diff --git a/.gitignore b/.gitignore
index ebc317f..ccc74cf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libnftnl-1.0.6.tar.bz2
+SOURCES/libnftnl-1.0.6.tar.xz
diff --git a/.libnftnl.metadata b/.libnftnl.metadata
index 0758752..c439cc2 100644
--- a/.libnftnl.metadata
+++ b/.libnftnl.metadata
@@ -1 +1 @@
-453f1c2d99d219baeca4ba42aa874f02d2ddf2f7 SOURCES/libnftnl-1.0.6.tar.bz2
+947d9ed587b8a4cd3883721a2878ade962ce6dad SOURCES/libnftnl-1.0.6.tar.xz
diff --git a/SOURCES/0001-src-add-range-expression.patch b/SOURCES/0001-src-add-range-expression.patch
new file mode 100644
index 0000000..48c6c0f
--- /dev/null
+++ b/SOURCES/0001-src-add-range-expression.patch
@@ -0,0 +1,569 @@
+From 41e4687e83c8eba29b5cf7cbbea74fab56835468 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 23 Feb 2017 17:07:00 +0100
+Subject: [PATCH] src: add range expression
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1418967
+Upstream Status: unknown commit 200da4866ada0
+Conflicts: Context changes due to missing other features.
+
+commit 200da4866ada06b2ee0f708c93dbdf9dcd0fcfe4
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue Sep 20 17:53:21 2016 +0200
+
+ src: add range expression
+
+ Add range expression available that is scheduled for linux kernel 4.9.
+ This range expression allows us to check if a given value placed in a
+ register is within/outside a specified interval.
+
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/libnftnl/expr.h | 7 +
+ include/linux/netfilter/nf_tables.h | 29 ++++
+ src/Makefile.am | 1 +
+ src/expr/range.c | 288 ++++++++++++++++++++++++++++++++++++
+ src/expr_ops.c | 2 +
+ tests/Makefile.am | 4 +
+ tests/nft-expr_range-test.c | 109 ++++++++++++++
+ tests/test-script.sh | 1 +
+ 8 files changed, 441 insertions(+)
+ create mode 100644 src/expr/range.c
+ create mode 100644 tests/nft-expr_range-test.c
+
+diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
+index f192103..5822a9e 100644
+--- a/include/libnftnl/expr.h
++++ b/include/libnftnl/expr.h
+@@ -61,6 +61,13 @@ enum {
+ };
+
+ enum {
++ NFTNL_EXPR_RANGE_SREG = NFTNL_EXPR_BASE,
++ NFTNL_EXPR_RANGE_OP,
++ NFTNL_EXPR_RANGE_FROM_DATA,
++ NFTNL_EXPR_RANGE_TO_DATA,
++};
++
++enum {
+ NFTNL_EXPR_IMM_DREG = NFTNL_EXPR_BASE,
+ NFTNL_EXPR_IMM_DATA,
+ NFTNL_EXPR_IMM_VERDICT,
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 6a4dbe0..3b7b7f3 100644
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -547,6 +547,35 @@ enum nft_cmp_attributes {
+ #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1)
+
+ /**
++ * enum nft_range_ops - nf_tables range operator
++ *
++ * @NFT_RANGE_EQ: equal
++ * @NFT_RANGE_NEQ: not equal
++ */
++enum nft_range_ops {
++ NFT_RANGE_EQ,
++ NFT_RANGE_NEQ,
++};
++
++/**
++ * enum nft_range_attributes - nf_tables range expression netlink attributes
++ *
++ * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers)
++ * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_cmp_ops)
++ * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes)
++ * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes)
++ */
++enum nft_range_attributes {
++ NFTA_RANGE_UNSPEC,
++ NFTA_RANGE_SREG,
++ NFTA_RANGE_OP,
++ NFTA_RANGE_FROM_DATA,
++ NFTA_RANGE_TO_DATA,
++ __NFTA_RANGE_MAX
++};
++#define NFTA_RANGE_MAX (__NFTA_RANGE_MAX - 1)
++
++/**
+ * enum nft_lookup_attributes - nf_tables set lookup expression netlink attributes
+ *
+ * @NFTA_LOOKUP_SET: name of the set where to look for (NLA_STRING)
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 7e580e4..6378815 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -25,6 +25,7 @@ libnftnl_la_SOURCES = utils.c \
+ expr/bitwise.c \
+ expr/byteorder.c \
+ expr/cmp.c \
++ expr/range.c \
+ expr/counter.c \
+ expr/ct.c \
+ expr/data_reg.c \
+diff --git a/src/expr/range.c b/src/expr/range.c
+new file mode 100644
+index 0000000..1489d58
+--- /dev/null
++++ b/src/expr/range.c
+@@ -0,0 +1,288 @@
++/*
++ * (C) 2016 by Pablo Neira Ayuso <pablo@netfilter.org>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published
++ * by the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ */
++
++#include "internal.h"
++
++#include <stdio.h>
++#include <stdint.h>
++#include <string.h>
++#include <arpa/inet.h>
++#include <errno.h>
++
++#include <libmnl/libmnl.h>
++#include <linux/netfilter/nf_tables.h>
++#include <libnftnl/expr.h>
++#include <libnftnl/rule.h>
++
++struct nftnl_expr_range {
++ union nftnl_data_reg data_from;
++ union nftnl_data_reg data_to;
++ enum nft_registers sreg;
++ enum nft_range_ops op;
++};
++
++static int nftnl_expr_range_set(struct nftnl_expr *e, uint16_t type,
++ const void *data, uint32_t data_len)
++{
++ struct nftnl_expr_range *range = nftnl_expr_data(e);
++
++ switch(type) {
++ case NFTNL_EXPR_RANGE_SREG:
++ range->sreg = *((uint32_t *)data);
++ break;
++ case NFTNL_EXPR_RANGE_OP:
++ range->op = *((uint32_t *)data);
++ break;
++ case NFTNL_EXPR_RANGE_FROM_DATA:
++ memcpy(&range->data_from.val, data, data_len);
++ range->data_from.len = data_len;
++ break;
++ case NFTNL_EXPR_RANGE_TO_DATA:
++ memcpy(&range->data_to.val, data, data_len);
++ range->data_to.len = data_len;
++ break;
++ default:
++ return -1;
++ }
++ return 0;
++}
++
++static const void *nftnl_expr_range_get(const struct nftnl_expr *e,
++ uint16_t type, uint32_t *data_len)
++{
++ struct nftnl_expr_range *range = nftnl_expr_data(e);
++
++ switch(type) {
++ case NFTNL_EXPR_RANGE_SREG:
++ *data_len = sizeof(range->sreg);
++ return &range->sreg;
++ case NFTNL_EXPR_RANGE_OP:
++ *data_len = sizeof(range->op);
++ return &range->op;
++ case NFTNL_EXPR_RANGE_FROM_DATA:
++ *data_len = range->data_from.len;
++ return &range->data_from.val;
++ case NFTNL_EXPR_RANGE_TO_DATA:
++ *data_len = range->data_to.len;
++ return &range->data_to.val;
++ }
++ return NULL;
++}
++
++static int nftnl_expr_range_cb(const struct nlattr *attr, void *data)
++{
++ const struct nlattr **tb = data;
