rpms/iptables
6
0
Fork 0
Code Issues Pull Requests Releases Activity

iptables-1.8.10-5

Browse Source 
- Backport fixes from upstream
- Fix flatpak build
This commit is contained in:
Phil Sutter 2024-01-12 17:47:08 +01:00
parent 3611a44057
commit 86e59a1ef9
11 changed files with 589 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch Normal file
View File

@ -0,0 +1,81 @@
From 88d7c7c51b4523add8b7d48209b5b6a316442e0f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 12 Oct 2023 17:27:42 +0200
Subject: [PATCH] libiptc: Fix for another segfault due to chain index NULL
pointer
Chain rename code missed to adjust the num_chains value which is used to
calculate the number of chain index buckets to allocate during an index
rebuild. So with the right number of chains present, the last chain in a
middle bucket being renamed (and ending up in another bucket) triggers
an index rebuild based on false data. The resulting NULL pointer index
bucket then causes a segfault upon reinsertion.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
(cherry picked from commit e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620)
---
.../testcases/chain/0008rename-segfault2_0 | 32 +++++++++++++++++++
libiptc/libiptc.c | 4 +++
2 files changed, 36 insertions(+)
create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0
diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
new file mode 100755
index 0000000000000..bc473d2511bbd
--- /dev/null
+++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Another funny rename bug in libiptc:
+# If there is a chain index bucket with only a single chain in it and it is not
+# the last one and that chain is renamed, a chain index rebuild is triggered.
+# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an
+# extra index is allocated and remains NULL. The following insert of renamed
+# chain then segfaults.
+
+(
+ echo "*filter"
+ # first bucket
+ for ((i = 0; i < 40; i++)); do
+ echo ":chain-a-$i - [0:0]"
+ done
+ # second bucket
+ for ((i = 0; i < 40; i++)); do
+ echo ":chain-b-$i - [0:0]"
+ done
+ # third bucket, just make sure it exists
+ echo ":chain-c-0 - [0:0]"
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore
+
+# rename all chains of the middle bucket
+(
+ echo "*filter"
+ for ((i = 0; i < 40; i++)); do
+ echo "-E chain-b-$i chain-d-$i"
+ done
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore --noflush
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index e475063367c26..9712a36353b9a 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
return 0;
}
+ handle->num_chains--;
+
/* This only unlinks "c" from the list, thus no free(c) */
iptcc_chain_index_delete_chain(c, handle);
/* Change the name of the chain */
strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1);
+ handle->num_chains++;
+
/* Insert sorted into to list again */
iptc_insert_chain(handle, c);

81
0002-arptables-nft-remove-ARPT_INV-flags-usage.patch Normal file
View File

@ -0,0 +1,81 @@
From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Fri, 3 Nov 2023 17:33:22 +0100
Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage
ARPT_ and IPT_INV flags are not interchangeable, e.g.:
define IPT_INV_SRCDEVADDR 0x0080
define ARPT_INV_SRCDEVADDR 0x0010
as these flags can be tested by libarp_foo.so such checks can yield
incorrect results.
Because arptables-nft uses existing code, e.g. xt_mark, it makes
sense to unify this completely by converting the last users of
ARPT_INV_ constants.
Note that arptables-legacy does not do run-time module loading via
dlopen(). Functionaliy implemented by "extensions" in the
arptables-legacy git tree are built-in, so this doesn't break
arptables-legacy binaries.
Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68)
---
extensions/libarpt_mangle.c | 4 ++--
iptables/nft-arp.c | 2 +-
iptables/xshared.h | 4 +++-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c
index 765edf34781f3..a846e97ec8f27 100644
--- a/extensions/libarpt_mangle.c
+++ b/extensions/libarpt_mangle.c
@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! --h-length not allowed for "
"--mangle-mac-s");
@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! hln not allowed for --mangle-mac-d");
if (e->arp.arhln != 6)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index aed39ebdd5166..535dd6b83237b 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command,
&args->d.naddrs);
if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
- (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+ (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
xtables_error(PARAMETER_PROBLEM,
"! not allowed with multiple"
" source or destination IP addresses");
diff --git a/iptables/xshared.h b/iptables/xshared.h
index a200e0d620ad3..5586385456a4d 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -80,7 +80,9 @@ struct xtables_target;
#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
-/* define invflags which won't collide with IPT ones */
+/* define invflags which won't collide with IPT ones.
+ * arptables-nft does NOT use the legacy ARPT_INV_* defines.
+ */
#define IPT_INV_SRCDEVADDR 0x0080
#define IPT_INV_TGTDEVADDR 0x0100
#define IPT_INV_ARPHLN 0x0200

