diff --git a/SOURCES/iptables.service.in b/SOURCES/iptables.service.in
index 6722c7a..3277621 100644
--- a/SOURCES/iptables.service.in
+++ b/SOURCES/iptables.service.in
@@ -1,5 +1,7 @@
 [Unit]
 Description=IPv4 firewall with iptables
+Before=network-pre.target
+Wants=network-pre.target
 After=syslog.target
 AssertPathExists=/etc/sysconfig/iptables
diff --git a/SOURCES/xtables-restore-Fix-table-parameter-check.patch b/SOURCES/xtables-restore-Fix-table-parameter-check.patch
new file mode 100644
index 0000000..1be5962
--- /dev/null
+++ b/SOURCES/xtables-restore-Fix-table-parameter-check.patch
@@ -0,0 +1,81 @@
+From bcf1d6cb8bd521c716ae38dd08ee52d267cfa25e Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 23 Oct 2019 12:06:55 +0200
+Subject: [PATCH 1/2] xtables-restore: Fix --table parameter check
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
+Upstream Status: iptables commit 3dc433b55bbfa
+Conflicts: Downstream does not support nft-variants.
+
+commit 3dc433b55bbfaf9df3ee408aaa6282742f377864
+Author: Phil Sutter
+Date: Fri Sep 20 17:31:58 2019 +0200
+
+ xtables-restore: Fix --table parameter check
+
+ Xtables-restore tries to reject rule commands in input which contain a
+ --table parameter (since it is adding this itself based on the previous
+ table line). The manual check was not perfect though as it caught any
+ parameter starting with a dash and containing a 't' somewhere, even in
+ rule comments:
+
+ | *filter
+ | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
+ | COMMIT
+
+ Instead of error-prone manual checking, go a much simpler route: All
+ do_command callbacks are passed a boolean indicating they're called from
+ *tables-restore. React upon this when handling a table parameter and
+ error out if it's not the first one.
+
+ Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
+
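Review bot: The new `Before=network-pre.target` line in the iptables.service.in hunk only guarantees the ruleset is restored before interfaces come up for units that themselves order `After=network-pre.target`; NetworkManager and systemd-networkd do, but whether the legacy initscripts `network.service` on this platform does is not visible here and should be confirmed, otherwise the unfiltered window this change targets (RHBZ#1736765) remains. Note also that `Wants=` on a passive target is fail-open: if this unit fails (for instance when the `AssertPathExists=/etc/sysconfig/iptables` line below is false), network-pre.target and the network still proceed with no firewall loaded, which is the usual trade-off but worth stating in the unit. Suggest a comment above the two new lines: `# Restore the ruleset before any interface is configured (network-pre.target is passive, so we must pull it in)`.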
Signed-off-by: Phil Sutter
+ Acked-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ iptables/iptables.c | 4 ++++
+ iptables/xshared.c | 12 ------------
+ 2 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index dc70cc6e9b0ec..d106a18949407 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -1591,6 +1591,10 @@ int do_command4(int argc, char *argv[], char **table,
+ if (cs.invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "unexpected ! flag before --table");
++ if (restore && *table)
++ xtables_error(PARAMETER_PROBLEM,
++ "The -t option (seen in line %u) cannot be used in %s.\n",
++ line, xt_params->program_name);
+ *table = optarg;
+ break;
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 84dbea562576e..058b5e8b63896 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -513,18 +513,6 @@ void add_param_to_argv(char *parsestart, int line)
+ }
+
+ param_buffer[param_len] = '\0';
+-
+- /* check if table name specified */
+- if ((param_buffer[0] == '-' &&
+- param_buffer[1] != '-' &&
+- strchr(param_buffer, 't')) ||
+- (!strncmp(param_buffer, "--t", 3) &&
+- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
+- xtables_error(PARAMETER_PROBLEM,
+- "The -t option (seen in line %u) cannot be used in %s.\n",
+- line, xt_params->program_name);
+- }
+-
+ add_argv(param_buffer, 0);
+ param_len = 0;
+ }
+--
+2.23.0
+
diff --git a/SOURCES/xtables-restore-Unbreak-tables-restore.patch b/SOURCES/xtables-restore-Unbreak-tables-restore.patch
new file mode 100644
index 0000000..619c274
--- /dev/null
+++ b/SOURCES/xtables-restore-Unbreak-tables-restore.patch
@@ -0,0 +1,90 @@
+From 5b36b6fa581ca958340ab8d40be646cae249eee4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 23 Oct 2019 12:07:39 +0200
+Subject: [PATCH 2/2] xtables-restore: Unbreak *tables-restore
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
+Upstream Status: iptables commit 4e470fa347610
+Conflicts: Downstream does not support nft-variants.
+
+commit 4e470fa34761085144640fb561a9ad26b2cde382
+Author: Phil Sutter
+Date: Tue Oct 22 12:25:28 2019 +0200
+
+ xtables-restore: Unbreak *tables-restore
+
+ Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
+ installed an error check which evaluated true in all cases as all
+ callers of do_command callbacks pass a pointer to a table name already.
+ Attached test case passed as it tested error condition only.
+
+ Fix the whole mess by introducing a boolean to indicate whether a table
+ parameter was seen already. Extend the test case to cover positive as
+ well as negative behaviour and to test ebtables-restore and
+ ip6tables-restore as well. Also add the required checking code to the
+ latter since the original commit missed it.
+
+ Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
+ Signed-off-by: Phil Sutter
+ Acked-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ iptables/ip6tables.c | 6 ++++++
+ iptables/iptables.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index fc2fd37cfe919..42edf7a55ec6e 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1316,6 +1316,7 @@ int do_command6(int argc, char *argv[], char **table,
+ struct xtables_rule_match *matchp;
+ struct xtables_target *t;
+ unsigned long long cnt;
++ bool table_set = false;
+
+ memset(&cs, 0, sizeof(cs));
+ cs.jumpto = "";
+@@ -1598,7 +1599,12 @@ int do_command6(int argc, char *argv[], char **table,
+ if (cs.invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "unexpected ! flag before --table");
++ if (restore && table_set)
++ xtables_error(PARAMETER_PROBLEM,
++ "The -t option (seen in line %u) cannot be used in %s.\n",
++ line, xt_params->program_name);
+ *table = optarg;
++ table_set = true;
+ break;
+
+ case 'x':
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index d106a18949407..0ad87fd98684d 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -1312,6 +1312,7 @@ int do_command4(int argc, char *argv[], char **table,
+ struct xtables_rule_match *matchp;
+ struct xtables_target *t;
+ unsigned long long cnt;
++ bool table_set = false;
+
+ memset(&cs, 0, sizeof(cs));
+ cs.jumpto = "";
+@@ -1591,11 +1592,12 @@ int do_command4(int argc, char *argv[], char **table,
+ if (cs.invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "unexpected ! flag before --table");
+- if (restore && *table)
++ if (restore && table_set)
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
+ *table = optarg;
++ table_set = true;
+ break;
+
+ case 'x':
+--
+2.23.0
+
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index 1725e69..59c05bc 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
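Review bot: The new `bool table_set = false;` locals in do_command6 and do_command4 carry a non-obvious reason that the code does not state — callers pre-populate `*table` (the commit message says so), so `*table` cannot be used to detect a repeated `-t` — and a later maintainer is likely to "simplify" the check in `case 't'` back to `if (restore && *table)`, which is exactly the always-true bug this patch reverts. Suggest a comment at each declaration: `/* -t/--table already seen on this command line; *table is pre-set by callers, so it cannot serve as the flag */`. The check also relies on `bool` being in scope in ip6tables.c and iptables.c, presumably via an existing <stdbool.h> include that the hunks do not show — confirm. Both do_command6 and do_command4 start and end outside the hunks.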
@@ -7,7 +7,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities Version: 1.4.21 -Release: 33%{?dist} +Release: 34%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config @@ -75,6 +75,8 @@ Patch55: extensions-Initialize-linear-mapping-of-symbols-in-_.patch Patch56: xtables-Introduce-and-use-common-function-to-parse-v.patch Patch57: iptables-xml-fix-segfault-if-missing-space-after-A.patch Patch58: man-iptables-save-Add-note-about-module-autoloading.patch +Patch59: xtables-restore-Fix-table-parameter-check.patch +Patch60: xtables-restore-Unbreak-tables-restore.patch Group: System Environment/Base URL: http://www.netfilter.org/ @@ -304,6 +306,10 @@ done %changelog +* Wed Oct 23 2019 Phil Sutter - 1.4.21-34 +- Fix iptables-restore for rules with '-' and 't' in comments (RHBZ#1749700) +- Make services start before network-pre.target is reached (RHBZ#1736765) + * Thu Apr 18 2019 Phil Sutter - 1.4.21-33 - man: iptables-save: Add note about module autoloading (RHBZ#1691380)
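Review bot: `Patch59:` and `Patch60:` are declared in the new lines but no corresponding `%patch59 -p1` / `%patch60 -p1` appears anywhere in this diff; unless %prep applies `%{patches}` generically (not visible here), the two fixes would ship in the SRPM but never be applied while the changelog claims them. Confirm %prep, or add `%patch59 -p1` and `%patch60 -p1` after the existing `%patch58` line, in that order. The order matters: the second patch's iptables.c hunk is based on blob d106a18949407, which is the first patch's output, so it cannot apply on its own.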