packages/iptables
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!5 update1.8.1

Browse Source 
Merge pull request !5 from zhouxudong8/zxd
This commit is contained in:
openeuler-ci-bot 2020-01-11 20:47:33 +08:00 committed by Gitee
commit 39708db643
18 changed files with 44 additions and 716 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
Allocate-rule-cache-just-once.patch
View File

@ -1,38 +0,0 @@
From c2594475dd270e3a81033fed2e5251dbd5ce319b Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:08 +0200
Subject: xtables: Allocate rule cache just once
For each parsed table, xtables-restore calls nft_table_flush() which
each time allocates a new rule cache, possibly overwriting the pointer
to the previously allocated one. Fix this by checking the pointer value
and only allocate if it's NULL.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index a9cb92ed..d5c4c766 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1867,9 +1867,11 @@ next:
t = nftnl_table_list_iter_next(iter);
}
- h->rule_cache = nftnl_rule_list_alloc();
- if (h->rule_cache == NULL)
- return -1;
+ if (!h->rule_cache) {
+ h->rule_cache = nftnl_rule_list_alloc();
+ if (h->rule_cache == NULL)
+ return -1;
+ }
err_table_iter:
nftnl_table_list_iter_destroy(iter);
--
cgit v1.2.1

54
Fix-for-nft_rule_flush-returning-garbage.patch
View File

@ -1,54 +0,0 @@
From 89d344381c81bd1d5f29b498844f20280200c786 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:09 +0200
Subject: xtables: Fix for nft_rule_flush() returning garbage
Due to variable 'ret' not being initialized in all situations, return
code of the function depends on garbage in stack. Fix this by
initializing 'ret' to zero upon declaration.
While being at it, make nftnl_chain_list_get() failure as well as
nftnl_chain_list_iter_create() failure an error condition since both
functions should succeed even if the current ruleset does not contain
any chains at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index d5c4c766..f2d6ea13 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1474,7 +1474,7 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
{
- int ret;
+ int ret = 0;
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
struct nftnl_chain *c;
@@ -1486,13 +1486,15 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
list = nftnl_chain_list_get(h);
if (list == NULL) {
- ret = 0;
+ ret = 1;
goto err;
}
iter = nftnl_chain_list_iter_create(list);
- if (iter == NULL)
+ if (iter == NULL) {
+ ret = 1;
goto err;
+ }
c = nftnl_chain_list_iter_next(iter);
while (c != NULL) {
--
cgit v1.2.1

30
Fix-for-potential-array-boundary-overstep.patch
View File

@ -1,30 +0,0 @@
From bfd41c8d99a54769678e0c66d55797082bf1edd3 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 10 Sep 2018 23:35:15 +0200
Subject: ebtables: Fix for potential array boundary overstep
Fix the parameter check in nft_ebt_standard_target() to avoid an array
out of bounds access in ebt_standard_targets.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft-bridge.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
index 1fe26bab..9d49ccbe 100644
--- a/iptables/nft-bridge.h
+++ b/iptables/nft-bridge.h
@@ -78,7 +78,7 @@ static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
static inline const char *nft_ebt_standard_target(unsigned int num)
{
- if (num > NUM_STANDARD_TARGETS)
+ if (num >= NUM_STANDARD_TARGETS)
return NULL;
return ebt_standard_targets[num];
--
cgit v1.2.1

