diff --git a/.gitignore b/.gitignore
index ccc74cf..70aad83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libnftnl-1.0.6.tar.xz
+SOURCES/libnftnl-1.0.8.tar.bz2
diff --git a/.libnftnl.metadata b/.libnftnl.metadata
index c439cc2..558b5d2 100644
--- a/.libnftnl.metadata
+++ b/.libnftnl.metadata
@@ -1 +1 @@
-947d9ed587b8a4cd3883721a2878ade962ce6dad SOURCES/libnftnl-1.0.6.tar.xz
+8f9cb4983b54092478ade39f78b2850062729f4b SOURCES/libnftnl-1.0.8.tar.bz2
diff --git a/SOURCES/0001-src-add-range-expression.patch b/SOURCES/0001-src-add-range-expression.patch
deleted file mode 100644
index 48c6c0f..0000000
--- a/SOURCES/0001-src-add-range-expression.patch
+++ /dev/null
@@ -1,569 +0,0 @@
-From 41e4687e83c8eba29b5cf7cbbea74fab56835468 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Thu, 23 Feb 2017 17:07:00 +0100
-Subject: [PATCH] src: add range expression
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1418967
-Upstream Status: unknown commit 200da4866ada0
-Conflicts: Context changes due to missing other features.
-
-commit 200da4866ada06b2ee0f708c93dbdf9dcd0fcfe4
-Author: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Tue Sep 20 17:53:21 2016 +0200
-
- src: add range expression
-
- Add range expression available that is scheduled for linux kernel 4.9.
- This range expression allows us to check if a given value placed in a
- register is within/outside a specified interval.
-
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- include/libnftnl/expr.h | 7 +
- include/linux/netfilter/nf_tables.h | 29 ++++
- src/Makefile.am | 1 +
- src/expr/range.c | 288 ++++++++++++++++++++++++++++++++++++
- src/expr_ops.c | 2 +
- tests/Makefile.am | 4 +
- tests/nft-expr_range-test.c | 109 ++++++++++++++
- tests/test-script.sh | 1 +
- 8 files changed, 441 insertions(+)
- create mode 100644 src/expr/range.c
- create mode 100644 tests/nft-expr_range-test.c
-
-diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
-index f192103..5822a9e 100644
---- a/include/libnftnl/expr.h
-+++ b/include/libnftnl/expr.h
-@@ -61,6 +61,13 @@ enum {
- };
-
- enum {
-+ NFTNL_EXPR_RANGE_SREG = NFTNL_EXPR_BASE,
-+ NFTNL_EXPR_RANGE_OP,
-+ NFTNL_EXPR_RANGE_FROM_DATA,
-+ NFTNL_EXPR_RANGE_TO_DATA,
-+};
-+
-+enum {
- NFTNL_EXPR_IMM_DREG = NFTNL_EXPR_BASE,
- NFTNL_EXPR_IMM_DATA,
- NFTNL_EXPR_IMM_VERDICT,
-diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
-index 6a4dbe0..3b7b7f3 100644
---- a/include/linux/netfilter/nf_tables.h
-+++ b/include/linux/netfilter/nf_tables.h
-@@ -547,6 +547,35 @@ enum nft_cmp_attributes {
- #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1)
-
- /**
-+ * enum nft_range_ops - nf_tables range operator
-+ *
-+ * @NFT_RANGE_EQ: equal
-+ * @NFT_RANGE_NEQ: not equal
-+ */
-+enum nft_range_ops {
-+ NFT_RANGE_EQ,
-+ NFT_RANGE_NEQ,
-+};
-+
-+/**
-+ * enum nft_range_attributes - nf_tables range expression netlink attributes
-+ *
-+ * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers)
-+ * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_cmp_ops)
-+ * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes)
-+ * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes)
-+ */
-+enum nft_range_attributes {
-+ NFTA_RANGE_UNSPEC,
-+ NFTA_RANGE_SREG,
-+ NFTA_RANGE_OP,
-+ NFTA_RANGE_FROM_DATA,
-+ NFTA_RANGE_TO_DATA,
-+ __NFTA_RANGE_MAX
-+};
-+#define NFTA_RANGE_MAX (__NFTA_RANGE_MAX - 1)
-+
-+/**
- * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
- *
- * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 7e580e4..6378815 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -25,6 +25,7 @@ libnftnl_la_SOURCES = utils.c \
- expr/bitwise.c \
- expr/byteorder.c \
- expr/cmp.c \
-+ expr/range.c \
- expr/counter.c \
- expr/ct.c \
- expr/data_reg.c \
-diff --git a/src/expr/range.c b/src/expr/range.c
-new file mode 100644
-index 0000000..1489d58
---- /dev/null
-+++ b/src/expr/range.c
-@@ -0,0 +1,288 @@
-+/*
-+ * (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published
-+ * by the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ */
-+
-+#include "internal.h"
-+
-+#include <stdio.h>
-+#include <stdint.h>
-+#include <string.h>
-+#include <arpa/inet.h>
-+#include <errno.h>
-+
-+#include <libmnl/libmnl.h>
-+#include <linux/netfilter/nf_tables.h>
-+#include <libnftnl/expr.h>
-+#include <libnftnl/rule.h>
-+
-+struct nftnl_expr_range {
-+ union nftnl_data_reg data_from;
-+ union nftnl_data_reg data_to;
-+ enum nft_registers sreg;
-+ enum nft_range_ops op;
-+};
-+
-+static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
-+ const void *data, uint32_t data_len)
-+{
-+ struct nftnl_expr_range *range = nftnl_expr_data(e);
-+
-+ switch(type) {
-+ case NFTNL_EXPR_RANGE_SREG:
-+ range->sreg = *((uint32_t *)data);
-+ break;
-+ case NFTNL_EXPR_RANGE_OP:
-+ range->op = *((uint32_t *)data);
-+ break;
-+ case NFTNL_EXPR_RANGE_FROM_DATA:
-+ memcpy(&range->data_from.val, data, data_len);
-+ range->data_from.len = data_len;
-+ break;
-+ case NFTNL_EXPR_RANGE_TO_DATA:
-+ memcpy(&range->data_to.val, data, data_len);
-+ range->data_to.len = data_len;
-+ break;
-+ default:
-+ return -1;
-+ }
-+ return 0;
-+}
-+
-+static const void *nftnl_expr_range_get(const struct nftnl_expr *e,
-+ uint16_t type, uint32_t *data_len)
-+{
-+ struct nftnl_expr_range *range = nftnl_expr_data(e);
-+
-+ switch(type) {
-+ case NFTNL_EXPR_RANGE_SREG:
-+ *data_len = sizeof(range->sreg);
-+ return &range->sreg;
-+ case NFTNL_EXPR_RANGE_OP:
-+ *data_len = sizeof(range->op);
-+ return &range->op;
-+ case NFTNL_EXPR_RANGE_FROM_DATA:
-+ *data_len = range->data_from.len;
-+ return &range->data_from.val;
-+ case NFTNL_EXPR_RANGE_TO_DATA:
-+ *data_len = range->data_to.len;
-+ return &range->data_to.val;
-+ }
-+ return NULL;
-+}
-+
-+static int nftnl_expr_range_cb(const struct nlattr *attr, void *data)
-+{
-+ const struct nlattr **tb = data;
-+ int type = mnl_attr_get_type(attr);
-+
