Compare commits

..

No commits in common. "imports/c8s/iptables-1.8.4-17.el8" and "c8" have entirely different histories.

180 changed files with 11388 additions and 2488 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/iptables-1.8.2.tar.bz2 SOURCES/iptables-1.8.5.tar.bz2
SOURCES/iptables-1.8.4.tar.bz2

View File

@ -1,2 +1 @@
215c4ef4c6cd29ef0dd265b4fa5ec51a4f930c92 SOURCES/iptables-1.8.2.tar.bz2 f177a58d0a71b00d68ef5792ae4676bcc0ad29e6 SOURCES/iptables-1.8.5.tar.bz2
cd5fe776fb2b0479b3234758fc333777caa1239b SOURCES/iptables-1.8.4.tar.bz2

View File

@ -0,0 +1,41 @@
From 4806ba770a3aaadd0a3975ac1ea92dff3ea87ee4 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Wed, 3 Jun 2020 15:38:48 +0200
Subject: [PATCH] build: resolve iptables-apply not getting installed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ip6tables-apply gets installed but iptables-apply does not.
That is wrong.
» make install DESTDIR=$PWD/r
» find r -name "*app*"
r/usr/local/sbin/ip6tables-apply
r/usr/local/share/man/man8/iptables-apply.8
r/usr/local/share/man/man8/ip6tables-apply.8
Fixes: v1.8.5~87
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit d4ed0c741fc789bb09d977d74d30875fdd50d08b)
---
iptables/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index dc66b3cc09c08..2024dbf5cb88c 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -56,7 +56,7 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \
ip6tables-save.8 iptables-extensions.8 \
iptables-apply.8 ip6tables-apply.8
-sbin_SCRIPT = iptables-apply
+sbin_SCRIPTS = iptables-apply
if ENABLE_NFTABLES
man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
--
2.40.0

View File

@ -1,35 +0,0 @@
From a69b9119bde58b372acb1c3914ee90f2ed48afb8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Sep 2018 11:39:50 +0200
Subject: [PATCH] iptables-apply: Use mktemp instead of tempfile
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/iptables-apply | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 819ca4a459c42..a685b6bbcd7dc 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
exit 2
fi
-COMMANDS=(tempfile "$SAVE" "$RESTORE")
+COMMANDS=(mktemp "$SAVE" "$RESTORE")
for cmd in "${COMMANDS[@]}"; do
if ! command -v $cmd >/dev/null; then
@@ -122,7 +122,7 @@ done
umask 0700
-TMPFILE=$(tempfile -p iptap)
+TMPFILE=$(mktemp)
trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
FPE USR1 SEGV USR2 PIPE ALRM TERM
--
2.24.0

View File

@ -1,59 +0,0 @@
From 25af0fd3a7edd9a9aa5ed7ed63188456ee6389ef Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 4 Dec 2019 09:56:06 +0100
Subject: [PATCH] xtables-restore: Fix parser feed from line buffer
When called with --noflush, xtables-restore would trip over chain lines:
Parser uses strtok() to separate chain name, policy and counters which
inserts nul-chars into the source string. Therefore strlen() can't be
used anymore to find end of line. Fix this by caching line length before
calling xtables_restore_parse_line().
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit a103fbfadf4c17b8b12caa57eef72deaaa71a18c)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../testcases/ipt-restore/0010-noflush-new-chain_0 | 10 ++++++++++
iptables/xtables-restore.c | 4 +++-
2 files changed, 13 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
diff --git a/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
new file mode 100755
index 0000000000000..739e684a21183
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+# assert input feed from buffer doesn't trip over
+# added nul-chars from parsing chain line.
+
+$XT_MULTI iptables-restore --noflush <<EOF
+*filter
+:foobar - [0:0]
+-A foobar -j ACCEPT
+COMMIT
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 2f0fe7d439d94..dd907e0b8ddd5 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -327,10 +327,12 @@ void xtables_restore_parse(struct nft_handle *h,
line = 0;
ptr = preload_buffer;
while (*ptr) {
+ size_t len = strlen(ptr);
+
h->error.lineno = ++line;
DEBUGP("%s: buffered line %d: '%s'\n", __func__, line, ptr);
xtables_restore_parse_line(h, p, &state, ptr);
- ptr += strlen(ptr) + 1;
+ ptr += len + 1;
}
if (*buffer) {
h->error.lineno = ++line;
--
2.24.0

View File

@ -0,0 +1,57 @@
From eaad1950f1952733c2770b29b593613cfe9af8a8 Mon Sep 17 00:00:00 2001
From: Arturo Borrero Gonzalez <arturo@netfilter.org>
Date: Tue, 16 Jun 2020 11:20:42 +0200
Subject: [PATCH] xtables-translate: don't fail if help was requested
If the user called `iptables-translate -h` then we have CMD_NONE and we should gracefully handle
this case in do_command_xlate().
Before this patch, you would see:
user@debian:~$ sudo iptables-translate -h
[..]
nft Unsupported command?
user@debian:~$ echo $?
1
After this patch:
user@debian:~$ sudo iptables-translate -h
[..]
user@debian:~$ echo $?
0
Fixes: d4409d449c10fa ("nft: Don't exit early after printing help texts")
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
(cherry picked from commit 2757c0b5e5fbbf569695469b331453cecefdf069)
---
iptables/xtables-translate.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 5aa42496b5a48..363c8be15b3fa 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -249,7 +249,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
cs.restore = restore;
- if (!restore)
+ if (!restore && p.command != CMD_NONE)
printf("nft ");
switch (p.command) {
@@ -310,6 +310,9 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
break;
case CMD_SET_POLICY:
break;
+ case CMD_NONE:
+ ret = 1;
+ break;
default:
/* We should never reach this... */
printf("Unsupported command?\n");
--
2.40.0

View File

@ -1,61 +0,0 @@
From 7e63dd95957a264d15eefdda3ea9449a6c72eb86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
Date: Wed, 14 Nov 2018 07:35:28 +0100
Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
introduced support for gcc feature to check format string against passed
argument. This commit adds missing bits to extenstions's libipt_icmp.c
and libip6t_icmp6.c that were causing build to fail.
Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 907e429d7548157016cd51aba4adc5d0c7d9f816)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libip6t_icmp6.c | 4 ++--
extensions/libipt_icmp.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
index 45a71875722c4..cc7bfaeb72fd7 100644
--- a/extensions/libip6t_icmp6.c
+++ b/extensions/libip6t_icmp6.c
@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
type_name = icmp6_type_xlate(icmptype);
if (type_name) {
- xt_xlate_add(xl, type_name);
+ xt_xlate_add(xl, "%s", type_name);
} else {
for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
if (icmpv6_codes[i].type == icmptype &&
@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
break;
if (i != ARRAY_SIZE(icmpv6_codes))
- xt_xlate_add(xl, icmpv6_codes[i].name);
+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
else
return 0;
}
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index 5418997668d4c..e76257c54708c 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
if (icmp_codes[i].type == icmptype &&
icmp_codes[i].code_min == code_min &&
icmp_codes[i].code_max == code_max) {
- xt_xlate_add(xl, icmp_codes[i].name);
+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
return 1;
}
}
--
2.21.0

View File

@ -1,31 +0,0 @@
From 5ee8338b9f1b5c02efca1a33185cf648cdf1aa20 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 5 Dec 2019 11:40:26 +0100
Subject: [PATCH] xtables-restore: Avoid access of uninitialized data
When flushing, 'buffer' is not written to prior to checking its first
byte's value. Therefore it needs to be initialized upon declaration.
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
(cherry picked from commit 48be21bf39f9af35d53af0e211cbd50dcfd12d08)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/xtables-restore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index dd907e0b8ddd5..63cc15cee9621 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -281,7 +281,7 @@ void xtables_restore_parse(struct nft_handle *h,
const struct nft_xt_restore_parse *p)
{
struct nft_xt_restore_state state = {};
- char preload_buffer[PREBUFSIZ] = {}, buffer[10240], *ptr;
+ char preload_buffer[PREBUFSIZ] = {}, buffer[10240] = {}, *ptr;
if (!h->noflush) {
nft_fake_cache(h);
--
2.24.0

View File

@ -0,0 +1,30 @@
From d9497b521e6f512f27bd1d4a88086f50418cb7b8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 16 Jun 2020 13:06:26 +0200
Subject: [PATCH] xtables-translate: Use proper clear_cs function
Avoid memleaks by performing a full free of any allocated data in local
iptables_command_state variable.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 63fa2b1cb98be66990912d7eb42eab5440437087)
---
iptables/xtables-translate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 363c8be15b3fa..575fb320dc408 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -319,7 +319,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
exit(1);
}
- xtables_rule_matches_free(&cs.matches);
+ nft_clear_iptables_command_state(&cs);
if (h->family == AF_INET) {
free(args.s.addr.v4);
--
2.40.0

View File

@ -1,31 +0,0 @@
From bda4f46d1a474e5cc13712a0302adcf723e3cc5c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 5 Dec 2019 13:15:01 +0100
Subject: [PATCH] extensions: time: Avoid undefined shift
Value 1 is signed by default and left-shifting by 31 is undefined for
those. Fix this by marking the value as unsigned.
Fixes: ad326ef9f734a ("Add the libxt_time iptables match")
(cherry picked from commit 98b221002960040bf3505811c06025b6b9b6984b)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 5a8cc5de13031..d001f5b7f448f 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -330,7 +330,7 @@ static void time_print_monthdays(uint32_t mask, bool human_readable)
printf(" ");
for (i = 1; i <= 31; ++i)
- if (mask & (1 << i)) {
+ if (mask & (1u << i)) {
if (nbdays++ > 0)
printf(",");
printf("%u", i);
--
2.24.0

View File

@ -0,0 +1,55 @@
From 94fcba7825b121cbb7d3ff73f4e80a798feccdee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= <maze@google.com>
Date: Tue, 23 Jun 2020 16:09:02 -0700
Subject: [PATCH] libxtables: compiler warning fixes for NO_SHARED_LIBS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes two issues with NO_SHARED_LIBS:
- #include <dlfcn.h> is ifdef'ed out and thus dlclose()
triggers an undeclared function compiler warning
- dlreg_add() is unused and thus triggers an unused
function warning
Test: builds without warnings
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 6cb8af1ff3951e47def7a16db39289dc9d9c61fe)
---
libxtables/xtables.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 7fe42580f9b70..8907ba2069be7 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -206,6 +206,7 @@ struct xtables_target *xtables_targets;
static bool xtables_fully_register_pending_match(struct xtables_match *me);
static bool xtables_fully_register_pending_target(struct xtables_target *me);
+#ifndef NO_SHARED_LIBS
/* registry for loaded shared objects to close later */
struct dlreg {
struct dlreg *next;
@@ -237,6 +238,7 @@ static void dlreg_free(void)
dlreg = next;
}
}
+#endif
void xtables_init(void)
{
@@ -267,7 +269,9 @@ void xtables_init(void)
void xtables_fini(void)
{
+#ifndef NO_SHARED_LIBS
dlreg_free();
+#endif
}
void xtables_set_nfproto(uint8_t nfproto)
--
2.40.0

View File

@ -1,31 +0,0 @@
From 45aacdc1bbb3a889d9820c1fb587dc8df3cae763 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 5 Dec 2019 13:36:31 +0100
Subject: [PATCH] extensions: cluster: Avoid undefined shift
Value 1 is signed by default and left-shifting by 31 is undefined for
those. Fix this by marking the value as unsigned.
Fixes: 64a0e09894e52 ("extensions: libxt_cluster: Add translation to nft")
(cherry picked from commit 28c16371cdad16707674450b59919e3d97185694)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_cluster.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_cluster.c b/extensions/libxt_cluster.c
index c9c35ee22e3df..d164bf6960166 100644
--- a/extensions/libxt_cluster.c
+++ b/extensions/libxt_cluster.c
@@ -156,7 +156,7 @@ static int cluster_xlate(struct xt_xlate *xl,
xt_xlate_add(xl, "%s %u seed 0x%08x ", jhash_st,
info->total_nodes, info->hash_seed);
for (node = 0; node < 32; node++) {
- if (info->node_mask & (1 << node)) {
+ if (info->node_mask & (1u << node)) {
if (needs_set == 0) {
xt_xlate_add(xl, "{ ");
needs_set = 1;
--
2.24.0

View File

@ -0,0 +1,63 @@
From 0323122f6a3ef9ab2ded571685d3c64851c6df86 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 22 Jul 2020 13:04:34 +0200
Subject: [PATCH] extensions: libxt_conntrack: provide translation for DNAT and
SNAT --ctstate
iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct status dnat counter accept
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 26ec09bf6b9b674a7e3a65fc9c12599bd81dfe0f)
---
extensions/libxt_conntrack.c | 18 +++++++++++++-----
extensions/libxt_conntrack.txlate | 7 +++++++
2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 6f3503933e664..7734509c9af84 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1249,11 +1249,19 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if (sinfo->match_flags & XT_CONNTRACK_STATE) {
- xt_xlate_add(xl, "%sct state %s", space,
- sinfo->invert_flags & XT_CONNTRACK_STATE ?
- "!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
- space = " ";
+ if ((sinfo->state_mask & XT_CONNTRACK_STATE_SNAT) ||
+ (sinfo->state_mask & XT_CONNTRACK_STATE_DNAT)) {
+ xt_xlate_add(xl, "%sct status %s%s", space,
+ sinfo->invert_flags & XT_CONNTRACK_STATUS ? "!=" : "",
+ sinfo->state_mask & XT_CONNTRACK_STATE_SNAT ? "snat" : "dnat");
+ space = " ";
+ } else {
+ xt_xlate_add(xl, "%sct state %s", space,
+ sinfo->invert_flags & XT_CONNTRACK_STATE ?
+ "!= " : "");
+ state_xlate_print(xl, sinfo->state_mask);
+ space = " ";
+ }
}
if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 8a3d0181c71ef..d374f8a035f00 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -42,3 +42,10 @@ nft add rule ip filter INPUT ct direction original counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW --ctproto tcp --ctorigsrc 192.168.0.1 --ctorigdst 192.168.0.1 --ctreplsrc 192.168.0.1 --ctrepldst 192.168.0.1 --ctorigsrcport 12 --ctorigdstport 14 --ctreplsrcport 16 --ctrepldstport 18 --ctexpire 10 --ctstatus SEEN_REPLY --ctdir ORIGINAL -j ACCEPT
nft add rule ip filter INPUT ct direction original ct original protocol 6 ct state new ct status seen-reply ct expiration 10 ct original saddr 192.168.0.1 ct original daddr 192.168.0.1 ct reply saddr 192.168.0.1 ct reply daddr 192.168.0.1 ct original proto-src 12 ct original proto-dst 14 ct reply proto-src 16 ct reply proto-dst 18 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctstate SNAT -j ACCEPT
+nft add rule ip filter INPUT ct status snat counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
+nft add rule ip filter INPUT ct status dnat counter accept
+
--
2.40.0

View File

@ -1,32 +0,0 @@
From d3641eaed9ad19b74f3bababb3db53af0004488b Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 5 Dec 2019 13:57:18 +0100
Subject: [PATCH] libxtables: Avoid buffer overrun in
xtables_compatible_revision()
The function is exported and accepts arbitrary strings as input. Calling
strcpy() without length checks is not OK.
(cherry picked from commit f7d3dbb82e7ed94ccbf10cf70a3c7b3f3aaef1a1)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtables.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 895f6988eaf57..777c2b08e9896 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -856,7 +856,8 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
xtables_load_ko(xtables_modprobe_program, true);
- strcpy(rev.name, name);
+ strncpy(rev.name, name, XT_EXTENSION_MAXNAMELEN - 1);
+ rev.name[XT_EXTENSION_MAXNAMELEN - 1] = '\0';
rev.revision = revision;
max_rev = getsockopt(sockfd, afinfo->ipproto, opt, &rev, &s);
--
2.24.0

View File

@ -0,0 +1,30 @@
From 13abbdd7789da8616a903b5b8dc5ff69fb2af2c7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 10 Jul 2020 21:12:34 +0200
Subject: [PATCH] nft: Drop pointless nft_xt_builtin_init() call
When renaming a chain, either everything is in place already or the
command will bail anyway. So just drop this superfluous call.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 7a700c47fe121c65c550ab24de3284abbb1e82f8)
---
iptables/nft.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 0c5a74fc232c6..e795d4ae6d241 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1934,8 +1934,6 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain,
return 0;
}
- nft_xt_builtin_init(h, table);
-
/* Config load changed errno. Ensure genuine info for our callers. */
errno = 0;
--
2.40.0

View File

@ -1,4 +1,4 @@
From 6d8a390bd13bac294ff9de225a49fe9e4de2d6e5 Mon Sep 17 00:00:00 2001 From a58c38e4c579f409669b5ab82d3b039528a129af Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Fri, 7 Aug 2020 13:48:28 +0200 Date: Fri, 7 Aug 2020 13:48:28 +0200
Subject: [PATCH] nft: Fix command name in ip6tables error message Subject: [PATCH] nft: Fix command name in ip6tables error message
@ -12,17 +12,16 @@ one.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 3be40dcfb5af1438b6abdbda45a1e3b59c104e13) (cherry picked from commit 3be40dcfb5af1438b6abdbda45a1e3b59c104e13)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
iptables/xtables-standalone.c | 12 ++++-------- iptables/xtables-standalone.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-) 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
index 022d5dd44abbf..b5b7ccaf4e660 100644 index dd6fb7919d2e1..7b71db62f1ea6 100644
--- a/iptables/xtables-standalone.c --- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c +++ b/iptables/xtables-standalone.c
@@ -74,14 +74,10 @@ xtables_main(int family, const char *progname, int argc, char *argv[]) @@ -75,14 +75,10 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
nft_fini(&h); xtables_fini();
if (!ret) { if (!ret) {
- if (errno == EINVAL) { - if (errno == EINVAL) {
@ -41,5 +40,5 @@ index 022d5dd44abbf..b5b7ccaf4e660 100644
exit(RESOURCE_PROBLEM); exit(RESOURCE_PROBLEM);
} }
-- --
2.28.0 2.40.0

View File

@ -1,40 +0,0 @@
From 5fe54ca701a38e283faf840903e9ed20eba8a6f4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 5 Dec 2019 16:01:29 +0100
Subject: [PATCH] xtables-translate: Guard strcpy() call in xlate_ifname()
The function potentially fed overlong strings to strcpy(). Given that
everything needed to avoid this is there, reorder code a bit to prevent
those inputs, too.
Fixes: 0ddd663e9c167 ("iptables-translate: add in/out ifname wildcard match translation to nft")
(cherry picked from commit 2861bdbbf062071487a49103513d129ce40e2652)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/xtables-translate.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index a42c60a3b64c6..77a186b905d73 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -32,14 +32,13 @@
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
bool invert)
{
+ int ifaclen = strlen(ifname);
char iface[IFNAMSIZ];
- int ifaclen;
- if (ifname[0] == '\0')
+ if (ifaclen < 1 || ifaclen >= IFNAMSIZ)
return;
strcpy(iface, ifname);
- ifaclen = strlen(iface);
if (iface[ifaclen - 1] == '+')
iface[ifaclen - 1] = '*';
--
2.24.0

View File

@ -1,41 +0,0 @@
From 3a4d59e5cb35cf2395cfd8004dd16d45dd889e11 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 5 Dec 2019 16:35:51 +0100
Subject: [PATCH] extensions: among: Check call to fstat()
If this fails, a bogus length value may be passed to mmap().
Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
(cherry picked from commit 25b38bcbf2fdc019f438805c7d1ecd877af9c968)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libebt_among.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
index 2e87db3bc06fa..715d559f432c2 100644
--- a/extensions/libebt_among.c
+++ b/extensions/libebt_among.c
@@ -6,6 +6,7 @@
* August, 2003
*/
+#include <errno.h>
#include <ctype.h>
#include <fcntl.h>
#include <getopt.h>
@@ -137,7 +138,10 @@ static int bramong_parse(int c, char **argv, int invert,
if ((fd = open(optarg, O_RDONLY)) == -1)
xtables_error(PARAMETER_PROBLEM,
"Couldn't open file '%s'", optarg);
- fstat(fd, &stats);
+ if (fstat(fd, &stats) < 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "fstat(%s) failed: '%s'",
+ optarg, strerror(errno));
flen = stats.st_size;
/* use mmap because the file will probably be big */
optarg = mmap(0, flen, PROT_READ | PROT_WRITE,
--
2.24.0

View File

@ -1,4 +1,4 @@
From c5f07a7d718f812f916686926567adbac6c1b125 Mon Sep 17 00:00:00 2001 From 529dee8412eb216a2432e063136ede732edb9cc1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Thu, 6 Aug 2020 18:52:34 +0200 Date: Thu, 6 Aug 2020 18:52:34 +0200
Subject: [PATCH] tests: shell: Merge and extend return codes test Subject: [PATCH] tests: shell: Merge and extend return codes test
@ -11,26 +11,18 @@ are deliberately ignored.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit cd3e83d1b04fd2683f0fb06e496ee5be08a96b4f) (cherry picked from commit cd3e83d1b04fd2683f0fb06e496ee5be08a96b4f)
Conflicts:
iptables/tests/shell/testcases/ip6tables/0004-return-codes_0
iptables/tests/shell/testcases/iptables/0004-return-codes_0
-> Missing upstream commit a7f1e208cdf9c ("nft: split parsing from
netlink commands") which added a few tests to both files.
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
.../testcases/ip6tables/0004-return-codes_0 | 38 ------- .../testcases/ip6tables/0004-return-codes_0 | 39 ------
.../testcases/iptables/0004-return-codes_0 | 104 ++++++++++-------- .../testcases/iptables/0004-return-codes_0 | 113 ++++++++++--------
2 files changed, 58 insertions(+), 84 deletions(-) 2 files changed, 61 insertions(+), 91 deletions(-)
delete mode 100755 iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 delete mode 100755 iptables/tests/shell/testcases/ip6tables/0004-return-codes_0
diff --git a/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 b/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 diff --git a/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 b/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0
deleted file mode 100755 deleted file mode 100755
index f023b7915498e..0000000000000 index c583b0ebd97c3..0000000000000
--- a/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0 --- a/iptables/tests/shell/testcases/ip6tables/0004-return-codes_0
+++ /dev/null +++ /dev/null
@@ -1,38 +0,0 @@ @@ -1,39 +0,0 @@
-#!/bin/sh -#!/bin/sh
- -
-# make sure error return codes are as expected useful cases -# make sure error return codes are as expected useful cases
@ -59,6 +51,7 @@ index f023b7915498e..0000000000000
-# test rule adding -# test rule adding
-cmd 0 ip6tables -A INPUT -j ACCEPT -cmd 0 ip6tables -A INPUT -j ACCEPT
-cmd 1 ip6tables -A noexist -j ACCEPT -cmd 1 ip6tables -A noexist -j ACCEPT
-cmd 2 ip6tables -I INPUT -j foobar
- -
-# test rule checking -# test rule checking
-cmd 0 ip6tables -C INPUT -j ACCEPT -cmd 0 ip6tables -C INPUT -j ACCEPT
@ -70,10 +63,10 @@ index f023b7915498e..0000000000000
- -
-exit $global_rc -exit $global_rc
diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0
index ce02e0bcb128b..67f1698945753 100755 index f730bede1f612..dcd9dfd3c0806 100755
--- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 --- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0
+++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0 +++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0
@@ -13,69 +13,81 @@ cmd() { # (rc, msg, cmd, [args ...]) @@ -13,75 +13,84 @@ cmd() { # (rc, msg, cmd, [args ...])
msg_exp="$1"; shift msg_exp="$1"; shift
} }
@ -149,12 +142,21 @@ index ce02e0bcb128b..67f1698945753 100755
# test chain rename # test chain rename
-cmd 0 iptables -E foo bar -cmd 0 iptables -E foo bar
-cmd 1 "$EEXIST_F" iptables -E foo bar -cmd 1 "$EEXIST_F" iptables -E foo bar
-cmd 1 "$ENOENT" iptables -E foo bar2
-cmd 0 iptables -N foo2
-cmd 1 "$EEXIST_F" iptables -E foo2 bar
+cmd 0 -E foo bar +cmd 0 -E foo bar
+cmd 1 "$EEXIST_F" -E foo bar +cmd 1 "$EEXIST_F" -E foo bar
+cmd 1 "$ENOENT" -E foo bar2
+cmd 0 -N foo2
+cmd 1 "$EEXIST_F" -E foo2 bar
# test rule adding # test rule adding
-cmd 0 iptables -A INPUT -j ACCEPT -cmd 0 iptables -A INPUT -j ACCEPT
-cmd 1 "$ENOENT" iptables -A noexist -j ACCEPT -cmd 1 "$ENOENT" iptables -A noexist -j ACCEPT
-cmd 2 "" iptables -I INPUT -j foobar
-cmd 2 "" iptables -R INPUT 1 -j foobar
-cmd 2 "" iptables -D INPUT -j foobar
+cmd 0 -A INPUT -j ACCEPT +cmd 0 -A INPUT -j ACCEPT
+cmd 1 "$ENOENT" -A noexist -j ACCEPT +cmd 1 "$ENOENT" -A noexist -j ACCEPT
+# next three differ: +# next three differ:
@ -202,5 +204,5 @@ index ce02e0bcb128b..67f1698945753 100755
exit $global_rc exit $global_rc
-- --
2.28.0 2.40.0

View File

@ -1,43 +0,0 @@
From fe1ac5eaa8ae482c9112aed6b89f9f2e529f4516 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 10 Dec 2019 12:27:13 +0100
Subject: [PATCH] uapi: netfilter: Avoid undefined left-shift in xt_sctp.h
This is a backport of kernel commit 164166558aace ("netfilter: uapi:
Avoid undefined left-shift in xt_sctp.h").
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/linux/netfilter/xt_sctp.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
index a501e6196905d..5b28525a2482a 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/linux/netfilter/xt_sctp.h
@@ -40,19 +40,19 @@ struct xt_sctp_info {
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
(chunkmap)[type / bytes(__u32)] |= \
- 1 << (type % bytes(__u32)); \
+ 1u << (type % bytes(__u32)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
(chunkmap)[type / bytes(__u32)] &= \
- ~(1 << (type % bytes(__u32))); \
+ ~(1u << (type % bytes(__u32))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
((chunkmap)[type / bytes (__u32)] & \
- (1 << (type % bytes (__u32)))) ? 1: 0; \
+ (1u << (type % bytes (__u32)))) ? 1: 0; \
})
#define SCTP_CHUNKMAP_RESET(chunkmap) \
--
2.24.0

View File

@ -0,0 +1,37 @@
From fe5db6f78145aeac1b18d21c38c178b99cd7c04a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 7 Aug 2020 16:42:07 +0200
Subject: [PATCH] xtables-monitor: Fix ip6tables rule printing
When printing an ip6tables rule event, false family ops are used as they
are initially looked up for AF_INET and reused no matter the current
rule's family. In practice, this means that nft_rule_print_save() calls
the wrong rule_to_cs, save_rule and clear_cs callbacks. Therefore, if a
rule specifies a source or destination address, the address is not
printed.
Fix this by performing a family lookup each time rule_cb is called.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ca69b0290dc509d72118f0a054a5c740cb913875)
---
iptables/xtables-monitor.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 57def83e2eea0..4008cc00d4694 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -93,6 +93,8 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
if (arg->nfproto && arg->nfproto != family)
goto err_free;
+ arg->h->ops = nft_family_ops_lookup(family);
+
if (arg->is_event)
printf(" EVENT: ");
switch (family) {
--
2.40.0

View File

@ -0,0 +1,39 @@
From 895077fbd8f11b717fd414a02d22dae99d94b390 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 29 Jul 2020 15:39:31 +0200
Subject: [PATCH] nft: cache: Check consistency with NFT_CL_FAKE, too
Athough this cache level fetches table names only, it shouldn't skip the
consistency check.
Fixes: f42bfb344af82 ("nft: cache: Re-establish cache consistency check")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit b531365ce32f386d91c6a0bbc80ec4076e4babdd)
---
iptables/nft-cache.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 638b18bc7e382..434cc10b82ce7 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -511,14 +511,14 @@ __nft_build_cache(struct nft_handle *h)
if (req->level >= NFT_CL_TABLES)
fetch_table_cache(h);
if (req->level == NFT_CL_FAKE)
- return;
+ goto genid_check;
if (req->level >= NFT_CL_CHAINS)
fetch_chain_cache(h, t, chains);
if (req->level >= NFT_CL_SETS)
fetch_set_cache(h, t, NULL);
if (req->level >= NFT_CL_RULES)
fetch_rule_cache(h, t);
-
+genid_check:
mnl_genid_get(h, &genid_check);
if (h->nft_genid != genid_check) {
flush_cache(h, h->cache, NULL);
--
2.40.0

View File

@ -1,98 +0,0 @@
From da36213a48f6114ab998a5fb37bae61d2a02d5f6 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 6 Feb 2020 15:08:41 +0100
Subject: [PATCH] xtables-translate: Fix for interface name corner-cases
There are two special situations xlate_ifname() didn't cover for:
* Interface name containing '*': This went unchanged, creating a command
nft wouldn't accept. Instead translate into '\*' which doesn't change
semantics.
* Interface name being '+': Can't translate into nft wildcard character
as nft doesn't accept asterisk-only interface names. Instead decide
what to do based on 'invert' value: Skip match creation if false,
match against an invalid interface name if true.
Also add a test to make sure future changes to this behaviour are
noticed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit e179e87a1179e272a9bdabb0220b17d61d099ee3)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/generic.txlate | 12 ++++++++++++
iptables/xtables-translate.c | 33 ++++++++++++++++++++++++++++-----
2 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index b38fbd1fe113b..c92d082abea78 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -18,3 +18,15 @@ nft add rule bridge filter FORWARD iifname != "iname" meta ibrname "ilogname" oi
ebtables-translate -I INPUT -p ip -d 1:2:3:4:5:6/ff:ff:ff:ff:00:00
nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:00 and ff:ff:ff:ff:00:00 == 01:02:03:04:00:00 counter
+
+# asterisk is not special in iptables and it is even a valid interface name
+iptables-translate -A FORWARD -i '*' -o 'eth*foo'
+nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
+
+# skip for always matching interface names
+iptables-translate -A FORWARD -i '+'
+nft add rule ip filter FORWARD counter
+
+# match against invalid interface name to simulate never matching rule
+iptables-translate -A FORWARD ! -i '+'
+nft add rule ip filter FORWARD iifname "INVAL/D" counter
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 77a186b905d73..c4e177c0d63ba 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -32,15 +32,38 @@
void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
bool invert)
{
- int ifaclen = strlen(ifname);
- char iface[IFNAMSIZ];
+ int ifaclen = strlen(ifname), i, j;
+ char iface[IFNAMSIZ * 2];
if (ifaclen < 1 || ifaclen >= IFNAMSIZ)
return;
- strcpy(iface, ifname);
- if (iface[ifaclen - 1] == '+')
- iface[ifaclen - 1] = '*';
+ for (i = 0, j = 0; i < ifaclen + 1; i++, j++) {
+ switch (ifname[i]) {
+ case '+':
+ iface[j] = '*';
+ break;
+ case '*':
+ iface[j++] = '\\';
+ /* fall through */
+ default:
+ iface[j] = ifname[i];
+ break;
+ }
+ }
+
+ if (ifaclen == 1 && ifname[0] == '+') {
+ /* Nftables does not support wildcard only string. Workaround
+ * is easy, given that this will match always or never
+ * depending on 'invert' value. To match always, simply don't
+ * generate an expression. To match never, use an invalid
+ * interface name (kernel doesn't accept '/' in names) to match
+ * against. */
+ if (!invert)
+ return;
+ strcpy(iface, "INVAL/D");
+ invert = false;
+ }
xt_xlate_add(xl, "%s %s\"%s\" ", nftmeta, invert ? "!= " : "", iface);
}
--
2.24.1

View File

@ -1,4 +1,4 @@
From 74a62264d4615ae7f76454e7ca406c46a62c7999 Mon Sep 17 00:00:00 2001 From ba2da85b5a8940035f57dd395205c726c0c68ec7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Mon, 28 Sep 2020 18:57:18 +0200 Date: Mon, 28 Sep 2020 18:57:18 +0200
Subject: [PATCH] nft: Fix for broken address mask match detection Subject: [PATCH] nft: Fix for broken address mask match detection
@ -37,13 +37,12 @@ Fix the cast, safe an extra op and gain 100% performance in ideal cases.
Fixes: 56859380eb328 ("xtables-compat: avoid unneeded bitwise ops") Fixes: 56859380eb328 ("xtables-compat: avoid unneeded bitwise ops")
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 72ed608bf1ea550ac13b5b880afc7ad3ffa0afd0) (cherry picked from commit 72ed608bf1ea550ac13b5b880afc7ad3ffa0afd0)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
iptables/nft-shared.c | 2 +- iptables/nft-shared.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 78e422781723f..f60f5df97fb86 100644 index c5a8f3fcc051d..7741d23befc5a 100644
--- a/iptables/nft-shared.c --- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c +++ b/iptables/nft-shared.c
@@ -165,7 +165,7 @@ void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op) @@ -165,7 +165,7 @@ void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op)
@ -56,5 +55,5 @@ index 78e422781723f..f60f5df97fb86 100644
add_payload(r, offset, len, NFT_PAYLOAD_NETWORK_HEADER); add_payload(r, offset, len, NFT_PAYLOAD_NETWORK_HEADER);
-- --
2.28.0 2.40.0