93
Fix-for-segfault-in-iptables-nft.patch
View File

@ -1,93 +0,0 @@
m 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 17 Aug 2018 15:35:47 +0200
Subject: xtables: Fix for segfault in iptables-nft
Trying to set a chain's policy in an invalid table resulted in a
segfault. Reproducer was:
| # iptables -t broute -P BROUTING ACCEPT
Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
returned NULL for the given table name.
For an illustrative error message, set errno to ENXIO in the above case
and add an appropriate Mesage to nft_strerror().
While being at it, improve the error message if an invalid policy was
given. Before:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Incompatible with this kernel.
After:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Bad policy name. Run `dmesg' for more information.
Third unrelated change in this patch: Drop error checking of
nft_chain_set() in do_commandx(): The function never returns negative,
so that check never yielded true.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 11 +++++++++--
iptables/xtables.c | 3 ---
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 0b29caeb..dd8469a9 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
struct builtin_chain *_c;
_t = nft_table_builtin_find(h, table);
+ if (!_t) {
+ errno = ENXIO;
+ return NULL;
+ }
+
/* if this built-in table does not exists, create it */
- if (_t != NULL)
- nft_table_builtin_add(h, _t);
+ nft_table_builtin_add(h, _t);
_c = nft_chain_builtin_find(_t, chain);
if (_c != NULL) {
@@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
c = nft_chain_new(h, table, chain, NF_DROP, counters);
else if (strcmp(policy, "ACCEPT") == 0)
c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
+ else
+ errno = EINVAL;
if (c == NULL)
return 0;
@@ -2828,6 +2834,7 @@ const char *nft_strerror(int err)
"Bad rule (does a matching rule exist in that chain?)" },
{ nft_chain_set, ENOENT, "Bad built-in chain name" },
{ nft_chain_set, EINVAL, "Bad policy name" },
+ { nft_chain_set, ENXIO, "Bad table name" },
{ NULL, ELOOP, "Loop found in table" },
{ NULL, EPERM, "Permission denied (you must be root)" },
{ NULL, 0, "Incompatible with this kernel" },
diff --git a/iptables/xtables.c b/iptables/xtables.c
index d9050b45..72f65962 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
break;
case CMD_SET_POLICY:
ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
- if (ret < 0)
- xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n",
- p.policy);
break;
default:
/* We should never reach this... */
--
cgit v1.2.1

33
Fix-for-segfault-when-registering-hashlimit-extension.patch
View File

@ -1,33 +0,0 @@
From 37b68b2bc903112a74545c7f4a49c89e889582a9 Mon Sep 17 00:00:00 2001
From: Heena Sirwani <heenasirwani@gmail.com>
Date: Tue, 21 Aug 2018 17:25:56 +0530
Subject: xtables: Fix for segfault when registering hashlimit extension
This patch fixes the crash when registering the hashlimit extension
with xtables during init_extensions(when built with static libs) .
The option validation function xtables_option_metavalidate has a
loop termination condition of the entry name being NULL. The loop
does not terminate when validating hashlimit_mt_opts_v2 which causes
a crash on derefencing an invalid entry.
Signed-off-by: Heena Sirwani <heenasirwani@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
extensions/libxt_hashlimit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 70bc615b..7d78d852 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -205,6 +205,7 @@ static const struct xt_option_entry hashlimit_mt_opts_v2[] = {
{.name = "hashlimit-mode", .id = O_MODE, .type = XTTYPE_STRING},
{.name = "hashlimit-name", .id = O_NAME, .type = XTTYPE_STRING,
.flags = XTOPT_MAND | XTOPT_PUT, XTOPT_POINTER(s, name), .min = 1},
+ XTOPT_TABLEEND,
};
#undef s
--
cgit v1.2.1

31
Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
View File

@ -1,31 +0,0 @@
From 7c9a1521105aa515a272e2d04fa806bed8b43396 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 19 Sep 2018 15:17:07 +0200
Subject: arptables: Fix incorrect strcmp() in nft_arp_rule_find()
Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to
strcmp() may be passed a NULL pointer. Therefore check if the pointer is
valid before doing so.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft-arp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index b8e89826..a2109c60 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -661,7 +661,7 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
if (!compare_targets(cs->target, this.target))
return false;
- if (strcmp(cs->jumpto, this.jumpto) != 0)
+ if (this.jumpto && strcmp(cs->jumpto, this.jumpto) != 0)
return false;
return true;
--
cgit v1.2.1