-+ if (mnl_attr_type_valid(attr, NFTA_RANGE_MAX) < 0)
-+ return MNL_CB_OK;
-+
-+ switch(type) {
-+ case NFTA_RANGE_SREG:
-+ case NFTA_RANGE_OP:
-+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
-+ abi_breakage();
-+ break;
-+ case NFTA_RANGE_FROM_DATA:
-+ case NFTA_RANGE_TO_DATA:
-+ if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0)
-+ abi_breakage();
-+ break;
-+ }
-+
-+ tb[type] = attr;
-+ return MNL_CB_OK;
-+}
-+
-+static void
-+nftnl_expr_range_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
-+{
-+ struct nftnl_expr_range *range = nftnl_expr_data(e);
-+
-+ if (e->flags & (1 << NFTNL_EXPR_RANGE_SREG))
-+ mnl_attr_put_u32(nlh, NFTA_RANGE_SREG, htonl(range->sreg));
-+ if (e->flags & (1 << NFTNL_EXPR_RANGE_OP))
-+ mnl_attr_put_u32(nlh, NFTA_RANGE_OP, htonl(range->op));
-+ if (e->flags & (1 << NFTNL_EXPR_RANGE_FROM_DATA)) {
-+ struct nlattr *nest;
-+
-+ nest = mnl_attr_nest_start(nlh, NFTA_RANGE_FROM_DATA);
-+ mnl_attr_put(nlh, NFTA_DATA_VALUE, range->data_from.len,
-+ range->data_from.val);
-+ mnl_attr_nest_end(nlh, nest);
-+ }
-+ if (e->flags & (1 << NFTNL_EXPR_RANGE_TO_DATA)) {
-+ struct nlattr *nest;
-+
-+ nest = mnl_attr_nest_start(nlh, NFTA_RANGE_TO_DATA);
-+ mnl_attr_put(nlh, NFTA_DATA_VALUE, range->data_to.len,
-+ range->data_to.val);
-+ mnl_attr_nest_end(nlh, nest);
-+ }
-+}
-+
-+static int
-+nftnl_expr_range_parse(struct nftnl_expr *e, struct nlattr *attr)
-+{
-+ struct nftnl_expr_range *range = nftnl_expr_data(e);
-+ struct nlattr *tb[NFTA_RANGE_MAX+1] = {};
-+ int ret = 0;
-+
-+ if (mnl_attr_parse_nested(attr, nftnl_expr_range_cb, tb) < 0)
-+ return -1;
-+
-+ if (tb[NFTA_RANGE_SREG]) {
-+ range->sreg = ntohl(mnl_attr_get_u32(tb[NFTA_RANGE_SREG]));
-+ e->flags |= (1 << NFTA_RANGE_SREG);
-+ }
-+ if (tb[NFTA_RANGE_OP]) {
-+ range->op = ntohl(mnl_attr_get_u32(tb[NFTA_RANGE_OP]));
-+ e->flags |= (1 << NFTA_RANGE_OP);
-+ }
-+ if (tb[NFTA_RANGE_FROM_DATA]) {
-+ ret = nftnl_parse_data(&range->data_from,
-+ tb[NFTA_RANGE_FROM_DATA], NULL);
-+ e->flags |= (1 << NFTA_RANGE_FROM_DATA);
-+ }
-+ if (tb[NFTA_RANGE_TO_DATA]) {
-+ ret = nftnl_parse_data(&range->data_to,
-+ tb[NFTA_RANGE_TO_DATA], NULL);
-+ e->flags |= (1 << NFTA_RANGE_TO_DATA);
-+ }
-+
-+ return ret;
-+}
-+
-+static char *expr_range_str[] = {
-+ [NFT_RANGE_EQ] = "eq",
-+ [NFT_RANGE_NEQ] = "neq",
-+};
-+
-+static const char *range2str(uint32_t op)
-+{
-+ if (op > NFT_RANGE_NEQ)
-+ return "unknown";
-+
-+ return expr_range_str[op];
-+}
-+
-+static inline int nftnl_str2range(const char *op)
-+{
-+ if (strcmp(op, "eq") == 0)
-+ return NFT_RANGE_EQ;
-+ else if (strcmp(op, "neq") == 0)
-+ return NFT_RANGE_NEQ;
-+ else {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+}
-+
-+static int nftnl_expr_range_json_parse(struct nftnl_expr *e, json_t *root,
-+ struct nftnl_parse_err *err)
-+{
-+#ifdef JSON_PARSING
-+ struct nftnl_expr_range *range = nftnl_expr_data(e);
-+ const char *op;
-+ uint32_t uval32;
-+ int base;
-+
-+ if (nftnl_jansson_parse_val(root, "sreg", NFTNL_TYPE_U32, &uval32,
-+ err) == 0)
-+ nftnl_expr_set_u32(e, NFTNL_EXPR_RANGE_SREG, uval32);
-+
-+ op = nftnl_jansson_parse_str(root, "op", err);
-+ if (op != NULL) {
-+ base = nftnl_str2range(op);
-+ if (base < 0)
-+ return -1;
-+
-+ nftnl_expr_set_u32(e, NFTNL_EXPR_RANGE_OP, base);
-+ }
-+
-+ if (nftnl_jansson_data_reg_parse(root, "data_from",
-+ &range->data_from, err) == DATA_VALUE)
-+ e->flags |= (1 << NFTNL_EXPR_RANGE_FROM_DATA);
-+
-+ if (nftnl_jansson_data_reg_parse(root, "data_to",
-+ &range->data_to, err) == DATA_VALUE)
-+ e->flags |= (1 << NFTNL_EXPR_RANGE_TO_DATA);
-+
-+ return 0;
-+#else
-+ errno = EOPNOTSUPP;
-+ return -1;
-+#endif
-+}
-+
-+static int nftnl_expr_range_export(char *buf, size_t size,
-+ const struct nftnl_expr *e, int type)
-+{
-+ struct nftnl_expr_range *range = nftnl_expr_data(e);
-+ NFTNL_BUF_INIT(b, buf, size);
-+
-+ if (e->flags & (1 << NFTNL_EXPR_RANGE_SREG))
-+ nftnl_buf_u32(&b, type, range->sreg, SREG);
-+ if (e->flags & (1 << NFTNL_EXPR_RANGE_OP))
-+ nftnl_buf_str(&b, type, range2str(range->op), OP);
-+ if (e->flags & (1 << NFTNL_EXPR_RANGE_FROM_DATA))
-+ nftnl_buf_reg(&b, type, &range->data_from, DATA_VALUE, DATA);
-+ if (e->flags & (1 << NFTNL_EXPR_RANGE_TO_DATA))
-+ nftnl_buf_reg(&b, type, &range->data_to, DATA_VALUE, DATA);
-+
-+ return nftnl_buf_done(&b);
-+}
-+
-+static int nftnl_expr_range_snprintf_default(char *buf, size_t size,
-+ const struct nftnl_expr *e)
-+{
-+ struct nftnl_expr_range *range = nftnl_expr_data(e);
-+ int len = size, offset = 0, ret;
-+
-+ ret = snprintf(buf, len, "%s reg %u ",
-+ expr_range_str[range->op], range->sreg);
-+ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-+
-+ ret = nftnl_data_reg_snprintf(buf + offset, len, &range->data_from,
-+ NFTNL_OUTPUT_DEFAULT, 0, DATA_VALUE);
-+ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-+
-+ ret = nftnl_data_reg_snprintf(buf + offset, len, &range->data_to,
-+ NFTNL_OUTPUT_DEFAULT, 0, DATA_VALUE);
-+ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-+
-+ return offset;
-+}
-+
-+static int nftnl_expr_range_snprintf(char *buf, size_t size, uint32_t type,
-+ uint32_t flags, const struct nftnl_expr *e)
-+{
-+ switch (type) {
-+ case NFTNL_OUTPUT_DEFAULT:
-+ return nftnl_expr_range_snprintf_default(buf, size, e);
-+ case NFTNL_OUTPUT_XML:
-+ case NFTNL_OUTPUT_JSON:
-+ return nftnl_expr_range_export(buf, size, e, type);
-+ default:
-+ break;
-+ }
-+ return -1;
-+}
-+
-+struct expr_ops expr_ops_range = {
-+ .name = "range",
-+ .alloc_len = sizeof(struct nftnl_expr_range),
-+ .max_attr = NFTA_RANGE_MAX,
-+ .set = nftnl_expr_range_set,
-+ .get = nftnl_expr_range_get,
-+ .parse = nftnl_expr_range_parse,
-+ .build = nftnl_expr_range_build,
-+ .snprintf = nftnl_expr_range_snprintf,
-+ .json_parse = nftnl_expr_range_json_parse,
-+};
-diff --git a/src/expr_ops.c b/src/expr_ops.c
-index ae515af..80d9f4c 100644