View File

@ -1,60 +0,0 @@
From 1e1fda9ac0a809c64fd13b4fb759becac824809e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 13 Feb 2020 14:01:50 +0100
Subject: [PATCH] xtables-translate: Fix for iface++
In legacy iptables, only the last plus sign remains special, any
previous ones are taken literally. Therefore xtables-translate must not
replace all of them with asterisk but just the last one.
Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 94488d4eb912f5af4c88d148b39b38eb8a3c1f0b)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/generic.txlate | 4 ++++
iptables/xtables-translate.c | 6 +++---
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index c92d082abea78..0e256c3727559 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -23,6 +23,10 @@ nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:
iptables-translate -A FORWARD -i '*' -o 'eth*foo'
nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
+# escape all asterisks but translate only the first plus character
+iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++'
+nft add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter
+
# skip for always matching interface names
iptables-translate -A FORWARD -i '+'
nft add rule ip filter FORWARD counter
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index c4e177c0d63ba..0f95855b41aa4 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -40,9 +40,6 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
for (i = 0, j = 0; i < ifaclen + 1; i++, j++) {
switch (ifname[i]) {
- case '+':
- iface[j] = '*';
- break;
case '*':
iface[j++] = '\\';
/* fall through */
@@ -65,6 +62,9 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
invert = false;
}
+ if (iface[j - 2] == '+')
+ iface[j - 2] = '*';
+
xt_xlate_add(xl, "%s %s\"%s\" ", nftmeta, invert ? "!= " : "", iface);
}
--
2.24.1

View File

@ -1,4 +1,4 @@
From 6adcdca2aaf8cba6ee452c88f41ad8695bebdcfc Mon Sep 17 00:00:00 2001 From e674863343bf3233d2d1cdd9e17adad5381796a9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Tue, 6 Oct 2020 19:07:19 +0200 Date: Tue, 6 Oct 2020 19:07:19 +0200
Subject: [PATCH] extensions: libipt_icmp: Fix translation of type 'any' Subject: [PATCH] extensions: libipt_icmp: Fix translation of type 'any'
@ -14,7 +14,6 @@ Fixes: aa158ca0fda65 ("extensions: libipt_icmp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de> Reviewed-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit ad4b17b98bbedf93d2182a4dc9a37e9cf3adfe1b) (cherry picked from commit ad4b17b98bbedf93d2182a4dc9a37e9cf3adfe1b)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
extensions/libipt_icmp.c | 5 +++++ extensions/libipt_icmp.c | 5 +++++
extensions/libipt_icmp.txlate | 3 +++ extensions/libipt_icmp.txlate | 3 +++
@ -48,5 +47,5 @@ index 434f8cc4eb1ae..a2aec8e26df75 100644
+iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT +iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j ACCEPT
+nft add rule ip filter INPUT ip protocol icmp counter accept +nft add rule ip filter INPUT ip protocol icmp counter accept
-- --
2.28.0 2.40.0

View File

@ -1,366 +0,0 @@
From bbd2dd9ee6db7d11ab5b2b10a63b3dfd8b8acc9d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 12 Feb 2020 21:26:06 +0100
Subject: [PATCH] tests: shell: Fix skip checks with --host mode
When testing host binaries, XT_MULTI variable contains just the program
name without path component which most skip checks didn't expect. Fix
them, and while being at it also reduce indenting level in two scripts
by moving the skip check up front with an early exit call.
Fixes: 416898e335322 ("tests/shell: Support testing host binaries")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 2b2b7948c1960ba4680677664ff58477be869de6)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../arptables/0001-arptables-save-restore_0 | 2 +-
.../0002-arptables-restore-defaults_0 | 2 +-
.../arptables/0003-arptables-verbose-output_0 | 2 +-
.../testcases/ebtables/0001-ebtables-basic_0 | 135 +++++++++---------
.../ebtables/0002-ebtables-save-restore_0 | 2 +-
.../ebtables/0003-ebtables-restore-defaults_0 | 2 +-
.../testcases/ebtables/0004-save-counters_0 | 2 +-
.../testcases/ebtables/0005-ifnamechecks_0 | 2 +-
.../firewalld-restore/0001-firewalld_0 | 2 +-
.../testcases/ipt-restore/0004-restore-race_0 | 2 +-
.../shell/testcases/nft-only/0001compat_0 | 15 +-
.../shell/testcases/nft-only/0002invflags_0 | 2 +-
.../nft-only/0003delete-with-comment_0 | 2 +-
13 files changed, 88 insertions(+), 84 deletions(-)
diff --git a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
index bf04dc0a3e15a..e64e9142ee98b 100755
--- a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
+++ b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
@@ -4,7 +4,7 @@ set -e
#set -x
# there is no legacy backend to test
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
# fill arptables manually
diff --git a/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0 b/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0
index 38d387f327ebb..afd0fcb460d85 100755
--- a/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0
+++ b/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0
@@ -3,7 +3,7 @@
set -e
# there is no legacy backend to test
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
# arptables-restore reuses preloaded targets and matches, make sure defaults
# apply to consecutive rules using the same target/match as a previous one
diff --git a/iptables/tests/shell/testcases/arptables/0003-arptables-verbose-output_0 b/iptables/tests/shell/testcases/arptables/0003-arptables-verbose-output_0
index 10c5ec33ada2c..952cfa7898371 100755
--- a/iptables/tests/shell/testcases/arptables/0003-arptables-verbose-output_0
+++ b/iptables/tests/shell/testcases/arptables/0003-arptables-verbose-output_0
@@ -4,7 +4,7 @@ set -e
set -x
# there is no legacy backend to test
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
$XT_MULTI arptables -N foo
diff --git a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
index c7f24a383f698..0c1eb4ca66f52 100755
--- a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
+++ b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
@@ -1,86 +1,89 @@
#!/bin/sh
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
get_entries_count() { # (chain)
$XT_MULTI ebtables -L $1 | sed -n 's/.*entries: \([0-9]*\).*/\1/p'
}
set -x
-case "$XT_MULTI" in
-*/xtables-nft-multi)
- for t in filter nat;do
- $XT_MULTI ebtables -t $t -L || exit 1
- $XT_MULTI ebtables -t $t -X || exit 1
- $XT_MULTI ebtables -t $t -F || exit 1
- done
-
- for t in broute foobar ;do
- $XT_MULTI ebtables -t $t -L &&
- $XT_MULTI ebtables -t $t -X &&
- $XT_MULTI ebtables -t $t -F
- if [ $? -eq 0 ]; then
- echo "Expect nonzero return for unsupported table"
- exit 1
- fi
- done
+for t in filter nat;do
+ $XT_MULTI ebtables -t $t -L || exit 1
+ $XT_MULTI ebtables -t $t -X || exit 1
+ $XT_MULTI ebtables -t $t -F || exit 1
+done
- $XT_MULTI ebtables -t filter -N FOO || exit 1
- $XT_MULTI ebtables -t filter -N FOO
+for t in broute foobar ;do
+ $XT_MULTI ebtables -t $t -L &&
+ $XT_MULTI ebtables -t $t -X &&
+ $XT_MULTI ebtables -t $t -F
if [ $? -eq 0 ]; then
- echo "Duplicate chain FOO"
- $XT_MULTI ebtables -t filter -L
+ echo "Expect nonzero return for unsupported table"
exit 1
fi
+done
- entries=$(get_entries_count FOO)
- if [ $entries -ne 0 ]; then
- echo "Unexpected entries count in empty unreferenced chain (expected 0, have $entries)"
- $XT_MULTI ebtables -L
- exit 1
- fi
- $XT_MULTI ebtables -A FORWARD -j FOO
- entries=$(get_entries_count FORWARD)
- if [ $entries -ne 1 ]; then
- echo "Unexpected entries count in FORWARD chain (expected 1, have $entries)"
- $XT_MULTI ebtables -L
- exit 1
- fi
+$XT_MULTI ebtables -t filter -N FOO || exit 1
+$XT_MULTI ebtables -t filter -N FOO
+if [ $? -eq 0 ]; then
+ echo "Duplicate chain FOO"
+ $XT_MULTI ebtables -t filter -L
+ exit 1
+fi
- entries=$(get_entries_count FOO)
- if [ $entries -ne 0 ]; then
- echo "Unexpected entries count in empty referenced chain (expected 0, have $entries)"
- $XT_MULTI ebtables -L
- exit 1
- fi
+entries=$(get_entries_count FOO)
+if [ $entries -ne 0 ]; then
+ echo "Unexpected entries count in empty unreferenced chain (expected 0, have $entries)"
+ $XT_MULTI ebtables -L
+ exit 1
+fi
- $XT_MULTI ebtables -A FOO -j ACCEPT
- entries=$(get_entries_count FOO)
- if [ $entries -ne 1 ]; then
- echo "Unexpected entries count in non-empty referenced chain (expected 1, have $entries)"
- $XT_MULTI ebtables -L
- exit 1
- fi
+$XT_MULTI ebtables -A FORWARD -j FOO
+entries=$(get_entries_count FORWARD)
+if [ $entries -ne 1 ]; then
+ echo "Unexpected entries count in FORWARD chain (expected 1, have $entries)"
+ $XT_MULTI ebtables -L
+ exit 1
+fi
- $XT_MULTI ebtables -t filter -N BAR || exit 1
- $XT_MULTI ebtables -t filter -N BAZ || exit 1
+entries=$(get_entries_count FOO)
+if [ $entries -ne 0 ]; then
+ echo "Unexpected entries count in empty referenced chain (expected 0, have $entries)"
+ $XT_MULTI ebtables -L
+ exit 1
+fi
- $XT_MULTI ebtables -t filter -L | grep -q FOO || exit 1
- $XT_MULTI ebtables -t filter -L | grep -q BAR || exit 1
- $XT_MULTI ebtables -t filter -L | grep -q BAZ || exit 1
+$XT_MULTI ebtables -A FOO -j ACCEPT
+entries=$(get_entries_count FOO)
+if [ $entries -ne 1 ]; then
+ echo "Unexpected entries count in non-empty referenced chain (expected 1, have $entries)"
+ $XT_MULTI ebtables -L
+ exit 1
+fi
- $XT_MULTI ebtables -t filter -L BAZ || exit 1
- $XT_MULTI ebtables -t filter -X BAZ || exit 1
- $XT_MULTI ebtables -t filter -L BAZ | grep -q BAZ
- if [ $? -eq 0 ]; then
- echo "Deleted chain -L BAZ ok, expected failure"
- $XT_MULTI ebtables -t filter -L
- exit 1
- fi
+$XT_MULTI ebtables -t filter -N BAR || exit 1
+$XT_MULTI ebtables -t filter -N BAZ || exit 1
- $XT_MULTI ebtables -t $t -F || exit 0
- ;;
-*)
- echo "skip $XT_MULTI"
- ;;
-esac
+$XT_MULTI ebtables -t filter -L | grep -q FOO || exit 1
+$XT_MULTI ebtables -t filter -L | grep -q BAR || exit 1
+$XT_MULTI ebtables -t filter -L | grep -q BAZ || exit 1
+
+$XT_MULTI ebtables -t filter -L BAZ || exit 1
+$XT_MULTI ebtables -t filter -X BAZ || exit 1
+$XT_MULTI ebtables -t filter -L BAZ | grep -q BAZ
+if [ $? -eq 0 ]; then
+ echo "Deleted chain -L BAZ ok, expected failure"
+ $XT_MULTI ebtables -t filter -L
+ exit 1
+fi
+
+$XT_MULTI ebtables -t $t -F || exit 0
diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
index e18d46551509d..b84f63a7c3672 100755
--- a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
+++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
@@ -4,7 +4,7 @@ set -e
#set -x
# there is no legacy backend to test
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
# fill ebtables manually
diff --git a/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0 b/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0
index 62d224134456b..63891c1bb731a 100755
--- a/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0
+++ b/iptables/tests/shell/testcases/ebtables/0003-ebtables-restore-defaults_0
@@ -3,7 +3,7 @@
set -e
# there is no legacy backend to test
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
# ebtables-restore reuses preloaded targets and matches, make sure defaults
# apply to consecutive rules using the same target/match as a previous one
diff --git a/iptables/tests/shell/testcases/ebtables/0004-save-counters_0 b/iptables/tests/shell/testcases/ebtables/0004-save-counters_0
index 46966f433139a..d52db900604ef 100755
--- a/iptables/tests/shell/testcases/ebtables/0004-save-counters_0
+++ b/iptables/tests/shell/testcases/ebtables/0004-save-counters_0
@@ -3,7 +3,7 @@
set -e
# there is no legacy backend to test
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
$XT_MULTI ebtables --init-table
$XT_MULTI ebtables -A FORWARD -i nodev123 -o nodev432 -j ACCEPT
diff --git a/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0
index 2163d364b318b..0b3acfd7613db 100755
--- a/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0
+++ b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0
@@ -3,7 +3,7 @@
set -e
# there is no legacy backend to test
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
EXPECT='*filter
:INPUT ACCEPT
diff --git a/iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0 b/iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0
index 8bf0c2c6c194e..0174b03f4ebc7 100755
--- a/iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0
+++ b/iptables/tests/shell/testcases/firewalld-restore/0001-firewalld_0
@@ -231,7 +231,7 @@ for table in nat mangle raw filter;do
done
case "$XT_MULTI" in
-*/xtables-nft-multi)
+*xtables-nft-multi)
# nft-multi displays chain names in different order, work around this for now
tmpfile2=$(mktemp)
sort "$tmpfile" > "$tmpfile2"
diff --git a/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0 b/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0
index 96a5e66d0ab81..9fc50615b8926 100755
--- a/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0
+++ b/iptables/tests/shell/testcases/ipt-restore/0004-restore-race_0
@@ -86,7 +86,7 @@ if [ $LINES1 -ne $LINES2 ]; then
fi
case "$XT_MULTI" in
-*/xtables-nft-multi)
+*xtables-nft-multi)
attempts=$((RANDOM%10))
attempts=$((attempts+1))
;;
diff --git a/iptables/tests/shell/testcases/nft-only/0001compat_0 b/iptables/tests/shell/testcases/nft-only/0001compat_0
index 4319ea5a6a797..a617c52f53695 100755
--- a/iptables/tests/shell/testcases/nft-only/0001compat_0
+++ b/iptables/tests/shell/testcases/nft-only/0001compat_0
@@ -5,17 +5,18 @@
# xtables: avoid bogus 'is incompatible' warning
case "$XT_MULTI" in
-*/xtables-nft-multi)
- nft -v >/dev/null || exit 0
- nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1
- nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1
-
- $XT_MULTI iptables -L -t filter || exit 1
- $XT_MULTI ip6tables -L -t filter || exit 1
+*xtables-nft-multi)
;;
*)
echo skip $XT_MULTI
+ exit 0
;;
esac
+nft -v >/dev/null || exit 0
+nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1
+nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1
+
+$XT_MULTI iptables -L -t filter || exit 1
+$XT_MULTI ip6tables -L -t filter || exit 1
exit 0
diff --git a/iptables/tests/shell/testcases/nft-only/0002invflags_0 b/iptables/tests/shell/testcases/nft-only/0002invflags_0
index 406b6081a98a4..fe33874dde7f2 100755
--- a/iptables/tests/shell/testcases/nft-only/0002invflags_0
+++ b/iptables/tests/shell/testcases/nft-only/0002invflags_0
@@ -2,7 +2,7 @@
set -e
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
$XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT
$XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT
diff --git a/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
index 67af9fd897410..ccb009e469076 100755
--- a/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
@@ -2,7 +2,7 @@
set -e
-[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
comment1="foo bar"
comment2="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
--
2.24.1

View File

@ -1,4 +1,4 @@
From e6eede725bbd395fb8b385aec4d0a32ce99e842c Mon Sep 17 00:00:00 2001 From 4616623e18cb1868960194cd7f695969c594a35b Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Mon, 21 Sep 2020 13:42:06 +0200 Date: Mon, 21 Sep 2020 13:42:06 +0200
Subject: [PATCH] libxtables: Make sure extensions register in revision order Subject: [PATCH] libxtables: Make sure extensions register in revision order
@ -13,16 +13,15 @@ eventually.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit b3ac87038f4e45141831d9ab485a2f627daba3f1) (cherry picked from commit b3ac87038f4e45141831d9ab485a2f627daba3f1)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
libxtables/xtables.c | 71 +++++++++++++++++++++++++++++++++++++++----- libxtables/xtables.c | 71 +++++++++++++++++++++++++++++++++++++++-----
1 file changed, 64 insertions(+), 7 deletions(-) 1 file changed, 64 insertions(+), 7 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 777c2b08e9896..13139d7f8ad62 100644 index 8907ba2069be7..de52e3e2bbc15 100644
--- a/libxtables/xtables.c --- a/libxtables/xtables.c
+++ b/libxtables/xtables.c +++ b/libxtables/xtables.c
@@ -902,8 +902,14 @@ static void xtables_check_options(const char *name, const struct option *opt) @@ -948,8 +948,14 @@ static void xtables_check_options(const char *name, const struct option *opt)
} }
} }
@ -37,7 +36,7 @@ index 777c2b08e9896..13139d7f8ad62 100644
if (me->next) { if (me->next) {
fprintf(stderr, "%s: match \"%s\" already registered\n", fprintf(stderr, "%s: match \"%s\" already registered\n",
xt_params->program_name, me->name); xt_params->program_name, me->name);
@@ -955,10 +961,34 @@ void xtables_register_match(struct xtables_match *me) @@ -1001,10 +1007,34 @@ void xtables_register_match(struct xtables_match *me)
if (me->extra_opts != NULL) if (me->extra_opts != NULL)
xtables_check_options(me->name, me->extra_opts); xtables_check_options(me->name, me->extra_opts);
@ -76,7 +75,7 @@ index 777c2b08e9896..13139d7f8ad62 100644
} }
/** /**
@@ -1097,6 +1127,9 @@ void xtables_register_matches(struct xtables_match *match, unsigned int n) @@ -1143,6 +1173,9 @@ void xtables_register_matches(struct xtables_match *match, unsigned int n)
void xtables_register_target(struct xtables_target *me) void xtables_register_target(struct xtables_target *me)
{ {
@ -86,7 +85,7 @@ index 777c2b08e9896..13139d7f8ad62 100644
if (me->next) { if (me->next) {
fprintf(stderr, "%s: target \"%s\" already registered\n", fprintf(stderr, "%s: target \"%s\" already registered\n",
xt_params->program_name, me->name); xt_params->program_name, me->name);
@@ -1152,9 +1185,33 @@ void xtables_register_target(struct xtables_target *me) @@ -1198,9 +1231,33 @@ void xtables_register_target(struct xtables_target *me)
if (me->family != afinfo->family && me->family != AF_UNSPEC) if (me->family != afinfo->family && me->family != AF_UNSPEC)
return; return;
@ -124,5 +123,5 @@ index 777c2b08e9896..13139d7f8ad62 100644
static bool xtables_fully_register_pending_target(struct xtables_target *me) static bool xtables_fully_register_pending_target(struct xtables_target *me)
-- --
2.28.0 2.40.0

View File

@ -1,78 +0,0 @@
From 5ea18ea8c0c99f2c71a5eaf32f4fbf6339ce8cc7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 11 Feb 2020 16:52:59 +0100
Subject: [PATCH] xtables-restore: fix for --noflush and empty lines
Lookahead buffer used for cache requirements estimate in restore
--noflush separates individual lines with nul-chars. Two consecutive
nul-chars are interpreted as end of buffer and remaining buffer content
is skipped.
Sadly, reading an empty line (i.e., one containing a newline character
only) caused double nul-chars to appear in buffer as well, leading to
premature stop when reading cached lines from buffer.
To fix that, make use of xtables_restore_parse_line() skipping empty
lines without calling strtok() and just leave the newline character in
place. A more intuitive approach, namely skipping empty lines while
buffering, is deliberately not chosen as that would cause wrong values
in 'line' variable.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
(cherry picked from commit 8e76391096f12212985c401ee83a67990aa27a29)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../ipt-restore/0011-noflush-empty-line_0 | 16 ++++++++++++++++
iptables/xtables-restore.c | 8 +++++---
2 files changed, 21 insertions(+), 3 deletions(-)
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
new file mode 100755
index 0000000000000..bea1a690bb624
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
@@ -0,0 +1,16 @@
+#!/bin/bash -e
+
+# make sure empty lines won't break --noflush
+
+cat <<EOF | $XT_MULTI iptables-restore --noflush
+# just a comment followed by innocent empty line
+
+*filter
+-A FORWARD -j ACCEPT
+COMMIT
+EOF
+
+EXPECT='Chain FORWARD (policy ACCEPT)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 '
+diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD)
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 63cc15cee9621..fb2ac8b5c12a3 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -293,11 +293,13 @@ void xtables_restore_parse(struct nft_handle *h,
while (fgets(buffer, sizeof(buffer), p->in)) {
size_t blen = strlen(buffer);
- /* drop trailing newline; xtables_restore_parse_line()
+ /* Drop trailing newline; xtables_restore_parse_line()
* uses strtok() which replaces them by nul-characters,
* causing unpredictable string delimiting in
- * preload_buffer */
- if (buffer[blen - 1] == '\n')
+ * preload_buffer.
+ * Unless this is an empty line which would fold into a
+ * spurious EoB indicator (double nul-char). */
+ if (buffer[blen - 1] == '\n' && blen > 1)
buffer[blen - 1] = '\0';
else
blen++;
--
2.24.1

View File

@ -1,43 +0,0 @@
From 40e7bc3055f9bc34ccb6327f1f32c2fc524fb693 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 18 Feb 2020 16:43:16 +0100
Subject: [PATCH] iptables-test.py: Fix --host mode
In some cases, the script still called repo binaries. Avoid this when in
--host mode to allow testing without the need to compile sources in
beforehand.
Fixes: 1b5d762c1865e ("iptables-test: Support testing host binaries")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ba2af278e8836977a8cfb35c54dac60ca9b40000)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables-test.py | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/iptables-test.py b/iptables-test.py
index fdb4e6a3644e4..e986d7a318218 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -119,8 +119,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
elif splitted[0] == EBTABLES:
command = EBTABLES_SAVE
- path = os.path.abspath(os.path.curdir) + "/iptables/" + EXECUTEABLE
- command = path + " " + command
+ command = EXECUTEABLE + " " + command
if netns:
command = "ip netns exec ____iptables-container-test " + command
@@ -165,7 +164,7 @@ def execute_cmd(cmd, filename, lineno):
'''
global log_file
if cmd.startswith('iptables ') or cmd.startswith('ip6tables ') or cmd.startswith('ebtables ') or cmd.startswith('arptables '):
- cmd = os.path.abspath(os.path.curdir) + "/iptables/" + EXECUTEABLE + " " + cmd
+ cmd = EXECUTEABLE + " " + cmd
print("command: {}".format(cmd), file=log_file)
ret = subprocess.call(cmd, shell=True, universal_newlines=True,
--
2.25.1

View File

@ -1,4 +1,4 @@
From 1a842fb1cfb3b36f3081aee37c5fdd4a897d77d5 Mon Sep 17 00:00:00 2001 From 4b5e9e71fbad66aef1db079905cba2db032a7515 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Fri, 18 Sep 2020 18:48:14 +0200 Date: Fri, 18 Sep 2020 18:48:14 +0200
Subject: [PATCH] libxtables: Simplify pending extension registration Subject: [PATCH] libxtables: Simplify pending extension registration
@ -21,13 +21,12 @@ xtables_find_*().
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit a1eaaceb0460b338294e40bdd5bc5186320a478c) (cherry picked from commit a1eaaceb0460b338294e40bdd5bc5186320a478c)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
libxtables/xtables.c | 128 +++++++++++-------------------------------- libxtables/xtables.c | 128 +++++++++++--------------------------------
1 file changed, 33 insertions(+), 95 deletions(-) 1 file changed, 33 insertions(+), 95 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 13139d7f8ad62..409128333e0e6 100644 index de52e3e2bbc15..10d4e70328500 100644
--- a/libxtables/xtables.c --- a/libxtables/xtables.c
+++ b/libxtables/xtables.c +++ b/libxtables/xtables.c
@@ -203,8 +203,10 @@ struct xtables_match *xtables_matches; @@ -203,8 +203,10 @@ struct xtables_match *xtables_matches;
@ -41,9 +40,9 @@ index 13139d7f8ad62..409128333e0e6 100644
+static bool xtables_fully_register_pending_target(struct xtables_target *me, +static bool xtables_fully_register_pending_target(struct xtables_target *me,
+ struct xtables_target *prev); + struct xtables_target *prev);
void xtables_init(void) #ifndef NO_SHARED_LIBS
{ /* registry for loaded shared objects to close later */
@@ -616,6 +618,7 @@ struct xtables_match * @@ -662,6 +664,7 @@ struct xtables_match *
xtables_find_match(const char *name, enum xtables_tryload tryload, xtables_find_match(const char *name, enum xtables_tryload tryload,
struct xtables_rule_match **matches) struct xtables_rule_match **matches)
{ {
@ -51,7 +50,7 @@ index 13139d7f8ad62..409128333e0e6 100644
struct xtables_match **dptr; struct xtables_match **dptr;
struct xtables_match *ptr; struct xtables_match *ptr;
const char *icmp6 = "icmp6"; const char *icmp6 = "icmp6";
@@ -637,8 +640,12 @@ xtables_find_match(const char *name, enum xtables_tryload tryload, @@ -683,8 +686,12 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr; ptr = *dptr;
*dptr = (*dptr)->next; *dptr = (*dptr)->next;
@ -65,7 +64,7 @@ index 13139d7f8ad62..409128333e0e6 100644
*dptr = ptr; *dptr = ptr;
} }
dptr = &((*dptr)->next); dptr = &((*dptr)->next);
@@ -732,6 +739,7 @@ xtables_find_match_revision(const char *name, enum xtables_tryload tryload, @@ -778,6 +785,7 @@ xtables_find_match_revision(const char *name, enum xtables_tryload tryload,
struct xtables_target * struct xtables_target *
xtables_find_target(const char *name, enum xtables_tryload tryload) xtables_find_target(const char *name, enum xtables_tryload tryload)
{ {
@ -73,7 +72,7 @@ index 13139d7f8ad62..409128333e0e6 100644
struct xtables_target **dptr; struct xtables_target **dptr;
struct xtables_target *ptr; struct xtables_target *ptr;
@@ -748,8 +756,12 @@ xtables_find_target(const char *name, enum xtables_tryload tryload) @@ -794,8 +802,12 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) { if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr; ptr = *dptr;
*dptr = (*dptr)->next; *dptr = (*dptr)->next;
@ -87,7 +86,7 @@ index 13139d7f8ad62..409128333e0e6 100644
*dptr = ptr; *dptr = ptr;
} }
dptr = &((*dptr)->next); dptr = &((*dptr)->next);
@@ -1052,64 +1064,27 @@ static int xtables_target_prefer(const struct xtables_target *a, @@ -1098,64 +1110,27 @@ static int xtables_target_prefer(const struct xtables_target *a,
b->revision, b->family); b->revision, b->family);
} }
@ -160,7 +159,7 @@ index 13139d7f8ad62..409128333e0e6 100644
*i = me; *i = me;
me->m = NULL; me->m = NULL;
@@ -1214,11 +1189,11 @@ void xtables_register_target(struct xtables_target *me) @@ -1260,11 +1235,11 @@ void xtables_register_target(struct xtables_target *me)
#endif #endif
} }
@ -175,7 +174,7 @@ index 13139d7f8ad62..409128333e0e6 100644
if (strcmp(me->name, "standard") != 0) { if (strcmp(me->name, "standard") != 0) {
/* See if new target can be used. */ /* See if new target can be used. */
@@ -1227,54 +1202,17 @@ static bool xtables_fully_register_pending_target(struct xtables_target *me) @@ -1273,54 +1248,17 @@ static bool xtables_fully_register_pending_target(struct xtables_target *me)
return false; return false;
} }
@ -237,5 +236,5 @@ index 13139d7f8ad62..409128333e0e6 100644
me->t = NULL; me->t = NULL;
-- --
2.28.0 2.40.0

View File

@ -1,4 +1,4 @@
From cfcafd3638cdc06a8b4a1d267e58b5ad1e35922c Mon Sep 17 00:00:00 2001 From 1ae06e3a2da1c21a75b55609b99d1ab3ef6cf709 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Tue, 22 Sep 2020 20:01:15 +0200 Date: Tue, 22 Sep 2020 20:01:15 +0200
Subject: [PATCH] libxtables: Register multiple extensions in ascending order Subject: [PATCH] libxtables: Register multiple extensions in ascending order
@ -10,16 +10,15 @@ extensions' arrays, iterate over them from beginning to end.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit b5f1a3beac1d1f2b96c8be8ebec450f5ea758090) (cherry picked from commit b5f1a3beac1d1f2b96c8be8ebec450f5ea758090)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
libxtables/xtables.c | 14 ++++++++------ libxtables/xtables.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-) 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 409128333e0e6..28ffffedd8147 100644 index 10d4e70328500..7152c6576cd63 100644
--- a/libxtables/xtables.c --- a/libxtables/xtables.c
+++ b/libxtables/xtables.c +++ b/libxtables/xtables.c
@@ -1095,9 +1095,10 @@ static bool xtables_fully_register_pending_match(struct xtables_match *me, @@ -1141,9 +1141,10 @@ static bool xtables_fully_register_pending_match(struct xtables_match *me,
void xtables_register_matches(struct xtables_match *match, unsigned int n) void xtables_register_matches(struct xtables_match *match, unsigned int n)
{ {
@ -33,7 +32,7 @@ index 409128333e0e6..28ffffedd8147 100644
} }
void xtables_register_target(struct xtables_target *me) void xtables_register_target(struct xtables_target *me)
@@ -1223,9 +1224,10 @@ static bool xtables_fully_register_pending_target(struct xtables_target *me, @@ -1269,9 +1270,10 @@ static bool xtables_fully_register_pending_target(struct xtables_target *me,
void xtables_register_targets(struct xtables_target *target, unsigned int n) void xtables_register_targets(struct xtables_target *target, unsigned int n)
{ {
@ -48,5 +47,5 @@ index 409128333e0e6..28ffffedd8147 100644
/* receives a list of xtables_rule_match, release them */ /* receives a list of xtables_rule_match, release them */
-- --
2.28.0 2.40.0

View File

@ -1,274 +0,0 @@
From 51f895d54af6e163e0290520e124e9413438ccf4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 21 Feb 2020 14:55:52 +0100
Subject: [PATCH] xtables: Review nft_init()
Move common code into nft_init(), such as:
* initial zeroing nft_handle fields
* family ops lookup and assignment to 'ops' field
* setting of 'family' field
This requires minor adjustments in xtables_restore_main() so extra field
initialization doesn't happen before nft_init() call.
As a side-effect, this fixes segfaulting xtables-monitor binary when
printing rules for trace event as in that code-path 'ops' field wasn't
initialized.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit d0446ab11182f6ca2adc486a124895f09a220c6e)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 9 ++++++++-
iptables/nft.h | 2 +-
iptables/xtables-arp.c | 9 +--------
iptables/xtables-eb.c | 9 +--------
iptables/xtables-monitor.c | 2 +-
iptables/xtables-restore.c | 14 +++++++-------
iptables/xtables-save.c | 9 ++-------
iptables/xtables-standalone.c | 6 ++----
iptables/xtables-translate.c | 2 +-
iptables/xtables.c | 4 ----
10 files changed, 24 insertions(+), 42 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 3f2a62ae12c07..0287add3fb21f 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -789,8 +789,10 @@ int nft_restart(struct nft_handle *h)
return 0;
}
-int nft_init(struct nft_handle *h, const struct builtin_table *t)
+int nft_init(struct nft_handle *h, int family, const struct builtin_table *t)
{
+ memset(h, 0, sizeof(*h));
+
h->nl = mnl_socket_open(NETLINK_NETFILTER);
if (h->nl == NULL)
return -1;
@@ -800,9 +802,14 @@ int nft_init(struct nft_handle *h, const struct builtin_table *t)
return -1;
}
+ h->ops = nft_family_ops_lookup(family);
+ if (!h->ops)
+ xtables_error(PARAMETER_PROBLEM, "Unknown family");
+
h->portid = mnl_socket_get_portid(h->nl);
h->tables = t;
h->cache = &h->__cache[0];
+ h->family = family;
INIT_LIST_HEAD(&h->obj_list);
INIT_LIST_HEAD(&h->err_list);
diff --git a/iptables/nft.h b/iptables/nft.h
index 51b5660314c0c..5cf260a6d2cd3 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -80,7 +80,7 @@ extern const struct builtin_table xtables_bridge[NFT_TABLE_MAX];
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
int (*cb)(const struct nlmsghdr *nlh, void *data),
void *data);
-int nft_init(struct nft_handle *h, const struct builtin_table *t);
+int nft_init(struct nft_handle *h, int family, const struct builtin_table *t);
void nft_fini(struct nft_handle *h);
int nft_restart(struct nft_handle *h);
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 9cfad76263d32..c8196f08baa59 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -500,17 +500,10 @@ int nft_init_arp(struct nft_handle *h, const char *pname)
init_extensionsa();
#endif
- memset(h, 0, sizeof(*h));
- h->family = NFPROTO_ARP;
-
- if (nft_init(h, xtables_arp) < 0)
+ if (nft_init(h, NFPROTO_ARP, xtables_arp) < 0)
xtables_error(OTHER_PROBLEM,
"Could not initialize nftables layer.");
- h->ops = nft_family_ops_lookup(h->family);
- if (h->ops == NULL)
- xtables_error(PARAMETER_PROBLEM, "Unknown family");
-
return 0;
}
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 15b971da3d425..c006bc95ac681 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -739,16 +739,9 @@ int nft_init_eb(struct nft_handle *h, const char *pname)
init_extensionsb();
#endif
- memset(h, 0, sizeof(*h));
-
- h->family = NFPROTO_BRIDGE;
-
- if (nft_init(h, xtables_bridge) < 0)
+ if (nft_init(h, NFPROTO_BRIDGE, xtables_bridge) < 0)
xtables_error(OTHER_PROBLEM,
"Could not initialize nftables layer.");
- h->ops = nft_family_ops_lookup(h->family);
- if (!h->ops)
- xtables_error(PARAMETER_PROBLEM, "Unknown family");
/* manually registering ebt matches, given the original ebtables parser
* don't use '-m matchname' and the match can't be loaded dynamically when
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index a5245d1422af9..c2b31dbaa0795 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -615,7 +615,7 @@ int xtables_monitor_main(int argc, char *argv[])
init_extensions4();
#endif
- if (nft_init(&h, xtables_ipv4)) {
+ if (nft_init(&h, AF_INET, xtables_ipv4)) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index fb2ac8b5c12a3..11834c0ea98c5 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -360,15 +360,13 @@ static int
xtables_restore_main(int family, const char *progname, int argc, char *argv[])
{
const struct builtin_table *tables;
- struct nft_handle h = {
- .family = family,
- .restore = true,
- };
- int c;
struct nft_xt_restore_parse p = {
.commit = true,
.cb = &restore_cb,
};
+ bool noflush = false;
+ struct nft_handle h;
+ int c;
line = 0;
@@ -402,7 +400,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
print_usage(prog_name, PACKAGE_VERSION);
exit(0);
case 'n':
- h.noflush = 1;
+ noflush = true;
break;
case 'M':
xtables_modprobe_program = optarg;
@@ -464,13 +462,15 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
return 1;
}
- if (nft_init(&h, tables) < 0) {
+ if (nft_init(&h, family, tables) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
strerror(errno));
exit(EXIT_FAILURE);
}
+ h.noflush = noflush;
+ h.restore = true;
xtables_restore_parse(&h, &p);
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 3a52f8c3d8209..228282deaed07 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -139,10 +139,8 @@ xtables_save_main(int family, int argc, char *argv[],
struct do_output_data d = {
.format = FMT_NOCOUNTS,
};
+ struct nft_handle h;
bool dump = false;
- struct nft_handle h = {
- .family = family,
- };
FILE *file = NULL;
int ret, c;
@@ -242,16 +240,13 @@ xtables_save_main(int family, int argc, char *argv[],
return 1;
}
- if (nft_init(&h, tables) < 0) {
+ if (nft_init(&h, family, tables) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
strerror(errno));
exit(EXIT_FAILURE);
}
- h.ops = nft_family_ops_lookup(h.family);
- if (!h.ops)
- xtables_error(PARAMETER_PROBLEM, "Unknown family");
ret = do_output(&h, tablename, &d);
nft_fini(&h);
diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
index 1a28c5480629f..022d5dd44abbf 100644
--- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c
@@ -44,9 +44,7 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
{
int ret;
char *table = "filter";
- struct nft_handle h = {
- .family = family,
- };
+ struct nft_handle h;
xtables_globals.program_name = progname;
ret = xtables_init_all(&xtables_globals, family);
@@ -61,7 +59,7 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
init_extensions4();
#endif
- if (nft_init(&h, xtables_ipv4) < 0) {
+ if (nft_init(&h, family, xtables_ipv4) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 0f95855b41aa4..76ad7eb69eca9 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -480,7 +480,7 @@ static int xtables_xlate_main_common(struct nft_handle *h,
return 1;
}
- if (nft_init(h, tables) < 0) {
+ if (nft_init(h, family, tables) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 8f9dc628d0029..4b24d15c46295 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -571,10 +571,6 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
demand-load a protocol. */
opterr = 0;
- h->ops = nft_family_ops_lookup(h->family);
- if (h->ops == NULL)
- xtables_error(PARAMETER_PROBLEM, "Unknown family");
-
opts = xt_params->orig_opts;
while ((cs->c = getopt_long(argc, argv,
"-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46",
--
2.26.2

