
From: Patrick McLean <chutzpah@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-firewall/iptables/, net-firewall/iptables/files/
Date: Thu, 20 Jan 2022 19:12:38
Message-Id: 1642705946.30b1ce27e3082d81d6c4c5f488c1ec452f01bbab.chutzpah@gentoo
1 commit: 30b1ce27e3082d81d6c4c5f488c1ec452f01bbab
2 Author: Patrick McLean <patrick.mclean <AT> sony <DOT> com>
3 AuthorDate: Thu Jan 20 19:11:25 2022 +0000
4 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5 CommitDate: Thu Jan 20 19:12:26 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30b1ce27
7
8 net-firewall/iptables: revbump upstream double-free (bug #831626)
9
10 Closes: https://bugs.gentoo.org/831626
11 Copyright: Sony Interactive Entertainment Inc.
12 Package-Manager: Portage-3.0.30, Repoman-3.0.3
13 Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
14
15 .../files/iptables-1.8.7-cache-double-free.patch | 61 +++++++
16 net-firewall/iptables/iptables-1.8.7-r1.ebuild | 183 +++++++++++++++++++++
17 2 files changed, 244 insertions(+)
18
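diff --git a/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
new file mode 100644
index 000000000000..fc88636d2944
--- /dev/null
+++ b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch
@@ -0,0 +1,61 @@
+commit 4318961230bce82958df82b57f1796143bf2f421
+Author: Phil Sutter <phil@×××.cc>
+Date: Tue Sep 21 11:39:45 2021 +0200
+
+ nft: cache: Avoid double free of unrecognized base-chains
+
+ On error, nft_cache_add_chain() frees the allocated nft_chain object
+ along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to
+ not free the nftnl_chain again in that case.
+
+ Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array")
+ Signed-off-by: Phil Sutter <phil@×××.cc>
+
+diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
+index 2c88301c..9a03bbfb 100644
+--- a/iptables/nft-cache.c
++++ b/iptables/nft-cache.c
+@@ -314,9 +314,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data)
+ goto out;
+ }
+
+- if (nft_cache_add_chain(h, t, c))
+- goto out;
+-
++ nft_cache_add_chain(h, t, c);
+ return MNL_CB_OK;
+ out:
+ nftnl_chain_free(c);
+diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0
+new file mode 100755
+index 00000000..1b85b060
+--- /dev/null
++++ b/iptables/tests/shell/testcases/chain/0004extra-base_0
+@@ -0,0 +1,27 @@
++#!/bin/bash
++
++case $XT_MULTI in
++*xtables-nft-multi)
++ ;;
++*)
++ echo skip $XT_MULTI
++ exit 0
++ ;;
++esac
++
++set -e
++
++nft -f - <<EOF
++table ip filter {
++ chain INPUT {
++ type filter hook input priority filter
++ counter packets 218 bytes 91375 accept
++ }
++
++ chain x {
++ type filter hook input priority filter
++ }
++}
++EOF
++
++$XT_MULTI iptables -L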
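diff --git a/net-firewall/iptables/iptables-1.8.7-r1.ebuild b/net-firewall/iptables/iptables-1.8.7-r1.ebuild
new file mode 100644
index 000000000000..f748bdb9f289
--- /dev/null
+++ b/net-firewall/iptables/iptables-1.8.7-r1.ebuild
@@ -0,0 +1,183 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs autotools flag-o-matic usr-ldscript
+
+DESCRIPTION="Linux kernel (2.4+) firewall, NAT and packet mangling tools"
+HOMEPAGE="https://www.netfilter.org/projects/iptables/"
+SRC_URI="https://www.netfilter.org/projects/iptables/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+# Subslot reflects PV when libxtables and/or libip*tc was changed
+# the last time.
+SLOT="0/1.8.3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="conntrack ipv6 netlink nftables pcap static-libs"
+
+BUILD_DEPEND="
+ >=app-eselect/eselect-iptables-20200508
+"
+COMMON_DEPEND="
+ conntrack? ( >=net-libs/libnetfilter_conntrack-1.0.6 )
+ netlink? ( net-libs/libnfnetlink )
+ nftables? (
+ >=net-libs/libmnl-1.0:0=
+ >=net-libs/libnftnl-1.1.6:0=
+ )
+ pcap? ( net-libs/libpcap )
+"
+DEPEND="${COMMON_DEPEND}
+ virtual/os-headers
+ >=sys-kernel/linux-headers-4.4:0
+"
+BDEPEND="${BUILD_DEPEND}
+ app-eselect/eselect-iptables
+ virtual/pkgconfig
+ nftables? (
+ sys-devel/flex
+ virtual/yacc
+ )
+"
+RDEPEND="${COMMON_DEPEND}
+ ${BUILD_DEPEND}
+ nftables? ( net-misc/ethertypes )
+ !<net-firewall/ebtables-2.0.11-r1
+ !<net-firewall/arptables-0.0.5-r1
+"
+
+PATCHES=(
+ "${FILESDIR}/iptables-1.8.4-no-symlinks.patch"
+ "${FILESDIR}/iptables-1.8.2-link.patch"
+ # https://bugs.gentoo.org/831626
+ "${FILESDIR}/iptables-1.8.7-cache-double-free.patch"
+)
+
+src_prepare() {
+ # use the saner headers from the kernel
+ rm include/linux/{kernel,types}.h || die
+
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # Some libs use $(AR) rather than libtool to build #444282
+ tc-export AR
+
+ # Hack around struct mismatches between userland & kernel for some ABIs. #472388
+ use amd64 && [[ ${ABI} == "x32" ]] && append-flags -fpack-struct
+
+ sed -i \
+ -e "/nfnetlink=[01]/s:=[01]:=$(usex netlink 1 0):" \
+ -e "/nfconntrack=[01]/s:=[01]:=$(usex conntrack 1 0):" \
+ configure || die
+
+ local myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ --libexecdir="${EPREFIX}/$(get_libdir)"
+ --enable-devel
+ --enable-shared
+ $(use_enable nftables)
+ $(use_enable pcap bpf-compiler)
+ $(use_enable pcap nfsynproxy)
+ $(use_enable static-libs static)
+ $(use_enable ipv6)
+ )
+ econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+ emake V=1
+}
+
+src_install() {
+ default
+ dodoc INCOMPATIBILITIES iptables/iptables.xslt
+
+ # all the iptables binaries are in /sbin, so might as well
+ # put these small files in with them
+ into /
+ dosbin iptables/iptables-apply
+ dosym iptables-apply /sbin/ip6tables-apply
+ doman iptables/iptables-apply.8
+
+ insinto /usr/include
+ doins include/iptables.h $(use ipv6 && echo include/ip6tables.h)
+ insinto /usr/include/iptables
+ doins include/iptables/internal.h
+
+ keepdir /var/lib/iptables
+ newinitd "${FILESDIR}"/${PN}-r2.init iptables
+ newconfd "${FILESDIR}"/${PN}-r1.confd iptables
+ if use ipv6 ; then
+ keepdir /var/lib/ip6tables
+ dosym iptables /etc/init.d/ip6tables
+ newconfd "${FILESDIR}"/ip6tables-r1.confd ip6tables
+ fi
+
+ if use nftables; then
+ # Bug 647458
+ rm "${ED}"/etc/ethertypes || die
+
+ # Bugs 660886 and 669894
+ rm "${ED}"/sbin/{arptables,ebtables}{,-{save,restore}} || die
+ fi
+
+ systemd_dounit "${FILESDIR}"/systemd/iptables-{re,}store.service
+ if use ipv6 ; then
+ systemd_dounit "${FILESDIR}"/systemd/ip6tables-{re,}store.service
+ fi
+
+ # Move important libs to /lib #332175
+ gen_usr_ldscript -a ip{4,6}tc xtables
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ local default_iptables="xtables-legacy-multi"
+ if ! eselect iptables show &>/dev/null; then
+ elog "Current iptables implementation is unset, setting to ${default_iptables}"
+ eselect iptables set "${default_iptables}"
+ fi
+
+ if use nftables; then
+ local tables
+ for tables in {arp,eb}tables; do
+ if ! eselect ${tables} show &>/dev/null; then
+ elog "Current ${tables} implementation is unset, setting to ${default_iptables}"
+ eselect ${tables} set xtables-nft-multi
+ fi
+ done
+ fi
+
+ eselect iptables show
+}
+
+pkg_prerm() {
+ if [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Unsetting iptables symlinks before removal"
+ eselect iptables unset
+ fi
+
+ if ! has_version 'net-firewall/ebtables'; then
+ elog "Unsetting ebtables symlinks before removal"
+ eselect ebtables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting ebtables symlinks to ebtables-legacy"
+ eselect ebtables set ebtables-legacy
+ fi
+
+ if ! has_version 'net-firewall/arptables'; then
+ elog "Unsetting arptables symlinks before removal"
+ eselect arptables unset
+ elif [[ -z ${REPLACED_BY_VERSION} ]]; then
+ elog "Resetting arptables symlinks to arptables-legacy"
+ eselect arptables set arptables-legacy
+ fi
+
+ # the eselect module failing should not be fatal
+ return 0
+}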
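Review bot: In pkg_postinst the elog inside the `{arp,eb}tables` loop reports `setting to ${default_iptables}` (i.e. xtables-legacy-multi) while the eselect call on the very next line sets `xtables-nft-multi`, so the log line misstates what the hook actually did. Either introduce the value once, e.g. `local default_nft="xtables-nft-multi"`, and use it in both the message and `eselect ${tables} set "${default_nft}"`, or change the message to `elog "Current ${tables} implementation is unset, setting to xtables-nft-multi"`. Separately, none of the `eselect ... set` calls in pkg_postinst check their exit status; if that is deliberate, as the `# the eselect module failing should not be fatal` comment says for pkg_prerm, a matching one-line comment in pkg_postinst would keep a later maintainer from adding `|| die` to a postinst hook.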