---- a/src/expr_ops.c
-+++ b/src/expr_ops.c
-@@ -21,6 +21,7 @@ extern struct expr_ops expr_ops_match;
- extern struct expr_ops expr_ops_meta;
- extern struct expr_ops expr_ops_nat;
- extern struct expr_ops expr_ops_payload;
-+extern struct expr_ops expr_ops_range;
- extern struct expr_ops expr_ops_redir;
- extern struct expr_ops expr_ops_reject;
- extern struct expr_ops expr_ops_queue;
-@@ -45,6 +46,7 @@ static struct expr_ops *expr_ops[] = {
- &expr_ops_meta,
- &expr_ops_nat,
- &expr_ops_payload,
-+ &expr_ops_range,
- &expr_ops_redir,
- &expr_ops_reject,
- &expr_ops_queue,
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index c246034..673c4a7 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -27,6 +27,7 @@ check_PROGRAMS = nft-parsing-test \
- nft-expr_nat-test \
- nft-expr_payload-test \
- nft-expr_queue-test \
-+ nft-expr_range-test \
- nft-expr_redir-test \
- nft-expr_reject-test \
- nft-expr_target-test
-@@ -100,6 +101,9 @@ nft_expr_payload_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
- nft_expr_queue_test_SOURCES = nft-expr_queue-test.c
- nft_expr_queue_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
-
-+nft_expr_range_test_SOURCES = nft-expr_range-test.c
-+nft_expr_range_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
-+
- nft_expr_reject_test_SOURCES = nft-expr_reject-test.c
- nft_expr_reject_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
-
-diff --git a/tests/nft-expr_range-test.c b/tests/nft-expr_range-test.c
-new file mode 100644
-index 0000000..b92dfc0
---- /dev/null
-+++ b/tests/nft-expr_range-test.c
-@@ -0,0 +1,109 @@
-+/*
-+ * (C) 2013 by Ana Rey Botello <anarey@gmail.com>
-+ *
-+ * This program is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+
-+#include <netinet/in.h>
-+#include <netinet/ip.h>
-+#include <linux/netfilter/nf_tables.h>
-+#include <libmnl/libmnl.h>
-+#include <libnftnl/rule.h>
-+#include <libnftnl/expr.h>
-+
-+static int test_ok = 1;
-+
-+static void print_err(const char *msg)
-+{
-+ test_ok = 0;
-+ printf("\033[31mERROR:\e[0m %s\n", msg);
-+}
-+
-+static void range_nftnl_expr(struct nftnl_expr *rule_a,
-+ struct nftnl_expr *rule_b)
-+{
-+ uint32_t data_a, data_b;
-+
-+ nftnl_expr_get(rule_a, NFTNL_EXPR_RANGE_FROM_DATA, &data_a);
-+ nftnl_expr_get(rule_b, NFTNL_EXPR_RANGE_FROM_DATA, &data_b);
-+ if (data_a != data_b)
-+ print_err("Size of NFTNL_EXPR_RANGE_FROM_DATA mismatches");
-+ nftnl_expr_get(rule_a, NFTNL_EXPR_RANGE_TO_DATA, &data_a);
-+ nftnl_expr_get(rule_b, NFTNL_EXPR_RANGE_TO_DATA, &data_b);
-+ if (data_a != data_b)
-+ print_err("Size of NFTNL_EXPR_RANGE_TO_DATA mismatches");
-+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_RANGE_SREG) !=
-+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_RANGE_SREG))
-+ print_err("Expr NFTNL_EXPR_RANGE_SREG mismatches");
-+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_RANGE_OP) !=
-+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_RANGE_OP))
-+ print_err("Expr NFTNL_EXPR_RANGE_OP mismatches");
-+}
-+
-+int main(int argc, char *argv[])
-+{
-+ struct nftnl_rule *a, *b;
-+ struct nftnl_expr *ex;
-+ struct nlmsghdr *nlh;
-+ char buf[4096];
-+ struct nftnl_expr_iter *iter_a, *iter_b;
-+ struct nftnl_expr *rule_a, *rule_b;
-+ uint32_t data_a = 0x01010101, data_b = 0x02020202;
-+
-+ a = nftnl_rule_alloc();
-+ b = nftnl_rule_alloc();
-+ if (a == NULL || b == NULL)
-+ print_err("OOM");
-+ ex = nftnl_expr_alloc("range");
-+ if (ex == NULL)
-+ print_err("OOM");
-+
-+ nftnl_expr_set(ex, NFTNL_EXPR_RANGE_FROM_DATA,
-+ &data_a, sizeof(data_a));
-+ nftnl_expr_set(ex, NFTNL_EXPR_RANGE_TO_DATA,
-+ &data_b, sizeof(data_b));
-+ nftnl_expr_set_u32(ex, NFTNL_EXPR_RANGE_SREG, 0x12345678);
-+ nftnl_expr_set_u32(ex, NFTNL_EXPR_RANGE_OP, 0x78123456);
-+
-+ nftnl_rule_add_expr(a, ex);
-+
-+ nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
-+ nftnl_rule_nlmsg_build_payload(nlh, a);
-+
-+ if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
-+ print_err("parsing problems");
-+
-+ iter_a = nftnl_expr_iter_create(a);
-+ iter_b = nftnl_expr_iter_create(b);
-+ if (iter_a == NULL || iter_b == NULL)
-+ print_err("OOM");
-+ rule_a = nftnl_expr_iter_next(iter_a);
-+ rule_b = nftnl_expr_iter_next(iter_b);
-+ if (rule_a == NULL || rule_b == NULL)
-+ print_err("OOM");
-+
-+ range_nftnl_expr(rule_a, rule_b);
-+
-+ if (nftnl_expr_iter_next(iter_a) != NULL ||
-+ nftnl_expr_iter_next(iter_b) != NULL)
-+ print_err("More 1 expr.");
-+
-+ nftnl_expr_iter_destroy(iter_a);
-+ nftnl_expr_iter_destroy(iter_b);
-+ nftnl_rule_free(a);
-+ nftnl_rule_free(b);
-+
-+ if (!test_ok)
-+ exit(EXIT_FAILURE);
-+
-+ printf("%s: \033[32mOK\e[0m\n", argv[0]);
-+ return EXIT_SUCCESS;
-+}
-diff --git a/tests/test-script.sh b/tests/test-script.sh
-index b040158..f4e1b7a 100755
---- a/tests/test-script.sh
-+++ b/tests/test-script.sh
-@@ -12,6 +12,7 @@
- ./nft-expr_match-test
- ./nft-expr_masq-test
- ./nft-expr_meta-test
-+./nft-expr_range-test
- ./nft-expr_redir-test
- ./nft-expr_nat-test
- ./nft-expr_payload-test
---
-1.8.3.1
-
diff --git a/SOURCES/0002-tests-stricter-string-attribute-validation.patch b/SOURCES/0002-tests-stricter-string-attribute-validation.patch
deleted file mode 100644
index da8a9b8..0000000
--- a/SOURCES/0002-tests-stricter-string-attribute-validation.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 7c8016f4afb2c4ec5c717b1c830c655318a0c561 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Fri, 12 May 2017 12:51:22 +0200
-Subject: [PATCH] tests: stricter string attribute validation
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1441084
-Upstream Status: libnftnl commit 57468cfa7916a
-
-commit 57468cfa7916aa6e21c977d1ddb6d0a0ad27edf7
-Author: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Wed Jun 15 13:41:06 2016 +0200
-
- tests: stricter string attribute validation
-
- In nft-expr_lookup-test.c, check for the strings instead of size.
