rpms/iptables
7
0
Fork 0
Code Issues Pull Requests Releases Activity

iptables-1.8.10-1

Browse Source 
- New version 1.8.10
- Drop compat sub-package

Resolves: rhbz#2243041
This commit is contained in:
Phil Sutter 2023-10-10 17:33:55 +02:00
parent dc297257aa
commit 97407d1230
20 changed files with 9 additions and 1392 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -13,3 +13,4 @@
/iptables-1.8.7.tar.bz2
/iptables-1.8.8.tar.bz2
/iptables-1.8.9.tar.xz
/iptables-1.8.10.tar.xz

30
0001-extensions-NAT-Fix-for-Werror-format-security.patch
View File

@ -1,30 +0,0 @@
From ff8eacec604537d98eb912281fa0c5c6a83da717 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 12 Jan 2023 14:38:44 +0100
Subject: [PATCH] extensions: NAT: Fix for -Werror=format-security
Have to pass either a string literal or format string to xt_xlate_add().
Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ed4082a7405a5838c205a34c1559e289949200cc)
---
extensions/libxt_NAT.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
index da9f22012c5d6..2a6343986d54f 100644
--- a/extensions/libxt_NAT.c
+++ b/extensions/libxt_NAT.c
@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
return 0;
- xt_xlate_add(xl, tgt);
+ xt_xlate_add(xl, "%s", tgt);
if (strlen(range_str))
xt_xlate_add(xl, " to %s", range_str);
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
--
2.40.0

132
0002-etc-Drop-xtables.conf.patch
View File

@ -1,132 +0,0 @@
From 55f3f1743934efa33df1ecbe11b31362fc45b03c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 17 Jan 2023 16:38:43 +0100
Subject: [PATCH] etc: Drop xtables.conf
The file is not used since the commit this one fixes. Also it wasn't
installed until recently, when commit 3822a992bc277 ("Makefile: Fix for
'make distcheck'") added it in the wrong spot in an attempt to reduce
differences between tarballs generated by 'make tarball' and 'make
dist'.
While being at it, drop stale xtables_config_main() prototype from
xtables-multi.h.
Fixes: 06fd5e46d46f7 ("xtables: Drop support for /etc/xtables.conf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ca8fb6c21b298b3d96db2bfbf9c74d393bdd4728)
---
Makefile.am | 2 +-
etc/xtables.conf | 74 ----------------------------------------
iptables/xtables-multi.h | 1 -
3 files changed, 1 insertion(+), 76 deletions(-)
delete mode 100644 etc/xtables.conf
diff --git a/Makefile.am b/Makefile.am
index 451c3cb2d5887..299ab46d7b8e2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -20,7 +20,7 @@ EXTRA_DIST = autogen.sh iptables-test.py xlate-test.py
if ENABLE_NFTABLES
confdir = $(sysconfdir)
-dist_conf_DATA = etc/ethertypes etc/xtables.conf
+dist_conf_DATA = etc/ethertypes
endif
.PHONY: tarball
diff --git a/etc/xtables.conf b/etc/xtables.conf
deleted file mode 100644
index 3c54ced043d82..0000000000000
--- a/etc/xtables.conf
+++ /dev/null
@@ -1,74 +0,0 @@
-family ipv4 {
- table raw {
- chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
- chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
- }
-
- table mangle {
- chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
- chain INPUT hook NF_INET_LOCAL_IN prio -150
- chain FORWARD hook NF_INET_FORWARD prio -150
- chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
- chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
- }
-
- table filter {
- chain INPUT hook NF_INET_LOCAL_IN prio 0
- chain FORWARD hook NF_INET_FORWARD prio 0
- chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
- }
-
- table nat {
- chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
- chain INPUT hook NF_INET_LOCAL_IN prio 100
- chain OUTPUT hook NF_INET_LOCAL_OUT prio -100
- chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
- }
-
- table security {
- chain INPUT hook NF_INET_LOCAL_IN prio 50
- chain FORWARD hook NF_INET_FORWARD prio 50
- chain OUTPUT hook NF_INET_LOCAL_OUT prio 50
- }
-}
-
-family ipv6 {
- table raw {
- chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
- chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
- }
-
- table mangle {
- chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
- chain INPUT hook NF_INET_LOCAL_IN prio -150
- chain FORWARD hook NF_INET_FORWARD prio -150
- chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
- chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
- }
-
- table filter {
- chain INPUT hook NF_INET_LOCAL_IN prio 0
- chain FORWARD hook NF_INET_FORWARD prio 0
- chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
- }
-
- table nat {
- chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
- chain INPUT hook NF_INET_LOCAL_IN prio 100
- chain OUTPUT hook NF_INET_LOCAL_OUT prio -100
- chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
- }
-
- table security {
- chain INPUT hook NF_INET_LOCAL_IN prio 50
- chain FORWARD hook NF_INET_FORWARD prio 50
- chain OUTPUT hook NF_INET_LOCAL_OUT prio 50
- }
-}
-
-family arp {
- table filter {
- chain INPUT hook NF_ARP_IN prio 0
- chain OUTPUT hook NF_ARP_OUT prio 0
- }
-}
diff --git a/iptables/xtables-multi.h b/iptables/xtables-multi.h
index 94c24d5a22c7e..833c11a2ac914 100644
--- a/iptables/xtables-multi.h
+++ b/iptables/xtables-multi.h
@@ -20,7 +20,6 @@ extern int xtables_arp_save_main(int, char **);
extern int xtables_eb_main(int, char **);
extern int xtables_eb_restore_main(int, char **);
extern int xtables_eb_save_main(int, char **);
-extern int xtables_config_main(int, char **);
extern int xtables_monitor_main(int, char **);
extern struct xtables_globals arptables_globals;
--
2.40.0

