summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch235
-rw-r--r--net-firewall/nftables/nftables-1.0.8-r2.ebuild223
2 files changed, 458 insertions, 0 deletions
diff --git a/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch b/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch
new file mode 100644
index 000000000000..1b81ab0e6ef2
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.8-fix-regression-evaluate.patch
@@ -0,0 +1,235 @@
+https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230719001444.154070-1-pablo@netfilter.org/
+https://git.netfilter.org/nftables/commit/?id=5f1676ac9f1aeb36d7695c3c354dade013a1e4f3
+
+From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 18 Jul 2023 23:10:01 +0200
+Subject: meta: stash context statement length when generating payload/meta
+ dependency
+
+... meta mark set ip dscp
+
+generates an implicit dependency from the inet family to match on meta
+nfproto ip.
+
+The length of this implicit expression is incorrectly adjusted to the
+statement length, ie. relational to compare meta nfproto takes 4 bytes
+instead of 1 byte. The evaluation of 'ip dscp' under the meta mark
+statement triggers this implicit dependency which should not consider
+the context statement length since it is added before the statement
+itself.
+
+This problem shows when listing the ruleset, since netlink_parse_cmp()
+where left->len < right->len, hence handling the implicit dependency as
+a concatenation, but it is actually a bug in the evaluation step that
+leads to incorrect bytecode.
+
+Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation")
+Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand")
+Tested-by: Brian Davidson <davidson.brian@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx,
+ const struct proto_hdr_template *tmpl;
+ struct expr *dep, *left, *right;
+ struct proto_ctx *pctx;
++ unsigned int stmt_len;
+ struct stmt *stmt;
+ int protocol;
+
+@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx,
+ constant_data_ptr(protocol, tmpl->len));
+
+ dep = relational_expr_alloc(&expr->location, OP_EQ, left, right);
++
++ stmt_len = ctx->stmt_len;
++ ctx->stmt_len = 0;
++
+ stmt = expr_stmt_alloc(&dep->location, dep);
+ if (stmt_evaluate(ctx, stmt) < 0) {
+ return expr_error(ctx->msgs, expr,
+ "dependency statement is invalid");
+ }
++ ctx->stmt_len = stmt_len;
+
+ if (ctx->inner_desc) {
+ if (tmpl->meta_key)
+@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ const struct hook_proto_desc *h;
+ const struct proto_desc *desc;
+ struct proto_ctx *pctx;
++ unsigned int stmt_len;
+ struct stmt *stmt;
+ uint16_t type;
+
+@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ "protocol specification is invalid "
+ "for this family");
+
++ stmt_len = ctx->stmt_len;
++ ctx->stmt_len = 0;
++
+ stmt = meta_stmt_meta_iiftype(&expr->location, type);
+ if (stmt_evaluate(ctx, stmt) < 0) {
+ return expr_error(ctx->msgs, expr,
+ "dependency statement is invalid");
+ }
+ *res = stmt;
++
++ ctx->stmt_len = stmt_len;
++
+ return 0;
+ }
+
+--- a/tests/py/inet/meta.t
++++ b/tests/py/inet/meta.t
+@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok
+ meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
+ ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
+ ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok
++
++meta mark set ip dscp;ok
++meta mark set ip dscp | 0x40;ok
++meta mark set ip6 dscp;ok
++meta mark set ip6 dscp | 0x40;ok
+--- a/tests/py/inet/meta.t.json
++++ b/tests/py/inet/meta.t.json
+@@ -440,3 +440,89 @@
+ }
+ ]
+
++# meta mark set ip dscp
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip"
++ }
++ }
++ }
++ }
++]
++
++# meta mark set ip dscp | 0x40
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "|": [
++ {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip"
++ }
++ },
++ 64
++ ]
++ }
++ }
++ }
++]
++
++# meta mark set ip6 dscp
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip6"
++ }
++ }
++ }
++ }
++]
++
++# meta mark set ip6 dscp | 0x40
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "|": [
++ {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip6"
++ }
++ },
++ 64
++ ]
++ }
++ }
++ }
++]
++
+--- a/tests/py/inet/meta.t.payload
