packages/iptables
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some upstream patches

Browse Source
This commit is contained in:
yangl777 2024-11-21 11:53:40 +00:00
parent a4ad7f0af7
commit b0cd0fc9cf
3 changed files with 102 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
backport-extensions-recent-Fix-format-string-for-unsigned-values.patch Normal file
View File

@ -0,0 +1,56 @@
From 8696f659eadd58505469841a3af16ad2c830e8e5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 20 Jun 2024 18:17:16 +0200
Subject: extensions: recent: Fix format string for unsigned values
Both fields 'seconds' and 'hit_count' are unsigned, use '%u'
accordingly. While being at it, also fix coding-style in those lines.
Basically a day-1 bug, have Fixes: point at a reasonably old commit.
Fixes: af1660fe0e88c ("Move libipt_recent to libxt_recent")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict:NA
Reference:https://git.netfilter.org/iptables/commit/?id=8696f659eadd58505469841a3af16ad2c830e8e5
---
extensions/libxt_recent.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
index 055ae350..0221d446 100644
--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
@@ -193,10 +193,12 @@ static void recent_print(const void *ip, const struct xt_entry_match *match,
printf(" UPDATE");
if (info->check_set & XT_RECENT_REMOVE)
printf(" REMOVE");
- if(info->seconds) printf(" seconds: %d", info->seconds);
+ if (info->seconds)
+ printf(" seconds: %u", info->seconds);
if (info->check_set & XT_RECENT_REAP)
printf(" reap");
- if(info->hit_count) printf(" hit_count: %d", info->hit_count);
+ if (info->hit_count)
+ printf(" hit_count: %u", info->hit_count);
if (info->check_set & XT_RECENT_TTL)
printf(" TTL-Match");
printf(" name: %s", info->name);
@@ -233,10 +235,12 @@ static void recent_save(const void *ip, const struct xt_entry_match *match,
printf(" --update");
if (info->check_set & XT_RECENT_REMOVE)
printf(" --remove");
- if(info->seconds) printf(" --seconds %d", info->seconds);
+ if (info->seconds)
+ printf(" --seconds %u", info->seconds);
if (info->check_set & XT_RECENT_REAP)
printf(" --reap");
- if(info->hit_count) printf(" --hitcount %d", info->hit_count);
+ if (info->hit_count)
+ printf(" --hitcount %u", info->hit_count);
if (info->check_set & XT_RECENT_TTL)
printf(" --rttl");
printf(" --name %s",info->name);
--
cgit v1.2.3

36
backport-nft-cmd-Init-struct-nft_cmd-head-early.patch Normal file
View File

@ -0,0 +1,36 @@
From db7fc1862b8bd5e2eea83ed4089fcf35fc01c032 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 23 Jul 2024 21:31:34 +0200
Subject: nft: cmd: Init struct nft_cmd::head early
Calling nft_cmd_free() in error case segfaults otherwise if the to be
freed object is not part of a list yet.
Exposed by commit eab75ed36a4f2 ("nft: Avoid memleak in error path of
nft_cmd_new()"), but belongs to commit a7f1e208cdf9c (and may go well
along with it).
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict:NA
Reference:https://git.netfilter.org/iptables/commit/?id=db7fc1862b8bd5e2eea83ed4089fcf35fc01c032
---
iptables/nft-cmd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index b38da9bd..58d5aa11 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -28,6 +28,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
struct nft_cmd *cmd;
cmd = xtables_calloc(1, sizeof(struct nft_cmd));
+ INIT_LIST_HEAD(&cmd->head);
cmd->error.lineno = h->error.lineno;
cmd->command = command;
cmd->table = xtables_strdup(table);
--
cgit v1.2.3

11
iptables.spec
View File

@ -2,7 +2,7 @@
%global legacy_actions %{_libexecdir}/initscripts/legacy-actions %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
Name: iptables Name: iptables
Version: 1.8.9 Version: 1.8.9
Release: 7 Release: 8
Summary: IP packet filter administration utilities Summary: IP packet filter administration utilities
License: GPL-2.0-only and Artistic-2.0 License: GPL-2.0-only and Artistic-2.0
URL: https://www.netfilter.org/ URL: https://www.netfilter.org/
@ -29,6 +29,8 @@ Patch12: backport-libiptc-Fix-for-another-segfault-due-to-chain-index-N
Patch13: backport-libxtables-Fix-memleak-of-matches-udata.patch Patch13: backport-libxtables-Fix-memleak-of-matches-udata.patch
Patch14: backport-xshared-Fix-parsing-of-empty-string-arg-in-c-option.patch Patch14: backport-xshared-Fix-parsing-of-empty-string-arg-in-c-option.patch
Patch15: tests-extensions-add-some-testcases.patch Patch15: tests-extensions-add-some-testcases.patch
Patch16: backport-extensions-recent-Fix-format-string-for-unsigned-values.patch
Patch17: backport-nft-cmd-Init-struct-nft_cmd-head-early.patch
BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
@ -340,6 +342,13 @@ fi
%{_datadir}/xtables/iptables.xslt %{_datadir}/xtables/iptables.xslt
%changelog %changelog
* Thu Nov 21 2024 yanglu <yanglu72@h-partners.com> - 1.8.9-8
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:extensions:recent:Fix format string for unsigned values
nft:cmd:Init struct nft_cmd::head early
* Mon Sep 30 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.8.9-7 * Mon Sep 30 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.8.9-7
- Type: bugfix - Type: bugfix
- ID: NA - ID: NA