29
Fix-opcode-printing-in-numeric-output.patch
View File

@ -1,29 +0,0 @@
From 3f279553a2908bfa3ad76211ee657c97e4103563 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:22 +0200
Subject: arptables: Fix opcode printing in numeric output
This line of code was dropped by accident, add it back.
Fixes: 68e5e18210b8d ("nft-arp: adds nft_arp_save_firewall")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft-arp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 5cabb93e..570a2589 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -543,6 +543,7 @@ after_devdst:
if (tmp <= NUMOPCODES && !(format & FMT_NUMERIC))
printf("--opcode %s", opcodes[tmp-1]);
else
+ printf("--opcode %d", tmp);
if (fw->arp.arpop_mask != 65535)
printf("/%d", ntohs(fw->arp.arpop_mask));
--
cgit v1.2.1

30
Fix-potential-array-overrun-in-xtables_option_parse.patch
View File

@ -1,30 +0,0 @@
From 4144571f87c094471419ef59e8bb89ef33cd1365 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 10 Sep 2018 23:35:13 +0200
Subject: libxtables: Fix potential array overrun in xtables_option_parse()
If entry->type is to be used as array index, it needs to be at max one
less than that array's size.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
libxtables/xtoptions.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index ba3128bd..326febd5 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -844,7 +844,7 @@ void xtables_option_parse(struct xt_option_call *cb)
* a *RC option type.
*/
cb->nvals = 1;
- if (entry->type <= ARRAY_SIZE(xtopt_subparse) &&
+ if (entry->type < ARRAY_SIZE(xtopt_subparse) &&
xtopt_subparse[entry->type] != NULL)
xtopt_subparse[entry->type](cb);
/* Exclusion with other flags tested later in finalize. */
--
cgit v1.2.1

72
Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
View File

@ -1,72 +0,0 @@
From 82d278c19f8f187e78c90c91834018b16c007098 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:11 +0200
Subject: xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs
Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are
not added to the cache.
There is one exception though, namely when zeroing counters:
nft_chain_zero_counters() adds a chain object it took from chain cache.
To distinguish this situation from the others, introduce
NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like
NFT_COMPAT_CHAIN_ADD but batch_obj_del() does not free it's chain.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 26df1287..327c19ad 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -246,6 +246,7 @@ enum obj_update_type {
NFT_COMPAT_CHAIN_USER_FLUSH,
NFT_COMPAT_CHAIN_UPDATE,
NFT_COMPAT_CHAIN_RENAME,
+ NFT_COMPAT_CHAIN_ZERO,
NFT_COMPAT_RULE_APPEND,
NFT_COMPAT_RULE_INSERT,
NFT_COMPAT_RULE_REPLACE,
@@ -310,6 +311,7 @@ static int mnl_append_error(const struct nft_handle *h,
nftnl_table_get_str(o->table, NFTNL_TABLE_NAME));
break;
case NFT_COMPAT_CHAIN_ADD:
+ case NFT_COMPAT_CHAIN_ZERO:
case NFT_COMPAT_CHAIN_USER_ADD:
case NFT_COMPAT_CHAIN_USER_DEL:
case NFT_COMPAT_CHAIN_USER_FLUSH:
@@ -2445,9 +2447,10 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
case NFT_COMPAT_TABLE_FLUSH:
nftnl_table_free(o->table);
break;
- case NFT_COMPAT_CHAIN_ADD:
+ case NFT_COMPAT_CHAIN_ZERO:
case NFT_COMPAT_CHAIN_USER_ADD:
break;
+ case NFT_COMPAT_CHAIN_ADD:
case NFT_COMPAT_CHAIN_USER_DEL:
case NFT_COMPAT_CHAIN_USER_FLUSH:
case NFT_COMPAT_CHAIN_UPDATE:
@@ -2496,6 +2499,7 @@ static int nft_action(struct nft_handle *h, int action)
n->seq, n->table);
break;
case NFT_COMPAT_CHAIN_ADD:
+ case NFT_COMPAT_CHAIN_ZERO:
nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN,
NLM_F_CREATE, n->seq,
n->chain);
@@ -2881,7 +2885,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
- ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
+ ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c);
if (chain != NULL)
break;
--
cgit v1.2.1

