diff --git a/.arptables.metadata b/.arptables.metadata
new file mode 100644
index 0000000..f685d88
--- /dev/null
+++ b/.arptables.metadata
@@ -0,0 +1 @@
+048b0df613cfb2c1c9f44f166cc32816a4fa43eb SOURCES/arptables-0.0.5.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e32575c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+BUILD
+BUILDROOT
+RPMS
+SRPMS
+
+SOURCES/arptables-0.0.5.tar.gz
diff --git a/SOURCES/0001-build-an-libarptc.a-archive.patch b/SOURCES/0001-build-an-libarptc.a-archive.patch
new file mode 100644
index 0000000..395abec
--- /dev/null
+++ b/SOURCES/0001-build-an-libarptc.a-archive.patch
@@ -0,0 +1,48 @@
+From cf6e4aa648c4555bee35c39a72fa5a9eb3f7ce97 Mon Sep 17 00:00:00 2001
+From: Jonh Wendell
+Date: Sun, 24 Feb 2013 10:53:52 +0100
+Subject: [PATCH] build an libarptc.a archive
+
+this allows programs to statically link against libarptc.
+
+(cherry picked from commit b064d44bd2581444108b1bdf8de1b8752246321f)
+Signed-off-by: Phil Sutter
+---
+ Makefile | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 9a7bea4643de8..38158d9e98ab4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -19,7 +19,7 @@ endif
+ 
+ include extensions/Makefile
+ 
+-all: arptables
++all: arptables libarptc/libarptc.a
+ 
+ arptables.o: arptables.c
+ $(CC) $(CFLAGS) -c -o $@ $<
+@@ -30,6 +30,9 @@ arptables-standalone.o: arptables-standalone.c
+ libarptc/libarptc.o: libarptc/libarptc.c libarptc/libarptc_incl.c
+ $(CC) $(CFLAGS) -c -o $@ $<
+ 
++libarptc/libarptc.a: libarptc/libarptc.o
++ $(AR) rcs $@ $<
++
+ arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
+ 
+@@ -62,7 +65,7 @@ clean:
+ rm -f arptables
+ rm -f *.o *~
+ rm -f extensions/*.o extensions/*~
+- rm -f libarptc/*.o libarptc/*~
++ rm -f libarptc/*.o libarptc/*~ libarptc/*.a
+ rm -f include/*~ include/libarptc/*~
+ 
+ DIR:=arptables-v$(ARPTABLES_VERSION)
+--
+2.21.0
+
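Review bot: The new `libarptc/libarptc.a` is added to `all` and to `clean`, but nothing in this hunk installs the archive or the headers under `include/libarptc`, so the static-link use case named in the subject works only from the build tree. If that is intentional, a one-line comment above the rule (`# not installed; link from the build tree`) would save the next reader the search; otherwise the `install` target, which lies outside this hunk, should gain a rule that copies the archive to `$(DESTDIR)$(LIBDIR)`.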
diff --git a/SOURCES/0002-make-static-analysis-tool-happy-false-positive.patch b/SOURCES/0002-make-static-analysis-tool-happy-false-positive.patch
new file mode 100644
index 0000000..ab52b3d
--- /dev/null
+++ b/SOURCES/0002-make-static-analysis-tool-happy-false-positive.patch
@@ -0,0 +1,32 @@
+From 370a0929ce2e08f508df76392de5617c614103ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jarom=C3=ADr=20Kon=C4=8Dick=C3=BD?=
+Date: Tue, 15 Oct 2013 21:40:20 +0200
+Subject: [PATCH] make static analysis tool happy (false positive)
+
+(cherry picked from commit ee4ec133bc5616f3d2b9efd468dfc1d42ca1c17d)
+Signed-off-by: Phil Sutter
+---
+ arptables.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arptables.c b/arptables.c
+index 5535ab23780d5..8ef445a4700c4 100644
+--- a/arptables.c
++++ b/arptables.c
+@@ -1668,10 +1668,12 @@ static char *get_modprobe(void)
+ 
+ ret = malloc(1024);
+ if (ret) {
+- switch (read(procfile, ret, 1024)) {
++ int read_bytes = read(procfile, ret, 1024);
++ switch (read_bytes) {
+ case -1: goto fail;
+ case 1024: goto fail; /* Partial read. Wierd */
+ }
++ ret[read_bytes] = '\0';
+ if (ret[strlen(ret)-1]=='\n')
+ ret[strlen(ret)-1]=0;
+ close(procfile);
+--
+2.21.0
+
diff --git a/SOURCES/0003-fix-potential-buffer-overflows-reported-by-static-an.patch b/SOURCES/0003-fix-potential-buffer-overflows-reported-by-static-an.patch
new file mode 100644
index 0000000..8170ad3
--- /dev/null
+++ b/SOURCES/0003-fix-potential-buffer-overflows-reported-by-static-an.patch
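Review bot: A zero-byte read still walks off the buffer two lines below the new terminator: `read_bytes == 0` is caught by neither `case -1` nor `case 1024`, so `ret[0]` becomes `'\0'` and `ret[strlen(ret)-1]` then indexes with `(size_t)-1`. Add `case 0: goto fail;` next to the existing cases, or replace the two `strlen` lines with `if (read_bytes > 0 && ret[read_bytes-1] == '\n') ret[read_bytes-1] = '\0';`, which uses the length already in hand. `read_bytes` is declared `int` while `read()` returns `ssize_t`; harmless for a 1024-byte request but worth matching. get_modprobe starts before and continues after this hunk, so whether `fail:` frees `ret` and closes `procfile` cannot be confirmed from here.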
@@ -0,0 +1,97 @@
+From 103040a94970a52dde285a24f0fbb5193ea74d84 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jarom=C3=ADr=20Kon=C4=8Dick=C3=BD?=
+Date: Tue, 15 Oct 2013 21:55:52 +0200
+Subject: [PATCH] fix potential buffer overflows reported by static analysis
+
+(cherry picked from commit 8f586939999e039563fee6bca4685895067a2b77)
+Signed-off-by: Phil Sutter
+---
+ arptables.c | 9 +++++----
+ libarptc/libarptc_incl.c | 16 ++++++++++------
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/arptables.c b/arptables.c
+index 8ef445a4700c4..4da6fea980bb9 100644
+--- a/arptables.c
++++ b/arptables.c
+@@ -1270,7 +1270,7 @@ print_firewall(const struct arpt_entry *fw,
+ sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
+ else
+ sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
+- strcat(buf, mask_to_dotted(&(fw->arp.smsk)));
++ strncat(buf, mask_to_dotted(&(fw->arp.smsk)), sizeof(buf) - strlen(buf) -1);
+ printf("-s %s ", buf);
+ }
+ 
+@@ -1294,7 +1294,7 @@ after_devsrc:
+ sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
+ else
+ sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
+- strcat(buf, mask_to_dotted(&(fw->arp.tmsk)));
++ strncat(buf, mask_to_dotted(&(fw->arp.tmsk)), sizeof(buf) - strlen(buf) -1);
+ printf("-d %s ", buf);
+ }
+ 
+@@ -1796,7 +1796,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle)
+ *table, arptc_strerror(errno));
+ }
+ }
+- }
++ }
+ 
+ memset(&fw, 0, sizeof(fw));
+ opts = original_opts;
+@@ -2064,7 +2064,8 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle)
+ 
+ target->t = fw_calloc(1, size);
+ target->t->u.target_size = size;
+- strcpy(target->t->u.user.name, jumpto);
++ strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));
++ target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0';
+ /*
+ target->init(target->t, &fw.nfcache);
+ */
+diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c
+index 2fa3d43576933..9c1aeac7ca3de 100644
+--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -209,8 +209,10 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) + h->counter_map = (void *)h + + sizeof(STRUCT_TC_HANDLE) + + size; +- strcpy(h->info.name, tablename); +- strcpy(h->entries.name, tablename); ++ strncpy(h->info.name, tablename, sizeof(h->info.name)); ++ h->info.name[sizeof(h->info.name)-1] = '\0'; ++ strncpy(h->entries.name, tablename, sizeof(h->entries.name)); ++ h->entries.name[sizeof(h->entries.name)-1] = '\0'; + + return h; + } +@@ -357,8 +359,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev) + h->cache_chain_heads[h->cache_num_chains-1].end + = *prev; + +- strcpy(h->cache_chain_heads[h->cache_num_chains].name, +- (const char *)GET_TARGET(e)->data); ++ strncpy(h->cache_chain_heads[h->cache_num_chains].name, ++ (const char *)GET_TARGET(e)->data, TABLE_MAXNAMELEN-1); ++ h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0'; + h->cache_chain_heads[h->cache_num_chains].start + = (void *)e + e->next_offset; + h->cache_num_chains++; +@@ -368,8 +371,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev) + h->cache_chain_heads[h->cache_num_chains-1].end + = *prev; + +- strcpy(h->cache_chain_heads[h->cache_num_chains].name, +- h->hooknames[builtin-1]); ++ strncpy(h->cache_chain_heads[h->cache_num_chains].name, ++ h->hooknames[builtin-1], TABLE_MAXNAMELEN-1); ++ h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0'; + h->cache_chain_heads[h->cache_num_chains].start + = (void *)e; + h->cache_num_chains++; +-- +2.21.0 + diff --git a/SOURCES/0004-add-GPL-text.patch b/SOURCES/0004-add-GPL-text.patch new file mode 100644 index 0000000..32b8ee6 --- /dev/null +++ b/SOURCES/0004-add-GPL-text.patch 
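Review bot: The `strncat` bound `sizeof(buf) - strlen(buf) -1` in print_firewall (hunks at 1270 and 1294) is only right if `buf` is a fixed-size array, and its declaration lies outside the hunk; more importantly the `sprintf(buf, "%s", addr_to_anyname(...))` on the line just above stays unbounded, so an over-long resolved name can still overrun the same buffer before the bounded append runs, and `snprintf(buf, sizeof(buf), "%s", addr_to_anyname(&(fw->arp.src)));` on both branches would close that. The `strncpy` plus manual terminator pattern in do_command (2064) and in alloc_handle/add_chain in libarptc_incl.c silently shortens an over-long target or table name into a different name rather than rejecting it; if those names are later compared exactly, which cannot be seen here, a truncated name can alias another chain, so a length check such as `if (strlen(jumpto) >= sizeof(target->t->u.user.name)) exit_error(...)` before the copy is the safer shape. The hunk at 1796 is a whitespace-only change unrelated to the subject and would be cleaner as its own commit.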
@@ -0,0 +1,363 @@ +From 9bb376f78425859a3740b58e28976fb31289eca0 Mon Sep 17 00:00:00 2001 +From: Bart De Schuymer +Date: Tue, 15 Oct 2013 21:57:50 +0200 +Subject: [PATCH] add GPL text + +(cherry picked from commit c492c168b2ce99c68c85d4d55a2e842b4995b79d) +Signed-off-by: Phil Sutter +--- + COPYING | 342 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 342 insertions(+) + create mode 100644 COPYING + +diff --git a/COPYING b/COPYING +new file mode 100644 +index 0000000000000..514754e7c28a3 +--- /dev/null ++++ b/COPYING +@@ -0,0 +1,342 @@ ++All code in this package, including the code from the extensions, ++is released under the GPL license, which you find hereafter. ++ ++ GNU GENERAL PUBLIC LICENSE ++ Version 2, June 1991 ++ ++ Copyright (C) 1989, 1991 Free Software Foundation, Inc. ++ 675 Mass Ave, Cambridge, MA 02139, USA ++ Everyone is permitted to copy and distribute verbatim copies ++ of this license document, but changing it is not allowed. ++ ++ Preamble ++ ++ The licenses for most software are designed to take away your ++freedom to share and change it. By contrast, the GNU General Public ++License is intended to guarantee your freedom to share and change free ++software--to make sure the software is free for all its users. This ++General Public License applies to most of the Free Software ++Foundation's software and to any other program whose authors commit to ++using it. (Some other Free Software Foundation software is covered by ++the GNU Library General Public License instead.) You can apply it to ++your programs, too. ++ ++ When we speak of free software, we are referring to freedom, not ++price. 
Our General Public Licenses are designed to make sure that you ++have the freedom to distribute copies of free software (and charge for ++this service if you wish), that you receive source code or can get it ++if you want it, that you can change the software or use pieces of it ++in new free programs; and that you know you can do these things. ++ ++ To protect your rights, we need to make restrictions that forbid ++anyone to deny you these rights or to ask you to surrender the rights. ++These restrictions translate to certain responsibilities for you if you ++distribute copies of the software, or if you modify it. ++ ++ For example, if you distribute copies of such a program, whether ++gratis or for a fee, you must give the recipients all the rights that ++you have. You must make sure that they, too, receive or can get the ++source code. And you must show them these terms so they know their ++rights. ++ ++ We protect your rights with two steps: (1) copyright the software, and ++(2) offer you this license which gives you legal permission to copy, ++distribute and/or modify the software. ++ ++ Also, for each author's protection and ours, we want to make certain ++that everyone understands that there is no warranty for this free ++software. If the software is modified by someone else and passed on, we ++want its recipients to know that what they have is not the original, so ++that any problems introduced by others will not reflect on the original ++authors' reputations. ++ ++ Finally, any free program is threatened constantly by software ++patents. We wish to avoid the danger that redistributors of a free ++program will individually obtain patent licenses, in effect making the ++program proprietary. To prevent this, we have made it clear that any ++patent must be licensed for everyone's free use or not licensed at all. ++ ++ The precise terms and conditions for copying, distribution and ++modification follow. 
++ ++ GNU GENERAL PUBLIC LICENSE ++ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION ++ ++ 0. This License applies to any program or other work which contains ++a notice placed by the copyright holder saying it may be distributed ++under the terms of this General Public License. The "Program", below, ++refers to any such program or work, and a "work based on the Program" ++means either the Program or any derivative work under copyright law: ++that is to say, a work containing the Program or a portion of it, ++either verbatim or with modifications and/or translated into another ++language. (Hereinafter, translation is included without limitation in ++the term "modification".) Each licensee is addressed as "you". ++ ++Activities other than copying, distribution and modification are not ++covered by this License; they are outside its scope. The act of ++running the Program is not restricted, and the output from the Program ++is covered only if its contents constitute a work based on the ++Program (independent of having been made by running the Program). ++Whether that is true depends on what the Program does. ++ ++ 1. You may copy and distribute verbatim copies of the Program's ++source code as you receive it, in any medium, provided that you ++conspicuously and appropriately publish on each copy an appropriate ++copyright notice and disclaimer of warranty; keep intact all the ++notices that refer to this License and to the absence of any warranty; ++and give any other recipients of the Program a copy of this License ++along with the Program. ++ ++You may charge a fee for the physical act of transferring a copy, and ++you may at your option offer warranty protection in exchange for a fee. ++ ++ 2. 
You may modify your copy or copies of the Program or any portion ++of it, thus forming a work based on the Program, and copy and ++distribute such modifications or work under the terms of Section 1 ++above, provided that you also meet all of these conditions: ++ ++ a) You must cause the modified files to carry prominent notices ++ stating that you changed the files and the date of any change. ++ ++ b) You must cause any work that you distribute or publish, that in ++ whole or in part contains or is derived from the Program or any ++ part thereof, to be licensed as a whole at no charge to all third ++ parties under the terms of this License. ++ ++ c) If the modified program normally reads commands interactively ++ when run, you must cause it, when started running for such ++ interactive use in the most ordinary way, to print or display an ++ announcement including an appropriate copyright notice and a ++ notice that there is no warranty (or else, saying that you provide ++ a warranty) and that users may redistribute the program under ++ these conditions, and telling the user how to view a copy of this ++ License. (Exception: if the Program itself is interactive but ++ does not normally print such an announcement, your work based on ++ the Program is not required to print an announcement.) ++ ++These requirements apply to the modified work as a whole. If ++identifiable sections of that work are not derived from the Program, ++and can be reasonably considered independent and separate works in ++themselves, then this License, and its terms, do not apply to those ++sections when you distribute them as separate works. But when you ++distribute the same sections as part of a whole which is a work based ++on the Program, the distribution of the whole must be on the terms of ++this License, whose permissions for other licensees extend to the ++entire whole, and thus to each and every part regardless of who wrote it. 
++ ++Thus, it is not the intent of this section to claim rights or contest ++your rights to work written entirely by you; rather, the intent is to ++exercise the right to control the distribution of derivative or ++collective works based on the Program. ++ ++In addition, mere aggregation of another work not based on the Program ++with the Program (or with a work based on the Program) on a volume of ++a storage or distribution medium does not bring the other work under ++the scope of this License. ++ ++ 3. You may copy and distribute the Program (or a work based on it, ++under Section 2) in object code or executable form under the terms of ++Sections 1 and 2 above provided that you also do one of the following: ++ ++ a) Accompany it with the complete corresponding machine-readable ++ source code, which must be distributed under the terms of Sections ++ 1 and 2 above on a medium customarily used for software interchange; or, ++ ++ b) Accompany it with a written offer, valid for at least three ++ years, to give any third party, for a charge no more than your ++ cost of physically performing source distribution, a complete ++ machine-readable copy of the corresponding source code, to be ++ distributed under the terms of Sections 1 and 2 above on a medium ++ customarily used for software interchange; or, ++ ++ c) Accompany it with the information you received as to the offer ++ to distribute corresponding source code. (This alternative is ++ allowed only for noncommercial distribution and only if you ++ received the program in object code or executable form with such ++ an offer, in accord with Subsection b above.) ++ ++The source code for a work means the preferred form of the work for ++making modifications to it. For an executable work, complete source ++code means all the source code for all modules it contains, plus any ++associated interface definition files, plus the scripts used to ++control compilation and installation of the executable. 
However, as a ++special exception, the source code distributed need not include ++anything that is normally distributed (in either source or binary ++form) with the major components (compiler, kernel, and so on) of the ++operating system on which the executable runs, unless that component ++itself accompanies the executable. ++ ++If distribution of executable or object code is made by offering ++access to copy from a designated place, then offering equivalent ++access to copy the source code from the same place counts as ++distribution of the source code, even though third parties are not ++compelled to copy the source along with the object code. ++ ++ 4. You may not copy, modify, sublicense, or distribute the Program ++except as expressly provided under this License. Any attempt ++otherwise to copy, modify, sublicense or distribute the Program is ++void, and will automatically terminate your rights under this License. ++However, parties who have received copies, or rights, from you under ++this License will not have their licenses terminated so long as such ++parties remain in full compliance. ++ ++ 5. You are not required to accept this License, since you have not ++signed it. However, nothing else grants you permission to modify or ++distribute the Program or its derivative works. These actions are ++prohibited by law if you do not accept this License. Therefore, by ++modifying or distributing the Program (or any work based on the ++Program), you indicate your acceptance of this License to do so, and ++all its terms and conditions for copying, distributing or modifying ++the Program or works based on it. ++ ++ 6. Each time you redistribute the Program (or any work based on the ++Program), the recipient automatically receives a license from the ++original licensor to copy, distribute or modify the Program subject to ++these terms and conditions. You may not impose any further ++restrictions on the recipients' exercise of the rights granted herein. 
++You are not responsible for enforcing compliance by third parties to ++this License. ++ ++ 7. If, as a consequence of a court judgment or allegation of patent ++infringement or for any other reason (not limited to patent issues), ++conditions are imposed on you (whether by court order, agreement or ++otherwise) that contradict the conditions of this License, they do not ++excuse you from the conditions of this License. If you cannot ++distribute so as to satisfy simultaneously your obligations under this ++License and any other pertinent obligations, then as a consequence you ++may not distribute the Program at all. For example, if a patent ++license would not permit royalty-free redistribution of the Program by ++all those who receive copies directly or indirectly through you, then ++the only way you could satisfy both it and this License would be to ++refrain entirely from distribution of the Program. ++ ++If any portion of this section is held invalid or unenforceable under ++any particular circumstance, the balance of the section is intended to ++apply and the section as a whole is intended to apply in other ++circumstances. ++ ++It is not the purpose of this section to induce you to infringe any ++patents or other property right claims or to contest validity of any ++such claims; this section has the sole purpose of protecting the ++integrity of the free software distribution system, which is ++implemented by public license practices. Many people have made ++generous contributions to the wide range of software distributed ++through that system in reliance on consistent application of that ++system; it is up to the author/donor to decide if he or she is willing ++to distribute software through any other system and a licensee cannot ++impose that choice. ++ ++This section is intended to make thoroughly clear what is believed to ++be a consequence of the rest of this License. ++ ++ 8. 
If the distribution and/or use of the Program is restricted in ++certain countries either by patents or by copyrighted interfaces, the ++original copyright holder who places the Program under this License ++may add an explicit geographical distribution limitation excluding ++those countries, so that distribution is permitted only in or among ++countries not thus excluded. In such case, this License incorporates ++the limitation as if written in the body of this License. ++ ++ 9. The Free Software Foundation may publish revised and/or new versions ++of the General Public License from time to time. Such new versions will ++be similar in spirit to the present version, but may differ in detail to ++address new problems or concerns. ++ ++Each version is given a distinguishing version number. If the Program ++specifies a version number of this License which applies to it and "any ++later version", you have the option of following the terms and conditions ++either of that version or of any later version published by the Free ++Software Foundation. If the Program does not specify a version number of ++this License, you may choose any version ever published by the Free Software ++Foundation. ++ ++ 10. If you wish to incorporate parts of the Program into other free ++programs whose distribution conditions are different, write to the author ++to ask for permission. For software which is copyrighted by the Free ++Software Foundation, write to the Free Software Foundation; we sometimes ++make exceptions for this. Our decision will be guided by the two goals ++of preserving the free status of all derivatives of our free software and ++of promoting the sharing and reuse of software generally. ++ ++ NO WARRANTY ++ ++ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY ++FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN ++OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES ++PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED ++OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF ++MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS ++TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE ++PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, ++REPAIR OR CORRECTION. ++ ++ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING ++WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR ++REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, ++INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING ++OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED ++TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY ++YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER ++PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE ++POSSIBILITY OF SUCH DAMAGES. ++ ++ END OF TERMS AND CONDITIONS ++ ++ Appendix: How to Apply These Terms to Your New Programs ++ ++ If you develop a new program, and you want it to be of the greatest ++possible use to the public, the best way to achieve this is to make it ++free software which everyone can redistribute and change under these terms. ++ ++ To do so, attach the following notices to the program. It is safest ++to attach them to the start of each source file to most effectively ++convey the exclusion of warranty; and each file should have at least ++the "copyright" line and a pointer to where the full notice is found. 
++ ++ ++ Copyright (C) 19yy ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ ++Also add information on how to contact you by electronic and paper mail. ++ ++If the program is interactive, make it output a short notice like this ++when it starts in an interactive mode: ++ ++ Gnomovision version 69, Copyright (C) 19yy name of author ++ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. ++ This is free software, and you are welcome to redistribute it ++ under certain conditions; type `show c' for details. ++ ++The hypothetical commands `show w' and `show c' should show the appropriate ++parts of the General Public License. Of course, the commands you use may ++be called something other than `show w' and `show c'; they could even be ++mouse-clicks or menu items--whatever suits your program. ++ ++You should also get your employer (if you work as a programmer) or your ++school, if any, to sign a "copyright disclaimer" for the program, if ++necessary. Here is a sample; alter the names: ++ ++ Yoyodyne, Inc., hereby disclaims all copyright interest in the program ++ `Gnomovision' (which makes passes at compilers) written by James Hacker. ++ ++ , 1 April 1989 ++ Ty Coon, President of Vice ++ ++This General Public License does not permit incorporating your program into ++proprietary programs. 
If your program is a subroutine library, you may ++consider it more useful to permit linking proprietary applications with the ++library. If this is what you want to do, use the GNU Library General ++Public License instead of this License. +-- +2.21.0 + diff --git a/SOURCES/0005-Add-man-pages-for-arptables-save-restore.patch b/SOURCES/0005-Add-man-pages-for-arptables-save-restore.patch new file mode 100644 index 0000000..e15b15a --- /dev/null +++ b/SOURCES/0005-Add-man-pages-for-arptables-save-restore.patch 
@@ -0,0 +1,107 @@ +From 4c4c2e4080114126a38cd856f6aad011ebe08b49 Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Mon, 18 Nov 2013 21:42:52 +0100 +Subject: [PATCH] Add man pages for arptables-{save,restore} + +(cherry picked from commit f79b957fadfb22396d527743ecc154f1e30277dd) +Signed-off-by: Phil Sutter +--- + arptables-restore.8 | 41 +++++++++++++++++++++++++++++++++++++++++ + arptables-save.8 | 37 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 78 insertions(+) + create mode 100644 arptables-restore.8 + create mode 100644 arptables-save.8 + +diff --git a/arptables-restore.8 b/arptables-restore.8 +new file mode 100644 +index 0000000000000..4f2f623673415 +--- /dev/null ++++ b/arptables-restore.8 +@@ -0,0 +1,41 @@ ++.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" "" ++.\" ++.\" Man page written by Jesper Dangaard Brouer based on a ++.\" Man page written by Harald Welte ++.\" It is based on the iptables-restore man page. ++.\" ++.\" This program is free software; you can redistribute it and/or modify ++.\" it under the terms of the GNU General Public License as published by ++.\" the Free Software Foundation; either version 2 of the License, or ++.\" (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++.\" ++.\" ++.SH NAME ++arptables-restore \(em Restore ARP Tables ++.SH SYNOPSIS ++\fBarptables\-restore ++.SH DESCRIPTION ++.PP ++.B arptables-restore ++is used to restore ARP Tables from data specified on STDIN or ++via a file as first argument. 
++Use I/O redirection provided by your shell to read from a file ++.TP ++.B arptables-restore ++flushes (deletes) all previous contents of the respective ARP Table. ++.SH BUGS ++None known as of arptables-0.0.4 release ++.SH AUTHOR ++Jesper Dangaard Brouer ++.SH SEE ALSO ++\fBarptables\-save\fP(8), \fBarptables\fP(8) ++.PP +diff --git a/arptables-save.8 b/arptables-save.8 +new file mode 100644 +index 0000000000000..34791a9c087f0 +--- /dev/null ++++ b/arptables-save.8 +@@ -0,0 +1,37 @@ ++.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" "" ++.\" ++.\" Man page written by Jesper Dangaard Brouer based on a ++.\" Man page written by Harald Welte ++.\" It is based on the iptables-save man page. ++.\" ++.\" This program is free software; you can redistribute it and/or modify ++.\" it under the terms of the GNU General Public License as published by ++.\" the Free Software Foundation; either version 2 of the License, or ++.\" (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++.\" ++.\" ++.SH NAME ++arptables-save \(em dump arptables rules to stdout ++.SH SYNOPSIS ++\fBarptables\-save ++.SH DESCRIPTION ++.PP ++.B arptables-save ++is used to dump the contents of an ARP Table in easily parseable format ++to STDOUT. Use I/O-redirection provided by your shell to write to a file. ++.SH BUGS ++None known as of arptables-0.0.4 release ++.SH AUTHOR ++Jesper Dangaard Brouer ++.SH SEE ALSO ++\fBarptables\-restore\fP(8), \fBarptables\fP(8) ++.PP +-- +2.21.0 + 
diff --git a/SOURCES/0006-arptables-install-man-pages.patch b/SOURCES/0006-arptables-install-man-pages.patch
new file mode 100644
index 0000000..10fc68d
--- /dev/null
+++ b/SOURCES/0006-arptables-install-man-pages.patch
@@ -0,0 +1,58 @@ +From feaadda185a25290f98e5c09b859b2000818cf87 Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Sun, 2 Mar 2014 22:08:02 +0100 +Subject: [PATCH] arptables: install man pages + +(cherry picked from commit 36daba3cd378cabf915fa6ef882ad3dc7add4282) +Signed-off-by: Phil Sutter +--- + Makefile | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/Makefile b/Makefile +index 38158d9e98ab4..7bead0d9134f3 100644 +--- a/Makefile ++++ b/Makefile +@@ -6,10 +6,13 @@ PREFIX:=/usr/local + LIBDIR:=$(PREFIX)/lib + BINDIR:=$(PREFIX)/sbin + MANDIR:=$(PREFIX)/man ++man8dir=$(MANDIR)/man8 + INITDIR:=/etc/rc.d/init.d + SYSCONFIGDIR:=/etc/sysconfig + DESTDIR:= + ++MANS = arptables.8 arptables-save.8 arptables-restore.8 ++ + COPT_FLAGS:=-O2 + CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include/ -Iinclude/ -DARPTABLES_VERSION=\"$(ARPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DARPTC_DEBUG + +@@ -36,10 +39,6 @@ libarptc/libarptc.a: libarptc/libarptc.o + arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ + +-$(DESTDIR)$(MANDIR)/man8/arptables.8: arptables.8 +- mkdir -p $(@D) +- install -m 0644 $< $@ +- + $(DESTDIR)$(BINDIR)/arptables: arptables + mkdir -p $(DESTDIR)$(BINDIR) + install -m 0755 $< $@ +@@ -57,8 +56,13 @@ scripts: arptables-save arptables-restore arptables.sysv + if test -d $(DESTDIR)$(INITDIR); then install -m 0755 arptables.sysv_ $(DESTDIR)$(INITDIR)/arptables; fi + rm -f arptables-save_ arptables-restore_ arptables.sysv_ + ++.PHONY: install-man ++install-man: $(MANS) ++ [ -d "$(DESTDIR)$(man8dir)" ] || mkdir -p "$(DESTDIR)$(man8dir)" ++ install -m 0644 $^ $(DESTDIR)$(man8dir)/ ++ + .PHONY: install +-install: $(DESTDIR)$(MANDIR)/man8/arptables.8 $(DESTDIR)$(BINDIR)/arptables scripts ++install: install-man $(DESTDIR)$(BINDIR)/arptables scripts + + .PHONY: clean + clean: +-- +2.21.0 + 
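Review bot: The new `install-man` recipe quotes the directory in the mkdir test but not in the install line, so a DESTDIR or PREFIX containing whitespace would be split only on the second line: `install -m 0644 $^ "$(DESTDIR)$(man8dir)/"`. In the same spirit, `man8dir=$(MANDIR)/man8` uses recursive assignment while every neighbouring directory variable uses `:=`; `man8dir:=$(MANDIR)/man8` keeps the block consistent. Note that because `install-man` is phony the man pages are now re-copied on every `make install` rather than only when newer than the installed copy, which is fine but worth stating in the commit message.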
diff --git a/SOURCES/0007-arptables-add-missing-long-option-set-counters-and-u.patch b/SOURCES/0007-arptables-add-missing-long-option-set-counters-and-u.patch
new file mode 100644
index 0000000..13ed8fa
--- /dev/null
+++ b/SOURCES/0007-arptables-add-missing-long-option-set-counters-and-u.patch
@@ -0,0 +1,56 @@ +From 81f722a8a632ab2e0a50861d8505d460447bf5d7 Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Sun, 2 Mar 2014 22:08:30 +0100 +Subject: [PATCH] arptables: add missing long option --set-counters and update + documentation + +(cherry picked from commit 9fcaf703f93658ec0ae2ae1013b191a76835b94a) +Signed-off-by: Phil Sutter +--- + arptables.8 | 8 ++++++++ + arptables.c | 3 ++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/arptables.8 b/arptables.8 +index 0b6b62e1a7efd..78b2c60978c40 100644 +--- a/arptables.8 ++++ b/arptables.8 +@@ -215,6 +215,14 @@ The target of the rule. This is one of the following values: + a target extension (see + .BR "TARGET EXTENSIONS" ")" + or a user-defined chain name. ++.TP ++.BI "-c, --set-counters " "PKTS BYTES" ++This enables the administrator to initialize the packet and byte ++counters of a rule (during ++.B INSERT, ++.B APPEND, ++.B REPLACE ++operations). + + .SS RULE-SPECIFICATIONS + The following command line arguments make up a rule specification (as used +diff --git a/arptables.c b/arptables.c +index 4da6fea980bb9..3fb8ed5c40e73 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -152,6 +152,7 @@ static struct option original_opts[] = { + { "help", 2, 0, 'h' }, + { "line-numbers", 0, 0, '0' }, + { "modprobe", 1, 0, 'M' }, ++ { "set-counters", 1, 0, 'c' }, + { 0 } + }; + +@@ -529,7 +530,7 @@ exit_printhelp(void) + " --line-numbers print line numbers when listing\n" + " --exact -x expand numbers (display exact values)\n" + " --modprobe= try to insert modules using this command\n" +-" --set-counters PKTS BYTES set the counter during insert/append\n" ++" --set-counters -c PKTS BYTES set the counter during insert/append\n" + "[!] --version -V print package version.\n"); + printf(" opcode strings: \n"); + for (i = 0; i < NUMOPCODES; i++) +-- +2.21.0 + 
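Review bot: The added `{ "set-counters", 1, 0, 'c' }` entry tells getopt_long the option takes one argument, yet the usage line and man page in this same patch document two (`PKTS BYTES`); presumably the `'c'` case pulls the byte counter out of the following argv element itself, but that case is outside the hunk and nothing on the new line says so. A trailing comment would spare the next reader the detour: `{ "set-counters", 1, 0, 'c' }, /* PKTS via optarg; BYTES taken from argv[optind] in the 'c' case */`. The man page also states the counters apply to INSERT, APPEND and REPLACE while the usage string still says only `insert/append`; whichever matches the code should be used in both places. `original_opts` and `exit_printhelp` both continue outside the hunk.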
diff --git a/SOURCES/0008-arptables-fix-potential-buffer-overflow-author-dcb.patch b/SOURCES/0008-arptables-fix-potential-buffer-overflow-author-dcb.patch new file mode 100644 index 0000000..855952f --- /dev/null +++ b/SOURCES/0008-arptables-fix-potential-buffer-overflow-author-dcb.patch @@ -0,0 +1,26 @@ +From 2aa3fc519050787aa05395b3821fbc4ddfe41ac5 Mon Sep 17 00:00:00 2001 +From: Bart De Schuymer +Date: Tue, 6 May 2014 21:07:13 +0200 +Subject: [PATCH] arptables: fix potential buffer overflow (author: dcb) + +(cherry picked from commit c29948407c6e1960b9ca0ff3f1479773c95d25c9) +Signed-off-by: Phil Sutter +--- + arptables.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arptables.c b/arptables.c +index 3fb8ed5c40e73..64ac3aa226a2c 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -763,6 +763,7 @@ parse_hostnetworkmask(const char *name, struct in_addr **addrpp, + int i, j, k, n; + + strncpy(buf, name, sizeof(buf) - 1); ++ buf[sizeof(buf) - 1] = '\0'; + if ((p = strrchr(buf, '/')) != NULL) { + *p = '\0'; + addrp = parse_mask(p + 1); +-- +2.21.0 + diff --git a/SOURCES/0009-arptables-remove-dead-dynamic-hooks-code.patch b/SOURCES/0009-arptables-remove-dead-dynamic-hooks-code.patch new file mode 100644 index 0000000..b6f9a0a --- /dev/null +++ b/SOURCES/0009-arptables-remove-dead-dynamic-hooks-code.patch 
@@ -0,0 +1,59 @@ +From 27791d35cf3fd7e7ca1389804b6e1820fa70bc0f Mon Sep 17 00:00:00 2001 +From: Gustavo Zacarias +Date: Tue, 11 Nov 2014 10:20:22 -0300 +Subject: [PATCH] arptables: remove dead dynamic hooks code + +The code is unused and #if'ed away, it also breaks pure-static +builds because of the dlfcn.h include. + +Signed-off-by: Gustavo Zacarias +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 4b7d6b0cac33d41cb3c74694ada06e19aa7e920e) +Signed-off-by: Phil Sutter +--- + arptables.c | 1 - + libarptc/libarptc_incl.c | 15 --------------- + 2 files changed, 16 deletions(-) + +diff --git a/arptables.c b/arptables.c +index 64ac3aa226a2c..845e226a98a30 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -35,7 +35,6 @@ + #include + #include + #include +-#include + #include + #include + #include +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index 9c1aeac7ca3de..1d2e8b7b7ac01 100644 +--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -257,22 +257,7 @@ TC_INIT(const char *tablename) + == NULL) + return NULL; + +-/* Too hard --RR */ +-#if 0 +- sprintf(pathname, "%s/%s", ARPT_LIB_DIR, info.name); +- dynlib = dlopen(pathname, RTLD_NOW); +- if (!dynlib) { +- errno = ENOENT; +- return NULL; +- } +- h->hooknames = dlsym(dynlib, "hooknames"); +- if (!h->hooknames) { +- errno = ENOENT; +- return NULL; +- } +-#else + h->hooknames = hooknames; +-#endif + + /* Initialize current state */ + h->info = info; +-- +2.21.0 + diff --git a/SOURCES/0010-src-cache-in-tree-and-use-x_tables.h.patch b/SOURCES/0010-src-cache-in-tree-and-use-x_tables.h.patch new file mode 100644 index 0000000..1a1e7bb --- /dev/null +++ b/SOURCES/0010-src-cache-in-tree-and-use-x_tables.h.patch 
@@ -0,0 +1,603 @@ +From f4f26b8d839a8fcd0ae43d2944436e1dbafdfda6 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 1 Apr 2015 12:16:30 +0200 +Subject: [PATCH] src: cache in tree and use x_tables.h + +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 5700dbf07266c1ab888dceee75a040eb7af40950) +Signed-off-by: Phil Sutter +--- + include/libarptc/libarptc.h | 1 + + include/linux/netfilter/x_tables.h | 185 +++++++++++++++++++ + include/linux/netfilter_arp/arp_tables.h | 222 +++++------------------ + libarptc/libarptc_incl.c | 17 +- + 4 files changed, 233 insertions(+), 192 deletions(-) + create mode 100644 include/linux/netfilter/x_tables.h + +diff --git a/include/libarptc/libarptc.h b/include/libarptc/libarptc.h +index e4f11752a201d..ff4606fb9ae16 100644 +--- a/include/libarptc/libarptc.h ++++ b/include/libarptc/libarptc.h +@@ -3,6 +3,7 @@ + /* Library which manipulates filtering rules. */ + + #include ++#include + #include + + #ifndef ARPT_MIN_ALIGN +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +new file mode 100644 +index 0000000000000..4120970072771 +--- /dev/null ++++ b/include/linux/netfilter/x_tables.h +@@ -0,0 +1,185 @@ ++#ifndef _X_TABLES_H ++#define _X_TABLES_H ++#include ++#include ++ ++#define XT_FUNCTION_MAXNAMELEN 30 ++#define XT_EXTENSION_MAXNAMELEN 29 ++#define XT_TABLE_MAXNAMELEN 32 ++ ++struct xt_entry_match { ++ union { ++ struct { ++ __u16 match_size; ++ ++ /* Used by userspace */ ++ char name[XT_EXTENSION_MAXNAMELEN]; ++ __u8 revision; ++ } user; ++ struct { ++ __u16 match_size; ++ ++ /* Used inside the kernel */ ++ struct xt_match *match; ++ } kernel; ++ ++ /* Total length */ ++ __u16 match_size; ++ } u; ++ ++ unsigned char data[0]; ++}; ++ ++struct xt_entry_target { ++ union { ++ struct { ++ __u16 target_size; ++ ++ /* Used by userspace */ ++ char name[XT_EXTENSION_MAXNAMELEN]; ++ __u8 revision; ++ } user; ++ struct { ++ __u16 target_size; ++ ++ /* Used inside the kernel */ ++ struct 
xt_target *target; ++ } kernel; ++ ++ /* Total length */ ++ __u16 target_size; ++ } u; ++ ++ unsigned char data[0]; ++}; ++ ++#define XT_TARGET_INIT(__name, __size) \ ++{ \ ++ .target.u.user = { \ ++ .target_size = XT_ALIGN(__size), \ ++ .name = __name, \ ++ }, \ ++} ++ ++struct xt_standard_target { ++ struct xt_entry_target target; ++ int verdict; ++}; ++ ++struct xt_error_target { ++ struct xt_entry_target target; ++ char errorname[XT_FUNCTION_MAXNAMELEN]; ++}; ++ ++/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision ++ * kernel supports, if >= revision. */ ++struct xt_get_revision { ++ char name[XT_EXTENSION_MAXNAMELEN]; ++ __u8 revision; ++}; ++ ++/* CONTINUE verdict for targets */ ++#define XT_CONTINUE 0xFFFFFFFF ++ ++/* For standard target */ ++#define XT_RETURN (-NF_REPEAT - 1) ++ ++/* this is a dummy structure to find out the alignment requirement for a struct ++ * containing all the fundamental data types that are used in ipt_entry, ++ * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my ++ * personal pleasure to remove it -HW ++ */ ++struct _xt_align { ++ __u8 u8; ++ __u16 u16; ++ __u32 u32; ++ __u64 u64; ++}; ++ ++#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) ++ ++/* Standard return verdict, or do jump. */ ++#define XT_STANDARD_TARGET "" ++/* Error verdict. */ ++#define XT_ERROR_TARGET "ERROR" ++ ++#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) ++#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) ++ ++struct xt_counters { ++ __u64 pcnt, bcnt; /* Packet and byte counters */ ++}; ++ ++/* The argument to IPT_SO_ADD_COUNTERS. */ ++struct xt_counters_info { ++ /* Which table. */ ++ char name[XT_TABLE_MAXNAMELEN]; ++ ++ unsigned int num_counters; ++ ++ /* The counters (actually `number' of these). */ ++ struct xt_counters counters[0]; ++}; ++ ++#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. 
*/ ++ ++/* fn returns 0 to continue iteration */ ++#define XT_MATCH_ITERATE(type, e, fn, args...) \ ++({ \ ++ unsigned int __i; \ ++ int __ret = 0; \ ++ struct xt_entry_match *__m; \ ++ \ ++ for (__i = sizeof(type); \ ++ __i < (e)->target_offset; \ ++ __i += __m->u.match_size) { \ ++ __m = (void *)e + __i; \ ++ \ ++ __ret = fn(__m , ## args); \ ++ if (__ret != 0) \ ++ break; \ ++ } \ ++ __ret; \ ++}) ++ ++/* fn returns 0 to continue iteration */ ++#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ ++({ \ ++ unsigned int __i, __n; \ ++ int __ret = 0; \ ++ type *__entry; \ ++ \ ++ for (__i = 0, __n = 0; __i < (size); \ ++ __i += __entry->next_offset, __n++) { \ ++ __entry = (void *)(entries) + __i; \ ++ if (__n < n) \ ++ continue; \ ++ \ ++ __ret = fn(__entry , ## args); \ ++ if (__ret != 0) \ ++ break; \ ++ } \ ++ __ret; \ ++}) ++ ++/* fn returns 0 to continue iteration */ ++#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ ++ XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) ++ ++ ++/* pos is normally a struct ipt_entry/ip6t_entry/etc. 
*/ ++#define xt_entry_foreach(pos, ehead, esize) \ ++ for ((pos) = (typeof(pos))(ehead); \ ++ (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ ++ (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) ++ ++/* can only be xt_entry_match, so no use of typeof here */ ++#define xt_ematch_foreach(pos, entry) \ ++ for ((pos) = (struct xt_entry_match *)entry->elems; \ ++ (pos) < (struct xt_entry_match *)((char *)(entry) + \ ++ (entry)->target_offset); \ ++ (pos) = (struct xt_entry_match *)((char *)(pos) + \ ++ (pos)->u.match_size)) ++ ++ ++#endif /* _X_TABLES_H */ +diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h +index 0acda6620bd19..bb1ec648af257 100644 +--- a/include/linux/netfilter_arp/arp_tables.h ++++ b/include/linux/netfilter_arp/arp_tables.h +@@ -9,18 +9,25 @@ + #ifndef _ARPTABLES_H + #define _ARPTABLES_H + +-#ifdef __KERNEL__ +-#include + #include +-#include +-#include +-#include +-#endif + + #include + +-#define ARPT_FUNCTION_MAXNAMELEN 30 +-#define ARPT_TABLE_MAXNAMELEN 32 ++#include ++ ++#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN ++#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN ++#define arpt_entry_target xt_entry_target ++#define arpt_standard_target xt_standard_target ++#define arpt_error_target xt_error_target ++#define ARPT_CONTINUE XT_CONTINUE ++#define ARPT_RETURN XT_RETURN ++#define arpt_counters_info xt_counters_info ++#define arpt_counters xt_counters ++#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET ++#define ARPT_ERROR_TARGET XT_ERROR_TARGET ++#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) 
\ ++ XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args) + + #define ARPT_DEV_ADDR_LEN_MAX 16 + +@@ -37,16 +44,16 @@ struct arpt_arp { + struct in_addr smsk, tmsk; + + /* Device hw address length, src+target device addresses */ +- u_int8_t arhln, arhln_mask; ++ __u8 arhln, arhln_mask; + struct arpt_devaddr_info src_devaddr; + struct arpt_devaddr_info tgt_devaddr; + + /* ARP operation code. */ +- u_int16_t arpop, arpop_mask; ++ __be16 arpop, arpop_mask; + + /* ARP hardware address and protocol address format. */ +- u_int16_t arhrd, arhrd_mask; +- u_int16_t arpro, arpro_mask; ++ __be16 arhrd, arhrd_mask; ++ __be16 arpro, arpro_mask; + + /* The protocol address length is only accepted if it is 4 + * so there is no use in offering a way to do filtering on it. +@@ -56,43 +63,9 @@ struct arpt_arp { + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + + /* Flags word */ +- u_int8_t flags; ++ __u8 flags; + /* Inverse flags */ +- u_int16_t invflags; +-}; +- +-struct arpt_entry_target +-{ +- union { +- struct { +- u_int16_t target_size; +- +- /* Used by userspace */ +- char name[ARPT_FUNCTION_MAXNAMELEN]; +- } user; +- struct { +- u_int16_t target_size; +- +- /* Used inside the kernel */ +- struct arpt_target *target; +- } kernel; +- +- /* Total length */ +- u_int16_t target_size; +- } u; +- +- unsigned char data[0]; +-}; +- +-struct arpt_standard_target +-{ +- struct arpt_entry_target target; +- int verdict; +-}; +- +-struct arpt_counters +-{ +- u_int64_t pcnt, bcnt; /* Packet and byte counters */ ++ __u16 invflags; + }; + + /* Values for "flag" field in struct arpt_ip (general arp structure). +@@ -121,15 +94,15 @@ struct arpt_entry + struct arpt_arp arp; + + /* Size of arpt_entry + matches */ +- u_int16_t target_offset; ++ __u16 target_offset; + /* Size of arpt_entry + matches + target */ +- u_int16_t next_offset; ++ __u16 next_offset; + + /* Back pointer */ + unsigned int comefrom; + + /* Packet and byte counters. 
*/ +- struct arpt_counters counters; ++ struct xt_counters counters; + + /* The matches (if any), then the target. */ + unsigned char elems[0]; +@@ -139,8 +112,10 @@ struct arpt_entry + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use a raw + * socket for this. Instead we check rights in the calls. ++ * ++ * ATTENTION: check linux/in.h before adding new number here. + */ +-#define ARPT_BASE_CTL 96 /* base for firewall socket options */ ++#define ARPT_BASE_CTL 96 + + #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) + #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) +@@ -148,29 +123,24 @@ struct arpt_entry + + #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) + #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) +-#define ARPT_SO_GET_MAX ARPT_SO_GET_ENTRIES +- +-/* CONTINUE verdict for targets */ +-#define ARPT_CONTINUE 0xFFFFFFFF +- +-/* For standard target */ +-#define ARPT_RETURN (-NF_REPEAT - 1) ++/* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */ ++#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) ++#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET) + + /* The argument to ARPT_SO_GET_INFO */ +-struct arpt_getinfo +-{ ++struct arpt_getinfo { + /* Which table: caller fills this in. */ +- char name[ARPT_TABLE_MAXNAMELEN]; ++ char name[XT_TABLE_MAXNAMELEN]; + + /* Kernel fills these in. */ + /* Which hook entry points are valid: bitmask */ + unsigned int valid_hooks; + + /* Hook entry points: one per netfilter hook. */ +- unsigned int hook_entry[3]; ++ unsigned int hook_entry[NF_ARP_NUMHOOKS]; + + /* Underflow points. */ +- unsigned int underflow[3]; ++ unsigned int underflow[NF_ARP_NUMHOOKS]; + + /* Number of entries */ + unsigned int num_entries; +@@ -180,10 +150,9 @@ struct arpt_getinfo + }; + + /* The argument to ARPT_SO_SET_REPLACE. */ +-struct arpt_replace +-{ ++struct arpt_replace { + /* Which table. 
*/ +- char name[ARPT_TABLE_MAXNAMELEN]; ++ char name[XT_TABLE_MAXNAMELEN]; + + /* Which hook entry points are valid: bitmask. You can't + change this. */ +@@ -196,38 +165,25 @@ struct arpt_replace + unsigned int size; + + /* Hook entry points. */ +- unsigned int hook_entry[3]; ++ unsigned int hook_entry[NF_ARP_NUMHOOKS]; + + /* Underflow points. */ +- unsigned int underflow[3]; ++ unsigned int underflow[NF_ARP_NUMHOOKS]; + + /* Information about old entries: */ + /* Number of counters (must be equal to current number of entries). */ + unsigned int num_counters; + /* The old entries' counters. */ +- struct arpt_counters *counters; ++ struct xt_counters *counters; + + /* The entries (hang off end: not really an array). */ + struct arpt_entry entries[0]; + }; + +-/* The argument to ARPT_SO_ADD_COUNTERS. */ +-struct arpt_counters_info +-{ +- /* Which table. */ +- char name[ARPT_TABLE_MAXNAMELEN]; +- +- unsigned int num_counters; +- +- /* The counters (actually `number' of these). */ +- struct arpt_counters counters[0]; +-}; +- + /* The argument to ARPT_SO_GET_ENTRIES. */ +-struct arpt_get_entries +-{ ++struct arpt_get_entries { + /* Which table: user fills this in. */ +- char name[ARPT_TABLE_MAXNAMELEN]; ++ char name[XT_TABLE_MAXNAMELEN]; + + /* User fills this in: total entry size. */ + unsigned int size; +@@ -236,107 +192,13 @@ struct arpt_get_entries + struct arpt_entry entrytable[0]; + }; + +-/* Standard return verdict, or do jump. */ +-#define ARPT_STANDARD_TARGET "" +-/* Error verdict. */ +-#define ARPT_ERROR_TARGET "ERROR" +- + /* Helper functions */ +-static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e) ++static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e) + { + return (void *)e + e->target_offset; + } + +-/* fn returns 0 to continue iteration */ +-#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) 
\ +-({ \ +- unsigned int __i; \ +- int __ret = 0; \ +- struct arpt_entry *__entry; \ +- \ +- for (__i = 0; __i < (size); __i += __entry->next_offset) { \ +- __entry = (void *)(entries) + __i; \ +- \ +- __ret = fn(__entry , ## args); \ +- if (__ret != 0) \ +- break; \ +- } \ +- __ret; \ +-}) +- + /* + * Main firewall chains definitions and global var's definitions. + */ +-#ifdef __KERNEL__ +- +-/* Registration hooks for targets. */ +-struct arpt_target +-{ +- struct list_head list; +- +- const char name[ARPT_FUNCTION_MAXNAMELEN]; +- +- /* Returns verdict. */ +- unsigned int (*target)(struct sk_buff **pskb, +- unsigned int hooknum, +- const struct net_device *in, +- const struct net_device *out, +- const void *targinfo, +- void *userdata); +- +- /* Called when user tries to insert an entry of this type: +- hook_mask is a bitmask of hooks from which it can be +- called. */ +- /* Should return true or false. */ +- int (*checkentry)(const char *tablename, +- const struct arpt_entry *e, +- void *targinfo, +- unsigned int targinfosize, +- unsigned int hook_mask); +- +- /* Called when entry of this type deleted. */ +- void (*destroy)(void *targinfo, unsigned int targinfosize); +- +- /* Set this to THIS_MODULE if you are a module, otherwise NULL */ +- struct module *me; +-}; +- +-extern int arpt_register_target(struct arpt_target *target); +-extern void arpt_unregister_target(struct arpt_target *target); +- +-/* Furniture shopping... */ +-struct arpt_table +-{ +- struct list_head list; +- +- /* A unique name... */ +- char name[ARPT_TABLE_MAXNAMELEN]; +- +- /* Seed table: copied in register_table */ +- struct arpt_replace *table; +- +- /* What hooks you will enter on */ +- unsigned int valid_hooks; +- +- /* Lock for the curtain */ +- rwlock_t lock; +- +- /* Man behind the curtain... 
*/ +- struct arpt_table_info *private; +- +- /* Set this to THIS_MODULE if you are a module, otherwise NULL */ +- struct module *me; +-}; +- +-extern int arpt_register_table(struct arpt_table *table); +-extern void arpt_unregister_table(struct arpt_table *table); +-extern unsigned int arpt_do_table(struct sk_buff **pskb, +- unsigned int hook, +- const struct net_device *in, +- const struct net_device *out, +- struct arpt_table *table, +- void *userdata); +- +-#define ARPT_ALIGN(s) (((s) + (__alignof__(struct arpt_entry)-1)) & ~(__alignof__(struct arpt_entry)-1)) +-#endif /*__KERNEL__*/ + #endif /* _ARPTABLES_H */ +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index 1d2e8b7b7ac01..a034930600344 100644 +--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -40,13 +40,6 @@ struct counter_map + unsigned int mappos; + }; + +-/* Convenience structures */ +-struct arpt_error_target +-{ +- STRUCT_ENTRY_TARGET t; +- char error[TABLE_MAXNAMELEN]; +-}; +- + struct chain_cache + { + char name[TABLE_MAXNAMELEN]; +@@ -1342,9 +1335,9 @@ TC_CREATE_CHAIN(const ARPT_CHAINLABEL chain, TC_HANDLE_T *handle) + newc.head.next_offset + = sizeof(STRUCT_ENTRY) + + ALIGN(sizeof(struct arpt_error_target)); +- strcpy(newc.name.t.u.user.name, ERROR_TARGET); +- newc.name.t.u.target_size = ALIGN(sizeof(struct arpt_error_target)); +- strcpy(newc.name.error, chain); ++ strcpy(newc.name.target.u.user.name, ERROR_TARGET); ++ newc.name.target.u.target_size = ALIGN(sizeof(struct arpt_error_target)); ++ strcpy(newc.name.errorname, chain); + + newc.ret.target_offset = sizeof(STRUCT_ENTRY); + newc.ret.next_offset +@@ -1482,8 +1475,8 @@ int TC_RENAME_CHAIN(const ARPT_CHAINLABEL oldname, + t = (struct arpt_error_target *) + GET_TARGET(get_entry(*handle, labeloff)); + +- memset(t->error, 0, sizeof(t->error)); +- strcpy(t->error, newname); ++ memset(t->errorname, 0, sizeof(t->errorname)); ++ strcpy(t->errorname, newname); + set_changed(*handle); + + return 1; +-- +2.21.0 + 
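Review bot: The renamed copies in TC_CREATE_CHAIN and TC_RENAME_CHAIN are still unbounded `strcpy` calls into `errorname`, which the `x_tables.h` added by this same patch declares as `char errorname[XT_FUNCTION_MAXNAMELEN]` (30 bytes); whether chain labels are length-checked before they reach these functions is not visible in the hunk. A bounded copy removes the question at no cost: `snprintf(t->errorname, sizeof(t->errorname), "%s", newname);` in the rename path and `snprintf(newc.name.errorname, sizeof(newc.name.errorname), "%s", chain);` in the create path, which also makes the preceding `memset` redundant. If the callers do validate against `ARPT_CHAINLABEL`, a one-line comment at the copy saying so would document the invariant instead. Both functions begin and end outside this hunk.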
diff --git a/SOURCES/0011-src-fix-compilation-warning.patch b/SOURCES/0011-src-fix-compilation-warning.patch
new file mode 100644
index 0000000..5d229c0
--- /dev/null
+++ b/SOURCES/0011-src-fix-compilation-warning.patch
@@ -0,0 +1,61 @@ +From 633ad43b19b4e5e26fff16c339f9fdd5293c2ffc Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 2 Apr 2015 10:33:18 +0200 +Subject: [PATCH] src: fix compilation warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +libarptc/libarptc.c: In function ‘dump_entry’: +libarptc/libarptc.c:137:9: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘__u64’ [-Wformat] +libarptc/libarptc.c:137:9: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘__u64’ [-Wformat] + +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 935acea0326785834b22f2233e1b1e3f8d000f7d) +Signed-off-by: Phil Sutter +--- + arptables.c | 7 ++++--- + libarptc/libarptc.c | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arptables.c b/arptables.c +index 845e226a98a30..f820ffa894e00 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -2164,16 +2164,17 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) + "-%c requires packet and byte counter", + opt2char(OPT_COUNTERS)); + +- if (sscanf(pcnt, "%"PRIu64, &fw.counters.pcnt) != 1) ++ if (sscanf(pcnt, "%"PRIu64, ++ (uint64_t *)&fw.counters.pcnt) != 1) + exit_error(PARAMETER_PROBLEM, + "-%c packet counter not numeric", + opt2char(OPT_COUNTERS)); + +- if (sscanf(bcnt, "%"PRIu64, &fw.counters.bcnt) != 1) ++ if (sscanf(bcnt, "%"PRIu64, ++ (uint64_t *)&fw.counters.bcnt) != 1) + exit_error(PARAMETER_PROBLEM, + "-%c byte counter not numeric", + opt2char(OPT_COUNTERS)); +- + break; + + +diff --git a/libarptc/libarptc.c b/libarptc/libarptc.c +index 2dcaaefff5b41..0025a75efc9ea 100644 +--- a/libarptc/libarptc.c ++++ b/libarptc/libarptc.c +@@ -134,7 +134,7 @@ dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle) + printf("Flags: %02X\n", e->arp.flags); + printf("Invflags: %02X\n", e->arp.invflags); + printf("Counters: %"PRIu64" packets, %"PRIu64" bytes\n", +- 
e->counters.pcnt, e->counters.bcnt); ++ (uint64_t)e->counters.pcnt, (uint64_t)e->counters.bcnt); + /* + printf("Cache: %08X ", e->nfcache); + if (e->nfcache & NFC_ALTERED) printf("ALTERED "); +-- +2.21.0 + diff --git a/SOURCES/0012-arptables-Add-revision-field-for-arptables-userspace.patch b/SOURCES/0012-arptables-Add-revision-field-for-arptables-userspace.patch new file mode 100644 index 0000000..8da02b1 --- /dev/null +++ b/SOURCES/0012-arptables-Add-revision-field-for-arptables-userspace.patch 
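Review bot: Casting `&fw.counters.pcnt` to `(uint64_t *)` silences -Wformat but keeps `sscanf`, which accepts leading whitespace, a sign and trailing garbage, so `-c 12abc 0` is taken as 12 and a negative value wraps to a huge counter. Parsing with `strtoull` assigns straight into the `__u64` without the cast and lets the code reject anything but a complete number: `errno = 0; fw.counters.pcnt = strtoull(pcnt, &end, 10); if (end == pcnt || *end != '\0' || errno == ERANGE) exit_error(PARAMETER_PROBLEM, "-%c packet counter not numeric", opt2char(OPT_COUNTERS));` with the same shape for `bcnt`, a local `char *end;`, and a `*pcnt == '-'` check if a leading minus must also be refused. The `(uint64_t)` casts in `dump_entry` are harmless as written. do_command starts and ends outside the hunk, and whether errno.h is already included is not visible here.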
@@ -0,0 +1,115 @@ +From 4c30ed220bbcc4a8060b382b536a615dd296a6fa Mon Sep 17 00:00:00 2001 +From: Zhang Chunyu +Date: Sun, 29 Mar 2015 22:35:47 -0400 +Subject: [PATCH] arptables: Add revision field for arptables userspace + +Signed-off-by: Gao feng +Signed-off-by: Zhang Chunyu +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit dbbe9f7de36aa3c7dd61dc89092c03f7902e474e) +Signed-off-by: Phil Sutter +--- + arptables.c | 2 ++ + extensions/arpt_CLASSIFY.c | 1 + + extensions/arpt_mangle.c | 1 + + extensions/arpt_standard.c | 1 + + include/arptables.h | 6 ++++++ + libarptc/libarptc_incl.c | 2 +- + 6 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/arptables.c b/arptables.c +index f820ffa894e00..fbe7350be3f32 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -2067,6 +2067,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) + target->t->u.target_size = size; + strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name)); + target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0'; ++ target->t->u.user.revision = target->revision; + /* + target->init(target->t, &fw.nfcache); + */ +@@ -2392,6 +2393,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) + target->t = fw_calloc(1, size); + target->t->u.target_size = size; + strcpy(target->t->u.user.name, jumpto); ++ target->t->u.user.revision = target->revision; + target->init(target->t); + } + +diff --git a/extensions/arpt_CLASSIFY.c b/extensions/arpt_CLASSIFY.c +index cb5770be8053c..7893aed31c057 100644 +--- a/extensions/arpt_CLASSIFY.c ++++ b/extensions/arpt_CLASSIFY.c +@@ -105,6 +105,7 @@ struct arptables_target classify + ARPTABLES_VERSION, + ARPT_ALIGN(sizeof(struct xt_classify_target_info)), + ARPT_ALIGN(sizeof(struct xt_classify_target_info)), ++ 0, + &help, + &init, + &parse, +diff --git a/extensions/arpt_mangle.c b/extensions/arpt_mangle.c +index c38fc1668236d..c7c3a7a42fc36 100644 +--- a/extensions/arpt_mangle.c ++++ 
b/extensions/arpt_mangle.c +@@ -199,6 +199,7 @@ struct arptables_target change + ARPTABLES_VERSION, + ARPT_ALIGN(sizeof(struct arpt_mangle)), + ARPT_ALIGN(sizeof(struct arpt_mangle)), ++ 0, + &help, + &init, + &parse, +diff --git a/extensions/arpt_standard.c b/extensions/arpt_standard.c +index cb3891d871102..6c2b1874acb59 100644 +--- a/extensions/arpt_standard.c ++++ b/extensions/arpt_standard.c +@@ -54,6 +54,7 @@ struct arptables_target standard + ARPTABLES_VERSION, + ARPT_ALIGN(sizeof(int)), + ARPT_ALIGN(sizeof(int)), ++ 0, + &help, + &init, + &parse, +diff --git a/include/arptables.h b/include/arptables.h +index 820b66460cfbe..82e6e9a80445e 100644 +--- a/include/arptables.h ++++ b/include/arptables.h +@@ -32,6 +32,9 @@ struct arptables_match + /* Size of match data relevent for userspace comparison purposes */ + size_t userspacesize; + ++ /* Revision of target (0 by default). */ ++ u_int8_t revision; ++ + /* Function which prints out usage message. */ + void (*help)(void); + +@@ -81,6 +84,9 @@ struct arptables_target + /* Size of target data relevent for userspace comparison purposes */ + size_t userspacesize; + ++ /* Revision of target (0 by default). */ ++ u_int8_t revision; ++ + /* Function which prints out usage message. */ + void (*help)(void); + +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index a034930600344..87404ce185d77 100644 +--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -872,7 +872,7 @@ map_target(const TC_HANDLE_T handle, + /* memset to all 0 for your memcmp convenience. */ + memset(t->u.user.name + strlen(t->u.user.name), + 0, +- FUNCTION_MAXNAMELEN - strlen(t->u.user.name)); ++ FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name)); + return 1; + } + +-- +2.21.0 + diff --git a/SOURCES/0013-arptables-Add-MARK-target.patch b/SOURCES/0013-arptables-Add-MARK-target.patch new file mode 100644 index 0000000..33c6dac --- /dev/null +++ b/SOURCES/0013-arptables-Add-MARK-target.patch 
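Review bot: The adjusted `memset` in map_target hard-codes the new relationship between `FUNCTION_MAXNAMELEN` and the 29-byte `name` field by subtracting 1; tying the bound to the field itself survives the next header change and reads as intended: `memset(t->u.user.name + strlen(t->u.user.name), 0, sizeof(t->u.user.name) - strlen(t->u.user.name));` (equivalent today, presumably, since `FUNCTION_MAXNAMELEN` maps to the 30-byte `XT_FUNCTION_MAXNAMELEN`). The comment added to `struct arptables_match` says "Revision of target" although it describes a match; `/* Revision of match (0 by default). */` fixes the copy-paste. The three extension files fill the new slot positionally with a bare `0,`, which is fragile against future field insertions; `.revision = 0` designated initialisers would make the slot explicit, though that is a wider change than this patch intends. map_target and do_command continue outside the hunk.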
@@ -0,0 +1,218 @@ +From 31eaf6577094b474932846d817c25fdd734e1aa8 Mon Sep 17 00:00:00 2001 +From: Zhang Chunyu +Date: Sun, 29 Mar 2015 22:35:48 -0400 +Subject: [PATCH] arptables: Add MARK target + +We can use MARK target to set make value for arp packet. + +Signed-off-by: Gao feng +Signed-off-by: Zhang Chunyu +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 4bb2f8340783fd3a3f70aa6f8807428a280f8474) +Signed-off-by: Phil Sutter +--- + arptables.8 | 17 +++++ + extensions/Makefile | 2 +- + extensions/arpt_MARK.c | 150 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 168 insertions(+), 1 deletion(-) + create mode 100644 extensions/arpt_MARK.c + +diff --git a/arptables.8 b/arptables.8 +index 78b2c60978c40..676b8840c60f2 100644 +--- a/arptables.8 ++++ b/arptables.8 +@@ -315,6 +315,23 @@ sify the packet into a specific CBQ class). + Set the major and minor class value. The values are always + interpreted as hexadecimal even if no 0x prefix is given. + ++.SS MARK ++This module allows you to set the skb->mark value (and thus classify ++the packet by the mark in u32) ++ ++.TP ++.BR "--set-mark mark" ++Set the mark value. The values are always ++interpreted as hexadecimal even if no 0x prefix is given ++ ++.TP ++.BR "--and-mark mark" ++Binary AND the mark with bits. ++ ++.TP ++.BR "--or-mark mark" ++Binary OR the mark with bits. ++ + .SH MAILINGLISTS + .BR "" "See " http://netfilter.org/mailinglists.html + .SH SEE ALSO +diff --git a/extensions/Makefile b/extensions/Makefile +index 09b244ead15ac..0189cc9066674 100644 +--- a/extensions/Makefile ++++ b/extensions/Makefile +@@ -1,6 +1,6 @@ + #! 
/usr/bin/make + +-EXT_FUNC+=standard mangle CLASSIFY ++EXT_FUNC+=standard mangle CLASSIFY MARK + EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o) + + extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h +diff --git a/extensions/arpt_MARK.c b/extensions/arpt_MARK.c +new file mode 100644 +index 0000000000000..3e5a9f96db8a7 +--- /dev/null ++++ b/extensions/arpt_MARK.c +@@ -0,0 +1,150 @@ ++/* ++ * (C) 2014 by Gao Feng ++ * ++ * arpt_MARK.c -- arptables extension to set mark for arp packet ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static void help(void) ++{ ++ printf( ++"MARK target v%s options:\n" ++"--set-mark mark : set the mark value\n" ++"--and-mark value : binary AND the mark with value\n" ++"--or-mark value : binary OR the mark with value\n", ++ ARPTABLES_VERSION); ++} ++ ++#define MARK_OPT 1 ++#define AND_MARK_OPT 2 ++#define OR_MARK_OPT 3 ++ ++static struct option opts[] = { ++ { .name = "set-mark", .has_arg = required_argument, .flag = 0, .val = MARK_OPT }, ++ { .name = "and-mark", .has_arg = required_argument, .flag = 0, .val = AND_MARK_OPT }, ++ { .name = "or-mark", .has_arg = required_argument, .flag = 0, .val = OR_MARK_OPT }, ++ { .name = NULL} ++}; ++ ++static void init(struct arpt_entry_target *t) ++{ ++ struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *) t->data; ++ ++ info->mark = 0; ++} ++ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct arpt_entry *e, struct arpt_entry_target **t) ++{ ++ struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *)(*t)->data; ++ int i; ++ ++ switch (c) { ++ case MARK_OPT: ++ if (sscanf(argv[optind-1], "%x", &i) != 1) { ++ exit_error(PARAMETER_PROBLEM, ++ "Bad mark value `%s'", optarg); ++ return 0; ++ } ++ info->mark = i; ++ if (*flags) ++ exit_error(PARAMETER_PROBLEM, ++ "MARK: Can't specify --set-mark twice"); ++ *flags = 1; ++ break; ++ case AND_MARK_OPT: ++ if (sscanf(argv[optind-1], "%x", &i) != 1) { ++ exit_error(PARAMETER_PROBLEM, ++ "Bad mark value `%s'", optarg); ++ return 0; ++ } ++ info->mark = 0; ++ info->mask = ~i; ++ if (*flags) ++ exit_error(PARAMETER_PROBLEM, ++ "MARK: Can't specify --and-mark twice"); ++ *flags = 1; ++ break; ++ case OR_MARK_OPT: ++ if (sscanf(argv[optind-1], "%x", &i) != 1) { ++ exit_error(PARAMETER_PROBLEM, ++ "Bad mark value `%s'", optarg); ++ return 0; ++ } ++ info->mark = info->mask = i; ++ if (*flags) ++ exit_error(PARAMETER_PROBLEM, ++ "MARK: Can't specify --or-mark twice"); ++ 
*flags = 1; ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, "MARK: Parameter --set-mark/--and-mark/--or-mark is required"); ++} ++ ++static void print(const struct arpt_arp *ip, ++ const struct arpt_entry_target *target, int numeric) ++{ ++ struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *)(target->data); ++ ++ if (info->mark == 0) ++ printf("--and-mark %x", (unsigned int)(uint32_t)~info->mask); ++ else if (info->mark == info->mask) ++ printf("--or-mark %x", info->mark); ++ else ++ printf("--set-mark %x", info->mark); ++} ++ ++static void save(const struct arpt_arp *ip, ++ const struct arpt_entry_target *target) ++{ ++} ++ ++static struct arptables_target mark = { ++ .next = NULL, ++ .name = "MARK", ++ .version = ARPTABLES_VERSION, ++ .size = ARPT_ALIGN(sizeof(struct xt_mark_tginfo2)), ++ .userspacesize = ARPT_ALIGN(sizeof(struct xt_mark_tginfo2)), ++ .revision = 2, ++ .help = help, ++ .init = init, ++ .parse = parse, ++ .final_check = final_check, ++ .print = print, ++ .save = save, ++ .extra_opts = opts ++}; ++ ++static void _init(void) __attribute__ ((constructor)); ++static void _init(void) ++{ ++ register_target(&mark); ++} +-- +2.21.0 + diff --git a/SOURCES/0014-src-Use-stdint-types.patch b/SOURCES/0014-src-Use-stdint-types.patch new file mode 100644 index 0000000..28412f8 --- /dev/null +++ b/SOURCES/0014-src-Use-stdint-types.patch 
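Review bot: In parse() the MARK_OPT case stores `info->mark = i` but never assigns `info->mask`, so the mask stays at whatever init()/calloc left it (0). If the kernel applies revision-2 info as `(skb->mark & ~mask) ^ mark` — the semantics the --and-mark and --or-mark cases in this same switch rely on — then `--set-mark` only XORs the given bits into the existing mark instead of replacing it; the case should read `info->mark = i; info->mask = 0xffffffff;`. Two smaller points in the same function: `%x` stores through an `unsigned int *`, so `i` should be declared `unsigned int` rather than `int`, and the three error messages print `optarg` while the value actually scanned is `argv[optind-1]` — use one consistently. The `save` callback is an empty stub, so arptables-save emits this target without its option; mirroring print() there would let rules round-trip.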
@@ -0,0 +1,145 @@ +From 43423fdfe9cfc69d5759ef04b9d91e3cf60a8142 Mon Sep 17 00:00:00 2001 +From: Felix Janda +Date: Sat, 16 May 2015 10:31:24 +0200 +Subject: [PATCH] src: Use stdint types + +Signed-off-by: Felix Janda +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 047f37b1d5d865084a435fd7594b8c5c332ccb8d) +Signed-off-by: Phil Sutter +--- + arptables.c | 8 ++++---- + include/arptables.h | 7 ++++--- + include/libarptc/libarptc.h | 7 ++++--- + libarptc/libarptc.c | 4 ++-- + libarptc/libarptc_incl.c | 2 +- + 5 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/arptables.c b/arptables.c +index fbe7350be3f32..4e9af67f92042 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -230,7 +230,7 @@ extern void dump_entries(const arptc_handle_t handle); + /etc/protocols */ + struct pprot { + char *name; +- u_int8_t num; ++ uint8_t num; + }; + + /* Primitive headers... */ +@@ -926,7 +926,7 @@ mask_to_dotted(const struct in_addr *mask) + { + int i; + static char buf[20]; +- u_int32_t maskaddr, bits; ++ uint32_t maskaddr, bits; + + maskaddr = ntohl(mask->s_addr); + +@@ -968,7 +968,7 @@ string_to_number(const char *s, unsigned int min, unsigned int max, + } + + static void +-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, ++set_option(unsigned int *options, unsigned int option, uint16_t *invflg, + int invert) + { + if (*options & option) +@@ -1108,7 +1108,7 @@ register_target(struct arptables_target *me) + } + + static void +-print_num(u_int64_t number, unsigned int format) ++print_num(uint64_t number, unsigned int format) + { + if (format & FMT_KILOMEGAGIGA) { + if (number > 99999) { +diff --git a/include/arptables.h b/include/arptables.h +index 82e6e9a80445e..34f53c1cadbd8 100644 +--- a/include/arptables.h ++++ b/include/arptables.h +@@ -1,6 +1,7 @@ + #ifndef _ARPTABLES_USER_H + #define _ARPTABLES_USER_H + ++#include + #include "arptables_common.h" + #include "libarptc/libarptc.h" + +@@ -33,7 +34,7 @@ struct arptables_match + 
size_t userspacesize; + + /* Revision of target (0 by default). */ +- u_int8_t revision; ++ uint8_t revision; + + /* Function which prints out usage message. */ + void (*help)(void); +@@ -85,7 +86,7 @@ struct arptables_target + size_t userspacesize; + + /* Revision of target (0 by default). */ +- u_int8_t revision; ++ uint8_t revision; + + /* Function which prints out usage message. */ + void (*help)(void); +@@ -132,7 +133,7 @@ extern char *mask_to_dotted(const struct in_addr *mask); + + extern void parse_hostnetworkmask(const char *name, struct in_addr **addrpp, + struct in_addr *maskp, unsigned int *naddrs); +-extern u_int16_t parse_protocol(const char *s); ++extern uint16_t parse_protocol(const char *s); + + extern int do_command(int argc, char *argv[], char **table, + arptc_handle_t *handle); +diff --git a/include/libarptc/libarptc.h b/include/libarptc/libarptc.h +index ff4606fb9ae16..18e8bb06fee6b 100644 +--- a/include/libarptc/libarptc.h ++++ b/include/libarptc/libarptc.h +@@ -7,9 +7,10 @@ + #include + + #ifndef ARPT_MIN_ALIGN +-/* arpt_entry has pointers and u_int64_t's in it, so if you align to +- it, you'll also align to any crazy matches and targets someone +- might write */ ++/* arpt_entry has pointers and uint64_t's in it, so if you align to ++ * it, you'll also align to any crazy matches and targets someone ++ * might write. 
++ */ + #define ARPT_MIN_ALIGN (__alignof__(struct arpt_entry)) + #endif + +diff --git a/libarptc/libarptc.c b/libarptc/libarptc.c +index 0025a75efc9ea..6d9773553e679 100644 +--- a/libarptc/libarptc.c ++++ b/libarptc/libarptc.c +@@ -256,8 +256,8 @@ unconditional(const struct arpt_arp *arp) + { + unsigned int i; + +- for (i = 0; i < sizeof(*arp)/sizeof(u_int32_t); i++) +- if (((u_int32_t *)arp)[i]) ++ for (i = 0; i < sizeof(*arp) / sizeof(uint32_t); i++) ++ if (((uint32_t *)arp)[i]) + return 0; + + return 1; +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index 87404ce185d77..ca23da6474990 100644 +--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -1688,7 +1688,7 @@ TC_COMMIT(TC_HANDLE_T *handle) + /* Kernel will think that pointer should be 64-bits, and get + padding. So we accomodate here (assumption: alignment of + `counters' is on 64-bit boundary). */ +- u_int64_t *kernptr = (u_int64_t *)&newcounters->counters; ++ uint64_t *kernptr = (uint64_t *)&newcounters->counters; + if ((unsigned long)&newcounters->counters % 8 != 0) { + fprintf(stderr, + "counters alignment incorrect! Mail rusty!\n"); +-- +2.21.0 + diff --git a/SOURCES/0015-src-Remove-support-for-libc5.patch b/SOURCES/0015-src-Remove-support-for-libc5.patch new file mode 100644 index 0000000..84c4c62 --- /dev/null +++ b/SOURCES/0015-src-Remove-support-for-libc5.patch 
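Review bot: The rewritten loop in unconditional() still reads `struct arpt_arp` through a `uint32_t *` cast, which is an aliasing violation the type rename does not remove, and it silently skips any tail bytes if sizeof(*arp) is not a multiple of 4. Since the intent is just "is the whole struct zero", a byte-wise compare avoids both: `static const struct arpt_arp zero; return memcmp(arp, &zero, sizeof(*arp)) == 0;` (padding bytes were already being compared by the old code, so observable behavior is unchanged). The enclosing function starts outside the hunk.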
@@ -0,0 +1,63 @@ +From 938f4d10663d99dff32ce92c7a2ce1af6de47aa2 Mon Sep 17 00:00:00 2001 +From: Felix Janda +Date: Sat, 16 May 2015 10:31:41 +0200 +Subject: [PATCH] src: Remove support for libc5 + +Fixes compilation with musl libc + +Signed-off-by: Felix Janda +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit f4ab8f63f11a72f14687a6646d04ae1bae3fa45f) +Signed-off-by: Phil Sutter +--- + include/libarptc/arpt_kernel_headers.h | 12 ------------ + libarptc/libarptc.c | 4 ---- + 2 files changed, 16 deletions(-) + +diff --git a/include/libarptc/arpt_kernel_headers.h b/include/libarptc/arpt_kernel_headers.h +index 442cc54cd3962..140e99973ad15 100644 +--- a/include/libarptc/arpt_kernel_headers.h ++++ b/include/libarptc/arpt_kernel_headers.h +@@ -5,7 +5,6 @@ + + #include + +-#if defined(__GLIBC__) && __GLIBC__ == 2 + #include + #include + #include +@@ -14,16 +13,5 @@ + #include + #include + #include +-#else +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#endif + + #endif +diff --git a/libarptc/libarptc.c b/libarptc/libarptc.c +index 6d9773553e679..e979dad6cebbe 100644 +--- a/libarptc/libarptc.c ++++ b/libarptc/libarptc.c +@@ -23,10 +23,6 @@ + #define inline + #endif + +-#if !defined(__GLIBC__) || (__GLIBC__ < 2) +-typedef unsigned int socklen_t; +-#endif +- + #include "libarptc/libarptc.h" + + #define IP_VERSION 4 +-- +2.21.0 + diff --git a/SOURCES/0016-arptables-cleanup-sysvinit-script.patch b/SOURCES/0016-arptables-cleanup-sysvinit-script.patch new file mode 100644 index 0000000..cd4a33c --- /dev/null +++ b/SOURCES/0016-arptables-cleanup-sysvinit-script.patch 
@@ -0,0 +1,158 @@ +From 6e39026e78c20319d1f5006bbe6ad0f7541d58ae Mon Sep 17 00:00:00 2001 +From: Arturo Borrero Gonzalez +Date: Thu, 3 May 2018 11:28:31 +0200 +Subject: [PATCH] arptables: cleanup sysvinit script + +This file belong to downstream distributions. Also, it's unmaintained. + +Signed-off-by: Arturo Borrero Gonzalez +(cherry picked from commit 988d6a4cd1b12718177bf3065f07faeabb208713) +Signed-off-by: Phil Sutter +--- + Makefile | 8 +--- + arptables.sysv | 103 ------------------------------------------------- + 2 files changed, 2 insertions(+), 109 deletions(-) + delete mode 100644 arptables.sysv + +diff --git a/Makefile b/Makefile +index 7bead0d9134f3..139c9cae9ff6c 100644 +--- a/Makefile ++++ b/Makefile +@@ -7,7 +7,6 @@ LIBDIR:=$(PREFIX)/lib + BINDIR:=$(PREFIX)/sbin + MANDIR:=$(PREFIX)/man + man8dir=$(MANDIR)/man8 +-INITDIR:=/etc/rc.d/init.d + SYSCONFIGDIR:=/etc/sysconfig + DESTDIR:= + +@@ -46,15 +45,12 @@ $(DESTDIR)$(BINDIR)/arptables: arptables + tmp1:=$(shell printf $(BINDIR) | sed 's/\//\\\//g') + tmp2:=$(shell printf $(SYSCONFIGDIR) | sed 's/\//\\\//g') + .PHONY: scripts +-scripts: arptables-save arptables-restore arptables.sysv ++scripts: arptables-save arptables-restore + cat arptables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-save_ + install -m 0755 arptables-save_ $(DESTDIR)$(BINDIR)/arptables-save + cat arptables-restore | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-restore_ + install -m 0755 arptables-restore_ $(DESTDIR)$(BINDIR)/arptables-restore +- cat arptables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > arptables.sysv_ +- if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi +- if test -d $(DESTDIR)$(INITDIR); then install -m 0755 arptables.sysv_ $(DESTDIR)$(INITDIR)/arptables; fi +- rm -f arptables-save_ arptables-restore_ arptables.sysv_ ++ rm -f arptables-save_ arptables-restore_ + + .PHONY: install-man + install-man: $(MANS) +diff --git a/arptables.sysv b/arptables.sysv +deleted file 
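Review bot: After this Makefile hunk drops the arptables.sysv line, `tmp2` (the escaped SYSCONFIGDIR) and `SYSCONFIGDIR` itself have no remaining consumer in the visible rules, yet both definitions are kept as context. Removing `tmp2:=$(shell printf $(SYSCONFIGDIR) | sed 's/\//\\\//g')` together with the line that used it would make the cleanup complete, unless arptables-save/-restore (not in this hunk) still carry a `__SYSCONFIG__` placeholder. As a style point, the two surviving `cat file | sed ... > out` pipelines could simply be `sed ... < file > out`.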
mode 100644 +index ea5cf092ef2c8..0000000000000 +--- a/arptables.sysv ++++ /dev/null +@@ -1,103 +0,0 @@ +-#!/bin/bash +-# +-# init script for arptables +-# +-# Original by Dag Wieers . +-# Modified/changed to arptables by +-# Rok Papez . +-# +-# chkconfig: - 16 84 +-# description: Arp filtering tables +-# +-# config: __SYSCONFIG__/arptables +- +-source /etc/init.d/functions +-source /etc/sysconfig/network +- +-# Check that networking is up. +-[ ${NETWORKING} = "no" ] && exit 0 +- +-[ -x __EXEC_PATH__/arptables ] || exit 1 +-[ -x __EXEC_PATH__/arptables-save ] || exit 1 +-[ -x __EXEC_PATH__/arptables-restore ] || exit 1 +- +-[ "$1" != "save" -o -r __SYSCONFIG__/arptables ] || exit 1 +- +-RETVAL=0 +-prog="arptables" +-desc="Arp filtering" +- +-start() { +- echo -n $"Starting $desc ($prog): " +- __EXEC_PATH__/arptables-restore < __SYSCONFIG__/arptables || RETVAL=1 +- +- if [ $RETVAL -eq 0 ]; then +- success "$prog startup" +- rm -f /var/lock/subsys/$prog +- else +- failure "$prog startup" +- fi +- +- echo +- return $RETVAL +-} +- +-stop() { +- echo -n $"Stopping $desc ($prog): " +- __EXEC_PATH__/arptables-restore < /dev/null || RETVAL=1 +- +- if [ $RETVAL -eq 0 ]; then +- success "$prog shutdown" +- rm -f %{_localstatedir}/lock/subsys/$prog +- else +- failure "$prog shutdown" +- fi +- +- echo +- return $RETVAL +-} +- +-restart() { +- stop +- start +-} +- +-save() { +- echo -n $"Saving $desc ($prog): " +- __EXEC_PATH__/arptables-save > __SYSCONFIG__/arptables || RETVAL=1 +- +- if [ $RETVAL -eq 0 ]; then +- success "$prog saved" +- else +- failure "$prog saved" +- fi +- echo +-} +- +-case "$1" in +- start) +- start +- ;; +- stop) +- stop +- ;; +- restart|reload) +- restart +- ;; +- condrestart) +- [ -e /var/lock/subsys/$prog ] && restart +- RETVAL=$? +- ;; +- save) +- save +- ;; +- status) +- __EXEC_PATH__/arptables-save +- RETVAL=$? +- ;; +- *) +- echo $"Usage $0 {start|stop|restart|condrestart|save|status}" +- RETVAL=1 +-esac +- +-exit $RETVAL +-- +2.21.0 + 
diff --git a/SOURCES/0017-arptables-legacy-renaming.patch b/SOURCES/0017-arptables-legacy-renaming.patch new file mode 100644 index 0000000..497edd7 --- /dev/null +++ b/SOURCES/0017-arptables-legacy-renaming.patch 
@@ -0,0 +1,129 @@ +From 0c80be6f74250dbc70d071a84bc3b7a7d15b80f2 Mon Sep 17 00:00:00 2001 +From: Arturo Borrero Gonzalez +Date: Wed, 20 Jun 2018 15:43:39 +0200 +Subject: [PATCH] arptables: legacy renaming + +The original arptables tool is now the legacy version, let's rename it. + +A more uptodate client of the arptables tool is provided in the iptables +tarball. The new tool was formerly known as arptables-compat. + +The new -legacy binary should have no problem if called via a symlink. + +Signed-off-by: Arturo Borrero Gonzalez +Signed-off-by: Florian Westphal +(cherry picked from commit 28b22d55615447c94c5058e0aacec612ebc27f2a) +Signed-off-by: Phil Sutter +--- + Makefile | 12 ++++++------ + arptables.8 => arptables-legacy.8 | 16 ++++++++++++++-- + arptables.c | 2 +- + 3 files changed, 21 insertions(+), 9 deletions(-) + rename arptables.8 => arptables-legacy.8 (94%) + +diff --git a/Makefile b/Makefile +index 139c9cae9ff6c..5f3f81290165c 100644 +--- a/Makefile ++++ b/Makefile +@@ -10,7 +10,7 @@ man8dir=$(MANDIR)/man8 + SYSCONFIGDIR:=/etc/sysconfig + DESTDIR:= + +-MANS = arptables.8 arptables-save.8 arptables-restore.8 ++MANS = arptables-legacy.8 arptables-save.8 arptables-restore.8 + + COPT_FLAGS:=-O2 + CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include/ -Iinclude/ -DARPTABLES_VERSION=\"$(ARPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DARPTC_DEBUG +@@ -21,7 +21,7 @@ endif + + include extensions/Makefile + +-all: arptables libarptc/libarptc.a ++all: arptables-legacy libarptc/libarptc.a + + arptables.o: arptables.c + $(CC) $(CFLAGS) -c -o $@ $< +@@ -35,10 +35,10 @@ libarptc/libarptc.o: libarptc/libarptc.c libarptc/libarptc_incl.c + libarptc/libarptc.a: libarptc/libarptc.o + $(AR) rcs $@ $< + +-arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) ++arptables-legacy: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ + +-$(DESTDIR)$(BINDIR)/arptables: arptables 
++$(DESTDIR)$(BINDIR)/arptables-legacy: arptables-legacy + mkdir -p $(DESTDIR)$(BINDIR) + install -m 0755 $< $@ + +@@ -58,11 +58,11 @@ install-man: $(MANS) + install -m 0644 $^ $(DESTDIR)$(man8dir)/ + + .PHONY: install +-install: install-man $(DESTDIR)$(BINDIR)/arptables scripts ++install: install-man $(DESTDIR)$(BINDIR)/arptables-legacy scripts + + .PHONY: clean + clean: +- rm -f arptables ++ rm -f arptables-legacy + rm -f *.o *~ + rm -f extensions/*.o extensions/*~ + rm -f libarptc/*.o libarptc/*~ libarptc/*.a +diff --git a/arptables.8 b/arptables-legacy.8 +similarity index 94% +rename from arptables.8 +rename to arptables-legacy.8 +index 676b8840c60f2..3ce99e3757004 100644 +--- a/arptables.8 ++++ b/arptables-legacy.8 +@@ -1,4 +1,4 @@ +-.TH ARPTABLES 8 "November 2011" ++.TH ARPTABLES 8 "June 2018" + .\" + .\" Man page originally written by Jochen Friedrich , + .\" maintained by Bart De Schuymer. +@@ -22,7 +22,7 @@ + .\" + .\" + .SH NAME +-arptables \- ARP table administration ++arptables \- ARP table administration (legacy) + .SH SYNOPSIS + .BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ] + .br +@@ -37,6 +37,18 @@ arptables \- ARP table administration + .BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name" + .br + .BR "arptables " [ "-t table" ] " -P chain target " [ options ] ++ ++.SH LEGACY ++This tool uses the old xtables/setsockopt framework, and is a legacy version ++of arptables. That means that a new, more modern tool exists with the same ++functionality using the nf_tables framework and you are encouraged to migrate now. ++The new binaries (formerly known as -compat) uses the same syntax and ++semantics than this legacy one. ++ ++You can still use this legacy tool. You should probably get some specific ++information from your Linux distribution or vendor. 
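Review bot: The install target now ships only `arptables-legacy` and `arptables-legacy.8`, but nothing creates the `arptables` name the commit message says the binary "should have no problem" being called through, so `man arptables` and any caller of `$(BINDIR)/arptables` stop working after a plain `make install`. The `scripts` rule still substitutes only `__EXEC_PATH__` into arptables-save/-restore; if those scripts exec `arptables` by name (not visible here) they are affected as well. Either add `ln -sf arptables-legacy $(DESTDIR)$(BINDIR)/arptables` to the install rule, or state in the commit message that providing the symlink is left to packaging.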
++More docs are available at https://wiki.nftables.org ++ + .SH DESCRIPTION + .B arptables + is a user space tool, it is used to set up and maintain the +diff --git a/arptables.c b/arptables.c +index 4e9af67f92042..09c9ca25217d0 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -468,7 +468,7 @@ exit_printhelp(void) + struct arptables_target *t = NULL; + int i; + +- printf("%s v%s\n\n" ++ printf("%s v%s (legacy)\n\n" + "Usage: %s -[AD] chain rule-specification [options]\n" + " %s -[RI] chain rulenum rule-specification [options]\n" + " %s -D chain rulenum [options]\n" +-- +2.21.0 + diff --git a/SOURCES/COPYING b/SOURCES/COPYING new file mode 100644 index 0000000..d159169 --- /dev/null +++ b/SOURCES/COPYING 
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ , 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/SOURCES/arptables-legacy-helper b/SOURCES/arptables-legacy-helper
new file mode 100644
index 0000000..11685ab
--- /dev/null
+++ b/SOURCES/arptables-legacy-helper
@@ -0,0 +1,104 @@
+#!/bin/sh
+# config: /etc/sysconfig/arptables
+
+# Source 'em up
+. /etc/init.d/functions
+
+ARPTABLES_CONFIG=/etc/sysconfig/arptables
+
+arp_table() {
+ if fgrep -qsx $1 /proc/net/arp_tables_names; then
+ arptables -t "$@"
+ fi
+}
+
+flush_delete_chains() {
+ chains=$(cat /proc/net/arp_tables_names 2>/dev/null)
+ echo -n $"Flushing all chains:"
+ let ret=0
+ for i in $chains; do arptables -t $i -F; let ret+=$?; done
+ arptables -F; let ret+=$?
+ if [ $ret -eq 0 ]; then
+ success
+ else
+ failure
+ fi
+ echo
+
+ echo -n $"Removing user defined chains:"
+ let ret=0
+ for i in $chains; do arptables -t $i -X; let ret+=$?; done
+ arptables -X; let ret+=$?
+ if [ $ret -eq 0 ]; then
+ success
+ else
+ failure
+ fi
+ echo
+}
+
+start() {
+ if [ ! -x /usr/sbin/arptables ]; then
+ exit 4
+ fi
+
+ # don't do squat if we don't have the config file
+ if [ -f $ARPTABLES_CONFIG ]; then
+ # If we don't clear these first, we might be adding to
+ # pre-existing rules.
+ flush_delete_chains
+
+ for i in $(cat /proc/net/arp_tables_names 2>/dev/null); do
+ arptables -t $i -Z;
+ done
+
+ echo -n $"Applying arptables firewall rules: "
+ /usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
+ success || \
+ failure
+ echo
+ touch /var/lock/subsys/arptables
+ else
+ failure
+ echo
+ echo $"Configuration file /etc/sysconfig/arptables missing"
+ exit 6
+ fi
+}
+
+stop() {
+ flush_delete_chains
+ echo -n $"Resetting built-in chains to the default ACCEPT policy:"
+ arp_table filter -P INPUT ACCEPT && \
+ arp_table filter -P OUTPUT ACCEPT && \
+ success || \
+ failure
+ echo
+ rm -f /var/lock/subsys/arptables
+}
+
+case "$1" in
+start)
+ start
+ ;;
+
+stop)
+ stop
+ ;;
+
+restart|reload)
+ # "restart" is really just "start" as this isn't a daemon,
+ # and "start" clears any pre-defined rules anyway.
+ # This is really only here to make those who expect it happy
+ start
+ ;;
+
+condrestart|try-restart|force-reload)
+ [ -e /var/lock/subsys/arptables ] && start
+ ;;
+
+*)
+ exit 2
+esac
+
+exit 0
diff --git a/SOURCES/arptables.service b/SOURCES/arptables.service
new file mode 100644
index 0000000..df6c7d6
--- /dev/null
+++ b/SOURCES/arptables.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Automates a packet filtering firewall with arptables
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/arptables-helper start
+ExecStop=/usr/libexec/arptables-helper stop
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/arptables.spec b/SPECS/arptables.spec
new file mode 100644
index 0000000..c801a50
--- /dev/null
+++ b/SPECS/arptables.spec
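Review bot: In `start()`, a failing `/usr/sbin/arptables-restore` still reaches `touch /var/lock/subsys/arptables` and the script's final `exit 0`, so after `flush_delete_chains` has already emptied every chain a malformed config leaves the host with no ARP filtering while the oneshot unit (RemainAfterExit=yes) reports the firewall as active. The `&& success || failure` chain only affects the console message; nothing records the restore status. The status should decide both the lock file and the exit code so systemd marks the unit failed and an operator can see it in `systemctl status`; the `exit 0` at the end is then only reached on success. The same applies to the `restart`/`condrestart` branches since they call `start`.
```sh
    echo -n $"Applying arptables firewall rules: "
    /usr/sbin/arptables-restore < $ARPTABLES_CONFIG
    ret=$?
    if [ $ret -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    # Do not claim the lock or exit 0 with flushed chains and no rules loaded.
    [ $ret -eq 0 ] || exit 1
    touch /var/lock/subsys/arptables
    # … unchanged: else branch (missing config file) …
```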
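Review bot: `After=network.target` orders the rule load after the network is already up, so during boot interfaces can exchange ARP traffic before `arptables-helper start` has installed any policy. systemd provides `network-pre.target` precisely for units that must run before any network is configured; a firewall unit pulls it in with `Wants=network-pre.target` and orders itself `Before=network-pre.target` in place of the `After=network.target` line. The `ExecStop` side is unaffected by this ordering.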
@@ -0,0 +1,220 @@
+Summary: User space tool to set up tables of ARP rules in kernel
+Name: arptables
+Version: 0.0.5
+Release: 4%{?dist}
+License: GPLv2+
+
+URL: http://ebtables.sourceforge.net/
+Source0: http://ftp.netfilter.org/pub/arptables/%{name}-%{version}.tar.gz
+Source1: arptables.service
+Source2: arptables-legacy-helper
+
+BuildRequires: gcc
+BuildRequires: perl-generators
+BuildRequires: systemd
+BuildRequires: make
+
+%description
+The arptables is a user space tool used to set up and maintain
+the tables of ARP rules in the Linux kernel. These rules inspect
+the ARP frames which they see. arptables is analogous to the iptables
+user space tool, but is less complicated.
+
+%package legacy
+Summary: Legacy user space tool to set up tables of ARP rules in kernel
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Provides: arptables-helper
+
+%description legacy
+The arptables is a user space tool used to set up and maintain
+the tables of ARP rules in the Linux kernel. These rules inspect
+the ARP frames which they see. arptables is analogous to the iptables
+user space tool, but is less complicated.
+
+Note that it is considered legacy upstream since nftables provides the same
+functionality in a much newer code-base. To aid in migration, there is
+arptables-nft utility, a drop-in replacement for the legacy one which uses
+nftables internally. It is provided by iptables-arptables package.
+
+%package services
+Summary: arptables systemd services
+%{?systemd_ordering}
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires: arptables-helper
+Obsoletes: arptables-compat < 0.0.4-20
+
+%description services
+arptables systemd services
+
+This package provides the systemd arptables service that has been split
+out of the base package for better integration with alternatives.
+
+%prep
+%autosetup -p1
+
+%build
+# Makefile uses $(KERNEL_DIR) to redefine where to look for header files.
+# But when it's set to standard system include directory gcc ignores it
+# (see gcc(1)). It however looks that the code is not ready for using
+# system headers (instead included ones) so we don't use this option.
+make all 'COPT_FLAGS=%{optflags}' 'LDFLAGS=%{build_ldflags}' %{_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot} BINDIR=%{_sbindir} MANDIR=%{_mandir}
+pfx=%{buildroot}%{_sbindir}
+manpfx=%{buildroot}%{_mandir}/man8
+for sfx in "-restore" "-save"; do
+ mv $pfx/arptables$sfx $pfx/arptables-legacy$sfx
+ touch $pfx/arptables$sfx
+ mv $manpfx/arptables${sfx}.8 $manpfx/arptables-legacy${sfx}.8
+ touch $manpfx/arptables${sfx}.8
+done
+
+install -p -D -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/arptables.service
+mkdir -p %{buildroot}%{_libexecdir}/
+install -p -D -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/
+touch %{buildroot}%{_libexecdir}/arptables-helper
+rm -rf %{buildroot}%{_initrddir}
+mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
+echo '# Configure prior to use' > %{buildroot}%{_sysconfdir}/sysconfig/arptables
+
+%post legacy
+pfx=%{_sbindir}/arptables
+manpfx=%{_mandir}/man8/arptables
+lepfx=%{_libexecdir}/arptables
+for sfx in "" "-restore" "-save"; do
+ if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then
+ rm -f $pfx$sfx
+ fi
+ if [ "$(readlink -e $manpfx${sfx}.8.gz)" == $manpfx${sfx}.8.gz ]; then
+ rm -f $manpfx${sfx}.8.gz
+ fi
+done
+if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then
+ rm -f $lepfx-helper
+fi
+%{_sbindir}/update-alternatives --install \
+ $pfx arptables $pfx-legacy 10 \
+ --slave $pfx-save arptables-save $pfx-legacy-save \
+ --slave $pfx-restore arptables-restore $pfx-legacy-restore \
+ --slave $manpfx.8.gz arptables-man $manpfx-legacy.8.gz \
+ --slave $manpfx-save.8.gz arptables-save-man $manpfx-legacy-save.8.gz \
+ --slave $manpfx-restore.8.gz arptables-restore-man $manpfx-legacy-restore.8.gz \
+ --slave $lepfx-helper arptables-helper $lepfx-legacy-helper
+
+%preun legacy
+%systemd_preun arptables.service
+
+%postun legacy
+%systemd_postun_with_restart arptables.service
+if [ $1 -eq 0 ]; then
+ %{_sbindir}/update-alternatives --remove \
+ arptables %{_sbindir}/arptables-legacy
+fi
+
+%post services
+%systemd_post arptables.service
+
+%preun services
+%systemd_preun arptables.service
+
+%postun services
+%?ldconfig
+%systemd_postun arptables.service
+
+%files legacy
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_sbindir}/arptables-legacy*
+%{_libexecdir}/arptables-legacy-helper
+%{_mandir}/*/arptables-legacy*
+%ghost %{_sbindir}/arptables
+%ghost %{_sbindir}/arptables-save
+%ghost %{_sbindir}/arptables-restore
+%ghost %{_mandir}/man8/arptables.8.gz
+%ghost %{_mandir}/man8/arptables-save.8.gz
+%ghost %{_mandir}/man8/arptables-restore.8.gz
+%ghost %{_libexecdir}/arptables-helper
+
+%files services
+%{_unitdir}/arptables.service
+%config(noreplace) %{_sysconfdir}/sysconfig/arptables
+
+%changelog
+* Tue Jan 26 2021 Fedora Release Engineering - 0.0.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering - 0.0.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering - 0.0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Dec 04 2019 Phil Sutter - 0.0.5-1
+- New version 0.0.5
+
+* Wed Oct 30 2019 Phil Sutter - 0.0.4-20
+- Make services sub-package obsolete compat to fix upgrade path
+
+* Tue Oct 22 2019 Phil Sutter - 0.0.4-19
+- Drop compat sub-package again
+
+* Wed Jul 24 2019 Fedora Release Engineering - 0.0.4-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Mar 21 2019 Phil Sutter - 0.0.4-17
+- Fix upgrade from non-legacy arptables package
+
+* Mon Feb 18 2019 Phil Sutter - 0.0.4-16
+- Integrate with alternatives
+- Split systemd service into sub-package
+- Rename arptables RPM into arptables-legacy
+- Add recent upstream changes
+
+* Thu Jan 31 2019 Fedora Release Engineering - 0.0.4-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering - 0.0.4-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Feb 21 2018 Florian Weimer - 0.0.4-13
+- Use LDFLAGS from redhat-rpm-config
+
+* Wed Feb 07 2018 Fedora Release Engineering - 0.0.4-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Aug 02 2017 Fedora Release Engineering - 0.0.4-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.0.4-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.0.4-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Feb 03 2016 Fedora Release Engineering - 0.0.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering - 0.0.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Aug 15 2014 Fedora Release Engineering - 0.0.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.0.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon Sep 16 2013 Jiri Popelka - 0.0.4-4
+- revert previous change, the code is not ready for this
+
+* Mon Sep 16 2013 Jiri Popelka - 0.0.4-3
+- use system kernel headers
+
+* Fri Sep 13 2013 Jiri Popelka - 0.0.4-2
+- install with '-p' (#1007964)
+
+* Fri Sep 13 2013 Jiri Popelka - 0.0.4-1
+- renamed arptables_jf to arptables
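Review bot: `%preun legacy` and `%postun legacy` run `%systemd_preun`/`%systemd_postun_with_restart` on `arptables.service`, but that unit is packaged by the `services` sub-package (`%files services`), which already carries its own `%post`/`%preun`/`%postun` for it. If `%systemd_preun` expands as the stock macro does (disable and stop on `$1 -eq 0`), removing only the legacy package — the normal step when switching the `arptables-helper` provider to the nft-based one the description mentions — disables the unit and, through its `ExecStop`, flushes the chains while `arptables-services` stays installed. The legacy scriptlets should be limited to the alternatives bookkeeping: drop `%preun legacy`, and keep `%systemd_postun_with_restart arptables.service` in `%postun legacy` only if a restart on upgrade is wanted, since that macro restarts but never disables. `%?ldconfig` under `%postun services` is also stray, as neither sub-package installs a shared library.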