View File

@ -1,4 +1,4 @@
From d1b516014e4883f30ee2faf264dd89a6d7940e2c Mon Sep 17 00:00:00 2001 From 99bf566bfcabce101940b28a12f61c637ccfb489 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Sat, 3 Oct 2020 17:46:09 +0200 Date: Sat, 3 Oct 2020 17:46:09 +0200
Subject: [PATCH] nft: Make batch_add_chain() return the added batch object Subject: [PATCH] nft: Make batch_add_chain() return the added batch object
@ -11,22 +11,15 @@ While being at it, simplify a few callers and eliminate the need for a
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de> Reviewed-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 0d77e64e8d9b8a3984b01a4951524dc40f61f4b6) (cherry picked from commit 0d77e64e8d9b8a3984b01a4951524dc40f61f4b6)
Conflicts:
iptables/nft.c
-> Upstream changed good/bad return codes of nft_chain_restore()
function.
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
iptables/nft.c | 35 +++++++++++++++++------------------ iptables/nft.c | 35 +++++++++++++++++------------------
1 file changed, 17 insertions(+), 18 deletions(-) 1 file changed, 17 insertions(+), 18 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c diff --git a/iptables/nft.c b/iptables/nft.c
index e95e99f1d8d71..0efd18d57320f 100644 index e795d4ae6d241..ec5f7457e4784 100644
--- a/iptables/nft.c --- a/iptables/nft.c
+++ b/iptables/nft.c +++ b/iptables/nft.c
@@ -398,10 +398,11 @@ batch_set_add(struct nft_handle *h, enum obj_update_type type, @@ -389,10 +389,11 @@ batch_set_add(struct nft_handle *h, enum obj_update_type type,
return batch_add(h, type, s); return batch_add(h, type, s);
} }
@ -40,7 +33,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
} }
static struct obj_update * static struct obj_update *
@@ -910,7 +911,6 @@ int nft_chain_set(struct nft_handle *h, const char *table, @@ -920,7 +921,6 @@ int nft_chain_set(struct nft_handle *h, const char *table,
const struct xt_counters *counters) const struct xt_counters *counters)
{ {
struct nftnl_chain *c = NULL; struct nftnl_chain *c = NULL;
@ -48,7 +41,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
nft_fn = nft_chain_set; nft_fn = nft_chain_set;
@@ -924,10 +924,11 @@ int nft_chain_set(struct nft_handle *h, const char *table, @@ -934,10 +934,11 @@ int nft_chain_set(struct nft_handle *h, const char *table,
if (c == NULL) if (c == NULL)
return 0; return 0;
@ -62,7 +55,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
} }
static int __add_match(struct nftnl_expr *e, struct xt_entry_match *m) static int __add_match(struct nftnl_expr *e, struct xt_entry_match *m)
@@ -1734,7 +1735,6 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl @@ -1752,7 +1753,6 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
{ {
struct nftnl_chain_list *list; struct nftnl_chain_list *list;
struct nftnl_chain *c; struct nftnl_chain *c;
@ -70,7 +63,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
nft_fn = nft_chain_user_add; nft_fn = nft_chain_user_add;
@@ -1754,14 +1754,15 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl @@ -1772,14 +1772,15 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
if (h->family == NFPROTO_BRIDGE) if (h->family == NFPROTO_BRIDGE)
nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, NF_ACCEPT); nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, NF_ACCEPT);
@ -88,7 +81,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
} }
int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table) int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table)
@@ -1769,7 +1770,6 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table @@ -1787,7 +1788,6 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table
struct nftnl_chain_list *list; struct nftnl_chain_list *list;
struct nftnl_chain *c; struct nftnl_chain *c;
bool created = false; bool created = false;
@ -96,24 +89,25 @@ index e95e99f1d8d71..0efd18d57320f 100644
c = nft_chain_find(h, table, chain); c = nft_chain_find(h, table, chain);
if (c) { if (c) {
@@ -1794,13 +1794,14 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table @@ -1812,14 +1812,15 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table
if (!created) if (!created)
return 0; return 1;
- ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c); - ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c);
+ if (!batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c)) + if (!batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c))
+ return -1; + return 0;
list = nft_chain_list_get(h, table, chain); list = nft_chain_list_get(h, table, chain);
if (list) if (list)
nftnl_chain_list_add(c, list); nftnl_chain_list_add(c, list);
- return ret; /* the core expects 1 for success and 0 for error */
+ return 0; - return ret == 0 ? 1 : 0;
+ return 1;
} }
/* From linux/netlink.h */ /* From linux/netlink.h */
@@ -1818,7 +1819,6 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data) @@ -1837,7 +1838,6 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data)
{ {
struct chain_user_del_data *d = data; struct chain_user_del_data *d = data;
struct nft_handle *h = d->handle; struct nft_handle *h = d->handle;
@ -121,7 +115,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
/* don't delete built-in chain */ /* don't delete built-in chain */
if (nft_chain_builtin(c)) if (nft_chain_builtin(c))
@@ -1834,8 +1834,7 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data) @@ -1849,8 +1849,7 @@ static int __nft_chain_user_del(struct nftnl_chain *c, void *data)
/* XXX This triggers a fast lookup from the kernel. */ /* XXX This triggers a fast lookup from the kernel. */
nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE); nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
@ -131,7 +125,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
return -1; return -1;
nftnl_chain_list_del(c); nftnl_chain_list_del(c);
@@ -1910,7 +1909,6 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain, @@ -1925,7 +1924,6 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain,
{ {
struct nftnl_chain *c; struct nftnl_chain *c;
uint64_t handle; uint64_t handle;
@ -139,7 +133,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
nft_fn = nft_chain_user_rename; nft_fn = nft_chain_user_rename;
@@ -1941,10 +1939,11 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain, @@ -1954,10 +1952,11 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain,
nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, newname); nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, newname);
nftnl_chain_set_u64(c, NFTNL_CHAIN_HANDLE, handle); nftnl_chain_set_u64(c, NFTNL_CHAIN_HANDLE, handle);
@ -153,7 +147,7 @@ index e95e99f1d8d71..0efd18d57320f 100644
} }
bool nft_table_find(struct nft_handle *h, const char *tablename) bool nft_table_find(struct nft_handle *h, const char *tablename)
@@ -3217,7 +3216,7 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data) @@ -3404,7 +3403,7 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data)
nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0); nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0);
nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0); nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0);
nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE); nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
@ -163,5 +157,5 @@ index e95e99f1d8d71..0efd18d57320f 100644
} }
-- --
2.28.0 2.40.0

View File

@ -1,49 +0,0 @@
From 66b9f92ef41de90fc2b0359247c36bc6d128233d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 28 Feb 2020 20:32:13 +0100
Subject: [PATCH] nft: cache: Fix nft_release_cache() under stress
iptables-nft-restore calls nft_action(h, NFT_COMPAT_COMMIT) for each
COMMIT line in input. When restoring a dump containing multiple large
tables, chances are nft_rebuild_cache() has to run multiple times.
If the above happens, consecutive table contents are added to __cache[1]
which nft_rebuild_cache() then frees, so next commit attempt accesses
invalid memory.
Fix this by making nft_release_cache() (called after each successful
commit) return things into pre-rebuild state again, but keeping the
fresh cache copy.
Fixes: f6ad231d698c7 ("nft: keep original cache in case of ERESTART")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit c550c81fd373e5753103d20f7902171f0fa79807)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft-cache.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 7345a27e2894b..6f21f2283e0fb 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -647,8 +647,14 @@ void nft_rebuild_cache(struct nft_handle *h)
void nft_release_cache(struct nft_handle *h)
{
- if (h->cache_index)
- flush_cache(h, &h->__cache[0], NULL);
+ if (!h->cache_index)
+ return;
+
+ flush_cache(h, &h->__cache[0], NULL);
+ memcpy(&h->__cache[0], &h->__cache[1], sizeof(h->__cache[0]));
+ memset(&h->__cache[1], 0, sizeof(h->__cache[1]));
+ h->cache_index = 0;
+ h->cache = &h->__cache[0];
}
struct nftnl_table_list *nftnl_table_list_get(struct nft_handle *h)
--
2.25.1

View File

@ -1,4 +1,4 @@
From 2dff9a669400644ec1e66d394b03d743eec2cd55 Mon Sep 17 00:00:00 2001 From 8ab5e29f192187bc12a2064036cf406de60b2cd5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Mon, 5 Oct 2020 15:54:35 +0200 Date: Mon, 5 Oct 2020 15:54:35 +0200
Subject: [PATCH] nft: Fix error reporting for refreshed transactions Subject: [PATCH] nft: Fix error reporting for refreshed transactions
@ -15,16 +15,15 @@ Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications")
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de> Reviewed-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit e98b825a037807bf6c918eb66ee9682cc4c46183) (cherry picked from commit e98b825a037807bf6c918eb66ee9682cc4c46183)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
iptables/nft.c | 5 +++-- iptables/nft.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-) 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c diff --git a/iptables/nft.c b/iptables/nft.c
index 0efd18d57320f..d661ac2cafda6 100644 index ec5f7457e4784..d3eb0840a9fc0 100644
--- a/iptables/nft.c --- a/iptables/nft.c
+++ b/iptables/nft.c +++ b/iptables/nft.c
@@ -2767,9 +2767,10 @@ retry: @@ -2832,9 +2832,10 @@ static int nft_action(struct nft_handle *h, int action)
h->nft_genid++; h->nft_genid++;
list_for_each_entry(n, &h->obj_list, head) { list_for_each_entry(n, &h->obj_list, head) {
@ -38,5 +37,5 @@ index 0efd18d57320f..d661ac2cafda6 100644
n->seq = seq++; n->seq = seq++;
switch (n->type) { switch (n->type) {
-- --
2.28.0 2.40.0

View File

@ -1,84 +0,0 @@
From 38c94a9f5ea03deffe0a34056a0f83a4af4641bb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Mar 2020 13:02:12 +0100
Subject: [PATCH] nft: cache: Fix iptables-save segfault under stress
If kernel ruleset is constantly changing, code called by
nft_is_table_compatible() may crash: For each item in table's chain
list, nft_is_chain_compatible() is called. This in turn calls
nft_build_cache() to fetch chain's rules. Though if kernel genid has changed
meanwhile, cache is flushed and rebuilt from scratch, thereby freeing
table's chain list - the foreach loop in nft_is_table_compatible() then
operates on freed memory.
A simple reproducer (may need a few calls):
| RULESET='*filter
| :INPUT ACCEPT [10517:1483527]
| :FORWARD ACCEPT [0:0]
| :OUTPUT ACCEPT [1714:105671]
| COMMIT
| '
|
| for ((i = 0; i < 100; i++)); do
| iptables-nft-restore <<< "$RULESET" &
| done &
| iptables-nft-save
To fix the problem, basically revert commit ab1cd3b510fa5 ("nft: ensure
cache consistency") so that __nft_build_cache() no longer flushes the
cache. Instead just record kernel's genid when fetching for the first
time. If kernel rule set changes until the changes are committed, the
commit simply fails and local cache is being rebuilt.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 200bc399651499f502ac0de45f4d4aa4c9d37ab6)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft-cache.c | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 6f21f2283e0fb..07265b7795e4f 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -452,15 +452,11 @@ __nft_build_cache(struct nft_handle *h, enum nft_cache_level level,
const struct builtin_table *t, const char *set,
const char *chain)
{
- uint32_t genid_start, genid_stop;
-
if (level <= h->cache_level)
return;
-retry:
- mnl_genid_get(h, &genid_start);
- if (h->cache_level && genid_start != h->nft_genid)
- flush_chain_cache(h, NULL);
+ if (!h->nft_genid)
+ mnl_genid_get(h, &h->nft_genid);
switch (h->cache_level) {
case NFT_CL_NONE:
@@ -487,18 +483,10 @@ retry:
break;
}
- mnl_genid_get(h, &genid_stop);
- if (genid_start != genid_stop) {
- flush_chain_cache(h, NULL);
- goto retry;
- }
-
if (!t && !chain)
h->cache_level = level;
else if (h->cache_level < NFT_CL_TABLES)
h->cache_level = NFT_CL_TABLES;
-
- h->nft_genid = genid_start;
}
void nft_build_cache(struct nft_handle *h, struct nftnl_chain *c)
--
2.25.1

View File

@ -1,127 +0,0 @@
From 654b2e2512630df07e3ea57f8d54e851e75b33f1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 13 Feb 2020 17:49:53 +0100
Subject: [PATCH] ebtables: among: Support mixed MAC and MAC/IP entries
Powered by Stefano's support for concatenated ranges, a full among match
replacement can be implemented. The trick is to add MAC-only elements as
a concatenation of MAC and zero-length prefix, i.e. a range from
0.0.0.0 till 255.255.255.255.
Although not quite needed, detection of pure MAC-only matches is left in
place. For those, no implicit 'meta protocol' match is added (which is
required otherwise at least to keep nft output correct) and no concat
type is used for the set.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit c33bae9c6c7a49c8af16df846e6112fc4727e643)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libebt_among.c | 6 +-----
extensions/libebt_among.t | 2 +-
iptables/ebtables-nft.8 | 4 ----
iptables/nft.c | 20 +++++++++++++++++++-
4 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
index 715d559f432c2..2b9a1b6566684 100644
--- a/extensions/libebt_among.c
+++ b/extensions/libebt_among.c
@@ -63,10 +63,6 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
char *sep = index(buf, '=');
struct ether_addr *ether;
- if (have_ip ^ !!sep)
- xtables_error(PARAMETER_PROBLEM,
- "among: Mixed MAC and MAC=IP not allowed.");
-
if (sep) {
*sep = '\0';
@@ -205,7 +201,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
isep = ",";
printf("%s", ether_ntoa(&pairs[i].ether));
- if (have_ip)
+ if (pairs[i].in.s_addr != INADDR_ANY)
printf("=%s", inet_ntoa(pairs[i].in));
}
printf(" ");
diff --git a/extensions/libebt_among.t b/extensions/libebt_among.t
index 56b299161ff31..a02206f391cde 100644
--- a/extensions/libebt_among.t
+++ b/extensions/libebt_among.t
@@ -13,4 +13,4 @@
--among-src;=;FAIL
--among-src 00:11=10.0.0.1;=;FAIL
--among-src de:ad:0:be:ee:ff=10.256.0.1;=;FAIL
---among-src de:ad:0:be:ee:ff,c0:ff:ee:0:ba:be=192.168.1.1;=;FAIL
+--among-src c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff;=;OK
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index a91f0c1aacb0f..1fa5ad9388cc0 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -551,10 +551,6 @@ Same as
.BR "--among-src-file " "[!] \fIfile\fP"
Same as
.BR --among-src " but the list is read in from the specified file."
-.PP
-Note that in this implementation of ebtables, among lists uses must be
-internally homogeneous regarding whether IP addresses are present or not. Mixed
-use of MAC addresses and MAC/IP address pairs is not supported yet.
.SS arp
Specify (R)ARP fields. The protocol must be specified as
.IR ARP " or " RARP .
diff --git a/iptables/nft.c b/iptables/nft.c
index 0287add3fb21f..4930b6de534d8 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1029,19 +1029,28 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
};
struct nftnl_expr *e;
struct nftnl_set *s;
+ uint32_t flags = 0;
int idx = 0;
if (ip) {
type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR;
len += sizeof(struct in_addr) + NETLINK_ALIGN - 1;
len &= ~(NETLINK_ALIGN - 1);
+ flags = NFT_SET_INTERVAL;
}
- s = add_anon_set(h, table, 0, type, len, cnt);
+ s = add_anon_set(h, table, flags, type, len, cnt);
if (!s)
return -ENOMEM;
set_id = nftnl_set_get_u32(s, NFTNL_SET_ID);
+ if (ip) {
+ uint8_t field_len[2] = { ETH_ALEN, sizeof(struct in_addr) };
+
+ nftnl_set_set_data(s, NFTNL_SET_DESC_CONCAT,
+ field_len, sizeof(field_len));
+ }
+
for (idx = 0; idx < cnt; idx++) {
struct nftnl_set_elem *elem = nftnl_set_elem_alloc();
@@ -1049,6 +1058,15 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
return -ENOMEM;
nftnl_set_elem_set(elem, NFTNL_SET_ELEM_KEY,
&pairs[idx], len);
+ if (ip) {
+ struct in_addr tmp = pairs[idx].in;
+
+ if (tmp.s_addr == INADDR_ANY)
+ pairs[idx].in.s_addr = INADDR_BROADCAST;
+ nftnl_set_elem_set(elem, NFTNL_SET_ELEM_KEY_END,
+ &pairs[idx], len);
+ pairs[idx].in = tmp;
+ }
nftnl_set_elem_add(s, elem);
}
--
2.26.2

View File

@ -1,4 +1,4 @@
From 575a1e5589f813af7e838c045863b510b4740353 Mon Sep 17 00:00:00 2001 From 412c52e9ab9d5d1d1a1e5e09a122cca43895451a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Mon, 5 Oct 2020 16:06:49 +0200 Date: Mon, 5 Oct 2020 16:06:49 +0200
Subject: [PATCH] nft: Fix for concurrent noflush restore calls Subject: [PATCH] nft: Fix for concurrent noflush restore calls
@ -33,13 +33,6 @@ handle in that case.
Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications") Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications")
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit dac904bdcd9a18aabafee7275ccf0c2bd53800f3) (cherry picked from commit dac904bdcd9a18aabafee7275ccf0c2bd53800f3)
Conflicts:
iptables/nft.c
-> Upstream changed good/bad return codes of nft_chain_restore()
function.
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
iptables/nft.c | 58 ++++++++++--------- iptables/nft.c | 58 ++++++++++---------
.../ipt-restore/0016-concurrent-restores_0 | 53 +++++++++++++++++ .../ipt-restore/0016-concurrent-restores_0 | 53 +++++++++++++++++
@ -47,10 +40,10 @@ Signed-off-by: Phil Sutter <psutter@redhat.com>
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0 create mode 100755 iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0
diff --git a/iptables/nft.c b/iptables/nft.c diff --git a/iptables/nft.c b/iptables/nft.c
index d661ac2cafda6..dc5490c085364 100644 index d3eb0840a9fc0..bdb633a82a655 100644
--- a/iptables/nft.c --- a/iptables/nft.c
+++ b/iptables/nft.c +++ b/iptables/nft.c
@@ -283,7 +283,6 @@ struct obj_update { @@ -265,7 +265,6 @@ struct obj_update {
struct list_head head; struct list_head head;
enum obj_update_type type:8; enum obj_update_type type:8;
uint8_t skip:1; uint8_t skip:1;
@ -58,7 +51,7 @@ index d661ac2cafda6..dc5490c085364 100644
unsigned int seq; unsigned int seq;
union { union {
struct nftnl_table *table; struct nftnl_table *table;
@@ -1650,7 +1649,7 @@ int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format) @@ -1668,7 +1667,7 @@ struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
static void static void
__nft_rule_flush(struct nft_handle *h, const char *table, __nft_rule_flush(struct nft_handle *h, const char *table,
@ -67,7 +60,7 @@ index d661ac2cafda6..dc5490c085364 100644
{ {
struct obj_update *obj; struct obj_update *obj;
struct nftnl_rule *r; struct nftnl_rule *r;
@@ -1672,7 +1671,7 @@ __nft_rule_flush(struct nft_handle *h, const char *table, @@ -1690,7 +1689,7 @@ __nft_rule_flush(struct nft_handle *h, const char *table,
return; return;
} }
@ -76,7 +69,7 @@ index d661ac2cafda6..dc5490c085364 100644
} }
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
@@ -1768,17 +1767,12 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl @@ -1786,17 +1785,12 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table) int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table)
{ {
struct nftnl_chain_list *list; struct nftnl_chain_list *list;
@ -95,8 +88,8 @@ index d661ac2cafda6..dc5490c085364 100644
+ if (!c) { + if (!c) {
c = nftnl_chain_alloc(); c = nftnl_chain_alloc();
if (!c) if (!c)
return -1; return 0;
@@ -1786,20 +1780,26 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table @@ -1804,20 +1798,26 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table
nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table); nftnl_chain_set_str(c, NFTNL_CHAIN_TABLE, table);
nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain); nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain);
created = true; created = true;
@ -117,22 +110,22 @@ index d661ac2cafda6..dc5490c085364 100644
+ } + }
- if (!created) - if (!created)
- return 0; - return 1;
+ __nft_rule_flush(h, table, chain, false, created); + __nft_rule_flush(h, table, chain, false, created);
- if (!batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c)) - if (!batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c))
+ obj = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c); + obj = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c);
+ if (!obj) + if (!obj)
return -1; return 0;
- list = nft_chain_list_get(h, table, chain); - list = nft_chain_list_get(h, table, chain);
- if (list) - if (list)
- nftnl_chain_list_add(c, list); - nftnl_chain_list_add(c, list);
+ obj->skip = !created; + obj->skip = !created;
return 0; /* the core expects 1 for success and 0 for error */
} return 1;
@@ -2693,11 +2693,6 @@ static void nft_refresh_transaction(struct nft_handle *h) @@ -2751,11 +2751,6 @@ static void nft_refresh_transaction(struct nft_handle *h)
h->error.lineno = 0; h->error.lineno = 0;
list_for_each_entry_safe(n, tmp, &h->obj_list, head) { list_for_each_entry_safe(n, tmp, &h->obj_list, head) {
@ -144,7 +137,7 @@ index d661ac2cafda6..dc5490c085364 100644
switch (n->type) { switch (n->type) {
case NFT_COMPAT_TABLE_FLUSH: case NFT_COMPAT_TABLE_FLUSH:
tablename = nftnl_table_get_str(n->table, NFTNL_TABLE_NAME); tablename = nftnl_table_get_str(n->table, NFTNL_TABLE_NAME);
@@ -2723,14 +2718,22 @@ static void nft_refresh_transaction(struct nft_handle *h) @@ -2781,14 +2776,22 @@ static void nft_refresh_transaction(struct nft_handle *h)
c = nft_chain_find(h, tablename, chainname); c = nft_chain_find(h, tablename, chainname);
if (c) { if (c) {
@ -170,14 +163,14 @@ index d661ac2cafda6..dc5490c085364 100644
case NFT_COMPAT_TABLE_ADD: case NFT_COMPAT_TABLE_ADD:
case NFT_COMPAT_CHAIN_ADD: case NFT_COMPAT_CHAIN_ADD:
case NFT_COMPAT_CHAIN_ZERO: case NFT_COMPAT_CHAIN_ZERO:
@@ -2742,7 +2745,6 @@ static void nft_refresh_transaction(struct nft_handle *h) @@ -2800,7 +2803,6 @@ static void nft_refresh_transaction(struct nft_handle *h)
case NFT_COMPAT_RULE_INSERT: case NFT_COMPAT_RULE_INSERT:
case NFT_COMPAT_RULE_REPLACE: case NFT_COMPAT_RULE_REPLACE:
case NFT_COMPAT_RULE_DELETE: case NFT_COMPAT_RULE_DELETE:
- case NFT_COMPAT_RULE_FLUSH: - case NFT_COMPAT_RULE_FLUSH:
case NFT_COMPAT_SET_ADD: case NFT_COMPAT_SET_ADD:
break; case NFT_COMPAT_RULE_LIST:
} case NFT_COMPAT_RULE_CHECK:
diff --git a/iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0 b/iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0 diff --git a/iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0 b/iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0
new file mode 100755 new file mode 100755
index 0000000000000..53ec12fa368af index 0000000000000..53ec12fa368af
@ -238,5 +231,5 @@ index 0000000000000..53ec12fa368af
+ wait -n + wait -n
+done +done
-- --
2.28.0 2.40.0

View File

@ -1,4 +1,4 @@
From 674cce10a34e90f2791a3d58789793eef29e8f8b Mon Sep 17 00:00:00 2001 From bb80a77e8b0b2b557c4a2afd88446853e19236da Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Mon, 26 Oct 2020 17:25:03 +0100 Date: Mon, 26 Oct 2020 17:25:03 +0100
Subject: [PATCH] tests: shell: Improve concurrent noflush restore test a bit Subject: [PATCH] tests: shell: Improve concurrent noflush restore test a bit
@ -13,7 +13,6 @@ test is trying to provoke.
Fixes: dac904bdcd9a1 ("nft: Fix for concurrent noflush restore calls") Fixes: dac904bdcd9a1 ("nft: Fix for concurrent noflush restore calls")
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ed8c8b9316451a4499eeb592d2cf7d782bbe4e9a) (cherry picked from commit ed8c8b9316451a4499eeb592d2cf7d782bbe4e9a)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
.../ipt-restore/0016-concurrent-restores_0 | 14 ++++++++++++++ .../ipt-restore/0016-concurrent-restores_0 | 14 ++++++++++++++
1 file changed, 14 insertions(+) 1 file changed, 14 insertions(+)
@ -51,5 +50,5 @@ index 53ec12fa368af..aa746ab458a3c 100755
$XT_MULTI iptables-restore --noflush -w <<< "$RS2" & $XT_MULTI iptables-restore --noflush -w <<< "$RS2" &
wait -n wait -n
-- --
2.28.0 2.40.0

View File

@ -1,157 +0,0 @@
From aa221d3a7ffc8e3245d9031173b306431ddfaf9f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 21 Feb 2020 13:18:32 +0100
Subject: [PATCH] xtables: Align effect of -4/-6 options with legacy
Legacy iptables doesn't accept -4 or -6 if they don't match the
symlink's native family. The only exception to that is iptables-restore
which simply ignores the lines introduced by non-matching options, which
is useful to create combined dump files for feeding into both
iptables-restore and ip6tables-restore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 1639b8ba5105542c73e0e1c35e70f245dab89d81)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../shell/testcases/iptables/0006-46-args_0 | 88 +++++++++++++++++++
iptables/xtables.c | 21 ++---
2 files changed, 96 insertions(+), 13 deletions(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0006-46-args_0
diff --git a/iptables/tests/shell/testcases/iptables/0006-46-args_0 b/iptables/tests/shell/testcases/iptables/0006-46-args_0
new file mode 100755
index 0000000000000..17a0a01829df5
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0006-46-args_0
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+RC=0
+
+$XT_MULTI iptables -6 -A FORWARD -j ACCEPT
+rc=$?
+if [[ $rc -ne 2 ]]; then
+ echo "'iptables -6' returned $rc instead of 2"
+ RC=1
+fi
+
+$XT_MULTI ip6tables -4 -A FORWARD -j ACCEPT
+rc=$?
+if [[ $rc -ne 2 ]]; then
+ echo "'ip6tables -4' returned $rc instead of 2"
+ RC=1
+fi
+
+RULESET='*filter
+-4 -A FORWARD -d 10.0.0.1 -j ACCEPT
+-6 -A FORWARD -d fec0:10::1 -j ACCEPT
+COMMIT
+'
+EXPECT4='-P FORWARD ACCEPT
+-A FORWARD -d 10.0.0.1/32 -j ACCEPT'
+EXPECT6='-P FORWARD ACCEPT
+-A FORWARD -d fec0:10::1/128 -j ACCEPT'
+EXPECT_EMPTY='-P FORWARD ACCEPT'
+
+echo "$RULESET" | $XT_MULTI iptables-restore || {
+ echo "iptables-restore failed!"
+ RC=1
+}
+diff -u -Z <(echo -e "$EXPECT4") <($XT_MULTI iptables -S FORWARD) || {
+ echo "unexpected iptables ruleset"
+ RC=1
+}
+diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI ip6tables -S FORWARD) || {
+ echo "unexpected non-empty ip6tables ruleset"
+ RC=1
+}
+
+$XT_MULTI iptables -F FORWARD
+
+echo "$RULESET" | $XT_MULTI ip6tables-restore || {
+ echo "ip6tables-restore failed!"
+ RC=1
+}
+diff -u -Z <(echo -e "$EXPECT6") <($XT_MULTI ip6tables -S FORWARD) || {
+ echo "unexpected ip6tables ruleset"
+ RC=1
+}
+diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI iptables -S FORWARD) || {
+ echo "unexpected non-empty iptables ruleset"
+ RC=1
+}
+
+$XT_MULTI ip6tables -F FORWARD
+
+$XT_MULTI iptables -4 -A FORWARD -d 10.0.0.1 -j ACCEPT || {
+ echo "iptables failed!"
+ RC=1
+}
+diff -u -Z <(echo -e "$EXPECT4") <($XT_MULTI iptables -S FORWARD) || {
+ echo "unexpected iptables ruleset"
+ RC=1
+}
+diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI ip6tables -S FORWARD) || {
+ echo "unexpected non-empty ip6tables ruleset"
+ RC=1
+}
+
+$XT_MULTI iptables -F FORWARD
+
+$XT_MULTI ip6tables -6 -A FORWARD -d fec0:10::1 -j ACCEPT || {
+ echo "ip6tables failed!"
+ RC=1
+}
+diff -u -Z <(echo -e "$EXPECT6") <($XT_MULTI ip6tables -S FORWARD) || {
+ echo "unexpected ip6tables ruleset"
+ RC=1
+}
+diff -u -Z <(echo -e "$EXPECT_EMPTY") <($XT_MULTI iptables -S FORWARD) || {
+ echo "unexpected non-empty iptables ruleset"
+ RC=1
+}
+
+exit $RC
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 4b24d15c46295..8c2d21d42b7d2 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -913,27 +913,22 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break;
case '4':
+ if (args->family == AF_INET)
+ break;
+
if (p->restore && args->family == AF_INET6)
return;
- if (args->family != AF_INET)
- exit_tryhelp(2);
-
- h->ops = nft_family_ops_lookup(args->family);
- break;
+ exit_tryhelp(2);
case '6':
+ if (args->family == AF_INET6)
+ break;
+
if (p->restore && args->family == AF_INET)
return;
- args->family = AF_INET6;
- xtables_set_nfproto(AF_INET6);
-
- h->ops = nft_family_ops_lookup(args->family);
- if (h->ops == NULL)
- xtables_error(PARAMETER_PROBLEM,
- "Unknown family");
- break;
+ exit_tryhelp(2);
case 1: /* non option */
if (optarg[0] == '!' && optarg[1] == '\0') {
--
2.26.2