31
Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch
View File

@ -1,31 +0,0 @@
From c2895eaf7a9d604c4aa10848ad46cdde48a00357 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 2 Aug 2018 17:05:10 +0200
Subject: xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs
These always have to be freed because nft_chain_user_del() removes them
from the cache so they are not freed when the chain cache is flushed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index f2d6ea13..26df1287 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2447,8 +2447,8 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
break;
case NFT_COMPAT_CHAIN_ADD:
case NFT_COMPAT_CHAIN_USER_ADD:
- case NFT_COMPAT_CHAIN_USER_DEL:
break;
+ case NFT_COMPAT_CHAIN_USER_DEL:
case NFT_COMPAT_CHAIN_USER_FLUSH:
case NFT_COMPAT_CHAIN_UPDATE:
case NFT_COMPAT_CHAIN_RENAME:
--
cgit v1.2.1

31
fix-crash-if-nft_rule_list_get-fails.patch
View File

@ -1,31 +0,0 @@
From 907da5c505b219537586f7c2bdb7320c4f97386f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 19 Jul 2018 18:31:53 +0200
Subject: xtables: fix crash if nft_rule_list_get() fails
Without this, trying to add a rule using ebtables without proper
permissions crashes the program.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 3cacf5fe..e1788dba 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1176,7 +1176,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
if (batch_rule_add(h, type, r) < 0)
nftnl_rule_free(r);
- nft_rule_list_get(h);
+ if (!nft_rule_list_get(h))
+ return 0;
nftnl_rule_list_add_tail(r, h->rule_cache);
--
cgit v1.2.1

