powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

iptables package update 

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 2020-08-01 11:37:25 +02:00
parent 2eb4c7b76f
commit 1f56305bb9
42 changed files with 3466 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

165
SOURCES/Consolidate-DEBUGP-macros.patch Normal file
View File

@ -0,0 +1,165 @@
From 7fcb3a907824af6220007d91ef49095f990b1733 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 3 Apr 2019 20:15:52 +0200
Subject: [PATCH] Consolidate DEBUGP macros

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1668475
Upstream Status: iptables commit 78b9d438037f2
Conflicts:
* Context change due to missing commit 2963a8df2175b
("iptables: Remove explicit static variables initalization.")
* Dropped changes to non-existing files iptables/nft-shared.h and
iptables/xtables-restore.c.

commit 78b9d438037f2c83a7bbb73eb1b86cc295967905
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Aug 2 17:05:15 2018 +0200

Consolidate DEBUGP macros

This debug printing macro was defined in various places, always
identical. Move it into xshared.h and drop it from sources including
that header. There are a few exceptions:

* iptables-xml.c did not include xshared.h, which this patch changes.

* Sources in extensions and libiptc mostly left alone since they don't
include xshared.h (and maybe shouldn't). Only libxt_set.h does, so
it's converted, too.

This also converts DEBUG define use in libip6t_hbh.c to avoid a compiler
warning.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libip6t_hbh.c | 6 ++----
extensions/libxt_set.h | 6 ------
iptables/ip6tables-restore.c | 6 ------
iptables/iptables-restore.c | 6 ------
iptables/iptables-xml.c | 7 +------
iptables/xshared.h | 6 ++++++
6 files changed, 9 insertions(+), 28 deletions(-)

diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed8bafde..1c49ee71ada13 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -5,8 +5,6 @@
#include <xtables.h>
#include <linux/netfilter_ipv6/ip6t_opts.h>
-#define DEBUG 0
-
enum {
O_HBH_LEN = 0,
O_HBH_OPTS,
@@ -83,7 +81,7 @@ parse_options(const char *optsstr, uint16_t *opts)
opts[i] |= (0x00FF);
}
-#if DEBUG
+#ifdef DEBUG
printf("opts str: %s %s\n", cp, range);
printf("opts opt: %04X\n", opts[i]);
#endif
@@ -92,7 +90,7 @@ parse_options(const char *optsstr, uint16_t *opts)
free(buffer);
-#if DEBUG
+#ifdef DEBUG
printf("addr nr: %d\n", i);
#endif
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 5a1bdcf730cf2..41dfbd30fc7c1 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -8,12 +8,6 @@
#include <errno.h>
#include "../iptables/xshared.h"
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x , ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
static int
get_version(unsigned *version)
{
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index fdcc0cb5b2c06..611430d930eda 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -20,12 +20,6 @@
#include "libiptc/libip6tc.h"
#include "ip6tables-multi.h"
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0;
static struct timeval wait_interval = {
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 5a8c2c738bb0f..b0da96d45d297 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -17,12 +17,6 @@
#include "libiptc/libiptc.h"
#include "iptables-multi.h"
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0;
static struct timeval wait_interval = {
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 92a5768f86903..c523a132b2240 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -16,12 +16,7 @@
#include "libiptc/libiptc.h"
#include "xtables-multi.h"
#include <xtables.h>
-
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
+#include "xshared.h"
struct xtables_globals iptables_xml_globals = {
.option_offset = 0,
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 20dbbd12118ad..bfdb10b2701e5 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -9,6 +9,12 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
+#ifdef DEBUG
+#define DEBUGP(x, args...) fprintf(stdout, x, ## args)
+#else
+#define DEBUGP(x, args...)
+#endif
+
enum {
OPT_NONE = 0,
OPT_NUMERIC = 1 << 0,
--
2.21.0

163
SOURCES/Fix-a-few-cases-of-pointless-assignments.patch Normal file
View File

@ -0,0 +1,163 @@
From b0c800d08b90b84d5d693d63602bcc4b43a07b6f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:34 +0100
Subject: [PATCH] Fix a few cases of pointless assignments

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 7e50ebabbf9c3
Conflicts: Dropped changes to non-existing nft-backend files.

commit 7e50ebabbf9c3a5eeb9511d9f32c6104b56da5cd
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:17:04 2018 +0200

Fix a few cases of pointless assignments

This gets rid of a number of assignments which are either redundant or
not used afterwards.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ip6tables-restore.c | 4 ++--
iptables/iptables-restore.c | 4 ++--
iptables/iptables-xml.c | 4 ++--
libxtables/xtoptions.c | 2 +-
utils/nfnl_osf.c | 13 +++++--------
5 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index d610360a1c1ff..fdcc0cb5b2c06 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -427,7 +427,6 @@ int ip6tables_restore_main(int argc, char *argv[])
} else if (in_table) {
int a;
- char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
@@ -437,7 +436,8 @@ int ip6tables_restore_main(int argc, char *argv[])
if (buffer[0] == '[') {
/* we have counters in our input */
- ptr = strchr(buffer, ']');
+ char *ptr = strchr(buffer, ']');
+
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index db77fb77b3c98..5a8c2c738bb0f 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -426,7 +426,6 @@ iptables_restore_main(int argc, char *argv[])
} else if (in_table) {
int a;
- char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
@@ -436,7 +435,8 @@ iptables_restore_main(int argc, char *argv[])
if (buffer[0] == '[') {
/* we have counters in our input */
- ptr = strchr(buffer, ']');
+ char *ptr = strchr(buffer, ']');
+
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 962844762fc4e..92a5768f86903 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -731,7 +731,6 @@ iptables_xml_main(int argc, char *argv[])
ret = 1;
} else if (curTable[0]) {
unsigned int a;
- char *ptr = buffer;
char *pcnt = NULL;
char *bcnt = NULL;
char *parsestart;
@@ -747,7 +746,8 @@ iptables_xml_main(int argc, char *argv[])
if (buffer[0] == '[') {
/* we have counters in our input */
- ptr = strchr(buffer, ']');
+ char *ptr = strchr(buffer, ']');
+
if (!ptr)
xtables_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 0c63c2d372dea..1ad4cb57f5836 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -282,7 +282,7 @@ static void xtopt_mint_value_to_ptr(struct xt_option_call *cb, void **datap,
static void xtopt_parse_mint(struct xt_option_call *cb)
{
const struct xt_option_entry *entry = cb->entry;
- const char *arg = cb->arg;
+ const char *arg;
size_t esize = xtopt_esize_by_type(entry->type);
const uintmax_t lmax = xtopt_max_by_type(entry->type);
void *put = XTOPT_MKPTR(cb);
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index c67485ee698b1..0f8b35b805016 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -157,7 +157,6 @@ static void xt_osf_parse_opt(struct xt_osf_opt *opt, __u16 *optnum, char *obuf,
i = 0;
while (ptr != NULL && i < olen && *ptr != 0) {
val = 0;
- op = 0;
wc = OSF_WSS_PLAIN;
switch (obuf[i]) {
case 'N':
@@ -344,7 +343,7 @@ static int osf_load_line(char *buffer, int len, int del)
pend = xt_osf_strchr(pbeg, OSFPDEL);
if (pend) {
*pend = '\0';
- cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg);
+ snprintf(obuf, sizeof(obuf), "%s,", pbeg);
pbeg = pend + 1;
}
@@ -352,25 +351,23 @@ static int osf_load_line(char *buffer, int len, int del)
if (pend) {
*pend = '\0';
if (pbeg[0] == '@' || pbeg[0] == '*')
- cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1);
+ snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1);
else
- cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
+ snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
pbeg = pend + 1;
}
pend = xt_osf_strchr(pbeg, OSFPDEL);
if (pend) {
*pend = '\0';
- cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg);
+ snprintf(f.version, sizeof(f.version), "%s", pbeg);
pbeg = pend + 1;
}
pend = xt_osf_strchr(pbeg, OSFPDEL);
if (pend) {
*pend = '\0';
- cnt =
- snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
- pbeg = pend + 1;
+ snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
}
xt_osf_parse_opt(f.opt, &f.opt_num, obuf, sizeof(obuf));
--
2.21.0

70
SOURCES/Mark-fall-through-cases-in-switch-statements.patch Normal file
View File

@ -0,0 +1,70 @@
From 5527530396afccc43fddedbe6fdf1b4c6000b516 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:49:11 +0100
Subject: [PATCH] Mark fall through cases in switch() statements

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 1788f545aae28
Conflicts: Dropped changes to non-existing libebt_log.c, nft-shared.c
and revision 4 of libxt_set.c.

commit 1788f545aae285fa3cd6595d5d25b2ae1b215282
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:45 2018 +0200

Mark fall through cases in switch() statements

Typical covscan complaint, non-empty fall throughs should be marked as
such. There was but a single case which should break instead, namely in
libebt_log.c: It is not critical, since the next case merely asserts
'invert' being zero (which can't be as it was checked before). But while
being at it, introduce log_chk_inv() to consolidate the semantically
equal cases for the various log types.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_set.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
index 2cb9e78a85f97..ec826367d6631 100644
--- a/extensions/libxt_set.c
+++ b/extensions/libxt_set.c
@@ -60,6 +60,7 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
+ /* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->u.flags[0])
xtables_error(PARAMETER_PROBLEM,
@@ -140,6 +141,7 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
+ /* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
@@ -238,6 +240,7 @@ set_parse_v2(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
+ /* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->dim)
xtables_error(PARAMETER_PROBLEM,
@@ -415,6 +418,7 @@ set_parse_v3(int c, char **argv, int invert, unsigned int *flags,
case '2':
fprintf(stderr,
"--set option deprecated, please use --match-set\n");
+ /* fall through */
case '1': /* --match-set <set> <flag>[,<flag> */
if (info->match_set.dim)
xtables_error(PARAMETER_PROBLEM,
--
2.21.0

216
SOURCES/Share-print_ipv-4-6-_addr-from-xtables.patch Normal file
View File

@ -0,0 +1,216 @@
From 7c53ed370c79027455b4e342436da507be701e23 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] Share print_ipv{4,6}_addr() from xtables

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 8da04ffdca193
Conflicts:
* Dropped changes to non-existing nft-ipv4.c and nft-ipv6.c.
* Context change in xshared.{c,h}.

commit 8da04ffdca1931402a6bc22c43c1a2fa1c6f1e14
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:59 2018 +0200

Share print_ipv{4,6}_addr() from xtables

These functions contain code which occurs in legacy's print_firewall()
functions, so use them there.

Rename them to at least make clear they print more than a single
address.