++ int type = mnl_attr_get_type(attr);
++
++ if (mnl_attr_type_valid(attr, NFTA_RANGE_MAX) < 0)
++ return MNL_CB_OK;
++
++ switch(type) {
++ case NFTA_RANGE_SREG:
++ case NFTA_RANGE_OP:
++ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
++ abi_breakage();
++ break;
++ case NFTA_RANGE_FROM_DATA:
++ case NFTA_RANGE_TO_DATA:
++ if (mnl_attr_validate(attr, MNL_TYPE_BINARY) < 0)
++ abi_breakage();
++ break;
++ }
++
++ tb[type] = attr;
++ return MNL_CB_OK;
++}
++
++static void
++nftnl_expr_range_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
++{
++ struct nftnl_expr_range *range = nftnl_expr_data(e);
++
++ if (e->flags & (1 << NFTNL_EXPR_RANGE_SREG))
++ mnl_attr_put_u32(nlh, NFTA_RANGE_SREG, htonl(range->sreg));
++ if (e->flags & (1 << NFTNL_EXPR_RANGE_OP))
++ mnl_attr_put_u32(nlh, NFTA_RANGE_OP, htonl(range->op));
++ if (e->flags & (1 << NFTNL_EXPR_RANGE_FROM_DATA)) {
++ struct nlattr *nest;
++
++ nest = mnl_attr_nest_start(nlh, NFTA_RANGE_FROM_DATA);
++ mnl_attr_put(nlh, NFTA_DATA_VALUE, range->data_from.len,
++ range->data_from.val);
++ mnl_attr_nest_end(nlh, nest);
++ }
++ if (e->flags & (1 << NFTNL_EXPR_RANGE_TO_DATA)) {
++ struct nlattr *nest;
++
++ nest = mnl_attr_nest_start(nlh, NFTA_RANGE_TO_DATA);
++ mnl_attr_put(nlh, NFTA_DATA_VALUE, range->data_to.len,
++ range->data_to.val);
++ mnl_attr_nest_end(nlh, nest);
++ }
++}
++
++static int
++nftnl_expr_range_parse(struct nftnl_expr *e, struct nlattr *attr)
++{
++ struct nftnl_expr_range *range = nftnl_expr_data(e);
++ struct nlattr *tb[NFTA_RANGE_MAX+1] = {};
++ int ret = 0;
++
++ if (mnl_attr_parse_nested(attr, nftnl_expr_range_cb, tb) < 0)
++ return -1;
++
++ if (tb[NFTA_RANGE_SREG]) {
++ range->sreg = ntohl(mnl_attr_get_u32(tb[NFTA_RANGE_SREG]));
++ e->flags |= (1 << NFTA_RANGE_SREG);
++ }
++ if (tb[NFTA_RANGE_OP]) {
++ range->op = ntohl(mnl_attr_get_u32(tb[NFTA_RANGE_OP]));
++ e->flags |= (1 << NFTA_RANGE_OP);
++ }
++ if (tb[NFTA_RANGE_FROM_DATA]) {
++ ret = nftnl_parse_data(&range->data_from,
++ tb[NFTA_RANGE_FROM_DATA], NULL);
++ e->flags |= (1 << NFTA_RANGE_FROM_DATA);
++ }
++ if (tb[NFTA_RANGE_TO_DATA]) {
++ ret = nftnl_parse_data(&range->data_to,
++ tb[NFTA_RANGE_TO_DATA], NULL);
++ e->flags |= (1 << NFTA_RANGE_TO_DATA);
++ }
++
++ return ret;
++}
++
++static char *expr_range_str[] = {
++ [NFT_RANGE_EQ] = "eq",
++ [NFT_RANGE_NEQ] = "neq",
++};
++
++static const char *range2str(uint32_t op)
++{
++ if (op > NFT_RANGE_NEQ)
++ return "unknown";
++
++ return expr_range_str[op];
++}
++
++static inline int nftnl_str2range(const char *op)
++{
++ if (strcmp(op, "eq") == 0)
++ return NFT_RANGE_EQ;
++ else if (strcmp(op, "neq") == 0)
++ return NFT_RANGE_NEQ;
++ else {
++ errno = EINVAL;
++ return -1;
++ }
++}
++
++static int nftnl_expr_range_json_parse(struct nftnl_expr *e, json_t *root,
++ struct nftnl_parse_err *err)
++{
++#ifdef JSON_PARSING
++ struct nftnl_expr_range *range = nftnl_expr_data(e);
++ const char *op;
++ uint32_t uval32;
++ int base;
++
++ if (nftnl_jansson_parse_val(root, "sreg", NFTNL_TYPE_U32, &uval32,
++ err) == 0)
++ nftnl_expr_set_u32(e, NFTNL_EXPR_RANGE_SREG, uval32);
++
++ op = nftnl_jansson_parse_str(root, "op", err);
++ if (op != NULL) {
++ base = nftnl_str2range(op);
++ if (base < 0)
++ return -1;
++
++ nftnl_expr_set_u32(e, NFTNL_EXPR_RANGE_OP, base);
++ }
++
++ if (nftnl_jansson_data_reg_parse(root, "data_from",
++ &range->data_from, err) == DATA_VALUE)
++ e->flags |= (1 << NFTNL_EXPR_RANGE_FROM_DATA);
++
++ if (nftnl_jansson_data_reg_parse(root, "data_to",
++ &range->data_to, err) == DATA_VALUE)
++ e->flags |= (1 << NFTNL_EXPR_RANGE_TO_DATA);
++
++ return 0;
++#else
++ errno = EOPNOTSUPP;
++ return -1;
++#endif
++}
++
++static int nftnl_expr_range_export(char *buf, size_t size,
++ const struct nftnl_expr *e, int type)
++{
++ struct nftnl_expr_range *range = nftnl_expr_data(e);
++ NFTNL_BUF_INIT(b, buf, size);
++
++ if (e->flags & (1 << NFTNL_EXPR_RANGE_SREG))
++ nftnl_buf_u32(&b, type, range->sreg, SREG);
++ if (e->flags & (1 << NFTNL_EXPR_RANGE_OP))
++ nftnl_buf_str(&b, type, range2str(range->op), OP);
++ if (e->flags & (1 << NFTNL_EXPR_RANGE_FROM_DATA))
++ nftnl_buf_reg(&b, type, &range->data_from, DATA_VALUE, DATA);
++ if (e->flags & (1 << NFTNL_EXPR_RANGE_TO_DATA))
++ nftnl_buf_reg(&b, type, &range->data_to, DATA_VALUE, DATA);
++
++ return nftnl_buf_done(&b);
++}
++
++static int nftnl_expr_range_snprintf_default(char *buf, size_t size,
++ const struct nftnl_expr *e)
++{
++ struct nftnl_expr_range *range = nftnl_expr_data(e);
++ int len = size, offset = 0, ret;
++
++ ret = snprintf(buf, len, "%s reg %u ",
++ expr_range_str[range->op], range->sreg);
++ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
++
++ ret = nftnl_data_reg_snprintf(buf + offset, len, &range->data_from,
++ NFTNL_OUTPUT_DEFAULT, 0, DATA_VALUE);
++ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
++
++ ret = nftnl_data_reg_snprintf(buf + offset, len, &range->data_to,
++ NFTNL_OUTPUT_DEFAULT, 0, DATA_VALUE);
++ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
++
++ return offset;
++}
++
++static int nftnl_expr_range_snprintf(char *buf, size_t size, uint32_t type,
++ uint32_t flags, const struct nftnl_expr *e)
++{
++ switch (type) {
++ case NFTNL_OUTPUT_DEFAULT:
++ return nftnl_expr_range_snprintf_default(buf, size, e);
++ case NFTNL_OUTPUT_XML:
++ case NFTNL_OUTPUT_JSON:
++ return nftnl_expr_range_export(buf, size, e, type);
++ default:
++ break;
++ }
++ return -1;
++}
++
++struct expr_ops expr_ops_range = {
++ .name = "range",
++ .alloc_len = sizeof(struct nftnl_expr_range),
++ .max_attr = NFTA_RANGE_MAX,
++ .set = nftnl_expr_range_set,
++ .get = nftnl_expr_range_get,
++ .parse = nftnl_expr_range_parse,
++ .build = nftnl_expr_range_build,
++ .snprintf = nftnl_expr_range_snprintf,
++ .json_parse = nftnl_expr_range_json_parse,
++};
+diff --git a/src/expr_ops.c b/src/expr_ops.c
