backport some patches from upstream

(cherry picked from commit 54ff14021f8246aaac6f171eedf8e4d82120d5b3)

backport-Fix-checking-of-conntrack-ctproto.patch

@@ -0,0 +1,95 @@
+From 2e704f6ddd6d056e360f3d9c11e8b6c56a20cf23 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Sat, 23 Nov 2013 08:41:58 +0000
+Subject: extensions: Fix checking of conntrack --ctproto 0
+
+There are three issues in the code:
+1) the check (sinfo->invflags & XT_INV_PROTO) is using the wrong mask
+2) in conntrack_mt_parse it is testing (info->invert_flags &
+   XT_INV_PROTO) before the invert bit has been set.
+3) the sense of the error message is the wrong way round
+
+1) To get the error, ! -ctstatus XXX has to be specified, since
+   XT_INV_PROTO == XT_CONNTRACK_STATUS e.g.
+   | iptables -I CHAIN -m conntrack ! --ctstatus ASSURED --ctproto 0 ...
+
+3) Unlike --proto 0 (where 0 means all protocols), in the conntrack
+   match --ctproto 0 appears to mean protocol 0, which can never be.
+   Therefore --ctproto 0 could never match and ! --ctproto 0 will always
+   match. Both of these should be rejected, since the user clearly
+   cannot be intending what was specified.
+
+The attached patch resolves the issue, and also produces an error
+message if --ctproto 0 is specified (as well as ! --ctproto 0 ), since
+--ctproto 0 will never match, and ! --ctproto 0 will always match.
+
+[Phil: - Added Fixes: tag - it's a day 1 bug
+       - Copied patch description from Bugzilla
+       - Reorganized changes to reduce diff
+       - Added test cases]
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=874
+Fixes: 5054e85be3068 ("general conntrack match module userspace support files")
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=2e704f6ddd6d056e360f3d9c11e8b6c56a20cf23
+
+---
+ extensions/libxt_conntrack.c | 17 ++++++++---------
+ extensions/libxt_conntrack.t |  2 ++
+ 2 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
+index 7734509..3cc678f 100644
+--- a/extensions/libxt_conntrack.c
++++ b/extensions/libxt_conntrack.c
+@@ -346,14 +346,13 @@ static void conntrack_parse(struct xt_option_call *cb)
+ 			sinfo->invflags |= XT_CONNTRACK_STATE;
+ 		break;
+ 	case O_CTPROTO:
++		if (cb->val.protocol == 0)
++			xtables_error(PARAMETER_PROBLEM, cb->invert ?
++				      "condition would always match protocol" :
++				      "rule would never match protocol");
+ 		sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum = cb->val.protocol;
+ 		if (cb->invert)
+ 			sinfo->invflags |= XT_CONNTRACK_PROTO;
+-		if (sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum == 0
+-		    && (sinfo->invflags & XT_INV_PROTO))
+-			xtables_error(PARAMETER_PROBLEM,
+-				   "rule would never match protocol");
+-
+ 		sinfo->flags |= XT_CONNTRACK_PROTO;
+ 		break;
+ 	case O_CTORIGSRC:
+@@ -411,11 +410,11 @@ static void conntrack_mt_parse(struct xt_option_call *cb, uint8_t rev)
+ 			info->invert_flags |= XT_CONNTRACK_STATE;
+ 		break;
+ 	case O_CTPROTO:
++		if (cb->val.protocol == 0)
++			xtables_error(PARAMETER_PROBLEM, cb->invert ?
++				      "conntrack: condition would always match protocol" :
++				      "conntrack: rule would never match protocol");
+ 		info->l4proto = cb->val.protocol;
+-		if (info->l4proto == 0 && (info->invert_flags & XT_INV_PROTO))
+-			xtables_error(PARAMETER_PROBLEM, "conntrack: rule would "
+-			           "never match protocol");
+-
+ 		info->match_flags |= XT_CONNTRACK_PROTO;
+ 		if (cb->invert)
+ 			info->invert_flags |= XT_CONNTRACK_PROTO;
+diff --git a/extensions/libxt_conntrack.t b/extensions/libxt_conntrack.t
+index db53147..2b3c5de 100644
+--- a/extensions/libxt_conntrack.t
++++ b/extensions/libxt_conntrack.t
+@@ -25,3 +25,5 @@
+ -m conntrack --ctstatus EXPECTED;=;OK
+ -m conntrack --ctstatus SEEN_REPLY;=;OK
+ -m conntrack;;FAIL
++-m conntrack --ctproto 0;;FAIL
++-m conntrack ! --ctproto 0;;FAIL
+-- 
+2.33.0
+

