From 9a3fa70d9c75623e75b4e3dd6ab7cbe69e0a20b7 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 06 2019 11:14:42 +0000 Subject: import iptables-1.4.21-33.el7 --- diff --git a/SOURCES/Consolidate-DEBUGP-macros.patch b/SOURCES/Consolidate-DEBUGP-macros.patch new file mode 100644 index 0000000..50d0ef9 --- /dev/null +++ b/SOURCES/Consolidate-DEBUGP-macros.patch @@ -0,0 +1,165 @@ +From 7fcb3a907824af6220007d91ef49095f990b1733 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:15:52 +0200 +Subject: [PATCH] Consolidate DEBUGP macros + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1668475 +Upstream Status: iptables commit 78b9d438037f2 +Conflicts: +* Context change due to missing commit 2963a8df2175b + ("iptables: Remove explicit static variables initalization.") +* Dropped changes to non-existing files iptables/nft-shared.h and + iptables/xtables-restore.c. + +commit 78b9d438037f2c83a7bbb73eb1b86cc295967905 +Author: Phil Sutter +Date: Thu Aug 2 17:05:15 2018 +0200 + + Consolidate DEBUGP macros + + This debug printing macro was defined in various places, always + identical. Move it into xshared.h and drop it from sources including + that header. There are a few exceptions: + + * iptables-xml.c did not include xshared.h, which this patch changes. + + * Sources in extensions and libiptc mostly left alone since they don't + include xshared.h (and maybe shouldn't). Only libxt_set.h does, so + it's converted, too. + + This also converts DEBUG define use in libip6t_hbh.c to avoid a compiler + warning. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libip6t_hbh.c | 6 ++---- + extensions/libxt_set.h | 6 ------ + iptables/ip6tables-restore.c | 6 ------ + iptables/iptables-restore.c | 6 ------ + iptables/iptables-xml.c | 7 +------ + iptables/xshared.h | 6 ++++++ + 6 files changed, 9 insertions(+), 28 deletions(-) + +diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c +index c0389ed8bafde..1c49ee71ada13 100644 +--- a/extensions/libip6t_hbh.c ++++ b/extensions/libip6t_hbh.c +@@ -5,8 +5,6 @@ + #include + #include + +-#define DEBUG 0 +- + enum { + O_HBH_LEN = 0, + O_HBH_OPTS, +@@ -83,7 +81,7 @@ parse_options(const char *optsstr, uint16_t *opts) + opts[i] |= (0x00FF); + } + +-#if DEBUG ++#ifdef DEBUG + printf("opts str: %s %s\n", cp, range); + printf("opts opt: %04X\n", opts[i]); + #endif +@@ -92,7 +90,7 @@ parse_options(const char *optsstr, uint16_t *opts) + + free(buffer); + +-#if DEBUG ++#ifdef DEBUG + printf("addr nr: %d\n", i); + #endif + +diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h +index 5a1bdcf730cf2..41dfbd30fc7c1 100644 +--- a/extensions/libxt_set.h ++++ b/extensions/libxt_set.h +@@ -8,12 +8,6 @@ + #include + #include "../iptables/xshared.h" + +-#ifdef DEBUG +-#define DEBUGP(x, args...) fprintf(stderr, x , ## args) +-#else +-#define DEBUGP(x, args...) +-#endif +- + static int + get_version(unsigned *version) + { +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index fdcc0cb5b2c06..611430d930eda 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -20,12 +20,6 @@ + #include "libiptc/libip6tc.h" + #include "ip6tables-multi.h" + +-#ifdef DEBUG +-#define DEBUGP(x, args...) fprintf(stderr, x, ## args) +-#else +-#define DEBUGP(x, args...) +-#endif +- + static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0; + + static struct timeval wait_interval = { +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index 5a8c2c738bb0f..b0da96d45d297 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -17,12 +17,6 @@ + #include "libiptc/libiptc.h" + #include "iptables-multi.h" + +-#ifdef DEBUG +-#define DEBUGP(x, args...) fprintf(stderr, x, ## args) +-#else +-#define DEBUGP(x, args...) +-#endif +- + static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0; + + static struct timeval wait_interval = { +diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c +index 92a5768f86903..c523a132b2240 100644 +--- a/iptables/iptables-xml.c ++++ b/iptables/iptables-xml.c +@@ -16,12 +16,7 @@ + #include "libiptc/libiptc.h" + #include "xtables-multi.h" + #include +- +-#ifdef DEBUG +-#define DEBUGP(x, args...) fprintf(stderr, x, ## args) +-#else +-#define DEBUGP(x, args...) +-#endif ++#include "xshared.h" + + struct xtables_globals iptables_xml_globals = { + .option_offset = 0, +diff --git a/iptables/xshared.h b/iptables/xshared.h +index 20dbbd12118ad..bfdb10b2701e5 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -9,6 +9,12 @@ + #include + #include + ++#ifdef DEBUG ++#define DEBUGP(x, args...) fprintf(stdout, x, ## args) ++#else ++#define DEBUGP(x, args...) ++#endif ++ + enum { + OPT_NONE = 0, + OPT_NUMERIC = 1 << 0, +-- +2.21.0 + diff --git a/SOURCES/Fix-a-few-cases-of-pointless-assignments.patch b/SOURCES/Fix-a-few-cases-of-pointless-assignments.patch new file mode 100644 index 0000000..f4b4de3 --- /dev/null +++ b/SOURCES/Fix-a-few-cases-of-pointless-assignments.patch @@ -0,0 +1,163 @@ +From b0c800d08b90b84d5d693d63602bcc4b43a07b6f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:34 +0100 +Subject: [PATCH] Fix a few cases of pointless assignments + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 7e50ebabbf9c3 +Conflicts: Dropped changes to non-existing nft-backend files. + +commit 7e50ebabbf9c3a5eeb9511d9f32c6104b56da5cd +Author: Phil Sutter +Date: Wed Sep 19 15:17:04 2018 +0200 + + Fix a few cases of pointless assignments + + This gets rid of a number of assignments which are either redundant or + not used afterwards. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 4 ++-- + iptables/iptables-restore.c | 4 ++-- + iptables/iptables-xml.c | 4 ++-- + libxtables/xtoptions.c | 2 +- + utils/nfnl_osf.c | 13 +++++-------- + 5 files changed, 12 insertions(+), 15 deletions(-) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index d610360a1c1ff..fdcc0cb5b2c06 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -427,7 +427,6 @@ int ip6tables_restore_main(int argc, char *argv[]) + + } else if (in_table) { + int a; +- char *ptr = buffer; + char *pcnt = NULL; + char *bcnt = NULL; + char *parsestart; +@@ -437,7 +436,8 @@ int ip6tables_restore_main(int argc, char *argv[]) + + if (buffer[0] == '[') { + /* we have counters in our input */ +- ptr = strchr(buffer, ']'); ++ char *ptr = strchr(buffer, ']'); ++ + if (!ptr) + xtables_error(PARAMETER_PROBLEM, + "Bad line %u: need ]\n", +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index db77fb77b3c98..5a8c2c738bb0f 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -426,7 +426,6 @@ iptables_restore_main(int argc, char *argv[]) + + } else if (in_table) { + int a; +- char *ptr = buffer; + char *pcnt = NULL; + char *bcnt = NULL; + char *parsestart; +@@ -436,7 +435,8 @@ iptables_restore_main(int argc, char *argv[]) + + if (buffer[0] == '[') { + /* we have counters in our input */ +- ptr = strchr(buffer, ']'); ++ char *ptr = strchr(buffer, ']'); ++ + if (!ptr) + xtables_error(PARAMETER_PROBLEM, + "Bad line %u: need ]\n", +diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c +index 962844762fc4e..92a5768f86903 100644 +--- a/iptables/iptables-xml.c ++++ b/iptables/iptables-xml.c +@@ -731,7 +731,6 @@ iptables_xml_main(int argc, char *argv[]) + ret = 1; + } else if (curTable[0]) { + unsigned int a; +- char *ptr = buffer; + char *pcnt = NULL; + char *bcnt = NULL; + char *parsestart; +@@ -747,7 +746,8 @@ iptables_xml_main(int argc, char *argv[]) + + if (buffer[0] == '[') { + /* we have counters in our input */ +- ptr = strchr(buffer, ']'); ++ char *ptr = strchr(buffer, ']'); ++ + if (!ptr) + xtables_error(PARAMETER_PROBLEM, + "Bad line %u: need ]\n", +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index 0c63c2d372dea..1ad4cb57f5836 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -282,7 +282,7 @@ static void xtopt_mint_value_to_ptr(struct xt_option_call *cb, void **datap, + static void xtopt_parse_mint(struct xt_option_call *cb) + { + const struct xt_option_entry *entry = cb->entry; +- const char *arg = cb->arg; ++ const char *arg; + size_t esize = xtopt_esize_by_type(entry->type); + const uintmax_t lmax = xtopt_max_by_type(entry->type); + void *put = XTOPT_MKPTR(cb); +diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c +index c67485ee698b1..0f8b35b805016 100644 +--- a/utils/nfnl_osf.c ++++ b/utils/nfnl_osf.c +@@ -157,7 +157,6 @@ static void xt_osf_parse_opt(struct xt_osf_opt *opt, __u16 *optnum, char *obuf, + i = 0; + while (ptr != NULL && i < olen && *ptr != 0) { + val = 0; +- op = 0; + wc = OSF_WSS_PLAIN; + switch (obuf[i]) { + case 'N': +@@ -344,7 +343,7 @@ static int osf_load_line(char *buffer, int len, int del) + pend = xt_osf_strchr(pbeg, OSFPDEL); + if (pend) { + *pend = '\0'; +- cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg); ++ snprintf(obuf, sizeof(obuf), "%s,", pbeg); + pbeg = pend + 1; + } + +@@ -352,25 +351,23 @@ static int osf_load_line(char *buffer, int len, int del) + if (pend) { + *pend = '\0'; + if (pbeg[0] == '@' || pbeg[0] == '*') +- cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1); ++ snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1); + else +- cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg); ++ snprintf(f.genre, sizeof(f.genre), "%s", pbeg); + pbeg = pend + 1; + } + + pend = xt_osf_strchr(pbeg, OSFPDEL); + if (pend) { + *pend = '\0'; +- cnt = snprintf(f.version, sizeof(f.version), "%s", pbeg); ++ snprintf(f.version, sizeof(f.version), "%s", pbeg); + pbeg = pend + 1; + } + + pend = xt_osf_strchr(pbeg, OSFPDEL); + if (pend) { + *pend = '\0'; +- cnt = +- snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg); +- pbeg = pend + 1; ++ snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg); + } + + xt_osf_parse_opt(f.opt, &f.opt_num, obuf, sizeof(obuf)); +-- +2.21.0 + diff --git a/SOURCES/Mark-fall-through-cases-in-switch-statements.patch b/SOURCES/Mark-fall-through-cases-in-switch-statements.patch new file mode 100644 index 0000000..f4c2152 --- /dev/null +++ b/SOURCES/Mark-fall-through-cases-in-switch-statements.patch @@ -0,0 +1,70 @@ +From 5527530396afccc43fddedbe6fdf1b4c6000b516 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:49:11 +0100 +Subject: [PATCH] Mark fall through cases in switch() statements + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 1788f545aae28 +Conflicts: Dropped changes to non-existing libebt_log.c, nft-shared.c + and revision 4 of libxt_set.c. + +commit 1788f545aae285fa3cd6595d5d25b2ae1b215282 +Author: Phil Sutter +Date: Wed Sep 19 15:16:45 2018 +0200 + + Mark fall through cases in switch() statements + + Typical covscan complaint, non-empty fall throughs should be marked as + such. There was but a single case which should break instead, namely in + libebt_log.c: It is not critical, since the next case merely asserts + 'invert' being zero (which can't be as it was checked before). But while + being at it, introduce log_chk_inv() to consolidate the semantically + equal cases for the various log types. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_set.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c +index 2cb9e78a85f97..ec826367d6631 100644 +--- a/extensions/libxt_set.c ++++ b/extensions/libxt_set.c +@@ -60,6 +60,7 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags, + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); ++ /* fall through */ + case '1': /* --match-set [, */ + if (info->u.flags[0]) + xtables_error(PARAMETER_PROBLEM, +@@ -140,6 +141,7 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags, + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); ++ /* fall through */ + case '1': /* --match-set [, */ + if (info->dim) + xtables_error(PARAMETER_PROBLEM, +@@ -238,6 +240,7 @@ set_parse_v2(int c, char **argv, int invert, unsigned int *flags, + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); ++ /* fall through */ + case '1': /* --match-set [, */ + if (info->dim) + xtables_error(PARAMETER_PROBLEM, +@@ -415,6 +418,7 @@ set_parse_v3(int c, char **argv, int invert, unsigned int *flags, + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); ++ /* fall through */ + case '1': /* --match-set [, */ + if (info->match_set.dim) + xtables_error(PARAMETER_PROBLEM, +-- +2.21.0 + diff --git a/SOURCES/Share-print_ipv-4-6-_addr-from-xtables.patch b/SOURCES/Share-print_ipv-4-6-_addr-from-xtables.patch new file mode 100644 index 0000000..80879cc --- /dev/null +++ b/SOURCES/Share-print_ipv-4-6-_addr-from-xtables.patch @@ -0,0 +1,216 @@ +From 7c53ed370c79027455b4e342436da507be701e23 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] Share print_ipv{4,6}_addr() from xtables + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 8da04ffdca193 +Conflicts: +* Dropped changes to non-existing nft-ipv4.c and nft-ipv6.c. +* Context change in xshared.{c,h}. + +commit 8da04ffdca1931402a6bc22c43c1a2fa1c6f1e14 +Author: Phil Sutter +Date: Wed Sep 19 15:16:59 2018 +0200 + + Share print_ipv{4,6}_addr() from xtables + + These functions contain code which occurs in legacy's print_firewall() + functions, so use them there. + + Rename them to at least make clear they print more than a single + address. + + Also introduce ipv{4,6}_addr_to_string() which take care of converting + an address/netmask pair into string representation in a way which + doesn't upset covscan (since that didn't detect that 'buf' may not be + exceeded by the strings written into it. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables.c | 27 +----------------- + iptables/iptables.c | 25 +---------------- + iptables/xshared.c | 66 ++++++++++++++++++++++++++++++++++++++++++++ + iptables/xshared.h | 3 ++ + 4 files changed, 71 insertions(+), 50 deletions(-) + +diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c +index 76e36d44f6b25..fc2fd37cfe919 100644 +--- a/iptables/ip6tables.c ++++ b/iptables/ip6tables.c +@@ -541,7 +541,6 @@ print_firewall(const struct ip6t_entry *fw, + { + const struct xtables_target *target = NULL; + const struct xt_entry_target *t; +- char buf[BUFSIZ]; + + if (!ip6tc_is_chain(targname, handle)) + target = xtables_find_target(targname, XTF_TRY_LOAD); +@@ -609,31 +608,7 @@ print_firewall(const struct ip6t_entry *fw, + printf(FMT("%-6s ","out %s "), iface); + } + +- fputc(fw->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout); +- if (!memcmp(&fw->ipv6.smsk, &in6addr_any, sizeof in6addr_any) +- && !(format & FMT_NUMERIC)) +- printf(FMT("%-19s ","%s "), "anywhere"); +- else { +- if (format & FMT_NUMERIC) +- strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.src)); +- else +- strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.src)); +- strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.smsk)); +- printf(FMT("%-19s ","%s "), buf); +- } +- +- fputc(fw->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout); +- if (!memcmp(&fw->ipv6.dmsk, &in6addr_any, sizeof in6addr_any) +- && !(format & FMT_NUMERIC)) +- printf(FMT("%-19s ","-> %s"), "anywhere"); +- else { +- if (format & FMT_NUMERIC) +- strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.dst)); +- else +- strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.dst)); +- strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.dmsk)); +- printf(FMT("%-19s ","-> %s"), buf); +- } ++ print_ipv6_addresses(fw, format); + + if (format & FMT_NOTABLE) + fputs(" ", stdout); +diff --git a/iptables/iptables.c b/iptables/iptables.c +index bac9fe0905e9f..dc70cc6e9b0ec 100644 +--- a/iptables/iptables.c ++++ b/iptables/iptables.c +@@ -526,7 +526,6 @@ print_firewall(const struct ipt_entry *fw, + const struct xtables_target *target = NULL; + const struct xt_entry_target *t; + uint8_t flags; +- char buf[BUFSIZ]; + + if (!iptc_is_chain(targname, handle)) + target = xtables_find_target(targname, XTF_TRY_LOAD); +@@ -595,29 +594,7 @@ print_firewall(const struct ipt_entry *fw, + printf(FMT("%-6s ","out %s "), iface); + } + +- fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout); +- if (fw->ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC)) +- printf(FMT("%-19s ","%s "), "anywhere"); +- else { +- if (format & FMT_NUMERIC) +- strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.src)); +- else +- strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.src)); +- strcat(buf, xtables_ipmask_to_numeric(&fw->ip.smsk)); +- printf(FMT("%-19s ","%s "), buf); +- } +- +- fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout); +- if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC)) +- printf(FMT("%-19s ","-> %s"), "anywhere"); +- else { +- if (format & FMT_NUMERIC) +- strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.dst)); +- else +- strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.dst)); +- strcat(buf, xtables_ipmask_to_numeric(&fw->ip.dmsk)); +- printf(FMT("%-19s ","-> %s"), buf); +- } ++ print_ipv4_addresses(fw, format); + + if (format & FMT_NOTABLE) + fputs(" ", stdout); +diff --git a/iptables/xshared.c b/iptables/xshared.c +index b8a81fd968361..742502154aa55 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -340,3 +340,69 @@ inline bool xs_has_arg(int argc, char *argv[]) + argv[optind][0] != '-' && + argv[optind][0] != '!'; + } ++ ++static const char *ipv4_addr_to_string(const struct in_addr *addr, ++ const struct in_addr *mask, ++ unsigned int format) ++{ ++ static char buf[BUFSIZ]; ++ ++ if (!mask->s_addr && !(format & FMT_NUMERIC)) ++ return "anywhere"; ++ ++ if (format & FMT_NUMERIC) ++ strncpy(buf, xtables_ipaddr_to_numeric(addr), BUFSIZ - 1); ++ else ++ strncpy(buf, xtables_ipaddr_to_anyname(addr), BUFSIZ - 1); ++ buf[BUFSIZ - 1] = '\0'; ++ ++ strncat(buf, xtables_ipmask_to_numeric(mask), ++ BUFSIZ - strlen(buf) - 1); ++ ++ return buf; ++} ++ ++void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format) ++{ ++ fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout); ++ printf(FMT("%-19s ", "%s "), ++ ipv4_addr_to_string(&fw->ip.src, &fw->ip.smsk, format)); ++ ++ fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout); ++ printf(FMT("%-19s ", "-> %s"), ++ ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format)); ++} ++ ++static const char *ipv6_addr_to_string(const struct in6_addr *addr, ++ const struct in6_addr *mask, ++ unsigned int format) ++{ ++ static char buf[BUFSIZ]; ++ ++ if (IN6_IS_ADDR_UNSPECIFIED(addr) && !(format & FMT_NUMERIC)) ++ return "anywhere"; ++ ++ if (format & FMT_NUMERIC) ++ strncpy(buf, xtables_ip6addr_to_numeric(addr), BUFSIZ - 1); ++ else ++ strncpy(buf, xtables_ip6addr_to_anyname(addr), BUFSIZ - 1); ++ buf[BUFSIZ - 1] = '\0'; ++ ++ strncat(buf, xtables_ip6mask_to_numeric(mask), ++ BUFSIZ - strlen(buf) - 1); ++ ++ return buf; ++} ++ ++void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format) ++{ ++ fputc(fw6->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout); ++ printf(FMT("%-19s ", "%s "), ++ ipv6_addr_to_string(&fw6->ipv6.src, ++ &fw6->ipv6.smsk, format)); ++ ++ fputc(fw6->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout); ++ printf(FMT("%-19s ", "-> %s"), ++ ipv6_addr_to_string(&fw6->ipv6.dst, ++ &fw6->ipv6.dmsk, format)); ++} +diff --git a/iptables/xshared.h b/iptables/xshared.h +index c35dfee47577d..20dbbd12118ad 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -113,4 +113,7 @@ bool xs_has_arg(int argc, char *argv[]); + + extern const struct xtables_afinfo *afinfo; + ++void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); ++void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); ++ + #endif /* IPTABLES_XSHARED_H */ +-- +2.21.0 + diff --git a/SOURCES/extensions-Add-macro-_DEFAULT_SOURCE.patch b/SOURCES/extensions-Add-macro-_DEFAULT_SOURCE.patch new file mode 100644 index 0000000..06a1fc9 --- /dev/null +++ b/SOURCES/extensions-Add-macro-_DEFAULT_SOURCE.patch @@ -0,0 +1,60 @@ +From 3dcd69e5655a2485d39efd64b5bd9fd38fdb4a04 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:52:42 +0100 +Subject: [PATCH] extensions: Add macro _DEFAULT_SOURCE. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 27de281d8aca8 + +commit 27de281d8aca84e3c841b3ae72a17616b1382ac4 +Author: Varsha Rao +Date: Thu Dec 21 09:05:45 2017 +0530 + + extensions: Add macro _DEFAULT_SOURCE. + + Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated. + https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes + + This patch fixes the following warning: + + warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use + _DEFAULT_SOURCE" [-Wcpp] + # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use + # _DEFAULT_SOURCE" + + Signed-off-by: Varsha Rao + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_hashlimit.c | 1 + + extensions/libxt_limit.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c +index c5b8d7795c5e5..6d64017022c00 100644 +--- a/extensions/libxt_hashlimit.c ++++ b/extensions/libxt_hashlimit.c +@@ -11,6 +11,7 @@ + * Error corections by nmalykh@bilim.com (22.01.2005) + */ + #define _BSD_SOURCE 1 ++#define _DEFAULT_SOURCE 1 + #define _ISOC99_SOURCE 1 + #include + #include +diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c +index f75ef2f87a74c..183a86e324211 100644 +--- a/extensions/libxt_limit.c ++++ b/extensions/libxt_limit.c +@@ -4,6 +4,7 @@ + * Hervé Eychenne + */ + #define _BSD_SOURCE 1 ++#define _DEFAULT_SOURCE 1 + #define _ISOC99_SOURCE 1 + #include + #include +-- +2.21.0 + diff --git a/SOURCES/extensions-Fix-ipvs-vproto-option-printing.patch b/SOURCES/extensions-Fix-ipvs-vproto-option-printing.patch new file mode 100644 index 0000000..148cf4e --- /dev/null +++ b/SOURCES/extensions-Fix-ipvs-vproto-option-printing.patch @@ -0,0 +1,42 @@ +From 21ef09de8df5a448df06a3fb6c7708440fe8b8ac Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:19:53 +0200 +Subject: [PATCH] extensions: Fix ipvs vproto option printing + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1679726 +Upstream Status: iptables commit dd1ad59f0df66 + +commit dd1ad59f0df66811335c10ed90c33151a658a50e +Author: Phil Sutter +Date: Thu Feb 21 20:09:31 2019 +0100 + + extensions: Fix ipvs vproto option printing + + This was broken since day 1: vproto option was printed as 'proto' which + in turn iptables wouldn't accept anymore. + + Fixes: c36d05e424069 ("libxt_ipvs: user-space lib for netfilter matcher xt_ipvs") + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_ipvs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c +index fe98fef951686..51952be4245b3 100644 +--- a/extensions/libxt_ipvs.c ++++ b/extensions/libxt_ipvs.c +@@ -165,7 +165,7 @@ static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data, + if (data->bitmask & XT_IPVS_PROTO) { + if (data->invert & XT_IPVS_PROTO) + printf(" !"); +- printf(" %sproto %u", prefix, data->l4proto); ++ printf(" %svproto %u", prefix, data->l4proto); + } + + if (data->bitmask & XT_IPVS_VADDR) { +-- +2.21.0 + diff --git a/SOURCES/extensions-Fix-ipvs-vproto-parsing.patch b/SOURCES/extensions-Fix-ipvs-vproto-parsing.patch new file mode 100644 index 0000000..93109a2 --- /dev/null +++ b/SOURCES/extensions-Fix-ipvs-vproto-parsing.patch @@ -0,0 +1,57 @@ +From dab2ab10ed0cb30fb454097200f440660a0f3946 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:19:53 +0200 +Subject: [PATCH] extensions: Fix ipvs vproto parsing + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1679726 +Upstream Status: iptables commit fcbdc69e8a750 + +commit fcbdc69e8a750fe02c9d7c7aced0efc91715132d +Author: Phil Sutter +Date: Thu Feb 21 20:09:30 2019 +0100 + + extensions: Fix ipvs vproto parsing + + This was broken by integration into guided option parser: + + * Make 'vproto' option XTTYPE_PROTOCOL, otherwise its arguments are + parsed as garbage only. + + * Drop O_VPROTO case from ipvs_mt_parse(), due to XTOPT_POINTER() and + above change there is nothing to do for it in there. + + Fixes: 372203af4c70f ("libxt_ipvs: use guided option parser") + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_ipvs.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c +index a6c57a030d2c6..fe98fef951686 100644 +--- a/extensions/libxt_ipvs.c ++++ b/extensions/libxt_ipvs.c +@@ -27,7 +27,7 @@ enum { + static const struct xt_option_entry ipvs_mt_opts[] = { + {.name = "ipvs", .id = O_IPVS, .type = XTTYPE_NONE, + .flags = XTOPT_INVERT}, +- {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_STRING, ++ {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_PROTOCOL, + .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, l4proto)}, + {.name = "vaddr", .id = O_VADDR, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, +@@ -69,9 +69,6 @@ static void ipvs_mt_parse(struct xt_option_call *cb) + + xtables_option_parse(cb); + switch (cb->entry->id) { +- case O_VPROTO: +- data->l4proto = cb->val.protocol; +- break; + case O_VADDR: + memcpy(&data->vaddr, &cb->val.haddr, sizeof(cb->val.haddr)); + memcpy(&data->vmask, &cb->val.hmask, sizeof(cb->val.hmask)); +-- +2.21.0 + diff --git a/SOURCES/extensions-Initialize-linear-mapping-of-symbols-in-_.patch b/SOURCES/extensions-Initialize-linear-mapping-of-symbols-in-_.patch new file mode 100644 index 0000000..8752cae --- /dev/null +++ b/SOURCES/extensions-Initialize-linear-mapping-of-symbols-in-_.patch @@ -0,0 +1,139 @@ +From 861155bef2343e0259469dc8e4acde60e2c6fb91 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:29:38 +0200 +Subject: [PATCH] extensions: Initialize linear mapping of symbols in _init() + of extension + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 +Upstream Status: iptables commit 56aadc01b258e +Conflicts: Whitespace change due to missing commit f7c26137b0d57 + ("extensions: libipt_realm: Add translation to nft"). + +commit 56aadc01b258ef7849463723ab5ddc4885db22f6 +Author: Serhey Popovych +Date: Thu Mar 1 13:03:10 2018 +0200 + + extensions: Initialize linear mapping of symbols in _init() of extension + + libxt_devgroup and libipt_realm currently unable to display symbolic + names in save/print commands because linear mapping is not initialized. + + It looks bit confusing as linear mapping initialization is done in init() + of extension, which is expected to be called before any other function of + extension. + + However init is called only when '-m' option specified on command line, + that is true only for insert, append, replace and destroy iptables + commands. + + Move initialization to extension _init() function before calling + any function in extension. + + Before: + ------- + ... src-group 0x1 dst-group 0x2 + ... src-group 0x2 dst-group 0x1 + + After: + ------ + ... src-group grp1 dst-group grp2 + ... src-group grp2 dst-group grp1 + + Signed-off-by: Serhey Popovych + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libipt_realm.c | 17 +++++++---------- + extensions/libxt_devgroup.c | 17 +++++++---------- + 2 files changed, 14 insertions(+), 20 deletions(-) + +diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c +index a8d9dda0c00c0..fffb1218db7a6 100644 +--- a/extensions/libipt_realm.c ++++ b/extensions/libipt_realm.c +@@ -28,17 +28,10 @@ static const struct xt_option_entry realm_opts[] = { + XTOPT_TABLEEND, + }; + +-/* array of realms from /etc/iproute2/rt_realms */ ++static const char f_realms[] = "/etc/iproute2/rt_realms"; ++/* array of realms from f_realms[] */ + static struct xtables_lmap *realms; + +-static void realm_init(struct xt_entry_match *m) +-{ +- const char file[] = "/etc/iproute2/rt_realms"; +- realms = xtables_lmap_init(file); +- if (realms == NULL && errno != ENOENT) +- fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); +-} +- + static void realm_parse(struct xt_option_call *cb) + { + struct xt_realm_info *realminfo = cb->data; +@@ -114,7 +107,6 @@ static struct xtables_match realm_mt_reg = { + .size = XT_ALIGN(sizeof(struct xt_realm_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)), + .help = realm_help, +- .init = realm_init, + .print = realm_print, + .save = realm_save, + .x6_parse = realm_parse, +@@ -123,5 +115,10 @@ static struct xtables_match realm_mt_reg = { + + void _init(void) + { ++ realms = xtables_lmap_init(f_realms); ++ if (realms == NULL && errno != ENOENT) ++ fprintf(stderr, "Warning: %s: %s\n", f_realms, ++ strerror(errno)); ++ + xtables_register_match(&realm_mt_reg); + } +diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c +index fb1fcb51c1bb2..ebfa2aee80cf2 100644 +--- a/extensions/libxt_devgroup.c ++++ b/extensions/libxt_devgroup.c +@@ -31,17 +31,10 @@ static const struct xt_option_entry devgroup_opts[] = { + XTOPT_TABLEEND, + }; + +-/* array of devgroups from /etc/iproute2/group */ ++static const char f_devgroups[] = "/etc/iproute2/group"; ++/* array of devgroups from f_devgroups[] */ + static struct xtables_lmap *devgroups; + +-static void devgroup_init(struct xt_entry_match *match) +-{ +- const char file[] = "/etc/iproute2/group"; +- devgroups = xtables_lmap_init(file); +- if (devgroups == NULL && errno != ENOENT) +- fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); +-} +- + static void devgroup_parse_groupspec(const char *arg, unsigned int *group, + unsigned int *mask) + { +@@ -157,7 +150,6 @@ static struct xtables_match devgroup_mt_reg = { + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_devgroup_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_devgroup_info)), +- .init = devgroup_init, + .help = devgroup_help, + .print = devgroup_print, + .save = devgroup_save, +@@ -168,5 +160,10 @@ static struct xtables_match devgroup_mt_reg = { + + void _init(void) + { ++ devgroups = xtables_lmap_init(f_devgroups); ++ if (devgroups == NULL && errno != ENOENT) ++ fprintf(stderr, "Warning: %s: %s\n", f_devgroups, ++ strerror(errno)); ++ + xtables_register_match(&devgroup_mt_reg); + } +-- +2.21.0 + diff --git a/SOURCES/extensions-REJECT-Check-for-array-overrun.patch b/SOURCES/extensions-REJECT-Check-for-array-overrun.patch new file mode 100644 index 0000000..58bf9da --- /dev/null +++ b/SOURCES/extensions-REJECT-Check-for-array-overrun.patch @@ -0,0 +1,72 @@ +From 20f5f3c0c3b4cebc60af3d2def0ac983f54bfb06 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:52:01 +0100 +Subject: [PATCH] extensions: REJECT: Check for array overrun + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: RHEL-only + +This might happen in theory if enum ip6t_reject_with was extended in +kernel and some other tool added a rule making use of the new value. + +Signed-off-by: Phil Sutter +--- + extensions/libip6t_REJECT.c | 8 ++++++++ + extensions/libipt_REJECT.c | 8 ++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c +index 8085321a6d654..86f2d04296294 100644 +--- a/extensions/libip6t_REJECT.c ++++ b/extensions/libip6t_REJECT.c +@@ -104,6 +104,10 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target, + for (i = 0; i < ARRAY_SIZE(reject_table); ++i) + if (reject_table[i].with == reject->with) + break; ++ if (i == ARRAY_SIZE(reject_table)) ++ xtables_error(VERSION_PROBLEM, ++ "unknown reject type %d in ruleset", ++ reject->with); + printf(" reject-with %s", reject_table[i].name); + } + +@@ -116,6 +120,10 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target) + for (i = 0; i < ARRAY_SIZE(reject_table); ++i) + if (reject_table[i].with == reject->with) + break; ++ if (i == ARRAY_SIZE(reject_table)) ++ xtables_error(VERSION_PROBLEM, ++ "unknown reject type %d in ruleset", ++ reject->with); + + printf(" --reject-with %s", reject_table[i].name); + } +diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c +index 362c65ed88e96..5573ebd28022c 100644 +--- a/extensions/libipt_REJECT.c ++++ b/extensions/libipt_REJECT.c +@@ -124,6 +124,10 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target, + for (i = 0; i < ARRAY_SIZE(reject_table); ++i) + if (reject_table[i].with == reject->with) + break; ++ if (i == ARRAY_SIZE(reject_table)) ++ xtables_error(VERSION_PROBLEM, ++ "unknown reject type %d in ruleset", ++ reject->with); + printf(" reject-with %s", reject_table[i].name); + } + +@@ -136,6 +140,10 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target) + for (i = 0; i < ARRAY_SIZE(reject_table); ++i) + if (reject_table[i].with == reject->with) + break; ++ if (i == ARRAY_SIZE(reject_table)) ++ xtables_error(VERSION_PROBLEM, ++ "unknown reject type %d in ruleset", ++ reject->with); + + printf(" --reject-with %s", reject_table[i].name); + } +-- +2.21.0 + diff --git a/SOURCES/extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch b/SOURCES/extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch new file mode 100644 index 0000000..9a14186 --- /dev/null +++ b/SOURCES/extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch @@ -0,0 +1,48 @@ +From 2c7f817f6dc2d74d99248403b0ef7e36bcf060c8 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:29:38 +0200 +Subject: [PATCH] extensions: libxt_devgroup: Fix the path of the group + mappings file + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 +Upstream Status: iptables commit 93ad9ea1b86bd + +commit 93ad9ea1b86bdaacffd8e33654abcea3d4e148b2 +Author: Ana Rey +Date: Thu Sep 18 13:06:42 2014 +0200 + + extensions: libxt_devgroup: Fix the path of the group mappings file + + Use "/etc/iproute2/group" as the default path to the mapping file + instead of "/etc/iproute2/group_map". + + Signed-off-by: Ana Rey + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_devgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c +index 4a69c8229ce4a..fb1fcb51c1bb2 100644 +--- a/extensions/libxt_devgroup.c ++++ b/extensions/libxt_devgroup.c +@@ -31,12 +31,12 @@ static const struct xt_option_entry devgroup_opts[] = { + XTOPT_TABLEEND, + }; + +-/* array of devgroups from /etc/iproute2/group_map */ ++/* array of devgroups from /etc/iproute2/group */ + static struct xtables_lmap *devgroups; + + static void devgroup_init(struct xt_entry_match *match) + { +- const char file[] = "/etc/iproute2/group_map"; ++ const char file[] = "/etc/iproute2/group"; + devgroups = xtables_lmap_init(file); + if (devgroups == NULL && errno != ENOENT) + fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); +-- +2.21.0 + diff --git a/SOURCES/ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch b/SOURCES/ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch new file mode 100644 index 0000000..4401ada --- /dev/null +++ b/SOURCES/ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch @@ -0,0 +1,57 @@ +From 721bb877b759a0c92e6b019447fd3ee33d123cc0 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] ip{, 6}tables-restore: Fix for uninitialized array 'curtable' + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 4e499d53d558b + +commit 4e499d53d558bed55c8fe74390250dbfd6da3efc +Author: Phil Sutter +Date: Wed Sep 19 15:16:46 2018 +0200 + + ip{, 6}tables-restore: Fix for uninitialized array 'curtable' + + When reading sufficiently malformed input, parser might hit end of + loop without having written the current table name into curtable and + therefore calling strcmp() with uninitialized buffer. Avoid this by + setting curtable to zero upon declaration. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 2 +- + iptables/iptables-restore.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index e2a82c57bd426..d610360a1c1ff 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -192,7 +192,7 @@ int ip6tables_restore_main(int argc, char *argv[]) + struct xtc_handle *handle = NULL; + char buffer[10240]; + int c, lock; +- char curtable[XT_TABLE_MAXNAMELEN + 1]; ++ char curtable[XT_TABLE_MAXNAMELEN + 1] = {}; + FILE *in; + int in_table = 0, testing = 0; + const char *tablename = NULL; +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index af0c79408631d..db77fb77b3c98 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -191,7 +191,7 @@ iptables_restore_main(int argc, char *argv[]) + struct xtc_handle *handle = NULL; + char buffer[10240]; + int c, lock; +- char curtable[XT_TABLE_MAXNAMELEN + 1]; ++ char curtable[XT_TABLE_MAXNAMELEN + 1] = {}; + FILE *in; + int in_table = 0, testing = 0; + const char *tablename = NULL; +-- +2.21.0 + diff --git a/SOURCES/iptables-config b/SOURCES/iptables-config index 0237281..3d7e176 100644 --- a/SOURCES/iptables-config +++ b/SOURCES/iptables-config @@ -5,13 +5,6 @@ # stored in /etc/modprobe.conf. IPTABLES_MODULES="" -# Unload modules on restart and stop -# Value: yes|no, default: yes -# This option has to be 'yes' to get to a sane state for a firewall -# restart or stop. Only set to 'no' if there are problems unloading netfilter -# modules. -IPTABLES_MODULES_UNLOAD="yes" - # Save current firewall rules on stop. # Value: yes|no, default: no # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped diff --git a/SOURCES/iptables-xml-fix-segfault-if-missing-space-after-A.patch b/SOURCES/iptables-xml-fix-segfault-if-missing-space-after-A.patch new file mode 100644 index 0000000..033870c --- /dev/null +++ b/SOURCES/iptables-xml-fix-segfault-if-missing-space-after-A.patch @@ -0,0 +1,50 @@ +From c360c1d2af887c8e614ec152fb64717e56fb472d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 9 Apr 2019 15:22:44 +0200 +Subject: [PATCH] iptables-xml: fix segfault if missing space after -A + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit f53b78e423d82 + +commit f53b78e423d82b0c71c076480f52edeb5eaec5f8 +Author: Phil Oester +Date: Thu Jan 23 22:06:58 2014 -0800 + + iptables-xml: fix segfault if missing space after -A + + As pointed out by Bernhard Reutner-Fischer, a malformed line fed to + iptables-xml such as the below with a missing space after the -A: + + -APOSTROUTING -d 1.1.1.1/32 -p tcp -j MASQUERADE + + causes a segfault. Patch attached. + + This closes netfilter bugzilla #886. + + Signed-off-by: Phil Oester + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/iptables-xml.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c +index 49f8ea2826181..769f76550b764 100644 +--- a/iptables/iptables-xml.c ++++ b/iptables/iptables-xml.c +@@ -777,6 +777,11 @@ iptables_xml_main(int argc, char *argv[]) + for (a = 0; a < newargc; a++) + DEBUGP("argv[%u]: %s\n", a, newargv[a]); + ++ if (!chain) { ++ fprintf(stderr, "%s: line %u failed - no chain found\n", ++ prog_name, line); ++ exit(1); ++ } + needChain(chain);// Should we explicitly look for -A + do_rule(pcnt, bcnt, newargc, newargv, newargvattr); + +-- +2.21.0 + diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init index 73656d3..c0f15f1 100755 --- a/SOURCES/iptables.init +++ b/SOURCES/iptables.init @@ -43,14 +43,8 @@ if [ ! -x /sbin/$IPTABLES ]; then exit 5 fi -# Old or new modutils -/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \ - && NEW_MODUTILS=1 \ - || NEW_MODUTILS=0 - # Default firewall configuration: IPTABLES_MODULES="" -IPTABLES_MODULES_UNLOAD="yes" IPTABLES_SAVE_ON_STOP="no" IPTABLES_SAVE_ON_RESTART="no" IPTABLES_SAVE_COUNTER="no" @@ -64,10 +58,6 @@ IPTABLES_RESTORE_WAIT_INTERVAL=1000000 # Load firewall configuration. [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" -# Netfilter modules -NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables) -NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 - # Get active tables NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) @@ -83,38 +73,6 @@ if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then IPTABLES_RESTORE_CMD+=" $OPT" fi -rmmod_r() { - # Unload module with all referring modules. - # At first all referring modules will be unloaded, then the module itself. - local mod=$1 - local ret=0 - local ref= - - # Get referring modules. - # New modutils have another output format. - [ $NEW_MODUTILS = 1 ] \ - && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \ - || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1) - - # recursive call for all referring modules - for i in $ref; do - rmmod_r $i - let ret+=$?; - done - - # Unload module. - # The extra test is for 2.6: The module might have autocleaned, - # after all referring modules are unloaded. - if grep -q "^${mod}" /proc/modules ; then - modprobe -r $mod > /dev/null 2>&1 - res=$? - [ $res -eq 0 ] || echo -n " $mod" - let ret+=$res; - fi - - return $ret -} - flush_n_delete() { local ret=0 @@ -290,23 +248,6 @@ stop() { flush_n_delete let ret+=$? - if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then - echo -n $"${IPTABLES}: Unloading modules: " - ret2=0 - for mod in ${NF_MODULES[*]}; do - rmmod_r $mod - let ret2+=$?; - done - # try to unload remaining netfilter modules used by ipv4 and ipv6 - # netfilter - for mod in ${NF_MODULES_COMMON[*]}; do - rmmod_r $mod >/dev/null - done - [ $ret2 -eq 0 ] && success || failure - echo - let ret+=$ret2 - fi - rm -f $VAR_SUBSYS_IPTABLES return $ret } @@ -357,7 +298,7 @@ save() { } status() { - if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then + if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then echo $"${IPTABLES}: Firewall is not running." return 3 fi @@ -378,7 +319,7 @@ status() { NUM= [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" - VERBOSE= + VERBOSE= [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" COUNT= [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" diff --git a/SOURCES/libiptc-Avoid-side-effect-in-memset-calls.patch b/SOURCES/libiptc-Avoid-side-effect-in-memset-calls.patch new file mode 100644 index 0000000..f6ab7df --- /dev/null +++ b/SOURCES/libiptc-Avoid-side-effect-in-memset-calls.patch @@ -0,0 +1,59 @@ +From 72859f25cb799ba4ac0b532c59bd01be70950f00 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libiptc: Avoid side-effect in memset() calls + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit e6f986762667e + +commit e6f986762667ee2b2d61e7978d460f28916158a3 +Author: Phil Sutter +Date: Mon Sep 10 23:35:14 2018 +0200 + + libiptc: Avoid side-effect in memset() calls + + These calls to memset() are passed a length argument which exceeds + t->target.u.user.name's length by one byte and hence overwrite + t->target.u.user.revision as well (relying upon no padding to happen + between both). + + Avoid this obscure behaviour by passing the correct field size and + explicitly overwriting 'revision' field. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libiptc/libiptc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index d2427c16a5254..4c0fbd5d7e68c 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -1115,8 +1115,9 @@ static inline int iptcc_compile_rule (struct xtc_handle *h, STRUCT_REPLACE *repl + STRUCT_STANDARD_TARGET *t; + t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry); + /* memset for memcmp convenience on delete/replace */ +- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN); ++ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN); + strcpy(t->target.u.user.name, STANDARD_TARGET); ++ t->target.u.user.revision = 0; + /* Jumps can only happen to builtin chains, so we + * can safely assume that they always have a header */ + t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE; +@@ -1676,8 +1677,9 @@ iptcc_standard_map(struct rule_head *r, int verdict) + return 0; + } + /* memset for memcmp convenience on delete/replace */ +- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN); ++ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN); + strcpy(t->target.u.user.name, STANDARD_TARGET); ++ t->target.u.user.revision = 0; + t->verdict = verdict; + + r->type = IPTCC_R_STANDARD; +-- +2.21.0 + diff --git a/SOURCES/libiptc-NULL-terminate-errorname.patch b/SOURCES/libiptc-NULL-terminate-errorname.patch new file mode 100644 index 0000000..c17bebc --- /dev/null +++ b/SOURCES/libiptc-NULL-terminate-errorname.patch @@ -0,0 +1,44 @@ +From 9dfd443c3828a3e9a3cf5cf2afb9f0324bacb19a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libiptc: NULL-terminate errorname + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit a76ba54e28337 + +commit a76ba54e2833761c46fd57cbe2486cbc38686717 +Author: Phil Sutter +Date: Mon Sep 24 19:25:22 2018 +0200 + + libiptc: NULL-terminate errorname + + In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence + copying its content into 'error_name' field of struct xt_error_target + which is two bytes shorter may overflow. Make sure this doesn't happen + by using strncpy() and set the last byte to zero. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libiptc/libiptc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index f6a9862ea9f4d..d2427c16a5254 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -1149,7 +1149,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc + strcpy(head->name.target.u.user.name, ERROR_TARGET); + head->name.target.u.target_size = + ALIGN(sizeof(struct xt_error_target)); +- strcpy(head->name.errorname, c->name); ++ strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN); ++ head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0'; + } else { + repl->hook_entry[c->hooknum-1] = c->head_offset; + repl->underflow[c->hooknum-1] = c->foot_offset; +-- +2.21.0 + diff --git a/SOURCES/libiptc-Simplify-alloc_handle-function-signature.patch b/SOURCES/libiptc-Simplify-alloc_handle-function-signature.patch new file mode 100644 index 0000000..dd95978 --- /dev/null +++ b/SOURCES/libiptc-Simplify-alloc_handle-function-signature.patch @@ -0,0 +1,74 @@ +From e64b48b46cec83203ff8de80a1c56be2c40b2c7d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libiptc: Simplify alloc_handle() function signature + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 22ef371abeeec + +commit 22ef371abeeec789bb6a701352dcb961556595c2 +Author: Phil Sutter +Date: Wed Sep 19 15:16:53 2018 +0200 + + libiptc: Simplify alloc_handle() function signature + + This change originated from covscan complaining about the strcpy() call + with an unknown size source buffer. But in fact, the size is known (and + equal to the destination size), so pass a pointer to STRUCT_GETINFO to + alloc_handle() instead of it's fields separately. Hopefully this will + silence covscan. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libiptc/libiptc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index 1f61fde53f1db..f6a9862ea9f4d 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -1269,7 +1269,7 @@ static int iptcc_compile_table(struct xtc_handle *h, STRUCT_REPLACE *repl) + + /* Allocate handle of given size */ + static struct xtc_handle * +-alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) ++alloc_handle(STRUCT_GETINFO *infop) + { + struct xtc_handle *h; + +@@ -1280,14 +1280,14 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) + } + memset(h, 0, sizeof(*h)); + INIT_LIST_HEAD(&h->chains); +- strcpy(h->info.name, tablename); ++ strcpy(h->info.name, infop->name); + +- h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size); ++ h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + infop->size); + if (!h->entries) + goto out_free_handle; + +- strcpy(h->entries->name, tablename); +- h->entries->size = size; ++ strcpy(h->entries->name, infop->name); ++ h->entries->size = infop->size; + + return h; + +@@ -1336,8 +1336,8 @@ retry: + DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n", + info.valid_hooks, info.num_entries, info.size); + +- if ((h = alloc_handle(info.name, info.size, info.num_entries)) +- == NULL) { ++ h = alloc_handle(&info); ++ if (h == NULL) { + close(sockfd); + return NULL; + } +-- +2.21.0 + diff --git a/SOURCES/libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch b/SOURCES/libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch new file mode 100644 index 0000000..654cbba --- /dev/null +++ b/SOURCES/libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch @@ -0,0 +1,42 @@ +From a7bb46f478443597a7e97e81adb13d9619f4b1a7 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxt_LED: Avoid string overrun while parsing led-trigger-id + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit d0c1f1b4ad4e3 + +commit d0c1f1b4ad4e3b91220a03514031ee879db832d0 +Author: Phil Sutter +Date: Wed Sep 19 15:16:48 2018 +0200 + + libxt_LED: Avoid string overrun while parsing led-trigger-id + + Instead of using strcat() and assuming the name will fit, print into the + buffer using snprintf() which truncates the string as needed. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_LED.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/extensions/libxt_LED.c b/extensions/libxt_LED.c +index 8622c379e68bc..6ada795056431 100644 +--- a/extensions/libxt_LED.c ++++ b/extensions/libxt_LED.c +@@ -53,8 +53,7 @@ static void LED_parse(struct xt_option_call *cb) + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_LED_TRIGGER_ID: +- strcpy(led->id, "netfilter-"); +- strcat(led->id, cb->arg); ++ snprintf(led->id, sizeof(led->id), "netfilter-%s", cb->arg); + break; + case O_LED_DELAY: + if (strncasecmp(cb->arg, "inf", 3) == 0) +-- +2.21.0 + diff --git a/SOURCES/libxt_conntrack-Avoid-potential-buffer-overrun.patch b/SOURCES/libxt_conntrack-Avoid-potential-buffer-overrun.patch new file mode 100644 index 0000000..ed84344 --- /dev/null +++ b/SOURCES/libxt_conntrack-Avoid-potential-buffer-overrun.patch @@ -0,0 +1,62 @@ +From de7ba61cf107f43223eeb640267d24e187047c29 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxt_conntrack: Avoid potential buffer overrun + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 8e798e050367d + +commit 8e798e050367dfe43bb958f11dd3170b03bda49e +Author: Phil Sutter +Date: Wed Sep 19 15:16:50 2018 +0200 + + libxt_conntrack: Avoid potential buffer overrun + + In print_addr(), a resolved hostname is written into a buffer without + size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an + issue, though covscan complained about it. Fix the code by using + conntrack_dump_addr() as an example. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_conntrack.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c +index 3e7075760d40f..804aa23638ca1 100644 +--- a/extensions/libxt_conntrack.c ++++ b/extensions/libxt_conntrack.c +@@ -673,20 +673,20 @@ static void + print_addr(const struct in_addr *addr, const struct in_addr *mask, + int inv, int numeric) + { +- char buf[BUFSIZ]; +- + if (inv) + printf(" !"); + + if (mask->s_addr == 0L && !numeric) +- printf(" %s", "anywhere"); ++ printf(" anywhere"); + else { + if (numeric) +- strcpy(buf, xtables_ipaddr_to_numeric(addr)); ++ printf(" %s%s", ++ xtables_ipaddr_to_numeric(addr), ++ xtables_ipmask_to_numeric(mask)); + else +- strcpy(buf, xtables_ipaddr_to_anyname(addr)); +- strcat(buf, xtables_ipmask_to_numeric(mask)); +- printf(" %s", buf); ++ printf(" %s%s", ++ xtables_ipaddr_to_anyname(addr), ++ xtables_ipmask_to_numeric(mask)); + } + } + +-- +2.21.0 + diff --git a/SOURCES/libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch b/SOURCES/libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch new file mode 100644 index 0000000..58678d8 --- /dev/null +++ b/SOURCES/libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch @@ -0,0 +1,50 @@ +From c923062439297cbf5b08429123ba214b4efc8798 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:34 +0100 +Subject: [PATCH] libxt_conntrack: Version 0 does not support + XT_CONNTRACK_DIRECTION + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 74eb2395c8384 + +commit 74eb2395c838460384286c2b95f711ae275a46cb +Author: Phil Sutter +Date: Wed Sep 19 15:16:49 2018 +0200 + + libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION + + Since sinfo->flags is only 8 bytes large, checking for + XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return + false, so drop this dead code. + + Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir") + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_conntrack.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c +index 128bbd20a34c2..3e7075760d40f 100644 +--- a/extensions/libxt_conntrack.c ++++ b/extensions/libxt_conntrack.c +@@ -774,14 +774,6 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, + else + printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max); + } +- +- if (sinfo->flags & XT_CONNTRACK_DIRECTION) { +- if (sinfo->invflags & XT_CONNTRACK_DIRECTION) +- printf(" %sctdir REPLY", optpfx); +- else +- printf(" %sctdir ORIGINAL", optpfx); +- } +- + } + + static void +-- +2.21.0 + diff --git a/SOURCES/libxt_ipvs-Avoid-potential-buffer-overrun.patch b/SOURCES/libxt_ipvs-Avoid-potential-buffer-overrun.patch new file mode 100644 index 0000000..eef1f3f --- /dev/null +++ b/SOURCES/libxt_ipvs-Avoid-potential-buffer-overrun.patch @@ -0,0 +1,77 @@ +From 0bf795555728e54db2593a73f90d7820cf3ef4c6 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:34 +0100 +Subject: [PATCH] libxt_ipvs: Avoid potential buffer overrun + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 749d3c2ecd6a9 + +commit 749d3c2ecd6a9dc21f5a442c44495cb705621dff +Author: Phil Sutter +Date: Wed Sep 19 15:16:51 2018 +0200 + + libxt_ipvs: Avoid potential buffer overrun + + Just like with libxt_conntrack, get rid of the temporary buffer. The + comment even states that it was copied from there, so just make them + identical again. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_ipvs.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c +index 46727660a027a..a6c57a030d2c6 100644 +--- a/extensions/libxt_ipvs.c ++++ b/extensions/libxt_ipvs.c +@@ -126,19 +126,19 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr, + const union nf_inet_addr *mask, + unsigned int family, bool numeric) + { +- char buf[BUFSIZ]; +- + if (family == NFPROTO_IPV4) { + if (!numeric && addr->ip == 0) { + printf(" anywhere"); + return; + } + if (numeric) +- strcpy(buf, xtables_ipaddr_to_numeric(&addr->in)); ++ printf(" %s%s", ++ xtables_ipaddr_to_numeric(&addr->in), ++ xtables_ipmask_to_numeric(&mask->in)); + else +- strcpy(buf, xtables_ipaddr_to_anyname(&addr->in)); +- strcat(buf, xtables_ipmask_to_numeric(&mask->in)); +- printf(" %s", buf); ++ printf(" %s%s", ++ xtables_ipaddr_to_anyname(&addr->in), ++ xtables_ipmask_to_numeric(&mask->in)); + } else if (family == NFPROTO_IPV6) { + if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 && + addr->ip6[2] == 0 && addr->ip6[3] == 0) { +@@ -146,11 +146,13 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr, + return; + } + if (numeric) +- strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6)); ++ printf(" %s%s", ++ xtables_ip6addr_to_numeric(&addr->in6), ++ xtables_ip6mask_to_numeric(&mask->in6)); + else +- strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6)); +- strcat(buf, xtables_ip6mask_to_numeric(&mask->in6)); +- printf(" %s", buf); ++ printf(" %s%s", ++ xtables_ip6addr_to_anyname(&addr->in6), ++ xtables_ip6mask_to_numeric(&mask->in6)); + } + } + +-- +2.21.0 + diff --git a/SOURCES/libxt_recent-Remove-ineffective-checks-for-info-name.patch b/SOURCES/libxt_recent-Remove-ineffective-checks-for-info-name.patch new file mode 100644 index 0000000..61107bd --- /dev/null +++ b/SOURCES/libxt_recent-Remove-ineffective-checks-for-info-name.patch @@ -0,0 +1,54 @@ +From 61fd4ee73f2a23eeb2b10b24d19ac13deaf0c177 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxt_recent: Remove ineffective checks for info->name + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit d0e3d95fa3442 + +commit d0e3d95fa3442c6ff32f7fed3e0d2eeb2248ef9f +Author: Phil Sutter +Date: Fri Oct 20 13:24:36 2017 +0200 + + libxt_recent: Remove ineffective checks for info->name + + In struct xt_recent_mtinfo{,_v1}, field 'name' is an array, not a + pointer. So there is no point in comparing it against NULL. Changing the + check to make sure it's content is not an empty string is pointless + either, since a non-empty default string is used and the argument parser + will refuse empty strings as --name argument. So simply get rid of the + checks altogether. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_recent.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c +index e1801f1c18952..055ae35080346 100644 +--- a/extensions/libxt_recent.c ++++ b/extensions/libxt_recent.c +@@ -199,7 +199,7 @@ static void recent_print(const void *ip, const struct xt_entry_match *match, + if(info->hit_count) printf(" hit_count: %d", info->hit_count); + if (info->check_set & XT_RECENT_TTL) + printf(" TTL-Match"); +- if(info->name) printf(" name: %s", info->name); ++ printf(" name: %s", info->name); + if (info->side == XT_RECENT_SOURCE) + printf(" side: source"); + if (info->side == XT_RECENT_DEST) +@@ -239,7 +239,7 @@ static void recent_save(const void *ip, const struct xt_entry_match *match, + if(info->hit_count) printf(" --hitcount %d", info->hit_count); + if (info->check_set & XT_RECENT_TTL) + printf(" --rttl"); +- if(info->name) printf(" --name %s",info->name); ++ printf(" --name %s",info->name); + + switch(family) { + case NFPROTO_IPV4: +-- +2.21.0 + diff --git a/SOURCES/libxt_sctp-fix-array-out-of-range-in-print_chunk.patch b/SOURCES/libxt_sctp-fix-array-out-of-range-in-print_chunk.patch new file mode 100644 index 0000000..040aa79 --- /dev/null +++ b/SOURCES/libxt_sctp-fix-array-out-of-range-in-print_chunk.patch @@ -0,0 +1,51 @@ +From db1fcba4cade70fd86e615246bb03acd94cc4cd9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxt_sctp: fix array out of range in print_chunk + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 71de414c21f7f +Conflicts: Dropped changes to non-existing libxt_sctp.t. + +commit 71de414c21f7f31270e5d62e782e52257e5c3d06 +Author: huaibin Wang +Date: Mon Nov 13 14:27:54 2017 +0100 + + libxt_sctp: fix array out of range in print_chunk + + For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type + is not equal to the corresponding index in sctp_chunk_names[]. Using this field + leads to a segmentation fault (index out of range). + + Example + $ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT + $ iptables -L + Chain INPUT (policy ACCEPT) + target prot opt source destination + Segmentation fault + + Signed-off-by: huaibin Wang + Signed-off-by: Nicolas Dichtel + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_sctp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c +index 56a4cdf229390..cfd4c12330479 100644 +--- a/extensions/libxt_sctp.c ++++ b/extensions/libxt_sctp.c +@@ -370,7 +370,7 @@ print_chunk(uint32_t chunknum, int numeric) + + for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) + if (sctp_chunk_names[i].chunk_type == chunknum) +- printf("%s", sctp_chunk_names[chunknum].name); ++ printf("%s", sctp_chunk_names[i].name); + } + } + +-- +2.21.0 + diff --git a/SOURCES/libxt_string-Avoid-potential-array-out-of-bounds-acc.patch b/SOURCES/libxt_string-Avoid-potential-array-out-of-bounds-acc.patch new file mode 100644 index 0000000..acda814 --- /dev/null +++ b/SOURCES/libxt_string-Avoid-potential-array-out-of-bounds-acc.patch @@ -0,0 +1,46 @@ +From d9b22d809995f16b2bc988c8f72d70a5cd3e86d1 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxt_string: Avoid potential array out of bounds access + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 56d7ab42f3782 + +commit 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c +Author: Phil Sutter +Date: Mon Sep 10 23:35:16 2018 +0200 + + libxt_string: Avoid potential array out of bounds access + + The pattern index variable 'sindex' is bounds checked before + incrementing it, which means in the next loop iteration it might already + match the bounds check condition but is used anyway. + + Fix this by incrementing the index before performing the bounds check. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_string.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c +index fb15980e4a73f..d298c6a7081e7 100644 +--- a/extensions/libxt_string.c ++++ b/extensions/libxt_string.c +@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info) + info->pattern[sindex] = s[i]; + i++; + } +- if (sindex > XT_STRING_MAX_PATTERN_SIZE) ++ if (++sindex > XT_STRING_MAX_PATTERN_SIZE) + xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); +- sindex++; + } + info->patlen = sindex; + } +-- +2.21.0 + diff --git a/SOURCES/libxt_string-Fix-array-out-of-bounds-check.patch b/SOURCES/libxt_string-Fix-array-out-of-bounds-check.patch new file mode 100644 index 0000000..f4c9047 --- /dev/null +++ b/SOURCES/libxt_string-Fix-array-out-of-bounds-check.patch @@ -0,0 +1,62 @@ +From 5790cacab5a3fd7bde26056fa0f8b4650bd21bb7 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxt_string: Fix array out of bounds check + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 6fc7762f6f785 + +commit 6fc7762f6f78526e3cb0c189ac2778a6be4c00b5 +Author: Phil Sutter +Date: Mon Sep 17 13:38:33 2018 +0200 + + libxt_string: Fix array out of bounds check + + Commit 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds + access") tried to fix parse_hex_string() for overlong strings but the + change still allowed for 'sindex' to become XT_STRING_MAX_PATTERN_SIZE + which leads to access of first byte after info->pattern. This is not + really a problem because it merely overwrites info->patlen before + calling xtables_error() later, but covscan still detects it so it's + still worth fixing. + + The crucial bit here is that 'sindex' has to be incremented at end of + the last iteration since its value is used for info->patlen. Hence just + move the overflow check to the beginning of the loop. + + Fixes: 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds access") + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_string.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c +index d298c6a7081e7..7c6366cbbf1b3 100644 +--- a/extensions/libxt_string.c ++++ b/extensions/libxt_string.c +@@ -103,6 +103,9 @@ parse_hex_string(const char *s, struct xt_string_info *info) + } + + while (i < slen) { ++ if (sindex >= XT_STRING_MAX_PATTERN_SIZE) ++ xtables_error(PARAMETER_PROBLEM, ++ "STRING too long \"%s\"", s); + if (s[i] == '\\' && !hex_f) { + literal_f = 1; + } else if (s[i] == '\\') { +@@ -159,8 +162,7 @@ parse_hex_string(const char *s, struct xt_string_info *info) + info->pattern[sindex] = s[i]; + i++; + } +- if (++sindex > XT_STRING_MAX_PATTERN_SIZE) +- xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); ++ sindex++; + } + info->patlen = sindex; + } +-- +2.21.0 + diff --git a/SOURCES/libxt_time-Drop-initialization-of-variable-year.patch b/SOURCES/libxt_time-Drop-initialization-of-variable-year.patch new file mode 100644 index 0000000..0aa5037 --- /dev/null +++ b/SOURCES/libxt_time-Drop-initialization-of-variable-year.patch @@ -0,0 +1,59 @@ +From c6d6426921160fb554871fbe201722963f8a917c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxt_time: Drop initialization of variable 'year' + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 6b7145fa2112e + +commit 6b7145fa2112e257073cc44346e9891fa23ce9c2 +Author: Phil Sutter +Date: Wed Sep 19 15:16:52 2018 +0200 + + libxt_time: Drop initialization of variable 'year' + + The variable is not read before being assigned the return value of + strtoul(), thefore the initialization is useless. And since after this + change parameter 'end' becomes unused, drop it as well. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_time.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c +index 9c5bda88c1c78..5a8cc5de13031 100644 +--- a/extensions/libxt_time.c ++++ b/extensions/libxt_time.c +@@ -88,10 +88,10 @@ static void time_init(struct xt_entry_match *m) + info->date_stop = INT_MAX; + } + +-static time_t time_parse_date(const char *s, bool end) ++static time_t time_parse_date(const char *s) + { + unsigned int month = 1, day = 1, hour = 0, minute = 0, second = 0; +- unsigned int year = end ? 2038 : 1970; ++ unsigned int year; + const char *os = s; + struct tm tm; + time_t ret; +@@ -265,10 +265,10 @@ static void time_parse(struct xt_option_call *cb) + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_DATE_START: +- info->date_start = time_parse_date(cb->arg, false); ++ info->date_start = time_parse_date(cb->arg); + break; + case O_DATE_STOP: +- info->date_stop = time_parse_date(cb->arg, true); ++ info->date_stop = time_parse_date(cb->arg); + break; + case O_TIME_START: + info->daytime_start = time_parse_minutes(cb->arg); +-- +2.21.0 + diff --git a/SOURCES/libxtables-Avoid-calling-memcpy-with-NULL-source.patch b/SOURCES/libxtables-Avoid-calling-memcpy-with-NULL-source.patch new file mode 100644 index 0000000..2d4abba --- /dev/null +++ b/SOURCES/libxtables-Avoid-calling-memcpy-with-NULL-source.patch @@ -0,0 +1,91 @@ +From 3f4e13d60ddbb61bc3256221a98f5c5a954f6f5c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxtables: Avoid calling memcpy() with NULL source + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit ab639f236ff85 + +commit ab639f236ff85d2f447cc6601c7ff42cefdaf853 +Author: Phil Sutter +Date: Wed Sep 19 15:16:54 2018 +0200 + + libxtables: Avoid calling memcpy() with NULL source + + Both affected functions check if 'oldopts' is NULL once but later seem + to ignore that possibility. To catch up on that, increment the pointer + only if it isn't NULL, also don't copy its content into the merged + options buffer in that case. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 12 ++++++++---- + libxtables/xtoptions.c | 12 ++++++++---- + 2 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index 4a014e48a9f45..cf9a59d5ec095 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -119,8 +119,10 @@ struct option *xtables_merge_options(struct option *orig_opts, + * Since @oldopts also has @orig_opts already (and does so at the + * start), skip these entries. + */ +- oldopts += num_oold; +- num_old -= num_oold; ++ if (oldopts != NULL) { ++ oldopts += num_oold; ++ num_old -= num_oold; ++ } + + merge = malloc(sizeof(*mp) * (num_oold + num_old + num_new + 1)); + if (merge == NULL) +@@ -139,8 +141,10 @@ struct option *xtables_merge_options(struct option *orig_opts, + mp->val += *option_offset; + + /* Third, the old options */ +- memcpy(mp, oldopts, sizeof(*mp) * num_old); +- mp += num_old; ++ if (oldopts != NULL) { ++ memcpy(mp, oldopts, sizeof(*mp) * num_old); ++ mp += num_old; ++ } + xtables_free_opts(0); + + /* Clear trailing entry */ +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index 1ad4cb57f5836..1d3fda73dedf7 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -91,8 +91,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, + * Since @oldopts also has @orig_opts already (and does so at the + * start), skip these entries. + */ +- oldopts += num_orig; +- num_old -= num_orig; ++ if (oldopts != NULL) { ++ oldopts += num_orig; ++ num_old -= num_orig; ++ } + + merge = malloc(sizeof(*mp) * (num_orig + num_old + num_new + 1)); + if (merge == NULL) +@@ -114,8 +116,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, + } + + /* Third, the old options */ +- memcpy(mp, oldopts, sizeof(*mp) * num_old); +- mp += num_old; ++ if (oldopts != NULL) { ++ memcpy(mp, oldopts, sizeof(*mp) * num_old); ++ mp += num_old; ++ } + xtables_free_opts(0); + + /* Clear trailing entry */ +-- +2.21.0 + diff --git a/SOURCES/libxtables-Check-extension-real_name-length.patch b/SOURCES/libxtables-Check-extension-real_name-length.patch new file mode 100644 index 0000000..d4e1d6d --- /dev/null +++ b/SOURCES/libxtables-Check-extension-real_name-length.patch @@ -0,0 +1,57 @@ +From e4dd398938aed75397463aed36fc03f9d754bf29 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxtables: Check extension real_name length + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit a3716cc1a501e + +commit a3716cc1a501e40e26a96d78b2e1285bb081f366 +Author: Phil Sutter +Date: Mon Sep 24 19:25:21 2018 +0200 + + libxtables: Check extension real_name length + + Just like with 'name', if given check 'real_name' to not exceed max length. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index 575f7ee0a0d78..4a014e48a9f45 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -839,6 +839,12 @@ void xtables_register_match(struct xtables_match *me) + exit(1); + } + ++ if (me->real_name && strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) { ++ fprintf(stderr, "%s: match `%s' has invalid real name\n", ++ xt_params->program_name, me->real_name); ++ exit(1); ++ } ++ + if (me->family >= NPROTO) { + fprintf(stderr, + "%s: BUG: match %s has invalid protocol family\n", +@@ -997,6 +1003,12 @@ void xtables_register_target(struct xtables_target *me) + exit(1); + } + ++ if (me->real_name && strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) { ++ fprintf(stderr, "%s: target `%s' has invalid real name\n", ++ xt_params->program_name, me->real_name); ++ exit(1); ++ } ++ + if (me->family >= NPROTO) { + fprintf(stderr, + "%s: BUG: target %s has invalid protocol family\n", +-- +2.21.0 + diff --git a/SOURCES/libxtables-Don-t-read-garbage-in-xtables_strtoui.patch b/SOURCES/libxtables-Don-t-read-garbage-in-xtables_strtoui.patch new file mode 100644 index 0000000..d1dae23 --- /dev/null +++ b/SOURCES/libxtables-Don-t-read-garbage-in-xtables_strtoui.patch @@ -0,0 +1,42 @@ +From 6052b28839968d5077c182e6defa260e68147547 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxtables: Don't read garbage in xtables_strtoui() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 61ebf3f72ac62 + +commit 61ebf3f72ac62d887414c50fc83e277386f54e8f +Author: Phil Sutter +Date: Wed Sep 19 15:16:55 2018 +0200 + + libxtables: Don't read garbage in xtables_strtoui() + + If xtables_strtoul() fails, it returns false and data pointed to by + parameter 'value' is undefined. Hence avoid copying that data in + xtables_strtoui() if the call failed. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index fb60c01b48c05..575f7ee0a0d78 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -473,7 +473,7 @@ bool xtables_strtoui(const char *s, char **end, unsigned int *value, + bool ret; + + ret = xtables_strtoul(s, end, &v, min, max); +- if (value != NULL) ++ if (ret && value != NULL) + *value = v; + return ret; + } +-- +2.21.0 + diff --git a/SOURCES/libxtables-Fix-potential-array-overrun-in-xtables_op.patch b/SOURCES/libxtables-Fix-potential-array-overrun-in-xtables_op.patch new file mode 100644 index 0000000..51e3bf0 --- /dev/null +++ b/SOURCES/libxtables-Fix-potential-array-overrun-in-xtables_op.patch @@ -0,0 +1,42 @@ +From f958c3a78f14140e7ee983c3698918fe35f1a7af Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxtables: Fix potential array overrun in + xtables_option_parse() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 4144571f87c09 + +commit 4144571f87c094471419ef59e8bb89ef33cd1365 +Author: Phil Sutter +Date: Mon Sep 10 23:35:13 2018 +0200 + + libxtables: Fix potential array overrun in xtables_option_parse() + + If entry->type is to be used as array index, it needs to be at max one + less than that array's size. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtoptions.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index 78e9abd6a3f47..0c63c2d372dea 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -864,7 +864,7 @@ void xtables_option_parse(struct xt_option_call *cb) + * a *RC option type. + */ + cb->nvals = 1; +- if (entry->type <= ARRAY_SIZE(xtopt_subparse) && ++ if (entry->type < ARRAY_SIZE(xtopt_subparse) && + xtopt_subparse[entry->type] != NULL) + xtopt_subparse[entry->type](cb); + /* Exclusion with other flags tested later in finalize. */ +-- +2.21.0 + diff --git a/SOURCES/libxtables-Use-posix_spawn-instead-of-vfork.patch b/SOURCES/libxtables-Use-posix_spawn-instead-of-vfork.patch new file mode 100644 index 0000000..b301387 --- /dev/null +++ b/SOURCES/libxtables-Use-posix_spawn-instead-of-vfork.patch @@ -0,0 +1,71 @@ +From fbcd6c97015324480f843c08da338c9d580b2b31 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxtables: Use posix_spawn() instead of vfork() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit d95c1e8b65c4e + +commit d95c1e8b65c4ec66b8fcd2f7ede257853a888750 +Author: Phil Sutter +Date: Wed Sep 19 15:17:05 2018 +0200 + + libxtables: Use posix_spawn() instead of vfork() + + According to covscan, vfork() may lead to a deadlock in the parent + process. It suggests to use posix_spawn() instead. Since the latter + combines vfork() and exec() calls, use it for xtables_insmod(). + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index bca9863acc566..7210d3706bf26 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -343,6 +344,7 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + char *buf = NULL; + char *argv[4]; + int status; ++ pid_t pid; + + /* If they don't explicitly set it, read out of kernel */ + if (!modprobe) { +@@ -363,18 +365,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + */ + fflush(stdout); + +- switch (vfork()) { +- case 0: +- execv(argv[0], argv); +- +- /* not usually reached */ +- _exit(1); +- case -1: ++ if (posix_spawn(&pid, argv[0], NULL, NULL, argv, NULL)) { + free(buf); + return -1; +- +- default: /* parent */ +- wait(&status); ++ } else { ++ waitpid(pid, &status, 0); + } + + free(buf); +-- +2.21.0 + diff --git a/SOURCES/libxtables-move-some-code-to-avoid-cautions-in-vfork.patch b/SOURCES/libxtables-move-some-code-to-avoid-cautions-in-vfork.patch new file mode 100644 index 0000000..bc11de0 --- /dev/null +++ b/SOURCES/libxtables-move-some-code-to-avoid-cautions-in-vfork.patch @@ -0,0 +1,102 @@ +From 0d89bdef1e7f698787967bffed5c413ef0dee761 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxtables: move some code to avoid cautions in vfork man + page + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 78683093cf4f0 + +commit 78683093cf4f059531e5f929a4884ffaecb8411c +Author: Dan Wilder +Date: Sat Oct 25 00:51:59 2014 +0200 + + libxtables: move some code to avoid cautions in vfork man page + + Running iptables-restore on an embedded platform containing no modprobe program, the following lines in xtables.c lead to corrupted stack frame: + + 357 switch (vfork()) { + 358 case 0: + 359 argv[0] = (char *)modprobe; + 360 argv[1] = (char *)modname; + 361 if (quiet) { + 362 argv[2] = "-q"; + 363 argv[3] = NULL; + 364 } else { + 365 argv[2] = NULL; + 366 argv[3] = NULL; + 367 } + 368 execv(argv[0], argv); + 369 + 370 /* not usually reached */ + 371 exit(1); + + modprobe pointed to a non-existant program /sbin/modprobe, so execv() + always failed. Not a problem in itself on our platform, as the kernel + modules are pre-loaded before iptables-restore is run, but it took a + bit of headscratching to track this down, as a stack frame was + corrupted, leading to failures quite a while after the function + containing this code had returned! + + Relevant caution in man 2 vfork: + + "The vfork() function has the same effect as fork(2), except that + the behavior is undefined if the process created by vfork() either + modifies any data ... or calls any other function before + successfully calling _exit(2) or one of the exec(3) family of + functions." + + Apparently this has not been a problem for us in earlier versions of + glibc, maybe because vfork was more like fork, maybe because the + stack corruption was innocuous. Ours is a corner case anyway, as + it might not have been a problem had modprobe existed or had + modprobe been a symlink to /bin/true. But it seems odd to disregard + man page cautions, and our problem goes away if they are heeded. + + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index cf9a59d5ec095..bca9863acc566 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -352,6 +352,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + modprobe = buf; + } + ++ argv[0] = (char *)modprobe; ++ argv[1] = (char *)modname; ++ argv[2] = quiet ? "-q" : NULL; ++ argv[3] = NULL; ++ + /* + * Need to flush the buffer, or the child may output it again + * when switching the program thru execv. +@@ -360,19 +365,10 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + + switch (vfork()) { + case 0: +- argv[0] = (char *)modprobe; +- argv[1] = (char *)modname; +- if (quiet) { +- argv[2] = "-q"; +- argv[3] = NULL; +- } else { +- argv[2] = NULL; +- argv[3] = NULL; +- } + execv(argv[0], argv); + + /* not usually reached */ +- exit(1); ++ _exit(1); + case -1: + free(buf); + return -1; +-- +2.21.0 + diff --git a/SOURCES/list-fix-prefetch-dummy.patch b/SOURCES/list-fix-prefetch-dummy.patch new file mode 100644 index 0000000..9ca7544 --- /dev/null +++ b/SOURCES/list-fix-prefetch-dummy.patch @@ -0,0 +1,46 @@ +From 9db248f030af87e336b5880fc39e37a5beb7f291 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:52:42 +0100 +Subject: [PATCH] list: fix prefetch dummy + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 86a65af62b6b9 + +commit 86a65af62b6b986aa2ae3cbf3c655ea8225b027a +Author: Arturo Borrero +Date: Mon Apr 6 20:05:41 2015 +0200 + + list: fix prefetch dummy + + linux_list.h:381:59: warning: right-hand operand of comma expression has no effect [-Wunused-value] + for (pos = list_entry((head)->next, typeof(*pos), member), \ + ^ + libiptc.c:552:2: note: in expansion of macro 'list_for_each_entry' + list_for_each_entry(c, &h->chains, list) { + ^ + + [ Patch copied from one similar of Patrick McHardy on libnftnl ] + + Signed-off-by: Arturo Borrero Gonzalez + +Signed-off-by: Phil Sutter +--- + libiptc/linux_list.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libiptc/linux_list.h b/libiptc/linux_list.h +index abdcf88dadd64..559e33c9ebde0 100644 +--- a/libiptc/linux_list.h ++++ b/libiptc/linux_list.h +@@ -27,7 +27,7 @@ + 1; \ + }) + +-#define prefetch(x) 1 ++#define prefetch(x) ((void)0) + + /* empty define to make this work in userspace -HW */ + #define smp_wmb() +-- +2.21.0 + diff --git a/SOURCES/man-iptables-save-Add-note-about-module-autoloading.patch b/SOURCES/man-iptables-save-Add-note-about-module-autoloading.patch new file mode 100644 index 0000000..49c467e --- /dev/null +++ b/SOURCES/man-iptables-save-Add-note-about-module-autoloading.patch @@ -0,0 +1,47 @@ +From d9db0c35351a960a141e9ddc30cf6f09c9c27c8b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 18 Apr 2019 13:29:43 +0200 +Subject: [PATCH] man: iptables-save: Add note about module autoloading + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1691380 +Upstream Status: iptables commit 3390007a11cbc + +commit 3390007a11cbc45de1522f99ae751a3c5d55dd6f +Author: Phil Sutter +Date: Tue Mar 26 19:03:43 2019 +0100 + + man: iptables-save: Add note about module autoloading + + Using '-t' parameter in iptables-save might lead to kernel module + loading, just like with iptables itself. Copy the hint from iptables.8 + to inform users. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/iptables-save.8.in | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in +index 4091c0a595575..c3f1bd2152c58 100644 +--- a/iptables/iptables-save.8.in ++++ b/iptables/iptables-save.8.in +@@ -44,8 +44,11 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path. + include the current values of all packet and byte counters in the output + .TP + \fB\-t\fR, \fB\-\-table\fR \fItablename\fP +-restrict output to only one table. If not specified, output includes all +-available tables. ++restrict output to only one table. If the kernel is configured with automatic ++module loading, an attempt will be made to load the appropriate module for ++that table if it is not already there. ++.br ++If not specified, output includes all available tables. + .SH BUGS + None known as of iptables-1.2.1 release + .SH AUTHORS +-- +2.21.0 + diff --git a/SOURCES/nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch b/SOURCES/nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch new file mode 100644 index 0000000..6422370 --- /dev/null +++ b/SOURCES/nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch @@ -0,0 +1,43 @@ +From 4103f34690e1380c0ad4831b80ad913ea980eab4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] nfnl_osf: Drop pointless check in xt_osf_strchr() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 8c786a351a441 + +commit 8c786a351a441ff23ad5d9d1da8cec492f88f542 +Author: Phil Sutter +Date: Wed Sep 19 15:16:42 2018 +0200 + + nfnl_osf: Drop pointless check in xt_osf_strchr() + + Although it remains unclear what the original intention behind the + affected code was, but 'tmp + 1' always evaluates true since 'tmp' is a + pointer value. + + Cc: Evgeniy Polyakov + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + utils/nfnl_osf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c +index 0f8b35b805016..9a9fbe1268155 100644 +--- a/utils/nfnl_osf.c ++++ b/utils/nfnl_osf.c +@@ -141,7 +141,7 @@ static char *xt_osf_strchr(char *ptr, char c) + if (tmp) + *tmp = '\0'; + +- while (tmp && tmp + 1 && isspace(*(tmp + 1))) ++ while (tmp && isspace(*(tmp + 1))) + tmp++; + + return tmp; +-- +2.21.0 + diff --git a/SOURCES/nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch b/SOURCES/nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch new file mode 100644 index 0000000..eeee0cc --- /dev/null +++ b/SOURCES/nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch @@ -0,0 +1,40 @@ +From 4ee53b682e3ebb9a809007ec907f65ccfe4a1342 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 52aa15098ebd6 + +commit 52aa15098ebd62eaca9eb3c57c240df2455d8e9b +Author: Phil Sutter +Date: Wed Sep 19 15:16:56 2018 +0200 + + nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query() + + This eliminates the deprecation warning when compiling the sources. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + utils/nfnl_osf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c +index 972128f47ba04..c67485ee698b1 100644 +--- a/utils/nfnl_osf.c ++++ b/utils/nfnl_osf.c +@@ -384,7 +384,7 @@ static int osf_load_line(char *buffer, int len, int del) + + nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger)); + +- return nfnl_talk(nfnlh, nmh, 0, 0, NULL, NULL, NULL); ++ return nfnl_query(nfnlh, nmh); + } + + static int osf_load_entries(char *path, int del) +-- +2.21.0 + diff --git a/SOURCES/xshared-Consolidate-argv-construction-routines.patch b/SOURCES/xshared-Consolidate-argv-construction-routines.patch new file mode 100644 index 0000000..7e1a5fa --- /dev/null +++ b/SOURCES/xshared-Consolidate-argv-construction-routines.patch @@ -0,0 +1,568 @@ +From fc87d26b0343a5fbe661acc967f7a7c316531ca5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:16:49 +0200 +Subject: [PATCH] xshared: Consolidate argv construction routines + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1668475 +Upstream Status: iptables commit a2ed880a19d08 +Conflicts: +* Context change due to missing commit 2963a8df2175b + ("iptables: Remove explicit static variables initalization."). +* Context change due to missing commit 1cc09188079a6 + ("xshared: Consolidate parse_counters()"). +* Context change due to previously backported commit 8da04ffdca193 + ("Share print_ipv{4,6}_addr() from xtables"). +* Dropped changes to non-existing file iptables/xtables-restore.c. + +commit a2ed880a19d0861342b3515721804b18d698bf44 +Author: Phil Sutter +Date: Thu Aug 2 17:05:17 2018 +0200 + + xshared: Consolidate argv construction routines + + Implementations were equal in {ip,ip6,x}tables-restore.c. The one in + iptables-xml.c differed slightly. For now, collect all features + together. Maybe it would make sense to migrate iptables-xml.c to using + add_param_to_argv() at some point and therefore extend the latter to + store whether a given parameter was quoted or not. + + While being at it, a few improvements were done: + + * free_argv() now also resets 'newargc' variable, so users don't have to + do that anymore. + * Indenting level in add_param_to_argv() was reduced a bit. + * That long error message is put into a single line to aid in grepping + for it. + * Explicit call to exit() after xtables_error() is removed since the + latter does not return anyway. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 107 ++---------------------------- + iptables/iptables-restore.c | 107 ++---------------------------- + iptables/iptables-xml.c | 63 ------------------ + iptables/xshared.c | 123 +++++++++++++++++++++++++++++++++++ + iptables/xshared.h | 13 ++++ + 5 files changed, 150 insertions(+), 263 deletions(-) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index 611430d930eda..1f8cb43286f03 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -91,96 +91,6 @@ static int parse_counters(char *string, struct xt_counters *ctr) + return ret == 2; + } + +-/* global new argv and argc */ +-static char *newargv[255]; +-static int newargc; +- +-/* function adding one argument to newargv, updating newargc +- * returns true if argument added, false otherwise */ +-static int add_argv(char *what) { +- DEBUGP("add_argv: %s\n", what); +- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { +- newargv[newargc] = strdup(what); +- newargv[++newargc] = NULL; +- return 1; +- } else { +- xtables_error(PARAMETER_PROBLEM, +- "Parser cannot handle more arguments\n"); +- return 0; +- } +-} +- +-static void free_argv(void) { +- int i; +- +- for (i = 0; i < newargc; i++) +- free(newargv[i]); +-} +- +-static void add_param_to_argv(char *parsestart) +-{ +- int quote_open = 0, escaped = 0, param_len = 0; +- char param_buffer[1024], *curchar; +- +- /* After fighting with strtok enough, here's now +- * a 'real' parser. According to Rusty I'm now no +- * longer a real hacker, but I can live with that */ +- +- for (curchar = parsestart; *curchar; curchar++) { +- if (quote_open) { +- if (escaped) { +- param_buffer[param_len++] = *curchar; +- escaped = 0; +- continue; +- } else if (*curchar == '\\') { +- escaped = 1; +- continue; +- } else if (*curchar == '"') { +- quote_open = 0; +- *curchar = ' '; +- } else { +- param_buffer[param_len++] = *curchar; +- continue; +- } +- } else { +- if (*curchar == '"') { +- quote_open = 1; +- continue; +- } +- } +- +- if (*curchar == ' ' +- || *curchar == '\t' +- || * curchar == '\n') { +- if (!param_len) { +- /* two spaces? */ +- continue; +- } +- +- param_buffer[param_len] = '\0'; +- +- /* check if table name specified */ +- if (!strncmp(param_buffer, "-t", 2) +- || !strncmp(param_buffer, "--table", 8)) { +- xtables_error(PARAMETER_PROBLEM, +- "The -t option (seen in line %u) cannot be " +- "used in ip6tables-restore.\n", line); +- exit(1); +- } +- +- add_argv(param_buffer); +- param_len = 0; +- } else { +- /* regular character, copy to buffer */ +- param_buffer[param_len++] = *curchar; +- +- if (param_len >= sizeof(param_buffer)) +- xtables_error(PARAMETER_PROBLEM, +- "Parameter too long!"); +- } +- } +-} +- + int ip6tables_restore_main(int argc, char *argv[]) + { + struct xtc_handle *handle = NULL; +@@ -425,9 +335,6 @@ int ip6tables_restore_main(int argc, char *argv[]) + char *bcnt = NULL; + char *parsestart; + +- /* reset the newargv */ +- newargc = 0; +- + if (buffer[0] == '[') { + /* we have counters in our input */ + char *ptr = strchr(buffer, ']'); +@@ -456,17 +363,17 @@ int ip6tables_restore_main(int argc, char *argv[]) + parsestart = buffer; + } + +- add_argv(argv[0]); +- add_argv("-t"); +- add_argv(curtable); ++ add_argv(argv[0], 0); ++ add_argv("-t", 0); ++ add_argv(curtable, 0); + + if (counters && pcnt && bcnt) { +- add_argv("--set-counters"); +- add_argv((char *) pcnt); +- add_argv((char *) bcnt); ++ add_argv("--set-counters", 0); ++ add_argv((char *) pcnt, 0); ++ add_argv((char *) bcnt, 0); + } + +- add_param_to_argv(parsestart); ++ add_param_to_argv(parsestart, line); + + DEBUGP("calling do_command6(%u, argv, &%s, handle):\n", + newargc, curtable); +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index b0da96d45d297..615e38a6625e0 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -89,96 +89,6 @@ static int parse_counters(char *string, struct xt_counters *ctr) + return ret == 2; + } + +-/* global new argv and argc */ +-static char *newargv[255]; +-static int newargc; +- +-/* function adding one argument to newargv, updating newargc +- * returns true if argument added, false otherwise */ +-static int add_argv(char *what) { +- DEBUGP("add_argv: %s\n", what); +- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { +- newargv[newargc] = strdup(what); +- newargv[++newargc] = NULL; +- return 1; +- } else { +- xtables_error(PARAMETER_PROBLEM, +- "Parser cannot handle more arguments\n"); +- return 0; +- } +-} +- +-static void free_argv(void) { +- int i; +- +- for (i = 0; i < newargc; i++) +- free(newargv[i]); +-} +- +-static void add_param_to_argv(char *parsestart) +-{ +- int quote_open = 0, escaped = 0, param_len = 0; +- char param_buffer[1024], *curchar; +- +- /* After fighting with strtok enough, here's now +- * a 'real' parser. According to Rusty I'm now no +- * longer a real hacker, but I can live with that */ +- +- for (curchar = parsestart; *curchar; curchar++) { +- if (quote_open) { +- if (escaped) { +- param_buffer[param_len++] = *curchar; +- escaped = 0; +- continue; +- } else if (*curchar == '\\') { +- escaped = 1; +- continue; +- } else if (*curchar == '"') { +- quote_open = 0; +- *curchar = ' '; +- } else { +- param_buffer[param_len++] = *curchar; +- continue; +- } +- } else { +- if (*curchar == '"') { +- quote_open = 1; +- continue; +- } +- } +- +- if (*curchar == ' ' +- || *curchar == '\t' +- || * curchar == '\n') { +- if (!param_len) { +- /* two spaces? */ +- continue; +- } +- +- param_buffer[param_len] = '\0'; +- +- /* check if table name specified */ +- if (!strncmp(param_buffer, "-t", 2) +- || !strncmp(param_buffer, "--table", 8)) { +- xtables_error(PARAMETER_PROBLEM, +- "The -t option (seen in line %u) cannot be " +- "used in iptables-restore.\n", line); +- exit(1); +- } +- +- add_argv(param_buffer); +- param_len = 0; +- } else { +- /* regular character, copy to buffer */ +- param_buffer[param_len++] = *curchar; +- +- if (param_len >= sizeof(param_buffer)) +- xtables_error(PARAMETER_PROBLEM, +- "Parameter too long!"); +- } +- } +-} +- + int + iptables_restore_main(int argc, char *argv[]) + { +@@ -424,9 +334,6 @@ iptables_restore_main(int argc, char *argv[]) + char *bcnt = NULL; + char *parsestart; + +- /* reset the newargv */ +- newargc = 0; +- + if (buffer[0] == '[') { + /* we have counters in our input */ + char *ptr = strchr(buffer, ']'); +@@ -455,17 +362,17 @@ iptables_restore_main(int argc, char *argv[]) + parsestart = buffer; + } + +- add_argv(argv[0]); +- add_argv("-t"); +- add_argv(curtable); ++ add_argv(argv[0], 0); ++ add_argv("-t", 0); ++ add_argv(curtable, 0); + + if (counters && pcnt && bcnt) { +- add_argv("--set-counters"); +- add_argv((char *) pcnt); +- add_argv((char *) bcnt); ++ add_argv("--set-counters", 0); ++ add_argv((char *) pcnt, 0); ++ add_argv((char *) bcnt, 0); + } + +- add_param_to_argv(parsestart); ++ add_param_to_argv(parsestart, line); + + DEBUGP("calling do_command4(%u, argv, &%s, handle):\n", + newargc, curtable); +diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c +index c523a132b2240..49f8ea2826181 100644 +--- a/iptables/iptables-xml.c ++++ b/iptables/iptables-xml.c +@@ -66,16 +66,6 @@ parse_counters(char *string, struct xt_counters *ctr) + return (0 == 2); + } + +-/* global new argv and argc */ +-static char *newargv[255]; +-static unsigned int newargc = 0; +- +-static char *oldargv[255]; +-static unsigned int oldargc = 0; +- +-/* arg meta data, were they quoted, frinstance */ +-static int newargvattr[255]; +- + #define XT_CHAIN_MAXNAMELEN XT_TABLE_MAXNAMELEN + static char closeActionTag[XT_TABLE_MAXNAMELEN + 1]; + static char closeRuleTag[XT_TABLE_MAXNAMELEN + 1]; +@@ -93,56 +83,6 @@ struct chain { + static struct chain chains[maxChains]; + static int nextChain = 0; + +-/* funCtion adding one argument to newargv, updating newargc +- * returns true if argument added, false otherwise */ +-static int +-add_argv(char *what, int quoted) +-{ +- DEBUGP("add_argv: %d %s\n", newargc, what); +- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { +- newargv[newargc] = strdup(what); +- newargvattr[newargc] = quoted; +- newargc++; +- return 1; +- } else +- return 0; +-} +- +-static void +-free_argv(void) +-{ +- unsigned int i; +- +- for (i = 0; i < newargc; i++) { +- free(newargv[i]); +- newargv[i] = NULL; +- } +- newargc = 0; +- +- for (i = 0; i < oldargc; i++) { +- free(oldargv[i]); +- oldargv[i] = NULL; +- } +- oldargc = 0; +-} +- +-/* save parsed rule for comparison with next rule +- to perform action agregation on duplicate conditions */ +-static void +-save_argv(void) +-{ +- unsigned int i; +- +- for (i = 0; i < oldargc; i++) +- free(oldargv[i]); +- oldargc = newargc; +- newargc = 0; +- for (i = 0; i < oldargc; i++) { +- oldargv[i] = newargv[i]; +- newargv[i] = NULL; +- } +-} +- + /* like puts but with xml encoding */ + static void + xmlEncode(char *text) +@@ -736,9 +676,6 @@ iptables_xml_main(int argc, char *argv[]) + int quote_open, quoted; + char param_buffer[1024]; + +- /* reset the newargv */ +- newargc = 0; +- + if (buffer[0] == '[') { + /* we have counters in our input */ + char *ptr = strchr(buffer, ']'); +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 742502154aa55..84dbea562576e 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -406,3 +406,126 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format) + ipv6_addr_to_string(&fw6->ipv6.dst, + &fw6->ipv6.dmsk, format)); + } ++ ++/* global new argv and argc */ ++char *newargv[255]; ++int newargc = 0; ++ ++/* saved newargv and newargc from save_argv() */ ++char *oldargv[255]; ++int oldargc = 0; ++ ++/* arg meta data, were they quoted, frinstance */ ++int newargvattr[255]; ++ ++/* function adding one argument to newargv, updating newargc ++ * returns true if argument added, false otherwise */ ++int add_argv(const char *what, int quoted) ++{ ++ DEBUGP("add_argv: %s\n", what); ++ if (what && newargc + 1 < ARRAY_SIZE(newargv)) { ++ newargv[newargc] = strdup(what); ++ newargvattr[newargc] = quoted; ++ newargv[++newargc] = NULL; ++ return 1; ++ } else { ++ xtables_error(PARAMETER_PROBLEM, ++ "Parser cannot handle more arguments\n"); ++ } ++} ++ ++void free_argv(void) ++{ ++ while (newargc) ++ free(newargv[--newargc]); ++ while (oldargc) ++ free(oldargv[--oldargc]); ++} ++ ++/* Save parsed rule for comparison with next rule to perform action aggregation ++ * on duplicate conditions. ++ */ ++void save_argv(void) ++{ ++ unsigned int i; ++ ++ while (oldargc) ++ free(oldargv[--oldargc]); ++ ++ oldargc = newargc; ++ newargc = 0; ++ for (i = 0; i < oldargc; i++) { ++ oldargv[i] = newargv[i]; ++ } ++} ++ ++void add_param_to_argv(char *parsestart, int line) ++{ ++ int quote_open = 0, escaped = 0, param_len = 0; ++ char param_buffer[1024], *curchar; ++ ++ /* After fighting with strtok enough, here's now ++ * a 'real' parser. According to Rusty I'm now no ++ * longer a real hacker, but I can live with that */ ++ ++ for (curchar = parsestart; *curchar; curchar++) { ++ if (quote_open) { ++ if (escaped) { ++ param_buffer[param_len++] = *curchar; ++ escaped = 0; ++ continue; ++ } else if (*curchar == '\\') { ++ escaped = 1; ++ continue; ++ } else if (*curchar == '"') { ++ quote_open = 0; ++ *curchar = '"'; ++ } else { ++ param_buffer[param_len++] = *curchar; ++ continue; ++ } ++ } else { ++ if (*curchar == '"') { ++ quote_open = 1; ++ continue; ++ } ++ } ++ ++ switch (*curchar) { ++ case '"': ++ break; ++ case ' ': ++ case '\t': ++ case '\n': ++ if (!param_len) { ++ /* two spaces? */ ++ continue; ++ } ++ break; ++ default: ++ /* regular character, copy to buffer */ ++ param_buffer[param_len++] = *curchar; ++ ++ if (param_len >= sizeof(param_buffer)) ++ xtables_error(PARAMETER_PROBLEM, ++ "Parameter too long!"); ++ continue; ++ } ++ ++ param_buffer[param_len] = '\0'; ++ ++ /* check if table name specified */ ++ if ((param_buffer[0] == '-' && ++ param_buffer[1] != '-' && ++ strchr(param_buffer, 't')) || ++ (!strncmp(param_buffer, "--t", 3) && ++ !strncmp(param_buffer, "--table", strlen(param_buffer)))) { ++ xtables_error(PARAMETER_PROBLEM, ++ "The -t option (seen in line %u) cannot be used in %s.