Render iptables SYNPROXY/CT/SET/SNAT options after the jump target#69693
Open
ggiesen wants to merge 3 commits into
Open
Render iptables SYNPROXY/CT/SET/SNAT options after the jump target#69693ggiesen wants to merge 3 commits into
ggiesen wants to merge 3 commits into
Conversation
build_rule only emitted a fixed whitelist of options after --jump; the SYNPROXY (mss, wscale, sack-perm, timestamp), CT (zone-orig, zone-reply), SET (map-set) and SNAT/MASQUERADE (random-fully) options rendered before -j, producing rules iptables rejects. Add them to the after-jump whitelist. Note: mss is also a tcpmss match option (-m tcpmss --mss), which is now emitted after the jump target. Fixes saltstack#46616
The direct test builds a SYNPROXY rule through the exact argument shape the iptables.append state passes to build_rule (full="True" as a string, plus command="A", family, and the name/table/chain kwargs build_rule must strip), asserting the new --mss/--wscale/--sack-perm/--timestamp options land after the --jump target in the full command line. The inverse test guards against overcorrection: the mark match option (a near-miss sibling of the newly whitelisted mask/mss names) must keep rendering before the jump, and pre-existing whitelist entries (SNAT --to-source/--random) must render unchanged. Claude-Session: https://claude.ai/code/session_01MF2AuQNhBZg4HDt1x6xxCu
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
The after_jump_arguments whitelist in iptables build_rule() was missing SYNPROXY (mss/wscale/sack-perm/timestamps), CT (zone-orig/zone-reply), SET (map-set) and SNAT/MASQUERADE (random-fully) options, so those flags were emitted before -j and iptables rejected the rule. The fix adds the eight option names to the tuple in alphabetical position so they render after the jump target. Added a dedicated unit test test_build_rule_after_jump_arguments and verified it fails on unpatched code (flags appear before --jump) and passes with the fix; changelog notes the mss/tcpmss-match ambiguity.
What issues does this PR fix or reference?
Fixes #46616
Previous Behavior
See #46616.
New Behavior
Render iptables SYNPROXY/CT/SET/SNAT options after the jump target. Validated by a unit test proven to fail on unpatched 3006.x and pass with the fix (confirmed by adversarial review).
Merge requirements satisfied?
Commits signed with GPG?
No