iptables-1.8.7-29.el9
- libxtables: Boost rule target checks by announcing chain names - libxtables: Implement notargets hash table - nft: Reject standard targets as chain names when restoring - xshared: Merge and share parse_chain() - xshared: Prefer xtables_chain_protos lookup over getprotoent - nft: Speed up immediate parsing - nft: Simplify immediate parsing Resolves: rhbz#2065330
This commit is contained in:
parent
63c9e2ff10
commit
a556128cb3
199
0027-nft-Simplify-immediate-parsing.patch
Normal file
199
0027-nft-Simplify-immediate-parsing.patch
Normal file
@ -0,0 +1,199 @@
|
||||
From c4bc02802cb95af82d30cb0ad605060694640e07 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 1 Mar 2022 18:59:31 +0100
|
||||
Subject: [PATCH] nft: Simplify immediate parsing
|
||||
|
||||
Implementations of parse_immediate callback are mostly trivial, the only
|
||||
relevant part is access to family-specific parts of struct
|
||||
iptables_command_state when setting goto flag for iptables and
|
||||
ip6tables. Refactor them into simple set_goto_flag callbacks.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit b5f2faea325a315bfb932ebc634f3298d4824cae)
|
||||
---
|
||||
iptables/nft-arp.c | 9 ---------
|
||||
iptables/nft-bridge.c | 9 ---------
|
||||
iptables/nft-ipv4.c | 12 +++---------
|
||||
iptables/nft-ipv6.c | 12 +++---------
|
||||
iptables/nft-shared.c | 17 +++++++----------
|
||||
iptables/nft-shared.h | 2 +-
|
||||
6 files changed, 14 insertions(+), 47 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
|
||||
index 2a9387a18dffe..d55e06572b283 100644
|
||||
--- a/iptables/nft-arp.c
|
||||
+++ b/iptables/nft-arp.c
|
||||
@@ -182,14 +182,6 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
|
||||
fw->arp.invflags |= flags;
|
||||
}
|
||||
|
||||
-static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
|
||||
- void *data)
|
||||
-{
|
||||
- struct iptables_command_state *cs = data;
|
||||
-
|
||||
- cs->jumpto = jumpto;
|
||||
-}
|
||||
-
|
||||
static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask)
|
||||
{
|
||||
mask->s_addr = ctx->bitwise.mask[0];
|
||||
@@ -552,7 +544,6 @@ struct nft_family_ops nft_family_ops_arp = {
|
||||
.print_payload = NULL,
|
||||
.parse_meta = nft_arp_parse_meta,
|
||||
.parse_payload = nft_arp_parse_payload,
|
||||
- .parse_immediate = nft_arp_parse_immediate,
|
||||
.print_header = nft_arp_print_header,
|
||||
.print_rule = nft_arp_print_rule,
|
||||
.save_rule = nft_arp_save_rule,
|
||||
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
|
||||
index d98fd527d9549..5807c0d32a97c 100644
|
||||
--- a/iptables/nft-bridge.c
|
||||
+++ b/iptables/nft-bridge.c
|
||||
@@ -251,14 +251,6 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
|
||||
}
|
||||
}
|
||||
|
||||
-static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
|
||||
- void *data)
|
||||
-{
|
||||
- struct iptables_command_state *cs = data;
|
||||
-
|
||||
- cs->jumpto = jumpto;
|
||||
-}
|
||||
-
|
||||
/* return 0 if saddr, 1 if daddr, -1 on error */
|
||||
static int
|
||||
lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
|
||||
@@ -889,7 +881,6 @@ struct nft_family_ops nft_family_ops_bridge = {
|
||||
.print_payload = NULL,
|
||||
.parse_meta = nft_bridge_parse_meta,
|
||||
.parse_payload = nft_bridge_parse_payload,
|
||||
- .parse_immediate = nft_bridge_parse_immediate,
|
||||
.parse_lookup = nft_bridge_parse_lookup,
|
||||
.parse_match = nft_bridge_parse_match,
|
||||
.parse_target = nft_bridge_parse_target,
|
||||
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||||
index 34f94bd8cc24a..80b8954f4a39d 100644
|
||||
--- a/iptables/nft-ipv4.c
|
||||
+++ b/iptables/nft-ipv4.c
|
||||
@@ -241,15 +241,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
|
||||
}
|
||||
}
|
||||
|
||||
-static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
|
||||
- void *data)
|
||||
+static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
|
||||
{
|
||||
- struct iptables_command_state *cs = data;
|
||||
-
|
||||
- cs->jumpto = jumpto;
|
||||
-
|
||||
- if (nft_goto)
|
||||
- cs->fw.ip.flags |= IPT_F_GOTO;
|
||||
+ cs->fw.ip.flags |= IPT_F_GOTO;
|
||||
}
|
||||
|
||||
static void print_fragment(unsigned int flags, unsigned int invflags,
|
||||
@@ -473,7 +467,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
