packages/iputils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update iputils version to 20211215

Browse Source
This commit is contained in:
yinyongkang 2022-07-11 14:30:52 +08:00
parent f1213f9778
commit 9bd7139bda
13 changed files with 10 additions and 717 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
arping-Fix-exit-code-on-w-option.patch
View File

@ -1,24 +0,0 @@
From 4c2dd9f020df2749bdff294756b04aafa99ad624 Mon Sep 17 00:00:00 2001
From: eaglegai <eaglegai@163.com>
Date: Fri, 18 Mar 2022 19:32:21 +0800
Subject: [PATCH] arping: Fix exit code on -w option when count * interval >
timeout
Signed-off-by: eaglegai <eaglegai@163.com>
---
arping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arping.c b/arping.c
index 20b0554b..fe79d2f8 100644
--- a/arping.c
+++ b/arping.c
@@ -850,7 +850,7 @@ static int event_loop(struct run_state *ctl)
else if (ctl->dad && ctl->quit_on_reply)
/* Duplicate address detection mode return value */
rc |= !(ctl->brd_sent != ctl->received);
- else if (ctl->timeout && !(ctl->count > 0))
+ else if (ctl->timeout && (!(ctl->count > 0) || (ctl->interval > ctl->timeout / ctl->count)))
rc |= !(ctl->received > 0);
else
rc |= (ctl->sent != ctl->received);

60
backport-arping-exit-0-if-running-in-deadline-mode-and-we-see-replies.patch
View File

@ -1,60 +0,0 @@
From 854873bdd28fcdd9cc3fe0c2d29c083a07d07a86 Mon Sep 17 00:00:00 2001
From: Noah Meyerhans <noahm@debian.org>
Date: Wed, 16 Feb 2022 22:27:49 -0800
Subject: [PATCH] arping: exit 0 if running in deadline mode and we see replies
The arping behavior when running in deadline mode without a packet
count (-w without -c) should match that of ping: any replies indicate
that the host is up and should result in a zero (success) exit status.
Fixes: https://github.com/iputils/iputils/issues/392
Closes: https://github.com/iputils/iputils/pull/395
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Noah Meyerhans <noahm@debian.org>
---
arping.c | 2 ++
doc/arping.xml | 14 +++++++-------
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/arping.c b/arping.c
index efe3f53..c41ec74 100644
--- a/arping.c
+++ b/arping.c
@@ -822,6 +822,8 @@ static int event_loop(struct run_state *ctl)
else if (ctl->dad && ctl->quit_on_reply)
/* Duplicate address detection mode return value */
rc |= !(ctl->brd_sent != ctl->received);
+ else if (ctl->timeout && !(ctl->count > 0))
+ rc |= !(ctl->received > 0);
else
rc |= (ctl->sent != ctl->received);
return rc;
diff --git a/doc/arping.xml b/doc/arping.xml
index 711718f..9adbc0c 100644
--- a/doc/arping.xml
+++ b/doc/arping.xml
@@ -202,13 +202,13 @@ xml:id="man.arping">
<listitem>
<para>Specify a timeout, in seconds, before
<command>arping</command> exits regardless of how many
- packets have been sent or received. In this case
- <command>arping</command> does not stop after
- <emphasis remap='I'>count</emphasis> packet are sent, it
- waits either for
- <emphasis remap='I'>deadline</emphasis> expire or until
- <emphasis remap='I'>count</emphasis> probes are
- answered.</para>
+ packets have been sent or received. If any replies are
+ received, exit with status 0, otherwise status 1. When
+ combined with the <emphasis remap="I">count</emphasis>
+ option, exit with status 0 if <emphasis
+ remap="I">count</emphasis> replies are received before the
+ deadline expiration, otherwise status 1.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
--
2.27.0

