import iptables-1.8.4-20.el8
parent
df2c1b9c8e
commit
b85241e8a3
|
@ -0,0 +1,177 @@
|
|||
From 3bd3af273ccfa550ed50ad19d4bcd04a29b88f5b Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Thu, 29 Apr 2021 15:28:59 +0200
|
||||
Subject: [PATCH] extensions: SECMARK: Implement revision 1
|
||||
|
||||
The changed data structure for communication with kernel allows to
|
||||
exclude the field 'secid' which is populated on kernel side. Thus
|
||||
this fixes the formerly always failing extension comparison breaking
|
||||
rule check and rule delete by content.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
|
||||
---
|
||||
extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
|
||||
extensions/libxt_SECMARK.t | 4 ++
|
||||
include/linux/netfilter/xt_SECMARK.h | 6 ++
|
||||
3 files changed, 80 insertions(+), 20 deletions(-)
|
||||
create mode 100644 extensions/libxt_SECMARK.t
|
||||
|
||||
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
|
||||
index 6ba8606355daa..24249bd618ffe 100644
|
||||
--- a/extensions/libxt_SECMARK.c
|
||||
+++ b/extensions/libxt_SECMARK.c
|
||||
@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
|
||||
XTOPT_TABLEEND,
|
||||
};
|
||||
|
||||
+static const struct xt_option_entry SECMARK_opts_v1[] = {
|
||||
+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
|
||||
+ .flags = XTOPT_MAND | XTOPT_PUT,
|
||||
+ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
|
||||
+ XTOPT_TABLEEND,
|
||||
+};
|
||||
+
|
||||
static void SECMARK_parse(struct xt_option_call *cb)
|
||||
{
|
||||
struct xt_secmark_target_info *info = cb->data;
|
||||
@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
|
||||
info->mode = SECMARK_MODE_SEL;
|
||||
}
|
||||
|
||||
-static void print_secmark(const struct xt_secmark_target_info *info)
|
||||
+static void SECMARK_parse_v1(struct xt_option_call *cb)
|
||||
+{
|
||||
+ struct xt_secmark_target_info_v1 *info = cb->data;
|
||||
+
|
||||
+ xtables_option_parse(cb);
|
||||
+ info->mode = SECMARK_MODE_SEL;
|
||||
+}
|
||||
+
|
||||
+static void print_secmark(__u8 mode, const char *secctx)
|
||||
{
|
||||
- switch (info->mode) {
|
||||
+ switch (mode) {
|
||||
case SECMARK_MODE_SEL:
|
||||
- printf("selctx %s", info->secctx);
|
||||
+ printf("selctx %s", secctx);
|
||||
break;
|
||||
-
|
||||
+
|
||||
default:
|
||||
- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
|
||||
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
|
||||
(struct xt_secmark_target_info*)(target)->data;
|
||||
|
||||
printf(" SECMARK ");
|
||||
- print_secmark(info);
|
||||
+ print_secmark(info->mode, info->secctx);
|
||||
+}
|
||||
+
|
||||
+static void SECMARK_print_v1(const void *ip,
|
||||
+ const struct xt_entry_target *target, int numeric)
|
||||
+{
|
||||
+ const struct xt_secmark_target_info_v1 *info =
|
||||
+ (struct xt_secmark_target_info_v1 *)(target)->data;
|
||||
+
|
||||
+ printf(" SECMARK ");
|
||||
+ print_secmark(info->mode, info->secctx);
|
||||
}
|
||||
|
||||
static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
|
||||
@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
|
||||
(struct xt_secmark_target_info*)target->data;
|
||||
|
||||
printf(" --");
|
||||
- print_secmark(info);
|
||||
+ print_secmark(info->mode, info->secctx);
|
||||
}
|
||||
|
||||
-static struct xtables_target secmark_target = {
|
||||
- .family = NFPROTO_UNSPEC,
|
||||
- .name = "SECMARK",
|
||||
- .version = XTABLES_VERSION,
|
||||
- .revision = 0,
|
||||
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||||
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||||
- .help = SECMARK_help,
|
||||
- .print = SECMARK_print,
|
||||
- .save = SECMARK_save,
|
||||
- .x6_parse = SECMARK_parse,
|
||||
- .x6_options = SECMARK_opts,
|
||||
+static void SECMARK_save_v1(const void *ip,
|
||||
+ const struct xt_entry_target *target)
|
||||
+{
|
||||
+ const struct xt_secmark_target_info_v1 *info =
|
||||
+ (struct xt_secmark_target_info_v1 *)target->data;
|
||||
+
|
||||
+ printf(" --");
|
||||
+ print_secmark(info->mode, info->secctx);
|
||||
+}
|
||||
+
|
||||
+static struct xtables_target secmark_tg_reg[] = {
|
||||
+ {
|
||||
+ .family = NFPROTO_UNSPEC,
|
||||
+ .name = "SECMARK",
|
||||
+ .version = XTABLES_VERSION,
|
||||
+ .revision = 0,
|
||||
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||||
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
||||
+ .help = SECMARK_help,
|
||||
+ .print = SECMARK_print,
|
||||
+ .save = SECMARK_save,
|
||||
+ .x6_parse = SECMARK_parse,
|
||||
+ .x6_options = SECMARK_opts,
|
||||
+ },
|
||||
+ {
|
||||
+ .family = NFPROTO_UNSPEC,
|
||||
+ .name = "SECMARK",
|
||||
+ .version = XTABLES_VERSION,
|
||||
+ .revision = 1,
|
||||
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
|
||||
+ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
|
||||
+ .help = SECMARK_help,
|
||||
+ .print = SECMARK_print_v1,
|
||||
+ .save = SECMARK_save_v1,
|
||||
+ .x6_parse = SECMARK_parse_v1,
|
||||
+ .x6_options = SECMARK_opts_v1,
|
||||
+ }
|
||||
};
|
||||
|
||||
void _init(void)
|
||||
{
|
||||
- xtables_register_target(&secmark_target);
|
||||
+ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
|
||||
}
|
||||
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
|
||||
new file mode 100644
|
||||
index 0000000000000..39d4c09348bf4
|
||||
--- /dev/null
|
||||
+++ b/extensions/libxt_SECMARK.t
|
||||
@@ -0,0 +1,4 @@
|
||||
+:INPUT,FORWARD,OUTPUT
|
||||
+*security
|
||||
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
|
||||
+-j SECMARK;;FAIL
|
||||
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
|
||||
index 989092bd6274b..31760a286a854 100644
|
||||
--- a/include/linux/netfilter/xt_SECMARK.h
|
||||
+++ b/include/linux/netfilter/xt_SECMARK.h
|
||||
@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
|
||||
char secctx[SECMARK_SECCTX_MAX];
|
||||
};
|
||||
|
||||
+struct xt_secmark_target_info_v1 {
|
||||
+ __u8 mode;
|
||||
+ char secctx[SECMARK_SECCTX_MAX];
|
||||
+ __u32 secid;
|
||||
+};
|
||||
+
|
||||
#endif /*_XT_SECMARK_H_target */
|
||||
--
|
||||
2.31.1
|
||||
|
|
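Review bot: `.userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid))` is meant to keep the kernel-populated `secid` out of the rule comparison, but in the layout added to xt_SECMARK.h (`__u8 mode`, `char secctx[SECMARK_SECCTX_MAX]`, then `__u32 secid`) the field follows the alignment padding directly, so where XT_ALIGN rounds to an 8-byte boundary the value equals the struct's `sizeof` and the userspace memcmp still includes `secid`. The comparison then appears to depend on the kernel clearing bytes beyond its own usersize when it copies the target back, which deserves a comment on that initializer, e.g. `/* secid is filled in by the kernel; XT_ALIGN may round this up to sizeof, so exclusion also relies on the kernel zeroing it on copy-out */`. Separately, `print_secmark` prints `secctx` with an unbounded `%s`; `printf("selctx %.*s", SECMARK_SECCTX_MAX, secctx)` keeps the output bounded should an unterminated context ever come back from the kernel.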
@ -0,0 +1,80 @@
|
|||
From b675a15b70215deab520ef1a8e52edad9129328e Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 4 May 2021 16:03:24 +0200
|
||||
Subject: [PATCH] extensions: sctp: Fix nftables translation
|
||||
|
||||
If both sport and dport was present, incorrect nft syntax was generated.
|
||||
|
||||
Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
|
||||
---
|
||||
extensions/libxt_sctp.c | 10 ++++------
|
||||
extensions/libxt_sctp.txlate | 10 +++++-----
|
||||
2 files changed, 9 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||
index 140de2653b1ef..ee4e99ebf11bf 100644
|
||||
--- a/extensions/libxt_sctp.c
|
||||
+++ b/extensions/libxt_sctp.c
|
||||
@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
|
||||
if (!einfo->flags)
|
||||
return 0;
|
||||
|
||||
- xt_xlate_add(xl, "sctp ");
|
||||
-
|
||||
if (einfo->flags & XT_SCTP_SRC_PORTS) {
|
||||
if (einfo->spts[0] != einfo->spts[1])
|
||||
- xt_xlate_add(xl, "sport%s %u-%u",
|
||||
+ xt_xlate_add(xl, "sctp sport%s %u-%u",
|
||||
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
|
||||
einfo->spts[0], einfo->spts[1]);
|
||||
else
|
||||
- xt_xlate_add(xl, "sport%s %u",
|
||||
+ xt_xlate_add(xl, "sctp sport%s %u",
|
||||
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
|
||||
einfo->spts[0]);
|
||||
space = " ";
|
||||
@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
|
||||
|
||||
if (einfo->flags & XT_SCTP_DEST_PORTS) {
|
||||
if (einfo->dpts[0] != einfo->dpts[1])
|
||||
- xt_xlate_add(xl, "%sdport%s %u-%u", space,
|
||||
+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
|
||||
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
||||
einfo->dpts[0], einfo->dpts[1]);
|
||||
else
|
||||
- xt_xlate_add(xl, "%sdport%s %u", space,
|
||||
+ xt_xlate_add(xl, "%ssctp dport%s %u", space,
|
||||
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
||||
einfo->dpts[0]);
|
||||
}
|
||||
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
|
||||
index 72f4641ab021c..0d6c59e183675 100644
|
||||
--- a/extensions/libxt_sctp.txlate
|
||||
+++ b/extensions/libxt_sctp.txlate
|
||||
@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
|
||||
nft add rule ip filter INPUT sctp dport != 50-56 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
|
||||
-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
|
||||
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -0,0 +1,159 @@
|
|||
From 48f38c4224f31d19176df83539501292fcc6092b Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <phil@nwl.cc>
|
||||
Date: Tue, 4 May 2021 16:26:42 +0200
|
||||
Subject: [PATCH] extensions: sctp: Translate --chunk-types option
|
||||
|
||||
The translation is not fully complete as it is not possible to map 'any'
|
||||
match type into nft syntax with a single rule. Also, 'only' match type
|
||||
translation is a bit poor as it explicitly lists all chunk types that
|
||||
are supposed to be missing.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
(cherry picked from commit 5818be177110a09120dd8fe4bd2533acbf8da301)
|
||||
---
|
||||
extensions/libxt_sctp.c | 91 ++++++++++++++++++++++++++++--------
|
||||
extensions/libxt_sctp.txlate | 6 +++
|
||||
2 files changed, 78 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
|
||||
index ee4e99ebf11bf..5d8ab85cacf42 100644
|
||||
--- a/extensions/libxt_sctp.c
|
||||
+++ b/extensions/libxt_sctp.c
|
||||
@@ -92,28 +92,29 @@ struct sctp_chunk_names {
|
||||
const char *name;
|
||||
unsigned int chunk_type;
|
||||
const char *valid_flags;
|
||||
+ const char *nftname;
|
||||
};
|
||||
|
||||
/*'ALL' and 'NONE' will be treated specially. */
|
||||
static const struct sctp_chunk_names sctp_chunk_names[]
|
||||
-= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"},
|
||||
- { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"},
|
||||
- { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"},
|
||||
- { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"},
|
||||
- { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"},
|
||||
- { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"},
|
||||
- { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"},
|
||||
- { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"},
|
||||
- { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"},
|
||||
- { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"},
|
||||
- { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"},
|
||||
- { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"},
|
||||
- { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"},
|
||||
- { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"},
|
||||
- { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"},
|
||||
- { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"},
|
||||
- { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"},
|
||||
- { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"},
|
||||
+= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE", .nftname = "data" },
|
||||
+ { .name = "INIT", .chunk_type = 1, .valid_flags = "--------", .nftname = "init" },
|
||||
+ { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------", .nftname = "init-ack" },
|
||||
+ { .name = "SACK", .chunk_type = 3, .valid_flags = "--------", .nftname = "sack" },
|
||||
+ { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------", .nftname = "heartbeat" },
|
||||
+ { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------", .nftname = "heartbeat-ack" },
|
||||
+ { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T", .nftname = "abort" },
|
||||
+ { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------", .nftname = "shutdown" },
|
||||
+ { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------", .nftname = "shutdown-ack" },
|
||||
+ { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------", .nftname = "error" },
|
||||
+ { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------", .nftname = "cookie-echo" },
|
||||
+ { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------", .nftname = "cookie-ack" },
|
||||
+ { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------", .nftname = "ecne" },
|
||||
+ { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------", .nftname = "cwr" },
|
||||
+ { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T", .nftname = "shutdown-complete" },
|
||||
+ { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------", .nftname = "asconf" },
|
||||
+ { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------", .nftname = "asconf-ack" },
|
||||
+ { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------", .nftname = "forward-tsn" },
|
||||
};
|
||||
|
||||
static void
|
||||
@@ -485,12 +486,52 @@ static void sctp_save(const void *ip, const struct xt_entry_match *match)
|
||||
}
|
||||
}
|
||||
|
||||
+static const char *sctp_xlate_chunk(struct xt_xlate *xl, const char *space,
|
||||
+ const struct xt_sctp_info *einfo,
|
||||
+ const struct sctp_chunk_names *scn)
|
||||
+{
|
||||
+ bool inv = einfo->invflags & XT_SCTP_CHUNK_TYPES;
|
||||
+ const struct xt_sctp_flag_info *flag_info = NULL;
|
||||
+ int i;
|
||||
+
|
||||
+ if (!scn->nftname)
|
||||
+ return space;
|
||||
+
|
||||
+ if (!SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, scn->chunk_type)) {
|
||||
+ if (einfo->chunk_match_type != SCTP_CHUNK_MATCH_ONLY)
|
||||
+ return space;
|
||||
+
|
||||
+ xt_xlate_add(xl, "%ssctp chunk %s %s", space,
|
||||
+ scn->nftname, inv ? "exists" : "missing");
|
||||
+ return " ";
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < einfo->flag_count; i++) {
|
||||
+ if (einfo->flag_info[i].chunktype == scn->chunk_type) {
|
||||
+ flag_info = &einfo->flag_info[i];
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!flag_info) {
|
||||
+ xt_xlate_add(xl, "%ssctp chunk %s %s", space,
|
||||
+ scn->nftname, inv ? "missing" : "exists");
|
||||
+ return " ";
|
||||
+ }
|
||||
+
|
||||
+ xt_xlate_add(xl, "%ssctp chunk %s flags & 0x%x %s 0x%x", space,
|
||||
+ scn->nftname, flag_info->flag_mask,
|
||||
+ inv ? "!=" : "==", flag_info->flag);
|
||||
+
|
||||
+ return " ";
|
||||
+}
|
||||
+
|
||||
static int sctp_xlate(struct xt_xlate *xl,
|
||||
const struct xt_xlate_mt_params *params)
|
||||
{
|
||||
const struct xt_sctp_info *einfo =
|
||||
(const struct xt_sctp_info *)params->match->data;
|
||||
- char *space = "";
|
||||
+ const char *space = "";
|
||||
|
||||
if (!einfo->flags)
|
||||
return 0;
|
||||
@@ -516,6 +557,18 @@ static int sctp_xlate(struct xt_xlate *xl,
|
||||
xt_xlate_add(xl, "%ssctp dport%s %u", space,
|
||||
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
|
||||
einfo->dpts[0]);
|
||||
+ space = " ";
|
||||
+ }
|
||||
+
|
||||
+ if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
|
||||
+ int i;
|
||||
+
|
||||
+ if (einfo->chunk_match_type == SCTP_CHUNK_MATCH_ANY)
|
||||
+ return 0;
|
||||
+
|
||||
+ for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); i++)
|
||||
+ space = sctp_xlate_chunk(xl, space, einfo,
|
||||
+ &sctp_chunk_names[i]);
|
||||
}
|
||||
|
||||
return 1;
|
||||
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
|
||||
index 0d6c59e183675..bb817525db8d8 100644
|
||||
--- a/extensions/libxt_sctp.txlate
|
||||
+++ b/extensions/libxt_sctp.txlate
|
||||
@@ -36,3 +36,9 @@ nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
|
||||
|
||||
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
|
||||
nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
|
||||
+
|
||||
+iptables-translate -A INPUT -p sctp --chunk-types all INIT,DATA:iUbE,SACK,ABORT:T -j ACCEPT
|
||||
+nft add rule ip filter INPUT sctp chunk data flags & 0xf == 0x5 sctp chunk init exists sctp chunk sack exists sctp chunk abort flags & 0x1 == 0x1 counter accept
|
||||
+
|
||||
+iptables-translate -A INPUT -p sctp --chunk-types only SHUTDOWN_COMPLETE -j ACCEPT
|
||||
+nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing counter accept
|
||||
--
|
||||
2.31.1
|
||||
|
|
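Review bot: The inverted case in `sctp_xlate_chunk` negates each per-chunk test on its own (`inv ? "missing" : "exists"`, and `!=` in the flags form), but nft ANDs the emitted terms and the negation of a conjunction is a disjunction, so for `! --chunk-types all` with more than one chunk, and for any inverted `only` match (which emits a term for every chunk), the translated rule presumably matches a different packet set than the iptables rule; the flags form looks affected even for a single chunk, since `flags & mask != flag` cannot fire when the chunk is absent. A single nft rule cannot express the disjunction, so `sctp_xlate` should return 0 for an inverted chunk match unless it is `SCTP_CHUNK_MATCH_ALL` with exactly one chunk set and no flag entries, the way the 'any' case is already refused. `sctp_xlate` begins and ends outside the hunk.
```c
	if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
		bool inv = einfo->invflags & XT_SCTP_CHUNK_TYPES;
		int i, nset = 0;

		if (einfo->chunk_match_type == SCTP_CHUNK_MATCH_ANY)
			return 0;

		for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); i++)
			nset += SCTP_CHUNKMAP_IS_SET(einfo->chunkmap,
						     sctp_chunk_names[i].chunk_type) ? 1 : 0;

		/* nft ANDs the per-chunk terms; an inverted match would need
		 * their disjunction, which one rule cannot express, so only
		 * the single-chunk, flag-less 'all' case is translated */
		if (inv && (einfo->chunk_match_type != SCTP_CHUNK_MATCH_ALL ||
			    nset != 1 || einfo->flag_count))
			return 0;

		for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); i++)
			space = sctp_xlate_chunk(xl, space, einfo,
						 &sctp_chunk_names[i]);
	}
	/* … unchanged: return 1 … */
```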
@ -0,0 +1,26 @@
|
|||
From 2a45c01c4d3892871b3d3d6b67d10cb62abc561e Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 21:51:49 +0200
|
||||
Subject: [PATCH] extensions: SECMARK: Use a better context in test case
|
||||
|
||||
RHEL SELinux policies don't allow setting
|
||||
system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
|
||||
'packet_type' attribute (identified via
|
||||
'seinfo -xt | grep packet_type').
|
||||
---
|
||||
extensions/libxt_SECMARK.t | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
|
||||
index 39d4c09348bf4..295e7a7244902 100644
|
||||
--- a/extensions/libxt_SECMARK.t
|
||||
+++ b/extensions/libxt_SECMARK.t
|
||||
@@ -1,4 +1,4 @@
|
||||
:INPUT,FORWARD,OUTPUT
|
||||
*security
|
||||
--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
|
||||
+-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
|
||||
-j SECMARK;;FAIL
|
||||
--
|
||||
2.31.1
|
||||
|
|
@ -0,0 +1,77 @@
|
|||
From 681cb811e4cb8c5f22fd0fae60a3533289657705 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 4 Aug 2021 17:14:05 +0200
|
||||
Subject: [PATCH] nft: cache: Retry if kernel returns EINTR
|
||||
|
||||
In case of parallel ruleset updates, recvfrom() calls may return EINTR.
|
||||
Due to the fact that cache fetches may get triggered while iterating
|
||||
over cache elements, __nft_build_cache must not restart based on
|
||||
comparing before and after generation ID like upstream does. Instead,
|
||||
just retry the recvfrom() calls until they either succeed or return a
|
||||
different error than EINTR.
|
||||
---
|
||||
iptables/nft-cache.c | 18 ++++++++++++++----
|
||||
1 file changed, 14 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
|
||||
index 9623b463f0dd5..699dc66a95cd1 100644
|
||||
--- a/iptables/nft-cache.c
|
||||
+++ b/iptables/nft-cache.c
|
||||
@@ -98,9 +98,12 @@ static int fetch_table_cache(struct nft_handle *h)
|
||||
nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family,
|
||||
NLM_F_DUMP, h->seq);
|
||||
|
||||
+retry:
|
||||
ret = mnl_talk(h, nlh, nftnl_table_list_cb, list);
|
||||
- if (ret < 0 && errno == EINTR)
|
||||
+ if (ret < 0 && errno == EINTR) {
|
||||
assert(nft_restart(h) >= 0);
|
||||
+ goto retry;
|
||||
+ }
|
||||
|
||||
h->cache->tables = list;
|
||||
|
||||
@@ -275,10 +278,11 @@ static int fetch_set_cache(struct nft_handle *h,
|
||||
NLM_F_DUMP, h->seq);
|
||||
}
|
||||
|
||||
+retry:
|
||||
ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
|
||||
if (ret < 0 && errno == EINTR) {
|
||||
assert(nft_restart(h) >= 0);
|
||||
- return ret;
|
||||
+ goto retry;
|
||||
}
|
||||
|
||||
if (t && set) {
|
||||
@@ -355,9 +359,12 @@ static int fetch_chain_cache(struct nft_handle *h,
|
||||
h->seq);
|
||||
}
|
||||
|
||||
+retry:
|
||||
ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
|
||||
- if (ret < 0 && errno == EINTR)
|
||||
+ if (ret < 0 && errno == EINTR) {
|
||||
assert(nft_restart(h) >= 0);
|
||||
+ goto retry;
|
||||
+ }
|
||||
|
||||
return ret;
|
||||
}
|
||||
@@ -404,9 +411,12 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data)
|
||||
NLM_F_DUMP, h->seq);
|
||||
nftnl_rule_nlmsg_build_payload(nlh, rule);
|
||||
|
||||
+retry:
|
||||
ret = mnl_talk(h, nlh, nftnl_rule_list_cb, c);
|
||||
- if (ret < 0 && errno == EINTR)
|
||||
+ if (ret < 0 && errno == EINTR) {
|
||||
assert(nft_restart(h) >= 0);
|
||||
+ goto retry;
|
||||
+ }
|
||||
|
||||
nftnl_rule_free(rule);
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
|
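Review bot: The new `retry:` loop in `fetch_table_cache` is unbounded: every EINTR from `mnl_talk` re-issues the dump with no attempt cap or backoff, so a peer that keeps the ruleset changing can hold the caller in this loop indefinitely, and the same applies to the loops added in `fetch_set_cache`, `fetch_chain_cache` and `nft_rule_list_update`. The loop also now relies on the side effect inside `assert(nft_restart(h) >= 0);` — under NDEBUG that call disappears and the retry reuses the failed handle state — so lift it out, `int rc = nft_restart(h); assert(rc >= 0);`, and count attempts, e.g. `if (ret < 0 && errno == EINTR && ++retries < EINTR_RETRY_LIMIT) { ... goto retry; }` with the limit declared as a named constant rather than a literal. All four hunks cut their functions mid-body, so the surrounding error handling is outside view.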
@ -17,7 +17,7 @@ Name: iptables
|
|||
Summary: Tools for managing Linux kernel packet filtering capabilities
|
||||
URL: http://www.netfilter.org/projects/iptables
|
||||
Version: 1.8.4
|
||||
Release: 19%{?dist}
|
||||
Release: 20%{?dist}
|
||||
Source: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: iptables.init
|
||||
Source2: iptables-config
|
||||
|
@ -87,6 +87,11 @@ Patch50: 0050-xtables-translate-Fix-translation-of-odd-netmasks.patch
|
|||
Patch51: 0051-Eliminate-inet_aton-and-inet_ntoa.patch
|
||||
Patch52: 0052-xtables-arp-Don-t-use-ARPT_INV_.patch
|
||||
Patch53: 0053-nft-arp-Make-use-of-ipv4_addr_to_string.patch
|
||||
Patch54: 0054-extensions-SECMARK-Implement-revision-1.patch
|
||||
Patch55: 0055-extensions-sctp-Fix-nftables-translation.patch
|
||||
Patch56: 0056-extensions-sctp-Translate-chunk-types-option.patch
|
||||
Patch57: 0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||
Patch58: 0058-nft-cache-Retry-if-kernel-returns-EINTR.patch
|
||||
|
||||
# pf.os: ISC license
|
||||
# iptables-apply: Artistic Licence 2.0
|
||||
|
@ -495,6 +500,13 @@ done
|
|||
%doc %{_mandir}/man8/ebtables*.8*
|
||||
|
||||
%changelog
|
||||
* Wed Aug 04 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-20
|
||||
- extensions: SECMARK: Use a better context in test case
|
||||
- extensions: sctp: Translate --chunk-types option
|
||||
- extensions: sctp: Fix nftables translation
|
||||
- extensions: SECMARK: Implement revision 1
|
||||
- nft: cache: Retry if kernel returns EINTR
|
||||
|
||||
* Fri Jun 18 2021 Phil Sutter <psutter@redhat.com> - 1.8.4-19
|
||||
- Fix for rpminspect results
|
||||
|
||||
|
|