From 806586224b70d811dc7e98006b71bc2356cf91cc Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 27 Sep 2022 09:56:33 -0400 Subject: [PATCH] import iptables-1.8.8-4.el9 --- .gitignore | 2 +- .iptables.metadata | 2 +- ...on-notices-to-all-relevant-man-page.patch} | 22 +- ...it-gracefully-on-invalid-table-names.patch | 51 -- ...K-Use-a-better-context-in-test-case.patch} | 2 +- ...late-Fix-translation-of-odd-netmasks.patch | 196 ------- ...03-Eliminate-inet_aton-and-inet_ntoa.patch | 120 ---- ...Fix-build-for-Werror-format-security.patch | 29 + ...-arp-Make-use-of-ipv4_addr_to_string.patch | 181 ------ ...k-overhead-in-iptables-save-and-rest.patch | 61 ++ .../0005-arptables-Support-x-exact-flag.patch | 33 ++ ...leftover-variable-in-xtables_numeric.patch | 33 -- ...ons-libebt_ip6-Drop-unused-variables.patch | 49 -- ...nsupported-extension-warning-corner-.patch | 91 +++ ...-Fix-memleak-in-xtopt_parse_hostmask.patch | 29 - ...memleak-in-error-path-of-nft_cmd_new.patch | 34 -- ...er-size-warnings-copying-iface-names.patch | 56 -- ...-iptables-apply-Drop-unused-variable.patch | 29 - ...-libebt_ip6-Use-xtables_ip6parse_any.patch | 109 ---- ...duce-xtables_strdup-and-use-it-every.patch | 554 ------------------ ..._string-Avoid-buffer-size-warning-fo.patch | 31 - SOURCES/0014-iptables-nft-fix-Z-option.patch | 104 ---- ...twise-expression-avoidance-detection.patch | 73 --- ...nsions-sctp-Fix-nftables-translation.patch | 80 --- ...nft-cache-Sort-chains-on-demand-only.patch | 211 ------- ...CH_PAGE_SIZE-to-support-huge-ruleset.patch | 56 -- ...bles_malloc-in-mnl_err_list_node_add.patch | 31 - ....8-Adjust-for-missing-atomic-options.patch | 130 ---- SOURCES/0022-ebtables-Dump-atomic-waste.patch | 102 ---- ...ft-Fix-for-non-verbose-check-command.patch | 31 - ...ll-Assert-non-verbose-mode-is-silent.patch | 39 -- ...ensions-SECMARK-Implement-revision-1.patch | 177 ------ SPECS/iptables.spec | 62 +- 33 files changed, 261 insertions(+), 2549 deletions(-) rename SOURCES/{0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch => 
0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch} (95%) delete mode 100644 SOURCES/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch rename SOURCES/{0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch => 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch} (92%) delete mode 100644 SOURCES/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch delete mode 100644 SOURCES/0003-Eliminate-inet_aton-and-inet_ntoa.patch create mode 100644 SOURCES/0003-xshared-Fix-build-for-Werror-format-security.patch delete mode 100644 SOURCES/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch create mode 100644 SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch create mode 100644 SOURCES/0005-arptables-Support-x-exact-flag.patch delete mode 100644 SOURCES/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch delete mode 100644 SOURCES/0006-extensions-libebt_ip6-Drop-unused-variables.patch create mode 100644 SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch delete mode 100644 SOURCES/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch delete mode 100644 SOURCES/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch delete mode 100644 SOURCES/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch delete mode 100644 SOURCES/0010-iptables-apply-Drop-unused-variable.patch delete mode 100644 SOURCES/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch delete mode 100644 SOURCES/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch delete mode 100644 SOURCES/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch delete mode 100644 SOURCES/0014-iptables-nft-fix-Z-option.patch delete mode 100644 SOURCES/0015-nft-Fix-bitwise-expression-avoidance-detection.patch delete mode 100644 SOURCES/0016-extensions-sctp-Fix-nftables-translation.patch delete mode 100644 SOURCES/0018-nft-cache-Sort-chains-on-demand-only.patch delete mode 100644 
SOURCES/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch delete mode 100644 SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch delete mode 100644 SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch delete mode 100644 SOURCES/0022-ebtables-Dump-atomic-waste.patch delete mode 100644 SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch delete mode 100644 SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch delete mode 100644 SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch diff --git a/.gitignore b/.gitignore index 915bcf1..0221a1e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/iptables-1.8.7.tar.bz2 +SOURCES/iptables-1.8.8.tar.bz2 diff --git a/.iptables.metadata b/.iptables.metadata index 687b160..1065d12 100644 --- a/.iptables.metadata +++ b/.iptables.metadata @@ -1 +1 @@ -05ef75415cb7cb7641f51d51e74f3ea29cc31ab1 SOURCES/iptables-1.8.7.tar.bz2 +98783621a5e58ff55f83b1350523f3de41af621d SOURCES/iptables-1.8.8.tar.bz2 diff --git a/SOURCES/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch b/SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch similarity index 95% rename from SOURCES/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch rename to SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch index d09a77e..cdffca9 100644 --- a/SOURCES/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch +++ b/SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch @@ -1,4 +1,4 @@ -From 635e4c4e7f3581a7cc8c04244ae3de239ad84935 Mon Sep 17 00:00:00 2001 +From 7ef75f20c338d0f09b50633aa0d5d83c868015ab Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 17 Jun 2021 18:44:28 +0200 Subject: [PATCH] doc: Add deprecation notices to all relevant man pages @@ -116,10 +116,10 @@ index ea31e0842acd4..ec5b993a41e8b 100644 .PP .BR "" "See " https://wiki.nftables.org 
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 -index 1fa5ad9388cc0..5bdc0bb8a939e 100644 +index d75aae240bc05..ed1bf8f2db55b 100644 --- a/iptables/ebtables-nft.8 +++ b/iptables/ebtables-nft.8 -@@ -52,6 +52,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based) +@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based) .br .SH DESCRIPTION @@ -139,9 +139,9 @@ index 1fa5ad9388cc0..5bdc0bb8a939e 100644 .B ebtables is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect -@@ -1111,6 +1124,6 @@ table. Also there is no support for - .B string - match. And finally, this list is probably not complete. +@@ -1069,6 +1082,6 @@ has not been implemented, although + might replace them entirely given the inherent atomicity of nftables. + Finally, this list is probably not complete. .SH SEE ALSO -.BR xtables-nft "(8), " iptables "(8), " ip (8) +.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8) @@ -205,7 +205,7 @@ index 99d89a1fe44ad..73d40bbfe9c52 100644 iptables can use extended packet matching modules with the \fB\-m\fP or \fB\-\-match\fP diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in -index b4b62f92740d1..1bbf7a0d98d0a 100644 +index 20216842d8358..8f4811c72f2ec 100644 --- a/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in @@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables @@ -228,7 +228,7 @@ index b4b62f92740d1..1bbf7a0d98d0a 100644 .PP .B iptables-restore and -@@ -87,7 +100,9 @@ from Rusty Russell. +@@ -81,7 +94,9 @@ from Rusty Russell. .br Andras Kis-Szabo contributed ip6tables-restore. .SH SEE ALSO @@ -273,7 +273,7 @@ index 7683fd3780f72..6fe50b2d446e5 100644 The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the 
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in -index 999cf339845f9..895cc7b111eb9 100644 +index 627ff0e4da7a4..a8b31206d45b2 100644 --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in @@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP] @@ -308,7 +308,7 @@ index 999cf339845f9..895cc7b111eb9 100644 The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in -index b647a79eb64ed..bbccf009e8269 100644 +index a7f22c0d8c08e..e21d7ff23035f 100644 --- a/iptables/xtables-monitor.8.in +++ b/iptables/xtables-monitor.8.in @@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events @@ -330,5 +330,5 @@ index b647a79eb64ed..bbccf009e8269 100644 .B xtables-monitor is used to monitor changes to the ruleset or to show rule evaluation events -- -2.32.0 +2.34.1 diff --git a/SOURCES/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch b/SOURCES/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch deleted file mode 100644 index a3775af..0000000 --- a/SOURCES/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 28 Jan 2021 01:09:56 +0100 -Subject: [PATCH] ebtables: Exit gracefully on invalid table names - -Users are able to cause program abort by passing a table name that -doesn't exist: - -| # ebtables-nft -t dummy -P INPUT ACCEPT -| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed. -| Aborted - -Avoid this by checking table existence just like iptables-nft does upon -parsing '-t' optarg. Since the list of tables is known and fixed, -checking the given name's length is pointless. So just drop that check -in return. - -With this patch in place, output looks much better: - -| # ebtables-nft -t dummy -P INPUT ACCEPT -| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist -| Perhaps iptables or your kernel needs to be upgraded. - -Signed-off-by: Phil Sutter -(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f) ---- - iptables/xtables-eb.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c -index cfa9317c78e94..5bb34d6d292a9 100644 ---- a/iptables/xtables-eb.c -+++ b/iptables/xtables-eb.c -@@ -914,10 +914,10 @@ print_zero: - xtables_error(PARAMETER_PROBLEM, - "The -t option (seen in line %u) cannot be used in %s.\n", - line, xt_params->program_name); -- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1) -- xtables_error(PARAMETER_PROBLEM, -- "Table name length cannot exceed %d characters", -- EBT_TABLE_MAXNAMELEN - 1); -+ if (!nft_table_builtin_find(h, optarg)) -+ xtables_error(VERSION_PROBLEM, -+ "table '%s' does not exist", -+ optarg); - *table = optarg; - table_set = true; - break; --- -2.31.1 - 
diff --git a/SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch b/SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch similarity index 92% rename from SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch rename to SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch index 0813ef1..e432d7a 100644 --- a/SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch +++ b/SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch @@ -1,4 +1,4 @@ -From 45664de1be104ce9716227a0ad11ef2343ece3df Mon Sep 17 00:00:00 2001 +From 231626933e5fd54b8d9e66dfc9a8a374a9192121 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 16 Jul 2021 21:51:49 +0200 Subject: [PATCH] extensions: SECMARK: Use a better context in test case diff --git a/SOURCES/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch b/SOURCES/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch deleted file mode 100644 index 9be2e9e..0000000 --- a/SOURCES/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch +++ /dev/null 
@@ -1,196 +0,0 @@ -From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 2 Mar 2021 14:50:07 +0100 -Subject: [PATCH] xtables-translate: Fix translation of odd netmasks - -Iptables supports netmasks which are not prefixes to match on (or -ignore) arbitrary bits in an address. Yet nftables' prefix notation is -available for real prefixes only, so translation is not as trivial - -print bitmask syntax for those cases. - -Signed-off-by: Phil Sutter -(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae) ---- - extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++ - extensions/libxt_standard.t | 12 ++++++++++ - iptables/nft-ipv4.c | 42 ++++++++++++++++++++++---------- - iptables/nft-ipv6.c | 19 ++++++++++++--- - 4 files changed, 106 insertions(+), 15 deletions(-) - -diff --git a/extensions/generic.txlate b/extensions/generic.txlate -index 0e256c3727559..9ae9a5b54c1b9 100644 ---- a/extensions/generic.txlate -+++ b/extensions/generic.txlate -@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter - iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8 - nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter - -+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0 -+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter -+ -+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0 -+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter -+ -+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255 -+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter -+ -+iptables-translate -I INPUT ! 
-s 10.11.12.13/0.255.0.255 -+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter -+ -+iptables-translate -I INPUT -s 0.0.0.0/16 -+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter -+ -+iptables-translate -I INPUT -s 0.0.0.0/0 -+nft insert rule ip filter INPUT counter -+ -+iptables-translate -I INPUT ! -s 0.0.0.0/0 -+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter -+ -+ip6tables-translate -I INPUT -i iifname -s feed::/16 -+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter -+ -+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16 -+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter -+ -+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00:: -+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter -+ -+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0 -+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter -+ -+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff -+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter -+ -+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff -+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter -+ -+ip6tables-translate -I INPUT -s ::/16 -+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter -+ -+ip6tables-translate -I INPUT -s ::/0 -+nft insert rule ip6 filter INPUT counter -+ -+ip6tables-translate -I INPUT ! 
-s ::/0 -+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter -+ - ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0 - nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter - -diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t -index 4313f7b7bac9d..56d6da2e5884e 100644 ---- a/extensions/libxt_standard.t -+++ b/extensions/libxt_standard.t -@@ -9,3 +9,15 @@ - -j ACCEPT;=;OK - -j RETURN;=;OK - ! -p 0 -j ACCEPT;=;FAIL -+-s 10.11.12.13/8;-s 10.0.0.0/8;OK -+-s 10.11.12.13/9;-s 10.0.0.0/9;OK -+-s 10.11.12.13/10;-s 10.0.0.0/10;OK -+-s 10.11.12.13/11;-s 10.0.0.0/11;OK -+-s 10.11.12.13/12;-s 10.0.0.0/12;OK -+-s 10.11.12.13/30;-s 10.11.12.12/30;OK -+-s 10.11.12.13/31;-s 10.11.12.12/31;OK -+-s 10.11.12.13/32;-s 10.11.12.13/32;OK -+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK -+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK -+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK -+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK -diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c -index fdc15c6f04066..0d32a30010519 100644 ---- a/iptables/nft-ipv4.c -+++ b/iptables/nft-ipv4.c -@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command, - " source or destination IP addresses"); - } - -+static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr, -+ const struct in_addr *mask, -+ bool inv, struct xt_xlate *xl) -+{ -+ const char *op = inv ? "!= " : ""; -+ int cidr; -+ -+ if (!inv && !addr->s_addr && !mask->s_addr) -+ return; -+ -+ cidr = xtables_ipmask_to_cidr(mask); -+ switch (cidr) { -+ case -1: -+ /* inet_ntoa() is not reentrant */ -+ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask)); -+ xt_xlate_add(xl, "%s %s ", inv ? 
"!=" : "==", inet_ntoa(*addr)); -+ break; -+ case 32: -+ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr)); -+ break; -+ default: -+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr), -+ cidr); -+ } -+} -+ - static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) - { - const struct iptables_command_state *cs = data; -@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) - } - } - -- if (cs->fw.ip.src.s_addr != 0) { -- xt_xlate_add(xl, "ip saddr %s%s%s ", -- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "", -- inet_ntoa(cs->fw.ip.src), -- xtables_ipmask_to_numeric(&cs->fw.ip.smsk)); -- } -- if (cs->fw.ip.dst.s_addr != 0) { -- xt_xlate_add(xl, "ip daddr %s%s%s ", -- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "", -- inet_ntoa(cs->fw.ip.dst), -- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk)); -- } -+ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk, -+ cs->fw.ip.invflags & IPT_INV_SRCIP, xl); -+ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk, -+ cs->fw.ip.invflags & IPT_INV_DSTIP, xl); - - ret = xlate_matches(cs, xl); - if (!ret) -diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c -index 130ad3e6e7c44..46008fc5e762a 100644 ---- a/iptables/nft-ipv6.c -+++ b/iptables/nft-ipv6.c -@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr, - const struct in6_addr *mask, - int invert, struct xt_xlate *xl) - { -+ const char *op = invert ? "!= " : ""; - char addr_str[INET6_ADDRSTRLEN]; -+ int cidr; - -- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr)) -+ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask)) - return; - - inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN); -- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? 
"!= " : "", addr_str, -- xtables_ip6mask_to_numeric(mask)); -+ cidr = xtables_ip6mask_to_cidr(mask); -+ switch (cidr) { -+ case -1: -+ xt_xlate_add(xl, "%s & %s %s %s ", selector, -+ xtables_ip6addr_to_numeric(mask), -+ invert ? "!=" : "==", addr_str); -+ break; -+ case 128: -+ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str); -+ break; -+ default: -+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr); -+ } - } - - static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl) --- -2.31.1 - diff --git a/SOURCES/0003-Eliminate-inet_aton-and-inet_ntoa.patch b/SOURCES/0003-Eliminate-inet_aton-and-inet_ntoa.patch deleted file mode 100644 index e5ab459..0000000 --- a/SOURCES/0003-Eliminate-inet_aton-and-inet_ntoa.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 27 Apr 2021 09:12:53 +0200 -Subject: [PATCH] Eliminate inet_aton() and inet_ntoa() - -Both functions are obsolete, replace them by equivalent calls to -inet_pton() and inet_ntop(). - -Signed-off-by: Phil Sutter -(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3) ---- - extensions/libebt_among.c | 6 ++++-- - iptables/nft-ipv4.c | 23 ++++++++++++++--------- - 2 files changed, 18 insertions(+), 11 deletions(-) - -diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c -index 2b9a1b6566684..7eb898f984bba 100644 ---- a/extensions/libebt_among.c -+++ b/extensions/libebt_among.c -@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip) - if (sep) { - *sep = '\0'; - -- if (!inet_aton(sep + 1, &pair->in)) -+ if (!inet_pton(AF_INET, sep + 1, &pair->in)) - xtables_error(PARAMETER_PROBLEM, - "Invalid IP address '%s'\n", sep + 1); - } -@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs, - int cnt, bool inv, bool have_ip) - { - const char *isep = inv ? "! 
" : ""; -+ char abuf[INET_ADDRSTRLEN]; - int i; - - for (i = 0; i < cnt; i++) { -@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs, - - printf("%s", ether_ntoa(&pairs[i].ether)); - if (pairs[i].in.s_addr != INADDR_ANY) -- printf("=%s", inet_ntoa(pairs[i].in)); -+ printf("=%s", inet_ntop(AF_INET, &pairs[i].in, -+ abuf, sizeof(abuf))); - } - printf(" "); - } -diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c -index 0d32a30010519..a5b835b1f681d 100644 ---- a/iptables/nft-ipv4.c -+++ b/iptables/nft-ipv4.c -@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv) - - static const char *mask_to_str(uint32_t mask) - { -- static char mask_str[sizeof("255.255.255.255")]; -+ static char mask_str[INET_ADDRSTRLEN]; - uint32_t bits, hmask = ntohl(mask); - struct in_addr mask_addr = { - .s_addr = mask, -@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask) - if (i >= 0) - sprintf(mask_str, "%u", i); - else -- sprintf(mask_str, "%s", inet_ntoa(mask_addr)); -+ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str)); - - return mask_str; - } -@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r, - static void save_ipv4_addr(char letter, const struct in_addr *addr, - uint32_t mask, int invert) - { -+ char addrbuf[INET_ADDRSTRLEN]; -+ - if (!mask && !invert && !addr->s_addr) - return; - -- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr), -+ printf("%s-%c %s/%s ", invert ? "! " : "", letter, -+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)), - mask_to_str(mask)); - } - -@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr, - const struct in_addr *mask, - bool inv, struct xt_xlate *xl) - { -+ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN]; - const char *op = inv ? 
"!= " : ""; - int cidr; - - if (!inv && !addr->s_addr && !mask->s_addr) - return; - -+ inet_ntop(AF_INET, addr, abuf, sizeof(abuf)); -+ - cidr = xtables_ipmask_to_cidr(mask); - switch (cidr) { - case -1: -- /* inet_ntoa() is not reentrant */ -- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask)); -- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr)); -+ xt_xlate_add(xl, "%s & %s %s %s ", selector, -+ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)), -+ inv ? "!=" : "==", abuf); - break; - case 32: -- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr)); -+ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf); - break; - default: -- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr), -- cidr); -+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr); - } - } - --- -2.31.1 - diff --git a/SOURCES/0003-xshared-Fix-build-for-Werror-format-security.patch b/SOURCES/0003-xshared-Fix-build-for-Werror-format-security.patch new file mode 100644 index 0000000..182c174 --- /dev/null +++ b/SOURCES/0003-xshared-Fix-build-for-Werror-format-security.patch @@ -0,0 +1,29 @@ +From 4350a1e4daabc4ec1f9b692425d9bd0d48d27488 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 13 May 2022 16:51:58 +0200 +Subject: [PATCH] xshared: Fix build for -Werror=format-security + +Gcc complains about the omitted format string. + +Signed-off-by: Phil Sutter +(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a) +--- + iptables/xshared.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index fae5ddd5df93e..a8512d3808154 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg) + return; + + if (args->family != NFPROTO_ARP) +- xtables_error(PARAMETER_PROBLEM, msg); ++ xtables_error(PARAMETER_PROBLEM, "%s", msg); + + fprintf(stderr, "%s", msg); + } +-- +2.34.1 + 
diff --git a/SOURCES/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch b/SOURCES/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
deleted file mode 100644
index 10b4794..0000000
--- a/SOURCES/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
+++ /dev/null
@@ -1,181 +0,0 @@ -From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 27 Apr 2021 10:02:34 +0200 -Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string() - -This eliminates quite a bit of redundant code apart from also dropping -use of obsolete function gethostbyaddr(). - -Signed-off-by: Phil Sutter -(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c) ---- - iptables/nft-arp.c | 99 ++++------------------------------------------ - iptables/xshared.c | 6 +-- - iptables/xshared.h | 3 ++ - 3 files changed, 14 insertions(+), 94 deletions(-) - -diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c -index c82ffdc95e300..2a9387a18dffe 100644 ---- a/iptables/nft-arp.c -+++ b/iptables/nft-arp.c -@@ -42,78 +42,6 @@ char *arp_opcodes[] = - "ARP_NAK", - }; - --static char * --addr_to_dotted(const struct in_addr *addrp) --{ -- static char buf[20]; -- const unsigned char *bytep; -- -- bytep = (const unsigned char *) &(addrp->s_addr); -- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]); -- return buf; --} -- --static char * --addr_to_host(const struct in_addr *addr) --{ -- struct hostent *host; -- -- if ((host = gethostbyaddr((char *) addr, -- sizeof(struct in_addr), AF_INET)) != NULL) -- return (char *) host->h_name; -- -- return (char *) NULL; --} -- --static char * --addr_to_network(const struct in_addr *addr) --{ -- struct netent *net; -- -- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL) -- return (char *) net->n_name; -- -- return (char *) NULL; --} -- --static char * --addr_to_anyname(const struct in_addr *addr) --{ -- char *name; -- -- if ((name = addr_to_host(addr)) != NULL || -- (name = addr_to_network(addr)) != NULL) -- return name; -- -- return addr_to_dotted(addr); --} -- --static char * --mask_to_dotted(const struct in_addr *mask) --{ -- int i; -- static char buf[22]; -- u_int32_t maskaddr, bits; -- -- maskaddr = ntohl(mask->s_addr); -- -- if (maskaddr == 
0xFFFFFFFFL) -- /* we don't want to see "/32" */ -- return ""; -- -- i = 32; -- bits = 0xFFFFFFFEL; -- while (--i >= 0 && maskaddr != bits) -- bits <<= 1; -- if (i >= 0) -- sprintf(buf, "/%d", i); -- else -- /* mask was not a decent combination of 1's and 0's */ -- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask)); -- -- return buf; --} -- - static bool need_devaddr(struct arpt_devaddr_info *info) - { - int i; -@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, - unsigned int format) - { - const struct arpt_entry *fw = &cs->arp; -- char buf[BUFSIZ]; - char iface[IFNAMSIZ+2]; - const char *sep = ""; - int print_iface = 0; -@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, - } - - if (fw->arp.smsk.s_addr != 0L) { -- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP -- ? "! " : ""); -- if (format & FMT_NUMERIC) -- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src))); -- else -- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src))); -- strncat(buf, mask_to_dotted(&(fw->arp.smsk)), -- sizeof(buf) - strlen(buf) - 1); -- printf("-s %s", buf); -+ printf("%s%s-s %s", sep, -+ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "", -+ ipv4_addr_to_string(&fw->arp.src, -+ &fw->arp.smsk, format)); - sep = " "; - } - -@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs, - after_devsrc: - - if (fw->arp.tmsk.s_addr != 0L) { -- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP -- ? "! " : ""); -- if (format & FMT_NUMERIC) -- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt))); -- else -- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt))); -- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)), -- sizeof(buf) - strlen(buf) - 1); -- printf("-d %s", buf); -+ printf("%s%s-d %s", sep, -+ fw->arp.invflags & IPT_INV_DSTIP ? "! 
" : "", -+ ipv4_addr_to_string(&fw->arp.tgt, -+ &fw->arp.tmsk, format)); - sep = " "; - } - -diff --git a/iptables/xshared.c b/iptables/xshared.c -index 71f689901e1d4..9a1f465a5a6d3 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store) - } - #endif - --static const char *ipv4_addr_to_string(const struct in_addr *addr, -- const struct in_addr *mask, -- unsigned int format) -+const char *ipv4_addr_to_string(const struct in_addr *addr, -+ const struct in_addr *mask, -+ unsigned int format) - { - static char buf[BUFSIZ]; - -diff --git a/iptables/xshared.h b/iptables/xshared.h -index 9159b2b1f3768..1e86aba8b2375 100644 ---- a/iptables/xshared.h -+++ b/iptables/xshared.h -@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store); - # define debug_print_argv(...) /* nothing */ - #endif - -+const char *ipv4_addr_to_string(const struct in_addr *addr, -+ const struct in_addr *mask, -+ unsigned int format); - void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); - void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); - --- -2.31.1 - diff --git a/SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch b/SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch new file mode 100644 index 0000000..1994bff --- /dev/null +++ b/SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch 
@@ -0,0 +1,61 @@ +From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 2 Jun 2022 13:44:45 +0200 +Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore + +Some repeated calls have been reduced recently, assert this in a test +evaluating strace output. + +Signed-off-by: Phil Sutter +(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1) +--- + .../shell/testcases/ipt-save/0007-overhead_0 | 37 +++++++++++++++++++ + 1 file changed, 37 insertions(+) + create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0 + +diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 +new file mode 100755 +index 0000000000000..b86d71f209471 +--- /dev/null ++++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 +@@ -0,0 +1,37 @@ ++#!/bin/bash ++ ++# Test recent performance improvements in iptables-save due to reduced ++# overhead. ++ ++strace --version >/dev/null || { echo "skip for missing strace"; exit 0; } ++ ++RULESET=$( ++ echo "*filter" ++ for ((i = 0; i < 100; i++)); do ++ echo ":mychain$i -" ++ echo "-A FORWARD -p tcp --dport 22 -j mychain$i" ++ done ++ echo "COMMIT" ++) ++ ++RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null) ++SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null) ++ ++do_grep() { # (name, threshold, pattern) ++ local cnt=$(grep -c "$3") ++ [[ $cnt -le $2 ]] && return 0 ++ echo "ERROR: Too many $3 lookups for $1: $cnt > $2" ++ exit 1 ++} ++ ++# iptables prefers hard-coded protocol names instead of looking them up first ++ ++do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE" ++do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE" ++ ++# iptables-nft-save pointlessly checked whether chain jumps are targets ++ ++do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE" ++do_grep "$XT_MULTI 
iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
++
++exit 0
+--
+2.34.1
+
diff --git a/SOURCES/0005-arptables-Support-x-exact-flag.patch b/SOURCES/0005-arptables-Support-x-exact-flag.patch
new file mode 100644
index 0000000..98c11b8
--- /dev/null
+++ b/SOURCES/0005-arptables-Support-x-exact-flag.patch
@@ -0,0 +1,33 @@
+From 5d197a9a4c0f456243894aea4b5fd059ecf6c402 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 7 Jun 2022 18:07:00 +0200
+Subject: [PATCH] arptables: Support -x/--exact flag
+
+Legacy arptables accepts but ignores the flag. Yet there are remains of
+the functionality in sources, like OPT_EXPANDED define and a print_num()
+function which acts on FMT_KILOMEGAGIGA flag being set or not. So
+instead of mimicking legacy behaviour by explicitly ignoring -x flag for
+arptables, just enable the feature for it.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0)
+---
+ iptables/xshared.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index 14568bb00fb65..a50c8b7298072 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -69,7 +69,7 @@ struct xtables_target;
+
+ #define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
+ #define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
+-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */
++#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
+ #define EBT_OPTSTRING OPTSTRING_COMMON "hv"
+
+ /* define invflags which won't collide with IPT ones */
+--
+2.34.1
+
diff --git a/SOURCES/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch b/SOURCES/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
deleted file mode 100644
index 1ebf6d4..0000000
--- a/SOURCES/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
+++ /dev/null
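Review bot: The test passes vacuously when strace cannot trace the child (ptrace blocked by seccomp or a hardened kernel in the CI container is a common cause), because `RESTORE_STRACE` and `SAVE_STRACE` then hold only strace's own error text, every grep count is 0 and each threshold check succeeds. After the two captures, assert the trace is real before counting, e.g. `grep -q '^execve(' <<< "$RESTORE_STRACE" || { echo "skip for non-functional strace"; exit 0; }` and the same for `SAVE_STRACE`. The availability probe `strace --version >/dev/null` also lets bash's "command not found" message reach stderr; adding `2>&1` to that redirect keeps the skip path quiet. The script is complete within the hunk.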
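Review bot: Only the getopt string changes here, so `x` is now accepted for arptables, but nothing in this patch records why the letter was added or touches arptables' help text or man page (whether those already list `--exact` is not visible here). A short comment on the new define line would save the next reader a trip through the commit history, e.g. `/* x: --exact (OPT_EXPANDED), accepted but ignored by legacy arptables */`. The `/* "m:" */` remnant on the same line could be dropped or explained in the same comment.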
@@ -1,33 +0,0 @@
-From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 13 Nov 2020 21:04:39 +0100
-Subject: [PATCH] libxtables: Drop leftover variable in
- xtables_numeric_to_ip6addr()
-
-Variable 'err' was only used in removed debug code, so drop it as well.
-
-Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
----
- libxtables/xtables.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/libxtables/xtables.c b/libxtables/xtables.c
-index bc42ba8221f3a..6947441fec659 100644
---- a/libxtables/xtables.c
-+++ b/libxtables/xtables.c
-@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
- struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
- {
- static struct in6_addr ap;
-- int err;
-
-- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
-+ if (inet_pton(AF_INET6, num, &ap) == 1)
- return ≈
-
- return NULL;
---
-2.31.1
-
diff --git a/SOURCES/0006-extensions-libebt_ip6-Drop-unused-variables.patch b/SOURCES/0006-extensions-libebt_ip6-Drop-unused-variables.patch
deleted file mode 100644
index f32c329..0000000
--- a/SOURCES/0006-extensions-libebt_ip6-Drop-unused-variables.patch
+++ /dev/null
@@ -1,49 +0,0 @@ -From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 13 Nov 2020 21:13:50 +0100 -Subject: [PATCH] extensions: libebt_ip6: Drop unused variables - -They are being assigned to but never read. - -Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension") -Signed-off-by: Phil Sutter -(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc) ---- - extensions/libebt_ip6.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c -index b8a5a5d8c3a92..301bed9aadefd 100644 ---- a/extensions/libebt_ip6.c -+++ b/extensions/libebt_ip6.c -@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match) - static struct in6_addr *numeric_to_addr(const char *num) - { - static struct in6_addr ap; -- int err; - -- if ((err=inet_pton(AF_INET6, num, &ap)) == 1) -+ if (inet_pton(AF_INET6, num, &ap) == 1) - return ≈ - return (struct in6_addr *)NULL; - } -@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i - char buf[256]; - char *p; - int i; -- int err; - - strncpy(buf, address, sizeof(buf) - 1); - /* first the mask */ -@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i - if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any))) - strcpy(buf, "::"); - -- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) { -+ if (inet_pton(AF_INET6, buf, addr) < 1) { - xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf); - return; - } --- -2.31.1 - diff --git a/SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch b/SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch new file mode 100644 index 0000000..f76f38d --- /dev/null +++ b/SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch 
@@ -0,0 +1,91 @@
+From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 30 Jun 2022 18:04:39 +0200
+Subject: [PATCH] libxtables: Fix unsupported extension warning corner case
+
+Some extensions are not supported in revision 0 by user space anymore,
+for those the warning in xtables_compatible_revision() does not print as
+no revision 0 is tried.
+
+To fix this, one has to track if none of the user space supported
+revisions were accepted by the kernel. Therefore add respective logic to
+xtables_find_{target,match}().
+
+Note that this does not lead to duplicated warnings for unsupported
+extensions that have a revision 0 because xtables_compatible_revision()
+returns true for them to allow for extension's help output.
+
+For the record, these ip6tables extensions are affected: set/SET,
+socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
+for both families.
+
+Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37)
+---
+ libxtables/xtables.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 96fd783a066cf..7abc63bcfd83e 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ struct xtables_match *ptr;
+ const char *icmp6 = "icmp6";
+ bool found = false;
++ bool seen = false;
+
+ if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
+ xtables_error(PARAMETER_PROBLEM,
+@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ ptr = *dptr;
+ *dptr = (*dptr)->next;
++ seen = true;
+ if (!found &&
+ xtables_fully_register_pending_match(ptr, prev)) {
+ found = true;
+@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum 
xtables_tryload tryload,
+ dptr = &((*dptr)->next);
+ }
+
++ if (seen && !found)
++ fprintf(stderr,
++ "Warning: Extension %s is not supported, missing kernel module?\n",
++ name);
++
+ for (ptr = xtables_matches; ptr; ptr = ptr->next) {
+ if (extension_cmp(name, ptr->name, ptr->family)) {
+ struct xtables_match *clone;
+@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ struct xtables_target **dptr;
+ struct xtables_target *ptr;
+ bool found = false;
++ bool seen = false;
+
+ /* Standard target? */
+ if (strcmp(name, "") == 0
+@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ ptr = *dptr;
+ *dptr = (*dptr)->next;
++ seen = true;
+ if (!found &&
+ xtables_fully_register_pending_target(ptr, prev)) {
+ found = true;
+@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ dptr = &((*dptr)->next);
+ }
+
++ if (seen && !found)
++ fprintf(stderr,
++ "Warning: Extension %s is not supported, missing kernel module?\n",
++ name);
++
+ for (ptr = xtables_targets; ptr; ptr = ptr->next) {
+ if (extension_cmp(name, ptr->name, ptr->family)) {
+ struct xtables_target *clone;
+--
+2.34.1
+
diff --git a/SOURCES/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch b/SOURCES/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
deleted file mode 100644
index f1a7336..0000000
--- a/SOURCES/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
+++ /dev/null
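Review bot: The `if (seen && !found) fprintf(stderr, "Warning: Extension %s is not supported, missing kernel module?\n", name);` block is pasted verbatim into both xtables_find_match() and xtables_find_target(); a file-local helper such as `static void warn_unsupported_extension(const char *name)` wrapping the fprintf would keep the wording in one place and make a later change to the diagnostic (routing it through xt_params or gating it on verbosity) a one-line edit. The `seen` flag is only raised while splicing entries out of the pending list, so a name that was fully registered by an earlier call reaches the following xtables_matches/xtables_targets loop without a second warning, which is consistent with the commit message but worth a one-line comment above each `seen = true;`. Both enclosing functions continue past the hunk, so how this warning interacts with their eventual not-found error path is not visible here.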
@@ -1,29 +0,0 @@
-From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 2 Jun 2021 11:04:30 +0200
-Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
-
-The allocated hostmask duplicate needs to be freed again.
-
-Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
-Signed-off-by: Phil Sutter
-(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
----
- libxtables/xtoptions.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
-index d329f2ff7979e..0dcdf607f4678 100644
---- a/libxtables/xtoptions.c
-+++ b/libxtables/xtoptions.c
-@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
- cb->arg = p;
- xtopt_parse_plenmask(cb);
- cb->arg = orig_arg;
-+ free(work);
- }
-
- static void xtopt_parse_ethermac(struct xt_option_call *cb)
---
-2.31.1
-
diff --git a/SOURCES/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch b/SOURCES/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
deleted file mode 100644
index ee25117..0000000
--- a/SOURCES/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 2 Jun 2021 11:55:20 +0200
-Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
-
-If rule allocation fails, free the allocated 'cmd' before returning to
-caller.
-
-Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
-Signed-off-by: Phil Sutter
-(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
----
- iptables/nft-cmd.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
-index 5d33f1f00f574..9b0c964847615 100644
---- a/iptables/nft-cmd.c
-+++ b/iptables/nft-cmd.c
-@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
-
- if (state) {
- rule = nft_rule_new(h, chain, table, state);
-- if (!rule)
-+ if (!rule) {
-+ nft_cmd_free(cmd);
- return NULL;
-+ }
-
- cmd->obj.rule = rule;
-
---
-2.31.1
-
diff --git a/SOURCES/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch b/SOURCES/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
deleted file mode 100644
index 6d30b3f..0000000
--- a/SOURCES/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 11:58:06 +0200 -Subject: [PATCH] nft: Avoid buffer size warnings copying iface names - -The call to strncpy() is actually not needed: source buffer is only -IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to -avoid compiler warnings due to size parameter matching the destination -buffer size by performing the copy using (dumb) memcpy() instead. - -Signed-off-by: Phil Sutter -(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff) ---- - iptables/nft-ipv4.c | 4 ++-- - iptables/nft-ipv6.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c -index a5b835b1f681d..34f94bd8cc24a 100644 ---- a/iptables/nft-ipv4.c -+++ b/iptables/nft-ipv4.c -@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command, - */ - cs->fw.ip.invflags = args->invflags; - -- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ); -+ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ); - memcpy(cs->fw.ip.iniface_mask, - args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); - -- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ); -+ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ); - memcpy(cs->fw.ip.outiface_mask, - args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); - -diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c -index 46008fc5e762a..d9c9400ad7dc3 100644 ---- a/iptables/nft-ipv6.c -+++ b/iptables/nft-ipv6.c -@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs, - */ - cs->fw6.ipv6.invflags = args->invflags; - -- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ); -+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ); - memcpy(cs->fw6.ipv6.iniface_mask, - args->iniface_mask, IFNAMSIZ*sizeof(unsigned char)); - -- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ); -+ 
memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ); - memcpy(cs->fw6.ipv6.outiface_mask, - args->outiface_mask, IFNAMSIZ*sizeof(unsigned char)); - --- -2.31.1 - diff --git a/SOURCES/0010-iptables-apply-Drop-unused-variable.patch b/SOURCES/0010-iptables-apply-Drop-unused-variable.patch deleted file mode 100644 index e28558f..0000000 --- a/SOURCES/0010-iptables-apply-Drop-unused-variable.patch +++ /dev/null @@ -1,29 +0,0 @@ -From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 12:50:57 +0200 -Subject: [PATCH] iptables-apply: Drop unused variable - -It was assigned to but never read. - -Fixes: b45b4e3903414 ("iptables-apply: script and manpage update") -Signed-off-by: Phil Sutter -(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764) ---- - iptables/iptables-apply | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/iptables/iptables-apply b/iptables/iptables-apply -index 4683b1b402d08..3a7df5e3cbc1f 100755 ---- a/iptables/iptables-apply -+++ b/iptables/iptables-apply -@@ -231,7 +231,6 @@ case "$MODE" in - "$RUNCMD" & - CMD_PID=$! - ( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) & -- CMDTIMEOUT_PID=$! - if ! wait "$CMD_PID"; then - echo "failed." - echo "Error: unknown error running command: $RUNCMD" >&2 --- -2.31.1 - diff --git a/SOURCES/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch b/SOURCES/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch deleted file mode 100644 index 17c5ea6..0000000 --- a/SOURCES/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 14:04:43 +0200 -Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any() - -The code was almost identical and suffered from the same problem as -fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory -corruption bugs"). - -The only functional change this involves is ebt_parse_ip6_address() will -now accept hostnames as well. - -Signed-off-by: Phil Sutter -(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4) ---- - extensions/libebt_ip6.c | 74 ++++++----------------------------------- - 1 file changed, 10 insertions(+), 64 deletions(-) - -diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c -index 301bed9aadefd..3cc39271d4658 100644 ---- a/extensions/libebt_ip6.c -+++ b/extensions/libebt_ip6.c -@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match) - memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr)); - } - --static struct in6_addr *numeric_to_addr(const char *num) -+/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */ -+static void ebt_parse_ip6_address(char *address, -+ struct in6_addr *addr, struct in6_addr *msk) - { -- static struct in6_addr ap; -- -- if (inet_pton(AF_INET6, num, &ap) == 1) -- return ≈ -- return (struct in6_addr *)NULL; --} -- --static struct in6_addr *parse_ip6_mask(char *mask) --{ -- static struct in6_addr maskaddr; - struct in6_addr *addrp; -- unsigned int bits; -- -- if (mask == NULL) { -- /* no mask at all defaults to 128 bits */ -- memset(&maskaddr, 0xff, sizeof maskaddr); -- return &maskaddr; -- } -- if ((addrp = numeric_to_addr(mask)) != NULL) -- return addrp; -- if (!xtables_strtoui(mask, NULL, &bits, 0, 128)) -- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask); -- if (bits != 0) { -- char *p = (char *)&maskaddr; -- memset(p, 0xff, bits / 8); -- memset(p + (bits / 8) + 1, 0, 
(128 - bits) / 8); -- p[bits / 8] = 0xff << (8 - (bits & 7)); -- return &maskaddr; -- } -+ unsigned int naddrs; - -- memset(&maskaddr, 0, sizeof maskaddr); -- return &maskaddr; --} -- --/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0]. -- * The string pointed to by address can be altered. */ --static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk) --{ -- struct in6_addr *tmp_addr; -- char buf[256]; -- char *p; -- int i; -- -- strncpy(buf, address, sizeof(buf) - 1); -- /* first the mask */ -- buf[sizeof(buf) - 1] = '\0'; -- if ((p = strrchr(buf, '/')) != NULL) { -- *p = '\0'; -- tmp_addr = parse_ip6_mask(p + 1); -- } else -- tmp_addr = parse_ip6_mask(NULL); -- -- *msk = *tmp_addr; -- -- /* if a null mask is given, the name is ignored, like in "any/0" */ -- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any))) -- strcpy(buf, "::"); -- -- if (inet_pton(AF_INET6, buf, addr) < 1) { -- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf); -- return; -- } -- -- for (i = 0; i < 4; i++) -- addr->s6_addr32[i] &= msk->s6_addr32[i]; -+ xtables_ip6parse_any(address, &addrp, msk, &naddrs); -+ if (naddrs != 1) -+ xtables_error(PARAMETER_PROBLEM, -+ "Invalid IPv6 Address '%s' specified", address); -+ memcpy(addr, addrp, sizeof(*addr)); -+ free(addrp); - } - - #define OPT_SOURCE 0x01 --- -2.31.1 - diff --git a/SOURCES/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch b/SOURCES/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch deleted file mode 100644 index 70d05fe..0000000 --- a/SOURCES/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch +++ /dev/null 
@@ -1,554 +0,0 @@ -From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 2 Jun 2021 12:56:06 +0200 -Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere - -This wraps strdup(), checking for errors. - -Signed-off-by: Phil Sutter -(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a) ---- - extensions/libebt_ip.c | 3 ++- - extensions/libebt_ip6.c | 2 +- - extensions/libebt_stp.c | 3 ++- - extensions/libip6t_DNAT.c | 4 +--- - extensions/libip6t_SNAT.c | 4 +--- - extensions/libip6t_dst.c | 8 +++----- - extensions/libip6t_hbh.c | 7 +++---- - extensions/libip6t_ipv6header.c | 2 +- - extensions/libip6t_mh.c | 2 +- - extensions/libip6t_rt.c | 7 +++---- - extensions/libipt_DNAT.c | 8 ++------ - extensions/libipt_SNAT.c | 4 +--- - extensions/libxt_dccp.c | 2 +- - extensions/libxt_hashlimit.c | 5 +---- - extensions/libxt_iprange.c | 4 +--- - extensions/libxt_multiport.c | 6 ++---- - extensions/libxt_sctp.c | 4 ++-- - extensions/libxt_set.h | 4 ++-- - extensions/libxt_tcp.c | 4 ++-- - include/xtables.h | 1 + - iptables/iptables-xml.c | 4 ++-- - iptables/nft-cache.c | 4 ++-- - iptables/nft-cmd.c | 13 +++++++------ - iptables/xshared.c | 2 +- - libxtables/xtables.c | 12 ++++++++++++ - libxtables/xtoptions.c | 14 +++----------- - 26 files changed, 60 insertions(+), 73 deletions(-) - -diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c -index acb9bfcdbbd9f..51649ffb3c305 100644 ---- a/extensions/libebt_ip.c -+++ b/extensions/libebt_ip.c -@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) - char *buffer; - char *cp; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); -+ - if ((cp = strchr(buffer, ':')) == NULL) - ports[0] = ports[1] = xtables_parse_port(buffer, NULL); - else { -diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c -index 3cc39271d4658..a686a285c3cb8 100644 ---- a/extensions/libebt_ip6.c -+++ 
b/extensions/libebt_ip6.c -@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports) - char *buffer; - char *cp; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); - if ((cp = strchr(buffer, ':')) == NULL) - ports[0] = ports[1] = xtables_parse_port(buffer, NULL); - else { -diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c -index 81ba572c33c1a..3e9e24474eb61 100644 ---- a/extensions/libebt_stp.c -+++ b/extensions/libebt_stp.c -@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper, - uint32_t low_nr, upp_nr; - int ret = 0; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); -+ - if ((cp = strchr(buffer, ':')) == NULL) { - low_nr = strtoul(buffer, &end, 10); - if (*end || low_nr < min || low_nr > max) { -diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c -index 89c5ceb153250..f1ad81436316b 100644 ---- a/extensions/libip6t_DNAT.c -+++ b/extensions/libip6t_DNAT.c -@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev) - char *arg, *start, *end = NULL, *colon = NULL, *dash, *error; - const struct in6_addr *ip; - -- arg = strdup(orig_arg); -- if (arg == NULL) -- xtables_error(RESOURCE_PROBLEM, "strdup"); -+ arg = xtables_strdup(orig_arg); - - start = strchr(arg, '['); - if (start == NULL) { -diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c -index 7d74b3d76a93c..6d19614c7c708 100644 ---- a/extensions/libip6t_SNAT.c -+++ b/extensions/libip6t_SNAT.c -@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range) - char *arg, *start, *end = NULL, *colon = NULL, *dash, *error; - const struct in6_addr *ip; - -- arg = strdup(orig_arg); -- if (arg == NULL) -- xtables_error(RESOURCE_PROBLEM, "strdup"); -+ arg = xtables_strdup(orig_arg); - - start = strchr(arg, '['); - if (start == NULL) { -diff --git a/extensions/libip6t_dst.c 
b/extensions/libip6t_dst.c -index fe7e3403468ce..bf0e3e436665d 100644 ---- a/extensions/libip6t_dst.c -+++ b/extensions/libip6t_dst.c -@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts) - { - char *buffer, *cp, *next, *range; - unsigned int i; -- -- buffer = strdup(optsstr); -- if (!buffer) -- xtables_error(OTHER_PROBLEM, "strdup failed"); -- -+ -+ buffer = xtables_strdup(optsstr); -+ - for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++) - { - next = strchr(cp, ','); -diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c -index 4cebecfd3d2f5..74e87cda7eea1 100644 ---- a/extensions/libip6t_hbh.c -+++ b/extensions/libip6t_hbh.c -@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts) - { - char *buffer, *cp, *next, *range; - unsigned int i; -- -- buffer = strdup(optsstr); -- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed"); -- -+ -+ buffer = xtables_strdup(optsstr); -+ - for (cp=buffer, i=0; cp && ipflags[i] = 0; -diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c -index 140de2653b1ef..59b34684cc7f7 100644 ---- a/extensions/libxt_sctp.c -+++ b/extensions/libxt_sctp.c -@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring, - char *buffer; - char *cp; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); - DEBUGP("%s\n", portstring); - if ((cp = strchr(buffer, ':')) == NULL) { - ports[0] = ports[1] = xtables_parse_port(buffer, "sctp"); -@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo, - int found = 0; - char *chunk_flags; - -- buffer = strdup(chunks); -+ buffer = xtables_strdup(chunks); - DEBUGP("Buffer: %s\n", buffer); - - SCTP_CHUNKMAP_RESET(einfo->chunkmap); -diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h -index 41dfbd30fc7c1..ad895a7504d9d 100644 ---- a/extensions/libxt_set.h -+++ b/extensions/libxt_set.h -@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info) - static void - parse_dirs_v0(const char 
*opt_arg, struct xt_set_info_v0 *info) - { -- char *saved = strdup(opt_arg); -+ char *saved = xtables_strdup(opt_arg); - char *ptr, *tmp = saved; - int i = 0; - -@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info) - static void - parse_dirs(const char *opt_arg, struct xt_set_info *info) - { -- char *saved = strdup(opt_arg); -+ char *saved = xtables_strdup(opt_arg); - char *ptr, *tmp = saved; - - while (info->dim < IPSET_DIM_MAX && tmp != NULL) { -diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c -index 58f3c0a0c3c28..383e4db5b5e23 100644 ---- a/extensions/libxt_tcp.c -+++ b/extensions/libxt_tcp.c -@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports) - char *buffer; - char *cp; - -- buffer = strdup(portstring); -+ buffer = xtables_strdup(portstring); - if ((cp = strchr(buffer, ':')) == NULL) - ports[0] = ports[1] = xtables_parse_port(buffer, "tcp"); - else { -@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags) - char *ptr; - char *buffer; - -- buffer = strdup(flags); -+ buffer = xtables_strdup(flags); - - for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) { - unsigned int i; -diff --git a/include/xtables.h b/include/xtables.h -index df1eaee326643..107ad7d65e6fc 100644 ---- a/include/xtables.h -+++ b/include/xtables.h -@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t); - extern void *xtables_calloc(size_t, size_t); - extern void *xtables_malloc(size_t); - extern void *xtables_realloc(void *, size_t); -+char *xtables_strdup(const char *); - - extern int xtables_insmod(const char *, const char *, bool); - extern int xtables_load_ko(const char *, bool); -diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c -index 98d03dda98d2b..6cf059fb67292 100644 ---- a/iptables/iptables-xml.c -+++ b/iptables/iptables-xml.c -@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr) - "%s: line %u chain name invalid\n", - prog_name, line); - -- 
chains[nextChain].chain = strdup(chain); -- chains[nextChain].policy = strdup(policy); -+ chains[nextChain].chain = xtables_strdup(chain); -+ chains[nextChain].policy = xtables_strdup(policy); - chains[nextChain].count = *ctr; - chains[nextChain].created = 0; - nextChain++; -diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c -index 6b6e6da40a826..7fd78654b280a 100644 ---- a/iptables/nft-cache.c -+++ b/iptables/nft-cache.c -@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name) - } - - new = xtables_malloc(sizeof(*new)); -- new->name = strdup(name); -+ new->name = xtables_strdup(name); - list_add_tail(&new->head, pos ? &pos->head : list); - } - -@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level, - return; - - if (!req->table) -- req->table = strdup(cmd->table); -+ req->table = xtables_strdup(cmd->table); - else - assert(!strcmp(req->table, cmd->table)); - -diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c -index 9b0c964847615..8dccdd734b156 100644 ---- a/iptables/nft-cmd.c -+++ b/iptables/nft-cmd.c -@@ -11,6 +11,7 @@ - - #include - #include -+#include - #include "nft.h" - #include "nft-cmd.h" - -@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command, - return NULL; - - cmd->command = command; -- cmd->table = strdup(table); -+ cmd->table = xtables_strdup(table); - if (chain) -- cmd->chain = strdup(chain); -+ cmd->chain = xtables_strdup(chain); - cmd->rulenum = rulenum; - cmd->verbose = verbose; - -@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command, - cmd->obj.rule = rule; - - if (!state->target && strlen(state->jumpto) > 0) -- cmd->jumpto = strdup(state->jumpto); -+ cmd->jumpto = xtables_strdup(state->jumpto); - } - - list_add_tail(&cmd->head, &h->cmd_list); -@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain, - if (!cmd) - return 0; - -- cmd->rename = strdup(newname); -+ cmd->rename = 
xtables_strdup(newname); - - nft_cache_level_set(h, NFT_CL_CHAINS, cmd); - -@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table, - if (!cmd) - return 0; - -- cmd->policy = strdup(policy); -+ cmd->policy = xtables_strdup(policy); - if (counters) - cmd->counters = *counters; - -@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table, - if (!cmd) - return 0; - -- cmd->policy = strdup(policy); -+ cmd->policy = xtables_strdup(policy); - - nft_cache_level_set(h, NFT_CL_RULES, cmd); - -diff --git a/iptables/xshared.c b/iptables/xshared.c -index 9a1f465a5a6d3..4027d9240215e 100644 ---- a/iptables/xshared.c -+++ b/iptables/xshared.c -@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted) - xtables_error(PARAMETER_PROBLEM, - "Trying to store NULL argument\n"); - -- store->argv[store->argc] = strdup(what); -+ store->argv[store->argc] = xtables_strdup(what); - store->argvattr[store->argc] = quoted; - store->argv[++store->argc] = NULL; - } -diff --git a/libxtables/xtables.c b/libxtables/xtables.c -index 6947441fec659..1931e3896262a 100644 ---- a/libxtables/xtables.c -+++ b/libxtables/xtables.c -@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size) - return p; - } - -+char *xtables_strdup(const char *s) -+{ -+ char *dup = strdup(s); -+ -+ if (!dup) { -+ perror("ip[6]tables: strdup failed"); -+ exit(1); -+ } -+ -+ return dup; -+} -+ - static char *get_modprobe(void) - { - int procfile; -diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c -index 0dcdf607f4678..9d3ac5c8066cb 100644 ---- a/libxtables/xtoptions.c -+++ b/libxtables/xtoptions.c -@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb) - unsigned int maxiter; - int value; - -- wp_arg = lo_arg = strdup(cb->arg); -- if (lo_arg == NULL) -- xt_params->exit_err(RESOURCE_PROBLEM, "strdup"); -+ wp_arg = lo_arg = xtables_strdup(cb->arg); - - maxiter = entry->size / esize; - if (maxiter == 
0) -@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb) - xtopt_parse_host(cb); - return; - } -- work = strdup(orig_arg); -- if (work == NULL) -- xt_params->exit_err(PARAMETER_PROBLEM, "strdup"); -+ work = xtables_strdup(orig_arg); - p = strchr(work, '/'); /* by def this can't be NULL now */ - *p++ = '\0'; - /* -@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file) - goto out; - } - lmap_this->id = id; -- lmap_this->name = strdup(cur); -- if (lmap_this->name == NULL) { -- free(lmap_this); -- goto out; -- } -+ lmap_this->name = xtables_strdup(cur); - lmap_this->next = NULL; - - if (lmap_prev != NULL) --- -2.31.1 - diff --git a/SOURCES/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch b/SOURCES/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch deleted file mode 100644 index f2ee196..0000000 --- a/SOURCES/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Wed, 2 Jun 2021 15:15:37 +0200
-Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
- strncpy()
-
-If the target buffer does not need to be null-terminated, one may simply
-use memcpy() and thereby avoid any compiler warnings.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
----
- extensions/libxt_string.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
-index 7c6366cbbf1b3..739a8e7fd66b6 100644
---- a/extensions/libxt_string.c
-+++ b/extensions/libxt_string.c
-@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
- {
- /* xt_string does not need \0 at the end of the pattern */
- if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
-- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
-+ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
- info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
- return;
- }
---
-2.31.1
-
diff --git a/SOURCES/0014-iptables-nft-fix-Z-option.patch b/SOURCES/0014-iptables-nft-fix-Z-option.patch
deleted file mode 100644
index 0eca942..0000000
--- a/SOURCES/0014-iptables-nft-fix-Z-option.patch
+++ /dev/null
@@ -1,104 +0,0 @@ -From 176353549f03fd10c731d93e9b37aa05eb210ecb Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Wed, 24 Feb 2021 11:08:02 +0100 -Subject: [PATCH] iptables-nft: fix -Z option - -it zeroes the rule counters, so it needs fully populated cache. -Add a test case to cover this. - -Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands") -Signed-off-by: Florian Westphal -Acked-by: Phil Sutter -(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2) ---- - iptables/nft-cmd.c | 2 +- - .../testcases/iptables/0007-zero-counters_0 | 64 +++++++++++++++++++ - 2 files changed, 65 insertions(+), 1 deletion(-) - create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0 - -diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c -index 8dccdd734b156..a0c76a795e59c 100644 ---- a/iptables/nft-cmd.c -+++ b/iptables/nft-cmd.c -@@ -188,7 +188,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain, - if (!cmd) - return 0; - -- nft_cache_level_set(h, NFT_CL_CHAINS, cmd); -+ nft_cache_level_set(h, NFT_CL_RULES, cmd); - - return 1; - } -diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 -new file mode 100755 -index 0000000000000..36da1907e3b22 ---- /dev/null -+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 -@@ -0,0 +1,64 @@ -+#!/bin/bash -+ -+RC=0 -+COUNTR=$RANDOM$RANDOM -+ -+$XT_MULTI iptables-restore -c < -Date: Fri, 19 Feb 2021 16:54:57 +0100 -Subject: [PATCH] nft: Fix bitwise expression avoidance detection - -Byte-boundary prefix detection was too sloppy: Any data following the -first zero-byte was ignored. Add a follow-up loop making sure there are -no stray bits in the designated host part. 
- -Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches") -Signed-off-by: Phil Sutter -(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba) ---- - iptables/nft-shared.c | 4 +++- - .../testcases/ip6tables/0004-address-masks_0 | 24 +++++++++++++++++++ - 2 files changed, 27 insertions(+), 1 deletion(-) - create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 - -diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c -index 10553ab26823b..c1664b50f9383 100644 ---- a/iptables/nft-shared.c -+++ b/iptables/nft-shared.c -@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset, - { - const unsigned char *m = mask; - bool bitwise = false; -- int i; -+ int i, j; - - for (i = 0; i < len; i++) { - if (m[i] != 0xff) { -@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset, - break; - } - } -+ for (j = i + 1; !bitwise && j < len; j++) -+ bitwise = !!m[j]; - - if (!bitwise) - len = i; -diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 -new file mode 100755 -index 0000000000000..7eb42f08da975 ---- /dev/null -+++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 -@@ -0,0 +1,24 @@ -+#!/bin/bash -+ -+set -e -+ -+$XT_MULTI ip6tables-restore < -Date: Tue, 4 May 2021 16:03:24 +0200 -Subject: [PATCH] extensions: sctp: Fix nftables translation - -If both sport and dport was present, incorrect nft syntax was generated. 
- -Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft") -Signed-off-by: Phil Sutter -(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167) ---- - extensions/libxt_sctp.c | 10 ++++------ - extensions/libxt_sctp.txlate | 10 +++++----- - 2 files changed, 9 insertions(+), 11 deletions(-) - -diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c -index 59b34684cc7f7..5ec1ca618405e 100644 ---- a/extensions/libxt_sctp.c -+++ b/extensions/libxt_sctp.c -@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl, - if (!einfo->flags) - return 0; - -- xt_xlate_add(xl, "sctp "); -- - if (einfo->flags & XT_SCTP_SRC_PORTS) { - if (einfo->spts[0] != einfo->spts[1]) -- xt_xlate_add(xl, "sport%s %u-%u", -+ xt_xlate_add(xl, "sctp sport%s %u-%u", - einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", - einfo->spts[0], einfo->spts[1]); - else -- xt_xlate_add(xl, "sport%s %u", -+ xt_xlate_add(xl, "sctp sport%s %u", - einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", - einfo->spts[0]); - space = " "; -@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl, - - if (einfo->flags & XT_SCTP_DEST_PORTS) { - if (einfo->dpts[0] != einfo->dpts[1]) -- xt_xlate_add(xl, "%sdport%s %u-%u", space, -+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space, - einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", - einfo->dpts[0], einfo->dpts[1]); - else -- xt_xlate_add(xl, "%sdport%s %u", space, -+ xt_xlate_add(xl, "%ssctp dport%s %u", space, - einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", - einfo->dpts[0]); - } -diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate -index 72f4641ab021c..0d6c59e183675 100644 ---- a/extensions/libxt_sctp.txlate -+++ b/extensions/libxt_sctp.txlate -@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! 
--dport 50:56 -j ACCEPT - nft add rule ip filter INPUT sctp dport != 50-56 counter accept - - iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT --nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept -+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept - - iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT --nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept -+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept - - iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT --nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept -+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept - - iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT --nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept -+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept - - iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT --nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept -+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept --- -2.31.1 - diff --git a/SOURCES/0018-nft-cache-Sort-chains-on-demand-only.patch b/SOURCES/0018-nft-cache-Sort-chains-on-demand-only.patch deleted file mode 100644 index 22f0f2b..0000000 --- a/SOURCES/0018-nft-cache-Sort-chains-on-demand-only.patch +++ /dev/null 
@@ -1,211 +0,0 @@ -From 743bcc5a632c7f5058ac03794f82b7ba52091cea Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 25 Mar 2021 16:24:39 +0100 -Subject: [PATCH] nft: cache: Sort chains on demand only - -Mandatory sorted insert of chains into cache significantly slows down -restoring of large rulesets. Since the sorted list of user-defined -chains is needed for listing and verbose output only, introduce -nft_cache_sort_chains() and call it where needed. - -Signed-off-by: Phil Sutter -(cherry picked from commit fdf64dcdace989589bac441805082e3b1fe6a915) ---- - iptables/nft-cache.c | 71 +++++++++++++++++++++++++++++++++-------- - iptables/nft-cache.h | 1 + - iptables/nft.c | 12 +++++++ - iptables/nft.h | 1 + - iptables/xtables-save.c | 1 + - 5 files changed, 73 insertions(+), 13 deletions(-) - -diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c -index 7fd78654b280a..2c88301cc7445 100644 ---- a/iptables/nft-cache.c -+++ b/iptables/nft-cache.c -@@ -223,24 +223,67 @@ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t, - - h->cache->table[t->type].base_chains[hooknum] = nc; - } else { -- struct nft_chain_list *clist = h->cache->table[t->type].chains; -- struct list_head *pos = &clist->list; -- struct nft_chain *cur; -- const char *n; -- -- list_for_each_entry(cur, &clist->list, head) { -- n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME); -- if (strcmp(cname, n) <= 0) { -- pos = &cur->head; -- break; -- } -- } -- list_add_tail(&nc->head, pos); -+ list_add_tail(&nc->head, -+ &h->cache->table[t->type].chains->list); - } - hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname)); - return 0; - } - -+static void __nft_chain_list_sort(struct list_head *list, -+ int (*cmp)(struct nft_chain *a, -+ struct nft_chain *b)) -+{ -+ struct nft_chain *pivot, *cur, *sav; -+ LIST_HEAD(sublist); -+ -+ if (list_empty(list)) -+ return; -+ -+ /* grab first item as pivot (dividing) value */ -+ pivot = list_entry(list->next, struct nft_chain, head); -+ 
list_del(&pivot->head); -+ -+ /* move any smaller value into sublist */ -+ list_for_each_entry_safe(cur, sav, list, head) { -+ if (cmp(pivot, cur) > 0) { -+ list_del(&cur->head); -+ list_add_tail(&cur->head, &sublist); -+ } -+ } -+ /* conquer divided */ -+ __nft_chain_list_sort(&sublist, cmp); -+ __nft_chain_list_sort(list, cmp); -+ -+ /* merge divided and pivot again */ -+ list_add_tail(&pivot->head, &sublist); -+ list_splice(&sublist, list); -+} -+ -+static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b) -+{ -+ const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME); -+ const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME); -+ -+ return strcmp(aname, bname); -+} -+ -+int nft_cache_sort_chains(struct nft_handle *h, const char *table) -+{ -+ const struct builtin_table *t = nft_table_builtin_find(h, table); -+ -+ if (!t) -+ return -1; -+ -+ if (h->cache->table[t->type].sorted) -+ return 0; -+ -+ __nft_chain_list_sort(&h->cache->table[t->type].chains->list, -+ nft_chain_cmp_byname); -+ h->cache->table[t->type].sorted = true; -+ return 0; -+} -+ - struct nftnl_chain_list_cb_data { - struct nft_handle *h; - const struct builtin_table *t; -@@ -663,6 +706,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c, - - flush_base_chain_cache(c->table[table->type].base_chains); - nft_chain_foreach(h, tablename, __flush_chain_cache, NULL); -+ c->table[table->type].sorted = false; - - if (c->table[table->type].sets) - nftnl_set_list_foreach(c->table[table->type].sets, -@@ -678,6 +722,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c, - if (c->table[i].chains) { - nft_chain_list_free(c->table[i].chains); - c->table[i].chains = NULL; -+ c->table[i].sorted = false; - } - - if (c->table[i].sets) { -diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h -index 20d96beede876..58a015265056c 100644 ---- a/iptables/nft-cache.h -+++ b/iptables/nft-cache.h -@@ -16,6 +16,7 @@ int flush_rule_cache(struct 
nft_handle *h, const char *table, - void nft_cache_build(struct nft_handle *h); - int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t, - struct nftnl_chain *c); -+int nft_cache_sort_chains(struct nft_handle *h, const char *table); - - struct nft_chain * - nft_chain_find(struct nft_handle *h, const char *table, const char *chain); -diff --git a/iptables/nft.c b/iptables/nft.c -index bde4ca72d3fcc..8b14daeaed610 100644 ---- a/iptables/nft.c -+++ b/iptables/nft.c -@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, - return 1; - } - -+ nft_cache_sort_chains(h, table); -+ - ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d); - - /* the core expects 1 for success and 0 for error */ -@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain, - goto out; - } - -+ if (verbose) -+ nft_cache_sort_chains(h, table); -+ - ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d); - out: - /* the core expects 1 for success and 0 for error */ -@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, - return 1; - } - -+ nft_cache_sort_chains(h, table); -+ - if (ops->print_table_header) - ops->print_table_header(table); - -@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, - return nft_rule_list_cb(c, &d); - } - -+ nft_cache_sort_chains(h, table); -+ - /* Dump policies and custom chains first */ - nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters); - -@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain, - goto err; - } - -+ if (verbose) -+ nft_cache_sort_chains(h, table); -+ - ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d); - err: - /* the core expects 1 for success and 0 for error */ -diff --git a/iptables/nft.h b/iptables/nft.h -index 0910f82a2773c..4ac7e0099d567 100644 ---- a/iptables/nft.h -+++ b/iptables/nft.h -@@ -44,6 
+44,7 @@ struct nft_cache { - struct nft_chain_list *chains; - struct nftnl_set_list *sets; - bool exists; -+ bool sorted; - } table[NFT_TABLE_MAX]; - }; - -diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c -index d7901c650ea70..cfce0472f3ee8 100644 ---- a/iptables/xtables-save.c -+++ b/iptables/xtables-save.c -@@ -87,6 +87,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data) - printf("*%s\n", tablename); - /* Dump out chain names first, - * thereby preventing dependency conflicts */ -+ nft_cache_sort_chains(h, tablename); - nft_chain_foreach(h, tablename, nft_chain_save, h); - nft_rule_save(h, tablename, d->format); - if (d->commit) --- -2.31.1 - diff --git a/SOURCES/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch b/SOURCES/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch deleted file mode 100644 index cca6d8c..0000000 --- a/SOURCES/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch +++ /dev/null 
@@ -1,56 +0,0 @@
-From 663151585d25996baee985b9b77b58627de16531 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 6 Apr 2021 10:51:20 +0200
-Subject: [PATCH] nft: Increase BATCH_PAGE_SIZE to support huge rulesets
-
-In order to support the same ruleset sizes as legacy iptables, the
-kernel's limit of 1024 iovecs has to be overcome. Therefore increase
-each iovec's size from 128KB to 2MB.
-
-While being at it, add a log message for failing sendmsg() call. This is
-not supposed to happen, even if the transaction fails. Yet if it does,
-users are left with only a "line XXX failed" message (with line number
-being the COMMIT line).
-
-Signed-off-by: Phil Sutter
-Signed-off-by: Florian Westphal
-(cherry picked from commit a3e81c62e8c5abb4158f1f66df6bbcffd1b33240)
----
- iptables/nft.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/iptables/nft.c b/iptables/nft.c
-index 8b14daeaed610..f1deb82f87576 100644
---- a/iptables/nft.c
-+++ b/iptables/nft.c
-@@ -88,11 +88,11 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
-
- #define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize())
-
--/* selected batch page is 256 Kbytes long to load ruleset of
-- * half a million rules without hitting -EMSGSIZE due to large
-- * iovec.
-+/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M
-+ * rules matching on source and destination address as well as input and output
-+ * interfaces. This is what legacy iptables supports.
- */
--#define BATCH_PAGE_SIZE getpagesize() * 32
-+#define BATCH_PAGE_SIZE 2 * 1024 * 1024
-
- static struct nftnl_batch *mnl_batch_init(void)
- {
-@@ -220,8 +220,10 @@ static int mnl_batch_talk(struct nft_handle *h, int numcmds)
- int err = 0;
-
- ret = mnl_nft_socket_sendmsg(h, numcmds);
-- if (ret == -1)
-+ if (ret == -1) {
-+ fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));
- return -1;
-+ }
-
- FD_ZERO(&readfds);
- FD_SET(fd, &readfds);
---
-2.31.1
-
diff --git a/SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch b/SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
deleted file mode 100644
index 9ad1e18..0000000
--- a/SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 000c159641522abf56ccb4deebfc558e8bb41302 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 31 Aug 2021 12:26:20 +0200
-Subject: [PATCH] nft: Use xtables_malloc() in mnl_err_list_node_add()
-
-The function called malloc() without checking for memory allocation
-failure. Simply replace the call by xtables_malloc() to fix that.
-
-Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API")
-Signed-off-by: Phil Sutter
-(cherry picked from commit ca11c7b7036b5821c17b8d08dc2a29f55b461a93)
----
- iptables/nft.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/nft.c b/iptables/nft.c
-index f1deb82f87576..83054e528cae1 100644
---- a/iptables/nft.c
-+++ b/iptables/nft.c
-@@ -143,7 +143,7 @@ struct mnl_err {
- static void mnl_err_list_node_add(struct list_head *err_list, int error,
- int seqnum)
- {
-- struct mnl_err *err = malloc(sizeof(struct mnl_err));
-+ struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));
-
- err->seqnum = seqnum;
- err->err = error;
---
-2.33.0
-
diff --git a/SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch b/SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
deleted file mode 100644
index 377486a..0000000
--- a/SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
+++ /dev/null
@@ -1,130 +0,0 @@ -From f73416517ac7bb6868ff4c0199fcd4327c9dffa5 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 28 Jul 2021 17:53:53 +0200 -Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options - -Drop any reference to them (and the environment variable) but list them -in BUGS section hinting at ebtables-save and -restore tools. - -Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page") -Signed-off-by: Phil Sutter -Acked-by: Pablo Neira Ayuso -(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39) ---- - iptables/ebtables-nft.8 | 64 ++++++----------------------------------- - 1 file changed, 8 insertions(+), 56 deletions(-) - -diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 -index 5bdc0bb8a939e..85f6738d7d1aa 100644 ---- a/iptables/ebtables-nft.8 -+++ b/iptables/ebtables-nft.8 -@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based) - .br - .BR "ebtables " [ -t " table ] " --init-table - .br --.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit --.br --.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init --.br --.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save --.br - - .SH DESCRIPTION - .PP -@@ -162,11 +156,9 @@ a table, the commands apply to the default filter table. - Only one command may be used on the command line at a time, except when - the commands - .BR -L " and " -Z --are combined, the commands -+are combined or the commands - .BR -N " and " -P --are combined, or when --.B --atomic-file --is used. -+are combined. - .TP - .B "-A, --append" - Append a rule to the end of the selected chain. -@@ -326,39 +318,6 @@ of the ebtables kernel table. - .TP - .B "--init-table" - Replace the current table data by the initial table data. --.TP --.B "--atomic-init" --Copy the kernel's initial data of the table to the specified --file. This can be used as the first action, after which rules are added --to the file. 
The file can be specified using the --.B --atomic-file --command or through the --.IR EBTABLES_ATOMIC_FILE " environment variable." --.TP --.B "--atomic-save" --Copy the kernel's current data of the table to the specified --file. This can be used as the first action, after which rules are added --to the file. The file can be specified using the --.B --atomic-file --command or through the --.IR EBTABLES_ATOMIC_FILE " environment variable." --.TP --.B "--atomic-commit" --Replace the kernel table data with the data contained in the specified --file. This is a useful command that allows you to load all your rules of a --certain table into the kernel at once, saving the kernel a lot of precious --time and allowing atomic updates of the tables. The file which contains --the table data is constructed by using either the --.B "--atomic-init" --or the --.B "--atomic-save" --command to generate a starting file. After that, using the --.B "--atomic-file" --command when constructing rules or setting the --.IR EBTABLES_ATOMIC_FILE " environment variable" --allows you to extend the file and build the complete table before --committing it to the kernel. This command can be very useful in boot scripts --to populate the ebtables tables in a fast way. - .SS MISCELLANOUS COMMANDS - .TP - .B "-V, --version" -@@ -384,16 +343,6 @@ a target extension (see - .BR "TARGET EXTENSIONS" ")" - or a user-defined chain name. - .TP --.B --atomic-file "\fIfile\fP" --Let the command operate on the specified --.IR file . --The data of the table to --operate on will be extracted from the file and the result of the operation --will be saved back into the file. If specified, this option should come --before the command specification. An alternative that should be preferred, --is setting the --.IR EBTABLES_ATOMIC_FILE " environment variable." 
--.TP - .B -M, --modprobe "\fIprogram\fP" - When talking to the kernel, use this - .I program -@@ -1113,8 +1062,6 @@ arp message and the hardware address length in the arp header is 6 bytes. - .br - .SH FILES - .I /etc/ethertypes --.SH ENVIRONMENT VARIABLES --.I EBTABLES_ATOMIC_FILE - .SH MAILINGLISTS - .BR "" "See " http://netfilter.org/mailinglists.html - .SH BUGS -@@ -1122,7 +1069,12 @@ The version of ebtables this man page ships with does not support the - .B broute - table. Also there is no support for - .B string --match. And finally, this list is probably not complete. -+match. Further, support for atomic-options -+.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit ) -+has not been implemented, although -+.BR ebtables-save " and " ebtables-restore -+might replace them entirely given the inherent atomicity of nftables. -+Finally, this list is probably not complete. - .SH SEE ALSO - .BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8) - .PP --- -2.33.0 - diff --git a/SOURCES/0022-ebtables-Dump-atomic-waste.patch b/SOURCES/0022-ebtables-Dump-atomic-waste.patch deleted file mode 100644 index b5be6cb..0000000 --- a/SOURCES/0022-ebtables-Dump-atomic-waste.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From cb68daac1f24c94a48450a683a5f765dc00da164 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 30 Jul 2021 12:25:10 +0200 -Subject: [PATCH] ebtables: Dump atomic waste - -With ebtables-nft.8 now educating people about the missing -functionality, get rid of atomic remains in source code. This eliminates -mostly comments except for --atomic-commit which was treated as alias of ---init-table. People not using the latter are probably trying to -atomic-commit from an atomic-file which in turn is not supported, so no -point keeping it. - -Signed-off-by: Phil Sutter -(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0) ---- - iptables/xtables-eb.c | 53 ------------------------------------------- - 1 file changed, 53 deletions(-) - -diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c -index 5bb34d6d292a9..aeb4d92166431 100644 ---- a/iptables/xtables-eb.c -+++ b/iptables/xtables-eb.c -@@ -211,10 +211,6 @@ struct option ebt_original_options[] = - { "new-chain" , required_argument, 0, 'N' }, - { "rename-chain" , required_argument, 0, 'E' }, - { "delete-chain" , optional_argument, 0, 'X' }, -- { "atomic-init" , no_argument , 0, 7 }, -- { "atomic-commit" , no_argument , 0, 8 }, -- { "atomic-file" , required_argument, 0, 9 }, -- { "atomic-save" , no_argument , 0, 10 }, - { "init-table" , no_argument , 0, 11 }, - { "concurrent" , no_argument , 0, 13 }, - { 0 } -@@ -320,10 +316,6 @@ static void print_help(const struct xtables_target *t, - "--new-chain -N chain : create a user defined chain\n" - "--rename-chain -E old new : rename a chain\n" - "--delete-chain -X [chain] : delete a user defined chain\n" --"--atomic-commit : update the kernel w/t table contained in \n" --"--atomic-init : put the initial kernel table into \n" --"--atomic-save : put the current kernel table into \n" --"--atomic-file file : set to file\n\n" - "Options:\n" - "--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n" - "--src -s [!] 
address[/mask]: source mac address\n" -@@ -1088,54 +1080,9 @@ print_zero: - "Use --Lmac2 with -L"); - flags |= LIST_MAC2; - break; -- case 8 : /* atomic-commit */ --/* -- replace->command = c; -- if (OPT_COMMANDS) -- ebt_print_error2("Multiple commands are not allowed"); -- replace->flags |= OPT_COMMAND; -- if (!replace->filename) -- ebt_print_error2("No atomic file specified");*/ -- /* Get the information from the file */ -- /*ebt_get_table(replace, 0);*/ -- /* We don't want the kernel giving us its counters, -- * they would overwrite the counters extracted from -- * the file */ -- /*replace->num_counters = 0;*/ -- /* Make sure the table will be written to the kernel */ -- /*free(replace->filename); -- replace->filename = NULL; -- break;*/ -- /*case 7 :*/ /* atomic-init */ -- /*case 10:*/ /* atomic-save */ - case 11: /* init-table */ - nft_cmd_table_flush(h, *table, false); - return 1; -- /* -- replace->command = c; -- if (OPT_COMMANDS) -- ebt_print_error2("Multiple commands are not allowed"); -- if (c != 11 && !replace->filename) -- ebt_print_error2("No atomic file specified"); -- replace->flags |= OPT_COMMAND; -- { -- char *tmp = replace->filename;*/ -- -- /* Get the kernel table */ -- /*replace->filename = NULL; -- ebt_get_kernel_table(replace, c == 10 ? 0 : 1); -- replace->filename = tmp; -- } -- break; -- case 9 :*/ /* atomic */ -- /* -- if (OPT_COMMANDS) -- ebt_print_error2("--atomic has to come before the command");*/ -- /* A possible memory leak here, but this is not -- * executed in daemon mode */ -- /*replace->filename = (char *)malloc(strlen(optarg) + 1); -- strcpy(replace->filename, optarg); -- break; */ - case 13 : - break; - case 1 : --- -2.33.0 - diff --git a/SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch b/SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch deleted file mode 100644 index da2f873..0000000 --- a/SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-From 5b88835a68a886f58c230599a82a6588f6fc5214 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 3 Aug 2021 10:55:20 +0200
-Subject: [PATCH] nft: Fix for non-verbose check command
-
-Check command was unconditionally verbose since v1.8.5. Make it respect
---verbose option again.
-
-Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
-Signed-off-by: Phil Sutter
-(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0)
----
- iptables/nft.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/iptables/nft.c b/iptables/nft.c
-index 83054e528cae1..a470939db54fb 100644
---- a/iptables/nft.c
-+++ b/iptables/nft.c
-@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
- case NFT_COMPAT_RULE_CHECK:
- assert_chain_exists(h, cmd->table, cmd->jumpto);
- ret = nft_rule_check(h, cmd->chain, cmd->table,
-- cmd->obj.rule, cmd->rulenum);
-+ cmd->obj.rule, cmd->verbose);
- break;
- case NFT_COMPAT_RULE_ZERO:
- ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
---
-2.33.0
-
diff --git a/SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch b/SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
deleted file mode 100644
index 3b6b62f..0000000
--- a/SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 5d5c82f9bbdc8326132333f7713dfb5d457aafab Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Tue, 3 Aug 2021 11:32:34 +0200
-Subject: [PATCH] tests/shell: Assert non-verbose mode is silent
-
-Unexpected output from iptables commands might mess up error-checking in
-scripts for instance, so do a quick test of the most common commands.
-
-Note: Test adds two rules to make sure flush command operates on a
-non-empty chain.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 8629c53f933a16f1d68d19fb163c879453a3dcf2)
----
- .../shell/testcases/iptables/0002-verbose-output_0 | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
-index b1ef91f61f481..5d2af4c8d2ab2 100755
---- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
-+++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
-@@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar)
- diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar)
-
- diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar)
-+
-+# make sure non-verbose mode is silent
-+diff -u <(echo -n "") <(
-+ $XT_MULTI iptables -N foobar
-+ $XT_MULTI iptables -A foobar $RULE1
-+ $XT_MULTI iptables -A foobar $RULE2
-+ $XT_MULTI iptables -C foobar $RULE1
-+ $XT_MULTI iptables -D foobar $RULE2
-+ $XT_MULTI iptables -F foobar
-+ $XT_MULTI iptables -X foobar
-+)
---
-2.33.0
-
diff --git a/SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch b/SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch
deleted file mode 100644
index c40010b..0000000
--- a/SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch
+++ /dev/null
@@ -1,177 +0,0 @@
-From 6415593af4223ea082e0086ec1088f0eacfbce78 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 29 Apr 2021 15:28:59 +0200
-Subject: [PATCH] extensions: SECMARK: Implement revision 1
-
-The changed data structure for communication with kernel allows to
-exclude the field 'secid' which is populated on kernel side. Thus
-this fixes the formerly always failing extension comparison breaking
-rule check and rule delete by content.
-
-Signed-off-by: Phil Sutter
-(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
---
- extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
- extensions/libxt_SECMARK.t | 4 ++
- include/linux/netfilter/xt_SECMARK.h | 6 ++
- 3 files changed, 80 insertions(+), 20 deletions(-)
- create mode 100644 extensions/libxt_SECMARK.t
-
-diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
-index 6ba8606355daa..24249bd618ffe 100644
---- a/extensions/libxt_SECMARK.c
-+++ b/extensions/libxt_SECMARK.c
-@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
- XTOPT_TABLEEND,
- };
-
-+static const struct xt_option_entry SECMARK_opts_v1[] = {
-+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
-+ .flags = XTOPT_MAND | XTOPT_PUT,
-+ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
-+ XTOPT_TABLEEND,
-+};
-+
- static void SECMARK_parse(struct xt_option_call *cb)
- {
- struct xt_secmark_target_info *info = cb->data;
-@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
- info->mode = SECMARK_MODE_SEL;
- }
-
--static void print_secmark(const struct xt_secmark_target_info *info)
-+static void SECMARK_parse_v1(struct xt_option_call *cb)
-+{
-+ struct xt_secmark_target_info_v1 *info = cb->data;
-+
-+ xtables_option_parse(cb);
-+ info->mode = SECMARK_MODE_SEL;
-+}
-+
-+static void print_secmark(__u8 mode, const char *secctx)
- {
-- switch (info->mode) {
-+ switch (mode) {
- case SECMARK_MODE_SEL:
-- printf("selctx %s", info->secctx);
-+ printf("selctx %s", secctx);
- break;
--
-+
- default:
-- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
-+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
- }
- }
-
-@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
- (struct xt_secmark_target_info*)(target)->data;
-
- printf(" SECMARK ");
-- print_secmark(info);
-+ print_secmark(info->mode, info->secctx);
-+}
-+
-+static void SECMARK_print_v1(const void *ip,
-+ const struct xt_entry_target *target, int numeric)
-+{
-+ const struct xt_secmark_target_info_v1 *info =
-+ (struct xt_secmark_target_info_v1 *)(target)->data;
-+
-+ printf(" SECMARK ");
-+ print_secmark(info->mode, info->secctx);
- }
-
- static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
-@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
- (struct xt_secmark_target_info*)target->data;
-
- printf(" --");
-- print_secmark(info);
-+ print_secmark(info->mode, info->secctx);
- }
-
--static struct xtables_target secmark_target = {
-- .family = NFPROTO_UNSPEC,
-- .name = "SECMARK",
-- .version = XTABLES_VERSION,
-- .revision = 0,
-- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
-- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
-- .help = SECMARK_help,
-- .print = SECMARK_print,
-- .save = SECMARK_save,
-- .x6_parse = SECMARK_parse,
-- .x6_options = SECMARK_opts,
-+static void SECMARK_save_v1(const void *ip,
-+ const struct xt_entry_target *target)
-+{
-+ const struct xt_secmark_target_info_v1 *info =
-+ (struct xt_secmark_target_info_v1 *)target->data;
-+
-+ printf(" --");
-+ print_secmark(info->mode, info->secctx);
-+}
-+
-+static struct xtables_target secmark_tg_reg[] = {
-+ {
-+ .family = NFPROTO_UNSPEC,
-+ .name = "SECMARK",
-+ .version = XTABLES_VERSION,
-+ .revision = 0,
-+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
-+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
-+ .help = SECMARK_help,
-+ .print = SECMARK_print,
-+ .save = SECMARK_save,
-+ .x6_parse = SECMARK_parse,
-+ .x6_options = SECMARK_opts,
-+ },
-+ {
-+ .family = NFPROTO_UNSPEC,
-+ .name = "SECMARK",
-+ .version = XTABLES_VERSION,
-+ .revision = 1,
-+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
-+ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
-+ .help = SECMARK_help,
-+ .print = SECMARK_print_v1,
-+ .save = SECMARK_save_v1,
-+ .x6_parse = SECMARK_parse_v1,
-+ .x6_options = SECMARK_opts_v1,
-+ }
- };
-
- void _init(void)
- {
-- xtables_register_target(&secmark_target);
-+ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
- }
-diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
-new file mode 100644
-index 0000000000000..39d4c09348bf4
---- /dev/null
-+++ b/extensions/libxt_SECMARK.t
-@@ -0,0 +1,4 @@
-+:INPUT,FORWARD,OUTPUT
-+*security
-+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
-+-j SECMARK;;FAIL
-diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
-index 989092bd6274b..31760a286a854 100644
---- a/include/linux/netfilter/xt_SECMARK.h
-+++ b/include/linux/netfilter/xt_SECMARK.h
-@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
- char secctx[SECMARK_SECCTX_MAX];
- };
-
-+struct xt_secmark_target_info_v1 {
-+ __u8 mode;
-+ char secctx[SECMARK_SECCTX_MAX];
-+ __u32 secid;
-+};
-+
- #endif /*_XT_SECMARK_H_target */
---
-2.34.1
-
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index b6b263a..30558d0 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@@ -15,8 +15,8 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
-Version: 1.8.7
-Release: 28%{?dist}
+Version: 1.8.8
+Release: 4%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -29,32 +29,12 @@ Source8: ebtables-helper
 Source9: ebtables.service
 Source10: ebtables-config
-Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
-Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
-Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
-Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
-Patch5: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
-Patch6: 0006-extensions-libebt_ip6-Drop-unused-variables.patch
-Patch7: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
-Patch8: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
-Patch9: 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
-Patch10: 0010-iptables-apply-Drop-unused-variable.patch
-Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
-Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
-Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
-Patch14: 0014-iptables-nft-fix-Z-option.patch
-Patch15: 0015-nft-Fix-bitwise-expression-avoidance-detection.patch
-Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch
-Patch17: 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
-Patch18: 0018-nft-cache-Sort-chains-on-demand-only.patch
-Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
-Patch20: 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
-Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
-Patch22: 0022-ebtables-Dump-atomic-waste.patch
-Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
-Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
-Patch25: 0025-extensions-SECMARK-Implement-revision-1.patch
-Patch26: 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
+Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch
+Patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
+Patch05: 0005-arptables-Support-x-exact-flag.patch
+Patch06: 0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -72,7 +52,7 @@ BuildRequires: bison
 BuildRequires: flex
 BuildRequires: gcc
 BuildRequires: pkgconfig(libmnl) >= 1.0
-BuildRequires: pkgconfig(libnftnl) >= 1.1.5
+BuildRequires: pkgconfig(libnftnl) >= 1.1.6
 # libpcap-devel for nfbpf_compile
 BuildRequires: libpcap-devel
 BuildRequires: autoconf
@@ -470,6 +450,30 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 %changelog
+* Tue Jul 05 2022 Phil Sutter - 1.8.8-4
+- libxtables: Fix unsupported extension warning corner case
+
+* Wed Jun 08 2022 Phil Sutter - 1.8.8-3
+- arptables: Support -x/--exact flag
+
+* Thu Jun 02 2022 Phil Sutter - 1.8.8-2
+- tests: shell: Check overhead in iptables-save and -restore
+
+* Fri May 13 2022 Phil Sutter - 1.8.8-1
+- new version
+
+* Fri Mar 18 2022 Phil Sutter - 1.8.7-30
+- Use proto_to_name() from xshared in more places
+
+* Fri Mar 18 2022 Phil Sutter - 1.8.7-29
+- libxtables: Boost rule target checks by announcing chain names
+- libxtables: Implement notargets hash table
+- nft: Reject standard targets as chain names when restoring
+- xshared: Merge and share parse_chain()
+- xshared: Prefer xtables_chain_protos lookup over getprotoent
+- nft: Speed up immediate parsing
+- nft: Simplify immediate parsing
+
 * Wed Feb 16 2022 Phil Sutter - 1.8.7-28
 - extensions: SECMARK: Use a better context in test case
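Review bot: The patch-list hunk drops 24 of the 26 downstream patches (only the former Patch17 and Patch26 survive, renumbered as Patch01 and Patch02) without recording anywhere in the spec why they are no longer needed, and the matching `1.8.8-1` changelog entry in the last hunk says only `new version`. Presumably those patches were merged upstream in 1.8.8, but a reader auditing the security-relevant backports among them (the memleak, buffer-size, SECMARK revision 1 and non-verbose check fixes) cannot confirm that from this file and would have to diff the upstream tarballs. A comment above the patch list, e.g. `# Backports carried in 1.8.7-28 (0001-0016, 0018-0025) were dropped as merged upstream in 1.8.8`, or a fuller `1.8.8-1` changelog entry naming them, would preserve that rationale. The libnftnl minimum bump to 1.1.6 in the BuildRequires hunk likewise lacks a one-line note on which new upstream feature requires it.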