59 Commits

Author SHA1 Message Date
Wang Mingyu
594936b8ae iptables: upgrade 1.8.10 -> 1.8.11
0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
0002-nft-ruleparse-Add-missing-braces-around-ternary.patch
removed since they're included in 1.8.11

Changelog:
 https://netfilter.org/projects/iptables/files/changes-iptables-1.8.11.txt

(From OE-Core rev: d12f4bf60cc45bf9f73f688000786cfea7a2faeb)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-11-18 22:09:02 +00:00
Christian Taedcke
138a1990e0 iptables: fix memory corruption when parsing nft rules
This commit fixes a memory corruption issue when iptables (with
enabled PACKAGECONFIG libnftnl) is used to access rules created by
nft.

To reproduce the issue:
nft add chain ip filter TESTCHAIN { meta mark set 123 \;}
iptables -t filter -n -L TESTCHAIN

This produced the following output:
Chain TESTCHAIN (0 references)
target prot opt source     destination
MARK   0    --  0.0.0.0/0  0.0.0.0/0     MARK set 0x7b
malloc(): corrupted top size
Aborted (core dumped)

This commit fixes this issue.

(From OE-Core rev: 461d6333dabacdc181c91f31a8dd4ad6682cc0e4)

Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-07-26 12:28:42 +01:00
Rasmus Villemoes
da04237311 iptables: remove /etc/ethertypes
When building an image including iptables built with the libnftnl
PACKAGECONFIG, one hits

Downloading file:.../oe-rootfs-repo/armv8a/libkmod2 * check_data_file_clashes: Package iptables wants to install file .../rootfs/etc/ethertypes
        But that file is already provided by package  * netbase

This used to be handled by
0003-Makefile.am-do-not-install-etc-ethertypes.patch, but that patch
got removed with the 1.8.9->1.8.10 upgrade (commit 4616ada82e70).

I think the rationale for dropping the patch was wrong; the commit log
talks about xtables.conf, which is indeed gone from upstream, but said
patch didn't change anything about xtables.conf, it did

-dist_conf_DATA        = etc/ethertypes etc/xtables.conf
+dist_conf_DATA        = etc/xtables.conf

However, instead of patching iptables to not install ethertypes, and
having to forward-port that patch, it is much simpler to just remove
the file in this do_install:append.

(From OE-Core rev: 3b9c8d5c26a48123d3845c93f6e04d430569e6a2)

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-07-13 23:28:30 +01:00
Kirill Yatsenko
510eb2c375 iptables: fix save/restore symlinks with libnftnl PACKAGECONFIG enabled
When the libnftnl PACKAGECONFIG is enabled, the "iptables" symlink correctly
points to xtables-nft-multi, however the "iptables-save" and
"iptables-restore" still point to the xtables-legacy-multi.

So, when the "iptables" command is used it's using the nftables backend
whereas the "iptables-save/restore" are using the legacy backend.

This is not consistent with other distros (e.g. Ubuntu).

The issue was identified when testing the UFW firewall with nftables backend.

(From OE-Core rev: 6579e4333b74232d8b576c399eab88e37da881ac)

Signed-off-by: Kirill Yatsenko <kiriyatsenko@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-06-10 14:27:23 +01:00
Alexander Kanavin
c0c78a4cd1 iptables: correctly enable libnetfilter_conntrack support
This is done via configure option, and makes
0004-configure.ac-only-check-conntrack-when-libnfnetlink-.patch
unnecessary, as both libnetfilter_conntrack and libnfnetlink
are enabled in lockstep.

(From OE-Core rev: 04ffb341864b443544e9f594248c0c785f601a55)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-05-28 09:38:23 +01:00
Alexander Kanavin
640dafd0c4 iptables: remove unneeded 0002-iptables-xshared.h-add-missing-sys.types.h-include.patch
Somewhere on the way it ceased to be necessary.

(From OE-Core rev: b5a32b5744b4ebb1bdc8937e5ebbc35dced0b1a7)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-05-28 09:38:23 +01:00
Alexander Kanavin
854429b571 iptables: submit 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch upstream
(From OE-Core rev: 67f6c3534a18520f3b7c5eed27dc2744c5bf44c2)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-05-28 09:38:23 +01:00
Richard Purdie
0ea63b6a43 recipes: Update WORKDIR references to UNPACKDIR
Since we want to be able to stop unpacking to WORKDIR, correct the WORKDIR
references in recipe do_compile/do_install tasks to use UNPACKDIR in the
appropriate places instead.

(From OE-Core rev: d73595df69667fe9d12ecd407b77a0b8dae2109c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-05-02 15:15:51 +01:00
Changhyeok Bae
2a88814342 iptables: upgrade 1.8.9 -> 1.8.10
- 0003-x is not required anymore because xtables.conf is dropped.
- format-security.patch is already in upstream.
- Other patches are refreshed.

(From OE-Core rev: 4616ada82e7079f0cc7e995c2f421f43b54d4a08)

Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-12-04 11:23:37 +00:00
Alexander Kanavin
fafdbef0ac iptables: update 1.8.8 -> 1.8.9
Replace one format string fixing patch with another format string fixing patch.
(one problem fixed upstream, another introduced)

(From OE-Core rev: 4a7b4d41ddcfaeaf47cf75200f2346639c64b11c)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-03-11 00:08:40 +00:00
Alexander Kanavin
a221b0566e iptables: upgrade 1.8.7 -> 1.8.8
(From OE-Core rev: b44d6bc7e56121d977a7bc491aec00cf3fb510fb)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 22:52:22 +01:00
Trevor Gamblin
6869c34df8 iptables: use nft backend with libnftnl PACKAGECONFIG
Currently, when the libnftnl (part of meta-networking) PACKAGECONFIG is
enabled for iptables, both legacy and nft-based binaries are built and
installed in the image. However, the "iptables" symlink in this case
still points to xtables-legacy-multi, rather than xtables-nft-multi.
This patch adds a conditional check to replace the symlink to point to
the latter if iptables is built with libnftnl support, which is
consistent with other major distros (e.g. Fedora). The "iptables-legacy"
symlink remains present and unmodified.

(From OE-Core rev: bc41682ab2a259b7bc6a56fa3ba42907f4c8bf25)

Signed-off-by: tgamblin <trevor.gamblin@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-18 23:32:46 +00:00
Trevor Gamblin
f69a9d7b39 iptables: do not install /etc/ethertypes
Take inspiration from the ebtables recipe in meta-networking and omit
installation of etc/ethertypes, since it is provided by netbase. If we
don't do this, the following error occurs during build:

Error: Transaction test error:
  file /etc/ethertypes conflicts between attempted installs of
iptables-1.8.7-r0.core2_64 and netbase-1:6.3-r0.noarch

(From OE-Core rev: 297fde1a6fc9ddf12bb4b0cba1d5b03664a3f378)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-11 06:56:01 +00:00
Richard Purdie
b0130fcf91 meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX license identifiers
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.

(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-20 16:45:25 +00:00
Richard Purdie
bb6ddc3691 Convert to new override syntax
This is the result of automated script conversion:

scripts/contrib/convert-overrides.py <oe-core directory>

converting the metadata to use ":" as the override character instead of "_".

(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-08-02 15:44:10 +01:00
Wang Mingyu
e261ab2d36 iptables: upgrade 1.8.6 -> 1.8.7
(From OE-Core rev: 7d5c46abf904de5c9770e466baef38705f46695e)

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-01-23 17:08:54 +00:00
Alexander Kanavin
cbd6e6e32a iptables: upgrade 1.8.5 -> 1.8.6
(From OE-Core rev: d81f9f3ed497241d6ac93d3c756eb55747eb07a0)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-11-03 08:21:12 +00:00
Yi Zhao
889eb94e98 iptables: split iptables-apply to its own package
We do not want iptables to depend on bash. So move
iptables-apply/ip6tables-apply to a separate package.

(From OE-Core rev: 9a2386443af23d4b713b9635a0275165565ef8f4)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-17 11:10:28 +01:00
Yi Zhao
f2df8011af iptables: fix invalid symbolic link for ip6tables-apply
The iptables-apply is not installed, which makes ip6tables-apply an
invalid symbolic link:

$ ls -l /usr/sbin/ip6tables-apply
lrwxrwxrwx 1 root root 14 Jun 11 08:27 /usr/sbin/ip6tables-apply -> iptables-apply
$ ls -l /usr/sbin/iptables-apply
ls: cannot access '/usr/sbin/iptables-apply': No such file or directory

Backport a patch to fix the issue.

