basebuilder_pel7x64builder0
4 years ago
42 changed files with 3466 additions and 92 deletions
@ -0,0 +1,165 @@ |
|||||||
|
From 7fcb3a907824af6220007d91ef49095f990b1733 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Wed, 3 Apr 2019 20:15:52 +0200 |
||||||
|
Subject: [PATCH] Consolidate DEBUGP macros |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1668475 |
||||||
|
Upstream Status: iptables commit 78b9d438037f2 |
||||||
|
Conflicts: |
||||||
|
* Context change due to missing commit 2963a8df2175b |
||||||
|
("iptables: Remove explicit static variables initalization.") |
||||||
|
* Dropped changes to non-existing files iptables/nft-shared.h and |
||||||
|
iptables/xtables-restore.c. |
||||||
|
|
||||||
|
commit 78b9d438037f2c83a7bbb73eb1b86cc295967905 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Thu Aug 2 17:05:15 2018 +0200 |
||||||
|
|
||||||
|
Consolidate DEBUGP macros |
||||||
|
|
||||||
|
This debug printing macro was defined in various places, always |
||||||
|
identical. Move it into xshared.h and drop it from sources including |
||||||
|
that header. There are a few exceptions: |
||||||
|
|
||||||
|
* iptables-xml.c did not include xshared.h, which this patch changes. |
||||||
|
|
||||||
|
* Sources in extensions and libiptc mostly left alone since they don't |
||||||
|
include xshared.h (and maybe shouldn't). Only libxt_set.h does, so |
||||||
|
it's converted, too. |
||||||
|
|
||||||
|
This also converts DEBUG define use in libip6t_hbh.c to avoid a compiler |
||||||
|
warning. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libip6t_hbh.c | 6 ++---- |
||||||
|
extensions/libxt_set.h | 6 ------ |
||||||
|
iptables/ip6tables-restore.c | 6 ------ |
||||||
|
iptables/iptables-restore.c | 6 ------ |
||||||
|
iptables/iptables-xml.c | 7 +------ |
||||||
|
iptables/xshared.h | 6 ++++++ |
||||||
|
6 files changed, 9 insertions(+), 28 deletions(-) |
||||||
|
|
||||||
|
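diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed8bafde..1c49ee71ada13 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -5,8 +5,6 @@
 #include <xtables.h>
 #include <linux/netfilter_ipv6/ip6t_opts.h>
 
-#define DEBUG 0
-
 enum {
 O_HBH_LEN = 0,
 O_HBH_OPTS,
@@ -83,7 +81,7 @@ parse_options(const char *optsstr, uint16_t *opts)
 opts[i] |= (0x00FF);
 }
 
-#if DEBUG
+#ifdef DEBUG
 printf("opts str: %s %s\n", cp, range);
 printf("opts opt: %04X\n", opts[i]);
 #endif
@@ -92,7 +90,7 @@ parse_options(const char *optsstr, uint16_t *opts)
 
 free(buffer);
 
-#if DEBUG
+#ifdef DEBUG
 printf("addr nr: %d\n", i);
 #endif
 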
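diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 5a1bdcf730cf2..41dfbd30fc7c1 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -8,12 +8,6 @@
 #include <errno.h>
 #include "../iptables/xshared.h"
 
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x , ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
 static int
 get_version(unsigned *version)
 {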
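diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index fdcc0cb5b2c06..611430d930eda 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -20,12 +20,6 @@
 #include "libiptc/libip6tc.h"
 #include "ip6tables-multi.h"
 
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
 static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0;
 
 static struct timeval wait_interval = {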
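diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 5a8c2c738bb0f..b0da96d45d297 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -17,12 +17,6 @@
 #include "libiptc/libiptc.h"
 #include "iptables-multi.h"
 
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
-
 static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0;
 
 static struct timeval wait_interval = {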
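diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 92a5768f86903..c523a132b2240 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -16,12 +16,7 @@
 #include "libiptc/libiptc.h"
 #include "xtables-multi.h"
 #include <xtables.h>
-
-#ifdef DEBUG
-#define DEBUGP(x, args...) fprintf(stderr, x, ## args)
-#else
-#define DEBUGP(x, args...)
-#endif
+#include "xshared.h"
 
 struct xtables_globals iptables_xml_globals = {
 .option_offset = 0,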
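diff --git a/iptables/xshared.h b/iptables/xshared.h
index 20dbbd12118ad..bfdb10b2701e5 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -9,6 +9,12 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
+#ifdef DEBUG
+#define DEBUGP(x, args...) fprintf(stdout, x, ## args)
+#else
+#define DEBUGP(x, args...)
+#endif
+
 enum {
 OPT_NONE = 0,
 OPT_NUMERIC = 1 << 0,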
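Review bot: The consolidated `DEBUGP` added to xshared.h writes to `stdout`, whereas every definition this patch removes (libxt_set.h, ip6tables-restore.c, iptables-restore.c, iptables-xml.c) wrote to `stderr`, so the macros were not "always identical" as the commit message says. In a DEBUG build that mixes trace output into the data stream of tools whose stdout is presumably consumed by other programs (iptables-xml, and the restore tools when used in pipelines), corrupting machine-readable output and losing the diagnostics when stdout is redirected. Keeping the original stream, `#define DEBUGP(x, args...) fprintf(stderr, x, ## args)`, preserves the prior behaviour of the four converted sources. A one-line comment above the `#ifdef` stating that the macro expands to nothing unless `DEBUG` is defined at compile time would also help readers of the shared header.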
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,163 @@ |
|||||||
|
From b0c800d08b90b84d5d693d63602bcc4b43a07b6f Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:34 +0100 |
||||||
|
Subject: [PATCH] Fix a few cases of pointless assignments |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 7e50ebabbf9c3 |
||||||
|
Conflicts: Dropped changes to non-existing nft-backend files. |
||||||
|
|
||||||
|
commit 7e50ebabbf9c3a5eeb9511d9f32c6104b56da5cd |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:17:04 2018 +0200 |
||||||
|
|
||||||
|
Fix a few cases of pointless assignments |
||||||
|
|
||||||
|
This gets rid of a number of assignments which are either redundant or |
||||||
|
not used afterwards. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
iptables/ip6tables-restore.c | 4 ++-- |
||||||
|
iptables/iptables-restore.c | 4 ++-- |
||||||
|
iptables/iptables-xml.c | 4 ++-- |
||||||
|
libxtables/xtoptions.c | 2 +- |
||||||
|
utils/nfnl_osf.c | 13 +++++-------- |
||||||
|
5 files changed, 12 insertions(+), 15 deletions(-) |
||||||
|
|
||||||
|
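diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index d610360a1c1ff..fdcc0cb5b2c06 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -427,7 +427,6 @@ int ip6tables_restore_main(int argc, char *argv[])
 
 } else if (in_table) {
 int a;
-char *ptr = buffer;
 char *pcnt = NULL;
 char *bcnt = NULL;
 char *parsestart;
@@ -437,7 +436,8 @@ int ip6tables_restore_main(int argc, char *argv[])
 
 if (buffer[0] == '[') {
 /* we have counters in our input */
-ptr = strchr(buffer, ']');
+char *ptr = strchr(buffer, ']');
+
 if (!ptr)
 xtables_error(PARAMETER_PROBLEM,
 "Bad line %u: need ]\n",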
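diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index db77fb77b3c98..5a8c2c738bb0f 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -426,7 +426,6 @@ iptables_restore_main(int argc, char *argv[])
 
 } else if (in_table) {
 int a;
-char *ptr = buffer;
 char *pcnt = NULL;
 char *bcnt = NULL;
 char *parsestart;
@@ -436,7 +435,8 @@ iptables_restore_main(int argc, char *argv[])
 
 if (buffer[0] == '[') {
 /* we have counters in our input */
-ptr = strchr(buffer, ']');
+char *ptr = strchr(buffer, ']');
+
 if (!ptr)
 xtables_error(PARAMETER_PROBLEM,
 "Bad line %u: need ]\n",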
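diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 962844762fc4e..92a5768f86903 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -731,7 +731,6 @@ iptables_xml_main(int argc, char *argv[])
 ret = 1;
 } else if (curTable[0]) {
 unsigned int a;
-char *ptr = buffer;
 char *pcnt = NULL;
 char *bcnt = NULL;
 char *parsestart;
@@ -747,7 +746,8 @@ iptables_xml_main(int argc, char *argv[])
 
 if (buffer[0] == '[') {
 /* we have counters in our input */
-ptr = strchr(buffer, ']');
+char *ptr = strchr(buffer, ']');
+
 if (!ptr)
 xtables_error(PARAMETER_PROBLEM,
 "Bad line %u: need ]\n",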
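diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 0c63c2d372dea..1ad4cb57f5836 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -282,7 +282,7 @@ static void xtopt_mint_value_to_ptr(struct xt_option_call *cb, void **datap,
 static void xtopt_parse_mint(struct xt_option_call *cb)
 {
 const struct xt_option_entry *entry = cb->entry;
-const char *arg = cb->arg;
+const char *arg;
 size_t esize = xtopt_esize_by_type(entry->type);
 const uintmax_t lmax = xtopt_max_by_type(entry->type);
 void *put = XTOPT_MKPTR(cb);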
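Review bot: `const char *arg;` on the added line leaves `arg` uninitialised, and its first assignment is not in the hunk (xtopt_parse_mint continues outside it), so the change is only safe if every read of `arg` is dominated by a store on every path. That cannot be confirmed from what is shown; please verify it, or keep `const char *arg = cb->arg;` as a harmless initialiser that costs nothing and rules out an uninitialised read should a later edit add an early use. Building this file with `-Wall -Wextra` (which includes `-Wmaybe-uninitialized` on GCC) would give a quick answer.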
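diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index c67485ee698b1..0f8b35b805016 100644
--- a/utils/nfnl_osf.c
+++ b/utils/nfnl_osf.c
@@ -157,7 +157,6 @@ static void xt_osf_parse_opt(struct xt_osf_opt *opt, __u16 *optnum, char *obuf,
 i = 0;
 while (ptr != NULL && i < olen && *ptr != 0) {
 val = 0;
-op = 0;
 wc = OSF_WSS_PLAIN;
 switch (obuf[i]) {
 case 'N':
@@ -344,7 +343,7 @@ static int osf_load_line(char *buffer, int len, int del)
 pend = xt_osf_strchr(pbeg, OSFPDEL);
 if (pend) {
 *pend = '\0';
-cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg);
+snprintf(obuf, sizeof(obuf), "%s,", pbeg);
 pbeg = pend + 1;
 }
 
@@ -352,25 +351,23 @@ static int osf_load_line(char *buffer, int len, int del)
 if (pend) {
 *pend = '\0';
 if (pbeg[0] == '@' || pbeg[0] == '*')
-cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1);
+snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1);
 else
-cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
+snprintf(f.genre, sizeof(f.genre), "%s", pbeg);
 pbeg = pend + 1;
 }
 
 pend = xt_osf_strchr(pbeg, OSFPDEL);
 if (pend) {
 *pend = '\0';
-cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg);
+snprintf(f.version, sizeof(f.version), "%s", pbeg);
 pbeg = pend + 1;
 }
 
 pend = xt_osf_strchr(pbeg, OSFPDEL);
 if (pend) {
 *pend = '\0';
-cnt =
-snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
-pbeg = pend + 1;
+snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg);
 }
 
 xt_osf_parse_opt(f.opt, &f.opt_num, obuf, sizeof(obuf));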
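Review bot: Dropping the `cnt =` assignments in osf_load_line (the hunks at -344 and -352) discards the `snprintf` return values outright, so a fingerprint-file field longer than `obuf`, `f.genre`, `f.version` or `f.subtype` is silently truncated and the loader installs a mangled entry with no indication; this function is parsing an external file, so the bound should be checked rather than ignored. At each of the four call sites a check of the form `if (snprintf(f.genre, sizeof(f.genre), "%s", pbeg) >= (int)sizeof(f.genre))` followed by a diagnostic naming the offending line (and whatever error return osf_load_line uses, which is outside the hunk) would make the truncation visible. If this tree builds with a warning for discarded results, the bare calls will additionally need a `(void)` cast. The removal of `op = 0;` in the -157 hunk looks fine as far as the visible loop shows.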
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,70 @@ |
|||||||
|
From 5527530396afccc43fddedbe6fdf1b4c6000b516 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:49:11 +0100 |
||||||
|
Subject: [PATCH] Mark fall through cases in switch() statements |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 1788f545aae28 |
||||||
|
Conflicts: Dropped changes to non-existing libebt_log.c, nft-shared.c |
||||||
|
and revision 4 of libxt_set.c. |
||||||
|
|
||||||
|
commit 1788f545aae285fa3cd6595d5d25b2ae1b215282 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:45 2018 +0200 |
||||||
|
|
||||||
|
Mark fall through cases in switch() statements |
||||||
|
|
||||||
|
Typical covscan complaint, non-empty fall throughs should be marked as |
||||||
|
such. There was but a single case which should break instead, namely in |
||||||
|
libebt_log.c: It is not critical, since the next case merely asserts |
||||||
|
'invert' being zero (which can't be as it was checked before). But while |
||||||
|
being at it, introduce log_chk_inv() to consolidate the semantically |
||||||
|
equal cases for the various log types. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_set.c | 4 ++++ |
||||||
|
1 file changed, 4 insertions(+) |
||||||
|
|
||||||
|
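diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
index 2cb9e78a85f97..ec826367d6631 100644
--- a/extensions/libxt_set.c
+++ b/extensions/libxt_set.c
@@ -60,6 +60,7 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags,
 case '2':
 fprintf(stderr,
 "--set option deprecated, please use --match-set\n");
+/* fall through */
 case '1': /* --match-set <set> <flag>[,<flag> */
 if (info->u.flags[0])
 xtables_error(PARAMETER_PROBLEM,
@@ -140,6 +141,7 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
 case '2':
 fprintf(stderr,
 "--set option deprecated, please use --match-set\n");
+/* fall through */
 case '1': /* --match-set <set> <flag>[,<flag> */
 if (info->dim)
 xtables_error(PARAMETER_PROBLEM,
@@ -238,6 +240,7 @@ set_parse_v2(int c, char **argv, int invert, unsigned int *flags,
 case '2':
 fprintf(stderr,
 "--set option deprecated, please use --match-set\n");
+/* fall through */
 case '1': /* --match-set <set> <flag>[,<flag> */
 if (info->dim)
 xtables_error(PARAMETER_PROBLEM,
@@ -415,6 +418,7 @@ set_parse_v3(int c, char **argv, int invert, unsigned int *flags,
 case '2':
 fprintf(stderr,
 "--set option deprecated, please use --match-set\n");
+/* fall through */
 case '1': /* --match-set <set> <flag>[,<flag> */
 if (info->match_set.dim)
 xtables_error(PARAMETER_PROBLEM,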
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,216 @@ |
|||||||
|
From 7c53ed370c79027455b4e342436da507be701e23 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] Share print_ipv{4,6}_addr() from xtables |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 8da04ffdca193 |
||||||
|
Conflicts: |
||||||
|
* Dropped changes to non-existing nft-ipv4.c and nft-ipv6.c. |
||||||
|
* Context change in xshared.{c,h}. |
||||||
|
|
||||||
|
commit 8da04ffdca1931402a6bc22c43c1a2fa1c6f1e14 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:59 2018 +0200 |
||||||
|
|
||||||
|
Share print_ipv{4,6}_addr() from xtables |
||||||
|
|
||||||
|
These functions contain code which occurs in legacy's print_firewall() |
||||||
|
functions, so use them there. |
||||||
|
|
||||||
|
Rename them to at least make clear they print more than a single |
||||||
|
address. |
||||||
|
|
||||||
|
Also introduce ipv{4,6}_addr_to_string() which take care of converting |
||||||
|
an address/netmask pair into string representation in a way which |
||||||
|
doesn't upset covscan (since that didn't detect that 'buf' may not be |
||||||
|
exceeded by the strings written into it). |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
iptables/ip6tables.c | 27 +----------------- |
||||||
|
iptables/iptables.c | 25 +---------------- |
||||||
|
iptables/xshared.c | 66 ++++++++++++++++++++++++++++++++++++++++++++ |
||||||
|
iptables/xshared.h | 3 ++ |
||||||
|
4 files changed, 71 insertions(+), 50 deletions(-) |
||||||
|
|
||||||
|
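diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 76e36d44f6b25..fc2fd37cfe919 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -541,7 +541,6 @@ print_firewall(const struct ip6t_entry *fw,
 {
 const struct xtables_target *target = NULL;
 const struct xt_entry_target *t;
-char buf[BUFSIZ];
 
 if (!ip6tc_is_chain(targname, handle))
 target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -609,31 +608,7 @@ print_firewall(const struct ip6t_entry *fw,
 printf(FMT("%-6s ","out %s "), iface);
 }
 
-fputc(fw->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
-if (!memcmp(&fw->ipv6.smsk, &in6addr_any, sizeof in6addr_any)
-&& !(format & FMT_NUMERIC))
-printf(FMT("%-19s ","%s "), "anywhere");
-else {
-if (format & FMT_NUMERIC)
-strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.src));
-else
-strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.src));
-strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.smsk));
-printf(FMT("%-19s ","%s "), buf);
-}
-
-fputc(fw->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
-if (!memcmp(&fw->ipv6.dmsk, &in6addr_any, sizeof in6addr_any)
-&& !(format & FMT_NUMERIC))
-printf(FMT("%-19s ","-> %s"), "anywhere");
-else {
-if (format & FMT_NUMERIC)
-strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.dst));
-else
-strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.dst));
-strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.dmsk));
-printf(FMT("%-19s ","-> %s"), buf);
-}
+print_ipv6_addresses(fw, format);
 
 if (format & FMT_NOTABLE)
 fputs(" ", stdout);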
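diff --git a/iptables/iptables.c b/iptables/iptables.c
index bac9fe0905e9f..dc70cc6e9b0ec 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -526,7 +526,6 @@ print_firewall(const struct ipt_entry *fw,
 const struct xtables_target *target = NULL;
 const struct xt_entry_target *t;
 uint8_t flags;
-char buf[BUFSIZ];
 
 if (!iptc_is_chain(targname, handle))
 target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -595,29 +594,7 @@ print_firewall(const struct ipt_entry *fw,
 printf(FMT("%-6s ","out %s "), iface);
 }
 
-fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
-if (fw->ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
-printf(FMT("%-19s ","%s "), "anywhere");
-else {
-if (format & FMT_NUMERIC)
-strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.src));
-else
-strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.src));
-strcat(buf, xtables_ipmask_to_numeric(&fw->ip.smsk));
-printf(FMT("%-19s ","%s "), buf);
-}
-
-fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
-if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
-printf(FMT("%-19s ","-> %s"), "anywhere");
-else {
-if (format & FMT_NUMERIC)
-strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.dst));
-else
-strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.dst));
-strcat(buf, xtables_ipmask_to_numeric(&fw->ip.dmsk));
-printf(FMT("%-19s ","-> %s"), buf);
-}
+print_ipv4_addresses(fw, format);
 
 if (format & FMT_NOTABLE)
 fputs(" ", stdout);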
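diff --git a/iptables/xshared.c b/iptables/xshared.c
index b8a81fd968361..742502154aa55 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -340,3 +340,69 @@ inline bool xs_has_arg(int argc, char *argv[])
 argv[optind][0] != '-' &&
 argv[optind][0] != '!';
 }
+
+static const char *ipv4_addr_to_string(const struct in_addr *addr,
+const struct in_addr *mask,
+unsigned int format)
+{
+static char buf[BUFSIZ];
+
+if (!mask->s_addr && !(format & FMT_NUMERIC))
+return "anywhere";
+
+if (format & FMT_NUMERIC)
+strncpy(buf, xtables_ipaddr_to_numeric(addr), BUFSIZ - 1);
+else
+strncpy(buf, xtables_ipaddr_to_anyname(addr), BUFSIZ - 1);
+buf[BUFSIZ - 1] = '\0';
+
+strncat(buf, xtables_ipmask_to_numeric(mask),
+BUFSIZ - strlen(buf) - 1);
+
+return buf;
+}
+
+void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format)
+{
+fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
+printf(FMT("%-19s ", "%s "),
+ipv4_addr_to_string(&fw->ip.src, &fw->ip.smsk, format));
+
+fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
+printf(FMT("%-19s ", "-> %s"),
+ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format));
+}
+
+static const char *ipv6_addr_to_string(const struct in6_addr *addr,
+const struct in6_addr *mask,
+unsigned int format)
+{
+static char buf[BUFSIZ];
+
+if (IN6_IS_ADDR_UNSPECIFIED(addr) && !(format & FMT_NUMERIC))
+return "anywhere";
+
+if (format & FMT_NUMERIC)
+strncpy(buf, xtables_ip6addr_to_numeric(addr), BUFSIZ - 1);
+else
+strncpy(buf, xtables_ip6addr_to_anyname(addr), BUFSIZ - 1);
+buf[BUFSIZ - 1] = '\0';
+
+strncat(buf, xtables_ip6mask_to_numeric(mask),
+BUFSIZ - strlen(buf) - 1);
+
+return buf;
+}
+
+void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format)
+{
+fputc(fw6->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
+printf(FMT("%-19s ", "%s "),
+ipv6_addr_to_string(&fw6->ipv6.src,
+&fw6->ipv6.smsk, format));
+
+fputc(fw6->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
+printf(FMT("%-19s ", "-> %s"),
+ipv6_addr_to_string(&fw6->ipv6.dst,
+&fw6->ipv6.dmsk, format));
+}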
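Review bot: `ipv6_addr_to_string` returns `anywhere` when `IN6_IS_ADDR_UNSPECIFIED(addr)` holds, i.e. it tests the address, while the code it replaces in ip6tables.c compared `smsk`/`dmsk` against `in6addr_any` and the new IPv4 helper in the same hunk still tests `!mask->s_addr`. A rule on the unspecified address with a non-zero mask (for example `::/128`) would therefore list as `anywhere` in non-numeric output, reporting a narrow match as a catch-all; the guard should be `if (IN6_IS_ADDR_UNSPECIFIED(mask) && !(format & FMT_NUMERIC))` to keep the original semantics and parity with the IPv4 helper. Both helpers hand back a `static char buf[BUFSIZ]`, so the result is only valid until the next call for the same address family and the functions are not reentrant — worth a one-line comment on each, since the header added later in this commit documents neither. The `strncpy` / manual terminator / `strncat` sequence in each helper could be a single `snprintf(buf, sizeof(buf), "%s%s", addr_str, mask_str)`, which is bounded and NUL-terminated by construction and reads more directly.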
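diff --git a/iptables/xshared.h b/iptables/xshared.h
index c35dfee47577d..20dbbd12118ad 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -113,4 +113,7 @@ bool xs_has_arg(int argc, char *argv[]);
 
 extern const struct xtables_afinfo *afinfo;
 
+void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
+void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
+
 #endif /* IPTABLES_XSHARED_H */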
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,60 @@ |
|||||||
|
From 3dcd69e5655a2485d39efd64b5bd9fd38fdb4a04 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:52:42 +0100 |
||||||
|
Subject: [PATCH] extensions: Add macro _DEFAULT_SOURCE. |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 27de281d8aca8 |
||||||
|
|
||||||
|
commit 27de281d8aca84e3c841b3ae72a17616b1382ac4 |
||||||
|
Author: Varsha Rao <rvarsha016@gmail.com> |
||||||
|
Date: Thu Dec 21 09:05:45 2017 +0530 |
||||||
|
|
||||||
|
extensions: Add macro _DEFAULT_SOURCE. |
||||||
|
|
||||||
|
Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated. |
||||||
|
https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes |
||||||
|
|
||||||
|
This patch fixes the following warning: |
||||||
|
|
||||||
|
warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use |
||||||
|
_DEFAULT_SOURCE" [-Wcpp] |
||||||
|
# warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use |
||||||
|
# _DEFAULT_SOURCE" |
||||||
|
|
||||||
|
Signed-off-by: Varsha Rao <rvarsha016@gmail.com> |
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_hashlimit.c | 1 + |
||||||
|
extensions/libxt_limit.c | 1 + |
||||||
|
2 files changed, 2 insertions(+) |
||||||
|
|
||||||
|
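diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index c5b8d7795c5e5..6d64017022c00 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -11,6 +11,7 @@
 * Error corections by nmalykh@bilim.com (22.01.2005)
 */
 #define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
 #define _ISOC99_SOURCE 1
 #include <math.h>
 #include <stdbool.h>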
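diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c
index f75ef2f87a74c..183a86e324211 100644
--- a/extensions/libxt_limit.c
+++ b/extensions/libxt_limit.c
@@ -4,6 +4,7 @@
 * Hervé Eychenne <rv@wallfire.org>
 */
 #define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
 #define _ISOC99_SOURCE 1
 #include <math.h>
 #include <stdio.h>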
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,42 @@ |
|||||||
|
From 21ef09de8df5a448df06a3fb6c7708440fe8b8ac Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Wed, 3 Apr 2019 20:19:53 +0200 |
||||||
|
Subject: [PATCH] extensions: Fix ipvs vproto option printing |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1679726 |
||||||
|
Upstream Status: iptables commit dd1ad59f0df66 |
||||||
|
|
||||||
|
commit dd1ad59f0df66811335c10ed90c33151a658a50e |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Thu Feb 21 20:09:31 2019 +0100 |
||||||
|
|
||||||
|
extensions: Fix ipvs vproto option printing |
||||||
|
|
||||||
|
This was broken since day 1: vproto option was printed as 'proto' which |
||||||
|
in turn iptables wouldn't accept anymore. |
||||||
|
|
||||||
|
Fixes: c36d05e424069 ("libxt_ipvs: user-space lib for netfilter matcher xt_ipvs") |
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_ipvs.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
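diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c
index fe98fef951686..51952be4245b3 100644
--- a/extensions/libxt_ipvs.c
+++ b/extensions/libxt_ipvs.c
@@ -165,7 +165,7 @@ static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data,
 if (data->bitmask & XT_IPVS_PROTO) {
 if (data->invert & XT_IPVS_PROTO)
 printf(" !");
-printf(" %sproto %u", prefix, data->l4proto);
+printf(" %svproto %u", prefix, data->l4proto);
 }
 
 if (data->bitmask & XT_IPVS_VADDR) {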
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,57 @@ |
|||||||
|
From dab2ab10ed0cb30fb454097200f440660a0f3946 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Wed, 3 Apr 2019 20:19:53 +0200 |
||||||
|
Subject: [PATCH] extensions: Fix ipvs vproto parsing |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1679726 |
||||||
|
Upstream Status: iptables commit fcbdc69e8a750 |
||||||
|
|
||||||
|
commit fcbdc69e8a750fe02c9d7c7aced0efc91715132d |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Thu Feb 21 20:09:30 2019 +0100 |
||||||
|
|
||||||
|
extensions: Fix ipvs vproto parsing |
||||||
|
|
||||||
|
This was broken by integration into guided option parser: |
||||||
|
|
||||||
|
* Make 'vproto' option XTTYPE_PROTOCOL, otherwise its arguments are |
||||||
|
parsed as garbage only. |
||||||
|
|
||||||
|
* Drop O_VPROTO case from ipvs_mt_parse(), due to XTOPT_POINTER() and |
||||||
|
above change there is nothing to do for it in there. |
||||||
|
|
||||||
|
Fixes: 372203af4c70f ("libxt_ipvs: use guided option parser") |
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_ipvs.c | 5 +---- |
||||||
|
1 file changed, 1 insertion(+), 4 deletions(-) |
||||||
|
|
||||||
|
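diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c
index a6c57a030d2c6..fe98fef951686 100644
--- a/extensions/libxt_ipvs.c
+++ b/extensions/libxt_ipvs.c
@@ -27,7 +27,7 @@ enum {
 static const struct xt_option_entry ipvs_mt_opts[] = {
 {.name = "ipvs", .id = O_IPVS, .type = XTTYPE_NONE,
 .flags = XTOPT_INVERT},
-{.name = "vproto", .id = O_VPROTO, .type = XTTYPE_STRING,
+{.name = "vproto", .id = O_VPROTO, .type = XTTYPE_PROTOCOL,
 .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, l4proto)},
 {.name = "vaddr", .id = O_VADDR, .type = XTTYPE_HOSTMASK,
 .flags = XTOPT_INVERT},
@@ -69,9 +69,6 @@ static void ipvs_mt_parse(struct xt_option_call *cb)
 
 xtables_option_parse(cb);
 switch (cb->entry->id) {
-case O_VPROTO:
-data->l4proto = cb->val.protocol;
-break;
 case O_VADDR:
 memcpy(&data->vaddr, &cb->val.haddr, sizeof(cb->val.haddr));
 memcpy(&data->vmask, &cb->val.hmask, sizeof(cb->val.hmask));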
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,139 @@ |
|||||||
|
From 861155bef2343e0259469dc8e4acde60e2c6fb91 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Wed, 3 Apr 2019 20:29:38 +0200 |
||||||
|
Subject: [PATCH] extensions: Initialize linear mapping of symbols in _init() |
||||||
|
of extension |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 |
||||||
|
Upstream Status: iptables commit 56aadc01b258e |
||||||
|
Conflicts: Whitespace change due to missing commit f7c26137b0d57 |
||||||
|
("extensions: libipt_realm: Add translation to nft"). |
||||||
|
|
||||||
|
commit 56aadc01b258ef7849463723ab5ddc4885db22f6 |
||||||
|
Author: Serhey Popovych <serhe.popovych@gmail.com> |
||||||
|
Date: Thu Mar 1 13:03:10 2018 +0200 |
||||||
|
|
||||||
|
extensions: Initialize linear mapping of symbols in _init() of extension |
||||||
|
|
||||||
|
libxt_devgroup and libipt_realm currently unable to display symbolic |
||||||
|
names in save/print commands because linear mapping is not initialized. |
||||||
|
|
||||||
|
It looks bit confusing as linear mapping initialization is done in init() |
||||||
|
of extension, which is expected to be called before any other function of |
||||||
|
extension. |
||||||
|
|
||||||
|
However init is called only when '-m' option specified on command line, |
||||||
|
that is true only for insert, append, replace and destroy iptables |
||||||
|
commands. |
||||||
|
|
||||||
|
Move initialization to extension _init() function before calling |
||||||
|
any function in extension. |
||||||
|
|
||||||
|
Before: |
||||||
|
------- |
||||||
|
... src-group 0x1 dst-group 0x2 |
||||||
|
... src-group 0x2 dst-group 0x1 |
||||||
|
|
||||||
|
After: |
||||||
|
------ |
||||||
|
... src-group grp1 dst-group grp2 |
||||||
|
... src-group grp2 dst-group grp1 |
||||||
|
|
||||||
|
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libipt_realm.c | 17 +++++++---------- |
||||||
|
extensions/libxt_devgroup.c | 17 +++++++---------- |
||||||
|
2 files changed, 14 insertions(+), 20 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c |
||||||
|
index a8d9dda0c00c0..fffb1218db7a6 100644 |
||||||
|
--- a/extensions/libipt_realm.c |
||||||
|
+++ b/extensions/libipt_realm.c |
||||||
|
@@ -28,17 +28,10 @@ static const struct xt_option_entry realm_opts[] = { |
||||||
|
XTOPT_TABLEEND, |
||||||
|
}; |
||||||
|
|
||||||
|
-/* array of realms from /etc/iproute2/rt_realms */ |
||||||
|
+static const char f_realms[] = "/etc/iproute2/rt_realms"; |
||||||
|
+/* array of realms from f_realms[] */ |
||||||
|
static struct xtables_lmap *realms; |
||||||
|
|
||||||
|
-static void realm_init(struct xt_entry_match *m) |
||||||
|
-{ |
||||||
|
- const char file[] = "/etc/iproute2/rt_realms"; |
||||||
|
- realms = xtables_lmap_init(file); |
||||||
|
- if (realms == NULL && errno != ENOENT) |
||||||
|
- fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); |
||||||
|
-} |
||||||
|
- |
||||||
|
static void realm_parse(struct xt_option_call *cb) |
||||||
|
{ |
||||||
|
struct xt_realm_info *realminfo = cb->data; |
||||||
|
@@ -114,7 +107,6 @@ static struct xtables_match realm_mt_reg = { |
||||||
|
.size = XT_ALIGN(sizeof(struct xt_realm_info)), |
||||||
|
.userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)), |
||||||
|
.help = realm_help, |
||||||
|
- .init = realm_init, |
||||||
|
.print = realm_print, |
||||||
|
.save = realm_save, |
||||||
|
.x6_parse = realm_parse, |
||||||
|
@@ -123,5 +115,10 @@ static struct xtables_match realm_mt_reg = { |
||||||
|
|
||||||
|
void _init(void) |
||||||
|
{ |
||||||
|
+ realms = xtables_lmap_init(f_realms); |
||||||
|
+ if (realms == NULL && errno != ENOENT) |
||||||
|
+ fprintf(stderr, "Warning: %s: %s\n", f_realms, |
||||||
|
+ strerror(errno)); |
||||||
|
+ |
||||||
|
xtables_register_match(&realm_mt_reg); |
||||||
|
} |
||||||
|
diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c |
||||||
|
index fb1fcb51c1bb2..ebfa2aee80cf2 100644 |
||||||
|
--- a/extensions/libxt_devgroup.c |
||||||
|
+++ b/extensions/libxt_devgroup.c |
||||||
|
@@ -31,17 +31,10 @@ static const struct xt_option_entry devgroup_opts[] = { |
||||||
|
XTOPT_TABLEEND, |
||||||
|
}; |
||||||
|
|
||||||
|
-/* array of devgroups from /etc/iproute2/group */ |
||||||
|
+static const char f_devgroups[] = "/etc/iproute2/group"; |
||||||
|
+/* array of devgroups from f_devgroups[] */ |
||||||
|
static struct xtables_lmap *devgroups; |
||||||
|
|
||||||
|
-static void devgroup_init(struct xt_entry_match *match) |
||||||
|
-{ |
||||||
|
- const char file[] = "/etc/iproute2/group"; |
||||||
|
- devgroups = xtables_lmap_init(file); |
||||||
|
- if (devgroups == NULL && errno != ENOENT) |
||||||
|
- fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); |
||||||
|
-} |
||||||
|
- |
||||||
|
static void devgroup_parse_groupspec(const char *arg, unsigned int *group, |
||||||
|
unsigned int *mask) |
||||||
|
{ |
||||||
|
@@ -157,7 +150,6 @@ static struct xtables_match devgroup_mt_reg = { |
||||||
|
.family = NFPROTO_UNSPEC, |
||||||
|
.size = XT_ALIGN(sizeof(struct xt_devgroup_info)), |
||||||
|
.userspacesize = XT_ALIGN(sizeof(struct xt_devgroup_info)), |
||||||
|
- .init = devgroup_init, |
||||||
|
.help = devgroup_help, |
||||||
|
.print = devgroup_print, |
||||||
|
.save = devgroup_save, |
||||||
|
@@ -168,5 +160,10 @@ static struct xtables_match devgroup_mt_reg = { |
||||||
|
|
||||||
|
void _init(void) |
||||||
|
{ |
||||||
|
+ devgroups = xtables_lmap_init(f_devgroups); |
||||||
|
+ if (devgroups == NULL && errno != ENOENT) |
||||||
|
+ fprintf(stderr, "Warning: %s: %s\n", f_devgroups, |
||||||
|
+ strerror(errno)); |
||||||
|
+ |
||||||
|
xtables_register_match(&devgroup_mt_reg); |
||||||
|
} |
||||||
|
-- |
||||||
|
2.21.0 |
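Review bot: The new `_init()` body in libipt_realm.c (and the identical one in libxt_devgroup.c) opens and parses the mapping file at library load, so every iptables invocation that loads the extension pays for the read and, on any failure other than ENOENT, prints the warning to stderr even when no symbolic name is ever printed; the previous `.init` hook only ran for rules given with `-m`. The `errno` test assumes `xtables_lmap_init()` leaves the failing open's errno intact, which is not visible here — confirm, or have the helper report the cause itself. The two blocks differ only in identifiers; a shared helper such as `static struct xtables_lmap *lmap_init_warn(const char *path)` in the common extension header would keep them from drifting apart.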
||||||
|
|
@ -0,0 +1,72 @@ |
|||||||
|
From 20f5f3c0c3b4cebc60af3d2def0ac983f54bfb06 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:52:01 +0100 |
||||||
|
Subject: [PATCH] extensions: REJECT: Check for array overrun |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: RHEL-only |
||||||
|
|
||||||
|
This might happen in theory if enum ip6t_reject_with was extended in |
||||||
|
kernel and some other tool added a rule making use of the new value. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libip6t_REJECT.c | 8 ++++++++ |
||||||
|
extensions/libipt_REJECT.c | 8 ++++++++ |
||||||
|
2 files changed, 16 insertions(+) |
||||||
|
|
||||||
|
diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c |
||||||
|
index 8085321a6d654..86f2d04296294 100644 |
||||||
|
--- a/extensions/libip6t_REJECT.c |
||||||
|
+++ b/extensions/libip6t_REJECT.c |
||||||
|
@@ -104,6 +104,10 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target, |
||||||
|
for (i = 0; i < ARRAY_SIZE(reject_table); ++i) |
||||||
|
if (reject_table[i].with == reject->with) |
||||||
|
break; |
||||||
|
+ if (i == ARRAY_SIZE(reject_table)) |
||||||
|
+ xtables_error(VERSION_PROBLEM, |
||||||
|
+ "unknown reject type %d in ruleset", |
||||||
|
+ reject->with); |
||||||
|
printf(" reject-with %s", reject_table[i].name); |
||||||
|
} |
||||||
|
|
||||||
|
@@ -116,6 +120,10 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target) |
||||||
|
for (i = 0; i < ARRAY_SIZE(reject_table); ++i) |
||||||
|
if (reject_table[i].with == reject->with) |
||||||
|
break; |
||||||
|
+ if (i == ARRAY_SIZE(reject_table)) |
||||||
|
+ xtables_error(VERSION_PROBLEM, |
||||||
|
+ "unknown reject type %d in ruleset", |
||||||
|
+ reject->with); |
||||||
|
|
||||||
|
printf(" --reject-with %s", reject_table[i].name); |
||||||
|
} |
||||||
|
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c |
||||||
|
index 362c65ed88e96..5573ebd28022c 100644 |
||||||
|
--- a/extensions/libipt_REJECT.c |
||||||
|
+++ b/extensions/libipt_REJECT.c |
||||||
|
@@ -124,6 +124,10 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target, |
||||||
|
for (i = 0; i < ARRAY_SIZE(reject_table); ++i) |
||||||
|
if (reject_table[i].with == reject->with) |
||||||
|
break; |
||||||
|
+ if (i == ARRAY_SIZE(reject_table)) |
||||||
|
+ xtables_error(VERSION_PROBLEM, |
||||||
|
+ "unknown reject type %d in ruleset", |
||||||
|
+ reject->with); |
||||||
|
printf(" reject-with %s", reject_table[i].name); |
||||||
|
} |
||||||
|
|
||||||
|
@@ -136,6 +140,10 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target) |
||||||
|
for (i = 0; i < ARRAY_SIZE(reject_table); ++i) |
||||||
|
if (reject_table[i].with == reject->with) |
||||||
|
break; |
||||||
|
+ if (i == ARRAY_SIZE(reject_table)) |
||||||
|
+ xtables_error(VERSION_PROBLEM, |
||||||
|
+ "unknown reject type %d in ruleset", |
||||||
|
+ reject->with); |
||||||
|
|
||||||
|
printf(" --reject-with %s", reject_table[i].name); |
||||||
|
} |
||||||
|
-- |
||||||
|
2.21.0 |
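Review bot: In `REJECT_print()` the new `xtables_error(VERSION_PROBLEM, ...)` is fatal, so a single rule with an unrecognised `reject->with` aborts the whole `iptables -L` listing instead of degrading for that rule; for `REJECT_save()` a hard stop is defensible because the output could not be restored, but for print a placeholder such as `printf(" reject-with <unknown:%d>", reject->with); return;` keeps the rest of the table visible. This applies to the print hunks in both libip6t_REJECT.c and libipt_REJECT.c. Whether other extensions already abort in the same situation is not visible here; if they do, consistency may outweigh this. Both enclosing functions start outside the hunks.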
||||||
|
|
@ -0,0 +1,48 @@ |
|||||||
|
From 2c7f817f6dc2d74d99248403b0ef7e36bcf060c8 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Wed, 3 Apr 2019 20:29:38 +0200 |
||||||
|
Subject: [PATCH] extensions: libxt_devgroup: Fix the path of the group |
||||||
|
mappings file |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 |
||||||
|
Upstream Status: iptables commit 93ad9ea1b86bd |
||||||
|
|
||||||
|
commit 93ad9ea1b86bdaacffd8e33654abcea3d4e148b2 |
||||||
|
Author: Ana Rey <anarey@gmail.com> |
||||||
|
Date: Thu Sep 18 13:06:42 2014 +0200 |
||||||
|
|
||||||
|
extensions: libxt_devgroup: Fix the path of the group mappings file |
||||||
|
|
||||||
|
Use "/etc/iproute2/group" as the default path to the mapping file |
||||||
|
instead of "/etc/iproute2/group_map". |
||||||
|
|
||||||
|
Signed-off-by: Ana Rey <anarey@gmail.com> |
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_devgroup.c | 4 ++-- |
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c |
||||||
|
index 4a69c8229ce4a..fb1fcb51c1bb2 100644 |
||||||
|
--- a/extensions/libxt_devgroup.c |
||||||
|
+++ b/extensions/libxt_devgroup.c |
||||||
|
@@ -31,12 +31,12 @@ static const struct xt_option_entry devgroup_opts[] = { |
||||||
|
XTOPT_TABLEEND, |
||||||
|
}; |
||||||
|
|
||||||
|
-/* array of devgroups from /etc/iproute2/group_map */ |
||||||
|
+/* array of devgroups from /etc/iproute2/group */ |
||||||
|
static struct xtables_lmap *devgroups; |
||||||
|
|
||||||
|
static void devgroup_init(struct xt_entry_match *match) |
||||||
|
{ |
||||||
|
- const char file[] = "/etc/iproute2/group_map"; |
||||||
|
+ const char file[] = "/etc/iproute2/group"; |
||||||
|
devgroups = xtables_lmap_init(file); |
||||||
|
if (devgroups == NULL && errno != ENOENT) |
||||||
|
fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,57 @@ |
|||||||
|
From 721bb877b759a0c92e6b019447fd3ee33d123cc0 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] ip{, 6}tables-restore: Fix for uninitialized array 'curtable' |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 4e499d53d558b |
||||||
|
|
||||||
|
commit 4e499d53d558bed55c8fe74390250dbfd6da3efc |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:46 2018 +0200 |
||||||
|
|
||||||
|
ip{, 6}tables-restore: Fix for uninitialized array 'curtable' |
||||||
|
|
||||||
|
When reading sufficiently malformed input, parser might hit end of |
||||||
|
loop without having written the current table name into curtable and |
||||||
|
therefore calling strcmp() with uninitialized buffer. Avoid this by |
||||||
|
setting curtable to zero upon declaration. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
iptables/ip6tables-restore.c | 2 +- |
||||||
|
iptables/iptables-restore.c | 2 +- |
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c |
||||||
|
index e2a82c57bd426..d610360a1c1ff 100644 |
||||||
|
--- a/iptables/ip6tables-restore.c |
||||||
|
+++ b/iptables/ip6tables-restore.c |
||||||
|
@@ -192,7 +192,7 @@ int ip6tables_restore_main(int argc, char *argv[]) |
||||||
|
struct xtc_handle *handle = NULL; |
||||||
|
char buffer[10240]; |
||||||
|
int c, lock; |
||||||
|
- char curtable[XT_TABLE_MAXNAMELEN + 1]; |
||||||
|
+ char curtable[XT_TABLE_MAXNAMELEN + 1] = {}; |
||||||
|
FILE *in; |
||||||
|
int in_table = 0, testing = 0; |
||||||
|
const char *tablename = NULL; |
||||||
|
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c |
||||||
|
index af0c79408631d..db77fb77b3c98 100644 |
||||||
|
--- a/iptables/iptables-restore.c |
||||||
|
+++ b/iptables/iptables-restore.c |
||||||
|
@@ -191,7 +191,7 @@ iptables_restore_main(int argc, char *argv[]) |
||||||
|
struct xtc_handle *handle = NULL; |
||||||
|
char buffer[10240]; |
||||||
|
int c, lock; |
||||||
|
- char curtable[XT_TABLE_MAXNAMELEN + 1]; |
||||||
|
+ char curtable[XT_TABLE_MAXNAMELEN + 1] = {}; |
||||||
|
FILE *in; |
||||||
|
int in_table = 0, testing = 0; |
||||||
|
const char *tablename = NULL; |
||||||
|
-- |
||||||
|
2.21.0 |
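Review bot: `char curtable[XT_TABLE_MAXNAMELEN + 1] = {};` uses the empty-initializer form, which is a GNU extension before C23; `= {0}` zero-fills identically in standard C11 and avoids a diagnostic under `-pedantic`. The same line appears in both the ip6tables-restore.c and iptables-restore.c hunks. Zeroing makes the later `strcmp()` well-defined, but a table name that was never set now compares as the empty string; if the parsing loop can exit that way on malformed input, an explicit "no table declared" error would be clearer than relying on the mismatch (the loop is outside the hunk). Both enclosing functions start outside the hunks.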
||||||
|
|
@ -0,0 +1,50 @@ |
|||||||
|
From c360c1d2af887c8e614ec152fb64717e56fb472d Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Tue, 9 Apr 2019 15:22:44 +0200 |
||||||
|
Subject: [PATCH] iptables-xml: fix segfault if missing space after -A |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit f53b78e423d82 |
||||||
|
|
||||||
|
commit f53b78e423d82b0c71c076480f52edeb5eaec5f8 |
||||||
|
Author: Phil Oester <kernel@linuxace.com> |
||||||
|
Date: Thu Jan 23 22:06:58 2014 -0800 |
||||||
|
|
||||||
|
iptables-xml: fix segfault if missing space after -A |
||||||
|
|
||||||
|
As pointed out by Bernhard Reutner-Fischer, a malformed line fed to |
||||||
|
iptables-xml such as the below with a missing space after the -A: |
||||||
|
|
||||||
|
-APOSTROUTING -d 1.1.1.1/32 -p tcp -j MASQUERADE |
||||||
|
|
||||||
|
causes a segfault. Patch attached. |
||||||
|
|
||||||
|
This closes netfilter bugzilla #886. |
||||||
|
|
||||||
|
Signed-off-by: Phil Oester <kernel@linuxace.com> |
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
iptables/iptables-xml.c | 5 +++++ |
||||||
|
1 file changed, 5 insertions(+) |
||||||
|
|
||||||
|
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c |
||||||
|
index 49f8ea2826181..769f76550b764 100644 |
||||||
|
--- a/iptables/iptables-xml.c |
||||||
|
+++ b/iptables/iptables-xml.c |
||||||
|
@@ -777,6 +777,11 @@ iptables_xml_main(int argc, char *argv[]) |
||||||
|
for (a = 0; a < newargc; a++) |
||||||
|
DEBUGP("argv[%u]: %s\n", a, newargv[a]); |
||||||
|
|
||||||
|
+ if (!chain) { |
||||||
|
+ fprintf(stderr, "%s: line %u failed - no chain found\n", |
||||||
|
+ prog_name, line); |
||||||
|
+ exit(1); |
||||||
|
+ } |
||||||
|
needChain(chain);// Should we explicitly look for -A |
||||||
|
do_rule(pcnt, bcnt, newargc, newargv, newargvattr); |
||||||
|
|
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,59 @@ |
|||||||
|
From 72859f25cb799ba4ac0b532c59bd01be70950f00 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libiptc: Avoid side-effect in memset() calls |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit e6f986762667e |
||||||
|
|
||||||
|
commit e6f986762667ee2b2d61e7978d460f28916158a3 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Mon Sep 10 23:35:14 2018 +0200 |
||||||
|
|
||||||
|
libiptc: Avoid side-effect in memset() calls |
||||||
|
|
||||||
|
These calls to memset() are passed a length argument which exceeds |
||||||
|
t->target.u.user.name's length by one byte and hence overwrite |
||||||
|
t->target.u.user.revision as well (relying upon no padding to happen |
||||||
|
between both). |
||||||
|
|
||||||
|
Avoid this obscure behaviour by passing the correct field size and |
||||||
|
explicitly overwriting 'revision' field. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libiptc/libiptc.c | 6 ++++-- |
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c |
||||||
|
index d2427c16a5254..4c0fbd5d7e68c 100644 |
||||||
|
--- a/libiptc/libiptc.c |
||||||
|
+++ b/libiptc/libiptc.c |
||||||
|
@@ -1115,8 +1115,9 @@ static inline int iptcc_compile_rule (struct xtc_handle *h, STRUCT_REPLACE *repl |
||||||
|
STRUCT_STANDARD_TARGET *t; |
||||||
|
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry); |
||||||
|
/* memset for memcmp convenience on delete/replace */ |
||||||
|
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN); |
||||||
|
+ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN); |
||||||
|
strcpy(t->target.u.user.name, STANDARD_TARGET); |
||||||
|
+ t->target.u.user.revision = 0; |
||||||
|
/* Jumps can only happen to builtin chains, so we |
||||||
|
* can safely assume that they always have a header */ |
||||||
|
t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE; |
||||||
|
@@ -1676,8 +1677,9 @@ iptcc_standard_map(struct rule_head *r, int verdict) |
||||||
|
return 0; |
||||||
|
} |
||||||
|
/* memset for memcmp convenience on delete/replace */ |
||||||
|
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN); |
||||||
|
+ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN); |
||||||
|
strcpy(t->target.u.user.name, STANDARD_TARGET); |
||||||
|
+ t->target.u.user.revision = 0; |
||||||
|
t->verdict = verdict; |
||||||
|
|
||||||
|
r->type = IPTCC_R_STANDARD; |
||||||
|
-- |
||||||
|
2.21.0 |
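Review bot: `memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN);` still takes the length from a macro rather than from the field, which is exactly how the one-byte overrun this commit removes crept in; `memset(t->target.u.user.name, 0, sizeof(t->target.u.user.name));` ties the length to the struct so the two cannot drift apart again. The same applies to the second hunk in `iptcc_standard_map()`. The following `strcpy()` of `STANDARD_TARGET` stays unbounded and is safe only while that literal fits the field, which presumably holds today but deserves a short comment on the line. Both enclosing functions start outside the hunks.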
||||||
|
|
@ -0,0 +1,44 @@ |
|||||||
|
From 9dfd443c3828a3e9a3cf5cf2afb9f0324bacb19a Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libiptc: NULL-terminate errorname |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit a76ba54e28337 |
||||||
|
|
||||||
|
commit a76ba54e2833761c46fd57cbe2486cbc38686717 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Mon Sep 24 19:25:22 2018 +0200 |
||||||
|
|
||||||
|
libiptc: NULL-terminate errorname |
||||||
|
|
||||||
|
In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence |
||||||
|
copying its content into 'error_name' field of struct xt_error_target |
||||||
|
which is two bytes shorter may overflow. Make sure this doesn't happen |
||||||
|
by using strncpy() and set the last byte to zero. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libiptc/libiptc.c | 3 ++- |
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c |
||||||
|
index f6a9862ea9f4d..d2427c16a5254 100644 |
||||||
|
--- a/libiptc/libiptc.c |
||||||
|
+++ b/libiptc/libiptc.c |
||||||
|
@@ -1149,7 +1149,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc |
||||||
|
strcpy(head->name.target.u.user.name, ERROR_TARGET); |
||||||
|
head->name.target.u.target_size = |
||||||
|
ALIGN(sizeof(struct xt_error_target)); |
||||||
|
- strcpy(head->name.errorname, c->name); |
||||||
|
+ strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN); |
||||||
|
+ head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0'; |
||||||
|
} else { |
||||||
|
repl->hook_entry[c->hooknum-1] = c->head_offset; |
||||||
|
repl->underflow[c->hooknum-1] = c->foot_offset; |
||||||
|
-- |
||||||
|
2.21.0 |
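Review bot: The new `strncpy()` plus manual terminator silently truncates a chain name of `XT_FUNCTION_MAXNAMELEN - 1` characters or more, so the error target would carry a different name than the chain the user created; if the front ends already reject chain names that long, the truncation is unreachable defence in depth, otherwise rejecting the name at chain creation is the better fix, and a comment here should say which case holds. Either way `sizeof(head->name.errorname)` is preferable to the macro for both the length and the terminator index, e.g. `snprintf(head->name.errorname, sizeof(head->name.errorname), "%s", c->name);` which bounds and terminates in one call. `iptcc_compile_chain()` starts outside the hunk.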
||||||
|
|
@ -0,0 +1,74 @@ |
|||||||
|
From e64b48b46cec83203ff8de80a1c56be2c40b2c7d Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] libiptc: Simplify alloc_handle() function signature |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 22ef371abeeec |
||||||
|
|
||||||
|
commit 22ef371abeeec789bb6a701352dcb961556595c2 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:53 2018 +0200 |
||||||
|
|
||||||
|
libiptc: Simplify alloc_handle() function signature |
||||||
|
|
||||||
|
This change originated from covscan complaining about the strcpy() call |
||||||
|
with an unknown size source buffer. But in fact, the size is known (and |
||||||
|
equal to the destination size), so pass a pointer to STRUCT_GETINFO to |
||||||
|
alloc_handle() instead of it's fields separately. Hopefully this will |
||||||
|
silence covscan. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libiptc/libiptc.c | 14 +++++++------- |
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-) |
||||||
|
|
||||||
|
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c |
||||||
|
index 1f61fde53f1db..f6a9862ea9f4d 100644 |
||||||
|
--- a/libiptc/libiptc.c |
||||||
|
+++ b/libiptc/libiptc.c |
||||||
|
@@ -1269,7 +1269,7 @@ static int iptcc_compile_table(struct xtc_handle *h, STRUCT_REPLACE *repl) |
||||||
|
|
||||||
|
/* Allocate handle of given size */ |
||||||
|
static struct xtc_handle * |
||||||
|
-alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) |
||||||
|
+alloc_handle(STRUCT_GETINFO *infop) |
||||||
|
{ |
||||||
|
struct xtc_handle *h; |
||||||
|
|
||||||
|
@@ -1280,14 +1280,14 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) |
||||||
|
} |
||||||
|
memset(h, 0, sizeof(*h)); |
||||||
|
INIT_LIST_HEAD(&h->chains); |
||||||
|
- strcpy(h->info.name, tablename); |
||||||
|
+ strcpy(h->info.name, infop->name); |
||||||
|
|
||||||
|
- h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size); |
||||||
|
+ h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + infop->size); |
||||||
|
if (!h->entries) |
||||||
|
goto out_free_handle; |
||||||
|
|
||||||
|
- strcpy(h->entries->name, tablename); |
||||||
|
- h->entries->size = size; |
||||||
|
+ strcpy(h->entries->name, infop->name); |
||||||
|
+ h->entries->size = infop->size; |
||||||
|
|
||||||
|
return h; |
||||||
|
|
||||||
|
@@ -1336,8 +1336,8 @@ retry: |
||||||
|
DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n", |
||||||
|
info.valid_hooks, info.num_entries, info.size); |
||||||
|
|
||||||
|
- if ((h = alloc_handle(info.name, info.size, info.num_entries)) |
||||||
|
- == NULL) { |
||||||
|
+ h = alloc_handle(&info); |
||||||
|
+ if (h == NULL) { |
||||||
|
close(sockfd); |
||||||
|
return NULL; |
||||||
|
} |
||||||
|
-- |
||||||
|
2.21.0 |
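Review bot: `strcpy(h->info.name, infop->name);` (and the matching `h->entries->name` copy) is bounded only by the assumption that the kernel-filled `infop->name` is NUL-terminated within its array; since both sides are the same fixed-size field, `memcpy(h->info.name, infop->name, sizeof(h->info.name));` copies exactly the field with no dependence on termination and addresses the covscan complaint directly rather than by argument. The dropped `num_rules` argument was unused, so the signature change is behaviour-neutral. `alloc_handle()` ends outside the second hunk and the caller hunk begins mid-function.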
||||||
|
|
@ -0,0 +1,42 @@ |
|||||||
|
From a7bb46f478443597a7e97e81adb13d9619f4b1a7 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libxt_LED: Avoid string overrun while parsing led-trigger-id |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit d0c1f1b4ad4e3 |
||||||
|
|
||||||
|
commit d0c1f1b4ad4e3b91220a03514031ee879db832d0 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:48 2018 +0200 |
||||||
|
|
||||||
|
libxt_LED: Avoid string overrun while parsing led-trigger-id |
||||||
|
|
||||||
|
Instead of using strcat() and assuming the name will fit, print into the |
||||||
|
buffer using snprintf() which truncates the string as needed. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_LED.c | 3 +-- |
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_LED.c b/extensions/libxt_LED.c |
||||||
|
index 8622c379e68bc..6ada795056431 100644 |
||||||
|
--- a/extensions/libxt_LED.c |
||||||
|
+++ b/extensions/libxt_LED.c |
||||||
|
@@ -53,8 +53,7 @@ static void LED_parse(struct xt_option_call *cb) |
||||||
|
xtables_option_parse(cb); |
||||||
|
switch (cb->entry->id) { |
||||||
|
case O_LED_TRIGGER_ID: |
||||||
|
- strcpy(led->id, "netfilter-"); |
||||||
|
- strcat(led->id, cb->arg); |
||||||
|
+ snprintf(led->id, sizeof(led->id), "netfilter-%s", cb->arg); |
||||||
|
break; |
||||||
|
case O_LED_DELAY: |
||||||
|
if (strncasecmp(cb->arg, "inf", 3) == 0) |
||||||
|
-- |
||||||
|
2.21.0 |
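Review bot: The return value of the new `snprintf()` is not checked, so a `--led-trigger-id` longer than the field silently yields a truncated trigger name that differs from what the user asked for; the overrun is gone, but the user gets no signal. A check after the call makes it explicit: `if (snprintf(led->id, sizeof(led->id), "netfilter-%s", cb->arg) >= (int)sizeof(led->id))` followed by `xtables_error(PARAMETER_PROBLEM, "led-trigger-id is too long");`. `LED_parse()` starts outside the hunk.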
||||||
|
|
@ -0,0 +1,62 @@ |
|||||||
|
From de7ba61cf107f43223eeb640267d24e187047c29 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libxt_conntrack: Avoid potential buffer overrun |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 8e798e050367d |
||||||
|
|
||||||
|
commit 8e798e050367dfe43bb958f11dd3170b03bda49e |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:50 2018 +0200 |
||||||
|
|
||||||
|
libxt_conntrack: Avoid potential buffer overrun |
||||||
|
|
||||||
|
In print_addr(), a resolved hostname is written into a buffer without |
||||||
|
size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an |
||||||
|
issue, though covscan complained about it. Fix the code by using |
||||||
|
conntrack_dump_addr() as an example. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_conntrack.c | 14 +++++++------- |
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c |
||||||
|
index 3e7075760d40f..804aa23638ca1 100644 |
||||||
|
--- a/extensions/libxt_conntrack.c |
||||||
|
+++ b/extensions/libxt_conntrack.c |
||||||
|
@@ -673,20 +673,20 @@ static void |
||||||
|
print_addr(const struct in_addr *addr, const struct in_addr *mask, |
||||||
|
int inv, int numeric) |
||||||
|
{ |
||||||
|
- char buf[BUFSIZ]; |
||||||
|
- |
||||||
|
if (inv) |
||||||
|
printf(" !"); |
||||||
|
|
||||||
|
if (mask->s_addr == 0L && !numeric) |
||||||
|
- printf(" %s", "anywhere"); |
||||||
|
+ printf(" anywhere"); |
||||||
|
else { |
||||||
|
if (numeric) |
||||||
|
- strcpy(buf, xtables_ipaddr_to_numeric(addr)); |
||||||
|
+ printf(" %s%s", |
||||||
|
+ xtables_ipaddr_to_numeric(addr), |
||||||
|
+ xtables_ipmask_to_numeric(mask)); |
||||||
|
else |
||||||
|
- strcpy(buf, xtables_ipaddr_to_anyname(addr)); |
||||||
|
- strcat(buf, xtables_ipmask_to_numeric(mask)); |
||||||
|
- printf(" %s", buf); |
||||||
|
+ printf(" %s%s", |
||||||
|
+ xtables_ipaddr_to_anyname(addr), |
||||||
|
+ xtables_ipmask_to_numeric(mask)); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
-- |
||||||
|
2.21.0 |
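Review bot: The rewritten `print_addr()` passes the results of two helpers into one `printf()`; that is correct only while `xtables_ipaddr_to_numeric()`/`xtables_ipaddr_to_anyname()` and `xtables_ipmask_to_numeric()` return distinct buffers, which the hunk cannot show — if they ever shared one static buffer, the second call would overwrite the first before the format was applied. A one-line comment such as `/* each helper returns its own static buffer; keep the two calls in one printf only while that holds */` above the first `printf(" %s%s", ...)` would record the assumption. The same pattern is introduced in both hunks of the libxt_ipvs.c patch further down this page, where the same comment applies.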
||||||
|
|
@ -0,0 +1,50 @@ |
|||||||
|
From c923062439297cbf5b08429123ba214b4efc8798 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:34 +0100 |
||||||
|
Subject: [PATCH] libxt_conntrack: Version 0 does not support |
||||||
|
XT_CONNTRACK_DIRECTION |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 74eb2395c8384 |
||||||
|
|
||||||
|
commit 74eb2395c838460384286c2b95f711ae275a46cb |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:49 2018 +0200 |
||||||
|
|
||||||
|
libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION |
||||||
|
|
||||||
|
Since sinfo->flags is only 8 bytes large, checking for |
||||||
|
XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return |
||||||
|
false, so drop this dead code. |
||||||
|
|
||||||
|
Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir") |
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_conntrack.c | 8 -------- |
||||||
|
1 file changed, 8 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c |
||||||
|
index 128bbd20a34c2..3e7075760d40f 100644 |
||||||
|
--- a/extensions/libxt_conntrack.c |
||||||
|
+++ b/extensions/libxt_conntrack.c |
||||||
|
@@ -774,14 +774,6 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, |
||||||
|
else |
||||||
|
printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max); |
||||||
|
} |
||||||
|
- |
||||||
|
- if (sinfo->flags & XT_CONNTRACK_DIRECTION) { |
||||||
|
- if (sinfo->invflags & XT_CONNTRACK_DIRECTION) |
||||||
|
- printf(" %sctdir REPLY", optpfx); |
||||||
|
- else |
||||||
|
- printf(" %sctdir ORIGINAL", optpfx); |
||||||
|
- } |
||||||
|
- |
||||||
|
} |
||||||
|
|
||||||
|
static void |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,77 @@ |
|||||||
|
From 0bf795555728e54db2593a73f90d7820cf3ef4c6 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:34 +0100 |
||||||
|
Subject: [PATCH] libxt_ipvs: Avoid potential buffer overrun |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 749d3c2ecd6a9 |
||||||
|
|
||||||
|
commit 749d3c2ecd6a9dc21f5a442c44495cb705621dff |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:51 2018 +0200 |
||||||
|
|
||||||
|
libxt_ipvs: Avoid potential buffer overrun |
||||||
|
|
||||||
|
Just like with libxt_conntrack, get rid of the temporary buffer. The |
||||||
|
comment even states that it was copied from there, so just make them |
||||||
|
identical again. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_ipvs.c | 22 ++++++++++++---------- |
||||||
|
1 file changed, 12 insertions(+), 10 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c |
||||||
|
index 46727660a027a..a6c57a030d2c6 100644 |
||||||
|
--- a/extensions/libxt_ipvs.c |
||||||
|
+++ b/extensions/libxt_ipvs.c |
||||||
|
@@ -126,19 +126,19 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr, |
||||||
|
const union nf_inet_addr *mask, |
||||||
|
unsigned int family, bool numeric) |
||||||
|
{ |
||||||
|
- char buf[BUFSIZ]; |
||||||
|
- |
||||||
|
if (family == NFPROTO_IPV4) { |
||||||
|
if (!numeric && addr->ip == 0) { |
||||||
|
printf(" anywhere"); |
||||||
|
return; |
||||||
|
} |
||||||
|
if (numeric) |
||||||
|
- strcpy(buf, xtables_ipaddr_to_numeric(&addr->in)); |
||||||
|
+ printf(" %s%s", |
||||||
|
+ xtables_ipaddr_to_numeric(&addr->in), |
||||||
|
+ xtables_ipmask_to_numeric(&mask->in)); |
||||||
|
else |
||||||
|
- strcpy(buf, xtables_ipaddr_to_anyname(&addr->in)); |
||||||
|
- strcat(buf, xtables_ipmask_to_numeric(&mask->in)); |
||||||
|
- printf(" %s", buf); |
||||||
|
+ printf(" %s%s", |
||||||
|
+ xtables_ipaddr_to_anyname(&addr->in), |
||||||
|
+ xtables_ipmask_to_numeric(&mask->in)); |
||||||
|
} else if (family == NFPROTO_IPV6) { |
||||||
|
if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 && |
||||||
|
addr->ip6[2] == 0 && addr->ip6[3] == 0) { |
||||||
|
@@ -146,11 +146,13 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr, |
||||||
|
return; |
||||||
|
} |
||||||
|
if (numeric) |
||||||
|
- strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6)); |
||||||
|
+ printf(" %s%s", |
||||||
|
+ xtables_ip6addr_to_numeric(&addr->in6), |
||||||
|
+ xtables_ip6mask_to_numeric(&mask->in6)); |
||||||
|
else |
||||||
|
- strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6)); |
||||||
|
- strcat(buf, xtables_ip6mask_to_numeric(&mask->in6)); |
||||||
|
- printf(" %s", buf); |
||||||
|
+ printf(" %s%s", |
||||||
|
+ xtables_ip6addr_to_anyname(&addr->in6), |
||||||
|
+ xtables_ip6mask_to_numeric(&mask->in6)); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
-- |
||||||
|
2.21.0 |
||||||
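Review bot: Each new `printf(" %s%s", ...)` evaluates the address formatter and the mask formatter as arguments of one call, so the output is only right if the two helpers do not hand back the same static buffer; their definitions are not in the hunk, so this rests on the commit's claim that the printed text is unchanged. A one-line comment above the first such call would protect the invariant, e.g. `/* addr and mask helpers return distinct static buffers, so both may be used in one printf() */`. The three-line `printf` bodies under `if (numeric)` and `else` are unbraced, which is fragile if a statement is ever added; braces would be the safer style for both hunks.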
|
|
@ -0,0 +1,54 @@ |
|||||||
|
From 61fd4ee73f2a23eeb2b10b24d19ac13deaf0c177 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libxt_recent: Remove ineffective checks for info->name |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit d0e3d95fa3442 |
||||||
|
|
||||||
|
commit d0e3d95fa3442c6ff32f7fed3e0d2eeb2248ef9f |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Fri Oct 20 13:24:36 2017 +0200 |
||||||
|
|
||||||
|
libxt_recent: Remove ineffective checks for info->name |
||||||
|
|
||||||
|
In struct xt_recent_mtinfo{,_v1}, field 'name' is an array, not a |
||||||
|
pointer. So there is no point in comparing it against NULL. Changing the |
||||||
|
check to make sure it's content is not an empty string is pointless |
||||||
|
either, since a non-empty default string is used and the argument parser |
||||||
|
will refuse empty strings as --name argument. So simply get rid of the |
||||||
|
checks altogether. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_recent.c | 4 ++-- |
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c |
||||||
|
index e1801f1c18952..055ae35080346 100644 |
||||||
|
--- a/extensions/libxt_recent.c |
||||||
|
+++ b/extensions/libxt_recent.c |
||||||
|
@@ -199,7 +199,7 @@ static void recent_print(const void *ip, const struct xt_entry_match *match, |
||||||
|
if(info->hit_count) printf(" hit_count: %d", info->hit_count); |
||||||
|
if (info->check_set & XT_RECENT_TTL) |
||||||
|
printf(" TTL-Match"); |
||||||
|
- if(info->name) printf(" name: %s", info->name); |
||||||
|
+ printf(" name: %s", info->name); |
||||||
|
if (info->side == XT_RECENT_SOURCE) |
||||||
|
printf(" side: source"); |
||||||
|
if (info->side == XT_RECENT_DEST) |
||||||
|
@@ -239,7 +239,7 @@ static void recent_save(const void *ip, const struct xt_entry_match *match, |
||||||
|
if(info->hit_count) printf(" --hitcount %d", info->hit_count); |
||||||
|
if (info->check_set & XT_RECENT_TTL) |
||||||
|
printf(" --rttl"); |
||||||
|
- if(info->name) printf(" --name %s",info->name); |
||||||
|
+ printf(" --name %s",info->name); |
||||||
|
|
||||||
|
switch(family) { |
||||||
|
case NFPROTO_IPV4: |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
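Review bot: The now-unconditional `printf(" name: %s", info->name)` in recent_print and `printf(" --name %s",info->name)` in recent_save rely entirely on `info->name` being NUL-terminated within its fixed-size array; the commit message argues the option parser guarantees a non-empty, bounded string, but that guarantee is not visible here, so a comment at the first site would help: `/* name is a NUL-terminated array; the parser rejects empty and overlong names */`. Style nit in the second hunk: the argument list lacks a space after the comma — `printf(" --name %s", info->name);`.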
|
|
@ -0,0 +1,51 @@ |
|||||||
|
From db1fcba4cade70fd86e615246bb03acd94cc4cd9 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] libxt_sctp: fix array out of range in print_chunk |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 71de414c21f7f |
||||||
|
Conflicts: Dropped changes to non-existing libxt_sctp.t. |
||||||
|
|
||||||
|
commit 71de414c21f7f31270e5d62e782e52257e5c3d06 |
||||||
|
Author: huaibin Wang <huaibin.wang@6wind.com> |
||||||
|
Date: Mon Nov 13 14:27:54 2017 +0100 |
||||||
|
|
||||||
|
libxt_sctp: fix array out of range in print_chunk |
||||||
|
|
||||||
|
For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type |
||||||
|
is not equal to the corresponding index in sctp_chunk_names[]. Using this field |
||||||
|
leads to a segmentation fault (index out of range). |
||||||
|
|
||||||
|
Example |
||||||
|
$ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT |
||||||
|
$ iptables -L |
||||||
|
Chain INPUT (policy ACCEPT) |
||||||
|
target prot opt source destination |
||||||
|
Segmentation fault |
||||||
|
|
||||||
|
Signed-off-by: huaibin Wang <huaibin.wang@6wind.com> |
||||||
|
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> |
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_sctp.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c |
||||||
|
index 56a4cdf229390..cfd4c12330479 100644 |
||||||
|
--- a/extensions/libxt_sctp.c |
||||||
|
+++ b/extensions/libxt_sctp.c |
||||||
|
@@ -370,7 +370,7 @@ print_chunk(uint32_t chunknum, int numeric) |
||||||
|
|
||||||
|
for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) |
||||||
|
if (sctp_chunk_names[i].chunk_type == chunknum) |
||||||
|
- printf("%s", sctp_chunk_names[chunknum].name); |
||||||
|
+ printf("%s", sctp_chunk_names[i].name); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
-- |
||||||
|
2.21.0 |
||||||
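Review bot: The loop in print_chunk keeps scanning sctp_chunk_names after the matching entry has been printed; a `break;` after the `printf` would make the one-to-one lookup explicit and prevent a duplicate table entry from printing twice. Because the table index and `chunk_type` diverge for some entries (the root cause described in the commit message), a short comment above the loop such as `/* chunk_type is not the array index; search the table */` would stop the original indexing bug from being reintroduced. The body of print_chunk starts outside the hunk.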
|
|
@ -0,0 +1,46 @@ |
|||||||
|
From d9b22d809995f16b2bc988c8f72d70a5cd3e86d1 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] libxt_string: Avoid potential array out of bounds access |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 56d7ab42f3782 |
||||||
|
|
||||||
|
commit 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Mon Sep 10 23:35:16 2018 +0200 |
||||||
|
|
||||||
|
libxt_string: Avoid potential array out of bounds access |
||||||
|
|
||||||
|
The pattern index variable 'sindex' is bounds checked before |
||||||
|
incrementing it, which means in the next loop iteration it might already |
||||||
|
match the bounds check condition but is used anyway. |
||||||
|
|
||||||
|
Fix this by incrementing the index before performing the bounds check. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_string.c | 3 +-- |
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c |
||||||
|
index fb15980e4a73f..d298c6a7081e7 100644 |
||||||
|
--- a/extensions/libxt_string.c |
||||||
|
+++ b/extensions/libxt_string.c |
||||||
|
@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info) |
||||||
|
info->pattern[sindex] = s[i]; |
||||||
|
i++; |
||||||
|
} |
||||||
|
- if (sindex > XT_STRING_MAX_PATTERN_SIZE) |
||||||
|
+ if (++sindex > XT_STRING_MAX_PATTERN_SIZE) |
||||||
|
xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); |
||||||
|
- sindex++; |
||||||
|
} |
||||||
|
info->patlen = sindex; |
||||||
|
} |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
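Review bot: The post-increment check `if (++sindex > XT_STRING_MAX_PATTERN_SIZE)` still lets `sindex` reach XT_STRING_MAX_PATTERN_SIZE and be used as the index in `info->pattern[sindex] = s[i]` on the next iteration, which is one past the end of the array. Changing the comparison to `>=` is not an option, because the increment after the final byte is also what feeds `info->patlen`; the check belongs at the top of the loop, before any write. The follow-up patch further down this page ("libxt_string: Fix array out of bounds check") does exactly that, so the two should be applied together. parse_hex_string continues outside the hunk.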
|
|
@ -0,0 +1,62 @@ |
|||||||
|
From 5790cacab5a3fd7bde26056fa0f8b4650bd21bb7 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] libxt_string: Fix array out of bounds check |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 6fc7762f6f785 |
||||||
|
|
||||||
|
commit 6fc7762f6f78526e3cb0c189ac2778a6be4c00b5 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Mon Sep 17 13:38:33 2018 +0200 |
||||||
|
|
||||||
|
libxt_string: Fix array out of bounds check |
||||||
|
|
||||||
|
Commit 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds |
||||||
|
access") tried to fix parse_hex_string() for overlong strings but the |
||||||
|
change still allowed for 'sindex' to become XT_STRING_MAX_PATTERN_SIZE |
||||||
|
which leads to access of first byte after info->pattern. This is not |
||||||
|
really a problem because it merely overwrites info->patlen before |
||||||
|
calling xtables_error() later, but covscan still detects it so it's |
||||||
|
still worth fixing. |
||||||
|
|
||||||
|
The crucial bit here is that 'sindex' has to be incremented at end of |
||||||
|
the last iteration since its value is used for info->patlen. Hence just |
||||||
|
move the overflow check to the beginning of the loop. |
||||||
|
|
||||||
|
Fixes: 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds access") |
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_string.c | 6 ++++-- |
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c |
||||||
|
index d298c6a7081e7..7c6366cbbf1b3 100644 |
||||||
|
--- a/extensions/libxt_string.c |
||||||
|
+++ b/extensions/libxt_string.c |
||||||
|
@@ -103,6 +103,9 @@ parse_hex_string(const char *s, struct xt_string_info *info) |
||||||
|
} |
||||||
|
|
||||||
|
while (i < slen) { |
||||||
|
+ if (sindex >= XT_STRING_MAX_PATTERN_SIZE) |
||||||
|
+ xtables_error(PARAMETER_PROBLEM, |
||||||
|
+ "STRING too long \"%s\"", s); |
||||||
|
if (s[i] == '\\' && !hex_f) { |
||||||
|
literal_f = 1; |
||||||
|
} else if (s[i] == '\\') { |
||||||
|
@@ -159,8 +162,7 @@ parse_hex_string(const char *s, struct xt_string_info *info) |
||||||
|
info->pattern[sindex] = s[i]; |
||||||
|
i++; |
||||||
|
} |
||||||
|
- if (++sindex > XT_STRING_MAX_PATTERN_SIZE) |
||||||
|
- xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); |
||||||
|
+ sindex++; |
||||||
|
} |
||||||
|
info->patlen = sindex; |
||||||
|
} |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
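Review bot: The new bounds check at the top of the `while (i < slen)` loop is placed there for a non-obvious reason: the trailing `sindex++` must still run after the final byte because `info->patlen = sindex` depends on it, so checking after the increment either rejects a pattern of exactly XT_STRING_MAX_PATTERN_SIZE bytes or, as before, writes one past the array. A comment above the check would keep a later refactor from moving it back, e.g. `/* check before this iteration's write; sindex doubles as the final length, so it must still be incremented after the last byte */`. The loop body between the two hunks is outside view, so the assumption that each iteration writes `info->pattern[sindex]` at most once is taken from the commit message rather than the code shown.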
|
|
@ -0,0 +1,59 @@ |
|||||||
|
From c6d6426921160fb554871fbe201722963f8a917c Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] libxt_time: Drop initialization of variable 'year' |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 6b7145fa2112e |
||||||
|
|
||||||
|
commit 6b7145fa2112e257073cc44346e9891fa23ce9c2 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:52 2018 +0200 |
||||||
|
|
||||||
|
libxt_time: Drop initialization of variable 'year' |
||||||
|
|
||||||
|
The variable is not read before being assigned the return value of |
||||||
|
strtoul(), thefore the initialization is useless. And since after this |
||||||
|
change parameter 'end' becomes unused, drop it as well. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libxt_time.c | 8 ++++---- |
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c |
||||||
|
index 9c5bda88c1c78..5a8cc5de13031 100644 |
||||||
|
--- a/extensions/libxt_time.c |
||||||
|
+++ b/extensions/libxt_time.c |
||||||
|
@@ -88,10 +88,10 @@ static void time_init(struct xt_entry_match *m) |
||||||
|
info->date_stop = INT_MAX; |
||||||
|
} |
||||||
|
|
||||||
|
-static time_t time_parse_date(const char *s, bool end) |
||||||
|
+static time_t time_parse_date(const char *s) |
||||||
|
{ |
||||||
|
unsigned int month = 1, day = 1, hour = 0, minute = 0, second = 0; |
||||||
|
- unsigned int year = end ? 2038 : 1970; |
||||||
|
+ unsigned int year; |
||||||
|
const char *os = s; |
||||||
|
struct tm tm; |
||||||
|
time_t ret; |
||||||
|
@@ -265,10 +265,10 @@ static void time_parse(struct xt_option_call *cb) |
||||||
|
xtables_option_parse(cb); |
||||||
|
switch (cb->entry->id) { |
||||||
|
case O_DATE_START: |
||||||
|
- info->date_start = time_parse_date(cb->arg, false); |
||||||
|
+ info->date_start = time_parse_date(cb->arg); |
||||||
|
break; |
||||||
|
case O_DATE_STOP: |
||||||
|
- info->date_stop = time_parse_date(cb->arg, true); |
||||||
|
+ info->date_stop = time_parse_date(cb->arg); |
||||||
|
break; |
||||||
|
case O_TIME_START: |
||||||
|
info->daytime_start = time_parse_minutes(cb->arg); |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,91 @@ |
|||||||
|
From 3f4e13d60ddbb61bc3256221a98f5c5a954f6f5c Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libxtables: Avoid calling memcpy() with NULL source |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit ab639f236ff85 |
||||||
|
|
||||||
|
commit ab639f236ff85d2f447cc6601c7ff42cefdaf853 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:54 2018 +0200 |
||||||
|
|
||||||
|
libxtables: Avoid calling memcpy() with NULL source |
||||||
|
|
||||||
|
Both affected functions check if 'oldopts' is NULL once but later seem |
||||||
|
to ignore that possibility. To catch up on that, increment the pointer |
||||||
|
only if it isn't NULL, also don't copy its content into the merged |
||||||
|
options buffer in that case. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libxtables/xtables.c | 12 ++++++++---- |
||||||
|
libxtables/xtoptions.c | 12 ++++++++---- |
||||||
|
2 files changed, 16 insertions(+), 8 deletions(-) |
||||||
|
|
||||||
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c |
||||||
|
index 4a014e48a9f45..cf9a59d5ec095 100644 |
||||||
|
--- a/libxtables/xtables.c |
||||||
|
+++ b/libxtables/xtables.c |
||||||
|
@@ -119,8 +119,10 @@ struct option *xtables_merge_options(struct option *orig_opts, |
||||||
|
* Since @oldopts also has @orig_opts already (and does so at the |
||||||
|
* start), skip these entries. |
||||||
|
*/ |
||||||
|
- oldopts += num_oold; |
||||||
|
- num_old -= num_oold; |
||||||
|
+ if (oldopts != NULL) { |
||||||
|
+ oldopts += num_oold; |
||||||
|
+ num_old -= num_oold; |
||||||
|
+ } |
||||||
|
|
||||||
|
merge = malloc(sizeof(*mp) * (num_oold + num_old + num_new + 1)); |
||||||
|
if (merge == NULL) |
||||||
|
@@ -139,8 +141,10 @@ struct option *xtables_merge_options(struct option *orig_opts, |
||||||
|
mp->val += *option_offset; |
||||||
|
|
||||||
|
/* Third, the old options */ |
||||||
|
- memcpy(mp, oldopts, sizeof(*mp) * num_old); |
||||||
|
- mp += num_old; |
||||||
|
+ if (oldopts != NULL) { |
||||||
|
+ memcpy(mp, oldopts, sizeof(*mp) * num_old); |
||||||
|
+ mp += num_old; |
||||||
|
+ } |
||||||
|
xtables_free_opts(0); |
||||||
|
|
||||||
|
/* Clear trailing entry */ |
||||||
|
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c |
||||||
|
index 1ad4cb57f5836..1d3fda73dedf7 100644 |
||||||
|
--- a/libxtables/xtoptions.c |
||||||
|
+++ b/libxtables/xtoptions.c |
||||||
|
@@ -91,8 +91,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, |
||||||
|
* Since @oldopts also has @orig_opts already (and does so at the |
||||||
|
* start), skip these entries. |
||||||
|
*/ |
||||||
|
- oldopts += num_orig; |
||||||
|
- num_old -= num_orig; |
||||||
|
+ if (oldopts != NULL) { |
||||||
|
+ oldopts += num_orig; |
||||||
|
+ num_old -= num_orig; |
||||||
|
+ } |
||||||
|
|
||||||
|
merge = malloc(sizeof(*mp) * (num_orig + num_old + num_new + 1)); |
||||||
|
if (merge == NULL) |
||||||
|
@@ -114,8 +116,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, |
||||||
|
} |
||||||
|
|
||||||
|
/* Third, the old options */ |
||||||
|
- memcpy(mp, oldopts, sizeof(*mp) * num_old); |
||||||
|
- mp += num_old; |
||||||
|
+ if (oldopts != NULL) { |
||||||
|
+ memcpy(mp, oldopts, sizeof(*mp) * num_old); |
||||||
|
+ mp += num_old; |
||||||
|
+ } |
||||||
|
xtables_free_opts(0); |
||||||
|
|
||||||
|
/* Clear trailing entry */ |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
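Review bot: The new `if (oldopts != NULL)` guard around `memcpy(mp, oldopts, sizeof(*mp) * num_old)` in xtables_merge_options and again in xtables_options_xfrm fixes undefined behaviour, but the reason is subtle enough to deserve a comment: a null source pointer to memcpy is undefined in C even when the byte count is 0, and compilers do optimise on that assumption. Suggested comment above the first guard in each file: `/* memcpy() with a NULL source is UB even for 0 bytes */`. The first hunk's guard on `oldopts += num_oold; num_old -= num_oold;` presumably also keeps `num_old` from going negative or wrapping when no old options were passed, but the declaration of num_old is outside the hunk.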
|
|
@ -0,0 +1,57 @@ |
|||||||
|
From e4dd398938aed75397463aed36fc03f9d754bf29 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libxtables: Check extension real_name length |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit a3716cc1a501e |
||||||
|
|
||||||
|
commit a3716cc1a501e40e26a96d78b2e1285bb081f366 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Mon Sep 24 19:25:21 2018 +0200 |
||||||
|
|
||||||
|
libxtables: Check extension real_name length |
||||||
|
|
||||||
|
Just like with 'name', if given check 'real_name' to not exceed max length. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libxtables/xtables.c | 12 ++++++++++++ |
||||||
|
1 file changed, 12 insertions(+) |
||||||
|
|
||||||
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c |
||||||
|
index 575f7ee0a0d78..4a014e48a9f45 100644 |
||||||
|
--- a/libxtables/xtables.c |
||||||
|
+++ b/libxtables/xtables.c |
||||||
|
@@ -839,6 +839,12 @@ void xtables_register_match(struct xtables_match *me) |
||||||
|
exit(1); |
||||||
|
} |
||||||
|
|
||||||
|
+ if (me->real_name && strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) { |
||||||
|
+ fprintf(stderr, "%s: match `%s' has invalid real name\n", |
||||||
|
+ xt_params->program_name, me->real_name); |
||||||
|
+ exit(1); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
if (me->family >= NPROTO) { |
||||||
|
fprintf(stderr, |
||||||
|
"%s: BUG: match %s has invalid protocol family\n", |
||||||
|
@@ -997,6 +1003,12 @@ void xtables_register_target(struct xtables_target *me) |
||||||
|
exit(1); |
||||||
|
} |
||||||
|
|
||||||
|
+ if (me->real_name && strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) { |
||||||
|
+ fprintf(stderr, "%s: target `%s' has invalid real name\n", |
||||||
|
+ xt_params->program_name, me->real_name); |
||||||
|
+ exit(1); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
if (me->family >= NPROTO) { |
||||||
|
fprintf(stderr, |
||||||
|
"%s: BUG: target %s has invalid protocol family\n", |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
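Review bot: The new real_name check in xtables_register_match and xtables_register_target repeats the same five lines in both functions; a small static helper such as `static void xtables_check_ext_name(const char *kind, const char *name)` would keep the two registration paths from drifting apart. The diagnostic `"%s: match `%s' has invalid real name\n"` does not say what is invalid; stating the limit, e.g. `"... real name too long (max %d)\n"` with `XT_EXTENSION_MAXNAMELEN - 1`, would make the failure actionable for extension authors. Both enclosing functions start outside the hunks.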
|
|
@ -0,0 +1,42 @@ |
|||||||
|
From 6052b28839968d5077c182e6defa260e68147547 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] libxtables: Don't read garbage in xtables_strtoui() |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 61ebf3f72ac62 |
||||||
|
|
||||||
|
commit 61ebf3f72ac62d887414c50fc83e277386f54e8f |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:55 2018 +0200 |
||||||
|
|
||||||
|
libxtables: Don't read garbage in xtables_strtoui() |
||||||
|
|
||||||
|
If xtables_strtoul() fails, it returns false and data pointed to by |
||||||
|
parameter 'value' is undefined. Hence avoid copying that data in |
||||||
|
xtables_strtoui() if the call failed. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libxtables/xtables.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c |
||||||
|
index fb60c01b48c05..575f7ee0a0d78 100644 |
||||||
|
--- a/libxtables/xtables.c |
||||||
|
+++ b/libxtables/xtables.c |
||||||
|
@@ -473,7 +473,7 @@ bool xtables_strtoui(const char *s, char **end, unsigned int *value, |
||||||
|
bool ret; |
||||||
|
|
||||||
|
ret = xtables_strtoul(s, end, &v, min, max); |
||||||
|
- if (value != NULL) |
||||||
|
+ if (ret && value != NULL) |
||||||
|
*value = v; |
||||||
|
return ret; |
||||||
|
} |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
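Review bot: With `if (ret && value != NULL)` the out-parameter is left untouched on a failed parse, so a caller that reads `*value` without checking the return sees its previous contents rather than the unspecified `v`; that contract should be stated in the function's header comment, e.g. `/* On failure *value is left unchanged; callers must test the return value. */`. The narrowing from `unsigned long v` to `unsigned int *value` is presumably bounded by the `max` argument forwarded to xtables_strtoul(), but that is outside the hunk.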
|
|
@ -0,0 +1,42 @@ |
|||||||
|
From f958c3a78f14140e7ee983c3698918fe35f1a7af Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] libxtables: Fix potential array overrun in |
||||||
|
xtables_option_parse() |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 4144571f87c09 |
||||||
|
|
||||||
|
commit 4144571f87c094471419ef59e8bb89ef33cd1365 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Mon Sep 10 23:35:13 2018 +0200 |
||||||
|
|
||||||
|
libxtables: Fix potential array overrun in xtables_option_parse() |
||||||
|
|
||||||
|
If entry->type is to be used as array index, it needs to be at max one |
||||||
|
less than that array's size. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libxtables/xtoptions.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c |
||||||
|
index 78e9abd6a3f47..0c63c2d372dea 100644 |
||||||
|
--- a/libxtables/xtoptions.c |
||||||
|
+++ b/libxtables/xtoptions.c |
||||||
|
@@ -864,7 +864,7 @@ void xtables_option_parse(struct xt_option_call *cb) |
||||||
|
* a *RC option type. |
||||||
|
*/ |
||||||
|
cb->nvals = 1; |
||||||
|
- if (entry->type <= ARRAY_SIZE(xtopt_subparse) && |
||||||
|
+ if (entry->type < ARRAY_SIZE(xtopt_subparse) && |
||||||
|
xtopt_subparse[entry->type] != NULL) |
||||||
|
xtopt_subparse[entry->type](cb); |
||||||
|
/* Exclusion with other flags tested later in finalize. */ |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
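Review bot: After the `<` fix, an `entry->type` at or beyond `ARRAY_SIZE(xtopt_subparse)` is silently skipped instead of indexing past the table; since such a value can only come from a mis-declared extension option, failing loudly would be more useful than ignoring it, e.g. `else if (entry->type >= ARRAY_SIZE(xtopt_subparse)) xtables_error(OTHER_PROBLEM, "invalid option type %u", (unsigned int)entry->type);`. xtables_option_parse continues outside the hunk.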
|
|
@ -0,0 +1,71 @@ |
|||||||
|
From fbcd6c97015324480f843c08da338c9d580b2b31 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libxtables: Use posix_spawn() instead of vfork() |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit d95c1e8b65c4e |
||||||
|
|
||||||
|
commit d95c1e8b65c4ec66b8fcd2f7ede257853a888750 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:17:05 2018 +0200 |
||||||
|
|
||||||
|
libxtables: Use posix_spawn() instead of vfork() |
||||||
|
|
||||||
|
According to covscan, vfork() may lead to a deadlock in the parent |
||||||
|
process. It suggests to use posix_spawn() instead. Since the latter |
||||||
|
combines vfork() and exec() calls, use it for xtables_insmod(). |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libxtables/xtables.c | 15 +++++---------- |
||||||
|
1 file changed, 5 insertions(+), 10 deletions(-) |
||||||
|
|
||||||
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c |
||||||
|
index bca9863acc566..7210d3706bf26 100644 |
||||||
|
--- a/libxtables/xtables.c |
||||||
|
+++ b/libxtables/xtables.c |
||||||
|
@@ -21,6 +21,7 @@ |
||||||
|
#include <fcntl.h> |
||||||
|
#include <inttypes.h> |
||||||
|
#include <netdb.h> |
||||||
|
+#include <spawn.h> |
||||||
|
#include <stdarg.h> |
||||||
|
#include <stdbool.h> |
||||||
|
#include <stdio.h> |
||||||
|
@@ -343,6 +344,7 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) |
||||||
|
char *buf = NULL; |
||||||
|
char *argv[4]; |
||||||
|
int status; |
||||||
|
+ pid_t pid; |
||||||
|
|
||||||
|
/* If they don't explicitly set it, read out of kernel */ |
||||||
|
if (!modprobe) { |
||||||
|
@@ -363,18 +365,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) |
||||||
|
*/ |
||||||
|
fflush(stdout); |
||||||
|
|
||||||
|
- switch (vfork()) { |
||||||
|
- case 0: |
||||||
|
- execv(argv[0], argv); |
||||||
|
- |
||||||
|
- /* not usually reached */ |
||||||
|
- _exit(1); |
||||||
|
- case -1: |
||||||
|
+ if (posix_spawn(&pid, argv[0], NULL, NULL, argv, NULL)) { |
||||||
|
free(buf); |
||||||
|
return -1; |
||||||
|
- |
||||||
|
- default: /* parent */ |
||||||
|
- wait(&status); |
||||||
|
+ } else { |
||||||
|
+ waitpid(pid, &status, 0); |
||||||
|
} |
||||||
|
|
||||||
|
free(buf); |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
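Review bot: `posix_spawn(&pid, argv[0], NULL, NULL, argv, NULL)` passes a null `envp`; POSIX requires a NULL-terminated array there, so running the child with an empty environment relies on Linux/glibc behaviour. If an empty environment for modprobe is intended — a defensible choice, since nothing from the caller's environment then reaches the helper — make it explicit and portable with `char *const envp[] = { NULL };` passed as the last argument, with a comment stating the intent; if the caller's environment is wanted, pass `environ`. The return value of `waitpid()` is not checked, and `status` is declared without an initialiser in the second hunk, so a failing waitpid would leave `status` indeterminate where it is read after the hunk.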
|
|
@ -0,0 +1,102 @@ |
|||||||
|
From 0d89bdef1e7f698787967bffed5c413ef0dee761 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] libxtables: move some code to avoid cautions in vfork man |
||||||
|
page |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 78683093cf4f0 |
||||||
|
|
||||||
|
commit 78683093cf4f059531e5f929a4884ffaecb8411c |
||||||
|
Author: Dan Wilder <dan.wilder@watchguard.com> |
||||||
|
Date: Sat Oct 25 00:51:59 2014 +0200 |
||||||
|
|
||||||
|
libxtables: move some code to avoid cautions in vfork man page |
||||||
|
|
||||||
|
Running iptables-restore on an embedded platform containing no modprobe program, the following lines in xtables.c lead to corrupted stack frame: |
||||||
|
|
||||||
|
357 switch (vfork()) { |
||||||
|
358 case 0: |
||||||
|
359 argv[0] = (char *)modprobe; |
||||||
|
360 argv[1] = (char *)modname; |
||||||
|
361 if (quiet) { |
||||||
|
362 argv[2] = "-q"; |
||||||
|
363 argv[3] = NULL; |
||||||
|
364 } else { |
||||||
|
365 argv[2] = NULL; |
||||||
|
366 argv[3] = NULL; |
||||||
|
367 } |
||||||
|
368 execv(argv[0], argv); |
||||||
|
369 |
||||||
|
370 /* not usually reached */ |
||||||
|
371 exit(1); |
||||||
|
|
||||||
|
modprobe pointed to a non-existant program /sbin/modprobe, so execv() |
||||||
|
always failed. Not a problem in itself on our platform, as the kernel |
||||||
|
modules are pre-loaded before iptables-restore is run, but it took a |
||||||
|
bit of headscratching to track this down, as a stack frame was |
||||||
|
corrupted, leading to failures quite a while after the function |
||||||
|
containing this code had returned! |
||||||
|
|
||||||
|
Relevant caution in man 2 vfork: |
||||||
|
|
||||||
|
"The vfork() function has the same effect as fork(2), except that |
||||||
|
the behavior is undefined if the process created by vfork() either |
||||||
|
modifies any data ... or calls any other function before |
||||||
|
successfully calling _exit(2) or one of the exec(3) family of |
||||||
|
functions." |
||||||
|
|
||||||
|
Apparently this has not been a problem for us in earlier versions of |
||||||
|
glibc, maybe because vfork was more like fork, maybe because the |
||||||
|
stack corruption was innocuous. Ours is a corner case anyway, as |
||||||
|
it might not have been a problem had modprobe existed or had |
||||||
|
modprobe been a symlink to /bin/true. But it seems odd to disregard |
||||||
|
man page cautions, and our problem goes away if they are heeded. |
||||||
|
|
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libxtables/xtables.c | 16 ++++++---------- |
||||||
|
1 file changed, 6 insertions(+), 10 deletions(-) |
||||||
|
|
||||||
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c |
||||||
|
index cf9a59d5ec095..bca9863acc566 100644 |
||||||
|
--- a/libxtables/xtables.c |
||||||
|
+++ b/libxtables/xtables.c |
||||||
|
@@ -352,6 +352,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) |
||||||
|
modprobe = buf; |
||||||
|
} |
||||||
|
|
||||||
|
+ argv[0] = (char *)modprobe; |
||||||
|
+ argv[1] = (char *)modname; |
||||||
|
+ argv[2] = quiet ? "-q" : NULL; |
||||||
|
+ argv[3] = NULL; |
||||||
|
+ |
||||||
|
/* |
||||||
|
* Need to flush the buffer, or the child may output it again |
||||||
|
* when switching the program thru execv. |
||||||
|
@@ -360,19 +365,10 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) |
||||||
|
|
||||||
|
switch (vfork()) { |
||||||
|
case 0: |
||||||
|
- argv[0] = (char *)modprobe; |
||||||
|
- argv[1] = (char *)modname; |
||||||
|
- if (quiet) { |
||||||
|
- argv[2] = "-q"; |
||||||
|
- argv[3] = NULL; |
||||||
|
- } else { |
||||||
|
- argv[2] = NULL; |
||||||
|
- argv[3] = NULL; |
||||||
|
- } |
||||||
|
execv(argv[0], argv); |
||||||
|
|
||||||
|
/* not usually reached */ |
||||||
|
- exit(1); |
||||||
|
+ _exit(1); |
||||||
|
case -1: |
||||||
|
free(buf); |
||||||
|
return -1; |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
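Review bot: The hunks leave only `execv()` and `_exit()` in the vfork child, which is exactly the invariant vfork(2) demands, but nothing in the code says so, and the next person to add a log line inside `case 0:` will reintroduce the stack corruption the commit message describes. A comment above `switch (vfork())` would pin it: `/* vfork child: argv is fully built above; touch no memory and call nothing but execv()/_exit() */`. A later patch on this page replaces vfork() with posix_spawn(), which removes the hazard altogether; until then the comment is the only guard.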
|
|
@ -0,0 +1,46 @@ |
|||||||
|
From 9db248f030af87e336b5880fc39e37a5beb7f291 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:52:42 +0100 |
||||||
|
Subject: [PATCH] list: fix prefetch dummy |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 86a65af62b6b9 |
||||||
|
|
||||||
|
commit 86a65af62b6b986aa2ae3cbf3c655ea8225b027a |
||||||
|
Author: Arturo Borrero <arturo.borrero.glez@gmail.com> |
||||||
|
Date: Mon Apr 6 20:05:41 2015 +0200 |
||||||
|
|
||||||
|
list: fix prefetch dummy |
||||||
|
|
||||||
|
linux_list.h:381:59: warning: right-hand operand of comma expression has no effect [-Wunused-value] |
||||||
|
for (pos = list_entry((head)->next, typeof(*pos), member), \ |
||||||
|
^ |
||||||
|
libiptc.c:552:2: note: in expansion of macro 'list_for_each_entry' |
||||||
|
list_for_each_entry(c, &h->chains, list) { |
||||||
|
^ |
||||||
|
|
||||||
|
[ Patch copied from one similar of Patrick McHardy on libnftnl ] |
||||||
|
|
||||||
|
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
libiptc/linux_list.h | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/libiptc/linux_list.h b/libiptc/linux_list.h |
||||||
|
index abdcf88dadd64..559e33c9ebde0 100644 |
||||||
|
--- a/libiptc/linux_list.h |
||||||
|
+++ b/libiptc/linux_list.h |
||||||
|
@@ -27,7 +27,7 @@ |
||||||
|
1; \ |
||||||
|
}) |
||||||
|
|
||||||
|
-#define prefetch(x) 1 |
||||||
|
+#define prefetch(x) ((void)0) |
||||||
|
|
||||||
|
/* empty define to make this work in userspace -HW */ |
||||||
|
#define smp_wmb() |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,47 @@ |
|||||||
|
From d9db0c35351a960a141e9ddc30cf6f09c9c27c8b Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Thu, 18 Apr 2019 13:29:43 +0200 |
||||||
|
Subject: [PATCH] man: iptables-save: Add note about module autoloading |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1691380 |
||||||
|
Upstream Status: iptables commit 3390007a11cbc |
||||||
|
|
||||||
|
commit 3390007a11cbc45de1522f99ae751a3c5d55dd6f |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Tue Mar 26 19:03:43 2019 +0100 |
||||||
|
|
||||||
|
man: iptables-save: Add note about module autoloading |
||||||
|
|
||||||
|
Using '-t' parameter in iptables-save might lead to kernel module |
||||||
|
loading, just like with iptables itself. Copy the hint from iptables.8 |
||||||
|
to inform users. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
iptables/iptables-save.8.in | 7 +++++-- |
||||||
|
1 file changed, 5 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in |
||||||
|
index 4091c0a595575..c3f1bd2152c58 100644 |
||||||
|
--- a/iptables/iptables-save.8.in |
||||||
|
+++ b/iptables/iptables-save.8.in |
||||||
|
@@ -44,8 +44,11 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path. |
||||||
|
include the current values of all packet and byte counters in the output |
||||||
|
.TP |
||||||
|
\fB\-t\fR, \fB\-\-table\fR \fItablename\fP |
||||||
|
-restrict output to only one table. If not specified, output includes all |
||||||
|
-available tables. |
||||||
|
+restrict output to only one table. If the kernel is configured with automatic |
||||||
|
+module loading, an attempt will be made to load the appropriate module for |
||||||
|
+that table if it is not already there. |
||||||
|
+.br |
||||||
|
+If not specified, output includes all available tables. |
||||||
|
.SH BUGS |
||||||
|
None known as of iptables-1.2.1 release |
||||||
|
.SH AUTHORS |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,43 @@ |
|||||||
|
From 4103f34690e1380c0ad4831b80ad913ea980eab4 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:51:28 +0100 |
||||||
|
Subject: [PATCH] nfnl_osf: Drop pointless check in xt_osf_strchr() |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 8c786a351a441 |
||||||
|
|
||||||
|
commit 8c786a351a441ff23ad5d9d1da8cec492f88f542 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:42 2018 +0200 |
||||||
|
|
||||||
|
nfnl_osf: Drop pointless check in xt_osf_strchr() |
||||||
|
|
||||||
|
Although it remains unclear what the original intention behind the |
||||||
|
affected code was, 'tmp + 1' always evaluates true since 'tmp' is a |
||||||
|
pointer value. |
||||||
|
|
||||||
|
Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru> |
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
utils/nfnl_osf.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c |
||||||
|
index 0f8b35b805016..9a9fbe1268155 100644 |
||||||
|
--- a/utils/nfnl_osf.c |
||||||
|
+++ b/utils/nfnl_osf.c |
||||||
|
@@ -141,7 +141,7 @@ static char *xt_osf_strchr(char *ptr, char c) |
||||||
|
if (tmp) |
||||||
|
*tmp = '\0'; |
||||||
|
|
||||||
|
- while (tmp && tmp + 1 && isspace(*(tmp + 1))) |
||||||
|
+ while (tmp && isspace(*(tmp + 1))) |
||||||
|
tmp++; |
||||||
|
|
||||||
|
return tmp; |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
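Review bot: The new loop condition still hands a plain `char` to isspace(), which is undefined for negative values on targets where char is signed (CERT STR37-C); cast the byte first, `while (tmp && isspace((unsigned char)*(tmp + 1)))`. The pattern is inherited from the removed line rather than introduced here, but it is the one remaining problem on the line this commit rewrites. The beginning of xt_osf_strchr (the search that sets `tmp`) lies outside the hunk.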
@ -0,0 +1,40 @@ |
|||||||
|
From 4ee53b682e3ebb9a809007ec907f65ccfe4a1342 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Fri, 15 Mar 2019 17:50:10 +0100 |
||||||
|
Subject: [PATCH] nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query() |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 |
||||||
|
Upstream Status: iptables commit 52aa15098ebd6 |
||||||
|
|
||||||
|
commit 52aa15098ebd62eaca9eb3c57c240df2455d8e9b |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Wed Sep 19 15:16:56 2018 +0200 |
||||||
|
|
||||||
|
nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query() |
||||||
|
|
||||||
|
This eliminates the deprecation warning when compiling the sources. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
utils/nfnl_osf.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c |
||||||
|
index 972128f47ba04..c67485ee698b1 100644 |
||||||
|
--- a/utils/nfnl_osf.c |
||||||
|
+++ b/utils/nfnl_osf.c |
||||||
|
@@ -384,7 +384,7 @@ static int osf_load_line(char *buffer, int len, int del) |
||||||
|
|
||||||
|
nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger)); |
||||||
|
|
||||||
|
- return nfnl_talk(nfnlh, nmh, 0, 0, NULL, NULL, NULL); |
||||||
|
+ return nfnl_query(nfnlh, nmh); |
||||||
|
} |
||||||
|
|
||||||
|
static int osf_load_entries(char *path, int del) |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
@ -0,0 +1,568 @@ |
|||||||
|
From fc87d26b0343a5fbe661acc967f7a7c316531ca5 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Wed, 3 Apr 2019 20:16:49 +0200 |
||||||
|
Subject: [PATCH] xshared: Consolidate argv construction routines |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1668475 |
||||||
|
Upstream Status: iptables commit a2ed880a19d08 |
||||||
|
Conflicts: |
||||||
|
* Context change due to missing commit 2963a8df2175b |
||||||
|
("iptables: Remove explicit static variables initalization."). |
||||||
|
* Context change due to missing commit 1cc09188079a6 |
||||||
|
("xshared: Consolidate parse_counters()"). |
||||||
|
* Context change due to previously backported commit 8da04ffdca193 |
||||||
|
("Share print_ipv{4,6}_addr() from xtables"). |
||||||
|
* Dropped changes to non-existing file iptables/xtables-restore.c. |
||||||
|
|
||||||
|
commit a2ed880a19d0861342b3515721804b18d698bf44 |
||||||
|
Author: Phil Sutter <phil@nwl.cc> |
||||||
|
Date: Thu Aug 2 17:05:17 2018 +0200 |
||||||
|
|
||||||
|
xshared: Consolidate argv construction routines |
||||||
|
|
||||||
|
Implementations were equal in {ip,ip6,x}tables-restore.c. The one in |
||||||
|
iptables-xml.c differed slightly. For now, collect all features |
||||||
|
together. Maybe it would make sense to migrate iptables-xml.c to using |
||||||
|
add_param_to_argv() at some point and therefore extend the latter to |
||||||
|
store whether a given parameter was quoted or not. |
||||||
|
|
||||||
|
While being at it, a few improvements were done: |
||||||
|
|
||||||
|
* free_argv() now also resets 'newargc' variable, so users don't have to |
||||||
|
do that anymore. |
||||||
|
* Indenting level in add_param_to_argv() was reduced a bit. |
||||||
|
* That long error message is put into a single line to aid in grepping |
||||||
|
for it. |
||||||
|
* Explicit call to exit() after xtables_error() is removed since the |
||||||
|
latter does not return anyway. |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
iptables/ip6tables-restore.c | 107 ++---------------------------- |
||||||
|
iptables/iptables-restore.c | 107 ++---------------------------- |
||||||
|
iptables/iptables-xml.c | 63 ------------------ |
||||||
|
iptables/xshared.c | 123 +++++++++++++++++++++++++++++++++++ |
||||||
|
iptables/xshared.h | 13 ++++ |
||||||
|
5 files changed, 150 insertions(+), 263 deletions(-) |
||||||
|
|
||||||
|
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c |
||||||
|
index 611430d930eda..1f8cb43286f03 100644 |
||||||
|
--- a/iptables/ip6tables-restore.c |
||||||
|
+++ b/iptables/ip6tables-restore.c |
||||||
|
@@ -91,96 +91,6 @@ static int parse_counters(char *string, struct xt_counters *ctr) |
||||||
|
return ret == 2; |
||||||
|
} |
||||||
|
|
||||||
|
-/* global new argv and argc */ |
||||||
|
-static char *newargv[255]; |
||||||
|
-static int newargc; |
||||||
|
- |
||||||
|
-/* function adding one argument to newargv, updating newargc |
||||||
|
- * returns true if argument added, false otherwise */ |
||||||
|
-static int add_argv(char *what) { |
||||||
|
- DEBUGP("add_argv: %s\n", what); |
||||||
|
- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { |
||||||
|
- newargv[newargc] = strdup(what); |
||||||
|
- newargv[++newargc] = NULL; |
||||||
|
- return 1; |
||||||
|
- } else { |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "Parser cannot handle more arguments\n"); |
||||||
|
- return 0; |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
-static void free_argv(void) { |
||||||
|
- int i; |
||||||
|
- |
||||||
|
- for (i = 0; i < newargc; i++) |
||||||
|
- free(newargv[i]); |
||||||
|
-} |
||||||
|
- |
||||||
|
-static void add_param_to_argv(char *parsestart) |
||||||
|
-{ |
||||||
|
- int quote_open = 0, escaped = 0, param_len = 0; |
||||||
|
- char param_buffer[1024], *curchar; |
||||||
|
- |
||||||
|
- /* After fighting with strtok enough, here's now |
||||||
|
- * a 'real' parser. According to Rusty I'm now no |
||||||
|
- * longer a real hacker, but I can live with that */ |
||||||
|
- |
||||||
|
- for (curchar = parsestart; *curchar; curchar++) { |
||||||
|
- if (quote_open) { |
||||||
|
- if (escaped) { |
||||||
|
- param_buffer[param_len++] = *curchar; |
||||||
|
- escaped = 0; |
||||||
|
- continue; |
||||||
|
- } else if (*curchar == '\\') { |
||||||
|
- escaped = 1; |
||||||
|
- continue; |
||||||
|
- } else if (*curchar == '"') { |
||||||
|
- quote_open = 0; |
||||||
|
- *curchar = ' '; |
||||||
|
- } else { |
||||||
|
- param_buffer[param_len++] = *curchar; |
||||||
|
- continue; |
||||||
|
- } |
||||||
|
- } else { |
||||||
|
- if (*curchar == '"') { |
||||||
|
- quote_open = 1; |
||||||
|
- continue; |
||||||
|
- } |
||||||
|
- } |
||||||
|
- |
||||||
|
- if (*curchar == ' ' |
||||||
|
- || *curchar == '\t' |
||||||
|
- || * curchar == '\n') { |
||||||
|
- if (!param_len) { |
||||||
|
- /* two spaces? */ |
||||||
|
- continue; |
||||||
|
- } |
||||||
|
- |
||||||
|
- param_buffer[param_len] = '\0'; |
||||||
|
- |
||||||
|
- /* check if table name specified */ |
||||||
|
- if (!strncmp(param_buffer, "-t", 2) |
||||||
|
- || !strncmp(param_buffer, "--table", 8)) { |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "The -t option (seen in line %u) cannot be " |
||||||
|
- "used in ip6tables-restore.\n", line); |
||||||
|
- exit(1); |
||||||
|
- } |
||||||
|
- |
||||||
|
- add_argv(param_buffer); |
||||||
|
- param_len = 0; |
||||||
|
- } else { |
||||||
|
- /* regular character, copy to buffer */ |
||||||
|
- param_buffer[param_len++] = *curchar; |
||||||
|
- |
||||||
|
- if (param_len >= sizeof(param_buffer)) |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "Parameter too long!"); |
||||||
|
- } |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
int ip6tables_restore_main(int argc, char *argv[]) |
||||||
|
{ |
||||||
|
struct xtc_handle *handle = NULL; |
||||||
|
@@ -425,9 +335,6 @@ int ip6tables_restore_main(int argc, char *argv[]) |
||||||
|
char *bcnt = NULL; |
||||||
|
char *parsestart; |
||||||
|
|
||||||
|
- /* reset the newargv */ |
||||||
|
- newargc = 0; |
||||||
|
- |
||||||
|
if (buffer[0] == '[') { |
||||||
|
/* we have counters in our input */ |
||||||
|
char *ptr = strchr(buffer, ']'); |
||||||
|
@@ -456,17 +363,17 @@ int ip6tables_restore_main(int argc, char *argv[]) |
||||||
|
parsestart = buffer; |
||||||
|
} |
||||||
|
|
||||||
|
- add_argv(argv[0]); |
||||||
|
- add_argv("-t"); |
||||||
|
- add_argv(curtable); |
||||||
|
+ add_argv(argv[0], 0); |
||||||
|
+ add_argv("-t", 0); |
||||||
|
+ add_argv(curtable, 0); |
||||||
|
|
||||||
|
if (counters && pcnt && bcnt) { |
||||||
|
- add_argv("--set-counters"); |
||||||
|
- add_argv((char *) pcnt); |
||||||
|
- add_argv((char *) bcnt); |
||||||
|
+ add_argv("--set-counters", 0); |
||||||
|
+ add_argv((char *) pcnt, 0); |
||||||
|
+ add_argv((char *) bcnt, 0); |
||||||
|
} |
||||||
|
|
||||||
|
- add_param_to_argv(parsestart); |
||||||
|
+ add_param_to_argv(parsestart, line); |
||||||
|
|
||||||
|
DEBUGP("calling do_command6(%u, argv, &%s, handle):\n", |
||||||
|
newargc, curtable); |
||||||
|
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c |
||||||
|
index b0da96d45d297..615e38a6625e0 100644 |
||||||
|
--- a/iptables/iptables-restore.c |
||||||
|
+++ b/iptables/iptables-restore.c |
||||||
|
@@ -89,96 +89,6 @@ static int parse_counters(char *string, struct xt_counters *ctr) |
||||||
|
return ret == 2; |
||||||
|
} |
||||||
|
|
||||||
|
-/* global new argv and argc */ |
||||||
|
-static char *newargv[255]; |
||||||
|
-static int newargc; |
||||||
|
- |
||||||
|
-/* function adding one argument to newargv, updating newargc |
||||||
|
- * returns true if argument added, false otherwise */ |
||||||
|
-static int add_argv(char *what) { |
||||||
|
- DEBUGP("add_argv: %s\n", what); |
||||||
|
- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { |
||||||
|
- newargv[newargc] = strdup(what); |
||||||
|
- newargv[++newargc] = NULL; |
||||||
|
- return 1; |
||||||
|
- } else { |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "Parser cannot handle more arguments\n"); |
||||||
|
- return 0; |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
-static void free_argv(void) { |
||||||
|
- int i; |
||||||
|
- |
||||||
|
- for (i = 0; i < newargc; i++) |
||||||
|
- free(newargv[i]); |
||||||
|
-} |
||||||
|
- |
||||||
|
-static void add_param_to_argv(char *parsestart) |
||||||
|
-{ |
||||||
|
- int quote_open = 0, escaped = 0, param_len = 0; |
||||||
|
- char param_buffer[1024], *curchar; |
||||||
|
- |
||||||
|
- /* After fighting with strtok enough, here's now |
||||||
|
- * a 'real' parser. According to Rusty I'm now no |
||||||
|
- * longer a real hacker, but I can live with that */ |
||||||
|
- |
||||||
|
- for (curchar = parsestart; *curchar; curchar++) { |
||||||
|
- if (quote_open) { |
||||||
|
- if (escaped) { |
||||||
|
- param_buffer[param_len++] = *curchar; |
||||||
|
- escaped = 0; |
||||||
|
- continue; |
||||||
|
- } else if (*curchar == '\\') { |
||||||
|
- escaped = 1; |
||||||
|
- continue; |
||||||
|
- } else if (*curchar == '"') { |
||||||
|
- quote_open = 0; |
||||||
|
- *curchar = ' '; |
||||||
|
- } else { |
||||||
|
- param_buffer[param_len++] = *curchar; |
||||||
|
- continue; |
||||||
|
- } |
||||||
|
- } else { |
||||||
|
- if (*curchar == '"') { |
||||||
|
- quote_open = 1; |
||||||
|
- continue; |
||||||
|
- } |
||||||
|
- } |
||||||
|
- |
||||||
|
- if (*curchar == ' ' |
||||||
|
- || *curchar == '\t' |
||||||
|
- || * curchar == '\n') { |
||||||
|
- if (!param_len) { |
||||||
|
- /* two spaces? */ |
||||||
|
- continue; |
||||||
|
- } |
||||||
|
- |
||||||
|
- param_buffer[param_len] = '\0'; |
||||||
|
- |
||||||
|
- /* check if table name specified */ |
||||||
|
- if (!strncmp(param_buffer, "-t", 2) |
||||||
|
- || !strncmp(param_buffer, "--table", 8)) { |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "The -t option (seen in line %u) cannot be " |
||||||
|
- "used in iptables-restore.\n", line); |
||||||
|
- exit(1); |
||||||
|
- } |
||||||
|
- |
||||||
|
- add_argv(param_buffer); |
||||||
|
- param_len = 0; |
||||||
|
- } else { |
||||||
|
- /* regular character, copy to buffer */ |
||||||
|
- param_buffer[param_len++] = *curchar; |
||||||
|
- |
||||||
|
- if (param_len >= sizeof(param_buffer)) |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "Parameter too long!"); |
||||||
|
- } |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
int |
||||||
|
iptables_restore_main(int argc, char *argv[]) |
||||||
|
{ |
||||||
|
@@ -424,9 +334,6 @@ iptables_restore_main(int argc, char *argv[]) |
||||||
|
char *bcnt = NULL; |
||||||
|
char *parsestart; |
||||||
|
|
||||||
|
- /* reset the newargv */ |
||||||
|
- newargc = 0; |
||||||
|
- |
||||||
|
if (buffer[0] == '[') { |
||||||
|
/* we have counters in our input */ |
||||||
|
char *ptr = strchr(buffer, ']'); |
||||||
|
@@ -455,17 +362,17 @@ iptables_restore_main(int argc, char *argv[]) |
||||||
|
parsestart = buffer; |
||||||
|
} |
||||||
|
|
||||||
|
- add_argv(argv[0]); |
||||||
|
- add_argv("-t"); |
||||||
|
- add_argv(curtable); |
||||||
|
+ add_argv(argv[0], 0); |
||||||
|
+ add_argv("-t", 0); |
||||||
|
+ add_argv(curtable, 0); |
||||||
|
|
||||||
|
if (counters && pcnt && bcnt) { |
||||||
|
- add_argv("--set-counters"); |
||||||
|
- add_argv((char *) pcnt); |
||||||
|
- add_argv((char *) bcnt); |
||||||
|
+ add_argv("--set-counters", 0); |
||||||
|
+ add_argv((char *) pcnt, 0); |
||||||
|
+ add_argv((char *) bcnt, 0); |
||||||
|
} |
||||||
|
|
||||||
|
- add_param_to_argv(parsestart); |
||||||
|
+ add_param_to_argv(parsestart, line); |
||||||
|
|
||||||
|
DEBUGP("calling do_command4(%u, argv, &%s, handle):\n", |
||||||
|
newargc, curtable); |
||||||
|
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c |
||||||
|
index c523a132b2240..49f8ea2826181 100644 |
||||||
|
--- a/iptables/iptables-xml.c |
||||||
|
+++ b/iptables/iptables-xml.c |
||||||
|
@@ -66,16 +66,6 @@ parse_counters(char *string, struct xt_counters *ctr) |
||||||
|
return (0 == 2); |
||||||
|
} |
||||||
|
|
||||||
|
-/* global new argv and argc */ |
||||||
|
-static char *newargv[255]; |
||||||
|
-static unsigned int newargc = 0; |
||||||
|
- |
||||||
|
-static char *oldargv[255]; |
||||||
|
-static unsigned int oldargc = 0; |
||||||
|
- |
||||||
|
-/* arg meta data, were they quoted, frinstance */ |
||||||
|
-static int newargvattr[255]; |
||||||
|
- |
||||||
|
#define XT_CHAIN_MAXNAMELEN XT_TABLE_MAXNAMELEN |
||||||
|
static char closeActionTag[XT_TABLE_MAXNAMELEN + 1]; |
||||||
|
static char closeRuleTag[XT_TABLE_MAXNAMELEN + 1]; |
||||||
|
@@ -93,56 +83,6 @@ struct chain { |
||||||
|
static struct chain chains[maxChains]; |
||||||
|
static int nextChain = 0; |
||||||
|
|
||||||
|
-/* funCtion adding one argument to newargv, updating newargc |
||||||
|
- * returns true if argument added, false otherwise */ |
||||||
|
-static int |
||||||
|
-add_argv(char *what, int quoted) |
||||||
|
-{ |
||||||
|
- DEBUGP("add_argv: %d %s\n", newargc, what); |
||||||
|
- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { |
||||||
|
- newargv[newargc] = strdup(what); |
||||||
|
- newargvattr[newargc] = quoted; |
||||||
|
- newargc++; |
||||||
|
- return 1; |
||||||
|
- } else |
||||||
|
- return 0; |
||||||
|
-} |
||||||
|
- |
||||||
|
-static void |
||||||
|
-free_argv(void) |
||||||
|
-{ |
||||||
|
- unsigned int i; |
||||||
|
- |
||||||
|
- for (i = 0; i < newargc; i++) { |
||||||
|
- free(newargv[i]); |
||||||
|
- newargv[i] = NULL; |
||||||
|
- } |
||||||
|
- newargc = 0; |
||||||
|
- |
||||||
|
- for (i = 0; i < oldargc; i++) { |
||||||
|
- free(oldargv[i]); |
||||||
|
- oldargv[i] = NULL; |
||||||
|
- } |
||||||
|
- oldargc = 0; |
||||||
|
-} |
||||||
|
- |
||||||
|
-/* save parsed rule for comparison with next rule |
||||||
|
- to perform action agregation on duplicate conditions */ |
||||||
|
-static void |
||||||
|
-save_argv(void) |
||||||
|
-{ |
||||||
|
- unsigned int i; |
||||||
|
- |
||||||
|
- for (i = 0; i < oldargc; i++) |
||||||
|
- free(oldargv[i]); |
||||||
|
- oldargc = newargc; |
||||||
|
- newargc = 0; |
||||||
|
- for (i = 0; i < oldargc; i++) { |
||||||
|
- oldargv[i] = newargv[i]; |
||||||
|
- newargv[i] = NULL; |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
/* like puts but with xml encoding */ |
||||||
|
static void |
||||||
|
xmlEncode(char *text) |
||||||
|
@@ -736,9 +676,6 @@ iptables_xml_main(int argc, char *argv[]) |
||||||
|
int quote_open, quoted; |
||||||
|
char param_buffer[1024]; |
||||||
|
|
||||||
|
- /* reset the newargv */ |
||||||
|
- newargc = 0; |
||||||
|
- |
||||||
|
if (buffer[0] == '[') { |
||||||
|
/* we have counters in our input */ |
||||||
|
char *ptr = strchr(buffer, ']'); |
||||||
|
diff --git a/iptables/xshared.c b/iptables/xshared.c |
||||||
|
index 742502154aa55..84dbea562576e 100644 |
||||||
|
--- a/iptables/xshared.c |
||||||
|
+++ b/iptables/xshared.c |
||||||
|
@@ -406,3 +406,126 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format) |
||||||
|
ipv6_addr_to_string(&fw6->ipv6.dst, |
||||||
|
&fw6->ipv6.dmsk, format)); |
||||||
|
} |
||||||
|
+ |
||||||
|
+/* global new argv and argc */ |
||||||
|
+char *newargv[255]; |
||||||
|
+int newargc = 0; |
||||||
|
+ |
||||||
|
+/* saved newargv and newargc from save_argv() */ |
||||||
|
+char *oldargv[255]; |
||||||
|
+int oldargc = 0; |
||||||
|
+ |
||||||
|
+/* arg meta data, were they quoted, frinstance */ |
||||||
|
+int newargvattr[255]; |
||||||
|
+ |
||||||
|
+/* function adding one argument to newargv, updating newargc |
||||||
|
+ * returns true if argument added, false otherwise */ |
||||||
|
+int add_argv(const char *what, int quoted) |
||||||
|
+{ |
||||||
|
+ DEBUGP("add_argv: %s\n", what); |
||||||
|
+ if (what && newargc + 1 < ARRAY_SIZE(newargv)) { |
||||||
|
+ newargv[newargc] = strdup(what); |
||||||
|
+ newargvattr[newargc] = quoted; |
||||||
|
+ newargv[++newargc] = NULL; |
||||||
|
+ return 1; |
||||||
|
+ } else { |
||||||
|
+ xtables_error(PARAMETER_PROBLEM, |
||||||
|
+ "Parser cannot handle more arguments\n"); |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
+void free_argv(void) |
||||||
|
+{ |
||||||
|
+ while (newargc) |
||||||
|
+ free(newargv[--newargc]); |
||||||
|
+ while (oldargc) |
||||||
|
+ free(oldargv[--oldargc]); |
||||||
|
+} |
||||||
|
+ |
||||||
|
+/* Save parsed rule for comparison with next rule to perform action aggregation |
||||||
|
+ * on duplicate conditions. |
||||||
|
+ */ |
||||||
|
+void save_argv(void) |
||||||
|
+{ |
||||||
|
+ unsigned int i; |
||||||
|
+ |
||||||
|
+ while (oldargc) |
||||||
|
+ free(oldargv[--oldargc]); |
||||||
|
+ |
||||||
|
+ oldargc = newargc; |
||||||
|
+ newargc = 0; |
||||||
|
+ for (i = 0; i < oldargc; i++) { |
||||||
|
+ oldargv[i] = newargv[i]; |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
+void add_param_to_argv(char *parsestart, int line) |
||||||
|
+{ |
||||||
|
+ int quote_open = 0, escaped = 0, param_len = 0; |
||||||
|
+ char param_buffer[1024], *curchar; |
||||||
|
+ |
||||||
|
+ /* After fighting with strtok enough, here's now |
||||||
|
+ * a 'real' parser. According to Rusty I'm now no |
||||||
|
+ * longer a real hacker, but I can live with that */ |
||||||
|
+ |
||||||
|
+ for (curchar = parsestart; *curchar; curchar++) { |
||||||
|
+ if (quote_open) { |
||||||
|
+ if (escaped) { |
||||||
|
+ param_buffer[param_len++] = *curchar; |
||||||
|
+ escaped = 0; |
||||||
|
+ continue; |
||||||
|
+ } else if (*curchar == '\\') { |
||||||
|
+ escaped = 1; |
||||||
|
+ continue; |
||||||
|
+ } else if (*curchar == '"') { |
||||||
|
+ quote_open = 0; |
||||||
|
+ *curchar = '"'; |
||||||
|
+ } else { |
||||||
|
+ param_buffer[param_len++] = *curchar; |
||||||
|
+ continue; |
||||||
|
+ } |
||||||
|
+ } else { |
||||||
|
+ if (*curchar == '"') { |
||||||
|
+ quote_open = 1; |
||||||
|
+ continue; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ switch (*curchar) { |
||||||
|
+ case '"': |
||||||
|
+ break; |
||||||
|
+ case ' ': |
||||||
|
+ case '\t': |
||||||
|
+ case '\n': |
||||||
|
+ if (!param_len) { |
||||||
|
+ /* two spaces? */ |
||||||
|
+ continue; |
||||||
|
+ } |
||||||
|
+ break; |
||||||
|
+ default: |
||||||
|
+ /* regular character, copy to buffer */ |
||||||
|
+ param_buffer[param_len++] = *curchar; |
||||||
|
+ |
||||||
|
+ if (param_len >= sizeof(param_buffer)) |
||||||
|
+ xtables_error(PARAMETER_PROBLEM, |
||||||
|
+ "Parameter too long!"); |
||||||
|
+ continue; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ param_buffer[param_len] = '\0'; |
||||||
|
+ |
||||||
|
+ /* check if table name specified */ |
||||||
|
+ if ((param_buffer[0] == '-' && |
||||||
|
+ param_buffer[1] != '-' && |
||||||
|
+ strchr(param_buffer, 't')) || |
||||||
|
+ (!strncmp(param_buffer, "--t", 3) && |
||||||
|
+ !strncmp(param_buffer, "--table", strlen(param_buffer)))) { |
||||||
|
+ xtables_error(PARAMETER_PROBLEM, |
||||||
|
+ "The -t option (seen in line %u) cannot be used in %s.\n", |
||||||
|
+ line, xt_params->program_name); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ add_argv(param_buffer, 0); |
||||||
|
+ param_len = 0; |
||||||
|
+ } |
||||||
|
+} |
||||||
|
diff --git a/iptables/xshared.h b/iptables/xshared.h |
||||||
|
index bfdb10b2701e5..4f567db9f410b 100644 |
||||||
|
--- a/iptables/xshared.h |
||||||
|
+++ b/iptables/xshared.h |
||||||
|
@@ -119,6 +119,19 @@ bool xs_has_arg(int argc, char *argv[]); |
||||||
|
|
||||||
|
extern const struct xtables_afinfo *afinfo; |
||||||
|
|
||||||
|
+extern char *newargv[]; |
||||||
|
+extern int newargc; |
||||||
|
+ |
||||||
|
+extern char *oldargv[]; |
||||||
|
+extern int oldargc; |
||||||
|
+ |
||||||
|
+extern int newargvattr[]; |
||||||
|
+ |
||||||
|
+int add_argv(const char *what, int quoted); |
||||||
|
+void free_argv(void); |
||||||
|
+void save_argv(void); |
||||||
|
+void add_param_to_argv(char *parsestart, int line); |
||||||
|
+ |
||||||
|
void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); |
||||||
|
void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); |
||||||
|
|
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
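Review bot: The two appends inside the quoted-string branch of add_param_to_argv in xshared.c (`param_buffer[param_len++] = *curchar;` in the `escaped` case and in the plain-character case) have no length check, so a quoted parameter longer than sizeof(param_buffer) in a restore line writes past the stack buffer; only the `default:` case of the switch checks `param_len >= sizeof(param_buffer)`. The same gap exists in the per-file copies the commit deletes, but consolidating into one implementation is the right moment to close it once. The excerpt below adds a pre-append check in both quoted cases, keeping the existing limit of sizeof(param_buffer) - 1 characters that the unquoted path enforces. Separately, the `-t` detection applies to quoted tokens as well because add_param_to_argv always calls `add_argv(param_buffer, 0)`, so a quoted value beginning with `-` and containing a `t` would presumably be rejected as a table option. Also, add_argv is declared `int` but its else branch falls off the end after xtables_error() where the removed copies had `return 0;`; that is only well-defined if xtables_error is declared noreturn, otherwise restore the return.
```c
	for (curchar = parsestart; *curchar; curchar++) {
		if (quote_open) {
			if (escaped) {
				/* same bound as the unquoted path below */
				if (param_len >= sizeof(param_buffer) - 1)
					xtables_error(PARAMETER_PROBLEM,
						      "Parameter too long!");
				param_buffer[param_len++] = *curchar;
				escaped = 0;
				continue;
			} else if (*curchar == '\\') {
				escaped = 1;
				continue;
			} else if (*curchar == '"') {
				quote_open = 0;
				*curchar = '"';
			} else {
				if (param_len >= sizeof(param_buffer) - 1)
					xtables_error(PARAMETER_PROBLEM,
						      "Parameter too long!");
				param_buffer[param_len++] = *curchar;
				continue;
			}
		} else {
			/* … unchanged: opening-quote detection … */
		}

		/* … unchanged: terminator switch, -t check, add_argv() call … */
	}
```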
@ -0,0 +1,259 @@ |
|||||||
|
From cc564f1b24a61d8abcd1163323ba68d373ef3d7c Mon Sep 17 00:00:00 2001 |
||||||
|
From: Phil Sutter <psutter@redhat.com> |
||||||
|
Date: Wed, 3 Apr 2019 20:30:11 +0200 |
||||||
|
Subject: [PATCH] xtables: Introduce and use common function to parse |
||||||
|
val[/mask] arguments |
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 |
||||||
|
Upstream Status: iptables commit 29b1d97764d18 |
||||||
|
|
||||||
|
commit 29b1d97764d1849651388d870565b3fa815a0bd8 |
||||||
|
Author: Serhey Popovych <serhe.popovych@gmail.com> |
||||||
|
Date: Thu Mar 1 13:03:11 2018 +0200 |
||||||
|
|
||||||
|
xtables: Introduce and use common function to parse val[/mask] arguments |
||||||
|
|
||||||
|
There are a couple of places in both core and extensions where arguments |
||||||
|
in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32). |
||||||
|
|
||||||
|
In some cases symbolic name might be used which is mapped in code to |
||||||
|
numeric value. |
||||||
|
|
||||||
|
Introduce common function to handle both cases where value given is |
||||||
|
either val[/mask] or symbolic name. |
||||||
|
|
||||||
|
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com> |
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de> |
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com> |
||||||
|
--- |
||||||
|
extensions/libipt_realm.c | 29 ++++++--------------- |
||||||
|
extensions/libxt_devgroup.c | 35 ++++--------------------- |
||||||
|
include/xtables.h | 11 ++++++++ |
||||||
|
libxtables/xtables.c | 52 +++++++++++++++++++++++++++++++++++++ |
||||||
|
libxtables/xtoptions.c | 22 +--------------- |
||||||
|
5 files changed, 77 insertions(+), 72 deletions(-) |
||||||
|
|
||||||
|
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c |
||||||
|
index fffb1218db7a6..0bfbaea0add23 100644 |
||||||
|
--- a/extensions/libipt_realm.c |
||||||
|
+++ b/extensions/libipt_realm.c |
||||||
|
@@ -34,30 +34,17 @@ static struct xtables_lmap *realms; |
||||||
|
|
||||||
|
static void realm_parse(struct xt_option_call *cb) |
||||||
|
{ |
||||||
|
- struct xt_realm_info *realminfo = cb->data; |
||||||
|
- int id; |
||||||
|
- char *end; |
||||||
|
+ struct xt_realm_info *ri = cb->data; |
||||||
|
+ unsigned int id, mask; |
||||||
|
|
||||||
|
xtables_option_parse(cb); |
||||||
|
- realminfo->id = strtoul(cb->arg, &end, 0); |
||||||
|
- if (end != cb->arg && (*end == '/' || *end == '\0')) { |
||||||
|
- if (*end == '/') |
||||||
|
- realminfo->mask = strtoul(end+1, &end, 0); |
||||||
|
- else |
||||||
|
- realminfo->mask = 0xffffffff; |
||||||
|
- if (*end != '\0' || end == cb->arg) |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "Bad realm value \"%s\"", cb->arg); |
||||||
|
- } else { |
||||||
|
- id = xtables_lmap_name2id(realms, cb->arg); |
||||||
|
- if (id == -1) |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "Realm \"%s\" not found", cb->arg); |
||||||
|
- realminfo->id = id; |
||||||
|
- realminfo->mask = 0xffffffff; |
||||||
|
- } |
||||||
|
+ xtables_parse_val_mask(cb, &id, &mask, realms); |
||||||
|
+ |
||||||
|
+ ri->id = id; |
||||||
|
+ ri->mask = mask; |
||||||
|
+ |
||||||
|
if (cb->invert) |
||||||
|
- realminfo->invert = 1; |
||||||
|
+ ri->invert = 1; |
||||||
|
} |
||||||
|
|
||||||
|
static void |
||||||
|
diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c |
||||||
|
index ebfa2aee80cf2..604828276177b 100644 |
||||||
|
--- a/extensions/libxt_devgroup.c |
||||||
|
+++ b/extensions/libxt_devgroup.c |
||||||
|
@@ -35,49 +35,24 @@ static const char f_devgroups[] = "/etc/iproute2/group"; |
||||||
|
/* array of devgroups from f_devgroups[] */ |
||||||
|
static struct xtables_lmap *devgroups; |
||||||
|
|
||||||
|
-static void devgroup_parse_groupspec(const char *arg, unsigned int *group, |
||||||
|
- unsigned int *mask) |
||||||
|
-{ |
||||||
|
- char *end; |
||||||
|
- bool ok; |
||||||
|
- |
||||||
|
- ok = xtables_strtoui(arg, &end, group, 0, UINT32_MAX); |
||||||
|
- if (ok && (*end == '/' || *end == '\0')) { |
||||||
|
- if (*end == '/') |
||||||
|
- ok = xtables_strtoui(end + 1, NULL, mask, |
||||||
|
- 0, UINT32_MAX); |
||||||
|
- else |
||||||
|
- *mask = ~0U; |
||||||
|
- if (!ok) |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "Bad group value \"%s\"", arg); |
||||||
|
- } else { |
||||||
|
- *group = xtables_lmap_name2id(devgroups, arg); |
||||||
|
- if (*group == -1) |
||||||
|
- xtables_error(PARAMETER_PROBLEM, |
||||||
|
- "Device group \"%s\" not found", arg); |
||||||
|
- *mask = ~0U; |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
static void devgroup_parse(struct xt_option_call *cb) |
||||||
|
{ |
||||||
|
struct xt_devgroup_info *info = cb->data; |
||||||
|
- unsigned int id, mask; |
||||||
|
+ unsigned int group, mask; |
||||||
|
|
||||||
|
xtables_option_parse(cb); |
||||||
|
+ xtables_parse_val_mask(cb, &group, &mask, devgroups); |
||||||
|
+ |
||||||
|
switch (cb->entry->id) { |
||||||
|
case O_SRC_GROUP: |
||||||
|
- devgroup_parse_groupspec(cb->arg, &id, &mask); |
||||||
|
- info->src_group = id; |
||||||
|
+ info->src_group = group; |
||||||
|
info->src_mask = mask; |
||||||
|
info->flags |= XT_DEVGROUP_MATCH_SRC; |
||||||
|
if (cb->invert) |
||||||
|
info->flags |= XT_DEVGROUP_INVERT_SRC; |
||||||
|
break; |
||||||
|
case O_DST_GROUP: |
||||||
|
- devgroup_parse_groupspec(cb->arg, &id, &mask); |
||||||
|
- info->dst_group = id; |
||||||
|
+ info->dst_group = group; |
||||||
|
info->dst_mask = mask; |
||||||
|
info->flags |= XT_DEVGROUP_MATCH_DST; |
||||||
|
if (cb->invert) |
||||||
|
diff --git a/include/xtables.h b/include/xtables.h |
||||||
|
index 021726708b2ee..47481e693ca25 100644 |
||||||
|
--- a/include/xtables.h |
||||||
|
+++ b/include/xtables.h |
||||||
|
@@ -501,6 +501,17 @@ extern void xtables_save_string(const char *value); |
||||||
|
|
||||||
|
extern void xtables_print_num(uint64_t number, unsigned int format); |
||||||
|
|
||||||
|
+extern void xtables_parse_val_mask(struct xt_option_call *cb, |
||||||
|
+ unsigned int *val, unsigned int *mask, |
||||||
|
+ const struct xtables_lmap *lmap); |
||||||
|
+ |
||||||
|
+static inline void xtables_parse_mark_mask(struct xt_option_call *cb, |
||||||
|
+ unsigned int *mark, |
||||||
|
+ unsigned int *mask) |
||||||
|
+{ |
||||||
|
+ xtables_parse_val_mask(cb, mark, mask, NULL); |
||||||
|
+} |
||||||
|
+ |
||||||
|
#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) |
||||||
|
# ifdef _INIT |
||||||
|
# undef _init |
||||||
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c |
||||||
|
index 7210d3706bf26..2981f52bc767f 100644 |
||||||
|
--- a/libxtables/xtables.c |
||||||
|
+++ b/libxtables/xtables.c |
||||||
|
@@ -1950,6 +1950,58 @@ void xtables_print_num(uint64_t number, unsigned int format) |
||||||
|
printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); |
||||||
|
} |
||||||
|
|
||||||
|
+void xtables_parse_val_mask(struct xt_option_call *cb, |
||||||
|
+ unsigned int *val, unsigned int *mask, |
||||||
|
+ const struct xtables_lmap *lmap) |
||||||
|
+{ |
||||||
|
+ char *end; |
||||||
|
+ |
||||||
|
+ *mask = ~0U; |
||||||
|
+ |
||||||
|
+ if (!xtables_strtoui(cb->arg, &end, val, 0, UINT32_MAX)) { |
||||||
|
+ if (lmap) |
||||||
|
+ goto name2val; |
||||||
|
+ else |
||||||
|
+ goto bad_val; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if (*end == '\0') |
||||||
|
+ return; |
||||||
|
+ |
||||||
|
+ if (*end != '/') { |
||||||
|
+ if (lmap) |
||||||
|
+ goto name2val; |
||||||
|
+ else |
||||||
|
+ goto garbage; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ if (!xtables_strtoui(end + 1, &end, mask, 0, UINT32_MAX)) |
||||||
|
+ goto bad_val; |
||||||
|
+ |
||||||
|
+ if (*end == '\0') |
||||||
|
+ return; |
||||||
|
+ |
||||||
|
+garbage: |
||||||
|
+ xt_params->exit_err(PARAMETER_PROBLEM, |
||||||
|
+ "%s: trailing garbage after value " |
||||||
|
+ "for option \"--%s\".\n", |
||||||
|
+ cb->ext_name, cb->entry->name); |
||||||
|
+ |
||||||
|
+bad_val: |
||||||
|
+ xt_params->exit_err(PARAMETER_PROBLEM, |
||||||
|
+ "%s: bad integer value for option \"--%s\", " |
||||||
|
+ "or out of range.\n", |
||||||
|
+ cb->ext_name, cb->entry->name); |
||||||
|
+ |
||||||
|
+name2val: |
||||||
|
+ *val = xtables_lmap_name2id(lmap, cb->arg); |
||||||
|
+ if ((int)*val == -1) |
||||||
|
+ xt_params->exit_err(PARAMETER_PROBLEM, |
||||||
|
+ "%s: could not map name %s to an integer value " |
||||||
|
+ "for option \"--%s\".\n", |
||||||
|
+ cb->ext_name, cb->arg, cb->entry->name); |
||||||
|
+} |
||||||
|
+ |
||||||
|
int kernel_version; |
||||||
|
|
||||||
|
void get_kernel_version(void) |
||||||
|
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c |
||||||
|
index 1d3fda73dedf7..4bbc03ab0f047 100644 |
||||||
|
--- a/libxtables/xtoptions.c |
||||||
|
+++ b/libxtables/xtoptions.c |
||||||
|
@@ -432,27 +432,7 @@ static void xtopt_parse_tosmask(struct xt_option_call *cb) |
||||||
|
*/ |
||||||
|
static void xtopt_parse_markmask(struct xt_option_call *cb) |
||||||
|
{ |
||||||
|
- unsigned int mark = 0, mask = ~0U; |
||||||
|
- char *end; |
||||||
|
- |
||||||
|
- if (!xtables_strtoui(cb->arg, &end, &mark, 0, UINT32_MAX)) |
||||||
|
- xt_params->exit_err(PARAMETER_PROBLEM, |
||||||
|
- "%s: bad mark value for option \"--%s\", " |
||||||
|
- "or out of range.\n", |
||||||
|
- cb->ext_name, cb->entry->name); |
||||||
|
- if (*end == '/' && |
||||||
|
- !xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX)) |
||||||
|
- xt_params->exit_err(PARAMETER_PROBLEM, |
||||||
|
- "%s: bad mask value for option \"--%s\", " |
||||||
|
- "or out of range.\n", |
||||||
|
- cb->ext_name, cb->entry->name); |
||||||
|
- if (*end != '\0') |
||||||
|
- xt_params->exit_err(PARAMETER_PROBLEM, |
||||||
|
- "%s: trailing garbage after value " |
||||||
|
- "for option \"--%s\".\n", |
||||||
|
- cb->ext_name, cb->entry->name); |
||||||
|
- cb->val.mark = mark; |
||||||
|
- cb->val.mask = mask; |
||||||
|
+ xtables_parse_mark_mask(cb, &cb->val.mark, &cb->val.mask); |
||||||
|
} |
||||||
|
|
||||||
|
static int xtopt_sysloglvl_compare(const void *a, const void *b) |
||||||
|
-- |
||||||
|
2.21.0 |
||||||
|
|
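--- /dev/null
+++ b/[PATH-NOT-SHOWN: added patch file 1/2 xtables-restore Fix --table parameter check]
@@ -0,0 +1,81 @@
+From bcf1d6cb8bd521c716ae38dd08ee52d267cfa25e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 23 Oct 2019 12:06:55 +0200
+Subject: [PATCH 1/2] xtables-restore: Fix --table parameter check
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
+Upstream Status: iptables commit 3dc433b55bbfa
+Conflicts: Downstream does not support nft-variants.
+
+commit 3dc433b55bbfaf9df3ee408aaa6282742f377864
+Author: Phil Sutter <phil@nwl.cc>
+Date: Fri Sep 20 17:31:58 2019 +0200
+
+xtables-restore: Fix --table parameter check
+
+Xtables-restore tries to reject rule commands in input which contain a
+--table parameter (since it is adding this itself based on the previous
+table line). The manual check was not perfect though as it caught any
+parameter starting with a dash and containing a 't' somewhere, even in
+rule comments:
+
+| *filter
+| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
+| COMMIT
+
+Instead of error-prone manual checking, go a much simpler route: All
+do_command callbacks are passed a boolean indicating they're called from
+*tables-restore. React upon this when handling a table parameter and
+error out if it's not the first one.
+
+Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Florian Westphal <fw@strlen.de>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+iptables/iptables.c | 4 ++++
+iptables/xshared.c | 12 ------------
+2 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index dc70cc6e9b0ec..d106a18949407 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -1591,6 +1591,10 @@ int do_command4(int argc, char *argv[], char **table,
+if (cs.invert)
+xtables_error(PARAMETER_PROBLEM,
+"unexpected ! flag before --table");
++ if (restore && *table)
++ xtables_error(PARAMETER_PROBLEM,
++ "The -t option (seen in line %u) cannot be used in %s.\n",
++ line, xt_params->program_name);
+*table = optarg;
+break;
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 84dbea562576e..058b5e8b63896 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -513,18 +513,6 @@ void add_param_to_argv(char *parsestart, int line)
+}
+
+param_buffer[param_len] = '\0';
+-
+- /* check if table name specified */
+- if ((param_buffer[0] == '-' &&
+- param_buffer[1] != '-' &&
+- strchr(param_buffer, 't')) ||
+- (!strncmp(param_buffer, "--t", 3) &&
+- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
+- xtables_error(PARAMETER_PROBLEM,
+- "The -t option (seen in line %u) cannot be used in %s.\n",
+- line, xt_params->program_name);
+- }
+-
+add_argv(param_buffer, 0);
+param_len = 0;
+}
+--
+2.23.0
+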
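--- /dev/null
+++ b/[PATH-NOT-SHOWN: added patch file 2/2 xtables-restore Unbreak tables-restore]
@@ -0,0 +1,90 @@
+From 5b36b6fa581ca958340ab8d40be646cae249eee4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 23 Oct 2019 12:07:39 +0200
+Subject: [PATCH 2/2] xtables-restore: Unbreak *tables-restore
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
+Upstream Status: iptables commit 4e470fa347610
+Conflicts: Downstream does not support nft-variants.
+
+commit 4e470fa34761085144640fb561a9ad26b2cde382
+Author: Phil Sutter <phil@nwl.cc>
+Date: Tue Oct 22 12:25:28 2019 +0200
+
+xtables-restore: Unbreak *tables-restore
+
+Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
+installed an error check which evaluated true in all cases as all
+callers of do_command callbacks pass a pointer to a table name already.
+Attached test case passed as it tested error condition only.
+
+Fix the whole mess by introducing a boolean to indicate whether a table
+parameter was seen already. Extend the test case to cover positive as
+well as negative behaviour and to test ebtables-restore and
+ip6tables-restore as well. Also add the required checking code to the
+latter since the original commit missed it.
+
+Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+iptables/ip6tables.c | 6 ++++++
+iptables/iptables.c | 4 +++-
+2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index fc2fd37cfe919..42edf7a55ec6e 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1316,6 +1316,7 @@ int do_command6(int argc, char *argv[], char **table,
+struct xtables_rule_match *matchp;
+struct xtables_target *t;
+unsigned long long cnt;
++ bool table_set = false;
+
+memset(&cs, 0, sizeof(cs));
+cs.jumpto = "";
+@@ -1598,7 +1599,12 @@ int do_command6(int argc, char *argv[], char **table,
+if (cs.invert)
+xtables_error(PARAMETER_PROBLEM,
+"unexpected ! flag before --table");
++ if (restore && table_set)
++ xtables_error(PARAMETER_PROBLEM,
++ "The -t option (seen in line %u) cannot be used in %s.\n",
++ line, xt_params->program_name);
+*table = optarg;
++ table_set = true;
+break;
+
+case 'x':
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index d106a18949407..0ad87fd98684d 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -1312,6 +1312,7 @@ int do_command4(int argc, char *argv[], char **table,
+struct xtables_rule_match *matchp;
+struct xtables_target *t;
+unsigned long long cnt;
++ bool table_set = false;
+
+memset(&cs, 0, sizeof(cs));
+cs.jumpto = "";
+@@ -1591,11 +1592,12 @@ int do_command4(int argc, char *argv[], char **table,
+if (cs.invert)
+xtables_error(PARAMETER_PROBLEM,
+"unexpected ! flag before --table");
+- if (restore && *table)
++ if (restore && table_set)
+xtables_error(PARAMETER_PROBLEM,
+"The -t option (seen in line %u) cannot be used in %s.\n",
+line, xt_params->program_name);
+*table = optarg;
++ table_set = true;
+break;
+
+case 'x':
+--
+2.23.0
+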
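Review bot: The reason `table_set` is used instead of testing `*table` is recorded only in the commit message, so a one-line comment above `if (restore && table_set)` in both do_command4 and do_command6 would keep a later cleanup from reverting to the pointer test, e.g. `/* *tables-restore callers preset *table; track an explicit -t separately */`. The flag declaration and the check-and-set block are now duplicated verbatim in iptables.c and ip6tables.c; if both files already share xshared.h, a small helper taking `restore`, the flag and `line` would stop the two copies drifting apart, as they evidently did between patch 1/2 and 2/2. Outside restore mode a repeated `-t` is still accepted silently with the last value winning, which appears to be pre-existing behaviour rather than something this patch changes. Both do_command bodies extend well beyond the hunks shown.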