+index ae515af..80d9f4c 100644
+--- a/src/expr_ops.c
++++ b/src/expr_ops.c
+@@ -21,6 +21,7 @@ extern struct expr_ops expr_ops_match;
+ extern struct expr_ops expr_ops_meta;
+ extern struct expr_ops expr_ops_nat;
+ extern struct expr_ops expr_ops_payload;
++extern struct expr_ops expr_ops_range;
+ extern struct expr_ops expr_ops_redir;
+ extern struct expr_ops expr_ops_reject;
+ extern struct expr_ops expr_ops_queue;
+@@ -45,6 +46,7 @@ static struct expr_ops *expr_ops[] = {
+ &expr_ops_meta,
+ &expr_ops_nat,
+ &expr_ops_payload,
++ &expr_ops_range,
+ &expr_ops_redir,
+ &expr_ops_reject,
+ &expr_ops_queue,
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index c246034..673c4a7 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -27,6 +27,7 @@ check_PROGRAMS = nft-parsing-test \
+ nft-expr_nat-test \
+ nft-expr_payload-test \
+ nft-expr_queue-test \
++ nft-expr_range-test \
+ nft-expr_redir-test \
+ nft-expr_reject-test \
+ nft-expr_target-test
+@@ -100,6 +101,9 @@ nft_expr_payload_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
+ nft_expr_queue_test_SOURCES = nft-expr_queue-test.c
+ nft_expr_queue_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
+
++nft_expr_range_test_SOURCES = nft-expr_range-test.c
++nft_expr_range_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
++
+ nft_expr_reject_test_SOURCES = nft-expr_reject-test.c
+ nft_expr_reject_test_LDADD = ../src/libnftnl.la ${LIBMNL_LIBS}
+
+diff --git a/tests/nft-expr_range-test.c b/tests/nft-expr_range-test.c
+new file mode 100644
+index 0000000..b92dfc0
+--- /dev/null
++++ b/tests/nft-expr_range-test.c
+@@ -0,0 +1,109 @@
++/*
++ * (C) 2013 by Ana Rey Botello <anarey@gmail.com>
++ *
++ * This program is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <netinet/in.h>
++#include <netinet/ip.h>
++#include <linux/netfilter/nf_tables.h>
++#include <libmnl/libmnl.h>
++#include <libnftnl/rule.h>
++#include <libnftnl/expr.h>
++
++static int test_ok = 1;
++
++static void print_err(const char *msg)
++{
++ test_ok = 0;
++ printf("\033[31mERROR:\e[0m %s\n", msg);
++}
++
++static void range_nftnl_expr(struct nftnl_expr *rule_a,
++ struct nftnl_expr *rule_b)
++{
++ uint32_t data_a, data_b;
++
++ nftnl_expr_get(rule_a, NFTNL_EXPR_RANGE_FROM_DATA, &data_a);
++ nftnl_expr_get(rule_b, NFTNL_EXPR_RANGE_FROM_DATA, &data_b);
++ if (data_a != data_b)
++ print_err("Size of NFTNL_EXPR_RANGE_FROM_DATA mismatches");
++ nftnl_expr_get(rule_a, NFTNL_EXPR_RANGE_TO_DATA, &data_a);
++ nftnl_expr_get(rule_b, NFTNL_EXPR_RANGE_TO_DATA, &data_b);
++ if (data_a != data_b)
++ print_err("Size of NFTNL_EXPR_RANGE_TO_DATA mismatches");
++ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_RANGE_SREG) !=
++ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_RANGE_SREG))
++ print_err("Expr NFTNL_EXPR_RANGE_SREG mismatches");
++ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_RANGE_OP) !=
++ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_RANGE_OP))
++ print_err("Expr NFTNL_EXPR_RANGE_OP mismatches");
++}
++
++int main(int argc, char *argv[])
++{
++ struct nftnl_rule *a, *b;
++ struct nftnl_expr *ex;
++ struct nlmsghdr *nlh;
++ char buf[4096];
++ struct nftnl_expr_iter *iter_a, *iter_b;
++ struct nftnl_expr *rule_a, *rule_b;
++ uint32_t data_a = 0x01010101, data_b = 0x02020202;
++
++ a = nftnl_rule_alloc();
++ b = nftnl_rule_alloc();
++ if (a == NULL || b == NULL)
++ print_err("OOM");
++ ex = nftnl_expr_alloc("range");
++ if (ex == NULL)
++ print_err("OOM");
++
++ nftnl_expr_set(ex, NFTNL_EXPR_RANGE_FROM_DATA,
++ &data_a, sizeof(data_a));
++ nftnl_expr_set(ex, NFTNL_EXPR_RANGE_TO_DATA,
++ &data_b, sizeof(data_b));
++ nftnl_expr_set_u32(ex, NFTNL_EXPR_RANGE_SREG, 0x12345678);
++ nftnl_expr_set_u32(ex, NFTNL_EXPR_RANGE_OP, 0x78123456);
++
++ nftnl_rule_add_expr(a, ex);
++
++ nlh = nftnl_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET, 0, 1234);
++ nftnl_rule_nlmsg_build_payload(nlh, a);
++
++ if (nftnl_rule_nlmsg_parse(nlh, b) < 0)
++ print_err("parsing problems");
++
++ iter_a = nftnl_expr_iter_create(a);
++ iter_b = nftnl_expr_iter_create(b);
++ if (iter_a == NULL || iter_b == NULL)
++ print_err("OOM");
++ rule_a = nftnl_expr_iter_next(iter_a);
++ rule_b = nftnl_expr_iter_next(iter_b);
++ if (rule_a == NULL || rule_b == NULL)
++ print_err("OOM");
++
++ range_nftnl_expr(rule_a, rule_b);
++
++ if (nftnl_expr_iter_next(iter_a) != NULL ||
++ nftnl_expr_iter_next(iter_b) != NULL)
++ print_err("More 1 expr.");
++
++ nftnl_expr_iter_destroy(iter_a);
++ nftnl_expr_iter_destroy(iter_b);
++ nftnl_rule_free(a);
++ nftnl_rule_free(b);
++
++ if (!test_ok)
++ exit(EXIT_FAILURE);
++
++ printf("%s: \033[32mOK\e[0m\n", argv[0]);
++ return EXIT_SUCCESS;
++}
+diff --git a/tests/test-script.sh b/tests/test-script.sh
+index b040158..f4e1b7a 100755
+--- a/tests/test-script.sh
++++ b/tests/test-script.sh
+@@ -12,6 +12,7 @@
+ ./nft-expr_match-test
+ ./nft-expr_masq-test
+ ./nft-expr_meta-test
++./nft-expr_range-test
+ ./nft-expr_redir-test
+ ./nft-expr_nat-test
+ ./nft-expr_payload-test
+--
+1.8.3.1
+
diff --git a/SOURCES/0002-tests-stricter-string-attribute-validation.patch b/SOURCES/0002-tests-stricter-string-attribute-validation.patch
new file mode 100644
index 0000000..da8a9b8
--- /dev/null
+++ b/SOURCES/0002-tests-stricter-string-attribute-validation.patch
@@ -0,0 +1,50 @@
+From 7c8016f4afb2c4ec5c717b1c830c655318a0c561 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 12 May 2017 12:51:22 +0200
+Subject: [PATCH] tests: stricter string attribute validation
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1441084
+Upstream Status: libnftnl commit 57468cfa7916a
+
+commit 57468cfa7916aa6e21c977d1ddb6d0a0ad27edf7
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed Jun 15 13:41:06 2016 +0200
+
+ tests: stricter string attribute validation
+
+ In nft-expr_lookup-test.c, check for the strings instead of size.
+
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ tests/nft-expr_lookup-test.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/tests/nft-expr_lookup-test.c b/tests/nft-expr_lookup-test.c
+index ad028e9..2ca431b 100644
+--- a/tests/nft-expr_lookup-test.c
++++ b/tests/nft-expr_lookup-test.c
+@@ -30,18 +30,15 @@ static void print_err(const char *msg)
+ static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
+ struct nftnl_expr *rule_b)
+ {
+- uint32_t data_lena, data_lenb;
+-
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_SREG) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_SREG))
+ print_err("Expr NFTNL_EXPR_LOOkUP_SREG mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_DREG) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_DREG))
+ print_err("Expr NFTNL_EXPR_LOOkUP_DREG mismatches");
+- nftnl_expr_get(rule_a, NFTNL_EXPR_LOOKUP_SET, &data_lena);
+- nftnl_expr_get(rule_b, NFTNL_EXPR_LOOKUP_SET, &data_lenb);
+- if (data_lena != data_lenb)
+- print_err("Expr NFTNL_EXPR_LOOKUP_SET size mismatches");
++ if (strcmp(nftnl_expr_get_str(rule_a, NFTNL_EXPR_LOOKUP_SET),
++ nftnl_expr_get_str(rule_b, NFTNL_EXPR_LOOKUP_SET)))
++ print_err("Expr NFTNL_EXPR_LOOKUP_SET mismatches");
+ }
+
+ int main(int argc, char *argv[])
+--
+1.8.3.1
+
diff --git a/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch b/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch
new file mode 100644
index 0000000..3b681b9
--- /dev/null
+++ b/SOURCES/0003-expr-lookup-give-support-for-inverted-matching.patch
@@ -0,0 +1,219 @@
+From 56dfbd950f20ece8193239d92e8f58fb3a48a3a9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 12 May 2017 12:51:22 +0200
+Subject: [PATCH] expr: lookup: give support for inverted matching
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1441084
+Upstream Status: libnftnl commit 5ad0e626492e8
+
+commit 5ad0e626492e835fff65369c93d1e571013129e9
+Author: Arturo Borrero <arturo.borrero.glez@gmail.com>
+Date: Fri Jun 24 09:07:02 2016 +0200
+
+ expr: lookup: give support for inverted matching
+
+ Inverted matching support was included in the kernel, let's give support here
+ as well.
+
+ Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/libnftnl/expr.h | 1 +
+ include/linux/netfilter/nf_tables.h | 6 ++++++
+ src/expr/lookup.c | 32 +++++++++++++++++++++++++++++---
+ tests/nft-expr_lookup-test.c | 4 ++++
+ 4 files changed, 40 insertions(+), 3 deletions(-)
+
+diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
+index 5822a9e..b644264 100644
+--- a/include/libnftnl/expr.h
++++ b/include/libnftnl/expr.h
+@@ -114,6 +114,7 @@ enum {
+ NFTNL_EXPR_LOOKUP_DREG,
+ NFTNL_EXPR_LOOKUP_SET,
+ NFTNL_EXPR_LOOKUP_SET_ID,
++ NFTNL_EXPR_LOOKUP_FLAGS,
+ };
+
+ enum {
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 3b7b7f3..b35a86f 100644
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -546,6 +546,10 @@ enum nft_cmp_attributes {
+ };
+ #define NFTA_CMP_MAX (__NFTA_CMP_MAX - 1)
+
++enum nft_lookup_flags {
++ NFT_LOOKUP_F_INV = (1 << 0),
++};
++
+ /**
+ * enum nft_range_ops - nf_tables range operator
+ *
+@@ -582,6 +586,7 @@ enum nft_range_attributes {
+ * @NFTA_LOOKUP_SREG: source register of the data to look for (NLA_U32: nft_registers)
+ * @NFTA_LOOKUP_DREG: destination register (NLA_U32: nft_registers)
+ * @NFTA_LOOKUP_SET_ID: uniquely identifies a set in a transaction (NLA_U32)
++ * @NFTA_LOOKUP_FLAGS: flags (NLA_U32: enum nft_lookup_flags)
+ */
+ enum nft_lookup_attributes {
+ NFTA_LOOKUP_UNSPEC,
+@@ -589,6 +594,7 @@ enum nft_lookup_attributes {
+ NFTA_LOOKUP_SREG,
+ NFTA_LOOKUP_DREG,
+ NFTA_LOOKUP_SET_ID,
++ NFTA_LOOKUP_FLAGS,
+ __NFTA_LOOKUP_MAX
+ };
+ #define NFTA_LOOKUP_MAX (__NFTA_LOOKUP_MAX - 1)
+diff --git a/src/expr/lookup.c b/src/expr/lookup.c
+index ed32ba6..59a3c5c 100644
+--- a/src/expr/lookup.c
++++ b/src/expr/lookup.c
+@@ -26,6 +26,7 @@ struct nftnl_expr_lookup {
+ enum nft_registers dreg;
+ char *set_name;
+ uint32_t set_id;
++ uint32_t flags;
+ };
+
+ static int
+@@ -47,6 +48,9 @@ nftnl_expr_lookup_set(struct nftnl_expr *e, uint16_t type,
+ case NFTNL_EXPR_LOOKUP_SET_ID:
+ lookup->set_id = *((uint32_t *)data);
+ break;
++ case NFTNL_EXPR_LOOKUP_FLAGS:
++ lookup->flags = *((uint32_t *)data);
++ break;
+ default:
+ return -1;
+ }
+@@ -70,6 +74,8 @@ nftnl_expr_lookup_get(const struct nftnl_expr *e, uint16_t type,
+ return lookup->set_name;
+ case NFTNL_EXPR_LOOKUP_SET_ID:
+ return &lookup->set_id;
++ case NFTNL_EXPR_LOOKUP_FLAGS:
++ return &lookup->flags;
+ }
+ return NULL;
+ }
+@@ -86,6 +92,7 @@ static int nftnl_expr_lookup_cb(const struct nlattr *attr, void *data)
+ case NFTA_LOOKUP_SREG:
+ case NFTA_LOOKUP_DREG:
+ case NFTA_LOOKUP_SET_ID:
++ case NFTA_LOOKUP_FLAGS:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ abi_breakage();
+ break;
+@@ -113,6 +120,8 @@ nftnl_expr_lookup_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
+ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_SET_ID)) {
+ mnl_attr_put_u32(nlh, NFTA_LOOKUP_SET_ID,
+ htonl(lookup->set_id));
++ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_FLAGS))
++ mnl_attr_put_u32(nlh, NFTA_LOOKUP_FLAGS, htonl(lookup->flags));
+ }
+ }
+
+@@ -144,6 +153,10 @@ nftnl_expr_lookup_parse(struct nftnl_expr *e, struct nlattr *attr)
+ ntohl(mnl_attr_get_u32(tb[NFTA_LOOKUP_SET_ID]));
+ e->flags |= (1 << NFTNL_EXPR_LOOKUP_SET_ID);
+ }
++ if (tb[NFTA_LOOKUP_FLAGS]) {
++ lookup->flags = ntohl(mnl_attr_get_u32(tb[NFTA_LOOKUP_FLAGS]));
++ e->flags |= (1 << NFTNL_EXPR_LOOKUP_FLAGS);
++ }
+
+ return ret;
+ }
+@@ -154,7 +167,7 @@ nftnl_expr_lookup_json_parse(struct nftnl_expr *e, json_t *root,
+ {
+ #ifdef JSON_PARSING
+ const char *set_name;
+- uint32_t sreg, dreg;
++ uint32_t sreg, dreg, flags;
+
+ set_name = nftnl_jansson_parse_str(root, "set", err);
+ if (set_name != NULL)
+@@ -166,6 +179,10 @@ nftnl_expr_lookup_json_parse(struct nftnl_expr *e, json_t *root,
+ if (nftnl_jansson_parse_reg(root, "dreg", NFTNL_TYPE_U32, &dreg, err) == 0)
+ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_DREG, dreg);
+
++ if (nftnl_jansson_parse_val(root, "flags", NFTNL_TYPE_U32,
++ &flags, err) == 0)
++ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_FLAGS, flags);
++
+ return 0;
+ #else
+ errno = EOPNOTSUPP;
+@@ -179,7 +196,7 @@ nftnl_expr_lookup_xml_parse(struct nftnl_expr *e, mxml_node_t *tree,
+ {
+ #ifdef XML_PARSING
+ const char *set_name;
+- uint32_t sreg, dreg;
++ uint32_t sreg, dreg, flags;
+
+ set_name = nftnl_mxml_str_parse(tree, "set", MXML_DESCEND_FIRST,
+ NFTNL_XML_MAND, err);
+@@ -194,6 +211,11 @@ nftnl_expr_lookup_xml_parse(struct nftnl_expr *e, mxml_node_t *tree,
+ err) == 0)
+ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_DREG, dreg);
+
++ if (nftnl_mxml_num_parse(tree, "flags", MXML_DESCEND_FIRST, BASE_DEC,
++ &flags, NFTNL_TYPE_U32,
++ NFTNL_XML_MAND, err) == 0)
++ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_FLAGS, flags);
++
+ return 0;
+ #else
+ errno = EOPNOTSUPP;
+@@ -214,6 +236,8 @@ nftnl_expr_lookup_export(char *buf, size_t size,
+ nftnl_buf_u32(&b, type, l->sreg, SREG);
+ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_DREG))
+ nftnl_buf_u32(&b, type, l->dreg, DREG);
++ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_FLAGS))
++ nftnl_buf_u32(&b, type, l->flags, FLAGS);
