* [PATCH 1/9] doc: mention other possible nf_loggers for TRACE
2011-02-27 1:31 iptables: docs & address parsing Jan Engelhardt
@ 2011-02-27 1:31 ` Jan Engelhardt
2011-02-27 1:31 ` [PATCH 2/9] doc: fix odd partial sentence in libipt_TTL Jan Engelhardt
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_TRACE.man | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_TRACE.man b/extensions/libxt_TRACE.man
index d28c3a0..ea0ce0f 100644
--- a/extensions/libxt_TRACE.man
+++ b/extensions/libxt_TRACE.man
@@ -1,7 +1,9 @@
This target marks packes so that the kernel will log every rule which match
-the packets as those traverse the tables, chains, rules. (The ipt_LOG or
-ip6t_LOG module
-is required for the logging.) The packets are logged with the string prefix:
+the packets as those traverse the tables, chains, rules.
+.PP
+A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
+to be visible.
+The packets are logged with the string prefix:
"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for
plain rule, "return" for implicit rule at the end of a user defined chain
and "policy" for the policy of the built in chains.
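Review bot: the unchanged context lines of this hunk still carry "packes" (line 1 of the page) and "every rule which match" (should be "matches"); since the paragraph is being rewritten anyway, fold both fixes into this hunk rather than leaving a typo in the first sentence of the man page. "ip(6)t_LOG" would also read better spelled out as "ipt_LOG or ip6t_LOG", matching the text being removed.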
--
1.7.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 2/9] doc: fix odd partial sentence in libipt_TTL
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libipt_TTL.man | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/libipt_TTL.man b/extensions/libipt_TTL.man
index 89fc18f..cf3d1a2 100644
--- a/extensions/libipt_TTL.man
+++ b/extensions/libipt_TTL.man
@@ -3,11 +3,11 @@ how many hops (routers) a packet can traverse until it's time to live is
exceeded.
.PP
Setting or incrementing the TTL field can potentially be very dangerous,
-so it should be avoided at any cost.
-.PP
-.B Don't ever set or increment the value on packets that leave your local network!
+so it should be avoided at any cost. This target is only valid in
.B mangle
table.
+.PP
+.B Don't ever set or increment the value on packets that leave your local network!
.TP
\fB\-\-ttl\-set\fP \fIvalue\fP
Set the TTL value to `value'.
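Review bot: "This target is only valid in" followed by ".B mangle" / "table." drops the article; make the added line end in "only valid in the" so the rendered sentence reads "only valid in the mangle table". The hunk header context also carries "until it's time to live is exceeded", which should be "its"; worth folding in while the file is being touched.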
--
1.7.1
* [PATCH 3/9] libxt_quota: require --quota to be specified
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
It is pretty pointless to use -m quota without specifying --quota.
There would be nothing left to count down on.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_quota.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/extensions/libxt_quota.c b/extensions/libxt_quota.c
index e6ed9bc..e3699ad 100644
--- a/extensions/libxt_quota.c
+++ b/extensions/libxt_quota.c
@@ -72,12 +72,19 @@ quota_parse(int c, char **argv, int invert, unsigned int *flags,
if (invert)
info->flags |= XT_QUOTA_INVERT;
-
+ *flags |= 1;
break;
}
return 1;
}
+static void quota_check(unsigned int flags)
+{
+ if (flags == 0)
+ xtables_error(PARAMETER_PROBLEM,
+ "quota: the --quota argument must be specified\n");
+}
+
static struct xtables_match quota_match = {
.family = NFPROTO_UNSPEC,
.name = "quota",
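Review bot: `*flags |= 1` in quota_parse and `flags == 0` in quota_check share a bare magic value; give it a name (an enum or #define in the style the other extensions use for their option flags) so that a second option added later cannot silently collide with it. Also check whether the xtables_error exit path already appends a newline before keeping the trailing "\n" in "quota: the --quota argument must be specified\n"; if it does, the message prints a blank line.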
@@ -86,6 +93,7 @@ static struct xtables_match quota_match = {
.userspacesize = offsetof(struct xt_quota_info, master),
.help = quota_help,
.parse = quota_parse,
+ .final_check = quota_check,
.print = quota_print,
.save = quota_save,
.extra_opts = quota_opts,
--
1.7.1
* [PATCH 4/9] doc: rateest options can be optional
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_rateest.man | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_rateest.man b/extensions/libxt_rateest.man
index de064af..75303c5 100644
--- a/extensions/libxt_rateest.man
+++ b/extensions/libxt_rateest.man
@@ -11,14 +11,14 @@ Name of the second rate estimator (if difference is to be calculated).
\fB\-\-rateest\-delta\fP
Compare difference(s) to given rate(s)
.TP
-\fB\-\-rateest\-bps1\fP \fIvalue\fP
+\fB\-\-rateest\-bps1\fP [\fIvalue\fP]
.TP
-\fB\-\-rateest\-bps2\fP \fIvalue\fP
+\fB\-\-rateest\-bps2\fP [\fIvalue\fP]
Compare bytes per second.
.TP
-\fB\-\-rateest\-pps1\fP \fIvalue\fP
+\fB\-\-rateest\-pps1\fP [\fIvalue\fP]
.TP
-\fB\-\-rateest\-pps2\fP \fIvalue\fP
+\fB\-\-rateest\-pps2\fP [\fIvalue\fP]
Compare packets per second.
.TP
[\fB!\fP] \fB\-\-rateest\-lt\fP
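Review bot: the brackets now mark value as optional for --rateest-bps1/2 and --rateest-pps1/2, but the descriptions ("Compare bytes per second." / "Compare packets per second.") do not say what the option means when the value is omitted, for example whether it then applies to the comparison against the second estimator selected with --rateest-delta. One sentence stating the no-argument semantics would make the man page match the parser it documents.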
--
1.7.1
* [PATCH 5/9] libxtables: fix memory scribble beyond end of array
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
When using -s "", the "n" variable in the code remains uninitialized
and usually scribbles beyond the end of the array.
Furthermore, "n" is just as big as the number of entries in the last host lookup.
When specifying more than one item to -s, e.g. "-s host,host", "n" is
less than "count", and we are not masking the addresses at all
(leaving them at addr/32 resp. addr/128).
The issue goes back to the initial code from v1.4.5~21.
References: http://bugs.debian.org/611990
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
xtables.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/xtables.c b/xtables.c
index 57d5d13..f66fb27 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1272,7 +1272,7 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
free(addrp);
}
*naddrs = count;
- for (i = 0; i < n; ++i)
+ for (i = 0; i < count; ++i)
(*addrpp+i)->s_addr &= (*maskpp+i)->s_addr;
}
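Review bot: bounding the masking pass by count is the right fix, but the commit message says n is left uninitialized for -s "" and the variable stays live after this hunk (its IPv6 twin feeds it into `count += n - 1`). Initialise n where it is declared, or make the empty-string case set it explicitly, so an uninitialised read cannot return through another path; a regression test with `-s host,host` where each name resolves to a different number of addresses would pin down the second half of the commit message.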
@@ -1587,7 +1587,7 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
free(addrp);
}
*naddrs = count;
- for (i = 0; i < n; ++i)
+ for (i = 0; i < count; ++i)
for (j = 0; j < 4; ++j)
(*addrpp+i)->s6_addr32[j] &= (*maskpp+i)->s6_addr32[j];
}
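Review bot: the IPv6 mirror of the fix is consistent with the IPv4 hunk; the `(*addrpp+i)->s6_addr32[j]` pointer arithmetic is harder to read than the `addrp[k]` indexing used in the ipparse_any code in 8/9, so consider `(*addrpp)[i].s6_addr32[j]` if this loop is touched again.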
--
1.7.1
* [PATCH 6/9] libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Wes Campaigne <westacular@gmail.com>
[Split hunk from Wes's submission. Added commit message. -j.eng]
ai_protocol normally specifies the L4 protocol one wants to
specifically inquire about when a service (2nd parameter to
getaddrinfo) is specified. Such a service lookup would potentially
yield nothing, because there just is not any "mytunnel 2222/ipv6" in
/etc/services, since IPPROTO_IPV6 itself is not a protocol with a
concept of (port-based) services to begin with.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
xtables.c | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/xtables.c b/xtables.c
index f66fb27..83c5b41 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1424,8 +1424,6 @@ host_to_ip6addr(const char *name, unsigned int *naddr)
hints.ai_flags = AI_CANONNAME;
hints.ai_family = AF_INET6;
hints.ai_socktype = SOCK_RAW;
- hints.ai_protocol = IPPROTO_IPV6;
- hints.ai_next = NULL;
*naddr = 0;
if ((err = getaddrinfo(name, NULL, &hints, &res)) != 0) {
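Review bot: dropping `hints.ai_next = NULL` is only safe because the function zeroes hints with memset before these lines (visible as context in 9/9); the commit message discusses only ai_protocol, so add a sentence saying ai_next was redundant for the same reason, otherwise the second removed line looks unexplained.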
--
1.7.1
* [PATCH 7/9] xtables: fix excessive memory allocation in host_to_ipaddr
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Wes Campaigne <westacular@gmail.com>
host_to_ipaddr was unnecessarily asking for an array of length n^2 to
store just n addresses.
Signed-off-by: Wes Campaigne <westacular@gmail.com>
---
xtables.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xtables.c b/xtables.c
index 83c5b41..b45bf92 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1143,7 +1143,7 @@ static struct in_addr *host_to_ipaddr(const char *name, unsigned int *naddr)
while (host->h_addr_list[*naddr] != NULL)
++*naddr;
- addr = xtables_calloc(*naddr, sizeof(struct in_addr) * *naddr);
+ addr = xtables_calloc(*naddr, sizeof(struct in_addr));
for (i = 0; i < *naddr; i++)
memcpy(&addr[i], host->h_addr_list[i],
sizeof(struct in_addr));
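Review bot: the allocation now matches what the loop stores, but the memcpy of sizeof(struct in_addr) from host->h_addr_list[i] still assumes host->h_addrtype == AF_INET and h_length == sizeof(struct in_addr); a check above the loop would make that assumption explicit instead of copying four bytes of whatever the resolver returned.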
--
1.7.1
* [PATCH 8/9] xtables: fix the broken detection/removal of redundant addresses
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Wes Campaigne <westacular@gmail.com>
[To observe this issue, populate a hostname (DNS or local db)
with multiple addresses across multiple subnets (cf. prefixlen
below)
# e.g. /etc/hosts
127.0.0.2 lo-x
127.0.0.3 lo-x
127.0.1.4 lo-x
127.0.1.5 lo-x
127.0.2.6 lo-x
Then invoke xtables_ipparse_any by e.g. `-m conntrack
--ctorigsrc lo-x/24`. -j.eng]
This same block of code, apparently to detect if addresses are
identical after applying the mask, and to skip the duplicates and the
ones made redundant by the mask, has been present and unchanged from
as far back as I could find (circa iptables 1.2).
By inspection, it was wrong, and always has been: once the code finds
a duplicate, it will drop the rest of the array one by one as it
re-detects the same duplicate over and over. When the addresses came
from a single hostname lookup, and their order was random, then this
created unpredictable behaviour by iptables, which seemed to ignore some
of those addresses at random times.
I suspect the original idea also involved a swap between the duplicate
and the address from the (current) end of the array, but a line of
code to do that seems to have never existed. I have finally added it.
(Well, as much as is needed: there does not need to be a full swap,
because we are just going to ignore the duplicate, pretend the array
is one shorter, and never look at the contents of the end again. So,
we can get away with just copying from the end.)
[Reword comment about shuffle: replace by mentioning tail copy to
replace dup. -j.eng]
Signed-off-by: Wes Campaigne <westacular@gmail.com>
---
xtables.c | 18 ++++++++++++++----
1 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/xtables.c b/xtables.c
index b45bf92..660fbd0 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1311,8 +1311,13 @@ void xtables_ipparse_any(const char *name, struct in_addr **addrpp,
addrp[j++].s_addr &= maskp->s_addr;
for (k = 0; k < j - 1; ++k)
if (addrp[k].s_addr == addrp[j-1].s_addr) {
- --*naddrs;
- --j;
+ /*
+ * Nuke the dup by copying an address from the
+ * tail here, and check the current position
+ * again (--j).
+ */
+ memcpy(&addrp[--j], &addrp[--*naddrs],
+ sizeof(struct in_addr));
break;
}
}
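Review bot: correctness of the tail copy depends on the outer loop, whose header is outside the hunk, re-visiting index j afterwards so that the moved address is masked by `addrp[j++].s_addr &= maskp->s_addr` and compared, and on that loop terminating against the decremented *naddrs. If it iterates on its own counter instead of on j against *naddrs, the tail positions are never examined; a couple more lines of context, or the multi-subnet test from the commit message turned into a regression test, would make this checkable from the diff.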
@@ -1620,8 +1625,13 @@ void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp,
++j;
for (k = 0; k < j - 1; ++k)
if (IN6_ARE_ADDR_EQUAL(&addrp[k], &addrp[j - 1])) {
- --*naddrs;
- --j;
+ /*
+ * Nuke the dup by copying an address from the
+ * tail here, and check the current position
+ * again (--j).
+ */
+ memcpy(&addrp[--j], &addrp[--*naddrs],
+ sizeof(struct in_addr));
break;
}
}
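Review bot: the memcpy in xtables_ip6parse_any copies sizeof(struct in_addr), four bytes, but addrp here is an array of struct in6_addr (the comparison above uses IN6_ARE_ADDR_EQUAL); only the first 32 bits of the tail address are moved and the remaining twelve bytes of the old duplicate stay in place. Use sizeof(struct in6_addr) or sizeof(*addrp); as written the dedup can produce an address that was never in the lookup result.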
--
1.7.1
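The broken and fixed duplicate-removal loops from the 8/9 commit message, as an added example that is not part of the patch or of iptables: it models the xtables_ipparse_any() dedup with the five lo-x addresses from the message as constructed input, masked with /24, and shows the old loop collapsing the list to one entry where the patched loop keeps the three distinct /24 networks. The helper names (prefix_to_mask, parse_list, dedup_broken, dedup_fixed, run_variant, survivors_unique), the `while (j < n)` outer loop and the struct assignment in place of memcpy are this example's own assumptions; the original outer loop header is not in the hunk.

```c
/*
 * Added example, not iptables code: models the duplicate-removal loop
 * in xtables_ipparse_any() before and after the 8/9 fix. Function names,
 * the outer while loop and the sample address list are assumptions.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 16

/* Prefix length to a network-order IPv4 mask (/0 handled separately). */
static struct in_addr prefix_to_mask(unsigned int prefixlen)
{
    struct in_addr m;
    uint32_t host = prefixlen == 0 ? 0 : 0xffffffffu << (32 - prefixlen);
    m.s_addr = htonl(host);
    return m;
}

/* Parse dotted quads into a[]; returns how many parsed. */
static unsigned int parse_list(const char *const *names, unsigned int n,
                               struct in_addr *a)
{
    unsigned int i, count = 0;
    for (i = 0; i < n; ++i)
        if (inet_pton(AF_INET, names[i], &a[count]) == 1)
            ++count;
    return count;
}

/*
 * Pre-patch loop: on a duplicate it shrinks the array and steps j back,
 * but leaves the duplicate in place, so the next pass sees the same
 * duplicate again and keeps shrinking until the tail is gone.
 */
static unsigned int dedup_broken(struct in_addr *a, unsigned int n,
                                 struct in_addr mask)
{
    unsigned int j = 0, k;
    while (j < n) {
        a[j++].s_addr &= mask.s_addr;
        for (k = 0; k < j - 1; ++k)
            if (a[k].s_addr == a[j - 1].s_addr) {
                --n;
                --j;
                break;
            }
    }
    return n;
}

/*
 * Patched loop: overwrite the duplicate with the (not yet masked) tail
 * element and re-examine position j, which masks it on the next pass.
 * The patch does the copy with memcpy; a struct assignment is used here.
 */
static unsigned int dedup_fixed(struct in_addr *a, unsigned int n,
                                struct in_addr mask)
{
    unsigned int j = 0, k;
    while (j < n) {
        a[j++].s_addr &= mask.s_addr;
        for (k = 0; k < j - 1; ++k)
            if (a[k].s_addr == a[j - 1].s_addr) {
                a[--j] = a[--n];
                break;
            }
    }
    return n;
}

/* Constructed input: the lo-x /etc/hosts entries from the commit message. */
static const char *const LO_X[] = {
    "127.0.0.2", "127.0.0.3", "127.0.1.4", "127.0.1.5", "127.0.2.6",
};
#define LO_X_COUNT ((unsigned int)(sizeof(LO_X) / sizeof(LO_X[0])))

/* Run one variant over lo-x/<prefixlen>; returns the surviving count. */
static unsigned int run_variant(int fixed, unsigned int prefixlen)
{
    struct in_addr a[MAX_ADDRS];
    unsigned int n = parse_list(LO_X, LO_X_COUNT, a);
    struct in_addr mask = prefix_to_mask(prefixlen);
    return fixed ? dedup_fixed(a, n, mask) : dedup_broken(a, n, mask);
}

/* 1 if every entry the fixed loop keeps for lo-x/<prefixlen> is unique. */
static int survivors_unique(unsigned int prefixlen)
{
    struct in_addr a[MAX_ADDRS];
    unsigned int n = parse_list(LO_X, LO_X_COUNT, a);
    unsigned int i, k, kept = dedup_fixed(a, n, prefix_to_mask(prefixlen));
    for (i = 0; i < kept; ++i)
        for (k = i + 1; k < kept; ++k)
            if (a[i].s_addr == a[k].s_addr)
                return 0;
    return 1;
}

int main(void)
{
    printf("lo-x/24: broken keeps %u, fixed keeps %u (3 distinct networks)\n",
           run_variant(0, 24), run_variant(1, 24));
    printf("lo-x/32: broken keeps %u, fixed keeps %u (no duplicates)\n",
           run_variant(0, 32), run_variant(1, 32));
    return 0;
}
```

With /32 there are no duplicates and both loops keep all five addresses, which is why the bug stayed hidden for plain host matches; with /24 the old loop re-detects 127.0.0.0 against a[0] on every pass and discards 127.0.1.0 and 127.0.2.0 as collateral, while the tail copy keeps exactly the three masked networks.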
* [PATCH 9/9] xtables: use all IPv6 addresses resolved from a hostname
From: Jan Engelhardt @ 2011-02-27 1:31 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Wes Campaigne <westacular@gmail.com>
Fixes a long-standing issue where host_to_ip6addr would only ever
examine/return the first item of the address chain returned by
getaddrinfo, instead of traversing the chain and copying each of them.
This has always been how host_to_ip6addr behaves, and all of the other
related IPv6 code is already written to handle multiple possible
addresses.
[Style fixups. Removal of redundant i<*naddrs check. -j.eng]
Signed-off-by: Wes Campaigne <westacular@gmail.com>
---
xtables.c | 29 ++++++++++++-----------------
1 files changed, 12 insertions(+), 17 deletions(-)
diff --git a/xtables.c b/xtables.c
index 660fbd0..2f00e39 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1420,10 +1420,11 @@ struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
static struct in6_addr *
host_to_ip6addr(const char *name, unsigned int *naddr)
{
- static struct in6_addr *addr;
+ struct in6_addr *addr;
struct addrinfo hints;
- struct addrinfo *res;
+ struct addrinfo *res, *p;
int err;
+ unsigned int i;
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
@@ -1437,20 +1438,20 @@ host_to_ip6addr(const char *name, unsigned int *naddr)
#endif
return NULL;
} else {
- if (res->ai_family != AF_INET6 ||
- res->ai_addrlen != sizeof(struct sockaddr_in6))
- return NULL;
-
+ /* Find length of address chain */
+ for (p = res; p != NULL; p = p->ai_next)
+ ++*naddr;
#ifdef DEBUG
fprintf(stderr, "resolved: len=%d %s ", res->ai_addrlen,
xtables_ip6addr_to_numeric(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr));
#endif
- /* Get the first element of the address-chain */
- addr = xtables_malloc(sizeof(struct in6_addr));
- memcpy(addr, &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
- sizeof(struct in6_addr));
+ /* Copy each element of the address chain */
+ addr = xtables_calloc(*naddr, sizeof(struct in6_addr));
+ for (i = 0, p = res; p != NULL; p = p->ai_next)
+ memcpy(&addr[i++],
+ &((const struct sockaddr_in6 *)p->ai_addr)->sin6_addr,
+ sizeof(struct in6_addr));
freeaddrinfo(res);
- *naddr = 1;
return addr;
}
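Review bot: the removed per-result validation (`res->ai_family != AF_INET6 || res->ai_addrlen != sizeof(struct sockaddr_in6)`) was dropped rather than moved into the chain walk, so the copy loop now casts every p->ai_addr to sockaddr_in6 unconditionally. Re-add the check inside the loop (skip or error on a mismatch), and note that the DEBUG fprintf still prints only res, the first element, while the loop now copies all of them.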
@@ -1562,12 +1563,6 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
strcpy(buf, "::");
addrp = ip6parse_hostnetwork(buf, &n);
- /* ip6parse_hostnetwork only ever returns one IP
- address (it exits if the resolution fails).
- Therefore, n will always be 1 here. Leaving the
- code below in anyway in case ip6parse_hostnetwork
- is improved some day to behave like
- ipparse_hostnetwork: */
if (n > 1) {
count += n - 1;
*addrpp = xtables_realloc(*addrpp,
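Review bot: with host_to_ip6addr now returning more than one address, the `n > 1` branch here becomes live for the first time; the commit message should say so, and a test with a hostname carrying several AAAA entries (or /etc/hosts entries in the style of the lo-x example in 8/9) would exercise the realloc path that the removed comment said was never reached.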
--
1.7.1
* Re: iptables: docs & address parsing
From: Patrick McHardy @ 2011-02-27 15:19 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
On 27.02.2011 02:31, Jan Engelhardt wrote:
> The following changes since commit 094f104af71ca859c7c44406baed401659ad9421:
>
> libipt_ECN: set proper option flags (2011-02-19 20:08:29 +0100)
>
> are available in the git repository at:
> git://dev.medozas.de/iptables master
>
> Jan Engelhardt (5):
> doc: mention other possible nf_loggers for TRACE
> doc: fix odd partial sentence in libipt_TTL
> libxt_quota: require --quota to be specified
> doc: rateest options can be optional
> libxtables: fix memory scribble beyond end of array
>
> Wes Campaigne (4):
> libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6
> xtables: fix excessive memory allocation in host_to_ipaddr
> xtables: fix the broken detection/removal of redundant addresses
> xtables: use all IPv6 addresses resolved from a hostname
Pulled, thanks Jan.