32
backport-arping-fix-typo-in-error-checking.patch
View File

@ -1,32 +0,0 @@
From 8a6a2ce3cd0cdf69f0551a3a1e598a191561d18e Mon Sep 17 00:00:00 2001
From: Noah Meyerhans <noahm@debian.org>
Date: Wed, 16 Feb 2022 22:25:30 -0800
Subject: [PATCH] arping: fix typo in error checking
When attempting to check the return value of timerfd_create(), we were
not checking the value of the variable containing the return value.
Fixes: e594ca5 ("arping: use additional timerfd to control when timeout happens")
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Noah Meyerhans <noahm@debian.org>
---
arping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arping.c b/arping.c
index 53fdbb4..efe3f53 100644
--- a/arping.c
+++ b/arping.c
@@ -733,7 +733,7 @@ static int event_loop(struct run_state *ctl)
/* timeout timerfd */
timeoutfd = timerfd_create(CLOCK_MONOTONIC, 0);
- if (tfd == -1) {
+ if (timeoutfd == -1) {
error(0, errno, "timerfd_create failed");
return 1;
}
--
2.27.0

96
backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
View File

@ -1,96 +0,0 @@
From 4646703f6d8eb46355752ec033945405ca482d4e Mon Sep 17 00:00:00 2001
From: Ralf Baechle <ralf@linux-mips.org>
Date: Tue, 7 Feb 2017 22:10:51 +0100
Subject: [PATCH] arping: Fix ARP protocol field for AX.25 and NETROM
Conflict:NA
Reference:https://github.com/iputils/iputils/commit/4646703f6d8eb46355752ec033945405ca482d4e.patch
AX.25 and NETROM differ from other, more ethernet-like protocols in that
they are not using a DIX protocol number but the AX.25 PID. The arping code
doesn't handle this special case resulting in invalid ARP packets being sent.
The interface bpq0 is an AX.25-over-ethernet interface. Without this
fix:
# arping -c 1 -I bpq0 172.20.1.3
ARPING 172.20.1.3 from 172.20.1.2 bpq0
Sent 1 probes (1 broadcast(s))
Received 0 response(s)
With this fix:
# arping -c 1 -I bpq0 172.20.1.3
ARPING 172.20.1.3 from 172.20.1.2 bpq0
Unicast reply from 172.20.1.3 [88:98:60:A0:92:40:02] 1.402ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
Closes: https://github.com/iputils/iputils/pull/360
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[ pvorel: add new lines for readability ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
arping.c | 32 +++++++++++++++++++++++++++++---
1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/arping.c b/arping.c
index 53fdbb48..5df6d9f0 100644
--- a/arping.c
+++ b/arping.c
@@ -37,6 +37,14 @@
#include "iputils_common.h"
+/*
+ * As of July 2021 AX.25 PID values are not currently defined in any
+ * userspace headers.
+ */
+#ifndef AX25_P_IP
+# define AX25_P_IP 0xcc /* ARPA Internet Protocol */
+#endif
+
#ifdef DEFAULT_DEVICE
# define DEFAULT_DEVICE_STR DEFAULT_DEVICE
#else
@@ -248,7 +256,17 @@ static int send_pack(struct run_state *ctl)
ah->ar_hrd = htons(ME->sll_hatype);
if (ah->ar_hrd == htons(ARPHRD_FDDI))
ah->ar_hrd = htons(ARPHRD_ETHER);
- ah->ar_pro = htons(ETH_P_IP);
+
+ /*
+ * Exceptions everywhere. AX.25 uses the AX.25 PID value not the
+ * DIX code for the protocol. Make these device structure fields.
+ */
+ if (ah->ar_hrd == htons(ARPHRD_AX25) ||
+ ah->ar_hrd == htons(ARPHRD_NETROM))
+ ah->ar_pro = htons(AX25_P_IP);
+ else
+ ah->ar_pro = htons(ETH_P_IP);
+
ah->ar_hln = ME->sll_halen;
ah->ar_pln = 4;
ah->ar_op = ctl->advert ? htons(ARPOP_REPLY) : htons(ARPOP_REQUEST);
@@ -341,9 +359,17 @@ static int recv_pack(struct run_state *ctl, unsigned char *buf, ssize_t len,
(FROM->sll_hatype != ARPHRD_FDDI || ah->ar_hrd != htons(ARPHRD_ETHER)))
return 0;
- /* Protocol must be IP. */
- if (ah->ar_pro != htons(ETH_P_IP))
+ /*
+ * Protocol must be IP - but exceptions everywhere. AX.25 and NETROM
+ * use the AX.25 PID value not the DIX code for the protocol.
+ */
+ if (ah->ar_hrd == htons(ARPHRD_AX25) ||
+ ah->ar_hrd == htons(ARPHRD_NETROM)) {
+ if (ah->ar_pro != htons(AX25_P_IP))
+ return 0;
+ } else if (ah->ar_pro != htons(ETH_P_IP))
return 0;
+
if (ah->ar_pln != 4)
return 0;
if (ah->ar_hln != ((struct sockaddr_ll *)&ctl->me)->sll_halen)