backport-Fix-for-non-CIDR-compatible-hostmasks.patch

@@ -0,0 +1,55 @@
+From 41139aee5e53304182a25f1e573f034b313f7232 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 28 Nov 2023 20:21:49 +0100
+Subject: libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
+
+In order to parse the mask, xtopt_parse_hostmask() calls
+xtopt_parse_plenmask() thereby limiting netmask support to prefix
+lengths (alternatively specified in IP address notation).
+
+In order to lift this impractical restriction, make
+xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
+fall back to xtopt_parse_mask() which correctly initializes val.hmask
+itself and indicates non-CIDR-compatible masks by setting val.hlen to
+-1.
+
+So in order to support these odd masks, it is sufficient for
+xtopt_parse_plenmask() to skip its mask building from val.hlen value and
+take whatever val.hmask contains.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=41139aee5e53304182a25f1e573f034b313f7232
+
+---
+ libxtables/xtoptions.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index 0dcdf60..bc14958 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -714,6 +714,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
+ 
+ 	xtopt_parse_plen(cb);
+ 
++	/* may not be convertible to CIDR notation */
++	if (cb->val.hlen == (uint8_t)-1)
++		goto out_put;
++
+ 	memset(mask, 0xFF, sizeof(union nf_inet_addr));
+ 	/* This shifting is AF-independent. */
+ 	if (cb->val.hlen == 0) {
+@@ -734,6 +738,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
+ 	mask[1] = htonl(mask[1]);
+ 	mask[2] = htonl(mask[2]);
+ 	mask[3] = htonl(mask[3]);
++out_put:
+ 	if (entry->flags & XTOPT_PUT)
+ 		memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
+ }
+-- 
+2.33.0
+

backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch

@@ -0,0 +1,33 @@
+From 17d724f20e3c97ea8ce8765ca532a3cf49a98b31 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Sun, 17 Dec 2023 13:02:36 +0100
+Subject: libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
+
+Do as the comment in xtopt_parse_hostmask() claims and omit
+XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
+will catch the incompatibility.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+
+Conflict:There is no need to modify the header file comments
+Reference:https://git.netfilter.org/iptables//commit/?id=17d724f20e3c97ea8ce8765ca532a3cf49a98b31
+
+---
+ libxtables/xtoptions.c | 1 -
+ 1 files changed, 1 deletions(-)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index bc14958..95038c2 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -58,7 +58,6 @@ static const size_t xtopt_psize[] = {
+ 	[XTTYPE_STRING]      = -1,
+ 	[XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t),
+ 	[XTTYPE_HOST]        = sizeof(union nf_inet_addr),
+-	[XTTYPE_HOSTMASK]    = sizeof(union nf_inet_addr),
+ 	[XTTYPE_PROTOCOL]    = sizeof(uint8_t),
+ 	[XTTYPE_PORT]        = sizeof(uint16_t),
+ 	[XTTYPE_PORTRC]      = sizeof(uint16_t[2]),
+-- 
+2.33.0
+

