backport patches from upstream

eaglegai 2021-08-03 15:19:59 +08:00
parent d4fd6f6ce4
commit f0418b2273
3 changed files with 186 additions and 1 deletions


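--- /dev/null
+++ b/backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch
@@ -0,0 +1,106 @@
+From 1c97bd67ee6c1097196ad12b36d011fbd3855f2d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 21 Jan 2021 16:41:35 +0100
+Subject: [PATCH] evaluate: disallow ct original {s,d}ddr from
+concatenations
+Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from
+maps") to cover concatenations too.
+Error: specify either ip or ip6 for address matching
+add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 }
+^^^^^^^^^^^^^^^^^
+The old syntax for ct original saddr without either ip or ip6 results
+in unknown key size, which breaks the listing. The old syntax is only
+allowed in simple rules for backward compatibility.
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=7d3a0799cfd0a7dbd179f2742b6632e66d1e9b6a
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+src/evaluate.c | 17 +++++++++++++++++
+tests/py/ip/ct.t | 4 ++++
+tests/py/ip/ct.t.payload | 19 +++++++++++++++++++
+3 files changed, 40 insertions(+)
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 53806424..a2274445 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1241,6 +1241,12 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr,
+list_for_each_entry_safe(i, next, &(*expr)->expressions, list) {
+unsigned dsize_bytes;
++ if (i->etype == EXPR_CT &&
++ (i->ct.key == NFT_CT_SRC ||
++ i->ct.key == NFT_CT_DST))
++ return expr_error(ctx->msgs, i,
++ "specify either ip or ip6 for address matching");
++
+if (expr_is_constant(*expr) && dtype && off == 0)
+return expr_binary_error(ctx->msgs, i, *expr,
+"unexpected concat component, "
+@@ -1423,6 +1429,17 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
+map->map->ct.key == NFT_CT_DST))
+return expr_error(ctx->msgs, map->map,
+"specify either ip or ip6 for address matching");
++ else if (map->map->etype == EXPR_CONCAT) {
++ struct expr *i;
++
++ list_for_each_entry(i, &map->map->expressions, list) {
++ if (i->etype == EXPR_CT &&
++ (i->ct.key == NFT_CT_SRC ||
++ i->ct.key == NFT_CT_DST))
++ return expr_error(ctx->msgs, i,
++ "specify either ip or ip6 for address matching");
++ }
++ }
+expr_set_context(&ctx->ectx, NULL, 0);
+if (expr_evaluate(ctx, &map->map) < 0)
+diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
+index c5ce1274..a387863e 100644
+--- a/tests/py/ip/ct.t
++++ b/tests/py/ip/ct.t
+@@ -24,3 +24,7 @@ ct reply ip daddr dead::beef;fail
+meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail
+meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok
++meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };fail
++meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok
++ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail
++ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok
+diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
+index 4f9e9809..6e2f23a7 100644
+--- a/tests/py/ip/ct.t.payload
++++ b/tests/py/ip/ct.t.payload
+@@ -69,3 +69,22 @@ ip
+[ ct load dst_ip => reg 1 , dir original ]
+[ lookup reg 1 set __map%d dreg 1 ]
+[ meta set mark with reg 1 ]
++
++# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }
++__map%d test-ip4 b
++__map%d test-ip4 0
++ element 01010101 00000014 : 0000001e 0 [end]
++ip
++ [ ct load src_ip => reg 1 , dir original ]
++ [ meta load mark => reg 9 ]
++ [ lookup reg 1 set __map%d dreg 1 ]
++ [ meta set mark with reg 1 ]
++
++# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }
++__set%d test-ip4 3
++__set%d test-ip4 0
++ element 01010101 00000014 : 0 [end]
++ip
++ [ ct load src_ip => reg 1 , dir original ]
++ [ meta load mark => reg 9 ]
++ [ lookup reg 1 set __set%d ]
+--
+2.27.0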
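Review bot: The EXPR_CONCAT branch added to expr_evaluate_map (the loop over map->map->expressions) repeats, component by component, the check this same patch adds to expr_evaluate_concat, and the key is then handed to expr_evaluate(ctx, &map->map) two lines later, which for a concatenation presumably reaches expr_evaluate_concat and would raise the identical error. The duplicate is harmless, but it leaves the ct-key test and the "specify either ip or ip6 for address matching" string in three places across the two backported patches, where they can drift apart. Since this is a verbatim upstream backport (Conflict:NA) keeping the code as-is is reasonable; if reporting the error before expr_set_context() resets the key context is the intent, a comment on the map-level loop such as `/* also rejected by expr_evaluate_concat(); duplicated here to report before the key context is reset */` would record why both exist. Both expr_evaluate_concat and expr_evaluate_map start and end outside the hunks shown.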


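--- /dev/null
+++ b/backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch
@@ -0,0 +1,70 @@
+From 93c192706eac3bbb017cfb5a8e1d56b81050ad3b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 15 Jan 2021 18:40:11 +0100
+Subject: [PATCH] evaluate: disallow ct original {s,d}ddr from maps
+test.nft:6:55-71: Error: specify either ip or ip6 for address matching
+add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
+^^^^^^^^^^^^^^^^^
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=8b043938e77b1f421beccff595117d6e4ff8eecc
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+src/evaluate.c | 6 ++++++
+tests/py/ip/ct.t | 3 +++
+tests/py/ip/ct.t.payload | 9 +++++++++
+3 files changed, 18 insertions(+)
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 303ae280..53806424 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1418,6 +1418,12 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
+const struct datatype *dtype;
+struct expr *key, *data;
++ if (map->map->etype == EXPR_CT &&
++ (map->map->ct.key == NFT_CT_SRC ||
++ map->map->ct.key == NFT_CT_DST))
++ return expr_error(ctx->msgs, map->map,
++ "specify either ip or ip6 for address matching");
++
+expr_set_context(&ctx->ectx, NULL, 0);
+if (expr_evaluate(ctx, &map->map) < 0)
+return -1;
+diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
+index d3247f79..c5ce1274 100644
+--- a/tests/py/ip/ct.t
++++ b/tests/py/ip/ct.t
+@@ -21,3 +21,6 @@ ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-s
+# wrong address family
+ct reply ip daddr dead::beef;fail
++
++meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail
++meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok
+diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
+index d5faed4c..4f9e9809 100644
+--- a/tests/py/ip/ct.t.payload
++++ b/tests/py/ip/ct.t.payload
+@@ -60,3 +60,12 @@ ip test-ip4 output
+[ cmp eq reg 1 0x00000011 ]
+[ ct load proto_src => reg 1 , dir reply ]
+[ cmp eq reg 1 0x00003500 ]
++
++# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }
++__map%d test-ip4 b
++__map%d test-ip4 0
++ element 01010101 : 00000011 0 [end]
++ip
++ [ ct load dst_ip => reg 1 , dir original ]
++ [ lookup reg 1 set __map%d dreg 1 ]
++ [ meta set mark with reg 1 ]
+--
+2.27.0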
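Review bot: The new guard in expr_evaluate_map is only exercised for the IPv4 family: tests/py/ip/ct.t gains a fail case for `ct original daddr` and an ok case for `ct original ip daddr`, but no ip6 counterpart is added, so the `ct original ip6 daddr map { ... }` form that the error message steers users toward is not shown to still evaluate after this change. A matching pair in the ip6 test file (fail for `ct original daddr`, ok for `ct original ip6 daddr`) would cover the other family the message names. The guard also reads map->map->ct.key before expr_evaluate() has run on the key, which is fine as long as ct.key is populated at parse time in this 0.9.6 backport target — worth confirming rather than assuming from upstream. expr_evaluate_map starts before and ends after this hunk.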


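--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 0.9.6
-Release: 3
+Release: 4
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
@@ -16,6 +16,8 @@ Patch6003: backport-evaluate-Reject-quoted-strings-containing-only-wildcard
 Patch6004: backport-Solves-Bug-1462-nft-j-list-set-does-not-show-counters.patch
 Patch6005: backport-json-Fix-memleak-in-set_dtype_json.patch
 Patch6006: backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch
+Patch6007: backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch
+Patch6008: backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires: iptables-devel jansson-devel python3-devel
@@ -106,6 +108,13 @@ install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
 %{python3_sitelib}/nftables/
 %changelog
+* Tue Aug 03 2021 gaihuiying <gaihuiying1@huawei.com> - 0.9.6-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:evaluate disallow ct original s d ddr from maps
+evaluate disallow ct original s d ddr from concatena
 * Tue Jul 28 2021 zengwefeng<zwfeng@huawei.com> - 0.9.6-3
 - Type:bugfix
 - CVE:NA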