95
backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
View File

@ -1,95 +0,0 @@
From 7c65999f98bc4a1984594b7fad1af0eaf0b9d34b Mon Sep 17 00:00:00 2001
From: Lahav Schlesinger <lschlesinger@drivenets.com>
Date: Wed, 30 Jun 2021 13:06:13 +0300
Subject: [PATCH] ping: Fix ping6 binding to VRF and address
Since Linux kernel commit 1893ff20275b ("net/ipv6: Add l3mdev check to
ipv6_chk_addr_and_flags") from v4.17-rc1 ping fails when trying to
create IPv6 SOCK_RAW socket (e.g. if net.ipv4.ping_group_range = 1 0)
and passing both -I <vrf_interface> and -I <local_ipv6_addr>.
It works for IPv4 SOCK_RAW socket.
# ip netns add tmp_ns
# ip -n tmp_ns link add vrf_1 type vrf table 10001
# ip -n tmp_ns link add lo10 type dummy
# ip -n tmp_ns link set lo10 master vrf_1
# ip -n tmp_ns link set vrf_1 up
# ip -n tmp_ns link set lo10 up
# ip -n tmp_ns link set lo up
# ip -n tmp_ns addr add 1:2::3:4/128 dev lo10
# ip -n tmp_ns addr add 1.2.3.4/32 dev lo10
# ip netns exec tmp_ns ping -6 1:2::3:4 -I vrf_1 -I 1:2::3:4 -c 1 # IPv6 broken
ping: bind icmp socket: Cannot assign requested address
# ping 1.2.3.4 -I vrf_1 -I 1.2.3.4 -c 1 # IPv4 working
PING 1.2.3.4 (1.2.3.4) from 1.2.3.4 vrf_1: 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_seq=1 ttl=64 time=0.090 ms
--- 1.2.3.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
ping fails because it doesn't actually bind to the VRF interface, while
after 1893ff20275b, binding to an IPv6 address searches only on the same
l3mdev as the device the function receives. If the socket wasn't
SO_BINDTODEVICE-ed, then the kernel will only search for devices that
are not ensalved to an l3mdev device (= in the default VRF), which will
cause the bind() to fail.
Only SOCK_RAW socket is affected. SOCK_DGRAM is not affected because
Linux kernel doesn't check the device the socket was SO_BINDTODEVICE-ed
to, but only the device from addr->sin6_scope_id (which if none is
passed, it will again only search devices in the default VRF).
NOTE: creating network namespace to reproduce the issue is needed just
on systems with net.ipv4.ping_group_range = 0 2147483647 (e.g. current
Fedora, openSUSE, Ubuntu), which causes to use SOCK_DGRAM socket.
Alternatively to force SOCK_RAW to it'd be enough just to properly set
net.ipv4.ping_group_range:
# echo "1 0" > /proc/sys/net/ipv4/ping_group_range
Closes: https://github.com/iputils/iputils/pull/344
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Lahav Schlesinger <lschlesinger@drivenets.com>
[ pvorel: adjusted commit message ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Conflict:NA
Reference: https://github.com/iputils/iputils/commit/7c65999f98bc4a1984594b7fad1af0eaf0b9d34b.patch
---
ping/ping6_common.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/ping/ping6_common.c b/ping/ping6_common.c
index fee11891..f40d279d 100644
--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
@@ -224,6 +224,8 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
if (rts->device) {
struct cmsghdr *cmsg;
struct in6_pktinfo *ipi;
+ int rc;
+ int errno_save;
cmsg = (struct cmsghdr *)(rts->cmsgbuf + rts->cmsglen);
rts->cmsglen += CMSG_SPACE(sizeof(*ipi));
@@ -234,6 +236,15 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
ipi = (struct in6_pktinfo *)CMSG_DATA(cmsg);
memset(ipi, 0, sizeof(*ipi));
ipi->ipi6_ifindex = if_name2index(rts->device);
+
+ enable_capability_raw();
+ rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+ rts->device, strlen(rts->device) + 1);
+ errno_save = errno;
+ disable_capability_raw();
+
+ if (rc == -1)
+ error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
}
if (IN6_IS_ADDR_MULTICAST(&rts->whereto6.sin6_addr)) {