192
free-the-table-lock-when-skipping-a-table.patch
View File

@ -1,192 +0,0 @@
From 31e4b5906ff676a3c13060d6f456d72b7f6c90c2 Mon Sep 17 00:00:00 2001
From: Joel Goguen <contact+netfilter@jgoguen.ca>
Date: Wed, 11 Jul 2018 16:32:20 -0700
Subject: iptables-restore: free the table lock when skipping a table
Currently, when running `iptables-restore --table=X`, where `X` is not the first
table in the rules dump, the restore will fail when parsing the second table:
- a lock is acquird when parsing the first table name
- the table name does not match the parameter to `--table` so processing
continues until the next table
- when processing the next table a lock is acquired, which fails because a lock
is already held
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
This will release the lock as soon as it's decided the current table won't be
used.
Signed-off-by: Joel Goguen <contact+netfilter@jgoguen.ca>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/ip6tables-restore.c | 7 +++-
iptables/iptables-restore.c | 7 +++-
.../ipt-restore/0001load-specific-table_0 | 41 ++++++++++++++++++++++
.../testcases/ipt-restore/dumps/ip6tables.dump | 30 ++++++++++++++++
.../testcases/ipt-restore/dumps/iptables.dump | 30 ++++++++++++++++
5 files changed, 113 insertions(+), 2 deletions(-)
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
create mode 100644 iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
index cc50bb4f..d36f92da 100644
--- a/iptables/ip6tables-restore.c
+++ b/iptables/ip6tables-restore.c
@@ -325,8 +325,13 @@ int ip6tables_restore_main(int argc, char *argv[])
strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
curtable[XT_TABLE_MAXNAMELEN] = '\0';
- if (tablename != NULL && strcmp(tablename, table) != 0)
+ if (tablename != NULL && strcmp(tablename, table) != 0) {
+ if (lock >= 0) {
+ xtables_unlock(lock);
+ lock = XT_LOCK_NOT_ACQUIRED;
+ }
continue;
+ }
if (handle)
ops->free(handle);
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index d5603fce..142ddb82 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -323,8 +323,13 @@ iptables_restore_main(int argc, char *argv[])
strncpy(curtable, table, XT_TABLE_MAXNAMELEN);
curtable[XT_TABLE_MAXNAMELEN] = '\0';
- if (tablename && (strcmp(tablename, table) != 0))
+ if (tablename && (strcmp(tablename, table) != 0)) {
+ if (lock >= 0) {
+ xtables_unlock(lock);
+ lock = XT_LOCK_NOT_ACQUIRED;
+ }
continue;
+ }
if (handle)
ops->free(handle);
diff --git a/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0 b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
new file mode 100755
index 00000000..ce3bef3a
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0001load-specific-table_0
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+RET=0
+tmpfile=""
+
+set -x
+
+clean_tempfile()
+{
+ if [ -n "${tmpfile}" ]; then
+ rm -f "${tmpfile}"
+ fi
+}
+
+trap clean_tempfile EXIT
+
+tmpfile=$(mktemp) || exit 1
+
+do_simple()
+{
+ iptables="${1}"
+ table="${2}"
+ dumpfile="$(dirname "${0}")/dumps/${iptables}.dump"
+
+ "$XT_MULTI" "${iptables}-restore" --table="${table}" <"${dumpfile}"; rv=$?
+
+ if [ "${rv}" -ne 0 ]; then
+ RET=1
+ fi
+}
+
+do_simple "iptables" "filter"
+do_simple "iptables" "mangle"
+do_simple "iptables" "raw"
+do_simple "iptables" "nat"
+do_simple "ip6tables" "filter"
+do_simple "ip6tables" "mangle"
+do_simple "ip6tables" "raw"
+do_simple "ip6tables" "nat"
+
+exit "${RET}"
diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
new file mode 100644
index 00000000..4ac4f882
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/dumps/ip6tables.dump
@@ -0,0 +1,30 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [8:656]
+:POSTROUTING ACCEPT [8:656]
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [794:190738]
+:INPUT ACCEPT [794:190738]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [991:170303]
+:POSTROUTING ACCEPT [991:170303]
+COMMIT
+
+*raw
+:PREROUTING ACCEPT [794:190738]
+:OUTPUT ACCEPT [991:170303]
+COMMIT
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [991:170303]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp6-port-unreachable
+-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp6-port-unreachable
+COMMIT
diff --git a/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
new file mode 100644
index 00000000..6e4e42d3
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/dumps/iptables.dump
@@ -0,0 +1,30 @@
+*nat
+:PREROUTING ACCEPT [1:89]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [351:24945]
+:POSTROUTING ACCEPT [351:24945]
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [3270:1513114]
+:INPUT ACCEPT [3270:1513114]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [3528:1087907]
+:POSTROUTING ACCEPT [3546:1090751]
+COMMIT
+
+*raw
+:PREROUTING ACCEPT [3270:1513114]
+:OUTPUT ACCEPT [3528:1087907]
+COMMIT
+
+*filter
+:INPUT DROP [37:4057]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [3528:1087907]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
+COMMIT
--
cgit v1.2.1

21
iptables-1.6.0-iptables-apply_mktemp.patch
View File

@ -1,21 +0,0 @@
diff -up iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp iptables-1.6.0/iptables/iptables-apply
--- iptables-1.6.0/iptables/iptables-apply.iptables-apply_mktemp 2015-12-09 13:55:06.000000000 +0100
+++ iptables-1.6.0/iptables/iptables-apply 2016-04-13 17:44:07.130453958 +0200
@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
exit 2
fi
-COMMANDS=(tempfile "$SAVE" "$RESTORE")
+COMMANDS=(mktemp "$SAVE" "$RESTORE")
for cmd in "${COMMANDS[@]}"; do
if ! command -v $cmd >/dev/null; then
@@ -122,7 +122,7 @@ done
umask 0700
-TMPFILE=$(tempfile -p iptap)
+TMPFILE=$(mktemp)
trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15
if ! "$SAVE" >"$TMPFILE"; then

15
iptables-1.8.0-xtables-nft-multi.patch
View File

@ -1,15 +0,0 @@
diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c
index 187da81e9f59b..03690a56edb72 100644
--- a/iptables/xtables-nft-multi.c
+++ b/iptables/xtables-nft-multi.c
@@ -31,8 +31,10 @@ static const struct subcommand multi_subcommands[] = {
{"iptables-restore-translate", xtables_ip4_xlate_restore_main},
{"ip6tables-restore-translate", xtables_ip6_xlate_restore_main},
{"arptables", xtables_arp_main},
+ {"arptables-nft", xtables_arp_main},
{"ebtables-translate", xtables_eb_xlate_main},
{"ebtables", xtables_eb_main},
+ {"ebtables-nft", xtables_eb_main},
{"xtables-monitor", xtables_monitor_main},
{NULL},
};

BIN
iptables-1.8.0.tar.bz2
View File

Binary file not shown.

