From d8a888de4dd307791110687fce507e9e0040b924 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Mar 18 2019 11:30:26 +0000 Subject: arptables-0.0.4-16 - Integrate with alternatives - Split systemd service into sub-package - Rename arptables RPM into arptables-legacy - Add recent upstream changes --- diff --git a/0001-build-an-libarptc.a-archive.patch b/0001-build-an-libarptc.a-archive.patch new file mode 100644 index 0000000..395abec --- /dev/null +++ b/0001-build-an-libarptc.a-archive.patch @@ -0,0 +1,48 @@ +From cf6e4aa648c4555bee35c39a72fa5a9eb3f7ce97 Mon Sep 17 00:00:00 2001 +From: Jonh Wendell +Date: Sun, 24 Feb 2013 10:53:52 +0100 +Subject: [PATCH] build an libarptc.a archive + +this allows programs to statically link against libarptc. + +(cherry picked from commit b064d44bd2581444108b1bdf8de1b8752246321f) +Signed-off-by: Phil Sutter +--- + Makefile | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 9a7bea4643de8..38158d9e98ab4 100644 +--- a/Makefile ++++ b/Makefile +@@ -19,7 +19,7 @@ endif + + include extensions/Makefile + +-all: arptables ++all: arptables libarptc/libarptc.a + + arptables.o: arptables.c + $(CC) $(CFLAGS) -c -o $@ $< +@@ -30,6 +30,9 @@ arptables-standalone.o: arptables-standalone.c + libarptc/libarptc.o: libarptc/libarptc.c libarptc/libarptc_incl.c + $(CC) $(CFLAGS) -c -o $@ $< + ++libarptc/libarptc.a: libarptc/libarptc.o ++ $(AR) rcs $@ $< ++ + arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ + +@@ -62,7 +65,7 @@ clean: + rm -f arptables + rm -f *.o *~ + rm -f extensions/*.o extensions/*~ +- rm -f libarptc/*.o libarptc/*~ ++ rm -f libarptc/*.o libarptc/*~ libarptc/*.a + rm -f include/*~ include/libarptc/*~ + + DIR:=arptables-v$(ARPTABLES_VERSION) +-- +2.21.0 + 
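Review bot: Nothing consumes or installs the new `libarptc/libarptc.a` target: it is added to `all`, but the `arptables:` rule directly below still links `libarptc/libarptc.o`, and the `install` target (outside this hunk) is not touched, so the archive is built and then discarded unless a packaging step outside this patch picks it up. If the point of the cherry-pick is that external programs can statically link libarptc, add an install rule for the archive (and its headers), or at least link `arptables` against `libarptc/libarptc.a` so the target is exercised by the build. The `clean` change is fine; `$(AR) rcs` already runs the index step, so no separate `ranlib` is needed.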
diff --git a/0002-make-static-analysis-tool-happy-false-positive.patch b/0002-make-static-analysis-tool-happy-false-positive.patch new file mode 100644 index 0000000..ab52b3d --- /dev/null +++ b/0002-make-static-analysis-tool-happy-false-positive.patch @@ -0,0 +1,32 @@ +From 370a0929ce2e08f508df76392de5617c614103ea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jarom=C3=ADr=20Kon=C4=8Dick=C3=BD?= +Date: Tue, 15 Oct 2013 21:40:20 +0200 +Subject: [PATCH] make static analysis tool happy (false positive) + +(cherry picked from commit ee4ec133bc5616f3d2b9efd468dfc1d42ca1c17d) +Signed-off-by: Phil Sutter +--- + arptables.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arptables.c b/arptables.c +index 5535ab23780d5..8ef445a4700c4 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -1668,10 +1668,12 @@ static char *get_modprobe(void) + + ret = malloc(1024); + if (ret) { +- switch (read(procfile, ret, 1024)) { ++ int read_bytes = read(procfile, ret, 1024); ++ switch (read_bytes) { + case -1: goto fail; + case 1024: goto fail; /* Partial read. Wierd */ + } ++ ret[read_bytes] = '\0'; + if (ret[strlen(ret)-1]=='\n') + ret[strlen(ret)-1]=0; + close(procfile); +-- +2.21.0 + diff --git a/0003-fix-potential-buffer-overflows-reported-by-static-an.patch b/0003-fix-potential-buffer-overflows-reported-by-static-an.patch new file mode 100644 index 0000000..8170ad3 --- /dev/null +++ b/0003-fix-potential-buffer-overflows-reported-by-static-an.patch 
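Review bot: A zero-length read still reaches `ret[strlen(ret)-1]` with strlen(ret) == 0, so the function reads, and if the byte happens to be '\n' writes, `ret[-1]` — a one-byte heap underflow that the new `ret[read_bytes] = '\0';` line makes deterministic rather than fixes, because the switch only rejects -1 and 1024 and an empty file behind `procfile` (presumably /proc/sys/kernel/modprobe) or a short read leaves read_bytes == 0. Replace the newline strip with `if (read_bytes > 0 && ret[read_bytes - 1] == '\n') ret[read_bytes - 1] = '\0';`, which also drops the two strlen calls. `read_bytes` should be `ssize_t` rather than `int` to match read(2), and a `default:` or explicit `read_bytes > 1023` guard would document why `ret[read_bytes]` is in bounds of the 1024-byte allocation. get_modprobe starts before and ends after the hunk, so whether the `fail:` path frees `ret` is not visible here.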
@@ -0,0 +1,97 @@ +From 103040a94970a52dde285a24f0fbb5193ea74d84 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jarom=C3=ADr=20Kon=C4=8Dick=C3=BD?= +Date: Tue, 15 Oct 2013 21:55:52 +0200 +Subject: [PATCH] fix potential buffer overflows reported by static analysis + +(cherry picked from commit 8f586939999e039563fee6bca4685895067a2b77) +Signed-off-by: Phil Sutter +--- + arptables.c | 9 +++++---- + libarptc/libarptc_incl.c | 16 ++++++++++------ + 2 files changed, 15 insertions(+), 10 deletions(-) + +diff --git a/arptables.c b/arptables.c +index 8ef445a4700c4..4da6fea980bb9 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -1270,7 +1270,7 @@ print_firewall(const struct arpt_entry *fw, + sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src))); + else + sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src))); +- strcat(buf, mask_to_dotted(&(fw->arp.smsk))); ++ strncat(buf, mask_to_dotted(&(fw->arp.smsk)), sizeof(buf) - strlen(buf) -1); + printf("-s %s ", buf); + } + +@@ -1294,7 +1294,7 @@ after_devsrc: + sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt))); + else + sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt))); +- strcat(buf, mask_to_dotted(&(fw->arp.tmsk))); ++ strncat(buf, mask_to_dotted(&(fw->arp.tmsk)), sizeof(buf) - strlen(buf) -1); + printf("-d %s ", buf); + } + +@@ -1796,7 +1796,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) + *table, arptc_strerror(errno)); + } + } +- } ++ } + + memset(&fw, 0, sizeof(fw)); + opts = original_opts; +@@ -2064,7 +2064,8 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) + + target->t = fw_calloc(1, size); + target->t->u.target_size = size; +- strcpy(target->t->u.user.name, jumpto); ++ strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name)); ++ target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0'; + /* + target->init(target->t, &fw.nfcache); + */ +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index 2fa3d43576933..9c1aeac7ca3de 100644 
+--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -209,8 +209,10 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) + h->counter_map = (void *)h + + sizeof(STRUCT_TC_HANDLE) + + size; +- strcpy(h->info.name, tablename); +- strcpy(h->entries.name, tablename); ++ strncpy(h->info.name, tablename, sizeof(h->info.name)); ++ h->info.name[sizeof(h->info.name)-1] = '\0'; ++ strncpy(h->entries.name, tablename, sizeof(h->entries.name)); ++ h->entries.name[sizeof(h->entries.name)-1] = '\0'; + + return h; + } +@@ -357,8 +359,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev) + h->cache_chain_heads[h->cache_num_chains-1].end + = *prev; + +- strcpy(h->cache_chain_heads[h->cache_num_chains].name, +- (const char *)GET_TARGET(e)->data); ++ strncpy(h->cache_chain_heads[h->cache_num_chains].name, ++ (const char *)GET_TARGET(e)->data, TABLE_MAXNAMELEN-1); ++ h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0'; + h->cache_chain_heads[h->cache_num_chains].start + = (void *)e + e->next_offset; + h->cache_num_chains++; +@@ -368,8 +371,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev) + h->cache_chain_heads[h->cache_num_chains-1].end + = *prev; + +- strcpy(h->cache_chain_heads[h->cache_num_chains].name, +- h->hooknames[builtin-1]); ++ strncpy(h->cache_chain_heads[h->cache_num_chains].name, ++ h->hooknames[builtin-1], TABLE_MAXNAMELEN-1); ++ h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0'; + h->cache_chain_heads[h->cache_num_chains].start + = (void *)e; + h->cache_num_chains++; +-- +2.21.0 + diff --git a/0004-add-GPL-text.patch b/0004-add-GPL-text.patch new file mode 100644 index 0000000..32b8ee6 --- /dev/null +++ b/0004-add-GPL-text.patch 
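Review bot: The `sprintf(buf, "%s", addr_to_anyname(...))` calls immediately above each new strncat in print_firewall are still unbounded, so a long reverse-lookup name can overflow `buf` before the bounded strncat ever runs; the fix only covers the mask suffix. Change those (and the addr_to_dotted variants for symmetry) to `snprintf(buf, sizeof(buf), "%s", ...)` — this assumes `buf` is an array, which the new `sizeof(buf) - strlen(buf) - 1` already relies on, as its declaration is outside the hunk. In do_command and alloc_handle the new strncpy + NUL pairs silently truncate an over-long chain or table name, which for a jump target means the rule is loaded against a different name than the user typed; rejecting with `if (strlen(jumpto) >= sizeof(target->t->u.user.name))` through the file's usual parameter-error exit is safer than truncation, and the same applies to `tablename` in alloc_handle. The change at line 1796 is trailing-whitespace only. Every touched function starts or ends outside the hunk.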
@@ -0,0 +1,363 @@ +From 9bb376f78425859a3740b58e28976fb31289eca0 Mon Sep 17 00:00:00 2001 +From: Bart De Schuymer +Date: Tue, 15 Oct 2013 21:57:50 +0200 +Subject: [PATCH] add GPL text + +(cherry picked from commit c492c168b2ce99c68c85d4d55a2e842b4995b79d) +Signed-off-by: Phil Sutter +--- + COPYING | 342 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 342 insertions(+) + create mode 100644 COPYING + +diff --git a/COPYING b/COPYING +new file mode 100644 +index 0000000000000..514754e7c28a3 +--- /dev/null ++++ b/COPYING +@@ -0,0 +1,342 @@ ++All code in this package, including the code from the extensions, ++is released under the GPL license, which you find hereafter. ++ ++ GNU GENERAL PUBLIC LICENSE ++ Version 2, June 1991 ++ ++ Copyright (C) 1989, 1991 Free Software Foundation, Inc. ++ 675 Mass Ave, Cambridge, MA 02139, USA ++ Everyone is permitted to copy and distribute verbatim copies ++ of this license document, but changing it is not allowed. ++ ++ Preamble ++ ++ The licenses for most software are designed to take away your ++freedom to share and change it. By contrast, the GNU General Public ++License is intended to guarantee your freedom to share and change free ++software--to make sure the software is free for all its users. This ++General Public License applies to most of the Free Software ++Foundation's software and to any other program whose authors commit to ++using it. (Some other Free Software Foundation software is covered by ++the GNU Library General Public License instead.) You can apply it to ++your programs, too. ++ ++ When we speak of free software, we are referring to freedom, not ++price. 
Our General Public Licenses are designed to make sure that you ++have the freedom to distribute copies of free software (and charge for ++this service if you wish), that you receive source code or can get it ++if you want it, that you can change the software or use pieces of it ++in new free programs; and that you know you can do these things. ++ ++ To protect your rights, we need to make restrictions that forbid ++anyone to deny you these rights or to ask you to surrender the rights. ++These restrictions translate to certain responsibilities for you if you ++distribute copies of the software, or if you modify it. ++ ++ For example, if you distribute copies of such a program, whether ++gratis or for a fee, you must give the recipients all the rights that ++you have. You must make sure that they, too, receive or can get the ++source code. And you must show them these terms so they know their ++rights. ++ ++ We protect your rights with two steps: (1) copyright the software, and ++(2) offer you this license which gives you legal permission to copy, ++distribute and/or modify the software. ++ ++ Also, for each author's protection and ours, we want to make certain ++that everyone understands that there is no warranty for this free ++software. If the software is modified by someone else and passed on, we ++want its recipients to know that what they have is not the original, so ++that any problems introduced by others will not reflect on the original ++authors' reputations. ++ ++ Finally, any free program is threatened constantly by software ++patents. We wish to avoid the danger that redistributors of a free ++program will individually obtain patent licenses, in effect making the ++program proprietary. To prevent this, we have made it clear that any ++patent must be licensed for everyone's free use or not licensed at all. ++ ++ The precise terms and conditions for copying, distribution and ++modification follow. 
++ ++ GNU GENERAL PUBLIC LICENSE ++ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION ++ ++ 0. This License applies to any program or other work which contains ++a notice placed by the copyright holder saying it may be distributed ++under the terms of this General Public License. The "Program", below, ++refers to any such program or work, and a "work based on the Program" ++means either the Program or any derivative work under copyright law: ++that is to say, a work containing the Program or a portion of it, ++either verbatim or with modifications and/or translated into another ++language. (Hereinafter, translation is included without limitation in ++the term "modification".) Each licensee is addressed as "you". ++ ++Activities other than copying, distribution and modification are not ++covered by this License; they are outside its scope. The act of ++running the Program is not restricted, and the output from the Program ++is covered only if its contents constitute a work based on the ++Program (independent of having been made by running the Program). ++Whether that is true depends on what the Program does. ++ ++ 1. You may copy and distribute verbatim copies of the Program's ++source code as you receive it, in any medium, provided that you ++conspicuously and appropriately publish on each copy an appropriate ++copyright notice and disclaimer of warranty; keep intact all the ++notices that refer to this License and to the absence of any warranty; ++and give any other recipients of the Program a copy of this License ++along with the Program. ++ ++You may charge a fee for the physical act of transferring a copy, and ++you may at your option offer warranty protection in exchange for a fee. ++ ++ 2. 
You may modify your copy or copies of the Program or any portion ++of it, thus forming a work based on the Program, and copy and ++distribute such modifications or work under the terms of Section 1 ++above, provided that you also meet all of these conditions: ++ ++ a) You must cause the modified files to carry prominent notices ++ stating that you changed the files and the date of any change. ++ ++ b) You must cause any work that you distribute or publish, that in ++ whole or in part contains or is derived from the Program or any ++ part thereof, to be licensed as a whole at no charge to all third ++ parties under the terms of this License. ++ ++ c) If the modified program normally reads commands interactively ++ when run, you must cause it, when started running for such ++ interactive use in the most ordinary way, to print or display an ++ announcement including an appropriate copyright notice and a ++ notice that there is no warranty (or else, saying that you provide ++ a warranty) and that users may redistribute the program under ++ these conditions, and telling the user how to view a copy of this ++ License. (Exception: if the Program itself is interactive but ++ does not normally print such an announcement, your work based on ++ the Program is not required to print an announcement.) ++ ++These requirements apply to the modified work as a whole. If ++identifiable sections of that work are not derived from the Program, ++and can be reasonably considered independent and separate works in ++themselves, then this License, and its terms, do not apply to those ++sections when you distribute them as separate works. But when you ++distribute the same sections as part of a whole which is a work based ++on the Program, the distribution of the whole must be on the terms of ++this License, whose permissions for other licensees extend to the ++entire whole, and thus to each and every part regardless of who wrote it. 
++ ++Thus, it is not the intent of this section to claim rights or contest ++your rights to work written entirely by you; rather, the intent is to ++exercise the right to control the distribution of derivative or ++collective works based on the Program. ++ ++In addition, mere aggregation of another work not based on the Program ++with the Program (or with a work based on the Program) on a volume of ++a storage or distribution medium does not bring the other work under ++the scope of this License. ++ ++ 3. You may copy and distribute the Program (or a work based on it, ++under Section 2) in object code or executable form under the terms of ++Sections 1 and 2 above provided that you also do one of the following: ++ ++ a) Accompany it with the complete corresponding machine-readable ++ source code, which must be distributed under the terms of Sections ++ 1 and 2 above on a medium customarily used for software interchange; or, ++ ++ b) Accompany it with a written offer, valid for at least three ++ years, to give any third party, for a charge no more than your ++ cost of physically performing source distribution, a complete ++ machine-readable copy of the corresponding source code, to be ++ distributed under the terms of Sections 1 and 2 above on a medium ++ customarily used for software interchange; or, ++ ++ c) Accompany it with the information you received as to the offer ++ to distribute corresponding source code. (This alternative is ++ allowed only for noncommercial distribution and only if you ++ received the program in object code or executable form with such ++ an offer, in accord with Subsection b above.) ++ ++The source code for a work means the preferred form of the work for ++making modifications to it. For an executable work, complete source ++code means all the source code for all modules it contains, plus any ++associated interface definition files, plus the scripts used to ++control compilation and installation of the executable. 
However, as a ++special exception, the source code distributed need not include ++anything that is normally distributed (in either source or binary ++form) with the major components (compiler, kernel, and so on) of the ++operating system on which the executable runs, unless that component ++itself accompanies the executable. ++ ++If distribution of executable or object code is made by offering ++access to copy from a designated place, then offering equivalent ++access to copy the source code from the same place counts as ++distribution of the source code, even though third parties are not ++compelled to copy the source along with the object code. ++ ++ 4. You may not copy, modify, sublicense, or distribute the Program ++except as expressly provided under this License. Any attempt ++otherwise to copy, modify, sublicense or distribute the Program is ++void, and will automatically terminate your rights under this License. ++However, parties who have received copies, or rights, from you under ++this License will not have their licenses terminated so long as such ++parties remain in full compliance. ++ ++ 5. You are not required to accept this License, since you have not ++signed it. However, nothing else grants you permission to modify or ++distribute the Program or its derivative works. These actions are ++prohibited by law if you do not accept this License. Therefore, by ++modifying or distributing the Program (or any work based on the ++Program), you indicate your acceptance of this License to do so, and ++all its terms and conditions for copying, distributing or modifying ++the Program or works based on it. ++ ++ 6. Each time you redistribute the Program (or any work based on the ++Program), the recipient automatically receives a license from the ++original licensor to copy, distribute or modify the Program subject to ++these terms and conditions. You may not impose any further ++restrictions on the recipients' exercise of the rights granted herein. 
++You are not responsible for enforcing compliance by third parties to ++this License. ++ ++ 7. If, as a consequence of a court judgment or allegation of patent ++infringement or for any other reason (not limited to patent issues), ++conditions are imposed on you (whether by court order, agreement or ++otherwise) that contradict the conditions of this License, they do not ++excuse you from the conditions of this License. If you cannot ++distribute so as to satisfy simultaneously your obligations under this ++License and any other pertinent obligations, then as a consequence you ++may not distribute the Program at all. For example, if a patent ++license would not permit royalty-free redistribution of the Program by ++all those who receive copies directly or indirectly through you, then ++the only way you could satisfy both it and this License would be to ++refrain entirely from distribution of the Program. ++ ++If any portion of this section is held invalid or unenforceable under ++any particular circumstance, the balance of the section is intended to ++apply and the section as a whole is intended to apply in other ++circumstances. ++ ++It is not the purpose of this section to induce you to infringe any ++patents or other property right claims or to contest validity of any ++such claims; this section has the sole purpose of protecting the ++integrity of the free software distribution system, which is ++implemented by public license practices. Many people have made ++generous contributions to the wide range of software distributed ++through that system in reliance on consistent application of that ++system; it is up to the author/donor to decide if he or she is willing ++to distribute software through any other system and a licensee cannot ++impose that choice. ++ ++This section is intended to make thoroughly clear what is believed to ++be a consequence of the rest of this License. ++ ++ 8. 
If the distribution and/or use of the Program is restricted in ++certain countries either by patents or by copyrighted interfaces, the ++original copyright holder who places the Program under this License ++may add an explicit geographical distribution limitation excluding ++those countries, so that distribution is permitted only in or among ++countries not thus excluded. In such case, this License incorporates ++the limitation as if written in the body of this License. ++ ++ 9. The Free Software Foundation may publish revised and/or new versions ++of the General Public License from time to time. Such new versions will ++be similar in spirit to the present version, but may differ in detail to ++address new problems or concerns. ++ ++Each version is given a distinguishing version number. If the Program ++specifies a version number of this License which applies to it and "any ++later version", you have the option of following the terms and conditions ++either of that version or of any later version published by the Free ++Software Foundation. If the Program does not specify a version number of ++this License, you may choose any version ever published by the Free Software ++Foundation. ++ ++ 10. If you wish to incorporate parts of the Program into other free ++programs whose distribution conditions are different, write to the author ++to ask for permission. For software which is copyrighted by the Free ++Software Foundation, write to the Free Software Foundation; we sometimes ++make exceptions for this. Our decision will be guided by the two goals ++of preserving the free status of all derivatives of our free software and ++of promoting the sharing and reuse of software generally. ++ ++ NO WARRANTY ++ ++ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY ++FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN ++OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES ++PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED ++OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF ++MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS ++TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE ++PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, ++REPAIR OR CORRECTION. ++ ++ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING ++WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR ++REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, ++INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING ++OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED ++TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY ++YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER ++PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE ++POSSIBILITY OF SUCH DAMAGES. ++ ++ END OF TERMS AND CONDITIONS ++ ++ Appendix: How to Apply These Terms to Your New Programs ++ ++ If you develop a new program, and you want it to be of the greatest ++possible use to the public, the best way to achieve this is to make it ++free software which everyone can redistribute and change under these terms. ++ ++ To do so, attach the following notices to the program. It is safest ++to attach them to the start of each source file to most effectively ++convey the exclusion of warranty; and each file should have at least ++the "copyright" line and a pointer to where the full notice is found. 
++ ++ ++ Copyright (C) 19yy ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 2 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ ++Also add information on how to contact you by electronic and paper mail. ++ ++If the program is interactive, make it output a short notice like this ++when it starts in an interactive mode: ++ ++ Gnomovision version 69, Copyright (C) 19yy name of author ++ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. ++ This is free software, and you are welcome to redistribute it ++ under certain conditions; type `show c' for details. ++ ++The hypothetical commands `show w' and `show c' should show the appropriate ++parts of the General Public License. Of course, the commands you use may ++be called something other than `show w' and `show c'; they could even be ++mouse-clicks or menu items--whatever suits your program. ++ ++You should also get your employer (if you work as a programmer) or your ++school, if any, to sign a "copyright disclaimer" for the program, if ++necessary. Here is a sample; alter the names: ++ ++ Yoyodyne, Inc., hereby disclaims all copyright interest in the program ++ `Gnomovision' (which makes passes at compilers) written by James Hacker. ++ ++ , 1 April 1989 ++ Ty Coon, President of Vice ++ ++This General Public License does not permit incorporating your program into ++proprietary programs. 
If your program is a subroutine library, you may ++consider it more useful to permit linking proprietary applications with the ++library. If this is what you want to do, use the GNU Library General ++Public License instead of this License. +-- +2.21.0 + diff --git a/0005-Add-man-pages-for-arptables-save-restore.patch b/0005-Add-man-pages-for-arptables-save-restore.patch new file mode 100644 index 0000000..e15b15a --- /dev/null +++ b/0005-Add-man-pages-for-arptables-save-restore.patch 
@@ -0,0 +1,107 @@ +From 4c4c2e4080114126a38cd856f6aad011ebe08b49 Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Mon, 18 Nov 2013 21:42:52 +0100 +Subject: [PATCH] Add man pages for arptables-{save,restore} + +(cherry picked from commit f79b957fadfb22396d527743ecc154f1e30277dd) +Signed-off-by: Phil Sutter +--- + arptables-restore.8 | 41 +++++++++++++++++++++++++++++++++++++++++ + arptables-save.8 | 37 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 78 insertions(+) + create mode 100644 arptables-restore.8 + create mode 100644 arptables-save.8 + +diff --git a/arptables-restore.8 b/arptables-restore.8 +new file mode 100644 +index 0000000000000..4f2f623673415 +--- /dev/null ++++ b/arptables-restore.8 +@@ -0,0 +1,41 @@ ++.TH ARPTABLES-RESTORE 8 "Nov 07, 2013" "" "" ++.\" ++.\" Man page written by Jesper Dangaard Brouer based on a ++.\" Man page written by Harald Welte ++.\" It is based on the iptables-restore man page. ++.\" ++.\" This program is free software; you can redistribute it and/or modify ++.\" it under the terms of the GNU General Public License as published by ++.\" the Free Software Foundation; either version 2 of the License, or ++.\" (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++.\" ++.\" ++.SH NAME ++arptables-restore \(em Restore ARP Tables ++.SH SYNOPSIS ++\fBarptables\-restore ++.SH DESCRIPTION ++.PP ++.B arptables-restore ++is used to restore ARP Tables from data specified on STDIN or ++via a file as first argument. 
++Use I/O redirection provided by your shell to read from a file ++.TP ++.B arptables-restore ++flushes (deletes) all previous contents of the respective ARP Table. ++.SH BUGS ++None known as of arptables-0.0.4 release ++.SH AUTHOR ++Jesper Dangaard Brouer ++.SH SEE ALSO ++\fBarptables\-save\fP(8), \fBarptables\fP(8) ++.PP +diff --git a/arptables-save.8 b/arptables-save.8 +new file mode 100644 +index 0000000000000..34791a9c087f0 +--- /dev/null ++++ b/arptables-save.8 +@@ -0,0 +1,37 @@ ++.TH ARPTABLES-SAVE 8 "Nov 07, 2013" "" "" ++.\" ++.\" Man page written by Jesper Dangaard Brouer based on a ++.\" Man page written by Harald Welte ++.\" It is based on the iptables-save man page. ++.\" ++.\" This program is free software; you can redistribute it and/or modify ++.\" it under the terms of the GNU General Public License as published by ++.\" the Free Software Foundation; either version 2 of the License, or ++.\" (at your option) any later version. ++.\" ++.\" This program is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public License ++.\" along with this program; if not, write to the Free Software ++.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++.\" ++.\" ++.SH NAME ++arptables-save \(em dump arptables rules to stdout ++.SH SYNOPSIS ++\fBarptables\-save ++.SH DESCRIPTION ++.PP ++.B arptables-save ++is used to dump the contents of an ARP Table in easily parseable format ++to STDOUT. Use I/O-redirection provided by your shell to write to a file. ++.SH BUGS ++None known as of arptables-0.0.4 release ++.SH AUTHOR ++Jesper Dangaard Brouer ++.SH SEE ALSO ++\fBarptables\-restore\fP(8), \fBarptables\fP(8) ++.PP +-- +2.21.0 + 
diff --git a/0006-arptables-install-man-pages.patch b/0006-arptables-install-man-pages.patch new file mode 100644 index 0000000..10fc68d --- /dev/null +++ b/0006-arptables-install-man-pages.patch 
@@ -0,0 +1,58 @@ +From feaadda185a25290f98e5c09b859b2000818cf87 Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Sun, 2 Mar 2014 22:08:02 +0100 +Subject: [PATCH] arptables: install man pages + +(cherry picked from commit 36daba3cd378cabf915fa6ef882ad3dc7add4282) +Signed-off-by: Phil Sutter +--- + Makefile | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/Makefile b/Makefile +index 38158d9e98ab4..7bead0d9134f3 100644 +--- a/Makefile ++++ b/Makefile +@@ -6,10 +6,13 @@ PREFIX:=/usr/local + LIBDIR:=$(PREFIX)/lib + BINDIR:=$(PREFIX)/sbin + MANDIR:=$(PREFIX)/man ++man8dir=$(MANDIR)/man8 + INITDIR:=/etc/rc.d/init.d + SYSCONFIGDIR:=/etc/sysconfig + DESTDIR:= + ++MANS = arptables.8 arptables-save.8 arptables-restore.8 ++ + COPT_FLAGS:=-O2 + CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include/ -Iinclude/ -DARPTABLES_VERSION=\"$(ARPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DARPTC_DEBUG + +@@ -36,10 +39,6 @@ libarptc/libarptc.a: libarptc/libarptc.o + arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ + +-$(DESTDIR)$(MANDIR)/man8/arptables.8: arptables.8 +- mkdir -p $(@D) +- install -m 0644 $< $@ +- + $(DESTDIR)$(BINDIR)/arptables: arptables + mkdir -p $(DESTDIR)$(BINDIR) + install -m 0755 $< $@ +@@ -57,8 +56,13 @@ scripts: arptables-save arptables-restore arptables.sysv + if test -d $(DESTDIR)$(INITDIR); then install -m 0755 arptables.sysv_ $(DESTDIR)$(INITDIR)/arptables; fi + rm -f arptables-save_ arptables-restore_ arptables.sysv_ + ++.PHONY: install-man ++install-man: $(MANS) ++ [ -d "$(DESTDIR)$(man8dir)" ] || mkdir -p "$(DESTDIR)$(man8dir)" ++ install -m 0644 $^ $(DESTDIR)$(man8dir)/ ++ + .PHONY: install +-install: $(DESTDIR)$(MANDIR)/man8/arptables.8 $(DESTDIR)$(BINDIR)/arptables scripts ++install: install-man $(DESTDIR)$(BINDIR)/arptables scripts + + .PHONY: clean + clean: +-- +2.21.0 + 
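Review bot: The new `install-man` rule guards `mkdir -p` with a `[ -d ... ]` test, which is redundant because `mkdir -p` already succeeds on an existing directory, and the `install` line leaves `$(DESTDIR)$(man8dir)/` unquoted while the mkdir line quotes the same path. `man8dir=` is also the only recursively-expanded assignment in a block that otherwise uses `:=`. Suggest `man8dir:=$(MANDIR)/man8`, `mkdir -p "$(DESTDIR)$(man8dir)"` and `install -m 0644 $^ "$(DESTDIR)$(man8dir)/"` so the three lines read consistently.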
diff --git a/0007-arptables-add-missing-long-option-set-counters-and-u.patch b/0007-arptables-add-missing-long-option-set-counters-and-u.patch
new file mode 100644
index 0000000..13ed8fa
--- /dev/null
+++ b/0007-arptables-add-missing-long-option-set-counters-and-u.patch
@@ -0,0 +1,56 @@ +From 81f722a8a632ab2e0a50861d8505d460447bf5d7 Mon Sep 17 00:00:00 2001 +From: Jesper Dangaard Brouer +Date: Sun, 2 Mar 2014 22:08:30 +0100 +Subject: [PATCH] arptables: add missing long option --set-counters and update + documentation + +(cherry picked from commit 9fcaf703f93658ec0ae2ae1013b191a76835b94a) +Signed-off-by: Phil Sutter +--- + arptables.8 | 8 ++++++++ + arptables.c | 3 ++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/arptables.8 b/arptables.8 +index 0b6b62e1a7efd..78b2c60978c40 100644 +--- a/arptables.8 ++++ b/arptables.8 +@@ -215,6 +215,14 @@ The target of the rule. This is one of the following values: + a target extension (see + .BR "TARGET EXTENSIONS" ")" + or a user-defined chain name. ++.TP ++.BI "-c, --set-counters " "PKTS BYTES" ++This enables the administrator to initialize the packet and byte ++counters of a rule (during ++.B INSERT, ++.B APPEND, ++.B REPLACE ++operations). + + .SS RULE-SPECIFICATIONS + The following command line arguments make up a rule specification (as used +diff --git a/arptables.c b/arptables.c +index 4da6fea980bb9..3fb8ed5c40e73 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -152,6 +152,7 @@ static struct option original_opts[] = { + { "help", 2, 0, 'h' }, + { "line-numbers", 0, 0, '0' }, + { "modprobe", 1, 0, 'M' }, ++ { "set-counters", 1, 0, 'c' }, + { 0 } + }; + +@@ -529,7 +530,7 @@ exit_printhelp(void) + " --line-numbers print line numbers when listing\n" + " --exact -x expand numbers (display exact values)\n" + " --modprobe= try to insert modules using this command\n" +-" --set-counters PKTS BYTES set the counter during insert/append\n" ++" --set-counters -c PKTS BYTES set the counter during insert/append\n" + "[!] --version -V print package version.\n"); + printf(" opcode strings: \n"); + for (i = 0; i < NUMOPCODES; i++) +-- +2.21.0 + 
diff --git a/0008-arptables-fix-potential-buffer-overflow-author-dcb.patch b/0008-arptables-fix-potential-buffer-overflow-author-dcb.patch new file mode 100644 index 0000000..855952f --- /dev/null +++ b/0008-arptables-fix-potential-buffer-overflow-author-dcb.patch @@ -0,0 +1,26 @@ +From 2aa3fc519050787aa05395b3821fbc4ddfe41ac5 Mon Sep 17 00:00:00 2001 +From: Bart De Schuymer +Date: Tue, 6 May 2014 21:07:13 +0200 +Subject: [PATCH] arptables: fix potential buffer overflow (author: dcb) + +(cherry picked from commit c29948407c6e1960b9ca0ff3f1479773c95d25c9) +Signed-off-by: Phil Sutter +--- + arptables.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arptables.c b/arptables.c +index 3fb8ed5c40e73..64ac3aa226a2c 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -763,6 +763,7 @@ parse_hostnetworkmask(const char *name, struct in_addr **addrpp, + int i, j, k, n; + + strncpy(buf, name, sizeof(buf) - 1); ++ buf[sizeof(buf) - 1] = '\0'; + if ((p = strrchr(buf, '/')) != NULL) { + *p = '\0'; + addrp = parse_mask(p + 1); +-- +2.21.0 + diff --git a/0009-arptables-remove-dead-dynamic-hooks-code.patch b/0009-arptables-remove-dead-dynamic-hooks-code.patch new file mode 100644 index 0000000..b6f9a0a --- /dev/null +++ b/0009-arptables-remove-dead-dynamic-hooks-code.patch 
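Review bot: The added terminator makes the `strncpy` into `buf` well-formed, but a `name` of `sizeof(buf) - 1` characters or longer is now silently truncated, so an over-long host or network specification would be parsed as a different, shorter name instead of being rejected. A length check before the copy, `if (strlen(name) >= sizeof(buf)) exit_error(PARAMETER_PROBLEM, "host/network name too long");`, reports the problem through the same error path the rest of the option parsing in arptables.c uses. parse_hostnetworkmask begins and ends outside the hunk, so whether the caller already bounds `name` cannot be confirmed here.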
@@ -0,0 +1,59 @@ +From 27791d35cf3fd7e7ca1389804b6e1820fa70bc0f Mon Sep 17 00:00:00 2001 +From: Gustavo Zacarias +Date: Tue, 11 Nov 2014 10:20:22 -0300 +Subject: [PATCH] arptables: remove dead dynamic hooks code + +The code is unused and #if'ed away, it also breaks pure-static +builds because of the dlfcn.h include. + +Signed-off-by: Gustavo Zacarias +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 4b7d6b0cac33d41cb3c74694ada06e19aa7e920e) +Signed-off-by: Phil Sutter +--- + arptables.c | 1 - + libarptc/libarptc_incl.c | 15 --------------- + 2 files changed, 16 deletions(-) + +diff --git a/arptables.c b/arptables.c +index 64ac3aa226a2c..845e226a98a30 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -35,7 +35,6 @@ + #include + #include + #include +-#include + #include + #include + #include +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index 9c1aeac7ca3de..1d2e8b7b7ac01 100644 +--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -257,22 +257,7 @@ TC_INIT(const char *tablename) + == NULL) + return NULL; + +-/* Too hard --RR */ +-#if 0 +- sprintf(pathname, "%s/%s", ARPT_LIB_DIR, info.name); +- dynlib = dlopen(pathname, RTLD_NOW); +- if (!dynlib) { +- errno = ENOENT; +- return NULL; +- } +- h->hooknames = dlsym(dynlib, "hooknames"); +- if (!h->hooknames) { +- errno = ENOENT; +- return NULL; +- } +-#else + h->hooknames = hooknames; +-#endif + + /* Initialize current state */ + h->info = info; +-- +2.21.0 + diff --git a/0010-src-cache-in-tree-and-use-x_tables.h.patch b/0010-src-cache-in-tree-and-use-x_tables.h.patch new file mode 100644 index 0000000..1a1e7bb --- /dev/null +++ b/0010-src-cache-in-tree-and-use-x_tables.h.patch 
@@ -0,0 +1,603 @@ +From f4f26b8d839a8fcd0ae43d2944436e1dbafdfda6 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 1 Apr 2015 12:16:30 +0200 +Subject: [PATCH] src: cache in tree and use x_tables.h + +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 5700dbf07266c1ab888dceee75a040eb7af40950) +Signed-off-by: Phil Sutter +--- + include/libarptc/libarptc.h | 1 + + include/linux/netfilter/x_tables.h | 185 +++++++++++++++++++ + include/linux/netfilter_arp/arp_tables.h | 222 +++++------------------ + libarptc/libarptc_incl.c | 17 +- + 4 files changed, 233 insertions(+), 192 deletions(-) + create mode 100644 include/linux/netfilter/x_tables.h + +diff --git a/include/libarptc/libarptc.h b/include/libarptc/libarptc.h +index e4f11752a201d..ff4606fb9ae16 100644 +--- a/include/libarptc/libarptc.h ++++ b/include/libarptc/libarptc.h +@@ -3,6 +3,7 @@ + /* Library which manipulates filtering rules. */ + + #include ++#include + #include + + #ifndef ARPT_MIN_ALIGN +diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h +new file mode 100644 +index 0000000000000..4120970072771 +--- /dev/null ++++ b/include/linux/netfilter/x_tables.h +@@ -0,0 +1,185 @@ ++#ifndef _X_TABLES_H ++#define _X_TABLES_H ++#include ++#include ++ ++#define XT_FUNCTION_MAXNAMELEN 30 ++#define XT_EXTENSION_MAXNAMELEN 29 ++#define XT_TABLE_MAXNAMELEN 32 ++ ++struct xt_entry_match { ++ union { ++ struct { ++ __u16 match_size; ++ ++ /* Used by userspace */ ++ char name[XT_EXTENSION_MAXNAMELEN]; ++ __u8 revision; ++ } user; ++ struct { ++ __u16 match_size; ++ ++ /* Used inside the kernel */ ++ struct xt_match *match; ++ } kernel; ++ ++ /* Total length */ ++ __u16 match_size; ++ } u; ++ ++ unsigned char data[0]; ++}; ++ ++struct xt_entry_target { ++ union { ++ struct { ++ __u16 target_size; ++ ++ /* Used by userspace */ ++ char name[XT_EXTENSION_MAXNAMELEN]; ++ __u8 revision; ++ } user; ++ struct { ++ __u16 target_size; ++ ++ /* Used inside the kernel */ ++ struct 
xt_target *target; ++ } kernel; ++ ++ /* Total length */ ++ __u16 target_size; ++ } u; ++ ++ unsigned char data[0]; ++}; ++ ++#define XT_TARGET_INIT(__name, __size) \ ++{ \ ++ .target.u.user = { \ ++ .target_size = XT_ALIGN(__size), \ ++ .name = __name, \ ++ }, \ ++} ++ ++struct xt_standard_target { ++ struct xt_entry_target target; ++ int verdict; ++}; ++ ++struct xt_error_target { ++ struct xt_entry_target target; ++ char errorname[XT_FUNCTION_MAXNAMELEN]; ++}; ++ ++/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision ++ * kernel supports, if >= revision. */ ++struct xt_get_revision { ++ char name[XT_EXTENSION_MAXNAMELEN]; ++ __u8 revision; ++}; ++ ++/* CONTINUE verdict for targets */ ++#define XT_CONTINUE 0xFFFFFFFF ++ ++/* For standard target */ ++#define XT_RETURN (-NF_REPEAT - 1) ++ ++/* this is a dummy structure to find out the alignment requirement for a struct ++ * containing all the fundamental data types that are used in ipt_entry, ++ * ip6t_entry and arpt_entry. This sucks, and it is a hack. It will be my ++ * personal pleasure to remove it -HW ++ */ ++struct _xt_align { ++ __u8 u8; ++ __u16 u16; ++ __u32 u32; ++ __u64 u64; ++}; ++ ++#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align)) ++ ++/* Standard return verdict, or do jump. */ ++#define XT_STANDARD_TARGET "" ++/* Error verdict. */ ++#define XT_ERROR_TARGET "ERROR" ++ ++#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0) ++#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0) ++ ++struct xt_counters { ++ __u64 pcnt, bcnt; /* Packet and byte counters */ ++}; ++ ++/* The argument to IPT_SO_ADD_COUNTERS. */ ++struct xt_counters_info { ++ /* Which table. */ ++ char name[XT_TABLE_MAXNAMELEN]; ++ ++ unsigned int num_counters; ++ ++ /* The counters (actually `number' of these). */ ++ struct xt_counters counters[0]; ++}; ++ ++#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. 
*/ ++ ++/* fn returns 0 to continue iteration */ ++#define XT_MATCH_ITERATE(type, e, fn, args...) \ ++({ \ ++ unsigned int __i; \ ++ int __ret = 0; \ ++ struct xt_entry_match *__m; \ ++ \ ++ for (__i = sizeof(type); \ ++ __i < (e)->target_offset; \ ++ __i += __m->u.match_size) { \ ++ __m = (void *)e + __i; \ ++ \ ++ __ret = fn(__m , ## args); \ ++ if (__ret != 0) \ ++ break; \ ++ } \ ++ __ret; \ ++}) ++ ++/* fn returns 0 to continue iteration */ ++#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \ ++({ \ ++ unsigned int __i, __n; \ ++ int __ret = 0; \ ++ type *__entry; \ ++ \ ++ for (__i = 0, __n = 0; __i < (size); \ ++ __i += __entry->next_offset, __n++) { \ ++ __entry = (void *)(entries) + __i; \ ++ if (__n < n) \ ++ continue; \ ++ \ ++ __ret = fn(__entry , ## args); \ ++ if (__ret != 0) \ ++ break; \ ++ } \ ++ __ret; \ ++}) ++ ++/* fn returns 0 to continue iteration */ ++#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \ ++ XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args) ++ ++ ++/* pos is normally a struct ipt_entry/ip6t_entry/etc. 
*/ ++#define xt_entry_foreach(pos, ehead, esize) \ ++ for ((pos) = (typeof(pos))(ehead); \ ++ (pos) < (typeof(pos))((char *)(ehead) + (esize)); \ ++ (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset)) ++ ++/* can only be xt_entry_match, so no use of typeof here */ ++#define xt_ematch_foreach(pos, entry) \ ++ for ((pos) = (struct xt_entry_match *)entry->elems; \ ++ (pos) < (struct xt_entry_match *)((char *)(entry) + \ ++ (entry)->target_offset); \ ++ (pos) = (struct xt_entry_match *)((char *)(pos) + \ ++ (pos)->u.match_size)) ++ ++ ++#endif /* _X_TABLES_H */ +diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h +index 0acda6620bd19..bb1ec648af257 100644 +--- a/include/linux/netfilter_arp/arp_tables.h ++++ b/include/linux/netfilter_arp/arp_tables.h +@@ -9,18 +9,25 @@ + #ifndef _ARPTABLES_H + #define _ARPTABLES_H + +-#ifdef __KERNEL__ +-#include + #include +-#include +-#include +-#include +-#endif + + #include + +-#define ARPT_FUNCTION_MAXNAMELEN 30 +-#define ARPT_TABLE_MAXNAMELEN 32 ++#include ++ ++#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN ++#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN ++#define arpt_entry_target xt_entry_target ++#define arpt_standard_target xt_standard_target ++#define arpt_error_target xt_error_target ++#define ARPT_CONTINUE XT_CONTINUE ++#define ARPT_RETURN XT_RETURN ++#define arpt_counters_info xt_counters_info ++#define arpt_counters xt_counters ++#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET ++#define ARPT_ERROR_TARGET XT_ERROR_TARGET ++#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) 
\ ++ XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args) + + #define ARPT_DEV_ADDR_LEN_MAX 16 + +@@ -37,16 +44,16 @@ struct arpt_arp { + struct in_addr smsk, tmsk; + + /* Device hw address length, src+target device addresses */ +- u_int8_t arhln, arhln_mask; ++ __u8 arhln, arhln_mask; + struct arpt_devaddr_info src_devaddr; + struct arpt_devaddr_info tgt_devaddr; + + /* ARP operation code. */ +- u_int16_t arpop, arpop_mask; ++ __be16 arpop, arpop_mask; + + /* ARP hardware address and protocol address format. */ +- u_int16_t arhrd, arhrd_mask; +- u_int16_t arpro, arpro_mask; ++ __be16 arhrd, arhrd_mask; ++ __be16 arpro, arpro_mask; + + /* The protocol address length is only accepted if it is 4 + * so there is no use in offering a way to do filtering on it. +@@ -56,43 +63,9 @@ struct arpt_arp { + unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ]; + + /* Flags word */ +- u_int8_t flags; ++ __u8 flags; + /* Inverse flags */ +- u_int16_t invflags; +-}; +- +-struct arpt_entry_target +-{ +- union { +- struct { +- u_int16_t target_size; +- +- /* Used by userspace */ +- char name[ARPT_FUNCTION_MAXNAMELEN]; +- } user; +- struct { +- u_int16_t target_size; +- +- /* Used inside the kernel */ +- struct arpt_target *target; +- } kernel; +- +- /* Total length */ +- u_int16_t target_size; +- } u; +- +- unsigned char data[0]; +-}; +- +-struct arpt_standard_target +-{ +- struct arpt_entry_target target; +- int verdict; +-}; +- +-struct arpt_counters +-{ +- u_int64_t pcnt, bcnt; /* Packet and byte counters */ ++ __u16 invflags; + }; + + /* Values for "flag" field in struct arpt_ip (general arp structure). +@@ -121,15 +94,15 @@ struct arpt_entry + struct arpt_arp arp; + + /* Size of arpt_entry + matches */ +- u_int16_t target_offset; ++ __u16 target_offset; + /* Size of arpt_entry + matches + target */ +- u_int16_t next_offset; ++ __u16 next_offset; + + /* Back pointer */ + unsigned int comefrom; + + /* Packet and byte counters. 
*/ +- struct arpt_counters counters; ++ struct xt_counters counters; + + /* The matches (if any), then the target. */ + unsigned char elems[0]; +@@ -139,8 +112,10 @@ struct arpt_entry + * New IP firewall options for [gs]etsockopt at the RAW IP level. + * Unlike BSD Linux inherits IP options so you don't have to use a raw + * socket for this. Instead we check rights in the calls. ++ * ++ * ATTENTION: check linux/in.h before adding new number here. + */ +-#define ARPT_BASE_CTL 96 /* base for firewall socket options */ ++#define ARPT_BASE_CTL 96 + + #define ARPT_SO_SET_REPLACE (ARPT_BASE_CTL) + #define ARPT_SO_SET_ADD_COUNTERS (ARPT_BASE_CTL + 1) +@@ -148,29 +123,24 @@ struct arpt_entry + + #define ARPT_SO_GET_INFO (ARPT_BASE_CTL) + #define ARPT_SO_GET_ENTRIES (ARPT_BASE_CTL + 1) +-#define ARPT_SO_GET_MAX ARPT_SO_GET_ENTRIES +- +-/* CONTINUE verdict for targets */ +-#define ARPT_CONTINUE 0xFFFFFFFF +- +-/* For standard target */ +-#define ARPT_RETURN (-NF_REPEAT - 1) ++/* #define ARPT_SO_GET_REVISION_MATCH (APRT_BASE_CTL + 2) */ ++#define ARPT_SO_GET_REVISION_TARGET (ARPT_BASE_CTL + 3) ++#define ARPT_SO_GET_MAX (ARPT_SO_GET_REVISION_TARGET) + + /* The argument to ARPT_SO_GET_INFO */ +-struct arpt_getinfo +-{ ++struct arpt_getinfo { + /* Which table: caller fills this in. */ +- char name[ARPT_TABLE_MAXNAMELEN]; ++ char name[XT_TABLE_MAXNAMELEN]; + + /* Kernel fills these in. */ + /* Which hook entry points are valid: bitmask */ + unsigned int valid_hooks; + + /* Hook entry points: one per netfilter hook. */ +- unsigned int hook_entry[3]; ++ unsigned int hook_entry[NF_ARP_NUMHOOKS]; + + /* Underflow points. */ +- unsigned int underflow[3]; ++ unsigned int underflow[NF_ARP_NUMHOOKS]; + + /* Number of entries */ + unsigned int num_entries; +@@ -180,10 +150,9 @@ struct arpt_getinfo + }; + + /* The argument to ARPT_SO_SET_REPLACE. */ +-struct arpt_replace +-{ ++struct arpt_replace { + /* Which table. 
*/ +- char name[ARPT_TABLE_MAXNAMELEN]; ++ char name[XT_TABLE_MAXNAMELEN]; + + /* Which hook entry points are valid: bitmask. You can't + change this. */ +@@ -196,38 +165,25 @@ struct arpt_replace + unsigned int size; + + /* Hook entry points. */ +- unsigned int hook_entry[3]; ++ unsigned int hook_entry[NF_ARP_NUMHOOKS]; + + /* Underflow points. */ +- unsigned int underflow[3]; ++ unsigned int underflow[NF_ARP_NUMHOOKS]; + + /* Information about old entries: */ + /* Number of counters (must be equal to current number of entries). */ + unsigned int num_counters; + /* The old entries' counters. */ +- struct arpt_counters *counters; ++ struct xt_counters *counters; + + /* The entries (hang off end: not really an array). */ + struct arpt_entry entries[0]; + }; + +-/* The argument to ARPT_SO_ADD_COUNTERS. */ +-struct arpt_counters_info +-{ +- /* Which table. */ +- char name[ARPT_TABLE_MAXNAMELEN]; +- +- unsigned int num_counters; +- +- /* The counters (actually `number' of these). */ +- struct arpt_counters counters[0]; +-}; +- + /* The argument to ARPT_SO_GET_ENTRIES. */ +-struct arpt_get_entries +-{ ++struct arpt_get_entries { + /* Which table: user fills this in. */ +- char name[ARPT_TABLE_MAXNAMELEN]; ++ char name[XT_TABLE_MAXNAMELEN]; + + /* User fills this in: total entry size. */ + unsigned int size; +@@ -236,107 +192,13 @@ struct arpt_get_entries + struct arpt_entry entrytable[0]; + }; + +-/* Standard return verdict, or do jump. */ +-#define ARPT_STANDARD_TARGET "" +-/* Error verdict. */ +-#define ARPT_ERROR_TARGET "ERROR" +- + /* Helper functions */ +-static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e) ++static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e) + { + return (void *)e + e->target_offset; + } + +-/* fn returns 0 to continue iteration */ +-#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) 
\ +-({ \ +- unsigned int __i; \ +- int __ret = 0; \ +- struct arpt_entry *__entry; \ +- \ +- for (__i = 0; __i < (size); __i += __entry->next_offset) { \ +- __entry = (void *)(entries) + __i; \ +- \ +- __ret = fn(__entry , ## args); \ +- if (__ret != 0) \ +- break; \ +- } \ +- __ret; \ +-}) +- + /* + * Main firewall chains definitions and global var's definitions. + */ +-#ifdef __KERNEL__ +- +-/* Registration hooks for targets. */ +-struct arpt_target +-{ +- struct list_head list; +- +- const char name[ARPT_FUNCTION_MAXNAMELEN]; +- +- /* Returns verdict. */ +- unsigned int (*target)(struct sk_buff **pskb, +- unsigned int hooknum, +- const struct net_device *in, +- const struct net_device *out, +- const void *targinfo, +- void *userdata); +- +- /* Called when user tries to insert an entry of this type: +- hook_mask is a bitmask of hooks from which it can be +- called. */ +- /* Should return true or false. */ +- int (*checkentry)(const char *tablename, +- const struct arpt_entry *e, +- void *targinfo, +- unsigned int targinfosize, +- unsigned int hook_mask); +- +- /* Called when entry of this type deleted. */ +- void (*destroy)(void *targinfo, unsigned int targinfosize); +- +- /* Set this to THIS_MODULE if you are a module, otherwise NULL */ +- struct module *me; +-}; +- +-extern int arpt_register_target(struct arpt_target *target); +-extern void arpt_unregister_target(struct arpt_target *target); +- +-/* Furniture shopping... */ +-struct arpt_table +-{ +- struct list_head list; +- +- /* A unique name... */ +- char name[ARPT_TABLE_MAXNAMELEN]; +- +- /* Seed table: copied in register_table */ +- struct arpt_replace *table; +- +- /* What hooks you will enter on */ +- unsigned int valid_hooks; +- +- /* Lock for the curtain */ +- rwlock_t lock; +- +- /* Man behind the curtain... 
*/ +- struct arpt_table_info *private; +- +- /* Set this to THIS_MODULE if you are a module, otherwise NULL */ +- struct module *me; +-}; +- +-extern int arpt_register_table(struct arpt_table *table); +-extern void arpt_unregister_table(struct arpt_table *table); +-extern unsigned int arpt_do_table(struct sk_buff **pskb, +- unsigned int hook, +- const struct net_device *in, +- const struct net_device *out, +- struct arpt_table *table, +- void *userdata); +- +-#define ARPT_ALIGN(s) (((s) + (__alignof__(struct arpt_entry)-1)) & ~(__alignof__(struct arpt_entry)-1)) +-#endif /*__KERNEL__*/ + #endif /* _ARPTABLES_H */ +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index 1d2e8b7b7ac01..a034930600344 100644 +--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -40,13 +40,6 @@ struct counter_map + unsigned int mappos; + }; + +-/* Convenience structures */ +-struct arpt_error_target +-{ +- STRUCT_ENTRY_TARGET t; +- char error[TABLE_MAXNAMELEN]; +-}; +- + struct chain_cache + { + char name[TABLE_MAXNAMELEN]; +@@ -1342,9 +1335,9 @@ TC_CREATE_CHAIN(const ARPT_CHAINLABEL chain, TC_HANDLE_T *handle) + newc.head.next_offset + = sizeof(STRUCT_ENTRY) + + ALIGN(sizeof(struct arpt_error_target)); +- strcpy(newc.name.t.u.user.name, ERROR_TARGET); +- newc.name.t.u.target_size = ALIGN(sizeof(struct arpt_error_target)); +- strcpy(newc.name.error, chain); ++ strcpy(newc.name.target.u.user.name, ERROR_TARGET); ++ newc.name.target.u.target_size = ALIGN(sizeof(struct arpt_error_target)); ++ strcpy(newc.name.errorname, chain); + + newc.ret.target_offset = sizeof(STRUCT_ENTRY); + newc.ret.next_offset +@@ -1482,8 +1475,8 @@ int TC_RENAME_CHAIN(const ARPT_CHAINLABEL oldname, + t = (struct arpt_error_target *) + GET_TARGET(get_entry(*handle, labeloff)); + +- memset(t->error, 0, sizeof(t->error)); +- strcpy(t->error, newname); ++ memset(t->errorname, 0, sizeof(t->errorname)); ++ strcpy(t->errorname, newname); + set_changed(*handle); + + return 1; +-- +2.21.0 + 
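Review bot: The libarptc_incl.c part of this patch shrinks the chain-name buffer of the error target from `char error[TABLE_MAXNAMELEN]` (32 bytes) to `xt_error_target.errorname[XT_FUNCTION_MAXNAMELEN]` (30 bytes) while keeping the unbounded copies `strcpy(newc.name.errorname, chain)` in TC_CREATE_CHAIN and `strcpy(t->errorname, newname)` in TC_RENAME_CHAIN; `struct chain_cache` in the same file still stores names in `TABLE_MAXNAMELEN` bytes, so unless callers elsewhere bound chain labels below 30 characters a longer label now overruns the target by up to two bytes. A bounded copy such as `snprintf(t->errorname, sizeof(t->errorname), "%s", newname);` at both sites, or an explicit length check that returns an error, closes that gap. Related, `xt_entry_target.u.user.name` is one byte shorter (29) than the old `ARPT_FUNCTION_MAXNAMELEN` (30) and is followed by the new `revision` byte, so any remaining code that pads or copies a full `FUNCTION_MAXNAMELEN` into `name` now clobbers `revision` (the later 0012 patch adjusts map_target for this). TC_CREATE_CHAIN and TC_RENAME_CHAIN both extend beyond the hunk.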
diff --git a/0011-src-fix-compilation-warning.patch b/0011-src-fix-compilation-warning.patch
new file mode 100644
index 0000000..5d229c0
--- /dev/null
+++ b/0011-src-fix-compilation-warning.patch
@@ -0,0 +1,61 @@ +From 633ad43b19b4e5e26fff16c339f9fdd5293c2ffc Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 2 Apr 2015 10:33:18 +0200 +Subject: [PATCH] src: fix compilation warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +libarptc/libarptc.c: In function ‘dump_entry’: +libarptc/libarptc.c:137:9: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 2 has type ‘__u64’ [-Wformat] +libarptc/libarptc.c:137:9: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘__u64’ [-Wformat] + +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 935acea0326785834b22f2233e1b1e3f8d000f7d) +Signed-off-by: Phil Sutter +--- + arptables.c | 7 ++++--- + libarptc/libarptc.c | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/arptables.c b/arptables.c +index 845e226a98a30..f820ffa894e00 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -2164,16 +2164,17 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) + "-%c requires packet and byte counter", + opt2char(OPT_COUNTERS)); + +- if (sscanf(pcnt, "%"PRIu64, &fw.counters.pcnt) != 1) ++ if (sscanf(pcnt, "%"PRIu64, ++ (uint64_t *)&fw.counters.pcnt) != 1) + exit_error(PARAMETER_PROBLEM, + "-%c packet counter not numeric", + opt2char(OPT_COUNTERS)); + +- if (sscanf(bcnt, "%"PRIu64, &fw.counters.bcnt) != 1) ++ if (sscanf(bcnt, "%"PRIu64, ++ (uint64_t *)&fw.counters.bcnt) != 1) + exit_error(PARAMETER_PROBLEM, + "-%c byte counter not numeric", + opt2char(OPT_COUNTERS)); +- + break; + + +diff --git a/libarptc/libarptc.c b/libarptc/libarptc.c +index 2dcaaefff5b41..0025a75efc9ea 100644 +--- a/libarptc/libarptc.c ++++ b/libarptc/libarptc.c +@@ -134,7 +134,7 @@ dump_entry(STRUCT_ENTRY *e, const TC_HANDLE_T handle) + printf("Flags: %02X\n", e->arp.flags); + printf("Invflags: %02X\n", e->arp.invflags); + printf("Counters: %"PRIu64" packets, %"PRIu64" bytes\n", +- 
e->counters.pcnt, e->counters.bcnt); ++ (uint64_t)e->counters.pcnt, (uint64_t)e->counters.bcnt); + /* + printf("Cache: %08X ", e->nfcache); + if (e->nfcache & NFC_ALTERED) printf("ALTERED "); +-- +2.21.0 + diff --git a/0012-arptables-Add-revision-field-for-arptables-userspace.patch b/0012-arptables-Add-revision-field-for-arptables-userspace.patch new file mode 100644 index 0000000..8da02b1 --- /dev/null +++ b/0012-arptables-Add-revision-field-for-arptables-userspace.patch 
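Review bot: The `(uint64_t *)` casts on `&fw.counters.pcnt` and `&fw.counters.bcnt` in do_command silence the format warning but keep `sscanf` as the parser for the `--set-counters` values, and `%"PRIu64` accepts a leading minus sign and stops at the first non-digit without error, so `-1` wraps to a huge counter and `12abc` is accepted as 12, with no range check. Parsing into a `uint64_t` temporary with `strtoull` and checking `endptr` and `errno` rejects those inputs, and assigning the temporary to the `__u64` field also avoids aliasing a `__u64` through a `uint64_t *` (on 64-bit glibc those can be `unsigned long long` and `unsigned long`, same size but distinct types). This needs `errno.h`, which arptables.c may already include. do_command begins and ends outside the hunk.
```c
			errno = 0;
			char *end;
			uint64_t v = strtoull(pcnt, &end, 10);
			if (end == pcnt || *end != '\0' || errno == ERANGE)
				exit_error(PARAMETER_PROBLEM,
					   "-%c packet counter not numeric",
					   opt2char(OPT_COUNTERS));
			fw.counters.pcnt = v;
			/* … same strtoull/endptr/errno check for bcnt, then fw.counters.bcnt = v; … */
```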
@@ -0,0 +1,115 @@ +From 4c30ed220bbcc4a8060b382b536a615dd296a6fa Mon Sep 17 00:00:00 2001 +From: Zhang Chunyu +Date: Sun, 29 Mar 2015 22:35:47 -0400 +Subject: [PATCH] arptables: Add revision field for arptables userspace + +Signed-off-by: Gao feng +Signed-off-by: Zhang Chunyu +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit dbbe9f7de36aa3c7dd61dc89092c03f7902e474e) +Signed-off-by: Phil Sutter +--- + arptables.c | 2 ++ + extensions/arpt_CLASSIFY.c | 1 + + extensions/arpt_mangle.c | 1 + + extensions/arpt_standard.c | 1 + + include/arptables.h | 6 ++++++ + libarptc/libarptc_incl.c | 2 +- + 6 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/arptables.c b/arptables.c +index f820ffa894e00..fbe7350be3f32 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -2067,6 +2067,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) + target->t->u.target_size = size; + strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name)); + target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0'; ++ target->t->u.user.revision = target->revision; + /* + target->init(target->t, &fw.nfcache); + */ +@@ -2392,6 +2393,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) + target->t = fw_calloc(1, size); + target->t->u.target_size = size; + strcpy(target->t->u.user.name, jumpto); ++ target->t->u.user.revision = target->revision; + target->init(target->t); + } + +diff --git a/extensions/arpt_CLASSIFY.c b/extensions/arpt_CLASSIFY.c +index cb5770be8053c..7893aed31c057 100644 +--- a/extensions/arpt_CLASSIFY.c ++++ b/extensions/arpt_CLASSIFY.c +@@ -105,6 +105,7 @@ struct arptables_target classify + ARPTABLES_VERSION, + ARPT_ALIGN(sizeof(struct xt_classify_target_info)), + ARPT_ALIGN(sizeof(struct xt_classify_target_info)), ++ 0, + &help, + &init, + &parse, +diff --git a/extensions/arpt_mangle.c b/extensions/arpt_mangle.c +index c38fc1668236d..c7c3a7a42fc36 100644 +--- a/extensions/arpt_mangle.c ++++ 
b/extensions/arpt_mangle.c +@@ -199,6 +199,7 @@ struct arptables_target change + ARPTABLES_VERSION, + ARPT_ALIGN(sizeof(struct arpt_mangle)), + ARPT_ALIGN(sizeof(struct arpt_mangle)), ++ 0, + &help, + &init, + &parse, +diff --git a/extensions/arpt_standard.c b/extensions/arpt_standard.c +index cb3891d871102..6c2b1874acb59 100644 +--- a/extensions/arpt_standard.c ++++ b/extensions/arpt_standard.c +@@ -54,6 +54,7 @@ struct arptables_target standard + ARPTABLES_VERSION, + ARPT_ALIGN(sizeof(int)), + ARPT_ALIGN(sizeof(int)), ++ 0, + &help, + &init, + &parse, +diff --git a/include/arptables.h b/include/arptables.h +index 820b66460cfbe..82e6e9a80445e 100644 +--- a/include/arptables.h ++++ b/include/arptables.h +@@ -32,6 +32,9 @@ struct arptables_match + /* Size of match data relevent for userspace comparison purposes */ + size_t userspacesize; + ++ /* Revision of target (0 by default). */ ++ u_int8_t revision; ++ + /* Function which prints out usage message. */ + void (*help)(void); + +@@ -81,6 +84,9 @@ struct arptables_target + /* Size of target data relevent for userspace comparison purposes */ + size_t userspacesize; + ++ /* Revision of target (0 by default). */ ++ u_int8_t revision; ++ + /* Function which prints out usage message. */ + void (*help)(void); + +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index a034930600344..87404ce185d77 100644 +--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -872,7 +872,7 @@ map_target(const TC_HANDLE_T handle, + /* memset to all 0 for your memcmp convenience. */ + memset(t->u.user.name + strlen(t->u.user.name), + 0, +- FUNCTION_MAXNAMELEN - strlen(t->u.user.name)); ++ FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name)); + return 1; + } + +-- +2.21.0 + diff --git a/0013-arptables-Add-MARK-target.patch b/0013-arptables-Add-MARK-target.patch new file mode 100644 index 0000000..33c6dac --- /dev/null +++ b/0013-arptables-Add-MARK-target.patch 
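Review bot: The new memset length `FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name)` in map_target is only right when `name` is NUL-terminated within its 29 bytes; the subtraction is evaluated in `size_t`, so an unterminated name makes `strlen` run into `revision` and beyond and the length wraps to a huge value. The second do_command hunk (around line 2393) still fills that field with an unbounded `strcpy(target->t->u.user.name, jumpto);`, whereas the first hunk (around line 2067) uses `strncpy` plus an explicit terminator; making the 2393 site match, `strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));` followed by `target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0';`, keeps the invariant map_target now relies on. Separately, inserting `revision` between `userspacesize` and `help` in `struct arptables_match`/`struct arptables_target` shifts the positional initializers every extension uses; the three in-tree extensions gain a `0,` here, but any out-of-tree extension built from the old layout would have its function pointers shifted by one field. map_target and do_command both extend beyond their hunks.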
@@ -0,0 +1,218 @@ +From 31eaf6577094b474932846d817c25fdd734e1aa8 Mon Sep 17 00:00:00 2001 +From: Zhang Chunyu +Date: Sun, 29 Mar 2015 22:35:48 -0400 +Subject: [PATCH] arptables: Add MARK target + +We can use MARK target to set make value for arp packet. + +Signed-off-by: Gao feng +Signed-off-by: Zhang Chunyu +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 4bb2f8340783fd3a3f70aa6f8807428a280f8474) +Signed-off-by: Phil Sutter +--- + arptables.8 | 17 +++++ + extensions/Makefile | 2 +- + extensions/arpt_MARK.c | 150 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 168 insertions(+), 1 deletion(-) + create mode 100644 extensions/arpt_MARK.c + +diff --git a/arptables.8 b/arptables.8 +index 78b2c60978c40..676b8840c60f2 100644 +--- a/arptables.8 ++++ b/arptables.8 +@@ -315,6 +315,23 @@ sify the packet into a specific CBQ class). + Set the major and minor class value. The values are always + interpreted as hexadecimal even if no 0x prefix is given. + ++.SS MARK ++This module allows you to set the skb->mark value (and thus classify ++the packet by the mark in u32) ++ ++.TP ++.BR "--set-mark mark" ++Set the mark value. The values are always ++interpreted as hexadecimal even if no 0x prefix is given ++ ++.TP ++.BR "--and-mark mark" ++Binary AND the mark with bits. ++ ++.TP ++.BR "--or-mark mark" ++Binary OR the mark with bits. ++ + .SH MAILINGLISTS + .BR "" "See " http://netfilter.org/mailinglists.html + .SH SEE ALSO +diff --git a/extensions/Makefile b/extensions/Makefile +index 09b244ead15ac..0189cc9066674 100644 +--- a/extensions/Makefile ++++ b/extensions/Makefile +@@ -1,6 +1,6 @@ + #! 
/usr/bin/make + +-EXT_FUNC+=standard mangle CLASSIFY ++EXT_FUNC+=standard mangle CLASSIFY MARK + EXT_OBJS+=$(foreach T,$(EXT_FUNC), extensions/arpt_$(T).o) + + extensions/ebt_%.o: extensions/arpt_%.c include/arptables.h include/arptables_common.h +diff --git a/extensions/arpt_MARK.c b/extensions/arpt_MARK.c +new file mode 100644 +index 0000000000000..3e5a9f96db8a7 +--- /dev/null ++++ b/extensions/arpt_MARK.c +@@ -0,0 +1,150 @@ ++/* ++ * (C) 2014 by Gao Feng ++ * ++ * arpt_MARK.c -- arptables extension to set mark for arp packet ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static void help(void) ++{ ++ printf( ++"MARK target v%s options:\n" ++"--set-mark mark : set the mark value\n" ++"--and-mark value : binary AND the mark with value\n" ++"--or-mark value : binary OR the mark with value\n", ++ ARPTABLES_VERSION); ++} ++ ++#define MARK_OPT 1 ++#define AND_MARK_OPT 2 ++#define OR_MARK_OPT 3 ++ ++static struct option opts[] = { ++ { .name = "set-mark", .has_arg = required_argument, .flag = 0, .val = MARK_OPT }, ++ { .name = "and-mark", .has_arg = required_argument, .flag = 0, .val = AND_MARK_OPT }, ++ { .name = "or-mark", .has_arg = required_argument, .flag = 0, .val = OR_MARK_OPT }, ++ { .name = NULL} ++}; ++ ++static void init(struct arpt_entry_target *t) ++{ ++ struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *) t->data; ++ ++ info->mark = 0; ++} ++ ++static int parse(int c, char **argv, int invert, unsigned int *flags, ++ const struct arpt_entry *e, struct arpt_entry_target **t) ++{ ++ struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *)(*t)->data; ++ int i; ++ ++ switch (c) { ++ case MARK_OPT: ++ if (sscanf(argv[optind-1], "%x", &i) != 1) { ++ exit_error(PARAMETER_PROBLEM, ++ "Bad mark value `%s'", optarg); ++ return 0; ++ } ++ info->mark = i; ++ if (*flags) ++ exit_error(PARAMETER_PROBLEM, ++ "MARK: Can't specify --set-mark twice"); ++ *flags = 1; ++ break; ++ case AND_MARK_OPT: ++ if (sscanf(argv[optind-1], "%x", &i) != 1) { ++ exit_error(PARAMETER_PROBLEM, ++ "Bad mark value `%s'", optarg); ++ return 0; ++ } ++ info->mark = 0; ++ info->mask = ~i; ++ if (*flags) ++ exit_error(PARAMETER_PROBLEM, ++ "MARK: Can't specify --and-mark twice"); ++ *flags = 1; ++ break; ++ case OR_MARK_OPT: ++ if (sscanf(argv[optind-1], "%x", &i) != 1) { ++ exit_error(PARAMETER_PROBLEM, ++ "Bad mark value `%s'", optarg); ++ return 0; ++ } ++ info->mark = info->mask = i; ++ if (*flags) ++ exit_error(PARAMETER_PROBLEM, ++ "MARK: Can't specify --or-mark twice"); ++ 
*flags = 1; ++ break; ++ default: ++ return 0; ++ } ++ return 1; ++} ++ ++static void final_check(unsigned int flags) ++{ ++ if (!flags) ++ exit_error(PARAMETER_PROBLEM, "MARK: Parameter --set-mark/--and-mark/--or-mark is required"); ++} ++ ++static void print(const struct arpt_arp *ip, ++ const struct arpt_entry_target *target, int numeric) ++{ ++ struct xt_mark_tginfo2 *info = (struct xt_mark_tginfo2 *)(target->data); ++ ++ if (info->mark == 0) ++ printf("--and-mark %x", (unsigned int)(uint32_t)~info->mask); ++ else if (info->mark == info->mask) ++ printf("--or-mark %x", info->mark); ++ else ++ printf("--set-mark %x", info->mark); ++} ++ ++static void save(const struct arpt_arp *ip, ++ const struct arpt_entry_target *target) ++{ ++} ++ ++static struct arptables_target mark = { ++ .next = NULL, ++ .name = "MARK", ++ .version = ARPTABLES_VERSION, ++ .size = ARPT_ALIGN(sizeof(struct xt_mark_tginfo2)), ++ .userspacesize = ARPT_ALIGN(sizeof(struct xt_mark_tginfo2)), ++ .revision = 2, ++ .help = help, ++ .init = init, ++ .parse = parse, ++ .final_check = final_check, ++ .print = print, ++ .save = save, ++ .extra_opts = opts ++}; ++ ++static void _init(void) __attribute__ ((constructor)); ++static void _init(void) ++{ ++ register_target(&mark); ++} +-- +2.21.0 + diff --git a/0014-src-Use-stdint-types.patch b/0014-src-Use-stdint-types.patch new file mode 100644 index 0000000..28412f8 --- /dev/null +++ b/0014-src-Use-stdint-types.patch 
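Review bot: In `parse()` of the new extensions/arpt_MARK.c the `MARK_OPT` case sets only `info->mark` and leaves `info->mask` at its zeroed value, whereas `--and-mark` and `--or-mark` encode both fields; assuming the kernel applies the xt_mark_tginfo2 rule `mark = (mark & ~mask) ^ value`, which is what the and/or encodings here rely on, a zero mask turns `--set-mark` into an XOR rather than an assignment, so add `info->mask = ~0U;` beside `info->mark = i;`. `i` is declared `int` but passed to `sscanf(..., "%x", &i)`, which expects `unsigned int *`; declare it `unsigned int i`. Each `return 0;` after `exit_error()` is unreachable if exit_error does not return, and the message reports `optarg` while the value actually parsed was `argv[optind-1]`. The empty `save()` means a MARK rule is written out without its option, which presumably should mirror `print()`.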
@@ -0,0 +1,145 @@ +From 43423fdfe9cfc69d5759ef04b9d91e3cf60a8142 Mon Sep 17 00:00:00 2001 +From: Felix Janda +Date: Sat, 16 May 2015 10:31:24 +0200 +Subject: [PATCH] src: Use stdint types + +Signed-off-by: Felix Janda +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 047f37b1d5d865084a435fd7594b8c5c332ccb8d) +Signed-off-by: Phil Sutter +--- + arptables.c | 8 ++++---- + include/arptables.h | 7 ++++--- + include/libarptc/libarptc.h | 7 ++++--- + libarptc/libarptc.c | 4 ++-- + libarptc/libarptc_incl.c | 2 +- + 5 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/arptables.c b/arptables.c +index fbe7350be3f32..4e9af67f92042 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -230,7 +230,7 @@ extern void dump_entries(const arptc_handle_t handle); + /etc/protocols */ + struct pprot { + char *name; +- u_int8_t num; ++ uint8_t num; + }; + + /* Primitive headers... */ +@@ -926,7 +926,7 @@ mask_to_dotted(const struct in_addr *mask) + { + int i; + static char buf[20]; +- u_int32_t maskaddr, bits; ++ uint32_t maskaddr, bits; + + maskaddr = ntohl(mask->s_addr); + +@@ -968,7 +968,7 @@ string_to_number(const char *s, unsigned int min, unsigned int max, + } + + static void +-set_option(unsigned int *options, unsigned int option, u_int16_t *invflg, ++set_option(unsigned int *options, unsigned int option, uint16_t *invflg, + int invert) + { + if (*options & option) +@@ -1108,7 +1108,7 @@ register_target(struct arptables_target *me) + } + + static void +-print_num(u_int64_t number, unsigned int format) ++print_num(uint64_t number, unsigned int format) + { + if (format & FMT_KILOMEGAGIGA) { + if (number > 99999) { +diff --git a/include/arptables.h b/include/arptables.h +index 82e6e9a80445e..34f53c1cadbd8 100644 +--- a/include/arptables.h ++++ b/include/arptables.h +@@ -1,6 +1,7 @@ + #ifndef _ARPTABLES_USER_H + #define _ARPTABLES_USER_H + ++#include + #include "arptables_common.h" + #include "libarptc/libarptc.h" + +@@ -33,7 +34,7 @@ struct arptables_match + 
size_t userspacesize; + + /* Revision of target (0 by default). */ +- u_int8_t revision; ++ uint8_t revision; + + /* Function which prints out usage message. */ + void (*help)(void); +@@ -85,7 +86,7 @@ struct arptables_target + size_t userspacesize; + + /* Revision of target (0 by default). */ +- u_int8_t revision; ++ uint8_t revision; + + /* Function which prints out usage message. */ + void (*help)(void); +@@ -132,7 +133,7 @@ extern char *mask_to_dotted(const struct in_addr *mask); + + extern void parse_hostnetworkmask(const char *name, struct in_addr **addrpp, + struct in_addr *maskp, unsigned int *naddrs); +-extern u_int16_t parse_protocol(const char *s); ++extern uint16_t parse_protocol(const char *s); + + extern int do_command(int argc, char *argv[], char **table, + arptc_handle_t *handle); +diff --git a/include/libarptc/libarptc.h b/include/libarptc/libarptc.h +index ff4606fb9ae16..18e8bb06fee6b 100644 +--- a/include/libarptc/libarptc.h ++++ b/include/libarptc/libarptc.h +@@ -7,9 +7,10 @@ + #include + + #ifndef ARPT_MIN_ALIGN +-/* arpt_entry has pointers and u_int64_t's in it, so if you align to +- it, you'll also align to any crazy matches and targets someone +- might write */ ++/* arpt_entry has pointers and uint64_t's in it, so if you align to ++ * it, you'll also align to any crazy matches and targets someone ++ * might write. 
++ */ + #define ARPT_MIN_ALIGN (__alignof__(struct arpt_entry)) + #endif + +diff --git a/libarptc/libarptc.c b/libarptc/libarptc.c +index 0025a75efc9ea..6d9773553e679 100644 +--- a/libarptc/libarptc.c ++++ b/libarptc/libarptc.c +@@ -256,8 +256,8 @@ unconditional(const struct arpt_arp *arp) + { + unsigned int i; + +- for (i = 0; i < sizeof(*arp)/sizeof(u_int32_t); i++) +- if (((u_int32_t *)arp)[i]) ++ for (i = 0; i < sizeof(*arp) / sizeof(uint32_t); i++) ++ if (((uint32_t *)arp)[i]) + return 0; + + return 1; +diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c +index 87404ce185d77..ca23da6474990 100644 +--- a/libarptc/libarptc_incl.c ++++ b/libarptc/libarptc_incl.c +@@ -1688,7 +1688,7 @@ TC_COMMIT(TC_HANDLE_T *handle) + /* Kernel will think that pointer should be 64-bits, and get + padding. So we accomodate here (assumption: alignment of + `counters' is on 64-bit boundary). */ +- u_int64_t *kernptr = (u_int64_t *)&newcounters->counters; ++ uint64_t *kernptr = (uint64_t *)&newcounters->counters; + if ((unsigned long)&newcounters->counters % 8 != 0) { + fprintf(stderr, + "counters alignment incorrect! Mail rusty!\n"); +-- +2.21.0 + diff --git a/0015-src-Remove-support-for-libc5.patch b/0015-src-Remove-support-for-libc5.patch new file mode 100644 index 0000000..84c4c62 --- /dev/null +++ b/0015-src-Remove-support-for-libc5.patch 
@@ -0,0 +1,63 @@ +From 938f4d10663d99dff32ce92c7a2ce1af6de47aa2 Mon Sep 17 00:00:00 2001 +From: Felix Janda +Date: Sat, 16 May 2015 10:31:41 +0200 +Subject: [PATCH] src: Remove support for libc5 + +Fixes compilation with musl libc + +Signed-off-by: Felix Janda +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit f4ab8f63f11a72f14687a6646d04ae1bae3fa45f) +Signed-off-by: Phil Sutter +--- + include/libarptc/arpt_kernel_headers.h | 12 ------------ + libarptc/libarptc.c | 4 ---- + 2 files changed, 16 deletions(-) + +diff --git a/include/libarptc/arpt_kernel_headers.h b/include/libarptc/arpt_kernel_headers.h +index 442cc54cd3962..140e99973ad15 100644 +--- a/include/libarptc/arpt_kernel_headers.h ++++ b/include/libarptc/arpt_kernel_headers.h +@@ -5,7 +5,6 @@ + + #include + +-#if defined(__GLIBC__) && __GLIBC__ == 2 + #include + #include + #include +@@ -14,16 +13,5 @@ + #include + #include + #include +-#else +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#endif + + #endif +diff --git a/libarptc/libarptc.c b/libarptc/libarptc.c +index 6d9773553e679..e979dad6cebbe 100644 +--- a/libarptc/libarptc.c ++++ b/libarptc/libarptc.c +@@ -23,10 +23,6 @@ + #define inline + #endif + +-#if !defined(__GLIBC__) || (__GLIBC__ < 2) +-typedef unsigned int socklen_t; +-#endif +- + #include "libarptc/libarptc.h" + + #define IP_VERSION 4 +-- +2.21.0 + diff --git a/0016-arptables-cleanup-sysvinit-script.patch b/0016-arptables-cleanup-sysvinit-script.patch new file mode 100644 index 0000000..cd4a33c --- /dev/null +++ b/0016-arptables-cleanup-sysvinit-script.patch 
@@ -0,0 +1,158 @@ +From 6e39026e78c20319d1f5006bbe6ad0f7541d58ae Mon Sep 17 00:00:00 2001 +From: Arturo Borrero Gonzalez +Date: Thu, 3 May 2018 11:28:31 +0200 +Subject: [PATCH] arptables: cleanup sysvinit script + +This file belong to downstream distributions. Also, it's unmaintained. + +Signed-off-by: Arturo Borrero Gonzalez +(cherry picked from commit 988d6a4cd1b12718177bf3065f07faeabb208713) +Signed-off-by: Phil Sutter +--- + Makefile | 8 +--- + arptables.sysv | 103 ------------------------------------------------- + 2 files changed, 2 insertions(+), 109 deletions(-) + delete mode 100644 arptables.sysv + +diff --git a/Makefile b/Makefile +index 7bead0d9134f3..139c9cae9ff6c 100644 +--- a/Makefile ++++ b/Makefile +@@ -7,7 +7,6 @@ LIBDIR:=$(PREFIX)/lib + BINDIR:=$(PREFIX)/sbin + MANDIR:=$(PREFIX)/man + man8dir=$(MANDIR)/man8 +-INITDIR:=/etc/rc.d/init.d + SYSCONFIGDIR:=/etc/sysconfig + DESTDIR:= + +@@ -46,15 +45,12 @@ $(DESTDIR)$(BINDIR)/arptables: arptables + tmp1:=$(shell printf $(BINDIR) | sed 's/\//\\\//g') + tmp2:=$(shell printf $(SYSCONFIGDIR) | sed 's/\//\\\//g') + .PHONY: scripts +-scripts: arptables-save arptables-restore arptables.sysv ++scripts: arptables-save arptables-restore + cat arptables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-save_ + install -m 0755 arptables-save_ $(DESTDIR)$(BINDIR)/arptables-save + cat arptables-restore | sed 's/__EXEC_PATH__/$(tmp1)/g' > arptables-restore_ + install -m 0755 arptables-restore_ $(DESTDIR)$(BINDIR)/arptables-restore +- cat arptables.sysv | sed 's/__EXEC_PATH__/$(tmp1)/g' | sed 's/__SYSCONFIG__/$(tmp2)/g' > arptables.sysv_ +- if [ "$(DESTDIR)" != "" ]; then mkdir -p $(DESTDIR)$(INITDIR); fi +- if test -d $(DESTDIR)$(INITDIR); then install -m 0755 arptables.sysv_ $(DESTDIR)$(INITDIR)/arptables; fi +- rm -f arptables-save_ arptables-restore_ arptables.sysv_ ++ rm -f arptables-save_ arptables-restore_ + + .PHONY: install-man + install-man: $(MANS) +diff --git a/arptables.sysv b/arptables.sysv +deleted file 
mode 100644 +index ea5cf092ef2c8..0000000000000 +--- a/arptables.sysv ++++ /dev/null +@@ -1,103 +0,0 @@ +-#!/bin/bash +-# +-# init script for arptables +-# +-# Original by Dag Wieers . +-# Modified/changed to arptables by +-# Rok Papez . +-# +-# chkconfig: - 16 84 +-# description: Arp filtering tables +-# +-# config: __SYSCONFIG__/arptables +- +-source /etc/init.d/functions +-source /etc/sysconfig/network +- +-# Check that networking is up. +-[ ${NETWORKING} = "no" ] && exit 0 +- +-[ -x __EXEC_PATH__/arptables ] || exit 1 +-[ -x __EXEC_PATH__/arptables-save ] || exit 1 +-[ -x __EXEC_PATH__/arptables-restore ] || exit 1 +- +-[ "$1" != "save" -o -r __SYSCONFIG__/arptables ] || exit 1 +- +-RETVAL=0 +-prog="arptables" +-desc="Arp filtering" +- +-start() { +- echo -n $"Starting $desc ($prog): " +- __EXEC_PATH__/arptables-restore < __SYSCONFIG__/arptables || RETVAL=1 +- +- if [ $RETVAL -eq 0 ]; then +- success "$prog startup" +- rm -f /var/lock/subsys/$prog +- else +- failure "$prog startup" +- fi +- +- echo +- return $RETVAL +-} +- +-stop() { +- echo -n $"Stopping $desc ($prog): " +- __EXEC_PATH__/arptables-restore < /dev/null || RETVAL=1 +- +- if [ $RETVAL -eq 0 ]; then +- success "$prog shutdown" +- rm -f %{_localstatedir}/lock/subsys/$prog +- else +- failure "$prog shutdown" +- fi +- +- echo +- return $RETVAL +-} +- +-restart() { +- stop +- start +-} +- +-save() { +- echo -n $"Saving $desc ($prog): " +- __EXEC_PATH__/arptables-save > __SYSCONFIG__/arptables || RETVAL=1 +- +- if [ $RETVAL -eq 0 ]; then +- success "$prog saved" +- else +- failure "$prog saved" +- fi +- echo +-} +- +-case "$1" in +- start) +- start +- ;; +- stop) +- stop +- ;; +- restart|reload) +- restart +- ;; +- condrestart) +- [ -e /var/lock/subsys/$prog ] && restart +- RETVAL=$? +- ;; +- save) +- save +- ;; +- status) +- __EXEC_PATH__/arptables-save +- RETVAL=$? +- ;; +- *) +- echo $"Usage $0 {start|stop|restart|condrestart|save|status}" +- RETVAL=1 +-esac +- +-exit $RETVAL +-- +2.21.0 + 
diff --git a/0017-arptables-legacy-renaming.patch b/0017-arptables-legacy-renaming.patch new file mode 100644 index 0000000..497edd7 --- /dev/null +++ b/0017-arptables-legacy-renaming.patch 
@@ -0,0 +1,129 @@ +From 0c80be6f74250dbc70d071a84bc3b7a7d15b80f2 Mon Sep 17 00:00:00 2001 +From: Arturo Borrero Gonzalez +Date: Wed, 20 Jun 2018 15:43:39 +0200 +Subject: [PATCH] arptables: legacy renaming + +The original arptables tool is now the legacy version, let's rename it. + +A more uptodate client of the arptables tool is provided in the iptables +tarball. The new tool was formerly known as arptables-compat. + +The new -legacy binary should have no problem if called via a symlink. + +Signed-off-by: Arturo Borrero Gonzalez +Signed-off-by: Florian Westphal +(cherry picked from commit 28b22d55615447c94c5058e0aacec612ebc27f2a) +Signed-off-by: Phil Sutter +--- + Makefile | 12 ++++++------ + arptables.8 => arptables-legacy.8 | 16 ++++++++++++++-- + arptables.c | 2 +- + 3 files changed, 21 insertions(+), 9 deletions(-) + rename arptables.8 => arptables-legacy.8 (94%) + +diff --git a/Makefile b/Makefile +index 139c9cae9ff6c..5f3f81290165c 100644 +--- a/Makefile ++++ b/Makefile +@@ -10,7 +10,7 @@ man8dir=$(MANDIR)/man8 + SYSCONFIGDIR:=/etc/sysconfig + DESTDIR:= + +-MANS = arptables.8 arptables-save.8 arptables-restore.8 ++MANS = arptables-legacy.8 arptables-save.8 arptables-restore.8 + + COPT_FLAGS:=-O2 + CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include/ -Iinclude/ -DARPTABLES_VERSION=\"$(ARPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DARPTC_DEBUG +@@ -21,7 +21,7 @@ endif + + include extensions/Makefile + +-all: arptables libarptc/libarptc.a ++all: arptables-legacy libarptc/libarptc.a + + arptables.o: arptables.c + $(CC) $(CFLAGS) -c -o $@ $< +@@ -35,10 +35,10 @@ libarptc/libarptc.o: libarptc/libarptc.c libarptc/libarptc_incl.c + libarptc/libarptc.a: libarptc/libarptc.o + $(AR) rcs $@ $< + +-arptables: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) ++arptables-legacy: arptables-standalone.o arptables.o libarptc/libarptc.o $(EXT_OBJS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ + +-$(DESTDIR)$(BINDIR)/arptables: arptables 
++$(DESTDIR)$(BINDIR)/arptables-legacy: arptables-legacy + mkdir -p $(DESTDIR)$(BINDIR) + install -m 0755 $< $@ + +@@ -58,11 +58,11 @@ install-man: $(MANS) + install -m 0644 $^ $(DESTDIR)$(man8dir)/ + + .PHONY: install +-install: install-man $(DESTDIR)$(BINDIR)/arptables scripts ++install: install-man $(DESTDIR)$(BINDIR)/arptables-legacy scripts + + .PHONY: clean + clean: +- rm -f arptables ++ rm -f arptables-legacy + rm -f *.o *~ + rm -f extensions/*.o extensions/*~ + rm -f libarptc/*.o libarptc/*~ libarptc/*.a +diff --git a/arptables.8 b/arptables-legacy.8 +similarity index 94% +rename from arptables.8 +rename to arptables-legacy.8 +index 676b8840c60f2..3ce99e3757004 100644 +--- a/arptables.8 ++++ b/arptables-legacy.8 +@@ -1,4 +1,4 @@ +-.TH ARPTABLES 8 "November 2011" ++.TH ARPTABLES 8 "June 2018" + .\" + .\" Man page originally written by Jochen Friedrich , + .\" maintained by Bart De Schuymer. +@@ -22,7 +22,7 @@ + .\" + .\" + .SH NAME +-arptables \- ARP table administration ++arptables \- ARP table administration (legacy) + .SH SYNOPSIS + .BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ] + .br +@@ -37,6 +37,18 @@ arptables \- ARP table administration + .BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name" + .br + .BR "arptables " [ "-t table" ] " -P chain target " [ options ] ++ ++.SH LEGACY ++This tool uses the old xtables/setsockopt framework, and is a legacy version ++of arptables. That means that a new, more modern tool exists with the same ++functionality using the nf_tables framework and you are encouraged to migrate now. ++The new binaries (formerly known as -compat) uses the same syntax and ++semantics than this legacy one. ++ ++You can still use this legacy tool. You should probably get some specific ++information from your Linux distribution or vendor. 
++More docs are available at https://wiki.nftables.org ++ + .SH DESCRIPTION + .B arptables + is a user space tool, it is used to set up and maintain the +diff --git a/arptables.c b/arptables.c +index 4e9af67f92042..09c9ca25217d0 100644 +--- a/arptables.c ++++ b/arptables.c +@@ -468,7 +468,7 @@ exit_printhelp(void) + struct arptables_target *t = NULL; + int i; + +- printf("%s v%s\n\n" ++ printf("%s v%s (legacy)\n\n" + "Usage: %s -[AD] chain rule-specification [options]\n" + " %s -[RI] chain rulenum rule-specification [options]\n" + " %s -D chain rulenum [options]\n" +-- +2.21.0 + diff --git a/arptables-helper b/arptables-helper deleted file mode 100644 index 11685ab..0000000 --- a/arptables-helper +++ /dev/null 
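Review bot: The new LEGACY section of arptables-legacy.8 has a grammar slip in `The new binaries (formerly known as -compat) uses the same syntax and semantics than this legacy one.`, which should read `The new binaries (formerly known as -compat) use the same syntax and semantics as this legacy one.`. The `.TH ARPTABLES 8` header keeps the old page name although the file is renamed; that may be intentional if arptables.8 is to be linked to this page, but it is worth stating in the commit message.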
@@ -1,104 +0,0 @@ -#!/bin/sh -# config: /etc/sysconfig/arptables - -# Source 'em up -. /etc/init.d/functions - -ARPTABLES_CONFIG=/etc/sysconfig/arptables - -arp_table() { - if fgrep -qsx $1 /proc/net/arp_tables_names; then - arptables -t "$@" - fi -} - -flush_delete_chains() { - chains=$(cat /proc/net/arp_tables_names 2>/dev/null) - echo -n $"Flushing all chains:" - let ret=0 - for i in $chains; do arptables -t $i -F; let ret+=$?; done - arptables -F; let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo - - echo -n $"Removing user defined chains:" - let ret=0 - for i in $chains; do arptables -t $i -X; let ret+=$?; done - arptables -X; let ret+=$? - if [ $ret -eq 0 ]; then - success - else - failure - fi - echo -} - -start() { - if [ ! -x /usr/sbin/arptables ]; then - exit 4 - fi - - # don't do squat if we don't have the config file - if [ -f $ARPTABLES_CONFIG ]; then - # If we don't clear these first, we might be adding to - # pre-existing rules. - flush_delete_chains - - for i in $(cat /proc/net/arp_tables_names 2>/dev/null); do - arptables -t $i -Z; - done - - echo -n $"Applying arptables firewall rules: " - /usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \ - success || \ - failure - echo - touch /var/lock/subsys/arptables - else - failure - echo - echo $"Configuration file /etc/sysconfig/arptables missing" - exit 6 - fi -} - -stop() { - flush_delete_chains - echo -n $"Resetting built-in chains to the default ACCEPT policy:" - arp_table filter -P INPUT ACCEPT && \ - arp_table filter -P OUTPUT ACCEPT && \ - success || \ - failure - echo - rm -f /var/lock/subsys/arptables -} - -case "$1" in -start) - start - ;; - -stop) - stop - ;; - -restart|reload) - # "restart" is really just "start" as this isn't a daemon, - # and "start" clears any pre-defined rules anyway. 
- # This is really only here to make those who expect it happy - start - ;; - -condrestart|try-restart|force-reload) - [ -e /var/lock/subsys/arptables ] && start - ;; - -*) - exit 2 -esac - -exit 0 diff --git a/arptables-legacy-helper b/arptables-legacy-helper new file mode 100644 index 0000000..11685ab --- /dev/null +++ b/arptables-legacy-helper 
@@ -0,0 +1,104 @@ +#!/bin/sh +# config: /etc/sysconfig/arptables + +# Source 'em up +. /etc/init.d/functions + +ARPTABLES_CONFIG=/etc/sysconfig/arptables + +arp_table() { + if fgrep -qsx $1 /proc/net/arp_tables_names; then + arptables -t "$@" + fi +} + +flush_delete_chains() { + chains=$(cat /proc/net/arp_tables_names 2>/dev/null) + echo -n $"Flushing all chains:" + let ret=0 + for i in $chains; do arptables -t $i -F; let ret+=$?; done + arptables -F; let ret+=$? + if [ $ret -eq 0 ]; then + success + else + failure + fi + echo + + echo -n $"Removing user defined chains:" + let ret=0 + for i in $chains; do arptables -t $i -X; let ret+=$?; done + arptables -X; let ret+=$? + if [ $ret -eq 0 ]; then + success + else + failure + fi + echo +} + +start() { + if [ ! -x /usr/sbin/arptables ]; then + exit 4 + fi + + # don't do squat if we don't have the config file + if [ -f $ARPTABLES_CONFIG ]; then + # If we don't clear these first, we might be adding to + # pre-existing rules. + flush_delete_chains + + for i in $(cat /proc/net/arp_tables_names 2>/dev/null); do + arptables -t $i -Z; + done + + echo -n $"Applying arptables firewall rules: " + /usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \ + success || \ + failure + echo + touch /var/lock/subsys/arptables + else + failure + echo + echo $"Configuration file /etc/sysconfig/arptables missing" + exit 6 + fi +} + +stop() { + flush_delete_chains + echo -n $"Resetting built-in chains to the default ACCEPT policy:" + arp_table filter -P INPUT ACCEPT && \ + arp_table filter -P OUTPUT ACCEPT && \ + success || \ + failure + echo + rm -f /var/lock/subsys/arptables +} + +case "$1" in +start) + start + ;; + +stop) + stop + ;; + +restart|reload) + # "restart" is really just "start" as this isn't a daemon, + # and "start" clears any pre-defined rules anyway. 
+ # This is really only here to make those who expect it happy + start + ;; + +condrestart|try-restart|force-reload) + [ -e /var/lock/subsys/arptables ] && start + ;; + +*) + exit 2 +esac + +exit 0 diff --git a/arptables.spec b/arptables.spec index 15f2f48..14d77f2 100644 --- a/arptables.spec +++ b/arptables.spec 
@@ -1,26 +1,35 @@ Summary: User space tool to set up tables of ARP rules in kernel Name: arptables Version: 0.0.4 -Release: 15%{?dist} +Release: 16%{?dist} License: GPLv2+ URL: http://ebtables.sourceforge.net/ Source0: http://downloads.sourceforge.net/ebtables/arptables/arptables-v%{version}.tar.gz Source1: arptables.service -Source2: arptables-helper -# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt -# http://marc.info/?l=netfilter-devel&m=137908241011194&w=2 -Source3: COPYING +Source2: arptables-legacy-helper + +Patch1: 0001-build-an-libarptc.a-archive.patch +Patch2: 0002-make-static-analysis-tool-happy-false-positive.patch +Patch3: 0003-fix-potential-buffer-overflows-reported-by-static-an.patch +Patch4: 0004-add-GPL-text.patch +Patch5: 0005-Add-man-pages-for-arptables-save-restore.patch +Patch6: 0006-arptables-install-man-pages.patch +Patch7: 0007-arptables-add-missing-long-option-set-counters-and-u.patch +Patch8: 0008-arptables-fix-potential-buffer-overflow-author-dcb.patch +Patch9: 0009-arptables-remove-dead-dynamic-hooks-code.patch +Patch10: 0010-src-cache-in-tree-and-use-x_tables.h.patch +Patch11: 0011-src-fix-compilation-warning.patch +Patch12: 0012-arptables-Add-revision-field-for-arptables-userspace.patch +Patch13: 0013-arptables-Add-MARK-target.patch +Patch14: 0014-src-Use-stdint-types.patch +Patch15: 0015-src-Remove-support-for-libc5.patch +Patch16: 0016-arptables-cleanup-sysvinit-script.patch +Patch17: 0017-arptables-legacy-renaming.patch BuildRequires: gcc BuildRequires: perl-generators BuildRequires: systemd -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd - -Obsoletes: arptables_jf < 0.0.8-37 -Provides: arptables_jf = 0.0.8-37 %description The arptables is a user space tool used to set up and maintain 
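Review bot: `Obsoletes: arptables_jf < 0.0.8-37` and `Provides: arptables_jf = 0.0.8-37` are dropped here without being carried over to any of the new sub-packages defined later in the spec; if any installed system still has arptables_jf, its upgrade path through this package is lost. If that package is considered long gone this is fine, but the changelog entry should say so, otherwise move the two lines to the `legacy` sub-package.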
@@ -28,10 +37,50 @@ the tables of ARP rules in the Linux kernel. These rules inspect the ARP frames which they see. arptables is analogous to the iptables user space tool, but is less complicated. -%prep -%setup -q -n arptables-v%{version} +%package legacy +Summary: Legacy user space tool to set up tables of ARP rules in kernel +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +Provides: arptables-helper + +%description legacy +The arptables is a user space tool used to set up and maintain +the tables of ARP rules in the Linux kernel. These rules inspect +the ARP frames which they see. arptables is analogous to the iptables +user space tool, but is less complicated. + +Note that it is considered legacy upstream since nftables provides the same +functionality in a much newer code-base. To aid in migration, there is +arptables-nft utility, a drop-in replacement for the legacy one which uses +nftables internally. It is provided by iptables-arptables package. -cp %{SOURCE3} COPYING +%package services +Summary: arptables systemd services +%{?systemd_ordering} +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires: arptables-helper + +%description services +arptables systemd services + +This package provides the systemd arptables service that has been split +out of the base package for better integration with alternatives. + +%package compat +Summary: Transitioning helper package for services sub-package split +Obsoletes: arptables < 0.0.4-16 +Requires: arptables-legacy = %{version}-%{release} +Requires: arptables-services = %{version}-%{release} + +%description compat +This package only exists to help transition arptables users to the +new package split. It will be removed after one distribution release +cycle, please do not reference it or depend on it in any way. 
+ +%prep +%autosetup -p1 -n arptables-v%{version} %build # Makefile uses $(KERNEL_DIR) to redefine where to look for header files. 
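Review bot: With no bare `%files` section left in the spec the base `arptables` package is no longer built, yet nothing here provides the name `arptables`: `%package compat` only carries `Obsoletes: arptables < 0.0.4-16`. If anything in the distribution has `Requires: arptables`, it will become uninstallable; adding `Provides: arptables = %{version}-%{release}` to the compat (or legacy) sub-package keeps such dependents working during the transition. The first line of `%description services` merely repeats its Summary and can be dropped in favour of the explanatory paragraph that follows.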
@@ -42,33 +91,94 @@ make all 'COPT_FLAGS=%{optflags}' 'LDFLAGS=%{build_ldflags}' %{_smp_mflags} %install make install DESTDIR=%{buildroot} BINDIR=%{_sbindir} MANDIR=%{_mandir} +pfx=%{buildroot}%{_sbindir} +manpfx=%{buildroot}%{_mandir}/man8 +for sfx in "-restore" "-save"; do + mv $pfx/arptables$sfx $pfx/arptables-legacy$sfx + touch $pfx/arptables$sfx + mv $manpfx/arptables${sfx}.8 $manpfx/arptables-legacy${sfx}.8 + touch $manpfx/arptables${sfx}.8 +done install -p -D -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/arptables.service mkdir -p %{buildroot}%{_libexecdir}/ install -p -D -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/ +touch %{buildroot}%{_libexecdir}/arptables-helper rm -rf %{buildroot}%{_initrddir} mkdir -p %{buildroot}%{_sysconfdir}/sysconfig echo '# Configure prior to use' > %{buildroot}%{_sysconfdir}/sysconfig/arptables -%post -%systemd_post arptables.service - -%preun +%post legacy +pfx=%{_sbindir}/arptables +manpfx=%{_mandir}/man8/arptables +lepfx=%{_libexecdir}/arptables +for sfx in "-restore" "-save"; do + if [ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]; then + rm -f $pfx$sfx + fi + if [ "$(readlink -e $manpfx${sfx}.8.gz)" == $manpfx${sfx}.8.gz ]; then + rm -f $manpfx${sfx}.8.gz + fi +done +if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then + rm -f $lepfx-helper +fi +%{_sbindir}/update-alternatives --install \ + $pfx arptables $pfx-legacy 10 \ + --slave $pfx-save arptables-save $pfx-legacy-save \ + --slave $pfx-restore arptables-restore $pfx-legacy-restore \ + --slave $manpfx.8.gz arptables-man $manpfx-legacy.8.gz \ + --slave $manpfx-save.8.gz arptables-save-man $manpfx-legacy-save.8.gz \ + --slave $manpfx-restore.8.gz arptables-restore-man $manpfx-legacy-restore.8.gz \ + --slave $lepfx-helper arptables-helper $lepfx-legacy-helper + +%preun legacy %systemd_preun arptables.service -%postun +%postun legacy %systemd_postun_with_restart arptables.service +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives --remove \ + arptables 
%{_sbindir}/arptables-legacy +fi + +%post services +%systemd_post arptables.service +%preun services +%systemd_preun arptables.service -%files -%doc COPYING -%{_sbindir}/arptables* -%{_libexecdir}/arptables-helper -%{_mandir}/*/arptables* +%postun services +%?ldconfig +%systemd_postun arptables.service + +%files legacy +%{!?_licensedir:%global license %%doc} +%license COPYING +%{_sbindir}/arptables-legacy* +%{_libexecdir}/arptables-legacy-helper +%{_mandir}/*/arptables-legacy* +%ghost %{_sbindir}/arptables +%ghost %{_sbindir}/arptables-save +%ghost %{_sbindir}/arptables-restore +%ghost %{_mandir}/man8/arptables.8.gz +%ghost %{_mandir}/man8/arptables-save.8.gz +%ghost %{_mandir}/man8/arptables-restore.8.gz +%ghost %{_libexecdir}/arptables-helper + +%files services %{_unitdir}/arptables.service %config(noreplace) %{_sysconfdir}/sysconfig/arptables +%files compat + %changelog +* Mon Feb 18 2019 Phil Sutter - 0.0.4-16 +- Integrate with alternatives +- Split systemd service into sub-package +- Rename arptables RPM into arptables-legacy +- Add recent upstream changes + * Thu Jan 31 2019 Fedora Release Engineering - 0.0.4-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
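Review bot: `%preun legacy` runs `%systemd_preun arptables.service` and `%postun legacy` runs `%systemd_postun_with_restart arptables.service`, but the unit now belongs to the `services` sub-package, which has its own `%post`/`%preun`/`%postun` for it; removing only arptables-legacy (for example after switching the alternative to another implementation) would disable and stop a service that the still-installed services package owns. Keep the legacy scriptlets limited to the alternatives handling and leave the unit lifecycle to `services`. The `[ "$(readlink -e $pfx$sfx)" == $pfx$sfx ]` tests rely on the bash-only `==`; `=` is the portable form for `test`. `%?ldconfig` in `%postun services` is a stray, since that package installs no shared libraries.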