rpms/iptables
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import iptables-1.8.8-4.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-09-27 09:56:33 -04:00 committed by Stepan Oksanichenko
parent 9acc21c0be
commit 806586224b
33 changed files with 261 additions and 2549 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/iptables-1.8.7.tar.bz2 SOURCES/iptables-1.8.8.tar.bz2

2
.iptables.metadata
View File

@ -1 +1 @@
05ef75415cb7cb7641f51d51e74f3ea29cc31ab1 SOURCES/iptables-1.8.7.tar.bz2 98783621a5e58ff55f83b1350523f3de41af621d SOURCES/iptables-1.8.8.tar.bz2

22
SOURCES/0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch → SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
View File

@ -1,4 +1,4 @@
From 635e4c4e7f3581a7cc8c04244ae3de239ad84935 Mon Sep 17 00:00:00 2001 From 7ef75f20c338d0f09b50633aa0d5d83c868015ab Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com> From: Phil Sutter <psutter@redhat.com>
Date: Thu, 17 Jun 2021 18:44:28 +0200 Date: Thu, 17 Jun 2021 18:44:28 +0200
Subject: [PATCH] doc: Add deprecation notices to all relevant man pages Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
@ -116,10 +116,10 @@ index ea31e0842acd4..ec5b993a41e8b 100644
.PP .PP
.BR "" "See " https://wiki.nftables.org .BR "" "See " https://wiki.nftables.org
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 1fa5ad9388cc0..5bdc0bb8a939e 100644 index d75aae240bc05..ed1bf8f2db55b 100644
--- a/iptables/ebtables-nft.8 --- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8 +++ b/iptables/ebtables-nft.8
@@ -52,6 +52,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based) @@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
.br .br
.SH DESCRIPTION .SH DESCRIPTION
@ -139,9 +139,9 @@ index 1fa5ad9388cc0..5bdc0bb8a939e 100644
.B ebtables .B ebtables
is an application program used to set up and maintain the is an application program used to set up and maintain the
tables of rules (inside the Linux kernel) that inspect tables of rules (inside the Linux kernel) that inspect
@@ -1111,6 +1124,6 @@ table. Also there is no support for @@ -1069,6 +1082,6 @@ has not been implemented, although
.B string might replace them entirely given the inherent atomicity of nftables.
match. And finally, this list is probably not complete. Finally, this list is probably not complete.
.SH SEE ALSO .SH SEE ALSO
-.BR xtables-nft "(8), " iptables "(8), " ip (8) -.BR xtables-nft "(8), " iptables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8) +.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
@ -205,7 +205,7 @@ index 99d89a1fe44ad..73d40bbfe9c52 100644
iptables can use extended packet matching modules iptables can use extended packet matching modules
with the \fB\-m\fP or \fB\-\-match\fP with the \fB\-m\fP or \fB\-\-match\fP
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index b4b62f92740d1..1bbf7a0d98d0a 100644 index 20216842d8358..8f4811c72f2ec 100644
--- a/iptables/iptables-restore.8.in --- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in
@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables @@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
@ -228,7 +228,7 @@ index b4b62f92740d1..1bbf7a0d98d0a 100644
.PP .PP
.B iptables-restore .B iptables-restore
and and
@@ -87,7 +100,9 @@ from Rusty Russell. @@ -81,7 +94,9 @@ from Rusty Russell.
.br .br
Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore. Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
.SH SEE ALSO .SH SEE ALSO
@ -273,7 +273,7 @@ index 7683fd3780f72..6fe50b2d446e5 100644
The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
which details NAT, and the netfilter-hacking-HOWTO which details the which details NAT, and the netfilter-hacking-HOWTO which details the
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 999cf339845f9..895cc7b111eb9 100644 index 627ff0e4da7a4..a8b31206d45b2 100644
--- a/iptables/iptables.8.in --- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in +++ b/iptables/iptables.8.in
@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP] @@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
@ -308,7 +308,7 @@ index 999cf339845f9..895cc7b111eb9 100644
The packet-filtering-HOWTO details iptables usage for The packet-filtering-HOWTO details iptables usage for
packet filtering, the NAT-HOWTO details NAT, packet filtering, the NAT-HOWTO details NAT,
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
index b647a79eb64ed..bbccf009e8269 100644 index a7f22c0d8c08e..e21d7ff23035f 100644
--- a/iptables/xtables-monitor.8.in --- a/iptables/xtables-monitor.8.in
+++ b/iptables/xtables-monitor.8.in +++ b/iptables/xtables-monitor.8.in
@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events @@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
@ -330,5 +330,5 @@ index b647a79eb64ed..bbccf009e8269 100644
.B xtables-monitor .B xtables-monitor
is used to monitor changes to the ruleset or to show rule evaluation events is used to monitor changes to the ruleset or to show rule evaluation events
-- --
2.32.0 2.34.1

51
SOURCES/0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
View File

@ -1,51 +0,0 @@
From cf2d347fe9cc384d4453a2a379e0dde8b97d081f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 28 Jan 2021 01:09:56 +0100
Subject: [PATCH] ebtables: Exit gracefully on invalid table names
Users are able to cause program abort by passing a table name that
doesn't exist:
| # ebtables-nft -t dummy -P INPUT ACCEPT
| ebtables: nft-cache.c:455: fetch_chain_cache: Assertion `t' failed.
| Aborted
Avoid this by checking table existence just like iptables-nft does upon
parsing '-t' optarg. Since the list of tables is known and fixed,
checking the given name's length is pointless. So just drop that check
in return.
With this patch in place, output looks much better:
| # ebtables-nft -t dummy -P INPUT ACCEPT
| ebtables v1.8.7 (nf_tables): table 'dummy' does not exist
| Perhaps iptables or your kernel needs to be upgraded.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 30c1d443896311e69762d6b51b63908ec602574f)
---
iptables/xtables-eb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index cfa9317c78e94..5bb34d6d292a9 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -914,10 +914,10 @@ print_zero:
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be used in %s.\n",
line, xt_params->program_name);
- if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
- xtables_error(PARAMETER_PROBLEM,
- "Table name length cannot exceed %d characters",
- EBT_TABLE_MAXNAMELEN - 1);
+ if (!nft_table_builtin_find(h, optarg))
+ xtables_error(VERSION_PROBLEM,
+ "table '%s' does not exist",
+ optarg);
*table = optarg;
table_set = true;
break;
--
2.31.1

2
SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch → SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
View File

@ -1,4 +1,4 @@
From 45664de1be104ce9716227a0ad11ef2343ece3df Mon Sep 17 00:00:00 2001 From 231626933e5fd54b8d9e66dfc9a8a374a9192121 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com> From: Phil Sutter <psutter@redhat.com>
Date: Fri, 16 Jul 2021 21:51:49 +0200 Date: Fri, 16 Jul 2021 21:51:49 +0200
Subject: [PATCH] extensions: SECMARK: Use a better context in test case Subject: [PATCH] extensions: SECMARK: Use a better context in test case

196
SOURCES/0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
View File

@ -1,196 +0,0 @@
From 14aed83fa22c5322637ec87a18d0d022d34b8d13 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 2 Mar 2021 14:50:07 +0100
Subject: [PATCH] xtables-translate: Fix translation of odd netmasks
Iptables supports netmasks which are not prefixes to match on (or
ignore) arbitrary bits in an address. Yet nftables' prefix notation is
available for real prefixes only, so translation is not as trivial -
print bitmask syntax for those cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae)
---
extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++
extensions/libxt_standard.t | 12 ++++++++++
iptables/nft-ipv4.c | 42 ++++++++++++++++++++++----------
iptables/nft-ipv6.c | 19 ++++++++++++---
4 files changed, 106 insertions(+), 15 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 0e256c3727559..9ae9a5b54c1b9 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0
+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter
+
+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0
+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter
+
+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter
+
+iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter
+
+iptables-translate -I INPUT -s 0.0.0.0/16
+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter
+
+iptables-translate -I INPUT -s 0.0.0.0/0
+nft insert rule ip filter INPUT counter
+
+iptables-translate -I INPUT ! -s 0.0.0.0/0
+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter
+
+ip6tables-translate -I INPUT -i iifname -s feed::/16
+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter
+
+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16
+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter
+
+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00::
+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter
+
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0
+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter
+
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter
+
+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter
+
+ip6tables-translate -I INPUT -s ::/16
+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter
+
+ip6tables-translate -I INPUT -s ::/0
+nft insert rule ip6 filter INPUT counter
+
+ip6tables-translate -I INPUT ! -s ::/0
+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter
+
ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 4313f7b7bac9d..56d6da2e5884e 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -9,3 +9,15 @@
-j ACCEPT;=;OK
-j RETURN;=;OK
! -p 0 -j ACCEPT;=;FAIL
+-s 10.11.12.13/8;-s 10.0.0.0/8;OK
+-s 10.11.12.13/9;-s 10.0.0.0/9;OK
+-s 10.11.12.13/10;-s 10.0.0.0/10;OK
+-s 10.11.12.13/11;-s 10.0.0.0/11;OK
+-s 10.11.12.13/12;-s 10.0.0.0/12;OK
+-s 10.11.12.13/30;-s 10.11.12.12/30;OK
+-s 10.11.12.13/31;-s 10.11.12.12/31;OK
+-s 10.11.12.13/32;-s 10.11.12.13/32;OK
+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index fdc15c6f04066..0d32a30010519 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command,
" source or destination IP addresses");
}
+static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
+ const struct in_addr *mask,
+ bool inv, struct xt_xlate *xl)
+{
+ const char *op = inv ? "!= " : "";
+ int cidr;
+
+ if (!inv && !addr->s_addr && !mask->s_addr)
+ return;
+
+ cidr = xtables_ipmask_to_cidr(mask);
+ switch (cidr) {
+ case -1:
+ /* inet_ntoa() is not reentrant */
+ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
+ xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
+ break;
+ case 32:
+ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
+ break;
+ default:
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
+ cidr);
+ }
+}
+
static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
{
const struct iptables_command_state *cs = data;
@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
}
}
- if (cs->fw.ip.src.s_addr != 0) {
- xt_xlate_add(xl, "ip saddr %s%s%s ",
- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "",
- inet_ntoa(cs->fw.ip.src),
- xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
- }
- if (cs->fw.ip.dst.s_addr != 0) {
- xt_xlate_add(xl, "ip daddr %s%s%s ",
- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "",
- inet_ntoa(cs->fw.ip.dst),
- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
- }
+ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
+ cs->fw.ip.invflags & IPT_INV_SRCIP, xl);
+ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk,
+ cs->fw.ip.invflags & IPT_INV_DSTIP, xl);
ret = xlate_matches(cs, xl);
if (!ret)
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 130ad3e6e7c44..46008fc5e762a 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
const struct in6_addr *mask,
int invert, struct xt_xlate *xl)
{
+ const char *op = invert ? "!= " : "";
char addr_str[INET6_ADDRSTRLEN];
+ int cidr;
- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
+ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask))
return;
inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str,
- xtables_ip6mask_to_numeric(mask));
+ cidr = xtables_ip6mask_to_cidr(mask);
+ switch (cidr) {
+ case -1:
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
+ xtables_ip6addr_to_numeric(mask),
+ invert ? "!=" : "==", addr_str);
+ break;
+ case 128:
+ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str);
+ break;
+ default:
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr);
+ }
}
static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
--
2.31.1

