iptables-1.8.10-3.el9
* Wed Jun 12 2024 Phil Sutter <psutter@redhat.com> [1.8.10-3.el9] - extensions: libxt_sctp: Add an extra assert() (Phil Sutter) [RHEL-40928] - spec: Add symlinks for merged extension DSOs (Phil Sutter) [RHEL-32463] - nft: Fix for broken recover_rule_compat() (Phil Sutter) [RHEL-26619] - spec: Ship ebtables-translate and man page (Phil Sutter) [RHEL-32922] Resolves: RHEL-26619, RHEL-32463, RHEL-32922, RHEL-40928
parent
18727bce9f
commit
e74594c069
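--- a/0004-nft-Fix-for-broken-recover_rule_compat.patch
+++ b/0004-nft-Fix-for-broken-recover_rule_compat.patch
@@ -0,0 +1,99 @@
+From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 22 May 2024 18:26:58 +0200
+Subject: [PATCH] nft: Fix for broken recover_rule_compat()
+
+JIRA: https://issues.redhat.com/browse/RHEL-26619
+Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
+
+commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
+Author: Phil Sutter <phil@nwl.cc>
+Date: Tue Feb 27 18:47:39 2024 +0100
+
+nft: Fix for broken recover_rule_compat()
+
+When IPv4 rule generator was changed to emit payload instead of
+meta expressions for l4proto matches, the code reinserting
+NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
+zeroing was broken by accident.
+
+Make rule compat recovery aware of the alternative match, basically
+reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
+with NFTA_RULE_COMPAT") but add a test case this time to make sure
+things stay intact.
+
+Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+iptables/nft.c | 27 ++++++++++++++++---
+.../nft-only/0011-zero-needs-compat_0 | 12 +++++++++
+2 files changed, 35 insertions(+), 4 deletions(-)
+create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 97fd4f4..c4caf29 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
+return strerror(err);
+}
+
++static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
++{
++ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
++ uint32_t poff = offsetof(struct iphdr, protocol);
++ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
++
++ if (!strcmp(name, "payload") &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
++ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
++ return 0;
++ }
++ if (!strcmp(name, "meta") &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
++ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
++ return 0;
++ }
++ return -1;
++}
++
+static int recover_rule_compat(struct nftnl_rule *r)
+{
+struct nftnl_expr_iter *iter;
+@@ -3695,12 +3716,10 @@ next_expr:
+if (!e)
+goto out;
+
+- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
+- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
++ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */
++ if (l4proto_expr_get_dreg(e, ®) < 0)
+goto next_expr;
+
+- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
+-
+e = nftnl_expr_iter_next(iter);
+if (!e)
+goto out;
+diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+new file mode 100755
+index 0000000..e276a95
+--- /dev/null
++++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+@@ -0,0 +1,12 @@
++#!/bin/bash
++
++[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
++
++set -e
++
++rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
++for cmd in iptables ip6tables; do
++ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
++ $XT_MULTI $cmd -t mangle -Z
++ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
++done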
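Review bot: `l4proto_expr_get_dreg()` in the first nft.c hunk carries no header comment, and its payload branch is IPv4-specific — it keys on `offsetof(struct iphdr, protocol)` at `NFT_PAYLOAD_NETWORK_HEADER` with a one-byte length — while nothing at the definition says so; the only hint is the one-line comment at the call site in the second hunk. Suggest a header comment along the lines of `/* Store in *dregp the destination register of an expression loading the L4 protocol: the IPv4 'ip protocol' payload load or a 'meta l4proto' load (presumably still what the IPv6 generator emits). Return -1 for any other expression. */`. If the IPv6 rule generator is ever switched to a payload match as well, this helper needs a matching branch, otherwise -Z would again drop the NFTNL_RULE_COMPAT_* attributes the commit message describes; the new test loops over both iptables and ip6tables, so such a regression would be caught. recover_rule_compat()'s body extends beyond the second hunk, and the `®` on the call line is presumably a rendering of `&reg`.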
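--- a/0005-extensions-libxt_sctp-Add-an-extra-assert.patch
+++ b/0005-extensions-libxt_sctp-Add-an-extra-assert.patch
@@ -0,0 +1,43 @@
+From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 12 Jun 2024 22:49:48 +0200
+Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
+
+JIRA: https://issues.redhat.com/browse/RHEL-40928
+Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
+
+commit 0234117d24609070f08ef36a11795c3c8e4c19bf
+Author: Phil Sutter <phil@nwl.cc>
+Date: Fri May 17 15:20:05 2024 +0200
+
+extensions: libxt_sctp: Add an extra assert()
+
+The code is sane, but this keeps popping up in static code analyzers.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+extensions/libxt_sctp.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index 6e2b274..e8312f0 100644
+--- a/extensions/libxt_sctp.c
++++ b/extensions/libxt_sctp.c
+@@ -7,6 +7,7 @@
+* libipt_ecn.c borrowed heavily from libipt_dscp.c
+*
+*/
++#include <assert.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
+
+for (i = 7; i >= 0; i--) {
+if (chunk_flags_mask & (1 << i)) {
++ assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
+if (chunk_flags & (1 << i)) {
+printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
+} else {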
@ -1,5 +1,5 @@
|
|||||||
%define iptables_rpmversion 1.8.10
|
%define iptables_rpmversion 1.8.10
|
||||||
%define iptables_specrelease 2
|
%define iptables_specrelease 3
|
||||||
|
|
||||||
# install init scripts to /usr/libexec with systemd
|
# install init scripts to /usr/libexec with systemd
|
||||||
%global script_path %{_libexecdir}/iptables
|
%global script_path %{_libexecdir}/iptables
|
||||||
@ -36,6 +36,8 @@ Source11: iptables-test.stderr.expect
|
|||||||
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
|
||||||
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
|
||||||
Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
|
Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
|
||||||
|
Patch4: 0004-nft-Fix-for-broken-recover_rule_compat.patch
|
||||||
|
Patch5: 0005-extensions-libxt_sctp-Add-an-extra-assert.patch
|
||||||
|
|
||||||
# pf.os: ISC license
|
# pf.os: ISC license
|
||||||
# iptables-apply: Artistic 2.0
|
# iptables-apply: Artistic 2.0
|
||||||
@ -264,6 +266,21 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8
|
|||||||
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
|
touch %{buildroot}%{_mandir}/man8/arptables-restore.8
|
||||||
touch %{buildroot}%{_mandir}/man8/ebtables.8
|
touch %{buildroot}%{_mandir}/man8/ebtables.8
|
||||||
|
|
||||||
|
# add symlinks for compatibility to merged extensions
|
||||||
|
link_ext() { # (target, link)
|
||||||
|
local targetfile="%{buildroot}%{_libdir}/xtables/${1}.so"
|
||||||
|
local targetname="${1}.so"
|
||||||
|
local link="%{buildroot}%{_libdir}/xtables/${2}.so"
|
||||||
|
[[ -e "$link" ]] && return 0
|
||||||
|
[[ -e "$targetfile" ]] || return 0
|
||||||
|
ln -s $targetname $link
|
||||||
|
}
|
||||||
|
for fam in ip ip6; do
|
||||||
|
link_ext libxt_LOG lib${fam}t_LOG
|
||||||
|
link_ext libxt_NAT lib${fam}t_SNAT
|
||||||
|
link_ext libxt_NAT lib${fam}t_MASQUERADE
|
||||||
|
done
|
||||||
|
|
||||||
%ldconfig_scriptlets
|
%ldconfig_scriptlets
|
||||||
|
|
||||||
%post legacy
|
%post legacy
|
||||||
@ -438,6 +455,7 @@ fi
|
|||||||
%{_sbindir}/ip{,6}tables-nft*
|
%{_sbindir}/ip{,6}tables-nft*
|
||||||
%{_sbindir}/ip{,6}tables{,-restore}-translate
|
%{_sbindir}/ip{,6}tables{,-restore}-translate
|
||||||
%{_sbindir}/{eb,arp}tables-nft*
|
%{_sbindir}/{eb,arp}tables-nft*
|
||||||
|
%{_sbindir}/ebtables-translate
|
||||||
%{_sbindir}/xtables-nft-multi
|
%{_sbindir}/xtables-nft-multi
|
||||||
%{_sbindir}/xtables-monitor
|
%{_sbindir}/xtables-monitor
|
||||||
%dir %{_libdir}/xtables
|
%dir %{_libdir}/xtables
|
||||||
@ -451,9 +469,15 @@ fi
|
|||||||
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
|
%ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
|
||||||
%ghost %{_libexecdir}/arptables-helper
|
%ghost %{_libexecdir}/arptables-helper
|
||||||
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
|
%ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
|
||||||
%ghost %{_mandir}/man8/ebtables.8.gz
|
%ghost %{_mandir}/man8/ebtables{,-translate}.8.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jun 12 2024 Phil Sutter <psutter@redhat.com> [1.8.10-3.el9]
|
||||||
|
- extensions: libxt_sctp: Add an extra assert() (Phil Sutter) [RHEL-40928]
|
||||||
|
- spec: Add symlinks for merged extension DSOs (Phil Sutter) [RHEL-32463]
|
||||||
|
- nft: Fix for broken recover_rule_compat() (Phil Sutter) [RHEL-26619]
|
||||||
|
- spec: Ship ebtables-translate and man page (Phil Sutter) [RHEL-32922]
|
||||||
|
|
||||||
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9]
|
* Tue Nov 07 2023 Phil Sutter <psutter@redhat.com> [1.8.10-2.el9]
|
||||||
- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
|
- ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
|
||||||
|
|
||||||
|