diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..70aad83
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libnftnl-1.0.8.tar.bz2
diff --git a/.libnftnl.metadata b/.libnftnl.metadata
new file mode 100644
index 0000000..558b5d2
--- /dev/null
+++ b/.libnftnl.metadata
@@ -0,0 +1 @@
+8f9cb4983b54092478ade39f78b2850062729f4b SOURCES/libnftnl-1.0.8.tar.bz2
diff --git a/SOURCES/0001-data_reg-Add-a-missing-break-in-nftnl_data_reg_snpri.patch b/SOURCES/0001-data_reg-Add-a-missing-break-in-nftnl_data_reg_snpri.patch
new file mode 100644
index 0000000..ad2e01f
--- /dev/null
+++ b/SOURCES/0001-data_reg-Add-a-missing-break-in-nftnl_data_reg_snpri.patch
@@ -0,0 +1,47 @@
+From 0809d0fbaabbeafd5034aaf829e1b84d10cb64e1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 22 Jul 2019 17:34:25 +0200
+Subject: [PATCH] data_reg: Add a missing break in nftnl_data_reg_snprintf
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1510538
+Upstream Status: libnftnl commit 4177002b26f02
+
+commit 4177002b26f025891cc509b54dc76bcf98f1c35f
+Author: Phil Sutter
+Date: Thu Dec 14 20:40:20 2017 +0100
+
+ data_reg: Add a missing break in nftnl_data_reg_snprintf
+
+ The code works fine as-is, but if reg_type == DATA_VALUE &&
+ output_format == NFTNL_OUTPUT_XML, we fall through to DATA_CHAIN case
+ and therefore pointlessly check output_format again.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/expr/data_reg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
+index a246952..7023202 100644
+--- a/src/expr/data_reg.c
++++ b/src/expr/data_reg.c
+@@ -207,6 +207,7 @@ int nftnl_data_reg_snprintf(char *buf, size_t size,
+ default:
+ break;
+ }
++ break;
+ case DATA_VERDICT:
+ case DATA_CHAIN:
+ switch(output_format) {
+@@ -220,6 +221,7 @@ int nftnl_data_reg_snprintf(char *buf, size_t size,
+ default:
+ break;
+ }
++ break;
+ default:
+ break;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/0002-gen-Remove-a-pointless-call-to-mnl_nlmsg_get_payload.patch b/SOURCES/0002-gen-Remove-a-pointless-call-to-mnl_nlmsg_get_payload.patch
new file mode 100644
index 0000000..975fd02
--- /dev/null
+++ b/SOURCES/0002-gen-Remove-a-pointless-call-to-mnl_nlmsg_get_payload.patch
@@ -0,0 +1,43 @@
+From c837a18ced48cac1ac221e8213a6851c6636476e Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 22 Jul 2019 17:34:25 +0200
+Subject: [PATCH] gen: Remove a pointless call to mnl_nlmsg_get_payload()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1510538
+Upstream Status: libnftnl commit fd9ab5c922cd8
+
+commit fd9ab5c922cd8d15e8f0251c70bcd9532158e9b0
+Author: Phil Sutter
+Date: Thu Dec 14 20:40:21 2017 +0100
+
+ gen: Remove a pointless call to mnl_nlmsg_get_payload()
+
+ It is a common idiom in all *_nlmsg_parse() functions, but
+ nftnl_gen_nlmsg_parse() doesn't make use of the data pointer and the
+ compiler probably can't eliminate it since there could be a side-effect.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/gen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/gen.c b/src/gen.c
+index 58b3a96..eafb015 100644
+--- a/src/gen.c
++++ b/src/gen.c
+@@ -143,9 +143,9 @@ static int nftnl_gen_parse_attr_cb(const struct nlattr *attr, void *data)
+ int nftnl_gen_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_gen *gen)
+ {
+ struct nlattr *tb[NFTA_GEN_MAX + 1] = {};
+- struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh);
+
+- if (mnl_attr_parse(nlh, sizeof(*nfg), nftnl_gen_parse_attr_cb, tb) < 0)
++ if (mnl_attr_parse(nlh, sizeof(struct nfgenmsg),
++ nftnl_gen_parse_attr_cb, tb) < 0)
+ return -1;
+
+ if (tb[NFTA_GEN_ID]) {
+--
+1.8.3.1
+
diff --git a/SOURCES/0003-object-Avoid-returning-garbage-in-nftnl_obj_do_parse.patch b/SOURCES/0003-object-Avoid-returning-garbage-in-nftnl_obj_do_parse.patch
new file mode 100644
index 0000000..d45ae54
--- /dev/null
+++ b/SOURCES/0003-object-Avoid-returning-garbage-in-nftnl_obj_do_parse.patch
@@ -0,0 +1,40 @@
+From 307bdafb53adb68f78816dec22e45dd18960ec33 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 22 Jul 2019 17:34:25 +0200
+Subject: [PATCH] object: Avoid returning garbage in nftnl_obj_do_parse()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1510538
+Upstream Status: libnftnl commit 8f228f6842494
+
+commit 8f228f6842494ea7f83ff9aaa19ec32681628c9f
+Author: Phil Sutter
+Date: Thu Dec 14 20:40:22 2017 +0100
+
+ object: Avoid returning garbage in nftnl_obj_do_parse()
+
+ It may happen that 'perr' variable does not get initialized, so making
+ parameter 'err' point to it in any case is error-prone. Avoid this by
+ initializing 'perr' upon declaration.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/object.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/object.c b/src/object.c
+index 9a4ee71..da3423b 100644
+--- a/src/object.c
++++ b/src/object.c
+@@ -358,7 +358,7 @@ static int nftnl_obj_do_parse(struct nftnl_obj *obj, enum nftnl_parse_type type,
+ const void *data, struct nftnl_parse_err *err,
+ enum nftnl_parse_input input)
+ {
+- struct nftnl_parse_err perr;
++ struct nftnl_parse_err perr = {};
+ int ret;
+
+ switch (type) {
+--
+1.8.3.1
+
diff --git a/SOURCES/0004-ruleset-Avoid-reading-garbage-in-nftnl_ruleset_cb.patch b/SOURCES/0004-ruleset-Avoid-reading-garbage-in-nftnl_ruleset_cb.patch
new file mode 100644
index 0000000..f9815ba
--- /dev/null
+++ b/SOURCES/0004-ruleset-Avoid-reading-garbage-in-nftnl_ruleset_cb.patch
@@ -0,0 +1,49 @@
+From 3620cf73a4e58e08891d3188a6a4c06a16546fe0 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 22 Jul 2019 17:34:25 +0200
+Subject: [PATCH] ruleset: Avoid reading garbage in nftnl_ruleset_cb()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1510538
+Upstream Status: libnftnl commit dbaf6ea8f6a1a
+
+commit dbaf6ea8f6a1a1e7f1d5abc2e4e2fef891c471b7
+Author: Phil Sutter
+Date: Thu Dec 14 20:40:23 2017 +0100
+
+ ruleset: Avoid reading garbage in nftnl_ruleset_cb()
+
+ If nftnl_ruleset_json_parse() is called with arg == NULL, ctx.data is
+ left uninitialized and will later be used in nftnl_ruleset_cb(). Avoid
+ this by using a C99-style initializer for 'ctx' which sets all omitted
+ fields to zero.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/ruleset.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/ruleset.c b/src/ruleset.c
+index 3de9b87..cf86ca6 100644
+--- a/src/ruleset.c
++++ b/src/ruleset.c
+@@ -519,11 +519,11 @@ static int nftnl_ruleset_json_parse(const void *json,
+ json_error_t error;
+ int i, len;
+ const char *key;
+- struct nftnl_parse_ctx ctx;
+-
+- ctx.cb = cb;
+- ctx.format = type;
+- ctx.flags = 0;
++ struct nftnl_parse_ctx ctx = {
++ .cb = cb,
++ .format = type,
++ .flags = 0,
++ };
+
+ ctx.set_list = nftnl_set_list_alloc();
+ if (ctx.set_list == NULL)
+--
+1.8.3.1
+
diff --git a/SOURCES/0005-set_elem-Don-t-return-garbage-in-nftnl_set_elems_par.patch b/SOURCES/0005-set_elem-Don-t-return-garbage-in-nftnl_set_elems_par.patch
new file mode 100644
index 0000000..738363e
--- /dev/null
+++ b/SOURCES/0005-set_elem-Don-t-return-garbage-in-nftnl_set_elems_par.patch
@@ -0,0 +1,40 @@
+From 3ac27a998613799b4e0245443c27af6f718d245d Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 22 Jul 2019 17:34:25 +0200
+Subject: [PATCH] set_elem: Don't return garbage in nftnl_set_elems_parse()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1510538
+Upstream Status: libnftnl commit 8bcf10b504c69
+
+commit 8bcf10b504c692deb3c98d395f42d34141f21e59
+Author: Phil Sutter
+Date: Thu Dec 14 20:40:24 2017 +0100
+
+ set_elem: Don't return garbage in nftnl_set_elems_parse()
+
+ This might happen if netlink message is malformed (no nested attributes
+ are present), so treat this as an error and return -1 instead of
+ garbage to caller.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/set_elem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/set_elem.c b/src/set_elem.c
+index e45dbc6..71c279a 100644
+--- a/src/set_elem.c
++++ b/src/set_elem.c
+@@ -490,7 +490,7 @@ nftnl_set_elem_list_parse_attr_cb(const struct nlattr *attr, void *data)
+ static int nftnl_set_elems_parse(struct nftnl_set *s, const struct nlattr *nest)
+ {
+ struct nlattr *attr;
+- int ret;
++ int ret = -1;
+
+ mnl_attr_for_each_nested(attr, nest) {
+ if (mnl_attr_get_type(attr) != NFTA_LIST_ELEM)
+--
+1.8.3.1
+
diff --git a/SOURCES/0006-trace-Check-return-value-of-mnl_attr_parse_nested.patch b/SOURCES/0006-trace-Check-return-value-of-mnl_attr_parse_nested.patch
new file mode 100644
index 0000000..aff7621
--- /dev/null
+++ b/SOURCES/0006-trace-Check-return-value-of-mnl_attr_parse_nested.patch
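Review bot: The new `int ret = -1;` silently changes nftnl_set_elems_parse()'s contract — a NFTA_SET_ELEM_LIST_ELEMENTS nest with no NFTA_LIST_ELEM child is now an error instead of returning an indeterminate stack value — but nothing in the hunk records that intent, and the loop body that overwrites ret runs past the end of the hunk. A one-line comment on the initializer keeps the next reader from "cleaning it up" back to an uninitialized declaration: `int ret = -1;	/* stays -1 if no NFTA_LIST_ELEM is found: treat an empty nest as malformed */`. Whether the kernel can legitimately send an empty elements nest (for example when dumping an empty set) is not something this hunk shows; if it can, callers of this function will now see a spurious failure, which is worth confirming against the caller before shipping the backport.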
@@ -0,0 +1,40 @@
+From 947195e8e7adf0120222f5e15d0a2d2ed2895031 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 22 Jul 2019 17:34:26 +0200
+Subject: [PATCH] trace: Check return value of mnl_attr_parse_nested()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1510538
+Upstream Status: libnftnl commit 57f85977ed72e
+
+commit 57f85977ed72ee3d623bbc2391d503f8a7e72c5d
+Author: Phil Sutter
+Date: Thu Dec 14 20:40:25 2017 +0100
+
+ trace: Check return value of mnl_attr_parse_nested()
+
+ This is done everywhere else as well, so certainly not a bad thing here
+ either.
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/trace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/trace.c b/src/trace.c
+index bd05d3c..b016e72 100644
+--- a/src/trace.c
++++ b/src/trace.c
+@@ -301,7 +301,8 @@ static int nftnl_trace_parse_verdict(const struct nlattr *attr,
+ {
+ struct nlattr *tb[NFTA_VERDICT_MAX+1];
+
+- mnl_attr_parse_nested(attr, nftnl_trace_parse_verdict_cb, tb);
++ if (mnl_attr_parse_nested(attr, nftnl_trace_parse_verdict_cb, tb) < 0)
++ return -1;
+
+ if (!tb[NFTA_VERDICT_CODE])
+ abi_breakage();
+--
+1.8.3.1
+
diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec
new file mode 100644
index 0000000..6320d3e
--- /dev/null
+++ b/SPECS/libnftnl.spec
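Review bot: `tb` is declared without an initializer (`struct nlattr *tb[NFTA_VERDICT_MAX+1];` in the context lines), so the `if (!tb[NFTA_VERDICT_CODE])` test that follows the newly checked parse reads an indeterminate pointer whenever the verdict nest simply lacks that attribute — mnl_attr_parse_nested() only hands the callback attributes that are present, so nothing writes the absent slots unless nftnl_trace_parse_verdict_cb (outside the hunk) clears them, which is not the usual `tb[type] = attr` shape. The added `return -1` covers a structurally malformed nest but not a missing attribute, so the uninitialized-read class of bug this series is fixing in object.c and ruleset.c is still present here. Zero the table at declaration, exactly as the gen.c hunk in patch 0002 already does: `struct nlattr *tb[NFTA_VERDICT_MAX+1] = {};`. Note also that a missing verdict code still terminates the process via abi_breakage() one line below, while the parse failure now returns -1; treating the two inconsistently is upstream's choice, but the backport should at least not leave the garbage read in place. nftnl_trace_parse_verdict() continues past the end of the hunk.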
@@ -0,0 +1,107 @@
+%define rpmversion 1.0.8
+%define specrelease 3%{?dist}
+
+Name: libnftnl
+Version: %{rpmversion}
+Release: %{specrelease}%{?buildid}
+Summary: Library for low-level interaction with nftables Netlink's API over libmnl
+License: GPLv2+
+URL: http://netfilter.org/projects/libnftnl/
+Source0: http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: libmnl-devel
+#BuildRequires: mxml-devel
+BuildRequires: jansson-devel
+Patch0: 0001-data_reg-Add-a-missing-break-in-nftnl_data_reg_snpri.patch
+Patch1: 0002-gen-Remove-a-pointless-call-to-mnl_nlmsg_get_payload.patch
+Patch2: 0003-object-Avoid-returning-garbage-in-nftnl_obj_do_parse.patch
+Patch3: 0004-ruleset-Avoid-reading-garbage-in-nftnl_ruleset_cb.patch
+Patch4: 0005-set_elem-Don-t-return-garbage-in-nftnl_set_elems_par.patch
+Patch5: 0006-trace-Check-return-value-of-mnl_attr_parse_nested.patch
+
+%description
+A library for low-level interaction with nftables Netlink's API over libmnl.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name}%{_isa} = %{version}-%{release}
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%prep
+%autosetup -p1
+
+%build
+# This is what autogen.sh (only in git repo) does - without it, patches changing
+# Makefile.am cause the build system to regenerate Makefile.in and trying to use
+# automake-1.14 for that which is not available in RHEL.
+autoreconf -fi
+rm -rf autom4te*.cache
+
+%configure --disable-static --disable-silent-rules \
+ --with-json-parsing --without-xml-parsing
+make %{?_smp_mflags}
+
+%check
+make %{?_smp_mflags} check
+
+%install
+%make_install
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%doc COPYING
+%{_libdir}/*.so.*
+
+%files devel
+%{_libdir}/libnft*.so
+%{_libdir}/pkgconfig/libnftnl.pc
+%{_includedir}/libnftnl
+
+%changelog
+* Thu Aug 22 2019 Phil Sutter [1.0.8-3.el7]
+- Rebuild for build system fixes (Phil Sutter) [1510538]
+
+* Mon Jul 22 2019 Phil Sutter [1.0.8-2.el7]
+- trace: Check return value of mnl_attr_parse_nested() (Phil Sutter) [1510538]
+- set_elem: Don't return garbage in nftnl_set_elems_parse() (Phil Sutter) [1510538]
+- ruleset: Avoid reading garbage in nftnl_ruleset_cb() (Phil Sutter) [1510538]
+- object: Avoid returning garbage in nftnl_obj_do_parse() (Phil Sutter) [1510538]
+- gen: Remove a pointless call to mnl_nlmsg_get_payload() (Phil Sutter) [1510538]
+- data_reg: Add a missing break in nftnl_data_reg_snprintf (Phil Sutter) [1510538]
+
+* Fri Oct 13 2017 Phil Sutter [1.0.8-1.el7]
+- Rebase onto upstream version 1.0.8 (Phil Sutter) [1472260]
+
+* Tue May 16 2017 Phil Sutter [1.0.6-6.el7]
+- chain: dynamically allocate name (Phil Sutter) [1353320]
+- src: Avoid returning uninitialized data (Phil Sutter) [1353319]
+- expr/limit: Drop unreachable code in limit_to_type() (Phil Sutter) [1353312]
+- ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set() (Phil Sutter) [1353322]
+- src: Fix nftnl_*_get_data() to return the real attribute length (Phil Sutter) [1353322]
+- expr/ct: prevent array index overrun in ctkey2str() (Phil Sutter) [1353309]
+- utils: Don't return directly from SNPRINTF_BUFFER_SIZE (Phil Sutter) [1353311]
+- set: prevent memleak in nftnl_jansson_parse_set_info() (Phil Sutter) [1353311]
+
+* Fri May 12 2017 Phil Sutter [1.0.6-5.el7]
+- expr: lookup: give
support for inverted matching (Phil Sutter) [1441084]
+- tests: stricter string attribute validation (Phil Sutter) [1441084]
+
+* Thu Feb 23 2017 Phil Sutter [1.0.6-4.el7]
+- Add automake and libtool as additional build requirements (Phil Sutter) [1418967]
+
+* Thu Feb 23 2017 Phil Sutter [1.0.6-3.el7]
+- Fix libnftnl.spec for patches changing Makefile.am (Phil Sutter) [1418967]
+
+* Thu Feb 23 2017 Phil Sutter [1.0.6-2.el7]
+- src: add range expression (Phil Sutter) [1418967]
+
+* Wed Jun 29 2016 Phil Sutter 1.0.6-1
+- Rebased from Fedora Rawhide and adjusted for RHEL review.
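Review bot: Source0 is fetched over plain HTTP (`Source0: http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2`, and `URL:` likewise) and the spec carries no detached signature, so the only integrity anchor for the tarball is the SHA-1 recorded in .libnftnl.metadata for the lookaside cache, and nothing ties that hash back to the upstream release key. Upstream publishes a `.tar.bz2.sig` next to each release and serves over HTTPS, so both URLs should at least become `https://`, and if the target build root offers a GPG-verification macro the `.sig` should be added as Source1 and checked in %prep (RHEL 7's rpm may lack `%{gpgverify}`, in which case a `gpgv2 --keyring` call against a keyring shipped as another Source is the usual substitute — worth confirming on an el7 buildroot). Separately, the file-scope `%define rpmversion 1.0.8` / `%define specrelease 3%{?dist}` should be `%global`: `%define` is lazily expanded and scoped, which behaves differently when the macro is referenced from inside another macro. The rest of the spec (autoreconf in %build, `make check`, ldconfig scriptlets, `.la` removal) is conventional for el7.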