|
||||
.is_same = nft_ipv4_is_same,
|
||||
.parse_meta = nft_ipv4_parse_meta,
|
||||
.parse_payload = nft_ipv4_parse_payload,
|
||||
- .parse_immediate = nft_ipv4_parse_immediate,
|
||||
+ .set_goto_flag = nft_ipv4_set_goto_flag,
|
||||
.print_header = print_header,
|
||||
.print_rule = nft_ipv4_print_rule,
|
||||
.save_rule = nft_ipv4_save_rule,
|
||||
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
||||
index d9c9400ad7dc3..663401b49f94d 100644
|
||||
--- a/iptables/nft-ipv6.c
|
||||
+++ b/iptables/nft-ipv6.c
|
||||
@@ -180,15 +180,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
|
||||
}
|
||||
}
|
||||
|
||||
-static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
|
||||
- void *data)
|
||||
+static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
|
||||
{
|
||||
- struct iptables_command_state *cs = data;
|
||||
-
|
||||
- cs->jumpto = jumpto;
|
||||
-
|
||||
- if (nft_goto)
|
||||
- cs->fw6.ipv6.flags |= IP6T_F_GOTO;
|
||||
+ cs->fw6.ipv6.flags |= IP6T_F_GOTO;
|
||||
}
|
||||
|
||||
static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
|
||||
@@ -415,7 +409,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
|
||||
.is_same = nft_ipv6_is_same,
|
||||
.parse_meta = nft_ipv6_parse_meta,
|
||||
.parse_payload = nft_ipv6_parse_payload,
|
||||
- .parse_immediate = nft_ipv6_parse_immediate,
|
||||
+ .set_goto_flag = nft_ipv6_set_goto_flag,
|
||||
.print_header = print_header,
|
||||
.print_rule = nft_ipv6_print_rule,
|
||||
.save_rule = nft_ipv6_save_rule,
|
||||
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
|
||||
index c1664b50f9383..bd0c8895d48bb 100644
|
||||
--- a/iptables/nft-shared.c
|
||||
+++ b/iptables/nft-shared.c
|
||||
@@ -510,9 +510,7 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters
|
||||
static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
||||
{
|
||||
const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
|
||||
- const char *jumpto = NULL;
|
||||
- bool nft_goto = false;
|
||||
- void *data = ctx->cs;
|
||||
+ struct iptables_command_state *cs = ctx->cs;
|
||||
int verdict;
|
||||
|
||||
if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
|
||||
@@ -535,23 +533,22 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
||||
/* Standard target? */
|
||||
switch(verdict) {
|
||||
case NF_ACCEPT:
|
||||
- jumpto = "ACCEPT";
|
||||
+ cs->jumpto = "ACCEPT";
|
||||
break;
|
||||
case NF_DROP:
|
||||
- jumpto = "DROP";
|
||||
+ cs->jumpto = "DROP";
|
||||
break;
|
||||
case NFT_RETURN:
|
||||
- jumpto = "RETURN";
|
||||
+ cs->jumpto = "RETURN";
|
||||
break;;
|
||||
case NFT_GOTO:
|
||||
- nft_goto = true;
|
||||
+ if (ctx->h->ops->set_goto_flag)
|
||||
+ ctx->h->ops->set_goto_flag(cs);
|
||||
/* fall through */
|
||||
case NFT_JUMP:
|
||||
- jumpto = chain;
|
||||
+ cs->jumpto = chain;
|
||||
break;
|
||||
}
|
||||
-
|
||||
- ctx->h->ops->parse_immediate(jumpto, nft_goto, data);
|
||||
}
|
||||
|
||||
static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
||||
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
|
||||
index da4ba9d2ba8de..e4ef16cc24f12 100644
|
||||
--- a/iptables/nft-shared.h
|
||||
+++ b/iptables/nft-shared.h
|
||||
@@ -89,7 +89,7 @@ struct nft_family_ops {
|
||||
void *data);
|
||||
void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
|
||||
void *data);
|
||||
- void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
|
||||
+ void (*set_goto_flag)(struct iptables_command_state *cs);
|
||||
|
||||
void (*print_table_header)(const char *tablename);
|
||||
void (*print_header)(unsigned int format, const char *chain,
|
||||
--
|
||||
2.34.1
|
||||
|
119
0028-nft-Speed-up-immediate-parsing.patch
Normal file
119
0028-nft-Speed-up-immediate-parsing.patch
Normal file
@ -0,0 +1,119 @@
|
||||
From 88dbd59dcf172b54e650f267c490d70ee55235d5 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 1 Mar 2022 19:46:21 +0100
|
||||
Subject: [PATCH] nft: Speed up immediate parsing
|
||||
|
||||
Parsing of rules which jump to a chain pointlessly causes a call to
|
||||
xtables_find_target() despite the code already knowing the outcome.
|
||||
|
||||
Avoid the significant delay for rulesets with many chain jumps by
|
||||
performing the (standard) target lookup only for accept/drop/return
|
||||
verdicts.