32
backport-ping-Fix-potential-memory-leakage.patch
View File

@ -1,32 +0,0 @@
From 626ea66f3d54ba6e749230d3aa0ce8f4ddfded9c Mon Sep 17 00:00:00 2001
From: lvgenggeng <lvgenggeng@uniontech.com>
Date: Tue, 31 May 2022 08:37:38 +0800
Subject: [PATCH] ping: Fix potential memory leakage
If user use '-p' opt multi-times, the previous pointer generated by
strdup() will be discarded.
Closes: https://github.com/iputils/iputils/pull/409
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: lvgenggeng <lvgenggeng@uniontech.com>
---
ping/ping.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ping/ping.c b/ping/ping.c
index 8a7f701..10f2cf3 100644
--- a/ping/ping.c
+++ b/ping/ping.c
@@ -449,6 +449,7 @@ main(int argc, char **argv)
break;
case 'p':
rts.opt_pingfilled = 1;
+ free(outpack_fill);
outpack_fill = strdup(optarg);
if (!outpack_fill)
error(2, errno, _("memory allocation failed"));
--
2.27.0

129
backport-ping-Print-reply-from-Subnet-Router-anycast-address.patch
View File

@ -1,129 +0,0 @@
From 15a5e5c7aace5a7a782ff802988e04ed4c1148a5 Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Mon, 18 Oct 2021 15:13:44 +0200
Subject: [PATCH] ping: Print reply from Subnet-Router anycast address
by detecting Subnet-Router address for 64 bit prefix and suppress
address comparison check.
5e052ad ("ping: discard packets with wrong source address") correctly
hid replies with wrong source address to comply RFC 1122 (Section
3.2.1.3: "The IP source address in an ICMP Echo Reply MUST be the same
as the specific-destination address").
While change in 5e052ad works for broadcast and multicast addresses and
some of anycast addresses, it does not work for (at least) Subnet-Router
anycast address):
# VETH1_IPV6=fd00:dead:beef:1234::1
# VPEER1_IPV6=fd00:dead:beef:1234::2
# ip netns add ns-ipv6
# ip li add name veth1 type veth peer name vpeer1
# ip -6 addr add $VETH1_IPV6/64 dev veth1
# ip li set dev veth1 up
# ip li set dev vpeer1 netns ns-ipv6
# ip netns exec ns-ipv6 ip li set dev lo up
# ip netns exec ns-ipv6 ip -6 addr add $VPEER1_IPV6/64 dev vpeer1
# ip netns exec ns-ipv6 ip li set vpeer1 up
# ip netns exec ns-ipv6 ip -6 route add default dev vpeer1 via $VETH1_IPV6
# sysctl -w net.ipv6.conf.all.forwarding=1
$ ping -c1 ff02::1 # anycast - all nodes
PING ff02::1(ff02::1) 56 data bytes
64 bytes from fe80::9c9c:ffff:fe14:e9d2%vpeer1: icmp_seq=1 ttl=64 time=0.064 ms
$ ping -c1 ff02::2 # anycast - all routers
PING ff02::2(ff02::2) 56 data bytes
64 bytes from fe80::5496:9ff:fef5:8f01%vpeer1: icmp_seq=1 ttl=64 time=0.088 ms
$ ping -c1 -W5 fd00:dead:beef:1234:: # Subnet-Router anycast
PING fd00:dead:beef:1234::(fd00:dead:beef:1234::) 56 data bytes
Subnet-Router anycast address works for both busybox ping (without
printing the real source address) and fping:
$ busybox ping -c1 fd00:dead:beef:1234::
