From 4b9c63198c7f9eb60eb0aec0e4ba945e709f1fcd Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 10 2021 04:20:21 +0000
Subject: import nftables-0.9.3-24.el8
---
diff --git a/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch b/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
new file mode 100644
index 0000000..8207b8f
--- /dev/null
+++ b/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
@@ -0,0 +1,58 @@
+From ea4457d5c329c8930c610ef3002cfe42bf8a263f Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 8 Dec 2021 14:10:31 +0100
+Subject: [PATCH] tests: shell: $NFT needs to be invoked unquoted
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
+Upstream Status: nftables commit dad3338f1f76a
+Conflicts: Context change in README due to missing other commits.
+
+commit dad3338f1f76a4a5bd782bae9c6b48941dfb1e31
+Author: Štěpán Němec
+Date: Fri Nov 5 12:39:11 2021 +0100
+
+ tests: shell: $NFT needs to be invoked unquoted
+
+ The variable has to undergo word splitting, otherwise the shell tries
+ to find the variable value as an executable, which breaks in cases that
+ 7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
+ intends to support.
+
+ Mention this in the shell tests README.
+
+ Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
+ Signed-off-by: Štěpán Němec
+
Signed-off-by: Phil Sutter
+---
+ tests/shell/README | 3 +++
+ tests/shell/testcases/sets/0068interval_stack_overflow_0 | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/shell/README b/tests/shell/README
+index e0279bb..aee50e3 100644
+--- a/tests/shell/README
++++ b/tests/shell/README
+@@ -25,4 +25,7 @@ path to the nftables binary being tested.
+ You can pass an arbitrary $NFT value as well:
+ # NFT=/usr/local/sbin/nft ./run-tests.sh
+
++Note that, to support usage such as NFT='valgrind nft', tests must
++invoke $NFT unquoted.
++
+ By default the tests are run with the nft binary at '../../src/nft'
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+index 134282d..6620572 100755
+--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -26,4 +26,4 @@ table inet test68_table {
+ }
+ EOF
+
+-( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
++( ulimit -s 128 && $NFT -f "$ruleset_file" )
+--
+2.31.1
+
diff --git a/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch b/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch
new file mode 100644
index 0000000..dd6cd97
--- /dev/null
+++ b/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch
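Review bot: The `$NFT -f "$ruleset_file"` line in tests/shell/testcases/sets/0068interval_stack_overflow_0 carries no hint at the call site that the missing quotes are deliberate, so a later lint-driven cleanup could re-quote it and break wrapper invocations again; the README sentence alone is easy to miss. I would put `# $NFT is intentionally unquoted: it may hold a wrapper such as 'valgrind nft' and must word-split` directly above it, followed by `# shellcheck disable=SC2086` if the suite is ever linted. Unquoted expansion also performs pathname expansion, so a $NFT value containing `*` or `?` would be globbed; that is probably acceptable for a test harness, but the README note could say so. Only the tail of the script is visible in this hunk.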
@@ -0,0 +1,59 @@
+From b297f75275737de3e16b5d14916efe35535b6279 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 8 Dec 2021 14:10:54 +0100
+Subject: [PATCH] tests: shell: better parameters for the interval stack
+ overflow test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
+Upstream Status: nftables commit 7b81d9cb094ff
+
+commit 7b81d9cb094ffa96ad821528cf19269dc348f617
+Author: Štěpán Němec
+Date: Wed Dec 1 12:12:00 2021 +0100
+
+ tests: shell: better parameters for the interval stack overflow test
+
+ Wider testing has shown that 128 kB stack is too low (e.g. for systems
+ with 64 kB page size), leading to false failures in some environments.
+
+ Based on results from a matrix of RHEL 8 and RHEL 9 systems across
+ x86_64, aarch64, ppc64le and s390x architectures as well as some
+ anecdotal testing of other Linux distros on x86_64 machines, 400 kB
+ seems safe: the normal nft stack (which should stay constant during
+ this test) on all tested systems doesn't exceed 200 kB (stays around
+ 100 kB on typical systems with 4 kB page size), while always growing
+ beyond 500 kB in the failing case (nftables before baecd1cf2685) with
+ the increased set size.
+
+ Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
+ Signed-off-by: Štěpán Němec
+
Signed-off-by: Phil Sutter
+---
+ tests/shell/testcases/sets/0068interval_stack_overflow_0 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+index 6620572..2cbc986 100755
+--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -9,7 +9,7 @@ trap 'rm -f "$ruleset_file"' EXIT
+ {
+ echo 'define big_set = {'
+ for ((i = 1; i < 255; i++)); do
+- for ((j = 1; j < 80; j++)); do
++ for ((j = 1; j < 255; j++)); do
+ echo "10.0.$i.$j,"
+ done
+ done
+@@ -26,4 +26,4 @@ table inet test68_table {
+ }
+ EOF
+
+-( ulimit -s 128 && $NFT -f "$ruleset_file" )
++( ulimit -s 400 && $NFT -f "$ruleset_file" )
+--
+2.31.1
+
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
index 1f66bd6..c449e23 100644
--- a/SPECS/nftables.spec
+++ b/SPECS/nftables.spec
@@ -1,5 +1,5 @@
 %define rpmversion 0.9.3
-%define specrelease 23
+%define specrelease 24
 Name: nftables
 Version: %{rpmversion}
@@ -85,6 +85,8 @@ Patch65: 0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.pa
 Patch66: 0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch
 Patch67: 0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
 Patch68: 0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
+Patch69: 0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
+Patch70: 0070-tests-shell-better-parameters-for-the-interval-stack.patch
 BuildRequires: autogen
 BuildRequires: autoconf
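Review bot: In tests/shell/testcases/sets/0068interval_stack_overflow_0 the inner loop bound `255` and the `ulimit -s 400` limit are tuned against each other, but that reasoning lives only in the commit message, not in the script. If someone later shrinks the set to speed the test up, or raises the limit to quiet a flaky host, the test may keep passing against an nft build that still overflows the stack on large interval sets, and the regression guard for baecd1cf2685 would quietly stop guarding. I would add above the last line `# 400 kB: above normal nft stack use (<200 kB), below the >500 kB growth seen before baecd1cf2685 with this set size`, and next to the inner loop `# set size and stack limit are coupled, change them together`. Both hunks show only part of the script, so an existing header comment may already cover this.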
@@ -201,6 +203,10 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 %changelog
+* Wed Dec 08 2021 Phil Sutter [0.9.3-24.el8]
+- tests: shell: better parameters for the interval stack overflow test (Phil Sutter) [1908127]
+- tests: shell: $NFT needs to be invoked unquoted (Phil Sutter) [1908127]
+
 * Fri Nov 05 2021 Phil Sutter [0.9.3-23.el8]
 - tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") (Phil Sutter) [1908127]
 - segtree: Fix segfault when restoring a huge interval set (Phil Sutter) [1908127]