iptables-1.8.10-3.el9

* Wed Jun 12 2024 Phil Sutter <psutter@redhat.com> [1.8.10-3.el9]
- extensions: libxt_sctp: Add an extra assert() (Phil Sutter) [RHEL-40928]
- spec: Add symlinks for merged extension DSOs (Phil Sutter) [RHEL-32463]
- nft: Fix for broken recover_rule_compat() (Phil Sutter) [RHEL-26619]
- spec: Ship ebtables-translate and man page (Phil Sutter) [RHEL-32922]
Resolves: RHEL-26619, RHEL-32463, RHEL-32922, RHEL-40928
This commit is contained in:
Phil Sutter 2024-06-12 22:52:05 +02:00
parent 18727bce9f
commit e74594c069
3 changed files with 168 additions and 2 deletions

View File

@ -0,0 +1,99 @@
From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 22 May 2024 18:26:58 +0200
Subject: [PATCH] nft: Fix for broken recover_rule_compat()
JIRA: https://issues.redhat.com/browse/RHEL-26619
Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Feb 27 18:47:39 2024 +0100
nft: Fix for broken recover_rule_compat()
When IPv4 rule generator was changed to emit payload instead of
meta expressions for l4proto matches, the code reinserting
NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
zeroing was broken by accident.
Make rule compat recovery aware of the alternative match, basically
reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
with NFTA_RULE_COMPAT") but add a test case this time to make sure
things stay intact.
Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 27 ++++++++++++++++---
.../nft-only/0011-zero-needs-compat_0 | 12 +++++++++
2 files changed, 35 insertions(+), 4 deletions(-)
create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
diff --git a/iptables/nft.c b/iptables/nft.c
index 97fd4f4..c4caf29 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
return strerror(err);
}
+static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
+{
+ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
+ uint32_t poff = offsetof(struct iphdr, protocol);
+ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
+
+ if (!strcmp(name, "payload") &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
+ return 0;
+ }
+ if (!strcmp(name, "meta") &&
+ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
+ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
+ return 0;
+ }
+ return -1;
+}
+
static int recover_rule_compat(struct nftnl_rule *r)
{
struct nftnl_expr_iter *iter;
@@ -3695,12 +3716,10 @@ next_expr:
if (!e)
goto out;
- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
+ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */
+ if (l4proto_expr_get_dreg(e, &reg) < 0)
goto next_expr;
- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
-
e = nftnl_expr_iter_next(iter);
if (!e)
goto out;
diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
new file mode 100755
index 0000000..e276a95
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+set -e
+
+rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
+for cmd in iptables ip6tables; do
+ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
+ $XT_MULTI $cmd -t mangle -Z
+ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
+done

View File

@ -0,0 +1,43 @@
From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 12 Jun 2024 22:49:48 +0200
Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
JIRA: https://issues.redhat.com/browse/RHEL-40928
Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
commit 0234117d24609070f08ef36a11795c3c8e4c19bf
Author: Phil Sutter <phil@nwl.cc>
Date: Fri May 17 15:20:05 2024 +0200
extensions: libxt_sctp: Add an extra assert()
The code is sane, but this keeps popping up in static code analyzers.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_sctp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 6e2b274..e8312f0 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -7,6 +7,7 @@
* libipt_ecn.c borrowed heavily from libipt_dscp.c
*
*/
+#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
for (i = 7; i >= 0; i--) {
if (chunk_flags_mask & (1 << i)) {
+ assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
if (chunk_flags & (1 << i)) {
printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
} else {

View File

@ -1,5 +1,5 @@
%define iptables_rpmversion 1.8.10 %define iptables_rpmversion 1.8.10
%define iptables_specrelease 2 %define iptables_specrelease 3
# install init scripts to /usr/libexec with systemd # install init scripts to /usr/libexec with systemd
%global script_path %{_libexecdir}/iptables %global script_path %{_libexecdir}/iptables
@ -36,6 +36,8 @@ Source11: iptables-test.stderr.expect
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
Patch4: 0004-nft-Fix-for-broken-recover_rule_compat.patch
Patch5: 0005-extensions-libxt_sctp-Add-an-extra-assert.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic 2.0 # iptables-apply: Artistic 2.0
@ -264,6 +266,21 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8
touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8
touch %{buildroot}%{_mandir}/man8/ebtables.8 touch %{buildroot}%{_mandir}/man8/ebtables.8
# add symlinks for compatibility to merged extensions
link_ext() { # (target, link)
local targetfile="%{buildroot}%{_libdir}/xtables/${1}.so"
local targetname="${1}.so"
local link="%{buildroot}%{_libdir}/xtables/${2}.so"
[[ -e "$link" ]] && return 0
[[ -e "$targetfile" ]] || return 0
ln -s $targetname $link
}
for fam in ip ip6; do
link_ext libxt_LOG lib${fam}t_LOG
link_ext libxt_NAT lib${fam}t_SNAT
link_ext libxt_NAT lib${fam}t_MASQUERADE
done
%ldconfig_scriptlets %ldconfig_scriptlets
%post legacy %post legacy
@ -438,6 +455,7 @@ fi
%{_sbindir}/ip{,6}tables-nft* %{_sbindir}/ip{,6}tables-nft*
%{_sbindir}/ip{,6}tables{,-restore}-translate %{_sbindir}/ip{,6}tables{,-restore}-translate
%{_sbindir}/{eb,arp}tables-nft* %{_sbindir}/{eb,arp}tables-nft*
%{_sbindir}/ebtables-translate
%{_sbindir}/xtables-nft-multi %{_sbindir}/xtables-nft-multi
%{_sbindir}/xtables-monitor %{_sbindir}/xtables-monitor
%dir %{_libdir}/xtables %dir %{_libdir}/xtables
@ -451,9 +469,15 @@ fi
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore} %ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
%ghost %{_libexecdir}/arptables-helper %ghost %{_libexecdir}/arptables-helper
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz %ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
%ghost %{_mandir}/man8/ebtables.8.gz %ghost %{_mandir}/man8/ebtables{,-translate}.8.gz
%changelog %changelog
* Wed Jun 12 2024 Phil Sutter <psutter@redhat.com> [1.8.10-3.el9]
- extensions: libxt_sctp: Add an extra assert() (Phil Sutter) [RHEL-40928]
- spec: Add symlinks for merged extension DSOs (Phil Sutter) [RHEL-32463]
- nft: Fix for broken recover_rule_compat() (Phil Sutter) [RHEL-26619]
- spec: Ship ebtables-translate and man page (Phil Sutter) [RHEL-32922]
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9] * Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9]
- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147] - ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]