Also introduce ipv{4,6}_addr_to_string() which take care of converting
an address/netmask pair into string representation in a way which
doesn't upset covscan (since that didn't detect that 'buf' may not be
exceeded by the strings written into it.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ip6tables.c | 27 +-----------------
iptables/iptables.c | 25 +----------------
iptables/xshared.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
iptables/xshared.h | 3 ++
4 files changed, 71 insertions(+), 50 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 76e36d44f6b25..fc2fd37cfe919 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -541,7 +541,6 @@ print_firewall(const struct ip6t_entry *fw,
{
const struct xtables_target *target = NULL;
const struct xt_entry_target *t;
- char buf[BUFSIZ];
if (!ip6tc_is_chain(targname, handle))
target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -609,31 +608,7 @@ print_firewall(const struct ip6t_entry *fw,
printf(FMT("%-6s ","out %s "), iface);
}
- fputc(fw->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
- if (!memcmp(&fw->ipv6.smsk, &in6addr_any, sizeof in6addr_any)
- && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","%s "), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.src));
- else
- strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.src));
- strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.smsk));
- printf(FMT("%-19s ","%s "), buf);
- }
-
- fputc(fw->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
- if (!memcmp(&fw->ipv6.dmsk, &in6addr_any, sizeof in6addr_any)
- && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","-> %s"), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.dst));
- else
- strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.dst));
- strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.dmsk));
- printf(FMT("%-19s ","-> %s"), buf);
- }
+ print_ipv6_addresses(fw, format);
if (format & FMT_NOTABLE)
fputs(" ", stdout);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index bac9fe0905e9f..dc70cc6e9b0ec 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -526,7 +526,6 @@ print_firewall(const struct ipt_entry *fw,
const struct xtables_target *target = NULL;
const struct xt_entry_target *t;
uint8_t flags;
- char buf[BUFSIZ];
if (!iptc_is_chain(targname, handle))
target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -595,29 +594,7 @@ print_firewall(const struct ipt_entry *fw,
printf(FMT("%-6s ","out %s "), iface);
}
- fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
- if (fw->ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","%s "), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.src));
- else
- strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.src));
- strcat(buf, xtables_ipmask_to_numeric(&fw->ip.smsk));
- printf(FMT("%-19s ","%s "), buf);
- }
-
- fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
- if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","-> %s"), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.dst));
- else
- strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.dst));
- strcat(buf, xtables_ipmask_to_numeric(&fw->ip.dmsk));
- printf(FMT("%-19s ","-> %s"), buf);
- }
+ print_ipv4_addresses(fw, format);
if (format & FMT_NOTABLE)
fputs(" ", stdout);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index b8a81fd968361..742502154aa55 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -340,3 +340,69 @@ inline bool xs_has_arg(int argc, char *argv[])
argv[optind][0] != '-' &&
argv[optind][0] != '!';
}
+
+static const char *ipv4_addr_to_string(const struct in_addr *addr,
+ const struct in_addr *mask,
+ unsigned int format)
+{
+ static char buf[BUFSIZ];
+
+ if (!mask->s_addr && !(format & FMT_NUMERIC))
+ return "anywhere";
+
+ if (format & FMT_NUMERIC)
+ strncpy(buf, xtables_ipaddr_to_numeric(addr), BUFSIZ - 1);
+ else
+ strncpy(buf, xtables_ipaddr_to_anyname(addr), BUFSIZ - 1);
+ buf[BUFSIZ - 1] = '\0';
+
+ strncat(buf, xtables_ipmask_to_numeric(mask),
+ BUFSIZ - strlen(buf) - 1);
+
+ return buf;
+}
+
+void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format)
+{
+ fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
+ printf(FMT("%-19s ", "%s "),
+ ipv4_addr_to_string(&fw->ip.src, &fw->ip.smsk, format));
+
+ fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
+ printf(FMT("%-19s ", "-> %s"),
+ ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format));
+}
+
+static const char *ipv6_addr_to_string(const struct in6_addr *addr,
+ const struct in6_addr *mask,
+ unsigned int format)
+{
+ static char buf[BUFSIZ];
+
+ if (IN6_IS_ADDR_UNSPECIFIED(addr) && !(format & FMT_NUMERIC))
+ return "anywhere";
+
+ if (format & FMT_NUMERIC)
+ strncpy(buf, xtables_ip6addr_to_numeric(addr), BUFSIZ - 1);
+ else
+ strncpy(buf, xtables_ip6addr_to_anyname(addr), BUFSIZ - 1);
+ buf[BUFSIZ - 1] = '\0';
+
+ strncat(buf, xtables_ip6mask_to_numeric(mask),
+ BUFSIZ - strlen(buf) - 1);
+
+ return buf;
+}
+
+void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format)
+{
+ fputc(fw6->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
+ printf(FMT("%-19s ", "%s "),
+ ipv6_addr_to_string(&fw6->ipv6.src,
+ &fw6->ipv6.smsk, format));
+
+ fputc(fw6->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
+ printf(FMT("%-19s ", "-> %s"),
+ ipv6_addr_to_string(&fw6->ipv6.dst,
+ &fw6->ipv6.dmsk, format));
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index c35dfee47577d..20dbbd12118ad 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -113,4 +113,7 @@ bool xs_has_arg(int argc, char *argv[]);
extern const struct xtables_afinfo *afinfo;
+void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
+void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
+
#endif /* IPTABLES_XSHARED_H */
--
2.21.0

60
SOURCES/extensions-Add-macro-_DEFAULT_SOURCE.patch Normal file
View File

@ -0,0 +1,60 @@
From 3dcd69e5655a2485d39efd64b5bd9fd38fdb4a04 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:52:42 +0100
Subject: [PATCH] extensions: Add macro _DEFAULT_SOURCE.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 27de281d8aca8

commit 27de281d8aca84e3c841b3ae72a17616b1382ac4
Author: Varsha Rao <rvarsha016@gmail.com>
Date: Thu Dec 21 09:05:45 2017 +0530

extensions: Add macro _DEFAULT_SOURCE.

Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated.
https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes

This patch fixes the following warning:

warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
_DEFAULT_SOURCE" [-Wcpp]
# warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use
# _DEFAULT_SOURCE"

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_hashlimit.c | 1 +
extensions/libxt_limit.c | 1 +
2 files changed, 2 insertions(+)

diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index c5b8d7795c5e5..6d64017022c00 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -11,6 +11,7 @@
* Error corections by nmalykh@bilim.com (22.01.2005)
*/
#define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
#define _ISOC99_SOURCE 1
#include <math.h>
#include <stdbool.h>
diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index f75ef2f87a74c..183a86e324211 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -4,6 +4,7 @@
* Hervé Eychenne <rv@wallfire.org>
*/
#define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
#define _ISOC99_SOURCE 1
#include <math.h>
#include <stdio.h>
--
2.21.0

42
SOURCES/extensions-Fix-ipvs-vproto-option-printing.patch Normal file
View File

@ -0,0 +1,42 @@
From 21ef09de8df5a448df06a3fb6c7708440fe8b8ac Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 3 Apr 2019 20:19:53 +0200
Subject: [PATCH] extensions: Fix ipvs vproto option printing

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1679726
Upstream Status: iptables commit dd1ad59f0df66

commit dd1ad59f0df66811335c10ed90c33151a658a50e
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Feb 21 20:09:31 2019 +0100

extensions: Fix ipvs vproto option printing

This was broken since day 1: vproto option was printed as 'proto' which
in turn iptables wouldn't accept anymore.

Fixes: c36d05e424069 ("libxt_ipvs: user-space lib for netfilter matcher xt_ipvs")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_ipvs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c
index fe98fef951686..51952be4245b3 100644
--- a/extensions/libxt_ipvs.c
+++ b/extensions/libxt_ipvs.c
@@ -165,7 +165,7 @@ static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data,
if (data->bitmask & XT_IPVS_PROTO) {
if (data->invert & XT_IPVS_PROTO)
printf(" !");
- printf(" %sproto %u", prefix, data->l4proto);
+ printf(" %svproto %u", prefix, data->l4proto);
}
if (data->bitmask & XT_IPVS_VADDR) {
--
2.21.0

57
SOURCES/extensions-Fix-ipvs-vproto-parsing.patch Normal file
View File

@ -0,0 +1,57 @@
From dab2ab10ed0cb30fb454097200f440660a0f3946 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 3 Apr 2019 20:19:53 +0200
Subject: [PATCH] extensions: Fix ipvs vproto parsing

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1679726
Upstream Status: iptables commit fcbdc69e8a750

commit fcbdc69e8a750fe02c9d7c7aced0efc91715132d
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Feb 21 20:09:30 2019 +0100

extensions: Fix ipvs vproto parsing

This was broken by integration into guided option parser:

* Make 'vproto' option XTTYPE_PROTOCOL, otherwise its arguments are
parsed as garbage only.

* Drop O_VPROTO case from ipvs_mt_parse(), due to XTOPT_POINTER() and
above change there is nothing to do for it in there.

Fixes: 372203af4c70f ("libxt_ipvs: use guided option parser")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_ipvs.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c
index a6c57a030d2c6..fe98fef951686 100644
--- a/extensions/libxt_ipvs.c
+++ b/extensions/libxt_ipvs.c
@@ -27,7 +27,7 @@ enum {
static const struct xt_option_entry ipvs_mt_opts[] = {
{.name = "ipvs", .id = O_IPVS, .type = XTTYPE_NONE,
.flags = XTOPT_INVERT},
- {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_STRING,
+ {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_PROTOCOL,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, l4proto)},
{.name = "vaddr", .id = O_VADDR, .type = XTTYPE_HOSTMASK,
.flags = XTOPT_INVERT},
@@ -69,9 +69,6 @@ static void ipvs_mt_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
switch (cb->entry->id) {
- case O_VPROTO:
- data->l4proto = cb->val.protocol;
- break;
case O_VADDR:
memcpy(&data->vaddr, &cb->val.haddr, sizeof(cb->val.haddr));
memcpy(&data->vmask, &cb->val.hmask, sizeof(cb->val.hmask));
--
2.21.0

139
SOURCES/extensions-Initialize-linear-mapping-of-symbols-in-_.patch Normal file
View File

@ -0,0 +1,139 @@
From 861155bef2343e0259469dc8e4acde60e2c6fb91 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 3 Apr 2019 20:29:38 +0200
Subject: [PATCH] extensions: Initialize linear mapping of symbols in _init()
of extension

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075
Upstream Status: iptables commit 56aadc01b258e
Conflicts: Whitespace change due to missing commit f7c26137b0d57
("extensions: libipt_realm: Add translation to nft").

commit 56aadc01b258ef7849463723ab5ddc4885db22f6
Author: Serhey Popovych <serhe.popovych@gmail.com>
Date: Thu Mar 1 13:03:10 2018 +0200

extensions: Initialize linear mapping of symbols in _init() of extension

libxt_devgroup and libipt_realm currently unable to display symbolic
names in save/print commands because linear mapping is not initialized.

It looks bit confusing as linear mapping initialization is done in init()
of extension, which is expected to be called before any other function of
extension.

However init is called only when '-m' option specified on command line,
that is true only for insert, append, replace and destroy iptables
commands.

Move initialization to extension _init() function before calling
any function in extension.

Before:
-------
... src-group 0x1 dst-group 0x2
... src-group 0x2 dst-group 0x1

After:
------
... src-group grp1 dst-group grp2
... src-group grp2 dst-group grp1

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libipt_realm.c | 17 +++++++----------
extensions/libxt_devgroup.c | 17 +++++++----------
2 files changed, 14 insertions(+), 20 deletions(-)

diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index a8d9dda0c00c0..fffb1218db7a6 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -28,17 +28,10 @@ static const struct xt_option_entry realm_opts[] = {
XTOPT_TABLEEND,
};
-/* array of realms from /etc/iproute2/rt_realms */
+static const char f_realms[] = "/etc/iproute2/rt_realms";
+/* array of realms from f_realms[] */
static struct xtables_lmap *realms;
-static void realm_init(struct xt_entry_match *m)
-{
- const char file[] = "/etc/iproute2/rt_realms";
- realms = xtables_lmap_init(file);
- if (realms == NULL && errno != ENOENT)
- fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));
-}
-
static void realm_parse(struct xt_option_call *cb)
{
struct xt_realm_info *realminfo = cb->data;
@@ -114,7 +107,6 @@ static struct xtables_match realm_mt_reg = {
.size = XT_ALIGN(sizeof(struct xt_realm_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)),
.help = realm_help,
- .init = realm_init,
.print = realm_print,
.save = realm_save,
.x6_parse = realm_parse,
@@ -123,5 +115,10 @@ static struct xtables_match realm_mt_reg = {
void _init(void)
{
+ realms = xtables_lmap_init(f_realms);
+ if (realms == NULL && errno != ENOENT)
+ fprintf(stderr, "Warning: %s: %s\n", f_realms,
+ strerror(errno));
+
xtables_register_match(&realm_mt_reg);
}
diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index fb1fcb51c1bb2..ebfa2aee80cf2 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
@@ -31,17 +31,10 @@ static const struct xt_option_entry devgroup_opts[] = {
XTOPT_TABLEEND,
};
-/* array of devgroups from /etc/iproute2/group */
+static const char f_devgroups[] = "/etc/iproute2/group";
+/* array of devgroups from f_devgroups[] */
static struct xtables_lmap *devgroups;
-static void devgroup_init(struct xt_entry_match *match)
-{
- const char file[] = "/etc/iproute2/group";
- devgroups = xtables_lmap_init(file);
- if (devgroups == NULL && errno != ENOENT)
- fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));
-}
-
static void devgroup_parse_groupspec(const char *arg, unsigned int *group,
unsigned int *mask)
{
@@ -157,7 +150,6 @@ static struct xtables_match devgroup_mt_reg = {
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_devgroup_info)),
.userspacesize = XT_ALIGN(sizeof(struct xt_devgroup_info)),
- .init = devgroup_init,
.help = devgroup_help,
.print = devgroup_print,
.save = devgroup_save,
@@ -168,5 +160,10 @@ static struct xtables_match devgroup_mt_reg = {
void _init(void)
{
+ devgroups = xtables_lmap_init(f_devgroups);
+ if (devgroups == NULL && errno != ENOENT)
+ fprintf(stderr, "Warning: %s: %s\n", f_devgroups,
+ strerror(errno));
+
xtables_register_match(&devgroup_mt_reg);
}
--
2.21.0

72
SOURCES/extensions-REJECT-Check-for-array-overrun.patch Normal file
View File

@ -0,0 +1,72 @@
From 20f5f3c0c3b4cebc60af3d2def0ac983f54bfb06 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:52:01 +0100
Subject: [PATCH] extensions: REJECT: Check for array overrun

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: RHEL-only

This might happen in theory if enum ip6t_reject_with was extended in
kernel and some other tool added a rule making use of the new value.

