From 5b069de1e587de9dd7f75e120d8be6b2add1e6c6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 27 2020 18:21:20 +0000
Subject: import nftables-0.9.3-12.el8_2.1
---
diff --git a/SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch b/SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch
new file mode 100644
index 0000000..b81cec4
--- /dev/null
+++ b/SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch
@@ -0,0 +1,47 @@
+From aa456490794b5498ef9429481bb0f7ae6b3650ac Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Sat, 8 Aug 2020 00:09:06 +0200
+Subject: [PATCH] include: Resync nf_tables.h cache copy
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532
+Upstream Status: nftables commit f1e5a0499c077
+
+commit f1e5a0499c0773f18bc592dd0da0340120daa482
+Author: Stefano Brivio
+Date: Mon Apr 13 21:48:02 2020 +0200
+
+ include: Resync nf_tables.h cache copy
+
+ Get this header in sync with nf.git as of commit ef516e8625dd.
+
+ Signed-off-by: Stefano Brivio
+ Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ include/linux/netfilter/nf_tables.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 1a99df3348b5c..9b54a86bc5169 100644
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -274,6 +274,7 @@ enum nft_rule_compat_attributes {
+ * @NFT_SET_TIMEOUT: set uses timeouts
+ * @NFT_SET_EVAL: set can be updated from the evaluation path
+ * @NFT_SET_OBJECT: set contains stateful objects
++ * @NFT_SET_CONCAT: set contains a concatenation
+ */
+ enum nft_set_flags {
+ NFT_SET_ANONYMOUS = 0x1,
+@@ -283,6 +284,7 @@ enum nft_set_flags {
+ NFT_SET_TIMEOUT = 0x10,
+ NFT_SET_EVAL = 0x20,
+ NFT_SET_OBJECT = 0x40,
++ NFT_SET_CONCAT = 0x80,
+ };
+
+ /**
+--
+2.27.0
+
diff --git a/SOURCES/0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch b/SOURCES/0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
new file mode 100644
index 0000000..75fff95
--- /dev/null
+++ b/SOURCES/0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
@@ -0,0 +1,74 @@
+From c69d7c3c5c1805e41f679487310044f518859214 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Sat, 8 Aug 2020 00:05:48 +0200
+Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated
+ ranges
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532
+Upstream Status: nftables commit 09441b5e92cee
+
+commit 09441b5e92ceea60198a35cd657904fa7a10ee54
+Author: Stefano Brivio
+Date: Mon Apr 13 21:48:03 2020 +0200
+
+ src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
+
+ Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support
+ for concatenated set ranges"), crashes with older kernels (< 5.6)
+ without support for concatenated set ranges: those sets will be sent
+ to the kernel, which adds them without notion of the fact that
+ different concatenated fields are actually included, and nft crashes
+ while trying to list this kind of malformed concatenation.
+
+ Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd
+ ("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when
+ sets including concatenated ranges are sent to the kernel, so that
+ older kernels (with no knowledge of this flag itself) will refuse set
+ creation.
+
+ Note that, in expr_evaluate_set(), we have to check for the presence
+ of the flag, also on empty sets that might carry it in context data,
+ and actually set it in the actual set flags.
+
+ Reported-by: Pablo Neira Ayuso
+ Signed-off-by: Stefano Brivio
+ Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ src/evaluate.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 0c848166409f4..f66251b41c058 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
+ set->size += i->size - 1;
+ set->set_flags |= i->set_flags;
+ expr_free(i);
+- } else if (!expr_is_singleton(i))
++ } else if (!expr_is_singleton(i)) {
+ set->set_flags |= NFT_SET_INTERVAL;
++ if (i->key->etype == EXPR_CONCAT)
++ set->set_flags |= NFT_SET_CONCAT;
++ }
+ }
+
++ if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT))
++ set->set_flags |= NFT_SET_CONCAT;
++
+ set->set_flags |= NFT_SET_CONSTANT;
+
+ datatype_set(set, ctx->ectx.dtype);
+@@ -3336,6 +3342,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
+ memcpy(&set->desc.field_len, &set->key->field_len,
+ sizeof(set->desc.field_len));
+ set->desc.field_count = set->key->field_count;
++ set->flags |= NFT_SET_CONCAT;
+ }
+
+ if (set_is_datamap(set->flags)) {
+--
+2.27.0
+
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
index 81d1b36..26fbd56 100644
--- a/SPECS/nftables.spec
+++ b/SPECS/nftables.spec
@@ -1,5 +1,5 @@
 %define rpmversion 0.9.3
-%define specrelease 12%{?dist}
+%define specrelease 12%{?dist}.1
 Name: nftables
 Version: %{rpmversion}
@@ -38,6 +38,8 @@ Patch18: 0018-parser-add-a-helper-for-concat-expression-handling.patc
 Patch19: 0019-include-resync-nf_tables.h-cache-copy.patch
 Patch20: 0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch
 Patch21: 0021-src-Add-support-for-concatenated-set-ranges.patch
+Patch22: 0022-include-Resync-nf_tables.h-cache-copy.patch
+Patch23: 0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
 BuildRequires: autogen
 BuildRequires: autoconf
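Review bot: The new `if (i->key->etype == EXPR_CONCAT)` in the else-if branch of expr_evaluate_set() dereferences `i->key` with no check visible in the hunk that `i` is an EXPR_SET_ELEM wrapper carrying a key; if every element reaching this branch is guaranteed to be such a wrapper, that precondition is established by the enclosing loop, which starts outside the hunk, and deserves a comment such as `/* every element is an EXPR_SET_ELEM here, so i->key is valid */`. The added `ctx->set` propagation a few lines below is only explained in the commit message; a comment like `/* an empty set carries NFT_SET_CONCAT only in its context data; mirror it so the kernel sees the flag */` would keep that rationale next to the code. The second hunk in set_evaluate() sets `set->flags |= NFT_SET_CONCAT` inside a block whose condition lies outside the hunk, so whether it is confined to concatenated interval keys cannot be confirmed from here. The whole fix relies on older kernels refusing a set whose flags include a bit they do not know, which this patch cannot verify on its own.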
@@ -154,6 +156,10 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 %changelog
+* Thu Aug 20 2020 Phil Sutter [0.9.3-12.el8.1]
+- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1854532]
+- include: Resync nf_tables.h cache copy (Phil Sutter) [1854532]
+
 * Thu Mar 26 2020 Phil Sutter [0.9.3-12.el8]
 - Restore default config to be empty (Phil Sutter) [1694723]