iptables:fix some patches from commity

(cherry picked from commit f95dbe64fef9d75c17303b05ff94dde6ca716ad0)

backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch

@@ -0,0 +1,51 @@
+From b51aef061378b34fa9544b1af34021d89a76547a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 26 Jan 2023 03:27:16 +0100
+Subject: [PATCH] ebtables-translate: Print flush command after parsing is
+ finished
+
+Otherwise, bad calls like 'ebtables-translate -F -F' produce wrong
+output instead of an error message.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=b51aef061378b34fa9544b1af34021d89a76547a
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/xtables-eb-translate.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
+index 99347c0c..da7e5e3d 100644
+--- a/iptables/xtables-eb-translate.c
++++ b/iptables/xtables-eb-translate.c
+@@ -247,13 +247,6 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
+ 			ret = 1;
+ 			break;
+ 		case 'F': /* Flush */
+-			if (p.chain) {
+-				printf("flush chain bridge %s %s\n", p.table, p.chain);
+-			} else {
+-				printf("flush table bridge %s\n", p.table);
+-			}
+-			ret = 1;
+-			break;
+ 		case 'Z': /* Zero counters */
+ 			if (c == 'Z') {
+ 				if ((flags & OPT_ZERO) || (flags & OPT_COMMAND && command != 'L'))
+@@ -506,6 +499,13 @@ print_zero:
+ 
+ 	if (command == 'P') {
+ 		return 0;
++	} else if (command == 'F') {
++			if (p.chain) {
++				printf("flush chain bridge %s %s\n", p.table, p.chain);
++			} else {
++				printf("flush table bridge %s\n", p.table);
++			}
++			ret = 1;
+ 	} else if (command == 'A') {
+ 		ret = nft_rule_eb_xlate_add(h, &p, &cs, true);
+ 		if (!ret)
+-- 
+2.23.0

backport-extensions-among-Fix-for-use-with-ebtables-restore.patch

@@ -0,0 +1,58 @@
+From fca04aa7a53252464c289997e71de10189971da6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 30 Sep 2022 17:51:55 +0200
+Subject: [PATCH] extensions: among: Fix for use with ebtables-restore
+
+When restoring multiple rules which use among match, new size may be
+smaller than the old one which caused invalid writes by the memcpy()
+call. Expect this and realloc the match only if it needs to grow. Also
+use realloc instead of freeing and allocating from scratch.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=fca04aa7a53252464c289997e71de10189971da6
+
+Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ extensions/libebt_among.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
+index c607a775..1eab2019 100644
+--- a/extensions/libebt_among.c
++++ b/extensions/libebt_among.c
+@@ -119,7 +119,6 @@ static int bramong_parse(int c, char **argv, int invert,
+ 		 struct xt_entry_match **match)
+ {
+ 	struct nft_among_data *data = (struct nft_among_data *)(*match)->data;
+-	struct xt_entry_match *new_match;
+ 	bool have_ip, dst = false;
+ 	size_t new_size, cnt;
+ 	struct stat stats;
+@@ -170,18 +169,17 @@ static int bramong_parse(int c, char **argv, int invert,
+ 	new_size *= sizeof(struct nft_among_pair);
+ 	new_size += XT_ALIGN(sizeof(struct xt_entry_match)) +
+ 			sizeof(struct nft_among_data);
+-	new_match = xtables_calloc(1, new_size);
+-	memcpy(new_match, *match, (*match)->u.match_size);
+-	new_match->u.match_size = new_size;
+ 
+-	data = (struct nft_among_data *)new_match->data;
++	if (new_size > (*match)->u.match_size) {
++		*match = xtables_realloc(*match, new_size);
++		(*match)->u.match_size = new_size;
++		data = (struct nft_among_data *)(*match)->data;
++	}
++
+ 	have_ip = nft_among_pairs_have_ip(optarg);
+ 	poff = nft_among_prepare_data(data, dst, cnt, invert, have_ip);
+ 	parse_nft_among_pairs(data->pairs + poff, optarg, cnt, have_ip);
+ 
+-	free(*match);
+-	*match = new_match;
+-
+ 	if (c == AMONG_DST_F || c == AMONG_SRC_F) {
+ 		munmap(argv, flen);
+ 		close(fd);
+-- 
+2.23.0

backport-extensions-libebt_redirect-Fix-xlate-return-code.patch

@@ -0,0 +1,31 @@
+From 8543b6f2f4a3a15a5ece7dd1b320b477ce36a8d5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 16 Nov 2022 13:03:05 +0100
+Subject: [PATCH] extensions: libebt_redirect: Fix xlate return code
+
+The callback is supposed to return 1 on success, not 0.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=8543b6f2f4a3a15a5ece7dd1b320b477ce36a8d5
+
+Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ extensions/libebt_redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
+index 6e653997..4d4c7a02 100644
+--- a/extensions/libebt_redirect.c
++++ b/extensions/libebt_redirect.c
+@@ -86,7 +86,7 @@ static int brredir_xlate(struct xt_xlate *xl,
+ 	xt_xlate_add(xl, "meta set pkttype host");
+ 	if (red->target != EBT_ACCEPT)
+ 		xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
+-	return 0;
++	return 1;
+ }
+ 
+ static struct xtables_target brredirect_target = {
+-- 
+2.23.0

backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch

@@ -0,0 +1,40 @@
+From 800bed28b2b7bbd931166c7426640ae619f03342 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 16 Nov 2022 13:09:16 +0100
+Subject: [PATCH] extensions: libipt_ttl: Sanitize xlate callback
+
+Catch unexpected values in info->mode, also fix indenting.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=800bed28b2b7bbd931166c7426640ae619f03342
+
+Fixes: 1b320a1a1dc1f ("extensions: libipt_ttl: Add translation to nft")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ extensions/libipt_ttl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libipt_ttl.c b/extensions/libipt_ttl.c
+index 6bdd2196..86ba554e 100644
+--- a/extensions/libipt_ttl.c
++++ b/extensions/libipt_ttl.c
+@@ -106,7 +106,7 @@ static int ttl_xlate(struct xt_xlate *xl,
+ 	const struct ipt_ttl_info *info =
+ 		(struct ipt_ttl_info *) params->match->data;
+ 
+-		switch (info->mode) {
++	switch (info->mode) {
+ 		case IPT_TTL_EQ:
+ 			xt_xlate_add(xl, "ip ttl");
+ 			break;
+@@ -121,7 +121,7 @@ static int ttl_xlate(struct xt_xlate *xl,
+ 			break;
+ 		default:
+ 			/* Should not happen. */
+-			break;
++			return 0;
+ 	}
+ 
+ 	xt_xlate_add(xl, " %u", info->ttl);
+-- 
+2.23.0

backport-iptables-Plug-memleaks-in-print_firewall.patch

@@ -0,0 +1,92 @@
+From fb63f8b7337aa11a667537e6a3b399062ede2eb5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 25 Nov 2022 21:35:28 +0100
+Subject: [PATCH] iptables: Plug memleaks in print_firewall()
+
+When adding a rule in verbose mode, valgrind prints:
+
+192 bytes in 1 blocks are definitely lost in loss record 1 of 2
+   at 0x48417E5: malloc (vg_replace_malloc.c:381)
+   by 0x486B158: xtables_malloc (xtables.c:446)
+   by 0x486C1F6: xtables_find_match (xtables.c:826)
+   by 0x10E684: print_match (iptables.c:115)
+   by 0x10E684: print_firewall (iptables.c:169)
+   by 0x10FC0C: print_firewall_line (iptables.c:196)
+   by 0x10FC0C: append_entry (iptables.c:221)
+   by 0x10FC0C: do_command4 (iptables.c:776)
+   by 0x10E45B: iptables_main (iptables-standalone.c:59)
+   by 0x49A2349: (below main) (in /lib64/libc.so.6)
+
+200 bytes in 1 blocks are definitely lost in loss record 2 of 2
+   at 0x48417E5: malloc (vg_replace_malloc.c:381)
+   by 0x486B158: xtables_malloc (xtables.c:446)
+   by 0x486BBD6: xtables_find_target (xtables.c:956)
+   by 0x10E579: print_firewall (iptables.c:145)
+   by 0x10FC0C: print_firewall_line (iptables.c:196)
+   by 0x10FC0C: append_entry (iptables.c:221)
+   by 0x10FC0C: do_command4 (iptables.c:776)
+   by 0x10E45B: iptables_main (iptables-standalone.c:59)
+   by 0x49A2349: (below main) (in /lib64/libc.so.6)
+
+If the match/target was cloned, it needs to be freed. Basically a bug since
+day 1.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=fb63f8b7337aa11a667537e6a3b399062ede2eb5
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/ip6tables.c | 6 ++++++
+ iptables/iptables.c  | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 062b2b15..1d232657 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -122,6 +122,9 @@ print_match(const struct xt_entry_match *m,
+ 			printf("%s%s ", match->name, unsupported_rev);
+ 		else
+ 			printf("%s ", match->name);
++
++		if (match->next == match)
++			free(match);
+ 	} else {
+ 		if (name[0])
+ 			printf("UNKNOWN match `%s' ", name);
+@@ -179,6 +182,9 @@ print_firewall(const struct ip6t_entry *fw,
+ 			tg->print(&fw->ipv6, t, format & FMT_NUMERIC);
+ 		else if (target->print)
+ 			printf(" %s%s", target->name, unsupported_rev);
++
++		if (target->next == target)
++			free(target);
+ 	} else if (t->u.target_size != sizeof(*t))
+ 		printf("[%u bytes of unknown target data] ",
+ 		       (unsigned int)(t->u.target_size - sizeof(*t)));
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index 0351b39f..d246198f 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -122,6 +122,9 @@ print_match(const struct xt_entry_match *m,
+ 			printf("%s%s ", match->name, unsupported_rev);
+ 		else
+ 			printf("%s ", match->name);
++
++		if (match->next == match)
++			free(match);
+ 	} else {
+ 		if (name[0])
+ 			printf("UNKNOWN match `%s' ", name);
+@@ -178,6 +181,9 @@ print_firewall(const struct ipt_entry *fw,
+ 			tg->print(&fw->ip, t, format & FMT_NUMERIC);
+ 		else if (target->print)
+ 			printf(" %s%s", target->name, unsupported_rev);
++
++		if (target->next == target)
++			free(target);
+ 	} else if (t->u.target_size != sizeof(*t))
+ 		printf("[%u bytes of unknown target data] ",
+ 		       (unsigned int)(t->u.target_size - sizeof(*t)));
+-- 
+2.23.0

backport-iptables-restore-Free-handle-with-test-also.patch

@@ -0,0 +1,48 @@
+From 18880dbde615449d00a3e38f3713a19d4566258e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 25 Nov 2022 19:24:38 +0100
+Subject: [PATCH] iptables-restore: Free handle with --test also
+
+When running 'iptables-restore -t', valgrind reports:
+
+1,496 (160 direct, 1,336 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
+   at 0x48417E5: malloc (vg_replace_malloc.c:381)
+   by 0x4857A46: alloc_handle (libiptc.c:1279)
+   by 0x4857A46: iptc_init (libiptc.c:1342)
+   by 0x1167CE: create_handle (iptables-restore.c:72)
+   by 0x1167CE: ip46tables_restore_main (iptables-restore.c:229)
+   by 0x116DAE: iptables_restore_main (iptables-restore.c:388)
+   by 0x49A2349: (below main) (in /lib64/libc.so.6)
+
+Free the handle pointer before parsing the next table.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=18880dbde615449d00a3e38f3713a19d4566258e
+
+Fixes: 1c9015b2cb483 ("libiptc: remove indirections")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/iptables-restore.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 05661bf6..6f7ddf93 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -185,12 +185,12 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
+ 			if (!testing) {
+ 				DEBUGP("Calling commit\n");
+ 				ret = cb->ops->commit(handle);
+-				cb->ops->free(handle);
+-				handle = NULL;
+ 			} else {
+ 				DEBUGP("Not calling commit, testing\n");
+ 				ret = 1;
+ 			}
++			cb->ops->free(handle);
++			handle = NULL;
+ 
+ 			/* Done with the current table, release the lock. */
+ 			if (lock >= 0) {
+-- 
+2.23.0

backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch

@@ -0,0 +1,52 @@
+From aa0c54030300441e9fd66c7016d0090f6736d449 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 25 Nov 2022 21:21:22 +0100
+Subject: [PATCH] nft: Plug memleak in nft_rule_zero_counters()
+
+When zeroing a specific rule, valgrind reports:
+
+40 bytes in 1 blocks are definitely lost in loss record 1 of 1
+   at 0x484659F: calloc (vg_replace_malloc.c:1328)
+   by 0x48DE128: xtables_calloc (xtables.c:434)
+   by 0x11C7C6: nft_parse_immediate (nft-shared.c:1071)
+   by 0x11C7C6: nft_rule_to_iptables_command_state (nft-shared.c:1236)
+   by 0x119AF5: nft_rule_zero_counters (nft.c:2877)
+   by 0x11A3CA: nft_prepare (nft.c:3445)
+   by 0x11A7A8: nft_commit (nft.c:3479)
+   by 0x114258: xtables_main.isra.0 (xtables-standalone.c:94)
+   by 0x1142D9: xtables_ip6_main (xtables-standalone.c:118)
+   by 0x49F2349: (below main) (in /lib64/libc.so.6)
+
+Have to free the matches/target in populated iptables_command_state object
+again. While being at it, call the proper family_ops callbacks since this is
+family-agnostic code.
+
+Conflict: NA
+Reference: https://git.netfilter.org/iptables/commit?id=aa0c54030300441e9fd66c7016d0090f6736d449
+
+Fixes: a69cc575295ee ("xtables: allow to reset the counters of an existing rule")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ iptables/nft.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 67c5877c..430888e8 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -2874,10 +2874,11 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
+ 		goto error;
+ 	}
+ 
+-	nft_rule_to_iptables_command_state(h, r, &cs);
+-
++	h->ops->rule_to_cs(h, r, &cs);
+ 	cs.counters.pcnt = cs.counters.bcnt = 0;
+ 	new_rule = nft_rule_new(h, chain, table, &cs);
++	h->ops->clear_cs(&cs);
++
+ 	if (!new_rule)
+ 		return 1;
+ 
+-- 
+2.23.0

iptables.spec

@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name:		  iptables
 Version:	  1.8.7
-Release:	  11
+Release:	  12
 Summary:	  IP packet filter administration utilities
 License:	  GPLv2 and Artistic Licence 2.0 and ISC
 URL:		  https://www.netfilter.org/
@@ -23,6 +23,14 @@ Patch6:           backport-nft-Expand-extended-error-reporting-to-nft_cmd-too.pa
 Patch7:           backport-xtables-restore-Extend-failure-error-message.patch
 Patch8:           enabled-makecheck-in-extensions.patch
 
+Patch9:           backport-extensions-among-Fix-for-use-with-ebtables-restore.patch
+Patch10:          backport-extensions-libebt_redirect-Fix-xlate-return-code.patch
+Patch11:          backport-extensions-libipt_ttl-Sanitize-xlate-callback.patch
+Patch12:          backport-iptables-restore-Free-handle-with-test-also.patch
+Patch13:          backport-nft-Plug-memleak-in-nft_rule_zero_counters.patch
+Patch14:          backport-iptables-Plug-memleaks-in-print_firewall.patch
+Patch15:          backport-ebtables-translate-Print-flush-command-after-parsing-is-finished.patch
+
 BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
 BuildRequires:    libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel
 BuildRequires:    autogen autoconf automake libtool
@@ -330,6 +338,18 @@ fi
 %{_mandir}/man8/xtables-legacy*
 
 %changelog
+* Tue Mar 21 2023 zhanghao <zhanghao383@huawei.com> - 1.8.7-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:extensions among Fix for use with ebtables restore
+extensions libebt redirect Fix xlate return code
+extensions libipt ttl Sanitize xlate callback
+iptables restore  Free handle with test also
+nft Plug memleak in nft rule zero counters
+iptables Plug memleaks in print firewall
+ebtables translate Print flush command after parsing is finished
+
 * Wed Nov 30 2022 huangyu <huangyu106@huawei.com> - 1.8.7-11
 - Type:feature
 - ID:NA