import iptables-1.8.7-28.el9
This commit is contained in:
parent
afe73678d8
commit
9acc21c0be
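--- /dev/null
+++ b/SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch
@@ -0,0 +1,177 @@
+From 6415593af4223ea082e0086ec1088f0eacfbce78 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 29 Apr 2021 15:28:59 +0200
+Subject: [PATCH] extensions: SECMARK: Implement revision 1
+
+The changed data structure for communication with kernel allows to
+exclude the field 'secid' which is populated on kernel side. Thus
+this fixes the formerly always failing extension comparison breaking
+rule check and rule delete by content.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
+---
+extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
+extensions/libxt_SECMARK.t | 4 ++
+include/linux/netfilter/xt_SECMARK.h | 6 ++
+3 files changed, 80 insertions(+), 20 deletions(-)
+create mode 100644 extensions/libxt_SECMARK.t
+
+diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
+index 6ba8606355daa..24249bd618ffe 100644
+--- a/extensions/libxt_SECMARK.c
++++ b/extensions/libxt_SECMARK.c
+@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
+XTOPT_TABLEEND,
+};
+
++static const struct xt_option_entry SECMARK_opts_v1[] = {
++ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
++ .flags = XTOPT_MAND | XTOPT_PUT,
++ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
++ XTOPT_TABLEEND,
++};
++
+static void SECMARK_parse(struct xt_option_call *cb)
+{
+struct xt_secmark_target_info *info = cb->data;
+@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
+info->mode = SECMARK_MODE_SEL;
+}
+
+-static void print_secmark(const struct xt_secmark_target_info *info)
++static void SECMARK_parse_v1(struct xt_option_call *cb)
++{
++ struct xt_secmark_target_info_v1 *info = cb->data;
++
++ xtables_option_parse(cb);
++ info->mode = SECMARK_MODE_SEL;
++}
++
++static void print_secmark(__u8 mode, const char *secctx)
+{
+- switch (info->mode) {
++ switch (mode) {
+case SECMARK_MODE_SEL:
+- printf("selctx %s", info->secctx);
++ printf("selctx %s", secctx);
+break;
+-
++
+default:
+- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
++ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
+}
+}
+
+@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
+(struct xt_secmark_target_info*)(target)->data;
+
+printf(" SECMARK ");
+- print_secmark(info);
++ print_secmark(info->mode, info->secctx);
++}
++
++static void SECMARK_print_v1(const void *ip,
++ const struct xt_entry_target *target, int numeric)
++{
++ const struct xt_secmark_target_info_v1 *info =
++ (struct xt_secmark_target_info_v1 *)(target)->data;
++
++ printf(" SECMARK ");
++ print_secmark(info->mode, info->secctx);
+}
+
+static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+(struct xt_secmark_target_info*)target->data;
+
+printf(" --");
+- print_secmark(info);
++ print_secmark(info->mode, info->secctx);
+}
+
+-static struct xtables_target secmark_target = {
+- .family = NFPROTO_UNSPEC,
+- .name = "SECMARK",
+- .version = XTABLES_VERSION,
+- .revision = 0,
+- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+- .help = SECMARK_help,
+- .print = SECMARK_print,
+- .save = SECMARK_save,
+- .x6_parse = SECMARK_parse,
+- .x6_options = SECMARK_opts,
++static void SECMARK_save_v1(const void *ip,
++ const struct xt_entry_target *target)
++{
++ const struct xt_secmark_target_info_v1 *info =
++ (struct xt_secmark_target_info_v1 *)target->data;
++
++ printf(" --");
++ print_secmark(info->mode, info->secctx);
++}
++
++static struct xtables_target secmark_tg_reg[] = {
++ {
++ .family = NFPROTO_UNSPEC,
++ .name = "SECMARK",
++ .version = XTABLES_VERSION,
++ .revision = 0,
++ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
++ .help = SECMARK_help,
++ .print = SECMARK_print,
++ .save = SECMARK_save,
++ .x6_parse = SECMARK_parse,
++ .x6_options = SECMARK_opts,
++ },
++ {
++ .family = NFPROTO_UNSPEC,
++ .name = "SECMARK",
++ .version = XTABLES_VERSION,
++ .revision = 1,
++ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
++ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
++ .help = SECMARK_help,
++ .print = SECMARK_print_v1,
++ .save = SECMARK_save_v1,
++ .x6_parse = SECMARK_parse_v1,
++ .x6_options = SECMARK_opts_v1,
++ }
+};
+
+void _init(void)
+{
+- xtables_register_target(&secmark_target);
++ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+}
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+new file mode 100644
+index 0000000000000..39d4c09348bf4
+--- /dev/null
++++ b/extensions/libxt_SECMARK.t
+@@ -0,0 +1,4 @@
++:INPUT,FORWARD,OUTPUT
++*security
++-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
++-j SECMARK;;FAIL
+diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
+index 989092bd6274b..31760a286a854 100644
+--- a/include/linux/netfilter/xt_SECMARK.h
++++ b/include/linux/netfilter/xt_SECMARK.h
+@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
+char secctx[SECMARK_SECCTX_MAX];
+};
+
++struct xt_secmark_target_info_v1 {
++ __u8 mode;
++ char secctx[SECMARK_SECCTX_MAX];
++ __u32 secid;
++};
++
+#endif /*_XT_SECMARK_H_target */
+--
+2.34.1
+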
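Review bot: The revision 1 registration's `.userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid))` does not necessarily exclude secid from the rule comparison, contrary to what the description claims. With the layout added to xt_SECMARK.h (a `__u8`, the secctx array, then a `__u32` tail) the offset of secid is only 4-byte aligned, and whenever it is not also a multiple of the xtables alignment XT_ALIGN rounds it up to the struct's full size, so userspacesize equals size and the memcmp still covers the kernel-written field; whether that happens depends on the value of SECMARK_SECCTX_MAX, which is not shown here. Rule check and delete by content then succeed only because the kernel presumably zeroes secid when copying the entry out to userspace, not because userspace skips it. Using the bare offset, `.userspacesize = offsetof(struct xt_secmark_target_info_v1, secid),` as other extensions do for kernel-private trailing fields, makes the exclusion hold regardless of alignment.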
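--- /dev/null
+++ b/SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
@@ -0,0 +1,26 @@
+From 45664de1be104ce9716227a0ad11ef2343ece3df Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 16 Jul 2021 21:51:49 +0200
+Subject: [PATCH] extensions: SECMARK: Use a better context in test case
+
+RHEL SELinux policies don't allow setting
+system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
+'packet_type' attribute (identified via
+'seinfo -xt | grep packet_type').
+---
+extensions/libxt_SECMARK.t | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+index 39d4c09348bf4..295e7a7244902 100644
+--- a/extensions/libxt_SECMARK.t
++++ b/extensions/libxt_SECMARK.t
+@@ -1,4 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
++-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
+-j SECMARK;;FAIL
+--
+2.34.1
+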
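--- a/SPEC-FILE-PATH-NOT-SHOWN
+++ b/SPEC-FILE-PATH-NOT-SHOWN
@@ -16,7 +16,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 26%{?dist}
+Release: 28%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -53,6 +53,8 @@ Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch
 Patch22: 0022-ebtables-Dump-atomic-waste.patch
 Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
 Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
+Patch25: 0025-extensions-SECMARK-Implement-revision-1.patch
+Patch26: 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
@@ -468,6 +470,12 @@ fi
 %ghost %{_mandir}/man8/ebtables.8.gz
 
 %changelog
+* Wed Feb 16 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-28
+- extensions: SECMARK: Use a better context in test case
+
+* Fri Jan 28 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-27
+- extensions: SECMARK: Implement revision 1
+
 * Mon Oct 11 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-26
 - tests/shell: Assert non-verbose mode is silent
 - nft: Fix for non-verbose check command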