PING fd00:dead:beef:1234:: (fd00:dead:beef:1234::): 56 data bytes
64 bytes from fd00:dead:beef:1234::1: seq=0 ttl=64 time=0.122 ms
$ fping -c1 fd00:dead:beef:1234::
[<- fd00:dead:beef:1234::1]fd00:dead:beef:1234:: : [0], 64 bytes, 0.096 ms (0.096 avg, 0% loss)
RFC 4291 specifies Subnet-Router anycast address as [1]:
The Subnet-Router anycast address is predefined. Its format is as
follows:
| n bits | 128-n bits |
+------------------------------------------------+----------------+
| subnet prefix | 00000000000000 |
+------------------------------------------------+----------------+
The "subnet prefix" in an anycast address is the prefix that
identifies a specific link. This anycast address is syntactically
the same as a unicast address for an interface on the link with the
interface identifier set to zero.
=> to detect Subnet-Router anycast address we need to know prefix, which
we don't know, thus detect it for prefix 64 (the default IPv6 prefix).
[1] https://datatracker.ietf.org/doc/html/rfc4291#section-2.6.1
Fixes: 5e052ad ("ping: discard packets with wrong source address")
Closes: https://github.com/iputils/iputils/issues/371
Reported-by: Tim Sandquist
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
ping/ping.h | 1 +
ping/ping6_common.c | 12 +++++++++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/ping/ping.h b/ping/ping.h
index 1be4df58..ce1d719d 100644
--- a/ping/ping.h
+++ b/ping/ping.h
@@ -212,6 +212,7 @@ struct ping_rts {
#endif
/* Used only in ping6_common.c */
+ int subnet_router_anycast; /* Subnet-Router anycast (RFC 4291) */
struct sockaddr_in6 firsthop;
unsigned char cmsgbuf[4096];
size_t cmsglen;
diff --git a/ping/ping6_common.c b/ping/ping6_common.c
index 986210b6..e807070e 100644
--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
@@ -102,6 +102,7 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
struct socket_st *sock)
{
int hold, packlen;
+ size_t i;
unsigned char *packet;
char *target;
struct icmp6_filter filter;
@@ -248,6 +249,15 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
rts->pmtudisc = IPV6_PMTUDISC_DO;
}
+ /* detect Subnet-Router anycast at least for the default prefix 64 */
+ rts->subnet_router_anycast = 1;
+ for (i = 8; i < sizeof(struct in6_addr); i++) {
+ if (rts->whereto6.sin6_addr.s6_addr[i]) {
+ rts->subnet_router_anycast = 0;
+ break;
+ }
+ }
+
if (rts->pmtudisc >= 0) {
if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &rts->pmtudisc,
sizeof rts->pmtudisc) == -1)
@@ -819,7 +829,7 @@ int ping6_parse_reply(struct ping_rts *rts, socket_st *sock,
}
if (icmph->icmp6_type == ICMP6_ECHO_REPLY) {
- if (!rts->multicast &&
+ if (!rts->multicast && !rts->subnet_router_anycast &&
memcmp(&from->sin6_addr.s6_addr, &rts->whereto6.sin6_addr.s6_addr, 16))
return 1;
if (!is_ours(rts, sock, icmph->icmp6_id))

