upg libotr nftables
This commit is contained in:
parent
c5ac6577fc
commit
07ec064fcc
|
@ -7,17 +7,21 @@
|
|||
|
||||
pkgname=libotr
|
||||
pkgver=4.1.1
|
||||
pkgrel=03
|
||||
pkgrel=04
|
||||
pkgdesc='Off-the-Record Messaging Library and Toolkit a thunderbird dependency w/o systemd'
|
||||
url='https://otr.cypherpunks.ca/'
|
||||
depends=('libgcrypt')
|
||||
source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc}
|
||||
missing-include.patch)
|
||||
# "$pkgname-4.1.1-include-socket.h.patch")
|
||||
|
||||
prepare() {
|
||||
cd "${srcdir}/${pkgbase}-${pkgver}"
|
||||
# void patch for lack of systemd
|
||||
patch -Np1 < ../missing-include.patch
|
||||
# Arch now added the patch used by void earlier ??
|
||||
# # FS#75450
|
||||
# patch -d "$pkgname-$pkgver" -N -p 1 -i "${srcdir}/$pkgname-4.1.1-include-socket.h.patch"
|
||||
}
|
||||
|
||||
build() {
|
||||
|
@ -45,6 +49,8 @@ validpgpkeys=('22DF3305DF56667CE15784FCF24DE08F42C2ABAD') # OTR Dev Team
|
|||
sha256sums=(8b3b182424251067a952fb4e6c7b95a21e644fbb27fbd5f8af2b2ed87ca419f5 # libotr-4.1.1.tar.gz
|
||||
3a24fe5ef490292295a5be7484d1148a4dbcace3a703279c9ea8ff7947215e90 # libotr-4.1.1.tar.gz.asc
|
||||
8d2fcb7c90f13539d219f2fab898e4cba031f5703d712f88799d92ab0c9a0b6e) # missing-include.patch
|
||||
# cfda75f8c5bba2e735d2b4f1bb90f60b45fa1d554a97fff75cac467f7873ebde) # libotr-4.1.1-include-socket.h.patch
|
||||
|
||||
## 157c8c0aef8f6a9be163a2cf83948597c368082feea7fe982426a3f0b0f27ea9 libotr-4.1.1-03-x86_64.pkg.tar.lz
|
||||
|
||||
## 7750392b7347a75b6ec6b94722d951123b91ab2f11c29d2faa7b2becce21bc16 libotr-4.1.1-04-x86_64.pkg.tar.lz
|
||||
|
||||
|
|
|
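Review bot: The comment `# void patch for lack of systemd` and the `w/o systemd` wording in pkgdesc misdescribe missing-include.patch: the patch added in this commit (Bug-Debian 1009420) only adds `#include <sys/socket.h>` to tests/regression/client/client.c, a build fix for the test suite that has nothing to do with systemd and does not change the installed library. Anyone auditing why a fork patches a crypto library should not have to open the patch to learn it is inert for the shipped code, so I would replace the comment with `# Debian #1009420: test-suite client lacks <sys/socket.h>; build fix only, does not touch the library`. Minor: `cd "${srcdir}/${pkgbase}-${pkgver}"` mixes pkgbase with the pkgname used everywhere else; makepkg defaults pkgbase to pkgname for a single package so it works, but `${pkgname}` would match build() as shown in the Arch copy. Upstream signature checking is still in place since the .asc stays in source and validpgpkeys is set; pinning the .asc hash instead of SKIP is a reasonable tightening, with the caveat that a re-signed tarball will need a hash bump, which is presumably intended.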
@ -1,19 +1,27 @@
|
|||
# Maintainer: Gaetan Bisson <bisson@archlinux.org>
|
||||
# Maintainer: Levente Polyak <anthraxx@archlinux.org>
|
||||
# Contributor: Gaetan Bisson <bisson@archlinux.org>
|
||||
# Contributor: Pierre Schmitz <pierre@archlinux.de>
|
||||
# Contributor: Bug <Bug2000@gmail.com>
|
||||
|
||||
pkgname=libotr
|
||||
pkgver=4.1.1
|
||||
pkgrel=3
|
||||
pkgrel=4
|
||||
pkgdesc='Off-the-Record Messaging Library and Toolkit'
|
||||
url='https://otr.cypherpunks.ca/'
|
||||
license=('GPL' 'LGPL')
|
||||
arch=('x86_64')
|
||||
depends=('libgcrypt')
|
||||
validpgpkeys=('22DF3305DF56667CE15784FCF24DE08F42C2ABAD') # OTR Dev Team
|
||||
source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc})
|
||||
source=(https://otr.cypherpunks.ca/${pkgname}-${pkgver}.tar.gz{,.asc}
|
||||
"$pkgname-4.1.1-include-socket.h.patch")
|
||||
sha256sums=('8b3b182424251067a952fb4e6c7b95a21e644fbb27fbd5f8af2b2ed87ca419f5'
|
||||
'SKIP')
|
||||
'SKIP'
|
||||
'cfda75f8c5bba2e735d2b4f1bb90f60b45fa1d554a97fff75cac467f7873ebde')
|
||||
|
||||
prepare() {
|
||||
# FS#75450
|
||||
patch -d "$pkgname-$pkgver" -N -p 1 -i "${srcdir}/$pkgname-4.1.1-include-socket.h.patch"
|
||||
}
|
||||
|
||||
build() {
|
||||
cd "${srcdir}/${pkgname}-${pkgver}"
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
From: Rhonda D'Vine <rhonda@debian.org>
|
||||
Date: Thu, 12 May 2022 08:57:07 +0200
|
||||
Bug-Debian: https://bugs.debian.org/1009420
|
||||
Forwarded: no
|
||||
Subject: test suite fails to build without the include
|
||||
|
||||
--- a/tests/regression/client/client.c
|
||||
+++ b/tests/regression/client/client.c
|
||||
@@ -29,6 +29,7 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/un.h>
|
||||
#include <unistd.h>
|
||||
+#include <sys/socket.h>
|
||||
|
||||
#include <context.h>
|
||||
#include <privkey.h>
|
|
@ -8,15 +8,17 @@
|
|||
pkgname=nftables
|
||||
epoch=1
|
||||
pkgver=1.0.8
|
||||
pkgrel=01
|
||||
pkgrel=02
|
||||
pkgdesc='Netfilter tables userspace tools w/o systemd'
|
||||
url='https://netfilter.org/projects/nftables/'
|
||||
depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses' 'jansson')
|
||||
optdepends=('python: Python bindings')
|
||||
makedepends=('asciidoc' 'python' 'python-setuptools')
|
||||
makedepends=('asciidoc' 'python' 'python-setuptools' 'python-build'
|
||||
'python-installer' 'python-wheel')
|
||||
backup=('etc/nftables.conf')
|
||||
validpgpkeys=('37D964ACC04981C75500FB9BD55D978A8A1420E4') # Netfilter Core Team
|
||||
source=("https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.xz"{,.sig}
|
||||
'meta-stash-context-statement-length.patch'
|
||||
'nftables.conf')
|
||||
# 'nftables.service')
|
||||
|
||||
|
@ -38,20 +40,27 @@ prepare() {
|
|||
|
||||
build() {
|
||||
cd $pkgname-$pkgver
|
||||
autoreconf -fi #FIXME: To remove with 01.patch
|
||||
# autoreconf -fi #FIXME: To remove with 01.patch
|
||||
./configure \
|
||||
--prefix=/usr \
|
||||
--sbindir=/usr/bin \
|
||||
--sysconfdir=/usr/share \
|
||||
--with-json \
|
||||
--disable-python \
|
||||
--with-cli=readline \
|
||||
--disable-debug
|
||||
make
|
||||
|
||||
# Building the Python module separately due to the automatic build resulting
|
||||
# in an incorrect directory structure and unimportable module (see FS#79229)
|
||||
cd py
|
||||
python -m build --wheel --no-isolation
|
||||
}
|
||||
|
||||
package() {
|
||||
pushd $pkgname-$pkgver
|
||||
make DESTDIR="$pkgdir" install
|
||||
python -m installer --destdir="$pkgdir" py/dist/*.whl
|
||||
popd
|
||||
# basic safe firewall config
|
||||
install -Dm644 nftables.conf "$pkgdir/etc/nftables.conf"
|
||||
|
@ -67,7 +76,8 @@ license=('GPL2')
|
|||
|
||||
sha256sums=(9373740de41a82dbc98818e0a46a073faeb8a8d0689fa4fa1a74399c32bf3d50 # nftables-1.0.8.tar.xz
|
||||
eadbbad3eb70bc08a7a8c5598807f81b81860b571243f2e308dae01a97c656ae # nftables-1.0.8.tar.xz.sig
|
||||
3c428a2e5037ff5ea54be060c46a48bf659cd783c8ce5f5ee943fec6ddc61da6 # meta-stash-context-statement-length.patch
|
||||
2aff88019097d21dbfa4713f5b54c184751c86376e458b683f8d90f3abd232a8) # nftables.conf
|
||||
|
||||
## 751183c89602c67916e54c1452a133e9bdca65e730618f4e8a893f833033c7ff nftables-1:1.0.8-01-x86_64.pkg.tar.lz
|
||||
## ad2c0fbfa0ff9956a6a898cead950b8a3b3205dc3d350fbc06f01eae18c6adec nftables-1:1.0.8-02-x86_64.pkg.tar.lz
|
||||
|
||||
|
|
|
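Review bot: Dropping nftables.service (commented out in source) leaves nothing in the package that loads the `# basic safe firewall config` installed to /etc/nftables.conf, so on the systemd-less target the ruleset is never applied at boot unless the user's init supplies a service; the `install=nftables.install` line present in the Arch copy also does not appear in this hunk. The comment should say so, e.g. `# NOTE: no init script shipped; load with 'nft -f /etc/nftables.conf' from your init system`, or the package should carry a runit/OpenRC unit. The commented-out `autoreconf -fi` still carries `#FIXME: To remove with 01.patch`, which is now stale; the diffstat of meta-stash-context-statement-length.patch touches only src/payload.c and tests, so skipping autoreconf is fine and keeps the configure script from the signed tarball, but the FIXME should go. prepare() starts above this hunk, so any build-system changes applied there are not visible here.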
@ -3,22 +3,25 @@
|
|||
pkgname=nftables
|
||||
epoch=1
|
||||
pkgver=1.0.8
|
||||
pkgrel=1
|
||||
pkgrel=2
|
||||
pkgdesc='Netfilter tables userspace tools'
|
||||
arch=('x86_64')
|
||||
url='https://netfilter.org/projects/nftables/'
|
||||
license=('GPL2')
|
||||
depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses' 'jansson')
|
||||
optdepends=('python: Python bindings')
|
||||
makedepends=('asciidoc' 'python' 'python-setuptools')
|
||||
makedepends=('asciidoc' 'python' 'python-setuptools' 'python-build'
|
||||
'python-installer' 'python-wheel')
|
||||
backup=('etc/nftables.conf')
|
||||
validpgpkeys=('37D964ACC04981C75500FB9BD55D978A8A1420E4') # Netfilter Core Team
|
||||
source=("https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.xz"{,.sig}
|
||||
'meta-stash-context-statement-length.patch'
|
||||
'nftables.conf'
|
||||
'nftables.service')
|
||||
install=nftables.install
|
||||
sha256sums=('9373740de41a82dbc98818e0a46a073faeb8a8d0689fa4fa1a74399c32bf3d50'
|
||||
'SKIP'
|
||||
'3c428a2e5037ff5ea54be060c46a48bf659cd783c8ce5f5ee943fec6ddc61da6'
|
||||
'2aff88019097d21dbfa4713f5b54c184751c86376e458b683f8d90f3abd232a8'
|
||||
'deffeef36fe658867dd9203ec13dec85047a6d224ea63334dcf60db97e1809ea')
|
||||
|
||||
|
@ -38,20 +41,26 @@ prepare() {
|
|||
|
||||
build() {
|
||||
cd $pkgname-$pkgver
|
||||
autoreconf -fi #FIXME: To remove with 01.patch
|
||||
./configure \
|
||||
--prefix=/usr \
|
||||
--sbindir=/usr/bin \
|
||||
--sysconfdir=/usr/share \
|
||||
--with-json \
|
||||
--with-cli=readline \
|
||||
--disable-python \
|
||||
--disable-debug
|
||||
make
|
||||
|
||||
# Building the Python module separately due to the automatic build resulting
|
||||
# in an incorrect directory structure and unimportable module (see FS#79229)
|
||||
cd py
|
||||
python -m build --wheel --no-isolation
|
||||
}
|
||||
|
||||
package() {
|
||||
pushd $pkgname-$pkgver
|
||||
make DESTDIR="$pkgdir" install
|
||||
python -m installer --destdir="$pkgdir" py/dist/*.whl
|
||||
popd
|
||||
# basic safe firewall config
|
||||
install -Dm644 nftables.conf "$pkgdir/etc/nftables.conf"
|
||||
|
|
|
@ -3,5 +3,8 @@ python
|
|||
autoconf
|
||||
automake
|
||||
python-setuptools
|
||||
python-build
|
||||
python-installer
|
||||
python-wheel
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,245 @@
|
|||
From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Tue, 18 Jul 2023 23:10:01 +0200
|
||||
Subject: [PATCH] meta: stash context statement length when generating
|
||||
payload/meta dependency
|
||||
|
||||
... meta mark set ip dscp
|
||||
|
||||
generates an implicit dependency from the inet family to match on meta
|
||||
nfproto ip.
|
||||
|
||||
The length of this implicit expression is incorrectly adjusted to the
|
||||
statement length, ie. relational to compare meta nfproto takes 4 bytes
|
||||
instead of 1 byte. The evaluation of 'ip dscp' under the meta mark
|
||||
statement triggers this implicit dependency which should not consider
|
||||
the context statement length since it is added before the statement
|
||||
itself.
|
||||
|
||||
This problem shows when listing the ruleset, since netlink_parse_cmp()
|
||||
where left->len < right->len, hence handling the implicit dependency as
|
||||
a concatenation, but it is actually a bug in the evaluation step that
|
||||
leads to incorrect bytecode.
|
||||
|
||||
Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation")
|
||||
Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand")
|
||||
Tested-by: Brian Davidson <davidson.brian@gmail.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/payload.c | 13 ++++++
|
||||
tests/py/inet/meta.t | 5 +++
|
||||
tests/py/inet/meta.t.json | 86 ++++++++++++++++++++++++++++++++++++
|
||||
tests/py/inet/meta.t.payload | 40 +++++++++++++++++
|
||||
4 files changed, 144 insertions(+)
|
||||
|
||||
diff --git a/src/payload.c b/src/payload.c
|
||||
index f67b5407..7862745b 100644
|
||||
--- a/src/payload.c
|
||||
+++ b/src/payload.c
|
||||
@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx,
|
||||
const struct proto_hdr_template *tmpl;
|
||||
struct expr *dep, *left, *right;
|
||||
struct proto_ctx *pctx;
|
||||
+ unsigned int stmt_len;
|
||||
struct stmt *stmt;
|
||||
int protocol;
|
||||
|
||||
@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx,
|
||||
constant_data_ptr(protocol, tmpl->len));
|
||||
|
||||
dep = relational_expr_alloc(&expr->location, OP_EQ, left, right);
|
||||
+
|
||||
+ stmt_len = ctx->stmt_len;
|
||||
+ ctx->stmt_len = 0;
|
||||
+
|
||||
stmt = expr_stmt_alloc(&dep->location, dep);
|
||||
if (stmt_evaluate(ctx, stmt) < 0) {
|
||||
return expr_error(ctx->msgs, expr,
|
||||
"dependency statement is invalid");
|
||||
}
|
||||
+ ctx->stmt_len = stmt_len;
|
||||
|
||||
if (ctx->inner_desc) {
|
||||
if (tmpl->meta_key)
|
||||
@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
|
||||
const struct hook_proto_desc *h;
|
||||
const struct proto_desc *desc;
|
||||
struct proto_ctx *pctx;
|
||||
+ unsigned int stmt_len;
|
||||
struct stmt *stmt;
|
||||
uint16_t type;
|
||||
|
||||
@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
|
||||
"protocol specification is invalid "
|
||||
"for this family");
|
||||
|
||||
+ stmt_len = ctx->stmt_len;
|
||||
+ ctx->stmt_len = 0;
|
||||
+
|
||||
stmt = meta_stmt_meta_iiftype(&expr->location, type);
|
||||
if (stmt_evaluate(ctx, stmt) < 0) {
|
||||
return expr_error(ctx->msgs, expr,
|
||||
"dependency statement is invalid");
|
||||
}
|
||||
*res = stmt;
|
||||
+
|
||||
+ ctx->stmt_len = stmt_len;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
|
||||
index 374738a7..5c062b39 100644
|
||||
--- a/tests/py/inet/meta.t
|
||||
+++ b/tests/py/inet/meta.t
|
||||
@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok
|
||||
meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
|
||||
ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
|
||||
ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 0x00000200 };ok
|
||||
+
|
||||
+meta mark set ip dscp;ok
|
||||
+meta mark set ip dscp | 0x40;ok
|
||||
+meta mark set ip6 dscp;ok
|
||||
+meta mark set ip6 dscp | 0x40;ok
|
||||
diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
|
||||
index 92a1f9bf..3ba0fd1d 100644
|
||||
--- a/tests/py/inet/meta.t.json
|
||||
+++ b/tests/py/inet/meta.t.json
|
||||
@@ -440,3 +440,89 @@
|
||||
}
|
||||
]
|
||||
|
||||
+# meta mark set ip dscp
|
||||
+[
|
||||
+ {
|
||||
+ "mangle": {
|
||||
+ "key": {
|
||||
+ "meta": {
|
||||
+ "key": "mark"
|
||||
+ }
|
||||
+ },
|
||||
+ "value": {
|
||||
+ "payload": {
|
||||
+ "field": "dscp",
|
||||
+ "protocol": "ip"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+]
|
||||
+
|
||||
+# meta mark set ip dscp | 0x40
|
||||
+[
|
||||
+ {
|
||||
+ "mangle": {
|
||||
+ "key": {
|
||||
+ "meta": {
|
||||
+ "key": "mark"
|
||||
+ }
|
||||
+ },
|
||||
+ "value": {
|
||||
+ "|": [
|
||||
+ {
|
||||
+ "payload": {
|
||||
+ "field": "dscp",
|
||||
+ "protocol": "ip"
|
||||
+ }
|
||||
+ },
|
||||
+ 64
|
||||
+ ]
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+]
|
||||
+
|
||||
+# meta mark set ip6 dscp
|
||||
+[
|
||||
+ {
|
||||
+ "mangle": {
|
||||
+ "key": {
|
||||
+ "meta": {
|
||||
+ "key": "mark"
|
||||
+ }
|
||||
+ },
|
||||
+ "value": {
|
||||
+ "payload": {
|
||||
+ "field": "dscp",
|
||||
+ "protocol": "ip6"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+]
|
||||
+
|
||||
+# meta mark set ip6 dscp | 0x40
|
||||
+[
|
||||
+ {
|
||||
+ "mangle": {
|
||||
+ "key": {
|
||||
+ "meta": {
|
||||
+ "key": "mark"
|
||||
+ }
|
||||
+ },
|
||||
+ "value": {
|
||||
+ "|": [
|
||||
+ {
|
||||
+ "payload": {
|
||||
+ "field": "dscp",
|
||||
+ "protocol": "ip6"
|
||||
+ }
|
||||
+ },
|
||||
+ 64
|
||||
+ ]
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+]
|
||||
+
|
||||
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
|
||||
index ea540907..c53b5077 100644
|
||||
--- a/tests/py/inet/meta.t.payload
|
||||
+++ b/tests/py/inet/meta.t.payload
|
||||
@@ -133,3 +133,43 @@ inet test-inet input
|
||||
[ meta load mark => reg 9 ]
|
||||
[ lookup reg 1 set __set%d ]
|
||||
|
||||
+# meta mark set ip dscp
|
||||
+inet test-inet input
|
||||
+ [ meta load nfproto => reg 1 ]
|
||||
+ [ cmp eq reg 1 0x00000002 ]
|
||||
+ [ payload load 1b @ network header + 1 => reg 1 ]
|
||||
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
|
||||
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
|
||||
+ [ meta set mark with reg 1 ]
|
||||
+
|
||||
+# meta mark set ip dscp | 0x40
|
||||
+inet test-inet input
|
||||
+ [ meta load nfproto => reg 1 ]
|
||||
+ [ cmp eq reg 1 0x00000002 ]
|
||||
+ [ payload load 1b @ network header + 1 => reg 1 ]
|
||||
+ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
|
||||
+ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
|
||||
+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
|
||||
+ [ meta set mark with reg 1 ]
|
||||
+
|
||||
+# meta mark set ip6 dscp
|
||||
+inet test-inet input
|
||||
+ [ meta load nfproto => reg 1 ]
|
||||
+ [ cmp eq reg 1 0x0000000a ]
|
||||
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||||
+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
|
||||
+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
|
||||
+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
|
||||
+ [ meta set mark with reg 1 ]
|
||||
+
|
||||
+# meta mark set ip6 dscp | 0x40
|
||||
+inet test-inet input
|
||||
+ [ meta load nfproto => reg 1 ]
|
||||
+ [ cmp eq reg 1 0x0000000a ]
|
||||
+ [ payload load 2b @ network header + 0 => reg 1 ]
|
||||
+ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
|
||||
+ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
|
||||
+ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
|
||||
+ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
|
||||
+ [ meta set mark with reg 1 ]
|
||||
+
|
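Review bot: In both payload_add_dependency() and payload_gen_dependency() the saved stmt_len is restored only on the success path; the `return expr_error(...)` inside `if (stmt_evaluate(ctx, stmt) < 0)` leaves ctx->stmt_len at 0. Whether the eval context is reused after a failed rule cannot be confirmed from this hunk, but if it is, later statements would be evaluated with the wrong length; adding `ctx->stmt_len = stmt_len;` ahead of each early `return expr_error(...)` costs nothing and makes the save/restore pairing obvious. This is upstream commit 5f1676ac9f carried verbatim, and a .patch file has no signature of its own, so the sha256 pinned in the PKGBUILD is the only integrity check; keeping the upstream commit id in the header, as done here, is what lets a reviewer diff it against netfilter's git.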