View File

@ -1,4 +1,4 @@
From 87a2128fcfd4c5b0847a8c611652ade8c54d8185 Mon Sep 17 00:00:00 2001 From a48e8c5a7433c8f7d0f28ed321081b25f3b63a4a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Fri, 2 Oct 2020 09:44:38 +0200 Date: Fri, 2 Oct 2020 09:44:38 +0200
Subject: [PATCH] nft: Optimize class-based IP prefix matches Subject: [PATCH] nft: Optimize class-based IP prefix matches
@ -8,7 +8,6 @@ prefix lengths.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 323259001d617ae359430a03ee3d3e7f107684e0) (cherry picked from commit 323259001d617ae359430a03ee3d3e7f107684e0)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
iptables/nft-arp.c | 11 ++++++++--- iptables/nft-arp.c | 11 ++++++++---
iptables/nft-ipv4.c | 6 ++++-- iptables/nft-ipv4.c | 6 ++++--
@ -18,7 +17,7 @@ Signed-off-by: Phil Sutter <psutter@redhat.com>
5 files changed, 30 insertions(+), 11 deletions(-) 5 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index d4a86610ec217..ac400e484a4fa 100644 index 67f4529d93652..952f0c6916e59 100644
--- a/iptables/nft-arp.c --- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c +++ b/iptables/nft-arp.c
@@ -303,7 +303,8 @@ static bool nft_arp_parse_devaddr(struct nft_xt_ctx *ctx, @@ -303,7 +303,8 @@ static bool nft_arp_parse_devaddr(struct nft_xt_ctx *ctx,
@ -54,7 +53,7 @@ index d4a86610ec217..ac400e484a4fa 100644
if (inv) if (inv)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 70634f8fad84d..c84af2df90da7 100644 index afdecf9711e64..ce702041af0f4 100644
--- a/iptables/nft-ipv4.c --- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c
@@ -199,7 +199,8 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx, @@ -199,7 +199,8 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
@ -78,7 +77,7 @@ index 70634f8fad84d..c84af2df90da7 100644
if (inv) if (inv)
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index d01491bfdb689..cfced245a781c 100644 index 4008b7eab4f2a..c877ec6d10887 100644
--- a/iptables/nft-ipv6.c --- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c
@@ -146,7 +146,8 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx, @@ -146,7 +146,8 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
@ -102,7 +101,7 @@ index d01491bfdb689..cfced245a781c 100644
if (inv) if (inv)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index f60f5df97fb86..b1237049d0a34 100644 index 7741d23befc5a..545e9c60fa015 100644
--- a/iptables/nft-shared.c --- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c +++ b/iptables/nft-shared.c
@@ -166,16 +166,22 @@ void add_addr(struct nftnl_rule *r, int offset, @@ -166,16 +166,22 @@ void add_addr(struct nftnl_rule *r, int offset,
@ -133,10 +132,10 @@ index f60f5df97fb86..b1237049d0a34 100644
add_cmp_ptr(r, op, data, len); add_cmp_ptr(r, op, data, len);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index bee99a7dd0c93..c7f1e366b75ee 100644 index 94437ffe7990c..811fb9a1ebe76 100644
--- a/iptables/nft-shared.h --- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h +++ b/iptables/nft-shared.h
@@ -252,4 +252,8 @@ void xtables_restore_parse(struct nft_handle *h, @@ -246,4 +246,8 @@ void xtables_restore_parse(struct nft_handle *h,
const struct nft_xt_restore_parse *p); const struct nft_xt_restore_parse *p);
void nft_check_xt_legacy(int family, bool is_ipt_save); void nft_check_xt_legacy(int family, bool is_ipt_save);
@ -146,5 +145,5 @@ index bee99a7dd0c93..c7f1e366b75ee 100644
+ +
#endif #endif
-- --
2.28.0 2.40.0

View File

@ -1,81 +0,0 @@
From ea9d40744307d7c49808d8fabfc904d525081055 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 21 Feb 2020 13:29:05 +0100
Subject: [PATCH] xtables: Drop -4 and -6 support from xtables-{save,restore}
Legacy tools don't support those options, either.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0f40a8bc49d3f7b815336199931a82f919f37c4e)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/xtables-restore.c | 9 +--------
iptables/xtables-save.c | 11 +----------
2 files changed, 2 insertions(+), 18 deletions(-)
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 11834c0ea98c5..c472ac9bf651b 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -379,7 +379,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
exit(1);
}
- while ((c = getopt_long(argc, argv, "bcvVthnM:T:46wW", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcvVthnM:T:wW", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -408,13 +408,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
case 'T':
p.tablename = optarg;
break;
- case '4':
- h.family = AF_INET;
- break;
- case '6':
- h.family = AF_INET6;
- xtables_set_nfproto(AF_INET6);
- break;
case 'w': /* fallthrough. Ignored by xt-restore */
case 'W':
if (!optarg && xs_has_arg(argc, argv))
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 228282deaed07..28f7490275ce5 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -32,7 +32,7 @@
#define prog_name xtables_globals.program_name
#define prog_vers xtables_globals.program_version
-static const char *ipt_save_optstring = "bcdt:M:f:46V";
+static const char *ipt_save_optstring = "bcdt:M:f:V";
static const struct option ipt_save_options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "version", .has_arg = false, .val = 'V'},
@@ -40,8 +40,6 @@ static const struct option ipt_save_options[] = {
{.name = "table", .has_arg = true, .val = 't'},
{.name = "modprobe", .has_arg = true, .val = 'M'},
{.name = "file", .has_arg = true, .val = 'f'},
- {.name = "ipv4", .has_arg = false, .val = '4'},
- {.name = "ipv6", .has_arg = false, .val = '6'},
{NULL},
};
@@ -187,13 +185,6 @@ xtables_save_main(int family, int argc, char *argv[],
case 'd':
dump = true;
break;
- case '4':
- h.family = AF_INET;
- break;
- case '6':
- h.family = AF_INET6;
- xtables_set_nfproto(AF_INET6);
- break;
case 'V':
printf("%s v%s (nf_tables)\n", prog_name, prog_vers);
exit(0);
--
2.26.2

View File

@ -1,4 +1,4 @@
From 03a484b63c5a61678555bcaca68fa36dc81468c1 Mon Sep 17 00:00:00 2001 From 06f53a3a19c829417c4083fdbbbeba14c92c7b04 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Fri, 30 Oct 2020 14:08:33 +0100 Date: Fri, 30 Oct 2020 14:08:33 +0100
Subject: [PATCH] ebtables: Optimize masked MAC address matches Subject: [PATCH] ebtables: Optimize masked MAC address matches
@ -11,7 +11,6 @@ value via parameter.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 274cb05edc58d6fa982a34c84b2f4cf6acc3e335) (cherry picked from commit 274cb05edc58d6fa982a34c84b2f4cf6acc3e335)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
iptables/nft-arp.c | 12 ++++++++---- iptables/nft-arp.c | 12 ++++++++----
iptables/nft-bridge.c | 22 ++++++++++------------ iptables/nft-bridge.c | 22 ++++++++++------------
@ -22,7 +21,7 @@ Signed-off-by: Phil Sutter <psutter@redhat.com>
6 files changed, 30 insertions(+), 24 deletions(-) 6 files changed, 30 insertions(+), 24 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index ac400e484a4fa..776b55949472b 100644 index 952f0c6916e59..5dc38da831aa0 100644
--- a/iptables/nft-arp.c --- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c +++ b/iptables/nft-arp.c
@@ -178,7 +178,8 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data) @@ -178,7 +178,8 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
@ -66,7 +65,7 @@ index ac400e484a4fa..776b55949472b 100644
sizeof(struct in_addr), op); sizeof(struct in_addr), op);
} }
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 3f85cbbf5e4cf..2aa15e2d1e69d 100644 index dbf11eb5e1fa8..c1a2c209cc1aa 100644
--- a/iptables/nft-bridge.c --- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c
@@ -159,20 +159,16 @@ static int nft_bridge_add(struct nft_handle *h, @@ -159,20 +159,16 @@ static int nft_bridge_add(struct nft_handle *h,
@ -117,7 +116,7 @@ index 3f85cbbf5e4cf..2aa15e2d1e69d 100644
fw->bitmask |= EBT_ISOURCE; fw->bitmask |= EBT_ISOURCE;
break; break;
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index c84af2df90da7..5bd0710781533 100644 index ce702041af0f4..fdc15c6f04066 100644
--- a/iptables/nft-ipv4.c --- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c
@@ -50,13 +50,15 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data) @@ -50,13 +50,15 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
@ -139,7 +138,7 @@ index c84af2df90da7..5bd0710781533 100644
sizeof(struct in_addr), op); sizeof(struct in_addr), op);
} }
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index cfced245a781c..6ece631d85f59 100644 index c877ec6d10887..130ad3e6e7c44 100644
--- a/iptables/nft-ipv6.c --- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c
@@ -51,7 +51,8 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data) @@ -51,7 +51,8 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
@ -163,7 +162,7 @@ index cfced245a781c..6ece631d85f59 100644
sizeof(struct in6_addr), op); sizeof(struct in6_addr), op);
} }
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b1237049d0a34..2aae0a3a49dfe 100644 index 545e9c60fa015..10553ab26823b 100644
--- a/iptables/nft-shared.c --- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c +++ b/iptables/nft-shared.c
@@ -20,7 +20,6 @@ @@ -20,7 +20,6 @@
@ -193,7 +192,7 @@ index b1237049d0a34..2aae0a3a49dfe 100644
if (bitwise) if (bitwise)
add_bitwise(r, mask, len); add_bitwise(r, mask, len);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index c7f1e366b75ee..520a296fb530c 100644 index 811fb9a1ebe76..6fc81d9ce08ef 100644
--- a/iptables/nft-shared.h --- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h +++ b/iptables/nft-shared.h
@@ -8,6 +8,7 @@ @@ -8,6 +8,7 @@
@ -204,7 +203,7 @@ index c7f1e366b75ee..520a296fb530c 100644
#include "xshared.h" #include "xshared.h"
@@ -124,7 +125,7 @@ void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op); @@ -121,7 +122,7 @@ void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op);
void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op); void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op);
void add_iniface(struct nftnl_rule *r, char *iface, uint32_t op); void add_iniface(struct nftnl_rule *r, char *iface, uint32_t op);
void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op); void add_outiface(struct nftnl_rule *r, char *iface, uint32_t op);
@ -214,5 +213,5 @@ index c7f1e366b75ee..520a296fb530c 100644
void add_proto(struct nftnl_rule *r, int offset, size_t len, void add_proto(struct nftnl_rule *r, int offset, size_t len,
uint8_t proto, uint32_t op); uint8_t proto, uint32_t op);
-- --
2.28.0 2.40.0

View File

@ -1,42 +0,0 @@
From b29b3a215b9cbec20ea633e6a861accfc48b59bb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sat, 9 May 2020 13:36:49 +0200
Subject: [PATCH] nfnl_osf: Fix broken conversion to nfnl_query()
Due to missing NLM_F_ACK flag in request, nfnetlink code in kernel
didn't create an own ACK message but left it upon subsystem to ACK or
not. Since nfnetlink_osf doesn't ACK by itself, nfnl_query() got stuck
waiting for a reply.
Whoever did the conversion from deprecated nfnl_talk() obviously didn't
even test basic functionality of the tool.
Fixes: 52aa15098ebd6 ("nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit c8332553caf48132403895bae750b3cd09a2efd8)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
utils/nfnl_osf.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index 15d531975e11d..922d90ac135b7 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -378,9 +378,11 @@ static int osf_load_line(char *buffer, int len, int del)
memset(buf, 0, sizeof(buf));
if (del)
- nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE, NLM_F_REQUEST);
+ nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_REMOVE,
+ NLM_F_ACK | NLM_F_REQUEST);
else
- nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD, NLM_F_REQUEST | NLM_F_CREATE);
+ nfnl_fill_hdr(nfnlssh, nmh, 0, AF_UNSPEC, 0, OSF_MSG_ADD,
+ NLM_F_ACK | NLM_F_REQUEST | NLM_F_CREATE);
nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger));
--
2.26.2

View File

@ -1,80 +0,0 @@
From acc1fb93b3674f81c9d1daa0e4e855410d2568b0 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sat, 9 May 2020 13:42:56 +0200
Subject: [PATCH] nfnl_osf: Improve error handling
For some error cases, no log message was created - hence apart from the
return code there was no indication of failing execution.
If a line load fails, don't abort but continue with the remaining
file contents. The current pf.os file in this repository serves as
proof-of-concept:
Lines 700 and 701: Duplicates of lines 698 and 699 because 'W*' and 'W0'
parse into the same data.
Line 704: Duplicate of line 702 because apart from 'W*' and 'W0', only
the first three fields on right-hand side are sent to the kernel.
When loading, these dups are ignored (they would bounce if NLM_F_EXCL
was given). Upon deletion, they cause ENOENT response from kernel. In
order to align duplicate-tolerance in both modes, just ignore that
ENOENT.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 3e09bd1888575cfec136574d2b0e810ba33f1cfb)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
utils/nfnl_osf.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index 922d90ac135b7..8008e83d8af4b 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -392,7 +392,7 @@ static int osf_load_line(char *buffer, int len, int del)
static int osf_load_entries(char *path, int del)
{
FILE *inf;
- int err = 0;
+ int err = 0, lineno = 0;
char buf[1024];
inf = fopen(path, "r");
@@ -402,7 +402,9 @@ static int osf_load_entries(char *path, int del)
}
while(fgets(buf, sizeof(buf), inf)) {
- int len;
+ int len, rc;
+
+ lineno++;
if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r')
continue;
@@ -414,9 +416,11 @@ static int osf_load_entries(char *path, int del)
buf[len] = '\0';
- err = osf_load_line(buf, len, del);
- if (err)
- break;
+ rc = osf_load_line(buf, len, del);
+ if (rc && (!del || errno != ENOENT)) {
+ ulog_err("Failed to load line %d", lineno);
+ err = rc;
+ }
memset(buf, 0, sizeof(buf));
}
@@ -448,6 +452,7 @@ int main(int argc, char *argv[])
if (!fingerprints) {
err = -ENOENT;
+ ulog("Missing fingerprints file argument.\n");
goto err_out_exit;
}
--
2.26.2

View File

@ -1,4 +1,4 @@
From 6aef90100bebe2b00d4edffe59fb9c43643816de Mon Sep 17 00:00:00 2001 From f07a5fdd6c2a5ffe962ba77b8bfa08673f3b9408 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Tue, 10 Nov 2020 14:50:46 +0100 Date: Tue, 10 Nov 2020 14:50:46 +0100
Subject: [PATCH] tests/shell: Add test for bitwise avoidance fixes Subject: [PATCH] tests/shell: Add test for bitwise avoidance fixes
@ -10,7 +10,6 @@ each situation.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 81a2e128512837b53e5b9ea501b6c8dc64eeca78) (cherry picked from commit 81a2e128512837b53e5b9ea501b6c8dc64eeca78)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
.../nft-only/0009-needless-bitwise_0 | 339 ++++++++++++++++++ .../nft-only/0009-needless-bitwise_0 | 339 ++++++++++++++++++
1 file changed, 339 insertions(+) 1 file changed, 339 insertions(+)
@ -362,5 +361,5 @@ index 0000000000000..c5c6e706a1029
+ +
+diff -u -Z <(echo "$EXPECT") <(nft --debug=netlink list ruleset | awk '/^table/{exit} {print}') +diff -u -Z <(echo "$EXPECT") <(nft --debug=netlink list ruleset | awk '/^table/{exit} {print}')
-- --
2.28.0 2.40.0

View File

@ -0,0 +1,61 @@
From d4e535422a9f4908b6d4b331b9e9cffe7ef161f3 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 17 Nov 2020 11:38:27 +0100
Subject: [PATCH] ebtables: Fix for broken chain renaming
Loading extensions pollutes 'errno' value, hence before using it to
indicate failure it should be sanitized. This was done by the called
function before the parsing/netlink split and not migrated by accident.
Move it into calling code to clarify the connection.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 55b7c71dce7144f4dc0297c17abf0f04879ee247)
---
iptables/nft.c | 3 ---
iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 | 4 ++++
iptables/xtables-eb.c | 1 +
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index bdb633a82a655..bdf252198f155 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1932,9 +1932,6 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain,
return 0;
}
- /* Config load changed errno. Ensure genuine info for our callers. */
- errno = 0;
-
/* Find the old chain to be renamed */
c = nft_chain_find(h, table, chain);
if (c == NULL) {
diff --git a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0 b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
index 0c1eb4ca66f52..6f11bd12593dd 100755
--- a/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
+++ b/iptables/tests/shell/testcases/ebtables/0001-ebtables-basic_0
@@ -86,4 +86,8 @@ if [ $? -eq 0 ]; then
exit 1
fi
+$XT_MULTI ebtables -t filter -E FOO BAZ || exit 1
+$XT_MULTI ebtables -t filter -L | grep -q FOO && exit 1
+$XT_MULTI ebtables -t filter -L | grep -q BAZ || exit 1
+
$XT_MULTI ebtables -t $t -F || exit 0
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 375a95d1d5c75..6df5839f07436 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -853,6 +853,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
else if (strchr(argv[optind], ' ') != NULL)
xtables_error(PARAMETER_PROBLEM, "Use of ' ' not allowed in chain names");
+ errno = 0;
ret = nft_cmd_chain_user_rename(h, chain, *table,
argv[optind]);
if (ret != 0 && errno == ENOENT)
--
2.40.0

View File

@ -1,37 +0,0 @@
From 3b98024d952d265d50078c5b7ad04c9c65373733 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 29 May 2020 19:33:22 +0200
Subject: [PATCH] nft: cache: Reset genid when rebuilding cache
This is required in order to avoid a cache rebuild loop if
iptables-nft-restore is called with '--test' parameter and a dump
containing more than a single table.
If non-zero, __nft_build_cache() never updates genid and therefore the
incorrect genid (caused by increment in nft_action()) is never
corrected.
This is a RHEL-only fix, upstream rewrote the whole cache logic which
implicitly resolved this problem.
Fixes: 200bc39965149 ("nft: cache: Fix iptables-save segfault under stress")
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft-cache.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 07265b7795e4f..bc6e7f7eaebfb 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -629,6 +629,7 @@ void nft_rebuild_cache(struct nft_handle *h)
if (h->cache_level)
__nft_flush_cache(h);
+ h->nft_genid = 0;
h->cache_level = NFT_CL_NONE;
__nft_build_cache(h, level, NULL, NULL, NULL);
}
--
2.26.2

View File

@ -1,81 +0,0 @@
From 8ae56bbaa4119bdcf1d6abc8b78f21490657983c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 24 Apr 2020 11:32:08 +0200
Subject: [PATCH] nft: Fix for '-F' in iptables dumps
When restoring a dump which contains an explicit flush command,
previously added rules are removed from cache and the following commit
will try to create netlink messages based on freed memory.
Fix this by weeding any rule-based commands from obj_list if they
address the same chain.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 5bd3ab5c778033877d44a0c619ef6f98f34516af)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index 4930b6de534d8..e95e99f1d8d71 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -411,6 +411,38 @@ batch_rule_add(struct nft_handle *h, enum obj_update_type type,
return batch_add(h, type, r);
}
+static void batch_obj_del(struct nft_handle *h, struct obj_update *o);
+
+static void batch_chain_flush(struct nft_handle *h,
+ const char *table, const char *chain)
+{
+ struct obj_update *obj, *tmp;
+
+ list_for_each_entry_safe(obj, tmp, &h->obj_list, head) {
+ struct nftnl_rule *r = obj->ptr;
+
+ switch (obj->type) {
+ case NFT_COMPAT_RULE_APPEND:
+ case NFT_COMPAT_RULE_INSERT:
+ case NFT_COMPAT_RULE_REPLACE:
+ case NFT_COMPAT_RULE_DELETE:
+ break;
+ default:
+ continue;
+ }
+
+ if (table &&
+ strcmp(table, nftnl_rule_get_str(r, NFTNL_RULE_TABLE)))
+ continue;
+
+ if (chain &&
+ strcmp(chain, nftnl_rule_get_str(r, NFTNL_RULE_CHAIN)))
+ continue;
+
+ batch_obj_del(h, obj);
+ }
+}
+
const struct builtin_table xtables_ipv4[NFT_TABLE_MAX] = {
[NFT_TABLE_RAW] = {
.name = "raw",
@@ -1671,6 +1703,7 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
}
if (chain || !verbose) {
+ batch_chain_flush(h, table, chain);
__nft_rule_flush(h, table, chain, verbose, false);
flush_rule_cache(h, table, c);
return 1;
@@ -1686,6 +1719,7 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
while (c != NULL) {
chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
+ batch_chain_flush(h, table, chain);
__nft_rule_flush(h, table, chain, verbose, false);
flush_rule_cache(h, table, c);
c = nftnl_chain_list_iter_next(iter);
--
2.27.0

View File

@ -0,0 +1,374 @@
From 38e8df1b4409387145c79fc358419d59b5ec3800 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 3 Nov 2020 12:21:29 +0100
Subject: [PATCH] xtables-arp: Don't use ARPT_INV_*
Arptables invflags are partly identical to IPT_INV_* ones but the bits
are differently assigned. Eliminate this incompatibility by definition
of the unique invflags in nft-arp.h on bits that don't collide with
IPT_INV_* ones, then use those in combination with IPT_INV_* ones in
arptables-specific code.
Note that ARPT_INV_ARPPRO is replaced by IPT_INV_PROTO although these
are in fact different options - yet since '-p' option is not supported
by arptables, this does not lead to a collision.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 44457c0805905ea22b4ecf9156648e774dd29155)
---
iptables/nft-arp.c | 92 ++++++++++++++++--------------------------
iptables/nft-arp.h | 7 ++++
iptables/xtables-arp.c | 22 +++++-----
3 files changed, 53 insertions(+), 68 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 5dc38da831aa0..c82ffdc95e300 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -134,34 +134,34 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
int ret = 0;
if (fw->arp.iniface[0] != '\0') {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_VIA_IN);
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_VIA_IN);
add_iniface(r, fw->arp.iniface, op);
}
if (fw->arp.outiface[0] != '\0') {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_VIA_OUT);
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_VIA_OUT);
add_outiface(r, fw->arp.outiface, op);
}
if (fw->arp.arhrd != 0 ||
- fw->arp.invflags & ARPT_INV_ARPHRD) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPHRD);
+ fw->arp.invflags & IPT_INV_ARPHRD) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPHRD);
add_payload(r, offsetof(struct arphdr, ar_hrd), 2,
NFT_PAYLOAD_NETWORK_HEADER);
add_cmp_u16(r, fw->arp.arhrd, op);
}
if (fw->arp.arpro != 0 ||
- fw->arp.invflags & ARPT_INV_ARPPRO) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPPRO);
+ fw->arp.invflags & IPT_INV_PROTO) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_PROTO);
add_payload(r, offsetof(struct arphdr, ar_pro), 2,
NFT_PAYLOAD_NETWORK_HEADER);
add_cmp_u16(r, fw->arp.arpro, op);
}
if (fw->arp.arhln != 0 ||
- fw->arp.invflags & ARPT_INV_ARPHLN) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPHLN);
+ fw->arp.invflags & IPT_INV_ARPHLN) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPHLN);
add_proto(r, offsetof(struct arphdr, ar_hln), 1,
fw->arp.arhln, op);
}
@@ -169,15 +169,15 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
add_proto(r, offsetof(struct arphdr, ar_pln), 1, 4, NFT_CMP_EQ);
if (fw->arp.arpop != 0 ||
- fw->arp.invflags & ARPT_INV_ARPOP) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_ARPOP);
+ fw->arp.invflags & IPT_INV_ARPOP) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_ARPOP);
add_payload(r, offsetof(struct arphdr, ar_op), 2,
NFT_PAYLOAD_NETWORK_HEADER);
add_cmp_u16(r, fw->arp.arpop, op);
}
if (need_devaddr(&fw->arp.src_devaddr)) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_SRCDEVADDR);
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_SRCDEVADDR);
add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
sizeof(struct arphdr),
&fw->arp.src_devaddr.addr,
@@ -188,8 +188,8 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
if (fw->arp.src.s_addr != 0 ||
fw->arp.smsk.s_addr != 0 ||
- fw->arp.invflags & ARPT_INV_SRCIP) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_SRCIP);
+ fw->arp.invflags & IPT_INV_SRCIP) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_SRCIP);
add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
sizeof(struct arphdr) + fw->arp.arhln,
&fw->arp.src.s_addr, &fw->arp.smsk.s_addr,
@@ -198,7 +198,7 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
if (need_devaddr(&fw->arp.tgt_devaddr)) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTDEVADDR);
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_TGTDEVADDR);
add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr),
&fw->arp.tgt_devaddr.addr,
@@ -208,8 +208,8 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
if (fw->arp.tgt.s_addr != 0 ||
fw->arp.tmsk.s_addr != 0 ||
- fw->arp.invflags & ARPT_INV_TGTIP) {
- op = nft_invflags2cmp(fw->arp.invflags, ARPT_INV_TGTIP);
+ fw->arp.invflags & IPT_INV_DSTIP) {
+ op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_DSTIP);
add_addr(r, NFT_PAYLOAD_NETWORK_HEADER,
sizeof(struct arphdr) + fw->arp.arhln + sizeof(struct in_addr) + fw->arp.arhln,
&fw->arp.tgt.s_addr, &fw->arp.tmsk.s_addr,
@@ -240,28 +240,6 @@ static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
return ret;
}
-static uint16_t ipt_to_arpt_flags(uint8_t invflags)
-{
- uint16_t result = 0;
-
- if (invflags & IPT_INV_VIA_IN)
- result |= ARPT_INV_VIA_IN;
-
- if (invflags & IPT_INV_VIA_OUT)
- result |= ARPT_INV_VIA_OUT;
-
- if (invflags & IPT_INV_SRCIP)
- result |= ARPT_INV_SRCIP;
-
- if (invflags & IPT_INV_DSTIP)
- result |= ARPT_INV_TGTIP;
-
- if (invflags & IPT_INV_PROTO)
- result |= ARPT_INV_ARPPRO;
-
- return result;
-}
-
static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
void *data)
{
@@ -273,7 +251,7 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
fw->arp.outiface, fw->arp.outiface_mask,
&flags);
- fw->arp.invflags |= ipt_to_arpt_flags(flags);
+ fw->arp.invflags |= flags;
}
static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
@@ -330,33 +308,33 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
fw->arp.arhrd = ar_hrd;
fw->arp.arhrd_mask = 0xffff;
if (inv)
- fw->arp.invflags |= ARPT_INV_ARPHRD;
+ fw->arp.invflags |= IPT_INV_ARPHRD;
break;
case offsetof(struct arphdr, ar_pro):
get_cmp_data(e, &ar_pro, sizeof(ar_pro), &inv);
fw->arp.arpro = ar_pro;
fw->arp.arpro_mask = 0xffff;
if (inv)
- fw->arp.invflags |= ARPT_INV_ARPPRO;
+ fw->arp.invflags |= IPT_INV_PROTO;
break;
case offsetof(struct arphdr, ar_op):
get_cmp_data(e, &ar_op, sizeof(ar_op), &inv);
fw->arp.arpop = ar_op;
fw->arp.arpop_mask = 0xffff;
if (inv)
- fw->arp.invflags |= ARPT_INV_ARPOP;
+ fw->arp.invflags |= IPT_INV_ARPOP;
break;
case offsetof(struct arphdr, ar_hln):
get_cmp_data(e, &ar_hln, sizeof(ar_hln), &inv);
fw->arp.arhln = ar_hln;
fw->arp.arhln_mask = 0xff;
if (inv)
- fw->arp.invflags |= ARPT_INV_ARPOP;
+ fw->arp.invflags |= IPT_INV_ARPOP;
break;
default:
if (ctx->payload.offset == sizeof(struct arphdr)) {
if (nft_arp_parse_devaddr(ctx, e, &fw->arp.src_devaddr))
- fw->arp.invflags |= ARPT_INV_SRCDEVADDR;
+ fw->arp.invflags |= IPT_INV_SRCDEVADDR;
} else if (ctx->payload.offset == sizeof(struct arphdr) +
fw->arp.arhln) {
get_cmp_data(e, &addr, sizeof(addr), &inv);
@@ -371,12 +349,12 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
}
if (inv)
- fw->arp.invflags |= ARPT_INV_SRCIP;
+ fw->arp.invflags |= IPT_INV_SRCIP;
} else if (ctx->payload.offset == sizeof(struct arphdr) +
fw->arp.arhln +
sizeof(struct in_addr)) {
if (nft_arp_parse_devaddr(ctx, e, &fw->arp.tgt_devaddr))
- fw->arp.invflags |= ARPT_INV_TGTDEVADDR;
+ fw->arp.invflags |= IPT_INV_TGTDEVADDR;
} else if (ctx->payload.offset == sizeof(struct arphdr) +
fw->arp.arhln +
sizeof(struct in_addr) +
@@ -393,7 +371,7 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
}
if (inv)
- fw->arp.invflags |= ARPT_INV_TGTIP;
+ fw->arp.invflags |= IPT_INV_DSTIP;
}
break;
}
@@ -448,7 +426,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
else strcat(iface, "any");
}
if (print_iface) {
- printf("%s%s-i %s", sep, fw->arp.invflags & ARPT_INV_VIA_IN ?
+ printf("%s%s-i %s", sep, fw->arp.invflags & IPT_INV_VIA_IN ?
"! " : "", iface);
sep = " ";
}
@@ -466,13 +444,13 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
else strcat(iface, "any");
}
if (print_iface) {
- printf("%s%s-o %s", sep, fw->arp.invflags & ARPT_INV_VIA_OUT ?
+ printf("%s%s-o %s", sep, fw->arp.invflags & IPT_INV_VIA_OUT ?
"! " : "", iface);
sep = " ";
}
if (fw->arp.smsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_SRCIP
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
? "! " : "");
if (format & FMT_NUMERIC)
sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
@@ -489,7 +467,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
break;
if (i == ARPT_DEV_ADDR_LEN_MAX)
goto after_devsrc;
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_SRCDEVADDR
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCDEVADDR
? "! " : "");
printf("--src-mac ");
xtables_print_mac_and_mask((unsigned char *)fw->arp.src_devaddr.addr,
@@ -498,7 +476,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
after_devsrc:
if (fw->arp.tmsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_TGTIP
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
? "! " : "");
if (format & FMT_NUMERIC)
sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
@@ -515,7 +493,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
break;
if (i == ARPT_DEV_ADDR_LEN_MAX)
goto after_devdst;
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_TGTDEVADDR
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_TGTDEVADDR
? "! " : "");
printf("--dst-mac ");
xtables_print_mac_and_mask((unsigned char *)fw->arp.tgt_devaddr.addr,
@@ -525,7 +503,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
after_devdst:
if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6) {
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPHLN
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHLN
? "! " : "");
printf("--h-length %d", fw->arp.arhln);
if (fw->arp.arhln_mask != 255)
@@ -536,7 +514,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
if (fw->arp.arpop_mask != 0) {
int tmp = ntohs(fw->arp.arpop);
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPOP
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPOP
? "! " : "");
if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC))
printf("--opcode %s", arp_opcodes[tmp-1]);
@@ -551,7 +529,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1)) {
uint16_t tmp = ntohs(fw->arp.arhrd);
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPHRD
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHRD
? "! " : "");
if (tmp == 1 && !(format & FMT_NUMERIC))
printf("--h-type %s", "Ethernet");
@@ -565,7 +543,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
if (fw->arp.arpro_mask != 0) {
int tmp = ntohs(fw->arp.arpro);
- printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPPRO
+ printf("%s%s", sep, fw->arp.invflags & IPT_INV_PROTO
? "! " : "");
if (tmp == 0x0800 && !(format & FMT_NUMERIC))
printf("--proto-type %s", "IPv4");
diff --git a/iptables/nft-arp.h b/iptables/nft-arp.h
index 3411fc3d7c7b3..0d93a31f563b1 100644
--- a/iptables/nft-arp.h
+++ b/iptables/nft-arp.h
@@ -4,4 +4,11 @@
extern char *arp_opcodes[];
#define NUMOPCODES 9
+/* define invflags which won't collide with IPT ones */
+#define IPT_INV_SRCDEVADDR 0x0080
+#define IPT_INV_TGTDEVADDR 0x0100
+#define IPT_INV_ARPHLN 0x0200
+#define IPT_INV_ARPOP 0x0400
+#define IPT_INV_ARPHRD 0x0800
+
#endif
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 8632774dfb705..3a35dcd107e19 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -113,22 +113,22 @@ struct xtables_globals arptables_globals = {
static int inverse_for_options[] =
{
/* -n */ 0,
-/* -s */ ARPT_INV_SRCIP,
-/* -d */ ARPT_INV_TGTIP,
+/* -s */ IPT_INV_SRCIP,
+/* -d */ IPT_INV_DSTIP,
/* -p */ 0,
/* -j */ 0,
/* -v */ 0,
/* -x */ 0,
-/* -i */ ARPT_INV_VIA_IN,
-/* -o */ ARPT_INV_VIA_OUT,
+/* -i */ IPT_INV_VIA_IN,
+/* -o */ IPT_INV_VIA_OUT,
/*--line*/ 0,
/* -c */ 0,
-/* 2 */ ARPT_INV_SRCDEVADDR,
-/* 3 */ ARPT_INV_TGTDEVADDR,
-/* -l */ ARPT_INV_ARPHLN,
-/* 4 */ ARPT_INV_ARPOP,
-/* 5 */ ARPT_INV_ARPHRD,
-/* 6 */ ARPT_INV_ARPPRO,
+/* 2 */ IPT_INV_SRCDEVADDR,
+/* 3 */ IPT_INV_TGTDEVADDR,
+/* -l */ IPT_INV_ARPHLN,
+/* 4 */ IPT_INV_ARPOP,
+/* 5 */ IPT_INV_ARPHRD,
+/* 6 */ IPT_INV_PROTO,
};
/***********************************************/
@@ -901,7 +901,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
&dmasks, &ndaddrs);
if ((nsaddrs > 1 || ndaddrs > 1) &&
- (cs.arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+ (cs.arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
xtables_error(PARAMETER_PROBLEM, "! not allowed with multiple"
" source or destination IP addresses");
--
2.40.0