120
SOURCES/0003-Eliminate-inet_aton-and-inet_ntoa.patch
View File

@ -1,120 +0,0 @@
From 76a32fe33a948ddce6b9cacee5400d83b0a6cdba Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 27 Apr 2021 09:12:53 +0200
Subject: [PATCH] Eliminate inet_aton() and inet_ntoa()
Both functions are obsolete, replace them by equivalent calls to
inet_pton() and inet_ntop().
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3)
---
extensions/libebt_among.c | 6 ++++--
iptables/nft-ipv4.c | 23 ++++++++++++++---------
2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
index 2b9a1b6566684..7eb898f984bba 100644
--- a/extensions/libebt_among.c
+++ b/extensions/libebt_among.c
@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
if (sep) {
*sep = '\0';
- if (!inet_aton(sep + 1, &pair->in))
+ if (!inet_pton(AF_INET, sep + 1, &pair->in))
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address '%s'\n", sep + 1);
}
@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
int cnt, bool inv, bool have_ip)
{
const char *isep = inv ? "! " : "";
+ char abuf[INET_ADDRSTRLEN];
int i;
for (i = 0; i < cnt; i++) {
@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs,
printf("%s", ether_ntoa(&pairs[i].ether));
if (pairs[i].in.s_addr != INADDR_ANY)
- printf("=%s", inet_ntoa(pairs[i].in));
+ printf("=%s", inet_ntop(AF_INET, &pairs[i].in,
+ abuf, sizeof(abuf)));
}
printf(" ");
}
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 0d32a30010519..a5b835b1f681d 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
static const char *mask_to_str(uint32_t mask)
{
- static char mask_str[sizeof("255.255.255.255")];
+ static char mask_str[INET_ADDRSTRLEN];
uint32_t bits, hmask = ntohl(mask);
struct in_addr mask_addr = {
.s_addr = mask,
@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask)
if (i >= 0)
sprintf(mask_str, "%u", i);
else
- sprintf(mask_str, "%s", inet_ntoa(mask_addr));
+ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
return mask_str;
}
@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
static void save_ipv4_addr(char letter, const struct in_addr *addr,
uint32_t mask, int invert)
{
+ char addrbuf[INET_ADDRSTRLEN];
+
if (!mask && !invert && !addr->s_addr)
return;
- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr),
+ printf("%s-%c %s/%s ", invert ? "! " : "", letter,
+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
mask_to_str(mask));
}
@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
const struct in_addr *mask,
bool inv, struct xt_xlate *xl)
{
+ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN];
const char *op = inv ? "!= " : "";
int cidr;
if (!inv && !addr->s_addr && !mask->s_addr)
return;
+ inet_ntop(AF_INET, addr, abuf, sizeof(abuf));
+
cidr = xtables_ipmask_to_cidr(mask);
switch (cidr) {
case -1:
- /* inet_ntoa() is not reentrant */
- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
+ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)),
+ inv ? "!=" : "==", abuf);
break;
case 32:
- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
+ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf);
break;
default:
- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
- cidr);
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr);
}
}
--
2.31.1

29
SOURCES/0003-xshared-Fix-build-for-Werror-format-security.patch Normal file
View File

@ -0,0 +1,29 @@
From 4350a1e4daabc4ec1f9b692425d9bd0d48d27488 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 May 2022 16:51:58 +0200
Subject: [PATCH] xshared: Fix build for -Werror=format-security
Gcc complains about the omitted format string.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a)
---
iptables/xshared.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index fae5ddd5df93e..a8512d3808154 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
return;
if (args->family != NFPROTO_ARP)
- xtables_error(PARAMETER_PROBLEM, msg);
+ xtables_error(PARAMETER_PROBLEM, "%s", msg);
fprintf(stderr, "%s", msg);
}
--
2.34.1

181
SOURCES/0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
View File

@ -1,181 +0,0 @@
From 1285f9a043e4ef9d99d8788315dc4398299bb8a8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 27 Apr 2021 10:02:34 +0200
Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string()
This eliminates quite a bit of redundant code apart from also dropping
use of obsolete function gethostbyaddr().
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c)
---
iptables/nft-arp.c | 99 ++++------------------------------------------
iptables/xshared.c | 6 +--
iptables/xshared.h | 3 ++
3 files changed, 14 insertions(+), 94 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index c82ffdc95e300..2a9387a18dffe 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -42,78 +42,6 @@ char *arp_opcodes[] =
"ARP_NAK",
};
-static char *
-addr_to_dotted(const struct in_addr *addrp)
-{
- static char buf[20];
- const unsigned char *bytep;
-
- bytep = (const unsigned char *) &(addrp->s_addr);
- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
- return buf;
-}
-
-static char *
-addr_to_host(const struct in_addr *addr)
-{
- struct hostent *host;
-
- if ((host = gethostbyaddr((char *) addr,
- sizeof(struct in_addr), AF_INET)) != NULL)
- return (char *) host->h_name;
-
- return (char *) NULL;
-}
-
-static char *
-addr_to_network(const struct in_addr *addr)
-{
- struct netent *net;
-
- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
- return (char *) net->n_name;
-
- return (char *) NULL;
-}
-
-static char *
-addr_to_anyname(const struct in_addr *addr)
-{
- char *name;
-
- if ((name = addr_to_host(addr)) != NULL ||
- (name = addr_to_network(addr)) != NULL)
- return name;
-
- return addr_to_dotted(addr);
-}
-
-static char *
-mask_to_dotted(const struct in_addr *mask)
-{
- int i;
- static char buf[22];
- u_int32_t maskaddr, bits;
-
- maskaddr = ntohl(mask->s_addr);
-
- if (maskaddr == 0xFFFFFFFFL)
- /* we don't want to see "/32" */
- return "";
-
- i = 32;
- bits = 0xFFFFFFFEL;
- while (--i >= 0 && maskaddr != bits)
- bits <<= 1;
- if (i >= 0)
- sprintf(buf, "/%d", i);
- else
- /* mask was not a decent combination of 1's and 0's */
- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask));
-
- return buf;
-}
-
static bool need_devaddr(struct arpt_devaddr_info *info)
{
int i;
@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
unsigned int format)
{
const struct arpt_entry *fw = &cs->arp;
- char buf[BUFSIZ];
char iface[IFNAMSIZ+2];
const char *sep = "";
int print_iface = 0;
@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
}
if (fw->arp.smsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
- ? "! " : "");
- if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
- else
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
- strncat(buf, mask_to_dotted(&(fw->arp.smsk)),
- sizeof(buf) - strlen(buf) - 1);
- printf("-s %s", buf);
+ printf("%s%s-s %s", sep,
+ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "",
+ ipv4_addr_to_string(&fw->arp.src,
+ &fw->arp.smsk, format));
sep = " ";
}
@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
after_devsrc:
if (fw->arp.tmsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
- ? "! " : "");
- if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
- else
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)),
- sizeof(buf) - strlen(buf) - 1);
- printf("-d %s", buf);
+ printf("%s%s-d %s", sep,
+ fw->arp.invflags & IPT_INV_DSTIP ? "! " : "",
+ ipv4_addr_to_string(&fw->arp.tgt,
+ &fw->arp.tmsk, format));
sep = " ";
}
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 71f689901e1d4..9a1f465a5a6d3 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -550,9 +550,9 @@ void debug_print_argv(struct argv_store *store)
}
#endif
-static const char *ipv4_addr_to_string(const struct in_addr *addr,
- const struct in_addr *mask,
- unsigned int format)
+const char *ipv4_addr_to_string(const struct in_addr *addr,
+ const struct in_addr *mask,
+ unsigned int format)
{
static char buf[BUFSIZ];
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 9159b2b1f3768..1e86aba8b2375 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store);
# define debug_print_argv(...) /* nothing */
#endif
+const char *ipv4_addr_to_string(const struct in_addr *addr,
+ const struct in_addr *mask,
+ unsigned int format);
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
--
2.31.1