(From OE-Core rev: c3070d3b2e31a31fc32294972e7a3fae46b6e70f)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-17 11:10:28 +01:00
Pierre-Jean Texier
f08d269c48 iptables: upgrade 1.8.4 -> 1.8.5
This release contains the following fixes and enhancements:

xtables-save/xtables-restore:
- Fix parser in `--noflush' mode incorrectly rejecting chain definitions
  and empty lines.
- Fix crash when restoring or dumping while other ruleset changes happen
  in parallel.

iptables-apply:
- Install the script along with `make install'.
- Introduce parameters `-c' (run command) and `-w' (save successfully
  applied rules to file).
- Use `mktemp' instead of `tempfile' for temporary files.

iptables-translate:
- Support `time' match and `NOTRACK' target.
- Fix for special interface names `*', `+' and `eth++'.

ebtables-nft:
- Full among match support, including sets with mixed MAC and MAC+IP
  entries.

extensions:
- connlabel: Numeric labels were rejected if a connlabel.conf existed in
             the system.
- IDLETIMER: Introduce `--alarm' option.

libxtables:
- Introduce xtables_fini() to properly deinit the library and close any
  loaded shared objects.

nfnl_osf:
- Fix lockup after loading the first line from fingerprints file.
- Improve error handling, don't silently exit when deleting a
  non-existing fingerprint.

General:
- Fixes for undefined behaviour.
- Replace a few unsafe calls to strcpy().
- Fix some warnings when compiling with clang.
- Various fixes for valgrind-detected problems such as memory leaks and
  reachable memory at program exit.

(From OE-Core rev: 0d28b963d91503c557adf87e096eb7a98dff6c76)

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-06-09 13:14:01 +01:00
Changhyeok Bae
bab3f110b5 iptables: upgrade 1.8.3 -> 1.8.4
(From OE-Core rev: 490dd755899a149a36cbb2e60a08a37e0c93d225)

Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-02 16:57:21 +00:00
Niko Mauno
7a2c2df853 iptables: Add systemd helper unit for IPv6 too
Commit bc66b2f45a added systemd helper
unit for automatic IPv4 rule loading. Complement the effort by adding
systemd helper unit also for automatic IPv6 rule loading.

(From OE-Core rev: 3b8df6b6aba3632de7c3c01c8468fbcedb032493)

Signed-off-by: Niko Mauno <niko.mauno@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-04 12:30:58 +00:00
Niko Mauno
05b20e95e1 iptables: Allow overriding rules file location
In some cases a distribution may want to install rules file into a
location other than /etc/iptables/ so introduce custom recipe-level
IPTABLES_RULES_DIR parameter which allows conveniently overriding
the rules directory location.

(From OE-Core rev: 64eeedcdc586c221e3684861ba85e8e4bc9c5dd1)

Signed-off-by: Niko Mauno <niko.mauno@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-04 12:30:58 +00:00
Niko Mauno
567922d2fc iptables: Cosmetic fixes to recipe
Introduce cosmetic changes to recipe content, most notably
 - Change indentation style to four spaces in task statements
 - Reorder several entries according to oe-stylize.py suggestions

(From OE-Core rev: c1d162b6165f11b7b5ae5c6066e7683d5e1379fc)

Signed-off-by: Niko Mauno <niko.mauno@iki.fi>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-04 12:30:58 +00:00
Jack Mitchell
bc66b2f45a iptables: add systemd helper unit to load/restore rules
There is currently no way to automatically load iptables rules in OE.
Add a systemd unit file to automatically load rules on network
connection. This is cribbed from the way ArchLinux handles iptables with
some minor modifications for OE.
New rules can be generated directly on the target using:
# iptables-save -f /etc/iptables/iptables.rules
Good documentation for writing rules offline is lacking, but the basics
are explained here:
https://unix.stackexchange.com/q/400163/49405

(From OE-Core rev: 76d3574d17c38d93ba4660bdae5730ac222994d4)

Signed-off-by: Jack Mitchell <jack@embed.me.uk>
Signed-off-by: Diego Rondini <diego.rondini@kynetics.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-09-16 23:02:44 +01:00
Anuj Mittal
f7e07e4acd iptables: upgrade 1.8.2 -> 1.8.3
Remove upstreamed patches and manually package symlinks which aren't
handled by do_split_package.

Changelog:
http://git.netfilter.org/iptables/log/?qt=range&q=v1.8.3...v1.8.2

(From OE-Core rev: 845af88f86f143ca0b119f0489397cd505571cae)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-23 22:26:28 +01:00
Li Zhou
f56e1ffb1e iptables: Security Advisory - iptables - CVE-2019-11360
Porting patch from <https://git.netfilter.org/iptables/commit/iptables/xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e>
to solve CVE-2019-11360.

(From OE-Core rev: 5a38ef7eef9ecef2d27ae89f01691072bb94a25e)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-19 16:19:14 +01:00
Changhyeok Bae
c47245b0d4 iptables: upgrade 1.6.2 -> 1.8.2
To enable security flash, get the build error. To fix this,
0003-extensions-format-security-fixes-in-libipt_icmp.patch is required.

