[packages/iptables] - upated owner-xid patch - updated BRs
baggins
baggins at pld-linux.org
Sat Apr 9 15:45:55 CEST 2016
commit 52cee3e3f1b2b6889412b390b2ab9525147721c2
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Sat Apr 9 22:42:49 2016 +0900
- upated owner-xid patch
- updated BRs
iptables-1.3.5-owner-xid.patch | 240 -----------------------------------------
iptables-owner-xid.patch | 220 +++++++++++++++++++++++++++++++++++++
iptables.spec | 5 +-
3 files changed, 223 insertions(+), 242 deletions(-)
---
diff --git a/iptables.spec b/iptables.spec
index e6b1263..b886a4b 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -67,7 +67,7 @@ Patch12: %{name}-old-1.3.7.patch
# xt_IMQ; http://linuximq.net/patchs/iptables-1.4.12-IMQ-test4.diff
Patch13: %{name}-imq.patch
# enhances ipt_owner/ip6t_owner; http://people.linux-vserver.org/~dhozac/p/m/iptables-1.3.5-owner-xid.patch (currently disabled, needs update for xt_owner)
-Patch14: %{name}-1.3.5-owner-xid.patch
+Patch14: %{name}-owner-xid.patch
# adjusts xt_owner for vserver-enabled kernel
Patch15: %{name}-owner-struct-size-vs.patch
# ipt_stealth; currently disabled (broken, see below)
@@ -78,6 +78,7 @@ BuildRequires: automake
BuildRequires: groff
BuildRequires: libnetfilter_conntrack-devel >= 1.0.4
BuildRequires: libnfnetlink-devel >= 1.0
+BuildRequires: libnftnl-devel
%{?with_pcap:BuildRequires: libpcap-devel}
BuildRequires: libtool
BuildRequires: pkgconfig >= 1:0.9.0
@@ -208,7 +209,7 @@ iptables(8).
%{?with_ipt_rpc:%patch12 -p1}
%patch13 -p1
%if %{with vserver}
-#patch14 -p1
+%patch14 -p1
%patch15 -p1
%endif
# builds but init() api is broken, see warnings
diff --git a/iptables-1.3.5-owner-xid.patch b/iptables-1.3.5-owner-xid.patch
deleted file mode 100644
index 5773c66..0000000
--- a/iptables-1.3.5-owner-xid.patch
+++ /dev/null
@@ -1,240 +0,0 @@
-diff -Nurp iptables-1.3.5.orig/extensions/libip6t_owner.c iptables-1.3.5.owner-xid/extensions/libip6t_owner.c
---- iptables-1.3.5.orig/extensions/libip6t_owner.c 2005-06-29 18:39:54.000000000 +0200
-+++ iptables-1.3.5.owner-xid/extensions/libip6t_owner.c 2006-09-05 20:00:31.000000000 +0200
-@@ -22,6 +22,8 @@ help(void)
- "[!] --pid-owner processid Match local pid\n"
- "[!] --sid-owner sessionid Match local sid\n"
- "[!] --cmd-owner name Match local command name\n"
-+"[!] --nid-owner nid Match local nid\n"
-+"[!] --xid-owner xid Match local xid\n"
- "\n",
- IPTABLES_VERSION);
- #else
-@@ -31,6 +33,8 @@ IPTABLES_VERSION);
- "[!] --gid-owner groupid Match local gid\n"
- "[!] --pid-owner processid Match local pid\n"
- "[!] --sid-owner sessionid Match local sid\n"
-+"[!] --nid-owner nid Match local nid\n"
-+"[!] --xid-owner xid Match local xid\n"
- "\n",
- IPTABLES_VERSION);
- #endif /* IP6T_OWNER_COMM */
-@@ -44,6 +48,8 @@ static struct option opts[] = {
- #ifdef IP6T_OWNER_COMM
- { "cmd-owner", 1, NULL, '5' },
- #endif
-+ { "nid-owner", 1, NULL, '6' },
-+ { "xid-owner", 1, NULL, '7' },
- { }
- };
-
-@@ -129,6 +135,28 @@ parse(int c, char **argv, int invert, un
- *flags = 1;
- break;
- #endif
-+
-+ case '6':
-+ check_inverse(optarg, &invert, &optind, 0);
-+ ownerinfo->nid = strtoul(optarg, &end, 0);
-+ if (*end != '\0' || end == optarg)
-+ exit_error(PARAMETER_PROBLEM, "Bad OWNER NID value `%s'", optarg);
-+ if (invert)
-+ ownerinfo->invert |= IP6T_OWNER_NID;
-+ ownerinfo->match |= IP6T_OWNER_NID;
-+ *flags = 1;
-+ break;
-+
-+ case '7':
-+ check_inverse(optarg, &invert, &optind, 0);