61
SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch Normal file
View File

@ -0,0 +1,61 @@
From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Jun 2022 13:44:45 +0200
Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
Some repeated calls have been reduced recently, assert this in a test
evaluating strace output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
---
.../shell/testcases/ipt-save/0007-overhead_0 | 37 +++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
new file mode 100755
index 0000000000000..b86d71f209471
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Test recent performance improvements in iptables-save due to reduced
+# overhead.
+
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
+
+RULESET=$(
+ echo "*filter"
+ for ((i = 0; i < 100; i++)); do
+ echo ":mychain$i -"
+ echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
+ done
+ echo "COMMIT"
+)
+
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
+
+do_grep() { # (name, threshold, pattern)
+ local cnt=$(grep -c "$3")
+ [[ $cnt -le $2 ]] && return 0
+ echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
+ exit 1
+}
+
+# iptables prefers hard-coded protocol names instead of looking them up first
+
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
+
+# iptables-nft-save pointlessly checked whether chain jumps are targets
+
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
+
+exit 0
--
2.34.1

33
SOURCES/0005-arptables-Support-x-exact-flag.patch Normal file
View File

@ -0,0 +1,33 @@
From 5d197a9a4c0f456243894aea4b5fd059ecf6c402 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 7 Jun 2022 18:07:00 +0200
Subject: [PATCH] arptables: Support -x/--exact flag
Legacy arptables accepts but ignores the flag. Yet there are remains of
the functionality in sources, like OPT_EXPANDED define and a print_num()
function which acts on FMT_KILOMEGAGIGA flag being set or not. So
instead of mimicking legacy behaviour by explicitly ignoring -x flag for
arptables, just enable the feature for it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0)
---
iptables/xshared.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 14568bb00fb65..a50c8b7298072 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -69,7 +69,7 @@ struct xtables_target;
#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
/* define invflags which won't collide with IPT ones */
--
2.34.1

33
SOURCES/0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
View File

@ -1,33 +0,0 @@
From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Nov 2020 21:04:39 +0100
Subject: [PATCH] libxtables: Drop leftover variable in
xtables_numeric_to_ip6addr()
Variable 'err' was only used in removed debug code, so drop it as well.
Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
---
libxtables/xtables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index bc42ba8221f3a..6947441fec659 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
{
static struct in6_addr ap;
- int err;
- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
+ if (inet_pton(AF_INET6, num, &ap) == 1)
return &ap;
return NULL;
--
2.31.1

49
SOURCES/0006-extensions-libebt_ip6-Drop-unused-variables.patch
View File

@ -1,49 +0,0 @@
From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Nov 2020 21:13:50 +0100
Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
They are being assigned to but never read.
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
---
extensions/libebt_ip6.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index b8a5a5d8c3a92..301bed9aadefd 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
static struct in6_addr *numeric_to_addr(const char *num)
{
static struct in6_addr ap;
- int err;
- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
+ if (inet_pton(AF_INET6, num, &ap) == 1)
return &ap;
return (struct in6_addr *)NULL;
}
@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
char buf[256];
char *p;
int i;
- int err;
strncpy(buf, address, sizeof(buf) - 1);
/* first the mask */
@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
strcpy(buf, "::");
- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
+ if (inet_pton(AF_INET6, buf, addr) < 1) {
xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
return;
}
--
2.31.1

91
SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch Normal file
View File

@ -0,0 +1,91 @@
From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 30 Jun 2022 18:04:39 +0200
Subject: [PATCH] libxtables: Fix unsupported extension warning corner case
Some extensions are not supported in revision 0 by user space anymore,
for those the warning in xtables_compatible_revision() does not print as
no revision 0 is tried.
To fix this, one has to track if none of the user space supported
revisions were accepted by the kernel. Therefore add respective logic to
xtables_find_{target,match}().
Note that this does not lead to duplicated warnings for unsupported
extensions that have a revision 0 because xtables_compatible_revision()
returns true for them to allow for extension's help output.
For the record, these ip6tables extensions are affected: set/SET,
socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
for both families.
Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37)
---
libxtables/xtables.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 96fd783a066cf..7abc63bcfd83e 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
struct xtables_match *ptr;
const char *icmp6 = "icmp6";
bool found = false;
+ bool seen = false;
if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
+ seen = true;
if (!found &&
xtables_fully_register_pending_match(ptr, prev)) {
found = true;
@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
dptr = &((*dptr)->next);
}
+ if (seen && !found)
+ fprintf(stderr,
+ "Warning: Extension %s is not supported, missing kernel module?\n",
+ name);
+
for (ptr = xtables_matches; ptr; ptr = ptr->next) {
if (extension_cmp(name, ptr->name, ptr->family)) {
struct xtables_match *clone;
@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
struct xtables_target **dptr;
struct xtables_target *ptr;
bool found = false;
+ bool seen = false;
/* Standard target? */
if (strcmp(name, "") == 0
@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
+ seen = true;
if (!found &&
xtables_fully_register_pending_target(ptr, prev)) {
found = true;
@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
dptr = &((*dptr)->next);
}
+ if (seen && !found)
+ fprintf(stderr,
+ "Warning: Extension %s is not supported, missing kernel module?\n",
+ name);
+
for (ptr = xtables_targets; ptr; ptr = ptr->next) {
if (extension_cmp(name, ptr->name, ptr->family)) {
struct xtables_target *clone;
--
2.34.1

29
SOURCES/0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
View File

@ -1,29 +0,0 @@
From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:04:30 +0200
Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
The allocated hostmask duplicate needs to be freed again.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
---
libxtables/xtoptions.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index d329f2ff7979e..0dcdf607f4678 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
cb->arg = p;
xtopt_parse_plenmask(cb);
cb->arg = orig_arg;
+ free(work);
}
static void xtopt_parse_ethermac(struct xt_option_call *cb)
--
2.31.1

34
SOURCES/0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
View File

@ -1,34 +0,0 @@
From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:55:20 +0200
Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
If rule allocation fails, free the allocated 'cmd' before returning to
caller.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
---
iptables/nft-cmd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 5d33f1f00f574..9b0c964847615 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
if (state) {
rule = nft_rule_new(h, chain, table, state);
- if (!rule)
+ if (!rule) {
+ nft_cmd_free(cmd);
return NULL;
+ }
cmd->obj.rule = rule;
--
2.31.1

56
SOURCES/0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
View File

@ -1,56 +0,0 @@
From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:58:06 +0200
Subject: [PATCH] nft: Avoid buffer size warnings copying iface names
The call to strncpy() is actually not needed: source buffer is only
IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to
avoid compiler warnings due to size parameter matching the destination
buffer size by performing the copy using (dumb) memcpy() instead.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff)
---
iptables/nft-ipv4.c | 4 ++--
iptables/nft-ipv6.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index a5b835b1f681d..34f94bd8cc24a 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command,
*/
cs->fw.ip.invflags = args->invflags;
- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
memcpy(cs->fw.ip.iniface_mask,
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
memcpy(cs->fw.ip.outiface_mask,
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 46008fc5e762a..d9c9400ad7dc3 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
*/
cs->fw6.ipv6.invflags = args->invflags;
- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
memcpy(cs->fw6.ipv6.iniface_mask,
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
memcpy(cs->fw6.ipv6.outiface_mask,
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
--
2.31.1

29
SOURCES/0010-iptables-apply-Drop-unused-variable.patch
View File

@ -1,29 +0,0 @@
From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 12:50:57 +0200
Subject: [PATCH] iptables-apply: Drop unused variable
It was assigned to but never read.
Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
---
iptables/iptables-apply | 1 -
1 file changed, 1 deletion(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 4683b1b402d08..3a7df5e3cbc1f 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -231,7 +231,6 @@ case "$MODE" in
"$RUNCMD" &
CMD_PID=$!
( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
- CMDTIMEOUT_PID=$!
if ! wait "$CMD_PID"; then
echo "failed."
echo "Error: unknown error running command: $RUNCMD" >&2
--
2.31.1

