From b85241e8a3b1cf5050080e363a27d2f86e04067d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 24 Aug 2021 22:29:45 +0000
Subject: [PATCH] import iptables-1.8.4-20.el8

---
 ...ensions-SECMARK-Implement-revision-1.patch | 177 ++++++++++++++++++
 ...nsions-sctp-Fix-nftables-translation.patch | 80 ++++++++
 ...ns-sctp-Translate-chunk-types-option.patch | 159 ++++++++++++++++
 ...RK-Use-a-better-context-in-test-case.patch | 26 +++
 ...-cache-Retry-if-kernel-returns-EINTR.patch | 77 ++++++++
 SPECS/iptables.spec | 14 +-
 6 files changed, 532 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0054-extensions-SECMARK-Implement-revision-1.patch
 create mode 100644 SOURCES/0055-extensions-sctp-Fix-nftables-translation.patch
 create mode 100644 SOURCES/0056-extensions-sctp-Translate-chunk-types-option.patch
 create mode 100644 SOURCES/0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 create mode 100644 SOURCES/0058-nft-cache-Retry-if-kernel-returns-EINTR.patch

diff --git a/SOURCES/0054-extensions-SECMARK-Implement-revision-1.patch b/SOURCES/0054-extensions-SECMARK-Implement-revision-1.patch
new file mode 100644
index 0000000..b271812
--- /dev/null
+++ b/SOURCES/0054-extensions-SECMARK-Implement-revision-1.patch
@@ -0,0 +1,177 @@ +From 3bd3af273ccfa550ed50ad19d4bcd04a29b88f5b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 29 Apr 2021 15:28:59 +0200 +Subject: [PATCH] extensions: SECMARK: Implement revision 1 + +The changed data structure for communication with kernel allows to +exclude the field 'secid' which is populated on kernel side. Thus +this fixes the formerly always failing extension comparison breaking +rule check and rule delete by content. + +Signed-off-by: Phil Sutter +(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72) +--- + extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++------- + extensions/libxt_SECMARK.t | 4 ++ + include/linux/netfilter/xt_SECMARK.h | 6 ++ + 3 files changed, 80 insertions(+), 20 deletions(-) + create mode 100644 extensions/libxt_SECMARK.t + +diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c +index 6ba8606355daa..24249bd618ffe 100644 +--- a/extensions/libxt_SECMARK.c ++++ b/extensions/libxt_SECMARK.c +@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = { + XTOPT_TABLEEND, + }; + ++static const struct xt_option_entry SECMARK_opts_v1[] = { ++ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING, ++ .flags = XTOPT_MAND | XTOPT_PUT, ++ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)}, ++ XTOPT_TABLEEND, ++}; ++ + static void SECMARK_parse(struct xt_option_call *cb) + { + struct xt_secmark_target_info *info = cb->data; +@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb) + info->mode = SECMARK_MODE_SEL; + } + +-static void print_secmark(const struct xt_secmark_target_info *info) ++static void SECMARK_parse_v1(struct xt_option_call *cb) ++{ ++ struct xt_secmark_target_info_v1 *info = cb->data; ++ ++ xtables_option_parse(cb); ++ info->mode = SECMARK_MODE_SEL; ++} ++ ++static void print_secmark(__u8 mode, const char *secctx) + { +- switch (info->mode) { ++ switch (mode) { + case SECMARK_MODE_SEL: +- printf("selctx %s", info->secctx); ++ 
printf("selctx %s", secctx); + break; +- ++ + default: +- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode); ++ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode); + } + } + +@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target, + (struct xt_secmark_target_info*)(target)->data; + + printf(" SECMARK "); +- print_secmark(info); ++ print_secmark(info->mode, info->secctx); ++} ++ ++static void SECMARK_print_v1(const void *ip, ++ const struct xt_entry_target *target, int numeric) ++{ ++ const struct xt_secmark_target_info_v1 *info = ++ (struct xt_secmark_target_info_v1 *)(target)->data; ++ ++ printf(" SECMARK "); ++ print_secmark(info->mode, info->secctx); + } + + static void SECMARK_save(const void *ip, const struct xt_entry_target *target) +@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target) + (struct xt_secmark_target_info*)target->data; + + printf(" --"); +- print_secmark(info); ++ print_secmark(info->mode, info->secctx); + } + +-static struct xtables_target secmark_target = { +- .family = NFPROTO_UNSPEC, +- .name = "SECMARK", +- .version = XTABLES_VERSION, +- .revision = 0, +- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)), +- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)), +- .help = SECMARK_help, +- .print = SECMARK_print, +- .save = SECMARK_save, +- .x6_parse = SECMARK_parse, +- .x6_options = SECMARK_opts, ++static void SECMARK_save_v1(const void *ip, ++ const struct xt_entry_target *target) ++{ ++ const struct xt_secmark_target_info_v1 *info = ++ (struct xt_secmark_target_info_v1 *)target->data; ++ ++ printf(" --"); ++ print_secmark(info->mode, info->secctx); ++} ++ ++static struct xtables_target secmark_tg_reg[] = { ++ { ++ .family = NFPROTO_UNSPEC, ++ .name = "SECMARK", ++ .version = XTABLES_VERSION, ++ .revision = 0, ++ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)), ++ .userspacesize = 
XT_ALIGN(sizeof(struct xt_secmark_target_info)), ++ .help = SECMARK_help, ++ .print = SECMARK_print, ++ .save = SECMARK_save, ++ .x6_parse = SECMARK_parse, ++ .x6_options = SECMARK_opts, ++ }, ++ { ++ .family = NFPROTO_UNSPEC, ++ .name = "SECMARK", ++ .version = XTABLES_VERSION, ++ .revision = 1, ++ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)), ++ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)), ++ .help = SECMARK_help, ++ .print = SECMARK_print_v1, ++ .save = SECMARK_save_v1, ++ .x6_parse = SECMARK_parse_v1, ++ .x6_options = SECMARK_opts_v1, ++ } + }; + + void _init(void) + { +- xtables_register_target(&secmark_target); ++ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg)); + } +diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t +new file mode 100644 +index 0000000000000..39d4c09348bf4 +--- /dev/null ++++ b/extensions/libxt_SECMARK.t +@@ -0,0 +1,4 @@ ++:INPUT,FORWARD,OUTPUT ++*security ++-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK ++-j SECMARK;;FAIL +diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h +index 989092bd6274b..31760a286a854 100644 +--- a/include/linux/netfilter/xt_SECMARK.h ++++ b/include/linux/netfilter/xt_SECMARK.h +@@ -19,4 +19,10 @@ struct xt_secmark_target_info { + char secctx[SECMARK_SECCTX_MAX]; + }; + ++struct xt_secmark_target_info_v1 { ++ __u8 mode; ++ char secctx[SECMARK_SECCTX_MAX]; ++ __u32 secid; ++}; ++ + #endif /*_XT_SECMARK_H_target */ +-- +2.31.1 + diff --git a/SOURCES/0055-extensions-sctp-Fix-nftables-translation.patch b/SOURCES/0055-extensions-sctp-Fix-nftables-translation.patch new file mode 100644 index 0000000..5253354 --- /dev/null +++ b/SOURCES/0055-extensions-sctp-Fix-nftables-translation.patch 
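Review bot: The revision-1 `.userspacesize` may not actually exclude `secid`: with `mode` (1 byte) followed by `secctx[SECMARK_SECCTX_MAX]` (256 in the kernel header), `offsetof(struct xt_secmark_target_info_v1, secid)` is 260 and `XT_ALIGN()` rounds that up to 264 on any 64-bit build where `struct _xt_align` has 8-byte alignment — which is also the full `sizeof` of the struct — so the kernel-populated `secid` would still take part in the `memcmp` that rule check and delete-by-content rely on. Other extensions pass an unaligned `offsetof()` for a trailing kernel-only field, so `.userspacesize = offsetof(struct xt_secmark_target_info_v1, secid),` looks like the intended value; worth confirming with a `-C` of a SECMARK rule on a 64-bit host before relying on the fix. Either way, a comment such as `/* secid is filled in by the kernel; keep it out of rule comparison */` above that initializer would record why `.size` and `.userspacesize` differ. Minor: `SECMARK_print_v1` and `SECMARK_save_v1` copy the existing habit of casting away `const` from `target->data` only to assign to a `const` pointer; the cast should keep the qualifier, `(const struct xt_secmark_target_info_v1 *)target->data`.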
@@ -0,0 +1,80 @@ +From b675a15b70215deab520ef1a8e52edad9129328e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 4 May 2021 16:03:24 +0200 +Subject: [PATCH] extensions: sctp: Fix nftables translation + +If both sport and dport was present, incorrect nft syntax was generated. + +Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft") +Signed-off-by: Phil Sutter +(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167) +--- + extensions/libxt_sctp.c | 10 ++++------ + extensions/libxt_sctp.txlate | 10 +++++----- + 2 files changed, 9 insertions(+), 11 deletions(-) + +diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c +index 140de2653b1ef..ee4e99ebf11bf 100644 +--- a/extensions/libxt_sctp.c ++++ b/extensions/libxt_sctp.c +@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl, + if (!einfo->flags) + return 0; + +- xt_xlate_add(xl, "sctp "); +- + if (einfo->flags & XT_SCTP_SRC_PORTS) { + if (einfo->spts[0] != einfo->spts[1]) +- xt_xlate_add(xl, "sport%s %u-%u", ++ xt_xlate_add(xl, "sctp sport%s %u-%u", + einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", + einfo->spts[0], einfo->spts[1]); + else +- xt_xlate_add(xl, "sport%s %u", ++ xt_xlate_add(xl, "sctp sport%s %u", + einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "", + einfo->spts[0]); + space = " "; +@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl, + + if (einfo->flags & XT_SCTP_DEST_PORTS) { + if (einfo->dpts[0] != einfo->dpts[1]) +- xt_xlate_add(xl, "%sdport%s %u-%u", space, ++ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space, + einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", + einfo->dpts[0], einfo->dpts[1]); + else +- xt_xlate_add(xl, "%sdport%s %u", space, ++ xt_xlate_add(xl, "%ssctp dport%s %u", space, + einfo->invflags & XT_SCTP_DEST_PORTS ? 
" !=" : "", + einfo->dpts[0]); + } +diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate +index 72f4641ab021c..0d6c59e183675 100644 +--- a/extensions/libxt_sctp.txlate ++++ b/extensions/libxt_sctp.txlate +@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT + nft add rule ip filter INPUT sctp dport != 50-56 counter accept + + iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT +-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept ++nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept + + iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT +-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept ++nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept + + iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT +-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept ++nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept + + iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT +-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept ++nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept + + iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT +-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept ++nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept +-- +2.31.1 + diff --git a/SOURCES/0056-extensions-sctp-Translate-chunk-types-option.patch b/SOURCES/0056-extensions-sctp-Translate-chunk-types-option.patch new file mode 100644 index 0000000..9a23f2c --- /dev/null +++ b/SOURCES/0056-extensions-sctp-Translate-chunk-types-option.patch 
@@ -0,0 +1,159 @@ +From 48f38c4224f31d19176df83539501292fcc6092b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 4 May 2021 16:26:42 +0200 +Subject: [PATCH] extensions: sctp: Translate --chunk-types option + +The translation is not fully complete as it is not possible to map 'any' +match type into nft syntax with a single rule. Also, 'only' match type +translation is a bit poor as it explicitly lists all chunk types that +are supposed to be missing. + +Signed-off-by: Phil Sutter +(cherry picked from commit 5818be177110a09120dd8fe4bd2533acbf8da301) +--- + extensions/libxt_sctp.c | 91 ++++++++++++++++++++++++++++-------- + extensions/libxt_sctp.txlate | 6 +++ + 2 files changed, 78 insertions(+), 19 deletions(-) + +diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c +index ee4e99ebf11bf..5d8ab85cacf42 100644 +--- a/extensions/libxt_sctp.c ++++ b/extensions/libxt_sctp.c +@@ -92,28 +92,29 @@ struct sctp_chunk_names { + const char *name; + unsigned int chunk_type; + const char *valid_flags; ++ const char *nftname; + }; + + /*'ALL' and 'NONE' will be treated specially. 
*/ + static const struct sctp_chunk_names sctp_chunk_names[] +-= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"}, +- { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"}, +- { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"}, +- { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"}, +- { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"}, +- { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"}, +- { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"}, +- { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"}, +- { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"}, +- { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"}, +- { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"}, +- { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"}, +- { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"}, +- { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"}, +- { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"}, +- { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"}, +- { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"}, +- { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"}, ++= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE", .nftname = "data" }, ++ { .name = "INIT", .chunk_type = 1, .valid_flags = "--------", .nftname = "init" }, ++ { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------", .nftname = "init-ack" }, ++ { .name = "SACK", .chunk_type = 3, .valid_flags = "--------", .nftname = "sack" }, ++ { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------", .nftname = "heartbeat" }, ++ { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------", .nftname = "heartbeat-ack" }, ++ { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T", .nftname = "abort" }, ++ { .name = 
"SHUTDOWN", .chunk_type = 7, .valid_flags = "--------", .nftname = "shutdown" }, ++ { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------", .nftname = "shutdown-ack" }, ++ { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------", .nftname = "error" }, ++ { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------", .nftname = "cookie-echo" }, ++ { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------", .nftname = "cookie-ack" }, ++ { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------", .nftname = "ecne" }, ++ { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------", .nftname = "cwr" }, ++ { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T", .nftname = "shutdown-complete" }, ++ { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------", .nftname = "asconf" }, ++ { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------", .nftname = "asconf-ack" }, ++ { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------", .nftname = "forward-tsn" }, + }; + + static void +@@ -485,12 +486,52 @@ static void sctp_save(const void *ip, const struct xt_entry_match *match) + } + } + ++static const char *sctp_xlate_chunk(struct xt_xlate *xl, const char *space, ++ const struct xt_sctp_info *einfo, ++ const struct sctp_chunk_names *scn) ++{ ++ bool inv = einfo->invflags & XT_SCTP_CHUNK_TYPES; ++ const struct xt_sctp_flag_info *flag_info = NULL; ++ int i; ++ ++ if (!scn->nftname) ++ return space; ++ ++ if (!SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, scn->chunk_type)) { ++ if (einfo->chunk_match_type != SCTP_CHUNK_MATCH_ONLY) ++ return space; ++ ++ xt_xlate_add(xl, "%ssctp chunk %s %s", space, ++ scn->nftname, inv ? 
"exists" : "missing"); ++ return " "; ++ } ++ ++ for (i = 0; i < einfo->flag_count; i++) { ++ if (einfo->flag_info[i].chunktype == scn->chunk_type) { ++ flag_info = &einfo->flag_info[i]; ++ break; ++ } ++ } ++ ++ if (!flag_info) { ++ xt_xlate_add(xl, "%ssctp chunk %s %s", space, ++ scn->nftname, inv ? "missing" : "exists"); ++ return " "; ++ } ++ ++ xt_xlate_add(xl, "%ssctp chunk %s flags & 0x%x %s 0x%x", space, ++ scn->nftname, flag_info->flag_mask, ++ inv ? "!=" : "==", flag_info->flag); ++ ++ return " "; ++} ++ + static int sctp_xlate(struct xt_xlate *xl, + const struct xt_xlate_mt_params *params) + { + const struct xt_sctp_info *einfo = + (const struct xt_sctp_info *)params->match->data; +- char *space = ""; ++ const char *space = ""; + + if (!einfo->flags) + return 0; +@@ -516,6 +557,18 @@ static int sctp_xlate(struct xt_xlate *xl, + xt_xlate_add(xl, "%ssctp dport%s %u", space, + einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "", + einfo->dpts[0]); ++ space = " "; ++ } ++ ++ if (einfo->flags & XT_SCTP_CHUNK_TYPES) { ++ int i; ++ ++ if (einfo->chunk_match_type == SCTP_CHUNK_MATCH_ANY) ++ return 0; ++ ++ for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); i++) ++ space = sctp_xlate_chunk(xl, space, einfo, ++ &sctp_chunk_names[i]); + } + + return 1; +diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate +index 0d6c59e183675..bb817525db8d8 100644 +--- a/extensions/libxt_sctp.txlate ++++ b/extensions/libxt_sctp.txlate +@@ -36,3 +36,9 @@ nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept + + iptables-translate -A INPUT -p sctp --dport 80 ! 
--sport 50:55 -j ACCEPT + nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept ++ ++iptables-translate -A INPUT -p sctp --chunk-types all INIT,DATA:iUbE,SACK,ABORT:T -j ACCEPT ++nft add rule ip filter INPUT sctp chunk data flags & 0xf == 0x5 sctp chunk init exists sctp chunk sack exists sctp chunk abort flags & 0x1 == 0x1 counter accept ++ ++iptables-translate -A INPUT -p sctp --chunk-types only SHUTDOWN_COMPLETE -j ACCEPT ++nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing counter accept +-- +2.31.1 + diff --git a/SOURCES/0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch b/SOURCES/0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch new file mode 100644 index 0000000..6498fa6 --- /dev/null +++ b/SOURCES/0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch 
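Review bot: In `sctp_xlate_chunk` the inverted match is translated chunk by chunk, which is only equivalent to the original when a single chunk is listed: `! --chunk-types all INIT,DATA` means not (INIT present and DATA present), but the loop emits `sctp chunk data missing sctp chunk init missing`, a stricter conjunction, and the inverted `only` case is off in the same way because every chunk's existence is flipped individually. Unless I'm misreading how `XT_SCTP_CHUNK_TYPES` in `invflags` applies, the safe option is to refuse those translations the way `SCTP_CHUNK_MATCH_ANY` is refused, e.g. `if (einfo->chunk_match_type == SCTP_CHUNK_MATCH_ANY || (einfo->invflags & XT_SCTP_CHUNK_TYPES)) return 0;` in `sctp_xlate`, or to accept the inverted form only when exactly one chunk bit is set. That early `return 0` also happens after the port expressions were already added to `xl`; whether the caller discards a partially filled buffer on a 0 return is not visible here, so checking the chunk match type before the port handling would be safer. Minor: in the `ARRAY_SIZE()` loop of `sctp_xlate`, `i` is `int` while `ARRAY_SIZE()` yields `size_t`, so `-Wsign-compare` will warn; `unsigned int i` avoids it.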
@@ -0,0 +1,26 @@ +From 2a45c01c4d3892871b3d3d6b67d10cb62abc561e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 16 Jul 2021 21:51:49 +0200 +Subject: [PATCH] extensions: SECMARK: Use a better context in test case + +RHEL SELinux policies don't allow setting +system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has +'packet_type' attribute (identified via +'seinfo -xt | grep packet_type'). +--- + extensions/libxt_SECMARK.t | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t +index 39d4c09348bf4..295e7a7244902 100644 +--- a/extensions/libxt_SECMARK.t ++++ b/extensions/libxt_SECMARK.t +@@ -1,4 +1,4 @@ + :INPUT,FORWARD,OUTPUT + *security +--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK ++-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK + -j SECMARK;;FAIL +-- +2.31.1 + diff --git a/SOURCES/0058-nft-cache-Retry-if-kernel-returns-EINTR.patch b/SOURCES/0058-nft-cache-Retry-if-kernel-returns-EINTR.patch new file mode 100644 index 0000000..09af587 --- /dev/null +++ b/SOURCES/0058-nft-cache-Retry-if-kernel-returns-EINTR.patch 
@@ -0,0 +1,77 @@ +From 681cb811e4cb8c5f22fd0fae60a3533289657705 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 4 Aug 2021 17:14:05 +0200 +Subject: [PATCH] nft: cache: Retry if kernel returns EINTR + +In case of parallel ruleset updates, recvfrom() calls may return EINTR. +Due to the fact that cache fetches may get triggered while iterating +over cache elements, __nft_build_cache must not restart based on +comparing before and after generation ID like upstream does. Instead, +just retry the recvfrom() calls until they either succeed or return a +different error than EINTR. +--- + iptables/nft-cache.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c +index 9623b463f0dd5..699dc66a95cd1 100644 +--- a/iptables/nft-cache.c ++++ b/iptables/nft-cache.c +@@ -98,9 +98,12 @@ static int fetch_table_cache(struct nft_handle *h) + nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, h->family, + NLM_F_DUMP, h->seq); + ++retry: + ret = mnl_talk(h, nlh, nftnl_table_list_cb, list); +- if (ret < 0 && errno == EINTR) ++ if (ret < 0 && errno == EINTR) { + assert(nft_restart(h) >= 0); ++ goto retry; ++ } + + h->cache->tables = list; + +@@ -275,10 +278,11 @@ static int fetch_set_cache(struct nft_handle *h, + NLM_F_DUMP, h->seq); + } + ++retry: + ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d); + if (ret < 0 && errno == EINTR) { + assert(nft_restart(h) >= 0); +- return ret; ++ goto retry; + } + + if (t && set) { +@@ -355,9 +359,12 @@ static int fetch_chain_cache(struct nft_handle *h, + h->seq); + } + ++retry: + ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d); +- if (ret < 0 && errno == EINTR) ++ if (ret < 0 && errno == EINTR) { + assert(nft_restart(h) >= 0); ++ goto retry; ++ } + + return ret; + } +@@ -404,9 +411,12 @@ static int nft_rule_list_update(struct nftnl_chain *c, void *data) + NLM_F_DUMP, h->seq); + nftnl_rule_nlmsg_build_payload(nlh, rule); + ++retry: + ret = mnl_talk(h, nlh, 
nftnl_rule_list_cb, c); +- if (ret < 0 && errno == EINTR) ++ if (ret < 0 && errno == EINTR) { + assert(nft_restart(h) >= 0); ++ goto retry; ++ } + + nftnl_rule_free(rule); + +-- +2.32.0 + diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index 62968ed..71c5f1d 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec @@ -17,7 +17,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: http://www.netfilter.org/projects/iptables Version: 1.8.4 -Release: 19%{?dist} +Release: 20%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -87,6 +87,11 @@ Patch50: 0050-xtables-translate-Fix-translation-of-odd-netmasks.patch Patch51: 0051-Eliminate-inet_aton-and-inet_ntoa.patch Patch52: 0052-xtables-arp-Don-t-use-ARPT_INV_.patch Patch53: 0053-nft-arp-Make-use-of-ipv4_addr_to_string.patch +Patch54: 0054-extensions-SECMARK-Implement-revision-1.patch +Patch55: 0055-extensions-sctp-Fix-nftables-translation.patch +Patch56: 0056-extensions-sctp-Translate-chunk-types-option.patch +Patch57: 0057-extensions-SECMARK-Use-a-better-context-in-test-case.patch +Patch58: 0058-nft-cache-Retry-if-kernel-returns-EINTR.patch # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 @@ -495,6 +500,13 @@ done %doc %{_mandir}/man8/ebtables*.8* %changelog +* Wed Aug 04 2021 Phil Sutter - 1.8.4-20 +- extensions: SECMARK: Use a better context in test case +- extensions: sctp: Translate --chunk-types option +- extensions: sctp: Fix nftables translation +- extensions: SECMARK: Implement revision 1 +- nft: cache: Retry if kernel returns EINTR + * Fri Jun 18 2021 Phil Sutter - 1.8.4-19 - Fix for rpminspect results
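Review bot: The new `retry:` loops in `fetch_table_cache`, `fetch_set_cache`, `fetch_chain_cache` and `nft_rule_list_update` are unbounded, and the only thing between two attempts is `assert(nft_restart(h) >= 0)` — a side effect inside `assert()`, so a build with `NDEBUG` would skip the restart and spin on `mnl_talk()` returning EINTR. A small retry budget and an explicit error path keep the intent without either risk, e.g. `if (ret < 0 && errno == EINTR && retries-- > 0) {` with `if (nft_restart(h) < 0) return ret;` in place of the assert (returning the error the way `fetch_set_cache` did before this change, and with `retries` initialised from a named constant still to be chosen), applied the same way in all four places. All four functions start and end outside their hunks, so the cleanup that follows an early return (the `nftnl_rule_free(rule)` after the last hunk, the `list` assigned after the first) needs checking when the error path is added.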