View File

@ -1,37 +0,0 @@
From dd98af599516806e2eb3e1186d0ad52ce7c6b4b5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 21 Apr 2020 14:10:53 +0200
Subject: [PATCH] tests: shell: Test -F in dump files
While not really useful, iptables-nft-restore shouldn't segfault either.
This tests the problem described in nfbz#1407.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit f2ace0cdf25a5911ac84015829d65d6050a5e82d)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../tests/shell/testcases/ipt-restore/0012-dash-F_0 | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0
diff --git a/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0 b/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0
new file mode 100755
index 0000000000000..fd82afa1bc8ce
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0012-dash-F_0
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# make sure -F lines don't cause segfaults
+
+RULESET='*nat
+-F PREROUTING
+-A PREROUTING -j ACCEPT
+-F PREROUTING
+COMMIT'
+
+echo -e "$RULESET" | $XT_MULTI iptables-restore
+echo -e "$RULESET" | $XT_MULTI iptables-restore -n
--
2.27.0

View File

@ -0,0 +1,517 @@
From 003b063b1b40503bc996a4f88c1941c91a0c550b Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 30 Oct 2020 12:42:57 +0100
Subject: [PATCH] xshared: Merge some command option-related code
Add OPT_FRAGMENT define into the enum of other OPT_* defines at the
right position and adjust the arptables-specific ones that follow
accordingly. Appropriately adjust inverse_for_options array in
xtables-arp.c.
Extend optflags from iptables.c by the arptables values for the sake of
completeness, then move it to xshared.h along with NUMBER_OF_OPT
definition. As a side-effect, this fixes for wrong ordering of entries
in arptables' 'optflags' copy.
Add arptables-specific bits to commands_v_options table (the speicific
options are matches on ARP header fields, just treat them like '-s'
option. This is also just a cosmetic change, arptables doesn't have a
generic_opt_check() implementation and hence doesn't use such a table.
With things potentially ready for common use, move commands_v_options
table along with generic_opt_check() and opt2char() into xshared.c and
drop the local (identical) implementations from iptables.c, ip6tables.c
xtables.c and xtables-arp.c. While doing so, fix ordering of entries in
that table: the row for CMD_ZERO_NUM was in the wrong position. Since
all moved rows though are identical, this had no effect in practice.
Fixes: d960a991350ca ("xtables-arp: Integrate OPT_* defines into xshared.h")
Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 8bd4b4f79b5de483353a8c0d0962e71934b7bdd2)
---
iptables/ip6tables.c | 79 -----------------------------------------
iptables/iptables.c | 80 ------------------------------------------
iptables/xshared.c | 74 ++++++++++++++++++++++++++++++++++++++
iptables/xshared.h | 20 +++++++----
iptables/xtables-arp.c | 14 +-------
iptables/xtables.c | 80 ------------------------------------------
6 files changed, 89 insertions(+), 258 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 576c2cf8b0d9f..c95355b091568 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -45,10 +45,6 @@
#include "ip6tables-multi.h"
#include "xshared.h"
-#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
-static const char optflags[]
-= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c'};
-
static const char unsupported_rev[] = " [unsupported revision]";
static struct option original_opts[] = {
@@ -100,36 +96,6 @@ struct xtables_globals ip6tables_globals = {
.compat_rev = xtables_compatible_revision,
};
-/* Table of legal combinations of commands and options. If any of the
- * given commands make an option legal, that option is legal (applies to
- * CMD_LIST and CMD_ZERO only).
- * Key:
- * + compulsory
- * x illegal
- * optional
- */
-
-static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
-/* Well, it's better than "Re: Linux vs FreeBSD" */
-{
- /* -n -s -d -p -j -v -x -i -o --line -c */
-/*INSERT*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' '},
-/*DELETE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x'},
-/*DELETE_NUM*/{'x','x','x','x','x',' ','x','x','x','x','x'},
-/*REPLACE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' '},
-/*APPEND*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' '},
-/*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x'},
-/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
-/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
-/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
-/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
-/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' '},
-/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
-/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x'},
-/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x'},
-/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x'},
-};
-
static const unsigned int inverse_for_options[NUMBER_OF_OPT] =
{
/* -n */ 0,
@@ -264,51 +230,6 @@ ip6tables_exit_error(enum xtables_exittype status, const char *msg, ...)
exit(status);
}
-static void
-generic_opt_check(int command, int options)
-{
- int i, j, legal = 0;
-
- /* Check that commands are valid with options. Complicated by the
- * fact that if an option is legal with *any* command given, it is
- * legal overall (ie. -z and -l).
- */
- for (i = 0; i < NUMBER_OF_OPT; i++) {
- legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
-
- for (j = 0; j < NUMBER_OF_CMD; j++) {
- if (!(command & (1<<j)))
- continue;
-
- if (!(options & (1<<i))) {
- if (commands_v_options[j][i] == '+')
- xtables_error(PARAMETER_PROBLEM,
- "You need to supply the `-%c' "
- "option for this command\n",
- optflags[i]);
- } else {
- if (commands_v_options[j][i] != 'x')
- legal = 1;
- else if (legal == 0)
- legal = -1;
- }
- }
- if (legal == -1)
- xtables_error(PARAMETER_PROBLEM,
- "Illegal option `-%c' with this command\n",
- optflags[i]);
- }
-}
-
-static char
-opt2char(int option)
-{
- const char *ptr;
- for (ptr = optflags; option > 1; option >>= 1, ptr++);
-
- return *ptr;
-}
-
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 88ef6cf666d4b..7d6183116d265 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -41,11 +41,6 @@
#include <fcntl.h>
#include "xshared.h"
-#define OPT_FRAGMENT 0x00800U
-#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
-static const char optflags[]
-= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f'};
-
static const char unsupported_rev[] = " [unsupported revision]";
static struct option original_opts[] = {
@@ -99,36 +94,6 @@ struct xtables_globals iptables_globals = {
.compat_rev = xtables_compatible_revision,
};
-/* Table of legal combinations of commands and options. If any of the
- * given commands make an option legal, that option is legal (applies to
- * CMD_LIST and CMD_ZERO only).
- * Key:
- * + compulsory
- * x illegal
- * optional
- */
-
-static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
-/* Well, it's better than "Re: Linux vs FreeBSD" */
-{
- /* -n -s -d -p -j -v -x -i -o --line -c -f */
-/*INSERT*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
-/*DELETE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
-/*DELETE_NUM*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*REPLACE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
-/*APPEND*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
-/*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x','x'},
-/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' ','x'},
-/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
-};
-
static const int inverse_for_options[NUMBER_OF_OPT] =
{
/* -n */ 0,
@@ -263,51 +228,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
exit(status);
}
-static void
-generic_opt_check(int command, int options)
-{
- int i, j, legal = 0;
-
- /* Check that commands are valid with options. Complicated by the
- * fact that if an option is legal with *any* command given, it is
- * legal overall (ie. -z and -l).
- */
- for (i = 0; i < NUMBER_OF_OPT; i++) {
- legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
-
- for (j = 0; j < NUMBER_OF_CMD; j++) {
- if (!(command & (1<<j)))
- continue;
-
- if (!(options & (1<<i))) {
- if (commands_v_options[j][i] == '+')
- xtables_error(PARAMETER_PROBLEM,
- "You need to supply the `-%c' "
- "option for this command\n",
- optflags[i]);
- } else {
- if (commands_v_options[j][i] != 'x')
- legal = 1;
- else if (legal == 0)
- legal = -1;
- }
- }
- if (legal == -1)
- xtables_error(PARAMETER_PROBLEM,
- "Illegal option `-%c' with this command\n",
- optflags[i]);
- }
-}
-
-static char
-opt2char(int option)
-{
- const char *ptr;
- for (ptr = optflags; option > 1; option >>= 1, ptr++);
-
- return *ptr;
-}
-
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
diff --git a/iptables/xshared.c b/iptables/xshared.c
index c1d1371a6d54a..fe37c30a085d6 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -774,3 +774,77 @@ int parse_rulenumber(const char *rule)
return rulenum;
}
+
+/* Table of legal combinations of commands and options. If any of the
+ * given commands make an option legal, that option is legal (applies to
+ * CMD_LIST and CMD_ZERO only).
+ * Key:
+ * + compulsory
+ * x illegal
+ * optional
+ */
+static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
+/* Well, it's better than "Re: Linux vs FreeBSD" */
+{
+ /* -n -s -d -p -j -v -x -i -o --line -c -f 2 3 l 4 5 6 */
+/*INSERT*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' ',' ',' ',' ',' ',' ',' '},
+/*DELETE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' ',' ',' ',' ',' ',' ',' '},
+/*DELETE_NUM*/{'x','x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*REPLACE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' ',' ',' ',' ',' ',' ',' '},
+/*APPEND*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' ',' ',' ',' ',' ',' ',' '},
+/*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x','x','x','x','x','x','x','x'},
+/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' ','x','x','x','x','x','x','x'},
+/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x','x','x','x','x','x','x','x'},
+/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' ',' ',' ',' ',' ',' ',' '},
+};
+
+void generic_opt_check(int command, int options)
+{
+ int i, j, legal = 0;
+
+ /* Check that commands are valid with options. Complicated by the
+ * fact that if an option is legal with *any* command given, it is
+ * legal overall (ie. -z and -l).
+ */
+ for (i = 0; i < NUMBER_OF_OPT; i++) {
+ legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
+
+ for (j = 0; j < NUMBER_OF_CMD; j++) {
+ if (!(command & (1<<j)))
+ continue;
+
+ if (!(options & (1<<i))) {
+ if (commands_v_options[j][i] == '+')
+ xtables_error(PARAMETER_PROBLEM,
+ "You need to supply the `-%c' "
+ "option for this command\n",
+ optflags[i]);
+ } else {
+ if (commands_v_options[j][i] != 'x')
+ legal = 1;
+ else if (legal == 0)
+ legal = -1;
+ }
+ }
+ if (legal == -1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Illegal option `-%c' with this command\n",
+ optflags[i]);
+ }
+}
+
+char opt2char(int option)
+{
+ const char *ptr;
+
+ for (ptr = optflags; option > 1; option >>= 1, ptr++)
+ ;
+
+ return *ptr;
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index c41bd054bf36f..9159b2b1f3768 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -30,15 +30,20 @@ enum {
OPT_VIANAMEOUT = 1 << 8,
OPT_LINENUMBERS = 1 << 9,
OPT_COUNTERS = 1 << 10,
+ OPT_FRAGMENT = 1 << 11,
/* below are for arptables only */
- OPT_S_MAC = 1 << 11,
- OPT_D_MAC = 1 << 12,
- OPT_H_LENGTH = 1 << 13,
- OPT_OPCODE = 1 << 14,
- OPT_H_TYPE = 1 << 15,
- OPT_P_TYPE = 1 << 16,
+ OPT_S_MAC = 1 << 12,
+ OPT_D_MAC = 1 << 13,
+ OPT_H_LENGTH = 1 << 14,
+ OPT_OPCODE = 1 << 15,
+ OPT_H_TYPE = 1 << 16,
+ OPT_P_TYPE = 1 << 17,
};
+#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
+static const char optflags[]
+= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f', 2, 3, 'l', 4, 5, 6 };
+
enum {
CMD_NONE = 0,
CMD_INSERT = 1 << 0,
@@ -216,4 +221,7 @@ void add_command(unsigned int *cmd, const int newcmd,
const int othercmds, int invert);
int parse_rulenumber(const char *rule);
+void generic_opt_check(int command, int options);
+char opt2char(int option);
+
#endif /* IPTABLES_XSHARED_H */
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 3a35dcd107e19..0695504892b74 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -53,10 +53,6 @@
#include "nft-arp.h"
#include <linux/netfilter_arp/arp_tables.h>
-#define NUMBER_OF_OPT 16
-static const char optflags[NUMBER_OF_OPT]
-= { 'n', 's', 'd', 2, 3, 7, 8, 4, 5, 6, 'j', 'v', 'i', 'o', '0', 'c'};
-
static struct option original_opts[] = {
{ "append", 1, 0, 'A' },
{ "delete", 1, 0, 'D' },
@@ -123,6 +119,7 @@ static int inverse_for_options[] =
/* -o */ IPT_INV_VIA_OUT,
/*--line*/ 0,
/* -c */ 0,
+/* -f */ 0,
/* 2 */ IPT_INV_SRCDEVADDR,
/* 3 */ IPT_INV_TGTDEVADDR,
/* -l */ IPT_INV_ARPHLN,
@@ -327,15 +324,6 @@ printhelp(void)
}
}
-static char
-opt2char(int option)
-{
- const char *ptr;
- for (ptr = optflags; option > 1; option >>= 1, ptr++);
-
- return *ptr;
-}
-
static int
check_inverse(const char option[], int *invert, int *optidx, int argc)
{
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 9d2e441e0b773..9779bd83d53b3 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -43,11 +43,6 @@
#include "nft-shared.h"
#include "nft.h"
-#define OPT_FRAGMENT 0x00800U
-#define NUMBER_OF_OPT ARRAY_SIZE(optflags)
-static const char optflags[]
-= { 'n', 's', 'd', 'p', 'j', 'v', 'x', 'i', 'o', '0', 'c', 'f'};
-
static struct option original_opts[] = {
{.name = "append", .has_arg = 1, .val = 'A'},
{.name = "delete", .has_arg = 1, .val = 'D'},
@@ -99,36 +94,6 @@ struct xtables_globals xtables_globals = {
.compat_rev = nft_compatible_revision,
};
-/* Table of legal combinations of commands and options. If any of the
- * given commands make an option legal, that option is legal (applies to
- * CMD_LIST and CMD_ZERO only).
- * Key:
- * + compulsory
- * x illegal
- * optional
- */
-
-static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
-/* Well, it's better than "Re: Linux vs FreeBSD" */
-{
- /* -n -s -d -p -j -v -x -i -o --line -c -f */
-/*INSERT*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
-/*DELETE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
-/*DELETE_NUM*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*REPLACE*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
-/*APPEND*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x',' ',' '},
-/*LIST*/ {' ','x','x','x','x',' ',' ','x','x',' ','x','x'},
-/*FLUSH*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*ZERO*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*ZERO_NUM*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*NEW_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*DEL_CHAIN*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*SET_POLICY*/{'x','x','x','x','x',' ','x','x','x','x',' ','x'},
-/*RENAME*/ {'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*LIST_RULES*/{'x','x','x','x','x',' ','x','x','x','x','x','x'},
-/*CHECK*/ {'x',' ',' ',' ',' ',' ','x',' ',' ','x','x',' '},
-};
-
static const int inverse_for_options[NUMBER_OF_OPT] =
{
/* -n */ 0,
@@ -262,51 +227,6 @@ xtables_exit_error(enum xtables_exittype status, const char *msg, ...)
exit(status);
}
-static void
-generic_opt_check(int command, int options)
-{
- int i, j, legal = 0;
-
- /* Check that commands are valid with options. Complicated by the
- * fact that if an option is legal with *any* command given, it is
- * legal overall (ie. -z and -l).
- */
- for (i = 0; i < NUMBER_OF_OPT; i++) {
- legal = 0; /* -1 => illegal, 1 => legal, 0 => undecided. */
-
- for (j = 0; j < NUMBER_OF_CMD; j++) {
- if (!(command & (1<<j)))
- continue;
-
- if (!(options & (1<<i))) {
- if (commands_v_options[j][i] == '+')
- xtables_error(PARAMETER_PROBLEM,
- "You need to supply the `-%c' "
- "option for this command\n",
- optflags[i]);
- } else {
- if (commands_v_options[j][i] != 'x')
- legal = 1;
- else if (legal == 0)
- legal = -1;
- }
- }
- if (legal == -1)
- xtables_error(PARAMETER_PROBLEM,
- "Illegal option `-%c' with this command\n",
- optflags[i]);
- }
-}
-
-static char
-opt2char(int option)
-{
- const char *ptr;
- for (ptr = optflags; option > 1; option >>= 1, ptr++);
-
- return *ptr;
-}
-
/*
* All functions starting with "parse" should succeed, otherwise
* the program fails.
--
2.40.0

View File

@ -1,4 +1,4 @@
From f5185f4efad409fc7ec4ae05267b642ee4103a6c Mon Sep 17 00:00:00 2001 From 8d0f11ea353caa254b65b4fde240e5d3a8fe12a7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Fri, 4 Dec 2020 17:44:51 +0100 Date: Fri, 4 Dec 2020 17:44:51 +0100
Subject: [PATCH] tests/shell: Test for fixed extension registration Subject: [PATCH] tests/shell: Test for fixed extension registration
@ -11,7 +11,6 @@ effective.
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 93d0c97e8b6713f51ba679e01a1338d4f9076e7c) (cherry picked from commit 93d0c97e8b6713f51ba679e01a1338d4f9076e7c)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
.../0017-pointless-compat-checks_0 | 25 +++++++++++++++++++ .../0017-pointless-compat-checks_0 | 25 +++++++++++++++++++
1 file changed, 25 insertions(+) 1 file changed, 25 insertions(+)
@ -49,5 +48,5 @@ index 0000000000000..cf73de32df409
+# patched only 12 but keep a certain margin for future changes +# patched only 12 but keep a certain margin for future changes
+[[ $socketcount -lt 20 ]] +[[ $socketcount -lt 20 ]]
-- --
2.28.0 2.40.0

View File

@ -1,4 +1,4 @@
From 98794894774a39927bc975921fc9e40f00db937b Mon Sep 17 00:00:00 2001 From 8a10ad0e149cf1c6d0c34bd554a8e0a35cdf3e8d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc> From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Dec 2020 13:37:06 +0100 Date: Wed, 2 Dec 2020 13:37:06 +0100
Subject: [PATCH] extensions: dccp: Fix for DCCP type 'INVALID' Subject: [PATCH] extensions: dccp: Fix for DCCP type 'INVALID'
@ -27,7 +27,6 @@ Fixes: e40b11d7ef827 ("add support for new 'dccp' protocol match")
Fixes: c94a998724143 ("extensions: libxt_dccp: Add translation to nft") Fixes: c94a998724143 ("extensions: libxt_dccp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 4bcbc8e11a2764f4537dc405962f83cd072cccfe) (cherry picked from commit 4bcbc8e11a2764f4537dc405962f83cd072cccfe)
Signed-off-by: Phil Sutter <psutter@redhat.com>
--- ---
extensions/libxt_dccp.c | 58 ++++++++++++++++++++++-------------- extensions/libxt_dccp.c | 58 ++++++++++++++++++++++--------------
extensions/libxt_dccp.txlate | 12 ++++++-- extensions/libxt_dccp.txlate | 12 ++++++--
@ -173,5 +172,5 @@ index b47dc65f5bc4f..ea853f6acf627 100644
-nft add rule ip filter INPUT dccp sport 200 dport 100 counter -nft add rule ip filter INPUT dccp sport 200 dport 100 counter
+nft add rule ip filter INPUT dccp sport 200 dccp dport 100 counter +nft add rule ip filter INPUT dccp sport 200 dccp dport 100 counter
-- --
2.28.0 2.40.0

View File

@ -0,0 +1,85 @@
From 524f17b1027cb3b6bd5484c644d4dc226d137d91 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Sat, 12 Dec 2020 16:15:32 +0100
Subject: [PATCH] xtables-monitor: fix rule printing
trace_print_rule does a rule dump. This prints unrelated rules
in the same chain. Instead the function should only request the
specific handle.
Furthermore, flush output buffer afterwards so this plays nice when
output isn't a terminal.
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 07af4da52ab3002c9cb510863b4eb7aaca4fb43b)
---
iptables/xtables-monitor.c | 32 +++++++++++++++-----------------
1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 4008cc00d4694..364e600e1b38a 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -227,12 +227,12 @@ static void trace_print_rule(const struct nftnl_trace *nlt, struct cb_arg *args)
exit(EXIT_FAILURE);
}
- nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family, NLM_F_DUMP, 0);
+ nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family, 0, 0);
nftnl_rule_set_u32(r, NFTNL_RULE_FAMILY, family);
nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain);
nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table);
- nftnl_rule_set_u64(r, NFTNL_RULE_POSITION, handle);
+ nftnl_rule_set_u64(r, NFTNL_RULE_HANDLE, handle);
nftnl_rule_nlmsg_build_payload(nlh, r);
nftnl_rule_free(r);
@@ -248,24 +248,21 @@ static void trace_print_rule(const struct nftnl_trace *nlt, struct cb_arg *args)
}
portid = mnl_socket_get_portid(nl);
- if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
- perror("mnl_socket_send");
- exit(EXIT_FAILURE);
- }
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
- while (ret > 0) {
+ if (ret > 0) {
args->is_event = false;
- ret = mnl_cb_run(buf, ret, 0, portid, rule_cb, args);
- if (ret <= 0)
- break;
- ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
- }
- if (ret == -1) {
- perror("error");
- exit(EXIT_FAILURE);
- }
- mnl_socket_close(nl);
+ ret = mnl_cb_run(buf, ret, 0, portid, rule_cb, args);
+ }
+ if (ret == -1) {
+ perror("error");
+ exit(EXIT_FAILURE);
+ }
+ mnl_socket_close(nl);
}
static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *args)
@@ -531,6 +528,7 @@ static int trace_cb(const struct nlmsghdr *nlh, struct cb_arg *arg)
err_free:
nftnl_trace_free(nlt);
err:
+ fflush(stdout);
return MNL_CB_OK;
}
--
2.40.0

View File

@ -0,0 +1,38 @@
From 7de2651bdbbabfc08ef040d2cb9867c8375e3984 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Sat, 12 Dec 2020 16:15:33 +0100
Subject: [PATCH] xtables-monitor: fix packet family protocol
This prints the family passed on the command line (which might be 0).
Print the table family instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 946923b640afc2249cf98743ff60a97291108701)
---
iptables/xtables-monitor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 364e600e1b38a..8850a12032d26 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -273,14 +273,14 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg
uint32_t mark;
char name[IFNAMSIZ];
- printf("PACKET: %d %08x ", args->nfproto, nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID));
+ family = nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY);
+ printf("PACKET: %d %08x ", family, nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID));
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_IIF))
printf("IN=%s ", if_indextoname(nftnl_trace_get_u32(nlt, NFTNL_TRACE_IIF), name));
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_OIF))
printf("OUT=%s ", if_indextoname(nftnl_trace_get_u32(nlt, NFTNL_TRACE_OIF), name));
- family = nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY);
nfproto = family;
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_NFPROTO)) {
nfproto = nftnl_trace_get_u32(nlt, NFTNL_TRACE_NFPROTO);
--
2.40.0

View File

@ -1,80 +0,0 @@
From 2c183a2457d8640aaee3a98fc8fea70bf64d46f2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sat, 29 Feb 2020 02:08:26 +0100
Subject: [PATCH] nft: cache: Make nft_rebuild_cache() respect fake cache
If transaction needed a refresh in nft_action(), restore with flush
would fetch a full cache instead of merely refreshing table list
contained in "fake" cache.
To fix this, nft_rebuild_cache() must distinguish between fake cache and
full rule cache. Therefore introduce NFT_CL_FAKE to be distinguished
from NFT_CL_RULES.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 40ad7793d1884f28767cf58c96e9d76ae0a18db1)
RHEL-only fix: Make nft_rebuild_cache() check 'level' instead of
'h->cache_level' as the latter may be reset by __nft_flush_cache().
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft-cache.c | 13 +++++++++----
iptables/nft.h | 3 ++-
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index bc6e7f7eaebfb..9623b463f0dd5 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -480,6 +480,7 @@ __nft_build_cache(struct nft_handle *h, enum nft_cache_level level,
break;
/* fall through */
case NFT_CL_RULES:
+ case NFT_CL_FAKE:
break;
}
@@ -516,7 +517,7 @@ void nft_fake_cache(struct nft_handle *h)
h->cache->table[type].chains = nftnl_chain_list_alloc();
}
- h->cache_level = NFT_CL_RULES;
+ h->cache_level = NFT_CL_FAKE;
mnl_genid_get(h, &h->nft_genid);
}
@@ -629,9 +630,13 @@ void nft_rebuild_cache(struct nft_handle *h)
if (h->cache_level)
__nft_flush_cache(h);
- h->nft_genid = 0;
- h->cache_level = NFT_CL_NONE;
- __nft_build_cache(h, level, NULL, NULL, NULL);
+ if (level == NFT_CL_FAKE) {
+ nft_fake_cache(h);
+ } else {
+ h->nft_genid = 0;
+ h->cache_level = NFT_CL_NONE;
+ __nft_build_cache(h, level, NULL, NULL, NULL);
+ }
}
void nft_release_cache(struct nft_handle *h)
diff --git a/iptables/nft.h b/iptables/nft.h
index 5cf260a6d2cd3..2094b01455194 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -32,7 +32,8 @@ enum nft_cache_level {
NFT_CL_TABLES,
NFT_CL_CHAINS,
NFT_CL_SETS,
- NFT_CL_RULES
+ NFT_CL_RULES,
+ NFT_CL_FAKE /* must be last entry */
};
struct nft_cache {
--
2.28.0

View File

@ -0,0 +1,101 @@
From 46fffddb8ae11d3e46f55ca0bb356a2549671652 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Sat, 12 Dec 2020 16:15:34 +0100
Subject: [PATCH] xtables-monitor: print packet first
The trace mode should first print the packet that was received and
then the rule/verdict.
Furthermore, the monitor did sometimes print an extra newline.
After this patch, output is more consistent with nft monitor.
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 180ba723d0b305fab9287d3bc5f845a43d9eb793)
---
iptables/xtables-monitor.c | 34 +++++++++++++++++++++++-----------
1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 8850a12032d26..e6b6e76b9fdc9 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -106,6 +106,7 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
printf("-0 ");
break;
default:
+ puts("");
goto err_free;
}
@@ -433,9 +434,18 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg
mark = nftnl_trace_get_u32(nlt, NFTNL_TRACE_MARK);
if (mark)
printf("MARK=0x%x ", mark);
+ puts("");
+}
+
+static void trace_print_hdr(const struct nftnl_trace *nlt)
+{
+ printf(" TRACE: %d %08x %s:%s", nftnl_trace_get_u32(nlt, NFTNL_TABLE_FAMILY),
+ nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID),
+ nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE),
+ nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN));
}
-static void print_verdict(struct nftnl_trace *nlt, uint32_t verdict)
+static void print_verdict(const struct nftnl_trace *nlt, uint32_t verdict)
{
const char *chain;
@@ -496,35 +506,37 @@ static int trace_cb(const struct nlmsghdr *nlh, struct cb_arg *arg)
arg->nfproto != nftnl_trace_get_u32(nlt, NFTNL_TABLE_FAMILY))
goto err_free;
- printf(" TRACE: %d %08x %s:%s", nftnl_trace_get_u32(nlt, NFTNL_TABLE_FAMILY),
- nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID),
- nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE),
- nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN));
-
switch (nftnl_trace_get_u32(nlt, NFTNL_TRACE_TYPE)) {
case NFT_TRACETYPE_RULE:
verdict = nftnl_trace_get_u32(nlt, NFTNL_TRACE_VERDICT);
- printf(":rule:0x%llx:", (unsigned long long)nftnl_trace_get_u64(nlt, NFTNL_TRACE_RULE_HANDLE));
- print_verdict(nlt, verdict);
- if (nftnl_trace_is_set(nlt, NFTNL_TRACE_RULE_HANDLE))
- trace_print_rule(nlt, arg);
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_LL_HEADER) ||
nftnl_trace_is_set(nlt, NFTNL_TRACE_NETWORK_HEADER))
trace_print_packet(nlt, arg);
+
+ if (nftnl_trace_is_set(nlt, NFTNL_TRACE_RULE_HANDLE)) {
+ trace_print_hdr(nlt);
+ printf(":rule:0x%" PRIx64":", nftnl_trace_get_u64(nlt, NFTNL_TRACE_RULE_HANDLE));
+ print_verdict(nlt, verdict);
+ printf(" ");
+ trace_print_rule(nlt, arg);
+ }
break;
case NFT_TRACETYPE_POLICY:
+ trace_print_hdr(nlt);
printf(":policy:");
verdict = nftnl_trace_get_u32(nlt, NFTNL_TRACE_POLICY);
print_verdict(nlt, verdict);
+ puts("");
break;
case NFT_TRACETYPE_RETURN:
+ trace_print_hdr(nlt);
printf(":return:");
trace_print_return(nlt);
+ puts("");
break;
}
- puts("");
err_free:
nftnl_trace_free(nlt);
err:
--
2.40.0

View File

@ -0,0 +1,30 @@
From bc9b418dc22fb7d81bfded431c74ea84f62340bd Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 14 Dec 2020 17:11:23 +0100
Subject: [PATCH] xtables-monitor:
'LL=0x304' is not very convenient, print LOOPBACK instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 98ed6f6fc6d97663a33de67afff60196052880b1)
---
iptables/xtables-monitor.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index e6b6e76b9fdc9..4b9809805fb5b 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -306,6 +306,9 @@ static void trace_print_packet(const struct nftnl_trace *nlt, struct cb_arg *arg
printf("MACDST=%s ", ether_ntoa((const void *)eh->h_dest));
printf("MACPROTO=%04x ", ntohs(eh->h_proto));
break;
+ case ARPHRD_LOOPBACK:
+ printf("LOOPBACK ");
+ break;
default:
printf("LL=0x%x ", type);
for (i = 0 ; i < len; i++)
--
2.40.0

View File

@ -0,0 +1,41 @@
From 06bf588263f81b0d254d49b584b26445a788638d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 23 Sep 2020 19:13:45 +0200
Subject: [PATCH] nft: Fix selective chain compatibility checks
Since commit 80251bc2a56ed ("nft: remove cache build calls"), 'chain'
parameter passed to nft_chain_list_get() is no longer effective.
Before, it was used to fetch only that single chain from kernel when
populating the cache. So the returned list of chains for which
compatibility checks are done would contain only that single chain.
Re-establish the single chain compat checking by introducing a dedicated
code path to nft_is_chain_compatible() doing so.
Fixes: 80251bc2a56ed ("nft: remove cache build calls")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 694612adf87fb614f16a2b678f32745d5c9d7876)
---
iptables/nft.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index bdf252198f155..7f87d46dcc44c 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3575,6 +3575,12 @@ bool nft_is_table_compatible(struct nft_handle *h,
{
struct nftnl_chain_list *clist;
+ if (chain) {
+ struct nftnl_chain *c = nft_chain_find(h, table, chain);
+
+ return c && !nft_is_chain_compatible(c, h);
+ }
+
clist = nft_chain_list_get(h, table, chain);
if (clist == NULL)
return false;
--
2.40.0

View File

@ -0,0 +1,104 @@
From 4f52c310cf3854a64ef9a518c223e0581ec9a308 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 24 Feb 2021 11:08:02 +0100
Subject: [PATCH] iptables-nft: fix -Z option
it zeroes the rule counters, so it needs fully populated cache.
Add a test case to cover this.
Fixes: 9d07514ac5c7a ("nft: calculate cache requirements from list of commands")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 5f1fcacebf9b4529950b6e3f88327049a0ea7cd2)
---
iptables/nft-cmd.c | 2 +-
.../testcases/iptables/0007-zero-counters_0 | 64 +++++++++++++++++++
2 files changed, 65 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0007-zero-counters_0
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 9c0901e78703a..ed53c061edc6f 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -185,7 +185,7 @@ int nft_cmd_chain_zero_counters(struct nft_handle *h, const char *chain,
if (!cmd)
return 0;
- nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
+ nft_cache_level_set(h, NFT_CL_RULES, cmd);
return 1;
}
diff --git a/iptables/tests/shell/testcases/iptables/0007-zero-counters_0 b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
new file mode 100755
index 0000000000000..36da1907e3b22
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0007-zero-counters_0
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+RC=0
+COUNTR=$RANDOM$RANDOM
+
+$XT_MULTI iptables-restore -c <<EOF
+*filter
+:INPUT ACCEPT [1:23]
+:FOO - [0:0]
+[12:345] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+[22:123] -A FOO -m comment --comment one
+[44:123] -A FOO -m comment --comment two
+COMMIT
+EOF
+EXPECT="*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:FOO - [0:0]
+[0:0] -A INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+[0:0] -A FOO -m comment --comment one
+[0:0] -A FOO -m comment --comment two
+COMMIT"
+
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+if [ $COUNTER != "[12:345]" ]; then
+ echo "Counter $COUNTER is wrong, expected 12:345"
+ RC=1
+fi
+
+$XT_MULTI iptables -Z FOO
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+if [ $COUNTER = "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, should not have been zeroed"
+ RC=1
+fi
+
+for c in one two; do
+ COUNTER=$($XT_MULTI iptables-save -c |grep "comment $c"| cut -f 1 -d " ")
+ if [ $COUNTER != "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, should have been zeroed at rule $c"
+ RC=1
+ fi
+done
+
+$XT_MULTI iptables -Z
+COUNTER=$($XT_MULTI iptables-save -c |grep "comment $COUNTR"| cut -f 1 -d " ")
+
+if [ $COUNTER != "[0:0]" ]; then
+ echo "Counter $COUNTER is wrong, expected 0:0 after -Z"
+ RC=1
+fi
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save -c | grep -v '^#')
+if [ $? -ne 0 ]; then
+ echo "Diff error: counters were not zeroed"
+ RC=1
+fi
+
+$XT_MULTI iptables -D INPUT -i lo -p icmp -m comment --comment "$COUNTR"
+$XT_MULTI iptables -D FOO -m comment --comment one
+$XT_MULTI iptables -D FOO -m comment --comment two
+$XT_MULTI iptables -X FOO
+exit $RC
--
2.40.0

