Skip to content

Render iptables SYNPROXY/CT/SET/SNAT options after the jump target#69693

Open
ggiesen wants to merge 3 commits into
saltstack:3006.xfrom
ggiesen:fix-46616-iptables-jump-whitelist
Open

Render iptables SYNPROXY/CT/SET/SNAT options after the jump target#69693
ggiesen wants to merge 3 commits into
saltstack:3006.xfrom
ggiesen:fix-46616-iptables-jump-whitelist

Conversation

@ggiesen

@ggiesen ggiesen commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

The after_jump_arguments whitelist in iptables build_rule() was missing SYNPROXY (mss/wscale/sack-perm/timestamps), CT (zone-orig/zone-reply), SET (map-set) and SNAT/MASQUERADE (random-fully) options, so those flags were emitted before -j and iptables rejected the rule. The fix adds the eight option names to the tuple in alphabetical position so they render after the jump target. Added a dedicated unit test test_build_rule_after_jump_arguments and verified it fails on unpatched code (flags appear before --jump) and passes with the fix; changelog notes the mss/tcpmss-match ambiguity.

What issues does this PR fix or reference?

Fixes #46616

Previous Behavior

See #46616.

New Behavior

Render iptables SYNPROXY/CT/SET/SNAT options after the jump target. Validated by a unit test proven to fail on unpatched 3006.x and pass with the fix (confirmed by adversarial review).

Merge requirements satisfied?

  • Tests written/updated
  • Changelog

Commits signed with GPG?

No

build_rule only emitted a fixed whitelist of options after --jump; the
SYNPROXY (mss, wscale, sack-perm, timestamp), CT (zone-orig,
zone-reply), SET (map-set) and SNAT/MASQUERADE (random-fully) options
rendered before -j, producing rules iptables rejects. Add them to the
after-jump whitelist. Note: mss is also a tcpmss match option
(-m tcpmss --mss), which is now emitted after the jump target.

Fixes saltstack#46616
The direct test builds a SYNPROXY rule through the exact argument shape the
iptables.append state passes to build_rule (full="True" as a string, plus
command="A", family, and the name/table/chain kwargs build_rule must strip),
asserting the new --mss/--wscale/--sack-perm/--timestamp options land after
the --jump target in the full command line. The inverse test guards against
overcorrection: the mark match option (a near-miss sibling of the newly
whitelisted mask/mss names) must keep rendering before the jump, and
pre-existing whitelist entries (SNAT --to-source/--random) must render
unchanged.

Claude-Session: https://claude.ai/code/session_01MF2AuQNhBZg4HDt1x6xxCu
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant