upg libotr nftables

joborun linux 2023-07-30 01:43:21 +03:00
parent c5ac6577fc
commit 07ec064fcc
8 changed files with 312 additions and 13 deletions


@ -7,17 +7,21 @@
pkgname=libotr
pkgver=4.1.1
pkgrel=03
pkgrel=04
pkgdesc='Off-the-Record Messaging Library and Toolkit a thunderbird dependency w/o systemd'
url='https://otr.cypherpunks.ca/'
depends=('libgcrypt')
source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc}
missing-include.patch)
# "$pkgname-4.1.1-include-socket.h.patch")
prepare() {
cd "${srcdir}/${pkgbase}-${pkgver}"
# void patch for lack of systemd
patch -Np1 < ../missing-include.patch
# Arch now added the patch used by void earlier ??
# # FS#75450
# patch -d "$pkgname-$pkgver" -N -p 1 -i "${srcdir}/$pkgname-4.1.1-include-socket.h.patch"
}
build() {
@ -45,6 +49,8 @@ validpgpkeys=('22DF3305DF56667CE15784FCF24DE08F42C2ABAD') # OTR Dev Team
sha256sums=(8b3b182424251067a952fb4e6c7b95a21e644fbb27fbd5f8af2b2ed87ca419f5 # libotr-4.1.1.tar.gz
3a24fe5ef490292295a5be7484d1148a4dbcace3a703279c9ea8ff7947215e90 # libotr-4.1.1.tar.gz.asc
8d2fcb7c90f13539d219f2fab898e4cba031f5703d712f88799d92ab0c9a0b6e) # missing-include.patch
# cfda75f8c5bba2e735d2b4f1bb90f60b45fa1d554a97fff75cac467f7873ebde) # libotr-4.1.1-include-socket.h.patch
## 157c8c0aef8f6a9be163a2cf83948597c368082feea7fe982426a3f0b0f27ea9 libotr-4.1.1-03-x86_64.pkg.tar.lz
## 7750392b7347a75b6ec6b94722d951123b91ab2f11c29d2faa7b2becce21bc16 libotr-4.1.1-04-x86_64.pkg.tar.lz
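Review bot: The comment `# void patch for lack of systemd` above `patch -Np1 < ../missing-include.patch` in prepare() (first hunk) does not describe what the patch does: nothing in this PKGBUILD is systemd-related, and the equivalent Arch patch added in this same commit (Debian bug 1009420) only adds `#include <sys/socket.h>` to tests/regression/client/client.c so the regression test client compiles. missing-include.patch has a different sha256 than the Arch patch, so its content is not visible here, but if it is the same fix the comment should say so: `# add missing <sys/socket.h> include to tests/regression/client/client.c (Debian #1009420, Arch FS#75450)`. The `cd "${srcdir}/${pkgbase}-${pkgver}"` line also relies on makepkg defaulting an undeclared pkgbase to pkgname; it works, but `${pkgname}` as in build() would be consistent and not depend on that default. The sha256 for the .asc plus validpgpkeys still lets makepkg verify the signature, so that part is fine.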


@ -1,19 +1,27 @@
# Maintainer: Gaetan Bisson <bisson@archlinux.org>
# Maintainer: Levente Polyak <anthraxx@archlinux.org>
# Contributor: Gaetan Bisson <bisson@archlinux.org>
# Contributor: Pierre Schmitz <pierre@archlinux.de>
# Contributor: Bug <Bug2000@gmail.com>
pkgname=libotr
pkgver=4.1.1
pkgrel=3
pkgrel=4
pkgdesc='Off-the-Record Messaging Library and Toolkit'
url='https://otr.cypherpunks.ca/'
license=('GPL' 'LGPL')
arch=('x86_64')
depends=('libgcrypt')
validpgpkeys=('22DF3305DF56667CE15784FCF24DE08F42C2ABAD') # OTR Dev Team
source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc})
source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc}
"$pkgname-4.1.1-include-socket.h.patch")
sha256sums=('8b3b182424251067a952fb4e6c7b95a21e644fbb27fbd5f8af2b2ed87ca419f5'
'SKIP')
'SKIP'
'cfda75f8c5bba2e735d2b4f1bb90f60b45fa1d554a97fff75cac467f7873ebde')
prepare() {
# FS#75450
patch -d "$pkgname-$pkgver" -N -p 1 -i "${srcdir}/$pkgname-4.1.1-include-socket.h.patch"
}
build() {
cd "${srcdir}/${pkgname}-${pkgver}"
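Review bot: The new prepare() documents the patch only as `# FS#75450`, which tells a reader nothing about what changes or why it is safe; the patch file itself says it adds `#include <sys/socket.h>` to tests/regression/client/client.c so the test suite builds. Suggest `# FS#75450: add missing <sys/socket.h> include so tests/regression/client builds (Debian #1009420)`. If the PKGBUILD has no check() that builds the regression tests (not visible in this hunk), the patch is harmless but has no effect, which would be worth stating in the same comment. Pinning the local patch with a real sha256 rather than SKIP is the right call.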

libotr/deps Normal file

@ -0,0 +1,2 @@


@ -0,0 +1,16 @@
From: Rhonda D'Vine <rhonda@debian.org>
Date: Thu, 12 May 2022 08:57:07 +0200
Bug-Debian: https://bugs.debian.org/1009420
Forwarded: no
Subject: test suite fails to build without the include
--- a/tests/regression/client/client.c
+++ b/tests/regression/client/client.c
@@ -29,6 +29,7 @@
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>
+#include <sys/socket.h>
#include <context.h>
#include <privkey.h>


@ -8,15 +8,17 @@
pkgname=nftables
epoch=1
pkgver=1.0.8
pkgrel=01
pkgrel=02
pkgdesc='Netfilter tables userspace tools w/o systemd'
url='https://netfilter.org/projects/nftables/'
depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses' 'jansson')
optdepends=('python: Python bindings')
makedepends=('asciidoc' 'python' 'python-setuptools')
makedepends=('asciidoc' 'python' 'python-setuptools' 'python-build'
'python-installer' 'python-wheel')
backup=('etc/nftables.conf')
validpgpkeys=('37D964ACC04981C75500FB9BD55D978A8A1420E4') # Netfilter Core Team
source=("https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.xz"{,.sig}
'meta-stash-context-statement-length.patch'
'nftables.conf')
# 'nftables.service')
@ -38,20 +40,27 @@ prepare() {
build() {
cd $pkgname-$pkgver
autoreconf -fi #FIXME: To remove with 01.patch
# autoreconf -fi #FIXME: To remove with 01.patch
./configure \
--prefix=/usr \
--sbindir=/usr/bin \
--sysconfdir=/usr/share \
--with-json \
--disable-python \
--with-cli=readline \
--disable-debug
make
# Building the Python module separately due to the automatic build resulting
# in an incorrect directory structure and unimportable module (see FS#79229)
cd py
python -m build --wheel --no-isolation
}
package() {
pushd $pkgname-$pkgver
make DESTDIR="$pkgdir" install
python -m installer --destdir="$pkgdir" py/dist/*.whl
popd
# basic safe firewall config
install -Dm644 nftables.conf "$pkgdir/etc/nftables.conf"
@ -67,7 +76,8 @@ license=('GPL2')
sha256sums=(9373740de41a82dbc98818e0a46a073faeb8a8d0689fa4fa1a74399c32bf3d50 # nftables-1.0.8.tar.xz
eadbbad3eb70bc08a7a8c5598807f81b81860b571243f2e308dae01a97c656ae # nftables-1.0.8.tar.xz.sig
3c428a2e5037ff5ea54be060c46a48bf659cd783c8ce5f5ee943fec6ddc61da6 # meta-stash-context-statement-length.patch
2aff88019097d21dbfa4713f5b54c184751c86376e458b683f8d90f3abd232a8) # nftables.conf
## 751183c89602c67916e54c1452a133e9bdca65e730618f4e8a893f833033c7ff nftables-1:1.0.8-01-x86_64.pkg.tar.lz
## ad2c0fbfa0ff9956a6a898cead950b8a3b3205dc3d350fbc06f01eae18c6adec nftables-1:1.0.8-02-x86_64.pkg.tar.lz
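Review bot: In the build() hunk `autoreconf -fi` is commented out but its `#FIXME: To remove with 01.patch` text is kept, and no "01.patch" appears in source=(); the only patch listed, meta-stash-context-statement-length.patch, touches src/payload.c and tests per its own diffstat, so the configure script shipped in the release tarball should suffice, but the stale FIXME hides that reasoning. Replace the two lines with `# no autoreconf: release tarball ships configure and the meta-stash patch touches only src/payload.c and tests`. Note the Arch PKGBUILD in this same commit still runs `autoreconf -fi`, so the two builds now differ in how configure is produced; presumably intentional, but worth a word in the comment. The `--no-isolation` on `python -m build` is what keeps this build from pip-installing build requirements at build time, bypassing the checksum and signature checks makepkg does on source=(), and deserves its own comment: `# --no-isolation: use packaged python-setuptools/python-wheel, never fetch build deps`.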


@ -3,22 +3,25 @@
pkgname=nftables
epoch=1
pkgver=1.0.8
pkgrel=1
pkgrel=2
pkgdesc='Netfilter tables userspace tools'
arch=('x86_64')
url='https://netfilter.org/projects/nftables/'
license=('GPL2')
depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses' 'jansson')
optdepends=('python: Python bindings')
makedepends=('asciidoc' 'python' 'python-setuptools')
makedepends=('asciidoc' 'python' 'python-setuptools' 'python-build'
'python-installer' 'python-wheel')
backup=('etc/nftables.conf')
validpgpkeys=('37D964ACC04981C75500FB9BD55D978A8A1420E4') # Netfilter Core Team
source=("https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.xz"{,.sig}
'meta-stash-context-statement-length.patch'
'nftables.conf'
'nftables.service')
install=nftables.install
sha256sums=('9373740de41a82dbc98818e0a46a073faeb8a8d0689fa4fa1a74399c32bf3d50'
'SKIP'
'3c428a2e5037ff5ea54be060c46a48bf659cd783c8ce5f5ee943fec6ddc61da6'
'2aff88019097d21dbfa4713f5b54c184751c86376e458b683f8d90f3abd232a8'
'deffeef36fe658867dd9203ec13dec85047a6d224ea63334dcf60db97e1809ea')
@ -38,20 +41,26 @@ prepare() {
build() {
cd $pkgname-$pkgver
autoreconf -fi #FIXME: To remove with 01.patch
./configure \
--prefix=/usr \
--sbindir=/usr/bin \
--sysconfdir=/usr/share \
--with-json \
--with-cli=readline \
--disable-python \
--disable-debug
make
# Building the Python module separately due to the automatic build resulting
# in an incorrect directory structure and unimportable module (see FS#79229)
cd py
python -m build --wheel --no-isolation
}
package() {
pushd $pkgname-$pkgver
make DESTDIR="$pkgdir" install
python -m installer --destdir="$pkgdir" py/dist/*.whl
popd
# basic safe firewall config
install -Dm644 nftables.conf "$pkgdir/etc/nftables.conf"
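Review bot: The new `python -m build --wheel --no-isolation` in build() and `python -m installer --destdir="$pkgdir" py/dist/*.whl` in package() are explained only by the FS#79229 comment, which covers the directory-layout problem but not why isolation is disabled. `--no-isolation` is the supply-chain-relevant flag here: by default `python -m build` creates a temporary venv and pip-installs the project's build requirements, which would pull code from PyPI at build time outside the checksum and signature verification makepkg applies to source=(); the three new makedepends exist precisely so that does not happen. A one-line comment makes that explicit: `# --no-isolation: build against packaged python-setuptools/python-wheel, never pip-install build deps`. If no wheel is produced, the unexpanded `py/dist/*.whl` glob is passed literally to installer and fails loudly, so no extra guard is needed there.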


@ -3,5 +3,8 @@ python
autoconf
automake
python-setuptools
python-build
python-installer
python-wheel


@ -0,0 +1,245 @@
From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 18 Jul 2023 23:10:01 +0200
Subject: [PATCH] meta: stash context statement length when generating
payload/meta dependency
... meta mark set ip dscp
generates an implicit dependency from the inet family to match on meta
nfproto ip.
The length of this implicit expression is incorrectly adjusted to the
statement length, ie. relational to compare meta nfproto takes 4 bytes
instead of 1 byte. The evaluation of 'ip dscp' under the meta mark
statement triggers this implicit dependency which should not consider
the context statement length since it is added before the statement
itself.
This problem shows when listing the ruleset, since netlink_parse_cmp()
where left->len < right->len, hence handling the implicit dependency as
a concatenation, but it is actually a bug in the evaluation step that
leads to incorrect bytecode.
Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation")
Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand")
Tested-by: Brian Davidson <davidson.brian@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/payload.c | 13 ++++++
tests/py/inet/meta.t | 5 +++
tests/py/inet/meta.t.json | 86 ++++++++++++++++++++++++++++++++++++
tests/py/inet/meta.t.payload | 40 +++++++++++++++++
4 files changed, 144 insertions(+)
diff --git a/src/payload.c b/src/payload.c
index f67b5407..7862745b 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx,
const struct proto_hdr_template *tmpl;
struct expr *dep, *left, *right;
struct proto_ctx *pctx;
+ unsigned int stmt_len;
struct stmt *stmt;
int protocol;
@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx,
constant_data_ptr(protocol, tmpl->len));
dep = relational_expr_alloc(&expr->location, OP_EQ, left, right);
+
+ stmt_len = ctx->stmt_len;
+ ctx->stmt_len = 0;
+
stmt = expr_stmt_alloc(&dep->location, dep);
if (stmt_evaluate(ctx, stmt) < 0) {
return expr_error(ctx->msgs, expr,
"dependency statement is invalid");
}
+ ctx->stmt_len = stmt_len;
if (ctx->inner_desc) {
if (tmpl->meta_key)
@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
const struct hook_proto_desc *h;
const struct proto_desc *desc;
struct proto_ctx *pctx;
+ unsigned int stmt_len;
struct stmt *stmt;
uint16_t type;
@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
"protocol specification is invalid "
"for this family");
+ stmt_len = ctx->stmt_len;
+ ctx->stmt_len = 0;
+
stmt = meta_stmt_meta_iiftype(&expr->location, type);
if (stmt_evaluate(ctx, stmt) < 0) {
return expr_error(ctx->msgs, expr,
"dependency statement is invalid");
}
*res = stmt;
+
+ ctx->stmt_len = stmt_len;
+
return 0;
}
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
index 374738a7..5c062b39 100644
--- a/tests/py/inet/meta.t
+++ b/tests/py/inet/meta.t
@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok
meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok
+
+meta mark set ip dscp;ok
+meta mark set ip dscp | 0x40;ok
+meta mark set ip6 dscp;ok
+meta mark set ip6 dscp | 0x40;ok
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
index 92a1f9bf..3ba0fd1d 100644
--- a/tests/py/inet/meta.t.json
+++ b/tests/py/inet/meta.t.json
@@ -440,3 +440,89 @@
}
]
+# meta mark set ip dscp
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip"
+ }
+ }
+ }
+ }
+]
+
+# meta mark set ip dscp | 0x40
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "|": [
+ {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip"
+ }
+ },
+ 64
+ ]
+ }
+ }
+ }
+]
+
+# meta mark set ip6 dscp
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip6"
+ }
+ }
+ }
+ }
+]
+
+# meta mark set ip6 dscp | 0x40
+[
+ {
+ "mangle": {
+ "key": {
+ "meta": {
+ "key": "mark"
+ }
+ },
+ "value": {
+ "|": [
+ {
+ "payload": {
+ "field": "dscp",
+ "protocol": "ip6"
+ }
+ },
+ 64
+ ]
+ }
+ }
+ }
+]
+
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
index ea540907..c53b5077 100644
--- a/tests/py/inet/meta.t.payload
+++ b/tests/py/inet/meta.t.payload
@@ -133,3 +133,43 @@ inet test-inet input
[ meta load mark => reg 9 ]
[ lookup reg 1 set __set%d ]
+# meta mark set ip dscp
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip dscp | 0x40
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x00000002 ]
+ [ payload load 1b @ network header + 1 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+ [ meta set mark with reg 1 ]
+
+# meta mark set ip6 dscp | 0x40
+inet test-inet input
+ [ meta load nfproto => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 0 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
+ [ meta set mark with reg 1 ]
+