backport some patches from upstream

(cherry picked from commit eeb2e24c21a6ec7b35d5562109015648aa5c9df1)
yangl777 2024-04-18 08:59:06 +00:00 committed by openeuler-sync-bot
parent e9d47d9c1f
commit a76a8c9244
11 changed files with 575 additions and 1 deletions


@ -0,0 +1,95 @@
From 2e704f6ddd6d056e360f3d9c11e8b6c56a20cf23 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Sat, 23 Nov 2013 08:41:58 +0000
Subject: extensions: Fix checking of conntrack --ctproto 0
There are three issues in the code:
1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
2) in conntrack_mt_parse it is testing (info->invert_flags &
XT_INV_PROTO) before the invert bit has been set.
3) the sense of the error message is the wrong way round
1) To get the error, ! -ctstatus XXX has to be specified, since
XT_INV_PROTO == XT_CONNTRACK_STATUS e.g.
| iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
3) Unlike --proto 0 (where 0 means all protocols), in the conntrack
match --ctproto 0 appears to mean protocol 0, which can never be.
Therefore --ctproto 0 could never match and ! --ctproto 0 will always
match. Both of these should be rejected, since the user clearly
cannot be intending what was specified.
The attached patch resolves the issue, and also produces an error
message if --ctproto 0 is specified (as well as ! --ctproto 0 ), since
--ctproto 0 will never match, and ! --ctproto 0 will always match.
[Phil: - Added Fixes: tag - it's a day 1 bug
- Copied patch description from Bugzilla
- Reorganized changes to reduce diff
- Added test cases]
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874
Fixes: 5054e85be3068 ("general conntrack match module userspace support files")
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict:NA
Reference:https://git.netfilter.org/iptables//commit/?id=2e704f6ddd6d056e360f3d9c11e8b6c56a20cf23
---
extensions/libxt_conntrack.c | 17 ++++++++---------
extensions/libxt_conntrack.t | 2 ++
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7734509..3cc678f 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -346,14 +346,13 @@ static void conntrack_parse(struct xt_option_call *cb)
sinfo->invflags |= XT_CONNTRACK_STATE;
break;
case O_CTPROTO:
+ if (cb->val.protocol == 0)
+ xtables_error(PARAMETER_PROBLEM, cb->invert ?
+ "condition would always match protocol" :
+ "rule would never match protocol");
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;
if (cb->invert)
sinfo->invflags |= XT_CONNTRACK_PROTO;
- if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
- && (sinfo->invflags & XT_INV_PROTO))
- xtables_error(PARAMETER_PROBLEM,
- "rule would never match protocol");
-
sinfo->flags |= XT_CONNTRACK_PROTO;
break;
case O_CTORIGSRC:
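Review bot: Keying the zero-protocol check on cb->invert and running it before the assignment fixes the ordering bug from the description, but since the commit message notes that `-p 0` means "all protocols" elsewhere, a short comment at the new check explaining why 0 is rejected for --ctproto (protocol 0 can never appear in a conntrack tuple) would save the next reader from "fixing" it toward the -p semantics.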
@@ -411,11 +410,11 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev)
info->invert_flags |= XT_CONNTRACK_STATE;
break;
case O_CTPROTO:
+ if (cb->val.protocol == 0)
+ xtables_error(PARAMETER_PROBLEM, cb->invert ?
+ "conntrack: condition would always match protocol" :
+ "conntrack: rule would never match protocol");
info->l4proto = cb->val.protocol;
- if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
- xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
- "never match protocol");
-
info->match_flags |= XT_CONNTRACK_PROTO;
if (cb->invert)
info->invert_flags |= XT_CONNTRACK_PROTO;
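Review bot: This block duplicates the check added to conntrack_parse() with only the "conntrack: " prefix differing; a small static helper taking cb and the prefix would keep the two revisions from drifting apart, and the inverted-case wording ("condition would always match protocol") could then be shared as well.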
diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
index db53147..2b3c5de 100644
--- a/extensions/libxt_conntrack.t
+++ b/extensions/libxt_conntrack.t
@@ -25,3 +25,5 @@
-m conntrack --ctstatus EXPECTED;=;OK
-m conntrack --ctstatus SEEN_REPLY;=;OK
-m conntrack;;FAIL
+-m conntrack --ctproto 0;;FAIL
+-m conntrack ! --ctproto 0;;FAIL
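Review bot: Both new cases assert rejection only; a positive case such as `-m conntrack --ctproto 6;=;OK` (if the file does not already carry one above the shown context) would guard against the new early xtables_error() accidentally firing for non-zero protocols.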
--
2.33.0


@ -0,0 +1,55 @@
From 41139aee5e53304182a25f1e573f034b313f7232 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Nov 2023 20:21:49 +0100
Subject: libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
In order to parse the mask, xtopt_parse_hostmask() calls
xtopt_parse_plenmask() thereby limiting netmask support to prefix
lengths (alternatively specified in IP address notation).
In order to lift this impractical restriction, make
xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
fall back to xtopt_parse_mask() which correctly initializes val.hmask
itself and indicates non-CIDR-compatible masks by setting val.hlen to
-1.
So in order to support these odd masks, it is sufficient for
xtopt_parse_plenmask() to skip its mask building from val.hlen value and
take whatever val.hmask contains.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict:NA
Reference:https://git.netfilter.org/iptables//commit/?id=41139aee5e53304182a25f1e573f034b313f7232
---
libxtables/xtoptions.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 0dcdf60..bc14958 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -714,6 +714,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
xtopt_parse_plen(cb);
+ /* may not be convertible to CIDR notation */
+ if (cb->val.hlen == (uint8_t)-1)
+ goto out_put;
+
memset(mask, 0xFF, sizeof(union nf_inet_addr));
/* This shifting is AF-independent. */
if (cb->val.hlen == 0) {
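Review bot: The early `goto out_put` skips not only the prefix-to-mask expansion but also the htonl() conversion of mask[1..3] further down, so it is only correct if xtopt_parse_mask() leaves val.hmask already in network byte order; please confirm that and state it in the "/* may not be convertible to CIDR notation */" comment. The `(uint8_t)-1` sentinel also deserves a word, since 255 can never be a valid prefix length, which is what makes it safe to reuse as a flag.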
@@ -734,6 +738,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
mask[1] = htonl(mask[1]);
mask[2] = htonl(mask[2]);
mask[3] = htonl(mask[3]);
+out_put:
if (entry->flags & XTOPT_PUT)
memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
}
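Review bot: Jumping to out_put bypasses the memset/shift path, so `mask` must already hold the user-supplied mask when the XTOPT_PUT memcpy runs; if `mask` is a local buffer rather than an alias of cb->val.hmask, the memcpy would copy uninitialised memory for non-CIDR masks. Worth confirming against the declaration above this hunk.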
--
2.33.0


@ -0,0 +1,33 @@
From 17d724f20e3c97ea8ce8765ca532a3cf49a98b31 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 17 Dec 2023 13:02:36 +0100
Subject: libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
Do as the comment in xtopt_parse_hostmask() claims and omit
XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
will catch the incompatibility.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Conflict:There is no need to modify the header file comments
Reference:https://git.netfilter.org/iptables//commit/?id=17d724f20e3c97ea8ce8765ca532a3cf49a98b31
---
libxtables/xtoptions.c | 1 -
1 files changed, 1 deletions(-)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index bc14958..95038c2 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -58,7 +58,6 @@ static const size_t xtopt_psize[] = {
[XTTYPE_STRING] = -1,
[XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t),
[XTTYPE_HOST] = sizeof(union nf_inet_addr),
- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr),
[XTTYPE_PROTOCOL] = sizeof(uint8_t),
[XTTYPE_PORT] = sizeof(uint16_t),
[XTTYPE_PORTRC] = sizeof(uint16_t[2]),
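Review bot: Dropping the designated initialiser leaves xtopt_psize[XTTYPE_HOSTMASK] implicitly 0, which is the signal xtables_option_metavalidate() relies on; a one-line comment in the array ("HOSTMASK deliberately omitted, XTOPT_PUT unsupported") would stop a future contributor from restoring it. Note also that this backport carries no Signed-off-by trailer, unlike the others in the series.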
--
2.33.0


@ -0,0 +1,49 @@
From 10583537004f7ecd4aa11f6c12b7ba73fb77fc11 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 21 Jul 2023 13:14:36 +0200
Subject: nft: Special casing for among match in compare_matches()
When other extensions may have "garbage" appended to their data which
should not be considered for match comparison, among match is the
opposite in that it extends its data beyond the value in 'size' field.
Add special casing to cover for this, avoiding false-positive rule
comparison.
Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict:NA
Reference:https://git.netfilter.org/iptables//commit/?id=10583537004f7ecd4aa11f6c12b7ba73fb77fc11
---
iptables/nft-shared.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 10553ab..4c20ceb 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -933,6 +933,7 @@ bool compare_matches(struct xtables_rule_match *mt1,
for (mp1 = mt1, mp2 = mt2; mp1 && mp2; mp1 = mp1->next, mp2 = mp2->next) {
struct xt_entry_match *m1 = mp1->match->m;
struct xt_entry_match *m2 = mp2->match->m;
+ size_t cmplen = mp1->match->userspacesize;
if (strcmp(m1->u.user.name, m2->u.user.name) != 0) {
DEBUGP("mismatching match name\n");
@@ -944,8 +945,10 @@ bool compare_matches(struct xtables_rule_match *mt1,
return false;
}
- if (memcmp(m1->data, m2->data,
- mp1->match->userspacesize) != 0) {
+ if (!strcmp(m1->u.user.name, "among"))
+ cmplen = m1->u.match_size - sizeof(*m1);
+
+ if (memcmp(m1->data, m2->data, cmplen) != 0) {
DEBUGP("mismatch match data\n");
return false;
}
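Review bot: cmplen for "among" is derived from m1->u.match_size only; unless the check whose `return false;` closes just above this hunk already compares m1->u.match_size with m2->u.match_size, memcmp() can read past the end of m2->data when the two rules carry a different number of among entries. Suggest an explicit `if (m1->u.match_size != m2->u.match_size) return false;` before the memcmp, and consider a flag on struct xtables_match instead of a strcmp on the name so other variable-length extensions can opt in without another special case.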
--
2.33.0


@ -0,0 +1,51 @@
From b51aef061378b34fa9544b1af34021d89a76547a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 26 Jan 2023 03:27:16 +0100
Subject: [PATCH] ebtables-translate: Print flush command after parsing is
finished
Otherwise, bad calls like 'ebtables-translate -F -F' produce wrong
output instead of an error message.
Conflict: NA
Reference: https://git.netfilter.org/iptables/commit?id=b51aef061378b34fa9544b1af34021d89a76547a
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xtables-eb-translate.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 99347c0c..da7e5e3d 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -247,13 +247,6 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
ret = 1;
break;
case 'F': /* Flush */
- if (p.chain) {
- printf("flush chain bridge %s %s\n", p.table, p.chain);
- } else {
- printf("flush table bridge %s\n", p.table);
- }
- ret = 1;
- break;
case 'Z': /* Zero counters */
if (c == 'Z') {
if ((flags & OPT_ZERO) || (flags & OPT_COMMAND && command != 'L'))
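Review bot: With the body removed, `case 'F':` now falls through into `case 'Z':`, whose `if (c == 'Z')` guard is what keeps a flush from being handled as a zero-counters request; add a `/* fall through */` comment so -Wimplicit-fallthrough does not flag it and the intent survives later edits.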
@@ -506,6 +499,13 @@ print_zero:
if (command == 'P') {
return 0;
+ } else if (command == 'F') {
+ if (p.chain) {
+ printf("flush chain bridge %s %s\n", p.table, p.chain);
+ } else {
+ printf("flush table bridge %s\n", p.table);
+ }
+ ret = 1;
} else if (command == 'A') {
ret = nft_rule_eb_xlate_add(h, &p, &cs, true);
if (!ret)
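Review bot: The relocated flush printing mirrors the removed block, but the commit message's motivating case (`ebtables-translate -F -F`) has no test; a shell testcase asserting a non-zero exit and no "flush table bridge" output for the doubled flag would pin the new behaviour.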
--
2.23.0


@ -0,0 +1,39 @@
From 43f78733059ecd28d8567d8205cab5ed62d93458 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 3 Aug 2023 17:59:03 +0200
Subject: Revert "libiptc: fix wrong maptype of base chain counters on restore"
This reverts commit 7c4d668c9c2ee007c82063b7fc784cbbf46b2ec4.
The change can't be right: A simple rule append call will reset all
built-in chains' counters. The old code works fine even given the
mentioned "empty restore" use-case, at least if counters don't change on
the fly in-kernel.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=912
Fixes: 7c4d668c9c2ee ("libiptc: fix wrong maptype of base chain counters on restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict:NA
Reference:https://git.netfilter.org/iptables//commit/?id=43f78733059ecd28d8567d8205cab5ed62d93458
---
libiptc/libiptc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index ceeb017..2deccd6 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -813,7 +813,7 @@ static int __iptcc_p_del_policy(struct xtc_handle *h, unsigned int num)
/* save counter and counter_map information */
h->chain_iterator_cur->counter_map.maptype =
- COUNTER_MAP_ZEROED;
+ COUNTER_MAP_NORMAL_MAP;
h->chain_iterator_cur->counter_map.mappos = num-1;
memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters,
sizeof(h->chain_iterator_cur->counters));
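Review bot: Restoring COUNTER_MAP_NORMAL_MAP means the chain's counters are again taken from kernel slot num-1 at commit time while the memcpy below keeps a snapshot in h->chain_iterator_cur->counters; the commit message's caveat that this is only right "if counters don't change on the fly in-kernel" belongs in the "save counter and counter_map information" comment so the next reader does not reintroduce the reverted change.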
--
2.33.0


@ -0,0 +1,56 @@
From 82ccfb488eeac5507471099b9b4e6d136cc06e3b Mon Sep 17 00:00:00 2001
From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Date: Mon, 19 Jun 2023 13:46:36 +0200
Subject: iptables: Fix handling of non-existent chains
Since 694612adf87 the "compatibility" check considers non-existent
chains as "incompatible". This broke some scripts which used calls
like `iptables -L CHAIN404` to test for chain existence and expect
"No chain/target/match by that name." in the output.
This patch changes the logic of `nft_is_table_compatible()` to
report non-existent chains as "compatible" which restores the old
behavior.
Fixes: 694612adf87 ("nft: Fix selective chain compatibility checks")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1648
Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict: NA
Reference: https://git.netfilter.org/iptables/commit?id=82ccfb488eeac5507471099b9b4e6d136cc06e3b
---
iptables/nft.c | 2 +-
iptables/tests/shell/testcases/iptables/0004-return-codes_0 | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 1cb104e7..020553a4 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3860,7 +3860,7 @@ bool nft_is_table_compatible(struct nft_handle *h,
if (chain) {
struct nft_chain *c = nft_chain_find(h, table, chain);
- return c && !nft_is_chain_compatible(c, h);
+ return !c || !nft_is_chain_compatible(c, h);
}
return !nft_chain_foreach(h, table, nft_is_chain_compatible, h);
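Review bot: The new `!c || ...` expression makes a missing chain count as compatible so callers proceed to the normal lookup and its ENOENT message, but the double negation is easy to misread; a comment stating that nft_is_chain_compatible() appears to return non-zero for incompatible chains (consistent with its use as the foreach callback on the next line) would make the intent clear.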
diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0
index 33c5f1f3..234f3040 100755
--- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0
+++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0
@@ -58,6 +58,7 @@ cmd 1 "$ENOENT" -Z bar
cmd 0 -E foo bar
cmd 1 "$EEXIST_F" -E foo bar
cmd 1 "$ENOENT" -E foo bar2
+cmd 1 "$ENOENT" -L foo
cmd 0 -N foo2
cmd 1 "$EEXIST_F" -E foo2 bar
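Review bot: `cmd 1 "$ENOENT" -L foo` is placed right after `-E foo bar`, so it depends on the rename earlier in the sequence having succeeded; that is fine, but an additional `-L` on a name that is never created in this file would make the regression check independent of the rename steps.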
--
cgit v1.2.3


@ -0,0 +1,53 @@
From 5b5430d627bbc227a2d51d4312c371f2015834c6 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 1 Aug 2023 23:28:20 +0200
Subject: extensions: libipt_icmp: Fix confusion between 255/255 and any
Per definition, ICMP type "any" is type 255 and the full range of codes
(0-255). Save callback though ignored the actual code values, printing
"any" for every type 255 match. This at least confuses users as they
can't find their rule added as '--icmp-type 255/255' anymore.
It is not entirely clear what the fixed commit was trying to establish,
but the save output is certainly not correct (especially since print
callback gets things right).
Reported-by: Amelia Downs <adowns@vmware.com>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1600
Fixes: fc9237da4e845 ("Fix '-p icmp -m icmp' issue (Closes: #37)")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict:NA
Reference:https://git.netfilter.org/iptables//commit/?id=5b5430d627bbc227a2d51d4312c371f2015834c6
---
extensions/libipt_icmp.c | 3 ++-
extensions/libipt_icmp.t | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index b0318aeb..171b3b39 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -108,7 +108,8 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
printf(" !");
/* special hack for 'any' case */
- if (icmp->type == 0xFF) {
+ if (icmp->type == 0xFF &&
+ icmp->code[0] == 0 && icmp->code[1] == 0xFF) {
printf(" --icmp-type any");
} else {
printf(" --icmp-type %u", icmp->type);
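Review bot: The tightened condition prints "any" only for type 255 with the full 0..255 code range, so `--icmp-type 255/255` now takes the else branch; to keep save and print from diverging again (the commit message notes print already gets this right), factor the "any" test into a shared helper used by both callbacks.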
diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t
index f4ba65c2..ce4a33f9 100644
--- a/extensions/libipt_icmp.t
+++ b/extensions/libipt_icmp.t
@@ -13,3 +13,5 @@
# we accept "iptables -I INPUT -p tcp -m tcp", why not this below?
# ERROR: cannot load: iptables -A INPUT -p icmp -m icmp
# -p icmp -m icmp;=;OK
+-p icmp -m icmp --icmp-type 255/255;=;OK
+-p icmp -m icmp --icmp-type 255/0:255;-p icmp -m icmp --icmp-type any;OK
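Review bot: The two cases cover the exact "any" range and 255/255; adding one with a partial code range such as `-p icmp -m icmp --icmp-type 255/1:255;=;OK` would confirm that only the full 0:255 range collapses to "any" and that partial ranges round-trip unchanged.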
--
cgit v1.2.3


@ -0,0 +1,85 @@
From e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 12 Oct 2023 17:27:42 +0200
Subject: libiptc: Fix for another segfault due to chain index NULL pointer
Chain rename code missed to adjust the num_chains value which is used to
calculate the number of chain index buckets to allocate during an index
rebuild. So with the right number of chains present, the last chain in a
middle bucket being renamed (and ending up in another bucket) triggers
an index rebuild based on false data. The resulting NULL pointer index
bucket then causes a segfault upon reinsertion.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
Conflict:NA
Reference:https://git.netfilter.org/iptables/commit/?id=e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620
---
.../shell/testcases/chain/0008rename-segfault2_0 | 32 ++++++++++++++++++++++
libiptc/libiptc.c | 4 +++
2 files changed, 36 insertions(+)
create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0
diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
new file mode 100755
index 00000000..bc473d25
--- /dev/null
+++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Another funny rename bug in libiptc:
+# If there is a chain index bucket with only a single chain in it and it is not
+# the last one and that chain is renamed, a chain index rebuild is triggered.
+# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an
+# extra index is allocated and remains NULL. The following insert of renamed
+# chain then segfaults.
+
+(
+ echo "*filter"
+ # first bucket
+ for ((i = 0; i < 40; i++)); do
+ echo ":chain-a-$i - [0:0]"
+ done
+ # second bucket
+ for ((i = 0; i < 40; i++)); do
+ echo ":chain-b-$i - [0:0]"
+ done
+ # third bucket, just make sure it exists
+ echo ":chain-c-0 - [0:0]"
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore
+
+# rename all chains of the middle bucket
+(
+ echo "*filter"
+ for ((i = 0; i < 40; i++)); do
+ echo "-E chain-b-$i chain-d-$i"
+ done
+ echo "COMMIT"
+) | $XT_MULTI iptables-restore --noflush
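Review bot: The script passes only because a segfault makes iptables-restore exit non-zero; a final `$XT_MULTI iptables -S chain-d-39 >/dev/null` would also catch a rename that silently fails. The bucket size is implicit in the loop bound of 40; a comment tying that number to the libiptc index bucket size would explain why the test is shaped this way.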
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index e4750633..9712a363 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
return 0;
}
+ handle->num_chains--;
+
/* This only unlinks "c" from the list, thus no free(c) */
iptcc_chain_index_delete_chain(c, handle);
/* Change the name of the chain */
strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1);
+ handle->num_chains++;
+
/* Insert sorted into to list again */
iptc_insert_chain(handle, c);
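Review bot: The temporary num_chains-- / ++ around the unlink, rename and reinsert works because no early return sits between the two lines, but nothing in the code says why it is needed; a comment noting that iptcc_chain_index_delete_chain() may rebuild the index from num_chains (the bucket-count bug from the description) would keep the decrement from being "cleaned up" later. The strncpy with sizeof(IPT_CHAINLABEL) - 1 also relies on the last byte of c->name already being NUL; fine if the struct is zero-initialised, otherwise add an explicit terminator.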
--
cgit v1.2.3


@ -0,0 +1,32 @@
From e900d40afdb731d2270a5110833ae49192974355 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Tue, 14 Mar 2023 22:36:50 +0100
Subject: [PATCH] xtables-eb: fix crash when opts isn't reallocated
opts may point to statically allocated memory.
This fixes abort() from libc.
Conflict: NA
Reference: https://git.netfilter.org/iptables/commit?id=e900d40afdb731d2270a5110833ae49192974355
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/xtables-eb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 3a73e797..068dffd2 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -675,7 +675,8 @@ void nft_fini_eb(struct nft_handle *h)
free(target->t);
}
- free(opts);
+ if (opts != ebt_original_options)
+ free(opts);
nft_fini(h);
xtables_fini();
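Review bot: Guarding free(opts) with `opts != ebt_original_options` fixes the free of static storage, but opts is left dangling afterwards; resetting it to ebt_original_options (or NULL) right after the free would make nft_fini_eb() safe against a second call and rule out a double free.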
--
2.23.0


@ -2,7 +2,7 @@
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions
Name: iptables
Version: 1.8.9
Release: 2
Release: 3
Summary: IP packet filter administration utilities
License: GPLv2 and Artistic Licence 2.0 and ISC
URL: https://www.netfilter.org/
@ -16,6 +16,17 @@ Source5: sysconfig_ip6tables
Patch0: 0001-extensions-NAT-Fix-for-Werror-format-security.patch
Patch1: enabled-makecheck-in-extensions.patch
Patch2: bugfix-add-check-fw-in-entry.patch
Patch3: backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
Patch4: backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch
Patch5: backport-iptables-Fix-handling-of-non-existent-chains.patch
Patch6: backport-Special-casing-for-among-match-in-compare_matches.patch
Patch7: backport-libipt_icmp-Fix-confusion-between-255-and-any.patch
Patch8: backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch
Patch9: backport-Fix-checking-of-conntrack-ctproto.patch
Patch10: backport-Fix-for-non-CIDR-compatible-hostmasks.patch
Patch11: backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch
Patch12: backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch
BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
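Review bot: The ordering of Patch10 before Patch11 is required, not incidental: Patch11's index line (bc14958..95038c2) expects the xtoptions.c produced by Patch10 (0dcdf60..bc14958), so a comment in the spec would protect it during future reshuffles. Patch8's file name "backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch" reads as a fix although the patch is a revert of that fix; a "Revert-" prefix in the name would avoid confusion on rebase.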
@ -332,6 +343,21 @@ fi
%{_datadir}/xtables/iptables.xslt
%changelog
* Thu Apr 18 2024 yanglu <yanglu72@h-partners.com> - 1.8.9-3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:ebtables translate Print flush command after parsing is finished
fix crash when opts isn't reallocated
Fix handling of non-existent chains
nft: Special casing for among match in compare_matches
extensions: libipt_icmp: Fix confusion between 255/255 and any
Revert libiptc: fix wrong maptype of base chain counters on restore
extensions: Fix checking of conntrack --ctproto 0
libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
libiptc: Fix for another segfault due to chain index NULL pointer
* Wed Feb 15 2023 zhanghao <zhanghao383@huawei.com> - 1.8.9-2
- Type:requirement
- ID:NA