* Three patches for iptables
From: Jan Engelhardt @ 2010-03-16 19:02 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


The following changes since commit 9fdbaa71452edaac9d5906716c15937f670341fa:
  Patrick McHardy (1):
        extensions: add CT extension

are available in the git repository at:

  git://dev.medozas.de/iptables master

Jan Engelhardt (3):
      libxt_comment: avoid use of IPv4-specific examples
      libxt_CT: add a manpage
      iptables: correctly check for too-long chain/target/match names

 extensions/libxt_CT.c        |    2 +-
 extensions/libxt_CT.man      |   25 +++++++++++++++++++++++++
 extensions/libxt_comment.man |    2 +-
 ip6tables-restore.c          |    6 ++++++
 ip6tables.c                  |    4 ++--
 iptables-restore.c           |    6 ++++++
 iptables.c                   |    4 ++--
 xtables.c                    |    5 +++++
 8 files changed, 48 insertions(+), 6 deletions(-)
 create mode 100644 extensions/libxt_CT.man

* [PATCH 1/3] libxt_comment: avoid use of IPv4-specific examples
From: Jan Engelhardt @ 2010-03-16 19:02 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Since libxt_comment.man is included in both iptables.8 and
ip6tables.8, we should probably try to create examples that do not
rely on either address family.

References: http://bugs.debian.org/572628
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_comment.man |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_comment.man b/extensions/libxt_comment.man
index 94f871e..faaee2a 100644
--- a/extensions/libxt_comment.man
+++ b/extensions/libxt_comment.man
@@ -3,4 +3,4 @@ Allows you to add comments (up to 256 characters) to any rule.
 \fB\-\-comment\fP \fIcomment\fP
 .TP
 Example:
-iptables \-A INPUT \-s 192.168.0.0/16 \-m comment \-\-comment "A privatized IP block"
+iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN"
-- 
1.7.0.2


* [PATCH 2/3] libxt_CT: add a manpage
From: Jan Engelhardt @ 2010-03-16 19:02 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_CT.c   |    2 +-
 extensions/libxt_CT.man |   25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletions(-)
 create mode 100644 extensions/libxt_CT.man

diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index 79fa8d0..0b40fc6 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -13,7 +13,7 @@ static void ct_help(void)
 "CT target options:\n"
 " --notrack			Don't track connection\n"
 " --helper name			Use conntrack helper 'name' for connection\n"
-" --ctevents event[,event...]	Generate specified conntrack vents for connection\n"
+" --ctevents event[,event...]	Generate specified conntrack events for connection\n"
 " --expevents event[,event...]	Generate specified expectation events for connection\n"
 " --zone ID			Assign/Lookup connection in zone ID\n"
 	);
diff --git a/extensions/libxt_CT.man b/extensions/libxt_CT.man
new file mode 100644
index 0000000..ff258b7
--- /dev/null
+++ b/extensions/libxt_CT.man
@@ -0,0 +1,25 @@
+The CT target allows to set parameters for a packet or its associated
+connection. The target attaches a "template" connection tracking entry to
+the packet, which is then used by the conntrack core when initializing
+a new ct entry. This target is thus only valid in the "raw" table.
+.TP
+\fB\-\-notrack\fP
+Disables connection tracking for this packet.
+.TP
+\fB\-\-helper\fP \fIname\fP
+Use the helper identified by \fIname\fP for the connection. This is more
+flexible than loading the conntrack helper modules with preset ports.
+.TP
+\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...]
+Only generate the specified conntrack events for this connection. Possible
+event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP,
+\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to
+the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
+.TP
+\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...]
+Only generate the specified expectation events for this connection.
+Possible event types are: \fBnew\fP.
+.TP
+\fB\-\-zone\fP \fIid\fP
+Assign this packet to zone \fIid\fP and only have lookups done in that zone.
+By default, packets have zone 0.
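Review bot: the opening sentence of the new manpage, "The CT target allows to set parameters for a packet or its associated connection", is ungrammatical; "allows setting parameters" or simply "sets parameters" reads better. While touching it, the \fB\-\-notrack\fP entry ("Disables connection tracking for this packet") could state that this is done via the template entry described in the introduction, so the reader sees why the target is only valid in the raw table.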
-- 
1.7.0.2


* [PATCH 3/3] iptables: correctly check for too-long chain/target/match names
From: Jan Engelhardt @ 2010-03-16 19:02 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.

References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables-restore.c |    6 ++++++
 ip6tables.c         |    4 ++--
 iptables-restore.c  |    6 ++++++
 iptables.c          |    4 ++--
 xtables.c           |    5 +++++
 5 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index d0efbee..f0725d1 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -253,6 +253,12 @@ int main(int argc, char *argv[])
 				exit(1);
 			}
 
+			if (strlen(chain) > XT_FUNCTION_MAXNAMELEN - 1)
+				xtables_error(PARAMETER_PROBLEM,
+					   "Invalid chain name `%s' "
+					   "(%u chars max)",
+					   chain, XT_FUNCTION_MAXNAMELEN - 1);
+
 			if (ip6tc_builtin(chain, handle) <= 0) {
 				if (noflush && ip6tc_is_chain(chain, handle)) {
 					DEBUGP("Flushing existing user defined chain '%s'\n", chain);
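Review bot: this five-line check is pasted verbatim into ip6tables-restore.c and iptables-restore.c, and the same `strlen(x) > XT_FUNCTION_MAXNAMELEN - 1` comparison with a near-identical message appears again in both parse_target() hunks and in xtables_find_match(). A single shared helper in xtables.c (hypothetically, something like `xtables_check_name(const char *what, const char *name)`) would keep the limit and the wording in one place; the bug this series fixes was precisely that the copies had drifted apart (32 vs. 29).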
diff --git a/ip6tables.c b/ip6tables.c
index e2359df..6ee4281 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -456,10 +456,10 @@ parse_target(const char *targetname)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid target name (too short)");
 
-	if (strlen(targetname)+1 > sizeof(ip6t_chainlabel))
+	if (strlen(targetname) > XT_FUNCTION_MAXNAMELEN - 1)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid target name `%s' (%u chars max)",
-			   targetname, (unsigned int)sizeof(ip6t_chainlabel)-1);
+			   targetname, XT_FUNCTION_MAXNAMELEN - 1);
 
 	for (ptr = targetname; *ptr; ptr++)
 		if (isspace(*ptr))
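Review bot: the removed line cast the limit to `(unsigned int)` to match the `%u` conversion; the replacement passes `XT_FUNCTION_MAXNAMELEN - 1` as-is, which is an `int` if the macro is a plain integer literal, i.e. a signed argument for an unsigned conversion. It prints correctly everywhere iptables builds, but strict format checkers flag it, so either keep the cast, `(unsigned int)(XT_FUNCTION_MAXNAMELEN - 1)`, or use `%d`. The same applies to the identical hunk in iptables.c and to the two new checks in the *-restore.c files.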
diff --git a/iptables-restore.c b/iptables-restore.c
index 86d63e2..4a74485 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -259,6 +259,12 @@ main(int argc, char *argv[])
 				exit(1);
 			}
 
+			if (strlen(chain) > XT_FUNCTION_MAXNAMELEN - 1)
+				xtables_error(PARAMETER_PROBLEM,
+					   "Invalid chain name `%s' "
+					   "(%u chars max)",
+					   chain, XT_FUNCTION_MAXNAMELEN - 1);
+
 			if (iptc_builtin(chain, handle) <= 0) {
 				if (noflush && iptc_is_chain(chain, handle)) {
 					DEBUGP("Flushing existing user defined chain '%s'\n", chain);
diff --git a/iptables.c b/iptables.c
index 08eb134..25bc8cc 100644
--- a/iptables.c
+++ b/iptables.c
@@ -460,10 +460,10 @@ parse_target(const char *targetname)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid target name (too short)");
 
-	if (strlen(targetname)+1 > sizeof(ipt_chainlabel))
+	if (strlen(targetname) > XT_FUNCTION_MAXNAMELEN - 1)
 		xtables_error(PARAMETER_PROBLEM,
 			   "Invalid target name `%s' (%u chars max)",
-			   targetname, (unsigned int)sizeof(ipt_chainlabel)-1);
+			   targetname, XT_FUNCTION_MAXNAMELEN - 1);
 
 	for (ptr = targetname; *ptr; ptr++)
 		if (isspace(*ptr))
diff --git a/xtables.c b/xtables.c
index f3baf84..7340c87 100644
--- a/xtables.c
+++ b/xtables.c
@@ -545,6 +545,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 	struct xtables_match *ptr;
 	const char *icmp6 = "icmp6";
 
+	if (strlen(name) > XT_FUNCTION_MAXNAMELEN - 1)
+		xtables_error(PARAMETER_PROBLEM,
+			   "Invalid match name \"%s\" (%u chars max)",
+			   name, XT_FUNCTION_MAXNAMELEN - 1);
+
 	/* This is ugly as hell. Nonetheless, there is no way of changing
 	 * this without hurting backwards compatibility */
 	if ( (strcmp(name,"icmpv6") == 0) ||
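Review bot: the new message quotes the offending name as `\"%s\"`, whereas the chain and target messages added elsewhere in this patch use `` `%s' ``; pick one style so the three "too long" errors look alike to anyone grepping iptables output. Since xtables_find_match() is the common entry point for match lookup, this check now runs for every caller regardless of `tryload`, which is the right place for it, but a one-line comment saying the length is validated here and not in the callers would save the next reader a search.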
-- 
1.7.0.2


* Re: Three patches for iptables
From: Patrick McHardy @ 2010-03-16 19:04 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> The following changes since commit 9fdbaa71452edaac9d5906716c15937f670341fa:
>   Patrick McHardy (1):
>         extensions: add CT extension
> 
> are available in the git repository at:
> 
>   git://dev.medozas.de/iptables master
> 
> Jan Engelhardt (3):
>       libxt_comment: avoid use of IPv4-specific examples
>       libxt_CT: add a manpage
>       iptables: correctly check for too-long chain/target/match names

Pulled, thanks Jan.