(From OE-Core rev: 2e135cea41c1276566a7390320468d1925481558)

Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-04-16 11:10:02 +01:00
Richard Purdie
cd4b8a8553 meta: Fix Deprecated warnings from regexs
Fix handling of escape characters in regexs and hence fix python
Deprecation warnings which will be problematic in python 3.8.

Note that some show up as:

"""
meta/classes/package.bbclass:1293: DeprecationWarning: invalid escape sequence \.  

"""

where the problem isn't on 1293 in package.bbclass but in some _prepend to a
package.bbclass function in a different file like mesa.inc, often from
do_package_split() calls.

(From OE-Core rev: 4b1c0c7d5525fc4cea9e0f02ec54e92a6fbc6199)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-01-16 15:35:07 +00:00
Peter Kjellerstedt
4fb55aaaf7 iptables: Split the iptables modules into separate packages
By splitting the iptables modules into separate packages it is
possible to pick and choose the modules to install and thereby reduce
the total size of the installed modules.

Backwards compatibility is maintained by adding a recommendation of
iptables-modules, which is a meta package that depends on all the
generated packages.

(From OE-Core rev: 2e99caca64704d1ec51f4f65048d945e5ff1384f)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-07-30 12:44:35 +01:00
Alexander Kanavin
e49ac3eabb iptables: drop unnecessary patches
These were adding definitions for the second time
(see bug #10450 for why) or adding an include that is no longer
necessary for musl builds.

(From OE-Core rev: bed5ea53c74c4b444b2145e7a83ca9fd44ea30ec)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-09 09:17:03 -08:00
Huang Qiyu
6c99444c76 iptables: 1.6.1 -> 1.6.2
Upgrade iptables from 1.6.1 to 1.6.2.

(From OE-Core rev: 1bca3f22d48d138086752e61569ddc9cf8e9cf79)

Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-08 10:39:32 -08:00
Khem Raj
627503c7b9 iptables: Apply 0001-fix-build-with-musl.patch unconditionally
This patch is generic enough that it can be applied universally
and makes maintenance easier

(From OE-Core rev: f769b8389091b4ffaff8f6f8fc7e53462ce176a5)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-28 20:55:08 +01:00
Peter Kjellerstedt
254bfb1071 recipes: Make use of the new bb.utils.filter() function
(From OE-Core rev: 0a1427bf9aeeda6bee2cc0af8da4ea5fd90aef6f)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-01 11:17:45 +00:00
Maxin B. John
134db01e7b iptables: upgrade to 1.6.1
1.6.0 -> 1.6.1

Refreshed the following patches:
 a) 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
 b) 0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch

(From OE-Core rev: 0148bb131b2ac68f168562e9eaedce8aa4e4a875)

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-23 12:49:52 -08:00
Maxin B. John
20843fa016 iptables: upgrade to 1.6.0
1.4.21 -> 1.6.0

xtables_globals structure layout has changed.

* Refreshed below listed patches to work with this release:
        1. 0001-configure-Add-option-to-enable-disable-libnfnetlink.patch
        2. 0001-fix-build-with-musl.patch

* Added PACKAGECONFIG for libnftnl

(From OE-Core rev: 8609c4e5eadfdd60664640c4ae07e250c98dd86b)

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-07 13:40:17 +00:00
Ross Burton
455ff32426 meta: more removals of redundant FILES_${PN}-dbg
In some recipes overly-split -dbg packages were merged into PN-dbg.  Unless
there's a very good reason, recipes should have a single -dev and -dbg package.

(From OE-Core rev: a3b000643898d7402b9e57c02e8d10e677cc9722)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-12-16 11:56:30 +00:00
Kai Kang
8995a3077a iptables: only check libnetfilter-conntrack when libnfnetlink is enabled
Package libnetfilter-conntrack depends on package libnfnetlink. iptables
checks package libnetfilter-conntrack whether its package config
libnfnetlink is enabled or not. When libnfnetlink is disabled but
package libnetfilter-conntrack exists, it fails randomly with:

| In file included from .../iptables/1.4.21-r0/iptables-1.4.21/extensions/libxt_connlabel.c:8:0:
| .../tmp/sysroots/qemumips/usr/include/libnetfilter_conntrack/libnetfilter_conntrack.h:14:42: fatal error: libnfnetlink/linux_nfnetlink.h: No such file or directory
| compilation terminated.
| GNUmakefile:96: recipe for target 'libxt_connlabel.oo' failed

Only check libnetfilter-conntrack when libnfnetlink is enabled to fix it.

