From a7a8984584f9e7defcaecad17183c7782b5f8af1 Mon Sep 17 00:00:00 2001
From: chengyechun
Date: Mon, 21 Nov 2022 11:47:37 +0800
Subject: [PATCH] iptables:add some patches
Signed-off-by: huangyu
---
 ...ended-error-reporting-to-nft_cmd-too.patch | 95 +++++++++++++++++++
 ...restore-Extend-failure-error-message.patch | 44 +++++++++
 iptables.spec | 10 +-
 3 files changed, 148 insertions(+), 1 deletion(-)
 create mode 100644 backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
 create mode 100644 backport-xtables-restore-Extend-failure-error-message.patch
diff --git a/backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch b/backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
new file mode 100644
index 0000000..d707426
--- /dev/null
+++ b/backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
@@ -0,0 +1,95 @@
+From 0257293c68913dd5993c1cac44f2ee80af6d9792 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 26 Aug 2022 16:53:52 +0200
+Subject: [PATCH] nft: Expand extended error reporting to nft_cmd, too
+
+Introduce the same embedded 'error' struct in nft_cmd and initialize it
+with the current value from nft_handle. Then in preparation phase,
+update nft_handle's error.lineno with the value from the current
+nft_cmd.
+
+This serves two purposes:
+
+* Allocated batch objects (obj_update) get the right lineno value
+ instead of the COMMIT one.
+
+* Any error during preparation may be reported with line number. Do this
+ and change the relevant fprintf() call to use nft_handle's lineno
+ instead of the global 'line' variable.
+
+With this change, cryptic iptables-nft-restore error messages should
+finally be gone:
+
+| # iptables-nft-restore <
+---
+ iptables/nft-cmd.c | 1 +
+ iptables/nft-cmd.h | 3 +++
+ iptables/nft.c | 2 ++
+ iptables/xtables-restore.c | 2 +-
+ 4 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 9b0c964..f026c62 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -26,6 +26,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ if (!cmd)
+ return NULL;
+
++ cmd->error.lineno = h->error.lineno;
+ cmd->command = command;
+ cmd->table = strdup(table);
+ if (chain)
+diff --git a/iptables/nft-cmd.h b/iptables/nft-cmd.h
+index ecf7655..3caa3ed 100644
+--- a/iptables/nft-cmd.h
++++ b/iptables/nft-cmd.h
+@@ -24,6 +24,9 @@ struct nft_cmd {
+ struct xt_counters counters;
+ const char *rename;
+ int counters_save;
++ struct {
++ unsigned int lineno;
++ } error;
+ };
+
+ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 3e24c86..996d5bc 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3050,6 +3050,8 @@ static int nft_prepare(struct nft_handle *h)
+ nft_cache_build(h);
+
+ list_for_each_entry_safe(cmd, next, &h->cmd_list, head) {
++ h->error.lineno = cmd->error.lineno;
++
+ switch (cmd->command) {
+ case NFT_COMPAT_TABLE_FLUSH:
+ ret = nft_table_flush(h, cmd->table);
+diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
+index d273949..abeaf76 100644
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -248,7 +248,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
+ return;
+ if (!ret) {
+ fprintf(stderr, "%s: line %u failed\n",
+- xt_params->program_name, line);
++ xt_params->program_name, h->error.lineno);
+ exit(1);
+ }
+ }
+--
+2.33.0
+
diff --git a/backport-xtables-restore-Extend-failure-error-message.patch b/backport-xtables-restore-Extend-failure-error-message.patch
new file mode 100644
index 0000000..4849e5f
--- /dev/null
+++ b/backport-xtables-restore-Extend-failure-error-message.patch
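Review bot: The anonymous `error` member added to struct nft_cmd in the nft-cmd.h hunk of this backport carries no comment, and its purpose is only discoverable by reading the nft-cmd.c and nft.c hunks, where nft_cmd_new() copies `h->error.lineno` into it and nft_prepare() copies it back into the handle before dispatching each command. Propose a comment above the member in the backported patch: `/* input line this command was parsed from: snapshot of h->error.lineno at nft_cmd_new(), restored into h in nft_prepare() so failures are reported against the right line */`. Wrapping the single lineno in a struct presumably mirrors nft_handle's own error struct so both can grow together; if that is the intent, the comment should say so.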
@@ -0,0 +1,44 @@
+From c70a33d219ccb43e6f59aa1b9bbab5dcb13f3443 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 25 Aug 2022 11:53:04 +0200
+Subject: [PATCH] xtables-restore: Extend failure error message
+
+If a line causes zero 'ret' value and errno is set, call nft_strerror()
+for a more detailed error message. While not perfect, it helps with
+debugging ominous "line NN failed" messages pointing at COMMIT:
+
+| # iptables-nft-restore <
+---
+ iptables/xtables-restore.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
+index abeaf76..5940e9a 100644
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -247,8 +247,11 @@ static void xtables_restore_parse_line(struct nft_handle *h,
+ (strcmp(p->tablename, state->curtable->name) != 0))
+ return;
+ if (!ret) {
+- fprintf(stderr, "%s: line %u failed\n",
++ fprintf(stderr, "%s: line %u failed",
+ xt_params->program_name, h->error.lineno);
++ if (errno)
++ fprintf(stderr, ": %s.", nft_strerror(errno));
++ fprintf(stderr, "\n");
+ exit(1);
+ }
+ }
+--
+2.33.0
+
diff --git a/iptables.spec b/iptables.spec
index 2406b3f..da6d749 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -2,7 +2,7 @@ %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name: iptables
 Version: 1.8.7
-Release: 9
+Release: 10
 Summary: IP packet filter administration utilities
 License: GPLv2 and Artistic Licence 2.0 and ISC
 URL: https://www.netfilter.org/
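Review bot: In the xtables-restore.c hunk of this backport, `if (errno)` and the `nft_strerror(errno)` argument read errno only after the preceding `fprintf(stderr, ...)` call, and any library call, including a successful fprintf, is permitted to modify errno, so the appended detail can describe the wrong failure or a stale value left by an earlier call (the commit message already concedes the check is imperfect). Capture it before producing any output: `int err = errno;` as the first statement of the `if (!ret)` block, then `if (err)` and `nft_strerror(err)`. xtables_restore_parse_line() begins outside the hunk, so whether errno is cleared before the call that yields `ret` cannot be checked here; if it is not, resetting it there would make the check meaningful rather than best-effort.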
@@ -19,6 +19,8 @@ Patch2: backport-xshared-Fix-response-to-unprivileged-users.patch
 Patch3: backport-Improve-error-messages-for-unsupported-extensions.patch
 Patch4: backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
 Patch5: backport-libxtables-Register-only-the-highest-revision-extension.patch
+Patch6: backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
+Patch7: backport-xtables-restore-Extend-failure-error-message.patch
 BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
 BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@@ -324,6 +326,12 @@ fi
 %{_mandir}/man8/xtables-legacy*
 %changelog
+* Mon Nov 21 2022 huangyu - 1.8.7-10
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:add some patches
+
 * Thu Sep 29 2022 huangyu - 1.8.7-9
 - Type:bugfix
 - ID:NA
-- Gitee