|
||||
|
||||
From a biased test-case on my VM:
|
||||
|
||||
| # iptables-nft-save | grep -c -- '-j'
|
||||
| 133943
|
||||
| # time ./old/iptables-nft-save >/dev/null
|
||||
| real 0m45.566s
|
||||
| user 0m1.308s
|
||||
| sys 0m8.430s
|
||||
| # time ./new/iptables-nft-save >/dev/null
|
||||
| real 0m3.547s
|
||||
| user 0m0.762s
|
||||
| sys 0m2.476s
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit 07ee529f5a62838d68be59683be99bf6a7cda0f2)
|
||||
---
|
||||
iptables/nft-bridge.c | 1 +
|
||||
iptables/nft-shared.c | 37 ++++++++++++++++++-------------------
|
||||
2 files changed, 19 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
|
||||
index 5807c0d32a97c..4df71f0c775e3 100644
|
||||
--- a/iptables/nft-bridge.c
|
||||
+++ b/iptables/nft-bridge.c
|
||||
@@ -506,6 +506,7 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
|
||||
}
|
||||
|
||||
cs->target = t;
|
||||
+ cs->jumpto = t->name;
|
||||
}
|
||||
|
||||
static void nft_rule_to_ebtables_command_state(struct nft_handle *h,
|
||||
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
|
||||
index bd0c8895d48bb..1aaaa8159ff61 100644
|
||||
--- a/iptables/nft-shared.c
|
||||
+++ b/iptables/nft-shared.c
|
||||
@@ -511,6 +511,8 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
||||
{
|
||||
const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
|
||||
struct iptables_command_state *cs = ctx->cs;
|
||||
+ struct xt_entry_target *t;
|
||||
+ uint32_t size;
|
||||
int verdict;
|
||||
|
||||
if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
|
||||
@@ -547,8 +549,21 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
||||
/* fall through */
|
||||
case NFT_JUMP:
|
||||
cs->jumpto = chain;
|
||||
- break;
|
||||
+ /* fall through */
|
||||
+ default:
|
||||
+ return;
|
||||
}
|
||||
+
|
||||
+ cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
|
||||
+ if (!cs->target)
|
||||
+ return;
|
||||
+
|
||||
+ size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
|
||||
+ t = xtables_calloc(1, size);
|
||||
+ t->u.target_size = size;
|
||||
+ t->u.user.revision = cs->target->revision;
|
||||
+ strcpy(t->u.user.name, cs->jumpto);
|
||||
+ cs->target->t = t;
|
||||
}
|
||||
|
||||
static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
|
||||
@@ -676,25 +691,8 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
|
||||
}
|
||||
}
|
||||
|
||||
- if (cs->target != NULL) {
|
||||
- cs->jumpto = cs->target->name;
|
||||
- } else if (cs->jumpto != NULL) {
|
||||
- struct xt_entry_target *t;
|
||||
- uint32_t size;
|
||||
-
|
||||
- cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
|
||||
- if (!cs->target)
|
||||
- return;
|
||||
-
|
||||
- size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
|
||||
- t = xtables_calloc(1, size);
|
||||
- t->u.target_size = size;
|
||||
- t->u.user.revision = cs->target->revision;
|
||||
- strcpy(t->u.user.name, cs->jumpto);
|
||||
- cs->target->t = t;
|
||||
- } else {
|
||||
+ if (!cs->jumpto)
|
||||
cs->jumpto = "";
|
||||
- }
|
||||
}
|
||||
|
||||
void nft_clear_iptables_command_state(struct iptables_command_state *cs)
|
||||
@@ -983,6 +981,7 @@ void nft_ipv46_parse_target(struct xtables_target *t, void *data)
|
||||
struct iptables_command_state *cs = data;
|
||||
|
||||
cs->target = t;
|
||||
+ cs->jumpto = t->name;
|
||||
}
|
||||
|
||||
void nft_check_xt_legacy(int family, bool is_ipt_save)
|
||||
--
|
||||
2.34.1
|
||||
|
104
0029-xshared-Prefer-xtables_chain_protos-lookup-over-getp.patch
Normal file
104
0029-xshared-Prefer-xtables_chain_protos-lookup-over-getp.patch
Normal file
@ -0,0 +1,104 @@
|
||||
From 970ab34aa07f2fdb6ad8a79bc5b7a1d9a5bcd482 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 1 Mar 2022 23:05:29 +0100
|
||||
Subject: [PATCH] xshared: Prefer xtables_chain_protos lookup over getprotoent
|
||||
|
||||
When dumping a large ruleset, common protocol matches such as for TCP
|
||||
port number significantly slow down rule printing due to repeated calls
|
||||
for getprotobynumber(). The latter does not involve any caching, so
|
||||
/etc/protocols is consulted over and over again.
|
||||
|
||||
As a simple countermeasure, make functions converting between proto
|
||||
number and name prefer the built-in list of "well-known" protocols. This
|
||||
is not a perfect solution, repeated rules for protocol names libxtables
|
||||
does not cache (e.g. igmp or dccp) will still be slow. Implementing
|
||||
getprotoent() result caching could solve this.
|
||||
|
||||
As a side-effect, explicit check for pseudo-protocol "all" may be
|
||||
dropped as it is contained in the built-in list and therefore immutable.