\n", ++ line, xt_params->program_name); ++ } ++ ++ add_argv(param_buffer, 0); ++ param_len = 0; ++ } ++} +diff --git a/iptables/xshared.h b/iptables/xshared.h +index bfdb10b2701e5..4f567db9f410b 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -119,6 +119,19 @@ bool xs_has_arg(int argc, char *argv[]); + + extern const struct xtables_afinfo *afinfo; + ++extern char *newargv[]; ++extern int newargc; ++ ++extern char *oldargv[]; ++extern int oldargc; ++ ++extern int newargvattr[]; ++ ++int add_argv(const char *what, int quoted); ++void free_argv(void); ++void save_argv(void); ++void add_param_to_argv(char *parsestart, int line); ++ + void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); + void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); + +-- +2.21.0 + diff --git a/SOURCES/xtables-Introduce-and-use-common-function-to-parse-v.patch b/SOURCES/xtables-Introduce-and-use-common-function-to-parse-v.patch new file mode 100644 index 0000000..8189830 --- /dev/null +++ b/SOURCES/xtables-Introduce-and-use-common-function-to-parse-v.patch @@ -0,0 +1,259 @@ +From cc564f1b24a61d8abcd1163323ba68d373ef3d7c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:30:11 +0200 +Subject: [PATCH] xtables: Introduce and use common function to parse + val[/mask] arguments + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 +Upstream Status: iptables commit 29b1d97764d18 + +commit 29b1d97764d1849651388d870565b3fa815a0bd8 +Author: Serhey Popovych +Date: Thu Mar 1 13:03:11 2018 +0200 + + xtables: Introduce and use common function to parse val[/mask] arguments + + There are a couple of places in both core and extensions where arguments + in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32). + + In some cases symbolic name might be used which is mapped in code to + numeric value. + + Introduce common function to handle both cases where value given is + either val[/mask] or symbolic name. + + Signed-off-by: Serhey Popovych + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libipt_realm.c | 29 ++++++--------------- + extensions/libxt_devgroup.c | 35 ++++--------------------- + include/xtables.h | 11 ++++++++ + libxtables/xtables.c | 52 +++++++++++++++++++++++++++++++++++++ + libxtables/xtoptions.c | 22 +--------------- + 5 files changed, 77 insertions(+), 72 deletions(-) + +diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c +index fffb1218db7a6..0bfbaea0add23 100644 +--- a/extensions/libipt_realm.c ++++ b/extensions/libipt_realm.c +@@ -34,30 +34,17 @@ static struct xtables_lmap *realms; + + static void realm_parse(struct xt_option_call *cb) + { +- struct xt_realm_info *realminfo = cb->data; +- int id; +- char *end; ++ struct xt_realm_info *ri = cb->data; ++ unsigned int id, mask; + + xtables_option_parse(cb); +- realminfo->id = strtoul(cb->arg, &end, 0); +- if (end != cb->arg && (*end == '/' || *end == '\0')) { +- if (*end == '/') +- realminfo->mask = strtoul(end+1, &end, 0); +- else +- realminfo->mask = 0xffffffff; +- if (*end != '\0' || end == cb->arg) +- xtables_error(PARAMETER_PROBLEM, +- "Bad realm value \"%s\"", cb->arg); +- } else { +- id = xtables_lmap_name2id(realms, cb->arg); +- if (id == -1) +- xtables_error(PARAMETER_PROBLEM, +- "Realm \"%s\" not found", cb->arg); +- realminfo->id = id; +- realminfo->mask = 0xffffffff; +- } ++ xtables_parse_val_mask(cb, &id, &mask, realms); ++ ++ ri->id = id; ++ ri->mask = mask; ++ + if (cb->invert) +- realminfo->invert = 1; ++ ri->invert = 1; + } + + static void +diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c +index ebfa2aee80cf2..604828276177b 100644 +--- a/extensions/libxt_devgroup.c ++++ b/extensions/libxt_devgroup.c +@@ -35,49 +35,24 @@ static const char f_devgroups[] = "/etc/iproute2/group"; + /* array of devgroups from f_devgroups[] */ + static struct xtables_lmap *devgroups; + +-static void devgroup_parse_groupspec(const char *arg, unsigned int *group, +- unsigned int *mask) +-{ +- char *end; +- bool ok; +- +- ok = xtables_strtoui(arg, &end, group, 0, UINT32_MAX); +- if (ok && (*end == '/' || *end == '\0')) { +- if (*end == '/') +- ok = xtables_strtoui(end + 1, NULL, mask, +- 0, UINT32_MAX); +- else +- *mask = ~0U; +- if (!ok) +- xtables_error(PARAMETER_PROBLEM, +- "Bad group value \"%s\"", arg); +- } else { +- *group = xtables_lmap_name2id(devgroups, arg); +- if (*group == -1) +- xtables_error(PARAMETER_PROBLEM, +- "Device group \"%s\" not found", arg); +- *mask = ~0U; +- } +-} +- + static void devgroup_parse(struct xt_option_call *cb) + { + struct xt_devgroup_info *info = cb->data; +- unsigned int id, mask; ++ unsigned int group, mask; + + xtables_option_parse(cb); ++ xtables_parse_val_mask(cb, &group, &mask, devgroups); ++ + switch (cb->entry->id) { + case O_SRC_GROUP: +- devgroup_parse_groupspec(cb->arg, &id, &mask); +- info->src_group = id; ++ info->src_group = group; + info->src_mask = mask; + info->flags |= XT_DEVGROUP_MATCH_SRC; + if (cb->invert) + info->flags |= XT_DEVGROUP_INVERT_SRC; + break; + case O_DST_GROUP: +- devgroup_parse_groupspec(cb->arg, &id, &mask); +- info->dst_group = id; ++ info->dst_group = group; + info->dst_mask = mask; + info->flags |= XT_DEVGROUP_MATCH_DST; + if (cb->invert) +diff --git a/include/xtables.h b/include/xtables.h +index 021726708b2ee..47481e693ca25 100644 +--- a/include/xtables.h ++++ b/include/xtables.h +@@ -501,6 +501,17 @@ extern void xtables_save_string(const char *value); + + extern void xtables_print_num(uint64_t number, unsigned int format); + ++extern void xtables_parse_val_mask(struct xt_option_call *cb, ++ unsigned int *val, unsigned int *mask, ++ const struct xtables_lmap *lmap); ++ ++static inline void xtables_parse_mark_mask(struct xt_option_call *cb, ++ unsigned int *mark, ++ unsigned int *mask) ++{ ++ xtables_parse_val_mask(cb, mark, mask, NULL); ++} ++ + #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + # ifdef _INIT + # undef _init +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index 7210d3706bf26..2981f52bc767f 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -1950,6 +1950,58 @@ void xtables_print_num(uint64_t number, unsigned int format) + printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); + } + ++void xtables_parse_val_mask(struct xt_option_call *cb, ++ unsigned int *val, unsigned int *mask, ++ const struct xtables_lmap *lmap) ++{ ++ char *end; ++ ++ *mask = ~0U; ++ ++ if (!xtables_strtoui(cb->arg, &end, val, 0, UINT32_MAX)) { ++ if (lmap) ++ goto name2val; ++ else ++ goto bad_val; ++ } ++ ++ if (*end == '\0') ++ return; ++ ++ if (*end != '/') { ++ if (lmap) ++ goto name2val; ++ else ++ goto garbage; ++ } ++ ++ if (!xtables_strtoui(end + 1, &end, mask, 0, UINT32_MAX)) ++ goto bad_val; ++ ++ if (*end == '\0') ++ return; ++ ++garbage: ++ xt_params->exit_err(PARAMETER_PROBLEM, ++ "%s: trailing garbage after value " ++ "for option \"--%s\".\n", ++ cb->ext_name, cb->entry->name); ++ ++bad_val: ++ xt_params->exit_err(PARAMETER_PROBLEM, ++ "%s: bad integer value for option \"--%s\", " ++ "or out of range.\n", ++ cb->ext_name, cb->entry->name); ++ ++name2val: ++ *val = xtables_lmap_name2id(lmap, cb->arg); ++ if ((int)*val == -1) ++ xt_params->exit_err(PARAMETER_PROBLEM, ++ "%s: could not map name %s to an integer value " ++ "for option \"--%s\".\n", ++ cb->ext_name, cb->arg, cb->entry->name); ++} ++ + int kernel_version; + + void get_kernel_version(void) +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index 1d3fda73dedf7..4bbc03ab0f047 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -432,27 +432,7 @@ static void xtopt_parse_tosmask(struct xt_option_call *cb) + */ + static void xtopt_parse_markmask(struct xt_option_call *cb) + { +- unsigned int mark = 0, mask = ~0U; +- char *end; +- +- if (!xtables_strtoui(cb->arg, &end, &mark, 0, UINT32_MAX)) +- xt_params->exit_err(PARAMETER_PROBLEM, +- "%s: bad mark value for option \"--%s\", " +- "or out of range.\n", +- cb->ext_name, cb->entry->name); +- if (*end == '/' && +- !xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX)) +- xt_params->exit_err(PARAMETER_PROBLEM, +- "%s: bad mask value for option \"--%s\", " +- "or out of range.\n", +- cb->ext_name, cb->entry->name); +- if (*end != '\0') +- xt_params->exit_err(PARAMETER_PROBLEM, +- "%s: trailing garbage after value " +- "for option \"--%s\".\n", +- cb->ext_name, cb->entry->name); +- cb->val.mark = mark; +- cb->val.mask = mask; ++ xtables_parse_mark_mask(cb, &cb->val.mark, &cb->val.mask); + } + + static int xtopt_sysloglvl_compare(const void *a, const void *b) +-- +2.21.0 + diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index 22d331f..1725e69 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec @@ -7,7 +7,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities Version: 1.4.21 -Release: 28%{?dist} +Release: 33%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -39,6 +39,42 @@ Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch Patch22: utils-Add-a-man-page-for-nfnl_osf.patch +Patch23: Mark-fall-through-cases-in-switch-statements.patch +Patch24: libiptc-Simplify-alloc_handle-function-signature.patch +Patch25: libxtables-Fix-potential-array-overrun-in-xtables_op.patch +Patch26: ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch +Patch27: nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch +Patch28: libxt_string-Avoid-potential-array-out-of-bounds-acc.patch +Patch29: libxt_string-Fix-array-out-of-bounds-check.patch +Patch30: libxtables-Don-t-read-garbage-in-xtables_strtoui.patch +Patch31: libxt_time-Drop-initialization-of-variable-year.patch +Patch32: libxt_sctp-fix-array-out-of-range-in-print_chunk.patch +Patch33: libxt_ipvs-Avoid-potential-buffer-overrun.patch +Patch34: libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch +Patch35: Fix-a-few-cases-of-pointless-assignments.patch +Patch36: nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch +Patch37: libxt_conntrack-Avoid-potential-buffer-overrun.patch +Patch38: libxtables-Check-extension-real_name-length.patch +Patch39: libiptc-NULL-terminate-errorname.patch +Patch40: libxtables-Avoid-calling-memcpy-with-NULL-source.patch +Patch41: libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch +Patch42: libxt_recent-Remove-ineffective-checks-for-info-name.patch +Patch43: libxtables-move-some-code-to-avoid-cautions-in-vfork.patch +Patch44: libxtables-Use-posix_spawn-instead-of-vfork.patch +Patch45: libiptc-Avoid-side-effect-in-memset-calls.patch +Patch46: Share-print_ipv-4-6-_addr-from-xtables.patch +Patch47: extensions-REJECT-Check-for-array-overrun.patch +Patch48: list-fix-prefetch-dummy.patch +Patch49: extensions-Add-macro-_DEFAULT_SOURCE.patch +Patch50: Consolidate-DEBUGP-macros.patch +Patch51: xshared-Consolidate-argv-construction-routines.patch +Patch52: extensions-Fix-ipvs-vproto-parsing.patch +Patch53: extensions-Fix-ipvs-vproto-option-printing.patch +Patch54: extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch +Patch55: extensions-Initialize-linear-mapping-of-symbols-in-_.patch +Patch56: xtables-Introduce-and-use-common-function-to-parse-v.patch +Patch57: iptables-xml-fix-segfault-if-missing-space-after-A.patch +Patch58: man-iptables-save-Add-note-about-module-autoloading.patch Group: System Environment/Base URL: http://www.netfilter.org/ @@ -104,29 +140,7 @@ Currently only provides nfnl_osf with the pf.os database. %prep -%setup -q -%patch1 -p1 -b .rhbz_1054871 -%patch2 -p1 -b .libxt_cgroup -%patch3 -p1 -b .wait_seconds -%patch4 -p1 -b .flock_wait -%patch5 -p1 -b .rhbz_1261238 -%patch6 -p1 -b .rhbz_1298879 -%patch7 -p1 -b .wait-interval -%patch8 -p1 -b .do_not_lock_again_and_again -%patch9 -p1 -b .use_the_blocking_file_lock_request -%patch10 -p1 -b .configure_set_lock_file_path -%patch11 -p1 -b .move_XT_LOCK_NAME_to_config.h -%patch12 -p1 -b .remove_duplicated_argument_parsing -%patch13 -p1 -b .restore_support_acquiring_the_lock -%patch14 -p1 -b .do_not_set_changed_for_check_options -%patch15 -p1 -b .restore_version -%patch16 -p1 -b .restore_wait_man -%patch17 -p1 -b .tcpmss_detect_invalid_ranges -%patch18 -p1 -b .exit_unknown_option -%patch19 -p1 -b .require_wait_value -%patch20 -p1 -b .wait_interval_needs_wait -%patch21 -p1 -b .nfnl_osf_synopsis -%patch22 -p1 -b .nfnl_osf_man_page +%autosetup -p1 %build # Since patches above touch configure.ac we must regen configure @@ -290,6 +304,26 @@ done %changelog +* Thu Apr 18 2019 Phil Sutter - 1.4.21-33 +- man: iptables-save: Add note about module autoloading (RHBZ#1691380) + +* Tue Apr 09 2019 Phil Sutter - 1.4.21-32 +- iptables-xml: fix segfault if missing space after -A (RHBZ#1525980) + +* Wed Apr 03 2019 Phil Sutter - 1.4.21-31 +- Fix iptables-restore with empty comment in rule (RHBZ#1668475) +- Fix parsing and printing of -m ipvs --vproto option (RHBZ#1679726) +- Fix for wrong location of devgroup definition file (RHBZ#1657075) +- Fix for non-numeric devgroup name output (RHBZ#1657075) +- Reject negative realm values (RHBZ#1657075) + +* Fri Mar 15 2019 Phil Sutter - 1.4.21-30 +- Drop leftover variable from init script (RHBZ#1520534) + +* Fri Mar 15 2019 Phil Sutter - 1.4.21-29 +- Do not attempt to unload any modules when stopping the firewall (RHBZ#1520534) +- Fix for covscan warnings (RHBZ#1525980) + * Tue Jun 05 2018 Phil Sutter - 1.4.21-28 - Add nfnl_osf.8 man page (RHBZ#1487331)