diff --git a/backport-Fix-checking-of-conntrack-ctproto.patch b/backport-Fix-checking-of-conntrack-ctproto.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55cb27eb97b30cd018d826c4497ed6e5a4d0ab43
--- /dev/null
+++ b/backport-Fix-checking-of-conntrack-ctproto.patch
@@ -0,0 +1,95 @@ +From 2e704f6ddd6d056e360f3d9c11e8b6c56a20cf23 Mon Sep 17 00:00:00 2001 +From: Quentin Armitage +Date: Sat, 23 Nov 2013 08:41:58 +0000 +Subject: extensions: Fix checking of conntrack --ctproto 0 + +There are three issues in the code: +1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask +2) in conntrack_mt_parse it is testing (info->invert_flags & + XT_INV_PROTO) before the invert bit has been set. +3) the sense of the error message is the wrong way round + +1) To get the error, ! -ctstatus XXX has to be specified, since + XT_INV_PROTO == XT_CONNTRACK_STATUS e.g. + | iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ... + +3) Unlike --proto 0 (where 0 means all protocols), in the conntrack + match --ctproto 0 appears to mean protocol 0, which can never be. + Therefore --ctproto 0 could never match and ! --ctproto 0 will always + match. Both of these should be rejected, since the user clearly + cannot be intending what was specified. + +The attached patch resolves the issue, and also produces an error +message if --ctproto 0 is specified (as well as ! --ctproto 0 ), since +--ctproto 0 will never match, and ! --ctproto 0 will always match. 
+ +[Phil: - Added Fixes: tag - it's a day 1 bug + - Copied patch description from Bugzilla + - Reorganized changes to reduce diff + - Added test cases] + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874 +Fixes: 5054e85be3068 ("general conntrack match module userspace support files") +Signed-off-by: Quentin Armitage +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/iptables//commit/?id=2e704f6ddd6d056e360f3d9c11e8b6c56a20cf23 + +--- + extensions/libxt_conntrack.c | 17 ++++++++--------- + extensions/libxt_conntrack.t | 2 ++ + 2 files changed, 10 insertions(+), 9 deletions(-) + +diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c +index 7734509..3cc678f 100644 +--- a/extensions/libxt_conntrack.c ++++ b/extensions/libxt_conntrack.c +@@ -346,14 +346,13 @@ static void conntrack_parse(struct xt_option_call *cb) + sinfo->invflags |= XT_CONNTRACK_STATE; + break; + case O_CTPROTO: ++ if (cb->val.protocol == 0) ++ xtables_error(PARAMETER_PROBLEM, cb->invert ? ++ "condition would always match protocol" : ++ "rule would never match protocol"); + sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol; + if (cb->invert) + sinfo->invflags |= XT_CONNTRACK_PROTO; +- if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0 +- && (sinfo->invflags & XT_INV_PROTO)) +- xtables_error(PARAMETER_PROBLEM, +- "rule would never match protocol"); +- + sinfo->flags |= XT_CONNTRACK_PROTO; + break; + case O_CTORIGSRC: +@@ -411,11 +410,11 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev) + info->invert_flags |= XT_CONNTRACK_STATE; + break; + case O_CTPROTO: ++ if (cb->val.protocol == 0) ++ xtables_error(PARAMETER_PROBLEM, cb->invert ? 
++ "conntrack: condition would always match protocol" : ++ "conntrack: rule would never match protocol"); + info->l4proto = cb->val.protocol; +- if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO)) +- xtables_error(PARAMETER_PROBLEM, "conntrack: rule would " +- "never match protocol"); +- + info->match_flags |= XT_CONNTRACK_PROTO; + if (cb->invert) + info->invert_flags |= XT_CONNTRACK_PROTO; +diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t +index db53147..2b3c5de 100644 +--- a/extensions/libxt_conntrack.t ++++ b/extensions/libxt_conntrack.t +@@ -25,3 +25,5 @@ + -m conntrack --ctstatus EXPECTED;=;OK + -m conntrack --ctstatus SEEN_REPLY;=;OK + -m conntrack;;FAIL ++-m conntrack --ctproto 0;;FAIL ++-m conntrack ! --ctproto 0;;FAIL +-- +2.33.0 + diff --git a/backport-Fix-for-non-CIDR-compatible-hostmasks.patch b/backport-Fix-for-non-CIDR-compatible-hostmasks.patch new file mode 100644 index 0000000000000000000000000000000000000000..e5659b445672b5861d095637b704fcdcc0a66d5a --- /dev/null +++ b/backport-Fix-for-non-CIDR-compatible-hostmasks.patch 
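Review bot: Both conntrack_parse() and conntrack_mt_parse() now abort via xtables_error() whenever cb->val.protocol is 0, including the plain `--ctproto 0` form that the old condition let through; a saved ruleset carrying such a never-matching rule will therefore make iptables-restore fail after this package update instead of silently keeping a dead rule. The new libxt_conntrack.t entries assert exactly that FAIL, so the behaviour is intended upstream, but for a distribution backport it is a user-visible change that should be called out in the changelog. The two copies differ only by a `conntrack: ` message prefix; a tiny shared helper such as `static void ctproto_check(const struct xt_option_call *cb)` would keep the check and its wording in one place.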
@@ -0,0 +1,55 @@
+From 41139aee5e53304182a25f1e573f034b313f7232 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 28 Nov 2023 20:21:49 +0100
+Subject: libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
+
+In order to parse the mask, xtopt_parse_hostmask() calls
+xtopt_parse_plenmask() thereby limiting netmask support to prefix
+lengths (alternatively specified in IP address notation).
+
+In order to lift this impractical restriction, make
+xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
+fall back to xtopt_parse_mask() which correctly initializes val.hmask
+itself and indicates non-CIDR-compatible masks by setting val.hlen to
+-1.
+
+So in order to support these odd masks, it is sufficient for
+xtopt_parse_plenmask() to skip its mask building from val.hlen value and
+take whatever val.hmask contains.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=41139aee5e53304182a25f1e573f034b313f7232
+
+---
+ libxtables/xtoptions.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index 0dcdf60..bc14958 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -714,6 +714,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
+ 
+ xtopt_parse_plen(cb);
+ 
++ /* may not be convertible to CIDR notation */
++ if (cb->val.hlen == (uint8_t)-1)
++ goto out_put;
++
+ memset(mask, 0xFF, sizeof(union nf_inet_addr));
+ /* This shifting is AF-independent. */
+ if (cb->val.hlen == 0) {
+@@ -734,6 +738,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
+ mask[1] = htonl(mask[1]);
+ mask[2] = htonl(mask[2]);
+ mask[3] = htonl(mask[3]);
++out_put:
+ if (entry->flags & XTOPT_PUT)
+ memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
+ }
+-- 
+2.33.0
+
diff --git a/backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch b/backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch new file mode 100644 index 0000000000000000000000000000000000000000..4b85800434e6e71cf7473b85d0d820a3f223460d --- /dev/null +++ b/backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch @@ -0,0 +1,33 @@ +From 17d724f20e3c97ea8ce8765ca532a3cf49a98b31 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Sun, 17 Dec 2023 13:02:36 +0100 +Subject: libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK + +Do as the comment in xtopt_parse_hostmask() claims and omit +XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate() +will catch the incompatibility. + +Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") + +Conflict:There is no need to modify the header file comments +Reference:https://git.netfilter.org/iptables//commit/?id=17d724f20e3c97ea8ce8765ca532a3cf49a98b31 + +--- + libxtables/xtoptions.c | 1 - + 1 files changed, 1 deletions(-) + +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index bc14958..95038c2 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -58,7 +58,6 @@ static const size_t xtopt_psize[] = { + [XTTYPE_STRING] = -1, + [XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t), + [XTTYPE_HOST] = sizeof(union nf_inet_addr), +- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr), + [XTTYPE_PROTOCOL] = sizeof(uint8_t), + [XTTYPE_PORT] = sizeof(uint16_t), + [XTTYPE_PORTRC] = sizeof(uint16_t[2]), +-- +2.33.0 + diff --git a/backport-Special-casing-for-among-match-in-compare_matches.patch b/backport-Special-casing-for-among-match-in-compare_matches.patch new file mode 100644 index 0000000000000000000000000000000000000000..c83dbd7cc2ae5b97372d6180fb283291992fb5f0 --- /dev/null +++ b/backport-Special-casing-for-among-match-in-compare_matches.patch 
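Review bot: Removing the `[XTTYPE_HOSTMASK]` entry from xtopt_psize[] makes xtables_option_metavalidate() reject any extension that combines XTTYPE_HOSTMASK with XTOPT_PUT at registration time; upstream chose that deliberately, but for a distribution backport it is worth confirming no out-of-tree extension shipped against this package relies on the combination, and recording the change in the changelog. This backport also lacks the Signed-off-by trailer that the other patches in the series carry, which makes provenance harder to audit. Since the `Conflict:` note says the header comments were left untouched, a one-line comment at the array, e.g. `/* no XTTYPE_HOSTMASK entry on purpose: XTOPT_PUT is unsupported, see xtopt_parse_hostmask() */`, would keep the rationale next to the table.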
@@ -0,0 +1,49 @@ +From 10583537004f7ecd4aa11f6c12b7ba73fb77fc11 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 21 Jul 2023 13:14:36 +0200 +Subject: nft: Special casing for among match in compare_matches() + +When other extensions may have "garbage" appended to their data which +should not be considered for match comparison, among match is the +opposite in that it extends its data beyond the value in 'size' field. +Add special casing to cover for this, avoiding false-positive rule +comparison. + +Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support") +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/iptables//commit/?id=10583537004f7ecd4aa11f6c12b7ba73fb77fc11 + +--- + iptables/nft-shared.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c +index 10553ab..4c20ceb 100644 +--- a/iptables/nft-shared.c ++++ b/iptables/nft-shared.c +@@ -933,6 +933,7 @@ bool compare_matches(struct xtables_rule_match *mt1, + for (mp1 = mt1, mp2 = mt2; mp1 && mp2; mp1 = mp1->next, mp2 = mp2->next) { + struct xt_entry_match *m1 = mp1->match->m; + struct xt_entry_match *m2 = mp2->match->m; ++ size_t cmplen = mp1->match->userspacesize; + + if (strcmp(m1->u.user.name, m2->u.user.name) != 0) { + DEBUGP("mismatching match name\n"); +@@ -944,8 +945,10 @@ bool compare_matches(struct xtables_rule_match *mt1, + return false; + } + +- if (memcmp(m1->data, m2->data, +- mp1->match->userspacesize) != 0) { ++ if (!strcmp(m1->u.user.name, "among")) ++ cmplen = m1->u.match_size - sizeof(*m1); ++ ++ if (memcmp(m1->data, m2->data, cmplen) != 0) { + DEBUGP("mismatch match data\n"); + return false; + } +-- +2.33.0 + diff --git a/backport-exit-if-called-by-setuid-executeable.patch b/backport-exit-if-called-by-setuid-executeable.patch new file mode 100644 index 0000000000000000000000000000000000000000..19dfbcb420e013509b2a74ffb6578a232b1c1bf0 --- /dev/null 
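Review bot: The new `cmplen = m1->u.match_size - sizeof(*m1)` for the among match is derived from m1 alone, yet memcmp() then reads cmplen bytes from both m1->data and m2->data, so the access is only in bounds if the check sitting between the name comparison and this memcmp (visible here only as the `return false;` at old line 944) rejects differing match_size values. If that is the usual match_size equality test, a short comment saying the sizes are known equal at this point would make the dependency explicit; if it compares something else, take the smaller of the two sizes, `cmplen = (m1->u.match_size < m2->u.match_size ? m1->u.match_size : m2->u.match_size) - sizeof(*m1);`, or return false when they differ. compare_matches() starts before and continues after this hunk.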
+++ b/backport-exit-if-called-by-setuid-executeable.patch
@@ -0,0 +1,36 @@
+From ef7781eb1437a2d6fd37eb3567c599e3ea682b96 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Mon, 19 Jul 2021 16:35:09 +0200
+Subject: libxtables: exit if called by setuid executeable
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/patch/?id=ef7781eb1437a2d6fd37eb3567c599e3ea682b96
+
+iptables (legacy or nft, doesn't matter) cannot be safely used with
+setuid binaries.
+
+Add a safety check for this.
+
+Signed-off-by: Florian Westphal
+---
+ libxtables/xtables.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 9fff1e0d..b261e97b 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -245,6 +245,10 @@ static void dlreg_free(void)
+ 
+ void xtables_init(void)
+ {
++ /* xtables cannot be used with setuid in a safe way. */
++ if (getuid() != geteuid())
++ _exit(111);
++
+ xtables_libdir = getenv("XTABLES_LIBDIR");
+ if (xtables_libdir != NULL)
+ return;
+-- 
+cgit v1.2.3
+
diff --git a/backport-fix-for-non-verbose-check-command.patch b/backport-fix-for-non-verbose-check-command.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e1040c3f6dabbd83977c24104a2ea8ef857eec81
--- /dev/null
+++ b/backport-fix-for-non-verbose-check-command.patch
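Review bot: The guard `if (getuid() != geteuid()) _exit(111);` in xtables_init() only catches a set-user-ID caller; a set-group-ID wrapper, or one granted CAP_NET_ADMIN via file capabilities, passes it while the very next line still honours the caller-controlled `getenv("XTABLES_LIBDIR")` that motivates the check. Extending it to `if (getuid() != geteuid() || getgid() != getegid()) _exit(111);` closes the setgid case cheaply, and `getauxval(AT_SECURE)` would additionally cover file capabilities where the target glibc provides it. The bare `_exit(111)` also leaves the operator with no diagnostic, so a fixed one-line message written to stderr with write(2) before exiting would make the failure mode discoverable without touching stdio. The remainder of xtables_init() lies outside the hunk.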
@@ -0,0 +1,33 @@
+From 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 3 Aug 2021 10:55:20 +0200
+Subject: nft: Fix for non-verbose check command
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/patch/?id=57d1422dbbc41c36ed2e9f6c67aa040c65a429a0
+
+Check command was unconditionally verbose since v1.8.5. Make it respect
+--verbose option again.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter
+---
+ iptables/nft.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index f1deb82f..795dff86 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
+ case NFT_COMPAT_RULE_CHECK:
+ assert_chain_exists(h, cmd->table, cmd->jumpto);
+ ret = nft_rule_check(h, cmd->chain, cmd->table,
+- cmd->obj.rule, cmd->rulenum);
++ cmd->obj.rule, cmd->verbose);
+ break;
+ case NFT_COMPAT_RULE_ZERO:
+ ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
+-- 
+cgit v1.2.3
+
diff --git a/backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch b/backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1253d69e57818a435ce9eb0c0266ebf7b5c78e02
--- /dev/null
+++ b/backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch
@@ -0,0 +1,39 @@ +From 43f78733059ecd28d8567d8205cab5ed62d93458 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 3 Aug 2023 17:59:03 +0200 +Subject: Revert "libiptc: fix wrong maptype of base chain counters on restore" + +This reverts commit 7c4d668c9c2ee007c82063b7fc784cbbf46b2ec4. + +The change can't be right: A simple rule append call will reset all +built-in chains' counters. The old code works fine even given the +mentioned "empty restore" use-case, at least if counters don't change on +the fly in-kernel. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=912 +Fixes: 7c4d668c9c2ee ("libiptc: fix wrong maptype of base chain counters on restore") +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/iptables//commit/?id=43f78733059ecd28d8567d8205cab5ed62d93458 + +--- + libiptc/libiptc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index ceeb017..2deccd6 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -813,7 +813,7 @@ static int __iptcc_p_del_policy(struct xtc_handle *h, unsigned int num) + + /* save counter and counter_map information */ + h->chain_iterator_cur->counter_map.maptype = +- COUNTER_MAP_ZEROED; ++ COUNTER_MAP_NORMAL_MAP; + h->chain_iterator_cur->counter_map.mappos = num-1; + memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters, + sizeof(h->chain_iterator_cur->counters)); +-- +2.33.0 + diff --git a/backport-libipt_icmp-Fix-confusion-between-255-and-any.patch b/backport-libipt_icmp-Fix-confusion-between-255-and-any.patch new file mode 100644 index 0000000000000000000000000000000000000000..c7c77fb196f0635bf21f3cfe86f0107b0f71f2ae --- /dev/null +++ b/backport-libipt_icmp-Fix-confusion-between-255-and-any.patch 
@@ -0,0 +1,56 @@ +From 5b5430d627bbc227a2d51d4312c371f2015834c6 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 1 Aug 2023 23:28:20 +0200 +Subject: extensions: libipt_icmp: Fix confusion between 255/255 and any + +Per definition, ICMP type "any" is type 255 and the full range of codes +(0-255). Save callback though ignored the actual code values, printing +"any" for every type 255 match. This at least confuses users as they +can't find their rule added as '--icmp-type 255/255' anymore. + +It is not entirely clear what the fixed commit was trying to establish, +but the save output is certainly not correct (especially since print +callback gets things right). + +Reported-by: Amelia Downs +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1600 +Fixes: fc9237da4e845 ("Fix '-p icmp -m icmp' issue (Closes: #37)") +Signed-off-by: Phil Sutter + +Conflict:The front patch be8c605 is not integrated. As a result, test cases need to be adapted. +Reference:https://git.netfilter.org/iptables//commit/?id=5b5430d627bbc227a2d51d4312c371f2015834c6 + +--- + extensions/libipt_icmp.c | 3 ++- + extensions/libipt_icmp.t | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c +index e5e2366..b06fdee 100644 +--- a/extensions/libipt_icmp.c ++++ b/extensions/libipt_icmp.c +@@ -216,7 +216,8 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match) + printf(" !"); + + /* special hack for 'any' case */ +- if (icmp->type == 0xFF) { ++ if (icmp->type == 0xFF && ++ icmp->code[0] == 0 && icmp->code[1] == 0xFF) { + printf(" --icmp-type any"); + } else { + printf(" --icmp-type %u", icmp->type); +diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t +index 09771a3..44a1144 100644 +--- a/extensions/libipt_icmp.t ++++ b/extensions/libipt_icmp.t +@@ -13,6 +13,7 @@ + # we accept "iptables -I INPUT -p tcp -m tcp", why not this below? 
+ # ERROR: cannot load: iptables -A INPUT -p icmp -m icmp + # -p icmp -m icmp;=;OK ++-p icmp -m icmp --icmp-type 255/255;=;OK + -p icmp -m icmp ! --icmp-type 1/0;=;OK + -p icmp -m icmp --icmp-type router;;FAIL + -p icmp -m icmp --icmp-type -1;;FAIL +-- +2.33.0 + diff --git a/backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch b/backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch new file mode 100644 index 0000000000000000000000000000000000000000..38083732b3158096c4e2b0ba60c5786248e6d439 --- /dev/null +++ b/backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch 
@@ -0,0 +1,85 @@ +From e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 12 Oct 2023 17:27:42 +0200 +Subject: libiptc: Fix for another segfault due to chain index NULL pointer + +Chain rename code missed to adjust the num_chains value which is used to +calculate the number of chain index buckets to allocate during an index +rebuild. So with the right number of chains present, the last chain in a +middle bucket being renamed (and ending up in another bucket) triggers +an index rebuild based on false data. The resulting NULL pointer index +bucket then causes a segfault upon reinsertion. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713 +Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc") + +Conflict:NA +Reference:https://git.netfilter.org/iptables/commit/?id=e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620 +--- + .../shell/testcases/chain/0008rename-segfault2_0 | 32 ++++++++++++++++++++++ + libiptc/libiptc.c | 4 +++ + 2 files changed, 36 insertions(+) + create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0 + +diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 +new file mode 100755 +index 00000000..bc473d25 +--- /dev/null ++++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 +@@ -0,0 +1,32 @@ ++#!/bin/bash ++# ++# Another funny rename bug in libiptc: ++# If there is a chain index bucket with only a single chain in it and it is not ++# the last one and that chain is renamed, a chain index rebuild is triggered. ++# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an ++# extra index is allocated and remains NULL. The following insert of renamed ++# chain then segfaults. 
++ ++( ++ echo "*filter" ++ # first bucket ++ for ((i = 0; i < 40; i++)); do ++ echo ":chain-a-$i - [0:0]" ++ done ++ # second bucket ++ for ((i = 0; i < 40; i++)); do ++ echo ":chain-b-$i - [0:0]" ++ done ++ # third bucket, just make sure it exists ++ echo ":chain-c-0 - [0:0]" ++ echo "COMMIT" ++) | $XT_MULTI iptables-restore ++ ++# rename all chains of the middle bucket ++( ++ echo "*filter" ++ for ((i = 0; i < 40; i++)); do ++ echo "-E chain-b-$i chain-d-$i" ++ done ++ echo "COMMIT" ++) | $XT_MULTI iptables-restore --noflush +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index e4750633..9712a363 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname, + return 0; + } + ++ handle->num_chains--; ++ + /* This only unlinks "c" from the list, thus no free(c) */ + iptcc_chain_index_delete_chain(c, handle); + + /* Change the name of the chain */ + strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1); + ++ handle->num_chains++; ++ + /* Insert sorted into to list again */ + iptc_insert_chain(handle, c); + +-- +cgit v1.2.3 + diff --git a/backport-libiptc-Fix-for-segfault-when-renaming-a-chain.patch b/backport-libiptc-Fix-for-segfault-when-renaming-a-chain.patch new file mode 100644 index 0000000000000000000000000000000000000000..f1a4d88c011d070719463390f3243fb7b105f424 --- /dev/null +++ b/backport-libiptc-Fix-for-segfault-when-renaming-a-chain.patch 
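Review bot: The `handle->num_chains--;` / `handle->num_chains++;` pair wrapped around iptcc_chain_index_delete_chain() in TC_RENAME_CHAIN carries no comment, and the only explanation of why the count has to be lowered during the unlink lives in the commit message and the header of the new shell test. A short comment above the decrement would keep that rationale with the code, e.g. `/* Unlink must not count this chain: a rebuild triggered by the delete sizes the index from num_chains, and an extra bucket would be left NULL. */`. Since the same unlink/re-insert sequence now has to keep the counter consistent across both calls, folding it into a small static helper would stop a future caller from forgetting the restore. TC_RENAME_CHAIN starts before and ends after this hunk.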
@@ -0,0 +1,69 @@ +From 97bf4e68fc0794adba3243fd96f40f4568e7216f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 7 Oct 2022 18:29:07 +0200 +Subject: libiptc: Fix for segfault when renaming a chain + +This is an odd bug: If the number of chains is right and one renames the +last one in the list, libiptc dereferences a NULL pointer. Add fix and +test case for it. + +Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc") +Reported-by: Julien Castets +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/iptables/commit/?id=97bf4e68fc0794adba3243fd96f40f4568e7216f +--- + .../tests/shell/testcases/chain/0006rename-segfault_0 | 19 +++++++++++++++++++ + libiptc/libiptc.c | 9 +++++++++ + 2 files changed, 28 insertions(+) + create mode 100755 iptables/tests/shell/testcases/chain/0006rename-segfault_0 + +diff --git a/iptables/tests/shell/testcases/chain/0006rename-segfault_0 b/iptables/tests/shell/testcases/chain/0006rename-segfault_0 +new file mode 100755 +index 00000000..c10a8006 +--- /dev/null ++++ b/iptables/tests/shell/testcases/chain/0006rename-segfault_0 +@@ -0,0 +1,19 @@ ++#!/bin/bash ++# ++# Cover for a bug in libiptc: ++# - the chain 'node-98-tmp' is the last in the list sorted by name ++# - there are 81 chains in total, so three chain index buckets ++# - the last index bucket contains only the 'node-98-tmp' chain ++# => rename temporarily removes it from the bucket, leaving a NULL bucket ++# behind which is dereferenced later when inserting the chain again with new ++# name again ++ ++( ++ echo "*filter" ++ for chain in node-1 node-10 node-101 node-102 node-104 node-107 node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18 node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27 node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36 node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45 node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54 node-55 
node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62 node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71 node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 node-92 node-93 node-95 node-98-tmp; do ++ echo ":$chain - [0:0]" ++ done ++ echo "COMMIT" ++) | $XT_MULTI iptables-restore ++$XT_MULTI iptables -E node-98-tmp node-98 ++exit $? +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index ceeb017b..97823f93 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -606,6 +606,15 @@ static int iptcc_chain_index_delete_chain(struct chain_head *c, struct xtc_handl + + if (index_ptr == &c->list) { /* Chain used as index ptr */ + ++ /* If this is the last chain in the list, its index bucket just ++ * became empty. Adjust the size to avoid a NULL-pointer deref ++ * later. ++ */ ++ if (next == &h->chains) { ++ h->chain_index_sz--; ++ return 0; ++ } ++ + /* See if its possible to avoid a rebuild, by shifting + * to next pointer. Its possible if the next pointer + * is located in the same index bucket. +-- +cgit v1.2.3 + diff --git a/backport-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch b/backport-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch new file mode 100644 index 0000000000000000000000000000000000000000..823b939f049b6202a90d389fa9e9297b65f3419c --- /dev/null +++ b/backport-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch 
@@ -0,0 +1,31 @@
+From ffe88f8f01263687e82ef4d3d2bdc0cb5444711e Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 11:04:30 +0200
+Subject: libxtables: Fix memleak in xtopt_parse_hostmask()
+
+The allocated hostmask duplicate needs to be freed again.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=ffe88f8f01263687e82ef4d3d2bdc0cb5444711e
+---
+ libxtables/xtoptions.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index d329f2ff..0dcdf607 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
+ cb->arg = p;
+ xtopt_parse_plenmask(cb);
+ cb->arg = orig_arg;
++ free(work);
+ }
+ 
+ static void xtopt_parse_ethermac(struct xt_option_call *cb)
+-- 
+cgit v1.2.3
+
diff --git a/backport-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch b/backport-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5792dd0c9cb11d42e61a14e1909e421004986481
--- /dev/null
+++ b/backport-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
@@ -0,0 +1,36 @@
+From eab75ed36a4f204ddab0c40ba42c5a300634d5c3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 2 Jun 2021 11:55:20 +0200
+Subject: nft: Avoid memleak in error path of nft_cmd_new()
+
+If rule allocation fails, free the allocated 'cmd' before returning to
+caller.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=eab75ed36a4f204ddab0c40ba42c5a300634d5c3
+---
+ iptables/nft-cmd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index f2b935c5..c3f6c14e 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 
+ if (state) {
+ rule = nft_rule_new(h, chain, table, state);
+- if (!rule)
++ if (!rule) {
++ nft_cmd_free(cmd);
+ return NULL;
++ }
+ 
+ cmd->obj.rule = rule;
+ 
+-- 
+cgit v1.2.3
+
diff --git a/backport-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch b/backport-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9681aec684a8d431a2cab8eb59aa1aef8692b15e
--- /dev/null
+++ b/backport-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
@@ -0,0 +1,32 @@
+From ca11c7b7036b5821c17b8d08dc2a29f55b461a93 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 31 Aug 2021 12:26:20 +0200
+Subject: nft: Use xtables_malloc() in mnl_err_list_node_add()
+
+The function called malloc() without checking for memory allocation
+failure. Simply replace the call by xtables_malloc() to fix that.
+
+Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API")
+Signed-off-by: Phil Sutter
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=ca11c7b7036b5821c17b8d08dc2a29f55b461a93
+---
+ iptables/nft.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 795dff86..a470939d 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -143,7 +143,7 @@ struct mnl_err {
+ static void mnl_err_list_node_add(struct list_head *err_list, int error,
+ int seqnum)
+ {
+- struct mnl_err *err = malloc(sizeof(struct mnl_err));
++ struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));
+ 
+ err->seqnum = seqnum;
+ err->err = error;
+-- 
+cgit v1.2.3
diff --git a/backport-use-fully-random-so-that-nft-can-understand.patch b/backport-use-fully-random-so-that-nft-can-understand.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b1fac899eb5f11b819efe52e488985a6dcd92670
--- /dev/null
+++ b/backport-use-fully-random-so-that-nft-can-understand.patch
@@ -0,0 +1,60 @@ +From 943fbf3e1850ae1f52f29c2f4f2aca399779b368 Mon Sep 17 00:00:00 2001 +From: Pavel Tikhomirov +Date: Wed, 4 Aug 2021 18:50:57 +0300 +Subject: ip6tables: masquerade: use fully-random so that nft can understand + the rule + +Conflict:NA +Reference:https://git.netfilter.org/iptables/patch/?id=943fbf3e1850ae1f52f29c2f4f2aca399779b368 + +Here is the problem: + +[]# nft -v +nftables v0.9.8 (E.D.S.) +[]# iptables-nft -v +iptables v1.8.7 (nf_tables): no command specified +Try `iptables -h' or 'iptables --help' for more information. +[]# nft flush ruleset +[]# ip6tables-nft -t nat -A POSTROUTING -j MASQUERADE --random-full +[]# nft list ruleset +table ip6 nat { + chain POSTROUTING { + type nat hook postrouting priority srcnat; policy accept; + counter packets 0 bytes 0 masquerade random-fully + } +} +[]# nft list ruleset > /tmp/ruleset +[]# nft flush ruleset +[]# nft -f /tmp/ruleset +/tmp/ruleset:4:54-54: Error: syntax error, unexpected newline + counter packets 0 bytes 0 masquerade random-fully + +That's because nft list ruleset saves "random-fully" which is wrong +format for nft -f, right should be "fully-random". + +We face this problem because we run k8s in Virtuozzo container, and k8s +creates those "random-fully" rules by iptables(nft) and then CRIU can't +restore those rules using nft. + +Signed-off-by: Pavel Tikhomirov +Signed-off-by: Florian Westphal +--- + extensions/libip6t_MASQUERADE.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extensions/libip6t_MASQUERADE.c b/extensions/libip6t_MASQUERADE.c +index f92760fa..f28f071b 100644 +--- a/extensions/libip6t_MASQUERADE.c ++++ b/extensions/libip6t_MASQUERADE.c +@@ -163,7 +163,7 @@ static int MASQUERADE_xlate(struct xt_xlate *xl, + + xt_xlate_add(xl, " "); + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) +- xt_xlate_add(xl, "random-fully "); ++ xt_xlate_add(xl, "fully-random "); + + return 1; + } +-- +cgit v1.2.3 + 
diff --git a/iptables.spec b/iptables.spec
index fd917e15518297491e99282ac7b6270c71c14d4b..531ac29ef5e0c74612bd3463784575189bafb82b 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -2,36 +2,50 @@ %global legacy_actions %{_libexecdir}/initscripts/legacy-actions Name: iptables Version: 1.8.7 -Release: 14 +Release: 15 Summary: IP packet filter administration utilities License: GPLv2 and Artistic Licence 2.0 and ISC URL: https://www.netfilter.org/ Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2 -Source1: iptables.init -Source2: iptables-config -Source3: iptables.service -Source4: sysconfig_iptables -Source5: sysconfig_ip6tables +Source1: iptables.init +Source2: iptables-config +Source3: iptables.service +Source4: sysconfig_iptables +Source5: sysconfig_ip6tables Patch0: bugfix-add-check-fw-in-entry.patch -Patch1: tests-extensions-add-some-testcases.patch -Patch2: backport-xshared-Fix-response-to-unprivileged-users.patch -Patch3: backport-Improve-error-messages-for-unsupported-extensions.patch -Patch4: backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch -Patch5: backport-libxtables-Register-only-the-highest-revision-extension.patch -Patch6: backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch -Patch7: backport-xtables-restore-Extend-failure-error-message.patch -Patch8: enabled-makecheck-in-extensions.patch - -Patch9: backport-extensions-among-Fix-for-use-with-ebtables-restore.patch -Patch10: backport-extensions-libebt_redirect-Fix-xlate-return-code.patch -Patch11: backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch -Patch12: backport-iptables-restore-Free-handle-with-test-also.patch -Patch13: backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch -Patch14: backport-iptables-Plug-memleaks-in-print_firewall.patch -Patch15: backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch -Patch16: backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch -Patch17: backport-iptables-Fix-handling-of-non-existent-chains.patch +Patch1: tests-extensions-add-some-testcases.patch +Patch2: backport-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch 
+Patch3: backport-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch +Patch4: backport-exit-if-called-by-setuid-executeable.patch +Patch5: backport-fix-for-non-verbose-check-command.patch +Patch6: backport-use-fully-random-so-that-nft-can-understand.patch +Patch7: backport-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch +Patch8: backport-xshared-Fix-response-to-unprivileged-users.patch +Patch9: backport-Improve-error-messages-for-unsupported-extensions.patch +Patch10: backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch +Patch11: backport-libxtables-Register-only-the-highest-revision-extension.patch +Patch12: backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch +Patch13: backport-xtables-restore-Extend-failure-error-message.patch +Patch14: enabled-makecheck-in-extensions.patch + +Patch15: backport-extensions-among-Fix-for-use-with-ebtables-restore.patch +Patch16: backport-extensions-libebt_redirect-Fix-xlate-return-code.patch +Patch17: backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch +Patch18: backport-iptables-restore-Free-handle-with-test-also.patch +Patch19: backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch +Patch20: backport-iptables-Plug-memleaks-in-print_firewall.patch +Patch21: backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch +Patch22: backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch +Patch23: backport-iptables-Fix-handling-of-non-existent-chains.patch +Patch24: backport-Special-casing-for-among-match-in-compare_matches.patch +Patch25: backport-libipt_icmp-Fix-confusion-between-255-and-any.patch +Patch26: backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch +Patch27: backport-Fix-checking-of-conntrack-ctproto.patch +Patch28: backport-Fix-for-non-CIDR-compatible-hostmasks.patch +Patch29: backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch +Patch30: backport-libiptc-Fix-for-segfault-when-renaming-a-chain.patch +Patch31: 
backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel @@ -340,6 +354,25 @@ fi %{_mandir}/man8/xtables-legacy* %changelog +* Thu Apr 18 2024 yanglu - 1.8.7-15 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:libxtables:Fix memleak in xtopt_parse_hostmask + nft:Avoid memleak in error path of nft_cmd_new + exit if called by setuid executeable + fix for non verbose check command + use fully random so that nft can understand + Use xtables_malloc in mnl_err_list_node_add + nft: Special casing for among match in compare_matches + extensions: libipt_icmp: Fix confusion between 255/255 and any + Revert libiptc: fix wrong maptype of base chain counters on restore + extensions: Fix checking of conntrack --ctproto 0 + libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks + libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK + libiptc: Fix for another segfault due to chain index NULL pointer + libiptc: Fix for segfault when renaming a chain + * Mon Aug 14 2023 zhanghao - 1.8.7-14 - Type:bugfix - CVE:NA
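Review bot: This hunk renumbers the existing Patch2..Patch17 entries (now Patch8..Patch14 and Patch15..Patch23) while inserting the new backports; if %prep, which lies outside the hunk, applies patches through explicit `%patchN -p1` lines rather than `%autosetup -p1`/`%autopatch`, those macros would silently apply different files, so either verify that section or append the new patches after Patch17 and leave the old numbers alone. Patch26 and Patch30 both modify libiptc/libiptc.c from the same upstream base (index ceeb017 in both patch headers) while Patch31 is generated against a later tree (index e4750633), so the build log should be checked for fuzz or offset warnings in that application order. The changelog entry lists the fixes but does not flag the two user-visible behaviour changes in this batch, namely that libxtables now calls `_exit(111)` when invoked from a setuid binary and that `-m conntrack --ctproto 0` is rejected at parse time, both of which can break existing wrappers or saved rulesets.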