|
||||
|
||||
Also update xtables_chain_protos entries a bit to align with typical
|
||||
/etc/protocols contents. The testsuite assumes those names, so the
|
||||
preferred ones prior to this patch are indeed uncommon nowadays.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit b6196c7504d4d41827cea86c167926125cdbf1f3)
|
||||
---
|
||||
iptables/xshared.c | 8 ++++----
|
||||
libxtables/xtables.c | 19 ++++++-------------
|
||||
2 files changed, 10 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index 4027d9240215e..68aea42146c36 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -52,16 +52,16 @@ proto_to_name(uint8_t proto, int nolookup)
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
+ for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
|
||||
+ if (xtables_chain_protos[i].num == proto)
|
||||
+ return xtables_chain_protos[i].name;
|
||||
+
|
||||
if (proto && !nolookup) {
|
||||
struct protoent *pent = getprotobynumber(proto);
|
||||
if (pent)
|
||||
return pent->p_name;
|
||||
}
|
||||
|
||||
- for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
|
||||
- if (xtables_chain_protos[i].num == proto)
|
||||
- return xtables_chain_protos[i].name;
|
||||
-
|
||||
return NULL;
|
||||
}
|
||||
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index 1931e3896262a..a991e4fcc9b92 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -2078,10 +2078,11 @@ const struct xtables_pprot xtables_chain_protos[] = {
|
||||
{"udp", IPPROTO_UDP},
|
||||
{"udplite", IPPROTO_UDPLITE},
|
||||
{"icmp", IPPROTO_ICMP},
|
||||
- {"icmpv6", IPPROTO_ICMPV6},
|
||||
{"ipv6-icmp", IPPROTO_ICMPV6},
|
||||
+ {"icmpv6", IPPROTO_ICMPV6},
|
||||
{"esp", IPPROTO_ESP},
|
||||
{"ah", IPPROTO_AH},
|
||||
+ {"mobility-header", IPPROTO_MH},
|
||||
{"ipv6-mh", IPPROTO_MH},
|
||||
{"mh", IPPROTO_MH},
|
||||
{"all", 0},
|
||||
@@ -2097,23 +2098,15 @@ xtables_parse_protocol(const char *s)
|
||||
if (xtables_strtoui(s, NULL, &proto, 0, UINT8_MAX))
|
||||
return proto;
|
||||
|
||||
- /* first deal with the special case of 'all' to prevent
|
||||
- * people from being able to redefine 'all' in nsswitch
|
||||
- * and/or provoke expensive [not working] ldap/nis/...
|
||||
- * lookups */
|
||||
- if (strcmp(s, "all") == 0)
|
||||
- return 0;
|
||||
+ for (i = 0; xtables_chain_protos[i].name != NULL; ++i) {
|
||||
+ if (strcmp(s, xtables_chain_protos[i].name) == 0)
|
||||
+ return xtables_chain_protos[i].num;
|
||||
+ }
|
||||
|
||||
pent = getprotobyname(s);
|
||||
if (pent != NULL)
|
||||
return pent->p_proto;
|
||||
|
||||
- for (i = 0; i < ARRAY_SIZE(xtables_chain_protos); ++i) {
|
||||
- if (xtables_chain_protos[i].name == NULL)
|
||||
- continue;
|
||||
- if (strcmp(s, xtables_chain_protos[i].name) == 0)
|
||||
- return xtables_chain_protos[i].num;
|
||||
- }
|
||||
xt_params->exit_err(PARAMETER_PROBLEM,
|
||||
"unknown protocol \"%s\" specified", s);
|
||||
return -1;
|
||||
--
|
||||
2.34.1
|
||||
|
164
0030-xshared-Merge-and-share-parse_chain.patch
Normal file
164
0030-xshared-Merge-and-share-parse_chain.patch
Normal file
@ -0,0 +1,164 @@
|
||||
From b65a9a258a0fc3c19a64a8426b28f7bcbe438cf5 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 5 Apr 2019 13:21:19 +0200
|
||||
Subject: [PATCH] xshared: Merge and share parse_chain()
|
||||
|
||||
Have a common routine to perform chain name checks, combining all
|
||||
variants' requirements.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 1189d830ea4fd269da87761d400ebabca02e1ef3)
|
||||
|
||||
Conflicts:
|
||||
iptables/ip6tables.c
|
||||
iptables/xshared.c
|
||||
-> Context changes due to missing commit 9dc50b5b8e441
|
||||
("xshared: Merge invflags handling code")
|
||||
---
|
||||
iptables/ip6tables.c | 26 --------------------------
|
||||
iptables/iptables.c | 25 -------------------------
|
||||
iptables/xshared.c | 24 ++++++++++++++++++++++++
|
||||
iptables/xshared.h | 1 +
|
||||
iptables/xtables.c | 9 +--------
|
||||
5 files changed, 26 insertions(+), 59 deletions(-)
|
||||
|
||||
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
|
||||
index c95355b091568..f53d0a8d0f169 100644
|
||||
--- a/iptables/ip6tables.c
|
||||
+++ b/iptables/ip6tables.c
|
||||
@@ -248,32 +248,6 @@ static int is_exthdr(uint16_t proto)
|
||||
proto == IPPROTO_DSTOPTS);
|
||||
}
|
||||
|
||||
-static void
|
||||
-parse_chain(const char *chainname)
|
||||
-{
|
||||
- const char *ptr;
|
||||
-
|
||||
- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "chain name `%s' too long (must be under %u chars)",
|
||||
- chainname, XT_EXTENSION_MAXNAMELEN);
|
||||
-
|
||||
- if (*chainname == '-' || *chainname == '!')
