path: root/libiptc
Commit log for libiptc. Each entry gives the commit subject, then author, date, number of files changed and lines removed/added, followed by the commit message.
* libiptc: Fix for another segfault due to chain index NULL pointer
  Phil Sutter, 2023-10-12, 1 file changed, -0/+4 lines

  Chain rename code failed to adjust the num_chains value which is used to calculate the number of chain index buckets to allocate during an index rebuild. So with the right number of chains present, the last chain in a middle bucket being renamed (and ending up in another bucket) triggers an index rebuild based on false data. The resulting NULL pointer index bucket then causes a segfault upon reinsertion.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
  Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
* Use SOCK_CLOEXEC/O_CLOEXEC where available
  Phil Sutter, 2023-08-10, 1 file changed, -7/+1 lines

  No need for the explicit fcntl() call, request the behaviour when opening the descriptor. One fcntl() call setting FD_CLOEXEC remains in extensions/libxt_bpf.c, the indirect syscall seems not to support passing the flag directly.

  Reported-by: Gaurav Gupta <g.gupta@samsung.com>
  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1104
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Revert "libiptc: fix wrong maptype of base chain counters on restore"
  Phil Sutter, 2023-08-10, 1 file changed, -1/+1 lines

  This reverts commit 7c4d668c9c2ee007c82063b7fc784cbbf46b2ec4.

  The change can't be right: A simple rule append call will reset all built-in chains' counters. The old code works fine even given the mentioned "empty restore" use-case, at least if counters don't change on the fly in-kernel.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=912
  Fixes: 7c4d668c9c2ee ("libiptc: fix wrong maptype of base chain counters on restore")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Fix for 'make distcheck'
  Phil Sutter, 2022-12-14, 1 file changed, -0/+2 lines

  Since extensions/ directory does not use automake, some targets have to be added manually. Apart from that, several Makefiles either failed to specify relevant files or did not specify them correctly for 'make dist' to add them to the tarball.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Drop libiptc/linux_stddef.h
  Phil Sutter, 2022-12-14, 1 file changed, -39/+0 lines

  This header was never included anywhere.

  Fixes: aae69bed01982 ("complete libiptc rewrite. Time to load 10k rules goes down from 2.20 minutes to 1.255 seconds (!). Might still contain bugs, use with caution.")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: Eliminate garbage access
  Phil Sutter, 2022-12-02, 1 file changed, -2/+2 lines

  When adding a rule, valgrind prints:

  Syscall param socketcall.setsockopt(optval) points to uninitialised byte(s)
     at 0x4A8165A: setsockopt (in /lib64/libc.so.6)
     by 0x4857A48: iptc_commit (libiptc.c:2676)
     by 0x10E4BB: iptables_main (iptables-standalone.c:61)
     by 0x49A3349: (below main) (in /lib64/libc.so.6)
   Address 0x4b63788 is 40 bytes inside a block of size 1,448 alloc'd
     at 0x484659F: calloc (vg_replace_malloc.c:1328)
     by 0x4857654: iptc_commit (libiptc.c:2564)
     by 0x10E4BB: iptables_main (iptables-standalone.c:61)
     by 0x49A3349: (below main) (in /lib64/libc.so.6)

  This is because repl->counters is not initialized upon allocation. Since the field is an array, make use of calloc() which implicitly does the initialization.

  Fixes: e37c0dc100c51 ("Revert the recent addition of memset()'s to TC_COMMIT. One of them is bogus and the other one needs more investigation to why valgrind is complaining.")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: Fix for segfault when renaming a chain
  Phil Sutter, 2022-10-07, 1 file changed, -0/+9 lines

  This is an odd bug: If the number of chains is right and one renames the last one in the list, libiptc dereferences a NULL pointer. Add fix and test case for it.

  Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
  Reported-by: Julien Castets <castets.j@gmail.com>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Add --enable-profiling configure option
  Phil Sutter, 2022-06-11, 1 file changed, -0/+1 lines

  A little convenience to prepare a build for analysis with gcov/gprof.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: Avoid gcc-10 zero-length array warning
  Phil Sutter, 2020-10-12, 1 file changed, -1/+1 lines

  Gcc-10 doesn't like the use of zero-length arrays as last struct member to denote variable sized objects. The suggested alternative, namely to use a flexible array member as defined by C99, is problematic as that doesn't allow for said struct to be embedded into others. With the relevant structs being part of kernel UAPI, this can't be precluded though.

  The call to memcpy() which triggers the warning copies data from one struct xt_counters to another. Since this struct is flat and merely contains two u64 fields, one can use direct assignment instead which avoids the warning.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: do not typedef socklen_t on Android
  Maciej Żenczykowski, 2020-05-11, 2 files changed, -2/+2 lines

  This is present in bionic header files regardless of compiler being used (likely clang)

  Test: builds
  Signed-off-by: Maciej Żenczykowski <maze@google.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libiptc: silence two compiler warnings
  Florian Westphal, 2019-09-16, 1 file changed, -2/+2 lines

  Avoid hypothetical truncation by leaving space for trailing zero byte.

  Silences:

  In file included from libip4tc.c:113:
  libiptc.c: In function ‘iptcc_alloc_chain_head’:
  libiptc.c:163:2: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation]
    163 |  strncpy(c->name, name, TABLE_MAXNAMELEN);
        |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  libiptc.c: In function ‘iptc_rename_chain’:
  libiptc.c:2388:2: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation]
   2388 |  strncpy(c->name, newname, sizeof(IPT_CHAINLABEL));
        |  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: axe non-building debug code
  Florian Westphal, 2019-09-16, 3 files changed, -365/+1 lines

  Hasn't built with IPTC_DEBUG=1 since at least 2004, so remove it.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1275
  Signed-off-by: Florian Westphal <fw@strlen.de>
* build: remove -Wl,--no-as-needed and libiptc.so
  Jan Engelhardt, 2019-05-30, 1 file changed, -5/+2 lines

  Despite the presence of --no-as-needed, the libiptc.so library as produced inside the openSUSE Build Service has no links to libip4tc.so or libip6tc.so. I have not looked into why --no-as-needed is ignored in this instance, but likewise, the situation must have been like that ever since openSUSE made as-needed a distro-wide default (gcc 4.8 timeframe or so).

  Since I am not aware of any problem reports within SUSE/openSUSE about this whole situation, it seems safe to assume no one in the larger scope is still using a bare "-liptc" on the linker command line and that all parties have moved on to using pkg-config.

  Therefore, libiptc.la/so is hereby removed, as are all parts related to the -Wl,--no-as-needed flag.

  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Extend struct xtc_ops
  Phil Sutter, 2018-11-13, 2 files changed, -2/+6 lines

  Add a few more callbacks used by iptables-save.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: NULL-terminate errorname
  Phil Sutter, 2018-09-25, 1 file changed, -1/+2 lines

  In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence copying its content into 'error_name' field of struct xt_error_target which is two bytes shorter may overflow. Make sure this doesn't happen by using strncpy() and set the last byte to zero.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Simplify alloc_handle() function signature
  Phil Sutter, 2018-09-24, 1 file changed, -7/+7 lines

  This change originated from covscan complaining about the strcpy() call with an unknown size source buffer. But in fact, the size is known (and equal to the destination size), so pass a pointer to STRUCT_GETINFO to alloc_handle() instead of its fields separately. Hopefully this will silence covscan.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Avoid side-effect in memset() calls
  Phil Sutter, 2018-09-13, 1 file changed, -2/+4 lines

  These calls to memset() are passed a length argument which exceeds t->target.u.user.name's length by one byte and hence overwrite t->target.u.user.revision as well (relying upon no padding to happen between both). Avoid this obscure behaviour by passing the correct field size and explicitly overwriting 'revision' field.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: don't set_changed() when checking rules with module jumps
  Dan Williams, 2017-02-28, 1 file changed, -6/+8 lines

  Checking a rule that includes a jump to a module-based target currently sets the "changed" flag on the handle, which then causes TC_COMMIT() to run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This seems wrong for simply checking rules, an operation which is documented as "...does not alter the existing iptables configuration..." yet it clearly could do so.

  Fix that by ensuring that rule check operations for module targets don't set the changed flag, and thus exit early from TC_COMMIT().

  Signed-off-by: Dan Williams <dcbw@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Spelling fixes
  Ville Skyttä, 2015-09-07, 1 file changed, -1/+1 lines

  While at it, update comment format for the respective blocks.

  Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libiptc: fix fortify errors in debug code
  Mike Frysinger, 2015-08-26, 1 file changed, -3/+3 lines

  When using open(O_CREAT), you must supply the mode bits, otherwise the func will pull random garbage off the stack.

  Signed-off-by: Mike Frysinger <vapier@gentoo.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* list: fix prefetch dummy
  Arturo Borrero, 2015-04-08, 1 file changed, -1/+1 lines

  linux_list.h:381:59: warning: right-hand operand of comma expression has no effect [-Wunused-value]
    for (pos = list_entry((head)->next, typeof(*pos), member), \
                                                             ^
  libiptc.c:552:2: note: in expansion of macro 'list_for_each_entry'
    list_for_each_entry(c, &h->chains, list) {
    ^

  [ Patch copied from one similar of Patrick McHardy on libnftnl ]

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency
  Pablo Neira Ayuso, 2013-03-29, 1 file changed, -1/+1 lines

  This patch changes the NETMAP target extension (IPv6 side) to use the xtables_ip6mask_to_cidr available in libxtables. As a side effect, we get rid of the libip6tc dependency.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libiptc: fix retry path in TC_INIT
  Miguel GAIO, 2012-04-19, 1 file changed, -1/+1 lines

  There is an issue on the TC_INIT retry path: in the error case, TC_FREE is called and closes sockfd. The retry does not reopen it and thus always fails. The proposed patch reopens sockfd in the retry path.

