From ac684a7d54992739d0ed5f80f859e8a662ade122 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 10 2022 04:11:05 +0000 Subject: import nftables-0.9.3-26.el8 --- diff --git a/SOURCES/0077-mnl-do-not-use-expr-identifier-to-fetch-device-name.patch b/SOURCES/0077-mnl-do-not-use-expr-identifier-to-fetch-device-name.patch new file mode 100644 index 0000000..037fbce --- /dev/null +++ b/SOURCES/0077-mnl-do-not-use-expr-identifier-to-fetch-device-name.patch @@ -0,0 +1,130 @@ +From 2747cab9c49b570347c86ff59daec93a1432b0bc Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 27 Apr 2022 14:37:00 +0200 +Subject: [PATCH] mnl: do not use expr->identifier to fetch device name + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2070924 +Upstream Status: nftables commit 78bbe7f7a55be + +commit 78bbe7f7a55be48909067e25900de27623d8fa6a +Author: Pablo Neira Ayuso +Date: Wed Feb 19 21:05:26 2020 +0100 + + mnl: do not use expr->identifier to fetch device name + + This string might not be nul-terminated, resulting in spurious errors + when adding netdev chains. + + Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") + Fixes: 92911b362e90 ("src: add support to add flowtables") + Signed-off-by: Pablo Neira Ayuso +--- + src/mnl.c | 33 +++++++++++++++++++++++++++++---- + src/parser_bison.y | 6 +++--- + 2 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/src/mnl.c b/src/mnl.c +index 44cf1a4..f881d97 100644 +--- a/src/mnl.c ++++ b/src/mnl.c +@@ -26,6 +26,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -529,7 +530,9 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd, + { + int priority, policy, i = 0; + struct nftnl_chain *nlc; ++ unsigned int ifname_len; + const char **dev_array; ++ char ifname[IFNAMSIZ]; + struct nlmsghdr *nlh; + struct expr *expr; + int dev_array_len; +@@ -562,7 +565,12 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd, + dev_array = xmalloc(sizeof(char *) * 8); + dev_array_len = 8; + list_for_each_entry(expr, &cmd->chain->dev_expr->expressions, list) { +- dev_array[i++] = expr->identifier; ++ ifname_len = div_round_up(expr->len, BITS_PER_BYTE); ++ memset(ifname, 0, sizeof(ifname)); ++ mpz_export_data(ifname, expr->value, ++ BYTEORDER_HOST_ENDIAN, ++ ifname_len); ++ dev_array[i++] = xstrdup(ifname); + if (i == dev_array_len) { + dev_array_len *= 2; + dev_array = xrealloc(dev_array, +@@ -577,6 +585,10 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd, + nftnl_chain_set_data(nlc, NFTNL_CHAIN_DEVICES, dev_array, + sizeof(char *) * dev_array_len); + ++ i = 0; ++ while (dev_array[i] != NULL) ++ xfree(dev_array[i++]); ++ + xfree(dev_array); + } + } +@@ -1488,7 +1500,9 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd, + unsigned int flags) + { + struct nftnl_flowtable *flo; ++ unsigned int ifname_len; + const char **dev_array; ++ char ifname[IFNAMSIZ]; + struct nlmsghdr *nlh; + int i = 0, len = 1; + struct expr *expr; +@@ -1513,13 +1527,24 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd, + list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) + len++; + +- dev_array = calloc(len, sizeof(char *)); +- list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) +- dev_array[i++] = expr->identifier; ++ dev_array = xmalloc(sizeof(char *) * len); ++ ++ list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) { ++ ifname_len = div_round_up(expr->len, BITS_PER_BYTE); ++ memset(ifname, 0, sizeof(ifname)); ++ mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN, ++ ifname_len); ++ dev_array[i++] = xstrdup(ifname); ++ } + + dev_array[i] = NULL; + nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES, + dev_array, sizeof(char *) * len); ++ ++ i = 0; ++ while (dev_array[i] != NULL) ++ xfree(dev_array[i++]); ++ + free(dev_array); + + netlink_dump_flowtable(flo, ctx); +diff --git a/src/parser_bison.y b/src/parser_bison.y +index 2cdf8ec..dc87571 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -1909,9 +1909,9 @@ flowtable_list_expr : flowtable_expr_member + + flowtable_expr_member : STRING + { +- $$ = symbol_expr_alloc(&@$, SYMBOL_VALUE, +- current_scope(state), +- $1); ++ $$ = constant_expr_alloc(&@$, &string_type, ++ BYTEORDER_HOST_ENDIAN, ++ strlen($1) * BITS_PER_BYTE, $1); + xfree($1); + } + ; +-- +2.34.1 + diff --git a/SOURCES/0078-tests-shell-auto-removal-of-chain-hook-on-netns-remo.patch b/SOURCES/0078-tests-shell-auto-removal-of-chain-hook-on-netns-remo.patch new file mode 100644 index 0000000..acbe3c2 --- /dev/null +++ b/SOURCES/0078-tests-shell-auto-removal-of-chain-hook-on-netns-remo.patch @@ -0,0 +1,47 @@ +From 66369d42095a214672c1f935eed91902d4cca8d5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 27 Apr 2022 14:37:00 +0200 +Subject: [PATCH] tests: shell: auto-removal of chain hook on netns removal + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2070924 +Upstream Status: nftables commit e632eea21f4b3 +Conflicts: Commit b4775dec9f80b ("src: ingress inet support") creating + the test not backported, RHEL8 does not support inet ingress. + Script adjusted accordingly. + +commit e632eea21f4b3d03b629a5c1ac7e776d65785873 +Author: Florian Westphal +Date: Tue Oct 19 14:07:25 2021 +0200 + + tests: shell: auto-removal of chain hook on netns removal + + This is the nft equivalent of the syzbot report that lead to + kernel commit 68a3765c659f8 + ("netfilter: nf_tables: skip netdev events generated on netns removal"). + + Signed-off-by: Florian Westphal +--- + tests/shell/testcases/chains/0043chain_ingress_0 | 11 +++++++++++ + 1 file changed, 11 insertions(+) + create mode 100755 tests/shell/testcases/chains/0043chain_ingress_0 + +diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0 +new file mode 100755 +index 0000000..09d6907 +--- /dev/null ++++ b/tests/shell/testcases/chains/0043chain_ingress_0 +@@ -0,0 +1,11 @@ ++#!/bin/bash ++ ++set -e ++ ++# Test auto-removal of chain hook on netns removal ++unshare -n bash -c "ip link add br0 type bridge; \ ++ $NFT add table netdev test; \ ++ $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \ ++" || exit 1 ++ ++exit 0 +-- +2.34.1 + diff --git a/SOURCES/0079-rule-memleak-in-__do_add_setelems.patch b/SOURCES/0079-rule-memleak-in-__do_add_setelems.patch new file mode 100644 index 0000000..df12438 --- /dev/null +++ b/SOURCES/0079-rule-memleak-in-__do_add_setelems.patch @@ -0,0 +1,53 @@ +From bc2bfe4b68d213c74c634e87dee0116c066209e4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 27 Apr 2022 14:46:47 +0200 +Subject: [PATCH] rule: memleak in __do_add_setelems() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 +Upstream Status: nftables commit b6d50bfde21b5 + +commit b6d50bfde21b5a24a606cbf22137e04e8e0f195d +Author: Pablo Neira Ayuso +Date: Thu Apr 30 14:18:45 2020 +0200 + + rule: memleak in __do_add_setelems() + + This patch invokes interval_map_decompose() with named sets: + + ==3402== 2,352 (128 direct, 2,224 indirect) bytes in 1 blocks are definitely lost in loss record 9 of 9 + ==3402== at 0x483577F: malloc (vg_replace_malloc.c:299) + ==3402== by 