diff --git a/SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch b/SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch
new file mode 100644
index 0000000..c40010b
--- /dev/null
+++ b/SOURCES/0025-extensions-SECMARK-Implement-revision-1.patch
@@ -0,0 +1,177 @@
+From 6415593af4223ea082e0086ec1088f0eacfbce78 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 29 Apr 2021 15:28:59 +0200
+Subject: [PATCH] extensions: SECMARK: Implement revision 1
+
+The changed data structure for communication with kernel allows to
+exclude the field 'secid' which is populated on kernel side. Thus
+this fixes the formerly always failing extension comparison breaking
+rule check and rule delete by content.
+
+Signed-off-by: Phil Sutter
+(cherry picked from commit 616800af0da86d151cb695f1376d5ec6ede6fa72)
+---
+ extensions/libxt_SECMARK.c | 90 +++++++++++++++++++++-------
+ extensions/libxt_SECMARK.t | 4 ++
+ include/linux/netfilter/xt_SECMARK.h | 6 ++
+ 3 files changed, 80 insertions(+), 20 deletions(-)
+ create mode 100644 extensions/libxt_SECMARK.t
+
+diff --git a/extensions/libxt_SECMARK.c b/extensions/libxt_SECMARK.c
+index 6ba8606355daa..24249bd618ffe 100644
+--- a/extensions/libxt_SECMARK.c
++++ b/extensions/libxt_SECMARK.c
+@@ -29,6 +29,13 @@ static const struct xt_option_entry SECMARK_opts[] = {
+ XTOPT_TABLEEND,
+ };
+ 
++static const struct xt_option_entry SECMARK_opts_v1[] = {
++ {.name = "selctx", .id = O_SELCTX, .type = XTTYPE_STRING,
++ .flags = XTOPT_MAND | XTOPT_PUT,
++ XTOPT_POINTER(struct xt_secmark_target_info_v1, secctx)},
++ XTOPT_TABLEEND,
++};
++
+ static void SECMARK_parse(struct xt_option_call *cb)
+ {
+ struct xt_secmark_target_info *info = cb->data;
+@@ -37,15 +44,23 @@ static void SECMARK_parse(struct xt_option_call *cb)
+ info->mode = SECMARK_MODE_SEL;
+ }
+ 
+-static void print_secmark(const struct xt_secmark_target_info *info)
++static void SECMARK_parse_v1(struct xt_option_call *cb)
++{
++ struct xt_secmark_target_info_v1 *info = cb->data;
++
++ xtables_option_parse(cb);
++ info->mode = SECMARK_MODE_SEL;
++}
++
++static void print_secmark(__u8 mode, const char *secctx)
+ {
+- switch (info->mode) {
++ switch (mode) {
+ case SECMARK_MODE_SEL:
+- printf("selctx %s", info->secctx);
++ printf("selctx %s", secctx);
+ break;
+-
++
+ default:
+- xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
++ xtables_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", mode);
+ }
+ }
+ 
+@@ -56,7 +71,17 @@ static void SECMARK_print(const void *ip, const struct xt_entry_target *target,
+ (struct xt_secmark_target_info*)(target)->data;
+ 
+ printf(" SECMARK ");
+- print_secmark(info);
++ print_secmark(info->mode, info->secctx);
++}
++
++static void SECMARK_print_v1(const void *ip,
++ const struct xt_entry_target *target, int numeric)
++{
++ const struct xt_secmark_target_info_v1 *info =
++ (struct xt_secmark_target_info_v1 *)(target)->data;
++
++ printf(" SECMARK ");
++ print_secmark(info->mode, info->secctx);
+ }
+ 
+ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+@@ -65,24 +90,49 @@ static void SECMARK_save(const void *ip, const struct xt_entry_target *target)
+ (struct xt_secmark_target_info*)target->data;
+ 
+ printf(" --");
+- print_secmark(info);
++ print_secmark(info->mode, info->secctx);
+ }
+ 
+-static struct xtables_target secmark_target = {
+- .family = NFPROTO_UNSPEC,
+- .name = "SECMARK",
+- .version = XTABLES_VERSION,
+- .revision = 0,
+- .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+- .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
+- .help = SECMARK_help,
+- .print = SECMARK_print,
+- .save = SECMARK_save,
+- .x6_parse = SECMARK_parse,
+- .x6_options = SECMARK_opts,
++static void SECMARK_save_v1(const void *ip,
++ const struct xt_entry_target *target)
++{
++ const struct xt_secmark_target_info_v1 *info =
++ (struct xt_secmark_target_info_v1 *)target->data;
++
++ printf(" --");
++ print_secmark(info->mode, info->secctx);
++}
++
++static struct xtables_target secmark_tg_reg[] = {
++ {
++ .family = NFPROTO_UNSPEC,
++ .name = "SECMARK",
++ .version = XTABLES_VERSION,
++ .revision = 0,
++ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_secmark_target_info)),
++ .help = SECMARK_help,
++ .print = SECMARK_print,
++ .save = SECMARK_save,
++ .x6_parse = SECMARK_parse,
++ .x6_options = SECMARK_opts,
++ },
++ {
++ .family = NFPROTO_UNSPEC,
++ .name = "SECMARK",
++ .version = XTABLES_VERSION,
++ .revision = 1,
++ .size = XT_ALIGN(sizeof(struct xt_secmark_target_info_v1)),
++ .userspacesize = XT_ALIGN(offsetof(struct xt_secmark_target_info_v1, secid)),
++ .help = SECMARK_help,
++ .print = SECMARK_print_v1,
++ .save = SECMARK_save_v1,
++ .x6_parse = SECMARK_parse_v1,
++ .x6_options = SECMARK_opts_v1,
++ }
+ };
+ 
+ void _init(void)
+ {
+- xtables_register_target(&secmark_target);
++ xtables_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ }
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+new file mode 100644
+index 0000000000000..39d4c09348bf4
+--- /dev/null
++++ b/extensions/libxt_SECMARK.t
+@@ -0,0 +1,4 @@
++:INPUT,FORWARD,OUTPUT
++*security
++-j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
++-j SECMARK;;FAIL
+diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
+index 989092bd6274b..31760a286a854 100644
+--- a/include/linux/netfilter/xt_SECMARK.h
++++ b/include/linux/netfilter/xt_SECMARK.h
+@@ -19,4 +19,10 @@ struct xt_secmark_target_info {
+ char secctx[SECMARK_SECCTX_MAX];
+ };
+ 
++struct xt_secmark_target_info_v1 {
++ __u8 mode;
++ char secctx[SECMARK_SECCTX_MAX];
++ __u32 secid;
++};
++
+ #endif /*_XT_SECMARK_H_target */
+-- 
+2.34.1
+
diff --git a/SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch b/SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
new file mode 100644
index 0000000..0813ef1
--- /dev/null
+++ b/SOURCES/0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch
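Review bot: The rewritten `print_secmark(__u8 mode, const char *secctx)` in the inner `@@ -37,15 +44,23 @@` hunk prints `secctx` with an unbounded `%s`, and by taking a bare pointer instead of the info struct it no longer conveys that all four callers (`SECMARK_print`, `SECMARK_print_v1`, `SECMARK_save`, `SECMARK_save_v1`) hand it the fixed `char secctx[SECMARK_SECCTX_MAX]` array taken from `target->data`, which is presumably the target blob handed back by the kernel when rules are listed, so NUL termination is relied upon rather than enforced on the userspace side. Revision 0 had the same reliance, but since the helper is being rewritten here the print can be bounded at no cost: `printf("selctx %.*s", SECMARK_SECCTX_MAX, secctx);`. If the unbounded form is kept, the helper's contract should at least be stated with a line above it such as `/* secctx: NUL-terminated buffer of at most SECMARK_SECCTX_MAX bytes from the target info */`, because the new v1 path (`SECMARK_print_v1`/`SECMARK_save_v1`) copies the same pattern and any future caller passing a shorter buffer would not be caught.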
@@ -0,0 +1,26 @@ +From 45664de1be104ce9716227a0ad11ef2343ece3df Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 16 Jul 2021 21:51:49 +0200 +Subject: [PATCH] extensions: SECMARK: Use a better context in test case + +RHEL SELinux policies don't allow setting +system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has +'packet_type' attribute (identified via +'seinfo -xt | grep packet_type'). +--- + extensions/libxt_SECMARK.t | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t +index 39d4c09348bf4..295e7a7244902 100644 +--- a/extensions/libxt_SECMARK.t ++++ b/extensions/libxt_SECMARK.t +@@ -1,4 +1,4 @@ + :INPUT,FORWARD,OUTPUT + *security +--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK ++-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK + -j SECMARK;;FAIL +-- +2.34.1 + diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec index b5a012f..b6b263a 100644 --- a/SPECS/iptables.spec +++ b/SPECS/iptables.spec @@ -16,7 +16,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.7 -Release: 26%{?dist} +Release: 28%{?dist} Source: %{url}/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -53,6 +53,8 @@ Patch21: 0021-doc-ebtables-nft.8-Adjust-for-missing-atomic-options.patch Patch22: 0022-ebtables-Dump-atomic-waste.patch Patch23: 0023-nft-Fix-for-non-verbose-check-command.patch Patch24: 0024-tests-shell-Assert-non-verbose-mode-is-silent.patch +Patch25: 0025-extensions-SECMARK-Implement-revision-1.patch +Patch26: 0026-extensions-SECMARK-Use-a-better-context-in-test-case.patch # pf.os: ISC license # iptables-apply: Artistic 2.0 
@@ -468,6 +470,12 @@ fi %ghost %{_mandir}/man8/ebtables.8.gz %changelog +* Wed Feb 16 2022 Phil Sutter - 1.8.7-28 +- extensions: SECMARK: Use a better context in test case + +* Fri Jan 28 2022 Phil Sutter - 1.8.7-27 +- extensions: SECMARK: Implement revision 1 + * Mon Oct 11 2021 Phil Sutter - 1.8.7-26 - tests/shell: Assert non-verbose mode is silent - nft: Fix for non-verbose check command