Jan Engelhardt [Fri, 22 Mar 2024 17:09:34 +0000 (18:09 +0100)]
Xtables-addons 3.26
The first Linux version to have the new SHASH stuff is Linux 4.20,
but 4.20 does not build anymore under current gcc, so it is
impractical to test, thus the requirement is bumped to the next
LT version, which is 5.4(.272) as of writing.
Matt Lawson [Wed, 13 Mar 2024 16:21:19 +0000 (12:21 -0400)]
xt_SYSRQ: use SHASH_DESC_ON_STACK
Similar to https://codeberg.org/jengelh/xtables-addons/issues/11, the
use of the crypto library in the xt_SYSRQ causes memory corruption
and in my case, causes the kernel to lock up.
Declaring the struct shash_desc variable using the
SHASH_DESC_ON_STACK macro appears to fix the issue at least for me.
Jan Engelhardt [Sat, 30 Dec 2023 17:47:05 +0000 (18:47 +0100)]
xt_pknock: update for shash API
Bug report states:
``crypto.desc`` is used to hold the ``hmac(sha256)`` transform such
that it can be fed to ``crypto_shash_update`` et al. It seems that
those functions require extra memory after the ``shash_desc``. With
the current layout, usage of ``&crypto.desc`` with the
``crypto_shash_*`` functions causes memory corruption which most
often crashes in netfilter after the pknock match filter has
returned.
By removing ``crypto.desc`` and instead using ``SHASH_DESC_ON_STACK``
within ``has_secret``, the issue can be avoided. See other
SHASH_DESC_ON_STACK uses elsewhere in the kernel source.
Additionally, ``crypto_shash_init`` needs to be called before the
first ``crypto_shash_update``.
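The same descriptor problem underlies the xt_SYSRQ lock-up reported above and this xt_pknock report: `sizeof(struct shash_desc)` covers only the header, and the transform's state is written into the flexible array behind it. The following userspace C program is an added illustration, not kernel code and not part of xtables-addons. It assumes a struct shape that mirrors the kernel's only in outline, an illustrative descsize of 208 bytes, and a toy FNV-1a in place of hmac(sha256), so it runs without kernel headers; the names are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of the shash descriptor layout behind both reports. Added
 * illustration, not kernel code and not part of xtables-addons: the structs
 * mirror the kernel's only in shape, the descsize is an assumed number, and
 * the "transform" is a toy FNV-1a so this runs without kernel headers. */

/* Stands in for crypto_shash: says how much state an operation needs, as
 * crypto_shash_descsize(tfm) does. */
struct model_shash_alg { const char *name; size_t descsize; };

/* Same shape as struct shash_desc: sizeof() covers only the header; the
 * transform's running state lives in the flexible array *after* it. */
struct model_shash_desc {
    const struct model_shash_alg *tfm;
    uint8_t ctx[];
};

#define MODEL_HMAC_SHA256_DESCSIZE 208   /* assumed, for illustration only */
static const struct model_shash_alg model_hmac_sha256 = {
    "hmac(sha256)", MODEL_HMAC_SHA256_DESCSIZE
};

/* Rendition of SHASH_DESC_ON_STACK(): a byte buffer sized for header plus
 * context, addressed through a descriptor pointer. */
#define MODEL_SHASH_DESC_ON_STACK(shash, descsize)                           \
    uint8_t __##shash##_desc[sizeof(struct model_shash_desc) + (descsize)]   \
        __attribute__((aligned(__alignof__(struct model_shash_desc))));       \
    struct model_shash_desc *shash = (struct model_shash_desc *)__##shash##_desc

/* Bytes a usable descriptor for `alg` needs. */
size_t model_desc_bytes(const struct model_shash_alg *alg)
{
    return sizeof(struct model_shash_desc) + alg->descsize;
}

/* Bytes the on-stack macro really reserves. */
size_t model_stack_desc_bytes(void)
{
    MODEL_SHASH_DESC_ON_STACK(desc, MODEL_HMAC_SHA256_DESCSIZE);
    (void)desc;
    return sizeof(__desc_desc);
}

/* The reported layout in spirit: a `struct shash_desc desc;` member reserves
 * only sizeof(struct shash_desc), the header, and the next member follows
 * right behind it. Modelled here as a byte array of that size. */
struct model_old_layout {
    const struct model_shash_alg *tfm;
    uint8_t desc[sizeof(struct model_shash_desc)];
    uint8_t next_member[32];
};

/* How far past the embedded descriptor an update would write. */
size_t model_overrun_bytes(const struct model_shash_alg *alg)
{
    size_t room = offsetof(struct model_old_layout, next_member)
                - offsetof(struct model_old_layout, desc)
                - sizeof(struct model_shash_desc);   /* 0, or padding only */
    return alg->descsize > room ? alg->descsize - room : 0;
}

/* Toy transform: a running 32-bit FNV-1a value kept in ctx[0..3]. As with
 * crypto_shash_init(), init() must run before the first update(). */
int model_shash_init(struct model_shash_desc *d)
{
    uint32_t h = 2166136261u;
    memset(d->ctx, 0, d->tfm->descsize);
    memcpy(d->ctx, &h, sizeof(h));
    return 0;
}

int model_shash_update(struct model_shash_desc *d, const void *data, size_t n)
{
    const uint8_t *p = data;
    uint32_t h;
    memcpy(&h, d->ctx, sizeof(h));
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    memcpy(d->ctx, &h, sizeof(h));
    return 0;
}

uint32_t model_shash_final(struct model_shash_desc *d)
{
    uint32_t h;
    memcpy(&h, d->ctx, sizeof(h));
    memset(d->ctx, 0, d->tfm->descsize);   /* like shash_desc_zero() */
    return h;
}

/* The fixed has_secret()-style sequence: stack descriptor, init, update,
 * final. */
uint32_t model_tag(const void *msg, size_t n)
{
    MODEL_SHASH_DESC_ON_STACK(desc, MODEL_HMAC_SHA256_DESCSIZE);
    desc->tfm = &model_hmac_sha256;
    model_shash_init(desc);
    model_shash_update(desc, msg, n);
    return model_shash_final(desc);
}
```

`model_overrun_bytes()` is the point of the model: with the descriptor embedded as a plain member there are zero bytes of context room, so every update writes `descsize` bytes over whatever follows in the struct, which matches the "memory corruption after the match returns" symptom. The on-stack buffer reserves exactly `model_desc_bytes()`, and `model_tag()` shows the init-update-final order the commit calls out.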
Jeremy Sowden [Fri, 18 Aug 2023 14:28:28 +0000 (16:28 +0200)]
doc: fix version number in xtables-addons.8
In v3.21 a change was made to the man-page template to use `@PACKAGE_VERSION@`,
instead of manually updating the version number on every release. However,
xtables-addons.8.in is not processed by configure, so the appropriate version is
never filled in.
Update Makefile.mans to handle it.
Fixes: b6611c54f2b5 ("Xtables-addons 3.21")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Jeremy Sowden [Fri, 18 Aug 2023 12:38:17 +0000 (14:38 +0200)]
build: do not hard-code `AM_DEFAULT_VERBOSITY` in Makefile.iptrules
Currently it is set to zero, which means that the default in
Makefile.iptrules is not consistent with that in the other Makefiles,
and passing `--disable-silent-rules` to configure cannot be used to
change it.
Set it to `@AM_DEFAULT_VERBOSITY@` instead, which will be expanded to the
appropriate default value.
Jeremy Sowden [Mon, 5 Jun 2023 15:10:43 +0000 (00:10 +0900)]
xt_ipp2p: use skb_header_pointer and skb_find_text functions
Use ``skb_header_pointer`` to copy byte ranges for matching, and
``skb_find_text`` for substring searches. Doing so allows the module
to work with non-linear skbs.
However, the conditional that inspects the last ten bytes is followed
by a semicolon, so the printk and return statements are executed
regardless of what the last ten bytes are.
Remove the semicolon and only execute the printk and return if the
conditional expression is true.
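The reason `skb_header_pointer` and `skb_find_text` matter here is that a non-linear skb keeps part of the payload in paged fragments, so reading bytes straight from the linear area either misses data or runs past it. The following userspace C program is an added illustration, not kernel code and not part of xtables-addons: it models the two helpers (plus the `skb_copy_bits` walk behind them) over a simplified skb with a linear head and two fragments, and ends with the ipp2p-style "last ten bytes" check done with the missing-range test that callers must make. The struct layout, function names and packet bytes are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of what skb_header_pointer() and skb_find_text() give
 * xt_ipp2p: byte-range fetches and substring searches that still work when
 * the payload is split between the linear head and paged fragments. Added
 * illustration, not kernel code and not part of xtables-addons; the skb
 * layout is simplified and the packet bytes are constructed. */
struct model_frag { const uint8_t *data; size_t len; };

struct model_skb {
    const uint8_t *head;  size_t head_len;        /* linear area */
    const struct model_frag *frags; size_t nr_frags;
    size_t len;                                   /* total payload bytes */
};

/* Model of skb_copy_bits(): copy `len` bytes at `offset`, walking head and
 * fragments; -1 when the range is not wholly inside the packet. */
int model_skb_copy_bits(const struct model_skb *skb, size_t offset,
                        void *to, size_t len)
{
    uint8_t *out = to;
    size_t copied = 0, n;

    if (offset > skb->len || len > skb->len - offset)  /* no wraparound */
        return -1;
    if (offset < skb->head_len) {
        n = skb->head_len - offset;
        if (n > len) n = len;
        memcpy(out, skb->head + offset, n);
        copied = n;
        offset += n;
    }
    offset -= skb->head_len;                          /* now frag-relative */
    for (size_t i = 0; i < skb->nr_frags && copied < len; i++) {
        const struct model_frag *f = &skb->frags[i];
        if (offset >= f->len) { offset -= f->len; continue; }
        n = f->len - offset;
        if (n > len - copied) n = len - copied;
        memcpy(out + copied, f->data + offset, n);
        copied += n;
        offset = 0;
    }
    return copied == len ? 0 : -1;
}

/* Model of skb_header_pointer(): a pointer into the linear area when the
 * range is there, else the range copied into `buffer`; NULL when the
 * packet does not contain it, which the caller must check before use. */
const void *model_skb_header_pointer(const struct model_skb *skb, size_t offset,
                                     size_t len, void *buffer)
{
    if (offset <= skb->head_len && len <= skb->head_len - offset)
        return skb->head + offset;
    return model_skb_copy_bits(skb, offset, buffer, len) < 0 ? NULL : buffer;
}

/* 0 = served from the linear area, 1 = copied out of fragments,
 * -1 = range not in the packet. */
int model_header_ptr_kind(const struct model_skb *skb, size_t offset, size_t len)
{
    uint8_t buf[64];
    const void *p = len > sizeof(buf) ? NULL
                  : model_skb_header_pointer(skb, offset, len, buf);
    return p == NULL ? -1 : (p == buf ? 1 : 0);
}

/* Model of skb_find_text() for a short needle: slide a needle-sized window
 * over [from, to) through copy_bits; returns the match offset or -1. */
long model_skb_find_text(const struct model_skb *skb, size_t from, size_t to,
                         const char *needle)
{
    size_t nlen = strlen(needle);
    uint8_t win[64];
    if (nlen == 0 || nlen > sizeof(win) || to > skb->len) return -1;
    for (size_t off = from; off + nlen <= to; off++) {
        if (model_skb_copy_bits(skb, off, win, nlen) < 0) return -1;
        if (memcmp(win, needle, nlen) == 0) return (long)off;
    }
    return -1;
}

/* The ipp2p-style look at the last ten payload bytes, done safely: fetch
 * them via header_pointer and refuse packets that cannot hold ten bytes.
 * Returns 1 on match, 0 on mismatch, -1 when the range is unavailable. */
int model_tail10_matches(const struct model_skb *skb, const char *expect)
{
    uint8_t buf[10];
    const void *p = skb->len < 10 ? NULL
                  : model_skb_header_pointer(skb, skb->len - 10, 10, buf);
    return p == NULL ? -1 : memcmp(p, expect, 10) == 0;
}

/* Constructed packet: 5 linear bytes, the rest in two fragments. */
static const uint8_t s_head[]  = "GET /";
static const uint8_t s_frag0[] = "index.html HTTP/1.1";
static const uint8_t s_frag1[] = "\r\nHost: example\r\n";
static const struct model_frag s_frags[] = {
    { s_frag0, sizeof(s_frag0) - 1 }, { s_frag1, sizeof(s_frag1) - 1 },
};
static const struct model_skb s_skb = {
    s_head, sizeof(s_head) - 1, s_frags, 2,
    sizeof(s_head) - 1 + sizeof(s_frag0) - 1 + sizeof(s_frag1) - 1,
};
const struct model_skb *model_sample_skb(void) { return &s_skb; }
```

In the sample packet, a range that lies wholly in the first five bytes is served from the linear area; "HTTP" at offset 16 and the last ten bytes " example\r\n" only exist in the fragments, so a direct `skb->data` read would never see them. The `-1`/`NULL` path is the check the real `skb_header_pointer` caller must make too: a range that the packet cannot hold is not a mismatch, it is a short packet, and the match must bail out rather than compare stale buffer contents.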
Jan Engelhardt [Sun, 9 Apr 2023 18:55:52 +0000 (20:55 +0200)]
geoip: set autoflush on stdout
stderr is _IONBF by default on linux-glibc, but stdout only _IOLBF.
The progress updates do not use newline, so stdout needs to be
switched to _IONBF to appear in a timely fashion.
geoip: Use stdout for output and stderr for errors/diag
* xt_geoip_build, xt_geoip_build_maxmind: These scripts are emitting
"normal" output to stderr meaning that cronjobs basically have to sink
all output in order to avoid noise. Unfortunately, by doing that, one
also loses errors in the error case and said error might be transient.
A simple 1>/dev/null should work for the normal cron case.
* xt_geoip_build_maxmind: Fix missing $quiet check in the v4 case.
Jeremy Sowden [Thu, 29 Dec 2022 16:35:07 +0000 (17:35 +0100)]
build: support for Linux 6.2
`prandom_u32_max` was deprecated in favour of `get_random_u32_below`,
and removed in 6.2-rc1. Replace the three occurrences of it in the
TARPIT extension, and add compat support for earlier kernels.
John Thomson [Mon, 24 Oct 2022 09:58:02 +0000 (11:58 +0200)]
build: support for Linux 6.1
6.1 commit de492c83cae0 ("prandom: remove unused functions") removed
prandom_u32, which was replaced and deprecated for get_random_u32 in
5.19 d4150779e60f ("random32: use real rng for non-deterministic
randomness"). get_random_u32 was introduced in 4.11 c440408cf690
("random: convert get_random_int/long into get_random_u32/u64")
Use the cocci script from 81895a65ec63 ("treewide: use prandom_u32_max()
when possible, part 1"), along with a best guess for _max changes, introduced:
3.14 f337db64af05 ("random32: add prandom_u32_max and convert open coded users")
D. Stussy [Sun, 10 Mar 2019 06:45:11 +0000 (06:45 +0000)]
xt_asn: new module
Received by private mail.
Date: Thu, 7 Mar 2019 00:49:16 +0000 (UTC)
"""
New feature: In thinking about various blocking of IP address groups,
I came to the conclusion that blocking by ASN may be a good
choice. Therefore, taking the lead of the geoip match module,
attached is what I have for an ASN matching module. I assume that the
support files generated will be the same format as those used for the
geoip match. [...]
I bet someone might want the ASNs on the same rule to be sorted in
numerical order. However, geoip didn't do that with country names, so
I didn't bother.
Matching by ASN may be "better" than matching by an ipset of all one
entity's IP blocks (assuming that all of an entity's ASNs are known
if multiples exist). Of course, I would like to see this module make
it into your next release (3.3). ;-)
"""
Date: Sun, 10 Mar 2019 06:45:11 +0000 (UTC)
"""
I think I got everything including the documentation and build script
this time. [...]
I noticed that some other people tried to write similar patches (saw
one on github), but those have things that were missed.
I'm running the module on my colocated server now, and it's working
well. Already blocked ASN 4134 (a botnet-infected Chinese net) a few
hundred times in the first hour.
"""
Thomas Voegtle [Thu, 9 Jun 2022 13:19:22 +0000 (15:19 +0200)]
xt_ECHO: use flowi6_to_flowi_common starting Linux 5.10.121
Upstream commit 3df98d79215a "lsm,selinux: pass flowi_common instead of flowi
to the LSM hooks" was backported to Linux 5.10.121 and you can't use flowi
anymore.
Jeremy Sowden [Fri, 4 Feb 2022 13:26:42 +0000 (14:26 +0100)]
extensions: replace PDE_DATA
The `PDE_DATA` function for retrieving private data from a procfs inode
has been replaced by `pde_data` in 5.17. Replace all instances of the
former with the latter, but add a macro to xtables_compat.h in order to
preserve compatibility with older kernels.
Jeremy Sowden [Mon, 13 Sep 2021 19:46:07 +0000 (21:46 +0200)]
xt_ipp2p: fix compatibility with pre-5.1 kernels
`ip_transport_len` and `ipv6_transport_len` were introduced in 5.1.
They are both single-statement static inline functions, so add fall-back
implementations for compatibility with older kernels.
Jeremy Sowden [Sun, 22 Aug 2021 16:35:53 +0000 (17:35 +0100)]
xt_condition: remove `wmb` when adding new variable
Originally, some accesses to `conditions_list` were protected by RCU and
the memory-barrier was needed to ensure that the new variable was fully
initialized before being added to the list. These days, however, all
accesses are protected by the `proc_lock` mutex, so the barrier is no
longer required.
Jeremy Sowden [Sat, 21 Aug 2021 10:17:24 +0000 (12:17 +0200)]
Add DWARF object files to .gitignore.
If we build against a kernel with `CONFIG_DEBUG_INFO_SPLIT` enabled, the
kernel compiler flags will include `-gsplit-dwarf`, and the linker will
emit .dwo files.
Jan Engelhardt [Thu, 11 Mar 2021 16:11:47 +0000 (17:11 +0100)]
xt_pknock: fix build failure under platforms like ARM 32-bit
./arch/arm/include/asm/div64.h:24:45: note: expected "uint64_t *"
{aka "long long unsigned int *"} but argument is of type
"long unsigned int *"
24 | static inline uint32_t __div64_32(uint64_t *n, uint32_t base)
The original patch for long division on x86 didn't take into account
the use of short circuit logic for checking if peer is NULL before
testing it. Here is a revised patch to v3.16.
Jan Engelhardt [Fri, 5 Feb 2021 19:14:55 +0000 (20:14 +0100)]
xt_pknock: replace obsolete function get_seconds
get_seconds is removed in 5.11; its replacement ktime_get_real_seconds
is available since 3.19. The timestamps should not be affected by clock
resets, so will be switched to ktime_get_seconds.
Jeremy Sowden [Sun, 22 Nov 2020 14:05:30 +0000 (15:05 +0100)]
geoip: use correct download URL for MaxMind DBs
The download URL for the GeoLite2 DBs has changed and includes a
licence key. Update the download script to read the key from file or
stdin and use the correct URL.