  Signed-off-by: Miguel GAIO <miguel.gaio@efixo.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mark newly opened fds as FD_CLOEXEC (close on exec)
  Maciej Żenczykowski, 2012-03-23, 1 file changed, -0/+8 lines

  By default, Unix-like systems leak file descriptors after fork/exec call. I think this seems to result in SELinux spotting a strange AVC log messages according to what I can find on the web. Fedora 18 iptables source includes this change.

  Maciej says:

  "iptables does potentially fork/exec modprobe to load modules. That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing. You can do automated inspection of what gets carried across such privilege changes and any unexpected open file descriptors flag problems, patches like this cut down on the noise."

  Signed-off-by: Maciej Żenczykowski <maze@google.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: missing free() in function delete_entry()
  Franz Flasch, 2012-03-12, 1 file changed, -1/+3 lines

  Fixed a memory leak in the dry run path of function delete_entry().

  Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
  Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: missing free() in function cache_add_entry()
  Franz Flasch, 2012-03-12, 1 file changed, -0/+1 lines

  Fixed a memory leak in the error path of function cache_add_entry().

  Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
  Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "libiptc: Returns the position the entry was inserted"
  Pablo Neira Ayuso, 2012-03-01, 1 file changed, -3/+2 lines

  This reverts commit d65702c5c5bbab0ef12298386fa4098c72584e6c.

  This is breaking my iptables scripts:

  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables: Incompatible with this kernel.
* libiptc: Returns the position the entry was inserted
  Jonh Wendell, 2012-02-29, 1 file changed, -2/+3 lines

  Jan Engelhardt showed no objections to this patch.
* Merge branch 'stable'
  Jan Engelhardt, 2011-12-18, 4 files changed, -83/+69 lines
* libiptc: use a family-invariant xtc_ops struct for code reduction
  Jan Engelhardt, 2011-09-11, 4 files changed, -2/+16 lines (from branch 'stable')

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: resolve old macro names that are indirections
  Jan Engelhardt, 2011-09-11, 2 files changed, -31/+31 lines (from branch 'stable')

  Command used:

  git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)

  and then fix all occurrences.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: combine common types: _handle
  Jan Engelhardt, 2011-09-11, 3 files changed, -13/+6 lines (from branch 'stable')

  No real API/ABI change incurred, since the definition of the structs' types is not visible anyhow.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: replace ipt_chainlabel by xt_chainlabel
  Jan Engelhardt, 2011-09-11, 2 files changed, -2/+2 lines (from branch 'stable')

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: remove unused HOOK_DROPPING thing
  Jan Engelhardt, 2011-09-11, 2 files changed, -15/+0 lines (from branch 'stable')

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: resolve compile failure
  Jan Engelhardt, 2011-09-11, 1 file changed, -20/+14 lines (from branch 'stable')

    CC     libip4tc.lo
  In file included from libip4tc.c:118:0:
  libiptc.c:70:8: error: redefinition of "struct xt_error_target"
  ../include/linux/netfilter/x_tables.h:69:8: note: originally defined here

  Remove libiptc's duplicate definition and substitute names.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: provide separate pkgconfig files
  Jan Engelhardt, 2011-12-18, 5 files changed, -6/+24 lines

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: DEADCODE
  Jiri Popelka, 2011-06-22, 1 file changed, -3/+1 lines

  libiptc.c:407: dead_error_condition: On this path, the condition "res > 0" cannot be false.
  libiptc.c:396: at_least: After this line, the value of "res" is at least 1.
  libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as false.
  libiptc.c:396: new_values: Noticing condition "res < 0".
  libiptc.c:425: new_values: Noticing condition "res < 0".
  libiptc.c:407: new_values: Noticing condition "res > 0".
  libiptc.c:435: dead_error_line: Execution cannot reach this statement "return list_pos;".

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: re-add missing CPPFLAGS for libiptc
  Jan Engelhardt, 2011-06-08, 1 file changed, -0/+3 lines

  These got lost on commit v1.4.11-12-g5c8f5b6.

  Note: When /usr/include/libiptc/libiptc.h exists, this error is masked away :-/ (IMO, #include-with-quotes "foo.h" should not search system dirs...)

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move all libiptc pieces into its directory
  Jan Engelhardt, 2011-06-07, 3 files changed, -0/+25 lines

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove dead code parts
  Jan Engelhardt, 2011-05-30, 1 file changed, -5/+2 lines

  gcc-4.6 has a new warning, -Wunused-but-set-variable, which flags no-op code.