109
SOURCES/0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
View File

@ -1,109 +0,0 @@
From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 14:04:43 +0200
Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any()
The code was almost identical and suffered from the same problem as
fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
corruption bugs").
The only functional change this involves is ebt_parse_ip6_address() will
now accept hostnames as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4)
---
extensions/libebt_ip6.c | 74 ++++++-----------------------------------
1 file changed, 10 insertions(+), 64 deletions(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index 301bed9aadefd..3cc39271d4658 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match)
memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr));
}
-static struct in6_addr *numeric_to_addr(const char *num)
+/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */
+static void ebt_parse_ip6_address(char *address,
+ struct in6_addr *addr, struct in6_addr *msk)
{
- static struct in6_addr ap;
-
- if (inet_pton(AF_INET6, num, &ap) == 1)
- return &ap;
- return (struct in6_addr *)NULL;
-}
-
-static struct in6_addr *parse_ip6_mask(char *mask)
-{
- static struct in6_addr maskaddr;
struct in6_addr *addrp;
- unsigned int bits;
-
- if (mask == NULL) {
- /* no mask at all defaults to 128 bits */
- memset(&maskaddr, 0xff, sizeof maskaddr);
- return &maskaddr;
- }
- if ((addrp = numeric_to_addr(mask)) != NULL)
- return addrp;
- if (!xtables_strtoui(mask, NULL, &bits, 0, 128))
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask);
- if (bits != 0) {
- char *p = (char *)&maskaddr;
- memset(p, 0xff, bits / 8);
- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
- p[bits / 8] = 0xff << (8 - (bits & 7));
- return &maskaddr;
- }
+ unsigned int naddrs;
- memset(&maskaddr, 0, sizeof maskaddr);
- return &maskaddr;
-}
-
-/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
- * The string pointed to by address can be altered. */
-static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk)
-{
- struct in6_addr *tmp_addr;
- char buf[256];
- char *p;
- int i;
-
- strncpy(buf, address, sizeof(buf) - 1);
- /* first the mask */
- buf[sizeof(buf) - 1] = '\0';
- if ((p = strrchr(buf, '/')) != NULL) {
- *p = '\0';
- tmp_addr = parse_ip6_mask(p + 1);
- } else
- tmp_addr = parse_ip6_mask(NULL);
-
- *msk = *tmp_addr;
-
- /* if a null mask is given, the name is ignored, like in "any/0" */
- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
- strcpy(buf, "::");
-
- if (inet_pton(AF_INET6, buf, addr) < 1) {
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
- return;
- }
-
- for (i = 0; i < 4; i++)
- addr->s6_addr32[i] &= msk->s6_addr32[i];
+ xtables_ip6parse_any(address, &addrp, msk, &naddrs);
+ if (naddrs != 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IPv6 Address '%s' specified", address);
+ memcpy(addr, addrp, sizeof(*addr));
+ free(addrp);
}
#define OPT_SOURCE 0x01
--
2.31.1

554
SOURCES/0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
View File

@ -1,554 +0,0 @@
From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 12:56:06 +0200
Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere
This wraps strdup(), checking for errors.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a)
---
extensions/libebt_ip.c | 3 ++-
extensions/libebt_ip6.c | 2 +-
extensions/libebt_stp.c | 3 ++-
extensions/libip6t_DNAT.c | 4 +---
extensions/libip6t_SNAT.c | 4 +---
extensions/libip6t_dst.c | 8 +++-----
extensions/libip6t_hbh.c | 7 +++----
extensions/libip6t_ipv6header.c | 2 +-
extensions/libip6t_mh.c | 2 +-
extensions/libip6t_rt.c | 7 +++----
extensions/libipt_DNAT.c | 8 ++------
extensions/libipt_SNAT.c | 4 +---
extensions/libxt_dccp.c | 2 +-
extensions/libxt_hashlimit.c | 5 +----
extensions/libxt_iprange.c | 4 +---
extensions/libxt_multiport.c | 6 ++----
extensions/libxt_sctp.c | 4 ++--
extensions/libxt_set.h | 4 ++--
extensions/libxt_tcp.c | 4 ++--
include/xtables.h | 1 +
iptables/iptables-xml.c | 4 ++--
iptables/nft-cache.c | 4 ++--
iptables/nft-cmd.c | 13 +++++++------
iptables/xshared.c | 2 +-
libxtables/xtables.c | 12 ++++++++++++
libxtables/xtoptions.c | 14 +++-----------
26 files changed, 60 insertions(+), 73 deletions(-)
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
index acb9bfcdbbd9f..51649ffb3c305 100644
--- a/extensions/libebt_ip.c
+++ b/extensions/libebt_ip.c
@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
+
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
else {
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index 3cc39271d4658..a686a285c3cb8 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
else {
diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
index 81ba572c33c1a..3e9e24474eb61 100644
--- a/extensions/libebt_stp.c
+++ b/extensions/libebt_stp.c
@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper,
uint32_t low_nr, upp_nr;
int ret = 0;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
+
if ((cp = strchr(buffer, ':')) == NULL) {
low_nr = strtoul(buffer, &end, 10);
if (*end || low_nr < min || low_nr > max) {
diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 89c5ceb153250..f1ad81436316b 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev)
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
const struct in6_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
start = strchr(arg, '[');
if (start == NULL) {
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 7d74b3d76a93c..6d19614c7c708 100644
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
const struct in6_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
start = strchr(arg, '[');
if (start == NULL) {
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index fe7e3403468ce..bf0e3e436665d 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
{
char *buffer, *cp, *next, *range;
unsigned int i;
-
- buffer = strdup(optsstr);
- if (!buffer)
- xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(optsstr);
+
for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
{
next = strchr(cp, ',');
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 4cebecfd3d2f5..74e87cda7eea1 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
{
char *buffer, *cp, *next, *range;
unsigned int i;
-
- buffer = strdup(optsstr);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(optsstr);
+
for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
{
next=strchr(cp, ',');
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index 6f03087bb79d8..9e34562966f8b 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -147,7 +147,7 @@ parse_header(const char *flags) {
char *ptr;
char *buffer;
- buffer = strdup(flags);
+ buffer = xtables_strdup(flags);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
ret |= add_proto_to_mask(name_to_proto(ptr));
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index f4c0fd9fc0bca..64675405ac724 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -107,7 +107,7 @@ static void parse_mh_types(const char *mhtype, uint8_t *types)
char *buffer;
char *cp;
- buffer = strdup(mhtype);
+ buffer = xtables_strdup(mhtype);
if ((cp = strchr(buffer, ':')) == NULL)
types[0] = types[1] = name_to_type(buffer);
else {
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index 3cb3b249d8995..9708b5a0c42f3 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -73,10 +73,9 @@ parse_addresses(const char *addrstr, struct in6_addr *addrp)
{
char *buffer, *cp, *next;
unsigned int i;
-
- buffer = strdup(addrstr);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(addrstr);
+
for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
{
next=strchr(cp, ',');
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 4907a2e83d066..5b33fd23f6e36 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -79,9 +79,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
memset(&range, 0, sizeof(range));
colon = strchr(arg, ':');
@@ -302,9 +300,7 @@ parse_to_v2(const char *orig_arg, int portok, struct nf_nat_range2 *range)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
colon = strchr(arg, ':');
if (colon) {
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index e92d811c2bc93..c655439ec9192 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -73,9 +73,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
memset(&range, 0, sizeof(range));
colon = strchr(arg, ':');
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index aea3e20be4818..abd420fcc0032 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -85,7 +85,7 @@ parse_dccp_types(const char *typestring)
uint16_t typemask = 0;
char *ptr, *buffer;
- buffer = strdup(typestring);
+ buffer = xtables_strdup(typestring);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
unsigned int i;
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 7f1d2a402c4fd..3f3c43010ee2a 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -508,10 +508,7 @@ static void hashlimit_mt6_init(struct xt_entry_match *match)
static int parse_mode(uint32_t *mode, const char *option_arg)
{
char *tok;
- char *arg = strdup(option_arg);
-
- if (!arg)
- return -1;
+ char *arg = xtables_strdup(option_arg);
for (tok = strtok(arg, ",|");
tok;
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 8be2481497b8d..04ce7b364f1c6 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -73,11 +73,9 @@ iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
static void iprange_parse_range(const char *oarg, union nf_inet_addr *range,
uint8_t family, const char *optname)
{
- char *arg = strdup(oarg);
+ char *arg = xtables_strdup(oarg);
char *dash;
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
dash = strchr(arg, '-');
if (dash == NULL) {
iprange_parse_spec(arg, arg, range, family, optname);
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 07ad4cfd4e519..4a42fa38238b9 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -87,8 +87,7 @@ parse_multi_ports(const char *portstring, uint16_t *ports, const char *proto)
char *buffer, *cp, *next;
unsigned int i;
- buffer = strdup(portstring);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+ buffer = xtables_strdup(portstring);
for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
{
@@ -109,8 +108,7 @@ parse_multi_ports_v1(const char *portstring,
char *buffer, *cp, *next, *range;
unsigned int i;
- buffer = strdup(portstring);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+ buffer = xtables_strdup(portstring);
for (i=0; i<XT_MULTI_PORTS; i++)
multiinfo->pflags[i] = 0;
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 140de2653b1ef..59b34684cc7f7 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring,
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
DEBUGP("%s\n", portstring);
if ((cp = strchr(buffer, ':')) == NULL) {
ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo,
int found = 0;
char *chunk_flags;
- buffer = strdup(chunks);
+ buffer = xtables_strdup(chunks);
DEBUGP("Buffer: %s\n", buffer);
SCTP_CHUNKMAP_RESET(einfo->chunkmap);
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 41dfbd30fc7c1..ad895a7504d9d 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info)
static void
parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
{
- char *saved = strdup(opt_arg);
+ char *saved = xtables_strdup(opt_arg);
char *ptr, *tmp = saved;
int i = 0;
@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
static void
parse_dirs(const char *opt_arg, struct xt_set_info *info)
{
- char *saved = strdup(opt_arg);
+ char *saved = xtables_strdup(opt_arg);
char *ptr, *tmp = saved;
while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 58f3c0a0c3c28..383e4db5b5e23 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
else {
@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags)
char *ptr;
char *buffer;
- buffer = strdup(flags);
+ buffer = xtables_strdup(flags);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
unsigned int i;
diff --git a/include/xtables.h b/include/xtables.h
index df1eaee326643..107ad7d65e6fc 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t);
extern void *xtables_calloc(size_t, size_t);
extern void *xtables_malloc(size_t);
extern void *xtables_realloc(void *, size_t);
+char *xtables_strdup(const char *);
extern int xtables_insmod(const char *, const char *, bool);
extern int xtables_load_ko(const char *, bool);
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 98d03dda98d2b..6cf059fb67292 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr)
"%s: line %u chain name invalid\n",
prog_name, line);
- chains[nextChain].chain = strdup(chain);
- chains[nextChain].policy = strdup(policy);
+ chains[nextChain].chain = xtables_strdup(chain);
+ chains[nextChain].policy = xtables_strdup(policy);
chains[nextChain].count = *ctr;
chains[nextChain].created = 0;
nextChain++;
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 6b6e6da40a826..7fd78654b280a 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name)
}
new = xtables_malloc(sizeof(*new));
- new->name = strdup(name);
+ new->name = xtables_strdup(name);
list_add_tail(&new->head, pos ? &pos->head : list);
}
@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level,
return;
if (!req->table)
- req->table = strdup(cmd->table);
+ req->table = xtables_strdup(cmd->table);
else
assert(!strcmp(req->table, cmd->table));
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 9b0c964847615..8dccdd734b156 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <string.h>
+#include <xtables.h>
#include "nft.h"
#include "nft-cmd.h"
@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
return NULL;
cmd->command = command;
- cmd->table = strdup(table);
+ cmd->table = xtables_strdup(table);
if (chain)
- cmd->chain = strdup(chain);
+ cmd->chain = xtables_strdup(chain);
cmd->rulenum = rulenum;
cmd->verbose = verbose;
@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
cmd->obj.rule = rule;
if (!state->target && strlen(state->jumpto) > 0)
- cmd->jumpto = strdup(state->jumpto);
+ cmd->jumpto = xtables_strdup(state->jumpto);
}
list_add_tail(&cmd->head, &h->cmd_list);
@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
if (!cmd)
return 0;
- cmd->rename = strdup(newname);
+ cmd->rename = xtables_strdup(newname);
nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table,
if (!cmd)
return 0;
- cmd->policy = strdup(policy);
+ cmd->policy = xtables_strdup(policy);
if (counters)
cmd->counters = *counters;
@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
if (!cmd)
return 0;
- cmd->policy = strdup(policy);
+ cmd->policy = xtables_strdup(policy);
nft_cache_level_set(h, NFT_CL_RULES, cmd);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 9a1f465a5a6d3..4027d9240215e 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted)
xtables_error(PARAMETER_PROBLEM,
"Trying to store NULL argument\n");
- store->argv[store->argc] = strdup(what);
+ store->argv[store->argc] = xtables_strdup(what);
store->argvattr[store->argc] = quoted;
store->argv[++store->argc] = NULL;
}
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 6947441fec659..1931e3896262a 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size)
return p;
}
+char *xtables_strdup(const char *s)
+{
+ char *dup = strdup(s);
+
+ if (!dup) {
+ perror("ip[6]tables: strdup failed");
+ exit(1);
+ }
+
+ return dup;
+}
+
static char *get_modprobe(void)
{
int procfile;
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 0dcdf607f4678..9d3ac5c8066cb 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb)
unsigned int maxiter;
int value;
- wp_arg = lo_arg = strdup(cb->arg);
- if (lo_arg == NULL)
- xt_params->exit_err(RESOURCE_PROBLEM, "strdup");
+ wp_arg = lo_arg = xtables_strdup(cb->arg);
maxiter = entry->size / esize;
if (maxiter == 0)
@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
xtopt_parse_host(cb);
return;
}
- work = strdup(orig_arg);
- if (work == NULL)
- xt_params->exit_err(PARAMETER_PROBLEM, "strdup");
+ work = xtables_strdup(orig_arg);
p = strchr(work, '/'); /* by def this can't be NULL now */
*p++ = '\0';
/*
@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file)
goto out;
}
lmap_this->id = id;
- lmap_this->name = strdup(cur);
- if (lmap_this->name == NULL) {
- free(lmap_this);
- goto out;
- }
+ lmap_this->name = xtables_strdup(cur);
lmap_this->next = NULL;
if (lmap_prev != NULL)
--
2.31.1

