From 4b9c63198c7f9eb60eb0aec0e4ba945e709f1fcd Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Dec 10 2021 04:20:21 +0000
Subject: import nftables-0.9.3-24.el8


---

diff --git a/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch b/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
new file mode 100644
index 0000000..8207b8f
--- /dev/null
+++ b/SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
@@ -0,0 +1,58 @@
+From ea4457d5c329c8930c610ef3002cfe42bf8a263f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 8 Dec 2021 14:10:31 +0100
+Subject: [PATCH] tests: shell: $NFT needs to be invoked unquoted
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
+Upstream Status: nftables commit dad3338f1f76a
+Conflicts: Context change in README due to missing other commits.
+
+commit dad3338f1f76a4a5bd782bae9c6b48941dfb1e31
+Author: Štěpán Němec <snemec@redhat.com>
+Date:   Fri Nov 5 12:39:11 2021 +0100
+
+    tests: shell: $NFT needs to be invoked unquoted
+
+    The variable has to undergo word splitting, otherwise the shell tries
+    to find the variable value as an executable, which breaks in cases that
+    7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
+    intends to support.
+
+    Mention this in the shell tests README.
+
+    Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
+    Signed-off-by: Štěpán Němec <snemec@redhat.com>
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ tests/shell/README                                       | 3 +++
+ tests/shell/testcases/sets/0068interval_stack_overflow_0 | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/shell/README b/tests/shell/README
+index e0279bb..aee50e3 100644
+--- a/tests/shell/README
++++ b/tests/shell/README
+@@ -25,4 +25,7 @@ path to the nftables binary being tested.
+ You can pass an arbitrary $NFT value as well:
+  # NFT=/usr/local/sbin/nft ./run-tests.sh
+ 
++Note that, to support usage such as NFT='valgrind nft', tests must
++invoke $NFT unquoted.
++
+ By default the tests are run with the nft binary at '../../src/nft'
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+index 134282d..6620572 100755
+--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -26,4 +26,4 @@ table inet test68_table {
+ }
+ EOF
+ 
+-( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
++( ulimit -s 128 && $NFT -f "$ruleset_file" )
+-- 
+2.31.1
+
diff --git a/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch b/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch
new file mode 100644
index 0000000..dd6cd97
--- /dev/null
+++ b/SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch
@@ -0,0 +1,59 @@
+From b297f75275737de3e16b5d14916efe35535b6279 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 8 Dec 2021 14:10:54 +0100
+Subject: [PATCH] tests: shell: better parameters for the interval stack
+ overflow test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
+Upstream Status: nftables commit 7b81d9cb094ff
+
+commit 7b81d9cb094ffa96ad821528cf19269dc348f617
+Author: Štěpán Němec <snemec@redhat.com>
+Date:   Wed Dec 1 12:12:00 2021 +0100
+
+    tests: shell: better parameters for the interval stack overflow test
+
+    Wider testing has shown that 128 kB stack is too low (e.g. for systems
+    with 64 kB page size), leading to false failures in some environments.
+
+    Based on results from a matrix of RHEL 8 and RHEL 9 systems across
+    x86_64, aarch64, ppc64le and s390x architectures as well as some
+    anecdotal testing of other Linux distros on x86_64 machines, 400 kB
+    seems safe: the normal nft stack (which should stay constant during
+    this test) on all tested systems doesn't exceed 200 kB (stays around
+    100 kB on typical systems with 4 kB page size), while always growing
+    beyond 500 kB in the failing case (nftables before baecd1cf2685) with
+    the increased set size.
+
+    Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
+    Signed-off-by: Štěpán Němec <snemec@redhat.com>
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ tests/shell/testcases/sets/0068interval_stack_overflow_0 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+index 6620572..2cbc986 100755
+--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -9,7 +9,7 @@ trap 'rm -f "$ruleset_file"' EXIT
+ {
+ 	echo 'define big_set = {'
+ 	for ((i = 1; i < 255; i++)); do
+-		for ((j = 1; j < 80; j++)); do
++		for ((j = 1; j < 255; j++)); do
+ 			echo "10.0.$i.$j,"
+ 		done
+ 	done
+@@ -26,4 +26,4 @@ table inet test68_table {
+ }
+ EOF
+ 
+-( ulimit -s 128 && $NFT -f "$ruleset_file" )
++( ulimit -s 400 && $NFT -f "$ruleset_file" )
+-- 
+2.31.1
+
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
index 1f66bd6..c449e23 100644
--- a/SPECS/nftables.spec
+++ b/SPECS/nftables.spec
@@ -1,5 +1,5 @@
 %define rpmversion 0.9.3
-%define specrelease 23
+%define specrelease 24
 
 Name:           nftables
 Version:        %{rpmversion}
@@ -85,6 +85,8 @@ Patch65:            0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.pa
 Patch66:            0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch
 Patch67:            0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
 Patch68:            0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
+Patch69:            0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
+Patch70:            0070-tests-shell-better-parameters-for-the-interval-stack.patch
 
 BuildRequires: autogen
 BuildRequires: autoconf
@@ -201,6 +203,10 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 
 %changelog
+* Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> [0.9.3-24.el8]
+- tests: shell: better parameters for the interval stack overflow test (Phil Sutter) [1908127]
+- tests: shell: $NFT needs to be invoked unquoted (Phil Sutter) [1908127]
+
 * Fri Nov 05 2021 Phil Sutter <psutter@redhat.com> [0.9.3-23.el8]
 - tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") (Phil Sutter) [1908127]
 - segtree: Fix segfault when restoring a huge interval set (Phil Sutter) [1908127]