148
0003-Proper-fix-for-unknown-argument-error-message.patch
View File

@ -1,148 +0,0 @@
From 01c76718d85985625ef53fb6b554bd44742ae6ef Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 25 Jan 2023 01:51:43 +0100
Subject: [PATCH] Proper fix for "unknown argument" error message
While commit 1b8210f848631 kind of fixed the corner-case of invalid
short-options packed with others, it broke error reporting for
long-options. Revert it and deploy a proper solution:
When passing an invalid short-option, e.g. 'iptables -vaL', getopt_long
sets the variable 'optopt' to the invalid character's value. Use it for
reporting instead of optind if set.
To distinguish between invalid options and missing option arguments,
ebtables-translate optstring needs adjustment.
Fixes: 1b8210f848631 ("ebtables: Fix error message for invalid parameters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit d6eb6a9fd3878ce4fa01f8d4127f1735988bd07b)
---
.../testcases/iptables/0009-unknown-arg_0 | 31 +++++++++++++++++++
iptables/xshared.c | 9 ++++--
iptables/xtables-eb-translate.c | 8 ++---
iptables/xtables-eb.c | 17 ++++++----
4 files changed, 50 insertions(+), 15 deletions(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
diff --git a/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
new file mode 100755
index 0000000000000..ac6e743966196
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+rc=0
+
+check() {
+ local cmd="$1"
+ local msg="$2"
+
+ $XT_MULTI $cmd 2>&1 | grep -q "$msg" || {
+ echo "cmd: $XT_MULTI $1"
+ echo "exp: $msg"
+ echo "res: $($XT_MULTI $cmd 2>&1)"
+ rc=1
+ }
+}
+
+cmds="iptables ip6tables"
+[[ $XT_MULTI == *xtables-nft-multi ]] && {
+ cmds+=" ebtables"
+ cmds+=" iptables-translate"
+ cmds+=" ip6tables-translate"
+ cmds+=" ebtables-translate"
+}
+
+for cmd in $cmds; do
+ check "${cmd} --foo" 'unknown option "--foo"'
+ check "${cmd} -A" 'option "-A" requires an argument'
+ check "${cmd} -aL" 'unknown option "-a"'
+done
+
+exit $rc
diff --git a/iptables/xshared.c b/iptables/xshared.c
index f93529b11a319..ac51fac5ce9ed 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -192,9 +192,12 @@ static int command_default(struct iptables_command_state *cs,
if (cs->c == ':')
xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
"requires an argument", cs->argv[optind-1]);
- if (cs->c == '?')
- xtables_error(PARAMETER_PROBLEM, "unknown option "
- "\"%s\"", cs->argv[optind-1]);
+ if (cs->c == '?') {
+ char optoptstr[3] = {'-', optopt, '\0'};
+
+ xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"",
+ optopt ? optoptstr : cs->argv[optind - 1]);
+ }
xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
}
diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 13b6b864a5f24..0c35272051752 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -201,7 +201,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
printf("nft ");
/* Getopt saves the day */
while ((c = getopt_long(argc, argv,
- "-A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
+ "-:A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
cs.c = c;
switch (c) {
case 'A': /* Add a rule */
@@ -491,11 +491,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
continue;
default:
ebt_check_inverse2(optarg, argc, argv);
-
- if (ebt_command_default(&cs))
- xtables_error(PARAMETER_PROBLEM,
- "Unknown argument: '%s'",
- argv[optind - 1]);
+ ebt_command_default(&cs);
if (command != 'A' && command != 'I' &&
command != 'D')
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 7214a767ffe96..412b5cccdc46a 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -640,7 +640,16 @@ int ebt_command_default(struct iptables_command_state *cs)
return 0;
}
}
- return 1;
+ if (cs->c == ':')
+ xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+ "requires an argument", cs->argv[optind - 1]);
+ if (cs->c == '?') {
+ char optoptstr[3] = {'-', optopt, '\0'};
+
+ xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"",
+ optopt ? optoptstr : cs->argv[optind - 1]);
+ }
+ xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
}
int nft_init_eb(struct nft_handle *h, const char *pname)
@@ -1084,11 +1093,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
continue;
default:
ebt_check_inverse2(optarg, argc, argv);
-
- if (ebt_command_default(&cs))
- xtables_error(PARAMETER_PROBLEM,
- "Unknown argument: '%s'",
- argv[optind]);
+ ebt_command_default(&cs);
if (command != 'A' && command != 'I' &&
command != 'D' && command != 'C' && command != 14)
--
2.40.0