+
+ return nftnl_buf_done(&b);
+ }
+@@ -228,12 +252,14 @@ nftnl_expr_lookup_snprintf_default(char *buf, size_t size,
+ ret = snprintf(buf, len, "reg %u set %s ", l->sreg, l->set_name);
+ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+
+-
+ if (e->flags & (1 << NFTNL_EXPR_LOOKUP_DREG)) {
+ ret = snprintf(buf+offset, len, "dreg %u ", l->dreg);
+ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+ }
+
++ ret = snprintf(buf + offset, len, "0x%x ", l->flags);
++ SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
++
+ return offset;
+ }
+
+diff --git a/tests/nft-expr_lookup-test.c b/tests/nft-expr_lookup-test.c
+index 2ca431b..e52a68f 100644
+--- a/tests/nft-expr_lookup-test.c
++++ b/tests/nft-expr_lookup-test.c
+@@ -39,6 +39,9 @@ static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
+ if (strcmp(nftnl_expr_get_str(rule_a, NFTNL_EXPR_LOOKUP_SET),
+ nftnl_expr_get_str(rule_b, NFTNL_EXPR_LOOKUP_SET)))
+ print_err("Expr NFTNL_EXPR_LOOKUP_SET mismatches");
++ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_LOOKUP_FLAGS) !=
++ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_LOOPUP_FLAGS))
++ print_err("Expr NFTNL_EXPR_LOOkUP_FLAGS mismatches");
+ }
+
+ int main(int argc, char *argv[])
+@@ -63,6 +66,7 @@ int main(int argc, char *argv[])
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_LOOKUP_DREG, 0x12345678);
+ nftnl_expr_set(ex, NFTNL_EXPR_LOOKUP_SET, &lookup_set,
+ sizeof(lookup_set));
++ nftnl_expr_set_u32(ex, NFTNL_EXPR_LOOKUP_FLAGS, 0x12345678);
+
+ nftnl_rule_add_expr(a, ex);
+
+--
+1.8.3.1
+
diff --git a/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch b/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch
new file mode 100644
index 0000000..8abb9dd
--- /dev/null
+++ b/SOURCES/0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch
@@ -0,0 +1,49 @@
+From 111c6c9c326113cda15ea9180ff8f4b5377434cf Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 16 May 2017 12:28:55 +0200
+Subject: [PATCH] set: prevent memleak in nftnl_jansson_parse_set_info()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353311
+Upstream Status: libnftnl commit d29f0825c33af
+
+commit d29f0825c33af8c53a939b7f0e8d5beb2ed48c83
+Author: Phil Sutter <psutter@redhat.com>
+Date: Fri Aug 12 01:33:33 2016 +0200
+
+ set: prevent memleak in nftnl_jansson_parse_set_info()
+
+ During list populating, in error case the function returns without
+ freeing the newly allocated 'elem' object, thereby losing any references
+ to it.
+
+ Signed-off-by: Phil Sutter <phil@nwl.cc>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/set.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/set.c b/src/set.c
+index dbea93b..9560ccc 100644
+--- a/src/set.c
++++ b/src/set.c
+@@ -566,12 +566,12 @@ static int nftnl_jansson_parse_set_info(struct nftnl_set *s, json_t *tree,
+ return -1;
+
+ json_elem = json_array_get(array, i);
+- if (json_elem == NULL)
+- return -1;
+-
+- if (nftnl_jansson_set_elem_parse(elem,
+- json_elem, err) < 0)
++ if (json_elem == NULL ||
++ nftnl_jansson_set_elem_parse(elem,
++ json_elem, err) < 0) {
++ free(elem);
+ return -1;
++ }
+
+ list_add_tail(&elem->head, &s->element_list);
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch b/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch
new file mode 100644
index 0000000..dbbac28
--- /dev/null
+++ b/SOURCES/0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch
@@ -0,0 +1,44 @@
+From 7413de9ca21bcb7c3de2af37c99ab858615430fc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 16 May 2017 12:28:55 +0200
+Subject: [PATCH] utils: Don't return directly from SNPRINTF_BUFFER_SIZE
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353311
+Upstream Status: libnftnl commit 9afae310b019a
+
+commit 9afae310b019aa497afb94833afc9a936bc38a1f
+Author: Phil Sutter <psutter@redhat.com>
+Date: Fri Aug 12 14:39:50 2016 +0200
+
+ utils: Don't return directly from SNPRINTF_BUFFER_SIZE
+
+ Apart from being a bad idea in general, the return statement contained
+ in that macro in some cases leads to returning from functions without
+ properly cleaning up, thereby causing memory leaks.
+
+ Instead, just sanitize the value in 'ret' to not harm further calls of
+ snprintf() (as 'len' will eventually just become zero).
+
+ Cc: Arturo Borrero <arturo.borrero.glez@gmail.com>
+ Signed-off-by: Phil Sutter <phil@nwl.cc>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/utils.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/utils.h b/include/utils.h
+index 46ff18a..ae596c5 100644
+--- a/include/utils.h
++++ b/include/utils.h
+@@ -45,7 +45,7 @@ void __nftnl_assert_fail(uint16_t attr, const char *filename, int line);
+
+ #define SNPRINTF_BUFFER_SIZE(ret, size, len, offset) \
+ if (ret < 0) \
+- return ret; \
++ ret = 0; \
+ offset += ret; \
+ if (ret > len) \
+ ret = len; \
+--
+1.8.3.1
+
diff --git a/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch b/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch
new file mode 100644
index 0000000..35cd08e
--- /dev/null
+++ b/SOURCES/0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch
@@ -0,0 +1,41 @@
+From 330acafe4d0dec5dfa3b110e26e24aaa189ea8dc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 16 May 2017 12:32:00 +0200
+Subject: [PATCH] expr/ct: prevent array index overrun in ctkey2str()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353309
+Upstream Status: libnftnl commit cca54d5e9c3f4
+
+commit cca54d5e9c3f436cd85bc55415c08bf671bfefe6
+Author: Phil Sutter <phil@nwl.cc>
+Date: Fri Aug 12 01:33:35 2016 +0200
+
+ expr/ct: prevent array index overrun in ctkey2str()
+
+ The array has NFT_CT_MAX fields, so indices must be less than that
+ number.
+
+ Fixes: 977b7a1dbe1bd ("ct: xml: use key names instead of numbers")
+ Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ Signed-off-by: Phil Sutter <phil@nwl.cc>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/expr/ct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/expr/ct.c b/src/expr/ct.c
+index 7d96df4..1a53b49 100644
+--- a/src/expr/ct.c
++++ b/src/expr/ct.c
+@@ -173,7 +173,7 @@ static const char *ctkey2str_array[NFT_CT_MAX] = {
+
+ static const char *ctkey2str(uint32_t ctkey)
+ {
+- if (ctkey > NFT_CT_MAX)
++ if (ctkey >= NFT_CT_MAX)
+ return "unknown";
+
+ return ctkey2str_array[ctkey];
+--
+1.8.3.1
+
diff --git a/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch b/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch
new file mode 100644
index 0000000..c01f81b
--- /dev/null
+++ b/SOURCES/0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch
@@ -0,0 +1,224 @@
+From 47e07d1a242b18b17602144cc7de260b6291f9e5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 16 May 2017 12:33:42 +0200
+Subject: [PATCH] src: Fix nftnl_*_get_data() to return the real attribute
+ length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353322
+Upstream Status: libnftnl commit bda7102d60bfd
+
+commit bda7102d60bfdab2aa3f36ebd09a119206f264d0
+Author: Carlos Falgueras García <carlosfg@riseup.net>
+Date: Mon Jul 11 18:07:40 2016 +0200
+
+ src: Fix nftnl_*_get_data() to return the real attribute length
+
+ All getters must set the memory size of the attributes, ie. this
+ includes the nul-termination in strings.