backport-Special-casing-for-among-match-in-compare_matches.patch

@@ -0,0 +1,49 @@
+From 10583537004f7ecd4aa11f6c12b7ba73fb77fc11 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 21 Jul 2023 13:14:36 +0200
+Subject: nft: Special casing for among match in compare_matches()
+
+When other extensions may have "garbage" appended to their data which
+should not be considered for match comparison, among match is the
+opposite in that it extends its data beyond the value in 'size' field.
+Add special casing to cover for this, avoiding false-positive rule
+comparison.
+
+Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=10583537004f7ecd4aa11f6c12b7ba73fb77fc11
+
+---
+ iptables/nft-shared.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index 10553ab..4c20ceb 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -933,6 +933,7 @@ bool compare_matches(struct xtables_rule_match *mt1,
+ 	for (mp1 = mt1, mp2 = mt2; mp1 && mp2; mp1 = mp1->next, mp2 = mp2->next) {
+ 		struct xt_entry_match *m1 = mp1->match->m;
+ 		struct xt_entry_match *m2 = mp2->match->m;
++		size_t cmplen = mp1->match->userspacesize;
+ 
+ 		if (strcmp(m1->u.user.name, m2->u.user.name) != 0) {
+ 			DEBUGP("mismatching match name\n");
+@@ -944,8 +945,10 @@ bool compare_matches(struct xtables_rule_match *mt1,
+ 			return false;
+ 		}
+ 
+-		if (memcmp(m1->data, m2->data,
+-			   mp1->match->userspacesize) != 0) {
++		if (!strcmp(m1->u.user.name, "among"))
++			cmplen = m1->u.match_size - sizeof(*m1);
++
++		if (memcmp(m1->data, m2->data, cmplen) != 0) {
+ 			DEBUGP("mismatch match data\n");
+ 			return false;
+ 		}
+-- 
+2.33.0
+

backport-exit-if-called-by-setuid-executeable.patch

@@ -0,0 +1,36 @@
+From ef7781eb1437a2d6fd37eb3567c599e3ea682b96 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 19 Jul 2021 16:35:09 +0200
+Subject: libxtables: exit if called by setuid executeable
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/patch/?id=ef7781eb1437a2d6fd37eb3567c599e3ea682b96
+
+iptables (legacy or nft, doesn't matter) cannot be safely used with
+setuid binaries.
+
+Add a safety check for this.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ libxtables/xtables.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 9fff1e0d..b261e97b 100644
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -245,6 +245,10 @@ static void dlreg_free(void)
+ 
+ void xtables_init(void)
+ {
++	/* xtables cannot be used with setuid in a safe way. */
++	if (getuid() != geteuid())
++		_exit(111);
++
+ 	xtables_libdir = getenv("XTABLES_LIBDIR");
+ 	if (xtables_libdir != NULL)
+ 		return;
+-- 
+cgit v1.2.3
+

backport-fix-for-non-verbose-check-command.patch

@@ -0,0 +1,33 @@
+From 57d1422dbbc41c36ed2e9f6c67aa040c65a429a0 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 3 Aug 2021 10:55:20 +0200
+Subject: nft: Fix for non-verbose check command
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/patch/?id=57d1422dbbc41c36ed2e9f6c67aa040c65a429a0
+
+Check command was unconditionally verbose since v1.8.5. Make it respect
+--verbose option again.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index f1deb82f..795dff86 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3126,7 +3126,7 @@ static int nft_prepare(struct nft_handle *h)
+ 		case NFT_COMPAT_RULE_CHECK:
+ 			assert_chain_exists(h, cmd->table, cmd->jumpto);
+ 			ret = nft_rule_check(h, cmd->chain, cmd->table,
+-					     cmd->obj.rule, cmd->rulenum);
++					     cmd->obj.rule, cmd->verbose);
+ 			break;
+ 		case NFT_COMPAT_RULE_ZERO:
+ 			ret = nft_rule_zero_counters(h, cmd->chain, cmd->table,
+-- 
+cgit v1.2.3
+

backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch

@@ -0,0 +1,39 @@
+From 43f78733059ecd28d8567d8205cab5ed62d93458 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 3 Aug 2023 17:59:03 +0200
+Subject: Revert "libiptc: fix wrong maptype of base chain counters on restore"
+
+This reverts commit 7c4d668c9c2ee007c82063b7fc784cbbf46b2ec4.
+
+The change can't be right: A simple rule append call will reset all
+built-in chains' counters. The old code works fine even given the
+mentioned "empty restore" use-case, at least if counters don't change on
+the fly in-kernel.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=912
+Fixes: 7c4d668c9c2ee ("libiptc: fix wrong maptype of base chain counters on restore")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables//commit/?id=43f78733059ecd28d8567d8205cab5ed62d93458
+
+---
+ libiptc/libiptc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
+index ceeb017..2deccd6 100644
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -813,7 +813,7 @@ static int __iptcc_p_del_policy(struct xtc_handle *h, unsigned int num)
+ 
+ 		/* save counter and counter_map information */
+ 		h->chain_iterator_cur->counter_map.maptype =
+-						COUNTER_MAP_ZEROED;
++						COUNTER_MAP_NORMAL_MAP;
+ 		h->chain_iterator_cur->counter_map.mappos = num-1;
+ 		memcpy(&h->chain_iterator_cur->counters, &pr->entry->counters,
+ 			sizeof(h->chain_iterator_cur->counters));
+-- 
+2.33.0
+

backport-libipt_icmp-Fix-confusion-between-255-and-any.patch

@@ -0,0 +1,56 @@
+From 5b5430d627bbc227a2d51d4312c371f2015834c6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 1 Aug 2023 23:28:20 +0200
+Subject: extensions: libipt_icmp: Fix confusion between 255/255 and any
+
+Per definition, ICMP type "any" is type 255 and the full range of codes
+(0-255). Save callback though ignored the actual code values, printing
+"any" for every type 255 match. This at least confuses users as they
+can't find their rule added as '--icmp-type 255/255' anymore.
+
+It is not entirely clear what the fixed commit was trying to establish,
+but the save output is certainly not correct (especially since print
+callback gets things right).
+
+Reported-by: Amelia Downs <adowns@vmware.com>
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1600
+Fixes: fc9237da4e845 ("Fix '-p icmp -m icmp' issue (Closes: #37)")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:The front patch be8c605 is not integrated. As a result, test cases need to be adapted.
+Reference:https://git.netfilter.org/iptables//commit/?id=5b5430d627bbc227a2d51d4312c371f2015834c6
+
+---
+ extensions/libipt_icmp.c | 3 ++-
+ extensions/libipt_icmp.t | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
+index e5e2366..b06fdee 100644
+--- a/extensions/libipt_icmp.c
++++ b/extensions/libipt_icmp.c
+@@ -216,7 +216,8 @@ static void icmp_save(const void *ip, const struct xt_entry_match *match)
+ 		printf(" !");
+ 
+ 	/* special hack for 'any' case */
+-	if (icmp->type == 0xFF) {
++	if (icmp->type == 0xFF &&
++	    icmp->code[0] == 0 && icmp->code[1] == 0xFF) {
+ 		printf(" --icmp-type any");
+ 	} else {
+ 		printf(" --icmp-type %u", icmp->type);
+diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t
+index 09771a3..44a1144 100644
+--- a/extensions/libipt_icmp.t
++++ b/extensions/libipt_icmp.t
+@@ -13,6 +13,7 @@
+ # we accept "iptables -I INPUT -p tcp -m tcp", why not this below?
+ # ERROR: cannot load: iptables -A INPUT -p icmp -m icmp
+ # -p icmp -m icmp;=;OK
++-p icmp -m icmp --icmp-type 255/255;=;OK
+ -p icmp -m icmp ! --icmp-type 1/0;=;OK
+ -p icmp -m icmp --icmp-type router;;FAIL
+ -p icmp -m icmp --icmp-type -1;;FAIL
+-- 
+2.33.0
+

backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch

@@ -0,0 +1,85 @@
+From e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 12 Oct 2023 17:27:42 +0200
+Subject: libiptc: Fix for another segfault due to chain index NULL pointer
+
+Chain rename code missed to adjust the num_chains value which is used to
+calculate the number of chain index buckets to allocate during an index
+rebuild. So with the right number of chains present, the last chain in a
+middle bucket being renamed (and ending up in another bucket) triggers
+an index rebuild based on false data. The resulting NULL pointer index
+bucket then causes a segfault upon reinsertion.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
+Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620
+---
+ .../shell/testcases/chain/0008rename-segfault2_0   | 32 ++++++++++++++++++++++
+ libiptc/libiptc.c                                  |  4 +++
+ 2 files changed, 36 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+
+diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+new file mode 100755
+index 00000000..bc473d25
+--- /dev/null
++++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+@@ -0,0 +1,32 @@
++#!/bin/bash
++#
++# Another funny rename bug in libiptc:
++# If there is a chain index bucket with only a single chain in it and it is not
++# the last one and that chain is renamed, a chain index rebuild is triggered.
++# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an
++# extra index is allocated and remains NULL. The following insert of renamed
++# chain then segfaults.
++
++(
++	echo "*filter"
++	# first bucket
++	for ((i = 0; i < 40; i++)); do
++		echo ":chain-a-$i - [0:0]"
++	done
++	# second bucket
++	for ((i = 0; i < 40; i++)); do
++		echo ":chain-b-$i - [0:0]"
++	done
++	# third bucket, just make sure it exists
++	echo ":chain-c-0 - [0:0]"
++	echo "COMMIT"
++) | $XT_MULTI iptables-restore
++
++# rename all chains of the middle bucket
++(
++	echo "*filter"
++	for ((i = 0; i < 40; i++)); do
++		echo "-E chain-b-$i chain-d-$i"
++	done
++	echo "COMMIT"
++) | $XT_MULTI iptables-restore --noflush
+diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
+index e4750633..9712a363 100644
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
+ 		return 0;
+ 	}
+ 
++	handle->num_chains--;
++
+ 	/* This only unlinks "c" from the list, thus no free(c) */
+ 	iptcc_chain_index_delete_chain(c, handle);
+ 
+ 	/* Change the name of the chain */
+ 	strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1);
+ 
++	handle->num_chains++;
++
+ 	/* Insert sorted into to list again */
+ 	iptc_insert_chain(handle, c);
+ 
+-- 
+cgit v1.2.3
+