232
0004-ebtables-Refuse-unselected-targets-options.patch
View File

@ -1,232 +0,0 @@
From a53dfa149429c49789947e61c325f9a11e9a83d3 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 25 Jan 2023 02:01:56 +0100
Subject: [PATCH] ebtables: Refuse unselected targets' options
Unlike legacy, ebtables-nft would allow e.g.:
| -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be
While the result is correct, it may mislead users into believing
multiple targets are possible per rule. Better follow legacy's behaviour
and reject target options unless they have been "enabled" by a previous
'-j' option.
To achieve this, one needs to distinguish targets from watchers also
attached to 'xtables_targets' and otherwise behaving like regular
matches. Introduce XTABLES_EXT_WATCHER to mark the two.
The above works already, but error messages are misleading when using
the now unsupported syntax since target options have been merged
already. Solve this by not pre-loading the targets at all, code will
just fall back to loading ad '-j' parsing time as iptables does.
Note how this also fixes for 'counter' statement being in wrong position
of ebtables-translate output.
Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 27d37863a486352511dac385bde8f3d20526be5b)
---
extensions/libebt_dnat.txlate | 12 ++++----
extensions/libebt_log.c | 1 +
extensions/libebt_mark.txlate | 16 +++++-----
extensions/libebt_nflog.c | 1 +
extensions/libebt_snat.txlate | 8 ++---
include/xtables.h | 1 +
.../ebtables/0002-ebtables-save-restore_0 | 4 +--
iptables/xtables-eb.c | 29 +++++++------------
8 files changed, 33 insertions(+), 39 deletions(-)
diff --git a/extensions/libebt_dnat.txlate b/extensions/libebt_dnat.txlate
index 9f305c76c954f..531a22aa3e14f 100644
--- a/extensions/libebt_dnat.txlate
+++ b/extensions/libebt_dnat.txlate
@@ -1,8 +1,8 @@
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept'
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept'
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff continue'
diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c
index 045062196d20d..9f8d158956802 100644
--- a/extensions/libebt_log.c
+++ b/extensions/libebt_log.c
@@ -197,6 +197,7 @@ static int brlog_xlate(struct xt_xlate *xl,
static struct xtables_target brlog_target = {
.name = "log",
.revision = 0,
+ .ext_flags = XTABLES_EXT_WATCHER,
.version = XTABLES_VERSION,
.family = NFPROTO_BRIDGE,
.size = XT_ALIGN(sizeof(struct ebt_log_info)),
diff --git a/extensions/libebt_mark.txlate b/extensions/libebt_mark.txlate
index d006e8ac94008..4ace1a1f5cfde 100644
--- a/extensions/libebt_mark.txlate
+++ b/extensions/libebt_mark.txlate
@@ -1,11 +1,11 @@
-ebtables-translate -A INPUT --mark-set 42
-nft 'add rule bridge filter INPUT meta mark set 0x2a accept counter'
+ebtables-translate -A INPUT -j mark --mark-set 42
+nft 'add rule bridge filter INPUT counter meta mark set 0x2a accept'
-ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN
-nft 'add rule bridge filter INPUT meta mark set meta mark or 0x2a return counter'
+ebtables-translate -A INPUT -j mark --mark-or 42 --mark-target RETURN
+nft 'add rule bridge filter INPUT counter meta mark set meta mark or 0x2a return'
-ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT
-nft 'add rule bridge filter INPUT meta mark set meta mark and 0x2a accept counter'
+ebtables-translate -A INPUT -j mark --mark-and 42 --mark-target ACCEPT
+nft 'add rule bridge filter INPUT counter meta mark set meta mark and 0x2a accept'
-ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP
-nft 'add rule bridge filter INPUT meta mark set meta mark xor 0x2a drop counter'
+ebtables-translate -A INPUT -j mark --mark-xor 42 --mark-target DROP
+nft 'add rule bridge filter INPUT counter meta mark set meta mark xor 0x2a drop'
diff --git a/extensions/libebt_nflog.c b/extensions/libebt_nflog.c
index 115e15da45845..762d6d5d8bbe2 100644
--- a/extensions/libebt_nflog.c
+++ b/extensions/libebt_nflog.c
@@ -146,6 +146,7 @@ static int brnflog_xlate(struct xt_xlate *xl,
static struct xtables_target brnflog_watcher = {
.name = "nflog",
.revision = 0,
+ .ext_flags = XTABLES_EXT_WATCHER,
.version = XTABLES_VERSION,
.family = NFPROTO_BRIDGE,
.size = XT_ALIGN(sizeof(struct ebt_nflog_info)),
diff --git a/extensions/libebt_snat.txlate b/extensions/libebt_snat.txlate
index 857a6052aed1a..37343d3a14754 100644
--- a/extensions/libebt_snat.txlate
+++ b/extensions/libebt_snat.txlate
@@ -1,5 +1,5 @@
-ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ --to-source de:ad:00:be:ee:ff
-nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 ether saddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ -j snat --to-source de:ad:00:be:ee:ff
+nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 counter ether saddr set de:ad:0:be:ee:ff accept'
-ebtables-translate -t nat -A POSTROUTING -o someport --to-src de:ad:00:be:ee:ff --snat-target CONTINUE
-nft 'add rule bridge nat POSTROUTING oifname "someport" ether saddr set de:ad:0:be:ee:ff continue counter'
+ebtables-translate -t nat -A POSTROUTING -o someport -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE
+nft 'add rule bridge nat POSTROUTING oifname "someport" counter ether saddr set de:ad:0:be:ee:ff continue'
diff --git a/include/xtables.h b/include/xtables.h
index 4ffc8ec5a17e9..087a1d600f9ae 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -203,6 +203,7 @@ struct xtables_lmap {
enum xtables_ext_flags {
XTABLES_EXT_ALIAS = 1 << 0,
+ XTABLES_EXT_WATCHER = 1 << 1,
};
struct xt_xlate;
diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
index 1091a4e80bebe..b4f9728bb9b6f 100755
--- a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
+++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
@@ -38,7 +38,7 @@ $XT_MULTI ebtables -A foo -p IPv6 --ip6-proto tcp -j ACCEPT
$XT_MULTI ebtables -A foo --limit 100 --limit-burst 42 -j ACCEPT
$XT_MULTI ebtables -A foo --log
-$XT_MULTI ebtables -A foo --mark-set 0x23 --mark-target ACCEPT
+$XT_MULTI ebtables -A foo -j mark --mark-set 0x23 --mark-target ACCEPT
$XT_MULTI ebtables -A foo --nflog
$XT_MULTI ebtables -A foo --pkttype-type multicast -j ACCEPT
$XT_MULTI ebtables -A foo --stp-type config -j ACCEPT
@@ -53,7 +53,7 @@ $XT_MULTI ebtables -A FORWARD -j foo
$XT_MULTI ebtables -N bar
$XT_MULTI ebtables -P bar RETURN
-$XT_MULTI ebtables -t nat -A PREROUTING --redirect-target ACCEPT
+$XT_MULTI ebtables -t nat -A PREROUTING -j redirect --redirect-target ACCEPT
#$XT_MULTI ebtables -t nat -A PREROUTING --to-src fe:ed:ba:be:00:01
$XT_MULTI ebtables -t nat -A OUTPUT -j ACCEPT
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 412b5cccdc46a..3a73e79725489 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -468,14 +468,14 @@ static void ebt_load_match(const char *name)
xtables_error(OTHER_PROBLEM, "Can't alloc memory");
}
-static void __ebt_load_watcher(const char *name, const char *typename)
+static void ebt_load_watcher(const char *name)
{
struct xtables_target *watcher;
size_t size;
watcher = xtables_find_target(name, XTF_TRY_LOAD);
if (!watcher) {
- fprintf(stderr, "Unable to load %s %s\n", name, typename);
+ fprintf(stderr, "Unable to load %s watcher\n", name);
return;
}
@@ -496,16 +496,6 @@ static void __ebt_load_watcher(const char *name, const char *typename)
xtables_error(OTHER_PROBLEM, "Can't alloc memory");
}
-static void ebt_load_watcher(const char *name)
-{
- return __ebt_load_watcher(name, "watcher");
-}
-
-static void ebt_load_target(const char *name)
-{
- return __ebt_load_watcher(name, "target");
-}
-
void ebt_load_match_extensions(void)
{
opts = ebt_original_options;
@@ -522,13 +512,6 @@ void ebt_load_match_extensions(void)
ebt_load_watcher("log");
ebt_load_watcher("nflog");
-
- ebt_load_target("mark");
- ebt_load_target("dnat");
- ebt_load_target("snat");
- ebt_load_target("arpreply");
- ebt_load_target("redirect");
- ebt_load_target("standard");
}
void ebt_add_match(struct xtables_match *m,
@@ -633,6 +616,9 @@ int ebt_command_default(struct iptables_command_state *cs)
/* Is it a watcher option? */
for (t = xtables_targets; t; t = t->next) {
+ if (!(t->ext_flags & XTABLES_EXT_WATCHER))
+ continue;
+
if (t->parse &&
t->parse(cs->c - t->option_offset, cs->argv,
ebt_invert, &t->tflags, NULL, &t->t)) {
@@ -726,6 +712,11 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
optind = 0;
opterr = false;
+ for (t = xtables_targets; t; t = t->next) {
+ t->tflags = 0;
+ t->used = 0;
+ }
+
/* Getopt saves the day */
while ((c = getopt_long(argc, argv, EBT_OPTSTRING,
opts, NULL)) != -1) {
--
2.40.0