+
+ For references to opaque objects hidden behind the curtain, report
+ a zero size.
+
+ Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/chain.c | 3 +++
+ src/expr.c | 1 +
+ src/expr/dynset.c | 3 +++
+ src/expr/lookup.c | 3 +++
+ src/gen.c | 1 +
+ src/rule.c | 2 ++
+ src/set.c | 2 ++
+ src/set_elem.c | 6 ++++++
+ src/table.c | 1 +
+ src/trace.c | 6 +++---
+ 10 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/chain.c b/src/chain.c
+index 990c576..c956cec 100644
+--- a/src/chain.c
++++ b/src/chain.c
+@@ -268,8 +268,10 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr,
+
+ switch(attr) {
+ case NFTNL_CHAIN_NAME:
++ *data_len = strlen(c->name) + 1;
+ return c->name;
+ case NFTNL_CHAIN_TABLE:
++ *data_len = strlen(c->table) + 1;
+ return c->table;
+ case NFTNL_CHAIN_HOOKNUM:
+ *data_len = sizeof(uint32_t);
+@@ -299,6 +301,7 @@ const void *nftnl_chain_get_data(const struct nftnl_chain *c, uint16_t attr,
+ *data_len = sizeof(uint32_t);
+ return c->type;
+ case NFTNL_CHAIN_DEV:
++ *data_len = strlen(c->dev) + 1;
+ return c->dev;
+ }
+ return NULL;
+diff --git a/src/expr.c b/src/expr.c
+index ed07dc4..4a28dd2 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -120,6 +120,7 @@ const void *nftnl_expr_get(const struct nftnl_expr *expr,
+
+ switch(type) {
+ case NFTNL_EXPR_NAME:
++ *data_len = strlen(expr->ops->name) + 1;
+ ret = expr->ops->name;
+ break;
+ default:
+diff --git a/src/expr/dynset.c b/src/expr/dynset.c
+index c8d97a5..9b21dfa 100644
+--- a/src/expr/dynset.c
++++ b/src/expr/dynset.c
+@@ -86,10 +86,13 @@ nftnl_expr_dynset_get(const struct nftnl_expr *e, uint16_t type,
+ *data_len = sizeof(dynset->timeout);
+ return &dynset->timeout;
+ case NFTNL_EXPR_DYNSET_SET_NAME:
++ *data_len = strlen(dynset->set_name) + 1;
+ return dynset->set_name;
+ case NFTNL_EXPR_DYNSET_SET_ID:
++ *data_len = sizeof(dynset->set_id);
+ return &dynset->set_id;
+ case NFTNL_EXPR_DYNSET_EXPR:
++ *data_len = 0;
+ return dynset->expr;
+ }
+ return NULL;
+diff --git a/src/expr/lookup.c b/src/expr/lookup.c
+index 59a3c5c..1c7f3f7 100644
+--- a/src/expr/lookup.c
++++ b/src/expr/lookup.c
+@@ -71,10 +71,13 @@ nftnl_expr_lookup_get(const struct nftnl_expr *e, uint16_t type,
+ *data_len = sizeof(lookup->dreg);
+ return &lookup->dreg;
+ case NFTNL_EXPR_LOOKUP_SET:
++ *data_len = strlen(lookup->set_name) + 1;
+ return lookup->set_name;
+ case NFTNL_EXPR_LOOKUP_SET_ID:
++ *data_len = sizeof(lookup->set_id);
+ return &lookup->set_id;
+ case NFTNL_EXPR_LOOKUP_FLAGS:
++ *data_len = sizeof(lookup->flags);
+ return &lookup->flags;
+ }
+ return NULL;
+diff --git a/src/gen.c b/src/gen.c
+index 115a105..f114a9c 100644
+--- a/src/gen.c
++++ b/src/gen.c
+@@ -101,6 +101,7 @@ const void *nftnl_gen_get_data(const struct nftnl_gen *gen, uint16_t attr,
+
+ switch(attr) {
+ case NFTNL_GEN_ID:
++ *data_len = sizeof(gen->id);
+ return &gen->id;
+ }
+ return NULL;
+diff --git a/src/rule.c b/src/rule.c
+index 8ee8648..b0fe30d 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -214,8 +214,10 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr,
+ *data_len = sizeof(uint32_t);
+ return &r->family;
+ case NFTNL_RULE_TABLE:
++ *data_len = strlen(r->table) + 1;
+ return r->table;
+ case NFTNL_RULE_CHAIN:
++ *data_len = strlen(r->chain) + 1;
+ return r->chain;
+ case NFTNL_RULE_HANDLE:
+ *data_len = sizeof(uint64_t);
+diff --git a/src/set.c b/src/set.c
+index 9560ccc..cc49891 100644
+--- a/src/set.c
++++ b/src/set.c
+@@ -204,8 +204,10 @@ const void *nftnl_set_get_data(const struct nftnl_set *s, uint16_t attr,
+
+ switch(attr) {
+ case NFTNL_SET_TABLE:
++ *data_len = strlen(s->table) + 1;
+ return s->table;
+ case NFTNL_SET_NAME:
++ *data_len = strlen(s->name) + 1;
+ return s->name;
+ case NFTNL_SET_FLAGS:
+ *data_len = sizeof(uint32_t);
+diff --git a/src/set_elem.c b/src/set_elem.c
+index b9c7e1e..157a233 100644
+--- a/src/set_elem.c
++++ b/src/set_elem.c
+@@ -166,25 +166,31 @@ const void *nftnl_set_elem_get(struct nftnl_set_elem *s, uint16_t attr, uint32_t
+
+ switch(attr) {
+ case NFTNL_SET_ELEM_FLAGS:
++ *data_len = sizeof(s->set_elem_flags);
+ return &s->set_elem_flags;
+ case NFTNL_SET_ELEM_KEY: /* NFTA_SET_ELEM_KEY */
+ *data_len = s->key.len;
+ return &s->key.val;
+ case NFTNL_SET_ELEM_VERDICT: /* NFTA_SET_ELEM_DATA */
++ *data_len = sizeof(s->data.verdict);
+ return &s->data.verdict;
+ case NFTNL_SET_ELEM_CHAIN: /* NFTA_SET_ELEM_DATA */
++ *data_len = strlen(s->data.chain) + 1;
+ return s->data.chain;
+ case NFTNL_SET_ELEM_DATA: /* NFTA_SET_ELEM_DATA */
+ *data_len = s->data.len;
+ return &s->data.val;
+ case NFTNL_SET_ELEM_TIMEOUT: /* NFTA_SET_ELEM_TIMEOUT */
++ *data_len = sizeof(s->timeout);
+ return &s->timeout;
+ case NFTNL_SET_ELEM_EXPIRATION: /* NFTA_SET_ELEM_EXPIRATION */
++ *data_len = sizeof(s->expiration);
+ return &s->expiration;
+ case NFTNL_SET_ELEM_USERDATA:
+ *data_len = s->user.len;
+ return s->user.data;
+ case NFTNL_SET_ELEM_EXPR:
++ *data_len = 0;
+ return s->expr;
+ }
+ return NULL;
+diff --git a/src/table.c b/src/table.c
+index 42fe49f..b58ce73 100644
+--- a/src/table.c
++++ b/src/table.c
+@@ -145,6 +145,7 @@ const void *nftnl_table_get_data(const struct nftnl_table *t, uint16_t attr,
+
+ switch(attr) {
+ case NFTNL_TABLE_NAME:
++ *data_len = strlen(t->name) + 1;
+ return t->name;
+ case NFTNL_TABLE_FLAGS:
+ *data_len = sizeof(uint32_t);
+diff --git a/src/trace.c b/src/trace.c
+index 921fa21..2572d2c 100644
+--- a/src/trace.c
++++ b/src/trace.c
+@@ -165,13 +165,13 @@ const void *nftnl_trace_get_data(const struct nftnl_trace *trace,
+ *data_len = sizeof(uint32_t);
+ return &trace->type;
+ case NFTNL_TRACE_CHAIN:
+- *data_len = strlen(trace->chain);
++ *data_len = strlen(trace->chain) + 1;
+ return trace->chain;
+ case NFTNL_TRACE_TABLE:
+- *data_len = strlen(trace->table);
++ *data_len = strlen(trace->table) + 1;
+ return trace->table;
+ case NFTNL_TRACE_JUMP_TARGET:
+- *data_len = strlen(trace->jump_target);
++ *data_len = strlen(trace->jump_target) + 1;
+ return trace->jump_target;
+ case NFTNL_TRACE_TRANSPORT_HEADER:
+ *data_len = trace->th.len;
+--
+1.8.3.1
+
diff --git a/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch b/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch
new file mode 100644
index 0000000..8095cdd
--- /dev/null
+++ b/SOURCES/0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch
@@ -0,0 +1,46 @@
+From 42797f72106dffd348e195b5d8d81bfe1eaff3d6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 16 May 2017 12:33:42 +0200
+Subject: [PATCH] ruleset: Initialize ctx.flags before calling
+ nftnl_ruleset_ctx_set()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353322
+Upstream Status: libnftnl commit 6257aaf53ede6
+
+commit 6257aaf53ede6456e28b0224d215c811f534ff35
+Author: Phil Sutter <phil@nwl.cc>
+Date: Fri Aug 12 01:33:39 2016 +0200
+
+ ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set()
+
+ The called function otherwise accesses uninitialized data.
