diff options
-rw-r--r-- | net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch | 235 | ||||
-rw-r--r-- | net-firewall/nftables/nftables-1.0.8-r2.ebuild | 223 |
2 files changed, 458 insertions, 0 deletions
diff --git a/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch b/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch new file mode 100644 index 000000000000..1b81ab0e6ef2 --- /dev/null +++ b/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch @@ -0,0 +1,235 @@ +https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230719001444.154070-1-pablo@netfilter.org/ +https://git.netfilter.org/nftables/commit/?id=5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 + +From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Tue, 18 Jul 2023 23:10:01 +0200 +Subject: meta: stash context statement length when generating payload/meta + dependency + +... meta mark set ip dscp + +generates an implicit dependency from the inet family to match on meta +nfproto ip. + +The length of this implicit expression is incorrectly adjusted to the +statement length, ie. relational to compare meta nfproto takes 4 bytes +instead of 1 byte. The evaluation of 'ip dscp' under the meta mark +statement triggers this implicit dependency which should not consider +the context statement length since it is added before the statement +itself. + +This problem shows when listing the ruleset, since netlink_parse_cmp() +where left->len < right->len, hence handling the implicit dependency as +a concatenation, but it is actually a bug in the evaluation step that +leads to incorrect bytecode. + +Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation") +Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand") +Tested-by: Brian Davidson <davidson.brian@gmail.com> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- a/src/payload.c ++++ b/src/payload.c +@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx, + const struct proto_hdr_template *tmpl; + struct expr *dep, *left, *right; + struct proto_ctx *pctx; ++ unsigned int stmt_len; + struct stmt *stmt; + int protocol; + +@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx, + constant_data_ptr(protocol, tmpl->len)); + + dep = relational_expr_alloc(&expr->location, OP_EQ, left, right); ++ ++ stmt_len = ctx->stmt_len; ++ ctx->stmt_len = 0; ++ + stmt = expr_stmt_alloc(&dep->location, dep); + if (stmt_evaluate(ctx, stmt) < 0) { + return expr_error(ctx->msgs, expr, + "dependency statement is invalid"); + } ++ ctx->stmt_len = stmt_len; + + if (ctx->inner_desc) { + if (tmpl->meta_key) +@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, + const struct hook_proto_desc *h; + const struct proto_desc *desc; + struct proto_ctx *pctx; ++ unsigned int stmt_len; + struct stmt *stmt; + uint16_t type; + +@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr, + "protocol specification is invalid " + "for this family"); + ++ stmt_len = ctx->stmt_len; ++ ctx->stmt_len = 0; ++ + stmt = meta_stmt_meta_iiftype(&expr->location, type); + if (stmt_evaluate(ctx, stmt) < 0) { + return expr_error(ctx->msgs, expr, + "dependency statement is invalid"); + } + *res = stmt; ++ ++ ctx->stmt_len = stmt_len; ++ + return 0; + } + +--- a/tests/py/inet/meta.t ++++ b/tests/py/inet/meta.t +@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok + meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok + ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok + ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok ++ ++meta mark set ip dscp;ok ++meta mark set ip dscp | 0x40;ok ++meta mark set ip6 dscp;ok ++meta mark set ip6 dscp | 0x40;ok +--- a/tests/py/inet/meta.t.json ++++ b/tests/py/inet/meta.t.json +@@ -440,3 +440,89 @@ + } + ] + ++# meta mark set ip dscp ++[ ++ { ++ "mangle": { ++ "key": { ++ "meta": { ++ "key": "mark" ++ } ++ }, ++ "value": { ++ "payload": { ++ "field": "dscp", ++ "protocol": "ip" ++ } ++ } ++ } ++ } ++] ++ ++# meta mark set ip dscp | 0x40 ++[ ++ { ++ "mangle": { ++ "key": { ++ "meta": { ++ "key": "mark" ++ } ++ }, ++ "value": { ++ "|": [ ++ { ++ "payload": { ++ "field": "dscp", ++ "protocol": "ip" ++ } ++ }, ++ 64 ++ ] ++ } ++ } ++ } ++] ++ ++# meta mark set ip6 dscp ++[ ++ { ++ "mangle": { ++ "key": { ++ "meta": { ++ "key": "mark" ++ } ++ }, ++ "value": { ++ "payload": { ++ "field": "dscp", ++ "protocol": "ip6" ++ } ++ } ++ } ++ } ++] ++ ++# meta mark set ip6 dscp | 0x40 ++[ ++ { ++ "mangle": { ++ "key": { ++ "meta": { ++ "key": "mark" ++ } ++ }, ++ "value": { ++ "|": [ ++ { ++ "payload": { ++ "field": "dscp", ++ "protocol": "ip6" ++ } ++ }, ++ 64 ++ ] ++ } ++ } ++ } ++] ++ +--- a/tests/py/inet/meta.t.payload ++++ b/tests/py/inet/meta.t.payload +@@ -133,3 +133,43 @@ inet test-inet input + [ meta load mark => reg 9 ] + [ lookup reg 1 set __set%d ] + ++# meta mark set ip dscp ++inet test-inet input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x00000002 ] ++ [ payload load 1b @ network header + 1 => reg 1 ] ++ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] ++ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] ++ [ meta set mark with reg 1 ] ++ ++# meta mark set ip dscp | 0x40 ++inet test-inet input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x00000002 ] ++ [ payload load 1b @ network header + 1 => reg 1 ] ++ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ] ++ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ] ++ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] ++ [ meta set mark with reg 1 ] ++ ++# meta mark set ip6 dscp ++inet test-inet input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x0000000a ] ++ [ payload load 2b @ network header + 0 => reg 1 ] ++ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] ++ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] ++ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] ++ [ meta set mark with reg 1 ] ++ ++# meta mark set ip6 dscp | 0x40 ++inet test-inet input ++ [ meta load nfproto => reg 1 ] ++ [ cmp eq reg 1 0x0000000a ] ++ [ payload load 2b @ network header + 0 => reg 1 ] ++ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ] ++ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ] ++ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ] ++ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ] ++ [ meta set mark with reg 1 ] ++ +-- +cgit v1.2.3 diff --git a/net-firewall/nftables/nftables-1.0.8-r2.ebuild b/net-firewall/nftables/nftables-1.0.8-r2.ebuild new file mode 100644 index 000000000000..d19cafc3218a --- /dev/null +++ b/net-firewall/nftables/nftables-1.0.8-r2.ebuild @@ -0,0 +1,223 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DISTUTILS_OPTIONAL=1 +DISTUTILS_USE_PEP517=setuptools +PYTHON_COMPAT=( python3_{10..11} ) +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc +inherit edo linux-info distutils-r1 systemd verify-sig + +DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools" +HOMEPAGE="https://netfilter.org/projects/nftables/" + +if [[ ${PV} =~ ^[9]{4,}$ ]]; then + inherit autotools git-r3 + EGIT_REPO_URI="https://git.netfilter.org/${PN}" + BDEPEND="sys-devel/bison" +else + SRC_URI=" + https://netfilter.org/projects/nftables/files/${P}.tar.xz + verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig ) + " + KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" + BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )" +fi + +# See COPYING: new code is GPL-2+, existing code is GPL-2 +LICENSE="GPL-2 GPL-2+" +SLOT="0/1" +IUSE="debug doc +gmp json libedit python +readline static-libs test xtables" +RESTRICT="!test? ( test )" + +RDEPEND=" + >=net-libs/libmnl-1.0.4:= + >=net-libs/libnftnl-1.2.6:= + gmp? ( dev-libs/gmp:= ) + json? ( dev-libs/jansson:= ) + python? ( ${PYTHON_DEPS} ) + readline? ( sys-libs/readline:= ) + xtables? ( >=net-firewall/iptables-1.6.1:= ) +" +DEPEND="${RDEPEND}" +BDEPEND+=" + sys-devel/flex + virtual/pkgconfig + doc? ( + app-text/asciidoc + >=app-text/docbook2X-0.8.8-r4 + ) + python? ( ${DISTUTILS_DEPS} ) +" + +REQUIRED_USE=" + python? ( ${PYTHON_REQUIRED_USE} ) + libedit? ( !readline ) +" + +PATCHES=( + "${FILESDIR}"/${P}-fix-regression-evaluate.patch +) + +src_prepare() { + default + + if [[ ${PV} =~ ^[9]{4,}$ ]] ; then + eautoreconf + fi + + if use python; then + pushd py >/dev/null || die + distutils-r1_src_prepare + popd >/dev/null || die + fi +} + +src_configure() { + local myeconfargs=( + # We handle python separately + --disable-python + --disable-static + --sbindir="${EPREFIX}"/sbin + $(use_enable debug) + $(use_enable doc man-doc) + $(use_with !gmp mini_gmp) + $(use_with json) + $(use_with libedit cli editline) + $(use_with readline cli