_matches(cs, xl);
|
||||
if (!ret)
|
||||
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
||||
index 130ad3e6e7c44..46008fc5e762a 100644
|
||||
--- a/iptables/nft-ipv6.c
|
||||
+++ b/iptables/nft-ipv6.c
|
||||
@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
|
||||
const struct in6_addr *mask,
|
||||
int invert, struct xt_xlate *xl)
|
||||
{
|
||||
+ const char *op = invert ? "!= " : "";
|
||||
char addr_str[INET6_ADDRSTRLEN];
|
||||
+ int cidr;
|
||||
|
||||
- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
|
||||
+ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask))
|
||||
return;
|
||||
|
||||
inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
|
||||
- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str,
|
||||
- xtables_ip6mask_to_numeric(mask));
|
||||
+ cidr = xtables_ip6mask_to_cidr(mask);
|
||||
+ switch (cidr) {
|
||||
+ case -1:
|
||||
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
|
||||
+ xtables_ip6addr_to_numeric(mask),
|
||||
+ invert ? "!=" : "==", addr_str);
|
||||
+ break;
|
||||
+ case 128:
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str);
|
||||
+ break;
|
||||
+ default:
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr);
|
||||
+ }
|
||||
}
|
||||
|
||||
static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,120 +0,0 @@
|
||||
From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 27 Apr 2021 09:12:53 +0200
|
||||
Subject: [PATCH] Eliminate inet_aton() and inet_ntoa()
|
||||
|
||||
Both functions are obsolete, replace them by equivalent calls to
|
||||
inet_pton() and inet_ntop().
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3)
|
||||
---
|
||||
extensions/libebt_among.c | 6 ++++--
|
||||
iptables/nft-ipv4.c | 23 ++++++++++++++---------
|
||||
2 files changed, 18 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
|
||||
index 2b9a1b6566684..7eb898f984bba 100644
|
||||
--- a/extensions/libebt_among.c
|
||||
+++ b/extensions/libebt_among.c
|
||||
@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
|
||||
if (sep) {
|
||||
*sep = '\0';
|
||||
|
||||
- if (!inet_aton(sep + 1, &pair->in))
|
||||
+ if (!inet_pton(AF_INET, sep + 1, &pair->in))
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
"Invalid IP address '%s'\n", sep + 1);
|
||||
}
|
||||
@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
|
||||
int cnt, bool inv, bool have_ip)
|
||||
{
|
||||
const char *isep = inv ? "! " : "";
|
||||
+ char abuf[INET_ADDRSTRLEN];
|
||||
int i;
|
||||
|
||||
for (i = 0; i < cnt; i++) {
|
||||
@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs,
|
||||
|
||||
printf("%s", ether_ntoa(&pairs[i].ether));
|
||||
if (pairs[i].in.s_addr != INADDR_ANY)
|
||||
- printf("=%s", inet_ntoa(pairs[i].in));
|
||||
+ printf("=%s", inet_ntop(AF_INET, &pairs[i].in,
|
||||
+ abuf, sizeof(abuf)));
|
||||
}
|
||||
printf(" ");
|
||||
}
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index 0d32a30010519..a5b835b1f681d 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
|
||||
|
||||
static const char *mask_to_str(uint32_t mask)
|
||||
{
|
||||
- static char mask_str[sizeof("255.255.255.255")];
|
||||
+ static char mask_str[INET_ADDRSTRLEN];
|
||||
uint32_t bits, hmask = ntohl(mask);
|
||||
struct in_addr mask_addr = {
|
||||
.s_addr = mask,
|
||||
@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask)
|
||||
if (i >= 0)
|
||||
sprintf(mask_str, "%u", i);
|
||||
else
|
||||
- sprintf(mask_str, "%s", inet_ntoa(mask_addr));
|
||||
+ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
|
||||
|
||||
return mask_str;
|
||||
}
|
||||
@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
|
||||
static void save_ipv4_addr(char letter, const struct in_addr *addr,
|
||||
uint32_t mask, int invert)
|
||||
{
|
||||
+ char addrbuf[INET_ADDRSTRLEN];
|
||||
+
|
||||
if (!mask && !invert && !addr->s_addr)
|
||||
return;
|
||||
|
||||
- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr),
|
||||
+ printf("%s-%c %s/%s ", invert ? "! " : "", letter,
|
||||
+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
|
||||
mask_to_str(mask));
|
||||
}
|
||||
|
||||
@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
|
||||
const struct in_addr *mask,
|
||||
bool inv, struct xt_xlate *xl)
|
||||
{
|
||||
+ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN];
|
||||
const char *op = inv ? "!= " : "";
|
||||
int cidr;
|
||||
|
||||
if (!inv && !addr->s_addr && !mask->s_addr)
|
||||
return;
|
||||
|
||||
+ inet_ntop(AF_INET, addr, abuf, sizeof(abuf));
|
||||
+
|
||||
cidr = xtables_ipmask_to_cidr(mask);
|
||||
switch (cidr) {
|
||||
case -1:
|
||||
- /* inet_ntoa() is not reentrant */
|
||||
- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
|
||||
- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
|
||||
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
|
||||
+ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)),
|
||||
+ inv ? "!=" : "==", abuf);
|
||||
break;
|
||||
case 32:
|
||||
- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
|
||||
+ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf);
|
||||
break;
|
||||
default:
|
||||
- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
|
||||
- cidr);
|
||||
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,29 @@
|
||||
From 4350a1e4daabc4ec1f9b692425d9bd0d48d27488 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 13 May 2022 16:51:58 +0200
|
||||
Subject: [PATCH] xshared: Fix build for -Werror=format-security
|
||||
|
||||
Gcc complains about the omitted format string.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a)
|
||||
---
|
||||
iptables/xshared.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index fae5ddd5df93e..a8512d3808154 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
|
||||
return;
|
||||
|
||||
if (args->family != NFPROTO_ARP)
|
||||
- xtables_error(PARAMETER_PROBLEM, msg);
|
||||
+ xtables_error(PARAMETER_PROBLEM, "%s", msg);
|
||||
|
||||
fprintf(stderr, "%s", msg);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,181 +0,0 @@
|
||||
From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 27 Apr 2021 10:02:34 +0200
|
||||
Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string()
|
||||
|
||||
This eliminates quite a bit of redundant code apart from also dropping
|
||||
use of obsolete function gethostbyaddr().
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c)
|
||||
---
|
||||
iptables/nft-arp.c | 99 ++++------------------------------------------
|
||||
iptables/xshared.c | 6 +--
|
||||
iptables/xshared.h | 3 ++
|
||||
3 files changed, 14 insertions(+), 94 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
|
||||
index c82ffdc95e300..2a9387a18dffe 100644
|
||||
--- a/iptables/nft-arp.c
|
||||
+++ b/iptables/nft-arp.c
|
||||
@@ -42,78 +42,6 @@ char *arp_opcodes[] =
|
||||
"ARP_NAK",
|
||||
};
|
||||
|
||||
-static char *
|
||||
-addr_to_dotted(const struct in_addr *addrp)
|
||||
-{
|
||||
- static char buf[20];
|
||||
- const unsigned char *bytep;
|
||||
-
|
||||
- bytep = (const unsigned char *) &(addrp->s_addr);
|
||||
- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
|
||||
- return buf;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_host(const struct in_addr *addr)
|
||||
-{
|
||||
- struct hostent *host;
|
||||
-
|
||||
- if ((host = gethostbyaddr((char *) addr,
|
||||
- sizeof(struct in_addr), AF_INET)) != NULL)
|
||||
- return (char *) host->h_name;
|
||||
-
|
||||
- return (char *) NULL;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_network(const struct in_addr *addr)
|
||||
-{
|
||||
- struct netent *net;
|
||||
-
|
||||
- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
|
||||
- return (char *) net->n_name;
|
||||
-
|
||||
- return (char *) NULL;
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-addr_to_anyname(const struct in_addr *addr)
|
||||
-{
|
||||
- char *name;
|
||||
-
|
||||
- if ((name = addr_to_host(addr)) != NULL ||
|
||||
- (name = addr_to_network(addr)) != NULL)
|
||||
- return name;
|
||||
-
|
||||
- return addr_to_dotted(addr);
|
||||
-}
|
||||
-
|
||||
-static char *
|
||||
-mask_to_dotted(const struct in_addr *mask)
|
||||
-{
|
||||
- int i;
|
||||
- static char buf[22];
|
||||
- u_int32_t maskaddr, bits;
|
||||
-
|
||||
- maskaddr = ntohl(mask->s_addr);
|
||||
-
|
||||
- if (maskaddr == 0xFFFFFFFFL)
|
||||
- /* we don't want to see "/32" */
|
||||
- return "";
|
||||
-
|
||||
- i = 32;
|
||||
- bits = 0xFFFFFFFEL;
|
||||
- while (--i >= 0 && maskaddr != bits)
|
||||
- bits <<= 1;
|
||||
- if (i >= 0)
|
||||
- sprintf(buf, "/%d", i);
|
||||
- else
|
||||
- /* mask was not a decent combination of 1's and 0's */
|
||||
- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask));
|
||||
-
|
||||
- return buf;
|
||||
-}
|
||||
-
|
||||
static bool need_devaddr(struct arpt_devaddr_info *info)
|
||||
{
|
||||
int i;
|
||||
@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
unsigned int format)
|
||||
{
|
||||
const struct arpt_entry *fw = &cs->arp;
|
||||
- char buf[BUFSIZ];
|
||||
char iface[IFNAMSIZ+2];
|
||||
const char *sep = "";
|
||||
int print_iface = 0;
|
||||
@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
}
|
||||
|
||||
if (fw->arp.smsk.s_addr != 0L) {
|
||||
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
|
||||
- ? "! " : "");
|
||||
- if (format & FMT_NUMERIC)
|
||||
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
|
||||
- else
|
||||
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
|
||||
- strncat(buf, mask_to_dotted(&(fw->arp.smsk)),
|
||||
- sizeof(buf) - strlen(buf) - 1);
|
||||
- printf("-s %s", buf);
|
||||
+ printf("%s%s-s %s", sep,
|
||||
+ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "",
|
||||
+ ipv4_addr_to_string(&fw->arp.src,
|
||||
+ &fw->arp.smsk, format));
|
||||
sep = " ";
|
||||
}
|
||||
|
||||
@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
|
||||
after_devsrc:
|
||||
|
||||
if (fw->arp.tmsk.s_addr != 0L) {
|
||||
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
|
||||
- ? "! " : "");
|
||||
- if (format & FMT_NUMERIC)
|
||||
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
|
||||
- else
|
||||
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
|
||||
- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)),
|
||||
- sizeof(buf) - strlen(buf) - 1);
|
||||
- printf("-d %s", buf);
|
||||
+ printf("%s%s-d %s", sep,
|
||||
+ fw->arp.invflags & IPT_INV_DSTIP ? "! " : "",
|
||||
+ ipv4_addr_to_string(&fw->arp.tgt,
|
||||
+ &fw->arp.tmsk, format));
|
||||
sep = " ";
|
||||
}
|
||||
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index 71f689901e1d4..9a1f465a5a6d3 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store)
|
||||
}
|
||||
#endif
|
||||
|
||||
-static const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
- const struct in_addr *mask,
|
||||
- unsigned int format)
|
||||
+const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ unsigned int format)
|
||||
{
|
||||
static char buf[BUFSIZ];
|
||||
|
||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
||||
index 9159b2b1f3768..1e86aba8b2375 100644
|
||||
--- a/iptables/xshared.h
|
||||
+++ b/iptables/xshared.h
|
||||
@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store);
|
||||
# define debug_print_argv(...) /* nothing */
|
||||
#endif
|
||||
|
||||
+const char *ipv4_addr_to_string(const struct in_addr *addr,
|
||||
+ const struct in_addr *mask,
|
||||
+ unsigned int format);
|
||||
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
|
||||
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,61 @@
|
||||
From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 2 Jun 2022 13:44:45 +0200
|
||||
Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
|
||||
|
||||
Some repeated calls have been reduced recently, assert this in a test
|
||||
evaluating strace output.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
|
||||
---
|
||||
.../shell/testcases/ipt-save/0007-overhead_0 | 37 +++++++++++++++++++
|
||||
1 file changed, 37 insertions(+)
|
||||
create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
||||
|
||||
diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
||||
new file mode 100755
|
||||
index 0000000000000..b86d71f209471
|
||||
--- /dev/null
|
||||
+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
|
||||
@@ -0,0 +1,37 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+# Test recent performance improvements in iptables-save due to reduced
|
||||
+# overhead.
|
||||
+
|
||||
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
|
||||
+
|
||||
+RULESET=$(
|
||||
+ echo "*filter"
|
||||
+ for ((i = 0; i < 100; i++)); do
|
||||
+ echo ":mychain$i -"
|
||||
+ echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
|
||||
+ done
|
||||
+ echo "COMMIT"
|
||||
+)
|
||||
+
|
||||
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
|
||||
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
|
||||
+
|
||||
+do_grep() { # (name, threshold, pattern)
|
||||
+ local cnt=$(grep -c "$3")
|
||||
+ [[ $cnt -le $2 ]] && return 0
|
||||
+ echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
|
||||
+ exit 1
|
||||
+}
|
||||
+
|
||||
+# iptables prefers hard-coded protocol names instead of looking them up first
|
||||
+
|
||||
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
|
||||
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
|
||||
+
|
||||
+# iptables-nft-save pointlessly checked whether chain jumps are targets
|
||||
+
|
||||
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
|
||||
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
|
||||
+
|
||||
+exit 0
|
||||
--
|
||||
2.34.1
|
||||
|
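Review bot: The availability probe `strace --version >/dev/null` silences only stdout, so on a host without strace the shell's "command not found" diagnostic is printed just before the skip message; `strace --version >/dev/null 2>&1 || { echo "skip for missing strace"; exit 0; }` keeps the skip path quiet. In `do_grep` the third argument is used as a regular expression by `grep -c "$3"`; the two patterns passed (`/etc/protocols`, `libxt_`) happen to contain no metacharacters, but `grep -cF` would make the fixed-string intent explicit. `$XT_MULTI` is expanded unquoted and unchecked on the two strace lines; presumably the test harness exports it, but if it is empty the script silently straces whatever `iptables-restore` is first in PATH, so a guard such as `: "${XT_MULTI:?XT_MULTI must point at the xtables-multi binary}"` near the top would turn that into a hard failure. The script also loads a ruleset into the running kernel via iptables-restore, so it relies on the harness running it in a disposable network namespace; a one-line comment stating that assumption would help whoever runs it by hand.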
33
SOURCES/0005-arptables-Support-x-exact-flag.patch
@ -0,0 +1,33 @@
|
||||
From 5d197a9a4c0f456243894aea4b5fd059ecf6c402 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 7 Jun 2022 18:07:00 +0200
|
||||
Subject: [PATCH] arptables: Support -x/--exact flag
|
||||
|
||||
Legacy arptables accepts but ignores the flag. Yet there are remains of
|
||||
the functionality in sources, like OPT_EXPANDED define and a print_num()
|
||||
function which acts on FMT_KILOMEGAGIGA flag being set or not. So
|
||||
instead of mimicking legacy behaviour by explicitly ignoring -x flag for
|
||||
arptables, just enable the feature for it.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0)
|
||||
---
|
||||
iptables/xshared.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
||||
index 14568bb00fb65..a50c8b7298072 100644
|
||||
--- a/iptables/xshared.h
|
||||
+++ b/iptables/xshared.h
|
||||
@@ -69,7 +69,7 @@ struct xtables_target;
|
||||
|
||||
#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
|
||||
#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
|
||||
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */
|
||||
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
|
||||
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
|
||||
|
||||
/* define invflags which won't collide with IPT ones */
|
||||
--
|
||||
2.34.1
|
||||
|
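Review bot: Adding `x` to `ARPT_OPTSTRING` only makes getopt accept the short flag; the `case 'x':` that sets `OPT_EXPANDED`/`FMT_KILOMEGAGIGA` and the long-option table that provides `--exact` are outside this hunk (the description implies they are shared code in xshared.c), so it is worth confirming the arptables parser actually reaches that case rather than an unknown-option default. The patch also leaves the arptables-nft man page and `-h` output untouched, so `-x/--exact` becomes accepted but undocumented for arptables unless another patch in the series covers it. A short comment beside the define, e.g. `/* "x": exact counters, honoured by print_num() via FMT_KILOMEGAGIGA */`, would record why the letter was added and avoid a future "clean-up" dropping it again.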
@ -1,33 +0,0 @@
|
||||
From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 13 Nov 2020 21:04:39 +0100
|
||||
Subject: [PATCH] libxtables: Drop leftover variable in
|
||||
xtables_numeric_to_ip6addr()
|
||||
|
||||
Variable 'err' was only used in removed debug code, so drop it as well.
|
||||
|
||||
Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
|
||||
---
|
||||
libxtables/xtables.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index bc42ba8221f3a..6947441fec659 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
|
||||
struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
|
||||
{
|
||||
static struct in6_addr ap;
|
||||
- int err;
|
||||
|
||||
- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
|
||||
+ if (inet_pton(AF_INET6, num, &ap) == 1)
|
||||
return ≈
|
||||
|
||||
return NULL;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,49 +0,0 @@
|
||||
From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 13 Nov 2020 21:13:50 +0100
|
||||
Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
|
||||
|
||||
They are being assigned to but never read.
|
||||
|
||||
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
|
||||
---
|
||||
extensions/libebt_ip6.c | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
|
||||
index b8a5a5d8c3a92..301bed9aadefd 100644
|
||||
--- a/extensions/libebt_ip6.c
|
||||
+++ b/extensions/libebt_ip6.c
|
||||
@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
|
||||
static struct in6_addr *numeric_to_addr(const char *num)
|
||||
{
|
||||
static struct in6_addr ap;
|
||||
- int err;
|
||||
|
||||
- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
|
||||
+ if (inet_pton(AF_INET6, num, &ap) == 1)
|
||||
return ≈
|
||||
return (struct in6_addr *)NULL;
|
||||
}
|
||||
@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
|
||||
char buf[256];
|
||||
char *p;
|
||||
int i;
|
||||
- int err;
|
||||
|
||||
strncpy(buf, address, sizeof(buf) - 1);
|
||||
/* first the mask */
|
||||
@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
|
||||
if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
|
||||
strcpy(buf, "::");
|
||||
|
||||
- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
|
||||
+ if (inet_pton(AF_INET6, buf, addr) < 1) {
|
||||
xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
|
||||
return;
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,91 @@
|
||||
From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 30 Jun 2022 18:04:39 +0200
|
||||
Subject: [PATCH] libxtables: Fix unsupported extension warning corner case
|
||||
|
||||
Some extensions are not supported in revision 0 by user space anymore,
|
||||
for those the warning in xtables_compatible_revision() does not print as
|
||||
no revision 0 is tried.
|
||||
|
||||
To fix this, one has to track if none of the user space supported
|
||||
revisions were accepted by the kernel. Therefore add respective logic to
|
||||
xtables_find_{target,match}().
|
||||
|
||||
Note that this does not lead to duplicated warnings for unsupported
|
||||
extensions that have a revision 0 because xtables_compatible_revision()
|
||||
returns true for them to allow for extension's help output.
|
||||
|
||||
For the record, these ip6tables extensions are affected: set/SET,
|
||||
socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
|
||||
for both families.
|
||||
|
||||
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37)
|
||||
---
|
||||
libxtables/xtables.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index 96fd783a066cf..7abc63bcfd83e 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
||||
struct xtables_match *ptr;
|
||||
const char *icmp6 = "icmp6";
|
||||
bool found = false;
|
||||
+ bool seen = false;
|
||||
|
||||
if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
||||
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
|
||||
ptr = *dptr;
|
||||
*dptr = (*dptr)->next;
|
||||
+ seen = true;
|
||||
if (!found &&
|
||||
xtables_fully_register_pending_match(ptr, prev)) {
|
||||
found = true;
|
||||
@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
|
||||
dptr = &((*dptr)->next);
|
||||
}
|
||||
|
||||
+ if (seen && !found)
|
||||
+ fprintf(stderr,
|
||||
+ "Warning: Extension %s is not supported, missing kernel module?\n",
|
||||
+ name);
|
||||
+
|
||||
for (ptr = xtables_matches; ptr; ptr = ptr->next) {
|
||||
if (extension_cmp(name, ptr->name, ptr->family)) {
|
||||
struct xtables_match *clone;
|
||||
@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
||||
struct xtables_target **dptr;
|
||||
struct xtables_target *ptr;
|
||||
bool found = false;
|
||||
+ bool seen = false;
|
||||
|
||||
/* Standard target? */
|
||||
if (strcmp(name, "") == 0
|
||||
@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
||||
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
|
||||
ptr = *dptr;
|
||||
*dptr = (*dptr)->next;
|
||||
+ seen = true;
|
||||
if (!found &&
|
||||
xtables_fully_register_pending_target(ptr, prev)) {
|
||||
found = true;
|
||||
@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
||||
dptr = &((*dptr)->next);
|
||||
}
|
||||
|
||||
+ if (seen && !found)
|
||||
+ fprintf(stderr,
|
||||
+ "Warning: Extension %s is not supported, missing kernel module?\n",
|
||||
+ name);
|
||||
+
|
||||
for (ptr = xtables_targets; ptr; ptr = ptr->next) {
|
||||
if (extension_cmp(name, ptr->name, ptr->family)) {
|
||||
struct xtables_target *clone;
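Review bot: The new `seen && !found` warning is printed without consulting `tryload`, which both signatures take, so any caller that merely probes for an extension and treats its absence as non-fatal would now also get a line on stderr; whether such callers exist cannot be confirmed here, since both xtables_find_match() and xtables_find_target() start and end outside their hunks. The same three-line fprintf() is also duplicated verbatim between the two functions, so I would hoist it into one helper, `static void warn_unsupported_extension(const char *name)`, and call it from both sites so the wording and any later gating live in one place. If the probing case turns out to matter, the gate belongs at those call sites, e.g. `if (seen && !found && tryload != <the enum's non-loading value>)`, to be confirmed against the definition of enum xtables_tryload.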
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,29 +0,0 @@
|
||||
From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 11:04:30 +0200
|
||||
Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
|
||||
|
||||
The allocated hostmask duplicate needs to be freed again.
|
||||
|
||||
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
|
||||
---
|
||||
libxtables/xtoptions.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
|
||||
index d329f2ff7979e..0dcdf607f4678 100644
|
||||
--- a/libxtables/xtoptions.c
|
||||
+++ b/libxtables/xtoptions.c
|
||||
@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
|
||||
cb->arg = p;
|
||||
xtopt_parse_plenmask(cb);
|
||||
cb->arg = orig_arg;
|
||||
+ free(work);
|
||||
}
|
||||
|
||||
static void xtopt_parse_ethermac(struct xt_option_call *cb)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,34 +0,0 @@
|
||||
From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 11:55:20 +0200
|
||||
Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
|
||||
|
||||
If rule allocation fails, free the allocated 'cmd' before returning to
|
||||
caller.
|
||||
|
||||
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
|
||||
---
|
||||
iptables/nft-cmd.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
|
||||
index 5d33f1f00f574..9b0c964847615 100644
|
||||
--- a/iptables/nft-cmd.c
|
||||
+++ b/iptables/nft-cmd.c
|
||||
@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
|
||||
|
||||
if (state) {
|
||||
rule = nft_rule_new(h, chain, table, state);
|
||||
- if (!rule)
|
||||
+ if (!rule) {
|
||||
+ nft_cmd_free(cmd);
|
||||
return NULL;
|
||||
+ }
|
||||
|
||||
cmd->obj.rule = rule;
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,56 +0,0 @@
|
||||
From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 11:58:06 +0200
|
||||
Subject: [PATCH] nft: Avoid buffer size warnings copying iface names
|
||||
|
||||
The call to strncpy() is actually not needed: source buffer is only
|
||||
IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to
|
||||
avoid compiler warnings due to size parameter matching the destination
|
||||
buffer size by performing the copy using (dumb) memcpy() instead.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff)
|
||||
---
|
||||
iptables/nft-ipv4.c | 4 ++--
|
||||
iptables/nft-ipv6.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index a5b835b1f681d..34f94bd8cc24a 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command,
|
||||
*/
|
||||
cs->fw.ip.invflags = args->invflags;
|
||||
|
||||
- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
|
||||
+ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
|
||||
memcpy(cs->fw.ip.iniface_mask,
|
||||
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||
|
||||
- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
|
||||
+ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
|
||||
memcpy(cs->fw.ip.outiface_mask,
|
||||
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||
|
||||
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
||||
index 46008fc5e762a..d9c9400ad7dc3 100644
|
||||
--- a/iptables/nft-ipv6.c
|
||||
+++ b/iptables/nft-ipv6.c
|
||||
@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
|
||||
*/
|
||||
cs->fw6.ipv6.invflags = args->invflags;
|
||||
|
||||
- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
|
||||
+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
|
||||
memcpy(cs->fw6.ipv6.iniface_mask,
|
||||
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||
|
||||
- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
|
||||
+ memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
|
||||
memcpy(cs->fw6.ipv6.outiface_mask,
|
||||
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,29 +0,0 @@
|
||||
From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 12:50:57 +0200
|
||||
Subject: [PATCH] iptables-apply: Drop unused variable
|
||||
|
||||
It was assigned to but never read.
|
||||
|
||||
Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
|
||||
---
|
||||
iptables/iptables-apply | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
|
||||
index 4683b1b402d08..3a7df5e3cbc1f 100755
|
||||
--- a/iptables/iptables-apply
|
||||
+++ b/iptables/iptables-apply
|
||||
@@ -231,7 +231,6 @@ case "$MODE" in
|
||||
"$RUNCMD" &
|
||||
CMD_PID=$!
|
||||
( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
|
||||
- CMDTIMEOUT_PID=$!
|
||||
if ! wait "$CMD_PID"; then
|
||||
echo "failed."
|
||||
echo "Error: unknown error running command: $RUNCMD" >&2
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,109 +0,0 @@
|
||||
From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 14:04:43 +0200
|
||||
Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any()
|
||||
|
||||
The code was almost identical and suffered from the same problem as
|
||||
fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
|
||||
corruption bugs").
|
||||
|
||||
The only functional change this involves is ebt_parse_ip6_address() will
|
||||
now accept hostnames as well.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4)
|
||||
---
|
||||
extensions/libebt_ip6.c | 74 ++++++-----------------------------------
|
||||
1 file changed, 10 insertions(+), 64 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
|
||||
index 301bed9aadefd..3cc39271d4658 100644
|
||||
--- a/extensions/libebt_ip6.c
|
||||
+++ b/extensions/libebt_ip6.c
|
||||
@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match)
|
||||
memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr));
|
||||
}
|
||||
|
||||
-static struct in6_addr *numeric_to_addr(const char *num)
|
||||
+/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */
|
||||
+static void ebt_parse_ip6_address(char *address,
|
||||
+ struct in6_addr *addr, struct in6_addr *msk)
|
||||
{
|
||||
- static struct in6_addr ap;
|
||||
-
|
||||
- if (inet_pton(AF_INET6, num, &ap) == 1)
|
||||
- return ≈
|
||||
- return (struct in6_addr *)NULL;
|
||||
-}
|
||||
-
|
||||
-static struct in6_addr *parse_ip6_mask(char *mask)
|
||||
-{
|
||||
- static struct in6_addr maskaddr;
|
||||
struct in6_addr *addrp;
|
||||
- unsigned int bits;
|
||||
-
|
||||
- if (mask == NULL) {
|
||||
- /* no mask at all defaults to 128 bits */
|
||||
- memset(&maskaddr, 0xff, sizeof maskaddr);
|
||||
- return &maskaddr;
|
||||
- }
|
||||
- if ((addrp = numeric_to_addr(mask)) != NULL)
|
||||
- return addrp;
|
||||
- if (!xtables_strtoui(mask, NULL, &bits, 0, 128))
|
||||
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask);
|
||||
- if (bits != 0) {
|
||||
- char *p = (char *)&maskaddr;
|
||||
- memset(p, 0xff, bits / 8);
|
||||
- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
|
||||
- p[bits / 8] = 0xff << (8 - (bits & 7));
|
||||
- return &maskaddr;
|
||||
- }
|
||||
+ unsigned int naddrs;
|
||||
|
||||
- memset(&maskaddr, 0, sizeof maskaddr);
|
||||
- return &maskaddr;
|
||||
-}
|
||||
-
|
||||
-/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
|
||||
- * The string pointed to by address can be altered. */
|
||||
-static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk)
|
||||
-{
|
||||
- struct in6_addr *tmp_addr;
|
||||
- char buf[256];
|
||||
- char *p;
|
||||
- int i;
|
||||
-
|
||||
- strncpy(buf, address, sizeof(buf) - 1);
|
||||
- /* first the mask */
|
||||
- buf[sizeof(buf) - 1] = '\0';
|
||||
- if ((p = strrchr(buf, '/')) != NULL) {
|
||||
- *p = '\0';
|
||||
- tmp_addr = parse_ip6_mask(p + 1);
|
||||
- } else
|
||||
- tmp_addr = parse_ip6_mask(NULL);
|
||||
-
|
||||
- *msk = *tmp_addr;
|
||||
-
|
||||
- /* if a null mask is given, the name is ignored, like in "any/0" */
|
||||
- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
|
||||
- strcpy(buf, "::");
|
||||
-
|
||||
- if (inet_pton(AF_INET6, buf, addr) < 1) {
|
||||
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- for (i = 0; i < 4; i++)
|
||||
- addr->s6_addr32[i] &= msk->s6_addr32[i];
|
||||
+ xtables_ip6parse_any(address, &addrp, msk, &naddrs);
|
||||
+ if (naddrs != 1)
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "Invalid IPv6 Address '%s' specified", address);
|
||||
+ memcpy(addr, addrp, sizeof(*addr));
|
||||
+ free(addrp);
|
||||
}
|
||||
|
||||
#define OPT_SOURCE 0x01
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,554 +0,0 @@
|
||||
From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 12:56:06 +0200
|
||||
Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere
|
||||
|
||||
This wraps strdup(), checking for errors.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a)
|
||||
---
|
||||
extensions/libebt_ip.c | 3 ++-
|
||||
extensions/libebt_ip6.c | 2 +-
|
||||
extensions/libebt_stp.c | 3 ++-
|
||||
extensions/libip6t_DNAT.c | 4 +---
|
||||
extensions/libip6t_SNAT.c | 4 +---
|
||||
extensions/libip6t_dst.c | 8 +++-----
|
||||
extensions/libip6t_hbh.c | 7 +++----
|
||||
extensions/libip6t_ipv6header.c | 2 +-
|
||||
extensions/libip6t_mh.c | 2 +-
|
||||
extensions/libip6t_rt.c | 7 +++----
|
||||
extensions/libipt_DNAT.c | 8 ++------
|
||||
extensions/libipt_SNAT.c | 4 +---
|
||||
extensions/libxt_dccp.c | 2 +-
|
||||
extensions/libxt_hashlimit.c | 5 +----
|
||||
extensions/libxt_iprange.c | 4 +---
|
||||
extensions/libxt_multiport.c | 6 ++----
|
||||
extensions/libxt_sctp.c | 4 ++--
|
||||
extensions/libxt_set.h | 4 ++--
|
||||
extensions/libxt_tcp.c | 4 ++--
|
||||
include/xtables.h | 1 +
|
||||
iptables/iptables-xml.c | 4 ++--
|
||||
iptables/nft-cache.c | 4 ++--
|
||||
iptables/nft-cmd.c | 13 +++++++------
|
||||
iptables/xshared.c | 2 +-
|
||||
libxtables/xtables.c | 12 ++++++++++++
|
||||
libxtables/xtoptions.c | 14 +++-----------
|
||||
26 files changed, 60 insertions(+), 73 deletions(-)
|
||||
|
||||
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
|
||||
index acb9bfcdbbd9f..51649ffb3c305 100644
|
||||
--- a/extensions/libebt_ip.c
|
||||
+++ b/extensions/libebt_ip.c
|
||||
@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
+
|
||||
if ((cp = strchr(buffer, ':')) == NULL)
|
||||
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
|
||||
else {
|
||||
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
|
||||
index 3cc39271d4658..a686a285c3cb8 100644
|
||||
--- a/extensions/libebt_ip6.c
|
||||
+++ b/extensions/libebt_ip6.c
|
||||
@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
if ((cp = strchr(buffer, ':')) == NULL)
|
||||
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
|
||||
else {
|
||||
diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
|
||||
index 81ba572c33c1a..3e9e24474eb61 100644
|
||||
--- a/extensions/libebt_stp.c
|
||||
+++ b/extensions/libebt_stp.c
|
||||
@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper,
|
||||
uint32_t low_nr, upp_nr;
|
||||
int ret = 0;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
+
|
||||
if ((cp = strchr(buffer, ':')) == NULL) {
|
||||
low_nr = strtoul(buffer, &end, 10);
|
||||
if (*end || low_nr < min || low_nr > max) {
|
||||
diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
|
||||
index 89c5ceb153250..f1ad81436316b 100644
|
||||
--- a/extensions/libip6t_DNAT.c
|
||||
+++ b/extensions/libip6t_DNAT.c
|
||||
@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev)
|
||||
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
|
||||
const struct in6_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
|
||||
start = strchr(arg, '[');
|
||||
if (start == NULL) {
|
||||
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
|
||||
index 7d74b3d76a93c..6d19614c7c708 100644
|
||||
--- a/extensions/libip6t_SNAT.c
|
||||
+++ b/extensions/libip6t_SNAT.c
|
||||
@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
|
||||
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
|
||||
const struct in6_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
|
||||
start = strchr(arg, '[');
|
||||
if (start == NULL) {
|
||||
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
|
||||
index fe7e3403468ce..bf0e3e436665d 100644
|
||||
--- a/extensions/libip6t_dst.c
|
||||
+++ b/extensions/libip6t_dst.c
|
||||
@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
|
||||
{
|
||||
char *buffer, *cp, *next, *range;
|
||||
unsigned int i;
|
||||
-
|
||||
- buffer = strdup(optsstr);
|
||||
- if (!buffer)
|
||||
- xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
-
|
||||
+
|
||||
+ buffer = xtables_strdup(optsstr);
|
||||
+
|
||||
for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
|
||||
{
|
||||
next = strchr(cp, ',');
|
||||
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
|
||||
index 4cebecfd3d2f5..74e87cda7eea1 100644
|
||||
--- a/extensions/libip6t_hbh.c
|
||||
+++ b/extensions/libip6t_hbh.c
|
||||
@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
|
||||
{
|
||||
char *buffer, *cp, *next, *range;
|
||||
unsigned int i;
|
||||
-
|
||||
- buffer = strdup(optsstr);
|
||||
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
-
|
||||
+
|
||||
+ buffer = xtables_strdup(optsstr);
|
||||
+
|
||||
for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
|
||||
{
|
||||
next=strchr(cp, ',');
|
||||
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
|
||||
index 6f03087bb79d8..9e34562966f8b 100644
|
||||
--- a/extensions/libip6t_ipv6header.c
|
||||
+++ b/extensions/libip6t_ipv6header.c
|
||||
@@ -147,7 +147,7 @@ parse_header(const char *flags) {
|
||||
char *ptr;
|
||||
char *buffer;
|
||||
|
||||
- buffer = strdup(flags);
|
||||
+ buffer = xtables_strdup(flags);
|
||||
|
||||
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
|
||||
ret |= add_proto_to_mask(name_to_proto(ptr));
|
||||
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
|
||||
index f4c0fd9fc0bca..64675405ac724 100644
|
||||
--- a/extensions/libip6t_mh.c
|
||||
+++ b/extensions/libip6t_mh.c
|
||||
@@ -107,7 +107,7 @@ static void parse_mh_types(const char *mhtype, uint8_t *types)
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(mhtype);
|
||||
+ buffer = xtables_strdup(mhtype);
|
||||
if ((cp = strchr(buffer, ':')) == NULL)
|
||||
types[0] = types[1] = name_to_type(buffer);
|
||||
else {
|
||||
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
|
||||
index 3cb3b249d8995..9708b5a0c42f3 100644
|
||||
--- a/extensions/libip6t_rt.c
|
||||
+++ b/extensions/libip6t_rt.c
|
||||
@@ -73,10 +73,9 @@ parse_addresses(const char *addrstr, struct in6_addr *addrp)
|
||||
{
|
||||
char *buffer, *cp, *next;
|
||||
unsigned int i;
|
||||
-
|
||||
- buffer = strdup(addrstr);
|
||||
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
-
|
||||
+
|
||||
+ buffer = xtables_strdup(addrstr);
|
||||
+
|
||||
for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
|
||||
{
|
||||
next=strchr(cp, ',');
|
||||
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
|
||||
index 4907a2e83d066..5b33fd23f6e36 100644
|
||||
--- a/extensions/libipt_DNAT.c
|
||||
+++ b/extensions/libipt_DNAT.c
|
||||
@@ -79,9 +79,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
|
||||
char *arg, *colon, *dash, *error;
|
||||
const struct in_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
memset(&range, 0, sizeof(range));
|
||||
colon = strchr(arg, ':');
|
||||
|
||||
@@ -302,9 +300,7 @@ parse_to_v2(const char *orig_arg, int portok, struct nf_nat_range2 *range)
|
||||
char *arg, *colon, *dash, *error;
|
||||
const struct in_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
|
||||
colon = strchr(arg, ':');
|
||||
if (colon) {
|
||||
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
|
||||
index e92d811c2bc93..c655439ec9192 100644
|
||||
--- a/extensions/libipt_SNAT.c
|
||||
+++ b/extensions/libipt_SNAT.c
|
||||
@@ -73,9 +73,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
|
||||
char *arg, *colon, *dash, *error;
|
||||
const struct in_addr *ip;
|
||||
|
||||
- arg = strdup(orig_arg);
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
+ arg = xtables_strdup(orig_arg);
|
||||
memset(&range, 0, sizeof(range));
|
||||
colon = strchr(arg, ':');
|
||||
|
||||
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
|
||||
index aea3e20be4818..abd420fcc0032 100644
|
||||
--- a/extensions/libxt_dccp.c
|
||||
+++ b/extensions/libxt_dccp.c
|
||||
@@ -85,7 +85,7 @@ parse_dccp_types(const char *typestring)
|
||||
uint16_t typemask = 0;
|
||||
char *ptr, *buffer;
|
||||
|
||||
- buffer = strdup(typestring);
|
||||
+ buffer = xtables_strdup(typestring);
|
||||
|
||||
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
|
||||
unsigned int i;
|
||||
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
|
||||
index 7f1d2a402c4fd..3f3c43010ee2a 100644
|
||||
--- a/extensions/libxt_hashlimit.c
|
||||
+++ b/extensions/libxt_hashlimit.c
|
||||
@@ -508,10 +508,7 @@ static void hashlimit_mt6_init(struct xt_entry_match *match)
|
||||
static int parse_mode(uint32_t *mode, const char *option_arg)
|
||||
{
|
||||
char *tok;
|
||||
- char *arg = strdup(option_arg);
|
||||
-
|
||||
- if (!arg)
|
||||
- return -1;
|
||||
+ char *arg = xtables_strdup(option_arg);
|
||||
|
||||
for (tok = strtok(arg, ",|");
|
||||
tok;
|
||||
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
|
||||
index 8be2481497b8d..04ce7b364f1c6 100644
|
||||
--- a/extensions/libxt_iprange.c
|
||||
+++ b/extensions/libxt_iprange.c
|
||||
@@ -73,11 +73,9 @@ iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
|
||||
static void iprange_parse_range(const char *oarg, union nf_inet_addr *range,
|
||||
uint8_t family, const char *optname)
|
||||
{
|
||||
- char *arg = strdup(oarg);
|
||||
+ char *arg = xtables_strdup(oarg);
|
||||
char *dash;
|
||||
|
||||
- if (arg == NULL)
|
||||
- xtables_error(RESOURCE_PROBLEM, "strdup");
|
||||
dash = strchr(arg, '-');
|
||||
if (dash == NULL) {
|
||||
iprange_parse_spec(arg, arg, range, family, optname);
|
||||
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
|
||||
index 07ad4cfd4e519..4a42fa38238b9 100644
|
||||
--- a/extensions/libxt_multiport.c
|
||||
+++ b/extensions/libxt_multiport.c
|
||||
@@ -87,8 +87,7 @@ parse_multi_ports(const char *portstring, uint16_t *ports, const char *proto)
|
||||
char *buffer, *cp, *next;
|
||||
unsigned int i;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
|
||||
for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
|
||||
{
|
||||
@@ -109,8 +108,7 @@ parse_multi_ports_v1(const char *portstring,
|
||||
char *buffer, *cp, *next, *range;
|
||||
unsigned int i;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
|
||||
for (i=0; i<XT_MULTI_PORTS; i++)
|
||||
multiinfo->pflags[i] = 0;
|
||||
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||
index 140de2653b1ef..59b34684cc7f7 100644
|
||||
--- a/extensions/libxt_sctp.c
|
||||
+++ b/extensions/libxt_sctp.c
|
||||
@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring,
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
DEBUGP("%s\n", portstring);
|
||||
if ((cp = strchr(buffer, ':')) == NULL) {
|
||||
ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
|
||||
@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo,
|
||||
int found = 0;
|
||||
char *chunk_flags;
|
||||
|
||||
- buffer = strdup(chunks);
|
||||
+ buffer = xtables_strdup(chunks);
|
||||
DEBUGP("Buffer: %s\n", buffer);
|
||||
|
||||
SCTP_CHUNKMAP_RESET(einfo->chunkmap);
|
||||
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
|
||||
index 41dfbd30fc7c1..ad895a7504d9d 100644
|
||||
--- a/extensions/libxt_set.h
|
||||
+++ b/extensions/libxt_set.h
|
||||
@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info)
|
||||
static void
|
||||
parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
|
||||
{
|
||||
- char *saved = strdup(opt_arg);
|
||||
+ char *saved = xtables_strdup(opt_arg);
|
||||
char *ptr, *tmp = saved;
|
||||
int i = 0;
|
||||
|
||||
@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
|
||||
static void
|
||||
parse_dirs(const char *opt_arg, struct xt_set_info *info)
|
||||
{
|
||||
- char *saved = strdup(opt_arg);
|
||||
+ char *saved = xtables_strdup(opt_arg);
|
||||
char *ptr, *tmp = saved;
|
||||
|
||||
while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
|
||||
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
|
||||
index 58f3c0a0c3c28..383e4db5b5e23 100644
|
||||
--- a/extensions/libxt_tcp.c
|
||||
+++ b/extensions/libxt_tcp.c
|
||||
@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports)
|
||||
char *buffer;
|
||||
char *cp;
|
||||
|
||||
- buffer = strdup(portstring);
|
||||
+ buffer = xtables_strdup(portstring);
|
||||
if ((cp = strchr(buffer, ':')) == NULL)
|
||||
ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
|
||||
else {
|
||||
@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags)
|
||||
char *ptr;
|
||||
char *buffer;
|
||||
|
||||
- buffer = strdup(flags);
|
||||
+ buffer = xtables_strdup(flags);
|
||||
|
||||
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
|
||||
unsigned int i;
|
||||
diff --git a/include/xtables.h b/include/xtables.h
|
||||
index df1eaee326643..107ad7d65e6fc 100644
|
||||
--- a/include/xtables.h
|
||||
+++ b/include/xtables.h
|
||||
@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t);
|
||||
extern void *xtables_calloc(size_t, size_t);
|
||||
extern void *xtables_malloc(size_t);
|
||||
extern void *xtables_realloc(void *, size_t);
|
||||
+char *xtables_strdup(const char *);
|
||||
|
||||
extern int xtables_insmod(const char *, const char *, bool);
|
||||
extern int xtables_load_ko(const char *, bool);
|
||||
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
|
||||
index 98d03dda98d2b..6cf059fb67292 100644
|
||||
--- a/iptables/iptables-xml.c
|
||||
+++ b/iptables/iptables-xml.c
|
||||
@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr)
|
||||
"%s: line %u chain name invalid\n",
|
||||
prog_name, line);
|
||||
|
||||
- chains[nextChain].chain = strdup(chain);
|
||||
- chains[nextChain].policy = strdup(policy);
|
||||
+ chains[nextChain].chain = xtables_strdup(chain);
|
||||
+ chains[nextChain].policy = xtables_strdup(policy);
|
||||
chains[nextChain].count = *ctr;
|
||||
chains[nextChain].created = 0;
|
||||
nextChain++;
|
||||
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||||
index 6b6e6da40a826..7fd78654b280a 100644
|
||||
--- a/iptables/nft-cache.c
|
||||
+++ b/iptables/nft-cache.c
|
||||
@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name)
|
||||
}
|
||||
|
||||
new = xtables_malloc(sizeof(*new));
|
||||
- new->name = strdup(name);
|
||||
+ new->name = xtables_strdup(name);
|
||||
list_add_tail(&new->head, pos ? &pos->head : list);
|
||||
}
|
||||
|
||||
@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level,
|
||||
return;
|
||||
|
||||
if (!req->table)
|
||||
- req->table = strdup(cmd->table);
|
||||
+ req->table = xtables_strdup(cmd->table);
|
||||
else
|
||||
assert(!strcmp(req->table, cmd->table));
|
||||
|
||||
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
|
||||
index 9b0c964847615..8dccdd734b156 100644
|
||||
--- a/iptables/nft-cmd.c
|
||||
+++ b/iptables/nft-cmd.c
|
||||
@@ -11,6 +11,7 @@
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <xtables.h>
|
||||
#include "nft.h"
|
||||
#include "nft-cmd.h"
|
||||
|
||||
@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
|
||||
return NULL;
|
||||
|
||||
cmd->command = command;
|
||||
- cmd->table = strdup(table);
|
||||
+ cmd->table = xtables_strdup(table);
|
||||
if (chain)
|
||||
- cmd->chain = strdup(chain);
|
||||
+ cmd->chain = xtables_strdup(chain);
|
||||
cmd->rulenum = rulenum;
|
||||
cmd->verbose = verbose;
|
||||
|
||||
@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
|
||||
cmd->obj.rule = rule;
|
||||
|
||||
if (!state->target && strlen(state->jumpto) > 0)
|
||||
- cmd->jumpto = strdup(state->jumpto);
|
||||
+ cmd->jumpto = xtables_strdup(state->jumpto);
|
||||
}
|
||||
|
||||
list_add_tail(&cmd->head, &h->cmd_list);
|
||||
@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
|
||||
if (!cmd)
|
||||
return 0;
|
||||
|
||||
- cmd->rename = strdup(newname);
|
||||
+ cmd->rename = xtables_strdup(newname);
|
||||
|
||||
nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
|
||||
|
||||
@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table,
|
||||
if (!cmd)
|
||||
return 0;
|
||||
|
||||
- cmd->policy = strdup(policy);
|
||||
+ cmd->policy = xtables_strdup(policy);
|
||||
if (counters)
|
||||
cmd->counters = *counters;
|
||||
|
||||
@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
|
||||
if (!cmd)
|
||||
return 0;
|
||||
|
||||
- cmd->policy = strdup(policy);
|
||||
+ cmd->policy = xtables_strdup(policy);
|
||||
|
||||
nft_cache_level_set(h, NFT_CL_RULES, cmd);
|
||||
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index 9a1f465a5a6d3..4027d9240215e 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted)
|
||||
xtables_error(PARAMETER_PROBLEM,
|
||||
"Trying to store NULL argument\n");
|
||||
|
||||
- store->argv[store->argc] = strdup(what);
|
||||
+ store->argv[store->argc] = xtables_strdup(what);
|
||||
store->argvattr[store->argc] = quoted;
|
||||
store->argv[++store->argc] = NULL;
|
||||
}
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index 6947441fec659..1931e3896262a 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size)
|
||||
return p;
|
||||
}
|
||||
|
||||
+char *xtables_strdup(const char *s)
|
||||
+{
|
||||
+ char *dup = strdup(s);
|
||||
+
|
||||
+ if (!dup) {
|
||||
+ perror("ip[6]tables: strdup failed");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
+ return dup;
|
||||
+}
|
||||
+
|
||||
static char *get_modprobe(void)
|
||||
{
|
||||
int procfile;
|
||||
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
|
||||
index 0dcdf607f4678..9d3ac5c8066cb 100644
|
||||
--- a/libxtables/xtoptions.c
|
||||
+++ b/libxtables/xtoptions.c
|
||||
@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb)
|
||||
unsigned int maxiter;
|
||||
int value;
|
||||
|
||||
- wp_arg = lo_arg = strdup(cb->arg);
|
||||
- if (lo_arg == NULL)
|
||||
- xt_params->exit_err(RESOURCE_PROBLEM, "strdup");
|
||||
+ wp_arg = lo_arg = xtables_strdup(cb->arg);
|
||||
|
||||
maxiter = entry->size / esize;
|
||||
if (maxiter == 0)
|
||||
@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
|
||||
xtopt_parse_host(cb);
|
||||
return;
|
||||
}
|
||||
- work = strdup(orig_arg);
|
||||
- if (work == NULL)
|
||||
- xt_params->exit_err(PARAMETER_PROBLEM, "strdup");
|
||||
+ work = xtables_strdup(orig_arg);
|
||||
p = strchr(work, '/'); /* by def this can't be NULL now */
|
||||
*p++ = '\0';
|
||||
/*
|
||||
@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file)
|
||||
goto out;
|
||||
}
|
||||
lmap_this->id = id;
|
||||
- lmap_this->name = strdup(cur);
|
||||
- if (lmap_this->name == NULL) {
|
||||
- free(lmap_this);
|
||||
- goto out;
|
||||
- }
|
||||
+ lmap_this->name = xtables_strdup(cur);
|
||||
lmap_this->next = NULL;
|
||||
|
||||
if (lmap_prev != NULL)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,31 +0,0 @@
|
||||
From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 2 Jun 2021 15:15:37 +0200
|
||||
Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
|
||||
strncpy()
|
||||
|
||||
If the target buffer does not need to be null-terminated, one may simply
|
||||
use memcpy() and thereby avoid any compiler warnings.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
|
||||
---
|
||||
extensions/libxt_string.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
|
||||
index 7c6366cbbf1b3..739a8e7fd66b6 100644
|
||||
--- a/extensions/libxt_string.c
|
||||
+++ b/extensions/libxt_string.c
|
||||
@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
|
||||
{
|
||||
/* xt_string does not need \0 at the end of the pattern */
|
||||
if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
|
||||
- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
|
||||
+ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
|
||||
info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
|
||||
return;
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,104 +0,0 @@
|
||||
From 176353549f03fd10c731d93e9b37aa05eb210ecb Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Wed, 24 Feb 2021 11:08:02 +0100
|
||||
Subject: [PATCH] iptables-nft: fix -Z option
|
||||
|
||||
it zeroes the rule counters, so it needs fully populated cache.
|
||||
Add a test case to cover this.
|
||||
|
||||
Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands")
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
Acked-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2)
|
||||
---
|
||||
iptables/nft-cmd.c | 2 +-
|
||||
.../testcases/iptables/0007-zero-counters_0 | 64 +++++++++++++++++++
|
||||
2 files changed, 65 insertions(+), 1 deletion(-)
|
||||
create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0
|
||||
|
||||
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
|
||||
index 8dccdd734b156..a0c76a795e59c 100644
|
||||
--- a/iptables/nft-cmd.c
|
||||
+++ b/iptables/nft-cmd.c
|
||||
@@ -188,7 +188,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain,
|
||||
if (!cmd)
|
||||
return 0;
|
||||
|
||||
- nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
|
||||
+ nft_cache_level_set(h, NFT_CL_RULES, cmd);
|
||||
|
||||
return 1;
|
||||
}
|
||||
diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
|
||||
new file mode 100755
|
||||
index 0000000000000..36da1907e3b22
|
||||
--- /dev/null
|
||||
+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
|
||||
@@ -0,0 +1,64 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+RC=0
|
||||
+COUNTR=$RANDOM$RANDOM
|
||||
+
|
||||
+$XT_MULTI iptables-restore -c <<EOF
|
||||
+*filter
|
||||
+:INPUT ACCEPT [1:23]
|
||||
+:FOO - [0:0]
|
||||
+[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
|
||||
+[22:123] -A FOO -m comment --comment one
|
||||
+[44:123] -A FOO -m comment --comment two
|
||||
+COMMIT
|
||||
+EOF
|
||||
+EXPECT="*filter
|
||||
+:INPUT ACCEPT [0:0]
|
||||
+:FORWARD ACCEPT [0:0]
|
||||
+:OUTPUT ACCEPT [0:0]
|
||||
+:FOO - [0:0]
|
||||
+[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
|
||||
+[0:0] -A FOO -m comment --comment one
|
||||
+[0:0] -A FOO -m comment --comment two
|
||||
+COMMIT"
|
||||
+
|
||||
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
|
||||
+if [ $COUNTER != "[12:345]" ]; then
|
||||
+ echo "Counter $COUNTER is wrong, expected 12:345"
|
||||
+ RC=1
|
||||
+fi
|
||||
+
|
||||
+$XT_MULTI iptables -Z FOO
|
||||
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
|
||||
+if [ $COUNTER = "[0:0]" ]; then
|
||||
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
|
||||
+ RC=1
|
||||
+fi
|
||||
+
|
||||
+for c in one two; do
|
||||
+ COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ")
|
||||
+ if [ $COUNTER != "[0:0]" ]; then
|
||||
+ echo "Counter $COUNTER is wrong, should have been zeroed at rule $c"
|
||||
+ RC=1
|
||||
+ fi
|
||||
+done
|
||||
+
|
||||
+$XT_MULTI iptables -Z
|
||||
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
|
||||
+
|
||||
+if [ $COUNTER != "[0:0]" ]; then
|
||||
+ echo "Counter $COUNTER is wrong, expected 0:0 after -Z"
|
||||
+ RC=1
|
||||
+fi
|
||||
+
|
||||
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#')
|
||||
+if [ $? -ne 0 ]; then
|
||||
+ echo "Diff error: counters were not zeroed"
|
||||
+ RC=1
|
||||
+fi
|
||||
+
|
||||
+$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
|
||||
+$XT_MULTI iptables -D FOO -m comment --comment one
|
||||
+$XT_MULTI iptables -D FOO -m comment --comment two
|
||||
+$XT_MULTI iptables -X FOO
|
||||
+exit $RC
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,73 +0,0 @@
|
||||
From 5462c9908a3b2ba94fc4cf5c6cd0d5ed296093c5 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 19 Feb 2021 16:54:57 +0100
|
||||
Subject: [PATCH] nft: Fix bitwise expression avoidance detection
|
||||
|
||||
Byte-boundary prefix detection was too sloppy: Any data following the
|
||||
first zero-byte was ignored. Add a follow-up loop making sure there are
|
||||
no stray bits in the designated host part.
|
||||
|
||||
Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba)
|
||||
---
|
||||
iptables/nft-shared.c | 4 +++-
|
||||
.../testcases/ip6tables/0004-address-masks_0 | 24 +++++++++++++++++++
|
||||
2 files changed, 27 insertions(+), 1 deletion(-)
|
||||
create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
|
||||
|
||||
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
|
||||
index 10553ab26823b..c1664b50f9383 100644
|
||||
--- a/iptables/nft-shared.c
|
||||
+++ b/iptables/nft-shared.c
|
||||
@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
|
||||
{
|
||||
const unsigned char *m = mask;
|
||||
bool bitwise = false;
|
||||
- int i;
|
||||
+ int i, j;
|
||||
|
||||
for (i = 0; i < len; i++) {
|
||||
if (m[i] != 0xff) {
|
||||
@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ for (j = i + 1; !bitwise && j < len; j++)
|
||||
+ bitwise = !!m[j];
|
||||
|
||||
if (!bitwise)
|
||||
len = i;
|
||||
diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
|
||||
new file mode 100755
|
||||
index 0000000000000..7eb42f08da975
|
||||
--- /dev/null
|
||||
+++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
|
||||
@@ -0,0 +1,24 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+$XT_MULTI ip6tables-restore <<EOF
|
||||
+*filter
|
||||
+-A FORWARD -s feed:babe::/ffff::0
|
||||
+-A FORWARD -s feed:babe::/ffff:ff00::0
|
||||
+-A FORWARD -s feed:babe::/ffff:fff0::0
|
||||
+-A FORWARD -s feed:babe::/ffff:ffff::0
|
||||
+-A FORWARD -s feed:babe::/0:ffff::0
|
||||
+-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0
|
||||
+COMMIT
|
||||
+EOF
|
||||
+
|
||||
+EXPECT='-P FORWARD ACCEPT
|
||||
+-A FORWARD -s feed::/16
|
||||
+-A FORWARD -s feed:ba00::/24
|
||||
+-A FORWARD -s feed:bab0::/28
|
||||
+-A FORWARD -s feed:babe::/32
|
||||
+-A FORWARD -s 0:babe::/0:ffff::
|
||||
+-A FORWARD -s feed::babe:0/ffff::ffff:0'
|
||||
+
|
||||
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,80 +0,0 @@
|
||||
From c9c2e55eb6cebdb8d17cf0c8267a1eb3e8fb6e07 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 4 May 2021 16:03:24 +0200
|
||||
Subject: [PATCH] extensions: sctp: Fix nftables translation
|
||||
|
||||
If both sport and dport was present, incorrect nft syntax was generated.
|
||||
|
||||
Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
|
||||
---
|
||||
extensions/libxt_sctp.c | 10 ++++------
|
||||
extensions/libxt_sctp.txlate | 10 +++++-----
|
||||
2 files changed, 9 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||
index 59b34684cc7f7..5ec1ca618405e 100644
|
||||
--- a/extensions/libxt_sctp.c
|
||||
+++ b/extensions/libxt_sctp.c
|
||||
@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
|
||||
if (!einfo->flags)
|
||||
return 0;
|
||||
|
||||
- xt_xlate_add(xl, "sctp ");
|
||||
-
|
||||
if (einfo->flags & XT_SCTP_SRC_PORTS) {
|
||||
if (einfo->spts[0] != einfo->spts[1])
|
||||
- xt_xlate_add(xl, "sport%s %u-%u",
|
||||
+ xt_xlate_add(xl, "sctp sport%s %u-%u",
|
||||
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
|
||||
einfo->spts[0], einfo->spts[1]);
|
||||
else
|
||||
- xt_xlate_add(xl, "sport%s %u",
|
||||
+ xt_xlate_add(xl, "sctp sport%s %u",
|
||||
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
|
||||
einfo->spts[0]);
|
||||
space = " ";
|
||||
@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
|
||||
|
||||
if (einfo->flags & XT_SCTP_DEST_PORTS) {
|
||||
if (einfo->dpts[0] != einfo->dpts[1])
|
||||
- xt_xlate_add(xl, "%sdport%s %u-%u", space,
|
||||
+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
|
||||
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
||||
einfo->dpts[0], einfo->dpts[1]);
|
||||
else
|
||||
- xt_xlate_add(xl, "%sdport%s %u", space,
|
||||
+ xt_xlate_add(xl, "%ssctp dport%s %u", space,
|
||||
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
||||
einfo->dpts[0]);
|
||||
}
|
||||
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
|
||||
index 72f4641ab021c..0d6c59e183675 100644
|
||||
--- a/extensions/libxt_sctp.txlate
|
||||
+++ b/extensions/libxt_sctp.txlate
|
||||
@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
|
||||
nft add rule ip filter INPUT sctp dport != 50-56 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,211 +0,0 @@
|
||||
From 743bcc5a632c7f5058ac03794f82b7ba52091cea Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 25 Mar 2021 16:24:39 +0100
|
||||
Subject: [PATCH] nft: cache: Sort chains on demand only
|
||||
|
||||
Mandatory sorted insert of chains into cache significantly slows down
|
||||
restoring of large rulesets. Since the sorted list of user-defined
|
||||
chains is needed for listing and verbose output only, introduce
|
||||
nft_cache_sort_chains() and call it where needed.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit fdf64dcdace989589bac441805082e3b1fe6a915)
|
||||
---
|
||||
iptables/nft-cache.c | 71 +++++++++++++++++++++++++++++++++--------
|
||||
iptables/nft-cache.h | 1 +
|
||||
iptables/nft.c | 12 +++++++
|
||||
iptables/nft.h | 1 +
|
||||
iptables/xtables-save.c | 1 +
|
||||
5 files changed, 73 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||||
index 7fd78654b280a..2c88301cc7445 100644
|
||||
--- a/iptables/nft-cache.c
|
||||
+++ b/iptables/nft-cache.c
|
||||
@@ -223,24 +223,67 @@ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
|
||||
|
||||
h->cache->table[t->type].base_chains[hooknum] = nc;
|
||||
} else {
|
||||
- struct nft_chain_list *clist = h->cache->table[t->type].chains;
|
||||
- struct list_head *pos = &clist->list;
|
||||
- struct nft_chain *cur;
|
||||
- const char *n;
|
||||
-
|
||||
- list_for_each_entry(cur, &clist->list, head) {
|
||||
- n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME);
|
||||
- if (strcmp(cname, n) <= 0) {
|
||||
- pos = &cur->head;
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
- list_add_tail(&nc->head, pos);
|
||||
+ list_add_tail(&nc->head,
|
||||
+ &h->cache->table[t->type].chains->list);
|
||||
}
|
||||
hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname));
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static void __nft_chain_list_sort(struct list_head *list,
|
||||
+ int (*cmp)(struct nft_chain *a,
|
||||
+ struct nft_chain *b))
|
||||
+{
|
||||
+ struct nft_chain *pivot, *cur, *sav;
|
||||
+ LIST_HEAD(sublist);
|
||||
+
|
||||
+ if (list_empty(list))
|
||||
+ return;
|
||||
+
|
||||
+ /* grab first item as pivot (dividing) value */
|
||||
+ pivot = list_entry(list->next, struct nft_chain, head);
|
||||
+ list_del(&pivot->head);
|
||||
+
|
||||
+ /* move any smaller value into sublist */
|
||||
+ list_for_each_entry_safe(cur, sav, list, head) {
|
||||
+ if (cmp(pivot, cur) > 0) {
|
||||
+ list_del(&cur->head);
|
||||
+ list_add_tail(&cur->head, &sublist);
|
||||
+ }
|
||||
+ }
|
||||
+ /* conquer divided */
|
||||
+ __nft_chain_list_sort(&sublist, cmp);
|
||||
+ __nft_chain_list_sort(list, cmp);
|
||||
+
|
||||
+ /* merge divided and pivot again */
|
||||
+ list_add_tail(&pivot->head, &sublist);
|
||||
+ list_splice(&sublist, list);
|
||||
+}
|
||||
+
|
||||
+static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b)
|
||||
+{
|
||||
+ const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME);
|
||||
+ const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME);
|
||||
+
|
||||
+ return strcmp(aname, bname);
|
||||
+}
|
||||
+
|
||||
+int nft_cache_sort_chains(struct nft_handle *h, const char *table)
|
||||
+{
|
||||
+ const struct builtin_table *t = nft_table_builtin_find(h, table);
|
||||
+
|
||||
+ if (!t)
|
||||
+ return -1;
|
||||
+
|
||||
+ if (h->cache->table[t->type].sorted)
|
||||
+ return 0;
|
||||
+
|
||||
+ __nft_chain_list_sort(&h->cache->table[t->type].chains->list,
|
||||
+ nft_chain_cmp_byname);
|
||||
+ h->cache->table[t->type].sorted = true;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
struct nftnl_chain_list_cb_data {
|
||||
struct nft_handle *h;
|
||||
const struct builtin_table *t;
|
||||
@@ -663,6 +706,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
|
||||
|
||||
flush_base_chain_cache(c->table[table->type].base_chains);
|
||||
nft_chain_foreach(h, tablename, __flush_chain_cache, NULL);
|
||||
+ c->table[table->type].sorted = false;
|
||||
|
||||
if (c->table[table->type].sets)
|
||||
nftnl_set_list_foreach(c->table[table->type].sets,
|
||||
@@ -678,6 +722,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
|
||||
if (c->table[i].chains) {
|
||||
nft_chain_list_free(c->table[i].chains);
|
||||
c->table[i].chains = NULL;
|
||||
+ c->table[i].sorted = false;
|
||||
}
|
||||
|
||||
if (c->table[i].sets) {
|
||||
diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h
|
||||
index 20d96beede876..58a015265056c 100644
|
||||
--- a/iptables/nft-cache.h
|
||||
+++ b/iptables/nft-cache.h
|
||||
@@ -16,6 +16,7 @@ int flush_rule_cache(struct nft_handle *h, const char *table,
|
||||
void nft_cache_build(struct nft_handle *h);
|
||||
int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
|
||||
struct nftnl_chain *c);
|
||||
+int nft_cache_sort_chains(struct nft_handle *h, const char *table);
|
||||
|
||||
struct nft_chain *
|
||||
nft_chain_find(struct nft_handle *h, const char *table, const char *chain);
|
||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||
index bde4ca72d3fcc..8b14daeaed610 100644
|
||||
--- a/iptables/nft.c
|
||||
+++ b/iptables/nft.c
|
||||
@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
|
||||
return 1;
|
||||
}
|
||||
|
||||
+ nft_cache_sort_chains(h, table);
|
||||
+
|
||||
ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d);
|
||||
|
||||
/* the core expects 1 for success and 0 for error */
|
||||
@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain,
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (verbose)
|
||||
+ nft_cache_sort_chains(h, table);
|
||||
+
|
||||
ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d);
|
||||
out:
|
||||
/* the core expects 1 for success and 0 for error */
|
||||
@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
|
||||
return 1;
|
||||
}
|
||||
|
||||
+ nft_cache_sort_chains(h, table);
|
||||
+
|
||||
if (ops->print_table_header)
|
||||
ops->print_table_header(table);
|
||||
|
||||
@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
|
||||
return nft_rule_list_cb(c, &d);
|
||||
}
|
||||
|
||||
+ nft_cache_sort_chains(h, table);
|
||||
+
|
||||
/* Dump policies and custom chains first */
|
||||
nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters);
|
||||
|
||||
@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ if (verbose)
|
||||
+ nft_cache_sort_chains(h, table);
|
||||
+
|
||||
ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d);
|
||||
err:
|
||||
/* the core expects 1 for success and 0 for error */
|
||||
diff --git a/iptables/nft.h b/iptables/nft.h
|
||||
index 0910f82a2773c..4ac7e0099d567 100644
|
||||
--- a/iptables/nft.h
|
||||
+++ b/iptables/nft.h
|
||||
@@ -44,6 +44,7 @@ struct nft_cache {
|
||||
struct nft_chain_list *chains;
|
||||
struct nftnl_set_list *sets;
|
||||
bool exists;
|
||||
+ bool sorted;
|
||||
} table[NFT_TABLE_MAX];
|
||||
};
|
||||
|
||||
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
|
||||
index d7901c650ea70..cfce0472f3ee8 100644
|
||||
--- a/iptables/xtables-save.c
|
||||
+++ b/iptables/xtables-save.c
|
||||
@@ -87,6 +87,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data)
|
||||
printf("*%s\n", tablename);
|
||||
/* Dump out chain names first,
|
||||
* thereby preventing dependency conflicts */
|
||||
+ nft_cache_sort_chains(h, tablename);
|
||||
nft_chain_foreach(h, tablename, nft_chain_save, h);
|
||||
nft_rule_save(h, tablename, d->format);
|
||||
if (d->commit)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,56 +0,0 @@
|
||||
From 663151585d25996baee985b9b77b58627de16531 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 6 Apr 2021 10:51:20 +0200
|
||||
Subject: [PATCH] nft: Increase BATCH_PAGE_SIZE to support huge rulesets
|
||||
|
||||
In order to support the same ruleset sizes as legacy iptables, the
|
||||
kernel's limit of 1024 iovecs has to be overcome. Therefore increase
|
||||
each iovec's size from 128KB to 2MB.
|
||||
|
||||
While being at it, add a log message for failing sendmsg() call. This is
|
||||
not supposed to happen, even if the transaction fails. Yet if it does,
|
||||
users are left with only a "line XXX failed" message (with line number
|
||||
being the COMMIT line).
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit a3e81c62e8c5abb4158f1f66df6bbcffd1b33240)
|
||||
---
|
||||
iptables/nft.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||
index 8b14daeaed610..f1deb82f87576 100644
|
||||
--- a/iptables/nft.c
|
||||
+++ b/iptables/nft.c
|
||||
@@ -88,11 +88,11 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
|
||||
|
||||
#define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize())
|
||||
|
||||
-/* selected batch page is 256 Kbytes long to load ruleset of
|
||||
- * half a million rules without hitting -EMSGSIZE due to large
|
||||
- * iovec.
|
||||
+/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M
|
||||
+ * rules matching on source and destination address as well as input and output
|
||||
+ * interfaces. This is what legacy iptables supports.
|
||||
*/
|
||||
-#define BATCH_PAGE_SIZE getpagesize() * 32
|
||||
+#define BATCH_PAGE_SIZE 2 * 1024 * 1024
|
||||
|
||||
static struct nftnl_batch *mnl_batch_init(void)
|
||||
{
|
||||
@@ -220,8 +220,10 @@ static int mnl_batch_talk(struct nft_handle *h, int numcmds)
|
||||
int err = 0;
|
||||
|
||||
ret = mnl_nft_socket_sendmsg(h, numcmds);
|
||||
- if (ret == -1)
|
||||
+ if (ret == -1) {
|
||||
+ fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));
|
||||
return -1;
|
||||
+ }
|
||||
|
||||
FD_ZERO(&readfds);
|
||||
FD_SET(fd, &readfds);
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,31 +0,0 @@
|
||||
From 000c159641522abf56ccb4deebfc558e8bb41302 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 31 Aug 2021 12:26:20 +0200
|
||||
Subject: [PATCH] nft: Use xtables_malloc() in mnl_err_list_node_add()
|
||||
|
||||
The function called malloc() without checking for memory allocation
|
||||
failure. Simply replace the call by xtables_malloc() to fix that.
|
||||
|
||||
Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit ca11c7b7036b5821c17b8d08dc2a29f55b461a93)
|
||||
---
|
||||
iptables/nft.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||
index f1deb82f87576..83054e528cae1 100644
|
||||
--- a/iptables/nft.c
|
||||
+++ b/iptables/nft.c
|
||||
@@ -143,7 +143,7 @@ struct mnl_err {
|
||||
static void mnl_err_list_node_add(struct list_head *err_list, int error,
|
||||
int seqnum)
|
||||
{
|
||||
- struct mnl_err *err = malloc(sizeof(struct mnl_err));
|
||||
+ struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));
|
||||
|
||||
err->seqnum = seqnum;
|
||||
err->err = error;
|
||||
--
|
||||
2.33.0
|
||||
|
@ -1,130 +0,0 @@
|
||||
From f73416517ac7bb6868ff4c0199fcd4327c9dffa5 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 28 Jul 2021 17:53:53 +0200
|
||||
Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options
|
||||
|
||||
Drop any reference to them (and the environment variable) but list them
|
||||
in BUGS section hinting at ebtables-save and -restore tools.
|
||||
|
||||
Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39)
|
||||
---
|
||||
iptables/ebtables-nft.8 | 64 ++++++-----------------------------------
|
||||
1 file changed, 8 insertions(+), 56 deletions(-)
|
||||
|
||||
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
|
||||
index 5bdc0bb8a939e..85f6738d7d1aa 100644
|
||||
--- a/iptables/ebtables-nft.8
|
||||
+++ b/iptables/ebtables-nft.8
|
||||
@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
|
||||
.br
|
||||
.BR "ebtables " [ -t " table ] " --init-table
|
||||
.br
|
||||
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
|
||||
-.br
|
||||
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
|
||||
-.br
|
||||
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
|
||||
-.br
|
||||
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
@@ -162,11 +156,9 @@ a table, the commands apply to the default filter table.
|
||||
Only one command may be used on the command line at a time, except when
|
||||
the commands
|
||||
.BR -L " and " -Z
|
||||
-are combined, the commands
|
||||
+are combined or the commands
|
||||
.BR -N " and " -P
|
||||
-are combined, or when
|
||||
-.B --atomic-file
|
||||
-is used.
|
||||
+are combined.
|
||||
.TP
|
||||
.B "-A, --append"
|
||||
Append a rule to the end of the selected chain.
|
||||
@@ -326,39 +318,6 @@ of the ebtables kernel table.
|
||||
.TP
|
||||
.B "--init-table"
|
||||
Replace the current table data by the initial table data.
|
||||
-.TP
|
||||
-.B "--atomic-init"
|
||||
-Copy the kernel's initial data of the table to the specified
|
||||
-file. This can be used as the first action, after which rules are added
|
||||
-to the file. The file can be specified using the
|
||||
-.B --atomic-file
|
||||
-command or through the
|
||||
-.IR EBTABLES_ATOMIC_FILE " environment variable."
|
||||
-.TP
|
||||
-.B "--atomic-save"
|
||||
-Copy the kernel's current data of the table to the specified
|
||||
-file. This can be used as the first action, after which rules are added
|
||||
-to the file. The file can be specified using the
|
||||
-.B --atomic-file
|
||||
-command or through the
|
||||
-.IR EBTABLES_ATOMIC_FILE " environment variable."
|
||||
-.TP
|
||||
-.B "--atomic-commit"
|
||||
-Replace the kernel table data with the data contained in the specified
|
||||
-file. This is a useful command that allows you to load all your rules of a
|
||||
-certain table into the kernel at once, saving the kernel a lot of precious
|
||||
-time and allowing atomic updates of the tables. The file which contains
|
||||
-the table data is constructed by using either the
|
||||
-.B "--atomic-init"
|
||||
-or the
|
||||
-.B "--atomic-save"
|
||||
-command to generate a starting file. After that, using the
|
||||
-.B "--atomic-file"
|
||||
-command when constructing rules or setting the
|
||||
-.IR EBTABLES_ATOMIC_FILE " environment variable"
|
||||
-allows you to extend the file and build the complete table before
|
||||
-committing it to the kernel. This command can be very useful in boot scripts
|
||||
-to populate the ebtables tables in a fast way.
|
||||
.SS MISCELLANOUS COMMANDS
|
||||
.TP
|
||||
.B "-V, --version"
|
||||
@@ -384,16 +343,6 @@ a target extension (see
|
||||
.BR "TARGET EXTENSIONS" ")"
|
||||
or a user-defined chain name.
|
||||
.TP
|
||||
-.B --atomic-file "\fIfile\fP"
|
||||
-Let the command operate on the specified
|
||||
-.IR file .
|
||||
-The data of the table to
|
||||
-operate on will be extracted from the file and the result of the operation
|
||||
-will be saved back into the file. If specified, this option should come
|
||||
-before the command specification. An alternative that should be preferred,
|
||||
-is setting the
|
||||
-.IR EBTABLES_ATOMIC_FILE " environment variable."
|
||||
-.TP
|
||||
.B -M, --modprobe "\fIprogram\fP"
|
||||
When talking to the kernel, use this
|
||||
.I program
|
||||
@@ -1113,8 +1062,6 @@ arp message and the hardware address length in the arp header is 6 bytes.
|
||||
.br
|
||||
.SH FILES
|
||||
.I /etc/ethertypes
|
||||
-.SH ENVIRONMENT VARIABLES
|
||||
-.I EBTABLES_ATOMIC_FILE
|
||||
.SH MAILINGLISTS
|
||||
.BR "" "See " http://netfilter.org/mailinglists.html
|
||||
.SH BUGS
|
||||
@@ -1122,7 +1069,12 @@ The version of ebtables this man page ships with does not support the
|
||||
.B broute
|
||||
table. Also there is no support for
|
||||
.B string
|
||||
-match. And finally, this list is probably not complete.
|
||||
+match. Further, support for atomic-options
|
||||
+.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit )
|
||||
+has not been implemented, although
|
||||
+.BR ebtables-save " and " ebtables-restore
|
||||
+might replace them entirely given the inherent atomicity of nftables.
|
||||
+Finally, this list is probably not complete.
|
||||
.SH SEE ALSO
|
||||
.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
|
||||
.PP
|
||||
--
|
||||
2.33.0
|
||||
|
@ -1,102 +0,0 @@
|
||||
From cb68daac1f24c94a48450a683a5f765dc00da164 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 30 Jul 2021 12:25:10 +0200
|
||||
Subject: [PATCH] ebtables: Dump atomic waste
|
||||
|
||||
With ebtables-nft.8 now educating people about the missing
|
||||
functionality, get rid of atomic remains in source code. This eliminates
|
||||
mostly comments except for --atomic-commit which was treated as alias of
|
||||
--init-table. People not using the latter are probably trying to
|
||||
atomic-commit from an atomic-file which in turn is not supported, so no
|
||||
point keeping it.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0)
|
||||
---
|
||||
iptables/xtables-eb.c | 53 -------------------------------------------
|
||||
1 file changed, 53 deletions(-)
|
||||
|
||||
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
||||
index 5bb34d6d292a9..aeb4d92166431 100644
|
||||
--- a/iptables/xtables-eb.c
|
||||
+++ b/iptables/xtables-eb.c
|
||||
@@ -211,10 +211,6 @@ struct option ebt_original_options[] =
|
||||
{ "new-chain" , required_argument, 0, 'N' },
|
||||
{ "rename-chain" , required_argument, 0, 'E' },
|
||||
{ "delete-chain" , optional_argument, 0, 'X' },
|
||||
- { "atomic-init" , no_argument , 0, 7 },
|
||||
- { "atomic-commit" , no_argument , 0, 8 },
|
||||
- { "atomic-file" , required_argument, 0, 9 },
|
||||
- { "atomic-save" , no_argument , 0, 10 },
|
||||
{ "init-table" , no_argument , 0, 11 },
|
||||
{ "concurrent" , no_argument , 0, 13 },
|
||||
{ 0 }
|
||||
@@ -320,10 +316,6 @@ static void print_help(const struct xtables_target *t,
|
||||
"--new-chain -N chain : create a user defined chain\n"
|
||||
"--rename-chain -E old new : rename a chain\n"
|
||||
"--delete-chain -X [chain] : delete a user defined chain\n"
|
||||
-"--atomic-commit : update the kernel w/t table contained in <FILE>\n"
|
||||
-"--atomic-init : put the initial kernel table into <FILE>\n"
|
||||
-"--atomic-save : put the current kernel table into <FILE>\n"
|
||||
-"--atomic-file file : set <FILE> to file\n\n"
|
||||
"Options:\n"
|
||||
"--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n"
|
||||
"--src -s [!] address[/mask]: source mac address\n"
|
||||
@@ -1088,54 +1080,9 @@ print_zero:
|
||||
"Use --Lmac2 with -L");
|
||||
flags |= LIST_MAC2;
|
||||
break;
|
||||
- case 8 : /* atomic-commit */
|
||||
-/*
|
||||
- replace->command = c;
|
||||
- if (OPT_COMMANDS)
|
||||
- ebt_print_error2("Multiple commands are not allowed");
|
||||
- replace->flags |= OPT_COMMAND;
|
||||
- if (!replace->filename)
|
||||
- ebt_print_error2("No atomic file specified");*/
|
||||
- /* Get the information from the file */
|
||||
- /*ebt_get_table(replace, 0);*/
|
||||
- /* We don't want the kernel giving us its counters,
|
||||
- * they would overwrite the counters extracted from
|
||||
- * the file */
|
||||
- /*replace->num_counters = 0;*/
|
||||
- /* Make sure the table will be written to the kernel */
|
||||
- /*free(replace->filename);
|
||||
- replace->filename = NULL;
|
||||
- break;*/
|
||||
- /*case 7 :*/ /* atomic-init */
|
||||
- /*case 10:*/ /* atomic-save */
|
||||
case 11: /* init-table */
|
||||
nft_cmd_table_flush(h, *table, false);
|
||||
return 1;
|
||||
- /*
|
||||
- replace->command = c;
|
||||
- if (OPT_COMMANDS)
|
||||
- ebt_print_error2("Multiple commands are not allowed");
|
||||
- if (c != 11 && !replace->filename)
|
||||
- ebt_print_error2("No atomic file specified");
|
||||
- replace->flags |= OPT_COMMAND;
|
||||
- {
|
||||
- char *tmp = replace->filename;*/
|
||||
-
|
||||
- /* Get the kernel table */
|
||||
- /*replace->filename = NULL;
|
||||
- ebt_get_kernel_table(replace, c == 10 ? 0 : 1);
|
||||
- replace->filename = tmp;
|
||||
- }
|
||||
- break;
|
||||
- case 9 :*/ /* atomic */
|
||||
- /*
|
||||
- if (OPT_COMMANDS)
|
||||
- ebt_print_error2("--atomic has to come before the command");*/
|
||||
- /* A possible memory leak here, but this is not
|
||||
- * executed in daemon mode */
|
||||
- /*replace->filename = (char *)malloc(strlen(optarg) + 1);
|
||||
- strcpy(replace->filename, optarg);
|
||||
- break; */
|
||||
case 13 :
|
||||
break;
|
||||
case 1 :
|
||||
--
|
||||
2.33.0
|
||||
|
@ -1,31 +0,0 @@
|
||||
From 5b88835a68a886f58c230599a82a6588f6fc5214 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 3 Aug 2021 10:55:20 +0200
|
||||
Subject: [PATCH] nft: Fix for non-verbose check command
|
||||
|
||||
Check command was unconditionally verbose since v1.8.5. Make it respect
|
||||
--verbose option again.
|
||||
|
||||
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0)
|
||||
---
|
||||
iptables/nft.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/iptables/nft.c b/iptables/nft.c
|
||||
index 83054e528cae1..a470939db54fb 100644
|
||||
--- a/iptables/nft.c
|
||||
+++ b/iptables/nft.c
|
||||
@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
|
||||
case NFT_COMPAT_RULE_CHECK:
|
||||
assert_chain_exists(h, cmd->table, cmd->jumpto);
|
||||
ret = nft_rule_check(h, cmd->chain, cmd->table,
|
||||
- cmd->obj.rule, cmd->rulenum);
|
||||
+ cmd->obj.rule, cmd->verbose);
|
||||
break;
|
||||
case NFT_COMPAT_RULE_ZERO:
|
||||
ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
|
||||
--
|
||||
2.33.0
|
||||
|
@ -1,39 +0,0 @@
|
||||
From 5d5c82f9bbdc8326132333f7713dfb5d457aafab Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 3 Aug 2021 11:32:34 +0200
|
||||
Subject: [PATCH] tests/shell: Assert non-verbose mode is silent
|
||||
|
||||
Unexpected output from iptables commands might mess up error-checking in
|
||||
scripts for instance, so do a quick test of the most common commands.
|
||||
|
||||
Note: Test adds two rules to make sure flush command operates on a
|
||||
non-empty chain.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 8629c53f933a16f1d68d19fb163c879453a3dcf2)
|
||||
---
|
||||
.../shell/testcases/iptables/0002-verbose-output_0 | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
|
||||
index b1ef91f61f481..5d2af4c8d2ab2 100755
|
||||
--- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
|
||||
+++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
|
||||
@@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar)
|
||||
diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar)
|
||||
|
||||
diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar)
|
||||
+
|
||||
+# make sure non-verbose mode is silent
|
||||
+diff -u <(echo -n "") <(
|
||||
+ $XT_MULTI iptables -N foobar
|
||||
+ $XT_MULTI iptables -A foobar $RULE1
|
||||
+ $XT_MULTI iptables -A foobar $RULE2
|
||||
+ $XT_MULTI iptables -C foobar $RULE1
|
||||
+ $XT_MULTI iptables -D foobar $RULE2
|
||||
+ $XT_MULTI iptables -F foobar
|
||||
+ $XT_MULTI iptables -X foobar
|
||||
+)
|
||||
--
|
||||
2.33.0
|
||||
|
@ -1,177 +0,0 @@
|
||||
From 6415593af4223ea082e0086ec1088f0eacfbce78 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 29 Apr 2021 15:28:59 +0200
|
||||
Subject: [PATCH] extensions: SECMARK: Implement revision 1
|
||||
|
||||
The changed data structure for communication with kernel allows to
|
||||
exclude the field 'secid' which is populated on kernel side. Thus
|
||||
this fixes the formerly always failing extension comparison breaking
|
||||
rule check and rule delete by content.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
|
||||
---
|
||||
extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
|
||||
extensions/libxt_SECMARK.t | 4 ++
|
||||
include/linux/netfilter/xt_SECMARK.h | 6 ++
|
||||
3 files changed, 80 insertions(+), 20 deletions(-)
|
||||
create mode 100644 extensions/libxt_SECMARK.t
|
||||
|
||||
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
|
||||
index 6ba8606355daa..24249bd618ffe 100644
|
||||
--- a/extensions/libxt_SECMARK.c
|
||||
+++ b/extensions/libxt_SECMARK.c
|
||||
@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
|
||||
XTOPT_TABLEEND,
|
||||
};
|
||||
|
||||
+static const struct xt_option_entry SECMARK_opts_v1[] = {
|
||||
+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
|
||||
+ .flags = XTOPT_MAND | XTOPT_PUT,
|
||||
+ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
|
||||
+ XTOPT_TABLEEND,
|
||||
+};
|
||||
+
|
||||
static void SECMARK_parse(struct xt_option_call *cb)
|
||||
{
|
||||
struct xt_secmark_target_info *info = cb->data;
|
||||
@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
|
||||
info->mode = SECMARK_MODE_SEL;
|
||||
}
|
||||
|
||||
-static void print_secmark(const struct xt_secmark_target_info *info)
|
||||
+static void SECMARK_parse_v1(struct xt_option_call *cb)
|
||||
+{
|
||||
+ struct xt_secmark_target_info_v1 *info = cb->data;
|
||||
+
|
||||
+ xtables_option_parse(cb);
|
||||
+ info->mode = SECMARK_MODE_SEL;
|
||||
+}
|
||||
+
|
||||
+static void print_secmark(__u8 mode, const char *secctx)
|
||||
{
|
||||
- switch (info->mode) {
|
||||
+ switch (mode) {
|
||||
case SECMARK_MODE_SEL:
|
||||
- printf("selctx %s", info->secctx);
|
||||
+ printf("selctx %s", secctx);
|
||||
break;
|
||||
-
|
||||
+
|
||||
default:
|
||||
- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
|
||||
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
|
||||
(struct xt_secmark_target_info*)(target)->data;
|
||||
|
||||
printf(" SECMARK ");
|
||||
- print_secmark(info);
|
||||
+ print_secmark(info->mode, info->secctx);
|
||||
+}
|
||||
+
|
||||
+static void SECMARK_print_v1(const void *ip,
|
||||
+ const struct xt_entry_target *target, int numeric)
|
||||
+{
|
||||
+ const struct xt_secmark_target_info_v1 *info =
|
||||
+ (struct xt_secmark_target_info_v1 *)(target)->data;
|
||||
+
|
||||
+ printf(" SECMARK ");
|
||||
+ print_secmark(info->mode, info->secctx);
|
||||
}
|
||||
|
||||
static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
|
||||
@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
|
||||
(struct xt_secmark_target_info*)target->data;
|
||||
|
||||
printf(" --");
|
||||
- print_secmark(info);
|
||||
+ print_secmark(info->mode, info->secctx);
|
||||
}
|
||||
|
||||
-static struct xtables_target secmark_target = {
|
||||
- .family = NFPROTO_UNSPEC,
|
||||
- .name = "SECMARK",
|
||||
- .version = XTABLES_VERSION,
|
||||
- .revision = 0,
|
||||
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||||
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||||
- .help = SECMARK_help,
|
||||
- .print = SECMARK_print,
|
||||
- .save = SECMARK_save,
|
||||
- .x6_parse = SECMARK_parse,
|
||||
- .x6_options = SECMARK_opts,
|
||||
+static void SECMARK_save_v1(const void *ip,
|
||||
+ const struct xt_entry_target *target)
|
||||
+{
|
||||
+ const struct xt_secmark_target_info_v1 *info =
|
||||
+ (struct xt_secmark_target_info_v1 *)target->data;
|
||||
+
|
||||
+ printf(" --");
|
||||
+ print_secmark(info->mode, info->secctx);
|
||||
+}
|
||||
+
|
||||
+static struct xtables_target secmark_tg_reg[] = {
|
||||
+ {
|
||||
+ .family = NFPROTO_UNSPEC,
|
||||
+ .name = "SECMARK",
|
||||
+ .version = XTABLES_VERSION,
|
||||
+ .revision = 0,
|
||||
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||||
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||||
+ .help = SECMARK_help,
|
||||
+ .print = SECMARK_print,
|
||||
+ .save = SECMARK_save,
|
||||
+ .x6_parse = SECMARK_parse,
|
||||
+ .x6_options = SECMARK_opts,
|
||||
+ },
|
||||
+ {
|
||||
+ .family = NFPROTO_UNSPEC,
|
||||
+ .name = "SECMARK",
|
||||
+ .version = XTABLES_VERSION,
|
||||
+ .revision = 1,
|
||||
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
|
||||
+ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
|
||||
+ .help = SECMARK_help,
|
||||
+ .print = SECMARK_print_v1,
|
||||
+ .save = SECMARK_save_v1,
|
||||
+ .x6_parse = SECMARK_parse_v1,
|
||||
+ .x6_options = SECMARK_opts_v1,
|
||||
+ }
|
||||
};
|
||||
|
||||
void _init(void)
|
||||
{
|
||||
- xtables_register_target(&secmark_target);
|
||||
+ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
|
||||
}
|
||||
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
|
||||
new file mode 100644
|
||||
index 0000000000000..39d4c09348bf4
|
||||
--- /dev/null
|
||||
+++ b/extensions/libxt_SECMARK.t
|
||||
@@ -0,0 +1,4 @@
|
||||
+:INPUT,FORWARD,OUTPUT
|
||||
+*security
|
||||
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
|
||||
+-j SECMARK;;FAIL
|
||||
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
|
||||
index 989092bd6274b..31760a286a854 100644
|
||||
--- a/include/linux/netfilter/xt_SECMARK.h
|
||||
+++ b/include/linux/netfilter/xt_SECMARK.h
|
||||
@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
|
||||
char secctx[SECMARK_SECCTX_MAX];
|
||||
};
|
||||
|
||||
+struct xt_secmark_target_info_v1 {
|
||||
+ __u8 mode;
|
||||
+ char secctx[SECMARK_SECCTX_MAX];
|
||||
+ __u32 secid;
|
||||
+};
|
||||
+
|
||||
#endif /*_XT_SECMARK_H_target */
|
||||
--
|
||||
2.34.1
|
||||
|
@ -15,8 +15,8 @@
|
||||
Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: https://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.7
|
||||
Release: 28%{?dist}
|
||||
Version: 1.8.8
|
||||
Release: 4%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
@ -29,32 +29,12 @@ Source8: ebtables-helper
|
||||
Source9: ebtables.service
|
||||
Source10: ebtables-config
|
||||
|
||||
Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
|
||||
Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
|
||||
Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
|
||||
Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
|
||||
Patch5: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
|
||||
Patch6: 0006-extensions-libebt_ip6-Drop-unused-variables.patch
|
||||
Patch7: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
|
||||
Patch8: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
|
||||
Patch9: 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
|
||||
Patch10: 0010-iptables-apply-Drop-unused-variable.patch
|
||||
Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
|
||||
Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
|
||||
Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
|
||||
Patch14: 0014-iptables-nft-fix-Z-option.patch
|
||||
Patch15: 0015-nft-Fix-bitwise-expression-avoidance-detection.patch
|
||||
Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch
|
||||
Patch17: 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
||||
Patch18: 0018-nft-cache-Sort-chains-on-demand-only.patch
|
||||
Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
|
||||
Patch20: 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
|
||||
Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
|
||||
Patch22: 0022-ebtables-Dump-atomic-waste.patch
|
||||
Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
|
||||
Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
|
||||
Patch25: 0025-extensions-SECMARK-Implement-revision-1.patch
|
||||
Patch26: 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||
Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
||||
Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||
Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch
|
||||
Patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
|
||||
Patch05: 0005-arptables-Support-x-exact-flag.patch
|
||||
Patch06: 0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
|
||||
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic 2.0
|
||||
@ -72,7 +52,7 @@ BuildRequires: bison
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc
|
||||
BuildRequires: pkgconfig(libmnl) >= 1.0
|
||||
BuildRequires: pkgconfig(libnftnl) >= 1.1.5
|
||||
BuildRequires: pkgconfig(libnftnl) >= 1.1.6
|
||||
# libpcap-devel for nfbpf_compile
|
||||
BuildRequires: libpcap-devel
|
||||
BuildRequires: autoconf
|
||||
@ -470,6 +450,30 @@ fi
|
||||
%ghost %{_mandir}/man8/ebtables.8.gz
|
||||
|
||||
%changelog
|
||||
* Tue Jul 05 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-4
|
||||
- libxtables: Fix unsupported extension warning corner case
|
||||
|
||||
* Wed Jun 08 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-3
|
||||
- arptables: Support -x/--exact flag
|
||||
|
||||
* Thu Jun 02 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-2
|
||||
- tests: shell: Check overhead in iptables-save and -restore
|
||||
|
||||
* Fri May 13 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-1
|
||||
- new version
|
||||
|
||||
* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-30
|
||||
- Use proto_to_name() from xshared in more places
|
||||
|
||||
* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-29
|
||||
- libxtables: Boost rule target checks by announcing chain names
|
||||
- libxtables: Implement notargets hash table
|
||||
- nft: Reject standard targets as chain names when restoring
|
||||
- xshared: Merge and share parse_chain()
|
||||
- xshared: Prefer xtables_chain_protos lookup over getprotoent
|
||||
- nft: Speed up immediate parsing
|
||||
- nft: Simplify immediate parsing
|
||||
|
||||
* Wed Feb 16 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-28
|
||||
- extensions: SECMARK: Use a better context in test case
|
||||
|
||||
|
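Review bot: The hunk at `@ -29,32 +29,12 @@` drops all 26 downstream patches (Patch1 through Patch26) and replaces them with six, but nothing in the spec records that each dropped patch is contained in the 1.8.8 tarball; for a rebase that removes fixes such as `0025-extensions-SECMARK-Implement-revision-1.patch` (which repaired rule check and delete by content) and `0023-nft-Fix-for-non-verbose-check-command.patch`, a short note in the 1.8.8-1 changelog entry, for example `- new version (patches 1-26 dropped, all contained upstream)`, would let a later auditor verify the rebase without re-deriving it. The deleted patch files carry their upstream ids in `(cherry picked from commit …)` trailers, so the check against the 1.8.8 tag is mechanical. Separately, the changelog hunk at `@ -470,6 +450,30 @@` adds entries for 1.8.7-29 and 1.8.7-30 although the previous Release in this branch was 28, which suggests two builds were imported without their own commits; if so, stating that in those entries would make the gap in this repository's history explicit.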