Blame SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch

acfc56
From 5566405cc171c8fa84e0a13ea96b89245a3fb512 Mon Sep 17 00:00:00 2001
acfc56
From: Phil Sutter <psutter@redhat.com>
acfc56
Date: Sat, 8 Aug 2020 00:05:48 +0200
acfc56
Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated
acfc56
 ranges
acfc56
acfc56
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820684
acfc56
Upstream Status: nftables commit 09441b5e92cee
acfc56
acfc56
commit 09441b5e92ceea60198a35cd657904fa7a10ee54
acfc56
Author: Stefano Brivio <sbrivio@redhat.com>
acfc56
Date:   Mon Apr 13 21:48:03 2020 +0200
acfc56
acfc56
    src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
acfc56
acfc56
    Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support
acfc56
    for concatenated set ranges"), crashes with older kernels (< 5.6)
acfc56
    without support for concatenated set ranges: those sets will be sent
acfc56
    to the kernel, which adds them without notion of the fact that
acfc56
    different concatenated fields are actually included, and nft crashes
acfc56
    while trying to list this kind of malformed concatenation.
acfc56
acfc56
    Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd
acfc56
    ("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when
acfc56
    sets including concatenated ranges are sent to the kernel, so that
acfc56
    older kernels (with no knowledge of this flag itself) will refuse set
acfc56
    creation.
acfc56
acfc56
    Note that, in expr_evaluate_set(), we have to check for the presence
acfc56
    of the flag, also on empty sets that might carry it in context data,
acfc56
    and actually set it in the actual set flags.
acfc56
acfc56
    Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
acfc56
    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
acfc56
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
acfc56
---
acfc56
 src/evaluate.c | 9 ++++++++-
acfc56
 1 file changed, 8 insertions(+), 1 deletion(-)
acfc56
acfc56
diff --git a/src/evaluate.c b/src/evaluate.c
acfc56
index 0c84816..f66251b 100644
acfc56
--- a/src/evaluate.c
acfc56
+++ b/src/evaluate.c
acfc56
@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
acfc56
 			set->size      += i->size - 1;
acfc56
 			set->set_flags |= i->set_flags;
acfc56
 			expr_free(i);
acfc56
-		} else if (!expr_is_singleton(i))
acfc56
+		} else if (!expr_is_singleton(i)) {
acfc56
 			set->set_flags |= NFT_SET_INTERVAL;
acfc56
+			if (i->key->etype == EXPR_CONCAT)
acfc56
+				set->set_flags |= NFT_SET_CONCAT;
acfc56
+		}
acfc56
 	}
acfc56
 
acfc56
+	if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT))
acfc56
+		set->set_flags |= NFT_SET_CONCAT;
acfc56
+
acfc56
 	set->set_flags |= NFT_SET_CONSTANT;
acfc56
 
acfc56
 	datatype_set(set, ctx->ectx.dtype);
acfc56
@@ -3336,6 +3342,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
acfc56
 		memcpy(&set->desc.field_len, &set->key->field_len,
acfc56
 		       sizeof(set->desc.field_len));
acfc56
 		set->desc.field_count = set->key->field_count;
acfc56
+		set->flags |= NFT_SET_CONCAT;
acfc56
 	}
acfc56
 
acfc56
 	if (set_is_datamap(set->flags)) {
acfc56
-- 
8ff5ad
2.31.1
acfc56