0x48996A8: xmalloc (utils.c:36) + ==3402== by 0x4899778: xzalloc (utils.c:65) + ==3402== by 0x487CB46: expr_alloc (expression.c:45) + ==3402== by 0x487E2A0: mapping_expr_alloc (expression.c:1140) + ==3402== by 0x4898AA8: interval_map_decompose (segtree.c:1095) + ==3402== by 0x4872BDF: __do_add_setelems (rule.c:1569) + ==3402== by 0x4872BDF: __do_add_setelems (rule.c:1559) + ==3402== by 0x4877936: do_command (rule.c:2710) + ==3402== by 0x489F1CB: nft_netlink.isra.5 (libnftables.c:42) + ==3402== by 0x489FB07: nft_run_cmd_from_filename (libnftables.c:508) + ==3402== by 0x10A9AA: main (main.c:455) + + Fixes: dd44081d91ce ("segtree: Fix add and delete of element in same batch") + Signed-off-by: Pablo Neira Ayuso +--- + src/rule.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/rule.c b/src/rule.c +index f7d888b..b2aa1d7 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -1511,7 +1511,8 @@ static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set, + if (mnl_nft_setelem_add(ctx, set, expr, flags) < 0) + return -1; + +- if (set->init != NULL && ++ if (!set_is_anonymous(set->flags) && ++ set->init != NULL && + set->flags & NFT_SET_INTERVAL && + set->desc.field_count <= 1) { + interval_map_decompose(expr); +-- +2.34.1 + diff --git a/SOURCES/0080-rule-fix-element-cache-update-in-__do_add_setelems.patch b/SOURCES/0080-rule-fix-element-cache-update-in-__do_add_setelems.patch new file mode 100644 index 0000000..37d8031 --- /dev/null +++ b/SOURCES/0080-rule-fix-element-cache-update-in-__do_add_setelems.patch @@ -0,0 +1,43 @@ +From 0e284af80adefc8d8738c7191eff0ca7c6ad64a6 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 27 Apr 2022 14:46:47 +0200 +Subject: [PATCH] rule: fix element cache update in __do_add_setelems() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 +Upstream Status: nftables commit e68938f2bf89f + +commit e68938f2bf89fcc9a99e12c9b7a10c1838f2a133 +Author: Pablo Neira Ayuso +Date: Thu Apr 30 16:30:15 2020 +0200 + + rule: fix element cache update in __do_add_setelems() + + The set->init and expr arguments might actually refer to the same list + of elements. Skip set element cache update introduced by dd44081d91ce + ("segtree: Fix add and delete of element in same batch") otherwise + list_splice_tail_init() actually operates with the same list as + arguments. Valgrind reports this problem as a memleak since the result + of this operation was an empty set element list. + + Fixes: dd44081d91ce ("segtree: Fix add and delete of element in same batch") + Signed-off-by: Pablo Neira Ayuso +--- + src/rule.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rule.c b/src/rule.c +index b2aa1d7..9ae6d19 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -1512,7 +1512,7 @@ static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set, + return -1; + + if (!set_is_anonymous(set->flags) && +- set->init != NULL && ++ set->init != NULL && set->init != expr && + set->flags & NFT_SET_INTERVAL && + set->desc.field_count <= 1) { + interval_map_decompose(expr); +-- +2.34.1 + diff --git a/SOURCES/0081-src-rename-CMD_OBJ_SETELEM-to-CMD_OBJ_ELEMENTS.patch b/SOURCES/0081-src-rename-CMD_OBJ_SETELEM-to-CMD_OBJ_ELEMENTS.patch new file mode 100644 index 0000000..3c72981 --- /dev/null +++ b/SOURCES/0081-src-rename-CMD_OBJ_SETELEM-to-CMD_OBJ_ELEMENTS.patch @@ -0,0 +1,208 @@ +From 43d5837615201d68108151e70c06cc0e90622fcc Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 27 Apr 2022 14:46:47 +0200 +Subject: [PATCH] src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 +Upstream Status: nftables commit 9ed076c6f5abc + +commit 9ed076c6f5abcbbad1b6b721dca29f87963f0ecc +Author: Pablo Neira Ayuso +Date: Fri May 8 14:44:01 2020 +0200 + + src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS + + The CMD_OBJ_ELEMENTS provides an expression that contains the list of + set elements. This leaves room to introduce CMD_OBJ_SETELEMS in a follow + up patch. + + Signed-off-by: Pablo Neira Ayuso +--- + include/rule.h | 4 ++-- + src/cache.c | 6 +++--- + src/evaluate.c | 6 +++--- + src/parser_bison.y | 8 ++++---- + src/parser_json.c | 2 +- + src/rule.c | 8 ++++---- + 6 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/include/rule.h b/include/rule.h +index 3637462..7fe607f 100644 +--- a/include/rule.h ++++ b/include/rule.h +@@ -542,7 +542,7 @@ enum cmd_ops { + * enum cmd_obj - command objects + * + * @CMD_OBJ_INVALID: invalid +- * @CMD_OBJ_SETELEM: set element(s) ++ * @CMD_OBJ_ELEMENTS: set element(s) + * @CMD_OBJ_SET: set + * @CMD_OBJ_SETS: multiple sets + * @CMD_OBJ_RULE: rule +@@ -570,7 +570,7 @@ enum cmd_ops { + */ + enum cmd_obj { + CMD_OBJ_INVALID, +- CMD_OBJ_SETELEM, ++ CMD_OBJ_ELEMENTS, + CMD_OBJ_SET, + CMD_OBJ_SETS, + CMD_OBJ_RULE, +diff --git a/src/cache.c b/src/cache.c +index 05f0d68..a45111a 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -25,7 +25,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) + case CMD_OBJ_FLOWTABLE: + flags |= NFT_CACHE_TABLE; + break; +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + flags |= NFT_CACHE_TABLE | + NFT_CACHE_CHAIN | + NFT_CACHE_SET | +@@ -53,7 +53,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags) + static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags) + { + switch (cmd->obj) { +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + flags |= NFT_CACHE_SETELEM; + break; + default: +@@ -66,7 +66,7 @@ static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags) + static unsigned int evaluate_cache_get(struct cmd *cmd, unsigned int flags) + { + switch (cmd->obj) { +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + flags |= NFT_CACHE_TABLE | + NFT_CACHE_SET | + NFT_CACHE_SETELEM; +diff --git a/src/evaluate.c b/src/evaluate.c +index e495faf..fd6db8a 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -3815,7 +3815,7 @@ static int table_evaluate(struct eval_ctx *ctx, struct table *table) + static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd) + { + switch (cmd->obj) { +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + return setelem_evaluate(ctx, &cmd->expr); + case CMD_OBJ_SET: + handle_merge(&cmd->set->handle, &cmd->handle); +@@ -3847,7 +3847,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd) + static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd) + { + switch (cmd->obj) { +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + return setelem_evaluate(ctx, &cmd->expr); + case CMD_OBJ_SET: + case CMD_OBJ_RULE: +@@ -3874,7 +3874,7 @@ static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd) + struct set *set; + + switch (cmd->obj) { +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + table = table_lookup(&cmd->handle, &ctx->nft->cache); + if (table == NULL) + return table_not_found(ctx); +diff --git a/src/parser_bison.y b/src/parser_bison.y +index dc87571..96f0a4c 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -1019,7 +1019,7 @@ add_cmd : TABLE table_spec + } + | ELEMENT set_spec set_block_expr + { +- $$ = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEM, &$2, &@$, $3); ++ $$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3); + } + | FLOWTABLE flowtable_spec flowtable_block_alloc + '{' flowtable_block '}' +@@ -1116,7 +1116,7 @@ create_cmd : TABLE table_spec + } + | ELEMENT set_spec set_block_expr + { +- $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SETELEM, &$2, &@$, $3); ++ $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_ELEMENTS, &$2, &@$, $3); + } + | FLOWTABLE flowtable_spec flowtable_block_alloc + '{' flowtable_block '}' +@@ -1208,7 +1208,7 @@ delete_cmd : TABLE table_spec + } + | ELEMENT set_spec set_block_expr + { +- $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SETELEM, &$2, &@$, $3); ++ $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_ELEMENTS, &$2, &@$, $3); + } + | FLOWTABLE flowtable_spec + { +@@ -1266,7 +1266,7 @@ delete_cmd : TABLE table_spec + + get_cmd : ELEMENT set_spec set_block_expr + { +- $$ = cmd_alloc(CMD_GET, CMD_OBJ_SETELEM, &$2, &@$, $3); ++ $$ = cmd_alloc(CMD_GET, CMD_OBJ_ELEMENTS, &$2, &@$, $3); + } + ; + +diff --git a/src/parser_json.c b/src/parser_json.c +index 2250be9..15902a8 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -3391,7 +3391,7 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx, + { "rule", CMD_OBJ_RULE, json_parse_cmd_add_rule }, + { "set", CMD_OBJ_SET, json_parse_cmd_add_set }, + { "map", CMD_OBJ_SET, json_parse_cmd_add_set }, +- { "element", CMD_OBJ_SETELEM, json_parse_cmd_add_element }, ++ { "element", CMD_OBJ_ELEMENTS, json_parse_cmd_add_element }, + { "flowtable", CMD_OBJ_FLOWTABLE, json_parse_cmd_add_flowtable }, + { "counter", CMD_OBJ_COUNTER, json_parse_cmd_add_object }, + { "quota", CMD_OBJ_QUOTA, json_parse_cmd_add_object }, +diff --git a/src/rule.c b/src/rule.c +index 9ae6d19..afb6dc9 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -1456,7 +1456,7 @@ void cmd_free(struct cmd *cmd) + handle_free(&cmd->handle); + if (cmd->data != NULL) { + switch (cmd->obj) { +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + expr_free(cmd->expr); + break; + case CMD_OBJ_SET: +@@ -1580,7 +1580,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl) + return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND); + case CMD_OBJ_SET: + return do_add_set(ctx, cmd, flags); +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + return do_add_setelems(ctx, cmd, flags); + case CMD_OBJ_COUNTER: + case CMD_OBJ_QUOTA: +@@ -1659,7 +1659,7 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd) + return mnl_nft_rule_del(ctx, cmd); + case CMD_OBJ_SET: + return mnl_nft_set_del(ctx, cmd); +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + return do_delete_setelems(ctx, cmd); + case CMD_OBJ_COUNTER: + return mnl_nft_obj_del(ctx, cmd, NFT_OBJECT_COUNTER); +@@ -2519,7 +2519,7 @@ static int do_command_get(struct netlink_ctx *ctx, struct cmd *cmd) + table = table_lookup(&cmd->handle, &ctx->nft->cache); + + switch (cmd->obj) { +- case CMD_OBJ_SETELEM: ++ case CMD_OBJ_ELEMENTS: + return do_get_setelems(ctx, cmd, table); + default: + BUG("invalid command object type %u\n", cmd->obj); +-- +2.34.1 + diff --git a/SOURCES/0082-src-add-CMD_OBJ_SETELEMS.patch b/SOURCES/0082-src-add-CMD_OBJ_SETELEMS.patch new file mode 100644 index 0000000..ca0dd91 --- /dev/null +++ b/SOURCES/0082-src-add-CMD_OBJ_SETELEMS.patch @@ -0,0 +1,125 @@ +From 61c295c9dec447239ed2c84b0073594ffecf7554 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 27 Apr 2022 14:46:47 +0200 +Subject: [PATCH] src: add