-+ ownerinfo->xid = strtoul(optarg, &end, 0);
-+ if (*end != '\0' || end == optarg)
-+ exit_error(PARAMETER_PROBLEM, "Bad OWNER XID value `%s'", optarg);
-+ if (invert)
-+ ownerinfo->invert |= IP6T_OWNER_XID;
-+ ownerinfo->match |= IP6T_OWNER_XID;
-+ *flags = 1;
-+ break;
-
- default:
- return 0;
-@@ -182,6 +210,12 @@ print_item(struct ip6t_owner_info *info,
- printf("%.*s ", (int)sizeof(info->comm), info->comm);
- break;
- #endif
-+ case IP6T_OWNER_NID:
-+ printf("%u ", info->nid);
-+ break;
-+ case IP6T_OWNER_XID:
-+ printf("%u ", info->xid);
-+ break;
- default:
- break;
- }
-@@ -212,6 +246,8 @@ print(const struct ip6t_ip6 *ip,
- #ifdef IP6T_OWNER_COMM
- print_item(info, IP6T_OWNER_COMM, numeric, "OWNER CMD match ");
- #endif
-+ print_item(info, IP6T_OWNER_NID, numeric, "OWNER NID match ");
-+ print_item(info, IP6T_OWNER_XID, numeric, "OWNER XID match ");
- }
-
- /* Saves the union ip6t_matchinfo in parsable form to stdout. */
-@@ -227,6 +263,8 @@ save(const struct ip6t_ip6 *ip, const st
- #ifdef IP6T_OWNER_COMM
- print_item(info, IP6T_OWNER_COMM, 0, "--cmd-owner ");
- #endif
-+ print_item(info, IP6T_OWNER_NID, 0, "--nid-owner ");
-+ print_item(info, IP6T_OWNER_XID, 0, "--xid-owner ");
- }
-
- static struct ip6tables_match owner = {
-diff -Nurp iptables-1.3.5.orig/extensions/libip6t_owner.man iptables-1.3.5.owner-xid/extensions/libip6t_owner.man
---- iptables-1.3.5.orig/extensions/libip6t_owner.man 2006-01-30 09:41:00.000000000 +0100
-+++ iptables-1.3.5.owner-xid/extensions/libip6t_owner.man 2006-09-05 19:54:47.000000000 +0200
-@@ -20,4 +20,12 @@ process id.
- Matches if the packet was created by a process in the given session
- group.
- .TP
-+.BI "--nid-owner " "network context id"
-+Matches if the packet was created by a process with the given
-+network context id.
-+.TP
-+.BI "--xid-owner " "context id"
-+Matches if the packet was created by a process with the given
-+context id.
-+.TP
- .B NOTE: pid, sid and command matching are broken on SMP
-diff -Nurp iptables-1.3.5.orig/extensions/libipt_owner.c iptables-1.3.5.owner-xid/extensions/libipt_owner.c
---- iptables-1.3.5.orig/extensions/libipt_owner.c 2006-01-30 09:43:10.000000000 +0100
-+++ iptables-1.3.5.owner-xid/extensions/libipt_owner.c 2006-09-05 20:02:30.000000000 +0200
-@@ -22,6 +22,8 @@ help(void)
- "[!] --pid-owner processid Match local pid\n"
- "[!] --sid-owner sessionid Match local sid\n"
- "[!] --cmd-owner name Match local command name\n"
-+"[!] --nid-owner nid Match local nid\n"
-+"[!] --xid-owner xid Match local xid\n"
- "NOTE: pid, sid and command matching are broken on SMP\n"
- "\n",
- IPTABLES_VERSION);
-@@ -32,6 +34,8 @@ IPTABLES_VERSION);
- "[!] --gid-owner groupid Match local gid\n"
- "[!] --pid-owner processid Match local pid\n"
- "[!] --sid-owner sessionid Match local sid\n"
-+"[!] --nid-owner nid Match local nid\n"
-+"[!] --xid-owner xid Match local xid\n"
- "NOTE: pid and sid matching are broken on SMP\n"
- "\n",
- IPTABLES_VERSION);
-@@ -46,6 +50,8 @@ static struct option opts[] = {
- #ifdef IPT_OWNER_COMM
- { "cmd-owner", 1, NULL, '5' },
- #endif
-+ { "nid-owner", 1, NULL, '6' },
-+ { "xid-owner", 1, NULL, '7' },
- { }
- };
-
-@@ -131,6 +137,28 @@ parse(int c, char **argv, int invert, un
- break;
- #endif
-
-+ case '6':
-+ check_inverse(optarg, &invert, &optind, 0);
-+ ownerinfo->nid = strtoul(optarg, &end, 0);
-+ if (*end != '\0' || end == optarg)