+
+ Signed-off-by: Phil Sutter <phil@nwl.cc>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/ruleset.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/ruleset.c b/src/ruleset.c
+index 414b7c4..ec4cb1d 100644
+--- a/src/ruleset.c
++++ b/src/ruleset.c
+@@ -555,6 +555,7 @@ static int nftnl_ruleset_json_parse(const void *json,
+
+ ctx.cb = cb;
+ ctx.format = type;
++ ctx.flags = 0;
+
+ ctx.set_list = nftnl_set_list_alloc();
+ if (ctx.set_list == NULL)
+@@ -686,6 +687,7 @@ static int nftnl_ruleset_xml_parse(const void *xml, struct nftnl_parse_err *err,
+
+ ctx.cb = cb;
+ ctx.format = type;
++ ctx.flags = 0;
+
+ ctx.set_list = nftnl_set_list_alloc();
+ if (ctx.set_list == NULL)
+--
+1.8.3.1
+
diff --git a/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch b/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch
new file mode 100644
index 0000000..360d024
--- /dev/null
+++ b/SOURCES/0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch
@@ -0,0 +1,39 @@
+From 546add7a95c037d9149b2c921b22f32ccb26896e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 16 May 2017 12:34:38 +0200
+Subject: [PATCH] expr/limit: Drop unreachable code in limit_to_type()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353312
+Upstream Status: libnftnl commit e381cd99e9eb0
+
+commit e381cd99e9eb0e9519a976c8288f6b9e051ada3a
+Author: Phil Sutter <phil@nwl.cc>
+Date: Fri Aug 12 01:33:36 2016 +0200
+
+ expr/limit: Drop unreachable code in limit_to_type()
+
+ The function returns from inside the switch() in any case, so the final
+ return statement is never reached.
+
+ Fixes: 7769cbd9dfe69 ("expr: limit: add per-byte limiting support")
+ Signed-off-by: Phil Sutter <phil@nwl.cc>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/expr/limit.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/expr/limit.c b/src/expr/limit.c
+index 4bd096e..cdff81d 100644
+--- a/src/expr/limit.c
++++ b/src/expr/limit.c
+@@ -259,7 +259,6 @@ static const char *limit_to_type(enum nft_limit_type type)
+ case NFT_LIMIT_PKT_BYTES:
+ return "bytes";
+ }
+- return "unknown";
+ }
+
+ static int nftnl_expr_limit_snprintf_default(char *buf, size_t len,
+--
+1.8.3.1
+
diff --git a/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch b/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch
new file mode 100644
index 0000000..3404edd
--- /dev/null
+++ b/SOURCES/0010-src-Avoid-returning-uninitialized-data.patch
@@ -0,0 +1,82 @@
+From 70f1f3c92363364544843c26c6ecf4555a89f0b4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 16 May 2017 12:35:54 +0200
+Subject: [PATCH] src: Avoid returning uninitialized data
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353319
+Upstream Status: libnftnl commit 7a150cacc1754
+
+commit 7a150cacc1754f66525f0e87b14b35fbc2a6338e
+Author: Phil Sutter <phil@nwl.cc>
+Date: Fri Aug 12 01:33:38 2016 +0200
+
+ src: Avoid returning uninitialized data
+
+ Although the 'err' pointer should be interesting for users only if the
+ parser returned non-zero, having it point to uninitialized data is
+ generally a bad thing.
+
+ Signed-off-by: Phil Sutter <phil@nwl.cc>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/chain.c | 2 +-
+ src/rule.c | 2 +-
+ src/set.c | 2 +-
+ src/table.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/chain.c b/src/chain.c
+index c956cec..ff87d1b 100644
+--- a/src/chain.c
++++ b/src/chain.c
+@@ -801,7 +801,7 @@ static int nftnl_chain_do_parse(struct nftnl_chain *c, enum nftnl_parse_type typ
+ enum nftnl_parse_input input)
+ {
+ int ret;
+- struct nftnl_parse_err perr;
++ struct nftnl_parse_err perr = {};
+
+ switch (type) {
+ case NFTNL_PARSE_XML:
+diff --git a/src/rule.c b/src/rule.c
+index b0fe30d..f202d03 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -689,7 +689,7 @@ static int nftnl_rule_do_parse(struct nftnl_rule *r, enum nftnl_parse_type type,
+ enum nftnl_parse_input input)
+ {
+ int ret;
+- struct nftnl_parse_err perr;
++ struct nftnl_parse_err perr = {};
+
+ switch (type) {
+ case NFTNL_PARSE_XML:
+diff --git a/src/set.c b/src/set.c
+index cc49891..7e44769 100644
+--- a/src/set.c
++++ b/src/set.c
+@@ -739,7 +739,7 @@ static int nftnl_set_do_parse(struct nftnl_set *s, enum nftnl_parse_type type,
+ enum nftnl_parse_input input)
+ {
+ int ret;
+- struct nftnl_parse_err perr;
++ struct nftnl_parse_err perr = {};
+
+ switch (type) {
+ case NFTNL_PARSE_XML:
+diff --git a/src/table.c b/src/table.c
+index b58ce73..6eb344e 100644
+--- a/src/table.c
++++ b/src/table.c
+@@ -359,7 +359,7 @@ static int nftnl_table_do_parse(struct nftnl_table *t, enum nftnl_parse_type typ
+ enum nftnl_parse_input input)
+ {
+ int ret;
+- struct nftnl_parse_err perr;
++ struct nftnl_parse_err perr = {};
+
+ switch (type) {
+ case NFTNL_PARSE_XML:
+--
+1.8.3.1
+
diff --git a/SOURCES/0011-chain-dynamically-allocate-name.patch b/SOURCES/0011-chain-dynamically-allocate-name.patch
new file mode 100644
index 0000000..ea72666
--- /dev/null
+++ b/SOURCES/0011-chain-dynamically-allocate-name.patch
@@ -0,0 +1,108 @@
+From 52e03423b7fb8d3ae8cae1770c70c7519a03f341 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 16 May 2017 15:29:27 +0200
+Subject: [PATCH] chain: dynamically allocate name
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1353320
+Upstream Status: libnftnl commit 23c2ef2f9812a
+Conflicts: Patch applied manually to fit the rest of the code which was
+ changed changed a lot upstream. Future backports of the
+ following commits have to adjust code added here as well:
+ * 8f4de3888ce74 ("src: return value on setters that
+ internally allocate memory")
+ * 46b887ca6b038 ("src: simplify unsetters")
+ * 50b175dbd598e ("src: check for flags before releasing
+ attributes")
+
+commit 23c2ef2f9812a04c3bd8248de70cad37a176550a
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri Jun 10 14:34:10 2016 +0200
+
+ chain: dynamically allocate name
+
+ Just in case we ever support chain with larger names in the future,
+ this will ensure the library doesn't break. Although I don't expect
+ allocating more bytes for this anytime soon, but let's be conservative
+ here.