backport-libiptc-Fix-for-segfault-when-renaming-a-chain.patch

@@ -0,0 +1,69 @@
+From 97bf4e68fc0794adba3243fd96f40f4568e7216f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 7 Oct 2022 18:29:07 +0200
+Subject: libiptc: Fix for segfault when renaming a chain
+
+This is an odd bug: If the number of chains is right and one renames the
+last one in the list, libiptc dereferences a NULL pointer. Add fix and
+test case for it.
+
+Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
+Reported-by: Julien Castets <castets.j@gmail.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=97bf4e68fc0794adba3243fd96f40f4568e7216f
+---
+ .../tests/shell/testcases/chain/0006rename-segfault_0 | 19 +++++++++++++++++++
+ libiptc/libiptc.c                                     |  9 +++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/chain/0006rename-segfault_0
+
+diff --git a/iptables/tests/shell/testcases/chain/0006rename-segfault_0 b/iptables/tests/shell/testcases/chain/0006rename-segfault_0
+new file mode 100755
+index 00000000..c10a8006
+--- /dev/null
++++ b/iptables/tests/shell/testcases/chain/0006rename-segfault_0
+@@ -0,0 +1,19 @@
++#!/bin/bash
++#
++# Cover for a bug in libiptc:
++# - the chain 'node-98-tmp' is the last in the list sorted by name
++# - there are 81 chains in total, so three chain index buckets
++# - the last index bucket contains only the 'node-98-tmp' chain
++# => rename temporarily removes it from the bucket, leaving a NULL bucket
++#    behind which is dereferenced later when inserting the chain again with new
++#    name again
++
++(
++	echo "*filter"
++	for chain in node-1 node-10 node-101 node-102 node-104 node-107 node-11 node-12 node-13 node-14 node-15 node-16 node-17 node-18 node-19 node-2 node-20 node-21 node-22 node-23 node-25 node-26 node-27 node-28 node-29 node-3 node-30 node-31 node-32 node-33 node-34 node-36 node-37 node-39 node-4 node-40 node-41 node-42 node-43 node-44 node-45 node-46 node-47 node-48 node-49 node-5 node-50 node-51 node-53 node-54 node-55 node-56 node-57 node-58 node-59 node-6 node-60 node-61 node-62 node-63 node-64 node-65 node-66 node-68 node-69 node-7 node-70 node-71 node-74 node-75 node-76 node-8 node-80 node-81 node-86 node-89 node-9 node-92 node-93 node-95 node-98-tmp; do
++		echo ":$chain - [0:0]"
++	done
++	echo "COMMIT"
++) | $XT_MULTI iptables-restore
++$XT_MULTI iptables -E node-98-tmp node-98
++exit $?
+diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
+index ceeb017b..97823f93 100644
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -606,6 +606,15 @@ static int iptcc_chain_index_delete_chain(struct chain_head *c, struct xtc_handl
+ 
+ 	if (index_ptr == &c->list) { /* Chain used as index ptr */
+ 
++		/* If this is the last chain in the list, its index bucket just
++		 * became empty. Adjust the size to avoid a NULL-pointer deref
++		 * later.
++		 */
++		if (next == &h->chains) {
++			h->chain_index_sz--;
++			return 0;
++		}
++
+ 		/* See if its possible to avoid a rebuild, by shifting
+ 		 * to next pointer.  Its possible if the next pointer
+ 		 * is located in the same index bucket.
+-- 
+cgit v1.2.3
+

backport-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch

@@ -0,0 +1,31 @@
+From ffe88f8f01263687e82ef4d3d2bdc0cb5444711e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 11:04:30 +0200
+Subject: libxtables: Fix memleak in xtopt_parse_hostmask()
+
+The allocated hostmask duplicate needs to be freed again.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=ffe88f8f01263687e82ef4d3d2bdc0cb5444711e
+---
+ libxtables/xtoptions.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index d329f2ff..0dcdf607 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
+ 	cb->arg = p;
+ 	xtopt_parse_plenmask(cb);
+ 	cb->arg = orig_arg;
++	free(work);
+ }
+ 
+ static void xtopt_parse_ethermac(struct xt_option_call *cb)
+-- 
+cgit v1.2.3
+

backport-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch

@@ -0,0 +1,36 @@
+From eab75ed36a4f204ddab0c40ba42c5a300634d5c3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 2 Jun 2021 11:55:20 +0200
+Subject: nft: Avoid memleak in error path of nft_cmd_new()
+
+If rule allocation fails, free the allocated 'cmd' before returning to
+caller.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=eab75ed36a4f204ddab0c40ba42c5a300634d5c3
+---
+ iptables/nft-cmd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index f2b935c5..c3f6c14e 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 
+ 	if (state) {
+ 		rule = nft_rule_new(h, chain, table, state);
+-		if (!rule)
++		if (!rule) {
++			nft_cmd_free(cmd);
+ 			return NULL;
++		}
+ 
+ 		cmd->obj.rule = rule;
+ 
+-- 
+cgit v1.2.3
+

backport-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch

@@ -0,0 +1,32 @@
+From ca11c7b7036b5821c17b8d08dc2a29f55b461a93 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 31 Aug 2021 12:26:20 +0200
+Subject: nft: Use xtables_malloc() in mnl_err_list_node_add()
+
+The function called malloc() without checking for memory allocation
+failure. Simply replace the call by xtables_malloc() to fix that.
+
+Fixes: 4e2020952d6f9 ("xtables: use libnftnl batch API")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=ca11c7b7036b5821c17b8d08dc2a29f55b461a93
+---
+ iptables/nft.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 795dff86..a470939d 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -143,7 +143,7 @@ struct mnl_err {
+ static void mnl_err_list_node_add(struct list_head *err_list, int error,
+ 				  int seqnum)
+ {
+-	struct mnl_err *err = malloc(sizeof(struct mnl_err));
++	struct mnl_err *err = xtables_malloc(sizeof(struct mnl_err));
+ 
+ 	err->seqnum = seqnum;
+ 	err->err = error;
+-- 
+cgit v1.2.3