31
SOURCES/0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
View File

@ -1,31 +0,0 @@
From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 15:15:37 +0200
Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
strncpy()
If the target buffer does not need to be null-terminated, one may simply
use memcpy() and thereby avoid any compiler warnings.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
---
extensions/libxt_string.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 7c6366cbbf1b3..739a8e7fd66b6 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
{
/* xt_string does not need \0 at the end of the pattern */
if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
+ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
return;
}
--
2.31.1

104
SOURCES/0014-iptables-nft-fix-Z-option.patch
View File

@ -1,104 +0,0 @@
From 176353549f03fd10c731d93e9b37aa05eb210ecb Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 24 Feb 2021 11:08:02 +0100
Subject: [PATCH] iptables-nft: fix -Z option
it zeroes the rule counters, so it needs fully populated cache.
Add a test case to cover this.
Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2)
---
iptables/nft-cmd.c | 2 +-
.../testcases/iptables/0007-zero-counters_0 | 64 +++++++++++++++++++
2 files changed, 65 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 8dccdd734b156..a0c76a795e59c 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -188,7 +188,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain,
if (!cmd)
return 0;
- nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
+ nft_cache_level_set(h, NFT_CL_RULES, cmd);
return 1;
}
diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
new file mode 100755
index 0000000000000..36da1907e3b22
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+RC=0
+COUNTR=$RANDOM$RANDOM
+
+$XT_MULTI iptables-restore -c <<EOF
+*filter
+:INPUT ACCEPT [1:23]
+:FOO - [0:0]
+[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+[22:123] -A FOO -m comment --comment one
+[44:123] -A FOO -m comment --comment two
+COMMIT
+EOF
+EXPECT="*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:FOO - [0:0]
+[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+[0:0] -A FOO -m comment --comment one
+[0:0] -A FOO -m comment --comment two
+COMMIT"
+
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+if [ $COUNTER != "[12:345]" ]; then
+ echo "Counter $COUNTER is wrong, expected 12:345"
+ RC=1
+fi
+
+$XT_MULTI iptables -Z FOO
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+if [ $COUNTER = "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
+ RC=1
+fi
+
+for c in one two; do
+ COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ")
+ if [ $COUNTER != "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, should have been zeroed at rule $c"
+ RC=1
+ fi
+done
+
+$XT_MULTI iptables -Z
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+
+if [ $COUNTER != "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, expected 0:0 after -Z"
+ RC=1
+fi
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#')
+if [ $? -ne 0 ]; then
+ echo "Diff error: counters were not zeroed"
+ RC=1
+fi
+
+$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+$XT_MULTI iptables -D FOO -m comment --comment one
+$XT_MULTI iptables -D FOO -m comment --comment two
+$XT_MULTI iptables -X FOO
+exit $RC
--
2.31.1

73
SOURCES/0015-nft-Fix-bitwise-expression-avoidance-detection.patch
View File

@ -1,73 +0,0 @@
From 5462c9908a3b2ba94fc4cf5c6cd0d5ed296093c5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 19 Feb 2021 16:54:57 +0100
Subject: [PATCH] nft: Fix bitwise expression avoidance detection
Byte-boundary prefix detection was too sloppy: Any data following the
first zero-byte was ignored. Add a follow-up loop making sure there are
no stray bits in the designated host part.
Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba)
---
iptables/nft-shared.c | 4 +++-
.../testcases/ip6tables/0004-address-masks_0 | 24 +++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 10553ab26823b..c1664b50f9383 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
{
const unsigned char *m = mask;
bool bitwise = false;
- int i;
+ int i, j;
for (i = 0; i < len; i++) {
if (m[i] != 0xff) {
@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
break;
}
}
+ for (j = i + 1; !bitwise && j < len; j++)
+ bitwise = !!m[j];
if (!bitwise)
len = i;
diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
new file mode 100755
index 0000000000000..7eb42f08da975
--- /dev/null
+++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+$XT_MULTI ip6tables-restore <<EOF
+*filter
+-A FORWARD -s feed:babe::/ffff::0
+-A FORWARD -s feed:babe::/ffff:ff00::0
+-A FORWARD -s feed:babe::/ffff:fff0::0
+-A FORWARD -s feed:babe::/ffff:ffff::0
+-A FORWARD -s feed:babe::/0:ffff::0
+-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0
+COMMIT
+EOF
+
+EXPECT='-P FORWARD ACCEPT
+-A FORWARD -s feed::/16
+-A FORWARD -s feed:ba00::/24
+-A FORWARD -s feed:bab0::/28
+-A FORWARD -s feed:babe::/32
+-A FORWARD -s 0:babe::/0:ffff::
+-A FORWARD -s feed::babe:0/ffff::ffff:0'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
--
2.31.1