View File

@ -0,0 +1,73 @@
From 7b60fadf23fd4b712dd7522c06b6e7b4f3190fc6 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 19 Feb 2021 16:54:57 +0100
Subject: [PATCH] nft: Fix bitwise expression avoidance detection
Byte-boundary prefix detection was too sloppy: Any data following the
first zero-byte was ignored. Add a follow-up loop making sure there are
no stray bits in the designated host part.
Fixes: 323259001d617 ("nft: Optimize class-based IP prefix matches")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 330f5df03ad589b46865ceedf2a54cf10a4225ba)
---
iptables/nft-shared.c | 4 +++-
.../testcases/ip6tables/0004-address-masks_0 | 24 +++++++++++++++++++
2 files changed, 27 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 10553ab26823b..c1664b50f9383 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -166,7 +166,7 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
{
const unsigned char *m = mask;
bool bitwise = false;
- int i;
+ int i, j;
for (i = 0; i < len; i++) {
if (m[i] != 0xff) {
@@ -174,6 +174,8 @@ void add_addr(struct nftnl_rule *r, enum nft_payload_bases base, int offset,
break;
}
}
+ for (j = i + 1; !bitwise && j < len; j++)
+ bitwise = !!m[j];
if (!bitwise)
len = i;
diff --git a/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0 b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
new file mode 100755
index 0000000000000..7eb42f08da975
--- /dev/null
+++ b/iptables/tests/shell/testcases/ip6tables/0004-address-masks_0
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+$XT_MULTI ip6tables-restore <<EOF
+*filter
+-A FORWARD -s feed:babe::/ffff::0
+-A FORWARD -s feed:babe::/ffff:ff00::0
+-A FORWARD -s feed:babe::/ffff:fff0::0
+-A FORWARD -s feed:babe::/ffff:ffff::0
+-A FORWARD -s feed:babe::/0:ffff::0
+-A FORWARD -s feed:c0ff::babe:f00/ffff::ffff:0
+COMMIT
+EOF
+
+EXPECT='-P FORWARD ACCEPT
+-A FORWARD -s feed::/16
+-A FORWARD -s feed:ba00::/24
+-A FORWARD -s feed:bab0::/28
+-A FORWARD -s feed:babe::/32
+-A FORWARD -s 0:babe::/0:ffff::
+-A FORWARD -s feed::babe:0/ffff::ffff:0'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
--
2.40.0

View File

@ -0,0 +1,196 @@
From 810da6ff3a0a0b9bdb608edc0b68fc5cedac97e0 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 2 Mar 2021 14:50:07 +0100
Subject: [PATCH] xtables-translate: Fix translation of odd netmasks
Iptables supports netmasks which are not prefixes to match on (or
ignore) arbitrary bits in an address. Yet nftables' prefix notation is
available for real prefixes only, so translation is not as trivial -
print bitmask syntax for those cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 46f9d3a9a61ee80fa94b7fa7b3b36045c92606ae)
---
extensions/generic.txlate | 48 +++++++++++++++++++++++++++++++++++++
extensions/libxt_standard.t | 12 ++++++++++
iptables/nft-ipv4.c | 42 ++++++++++++++++++++++----------
iptables/nft-ipv6.c | 19 ++++++++++++---
4 files changed, 106 insertions(+), 15 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 0e256c3727559..9ae9a5b54c1b9 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -10,6 +10,54 @@ nft insert rule ip filter INPUT iifname "iifname" ip saddr 10.0.0.0/8 counter
iptables-translate -A INPUT -i iif+ ! -d 10.0.0.0/8
nft add rule ip filter INPUT iifname "iif*" ip daddr != 10.0.0.0/8 counter
+iptables-translate -I INPUT -s 10.11.12.13/255.255.0.0
+nft insert rule ip filter INPUT ip saddr 10.11.0.0/16 counter
+
+iptables-translate -I INPUT -s 10.11.12.13/255.0.255.0
+nft insert rule ip filter INPUT ip saddr & 255.0.255.0 == 10.0.12.0 counter
+
+iptables-translate -I INPUT -s 10.11.12.13/0.255.0.255
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 == 0.11.0.13 counter
+
+iptables-translate -I INPUT ! -s 10.11.12.13/0.255.0.255
+nft insert rule ip filter INPUT ip saddr & 0.255.0.255 != 0.11.0.13 counter
+
+iptables-translate -I INPUT -s 0.0.0.0/16
+nft insert rule ip filter INPUT ip saddr 0.0.0.0/16 counter
+
+iptables-translate -I INPUT -s 0.0.0.0/0
+nft insert rule ip filter INPUT counter
+
+iptables-translate -I INPUT ! -s 0.0.0.0/0
+nft insert rule ip filter INPUT ip saddr != 0.0.0.0/0 counter
+
+ip6tables-translate -I INPUT -i iifname -s feed::/16
+nft insert rule ip6 filter INPUT iifname "iifname" ip6 saddr feed::/16 counter
+
+ip6tables-translate -A INPUT -i iif+ ! -d feed::/16
+nft add rule ip6 filter INPUT iifname "iif*" ip6 daddr != feed::/16 counter
+
+ip6tables-translate -I INPUT -s feed:babe::1/ffff:ff00::
+nft insert rule ip6 filter INPUT ip6 saddr feed:ba00::/24 counter
+
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/ffff:0:ffff:0:ffff:0:ffff:0
+nft insert rule ip6 filter INPUT ip6 saddr & ffff:0:ffff:0:ffff:0:ffff:0 == feed:0:c0ff:0:c0be:0:5678:0 counter
+
+ip6tables-translate -I INPUT -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff == 0:babe:0:ee00:0:1234:0:90ab counter
+
+ip6tables-translate -I INPUT ! -s feed:babe:c0ff:ee00:c0be:1234:5678:90ab/0:ffff:0:ffff:0:ffff:0:ffff
+nft insert rule ip6 filter INPUT ip6 saddr & 0:ffff:0:ffff:0:ffff:0:ffff != 0:babe:0:ee00:0:1234:0:90ab counter
+
+ip6tables-translate -I INPUT -s ::/16
+nft insert rule ip6 filter INPUT ip6 saddr ::/16 counter
+
+ip6tables-translate -I INPUT -s ::/0
+nft insert rule ip6 filter INPUT counter
+
+ip6tables-translate -I INPUT ! -s ::/0
+nft insert rule ip6 filter INPUT ip6 saddr != ::/0 counter
+
ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
nft insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 4313f7b7bac9d..56d6da2e5884e 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -9,3 +9,15 @@
-j ACCEPT;=;OK
-j RETURN;=;OK
! -p 0 -j ACCEPT;=;FAIL
+-s 10.11.12.13/8;-s 10.0.0.0/8;OK
+-s 10.11.12.13/9;-s 10.0.0.0/9;OK
+-s 10.11.12.13/10;-s 10.0.0.0/10;OK
+-s 10.11.12.13/11;-s 10.0.0.0/11;OK
+-s 10.11.12.13/12;-s 10.0.0.0/12;OK
+-s 10.11.12.13/30;-s 10.11.12.12/30;OK
+-s 10.11.12.13/31;-s 10.11.12.12/31;OK
+-s 10.11.12.13/32;-s 10.11.12.13/32;OK
+-s 10.11.12.13/255.0.0.0;-s 10.0.0.0/8;OK
+-s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
+-s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
+-s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index fdc15c6f04066..0d32a30010519 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command,
" source or destination IP addresses");
}
+static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
+ const struct in_addr *mask,
+ bool inv, struct xt_xlate *xl)
+{
+ const char *op = inv ? "!= " : "";
+ int cidr;
+
+ if (!inv && !addr->s_addr && !mask->s_addr)
+ return;
+
+ cidr = xtables_ipmask_to_cidr(mask);
+ switch (cidr) {
+ case -1:
+ /* inet_ntoa() is not reentrant */
+ xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
+ xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
+ break;
+ case 32:
+ xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
+ break;
+ default:
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
+ cidr);
+ }
+}
+
static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
{
const struct iptables_command_state *cs = data;
@@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
}
}
- if (cs->fw.ip.src.s_addr != 0) {
- xt_xlate_add(xl, "ip saddr %s%s%s ",
- cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "",
- inet_ntoa(cs->fw.ip.src),
- xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
- }
- if (cs->fw.ip.dst.s_addr != 0) {
- xt_xlate_add(xl, "ip daddr %s%s%s ",
- cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "",
- inet_ntoa(cs->fw.ip.dst),
- xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
- }
+ xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
+ cs->fw.ip.invflags & IPT_INV_SRCIP, xl);
+ xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk,
+ cs->fw.ip.invflags & IPT_INV_DSTIP, xl);
ret = xlate_matches(cs, xl);
if (!ret)
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 130ad3e6e7c44..46008fc5e762a 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
const struct in6_addr *mask,
int invert, struct xt_xlate *xl)
{
+ const char *op = invert ? "!= " : "";
char addr_str[INET6_ADDRSTRLEN];
+ int cidr;
- if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr))
+ if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask))
return;
inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN);
- xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str,
- xtables_ip6mask_to_numeric(mask));
+ cidr = xtables_ip6mask_to_cidr(mask);
+ switch (cidr) {
+ case -1:
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
+ xtables_ip6addr_to_numeric(mask),
+ invert ? "!=" : "==", addr_str);
+ break;
+ case 128:
+ xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str);
+ break;
+ default:
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr);
+ }
}
static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
--
2.40.0

View File

@ -0,0 +1,129 @@
From db7d25c14b8db7f7ea514e1f81acb82fafb3c9d7 Mon Sep 17 00:00:00 2001
From: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
Date: Thu, 1 Apr 2021 16:47:07 +0300
Subject: [PATCH] extensions: libxt_conntrack: use bitops for state negation
Currently, state_xlate_print function prints statemask as comma-separated sequence of enabled
statemask flags. But if we have inverted conntrack ctstate condition then we have to use more
complex expression because nft not supports syntax like "ct state != related,established".
Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop
...
it will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 18e334da7363ba186edb1700056e26ded27ca5ba)
---
extensions/libxt_conntrack.c | 38 ++++++++++++++++++++-----------
extensions/libxt_conntrack.txlate | 5 +++-
2 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7734509c9af84..91f9e4aa994f8 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1148,30 +1148,43 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
state_print_state(sinfo->statemask);
}
-static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask)
+static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted)
{
const char *sep = "";
+ int one_flag_set;
+
+ one_flag_set = !(statemask & (statemask - 1));
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, "& (");
+ else if (inverted)
+ xt_xlate_add(xl, "& ");
if (statemask & XT_CONNTRACK_STATE_INVALID) {
xt_xlate_add(xl, "%s%s", sep, "invalid");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
xt_xlate_add(xl, "%s%s", sep, "new");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
xt_xlate_add(xl, "%s%s", sep, "related");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
xt_xlate_add(xl, "%s%s", sep, "established");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
xt_xlate_add(xl, "%s%s", sep, "untracked");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, ") == 0");
+ else if (inverted)
+ xt_xlate_add(xl, " == 0");
}
static int state_xlate(struct xt_xlate *xl,
@@ -1180,9 +1193,9 @@ static int state_xlate(struct xt_xlate *xl,
const struct xt_conntrack_mtinfo3 *sinfo =
(const void *)params->match->data;
- xt_xlate_add(xl, "ct state %s", sinfo->invert_flags & XT_CONNTRACK_STATE ?
- "!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
+ xt_xlate_add(xl, "ct state ");
+ state_xlate_print(xl, sinfo->state_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATE);
xt_xlate_add(xl, " ");
return 1;
}
@@ -1256,10 +1269,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
sinfo->state_mask & XT_CONNTRACK_STATE_SNAT ? "snat" : "dnat");
space = " ";
} else {
- xt_xlate_add(xl, "%sct state %s", space,
- sinfo->invert_flags & XT_CONNTRACK_STATE ?
- "!= " : "");
- state_xlate_print(xl, sinfo->state_mask);
+ xt_xlate_add(xl, "%sct state ", space);
+ state_xlate_print(xl, sinfo->state_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATE);
space = " ";
}
}
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index d374f8a035f00..5ab85b177c396 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -2,7 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE
nft add rule ip filter INPUT ct state new,related counter accept
ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
-nft add rule ip6 filter INPUT ct state != new,related counter accept
+nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept
+
+ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT
+nft add rule ip6 filter INPUT ct state & new == 0 counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct original protocol 17 counter accept
--
2.40.0

View File

@ -0,0 +1,120 @@
From ca4b90e5fc460fe522ceff2206ae5d32d32d2b40 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 27 Apr 2021 09:12:53 +0200
Subject: [PATCH] Eliminate inet_aton() and inet_ntoa()
Both functions are obsolete, replace them by equivalent calls to
inet_pton() and inet_ntop().
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit acac2dbe64e5120394fa715bb5fe95c42d08b8b3)
---
extensions/libebt_among.c | 6 ++++--
iptables/nft-ipv4.c | 23 ++++++++++++++---------
2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
index 2b9a1b6566684..7eb898f984bba 100644
--- a/extensions/libebt_among.c
+++ b/extensions/libebt_among.c
@@ -66,7 +66,7 @@ parse_nft_among_pair(char *buf, struct nft_among_pair *pair, bool have_ip)
if (sep) {
*sep = '\0';
- if (!inet_aton(sep + 1, &pair->in))
+ if (!inet_pton(AF_INET, sep + 1, &pair->in))
xtables_error(PARAMETER_PROBLEM,
"Invalid IP address '%s'\n", sep + 1);
}
@@ -194,6 +194,7 @@ static void __bramong_print(struct nft_among_pair *pairs,
int cnt, bool inv, bool have_ip)
{
const char *isep = inv ? "! " : "";
+ char abuf[INET_ADDRSTRLEN];
int i;
for (i = 0; i < cnt; i++) {
@@ -202,7 +203,8 @@ static void __bramong_print(struct nft_among_pair *pairs,
printf("%s", ether_ntoa(&pairs[i].ether));
if (pairs[i].in.s_addr != INADDR_ANY)
- printf("=%s", inet_ntoa(pairs[i].in));
+ printf("=%s", inet_ntop(AF_INET, &pairs[i].in,
+ abuf, sizeof(abuf)));
}
printf(" ");
}
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 0d32a30010519..a5b835b1f681d 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -136,7 +136,7 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nftnl_expr *e, bool *inv)
static const char *mask_to_str(uint32_t mask)
{
- static char mask_str[sizeof("255.255.255.255")];
+ static char mask_str[INET_ADDRSTRLEN];
uint32_t bits, hmask = ntohl(mask);
struct in_addr mask_addr = {
.s_addr = mask,
@@ -155,7 +155,7 @@ static const char *mask_to_str(uint32_t mask)
if (i >= 0)
sprintf(mask_str, "%u", i);
else
- sprintf(mask_str, "%s", inet_ntoa(mask_addr));
+ inet_ntop(AF_INET, &mask_addr, mask_str, sizeof(mask_str));
return mask_str;
}
@@ -298,10 +298,13 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
static void save_ipv4_addr(char letter, const struct in_addr *addr,
uint32_t mask, int invert)
{
+ char addrbuf[INET_ADDRSTRLEN];
+
if (!mask && !invert && !addr->s_addr)
return;
- printf("%s-%c %s/%s ", invert ? "! " : "", letter, inet_ntoa(*addr),
+ printf("%s-%c %s/%s ", invert ? "! " : "", letter,
+ inet_ntop(AF_INET, addr, addrbuf, sizeof(addrbuf)),
mask_to_str(mask));
}
@@ -387,25 +390,27 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
const struct in_addr *mask,
bool inv, struct xt_xlate *xl)
{
+ char mbuf[INET_ADDRSTRLEN], abuf[INET_ADDRSTRLEN];
const char *op = inv ? "!= " : "";
int cidr;
if (!inv && !addr->s_addr && !mask->s_addr)
return;
+ inet_ntop(AF_INET, addr, abuf, sizeof(abuf));
+
cidr = xtables_ipmask_to_cidr(mask);
switch (cidr) {
case -1:
- /* inet_ntoa() is not reentrant */
- xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask));
- xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr));
+ xt_xlate_add(xl, "%s & %s %s %s ", selector,
+ inet_ntop(AF_INET, mask, mbuf, sizeof(mbuf)),
+ inv ? "!=" : "==", abuf);
break;
case 32:
- xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr));
+ xt_xlate_add(xl, "%s %s%s ", selector, op, abuf);
break;
default:
- xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr),
- cidr);
+ xt_xlate_add(xl, "%s %s%s/%d ", selector, op, abuf, cidr);
}
}
--
2.40.0

View File

@ -0,0 +1,181 @@
From ab2ec9ca900843d6cb9fa839a9afe0ea968ce263 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 27 Apr 2021 10:02:34 +0200
Subject: [PATCH] nft-arp: Make use of ipv4_addr_to_string()
This eliminates quite a bit of redundant code apart from also dropping
use of obsolete function gethostbyaddr().
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 1e984079817a3c804eae25dea937d63d18c57a6c)
---
iptables/nft-arp.c | 99 ++++------------------------------------------
iptables/xshared.c | 6 +--
iptables/xshared.h | 3 ++
3 files changed, 14 insertions(+), 94 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index c82ffdc95e300..2a9387a18dffe 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -42,78 +42,6 @@ char *arp_opcodes[] =
"ARP_NAK",
};
-static char *
-addr_to_dotted(const struct in_addr *addrp)
-{
- static char buf[20];
- const unsigned char *bytep;
-
- bytep = (const unsigned char *) &(addrp->s_addr);
- sprintf(buf, "%d.%d.%d.%d", bytep[0], bytep[1], bytep[2], bytep[3]);
- return buf;
-}
-
-static char *
-addr_to_host(const struct in_addr *addr)
-{
- struct hostent *host;
-
- if ((host = gethostbyaddr((char *) addr,
- sizeof(struct in_addr), AF_INET)) != NULL)
- return (char *) host->h_name;
-
- return (char *) NULL;
-}
-
-static char *
-addr_to_network(const struct in_addr *addr)
-{
- struct netent *net;
-
- if ((net = getnetbyaddr((long) ntohl(addr->s_addr), AF_INET)) != NULL)
- return (char *) net->n_name;
-
- return (char *) NULL;
-}
-
-static char *
-addr_to_anyname(const struct in_addr *addr)
-{
- char *name;
-
- if ((name = addr_to_host(addr)) != NULL ||
- (name = addr_to_network(addr)) != NULL)
- return name;
-
- return addr_to_dotted(addr);
-}
-
-static char *
-mask_to_dotted(const struct in_addr *mask)
-{
- int i;
- static char buf[22];
- u_int32_t maskaddr, bits;
-
- maskaddr = ntohl(mask->s_addr);
-
- if (maskaddr == 0xFFFFFFFFL)
- /* we don't want to see "/32" */
- return "";
-
- i = 32;
- bits = 0xFFFFFFFEL;
- while (--i >= 0 && maskaddr != bits)
- bits <<= 1;
- if (i >= 0)
- sprintf(buf, "/%d", i);
- else
- /* mask was not a decent combination of 1's and 0's */
- snprintf(buf, sizeof(buf), "/%s", addr_to_dotted(mask));
-
- return buf;
-}
-
static bool need_devaddr(struct arpt_devaddr_info *info)
{
int i;
@@ -403,7 +331,6 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
unsigned int format)
{
const struct arpt_entry *fw = &cs->arp;
- char buf[BUFSIZ];
char iface[IFNAMSIZ+2];
const char *sep = "";
int print_iface = 0;
@@ -450,15 +377,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
}
if (fw->arp.smsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_SRCIP
- ? "! " : "");
- if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
- else
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
- strncat(buf, mask_to_dotted(&(fw->arp.smsk)),
- sizeof(buf) - strlen(buf) - 1);
- printf("-s %s", buf);
+ printf("%s%s-s %s", sep,
+ fw->arp.invflags & IPT_INV_SRCIP ? "! " : "",
+ ipv4_addr_to_string(&fw->arp.src,
+ &fw->arp.smsk, format));
sep = " ";
}
@@ -476,15 +398,10 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
after_devsrc:
if (fw->arp.tmsk.s_addr != 0L) {
- printf("%s%s", sep, fw->arp.invflags & IPT_INV_DSTIP
- ? "! " : "");
- if (format & FMT_NUMERIC)
- sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
- else
- sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
- strncat(buf, mask_to_dotted(&(fw->arp.tmsk)),
- sizeof(buf) - strlen(buf) - 1);
- printf("-d %s", buf);
+ printf("%s%s-d %s", sep,
+ fw->arp.invflags & IPT_INV_DSTIP ? "! " : "",
+ ipv4_addr_to_string(&fw->arp.tgt,
+ &fw->arp.tmsk, format));
sep = " ";
}
diff --git a/iptables/xshared.c b/iptables/xshared.c
index fe37c30a085d6..3bcf24735c8fb 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -545,9 +545,9 @@ void debug_print_argv(struct argv_store *store)
}
#endif
-static const char *ipv4_addr_to_string(const struct in_addr *addr,
- const struct in_addr *mask,
- unsigned int format)
+const char *ipv4_addr_to_string(const struct in_addr *addr,
+ const struct in_addr *mask,
+ unsigned int format)
{
static char buf[BUFSIZ];
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 9159b2b1f3768..1e86aba8b2375 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -206,6 +206,9 @@ void debug_print_argv(struct argv_store *store);
# define debug_print_argv(...) /* nothing */
#endif
+const char *ipv4_addr_to_string(const struct in_addr *addr,
+ const struct in_addr *mask,
+ unsigned int format);
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
--
2.40.0

View File

@ -0,0 +1,177 @@
From b16a9bc7fa224139763686d3ecc1741b891ac6ce Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 29 Apr 2021 15:28:59 +0200
Subject: [PATCH] extensions: SECMARK: Implement revision 1
The changed data structure for communication with kernel allows to
exclude the field 'secid' which is populated on kernel side. Thus
this fixes the formerly always failing extension comparison breaking
rule check and rule delete by content.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
---
extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
extensions/libxt_SECMARK.t | 4 ++
include/linux/netfilter/xt_SECMARK.h | 6 ++
3 files changed, 80 insertions(+), 20 deletions(-)
create mode 100644 extensions/libxt_SECMARK.t
diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
index 6ba8606355daa..24249bd618ffe 100644
--- a/extensions/libxt_SECMARK.c
+++ b/extensions/libxt_SECMARK.c
@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
XTOPT_TABLEEND,
};
+static const struct xt_option_entry SECMARK_opts_v1[] = {
+ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
+ .flags = XTOPT_MAND | XTOPT_PUT,
+ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
+ XTOPT_TABLEEND,
+};
+
static void SECMARK_parse(struct xt_option_call *cb)
{
struct xt_secmark_target_info *info = cb->data;
@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
info->mode = SECMARK_MODE_SEL;
}
-static void print_secmark(const struct xt_secmark_target_info *info)
+static void SECMARK_parse_v1(struct xt_option_call *cb)
+{
+ struct xt_secmark_target_info_v1 *info = cb->data;
+
+ xtables_option_parse(cb);
+ info->mode = SECMARK_MODE_SEL;
+}
+
+static void print_secmark(__u8 mode, const char *secctx)
{
- switch (info->mode) {
+ switch (mode) {
case SECMARK_MODE_SEL:
- printf("selctx %s", info->secctx);
+ printf("selctx %s", secctx);
break;
-
+
default:
- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
+ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
}
}
@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
(struct xt_secmark_target_info*)(target)->data;
printf(" SECMARK ");
- print_secmark(info);
+ print_secmark(info->mode, info->secctx);
+}
+
+static void SECMARK_print_v1(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_secmark_target_info_v1 *info =
+ (struct xt_secmark_target_info_v1 *)(target)->data;
+
+ printf(" SECMARK ");
+ print_secmark(info->mode, info->secctx);
}
static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
(struct xt_secmark_target_info*)target->data;
printf(" --");
- print_secmark(info);
+ print_secmark(info->mode, info->secctx);
}
-static struct xtables_target secmark_target = {
- .family = NFPROTO_UNSPEC,
- .name = "SECMARK",
- .version = XTABLES_VERSION,
- .revision = 0,
- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
- .help = SECMARK_help,
- .print = SECMARK_print,
- .save = SECMARK_save,
- .x6_parse = SECMARK_parse,
- .x6_options = SECMARK_opts,
+static void SECMARK_save_v1(const void *ip,
+ const struct xt_entry_target *target)
+{
+ const struct xt_secmark_target_info_v1 *info =
+ (struct xt_secmark_target_info_v1 *)target->data;
+
+ printf(" --");
+ print_secmark(info->mode, info->secctx);
+}
+
+static struct xtables_target secmark_tg_reg[] = {
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "SECMARK",
+ .version = XTABLES_VERSION,
+ .revision = 0,
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+ .help = SECMARK_help,
+ .print = SECMARK_print,
+ .save = SECMARK_save,
+ .x6_parse = SECMARK_parse,
+ .x6_options = SECMARK_opts,
+ },
+ {
+ .family = NFPROTO_UNSPEC,
+ .name = "SECMARK",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
+ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
+ .help = SECMARK_help,
+ .print = SECMARK_print_v1,
+ .save = SECMARK_save_v1,
+ .x6_parse = SECMARK_parse_v1,
+ .x6_options = SECMARK_opts_v1,
+ }
};
void _init(void)
{
- xtables_register_target(&secmark_target);
+ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
}
diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
new file mode 100644
index 0000000000000..39d4c09348bf4
--- /dev/null
+++ b/extensions/libxt_SECMARK.t
@@ -0,0 +1,4 @@
+:INPUT,FORWARD,OUTPUT
+*security
+-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK;;FAIL
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
index 989092bd6274b..31760a286a854 100644
--- a/include/linux/netfilter/xt_SECMARK.h
+++ b/include/linux/netfilter/xt_SECMARK.h
@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
char secctx[SECMARK_SECCTX_MAX];
};
+struct xt_secmark_target_info_v1 {
+ __u8 mode;
+ char secctx[SECMARK_SECCTX_MAX];
+ __u32 secid;
+};
+
#endif /*_XT_SECMARK_H_target */
--
2.40.0

View File

@ -0,0 +1,156 @@
From adc559b69fc2b8d95a7c3bae96ca12faa0ba5d1d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 17 Nov 2020 00:57:10 +0100
Subject: [PATCH] Use proto_to_name() from xshared in more places
Share the common proto name lookup code. While being at it, make proto
number variable 16bit, values may exceed 256.
This aligns iptables-nft '-p' argument printing with legacy iptables. In
practice, this should make a difference only in corner cases.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 556f704458cdb509d395ddb7d2629987d60e762e)
---
include/xtables.h | 2 +-
iptables/ip6tables.c | 22 +++++-----------------
iptables/iptables.c | 20 +++++---------------
iptables/nft-shared.c | 6 +++---
iptables/xshared.c | 2 +-
iptables/xshared.h | 2 +-
6 files changed, 16 insertions(+), 38 deletions(-)
diff --git a/include/xtables.h b/include/xtables.h
index 5044dd08e86d3..a7b36979398ba 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -395,7 +395,7 @@ struct xtables_rule_match {
*/
struct xtables_pprot {
const char *name;
- uint8_t num;
+ uint16_t num;
};
enum xtables_tryload {
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index c95355b091568..ce01ce8c04af6 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -796,28 +796,16 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
}
}
-/* The ip6tables looks up the /etc/protocols. */
static void print_proto(uint16_t proto, int invert)
{
if (proto) {
- unsigned int i;
+ const char *pname = proto_to_name(proto, 0);
const char *invertstr = invert ? " !" : "";
- const struct protoent *pent = getprotobynumber(proto);
- if (pent) {
- printf("%s -p %s",
- invertstr, pent->p_name);
- return;
- }
-
- for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
- if (xtables_chain_protos[i].num == proto) {
- printf("%s -p %s",
- invertstr, xtables_chain_protos[i].name);
- return;
- }
-
- printf("%s -p %u", invertstr, proto);
+ if (pname)
+ printf("%s -p %s", invertstr, pname);
+ else
+ printf("%s -p %u", invertstr, proto);
}
}
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 7d6183116d265..514238d924780 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -764,23 +764,13 @@ list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
static void print_proto(uint16_t proto, int invert)
{
if (proto) {
- unsigned int i;
+ const char *pname = proto_to_name(proto, 0);
const char *invertstr = invert ? " !" : "";
- const struct protoent *pent = getprotobynumber(proto);
- if (pent) {
- printf("%s -p %s", invertstr, pent->p_name);
- return;
- }
-
- for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
- if (xtables_chain_protos[i].num == proto) {
- printf("%s -p %s",
- invertstr, xtables_chain_protos[i].name);
- return;
- }
-
- printf("%s -p %u", invertstr, proto);
+ if (pname)
+ printf("%s -p %s", invertstr, pname);
+ else
+ printf("%s -p %u", invertstr, proto);
}
}
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index c1664b50f9383..4253b08196d29 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -826,13 +826,13 @@ void save_rule_details(const struct iptables_command_state *cs,
}
if (proto > 0) {
- const struct protoent *pent = getprotobynumber(proto);
+ const char *pname = proto_to_name(proto, 0);
if (invflags & XT_INV_PROTO)
printf("! ");
- if (pent)
- printf("-p %s ", pent->p_name);
+ if (pname)
+ printf("-p %s ", pname);
else
printf("-p %u ", proto);
}
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 3bcf24735c8fb..9a17a8fdf11cd 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -48,7 +48,7 @@ void print_extension_helps(const struct xtables_target *t,
}
const char *
-proto_to_name(uint8_t proto, int nolookup)
+proto_to_name(uint16_t proto, int nolookup)
{
unsigned int i;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 1e86aba8b2375..7c881c56a25da 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -152,7 +152,7 @@ enum {
extern void print_extension_helps(const struct xtables_target *,
const struct xtables_rule_match *);
-extern const char *proto_to_name(uint8_t, int);
+extern const char *proto_to_name(uint16_t, int);
extern int command_default(struct iptables_command_state *,
struct xtables_globals *);
extern struct xtables_match *load_proto(struct iptables_command_state *);
--
2.40.0

View File

@ -1,66 +0,0 @@
From 1695f552d3947299e54978bcd5bc1cdc3a5c14f7 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 15 Apr 2020 18:16:41 +0200
Subject: [PATCH] extensions: libxt_CT: add translation for NOTRACK
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f3d4a3ddbcfca15a00dd9758f481420038f6de10)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_CT.c | 16 ++++++++++++++++
extensions/libxt_NOTRACK.txlate | 2 ++
2 files changed, 18 insertions(+)
create mode 100644 extensions/libxt_NOTRACK.txlate
diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index 371b21766c56c..fbbbe2660e9fc 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -348,6 +348,20 @@ static void notrack_ct2_tg_init(struct xt_entry_target *target)
info->flags = XT_CT_NOTRACK | XT_CT_NOTRACK_ALIAS;
}
+static int xlate_ct1_tg(struct xt_xlate *xl,
+ const struct xt_xlate_tg_params *params)
+{
+ struct xt_ct_target_info_v1 *info =
+ (struct xt_ct_target_info_v1 *)params->target->data;
+
+ if (info->flags & XT_CT_NOTRACK)
+ xt_xlate_add(xl, "notrack");
+ else
+ return 0;
+
+ return 1;
+}
+
static struct xtables_target ct_target_reg[] = {
{
.family = NFPROTO_UNSPEC,
@@ -387,6 +401,7 @@ static struct xtables_target ct_target_reg[] = {
.alias = ct_print_name_alias,
.x6_parse = ct_parse_v1,
.x6_options = ct_opts_v1,
+ .xlate = xlate_ct1_tg,
},
{
.family = NFPROTO_UNSPEC,
@@ -418,6 +433,7 @@ static struct xtables_target ct_target_reg[] = {
.size = XT_ALIGN(sizeof(struct xt_ct_target_info_v1)),
.userspacesize = offsetof(struct xt_ct_target_info_v1, ct),
.init = notrack_ct2_tg_init,
+ .xlate = xlate_ct1_tg,
},
{
.family = NFPROTO_UNSPEC,
diff --git a/extensions/libxt_NOTRACK.txlate b/extensions/libxt_NOTRACK.txlate
new file mode 100644
index 0000000000000..9d35619d3dbdd
--- /dev/null
+++ b/extensions/libxt_NOTRACK.txlate
@@ -0,0 +1,2 @@
+iptables-translate -A PREROUTING -t raw -j NOTRACK
+nft add rule ip raw PREROUTING counter notrack
--
2.28.0

View File

@ -0,0 +1,80 @@
From 867ccfc5a9394b8a0957db9f2828befb7efabd7c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 4 May 2021 16:03:24 +0200
Subject: [PATCH] extensions: sctp: Fix nftables translation
If both sport and dport was present, incorrect nft syntax was generated.
Fixes: defc7bd2bac89 ("extensions: libxt_sctp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit a61282ec6a1697bfb40f19d13a28a74559050167)
---
extensions/libxt_sctp.c | 10 ++++------
extensions/libxt_sctp.txlate | 10 +++++-----
2 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 140de2653b1ef..ee4e99ebf11bf 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -495,15 +495,13 @@ static int sctp_xlate(struct xt_xlate *xl,
if (!einfo->flags)
return 0;
- xt_xlate_add(xl, "sctp ");
-
if (einfo->flags & XT_SCTP_SRC_PORTS) {
if (einfo->spts[0] != einfo->spts[1])
- xt_xlate_add(xl, "sport%s %u-%u",
+ xt_xlate_add(xl, "sctp sport%s %u-%u",
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
einfo->spts[0], einfo->spts[1]);
else
- xt_xlate_add(xl, "sport%s %u",
+ xt_xlate_add(xl, "sctp sport%s %u",
einfo->invflags & XT_SCTP_SRC_PORTS ? " !=" : "",
einfo->spts[0]);
space = " ";
@@ -511,11 +509,11 @@ static int sctp_xlate(struct xt_xlate *xl,
if (einfo->flags & XT_SCTP_DEST_PORTS) {
if (einfo->dpts[0] != einfo->dpts[1])
- xt_xlate_add(xl, "%sdport%s %u-%u", space,
+ xt_xlate_add(xl, "%ssctp dport%s %u-%u", space,
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
einfo->dpts[0], einfo->dpts[1]);
else
- xt_xlate_add(xl, "%sdport%s %u", space,
+ xt_xlate_add(xl, "%ssctp dport%s %u", space,
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
einfo->dpts[0]);
}
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index 72f4641ab021c..0d6c59e183675 100644
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -23,16 +23,16 @@ iptables-translate -A INPUT -p sctp ! --dport 50:56 -j ACCEPT
nft add rule ip filter INPUT sctp dport != 50-56 counter accept
iptables-translate -A INPUT -p sctp --dport 80 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80 counter accept
iptables-translate -A INPUT -p sctp --dport 80:100 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 --sport 50:55 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport 50-55 sctp dport 80 counter accept
iptables-translate -A INPUT -p sctp ! --dport 80:100 --sport 50 -j ACCEPT
-nft add rule ip filter INPUT sctp sport 50 dport != 80-100 counter accept
+nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
-nft add rule ip filter INPUT sctp sport != 50-55 dport 80 counter accept
+nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
--
2.40.0

View File

@ -0,0 +1,159 @@
From 448d1ff5807a52ec34759a6dddd348c5f3e96704 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 4 May 2021 16:26:42 +0200
Subject: [PATCH] extensions: sctp: Translate --chunk-types option
The translation is not fully complete as it is not possible to map 'any'
match type into nft syntax with a single rule. Also, 'only' match type
translation is a bit poor as it explicitly lists all chunk types that
are supposed to be missing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 5818be177110a09120dd8fe4bd2533acbf8da301)
---
extensions/libxt_sctp.c | 91 ++++++++++++++++++++++++++++--------
extensions/libxt_sctp.txlate | 6 +++
2 files changed, 78 insertions(+), 19 deletions(-)
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index ee4e99ebf11bf..5d8ab85cacf42 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -92,28 +92,29 @@ struct sctp_chunk_names {
const char *name;
unsigned int chunk_type;
const char *valid_flags;
+ const char *nftname;
};
/*'ALL' and 'NONE' will be treated specially. */
static const struct sctp_chunk_names sctp_chunk_names[]
-= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE"},
- { .name = "INIT", .chunk_type = 1, .valid_flags = "--------"},
- { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------"},
- { .name = "SACK", .chunk_type = 3, .valid_flags = "--------"},
- { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------"},
- { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------"},
- { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T"},
- { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------"},
- { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------"},
- { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------"},
- { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------"},
- { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------"},
- { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------"},
- { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------"},
- { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T"},
- { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------"},
- { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------"},
- { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------"},
+= { { .name = "DATA", .chunk_type = 0, .valid_flags = "----IUBE", .nftname = "data" },
+ { .name = "INIT", .chunk_type = 1, .valid_flags = "--------", .nftname = "init" },
+ { .name = "INIT_ACK", .chunk_type = 2, .valid_flags = "--------", .nftname = "init-ack" },
+ { .name = "SACK", .chunk_type = 3, .valid_flags = "--------", .nftname = "sack" },
+ { .name = "HEARTBEAT", .chunk_type = 4, .valid_flags = "--------", .nftname = "heartbeat" },
+ { .name = "HEARTBEAT_ACK", .chunk_type = 5, .valid_flags = "--------", .nftname = "heartbeat-ack" },
+ { .name = "ABORT", .chunk_type = 6, .valid_flags = "-------T", .nftname = "abort" },
+ { .name = "SHUTDOWN", .chunk_type = 7, .valid_flags = "--------", .nftname = "shutdown" },
+ { .name = "SHUTDOWN_ACK", .chunk_type = 8, .valid_flags = "--------", .nftname = "shutdown-ack" },
+ { .name = "ERROR", .chunk_type = 9, .valid_flags = "--------", .nftname = "error" },
+ { .name = "COOKIE_ECHO", .chunk_type = 10, .valid_flags = "--------", .nftname = "cookie-echo" },
+ { .name = "COOKIE_ACK", .chunk_type = 11, .valid_flags = "--------", .nftname = "cookie-ack" },
+ { .name = "ECN_ECNE", .chunk_type = 12, .valid_flags = "--------", .nftname = "ecne" },
+ { .name = "ECN_CWR", .chunk_type = 13, .valid_flags = "--------", .nftname = "cwr" },
+ { .name = "SHUTDOWN_COMPLETE", .chunk_type = 14, .valid_flags = "-------T", .nftname = "shutdown-complete" },
+ { .name = "ASCONF", .chunk_type = 193, .valid_flags = "--------", .nftname = "asconf" },
+ { .name = "ASCONF_ACK", .chunk_type = 128, .valid_flags = "--------", .nftname = "asconf-ack" },
+ { .name = "FORWARD_TSN", .chunk_type = 192, .valid_flags = "--------", .nftname = "forward-tsn" },
};
static void
@@ -485,12 +486,52 @@ static void sctp_save(const void *ip, const struct xt_entry_match *match)
}
}
+static const char *sctp_xlate_chunk(struct xt_xlate *xl, const char *space,
+ const struct xt_sctp_info *einfo,
+ const struct sctp_chunk_names *scn)
+{
+ bool inv = einfo->invflags & XT_SCTP_CHUNK_TYPES;
+ const struct xt_sctp_flag_info *flag_info = NULL;
+ int i;
+
+ if (!scn->nftname)
+ return space;
+
+ if (!SCTP_CHUNKMAP_IS_SET(einfo->chunkmap, scn->chunk_type)) {
+ if (einfo->chunk_match_type != SCTP_CHUNK_MATCH_ONLY)
+ return space;
+
+ xt_xlate_add(xl, "%ssctp chunk %s %s", space,
+ scn->nftname, inv ? "exists" : "missing");
+ return " ";
+ }
+
+ for (i = 0; i < einfo->flag_count; i++) {
+ if (einfo->flag_info[i].chunktype == scn->chunk_type) {
+ flag_info = &einfo->flag_info[i];
+ break;
+ }
+ }
+
+ if (!flag_info) {
+ xt_xlate_add(xl, "%ssctp chunk %s %s", space,
+ scn->nftname, inv ? "missing" : "exists");
+ return " ";
+ }
+
+ xt_xlate_add(xl, "%ssctp chunk %s flags & 0x%x %s 0x%x", space,
+ scn->nftname, flag_info->flag_mask,
+ inv ? "!=" : "==", flag_info->flag);
+
+ return " ";
+}
+
static int sctp_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_sctp_info *einfo =
(const struct xt_sctp_info *)params->match->data;
- char *space = "";
+ const char *space = "";
if (!einfo->flags)
return 0;
@@ -516,6 +557,18 @@ static int sctp_xlate(struct xt_xlate *xl,
xt_xlate_add(xl, "%ssctp dport%s %u", space,
einfo->invflags & XT_SCTP_DEST_PORTS ? " !=" : "",
einfo->dpts[0]);
+ space = " ";
+ }
+
+ if (einfo->flags & XT_SCTP_CHUNK_TYPES) {
+ int i;
+
+ if (einfo->chunk_match_type == SCTP_CHUNK_MATCH_ANY)
+ return 0;
+
+ for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); i++)
+ space = sctp_xlate_chunk(xl, space, einfo,
+ &sctp_chunk_names[i]);
}
return 1;
diff --git a/extensions/libxt_sctp.txlate b/extensions/libxt_sctp.txlate
index 0d6c59e183675..bb817525db8d8 100644
--- a/extensions/libxt_sctp.txlate
+++ b/extensions/libxt_sctp.txlate
@@ -36,3 +36,9 @@ nft add rule ip filter INPUT sctp sport 50 sctp dport != 80-100 counter accept
iptables-translate -A INPUT -p sctp --dport 80 ! --sport 50:55 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 50-55 sctp dport 80 counter accept
+
+iptables-translate -A INPUT -p sctp --chunk-types all INIT,DATA:iUbE,SACK,ABORT:T -j ACCEPT
+nft add rule ip filter INPUT sctp chunk data flags & 0xf == 0x5 sctp chunk init exists sctp chunk sack exists sctp chunk abort flags & 0x1 == 0x1 counter accept
+
+iptables-translate -A INPUT -p sctp --chunk-types only SHUTDOWN_COMPLETE -j ACCEPT
+nft add rule ip filter INPUT sctp chunk data missing sctp chunk init missing sctp chunk init-ack missing sctp chunk sack missing sctp chunk heartbeat missing sctp chunk heartbeat-ack missing sctp chunk abort missing sctp chunk shutdown missing sctp chunk shutdown-ack missing sctp chunk error missing sctp chunk cookie-echo missing sctp chunk cookie-ack missing sctp chunk ecne missing sctp chunk cwr missing sctp chunk shutdown-complete exists sctp chunk asconf missing sctp chunk asconf-ack missing sctp chunk forward-tsn missing counter accept
--
2.40.0

View File

@ -0,0 +1,33 @@
From e9dd197e783556dcb514ec624c4f6efeb782e7c7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Nov 2020 21:04:39 +0100
Subject: [PATCH] libxtables: Drop leftover variable in
xtables_numeric_to_ip6addr()
Variable 'err' was only used in removed debug code, so drop it as well.
Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
---
libxtables/xtables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 7152c6576cd63..7f40b6f1b327b 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
{
static struct in6_addr ap;
- int err;
- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
+ if (inet_pton(AF_INET6, num, &ap) == 1)
return &ap;
return NULL;
--
2.40.0

View File

@ -0,0 +1,49 @@
From 89bd91cfdf6f81971324dca1b0df7c6c5537a2ab Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Nov 2020 21:13:50 +0100
Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
They are being assigned to but never read.
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
---
extensions/libebt_ip6.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index b8a5a5d8c3a92..301bed9aadefd 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
static struct in6_addr *numeric_to_addr(const char *num)
{
static struct in6_addr ap;
- int err;
- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
+ if (inet_pton(AF_INET6, num, &ap) == 1)
return &ap;
return (struct in6_addr *)NULL;
}
@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
char buf[256];
char *p;
int i;
- int err;
strncpy(buf, address, sizeof(buf) - 1);
/* first the mask */
@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
strcpy(buf, "::");
- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
+ if (inet_pton(AF_INET6, buf, addr) < 1) {
xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
return;
}
--
2.40.0

View File

@ -0,0 +1,29 @@
From e672c567d978bf99652a8c3681e105d5a212552f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:04:30 +0200
Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
The allocated hostmask duplicate needs to be freed again.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
---
libxtables/xtoptions.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index d329f2ff7979e..0dcdf607f4678 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
cb->arg = p;
xtopt_parse_plenmask(cb);
cb->arg = orig_arg;
+ free(work);
}
static void xtopt_parse_ethermac(struct xt_option_call *cb)
--
2.40.0

View File

@ -0,0 +1,34 @@
From bee29f2820cafde1e04ebef049bc4c40c4dbbe18 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:55:20 +0200
Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
If rule allocation fails, free the allocated 'cmd' before returning to
caller.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
---
iptables/nft-cmd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index ed53c061edc6f..fd038503d87e1 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
if (state) {
rule = nft_rule_new(h, chain, table, state);
- if (!rule)
+ if (!rule) {
+ nft_cmd_free(cmd);
return NULL;
+ }
cmd->obj.rule = rule;
--
2.40.0

View File

@ -0,0 +1,29 @@
From 2f80e6d896590f42c932de32ae8c3d597cbf940b Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 12:50:57 +0200
Subject: [PATCH] iptables-apply: Drop unused variable
It was assigned to but never read.
Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
---
iptables/iptables-apply | 1 -
1 file changed, 1 deletion(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 4683b1b402d08..3a7df5e3cbc1f 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -231,7 +231,6 @@ case "$MODE" in
"$RUNCMD" &
CMD_PID=$!
( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
- CMDTIMEOUT_PID=$!
if ! wait "$CMD_PID"; then
echo "failed."
echo "Error: unknown error running command: $RUNCMD" >&2
--
2.40.0

View File

@ -0,0 +1,130 @@
From 9a617399d5e0776b43f093b9d63d10f72e882fee Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 28 Jul 2021 17:53:53 +0200
Subject: [PATCH] doc: ebtables-nft.8: Adjust for missing atomic-options
Drop any reference to them (and the environment variable) but list them
in BUGS section hinting at ebtables-save and -restore tools.
Fixes: 1939cbc25e6f5 ("doc: Adjust ebtables man page")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 765bf04ecc228783cb88c810c85bc0c769579c39)
---
iptables/ebtables-nft.8 | 64 ++++++-----------------------------------
1 file changed, 8 insertions(+), 56 deletions(-)
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 1fa5ad9388cc0..08e9766f2cc74 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -44,12 +44,6 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
.br
.BR "ebtables " [ -t " table ] " --init-table
.br
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
-.br
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
-.br
-.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
-.br
.SH DESCRIPTION
.B ebtables
@@ -149,11 +143,9 @@ a table, the commands apply to the default filter table.
Only one command may be used on the command line at a time, except when
the commands
.BR -L " and " -Z
-are combined, the commands
+are combined or the commands
.BR -N " and " -P
-are combined, or when
-.B --atomic-file
-is used.
+are combined.
.TP
.B "-A, --append"
Append a rule to the end of the selected chain.
@@ -313,39 +305,6 @@ of the ebtables kernel table.
.TP
.B "--init-table"
Replace the current table data by the initial table data.
-.TP
-.B "--atomic-init"
-Copy the kernel's initial data of the table to the specified
-file. This can be used as the first action, after which rules are added
-to the file. The file can be specified using the
-.B --atomic-file
-command or through the
-.IR EBTABLES_ATOMIC_FILE " environment variable."
-.TP
-.B "--atomic-save"
-Copy the kernel's current data of the table to the specified
-file. This can be used as the first action, after which rules are added
-to the file. The file can be specified using the
-.B --atomic-file
-command or through the
-.IR EBTABLES_ATOMIC_FILE " environment variable."
-.TP
-.B "--atomic-commit"
-Replace the kernel table data with the data contained in the specified
-file. This is a useful command that allows you to load all your rules of a
-certain table into the kernel at once, saving the kernel a lot of precious
-time and allowing atomic updates of the tables. The file which contains
-the table data is constructed by using either the
-.B "--atomic-init"
-or the
-.B "--atomic-save"
-command to generate a starting file. After that, using the
-.B "--atomic-file"
-command when constructing rules or setting the
-.IR EBTABLES_ATOMIC_FILE " environment variable"
-allows you to extend the file and build the complete table before
-committing it to the kernel. This command can be very useful in boot scripts
-to populate the ebtables tables in a fast way.
.SS MISCELLANOUS COMMANDS
.TP
.B "-V, --version"
@@ -371,16 +330,6 @@ a target extension (see
.BR "TARGET EXTENSIONS" ")"
or a user-defined chain name.
.TP
-.B --atomic-file "\fIfile\fP"
-Let the command operate on the specified
-.IR file .
-The data of the table to
-operate on will be extracted from the file and the result of the operation
-will be saved back into the file. If specified, this option should come
-before the command specification. An alternative that should be preferred,
-is setting the
-.IR EBTABLES_ATOMIC_FILE " environment variable."
-.TP
.B -M, --modprobe "\fIprogram\fP"
When talking to the kernel, use this
.I program
@@ -1100,8 +1049,6 @@ arp message and the hardware address length in the arp header is 6 bytes.
.br
.SH FILES
.I /etc/ethertypes
-.SH ENVIRONMENT VARIABLES
-.I EBTABLES_ATOMIC_FILE
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
.SH BUGS
@@ -1109,7 +1056,12 @@ The version of ebtables this man page ships with does not support the
.B broute
table. Also there is no support for
.B string
-match. And finally, this list is probably not complete.
+match. Further, support for atomic-options
+.RB ( --atomic-file ", " --atomic-init ", " --atomic-save ", " --atomic-commit )
+has not been implemented, although
+.BR ebtables-save " and " ebtables-restore
+might replace them entirely given the inherent atomicity of nftables.
+Finally, this list is probably not complete.
.SH SEE ALSO
.BR xtables-nft "(8), " iptables "(8), " ip (8)
.PP
--
2.40.0

View File

@ -0,0 +1,102 @@
From ec0a69df9ac073b1a6e951c08c049fec47a12b5c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 30 Jul 2021 12:25:10 +0200
Subject: [PATCH] ebtables: Dump atomic waste
With ebtables-nft.8 now educating people about the missing
functionality, get rid of atomic remains in source code. This eliminates
mostly comments except for --atomic-commit which was treated as alias of
--init-table. People not using the latter are probably trying to
atomic-commit from an atomic-file which in turn is not supported, so no
point keeping it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 263186372dc4ae6a54a29bea644bcf1fc8dc3fc0)
---
iptables/xtables-eb.c | 53 -------------------------------------------
1 file changed, 53 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 6df5839f07436..d07adad2d73c3 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -262,10 +262,6 @@ struct option ebt_original_options[] =
{ "new-chain" , required_argument, 0, 'N' },
{ "rename-chain" , required_argument, 0, 'E' },
{ "delete-chain" , optional_argument, 0, 'X' },
- { "atomic-init" , no_argument , 0, 7 },
- { "atomic-commit" , no_argument , 0, 8 },
- { "atomic-file" , required_argument, 0, 9 },
- { "atomic-save" , no_argument , 0, 10 },
{ "init-table" , no_argument , 0, 11 },
{ "concurrent" , no_argument , 0, 13 },
{ 0 }
@@ -371,10 +367,6 @@ static void print_help(const struct xtables_target *t,
"--new-chain -N chain : create a user defined chain\n"
"--rename-chain -E old new : rename a chain\n"
"--delete-chain -X [chain] : delete a user defined chain\n"
-"--atomic-commit : update the kernel w/t table contained in <FILE>\n"
-"--atomic-init : put the initial kernel table into <FILE>\n"
-"--atomic-save : put the current kernel table into <FILE>\n"
-"--atomic-file file : set <FILE> to file\n\n"
"Options:\n"
"--proto -p [!] proto : protocol hexadecimal, by name or LENGTH\n"
"--src -s [!] address[/mask]: source mac address\n"
@@ -1135,54 +1127,9 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
"Use --Lmac2 with -L");
flags |= LIST_MAC2;
break;
- case 8 : /* atomic-commit */
-/*
- replace->command = c;
- if (OPT_COMMANDS)
- ebt_print_error2("Multiple commands are not allowed");
- replace->flags |= OPT_COMMAND;
- if (!replace->filename)
- ebt_print_error2("No atomic file specified");*/
- /* Get the information from the file */
- /*ebt_get_table(replace, 0);*/
- /* We don't want the kernel giving us its counters,
- * they would overwrite the counters extracted from
- * the file */
- /*replace->num_counters = 0;*/
- /* Make sure the table will be written to the kernel */
- /*free(replace->filename);
- replace->filename = NULL;
- break;*/
- /*case 7 :*/ /* atomic-init */
- /*case 10:*/ /* atomic-save */
case 11: /* init-table */
nft_cmd_table_flush(h, *table);
return 1;
- /*
- replace->command = c;
- if (OPT_COMMANDS)
- ebt_print_error2("Multiple commands are not allowed");
- if (c != 11 && !replace->filename)
- ebt_print_error2("No atomic file specified");
- replace->flags |= OPT_COMMAND;
- {
- char *tmp = replace->filename;*/
-
- /* Get the kernel table */
- /*replace->filename = NULL;
- ebt_get_kernel_table(replace, c == 10 ? 0 : 1);
- replace->filename = tmp;
- }
- break;
- case 9 :*/ /* atomic */
- /*
- if (OPT_COMMANDS)
- ebt_print_error2("--atomic has to come before the command");*/
- /* A possible memory leak here, but this is not
- * executed in daemon mode */
- /*replace->filename = (char *)malloc(strlen(optarg) + 1);
- strcpy(replace->filename, optarg);
- break; */
case 13 :
break;
case 1 :
--
2.40.0

View File

@ -0,0 +1,31 @@
From 59c41217b2acc9409ba50a76a40aaa994c83f454 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 3 Aug 2021 10:55:20 +0200
Subject: [PATCH] nft: Fix for non-verbose check command
Check command was unconditionally verbose since v1.8.5. Make it respect
--verbose option again.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0)
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 7f87d46dcc44c..f8534c6cd56fb 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3160,7 +3160,7 @@ static int nft_prepare(struct nft_handle *h)
case NFT_COMPAT_RULE_CHECK:
assert_chain_exists(h, cmd->table, cmd->jumpto);
ret = nft_rule_check(h, cmd->chain, cmd->table,
- cmd->obj.rule, cmd->rulenum);
+ cmd->obj.rule, cmd->verbose);
break;
case NFT_COMPAT_RULE_ZERO:
ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
--
2.40.0

View File

@ -0,0 +1,41 @@
From 07cfafd077bbd247bf75c0a3399569af58a63915 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 9 Aug 2021 18:48:58 +0200
Subject: [PATCH] extensions: hashlimit: Fix tests with HZ=100
With the kernel ticking at 100Hz, a limit of 1/day with burst 5 does not
overflow in kernel, making the test unstable depending on kernel config.
Change it to not overflow with 1000Hz either by increasing the burst
value by a factor of 100.
Fixes: fcf9f6f25db11 ("extensions: libxt_hashlimit: add unit test")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit bef9dc575625a98a5e6ed8ca37e49031cdba5937)
---
extensions/libxt_hashlimit.t | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
index ccd0d1e6a2a1a..8369933786f68 100644
--- a/extensions/libxt_hashlimit.t
+++ b/extensions/libxt_hashlimit.t
@@ -3,14 +3,12 @@
-m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
--m hashlimit --hashlimit-above 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
+-m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-# kernel says "xt_hashlimit: overflow, try lower: 864000000/5"
--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 5 --hashlimit-name mini1;;FAIL
+-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
--
2.40.0

View File

@ -0,0 +1,31 @@
From 71f9eda379a3d70b5b2cd9327e41ba5446c618e1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 31 Aug 2021 12:26:20 +0200
Subject: [PATCH] nft: Use xtables_malloc() in mnl_err_list_node_add()
The function called malloc() without checking for memory allocation
failure. Simply replace the call by xtables_malloc() to fix that.
Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ca11c7b7036b5821c17b8d08dc2a29f55b461a93)
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index f8534c6cd56fb..ba59cfb8c47af 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -143,7 +143,7 @@ struct mnl_err {
static void mnl_err_list_node_add(struct list_head *err_list, int error,
int seqnum)
{
- struct mnl_err *err = malloc(sizeof(struct mnl_err));
+ struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));
err->seqnum = seqnum;
err->err = error;
--
2.40.0

View File

@ -0,0 +1,47 @@
From c51304d536c3f91b58dc24b14131de157d741a9f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 8 Nov 2021 17:03:21 +0100
Subject: [PATCH] extensions: hashlimit: Fix tests with HZ=1000
In an attempt to fix for failing hashlimit tests with HZ=100, the
expected failures were changed so they are expected to pass and the
parameters changed to seemingly fix them. Yet while the new parameters
worked on HZ=100 systems, with higher tick rates they didn't so the
observed problem moved from the test failing on HZ=100 to failing on
HZ=1000 instead.
Kernel's error message "try lower: 864000000/5" turned out to be a red
herring: The burst value does not act as a dividor but a multiplier
instead, so in order to lower the overflow-checked value, a lower burst
value must be chosen. Inded, using a burst value of 1 makes the kernel
accept the rule in both HZ=100 and HZ=1000 configurations.
Fixes: bef9dc575625a ("extensions: hashlimit: Fix tests with HZ=100")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 1eab8e83aec0e6965f11f8cad460add1caeae629)
---
extensions/libxt_hashlimit.t | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_hashlimit.t b/extensions/libxt_hashlimit.t
index 8369933786f68..206d92935f2e2 100644
--- a/extensions/libxt_hashlimit.t
+++ b/extensions/libxt_hashlimit.t
@@ -3,12 +3,12 @@
-m hashlimit --hashlimit-above 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-above 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-above 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1000000/sec --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/min --hashlimit-burst 5 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 5 --hashlimit-name mini1;=;OK
--m hashlimit --hashlimit-upto 1/day --hashlimit-burst 500 --hashlimit-name mini1;=;OK
+-m hashlimit --hashlimit-upto 1/day --hashlimit-burst 1 --hashlimit-name mini1;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
-m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name mini1 --hashlimit-htable-expire 2000;=;OK
--
2.40.0

View File

@ -0,0 +1,164 @@
From 655e919be08b6ca9b5529f16c659ee93572b867d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 5 Apr 2019 13:21:19 +0200
Subject: [PATCH] xshared: Merge and share parse_chain()
Have a common routine to perform chain name checks, combining all
variants' requirements.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 1189d830ea4fd269da87761d400ebabca02e1ef3)
Conflicts:
iptables/ip6tables.c
iptables/xshared.c
-> Context change due to missing commit 9dc50b5b8e441
("xshared: Merge invflags handling code").
---
iptables/ip6tables.c | 26 --------------------------
iptables/iptables.c | 25 -------------------------
iptables/xshared.c | 24 ++++++++++++++++++++++++
iptables/xshared.h | 1 +
iptables/xtables.c | 9 +--------
5 files changed, 26 insertions(+), 59 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index ce01ce8c04af6..6db91c807bcea 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -248,32 +248,6 @@ static int is_exthdr(uint16_t proto)
proto == IPPROTO_DSTOPTS);
}
-static void
-parse_chain(const char *chainname)
-{
- const char *ptr;
-
- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %u chars)",
- chainname, XT_EXTENSION_MAXNAMELEN);
-
- if (*chainname == '-' || *chainname == '!')
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *chainname);
-
- if (xtables_find_target(chainname, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
-
- for (ptr = chainname; *ptr; ptr++)
- if (isspace(*ptr))
- xtables_error(PARAMETER_PROBLEM,
- "Invalid chain name `%s'", chainname);
-}
-
static void
set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
int invert)
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 514238d924780..a33416a887ed4 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -239,31 +239,6 @@ iptables_exit_error(enum xtables_exittype status, const char *msg, ...)
/* Christophe Burki wants `-p 6' to imply `-m tcp'. */
-static void
-parse_chain(const char *chainname)
-{
- const char *ptr;
-
- if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "chain name `%s' too long (must be under %u chars)",
- chainname, XT_EXTENSION_MAXNAMELEN);
-
- if (*chainname == '-' || *chainname == '!')
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *chainname);
-
- if (xtables_find_target(chainname, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
-
- for (ptr = chainname; *ptr; ptr++)
- if (isspace(*ptr))
- xtables_error(PARAMETER_PROBLEM,
- "Invalid chain name `%s'", chainname);
-}
static void
set_option(unsigned int *options, unsigned int option, uint8_t *invflg,
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 9a17a8fdf11cd..5ae158908b109 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -848,3 +848,27 @@ char opt2char(int option)
return *ptr;
}
+
+void parse_chain(const char *chainname)
+{
+ const char *ptr;
+
+ if (strlen(chainname) >= XT_EXTENSION_MAXNAMELEN)
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name `%s' too long (must be under %u chars)",
+ chainname, XT_EXTENSION_MAXNAMELEN);
+
+ if (*chainname == '-' || *chainname == '!')
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name not allowed to start with `%c'\n",
+ *chainname);
+
+ if (xtables_find_target(chainname, XTF_TRY_LOAD))
+ xtables_error(PARAMETER_PROBLEM,
+ "chain name may not clash with target name\n");
+
+ for (ptr = chainname; *ptr; ptr++)
+ if (isspace(*ptr))
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid chain name `%s'", chainname);
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 7c881c56a25da..10f6e0b5a0e98 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -223,6 +223,7 @@ char cmd2char(int option);
void add_command(unsigned int *cmd, const int newcmd,
const int othercmds, int invert);
int parse_rulenumber(const char *rule);
+void parse_chain(const char *chainname);
void generic_opt_check(int command, int options);
char opt2char(int option);
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 9779bd83d53b3..54f887f80497e 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -587,14 +587,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break;
case 'N':
- if (optarg && (*optarg == '-' || *optarg == '!'))
- xtables_error(PARAMETER_PROBLEM,
- "chain name not allowed to start "
- "with `%c'\n", *optarg);
- if (xtables_find_target(optarg, XTF_TRY_LOAD))
- xtables_error(PARAMETER_PROBLEM,
- "chain name may not clash "
- "with target name\n");
+ parse_chain(optarg);
add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
cs->invert);
p->chain = optarg;
--
2.40.0

View File

@ -0,0 +1,58 @@
From e004e9e1d0e7ef4d9756d9f01feef8efef02300b Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sat, 6 Nov 2021 01:09:37 +0100
Subject: [PATCH] nft-shared: Drop unused function print_proto()
The last users vanished back in 2013. There is identical code in
save_rule_details(), but with only a single user there's not much point
in keeping the function.
Fixes: cdc78b1d6bd7b ("nft: convert rule into a command state structure")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit cf14b92bc1a3f5040437234dffe5cf6aa59711a5)
---
iptables/nft-shared.c | 15 ---------------
iptables/nft-shared.h | 1 -
2 files changed, 16 deletions(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 4253b08196d29..f270f610a8f67 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -373,21 +373,6 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
ctx->h->ops->parse_match(match, ctx->cs);
}
-void print_proto(uint16_t proto, int invert)
-{
- const struct protoent *pent = getprotobynumber(proto);
-
- if (invert)
- printf("! ");
-
- if (pent) {
- printf("-p %s ", pent->p_name);
- return;
- }
-
- printf("-p %u ", proto);
-}
-
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv)
{
uint32_t len;
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 6fc81d9ce08ef..519118a2daf6c 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -139,7 +139,6 @@ bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
unsigned char *iniface_mask, char *outiface,
unsigned char *outiface_mask, uint8_t *invflags);
-void print_proto(uint16_t proto, int invert);
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
void nft_rule_to_iptables_command_state(struct nft_handle *h,
const struct nftnl_rule *r,
--
2.40.0

View File

@ -0,0 +1,48 @@
From 9b1dc489369e19ffd78a69de31f4ac653070eaf8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sat, 6 Nov 2021 01:32:47 +0100
Subject: [PATCH] xshared: Make load_proto() static
The last outside users vanished ten years ago.
Fixes: 449cdd6bcc8d1 ("src: combine default_command functions")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 7213561d9d7a17c4db29c867b2607241941dae5a)
Conflicts:
iptables/xshared.h
-> Context change due to missing commit 3664249f52030
("xshared: Eliminate iptables_command_state->invert").
---
iptables/xshared.c | 2 +-
iptables/xshared.h | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 5ae158908b109..26e938309eab3 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -106,7 +106,7 @@ static bool should_load_proto(struct iptables_command_state *cs)
return !cs->proto_used;
}
-struct xtables_match *load_proto(struct iptables_command_state *cs)
+static struct xtables_match *load_proto(struct iptables_command_state *cs)
{
if (!should_load_proto(cs))
return NULL;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 10f6e0b5a0e98..d80c8beee1894 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -155,7 +155,6 @@ extern void print_extension_helps(const struct xtables_target *,
extern const char *proto_to_name(uint16_t, int);
extern int command_default(struct iptables_command_state *,
struct xtables_globals *);
-extern struct xtables_match *load_proto(struct iptables_command_state *);
extern int subcmd_main(int, char **, const struct subcommand *);
extern void xs_init_target(struct xtables_target *);
extern void xs_init_match(struct xtables_match *);
--
2.40.0

View File

@ -0,0 +1,40 @@
From 4572ecb1f222ec63f0d5669d0924d2cf1e879290 Mon Sep 17 00:00:00 2001
From: Jeremy Sowden <jeremy@azazel.net>
Date: Fri, 1 Oct 2021 18:41:39 +0100
Subject: [PATCH] extensions: libxt_NFLOG: fix `--nflog-prefix` Python
test-cases
The `iptables-save` includes an extra space between `--nflog-prefix` and
the prefix.
The maximum length of prefixes includes the trailing NUL character.
NFLOG silently truncates prefixes which exceed the maximum length.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f0d02998883d2efcb316cd6f524e2f7b3c4d055b)
---
extensions/libxt_NFLOG.t | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_NFLOG.t b/extensions/libxt_NFLOG.t
index 933fa22160e59..69b0255a891b1 100644
--- a/extensions/libxt_NFLOG.t
+++ b/extensions/libxt_NFLOG.t
@@ -12,10 +12,8 @@
-j NFLOG --nflog-size 4294967295;=;OK
-j NFLOG --nflog-size 4294967296;;FAIL
-j NFLOG --nflog-size -1;;FAIL
-# ERROR: cannot find: iptables -I INPUT -j NFLOG --nflog-prefix xxxxxx [...]
-# -j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
-# ERROR: should fail: iptables -A INPUT -j NFLOG --nflog-prefix xxxxxxx [...]
-# -j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;;FAIL
+-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
+-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;OK
-j NFLOG --nflog-threshold 1;=;OK
# ERROR: line 13 (should fail: iptables -A INPUT -j NFLOG --nflog-threshold 0
# -j NFLOG --nflog-threshold 0;;FAIL
--
2.40.0