-+ exit_error(PARAMETER_PROBLEM, "Bad OWNER NID value `%s'", optarg);
-+ if (invert)
-+ ownerinfo->invert |= IPT_OWNER_NID;
-+ ownerinfo->match |= IPT_OWNER_NID;
-+ *flags = 1;
-+ break;
-+
-+ case '7':
-+ check_inverse(optarg, &invert, &optind, 0);
-+ ownerinfo->xid = strtoul(optarg, &end, 0);
-+ if (*end != '\0' || end == optarg)
-+ exit_error(PARAMETER_PROBLEM, "Bad OWNER XID value `%s'", optarg);
-+ if (invert)
-+ ownerinfo->invert |= IPT_OWNER_XID;
-+ ownerinfo->match |= IPT_OWNER_XID;
-+ *flags = 1;
-+ break;
-+
- default:
- return 0;
- }
-@@ -183,6 +211,12 @@ print_item(struct ipt_owner_info *info,
- printf("%.*s ", (int)sizeof(info->comm), info->comm);
- break;
- #endif
-+ case IPT_OWNER_NID:
-+ printf("%u ", info->nid);
-+ break;
-+ case IPT_OWNER_XID:
-+ printf("%u ", info->xid);
-+ break;
- default:
- break;
- }
-@@ -213,6 +247,8 @@ print(const struct ipt_ip *ip,
- #ifdef IPT_OWNER_COMM
- print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
- #endif
-+ print_item(info, IPT_OWNER_NID, numeric, "OWNER NID match ");
-+ print_item(info, IPT_OWNER_XID, numeric, "OWNER XID match ");
- }
-
- /* Saves the union ipt_matchinfo in parsable form to stdout. */
-@@ -228,6 +264,8 @@ save(const struct ipt_ip *ip, const stru
- #ifdef IPT_OWNER_COMM
- print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
- #endif
-+ print_item(info, IPT_OWNER_NID, 0, "--nid-owner ");
-+ print_item(info, IPT_OWNER_XID, 0, "--xid-owner ");
- }
-
- static struct iptables_match owner = {
-diff -Nurp iptables-1.3.5.orig/extensions/libipt_owner.man iptables-1.3.5.owner-xid/extensions/libipt_owner.man
---- iptables-1.3.5.orig/extensions/libipt_owner.man 2004-10-10 11:56:26.000000000 +0200
-+++ iptables-1.3.5.owner-xid/extensions/libipt_owner.man 2006-09-05 19:54:53.000000000 +0200
-@@ -25,4 +25,12 @@ Matches if the packet was created by a p
- (this option is present only if iptables was compiled under a kernel
- supporting this feature)
- .TP
-+.BI "--nid-owner " "network context id"
-+Matches if the packet was created by a process with the given
-+network context id.
-+.TP
-+.BI "--xid-owner " "context id"
-+Matches if the packet was created by a process with the given
-+context id.
-+.TP
- .B NOTE: pid, sid and command matching are broken on SMP
-diff -Nurp iptables-1.3.5.orig/include/linux/netfilter_ipv6/ip6t_owner.h iptables-1.3.5.owner-xid/include/linux/netfilter_ipv6/ip6t_owner.h
---- iptables-1.3.5.orig/include/linux/netfilter_ipv6/ip6t_owner.h 2004-10-10 11:56:23.000000000 +0200
-+++ iptables-1.3.5.owner-xid/include/linux/netfilter_ipv6/ip6t_owner.h 2006-09-05 19:52:12.000000000 +0200
-@@ -1,11 +1,15 @@
- #ifndef _IP6T_OWNER_H
- #define _IP6T_OWNER_H
-
-+#include <linux/types.h>
-+
- /* match and invert flags */
- #define IP6T_OWNER_UID 0x01
- #define IP6T_OWNER_GID 0x02
- #define IP6T_OWNER_PID 0x04
- #define IP6T_OWNER_SID 0x08
-+#define IP6T_OWNER_NID 0x20
-+#define IP6T_OWNER_XID 0x40
-
- struct ip6t_owner_info {
- uid_t uid;
-@@ -13,6 +17,8 @@ struct ip6t_owner_info {
- pid_t pid;
- pid_t sid;
- u_int8_t match, invert; /* flags */
-+ u_int32_t nid;
-+ u_int32_t xid;
- };
-
- #endif /*_IPT_OWNER_H*/
diff --git a/iptables-owner-xid.patch b/iptables-owner-xid.patch
new file mode 100644
index 0000000..1e480cb
--- /dev/null
+++ b/iptables-owner-xid.patch
@@ -0,0 +1,220 @@
+--- iptables-1.6.0/extensions/libxt_owner.c.orig 2016-04-09 22:02:13.847585590 +0900