80
SOURCES/0016-extensions-sctp-Fix-nftables-translation.patch
View File

@ -1,80 +0,0 @@
From c9c2e55eb6cebdb8d17cf0c8267a1eb3e8fb6e07 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 4 May 2021 16:03:24 +0200
Subject: [PATCH] extensions: sctp: Fix nftables translation
If both sport and dport was present, incorrect nft syntax was generated.
Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
---
extensions/libxt_sctp.c | 10 ++++------
extensions/libxt_sctp.txlate | 10 +++++-----
2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 59b34684cc7f7..5ec1ca618405e 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
if (!einfo->flags)
return 0;
- xt_xlate_add(xl, "sctp ");
-
if (einfo->flags & XT_SCTP_SRC_PORTS) {
if (einfo->spts[0] != einfo->spts[1])
- xt_xlate_add(xl, "sport%s %u-%u",
+ xt_xlate_add(xl, "sctp sport%s %u-%u",
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
einfo->spts[0], einfo->spts[1]);
else
- xt_xlate_add(xl, "sport%s %u",
+ xt_xlate_add(xl, "sctp sport%s %u",
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
einfo->spts[0]);
space = " ";
@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
if (einfo->flags & XT_SCTP_DEST_PORTS) {
if (einfo->dpts[0] != einfo->dpts[1])
- xt_xlate_add(xl, "%sdport%s %u-%u", space,
+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
einfo->dpts[0], einfo->dpts[1]);
else
- xt_xlate_add(xl, "%sdport%s %u", space,
+ xt_xlate_add(xl, "%ssctp dport%s %u", space,
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
einfo->dpts[0]);
}
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index 72f4641ab021c..0d6c59e183675 100644
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
nft add rule ip filter INPUT sctp dport != 50-56 counter accept
iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
--
2.31.1

211
SOURCES/0018-nft-cache-Sort-chains-on-demand-only.patch
View File

@ -1,211 +0,0 @@
From 743bcc5a632c7f5058ac03794f82b7ba52091cea Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 25 Mar 2021 16:24:39 +0100
Subject: [PATCH] nft: cache: Sort chains on demand only
Mandatory sorted insert of chains into cache significantly slows down
restoring of large rulesets. Since the sorted list of user-defined
chains is needed for listing and verbose output only, introduce
nft_cache_sort_chains() and call it where needed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit fdf64dcdace989589bac441805082e3b1fe6a915)
---
iptables/nft-cache.c | 71 +++++++++++++++++++++++++++++++++--------
iptables/nft-cache.h | 1 +
iptables/nft.c | 12 +++++++
iptables/nft.h | 1 +
iptables/xtables-save.c | 1 +
5 files changed, 73 insertions(+), 13 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 7fd78654b280a..2c88301cc7445 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -223,24 +223,67 @@ int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
h->cache->table[t->type].base_chains[hooknum] = nc;
} else {
- struct nft_chain_list *clist = h->cache->table[t->type].chains;
- struct list_head *pos = &clist->list;
- struct nft_chain *cur;
- const char *n;
-
- list_for_each_entry(cur, &clist->list, head) {
- n = nftnl_chain_get_str(cur->nftnl, NFTNL_CHAIN_NAME);
- if (strcmp(cname, n) <= 0) {
- pos = &cur->head;
- break;
- }
- }
- list_add_tail(&nc->head, pos);
+ list_add_tail(&nc->head,
+ &h->cache->table[t->type].chains->list);
}
hlist_add_head(&nc->hnode, chain_name_hlist(h, t, cname));
return 0;
}
+static void __nft_chain_list_sort(struct list_head *list,
+ int (*cmp)(struct nft_chain *a,
+ struct nft_chain *b))
+{
+ struct nft_chain *pivot, *cur, *sav;
+ LIST_HEAD(sublist);
+
+ if (list_empty(list))
+ return;
+
+ /* grab first item as pivot (dividing) value */
+ pivot = list_entry(list->next, struct nft_chain, head);
+ list_del(&pivot->head);
+
+ /* move any smaller value into sublist */
+ list_for_each_entry_safe(cur, sav, list, head) {
+ if (cmp(pivot, cur) > 0) {
+ list_del(&cur->head);
+ list_add_tail(&cur->head, &sublist);
+ }
+ }
+ /* conquer divided */
+ __nft_chain_list_sort(&sublist, cmp);
+ __nft_chain_list_sort(list, cmp);
+
+ /* merge divided and pivot again */
+ list_add_tail(&pivot->head, &sublist);
+ list_splice(&sublist, list);
+}
+
+static int nft_chain_cmp_byname(struct nft_chain *a, struct nft_chain *b)
+{
+ const char *aname = nftnl_chain_get_str(a->nftnl, NFTNL_CHAIN_NAME);
+ const char *bname = nftnl_chain_get_str(b->nftnl, NFTNL_CHAIN_NAME);
+
+ return strcmp(aname, bname);
+}
+
+int nft_cache_sort_chains(struct nft_handle *h, const char *table)
+{
+ const struct builtin_table *t = nft_table_builtin_find(h, table);
+
+ if (!t)
+ return -1;
+
+ if (h->cache->table[t->type].sorted)
+ return 0;
+
+ __nft_chain_list_sort(&h->cache->table[t->type].chains->list,
+ nft_chain_cmp_byname);
+ h->cache->table[t->type].sorted = true;
+ return 0;
+}
+
struct nftnl_chain_list_cb_data {
struct nft_handle *h;
const struct builtin_table *t;
@@ -663,6 +706,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
flush_base_chain_cache(c->table[table->type].base_chains);
nft_chain_foreach(h, tablename, __flush_chain_cache, NULL);
+ c->table[table->type].sorted = false;
if (c->table[table->type].sets)
nftnl_set_list_foreach(c->table[table->type].sets,
@@ -678,6 +722,7 @@ static int flush_cache(struct nft_handle *h, struct nft_cache *c,
if (c->table[i].chains) {
nft_chain_list_free(c->table[i].chains);
c->table[i].chains = NULL;
+ c->table[i].sorted = false;
}
if (c->table[i].sets) {
diff --git a/iptables/nft-cache.h b/iptables/nft-cache.h
index 20d96beede876..58a015265056c 100644
--- a/iptables/nft-cache.h
+++ b/iptables/nft-cache.h
@@ -16,6 +16,7 @@ int flush_rule_cache(struct nft_handle *h, const char *table,
void nft_cache_build(struct nft_handle *h);
int nft_cache_add_chain(struct nft_handle *h, const struct builtin_table *t,
struct nftnl_chain *c);
+int nft_cache_sort_chains(struct nft_handle *h, const char *table);
struct nft_chain *
nft_chain_find(struct nft_handle *h, const char *table, const char *chain);
diff --git a/iptables/nft.c b/iptables/nft.c
index bde4ca72d3fcc..8b14daeaed610 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1754,6 +1754,8 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
return 1;
}
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, nft_rule_flush_cb, &d);
/* the core expects 1 for success and 0 for error */
@@ -1900,6 +1902,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain,
goto out;
}
+ if (verbose)
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, __nft_chain_user_del, &d);
out:
/* the core expects 1 for success and 0 for error */
@@ -2437,6 +2442,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
return 1;
}
+ nft_cache_sort_chains(h, table);
+
if (ops->print_table_header)
ops->print_table_header(table);
@@ -2540,6 +2547,8 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
return nft_rule_list_cb(c, &d);
}
+ nft_cache_sort_chains(h, table);
+
/* Dump policies and custom chains first */
nft_chain_foreach(h, table, nft_rule_list_chain_save, &counters);
@@ -3431,6 +3440,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
goto err;
}
+ if (verbose)
+ nft_cache_sort_chains(h, table);
+
ret = nft_chain_foreach(h, table, __nft_chain_zero_counters, &d);
err:
/* the core expects 1 for success and 0 for error */
diff --git a/iptables/nft.h b/iptables/nft.h
index 0910f82a2773c..4ac7e0099d567 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -44,6 +44,7 @@ struct nft_cache {
struct nft_chain_list *chains;
struct nftnl_set_list *sets;
bool exists;
+ bool sorted;
} table[NFT_TABLE_MAX];
};
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index d7901c650ea70..cfce0472f3ee8 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -87,6 +87,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data)
printf("*%s\n", tablename);
/* Dump out chain names first,
* thereby preventing dependency conflicts */
+ nft_cache_sort_chains(h, tablename);
nft_chain_foreach(h, tablename, nft_chain_save, h);
nft_rule_save(h, tablename, d->format);
if (d->commit)
--
2.31.1

56
SOURCES/0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
View File

@ -1,56 +0,0 @@
From 663151585d25996baee985b9b77b58627de16531 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 6 Apr 2021 10:51:20 +0200
Subject: [PATCH] nft: Increase BATCH_PAGE_SIZE to support huge rulesets
In order to support the same ruleset sizes as legacy iptables, the
kernel's limit of 1024 iovecs has to be overcome. Therefore increase
each iovec's size from 128KB to 2MB.
While being at it, add a log message for failing sendmsg() call. This is
not supposed to happen, even if the transaction fails. Yet if it does,
users are left with only a "line XXX failed" message (with line number
being the COMMIT line).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit a3e81c62e8c5abb4158f1f66df6bbcffd1b33240)
---
iptables/nft.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 8b14daeaed610..f1deb82f87576 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -88,11 +88,11 @@ int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
#define NFT_NLMSG_MAXSIZE (UINT16_MAX + getpagesize())
-/* selected batch page is 256 Kbytes long to load ruleset of
- * half a million rules without hitting -EMSGSIZE due to large
- * iovec.
+/* Selected batch page is 2 Mbytes long to support loading a ruleset of 3.5M
+ * rules matching on source and destination address as well as input and output
+ * interfaces. This is what legacy iptables supports.
*/
-#define BATCH_PAGE_SIZE getpagesize() * 32
+#define BATCH_PAGE_SIZE 2 * 1024 * 1024
static struct nftnl_batch *mnl_batch_init(void)
{
@@ -220,8 +220,10 @@ static int mnl_batch_talk(struct nft_handle *h, int numcmds)
int err = 0;
ret = mnl_nft_socket_sendmsg(h, numcmds);
- if (ret == -1)
+ if (ret == -1) {
+ fprintf(stderr, "sendmsg() failed: %s\n", strerror(errno));
return -1;
+ }
FD_ZERO(&readfds);
FD_SET(fd, &readfds);
--
2.31.1