CMD_OBJ_SETELEMS + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 +Upstream Status: nftables commit c9eae091983ae +Conflicts: Context change due to missing commit 086ec6f30c96e + ("mnl: extended error support for create command"). + +commit c9eae091983ae9ffcf2ca5b666bc03d5a1916c2f +Author: Pablo Neira Ayuso +Date: Fri May 8 14:44:03 2020 +0200 + + src: add CMD_OBJ_SETELEMS + + This new command type results from expanding the set definition in two + commands: One to add the set and another to add the elements. This + results in 1:1 mapping between the command object to the netlink API. + The command is then translated into a netlink message which gets a + unique sequence number. This sequence number allows to correlate the + netlink extended error reporting with the corresponding command. + + Signed-off-by: Pablo Neira Ayuso +--- + include/rule.h | 2 ++ + src/rule.c | 23 +++++++++++++++++++---- + 2 files changed, 21 insertions(+), 4 deletions(-) + +diff --git a/include/rule.h b/include/rule.h +index 7fe607f..1efd4fb 100644 +--- a/include/rule.h ++++ b/include/rule.h +@@ -545,6 +545,7 @@ enum cmd_ops { + * @CMD_OBJ_ELEMENTS: set element(s) + * @CMD_OBJ_SET: set + * @CMD_OBJ_SETS: multiple sets ++ * @CMD_OBJ_SETELEMS: set elements + * @CMD_OBJ_RULE: rule + * @CMD_OBJ_CHAIN: chain + * @CMD_OBJ_CHAINS: multiple chains +@@ -572,6 +573,7 @@ enum cmd_obj { + CMD_OBJ_INVALID, + CMD_OBJ_ELEMENTS, + CMD_OBJ_SET, ++ CMD_OBJ_SETELEMS, + CMD_OBJ_SETS, + CMD_OBJ_RULE, + CMD_OBJ_CHAIN, +diff --git a/src/rule.c b/src/rule.c +index afb6dc9..c43e0cd 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -1352,11 +1352,11 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj, + void nft_cmd_expand(struct cmd *cmd) + { + struct list_head new_cmds; ++ struct set *set, *newset; + struct flowtable *ft; + struct table *table; + struct chain *chain; + struct rule *rule; +- struct set *set; + struct obj *obj; + struct cmd *new; + struct handle h; +@@ -1412,6 +1412,18 @@ void nft_cmd_expand(struct cmd *cmd) + } + list_splice(&new_cmds, &cmd->list); + break; ++ case CMD_OBJ_SET: ++ set = cmd->set; ++ memset(&h, 0, sizeof(h)); ++ handle_merge(&h, &set->handle); ++ newset = set_clone(set); ++ newset->handle.set_id = set->handle.set_id; ++ newset->init = set->init; ++ set->init = NULL; ++ new = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEMS, &h, ++ &set->location, newset); ++ list_add(&new->list, &cmd->list); ++ break; + default: + break; + } +@@ -1460,6 +1472,7 @@ void cmd_free(struct cmd *cmd) + expr_free(cmd->expr); + break; + case CMD_OBJ_SET: ++ case CMD_OBJ_SETELEMS: + set_free(cmd->set); + break; + case CMD_OBJ_RULE: +@@ -1545,7 +1558,7 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd, + } + + static int do_add_set(struct netlink_ctx *ctx, const struct cmd *cmd, +- uint32_t flags) ++ uint32_t flags, bool add) + { + struct set *set = cmd->set; + +@@ -1556,7 +1569,7 @@ static int do_add_set(struct netlink_ctx *ctx, const struct cmd *cmd, + &ctx->nft->output) < 0) + return -1; + } +- if (mnl_nft_set_add(ctx, cmd, flags) < 0) ++ if (add && mnl_nft_set_add(ctx, cmd, flags) < 0) + return -1; + if (set->init != NULL) { + return __do_add_setelems(ctx, set, set->init, flags); +@@ -1579,7 +1592,9 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl) + case CMD_OBJ_RULE: + return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND); + case CMD_OBJ_SET: +- return do_add_set(ctx, cmd, flags); ++ return do_add_set(ctx, cmd, flags, true); ++ case CMD_OBJ_SETELEMS: ++ return do_add_set(ctx, cmd, flags, false); + case CMD_OBJ_ELEMENTS: + return do_add_setelems(ctx, cmd, flags); + case CMD_OBJ_COUNTER: +-- +2.34.1 + diff --git a/SOURCES/0083-libnftables-call-nft_cmd_expand-only-with-CMD_ADD.patch b/SOURCES/0083-libnftables-call-nft_cmd_expand-only-with-CMD_ADD.patch new file mode 100644 index 0000000..1a95385 --- /dev/null +++ b/SOURCES/0083-libnftables-call-nft_cmd_expand-only-with-CMD_ADD.patch @@ -0,0 +1,43 @@ +From 34a7632a4d72c16d2a087fcc6450d1a783858124 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 28 Apr 2022 14:14:39 +0200 +Subject: [PATCH] libnftables: call nft_cmd_expand() only with CMD_ADD + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 +Upstream Status: nftables commit b81519f1641b5 + +commit b81519f1641b508c289ddfefc800b2c20ab243e6 +Author: Pablo Neira Ayuso +Date: Fri May 8 14:44:02 2020 +0200 + + libnftables: call nft_cmd_expand() only with CMD_ADD + + Restrict the expansion logic to the CMD_ADD command which is where this + is only required. + + Signed-off-by: Pablo Neira Ayuso +--- + src/libnftables.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libnftables.c b/src/libnftables.c +index cd2fcf2..ab01909 100644 +--- a/src/libnftables.c ++++ b/src/libnftables.c +@@ -421,8 +421,12 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs, + if (nft->state->nerrs) + return -1; + +- list_for_each_entry(cmd, cmds, list) ++ list_for_each_entry(cmd, cmds, list) { ++ if (cmd->op != CMD_ADD) ++ continue; ++ + nft_cmd_expand(cmd); ++ } + + return 0; + } +-- +2.34.1 + diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 1462bc8..1b83bcb 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,5 +1,5 @@ %define rpmversion 0.9.3 -%define specrelease 25 +%define specrelease 26 %define libnftnl_ver 1.1.5-5 Name: nftables @@ -94,6 +94,13 @@ Patch73: 0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.pa Patch74: 0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch Patch75: 0075-tests-py-add-dnat-to-port-without-defining-destinati.patch Patch76: 0076-mnl-do-not-build-nftnl_set-element-list.patch +Patch77: 0077-mnl-do-not-use-expr-identifier-to-fetch-device-name.patch +Patch78: 0078-tests-shell-auto-removal-of-chain-hook-on-netns-remo.patch +Patch79: 0079-rule-memleak-in-__do_add_setelems.patch +Patch80: 0080-rule-fix-element-cache-update-in-__do_add_setelems.patch +Patch81: 0081-src-rename-CMD_OBJ_SETELEM-to-CMD_OBJ_ELEMENTS.patch +Patch82: 0082-src-add-CMD_OBJ_SETELEMS.patch +Patch83: 0083-libnftables-call-nft_cmd_expand-only-with-CMD_ADD.patch BuildRequires: autogen BuildRequires: autoconf @@ -210,6 +217,15 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py %{python3_sitelib}/nftables/ %changelog +* Thu Apr 28 2022 Phil Sutter [0.9.3-26.el8] +- libnftables: call nft_cmd_expand() only with CMD_ADD (Phil Sutter) [2073287] +- src: add CMD_OBJ_SETELEMS (Phil Sutter) [2073287] +- src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS (Phil Sutter) [2073287] +- rule: fix element cache update in __do_add_setelems() (Phil Sutter) [2073287] +- rule: memleak in __do_add_setelems() (Phil Sutter) [2073287] +- tests: shell: auto-removal of chain hook on netns removal (Phil Sutter) [2070924] +- mnl: do not use expr->identifier to fetch device name (Phil Sutter) [2070924] + * Fri Feb 04 2022 Phil Sutter [0.9.3-25.el8] - mnl: do not build nftnl_set element list (Phil Sutter) [2047821] - tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773]