31
0005-tests-xlate-Properly-split-input-in-replay-mode.patch
View File

@ -1,31 +0,0 @@
From bb7f92a40360b49535dd3675f47cf989755a4978 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 3 Feb 2023 18:48:33 +0100
Subject: [PATCH] tests: xlate: Properly split input in replay mode
Source command may contain quotes, using shlex.split() does the right
thing there.
Fixes: 7705b2daa3bdc ("tests: xlate: Use --check to verify replay")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 914350a4586d2817ca7c4919c53142562f27bdaf)
---
xlate-test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xlate-test.py b/xlate-test.py
index 4cb1401b71677..217d2f0062682 100755
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -64,7 +64,7 @@ xtables_nft_multi = 'xtables-nft-multi'
if sourceline.find(';') >= 0:
sourceline, searchline = sourceline.split(';')
- srcwords = sourceline.split()
+ srcwords = shlex.split(sourceline)
srccmd = srcwords[0]
ipt = srccmd.split('-')[0]
--
2.40.0

48
0006-extensions-libebt_redirect-Fix-target-translation.patch
View File

@ -1,48 +0,0 @@
From 75d208e729b3256fdbbf31709215d30064389d47 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 31 Jan 2023 22:28:24 +0100
Subject: [PATCH] extensions: libebt_redirect: Fix target translation
While EBT_ACCEPT is the default verdict for ebtables targets, omitting
it from translation implicitly converts it into 'continue'. Omit the
non-default EBT_CONTINUE instead.
Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit bb6b243c481f90f7dc4a0bd89187ee2bb823f1f6)
---
extensions/libebt_redirect.c | 2 +-
extensions/libebt_redirect.txlate | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
create mode 100644 extensions/libebt_redirect.txlate
diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
index 4d4c7a02cea89..389f3ccb53f60 100644
--- a/extensions/libebt_redirect.c
+++ b/extensions/libebt_redirect.c
@@ -84,7 +84,7 @@ static int brredir_xlate(struct xt_xlate *xl,
const struct ebt_redirect_info *red = (const void*)params->target->data;
xt_xlate_add(xl, "meta set pkttype host");
- if (red->target != EBT_ACCEPT)
+ if (red->target != EBT_CONTINUE)
xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
return 1;
}
diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate
new file mode 100644
index 0000000000000..f0dd5deaf6406
--- /dev/null
+++ b/extensions/libebt_redirect.txlate
@@ -0,0 +1,8 @@
+ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host accept'
+
+ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN
+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host return'
+
+ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE
+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host'
--
2.40.0

48
0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch
View File

@ -1,48 +0,0 @@
From 345fb0551048b4b3c9f3f0a136c952a4ae5bf262 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 31 Jan 2023 23:32:50 +0100
Subject: [PATCH] extensions: libebt_redirect: Fix for wrong syntax in
translation
Meta key comes before 'set' in meta statement.
Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 6d1263002c2a9fc6dfa59c764dee767a084d428d)
---
extensions/libebt_redirect.c | 2 +-
extensions/libebt_redirect.txlate | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
index 389f3ccb53f60..7821935e137aa 100644
--- a/extensions/libebt_redirect.c
+++ b/extensions/libebt_redirect.c
@@ -83,7 +83,7 @@ static int brredir_xlate(struct xt_xlate *xl,
{
const struct ebt_redirect_info *red = (const void*)params->target->data;
- xt_xlate_add(xl, "meta set pkttype host");
+ xt_xlate_add(xl, "meta pkttype set host");
if (red->target != EBT_CONTINUE)
xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
return 1;
diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate
index f0dd5deaf6406..d073ec774c4fa 100644
--- a/extensions/libebt_redirect.txlate
+++ b/extensions/libebt_redirect.txlate
@@ -1,8 +1,8 @@
ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host accept'
+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept'
ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host return'
+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return'
ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE
-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host'
+nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host'
--
2.40.0

50
0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch
View File

@ -1,50 +0,0 @@
From 6177d53b1b5748d64eba68b42b173427815e454f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 3 Feb 2023 18:58:36 +0100
Subject: [PATCH] extensions: libebt_ip: Do not use 'ip dscp' for translation
Converting from TOS field match to DSCP one is irreversible, so replay
testing is not possible. Use a raw payload expression to produce
something that translates 1:1 back into an 'ip' match.
Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 744c56bda974caaa274318d2825b3e43b55bf145)
---
extensions/libebt_ip.c | 4 ++--
extensions/libebt_ip.txlate | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
index fd87dae7e2c62..8b381aa10b5b7 100644
--- a/extensions/libebt_ip.c
+++ b/extensions/libebt_ip.c
@@ -442,10 +442,10 @@ static int brip_xlate(struct xt_xlate *xl,
brip_xlate_nh(xl, info, EBT_IP_DEST);
if (info->bitmask & EBT_IP_TOS) {
- xt_xlate_add(xl, "ip dscp ");
+ xt_xlate_add(xl, "@nh,8,8 ");
if (info->invflags & EBT_IP_TOS)
xt_xlate_add(xl, "!= ");
- xt_xlate_add(xl, "0x%02x ", info->tos & 0x3f); /* remove ECN bits */
+ xt_xlate_add(xl, "0x%02x ", info->tos);
}
if (info->bitmask & EBT_IP_PROTO) {
struct protoent *pe;
diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate
index 75c1db246fb81..562e3157d7b92 100644
--- a/extensions/libebt_ip.txlate
+++ b/extensions/libebt_ip.txlate
@@ -5,7 +5,7 @@ ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1
nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter'
ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff
-nft 'insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0x3f counter'
+nft 'insert rule bridge filter OUTPUT oifname "eth0" @nh,8,8 0xff counter'
ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22
nft 'add rule bridge filter FORWARD tcp dport 22 counter'
--
2.40.0