-
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- tests/nft-expr_lookup-test.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/tests/nft-expr_lookup-test.c b/tests/nft-expr_lookup-test.c
-index ad028e9..2ca431b 100644
---- a/tests/nft-expr_lookup-test.c
-+++ b/tests/nft-expr_lookup-test.c
-@@ -30,18 +30,15 @@ static void print_err(const char *msg)
- static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
- struct nftnl_expr *rule_b)
- {
-- uint32_t data_lena, data_lenb;
--
- if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_SREG) !=
- nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_SREG))
- print_err("Expr NFTNL_EXPR_LOOkUP_SREG mismatches");
- if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_DREG) !=
- nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_DREG))
- print_err("Expr NFTNL_EXPR_LOOkUP_DREG mismatches");
-- nftnl_expr_get(rule_a, NFTNL_EXPR_LOOKUP_SET, &data_lena);
-- nftnl_expr_get(rule_b, NFTNL_EXPR_LOOKUP_SET, &data_lenb);
-- if (data_lena != data_lenb)
-- print_err("Expr NFTNL_EXPR_LOOKUP_SET size mismatches");
-+ if (strcmp(nftnl_expr_get_str(rule_a, NFTNL_EXPR_LOOKUP_SET),
-+ nftnl_expr_get_str(rule_b, NFTNL_EXPR_LOOKUP_SET)))
-+ print_err("Expr NFTNL_EXPR_LOOKUP_SET mismatches");
- }
-
- int main(int argc, char *argv[])
---
-1.8.3.1
-
diff --git a/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch b/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch
deleted file mode 100644
index 3b681b9..0000000
--- a/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-From 56dfbd950f20ece8193239d92e8f58fb3a48a3a9 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Fri, 12 May 2017 12:51:22 +0200
-Subject: [PATCH] expr: lookup: give support for inverted matching
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1441084
-Upstream Status: libnftnl commit 5ad0e626492e8
-
-commit 5ad0e626492e835fff65369c93d1e571013129e9
-Author: Arturo Borrero <arturo.borrero.glez@gmail.com>
-Date: Fri Jun 24 09:07:02 2016 +0200
-
- expr: lookup: give support for inverted matching
-
- Inverted matching support was included in the kernel, let's give support here
- as well.
-
- Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- include/libnftnl/expr.h | 1 +
- include/linux/netfilter/nf_tables.h | 6 ++++++
- src/expr/lookup.c | 32 +++++++++++++++++++++++++++++---
- tests/nft-expr_lookup-test.c | 4 ++++
- 4 files changed, 40 insertions(+), 3 deletions(-)
-
-diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
-index 5822a9e..b644264 100644
---- a/include/libnftnl/expr.h
-+++ b/include/libnftnl/expr.h
-@@ -114,6 +114,7 @@ enum {
- NFTNL_EXPR_LOOKUP_DREG,
- NFTNL_EXPR_LOOKUP_SET,
- NFTNL_EXPR_LOOKUP_SET_ID,
-+ NFTNL_EXPR_LOOKUP_FLAGS,
- };
-
- enum {
-diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
-index 3b7b7f3..b35a86f 100644
---- a/include/linux/netfilter/nf_tables.h
-+++ b/include/linux/netfilter/nf_tables.h
-@@ -546,6 +546,10 @@ enum nft_cmp_attributes {
- };
- #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1)
-
-+enum nft_lookup_flags {
-+ NFT_LOOKUP_F_INV = (1 << 0),
-+};
-+
- /**
- * enum nft_range_ops - nf_tables range operator
- *
-@@ -582,6 +586,7 @@ enum nft_range_attributes {
- * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
- * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
- * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
-+ * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags)
- */
- enum nft_lookup_attributes {
- NFTA_LOOKUP_UNSPEC,
-@@ -589,6 +594,7 @@ enum nft_lookup_attributes {
- NFTA_LOOKUP_SREG,
- NFTA_LOOKUP_DREG,
- NFTA_LOOKUP_SET_ID,
-+ NFTA_LOOKUP_FLAGS,
- __NFTA_LOOKUP_MAX
- };
- #define NFTA_LOOKUP_MAX (__NFTA_LOOKUP_MAX - 1)
-diff --git a/src/expr/lookup.c b/src/expr/lookup.c
-index ed32ba6..59a3c5c 100644
---- a/src/expr/lookup.c
-+++ b/src/expr/lookup.c
-@@ -26,6 +26,7 @@ struct nftnl_expr_lookup {
- enum nft_registers dreg;
- char *set_name;
- uint32_t set_id;
-+ uint32_t flags;
- };
-
- static int
-@@ -47,6 +48,9 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
- case NFTNL_EXPR_LOOKUP_SET_ID:
- lookup->set_id = *((uint32_t *)data);
- break;
-+ case NFTNL_EXPR_LOOKUP_FLAGS:
-+ lookup->flags = *((uint32_t *)data);
-+ break;
- default:
- return -1;
- }
-@@ -70,6 +74,8 @@ nftnl_expr_lookup_get(const struct nftnl_expr *e, uint16_t type,
- return lookup->set_name;
- case NFTNL_EXPR_LOOKUP_SET_ID:
- return &lookup->set_id;
-+ case NFTNL_EXPR_LOOKUP_FLAGS:
-+ return &lookup->flags;
- }
- return NULL;
- }
-@@ -86,6 +92,7 @@ static int nftnl_expr_lookup_cb(const struct nlattr *attr, void *data)
- case NFTA_LOOKUP_SREG:
- case NFTA_LOOKUP_DREG:
- case NFTA_LOOKUP_SET_ID:
-+ case NFTA_LOOKUP_FLAGS:
- if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
- abi_breakage();
- break;
-@@ -113,6 +120,8 @@ nftnl_expr_lookup_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
- if (e->flags & (1 << NFTNL_EXPR_LOOKUP_SET_ID)) {
- mnl_attr_put_u32(nlh, NFTA_LOOKUP_SET_ID,
- htonl(lookup->set_id));
-+ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_FLAGS))
-+ mnl_attr_put_u32(nlh, NFTA_LOOKUP_FLAGS, htonl(lookup->flags));
- }
- }
-
-@@ -144,6 +153,10 @@ nftnl_expr_lookup_parse(struct nftnl_expr *e, struct nlattr *attr)
- ntohl(mnl_attr_get_u32(tb[NFTA_LOOKUP_SET_ID]));
- e->flags |= (1 << NFTNL_EXPR_LOOKUP_SET_ID);
- }
-+ if (tb[NFTA_LOOKUP_FLAGS]) {
-+ lookup->flags = ntohl(mnl_attr_get_u32(tb[NFTA_LOOKUP_FLAGS]));
-+ e->flags |= (1 << NFTNL_EXPR_LOOKUP_FLAGS);
-+ }
-
- return ret;
- }
-@@ -154,7 +167,7 @@ nftnl_expr_lookup_json_parse(struct nftnl_expr *e, json_t *root,
- {
- #ifdef JSON_PARSING
- const char *set_name;
-- uint32_t sreg, dreg;
-+ uint32_t sreg, dreg, flags;
-