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "chain name not allowed to start "
|
||||
- "with `%c'\n", *chainname);
|
||||
-
|
||||
- if (xtables_find_target(chainname, XTF_TRY_LOAD))
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "chain name may not clash "
|
||||
- "with target name\n");
|
||||
-
|
||||
- for (ptr = chainname; *ptr; ptr++)
|
||||
- if (isspace(*ptr))
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "Invalid chain name `%s'", chainname);
|
||||
-}
|
||||
-
|
||||
static void
|
||||
set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
|
||||
int invert)
|
||||
diff --git a/iptables/iptables.c b/iptables/iptables.c
|
||||
index 7d6183116d265..18cc4f7690a24 100644
|
||||
--- a/iptables/iptables.c
|
||||
+++ b/iptables/iptables.c
|
||||
@@ -239,31 +239,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
|
||||
|
||||
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
|
||||
|
||||
-static void
|
||||
-parse_chain(const char *chainname)
|
||||
-{
|
||||
- const char *ptr;
|
||||
-
|
||||
- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "chain name `%s' too long (must be under %u chars)",
|
||||
- chainname, XT_EXTENSION_MAXNAMELEN);
|
||||
-
|
||||
- if (*chainname == '-' || *chainname == '!')
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "chain name not allowed to start "
|
||||
- "with `%c'\n", *chainname);
|
||||
-
|
||||
- if (xtables_find_target(chainname, XTF_TRY_LOAD))
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "chain name may not clash "
|
||||
- "with target name\n");
|
||||
-
|
||||
- for (ptr = chainname; *ptr; ptr++)
|
||||
- if (isspace(*ptr))
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "Invalid chain name `%s'", chainname);
|
||||
-}
|
||||
|
||||
static void
|
||||
set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index 68aea42146c36..d71724a2591dc 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -853,3 +853,27 @@ char opt2char(int option)
|
||||
|
||||
return *ptr;
|
||||
}
|
||||
+
|
||||
+void parse_chain(const char *chainname)
|
||||
+{
|
||||
+ const char *ptr;
|
||||
+
|
||||
+ if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "chain name `%s' too long (must be under %u chars)",
|
||||
+ chainname, XT_EXTENSION_MAXNAMELEN);
|
||||
+
|
||||
+ if (*chainname == '-' || *chainname == '!')
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "chain name not allowed to start with `%c'\n",
|
||||
+ *chainname);
|
||||
+
|
||||
+ if (xtables_find_target(chainname, XTF_TRY_LOAD))
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "chain name may not clash with target name\n");
|
||||
+
|
||||
+ for (ptr = chainname; *ptr; ptr++)
|
||||
+ if (isspace(*ptr))
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "Invalid chain name `%s'", chainname);
|
||||
+}
|
||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
||||
index 1e86aba8b2375..4f52117d5228d 100644
|
||||
--- a/iptables/xshared.h
|
||||
+++ b/iptables/xshared.h
|
||||
@@ -223,6 +223,7 @@ char cmd2char(int option);
|
||||
void add_command(unsigned int *cmd, const int newcmd,
|
||||
const int othercmds, int invert);
|
||||
int parse_rulenumber(const char *rule);
|
||||
+void parse_chain(const char *chainname);
|
||||
|
||||
void generic_opt_check(int command, int options);
|
||||
char opt2char(int option);
|
||||
diff --git a/iptables/xtables.c b/iptables/xtables.c
|
||||
index 9779bd83d53b3..54f887f80497e 100644
|
||||
--- a/iptables/xtables.c
|
||||
+++ b/iptables/xtables.c
|
||||
@@ -587,14 +587,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
|
||||
break;
|
||||
|
||||
case 'N':
|
||||
- if (optarg && (*optarg == '-' || *optarg == '!'))
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "chain name not allowed to start "
|
||||
- "with `%c'\n", *optarg);
|
||||
- if (xtables_find_target(optarg, XTF_TRY_LOAD))
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "chain name may not clash "
|
||||
- "with target name\n");
|
||||
+ parse_chain(optarg);
|
||||
add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
|
||||
cs->invert);
|
||||
p->chain = optarg;
|
||||
--
|
||||
2.34.1
|
||||
|
113
0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch
Normal file
113
0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch
Normal file
@ -0,0 +1,113 @@
|
||||
From dfd4dc4b930101659aed2d46b3ec70a6df3a520d Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed, 16 Mar 2022 17:14:07 +0100
|
||||
Subject: [PATCH] nft: Reject standard targets as chain names when restoring
|
||||
|
||||
Reuse parse_chain() called from do_parse() for '-N' and rename it for a
|
||||
better description of what it does.