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libip6t_REJECT.c | 8 ++++++++
extensions/libipt_REJECT.c | 8 ++++++++
2 files changed, 16 insertions(+)

diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
index 8085321a6d654..86f2d04296294 100644
--- a/extensions/libip6t_REJECT.c
+++ b/extensions/libip6t_REJECT.c
@@ -104,6 +104,10 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target,
for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
if (reject_table[i].with == reject->with)
break;
+ if (i == ARRAY_SIZE(reject_table))
+ xtables_error(VERSION_PROBLEM,
+ "unknown reject type %d in ruleset",
+ reject->with);
printf(" reject-with %s", reject_table[i].name);
}
@@ -116,6 +120,10 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
if (reject_table[i].with == reject->with)
break;
+ if (i == ARRAY_SIZE(reject_table))
+ xtables_error(VERSION_PROBLEM,
+ "unknown reject type %d in ruleset",
+ reject->with);
printf(" --reject-with %s", reject_table[i].name);
}
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index 362c65ed88e96..5573ebd28022c 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -124,6 +124,10 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target,
for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
if (reject_table[i].with == reject->with)
break;
+ if (i == ARRAY_SIZE(reject_table))
+ xtables_error(VERSION_PROBLEM,
+ "unknown reject type %d in ruleset",
+ reject->with);
printf(" reject-with %s", reject_table[i].name);
}
@@ -136,6 +140,10 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
if (reject_table[i].with == reject->with)
break;
+ if (i == ARRAY_SIZE(reject_table))
+ xtables_error(VERSION_PROBLEM,
+ "unknown reject type %d in ruleset",
+ reject->with);
printf(" --reject-with %s", reject_table[i].name);
}
--
2.21.0

48
SOURCES/extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch Normal file
View File

@ -0,0 +1,48 @@
From 2c7f817f6dc2d74d99248403b0ef7e36bcf060c8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 3 Apr 2019 20:29:38 +0200
Subject: [PATCH] extensions: libxt_devgroup: Fix the path of the group
mappings file

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075
Upstream Status: iptables commit 93ad9ea1b86bd

commit 93ad9ea1b86bdaacffd8e33654abcea3d4e148b2
Author: Ana Rey <anarey@gmail.com>
Date: Thu Sep 18 13:06:42 2014 +0200

extensions: libxt_devgroup: Fix the path of the group mappings file

Use "/etc/iproute2/group" as the default path to the mapping file
instead of "/etc/iproute2/group_map".

Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_devgroup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index 4a69c8229ce4a..fb1fcb51c1bb2 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
@@ -31,12 +31,12 @@ static const struct xt_option_entry devgroup_opts[] = {
XTOPT_TABLEEND,
};
-/* array of devgroups from /etc/iproute2/group_map */
+/* array of devgroups from /etc/iproute2/group */
static struct xtables_lmap *devgroups;
static void devgroup_init(struct xt_entry_match *match)
{
- const char file[] = "/etc/iproute2/group_map";
+ const char file[] = "/etc/iproute2/group";
devgroups = xtables_lmap_init(file);
if (devgroups == NULL && errno != ENOENT)
fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));
--
2.21.0

57
SOURCES/ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch Normal file
View File

@ -0,0 +1,57 @@
From 721bb877b759a0c92e6b019447fd3ee33d123cc0 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] ip{, 6}tables-restore: Fix for uninitialized array 'curtable'

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 4e499d53d558b

commit 4e499d53d558bed55c8fe74390250dbfd6da3efc
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:46 2018 +0200

ip{, 6}tables-restore: Fix for uninitialized array 'curtable'

When reading sufficiently malformed input, parser might hit end of
loop without having written the current table name into curtable and
therefore calling strcmp() with uninitialized buffer. Avoid this by
setting curtable to zero upon declaration.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ip6tables-restore.c | 2 +-
iptables/iptables-restore.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index e2a82c57bd426..d610360a1c1ff 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -192,7 +192,7 @@ int ip6tables_restore_main(int argc, char *argv[])
struct xtc_handle *handle = NULL;
char buffer[10240];
int c, lock;
- char curtable[XT_TABLE_MAXNAMELEN + 1];
+ char curtable[XT_TABLE_MAXNAMELEN + 1] = {};
FILE *in;
int in_table = 0, testing = 0;
const char *tablename = NULL;
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index af0c79408631d..db77fb77b3c98 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -191,7 +191,7 @@ iptables_restore_main(int argc, char *argv[])
struct xtc_handle *handle = NULL;
char buffer[10240];
int c, lock;
- char curtable[XT_TABLE_MAXNAMELEN + 1];
+ char curtable[XT_TABLE_MAXNAMELEN + 1] = {};
FILE *in;
int in_table = 0, testing = 0;
const char *tablename = NULL;
--
2.21.0

7
SOURCES/iptables-config
View File

@ -5,13 +5,6 @@
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped

50
SOURCES/iptables-xml-fix-segfault-if-missing-space-after-A.patch Normal file
View File

@ -0,0 +1,50 @@
From c360c1d2af887c8e614ec152fb64717e56fb472d Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 9 Apr 2019 15:22:44 +0200
Subject: [PATCH] iptables-xml: fix segfault if missing space after -A

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit f53b78e423d82

commit f53b78e423d82b0c71c076480f52edeb5eaec5f8
Author: Phil Oester <kernel@linuxace.com>
Date: Thu Jan 23 22:06:58 2014 -0800

iptables-xml: fix segfault if missing space after -A

As pointed out by Bernhard Reutner-Fischer, a malformed line fed to
iptables-xml such as the below with a missing space after the -A:

-APOSTROUTING -d 1.1.1.1/32 -p tcp -j MASQUERADE

causes a segfault. Patch attached.

This closes netfilter bugzilla #886.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/iptables-xml.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 49f8ea2826181..769f76550b764 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -777,6 +777,11 @@ iptables_xml_main(int argc, char *argv[])
for (a = 0; a < newargc; a++)
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
+ if (!chain) {
+ fprintf(stderr, "%s: line %u failed - no chain found\n",
+ prog_name, line);
+ exit(1);
+ }
needChain(chain);// Should we explicitly look for -A
do_rule(pcnt, bcnt, newargc, newargv, newargvattr);
--
2.21.0

63
SOURCES/iptables.init
View File

@ -43,14 +43,8 @@ if [ ! -x /sbin/$IPTABLES ]; then
exit 5
fi

# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
&& NEW_MODUTILS=1 \
|| NEW_MODUTILS=0

# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
@ -64,10 +58,6 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000
# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

# Netfilter modules
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6

# Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)

@ -83,38 +73,6 @@ if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
IPTABLES_RESTORE_CMD+=" $OPT"
fi

rmmod_r() {
# Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself.
local mod=$1
local ret=0
local ref=

# Get referring modules.
# New modutils have another output format.
[ $NEW_MODUTILS = 1 ] \
&& ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
|| ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)

# recursive call for all referring modules
for i in $ref; do
rmmod_r $i
let ret+=$?;
done

# Unload module.
# The extra test is for 2.6: The module might have autocleaned,
# after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then
modprobe -r $mod > /dev/null 2>&1
res=$?
[ $res -eq 0 ] || echo -n " $mod"
let ret+=$res;
fi

return $ret
}

flush_n_delete() {
local ret=0

@ -290,23 +248,6 @@ stop() {
flush_n_delete
let ret+=$?
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"${IPTABLES}: Unloading modules: "
ret2=0
for mod in ${NF_MODULES[*]}; do
rmmod_r $mod
let ret2+=$?;
done
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
for mod in ${NF_MODULES_COMMON[*]}; do
rmmod_r $mod >/dev/null
done
[ $ret2 -eq 0 ] && success || failure
echo
let ret+=$ret2
fi
rm -f $VAR_SUBSYS_IPTABLES
return $ret
}
@ -357,7 +298,7 @@ save() {
}

status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not running."
return 3
fi
@ -378,7 +319,7 @@ status() {

NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
VERBOSE=
VERBOSE=
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"

2
SOURCES/iptables.service.in
View File

@ -1,5 +1,7 @@
[Unit]
Description=IPv4 firewall with iptables
Before=network-pre.target
Wants=network-pre.target
After=syslog.target
AssertPathExists=/etc/sysconfig/iptables


59
SOURCES/libiptc-Avoid-side-effect-in-memset-calls.patch Normal file
View File

@ -0,0 +1,59 @@
From 72859f25cb799ba4ac0b532c59bd01be70950f00 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libiptc: Avoid side-effect in memset() calls

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit e6f986762667e

commit e6f986762667ee2b2d61e7978d460f28916158a3
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Sep 10 23:35:14 2018 +0200

libiptc: Avoid side-effect in memset() calls

These calls to memset() are passed a length argument which exceeds
t->target.u.user.name's length by one byte and hence overwrite
t->target.u.user.revision as well (relying upon no padding to happen
between both).

Avoid this obscure behaviour by passing the correct field size and
explicitly overwriting 'revision' field.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libiptc/libiptc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index d2427c16a5254..4c0fbd5d7e68c 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1115,8 +1115,9 @@ static inline int iptcc_compile_rule (struct xtc_handle *h, STRUCT_REPLACE *repl
STRUCT_STANDARD_TARGET *t;
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
/* memset for memcmp convenience on delete/replace */
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
+ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN);
strcpy(t->target.u.user.name, STANDARD_TARGET);
+ t->target.u.user.revision = 0;
/* Jumps can only happen to builtin chains, so we
* can safely assume that they always have a header */
t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE;
@@ -1676,8 +1677,9 @@ iptcc_standard_map(struct rule_head *r, int verdict)
return 0;
}
/* memset for memcmp convenience on delete/replace */
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
+ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN);
strcpy(t->target.u.user.name, STANDARD_TARGET);
+ t->target.u.user.revision = 0;
t->verdict = verdict;
r->type = IPTCC_R_STANDARD;
--
2.21.0

44
SOURCES/libiptc-NULL-terminate-errorname.patch Normal file
View File

@ -0,0 +1,44 @@
From 9dfd443c3828a3e9a3cf5cf2afb9f0324bacb19a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libiptc: NULL-terminate errorname

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit a76ba54e28337

commit a76ba54e2833761c46fd57cbe2486cbc38686717
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Sep 24 19:25:22 2018 +0200

libiptc: NULL-terminate errorname

In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence
copying its content into 'error_name' field of struct xt_error_target
which is two bytes shorter may overflow. Make sure this doesn't happen
by using strncpy() and set the last byte to zero.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libiptc/libiptc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index f6a9862ea9f4d..d2427c16a5254 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1149,7 +1149,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
strcpy(head->name.target.u.user.name, ERROR_TARGET);
head->name.target.u.target_size =
ALIGN(sizeof(struct xt_error_target));
- strcpy(head->name.errorname, c->name);
+ strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN);
+ head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0';
} else {
repl->hook_entry[c->hooknum-1] = c->head_offset;
repl->underflow[c->hooknum-1] = c->foot_offset;
--
2.21.0

74
SOURCES/libiptc-Simplify-alloc_handle-function-signature.patch Normal file
View File

@ -0,0 +1,74 @@
From e64b48b46cec83203ff8de80a1c56be2c40b2c7d Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] libiptc: Simplify alloc_handle() function signature

