From 9457f3a99c8fc667a2af97563d8d3cfe2162ec0b Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 28 Jul 2023 22:59:25 +0200
Subject: [PATCH] iptables-1.8.5-8.el8 - Update fixes from upstream once more
Related: rhbz#2211063
---
 ...ptables-Fix-setting-of-ipv6-counters.patch | 107 ++++++
 ...-Fix-handling-of-non-existent-chains.patch | 53 +++
 ...context-structure-to-ops-add-to-impr.patch | 339 ++++++++++++++++++
 ...ng-for-among-match-in-compare_matche.patch | 46 +++
 ...t-pass-nft_rule_ctx-to-add_nft_among.patch | 67 ++++
 iptables.spec | 10 +-
 6 files changed, 621 insertions(+), 1 deletion(-)
 create mode 100644 0140-iptables-Fix-setting-of-ipv6-counters.patch
 create mode 100644 0141-iptables-Fix-handling-of-non-existent-chains.patch
 create mode 100644 0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch
 create mode 100644 0143-nft-Special-casing-for-among-match-in-compare_matche.patch
 create mode 100644 0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch
diff --git a/0140-iptables-Fix-setting-of-ipv6-counters.patch b/0140-iptables-Fix-setting-of-ipv6-counters.patch
new file mode 100644
index 0000000..52e16f9
--- /dev/null
+++ b/0140-iptables-Fix-setting-of-ipv6-counters.patch
@@ -0,0 +1,107 @@ +From 87cf690d64630c1c32986480036c594795224ee7 Mon Sep 17 00:00:00 2001 +From: Jacek Tomasiak +Date: Mon, 19 Jun 2023 12:44:54 +0200 +Subject: [PATCH] iptables: Fix setting of ipv6 counters + +When setting counters using ip6tables-nft -c X Y the X and Y values were +not stored. + +This is a fix based on 9baf3bf0e77dab6ca4b167554ec0e57b65d0af01 but +applied to the nft variant of ipv6 not the legacy. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1647 +Fixes: 0391677c1a0b2 ("xtables: add IPv6 support") +Signed-off-by: Jacek Tomasiak +Signed-off-by: Jacek Tomasiak +Signed-off-by: Phil Sutter +(cherry picked from commit ed839159edf8bda8e9196f1056c4038c22d78bfd) + +Conflicts: + iptables/xshared.c +-> Applied to iptables/nft-ipv6.c due to missing commit e4f5185d8f29a + ("nft: Move proto_parse and post_parse callbacks to xshared") +--- + iptables/nft-ipv6.c | 3 +++ + iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 | 6 +++--- + iptables/tests/shell/testcases/iptables/0003-list-rules_0 | 6 +++--- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c +index 1f73bbcb8771f..69d9bc41314fc 100644 +--- a/iptables/nft-ipv6.c ++++ b/iptables/nft-ipv6.c +@@ -298,6 +298,9 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs, + if (args->goto_set) + cs->fw6.ipv6.flags |= IP6T_F_GOTO; + ++ /* nft-variants use cs->counters, legacy uses cs->fw6.counters */ ++ cs->counters.pcnt = args->pcnt_cnt; ++ cs->counters.bcnt = args->bcnt_cnt; + cs->fw6.counters.pcnt = args->pcnt_cnt; + cs->fw6.counters.bcnt = args->bcnt_cnt; + +diff --git a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 +index c98bdd6e501aa..09e39927ef390 100755 +--- a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 ++++ b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 +@@ -3,7 +3,7 @@ + set -e + + $XT_MULTI 
ip6tables -N foo +-$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT ++$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 + $XT_MULTI ip6tables -A FORWARD -i eth42 -o eth23 -g foo + $XT_MULTI ip6tables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT + +@@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 + -P FORWARD ACCEPT -c 0 0 + -P OUTPUT ACCEPT -c 0 0 + -N foo +--A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT ++-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT + -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' + + diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S) +@@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT + diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD) + + EXPECT='-P FORWARD ACCEPT -c 0 0 +--A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT ++-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT + -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' + + diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S FORWARD) +diff --git a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 b/iptables/tests/shell/testcases/iptables/0003-list-rules_0 +index d335d44257a49..d07bd151be76b 100755 +--- a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 ++++ b/iptables/tests/shell/testcases/iptables/0003-list-rules_0 +@@ -3,7 +3,7 @@ + set -e + + $XT_MULTI iptables -N foo +-$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT ++$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42 + $XT_MULTI iptables -A FORWARD -i eth42 -o eth23 -g foo + $XT_MULTI iptables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT + +@@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0 + -P FORWARD ACCEPT -c 0 0 + -P OUTPUT ACCEPT -c 0 0 + -N foo +--A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT ++-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT + -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' + + diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S) +@@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT + diff -u -Z <(echo -e 
"$EXPECT") <($XT_MULTI iptables -S FORWARD) + + EXPECT='-P FORWARD ACCEPT -c 0 0 +--A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT ++-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT + -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo' + + diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S FORWARD) +-- +2.40.0 + diff --git a/0141-iptables-Fix-handling-of-non-existent-chains.patch b/0141-iptables-Fix-handling-of-non-existent-chains.patch new file mode 100644 index 0000000..ff1840c --- /dev/null +++ b/0141-iptables-Fix-handling-of-non-existent-chains.patch 
@@ -0,0 +1,53 @@ +From 66f7b6b160c53d142ebf5a0b4464ead198f2d7a7 Mon Sep 17 00:00:00 2001 +From: Jacek Tomasiak +Date: Mon, 19 Jun 2023 13:46:36 +0200 +Subject: [PATCH] iptables: Fix handling of non-existent chains + +Since 694612adf87 the "compatibility" check considers non-existent +chains as "incompatible". This broke some scripts which used calls +like `iptables -L CHAIN404` to test for chain existence and expect +"No chain/target/match by that name." in the output. + +This patch changes the logic of `nft_is_table_compatible()` to +report non-existent chains as "compatible" which restores the old +behavior. + +Fixes: 694612adf87 ("nft: Fix selective chain compatibility checks") +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1648 +Signed-off-by: Jacek Tomasiak +Signed-off-by: Jacek Tomasiak +Signed-off-by: Phil Sutter +(cherry picked from commit 82ccfb488eeac5507471099b9b4e6d136cc06e3b) +--- + iptables/nft.c | 2 +- + iptables/tests/shell/testcases/iptables/0004-return-codes_0 | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index 9a56b1fbffcbc..7349904896228 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -3594,7 +3594,7 @@ bool nft_is_table_compatible(struct nft_handle *h, + if (chain) { + struct nftnl_chain *c = nft_chain_find(h, table, chain); + +- return c && !nft_is_chain_compatible(c, h); ++ return !c || !nft_is_chain_compatible(c, h); + } + + clist = nft_chain_list_get(h, table, chain); +diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 +index dcd9dfd3c0806..10e8c1f284080 100755 +--- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 ++++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 +@@ -58,6 +58,7 @@ cmd 1 "$ENOENT" -Z bar + cmd 0 -E foo bar + cmd 1 "$EEXIST_F" -E foo bar + cmd 1 "$ENOENT" -E foo bar2 ++cmd 1 "$ENOENT" -L foo + cmd 0 -N foo2 + cmd 1 "$EEXIST_F" -E foo2 bar 
+ +-- +2.40.0 + diff --git a/0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch b/0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch new file mode 100644 index 0000000..0118964 --- /dev/null +++ b/0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch 
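Review bot: The new condition `return !c || !nft_is_chain_compatible(c, h);` makes a missing chain count as compatible without saying why, and the reason lives only in the commit message; a one-line comment above it, e.g. `/* a missing chain is "compatible": let the caller report ENOENT */`, would save the next reader a bisect. Note that nft_is_table_compatible() now answers true for a chain name that does not exist, so callers that use it to choose the nft code path will proceed and presumably rely on the later chain lookup to raise the error; the added `cmd 1 "$ENOENT" -L foo` in 0004-return-codes_0 is the test that pins exactly that behaviour. The remainder of nft_is_table_compatible() lies outside the hunk.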
@@ -0,0 +1,339 @@ +From 83ad886f653aa21e8c12903272ce8e7a863f56b3 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 11 Jul 2023 22:06:44 +0200 +Subject: [PATCH] nft-bridge: pass context structure to ops->add() to improve + anonymous set support + +Add context structure to improve bridge among support which creates an +anonymous set. This context structure specifies the command and it +allows to optionally store a anonymous set. + +Use this context to generate native bytecode only if this is an +add/insert/replace command. + +This fixes a dangling anonymous set that is created on rule removal. + +Fixes: 26753888720d ("nft: bridge: Rudimental among extension support") +Reported-and-tested-by: Igor Raits +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 4e95200ded923f0eb5579c33b91176193c59dbe0) + +Conflicts: + iptables/nft-arp.c + iptables/nft-bridge.c + iptables/nft-ipv4.c + iptables/nft-ipv6.c + iptables/nft-shared.h + iptables/nft.c + iptables/nft.h +-> Manually applied, too many conflicts. 
+--- + iptables/nft-arp.c | 3 ++- + iptables/nft-bridge.c | 9 +++++---- + iptables/nft-cmd.c | 6 +++++- + iptables/nft-ipv4.c | 5 +++-- + iptables/nft-ipv6.c | 5 +++-- + iptables/nft-shared.h | 4 +++- + iptables/nft.c | 42 +++++++++++++++++++++++++++++------------- + iptables/nft.h | 9 ++++++--- + 8 files changed, 56 insertions(+), 27 deletions(-) + +diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c +index fa1676e7fd878..2b6bda617e32c 100644 +--- a/iptables/nft-arp.c ++++ b/iptables/nft-arp.c +@@ -54,7 +54,8 @@ static bool need_devaddr(struct arpt_devaddr_info *info) + return false; + } + +-static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data) ++static int nft_arp_add(struct nft_handle *h, struct nft_rule_ctx *ctx, ++ struct nftnl_rule *r, void *data) + { + struct iptables_command_state *cs = data; + struct arpt_entry *fw = &cs->arp; +diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c +index 48bcda61cfb9c..11422a187097c 100644 +--- a/iptables/nft-bridge.c ++++ b/iptables/nft-bridge.c +@@ -131,17 +131,18 @@ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs) + + static int + nft_bridge_add_match(struct nft_handle *h, const struct ebt_entry *fw, +- struct nftnl_rule *r, struct xt_entry_match *m) ++ struct nft_rule_ctx *ctx, struct nftnl_rule *r, ++ struct xt_entry_match *m) + { + if (!strcmp(m->u.user.name, "802_3") && + !(fw->bitmask & EBT_802_3)) + xtables_error(PARAMETER_PROBLEM, + "For 802.3 DSAP/SSAP filtering the protocol must be LENGTH"); + +- return add_match(h, r, m); ++ return add_match(h, ctx, r, m); + } + +-static int nft_bridge_add(struct nft_handle *h, ++static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx, + struct nftnl_rule *r, void *data) + { + struct iptables_command_state *cs = data; +@@ -202,7 +203,7 @@ static int nft_bridge_add(struct nft_handle *h, + + for (iter = cs->match_list; iter; iter = iter->next) { + if (iter->ismatch) { +- if (nft_bridge_add_match(h, 
fw, r, iter->u.match->m)) ++ if (nft_bridge_add_match(h, fw, ctx, r, iter->u.match->m)) + break; + } else { + if (add_target(r, iter->u.watcher->t)) +diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c +index fd038503d87e1..9d1c082ef62d0 100644 +--- a/iptables/nft-cmd.c ++++ b/iptables/nft-cmd.c +@@ -13,12 +13,16 @@ + #include + #include "nft.h" + #include "nft-cmd.h" ++#include + + struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command, + const char *table, const char *chain, + struct iptables_command_state *state, + int rulenum, bool verbose) + { ++ struct nft_rule_ctx ctx = { ++ .command = command, ++ }; + struct nftnl_rule *rule; + struct nft_cmd *cmd; + +@@ -34,7 +38,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command, + cmd->verbose = verbose; + + if (state) { +- rule = nft_rule_new(h, chain, table, state); ++ rule = nft_rule_new(h, &ctx, chain, table, state); + if (!rule) { + nft_cmd_free(cmd); + return NULL; +diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c +index a70e9ece248fe..e06d086bbf82a 100644 +--- a/iptables/nft-ipv4.c ++++ b/iptables/nft-ipv4.c +@@ -26,7 +26,8 @@ + #include "nft.h" + #include "nft-shared.h" + +-static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data) ++static int nft_ipv4_add(struct nft_handle *h, struct nft_rule_ctx *ctx, ++ struct nftnl_rule *r, void *data) + { + struct iptables_command_state *cs = data; + struct xtables_rule_match *matchp; +@@ -79,7 +80,7 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data) + add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO); + + for (matchp = cs->matches; matchp; matchp = matchp->next) { +- ret = add_match(h, r, matchp->match->m); ++ ret = add_match(h, ctx, r, matchp->match->m); + if (ret < 0) + return ret; + } +diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c +index 69d9bc41314fc..7c8e8b82cf521 100644 +--- a/iptables/nft-ipv6.c ++++ b/iptables/nft-ipv6.c +@@ -25,7 +25,8 @@ + #include "nft.h" 
+ #include "nft-shared.h" + +-static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data) ++static int nft_ipv6_add(struct nft_handle *h, struct nft_rule_ctx *ctx, ++ struct nftnl_rule *r, void *data) + { + struct iptables_command_state *cs = data; + struct xtables_rule_match *matchp; +@@ -68,7 +69,7 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data) + add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO); + + for (matchp = cs->matches; matchp; matchp = matchp->next) { +- ret = add_match(h, r, matchp->match->m); ++ ret = add_match(h, ctx, r, matchp->match->m); + if (ret < 0) + return ret; + } +diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h +index e3c1b202b8638..c29ad12e9151a 100644 +--- a/iptables/nft-shared.h ++++ b/iptables/nft-shared.h +@@ -35,6 +35,7 @@ + | FMT_NUMERIC | FMT_NOTABLE) + #define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab)) + ++struct nft_rule_ctx; + struct xtables_args; + struct nft_handle; + struct xt_xlate; +@@ -74,7 +75,8 @@ struct nft_xt_ctx { + }; + + struct nft_family_ops { +- int (*add)(struct nft_handle *h, struct nftnl_rule *r, void *data); ++ int (*add)(struct nft_handle *h, struct nft_rule_ctx *ctx, ++ struct nftnl_rule *r, void *data); + bool (*is_same)(const void *data_a, + const void *data_b); + void (*print_payload)(struct nftnl_expr *e, +diff --git a/iptables/nft.c b/iptables/nft.c +index 7349904896228..936204a432621 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -1064,7 +1064,8 @@ gen_lookup(uint32_t sreg, const char *set_name, uint32_t set_id, uint32_t flags) + #define NFT_DATATYPE_ETHERADDR 9 + + static int __add_nft_among(struct nft_handle *h, const char *table, +- struct nftnl_rule *r, struct nft_among_pair *pairs, ++ struct nft_rule_ctx *ctx, struct nftnl_rule *r, ++ struct nft_among_pair *pairs, + int cnt, bool dst, bool inv, bool ip) + { + uint32_t set_id, type = NFT_DATATYPE_ETHERADDR, len = ETH_ALEN; +@@ -1142,7 +1143,7 
@@ static int __add_nft_among(struct nft_handle *h, const char *table, + return 0; + } + +-static int add_nft_among(struct nft_handle *h, ++static int add_nft_among(struct nft_handle *h, struct nft_rule_ctx *ctx, + struct nftnl_rule *r, struct xt_entry_match *m) + { + struct nft_among_data *data = (struct nft_among_data *)m->data; +@@ -1157,25 +1158,33 @@ static int add_nft_among(struct nft_handle *h, + } + + if (data->src.cnt) +- __add_nft_among(h, table, r, data->pairs, data->src.cnt, ++ __add_nft_among(h, table, ctx, r, data->pairs, data->src.cnt, + false, data->src.inv, data->src.ip); + if (data->dst.cnt) +- __add_nft_among(h, table, r, data->pairs + data->src.cnt, ++ __add_nft_among(h, table, ctx, r, data->pairs + data->src.cnt, + data->dst.cnt, true, data->dst.inv, + data->dst.ip); + return 0; + } + +-int add_match(struct nft_handle *h, ++int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, + struct nftnl_rule *r, struct xt_entry_match *m) + { + struct nftnl_expr *expr; + int ret; + +- if (!strcmp(m->u.user.name, "limit")) +- return add_nft_limit(r, m); +- else if (!strcmp(m->u.user.name, "among")) +- return add_nft_among(h, r, m); ++ switch (ctx->command) { ++ case NFT_COMPAT_RULE_APPEND: ++ case NFT_COMPAT_RULE_INSERT: ++ case NFT_COMPAT_RULE_REPLACE: ++ if (!strcmp(m->u.user.name, "limit")) ++ return add_nft_limit(r, m); ++ else if (!strcmp(m->u.user.name, "among")) ++ return add_nft_among(h, ctx, r, m); ++ break; ++ default: ++ break; ++ } + + expr = nftnl_expr_alloc("match"); + if (expr == NULL) +@@ -1378,7 +1387,8 @@ void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv) + } + + struct nftnl_rule * +-nft_rule_new(struct nft_handle *h, const char *chain, const char *table, ++nft_rule_new(struct nft_handle *h, struct nft_rule_ctx *ctx, ++ const char *chain, const char *table, + void *data) + { + struct nftnl_rule *r; +@@ -1391,7 +1401,7 @@ nft_rule_new(struct nft_handle *h, const char *chain, const char *table, + nftnl_rule_set_str(r, 
NFTNL_RULE_TABLE, table); + nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain); + +- if (h->ops->add(h, r, data) < 0) ++ if (h->ops->add(h, ctx, r, data) < 0) + goto err; + + return r; +@@ -2599,6 +2609,9 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain, + { + struct iptables_command_state cs = {}; + struct nftnl_rule *r, *new_rule; ++ struct nft_rule_ctx ctx = { ++ .command = NFT_COMPAT_RULE_APPEND, ++ }; + struct nftnl_chain *c; + int ret = 0; + +@@ -2617,7 +2630,7 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain, + + h->ops->rule_to_cs(h, r, &cs); + cs.counters.pcnt = cs.counters.bcnt = 0; +- new_rule = nft_rule_new(h, chain, table, &cs); ++ new_rule = nft_rule_new(h, &ctx, chain, table, &cs); + h->ops->clear_cs(&cs); + + if (!new_rule) +@@ -2981,6 +2994,9 @@ static int ebt_add_policy_rule(struct nftnl_chain *c, void *data) + .eb.bitmask = EBT_NOPROTO, + }; + struct nftnl_udata_buf *udata; ++ struct nft_rule_ctx ctx = { ++ .command = NFT_COMPAT_RULE_APPEND, ++ }; + struct nft_handle *h = data; + struct nftnl_rule *r; + const char *pname; +@@ -3008,7 +3024,7 @@ static int ebt_add_policy_rule(struct nftnl_chain *c, void *data) + + command_jump(&cs, pname); + +- r = nft_rule_new(h, nftnl_chain_get_str(c, NFTNL_CHAIN_NAME), ++ r = nft_rule_new(h, &ctx, nftnl_chain_get_str(c, NFTNL_CHAIN_NAME), + nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE), &cs); + ebt_cs_clean(&cs); + +diff --git a/iptables/nft.h b/iptables/nft.h +index bd783231156b7..7baceaa44f698 100644 +--- a/iptables/nft.h ++++ b/iptables/nft.h +@@ -165,9 +165,11 @@ struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h, + /* + * Operations with rule-set. 
+ */ +-struct nftnl_rule; ++struct nft_rule_ctx { ++ int command; ++}; + +-struct nftnl_rule *nft_rule_new(struct nft_handle *h, const char *chain, const char *table, void *data); ++struct nftnl_rule *nft_rule_new(struct nft_handle *h, struct nft_rule_ctx *rule, const char *chain, const char *table, void *data); + int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, struct nftnl_rule *ref, bool verbose); + int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose); + int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose); +@@ -185,7 +187,8 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char * + */ + int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes); + int add_verdict(struct nftnl_rule *r, int verdict); +-int add_match(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m); ++int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, ++ struct nftnl_rule *r, struct xt_entry_match *m); + int add_target(struct nftnl_rule *r, struct xt_entry_target *t); + int add_jumpto(struct nftnl_rule *r, const char *name, int verdict); + int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set); +-- +2.40.0 + diff --git a/0143-nft-Special-casing-for-among-match-in-compare_matche.patch b/0143-nft-Special-casing-for-among-match-in-compare_matche.patch new file mode 100644 index 0000000..7f5f353 --- /dev/null +++ b/0143-nft-Special-casing-for-among-match-in-compare_matche.patch 
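Review bot: In nft.h the new `nft_rule_new()` prototype names the context parameter `rule` (`struct nft_rule_ctx *rule`) while the definition in nft.c and every other new prototype call it `ctx`; renaming it to `struct nft_rule_ctx *ctx` keeps the header consistent with the code. `add_match()` now dereferences `ctx->command` unconditionally; every caller in this patch passes a stack-allocated context, but ops->add() is a function pointer and a caller passing NULL would crash, so either document that ctx must be non-NULL on the prototype or fall through to the generic match expression when it is. The same header hunk replaces the `struct nftnl_rule;` forward declaration with the new struct definition; presumably a libnftnl header declares nftnl_rule earlier in nft.h, but that is worth confirming since the prototypes still use the type. A short comment on the `.command = NFT_COMPAT_RULE_APPEND` contexts in nft_rule_zero_counters() and ebt_add_policy_rule() would explain that APPEND is chosen so the native limit/among expressions are generated for the rebuilt rule.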
@@ -0,0 +1,46 @@
+From 1dcbf8ed6849543fcaffb8af0d50e08e27232ce2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 21 Jul 2023 13:14:36 +0200
+Subject: [PATCH] nft: Special casing for among match in compare_matches()
+
+When other extensions may have "garbage" appended to their data which
+should not be considered for match comparison, among match is the
+opposite in that it extends its data beyond the value in 'size' field.
+Add special casing to cover for this, avoiding false-positive rule
+comparison.
+
+Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
+Signed-off-by: Phil Sutter
+(cherry picked from commit 10583537004f7ecd4aa11f6c12b7ba73fb77fc11)
+---
+ iptables/nft-shared.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index ed093c07d7617..0b5745f7e82f4 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -911,6 +911,7 @@ bool compare_matches(struct xtables_rule_match *mt1,
+ for (mp1 = mt1, mp2 = mt2; mp1 && mp2; mp1 = mp1->next, mp2 = mp2->next) {
+ struct xt_entry_match *m1 = mp1->match->m;
+ struct xt_entry_match *m2 = mp2->match->m;
++ size_t cmplen = mp1->match->userspacesize;
+
+ if (strcmp(m1->u.user.name, m2->u.user.name) != 0) {
+ DEBUGP("mismatching match name\n");
+@@ -922,8 +923,10 @@ bool compare_matches(struct xtables_rule_match *mt1,
+ return false;
+ }
+
+- if (memcmp(m1->data, m2->data,
+- mp1->match->userspacesize) != 0) {
++ if (!strcmp(m1->u.user.name, "among"))
++ cmplen = m1->u.match_size - sizeof(*m1);
++
++ if (memcmp(m1->data, m2->data, cmplen) != 0) {
+ DEBUGP("mismatch match data\n");
+ return false;
+ }
+--
+2.40.0
+
diff --git a/0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch b/0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch
new file mode 100644
index 0000000..8ca59c4
--- /dev/null
+++ b/0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch
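Review bot: `cmplen = m1->u.match_size - sizeof(*m1);` takes the comparison length from m1 alone, so the following memcmp() would read past m2->data whenever the two among matches carry a different number of pairs; this is only safe if the size check that precedes the hunk (between lines 913 and 921, not visible here) already rejects matches whose `u.match_size` differ, which should be confirmed or made explicit with `if (m1->u.match_size != m2->u.match_size) return false;` ahead of the memcmp. The reason for the special case lives only in the commit message; a comment such as `/* among stores its pairs beyond userspacesize: compare the whole payload */` above the strcmp would make the intent visible in the code. compare_matches() starts before and continues after the hunk.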
@@ -0,0 +1,67 @@ +From 4cde53b041a39a0fe9a1c2701b00216f34510f7b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Sat, 15 Jul 2023 01:35:39 +0200 +Subject: [PATCH] nft: Do not pass nft_rule_ctx to add_nft_among() + +It is not used, must be a left-over from an earlier version of the fixed +commit. + +Fixes: 4e95200ded923 ("nft-bridge: pass context structure to ops->add() to improve anonymous set support") +Signed-off-by: Phil Sutter +(cherry picked from commit bd71c11a95ab2b44794843fd8a3698039a7db211) + +Conflicts: + iptables/nft.c +-> Context conflict due to missing other native expression conversions. +--- + iptables/nft.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/iptables/nft.c b/iptables/nft.c +index 936204a432621..c3b819f1934a8 100644 +--- a/iptables/nft.c ++++ b/iptables/nft.c +@@ -1064,8 +1064,7 @@ gen_lookup(uint32_t sreg, const char *set_name, uint32_t set_id, uint32_t flags) + #define NFT_DATATYPE_ETHERADDR 9 + + static int __add_nft_among(struct nft_handle *h, const char *table, +- struct nft_rule_ctx *ctx, struct nftnl_rule *r, +- struct nft_among_pair *pairs, ++ struct nftnl_rule *r, struct nft_among_pair *pairs, + int cnt, bool dst, bool inv, bool ip) + { + uint32_t set_id, type = NFT_DATATYPE_ETHERADDR, len = ETH_ALEN; +@@ -1143,7 +1142,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table, + return 0; + } + +-static int add_nft_among(struct nft_handle *h, struct nft_rule_ctx *ctx, ++static int add_nft_among(struct nft_handle *h, + struct nftnl_rule *r, struct xt_entry_match *m) + { + struct nft_among_data *data = (struct nft_among_data *)m->data; +@@ -1158,10 +1157,10 @@ static int add_nft_among(struct nft_handle *h, struct nft_rule_ctx *ctx, + } + + if (data->src.cnt) +- __add_nft_among(h, table, ctx, r, data->pairs, data->src.cnt, ++ __add_nft_among(h, table, r, data->pairs, data->src.cnt, + false, data->src.inv, data->src.ip); + if (data->dst.cnt) +- __add_nft_among(h, table, ctx, r, 
 data->pairs + data->src.cnt,
++ __add_nft_among(h, table, r, data->pairs + data->src.cnt,
+ data->dst.cnt, true, data->dst.inv,
+ data->dst.ip);
+ return 0;
+@@ -1180,7 +1179,7 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
+ if (!strcmp(m->u.user.name, "limit"))
+ return add_nft_limit(r, m);
+ else if (!strcmp(m->u.user.name, "among"))
+- return add_nft_among(h, ctx, r, m);
++ return add_nft_among(h, r, m);
+ break;
+ default:
+ break;
+--
+2.40.0
+
diff --git a/iptables.spec b/iptables.spec
index 8a891d1..8404004 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -10,7 +10,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.5
-Release: 7%{?dist}
+Release: 8%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -163,6 +163,11 @@ Patch136: 0136-tests-iptables-test-Fix-conditional-colors-on-stderr.patch
 Patch137: 0137-tests-shell-update-format-of-registers-in-bitwise-pa.patch
 Patch138: 0138-tests-shell-Fix-nft-only-0009-needless-bitwise_0.patch
 Patch139: 0139-tests-shell-Sanitize-nft-only-0009-needless-bitwise_.patch
+Patch140: 0140-iptables-Fix-setting-of-ipv6-counters.patch
+Patch141: 0141-iptables-Fix-handling-of-non-existent-chains.patch
+Patch142: 0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch
+Patch143: 0143-nft-Special-casing-for-among-match-in-compare_matche.patch
+Patch144: 0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -535,6 +540,9 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 %changelog
+* Fri Jul 28 2023 Phil Sutter - 1.8.5-8 - Update fixes from upstream once more
+
 * Wed Jul 19 2023 Phil Sutter - 1.8.5-7
 - Fix shell test-case for older gawk version