|
||||
|
||||
Note that by itself, this patch will likely kill iptables-restore
|
||||
performance for big rulesets due to the extra extension lookup for chain
|
||||
lines. A following patch announcing those chains to libxtables will
|
||||
alleviate that.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Reviewed-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit b1aee6b2238794446feba41778f88703784560f7)
|
||||
|
||||
Conflicts:
|
||||
iptables/xshared.c
|
||||
-> Parts manually applied due to unmerged do_parse() function.
|
||||
---
|
||||
iptables/ip6tables.c | 2 +-
|
||||
iptables/iptables.c | 2 +-
|
||||
iptables/xshared.c | 2 +-
|
||||
iptables/xshared.h | 2 +-
|
||||
iptables/xtables-restore.c | 5 +----
|
||||
iptables/xtables.c | 2 +-
|
||||
6 files changed, 6 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
|
||||
index f53d0a8d0f169..4422e28276ab5 100644
|
||||
--- a/iptables/ip6tables.c
|
||||
+++ b/iptables/ip6tables.c
|
||||
@@ -1168,7 +1168,7 @@ int do_command6(int argc, char *argv[], char **table,
|
||||
break;
|
||||
|
||||
case 'N':
|
||||
- parse_chain(optarg);
|
||||
+ assert_valid_chain_name(optarg);
|
||||
add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
|
||||
cs.invert);
|
||||
chain = optarg;
|
||||
diff --git a/iptables/iptables.c b/iptables/iptables.c
|
||||
index 18cc4f7690a24..bbb87f16f8d1d 100644
|
||||
--- a/iptables/iptables.c
|
||||
+++ b/iptables/iptables.c
|
||||
@@ -1163,7 +1163,7 @@ int do_command4(int argc, char *argv[], char **table,
|
||||
break;
|
||||
|
||||
case 'N':
|
||||
- parse_chain(optarg);
|
||||
+ assert_valid_chain_name(optarg);
|
||||
add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
|
||||
cs.invert);
|
||||
chain = optarg;
|
||||
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
||||
index d71724a2591dc..171b0bdb7ca27 100644
|
||||
--- a/iptables/xshared.c
|
||||
+++ b/iptables/xshared.c
|
||||
@@ -854,7 +854,7 @@ char opt2char(int option)
|
||||
return *ptr;
|
||||
}
|
||||
|
||||
-void parse_chain(const char *chainname)
|
||||
+void assert_valid_chain_name(const char *chainname)
|
||||
{
|
||||
const char *ptr;
|
||||
|
||||
diff --git a/iptables/xshared.h b/iptables/xshared.h
|
||||
index 4f52117d5228d..84f1a559aafb2 100644
|
||||
--- a/iptables/xshared.h
|
||||
+++ b/iptables/xshared.h
|
||||
@@ -223,7 +223,7 @@ char cmd2char(int option);
|
||||
void add_command(unsigned int *cmd, const int newcmd,
|
||||
const int othercmds, int invert);
|
||||
int parse_rulenumber(const char *rule);
|
||||
-void parse_chain(const char *chainname);
|
||||
+void assert_valid_chain_name(const char *chainname);
|
||||
|
||||
void generic_opt_check(int command, int options);
|
||||
char opt2char(int option);
|
||||
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
|
||||
index d27394972d90c..074efeab0b4e7 100644
|
||||
--- a/iptables/xtables-restore.c
|
||||
+++ b/iptables/xtables-restore.c
|
||||
@@ -155,10 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
|
||||
"%s: line %u chain name invalid\n",
|
||||
xt_params->program_name, line);
|
||||
|
||||
- if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
|
||||
- xtables_error(PARAMETER_PROBLEM,
|
||||
- "Invalid chain name `%s' (%u chars max)",
|
||||
- chain, XT_EXTENSION_MAXNAMELEN - 1);
|
||||
+ assert_valid_chain_name(chain);
|
||||
|
||||
policy = strtok(NULL, " \t\n");
|
||||
DEBUGP("line %u, policy '%s'\n", line, policy);
|
||||
diff --git a/iptables/xtables.c b/iptables/xtables.c
|
||||
index 54f887f80497e..a9b9e12e55c2f 100644
|
||||
--- a/iptables/xtables.c
|
||||
+++ b/iptables/xtables.c
|
||||
@@ -587,7 +587,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
|
||||
break;
|
||||
|
||||
case 'N':
|
||||
- parse_chain(optarg);
|
||||
+ assert_valid_chain_name(optarg);
|
||||
add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
|
||||
cs->invert);
|
||||
p->chain = optarg;
|
||||
--
|
||||
2.34.1
|
||||
|
140
0032-libxtables-Implement-notargets-hash-table.patch
Normal file
140
0032-libxtables-Implement-notargets-hash-table.patch
Normal file
@ -0,0 +1,140 @@
|
||||
From 7241ebe5cff638bb1422448679d672aa52b3c367 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 15 Dec 2020 15:40:56 +0100
|
||||
Subject: [PATCH] libxtables: Implement notargets hash table