backport-use-fully-random-so-that-nft-can-understand.patch

@@ -0,0 +1,60 @@
+From 943fbf3e1850ae1f52f29c2f4f2aca399779b368 Mon Sep 17 00:00:00 2001
+From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Date: Wed, 4 Aug 2021 18:50:57 +0300
+Subject: ip6tables: masquerade: use fully-random so that nft can understand
+ the rule
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/patch/?id=943fbf3e1850ae1f52f29c2f4f2aca399779b368
+
+Here is the problem:
+
+[]# nft -v
+nftables v0.9.8 (E.D.S.)
+[]# iptables-nft -v
+iptables v1.8.7 (nf_tables): no command specified
+Try `iptables -h' or 'iptables --help' for more information.
+[]# nft flush ruleset
+[]# ip6tables-nft -t nat -A POSTROUTING  -j MASQUERADE --random-full
+[]# nft list ruleset
+table ip6 nat {
+	chain POSTROUTING {
+		type nat hook postrouting priority srcnat; policy accept;
+		counter packets 0 bytes 0 masquerade  random-fully
+	}
+}
+[]# nft list ruleset > /tmp/ruleset
+[]# nft flush ruleset
+[]# nft -f /tmp/ruleset
+/tmp/ruleset:4:54-54: Error: syntax error, unexpected newline
+		counter packets 0 bytes 0 masquerade  random-fully
+
+That's because nft list ruleset saves "random-fully" which is wrong
+format for nft -f, right should be "fully-random".
+
+We face this problem because we run k8s in Virtuozzo container, and k8s
+creates those "random-fully" rules by iptables(nft) and then CRIU can't
+restore those rules using nft.
+
+Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ extensions/libip6t_MASQUERADE.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libip6t_MASQUERADE.c b/extensions/libip6t_MASQUERADE.c
+index f92760fa..f28f071b 100644
+--- a/extensions/libip6t_MASQUERADE.c
++++ b/extensions/libip6t_MASQUERADE.c
+@@ -163,7 +163,7 @@ static int MASQUERADE_xlate(struct xt_xlate *xl,
+ 
+ 	xt_xlate_add(xl, " ");
+ 	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+-		xt_xlate_add(xl, "random-fully ");
++		xt_xlate_add(xl, "fully-random ");
+ 
+ 	return 1;
+ }
+-- 
+cgit v1.2.3
+

iptables.spec

@@ -2,36 +2,50 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name:		  iptables
 Version:	  1.8.7
-Release:	  14
+Release:	  15
 Summary:	  IP packet filter administration utilities
 License:	  GPLv2 and Artistic Licence 2.0 and ISC
 URL:		  https://www.netfilter.org/
 Source0:  	  https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2
-Source1:          iptables.init
-Source2:          iptables-config
-Source3:          iptables.service
-Source4:          sysconfig_iptables
-Source5:          sysconfig_ip6tables
+Source1:      iptables.init
+Source2:      iptables-config
+Source3:      iptables.service
+Source4:      sysconfig_iptables
+Source5:      sysconfig_ip6tables
 