31
SOURCES/0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
View File

@ -1,31 +0,0 @@
From 000c159641522abf56ccb4deebfc558e8bb41302 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 31 Aug 2021 12:26:20 +0200
Subject: [PATCH] nft: Use xtables_malloc() in mnl_err_list_node_add()
The function called malloc() without checking for memory allocation
failure. Simply replace the call by xtables_malloc() to fix that.
Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ca11c7b7036b5821c17b8d08dc2a29f55b461a93)
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index f1deb82f87576..83054e528cae1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -143,7 +143,7 @@ struct mnl_err {
static void mnl_err_list_node_add(struct list_head *err_list, int error,
int seqnum)
{
- struct mnl_err *err = malloc(sizeof(struct mnl_err));
+ struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));
err->seqnum = seqnum;
err->err = error;
--
2.33.0

130
SOURCES/0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
View File

@ -1,130 +0,0 @@
From f73416517ac7bb6868ff4c0199fcd4327c9dffa5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 28 Jul 2021 17:53:53 +0200
Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options
Drop any reference to them (and the environment variable) but list them
in BUGS section hinting at ebtables-save and -restore tools.
Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39)
---
iptables/ebtables-nft.8 | 64 ++++++-----------------------------------
1 file changed, 8 insertions(+), 56 deletions(-)
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 5bdc0bb8a939e..85f6738d7d1aa 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
.br
.BR "ebtables " [ -t " table ] " --init-table
.br
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
-.br
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
-.br
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
-.br
.SH DESCRIPTION
.PP
@@ -162,11 +156,9 @@ a table, the commands apply to the default filter table.
Only one command may be used on the command line at a time, except when
the commands
.BR -L " and " -Z
-are combined, the commands
+are combined or the commands
.BR -N " and " -P
-are combined, or when
-.B --atomic-file
-is used.
+are combined.
.TP
.B "-A, --append"
Append a rule to the end of the selected chain.
@@ -326,39 +318,6 @@ of the ebtables kernel table.
.TP
.B "--init-table"
Replace the current table data by the initial table data.
-.TP
-.B "--atomic-init"
-Copy the kernel's initial data of the table to the specified
-file. This can be used as the first action, after which rules are added
-to the file. The file can be specified using the
-.B --atomic-file
-command or through the
-.IR EBTABLES_ATOMIC_FILE " environment variable."
-.TP
-.B "--atomic-save"
-Copy the kernel's current data of the table to the specified
-file. This can be used as the first action, after which rules are added
-to the file. The file can be specified using the
-.B --atomic-file
-command or through the
-.IR EBTABLES_ATOMIC_FILE " environment variable."
-.TP
-.B "--atomic-commit"
-Replace the kernel table data with the data contained in the specified
-file. This is a useful command that allows you to load all your rules of a
-certain table into the kernel at once, saving the kernel a lot of precious
-time and allowing atomic updates of the tables. The file which contains
-the table data is constructed by using either the
-.B "--atomic-init"
-or the
-.B "--atomic-save"
-command to generate a starting file. After that, using the
-.B "--atomic-file"
-command when constructing rules or setting the
-.IR EBTABLES_ATOMIC_FILE " environment variable"
-allows you to extend the file and build the complete table before
-committing it to the kernel. This command can be very useful in boot scripts
-to populate the ebtables tables in a fast way.
.SS MISCELLANOUS COMMANDS
.TP
.B "-V, --version"
@@ -384,16 +343,6 @@ a target extension (see
.BR "TARGET EXTENSIONS" ")"
or a user-defined chain name.
.TP
-.B --atomic-file "\fIfile\fP"
-Let the command operate on the specified
-.IR file .
-The data of the table to
-operate on will be extracted from the file and the result of the operation
-will be saved back into the file. If specified, this option should come
-before the command specification. An alternative that should be preferred,
-is setting the
-.IR EBTABLES_ATOMIC_FILE " environment variable."
-.TP
.B -M, --modprobe "\fIprogram\fP"
When talking to the kernel, use this
.I program
@@ -1113,8 +1062,6 @@ arp message and the hardware address length in the arp header is 6 bytes.
.br
.SH FILES
.I /etc/ethertypes
-.SH ENVIRONMENT VARIABLES
-.I EBTABLES_ATOMIC_FILE
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
.SH BUGS
@@ -1122,7 +1069,12 @@ The version of ebtables this man page ships with does not support the
.B broute
table. Also there is no support for
.B string
-match. And finally, this list is probably not complete.
+match. Further, support for atomic-options
+.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit )
+has not been implemented, although
+.BR ebtables-save " and " ebtables-restore
+might replace them entirely given the inherent atomicity of nftables.
+Finally, this list is probably not complete.
.SH SEE ALSO
.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
.PP
--
2.33.0

102
SOURCES/0022-ebtables-Dump-atomic-waste.patch
View File

@ -1,102 +0,0 @@
From cb68daac1f24c94a48450a683a5f765dc00da164 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 30 Jul 2021 12:25:10 +0200
Subject: [PATCH] ebtables: Dump atomic waste
With ebtables-nft.8 now educating people about the missing
functionality, get rid of atomic remains in source code. This eliminates
mostly comments except for --atomic-commit which was treated as alias of
--init-table. People not using the latter are probably trying to
atomic-commit from an atomic-file which in turn is not supported, so no
point keeping it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0)
---
iptables/xtables-eb.c | 53 -------------------------------------------
1 file changed, 53 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 5bb34d6d292a9..aeb4d92166431 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -211,10 +211,6 @@ struct option ebt_original_options[] =
{ "new-chain" , required_argument, 0, 'N' },
{ "rename-chain" , required_argument, 0, 'E' },
{ "delete-chain" , optional_argument, 0, 'X' },
- { "atomic-init" , no_argument , 0, 7 },
- { "atomic-commit" , no_argument , 0, 8 },
- { "atomic-file" , required_argument, 0, 9 },
- { "atomic-save" , no_argument , 0, 10 },
{ "init-table" , no_argument , 0, 11 },
{ "concurrent" , no_argument , 0, 13 },
{ 0 }
@@ -320,10 +316,6 @@ static void print_help(const struct xtables_target *t,
"--new-chain -N chain : create a user defined chain\n"
"--rename-chain -E old new : rename a chain\n"
"--delete-chain -X [chain] : delete a user defined chain\n"
-"--atomic-commit : update the kernel w/t table contained in <FILE>\n"
-"--atomic-init : put the initial kernel table into <FILE>\n"
-"--atomic-save : put the current kernel table into <FILE>\n"
-"--atomic-file file : set <FILE> to file\n\n"
"Options:\n"
"--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n"
"--src -s [!] address[/mask]: source mac address\n"
@@ -1088,54 +1080,9 @@ print_zero:
"Use --Lmac2 with -L");
flags |= LIST_MAC2;
break;
- case 8 : /* atomic-commit */
-/*
- replace->command = c;
- if (OPT_COMMANDS)
- ebt_print_error2("Multiple commands are not allowed");
- replace->flags |= OPT_COMMAND;
- if (!replace->filename)
- ebt_print_error2("No atomic file specified");*/
- /* Get the information from the file */
- /*ebt_get_table(replace, 0);*/
- /* We don't want the kernel giving us its counters,
- * they would overwrite the counters extracted from
- * the file */
- /*replace->num_counters = 0;*/
- /* Make sure the table will be written to the kernel */
- /*free(replace->filename);
- replace->filename = NULL;
- break;*/
- /*case 7 :*/ /* atomic-init */
- /*case 10:*/ /* atomic-save */
case 11: /* init-table */
nft_cmd_table_flush(h, *table, false);
return 1;
- /*
- replace->command = c;
- if (OPT_COMMANDS)
- ebt_print_error2("Multiple commands are not allowed");
- if (c != 11 && !replace->filename)
- ebt_print_error2("No atomic file specified");
- replace->flags |= OPT_COMMAND;
- {
- char *tmp = replace->filename;*/
-
- /* Get the kernel table */
- /*replace->filename = NULL;
- ebt_get_kernel_table(replace, c == 10 ? 0 : 1);
- replace->filename = tmp;
- }
- break;
- case 9 :*/ /* atomic */
- /*
- if (OPT_COMMANDS)
- ebt_print_error2("--atomic has to come before the command");*/
- /* A possible memory leak here, but this is not
- * executed in daemon mode */
- /*replace->filename = (char *)malloc(strlen(optarg) + 1);
- strcpy(replace->filename, optarg);
- break; */
case 13 :
break;
case 1 :
--
2.33.0

31
SOURCES/0023-nft-Fix-for-non-verbose-check-command.patch
View File

@ -1,31 +0,0 @@
From 5b88835a68a886f58c230599a82a6588f6fc5214 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 3 Aug 2021 10:55:20 +0200
Subject: [PATCH] nft: Fix for non-verbose check command
Check command was unconditionally verbose since v1.8.5. Make it respect
--verbose option again.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0)
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 83054e528cae1..a470939db54fb 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
case NFT_COMPAT_RULE_CHECK:
assert_chain_exists(h, cmd->table, cmd->jumpto);
ret = nft_rule_check(h, cmd->chain, cmd->table,
- cmd->obj.rule, cmd->rulenum);
+ cmd->obj.rule, cmd->verbose);
break;
case NFT_COMPAT_RULE_ZERO:
ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
--
2.33.0