63
0003-ebtables-Fix-corner-case-noflush-restore-bug.patch Normal file
View File

@ -0,0 +1,63 @@
From b7051898e28854b21bc7a37ef24ca037ef977e4a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 7 Nov 2023 19:12:14 +0100
Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
Report came from firwalld, but this is actually rather hard to trigger.
Since a regular chain line prevents it, typical dump/restore use-cases
are unaffected.
Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
Cc: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit c1083acea70787eea3f7929fd04718434bb05ba8)
---
.../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++
iptables/xtables-eb.c | 2 ++
2 files changed, 27 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
new file mode 100755
index 0000000000000..0def0ac58e7be
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
+# - with --noflush
+# - a second table after the broute one
+# - A policy command but no chain line for BROUTING chain
+
+set -e
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+$XT_MULTI ebtables-restore --noflush <<EOF
+*broute
+-P BROUTING ACCEPT
+*nat
+-P PREROUTING ACCEPT
+COMMIT
+EOF
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 08eec79d80400..a8ad57c735cc5 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
return NF_BR_LOCAL_OUT;
else if (strcmp(chain, "POSTROUTING") == 0)
return NF_BR_POST_ROUTING;
+ else if (strcmp(chain, "BROUTING") == 0)
+ return NF_BR_BROUTING;
/* placeholder for user defined chain */
return NF_BR_NUMHOOKS;

42
0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch Normal file
View File

@ -0,0 +1,42 @@
From 37622ca0f4c29c9a06b0d2f3f1abc6695c57d560 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 19 Nov 2023 13:18:26 +0100
Subject: [PATCH] xshared: struct xt_cmd_parse::xlate is unused
Drop the boolean, it was meant to disable some existence checks in
do_parse() prior to the caching rework. Now that do_parse() runs before
any caching is done, the checks in question don't exist anymore so drop
this relict.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit b180d9c86d2cce6ab6fd3e3617faf320a8a1babb)
---
iptables/xshared.h | 1 -
iptables/xtables-translate.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 5586385456a4d..c77556a1987dc 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -284,7 +284,6 @@ struct xt_cmd_parse {
bool restore;
int line;
int verbose;
- bool xlate;
struct xt_cmd_parse_ops *ops;
};
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 88e0a6b639494..c019cd2991305 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -249,7 +249,6 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
.table = *table,
.restore = restore,
.line = line,
- .xlate = true,
.ops = &h->ops->cmd_parse,
};
struct iptables_command_state cs = {

31
0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch Normal file
View File

@ -0,0 +1,31 @@
From 436dd5a6ba5639c8e83183f6252ce7bd37760e1c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 19 Nov 2023 13:25:36 +0100
Subject: [PATCH] xshared: All variants support -v, update OPTSTRING_COMMON
Fixes: 51d9d9e081344 ("ebtables: Support verbose mode")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9a9ff768cab58aea02828e422184873e52e9846a)
---
iptables/xshared.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/xshared.h b/iptables/xshared.h
index c77556a1987dc..815b9d3e98726 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -75,10 +75,10 @@ struct xtables_globals;
struct xtables_rule_match;
struct xtables_target;
-#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
-#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
-#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
+#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:v"
+#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nw::x"
+#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nx" /* "m:" */
+#define EBT_OPTSTRING OPTSTRING_COMMON "h"
/* define invflags which won't collide with IPT ones.
* arptables-nft does NOT use the legacy ARPT_INV_* defines.

28
0006-ebtables-Align-line-number-formatting-with-legacy.patch Normal file
View File

@ -0,0 +1,28 @@
From ffd0c96de7bbc558b9b7a8bcbeebd9576fec8e59 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 21 Nov 2023 22:58:47 +0100
Subject: [PATCH] ebtables: Align line number formatting with legacy
Legacy ebtables appends a dot to the number printed in first column if
--Ln flag was given.
Fixes: da871de2a6efb ("nft: bootstrap ebtables-compat")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 74253799f0ca0735256327e834b7dffedde96ebf)
---
iptables/nft-bridge.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index d9a8ad2b0f373..e414ef5584392 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -354,7 +354,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
struct iptables_command_state cs = {};
if (format & FMT_LINENUMBERS)
- printf("%d ", num);
+ printf("%d. ", num);
nft_rule_to_ebtables_command_state(h, r, &cs);
__nft_bridge_save_rule(&cs, format);