145
backport-ping-Print-reply-with-wrong-source-with-warning.patch
View File

@ -1,145 +0,0 @@
From 5f6bec5ab57cc8beaa78f5756a0ffbdf01f28d36 Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Fri, 15 Oct 2021 17:38:51 +0200
Subject: [PATCH] ping: Print reply with wrong source with warning
5e052ad ("ping: discard packets with wrong source address") correctly
hid replies with wrong source address to comply RFC 1122 (Section
3.2.1.3: "The IP source address in an ICMP Echo Reply MUST be the same
as the specific-destination address").
This caused to hide reply when pinging Subnet-Router anycast address.
Although it was fixed in the previous commit, relax this to admit the
reply but print warning "DIFFERENT ADDRESS!". ping is diagnostic program,
with insisting on RFC we force people to use tcpdump to see replies.
Link: https://github.com/iputils/iputils/issues/371
Reviewed-by: Matteo Croce <mcroce@microsoft.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
ping/ping.c | 10 ++++++----
ping/ping.h | 3 ++-
ping/ping6_common.c | 13 ++++++++-----
ping/ping_common.c | 6 +++++-
4 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/ping/ping.c b/ping/ping.c
index 0655bf4a..81ee7c86 100644
--- a/ping/ping.c
+++ b/ping/ping.c
@@ -1504,6 +1504,7 @@ int ping4_parse_reply(struct ping_rts *rts, struct socket_st *sock,
int reply_ttl;
uint8_t *opts, *tmp_ttl;
int olen;
+ int wrong_source = 0;
/* Check the IP header */
ip = (struct iphdr *)buf;
@@ -1544,15 +1545,16 @@ int ping4_parse_reply(struct ping_rts *rts, struct socket_st *sock,
csfailed = in_cksum((unsigned short *)icp, cc, 0);
if (icp->type == ICMP_ECHOREPLY) {
- if (!rts->broadcast_pings && !rts->multicast &&
- from->sin_addr.s_addr != rts->whereto.sin_addr.s_addr)
- return 1;
if (!is_ours(rts, sock, icp->un.echo.id))
return 1; /* 'Twas not our ECHO */
+
+ if (!rts->broadcast_pings && !rts->multicast &&
+ from->sin_addr.s_addr != rts->whereto.sin_addr.s_addr)
+ wrong_source = 1;
if (gather_statistics(rts, (uint8_t *)icp, sizeof(*icp), cc,
ntohs(icp->un.echo.sequence),
reply_ttl, 0, tv, pr_addr(rts, from, sizeof *from),
- pr_echo_reply, rts->multicast)) {
+ pr_echo_reply, rts->multicast, wrong_source)) {
fflush(stdout);
return 0;
}
diff --git a/ping/ping.h b/ping/ping.h
index ce1d719d..1697c3ec 100644
--- a/ping/ping.h
+++ b/ping/ping.h
@@ -389,7 +389,8 @@ extern void common_options(int ch);
extern int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
int cc, uint16_t seq, int hops,
int csfailed, struct timeval *tv, char *from,
- void (*pr_reply)(uint8_t *ptr, int cc), int multicast);
+ void (*pr_reply)(uint8_t *ptr, int cc), int multicast,
+ int wrong_source);
extern void print_timestamp(struct ping_rts *rts);
void fill(struct ping_rts *rts, char *patp, unsigned char *packet, size_t packet_size);
diff --git a/ping/ping6_common.c b/ping/ping6_common.c
index e807070e..fee11891 100644
--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
@@ -803,6 +803,7 @@ int ping6_parse_reply(struct ping_rts *rts, socket_st *sock,
struct cmsghdr *c;
struct icmp6_hdr *icmph;
int hops = -1;
+ int wrong_source = 0;
for (c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
if (c->cmsg_level != IPPROTO_IPV6)
@@ -829,16 +830,18 @@ int ping6_parse_reply(struct ping_rts *rts, socket_st *sock,
}
if (icmph->icmp6_type == ICMP6_ECHO_REPLY) {
- if (!rts->multicast && !rts->subnet_router_anycast &&
- memcmp(&from->sin6_addr.s6_addr, &rts->whereto6.sin6_addr.s6_addr, 16))
- return 1;
if (!is_ours(rts, sock, icmph->icmp6_id))
return 1;
+
+ if (!rts->multicast && !rts->subnet_router_anycast &&
+ memcmp(&from->sin6_addr.s6_addr, &rts->whereto6.sin6_addr.s6_addr, 16))
+ wrong_source = 1;
+
if (gather_statistics(rts, (uint8_t *)icmph, sizeof(*icmph), cc,
ntohs(icmph->icmp6_seq),
hops, 0, tv, pr_addr(rts, from, sizeof *from),
pr_echo_reply,
- rts->multicast)) {
+ rts->multicast, wrong_source)) {
fflush(stdout);
return 0;
}
@@ -851,7 +854,7 @@ int ping6_parse_reply(struct ping_rts *rts, socket_st *sock,
seq,
hops, 0, tv, pr_addr(rts, from, sizeof *from),
pr_niquery_reply,
- rts->multicast))
+ rts->multicast, 0))
return 0;
} else {
int nexthdr;
diff --git a/ping/ping_common.c b/ping/ping_common.c
index 357c39d7..03362590 100644
--- a/ping/ping_common.c
+++ b/ping/ping_common.c
@@ -711,7 +711,8 @@ int main_loop(struct ping_rts *rts, ping_func_set_st *fset, socket_st *sock,
int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
int cc, uint16_t seq, int hops,
int csfailed, struct timeval *tv, char *from,
- void (*pr_reply)(uint8_t *icmph, int cc), int multicast)
+ void (*pr_reply)(uint8_t *icmph, int cc), int multicast,
+ int wrong_source)
{
int dupflag = 0;
long triptime = 0;
@@ -804,10 +805,13 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
printf(_(" time=%ld.%03ld ms"), triptime / 1000,
triptime % 1000);
}
+
if (dupflag && (!multicast || rts->opt_verbose))
printf(_(" (DUP!)"));
if (csfailed)
printf(_(" (BAD CHECKSUM!)"));
+ if (wrong_source)
+ printf(_(" (DIFFERENT ADDRESS!)"));
/* check the data */
cp = ((unsigned char *)ptr) + sizeof(struct timeval);