39
SOURCES/0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
View File

@ -1,39 +0,0 @@
From 5d5c82f9bbdc8326132333f7713dfb5d457aafab Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 3 Aug 2021 11:32:34 +0200
Subject: [PATCH] tests/shell: Assert non-verbose mode is silent
Unexpected output from iptables commands might mess up error-checking in
scripts for instance, so do a quick test of the most common commands.
Note: Test adds two rules to make sure flush command operates on a
non-empty chain.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 8629c53f933a16f1d68d19fb163c879453a3dcf2)
---
.../shell/testcases/iptables/0002-verbose-output_0 | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0 b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
index b1ef91f61f481..5d2af4c8d2ab2 100755
--- a/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
+++ b/iptables/tests/shell/testcases/iptables/0002-verbose-output_0
@@ -54,3 +54,14 @@ diff -u <(echo "Flushing chain \`foobar'") <($XT_MULTI iptables -v -F foobar)
diff -u <(echo "Zeroing chain \`foobar'") <($XT_MULTI iptables -v -Z foobar)
diff -u <(echo "Deleting chain \`foobar'") <($XT_MULTI iptables -v -X foobar)
+
+# make sure non-verbose mode is silent
+diff -u <(echo -n "") <(
+ $XT_MULTI iptables -N foobar
+ $XT_MULTI iptables -A foobar $RULE1
+ $XT_MULTI iptables -A foobar $RULE2
+ $XT_MULTI iptables -C foobar $RULE1
+ $XT_MULTI iptables -D foobar $RULE2
+ $XT_MULTI iptables -F foobar
+ $XT_MULTI iptables -X foobar
+)
--
2.33.0

177
SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch
View File

@ -1,177 +0,0 @@
From 6415593af4223ea082e0086ec1088f0eacfbce78 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 29 Apr 2021 15:28:59 +0200
Subject: [PATCH] extensions: SECMARK: Implement revision 1
The changed data structure for communication with kernel allows to
exclude the field 'secid' which is populated on kernel side. Thus
this fixes the formerly always failing extension comparison breaking
rule check and rule delete by content.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
---
extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
extensions/libxt_SECMARK.t | 4 ++
include/linux/netfilter/xt_SECMARK.h | 6 ++
3 files changed, 80 insertions(+), 20 deletions(-)
create mode 100644 extensions/libxt_SECMARK.t
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 6ba8606355daa..24249bd618ffe 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
XTOPT_TABLEEND,
};
+static const struct xt_option_entry SECMARK_opts_v1[] = {
+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND | XTOPT_PUT,
+ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
+ XTOPT_TABLEEND,
+};
+
static void SECMARK_parse(struct xt_option_call *cb)
{
struct xt_secmark_target_info *info = cb->data;
@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
info->mode = SECMARK_MODE_SEL;
}
-static void print_secmark(const struct xt_secmark_target_info *info)
+static void SECMARK_parse_v1(struct xt_option_call *cb)
+{
+ struct xt_secmark_target_info_v1 *info = cb->data;
+
+ xtables_option_parse(cb);
+ info->mode = SECMARK_MODE_SEL;
+}
+
+static void print_secmark(__u8 mode, const char *secctx)
{
- switch (info->mode) {
+ switch (mode) {
case SECMARK_MODE_SEL:
- printf("selctx %s", info->secctx);
+ printf("selctx %s", secctx);
break;
-
+
default:
- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
}
}
@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
(struct xt_secmark_target_info*)(target)->data;
printf(" SECMARK ");
- print_secmark(info);
+ print_secmark(info->mode, info->secctx);
+}
+
+static void SECMARK_print_v1(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_secmark_target_info_v1 *info =
+ (struct xt_secmark_target_info_v1 *)(target)->data;
+
+ printf(" SECMARK ");
+ print_secmark(info->mode, info->secctx);
}
static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
(struct xt_secmark_target_info*)target->data;
printf(" --");
- print_secmark(info);
+ print_secmark(info->mode, info->secctx);
}
-static struct xtables_target secmark_target = {
- .family = NFPROTO_UNSPEC,
- .name = "SECMARK",
- .version = XTABLES_VERSION,
- .revision = 0,
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .help = SECMARK_help,
- .print = SECMARK_print,
- .save = SECMARK_save,
- .x6_parse = SECMARK_parse,
- .x6_options = SECMARK_opts,
+static void SECMARK_save_v1(const void *ip,
+ const struct xt_entry_target *target)
+{
+ const struct xt_secmark_target_info_v1 *info =
+ (struct xt_secmark_target_info_v1 *)target->data;
+
+ printf(" --");
+ print_secmark(info->mode, info->secctx);
+}
+
+static struct xtables_target secmark_tg_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "SECMARK",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+ .help = SECMARK_help,
+ .print = SECMARK_print,
+ .save = SECMARK_save,
+ .x6_parse = SECMARK_parse,
+ .x6_options = SECMARK_opts,
+ },
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "SECMARK",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
+ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
+ .help = SECMARK_help,
+ .print = SECMARK_print_v1,
+ .save = SECMARK_save_v1,
+ .x6_parse = SECMARK_parse_v1,
+ .x6_options = SECMARK_opts_v1,
+ }
};
void _init(void)
{
- xtables_register_target(&secmark_target);
+ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
}
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
new file mode 100644
index 0000000000000..39d4c09348bf4
--- /dev/null
+++ b/extensions/libxt_SECMARK.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK;;FAIL
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
index 989092bd6274b..31760a286a854 100644
--- a/include/linux/netfilter/xt_SECMARK.h
+++ b/include/linux/netfilter/xt_SECMARK.h
@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
char secctx[SECMARK_SECCTX_MAX];
};
+struct xt_secmark_target_info_v1 {
+ __u8 mode;
+ char secctx[SECMARK_SECCTX_MAX];
+ __u32 secid;
+};
+
#endif /*_XT_SECMARK_H_target */
--
2.34.1

62
SPECS/iptables.spec
View File

@ -15,8 +15,8 @@
Name: iptables Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: 1.8.7 Version: 1.8.8
Release: 28%{?dist} Release: 4%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2 Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -29,32 +29,12 @@ Source8: ebtables-helper
Source9: ebtables.service Source9: ebtables.service
Source10: ebtables-config Source10: ebtables-config
Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch Patch01: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch Patch02: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch Patch03: 0003-xshared-Fix-build-for-Werror-format-security.patch
Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch Patch04: 0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
Patch5: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch Patch05: 0005-arptables-Support-x-exact-flag.patch
Patch6: 0006-extensions-libebt_ip6-Drop-unused-variables.patch Patch06: 0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
Patch7: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
Patch8: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
Patch9: 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
Patch10: 0010-iptables-apply-Drop-unused-variable.patch
Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
Patch14: 0014-iptables-nft-fix-Z-option.patch
Patch15: 0015-nft-Fix-bitwise-expression-avoidance-detection.patch
Patch16: 0016-extensions-sctp-Fix-nftables-translation.patch
Patch17: 0017-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Patch18: 0018-nft-cache-Sort-chains-on-demand-only.patch
Patch19: 0019-nft-Increase-BATCH_PAGE_SIZE-to-support-huge-ruleset.patch
Patch20: 0020-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
Patch22: 0022-ebtables-Dump-atomic-waste.patch
Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
Patch25: 0025-extensions-SECMARK-Implement-revision-1.patch
Patch26: 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic 2.0 # iptables-apply: Artistic 2.0
@ -72,7 +52,7 @@ BuildRequires: bison
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc BuildRequires: gcc
BuildRequires: pkgconfig(libmnl) >= 1.0 BuildRequires: pkgconfig(libmnl) >= 1.0
BuildRequires: pkgconfig(libnftnl) >= 1.1.5 BuildRequires: pkgconfig(libnftnl) >= 1.1.6
# libpcap-devel for nfbpf_compile # libpcap-devel for nfbpf_compile
BuildRequires: libpcap-devel BuildRequires: libpcap-devel
BuildRequires: autoconf BuildRequires: autoconf
@ -470,6 +450,30 @@ fi
%ghost %{_mandir}/man8/ebtables.8.gz %ghost %{_mandir}/man8/ebtables.8.gz
%changelog %changelog
* Tue Jul 05 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-4
- libxtables: Fix unsupported extension warning corner case
* Wed Jun 08 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-3
- arptables: Support -x/--exact flag
* Thu Jun 02 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-2
- tests: shell: Check overhead in iptables-save and -restore
* Fri May 13 2022 Phil Sutter <psutter@redhat.com> - 1.8.8-1
- new version
* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-30
- Use proto_to_name() from xshared in more places
* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-29
- libxtables: Boost rule target checks by announcing chain names
- libxtables: Implement notargets hash table
- nft: Reject standard targets as chain names when restoring
- xshared: Merge and share parse_chain()
- xshared: Prefer xtables_chain_protos lookup over getprotoent
- nft: Speed up immediate parsing
- nft: Simplify immediate parsing
* Wed Feb 16 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-28 * Wed Feb 16 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-28
- extensions: SECMARK: Use a better context in test case - extensions: SECMARK: Use a better context in test case