 Patch0:		  bugfix-add-check-fw-in-entry.patch
-Patch1:           tests-extensions-add-some-testcases.patch
-Patch2:           backport-xshared-Fix-response-to-unprivileged-users.patch
-Patch3:           backport-Improve-error-messages-for-unsupported-extensions.patch
-Patch4:           backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
-Patch5:           backport-libxtables-Register-only-the-highest-revision-extension.patch
-Patch6:           backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
-Patch7:           backport-xtables-restore-Extend-failure-error-message.patch
-Patch8:           enabled-makecheck-in-extensions.patch
+Patch1:       tests-extensions-add-some-testcases.patch
+Patch2:	      backport-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
+Patch3:	      backport-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
+Patch4:	      backport-exit-if-called-by-setuid-executeable.patch
+Patch5:	      backport-fix-for-non-verbose-check-command.patch
+Patch6:	      backport-use-fully-random-so-that-nft-can-understand.patch
+Patch7:	      backport-nft-Use-xtables_malloc-in-mnl_err_list_node_add.patch
+Patch8:       backport-xshared-Fix-response-to-unprivileged-users.patch
+Patch9:       backport-Improve-error-messages-for-unsupported-extensions.patch
+Patch10:      backport-nft-Fix-EPERM-handling-for-extensions-without-rev-0.patch
+Patch11:      backport-libxtables-Register-only-the-highest-revision-extension.patch
+Patch12:      backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.patch
+Patch13:      backport-xtables-restore-Extend-failure-error-message.patch
+Patch14:      enabled-makecheck-in-extensions.patch
 
-Patch9:           backport-extensions-among-Fix-for-use-with-ebtables-restore.patch
-Patch10:          backport-extensions-libebt_redirect-Fix-xlate-return-code.patch
-Patch11:          backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch
-Patch12:          backport-iptables-restore-Free-handle-with-test-also.patch
-Patch13:          backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch
-Patch14:          backport-iptables-Plug-memleaks-in-print_firewall.patch
-Patch15:          backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
-Patch16:          backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch
-Patch17:          backport-iptables-Fix-handling-of-non-existent-chains.patch
+Patch15:      backport-extensions-among-Fix-for-use-with-ebtables-restore.patch
+Patch16:      backport-extensions-libebt_redirect-Fix-xlate-return-code.patch
+Patch17:      backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch
+Patch18:      backport-iptables-restore-Free-handle-with-test-also.patch
+Patch19:      backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch
+Patch20:      backport-iptables-Plug-memleaks-in-print_firewall.patch
+Patch21:      backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
+Patch22:      backport-xtables-eb-fix-crash-when-opts-isn-t-reallocated.patch
+Patch23:      backport-iptables-Fix-handling-of-non-existent-chains.patch
+Patch24:      backport-Special-casing-for-among-match-in-compare_matches.patch
+Patch25:      backport-libipt_icmp-Fix-confusion-between-255-and-any.patch
+Patch26:      backport-fix-wrong-maptype-of-base-chain-counters-on-restore.patch
+Patch27:      backport-Fix-checking-of-conntrack-ctproto.patch
+Patch28:      backport-Fix-for-non-CIDR-compatible-hostmasks.patch
+Patch29:      backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch
+Patch30:      backport-libiptc-Fix-for-segfault-when-renaming-a-chain.patch
+Patch31:      backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch
 
 BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
 BuildRequires:    libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
@@ -340,6 +354,25 @@ fi
 %{_mandir}/man8/xtables-legacy*
 
 %changelog
+* Thu Apr 18 2024 yanglu <yanglu72@h-partners.com> - 1.8.7-15
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:libxtables：Fix memleak in xtopt_parse_hostmask
+       nft：Avoid memleak in error path of nft_cmd_new
+       exit if called by setuid executeable
+       fix for non verbose check command
+       use fully random so that nft can understand
+       Use xtables_malloc in mnl_err_list_node_add
+       nft: Special casing for among match in compare_matches
+       extensions: libipt_icmp: Fix confusion between 255/255 and any
+       Revert libiptc: fix wrong maptype of base chain counters on restore
+       extensions: Fix checking of conntrack --ctproto 0
+       libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
+       libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
+       libiptc: Fix for another segfault due to chain index NULL pointer
+       libiptc: Fix for segfault when renaming a chain
+
 * Mon Aug 14 2023 zhanghao <zhanghao383@huawei.com> - 1.8.7-14
 - Type:bugfix
 - CVE:NA