From 43df5c61e90bc3e0bef6dab4f74eb2f94f6d388c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 01 2019 20:30:55 +0000 Subject: import iptables-1.4.21-33.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..18ac54b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/iptables-1.4.21.tar.bz2 diff --git a/.iptables.metadata b/.iptables.metadata new file mode 100644 index 0000000..8205ca4 --- /dev/null +++ b/.iptables.metadata @@ -0,0 +1 @@ +85d4160537546a23a7e42bc26dd7ee62a0ede4c8 SOURCES/iptables-1.4.21.tar.bz2 diff --git a/SOURCES/Consolidate-DEBUGP-macros.patch b/SOURCES/Consolidate-DEBUGP-macros.patch new file mode 100644 index 0000000..50d0ef9 --- /dev/null +++ b/SOURCES/Consolidate-DEBUGP-macros.patch @@ -0,0 +1,165 @@ +From 7fcb3a907824af6220007d91ef49095f990b1733 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:15:52 +0200 +Subject: [PATCH] Consolidate DEBUGP macros + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1668475 +Upstream Status: iptables commit 78b9d438037f2 +Conflicts: +* Context change due to missing commit 2963a8df2175b + ("iptables: Remove explicit static variables initalization.") +* Dropped changes to non-existing files iptables/nft-shared.h and + iptables/xtables-restore.c. + +commit 78b9d438037f2c83a7bbb73eb1b86cc295967905 +Author: Phil Sutter +Date: Thu Aug 2 17:05:15 2018 +0200 + + Consolidate DEBUGP macros + + This debug printing macro was defined in various places, always + identical. Move it into xshared.h and drop it from sources including + that header. There are a few exceptions: + + * iptables-xml.c did not include xshared.h, which this patch changes. + + * Sources in extensions and libiptc mostly left alone since they don't + include xshared.h (and maybe shouldn't). Only libxt_set.h does, so + it's converted, too. + + This also converts DEBUG define use in libip6t_hbh.c to avoid a compiler + warning. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libip6t_hbh.c | 6 ++---- + extensions/libxt_set.h | 6 ------ + iptables/ip6tables-restore.c | 6 ------ + iptables/iptables-restore.c | 6 ------ + iptables/iptables-xml.c | 7 +------ + iptables/xshared.h | 6 ++++++ + 6 files changed, 9 insertions(+), 28 deletions(-) + +diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c +index c0389ed8bafde..1c49ee71ada13 100644 +--- a/extensions/libip6t_hbh.c ++++ b/extensions/libip6t_hbh.c +@@ -5,8 +5,6 @@ + #include + #include + +-#define DEBUG 0 +- + enum { + O_HBH_LEN = 0, + O_HBH_OPTS, +@@ -83,7 +81,7 @@ parse_options(const char *optsstr, uint16_t *opts) + opts[i] |= (0x00FF); + } + +-#if DEBUG ++#ifdef DEBUG + printf("opts str: %s %s\n", cp, range); + printf("opts opt: %04X\n", opts[i]); + #endif +@@ -92,7 +90,7 @@ parse_options(const char *optsstr, uint16_t *opts) + + free(buffer); + +-#if DEBUG ++#ifdef DEBUG + printf("addr nr: %d\n", i); + #endif + +diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h +index 5a1bdcf730cf2..41dfbd30fc7c1 100644 +--- a/extensions/libxt_set.h ++++ b/extensions/libxt_set.h +@@ -8,12 +8,6 @@ + #include + #include "../iptables/xshared.h" + +-#ifdef DEBUG +-#define DEBUGP(x, args...) fprintf(stderr, x , ## args) +-#else +-#define DEBUGP(x, args...) +-#endif +- + static int + get_version(unsigned *version) + { +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index fdcc0cb5b2c06..611430d930eda 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -20,12 +20,6 @@ + #include "libiptc/libip6tc.h" + #include "ip6tables-multi.h" + +-#ifdef DEBUG +-#define DEBUGP(x, args...) fprintf(stderr, x, ## args) +-#else +-#define DEBUGP(x, args...) 
+-#endif +- + static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0; + + static struct timeval wait_interval = { +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index 5a8c2c738bb0f..b0da96d45d297 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -17,12 +17,6 @@ + #include "libiptc/libiptc.h" + #include "iptables-multi.h" + +-#ifdef DEBUG +-#define DEBUGP(x, args...) fprintf(stderr, x, ## args) +-#else +-#define DEBUGP(x, args...) +-#endif +- + static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0; + + static struct timeval wait_interval = { +diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c +index 92a5768f86903..c523a132b2240 100644 +--- a/iptables/iptables-xml.c ++++ b/iptables/iptables-xml.c +@@ -16,12 +16,7 @@ + #include "libiptc/libiptc.h" + #include "xtables-multi.h" + #include +- +-#ifdef DEBUG +-#define DEBUGP(x, args...) fprintf(stderr, x, ## args) +-#else +-#define DEBUGP(x, args...) +-#endif ++#include "xshared.h" + + struct xtables_globals iptables_xml_globals = { + .option_offset = 0, +diff --git a/iptables/xshared.h b/iptables/xshared.h +index 20dbbd12118ad..bfdb10b2701e5 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -9,6 +9,12 @@ + #include + #include + ++#ifdef DEBUG ++#define DEBUGP(x, args...) fprintf(stdout, x, ## args) ++#else ++#define DEBUGP(x, args...) ++#endif ++ + enum { + OPT_NONE = 0, + OPT_NUMERIC = 1 << 0, +-- +2.21.0 + diff --git a/SOURCES/Fix-a-few-cases-of-pointless-assignments.patch b/SOURCES/Fix-a-few-cases-of-pointless-assignments.patch new file mode 100644 index 0000000..f4b4de3 --- /dev/null +++ b/SOURCES/Fix-a-few-cases-of-pointless-assignments.patch 
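Review bot: The consolidated macro in iptables/xshared.h sends debug output to stdout, `#define DEBUGP(x, args...) fprintf(stdout, x, ## args)`, while every per-file definition removed here (libxt_set.h, ip6tables-restore.c, iptables-restore.c, iptables-xml.c) wrote to stderr. A DEBUG build of iptables-xml therefore mixes debug text into the XML it emits on stdout, and anything piping that output gets a corrupted document. Unless the stream change is intended, the shared definition should keep `#define DEBUGP(x, args...) fprintf(stderr, x, ## args)`; if it is intended, a one-line comment on the macro saying that debug output deliberately goes to stdout would spare the next reader the diff archaeology.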
@@ -0,0 +1,163 @@ +From b0c800d08b90b84d5d693d63602bcc4b43a07b6f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:34 +0100 +Subject: [PATCH] Fix a few cases of pointless assignments + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 7e50ebabbf9c3 +Conflicts: Dropped changes to non-existing nft-backend files. + +commit 7e50ebabbf9c3a5eeb9511d9f32c6104b56da5cd +Author: Phil Sutter +Date: Wed Sep 19 15:17:04 2018 +0200 + + Fix a few cases of pointless assignments + + This gets rid of a number of assignments which are either redundant or + not used afterwards. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 4 ++-- + iptables/iptables-restore.c | 4 ++-- + iptables/iptables-xml.c | 4 ++-- + libxtables/xtoptions.c | 2 +- + utils/nfnl_osf.c | 13 +++++-------- + 5 files changed, 12 insertions(+), 15 deletions(-) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index d610360a1c1ff..fdcc0cb5b2c06 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -427,7 +427,6 @@ int ip6tables_restore_main(int argc, char *argv[]) + + } else if (in_table) { + int a; +- char *ptr = buffer; + char *pcnt = NULL; + char *bcnt = NULL; + char *parsestart; +@@ -437,7 +436,8 @@ int ip6tables_restore_main(int argc, char *argv[]) + + if (buffer[0] == '[') { + /* we have counters in our input */ +- ptr = strchr(buffer, ']'); ++ char *ptr = strchr(buffer, ']'); ++ + if (!ptr) + xtables_error(PARAMETER_PROBLEM, + "Bad line %u: need ]\n", +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index db77fb77b3c98..5a8c2c738bb0f 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -426,7 +426,6 @@ iptables_restore_main(int argc, char *argv[]) + + } else if (in_table) { + int a; +- char *ptr = buffer; + char *pcnt = NULL; + char *bcnt = NULL; + char *parsestart; +@@ -436,7 +435,8 @@ iptables_restore_main(int argc, char *argv[]) + + if (buffer[0] == '[') { + /* we have counters in our input */ +- ptr = strchr(buffer, ']'); ++ char *ptr = strchr(buffer, ']'); ++ + if (!ptr) + xtables_error(PARAMETER_PROBLEM, + "Bad line %u: need ]\n", +diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c +index 962844762fc4e..92a5768f86903 100644 +--- a/iptables/iptables-xml.c ++++ b/iptables/iptables-xml.c +@@ -731,7 +731,6 @@ iptables_xml_main(int argc, char *argv[]) + ret = 1; + } else if (curTable[0]) { + unsigned int a; +- char *ptr = buffer; + char *pcnt = NULL; + char *bcnt = NULL; + char *parsestart; +@@ 
-747,7 +746,8 @@ iptables_xml_main(int argc, char *argv[]) + + if (buffer[0] == '[') { + /* we have counters in our input */ +- ptr = strchr(buffer, ']'); ++ char *ptr = strchr(buffer, ']'); ++ + if (!ptr) + xtables_error(PARAMETER_PROBLEM, + "Bad line %u: need ]\n", +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index 0c63c2d372dea..1ad4cb57f5836 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -282,7 +282,7 @@ static void xtopt_mint_value_to_ptr(struct xt_option_call *cb, void **datap, + static void xtopt_parse_mint(struct xt_option_call *cb) + { + const struct xt_option_entry *entry = cb->entry; +- const char *arg = cb->arg; ++ const char *arg; + size_t esize = xtopt_esize_by_type(entry->type); + const uintmax_t lmax = xtopt_max_by_type(entry->type); + void *put = XTOPT_MKPTR(cb); +diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c +index c67485ee698b1..0f8b35b805016 100644 +--- a/utils/nfnl_osf.c ++++ b/utils/nfnl_osf.c +@@ -157,7 +157,6 @@ static void xt_osf_parse_opt(struct xt_osf_opt *opt, __u16 *optnum, char *obuf, + i = 0; + while (ptr != NULL && i < olen && *ptr != 0) { + val = 0; +- op = 0; + wc = OSF_WSS_PLAIN; + switch (obuf[i]) { + case 'N': +@@ -344,7 +343,7 @@ static int osf_load_line(char *buffer, int len, int del) + pend = xt_osf_strchr(pbeg, OSFPDEL); + if (pend) { + *pend = '\0'; +- cnt = snprintf(obuf, sizeof(obuf), "%s,", pbeg); ++ snprintf(obuf, sizeof(obuf), "%s,", pbeg); + pbeg = pend + 1; + } + +@@ -352,25 +351,23 @@ static int osf_load_line(char *buffer, int len, int del) + if (pend) { + *pend = '\0'; + if (pbeg[0] == '@' || pbeg[0] == '*') +- cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1); ++ snprintf(f.genre, sizeof(f.genre), "%s", pbeg + 1); + else +- cnt = snprintf(f.genre, sizeof(f.genre), "%s", pbeg); ++ snprintf(f.genre, sizeof(f.genre), "%s", pbeg); + pbeg = pend + 1; + } + + pend = xt_osf_strchr(pbeg, OSFPDEL); + if (pend) { + *pend = '\0'; +- cnt = snprintf(f.version, 
sizeof(f.version), "%s", pbeg); ++ snprintf(f.version, sizeof(f.version), "%s", pbeg); + pbeg = pend + 1; + } + + pend = xt_osf_strchr(pbeg, OSFPDEL); + if (pend) { + *pend = '\0'; +- cnt = +- snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg); +- pbeg = pend + 1; ++ snprintf(f.subtype, sizeof(f.subtype), "%s", pbeg); + } + + xt_osf_parse_opt(f.opt, &f.opt_num, obuf, sizeof(obuf)); +-- +2.21.0 + diff --git a/SOURCES/Mark-fall-through-cases-in-switch-statements.patch b/SOURCES/Mark-fall-through-cases-in-switch-statements.patch new file mode 100644 index 0000000..f4c2152 --- /dev/null +++ b/SOURCES/Mark-fall-through-cases-in-switch-statements.patch @@ -0,0 +1,70 @@ +From 5527530396afccc43fddedbe6fdf1b4c6000b516 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:49:11 +0100 +Subject: [PATCH] Mark fall through cases in switch() statements + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 1788f545aae28 +Conflicts: Dropped changes to non-existing libebt_log.c, nft-shared.c + and revision 4 of libxt_set.c. + +commit 1788f545aae285fa3cd6595d5d25b2ae1b215282 +Author: Phil Sutter +Date: Wed Sep 19 15:16:45 2018 +0200 + + Mark fall through cases in switch() statements + + Typical covscan complaint, non-empty fall throughs should be marked as + such. There was but a single case which should break instead, namely in + libebt_log.c: It is not critical, since the next case merely asserts + 'invert' being zero (which can't be as it was checked before). But while + being at it, introduce log_chk_inv() to consolidate the semantically + equal cases for the various log types. + + Signed-off-by: Phil Sutter + 
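Review bot: In libxtables/xtoptions.c the declaration becomes `const char *arg;` with no initializer, and the hunk does not show the assignment that must now precede the first read of `arg`; xtopt_parse_mint starts and ends outside the hunk, so this should be confirmed against the full function rather than the commit message. In utils/nfnl_osf.c the dropped `cnt =` assignments are harmless, but they also make explicit that the `snprintf` results into `f.genre`, `f.version` and `f.subtype` were never checked, so a fingerprint line longer than those fixed fields is silently truncated and loaded as a different name. A truncation check such as `if (snprintf(f.genre, sizeof(f.genre), "%s", pbeg) >= (int)sizeof(f.genre))` followed by a rejection of the line would make the parse fail loudly instead. Removing `pbeg = pend + 1;` after the subtype field looks safe from what is visible, since the following call passes `obuf`, not `pbeg`.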
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_set.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c +index 2cb9e78a85f97..ec826367d6631 100644 +--- a/extensions/libxt_set.c ++++ b/extensions/libxt_set.c +@@ -60,6 +60,7 @@ set_parse_v0(int c, char **argv, int invert, unsigned int *flags, + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); ++ /* fall through */ + case '1': /* --match-set [, */ + if (info->u.flags[0]) + xtables_error(PARAMETER_PROBLEM, +@@ -140,6 +141,7 @@ set_parse_v1(int c, char **argv, int invert, unsigned int *flags, + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); ++ /* fall through */ + case '1': /* --match-set [, */ + if (info->dim) + xtables_error(PARAMETER_PROBLEM, +@@ -238,6 +240,7 @@ set_parse_v2(int c, char **argv, int invert, unsigned int *flags, + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); ++ /* fall through */ + case '1': /* --match-set [, */ + if (info->dim) + xtables_error(PARAMETER_PROBLEM, +@@ -415,6 +418,7 @@ set_parse_v3(int c, char **argv, int invert, unsigned int *flags, + case '2': + fprintf(stderr, + "--set option deprecated, please use --match-set\n"); ++ /* fall through */ + case '1': /* --match-set [, */ + if (info->match_set.dim) + xtables_error(PARAMETER_PROBLEM, +-- +2.21.0 + diff --git a/SOURCES/Share-print_ipv-4-6-_addr-from-xtables.patch b/SOURCES/Share-print_ipv-4-6-_addr-from-xtables.patch new file mode 100644 index 0000000..80879cc --- /dev/null +++ b/SOURCES/Share-print_ipv-4-6-_addr-from-xtables.patch 
@@ -0,0 +1,216 @@ +From 7c53ed370c79027455b4e342436da507be701e23 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] Share print_ipv{4,6}_addr() from xtables + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 8da04ffdca193 +Conflicts: +* Dropped changes to non-existing nft-ipv4.c and nft-ipv6.c. +* Context change in xshared.{c,h}. + +commit 8da04ffdca1931402a6bc22c43c1a2fa1c6f1e14 +Author: Phil Sutter +Date: Wed Sep 19 15:16:59 2018 +0200 + + Share print_ipv{4,6}_addr() from xtables + + These functions contain code which occurs in legacy's print_firewall() + functions, so use them there. + + Rename them to at least make clear they print more than a single + address. + + Also introduce ipv{4,6}_addr_to_string() which take care of converting + an address/netmask pair into string representation in a way which + doesn't upset covscan (since that didn't detect that 'buf' may not be + exceeded by the strings written into it. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables.c | 27 +----------------- + iptables/iptables.c | 25 +---------------- + iptables/xshared.c | 66 ++++++++++++++++++++++++++++++++++++++++++++ + iptables/xshared.h | 3 ++ + 4 files changed, 71 insertions(+), 50 deletions(-) + +diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c +index 76e36d44f6b25..fc2fd37cfe919 100644 +--- a/iptables/ip6tables.c ++++ b/iptables/ip6tables.c +@@ -541,7 +541,6 @@ print_firewall(const struct ip6t_entry *fw, + { + const struct xtables_target *target = NULL; + const struct xt_entry_target *t; +- char buf[BUFSIZ]; + + if (!ip6tc_is_chain(targname, handle)) + target = xtables_find_target(targname, XTF_TRY_LOAD); +@@ -609,31 +608,7 @@ print_firewall(const struct ip6t_entry *fw, + printf(FMT("%-6s ","out %s "), iface); + } + +- fputc(fw->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout); +- if (!memcmp(&fw->ipv6.smsk, &in6addr_any, sizeof in6addr_any) +- && !(format & FMT_NUMERIC)) +- printf(FMT("%-19s ","%s "), "anywhere"); +- else { +- if (format & FMT_NUMERIC) +- strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.src)); +- else +- strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.src)); +- strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.smsk)); +- printf(FMT("%-19s ","%s "), buf); +- } +- +- fputc(fw->ipv6.invflags & IP6T_INV_DSTIP ? '!' 
: ' ', stdout); +- if (!memcmp(&fw->ipv6.dmsk, &in6addr_any, sizeof in6addr_any) +- && !(format & FMT_NUMERIC)) +- printf(FMT("%-19s ","-> %s"), "anywhere"); +- else { +- if (format & FMT_NUMERIC) +- strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.dst)); +- else +- strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.dst)); +- strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.dmsk)); +- printf(FMT("%-19s ","-> %s"), buf); +- } ++ print_ipv6_addresses(fw, format); + + if (format & FMT_NOTABLE) + fputs(" ", stdout); +diff --git a/iptables/iptables.c b/iptables/iptables.c +index bac9fe0905e9f..dc70cc6e9b0ec 100644 +--- a/iptables/iptables.c ++++ b/iptables/iptables.c +@@ -526,7 +526,6 @@ print_firewall(const struct ipt_entry *fw, + const struct xtables_target *target = NULL; + const struct xt_entry_target *t; + uint8_t flags; +- char buf[BUFSIZ]; + + if (!iptc_is_chain(targname, handle)) + target = xtables_find_target(targname, XTF_TRY_LOAD); +@@ -595,29 +594,7 @@ print_firewall(const struct ipt_entry *fw, + printf(FMT("%-6s ","out %s "), iface); + } + +- fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout); +- if (fw->ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC)) +- printf(FMT("%-19s ","%s "), "anywhere"); +- else { +- if (format & FMT_NUMERIC) +- strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.src)); +- else +- strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.src)); +- strcat(buf, xtables_ipmask_to_numeric(&fw->ip.smsk)); +- printf(FMT("%-19s ","%s "), buf); +- } +- +- fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' 
: ' ', stdout); +- if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC)) +- printf(FMT("%-19s ","-> %s"), "anywhere"); +- else { +- if (format & FMT_NUMERIC) +- strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.dst)); +- else +- strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.dst)); +- strcat(buf, xtables_ipmask_to_numeric(&fw->ip.dmsk)); +- printf(FMT("%-19s ","-> %s"), buf); +- } ++ print_ipv4_addresses(fw, format); + + if (format & FMT_NOTABLE) + fputs(" ", stdout); +diff --git a/iptables/xshared.c b/iptables/xshared.c +index b8a81fd968361..742502154aa55 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -340,3 +340,69 @@ inline bool xs_has_arg(int argc, char *argv[]) + argv[optind][0] != '-' && + argv[optind][0] != '!'; + } ++ ++static const char *ipv4_addr_to_string(const struct in_addr *addr, ++ const struct in_addr *mask, ++ unsigned int format) ++{ ++ static char buf[BUFSIZ]; ++ ++ if (!mask->s_addr && !(format & FMT_NUMERIC)) ++ return "anywhere"; ++ ++ if (format & FMT_NUMERIC) ++ strncpy(buf, xtables_ipaddr_to_numeric(addr), BUFSIZ - 1); ++ else ++ strncpy(buf, xtables_ipaddr_to_anyname(addr), BUFSIZ - 1); ++ buf[BUFSIZ - 1] = '\0'; ++ ++ strncat(buf, xtables_ipmask_to_numeric(mask), ++ BUFSIZ - strlen(buf) - 1); ++ ++ return buf; ++} ++ ++void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format) ++{ ++ fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout); ++ printf(FMT("%-19s ", "%s "), ++ ipv4_addr_to_string(&fw->ip.src, &fw->ip.smsk, format)); ++ ++ fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' 
: ' ', stdout); ++ printf(FMT("%-19s ", "-> %s"), ++ ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format)); ++} ++ ++static const char *ipv6_addr_to_string(const struct in6_addr *addr, ++ const struct in6_addr *mask, ++ unsigned int format) ++{ ++ static char buf[BUFSIZ]; ++ ++ if (IN6_IS_ADDR_UNSPECIFIED(addr) && !(format & FMT_NUMERIC)) ++ return "anywhere"; ++ ++ if (format & FMT_NUMERIC) ++ strncpy(buf, xtables_ip6addr_to_numeric(addr), BUFSIZ - 1); ++ else ++ strncpy(buf, xtables_ip6addr_to_anyname(addr), BUFSIZ - 1); ++ buf[BUFSIZ - 1] = '\0'; ++ ++ strncat(buf, xtables_ip6mask_to_numeric(mask), ++ BUFSIZ - strlen(buf) - 1); ++ ++ return buf; ++} ++ ++void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format) ++{ ++ fputc(fw6->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout); ++ printf(FMT("%-19s ", "%s "), ++ ipv6_addr_to_string(&fw6->ipv6.src, ++ &fw6->ipv6.smsk, format)); ++ ++ fputc(fw6->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout); ++ printf(FMT("%-19s ", "-> %s"), ++ ipv6_addr_to_string(&fw6->ipv6.dst, ++ &fw6->ipv6.dmsk, format)); ++} +diff --git a/iptables/xshared.h b/iptables/xshared.h +index c35dfee47577d..20dbbd12118ad 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -113,4 +113,7 @@ bool xs_has_arg(int argc, char *argv[]); + + extern const struct xtables_afinfo *afinfo; + ++void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); ++void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); ++ + #endif /* IPTABLES_XSHARED_H */ +-- +2.21.0 + diff --git a/SOURCES/extensions-Add-macro-_DEFAULT_SOURCE.patch b/SOURCES/extensions-Add-macro-_DEFAULT_SOURCE.patch new file mode 100644 index 0000000..06a1fc9 --- /dev/null +++ b/SOURCES/extensions-Add-macro-_DEFAULT_SOURCE.patch 
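Review bot: The new `ipv6_addr_to_string` in iptables/xshared.c returns "anywhere" when `IN6_IS_ADDR_UNSPECIFIED(addr)`, i.e. it inspects the address, whereas the code it replaces in ip6tables.c tested the mask (`!memcmp(&fw->ipv6.smsk, &in6addr_any, ...)`) and the sibling `ipv4_addr_to_string` still tests the mask (`!mask->s_addr`). In non-numeric mode a rule whose source or destination is `::/128` would now be listed as "anywhere", which misrepresents the rule, and the two helpers disagree on their contract. The condition should be `if (IN6_IS_ADDR_UNSPECIFIED(mask) && !(format & FMT_NUMERIC))` to match the IPv4 path and the removed code. Both helpers also return a function-local `static char buf[BUFSIZ]`; that is fine for the immediate `printf` consumers here, but a comment `/* returns a static buffer: consume before the next call, not reentrant */` on each would prevent a later caller from holding two results at once.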
@@ -0,0 +1,60 @@ +From 3dcd69e5655a2485d39efd64b5bd9fd38fdb4a04 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:52:42 +0100 +Subject: [PATCH] extensions: Add macro _DEFAULT_SOURCE. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 27de281d8aca8 + +commit 27de281d8aca84e3c841b3ae72a17616b1382ac4 +Author: Varsha Rao +Date: Thu Dec 21 09:05:45 2017 +0530 + + extensions: Add macro _DEFAULT_SOURCE. + + Define _DEFAULT_SOURCE as _BSD_SOURCE is deprecated. + https://sourceware.org/glibc/wiki/Release/2.20#Packaging_Changes + + This patch fixes the following warning: + + warning: #warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use + _DEFAULT_SOURCE" [-Wcpp] + # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use + # _DEFAULT_SOURCE" + + Signed-off-by: Varsha Rao + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_hashlimit.c | 1 + + extensions/libxt_limit.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c +index c5b8d7795c5e5..6d64017022c00 100644 +--- a/extensions/libxt_hashlimit.c ++++ b/extensions/libxt_hashlimit.c +@@ -11,6 +11,7 @@ + * Error corections by nmalykh@bilim.com (22.01.2005) + */ + #define _BSD_SOURCE 1 ++#define _DEFAULT_SOURCE 1 + #define _ISOC99_SOURCE 1 + #include + #include +diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c +index f75ef2f87a74c..183a86e324211 100644 +--- a/extensions/libxt_limit.c ++++ b/extensions/libxt_limit.c +@@ -4,6 +4,7 @@ + * Hervé Eychenne + */ + #define _BSD_SOURCE 1 ++#define _DEFAULT_SOURCE 1 + #define _ISOC99_SOURCE 1 + #include + #include +-- +2.21.0 + diff --git a/SOURCES/extensions-Fix-ipvs-vproto-option-printing.patch b/SOURCES/extensions-Fix-ipvs-vproto-option-printing.patch new file mode 100644 index 0000000..148cf4e --- /dev/null +++ b/SOURCES/extensions-Fix-ipvs-vproto-option-printing.patch 
@@ -0,0 +1,42 @@ +From 21ef09de8df5a448df06a3fb6c7708440fe8b8ac Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:19:53 +0200 +Subject: [PATCH] extensions: Fix ipvs vproto option printing + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1679726 +Upstream Status: iptables commit dd1ad59f0df66 + +commit dd1ad59f0df66811335c10ed90c33151a658a50e +Author: Phil Sutter +Date: Thu Feb 21 20:09:31 2019 +0100 + + extensions: Fix ipvs vproto option printing + + This was broken since day 1: vproto option was printed as 'proto' which + in turn iptables wouldn't accept anymore. + + Fixes: c36d05e424069 ("libxt_ipvs: user-space lib for netfilter matcher xt_ipvs") + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_ipvs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c +index fe98fef951686..51952be4245b3 100644 +--- a/extensions/libxt_ipvs.c ++++ b/extensions/libxt_ipvs.c +@@ -165,7 +165,7 @@ static void ipvs_mt_dump(const void *ip, const struct xt_ipvs_mtinfo *data, + if (data->bitmask & XT_IPVS_PROTO) { + if (data->invert & XT_IPVS_PROTO) + printf(" !"); +- printf(" %sproto %u", prefix, data->l4proto); ++ printf(" %svproto %u", prefix, data->l4proto); + } + + if (data->bitmask & XT_IPVS_VADDR) { +-- +2.21.0 + diff --git a/SOURCES/extensions-Fix-ipvs-vproto-parsing.patch b/SOURCES/extensions-Fix-ipvs-vproto-parsing.patch new file mode 100644 index 0000000..93109a2 --- /dev/null +++ b/SOURCES/extensions-Fix-ipvs-vproto-parsing.patch 
@@ -0,0 +1,57 @@ +From dab2ab10ed0cb30fb454097200f440660a0f3946 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:19:53 +0200 +Subject: [PATCH] extensions: Fix ipvs vproto parsing + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1679726 +Upstream Status: iptables commit fcbdc69e8a750 + +commit fcbdc69e8a750fe02c9d7c7aced0efc91715132d +Author: Phil Sutter +Date: Thu Feb 21 20:09:30 2019 +0100 + + extensions: Fix ipvs vproto parsing + + This was broken by integration into guided option parser: + + * Make 'vproto' option XTTYPE_PROTOCOL, otherwise its arguments are + parsed as garbage only. + + * Drop O_VPROTO case from ipvs_mt_parse(), due to XTOPT_POINTER() and + above change there is nothing to do for it in there. + + Fixes: 372203af4c70f ("libxt_ipvs: use guided option parser") + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_ipvs.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c +index a6c57a030d2c6..fe98fef951686 100644 +--- a/extensions/libxt_ipvs.c ++++ b/extensions/libxt_ipvs.c +@@ -27,7 +27,7 @@ enum { + static const struct xt_option_entry ipvs_mt_opts[] = { + {.name = "ipvs", .id = O_IPVS, .type = XTTYPE_NONE, + .flags = XTOPT_INVERT}, +- {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_STRING, ++ {.name = "vproto", .id = O_VPROTO, .type = XTTYPE_PROTOCOL, + .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, l4proto)}, + {.name = "vaddr", .id = O_VADDR, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, +@@ -69,9 +69,6 @@ static void ipvs_mt_parse(struct xt_option_call *cb) + + xtables_option_parse(cb); + switch (cb->entry->id) { +- case O_VPROTO: +- data->l4proto = cb->val.protocol; +- break; + case O_VADDR: + memcpy(&data->vaddr, &cb->val.haddr, sizeof(cb->val.haddr)); + memcpy(&data->vmask, &cb->val.hmask, sizeof(cb->val.hmask)); +-- +2.21.0 + 
diff --git a/SOURCES/extensions-Initialize-linear-mapping-of-symbols-in-_.patch b/SOURCES/extensions-Initialize-linear-mapping-of-symbols-in-_.patch new file mode 100644 index 0000000..8752cae --- /dev/null +++ b/SOURCES/extensions-Initialize-linear-mapping-of-symbols-in-_.patch @@ -0,0 +1,139 @@ +From 861155bef2343e0259469dc8e4acde60e2c6fb91 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:29:38 +0200 +Subject: [PATCH] extensions: Initialize linear mapping of symbols in _init() + of extension + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 +Upstream Status: iptables commit 56aadc01b258e +Conflicts: Whitespace change due to missing commit f7c26137b0d57 + ("extensions: libipt_realm: Add translation to nft"). + +commit 56aadc01b258ef7849463723ab5ddc4885db22f6 +Author: Serhey Popovych +Date: Thu Mar 1 13:03:10 2018 +0200 + + extensions: Initialize linear mapping of symbols in _init() of extension + + libxt_devgroup and libipt_realm currently unable to display symbolic + names in save/print commands because linear mapping is not initialized. + + It looks bit confusing as linear mapping initialization is done in init() + of extension, which is expected to be called before any other function of + extension. + + However init is called only when '-m' option specified on command line, + that is true only for insert, append, replace and destroy iptables + commands. + + Move initialization to extension _init() function before calling + any function in extension. + + Before: + ------- + ... src-group 0x1 dst-group 0x2 + ... src-group 0x2 dst-group 0x1 + + After: + ------ + ... src-group grp1 dst-group grp2 + ... src-group grp2 dst-group grp1 + + Signed-off-by: Serhey Popovych + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libipt_realm.c | 17 +++++++---------- + extensions/libxt_devgroup.c | 17 +++++++---------- + 2 files changed, 14 insertions(+), 20 deletions(-) + +diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c +index a8d9dda0c00c0..fffb1218db7a6 100644 +--- a/extensions/libipt_realm.c ++++ b/extensions/libipt_realm.c +@@ -28,17 +28,10 @@ static const struct xt_option_entry realm_opts[] = { + XTOPT_TABLEEND, + }; + +-/* array of realms from /etc/iproute2/rt_realms */ ++static const char f_realms[] = "/etc/iproute2/rt_realms"; ++/* array of realms from f_realms[] */ + static struct xtables_lmap *realms; + +-static void realm_init(struct xt_entry_match *m) +-{ +- const char file[] = "/etc/iproute2/rt_realms"; +- realms = xtables_lmap_init(file); +- if (realms == NULL && errno != ENOENT) +- fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); +-} +- + static void realm_parse(struct xt_option_call *cb) + { + struct xt_realm_info *realminfo = cb->data; +@@ -114,7 +107,6 @@ static struct xtables_match realm_mt_reg = { + .size = XT_ALIGN(sizeof(struct xt_realm_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_realm_info)), + .help = realm_help, +- .init = realm_init, + .print = realm_print, + .save = realm_save, + .x6_parse = realm_parse, +@@ -123,5 +115,10 @@ static struct xtables_match realm_mt_reg = { + + void _init(void) + { ++ realms = xtables_lmap_init(f_realms); ++ if (realms == NULL && errno != ENOENT) ++ fprintf(stderr, "Warning: %s: %s\n", f_realms, ++ strerror(errno)); ++ + xtables_register_match(&realm_mt_reg); + } +diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c +index fb1fcb51c1bb2..ebfa2aee80cf2 100644 +--- a/extensions/libxt_devgroup.c ++++ b/extensions/libxt_devgroup.c +@@ -31,17 +31,10 @@ static const struct xt_option_entry devgroup_opts[] = { + XTOPT_TABLEEND, + }; + +-/* array of devgroups from /etc/iproute2/group */ ++static const char 
f_devgroups[] = "/etc/iproute2/group"; ++/* array of devgroups from f_devgroups[] */ + static struct xtables_lmap *devgroups; + +-static void devgroup_init(struct xt_entry_match *match) +-{ +- const char file[] = "/etc/iproute2/group"; +- devgroups = xtables_lmap_init(file); +- if (devgroups == NULL && errno != ENOENT) +- fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); +-} +- + static void devgroup_parse_groupspec(const char *arg, unsigned int *group, + unsigned int *mask) + { +@@ -157,7 +150,6 @@ static struct xtables_match devgroup_mt_reg = { + .family = NFPROTO_UNSPEC, + .size = XT_ALIGN(sizeof(struct xt_devgroup_info)), + .userspacesize = XT_ALIGN(sizeof(struct xt_devgroup_info)), +- .init = devgroup_init, + .help = devgroup_help, + .print = devgroup_print, + .save = devgroup_save, +@@ -168,5 +160,10 @@ static struct xtables_match devgroup_mt_reg = { + + void _init(void) + { ++ devgroups = xtables_lmap_init(f_devgroups); ++ if (devgroups == NULL && errno != ENOENT) ++ fprintf(stderr, "Warning: %s: %s\n", f_devgroups, ++ strerror(errno)); ++ + xtables_register_match(&devgroup_mt_reg); + } +-- +2.21.0 + diff --git a/SOURCES/extensions-REJECT-Check-for-array-overrun.patch b/SOURCES/extensions-REJECT-Check-for-array-overrun.patch new file mode 100644 index 0000000..58bf9da --- /dev/null +++ b/SOURCES/extensions-REJECT-Check-for-array-overrun.patch 
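Review bot: Both `_init()` functions test `errno != ENOENT` after `xtables_lmap_init()` without clearing errno first, so if that helper can return NULL without setting errno (an allocation or parse failure, say; the helper is outside this patch) the warning would report whatever value an earlier call left behind. Adding `errno = 0;` immediately before `realms = xtables_lmap_init(f_realms);` (and likewise before the devgroups call) makes the reported reason trustworthy. Since the lookup now runs whenever the extension is loaded rather than only when the match is given on the command line, a non-ENOENT failure on the mapping file will be printed on every iptables invocation that loads the match, including save and list; that seems to be the intended trade-off, but the callbacks that print symbolic names must keep tolerating `realms`/`devgroups` being NULL, which cannot be verified from this hunk.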
@@ -0,0 +1,72 @@ +From 20f5f3c0c3b4cebc60af3d2def0ac983f54bfb06 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:52:01 +0100 +Subject: [PATCH] extensions: REJECT: Check for array overrun + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: RHEL-only + +This might happen in theory if enum ip6t_reject_with was extended in +kernel and some other tool added a rule making use of the new value. + +Signed-off-by: Phil Sutter +--- + extensions/libip6t_REJECT.c | 8 ++++++++ + extensions/libipt_REJECT.c | 8 ++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c +index 8085321a6d654..86f2d04296294 100644 +--- a/extensions/libip6t_REJECT.c ++++ b/extensions/libip6t_REJECT.c +@@ -104,6 +104,10 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target, + for (i = 0; i < ARRAY_SIZE(reject_table); ++i) + if (reject_table[i].with == reject->with) + break; ++ if (i == ARRAY_SIZE(reject_table)) ++ xtables_error(VERSION_PROBLEM, ++ "unknown reject type %d in ruleset", ++ reject->with); + printf(" reject-with %s", reject_table[i].name); + } + +@@ -116,6 +120,10 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target) + for (i = 0; i < ARRAY_SIZE(reject_table); ++i) + if (reject_table[i].with == reject->with) + break; ++ if (i == ARRAY_SIZE(reject_table)) ++ xtables_error(VERSION_PROBLEM, ++ "unknown reject type %d in ruleset", ++ reject->with); + + printf(" --reject-with %s", reject_table[i].name); + } +diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c +index 362c65ed88e96..5573ebd28022c 100644 +--- a/extensions/libipt_REJECT.c ++++ b/extensions/libipt_REJECT.c +@@ -124,6 +124,10 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target, + for (i = 0; i < ARRAY_SIZE(reject_table); ++i) + if (reject_table[i].with == reject->with) + break; ++ if (i == ARRAY_SIZE(reject_table)) ++ 
xtables_error(VERSION_PROBLEM, ++ "unknown reject type %d in ruleset", ++ reject->with); + printf(" reject-with %s", reject_table[i].name); + } + +@@ -136,6 +140,10 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target) + for (i = 0; i < ARRAY_SIZE(reject_table); ++i) + if (reject_table[i].with == reject->with) + break; ++ if (i == ARRAY_SIZE(reject_table)) ++ xtables_error(VERSION_PROBLEM, ++ "unknown reject type %d in ruleset", ++ reject->with); + + printf(" --reject-with %s", reject_table[i].name); + } +-- +2.21.0 + diff --git a/SOURCES/extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch b/SOURCES/extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch new file mode 100644 index 0000000..9a14186 --- /dev/null +++ b/SOURCES/extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch @@ -0,0 +1,48 @@ +From 2c7f817f6dc2d74d99248403b0ef7e36bcf060c8 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:29:38 +0200 +Subject: [PATCH] extensions: libxt_devgroup: Fix the path of the group + mappings file + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 +Upstream Status: iptables commit 93ad9ea1b86bd + +commit 93ad9ea1b86bdaacffd8e33654abcea3d4e148b2 +Author: Ana Rey +Date: Thu Sep 18 13:06:42 2014 +0200 + + extensions: libxt_devgroup: Fix the path of the group mappings file + + Use "/etc/iproute2/group" as the default path to the mapping file + instead of "/etc/iproute2/group_map". + + Signed-off-by: Ana Rey + 
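Review bot: The lookup-plus-sentinel sequence added to REJECT_print and REJECT_save is now repeated four times across libip6t_REJECT.c and libipt_REJECT.c; a small static helper that returns the matching table entry's name and aborts on a miss would keep the bound check in one place and stop the copies from drifting. The ordering in the hunk is correct as written — the check sits before `reject_table[i].name` is dereferenced — so this is a point of style only. The helper below relies on `xtables_error()` not returning, which is how the hunk already uses it; if it is not declared noreturn in this tree the trailing `return NULL;` keeps the compiler quiet.
```c
/* Name of reject type 'with', or abort: an unknown value means the
 * ruleset was written by a newer kernel/tool than this build knows. */
static const char *reject_name(unsigned int with)
{
	unsigned int i;

	for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
		if (reject_table[i].with == with)
			return reject_table[i].name;
	xtables_error(VERSION_PROBLEM, "unknown reject type %u in ruleset", with);
	return NULL; /* not reached */
}

/* … unchanged: REJECT_print prologue … */
	printf(" reject-with %s", reject_name(reject->with));
/* … unchanged: REJECT_save prologue … */
	printf(" --reject-with %s", reject_name(reject->with));
```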
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_devgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c +index 4a69c8229ce4a..fb1fcb51c1bb2 100644 +--- a/extensions/libxt_devgroup.c ++++ b/extensions/libxt_devgroup.c +@@ -31,12 +31,12 @@ static const struct xt_option_entry devgroup_opts[] = { + XTOPT_TABLEEND, + }; + +-/* array of devgroups from /etc/iproute2/group_map */ ++/* array of devgroups from /etc/iproute2/group */ + static struct xtables_lmap *devgroups; + + static void devgroup_init(struct xt_entry_match *match) + { +- const char file[] = "/etc/iproute2/group_map"; ++ const char file[] = "/etc/iproute2/group"; + devgroups = xtables_lmap_init(file); + if (devgroups == NULL && errno != ENOENT) + fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); +-- +2.21.0 + diff --git a/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch b/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch new file mode 100644 index 0000000..e7658b0 --- /dev/null +++ b/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch @@ -0,0 +1,61 @@ +From 12852e5c973ef9e5d33c1dc1a21c659f4dc6227b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 11 May 2018 15:28:07 +0200 +Subject: [PATCH] extensions: libxt_tcpmss: Detect invalid ranges + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1128510 +Upstream Status: iptables commit dbbab0aa328f1 + +commit dbbab0aa328f136502373a1031e64eb53fa113e5 +Author: Phil Sutter +Date: Mon Oct 9 15:47:39 2017 +0200 + + extensions: libxt_tcpmss: Detect invalid ranges + + Previously, an MSS range of e.g. 65535:1000 was silently accepted but + would then never match a packet since the kernel checks whether the MSS + value is greater than or equal to the first *and* less than or equal to + the second value. + + Detect this as a parameter problem and update the man page accordingly. + + 
Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_tcpmss.c | 6 +++++- + extensions/libxt_tcpmss.man | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c +index c7c5971716294..bcd357aa3d8e2 100644 +--- a/extensions/libxt_tcpmss.c ++++ b/extensions/libxt_tcpmss.c +@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb) + xtables_option_parse(cb); + mssinfo->mss_min = cb->val.u16_range[0]; + mssinfo->mss_max = mssinfo->mss_min; +- if (cb->nvals == 2) ++ if (cb->nvals == 2) { + mssinfo->mss_max = cb->val.u16_range[1]; ++ if (mssinfo->mss_max < mssinfo->mss_min) ++ xtables_error(PARAMETER_PROBLEM, ++ "tcpmss: invalid range given"); ++ } + if (cb->invert) + mssinfo->invert = 1; + } +diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man +index 8ee715cdbfb07..8253c363418f8 100644 +--- a/extensions/libxt_tcpmss.man ++++ b/extensions/libxt_tcpmss.man +@@ -1,4 +1,4 @@ + This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time. + .TP + [\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP] +-Match a given TCP MSS value or range. ++Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP. +-- +2.17.0 + diff --git a/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch b/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch new file mode 100644 index 0000000..60f605f --- /dev/null +++ b/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch 
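Review bot: The rejection added in tcpmss_parse reports only `invalid range given`, without the values that triggered it; both ends are already stored in `mssinfo`, so include them so the user sees which bound is wrong, e.g. `"tcpmss: invalid range %u:%u, second value must not be smaller than the first", (unsigned int)mssinfo->mss_min, (unsigned int)mssinfo->mss_max`. The comparison itself is correct and matches the kernel semantics the commit message describes. The opening lines of tcpmss_parse are outside the hunk.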
@@ -0,0 +1,61 @@ +From a7da716205fb6009f665a4e91b28c7782cf47ce2 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 11 May 2018 16:34:48 +0200 +Subject: [PATCH] ip{,6}tables-restore: Don't accept wait-interval without wait + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078 +Upstream Status: iptables commit 21ba5b3874fb3 + +commit 21ba5b3874fb3d0c4cccc9b59f65c8df575211e2 +Author: Phil Sutter +Date: Wed Sep 20 19:34:36 2017 +0200 + + ip{,6}tables-restore: Don't accept wait-interval without wait + + If -W was given, error out if -w wasn't since that doesn't make + sense. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 5 +++++ + iptables/iptables-restore.c | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index 0f85fee3593d5..e2a82c57bd426 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -271,6 +271,11 @@ int ip6tables_restore_main(int argc, char *argv[]) + } + else in = stdin; + ++ if (!wait_interval.tv_sec && !wait) { ++ fprintf(stderr, "Option --wait-interval requires option --wait\n"); ++ exit(1); ++ } ++ + /* Grab standard input. */ + while (fgets(buffer, sizeof(buffer), in)) { + int ret = 0; +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index 6d0df8d1c0f36..af0c79408631d 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -270,6 +270,11 @@ iptables_restore_main(int argc, char *argv[]) + } + else in = stdin; + ++ if (!wait_interval.tv_sec && !wait) { ++ fprintf(stderr, "Option --wait-interval requires option --wait\n"); ++ exit(1); ++ } ++ + /* Grab standard input. */ + while (fgets(buffer, sizeof(buffer), in)) { + int ret = 0; +-- +2.17.0 + 
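Review bot: The new guard in both restore mains infers that `-W` was given from `wait_interval.tv_sec` being zero, which is an indirect signal: it depends on the option parser zeroing `tv_sec` and on the default value being non-zero, both of which live outside this hunk, so a change to either silently breaks the check. Tracking the option explicitly is more robust — the main commands in this same import already keep a `wait_interval_set` flag for exactly this — so the check becomes `if (wait_interval_set && !wait) {` with a bool set beside `wait` where `-W` is parsed. The check also runs after the input file has been opened; moving it ahead of the `fopen` avoids leaving `in` open on the `exit(1)` path, though the immediate exit makes that mostly cosmetic.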
diff --git a/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch b/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch new file mode 100644 index 0000000..d69e43a --- /dev/null +++ b/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch @@ -0,0 +1,42 @@ +From f5757357c0bb6b5df843d15b90f235190d3b4448 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 11 May 2018 16:34:48 +0200 +Subject: [PATCH] ip{,6}tables-restore: Don't ignore missing wait-interval + value + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078 +Upstream Status: iptables commit 60e0ffd365a2d + +commit 60e0ffd365a2d936b3df13c1289b2ef57b756d92 +Author: Phil Sutter +Date: Wed Sep 20 19:34:35 2017 +0200 + + ip{,6}tables-restore: Don't ignore missing wait-interval value + + Passing -W without a value doesn't make sense so bail out if none was + given. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/xshared.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 3fbe3b1a99b77..b8a81fd968361 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -318,7 +318,7 @@ void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval) + else if (xs_has_arg(argc, argv)) + arg = argv[optind++]; + else +- return; ++ xtables_error(PARAMETER_PROBLEM, "wait interval value required"); + + ret = sscanf(arg, "%u", &usec); + if (ret == 1) { +-- +2.17.0 + diff --git a/SOURCES/ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch b/SOURCES/ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch new file mode 100644 index 0000000..4401ada --- /dev/null +++ b/SOURCES/ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch 
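Review bot: The hunk correctly refuses a bare `-W`, but the value that does follow is still parsed with `sscanf(arg, "%u", &usec)` on the line just below, which accepts a leading sign and trailing junk such as `100x` without complaint, so the option is only half validated unless a later range check happens to catch it. Parsing with `strtoul` and checking the end pointer and `ERANGE` closes that; the `if (ret == 1)` block that follows would then become unconditional. parse_wait_interval's body continues past the hunk, and `<errno.h>`/`<limits.h>` are needed if xshared.c does not already include them.
```c
	else
		xtables_error(PARAMETER_PROBLEM, "wait interval value required");

	/* Strict parse: reject sign, trailing characters and overflow. */
	errno = 0;
	val = strtoul(arg, &end, 10);
	if (*arg == '-' || end == arg || *end != '\0' || errno == ERANGE || val > UINT_MAX)
		xtables_error(PARAMETER_PROBLEM, "wait interval not numeric: %s", arg);
	usec = (unsigned int)val;
	/* … unchanged: conversion of usec into *wait_interval … */
```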
@@ -0,0 +1,57 @@ +From 721bb877b759a0c92e6b019447fd3ee33d123cc0 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] ip{, 6}tables-restore: Fix for uninitialized array 'curtable' + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 4e499d53d558b + +commit 4e499d53d558bed55c8fe74390250dbfd6da3efc +Author: Phil Sutter +Date: Wed Sep 19 15:16:46 2018 +0200 + + ip{, 6}tables-restore: Fix for uninitialized array 'curtable' + + When reading sufficiently malformed input, parser might hit end of + loop without having written the current table name into curtable and + therefore calling strcmp() with uninitialized buffer. Avoid this by + setting curtable to zero upon declaration. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 2 +- + iptables/iptables-restore.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index e2a82c57bd426..d610360a1c1ff 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -192,7 +192,7 @@ int ip6tables_restore_main(int argc, char *argv[]) + struct xtc_handle *handle = NULL; + char buffer[10240]; + int c, lock; +- char curtable[XT_TABLE_MAXNAMELEN + 1]; ++ char curtable[XT_TABLE_MAXNAMELEN + 1] = {}; + FILE *in; + int in_table = 0, testing = 0; + const char *tablename = NULL; +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index af0c79408631d..db77fb77b3c98 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -191,7 +191,7 @@ iptables_restore_main(int argc, char *argv[]) + struct xtc_handle *handle = NULL; + char buffer[10240]; + int c, lock; +- char curtable[XT_TABLE_MAXNAMELEN + 1]; ++ char curtable[XT_TABLE_MAXNAMELEN + 1] = {}; + FILE *in; + int in_table = 0, testing = 0; + const char *tablename = NULL; +-- +2.21.0 + diff --git a/SOURCES/iptables-1.4.21-configure_set_lock_file_path.patch b/SOURCES/iptables-1.4.21-configure_set_lock_file_path.patch new file mode 100644 index 0000000..4132f96 --- /dev/null +++ b/SOURCES/iptables-1.4.21-configure_set_lock_file_path.patch 
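Review bot: `= {}` on an array is a GNU extension (an empty initializer only became standard in C23), so the fix should use the portable spelling `char curtable[XT_TABLE_MAXNAMELEN + 1] = "";`, which zero-fills the whole buffer the same way. The initialization does stop the later strcmp from reading indeterminate bytes, as the commit message says; whether the restore loop should additionally refuse to act on a line that arrives before any `*table` header is a separate question, since that logic is outside the hunk.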
@@ -0,0 +1,97 @@ +Adapted version of + +commit b91af533f4da15854893ba5cc082e1df6bcf9a97 +Author: Lorenzo Colitti +Date: Tue Mar 14 17:55:50 2017 +0900 + + iptables: set the path of the lock file via a configure option. + + Currently the iptables lock is hardcoded as "/run/xtables.lock". + Allow users to change this path using the --with-xt-lock-name + option to ./configure option. This is useful on systems like + Android which do not have /run. + + Tested on Ubuntu, as follows: + + 1. By default, the lock is placed in /run/xtables.lock: + + $ make distclean-recursive && ./autogen.sh && + ./configure --disable-nftables --prefix /tmp/iptables && + make -j64 && + make install && + sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo + ... + open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 + flock(3, LOCK_EX|LOCK_NB) = 0 + iptables: No chain/target/match by that name. + + 2. Specifying the lock results in the expected location being + used: + + $ make distclean-recursive && ./autogen.sh && \ + ./configure --disable-nftables --prefix /tmp/iptables \ + --with-xt-lock-name=/tmp/iptables/run/xtables.lock && + make -j64 && + make install && + sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo + ... + open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 + flock(3, LOCK_EX|LOCK_NB) = 0 + iptables: No chain/target/match by that name. + + Signed-off-by: Lorenzo Colitti + 
Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/configure.ac.configure_set_lock_file_path iptables-1.4.21/configure.ac +--- iptables-1.4.21/configure.ac.configure_set_lock_file_path 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/configure.ac 2017-04-05 14:47:17.308782472 +0200 +@@ -60,6 +60,10 @@ AC_ARG_ENABLE([nfsynproxy], + AC_ARG_WITH([pkgconfigdir], AS_HELP_STRING([--with-pkgconfigdir=PATH], + [Path to the pkgconfig directory [[LIBDIR/pkgconfig]]]), + [pkgconfigdir="$withval"], [pkgconfigdir='${libdir}/pkgconfig']) ++AC_ARG_WITH([xt-lock-name], AS_HELP_STRING([--with-xt-lock-name=PATH], ++ [Path to the xtables lock [[/run/xtables.lock]]]), ++ [xt_lock_name="$withval"], ++ [xt_lock_name="/run/xtables.lock"]) + + libiptc_LDFLAGS2=""; + AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed], +@@ -118,7 +122,7 @@ AM_CONDITIONAL([HAVE_LIBNFNETLINK], [tes + regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \ + -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ + -Winline -pipe"; +-regular_CPPFLAGS="${largefile_cppflags} -D_REENTRANT \ ++regular_CPPFLAGS="${largefile_cppflags} -DXT_LOCK_NAME=\\\"\${xt_lock_name}\\\" -D_REENTRANT \ + -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL"; + kinclude_CPPFLAGS=""; + if [[ -n "$kbuilddir" ]]; then +@@ -156,6 +160,7 @@ AC_SUBST([libxtables_vcurrent]) + AC_SUBST([libxtables_vage]) + libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage)); + AC_SUBST([libxtables_vmajor]) ++AC_SUBST([xt_lock_name]) + + AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile + iptables/Makefile iptables/xtables.pc +@@ -188,7 +193,8 @@ Build parameters: + Support plugins via dlopen (shared): ${enable_shared} + Installation prefix (--prefix): ${prefix} + Xtables extension directory: ${e_xtlibdir} +- Pkg-config directory: ${e_pkgconfigdir}" ++ Pkg-config directory: ${e_pkgconfigdir} ++ Xtables lock file: ${xt_lock_name}" + + if [[ -n "$ksourcedir" ]]; then + echo " Kernel source 
directory: ${ksourcedir}" +diff -up iptables-1.4.21/iptables/xshared.c.configure_set_lock_file_path iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.configure_set_lock_file_path 2017-04-05 14:46:47.861540910 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:46:47.863540927 +0200 +@@ -17,8 +17,6 @@ + #include + #include "xshared.h" + +-#define XT_LOCK_NAME "/run/xtables.lock" +- + /* + * Print out any special helps. A user might like to be able to add a --help + * to the commandline, and see expected results. So we call help for all diff --git a/SOURCES/iptables-1.4.21-flock_wait.patch b/SOURCES/iptables-1.4.21-flock_wait.patch new file mode 100644 index 0000000..82448ce --- /dev/null +++ b/SOURCES/iptables-1.4.21-flock_wait.patch 
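Review bot: The new `--with-xt-lock-name` option accepts any path, and the commit message's own test places the lock under `/tmp/iptables/run/`; a lock file in a directory unprivileged users can write to reintroduces the problem flock-based locking was adopted to solve (the flock_wait patch in this same import notes an unprivileged process could create the abstract socket and block legitimate instances), since anyone can pre-create the file or hold `flock()` on it. At minimum the help text should say so, e.g. `[Path to the xtables lock; must live in a directory writable only by root [[/run/xtables.lock]]]`, and the lock-opening code could refuse a lock file not owned by root. The default `/run/xtables.lock` is unaffected by this.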
@@ -0,0 +1,88 @@ +From aa562a660d1555b13cffbac1e744033e91f82707 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 16 Jan 2015 14:21:57 +0100 +Subject: iptables: use flock() instead of abstract unix sockets + +Abstract unix sockets cannot be used to synchronize several concurrent +instances of iptables since an unpriviledged process can create them and +prevent the legitimate iptables instance from running. + +Use flock() and /run instead as suggested by Lennart Poettering. + +Fixes: 93587a0 ("ip[6]tables: Add locking to prevent concurrent instances") +Reported-by: Lennart Poettering +Cc: Phil Oester +Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index b18022e..7beb86b 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -9,11 +9,11 @@ + #include + #include + #include ++#include + #include + #include "xshared.h" + +-#define XT_SOCKET_NAME "xtables" +-#define XT_SOCKET_LEN 8 ++#define XT_LOCK_NAME "/run/xtables.lock" + + /* + * Print out any special helps. 
A user might like to be able to add a --help +@@ -245,22 +245,14 @@ void xs_init_match(struct xtables_match *match) + + bool xtables_lock(int wait) + { +- int i = 0, ret, xt_socket; +- struct sockaddr_un xt_addr; +- int waited = 0; +- +- memset(&xt_addr, 0, sizeof(xt_addr)); +- xt_addr.sun_family = AF_UNIX; +- strcpy(xt_addr.sun_path+1, XT_SOCKET_NAME); +- xt_socket = socket(AF_UNIX, SOCK_STREAM, 0); +- /* If we can't even create a socket, fall back to prior (lockless) behavior */ +- if (xt_socket < 0) ++ int fd, waited = 0, i = 0; ++ ++ fd = open(XT_LOCK_NAME, O_CREAT, 0600); ++ if (fd < 0) + return true; + + while (1) { +- ret = bind(xt_socket, (struct sockaddr*)&xt_addr, +- offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN); +- if (ret == 0) ++ if (flock(fd, LOCK_EX | LOCK_NB) == 0) + return true; + else if (wait >= 0 && waited >= wait) + return false; +-- +cgit v0.10.2 + +commit 6dc53c514f1e4683e51a877b3a2f3128cfccef28 +Author: Pablo Neira Ayuso +Date: Mon Feb 16 16:57:39 2015 +0100 + + xshared: calm down compilation warning + + xshared.c: In function ‘xtables_lock’: + xshared.c:255:3: warning: implicit declaration of function ‘flock’ [-Wimplicit-function-declaration] + + Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 7beb86b..81c2581 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/SOURCES/iptables-1.4.21-libxt_cgroup.patch b/SOURCES/iptables-1.4.21-libxt_cgroup.patch new file mode 100644 index 0000000..b0cf8ad --- /dev/null +++ b/SOURCES/iptables-1.4.21-libxt_cgroup.patch 
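Review bot: When the lock file cannot be opened, `if (fd < 0) return true;` proceeds with no locking at all while telling the caller the lock was taken, and the rewrite drops the comment that used to explain this fallback. That is presumably a deliberate best-effort, but it should at least warn on stderr so an operator can tell concurrent instances are unsynchronized, and the descriptor should be opened with `O_CLOEXEC` so a held lock is not inherited by any child process. `strerror`/`errno` need `<string.h>`/`<errno.h>` if xshared.c does not already include them; the flock() retry loop continues outside the hunk.
```c
	/* Best effort: if the lock file is unusable, fall back to the prior
	 * (lockless) behaviour rather than refusing to run, but say so. */
	fd = open(XT_LOCK_NAME, O_CREAT | O_CLOEXEC, 0600);
	if (fd < 0) {
		fprintf(stderr, "Warning: could not open lock file %s: %s\n",
			XT_LOCK_NAME, strerror(errno));
		return true;
	}
	/* … unchanged: flock() retry loop … */
```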
@@ -0,0 +1,126 @@ +From 6465867eb48506687872b838b1ddfee61d1a0aeb Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Mon, 23 Dec 2013 18:46:29 +0100 +Subject: iptables: add libxt_cgroup frontend + +This patch adds the user space extension/frontend for process matching +based on cgroups from the kernel patch entitled "netfilter: xtables: +lightweight process control group matching". + +Signed-off-by: Daniel Borkmann +Signed-off-by: Pablo Neira Ayuso + +diff --git a/extensions/libxt_cgroup.c b/extensions/libxt_cgroup.c +new file mode 100644 +index 0000000..e304e33 +--- /dev/null ++++ b/extensions/libxt_cgroup.c +@@ -0,0 +1,67 @@ ++#include ++#include ++#include ++ ++enum { ++ O_CGROUP = 0, ++}; ++ ++static void cgroup_help(void) ++{ ++ printf( ++"cgroup match options:\n" ++"[!] --cgroup fwid Match cgroup fwid\n"); ++} ++ ++static const struct xt_option_entry cgroup_opts[] = { ++ { ++ .name = "cgroup", ++ .id = O_CGROUP, ++ .type = XTTYPE_UINT32, ++ .flags = XTOPT_INVERT | XTOPT_MAND | XTOPT_PUT, ++ XTOPT_POINTER(struct xt_cgroup_info, id) ++ }, ++ XTOPT_TABLEEND, ++}; ++ ++static void cgroup_parse(struct xt_option_call *cb) ++{ ++ struct xt_cgroup_info *cgroupinfo = cb->data; ++ ++ xtables_option_parse(cb); ++ if (cb->invert) ++ cgroupinfo->invert = true; ++} ++ ++static void ++cgroup_print(const void *ip, const struct xt_entry_match *match, int numeric) ++{ ++ const struct xt_cgroup_info *info = (void *) match->data; ++ ++ printf(" cgroup %s%u", info->invert ? "! ":"", info->id); ++} ++ ++static void cgroup_save(const void *ip, const struct xt_entry_match *match) ++{ ++ const struct xt_cgroup_info *info = (void *) match->data; ++ ++ printf("%s --cgroup %u", info->invert ? " !" 
: "", info->id); ++} ++ ++static struct xtables_match cgroup_match = { ++ .family = NFPROTO_UNSPEC, ++ .name = "cgroup", ++ .version = XTABLES_VERSION, ++ .size = XT_ALIGN(sizeof(struct xt_cgroup_info)), ++ .userspacesize = XT_ALIGN(sizeof(struct xt_cgroup_info)), ++ .help = cgroup_help, ++ .print = cgroup_print, ++ .save = cgroup_save, ++ .x6_parse = cgroup_parse, ++ .x6_options = cgroup_opts, ++}; ++ ++void _init(void) ++{ ++ xtables_register_match(&cgroup_match); ++} +diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man +new file mode 100644 +index 0000000..456a031 +--- /dev/null ++++ b/extensions/libxt_cgroup.man +@@ -0,0 +1,15 @@ ++.TP ++[\fB!\fP] \fB\-\-cgroup\fP \fIfwid\fP ++Match corresponding cgroup for this packet. ++ ++Can be used to assign particular firewall policies for aggregated ++task/jobs on the system. This allows for more fine-grained firewall ++policies that only match for a subset of the system's processes. ++fwid is the maker set through the net_cls cgroup's id. ++.PP ++Example: ++.PP ++iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1 ++\-j DROP ++.PP ++Available since Linux 3.14. +diff --git a/include/linux/netfilter/xt_cgroup.h b/include/linux/netfilter/xt_cgroup.h +new file mode 100644 +index 0000000..943d3a0 +--- /dev/null ++++ b/include/linux/netfilter/xt_cgroup.h +@@ -0,0 +1,11 @@ ++#ifndef _XT_CGROUP_H ++#define _XT_CGROUP_H ++ ++#include ++ ++struct xt_cgroup_info { ++ __u32 id; ++ __u32 invert; ++}; ++ ++#endif /* _XT_CGROUP_H */ +-- +cgit v0.10.2 + diff --git a/SOURCES/iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch b/SOURCES/iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch new file mode 100644 index 0000000..07836ca --- /dev/null +++ b/SOURCES/iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch 
@@ -0,0 +1,67 @@ +Adapted version of + +commit 836846f0d747e1be8e37d2d43b215a68b30ea1a9 +Author: Lorenzo Colitti +Date: Thu Mar 16 12:54:20 2017 +0900 + + iptables: move XT_LOCK_NAME from CFLAGS to config.h. + + This slightly simplifies configure.ac and results in more + correct dependencies. + + Tested by running ./configure with --with-xt-lock-name and + without, and using strace to verify that the right lock is used. + + $ make distclean-recursive && ./autogen.sh && + ./configure --disable-nftables --prefix /tmp/iptables && + make -j64 && + make install && + sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo + ... + open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 + flock(3, LOCK_EX|LOCK_NB) = 0 + + $ make distclean-recursive && ./autogen.sh && \ + ./configure --disable-nftables --prefix /tmp/iptables \ + --with-xt-lock-name=/tmp/iptables/run/xtables.lock && + make -j64 && + make install && + sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo + ... + open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3 + flock(3, LOCK_EX|LOCK_NB) = 0 + + Signed-off-by: Lorenzo Colitti + 
Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/configure.ac.move_XT_LOCK_NAME_to_config.h iptables-1.4.21/configure.ac +--- iptables-1.4.21/configure.ac.move_XT_LOCK_NAME_to_config.h 2017-04-05 14:48:11.855229929 +0200 ++++ iptables-1.4.21/configure.ac 2017-04-05 14:48:11.856229937 +0200 +@@ -122,7 +122,7 @@ AM_CONDITIONAL([HAVE_LIBNFNETLINK], [tes + regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \ + -Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \ + -Winline -pipe"; +-regular_CPPFLAGS="${largefile_cppflags} -DXT_LOCK_NAME=\\\"\${xt_lock_name}\\\" -D_REENTRANT \ ++regular_CPPFLAGS="${largefile_cppflags} -D_REENTRANT \ + -DXTABLES_LIBDIR=\\\"\${xtlibdir}\\\" -DXTABLES_INTERNAL"; + kinclude_CPPFLAGS=""; + if [[ -n "$kbuilddir" ]]; then +@@ -160,7 +160,9 @@ AC_SUBST([libxtables_vcurrent]) + AC_SUBST([libxtables_vage]) + libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage)); + AC_SUBST([libxtables_vmajor]) +-AC_SUBST([xt_lock_name]) ++ ++AC_DEFINE_UNQUOTED([XT_LOCK_NAME], "${xt_lock_name}", ++ [Location of the iptables lock file]) + + AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile + iptables/Makefile iptables/xtables.pc +diff -up iptables-1.4.21/iptables/xshared.c.move_XT_LOCK_NAME_to_config.h iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.move_XT_LOCK_NAME_to_config.h 2017-04-05 14:48:11.855229929 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:48:11.856229937 +0200 +@@ -1,3 +1,4 @@ ++#include + #include + #include + #include diff --git a/SOURCES/iptables-1.4.21-remove_duplicated_argument_parsing.patch b/SOURCES/iptables-1.4.21-remove_duplicated_argument_parsing.patch new file mode 100644 index 0000000..a0fe335 --- /dev/null +++ b/SOURCES/iptables-1.4.21-remove_duplicated_argument_parsing.patch 
@@ -0,0 +1,401 @@ +Adapted version of + +commit 6e2e169eb66b63d2991e1c7ada931e3cdb0ced32 +Author: Lorenzo Colitti +Date: Thu Mar 16 16:55:01 2017 +0900 + + iptables: remove duplicated argument parsing code + + 1. Factor out repeated code to a new xs_has_arg function. + 2. Add a new parse_wait_time option to parse the value of -w. + 3. Make parse_wait_interval take argc and argv so its callers + can be simpler. + + Signed-off-by: Lorenzo Colitti + 
Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/ip6tables.c.remove_duplicated_argument_parsing iptables-1.4.21/iptables/ip6tables.c +--- iptables-1.4.21/iptables/ip6tables.c.remove_duplicated_argument_parsing 2017-04-05 14:51:44.033970476 +0200 ++++ iptables-1.4.21/iptables/ip6tables.c 2017-04-05 14:51:44.044970566 +0200 +@@ -1388,8 +1388,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_DELETE, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') { ++ if (xs_has_arg(argc, argv)) { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_DELETE_NUM; + } +@@ -1399,8 +1398,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_REPLACE, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + else + xtables_error(PARAMETER_PROBLEM, +@@ -1412,8 +1410,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_INSERT, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + else rulenum = 1; + break; +@@ -1422,11 +1419,9 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_LIST, + CMD_ZERO | CMD_ZERO_NUM, cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + break; + +@@ -1434,11 +1429,9 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_LIST_RULES, + CMD_ZERO | CMD_ZERO_NUM, cs.invert); + if (optarg) chain = optarg; +- else if 
(optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + break; + +@@ -1446,8 +1439,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_FLUSH, CMD_NONE, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; + break; + +@@ -1455,11 +1447,9 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_ZERO, CMD_LIST|CMD_LIST_RULES, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') { ++ if (xs_has_arg(argc, argv)) { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_ZERO_NUM; + } +@@ -1476,8 +1466,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_DELETE_CHAIN, CMD_NONE, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; + break; + +@@ -1485,8 +1474,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_RENAME_CHAIN, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + newname = argv[optind++]; + else + xtables_error(PARAMETER_PROBLEM, +@@ -1499,8 +1487,7 @@ int do_command6(int argc, char *argv[], + add_command(&command, CMD_SET_POLICY, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + 
policy = argv[optind++]; + else + xtables_error(PARAMETER_PROBLEM, +@@ -1610,16 +1597,7 @@ int do_command6(int argc, char *argv[], + "You cannot use `-w' from " + "ip6tables-restore"); + } +- wait = -1; +- if (optarg) { +- if (sscanf(optarg, "%i", &wait) != 1) +- xtables_error(PARAMETER_PROBLEM, +- "wait seconds not numeric"); +- } else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') +- if (sscanf(argv[optind++], "%i", &wait) != 1) +- xtables_error(PARAMETER_PROBLEM, +- "wait seconds not numeric"); ++ wait = parse_wait_time(argc, argv); + break; + + case 'W': +@@ -1628,14 +1606,7 @@ int do_command6(int argc, char *argv[], + "You cannot use `-W' from " + "ip6tables-restore"); + } +- if (optarg) +- parse_wait_interval(optarg, &wait_interval); +- else if (optind < argc && +- argv[optind][0] != '-' && +- argv[optind][0] != '!') +- parse_wait_interval(argv[optind++], +- &wait_interval); +- ++ parse_wait_interval(argc, argv, &wait_interval); + wait_interval_set = true; + break; + +@@ -1685,8 +1656,7 @@ int do_command6(int argc, char *argv[], + bcnt = strchr(pcnt + 1, ','); + if (bcnt) + bcnt++; +- if (!bcnt && optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (!bcnt && xs_has_arg(argc, argv)) + bcnt = argv[optind++]; + if (!bcnt) + xtables_error(PARAMETER_PROBLEM, +diff -up iptables-1.4.21/iptables/iptables.c.remove_duplicated_argument_parsing iptables-1.4.21/iptables/iptables.c +--- iptables-1.4.21/iptables/iptables.c.remove_duplicated_argument_parsing 2017-04-05 14:51:44.034970484 +0200 ++++ iptables-1.4.21/iptables/iptables.c 2017-04-05 14:51:44.044970566 +0200 +@@ -1381,8 +1381,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_DELETE, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') { ++ if (xs_has_arg(argc, argv)) { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_DELETE_NUM; + } +@@ -1392,8 +1391,7 @@ int 
do_command4(int argc, char *argv[], + add_command(&command, CMD_REPLACE, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + else + xtables_error(PARAMETER_PROBLEM, +@@ -1405,8 +1403,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_INSERT, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + else rulenum = 1; + break; +@@ -1415,11 +1412,9 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_LIST, + CMD_ZERO | CMD_ZERO_NUM, cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + break; + +@@ -1427,11 +1422,9 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_LIST_RULES, + CMD_ZERO|CMD_ZERO_NUM, cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + rulenum = parse_rulenumber(argv[optind++]); + break; + +@@ -1439,8 +1432,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_FLUSH, CMD_NONE, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; + break; + +@@ -1448,11 +1440,9 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_ZERO, 
CMD_LIST|CMD_LIST_RULES, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') { ++ if (xs_has_arg(argc, argv)) { + rulenum = parse_rulenumber(argv[optind++]); + command = CMD_ZERO_NUM; + } +@@ -1469,8 +1459,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_DELETE_CHAIN, CMD_NONE, + cs.invert); + if (optarg) chain = optarg; +- else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ else if (xs_has_arg(argc, argv)) + chain = argv[optind++]; + break; + +@@ -1478,8 +1467,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_RENAME_CHAIN, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + newname = argv[optind++]; + else + xtables_error(PARAMETER_PROBLEM, +@@ -1492,8 +1480,7 @@ int do_command4(int argc, char *argv[], + add_command(&command, CMD_SET_POLICY, CMD_NONE, + cs.invert); + chain = optarg; +- if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (xs_has_arg(argc, argv)) + policy = argv[optind++]; + else + xtables_error(PARAMETER_PROBLEM, +@@ -1601,16 +1588,7 @@ int do_command4(int argc, char *argv[], + "You cannot use `-w' from " + "iptables-restore"); + } +- wait = -1; +- if (optarg) { +- if (sscanf(optarg, "%i", &wait) != 1) +- xtables_error(PARAMETER_PROBLEM, +- "wait seconds not numeric"); +- } else if (optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') +- if (sscanf(argv[optind++], "%i", &wait) != 1) +- xtables_error(PARAMETER_PROBLEM, +- "wait seconds not numeric"); ++ wait = parse_wait_time(argc, argv); + break; + + case 'W': +@@ -1619,14 +1597,7 @@ int do_command4(int argc, char *argv[], + "You cannot use `-W' from " + 
"iptables-restore"); + } +- if (optarg) +- parse_wait_interval(optarg, &wait_interval); +- else if (optind < argc && +- argv[optind][0] != '-' && +- argv[optind][0] != '!') +- parse_wait_interval(argv[optind++], +- &wait_interval); +- ++ parse_wait_interval(argc, argv, &wait_interval); + wait_interval_set = true; + break; + +@@ -1676,8 +1647,7 @@ int do_command4(int argc, char *argv[], + bcnt = strchr(pcnt + 1, ','); + if (bcnt) + bcnt++; +- if (!bcnt && optind < argc && argv[optind][0] != '-' +- && argv[optind][0] != '!') ++ if (!bcnt && xs_has_arg(argc, argv)) + bcnt = argv[optind++]; + if (!bcnt) + xtables_error(PARAMETER_PROBLEM, +diff -up iptables-1.4.21/iptables/xshared.c.remove_duplicated_argument_parsing iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.remove_duplicated_argument_parsing 2017-04-05 14:51:44.042970550 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:51:44.045970574 +0200 +@@ -285,12 +285,36 @@ bool xtables_lock(int wait, struct timev + } + } + +-void parse_wait_interval(const char *str, struct timeval *wait_interval) ++int parse_wait_time(int argc, char *argv[]) + { ++ int wait = -1; ++ ++ if (optarg) { ++ if (sscanf(optarg, "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); ++ } else if (xs_has_arg(argc, argv)) ++ if (sscanf(argv[optind++], "%i", &wait) != 1) ++ xtables_error(PARAMETER_PROBLEM, ++ "wait seconds not numeric"); ++ ++ return wait; ++} ++ ++void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval) ++{ ++ const char *arg; + unsigned int usec; + int ret; + +- ret = sscanf(str, "%u", &usec); ++ if (optarg) ++ arg = optarg; ++ else if (xs_has_arg(argc, argv)) ++ arg = argv[optind++]; ++ else ++ return; ++ ++ ret = sscanf(arg, "%u", &usec); + if (ret == 1) { + if (usec > 999999) + xtables_error(PARAMETER_PROBLEM, +@@ -303,3 +327,10 @@ void parse_wait_interval(const char *str + } + xtables_error(PARAMETER_PROBLEM, "wait interval not 
numeric"); + } ++ ++inline bool xs_has_arg(int argc, char *argv[]) ++{ ++ return optind < argc && ++ argv[optind][0] != '-' && ++ argv[optind][0] != '!'; ++} +diff -up iptables-1.4.21/iptables/xshared.h.remove_duplicated_argument_parsing iptables-1.4.21/iptables/xshared.h +--- iptables-1.4.21/iptables/xshared.h.remove_duplicated_argument_parsing 2017-04-05 14:51:44.034970484 +0200 ++++ iptables-1.4.21/iptables/xshared.h 2017-04-05 14:51:44.045970574 +0200 +@@ -86,7 +86,9 @@ extern void xs_init_target(struct xtable + extern void xs_init_match(struct xtables_match *); + bool xtables_lock(int wait, struct timeval *wait_interval); + +-void parse_wait_interval(const char *str, struct timeval *wait_interval); ++int parse_wait_time(int argc, char *argv[]); ++void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval); ++bool xs_has_arg(int argc, char *argv[]); + + extern const struct xtables_afinfo *afinfo; + diff --git a/SOURCES/iptables-1.4.21-restore_support_acquiring_the_lock.patch b/SOURCES/iptables-1.4.21-restore_support_acquiring_the_lock.patch new file mode 100644 index 0000000..77e1aff --- /dev/null +++ b/SOURCES/iptables-1.4.21-restore_support_acquiring_the_lock.patch 
@@ -0,0 +1,414 @@ +Adapted version of + +commit 999eaa241212d3952ddff39a99d0d55a74e3639e +Author: Lorenzo Colitti +Date: Thu Mar 16 16:55:02 2017 +0900 + + iptables-restore: support acquiring the lock. + + Currently, ip[6]tables-restore does not perform any locking, so it + is not safe to use concurrently with ip[6]tables. + + This patch makes ip[6]tables-restore wait for the lock if -w + was specified. Arguments to -w and -W are supported in the same + was as they are in ip[6]tables. + + The lock is not acquired on startup. Instead, it is acquired when + a new table handle is created (on encountering '*') and released + when the table is committed (COMMIT). This makes it possible to + keep long-running iptables-restore processes in the background + (for example, reading commands from a pipe opened by a system + management daemon) and simultaneously run iptables commands. + + If -w is not specified, then the command proceeds without taking + the lock. + + Tested as follows: + + 1. Run iptables-restore -w, and check that iptables commands work + with or without -w. + 2. Type "*filter" into the iptables-restore input. Verify that + a) ip[6]tables commands without -w fail with "another app is + currently holding the xtables lock...". + b) ip[6]tables commands with "-w 2" fail after 2 seconds. + c) ip[6]tables commands with "-w" hang until "COMMIT" is + typed into the iptables-restore window. + 3. With the lock held by an ip6tables-restore process: + strace -e flock /tmp/iptables/sbin/iptables-restore -w 1 -W 100000 + shows 11 calls to flock and fails. + 4. Run an iptables-restore with -w and one without -w, and check: + a) Type "*filter" in the first and then the second, and the + second exits with an error. + b) Type "*filter" in the second and "*filter" "-S" "COMMIT" + into the first. The rules are listed only when the first + copy sees "COMMIT". + + Signed-off-by: Narayan Kamath + Signed-off-by: Lorenzo Colitti + 
Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/ip6tables.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/ip6tables.c +--- iptables-1.4.21/iptables/ip6tables.c.restore_support_acquiring_the_lock 2017-04-05 14:55:52.561008864 +0200 ++++ iptables-1.4.21/iptables/ip6tables.c 2017-04-05 14:55:52.564008888 +0200 +@@ -1767,7 +1767,7 @@ int do_command6(int argc, char *argv[], + generic_opt_check(command, cs.options); + + /* Attempt to acquire the xtables lock */ +- if (!restore && !xtables_lock(wait, &wait_interval)) { ++ if (!restore && xtables_lock(wait, &wait_interval) == XT_LOCK_BUSY) { + fprintf(stderr, "Another app is currently holding the xtables lock. "); + if (wait == 0) + fprintf(stderr, "Perhaps you want to use the -w option?\n"); +diff -up iptables-1.4.21/iptables/ip6tables-restore.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/ip6tables-restore.c +--- iptables-1.4.21/iptables/ip6tables-restore.c.restore_support_acquiring_the_lock 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/ip6tables-restore.c 2017-04-05 14:58:41.513393942 +0200 +@@ -15,6 +15,7 @@ + #include + #include + #include "ip6tables.h" ++#include "xshared.h" + #include "xtables.h" + #include "libiptc/libip6tc.h" + #include "ip6tables-multi.h" +@@ -25,18 +26,24 @@ + #define DEBUGP(x, args...) + #endif + +-static int binary = 0, counters = 0, verbose = 0, noflush = 0; ++static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0; ++ ++static struct timeval wait_interval = { ++ .tv_sec = 1, ++}; + + /* Keeping track of external matches and targets. 
*/ + static const struct option options[] = { +- {.name = "binary", .has_arg = false, .val = 'b'}, +- {.name = "counters", .has_arg = false, .val = 'c'}, +- {.name = "verbose", .has_arg = false, .val = 'v'}, +- {.name = "test", .has_arg = false, .val = 't'}, +- {.name = "help", .has_arg = false, .val = 'h'}, +- {.name = "noflush", .has_arg = false, .val = 'n'}, +- {.name = "modprobe", .has_arg = true, .val = 'M'}, +- {.name = "table", .has_arg = true, .val = 'T'}, ++ {.name = "binary", .has_arg = 0, .val = 'b'}, ++ {.name = "counters", .has_arg = 0, .val = 'c'}, ++ {.name = "verbose", .has_arg = 0, .val = 'v'}, ++ {.name = "test", .has_arg = 0, .val = 't'}, ++ {.name = "help", .has_arg = 0, .val = 'h'}, ++ {.name = "noflush", .has_arg = 0, .val = 'n'}, ++ {.name = "modprobe", .has_arg = 1, .val = 'M'}, ++ {.name = "table", .has_arg = 1, .val = 'T'}, ++ {.name = "wait", .has_arg = 2, .val = 'w'}, ++ {.name = "wait-interval", .has_arg = 2, .val = 'W'}, + {NULL}, + }; + +@@ -44,14 +51,16 @@ static void print_usage(const char *name + + static void print_usage(const char *name, const char *version) + { +- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n" ++ fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h] [-w secs] [-W usecs]\n" + " [ --binary ]\n" + " [ --counters ]\n" + " [ --verbose ]\n" + " [ --test ]\n" + " [ --help ]\n" ++ " [ --wait=\n" ++ " [ --wait-interval=\n" + " [ --noflush ]\n" +- " [ --modprobe=]\n", name); ++ " [ --modprobe=]\n", name); + + exit(1); + } +@@ -182,7 +191,7 @@ int ip6tables_restore_main(int argc, cha + { + struct xtc_handle *handle = NULL; + char buffer[10240]; +- int c; ++ int c, lock; + char curtable[XT_TABLE_MAXNAMELEN + 1]; + FILE *in; + int in_table = 0, testing = 0; +@@ -190,6 +199,7 @@ int ip6tables_restore_main(int argc, cha + const struct xtc_ops *ops = &ip6tc_ops; + + line = 0; ++ lock = XT_LOCK_NOT_ACQUIRED; + + ip6tables_globals.program_name = "ip6tables-restore"; + c = xtables_init_all(&ip6tables_globals, NFPROTO_IPV6); 
+@@ -204,7 +214,7 @@ int ip6tables_restore_main(int argc, cha + init_extensions6(); + #endif + +- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "bcvthnwWM:T:", options, NULL)) != -1) { + switch (c) { + case 'b': + binary = 1; +@@ -225,6 +235,12 @@ int ip6tables_restore_main(int argc, cha + case 'n': + noflush = 1; + break; ++ case 'w': ++ wait = parse_wait_time(argc, argv); ++ break; ++ case 'W': ++ parse_wait_interval(argc, argv, &wait_interval); ++ break; + case 'M': + xtables_modprobe_program = optarg; + break; +@@ -269,8 +285,23 @@ int ip6tables_restore_main(int argc, cha + DEBUGP("Not calling commit, testing\n"); + ret = 1; + } ++ ++ /* Done with the current table, release the lock. */ ++ if (lock >= 0) { ++ xtables_unlock(lock); ++ lock = XT_LOCK_NOT_ACQUIRED; ++ } ++ + in_table = 0; + } else if ((buffer[0] == '*') && (!in_table)) { ++ /* Acquire a lock before we create a new table handle */ ++ lock = xtables_lock(wait, &wait_interval); ++ if (lock == XT_LOCK_BUSY) { ++ fprintf(stderr, "Another app is currently holding the xtables lock. " ++ "Perhaps you want to use the -w option?\n"); ++ exit(RESOURCE_PROBLEM); ++ } ++ + /* New table */ + char *table; + +diff -up iptables-1.4.21/iptables/iptables.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/iptables.c +--- iptables-1.4.21/iptables/iptables.c.restore_support_acquiring_the_lock 2017-04-05 14:55:52.562008872 +0200 ++++ iptables-1.4.21/iptables/iptables.c 2017-04-05 14:55:52.564008888 +0200 +@@ -1754,7 +1754,7 @@ int do_command4(int argc, char *argv[], + generic_opt_check(command, cs.options); + + /* Attempt to acquire the xtables lock */ +- if (!restore && !xtables_lock(wait, &wait_interval)) { ++ if (!restore && xtables_lock(wait, &wait_interval) == XT_LOCK_BUSY) { + fprintf(stderr, "Another app is currently holding the xtables lock. 
"); + if (wait == 0) + fprintf(stderr, "Perhaps you want to use the -w option?\n"); +diff -up iptables-1.4.21/iptables/iptables-restore.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/iptables-restore.c +--- iptables-1.4.21/iptables/iptables-restore.c.restore_support_acquiring_the_lock 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/iptables-restore.c 2017-04-05 15:00:17.389179935 +0200 +@@ -12,6 +12,7 @@ + #include + #include + #include "iptables.h" ++#include "xshared.h" + #include "xtables.h" + #include "libiptc/libiptc.h" + #include "iptables-multi.h" +@@ -22,18 +23,24 @@ + #define DEBUGP(x, args...) + #endif + +-static int binary = 0, counters = 0, verbose = 0, noflush = 0; ++static int binary = 0, counters = 0, verbose = 0, noflush = 0, wait = 0; ++ ++static struct timeval wait_interval = { ++ .tv_sec = 1, ++}; + + /* Keeping track of external matches and targets. */ + static const struct option options[] = { +- {.name = "binary", .has_arg = false, .val = 'b'}, +- {.name = "counters", .has_arg = false, .val = 'c'}, +- {.name = "verbose", .has_arg = false, .val = 'v'}, +- {.name = "test", .has_arg = false, .val = 't'}, +- {.name = "help", .has_arg = false, .val = 'h'}, +- {.name = "noflush", .has_arg = false, .val = 'n'}, +- {.name = "modprobe", .has_arg = true, .val = 'M'}, +- {.name = "table", .has_arg = true, .val = 'T'}, ++ {.name = "binary", .has_arg = 0, .val = 'b'}, ++ {.name = "counters", .has_arg = 0, .val = 'c'}, ++ {.name = "verbose", .has_arg = 0, .val = 'v'}, ++ {.name = "test", .has_arg = 0, .val = 't'}, ++ {.name = "help", .has_arg = 0, .val = 'h'}, ++ {.name = "noflush", .has_arg = 0, .val = 'n'}, ++ {.name = "modprobe", .has_arg = 1, .val = 'M'}, ++ {.name = "table", .has_arg = 1, .val = 'T'}, ++ {.name = "wait", .has_arg = 2, .val = 'w'}, ++ {.name = "wait-interval", .has_arg = 2, .val = 'W'}, + {NULL}, + }; + +@@ -43,15 +50,17 @@ static void print_usage(const char *name + + static void print_usage(const char 
*name, const char *version) + { +- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h]\n" ++ fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h] [-W usecs]\n" + " [ --binary ]\n" + " [ --counters ]\n" + " [ --verbose ]\n" + " [ --test ]\n" + " [ --help ]\n" + " [ --noflush ]\n" ++ " [ --wait=\n" ++ " [ --wait-interval=\n" + " [ --table= ]\n" +- " [ --modprobe=]\n", name); ++ " [ --modprobe=]\n", name); + + exit(1); + } +@@ -182,7 +191,7 @@ iptables_restore_main(int argc, char *ar + { + struct xtc_handle *handle = NULL; + char buffer[10240]; +- int c; ++ int c, lock; + char curtable[XT_TABLE_MAXNAMELEN + 1]; + FILE *in; + int in_table = 0, testing = 0; +@@ -190,6 +199,7 @@ iptables_restore_main(int argc, char *ar + const struct xtc_ops *ops = &iptc_ops; + + line = 0; ++ lock = XT_LOCK_NOT_ACQUIRED; + + iptables_globals.program_name = "iptables-restore"; + c = xtables_init_all(&iptables_globals, NFPROTO_IPV4); +@@ -204,7 +214,7 @@ iptables_restore_main(int argc, char *ar + init_extensions4(); + #endif + +- while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "bcvthnwWM:T:", options, NULL)) != -1) { + switch (c) { + case 'b': + binary = 1; +@@ -225,6 +235,12 @@ iptables_restore_main(int argc, char *ar + case 'n': + noflush = 1; + break; ++ case 'w': ++ wait = parse_wait_time(argc, argv); ++ break; ++ case 'W': ++ parse_wait_interval(argc, argv, &wait_interval); ++ break; + case 'M': + xtables_modprobe_program = optarg; + break; +@@ -269,8 +285,23 @@ iptables_restore_main(int argc, char *ar + DEBUGP("Not calling commit, testing\n"); + ret = 1; + } ++ ++ /* Done with the current table, release the lock. 
*/ ++ if (lock >= 0) { ++ xtables_unlock(lock); ++ lock = XT_LOCK_NOT_ACQUIRED; ++ } ++ + in_table = 0; + } else if ((buffer[0] == '*') && (!in_table)) { ++ /* Acquire a lock before we create a new table handle */ ++ lock = xtables_lock(wait, &wait_interval); ++ if (lock == XT_LOCK_BUSY) { ++ fprintf(stderr, "Another app is currently holding the xtables lock. " ++ "Perhaps you want to use the -w option?\n"); ++ exit(RESOURCE_PROBLEM); ++ } ++ + /* New table */ + char *table; + +diff -up iptables-1.4.21/iptables/xshared.c.restore_support_acquiring_the_lock iptables-1.4.21/iptables/xshared.c +--- iptables-1.4.21/iptables/xshared.c.restore_support_acquiring_the_lock 2017-04-05 14:55:52.562008872 +0200 ++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:55:52.565008896 +0200 +@@ -246,7 +246,7 @@ void xs_init_match(struct xtables_match + match->init(match->m); + } + +-bool xtables_lock(int wait, struct timeval *wait_interval) ++int xtables_lock(int wait, struct timeval *wait_interval) + { + struct timeval time_left, wait_time; + int fd, i = 0; +@@ -256,22 +256,22 @@ bool xtables_lock(int wait, struct timev + + fd = open(XT_LOCK_NAME, O_CREAT, 0600); + if (fd < 0) +- return true; ++ return XT_LOCK_UNSUPPORTED; + + if (wait == -1) { + if (flock(fd, LOCK_EX) == 0) +- return true; ++ return fd; + + fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME, + strerror(errno)); +- return false; ++ return XT_LOCK_BUSY; + } + + while (1) { + if (flock(fd, LOCK_EX | LOCK_NB) == 0) +- return true; ++ return fd; + else if (timercmp(&time_left, wait_interval, <)) +- return false; ++ return XT_LOCK_BUSY; + + if (++i % 10 == 0) { + fprintf(stderr, "Another app is currently holding the xtables lock; " +@@ -285,6 +285,12 @@ bool xtables_lock(int wait, struct timev + } + } + ++void xtables_unlock(int lock) ++{ ++ if (lock >= 0) ++ close(lock); ++} ++ + int parse_wait_time(int argc, char *argv[]) + { + int wait = -1; +diff -up 
iptables-1.4.21/iptables/xshared.h.restore_support_acquiring_the_lock iptables-1.4.21/iptables/xshared.h +--- iptables-1.4.21/iptables/xshared.h.restore_support_acquiring_the_lock 2017-04-05 14:55:52.562008872 +0200 ++++ iptables-1.4.21/iptables/xshared.h 2017-04-05 14:55:52.565008896 +0200 +@@ -84,7 +84,28 @@ extern struct xtables_match *load_proto( + extern int subcmd_main(int, char **, const struct subcommand *); + extern void xs_init_target(struct xtables_target *); + extern void xs_init_match(struct xtables_match *); +-bool xtables_lock(int wait, struct timeval *wait_interval); ++ ++/** ++ * Values for the iptables lock. ++ * ++ * A value >= 0 indicates the lock filedescriptor. Other values are: ++ * ++ * XT_LOCK_UNSUPPORTED : The system does not support locking, execution will ++ * proceed lockless. ++ * ++ * XT_LOCK_BUSY : The lock was held by another process. xtables_lock only ++ * returns this value when |wait| == false. If |wait| == true, xtables_lock ++ * will not return unless the lock has been acquired. ++ * ++ * XT_LOCK_NOT_ACQUIRED : We have not yet attempted to acquire the lock. ++ */ ++enum { ++ XT_LOCK_BUSY = -1, ++ XT_LOCK_UNSUPPORTED = -2, ++ XT_LOCK_NOT_ACQUIRED = -3, ++}; ++extern int xtables_lock(int wait, struct timeval *tv); ++extern void xtables_unlock(int lock); + + int parse_wait_time(int argc, char *argv[]); + void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval); diff --git a/SOURCES/iptables-1.4.21-restore_version.patch b/SOURCES/iptables-1.4.21-restore_version.patch new file mode 100644 index 0000000..bee5903 --- /dev/null +++ b/SOURCES/iptables-1.4.21-restore_version.patch @@ -0,0 +1,143 @@ +Adapted version of + +commit 9cd3adbed2fd8cdb6366293f3799573b811be89b +Author: Dan Williams +Date: Mon Apr 10 12:31:56 2017 -0500 + + iptables-restore/ip6tables-restore: add --version/-V argument + + Prints program version just like iptables/ip6tables. + + Signed-off-by: Dan Williams + 
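Review bot: The XT_LOCK_BUSY branch added to iptables_restore_main and ip6tables_restore_main prints the "-w" hint unconditionally, whereas the do_command4/do_command6 check in the same hunk gates it on the wait value; after `-w 5` times out the hint is misleading, so mirror that gate: `fprintf(stderr, "Another app is currently holding the xtables lock. "); if (wait == 0) fprintf(stderr, "Perhaps you want to use the -w option?\n");`. In the same patch the iptables-restore usage string `"Usage: %s [-b] [-c] [-v] [-t] [-h] [-W usecs]\n"` omits `[-w secs]`, which the ip6tables-restore variant does include. The new XT_LOCK_BUSY comment in xshared.h ("only returns this value when |wait| == false") does not match xtables_lock as patched: wait is an int (seconds, -1 for indefinite) and XT_LOCK_BUSY is returned both when the timed loop runs out and when the blocking flock() fails, so reword it to `XT_LOCK_BUSY : the lock is held by another process and was not obtained within |wait| seconds (or flock() failed for wait == -1).`. Finally, with the default wait of 0 the restore path still appears to make one non-blocking lock attempt and exits with RESOURCE_PROBLEM if it fails, which is stricter than the "proceeds without taking the lock" wording in the patch header.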
Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/ip6tables-restore.c.restore_version iptables-1.4.21/iptables/ip6tables-restore.c +--- iptables-1.4.21/iptables/ip6tables-restore.c.restore_version 2017-04-20 16:49:34.253130005 +0200 ++++ iptables-1.4.21/iptables/ip6tables-restore.c 2017-04-20 16:51:43.931089903 +0200 +@@ -37,6 +37,7 @@ static const struct option options[] = { + {.name = "binary", .has_arg = 0, .val = 'b'}, + {.name = "counters", .has_arg = 0, .val = 'c'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, ++ {.name = "version", .has_arg = 0, .val = 'V'}, + {.name = "test", .has_arg = 0, .val = 't'}, + {.name = "help", .has_arg = 0, .val = 'h'}, + {.name = "noflush", .has_arg = 0, .val = 'n'}, +@@ -49,12 +50,16 @@ static const struct option options[] = { + + static void print_usage(const char *name, const char *version) __attribute__((noreturn)); + ++#define prog_name ip6tables_globals.program_name ++#define prog_vers ip6tables_globals.program_version ++ + static void print_usage(const char *name, const char *version) + { +- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h] [-w secs] [-W usecs]\n" ++ fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-V] [-t] [-h] [-w secs] [-W usecs]\n" + " [ --binary ]\n" + " [ --counters ]\n" + " [ --verbose ]\n" ++ " [ --version]\n" + " [ --test ]\n" + " [ --help ]\n" + " [ --wait=\n" +@@ -79,8 +84,7 @@ static struct xtc_handle *create_handle( + + if (!handle) { + xtables_error(PARAMETER_PROBLEM, "%s: unable to initialize " +- "table '%s'\n", ip6tables_globals.program_name, +- tablename); ++ "table '%s'\n", prog_name, tablename); + exit(1); + } + return handle; +@@ -214,7 +218,7 @@ int ip6tables_restore_main(int argc, cha + init_extensions6(); + #endif + +- while ((c = getopt_long(argc, argv, "bcvthnwWM:T:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "bcvVthnwWM:T:", options, NULL)) != -1) { + switch (c) { + case 'b': + binary = 1; +@@ -225,6 +229,9 @@ int 
ip6tables_restore_main(int argc, cha + case 'v': + verbose = 1; + break; ++ case 'V': ++ printf("%s v%s\n", prog_name, prog_vers); ++ exit(0); + case 't': + testing = 1; + break; +diff -up iptables-1.4.21/iptables/iptables-restore.8.in.restore_version iptables-1.4.21/iptables/iptables-restore.8.in +--- iptables-1.4.21/iptables/iptables-restore.8.in.restore_version 2013-11-22 12:18:13.000000000 +0100 ++++ iptables-1.4.21/iptables/iptables-restore.8.in 2017-04-20 16:52:20.883299806 +0200 +@@ -23,9 +23,9 @@ iptables-restore \(em Restore IP Tables + .P + ip6tables-restore \(em Restore IPv6 Tables + .SH SYNOPSIS +-\fBiptables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] ++\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-M\fP \fImodprobe\fP] + .P +-\fBip6tables\-restore\fP [\fB\-chntv\fP] [\fB\-M\fP \fImodprobe\fP] ++\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-M\fP \fImodprobe\fP] + [\fB\-T\fP \fIname\fP] + .SH DESCRIPTION + .PP +@@ -51,6 +51,9 @@ Only parse and construct the ruleset, bu + \fB\-v\fP, \fB\-\-verbose\fP + Print additional debug info during ruleset processing. + .TP ++\fB\-V\fP, \fB\-\-version\fP ++Print the program version number. ++.TP + \fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP + Specify the path to the modprobe program. By default, iptables-restore will + inspect /proc/sys/kernel/modprobe to determine the executable's path. 
+diff -up iptables-1.4.21/iptables/iptables-restore.c.restore_version iptables-1.4.21/iptables/iptables-restore.c +--- iptables-1.4.21/iptables/iptables-restore.c.restore_version 2017-04-20 16:49:34.253130005 +0200 ++++ iptables-1.4.21/iptables/iptables-restore.c 2017-04-20 17:29:32.495390523 +0200 +@@ -34,6 +34,7 @@ static const struct option options[] = { + {.name = "binary", .has_arg = 0, .val = 'b'}, + {.name = "counters", .has_arg = 0, .val = 'c'}, + {.name = "verbose", .has_arg = 0, .val = 'v'}, ++ {.name = "version", .has_arg = 0, .val = 'V'}, + {.name = "test", .has_arg = 0, .val = 't'}, + {.name = "help", .has_arg = 0, .val = 'h'}, + {.name = "noflush", .has_arg = 0, .val = 'n'}, +@@ -47,13 +48,15 @@ static const struct option options[] = { + static void print_usage(const char *name, const char *version) __attribute__((noreturn)); + + #define prog_name iptables_globals.program_name ++#define prog_vers iptables_globals.program_version + + static void print_usage(const char *name, const char *version) + { +- fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-t] [-h] [-W usecs]\n" ++ fprintf(stderr, "Usage: %s [-b] [-c] [-v] [-V] [-t] [-h] [-W usecs]\n" + " [ --binary ]\n" + " [ --counters ]\n" + " [ --verbose ]\n" ++ " [ --version]\n" + " [ --test ]\n" + " [ --help ]\n" + " [ --noflush ]\n" +@@ -214,7 +217,7 @@ iptables_restore_main(int argc, char *ar + init_extensions4(); + #endif + +- while ((c = getopt_long(argc, argv, "bcvthnwWM:T:", options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "bcvVthnwWM:T:", options, NULL)) != -1) { + switch (c) { + case 'b': + binary = 1; +@@ -225,6 +228,9 @@ iptables_restore_main(int argc, char *ar + case 'v': + verbose = 1; + break; ++ case 'V': ++ printf("%s v%s\n", prog_name, prog_vers); ++ exit(0); + case 't': + testing = 1; + break; diff --git a/SOURCES/iptables-1.4.21-restore_wait_man.patch b/SOURCES/iptables-1.4.21-restore_wait_man.patch new file mode 100644 index 0000000..4d3b3df --- /dev/null 
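Review bot: The new usage entry `" [ --version]\n"` added to print_usage in both ip6tables-restore.c and iptables-restore.c lacks the trailing space its neighbours carry (`" [ --verbose ]\n"`, `" [ --test ]\n"`), so the printed option list is misaligned; write `" [ --version ]\n"` in both files. The `prog_name`/`prog_vers` object-like macros over the `*_globals` fields are a style choice that a reader of ip6tables-restore.c will not expect; a one-line comment such as `/* shorthands so the two restore programs stay diffable */` above them would explain why a macro is used instead of the field itself.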
+++ b/SOURCES/iptables-1.4.21-restore_wait_man.patch @@ -0,0 +1,51 @@ +Adapted version of + +commit 65801d02a482befd2745c792d6596ec75d434934 +Author: Dan Williams +Date: Mon Apr 10 12:35:18 2017 -0500 + + iptables-restore.8: document -w/-W options + + Fixes: 999eaa241212 ("iptables-restore: support acquiring the lock.") + Signed-off-by: Dan Williams + 
Signed-off-by: Pablo Neira Ayuso + +diff -up iptables-1.4.21/iptables/iptables-restore.8.in.restore_wait_man iptables-1.4.21/iptables/iptables-restore.8.in +--- iptables-1.4.21/iptables/iptables-restore.8.in.restore_wait_man 2017-04-20 17:33:23.386401192 +0200 ++++ iptables-1.4.21/iptables/iptables-restore.8.in 2017-04-20 17:35:13.562713997 +0200 +@@ -23,9 +23,11 @@ iptables-restore \(em Restore IP Tables + .P + ip6tables-restore \(em Restore IPv6 Tables + .SH SYNOPSIS +-\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-M\fP \fImodprobe\fP] ++\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP] +++[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] + .P +-\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-M\fP \fImodprobe\fP] ++\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIsecs\fP] +++[\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] + [\fB\-T\fP \fIname\fP] + .SH DESCRIPTION + .PP +@@ -54,6 +56,21 @@ Print additional debug info during rules + \fB\-V\fP, \fB\-\-version\fP + Print the program version number. + .TP ++\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP] ++Wait for the xtables lock. ++To prevent multiple instances of the program from running concurrently, ++an attempt will be made to obtain an exclusive lock at launch. By default, ++the program will exit if the lock cannot be obtained. This option will ++make the program wait (indefinitely or for optional \fIseconds\fP) until ++the exclusive lock can be obtained. ++.TP ++\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP ++Interval to wait per each iteration. ++When running latency sensitive applications, waiting for the xtables lock ++for extended durations may not be acceptable. This option will make each ++iteration take the amount of time specified. The default interval is ++1 second. This option only works with \fB\-w\fP. ++.TP + \fB\-M\fP, \fB\-\-modprobe\fP \fImodprobe_program\fP + Specify the path to the modprobe program. 
By default, iptables-restore will + inspect /proc/sys/kernel/modprobe to determine the executable's path. diff --git a/SOURCES/iptables-1.4.21-rhbz_1054871.patch b/SOURCES/iptables-1.4.21-rhbz_1054871.patch new file mode 100644 index 0000000..f2dfe6f --- /dev/null +++ b/SOURCES/iptables-1.4.21-rhbz_1054871.patch 
@@ -0,0 +1,51 @@
+diff -up iptables-1.4.21/iptables/ip6tables-save.c.rhbz_1054871 iptables-1.4.21/iptables/ip6tables-save.c
+--- iptables-1.4.21/iptables/ip6tables-save.c.rhbz_1054871 2013-11-22 12:18:13.000000000 +0100
++++ iptables-1.4.21/iptables/ip6tables-save.c 2014-03-11 16:19:11.855799695 +0100
+@@ -141,7 +141,7 @@ int ip6tables_save_main(int argc, char *
+ init_extensions6();
+ #endif
+
+- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
++ while ((c = getopt_long(argc, argv, "M:cdt:", options, NULL)) != -1) {
+ switch (c) {
+ case 'c':
+ show_counters = 1;
+diff -up iptables-1.4.21/iptables/iptables-save.8.in.rhbz_1054871 iptables-1.4.21/iptables/iptables-save.8.in
+--- iptables-1.4.21/iptables/iptables-save.8.in.rhbz_1054871 2013-11-22 12:18:13.000000000 +0100
++++ iptables-1.4.21/iptables/iptables-save.8.in 2014-03-11 16:15:54.491729364 +0100
+@@ -23,11 +23,11 @@ iptables-save \(em dump iptables rules t
+ .P
+ ip6tables-save \(em dump iptables rules to stdout
+ .SH SYNOPSIS
+-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
++\fBiptables\-save\fP [\fB\-M\fP,\fB\-\-modprobe\fP \fImodprobe\fP] [\fB\-c\fP]
+ [\fB\-t\fP \fItable\fP]
+ .P
+-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+-[\fB\-t\fP \fItable\fP
++\fBip6tables\-save\fP [\fB\-M\fP,\fB\-\-modprobe\fP \fImodprobe\fP] [\fB\-c\fP]
++[\fB\-t\fP \fItable\fP]
+ .SH DESCRIPTION
+ .PP
+ .B iptables-save
+@@ -36,7 +36,7 @@ and
+ are used to dump the contents of IP or IPv6 Table in easily parseable format
+ to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+ .TP
+-\fB\-M\fP \fImodprobe_program\fP
++\fB\-M\fP,\fB\-\-modprobe\fP \fImodprobe_program\fP
+ Specify the path to the modprobe program. By default, iptables-save will
+ inspect /proc/sys/kernel/modprobe to determine the executable's path.
+ .TP
+diff -up iptables-1.4.21/iptables/iptables-save.c.rhbz_1054871 iptables-1.4.21/iptables/iptables-save.c
+--- iptables-1.4.21/iptables/iptables-save.c.rhbz_1054871 2013-11-22 12:18:13.000000000 +0100
++++ iptables-1.4.21/iptables/iptables-save.c 2014-03-11 16:19:38.354409495 +0100
+@@ -140,7 +140,7 @@ iptables_save_main(int argc, char *argv[
+ init_extensions4();
+ #endif
+
+- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
++ while ((c = getopt_long(argc, argv, "M:cdt:", options, NULL)) != -1) {
+ switch (c) {
+ case 'c':
+ show_counters = 1;
diff --git a/SOURCES/iptables-1.4.21-rhbz_1261238.patch
new file mode 100644
index 0000000..2584c74
--- /dev/null
+++ b/SOURCES/iptables-1.4.21-rhbz_1261238.patch
@@ -0,0 +1,14 @@
+diff -up iptables-1.4.21/extensions/libxt_TRACE.man.rhbz_1261238 iptables-1.4.21/extensions/libxt_TRACE.man
+--- iptables-1.4.21/extensions/libxt_TRACE.man.rhbz_1261238 2013-11-22 12:18:13.000000000 +0100
++++ iptables-1.4.21/extensions/libxt_TRACE.man 2016-07-01 11:43:59.775632018 +0200
+@@ -1,8 +1,8 @@
+ This target marks packets so that the kernel will log every rule which match
+ the packets as those traverse the tables, chains, rules.
+ .PP
+-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
+-to be visible.
++A logging backend, such as nf_log_ipv4(6) or nfnetlink_log, must be loaded for
++this to be visible.
+ The packets are logged with the string prefix:
+ "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
+ plain rule, "return" for implicit rule at the end of a user defined chain
diff --git a/SOURCES/iptables-1.4.21-wait-interval.patch
new file mode 100644
index 0000000..ac116d8
--- /dev/null
+++ b/SOURCES/iptables-1.4.21-wait-interval.patch
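Review bot: The new short-option string `"M:cdt:"` in ip6tables_save_main and iptables_save_main drops the `b` that `"bcdt:"` accepted, so a bare `-b` now takes getopt's unknown-option path while `--binary` from the `options` table (not in the hunk) presumably still resolves. If removing `-b` is intended, say so in the patch header; if not, `"bM:cdt:"` adds `-M` without taking anything away. The `switch (c)` bodies that consume the returned characters lie outside both hunks. This patch file also carries no description of the bug it fixes, unlike iptables-1.4.21-wait-interval.patch and iptables-1.4.21-wait_seconds.patch in the same import; one line such as `-M/--modprobe was documented but missing from the getopt string` would help the next rebase.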
@@ -0,0 +1,330 @@
+Adapted version of
+
+commit e8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1
+Author: Subash Abhinov Kasiviswanathan
+Date: Thu Jun 23 18:44:06 2016 -0600
+
+ xtables: Add an interval option for xtables lock wait
+
+ ip[6]tables currently waits for 1 second for the xtables lock to be
+ freed if the -w option is used. We have seen that the lock is held
+ much less than that resulting in unnecessary delay when trying to
+ acquire the lock. This problem is even severe in case of latency
+ sensitive applications.
+
+ Introduce a new option 'W' to specify the wait interval in microseconds.
+ If this option is not specified, the command sleeps for 1 second by
+ default.
+
+ v1->v2: Change behavior to take millisecond sleep as an argument to
+ -w as suggested by Pablo. Also maintain current behavior for -w to
+ sleep for 1 second as mentioned by Liping.
+
+ v2->v3: Move the millisecond behavior to a new option as suggested
+ by Pablo.
+
+ v3->v4: Use select instead of usleep. Sleep every iteration for
+ the time specified in the "-W" argument. Update man page.
+
+ v4->v5: Fix compilation error when enabling nftables
+
+ v5->v6: Simplify -W so it only takes the interval wait in microseconds.
+ Bail out if -W is specific but -w is not.
+
+ Joint work with Pablo Neira.
+
+ Signed-off-by: Subash Abhinov Kasiviswanathan
+
Signed-off-by: Pablo Neira Ayuso
+
+diff -up iptables-1.4.21/iptables/ip6tables.c.wait-interval iptables-1.4.21/iptables/ip6tables.c
+--- iptables-1.4.21/iptables/ip6tables.c.wait-interval 2017-04-05 14:04:04.560346651 +0200
++++ iptables-1.4.21/iptables/ip6tables.c 2017-04-05 14:04:04.562346670 +0200
+@@ -103,6 +103,7 @@ static struct option original_opts[] = {
+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
+ {.name = "verbose", .has_arg = 0, .val = 'v'},
+ {.name = "wait", .has_arg = 2, .val = 'w'},
++ {.name = "wait-interval", .has_arg = 2, .val = 'W'},
+ {.name = "exact", .has_arg = 0, .val = 'x'},
+ {.name = "version", .has_arg = 0, .val = 'V'},
+ {.name = "help", .has_arg = 2, .val = 'h'},
+@@ -258,7 +259,10 @@ exit_printhelp(const struct xtables_rule
+ " network interface name ([+] for wildcard)\n"
+ " --table -t table table to manipulate (default: `filter')\n"
+ " --verbose -v verbose mode\n"
+-" --wait -w [seconds] wait for the xtables lock\n"
++" --wait -w [seconds] maximum wait to acquire xtables lock before give up\n"
++" --wait-interval -W [usecs] wait time to try to acquire xtables lock\n"
++" interval to wait for xtables lock\n"
++" default is 1 second\n"
+ " --line-numbers print line numbers when listing\n"
+ " --exact -x expand numbers (display exact values)\n"
+ /*"[!]
--fragment -f match second or further fragments only\n"*/
+@@ -1323,6 +1327,10 @@ int do_command6(int argc, char *argv[],
+
+ int verbose = 0;
+ int wait = 0;
++ struct timeval wait_interval = {
++ .tv_sec = 1,
++ };
++ bool wait_interval_set = false;
+ const char *chain = NULL;
+ const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
+ const char *policy = NULL, *newname = NULL;
+@@ -1358,7 +1366,7 @@ int do_command6(int argc, char *argv[],
+
+ opts = xt_params->orig_opts;
+ while ((cs.c = getopt_long(argc, argv,
+- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvw::nt:m:xc:g:46",
++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvw::W::nt:m:xc:g:46",
+ opts, NULL)) != -1) {
+ switch (cs.c) {
+ /*
+@@ -1614,6 +1622,23 @@ int do_command6(int argc, char *argv[],
+ "wait seconds not numeric");
+ break;
+
++ case 'W':
++ if (restore) {
++ xtables_error(PARAMETER_PROBLEM,
++ "You cannot use `-W' from "
++ "ip6tables-restore");
++ }
++ if (optarg)
++ parse_wait_interval(optarg, &wait_interval);
++ else if (optind < argc &&
++ argv[optind][0] != '-' &&
++ argv[optind][0] != '!')
++ parse_wait_interval(argv[optind++],
++ &wait_interval);
++
++ wait_interval_set = true;
++ break;
++
+ case 'm':
+ command_match(&cs);
+ break;
+@@ -1718,6 +1743,10 @@ int do_command6(int argc, char *argv[],
+ cs.invert = FALSE;
+ }
+
++ if (!wait && wait_interval_set)
++ xtables_error(PARAMETER_PROBLEM,
++ "--wait-interval only makes sense with --wait\n");
++
+ if (strcmp(*table, "nat") == 0 &&
+ ((policy != NULL && strcmp(policy, "DROP") == 0) ||
+ (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0)))
+@@ -1768,7 +1797,7 @@ int do_command6(int argc, char *argv[],
+ generic_opt_check(command, cs.options);
+
+ /* Attempt to acquire the xtables lock */
+- if (!restore && !xtables_lock(wait)) {
++ if (!restore && !xtables_lock(wait, &wait_interval)) {
+ fprintf(stderr, "Another app is currently holding the xtables lock.
");
+ if (wait == 0)
+ fprintf(stderr, "Perhaps you want to use the -w option?\n");
+diff -up iptables-1.4.21/iptables/iptables.8.in.wait-interval iptables-1.4.21/iptables/iptables.8.in
+--- iptables-1.4.21/iptables/iptables.8.in.wait-interval 2017-04-05 14:04:04.555346605 +0200
++++ iptables-1.4.21/iptables/iptables.8.in 2017-04-05 14:04:04.562346670 +0200
+@@ -369,6 +369,13 @@ the program will exit if the lock cannot
+ make the program wait (indefinitely or for optional \fIseconds\fP) until
+ the exclusive lock can be obtained.
+ .TP
++\fB\-W\fP, \fB\-\-wait-interval\fP \fImicroseconds\fP
++Interval to wait per each iteration.
++When running latency sensitive applications, waiting for the xtables lock
++for extended durations may not be acceptable. This option will make each
++iteration take the amount of time specified. The default interval is
++1 second. This option only works with \fB\-w\fP.
++.TP
+ \fB\-n\fP, \fB\-\-numeric\fP
+ Numeric output.
+ IP addresses and port numbers will be printed in numeric format.
+diff -up iptables-1.4.21/iptables/iptables.c.wait-interval iptables-1.4.21/iptables/iptables.c
+--- iptables-1.4.21/iptables/iptables.c.wait-interval 2017-04-05 14:04:04.555346605 +0200
++++ iptables-1.4.21/iptables/iptables.c 2017-04-05 14:04:04.563346679 +0200
+@@ -100,6 +100,7 @@ static struct option original_opts[] = {
+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
+ {.name = "verbose", .has_arg = 0, .val = 'v'},
+ {.name = "wait", .has_arg = 2, .val = 'w'},
++ {.name = "wait-interval", .has_arg = 2, .val = 'W'},
+ {.name = "exact", .has_arg = 0, .val = 'x'},
+ {.name = "fragments", .has_arg = 0, .val = 'f'},
+ {.name = "version", .has_arg = 0, .val = 'V'},
+@@ -252,7 +253,9 @@ exit_printhelp(const struct xtables_rule
+ " network interface name ([+] for wildcard)\n"
+ " --table -t table table to manipulate (default: `filter')\n"
+ " --verbose -v verbose mode\n"
+-" --wait -w [seconds] wait for the xtables lock\n"
++" --wait -w [seconds] maximum wait to acquire xtables lock before give up\n"
++" --wait-interval -W [usecs] wait time to try to acquire xtables lock\n"
++" default is 1 second\n"
+ " --line-numbers print line numbers when listing\n"
+ " --exact -x expand numbers (display exact values)\n"
+ "[!]
--fragment -f match second or further fragments only\n"
+@@ -1316,7 +1319,10 @@ int do_command4(int argc, char *argv[],
+ unsigned int nsaddrs = 0, ndaddrs = 0;
+ struct in_addr *saddrs = NULL, *smasks = NULL;
+ struct in_addr *daddrs = NULL, *dmasks = NULL;
+-
++ struct timeval wait_interval = {
++ .tv_sec = 1,
++ };
++ bool wait_interval_set = false;
+ int verbose = 0;
+ int wait = 0;
+ const char *chain = NULL;
+@@ -1353,7 +1359,7 @@ int do_command4(int argc, char *argv[],
+ opterr = 0;
+ opts = xt_params->orig_opts;
+ while ((cs.c = getopt_long(argc, argv,
+- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46",
++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46",
+ opts, NULL)) != -1) {
+ switch (cs.c) {
+ /*
+@@ -1607,6 +1613,23 @@ int do_command4(int argc, char *argv[],
+ "wait seconds not numeric");
+ break;
+
++ case 'W':
++ if (restore) {
++ xtables_error(PARAMETER_PROBLEM,
++ "You cannot use `-W' from "
++ "iptables-restore");
++ }
++ if (optarg)
++ parse_wait_interval(optarg, &wait_interval);
++ else if (optind < argc &&
++ argv[optind][0] != '-' &&
++ argv[optind][0] != '!')
++ parse_wait_interval(argv[optind++],
++ &wait_interval);
++
++ wait_interval_set = true;
++ break;
++
+ case 'm':
+ command_match(&cs);
+ break;
+@@ -1707,6 +1730,10 @@ int do_command4(int argc, char *argv[],
+ cs.invert = FALSE;
+ }
+
++ if (!wait && wait_interval_set)
++ xtables_error(PARAMETER_PROBLEM,
++ "--wait-interval only makes sense with --wait\n");
++
+ if (strcmp(*table, "nat") == 0 &&
+ ((policy != NULL && strcmp(policy, "DROP") == 0) ||
+ (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0)))
+@@ -1757,7 +1784,7 @@ int do_command4(int argc, char *argv[],
+ generic_opt_check(command, cs.options);
+
+ /* Attempt to acquire the xtables lock */
+- if (!restore && !xtables_lock(wait)) {
++ if (!restore && !xtables_lock(wait, &wait_interval)) {
+ fprintf(stderr, "Another app is currently holding the xtables lock.
");
+ if (wait == 0)
+ fprintf(stderr, "Perhaps you want to use the -w option?\n");
+diff -up iptables-1.4.21/iptables/xshared.c.wait-interval iptables-1.4.21/iptables/xshared.c
+--- iptables-1.4.21/iptables/xshared.c.wait-interval 2017-04-05 14:04:04.557346624 +0200
++++ iptables-1.4.21/iptables/xshared.c 2017-04-05 14:04:04.563346679 +0200
+@@ -9,12 +9,15 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
++#include
+ #include "xshared.h"
+
+ #define XT_LOCK_NAME "/run/xtables.lock"
++#define BASE_MICROSECONDS 100000
+
+ /*
+ * Print out any special helps. A user might like to be able to add a --help
+@@ -244,9 +247,15 @@ void xs_init_match(struct xtables_match
+ match->init(match->m);
+ }
+
+-bool xtables_lock(int wait)
++bool xtables_lock(int wait, struct timeval *wait_interval)
+ {
+- int fd, waited = 0, i = 0;
++ struct timeval time_left, wait_time, waited_time;
++ int fd, i = 0;
++
++ time_left.tv_sec = wait;
++ time_left.tv_usec = 0;
++ waited_time.tv_sec = 0;
++ waited_time.tv_usec = 0;
+
+ fd = open(XT_LOCK_NAME, O_CREAT, 0600);
+ if (fd < 0)
+@@ -255,12 +264,43 @@ bool xtables_lock(int wait)
+ while (1) {
+ if (flock(fd, LOCK_EX | LOCK_NB) == 0)
+ return true;
+- else if (wait >= 0 && waited >= wait)
++ if (++i % 10 == 0) {
++ if (wait != -1)
++ fprintf(stderr, "Another app is currently holding the xtables lock; "
++ "still %lds %ldus time ahead to have a chance to grab the lock...\n",
++ time_left.tv_sec, time_left.tv_usec);
++ else
++ fprintf(stderr, "Another app is currently holding the xtables lock; "
++ "waiting for it to exit...\n");
++ }
++
++ wait_time = *wait_interval;
++ select(0, NULL, NULL, NULL, &wait_time);
++ if (wait == -1)
++ continue;
++
++ timeradd(&waited_time, wait_interval, &waited_time);
++ timersub(&time_left, wait_interval, &time_left);
++ if (!timerisset(&time_left))
+ return false;
+- if (++i % 2 == 0)
+- fprintf(stderr, "Another app is currently holding the xtables lock; "
+- "waiting (%ds) for it
to exit...\n", waited);
+- waited++;
+- sleep(1);
+ }
+ }
++
++void parse_wait_interval(const char *str, struct timeval *wait_interval)
++{
++ unsigned int usec;
++ int ret;
++
++ ret = sscanf(str, "%u", &usec);
++ if (ret == 1) {
++ if (usec > 999999)
++ xtables_error(PARAMETER_PROBLEM,
++ "too long usec wait %u > 999999 usec",
++ usec);
++
++ wait_interval->tv_sec = 0;
++ wait_interval->tv_usec = usec;
++ return;
++ }
++ xtables_error(PARAMETER_PROBLEM, "wait interval not numeric");
++}
+diff -up iptables-1.4.21/iptables/xshared.h.wait-interval iptables-1.4.21/iptables/xshared.h
+--- iptables-1.4.21/iptables/xshared.h.wait-interval 2017-04-05 14:04:04.555346605 +0200
++++ iptables-1.4.21/iptables/xshared.h 2017-04-05 14:04:04.563346679 +0200
+@@ -84,7 +84,9 @@ extern struct xtables_match *load_proto(
+ extern int subcmd_main(int, char **, const struct subcommand *);
+ extern void xs_init_target(struct xtables_target *);
+ extern void xs_init_match(struct xtables_match *);
+-extern bool xtables_lock(int wait);
++bool xtables_lock(int wait, struct timeval *wait_interval);
++
++void parse_wait_interval(const char *str, struct timeval *wait_interval);
+
+ extern const struct xtables_afinfo *afinfo;
+
diff --git a/SOURCES/iptables-1.4.21-wait_seconds.patch
new file mode 100644
index 0000000..4fb5cbc
--- /dev/null
+++ b/SOURCES/iptables-1.4.21-wait_seconds.patch
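Review bot: parse_wait_interval, added at the end of the xshared.c hunk, validates its input with `sscanf(str, "%u", &usec)`, which stops at the first non-digit and accepts a leading sign, so `-W 100abc` is silently taken as 100 and the only rejected inputs are those with no digits at all; every other numeric option in this import has the same shape but this one is the lone place where a too-large value is a hard error, so the parse should be exact. Switching to strtoul with an end-pointer check rejects trailing text and range errors while keeping both existing messages; a negative string still ends in the `too long usec wait` error because strtoul wraps it. The `#include` lines of this hunk have their file names stripped in this rendering, so whether `<errno.h>` is already included cannot be confirmed here. The `select()` call in xtables_lock is also unchecked; if it is interrupted, the loop still charges a full `wait_interval` against `time_left`.

```c
void parse_wait_interval(const char *str, struct timeval *wait_interval)
{
	char *end;
	unsigned long usec;

	errno = 0;
	usec = strtoul(str, &end, 10);
	/* reject empty input, trailing text and out-of-range values */
	if (end == str || *end != '\0' || errno == ERANGE)
		xtables_error(PARAMETER_PROBLEM, "wait interval not numeric");
	if (usec > 999999)
		xtables_error(PARAMETER_PROBLEM,
			      "too long usec wait %lu > 999999 usec", usec);

	wait_interval->tv_sec = 0;
	wait_interval->tv_usec = usec;
}
```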
@@ -0,0 +1,288 @@
+twoerner: Adapted version of the upstream patch for 1.4.21
+
+
+From aaa4ace72ba1d195bbf436134a336816c33f7bd0 Mon Sep 17 00:00:00 2001
+From: Jiri Popelka
+Date: Fri, 4 Jul 2014 15:50:41 +0200
+Subject: iptables: add optional [seconds] argument to -w
+
+This patch adds an optional numeric argument
+to -w option (added with 93587a0) so one can
+specify how long to wait for an exclusive lock.
+
+If the value isn't specified it works as before,
+i.e. program waits indefinitely.
+
+If user specifies it, program exits after
+the given time interval passes.
+
+This patch also adds the -w/--wait to nftables
+compat code, so the parser doesn't complain.
+
+[ In the original patch, iptables-compat -w X was not working,
+ I have fixed by adding the dummy code not to break scripts
+ using the new optional argument --pablo ]
+
+Signed-off-by: Jiri Popelka
+Signed-off-by: Pablo Neira Ayuso
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 2ebfd6c..8db13b4 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -102,7 +102,7 @@ static struct option original_opts[] = {
+ {.name = "numeric", .has_arg = 0, .val = 'n'},
+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
+ {.name = "verbose", .has_arg = 0, .val = 'v'},
+- {.name = "wait", .has_arg = 0, .val = 'w'},
++ {.name = "wait", .has_arg = 2, .val = 'w'},
+ {.name = "exact", .has_arg = 0, .val = 'x'},
+ {.name = "version", .has_arg = 0, .val = 'V'},
+ {.name = "help", .has_arg = 2, .val = 'h'},
+@@ -258,7 +258,7 @@ exit_printhelp(const struct xtables_rule_match *matches)
+ " network interface name ([+] for wildcard)\n"
+ " --table -t table table to manipulate (default: `filter')\n"
+ " --verbose -v verbose mode\n"
+-" --wait -w wait for the xtables lock\n"
++" --wait -w [seconds] wait for the xtables lock\n"
+ " --line-numbers print line numbers when listing\n"
+ " --exact -x expand numbers (display exact values)\n"
+ /*"[!]
--fragment -f match second or further fragments only\n"*/
+@@ -1322,7 +1322,7 @@ int do_command6(int argc, char *argv[], char **table,
+ struct in6_addr *smasks = NULL, *dmasks = NULL;
+
+ int verbose = 0;
+- bool wait = false;
++ int wait = 0;
+ const char *chain = NULL;
+ const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
+ const char *policy = NULL, *newname = NULL;
+@@ -1358,7 +1358,7 @@ int do_command6(int argc, char *argv[], char **table,
+
+ opts = xt_params->orig_opts;
+ while ((cs.c = getopt_long(argc, argv,
+- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvwnt:m:xc:g:46",
++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvw::nt:m:xc:g:46",
+ opts, NULL)) != -1) {
+ switch (cs.c) {
+ /*
+@@ -1602,7 +1602,16 @@ int do_command6(int argc, char *argv[], char **table,
+ "You cannot use `-w' from "
+ "ip6tables-restore");
+ }
+- wait = true;
++ wait = -1;
++ if (optarg) {
++ if (sscanf(optarg, "%i", &wait) != 1)
++ xtables_error(PARAMETER_PROBLEM,
++ "wait seconds not numeric");
++ } else if (optind < argc && argv[optind][0] != '-'
++ && argv[optind][0] != '!')
++ if (sscanf(argv[optind++], "%i", &wait) != 1)
++ xtables_error(PARAMETER_PROBLEM,
++ "wait seconds not numeric");
+ break;
+
+ case 'm':
+@@ -1753,8 +1762,11 @@ int do_command6(int argc, char *argv[], char **table,
+
+ /* Attempt to acquire the xtables lock */
+ if (!restore && !xtables_lock(wait)) {
+- fprintf(stderr, "Another app is currently holding the xtables lock. "
+- "Perhaps you want to use the -w option?\n");
++ fprintf(stderr, "Another app is currently holding the xtables lock.
");
++ if (wait == 0)
++ fprintf(stderr, "Perhaps you want to use the -w option?\n");
++ else
++ fprintf(stderr, "Stopped waiting after %ds.\n", wait);
+ xtables_free_opts(1);
+ exit(RESOURCE_PROBLEM);
+ }
+diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
+index 8ef222e..ceba5dc 100644
+--- a/iptables/iptables.8.in
++++ b/iptables/iptables.8.in
+@@ -361,12 +361,13 @@ For appending, insertion, deletion and replacement, this causes
+ detailed information on the rule or rules to be printed. \fB\-v\fP may be
+ specified multiple times to possibly emit more detailed debug statements.
+ .TP
+-\fB\-w\fP, \fB\-\-wait\fP
++\fB\-w\fP, \fB\-\-wait\fP [\fIseconds\fP]
+ Wait for the xtables lock.
+ To prevent multiple instances of the program from running concurrently,
+ an attempt will be made to obtain an exclusive lock at launch. By default,
+ the program will exit if the lock cannot be obtained. This option will
+-make the program wait until the exclusive lock can be obtained.
++make the program wait (indefinitely or for optional \fIseconds\fP) until
++the exclusive lock can be obtained.
+ .TP
+ \fB\-n\fP, \fB\-\-numeric\fP
+ Numeric output.
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index 471bff0..88953c4 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -99,7 +99,7 @@ static struct option original_opts[] = {
+ {.name = "numeric", .has_arg = 0, .val = 'n'},
+ {.name = "out-interface", .has_arg = 1, .val = 'o'},
+ {.name = "verbose", .has_arg = 0, .val = 'v'},
+- {.name = "wait", .has_arg = 0, .val = 'w'},
++ {.name = "wait", .has_arg = 2, .val = 'w'},
+ {.name = "exact", .has_arg = 0, .val = 'x'},
+ {.name = "fragments", .has_arg = 0, .val = 'f'},
+ {.name = "version", .has_arg = 0, .val = 'V'},
+@@ -252,7 +252,7 @@ exit_printhelp(const struct xtables_rule_match *matches)
+ " network interface name ([+] for wildcard)\n"
+ " --table -t table table to manipulate (default: `filter')\n"
+ " --verbose -v verbose mode\n"
+-" --wait -w wait for the xtables lock\n"
++" --wait -w [seconds] wait for the xtables lock\n"
+ " --line-numbers print line numbers when listing\n"
+ " --exact -x expand numbers (display exact values)\n"
+ "[!] --fragment -f match second or further fragments only\n"
+@@ -1318,7 +1318,7 @@ int do_command4(int argc, char *argv[], char **table,
+ struct in_addr *daddrs = NULL, *dmasks = NULL;
+
+ int verbose = 0;
+- bool wait = false;
++ int wait = 0;
+ const char *chain = NULL;
+ const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
+ const char *policy = NULL, *newname = NULL;
+@@ -1351,10 +1351,9 @@ int do_command4(int argc, char *argv[], char **table,
+ /* Suppress error messages: we may add new options if we
+ demand-load a protocol.
*/
+ opterr = 0;
+-
+ opts = xt_params->orig_opts;
+ while ((cs.c = getopt_long(argc, argv,
+- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvwnt:m:xc:g:46",
++ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46",
+ opts, NULL)) != -1) {
+ switch (cs.c) {
+ /*
+@@ -1596,7 +1595,16 @@ int do_command4(int argc, char *argv[], char **table,
+ "You cannot use `-w' from "
+ "iptables-restore");
+ }
+- wait = true;
++ wait = -1;
++ if (optarg) {
++ if (sscanf(optarg, "%i", &wait) != 1)
++ xtables_error(PARAMETER_PROBLEM,
++ "wait seconds not numeric");
++ } else if (optind < argc && argv[optind][0] != '-'
++ && argv[optind][0] != '!')
++ if (sscanf(argv[optind++], "%i", &wait) != 1)
++ xtables_error(PARAMETER_PROBLEM,
++ "wait seconds not numeric");
+ break;
+
+ case 'm':
+@@ -1750,8 +1758,11 @@ int do_command4(int argc, char *argv[], char **table,
+
+ /* Attempt to acquire the xtables lock */
+ if (!restore && !xtables_lock(wait)) {
+- fprintf(stderr, "Another app is currently holding the xtables lock. "
+- "Perhaps you want to use the -w option?\n");
++ fprintf(stderr, "Another app is currently holding the xtables lock.
");
++ if (wait == 0)
++ fprintf(stderr, "Perhaps you want to use the -w option?\n");
++ else
++ fprintf(stderr, "Stopped waiting after %ds.\n", wait);
+ xtables_free_opts(1);
+ exit(RESOURCE_PROBLEM);
+ }
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 6c9992e..b18022e 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -243,10 +243,11 @@ void xs_init_match(struct xtables_match *match)
+ match->init(match->m);
+ }
+
+-bool xtables_lock(bool wait)
++bool xtables_lock(int wait)
+ {
+ int i = 0, ret, xt_socket;
+ struct sockaddr_un xt_addr;
++ int waited = 0;
+
+ memset(&xt_addr, 0, sizeof(xt_addr));
+ xt_addr.sun_family = AF_UNIX;
+@@ -261,11 +262,12 @@ bool xtables_lock(bool wait)
+ offsetof(struct sockaddr_un, sun_path)+XT_SOCKET_LEN);
+ if (ret == 0)
+ return true;
+- else if (wait == false)
++ else if (wait >= 0 && waited >= wait)
+ return false;
+ if (++i % 2 == 0)
+ fprintf(stderr, "Another app is currently holding the xtables lock; "
+- "waiting for it to exit...\n");
++ "waiting (%ds) for it to exit...\n", waited);
++ waited++;
+ sleep(1);
+ }
+ }
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index 27c5b78..40dd915 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -84,7 +84,7 @@ extern struct xtables_match *load_proto(struct iptables_command_state *);
+ extern int subcmd_main(int, char **, const struct subcommand *);
+ extern void xs_init_target(struct xtables_target *);
+ extern void xs_init_match(struct xtables_match *);
+-extern bool xtables_lock(bool wait);
++extern bool xtables_lock(int wait);
+
+ extern const struct xtables_afinfo *afinfo;
+
+#diff --git a/iptables/xtables.c b/iptables/xtables.c
+#index 45a5ac6..d661dd1 100644
+#--- a/iptables/xtables.c
+#+++ b/iptables/xtables.c
+#@@ -85,6 +85,7 @@ static struct option original_opts[] = {
+# {.name = "numeric", .has_arg = 0, .val = 'n'},
+# {.name = "out-interface", .has_arg = 1, .val = 'o'},
+# {.name = "verbose", .has_arg = 0, .val = 'v'},
+#+ {.name =
"wait", .has_arg = 2, .val = 'w'},
+# {.name = "exact", .has_arg = 0, .val = 'x'},
+# {.name = "fragments", .has_arg = 0, .val = 'f'},
+# {.name = "version", .has_arg = 0, .val = 'V'},
+#@@ -683,6 +684,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
+# {
+# struct iptables_command_state cs;
+# int verbose = 0;
+#+ int wait = 0;
+# const char *chain = NULL;
+# const char *policy = NULL, *newname = NULL;
+# unsigned int rulenum = 0, command = 0;
+#@@ -722,7 +724,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
+#
+# opts = xt_params->orig_opts;
+# while ((cs.c = getopt_long(argc, argv,
+#- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46",
+#+ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::nt:m:xc:g:46",
+# opts, NULL)) != -1) {
+# switch (cs.c) {
+# /*
+#@@ -1007,6 +1009,15 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
+# "You cannot use `-w' from "
+# "iptables-restore");
+# }
+#+ if (optarg) {
+#+ if (sscanf(optarg, "%i", &wait) != 1)
+#+ xtables_error(PARAMETER_PROBLEM,
+#+ "wait seconds not numeric");
+#+ } else if (optind < argc && argv[optind][0] != '-'
+#+ && argv[optind][0] != '!')
+#+ if (sscanf(argv[optind++], "%i", &wait) != 1)
+#+ xtables_error(PARAMETER_PROBLEM,
+#+ "wait seconds not numeric");
+# break;
+#
+# case '0':
+--
+cgit v0.10.2
+
diff --git a/SOURCES/iptables-c513cc3-rhbz_1298879.patch
new file mode 100644
index 0000000..136b648
--- /dev/null
+++ b/SOURCES/iptables-c513cc3-rhbz_1298879.patch
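Review bot: The `-w` argument in the do_command6 and do_command4 hunks is read with `sscanf(optarg, "%i", &wait)`, so `%i` accepts base prefixes (`0x10`, `010`), stops at the first non-digit (`5s` becomes 5) and lets a negative value through, where anything below zero is then treated by xtables_lock like the `-1` "wait forever" sentinel rather than rejected. The same ten lines are duplicated in both files and a third time in the `#`-disabled do_commandx block, and the inner `if` under the braceless `else if` is the kind of nesting the rest of these hunks brace; a single strict helper in xshared.c next to xtables_lock, called as `wait = parse_wait_time(optarg);` from each site, removes both problems. Each do_command body continues outside its hunks.

```c
/* Parse the optional [seconds] argument of -w: decimal only, no sign,
 * no trailing text; anything else is a usage error. */
int parse_wait_time(const char *str)
{
	char *end;
	long wait;

	errno = 0;
	wait = strtol(str, &end, 10);
	if (end == str || *end != '\0' || errno == ERANGE ||
	    wait < 0 || wait > INT_MAX)
		xtables_error(PARAMETER_PROBLEM, "wait seconds not numeric");
	return (int)wait;
}
```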
@@ -0,0 +1,34 @@
+From c513cc3dd10231f267548d644dcb7632516a2348 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Fri, 10 Jun 2016 14:57:58 +0200
+Subject: ip6tables: Warn about use of DROP in nat table
+
+Clone of 1eada72b with 9bb76094 and e0390bee on top.
+
+Signed-off-by: Thomas Woerner
+Signed-off-by: Pablo Neira Ayuso
+---
+ iptables/ip6tables.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 2731209..c48ddf9 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1720,6 +1720,13 @@ int do_command6(int argc, char *argv[], char **table,
+ cs.invert = FALSE;
+ }
+
++ if (strcmp(*table, "nat") == 0 &&
++ ((policy != NULL && strcmp(policy, "DROP") == 0) ||
++ (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0)))
++ xtables_error(PARAMETER_PROBLEM,
++ "\nThe \"nat\" table is not intended for filtering, "
++ "the use of DROP is therefore inhibited.\n\n");
++
+ for (matchp = cs.matches; matchp; matchp = matchp->next)
+ xtables_option_mfcall(matchp->match);
+ if (cs.target != NULL)
+--
+cgit v0.12
+
diff --git a/SOURCES/iptables-config
new file mode 100644
index 0000000..3d7e176
--- /dev/null
+++ b/SOURCES/iptables-config
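Review bot: The message passed to xtables_error in the new do_command6 check opens with `\n` and closes with `\n\n`, whereas every other xtables_error string in this import (`wait seconds not numeric`, `You cannot use `-W' from ...`, `wait interval not numeric`) is a bare sentence and lets the error printer supply the framing, so this one will stand out as a blank-line-padded block in scripted output. Dropping the padding, `"The \"nat\" table is not intended for filtering, the use of DROP is therefore inhibited"`, keeps it in line with the rest. The subject says this is a clone of the iptables.c check; if that one also carries the padding, the two should at least agree. do_command6 continues outside the hunk.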
@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+# Value: yes|no, default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+# Value: yes|no, default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+# Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+# Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+# Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000
diff --git a/SOURCES/iptables-do_not_lock_again_and_again.patch
new file mode 100644
index 0000000..6d4913d
--- /dev/null
+++ b/SOURCES/iptables-do_not_lock_again_and_again.patch
@@ -0,0 +1,78 @@
+commit 24f8174646123c2833bc87967b366796231b04e0
+Author: Liping Zhang
+Date: Sun Feb 5 21:57:34 2017 +0800
+
+ xshared: do not lock again and again if "-w" option is not specified
+
+ After running the following commands, some confusing messages was printed
+ out:
+ # while : ; do
+ iptables -A INPUT &
+ iptables -D INPUT &
+ done
+ [...]
+ Another app is currently holding the xtables lock; still -9s 0us time
+ ahead to have a chance to grab the lock...
+ Another app is currently holding the xtables lock; still -29s 0us time
+ ahead to have a chance to grab the lock...
+
+ If "-w" option is not specified, the "wait" will be zero, so we should
+ check whether the timer_left is less than wait_interval before we call
+ select to sleep.
+
+ Also remove unused "BASE_MICROSECONDS" and "struct timeval waited_time"
+ introduced by commit e8f857a5a151 ("xtables: Add an interval option for
+ xtables lock wait").
+
+ Fixes: e8f857a5a151 ("xtables: Add an interval option for xtables lock wait")
+ Signed-off-by: Liping Zhang
+
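Review bot: Two comments in the new iptables-config contradict the values next to them. `IPTABLES_STATUS_VERBOSE="no"` sits under `# Value: yes|no, default: yes`, so either the default or the shipped value is wrong. The `IPTABLES_RESTORE_WAIT_INTERVAL` block documents `# Default: 1000000` and ships the commented example `#IPTABLES_RESTORE_WAIT_INTERVAL=1000000`, but parse_wait_interval in iptables-1.4.21-wait-interval.patch rejects anything above 999999 with `too long usec wait`, so uncommenting the example as written would presumably make the iptables-restore call fail (how the init script passes the value is not on this page). Rewording it to `# Default: -none- (iptables-restore waits 1 second between attempts)` and adding `# Allowed range: 1 .. 999999` keeps the file consistent with the option it configures.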
Signed-off-by: Pablo Neira Ayuso
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index cccb8ae..055acf2 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -17,7 +17,6 @@
+ #include "xshared.h"
+
+ #define XT_LOCK_NAME "/run/xtables.lock"
+-#define BASE_MICROSECONDS 100000
+
+ /*
+ * Print out any special helps. A user might like to be able to add a --help
+@@ -249,13 +248,11 @@ void xs_init_match(struct xtables_match *match)
+
+ bool xtables_lock(int wait, struct timeval *wait_interval)
+ {
+- struct timeval time_left, wait_time, waited_time;
++ struct timeval time_left, wait_time;
+ int fd, i = 0;
+
+ time_left.tv_sec = wait;
+ time_left.tv_usec = 0;
+- waited_time.tv_sec = 0;
+- waited_time.tv_usec = 0;
+
+ fd = open(XT_LOCK_NAME, O_CREAT, 0600);
+ if (fd < 0)
+@@ -264,6 +261,9 @@ bool xtables_lock(int wait, struct timeval *wait_interval)
+ while (1) {
+ if (flock(fd, LOCK_EX | LOCK_NB) == 0)
+ return true;
++ else if (wait >= 0 && timercmp(&time_left, wait_interval, <))
++ return false;
++
+ if (++i % 10 == 0) {
+ if (wait != -1)
+ fprintf(stderr, "Another app is currently holding the xtables lock; "
+@@ -279,10 +279,7 @@ bool xtables_lock(int wait, struct timeval *wait_interval)
+ if (wait == -1)
+ continue;
+
+- timeradd(&waited_time, wait_interval, &waited_time);
+ timersub(&time_left, wait_interval, &time_left);
+- if (!timerisset(&time_left))
+- return false;
+ }
+ }
+
diff --git a/SOURCES/iptables-do_not_set_changed_for_check_options.patch
new file mode 100644
index 0000000..f36e064
--- /dev/null
+++ b/SOURCES/iptables-do_not_set_changed_for_check_options.patch
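Review bot: With the early `timercmp(&time_left, wait_interval, <)` return now the only exit from the wait loop, the bookkeeping in `timersub(&time_left, wait_interval, &time_left)` assumes every iteration really slept for the whole interval, but the `select()` between the two hunks (visible in iptables-1.4.21-wait-interval.patch) is unchecked, so an interrupted sleep still charges a full interval and a `-w` deadline can be reached early. Checking the call, `if (select(0, NULL, NULL, NULL, &wait_time) < 0 && errno == EINTR) continue;` before the `if (wait == -1)` line, retries without consuming budget; whether `<errno.h>` is already included in xshared.c is not visible here. The rest of xtables_lock, including the select()/fprintf lines, lies between and outside the hunks.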
@@ -0,0 +1,79 @@ +commit 9b8cb7564a53865bf0e239bbc3e057de70edf65d +Author: Dan Williams +Date: Sat Feb 25 22:02:03 2017 -0600 + + libiptc: don't set_changed() when checking rules with module jumps + + Checking a rule that includes a jump to a module-based target currently + sets the "changed" flag on the handle, which then causes TC_COMMIT() to + run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This + seems wrong for simply checking rules, an operation which is documented + as "...does not alter the existing iptables configuration..." but yet + it clearly could do so. + + Fix that by ensuring that rule check operations for module targets + don't set the changed flag, and thus exit early from TC_COMMIT(). + + Signed-off-by: Dan Williams + 
Signed-off-by: Pablo Neira Ayuso + +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index 2c66d04..a6e7057 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -1686,7 +1686,8 @@ iptcc_standard_map(struct rule_head *r, int verdict) + + static int + iptcc_map_target(struct xtc_handle *const handle, +- struct rule_head *r) ++ struct rule_head *r, ++ bool dry_run) + { + STRUCT_ENTRY *e = r->entry; + STRUCT_ENTRY_TARGET *t = GET_TARGET(e); +@@ -1731,7 +1732,8 @@ iptcc_map_target(struct xtc_handle *const handle, + 0, + FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name)); + r->type = IPTCC_R_MODULE; +- set_changed(handle); ++ if (!dry_run) ++ set_changed(handle); + return 1; + } + +@@ -1781,7 +1783,7 @@ TC_INSERT_ENTRY(const IPT_CHAINLABEL chain, + memcpy(r->entry, e, e->next_offset); + r->counter_map.maptype = COUNTER_MAP_SET; + +- if (!iptcc_map_target(handle, r)) { ++ if (!iptcc_map_target(handle, r, false)) { + free(r); + return 0; + } +@@ -1831,7 +1833,7 @@ TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain, + memcpy(r->entry, e, e->next_offset); + r->counter_map.maptype = COUNTER_MAP_SET; + +- if (!iptcc_map_target(handle, r)) { ++ if (!iptcc_map_target(handle, r, false)) { + free(r); + return 0; + } +@@ -1870,7 +1872,7 @@ TC_APPEND_ENTRY(const IPT_CHAINLABEL chain, + memcpy(r->entry, e, e->next_offset); + r->counter_map.maptype = COUNTER_MAP_SET; + +- if (!iptcc_map_target(handle, r)) { ++ if (!iptcc_map_target(handle, r, false)) { + DEBUGP("unable to map target of rule for chain `%s'\n", chain); + free(r); + return 0; +@@ -1976,7 +1978,7 @@ static int delete_entry(const IPT_CHAINLABEL chain, const STRUCT_ENTRY *origfw, + + memcpy(r->entry, origfw, origfw->next_offset); + r->counter_map.maptype = COUNTER_MAP_NOMAP; +- if (!iptcc_map_target(handle, r)) { ++ if (!iptcc_map_target(handle, r, dry_run)) { + DEBUGP("unable to map target of rule for chain `%s'\n", chain); + free(r); + return 0; 
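Review bot: The `dry_run` guard covers only the `IPTCC_R_MODULE` branch of iptcc_map_target() shown in the hunk; if the function's earlier branches (outside the hunk) also call set_changed(), a rule check against a standard or chain-jump target still marks the handle dirty, which is the behaviour the commit sets out to remove, so those branches deserve the same look. The new parameter also deserves a line at the definition, e.g. `/* dry_run: resolve the target but leave the handle's changed flag untouched (rule check only) */`. iptcc_map_target(), the three `false` call sites and delete_entry() all start outside the hunks.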
diff --git a/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch b/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch new file mode 100644 index 0000000..750fa48 --- /dev/null +++ b/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch @@ -0,0 +1,152 @@ +From 7450d63abf0608efba8d48858e54ff23f2179300 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 11 May 2018 15:29:24 +0200 +Subject: [PATCH] iptables-restore/save: exit when given an unknown option + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078 +Upstream Status: iptables commit d89dc47ab3875 +Conflicts: + * Context changes in ip{6,}tables-restore.c + * xtables-{save,restore}.c not present here. + +commit d89dc47ab3875f6fe6679cebceccd2000bf81b8e +Author: Vincent Bernat +Date: Sat Apr 15 12:16:47 2017 +0200 + + iptables-restore/save: exit when given an unknown option + + When an unknown option is given, iptables-restore should exit instead of + continue its operation. For example, if `--table` was misspelled, this + could lead to an unwanted change. Moreover, exit with a status code of + 1. Make the same change for iptables-save. + + OTOH, exit with a status code of 0 when requesting help. + + Signed-off-by: Vincent Bernat + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 10 +++++----- + iptables/ip6tables-save.c | 4 ++++ + iptables/iptables-restore.c | 10 +++++----- + iptables/iptables-save.c | 4 ++++ + 4 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index 0b8b95607febf..0f85fee3593d5 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -48,8 +48,6 @@ static const struct option options[] = { + {NULL}, + }; + +-static void print_usage(const char *name, const char *version) __attribute__((noreturn)); +- + #define prog_name ip6tables_globals.program_name + #define prog_vers ip6tables_globals.program_version + +@@ -66,8 +64,6 @@ static void print_usage(const char *name, const char *version) + " [ --wait-interval=\n" + " [ --noflush ]\n" + " [ --modprobe=]\n", name); +- +- exit(1); + } + + static struct xtc_handle *create_handle(const char *tablename) +@@ -238,7 +234,7 @@ int ip6tables_restore_main(int argc, char *argv[]) + case 'h': + print_usage("ip6tables-restore", + IPTABLES_VERSION); +- break; ++ exit(0); + case 'n': + noflush = 1; + break; +@@ -254,6 +250,10 @@ int ip6tables_restore_main(int argc, char *argv[]) + case 'T': + tablename = optarg; + break; ++ default: ++ fprintf(stderr, ++ "Try `ip6tables-restore -h' for more information.\n"); ++ exit(1); + } + } + +diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c +index 3a1ded162fad1..a64d169fc1211 100644 +--- a/iptables/ip6tables-save.c ++++ b/iptables/ip6tables-save.c +@@ -157,6 +157,10 @@ int ip6tables_save_main(int argc, char *argv[]) + case 'd': + do_output(tablename); + exit(0); ++ default: ++ fprintf(stderr, ++ "Look at manual page `ip6tables-save.8' for more information.\n"); ++ exit(1); + } + } + +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index 7aab1e78d7e0e..6d0df8d1c0f36 100644 +--- a/iptables/iptables-restore.c ++++ 
b/iptables/iptables-restore.c +@@ -45,8 +45,6 @@ static const struct option options[] = { + {NULL}, + }; + +-static void print_usage(const char *name, const char *version) __attribute__((noreturn)); +- + #define prog_name iptables_globals.program_name + #define prog_vers iptables_globals.program_version + +@@ -64,8 +62,6 @@ static void print_usage(const char *name, const char *version) + " [ --wait-interval=\n" + " [ --table=
]\n" + " [ --modprobe=]\n", name); +- +- exit(1); + } + + static struct xtc_handle *create_handle(const char *tablename) +@@ -237,7 +233,7 @@ iptables_restore_main(int argc, char *argv[]) + case 'h': + print_usage("iptables-restore", + IPTABLES_VERSION); +- break; ++ exit(0); + case 'n': + noflush = 1; + break; +@@ -253,6 +249,10 @@ iptables_restore_main(int argc, char *argv[]) + case 'T': + tablename = optarg; + break; ++ default: ++ fprintf(stderr, ++ "Try `iptables-restore -h' for more information.\n"); ++ exit(1); + } + } + +diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c +index 21f8839e8cd82..87bc885735dc3 100644 +--- a/iptables/iptables-save.c ++++ b/iptables/iptables-save.c +@@ -156,6 +156,10 @@ iptables_save_main(int argc, char *argv[]) + case 'd': + do_output(tablename); + exit(0); ++ default: ++ fprintf(stderr, ++ "Look at manual page `iptables-save.8' for more information.\n"); ++ exit(1); + } + } + +-- +2.17.0 + diff --git a/SOURCES/iptables-use_the_blocking_file_lock_request.patch b/SOURCES/iptables-use_the_blocking_file_lock_request.patch new file mode 100644 index 0000000..1cddc36 --- /dev/null +++ b/SOURCES/iptables-use_the_blocking_file_lock_request.patch 
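Review bot: print_usage() loses both its `exit(1)` and its `__attribute__((noreturn))` declaration, but only the `case 'h'` caller in each restore program is updated to `exit(0)`; any other call of print_usage() (outside these hunks, e.g. on a stray positional argument) now returns into code that previously never ran, so the remaining call sites need the same audit. The `default:` message also hard-codes the program name although the file defines `prog_name` a few lines above: `fprintf(stderr, "Try `%s -h' for more information.\n", prog_name);` keeps it in step with renames, assuming `program_name` is already set when options are parsed. The option loops in ip6tables_restore_main() and iptables_restore_main() begin outside the hunks.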
@@ -0,0 +1,91 @@ +commit 72bb3dbf0ecdf3ec96aee80e5d152c8be4394da1 +Author: Liping Zhang +Date: Mon Feb 6 19:47:47 2017 +0800 + + xshared: using the blocking file lock request when we wait indefinitely + + When using "-w" to avoid concurrent instances, we try to do flock() every + one second until it success. But one second maybe too long in some + situations, and it's hard to select a suitable interval time. So when + using "iptables -w" to wait indefinitely, it's better to block until + it become success. + + Now do some performance tests. First, flush all the iptables rules in + filter table, and run "iptables -w -S" endlessly: + # iptables -F + # iptables -X + # while : ; do + iptables -w -S >&- & + done + + Second, after adding and deleting the iptables rules 100 times, measure + the time cost: + # time for i in $(seq 100); do + iptables -w -A INPUT + iptables -w -D INPUT + done + + Before this patch: + real 1m15.962s + user 0m0.224s + sys 0m1.475s + + Apply this patch: + real 0m1.830s + user 0m0.168s + sys 0m1.130s + + Signed-off-by: Liping Zhang + 
Signed-off-by: Pablo Neira Ayuso + +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 055acf2..f0a5ddd 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -1,4 +1,5 @@ + #include ++#include + #include + #include + #include +@@ -258,27 +259,29 @@ bool xtables_lock(int wait, struct timeval *wait_interval) + if (fd < 0) + return true; + ++ if (wait == -1) { ++ if (flock(fd, LOCK_EX) == 0) ++ return true; ++ ++ fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME, ++ strerror(errno)); ++ return false; ++ } ++ + while (1) { + if (flock(fd, LOCK_EX | LOCK_NB) == 0) + return true; +- else if (wait >= 0 && timercmp(&time_left, wait_interval, <)) ++ else if (timercmp(&time_left, wait_interval, <)) + return false; + + if (++i % 10 == 0) { +- if (wait != -1) +- fprintf(stderr, "Another app is currently holding the xtables lock; " +- "still %lds %ldus time ahead to have a chance to grab the lock...\n", +- time_left.tv_sec, time_left.tv_usec); +- else +- fprintf(stderr, "Another app is currently holding the xtables lock; " +- "waiting for it to exit...\n"); ++ fprintf(stderr, "Another app is currently holding the xtables lock; " ++ "still %lds %ldus time ahead to have a chance to grab the lock...\n", ++ time_left.tv_sec, time_left.tv_usec); + } + + wait_time = *wait_interval; + select(0, NULL, NULL, NULL, &wait_time); +- if (wait == -1) +- continue; +- + timersub(&time_left, wait_interval, &time_left); + } + } diff --git a/SOURCES/iptables-xml-fix-segfault-if-missing-space-after-A.patch b/SOURCES/iptables-xml-fix-segfault-if-missing-space-after-A.patch new file mode 100644 index 0000000..033870c --- /dev/null +++ b/SOURCES/iptables-xml-fix-segfault-if-missing-space-after-A.patch 
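Review bot: The blocking `flock(fd, LOCK_EX)` added for `wait == -1` treats every failure as fatal, but a blocking flock() returns -1 with `errno == EINTR` when a signal arrives, so a harmless signal delivered while waiting now aborts with "Can't lock" instead of continuing to wait for the lock. Retrying on EINTR and failing only on other errors preserves the indefinite-wait semantics the commit is after; `fd` could also be closed on the failure path. xtables_lock() begins outside the hunk.
```c
	if (wait == -1) {
		/* Block until the lock is ours; a signal interrupts flock()
		 * with EINTR, which is not a reason to give up. */
		while (flock(fd, LOCK_EX) < 0) {
			if (errno == EINTR)
				continue;
			fprintf(stderr, "Can't lock %s: %s\n", XT_LOCK_NAME,
				strerror(errno));
			return false;
		}
		return true;
	}
	/* … unchanged: non-blocking retry loop for a finite wait … */
```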
@@ -0,0 +1,50 @@
+From c360c1d2af887c8e614ec152fb64717e56fb472d Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 9 Apr 2019 15:22:44 +0200
+Subject: [PATCH] iptables-xml: fix segfault if missing space after -A
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
+Upstream Status: iptables commit f53b78e423d82
+
+commit f53b78e423d82b0c71c076480f52edeb5eaec5f8
+Author: Phil Oester
+Date: Thu Jan 23 22:06:58 2014 -0800
+
+ iptables-xml: fix segfault if missing space after -A
+
+ As pointed out by Bernhard Reutner-Fischer, a malformed line fed to
+ iptables-xml such as the below with a missing space after the -A:
+
+ -APOSTROUTING -d 1.1.1.1/32 -p tcp -j MASQUERADE
+
+ causes a segfault. Patch attached.
+
+ This closes netfilter bugzilla #886.
+
+ Signed-off-by: Phil Oester
+ Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ iptables/iptables-xml.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
+index 49f8ea2826181..769f76550b764 100644
+--- a/iptables/iptables-xml.c
++++ b/iptables/iptables-xml.c
+@@ -777,6 +777,11 @@ iptables_xml_main(int argc, char *argv[])
+ for (a = 0; a < newargc; a++)
+ DEBUGP("argv[%u]: %s\n", a, newargv[a]);
+
++ if (!chain) {
++ fprintf(stderr, "%s: line %u failed - no chain found\n",
++ prog_name, line);
++ exit(1);
++ }
+ needChain(chain);// Should we explicitly look for -A
+ do_rule(pcnt, bcnt, newargc, newargv, newargvattr);
+
+--
+2.21.0
+
diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init
new file mode 100755
index 0000000..c0f15f1
--- /dev/null
+++ b/SOURCES/iptables.init
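Review bot: The new `if (!chain)` guard fixes the crash but gives the reader no hint why `chain` can be NULL at this point; a comment such as `/* "-A" glued to the chain name (e.g. "-APOSTROUTING") leaves chain unset; refuse the line rather than crash in needChain() */` records the case the commit message describes. `exit(1)` here ends the program in the middle of its output, so any XML already emitted is presumably left unterminated — acceptable for malformed input, but worth a word in the comment. iptables_xml_main() begins and ends outside the hunk.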
@@ -0,0 +1,430 @@ +#!/bin/bash +# +# iptables Start iptables firewall +# +# chkconfig: 2345 08 92 +# description: Starts, stops and saves iptables firewall +# +# config: /etc/sysconfig/iptables +# config: /etc/sysconfig/iptables-config +# +### BEGIN INIT INFO +# Provides: iptables +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop iptables firewall +# Description: Start, stop and save iptables firewall +### END INIT INFO + +# Source function library. +. /etc/init.d/functions + +IPTABLES=iptables +IPTABLES_DATA=/etc/sysconfig/$IPTABLES +IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback +IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config +IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 +[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" +PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names +VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES +RESTORECON=$(which restorecon 2>/dev/null) +[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true + +# only usable for root +if [ $EUID != 0 ]; then + echo -n $"${IPTABLES}: Only usable by root."; warning; echo + exit 4 +fi + +if [ ! -x /sbin/$IPTABLES ]; then + echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo + exit 5 +fi + +# Default firewall configuration: +IPTABLES_MODULES="" +IPTABLES_SAVE_ON_STOP="no" +IPTABLES_SAVE_ON_RESTART="no" +IPTABLES_SAVE_COUNTER="no" +IPTABLES_STATUS_NUMERIC="yes" +IPTABLES_STATUS_VERBOSE="no" +IPTABLES_STATUS_LINENUMBERS="yes" +IPTABLES_SYSCTL_LOAD_LIST="" +IPTABLES_RESTORE_WAIT=600 +IPTABLES_RESTORE_WAIT_INTERVAL=1000000 + +# Load firewall configuration. +[ -f "$IPTABLES_CONFIG" ] && . 
"$IPTABLES_CONFIG" + +# Get active tables +NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + +# Prepare commands for wait options +IPTABLES_CMD="$IPTABLES" +IPTABLES_RESTORE_CMD="$IPTABLES-restore" +if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="--wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT+=" --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + IPTABLES_CMD+=" $OPT" + IPTABLES_RESTORE_CMD+=" $OPT" +fi + +flush_n_delete() { + local ret=0 + + # Flush firewall rules and delete chains. + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Check if firewall is configured (has tables) + [ -z "$NF_TABLES" ] && return 1 + + echo -n $"${IPTABLES}: Flushing firewall rules: " + # For all tables + for i in $NF_TABLES; do + # Flush firewall rules. + $IPTABLES_CMD -t $i -F; + let ret+=$?; + + # Delete firewall chains. + $IPTABLES_CMD -t $i -X; + let ret+=$?; + + # Set counter to zero. + $IPTABLES_CMD -t $i -Z; + let ret+=$?; + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +set_policy() { + local ret=0 + + # Set policy for configured tables. + policy=$1 + + # Check if iptable module is loaded + [ ! 
-e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Check if firewall is configured (has tables) + tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) + [ -z "$tables" ] && return 1 + + echo -n $"${IPTABLES}: Setting chains to policy $policy: " + for i in $tables; do + echo -n "$i " + case "$i" in + raw) + $IPTABLES_CMD -t raw -P PREROUTING $policy \ + && $IPTABLES_CMD -t raw -P OUTPUT $policy \ + || let ret+=1 + ;; + filter) + $IPTABLES_CMD -t filter -P INPUT $policy \ + && $IPTABLES_CMD -t filter -P OUTPUT $policy \ + && $IPTABLES_CMD -t filter -P FORWARD $policy \ + || let ret+=1 + ;; + nat) + $IPTABLES_CMD -t nat -P PREROUTING $policy \ + && $IPTABLES_CMD -t nat -P POSTROUTING $policy \ + && $IPTABLES_CMD -t nat -P OUTPUT $policy \ + || let ret+=1 + ;; + mangle) + $IPTABLES_CMD -t mangle -P PREROUTING $policy \ + && $IPTABLES_CMD -t mangle -P POSTROUTING $policy \ + && $IPTABLES_CMD -t mangle -P INPUT $policy \ + && $IPTABLES_CMD -t mangle -P OUTPUT $policy \ + && $IPTABLES_CMD -t mangle -P FORWARD $policy \ + || let ret+=1 + ;; + security) + # Ignore the security table + ;; + *) + let ret+=1 + ;; + esac + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +load_sysctl() { + local ret=0 + + # load matched sysctl values + if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then + echo -n $"Loading sysctl settings: " + for item in $IPTABLES_SYSCTL_LOAD_LIST; do + fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + return $ret +} + +start() { + local ret=0 + + # Do not start if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." 
+ return 150 + fi + + echo -n $"${IPTABLES}: Applying firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; + if [ -f "$IPTABLES_FALLBACK_DATA" ]; then + echo -n $"${IPTABLES}: Applying firewall fallback rules: " + $IPTABLES_RESTORE_CMD $OPT $IPTABLES_FALLBACK_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + else + return 1 + fi + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + touch $VAR_SUBSYS_IPTABLES + return $ret +} + +stop() { + local ret=0 + + # Do not stop if iptables module is not loaded. + [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + + # Set default chain policy to ACCEPT, in order to not break shutdown + # on systems where the default policy is DROP and root device is + # network-based (i.e.: iSCSI, NFS) + set_policy ACCEPT + let ret+=$? + # And then, flush the rules and delete chains + flush_n_delete + let ret+=$? + + rm -f $VAR_SUBSYS_IPTABLES + return $ret +} + +save() { + local ret=0 + + # Check if iptable module is loaded + if [ ! 
-e "$PROC_IPTABLES_NAMES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 0 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 6 + fi + + echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ + && chmod 600 "$TMP_FILE" \ + && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ + && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ + || ret=1 + if [ $ret -eq 0 ]; then + if [ -e $IPTABLES_DATA ]; then + cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ + && chmod 600 $IPTABLES_DATA.save \ + && $RESTORECON $IPTABLES_DATA.save \ + || ret=1 + fi + if [ $ret -eq 0 ]; then + mv -f $TMP_FILE $IPTABLES_DATA \ + && chmod 600 $IPTABLES_DATA \ + && $RESTORECON $IPTABLES_DATA \ + || ret=1 + fi + fi + rm -f $TMP_FILE + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +status() { + if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not running." + return 3 + fi + + # Do not print status if lockfile is missing and iptables modules are not + # loaded. + # Check if iptable modules are loaded + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo $"${IPTABLES}: Firewall modules are not loaded." + return 3 + fi + + # Check if firewall is configured (has tables) + if [ -z "$NF_TABLES" ]; then + echo $"${IPTABLES}: Firewall is not configured. " + return 3 + fi + + NUM= + [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + VERBOSE= + [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" + COUNT= + [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" + + for table in $NF_TABLES; do + echo $"Table: $table" + $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo + done + + return 0 +} + +reload() { + local ret=0 + + # Do not reload if there is no config file. 
+ if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Trying to reload firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; echo "Firewall rules are not changed."; return 1 + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + return $ret +} + +restart() { + [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save + stop + start +} + + +case "$1" in + start) + [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 + start + RETVAL=$? + ;; + stop) + [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save + stop + RETVAL=$? + ;; + restart|force-reload) + restart + RETVAL=$? + ;; + reload) + [ -e "$VAR_SUBSYS_IPTABLES" ] && reload + RETVAL=$? + ;; + condrestart|try-restart) + [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 + restart + RETVAL=$? + ;; + status) + status + RETVAL=$? + ;; + panic) + set_policy DROP + RETVAL=$? + ;; + save) + save + RETVAL=$? + ;; + *) + echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}" + RETVAL=2 + ;; +esac + +exit $RETVAL diff --git a/SOURCES/iptables.panic-legacy b/SOURCES/iptables.panic-legacy new file mode 100644 index 0000000..7eedfce --- /dev/null +++ b/SOURCES/iptables.panic-legacy @@ -0,0 +1,2 @@ +#!/bin/bash +exec /usr/libexec/iptables/iptables.init panic 
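Review bot: status() lists tables with plain `$IPTABLES` while every other function goes through `$IPTABLES_CMD`, so when IPTABLES_RESTORE_WAIT is non-zero the status listing is the one call that does not pass `--wait` and can fail if another iptables instance holds the xtables lock at that moment; `$IPTABLES_CMD -t $table --list $NUM $VERBOSE $COUNT && echo` keeps it consistent. The `[ $IPTABLES_RESTORE_WAIT -ne 0 ]` and `-lt 1000000` tests run unquoted on values sourced from the config file, so an empty or non-numeric setting aborts the script at startup instead of falling back to the defaults; a numeric sanity check right after sourcing `$IPTABLES_CONFIG` would be safer. Note also that `panic` only sets DROP policies and leaves already-loaded ACCEPT rules matching, which may or may not be the intended semantics.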
diff --git a/SOURCES/iptables.save-legacy b/SOURCES/iptables.save-legacy new file mode 100644 index 0000000..accca0e --- /dev/null +++ b/SOURCES/iptables.save-legacy @@ -0,0 +1,2 @@ +#!/bin/bash +exec /usr/libexec/iptables/iptables.init save diff --git a/SOURCES/iptables.service.in b/SOURCES/iptables.service.in new file mode 100644 index 0000000..6722c7a --- /dev/null +++ b/SOURCES/iptables.service.in @@ -0,0 +1,18 @@ +[Unit] +Description=IPv4 firewall with iptables +After=syslog.target +AssertPathExists=/etc/sysconfig/iptables + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/iptables/iptables.init start +ExecReload=/usr/libexec/iptables/iptables.init reload +ExecStop=/usr/libexec/iptables/iptables.init stop +Environment=BOOTUP=serial +Environment=CONSOLETYPE=serial +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=basic.target diff --git a/SOURCES/libiptc-Avoid-side-effect-in-memset-calls.patch b/SOURCES/libiptc-Avoid-side-effect-in-memset-calls.patch new file mode 100644 index 0000000..f6ab7df --- /dev/null +++ b/SOURCES/libiptc-Avoid-side-effect-in-memset-calls.patch @@ -0,0 +1,59 @@ +From 72859f25cb799ba4ac0b532c59bd01be70950f00 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libiptc: Avoid side-effect in memset() calls + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit e6f986762667e + +commit e6f986762667ee2b2d61e7978d460f28916158a3 +Author: Phil Sutter +Date: Mon Sep 10 23:35:14 2018 +0200 + + libiptc: Avoid side-effect in memset() calls + + These calls to memset() are passed a length argument which exceeds + t->target.u.user.name's length by one byte and hence overwrite + t->target.u.user.revision as well (relying upon no padding to happen + between both). + + Avoid this obscure behaviour by passing the correct field size and + explicitly overwriting 'revision' field. + + Signed-off-by: Phil Sutter + 
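Review bot: The unit orders itself only `After=syslog.target`, so nothing prevents network interfaces from coming up before the rule set is loaded, leaving a window at boot with no filtering; adding `Before=network-pre.target` and `Wants=network-pre.target` under `[Unit]` is the documented way to order a firewall ahead of network setup. `AssertPathExists=/etc/sysconfig/iptables` is consistent with the init script, which also refuses to start without that file. `WantedBy=basic.target` pulls the unit in early, but without the network-pre ordering that alone does not guarantee the rules are in place before interfaces are up.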
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libiptc/libiptc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index d2427c16a5254..4c0fbd5d7e68c 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -1115,8 +1115,9 @@ static inline int iptcc_compile_rule (struct xtc_handle *h, STRUCT_REPLACE *repl + STRUCT_STANDARD_TARGET *t; + t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry); + /* memset for memcmp convenience on delete/replace */ +- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN); ++ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN); + strcpy(t->target.u.user.name, STANDARD_TARGET); ++ t->target.u.user.revision = 0; + /* Jumps can only happen to builtin chains, so we + * can safely assume that they always have a header */ + t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE; +@@ -1676,8 +1677,9 @@ iptcc_standard_map(struct rule_head *r, int verdict) + return 0; + } + /* memset for memcmp convenience on delete/replace */ +- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN); ++ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN); + strcpy(t->target.u.user.name, STANDARD_TARGET); ++ t->target.u.user.revision = 0; + t->verdict = verdict; + + r->type = IPTCC_R_STANDARD; +-- +2.21.0 + diff --git a/SOURCES/libiptc-NULL-terminate-errorname.patch b/SOURCES/libiptc-NULL-terminate-errorname.patch new file mode 100644 index 0000000..c17bebc --- /dev/null +++ b/SOURCES/libiptc-NULL-terminate-errorname.patch 
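Review bot: Both replaced calls still spell the field's size as a separate constant, `memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN);`, so the fix relies on `XT_EXTENSION_MAXNAMELEN` matching the array length exactly — the same kind of assumption that made the old `FUNCTION_MAXNAMELEN` call overrun; `memset(t->target.u.user.name, 0, sizeof(t->target.u.user.name));` ties the length to the declaration. The three-line sequence (memset, strcpy of STANDARD_TARGET, `revision = 0`) is now duplicated in iptcc_compile_rule() and iptcc_standard_map(); a small static helper would keep the two in step. Both enclosing functions start and end outside the hunks.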
@@ -0,0 +1,44 @@
+From 9dfd443c3828a3e9a3cf5cf2afb9f0324bacb19a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 15 Mar 2019 17:51:28 +0100
+Subject: [PATCH] libiptc: NULL-terminate errorname
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
+Upstream Status: iptables commit a76ba54e28337
+
+commit a76ba54e2833761c46fd57cbe2486cbc38686717
+Author: Phil Sutter
+Date: Mon Sep 24 19:25:22 2018 +0200
+
+ libiptc: NULL-terminate errorname
+
+ In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence
+ copying its content into 'error_name' field of struct xt_error_target
+ which is two bytes shorter may overflow. Make sure this doesn't happen
+ by using strncpy() and set the last byte to zero.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ libiptc/libiptc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
+index f6a9862ea9f4d..d2427c16a5254 100644
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -1149,7 +1149,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
+ strcpy(head->name.target.u.user.name, ERROR_TARGET);
+ head->name.target.u.target_size =
+ ALIGN(sizeof(struct xt_error_target));
+- strcpy(head->name.errorname, c->name);
++ strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN);
++ head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0';
+ } else {
+ repl->hook_entry[c->hooknum-1] = c->head_offset;
+ repl->underflow[c->hooknum-1] = c->foot_offset;
+--
+2.21.0
+
diff --git a/SOURCES/libiptc-Simplify-alloc_handle-function-signature.patch b/SOURCES/libiptc-Simplify-alloc_handle-function-signature.patch
new file mode 100644
index 0000000..dd95978
--- /dev/null
+++ b/SOURCES/libiptc-Simplify-alloc_handle-function-signature.patch
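Review bot: The new `strncpy()` plus terminator stops the overflow but silently truncates any chain name of `XT_FUNCTION_MAXNAMELEN` characters or more, and since `errorname` is what carries a user-defined chain's name inside the compiled ruleset, a truncated name presumably no longer matches `c->name` when the table is read back. Rejecting over-long names where chains are created would be more robust than truncating here; at minimum a comment should record that `c->name` may be up to two bytes longer than `errorname`, e.g. `/* c->name is TABLE_MAXNAMELEN wide, errorname two bytes shorter: copy bounded and terminate */`. iptcc_compile_chain() begins and ends outside the hunk.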
@@ -0,0 +1,74 @@ +From e64b48b46cec83203ff8de80a1c56be2c40b2c7d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libiptc: Simplify alloc_handle() function signature + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 22ef371abeeec + +commit 22ef371abeeec789bb6a701352dcb961556595c2 +Author: Phil Sutter +Date: Wed Sep 19 15:16:53 2018 +0200 + + libiptc: Simplify alloc_handle() function signature + + This change originated from covscan complaining about the strcpy() call + with an unknown size source buffer. But in fact, the size is known (and + equal to the destination size), so pass a pointer to STRUCT_GETINFO to + alloc_handle() instead of it's fields separately. Hopefully this will + silence covscan. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libiptc/libiptc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index 1f61fde53f1db..f6a9862ea9f4d 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -1269,7 +1269,7 @@ static int iptcc_compile_table(struct xtc_handle *h, STRUCT_REPLACE *repl) + + /* Allocate handle of given size */ + static struct xtc_handle * +-alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) ++alloc_handle(STRUCT_GETINFO *infop) + { + struct xtc_handle *h; + +@@ -1280,14 +1280,14 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) + } + memset(h, 0, sizeof(*h)); + INIT_LIST_HEAD(&h->chains); +- strcpy(h->info.name, tablename); ++ strcpy(h->info.name, infop->name); + +- h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + size); ++ h->entries = malloc(sizeof(STRUCT_GET_ENTRIES) + infop->size); + if (!h->entries) + goto out_free_handle; + +- strcpy(h->entries->name, tablename); +- h->entries->size = size; ++ strcpy(h->entries->name, infop->name); ++ h->entries->size = infop->size; + + return h; + +@@ -1336,8 +1336,8 @@ retry: + DEBUGP("valid_hooks=0x%08x, num_entries=%u, size=%u\n", + info.valid_hooks, info.num_entries, info.size); + +- if ((h = alloc_handle(info.name, info.size, info.num_entries)) +- == NULL) { ++ h = alloc_handle(&info); ++ if (h == NULL) { + close(sockfd); + return NULL; + } +-- +2.21.0 + diff --git a/SOURCES/libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch b/SOURCES/libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch new file mode 100644 index 0000000..654cbba --- /dev/null +++ b/SOURCES/libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch 
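Review bot: alloc_handle() only reads through `infop`, so the new parameter should be `const STRUCT_GETINFO *infop`; the caller passes a local `info` it goes on to use, and const documents that the helper leaves it alone. The two `strcpy(..., infop->name)` calls remain unbounded copies — the commit message argues the source and destination are the same size, but expressing that in code (a bounded copy sized by the destination field) would make the reasoning covscan complained about visible rather than implied, assuming the kernel-returned name is NUL-terminated within its array. The retry loop around the `alloc_handle(&info)` call starts outside the hunk.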
@@ -0,0 +1,42 @@
+From a7bb46f478443597a7e97e81adb13d9619f4b1a7 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 15 Mar 2019 17:51:28 +0100
+Subject: [PATCH] libxt_LED: Avoid string overrun while parsing led-trigger-id
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
+Upstream Status: iptables commit d0c1f1b4ad4e3
+
+commit d0c1f1b4ad4e3b91220a03514031ee879db832d0
+Author: Phil Sutter
+Date: Wed Sep 19 15:16:48 2018 +0200
+
+ libxt_LED: Avoid string overrun while parsing led-trigger-id
+
+ Instead of using strcat() and assuming the name will fit, print into the
+ buffer using snprintf() which truncates the string as needed.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ extensions/libxt_LED.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_LED.c b/extensions/libxt_LED.c
+index 8622c379e68bc..6ada795056431 100644
+--- a/extensions/libxt_LED.c
++++ b/extensions/libxt_LED.c
+@@ -53,8 +53,7 @@ static void LED_parse(struct xt_option_call *cb)
+ xtables_option_parse(cb);
+ switch (cb->entry->id) {
+ case O_LED_TRIGGER_ID:
+- strcpy(led->id, "netfilter-");
+- strcat(led->id, cb->arg);
++ snprintf(led->id, sizeof(led->id), "netfilter-%s", cb->arg);
+ break;
+ case O_LED_DELAY:
+ if (strncasecmp(cb->arg, "inf", 3) == 0)
+--
+2.21.0
+
diff --git a/SOURCES/libxt_conntrack-Avoid-potential-buffer-overrun.patch b/SOURCES/libxt_conntrack-Avoid-potential-buffer-overrun.patch
new file mode 100644
index 0000000..ed84344
--- /dev/null
+++ b/SOURCES/libxt_conntrack-Avoid-potential-buffer-overrun.patch
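Review bot: `snprintf(led->id, sizeof(led->id), "netfilter-%s", cb->arg)` turns the old overrun into a silent truncation, so a trigger id longer than the field now quietly names a different LED trigger than the one the user typed. Checking the return value and rejecting the argument keeps the rule honest: `if (snprintf(led->id, sizeof(led->id), "netfilter-%s", cb->arg) >= (int)sizeof(led->id)) xtables_error(PARAMETER_PROBLEM, "LED: --led-trigger-id too long");`. LED_parse() begins outside the hunk.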
@@ -0,0 +1,62 @@ +From de7ba61cf107f43223eeb640267d24e187047c29 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxt_conntrack: Avoid potential buffer overrun + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 8e798e050367d + +commit 8e798e050367dfe43bb958f11dd3170b03bda49e +Author: Phil Sutter +Date: Wed Sep 19 15:16:50 2018 +0200 + + libxt_conntrack: Avoid potential buffer overrun + + In print_addr(), a resolved hostname is written into a buffer without + size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an + issue, though covscan complained about it. Fix the code by using + conntrack_dump_addr() as an example. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_conntrack.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c +index 3e7075760d40f..804aa23638ca1 100644 +--- a/extensions/libxt_conntrack.c ++++ b/extensions/libxt_conntrack.c +@@ -673,20 +673,20 @@ static void + print_addr(const struct in_addr *addr, const struct in_addr *mask, + int inv, int numeric) + { +- char buf[BUFSIZ]; +- + if (inv) + printf(" !"); + + if (mask->s_addr == 0L && !numeric) +- printf(" %s", "anywhere"); ++ printf(" anywhere"); + else { + if (numeric) +- strcpy(buf, xtables_ipaddr_to_numeric(addr)); ++ printf(" %s%s", ++ xtables_ipaddr_to_numeric(addr), ++ xtables_ipmask_to_numeric(mask)); + else +- strcpy(buf, xtables_ipaddr_to_anyname(addr)); +- strcat(buf, xtables_ipmask_to_numeric(mask)); +- printf(" %s", buf); ++ printf(" %s%s", ++ xtables_ipaddr_to_anyname(addr), ++ xtables_ipmask_to_numeric(mask)); + } + } + +-- +2.21.0 + 
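Review bot: The rewritten print_addr() passes the results of two libxtables helpers in one printf() argument list, so it is only correct if xtables_ipaddr_to_numeric()/xtables_ipaddr_to_anyname() and xtables_ipmask_to_numeric() return pointers to distinct static buffers — argument evaluation order is unspecified in C, and a shared buffer would make the second call clobber the first. That appears to hold in libxtables, but nothing here shows it; a one-line comment above the else branch would protect the next maintainer: `/* the two helpers use separate static buffers, so both may appear in one printf() */`. The same assumption is introduced for ipvs_mt_dump_addr elsewhere in this series.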
diff --git a/SOURCES/libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch b/SOURCES/libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch new file mode 100644 index 0000000..58678d8 --- /dev/null +++ b/SOURCES/libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch @@ -0,0 +1,50 @@ +From c923062439297cbf5b08429123ba214b4efc8798 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:34 +0100 +Subject: [PATCH] libxt_conntrack: Version 0 does not support + XT_CONNTRACK_DIRECTION + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 74eb2395c8384 + +commit 74eb2395c838460384286c2b95f711ae275a46cb +Author: Phil Sutter +Date: Wed Sep 19 15:16:49 2018 +0200 + + libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION + + Since sinfo->flags is only 8 bytes large, checking for + XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return + false, so drop this dead code. + + Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir") + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_conntrack.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c +index 128bbd20a34c2..3e7075760d40f 100644 +--- a/extensions/libxt_conntrack.c ++++ b/extensions/libxt_conntrack.c +@@ -774,14 +774,6 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric, + else + printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max); + } +- +- if (sinfo->flags & XT_CONNTRACK_DIRECTION) { +- if (sinfo->invflags & XT_CONNTRACK_DIRECTION) +- printf(" %sctdir REPLY", optpfx); +- else +- printf(" %sctdir ORIGINAL", optpfx); +- } +- + } + + static void +-- +2.21.0 + diff --git a/SOURCES/libxt_ipvs-Avoid-potential-buffer-overrun.patch b/SOURCES/libxt_ipvs-Avoid-potential-buffer-overrun.patch new file mode 100644 index 0000000..eef1f3f --- /dev/null 
+++ b/SOURCES/libxt_ipvs-Avoid-potential-buffer-overrun.patch @@ -0,0 +1,77 @@ +From 0bf795555728e54db2593a73f90d7820cf3ef4c6 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:34 +0100 +Subject: [PATCH] libxt_ipvs: Avoid potential buffer overrun + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 749d3c2ecd6a9 + +commit 749d3c2ecd6a9dc21f5a442c44495cb705621dff +Author: Phil Sutter +Date: Wed Sep 19 15:16:51 2018 +0200 + + libxt_ipvs: Avoid potential buffer overrun + + Just like with libxt_conntrack, get rid of the temporary buffer. The + comment even states that it was copied from there, so just make them + identical again. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_ipvs.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/extensions/libxt_ipvs.c b/extensions/libxt_ipvs.c +index 46727660a027a..a6c57a030d2c6 100644 +--- a/extensions/libxt_ipvs.c ++++ b/extensions/libxt_ipvs.c +@@ -126,19 +126,19 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr, + const union nf_inet_addr *mask, + unsigned int family, bool numeric) + { +- char buf[BUFSIZ]; +- + if (family == NFPROTO_IPV4) { + if (!numeric && addr->ip == 0) { + printf(" anywhere"); + return; + } + if (numeric) +- strcpy(buf, xtables_ipaddr_to_numeric(&addr->in)); ++ printf(" %s%s", ++ xtables_ipaddr_to_numeric(&addr->in), ++ xtables_ipmask_to_numeric(&mask->in)); + else +- strcpy(buf, xtables_ipaddr_to_anyname(&addr->in)); +- strcat(buf, xtables_ipmask_to_numeric(&mask->in)); +- printf(" %s", buf); ++ printf(" %s%s", ++ xtables_ipaddr_to_anyname(&addr->in), ++ xtables_ipmask_to_numeric(&mask->in)); + } else if (family == NFPROTO_IPV6) { + if (!numeric && addr->ip6[0] == 0 && addr->ip6[1] == 0 && + addr->ip6[2] == 0 && addr->ip6[3] == 0) { +@@ -146,11 +146,13 @@ static void ipvs_mt_dump_addr(const union nf_inet_addr *addr, + return; + } + if (numeric) +- strcpy(buf, xtables_ip6addr_to_numeric(&addr->in6)); ++ printf(" %s%s", ++ xtables_ip6addr_to_numeric(&addr->in6), ++ xtables_ip6mask_to_numeric(&mask->in6)); + else +- strcpy(buf, xtables_ip6addr_to_anyname(&addr->in6)); +- strcat(buf, xtables_ip6mask_to_numeric(&mask->in6)); +- printf(" %s", buf); ++ printf(" %s%s", ++ xtables_ip6addr_to_anyname(&addr->in6), ++ xtables_ip6mask_to_numeric(&mask->in6)); + } + } + +-- +2.21.0 + diff --git a/SOURCES/libxt_recent-Remove-ineffective-checks-for-info-name.patch b/SOURCES/libxt_recent-Remove-ineffective-checks-for-info-name.patch new file mode 100644 index 0000000..61107bd --- /dev/null 
+++ b/SOURCES/libxt_recent-Remove-ineffective-checks-for-info-name.patch @@ -0,0 +1,54 @@ +From 61fd4ee73f2a23eeb2b10b24d19ac13deaf0c177 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxt_recent: Remove ineffective checks for info->name + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit d0e3d95fa3442 + +commit d0e3d95fa3442c6ff32f7fed3e0d2eeb2248ef9f +Author: Phil Sutter +Date: Fri Oct 20 13:24:36 2017 +0200 + + libxt_recent: Remove ineffective checks for info->name + + In struct xt_recent_mtinfo{,_v1}, field 'name' is an array, not a + pointer. So there is no point in comparing it against NULL. Changing the + check to make sure it's content is not an empty string is pointless + either, since a non-empty default string is used and the argument parser + will refuse empty strings as --name argument. So simply get rid of the + checks altogether. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_recent.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c +index e1801f1c18952..055ae35080346 100644 +--- a/extensions/libxt_recent.c ++++ b/extensions/libxt_recent.c +@@ -199,7 +199,7 @@ static void recent_print(const void *ip, const struct xt_entry_match *match, + if(info->hit_count) printf(" hit_count: %d", info->hit_count); + if (info->check_set & XT_RECENT_TTL) + printf(" TTL-Match"); +- if(info->name) printf(" name: %s", info->name); ++ printf(" name: %s", info->name); + if (info->side == XT_RECENT_SOURCE) + printf(" side: source"); + if (info->side == XT_RECENT_DEST) +@@ -239,7 +239,7 @@ static void recent_save(const void *ip, const struct xt_entry_match *match, + if(info->hit_count) printf(" --hitcount %d", info->hit_count); + if (info->check_set & XT_RECENT_TTL) + printf(" --rttl"); +- if(info->name) printf(" --name %s",info->name); ++ printf(" --name %s",info->name); + + switch(family) { + case NFPROTO_IPV4: +-- +2.21.0 + diff --git a/SOURCES/libxt_sctp-fix-array-out-of-range-in-print_chunk.patch b/SOURCES/libxt_sctp-fix-array-out-of-range-in-print_chunk.patch new file mode 100644 index 0000000..040aa79 --- /dev/null +++ b/SOURCES/libxt_sctp-fix-array-out-of-range-in-print_chunk.patch 
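Review bot: With the pointer checks gone, `printf(" name: %s", info->name)` and the --name variant print a fixed-size array straight through `%s`; if that array is not guaranteed NUL-terminated by whoever filled it (kernel match data or the local parser — not visible here), the read runs past it. Bounding the read is cheap and behaviour-preserving for terminated names: `printf(" name: %.*s", (int)sizeof(info->name), info->name);` (and the same for the `--name` line). If termination is guaranteed by the kernel ABI, a comment saying so next to the print would be enough. Both recent_print and recent_save continue outside the hunk.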
@@ -0,0 +1,51 @@ +From db1fcba4cade70fd86e615246bb03acd94cc4cd9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxt_sctp: fix array out of range in print_chunk + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 71de414c21f7f +Conflicts: Dropped changes to non-existing libxt_sctp.t. + +commit 71de414c21f7f31270e5d62e782e52257e5c3d06 +Author: huaibin Wang +Date: Mon Nov 13 14:27:54 2017 +0100 + + libxt_sctp: fix array out of range in print_chunk + + For chunk type ASCONF, ASCONF_ACK and FORWARD_TSN, sctp_chunk_names[].chunk_type + is not equal to the corresponding index in sctp_chunk_names[]. Using this field + leads to a segmentation fault (index out of range). + + Example + $ iptables -A INPUT -p sctp --chunk-type all ASCONF,ASCONF_ACK,FORWARD_TSN -j ACCEPT + $ iptables -L + Chain INPUT (policy ACCEPT) + target prot opt source destination + Segmentation fault + + Signed-off-by: huaibin Wang + Signed-off-by: Nicolas Dichtel + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_sctp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c +index 56a4cdf229390..cfd4c12330479 100644 +--- a/extensions/libxt_sctp.c ++++ b/extensions/libxt_sctp.c +@@ -370,7 +370,7 @@ print_chunk(uint32_t chunknum, int numeric) + + for (i = 0; i < ARRAY_SIZE(sctp_chunk_names); ++i) + if (sctp_chunk_names[i].chunk_type == chunknum) +- printf("%s", sctp_chunk_names[chunknum].name); ++ printf("%s", sctp_chunk_names[i].name); + } + } + +-- +2.21.0 + diff --git a/SOURCES/libxt_string-Avoid-potential-array-out-of-bounds-acc.patch b/SOURCES/libxt_string-Avoid-potential-array-out-of-bounds-acc.patch new file mode 100644 index 0000000..acda814 --- /dev/null +++ b/SOURCES/libxt_string-Avoid-potential-array-out-of-bounds-acc.patch 
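Review bot: After the corrected index lookup the for loop keeps scanning the rest of sctp_chunk_names although there is nothing more to print for this chunknum; a `break;` makes the intent explicit and prevents a double print if the table ever held a duplicate chunk_type. Rewrite the body as `if (sctp_chunk_names[i].chunk_type == chunknum) {` / `printf("%s", sctp_chunk_names[i].name);` / `break; }`. print_chunk's body starts outside the hunk.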
@@ -0,0 +1,46 @@ +From d9b22d809995f16b2bc988c8f72d70a5cd3e86d1 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxt_string: Avoid potential array out of bounds access + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 56d7ab42f3782 + +commit 56d7ab42f37829ab8d42f34b77fd630ce08f5a7c +Author: Phil Sutter +Date: Mon Sep 10 23:35:16 2018 +0200 + + libxt_string: Avoid potential array out of bounds access + + The pattern index variable 'sindex' is bounds checked before + incrementing it, which means in the next loop iteration it might already + match the bounds check condition but is used anyway. + + Fix this by incrementing the index before performing the bounds check. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_string.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c +index fb15980e4a73f..d298c6a7081e7 100644 +--- a/extensions/libxt_string.c ++++ b/extensions/libxt_string.c +@@ -159,9 +159,8 @@ parse_hex_string(const char *s, struct xt_string_info *info) + info->pattern[sindex] = s[i]; + i++; + } +- if (sindex > XT_STRING_MAX_PATTERN_SIZE) ++ if (++sindex > XT_STRING_MAX_PATTERN_SIZE) + xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); +- sindex++; + } + info->patlen = sindex; + } +-- +2.21.0 + diff --git a/SOURCES/libxt_string-Fix-array-out-of-bounds-check.patch b/SOURCES/libxt_string-Fix-array-out-of-bounds-check.patch new file mode 100644 index 0000000..f4c9047 --- /dev/null +++ b/SOURCES/libxt_string-Fix-array-out-of-bounds-check.patch 
@@ -0,0 +1,62 @@ +From 5790cacab5a3fd7bde26056fa0f8b4650bd21bb7 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxt_string: Fix array out of bounds check + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 6fc7762f6f785 + +commit 6fc7762f6f78526e3cb0c189ac2778a6be4c00b5 +Author: Phil Sutter +Date: Mon Sep 17 13:38:33 2018 +0200 + + libxt_string: Fix array out of bounds check + + Commit 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds + access") tried to fix parse_hex_string() for overlong strings but the + change still allowed for 'sindex' to become XT_STRING_MAX_PATTERN_SIZE + which leads to access of first byte after info->pattern. This is not + really a problem because it merely overwrites info->patlen before + calling xtables_error() later, but covscan still detects it so it's + still worth fixing. + + The crucial bit here is that 'sindex' has to be incremented at end of + the last iteration since its value is used for info->patlen. Hence just + move the overflow check to the beginning of the loop. + + Fixes: 56d7ab42f3782 ("libxt_string: Avoid potential array out of bounds access") + Signed-off-by: Phil Sutter + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + extensions/libxt_string.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c +index d298c6a7081e7..7c6366cbbf1b3 100644 +--- a/extensions/libxt_string.c ++++ b/extensions/libxt_string.c +@@ -103,6 +103,9 @@ parse_hex_string(const char *s, struct xt_string_info *info) + } + + while (i < slen) { ++ if (sindex >= XT_STRING_MAX_PATTERN_SIZE) ++ xtables_error(PARAMETER_PROBLEM, ++ "STRING too long \"%s\"", s); + if (s[i] == '\\' && !hex_f) { + literal_f = 1; + } else if (s[i] == '\\') { +@@ -159,8 +162,7 @@ parse_hex_string(const char *s, struct xt_string_info *info) + info->pattern[sindex] = s[i]; + i++; + } +- if (++sindex > XT_STRING_MAX_PATTERN_SIZE) +- xtables_error(PARAMETER_PROBLEM, "STRING too long \"%s\"", s); ++ sindex++; + } + info->patlen = sindex; + } +-- +2.21.0 + diff --git a/SOURCES/libxt_time-Drop-initialization-of-variable-year.patch b/SOURCES/libxt_time-Drop-initialization-of-variable-year.patch new file mode 100644 index 0000000..0aa5037 --- /dev/null +++ b/SOURCES/libxt_time-Drop-initialization-of-variable-year.patch @@ -0,0 +1,59 @@ +From c6d6426921160fb554871fbe201722963f8a917c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxt_time: Drop initialization of variable 'year' + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 6b7145fa2112e + +commit 6b7145fa2112e257073cc44346e9891fa23ce9c2 +Author: Phil Sutter +Date: Wed Sep 19 15:16:52 2018 +0200 + + libxt_time: Drop initialization of variable 'year' + + The variable is not read before being assigned the return value of + strtoul(), thefore the initialization is useless. And since after this + change parameter 'end' becomes unused, drop it as well. + + Signed-off-by: Phil Sutter + 
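Review bot: The bounds check was moved to the top of the loop without a comment, and the reason is subtle: the check has to precede the write to info->pattern[sindex], yet sindex must still be incremented after the final byte so that `info->patlen = sindex` is right, which is exactly what the previous attempt got wrong. Suggest above the new if: `/* check before writing: sindex may only equal XT_STRING_MAX_PATTERN_SIZE after the final byte, where it becomes patlen */`. parse_hex_string is cut by the hunk, so the other pattern[] writes inside the while are not visible here.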
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libxt_time.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c +index 9c5bda88c1c78..5a8cc5de13031 100644 +--- a/extensions/libxt_time.c ++++ b/extensions/libxt_time.c +@@ -88,10 +88,10 @@ static void time_init(struct xt_entry_match *m) + info->date_stop = INT_MAX; + } + +-static time_t time_parse_date(const char *s, bool end) ++static time_t time_parse_date(const char *s) + { + unsigned int month = 1, day = 1, hour = 0, minute = 0, second = 0; +- unsigned int year = end ? 2038 : 1970; ++ unsigned int year; + const char *os = s; + struct tm tm; + time_t ret; +@@ -265,10 +265,10 @@ static void time_parse(struct xt_option_call *cb) + xtables_option_parse(cb); + switch (cb->entry->id) { + case O_DATE_START: +- info->date_start = time_parse_date(cb->arg, false); ++ info->date_start = time_parse_date(cb->arg); + break; + case O_DATE_STOP: +- info->date_stop = time_parse_date(cb->arg, true); ++ info->date_stop = time_parse_date(cb->arg); + break; + case O_TIME_START: + info->daytime_start = time_parse_minutes(cb->arg); +-- +2.21.0 + diff --git a/SOURCES/libxtables-Avoid-calling-memcpy-with-NULL-source.patch b/SOURCES/libxtables-Avoid-calling-memcpy-with-NULL-source.patch new file mode 100644 index 0000000..2d4abba --- /dev/null +++ b/SOURCES/libxtables-Avoid-calling-memcpy-with-NULL-source.patch 
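Review bot: Dropping the initializer leaves `year` uninitialized, so time_parse_date is correct only if every path assigns it from strtoul() before it is read; the commit message asserts this, but that part of the body is outside the hunk and cannot be confirmed here. If the assignment is unconditional, a short comment at the declaration, `/* always set by strtoul() below */`, documents why no initializer is needed and pre-empts -Wmaybe-uninitialized reports. Note the change also removes the old 1970/2038 defaults that depended on `end`, which is fine only if a year is mandatory in the accepted date syntax.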
@@ -0,0 +1,91 @@ +From 3f4e13d60ddbb61bc3256221a98f5c5a954f6f5c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxtables: Avoid calling memcpy() with NULL source + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit ab639f236ff85 + +commit ab639f236ff85d2f447cc6601c7ff42cefdaf853 +Author: Phil Sutter +Date: Wed Sep 19 15:16:54 2018 +0200 + + libxtables: Avoid calling memcpy() with NULL source + + Both affected functions check if 'oldopts' is NULL once but later seem + to ignore that possibility. To catch up on that, increment the pointer + only if it isn't NULL, also don't copy its content into the merged + options buffer in that case. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 12 ++++++++---- + libxtables/xtoptions.c | 12 ++++++++---- + 2 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index 4a014e48a9f45..cf9a59d5ec095 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -119,8 +119,10 @@ struct option *xtables_merge_options(struct option *orig_opts, + * Since @oldopts also has @orig_opts already (and does so at the + * start), skip these entries. + */ +- oldopts += num_oold; +- num_old -= num_oold; ++ if (oldopts != NULL) { ++ oldopts += num_oold; ++ num_old -= num_oold; ++ } + + merge = malloc(sizeof(*mp) * (num_oold + num_old + num_new + 1)); + if (merge == NULL) +@@ -139,8 +141,10 @@ struct option *xtables_merge_options(struct option *orig_opts, + mp->val += *option_offset; + + /* Third, the old options */ +- memcpy(mp, oldopts, sizeof(*mp) * num_old); +- mp += num_old; ++ if (oldopts != NULL) { ++ memcpy(mp, oldopts, sizeof(*mp) * num_old); ++ mp += num_old; ++ } + xtables_free_opts(0); + + /* Clear trailing entry */ +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index 1ad4cb57f5836..1d3fda73dedf7 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -91,8 +91,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, + * Since @oldopts also has @orig_opts already (and does so at the + * start), skip these entries. 
+ */ +- oldopts += num_orig; +- num_old -= num_orig; ++ if (oldopts != NULL) { ++ oldopts += num_orig; ++ num_old -= num_orig; ++ } + + merge = malloc(sizeof(*mp) * (num_orig + num_old + num_new + 1)); + if (merge == NULL) +@@ -114,8 +116,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, + } + + /* Third, the old options */ +- memcpy(mp, oldopts, sizeof(*mp) * num_old); +- mp += num_old; ++ if (oldopts != NULL) { ++ memcpy(mp, oldopts, sizeof(*mp) * num_old); ++ mp += num_old; ++ } + xtables_free_opts(0); + + /* Clear trailing entry */ +-- +2.21.0 + diff --git a/SOURCES/libxtables-Check-extension-real_name-length.patch b/SOURCES/libxtables-Check-extension-real_name-length.patch new file mode 100644 index 0000000..d4e1d6d --- /dev/null +++ b/SOURCES/libxtables-Check-extension-real_name-length.patch @@ -0,0 +1,57 @@ +From e4dd398938aed75397463aed36fc03f9d754bf29 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxtables: Check extension real_name length + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit a3716cc1a501e + +commit a3716cc1a501e40e26a96d78b2e1285bb081f366 +Author: Phil Sutter +Date: Mon Sep 24 19:25:21 2018 +0200 + + libxtables: Check extension real_name length + + Just like with 'name', if given check 'real_name' to not exceed max length. + + Signed-off-by: Phil Sutter + 
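Review bot: The NULL guards fix the memcpy() call, but in the non-NULL branch `num_old -= num_oold` (and `num_old -= num_orig` in xtables_options_xfrm) still trusts the comment's invariant that oldopts begins with the orig_opts entries; if a caller ever passes a shorter oldopts the subtraction wraps (if the counts are unsigned, as they appear to be) and the following malloc() size and memcpy() length are wrong. A cheap guard before the subtraction, `if (num_old < num_oold) return NULL;` (using whatever failure value the malloc()-failure path returns), makes the invariant enforced rather than assumed. Both functions start outside the hunk, so the count types are inferred.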
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index 575f7ee0a0d78..4a014e48a9f45 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -839,6 +839,12 @@ void xtables_register_match(struct xtables_match *me) + exit(1); + } + ++ if (me->real_name && strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) { ++ fprintf(stderr, "%s: match `%s' has invalid real name\n", ++ xt_params->program_name, me->real_name); ++ exit(1); ++ } ++ + if (me->family >= NPROTO) { + fprintf(stderr, + "%s: BUG: match %s has invalid protocol family\n", +@@ -997,6 +1003,12 @@ void xtables_register_target(struct xtables_target *me) + exit(1); + } + ++ if (me->real_name && strlen(me->real_name) >= XT_EXTENSION_MAXNAMELEN) { ++ fprintf(stderr, "%s: target `%s' has invalid real name\n", ++ xt_params->program_name, me->real_name); ++ exit(1); ++ } ++ + if (me->family >= NPROTO) { + fprintf(stderr, + "%s: BUG: target %s has invalid protocol family\n", +-- +2.21.0 + diff --git a/SOURCES/libxtables-Don-t-read-garbage-in-xtables_strtoui.patch b/SOURCES/libxtables-Don-t-read-garbage-in-xtables_strtoui.patch new file mode 100644 index 0000000..d1dae23 --- /dev/null +++ b/SOURCES/libxtables-Don-t-read-garbage-in-xtables_strtoui.patch 
@@ -0,0 +1,42 @@ +From 6052b28839968d5077c182e6defa260e68147547 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxtables: Don't read garbage in xtables_strtoui() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 61ebf3f72ac62 + +commit 61ebf3f72ac62d887414c50fc83e277386f54e8f +Author: Phil Sutter +Date: Wed Sep 19 15:16:55 2018 +0200 + + libxtables: Don't read garbage in xtables_strtoui() + + If xtables_strtoul() fails, it returns false and data pointed to by + parameter 'value' is undefined. Hence avoid copying that data in + xtables_strtoui() if the call failed. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index fb60c01b48c05..575f7ee0a0d78 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -473,7 +473,7 @@ bool xtables_strtoui(const char *s, char **end, unsigned int *value, + bool ret; + + ret = xtables_strtoul(s, end, &v, min, max); +- if (value != NULL) ++ if (ret && value != NULL) + *value = v; + return ret; + } +-- +2.21.0 + diff --git a/SOURCES/libxtables-Fix-potential-array-overrun-in-xtables_op.patch b/SOURCES/libxtables-Fix-potential-array-overrun-in-xtables_op.patch new file mode 100644 index 0000000..51e3bf0 --- /dev/null +++ b/SOURCES/libxtables-Fix-potential-array-overrun-in-xtables_op.patch 
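Review bot: The new condition changes the contract — on failure `*value` is now left untouched rather than receiving the indeterminate `v` — but nothing says so, and a caller that ignores the bool would silently keep a stale value. Add to the function's comment: `/* On failure (returns false) *value is left unmodified; callers must check the result. */`. xtables_strtoui's header and the declaration of `v` are outside the hunk.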
@@ -0,0 +1,42 @@ +From f958c3a78f14140e7ee983c3698918fe35f1a7af Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] libxtables: Fix potential array overrun in + xtables_option_parse() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 4144571f87c09 + +commit 4144571f87c094471419ef59e8bb89ef33cd1365 +Author: Phil Sutter +Date: Mon Sep 10 23:35:13 2018 +0200 + + libxtables: Fix potential array overrun in xtables_option_parse() + + If entry->type is to be used as array index, it needs to be at max one + less than that array's size. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtoptions.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index 78e9abd6a3f47..0c63c2d372dea 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -864,7 +864,7 @@ void xtables_option_parse(struct xt_option_call *cb) + * a *RC option type. + */ + cb->nvals = 1; +- if (entry->type <= ARRAY_SIZE(xtopt_subparse) && ++ if (entry->type < ARRAY_SIZE(xtopt_subparse) && + xtopt_subparse[entry->type] != NULL) + xtopt_subparse[entry->type](cb); + /* Exclusion with other flags tested later in finalize. */ +-- +2.21.0 + diff --git a/SOURCES/libxtables-Use-posix_spawn-instead-of-vfork.patch b/SOURCES/libxtables-Use-posix_spawn-instead-of-vfork.patch new file mode 100644 index 0000000..b301387 --- /dev/null +++ b/SOURCES/libxtables-Use-posix_spawn-instead-of-vfork.patch 
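Review bot: With the corrected bound, an entry whose type lies outside xtopt_subparse is now silently skipped, the same as one with a NULL handler, so a broken extension option table parses the option with nvals = 1 and no value conversion instead of failing loudly. Since an out-of-range type can only be a bug in an extension, consider an `else` branch that reports it via xtables_error() with the offending entry->type, in the same spirit as the registration-time checks on extension names. xtables_option_parse continues outside the hunk, so a later check may already cover this.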
@@ -0,0 +1,71 @@ +From fbcd6c97015324480f843c08da338c9d580b2b31 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxtables: Use posix_spawn() instead of vfork() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit d95c1e8b65c4e + +commit d95c1e8b65c4ec66b8fcd2f7ede257853a888750 +Author: Phil Sutter +Date: Wed Sep 19 15:17:05 2018 +0200 + + libxtables: Use posix_spawn() instead of vfork() + + According to covscan, vfork() may lead to a deadlock in the parent + process. It suggests to use posix_spawn() instead. Since the latter + combines vfork() and exec() calls, use it for xtables_insmod(). + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index bca9863acc566..7210d3706bf26 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -343,6 +344,7 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + char *buf = NULL; + char *argv[4]; + int status; ++ pid_t pid; + + /* If they don't explicitly set it, read out of kernel */ + if (!modprobe) { +@@ -363,18 +365,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + */ + fflush(stdout); + +- switch (vfork()) { +- case 0: +- execv(argv[0], argv); +- +- /* not usually reached */ +- _exit(1); +- case -1: ++ if (posix_spawn(&pid, argv[0], NULL, NULL, argv, NULL)) { + free(buf); + return -1; +- +- default: /* parent */ +- wait(&status); ++ } else { ++ waitpid(pid, &status, 0); + } + + free(buf); +-- +2.21.0 + 
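Review bot: `posix_spawn(&pid, argv[0], NULL, NULL, argv, NULL)` passes NULL for envp, which POSIX does not allow (it must be a NULL-terminated array); glibc/Linux tolerate it and start modprobe with an empty environment, which also silently differs from the vfork()+execv() path that inherited the caller's environment. Make the choice explicit: `extern char **environ;` and `posix_spawn(&pid, argv[0], NULL, NULL, argv, environ)`, or a deliberately minimal array if a scrubbed environment for the helper is the intent. The `waitpid(pid, &status, 0)` result is also unchecked, so an EINTR would leave `status` indeterminate for the code that follows the hunk.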
diff --git a/SOURCES/libxtables-move-some-code-to-avoid-cautions-in-vfork.patch b/SOURCES/libxtables-move-some-code-to-avoid-cautions-in-vfork.patch new file mode 100644 index 0000000..bc11de0 --- /dev/null +++ b/SOURCES/libxtables-move-some-code-to-avoid-cautions-in-vfork.patch 
@@ -0,0 +1,102 @@ +From 0d89bdef1e7f698787967bffed5c413ef0dee761 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] libxtables: move some code to avoid cautions in vfork man + page + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 78683093cf4f0 + +commit 78683093cf4f059531e5f929a4884ffaecb8411c +Author: Dan Wilder +Date: Sat Oct 25 00:51:59 2014 +0200 + + libxtables: move some code to avoid cautions in vfork man page + + Running iptables-restore on an embedded platform containing no modprobe program, the following lines in xtables.c lead to corrupted stack frame: + + 357 switch (vfork()) { + 358 case 0: + 359 argv[0] = (char *)modprobe; + 360 argv[1] = (char *)modname; + 361 if (quiet) { + 362 argv[2] = "-q"; + 363 argv[3] = NULL; + 364 } else { + 365 argv[2] = NULL; + 366 argv[3] = NULL; + 367 } + 368 execv(argv[0], argv); + 369 + 370 /* not usually reached */ + 371 exit(1); + + modprobe pointed to a non-existant program /sbin/modprobe, so execv() + always failed. Not a problem in itself on our platform, as the kernel + modules are pre-loaded before iptables-restore is run, but it took a + bit of headscratching to track this down, as a stack frame was + corrupted, leading to failures quite a while after the function + containing this code had returned! + + Relevant caution in man 2 vfork: + + "The vfork() function has the same effect as fork(2), except that + the behavior is undefined if the process created by vfork() either + modifies any data ... or calls any other function before + successfully calling _exit(2) or one of the exec(3) family of + functions." + + Apparently this has not been a problem for us in earlier versions of + glibc, maybe because vfork was more like fork, maybe because the + stack corruption was innocuous. Ours is a corner case anyway, as + it might not have been a problem had modprobe existed or had + modprobe been a symlink to /bin/true. 
But it seems odd to disregard + man page cautions, and our problem goes away if they are heeded. + + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + libxtables/xtables.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/libxtables/xtables.c b/libxtables/xtables.c +index cf9a59d5ec095..bca9863acc566 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -352,6 +352,11 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + modprobe = buf; + } + ++ argv[0] = (char *)modprobe; ++ argv[1] = (char *)modname; ++ argv[2] = quiet ? "-q" : NULL; ++ argv[3] = NULL; ++ + /* + * Need to flush the buffer, or the child may output it again + * when switching the program thru execv. +@@ -360,19 +365,10 @@ int xtables_insmod(const char *modname, const char *modprobe, bool quiet) + + switch (vfork()) { + case 0: +- argv[0] = (char *)modprobe; +- argv[1] = (char *)modname; +- if (quiet) { +- argv[2] = "-q"; +- argv[3] = NULL; +- } else { +- argv[2] = NULL; +- argv[3] = NULL; +- } + execv(argv[0], argv); + + /* not usually reached */ +- exit(1); ++ _exit(1); + case -1: + free(buf); + return -1; +-- +2.21.0 + diff --git a/SOURCES/list-fix-prefetch-dummy.patch b/SOURCES/list-fix-prefetch-dummy.patch new file mode 100644 index 0000000..9ca7544 --- /dev/null +++ b/SOURCES/list-fix-prefetch-dummy.patch 
@@ -0,0 +1,46 @@ +From 9db248f030af87e336b5880fc39e37a5beb7f291 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:52:42 +0100 +Subject: [PATCH] list: fix prefetch dummy + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 86a65af62b6b9 + +commit 86a65af62b6b986aa2ae3cbf3c655ea8225b027a +Author: Arturo Borrero +Date: Mon Apr 6 20:05:41 2015 +0200 + + list: fix prefetch dummy + + linux_list.h:381:59: warning: right-hand operand of comma expression has no effect [-Wunused-value] + for (pos = list_entry((head)->next, typeof(*pos), member), \ + ^ + libiptc.c:552:2: note: in expansion of macro 'list_for_each_entry' + list_for_each_entry(c, &h->chains, list) { + ^ + + [ Patch copied from one similar of Patrick McHardy on libnftnl ] + + Signed-off-by: Arturo Borrero Gonzalez + +Signed-off-by: Phil Sutter +--- + libiptc/linux_list.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libiptc/linux_list.h b/libiptc/linux_list.h +index abdcf88dadd64..559e33c9ebde0 100644 +--- a/libiptc/linux_list.h ++++ b/libiptc/linux_list.h +@@ -27,7 +27,7 @@ + 1; \ + }) + +-#define prefetch(x) 1 ++#define prefetch(x) ((void)0) + + /* empty define to make this work in userspace -HW */ + #define smp_wmb() +-- +2.21.0 + diff --git a/SOURCES/man-iptables-save-Add-note-about-module-autoloading.patch b/SOURCES/man-iptables-save-Add-note-about-module-autoloading.patch new file mode 100644 index 0000000..49c467e --- /dev/null +++ b/SOURCES/man-iptables-save-Add-note-about-module-autoloading.patch 
@@ -0,0 +1,47 @@ +From d9db0c35351a960a141e9ddc30cf6f09c9c27c8b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 18 Apr 2019 13:29:43 +0200 +Subject: [PATCH] man: iptables-save: Add note about module autoloading + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1691380 +Upstream Status: iptables commit 3390007a11cbc + +commit 3390007a11cbc45de1522f99ae751a3c5d55dd6f +Author: Phil Sutter +Date: Tue Mar 26 19:03:43 2019 +0100 + + man: iptables-save: Add note about module autoloading + + Using '-t' parameter in iptables-save might lead to kernel module + loading, just like with iptables itself. Copy the hint from iptables.8 + to inform users. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + iptables/iptables-save.8.in | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in +index 4091c0a595575..c3f1bd2152c58 100644 +--- a/iptables/iptables-save.8.in ++++ b/iptables/iptables-save.8.in +@@ -44,8 +44,11 @@ inspect /proc/sys/kernel/modprobe to determine the executable's path. + include the current values of all packet and byte counters in the output + .TP + \fB\-t\fR, \fB\-\-table\fR \fItablename\fP +-restrict output to only one table. If not specified, output includes all +-available tables. ++restrict output to only one table. If the kernel is configured with automatic ++module loading, an attempt will be made to load the appropriate module for ++that table if it is not already there. ++.br ++If not specified, output includes all available tables. + .SH BUGS + None known as of iptables-1.2.1 release + .SH AUTHORS +-- +2.21.0 + diff --git a/SOURCES/nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch b/SOURCES/nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch new file mode 100644 index 0000000..6422370 --- /dev/null +++ b/SOURCES/nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch 
@@ -0,0 +1,43 @@ +From 4103f34690e1380c0ad4831b80ad913ea980eab4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:51:28 +0100 +Subject: [PATCH] nfnl_osf: Drop pointless check in xt_osf_strchr() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 8c786a351a441 + +commit 8c786a351a441ff23ad5d9d1da8cec492f88f542 +Author: Phil Sutter +Date: Wed Sep 19 15:16:42 2018 +0200 + + nfnl_osf: Drop pointless check in xt_osf_strchr() + + Although it remains unclear what the original intention behind the + affected code was, but 'tmp + 1' always evaluates true since 'tmp' is a + pointer value. + + Cc: Evgeniy Polyakov + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + utils/nfnl_osf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c +index 0f8b35b805016..9a9fbe1268155 100644 +--- a/utils/nfnl_osf.c ++++ b/utils/nfnl_osf.c +@@ -141,7 +141,7 @@ static char *xt_osf_strchr(char *ptr, char c) + if (tmp) + *tmp = '\0'; + +- while (tmp && tmp + 1 && isspace(*(tmp + 1))) ++ while (tmp && isspace(*(tmp + 1))) + tmp++; + + return tmp; +-- +2.21.0 + diff --git a/SOURCES/nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch b/SOURCES/nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch new file mode 100644 index 0000000..eeee0cc --- /dev/null +++ b/SOURCES/nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch 
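Review bot: The retained `isspace(*(tmp + 1))` in the simplified condition passes a plain `char` to a ctype function, which is undefined for negative values should the fingerprint file contain bytes above 0x7F; since the line is being touched anyway, `while (tmp && isspace((unsigned char)tmp[1]))` fixes that at no cost. The read of `tmp[1]` immediately follows `*tmp = '\0'`, so it looks at the byte after the separator in the caller's buffer rather than inside the string the function just terminated; that appears intended (skipping whitespace after the cut), but a one-line comment saying so would stop the next reader from seeing a read past a NUL. xt_osf_strchr()'s body begins outside the hunk.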
@@ -0,0 +1,40 @@ +From 4ee53b682e3ebb9a809007ec907f65ccfe4a1342 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 15 Mar 2019 17:50:10 +0100 +Subject: [PATCH] nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 +Upstream Status: iptables commit 52aa15098ebd6 + +commit 52aa15098ebd62eaca9eb3c57c240df2455d8e9b +Author: Phil Sutter +Date: Wed Sep 19 15:16:56 2018 +0200 + + nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query() + + This eliminates the deprecation warning when compiling the sources. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + utils/nfnl_osf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c +index 972128f47ba04..c67485ee698b1 100644 +--- a/utils/nfnl_osf.c ++++ b/utils/nfnl_osf.c +@@ -384,7 +384,7 @@ static int osf_load_line(char *buffer, int len, int del) + + nfnl_addattr_l(nmh, sizeof(buf), OSF_ATTR_FINGER, &f, sizeof(struct xt_osf_user_finger)); + +- return nfnl_talk(nfnlh, nmh, 0, 0, NULL, NULL, NULL); ++ return nfnl_query(nfnlh, nmh); + } + + static int osf_load_entries(char *path, int del) +-- +2.21.0 + diff --git a/SOURCES/sysconfig_ip6tables b/SOURCES/sysconfig_ip6tables new file mode 100644 index 0000000..34b8b87 --- /dev/null +++ b/SOURCES/sysconfig_ip6tables 
@@ -0,0 +1,15 @@ +# sample configuration for ip6tables service +# you can edit this manually or use system-config-firewall +# please do not ask us to add additional ports/services to this default configuration +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p ipv6-icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT +-A INPUT -j REJECT --reject-with icmp6-adm-prohibited +-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited +COMMIT diff --git a/SOURCES/sysconfig_iptables b/SOURCES/sysconfig_iptables new file mode 100644 index 0000000..5183250 --- /dev/null +++ b/SOURCES/sysconfig_iptables @@ -0,0 +1,14 @@ +# sample configuration for iptables service +# you can edit this manually or use system-config-firewall +# please do not ask us to add additional ports/services to this default configuration +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT diff --git a/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch b/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch new file mode 100644 index 0000000..53e1a4d --- /dev/null +++ b/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch 
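Review bot: `-A INPUT -p ipv6-icmp -j ACCEPT` admits every ICMPv6 type and the file never says why, while the IPv4 counterpart in SOURCES/sysconfig_iptables does the same for ICMP; for IPv6 the breadth is load-bearing, since neighbour discovery, router advertisements and path-MTU discovery all ride on ICMPv6, so an administrator tightening this sample by type can silently break connectivity. A comment above the rule would make the intent explicit, e.g. `# ICMPv6 must stay open: neighbour discovery, RA and PMTUD depend on it`. The DHCPv6 rule restricted to `-d fe80::/64 --dport 546` deserves the same treatment (`# DHCPv6 client replies arrive on link-local`), as it is the one rule a reader is most likely to drop as unexplained.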
@@ -0,0 +1,145 @@ +From 77ff3d215f2a28a9ffc9fe1943c7f2b12d5e4f69 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 5 Jun 2018 14:49:54 +0200 +Subject: [PATCH 2/2] utils: Add a man page for nfnl_osf + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331 +Upstream Status: iptables commit af468b6e7f35d + +commit af468b6e7f35db09af10ae4ec65cc7803180a4b4 +Author: Phil Sutter +Date: Wed Sep 20 18:54:09 2017 +0200 + + utils: Add a man page for nfnl_osf + + Signed-off-by: Phil Sutter + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + configure.ac | 3 +- + utils/.gitignore | 1 + + utils/Makefile.am | 4 +++ + utils/nfnl_osf.8.in | 67 +++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 74 insertions(+), 1 deletion(-) + create mode 100644 utils/nfnl_osf.8.in + +diff --git a/configure.ac b/configure.ac +index af710cf5481c0..9046633ce5a4d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -173,7 +173,8 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile + libiptc/Makefile libiptc/libiptc.pc + libiptc/libip4tc.pc libiptc/libip6tc.pc + libxtables/Makefile utils/Makefile +- include/xtables-version.h include/iptables/internal.h]) ++ include/xtables-version.h include/iptables/internal.h ++ utils/nfnl_osf.8]) + AC_OUTPUT + + +diff --git a/utils/.gitignore b/utils/.gitignore +index 216d1e4a621ed..7c6afbf4e6a52 100644 +--- a/utils/.gitignore ++++ b/utils/.gitignore +@@ -1,2 +1,3 @@ + /nfnl_osf ++/nfnl_osf.8 + /nfbpf_compile +diff --git a/utils/Makefile.am b/utils/Makefile.am +index c4192a9e73688..80029e303ff3b 100644 +--- a/utils/Makefile.am ++++ b/utils/Makefile.am +@@ -6,8 +6,10 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \ + + sbin_PROGRAMS = + pkgdata_DATA = ++man_MANS = + + if HAVE_LIBNFNETLINK ++man_MANS += nfnl_osf.8 + sbin_PROGRAMS += nfnl_osf + pkgdata_DATA += pf.os + +@@ -23,3 +25,5 @@ if ENABLE_SYNCONF + sbin_PROGRAMS += nfsynproxy + nfsynproxy_LDADD = -lpcap + endif ++ ++CLEANFILES = nfnl_osf.8 +diff --git a/utils/nfnl_osf.8.in b/utils/nfnl_osf.8.in +new file mode 100644 +index 0000000000000..140b5c3f99a42 +--- /dev/null ++++ b/utils/nfnl_osf.8.in +@@ -0,0 +1,67 @@ ++.TH NFNL_OSF 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@" ++ ++.SH NAME ++nfnl_osf \- OS fingerprint loader utility ++.SH SYNOPSIS ++ ++.ad l ++.in +8 ++.ti -8 ++.B nfnl_osf ++.BI -f " fingerprints" ++[ ++.B -d ++] ++ ++.SH DESCRIPTION ++The ++.B nfnl_osf ++utility allows to load a set of operating system signatures 
into the kernel for ++later matching against using iptables' ++.B osf ++match. ++ ++.SH OPTIONS ++ ++.TP ++.BI -f " fingerprints" ++Read signatures from file ++.IR fingerprints . ++ ++.TP ++.B -d ++Instead of adding the signatures from ++.I fingerprints ++into the kernel, remove them. ++ ++.SH EXIT STATUS ++Exit status is 0 if command succeeded, otherwise a negative return code ++indicates the type of error which happened: ++ ++.TP ++.B -1 ++Illegal arguments passed, fingerprints file not readable or failure in netlink ++communication. ++ ++.TP ++.B -ENOENT ++Fingerprints file not specified. ++ ++.TP ++.B -EINVAL ++Netlink handle initialization failed or fingerprints file format invalid. ++ ++.SH FILES ++ ++An up to date set of operating system signatures can be downloaded from ++http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . ++ ++.SH SEE ALSO ++ ++The description of ++.B osf ++match in ++.BR iptables-extensions (8) ++contains further information about the topic as well as example ++.B nfnl_osf ++invocations. +-- +2.17.0 + diff --git a/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch b/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch new file mode 100644 index 0000000..4c77002 --- /dev/null +++ b/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch @@ -0,0 +1,43 @@ +From 89c09c279e53abd66a7ca9b0dd8d2c2a5c8f2d9d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 5 Jun 2018 14:49:54 +0200 +Subject: [PATCH 1/2] utils: nfnl_osf: Fix synopsis in help text + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331 +Upstream Status: iptables commit 1773dcaabb738 + +commit 1773dcaabb73884666d30b926677f8232e5c04b3 +Author: Phil Sutter +Date: Wed Sep 20 18:54:08 2017 +0200 + + utils: nfnl_osf: Fix synopsis in help text + + * -d is optional + * -h is not really a flag, just anything not recognized triggers the + help output. + * That '' bit is rather confusing than helpful. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + utils/nfnl_osf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c +index bb5f92dc6d0aa..972128f47ba04 100644 +--- a/utils/nfnl_osf.c ++++ b/utils/nfnl_osf.c +@@ -438,7 +438,7 @@ int main(int argc, char *argv[]) + break; + default: + fprintf(stderr, +- "Usage: %s -f fingerprints -d -h\n", ++ "Usage: %s -f fingerprints [-d]\n", + argv[0]); + return -1; + } +-- +2.17.0 + diff --git a/SOURCES/xshared-Consolidate-argv-construction-routines.patch b/SOURCES/xshared-Consolidate-argv-construction-routines.patch new file mode 100644 index 0000000..7e1a5fa --- /dev/null +++ b/SOURCES/xshared-Consolidate-argv-construction-routines.patch 
@@ -0,0 +1,568 @@ +From fc87d26b0343a5fbe661acc967f7a7c316531ca5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:16:49 +0200 +Subject: [PATCH] xshared: Consolidate argv construction routines + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1668475 +Upstream Status: iptables commit a2ed880a19d08 +Conflicts: +* Context change due to missing commit 2963a8df2175b + ("iptables: Remove explicit static variables initalization."). +* Context change due to missing commit 1cc09188079a6 + ("xshared: Consolidate parse_counters()"). +* Context change due to previously backported commit 8da04ffdca193 + ("Share print_ipv{4,6}_addr() from xtables"). +* Dropped changes to non-existing file iptables/xtables-restore.c. + +commit a2ed880a19d0861342b3515721804b18d698bf44 +Author: Phil Sutter +Date: Thu Aug 2 17:05:17 2018 +0200 + + xshared: Consolidate argv construction routines + + Implementations were equal in {ip,ip6,x}tables-restore.c. The one in + iptables-xml.c differed slightly. For now, collect all features + together. Maybe it would make sense to migrate iptables-xml.c to using + add_param_to_argv() at some point and therefore extend the latter to + store whether a given parameter was quoted or not. + + While being at it, a few improvements were done: + + * free_argv() now also resets 'newargc' variable, so users don't have to + do that anymore. + * Indenting level in add_param_to_argv() was reduced a bit. + * That long error message is put into a single line to aid in grepping + for it. + * Explicit call to exit() after xtables_error() is removed since the + latter does not return anyway. + + Signed-off-by: Phil Sutter + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + iptables/ip6tables-restore.c | 107 ++---------------------------- + iptables/iptables-restore.c | 107 ++---------------------------- + iptables/iptables-xml.c | 63 ------------------ + iptables/xshared.c | 123 +++++++++++++++++++++++++++++++++++ + iptables/xshared.h | 13 ++++ + 5 files changed, 150 insertions(+), 263 deletions(-) + +diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c +index 611430d930eda..1f8cb43286f03 100644 +--- a/iptables/ip6tables-restore.c ++++ b/iptables/ip6tables-restore.c +@@ -91,96 +91,6 @@ static int parse_counters(char *string, struct xt_counters *ctr) + return ret == 2; + } + +-/* global new argv and argc */ +-static char *newargv[255]; +-static int newargc; +- +-/* function adding one argument to newargv, updating newargc +- * returns true if argument added, false otherwise */ +-static int add_argv(char *what) { +- DEBUGP("add_argv: %s\n", what); +- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { +- newargv[newargc] = strdup(what); +- newargv[++newargc] = NULL; +- return 1; +- } else { +- xtables_error(PARAMETER_PROBLEM, +- "Parser cannot handle more arguments\n"); +- return 0; +- } +-} +- +-static void free_argv(void) { +- int i; +- +- for (i = 0; i < newargc; i++) +- free(newargv[i]); +-} +- +-static void add_param_to_argv(char *parsestart) +-{ +- int quote_open = 0, escaped = 0, param_len = 0; +- char param_buffer[1024], *curchar; +- +- /* After fighting with strtok enough, here's now +- * a 'real' parser. 
According to Rusty I'm now no +- * longer a real hacker, but I can live with that */ +- +- for (curchar = parsestart; *curchar; curchar++) { +- if (quote_open) { +- if (escaped) { +- param_buffer[param_len++] = *curchar; +- escaped = 0; +- continue; +- } else if (*curchar == '\\') { +- escaped = 1; +- continue; +- } else if (*curchar == '"') { +- quote_open = 0; +- *curchar = ' '; +- } else { +- param_buffer[param_len++] = *curchar; +- continue; +- } +- } else { +- if (*curchar == '"') { +- quote_open = 1; +- continue; +- } +- } +- +- if (*curchar == ' ' +- || *curchar == '\t' +- || * curchar == '\n') { +- if (!param_len) { +- /* two spaces? */ +- continue; +- } +- +- param_buffer[param_len] = '\0'; +- +- /* check if table name specified */ +- if (!strncmp(param_buffer, "-t", 2) +- || !strncmp(param_buffer, "--table", 8)) { +- xtables_error(PARAMETER_PROBLEM, +- "The -t option (seen in line %u) cannot be " +- "used in ip6tables-restore.\n", line); +- exit(1); +- } +- +- add_argv(param_buffer); +- param_len = 0; +- } else { +- /* regular character, copy to buffer */ +- param_buffer[param_len++] = *curchar; +- +- if (param_len >= sizeof(param_buffer)) +- xtables_error(PARAMETER_PROBLEM, +- "Parameter too long!"); +- } +- } +-} +- + int ip6tables_restore_main(int argc, char *argv[]) + { + struct xtc_handle *handle = NULL; +@@ -425,9 +335,6 @@ int ip6tables_restore_main(int argc, char *argv[]) + char *bcnt = NULL; + char *parsestart; + +- /* reset the newargv */ +- newargc = 0; +- + if (buffer[0] == '[') { + /* we have counters in our input */ + char *ptr = strchr(buffer, ']'); +@@ -456,17 +363,17 @@ int ip6tables_restore_main(int argc, char *argv[]) + parsestart = buffer; + } + +- add_argv(argv[0]); +- add_argv("-t"); +- add_argv(curtable); ++ add_argv(argv[0], 0); ++ add_argv("-t", 0); ++ add_argv(curtable, 0); + + if (counters && pcnt && bcnt) { +- add_argv("--set-counters"); +- add_argv((char *) pcnt); +- add_argv((char *) bcnt); ++ add_argv("--set-counters", 0); 
++ add_argv((char *) pcnt, 0); ++ add_argv((char *) bcnt, 0); + } + +- add_param_to_argv(parsestart); ++ add_param_to_argv(parsestart, line); + + DEBUGP("calling do_command6(%u, argv, &%s, handle):\n", + newargc, curtable); +diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c +index b0da96d45d297..615e38a6625e0 100644 +--- a/iptables/iptables-restore.c ++++ b/iptables/iptables-restore.c +@@ -89,96 +89,6 @@ static int parse_counters(char *string, struct xt_counters *ctr) + return ret == 2; + } + +-/* global new argv and argc */ +-static char *newargv[255]; +-static int newargc; +- +-/* function adding one argument to newargv, updating newargc +- * returns true if argument added, false otherwise */ +-static int add_argv(char *what) { +- DEBUGP("add_argv: %s\n", what); +- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { +- newargv[newargc] = strdup(what); +- newargv[++newargc] = NULL; +- return 1; +- } else { +- xtables_error(PARAMETER_PROBLEM, +- "Parser cannot handle more arguments\n"); +- return 0; +- } +-} +- +-static void free_argv(void) { +- int i; +- +- for (i = 0; i < newargc; i++) +- free(newargv[i]); +-} +- +-static void add_param_to_argv(char *parsestart) +-{ +- int quote_open = 0, escaped = 0, param_len = 0; +- char param_buffer[1024], *curchar; +- +- /* After fighting with strtok enough, here's now +- * a 'real' parser. 
According to Rusty I'm now no +- * longer a real hacker, but I can live with that */ +- +- for (curchar = parsestart; *curchar; curchar++) { +- if (quote_open) { +- if (escaped) { +- param_buffer[param_len++] = *curchar; +- escaped = 0; +- continue; +- } else if (*curchar == '\\') { +- escaped = 1; +- continue; +- } else if (*curchar == '"') { +- quote_open = 0; +- *curchar = ' '; +- } else { +- param_buffer[param_len++] = *curchar; +- continue; +- } +- } else { +- if (*curchar == '"') { +- quote_open = 1; +- continue; +- } +- } +- +- if (*curchar == ' ' +- || *curchar == '\t' +- || * curchar == '\n') { +- if (!param_len) { +- /* two spaces? */ +- continue; +- } +- +- param_buffer[param_len] = '\0'; +- +- /* check if table name specified */ +- if (!strncmp(param_buffer, "-t", 2) +- || !strncmp(param_buffer, "--table", 8)) { +- xtables_error(PARAMETER_PROBLEM, +- "The -t option (seen in line %u) cannot be " +- "used in iptables-restore.\n", line); +- exit(1); +- } +- +- add_argv(param_buffer); +- param_len = 0; +- } else { +- /* regular character, copy to buffer */ +- param_buffer[param_len++] = *curchar; +- +- if (param_len >= sizeof(param_buffer)) +- xtables_error(PARAMETER_PROBLEM, +- "Parameter too long!"); +- } +- } +-} +- + int + iptables_restore_main(int argc, char *argv[]) + { +@@ -424,9 +334,6 @@ iptables_restore_main(int argc, char *argv[]) + char *bcnt = NULL; + char *parsestart; + +- /* reset the newargv */ +- newargc = 0; +- + if (buffer[0] == '[') { + /* we have counters in our input */ + char *ptr = strchr(buffer, ']'); +@@ -455,17 +362,17 @@ iptables_restore_main(int argc, char *argv[]) + parsestart = buffer; + } + +- add_argv(argv[0]); +- add_argv("-t"); +- add_argv(curtable); ++ add_argv(argv[0], 0); ++ add_argv("-t", 0); ++ add_argv(curtable, 0); + + if (counters && pcnt && bcnt) { +- add_argv("--set-counters"); +- add_argv((char *) pcnt); +- add_argv((char *) bcnt); ++ add_argv("--set-counters", 0); ++ add_argv((char *) pcnt, 0); ++ 
add_argv((char *) bcnt, 0); + } + +- add_param_to_argv(parsestart); ++ add_param_to_argv(parsestart, line); + + DEBUGP("calling do_command4(%u, argv, &%s, handle):\n", + newargc, curtable); +diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c +index c523a132b2240..49f8ea2826181 100644 +--- a/iptables/iptables-xml.c ++++ b/iptables/iptables-xml.c +@@ -66,16 +66,6 @@ parse_counters(char *string, struct xt_counters *ctr) + return (0 == 2); + } + +-/* global new argv and argc */ +-static char *newargv[255]; +-static unsigned int newargc = 0; +- +-static char *oldargv[255]; +-static unsigned int oldargc = 0; +- +-/* arg meta data, were they quoted, frinstance */ +-static int newargvattr[255]; +- + #define XT_CHAIN_MAXNAMELEN XT_TABLE_MAXNAMELEN + static char closeActionTag[XT_TABLE_MAXNAMELEN + 1]; + static char closeRuleTag[XT_TABLE_MAXNAMELEN + 1]; +@@ -93,56 +83,6 @@ struct chain { + static struct chain chains[maxChains]; + static int nextChain = 0; + +-/* funCtion adding one argument to newargv, updating newargc +- * returns true if argument added, false otherwise */ +-static int +-add_argv(char *what, int quoted) +-{ +- DEBUGP("add_argv: %d %s\n", newargc, what); +- if (what && newargc + 1 < ARRAY_SIZE(newargv)) { +- newargv[newargc] = strdup(what); +- newargvattr[newargc] = quoted; +- newargc++; +- return 1; +- } else +- return 0; +-} +- +-static void +-free_argv(void) +-{ +- unsigned int i; +- +- for (i = 0; i < newargc; i++) { +- free(newargv[i]); +- newargv[i] = NULL; +- } +- newargc = 0; +- +- for (i = 0; i < oldargc; i++) { +- free(oldargv[i]); +- oldargv[i] = NULL; +- } +- oldargc = 0; +-} +- +-/* save parsed rule for comparison with next rule +- to perform action agregation on duplicate conditions */ +-static void +-save_argv(void) +-{ +- unsigned int i; +- +- for (i = 0; i < oldargc; i++) +- free(oldargv[i]); +- oldargc = newargc; +- newargc = 0; +- for (i = 0; i < oldargc; i++) { +- oldargv[i] = newargv[i]; +- newargv[i] = NULL; +- } +-} +- + 
/* like puts but with xml encoding */ + static void + xmlEncode(char *text) +@@ -736,9 +676,6 @@ iptables_xml_main(int argc, char *argv[]) + int quote_open, quoted; + char param_buffer[1024]; + +- /* reset the newargv */ +- newargc = 0; +- + if (buffer[0] == '[') { + /* we have counters in our input */ + char *ptr = strchr(buffer, ']'); +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 742502154aa55..84dbea562576e 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -406,3 +406,126 @@ void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format) + ipv6_addr_to_string(&fw6->ipv6.dst, + &fw6->ipv6.dmsk, format)); + } ++ ++/* global new argv and argc */ ++char *newargv[255]; ++int newargc = 0; ++ ++/* saved newargv and newargc from save_argv() */ ++char *oldargv[255]; ++int oldargc = 0; ++ ++/* arg meta data, were they quoted, frinstance */ ++int newargvattr[255]; ++ ++/* function adding one argument to newargv, updating newargc ++ * returns true if argument added, false otherwise */ ++int add_argv(const char *what, int quoted) ++{ ++ DEBUGP("add_argv: %s\n", what); ++ if (what && newargc + 1 < ARRAY_SIZE(newargv)) { ++ newargv[newargc] = strdup(what); ++ newargvattr[newargc] = quoted; ++ newargv[++newargc] = NULL; ++ return 1; ++ } else { ++ xtables_error(PARAMETER_PROBLEM, ++ "Parser cannot handle more arguments\n"); ++ } ++} ++ ++void free_argv(void) ++{ ++ while (newargc) ++ free(newargv[--newargc]); ++ while (oldargc) ++ free(oldargv[--oldargc]); ++} ++ ++/* Save parsed rule for comparison with next rule to perform action aggregation ++ * on duplicate conditions. 
++ */ ++void save_argv(void) ++{ ++ unsigned int i; ++ ++ while (oldargc) ++ free(oldargv[--oldargc]); ++ ++ oldargc = newargc; ++ newargc = 0; ++ for (i = 0; i < oldargc; i++) { ++ oldargv[i] = newargv[i]; ++ } ++} ++ ++void add_param_to_argv(char *parsestart, int line) ++{ ++ int quote_open = 0, escaped = 0, param_len = 0; ++ char param_buffer[1024], *curchar; ++ ++ /* After fighting with strtok enough, here's now ++ * a 'real' parser. According to Rusty I'm now no ++ * longer a real hacker, but I can live with that */ ++ ++ for (curchar = parsestart; *curchar; curchar++) { ++ if (quote_open) { ++ if (escaped) { ++ param_buffer[param_len++] = *curchar; ++ escaped = 0; ++ continue; ++ } else if (*curchar == '\\') { ++ escaped = 1; ++ continue; ++ } else if (*curchar == '"') { ++ quote_open = 0; ++ *curchar = '"'; ++ } else { ++ param_buffer[param_len++] = *curchar; ++ continue; ++ } ++ } else { ++ if (*curchar == '"') { ++ quote_open = 1; ++ continue; ++ } ++ } ++ ++ switch (*curchar) { ++ case '"': ++ break; ++ case ' ': ++ case '\t': ++ case '\n': ++ if (!param_len) { ++ /* two spaces? 
*/ ++ continue; ++ } ++ break; ++ default: ++ /* regular character, copy to buffer */ ++ param_buffer[param_len++] = *curchar; ++ ++ if (param_len >= sizeof(param_buffer)) ++ xtables_error(PARAMETER_PROBLEM, ++ "Parameter too long!"); ++ continue; ++ } ++ ++ param_buffer[param_len] = '\0'; ++ ++ /* check if table name specified */ ++ if ((param_buffer[0] == '-' && ++ param_buffer[1] != '-' && ++ strchr(param_buffer, 't')) || ++ (!strncmp(param_buffer, "--t", 3) && ++ !strncmp(param_buffer, "--table", strlen(param_buffer)))) { ++ xtables_error(PARAMETER_PROBLEM, ++ "The -t option (seen in line %u) cannot be used in %s.\n", ++ line, xt_params->program_name); ++ } ++ ++ add_argv(param_buffer, 0); ++ param_len = 0; ++ } ++} +diff --git a/iptables/xshared.h b/iptables/xshared.h +index bfdb10b2701e5..4f567db9f410b 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -119,6 +119,19 @@ bool xs_has_arg(int argc, char *argv[]); + + extern const struct xtables_afinfo *afinfo; + ++extern char *newargv[]; ++extern int newargc; ++ ++extern char *oldargv[]; ++extern int oldargc; ++ ++extern int newargvattr[]; ++ ++int add_argv(const char *what, int quoted); ++void free_argv(void); ++void save_argv(void); ++void add_param_to_argv(char *parsestart, int line); ++ + void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format); + void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format); + +-- +2.21.0 + diff --git a/SOURCES/xtables-Introduce-and-use-common-function-to-parse-v.patch b/SOURCES/xtables-Introduce-and-use-common-function-to-parse-v.patch new file mode 100644 index 0000000..8189830 --- /dev/null +++ b/SOURCES/xtables-Introduce-and-use-common-function-to-parse-v.patch 
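Review bot: In the consolidated add_param_to_argv() in iptables/xshared.c, the two quoted-character paths (the `if (escaped)` branch and the final `else` inside `if (quote_open)`) append to the 1024-byte stack buffer `param_buffer` without the length test the unquoted `default:` branch applies, so a long enough quoted token in a restore file overruns the buffer; the same gap existed in the ip6tables-restore.c and iptables-restore.c copies this hunk removes, but the shared copy is where it should be closed. Mirroring the existing `if (param_len >= sizeof(param_buffer))` check after each of those two writes is enough (rewritten lines below). The new `-t` detection accepts abbreviations through `strncmp(param_buffer, "--table", strlen(param_buffer))`, but a `--table=NAME` spelling fails that comparison and presumably reaches do_command unfiltered, as it did before the consolidation; comparing only the part before any `=` would cover it. add_argv() also leaves its error branch without a return value and relies on xtables_error() not returning, as the commit message notes; a `/* xtables_error() does not return */` comment there would spare the next reader the lookup.
```c
	for (curchar = parsestart; *curchar; curchar++) {
		if (quote_open) {
			if (escaped) {
				param_buffer[param_len++] = *curchar;
				if (param_len >= sizeof(param_buffer))
					xtables_error(PARAMETER_PROBLEM,
						      "Parameter too long!");
				escaped = 0;
				continue;
			} else if (*curchar == '\\') {
				escaped = 1;
				continue;
			} else if (*curchar == '"') {
				quote_open = 0;
				*curchar = '"';
			} else {
				param_buffer[param_len++] = *curchar;
				if (param_len >= sizeof(param_buffer))
					xtables_error(PARAMETER_PROBLEM,
						      "Parameter too long!");
				continue;
			}
		}
		/* … unchanged: quote opening, delimiter switch, -t check, add_argv() … */
```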
@@ -0,0 +1,259 @@ +From cc564f1b24a61d8abcd1163323ba68d373ef3d7c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 3 Apr 2019 20:30:11 +0200 +Subject: [PATCH] xtables: Introduce and use common function to parse + val[/mask] arguments + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1657075 +Upstream Status: iptables commit 29b1d97764d18 + +commit 29b1d97764d1849651388d870565b3fa815a0bd8 +Author: Serhey Popovych +Date: Thu Mar 1 13:03:11 2018 +0200 + + xtables: Introduce and use common function to parse val[/mask] arguments + + There are a couple of places in both core and extensions where arguments + in the form of val[/mask] is parsed (see XTTYPE_MARKMASK32). + + In some cases symbolic name might be used which is mapped in code to + numeric value. + + Introduce common function to handle both cases where value given is + either val[/mask] or symbolic name. + + Signed-off-by: Serhey Popovych + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + extensions/libipt_realm.c | 29 ++++++--------------- + extensions/libxt_devgroup.c | 35 ++++--------------------- + include/xtables.h | 11 ++++++++ + libxtables/xtables.c | 52 +++++++++++++++++++++++++++++++++++++ + libxtables/xtoptions.c | 22 +--------------- + 5 files changed, 77 insertions(+), 72 deletions(-) + +diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c +index fffb1218db7a6..0bfbaea0add23 100644 +--- a/extensions/libipt_realm.c ++++ b/extensions/libipt_realm.c +@@ -34,30 +34,17 @@ static struct xtables_lmap *realms; + + static void realm_parse(struct xt_option_call *cb) + { +- struct xt_realm_info *realminfo = cb->data; +- int id; +- char *end; ++ struct xt_realm_info *ri = cb->data; ++ unsigned int id, mask; + + xtables_option_parse(cb); +- realminfo->id = strtoul(cb->arg, &end, 0); +- if (end != cb->arg && (*end == '/' || *end == '\0')) { +- if (*end == '/') +- realminfo->mask = strtoul(end+1, &end, 0); +- else +- realminfo->mask = 0xffffffff; +- if (*end != '\0' || end == cb->arg) +- xtables_error(PARAMETER_PROBLEM, +- "Bad realm value \"%s\"", cb->arg); +- } else { +- id = xtables_lmap_name2id(realms, cb->arg); +- if (id == -1) +- xtables_error(PARAMETER_PROBLEM, +- "Realm \"%s\" not found", cb->arg); +- realminfo->id = id; +- realminfo->mask = 0xffffffff; +- } ++ xtables_parse_val_mask(cb, &id, &mask, realms); ++ ++ ri->id = id; ++ ri->mask = mask; ++ + if (cb->invert) +- realminfo->invert = 1; ++ ri->invert = 1; + } + + static void +diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c +index ebfa2aee80cf2..604828276177b 100644 +--- a/extensions/libxt_devgroup.c ++++ b/extensions/libxt_devgroup.c +@@ -35,49 +35,24 @@ static const char f_devgroups[] = "/etc/iproute2/group"; + /* array of devgroups from f_devgroups[] */ + static struct xtables_lmap *devgroups; + +-static void devgroup_parse_groupspec(const char *arg, unsigned int *group, +- unsigned 
int *mask) +-{ +- char *end; +- bool ok; +- +- ok = xtables_strtoui(arg, &end, group, 0, UINT32_MAX); +- if (ok && (*end == '/' || *end == '\0')) { +- if (*end == '/') +- ok = xtables_strtoui(end + 1, NULL, mask, +- 0, UINT32_MAX); +- else +- *mask = ~0U; +- if (!ok) +- xtables_error(PARAMETER_PROBLEM, +- "Bad group value \"%s\"", arg); +- } else { +- *group = xtables_lmap_name2id(devgroups, arg); +- if (*group == -1) +- xtables_error(PARAMETER_PROBLEM, +- "Device group \"%s\" not found", arg); +- *mask = ~0U; +- } +-} +- + static void devgroup_parse(struct xt_option_call *cb) + { + struct xt_devgroup_info *info = cb->data; +- unsigned int id, mask; ++ unsigned int group, mask; + + xtables_option_parse(cb); ++ xtables_parse_val_mask(cb, &group, &mask, devgroups); ++ + switch (cb->entry->id) { + case O_SRC_GROUP: +- devgroup_parse_groupspec(cb->arg, &id, &mask); +- info->src_group = id; ++ info->src_group = group; + info->src_mask = mask; + info->flags |= XT_DEVGROUP_MATCH_SRC; + if (cb->invert) + info->flags |= XT_DEVGROUP_INVERT_SRC; + break; + case O_DST_GROUP: +- devgroup_parse_groupspec(cb->arg, &id, &mask); +- info->dst_group = id; ++ info->dst_group = group; + info->dst_mask = mask; + info->flags |= XT_DEVGROUP_MATCH_DST; + if (cb->invert) +diff --git a/include/xtables.h b/include/xtables.h +index 021726708b2ee..47481e693ca25 100644 +--- a/include/xtables.h ++++ b/include/xtables.h +@@ -501,6 +501,17 @@ extern void xtables_save_string(const char *value); + + extern void xtables_print_num(uint64_t number, unsigned int format); + ++extern void xtables_parse_val_mask(struct xt_option_call *cb, ++ unsigned int *val, unsigned int *mask, ++ const struct xtables_lmap *lmap); ++ ++static inline void xtables_parse_mark_mask(struct xt_option_call *cb, ++ unsigned int *mark, ++ unsigned int *mask) ++{ ++ xtables_parse_val_mask(cb, mark, mask, NULL); ++} ++ + #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + # ifdef _INIT + # undef _init +diff --git 
a/libxtables/xtables.c b/libxtables/xtables.c +index 7210d3706bf26..2981f52bc767f 100644 +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -1950,6 +1950,58 @@ void xtables_print_num(uint64_t number, unsigned int format) + printf(FMT("%4lluT ","%lluT "), (unsigned long long)number); + } + ++void xtables_parse_val_mask(struct xt_option_call *cb, ++ unsigned int *val, unsigned int *mask, ++ const struct xtables_lmap *lmap) ++{ ++ char *end; ++ ++ *mask = ~0U; ++ ++ if (!xtables_strtoui(cb->arg, &end, val, 0, UINT32_MAX)) { ++ if (lmap) ++ goto name2val; ++ else ++ goto bad_val; ++ } ++ ++ if (*end == '\0') ++ return; ++ ++ if (*end != '/') { ++ if (lmap) ++ goto name2val; ++ else ++ goto garbage; ++ } ++ ++ if (!xtables_strtoui(end + 1, &end, mask, 0, UINT32_MAX)) ++ goto bad_val; ++ ++ if (*end == '\0') ++ return; ++ ++garbage: ++ xt_params->exit_err(PARAMETER_PROBLEM, ++ "%s: trailing garbage after value " ++ "for option \"--%s\".\n", ++ cb->ext_name, cb->entry->name); ++ ++bad_val: ++ xt_params->exit_err(PARAMETER_PROBLEM, ++ "%s: bad integer value for option \"--%s\", " ++ "or out of range.\n", ++ cb->ext_name, cb->entry->name); ++ ++name2val: ++ *val = xtables_lmap_name2id(lmap, cb->arg); ++ if ((int)*val == -1) ++ xt_params->exit_err(PARAMETER_PROBLEM, ++ "%s: could not map name %s to an integer value " ++ "for option \"--%s\".\n", ++ cb->ext_name, cb->arg, cb->entry->name); ++} ++ + int kernel_version; + + void get_kernel_version(void) +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index 1d3fda73dedf7..4bbc03ab0f047 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -432,27 +432,7 @@ static void xtopt_parse_tosmask(struct xt_option_call *cb) + */ + static void xtopt_parse_markmask(struct xt_option_call *cb) + { +- unsigned int mark = 0, mask = ~0U; +- char *end; +- +- if (!xtables_strtoui(cb->arg, &end, &mark, 0, UINT32_MAX)) +- xt_params->exit_err(PARAMETER_PROBLEM, +- "%s: bad mark value for option \"--%s\", " +- 
"or out of range.\n", +- cb->ext_name, cb->entry->name); +- if (*end == '/' && +- !xtables_strtoui(end + 1, &end, &mask, 0, UINT32_MAX)) +- xt_params->exit_err(PARAMETER_PROBLEM, +- "%s: bad mask value for option \"--%s\", " +- "or out of range.\n", +- cb->ext_name, cb->entry->name); +- if (*end != '\0') +- xt_params->exit_err(PARAMETER_PROBLEM, +- "%s: trailing garbage after value " +- "for option \"--%s\".\n", +- cb->ext_name, cb->entry->name); +- cb->val.mark = mark; +- cb->val.mask = mask; ++ xtables_parse_mark_mask(cb, &cb->val.mark, &cb->val.mask); + } + + static int xtopt_sysloglvl_compare(const void *a, const void *b) +-- +2.21.0 + diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec new file mode 100644 index 0000000..1725e69 --- /dev/null +++ b/SPECS/iptables.spec 
@@ -0,0 +1,1373 @@ +# install init scripts to /usr/libexec with systemd +%define script_path %{_libexecdir}/iptables + +# service legacy actions (RHBZ#748134) +%define legacy_actions %{_libexecdir}/initscripts/legacy-actions + +Name: iptables +Summary: Tools for managing Linux kernel packet filtering capabilities +Version: 1.4.21 +Release: 33%{?dist} +Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 +Source1: iptables.init +Source2: iptables-config +Source3: iptables.service.in +Source4: iptables.save-legacy +Source5: sysconfig_iptables +Source6: sysconfig_ip6tables +Source7: iptables.panic-legacy +Patch1: iptables-1.4.21-rhbz_1054871.patch +Patch2: iptables-1.4.21-libxt_cgroup.patch +Patch3: iptables-1.4.21-wait_seconds.patch +Patch4: iptables-1.4.21-flock_wait.patch +Patch5: iptables-1.4.21-rhbz_1261238.patch +Patch6: iptables-c513cc3-rhbz_1298879.patch +Patch7: iptables-1.4.21-wait-interval.patch +Patch8: iptables-do_not_lock_again_and_again.patch +Patch9: iptables-use_the_blocking_file_lock_request.patch +Patch10: iptables-1.4.21-configure_set_lock_file_path.patch +Patch11: iptables-1.4.21-move_XT_LOCK_NAME_to_config.h.patch +Patch12: iptables-1.4.21-remove_duplicated_argument_parsing.patch +Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch +# One patch invalid: 1cf4ba6fbe85b3cbe9828a7947000290e1989986 +Patch14: iptables-do_not_set_changed_for_check_options.patch +Patch15: iptables-1.4.21-restore_version.patch +Patch16: iptables-1.4.21-restore_wait_man.patch +Patch17: extensions-libxt_tcpmss-Detect-invalid-ranges.patch +Patch18: iptables-restore-save-exit-when-given-an-unknown-opt.patch +Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch +Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch +Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch +Patch22: utils-Add-a-man-page-for-nfnl_osf.patch +Patch23: Mark-fall-through-cases-in-switch-statements.patch +Patch24: 
libiptc-Simplify-alloc_handle-function-signature.patch +Patch25: libxtables-Fix-potential-array-overrun-in-xtables_op.patch +Patch26: ip-6-tables-restore-Fix-for-uninitialized-array-curt.patch +Patch27: nfnl_osf-Replace-deprecated-nfnl_talk-by-nfnl_query.patch +Patch28: libxt_string-Avoid-potential-array-out-of-bounds-acc.patch +Patch29: libxt_string-Fix-array-out-of-bounds-check.patch +Patch30: libxtables-Don-t-read-garbage-in-xtables_strtoui.patch +Patch31: libxt_time-Drop-initialization-of-variable-year.patch +Patch32: libxt_sctp-fix-array-out-of-range-in-print_chunk.patch +Patch33: libxt_ipvs-Avoid-potential-buffer-overrun.patch +Patch34: libxt_conntrack-Version-0-does-not-support-XT_CONNTR.patch +Patch35: Fix-a-few-cases-of-pointless-assignments.patch +Patch36: nfnl_osf-Drop-pointless-check-in-xt_osf_strchr.patch +Patch37: libxt_conntrack-Avoid-potential-buffer-overrun.patch +Patch38: libxtables-Check-extension-real_name-length.patch +Patch39: libiptc-NULL-terminate-errorname.patch +Patch40: libxtables-Avoid-calling-memcpy-with-NULL-source.patch +Patch41: libxt_LED-Avoid-string-overrun-while-parsing-led-tri.patch +Patch42: libxt_recent-Remove-ineffective-checks-for-info-name.patch +Patch43: libxtables-move-some-code-to-avoid-cautions-in-vfork.patch +Patch44: libxtables-Use-posix_spawn-instead-of-vfork.patch +Patch45: libiptc-Avoid-side-effect-in-memset-calls.patch +Patch46: Share-print_ipv-4-6-_addr-from-xtables.patch +Patch47: extensions-REJECT-Check-for-array-overrun.patch +Patch48: list-fix-prefetch-dummy.patch +Patch49: extensions-Add-macro-_DEFAULT_SOURCE.patch +Patch50: Consolidate-DEBUGP-macros.patch +Patch51: xshared-Consolidate-argv-construction-routines.patch +Patch52: extensions-Fix-ipvs-vproto-parsing.patch +Patch53: extensions-Fix-ipvs-vproto-option-printing.patch +Patch54: extensions-libxt_devgroup-Fix-the-path-of-the-group-.patch +Patch55: extensions-Initialize-linear-mapping-of-symbols-in-_.patch +Patch56: 
xtables-Introduce-and-use-common-function-to-parse-v.patch +Patch57: iptables-xml-fix-segfault-if-missing-space-after-A.patch +Patch58: man-iptables-save-Add-note-about-module-autoloading.patch + +Group: System Environment/Base +URL: http://www.netfilter.org/ +License: GPLv2 +# libnetfilter_conntrack is needed for xt_connlabel +BuildRequires: libnetfilter_conntrack-devel >= 1.0.4 +# libnfnetlink-devel is requires for nfnl_osf +BuildRequires: libnfnetlink-devel +BuildRequires: libselinux-devel +BuildRequires: kernel-headers +BuildRequires: systemd +BuildRequires: automake +BuildRequires: autoconf +BuildRequires: libtool + +%description +The iptables utility controls the network packet filtering code in the +Linux kernel. If you need to set up firewalls and/or IP masquerading, +you should install this package. + +%package devel +Summary: Development package for iptables +Group: System Environment/Base +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: pkgconfig + +%description devel +iptables development headers and libraries. + +The iptc interface is upstream marked as not public. The interface is not +stable and may change with every new version. It is therefore unsupported. + +%package services +Summary: iptables and ip6tables services for iptables +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} +Requires: /bin/bash +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +# provide and obsolete old main package +Provides: %{name} = 1.4.16.1 +Obsoletes: %{name} < 1.4.16.1 +# provide and obsolete ipv6 sub package +Provides: %{name}-ipv6 = 1.4.11.1 +Obsoletes: %{name}-ipv6 < 1.4.11.1 + +%description services +iptables services for IPv4 and IPv6 + +This package provides the services iptables and ip6tables that have been split +out of the base package since they are not active by default anymore. 
+ +%package utils +Summary: iptables and ip6tables services for iptables +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description utils +Utils for iptables. + +Currently only provides nfnl_osf with the pf.os database. + + +%prep +%autosetup -p1 + +%build +# Since patches above touch configure.ac we must regen configure +./autogen.sh + +CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ +%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr + +# do not use rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + +rm -f include/linux/types.h + +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} +# remove la file(s) +rm -f %{buildroot}/%{_libdir}/*.la + +# install ip*tables.h header files +install -m 644 include/ip*tables.h %{buildroot}%{_includedir}/ +install -d -m 755 %{buildroot}%{_includedir}/iptables +install -m 644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables/ + +# install ipulog header file +install -d -m 755 %{buildroot}%{_includedir}/libipulog/ +install -m 644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog/ + +# install init scripts and configuration files +install -d -m 755 %{buildroot}%{script_path} +install -c -m 755 %{SOURCE1} %{buildroot}%{script_path}/iptables.init +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE1} > ip6tables.init +install -c -m 755 ip6tables.init %{buildroot}%{script_path}/ip6tables.init +install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig +install -c -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/iptables-config +sed -e 's;iptables;ip6tables;g' -e 's;IPTABLES;IP6TABLES;g' < %{SOURCE2} > ip6tables-config +install -c -m 600 ip6tables-config %{buildroot}%{_sysconfdir}/sysconfig/ip6tables-config +install -c -m 600 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysconfig/iptables +install -c -m 600 
%{SOURCE6} %{buildroot}%{_sysconfdir}/sysconfig/ip6tables + +# install systemd service files +install -d -m 755 %{buildroot}/%{_unitdir} +sed -e 's;iptables;ip6tables;g' \ + -e 's;IPv4;IPv6;g' \ + -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \ + -e 's;^\(After=.*\)$;\1 iptables.service;' \ + < %{SOURCE3} > ip6tables.service +sed -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' \ + < %{SOURCE3} > iptables.service +install -c -m 644 iptables.service %{buildroot}/%{_unitdir} +install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir} + +# install legacy actions for service command +install -d %{buildroot}/%{legacy_actions}/iptables +install -d %{buildroot}/%{legacy_actions}/ip6tables +install -c -m 755 %{SOURCE4} %{buildroot}/%{legacy_actions}/iptables/save +install -c -m 755 %{SOURCE7} %{buildroot}/%{legacy_actions}/iptables/panic +sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/save > ip6tabes.save-legacy +sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy +install -c -m 755 ip6tabes.save-legacy %{buildroot}/%{legacy_actions}/ip6tables/save +install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic + +%if 0%{?rhel} +%pre +for p in %{_sysconfdir}/alternatives/iptables.*; do + if [ -h "$p" ]; then + ipt=$(readlink "$p") + echo "Removing alternatives for ${p##*/} with path $ipt" + %{_sbindir}/alternatives --remove "${p##*/}" "$ipt" + fi +done +for p in %{_sysconfdir}/alternatives/ip6tables.*; do + if [ -h "$p" ]; then + ipt=$(readlink "$p") + echo "Removing alternatives for ${p##*/} with path $ipt" + %{_sbindir}/alternatives --remove "${p##*/}" "$ipt" + # create dummy alternatives entry to fix iptables-ipv6 package removal + %{_sbindir}/alternatives --install /sbin/ip6tables.dummy "${p##*/}" "$ipt" 90 + fi +done + +%posttrans +# cleanup dummy alternatives to fix 
iptables-ipv6 package removal if still there +for p in %{_sysconfdir}/alternatives/ip6tables.*; do + if [ -h "$p" ]; then + ipt=$(readlink "$p") + %{_sbindir}/alternatives --remove "${p##*/}" "$ipt" || : + fi +done +%endif + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%post services +%systemd_post iptables.service ip6tables.service + +%preun services +%systemd_preun iptables.service ip6tables.service + +%postun services +/sbin/ldconfig +%systemd_postun iptables.service ip6tables.service + +%files +%doc COPYING INCOMPATIBILITIES +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables-config +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables-config +%{_sbindir}/iptables* +%{_sbindir}/ip6tables* +%{_sbindir}/xtables-multi +%{_bindir}/iptables-xml +%{_mandir}/man1/iptables-xml* +%{_mandir}/man8/iptables* +%{_mandir}/man8/ip6tables* +%dir %{_libdir}/xtables +%{_libdir}/xtables/libipt* +%{_libdir}/xtables/libip6t* +%{_libdir}/xtables/libxt* +%{_libdir}/libip*tc.so.* +%{_libdir}/libxtables.so.* + +%files devel +%dir %{_includedir}/iptables +%{_includedir}/iptables/*.h +%{_includedir}/*.h +%dir %{_includedir}/libiptc +%{_includedir}/libiptc/*.h +%dir %{_includedir}/libipulog +%{_includedir}/libipulog/*.h +%{_libdir}/libip*tc.so +%{_libdir}/libxtables.so +%{_libdir}/pkgconfig/libiptc.pc +%{_libdir}/pkgconfig/libip4tc.pc +%{_libdir}/pkgconfig/libip6tc.pc +%{_libdir}/pkgconfig/xtables.pc + +%files services +%dir %{script_path} +%attr(0755,root,root) %{script_path}/iptables.init +%attr(0755,root,root) %{script_path}/ip6tables.init +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/iptables +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ip6tables +%{_unitdir}/iptables.service +%{_unitdir}/ip6tables.service +%dir %{legacy_actions}/iptables +%{legacy_actions}/iptables/save +%{legacy_actions}/iptables/panic +%dir %{legacy_actions}/ip6tables +%{legacy_actions}/ip6tables/save 
+%{legacy_actions}/ip6tables/panic + +%files utils +%{_sbindir}/nfnl_osf +%dir %{_datadir}/xtables +%{_datadir}/xtables/pf.os +%{_mandir}/man8/nfnl_osf* + + +%changelog +* Thu Apr 18 2019 Phil Sutter - 1.4.21-33 +- man: iptables-save: Add note about module autoloading (RHBZ#1691380) + +* Tue Apr 09 2019 Phil Sutter - 1.4.21-32 +- iptables-xml: fix segfault if missing space after -A (RHBZ#1525980) + +* Wed Apr 03 2019 Phil Sutter - 1.4.21-31 +- Fix iptables-restore with empty comment in rule (RHBZ#1668475) +- Fix parsing and printing of -m ipvs --vproto option (RHBZ#1679726) +- Fix for wrong location of devgroup definition file (RHBZ#1657075) +- Fix for non-numeric devgroup name output (RHBZ#1657075) +- Reject negative realm values (RHBZ#1657075) + +* Fri Mar 15 2019 Phil Sutter - 1.4.21-30 +- Drop leftover variable from init script (RHBZ#1520534) + +* Fri Mar 15 2019 Phil Sutter - 1.4.21-29 +- Do not attempt to unload any modules when stopping the firewall (RHBZ#1520534) +- Fix for covscan warnings (RHBZ#1525980) + +* Tue Jun 05 2018 Phil Sutter - 1.4.21-28 +- Add nfnl_osf.8 man page (RHBZ#1487331) + +* Fri May 11 2018 Phil Sutter - 1.4.21-27 +- libxt_tcpmss: Detect invalid ranges (RHBZ#1128510) +- ip(6)tables-save/restore: Exit if invalid option was given (RHBZ#1465078) +- ip(6)tables-save/restore: Require value to -W option (RHBZ#1465078) +- ip(6)tables-save/restore: Don't accept -W without -w (RHBZ#1465078) +- Ignore security table when setting policies (RHBZ#1494012) +- Fix spec file changing SRPM content (RHBZ#1531290) + +* Thu Mar 29 2018 Phil Sutter - 1.4.21-26 +- Avoid overwriting parent's return code (RHBZ#1560012) + +* Thu Mar 29 2018 Phil Sutter - 1.4.21-25 +- Fix for stopping iptables and ip6tables at the same time (RHBZ#1560012) +- Propagate errors on service stop (RHBZ#1560012) + +* Fri Nov 17 2017 Phil Sutter - 1.4.21-24 +- Fix fgrep call over multiple files in iptables.init + +* Fri Oct 20 2017 Phil Sutter - 1.4.21-23 +- Fix incorrect 
ip6tables.service unit syntax (RHBZ#1486803) + +* Fri Oct 06 2017 Phil Sutter - 1.4.21-22 +- Search for restorecon binary using which (RHBZ#1406860) + +* Thu Sep 07 2017 Phil Sutter - 1.4.21-21 +- Scan /etc/sysctl.d for items in IPTABLES_SYSCTL_LOAD_LIST (RHBZ#1402021) + +* Thu Aug 31 2017 Phil Sutter - 1.4.21-20 +- Prevent iptables.service and ip6tables.service from running in parallel + (RHBZ#1486803) +- Don't restart services upon upgrade (RHBZ#1380141) + +* Thu Aug 10 2017 Thomas Woerner 1.4.21-19 +- Use wait option for restore calls to fix failing service starts + (RHBZ#1477413) + +* Mon Apr 24 2017 Thomas Woerner 1.4.21-18 +- Add support for --wait options to restore commands (RHBZ#1438597) +- Do not set changed flag for rule check operations with module targets + (RHBZ#1438597) +- Add version option to restore commands (RHBZ#1438597) + +* Fri Jul 1 2016 Thomas Woerner 1.4.21-17 +- Fixed init script not to fail on missing restorecon (RHBZ#1246380) +- Adapted man page snipplet for TRACE to use proper logging backend names + (RHBZ#1261238) +- Warn about use of DROP in nat table (RHBZ#1298879) +- Fixed modules unload in init script (RHBZ#1324102) + +* Fri Sep 18 2015 Thomas Woerner 1.4.21-16 +- Fix important coverity findings: missing include for flock and use bash for + init script (RHBZ#1264399) + +* Fri Sep 18 2015 Thomas Woerner 1.4.21-15 +- Use systemd AssertPathExists for /etc/sysconfig/iptables (RHBZ#1200415) + +* Tue Jun 30 2015 Thomas Woerner 1.4.21-14 +- Add cgroup support (RHBZ#1058660) +- Add wait seonds support for commands (RHBZ#1156411) +- Add dhcpv6-client in default IPv6 firewall rules (RHBZ#1169036) +- Add message for init script error returns (RHBZ#1200415) +- Use flock for wait option (RHBZ#1202435) + +* Thu Mar 27 2014 Thomas Woerner 1.4.21-13 +- fixed further update issues from RHEL-6 to RHEL-7 (RHBZ#1043901) + +* Tue Mar 11 2014 Jiri Popelka - 1.4.21-12 +- Fixed iptables-save man page completely wrong (RHBZ#1054871) + +* Mon Mar 10 2014 
Jiri Popelka - 1.4.21-11 +- Added missing "panic" action (RHBZ#1067670) + +* Mon Feb 24 2014 Jiri Popelka - 1.4.21-10 +- Fixed missing reload action for iptables service (RHBZ#1066007) + +* Fri Feb 21 2014 Thomas Woerner 1.4.21-9 +- fixed missing system hang at shutdown if root device is network based + (RHBZ#1007934) +- Fixed iptables-save man page completely wrong (RHBZ#1054871) +- Fixed missing reload action for iptables service (RHBZ#1066007) +- Fixed regressions from RHEL-6 iptables services (RHBZ#1067670) + +* Fri Jan 24 2014 Daniel Mach - 1.4.21-8 +- Mass rebuild 2014-01-24 + +* Wed Jan 15 2014 Thomas Woerner 1.4.21-7 +- libnetfilter_conntrack is needed in version 1.0.4 for connlabel + See: RHBZ#1053702 + +* Wed Jan 15 2014 Thomas Woerner 1.4.21-6 +- Enable connlabel support again, needs libnetfilter_conntrack + +* Wed Jan 15 2014 Thomas Woerner 1.4.21-6 +- fixed update from RHEL-6 to RHEL-7 (RHBZ#1043901) + +* Tue Jan 14 2014 Jiri Popelka - 1.4.21-5 +- chmod /etc/sysconfig/ip[6]tables 755 -> 600 + +* Fri Jan 10 2014 Jiri Popelka - 1.4.21-4 +- drop virtual provide for xtables.so.9 +- add default /etc/sysconfig/ip[6]tables (RHBZ#1034494) + +* Thu Jan 09 2014 Jiri Popelka - 1.4.21-3 +- no need to support the pre-systemd things +- use systemd macros (#850166) +- remove scriptlets for migrating to a systemd unit from a SysV initscripts +- ./configure -> %%configure +- spec clean up +- fix self-obsoletion + +* Thu Jan 9 2014 Thomas Woerner 1.4.21-2 +- fixed system hang at shutdown if root device is network based (RHBZ#1007934) + Thanks to Rodrigo A B Freire for the patch + +* Thu Jan 9 2014 Thomas Woerner 1.4.21-1 +- no connlabel.conf upstream anymore +- new version 1.4.21 + - doc: clarify DEBUG usage macro + - iptables: use autoconf to process .in man pages + - extensions: libipt_ULOG: man page should mention NFLOG as replacement + - extensions: libxt_connlabel: use libnetfilter_conntrack + - Introduce a new revision for the set match with the counters support + 
- libxt_CT: Add the "NOTRACK" alias + - libip6t_mh: Correct command to list named mh types in manpage + - extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support + - extensions: libxt_LED: fix parsing of delay + - ip{6}tables-restore: fix breakage due to new locking approach + - libxt_recent: restore minimum value for --seconds + - iptables-xml: fix parameter parsing (similar to 2165f38) + - extensions: add copyright statements + - xtables: improve get_modprobe handling + - ip[6]tables: Add locking to prevent concurrent instances + - iptables: Fix connlabel.conf install location + - ip6tables: don't print out /128 + - libip6t_LOG: target output is different to libipt_LOG + - build: additional include path required after UAPI changes + - iptables: iptables-xml: Fix various parsing bugs + - libxt_recent: restore reap functionality to recent module + - build: fail in configure on missing dependency with --enable-bpf-compiler + - extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter + - extensions: libxt_set, libxt_SET: check the set family too + - ip6tables: Use consistent exit code for EAGAIN + - iptables: libxt_hashlimit.man: correct address + - iptables: libxt_conntrack.man extraneous commas + - iptables: libip(6)t_REJECT.man default icmp types + - iptables: iptables-xm1.1 correct man section + - iptables: libxt_recent.{c,man} dead URL + - iptables: libxt_string.man add examples + - extensions: libxt_LOG: use generic syslog reference in manpage + - iptables: extensions/GNUMakefile.in use CPPFLAGS + - iptables: correctly reference generated file + - ip[6]tables: fix incorrect alignment in commands_v_options + - build: add software version to manpage first line at configure stage + - extensions: libxt_cluster: add note on arptables-jf + - utils: nfsynproxy: fix error while compiling the BPF filter + - extensions: add SYNPROXY extension + - utils: add nfsynproxy tool + - 
iptables: state match incompatibilty across versions + - libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks + - iptables: improve chain name validation + - iptables: spurious error in load_extension + - xtables: trivial spelling fix + +* Fri Dec 27 2013 Daniel Mach - 1.4.19.1-2 +- Mass rebuild 2013-12-27 + +* Sun Dec 22 2013 Ville Skyttä - 1.4.19.1-2 +- Drop INSTALL from docs, escape macros in %%changelog. + +* Wed Jul 31 2013 Thomas Woerner 1.4.19.1-1 +- new version 1.4.19.1 + - libxt_NFQUEUE: fix bypass option documentation + - extensions: add connlabel match + - extensions: add connlabel match + - ip[6]tables: show --protocol instead of --proto in usage + - libxt_recent: Fix missing space in manpage for --mask option + - extensions: libxt_multiport: Update manpage to list valid protocols + - utils: nfnl_osf: use the right nfnetlink lib + - libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency + - Revert "build: resolve link failure for ip6t_NETMAP" + - libxt_osf: fix missing --ttl and --log in save output + - libxt_osf: fix bad location for location in --genre + - libip6t_SNPT: add manpage + - libip6t_DNPT: add manpage + - utils: updates .gitignore to include nfbpf_compile + - extensions: libxt_bpf: clarify --bytecode argument + - libxtables: fix parsing of dotted network mask format + - build: bump version to 1.4.19 + - libxt_conntrack: fix state match alias state parsing + - extensions: add libxt_bpf extension + - utils: nfbpf_compile + - doc: mention SNAT in INPUT chain since kernel 2.6.36 +- fixed changelog date weekdays where needed + +* Mon Mar 4 2013 Thomas Woerner 1.4.18-1 +- new version 1.4.18 + - lots of documentation changes + - Introduce match/target aliases + - Add the "state" alias to the "conntrack" match + - iptables: remove unused leftover definitions + - libxtables: add xtables_rule_matches_free + - libxtables: add xtables_print_num + - extensions: libip6t_DNPT: fix wording in DNPT target + - extension: 
libip6t_DNAT: allow port DNAT without address + - extensions: libip6t_DNAT: set IPv6 DNAT --to-destination + - extensions: S/DNPT: add missing save function +- changes of 1.4.17: + - libxt_time: add support to ignore day transition + - Convert the NAT targets to use the kernel supplied nf_nat.h header + - extensions: add IPv6 MASQUERADE extension + - extensions: add IPv6 SNAT extension + - extensions: add IPv6 DNAT target + - extensions: add IPv6 REDIRECT extension + - extensions: add IPv6 NETMAP extension + - extensions: add NPT extension + - extensions: libxt_statistic: Fix save output + +* Thu Feb 14 2013 Fedora Release Engineering - 1.4.16.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 16 2013 Ville Skyttä - 1.4.16.2-6 +- Own unowned -services libexec dirs (#894464, Michael Scherer). +- Fix -services unit file permissions (#732936, Michal Schmidt). + +* Thu Nov 8 2012 Thomas Woerner 1.4.16.2-5 +- fixed path of ip6tables.init in ip6tables.service + +* Fri Nov 2 2012 Thomas Woerner 1.4.16.2-4 +- fixed missing services for update of pre F-18 installations (rhbz#867960) + - provide and obsolete old main package in services sub package + - provide and obsolete old ipv6 sub package (pre F-17) in services sub package + +* Sun Oct 14 2012 Dan Horák 1.4.16.2-3 +- fix the compat provides for all 64-bit arches + +* Fri Oct 12 2012 Thomas Woerner 1.4.16.2-2 +- new sub package services providing the systemd services (RHBZ#862922) +- new sub package utils: provides nfnl_osf and the pf.os database +- using %%{_libexecdir}/iptables as script path for the original init scripts +- added service iptables save funcitonality using the new way provided by + initscripts 9.37.1 (RHBZ#748134) +- added virtual provide for libxtables.so.7 + +* Mon Oct 8 2012 Thomas Woerner 1.4.16.2-1 +- new version 1.4.16.2 + - build: support for automake-1.12 + - build: separate AC variable replacements from xtables.h + - build: have `make clean` remove dep files 
too + - doc: grammatical updates to libxt_SET + - doc: clean up interpunction in state list for xt_conntrack + - doc: deduplicate extension descriptions into a new manpage + - doc: trim "state" manpage and reference conntrack instead + - doc: have NOTRACK manpage point to CT instead + - doc: mention iptables-apply in the SEE ALSO sections + - extensions: libxt_addrtype: fix type in help message + - include: add missing linux/netfilter_ipv4/ip_queue.h + - iptables: fix wrong error messages + - iptables: support for match aliases + - iptables: support for target aliases + - iptables-restore: warn about -t in rule lines + - ip[6]tables-restore: cleanup to reduce one level of indentation + - libip6t_frag: match any frag id by default + - libxtables: consolidate preference logic + - libxt_devgroup: consolidate devgroup specification parsing + - libxt_devgroup: guard against negative numbers + - libxt_LED: guard against negative numbers + - libxt_NOTRACK: replace as an alias to CT --notrack + - libxt_state: replace as an alias to xt_conntrack + - libxt_tcp: print space before, not after "flags:" + - libxt_u32: do bounds checking for @'s operands + - libxt_*limit: avoid division by zero + - Merge branch 'master' of git://git.inai.de/iptables + - Merge remote-tracking branch 'nf/stable' + - New set match revision with --return-nomatch flag support +- dropped fixrestore patch, upstream + +* Wed Aug 1 2012 Thomas Woerner 1.4.15-1 +- new version 1.4.15 + - extensions: add HMARK target + - iptables-restore: fix parameter parsing (shows up with gcc-4.7) + - iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7) + - libxtables: add xtables_ip[6]mask_to_cidr + - libxt_devgroup: add man page snippet + - libxt_hashlimit: add support for byte-based operation + - libxt_recent: add --mask netmask + - libxt_recent: remove unused variable + - libxt_HMARK: correct a number of errors introduced by Pablo's rework + - libxt_HMARK: fix ct case example + - libxt_HMARK: fix 
output of iptables -L + - Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)" + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-3 +- added fixrestore patch submitted to upstream by fryasu (nfbz#774) + (RHBZ#825796) + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-2 +- disabled libipq, removed upstream, not provided by kernel anymore + +* Wed Jul 18 2012 Thomas Woerner 1.4.14-1 +- new version 1.4.14 + - extensions: add IPv6 capable ECN match extension + - extensions: add nfacct match + - extensions: add rpfilter module + - extensions: libxt_rateest: output all options in save hook + - iptables: missing free() in function cache_add_entry() + - iptables: missing free() in function delete_entry() + - libiptc: fix retry path in TC_INIT + - libiptc: Returns the position the entry was inserted + - libipt_ULOG: fix --ulog-cprange + - libxt_CT: add --timeout option + - ip(6)tables-restore: make sure argv is NULL terminated + - Revert "libiptc: Returns the position the entry was inserted" + - src: mark newly opened fds as FD_CLOEXEC (close on exec) + - tests: add rateest match rules +- dropped patch5 (cloexec), merged upstream + +* Mon Apr 23 2012 Thomas Woerner 1.4.12.2-5 +- reenable iptables default services + +* Wed Feb 29 2012 Harald Hoyer 1.4.12.2-4 +- install everything in /usr + https://fedoraproject.org/wiki/Features/UsrMove + +* Thu Feb 16 2012 Thomas Woerner 1.4.12.2-3 +- fixed auto enable check for Fedora > 16 and added rhel > 6 check + +* Wed Feb 15 2012 Thomas Woerner 1.4.12.2-2 +- disabled autostart and auto enable for iptables.service and ip6tables.service + for Fedora > 16 + +* Mon Jan 16 2012 Thomas Woerner 1.4.12.2-1 +- new version 1.4.12.2 with new pkgconfig/libip4tc.pc and pkgconfig/libip6tc.pc + - build: make check stage not fail when building statically + - build: restore build order of modules + - build: scan for unreferenced symbols + - build: sort file list before build + - doc: clarification on the meaning of -p 0 + - doc: document 
iptables-restore's -T option + - doc: fix undesired newline in ip6tables-restore(8) + - ip6tables-restore: implement missing -T option + - iptables: move kernel version find routing into libxtables + - libiptc: provide separate pkgconfig files + - libipt_SAME: set PROTO_RANDOM on all ranges + - libxtables: Fix file descriptor leak in xtables_lmap_init on error + - libxt_connbytes: fix handling of --connbytes FROM + - libxt_CONNSECMARK: fix spacing in output + - libxt_conntrack: improve error message on parsing violation + - libxt_NFQUEUE: fix --queue-bypass ipt-save output + - libxt_RATEEST: link with -lm + - libxt_statistic: link with -lm + - Merge branch 'stable' + - Merge branch 'stable' of git://dev.medozas.de/iptables + - nfnl_osf: add missing libnfnetlink_CFLAGS to compile process + - xtoptions: fill in fallback value for nvals + - xtoptions: simplify xtables_parse_interface + +* Fri Jan 13 2012 Fedora Release Engineering - 1.4.12.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 12 2011 Thomas Woerner 1.4.12.1-1 +- new version 1.4.12.1 with new pkgconfig/libipq.pc + - build: abort autogen on subcommand failure + - build: strengthen check for overlong lladdr components + - build: workaround broken linux-headers on RHEL-5 + - doc: clarify libxt_connlimit defaults + - doc: fix typo in libxt_TRACE + - extensions: use multi-target registration + - libip6t_dst: restore setting IP6T_OPTS_LEN flag + - libip6t_frag: restore inversion support + - libip6t_hbh: restore setting IP6T_OPTS_LEN flag + - libipq: add pkgconfig file + - libipt_ttl: document that negation is available + - libxt_conntrack: fix --ctproto 0 output + - libxt_conntrack: remove one misleading comment + - libxt_dccp: fix deprecated intrapositional ordering of ! + - libxt_dccp: fix random output of ! 
on --dccp-option + - libxt_dccp: provide man pages options in short help too + - libxt_dccp: restore missing XTOPT_INVERT tags for options + - libxt_dccp: spell out option name on save + - libxt_dscp: restore inversion support + - libxt_hashlimit: default htable-expire must be in milliseconds + - libxt_hashlimit: observe new default gc-expire time when saving + - libxt_hashlimit: remove inversion from hashlimit rev 0 + - libxt_owner: restore inversion support + - libxt_physdev: restore inversion support + - libxt_policy: remove superfluous inversion + - libxt_set: put differing variable names in directly + - libxt_set: update man page about kernel support on the feature + - libxt_string: define _GNU_SOURCE for strnlen + - libxt_string: escape the escaping char too + - libxt_string: fix space around arguments + - libxt_string: replace hex codes by char equivalents + - libxt_string: simplify hex output routine + - libxt_tcp: always print the mask parts + - libxt_TCPMSS: restore build with IPv6-less libcs + - libxt_TOS: update linux kernel version list for backported fix + - libxt_u32: fix missing allowance for inversion + - src: remove unused IPTABLES_MULTI define + - tests: add negation tests for libxt_statistic + - xtoptions: flag use of XTOPT_POINTER without XTOPT_PUT +- removed include/linux/types.h before build to be able to compile + +* Tue Jul 26 2011 Thomas Woerner 1.4.12-2 +- dropped temporary provide again + +* Tue Jul 26 2011 Thomas Woerner 1.4.12-1.1 +- added temporary provides for libxtables.so.6 to be able to rebuild iproute, + which is part of the standard build environment + +* Mon Jul 25 2011 Thomas Woerner 1.4.12-1 +- new version 1.4.12 with support of all new features of kernel 3.0 + - build: attempt to fix building under Linux 2.4 + - build: bump soversion for recent data structure change + - build: install modules in arch-dependent location + - doc: fix group range in libxt_NFLOG's man + - doc: fix version string in ip6tables.8 + - doc: include 
matches/targets in manpage again
+ - doc: mention multiple verbosity flags
+ - doc: the -m option cannot be inverted
+ - extensions: support for per-extension instance global variable space
+ - iptables-apply: select default rule file depending on call name
+ - iptables: consolidate target/match init call
+ - iptables: Coverity: DEADCODE
+ - iptables: Coverity: NEGATIVE_RETURNS
+ - iptables: Coverity: RESOURCE_LEAK
+ - iptables: Coverity: REVERSE_INULL
+ - iptables: Coverity: VARARGS
+ - iptables: restore negation for -f
+ - libip6t_HL: fix option names from ttl -> hl
+ - libipt_LOG: fix ignoring all but last flags
+ - libxtables: ignore whitespace in the multiaddress argument parser
+ - libxtables: properly reject empty hostnames
+ - libxtables: set clone's initial data to NULL
+ - libxt_conntrack: move more data into the xt_option_entry
+ - libxt_conntrack: restore network-byte order for v1,v2
+ - libxt_hashlimit: use a more obvious expiry value by default
+ - libxt_rateest: abolish global variables
+ - libxt_RATEEST: abolish global variables
+ - libxt_RATEEST: fix userspacesize field
+ - libxt_RATEEST: use guided option parser
+ - libxt_state: fix regression about inversion of main option
+ - option: remove last traces of intrapositional negation
+- complete changelog:
+ http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.12.txt
+
+* Thu Jul 21 2011 Thomas Woerner 1.4.11.1-4
+- merged ipv6 sub package into main package
+- renamed init scripts to /usr/libexec/ip*tables.init
+
+* Fri Jul 15 2011 Thomas Woerner 1.4.11.1-3
+- added support for native systemd file (rhbz#694738)
+ - new iptables.service file
+ - additional requires
+ - moved sysv init scripts to /usr/libexec
+ - added new post, preun and postun scripts and triggers
+
+* Tue Jul 12 2011 Thomas Woerner 1.4.11.1-2
+- dropped temporary provide again
+- enabled smp build
+
+* Tue Jul 12 2011 Thomas Woerner 1.4.11.1-1.1
+- added temporary provides for libxtables.so.5 to be able to rebuild iproute,
+ which is part of the standard build environment
+
+* Mon Jul 11 2011 Thomas Woerner 1.4.11.1-1
+- new version 1.4.11.1, bug and doc fix release for 1.4.11
+
+* Tue Jun 7 2011 Thomas Woerner 1.4.11-1
+- new version 1.4.11 with all new features of 2.6.37-39 (not usable)
+ - lots of changes and bugfixes for base and extensions
+ - complete changelog:
+ http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.11.txt
+
+* Wed Feb 09 2011 Fedora Release Engineering - 1.4.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 10 2011 Thomas Woerner 1.4.10-1
+- new version 1.4.10 with all new features of 2.6.36
+ - all: consistent syntax use in struct option
+ - build: fix static linking
+ - doc: let man(1) autoalign the text in xt_cpu
+ - doc: remove extra empty line from xt_cpu
+ - doc: minimal spelling updates to xt_cpu
+ - doc: consistent use of markup
+ - extensions: libxt_quota: don't ignore the quota value on deletion
+ - extensions: REDIRECT: add random help
+ - extensions: add xt_cpu match
+ - extensions: add idletimer xt target extension
+ - extensions: libxt_IDLETIMER: use xtables_param_act when checking options
+ - extensions: libxt_CHECKSUM extension
+ - extensions: libipt_LOG/libip6t_LOG: support macdecode option
+ - extensions: fix compilation of the new CHECKSUM target
+ - extensions: libxt_ipvs: user-space lib for netfilter matcher xt_ipvs
+ - iptables-xml: resolve compiler warnings
+ - iptables: limit chain name length to be consistent with targets
+ - libiptc: add Libs.private to pkgconfig files
+ - libiptc: build with -Wl,--no-as-needed
+ - xtables: remove unnecessary cast
+- dropped xt_CHECKSUM, added upstream
+
+* Tue Oct 12 2010 Thomas Woerner 1.4.9-2
+- added xt_CHECKSUM patch from Michael S. Tsirkin (rhbz#612587)
+
+* Wed Aug 4 2010 Thomas Woerner 1.4.9-1
+- new version 1.4.9 with all new features of 2.6.35
+ - doc: xt_hashlimit: fix a typo
+ - doc: xt_LED: nroff formatting requirements
+ - doc: xt_string: correct copy-and-pasting in manpage
+ - extensions: add the LED target
+ - extensions: libxt_quota.c: Support option negation
+ - extensions: libxt_rateest: fix bps options for iptables-save
+ - extensions: libxt_rateest: fix typo in the man page
+ - extensions: REDIRECT: add random help
+ - includes: sync header files from Linux 2.6.35-rc1
+ - libxt_conntrack: do print netmask
+ - libxt_hashlimit: always print burst value
+ - libxt_set: new revision added
+ - utils: add missing include flags to Makefile
+ - xtables: another try at chain name length checking
+ - xtables: remove xtables_set_revision function
+ - xt_quota: also document negation
+ - xt_sctp: Trace DATA chunk that supports SACK-IMMEDIATELY extension
+ - xt_sctp: support FORWARD_TSN chunk type
+
+* Fri Jul 2 2010 Thomas Woerner 1.4.8-1
+- new version 1.4.8 all new features of 2.6.34 (rhbz#)
+ - extensions: REDIRECT: fix --to-ports parser
+ - iptables: add noreturn attribute to exit_tryhelp()
+ - extensions: MASQUERADE: fix --to-ports parser
+ - libxt_comment: avoid use of IPv4-specific examples
+ - libxt_CT: add a manpage
+ - iptables: correctly check for too-long chain/target/match names
+ - doc: libxt_MARK: no longer restricted to mangle table
+ - doc: remove claim that TCPMSS is limited to mangle
+ - libxt_recent: add a missing space in output
+ - doc: add manpage for libxt_osf
+ - libxt_osf: import nfnl_osf program
+ - extensions: add support for xt_TEE
+ - CT: fix --ctevents parsing
+ - extensions: add CT extension
+ - libxt_CT: print conntrack zone in ->print/->save
+ - xtables: fix compilation when debugging is enabled
+ - libxt_conntrack: document --ctstate UNTRACKED
+ - iprange: fix xt_iprange v0 parsing
+
+* Wed Mar 24 2010 Thomas Woerner 1.4.7-2
+- added default values for IPTABLES_STATUS_VERBOSE and
+ IPTABLES_STATUS_LINENUMBERS in init script
+- added missing lsb keywords Required-Start and Required-Stop to init script
+
+* Fri Mar 5 2010 Thomas Woerner 1.4.7-1
+- new version 1.4.7 with support for all new features of 2.6.33 (rhbz#570767)
+ - libip4tc: Add static qualifier to dump_entry()
+ - libipq: build as shared library
+ - recent: reorder cases in code (cosmetic cleanup)
+ - several man page and documentation fixes
+ - policy: fix error message showing wrong option
+ - includes: header updates
+ - Lift restrictions on interface names
+- fixed license and moved iptables-xml into base package according to review
+
+* Wed Jan 27 2010 Thomas Woerner 1.4.6-2
+- moved libip*tc and libxtables libs to /lib[64], added symlinks for .so libs
+ to /usr/lib[64] for compatibility (rhbz#558796)
+
+* Wed Jan 13 2010 Thomas Woerner 1.4.6-1
+- new version 1.4.6 with support for all new features of 2.6.32
+ - several man page fixes
+ - Support for nommu arches
+ - realm: remove static initializations
+ - libiptc: remove unused functions
+ - libiptc: avoid strict-aliasing warnings
+ - iprange: do accept non-ranges for xt_iprange v1
+ - iprange: warn on reverse range
+ - iprange: roll address parsing into a loop
+ - iprange: do accept non-ranges for xt_iprange v1 (log)
+ - iprange: warn on reverse range (log)
+ - libiptc: fix wrong maptype of base chain counters on restore
+ - iptables: fix undersized deletion mask creation
+ - style: reduce indent in xtables_check_inverse
+ - libxtables: hand argv to xtables_check_inverse
+ - iptables/extensions: make bundled options work again
+ - CONNMARK: print mark rules with mask 0xffffffff as set instead of xset
+ - iptables: take masks into consideration for replace command
+ - doc: explain experienced --hitcount limit
+ - doc: name resolution clarification
+ - iptables: expose option to zero packet/byte counters for a specific rule
+ - build: restore --disable-ipv6 functionality on system w/o v6 headers
+ - MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark
+ - DNAT: fix incorrect check during parsing
+ - extensions: add osf extension
+ - conntrack: fix --expires parsing
+
+* Thu Dec 17 2009 Thomas Woerner 1.4.5-2
+- dropped nf_ext_init remains from cloexec patch
+
+* Thu Sep 17 2009 Thomas Woerner 1.4.5-1
+- new version 1.4.5 with support for all new features of 2.6.31
+ - libxt_NFQUEUE: add new v1 version with queue-balance option
+ - xt_conntrack: revision 2 for enlarged state_mask member
+ - libxt_helper: fix invalid passed option to check_inverse
+ - libiptc: split v4 and v6
+ - extensions: collapse registration structures
+ - iptables: allow for parse-less extensions
+ - iptables: allow for help-less extensions
+ - extensions: remove empty help and parse functions
+ - xtables: add multi-registration functions
+ - extensions: collapse data variables to use multi-reg calls
+ - xtables: warn of missing version identifier in extensions
+ - multi binary: allow subcommand via argv[1]
+ - iptables: accept multiple IP address specifications for -s, -d
+ - several build fixes
+ - several man page fixes
+- fixed two leaked file descriptors on sockets (rhbz#521397)
+
+* Mon Aug 24 2009 Thomas Woerner 1.4.4-1
+- new version 1.4.4 with support for all new features of 2.6.30
+ - several man page fixes
+ - iptables: replace open-coded sizeof by ARRAY_SIZE
+ - libip6t_policy: remove redundant functions
+ - policy: use direct xt_policy_info instead of ipt/ip6t
+ - policy: merge ipv6 and ipv4 variant
+ - extensions: add `cluster' match support
+ - extensions: add const qualifiers in print/save functions
+ - extensions: use NFPROTO_UNSPEC for .family field
+ - extensions: remove redundant casts
+ - iptables: close open file descriptors
+ - fix segfault if incorrect protocol name is used
+ - replace open-coded sizeof by ARRAY_SIZE
+ - do not include v4-only modules in ip6tables manpage
+ - use direct xt_policy_info instead of ipt/ip6t
+ - xtables: fix segfault if incorrect protocol name is used
+ - libxt_connlimit: initialize v6_mask
+ - SNAT/DNAT: add support for persistent multi-range NAT mappings
+
+* Fri Jul 24 2009 Fedora Release Engineering - 1.4.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Apr 15 2009 Thomas Woerner 1.4.3.2-1
+- new version 1.4.3.2
+- also install iptables/internal.h, needed for iptables.h and ip6tables.h
+
+* Mon Mar 30 2009 Thomas Woerner 1.4.3.1-1
+- new version 1.4.3.1
+ - libiptc is now shared
+ - supports all new features of the 2.6.29 kernel
+- dropped typo_latter patch
+
+* Thu Mar 5 2009 Thomas Woerner 1.4.2-3
+- still more review fixes (rhbz#225906)
+ - consistent macro usage
+ - use sed instead of perl for rpath removal
+ - use standard RPM CFLAGS, but also -fno-strict-aliasing (needed for libiptc*)
+
+* Wed Feb 25 2009 Fedora Release Engineering - 1.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Feb 20 2009 Thomas Woerner 1.4.2-1
+- new version 1.4.2
+- removed TOS value mask patch (upstream)
+- more review fixes (rhbz#225906)
+- install all header files (rhbz#462207)
+- dropped nf_ext_init (rhbz#472548)
+
+* Tue Jul 22 2008 Thomas Woerner 1.4.1.1-2
+- fixed TOS value mask problem (rhbz#456244) (upstream patch)
+- two more cloexec fixes
+
+* Tue Jul 1 2008 Thomas Woerner 1.4.1.1-1
+- upstream bug fix release 1.4.1.1
+- dropped extra patch for 1.4.1 - not needed anymore
+
+* Tue Jun 10 2008 Thomas Woerner 1.4.1-1
+- new version 1.4.1 with new build environment
+- additional ipv6 network mask patch from Jan Engelhardt
+- spec file cleanup
+- removed old patches
+
+* Fri Jun 6 2008 Tom "spot" Callaway 1.4.0-5
+- use normal kernel headers, not linux/compiler.h
+- change BuildRequires: kernel-devel to kernel-headers
+- We need to do this to be able to build for both sparcv9 and sparc64
+ (there is no kernel-devel.sparcv9)
+
+* Thu Mar 20 2008 Thomas Woerner 1.4.0-4
+- use O_CLOEXEC for all opened files in all applications (rhbz#438189)
+
+* Mon Mar 3 2008 Thomas Woerner 1.4.0-3
+- use the kernel headers from the build tree for iptables for now to be able to
+ compile this package, but this makes the package more kernel dependant
+- use s6_addr32 instead of in6_u.u6_addr32
+
+* Wed Feb 20 2008 Fedora Release Engineering - 1.4.0-2
+- Autorebuild for GCC 4.3
+
+* Mon Feb 11 2008 Thomas Woerner 1.4.0-1
+- new version 1.4.0
+- fixed condrestart (rhbz#428148)
+- report the module in rmmod_r if there is an error
+- use nf_ext_init instead of my_init for extension constructors
+
+* Mon Nov 5 2007 Thomas Woerner 1.3.8-6
+- fixed leaked file descriptor before fork/exec (rhbz#312191)
+- blacklisting is not working, use "install X /bin/(true|false)" test instead
+- return private exit code 150 for disabled ipv6 support
+- use script name for output messages
+
+* Tue Oct 16 2007 Thomas Woerner 1.3.8-5
+- fixed error code for stopping a already stopped firewall (rhbz#321751)
+- moved blacklist test into start
+
+* Wed Sep 26 2007 Thomas Woerner 1.3.8-4.1
+- do not start ip6tables if ipv6 is blacklisted (rhbz#236888)
+- use simpler fix for (rhbz#295611)
+ Thanks to Linus Torvalds for the patch.
+
+* Mon Sep 24 2007 Thomas Woerner 1.3.8-4
+- fixed IPv6 reject type (rhbz#295181)
+- fixed init script: start, stop and status
+- support netfilter compiled into kernel in init script (rhbz#295611)
+- dropped inversion for limit modules from man pages (rhbz#220780)
+- fixed typo in ip6tables man page (rhbz#236185)
+
+* Wed Sep 19 2007 Thomas Woerner 1.3.8-3
+- do not depend on local_fs in lsb header - this delayes start after network
+- fixed exit code for initscript usage
+
+* Mon Sep 17 2007 Thomas Woerner 1.3.8-2.1
+- do not use lock file for condrestart test
+
+* Thu Aug 23 2007 Thomas Woerner 1.3.8-2
+- fixed initscript for LSB conformance (rhbz#246953, rhbz#242459)
+- provide iptc interface again, but unsupported (rhbz#216733)
+- compile all extension, which are supported by the kernel-headers package
+- review fixes (rhbz#225906)
+
+* Tue Jul 31 2007 Thomas Woerner
+- reverted ipv6 fix, because it disables the ipv6 at all (rhbz#236888)
+
+* Fri Jul 13 2007 Steve Conklin - 1.3.8-1
+- New version 1.3.8
+
+* Mon Apr 23 2007 Jeremy Katz - 1.3.7-2
+- fix error when ipv6 support isn't loaded in the kernel (#236888)
+
+* Wed Jan 10 2007 Thomas Woerner 1.3.7-1.1
+- fixed installation of secmark modules
+
+* Tue Jan 9 2007 Thomas Woerner 1.3.7-1
+- new verison 1.3.7
+- iptc is not a public interface and therefore not installed anymore
+- dropped upstream secmark patch
+
+* Tue Sep 19 2006 Thomas Woerner 1.3.5-2
+- added secmark iptables patches (#201573)
+
+* Wed Jul 12 2006 Jesse Keating - 1.3.5-1.2.1
+- rebuild
+
+* Fri Feb 10 2006 Jesse Keating - 1.3.5-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 1.3.5-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Thu Feb 2 2006 Thomas Woerner 1.3.5-1
+- new version 1.3.5
+- fixed init script to set policy for raw tables, too (#179094)
+
+* Tue Jan 24 2006 Thomas Woerner 1.3.4-3
+- added important iptables header files to devel package
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Fri Nov 25 2005 Thomas Woerner 1.3.4-2
+- fix for plugin problem: link with "gcc -shared" instead of "ld -shared" and
+ replace "_init" with "__attribute((constructor)) my_init"
+
+* Fri Nov 25 2005 Thomas Woerner 1.3.4-1.1
+- rebuild due to unresolved symbols in shared libraries
+
+* Fri Nov 18 2005 Thomas Woerner 1.3.4-1
+- new version 1.3.4
+- dropped free_opts patch (upstream fixed)
+- made libipq PIC (#158623)
+- additional configuration options for iptables startup script (#172929)
+ Thanks to Jan Gruenwald for the patch
+- spec file cleanup (dropped linux_header define and usage)
+
+* Mon Jul 18 2005 Thomas Woerner 1.3.2-1
+- new version 1.3.2 with additional patch for the misplaced free_opts call
+ from Marcus Sundberg
+
+* Wed May 11 2005 Thomas Woerner 1.3.1-1
+- new version 1.3.1
+
+* Fri Mar 18 2005 Thomas Woerner 1.3.0-2
+- Remove unnecessary explicit kernel dep (#146142)
+- Fixed out of bounds accesses (#131848): Thanks to Steve Grubb
+ for the patch
+- Adapted iptables-config to reference to modprobe.conf (#150143)
+- Remove misleading message (#140154): Thanks to Ulrich Drepper
+ for the patch
+
+* Mon Feb 21 2005 Thomas Woerner 1.3.0-1
+- new version 1.3.0
+
+* Thu Nov 11 2004 Thomas Woerner 1.2.11-3.2
+- fixed autoload problem in iptables and ip6tables (CAN-2004-0986)
+
+* Fri Sep 17 2004 Thomas Woerner 1.2.11-3.1
+- changed default behaviour for IPTABLES_STATUS_NUMERIC to "yes" (#129731)
+- modified config file to match this change and un-commented variables with
+ default values
+
+* Thu Sep 16 2004 Thomas Woerner 1.2.11-3
+- applied second part of cleanup patch from (#131848): thanks to Steve Grubb
+ for the patch
+
+* Wed Aug 25 2004 Thomas Woerner 1.2.11-2
+- fixed free bug in iptables (#128322)
+
+* Tue Jun 22 2004 Thomas Woerner 1.2.11-1
+- new version 1.2.11
+
+* Thu Jun 17 2004 Thomas Woerner 1.2.10-1
+- new version 1.2.10
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Tue Mar 02 2004 Elliot Lee
+- rebuilt
+
+* Thu Feb 26 2004 Thomas Woerner 1.2.9-2.3
+- fixed iptables-restore -c fault if there are no counters (#116421)
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Sun Jan 25 2004 Dan Walsh 1.2.9-1.2
+- Close File descriptors to prevent SELinux error message
+
+* Wed Jan 7 2004 Thomas Woerner 1.2.9-1.1
+- rebuild
+
+* Wed Dec 17 2003 Thomas Woerner 1.2.9-1
+- vew version 1.2.9
+- new config options in ipXtables-config:
+ IPTABLES_MODULES_UNLOAD
+- more documentation in ipXtables-config
+- fix for netlink security issue in libipq (devel package)
+- print fix for libipt_icmp (#109546)
+
+* Thu Oct 23 2003 Thomas Woerner 1.2.8-13
+- marked all messages in iptables init script for translation (#107462)
+- enabled devel package (#105884, #106101)
+- bumped build for fedora for libipt_recent.so (#106002)
+
+* Tue Sep 23 2003 Thomas Woerner 1.2.8-12.1
+- fixed lost udp port range in ip6tables-save (#104484)
+- fixed non numeric multiport port output in ipXtables-savs
+
+* Mon Sep 22 2003 Florian La Roche 1.2.8-11
+- do not link against -lnsl
+
+* Wed Sep 17 2003 Thomas Woerner 1.2.8-10
+- made variables in rmmod_r local
+
+* Tue Jul 22 2003 Thomas Woerner 1.2.8-9
+- fixed permission for init script
+
+* Sat Jul 19 2003 Thomas Woerner 1.2.8-8
+- fixed save when iptables file is missing and iptables-config permissions
+
+* Tue Jul 8 2003 Thomas Woerner 1.2.8-7
+- fixes for ip6tables: module unloading, setting policy only for existing
+ tables
+
+* Thu Jul 3 2003 Thomas Woerner 1.2.8-6
+- IPTABLES_SAVE_COUNTER defaults to no, now
+- install config file in /etc/sysconfig
+- exchange unload of ip_tables and ip_conntrack
+- fixed start function
+
+* Wed Jul 2 2003 Thomas Woerner 1.2.8-5
+- new config option IPTABLES_SAVE_ON_RESTART
+- init script: new status, save and restart
+- fixes #44905, #65389, #80785, #82860, #91040, #91560 and #91374
+
+* Mon Jun 30 2003 Thomas Woerner 1.2.8-4
+- new config option IPTABLES_STATUS_NUMERIC
+- cleared IPTABLES_MODULES in iptables-config
+
+* Mon Jun 30 2003 Thomas Woerner 1.2.8-3
+- new init scripts
+
+* Sat Jun 28 2003 Florian La Roche
+- remove check for very old kernel versions in init scripts
+- sync up both init scripts and remove some further ugly things
+- add some docu into rpm
+
+* Thu Jun 26 2003 Thomas Woerner 1.2.8-2
+- rebuild
+
+* Mon Jun 16 2003 Thomas Woerner 1.2.8-1
+- update to 1.2.8
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Mon Jan 13 2003 Bill Nottingham 1.2.7a-1
+- update to 1.2.7a
+- add a plethora of bugfixes courtesy Michael Schwendt
+
+* Fri Dec 13 2002 Elliot Lee 1.2.6a-3
+- Fix multilib
+
+* Wed Aug 07 2002 Karsten Hopp
+- fixed iptables and ip6tables initscript output, based on #70511
+- check return status of all iptables calls, not just the last one
+ in a 'for' loop.
+
+* Mon Jul 29 2002 Bernhard Rosenkraenzer 1.2.6a-1
+- 1.2.6a (bugfix release, #69747)
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers
+- automated rebuild
+
+* Mon Mar 4 2002 Bernhard Rosenkraenzer 1.2.5-3
+- Add some fixes from CVS, fixing bug #60465
+
+* Tue Feb 12 2002 Bernhard Rosenkraenzer 1.2.5-2
+- Merge ip6tables improvements from Ian Prowell
+ #59402
+- Update URL (#59354)
+- Use /sbin/chkconfig rather than chkconfig in %%postun script
+
+* Fri Jan 11 2002 Bernhard Rosenkraenzer 1.2.5-1
+- 1.2.5
+
+* Wed Jan 09 2002 Tim Powers
+- automated rebuild
+
+* Mon Nov 5 2001 Bernhard Rosenkraenzer 1.2.4-2
+- Fix %%preun script
+
+* Tue Oct 30 2001 Bernhard Rosenkraenzer 1.2.4-1
+- Update to 1.2.4 (various fixes, including security fixes; among others:
+ #42990, #50500, #53325, #54280)
+- Fix init script (#31133)
+
+* Mon Sep 3 2001 Bernhard Rosenkraenzer 1.2.3-1
+- 1.2.3 (5 security fixes, some other fixes)
+- Fix updating (#53032)
+
+* Mon Aug 27 2001 Bernhard Rosenkraenzer 1.2.2-4
+- Fix #50990
+- Add some fixes from current CVS; should fix #52620
+
+* Mon Jul 16 2001 Bernhard Rosenkraenzer 1.2.2-3
+- Add some fixes from the current CVS tree; fixes #49154 and some IPv6
+ issues
+
+* Tue Jun 26 2001 Bernhard Rosenkraenzer 1.2.2-2
+- Fix iptables-save reject-with (#45632), Patch from Michael Schwendt
+
+
+* Tue May 8 2001 Bernhard Rosenkraenzer 1.2.2-1
+- 1.2.2
+
+* Wed Mar 21 2001 Bernhard Rosenkraenzer
+- 1.2.1a, fixes #28412, #31136, #31460, #31133
+
+* Thu Mar 1 2001 Bernhard Rosenkraenzer
+- Yet another initscript fix (#30173)
+- Fix the fixes; they fixed some issues but broke more important
+ stuff :/ (#30176)
+
+* Tue Feb 27 2001 Bernhard Rosenkraenzer
+- Fix up initscript (#27962)
+- Add fixes from CVS to iptables-{restore,save}, fixing #28412
+
+* Fri Feb 09 2001 Karsten Hopp
+- create /etc/sysconfig/iptables mode 600 (same problem as #24245)
+
+* Mon Feb 05 2001 Karsten Hopp
+- fix bugzilla #25986 (initscript not marked as config file)
+- fix bugzilla #25962 (iptables-restore)
+- mv chkconfig --del from postun to preun
+
+* Thu Feb 1 2001 Trond Eivind Glomsrød
+- Fix check for ipchains
+
+* Mon Jan 29 2001 Bernhard Rosenkraenzer
+- Some fixes to init scripts
+
+* Wed Jan 24 2001 Bernhard Rosenkraenzer
+- Add some fixes from CVS, fixes among other things Bug #24732
+
+* Wed Jan 17 2001 Bernhard Rosenkraenzer
+- Add missing man pages, fix up init script (Bug #17676)
+
+* Mon Jan 15 2001 Bill Nottingham
+- add init script
+
+* Mon Jan 15 2001 Bernhard Rosenkraenzer
+- 1.2
+- fix up ipv6 split
+- add init script
+- Move the plugins from /usr/lib/iptables to /lib/iptables.
+ This needs to work before /usr is mounted...
+- Use -O1 on alpha (compiler bug)
+
+* Sat Jan 6 2001 Bernhard Rosenkraenzer
+- 1.1.2
+- Add IPv6 support (in separate package)
+
+* Thu Aug 17 2000 Bill Nottingham
+- build everywhere
+
+* Tue Jul 25 2000 Bernhard Rosenkraenzer
+- 1.1.1
+
+* Thu Jul 13 2000 Prospector
+- automatic rebuild
+
+* Tue Jun 27 2000 Preston Brown
+- move iptables to /sbin.
+- excludearch alpha for now, not building there because of compiler bug(?)
+
+* Fri Jun 9 2000 Bill Nottingham
+- don't obsolete ipchains either
+- update to 1.1.0
+
+* Sun Jun 4 2000 Bill Nottingham
+- remove explicit kernel requirement
+
+* Tue May 2 2000 Bernhard Rosenkränzer
+- initial package