- set_name = nftnl_jansson_parse_str(root, "set", err);
- if (set_name != NULL)
-@@ -166,6 +179,10 @@ nftnl_expr_lookup_json_parse(struct nftnl_expr *e, json_t *root,
- if (nftnl_jansson_parse_reg(root, "dreg", NFTNL_TYPE_U32, &dreg, err) == 0)
- nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_DREG, dreg);
-
-+ if (nftnl_jansson_parse_val(root, "flags", NFTNL_TYPE_U32,
-+ &flags, err) == 0)
-+ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_FLAGS, flags);
-+
- return 0;
- #else
- errno = EOPNOTSUPP;
-@@ -179,7 +196,7 @@ nftnl_expr_lookup_xml_parse(struct nftnl_expr *e, mxml_node_t *tree,
- {
- #ifdef XML_PARSING
- const char *set_name;
-- uint32_t sreg, dreg;
-+ uint32_t sreg, dreg, flags;
-
- set_name = nftnl_mxml_str_parse(tree, "set", MXML_DESCEND_FIRST,
- NFTNL_XML_MAND, err);
-@@ -194,6 +211,11 @@ nftnl_expr_lookup_xml_parse(struct nftnl_expr *e, mxml_node_t *tree,
- err) == 0)
- nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_DREG, dreg);
-
-+ if (nftnl_mxml_num_parse(tree, "flags", MXML_DESCEND_FIRST, BASE_DEC,
-+ &flags, NFTNL_TYPE_U32,
-+ NFTNL_XML_MAND, err) == 0)
-+ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_FLAGS, flags);
-+
- return 0;
- #else
- errno = EOPNOTSUPP;
-@@ -214,6 +236,8 @@ nftnl_expr_lookup_export(char *buf, size_t size,
- nftnl_buf_u32(&b, type, l->sreg, SREG);
- if (e->flags & (1 << NFTNL_EXPR_LOOKUP_DREG))
- nftnl_buf_u32(&b, type, l->dreg, DREG);
-+ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_FLAGS))
-+ nftnl_buf_u32(&b, type, l->flags, FLAGS);
-
- return nftnl_buf_done(&b);
- }
-@@ -228,12 +252,14 @@ nftnl_expr_lookup_snprintf_default(char *buf, size_t size,
- ret = snprintf(buf, len, "reg %u set %s ", l->sreg, l->set_name);
- SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-
--
- if (e->flags & (1 << NFTNL_EXPR_LOOKUP_DREG)) {
- ret = snprintf(buf+offset, len, "dreg %u ", l->dreg);
- SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
- }
-
-+ ret = snprintf(buf + offset, len, "0x%x ", l->flags);
-+ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-+
- return offset;
- }
-
-diff --git a/tests/nft-expr_lookup-test.c b/tests/nft-expr_lookup-test.c
-index 2ca431b..e52a68f 100644
---- a/tests/nft-expr_lookup-test.c
-+++ b/tests/nft-expr_lookup-test.c
-@@ -39,6 +39,9 @@ static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
- if (strcmp(nftnl_expr_get_str(rule_a, NFTNL_EXPR_LOOKUP_SET),
- nftnl_expr_get_str(rule_b, NFTNL_EXPR_LOOKUP_SET)))
- print_err("Expr NFTNL_EXPR_LOOKUP_SET mismatches");
-+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_FLAGS) !=
-+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_FLAGS))
-+ print_err("Expr NFTNL_EXPR_LOOkUP_FLAGS mismatches");
- }
-
- int main(int argc, char *argv[])
-@@ -63,6 +66,7 @@ int main(int argc, char *argv[])
- nftnl_expr_set_u32(ex, NFTNL_EXPR_LOOKUP_DREG, 0x12345678);
- nftnl_expr_set(ex, NFTNL_EXPR_LOOKUP_SET, &lookup_set,
- sizeof(lookup_set));
-+ nftnl_expr_set_u32(ex, NFTNL_EXPR_LOOKUP_FLAGS, 0x12345678);
-
- nftnl_rule_add_expr(a, ex);
-
---
-1.8.3.1
-
diff --git a/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch b/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch
deleted file mode 100644
index 8abb9dd..0000000
--- a/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 111c6c9c326113cda15ea9180ff8f4b5377434cf Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 16 May 2017 12:28:55 +0200
-Subject: [PATCH] set: prevent memleak in nftnl_jansson_parse_set_info()
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353311
-Upstream Status: libnftnl commit d29f0825c33af
-
-commit d29f0825c33af8c53a939b7f0e8d5beb2ed48c83
-Author: Phil Sutter <psutter@redhat.com>
-Date: Fri Aug 12 01:33:33 2016 +0200
-
- set: prevent memleak in nftnl_jansson_parse_set_info()
-
- During list populating, in error case the function returns without
- freeing the newly allocated 'elem' object, thereby losing any references
- to it.
-
- Signed-off-by: Phil Sutter <phil@nwl.cc>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/set.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/set.c b/src/set.c
-index dbea93b..9560ccc 100644
---- a/src/set.c
-+++ b/src/set.c
-@@ -566,12 +566,12 @@ static int nftnl_jansson_parse_set_info(struct nftnl_set *s, json_t *tree,
- return -1;
-
- json_elem = json_array_get(array, i);
-- if (json_elem == NULL)
-- return -1;
--
-- if (nftnl_jansson_set_elem_parse(elem,
-- json_elem, err) < 0)
-+ if (json_elem == NULL ||
-+ nftnl_jansson_set_elem_parse(elem,
-+ json_elem, err) < 0) {
-+ free(elem);
- return -1;
-+ }
-
- list_add_tail(&elem->head, &s->element_list);
- }
---
-1.8.3.1
-
diff --git a/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch b/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch
deleted file mode 100644
index dbbac28..0000000
--- a/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 7413de9ca21bcb7c3de2af37c99ab858615430fc Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 16 May 2017 12:28:55 +0200
-Subject: [PATCH] utils: Don't return directly from SNPRINTF_BUFFER_SIZE
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353311
-Upstream Status: libnftnl commit 9afae310b019a
-
-commit 9afae310b019aa497afb94833afc9a936bc38a1f
-Author: Phil Sutter <psutter@redhat.com>
-Date: Fri Aug 12 14:39:50 2016 +0200
-
- utils: Don't return directly from SNPRINTF_BUFFER_SIZE
-
- Apart from being a bad idea in general, the return statement contained
- in that macro in some cases leads to returning from functions without
- properly cleaning up, thereby causing memory leaks.
-
- Instead, just sanitize the value in 'ret' to not harm further calls of
- snprintf() (as 'len' will eventually just become zero).
