From 86e59a1ef9148016f717558dda3478f5740c1a06 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Jan 12 2024 16:47:08 +0000 Subject: iptables-1.8.10-5 - Backport fixes from upstream - Fix flatpak build --- diff --git a/0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch b/0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch new file mode 100644 index 0000000..35b5973 --- /dev/null +++ b/0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch 
@@ -0,0 +1,81 @@ +From 88d7c7c51b4523add8b7d48209b5b6a316442e0f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 12 Oct 2023 17:27:42 +0200 +Subject: [PATCH] libiptc: Fix for another segfault due to chain index NULL + pointer + +Chain rename code missed to adjust the num_chains value which is used to +calculate the number of chain index buckets to allocate during an index +rebuild. So with the right number of chains present, the last chain in a +middle bucket being renamed (and ending up in another bucket) triggers +an index rebuild based on false data. The resulting NULL pointer index +bucket then causes a segfault upon reinsertion. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713 +Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc") +(cherry picked from commit e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620) +--- + .../testcases/chain/0008rename-segfault2_0 | 32 +++++++++++++++++++ + libiptc/libiptc.c | 4 +++ + 2 files changed, 36 insertions(+) + create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0 + +diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 +new file mode 100755 +index 0000000000000..bc473d2511bbd +--- /dev/null ++++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 +@@ -0,0 +1,32 @@ ++#!/bin/bash ++# ++# Another funny rename bug in libiptc: ++# If there is a chain index bucket with only a single chain in it and it is not ++# the last one and that chain is renamed, a chain index rebuild is triggered. ++# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an ++# extra index is allocated and remains NULL. The following insert of renamed ++# chain then segfaults. 
++ ++( ++ echo "*filter" ++ # first bucket ++ for ((i = 0; i < 40; i++)); do ++ echo ":chain-a-$i - [0:0]" ++ done ++ # second bucket ++ for ((i = 0; i < 40; i++)); do ++ echo ":chain-b-$i - [0:0]" ++ done ++ # third bucket, just make sure it exists ++ echo ":chain-c-0 - [0:0]" ++ echo "COMMIT" ++) | $XT_MULTI iptables-restore ++ ++# rename all chains of the middle bucket ++( ++ echo "*filter" ++ for ((i = 0; i < 40; i++)); do ++ echo "-E chain-b-$i chain-d-$i" ++ done ++ echo "COMMIT" ++) | $XT_MULTI iptables-restore --noflush +diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c +index e475063367c26..9712a36353b9a 100644 +--- a/libiptc/libiptc.c ++++ b/libiptc/libiptc.c +@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname, + return 0; + } + ++ handle->num_chains--; ++ + /* This only unlinks "c" from the list, thus no free(c) */ + iptcc_chain_index_delete_chain(c, handle); + + /* Change the name of the chain */ + strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1); + ++ handle->num_chains++; ++ + /* Insert sorted into to list again */ + iptc_insert_chain(handle, c); + diff --git a/0002-arptables-nft-remove-ARPT_INV-flags-usage.patch b/0002-arptables-nft-remove-ARPT_INV-flags-usage.patch new file mode 100644 index 0000000..c384e4b --- /dev/null +++ b/0002-arptables-nft-remove-ARPT_INV-flags-usage.patch 
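Review bot: The `handle->num_chains--` / `handle->num_chains++` pair bracketing iptcc_chain_index_delete_chain() and the rename carries no comment, so the next reader cannot tell why the count is lowered for a chain that is never actually freed. Suggest a comment above the decrement along the lines of `/* Temporarily take c out of the chain count: if unlinking triggers an index rebuild, the bucket count must match the chains still in the list; c is re-inserted below. */`. The two adjustments must stay paired on every path between them; no early exit is visible in the hunk, but the rest of TC_RENAME_CHAIN() lies outside it.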
@@ -0,0 +1,81 @@ +From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 3 Nov 2023 17:33:22 +0100 +Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage + +ARPT_ and IPT_INV flags are not interchangeable, e.g.: +define IPT_INV_SRCDEVADDR 0x0080 +define ARPT_INV_SRCDEVADDR 0x0010 + +as these flags can be tested by libarp_foo.so such checks can yield +incorrect results. + +Because arptables-nft uses existing code, e.g. xt_mark, it makes +sense to unify this completely by converting the last users of +ARPT_INV_ constants. + +Note that arptables-legacy does not do run-time module loading via +dlopen(). Functionaliy implemented by "extensions" in the +arptables-legacy git tree are built-in, so this doesn't break +arptables-legacy binaries. + +Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*") +Signed-off-by: Florian Westphal +Signed-off-by: Phil Sutter +(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68) +--- + extensions/libarpt_mangle.c | 4 ++-- + iptables/nft-arp.c | 2 +- + iptables/xshared.h | 4 +++- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c +index 765edf34781f3..a846e97ec8f27 100644 +--- a/extensions/libarpt_mangle.c ++++ b/extensions/libarpt_mangle.c +@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags, + if (e->arp.arhln_mask == 0) + xtables_error(PARAMETER_PROBLEM, + "no --h-length defined"); +- if (e->arp.invflags & ARPT_INV_ARPHLN) ++ if (e->arp.invflags & IPT_INV_ARPHLN) + xtables_error(PARAMETER_PROBLEM, + "! --h-length not allowed for " + "--mangle-mac-s"); +@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags, + if (e->arp.arhln_mask == 0) + xtables_error(PARAMETER_PROBLEM, + "no --h-length defined"); +- if (e->arp.invflags & ARPT_INV_ARPHLN) ++ if (e->arp.invflags & IPT_INV_ARPHLN) + xtables_error(PARAMETER_PROBLEM, + "! 
hln not allowed for --mangle-mac-d"); + if (e->arp.arhln != 6) +diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c +index aed39ebdd5166..535dd6b83237b 100644 +--- a/iptables/nft-arp.c ++++ b/iptables/nft-arp.c +@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command, + &args->d.naddrs); + + if ((args->s.naddrs > 1 || args->d.naddrs > 1) && +- (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP))) ++ (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP))) + xtables_error(PARAMETER_PROBLEM, + "! not allowed with multiple" + " source or destination IP addresses"); +diff --git a/iptables/xshared.h b/iptables/xshared.h +index a200e0d620ad3..5586385456a4d 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -80,7 +80,9 @@ struct xtables_target; + #define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */ + #define EBT_OPTSTRING OPTSTRING_COMMON "hv" + +-/* define invflags which won't collide with IPT ones */ ++/* define invflags which won't collide with IPT ones. ++ * arptables-nft does NOT use the legacy ARPT_INV_* defines. ++ */ + #define IPT_INV_SRCDEVADDR 0x0080 + #define IPT_INV_TGTDEVADDR 0x0100 + #define IPT_INV_ARPHLN 0x0200 diff --git a/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch b/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch new file mode 100644 index 0000000..3386925 --- /dev/null +++ b/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch 
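Review bot: The new comment in xshared.h says arptables-nft does not use ARPT_INV_*, but it does not tell an extension author which IPT_INV_* value stands in for which legacy flag; the three substitutions in this patch (ARPT_INV_ARPHLN → IPT_INV_ARPHLN, ARPT_INV_SRCIP → IPT_INV_SRCIP, ARPT_INV_TGTIP → IPT_INV_DSTIP) are currently the only record of that mapping. Suggest extending the comment with one more line, e.g. `* Extensions must use IPT_INV_SRCIP/DSTIP/ARPHLN and the IPT_INV_*DEVADDR values below in place of the kernel's ARPT_INV_* names.`. Nothing in the header stops an extension from still picking up the kernel's ARPT_INV_* definitions, so this comment is the only guard against the value clash described in the commit message (0x0080 vs 0x0010 for SRCDEVADDR); a tree-wide grep for `ARPT_INV_` under extensions/ would catch regressions if the project has such a check.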
@@ -0,0 +1,63 @@ +From b7051898e28854b21bc7a37ef24ca037ef977e4a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 7 Nov 2023 19:12:14 +0100 +Subject: [PATCH] ebtables: Fix corner-case noflush restore bug + +Report came from firwalld, but this is actually rather hard to trigger. +Since a regular chain line prevents it, typical dump/restore use-cases +are unaffected. + +Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation") +Cc: Eric Garver +Signed-off-by: Phil Sutter +(cherry picked from commit c1083acea70787eea3f7929fd04718434bb05ba8) +--- + .../testcases/ebtables/0009-broute-bug_0 | 25 +++++++++++++++++++ + iptables/xtables-eb.c | 2 ++ + 2 files changed, 27 insertions(+) + create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 + +diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 +new file mode 100755 +index 0000000000000..0def0ac58e7be +--- /dev/null ++++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 +@@ -0,0 +1,25 @@ ++#!/bin/sh ++# ++# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring: ++# - with --noflush ++# - a second table after the broute one ++# - A policy command but no chain line for BROUTING chain ++ ++set -e ++ ++case "$XT_MULTI" in ++*xtables-nft-multi) ++ ;; ++*) ++ echo "skip $XT_MULTI" ++ exit 0 ++ ;; ++esac ++ ++$XT_MULTI ebtables-restore --noflush < +Date: Sun, 19 Nov 2023 13:18:26 +0100 +Subject: [PATCH] xshared: struct xt_cmd_parse::xlate is unused + +Drop the boolean, it was meant to disable some existence checks in +do_parse() prior to the caching rework. Now that do_parse() runs before +any caching is done, the checks in question don't exist anymore so drop +this relict. 
+ +Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands") +Signed-off-by: Phil Sutter +(cherry picked from commit b180d9c86d2cce6ab6fd3e3617faf320a8a1babb) +--- + iptables/xshared.h | 1 - + iptables/xtables-translate.c | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/iptables/xshared.h b/iptables/xshared.h +index 5586385456a4d..c77556a1987dc 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -284,7 +284,6 @@ struct xt_cmd_parse { + bool restore; + int line; + int verbose; +- bool xlate; + struct xt_cmd_parse_ops *ops; + }; + +diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c +index 88e0a6b639494..c019cd2991305 100644 +--- a/iptables/xtables-translate.c ++++ b/iptables/xtables-translate.c +@@ -249,7 +249,6 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[], + .table = *table, + .restore = restore, + .line = line, +- .xlate = true, + .ops = &h->ops->cmd_parse, + }; + struct iptables_command_state cs = { diff --git a/0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch b/0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch new file mode 100644 index 0000000..c743e75 --- /dev/null +++ b/0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch 
@@ -0,0 +1,31 @@ +From 436dd5a6ba5639c8e83183f6252ce7bd37760e1c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Sun, 19 Nov 2023 13:25:36 +0100 +Subject: [PATCH] xshared: All variants support -v, update OPTSTRING_COMMON + +Fixes: 51d9d9e081344 ("ebtables: Support verbose mode") +Signed-off-by: Phil Sutter +(cherry picked from commit 9a9ff768cab58aea02828e422184873e52e9846a) +--- + iptables/xshared.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/iptables/xshared.h b/iptables/xshared.h +index c77556a1987dc..815b9d3e98726 100644 +--- a/iptables/xshared.h ++++ b/iptables/xshared.h +@@ -75,10 +75,10 @@ struct xtables_globals; + struct xtables_rule_match; + struct xtables_target; + +-#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:" +-#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x" +-#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */ +-#define EBT_OPTSTRING OPTSTRING_COMMON "hv" ++#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:v" ++#define IPT_OPTSTRING OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nw::x" ++#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nx" /* "m:" */ ++#define EBT_OPTSTRING OPTSTRING_COMMON "h" + + /* define invflags which won't collide with IPT ones. + * arptables-nft does NOT use the legacy ARPT_INV_* defines. diff --git a/0006-ebtables-Align-line-number-formatting-with-legacy.patch b/0006-ebtables-Align-line-number-formatting-with-legacy.patch new file mode 100644 index 0000000..07bea3a --- /dev/null +++ b/0006-ebtables-Align-line-number-formatting-with-legacy.patch 
@@ -0,0 +1,28 @@ +From ffd0c96de7bbc558b9b7a8bcbeebd9576fec8e59 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 21 Nov 2023 22:58:47 +0100 +Subject: [PATCH] ebtables: Align line number formatting with legacy + +Legacy ebtables appends a dot to the number printed in first column if +--Ln flag was given. + +Fixes: da871de2a6efb ("nft: bootstrap ebtables-compat") +Signed-off-by: Phil Sutter +(cherry picked from commit 74253799f0ca0735256327e834b7dffedde96ebf) +--- + iptables/nft-bridge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c +index d9a8ad2b0f373..e414ef5584392 100644 +--- a/iptables/nft-bridge.c ++++ b/iptables/nft-bridge.c +@@ -354,7 +354,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r, + struct iptables_command_state cs = {}; + + if (format & FMT_LINENUMBERS) +- printf("%d ", num); ++ printf("%d. ", num); + + nft_rule_to_ebtables_command_state(h, r, &cs); + __nft_bridge_save_rule(&cs, format); diff --git a/0007-man-Do-not-escape-exclamation-marks.patch b/0007-man-Do-not-escape-exclamation-marks.patch new file mode 100644 index 0000000..b088c63 --- /dev/null +++ b/0007-man-Do-not-escape-exclamation-marks.patch 
@@ -0,0 +1,44 @@ +From 1c9549af3566e6c0b5573d6f91b25934d8d99f79 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 28 Nov 2023 13:29:17 +0100 +Subject: [PATCH] man: Do not escape exclamation marks + +This appears to be not necessary, also mandoc complains about it: + +| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \! + +Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage") +Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage") +Signed-off-by: Phil Sutter +(cherry picked from commit d8c64911cfd602f57354f36e5ca79bbedd62aa7a) +--- + extensions/libip6t_DNPT.man | 2 +- + extensions/libip6t_SNPT.man | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man +index 9b060f5b7179b..72c6ae5d422a2 100644 +--- a/extensions/libip6t_DNPT.man ++++ b/extensions/libip6t_DNPT.man +@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length + .PP + You have to use the SNPT target to undo the translation. Example: + .IP +-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 ++ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0 + \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 + .IP + ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 +diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man +index 97e0071b43cc1..0c926978377a7 100644 +--- a/extensions/libip6t_SNPT.man ++++ b/extensions/libip6t_SNPT.man +@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length + .PP + You have to use the DNPT target to undo the translation. Example: + .IP +-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0 ++ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0 + \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64 + .IP + ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 
diff --git a/0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch b/0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch
new file mode 100644
index 0000000..c0bbec2
--- /dev/null
+++ b/0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch
@@ -0,0 +1,49 @@ +From f667f577e6d29e62f55cdc4e1e39414913bf7c4c Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 28 Nov 2023 20:21:49 +0100 +Subject: [PATCH] libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks + +In order to parse the mask, xtopt_parse_hostmask() calls +xtopt_parse_plenmask() thereby limiting netmask support to prefix +lengths (alternatively specified in IP address notation). + +In order to lift this impractical restriction, make +xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may +fall back to xtopt_parse_mask() which correctly initializes val.hmask +itself and indicates non-CIDR-compatible masks by setting val.hlen to +-1. + +So in order to support these odd masks, it is sufficient for +xtopt_parse_plenmask() to skip its mask building from val.hlen value and +take whatever val.hmask contains. + +Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") +Signed-off-by: Phil Sutter +(cherry picked from commit 41139aee5e53304182a25f1e573f034b313f7232) +--- + libxtables/xtoptions.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index b16bbfbe32311..d91a78f470eda 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -711,6 +711,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb) + + xtopt_parse_plen(cb); + ++ /* may not be convertible to CIDR notation */ ++ if (cb->val.hlen == (uint8_t)-1) ++ goto out_put; ++ + memset(mask, 0xFF, sizeof(union nf_inet_addr)); + /* This shifting is AF-independent. */ + if (cb->val.hlen == 0) { +@@ -731,6 +735,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb) + mask[1] = htonl(mask[1]); + mask[2] = htonl(mask[2]); + mask[3] = htonl(mask[3]); ++out_put: + if (entry->flags & XTOPT_PUT) + memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr)); + } 
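Review bot: The early `goto out_put` skips the memset/shift sequence but still reaches `memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr))`, so the fix is only correct if `mask` aliases `cb->val.hmask` (which the commit message says xtopt_parse_mask() fills); that declaration is above the hunk and nothing at the jump site records the dependency. Suggest widening the new comment to `/* hlen == -1: xtopt_parse_mask() could not express the mask as a prefix length and has already filled val.hmask (which mask points at), so hand it on untouched */`. The `cb->val.hlen == (uint8_t)-1` comparison also assumes val.hlen is a uint8_t; if the field is wider the sentinel never matches — worth confirming against the struct definition. xtopt_parse_plenmask() begins before the hunk.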
diff --git a/0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch b/0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
new file mode 100644
index 0000000..7745634
--- /dev/null
+++ b/0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch
@@ -0,0 +1,114 @@ +From 2568af12c3cf96a8b28082e6188dba94441b21c1 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 19 Dec 2023 00:56:07 +0100 +Subject: [PATCH] iptables-legacy: Fix for mandatory lock waiting + +Parameter 'wait' passed to xtables_lock() signals three modes of +operation, depending on its value: + + 0: --wait not specified, do not wait if lock is busy +-1: --wait specified without value, wait indefinitely until lock becomes + free +>0: Wait for 'wait' seconds for lock to become free, abort otherwise + +Since fixed commit, the first two cases were treated the same apart from +calling alarm(0), but that is a nop if no alarm is pending. Fix the code +by requesting a non-blocking flock() in the second case. While at it, +restrict the alarm setup to the third case only. + +Cc: Jethro Beekman +Cc: howardjohn@google.com +Cc: Antonio Ojea +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728 +Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals") +Signed-off-by: Phil Sutter +(cherry picked from commit 63ab5b8906f6913a14d38ec231f21daa760339a9) +--- + .../shell/testcases/iptables/0010-wait_0 | 55 +++++++++++++++++++ + iptables/xshared.c | 4 +- + 2 files changed, 57 insertions(+), 2 deletions(-) + create mode 100755 iptables/tests/shell/testcases/iptables/0010-wait_0 + +diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0 +new file mode 100755 +index 0000000000000..4481f966ce435 +--- /dev/null ++++ b/iptables/tests/shell/testcases/iptables/0010-wait_0 +@@ -0,0 +1,55 @@ ++#!/bin/bash ++ ++case "$XT_MULTI" in ++*xtables-legacy-multi) ++ ;; ++*) ++ echo skip $XT_MULTI ++ exit 0 ++ ;; ++esac ++ ++coproc RESTORE { $XT_MULTI iptables-restore; } ++echo "*filter" >&${RESTORE[1]} ++ ++ ++$XT_MULTI iptables -A FORWARD -j ACCEPT & ++ipt_pid=$! ++ ++waitpid -t 1 $ipt_pid ++[[ $? -eq 3 ]] && { ++ echo "process waits when it should not" ++ exit 1 ++} ++wait $ipt_pid ++[[ $? 
-eq 0 ]] && { ++ echo "process exited 0 despite busy lock" ++ exit 1 ++} ++ ++t0=$(date +%s) ++$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT ++t1=$(date +%s) ++[[ $((t1 - t0)) -ge 3 ]] || { ++ echo "wait time not expired" ++ exit 1 ++} ++ ++$XT_MULTI iptables -w -A FORWARD -j ACCEPT & ++ipt_pid=$! ++ ++waitpid -t 3 $ipt_pid ++[[ $? -eq 3 ]] || { ++ echo "no indefinite wait" ++ exit 1 ++} ++kill $ipt_pid ++waitpid -t 3 $ipt_pid ++[[ $? -eq 3 ]] && { ++ echo "killed waiting iptables call did not exit in time" ++ exit 1 ++} ++ ++kill $RESTORE_PID ++wait ++exit 0 +diff --git a/iptables/xshared.c b/iptables/xshared.c +index 5f75a0a57a023..690502c457dd0 100644 +--- a/iptables/xshared.c ++++ b/iptables/xshared.c +@@ -270,7 +270,7 @@ static int xtables_lock(int wait) + return XT_LOCK_FAILED; + } + +- if (wait != -1) { ++ if (wait > 0) { + sigact_alarm.sa_handler = alarm_ignore; + sigact_alarm.sa_flags = SA_RESETHAND; + sigemptyset(&sigact_alarm.sa_mask); +@@ -278,7 +278,7 @@ static int xtables_lock(int wait) + alarm(wait); + } + +- if (flock(fd, LOCK_EX) == 0) ++ if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) == 0) + return fd; + + if (errno == EINTR) { diff --git a/0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch b/0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch new file mode 100644 index 0000000..ea88fa3 --- /dev/null +++ b/0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch 
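Review bot: The three-way contract of `wait` (0 / -1 / >0) that the two changed lines now encode is spelled out only in the commit message; a comment at the top of xtables_lock() would keep it with the code, e.g. `/* wait: 0 = give up if the lock is busy, -1 = block indefinitely, >0 = block at most wait seconds (alarm-based) */`. As written, any negative value other than -1 also blocks indefinitely, which may be intended but is not stated. xtables_lock()'s signature and the EINTR/EWOULDBLOCK handling after the flock() call lie outside the hunk. The new shell test relies on util-linux's waitpid(1) utility, which older releases lack; a skip when `command -v waitpid >/dev/null` fails would avoid a spurious failure there, assuming the harness treats exit 0 as skip the way the script's own `$XT_MULTI` check does.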
@@ -0,0 +1,40 @@ +From 07ab8c7e7a1eeb6a5bb4028d92d713034df39167 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Sun, 17 Dec 2023 13:02:36 +0100 +Subject: [PATCH] libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK + +Do as the comment in xtopt_parse_hostmask() claims and omit +XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate() +will catch the incompatibility. + +Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support") +(cherry picked from commit 17d724f20e3c97ea8ce8765ca532a3cf49a98b31) +--- + include/xtables.h | 1 - + libxtables/xtoptions.c | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/include/xtables.h b/include/xtables.h +index 087a1d600f9ae..9def9b43b6e58 100644 +--- a/include/xtables.h ++++ b/include/xtables.h +@@ -61,7 +61,6 @@ struct in_addr; + * %XTTYPE_SYSLOGLEVEL: syslog level by name or number + * %XTTYPE_HOST: one host or address (ptr: union nf_inet_addr) + * %XTTYPE_HOSTMASK: one host or address, with an optional prefix length +- * (ptr: union nf_inet_addr; only host portion is stored) + * %XTTYPE_PROTOCOL: protocol number/name from /etc/protocols (ptr: uint8_t) + * %XTTYPE_PORT: 16-bit port name or number (supports %XTOPT_NBO) + * %XTTYPE_PORTRC: colon-separated port range (names acceptable), +diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c +index d91a78f470eda..ba68056dc99f7 100644 +--- a/libxtables/xtoptions.c ++++ b/libxtables/xtoptions.c +@@ -57,7 +57,6 @@ static const size_t xtopt_psize[] = { + [XTTYPE_STRING] = -1, + [XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t), + [XTTYPE_HOST] = sizeof(union nf_inet_addr), +- [XTTYPE_HOSTMASK] = sizeof(union nf_inet_addr), + [XTTYPE_PROTOCOL] = sizeof(uint8_t), + [XTTYPE_PORT] = sizeof(uint16_t), + [XTTYPE_PORTRC] = sizeof(uint16_t[2]), diff --git a/iptables.spec b/iptables.spec index cc4091e..fcc549e 100644 --- a/iptables.spec +++ b/iptables.spec 
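Review bot: Dropping `[XTTYPE_HOSTMASK]` from the designated initializer leaves that slot implicitly zero rather than absent, so the rejection in xtables_option_metavalidate() depends on a 0 entry meaning "no XTOPT_PUT allowed" — the commit message asserts this but the hunk does not show it. A one-line comment at the spot would stop a later contributor from "fixing" the gap: `/* XTTYPE_HOSTMASK deliberately omitted: XTOPT_PUT is unsupported, see xtopt_parse_hostmask() */`. The include/xtables.h change removes the stale `(ptr: ...)` text from the HOSTMASK entry but does not state the positive rule; appending `(XTOPT_PUT not supported)` to that line would make the contract explicit for extension authors.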
@@ -11,7 +11,7 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities URL: https://www.netfilter.org/projects/iptables Version: 1.8.10 -Release: 4%{?dist} +Release: 5%{?dist} Source: %{url}/files/%{name}-%{version}.tar.xz Source1: iptables.init Source2: iptables-config @@ -20,6 +20,17 @@ Source4: sysconfig_iptables Source5: sysconfig_ip6tables Source6: arptables-nft-helper +Patch001: 0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch +Patch002: 0002-arptables-nft-remove-ARPT_INV-flags-usage.patch +Patch003: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch +Patch004: 0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch +Patch005: 0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch +Patch006: 0006-ebtables-Align-line-number-formatting-with-legacy.patch +Patch007: 0007-man-Do-not-escape-exclamation-marks.patch +Patch008: 0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch +Patch009: 0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch +Patch010: 0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch + # pf.os: ISC license # iptables-apply: Artistic Licence 2.0 License: GPL-2.0-only AND Artistic-2.0 AND ISC @@ -415,6 +426,10 @@ fi %changelog +* Thu Jan 11 2024 Phil Sutter - 1.8.10-5 +- Backport fixes from upstream +- Fix flatpak build + * Tue Nov 07 2023 Phil Sutter - 1.8.10-4 - The actual obsoletes fix
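Review bot: Patch001–Patch010 are declared in the second hunk, but nothing in view applies them; that is fine if %prep uses %autosetup (outside this excerpt), otherwise matching %patch lines are needed and the build would silently omit the backports. The changelog entry also lists "Fix flatpak build", yet the visible hunks only add the patch declarations and bump Release; if that fix is in a hunk past the end of this page, fine, otherwise the entry overstates the change. The third hunk (@@ -415) is cut off at the end of the page.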