Skip to content

Render iptables SYNPROXY/CT/SET/SNAT options after the jump target#69693

Open
ggiesen wants to merge 3 commits into
saltstack:3006.xfrom
ggiesen:fix-46616-iptables-jump-whitelist
Open

Render iptables SYNPROXY/CT/SET/SNAT options after the jump target#69693
ggiesen wants to merge 3 commits into
saltstack:3006.xfrom
ggiesen:fix-46616-iptables-jump-whitelist

Conversation

@ggiesen

@ggiesen ggiesen commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

The after_jump_arguments whitelist in iptables build_rule() was missing SYNPROXY (mss/wscale/sack-perm/timestamps), CT (zone-orig/zone-reply), SET (map-set) and SNAT/MASQUERADE (random-fully) options, so those flags were emitted before -j and iptables rejected the rule. The fix adds the eight option names to the tuple in alphabetical position so they render after the jump target. Added a dedicated unit test test_build_rule_after_jump_arguments and verified it fails on unpatched code (flags appear before --jump) and passes with the fix; changelog notes the mss/tcpmss-match ambiguity.

What issues does this PR fix or reference?

Fixes #46616

Previous Behavior

See #46616.

New Behavior

Render iptables SYNPROXY/CT/SET/SNAT options after the jump target. Validated by a unit test proven to fail on unpatched 3006.x and pass with the fix (confirmed by adversarial review).

Merge requirements satisfied?

  • Tests written/updated
  • Changelog

Commits signed with GPG?

No

build_rule only emitted a fixed whitelist of options after --jump; the
SYNPROXY (mss, wscale, sack-perm, timestamp), CT (zone-orig,
zone-reply), SET (map-set) and SNAT/MASQUERADE (random-fully) options
rendered before -j, producing rules iptables rejects. Add them to the
after-jump whitelist. Note: mss is also a tcpmss match option
(-m tcpmss --mss), which is now emitted after the jump target.

Fixes saltstack#46616
The direct test builds a SYNPROXY rule through the exact argument shape the
iptables.append state passes to build_rule (full="True" as a string, plus
command="A", family, and the name/table/chain kwargs build_rule must strip),
asserting the new --mss/--wscale/--sack-perm/--timestamp options land after
the --jump target in the full command line. The inverse test guards against
overcorrection: the mark match option (a near-miss sibling of the newly
whitelisted mask/mss names) must keep rendering before the jump, and
pre-existing whitelist entries (SNAT --to-source/--random) must render
unchanged.

Claude-Session: https://claude.ai/code/session_01MF2AuQNhBZg4HDt1x6xxCu
@dwoz dwoz added the test:full Run the full test suite label Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

test:full Run the full test suite

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants