diff --git a/backport-Fix-checking-of-conntrack-ctproto.patch b/backport-Fix-checking-of-conntrack-ctproto.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55cb27eb97b30cd018d826c4497ed6e5a4d0ab43
--- /dev/null
+++ b/backport-Fix-checking-of-conntrack-ctproto.patch
@@ -0,0 +1,95 @@
+From 2e704f6ddd6d056e360f3d9c11e8b6c56a20cf23 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage
+Date: Sat, 23 Nov 2013 08:41:58 +0000
+Subject: extensions: Fix checking of conntrack --ctproto 0
+
+There are three issues in the code:
+1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
+2) in conntrack_mt_parse it is testing (info->invert_flags &
+ XT_INV_PROTO) before the invert bit has been set.
+3) the sense of the error message is the wrong way round
+
+1) To get the error, ! -ctstatus XXX has to be specified, since
+ XT_INV_PROTO == XT_CONNTRACK_STATUS e.g.
+ | iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
+
+3) Unlike --proto 0 (where 0 means all protocols), in the conntrack
+ match --ctproto 0 appears to mean protocol 0, which can never be.
+ Therefore --ctproto 0 could never match and ! --ctproto 0 will always
+ match. Both of these should be rejected, since the user clearly
+ cannot be intending what was specified.
+
+The attached patch resolves the issue, and also produces an error
+message if --ctproto 0 is specified (as well as ! --ctproto 0 ), since
+--ctproto 0 will never match, and ! --ctproto 0 will always match.
+
+[Phil: - Added Fixes: tag - it's a day 1 bug
+ - Copied patch description from Bugzilla
+ - Reorganized changes to reduce diff
+ - Added test cases]
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874
+Fixes: 5054e85be3068 ("general conntrack match module userspace support files")
+Signed-off-by: Quentin Armitage
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=2e704f6ddd6d056e360f3d9c11e8b6c56a20cf23
+
+---
+ extensions/libxt_conntrack.c | 17 ++++++++---------
+ extensions/libxt_conntrack.t | 2 ++
+ 2 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
+index 7734509..3cc678f 100644
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -346,14 +346,13 @@ static void conntrack_parse(struct xt_option_call *cb)
+ sinfo->invflags |= XT_CONNTRACK_STATE;
+ break;
+ case O_CTPROTO:
++ if (cb->val.protocol == 0)
++ xtables_error(PARAMETER_PROBLEM, cb->invert ?
++ "condition would always match protocol" :
++ "rule would never match protocol");
+ sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;
+ if (cb->invert)
+ sinfo->invflags |= XT_CONNTRACK_PROTO;
+- if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
+- && (sinfo->invflags & XT_INV_PROTO))
+- xtables_error(PARAMETER_PROBLEM,
+- "rule would never match protocol");
+-
+ sinfo->flags |= XT_CONNTRACK_PROTO;
+ break;
+ case O_CTORIGSRC:
+@@ -411,11 +410,11 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev)
+ info->invert_flags |= XT_CONNTRACK_STATE;
+ break;
+ case O_CTPROTO:
++ if (cb->val.protocol == 0)
++ xtables_error(PARAMETER_PROBLEM, cb->invert ?
++ "conntrack: condition would always match protocol" :
++ "conntrack: rule would never match protocol");
+ info->l4proto = cb->val.protocol;
+- if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
+- xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
+- "never match protocol");
+-
+ info->match_flags |= XT_CONNTRACK_PROTO;
+ if (cb->invert)
+ info->invert_flags |= XT_CONNTRACK_PROTO;
+diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
+index db53147..2b3c5de 100644
+--- a/extensions/libxt_conntrack.t
++++ b/extensions/libxt_conntrack.t
+@@ -25,3 +25,5 @@
+ -m conntrack --ctstatus EXPECTED;=;OK
+ -m conntrack --ctstatus SEEN_REPLY;=;OK
+ -m conntrack;;FAIL
++-m conntrack --ctproto 0;;FAIL
++-m conntrack ! --ctproto 0;;FAIL
+-- 
+2.33.0
+
diff --git a/backport-Fix-for-non-CIDR-compatible-hostmasks.patch b/backport-Fix-for-non-CIDR-compatible-hostmasks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e5659b445672b5861d095637b704fcdcc0a66d5a
--- /dev/null
+++ b/backport-Fix-for-non-CIDR-compatible-hostmasks.patch
@@ -0,0 +1,55 @@
+From 41139aee5e53304182a25f1e573f034b313f7232 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 28 Nov 2023 20:21:49 +0100
+Subject: libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
+
+In order to parse the mask, xtopt_parse_hostmask() calls
+xtopt_parse_plenmask() thereby limiting netmask support to prefix
+lengths (alternatively specified in IP address notation).
+
+In order to lift this impractical restriction, make
+xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
+fall back to xtopt_parse_mask() which correctly initializes val.hmask
+itself and indicates non-CIDR-compatible masks by setting val.hlen to
+-1.
+
+So in order to support these odd masks, it is sufficient for
+xtopt_parse_plenmask() to skip its mask building from val.hlen value and
+take whatever val.hmask contains.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=41139aee5e53304182a25f1e573f034b313f7232
+
+---
+ libxtables/xtoptions.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index 0dcdf60..bc14958 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -714,6 +714,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
+
+ xtopt_parse_plen(cb);
+
++ /* may not be convertible to CIDR notation */
++ if (cb->val.hlen == (uint8_t)-1)
++ goto out_put;
++
+ memset(mask, 0xFF, sizeof(union nf_inet_addr));
+ /* This shifting is AF-independent. */
+ if (cb->val.hlen == 0) {
+@@ -734,6 +738,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
+ mask[1] = htonl(mask[1]);
+ mask[2] = htonl(mask[2]);
+ mask[3] = htonl(mask[3]);
++out_put:
+ if (entry->flags & XTOPT_PUT)
+ memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
+ }
+-- 
+2.33.0
+
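Review bot: The new `goto out_put` jumps over `memset(mask, 0xFF, ...)` and the shift loop, so the `memcpy(XTOPT_MKPTR(cb), mask, ...)` at the label only copies meaningful data if `mask` aliases the `cb->val.hmask` that xtopt_parse_mask() filled; `mask` is declared before the first hunk, so that aliasing is not visible here and the terse `/* may not be convertible to CIDR notation */` does not state it. I would widen the comment to `/* hlen == -1: xtopt_parse_plen() fell back to xtopt_parse_mask(), which already stored the non-CIDR mask in val.hmask; do not rebuild it from hlen */` so the dependency on the sentinel is explicit at the jump. If `mask` were a separate local rather than a view of `val.hmask`, the memcpy would copy uninitialized storage, which is worth confirming against the declaration. xtopt_parse_plenmask() begins outside the hunk.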
diff --git a/backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch b/backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4b85800434e6e71cf7473b85d0d820a3f223460d
--- /dev/null
+++ b/backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch
@@ -0,0 +1,33 @@
+From 17d724f20e3c97ea8ce8765ca532a3cf49a98b31 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Sun, 17 Dec 2023 13:02:36 +0100
+Subject: libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
+
+Do as the comment in xtopt_parse_hostmask() claims and omit
+XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
+will catch the incompatibility.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+
+Conflict:There is no need to modify the header file comments
+Reference:https://git.netfilter.org/iptables//commit/?id=17d724f20e3c97ea8ce8765ca532a3cf49a98b31
+
+---
+ libxtables/xtoptions.c | 1 -
+ 1 files changed, 1 deletions(-)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index bc14958..95038c2 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -58,7 +58,6 @@ static const size_t xtopt_psize[] = {
+ [XTTYPE_STRING] = -1,
+ [XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t),
+ [XTTYPE_HOST] = sizeof(union nf_inet_addr),
+- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr),
+ [XTTYPE_PROTOCOL] = sizeof(uint8_t),
+ [XTTYPE_PORT] = sizeof(uint16_t),
+ [XTTYPE_PORTRC] = sizeof(uint16_t[2]),
+-- 
+2.33.0
+
diff --git a/backport-Special-casing-for-among-match-in-compare_matches.patch b/backport-Special-casing-for-among-match-in-compare_matches.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c83dbd7cc2ae5b97372d6180fb283291992fb5f0
--- /dev/null
+++ b/backport-Special-casing-for-among-match-in-compare_matches.patch
@@ -0,0 +1,49 @@
+From 10583537004f7ecd4aa11f6c12b7ba73fb77fc11 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 21 Jul 2023 13:14:36 +0200
+Subject: nft: Special casing for among match in compare_matches()
+
+When other extensions may have "garbage" appended to their data which
+should not be considered for match comparison, among match is the
+opposite in that it extends its data beyond the value in 'size' field.
+Add special casing to cover for this, avoiding false-positive rule
+comparison.
+
+Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=10583537004f7ecd4aa11f6c12b7ba73fb77fc11
+
+---
+ iptables/nft-shared.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index 10553ab..4c20ceb 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -933,6 +933,7 @@ bool compare_matches(struct xtables_rule_match *mt1,
+ for (mp1 = mt1, mp2 = mt2; mp1 && mp2; mp1 = mp1->next, mp2 = mp2->next) {
+ struct xt_entry_match *m1 = mp1->match->m;
+ struct xt_entry_match *m2 = mp2->match->m;
++ size_t cmplen = mp1->match->userspacesize;
+
+ if (strcmp(m1->u.user.name, m2->u.user.name) != 0) {
+ DEBUGP("mismatching match name\n");
+@@ -944,8 +945,10 @@ bool compare_matches(struct xtables_rule_match *mt1,
+ return false;
+ }
+
+- if (memcmp(m1->data, m2->data,
+- mp1->match->userspacesize) != 0) {
++ if (!strcmp(m1->u.user.name, "among"))
++ cmplen = m1->u.match_size - sizeof(*m1);
++
++ if (memcmp(m1->data, m2->data, cmplen) != 0) {
+ DEBUGP("mismatch match data\n");
+ return false;
+ }
+-- 
+2.33.0
+
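Review bot: `cmplen = m1->u.match_size - sizeof(*m1)` is taken from m1 alone, yet the `memcmp` that follows reads `cmplen` bytes of `m2->data` too; this is only safe if the lines between the two hunks (old 940–943, not visible here) already reject a pair whose `match_size` differ, which I believe they do but cannot confirm from the hunk. If they do not, a shorter m2 would be over-read, and a `match_size` smaller than `sizeof(*m1)` would wrap `cmplen` around. A comment on the new branch would pin the assumption, e.g. `/* among stores its set past userspacesize; sizes were compared above, so m2 is at least as long */`. compare_matches() continues past the hunk.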
diff --git a/backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch b/backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea1bb050ae73dfac99f4187b07651c15d2b4926b
--- /dev/null
+++ b/backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
@@ -0,0 +1,51 @@
+From b51aef061378b34fa9544b1af34021d89a76547a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 26 Jan 2023 03:27:16 +0100
+Subject: [PATCH] ebtables-translate: Print flush command after parsing is
+ finished
+
+Otherwise, bad calls like 'ebtables-translate -F -F' produce wrong
+output instead of an error message.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=b51aef061378b34fa9544b1af34021d89a76547a
+
+Signed-off-by: Phil Sutter
+---
+ iptables/xtables-eb-translate.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
+index 99347c0c..da7e5e3d 100644
+--- a/iptables/xtables-eb-translate.c
++++ b/iptables/xtables-eb-translate.c
+@@ -247,13 +247,6 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
+ ret = 1;
+ break;
+ case 'F': /* Flush */
+- if (p.chain) {
+- printf("flush chain bridge %s %s\n", p.table, p.chain);
+- } else {
+- printf("flush table bridge %s\n", p.table);
+- }
+- ret = 1;
+- break;
+ case 'Z': /* Zero counters */
+ if (c == 'Z') {
+ if ((flags & OPT_ZERO) || (flags & OPT_COMMAND && command != 'L'))
+@@ -506,6 +499,13 @@ print_zero:
+
+ if (command == 'P') {
+ return 0;
++ } else if (command == 'F') {
++ if (p.chain) {
++ printf("flush chain bridge %s %s\n", p.table, p.chain);
++ } else {
++ printf("flush table bridge %s\n", p.table);
++ }
++ ret = 1;
+ } else if (command == 'A') {
+ ret = nft_rule_eb_xlate_add(h, &p, &cs, true);
+ if (!ret)
+-- 
+2.23.0
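Review bot: Deleting the `break` leaves `case 'F': /* Flush */` falling through into `case 'Z':` with nothing marking that as intended; only the `if (c == 'Z')` guard on the next line keeps the flush case harmless, and that is easy to miss or for -Wimplicit-fallthrough to flag. I would add `/* fallthrough: flush is emitted after parsing, see command == 'F' below */` under `case 'F':` so a later reader does not reinstate the `break` and reintroduce the early print. do_commandeb_xlate() begins and ends outside both hunks.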
diff --git a/backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch b/backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1253d69e57818a435ce9eb0c0266ebf7b5c78e02
--- /dev/null
+++ b/backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch
@@ -0,0 +1,39 @@
+From 43f78733059ecd28d8567d8205cab5ed62d93458 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 3 Aug 2023 17:59:03 +0200
+Subject: Revert "libiptc: fix wrong maptype of base chain counters on restore"
+
+This reverts commit 7c4d668c9c2ee007c82063b7fc784cbbf46b2ec4.
+
+The change can't be right: A simple rule append call will reset all
+built-in chains' counters. The old code works fine even given the
+mentioned "empty restore" use-case, at least if counters don't change on
+the fly in-kernel.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=912
+Fixes: 7c4d668c9c2ee ("libiptc: fix wrong maptype of base chain counters on restore")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=43f78733059ecd28d8567d8205cab5ed62d93458
+
+---
+ libiptc/libiptc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
+index ceeb017..2deccd6 100644
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -813,7 +813,7 @@ static int __iptcc_p_del_policy(struct xtc_handle *h, unsigned int num)
+
+ /* save counter and counter_map information */
+ h->chain_iterator_cur->counter_map.maptype =
+- COUNTER_MAP_ZEROED;
++ COUNTER_MAP_NORMAL_MAP;
+ h->chain_iterator_cur->counter_map.mappos = num-1;
+ memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters,
+ sizeof(h->chain_iterator_cur->counters));
+-- 
+2.33.0
+
diff --git a/backport-iptables-Fix-handling-of-non-existent-chains.patch b/backport-iptables-Fix-handling-of-non-existent-chains.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e952b6a70acbbc541f49fb6adfa228ab169a87b9
--- /dev/null
+++ b/backport-iptables-Fix-handling-of-non-existent-chains.patch
@@ -0,0 +1,56 @@
+From 82ccfb488eeac5507471099b9b4e6d136cc06e3b Mon Sep 17 00:00:00 2001
+From: Jacek Tomasiak
+Date: Mon, 19 Jun 2023 13:46:36 +0200
+Subject: iptables: Fix handling of non-existent chains
+
+Since 694612adf87 the "compatibility" check considers non-existent
+chains as "incompatible". This broke some scripts which used calls
+like `iptables -L CHAIN404` to test for chain existence and expect
+"No chain/target/match by that name." in the output.
+
+This patch changes the logic of `nft_is_table_compatible()` to
+report non-existent chains as "compatible" which restores the old
+behavior.
+
+Fixes: 694612adf87 ("nft: Fix selective chain compatibility checks")
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1648
+Signed-off-by: Jacek Tomasiak
+Signed-off-by: Jacek Tomasiak
+Signed-off-by: Phil Sutter
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=82ccfb488eeac5507471099b9b4e6d136cc06e3b
+
+---
+ iptables/nft.c | 2 +-
+ iptables/tests/shell/testcases/iptables/0004-return-codes_0 | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 1cb104e7..020553a4 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3860,7 +3860,7 @@ bool nft_is_table_compatible(struct nft_handle *h,
+ if (chain) {
+ struct nft_chain *c = nft_chain_find(h, table, chain);
+
+- return c && !nft_is_chain_compatible(c, h);
++ return !c || !nft_is_chain_compatible(c, h);
+ }
+
+ return !nft_chain_foreach(h, table, nft_is_chain_compatible, h);
+diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0
+index 33c5f1f3..234f3040 100755
+--- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0
++++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0
+@@ -58,6 +58,7 @@ cmd 1 "$ENOENT" -Z bar
+ cmd 0 -E foo bar
+ cmd 1 "$EEXIST_F" -E foo bar
+ cmd 1 "$ENOENT" -E foo bar2
++cmd 1 "$ENOENT" -L foo
+ cmd 0 -N
foo2
+ cmd 1 "$EEXIST_F" -E foo2 bar
+
+-- 
+cgit v1.2.3
+
diff --git a/backport-libipt_icmp-Fix-confusion-between-255-and-any.patch b/backport-libipt_icmp-Fix-confusion-between-255-and-any.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a51ee5968b4ec4788aa45019ec33fd1163d94143
--- /dev/null
+++ b/backport-libipt_icmp-Fix-confusion-between-255-and-any.patch
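Review bot: `return !c || !nft_is_chain_compatible(c, h);` now reports an unknown chain as compatible, the opposite of the previous `c && ...`, and the reason (so the caller goes on to fail with ENOENT rather than an incompatibility error) lives only in the commit message. A one-line comment above the return, `/* unknown chain: report compatible so the caller fails with ENOENT */`, would keep the next maintainer from "fixing" it back; the added test line `cmd 1 "$ENOENT" -L foo` is what pins that behaviour. The rest of nft_is_table_compatible() lies outside the hunk.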
@@ -0,0 +1,53 @@
+From 5b5430d627bbc227a2d51d4312c371f2015834c6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 1 Aug 2023 23:28:20 +0200
+Subject: extensions: libipt_icmp: Fix confusion between 255/255 and any
+
+Per definition, ICMP type "any" is type 255 and the full range of codes
+(0-255). Save callback though ignored the actual code values, printing
+"any" for every type 255 match. This at least confuses users as they
+can't find their rule added as '--icmp-type 255/255' anymore.
+
+It is not entirely clear what the fixed commit was trying to establish,
+but the save output is certainly not correct (especially since print
+callback gets things right).
+
+Reported-by: Amelia Downs
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1600
+Fixes: fc9237da4e845 ("Fix '-p icmp -m icmp' issue (Closes: #37)")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=5b5430d627bbc227a2d51d4312c371f2015834c6
+---
+ extensions/libipt_icmp.c | 3 ++-
+ extensions/libipt_icmp.t | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
+index b0318aeb..171b3b39 100644
+--- a/extensions/libipt_icmp.c
++++ b/extensions/libipt_icmp.c
+@@ -108,7 +108,8 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
+ printf(" !");
+
+ /* special hack for 'any' case */
+- if (icmp->type == 0xFF) {
++ if (icmp->type == 0xFF &&
++ icmp->code[0] == 0 && icmp->code[1] == 0xFF) {
+ printf(" --icmp-type any");
+ } else {
+ printf(" --icmp-type %u", icmp->type);
+diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t
+index f4ba65c2..ce4a33f9 100644
+--- a/extensions/libipt_icmp.t
++++ b/extensions/libipt_icmp.t
+@@ -13,3 +13,5 @@
+ # we accept "iptables -I INPUT -p tcp -m tcp", why not this below?
+ # ERROR: cannot load: iptables -A INPUT -p icmp -m icmp
+ # -p icmp -m icmp;=;OK
++-p icmp -m icmp --icmp-type 255/255;=;OK
++-p icmp -m icmp --icmp-type 255/0:255;-p icmp -m icmp --icmp-type any;OK
+-- 
+cgit v1.2.3
+
diff --git a/backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch b/backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch
new file mode 100644
index 0000000000000000000000000000000000000000..38083732b3158096c4e2b0ba60c5786248e6d439
--- /dev/null
+++ b/backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch
@@ -0,0 +1,85 @@
+From e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 12 Oct 2023 17:27:42 +0200
+Subject: libiptc: Fix for another segfault due to chain index NULL pointer
+
+Chain rename code missed to adjust the num_chains value which is used to
+calculate the number of chain index buckets to allocate during an index
+rebuild. So with the right number of chains present, the last chain in a
+middle bucket being renamed (and ending up in another bucket) triggers
+an index rebuild based on false data. The resulting NULL pointer index
+bucket then causes a segfault upon reinsertion.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
+Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620
+---
+ .../shell/testcases/chain/0008rename-segfault2_0 | 32 ++++++++++++++++++++++
+ libiptc/libiptc.c | 4 +++
+ 2 files changed, 36 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+
+diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+new file mode 100755
+index 00000000..bc473d25
+--- /dev/null
++++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+@@ -0,0 +1,32 @@
++#!/bin/bash
++#
++# Another funny rename bug in libiptc:
++# If there is a chain index bucket with only a single chain in it and it is not
++# the last one and that chain is renamed, a chain index rebuild is triggered.
++# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an
++# extra index is allocated and remains NULL. The following insert of renamed
++# chain then segfaults.
++
++(
++ echo "*filter"
++ # first bucket
++ for ((i = 0; i < 40; i++)); do
++ echo ":chain-a-$i - [0:0]"
++ done
++ # second bucket
++ for ((i = 0; i < 40; i++)); do
++ echo ":chain-b-$i - [0:0]"
++ done
++ # third bucket, just make sure it exists
++ echo ":chain-c-0 - [0:0]"
++ echo "COMMIT"
++) | $XT_MULTI iptables-restore
++
++# rename all chains of the middle bucket
++(
++ echo "*filter"
++ for ((i = 0; i < 40; i++)); do
++ echo "-E chain-b-$i chain-d-$i"
++ done
++ echo "COMMIT"
++) | $XT_MULTI iptables-restore --noflush
+diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
+index e4750633..9712a363 100644
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
+ return 0;
+ }
+
++ handle->num_chains--;
++
+ /* This only unlinks "c" from the list, thus no free(c) */
+ iptcc_chain_index_delete_chain(c, handle);
+
+ /* Change the name of the chain */
+ strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1);
+
++ handle->num_chains++;
++
+ /* Insert sorted into to list again */
+ iptc_insert_chain(handle, c);
+
+-- 
+cgit v1.2.3
+
diff --git a/backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch b/backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch
new file mode 100644
index 0000000000000000000000000000000000000000..71dc49b0596fd14b23e14322433edeb4da6f9295
--- /dev/null
+++ b/backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch
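Review bot: The `handle->num_chains--` / `handle->num_chains++` pair bracketing the unlink and rename carries no comment, and the reason (an index rebuild triggered inside iptcc_chain_index_delete_chain() sizes its bucket array from num_chains, so the chain being moved must not be counted while it is unlinked) is only in the commit message. I would put `/* exclude this chain from the count while it is unlinked: an index rebuild sizes its buckets from num_chains */` above the decrement. Whether iptc_insert_chain() adjusts num_chains itself is not visible in the hunk; if it does, the `++` would double-count, so that is worth confirming. TC_RENAME_CHAIN() begins and ends outside the hunk.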
@@ -0,0 +1,32 @@
+From e900d40afdb731d2270a5110833ae49192974355 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Tue, 14 Mar 2023 22:36:50 +0100
+Subject: [PATCH] xtables-eb: fix crash when opts isn't reallocated
+
+opts may point to statically allocated memory.
+This fixes abort() from libc.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=e900d40afdb731d2270a5110833ae49192974355
+
+Signed-off-by: Florian Westphal
+---
+ iptables/xtables-eb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 3a73e797..068dffd2 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -675,7 +675,8 @@ void nft_fini_eb(struct nft_handle *h)
+ free(target->t);
+ }
+
+- free(opts);
++ if (opts != ebt_original_options)
++ free(opts);
+
+ nft_fini(h);
+ xtables_fini();
+-- 
+2.23.0
diff --git a/iptables.spec b/iptables.spec
index 8f60fe51aa72ec6b96bf06cd825227ad98d46b75..40d85607f76c0cbb5e90c5acba1f9e62c5c4bc11 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name: iptables
 Version: 1.8.9
-Release: 2
+Release: 3
 Summary: IP packet filter administration utilities
 License: GPLv2 and Artistic Licence 2.0 and ISC
 URL: https://www.netfilter.org/
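Review bot: `if (opts != ebt_original_options) free(opts);` stops freeing the static table, but `opts` is left pointing at freed memory afterwards, so a second call to nft_fini_eb(), or any later read of `opts`, would be a use-after-free or double free. Resetting the pointer right after the free, `opts = ebt_original_options;`, makes the teardown idempotent at no cost and also documents which value the guard compares against. Whether nft_fini_eb() can run more than once is not visible in the hunk.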
@@ -16,6 +16,17 @@ Source5: sysconfig_ip6tables
 Patch0: 0001-extensions-NAT-Fix-for-Werror-format-security.patch
 Patch1: enabled-makecheck-in-extensions.patch
 Patch2: bugfix-add-check-fw-in-entry.patch
+Patch3: backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
+Patch4: backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch
+Patch5: backport-iptables-Fix-handling-of-non-existent-chains.patch
+Patch6: backport-Special-casing-for-among-match-in-compare_matches.patch
+Patch7: backport-libipt_icmp-Fix-confusion-between-255-and-any.patch
+Patch8: backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch
+Patch9: backport-Fix-checking-of-conntrack-ctproto.patch
+Patch10: backport-Fix-for-non-CIDR-compatible-hostmasks.patch
+Patch11: backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch
+Patch12: backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch
+
 BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
 BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@@ -332,6 +343,21 @@ fi
 %{_datadir}/xtables/iptables.xslt
 %changelog
+* Thu Apr 18 2024 yanglu - 1.8.9-3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:ebtables translate Print flush command after parsing is finished
+ fix crash when opts isn't reallocated
+ Fix handling of non-existent chains
+ nft: Special casing for among match in compare_matches
+ extensions: libipt_icmp: Fix confusion between 255/255 and any
+ Revert libiptc: fix wrong maptype of base chain counters on restore
+ extensions: Fix checking of conntrack --ctproto 0
+ libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
+ libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
+ libiptc: Fix for another segfault due to chain index NULL pointer
+
 * Wed Feb 15 2023 zhanghao - 1.8.9-2
 - Type:requirement
 - ID:NA