|
||||
|
||||
Target lookup is relatively costly due to the filesystem access. Avoid
|
||||
this overhead in huge rulesets which contain many chain jumps by caching
|
||||
the failed lookups into a hashtable for later.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit f58b0d7406451afbb4b9b6c7888990c964fa7c79)
|
||||
---
|
||||
libxtables/xtables.c | 75 ++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 75 insertions(+)
|
||||
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index a991e4fcc9b92..e8e900e869e1e 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -48,6 +48,7 @@
|
||||
#include <linux/netfilter_ipv4/ip_tables.h>
|
||||
#include <linux/netfilter_ipv6/ip6_tables.h>
|
||||
#include <libiptc/libxtc.h>
|
||||
+#include <libiptc/linux_list.h>
|
||||
|
||||
#ifndef NO_SHARED_LIBS
|
||||
#include <dlfcn.h>
|
||||
@@ -242,6 +243,71 @@ static void dlreg_free(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
+struct notarget {
|
||||
+ struct hlist_node node;
|
||||
+ char name[];
|
||||
+};
|
||||
+
|
||||
+#define NOTARGET_HSIZE 512
|
||||
+static struct hlist_head notargets[NOTARGET_HSIZE];
|
||||
+
|
||||
+static void notargets_hlist_init(void)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < NOTARGET_HSIZE; i++)
|
||||
+ INIT_HLIST_HEAD(¬argets[i]);
|
||||
+}
|
||||
+
|
||||
+static void notargets_hlist_free(void)
|
||||
+{
|
||||
+ struct hlist_node *pos, *n;
|
||||
+ struct notarget *cur;
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < NOTARGET_HSIZE; i++) {
|
||||
+ hlist_for_each_entry_safe(cur, pos, n, ¬argets[i], node) {
|
||||
+ hlist_del(&cur->node);
|
||||
+ free(cur);
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static uint32_t djb_hash(const char *key)
|
||||
+{
|
||||
+ uint32_t i, hash = 5381;
|
||||
+
|
||||
+ for (i = 0; i < strlen(key); i++)
|
||||
+ hash = ((hash << 5) + hash) + key[i];
|
||||
+
|
||||
+ return hash;
|
||||
+}
|
||||
+
|
||||
+static struct notarget *notargets_hlist_lookup(const char *name)
|
||||
+{
|
||||
+ uint32_t key = djb_hash(name) % NOTARGET_HSIZE;
|
||||
+ struct hlist_node *node;
|
||||
+ struct notarget *cur;
|
||||
+
|
||||
+ hlist_for_each_entry(cur, node, ¬argets[key], node) {
|
||||
+ if (!strcmp(name, cur->name))
|
||||
+ return cur;
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+static void notargets_hlist_insert(const char *name)
|
||||
+{
|
||||
+ struct notarget *cur;
|
||||
+
|
||||
+ if (!name)
|
||||
+ return;
|
||||
+
|
||||
+ cur = xtables_malloc(sizeof(*cur) + strlen(name) + 1);
|
||||
+ strcpy(cur->name, name);
|
||||
+ hlist_add_head(&cur->node, ¬argets[djb_hash(name) % NOTARGET_HSIZE]);
|
||||
+}
|
||||
+
|
||||
void xtables_init(void)
|
||||
{
|
||||
xtables_libdir = getenv("XTABLES_LIBDIR");
|
||||
@@ -267,6 +333,8 @@ void xtables_init(void)
|
||||
return;
|
||||
}
|
||||
xtables_libdir = XTABLES_LIBDIR;
|
||||
+
|
||||
+ notargets_hlist_init();
|
||||
}
|
||||
|
||||
void xtables_fini(void)
|
||||
@@ -274,6 +342,7 @@ void xtables_fini(void)
|
||||
#ifndef NO_SHARED_LIBS
|
||||
dlreg_free();
|
||||
#endif
|
||||
+ notargets_hlist_free();
|
||||
}
|
||||
|
||||
void xtables_set_nfproto(uint8_t nfproto)
|
||||
@@ -808,6 +877,10 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
||||
|| strcmp(name, XTC_LABEL_QUEUE) == 0
|
||||
|| strcmp(name, XTC_LABEL_RETURN) == 0)
|
||||
name = "standard";
|
||||
+ /* known non-target? */
|
||||
+ else if (notargets_hlist_lookup(name) &&
|
||||
+ tryload != XTF_LOAD_MUST_SUCCEED)
|
||||
+ return NULL;
|
||||
|
||||
/* Trigger delayed initialization */
|
||||
for (dptr = &xtables_pending_targets; *dptr; ) {
|
||||
@@ -871,6 +944,8 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|
||||
|
||||
if (ptr)
|
||||
ptr->used = 1;
|
||||
+ else
|
||||
+ notargets_hlist_insert(name);
|
||||
|
||||
return ptr;
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,86 @@
|
||||
From 2b17d7f73969459ee0d6503f10ac4122452431d1 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri, 4 Mar 2022 12:50:01 +0100
|
||||
Subject: [PATCH] libxtables: Boost rule target checks by announcing chain
|
||||
names
|
||||
|
||||
When restoring a ruleset, feed libxtables with chain names from
|
||||
respective lines to avoid an extension search.