85
0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch
View File

@ -1,85 +0,0 @@
From 1429ad5300d85ae9e3f6114f609afb1ac6808c71 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 3 Feb 2023 17:37:40 +0100
Subject: [PATCH] extensions: libebt_ip: Translation has to match on ether type
On one hand, nft refuses th expression in bridge family if layer3
protocol has not been assured by a previous match. On the other, ebt_ip
kernel module will only match on IPv4 packets, so there might be a
functional change in the translation versus the original.
Instead of just always emitting an 'ether type' match, decide whether
it's actually needed - explicit "ip <something>" payload matches (or
icmp ones) cause implicit creation of a match on IPv4 by nft.
Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit b860e658200af8fdeced2896a1a6c2f0f0692b70)
---
extensions/libebt_ip.c | 21 +++++++++++++++++++++
extensions/libebt_ip.txlate | 6 +++---
2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
index 8b381aa10b5b7..68f34bff97deb 100644
--- a/extensions/libebt_ip.c
+++ b/extensions/libebt_ip.c
@@ -432,6 +432,24 @@ static void brip_xlate_nh(struct xt_xlate *xl,
xtables_ipmask_to_numeric(maskp));
}
+static bool may_skip_ether_type_dep(uint8_t flags)
+{
+ /* these convert to "ip (s|d)addr" matches */
+ if (flags & (EBT_IP_SOURCE | EBT_IP_DEST))
+ return true;
+
+ /* icmp match triggers implicit ether type dependency in nft */
+ if (flags & EBT_IP_ICMP)
+ return true;
+
+ /* allow if "ip protocol" match is created by brip_xlate() */
+ if (flags & EBT_IP_PROTO &&
+ !(flags & (EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP)))
+ return true;
+
+ return false;
+}
+
static int brip_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
@@ -441,6 +459,9 @@ static int brip_xlate(struct xt_xlate *xl,
brip_xlate_nh(xl, info, EBT_IP_SOURCE);
brip_xlate_nh(xl, info, EBT_IP_DEST);
+ if (!may_skip_ether_type_dep(info->bitmask))
+ xt_xlate_add(xl, "ether type ip ");
+
if (info->bitmask & EBT_IP_TOS) {
xt_xlate_add(xl, "@nh,8,8 ");
if (info->invflags & EBT_IP_TOS)
diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate
index 562e3157d7b92..28996832225cb 100644
--- a/extensions/libebt_ip.txlate
+++ b/extensions/libebt_ip.txlate
@@ -5,13 +5,13 @@ ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1
nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter'
ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff
-nft 'insert rule bridge filter OUTPUT oifname "eth0" @nh,8,8 0xff counter'
+nft 'insert rule bridge filter OUTPUT oifname "eth0" ether type ip @nh,8,8 0xff counter'
ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22
-nft 'add rule bridge filter FORWARD tcp dport 22 counter'
+nft 'add rule bridge filter FORWARD ether type ip tcp dport 22 counter'
ebtables-translate -A FORWARD -p ip --ip-proto udp --ip-sport 1024:65535
-nft 'add rule bridge filter FORWARD udp sport 1024-65535 counter'
+nft 'add rule bridge filter FORWARD ether type ip udp sport 1024-65535 counter'
ebtables-translate -A FORWARD -p ip --ip-proto 253
nft 'add rule bridge filter FORWARD ip protocol 253 counter'
--
2.40.0

36
0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch
View File

@ -1,36 +0,0 @@
From 94052918c2fd1508afa15a9a83965755d354d69b Mon Sep 17 00:00:00 2001
From: Xin Long <lucien.xin@gmail.com>
Date: Tue, 21 Feb 2023 12:19:42 -0500
Subject: [PATCH] xt_sctp: add the missing chunk types in sctp_help
Add the missing chunk types in sctp_help(), so that the help cmd can
display these chunk types as below:
# iptables -p sctp --help
chunktypes - ... I_DATA RE_CONFIG PAD ... I_FORWARD_TSN ALL NONE
Fixes: 6b04d9c34e25 ("xt_sctp: support a couple of new chunk types")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit f7c8d896f3305471746a8690f73587a65854d8fa)
---
extensions/libxt_sctp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index fe5f5621a033d..6e2b2745dcbd5 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -50,7 +50,7 @@ static void sctp_help(void)
" --dport ...\n"
"[!] --chunk-types (all|any|none) (chunktype[:flags])+ match if all, any or none of\n"
" chunktypes are present\n"
-"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n");
+"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN ALL NONE\n");
}
static const struct option sctp_opts[] = {
--
2.40.0

101
0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch
View File

@ -1,101 +0,0 @@
From 3311bf0d0fefd845d8d1d01b178bcd6701473a43 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 22 Feb 2023 16:36:16 +0100
Subject: [PATCH] include: Add missing linux/netfilter/xt_LOG.h
When merging IP-version-specific LOG extensions, a dependency to that
header was introduced without caching it. Fix this and drop the now
unused ip{,6}t_LOG.h files.
Reported-by: Thomas Devoogdt <thomas@devoogdt.com>
Fixes: 87e4f1bf0b87b ("extensions: libip*t_LOG: Merge extensions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 8030e5444681e16ac2f481ddad73e33fab376147)
---
include/linux/netfilter/xt_LOG.h | 20 ++++++++++++++++++++
include/linux/netfilter_ipv4/ipt_LOG.h | 19 -------------------
include/linux/netfilter_ipv6/ip6t_LOG.h | 19 -------------------
3 files changed, 20 insertions(+), 38 deletions(-)
create mode 100644 include/linux/netfilter/xt_LOG.h
delete mode 100644 include/linux/netfilter_ipv4/ipt_LOG.h
delete mode 100644 include/linux/netfilter_ipv6/ip6t_LOG.h
diff --git a/include/linux/netfilter/xt_LOG.h b/include/linux/netfilter/xt_LOG.h
new file mode 100644
index 0000000000000..167d4ddd2476b
--- /dev/null
+++ b/include/linux/netfilter/xt_LOG.h
@@ -0,0 +1,20 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _XT_LOG_H
+#define _XT_LOG_H
+
+/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */
+#define XT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
+#define XT_LOG_TCPOPT 0x02 /* Log TCP options */
+#define XT_LOG_IPOPT 0x04 /* Log IP options */
+#define XT_LOG_UID 0x08 /* Log UID owning local socket */
+#define XT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
+#define XT_LOG_MACDECODE 0x20 /* Decode MAC header */
+#define XT_LOG_MASK 0x2f
+
+struct xt_log_info {
+ unsigned char level;
+ unsigned char logflags;
+ char prefix[30];
+};
+
+#endif /* _XT_LOG_H */
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
deleted file mode 100644
index dcdbadf9fd4a9..0000000000000
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _IPT_LOG_H
-#define _IPT_LOG_H
-
-/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
-#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
-#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
-#define IPT_LOG_IPOPT 0x04 /* Log IP options */
-#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
-#define IPT_LOG_NFLOG 0x10 /* Unsupported, don't reuse */
-#define IPT_LOG_MACDECODE 0x20 /* Decode MAC header */
-#define IPT_LOG_MASK 0x2f
-
-struct ipt_log_info {
- unsigned char level;
- unsigned char logflags;
- char prefix[30];
-};
-
-#endif /*_IPT_LOG_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
deleted file mode 100644
index 9dd5579e02ec7..0000000000000
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _IP6T_LOG_H
-#define _IP6T_LOG_H
-
-/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
-#define IP6T_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
-#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
-#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
-#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
-#define IP6T_LOG_NFLOG 0x10 /* Unsupported, don't use */
-#define IP6T_LOG_MACDECODE 0x20 /* Decode MAC header */
-#define IP6T_LOG_MASK 0x2f
-
-struct ip6t_log_info {
- unsigned char level;
- unsigned char logflags;
- char prefix[30];
-};
-
-#endif /*_IPT_LOG_H*/
--
2.40.0