    CC     libiptc/libip4tc.lo
  In file included from libiptc/libip4tc.c:118:0:
  libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
  libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
  libiptc/libiptc.c: In function "alloc_handle":
  libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
    CC     libiptc/libip6tc.lo
  In file included from libiptc/libip6tc.c:113:0:
  libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
  libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
  libiptc/libiptc.c: In function "alloc_handle":
  libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
    CC     xtables_multi-iptables-xml.o
  iptables-xml.c: In function "do_rule_part":
  iptables-xml.c:376:8: warning: variable "thisChain" set but not used
    CC     xtables_multi-ip6tables.o
  ip6tables.c: In function "print_firewall":
  ip6tables.c:552:10: warning: variable "flags" set but not used

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: replace old IP*T_ALIGN macros
  Jan Engelhardt, 2011-05-12, 2 files changed, -4/+4 lines

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: add -C to check for existing rules
  Stefan Tomanek, 2011-03-08, 3 files changed, -6/+26 lines

  It is often useful to check whether a specific rule is already present in a chain without actually modifying the iptables config. Services like fail2ban usually employ techniques like grepping through the output of "iptables -L" which is quite error prone.

  This patch adds a new operation -C to the iptables command which mostly works like -D; it can detect and indicate the existence of the specified rule by modifying the exit code.

  The new operation TC_CHECK_ENTRY uses the same code as the -D operation, whose functions got a dry-run parameter appended.

  Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX types
  Jan Engelhardt, 2011-01-08, 1 file changed, -2/+2 lines

  "u_int" was a non-standardized extension predating C99 on some platforms.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip4tc: Add static qualifier to dump_entry()
  Dmitry V. Levin, 2010-02-18, 1 file changed, -2/+2 lines

  Change dump_entry() signature defined in libip4tc.c to match prototype declared in libiptc.c and another static dump_entry() function defined in libip6tc.c. This function is not a part of the public libiptc API.

  Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix wrong maptype of base chain counters on restore
  Jan Engelhardt, 2009-10-29, 1 file changed, -1/+1 lines

  When a ruleset that does not reset any chain policies/counters, such as

  *filter
  COMMIT

  is sourced by iptables-restore, the previous policy and counters (i.e. the ones read from the kernel) are reused. The counter skew offsetting is wrong however, causing the read value to be re-added to the kernel value. This manifests itself in practice by the counter value almost doubling every time iptables-restore is called.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: avoid strict-aliasing warnings
  Jan Engelhardt, 2009-10-25, 3 files changed, -5/+11 lines

  In file included from libiptc/libip4tc.c:117:0:
  libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
  libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
  libiptc/libiptc.c: In function ‘iptc_get_target’:
  libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
  libiptc/libip4tc.c: In function ‘dump_entry’:
  libiptc/libip4tc.c:157:3: warning: dereferencing type-punned pointer will break strict-aliasing rules
    CC     libiptc/libip6tc.lo
  In file included from libiptc/libip6tc.c:112:0:
  libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
  libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
  libiptc/libiptc.c: In function ‘ip6tc_get_target’:
  libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
  libiptc/libip6tc.c: In function ‘dump_entry’:
  libiptc/libip6tc.c:188:3: warning: dereferencing type-punned pointer will break strict-aliasing rules

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: remove unused functions
  Jan Engelhardt, 2009-10-25, 1 file changed, -39/+0 lines

  Fix the two warnings in libiptc.c:

    CC     libiptc/libip4tc.lo
  libiptc/libiptc.c:1570:1: warning: ‘iptc_num_rules’ defined but not used
  libiptc/libiptc.c:1586:1: warning: ‘iptc_get_rule’ defined but not used
    CC     libiptc/libip6tc.lo
  libiptc/libiptc.c:1570:1: warning: ‘ip6tc_num_rules’ defined but not used
  libiptc/libiptc.c:1586:1: warning: ‘ip6tc_get_rule’ defined but not used

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: give credits to my self
  Jesper Dangaard Brouer, 2009-03-23, 1 file changed, -0/+5 lines

  Add notes about my scalability work on the library libiptc. This should make it more obvious who to complain to.

  Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix whitespaces and typos
  Jesper Dangaard Brouer, 2009-03-23, 1 file changed, -41/+41 lines

  Cleanup whitespaces while going through the code.

  Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix chain rename bug in libiptc
  Jesper Dangaard Brouer, 2009-03-23, 1 file changed, -1/+8 lines

  Chain renaming (TC_RENAME_CHAIN) can result in an unsorted chain list. That breaks the requirement of the binary search done in iptcc_bsearch_chain_index().

  Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
  Signed-off-by: Patrick McHardy <kaber@trash.net>