++++ b/tests/py/inet/meta.t.payload
+@@ -133,3 +133,43 @@ inet test-inet input
+ [ meta load mark => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
++# meta mark set ip dscp
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x00000002 ]
++ [ payload load 1b @ network header + 1 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip dscp | 0x40
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x00000002 ]
++ [ payload load 1b @ network header + 1 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
++ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip6 dscp
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x0000000a ]
++ [ payload load 2b @ network header + 0 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
++ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip6 dscp | 0x40
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x0000000a ]
++ [ payload load 2b @ network header + 0 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
++ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
++ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
++ [ meta set mark with reg 1 ]
++
+--
+cgit v1.2.3
diff --git a/net-firewall/nftables/nftables-1.0.8-r2.ebuild b/net-firewall/nftables/nftables-1.0.8-r2.ebuild
new file mode 100644
index 000000000000..d19cafc3218a
--- /dev/null
+++ b/net-firewall/nftables/nftables-1.0.8-r2.ebuild
@@ -0,0 +1,223 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_OPTIONAL=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{10..11} )
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/netfilter.org.asc
+inherit edo linux-info distutils-r1 systemd verify-sig
+
+DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
+HOMEPAGE="https://netfilter.org/projects/nftables/"
+
+if [[ ${PV} =~ ^[9]{4,}$ ]]; then
+ inherit autotools git-r3
+ EGIT_REPO_URI="https://git.netfilter.org/${PN}"
+ BDEPEND="sys-devel/bison"
+else
+ SRC_URI="
+ https://netfilter.org/projects/nftables/files/${P}.tar.xz
+ verify-sig? ( https://netfilter.org/projects/nftables/files/${P}.tar.xz.sig )
+ "
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-netfilter )"
+fi
+
+# See COPYING: new code is GPL-2+, existing code is GPL-2
+LICENSE="GPL-2 GPL-2+"
+SLOT="0/1"
+IUSE="debug doc +gmp json libedit python +readline static-libs test xtables"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+ >=net-libs/libmnl-1.0.4:=
+ >=net-libs/libnftnl-1.2.6:=
+ gmp? ( dev-libs/gmp:= )
+ json? ( dev-libs/jansson:= )
+ python? ( ${PYTHON_DEPS} )
+ readline? ( sys-libs/readline:= )
+ xtables? ( >=net-firewall/iptables-1.6.1:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND+="
+ sys-devel/flex
+ virtual/pkgconfig
+ doc? (
+ app-text/asciidoc
+ >=app-text/docbook2X-0.8.8-r4
+ )
+ python? ( ${DISTUTILS_DEPS} )
+"
+
+REQUIRED_USE="
+ python? ( ${PYTHON_REQUIRED_USE} )
+ libedit? ( !readline )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-fix-regression-evaluate.patch
+)
+
+src_prepare() {
+ default
+
+ if [[ ${PV} =~ ^[9]{4,}$ ]] ; then
+ eautoreconf
+ fi
+
+ if use python; then
+ pushd py >/dev/null || die
+ distutils-r1_src_prepare
+ popd >/dev/null || die
+ fi
+}
+
+src_configure() {
+ local myeconfargs=(
+ # We handle python separately
+ --disable-python
+ --disable-static
+ --sbindir="${EPREFIX}"/sbin
+ $(use_enable debug)
+ $(use_enable doc man-doc)
+ $(use_with !gmp mini_gmp)
+ $(use_with json)
+ $(use_with libedit cli editline)
+ $(use_with readline cli readline)
+ $(use_enable static-libs static)
+ $(use_with xtables)
+ )
+ econf "${myeconfargs[@]}"
+
+ if use python; then
+ pushd py >/dev/null || die
+ distutils-r1_src_configure
+ popd >/dev/null || die
+ fi
+}
+
+src_compile() {
+ default
+
+ if use python; then
+ pushd py >/dev/null || die
+ distutils-r1_src_compile
+ popd >/dev/null || die
+ fi
+}
+
+src_test() {
+ emake check
+
+ if [[ ${EUID} == 0 ]]; then
+ edo tests/shell/run-tests.sh -v
+ else
+ ewarn "Skipping shell tests (requires root)"
+ fi
+
+ # Need to rig up Python eclass if using this, but it doesn't seem to work
+ # for me anyway.
+ #cd tests/py || die
+ #"${EPYTHON}" nft-test.py || die
+}
+
+src_install() {
+ default
+
+ if ! use doc && [[ ! ${PV} =~ ^[9]{4,}$ ]]; then
+ pushd doc >/dev/null || die
+ doman *.?
+ popd >/dev/null || die
+ fi
+
+ # Do it here instead of in src_prepare to avoid eautoreconf
+ # rmdir lets us catch if more files end up installed in /etc/nftables
+ dodir /usr/share/doc/${PF}/skels/
+ mv "${ED}"/etc/nftables/osf "${ED}"/usr/share/doc/${PF}/skels/osf || die
+ rmdir "${ED}"/etc/nftables || die
+
+ exeinto /usr/libexec/${PN}
+ newexe "${FILESDIR}"/libexec/${PN}-mk.sh ${PN}.sh
+ newconfd "${FILESDIR}"/${PN}-mk.confd ${PN}
+ newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
+ keepdir /var/lib/nftables
+
+ systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+
+ if use python ; then
+ pushd py >/dev/null || die
+ distutils-r1_src_install
+ popd >/dev/null || die
+ fi
+
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_preinst() {
+ local stderr
+
+ # There's a history of regressions with nftables upgrades. Perform a
+ # safety check to help us spot them earlier. For the check to pass, the
+ # currently loaded ruleset, if any, must be successfully evaluated by
+ # the newly built instance of nft(8).
+ if [[ -n ${ROOT} ]] || [[ ! -d /sys/module/nftables ]] || [[ ! -x /sbin/nft ]]; then
+ # Either nftables isn't yet in use or nft(8) cannot be executed.
+ return
+ elif ! stderr=$(umask 177; /sbin/nft -t list ruleset 2>&1 >"${T}"/ruleset.nft); then
+ # Report errors induced by trying to list the ruleset but don't
+ # treat them as being fatal.
+ printf '%s\n' "${stderr}" >&2
+ elif [[ ${stderr} == *"is managed by iptables-nft"* ]]; then
+ # Rulesets generated by iptables-nft are special in nature and
+ # will not always be printed in a way that constitutes a valid
+ # syntax for ntf(8). Ignore them.
+ return
+ elif set -- "${ED}"/usr/lib*/libnftables.so; ! LD_LIBRARY_PATH=${1%/*} "${ED}"/sbin/nft -c -f -- "${T}"/ruleset.nft; then
+ eerror "Your currently loaded ruleset cannot be parsed by the newly built instance of"
+ eerror "nft. This probably means that there is a regression introduced by v${PV}."
+ eerror "(To make the ebuild fail instead of warning, set NFTABLES_ABORT_ON_RELOAD_FAILURE=1.)"
+ if [[ -n ${NFTABLES_ABORT_ON_RELOAD_FAILURE} ]] ; then
+ die "Aborting because of failed nft reload!"
+ fi
+ fi
+}
+
+pkg_postinst() {
+ local save_file
+ save_file="${EROOT}"/var/lib/nftables/rules-save
+
+ # In order for the nftables-restore systemd service to start
+ # the save_file must exist.
+ if [[ ! -f "${save_file}" ]]; then
+ ( umask 177; touch "${save_file}" )
+ elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
+ ewarn "Your system has dangerous permissions for ${save_file}"
+ ewarn "It is probably affected by bug #691326."
+ ewarn "You may need to fix the permissions of the file. To do so,"
+ ewarn "you can run the command in the line below as root."
+ ewarn " 'chmod 600 \"${save_file}\"'"
+ fi
+
+ if has_version 'sys-apps/systemd'; then
+ elog "If you wish to enable the firewall rules on boot (on systemd) you"
+ elog "will need to enable the nftables-restore service."
+ elog " 'systemctl enable ${PN}-restore.service'"
+ elog
+ elog "If you are creating firewall rules before the next system restart"
+ elog "the nftables-restore service must be manually started in order to"
+ elog "save those rules on shutdown."
+ fi
+
+ if has_version 'sys-apps/openrc'; then
+ elog "If you wish to enable the firewall rules on boot (on openrc) you"
+ elog "will need to enable the nftables service."
+ elog " 'rc-update add ${PN} default'"
+ elog
+ elog "If you are creating or updating the firewall rules and wish to save"
+ elog "them to be loaded on the next restart, use the \"save\" functionality"
+ elog "in the init script."
+ elog " 'rc-service ${PN} save'"
+ fi
+}