67
0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch
View File

@ -1,67 +0,0 @@
From 1d37530ed4a9ece32ed94faa916845a883f8fd05 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Feb 2023 18:09:25 +0100
Subject: [PATCH] nft-restore: Fix for deletion of new, referenced rule
Combining multiple corner-cases here:
* Insert a rule before another new one which is not the first. Triggers
NFTNL_RULE_ID assignment of the latter.
* Delete the referenced new rule in the same batch again. Causes
overwriting of the previously assigned RULE_ID.
Consequently, iptables-nft-restore fails during *insert*, because the
reference is dangling.
Reported-by: Eric Garver <eric@garver.life>
Fixes: 760b35b46e4cc ("nft: Fix for add and delete of same rule in single batch")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Tested-by: Eric Garver <eric@garver.life>
(cherry picked from commit 5fd85822bd12a02f1a921243f605fc6238d705b4)
---
iptables/nft.c | 3 ++-
.../ipt-restore/0003-restore-ordering_0 | 16 ++++++++++++++++
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 63468cf3b1344..5896fd410ca78 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2343,7 +2343,8 @@ static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule *r)
nftnl_rule_list_del(r);
- if (!nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE))
+ if (!nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE) &&
+ !nftnl_rule_get_u32(r, NFTNL_RULE_ID))
nftnl_rule_set_u32(r, NFTNL_RULE_ID, ++h->rule_id);
obj = batch_rule_add(h, NFT_COMPAT_RULE_DELETE, r);
diff --git a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
index 3f1d229e915ff..5482b7ea17298 100755
--- a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
+++ b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
@@ -123,3 +123,19 @@ EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT
-A FORWARD -m comment --comment "rule 3" -j ACCEPT'
diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
+
+# test adding, referencing and deleting the same rule in a batch
+
+$XT_MULTI iptables-restore <<EOF
+*filter
+-A FORWARD -m comment --comment "first rule" -j ACCEPT
+-A FORWARD -m comment --comment "referenced rule" -j ACCEPT
+-I FORWARD 2 -m comment --comment "referencing rule" -j ACCEPT
+-D FORWARD -m comment --comment "referenced rule" -j ACCEPT
+COMMIT
+EOF
+
+EXPECT='-A FORWARD -m comment --comment "first rule" -j ACCEPT
+-A FORWARD -m comment --comment "referencing rule" -j ACCEPT'
+
+diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
--
2.40.0

33
0013-ip6tables-Fix-checking-existence-of-rule.patch
View File

@ -1,33 +0,0 @@
From f6338ac2776094b3fc27227511de53b5f96be16d Mon Sep 17 00:00:00 2001
From: Markus Boehme <markubo@amazon.com>
Date: Mon, 3 Apr 2023 23:13:47 +0200
Subject: [PATCH] ip6tables: Fix checking existence of rule
Pass the proper entry size when creating a match mask for checking the
existence of a rule. Failing to do so causes wrong results.
Reported-by: Jonathan Caicedo <jonathan@jcaicedo.com>
Fixes: eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables")
Signed-off-by: Markus Boehme <markubo@amazon.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 78850e7dba64a949c440dbdbe557f59409c6db48)
---
iptables/ip6tables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 345af4519bfe7..9afc32c1a21ed 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -331,7 +331,7 @@ check_entry(const xt_chainlabel chain, struct ip6t_entry *fw,
int ret = 1;
unsigned char *mask;
- mask = make_delete_mask(matches, target, sizeof(fw));
+ mask = make_delete_mask(matches, target, sizeof(*fw));
for (i = 0; i < nsaddrs; i++) {
fw->ipv6.src = saddrs[i];
fw->ipv6.smsk = smasks[i];
--
2.40.0

29
0014-nft-shared-Drop-unused-include.patch
View File

@ -1,29 +0,0 @@
From 1bf20a3bd929060cb9afdd798292f0463243e26d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 29 Mar 2023 16:22:16 +0200
Subject: [PATCH] nft-shared: Drop unused include
Code does not refer to struct xt_comment_info anymore.
Fixes: 3bb497c61d743 ("xtables: Fix for deleting rules with comment")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 465470184950d9035dcd1101c1f413f8a2051427)
---
iptables/nft-shared.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 4a7b5406892c4..4ba44a4aa4d17 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -22,7 +22,6 @@
#include <xtables.h>
#include <linux/netfilter/nf_log.h>
-#include <linux/netfilter/xt_comment.h>
#include <linux/netfilter/xt_limit.h>
#include <linux/netfilter/xt_NFLOG.h>
#include <linux/netfilter/xt_mark.h>
--
2.40.0

