* [PATCH 1/6] libxt_u32: fix missing allowance for inversion
2011-08-20 19:24 Fixes to iptables-1.4.12 Jan Engelhardt
@ 2011-08-20 19:24 ` Jan Engelhardt
[not found] ` <CAA93jw6mpDL6rLXM+9SpAhafkDdKoSfhAxU8UM87vUqjuzjYJw@mail.gmail.com>
2011-08-20 19:24 ` [PATCH 2/6] libxt_set: update man page about kernel support on the feature Jan Engelhardt
` (5 subsequent siblings)
6 siblings, 1 reply; 11+ messages in thread
From: Jan Engelhardt @ 2011-08-20 19:24 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_u32.c | 2 +-
tests/options-most.rules | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c
index 774d5ea..6d024fb 100644
--- a/extensions/libxt_u32.c
+++ b/extensions/libxt_u32.c
@@ -24,7 +24,7 @@ enum {
static const struct xt_option_entry u32_opts[] = {
{.name = "u32", .id = O_U32, .type = XTTYPE_STRING,
- .flags = XTOPT_MAND},
+ .flags = XTOPT_MAND | XTOPT_INVERT},
XTOPT_TABLEEND,
};
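Review bot: adding XTOPT_INVERT to the O_U32 entry only makes the option parser accept "!"; nothing in this hunk shows the parse callback storing the inversion in the match data or the save/print callbacks emitting it. Please confirm both, since the updated rule in tests/options-most.rules depends on the full save/restore round trip. The commit message also has no body; one sentence describing the user-visible failure before this change would help anyone backporting it.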
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 7298a1f..c2e30f2 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -40,7 +40,7 @@
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tos --tos 0xff/0x01
--A INPUT -p tcp -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0"
+-A INPUT -p tcp -m u32 ! --u32 "0x0=0x0" -m u32 ! --u32 "0x0=0x0"
-A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft
-A INPUT -m ipv6header --header hop-by-hop --soft -m rt --rt-type 2 --rt-segsleft 2 --rt-len 5 -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1 --rt-0-not-strict -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict
-A INPUT -p tcp -m cpu --cpu 1 -m tcp --sport 1:2 --dport 1:2 --tcp-option 1 --tcp-flags FIN,SYN,RST,ACK SYN -m cpu --cpu 1
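Review bot: the changed u32 rule is replaced rather than supplemented, so the non-inverted form `--u32 "0x0=0x0"` is no longer exercised by the line shown in this hunk. Consider keeping the original rule and adding a separate `! --u32` rule, so both the plain and the inverted paths stay covered.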
--
1.7.3.4
* [PATCH 2/6] libxt_set: update man page about kernel support on the feature
2011-08-20 19:24 Fixes to iptables-1.4.12 Jan Engelhardt
2011-08-20 19:24 ` [PATCH 1/6] libxt_u32: fix missing allowance for inversion Jan Engelhardt
@ 2011-08-20 19:24 ` Jan Engelhardt
2011-08-20 19:24 ` [PATCH 3/6] libxt_tcp: always print the mask parts Jan Engelhardt
` (4 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Jan Engelhardt @ 2011-08-20 19:24 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_SET.man | 5 ++---
extensions/libxt_set.man | 5 ++---
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man
index 739be41..63eb383 100644
--- a/extensions/libxt_SET.man
+++ b/extensions/libxt_SET.man
@@ -21,6 +21,5 @@ one from the set definition
when adding entry if it already exists, reset the timeout value
to the specified one or to the default from the set definition
.PP
-Use of -j SET requires that ipset kernel support is provided. As standard
-kernels do not ship this currently, the ipset or Xtables-addons package needs
-to be installed.
+Use of -j SET requires that ipset kernel support is provided, which, for
+standard kernels, is the case since Linux 2.6.39.
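Review bot: the two added lines drop the pointer to the ipset or Xtables-addons package, which is still what a reader on a kernel older than 2.6.39 needs in order to use -j SET. Suggest keeping a short clause for that case, for example "on older kernels, the ipset or Xtables-addons package needs to be installed".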
diff --git a/extensions/libxt_set.man b/extensions/libxt_set.man
index 01b115f..1ad9085 100644
--- a/extensions/libxt_set.man
+++ b/extensions/libxt_set.man
@@ -18,6 +18,5 @@ found in the specified set.
The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does
not clash with an option of other extensions.
.PP
-Use of -m set requires that ipset kernel support is provided. As standard
-kernels do not ship this currently, the ipset or Xtables-addons package needs
-to be installed.
+Use of -m set requires that ipset kernel support is provided, which, for
+standard kernels, is the case since Linux 2.6.39.
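Review bot: in the first added line, "-m set" is written with a bare hyphen and no font markup, while the context lines just above use \fB\-\-match\-set\fP and \fB\-\-set\fP. Since the sentence is being rewritten anyway, consider \fB\-m set\fP so the option renders consistently; the same applies to "-j SET" in the libxt_SET.man hunk.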
--
1.7.3.4
* [PATCH 3/6] libxt_tcp: always print the mask parts
2011-08-20 19:24 Fixes to iptables-1.4.12 Jan Engelhardt
2011-08-20 19:24 ` [PATCH 1/6] libxt_u32: fix missing allowance for inversion Jan Engelhardt
2011-08-20 19:24 ` [PATCH 2/6] libxt_set: update man page about kernel support on the feature Jan Engelhardt
@ 2011-08-20 19:24 ` Jan Engelhardt
2011-08-20 19:24 ` [PATCH 4/6] doc: fix typo in libxt_TRACE Jan Engelhardt
` (3 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Jan Engelhardt @ 2011-08-20 19:24 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
0xFF is unlikely to happen (given that ALL translates to 0x3F at
most), but assuming that through magic, 0xFF was put into memory,
iptables -S/iptables-save would ignore printing it, practically
outputting just one argument to --tcp-flags which currently wants two.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_tcp.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 3940d91..e849fa2 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -357,9 +357,7 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match)
if (tcpinfo->invflags & XT_TCP_INV_FLAGS)
printf(" !");
printf(" --tcp-flags ");
- if (tcpinfo->flg_mask != 0xFF) {
- print_tcpf(tcpinfo->flg_mask);
- }
+ print_tcpf(tcpinfo->flg_mask);
printf(" ");
print_tcpf(tcpinfo->flg_cmp);
}
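Review bot: with the `!= 0xFF` guard gone, print_tcpf(tcpinfo->flg_mask) is now called for 0xFF too, and the commit message says ALL covers 0x3F at most. Please confirm what print_tcpf emits for the upper two bits and that the result is something --tcp-flags will parse again on restore; otherwise the output is still not round-trippable, just in a different way. Only tcp_save is touched here, so it is also worth checking whether the print path carries the same special case.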
--
1.7.3.4
* [PATCH 4/6] doc: fix typo in libxt_TRACE
2011-08-20 19:24 Fixes to iptables-1.4.12 Jan Engelhardt
` (2 preceding siblings ...)
2011-08-20 19:24 ` [PATCH 3/6] libxt_tcp: always print the mask parts Jan Engelhardt
@ 2011-08-20 19:24 ` Jan Engelhardt
2011-08-20 19:24 ` [PATCH 5/6] libxt_set: put differing variable names in directly Jan Engelhardt
` (2 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Jan Engelhardt @ 2011-08-20 19:24 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Bernard Massot <bernard@massot.ath.cx>
References: http://bugzilla.netfilter.org/show_bug.cgi?id=736
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_TRACE.man | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/extensions/libxt_TRACE.man b/extensions/libxt_TRACE.man
index ea0ce0f..8d590a5 100644
--- a/extensions/libxt_TRACE.man
+++ b/extensions/libxt_TRACE.man
@@ -1,4 +1,4 @@
-This target marks packes so that the kernel will log every rule which match
+This target marks packets so that the kernel will log every rule which match
the packets as those traverse the tables, chains, rules.
.PP
A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
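Review bot: the corrected line still reads "every rule which match the packets"; the verb should agree with "rule". Since the line is being touched anyway, suggest "every rule which matches the packets" in the same patch.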
--
1.7.3.4
* [PATCH 5/6] libxt_set: put differing variable names in directly
2011-08-20 19:24 Fixes to iptables-1.4.12 Jan Engelhardt
` (3 preceding siblings ...)
2011-08-20 19:24 ` [PATCH 4/6] doc: fix typo in libxt_TRACE Jan Engelhardt
@ 2011-08-20 19:24 ` Jan Engelhardt
2011-08-20 19:24 ` [PATCH 6/6] libxt_string: fix space around arguments Jan Engelhardt
2011-08-21 9:31 ` Fixes to iptables-1.4.12 Patrick McHardy
6 siblings, 0 replies; 11+ messages in thread
From: Jan Engelhardt @ 2011-08-20 19:24 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_SET.c | 13 +++----------
extensions/libxt_set.c | 11 +++--------
2 files changed, 6 insertions(+), 18 deletions(-)
diff --git a/extensions/libxt_SET.c b/extensions/libxt_SET.c
index 0446603..a11db39 100644
--- a/extensions/libxt_SET.c
+++ b/extensions/libxt_SET.c
@@ -143,9 +143,6 @@ set_target_save_v0(const void *ip, const struct xt_entry_target *target)
}
/* Revision 1 */
-
-#define set_target_help_v1 set_target_help_v0
-
static void
set_target_init_v1(struct xt_entry_target *target)
{
@@ -204,8 +201,6 @@ set_target_parse_v1(int c, char **argv, int invert, unsigned int *flags,
return 1;
}
-#define set_target_check_v1 set_target_check_v0
-
static void
print_target(const char *prefix, const struct xt_set_info *info)
{
@@ -242,8 +237,6 @@ set_target_save_v1(const void *ip, const struct xt_entry_target *target)
print_target("--del-set", &info->del_set);
}
-#define set_target_opts_v1 set_target_opts_v0
-
/* Revision 2 */
static void
@@ -376,13 +369,13 @@ static struct xtables_target set_tg_reg[] = {
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_set_info_target_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_set_info_target_v1)),
- .help = set_target_help_v1,
+ .help = set_target_help_v0,
.init = set_target_init_v1,
.parse = set_target_parse_v1,
- .final_check = set_target_check_v1,
+ .final_check = set_target_check_v0,
.print = set_target_print_v1,
.save = set_target_save_v1,
- .extra_opts = set_target_opts_v1,
+ .extra_opts = set_target_opts_v0,
},
{
.name = "SET",
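Review bot: in this set_tg_reg entry, .help, .final_check and .extra_opts now name _v0 symbols while .init, .parse, .print and .save name _v1 symbols, and nothing in the initializer says the mix is intentional. A short comment in the entry noting that these three callbacks are shared with revision 0 would keep a later reader from treating them as copy-paste mistakes. Please also check that the following "SET" entry uses the same convention, so the table is consistent.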
diff --git a/extensions/libxt_set.c b/extensions/libxt_set.c
index 6b39147..77e3f07 100644
--- a/extensions/libxt_set.c
+++ b/extensions/libxt_set.c
@@ -128,11 +128,6 @@ set_save_v0(const void *ip, const struct xt_entry_match *match)
}
/* Revision 1 */
-
-#define set_help_v1 set_help_v0
-#define set_opts_v1 set_opts_v0
-#define set_check_v1 set_check_v0
-
static int
set_parse_v1(int c, char **argv, int invert, unsigned int *flags,
const void *entry, struct xt_entry_match **match)
@@ -232,12 +227,12 @@ static struct xtables_match set_mt_reg[] = {
.family = NFPROTO_UNSPEC,
.size = XT_ALIGN(sizeof(struct xt_set_info_match_v1)),
.userspacesize = XT_ALIGN(sizeof(struct xt_set_info_match_v1)),
- .help = set_help_v1,
+ .help = set_help_v0,
.parse = set_parse_v1,
- .final_check = set_check_v1,
+ .final_check = set_check_v0,
.print = set_print_v1,
.save = set_save_v1,
- .extra_opts = set_opts_v1,
+ .extra_opts = set_opts_v0,
},
};
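Review bot: the three replaced initializers (.help, .final_check, .extra_opts) resolve to the same symbols as before, because the removed set_help_v1, set_opts_v1 and set_check_v1 macros were plain aliases, so this should not change behaviour. The commit message has no body saying so; please add a line stating that no functional change is intended, so the patch can be skipped when bisecting.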
--
1.7.3.4
* [PATCH 6/6] libxt_string: fix space around arguments
2011-08-20 19:24 Fixes to iptables-1.4.12 Jan Engelhardt
` (4 preceding siblings ...)
2011-08-20 19:24 ` [PATCH 5/6] libxt_set: put differing variable names in directly Jan Engelhardt
@ 2011-08-20 19:24 ` Jan Engelhardt
2011-08-21 9:31 ` Fixes to iptables-1.4.12 Patrick McHardy
6 siblings, 0 replies; 11+ messages in thread
From: Jan Engelhardt @ 2011-08-20 19:24 UTC (permalink / raw)
To: kaber; +Cc: netfilter-devel
From: Dwight Davis <sivad_thgiwd@yahoo.ca>
Fix oversight from commit v1.4.11~80.
References: http://bugs.debian.org/637499
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
extensions/libxt_string.c | 4 ++--
tests/options-most.rules | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 8cee335..257f5f8 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -229,7 +229,7 @@ print_hex_string(const char *str, const unsigned short int len)
{
unsigned int i;
/* start hex block */
- printf("\"|");
+ printf(" \"|");
for (i=0; i < len; i++) {
/* see if we need to prepend a zero */
if ((unsigned char) str[i] <= 0x0F)
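Review bot: moving the separator to the front in printf(" \"|") changes the contract of print_hex_string from "trailing space" to "leading space", but the callers are not in the diff. Please confirm that whatever prints --hex-string before calling this function no longer emits its own trailing space, and that the plain-string counterpart follows the same convention, so the saved rule has exactly one space on each side of the argument.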
@@ -238,7 +238,7 @@ print_hex_string(const char *str, const unsigned short int len)
printf("%x", (unsigned char) str[i]);
}
/* close hex block */
- printf("|\" ");
+ printf("|\"");
}
static void
diff --git a/tests/options-most.rules b/tests/options-most.rules
index c2e30f2..4a3cd99 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -37,6 +37,7 @@
-A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource
-A INPUT -p tcp -m socket --transparent
-A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase
+-A INPUT -p tcp -m string --hex-string "|00|" --algo kmp --from 1 --to 2 --icase
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-A INPUT -p tcp -m tos --tos 0xff/0x01
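Review bot: the added rule covers only `--hex-string "|00|"`, a single byte that takes the zero-prepend branch (`<= 0x0F`) in print_hex_string. Consider a multi-byte value that also includes a byte above 0x0F, and an inverted `! --hex-string` rule, so the spacing fix is checked on both branches and in combination with the "!" prefix.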
--
1.7.3.4
* Re: Fixes to iptables-1.4.12
2011-08-20 19:24 Fixes to iptables-1.4.12 Jan Engelhardt
` (5 preceding siblings ...)
2011-08-20 19:24 ` [PATCH 6/6] libxt_string: fix space around arguments Jan Engelhardt
@ 2011-08-21 9:31 ` Patrick McHardy
6 siblings, 0 replies; 11+ messages in thread
From: Patrick McHardy @ 2011-08-21 9:31 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
On 20.08.2011 21:24, Jan Engelhardt wrote:
> The following changes since commit 91ca4603f649a9b9fed4f2e31a8c005cdbdacd1e:
>
> Merge branch 'master' of git://dev.medozas.de/iptables (2011-08-09 13:23:17 +0200)
>
> are available in the git repository at:
>
> git://dev.medozas.de/iptables master
>
> Bernard Massot (1):
> doc: fix typo in libxt_TRACE
>
> Dwight Davis (1):
> libxt_string: fix space around arguments
>
> Jan Engelhardt (4):
> libxt_u32: fix missing allowance for inversion
> libxt_set: update man page about kernel support on the feature
> libxt_tcp: always print the mask parts
> libxt_set: put differing variable names in directly
>
Pulled, thanks Jan.