readline) + $(use_enable static-libs static) + $(use_with xtables) + ) + econf "${myeconfargs[@]}" + + if use python; then + pushd py >/dev/null || die + distutils-r1_src_configure + popd >/dev/null || die + fi +} + +src_compile() { + default + + if use python; then + pushd py >/dev/null || die + distutils-r1_src_compile + popd >/dev/null || die + fi +} + +src_test() { + emake check + + if [[ ${EUID} == 0 ]]; then + edo tests/shell/run-tests.sh -v + else + ewarn "Skipping shell tests (requires root)" + fi + + # Need to rig up Python eclass if using this, but it doesn't seem to work + # for me anyway. + #cd tests/py || die + #"${EPYTHON}" nft-test.py || die +} + +src_install() { + default + + if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then + pushd doc >/dev/null || die + doman *.? + popd >/dev/null || die + fi + + # Do it here instead of in src_prepare to avoid eautoreconf + # rmdir lets us catch if more files end up installed in /etc/nftables + dodir /usr/share/doc/${PF}/skels/ + mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die + rmdir "${ED}"/etc/nftables || die + + exeinto /usr/libexec/${PN} + newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh + newconfd "${FILESDIR}"/${PN}-mk.confd ${PN} + newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN} + keepdir /var/lib/nftables + + systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service + + if use python ; then + pushd py >/dev/null || die + distutils-r1_src_install + popd >/dev/null || die + fi + + find "${ED}" -type f -name "*.la" -delete || die +} + +pkg_preinst() { + local stderr + + # There's a history of regressions with nftables upgrades. Perform a + # safety check to help us spot them earlier. For the check to pass, the + # currently loaded ruleset, if any, must be successfully evaluated by + # the newly built instance of nft(8). + if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then + # Either nftables isn't yet in use or nft(8) cannot be executed. + return + elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then + # Report errors induced by trying to list the ruleset but don't + # treat them as being fatal. + printf '%s\n' "${stderr}" >&2 + elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then + # Rulesets generated by iptables-nft are special in nature and + # will not always be printed in a way that constitutes a valid + # syntax for ntf(8). Ignore them. + return + elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then + eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of" + eerror "nft. This probably means that there is a regression introduced by v${PV}." + eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)" + if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then + die "Aborting because of failed nft reload!" + fi + fi +} + +pkg_postinst() { + local save_file + save_file="${EROOT}"/var/lib/nftables/rules-save + + # In order for the nftables-restore systemd service to start + # the save_file must exist. + if [[ ! -f "${save_file}" ]]; then + ( umask 177; touch "${save_file}" ) + elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then + ewarn "Your system has dangerous permissions for ${save_file}" + ewarn "It is probably affected by bug #691326." + ewarn "You may need to fix the permissions of the file. To do so," + ewarn "you can run the command in the line below as root." + ewarn " 'chmod 600 \"${save_file}\"'" + fi + + if has_version 'sys-apps/systemd'; then + elog "If you wish to enable the firewall rules on boot (on systemd) you" + elog "will need to enable the nftables-restore service." + elog " 'systemctl enable ${PN}-restore.service'" + elog + elog "If you are creating firewall rules before the next system restart" + elog "the nftables-restore service must be manually started in order to" + elog "save those rules on shutdown." + fi + + if has_version 'sys-apps/openrc'; then + elog "If you wish to enable the firewall rules on boot (on openrc) you" + elog "will need to enable the nftables service." + elog " 'rc-update add ${PN} default'" + elog + elog "If you are creating or updating the firewall rules and wish to save" + elog "them to be loaded on the next restart, use the \"save\" functionality" + elog "in the init script." + elog " 'rc-service ${PN} save'" + fi +} |