+
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/chain.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/src/chain.c b/src/chain.c
+index ff87d1b..a91f1bc 100644
+--- a/src/chain.c
++++ b/src/chain.c
+@@ -32,7 +32,7 @@
+ struct nftnl_chain {
+ struct list_head head;
+
+- char name[NFT_CHAIN_MAXNAMELEN];
++ const char *name;
+ const char *type;
+ const char *table;
+ const char *dev;
+@@ -95,13 +95,14 @@ EXPORT_SYMBOL_ALIAS(nftnl_chain_alloc, nft_chain_alloc);
+
+ void nftnl_chain_free(const struct nftnl_chain *c)
+ {
++ if (c->name != NULL)
++ xfree(c->name);
+ if (c->table != NULL)
+ xfree(c->table);
+ if (c->type != NULL)
+ xfree(c->type);
+ if (c->dev != NULL)
+ xfree(c->dev);
+-
+ xfree(c);
+ }
+ EXPORT_SYMBOL_ALIAS(nftnl_chain_free, nft_chain_free);
+@@ -118,6 +119,12 @@ void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr)
+ return;
+
+ switch (attr) {
++ case NFTNL_CHAIN_NAME:
++ if (c->name) {
++ xfree(c->name);
++ c->name = NULL;
++ }
++ break;
+ case NFTNL_CHAIN_TABLE:
+ if (c->table) {
+ xfree(c->table);
+@@ -132,7 +139,6 @@ void nftnl_chain_unset(struct nftnl_chain *c, uint16_t attr)
+ c->type = NULL;
+ }
+ break;
+- case NFTNL_CHAIN_NAME:
+ case NFTNL_CHAIN_HOOKNUM:
+ case NFTNL_CHAIN_PRIO:
+ case NFTNL_CHAIN_POLICY:
+@@ -175,7 +181,10 @@ void nftnl_chain_set_data(struct nftnl_chain *c, uint16_t attr,
+
+ switch(attr) {
+ case NFTNL_CHAIN_NAME:
+- strncpy(c->name, data, NFT_CHAIN_MAXNAMELEN);
++ if (c->name)
++ xfree(c->name);
++
++ c->name = strdup(data);
+ break;
+ case NFTNL_CHAIN_TABLE:
+ if (c->table)
+@@ -533,8 +542,8 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *c)
+ return -1;
+
+ if (tb[NFTA_CHAIN_NAME]) {
+- strncpy(c->name, mnl_attr_get_str(tb[NFTA_CHAIN_NAME]),
+- NFT_CHAIN_MAXNAMELEN);
++ xfree(c->name);
++ c->name = strdup(mnl_attr_get_str(tb[NFTA_CHAIN_NAME]));
+ c->flags |= (1 << NFTNL_CHAIN_NAME);
+ }
+ if (tb[NFTA_CHAIN_TABLE]) {
+--
+1.8.3.1
+
diff --git a/SPECS/libnftnl.spec b/SPECS/libnftnl.spec
index 608c7b2..cf41127 100644
--- a/SPECS/libnftnl.spec
+++ b/SPECS/libnftnl.spec
@@ -1,13 +1,30 @@
+%define rpmversion 1.0.6
+%define specrelease 6%{?dist}
+
Name: libnftnl
-Version: 1.0.6
-Release: 1%{?dist}
+Version: %{rpmversion}
+Release: %{specrelease}%{?buildid}
Summary: Library for low-level interaction with nftables Netlink's API over libmnl
License: GPLv2+
URL: http://netfilter.org/projects/libnftnl/
-Source0: http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2
+Source0: %{name}-%{version}.tar.xz
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
BuildRequires: libmnl-devel
#BuildRequires: mxml-devel
BuildRequires: jansson-devel
+Patch0: 0001-src-add-range-expression.patch
+Patch1: 0002-tests-stricter-string-attribute-validation.patch
+Patch2: 0003-expr-lookup-give-support-for-inverted-matching.patch
+Patch3: 0004-set-prevent-memleak-in-nftnl_jansson_parse_set_info.patch
+Patch4: 0005-utils-Don-t-return-directly-from-SNPRINTF_BUFFER_SIZ.patch
+Patch5: 0006-expr-ct-prevent-array-index-overrun-in-ctkey2str.patch
+Patch6: 0007-src-Fix-nftnl_-_get_data-to-return-the-real-attribut.patch
+Patch7: 0008-ruleset-Initialize-ctx.flags-before-calling-nftnl_ru.patch
+Patch8: 0009-expr-limit-Drop-unreachable-code-in-limit_to_type.patch
+Patch9: 0010-src-Avoid-returning-uninitialized-data.patch
+Patch10: 0011-chain-dynamically-allocate-name.patch
%description
A library for low-level interaction with nftables Netlink's API over libmnl.
@@ -20,9 +37,15 @@ The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%prep
-%setup -q
+%autosetup -p1
%build
+# This is what autogen.sh (only in git repo) does - without it, patches changing
+# Makefile.am cause the build system to regenerate Makefile.in and trying to use
+# automake-1.14 for that which is not available in RHEL.
+autoreconf -fi
+rm -rf autom4te*.cache
+
%configure --disable-static --disable-silent-rules \
--with-json-parsing --without-xml-parsing
make %{?_smp_mflags}
@@ -48,5 +71,28 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%{_includedir}/libnftnl
%changelog
+* Tue May 16 2017 Phil Sutter <psutter@redhat.com> [1.0.6-6.el7]
+- chain: dynamically allocate name (Phil Sutter) [1353320]
+- src: Avoid returning uninitialized data (Phil Sutter) [1353319]
+- expr/limit: Drop unreachable code in limit_to_type() (Phil Sutter) [1353312]
+- ruleset: Initialize ctx.flags before calling nftnl_ruleset_ctx_set() (Phil Sutter) [1353322]
+- src: Fix nftnl_*_get_data() to return the real attribute length (Phil Sutter) [1353322]
+- expr/ct: prevent array index overrun in ctkey2str() (Phil Sutter) [1353309]
+- utils: Don't return directly from SNPRINTF_BUFFER_SIZE (Phil Sutter) [1353311]
+- set: prevent memleak in nftnl_jansson_parse_set_info() (Phil Sutter) [1353311]
+
+* Fri May 12 2017 Phil Sutter <psutter@redhat.com> [1.0.6-5.el7]
+- expr: lookup: give support for inverted matching (Phil Sutter) [1441084]
+- tests: stricter string attribute validation (Phil Sutter) [1441084]
+
+* Thu Feb 23 2017 Phil Sutter <psutter@redhat.com> [1.0.6-4.el7]
+- Add automake and libtool as additional build requirements (Phil Sutter) [1418967]
+
+* Thu Feb 23 2017 Phil Sutter <psutter@redhat.com> [1.0.6-3.el7]
+- Fix libnftnl.spec for patches changing Makefile.am (Phil Sutter) [1418967]
+
+* Thu Feb 23 2017 Phil Sutter <psutter@redhat.com> [1.0.6-2.el7]
+- src: add range expression (Phil Sutter) [1418967]
+
* Wed Jun 29 2016 Phil Sutter <psutter@redhat.com> 1.0.6-1
- Rebased from Fedora Rawhide and adjusted for RHEL review.