|
||||
|
||||
While the user's intention is clear, this effectively disables the
|
||||
sanity check for clashes with target extensions. But:
|
||||
|
||||
* The check yielded only a warning and the clashing chain was finally
|
||||
accepted.
|
||||
|
||||
* Users crafting iptables dumps for feeding into iptables-restore likely
|
||||
know what they're doing.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Florian Westphal <fw@strlen.de>
|
||||
(cherry picked from commit ac4c84cc63d3cc021ca532692885a644fcde4518)
|
||||
---
|
||||
include/xtables.h | 3 +++
|
||||
iptables/iptables-restore.c | 1 +
|
||||
iptables/xtables-restore.c | 1 +
|
||||
libxtables/xtables.c | 6 ++++++
|
||||
4 files changed, 11 insertions(+)
|
||||
|
||||
diff --git a/include/xtables.h b/include/xtables.h
|
||||
index 107ad7d65e6fc..b5a6764abfa4e 100644
|
||||
--- a/include/xtables.h
|
||||
+++ b/include/xtables.h
|
||||
@@ -637,6 +637,9 @@ void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
|
||||
const char *xt_xlate_get_comment(struct xt_xlate *xl);
|
||||
const char *xt_xlate_get(struct xt_xlate *xl);
|
||||
|
||||
+/* informed target lookups */
|
||||
+void xtables_announce_chain(const char *name);
|
||||
+
|
||||
#ifdef XTABLES_INTERNAL
|
||||
|
||||
/* Shipped modules rely on this... */
|
||||
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
|
||||
index cc2c2b8b10086..a34d95015c93c 100644
|
||||
--- a/iptables/iptables-restore.c
|
||||
+++ b/iptables/iptables-restore.c
|
||||
@@ -311,6 +311,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
|
||||
cb->ops->strerror(errno));
|
||||
}
|
||||
|
||||
+ xtables_announce_chain(chain);
|
||||
ret = 1;
|
||||
|
||||
} else if (in_table) {
|
||||
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
|
||||
index 074efeab0b4e7..7e347e49aaaaa 100644
|
||||
--- a/iptables/xtables-restore.c
|
||||
+++ b/iptables/xtables-restore.c
|
||||
@@ -155,6 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
|
||||
"%s: line %u chain name invalid\n",
|
||||
xt_params->program_name, line);
|
||||
|
||||
+ xtables_announce_chain(chain);
|
||||
assert_valid_chain_name(chain);
|
||||
|
||||
policy = strtok(NULL, " \t\n");
|
||||
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
||||
index e8e900e869e1e..64d347e6ed434 100644
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -308,6 +308,12 @@ static void notargets_hlist_insert(const char *name)
|
||||
hlist_add_head(&cur->node, ¬argets[djb_hash(name) % NOTARGET_HSIZE]);
|
||||
}
|
||||
|
||||
+void xtables_announce_chain(const char *name)
|
||||
+{
|
||||
+ if (!notargets_hlist_lookup(name))
|
||||
+ notargets_hlist_insert(name);
|
||||
+}
|
||||
+
|
||||
void xtables_init(void)
|
||||
{
|
||||
xtables_libdir = getenv("XTABLES_LIBDIR");
|
||||
--
|
||||
2.34.1
|
||||
|
@ -16,7 +16,7 @@ Name: iptables
|
||||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: https://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.7
|
||||
Release: 28%{?dist}
|
||||
Release: 29%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
@ -55,6 +55,13 @@ Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch
|
||||
Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch
|
||||
Patch25: 0025-extensions-SECMARK-Implement-revision-1.patch
|
||||
Patch26: 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||
Patch27: 0027-nft-Simplify-immediate-parsing.patch
|
||||
Patch28: 0028-nft-Speed-up-immediate-parsing.patch
|
||||
Patch29: 0029-xshared-Prefer-xtables_chain_protos-lookup-over-getp.patch
|
||||
Patch30: 0030-xshared-Merge-and-share-parse_chain.patch
|
||||
Patch31: 0031-nft-Reject-standard-targets-as-chain-names-when-rest.patch
|
||||
Patch32: 0032-libxtables-Implement-notargets-hash-table.patch
|
||||
Patch33: 0033-libxtables-Boost-rule-target-checks-by-announcing-ch.patch
|
||||
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic 2.0
|
||||
@ -470,6 +477,15 @@ fi
|
||||
%ghost %{_mandir}/man8/ebtables.8.gz
|
||||
|
||||
%changelog
|
||||
* Fri Mar 18 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-29
|
||||
- libxtables: Boost rule target checks by announcing chain names
|
||||
- libxtables: Implement notargets hash table
|
||||
- nft: Reject standard targets as chain names when restoring
|
||||
- xshared: Merge and share parse_chain()
|
||||
- xshared: Prefer xtables_chain_protos lookup over getprotoent
|
||||
- nft: Speed up immediate parsing
|
||||
- nft: Simplify immediate parsing
|
||||
|
||||
* Wed Feb 16 2022 Phil Sutter <psutter@redhat.com> - 1.8.7-28
|
||||
- extensions: SECMARK: Use a better context in test case
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user