++++ iptables-1.6.0/extensions/libxt_owner.c 2016-04-09 22:24:01.855632355 +0900
+@@ -64,6 +64,8 @@
+ O_PROCESS,
+ O_SESSION,
+ O_COMM,
++ O_NID,
++ O_XID,
+ };
+
+ static void owner_mt_help_v0(void)
+@@ -75,6 +77,8 @@
+ "[!] --pid-owner processid Match local PID\n"
+ "[!] --sid-owner sessionid Match local SID\n"
+ "[!] --cmd-owner name Match local command name\n"
++"[!] --nid-owner nid Match local nid\n"
++"[!] --xid-owner xid Match local xid\n"
+ "NOTE: PID, SID and command matching are broken on SMP\n");
+ }
+
+@@ -86,6 +90,8 @@
+ "[!] --gid-owner groupid Match local GID\n"
+ "[!] --pid-owner processid Match local PID\n"
+ "[!] --sid-owner sessionid Match local SID\n"
++"[!] --nid-owner nid Match local nid\n"
++"[!] --xid-owner xid Match local xid\n"
+ "NOTE: PID and SID matching are broken on SMP\n");
+ }
+
+@@ -112,6 +118,12 @@
+ .max = INT_MAX},
+ {.name = "cmd-owner", .id = O_COMM, .type = XTTYPE_STRING,
+ .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, comm)},
++ {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
++ .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
++ .max = INT_MAX},
++ {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
++ .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
++ .max = INT_MAX},
+ XTOPT_TABLEEND,
+ };
+ #undef s
+@@ -128,10 +140,17 @@
+ {.name = "sid-owner", .id = O_SESSION, .type = XTTYPE_UINT32,
+ .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, sid),
+ .max = INT_MAX},
++ {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
++ .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
++ .max = INT_MAX},
++ {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
++ .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
++ .max = INT_MAX},
+ XTOPT_TABLEEND,
+ };
+ #undef s
+
++#define s struct xt_owner_match_info
+ static const struct xt_option_entry owner_mt_opts[] = {
+ {.name = "uid-owner", .id = O_USER, .type = XTTYPE_STRING,
+ .flags = XTOPT_INVERT},
+@@ -139,8 +157,15 @@
+ .flags = XTOPT_INVERT},
+ {.name = "socket-exists", .id = O_SOCK_EXISTS, .type = XTTYPE_NONE,
+ .flags = XTOPT_INVERT},
++ {.name = "nid-owner", .id = O_NID, .type = XTTYPE_UINT32,
++ .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, nid),
++ .max = INT_MAX},
++ {.name = "xid-owner", .id = O_XID, .type = XTTYPE_UINT32,
++ .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, xid),
++ .max = INT_MAX},
+ XTOPT_TABLEEND,
+ };
++#undef s
+
+ static void owner_mt_parse_v0(struct xt_option_call *cb)
+ {
+@@ -186,6 +210,16 @@
+ info->invert |= IPT_OWNER_COMM;
+ info->match |= IPT_OWNER_COMM;
+ break;
++ case O_NID:
++ if (cb->invert)
++ info->invert |= IPT_OWNER_NID;
++ info->match |= IPT_OWNER_NID;
++ break;
++ case O_XID:
++ if (cb->invert)
++ info->invert |= IPT_OWNER_XID;
++ info->match |= IPT_OWNER_XID;
++ break;
+ }
+ }
+
+@@ -228,6 +262,16 @@
+ info->invert |= IP6T_OWNER_SID;
+ info->match |= IP6T_OWNER_SID;
+ break;
++ case O_NID:
++ if (cb->invert)
++ info->invert |= IPT_OWNER_NID;
++ info->match |= IPT_OWNER_NID;
++ break;
++ case O_XID:
++ if (cb->invert)
++ info->invert |= IPT_OWNER_XID;
++ info->match |= IPT_OWNER_XID;
++ break;
+ }
+ }
+
+@@ -283,6 +327,16 @@
+ info->invert |= XT_OWNER_SOCKET;
+ info->match |= XT_OWNER_SOCKET;
+ break;
++ case O_NID:
++ if (cb->invert)
++ info->invert |= IPT_OWNER_NID;
++ info->match |= IPT_OWNER_NID;
++ break;
++ case O_XID:
++ if (cb->invert)
++ info->invert |= IPT_OWNER_XID;
++ info->match |= IPT_OWNER_XID;
