diff --git a/backport-Improve-error-messages-for-unsupported-extensions.patch b/backport-Improve-error-messages-for-unsupported-extensions.patch
new file mode 100644
index 0000000000000000000000000000000000000000..778d1035de6221768e2d3ff57aacec8b62579a5b
--- /dev/null
+++ b/backport-Improve-error-messages-for-unsupported-extensions.patch
@@ -0,0 +1,90 @@
+From 17534cb18ed0a5052dc45c117401251359dba6aa Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 11 Feb 2022 17:47:22 +0100
+Subject: Improve error messages for unsupported extensions
+
+If a given extension was not supported by the kernel, iptables would
+print a rather confusing error message if extension parameters were
+given:
+
+| # rm /lib/modules/$(uname -r)/kernel/net/netfilter/xt_LOG.ko
+| # iptables -A FORWARD -j LOG --log-prefix foo
+| iptables v1.8.7 (legacy): unknown option "--log-prefix"
+
+Avoid this by pretending extension revision 0 is always supported. It is
+the same hack as used to successfully print extension help texts as
+unprivileged user, extended to all error codes to serve privileged ones
+as well.
+
+In addition, print a warning if kernel rejected revision 0 and it's not
+a permissions problem. This helps users find out which extension in a
+rule the kernel didn't like.
+
+Finally, the above commands result in these messages:
+
+| Warning: Extension LOG revision 0 not supported, missing kernel
+module?
+| iptables: No chain/target/match by that name.
+
+Or, for iptables-nft:
+
+| Warning: Extension LOG revision 0 not supported, missing kernel
+module?
+| iptables v1.8.7 (nf_tables): RULE_APPEND failed (No such file or
+directory): rule in chain FORWARD
+
+Conflict: NA
+Reference:
+https://git.netfilter.org/iptables/commit/?id=17534cb18ed0a5052dc45c117401251359dba6aa
+Signed-off-by: Phil Sutter
+---
+ iptables/nft.c | 13 +++++++++----
+ libxtables/xtables.c | 7 ++++++-
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index c9a4940..18bf21c 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3245,11 +3245,16 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
+ err:
+ mnl_socket_close(nl);
+
+- /* pretend revision 0 is valid if not permitted to check -
+- * this is required for printing extension help texts as user */
+- if (ret < 0 && errno == EPERM && rev == 0)
++ /* pretend revision 0 is valid -
++ * this is required for printing extension help texts as user, also
++ * helps error messaging on unavailable kernel extension */
++ if (ret < 0 && rev == 0) {
++ if (errno != EPERM)
++ fprintf(stderr,
++ "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
++ name);
+ return 1;
+-
++ }
+ return ret < 0 ? 0 : 1;
+ }
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index bc42ba8..1f585e5 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -923,7 +923,12 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
+ /* Definitely don't support this? */
+ if (errno == ENOENT || errno == EPROTONOSUPPORT) {
+ close(sockfd);
+- return 0;
++ /* Pretend revision 0 support for better error messaging */
++ if (revision == 0)
++ fprintf(stderr,
++ "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
++ name);
++ return (revision == 0);
+ } else if (errno == ENOPROTOOPT) {
+ close(sockfd);
+ /* Assume only revision 0 support (old kernel) */
+--
+2.23.0
+
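Review bot: The `errno != EPERM` test in the new nft_compatible_revision block runs only after `mnl_socket_close(nl)`, so if that close fails (and strictly, POSIX leaves errno unspecified even after a successful call) errno may no longer be the value left by the netlink call that made ret negative, and the warning could be suppressed or printed on the wrong condition. The same ordering is shared by the `errno == EPERM` check this block replaces, introduced by the unprivileged-users backport further down this page, and by the rev-0 fix backport that later rewrites this block as `if (errno == EPERM) return 1;`. Snapshot it at the label — `err = errno;` as the first statement after `err:`, before `mnl_socket_close(nl);`, with `int err` declared at the top of the function — and test `err` in place of errno. Whether every jump to `err:` arrives straight from the failing call is not visible here, since the function body starts outside the hunk.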
diff --git a/backport-libxtables-Register-only-the-highest-revision-extension.patch b/backport-libxtables-Register-only-the-highest-revision-extension.patch
new file mode 100644
index 0000000000000000000000000000000000000000..361bdc9d018aa8545d6ddd29a48daedd4af94d44
--- /dev/null
+++ b/backport-libxtables-Register-only-the-highest-revision-extension.patch
@@ -0,0 +1,64 @@
+From 2dbb49d15fb44ddd521a734eca3be3f940b7c1ba Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 11 Feb 2022 17:39:24 +0100
+Subject: libxtables: Register only the highest revision extension
+
+When fully registering extensions, ignore all consecutive ones with same
+name and family value. Since commit b3ac87038f4e4 ("libxtables: Make
+sure extensions register in revision order"), one may safely assume the
+list of pending extensions has highest revision numbers first. Since
+iptables is only interested in the highest revision the kernel supports,
+registration and compatibility checks may be skipped once the first
+matching extension in pending list has validated.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit/?id=2dbb49d15fb44ddd521a734eca3be3f940b7c1ba
+Signed-off-by: Phil Sutter
+---
+ libxtables/xtables.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 50fd6a44..b34d62ac 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -697,6 +697,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ struct xtables_match **dptr;
+ struct xtables_match *ptr;
+ const char *icmp6 = "icmp6";
++ bool found = false;
+
+ if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
+ xtables_error(PARAMETER_PROBLEM,
+@@ -715,7 +716,9 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ ptr = *dptr;
+ *dptr = (*dptr)->next;
+- if (xtables_fully_register_pending_match(ptr, prev)) {
++ if (!found &&
++ xtables_fully_register_pending_match(ptr, prev)) {
++ found = true;
+ prev = ptr;
+ continue;
+ } else if (prev) {
+@@ -817,6 +820,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ struct xtables_target *prev = NULL;
+ struct xtables_target **dptr;
+ struct xtables_target *ptr;
++ bool found = false;
+
+ /* Standard target? */
+ if (strcmp(name, "") == 0
+@@ -831,7 +835,9 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ ptr = *dptr;
+ *dptr = (*dptr)->next;
+- if (xtables_fully_register_pending_target(ptr, prev)) {
++ if (!found &&
++ xtables_fully_register_pending_target(ptr, prev)) {
++ found = true;
+ prev = ptr;
+ continue;
+ } else if (prev) {
+--
+cgit v1.2.3
diff --git a/backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch b/backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d70742612b9e4ea8e5b463d1ff94140c60a8e7a1
--- /dev/null
+++ b/backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
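Review bot: The `!found` short-circuit added in xtables_find_match, and its twin in xtables_find_target, is only correct because the pending list is ordered highest revision first, an invariant established by the earlier commit named in the description and recorded nowhere at this call site; a one-line comment on the `if (!found &&` line, e.g. `/* pending list is sorted by descending revision (commit b3ac87038f4e4): the first successful registration is the best one */`, would stop a future reordering of the pending list from silently registering a lower revision. Once found is set, later same-name entries are still unlinked by the preceding `*dptr = (*dptr)->next` and fall into the `else if (prev)` branch, whose body lies outside the hunk, so what becomes of them is not visible here. Both functions start and end outside the hunks.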
@@ -0,0 +1,95 @@
+From 0257293c68913dd5993c1cac44f2ee80af6d9792 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 26 Aug 2022 16:53:52 +0200
+Subject: [PATCH] nft: Expand extended error reporting to nft_cmd, too
+
+Introduce the same embedded 'error' struct in nft_cmd and initialize it
+with the current value from nft_handle. Then in preparation phase,
+update nft_handle's error.lineno with the value from the current
+nft_cmd.
+
+This serves two purposes:
+
+* Allocated batch objects (obj_update) get the right lineno value
+ instead of the COMMIT one.
+
+* Any error during preparation may be reported with line number. Do this
+ and change the relevant fprintf() call to use nft_handle's lineno
+ instead of the global 'line' variable.
+
+With this change, cryptic iptables-nft-restore error messages should
+finally be gone:
+
+| # iptables-nft-restore <
+---
+ iptables/nft-cmd.c | 1 +
+ iptables/nft-cmd.h | 3 +++
+ iptables/nft.c | 2 ++
+ iptables/xtables-restore.c | 2 +-
+ 4 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index 9b0c964..f026c62 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -26,6 +26,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ if (!cmd)
+ return NULL;
+
++ cmd->error.lineno = h->error.lineno;
+ cmd->command = command;
+ cmd->table = strdup(table);
+ if (chain)
+diff --git a/iptables/nft-cmd.h b/iptables/nft-cmd.h
+index ecf7655..3caa3ed 100644
+--- a/iptables/nft-cmd.h
++++ b/iptables/nft-cmd.h
+@@ -24,6 +24,9 @@ struct nft_cmd {
+ struct xt_counters counters;
+ const char *rename;
+ int counters_save;
++ struct {
++ unsigned int lineno;
++ } error;
+ };
+
+ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 3e24c86..996d5bc 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3050,6 +3050,8 @@ static int nft_prepare(struct nft_handle *h)
+ nft_cache_build(h);
+
+ list_for_each_entry_safe(cmd, next, &h->cmd_list, head) {
++ h->error.lineno = cmd->error.lineno;
++
+ switch (cmd->command) {
+ case NFT_COMPAT_TABLE_FLUSH:
+ ret = nft_table_flush(h, cmd->table);
+diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
+index d273949..abeaf76 100644
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -248,7 +248,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
+ return;
+ if (!ret) {
+ fprintf(stderr, "%s: line %u failed\n",
+- xt_params->program_name, line);
++ xt_params->program_name, h->error.lineno);
+ exit(1);
+ }
+ }
+--
+2.33.0
+
diff --git a/backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch b/backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6bfb86881c9e05f76bd1ee173d47a3a7f0db7aa3
--- /dev/null
+++ b/backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
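Review bot: The new `error` member of struct nft_cmd is undocumented, and its round trip with the identically named member of nft_handle (copied in by nft_cmd_new, copied back out at the top of the nft_prepare loop) is explained only in the commit message; a field comment such as `/* restore input line this command came from, snapshotted from nft_handle so nft_prepare() can report per-command errors */` would make that visible in the header. The xtables-restore.c hunk now prints `h->error.lineno`, which these hunks only ever write during nft_prepare(); if the failing call reports before that phase (not visible here) the number printed is whatever nft_handle last held, so it is worth confirming where else h->error.lineno is assigned. The global `line` dropped from that fprintf may now be unused in this function, which a compiler warning would reveal. nft_prepare's loop body and xtables_restore_parse_line both continue outside the hunks.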
@@ -0,0 +1,69 @@
+From 8468fd4f7c85c21ab375402bc80d0188412b6cbf Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 4 May 2022 11:19:16 +0200
+Subject: nft: Fix EPERM handling for extensions without rev 0
+
+Treating revision 0 as compatible in EPERM case works fine as long as
+there is a revision 0 of that extension defined in DSO. Fix the code for
+others: Extend the EPERM handling to all revisions and keep the existing
+warning for revision 0.
+
+Conflict: NA
+Reference:
+https://git.netfilter.org/iptables/commit/?id=8468fd4f7c85c21ab375402bc80d0188412b6cbf
+Fixes: 17534cb18ed0a ("Improve error messages for unsupported
+extensions")
+Signed-off-by: Phil Sutter
+---
+ iptables/nft.c | 11 +++++++----
+ .../shell/testcases/iptables/0008-unprivileged_0 | 7 +++++++
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 18bf21c..ebab3cc 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3245,15 +3245,18 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
+ err:
+ mnl_socket_close(nl);
+
+- /* pretend revision 0 is valid -
++ /* ignore EPERM and errors for revision 0 -
+ * this is required for printing extension help texts as user, also
+ * helps error messaging on unavailable kernel extension */
+- if (ret < 0 && rev == 0) {
+- if (errno != EPERM)
++ if (ret < 0) {
++ if (errno == EPERM)
++ return 1;
++ if (rev == 0) {
+ fprintf(stderr,
+ "Warning: Extension %s revision 0 not supported, missing kernel module?\n",
+ name);
+- return 1;
++ return 1;
++ }
+ }
+ return ret < 0 ? 0 : 1;
+ }
+diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+index 0914c88..1f1d342 100644
+--- a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
++++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+@@ -34,6 +34,13 @@ let "rc+=$?"
+ grep_or_rc "DNAT target options:" <<< "$out"
+ let "rc+=$?"
+
++# TEE has no revision 0
++out=$(run $XT_MULTI iptables -j TEE --help)
++let "rc+=$?"
++grep_or_rc "TEE target options:" <<< "$out"
++let "rc+=$?"
++
++
+ out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
+ let "rc+=$?"
+ grep_or_rc "tcp match options:" <<< "$out"
+ let "rc+=$?"
+--
+2.23.0
+
diff --git a/backport-xshared-Fix-response-to-unprivileged-users.patch b/backport-xshared-Fix-response-to-unprivileged-users.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e5f574b90b61121c9ff96648ee45514bb9b2a85e
--- /dev/null
+++ b/backport-xshared-Fix-response-to-unprivileged-users.patch
@@ -0,0 +1,130 @@
+From 26ecdf53960658771c0fc582f72a4025e2887f75 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 18 Jan 2022 22:39:08 +0100
+Subject: xshared: Fix response to unprivileged users
+
+Expected behaviour in both variants is:
+
+* Print help without error, append extension help if -m and/or -j
+ options are present
+* Indicate lack of permissions in an error message for anything else
+
+With iptables-nft, this was broken basically from day 1. Shared use of
+do_parse() then somewhat broke legacy: it started complaining about
+inability to create a lock file.
+
+Fix this by making iptables-nft assume extension revision 0 is present
+if permissions don't allow to verify. This is consistent with legacy.
+
+Second part is to exit directly after printing help - this avoids having
+to make the following code "nop-aware" to prevent privileged actions.
+
+Conflict: NA
+Reference:
+https://git.netfilter.org/iptables/commit/?id=26ecdf53960658771c0fc582f72a4025e2887f75
+Signed-off-by: Phil Sutter
+Reviewed-by: Florian Westphal
+---
+ iptables/nft.c | 5 ++
+ .../testcases/iptables/0008-unprivileged_0 | 59 +++++++++++++++++++
+ iptables/xtables.c | 2 +-
+ 3 files changed, 65 insertions(+), 1 deletion(-)
+ create mode 100644 iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index bde4ca7..c9a4940 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3245,6 +3245,11 @@ int nft_compatible_revision(const char *name, uint8_t rev, int opt)
+ err:
+ mnl_socket_close(nl);
+
++ /* pretend revision 0 is valid if not permitted to check -
++ * this is required for printing extension help texts as user */
++ if (ret < 0 && errno == EPERM && rev == 0)
++ return 1;
++
+ return ret < 0 ? 0 : 1;
+ }
+
+diff --git a/iptables/tests/shell/testcases/iptables/0008-unprivileged_0 b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+new file mode 100644
+index 0000000..0914c88
+--- /dev/null
++++ b/iptables/tests/shell/testcases/iptables/0008-unprivileged_0
+@@ -0,0 +1,59 @@
++#!/bin/bash
++# iptables may print match/target specific help texts
++# help output should work for unprivileged users
++
++run() {
++ echo "running: $*" >&2
++ runuser -u nobody -- "$@"
++}
++
++grep_or_rc() {
++ declare -g rc
++ grep -q "$*" && return 0
++ echo "missing in output: $*" >&2
++ return 1
++}
++
++out=$(run $XT_MULTI iptables --help)
++let "rc+=$?"
++grep_or_rc "iptables -h (print this help information)" <<< "$out"
++let "rc+=$?"
++
++out=$(run $XT_MULTI iptables -m limit --help)
++let "rc+=$?"
++grep_or_rc "limit match options:" <<< "$out"
++let "rc+=$?"
++
++out=$(run $XT_MULTI iptables -p tcp --help)
++let "rc+=$?"
++grep_or_rc "tcp match options:" <<< "$out"
++let "rc+=$?"
++
++out=$(run $XT_MULTI iptables -j DNAT --help)
++let "rc+=$?"
++grep_or_rc "DNAT target options:" <<< "$out"
++let "rc+=$?"
++
++out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
++let "rc+=$?"
++grep_or_rc "tcp match options:" <<< "$out"
++let "rc+=$?"
++out=$(run $XT_MULTI iptables -p tcp -j DNAT --help)
++let "rc+=$?"
++grep_or_rc "DNAT target options:" <<< "$out"
++let "rc+=$?"
++
++
++run $XT_MULTI iptables -L 2>&1 | \
++ grep_or_rc "Permission denied"
++let "rc+=$?"
++
++run $XT_MULTI iptables -A FORWARD -p tcp --dport 123 2>&1 | \
++ grep_or_rc "Permission denied"
++let "rc+=$?"
++
++run $XT_MULTI iptables -A FORWARD -j DNAT --to-destination 1.2.3.4 2>&1 | \
++ grep_or_rc "Permission denied"
++let "rc+=$?"
++
++exit $rc
+diff --git a/iptables/xtables.c b/iptables/xtables.c
+index 9779bd8..a16bba7 100644
+--- a/iptables/xtables.c
++++ b/iptables/xtables.c
+@@ -645,7 +645,7 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
+
+ printhelp(cs->matches);
+ p->command = CMD_NONE;
+- return;
++ exit(0);
+
+ /*
+ * Option selection
+--
+2.23.0
+
diff --git a/backport-xtables-restore-Extend-failure-error-message.patch b/backport-xtables-restore-Extend-failure-error-message.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4849e5ffa57754c11055ee9e15c2c77c4b0147db
--- /dev/null
+++ b/backport-xtables-restore-Extend-failure-error-message.patch
@@ -0,0 +1,44 @@
+From c70a33d219ccb43e6f59aa1b9bbab5dcb13f3443 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 25 Aug 2022 11:53:04 +0200
+Subject: [PATCH] xtables-restore: Extend failure error message
+
+If a line causes zero 'ret' value and errno is set, call nft_strerror()
+for a more detailed error message. While not perfect, it helps with
+debugging ominous "line NN failed" messages pointing at COMMIT:
+
+| # iptables-nft-restore <
+---
+ iptables/xtables-restore.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
+index abeaf76..5940e9a 100644
+--- a/iptables/xtables-restore.c
++++ b/iptables/xtables-restore.c
+@@ -247,8 +247,11 @@ static void xtables_restore_parse_line(struct nft_handle *h,
+ (strcmp(p->tablename, state->curtable->name) != 0))
+ return;
+ if (!ret) {
+- fprintf(stderr, "%s: line %u failed\n",
++ fprintf(stderr, "%s: line %u failed",
+ xt_params->program_name, h->error.lineno);
++ if (errno)
++ fprintf(stderr, ": %s.", nft_strerror(errno));
++ fprintf(stderr, "\n");
+ exit(1);
+ }
+ }
+--
+2.33.0
+
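Review bot: The `-p tcp -j DNAT --help` invocation in the new test script is run twice in a row, once to grep for the tcp match help and once for the DNAT target help; both strings come from the same output, so the second `out=$(run ...)` and its `let "rc+=$?"` can be dropped and the existing `$out` grepped a second time. The script also relies on `rc` being unset at the first `let "rc+=$?"`, which bash evaluates as 0; an explicit `rc=0` near the top would make the exit status independent of whatever `rc` the calling harness exports. The `run` helper depends on `runuser -u nobody`, so the test presumably only works when started as root, which deserves a comment on the `run()` line.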
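Review bot: Replacing `return;` with `exit(0);` after printhelp() terminates the process from inside do_parse, so whatever cleanup the callers did on the CMD_NONE path (releasing the nft handle, the lock file the description mentions) is now skipped; for a help request that is harmless, but the `p->command = CMD_NONE;` assignment immediately before it is now dead and could be removed so the code stops suggesting the function still returns to its caller. If callers rely on a teardown that matters for anything other than process memory (not visible here), routing through the program's normal exit path would be the safer shape. do_parse continues outside the hunk on both sides.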
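Review bot: In xtables_restore_parse_line, `errno` is inspected only after the first `fprintf(stderr, ...)` call, and a library call is allowed to set errno even when it succeeds, so the appended `nft_strerror()` text may describe the fprintf rather than the failed restore step; it can also be stale from an unrelated earlier failure, since nothing in the hunk clears it before the line is processed. Capture it first: `int err = errno;` as the first statement of the `if (!ret) {` block, then `if (err) fprintf(stderr, ": %s.", nft_strerror(err));`. The description already calls the result "not perfect"; resetting errno at the start of the function (outside this hunk) would narrow the message to failures of the current line. The function continues outside the hunk.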
diff --git a/enabled-makecheck-in-extensions.patch b/enabled-makecheck-in-extensions.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a80465ae0c4ef0a144e8536659880e7293c7fa9f
--- /dev/null
+++ b/enabled-makecheck-in-extensions.patch
@@ -0,0 +1,35 @@
+From 54c670ada541aa61ab9ab7907ab245718137efb8 Mon Sep 17 00:00:00 2001
+From: huangyu
+Date: Sat, 26 Nov 2022 18:08:31 +0800
+Subject: [PATCH] enable makecheck in extensions
+
+Signed-off-by: huangyu
+---
+ extensions/GNUmakefile.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
+index 956ccb3..70515c4 100644
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -79,7 +79,7 @@ targets_install :=
+
+ .SECONDARY:
+
+-.PHONY: all install uninstall clean distclean FORCE
++.PHONY: all install uninstall check clean distclean FORCE
+
+ all: ${targets}
+
+@@ -105,6 +105,8 @@ uninstall:
+ rmdir -p --ignore-fail-on-non-empty "$$dir"; \
+ }
+
++check:
++
+ clean:
+ rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c initextb.c initexta.c;
+ rm -f .*.d .*.dd;
+--
+2.23.0
+
diff --git a/iptables.spec b/iptables.spec
index cd895aa56987e311d3aa5e202ccc3096f25029b9..663c3eba22cf0d9358f4b622ef5885c04783a4cf 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name: iptables
 Version: 1.8.7
-Release: 8
+Release: 11
 Summary: IP packet filter administration utilities
 License: GPLv2 and Artistic Licence 2.0 and ISC
 URL: https://www.netfilter.org/
@@ -15,6 +15,13 @@ Source5: sysconfig_ip6tables
 Patch0: bugfix-add-check-fw-in-entry.patch
 Patch1: tests-extensions-add-some-testcases.patch
+Patch2: backport-xshared-Fix-response-to-unprivileged-users.patch
+Patch3: backport-Improve-error-messages-for-unsupported-extensions.patch
+Patch4: backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
+Patch5: backport-libxtables-Register-only-the-highest-revision-extension.patch
+Patch6: backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
+Patch7: backport-xtables-restore-Extend-failure-error-message.patch
+Patch8: enabled-makecheck-in-extensions.patch
 BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
 BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@@ -79,6 +86,9 @@ rm -f include/linux/types.h
 %make_build
+%check
+make check
+
 %install
 %make_install
@@ -320,6 +330,24 @@ fi
 %{_mandir}/man8/xtables-legacy*
 %changelog
+* Wed Nov 30 2022 huangyu - 1.8.7-11
+- Type:feature
+- ID:NA
+- SUG:NA
+- DESC:enabled DT test
+
+* Mon Nov 21 2022 huangyu - 1.8.7-10
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:add some patches
+
+* Thu Sep 29 2022 huangyu - 1.8.7-9
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:add some patches
+
 * Fri Jul 01 2022 xingwei - 1.8.7-8
 - Type:bugfix
 - ID:NA
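Review bot: The new `check:` rule in extensions/GNUmakefile.in has an empty recipe, so `make check` succeeds in this directory without running anything; the commit title says "enable makecheck", but what it presumably enables is only that a recursive `check` from the top-level build (not visible here) no longer fails on this subdirectory. A comment above the rule, e.g. `# no tests in this directory; present so a recursive 'make check' succeeds`, would keep the next reader from looking for the missing recipe. If extension tests exist elsewhere in the tree, this rule is the natural place to invoke them.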
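Review bot: Patch2 through Patch8 are declared in the new Patch lines, but no %prep hunk appears in this diff, so whether they are applied depends on that section using %autosetup or %autopatch (not visible here); if %prep lists explicit %patchN lines, the seven new patches need matching entries or the backports are silently not built in. The new `%check` section runs `make check`, and the test script added by one of these backports invokes `runuser -u nobody` against the kernel's netfilter interface; if that script is part of what `make check` runs, a sandboxed builder will fail or skip it, so the %check outcome is worth confirming in the build log. The changelog entries for 1.8.7-9 and 1.8.7-10 both read `DESC:add some patches`; naming the backports, e.g. `DESC:backport unprivileged-user, extension error-message and restore line-number fixes`, would make the release history reviewable.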