44
0007-man-Do-not-escape-exclamation-marks.patch Normal file
View File

@ -0,0 +1,44 @@
From 1c9549af3566e6c0b5573d6f91b25934d8d99f79 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Nov 2023 13:29:17 +0100
Subject: [PATCH] man: Do not escape exclamation marks
This appears to be not necessary, also mandoc complains about it:
| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \!
Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage")
Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit d8c64911cfd602f57354f36e5ca79bbedd62aa7a)
---
extensions/libip6t_DNPT.man | 2 +-
extensions/libip6t_SNPT.man | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man
index 9b060f5b7179b..72c6ae5d422a2 100644
--- a/extensions/libip6t_DNPT.man
+++ b/extensions/libip6t_DNPT.man
@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
.PP
You have to use the SNPT target to undo the translation. Example:
.IP
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
.IP
ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man
index 97e0071b43cc1..0c926978377a7 100644
--- a/extensions/libip6t_SNPT.man
+++ b/extensions/libip6t_SNPT.man
@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
.PP
You have to use the DNPT target to undo the translation. Example:
.IP
-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
+ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
\-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
.IP
ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64

49
0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch Normal file
View File

@ -0,0 +1,49 @@
From f667f577e6d29e62f55cdc4e1e39414913bf7c4c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Nov 2023 20:21:49 +0100
Subject: [PATCH] libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
In order to parse the mask, xtopt_parse_hostmask() calls
xtopt_parse_plenmask() thereby limiting netmask support to prefix
lengths (alternatively specified in IP address notation).
In order to lift this impractical restriction, make
xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
fall back to xtopt_parse_mask() which correctly initializes val.hmask
itself and indicates non-CIDR-compatible masks by setting val.hlen to
-1.
So in order to support these odd masks, it is sufficient for
xtopt_parse_plenmask() to skip its mask building from val.hlen value and
take whatever val.hmask contains.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 41139aee5e53304182a25f1e573f034b313f7232)
---
libxtables/xtoptions.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index b16bbfbe32311..d91a78f470eda 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -711,6 +711,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
xtopt_parse_plen(cb);
+ /* may not be convertible to CIDR notation */
+ if (cb->val.hlen == (uint8_t)-1)
+ goto out_put;
+
memset(mask, 0xFF, sizeof(union nf_inet_addr));
/* This shifting is AF-independent. */
if (cb->val.hlen == 0) {
@@ -731,6 +735,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
mask[1] = htonl(mask[1]);
mask[2] = htonl(mask[2]);
mask[3] = htonl(mask[3]);
+out_put:
if (entry->flags & XTOPT_PUT)
memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
}

114
0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch Normal file
View File