++ break;
+ }
+ }
+
+@@ -340,6 +394,12 @@
+ case IPT_OWNER_COMM:
+ printf(" %.*s", (int)sizeof(info->comm), info->comm);
+ break;
++ case IPT_OWNER_NID:
++ printf("%u ", info->nid);
++ break;
++ case IPT_OWNER_XID:
++ printf("%u ", info->xid);
++ break;
+ }
+ }
+
+@@ -385,6 +445,12 @@
+ case IP6T_OWNER_SID:
+ printf(" %u", (unsigned int)info->sid);
+ break;
++ case IP6T_OWNER_NID:
++ printf("%u ", info->nid);
++ break;
++ case IP6T_OWNER_XID:
++ printf("%u ", info->xid);
++ break;
+ }
+ }
+
+@@ -430,6 +496,12 @@
+ }
+ printf(" %u", (unsigned int)info->gid_min);
+ break;
++ case XT_OWNER_NID:
++ printf("%u ", info->nid);
++ break;
++ case XT_OWNER_XID:
++ printf("%u ", info->xid);
++ break;
+ }
+ }
+
+@@ -444,6 +516,8 @@
+ owner_mt_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
+ owner_mt_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
+ owner_mt_print_item_v0(info, "owner CMD match", IPT_OWNER_COMM, numeric);
++ owner_mt_print_item_v0(info, "owner NID match", IPT_OWNER_NID, numeric);
++ owner_mt_print_item_v0(info, "owner XID match", IPT_OWNER_XID, numeric);
+ }
+
+ static void
+@@ -456,6 +530,8 @@
+ owner_mt6_print_item_v0(info, "owner GID match", IPT_OWNER_GID, numeric);
+ owner_mt6_print_item_v0(info, "owner PID match", IPT_OWNER_PID, numeric);
+ owner_mt6_print_item_v0(info, "owner SID match", IPT_OWNER_SID, numeric);
++ owner_mt6_print_item_v0(info, "owner NID match", IPT_OWNER_NID, numeric);
++ owner_mt6_print_item_v0(info, "owner XID match", IPT_OWNER_XID, numeric);
+ }
+
+ static void owner_mt_print(const void *ip, const struct xt_entry_match *match,
+@@ -466,6 +542,8 @@
+ owner_mt_print_item(info, "owner socket exists", XT_OWNER_SOCKET, numeric);
+ owner_mt_print_item(info, "owner UID match", XT_OWNER_UID, numeric);
+ owner_mt_print_item(info, "owner GID match", XT_OWNER_GID, numeric);
++ owner_mt_print_item(info, "owner NID match", XT_OWNER_NID, numeric);
++ owner_mt_print_item(info, "owner XID match", XT_OWNER_XID, numeric);
+ }
+
+ static void
+@@ -478,6 +556,8 @@
+ owner_mt_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
+ owner_mt_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
+ owner_mt_print_item_v0(info, "--cmd-owner", IPT_OWNER_COMM, true);
++ owner_mt_print_item_v0(info, "--nid-owner", IPT_OWNER_NID, true);
++ owner_mt_print_item_v0(info, "--xid-owner", IPT_OWNER_XID, true);
+ }
+
+ static void
+@@ -489,6 +569,8 @@
+ owner_mt6_print_item_v0(info, "--gid-owner", IPT_OWNER_GID, true);
+ owner_mt6_print_item_v0(info, "--pid-owner", IPT_OWNER_PID, true);
+ owner_mt6_print_item_v0(info, "--sid-owner", IPT_OWNER_SID, true);
++ owner_mt6_print_item_v0(info, "--nid-owner", IPT_OWNER_NID, true);
++ owner_mt6_print_item_v0(info, "--xid-owner", IPT_OWNER_XID, true);
+ }
+
+ static void owner_mt_save(const void *ip, const struct xt_entry_match *match)
+@@ -498,6 +580,8 @@
+ owner_mt_print_item(info, "--socket-exists", XT_OWNER_SOCKET, true);
+ owner_mt_print_item(info, "--uid-owner", XT_OWNER_UID, true);
+ owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, true);
++ owner_mt_print_item(info, "--nid-owner", XT_OWNER_NID, true);
++ owner_mt_print_item(info, "--xid-owner", XT_OWNER_XID, true);
+ }
+
+ static struct xtables_match owner_mt_reg[] = {
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/iptables.git/commitdiff/72bb90f622b756025958bda31f9bc33719436545
More information about the pld-cvs-commit
mailing list