-
- Cc: Arturo Borrero <arturo.borrero.glez@gmail.com>
- Signed-off-by: Phil Sutter <phil@nwl.cc>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- include/utils.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/utils.h b/include/utils.h
-index 46ff18a..ae596c5 100644
---- a/include/utils.h
-+++ b/include/utils.h
-@@ -45,7 +45,7 @@ void __nftnl_assert_fail(uint16_t attr, const char *filename, int line);
-
- #define SNPRINTF_BUFFER_SIZE(ret, size, len, offset) \
- if (ret < 0) \
-- return ret; \
-+ ret = 0; \
- offset += ret; \
- if (ret > len) \
- ret = len; \
---
-1.8.3.1
-
diff --git a/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch b/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch
deleted file mode 100644
index 35cd08e..0000000
--- a/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 330acafe4d0dec5dfa3b110e26e24aaa189ea8dc Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 16 May 2017 12:32:00 +0200
-Subject: [PATCH] expr/ct: prevent array index overrun in ctkey2str()
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353309
-Upstream Status: libnftnl commit cca54d5e9c3f4
-
-commit cca54d5e9c3f436cd85bc55415c08bf671bfefe6
-Author: Phil Sutter <phil@nwl.cc>
-Date: Fri Aug 12 01:33:35 2016 +0200
-
- expr/ct: prevent array index overrun in ctkey2str()
-
- The array has NFT_CT_MAX fields, so indices must be less than that
- number.
-
- Fixes: 977b7a1dbe1bd ("ct: xml: use key names instead of numbers")
- Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
- Signed-off-by: Phil Sutter <phil@nwl.cc>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/expr/ct.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/expr/ct.c b/src/expr/ct.c
-index 7d96df4..1a53b49 100644
---- a/src/expr/ct.c
-+++ b/src/expr/ct.c
-@@ -173,7 +173,7 @@ static const char *ctkey2str_array[NFT_CT_MAX] = {
-
- static const char *ctkey2str(uint32_t ctkey)
- {
-- if (ctkey > NFT_CT_MAX)
-+ if (ctkey >= NFT_CT_MAX)
- return "unknown";
-
- return ctkey2str_array[ctkey];
---
-1.8.3.1
-
diff --git a/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch b/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch
deleted file mode 100644
index c01f81b..0000000
--- a/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch
+++ /dev/null
@@ -1,224 +0,0 @@
-From 47e07d1a242b18b17602144cc7de260b6291f9e5 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 16 May 2017 12:33:42 +0200
-Subject: [PATCH] src: Fix nftnl_*_get_data() to return the real attribute
- length
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353322
-Upstream Status: libnftnl commit bda7102d60bfd
-
-commit bda7102d60bfdab2aa3f36ebd09a119206f264d0
-Author: Carlos Falgueras García <carlosfg@riseup.net>
-Date: Mon Jul 11 18:07:40 2016 +0200
-
- src: Fix nftnl_*_get_data() to return the real attribute length
-
- All getters must set the memory size of the attributes, ie. this
- includes the nul-termination in strings.
-
- For references to opaque objects hidden behind the curtain, report
- a zero size.
-
- Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/chain.c | 3 +++
- src/expr.c | 1 +
- src/expr/dynset.c | 3 +++
- src/expr/lookup.c | 3 +++
- src/gen.c | 1 +
- src/rule.c | 2 ++
- src/set.c | 2 ++
- src/set_elem.c | 6 ++++++
- src/table.c | 1 +
- src/trace.c | 6 +++---
- 10 files changed, 25 insertions(+), 3 deletions(-)
-
-diff --git a/src/chain.c b/src/chain.c
-index 990c576..c956cec 100644
---- a/src/chain.c
-+++ b/src/chain.c
-@@ -268,8 +268,10 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr,
-
- switch(attr) {
- case NFTNL_CHAIN_NAME:
-+ *data_len = strlen(c->name) + 1;
- return c->name;
- case NFTNL_CHAIN_TABLE:
-+ *data_len = strlen(c->table) + 1;
- return c->table;
- case NFTNL_CHAIN_HOOKNUM:
- *data_len = sizeof(uint32_t);
-@@ -299,6 +301,7 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr,
- *data_len = sizeof(uint32_t);
- return c->type;
- case NFTNL_CHAIN_DEV:
-+ *data_len = strlen(c->dev) + 1;
- return c->dev;
- }
- return NULL;
-diff --git a/src/expr.c b/src/expr.c
-index ed07dc4..4a28dd2 100644
---- a/src/expr.c
-+++ b/src/expr.c
-@@ -120,6 +120,7 @@ const void *nftnl_expr_get(const struct nftnl_expr *expr,
-
- switch(type) {
- case NFTNL_EXPR_NAME:
-+ *data_len = strlen(expr->ops->name) + 1;
- ret = expr->ops->name;
- break;
- default:
-diff --git a/src/expr/dynset.c b/src/expr/dynset.c
-index c8d97a5..9b21dfa 100644
---- a/src/expr/dynset.c
-+++ b/src/expr/dynset.c
-@@ -86,10 +86,13 @@ nftnl_expr_dynset_get(const struct nftnl_expr *e, uint16_t type,
- *data_len = sizeof(dynset->timeout);
- return &dynset->timeout;
- case NFTNL_EXPR_DYNSET_SET_NAME:
-+ *data_len = strlen(dynset->set_name) + 1;
- return dynset->set_name;
- case NFTNL_EXPR_DYNSET_SET_ID:
-+ *data_len = sizeof(dynset->set_id);
- return &dynset->set_id;
- case NFTNL_EXPR_DYNSET_EXPR:
-+ *data_len = 0;
- return dynset->expr;
- }
- return NULL;
-diff --git a/src/expr/lookup.c b/src/expr/lookup.c
-index 59a3c5c..1c7f3f7 100644
---- a/src/expr/lookup.c
-+++ b/src/expr/lookup.c
-@@ -71,10 +71,13 @@ nftnl_expr_lookup_get(const struct nftnl_expr *e, uint16_t type,
- *data_len = sizeof(lookup->dreg);
- return &lookup->dreg;
- case NFTNL_EXPR_LOOKUP_SET:
-+ *data_len = strlen(lookup->set_name) + 1;
- return lookup->set_name;
- case NFTNL_EXPR_LOOKUP_SET_ID:
-+ *data_len = sizeof(lookup->set_id);
- return &lookup->set_id;
- case NFTNL_EXPR_LOOKUP_FLAGS:
-+ *data_len = sizeof(lookup->flags);
- return &lookup->flags;
- }
- return NULL;
-diff --git a/src/gen.c b/src/gen.c
-index 115a105..f114a9c 100644
---- a/src/gen.c
-+++ b/src/gen.c
-@@ -101,6 +101,7 @@ const void *nftnl_gen_get_data(const struct nftnl_gen *gen, uint16_t attr,
-
- switch(attr) {
- case NFTNL_GEN_ID:
-+ *data_len = sizeof(gen->id);
- return &gen->id;
- }
- return NULL;
-diff --git a/src/rule.c b/src/rule.c
-index 8ee8648..b0fe30d 100644
---- a/src/rule.c
-+++ b/src/rule.c
-@@ -214,8 +214,10 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr,
- *data_len = sizeof(uint32_t);
- return &r->family;
- case NFTNL_RULE_TABLE:
-+ *data_len = strlen(r->table) + 1;
- return r->table;
- case NFTNL_RULE_CHAIN:
-+ *data_len = strlen(r->chain) + 1;
- return r->chain;
- case NFTNL_RULE_HANDLE:
- *data_len = sizeof(uint64_t);
-diff --git a/src/set.c b/src/set.c
-index 9560ccc..cc49891 100644
---- a/src/set.c
-+++ b/src/set.c