31
0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch
View File

@ -1,31 +0,0 @@
From 9a4b3bde58819e55a2d852800e87e66629a87081 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 28 Apr 2023 14:33:43 +0200
Subject: [PATCH] arptables: Fix parsing of inverted 'arp operation' match
The wrong bit was set in 'invflags', probably due to copy'n'paste from
the previous case.
Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 092e4b022152addc94524e2ba0cb608dac1a3a08)
---
iptables/nft-arp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 210f43d2cefbe..8fae5adc50216 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -244,7 +244,7 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
fw->arp.arhln = ar_hln;
fw->arp.arhln_mask = 0xff;
if (inv)
- fw->arp.invflags |= IPT_INV_ARPOP;
+ fw->arp.invflags |= IPT_INV_ARPHLN;
break;
case offsetof(struct arphdr, ar_pln):
get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv);
--
2.40.0

42
0016-arptables-Don-t-omit-standard-matches-if-inverted.patch
View File

@ -1,42 +0,0 @@
From a900100d6d4be7c52e4cfd1ab06ce3ac626d71a1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 28 Apr 2023 14:37:47 +0200
Subject: [PATCH] arptables: Don't omit standard matches if inverted
Inverted --h-len and --h-type matches were omitted from output by
accident if they matched on their standard value.
Fixes: 84331e3ed3f8e ("arptables-nft: Don't print default h-len/h-type values")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 79f93b0943fa0e46ba29bb476362634509eb594e)
---
iptables/nft-arp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 8fae5adc50216..df3ad430cf701 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -408,7 +408,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
after_devdst:
- if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6) {
+ if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6 ||
+ fw->arp.invflags & IPT_INV_ARPHLN) {
printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHLN
? "! " : "");
printf("--h-length %d", fw->arp.arhln);
@@ -432,7 +433,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
sep = " ";
}
- if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1)) {
+ if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1) ||
+ fw->arp.invflags & IPT_INV_ARPHRD) {
uint16_t tmp = ntohs(fw->arp.arhrd);
printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHRD
--
2.40.0

211
0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch
View File

@ -1,211 +0,0 @@
From 174ef8164bc3b1f9454f77b3747f1591ea5b5a9f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 28 Apr 2023 14:41:08 +0200
Subject: [PATCH] xshared: Fix parsing of option arguments in same word
When merging commandline parsers, a decision between 'argv[optind - 1]'
and 'optarg' had to be made in some spots. While the implementation of
check_inverse() required the former, use of the latter allows for the
common syntax of '--opt=arg' or even '-oarg' as 'optarg' will point at
the suffix while 'argv[optind - 1]' will just point at the following
option.
Fix the mess by making check_inverse() update optarg pointer if needed
so calling code may refer to and always correct 'optarg'.
Fixes: 0af80a91b0a98 ("nft: Merge xtables-arp-standalone.c into xtables-standalone.c")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1677
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 90a7a183a208b691810b8519cc57d3d9d3b7eb60)
---
extensions/libarpt_standard.t | 2 ++
extensions/libxt_standard.t | 3 ++
iptables/xshared.c | 61 +++++++++++++++++------------------
3 files changed, 35 insertions(+), 31 deletions(-)
diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t
index e84a00b780488..007fa2b8335e8 100644
--- a/extensions/libarpt_standard.t
+++ b/extensions/libarpt_standard.t
@@ -12,3 +12,5 @@
-i lo --destination-mac 11:22:33:44:55:66;-i lo --dst-mac 11:22:33:44:55:66;OK
--source-mac Unicast;--src-mac 00:00:00:00:00:00/01:00:00:00:00:00;OK
! --src-mac Multicast;! --src-mac 01:00:00:00:00:00/01:00:00:00:00:00;OK
+--src-mac=01:02:03:04:05:06 --dst-mac=07:08:09:0A:0B:0C --h-length=6 --opcode=Request --h-type=Ethernet --proto-type=ipv4;--src-mac 01:02:03:04:05:06 --dst-mac 07:08:09:0a:0b:0c --opcode 1 --proto-type 0x800;OK
+--src-mac ! 01:02:03:04:05:06 --dst-mac ! 07:08:09:0A:0B:0C --h-length ! 6 --opcode ! Request --h-type ! Ethernet --proto-type ! ipv4;! --src-mac 01:02:03:04:05:06 ! --dst-mac 07:08:09:0a:0b:0c ! --h-length 6 ! --opcode 1 ! --h-type 1 ! --proto-type 0x800;OK
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 56d6da2e5884e..6ed978e442b80 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -21,3 +21,6 @@
-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
+:FORWARD
+--protocol=tcp --source=1.2.3.4 --destination=5.6.7.8/32 --in-interface=eth0 --out-interface=eth1 --jump=ACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
+-ptcp -s1.2.3.4 -d5.6.7.8/32 -ieth0 -oeth1 -jACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
diff --git a/iptables/xshared.c b/iptables/xshared.c
index ac51fac5ce9ed..17aed04e02b09 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1318,7 +1318,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
}
static void check_inverse(struct xtables_args *args, const char option[],
- bool *invert, int *optidx, int argc)
+ bool *invert, int argc, char **argv)
{
switch (args->family) {
case NFPROTO_ARP:
@@ -1337,12 +1337,11 @@ static void check_inverse(struct xtables_args *args, const char option[],
xtables_error(PARAMETER_PROBLEM,
"Multiple `!' flags not allowed");
*invert = true;
- if (optidx) {
- *optidx = *optidx + 1;
- if (argc && *optidx > argc)
- xtables_error(PARAMETER_PROBLEM,
- "no argument following `!'");
- }
+ optind++;
+ if (optind > argc)
+ xtables_error(PARAMETER_PROBLEM, "no argument following `!'");
+
+ optarg = argv[optind - 1];
}
static const char *optstring_lookup(int family)
@@ -1555,16 +1554,16 @@ void do_parse(int argc, char *argv[],
* Option selection
*/
case 'p':
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_PROTOCOL,
&args->invflags, invert);
/* Canonicalize into lower case */
- for (cs->protocol = argv[optind - 1];
+ for (cs->protocol = optarg;
*cs->protocol; cs->protocol++)
*cs->protocol = tolower(*cs->protocol);
- cs->protocol = argv[optind - 1];
+ cs->protocol = optarg;
args->proto = xtables_parse_protocol(cs->protocol);
if (args->proto == 0 &&
@@ -1578,17 +1577,17 @@ void do_parse(int argc, char *argv[],
break;
case 's':
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_SOURCE,
&args->invflags, invert);
- args->shostnetworkmask = argv[optind - 1];
+ args->shostnetworkmask = optarg;
break;
case 'd':
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_DESTINATION,
&args->invflags, invert);
- args->dhostnetworkmask = argv[optind - 1];
+ args->dhostnetworkmask = optarg;
break;
#ifdef IPT_F_GOTO
@@ -1601,71 +1600,71 @@ void do_parse(int argc, char *argv[],
#endif
case 2:/* src-mac */
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_S_MAC, &args->invflags,
invert);
- args->src_mac = argv[optind - 1];
+ args->src_mac = optarg;
break;
case 3:/* dst-mac */
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_D_MAC, &args->invflags,
invert);
- args->dst_mac = argv[optind - 1];
+ args->dst_mac = optarg;
break;
case 'l':/* hardware length */
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_H_LENGTH, &args->invflags,
invert);
- args->arp_hlen = argv[optind - 1];
+ args->arp_hlen = optarg;
break;
case 8: /* was never supported, not even in arptables-legacy */
xtables_error(PARAMETER_PROBLEM, "not supported");
case 4:/* opcode */
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_OPCODE, &args->invflags,
invert);
- args->arp_opcode = argv[optind - 1];
+ args->arp_opcode = optarg;
break;
case 5:/* h-type */
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_H_TYPE, &args->invflags,
invert);
- args->arp_htype = argv[optind - 1];
+ args->arp_htype = optarg;
break;
case 6:/* proto-type */
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_P_TYPE, &args->invflags,
invert);
- args->arp_ptype = argv[optind - 1];
+ args->arp_ptype = optarg;
break;
case 'j':
set_option(&cs->options, OPT_JUMP, &args->invflags,
invert);
- command_jump(cs, argv[optind - 1]);
+ command_jump(cs, optarg);
break;
case 'i':
check_empty_interface(args, optarg);
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_VIANAMEIN,
&args->invflags, invert);
- xtables_parse_interface(argv[optind - 1],
+ xtables_parse_interface(optarg,
args->iniface,
args->iniface_mask);
break;
case 'o':
check_empty_interface(args, optarg);
- check_inverse(args, optarg, &invert, &optind, argc);
+ check_inverse(args, optarg, &invert, argc, argv);
set_option(&cs->options, OPT_VIANAMEOUT,
&args->invflags, invert);
- xtables_parse_interface(argv[optind - 1],
+ xtables_parse_interface(optarg,
args->outiface,
args->outiface_mask);
break;
--
2.40.0

44
iptables.spec
View File

@ -10,8 +10,8 @@
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables
Version: 1.8.9
Release: 6%{?dist}
Version: 1.8.10
Release: 1%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.xz
Source1: iptables.init
Source2: iptables-config
@ -20,24 +20,6 @@ Source4: sysconfig_iptables
Source5: sysconfig_ip6tables
Source6: arptables-nft-helper
Patch001: 0001-extensions-NAT-Fix-for-Werror-format-security.patch
Patch002: 0002-etc-Drop-xtables.conf.patch
Patch003: 0003-Proper-fix-for-unknown-argument-error-message.patch
Patch004: 0004-ebtables-Refuse-unselected-targets-options.patch
Patch005: 0005-tests-xlate-Properly-split-input-in-replay-mode.patch
Patch006: 0006-extensions-libebt_redirect-Fix-target-translation.patch
Patch007: 0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch
Patch008: 0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch
Patch009: 0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch
Patch010: 0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch
Patch011: 0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch
Patch012: 0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch
Patch013: 0013-ip6tables-Fix-checking-existence-of-rule.patch
Patch014: 0014-nft-shared-Drop-unused-include.patch
Patch015: 0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch
Patch016: 0016-arptables-Don-t-omit-standard-matches-if-inverted.patch
Patch017: 0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch
# pf.os: ISC license
# iptables-apply: Artistic Licence 2.0
License: GPL-2.0-only AND Artistic-2.0 AND ISC
@ -54,7 +36,7 @@ BuildRequires: bison
BuildRequires: flex
BuildRequires: gcc
BuildRequires: pkgconfig(libmnl) >= 1.0
BuildRequires: pkgconfig(libnftnl) >= 1.1.6
BuildRequires: pkgconfig(libnftnl) >= 1.2.6
# libpcap-devel for nfbpf_compile
BuildRequires: libpcap-devel
BuildRequires: autoconf
@ -67,17 +49,6 @@ The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package.
%package compat
Summary: Temporary transitioning package
Obsoletes: %{name} < 1.8.7-4
Requires: %{name}-legacy = %{version}-%{release}
Requires: %{name}-utils = %{version}-%{release}
%description compat
This package only exists to help transition iptables users to the new
package split. It will be removed after one distribution release cycle, please
do not reference it or depend on it in any way.
%package legacy
Summary: Legacy tools for managing Linux kernel packet filtering capabilities
Requires: %{name}-legacy-libs%{?_isa} = %{version}-%{release}
@ -252,9 +223,6 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
touch %{buildroot}%{_mandir}/man8/ebtables.8
# Drop xtables.conf, it's not used
rm -f %{buildroot}%{_sysconfdir}/xtables.conf
# fix absolute symlink
rm -f %{buildroot}%{_bindir}/iptables-xml
ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml
@ -371,8 +339,6 @@ if [ $1 -eq 0 ]; then
done
fi
%files compat
%files legacy
%{_sbindir}/ip{,6}tables-legacy*
%{_sbindir}/xtables-legacy-multi
@ -447,6 +413,10 @@ fi
%changelog
* Tue Oct 10 2023 Phil Sutter <psutter@redhat.com> - 1.8.10-1
- New version 1.8.10
- Drop compat sub-package
* Tue Aug 15 2023 Phil Sutter <psutter@redhat.com> - 1.8.9-6
- Convert license to SPDX format

2
sources
View File

@ -1 +1 @@
SHA512 (iptables-1.8.9.tar.xz) = e367bf286135e39b7401e852de25c1ed06d44befdffd92ed1566eb2ae9704b48ac9196cb971f43c6c83c6ad4d910443d32064bcdf618cfcef6bcab113e31ff70
SHA512 (iptables-1.8.10.tar.xz) = 71e6ed2260859157d61981a4fe5039dc9e8d7da885a626a4b5dae8164c509a9d9f874286b9468bb6a462d6e259d4d32d5967777ecefdd8a293011ae80c00f153