From 252916c45d6177de66b610792fcd0a9131d93409 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 10 2022 07:14:00 +0000 Subject: import nftables-0.9.3-25.el8 --- diff --git a/SOURCES/0001-main-enforce-options-before-commands.patch b/SOURCES/0001-main-enforce-options-before-commands.patch index 45b750c..f1401bd 100644 --- a/SOURCES/0001-main-enforce-options-before-commands.patch +++ b/SOURCES/0001-main-enforce-options-before-commands.patch @@ -27,17 +27,17 @@ Date: Fri Dec 13 11:32:46 2019 +0100 Signed-off-by: Pablo Neira Ayuso --- - src/main.c | 46 +++++++++++++++++++++- - tests/shell/testcases/cache/0001_cache_handling_0 | 2 +- - tests/shell/testcases/chains/0016delete_handle_0 | 4 +- - .../shell/testcases/chains/0039negative_priority_0 | 8 ++++ - .../shell/testcases/flowtable/0010delete_handle_0 | 2 +- - .../shell/testcases/maps/0008interval_map_delete_0 | 2 +- - tests/shell/testcases/optionals/comments_0 | 2 +- - tests/shell/testcases/optionals/comments_handles_0 | 2 +- - .../testcases/optionals/delete_object_handles_0 | 4 +- - tests/shell/testcases/optionals/handles_0 | 2 +- - tests/shell/testcases/sets/0028delete_handle_0 | 2 +- + src/main.c | 46 ++++++++++++++++++- + .../testcases/cache/0001_cache_handling_0 | 2 +- + .../testcases/chains/0016delete_handle_0 | 4 +- + .../testcases/chains/0039negative_priority_0 | 8 ++++ + .../testcases/flowtable/0010delete_handle_0 | 2 +- + .../testcases/maps/0008interval_map_delete_0 | 2 +- + tests/shell/testcases/optionals/comments_0 | 2 +- + .../testcases/optionals/comments_handles_0 | 2 +- + .../optionals/delete_object_handles_0 | 4 +- + tests/shell/testcases/optionals/handles_0 | 2 +- + .../shell/testcases/sets/0028delete_handle_0 | 2 +- 11 files changed, 64 insertions(+), 12 deletions(-) create mode 100755 tests/shell/testcases/chains/0039negative_priority_0 @@ -240,5 +240,5 @@ index 4e8b322..5ad17c2 100755 EXPECTED="table ip test-ip { -- -1.8.3.1 +2.31.1 
diff --git a/SOURCES/0002-main-restore-debug.patch b/SOURCES/0002-main-restore-debug.patch index 442f24b..9bd8b72 100644 --- a/SOURCES/0002-main-restore-debug.patch +++ b/SOURCES/0002-main-restore-debug.patch @@ -46,5 +46,5 @@ index 74199f9..6ab1b89 100644 !strcmp(argv[i], "--file")) { skip = true; -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0003-monitor-Do-not-decompose-non-anonymous-sets.patch b/SOURCES/0003-monitor-Do-not-decompose-non-anonymous-sets.patch index 5f1d629..6611382 100644 --- a/SOURCES/0003-monitor-Do-not-decompose-non-anonymous-sets.patch +++ b/SOURCES/0003-monitor-Do-not-decompose-non-anonymous-sets.patch @@ -64,5 +64,5 @@ index 0000000..59930c5 +O - +J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}} -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0004-monitor-Fix-output-for-ranges-in-anonymous-sets.patch b/SOURCES/0004-monitor-Fix-output-for-ranges-in-anonymous-sets.patch index 42209e3..90f2aea 100644 --- a/SOURCES/0004-monitor-Fix-output-for-ranges-in-anonymous-sets.patch +++ b/SOURCES/0004-monitor-Fix-output-for-ranges-in-anonymous-sets.patch @@ -76,5 +76,5 @@ index 59930c5..1fbcfe2 100644 +O - +J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}} -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0005-xfrm-spi-is-big-endian.patch b/SOURCES/0005-xfrm-spi-is-big-endian.patch index 8dd30e8..e7ee4af 100644 --- a/SOURCES/0005-xfrm-spi-is-big-endian.patch +++ b/SOURCES/0005-xfrm-spi-is-big-endian.patch @@ -47,5 +47,5 @@ index 6049c66..c46a226 100644 [ cmp lte reg 1 0x31020000 ] -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0006-tests-shell-Search-diff-tool-once-and-for-all.patch b/SOURCES/0006-tests-shell-Search-diff-tool-once-and-for-all.patch index e6adbfc..e1e9c1f 100644 
--- a/SOURCES/0006-tests-shell-Search-diff-tool-once-and-for-all.patch
+++ b/SOURCES/0006-tests-shell-Search-diff-tool-once-and-for-all.patch
@@ -25,39 +25,39 @@ Date: Tue Jan 14 16:50:35 2020 +0100
Signed-off-by: Phil Sutter Acked-by: Pablo Neira Ayuso --- - tests/shell/run-tests.sh | 7 ++++++- - tests/shell/testcases/flowtable/0010delete_handle_0 | 3 +-- - tests/shell/testcases/listing/0003table_0 | 6 ++---- - tests/shell/testcases/listing/0004table_0 | 3 +-- - tests/shell/testcases/listing/0005ruleset_ip_0 | 3 +-- - tests/shell/testcases/listing/0006ruleset_ip6_0 | 3 +-- - tests/shell/testcases/listing/0007ruleset_inet_0 | 3 +-- - tests/shell/testcases/listing/0008ruleset_arp_0 | 3 +-- - tests/shell/testcases/listing/0009ruleset_bridge_0 | 3 +-- - tests/shell/testcases/listing/0010sets_0 | 3 +-- - tests/shell/testcases/listing/0011sets_0 | 3 +-- - tests/shell/testcases/listing/0012sets_0 | 3 +-- - tests/shell/testcases/listing/0013objects_0 | 3 +-- - tests/shell/testcases/listing/0014objects_0 | 6 ++---- - tests/shell/testcases/listing/0015dynamic_0 | 3 +-- - tests/shell/testcases/listing/0017objects_0 | 3 +-- - tests/shell/testcases/listing/0018data_0 | 3 +-- - tests/shell/testcases/listing/0019set_0 | 3 +-- - tests/shell/testcases/listing/0020flowtable_0 | 3 +-- - tests/shell/testcases/maps/0003map_add_many_elements_0 | 3 +-- - tests/shell/testcases/maps/0004interval_map_create_once_0 | 3 +-- - tests/shell/testcases/maps/0008interval_map_delete_0 | 3 +-- - tests/shell/testcases/netns/0001nft-f_0 | 3 +-- - tests/shell/testcases/netns/0002loosecommands_0 | 3 +-- - tests/shell/testcases/netns/0003many_0 | 3 +-- - tests/shell/testcases/nft-f/0016redefines_1 | 3 +-- - tests/shell/testcases/optionals/delete_object_handles_0 | 3 +-- - tests/shell/testcases/optionals/update_object_handles_0 | 3 +-- - .../shell/testcases/rule_management/0001addinsertposition_0 | 12 ++++-------- - tests/shell/testcases/sets/0028delete_handle_0 | 3 +-- - tests/shell/testcases/sets/0036add_set_element_expiration_0 | 5 ++++- - tests/shell/testcases/transactions/0003table_0 | 4 +--- - tests/shell/testcases/transactions/0040set_0 | 3 +-- + tests/shell/run-tests.sh | 7 ++++++- + 
tests/shell/testcases/flowtable/0010delete_handle_0 | 3 +-- + tests/shell/testcases/listing/0003table_0 | 6 ++---- + tests/shell/testcases/listing/0004table_0 | 3 +-- + tests/shell/testcases/listing/0005ruleset_ip_0 | 3 +-- + tests/shell/testcases/listing/0006ruleset_ip6_0 | 3 +-- + tests/shell/testcases/listing/0007ruleset_inet_0 | 3 +-- + tests/shell/testcases/listing/0008ruleset_arp_0 | 3 +-- + tests/shell/testcases/listing/0009ruleset_bridge_0 | 3 +-- + tests/shell/testcases/listing/0010sets_0 | 3 +-- + tests/shell/testcases/listing/0011sets_0 | 3 +-- + tests/shell/testcases/listing/0012sets_0 | 3 +-- + tests/shell/testcases/listing/0013objects_0 | 3 +-- + tests/shell/testcases/listing/0014objects_0 | 6 ++---- + tests/shell/testcases/listing/0015dynamic_0 | 3 +-- + tests/shell/testcases/listing/0017objects_0 | 3 +-- + tests/shell/testcases/listing/0018data_0 | 3 +-- + tests/shell/testcases/listing/0019set_0 | 3 +-- + tests/shell/testcases/listing/0020flowtable_0 | 3 +-- + .../shell/testcases/maps/0003map_add_many_elements_0 | 3 +-- + .../testcases/maps/0004interval_map_create_once_0 | 3 +-- + tests/shell/testcases/maps/0008interval_map_delete_0 | 3 +-- + tests/shell/testcases/netns/0001nft-f_0 | 3 +-- + tests/shell/testcases/netns/0002loosecommands_0 | 3 +-- + tests/shell/testcases/netns/0003many_0 | 3 +-- + tests/shell/testcases/nft-f/0016redefines_1 | 3 +-- + .../testcases/optionals/delete_object_handles_0 | 3 +-- + .../testcases/optionals/update_object_handles_0 | 3 +-- + .../rule_management/0001addinsertposition_0 | 12 ++++-------- + tests/shell/testcases/sets/0028delete_handle_0 | 3 +-- + .../testcases/sets/0036add_set_element_expiration_0 | 5 ++++- + tests/shell/testcases/transactions/0003table_0 | 4 +--- + tests/shell/testcases/transactions/0040set_0 | 3 +-- 33 files changed, 46 insertions(+), 75 deletions(-) diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh @@ -569,5 +569,5 @@ index a404abc..468816b 100755 fi -- -1.8.3.1 +2.31.1 
diff --git a/SOURCES/0007-cache-Fix-for-doubled-output-after-reset-command.patch b/SOURCES/0007-cache-Fix-for-doubled-output-after-reset-command.patch index b1aba78..2374687 100644 --- a/SOURCES/0007-cache-Fix-for-doubled-output-after-reset-command.patch +++ b/SOURCES/0007-cache-Fix-for-doubled-output-after-reset-command.patch @@ -81,5 +81,5 @@ index 3bd16f2..21200c3 100755 + exit 1 +fi -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0008-netlink-Fix-leak-in-unterminated-string-deserializer.patch b/SOURCES/0008-netlink-Fix-leak-in-unterminated-string-deserializer.patch index b15c611..414c39f 100644 --- a/SOURCES/0008-netlink-Fix-leak-in-unterminated-string-deserializer.patch +++ b/SOURCES/0008-netlink-Fix-leak-in-unterminated-string-deserializer.patch @@ -47,5 +47,5 @@ index 154353b..06a0312 100644 static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0009-netlink-Fix-leaks-in-netlink_parse_cmp.patch b/SOURCES/0009-netlink-Fix-leaks-in-netlink_parse_cmp.patch index 46e878c..9043fb1 100644 --- a/SOURCES/0009-netlink-Fix-leaks-in-netlink_parse_cmp.patch +++ b/SOURCES/0009-netlink-Fix-leaks-in-netlink_parse_cmp.patch @@ -71,5 +71,5 @@ index 06a0312..88dbd5a 100644 static void netlink_parse_lookup(struct netlink_parse_ctx *ctx, -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0010-netlink-Avoid-potential-NULL-pointer-deref-in-netlin.patch b/SOURCES/0010-netlink-Avoid-potential-NULL-pointer-deref-in-netlin.patch index b48f1e6..b772afc 100644 --- a/SOURCES/0010-netlink-Avoid-potential-NULL-pointer-deref-in-netlin.patch +++ b/SOURCES/0010-netlink-Avoid-potential-NULL-pointer-deref-in-netlin.patch @@ -38,5 +38,5 @@ index 498326d..cb1b7fe 100644 nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_FLAGS, NFT_PAYLOAD_L4CSUM_PSEUDOHDR); -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0011-tests-json_echo-Fix-for-Python3.patch b/SOURCES/0011-tests-json_echo-Fix-for-Python3.patch index f907886..be98168 100644 
--- a/SOURCES/0011-tests-json_echo-Fix-for-Python3.patch +++ b/SOURCES/0011-tests-json_echo-Fix-for-Python3.patch @@ -35,5 +35,5 @@ index a636d5f..fa7d69a 100755 if not k in data: continue -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0012-tests-json_echo-Support-testing-host-binaries.patch b/SOURCES/0012-tests-json_echo-Support-testing-host-binaries.patch index c2958df..88cfa7f 100644 --- a/SOURCES/0012-tests-json_echo-Support-testing-host-binaries.patch +++ b/SOURCES/0012-tests-json_echo-Support-testing-host-binaries.patch @@ -64,5 +64,5 @@ index fa7d69a..36a377a 100755 # various commands to work with -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0013-tests-monitor-Support-running-individual-test-cases.patch b/SOURCES/0013-tests-monitor-Support-running-individual-test-cases.patch index 26c9079..deef550 100644 --- a/SOURCES/0013-tests-monitor-Support-running-individual-test-cases.patch +++ b/SOURCES/0013-tests-monitor-Support-running-individual-test-cases.patch @@ -60,5 +60,5 @@ index 0478cf6..efacdaa 100755 # files are like this: # -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0014-tests-monitor-Support-testing-host-s-nft-binary.patch b/SOURCES/0014-tests-monitor-Support-testing-host-s-nft-binary.patch index 502b623..8ab1067 100644 --- a/SOURCES/0014-tests-monitor-Support-testing-host-s-nft-binary.patch +++ b/SOURCES/0014-tests-monitor-Support-testing-host-s-nft-binary.patch @@ -36,5 +36,5 @@ index efacdaa..ffb833a 100755 testcases+=" $1" shift -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0015-tests-py-Support-testing-host-binaries.patch b/SOURCES/0015-tests-py-Support-testing-host-binaries.patch index 007fc9b..8e0cf3d 100644 --- a/SOURCES/0015-tests-py-Support-testing-host-binaries.patch +++ b/SOURCES/0015-tests-py-Support-testing-host-binaries.patch @@ -72,5 +72,5 @@ index 6edca3c..01ee6c9 100755 test_files = files_ok = run_total = 0 tests = passed = warnings = errors = 0 -- -1.8.3.1 +2.31.1 
diff --git a/SOURCES/0016-doc-nft.8-Mention-wildcard-interface-matching.patch b/SOURCES/0016-doc-nft.8-Mention-wildcard-interface-matching.patch index f534eec..c4bc399 100644 --- a/SOURCES/0016-doc-nft.8-Mention-wildcard-interface-matching.patch +++ b/SOURCES/0016-doc-nft.8-Mention-wildcard-interface-matching.patch @@ -39,5 +39,5 @@ index 5473d59..a5cab9d 100644 [options="header"] |================== -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0017-scanner-Extend-asteriskstring-definition.patch b/SOURCES/0017-scanner-Extend-asteriskstring-definition.patch index 09717b0..6468662 100644 --- a/SOURCES/0017-scanner-Extend-asteriskstring-definition.patch +++ b/SOURCES/0017-scanner-Extend-asteriskstring-definition.patch @@ -35,5 +35,5 @@ index d32adf4..7daf5c1 100644 slash \/ -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0018-parser-add-a-helper-for-concat-expression-handling.patch b/SOURCES/0018-parser-add-a-helper-for-concat-expression-handling.patch index 5a93472..d973cdf 100644 --- a/SOURCES/0018-parser-add-a-helper-for-concat-expression-handling.patch +++ b/SOURCES/0018-parser-add-a-helper-for-concat-expression-handling.patch @@ -16,7 +16,7 @@ Date: Wed Dec 11 14:31:44 2019 +0100 Signed-off-by: Florian Westphal --- - src/parser_bison.y | 99 ++++++++++++++++++++++++------------------------------ + src/parser_bison.y | 99 ++++++++++++++++++++-------------------------- 1 file changed, 43 insertions(+), 56 deletions(-) diff --git a/src/parser_bison.y b/src/parser_bison.y @@ -158,5 +158,5 @@ index 707f467..0fd9b94 100644 ; -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0019-include-resync-nf_tables.h-cache-copy.patch b/SOURCES/0019-include-resync-nf_tables.h-cache-copy.patch index bd55b39..af7fa1b 100644 --- a/SOURCES/0019-include-resync-nf_tables.h-cache-copy.patch +++ b/SOURCES/0019-include-resync-nf_tables.h-cache-copy.patch 
@@ -33,7 +33,7 @@ index ed8881a..1a99df3 100644 /** * enum nft_verdicts - nf_tables internal verdicts -@@ -299,15 +300,29 @@ enum nft_set_policies { +@@ -299,14 +300,28 @@ enum nft_set_policies { * enum nft_set_desc_attributes - set element description * * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32) @@ -47,7 +47,7 @@ index ed8881a..1a99df3 100644 }; #define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1) - /** ++/** + * enum nft_set_field_attributes - attributes of concatenated fields + * + * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32) @@ -59,10 +59,9 @@ index ed8881a..1a99df3 100644 +}; +#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1) + -+/** + /** * enum nft_set_attributes - nf_tables set netlink attributes * - * @NFTA_SET_TABLE: table name (NLA_STRING) @@ -368,6 +383,7 @@ enum nft_set_elem_flags { * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY) * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes) @@ -80,5 +79,5 @@ index ed8881a..1a99df3 100644 }; #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch b/SOURCES/0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch index 663f661..01d4785 100644 --- a/SOURCES/0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch +++ b/SOURCES/0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch @@ -177,5 +177,5 @@ index 3ca1805..4669577 100644 return new_set; } -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0021-src-Add-support-for-concatenated-set-ranges.patch b/SOURCES/0021-src-Add-support-for-concatenated-set-ranges.patch index 00f8f9e..5d9101b 100644 --- a/SOURCES/0021-src-Add-support-for-concatenated-set-ranges.patch +++ b/SOURCES/0021-src-Add-support-for-concatenated-set-ranges.patch @@ -82,12 +82,12 @@ Date: Thu Jan 30 01:16:57 2020 +0100 
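Review bot: The nested hunk header in 0019-include-resync-nf_tables.h-cache-copy.patch changes from `@@ -299,15 +300,29 @@` to `@@ -299,14 +300,28 @@` and the `/**` lines swap between context and added (`- /**` / `++/**` and `-+/**` / `+ /**`), so this section is not just the `-1.8.3.1` → `+2.31.1` trailer regeneration seen in the other patch files. The two forms should produce the same nf_tables.h, but that equivalence is not visible from the outer diff and the commit carries no description beyond its subject. Before importing, it is worth confirming that applying the old and the new patch series yields byte-identical trees (for example by diffing the patched header from both) and recording that check in the package changelog, since a silently shifted hunk in a uapi header resync is exactly the kind of change that later breaks `git am` offsets for downstream backports.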
Signed-off-by: Pablo Neira Ayuso --- include/expression.h | 1 + - include/rule.h | 5 +++ - src/evaluate.c | 5 +++ - src/netlink.c | 109 +++++++++++++++++++++++++++++++++++------------ - src/parser_bison.y | 17 ++++++-- - src/rule.c | 13 +++--- - src/segtree.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++ + include/rule.h | 5 ++ + src/evaluate.c | 5 ++ + src/netlink.c | 109 +++++++++++++++++++++++++++++----------- + src/parser_bison.y | 17 +++++-- + src/rule.c | 13 ++--- + src/segtree.c | 117 +++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 229 insertions(+), 38 deletions(-) diff --git a/include/expression.h b/include/expression.h @@ -573,5 +573,5 @@ index 7217dbc..e859f84 100644 { struct expr **elements, **ranges; -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch b/SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch index 5ee20ac..665aa6b 100644 --- a/SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch +++ b/SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch @@ -20,7 +20,7 @@ Date: Fri Mar 6 16:15:48 2020 +0100 Signed-off-by: Phil Sutter Acked-by: Eric Garver --- - src/parser_json.c | 51 +++++++++++++++++++++++++++++---------------------- + src/parser_json.c | 51 +++++++++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/src/parser_json.c b/src/parser_json.c @@ -115,5 +115,5 @@ index 031930e..c48faa8 100644 { if (json_is_string(root)) { -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0023-doc-Document-notrack-statement.patch b/SOURCES/0023-doc-Document-notrack-statement.patch index 4c31fc5..d0aa129 100644 --- a/SOURCES/0023-doc-Document-notrack-statement.patch +++ b/SOURCES/0023-doc-Document-notrack-statement.patch @@ -47,5 +47,5 @@ index 3b82436..749533a 100644 ~~~~~~~~~~~~~~ A meta statement sets the value of a meta expression. The existing meta fields -- -1.8.3.1 +2.31.1 
diff --git a/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch b/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch index f7ed167..baa1dca 100644 --- a/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch +++ b/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch @@ -49,5 +49,5 @@ index c48faa8..ce8e566 100644 tmp = json_object_get(json, "add"); -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch b/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch index 3f829d4..06b95e6 100644 --- a/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch +++ b/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch @@ -38,5 +38,5 @@ index e859f84..1ba4363 100644 } -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch b/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch index 5b3fd97..f54752a 100644 --- a/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch +++ b/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch @@ -51,5 +51,5 @@ index 1ba4363..dc4db6b 100644 } break; -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch b/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch index f67ee6b..2506813 100644 --- a/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch +++ b/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch @@ -21,7 +21,7 @@ Date: Thu Apr 30 13:57:35 2020 +0200 Signed-off-by: Phil Sutter --- - src/segtree.c | 63 +++++++++++++++-------------------------------------------- + src/segtree.c | 63 +++++++++++++-------------------------------------- 1 file changed, 16 insertions(+), 47 deletions(-) diff --git a/src/segtree.c b/src/segtree.c @@ -127,5 +127,5 @@ index dc4db6b..6e1f696 100644 compound_expr_add(new_init, range); else -- -1.8.3.1 +2.31.1 
diff --git a/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch b/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch index 78e70d9..b8615d6 100644 --- a/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch +++ b/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch @@ -37,5 +37,5 @@ index c7e7298..e23dbda 100755 out="${out#* \{ }" out="${out% \}}" -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch b/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch index 22cb037..7d699a6 100644 --- a/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch +++ b/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch @@ -23,7 +23,7 @@ Date: Thu Apr 30 14:02:44 2020 +0200 Signed-off-by: Phil Sutter --- src/segtree.c | 1 + - tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++++++++-------- + tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++------ 2 files changed, 45 insertions(+), 18 deletions(-) diff --git a/src/segtree.c b/src/segtree.c @@ -131,5 +131,5 @@ index e23dbda..3343529 100755 exit $RC -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch b/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch index 6f68126..12fcf75 100644 --- a/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch +++ b/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch @@ -41,5 +41,5 @@ index 1a99df3..9b54a86 100644 /** -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch b/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch index 60b1a0d..d8149bf 100644 --- a/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch +++ b/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch @@ -68,5 +68,5 @@ index 0c84816..f66251b 100644 if (set_is_datamap(set->flags)) { -- -1.8.3.1 +2.31.1 
diff --git a/SOURCES/0032-src-store-expr-not-dtype-to-track-data-in-sets.patch b/SOURCES/0032-src-store-expr-not-dtype-to-track-data-in-sets.patch index 9428a85..4fa4cf1 100644 --- a/SOURCES/0032-src-store-expr-not-dtype-to-track-data-in-sets.patch +++ b/SOURCES/0032-src-store-expr-not-dtype-to-track-data-in-sets.patch @@ -46,18 +46,18 @@ Date: Tue Jul 16 19:03:55 2019 +0200 --- include/datatype.h | 1 - include/netlink.h | 1 - - include/rule.h | 6 ++---- - src/datatype.c | 5 ----- - src/evaluate.c | 58 +++++++++++++++++++++++++++++++++++++----------------- + include/rule.h | 6 ++--- + src/datatype.c | 5 ---- + src/evaluate.c | 58 ++++++++++++++++++++++++++++++++-------------- src/expression.c | 2 +- src/json.c | 4 ++-- - src/mnl.c | 6 +++--- + src/mnl.c | 6 ++--- src/monitor.c | 2 +- - src/netlink.c | 32 ++++++++++++++---------------- + src/netlink.c | 32 ++++++++++++------------- src/parser_bison.y | 3 +-- - src/parser_json.c | 8 ++++++-- - src/rule.c | 8 ++++---- - src/segtree.c | 8 ++++++-- + src/parser_json.c | 8 +++++-- + src/rule.c | 8 +++---- + src/segtree.c | 8 +++++-- 14 files changed, 81 insertions(+), 63 deletions(-) diff --git a/include/datatype.h b/include/datatype.h @@ -499,5 +499,5 @@ index 073c6ec..d6e3ce2 100644 tree->debug_mask = debug_mask; } -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0033-evaluate-Perform-set-evaluation-on-implicitly-declar.patch b/SOURCES/0033-evaluate-Perform-set-evaluation-on-implicitly-declar.patch index 95ce04e..1d5b5fc 100644 --- a/SOURCES/0033-evaluate-Perform-set-evaluation-on-implicitly-declar.patch +++ b/SOURCES/0033-evaluate-Perform-set-evaluation-on-implicitly-declar.patch @@ -116,5 +116,5 @@ index 578dcae..fc45cef 100644 } -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0034-evaluate-missing-datatype-definition-in-implicit_set.patch b/SOURCES/0034-evaluate-missing-datatype-definition-in-implicit_set.patch index e96c30c..3b7244d 100644 --- a/SOURCES/0034-evaluate-missing-datatype-definition-in-implicit_set.patch 
+++ b/SOURCES/0034-evaluate-missing-datatype-definition-in-implicit_set.patch @@ -33,9 +33,9 @@ Date: Sun Jun 7 15:23:21 2020 +0200 Reviewed-by: Stefano Brivio Signed-off-by: Pablo Neira Ayuso --- - src/evaluate.c | 22 ++++++++++++---------- - tests/shell/testcases/maps/0009vmap_0 | 19 +++++++++++++++++++ - tests/shell/testcases/maps/dumps/0009vmap_0 | 13 +++++++++++++ + src/evaluate.c | 22 +++++++++++---------- + tests/shell/testcases/maps/0009vmap_0 | 19 ++++++++++++++++++ + tests/shell/testcases/maps/dumps/0009vmap_0 | 13 ++++++++++++ 3 files changed, 44 insertions(+), 10 deletions(-) create mode 100755 tests/shell/testcases/maps/0009vmap_0 create mode 100644 tests/shell/testcases/maps/dumps/0009vmap_0 @@ -163,5 +163,5 @@ index 0000000..540a8af + } +} -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0035-mergesort-unbreak-listing-with-binops.patch b/SOURCES/0035-mergesort-unbreak-listing-with-binops.patch index 1ce1b28..7171ddd 100644 --- a/SOURCES/0035-mergesort-unbreak-listing-with-binops.patch +++ b/SOURCES/0035-mergesort-unbreak-listing-with-binops.patch @@ -84,5 +84,5 @@ index 55f1bc2..076e562 100644 + [ lookup reg 1 set __set%d ] + -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0036-proto-add-sctp-crc32-checksum-fixup.patch b/SOURCES/0036-proto-add-sctp-crc32-checksum-fixup.patch index 495b8bb..a9e9f8c 100644 --- a/SOURCES/0036-proto-add-sctp-crc32-checksum-fixup.patch +++ b/SOURCES/0036-proto-add-sctp-crc32-checksum-fixup.patch @@ -130,5 +130,5 @@ index 40ce590..8360abf 100644 [ICMP6HDR_TYPE] = ICMP6HDR_TYPE("type", &icmp6_type_type, icmp6_type), [ICMP6HDR_CODE] = ICMP6HDR_TYPE("code", &icmpv6_code_type, icmp6_code), -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0037-proto-Fix-ARP-header-field-ordering.patch b/SOURCES/0037-proto-Fix-ARP-header-field-ordering.patch index e29a957..8a0782d 100644 --- a/SOURCES/0037-proto-Fix-ARP-header-field-ordering.patch +++ b/SOURCES/0037-proto-Fix-ARP-header-field-ordering.patch 
@@ -35,11 +35,11 @@ Date: Tue Nov 10 13:07:49 2020 +0100 --- include/proto.h | 2 +- src/proto.c | 2 +- - tests/py/arp/arp.t | 3 +++ - tests/py/arp/arp.t.json | 56 +++++++++++++++++++++++++++++++++++++++ - tests/py/arp/arp.t.json.output | 28 ++++++++++++++++++++ - tests/py/arp/arp.t.payload | 10 +++++++ - tests/py/arp/arp.t.payload.netdev | 14 ++++++++++ + tests/py/arp/arp.t | 3 ++ + tests/py/arp/arp.t.json | 56 +++++++++++++++++++++++++++++++ + tests/py/arp/arp.t.json.output | 28 ++++++++++++++++ + tests/py/arp/arp.t.payload | 10 ++++++ + tests/py/arp/arp.t.payload.netdev | 14 ++++++++ 7 files changed, 113 insertions(+), 2 deletions(-) diff --git a/include/proto.h b/include/proto.h @@ -229,5 +229,5 @@ index 667691f..f57610c 100644 + [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ] + -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0038-json-echo-Speedup-seqnum_to_json.patch b/SOURCES/0038-json-echo-Speedup-seqnum_to_json.patch index 31d0eca..a62f001 100644 --- a/SOURCES/0038-json-echo-Speedup-seqnum_to_json.patch +++ b/SOURCES/0038-json-echo-Speedup-seqnum_to_json.patch @@ -104,5 +104,5 @@ index ddc694f..107dc38 100644 } -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0039-json-Fix-seqnum_to_json-functionality.patch b/SOURCES/0039-json-Fix-seqnum_to_json-functionality.patch index b07dcff..73e9ad1 100644 --- a/SOURCES/0039-json-Fix-seqnum_to_json-functionality.patch +++ b/SOURCES/0039-json-Fix-seqnum_to_json-functionality.patch @@ -112,5 +112,5 @@ index 107dc38..785f0e7 100644 tmp = json_object_get(json, "add"); if (!tmp) -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0040-json-don-t-leave-dangling-pointers-on-hlist.patch b/SOURCES/0040-json-don-t-leave-dangling-pointers-on-hlist.patch index a415cc2..165db16 100644 --- a/SOURCES/0040-json-don-t-leave-dangling-pointers-on-hlist.patch +++ b/SOURCES/0040-json-don-t-leave-dangling-pointers-on-hlist.patch @@ -43,5 +43,5 @@ index 785f0e7..986f128 100644 } -- -1.8.3.1 +2.31.1 
diff --git a/SOURCES/0041-json-init-parser-state-for-every-new-buffer-file.patch b/SOURCES/0041-json-init-parser-state-for-every-new-buffer-file.patch index 2906409..6291fbf 100644 --- a/SOURCES/0041-json-init-parser-state-for-every-new-buffer-file.patch +++ b/SOURCES/0041-json-init-parser-state-for-every-new-buffer-file.patch @@ -42,5 +42,5 @@ index 986f128..662bb4b 100644 if (!nft->json_root) return -EINVAL; -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch b/SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch index 9b3f64f..6a866a1 100644 --- a/SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch +++ b/SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch 
@@ -23,32 +23,30 @@ RHEL8 kernel does not support: Disable all related tests to make the testsuites pass. --- - tests/monitor/testcases/object.t | 14 +++---- - tests/py/any/meta.t | 36 ++++++++--------- - tests/py/bridge/meta.t | 8 ++-- - tests/py/inet/osf.t | 24 +++++------ - tests/py/inet/socket.t | 2 +- - tests/py/inet/synproxy.t | 12 +++--- - tests/py/ip/objects.t | 46 +++++++++++----------- - tests/py/ip6/sets.t | 2 +- - .../testcases/flowtable/0002create_flowtable_0 | 8 ++-- - .../testcases/flowtable/0003add_after_flush_0 | 8 ++-- - .../testcases/flowtable/0004delete_after_add_0 | 6 +-- - .../shell/testcases/flowtable/0005delete_in_use_1 | 10 ++--- - tests/shell/testcases/flowtable/0007prio_0 | 6 +-- - tests/shell/testcases/flowtable/0008prio_1 | 4 +- - .../testcases/flowtable/0009deleteafterflush_0 | 12 +++--- - tests/shell/testcases/listing/0013objects_0 | 2 + - tests/shell/testcases/nft-f/0017ct_timeout_obj_0 | 2 + - .../shell/testcases/nft-f/0018ct_expectation_obj_0 | 2 + - .../testcases/nft-f/dumps/0017ct_timeout_obj_0.nft | 11 ------ - .../nft-f/dumps/0017ct_timeout_obj_0.nft.disabled | 11 ++++++ - .../testcases/optionals/update_object_handles_0 | 2 + - .../sets/0036add_set_element_expiration_0 | 2 + - tests/shell/testcases/transactions/0046set_0 | 2 + - 23 files changed, 122 insertions(+), 110 deletions(-) - delete mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft - create mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled + tests/monitor/testcases/object.t | 14 +++--- + tests/py/any/meta.t | 36 +++++++-------- + tests/py/bridge/meta.t | 8 ++-- + tests/py/inet/osf.t | 24 +++++----- + tests/py/inet/socket.t | 2 +- + tests/py/inet/synproxy.t | 12 ++--- + tests/py/ip/objects.t | 46 +++++++++---------- + tests/py/ip6/sets.t | 2 +- + .../flowtable/0002create_flowtable_0 | 8 ++-- + .../testcases/flowtable/0003add_after_flush_0 | 8 ++-- + .../flowtable/0004delete_after_add_0 | 6 +-- + 
.../testcases/flowtable/0005delete_in_use_1 | 10 ++-- + tests/shell/testcases/flowtable/0007prio_0 | 6 +-- + tests/shell/testcases/flowtable/0008prio_1 | 4 +- + .../flowtable/0009deleteafterflush_0 | 12 ++--- + tests/shell/testcases/listing/0013objects_0 | 2 + + .../testcases/nft-f/0017ct_timeout_obj_0 | 2 + + .../testcases/nft-f/0018ct_expectation_obj_0 | 2 + + ....nft => 0017ct_timeout_obj_0.nft.disabled} | 0 + .../optionals/update_object_handles_0 | 2 + + .../sets/0036add_set_element_expiration_0 | 2 + + tests/shell/testcases/transactions/0046set_0 | 2 + + 22 files changed, 111 insertions(+), 99 deletions(-) + rename tests/shell/testcases/nft-f/dumps/{0017ct_timeout_obj_0.nft => 0017ct_timeout_obj_0.nft.disabled} (100%) diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t index 2afe33c..1b30384 100644 
@@ -422,40 +420,10 @@ index 4f9872f..f518cf7 100755 EXPECTED='table ip filter { ct expectation ctexpect{ protocol tcp -diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft -deleted file mode 100644 -index 7cff1ed..0000000 ---- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft -+++ /dev/null -@@ -1,11 +0,0 @@ --table ip filter { -- ct timeout cttime { -- protocol tcp -- l3proto ip -- policy = { established : 123, close : 12 } -- } -- -- chain c { -- ct timeout set "cttime" -- } --} -diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled -new file mode 100644 -index 0000000..7cff1ed ---- /dev/null -+++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled -@@ -0,0 +1,11 @@ -+table ip filter { -+ ct timeout cttime { -+ protocol tcp -+ l3proto ip -+ policy = { established : 123, close : 12 } -+ } -+ -+ chain c { -+ ct timeout set "cttime" -+ } -+} +diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled +similarity index 100% +rename from tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft +rename to tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0 index 8b12b8c..e11b4e7 100755 --- a/tests/shell/testcases/optionals/update_object_handles_0 @@ -493,5 +461,5 @@ index 172e24d..1b24964 100755 add chain ip filter group_7933 add map ip filter group_7933 { type ipv4_addr : classid; flags interval; } -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch b/SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch index f1d018d..2f86c7a 100644 
--- a/SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch +++ b/SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch @@ -37,5 +37,5 @@ index 7927b6f..142cc92 100644 dummyset->init = set_expr_alloc(monh->loc, set); -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch b/SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch index 5804349..cfb0df1 100644 --- a/SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch +++ b/SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch @@ -40,5 +40,5 @@ index ffb833a..c1cacb4 100755 command_file=$(mktemp -p $testdir) output_file=$(mktemp -p $testdir) -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch b/SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch index 9d95874..2178c15 100644 --- a/SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch +++ b/SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch @@ -53,5 +53,5 @@ index a966ed4..0181750 100644 memset(unescaped_str, 0, sizeof(unescaped_str)); -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0046-src-Support-odd-sized-payload-matches.patch b/SOURCES/0046-src-Support-odd-sized-payload-matches.patch index f68adc2..9b17f0c 100644 --- a/SOURCES/0046-src-Support-odd-sized-payload-matches.patch +++ b/SOURCES/0046-src-Support-odd-sized-payload-matches.patch @@ -60,5 +60,5 @@ index 3576400..45280ef 100644 break; } -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch b/SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch index ffb3bd1..c6288ac 100644 --- a/SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch +++ b/SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch 
@@ -237,5 +237,5 @@ index b2e8363..18b8bcb 100644 # ip6 saddr ::1 ip6 daddr ::2 ip6 test-ip6 input -- -1.8.3.1 +2.31.1 diff --git a/SOURCES/0063-parser_json-Fix-error-reporting-for-invalid-syntax.patch b/SOURCES/0063-parser_json-Fix-error-reporting-for-invalid-syntax.patch new file mode 100644 index 0000000..32f88c4 --- /dev/null +++ b/SOURCES/0063-parser_json-Fix-error-reporting-for-invalid-syntax.patch @@ -0,0 +1,100 @@ +From 8cb078a2f9f69259325c10f479c198349ef01ef2 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 6 Oct 2021 17:24:44 +0200 +Subject: [PATCH] parser_json: Fix error reporting for invalid syntax + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1994141 +Upstream Status: nftables commit 9fe5d1bc18cfa + +commit 9fe5d1bc18cfaed2ecf717e3dd9a97ff5b0e183c +Author: Phil Sutter +Date: Wed Sep 1 16:41:44 2021 +0200 + + parser_json: Fix error reporting for invalid syntax + + Errors emitted by the JSON parser caused BUG() in erec_print() due to + input descriptor values being bogus. + + Due to lack of 'include' support, JSON parser uses a single input + descriptor only and it lived inside the json_ctx object on stack of + nft_parse_json_*() functions. + + By the time errors are printed though, that scope is not valid anymore. + Move the static input descriptor object to avoid this. + + Fixes: 586ad210368b7 ("libnftables: Implement JSON parser") + 
Signed-off-by: Phil Sutter +--- + src/parser_json.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/src/parser_json.c b/src/parser_json.c +index a069a89..ef4d4fb 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -44,7 +44,6 @@ + #define CTX_F_CONCAT (1 << 8) /* inside concat_expr */ + + struct json_ctx { +- struct input_descriptor indesc; + struct nft_ctx *nft; + struct list_head *msgs; + struct list_head *cmds; +@@ -107,11 +106,12 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root); + /* parsing helpers */ + + const struct location *int_loc = &internal_location; ++static struct input_descriptor json_indesc; + + static void json_lib_error(struct json_ctx *ctx, json_error_t *err) + { + struct location loc = { +- .indesc = &ctx->indesc, ++ .indesc = &json_indesc, + .line_offset = err->position - err->column, + .first_line = err->line, + .last_line = err->line, +@@ -3864,16 +3864,15 @@ int nft_parse_json_buffer(struct nft_ctx *nft, const char *buf, + struct list_head *msgs, struct list_head *cmds) + { + struct json_ctx ctx = { +- .indesc = { +- .type = INDESC_BUFFER, +- .data = buf, +- }, + .nft = nft, + .msgs = msgs, + .cmds = cmds, + }; + int ret; + ++ json_indesc.type = INDESC_BUFFER; ++ json_indesc.data = buf; ++ + parser_init(nft, nft->state, msgs, cmds, nft->top_scope); + nft->json_root = json_loads(buf, 0, NULL); + if (!nft->json_root) +@@ -3892,10 +3891,6 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename, + struct list_head *msgs, struct list_head *cmds) + { + struct json_ctx ctx = { +- .indesc = { +- .type = INDESC_FILE, +- .name = filename, +- }, + .nft = nft, + .msgs = msgs, + .cmds = cmds, +@@ -3903,6 +3898,9 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename, + json_error_t err; + int ret; + ++ json_indesc.type = INDESC_FILE; ++ json_indesc.name = filename; ++ + parser_init(nft, nft->state, msgs, cmds, nft->top_scope); + nft->json_root 
= json_load_file(filename, 0, &err); + if (!nft->json_root) +-- +2.31.1 + diff --git a/SOURCES/0064-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch b/SOURCES/0064-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch new file mode 100644 index 0000000..09f6950 --- /dev/null +++ b/SOURCES/0064-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch @@ -0,0 +1,37 @@ +From bb4718fa421938c4a501b9a55df68de16a572f23 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 6 Oct 2021 17:32:04 +0200 +Subject: [PATCH] parser_bison: Fix for implicit declaration of isalnum + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059 +Upstream Status: nftables commit 7c3b2a7acbdc7 + +commit 7c3b2a7acbdc793b822a230ec0c28086c7d0365d +Author: Phil Sutter +Date: Fri Jun 11 16:03:32 2021 +0200 + + parser_bison: Fix for implicit declaration of isalnum + + Have to include ctype.h to make it known. + + Fixes: e76bb37940181 ("src: allow for variables in the log prefix string") + Signed-off-by: Phil Sutter +--- + src/parser_bison.y | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/parser_bison.y b/src/parser_bison.y +index 5ab5744..d38ec30 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -10,6 +10,7 @@ + + %{ + ++#include + #include + #include + #include +-- +2.31.1 + diff --git a/SOURCES/0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch b/SOURCES/0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch new file mode 100644 index 0000000..0f6e5ee --- /dev/null +++ b/SOURCES/0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch 
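Review bot: The file-scope `static struct input_descriptor json_indesc` in the parser_json.c hunk keeps state across calls: `nft_parse_json_buffer` sets only `type` and `data`, and `nft_parse_json_filename` sets only `type` and `name`, so whatever the previous call left in the other fields stays behind, whereas the removed designated initializers zeroed the whole descriptor each time. A `memset(&json_indesc, 0, sizeof(json_indesc));` before the two assignments in each function would restore that property. The same static object is also shared by every `nft_ctx` in a process, so error locations reported by one context can point at another context's buffer or filename if libnftables is used from several contexts; whether that is a supported usage is not visible here, but a comment on the declaration such as `/* single descriptor shared by all contexts: JSON input has no 'include' support */` would make the trade-off explicit. Both parse functions continue outside the hunk.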
@@ -0,0 +1,46 @@ +From 99d51194569f2784261f452ee821c42c3a7a6808 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 6 Oct 2021 17:32:04 +0200 +Subject: [PATCH] parser_json: Fix for memleak in tcp option error path + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059 +Upstream Status: nftables commit f7b0eef8391ae + +commit f7b0eef8391ae7f89a3a82f6eeecaebe199224d7 +Author: Phil Sutter +Date: Fri Jun 11 16:07:02 2021 +0200 + + parser_json: Fix for memleak in tcp option error path + + If 'kind' value is invalid, the function returned without freeing 'expr' + first. Fix this by performing the check before allocation. + + Fixes: cb21869649208 ("json: tcp: add raw tcp option match support") + Signed-off-by: Phil Sutter +--- + src/parser_json.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/parser_json.c b/src/parser_json.c +index ef4d4fb..2250be9 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -610,12 +610,12 @@ static struct expr *json_parse_tcp_option_expr(struct json_ctx *ctx, + "base", &kind, "offset", &offset, "len", &len)) { + uint32_t flag = 0; + +- expr = tcpopt_expr_alloc(int_loc, kind, +- TCPOPT_COMMON_KIND); +- + if (kind < 0 || kind > 255) + return NULL; + ++ expr = tcpopt_expr_alloc(int_loc, kind, ++ TCPOPT_COMMON_KIND); ++ + if (offset == TCPOPT_COMMON_KIND && len == 8) + flag = NFT_EXTHDR_F_PRESENT; + +-- +2.31.1 + diff --git a/SOURCES/0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch b/SOURCES/0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch new file mode 100644 index 0000000..8000cf3 --- /dev/null +++ b/SOURCES/0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch 
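Review bot: The `if (kind < 0 || kind > 255) return NULL;` check in `json_parse_tcp_option_expr` now correctly precedes the allocation, but it still fails silently, so a ruleset with an out-of-range `base` value gets a generic parse failure with no hint which field was rejected. Emitting a diagnostic first, e.g. `json_error(ctx, "invalid tcp option kind %d", kind);`, would match how other rejections in this parser are reported, assuming that helper is the one in scope here (the hunk does not show it). The function body continues outside the hunk.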
@@ -0,0 +1,37 @@ +From 5f30a3447d28381fdf534ff4ed90167455d1283b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 6 Oct 2021 17:32:04 +0200 +Subject: [PATCH] json: Drop pointless assignment in exthdr_expr_json() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059 +Upstream Status: nftables commit c1616dfd1ce40 + +commit c1616dfd1ce40bac197924c8947e1c646e915dca +Author: Phil Sutter +Date: Fri Jun 11 16:23:22 2021 +0200 + + json: Drop pointless assignment in exthdr_expr_json() + + The updated value of 'is_exists' is no longer read at this point. + + Fixes: cb21869649208 ("json: tcp: add raw tcp option match support") + Signed-off-by: Phil Sutter +--- + src/json.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/json.c b/src/json.c +index dfc9031..ecec51c 100644 +--- a/src/json.c ++++ b/src/json.c +@@ -679,7 +679,6 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx) + "base", expr->exthdr.raw_type, + "offset", expr->exthdr.offset, + "len", expr->len); +- is_exists = false; + } + + return json_pack("{s:o}", "tcp option", root); +-- +2.31.1 + diff --git a/SOURCES/0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch b/SOURCES/0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch new file mode 100644 index 0000000..b5501fd --- /dev/null +++ b/SOURCES/0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch 
@@ -0,0 +1,69 @@ +From 36cf5177c724540aea5a42f9dc6ef5476f86179a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 5 Nov 2021 16:06:45 +0100 +Subject: [PATCH] segtree: Fix segfault when restoring a huge interval set + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127 +Upstream Status: nftables commit baecd1cf26851 + +commit baecd1cf26851a4c5b7d469206a488f14fe5b147 +Author: Phil Sutter +Date: Wed Jun 9 15:49:52 2021 +0200 + + segtree: Fix segfault when restoring a huge interval set + + Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as + set_to_segtree() exhausts the stack. Prevent this by allocating the + pointer array on heap and make sure it is freed before returning to + caller. + + With this patch in place, restoring said set succeeds with allocation of + about 3GB of memory, according to valgrind. + + 
Signed-off-by: Phil Sutter +--- + src/segtree.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/segtree.c b/src/segtree.c +index d6e3ce2..b852961 100644 +--- a/src/segtree.c ++++ b/src/segtree.c +@@ -414,10 +414,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set, + struct expr *init, struct seg_tree *tree, + bool add, bool merge) + { +- struct elementary_interval *intervals[init->size]; ++ struct elementary_interval **intervals; + struct expr *i, *next; + unsigned int n; +- int err; ++ int err = 0; + + /* We are updating an existing set with new elements, check if the new + * interval overlaps with any of the existing ones. +@@ -428,6 +428,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set, + return err; + } + ++ intervals = xmalloc_array(init->size, sizeof(intervals[0])); + n = expr_to_intervals(init, tree->keylen, intervals); + + list_for_each_entry_safe(i, next, &init->expressions, list) { +@@ -446,10 +447,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set, + for (n = 0; n < init->size; n++) { + err = ei_insert(msgs, tree, intervals[n], merge); + if (err < 0) +- return err; ++ break; + } + +- return 0; ++ xfree(intervals); ++ return err; + } + + static bool segtree_needs_first_segment(const struct set *set, +-- +2.31.1 + diff --git a/SOURCES/0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch b/SOURCES/0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch new file mode 100644 index 0000000..b909cfe --- /dev/null +++ b/SOURCES/0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch 
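Review bot: The new error path in `set_to_segtree` frees only the pointer array: when `ei_insert` fails at index `n` the loop breaks and `xfree(intervals)` runs, but the `struct elementary_interval` objects at `intervals[n+1..init->size-1]` (and `intervals[n]` itself, depending on whether `ei_insert` consumes its argument on failure, which is not visible here) are still allocated, so the "freed before returning to caller" guarantee in the description covers the array but not its elements. The unchanged code between the two hunks (the `list_for_each_entry_safe` loop and the sort) is outside this view, so whether any early `return` there would skip the new `xfree()` cannot be checked from the patch alone; a comment like `/* intervals is heap-allocated: every exit below must reach xfree() */` above the allocation would guard against that being reintroduced.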
@@ -0,0 +1,74 @@ +From cc6c59e683c503b461b4a80526f4bc9cbb0660bf Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 5 Nov 2021 16:06:45 +0100 +Subject: [PATCH] tests: cover baecd1cf2685 ("segtree: Fix segfault when + restoring a huge interval set") +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127 +Upstream Status: nftables commit d8ccad2a2b73c + +commit d8ccad2a2b73c4189934eb5fd0e3d096699b5043 +Author: Štěpán Němec +Date: Wed Oct 20 14:42:20 2021 +0200 + + tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") + + Test inspired by [1] with both the set and stack size reduced by the + same power of 2, to preserve the (pre-baecd1cf2685) segfault on one + hand, and make the test successfully complete (post-baecd1cf2685) in a + few seconds even on weaker hardware on the other. + + (The reason I stopped at 128kB stack size is that with 64kB I was + getting segfaults even with baecd1cf2685 applied.) + + [1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127 + + Signed-off-by: Štěpán Němec + Helped-by: Phil Sutter + 
Signed-off-by: Phil Sutter +--- + .../sets/0068interval_stack_overflow_0 | 29 +++++++++++++++++++ + 1 file changed, 29 insertions(+) + create mode 100755 tests/shell/testcases/sets/0068interval_stack_overflow_0 + +diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0 +new file mode 100755 +index 0000000..134282d +--- /dev/null ++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0 +@@ -0,0 +1,29 @@ ++#!/bin/bash ++ ++set -e ++ ++ruleset_file=$(mktemp) ++ ++trap 'rm -f "$ruleset_file"' EXIT ++ ++{ ++ echo 'define big_set = {' ++ for ((i = 1; i < 255; i++)); do ++ for ((j = 1; j < 80; j++)); do ++ echo "10.0.$i.$j," ++ done ++ done ++ echo '10.1.0.0/24 }' ++} >"$ruleset_file" ++ ++cat >>"$ruleset_file" <<\EOF ++table inet test68_table { ++ set test68_set { ++ type ipv4_addr ++ flags interval ++ elements = { $big_set } ++ } ++} ++EOF ++ ++( ulimit -s 128 && "$NFT" -f "$ruleset_file" ) +-- +2.31.1 + diff --git a/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch b/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch new file mode 100644 index 0000000..8207b8f --- /dev/null +++ b/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch 
@@ -0,0 +1,58 @@ +From ea4457d5c329c8930c610ef3002cfe42bf8a263f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 Dec 2021 14:10:31 +0100 +Subject: [PATCH] tests: shell: $NFT needs to be invoked unquoted +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127 +Upstream Status: nftables commit dad3338f1f76a +Conflicts: Context change in README due to missing other commits. + +commit dad3338f1f76a4a5bd782bae9c6b48941dfb1e31 +Author: Štěpán Němec +Date: Fri Nov 5 12:39:11 2021 +0100 + + tests: shell: $NFT needs to be invoked unquoted + + The variable has to undergo word splitting, otherwise the shell tries + to find the variable value as an executable, which breaks in cases that + 7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command") + intends to support. + + Mention this in the shell tests README. + + Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")") + Signed-off-by: Štěpán Němec + 
Signed-off-by: Phil Sutter +--- + tests/shell/README | 3 +++ + tests/shell/testcases/sets/0068interval_stack_overflow_0 | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tests/shell/README b/tests/shell/README +index e0279bb..aee50e3 100644 +--- a/tests/shell/README ++++ b/tests/shell/README +@@ -25,4 +25,7 @@ path to the nftables binary being tested. + You can pass an arbitrary $NFT value as well: + # NFT=/usr/local/sbin/nft ./run-tests.sh + ++Note that, to support usage such as NFT='valgrind nft', tests must ++invoke $NFT unquoted. ++ + By default the tests are run with the nft binary at '../../src/nft' +diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0 +index 134282d..6620572 100755 +--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0 ++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0 +@@ -26,4 +26,4 @@ table inet test68_table { + } + EOF + +-( ulimit -s 128 && "$NFT" -f "$ruleset_file" ) ++( ulimit -s 128 && $NFT -f "$ruleset_file" ) +-- +2.31.1 + diff --git a/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch b/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch new file mode 100644 index 0000000..dd6cd97 --- /dev/null +++ b/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch 
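Review bot: Invoking `$NFT` unquoted in 0068interval_stack_overflow_0 subjects the value to pathname expansion as well as word splitting, so an `NFT` path containing whitespace or glob characters no longer works; that is the accepted trade-off for supporting wrappers, but the README paragraph should say so. Suggested wording for the added README note: `Note that, to support usage such as NFT='valgrind nft', tests must invoke $NFT unquoted; the value therefore must not contain whitespace or glob characters other than as argument separators.`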
@@ -0,0 +1,59 @@ +From b297f75275737de3e16b5d14916efe35535b6279 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 Dec 2021 14:10:54 +0100 +Subject: [PATCH] tests: shell: better parameters for the interval stack + overflow test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127 +Upstream Status: nftables commit 7b81d9cb094ff + +commit 7b81d9cb094ffa96ad821528cf19269dc348f617 +Author: Štěpán Němec +Date: Wed Dec 1 12:12:00 2021 +0100 + + tests: shell: better parameters for the interval stack overflow test + + Wider testing has shown that 128 kB stack is too low (e.g. for systems + with 64 kB page size), leading to false failures in some environments. + + Based on results from a matrix of RHEL 8 and RHEL 9 systems across + x86_64, aarch64, ppc64le and s390x architectures as well as some + anecdotal testing of other Linux distros on x86_64 machines, 400 kB + seems safe: the normal nft stack (which should stay constant during + this test) on all tested systems doesn't exceed 200 kB (stays around + 100 kB on typical systems with 4 kB page size), while always growing + beyond 500 kB in the failing case (nftables before baecd1cf2685) with + the increased set size. + + Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")") + Signed-off-by: Štěpán Němec + 
Signed-off-by: Phil Sutter +--- + tests/shell/testcases/sets/0068interval_stack_overflow_0 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0 +index 6620572..2cbc986 100755 +--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0 ++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0 +@@ -9,7 +9,7 @@ trap 'rm -f "$ruleset_file"' EXIT + { + echo 'define big_set = {' + for ((i = 1; i < 255; i++)); do +- for ((j = 1; j < 80; j++)); do ++ for ((j = 1; j < 255; j++)); do + echo "10.0.$i.$j," + done + done +@@ -26,4 +26,4 @@ table inet test68_table { + } + EOF + +-( ulimit -s 128 && $NFT -f "$ruleset_file" ) ++( ulimit -s 400 && $NFT -f "$ruleset_file" ) +-- +2.31.1 + diff --git a/SOURCES/0071-netlink-remove-unused-parameter-from-netlink_gen_stm.patch b/SOURCES/0071-netlink-remove-unused-parameter-from-netlink_gen_stm.patch new file mode 100644 index 0000000..d254375 --- /dev/null +++ b/SOURCES/0071-netlink-remove-unused-parameter-from-netlink_gen_stm.patch @@ -0,0 +1,134 @@ +From cf85778a263a34aa2aeee565f3e046693164a097 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 13 Jan 2022 20:37:56 +0100 +Subject: [PATCH] netlink: remove unused parameter from + netlink_gen_stmt_stateful() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594 +Upstream Status: nftables commit 3f3e897f42965 + +commit 3f3e897f429659ff6c8387245d0d4115952a6c31 +Author: Pablo Neira Ayuso +Date: Wed Mar 11 13:02:26 2020 +0100 + + netlink: remove unused parameter from netlink_gen_stmt_stateful() + + Remove context from netlink_gen_stmt_stateful(). + + 
Signed-off-by: Pablo Neira Ayuso +--- + src/netlink_linearize.c | 36 +++++++++++++----------------------- + 1 file changed, 13 insertions(+), 23 deletions(-) + +diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c +index 28b0e6a..f5c6116 100644 +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -780,9 +780,7 @@ static void netlink_gen_objref_stmt(struct netlink_linearize_ctx *ctx, + nftnl_rule_add_expr(ctx->nlr, nle); + } + +-static struct nftnl_expr * +-netlink_gen_connlimit_stmt(struct netlink_linearize_ctx *ctx, +- const struct stmt *stmt) ++static struct nftnl_expr *netlink_gen_connlimit_stmt(const struct stmt *stmt) + { + struct nftnl_expr *nle; + +@@ -795,9 +793,7 @@ netlink_gen_connlimit_stmt(struct netlink_linearize_ctx *ctx, + return nle; + } + +-static struct nftnl_expr * +-netlink_gen_counter_stmt(struct netlink_linearize_ctx *ctx, +- const struct stmt *stmt) ++static struct nftnl_expr *netlink_gen_counter_stmt(const struct stmt *stmt) + { + struct nftnl_expr *nle; + +@@ -814,9 +810,7 @@ netlink_gen_counter_stmt(struct netlink_linearize_ctx *ctx, + return nle; + } + +-static struct nftnl_expr * +-netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx, +- const struct stmt *stmt) ++static struct nftnl_expr *netlink_gen_limit_stmt(const struct stmt *stmt) + { + struct nftnl_expr *nle; + +@@ -832,9 +826,7 @@ netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx, + return nle; + } + +-static struct nftnl_expr * +-netlink_gen_quota_stmt(struct netlink_linearize_ctx *ctx, +- const struct stmt *stmt) ++static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt) + { + struct nftnl_expr *nle; + +@@ -846,19 +838,17 @@ netlink_gen_quota_stmt(struct netlink_linearize_ctx *ctx, + return nle; + } + +-static struct nftnl_expr * +-netlink_gen_stmt_stateful(struct netlink_linearize_ctx *ctx, +- const struct stmt *stmt) ++static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt) + { + switch (stmt->ops->type) 
{ + case STMT_CONNLIMIT: +- return netlink_gen_connlimit_stmt(ctx, stmt); ++ return netlink_gen_connlimit_stmt(stmt); + case STMT_COUNTER: +- return netlink_gen_counter_stmt(ctx, stmt); ++ return netlink_gen_counter_stmt(stmt); + case STMT_LIMIT: +- return netlink_gen_limit_stmt(ctx, stmt); ++ return netlink_gen_limit_stmt(stmt); + case STMT_QUOTA: +- return netlink_gen_quota_stmt(ctx, stmt); ++ return netlink_gen_quota_stmt(stmt); + default: + BUG("unknown stateful statement type %s\n", stmt->ops->name); + } +@@ -1307,7 +1297,7 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx, + + if (stmt->set.stmt) + nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR, +- netlink_gen_stmt_stateful(ctx, stmt->set.stmt), 0); ++ netlink_gen_stmt_stateful(stmt->set.stmt), 0); + } + + static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx, +@@ -1337,7 +1327,7 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx, + + if (stmt->map.stmt) + nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR, +- netlink_gen_stmt_stateful(ctx, stmt->map.stmt), 0); ++ netlink_gen_stmt_stateful(stmt->map.stmt), 0); + + nftnl_rule_add_expr(ctx->nlr, nle); + } +@@ -1369,7 +1359,7 @@ static void netlink_gen_meter_stmt(struct netlink_linearize_ctx *ctx, + nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name); + nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id); + nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR, +- netlink_gen_stmt_stateful(ctx, stmt->meter.stmt), 0); ++ netlink_gen_stmt_stateful(stmt->meter.stmt), 0); + nftnl_rule_add_expr(ctx->nlr, nle); + } + +@@ -1415,7 +1405,7 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx, + case STMT_COUNTER: + case STMT_LIMIT: + case STMT_QUOTA: +- nle = netlink_gen_stmt_stateful(ctx, stmt); ++ nle = netlink_gen_stmt_stateful(stmt); + nftnl_rule_add_expr(ctx->nlr, nle); + break; + case STMT_NOTRACK: +-- +2.31.1 + 
diff --git a/SOURCES/0072-src-support-for-restoring-element-counters.patch b/SOURCES/0072-src-support-for-restoring-element-counters.patch new file mode 100644 index 0000000..ad66222 --- /dev/null +++ b/SOURCES/0072-src-support-for-restoring-element-counters.patch @@ -0,0 +1,150 @@ +From 0db42cc2d2647ec61441e29445c9f6e0f8946613 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 13 Jan 2022 20:37:56 +0100 +Subject: [PATCH] src: support for restoring element counters + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594 +Upstream Status: nftables commit 1fe6089ddd87e + +commit 1fe6089ddd87ee7869d24c0f8849951220cc9b85 +Author: Pablo Neira Ayuso +Date: Wed Mar 11 13:00:01 2020 +0100 + + src: support for restoring element counters + + This patch allows you to restore counters in dynamic sets: + + table ip test { + set test { + type ipv4_addr + size 65535 + flags dynamic,timeout + timeout 30d + gc-interval 1d + elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 } + } + chain output { + type filter hook output priority 0; + update @test { ip saddr } + } + } + + You can also add counters to elements from the control place, ie. + + table ip test { + set test { + type ipv4_addr + size 65535 + elements = { 192.168.2.1 counter packets 75 bytes 19043 } + } + + chain output { + type filter hook output priority filter; policy accept; + ip daddr @test + } + } + + 
Signed-off-by: Pablo Neira Ayuso +--- + include/netlink.h | 1 + + src/netlink.c | 3 +++ + src/netlink_linearize.c | 2 +- + src/parser_bison.y | 36 +++++++++++++++++++++++++++++++++++- + 4 files changed, 40 insertions(+), 2 deletions(-) + +diff --git a/include/netlink.h b/include/netlink.h +index 88d12ba..059092e 100644 +--- a/include/netlink.h ++++ b/include/netlink.h +@@ -97,6 +97,7 @@ extern void netlink_gen_data(const struct expr *expr, + extern void netlink_gen_raw_data(const mpz_t value, enum byteorder byteorder, + unsigned int len, + struct nft_data_linearize *data); ++extern struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt); + + extern struct expr *netlink_alloc_value(const struct location *loc, + const struct nft_data_delinearize *nld); +diff --git a/src/netlink.c b/src/netlink.c +index 64e51e5..825c2cc 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -136,6 +136,9 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, + if (elem->expiration) + nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION, + elem->expiration); ++ if (elem->stmt) ++ nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR, ++ netlink_gen_stmt_stateful(elem->stmt), 0); + if (elem->comment || expr->elem_flags) { + udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN); + if (!udbuf) +diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c +index f5c6116..3fa1339 100644 +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -838,7 +838,7 @@ static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt) + return nle; + } + +-static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt) ++struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt) + { + switch (stmt->ops->type) { + case STMT_CONNLIMIT: +diff --git a/src/parser_bison.y b/src/parser_bison.y +index d38ec30..2cdf8ec 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -3654,7 +3654,7 @@ meter_key_expr_alloc : concat_expr + ; + + 
set_elem_expr : set_elem_expr_alloc +- | set_elem_expr_alloc set_elem_options ++ | set_elem_expr_alloc set_elem_expr_options + ; + + set_elem_expr_alloc : set_lhs_expr +@@ -3684,6 +3684,40 @@ set_elem_option : TIMEOUT time_spec + } + ; + ++set_elem_expr_options : set_elem_expr_option ++ { ++ $$ = $0; ++ } ++ | set_elem_expr_options set_elem_expr_option ++ ; ++ ++set_elem_expr_option : TIMEOUT time_spec ++ { ++ $0->timeout = $2; ++ } ++ | EXPIRES time_spec ++ { ++ $0->expiration = $2; ++ } ++ | COUNTER ++ { ++ $0->stmt = counter_stmt_alloc(&@$); ++ } ++ | COUNTER PACKETS NUM BYTES NUM ++ { ++ struct stmt *stmt; ++ ++ stmt = counter_stmt_alloc(&@$); ++ stmt->counter.packets = $3; ++ stmt->counter.bytes = $5; ++ $0->stmt = stmt; ++ } ++ | comment_spec ++ { ++ $0->comment = $1; ++ } ++ ; ++ + set_lhs_expr : concat_rhs_expr + | wildcard_expr + ; +-- +2.31.1 + diff --git a/SOURCES/0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.patch b/SOURCES/0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.patch new file mode 100644 index 0000000..670afae --- /dev/null +++ b/SOURCES/0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.patch 
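Review bot: In the new `set_elem_expr_option` rule, both `COUNTER` alternatives assign `$0->stmt` unconditionally, and because `set_elem_expr_options` is left-recursive an element such as `counter counter packets 1 bytes 2` is accepted and the first `counter_stmt_alloc()` result is overwritten without being released. Either the second occurrence should be rejected with a parse error, or the previous statement should be freed first, e.g. `if ($0->stmt) stmt_free($0->stmt);` ahead of each assignment, assuming the usual statement-free helper is in scope in this grammar file. The `netlink.c` hunk only ever sees the last statement, so the duplicate also changes what gets sent to the kernel without any diagnostic.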
@@ -0,0 +1,127 @@ +From 48021b277a1ab92480c43e1fa7573b00e33f5212 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 14 Jan 2022 11:39:17 +0100 +Subject: [PATCH] evaluate: attempt to set_eval flag if dynamic updates + requested + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594 +Upstream Status: nftables commit 8d443adfcc8c1 +Conflicts: +* Context change due to missing commit 242965f452e64 + ("src: add support for multi-statement in dynamic sets and maps") +* Adjusted test-case: Due to missing kernel commit 7b1394892de8d + ("netfilter: nft_dynset: relax superfluous check on set updates"), + 'update' statement is allowed only if timeout flag is present + +commit 8d443adfcc8c19effd6be9a9c903ee96e374f2e8 +Author: Florian Westphal +Date: Tue Jan 11 12:08:59 2022 +0100 + + evaluate: attempt to set_eval flag if dynamic updates requested + + When passing no upper size limit, the dynset expression forces + an internal 64k upperlimit. + + In some cases, this can result in 'nft -f' to restore the ruleset. + Avoid this by always setting the EVAL flag on a set definition when + we encounter packet-path update attempt in the batch. + + Reported-by: Yi Chen + Suggested-by: Pablo Neira Ayuso + 
Signed-off-by: Florian Westphal +--- + src/evaluate.c | 11 +++++++ + .../testcases/sets/dumps/dynset_missing.nft | 12 +++++++ + tests/shell/testcases/sets/dynset_missing | 32 +++++++++++++++++++ + 3 files changed, 55 insertions(+) + create mode 100644 tests/shell/testcases/sets/dumps/dynset_missing.nft + create mode 100755 tests/shell/testcases/sets/dynset_missing + +diff --git a/src/evaluate.c b/src/evaluate.c +index 00ec20b..9381f23 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -3076,6 +3076,8 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt) + + static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) + { ++ struct set *this_set; ++ + expr_set_context(&ctx->ectx, NULL, 0); + if (expr_evaluate(ctx, &stmt->set.set) < 0) + return -1; +@@ -3103,6 +3105,15 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) + "meter statement must be stateful"); + } + ++ this_set = stmt->set.set->set; ++ ++ /* Make sure EVAL flag is set on set definition so that kernel ++ * picks a set that allows updates from the packet path. ++ * ++ * Alternatively we could error out in case 'flags dynamic' was ++ * not given, but we can repair this here. 
++ */ ++ this_set->flags |= NFT_SET_EVAL; + return 0; + } + +diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.nft b/tests/shell/testcases/sets/dumps/dynset_missing.nft +new file mode 100644 +index 0000000..fdb1b97 +--- /dev/null ++++ b/tests/shell/testcases/sets/dumps/dynset_missing.nft +@@ -0,0 +1,12 @@ ++table ip test { ++ set dlist { ++ type ipv4_addr ++ size 65535 ++ flags dynamic,timeout ++ } ++ ++ chain output { ++ type filter hook output priority filter; policy accept; ++ udp dport 1234 update @dlist { ip daddr } counter packets 0 bytes 0 ++ } ++} +diff --git a/tests/shell/testcases/sets/dynset_missing b/tests/shell/testcases/sets/dynset_missing +new file mode 100755 +index 0000000..89afcd5 +--- /dev/null ++++ b/tests/shell/testcases/sets/dynset_missing +@@ -0,0 +1,32 @@ ++#!/bin/bash ++ ++set -e ++ ++$NFT -f /dev/stdin < $tmpfile ++ ++# this restore works, because set is still the rhash backend. ++$NFT -f $tmpfile # success ++$NFT flush ruleset ++ ++# fails without commit 'attempt to set_eval flag if dynamic updates requested', ++# because set in $tmpfile has 'size x' but no 'flags dynamic'. ++$NFT -f $tmpfile +-- +2.31.1 + diff --git a/SOURCES/0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch b/SOURCES/0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch new file mode 100644 index 0000000..c9fae43 --- /dev/null +++ b/SOURCES/0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch 
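Review bot: The repair in stmt_evaluate_set mutates the cached `struct set` unconditionally, so when the referenced set already exists in the kernel without the dynamic flag and is not re-created in this batch, the OR into `this_set->flags` presumably changes nothing on the kernel side and the update rule would still be refused; the comment block should state that limit, e.g. add ` * This only takes effect for a set defined in the same batch; a pre-existing kernel set keeps its flags.` after the "repair this here" sentence. The new test script `dynset_missing` appears truncated in this rendering (the diffstat counts 32 lines for it, and the input fed to `$NFT -f /dev/stdin` is missing), so the restore sequence it exercises cannot be checked here. stmt_evaluate_set spans both hunks of src/evaluate.c, with the middle of the function lying between them.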
@@ -0,0 +1,49 @@ +From 1fe92af5a03608b94e8e1e2ff26e24adfe2ea09a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 21 Jan 2022 12:35:39 +0100 +Subject: [PATCH] evaluate: fix inet nat with no layer 3 info + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2030773 +Upstream Status: nftables commit 9a36033ce5063 + +commit 9a36033ce50638a403d1421935cdd1287ee5de6b +Author: Pablo Neira Ayuso +Date: Tue Jul 20 18:59:44 2021 +0200 + + evaluate: fix inet nat with no layer 3 info + + nft currently reports: + + Error: Could not process rule: Protocol error + add rule inet x y meta l4proto tcp dnat to :80 + ^^^^ + + default to NFPROTO_INET family, otherwise kernel bails out EPROTO when + trying to load the conntrack helper. + + Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428 + Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 9381f23..e495faf 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2757,9 +2757,10 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt) + stmt->nat.family = ctx->pctx.family; + return 0; + case NFPROTO_INET: +- if (!stmt->nat.addr) ++ if (!stmt->nat.addr) { ++ stmt->nat.family = NFPROTO_INET; + return 0; +- ++ } + if (stmt->nat.family != NFPROTO_UNSPEC) + return 0; + +-- +2.31.1 + diff --git a/SOURCES/0075-tests-py-add-dnat-to-port-without-defining-destinati.patch b/SOURCES/0075-tests-py-add-dnat-to-port-without-defining-destinati.patch new file mode 100644 index 0000000..f4e0e5e --- /dev/null +++ b/SOURCES/0075-tests-py-add-dnat-to-port-without-defining-destinati.patch 
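Review bot: The new assignment `stmt->nat.family = NFPROTO_INET;` in nat_evaluate_family carries no explanation in the code although the commit message gives one; a why-comment such as `/* no L3 address given: default to inet, otherwise the kernel fails with EPROTO when loading the conntrack helper */` above it would save the next reader a trip to the log. The assignment also runs whenever `stmt->nat.addr` is NULL, so if the grammar accepts an explicit `ip`/`ip6` keyword together with a port-only target, that user-chosen family would be overwritten here — worth confirming against the parser. The switch statement enclosing this case starts and ends outside the hunk.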
@@ -0,0 +1,86 @@ +From eeba2cd956485d3059dabf86a7ad8dd59ee682dd Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 4 Feb 2022 14:18:44 +0100 +Subject: [PATCH] tests: py: add dnat to port without defining destination + address + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2030773 +Upstream Status: nftables commit 0f27e258b37a5 +Conflicts: Context changes due to missing commit ae1d822630e6d + ("src: context tracking for multiple transport protocols") + +commit 0f27e258b37a592233d6ad5381cd1fae65e57514 +Author: Pablo Neira Ayuso +Date: Thu Jul 22 17:43:56 2021 +0200 + + tests: py: add dnat to port without defining destination address + + Add a test to cover dnat to port without destination address. + + Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428 + 
Signed-off-by: Pablo Neira Ayuso +--- + tests/py/inet/dnat.t | 1 + + tests/py/inet/dnat.t.json | 20 ++++++++++++++++++++ + tests/py/inet/dnat.t.payload | 8 ++++++++ + 3 files changed, 29 insertions(+) + +diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t +index fcdf943..6beceda 100644 +--- a/tests/py/inet/dnat.t ++++ b/tests/py/inet/dnat.t +@@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok + + iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok + iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok ++meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80 + + dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok + dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok +diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json +index ac6dac6..f88e9cf 100644 +--- a/tests/py/inet/dnat.t.json ++++ b/tests/py/inet/dnat.t.json +@@ -164,3 +164,23 @@ + } + ] + ++# meta l4proto tcp dnat to :80 ++[ ++ { ++ "match": { ++ "left": { ++ "meta": { ++ "key": "l4proto" ++ } ++ }, ++ "op": "==", ++ "right": 6 ++ } ++ }, ++ { ++ "dnat": { ++ "port": 80 ++ } ++ } ++] ++ +diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload +index b81caf7..6d8569d 100644 +--- a/tests/py/inet/dnat.t.payload ++++ b/tests/py/inet/dnat.t.payload +@@ -52,3 +52,11 @@ inet test-inet prerouting + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __map%d dreg 1 ] + [ nat dnat ip addr_min reg 1 addr_max reg 0 ] ++ ++# meta l4proto tcp dnat to :80 ++inet ++ [ meta load l4proto => reg 1 ] ++ [ cmp eq reg 1 0x00000006 ] ++ [ immediate reg 1 0x00005000 ] ++ [ nat dnat inet proto_min reg 1 flags 0x2 ] ++ +-- +2.31.1 + diff --git a/SOURCES/0076-mnl-do-not-build-nftnl_set-element-list.patch b/SOURCES/0076-mnl-do-not-build-nftnl_set-element-list.patch new file mode 100644 index 0000000..9e9c18d --- /dev/null +++ b/SOURCES/0076-mnl-do-not-build-nftnl_set-element-list.patch 
@@ -0,0 +1,214 @@ +From bd940a4efd2b5897f8a8e58ec7733417b3710e1e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 8 Dec 2021 13:28:49 +0100 +Subject: [PATCH] mnl: do not build nftnl_set element list + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047821 +Upstream Status: nftables commit b4b234f5a29e8 +Conflicts: Context change due to missing commit 66746e7dedeb0 + ("src: support for nat with interval concatenation"). + +commit b4b234f5a29e819045679acd95820a7457d4d7de +Author: Pablo Neira Ayuso +Date: Thu Nov 4 12:53:11 2021 +0100 + + mnl: do not build nftnl_set element list + + Do not call alloc_setelem_cache() to build the set element list in + nftnl_set. Instead, translate one single set element expression to + nftnl_set_elem object at a time and use this object to build the netlink + header. + + Using a huge test set containing 1.1 million element blocklist, this + patch is reducing userspace memory consumption by 40%. + + 
Signed-off-by: Pablo Neira Ayuso +--- + include/netlink.h | 2 + + src/mnl.c | 112 ++++++++++++++++++++++++++++++++++++---------- + src/netlink.c | 4 +- + 3 files changed, 93 insertions(+), 25 deletions(-) + +diff --git a/include/netlink.h b/include/netlink.h +index 059092e..3443582 100644 +--- a/include/netlink.h ++++ b/include/netlink.h +@@ -56,6 +56,8 @@ struct netlink_ctx { + + extern struct nftnl_expr *alloc_nft_expr(const char *name); + extern void alloc_setelem_cache(const struct expr *set, struct nftnl_set *nls); ++struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, ++ const struct expr *expr); + + extern struct nftnl_table *netlink_table_alloc(const struct nlmsghdr *nlh); + extern struct nftnl_chain *netlink_chain_alloc(const struct nlmsghdr *nlh); +diff --git a/src/mnl.c b/src/mnl.c +index 23341e6..44cf1a4 100644 +--- a/src/mnl.c ++++ b/src/mnl.c +@@ -1201,33 +1201,102 @@ static int set_elem_cb(const struct nlmsghdr *nlh, void *data) + return MNL_CB_OK; + } + +-static int mnl_nft_setelem_batch(struct nftnl_set *nls, ++static bool mnl_nft_attr_nest_overflow(struct nlmsghdr *nlh, ++ const struct nlattr *from, ++ const struct nlattr *to) ++{ ++ int len = (void *)to + to->nla_len - (void *)from; ++ ++ /* The attribute length field is 16 bits long, thus the maximum payload ++ * that an attribute can convey is UINT16_MAX. In case of overflow, ++ * discard the last attribute that did not fit into the nest. 
++ */ ++ if (len > UINT16_MAX) { ++ nlh->nlmsg_len -= to->nla_len; ++ return true; ++ } ++ return false; ++} ++ ++static void netlink_dump_setelem(const struct nftnl_set_elem *nlse, ++ struct netlink_ctx *ctx) ++{ ++ FILE *fp = ctx->nft->output.output_fp; ++ char buf[4096]; ++ ++ if (!(ctx->nft->debug_mask & NFT_DEBUG_NETLINK) || !fp) ++ return; ++ ++ nftnl_set_elem_snprintf(buf, sizeof(buf), nlse, NFTNL_OUTPUT_DEFAULT, 0); ++ fprintf(fp, "\t%s", buf); ++} ++ ++static void netlink_dump_setelem_done(struct netlink_ctx *ctx) ++{ ++ FILE *fp = ctx->nft->output.output_fp; ++ ++ if (!(ctx->nft->debug_mask & NFT_DEBUG_NETLINK) || !fp) ++ return; ++ ++ fprintf(fp, "\n"); ++} ++ ++static int mnl_nft_setelem_batch(const struct nftnl_set *nls, + struct nftnl_batch *batch, + enum nf_tables_msg_types cmd, +- unsigned int flags, uint32_t seqnum) ++ unsigned int flags, uint32_t seqnum, ++ const struct expr *set, ++ struct netlink_ctx *ctx) + { ++ struct nlattr *nest1, *nest2; ++ struct nftnl_set_elem *nlse; + struct nlmsghdr *nlh; +- struct nftnl_set_elems_iter *iter; +- int ret; +- +- iter = nftnl_set_elems_iter_create(nls); +- if (iter == NULL) +- memory_allocation_error(); ++ struct expr *expr = NULL; ++ int i = 0; + + if (cmd == NFT_MSG_NEWSETELEM) + flags |= NLM_F_CREATE; + +- while (nftnl_set_elems_iter_cur(iter)) { +- nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(batch), cmd, +- nftnl_set_get_u32(nls, NFTNL_SET_FAMILY), +- flags, seqnum); +- ret = nftnl_set_elems_nlmsg_build_payload_iter(nlh, iter); +- mnl_nft_batch_continue(batch); +- if (ret <= 0) +- break; ++ if (set) ++ expr = list_first_entry(&set->expressions, struct expr, list); ++ ++next: ++ nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(batch), cmd, ++ nftnl_set_get_u32(nls, NFTNL_SET_FAMILY), ++ flags, seqnum); ++ ++ if (nftnl_set_is_set(nls, NFTNL_SET_TABLE)) { ++ mnl_attr_put_strz(nlh, NFTA_SET_ELEM_LIST_TABLE, ++ nftnl_set_get_str(nls, NFTNL_SET_TABLE)); ++ } ++ if (nftnl_set_is_set(nls, NFTNL_SET_NAME)) { 
++ mnl_attr_put_strz(nlh, NFTA_SET_ELEM_LIST_SET, ++ nftnl_set_get_str(nls, NFTNL_SET_NAME)); + } ++ if (nftnl_set_is_set(nls, NFTNL_SET_ID)) { ++ mnl_attr_put_u32(nlh, NFTA_SET_ELEM_LIST_SET_ID, ++ htonl(nftnl_set_get_u32(nls, NFTNL_SET_ID))); ++ } ++ ++ if (!set || list_empty(&set->expressions)) ++ return 0; + +- nftnl_set_elems_iter_destroy(iter); ++ assert(expr); ++ nest1 = mnl_attr_nest_start(nlh, NFTA_SET_ELEM_LIST_ELEMENTS); ++ list_for_each_entry_from(expr, &set->expressions, list) { ++ nlse = alloc_nftnl_setelem(set, expr); ++ nest2 = nftnl_set_elem_nlmsg_build(nlh, nlse, ++i); ++ netlink_dump_setelem(nlse, ctx); ++ nftnl_set_elem_free(nlse); ++ if (mnl_nft_attr_nest_overflow(nlh, nest1, nest2)) { ++ mnl_attr_nest_end(nlh, nest1); ++ mnl_nft_batch_continue(batch); ++ goto next; ++ } ++ } ++ mnl_attr_nest_end(nlh, nest1); ++ mnl_nft_batch_continue(batch); ++ netlink_dump_setelem_done(ctx); + + return 0; + } +@@ -1249,11 +1318,10 @@ int mnl_nft_setelem_add(struct netlink_ctx *ctx, const struct set *set, + if (h->set_id) + nftnl_set_set_u32(nls, NFTNL_SET_ID, h->set_id); + +- alloc_setelem_cache(expr, nls); + netlink_dump_set(nls, ctx); + +- err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_NEWSETELEM, flags, +- ctx->seqnum); ++ err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_NEWSETELEM, ++ flags, ctx->seqnum, expr, ctx); + nftnl_set_free(nls); + + return err; +@@ -1306,12 +1374,10 @@ int mnl_nft_setelem_del(struct netlink_ctx *ctx, const struct cmd *cmd) + else if (h->handle.id) + nftnl_set_set_u64(nls, NFTNL_SET_HANDLE, h->handle.id); + +- if (cmd->expr) +- alloc_setelem_cache(cmd->expr, nls); + netlink_dump_set(nls, ctx); + + err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_DELSETELEM, 0, +- ctx->seqnum); ++ ctx->seqnum, cmd->expr, ctx); + nftnl_set_free(nls); + + return err; +diff --git a/src/netlink.c b/src/netlink.c +index 825c2cc..f8c97d0 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -95,8 +95,8 @@ struct nftnl_expr 
*alloc_nft_expr(const char *name) + return nle; + } + +-static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, +- const struct expr *expr) ++struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set, ++ const struct expr *expr) + { + const struct expr *elem, *data; + struct nftnl_set_elem *nlse; +-- +2.31.1 + diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 8a4bcdf..1462bc8 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,5 +1,6 @@ %define rpmversion 0.9.3 -%define specrelease 21 +%define specrelease 25 +%define libnftnl_ver 1.1.5-5 Name: nftables Version: %{rpmversion} @@ -79,6 +80,20 @@ Patch59: 0059-exthdr-Implement-SCTP-Chunk-matching.patch Patch60: 0060-include-missing-sctp_chunk.h-in-Makefile.am.patch Patch61: 0061-doc-nft.8-Extend-monitor-description-by-trace.patch Patch62: 0062-tests-shell-Fix-bogus-testsuite-failure-with-100Hz.patch +Patch63: 0063-parser_json-Fix-error-reporting-for-invalid-syntax.patch +Patch64: 0064-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch +Patch65: 0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch +Patch66: 0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch +Patch67: 0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch +Patch68: 0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch +Patch69: 0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch +Patch70: 0070-tests-shell-better-parameters-for-the-interval-stack.patch +Patch71: 0071-netlink-remove-unused-parameter-from-netlink_gen_stm.patch +Patch72: 0072-src-support-for-restoring-element-counters.patch +Patch73: 0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.patch +Patch74: 0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch +Patch75: 0075-tests-py-add-dnat-to-port-without-defining-destinati.patch +Patch76: 0076-mnl-do-not-build-nftnl_set-element-list.patch BuildRequires: autogen BuildRequires: autoconf 
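Review bot: In mnl_nft_setelem_batch the debug dump runs before the overflow check, so an element that does not fit the current nest is printed once for the discarded attempt and again when it is re-encoded after `goto next`; moving `netlink_dump_setelem(nlse, ctx);` below the `mnl_nft_attr_nest_overflow()` call, with `nftnl_set_elem_free(nlse);` after both, prints each element once. The retry path has no progress guarantee either: if a single element's encoding alone exceeded UINT16_MAX, the same element would be rebuilt and discarded on every pass, which is likely unreachable with the current key and userdata size limits, but a per-message element counter that aborts with an error when it is still zero at overflow would make the invariant explicit rather than implicit. `netlink_dump_setelem` formats into a fixed `char buf[4096]`, so a long element representation is silently truncated in the debug trace; harmless for correctness, but a one-line comment saying the dump is best-effort would help. The hunks in include/netlink.h and src/netlink.c only export alloc_nftnl_setelem and raise nothing on their own.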
@@ -90,14 +105,14 @@ BuildRequires: bison BuildRequires: libmnl-devel BuildRequires: gmp-devel BuildRequires: readline-devel -BuildRequires: pkgconfig(libnftnl) >= 1.1.5-3 +BuildRequires: pkgconfig(libnftnl) >= %{libnftnl_ver} BuildRequires: systemd BuildRequires: asciidoc BuildRequires: iptables-devel BuildRequires: jansson-devel BuildRequires: python3-devel -Requires: libnftnl >= 1.1.5-3 +Requires: libnftnl >= %{libnftnl_ver} %description Netfilter Tables userspace utilities. 
@@ -195,6 +210,28 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py %{python3_sitelib}/nftables/ %changelog +* Fri Feb 04 2022 Phil Sutter [0.9.3-25.el8] +- mnl: do not build nftnl_set element list (Phil Sutter) [2047821] +- tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773] +- evaluate: fix inet nat with no layer 3 info (Phil Sutter) [2030773] +- evaluate: attempt to set_eval flag if dynamic updates requested (Phil Sutter) [2039594] +- src: support for restoring element counters (Phil Sutter) [2039594] +- netlink: remove unused parameter from netlink_gen_stmt_stateful() (Phil Sutter) [2039594] + +* Wed Dec 08 2021 Phil Sutter [0.9.3-24.el8] +- tests: shell: better parameters for the interval stack overflow test (Phil Sutter) [1908127] +- tests: shell: $NFT needs to be invoked unquoted (Phil Sutter) [1908127] + +* Fri Nov 05 2021 Phil Sutter [0.9.3-23.el8] +- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") (Phil Sutter) [1908127] +- segtree: Fix segfault when restoring a huge interval set (Phil Sutter) [1908127] + +* Wed Oct 06 2021 Phil Sutter [0.9.3-22.el8] +- json: Drop pointless assignment in exthdr_expr_json() (Phil Sutter) [1999059] +- parser_json: Fix for memleak in tcp option error path (Phil Sutter) [1999059] +- parser_bison: Fix for implicit declaration of isalnum (Phil Sutter) [1999059] +- parser_json: Fix error reporting for invalid syntax (Phil Sutter) [1994141] + * Mon Aug 02 2021 Phil Sutter [0.9.3-21.el8] - tests: shell: Fix bogus testsuite failure with 100Hz (Phil Sutter) [1919203] - doc: nft.8: Extend monitor description by trace (Phil Sutter) [1820365]