54
backport-ping6-Avoid-binding-to-non-VRF.patch
View File

@ -1,54 +0,0 @@
From f52b582248f1f870e870a9973621805d969906b4 Mon Sep 17 00:00:00 2001
From: Petr Vorel <pvorel@suse.cz>
Date: Tue, 9 Nov 2021 02:39:56 +0100
Subject: [PATCH] ping6: Avoid binding to non-VRF
This fixes permission issue when specifying just address (without VRF)
unless having CAP_NET_ADMIN (i.e. root) permission:
$ ./builddir/ping/ping -c1 -I lo ::1
./builddir/ping/ping: SO_BINDTODEVICE lo: Operation not permitted
because setsockopt() SO_BINDTODEVICE (similar to bind()) can be only done on
opt_strictsource.
Fixes: 7c65999 ("ping: Fix ping6 binding to VRF and address")
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Conflict:NA
Reference: https://github.com/iputils/iputils/commit/f52b582248f1f870e870a9973621805d969906b4.patch
---
ping/ping6_common.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/ping/ping6_common.c b/ping/ping6_common.c
index f40d279d..7a43ef6a 100644
--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
@@ -237,14 +237,16 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
memset(ipi, 0, sizeof(*ipi));
ipi->ipi6_ifindex = if_name2index(rts->device);
- enable_capability_raw();
- rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
- rts->device, strlen(rts->device) + 1);
- errno_save = errno;
- disable_capability_raw();
-
- if (rc == -1)
- error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
+ if (rts->opt_strictsource) {
+ enable_capability_raw();
+ rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+ rts->device, strlen(rts->device) + 1);
+ errno_save = errno;
+ disable_capability_raw();
+
+ if (rc == -1)
+ error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
+ }
}
if (IN6_IS_ADDR_MULTICAST(&rts->whereto6.sin6_addr)) {

37
bugfix-rdisc-remove-PrivateUsers=yes-from-systemd-service-file.patch
View File

@ -1,37 +0,0 @@
From 21d0826711b750367edaf01645aac1d03b3b7611 Mon Sep 17 00:00:00 2001
From: Sami Kerola <kerolasa@iki.fi>
Date: Wed, 3 Mar 2021 20:51:18 +0000
Subject: [PATCH] rdisc: remove PrivateUsers=yes from systemd service file
Quoting systemd.exec(5) manual page 'Specifically this means that the
process will have zero process capabilities on the host's user namespace'.
That does not combine will with CAP_NET_RAW that needs to take effect host's
namespace.
Secondly add CapabilityBoundingSet that is will ensure capabilities are
limited to the one and only capability it needs.
Fixes: https://github.com/iputils/iputils/issues/314
Reference: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
---
systemd/rdisc.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/rdisc.service.in b/systemd/rdisc.service.in
index 4e2a1ec..6ef7fc3 100644
--- a/systemd/rdisc.service.in
+++ b/systemd/rdisc.service.in
@@ -9,8 +9,8 @@ EnvironmentFile=-/etc/sysconfig/rdisc
ExecStart=@sbindir@/rdisc -f -t $OPTIONS $SEND_ADDRESS $RECEIVE_ADDRESS
AmbientCapabilities=CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_RAW
PrivateTmp=yes
-PrivateUsers=yes
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
--
2.23.0

BIN
iputils-20211215.tar.gz Normal file
View File

Binary file not shown.

BIN
iputils-s20210722.tar.gz
View File

Binary file not shown.

23
iputils.spec
View File

@ -1,11 +1,11 @@
Name: iputils
Version: 20210722
Release: 6
Version: 20211215
Release: 1
Summary: Network monitoring tools including ping
License: BSD and GPLv2+
URL: https://github.com/iputils/iputils
Source0: https://github.com/iputils/iputils/archive/s%{version}.tar.gz#/%{name}-s%{version}.tar.gz
Source0: https://github.com/iputils/iputils/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: ifenslave.tar.gz
Source2: rdisc.service
Source3: ninfod.service
@ -14,15 +14,6 @@ Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Patch0000: iputils-ifenslave.patch
Patch0001: iputils-ifenslave-CWE-170.patch
Patch0002: backport-arping-exit-0-if-running-in-deadline-mode-and-we-see-replies.patch
Patch0003: backport-arping-fix-typo-in-error-checking.patch
Patch0004: backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
Patch0005: backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
Patch0006: backport-ping6-Avoid-binding-to-non-VRF.patch
Patch0007: arping-Fix-exit-code-on-w-option.patch
Patch0008: backport-ping-Print-reply-from-Subnet-Router-anycast-address.patch
Patch0009: backport-ping-Print-reply-with-wrong-source-with-warning.patch
Patch0010: backport-ping-Fix-potential-memory-leakage.patch
BuildRequires: gcc meson libidn2-devel openssl-devel libcap-devel libxslt
BuildRequires: docbook5-style-xsl systemd iproute glibc-kernheaders gettext
@ -56,7 +47,7 @@ cp %{SOURCE4} %{SOURCE5} .
export CFLAGS="-fpie"
export LDFLAGS="-pie -Wl,-z,relro,-z,now"
%meson -DBUILD_TFTPD=false
%meson
%meson_build
gcc -Wall $RPM_OPT_FLAGS $CFLAGS $RPM_LD_FLAGS $LDFLAGS ifenslave.c -o ifenslave
@ -121,6 +112,12 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
%{_unitdir}/ninfod.service
%changelog
* Mon Jul 11 2022 yinyongkang <yinyongkang@kylinos.cn> - 20211215-1
- Type:requirements
- ID:NA
- SUG:NA
- DESC: update iputils to 20211215
* Mon Jun 20 2022 lvgenggeng <lvgenggeng@uniontech.com> - 20210722-6
- Type:bugfix
- ID:NA