(From OE-Core rev: 31f34494b842d6c49b040db70ba5da428594f32c)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-10-12 14:36:26 +01:00
Khem Raj
0b708c5c57 iptables: Fix build on musl
Added needed headers and reshuffled existing ones to get it portable
Added defines for missing TCOPTS*

Change-Id: I74977dd052c5569b00631379d7f4bacfb86cf381
(From OE-Core rev: d30fba63286dc8f5ac72ac65fae6af6001e58ec2)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-04-13 22:33:23 +01:00
Richard Purdie
e5cf31cf93 recipes: Add missing pkgconfig class inherits
These recipes all use pkg-config in some way but were missing
dependencies on the tool, this patch adds them.

(From OE-Core rev: 2543b14dd0ca13005be0df027543431fc8e882ae)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-03 16:49:19 +01:00
Otavio Salvador
4c14b09498 Globally replace 'base_contains' calls with 'bb.utils.contains'
The base_contains is kept as a compatibility method and we ought to
not use it in OE-Core so we can remove it from base metadata in
future.

(From OE-Core rev: d83b16dbf0862be387f84228710cb165c6d2b03b)

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-25 17:19:19 +01:00
Cristian Iorga
81b0b7e54a iptables: upgrade to 1.4.21
(From OE-Core rev: 0be4c3e22e164ee56b658cbcfae748b302b4b531)

Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-12-14 09:11:14 +00:00
Cristian Iorga
d3e982a6c4 iptables: upgrade to 1.4.19.1
fix-iptables-extensions-build-error.patch no longer needed.

(From OE-Core rev: 02971543527e993b60132ddb101a9093efa3f324)

Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-06-07 16:48:28 +01:00
Cristian Iorga
ea65bb430a iptables: upgrade to 1.4.18
fix-link-failure-ip6t-NETMAP.patch removed;
already included in upstream.

(From OE-Core rev: f5f2959391721a98d4259421650d90ccf475b025)

Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-05-12 09:37:28 +01:00
Khem Raj
04cd51c8ac iptables: Turn ipv6 and libnfnetlink support into PACKAGECONFIG
Detection of libnfnetlink is automatic in configure which means
that when you have meta-networking in your cosmos, it would create
a race condition where if libnfnetlink is already staged then it
will be enabled otherwise disabled. The issue happens quite often
with sstate and high parallelism. Since the dependency libnfnetlink
is not part of OE-Core, this patch turns it into a PACKAGECONFIG
which is disabled by default and iptables is patched to provide
the knob.

If you want to enable libnfnetlink support then it can be done
in a bbappend where you are sure that you are also including
meta-networking in your distro.

While at it also turned ipv6 support into packageconfig

(From OE-Core rev: 0332551d90c866c5874529e81819b81b534e14be)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-03-18 21:42:24 +00:00
Cristian Iorga
5e4671b30d iptables: upgrade to 1.4.17
patch added to fix cross-compilation issues

(From OE-Core rev: f6c7d5e0590e3e70fb435e747ffdb9fe586e7bfc)

Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-01-18 13:28:04 +00:00
Marko Lindqvist
d23be09a30 iptables: fix license segment md5sum boundary
Replaced incorrect "firstline" with correct "beginline" for telling
where license segment in file begins. Old md5sum was calculated from
the beginning of the file, not from beginning of the license segment.

(From OE-Core rev: bc36eadd5dee7390977629358cab3f13d6ddcf5c)

Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-01-16 11:57:36 +00:00
Cristian Iorga
aa90e6090d iptables: upgrade to v1.4.16.3
(From OE-Core rev: 88869fc442c9387f70a408b64f874a947909f0d5)

Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-12-26 11:34:08 +00:00
Martin Jansa
8c57766015 iptables: include /usr/share/xtables/pf.os in PN if it's built
* when libnfnetlink is available (provided by
  meta-networking/recipes-filter/libnfnetlink/libnfnetlink_1.0.1.bb)
  it's autodetected and utils subdirectory with pf.os is used.
* unfortunately there isn't configure switch to explicitly disable
  libnfnetlink and it's also in different layer so we cannot add it to
  DEPENDS
* it's nondeterministic, but pf.os is the only difference AFAIK, so not
  worth patching configure switch
* fixes:
  iptables-1.4.15: iptables: Files/directories were installed but not
  shipped
    /usr/share/xtables
    /usr/share/xtables/pf.os

(From OE-Core rev: b789152b56ddbd6761989327cae558558401fd46)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-12-19 17:54:52 +00:00
Constantin Musca
969953eb67 iptables: upgrade to 1.4.15
(From OE-Core rev: e69976e4938e9a5a30a0876052521dd62e97bbac)

Signed-off-by: Constantin Musca <constantinx.musca@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-08-17 18:04:24 +01:00