@ -0,0 +1,114 @@
From 2568af12c3cf96a8b28082e6188dba94441b21c1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 19 Dec 2023 00:56:07 +0100
Subject: [PATCH] iptables-legacy: Fix for mandatory lock waiting
Parameter 'wait' passed to xtables_lock() signals three modes of
operation, depending on its value:
0: --wait not specified, do not wait if lock is busy
-1: --wait specified without value, wait indefinitely until lock becomes
free
>0: Wait for 'wait' seconds for lock to become free, abort otherwise
Since fixed commit, the first two cases were treated the same apart from
calling alarm(0), but that is a nop if no alarm is pending. Fix the code
by requesting a non-blocking flock() in the second case. While at it,
restrict the alarm setup to the third case only.
Cc: Jethro Beekman <jethro@fortanix.com>
Cc: howardjohn@google.com
Cc: Antonio Ojea <antonio.ojea.garcia@gmail.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728
Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 63ab5b8906f6913a14d38ec231f21daa760339a9)
---
.../shell/testcases/iptables/0010-wait_0 | 55 +++++++++++++++++++
iptables/xshared.c | 4 +-
2 files changed, 57 insertions(+), 2 deletions(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0010-wait_0
diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0
new file mode 100755
index 0000000000000..4481f966ce435
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0010-wait_0
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+case "$XT_MULTI" in
+*xtables-legacy-multi)
+ ;;
+*)
+ echo skip $XT_MULTI
+ exit 0
+ ;;
+esac
+
+coproc RESTORE { $XT_MULTI iptables-restore; }
+echo "*filter" >&${RESTORE[1]}
+
+
+$XT_MULTI iptables -A FORWARD -j ACCEPT &
+ipt_pid=$!
+
+waitpid -t 1 $ipt_pid
+[[ $? -eq 3 ]] && {
+ echo "process waits when it should not"
+ exit 1
+}
+wait $ipt_pid
+[[ $? -eq 0 ]] && {
+ echo "process exited 0 despite busy lock"
+ exit 1
+}
+
+t0=$(date +%s)
+$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT
+t1=$(date +%s)
+[[ $((t1 - t0)) -ge 3 ]] || {
+ echo "wait time not expired"
+ exit 1
+}
+
+$XT_MULTI iptables -w -A FORWARD -j ACCEPT &
+ipt_pid=$!
+
+waitpid -t 3 $ipt_pid
+[[ $? -eq 3 ]] || {
+ echo "no indefinite wait"
+ exit 1
+}
+kill $ipt_pid
+waitpid -t 3 $ipt_pid
+[[ $? -eq 3 ]] && {
+ echo "killed waiting iptables call did not exit in time"
+ exit 1
+}
+
+kill $RESTORE_PID
+wait
+exit 0
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 5f75a0a57a023..690502c457dd0 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -270,7 +270,7 @@ static int xtables_lock(int wait)
return XT_LOCK_FAILED;
}
- if (wait != -1) {
+ if (wait > 0) {
sigact_alarm.sa_handler = alarm_ignore;
sigact_alarm.sa_flags = SA_RESETHAND;
sigemptyset(&sigact_alarm.sa_mask);
@@ -278,7 +278,7 @@ static int xtables_lock(int wait)
alarm(wait);
}
- if (flock(fd, LOCK_EX) == 0)
+ if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) == 0)
return fd;
if (errno == EINTR) {

40
0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch Normal file
View File

@ -0,0 +1,40 @@
From 07ab8c7e7a1eeb6a5bb4028d92d713034df39167 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 17 Dec 2023 13:02:36 +0100
Subject: [PATCH] libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
Do as the comment in xtopt_parse_hostmask() claims and omit
XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
will catch the incompatibility.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
(cherry picked from commit 17d724f20e3c97ea8ce8765ca532a3cf49a98b31)
---
include/xtables.h | 1 -
libxtables/xtoptions.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/include/xtables.h b/include/xtables.h
index 087a1d600f9ae..9def9b43b6e58 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -61,7 +61,6 @@ struct in_addr;
* %XTTYPE_SYSLOGLEVEL: syslog level by name or number
* %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr)
* %XTTYPE_HOSTMASK: one host or address, with an optional prefix length
- * (ptr: union nf_inet_addr; only host portion is stored)
* %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t)
* %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO)
* %XTTYPE_PORTRC: colon-separated port range (names acceptable),
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index d91a78f470eda..ba68056dc99f7 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -57,7 +57,6 @@ static const size_t xtopt_psize[] = {
[XTTYPE_STRING] = -1,
[XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t),
[XTTYPE_HOST] = sizeof(union nf_inet_addr),
- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr),
[XTTYPE_PROTOCOL] = sizeof(uint8_t),
[XTTYPE_PORT] = sizeof(uint16_t),
[XTTYPE_PORTRC] = sizeof(uint16_t[2]),

17
iptables.spec
View File

@ -11,7 +11,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables
Version: 1.8.10
Release: 4%{?dist}
Release: 5%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.xz
Source1: iptables.init
Source2: iptables-config
@ -20,6 +20,17 @@ Source4: sysconfig_iptables
Source5: sysconfig_ip6tables
Source6: arptables-nft-helper
Patch001: 0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch
Patch002: 0002-arptables-nft-remove-ARPT_INV-flags-usage.patch
Patch003: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
Patch004: 0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch
Patch005: 0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch
Patch006: 0006-ebtables-Align-line-number-formatting-with-legacy.patch
Patch007: 0007-man-Do-not-escape-exclamation-marks.patch
Patch008: 0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch
Patch009: 0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
Patch010: 0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch
# pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
License: GPL-2.0-only AND Artistic-2.0 AND ISC
@ -415,6 +426,10 @@ fi
%changelog
* Thu Jan 11 2024 Phil Sutter <psutter@redhat.com> - 1.8.10-5
- Backport fixes from upstream
- Fix flatpak build
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> - 1.8.10-4
- The actual obsoletes fix