BIN
iptables-1.8.1.tar.bz2 Normal file
View File

Binary file not shown.

34
iptables-apply-Use-mktemp-instead-of-tempfile.patch Normal file
View File

@ -0,0 +1,34 @@
0d0a2c9c269dc5ed9e7d841b8ecb9dc060af Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 12 Apr 2019 18:02:19 +0200
Subject: [PATCH] iptables-apply: Use mktemp instead of tempfile
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/iptables-apply | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 819ca4a459c42..a685b6bbcd7dc 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -111,7 +111,7 @@ if [[ ! -r "$FILE" ]]; then
exit 2
fi
-COMMANDS=(tempfile "$SAVE" "$RESTORE")
+COMMANDS=(mktemp "$SAVE" "$RESTORE")
for cmd in "${COMMANDS[@]}"; do
if ! command -v $cmd >/dev/null; then
@@ -122,7 +122,7 @@ done
umask 0700
-TMPFILE=$(tempfile -p iptap)
+TMPFILE=$(mktemp)
trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
FPE USR1 SEGV USR2 PIPE ALRM TERM
--
2.21.0

26
iptables.spec
View File

@ -1,8 +1,8 @@
%global script_path %{_libexecdir}/iptables
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions
Name: iptables
Version: 1.8.0
Release: 6
Version: 1.8.1
Release: 1
Summary: IP packet filter administration utilities
License: GPLv2 and Artistic Licence 2.0 and ISC
URL: https://www.netfilter.org/
@ -13,20 +13,7 @@ Source3: iptables.service
Source4: sysconfig_iptables
Source5: sysconfig_ip6tables
Patch1: iptables-1.6.0-iptables-apply_mktemp.patch
Patch2: iptables-1.8.0-xtables-nft-multi.patch
Patch6000: fix-crash-if-nft_rule_list_get-fails.patch
Patch6001: free-the-table-lock-when-skipping-a-table.patch
Patch6002: Allocate-rule-cache-just-once.patch
Patch6003: Fix-for-nft_rule_flush-returning-garbage.patch
Patch6004: Free-chains-in-NFT_COMPAT_CHAIN_USER_DEL-jobs.patch
Patch6005: Free-chains-in-NFT_COMPAT_CHAIN_ADD-jobs.patch
Patch6006: Fix-opcode-printing-in-numeric-output.patch
Patch6007: Fix-for-segfault-in-iptables-nft.patch
Patch6008: Fix-for-segfault-when-registering-hashlimit-extension.patch
Patch6009: Fix-potential-array-overrun-in-xtables_option_parse.patch
Patch6010: Fix-for-potential-array-boundary-overstep.patch
Patch6011: Fix-incorrect-strcmp-in-nft_arp_rule_find.patch
Patch1: iptables-apply-Use-mktemp-instead-of-tempfile.patch
BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd git
BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@ -216,6 +203,10 @@ fi
%{_sbindir}/iptables-apply
%{_sbindir}/ip*tables-legacy*
%{_sbindir}/xtables-legacy-multi
%{_sbindir}/arptables-restore
%{_sbindir}/arptables-save
%{_sbindir}/ebtables-restore
%{_sbindir}/ebtables-save
%exclude %{_sbindir}/*-nft*
%exclude %{_sbindir}/*-translate
%exclude %{_sbindir}/xtables-monitor
@ -257,6 +248,9 @@ fi
%{_mandir}/*
%changelog
* Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.1-1
- Package update
* Thu Nov 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.0-6
- Type:bugfix
- Id:NA