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 22ef371abeeec

commit 22ef371abeeec789bb6a701352dcb961556595c2
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:53 2018 +0200

libiptc: Simplify alloc_handle() function signature

This change originated from covscan complaining about the strcpy() call
with an unknown size source buffer. But in fact, the size is known (and
equal to the destination size), so pass a pointer to STRUCT_GETINFO to
alloc_handle() instead of it's fields separately. Hopefully this will
silence covscan.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libiptc/libiptc.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 1f61fde53f1db..f6a9862ea9f4d 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1269,7 +1269,7 @@ static int iptcc_compile_table(struct xtc_handle *h, STRUCT_REPLACE *repl)
/* Allocate handle of given size */
static struct xtc_handle *
-alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
+alloc_handle(STRUCT_GETINFO *infop)
{
struct xtc_handle *h;
@@ -1280,14 +1280,14 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
}
memset(h, 0, sizeof(*h));
INIT_LIST_HEAD(&h->chains);
- strcpy(h->info.name, tablename);
+ strcpy(h->info.name, infop->name);
- h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size);
+ h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + infop->size);
if (!h->entries)
goto out_free_handle;
- strcpy(h->entries->name, tablename);
- h->entries->size = size;
+ strcpy(h->entries->name, infop->name);
+ h->entries->size = infop->size;
return h;
@@ -1336,8 +1336,8 @@ retry:
DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n",
info.valid_hooks, info.num_entries, info.size);
- if ((h = alloc_handle(info.name, info.size, info.num_entries))
- == NULL) {
+ h = alloc_handle(&info);
+ if (h == NULL) {
close(sockfd);
return NULL;
}
--
2.21.0

42
SOURCES/libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch Normal file
View File

@ -0,0 +1,42 @@
From a7bb46f478443597a7e97e81adb13d9619f4b1a7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libxt_LED: Avoid string overrun while parsing led-trigger-id

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit d0c1f1b4ad4e3

commit d0c1f1b4ad4e3b91220a03514031ee879db832d0
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:48 2018 +0200

libxt_LED: Avoid string overrun while parsing led-trigger-id

Instead of using strcat() and assuming the name will fit, print into the
buffer using snprintf() which truncates the string as needed.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_LED.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/extensions/libxt_LED.c b/extensions/libxt_LED.c
index 8622c379e68bc..6ada795056431 100644
--- a/extensions/libxt_LED.c
+++ b/extensions/libxt_LED.c
@@ -53,8 +53,7 @@ static void LED_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_LED_TRIGGER_ID:
- strcpy(led->id, "netfilter-");
- strcat(led->id, cb->arg);
+ snprintf(led->id, sizeof(led->id), "netfilter-%s", cb->arg);
break;
case O_LED_DELAY:
if (strncasecmp(cb->arg, "inf", 3) == 0)
--
2.21.0

62
SOURCES/libxt_conntrack-Avoid-potential-buffer-overrun.patch Normal file
View File

@ -0,0 +1,62 @@
From de7ba61cf107f43223eeb640267d24e187047c29 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libxt_conntrack: Avoid potential buffer overrun

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 8e798e050367d

commit 8e798e050367dfe43bb958f11dd3170b03bda49e
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:50 2018 +0200

libxt_conntrack: Avoid potential buffer overrun

In print_addr(), a resolved hostname is written into a buffer without
size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an
issue, though covscan complained about it. Fix the code by using
conntrack_dump_addr() as an example.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_conntrack.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 3e7075760d40f..804aa23638ca1 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -673,20 +673,20 @@ static void
print_addr(const struct in_addr *addr, const struct in_addr *mask,
int inv, int numeric)
{
- char buf[BUFSIZ];
-
if (inv)
printf(" !");
if (mask->s_addr == 0L && !numeric)
- printf(" %s", "anywhere");
+ printf(" anywhere");
else {
if (numeric)
- strcpy(buf, xtables_ipaddr_to_numeric(addr));
+ printf(" %s%s",
+ xtables_ipaddr_to_numeric(addr),
+ xtables_ipmask_to_numeric(mask));
else
- strcpy(buf, xtables_ipaddr_to_anyname(addr));
- strcat(buf, xtables_ipmask_to_numeric(mask));
- printf(" %s", buf);
+ printf(" %s%s",
+ xtables_ipaddr_to_anyname(addr),
+ xtables_ipmask_to_numeric(mask));
}
}
--
2.21.0

50
SOURCES/libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch Normal file
View File

@ -0,0 +1,50 @@
From c923062439297cbf5b08429123ba214b4efc8798 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:34 +0100
Subject: [PATCH] libxt_conntrack: Version 0 does not support
XT_CONNTRACK_DIRECTION

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 74eb2395c8384

commit 74eb2395c838460384286c2b95f711ae275a46cb
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:49 2018 +0200

libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION

Since sinfo->flags is only 8 bytes large, checking for
XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return
false, so drop this dead code.

Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_conntrack.c | 8 --------
1 file changed, 8 deletions(-)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 128bbd20a34c2..3e7075760d40f 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -774,14 +774,6 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric,
else
printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max);
}
-
- if (sinfo->flags & XT_CONNTRACK_DIRECTION) {
- if (sinfo->invflags & XT_CONNTRACK_DIRECTION)
- printf(" %sctdir REPLY", optpfx);
- else
- printf(" %sctdir ORIGINAL", optpfx);
- }
-
}
static void
--
2.21.0

77
SOURCES/libxt_ipvs-Avoid-potential-buffer-overrun.patch Normal file
View File

@ -0,0 +1,77 @@
From 0bf795555728e54db2593a73f90d7820cf3ef4c6 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:34 +0100
Subject: [PATCH] libxt_ipvs: Avoid potential buffer overrun

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 749d3c2ecd6a9

commit 749d3c2ecd6a9dc21f5a442c44495cb705621dff
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:51 2018 +0200

libxt_ipvs: Avoid potential buffer overrun

Just like with libxt_conntrack, get rid of the temporary buffer. The
comment even states that it was copied from there, so just make them
identical again.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_ipvs.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c
index 46727660a027a..a6c57a030d2c6 100644
--- a/extensions/libxt_ipvs.c
+++ b/extensions/libxt_ipvs.c
@@ -126,19 +126,19 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr,
const union nf_inet_addr *mask,
unsigned int family, bool numeric)
{
- char buf[BUFSIZ];
-
if (family == NFPROTO_IPV4) {
if (!numeric && addr->ip == 0) {
printf(" anywhere");
return;
}
if (numeric)
- strcpy(buf, xtables_ipaddr_to_numeric(&addr->in));
+ printf(" %s%s",
+ xtables_ipaddr_to_numeric(&addr->in),
+ xtables_ipmask_to_numeric(&mask->in));
else
- strcpy(buf, xtables_ipaddr_to_anyname(&addr->in));
- strcat(buf, xtables_ipmask_to_numeric(&mask->in));
- printf(" %s", buf);
+ printf(" %s%s",
+ xtables_ipaddr_to_anyname(&addr->in),
+ xtables_ipmask_to_numeric(&mask->in));
} else if (family == NFPROTO_IPV6) {
if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 &&
addr->ip6[2] == 0 && addr->ip6[3] == 0) {
@@ -146,11 +146,13 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr,
return;
}
if (numeric)
- strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6));
+ printf(" %s%s",
+ xtables_ip6addr_to_numeric(&addr->in6),
+ xtables_ip6mask_to_numeric(&mask->in6));
else
- strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6));
- strcat(buf, xtables_ip6mask_to_numeric(&mask->in6));
- printf(" %s", buf);
+ printf(" %s%s",
+ xtables_ip6addr_to_anyname(&addr->in6),
+ xtables_ip6mask_to_numeric(&mask->in6));
}
}
--
2.21.0

54
SOURCES/libxt_recent-Remove-ineffective-checks-for-info-name.patch Normal file
View File

@ -0,0 +1,54 @@
From 61fd4ee73f2a23eeb2b10b24d19ac13deaf0c177 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libxt_recent: Remove ineffective checks for info->name

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit d0e3d95fa3442

commit d0e3d95fa3442c6ff32f7fed3e0d2eeb2248ef9f
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Oct 20 13:24:36 2017 +0200

libxt_recent: Remove ineffective checks for info->name

In struct xt_recent_mtinfo{,_v1}, field 'name' is an array, not a
pointer. So there is no point in comparing it against NULL. Changing the
check to make sure it's content is not an empty string is pointless
either, since a non-empty default string is used and the argument parser
will refuse empty strings as --name argument. So simply get rid of the
checks altogether.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_recent.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index e1801f1c18952..055ae35080346 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -199,7 +199,7 @@ static void recent_print(const void *ip, const struct xt_entry_match *match,
if(info->hit_count) printf(" hit_count: %d", info->hit_count);
if (info->check_set & XT_RECENT_TTL)
printf(" TTL-Match");
- if(info->name) printf(" name: %s", info->name);
+ printf(" name: %s", info->name);
if (info->side == XT_RECENT_SOURCE)
printf(" side: source");
if (info->side == XT_RECENT_DEST)
@@ -239,7 +239,7 @@ static void recent_save(const void *ip, const struct xt_entry_match *match,
if(info->hit_count) printf(" --hitcount %d", info->hit_count);
if (info->check_set & XT_RECENT_TTL)
printf(" --rttl");
- if(info->name) printf(" --name %s",info->name);
+ printf(" --name %s",info->name);
switch(family) {
case NFPROTO_IPV4:
--
2.21.0

51
SOURCES/libxt_sctp-fix-array-out-of-range-in-print_chunk.patch Normal file
View File

@ -0,0 +1,51 @@
From db1fcba4cade70fd86e615246bb03acd94cc4cd9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] libxt_sctp: fix array out of range in print_chunk

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 71de414c21f7f
Conflicts: Dropped changes to non-existing libxt_sctp.t.

commit 71de414c21f7f31270e5d62e782e52257e5c3d06
Author: huaibin Wang <huaibin.wang@6wind.com>
Date: Mon Nov 13 14:27:54 2017 +0100

libxt_sctp: fix array out of range in print_chunk

For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type
is not equal to the corresponding index in sctp_chunk_names[]. Using this field
leads to a segmentation fault (index out of range).

Example
$ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Segmentation fault

Signed-off-by: huaibin Wang <huaibin.wang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_sctp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 56a4cdf229390..cfd4c12330479 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -370,7 +370,7 @@ print_chunk(uint32_t chunknum, int numeric)
for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i)
if (sctp_chunk_names[i].chunk_type == chunknum)
- printf("%s", sctp_chunk_names[chunknum].name);
+ printf("%s", sctp_chunk_names[i].name);
}
}
--
2.21.0

46
SOURCES/libxt_string-Avoid-potential-array-out-of-bounds-acc.patch Normal file
View File

@ -0,0 +1,46 @@
From d9b22d809995f16b2bc988c8f72d70a5cd3e86d1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] libxt_string: Avoid potential array out of bounds access

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 56d7ab42f3782

commit 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Sep 10 23:35:16 2018 +0200

libxt_string: Avoid potential array out of bounds access

The pattern index variable 'sindex' is bounds checked before
incrementing it, which means in the next loop iteration it might already
match the bounds check condition but is used anyway.

Fix this by incrementing the index before performing the bounds check.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_string.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index fb15980e4a73f..d298c6a7081e7 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info)
info->pattern[sindex] = s[i];
i++;
}
- if (sindex > XT_STRING_MAX_PATTERN_SIZE)
+ if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
- sindex++;
}
info->patlen = sindex;
}
--
2.21.0

62
SOURCES/libxt_string-Fix-array-out-of-bounds-check.patch Normal file
View File

@ -0,0 +1,62 @@
From 5790cacab5a3fd7bde26056fa0f8b4650bd21bb7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] libxt_string: Fix array out of bounds check

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 6fc7762f6f785

commit 6fc7762f6f78526e3cb0c189ac2778a6be4c00b5
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Sep 17 13:38:33 2018 +0200

libxt_string: Fix array out of bounds check

Commit 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds
access") tried to fix parse_hex_string() for overlong strings but the
change still allowed for 'sindex' to become XT_STRING_MAX_PATTERN_SIZE
which leads to access of first byte after info->pattern. This is not
really a problem because it merely overwrites info->patlen before
calling xtables_error() later, but covscan still detects it so it's
still worth fixing.

The crucial bit here is that 'sindex' has to be incremented at end of
the last iteration since its value is used for info->patlen. Hence just
move the overflow check to the beginning of the loop.

Fixes: 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds access")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_string.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index d298c6a7081e7..7c6366cbbf1b3 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -103,6 +103,9 @@ parse_hex_string(const char *s, struct xt_string_info *info)
}
while (i < slen) {
+ if (sindex >= XT_STRING_MAX_PATTERN_SIZE)
+ xtables_error(PARAMETER_PROBLEM,
+ "STRING too long \"%s\"", s);
if (s[i] == '\\' && !hex_f) {
literal_f = 1;
} else if (s[i] == '\\') {
@@ -159,8 +162,7 @@ parse_hex_string(const char *s, struct xt_string_info *info)
info->pattern[sindex] = s[i];
i++;
}
- if (++sindex > XT_STRING_MAX_PATTERN_SIZE)
- xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s);
+ sindex++;
}
info->patlen = sindex;
}
--
2.21.0

59
SOURCES/libxt_time-Drop-initialization-of-variable-year.patch Normal file
View File

@ -0,0 +1,59 @@
From c6d6426921160fb554871fbe201722963f8a917c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] libxt_time: Drop initialization of variable 'year'

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 6b7145fa2112e

commit 6b7145fa2112e257073cc44346e9891fa23ce9c2
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:52 2018 +0200

libxt_time: Drop initialization of variable 'year'

The variable is not read before being assigned the return value of
strtoul(), thefore the initialization is useless. And since after this
change parameter 'end' becomes unused, drop it as well.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libxt_time.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 9c5bda88c1c78..5a8cc5de13031 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -88,10 +88,10 @@ static void time_init(struct xt_entry_match *m)
info->date_stop = INT_MAX;
}
-static time_t time_parse_date(const char *s, bool end)
+static time_t time_parse_date(const char *s)
{
unsigned int month = 1, day = 1, hour = 0, minute = 0, second = 0;
- unsigned int year = end ? 2038 : 1970;
+ unsigned int year;
const char *os = s;
struct tm tm;
time_t ret;
@@ -265,10 +265,10 @@ static void time_parse(struct xt_option_call *cb)
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_DATE_START:
- info->date_start = time_parse_date(cb->arg, false);
+ info->date_start = time_parse_date(cb->arg);
break;
case O_DATE_STOP:
- info->date_stop = time_parse_date(cb->arg, true);
+ info->date_stop = time_parse_date(cb->arg);
break;
case O_TIME_START:
info->daytime_start = time_parse_minutes(cb->arg);
--
2.21.0

91
SOURCES/libxtables-Avoid-calling-memcpy-with-NULL-source.patch Normal file
View File

@ -0,0 +1,91 @@
From 3f4e13d60ddbb61bc3256221a98f5c5a954f6f5c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libxtables: Avoid calling memcpy() with NULL source

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit ab639f236ff85

commit ab639f236ff85d2f447cc6601c7ff42cefdaf853
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:54 2018 +0200

libxtables: Avoid calling memcpy() with NULL source

Both affected functions check if 'oldopts' is NULL once but later seem
to ignore that possibility. To catch up on that, increment the pointer
only if it isn't NULL, also don't copy its content into the merged
options buffer in that case.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtables.c | 12 ++++++++----
libxtables/xtoptions.c | 12 ++++++++----
2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 4a014e48a9f45..cf9a59d5ec095 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -119,8 +119,10 @@ struct option *xtables_merge_options(struct option *orig_opts,
* Since @oldopts also has @orig_opts already (and does so at the
* start), skip these entries.
*/
- oldopts += num_oold;
- num_old -= num_oold;
+ if (oldopts != NULL) {
+ oldopts += num_oold;
+ num_old -= num_oold;
+ }
merge = malloc(sizeof(*mp) * (num_oold + num_old + num_new + 1));
if (merge == NULL)
@@ -139,8 +141,10 @@ struct option *xtables_merge_options(struct option *orig_opts,
mp->val += *option_offset;
/* Third, the old options */
- memcpy(mp, oldopts, sizeof(*mp) * num_old);
- mp += num_old;
+ if (oldopts != NULL) {
+ memcpy(mp, oldopts, sizeof(*mp) * num_old);
+ mp += num_old;
+ }
xtables_free_opts(0);
/* Clear trailing entry */
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 1ad4cb57f5836..1d3fda73dedf7 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -91,8 +91,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
* Since @oldopts also has @orig_opts already (and does so at the
* start), skip these entries.
*/
- oldopts += num_orig;
- num_old -= num_orig;
+ if (oldopts != NULL) {
+ oldopts += num_orig;
+ num_old -= num_orig;
+ }
merge = malloc(sizeof(*mp) * (num_orig + num_old + num_new + 1));
if (merge == NULL)
@@ -114,8 +116,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
}
/* Third, the old options */
- memcpy(mp, oldopts, sizeof(*mp) * num_old);
- mp += num_old;
+ if (oldopts != NULL) {
+ memcpy(mp, oldopts, sizeof(*mp) * num_old);
+ mp += num_old;
+ }
xtables_free_opts(0);
/* Clear trailing entry */
--
2.21.0

57
SOURCES/libxtables-Check-extension-real_name-length.patch Normal file
View File

@ -0,0 +1,57 @@
From e4dd398938aed75397463aed36fc03f9d754bf29 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libxtables: Check extension real_name length

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit a3716cc1a501e

commit a3716cc1a501e40e26a96d78b2e1285bb081f366
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Sep 24 19:25:21 2018 +0200

libxtables: Check extension real_name length

Just like with 'name', if given check 'real_name' to not exceed max length.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtables.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 575f7ee0a0d78..4a014e48a9f45 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -839,6 +839,12 @@ void xtables_register_match(struct xtables_match *me)
exit(1);
}
+ if (me->real_name && strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) {
+ fprintf(stderr, "%s: match `%s' has invalid real name\n",
+ xt_params->program_name, me->real_name);
+ exit(1);
+ }
+
if (me->family >= NPROTO) {
fprintf(stderr,
"%s: BUG: match %s has invalid protocol family\n",
@@ -997,6 +1003,12 @@ void xtables_register_target(struct xtables_target *me)
exit(1);
}
+ if (me->real_name && strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) {
+ fprintf(stderr, "%s: target `%s' has invalid real name\n",
+ xt_params->program_name, me->real_name);
+ exit(1);
+ }
+
if (me->family >= NPROTO) {
fprintf(stderr,
"%s: BUG: target %s has invalid protocol family\n",
--
2.21.0

42
SOURCES/libxtables-Don-t-read-garbage-in-xtables_strtoui.patch Normal file
View File

@ -0,0 +1,42 @@
From 6052b28839968d5077c182e6defa260e68147547 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] libxtables: Don't read garbage in xtables_strtoui()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 61ebf3f72ac62

commit 61ebf3f72ac62d887414c50fc83e277386f54e8f
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:55 2018 +0200

libxtables: Don't read garbage in xtables_strtoui()

If xtables_strtoul() fails, it returns false and data pointed to by
parameter 'value' is undefined. Hence avoid copying that data in
xtables_strtoui() if the call failed.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index fb60c01b48c05..575f7ee0a0d78 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -473,7 +473,7 @@ bool xtables_strtoui(const char *s, char **end, unsigned int *value,
bool ret;
ret = xtables_strtoul(s, end, &v, min, max);
- if (value != NULL)
+ if (ret && value != NULL)
*value = v;
return ret;
}
--
2.21.0

42
SOURCES/libxtables-Fix-potential-array-overrun-in-xtables_op.patch Normal file
View File

@ -0,0 +1,42 @@
From f958c3a78f14140e7ee983c3698918fe35f1a7af Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] libxtables: Fix potential array overrun in
xtables_option_parse()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 4144571f87c09

commit 4144571f87c094471419ef59e8bb89ef33cd1365
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Sep 10 23:35:13 2018 +0200

libxtables: Fix potential array overrun in xtables_option_parse()

If entry->type is to be used as array index, it needs to be at max one
less than that array's size.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtoptions.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 78e9abd6a3f47..0c63c2d372dea 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -864,7 +864,7 @@ void xtables_option_parse(struct xt_option_call *cb)
* a *RC option type.
*/
cb->nvals = 1;
- if (entry->type <= ARRAY_SIZE(xtopt_subparse) &&
+ if (entry->type < ARRAY_SIZE(xtopt_subparse) &&
xtopt_subparse[entry->type] != NULL)
xtopt_subparse[entry->type](cb);
/* Exclusion with other flags tested later in finalize. */
--
2.21.0

71
SOURCES/libxtables-Use-posix_spawn-instead-of-vfork.patch Normal file
View File

@ -0,0 +1,71 @@
From fbcd6c97015324480f843c08da338c9d580b2b31 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libxtables: Use posix_spawn() instead of vfork()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit d95c1e8b65c4e

commit d95c1e8b65c4ec66b8fcd2f7ede257853a888750
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:17:05 2018 +0200

libxtables: Use posix_spawn() instead of vfork()

According to covscan, vfork() may lead to a deadlock in the parent
process. It suggests to use posix_spawn() instead. Since the latter
combines vfork() and exec() calls, use it for xtables_insmod().

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtables.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index bca9863acc566..7210d3706bf26 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -21,6 +21,7 @@
#include <fcntl.h>
#include <inttypes.h>
#include <netdb.h>
+#include <spawn.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
@@ -343,6 +344,7 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
char *buf = NULL;
char *argv[4];
int status;
+ pid_t pid;
/* If they don't explicitly set it, read out of kernel */
if (!modprobe) {
@@ -363,18 +365,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
*/
fflush(stdout);
- switch (vfork()) {
- case 0:
- execv(argv[0], argv);
-
- /* not usually reached */
- _exit(1);
- case -1:
+ if (posix_spawn(&pid, argv[0], NULL, NULL, argv, NULL)) {
free(buf);
return -1;
-
- default: /* parent */
- wait(&status);
+ } else {
+ waitpid(pid, &status, 0);
}
free(buf);
--
2.21.0

102
SOURCES/libxtables-move-some-code-to-avoid-cautions-in-vfork.patch Normal file
View File

@ -0,0 +1,102 @@
From 0d89bdef1e7f698787967bffed5c413ef0dee761 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libxtables: move some code to avoid cautions in vfork man
page

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 78683093cf4f0

commit 78683093cf4f059531e5f929a4884ffaecb8411c
Author: Dan Wilder <dan.wilder@watchguard.com>
Date: Sat Oct 25 00:51:59 2014 +0200

libxtables: move some code to avoid cautions in vfork man page

Running iptables-restore on an embedded platform containing no modprobe program, the following lines in xtables.c lead to corrupted stack frame:

357 switch (vfork()) {
358 case 0:
359 argv[0] = (char *)modprobe;
360 argv[1] = (char *)modname;
361 if (quiet) {
362 argv[2] = "-q";
363 argv[3] = NULL;
364 } else {
365 argv[2] = NULL;
366 argv[3] = NULL;
367 }
368 execv(argv[0], argv);
369
370 /* not usually reached */
371 exit(1);

modprobe pointed to a non-existant program /sbin/modprobe, so execv()
always failed. Not a problem in itself on our platform, as the kernel
modules are pre-loaded before iptables-restore is run, but it took a
bit of headscratching to track this down, as a stack frame was
corrupted, leading to failures quite a while after the function
containing this code had returned!

Relevant caution in man 2 vfork:

"The vfork() function has the same effect as fork(2), except that
the behavior is undefined if the process created by vfork() either
modifies any data ... or calls any other function before
successfully calling _exit(2) or one of the exec(3) family of
functions."

Apparently this has not been a problem for us in earlier versions of
glibc, maybe because vfork was more like fork, maybe because the
stack corruption was innocuous. Ours is a corner case anyway, as
it might not have been a problem had modprobe existed or had
modprobe been a symlink to /bin/true. But it seems odd to disregard
man page cautions, and our problem goes away if they are heeded.

Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtables.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index cf9a59d5ec095..bca9863acc566 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -352,6 +352,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
modprobe = buf;
}
+ argv[0] = (char *)modprobe;
+ argv[1] = (char *)modname;
+ argv[2] = quiet ? "-q" : NULL;
+ argv[3] = NULL;
+
/*
* Need to flush the buffer, or the child may output it again
* when switching the program thru execv.
@@ -360,19 +365,10 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
switch (vfork()) {
case 0:
- argv[0] = (char *)modprobe;
- argv[1] = (char *)modname;
- if (quiet) {
- argv[2] = "-q";
- argv[3] = NULL;
- } else {
- argv[2] = NULL;
- argv[3] = NULL;
- }
execv(argv[0], argv);
/* not usually reached */
- exit(1);
+ _exit(1);
case -1:
free(buf);
return -1;
--
2.21.0

46
SOURCES/list-fix-prefetch-dummy.patch Normal file
View File

@ -0,0 +1,46 @@
From 9db248f030af87e336b5880fc39e37a5beb7f291 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:52:42 +0100
Subject: [PATCH] list: fix prefetch dummy

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 86a65af62b6b9

commit 86a65af62b6b986aa2ae3cbf3c655ea8225b027a
Author: Arturo Borrero <arturo.borrero.glez@gmail.com>
Date: Mon Apr 6 20:05:41 2015 +0200

list: fix prefetch dummy

linux_list.h:381:59: warning: right-hand operand of comma expression has no effect [-Wunused-value]
for (pos = list_entry((head)->next, typeof(*pos), member), \
^
libiptc.c:552:2: note: in expansion of macro 'list_for_each_entry'
list_for_each_entry(c, &h->chains, list) {
^

[ Patch copied from one similar of Patrick McHardy on libnftnl ]

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libiptc/linux_list.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libiptc/linux_list.h b/libiptc/linux_list.h
index abdcf88dadd64..559e33c9ebde0 100644
--- a/libiptc/linux_list.h
+++ b/libiptc/linux_list.h
@@ -27,7 +27,7 @@
1; \
})
-#define prefetch(x) 1
+#define prefetch(x) ((void)0)
/* empty define to make this work in userspace -HW */
#define smp_wmb()
--
2.21.0

47
SOURCES/man-iptables-save-Add-note-about-module-autoloading.patch Normal file
View File

@ -0,0 +1,47 @@
From d9db0c35351a960a141e9ddc30cf6f09c9c27c8b Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 18 Apr 2019 13:29:43 +0200
Subject: [PATCH] man: iptables-save: Add note about module autoloading

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1691380
Upstream Status: iptables commit 3390007a11cbc

commit 3390007a11cbc45de1522f99ae751a3c5d55dd6f
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Mar 26 19:03:43 2019 +0100

man: iptables-save: Add note about module autoloading

Using '-t' parameter in iptables-save might lead to kernel module
loading, just like with iptables itself. Copy the hint from iptables.8
to inform users.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/iptables-save.8.in | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 4091c0a595575..c3f1bd2152c58 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -44,8 +44,11 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path.
include the current values of all packet and byte counters in the output
.TP
\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
-available tables.
+restrict output to only one table. If the kernel is configured with automatic
+module loading, an attempt will be made to load the appropriate module for
+that table if it is not already there.
+.br
+If not specified, output includes all available tables.
.SH BUGS
None known as of iptables-1.2.1 release
.SH AUTHORS
--
2.21.0

43
SOURCES/nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch Normal file
View File

@ -0,0 +1,43 @@
From 4103f34690e1380c0ad4831b80ad913ea980eab4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] nfnl_osf: Drop pointless check in xt_osf_strchr()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 8c786a351a441

commit 8c786a351a441ff23ad5d9d1da8cec492f88f542
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:42 2018 +0200

nfnl_osf: Drop pointless check in xt_osf_strchr()

Although it remains unclear what the original intention behind the
affected code was, but 'tmp + 1' always evaluates true since 'tmp' is a
pointer value.

Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
utils/nfnl_osf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index 0f8b35b805016..9a9fbe1268155 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -141,7 +141,7 @@ static char *xt_osf_strchr(char *ptr, char c)
if (tmp)
*tmp = '\0';
- while (tmp && tmp + 1 && isspace(*(tmp + 1)))
+ while (tmp && isspace(*(tmp + 1)))
tmp++;
return tmp;
--
2.21.0

40
SOURCES/nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch Normal file
View File

@ -0,0 +1,40 @@
From 4ee53b682e3ebb9a809007ec907f65ccfe4a1342 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:50:10 +0100
Subject: [PATCH] nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit 52aa15098ebd6

commit 52aa15098ebd62eaca9eb3c57c240df2455d8e9b
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:56 2018 +0200

nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()

This eliminates the deprecation warning when compiling the sources.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
utils/nfnl_osf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index 972128f47ba04..c67485ee698b1 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -384,7 +384,7 @@ static int osf_load_line(char *buffer, int len, int del)
nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger));
- return nfnl_talk(nfnlh, nmh, 0, 0, NULL, NULL, NULL);
+ return nfnl_query(nfnlh, nmh);
}
static int osf_load_entries(char *path, int del)
--
2.21.0

568
SOURCES/xshared-Consolidate-argv-construction-routines.patch Normal file
View File

@ -0,0 +1,568 @@
From fc87d26b0343a5fbe661acc967f7a7c316531ca5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 3 Apr 2019 20:16:49 +0200
Subject: [PATCH] xshared: Consolidate argv construction routines

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1668475
Upstream Status: iptables commit a2ed880a19d08
Conflicts:
* Context change due to missing commit 2963a8df2175b
("iptables: Remove explicit static variables initalization.").
* Context change due to missing commit 1cc09188079a6
("xshared: Consolidate parse_counters()").
* Context change due to previously backported commit 8da04ffdca193
("Share print_ipv{4,6}_addr() from xtables").
* Dropped changes to non-existing file iptables/xtables-restore.c.

commit a2ed880a19d0861342b3515721804b18d698bf44
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Aug 2 17:05:17 2018 +0200

xshared: Consolidate argv construction routines

Implementations were equal in {ip,ip6,x}tables-restore.c. The one in
iptables-xml.c differed slightly. For now, collect all features
together. Maybe it would make sense to migrate iptables-xml.c to using
add_param_to_argv() at some point and therefore extend the latter to
store whether a given parameter was quoted or not.

While being at it, a few improvements were done:

* free_argv() now also resets 'newargc' variable, so users don't have to
do that anymore.
* Indenting level in add_param_to_argv() was reduced a bit.
* That long error message is put into a single line to aid in grepping
for it.
* Explicit call to exit() after xtables_error() is removed since the
latter does not return anyway.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ip6tables-restore.c | 107 ++----------------------------
iptables/iptables-restore.c | 107 ++----------------------------
iptables/iptables-xml.c | 63 ------------------
iptables/xshared.c | 123 +++++++++++++++++++++++++++++++++++
iptables/xshared.h | 13 ++++
5 files changed, 150 insertions(+), 263 deletions(-)

diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index 611430d930eda..1f8cb43286f03 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -91,96 +91,6 @@ static int parse_counters(char *string, struct xt_counters *ctr)
return ret == 2;
}
-/* global new argv and argc */
-static char *newargv[255];
-static int newargc;
-
-/* function adding one argument to newargv, updating newargc
- * returns true if argument added, false otherwise */
-static int add_argv(char *what) {
- DEBUGP("add_argv: %s\n", what);
- if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
- newargv[newargc] = strdup(what);
- newargv[++newargc] = NULL;
- return 1;
- } else {
- xtables_error(PARAMETER_PROBLEM,
- "Parser cannot handle more arguments\n");
- return 0;
- }
-}
-
-static void free_argv(void) {
- int i;
-
- for (i = 0; i < newargc; i++)
- free(newargv[i]);
-}
-
-static void add_param_to_argv(char *parsestart)
-{
- int quote_open = 0, escaped = 0, param_len = 0;
- char param_buffer[1024], *curchar;
-
- /* After fighting with strtok enough, here's now
- * a 'real' parser. According to Rusty I'm now no
- * longer a real hacker, but I can live with that */
-
- for (curchar = parsestart; *curchar; curchar++) {
- if (quote_open) {
- if (escaped) {
- param_buffer[param_len++] = *curchar;
- escaped = 0;
- continue;
- } else if (*curchar == '\\') {
- escaped = 1;
- continue;
- } else if (*curchar == '"') {
- quote_open = 0;
- *curchar = ' ';
- } else {
- param_buffer[param_len++] = *curchar;
- continue;
- }
- } else {
- if (*curchar == '"') {
- quote_open = 1;
- continue;
- }
- }
-
- if (*curchar == ' '
- || *curchar == '\t'
- || * curchar == '\n') {
- if (!param_len) {
- /* two spaces? */
- continue;
- }
-
- param_buffer[param_len] = '\0';
-
- /* check if table name specified */
- if (!strncmp(param_buffer, "-t", 2)
- || !strncmp(param_buffer, "--table", 8)) {
- xtables_error(PARAMETER_PROBLEM,
- "The -t option (seen in line %u) cannot be "
- "used in ip6tables-restore.\n", line);
- exit(1);
- }
-
- add_argv(param_buffer);
- param_len = 0;
- } else {
- /* regular character, copy to buffer */
- param_buffer[param_len++] = *curchar;
-
- if (param_len >= sizeof(param_buffer))
- xtables_error(PARAMETER_PROBLEM,
- "Parameter too long!");
- }
- }
-}
-
int ip6tables_restore_main(int argc, char *argv[])
{
struct xtc_handle *handle = NULL;
@@ -425,9 +335,6 @@ int ip6tables_restore_main(int argc, char *argv[])
char *bcnt = NULL;
char *parsestart;
- /* reset the newargv */
- newargc = 0;
-
if (buffer[0] == '[') {
/* we have counters in our input */
char *ptr = strchr(buffer, ']');
@@ -456,17 +363,17 @@ int ip6tables_restore_main(int argc, char *argv[])
parsestart = buffer;
}
- add_argv(argv[0]);
- add_argv("-t");
- add_argv(curtable);
+ add_argv(argv[0], 0);
+ add_argv("-t", 0);
+ add_argv(curtable, 0);
if (counters && pcnt && bcnt) {
- add_argv("--set-counters");
- add_argv((char *) pcnt);
- add_argv((char *) bcnt);
+ add_argv("--set-counters", 0);
+ add_argv((char *) pcnt, 0);
+ add_argv((char *) bcnt, 0);
}
- add_param_to_argv(parsestart);
+ add_param_to_argv(parsestart, line);
DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
newargc, curtable);
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index b0da96d45d297..615e38a6625e0 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -89,96 +89,6 @@ static int parse_counters(char *string, struct xt_counters *ctr)
return ret == 2;
}
-/* global new argv and argc */
-static char *newargv[255];
-static int newargc;
-
-/* function adding one argument to newargv, updating newargc
- * returns true if argument added, false otherwise */
-static int add_argv(char *what) {
- DEBUGP("add_argv: %s\n", what);
- if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
- newargv[newargc] = strdup(what);
- newargv[++newargc] = NULL;
- return 1;
- } else {
- xtables_error(PARAMETER_PROBLEM,
- "Parser cannot handle more arguments\n");
- return 0;
- }
-}
-
-static void free_argv(void) {
- int i;
-
- for (i = 0; i < newargc; i++)
- free(newargv[i]);
-}
-
-static void add_param_to_argv(char *parsestart)
-{
- int quote_open = 0, escaped = 0, param_len = 0;
- char param_buffer[1024], *curchar;
-
- /* After fighting with strtok enough, here's now
- * a 'real' parser. According to Rusty I'm now no
- * longer a real hacker, but I can live with that */
-
- for (curchar = parsestart; *curchar; curchar++) {
- if (quote_open) {
- if (escaped) {
- param_buffer[param_len++] = *curchar;
- escaped = 0;
- continue;
- } else if (*curchar == '\\') {
- escaped = 1;
- continue;
- } else if (*curchar == '"') {
- quote_open = 0;
- *curchar = ' ';
- } else {
- param_buffer[param_len++] = *curchar;
- continue;
- }
- } else {
- if (*curchar == '"') {
- quote_open = 1;
- continue;
- }
- }
-
- if (*curchar == ' '
- || *curchar == '\t'
- || * curchar == '\n') {
- if (!param_len) {
- /* two spaces? */
- continue;
- }
-
- param_buffer[param_len] = '\0';
-
- /* check if table name specified */
- if (!strncmp(param_buffer, "-t", 2)
- || !strncmp(param_buffer, "--table", 8)) {
- xtables_error(PARAMETER_PROBLEM,
- "The -t option (seen in line %u) cannot be "
- "used in iptables-restore.\n", line);
- exit(1);
- }
-
- add_argv(param_buffer);
- param_len = 0;
- } else {
- /* regular character, copy to buffer */
- param_buffer[param_len++] = *curchar;
-
- if (param_len >= sizeof(param_buffer))
- xtables_error(PARAMETER_PROBLEM,
- "Parameter too long!");
- }
- }
-}
-
int
iptables_restore_main(int argc, char *argv[])
{
@@ -424,9 +334,6 @@ iptables_restore_main(int argc, char *argv[])
char *bcnt = NULL;
char *parsestart;
- /* reset the newargv */
- newargc = 0;
-
if (buffer[0] == '[') {
/* we have counters in our input */
char *ptr = strchr(buffer, ']');
@@ -455,17 +362,17 @@ iptables_restore_main(int argc, char *argv[])
parsestart = buffer;
}
- add_argv(argv[0]);
- add_argv("-t");
- add_argv(curtable);
+ add_argv(argv[0], 0);
+ add_argv("-t", 0);
+ add_argv(curtable, 0);
if (counters && pcnt && bcnt) {
- add_argv("--set-counters");
- add_argv((char *) pcnt);
- add_argv((char *) bcnt);
+ add_argv("--set-counters", 0);
+ add_argv((char *) pcnt, 0);
+ add_argv((char *) bcnt, 0);
}
- add_param_to_argv(parsestart);
+ add_param_to_argv(parsestart, line);
DEBUGP("calling do_command4(%u, argv, &%s, handle):\n",
newargc, curtable);
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index c523a132b2240..49f8ea2826181 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -66,16 +66,6 @@ parse_counters(char *string, struct xt_counters *ctr)
return (0 == 2);
}
-/* global new argv and argc */
-static char *newargv[255];
-static unsigned int newargc = 0;
-
-static char *oldargv[255];
-static unsigned int oldargc = 0;
-
-/* arg meta data, were they quoted, frinstance */
-static int newargvattr[255];
-
#define XT_CHAIN_MAXNAMELEN XT_TABLE_MAXNAMELEN
static char closeActionTag[XT_TABLE_MAXNAMELEN + 1];
static char closeRuleTag[XT_TABLE_MAXNAMELEN + 1];
@@ -93,56 +83,6 @@ struct chain {
static struct chain chains[maxChains];
static int nextChain = 0;
-/* funCtion adding one argument to newargv, updating newargc
- * returns true if argument added, false otherwise */
-static int
-add_argv(char *what, int quoted)
-{
- DEBUGP("add_argv: %d %s\n", newargc, what);
- if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
- newargv[newargc] = strdup(what);
- newargvattr[newargc] = quoted;
- newargc++;
- return 1;
- } else
- return 0;
-}
-
-static void
-free_argv(void)
-{
- unsigned int i;
-
- for (i = 0; i < newargc; i++) {
- free(newargv[i]);
- newargv[i] = NULL;
- }
- newargc = 0;
-
- for (i = 0; i < oldargc; i++) {
- free(oldargv[i]);
- oldargv[i] = NULL;
- }
- oldargc = 0;
-}
-
-/* save parsed rule for comparison with next rule
- to perform action agregation on duplicate conditions */
-static void
-save_argv(void)
-{
- unsigned int i;
-
- for (i = 0; i < oldargc; i++)
- free(oldargv[i]);
- oldargc = newargc;
- newargc = 0;
- for (i = 0; i < oldargc; i++) {
- oldargv[i] = newargv[i];
- newargv[i] = NULL;
- }
-}
-
/* like puts but with xml encoding */
static void
xmlEncode(char *text)
@@ -736,9 +676,6 @@ iptables_xml_main(int argc, char *argv[])
int quote_open, quoted;
char param_buffer[1024];
- /* reset the newargv */
- newargc = 0;
-
if (buffer[0] == '[') {
/* we have counters in our input */
char *ptr = strchr(buffer, ']');
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 742502154aa55..84dbea562576e 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -406,3 +406,126 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format)
ipv6_addr_to_string(&fw6->ipv6.dst,
&fw6->ipv6.dmsk, format));
}
+
+/* global new argv and argc */
+char *newargv[255];
+int newargc = 0;
+
+/* saved newargv and newargc from save_argv() */
+char *oldargv[255];
+int oldargc = 0;
+
+/* arg meta data, were they quoted, frinstance */
+int newargvattr[255];
+
+/* function adding one argument to newargv, updating newargc
+ * returns true if argument added, false otherwise */
+int add_argv(const char *what, int quoted)
+{
+ DEBUGP("add_argv: %s\n", what);
+ if (what && newargc + 1 < ARRAY_SIZE(newargv)) {
+ newargv[newargc] = strdup(what);
+ newargvattr[newargc] = quoted;
+ newargv[++newargc] = NULL;
+ return 1;
+ } else {
+ xtables_error(PARAMETER_PROBLEM,
+ "Parser cannot handle more arguments\n");
+ }
+}
+
+void free_argv(void)
+{
+ while (newargc)
+ free(newargv[--newargc]);
+ while (oldargc)
+ free(oldargv[--oldargc]);
+}
+
+/* Save parsed rule for comparison with next rule to perform action aggregation
+ * on duplicate conditions.
+ */
+void save_argv(void)
+{
+ unsigned int i;
+
+ while (oldargc)
+ free(oldargv[--oldargc]);
+
+ oldargc = newargc;
+ newargc = 0;
+ for (i = 0; i < oldargc; i++) {
+ oldargv[i] = newargv[i];
+ }
+}
+
+void add_param_to_argv(char *parsestart, int line)
+{
+ int quote_open = 0, escaped = 0, param_len = 0;
+ char param_buffer[1024], *curchar;
+
+ /* After fighting with strtok enough, here's now
+ * a 'real' parser. According to Rusty I'm now no
+ * longer a real hacker, but I can live with that */
+
+ for (curchar = parsestart; *curchar; curchar++) {
+ if (quote_open) {
+ if (escaped) {
+ param_buffer[param_len++] = *curchar;
+ escaped = 0;
+ continue;
+ } else if (*curchar == '\\') {
+ escaped = 1;
+ continue;
+ } else if (*curchar == '"') {
+ quote_open = 0;
+ *curchar = '"';
+ } else {
+ param_buffer[param_len++] = *curchar;
+ continue;
+ }
+ } else {
+ if (*curchar == '"') {
+ quote_open = 1;
+ continue;
+ }
+ }
+
+ switch (*curchar) {
+ case '"':
+ break;
+ case ' ':
+ case '\t':
+ case '\n':
+ if (!param_len) {
+ /* two spaces? */
+ continue;
+ }
+ break;
+ default:
+ /* regular character, copy to buffer */
+ param_buffer[param_len++] = *curchar;
+
+ if (param_len >= sizeof(param_buffer))
+ xtables_error(PARAMETER_PROBLEM,
+ "Parameter too long!");
+ continue;
+ }
+
+ param_buffer[param_len] = '\0';
+
+ /* check if table name specified */
+ if ((param_buffer[0] == '-' &&
+ param_buffer[1] != '-' &&
+ strchr(param_buffer, 't')) ||
+ (!strncmp(param_buffer, "--t", 3) &&
+ !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
+ }
+
+ add_argv(param_buffer, 0);
+ param_len = 0;
+ }
+}
diff --git a/iptables/xshared.h b/iptables/xshared.h
index bfdb10b2701e5..4f567db9f410b 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -119,6 +119,19 @@ bool xs_has_arg(int argc, char *argv[]);
extern const struct xtables_afinfo *afinfo;
+extern char *newargv[];
+extern int newargc;
+
+extern char *oldargv[];
+extern int oldargc;
+
+extern int newargvattr[];
+
+int add_argv(const char *what, int quoted);
+void free_argv(void);
+void save_argv(void);
+void add_param_to_argv(char *parsestart, int line);
+
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
--
2.21.0

259
SOURCES/xtables-Introduce-and-use-common-function-to-parse-v.patch Normal file
View File

@ -0,0 +1,259 @@
From cc564f1b24a61d8abcd1163323ba68d373ef3d7c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 3 Apr 2019 20:30:11 +0200
Subject: [PATCH] xtables: Introduce and use common function to parse
val[/mask] arguments

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075
Upstream Status: iptables commit 29b1d97764d18

commit 29b1d97764d1849651388d870565b3fa815a0bd8
Author: Serhey Popovych <serhe.popovych@gmail.com>
Date: Thu Mar 1 13:03:11 2018 +0200

xtables: Introduce and use common function to parse val[/mask] arguments

There are a couple of places in both core and extensions where arguments
in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32).

In some cases symbolic name might be used which is mapped in code to
numeric value.

Introduce common function to handle both cases where value given is
either val[/mask] or symbolic name.

Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
extensions/libipt_realm.c | 29 ++++++---------------
extensions/libxt_devgroup.c | 35 ++++---------------------
include/xtables.h | 11 ++++++++
libxtables/xtables.c | 52 +++++++++++++++++++++++++++++++++++++
libxtables/xtoptions.c | 22 +---------------
5 files changed, 77 insertions(+), 72 deletions(-)

diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index fffb1218db7a6..0bfbaea0add23 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -34,30 +34,17 @@ static struct xtables_lmap *realms;
static void realm_parse(struct xt_option_call *cb)
{
- struct xt_realm_info *realminfo = cb->data;
- int id;
- char *end;
+ struct xt_realm_info *ri = cb->data;
+ unsigned int id, mask;
xtables_option_parse(cb);
- realminfo->id = strtoul(cb->arg, &end, 0);
- if (end != cb->arg && (*end == '/' || *end == '\0')) {
- if (*end == '/')
- realminfo->mask = strtoul(end+1, &end, 0);
- else
- realminfo->mask = 0xffffffff;
- if (*end != '\0' || end == cb->arg)
- xtables_error(PARAMETER_PROBLEM,
- "Bad realm value \"%s\"", cb->arg);
- } else {
- id = xtables_lmap_name2id(realms, cb->arg);
- if (id == -1)
- xtables_error(PARAMETER_PROBLEM,
- "Realm \"%s\" not found", cb->arg);
- realminfo->id = id;
- realminfo->mask = 0xffffffff;
- }
+ xtables_parse_val_mask(cb, &id, &mask, realms);
+
+ ri->id = id;
+ ri->mask = mask;
+
if (cb->invert)
- realminfo->invert = 1;
+ ri->invert = 1;
}
static void
diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index ebfa2aee80cf2..604828276177b 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
@@ -35,49 +35,24 @@ static const char f_devgroups[] = "/etc/iproute2/group";
/* array of devgroups from f_devgroups[] */
static struct xtables_lmap *devgroups;
-static void devgroup_parse_groupspec(const char *arg, unsigned int *group,
- unsigned int *mask)
-{
- char *end;
- bool ok;
-
- ok = xtables_strtoui(arg, &end, group, 0, UINT32_MAX);
- if (ok && (*end == '/' || *end == '\0')) {
- if (*end == '/')
- ok = xtables_strtoui(end + 1, NULL, mask,
- 0, UINT32_MAX);
- else
- *mask = ~0U;
- if (!ok)
- xtables_error(PARAMETER_PROBLEM,
- "Bad group value \"%s\"", arg);
- } else {
- *group = xtables_lmap_name2id(devgroups, arg);
- if (*group == -1)
- xtables_error(PARAMETER_PROBLEM,
- "Device group \"%s\" not found", arg);
- *mask = ~0U;
- }
-}
-
static void devgroup_parse(struct xt_option_call *cb)
{
struct xt_devgroup_info *info = cb->data;
- unsigned int id, mask;
+ unsigned int group, mask;
xtables_option_parse(cb);
+ xtables_parse_val_mask(cb, &group, &mask, devgroups);
+
switch (cb->entry->id) {
case O_SRC_GROUP:
- devgroup_parse_groupspec(cb->arg, &id, &mask);
- info->src_group = id;
+ info->src_group = group;
info->src_mask = mask;
info->flags |= XT_DEVGROUP_MATCH_SRC;
if (cb->invert)
info->flags |= XT_DEVGROUP_INVERT_SRC;
break;
case O_DST_GROUP:
- devgroup_parse_groupspec(cb->arg, &id, &mask);
- info->dst_group = id;
+ info->dst_group = group;
info->dst_mask = mask;
info->flags |= XT_DEVGROUP_MATCH_DST;
if (cb->invert)
diff --git a/include/xtables.h b/include/xtables.h
index 021726708b2ee..47481e693ca25 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -501,6 +501,17 @@ extern void xtables_save_string(const char *value);
extern void xtables_print_num(uint64_t number, unsigned int format);
+extern void xtables_parse_val_mask(struct xt_option_call *cb,
+ unsigned int *val, unsigned int *mask,
+ const struct xtables_lmap *lmap);
+
+static inline void xtables_parse_mark_mask(struct xt_option_call *cb,
+ unsigned int *mark,
+ unsigned int *mask)
+{
+ xtables_parse_val_mask(cb, mark, mask, NULL);
+}
+
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
# ifdef _INIT
# undef _init
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 7210d3706bf26..2981f52bc767f 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1950,6 +1950,58 @@ void xtables_print_num(uint64_t number, unsigned int format)
printf(FMT("%4lluT ","%lluT "), (unsigned long long)number);
}
+void xtables_parse_val_mask(struct xt_option_call *cb,
+ unsigned int *val, unsigned int *mask,
+ const struct xtables_lmap *lmap)
+{
+ char *end;
+
+ *mask = ~0U;
+
+ if (!xtables_strtoui(cb->arg, &end, val, 0, UINT32_MAX)) {
+ if (lmap)
+ goto name2val;
+ else
+ goto bad_val;
+ }
+
+ if (*end == '\0')
+ return;
+
+ if (*end != '/') {
+ if (lmap)
+ goto name2val;
+ else
+ goto garbage;
+ }
+
+ if (!xtables_strtoui(end + 1, &end, mask, 0, UINT32_MAX))
+ goto bad_val;
+
+ if (*end == '\0')
+ return;
+
+garbage:
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "%s: trailing garbage after value "
+ "for option \"--%s\".\n",
+ cb->ext_name, cb->entry->name);
+
+bad_val:
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "%s: bad integer value for option \"--%s\", "
+ "or out of range.\n",
+ cb->ext_name, cb->entry->name);
+
+name2val:
+ *val = xtables_lmap_name2id(lmap, cb->arg);
+ if ((int)*val == -1)
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "%s: could not map name %s to an integer value "
+ "for option \"--%s\".\n",
+ cb->ext_name, cb->arg, cb->entry->name);
+}
+
int kernel_version;
void get_kernel_version(void)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 1d3fda73dedf7..4bbc03ab0f047 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -432,27 +432,7 @@ static void xtopt_parse_tosmask(struct xt_option_call *cb)
*/
static void xtopt_parse_markmask(struct xt_option_call *cb)
{
- unsigned int mark = 0, mask = ~0U;
- char *end;
-
- if (!xtables_strtoui(cb->arg, &end, &mark, 0, UINT32_MAX))
- xt_params->exit_err(PARAMETER_PROBLEM,
- "%s: bad mark value for option \"--%s\", "
- "or out of range.\n",
- cb->ext_name, cb->entry->name);
- if (*end == '/' &&
- !xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX))
- xt_params->exit_err(PARAMETER_PROBLEM,
- "%s: bad mask value for option \"--%s\", "
- "or out of range.\n",
- cb->ext_name, cb->entry->name);
- if (*end != '\0')
- xt_params->exit_err(PARAMETER_PROBLEM,
- "%s: trailing garbage after value "
- "for option \"--%s\".\n",
- cb->ext_name, cb->entry->name);
- cb->val.mark = mark;
- cb->val.mask = mask;
+ xtables_parse_mark_mask(cb, &cb->val.mark, &cb->val.mask);
}
static int xtopt_sysloglvl_compare(const void *a, const void *b)
--
2.21.0