View File

@ -0,0 +1,53 @@
From c83d8cec2a2c70776ca569699983f0cf3e11fb99 Mon Sep 17 00:00:00 2001
From: Jeremy Sowden <jeremy@azazel.net>
Date: Fri, 1 Oct 2021 18:41:40 +0100
Subject: [PATCH] extensions: libxt_NFLOG: remove extra space when saving
targets with prefixes
When printing out NFLOG targets an extra space was inserted between
`--nflog-prefix` and the prefix itself:
$ sudo /usr/sbin/iptables -A INPUT -j NFLOG --nflog-prefix test
$ sudo /usr/sbin/iptables-save | grep NFLOG
-A INPUT -j NFLOG --nflog-prefix test
^^
Fixes: 73866357e4a7 ("iptables: do not print trailing whitespaces")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 05286bab77a6e0f9502e8fb99e1c53ed15663f3f)
---
extensions/libxt_NFLOG.c | 2 +-
extensions/libxt_NFLOG.t | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index 02a1b4aa35a3b..80c0263510f1e 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -78,7 +78,7 @@ static void NFLOG_check(struct xt_fcheck_call *cb)
static void nflog_print(const struct xt_nflog_info *info, char *prefix)
{
if (info->prefix[0] != '\0') {
- printf(" %snflog-prefix ", prefix);
+ printf(" %snflog-prefix", prefix);
xtables_save_string(info->prefix);
}
if (info->group)
diff --git a/extensions/libxt_NFLOG.t b/extensions/libxt_NFLOG.t
index 69b0255a891b1..bc529b19fc3ff 100644
--- a/extensions/libxt_NFLOG.t
+++ b/extensions/libxt_NFLOG.t
@@ -12,8 +12,8 @@
-j NFLOG --nflog-size 4294967295;=;OK
-j NFLOG --nflog-size 4294967296;;FAIL
-j NFLOG --nflog-size -1;;FAIL
--j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
--j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;OK
+-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;=;OK
+-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;-j NFLOG --nflog-prefix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;OK
-j NFLOG --nflog-threshold 1;=;OK
# ERROR: line 13 (should fail: iptables -A INPUT -j NFLOG --nflog-threshold 0
# -j NFLOG --nflog-threshold 0;;FAIL
--
2.40.0

View File

@ -0,0 +1,135 @@
From 84d19c668db246556fac766cff8652ea6f3a4076 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 18 Jan 2022 22:39:08 +0100
Subject: [PATCH] xshared: Fix response to unprivileged users
Expected behaviour in both variants is:
* Print help without error, append extension help if -m and/or -j
options are present
* Indicate lack of permissions in an error message for anything else
With iptables-nft, this was broken basically from day 1. Shared use of
do_parse() then somewhat broke legacy: it started complaining about
inability to create a lock file.
Fix this by making iptables-nft assume extension revision 0 is present
if permissions don't allow to verify. This is consistent with legacy.
Second part is to exit directly after printing help - this avoids having
to make the following code "nop-aware" to prevent privileged actions.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 26ecdf53960658771c0fc582f72a4025e2887f75)
Conflicts:
iptables/xshared.c
-> Adjusted to missing commit 62c3c93d4b0f5
("xshared: Move do_parse to shared space").
---
iptables/nft.c | 5 ++
.../testcases/iptables/0008-unprivileged_0 | 60 +++++++++++++++++++
iptables/xtables.c | 3 +-
3 files changed, 66 insertions(+), 2 deletions(-)
create mode 100755 iptables/tests/shell/testcases/iptables/0008-unprivileged_0
diff --git a/iptables/nft.c b/iptables/nft.c
index ba59cfb8c47af..da9d24f5c86e2 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3294,6 +3294,11 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
err:
mnl_socket_close(nl);
+ /* pretend revision 0 is valid if not permitted to check -
+ * this is required for printing extension help texts as user */
+ if (ret < 0 && errno == EPERM && rev == 0)
+ return 1;
+
return ret < 0 ? 0 : 1;
}
diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
new file mode 100755
index 0000000000000..43e3bc8721dbd
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# iptables may print match/target specific help texts
+# help output should work for unprivileged users
+
+run() {
+ echo "running: $*" >&2
+ runuser -u nobody -- "$@"
+}
+
+grep_or_rc() {
+ declare -g rc
+ grep -q "$*" && return 0
+ echo "missing in output: $*" >&2
+ return 1
+}
+
+out=$(run $XT_MULTI iptables --help)
+let "rc+=$?"
+grep_or_rc "iptables -h (print this help information)" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -m limit --help)
+let "rc+=$?"
+grep_or_rc "limit match options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -p tcp --help)
+let "rc+=$?"
+grep_or_rc "tcp match options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "DNAT target options:" <<< "$out"
+let "rc+=$?"
+
+out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "tcp match options:" <<< "$out"
+let "rc+=$?"
+out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
+let "rc+=$?"
+grep_or_rc "DNAT target options:" <<< "$out"
+let "rc+=$?"
+
+
+run $XT_MULTI iptables -L 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+run $XT_MULTI iptables -A FORWARD -p tcp --dport 123 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+run $XT_MULTI iptables -A FORWARD -j DNAT --to-destination 1.2.3.4 2>&1 | \
+ grep_or_rc "Permission denied"
+let "rc+=$?"
+
+exit $rc
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 54f887f80497e..7ef1702a0cd50 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -637,8 +637,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
XTF_TRY_LOAD, &cs->matches);
printhelp(cs->matches);
- p->command = CMD_NONE;
- return;
+ exit(0);
/*
* Option selection
--
2.40.0

View File

@ -0,0 +1,64 @@
From da4e3255df89367a3fcf0625df2f161724ef591c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Feb 2022 17:39:24 +0100
Subject: [PATCH] libxtables: Register only the highest revision extension
When fully registering extensions, ignore all consecutive ones with same
name and family value. Since commit b3ac87038f4e4 ("libxtables: Make
sure extensions register in revision order"), one may safely assume the
list of pending extensions has highest revision numbers first. Since
iptables is only interested in the highest revision the kernel supports,
registration and compatibility checks may be skipped once the first
matching extension in pending list has validated.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 2dbb49d15fb44ddd521a734eca3be3f940b7c1ba)
---
libxtables/xtables.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 7f40b6f1b327b..3f7b9768897ac 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -668,6 +668,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
struct xtables_match **dptr;
struct xtables_match *ptr;
const char *icmp6 = "icmp6";
+ bool found = false;
if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
@@ -686,7 +687,9 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
- if (xtables_fully_register_pending_match(ptr, prev)) {
+ if (!found &&
+ xtables_fully_register_pending_match(ptr, prev)) {
+ found = true;
prev = ptr;
continue;
} else if (prev) {
@@ -788,6 +791,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
struct xtables_target *prev = NULL;
struct xtables_target **dptr;
struct xtables_target *ptr;
+ bool found = false;
/* Standard target? */
if (strcmp(name, "") == 0
@@ -802,7 +806,9 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
- if (xtables_fully_register_pending_target(ptr, prev)) {
+ if (!found &&
+ xtables_fully_register_pending_target(ptr, prev)) {
+ found = true;
prev = ptr;
continue;
} else if (prev) {
--
2.40.0

View File

@ -0,0 +1,84 @@
From 8da52ae6b1eabcbce070e25342c9b5b6f84cbf7f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Feb 2022 17:47:22 +0100
Subject: [PATCH] Improve error messages for unsupported extensions
If a given extension was not supported by the kernel, iptables would
print a rather confusing error message if extension parameters were
given:
| # rm /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LOG.ko
| # iptables -A FORWARD -j LOG --log-prefix foo
| iptables v1.8.7 (legacy): unknown option "--log-prefix"
Avoid this by pretending extension revision 0 is always supported. It is
the same hack as used to successfully print extension help texts as
unprivileged user, extended to all error codes to serve privileged ones
as well.
In addition, print a warning if kernel rejected revision 0 and it's not
a permissions problem. This helps users find out which extension in a
rule the kernel didn't like.
Finally, the above commands result in these messages:
| Warning: Extension LOG revision 0 not supported, missing kernel module?
| iptables: No chain/target/match by that name.
Or, for iptables-nft:
| Warning: Extension LOG revision 0 not supported, missing kernel module?
| iptables v1.8.7 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain FORWARD
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 17534cb18ed0a5052dc45c117401251359dba6aa)
---
iptables/nft.c | 12 +++++++++---
libxtables/xtables.c | 7 ++++++-
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index da9d24f5c86e2..2393940d7f64a 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3294,10 +3294,16 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
err:
mnl_socket_close(nl);
- /* pretend revision 0 is valid if not permitted to check -
- * this is required for printing extension help texts as user */
- if (ret < 0 && errno == EPERM && rev == 0)
+ /* pretend revision 0 is valid -
+ * this is required for printing extension help texts as user, also
+ * helps error messaging on unavailable kernel extension */
+ if (ret < 0 && rev == 0) {
+ if (errno != EPERM)
+ fprintf(stderr,
+ "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
+ name);
return 1;
+ }
return ret < 0 ? 0 : 1;
}
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 3f7b9768897ac..6ded6cc720ea8 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -929,7 +929,12 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
/* Definitely don't support this? */
if (errno == ENOENT || errno == EPROTONOSUPPORT) {
close(sockfd);
- return 0;
+ /* Pretend revision 0 support for better error messaging */
+ if (revision == 0)
+ fprintf(stderr,
+ "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
+ name);
+ return (revision == 0);
} else if (errno == ENOPROTOOPT) {
close(sockfd);
/* Assume only revision 0 support (old kernel) */
--
2.40.0

View File

@ -0,0 +1,199 @@
From 4f6e933bd26243e2e3c644544d609ada04d46873 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 1 Mar 2022 18:59:31 +0100
Subject: [PATCH] nft: Simplify immediate parsing
Implementations of parse_immediate callback are mostly trivial, the only
relevant part is access to family-specific parts of struct
iptables_command_state when setting goto flag for iptables and
ip6tables. Refactor them into simple set_goto_flag callbacks.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit b5f2faea325a315bfb932ebc634f3298d4824cae)
---
iptables/nft-arp.c | 9 ---------
iptables/nft-bridge.c | 9 ---------
iptables/nft-ipv4.c | 12 +++---------
iptables/nft-ipv6.c | 12 +++---------
iptables/nft-shared.c | 17 +++++++----------
iptables/nft-shared.h | 2 +-
6 files changed, 14 insertions(+), 47 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 2a9387a18dffe..d55e06572b283 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -182,14 +182,6 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
fw->arp.invflags |= flags;
}
-static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
-{
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-}
-
static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask)
{
mask->s_addr = ctx->bitwise.mask[0];
@@ -552,7 +544,6 @@ struct nft_family_ops nft_family_ops_arp = {
.print_payload = NULL,
.parse_meta = nft_arp_parse_meta,
.parse_payload = nft_arp_parse_payload,
- .parse_immediate = nft_arp_parse_immediate,
.print_header = nft_arp_print_header,
.print_rule = nft_arp_print_rule,
.save_rule = nft_arp_save_rule,
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index c1a2c209cc1aa..94febc9890674 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -284,14 +284,6 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
}
}
-static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
-{
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-}
-
/* return 0 if saddr, 1 if daddr, -1 on error */
static int
lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
@@ -922,7 +914,6 @@ struct nft_family_ops nft_family_ops_bridge = {
.print_payload = NULL,
.parse_meta = nft_bridge_parse_meta,
.parse_payload = nft_bridge_parse_payload,
- .parse_immediate = nft_bridge_parse_immediate,
.parse_lookup = nft_bridge_parse_lookup,
.parse_match = nft_bridge_parse_match,
.parse_target = nft_bridge_parse_target,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index a5b835b1f681d..76c76b67100ca 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -241,15 +241,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
}
}
-static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
+static void nft_ipv4_set_goto_flag(struct iptables_command_state *cs)
{
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-
- if (nft_goto)
- cs->fw.ip.flags |= IPT_F_GOTO;
+ cs->fw.ip.flags |= IPT_F_GOTO;
}
static void print_fragment(unsigned int flags, unsigned int invflags,
@@ -473,7 +467,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
.is_same = nft_ipv4_is_same,
.parse_meta = nft_ipv4_parse_meta,
.parse_payload = nft_ipv4_parse_payload,
- .parse_immediate = nft_ipv4_parse_immediate,
+ .set_goto_flag = nft_ipv4_set_goto_flag,
.print_header = print_header,
.print_rule = nft_ipv4_print_rule,
.save_rule = nft_ipv4_save_rule,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 46008fc5e762a..fac0f16cfe815 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -180,15 +180,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
}
}
-static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
- void *data)
+static void nft_ipv6_set_goto_flag(struct iptables_command_state *cs)
{
- struct iptables_command_state *cs = data;
-
- cs->jumpto = jumpto;
-
- if (nft_goto)
- cs->fw6.ipv6.flags |= IP6T_F_GOTO;
+ cs->fw6.ipv6.flags |= IP6T_F_GOTO;
}
static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
@@ -415,7 +409,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
.is_same = nft_ipv6_is_same,
.parse_meta = nft_ipv6_parse_meta,
.parse_payload = nft_ipv6_parse_payload,
- .parse_immediate = nft_ipv6_parse_immediate,
+ .set_goto_flag = nft_ipv6_set_goto_flag,
.print_header = print_header,
.print_rule = nft_ipv6_print_rule,
.save_rule = nft_ipv6_save_rule,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index f270f610a8f67..894407f7d9b57 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -495,9 +495,7 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters
static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
{
const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
- const char *jumpto = NULL;
- bool nft_goto = false;
- void *data = ctx->cs;
+ struct iptables_command_state *cs = ctx->cs;
int verdict;
if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
@@ -520,23 +518,22 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
/* Standard target? */
switch(verdict) {
case NF_ACCEPT:
- jumpto = "ACCEPT";
+ cs->jumpto = "ACCEPT";
break;
case NF_DROP:
- jumpto = "DROP";
+ cs->jumpto = "DROP";
break;
case NFT_RETURN:
- jumpto = "RETURN";
+ cs->jumpto = "RETURN";
break;;
case NFT_GOTO:
- nft_goto = true;
+ if (ctx->h->ops->set_goto_flag)
+ ctx->h->ops->set_goto_flag(cs);
/* fall through */
case NFT_JUMP:
- jumpto = chain;
+ cs->jumpto = chain;
break;
}
-
- ctx->h->ops->parse_immediate(jumpto, nft_goto, data);
}
static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 519118a2daf6c..2c5f2cfc012d5 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -89,7 +89,7 @@ struct nft_family_ops {
void *data);
void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
void *data);
- void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
+ void (*set_goto_flag)(struct iptables_command_state *cs);
void (*print_table_header)(const char *tablename);
void (*print_header)(unsigned int format, const char *chain,
--
2.40.0

View File

@ -0,0 +1,119 @@
From 1a3d13b637e71f1f207eda17f816c58a9425971e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 1 Mar 2022 19:46:21 +0100
Subject: [PATCH] nft: Speed up immediate parsing
Parsing of rules which jump to a chain pointlessly causes a call to
xtables_find_target() despite the code already knowing the outcome.
Avoid the significant delay for rulesets with many chain jumps by
performing the (standard) target lookup only for accept/drop/return
verdicts.
From a biased test-case on my VM:
| # iptables-nft-save | grep -c -- '-j'
| 133943
| # time ./old/iptables-nft-save >/dev/null
| real 0m45.566s
| user 0m1.308s
| sys 0m8.430s
| # time ./new/iptables-nft-save >/dev/null
| real 0m3.547s
| user 0m0.762s
| sys 0m2.476s
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 07ee529f5a62838d68be59683be99bf6a7cda0f2)
---
iptables/nft-bridge.c | 1 +
iptables/nft-shared.c | 37 ++++++++++++++++++-------------------
2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 94febc9890674..9cc6f87b28fe0 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -539,6 +539,7 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
}
cs->target = t;
+ cs->jumpto = t->name;
}
static void nft_rule_to_ebtables_command_state(struct nft_handle *h,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 894407f7d9b57..6c643a8c06aaa 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -496,6 +496,8 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
{
const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
struct iptables_command_state *cs = ctx->cs;
+ struct xt_entry_target *t;
+ uint32_t size;
int verdict;
if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) {
@@ -532,8 +534,21 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
/* fall through */
case NFT_JUMP:
cs->jumpto = chain;
- break;
+ /* fall through */
+ default:
+ return;
}
+
+ cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
+ if (!cs->target)
+ return;
+
+ size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
+ t = xtables_calloc(1, size);
+ t->u.target_size = size;
+ t->u.user.revision = cs->target->revision;
+ strcpy(t->u.user.name, cs->jumpto);
+ cs->target->t = t;
}
static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
@@ -661,25 +676,8 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
}
}
- if (cs->target != NULL) {
- cs->jumpto = cs->target->name;
- } else if (cs->jumpto != NULL) {
- struct xt_entry_target *t;
- uint32_t size;
-
- cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
- if (!cs->target)
- return;
-
- size = XT_ALIGN(sizeof(struct xt_entry_target)) + cs->target->size;
- t = xtables_calloc(1, size);
- t->u.target_size = size;
- t->u.user.revision = cs->target->revision;
- strcpy(t->u.user.name, cs->jumpto);
- cs->target->t = t;
- } else {
+ if (!cs->jumpto)
cs->jumpto = "";
- }
}
void nft_clear_iptables_command_state(struct iptables_command_state *cs)
@@ -968,6 +966,7 @@ void nft_ipv46_parse_target(struct xtables_target *t, void *data)
struct iptables_command_state *cs = data;
cs->target = t;
+ cs->jumpto = t->name;
}
void nft_check_xt_legacy(int family, bool is_ipt_save)
--
2.40.0

View File

@ -0,0 +1,104 @@
From 38ddff6cd616cf9d6869bcf8fa3c01e186446cb4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 1 Mar 2022 23:05:29 +0100
Subject: [PATCH] xshared: Prefer xtables_chain_protos lookup over getprotoent
When dumping a large ruleset, common protocol matches such as for TCP
port number significantly slow down rule printing due to repeated calls
for getprotobynumber(). The latter does not involve any caching, so
/etc/protocols is consulted over and over again.
As a simple countermeasure, make functions converting between proto
number and name prefer the built-in list of "well-known" protocols. This
is not a perfect solution, repeated rules for protocol names libxtables
does not cache (e.g. igmp or dccp) will still be slow. Implementing
getprotoent() result caching could solve this.
As a side-effect, explicit check for pseudo-protocol "all" may be
dropped as it is contained in the built-in list and therefore immutable.
Also update xtables_chain_protos entries a bit to align with typical
/etc/protocols contents. The testsuite assumes those names, so the
preferred ones prior to this patch are indeed uncommon nowadays.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit b6196c7504d4d41827cea86c167926125cdbf1f3)
---
iptables/xshared.c | 8 ++++----
libxtables/xtables.c | 19 ++++++-------------
2 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 26e938309eab3..f7581967efc28 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -52,16 +52,16 @@ proto_to_name(uint16_t proto, int nolookup)
{
unsigned int i;
+ for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
+ if (xtables_chain_protos[i].num == proto)
+ return xtables_chain_protos[i].name;
+
if (proto && !nolookup) {
struct protoent *pent = getprotobynumber(proto);
if (pent)
return pent->p_name;
}
- for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
- if (xtables_chain_protos[i].num == proto)
- return xtables_chain_protos[i].name;
-
return NULL;
}
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 6ded6cc720ea8..cb380ad61ccb5 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -2077,10 +2077,11 @@ const struct xtables_pprot xtables_chain_protos[] = {
{"udp", IPPROTO_UDP},
{"udplite", IPPROTO_UDPLITE},
{"icmp", IPPROTO_ICMP},
- {"icmpv6", IPPROTO_ICMPV6},
{"ipv6-icmp", IPPROTO_ICMPV6},
+ {"icmpv6", IPPROTO_ICMPV6},
{"esp", IPPROTO_ESP},
{"ah", IPPROTO_AH},
+ {"mobility-header", IPPROTO_MH},
{"ipv6-mh", IPPROTO_MH},
{"mh", IPPROTO_MH},
{"all", 0},
@@ -2096,23 +2097,15 @@ xtables_parse_protocol(const char *s)
if (xtables_strtoui(s, NULL, &proto, 0, UINT8_MAX))
return proto;
- /* first deal with the special case of 'all' to prevent
- * people from being able to redefine 'all' in nsswitch
- * and/or provoke expensive [not working] ldap/nis/...
- * lookups */
- if (strcmp(s, "all") == 0)
- return 0;
+ for (i = 0; xtables_chain_protos[i].name != NULL; ++i) {
+ if (strcmp(s, xtables_chain_protos[i].name) == 0)
+ return xtables_chain_protos[i].num;
+ }
pent = getprotobyname(s);
if (pent != NULL)
return pent->p_proto;
- for (i = 0; i < ARRAY_SIZE(xtables_chain_protos); ++i) {
- if (xtables_chain_protos[i].name == NULL)
- continue;
- if (strcmp(s, xtables_chain_protos[i].name) == 0)
- return xtables_chain_protos[i].num;
- }
xt_params->exit_err(PARAMETER_PROBLEM,
"unknown protocol \"%s\" specified", s);
return -1;
--
2.40.0

View File

@ -0,0 +1,41 @@
From f6915482a365373c5892752f87086740b84fe2d3 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 15 Mar 2022 12:17:25 +0100
Subject: [PATCH] libxtables: Fix for warning in xtables_ipmask_to_numeric
Gcc complains:
| xtables.c: In function 'xtables_ipmask_to_numeric':
| xtables.c:1491:34: warning: '__builtin___sprintf_chk' may write a terminating nul past the end of the destination [-Wformat-overflow=]
| 1491 | sprintf(buf, "/%s", xtables_ipaddr_to_numeric(mask));
| | ^
Indeed, xtables_ipaddr_to_numeric() returns a pointer to a 20 byte
buffer and xtables_ipmask_to_numeric() writes its content into a buffer
of same size at offset 1. Yet length of returned string is deterministic
as it is an IPv4 address. So shrink it to the minimum of 16 bytes which
eliminates the warning as well.
Fixes: a96166c24eaac ("libxtables: add xtables_ip[6]mask_to_cidr")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0c8e253595bd80e4ddd73230d079e33cd5420b32)
---
libxtables/xtables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index cb380ad61ccb5..2e6c68292f16a 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1389,7 +1389,7 @@ void xtables_param_act(unsigned int status, const char *p1, ...)
const char *xtables_ipaddr_to_numeric(const struct in_addr *addrp)
{
- static char buf[20];
+ static char buf[16];
const unsigned char *bytep = (const void *)&addrp->s_addr;
sprintf(buf, "%u.%u.%u.%u", bytep[0], bytep[1], bytep[2], bytep[3]);
--
2.40.0

View File

@ -0,0 +1,118 @@
From 0a2bf490dde3b55fd2607976aa07a853a18e15f7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 16 Mar 2022 17:14:07 +0100
Subject: [PATCH] nft: Reject standard targets as chain names when restoring
Reuse parse_chain() called from do_parse() for '-N' and rename it for a
better description of what it does.
Note that by itself, this patch will likely kill iptables-restore
performance for big rulesets due to the extra extension lookup for chain
lines. A following patch announcing those chains to libxtables will
alleviate that.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit b1aee6b2238794446feba41778f88703784560f7)
Conflicts:
iptables/xshared.c
-> Context change due to missing commit 9dc50b5b8e441
("xshared: Merge invflags handling code").
-> Adjust to missing commits 62c3c93d4b0f5
("xshared: Move do_parse to shared space"), 9baf3bf0e77da
("iptables: Use xtables' do_parse() function") and 5c2c2eea2fff3
("ip6tables: Use the shared do_parse, too").
---
iptables/ip6tables.c | 2 +-
iptables/iptables.c | 2 +-
iptables/xshared.c | 2 +-
iptables/xshared.h | 2 +-
iptables/xtables-restore.c | 5 +----
iptables/xtables.c | 2 +-
6 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 6db91c807bcea..897f30d5ef4b0 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1156,7 +1156,7 @@ int do_command6(int argc, char *argv[], char **table,
break;
case 'N':
- parse_chain(optarg);
+ assert_valid_chain_name(optarg);
add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
cs.invert);
chain = optarg;
diff --git a/iptables/iptables.c b/iptables/iptables.c
index a33416a887ed4..9964d14ed8195 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1153,7 +1153,7 @@ int do_command4(int argc, char *argv[], char **table,
break;
case 'N':
- parse_chain(optarg);
+ assert_valid_chain_name(optarg);
add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
cs.invert);
chain = optarg;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index f7581967efc28..b052b849b2069 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -849,7 +849,7 @@ char opt2char(int option)
return *ptr;
}
-void parse_chain(const char *chainname)
+void assert_valid_chain_name(const char *chainname)
{
const char *ptr;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index d80c8beee1894..c512f20afd33a 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -222,7 +222,7 @@ char cmd2char(int option);
void add_command(unsigned int *cmd, const int newcmd,
const int othercmds, int invert);
int parse_rulenumber(const char *rule);
-void parse_chain(const char *chainname);
+void assert_valid_chain_name(const char *chainname);
void generic_opt_check(int command, int options);
char opt2char(int option);
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index a3bb4f00e79c6..5d0e44843b285 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -156,10 +156,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
"%s: line %u chain name invalid\n",
xt_params->program_name, line);
- if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
- xtables_error(PARAMETER_PROBLEM,
- "Invalid chain name `%s' (%u chars max)",
- chain, XT_EXTENSION_MAXNAMELEN - 1);
+ assert_valid_chain_name(chain);
policy = strtok(NULL, " \t\n");
DEBUGP("line %u, policy '%s'\n", line, policy);
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 7ef1702a0cd50..3c7b3fc45b6f6 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -587,7 +587,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break;
case 'N':
- parse_chain(optarg);
+ assert_valid_chain_name(optarg);
add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
cs->invert);
p->chain = optarg;
--
2.40.0

View File

@ -0,0 +1,140 @@
From 064d7af6927b7b47d13d7fa7ad815f99d83d5006 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 15 Dec 2020 15:40:56 +0100
Subject: [PATCH] libxtables: Implement notargets hash table
Target lookup is relatively costly due to the filesystem access. Avoid
this overhead in huge rulesets which contain many chain jumps by caching
the failed lookups into a hashtable for later.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f58b0d7406451afbb4b9b6c7888990c964fa7c79)
---
libxtables/xtables.c | 75 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 2e6c68292f16a..b2b3eddf78dbc 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -48,6 +48,7 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <libiptc/libxtc.h>
+#include <libiptc/linux_list.h>
#ifndef NO_SHARED_LIBS
#include <dlfcn.h>
@@ -242,6 +243,71 @@ static void dlreg_free(void)
}
#endif
+struct notarget {
+ struct hlist_node node;
+ char name[];
+};
+
+#define NOTARGET_HSIZE 512
+static struct hlist_head notargets[NOTARGET_HSIZE];
+
+static void notargets_hlist_init(void)
+{
+ int i;
+
+ for (i = 0; i < NOTARGET_HSIZE; i++)
+ INIT_HLIST_HEAD(&notargets[i]);
+}
+
+static void notargets_hlist_free(void)
+{
+ struct hlist_node *pos, *n;
+ struct notarget *cur;
+ int i;
+
+ for (i = 0; i < NOTARGET_HSIZE; i++) {
+ hlist_for_each_entry_safe(cur, pos, n, &notargets[i], node) {
+ hlist_del(&cur->node);
+ free(cur);
+ }
+ }
+}
+
+static uint32_t djb_hash(const char *key)
+{
+ uint32_t i, hash = 5381;
+
+ for (i = 0; i < strlen(key); i++)
+ hash = ((hash << 5) + hash) + key[i];
+
+ return hash;
+}
+
+static struct notarget *notargets_hlist_lookup(const char *name)
+{
+ uint32_t key = djb_hash(name) % NOTARGET_HSIZE;
+ struct hlist_node *node;
+ struct notarget *cur;
+
+ hlist_for_each_entry(cur, node, &notargets[key], node) {
+ if (!strcmp(name, cur->name))
+ return cur;
+ }
+ return NULL;
+}
+
+static void notargets_hlist_insert(const char *name)
+{
+ struct notarget *cur;
+
+ if (!name)
+ return;
+
+ cur = xtables_malloc(sizeof(*cur) + strlen(name) + 1);
+ strcpy(cur->name, name);
+ hlist_add_head(&cur->node, &notargets[djb_hash(name) % NOTARGET_HSIZE]);
+}
+
void xtables_init(void)
{
xtables_libdir = getenv("XTABLES_LIBDIR");
@@ -267,6 +333,8 @@ void xtables_init(void)
return;
}
xtables_libdir = XTABLES_LIBDIR;
+
+ notargets_hlist_init();
}
void xtables_fini(void)
@@ -274,6 +342,7 @@ void xtables_fini(void)
#ifndef NO_SHARED_LIBS
dlreg_free();
#endif
+ notargets_hlist_free();
}
void xtables_set_nfproto(uint8_t nfproto)
@@ -800,6 +869,10 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
|| strcmp(name, XTC_LABEL_QUEUE) == 0
|| strcmp(name, XTC_LABEL_RETURN) == 0)
name = "standard";
+ /* known non-target? */
+ else if (notargets_hlist_lookup(name) &&
+ tryload != XTF_LOAD_MUST_SUCCEED)
+ return NULL;
/* Trigger delayed initialization */
for (dptr = &xtables_pending_targets; *dptr; ) {
@@ -865,6 +938,8 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
if (ptr)
ptr->used = 1;
+ else
+ notargets_hlist_insert(name);
return ptr;
}
--
2.40.0

View File

@ -0,0 +1,86 @@
From 2fb92babbf460de158cc435f66c46f0642763193 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 4 Mar 2022 12:50:01 +0100
Subject: [PATCH] libxtables: Boost rule target checks by announcing chain
names
When restoring a ruleset, feed libxtables with chain names from
respective lines to avoid an extension search.
While the user's intention is clear, this effectively disables the
sanity check for clashes with target extensions. But:
* The check yielded only a warning and the clashing chain was finally
accepted.
* Users crafting iptables dumps for feeding into iptables-restore likely
know what they're doing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit ac4c84cc63d3cc021ca532692885a644fcde4518)
---
include/xtables.h | 3 +++
iptables/iptables-restore.c | 1 +
iptables/xtables-restore.c | 1 +
libxtables/xtables.c | 6 ++++++
4 files changed, 11 insertions(+)
diff --git a/include/xtables.h b/include/xtables.h
index a7b36979398ba..3c0d0f78e8d1a 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -633,6 +633,9 @@ void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
const char *xt_xlate_get_comment(struct xt_xlate *xl);
const char *xt_xlate_get(struct xt_xlate *xl);
+/* informed target lookups */
+void xtables_announce_chain(const char *name);
+
#ifdef XTABLES_INTERNAL
/* Shipped modules rely on this... */
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index cc2c2b8b10086..a34d95015c93c 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -311,6 +311,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
cb->ops->strerror(errno));
}
+ xtables_announce_chain(chain);
ret = 1;
} else if (in_table) {
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 5d0e44843b285..b3c8dbaa7e2cc 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -156,6 +156,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
"%s: line %u chain name invalid\n",
xt_params->program_name, line);
+ xtables_announce_chain(chain);
assert_valid_chain_name(chain);
policy = strtok(NULL, " \t\n");
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index b2b3eddf78dbc..803551053c15f 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -308,6 +308,12 @@ static void notargets_hlist_insert(const char *name)
hlist_add_head(&cur->node, &notargets[djb_hash(name) % NOTARGET_HSIZE]);
}
+void xtables_announce_chain(const char *name)
+{
+ if (!notargets_hlist_lookup(name))
+ notargets_hlist_insert(name);
+}
+
void xtables_init(void)
{
xtables_libdir = getenv("XTABLES_LIBDIR");
--
2.40.0

View File

@ -0,0 +1,31 @@
From ef0405f9267dc23f51bb2b84e63e31ba484f3196 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 21 Apr 2022 16:53:33 +0200
Subject: [PATCH] nft-shared: update context register for bitwise expression
Update the destination register, otherwise nft_parse_cmp() gives up on
interpreting the cmp expression when bitwise sreg != dreg.
Fixes: 2c4a34c30cb4 ("iptables-compat: fix address prefix")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 4c70c42fe8d937a2ca2709daa9efe96275d194da)
---
iptables/nft-shared.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 6c643a8c06aaa..2b934ffc17756 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -459,6 +459,8 @@ static void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
if (ctx->reg && reg != ctx->reg)
return;
+ reg = nftnl_expr_get_u32(e, NFTNL_EXPR_BITWISE_DREG);
+ ctx->reg = reg;
data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_XOR, &len);
memcpy(ctx->bitwise.xor, data, len);
data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_MASK, &len);
--
2.40.0

View File

@ -0,0 +1,29 @@
From 1f7fa039057778f229c5190d816551bf75955d5a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 5 May 2022 18:00:14 +0200
Subject: [PATCH] extensions: MARK: Drop extra newline at end of help
Fixes: f4b737fb0c52a ("libxt_MARK r2")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit adbfec0b3e3275ea5e7c933b630756cf01a4f8c6)
---
extensions/libxt_MARK.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/extensions/libxt_MARK.c b/extensions/libxt_MARK.c
index b765af6c35304..1536563d0f4c7 100644
--- a/extensions/libxt_MARK.c
+++ b/extensions/libxt_MARK.c
@@ -77,8 +77,7 @@ static void mark_tg_help(void)
" --set-mark value[/mask] Clear bits in mask and OR value into nfmark\n"
" --and-mark bits Binary AND the nfmark with bits\n"
" --or-mark bits Binary OR the nfmark with bits\n"
-" --xor-mark bits Binary XOR the nfmark with bits\n"
-"\n");
+" --xor-mark bits Binary XOR the nfmark with bits\n");
}
static void MARK_parse_v0(struct xt_option_call *cb)
--
2.40.0

Some files were not shown because too many files have changed in this diff Show More