-@@ -204,8 +204,10 @@ const void *nftnl_set_get_data(const struct nftnl_set *s, uint16_t attr,
-
- switch(attr) {
- case NFTNL_SET_TABLE:
-+ *data_len = strlen(s->table) + 1;
- return s->table;
- case NFTNL_SET_NAME:
-+ *data_len = strlen(s->name) + 1;
- return s->name;
- case NFTNL_SET_FLAGS:
- *data_len = sizeof(uint32_t);
-diff --git a/src/set_elem.c b/src/set_elem.c
-index b9c7e1e..157a233 100644
---- a/src/set_elem.c
-+++ b/src/set_elem.c
-@@ -166,25 +166,31 @@ const void *nftnl_set_elem_get(struct nftnl_set_elem *s, uint16_t attr, uint32_t
-
- switch(attr) {
- case NFTNL_SET_ELEM_FLAGS:
-+ *data_len = sizeof(s->set_elem_flags);
- return &s->set_elem_flags;
- case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */
- *data_len = s->key.len;
- return &s->key.val;
- case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */
-+ *data_len = sizeof(s->data.verdict);
- return &s->data.verdict;
- case NFTNL_SET_ELEM_CHAIN: /* NFTA_SET_ELEM_DATA */
-+ *data_len = strlen(s->data.chain) + 1;
- return s->data.chain;
- case NFTNL_SET_ELEM_DATA: /* NFTA_SET_ELEM_DATA */
- *data_len = s->data.len;
- return &s->data.val;
- case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */
-+ *data_len = sizeof(s->timeout);
- return &s->timeout;
- case NFTNL_SET_ELEM_EXPIRATION: /* NFTA_SET_ELEM_EXPIRATION */
-+ *data_len = sizeof(s->expiration);
- return &s->expiration;
- case NFTNL_SET_ELEM_USERDATA:
- *data_len = s->user.len;
- return s->user.data;
- case NFTNL_SET_ELEM_EXPR:
-+ *data_len = 0;
- return s->expr;
- }
- return NULL;
-diff --git a/src/table.c b/src/table.c
-index 42fe49f..b58ce73 100644
---- a/src/table.c
-+++ b/src/table.c
-@@ -145,6 +145,7 @@ const void *nftnl_table_get_data(const struct nftnl_table *t, uint16_t attr,
-
- switch(attr) {
- case NFTNL_TABLE_NAME:
-+ *data_len = strlen(t->name) + 1;
- return t->name;
- case NFTNL_TABLE_FLAGS:
- *data_len = sizeof(uint32_t);
-diff --git a/src/trace.c b/src/trace.c
-index 921fa21..2572d2c 100644
---- a/src/trace.c
-+++ b/src/trace.c
-@@ -165,13 +165,13 @@ const void *nftnl_trace_get_data(const struct nftnl_trace *trace,
- *data_len = sizeof(uint32_t);
- return &trace->type;
- case NFTNL_TRACE_CHAIN:
-- *data_len = strlen(trace->chain);
-+ *data_len = strlen(trace->chain) + 1;
- return trace->chain;
- case NFTNL_TRACE_TABLE:
-- *data_len = strlen(trace->table);
-+ *data_len = strlen(trace->table) + 1;
- return trace->table;
- case NFTNL_TRACE_JUMP_TARGET:
-- *data_len = strlen(trace->jump_target);
-+ *data_len = strlen(trace->jump_target) + 1;
- return trace->jump_target;
- case NFTNL_TRACE_TRANSPORT_HEADER:
- *data_len = trace->th.len;
---
-1.8.3.1
-
diff --git a/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch b/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch
deleted file mode 100644
index 8095cdd..0000000
--- a/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 42797f72106dffd348e195b5d8d81bfe1eaff3d6 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 16 May 2017 12:33:42 +0200
-Subject: [PATCH] ruleset: Initialize ctx.flags before calling
- nftnl_ruleset_ctx_set()
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353322
-Upstream Status: libnftnl commit 6257aaf53ede6
-
-commit 6257aaf53ede6456e28b0224d215c811f534ff35
-Author: Phil Sutter <phil@nwl.cc>
-Date: Fri Aug 12 01:33:39 2016 +0200
-
- ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set()
-
- The called function otherwise accesses uninitialized data.
-
- Signed-off-by: Phil Sutter <phil@nwl.cc>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/ruleset.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/ruleset.c b/src/ruleset.c
-index 414b7c4..ec4cb1d 100644
---- a/src/ruleset.c
-+++ b/src/ruleset.c
-@@ -555,6 +555,7 @@ static int nftnl_ruleset_json_parse(const void *json,
-
- ctx.cb = cb;
- ctx.format = type;
-+ ctx.flags = 0;
-
- ctx.set_list = nftnl_set_list_alloc();
- if (ctx.set_list == NULL)
-@@ -686,6 +687,7 @@ static int nftnl_ruleset_xml_parse(const void *xml, struct nftnl_parse_err *err,
-
- ctx.cb = cb;
- ctx.format = type;
-+ ctx.flags = 0;
-
- ctx.set_list = nftnl_set_list_alloc();
- if (ctx.set_list == NULL)
---
-1.8.3.1
-
diff --git a/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch b/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch
deleted file mode 100644
index 360d024..0000000
--- a/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 546add7a95c037d9149b2c921b22f32ccb26896e Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 16 May 2017 12:34:38 +0200
-Subject: [PATCH] expr/limit: Drop unreachable code in limit_to_type()
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353312
-Upstream Status: libnftnl commit e381cd99e9eb0
-
-commit e381cd99e9eb0e9519a976c8288f6b9e051ada3a
-Author: Phil Sutter <phil@nwl.cc>
-Date: Fri Aug 12 01:33:36 2016 +0200
-
- expr/limit: Drop unreachable code in limit_to_type()
-
- The function returns from inside the switch() in any case, so the final
- return statement is never reached.
-
- Fixes: 7769cbd9dfe69 ("expr: limit: add per-byte limiting support")
- Signed-off-by: Phil Sutter <phil@nwl.cc>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/expr/limit.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/expr/limit.c b/src/expr/limit.c
-index 4bd096e..cdff81d 100644
---- a/src/expr/limit.c
-+++ b/src/expr/limit.c
-@@ -259,7 +259,6 @@ static const char *limit_to_type(enum nft_limit_type type)
- case NFT_LIMIT_PKT_BYTES:
- return "bytes";
- }
-- return "unknown";
- }
-
- static int nftnl_expr_limit_snprintf_default(char *buf, size_t len,
---
-1.8.3.1
-
diff --git a/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch b/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch
deleted file mode 100644
index 3404edd..0000000
--- a/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 70f1f3c92363364544843c26c6ecf4555a89f0b4 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 16 May 2017 12:35:54 +0200
-Subject: [PATCH] src: Avoid returning uninitialized data
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353319
-Upstream Status: libnftnl commit 7a150cacc1754
-
-commit 7a150cacc1754f66525f0e87b14b35fbc2a6338e
-Author: Phil Sutter <phil@nwl.cc>
-Date: Fri Aug 12 01:33:38 2016 +0200
-
- src: Avoid returning uninitialized data
-
- Although the 'err' pointer should be interesting for users only if the
- parser returned non-zero, having it point to uninitialized data is
- generally a bad thing.