81
SOURCES/xtables-restore-Fix-table-parameter-check.patch Normal file
View File

@ -0,0 +1,81 @@
From bcf1d6cb8bd521c716ae38dd08ee52d267cfa25e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 23 Oct 2019 12:06:55 +0200
Subject: [PATCH 1/2] xtables-restore: Fix --table parameter check

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
Upstream Status: iptables commit 3dc433b55bbfa
Conflicts: Downstream does not support nft-variants.

commit 3dc433b55bbfaf9df3ee408aaa6282742f377864
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Sep 20 17:31:58 2019 +0200

xtables-restore: Fix --table parameter check

Xtables-restore tries to reject rule commands in input which contain a
--table parameter (since it is adding this itself based on the previous
table line). The manual check was not perfect though as it caught any
parameter starting with a dash and containing a 't' somewhere, even in
rule comments:

| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT

Instead of error-prone manual checking, go a much simpler route: All
do_command callbacks are passed a boolean indicating they're called from
*tables-restore. React upon this when handling a table parameter and
error out if it's not the first one.

Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/iptables.c | 4 ++++
iptables/xshared.c | 12 ------------
2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/iptables/iptables.c b/iptables/iptables.c
index dc70cc6e9b0ec..d106a18949407 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1591,6 +1591,10 @@ int do_command4(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
+ if (restore && *table)
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
*table = optarg;
break;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 84dbea562576e..058b5e8b63896 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -513,18 +513,6 @@ void add_param_to_argv(char *parsestart, int line)
}
param_buffer[param_len] = '\0';
-
- /* check if table name specified */
- if ((param_buffer[0] == '-' &&
- param_buffer[1] != '-' &&
- strchr(param_buffer, 't')) ||
- (!strncmp(param_buffer, "--t", 3) &&
- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
- xtables_error(PARAMETER_PROBLEM,
- "The -t option (seen in line %u) cannot be used in %s.\n",
- line, xt_params->program_name);
- }
-
add_argv(param_buffer, 0);
param_len = 0;
}
--
2.23.0

90
SOURCES/xtables-restore-Unbreak-tables-restore.patch Normal file
View File

@ -0,0 +1,90 @@
From 5b36b6fa581ca958340ab8d40be646cae249eee4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 23 Oct 2019 12:07:39 +0200
Subject: [PATCH 2/2] xtables-restore: Unbreak *tables-restore

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
Upstream Status: iptables commit 4e470fa347610
Conflicts: Downstream does not support nft-variants.

commit 4e470fa34761085144640fb561a9ad26b2cde382
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Oct 22 12:25:28 2019 +0200

xtables-restore: Unbreak *tables-restore

Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
installed an error check which evaluated true in all cases as all
callers of do_command callbacks pass a pointer to a table name already.
Attached test case passed as it tested error condition only.

Fix the whole mess by introducing a boolean to indicate whether a table
parameter was seen already. Extend the test case to cover positive as
well as negative behaviour and to test ebtables-restore and
ip6tables-restore as well. Also add the required checking code to the
latter since the original commit missed it.

Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ip6tables.c | 6 ++++++
iptables/iptables.c | 4 +++-
2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index fc2fd37cfe919..42edf7a55ec6e 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1316,6 +1316,7 @@ int do_command6(int argc, char *argv[], char **table,
struct xtables_rule_match *matchp;
struct xtables_target *t;
unsigned long long cnt;
+ bool table_set = false;
memset(&cs, 0, sizeof(cs));
cs.jumpto = "";
@@ -1598,7 +1599,12 @@ int do_command6(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
+ if (restore && table_set)
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
*table = optarg;
+ table_set = true;
break;
case 'x':
diff --git a/iptables/iptables.c b/iptables/iptables.c
index d106a18949407..0ad87fd98684d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1312,6 +1312,7 @@ int do_command4(int argc, char *argv[], char **table,
struct xtables_rule_match *matchp;
struct xtables_target *t;
unsigned long long cnt;
+ bool table_set = false;
memset(&cs, 0, sizeof(cs));
cs.jumpto = "";
@@ -1591,11 +1592,12 @@ int do_command4(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
- if (restore && *table)
+ if (restore && table_set)
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be used in %s.\n",
line, xt_params->program_name);
*table = optarg;
+ table_set = true;
break;
case 'x':
--
2.23.0

88
SPECS/iptables.spec
View File

@ -7,7 +7,7 @@
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.4.21
Release: 28%{?dist}
Release: 34%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
@ -39,6 +39,44 @@ Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch
Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch
Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch
Patch22: utils-Add-a-man-page-for-nfnl_osf.patch
Patch23: Mark-fall-through-cases-in-switch-statements.patch
Patch24: libiptc-Simplify-alloc_handle-function-signature.patch
Patch25: libxtables-Fix-potential-array-overrun-in-xtables_op.patch
Patch26: ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch
Patch27: nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch
Patch28: libxt_string-Avoid-potential-array-out-of-bounds-acc.patch
Patch29: libxt_string-Fix-array-out-of-bounds-check.patch
Patch30: libxtables-Don-t-read-garbage-in-xtables_strtoui.patch
Patch31: libxt_time-Drop-initialization-of-variable-year.patch
Patch32: libxt_sctp-fix-array-out-of-range-in-print_chunk.patch
Patch33: libxt_ipvs-Avoid-potential-buffer-overrun.patch
Patch34: libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch
Patch35: Fix-a-few-cases-of-pointless-assignments.patch
Patch36: nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch
Patch37: libxt_conntrack-Avoid-potential-buffer-overrun.patch
Patch38: libxtables-Check-extension-real_name-length.patch
Patch39: libiptc-NULL-terminate-errorname.patch
Patch40: libxtables-Avoid-calling-memcpy-with-NULL-source.patch
Patch41: libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch
Patch42: libxt_recent-Remove-ineffective-checks-for-info-name.patch
Patch43: libxtables-move-some-code-to-avoid-cautions-in-vfork.patch
Patch44: libxtables-Use-posix_spawn-instead-of-vfork.patch
Patch45: libiptc-Avoid-side-effect-in-memset-calls.patch
Patch46: Share-print_ipv-4-6-_addr-from-xtables.patch
Patch47: extensions-REJECT-Check-for-array-overrun.patch
Patch48: list-fix-prefetch-dummy.patch
Patch49: extensions-Add-macro-_DEFAULT_SOURCE.patch
Patch50: Consolidate-DEBUGP-macros.patch
Patch51: xshared-Consolidate-argv-construction-routines.patch
Patch52: extensions-Fix-ipvs-vproto-parsing.patch
Patch53: extensions-Fix-ipvs-vproto-option-printing.patch
Patch54: extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch
Patch55: extensions-Initialize-linear-mapping-of-symbols-in-_.patch
Patch56: xtables-Introduce-and-use-common-function-to-parse-v.patch
Patch57: iptables-xml-fix-segfault-if-missing-space-after-A.patch
Patch58: man-iptables-save-Add-note-about-module-autoloading.patch
Patch59: xtables-restore-Fix-table-parameter-check.patch
Patch60: xtables-restore-Unbreak-tables-restore.patch

Group: System Environment/Base
URL: http://www.netfilter.org/
@ -104,29 +142,7 @@ Currently only provides nfnl_osf with the pf.os database.


%prep
%setup -q
%patch1 -p1 -b .rhbz_1054871
%patch2 -p1 -b .libxt_cgroup
%patch3 -p1 -b .wait_seconds
%patch4 -p1 -b .flock_wait
%patch5 -p1 -b .rhbz_1261238
%patch6 -p1 -b .rhbz_1298879
%patch7 -p1 -b .wait-interval
%patch8 -p1 -b .do_not_lock_again_and_again
%patch9 -p1 -b .use_the_blocking_file_lock_request
%patch10 -p1 -b .configure_set_lock_file_path
%patch11 -p1 -b .move_XT_LOCK_NAME_to_config.h
%patch12 -p1 -b .remove_duplicated_argument_parsing
%patch13 -p1 -b .restore_support_acquiring_the_lock
%patch14 -p1 -b .do_not_set_changed_for_check_options
%patch15 -p1 -b .restore_version
%patch16 -p1 -b .restore_wait_man
%patch17 -p1 -b .tcpmss_detect_invalid_ranges
%patch18 -p1 -b .exit_unknown_option
%patch19 -p1 -b .require_wait_value
%patch20 -p1 -b .wait_interval_needs_wait
%patch21 -p1 -b .nfnl_osf_synopsis
%patch22 -p1 -b .nfnl_osf_man_page
%autosetup -p1

%build
# Since patches above touch configure.ac we must regen configure
@ -290,6 +306,30 @@ done


%changelog
* Wed Oct 23 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-34
- Fix iptables-restore for rules with '-' and 't' in comments (RHBZ#1749700)
- Make services start before network-pre.target is reached (RHBZ#1736765)

* Thu Apr 18 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-33
- man: iptables-save: Add note about module autoloading (RHBZ#1691380)

* Tue Apr 09 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-32
- iptables-xml: fix segfault if missing space after -A (RHBZ#1525980)

* Wed Apr 03 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-31
- Fix iptables-restore with empty comment in rule (RHBZ#1668475)
- Fix parsing and printing of -m ipvs --vproto option (RHBZ#1679726)
- Fix for wrong location of devgroup definition file (RHBZ#1657075)
- Fix for non-numeric devgroup name output (RHBZ#1657075)
- Reject negative realm values (RHBZ#1657075)

* Fri Mar 15 2019 Phil Sutter - 1.4.21-30
- Drop leftover variable from init script (RHBZ#1520534)

* Fri Mar 15 2019 Phil Sutter - 1.4.21-29
- Do not attempt to unload any modules when stopping the firewall (RHBZ#1520534)
- Fix for covscan warnings (RHBZ#1525980)

* Tue Jun 05 2018 Phil Sutter - 1.4.21-28
- Add nfnl_osf.8 man page (RHBZ#1487331)