-
- Signed-off-by: Phil Sutter <phil@nwl.cc>
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/chain.c | 2 +-
- src/rule.c | 2 +-
- src/set.c | 2 +-
- src/table.c | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/chain.c b/src/chain.c
-index c956cec..ff87d1b 100644
---- a/src/chain.c
-+++ b/src/chain.c
-@@ -801,7 +801,7 @@ static int nftnl_chain_do_parse(struct nftnl_chain *c, enum nftnl_parse_type typ
- enum nftnl_parse_input input)
- {
- int ret;
-- struct nftnl_parse_err perr;
-+ struct nftnl_parse_err perr = {};
-
- switch (type) {
- case NFTNL_PARSE_XML:
-diff --git a/src/rule.c b/src/rule.c
-index b0fe30d..f202d03 100644
---- a/src/rule.c
-+++ b/src/rule.c
-@@ -689,7 +689,7 @@ static int nftnl_rule_do_parse(struct nftnl_rule *r, enum nftnl_parse_type type,
- enum nftnl_parse_input input)
- {
- int ret;
-- struct nftnl_parse_err perr;
-+ struct nftnl_parse_err perr = {};
-
- switch (type) {
- case NFTNL_PARSE_XML:
-diff --git a/src/set.c b/src/set.c
-index cc49891..7e44769 100644
---- a/src/set.c
-+++ b/src/set.c
-@@ -739,7 +739,7 @@ static int nftnl_set_do_parse(struct nftnl_set *s, enum nftnl_parse_type type,
- enum nftnl_parse_input input)
- {
- int ret;
-- struct nftnl_parse_err perr;
-+ struct nftnl_parse_err perr = {};
-
- switch (type) {
- case NFTNL_PARSE_XML:
-diff --git a/src/table.c b/src/table.c
-index b58ce73..6eb344e 100644
---- a/src/table.c
-+++ b/src/table.c
-@@ -359,7 +359,7 @@ static int nftnl_table_do_parse(struct nftnl_table *t, enum nftnl_parse_type typ
- enum nftnl_parse_input input)
- {
- int ret;
-- struct nftnl_parse_err perr;
-+ struct nftnl_parse_err perr = {};
-
- switch (type) {
- case NFTNL_PARSE_XML:
---
-1.8.3.1
-
diff --git a/SOURCES/0011-chain-dynamically-allocate-name.patch b/SOURCES/0011-chain-dynamically-allocate-name.patch
deleted file mode 100644
index ea72666..0000000
--- a/SOURCES/0011-chain-dynamically-allocate-name.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 52e03423b7fb8d3ae8cae1770c70c7519a03f341 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Tue, 16 May 2017 15:29:27 +0200
-Subject: [PATCH] chain: dynamically allocate name
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353320
-Upstream Status: libnftnl commit 23c2ef2f9812a
-Conflicts: Patch applied manually to fit the rest of the code which was
- changed changed a lot upstream. Future backports of the
- following commits have to adjust code added here as well:
- * 8f4de3888ce74 ("src: return value on setters that
- internally allocate memory")
- * 46b887ca6b038 ("src: simplify unsetters")
- * 50b175dbd598e ("src: check for flags before releasing
- attributes")
-
-commit 23c2ef2f9812a04c3bd8248de70cad37a176550a
-Author: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Fri Jun 10 14:34:10 2016 +0200
-
- chain: dynamically allocate name
-
- Just in case we ever support chain with larger names in the future,
- this will ensure the library doesn't break. Although I don't expect
- allocating more bytes for this anytime soon, but let's be conservative
- here.
-
- Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- src/chain.c | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/src/chain.c b/src/chain.c
-index ff87d1b..a91f1bc 100644
---- a/src/chain.c
-+++ b/src/chain.c
-@@ -32,7 +32,7 @@
- struct nftnl_chain {
- struct list_head head;
-
-- char name[NFT_CHAIN_MAXNAMELEN];
-+ const char *name;
- const char *type;
- const char *table;
- const char *dev;
-@@ -95,13 +95,14 @@ EXPORT_SYMBOL_ALIAS(nftnl_chain_alloc, nft_chain_alloc);
-
- void nftnl_chain_free(const struct nftnl_chain *c)
- {
-+ if (c->name != NULL)
-+ xfree(c->name);
- if (c->table != NULL)
- xfree(c->table);
- if (c->type != NULL)
- xfree(c->type);
- if (c->dev != NULL)
- xfree(c->dev);
--
- xfree(c);
- }
- EXPORT_SYMBOL_ALIAS(nftnl_chain_free, nft_chain_free);
-@@ -118,6 +119,12 @@ void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr)
- return;
-
- switch (attr) {
-+ case NFTNL_CHAIN_NAME:
-+ if (c->name) {
-+ xfree(c->name);
-+ c->name = NULL;
-+ }
-+ break;
- case NFTNL_CHAIN_TABLE:
- if (c->table) {
- xfree(c->table);
-@@ -132,7 +139,6 @@ void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr)
- c->type = NULL;
- }
- break;
-- case NFTNL_CHAIN_NAME:
- case NFTNL_CHAIN_HOOKNUM:
- case NFTNL_CHAIN_PRIO:
- case NFTNL_CHAIN_POLICY:
-@@ -175,7 +181,10 @@ void nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr,
-
- switch(attr) {
- case NFTNL_CHAIN_NAME:
-- strncpy(c->name, data, NFT_CHAIN_MAXNAMELEN);
-+ if (c->name)
-+ xfree(c->name);
-+
-+ c->name = strdup(data);
- break;
- case NFTNL_CHAIN_TABLE:
- if (c->table)
-@@ -533,8 +542,8 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *c)
- return -1;
-
- if (tb[NFTA_CHAIN_NAME]) {
-- strncpy(c->name, mnl_attr_get_str(tb[NFTA_CHAIN_NAME]),
-- NFT_CHAIN_MAXNAMELEN);
-+ xfree(c->name);
-+ c->name = strdup(mnl_attr_get_str(tb[NFTA_CHAIN_NAME]));
- c->flags |= (1 << NFTNL_CHAIN_NAME);
- }
- if (tb[NFTA_CHAIN_TABLE]) {
---
-1.8.3.1
-
diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec
index cf41127..9883a5a 100644
--- a/SPECS/libnftnl.spec
+++ b/SPECS/libnftnl.spec
@@ -1,5 +1,5 @@
-%define rpmversion 1.0.6
-%define specrelease 6%{?dist}
+%define rpmversion 1.0.8
+%define specrelease 1%{?dist}
Name: libnftnl
Version: %{rpmversion}
@@ -7,24 +7,13 @@ Release: %{specrelease}%{?buildid}
Summary: Library for low-level interaction with nftables Netlink's API over libmnl
License: GPLv2+
URL: http://netfilter.org/projects/libnftnl/
-Source0: %{name}-%{version}.tar.xz
+Source0: http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: libmnl-devel
#BuildRequires: mxml-devel
BuildRequires: jansson-devel
-Patch0: 0001-src-add-range-expression.patch
-Patch1: 0002-tests-stricter-string-attribute-validation.patch
-Patch2: 0003-expr-lookup-give-support-for-inverted-matching.patch
-Patch3: 0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch
-Patch4: 0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch
-Patch5: 0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch
-Patch6: 0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch
-Patch7: 0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch
-Patch8: 0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch
-Patch9: 0010-src-Avoid-returning-uninitialized-data.patch
-Patch10: 0011-chain-dynamically-allocate-name.patch
%description
A library for low-level interaction with nftables Netlink's API over libmnl.
@@ -71,6 +60,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%{_includedir}/libnftnl
%changelog
+* Fri Oct 13 2017 Phil Sutter <psutter@redhat.com> [1.0.8-1.el7]
+- Rebase onto upstream version 1.0.8 (Phil Sutter) [1472260]
+
* Tue May 16 2017 Phil Sutter <psutter@redhat.com> [1.0.6-6.el7]
- chain: dynamically allocate name (Phil Sutter) [1353320]
- src: Avoid returning uninitialized data (Phil Sutter) [1353319]