diff --git a/SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch b/SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch
new file mode 100644
index 0000000..9b3f64f
--- /dev/null
+++ b/SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch
@@ -0,0 +1,497 @@
+From f9dca1704ce66be31eceac4d7317b825269b3d07 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 2 Mar 2021 17:06:06 +0100
+Subject: [PATCH] tests: Disable tests known to fail on RHEL8
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
+Upstream Status: RHEL-only
+
+RHEL8 kernel does not support:
+
+- ct timeout or expectation objects
+- synproxy
+- flowtables in families other than inet
+- meta time
+- bridge family-specific meta expressions (e.g. ibrvproto, ibrpvid)
+- socket mark
+- osf
+- delete set elements from packet path
+- update stateful objects
+- explicitly setting set element expiration (commit 79ebb5bb4e3)
+- flushing chains and deleting referenced objects in the same
+ transaction (upstream commits with 'bogus EBUSY' in subject)
+
+Disable all related tests to make the testsuites pass.
+---
+ tests/monitor/testcases/object.t | 14 +++----
+ tests/py/any/meta.t | 36 ++++++++---------
+ tests/py/bridge/meta.t | 8 ++--
+ tests/py/inet/osf.t | 24 +++++------
+ tests/py/inet/socket.t | 2 +-
+ tests/py/inet/synproxy.t | 12 +++---
+ tests/py/ip/objects.t | 46 +++++++++++-----------
+ tests/py/ip6/sets.t | 2 +-
+ .../testcases/flowtable/0002create_flowtable_0 | 8 ++--
+ .../testcases/flowtable/0003add_after_flush_0 | 8 ++--
+ .../testcases/flowtable/0004delete_after_add_0 | 6 +--
+ .../shell/testcases/flowtable/0005delete_in_use_1 | 10 ++---
+ tests/shell/testcases/flowtable/0007prio_0 | 6 +--
+ tests/shell/testcases/flowtable/0008prio_1 | 4 +-
+ .../testcases/flowtable/0009deleteafterflush_0 | 12 +++---
+ tests/shell/testcases/listing/0013objects_0 | 2 +
+ tests/shell/testcases/nft-f/0017ct_timeout_obj_0 | 2 +
+ .../shell/testcases/nft-f/0018ct_expectation_obj_0 | 2 +
+ .../testcases/nft-f/dumps/0017ct_timeout_obj_0.nft | 11 ------
+ .../nft-f/dumps/0017ct_timeout_obj_0.nft.disabled | 11 ++++++
+ .../testcases/optionals/update_object_handles_0 | 2 +
+ .../sets/0036add_set_element_expiration_0 | 2 +
+ tests/shell/testcases/transactions/0046set_0 | 2 +
+ 23 files changed, 122 insertions(+), 110 deletions(-)
+ delete mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
+ create mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
+
+diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t
+index 2afe33c..1b30384 100644
+--- a/tests/monitor/testcases/object.t
++++ b/tests/monitor/testcases/object.t
+@@ -37,10 +37,10 @@ I delete ct helper ip t cth
+ O -
+ J {"delete": {"ct helper": {"family": "ip", "name": "cth", "table": "t", "handle": 0, "type": "sip", "protocol": "tcp", "l3proto": "ip"}}}
+
+-I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15, replied : 12 }; }
+-O -
+-J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
+-
+-I delete ct timeout ip t ctt
+-O -
+-J {"delete": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
++# I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15, replied : 12 }; }
++# O -
++# J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
++#
++# I delete ct timeout ip t ctt
++# O -
++# J {"delete": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
+diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
+index 327f973..241b466 100644
+--- a/tests/py/any/meta.t
++++ b/tests/py/any/meta.t
+@@ -204,21 +204,21 @@ meta iif . meta oif vmap { "lo" . "lo" : drop };ok;iif . oif vmap { "lo" . "lo"
+ meta random eq 1;ok;meta random 1
+ meta random gt 1000000;ok;meta random > 1000000
+
+-meta time "1970-05-23 21:07:14" drop;ok
+-meta time 12341234 drop;ok;meta time "1970-05-23 22:07:14" drop
+-meta time "2019-06-21 17:00:00" drop;ok
+-meta time "2019-07-01 00:00:00" drop;ok
+-meta time "2019-07-01 00:01:00" drop;ok
+-meta time "2019-07-01 00:00:01" drop;ok
+-meta day "Saturday" drop;ok
+-meta day 6 drop;ok;meta day "Saturday" drop
+-meta day "Satturday" drop;fail
+-meta hour "17:00" drop;ok
+-meta hour "17:00:00" drop;ok;meta hour "17:00" drop
+-meta hour "17:00:01" drop;ok
+-meta hour "00:00" drop;ok
+-meta hour "00:01" drop;ok
+-
+-meta time "meh";fail
+-meta hour "24:00" drop;fail
+-meta day 7 drop;fail
++- meta time "1970-05-23 21:07:14" drop;ok
++- meta time 12341234 drop;ok;meta time "1970-05-23 22:07:14" drop
++- meta time "2019-06-21 17:00:00" drop;ok
++- meta time "2019-07-01 00:00:00" drop;ok
++- meta time "2019-07-01 00:01:00" drop;ok
++- meta time "2019-07-01 00:00:01" drop;ok
++- meta day "Saturday" drop;ok
++- meta day 6 drop;ok;meta day "Saturday" drop
++- meta day "Satturday" drop;fail
++- meta hour "17:00" drop;ok
++- meta hour "17:00:00" drop;ok;meta hour "17:00" drop
++- meta hour "17:00:01" drop;ok
++- meta hour "00:00" drop;ok
++- meta hour "00:01" drop;ok
++
++- meta time "meh";fail
++- meta hour "24:00" drop;fail
++- meta day 7 drop;fail
+diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t
+index 94525f2..9f55cde 100644
+--- a/tests/py/bridge/meta.t
++++ b/tests/py/bridge/meta.t
+@@ -2,7 +2,7 @@
+
+ *bridge;test-bridge;input
+
+-meta obrname "br0";ok
+-meta ibrname "br0";ok
+-meta ibrvproto vlan;ok
+-meta ibrpvid 100;ok
++- meta obrname "br0";ok
++- meta ibrname "br0";ok
++- meta ibrvproto vlan;ok
++- meta ibrpvid 100;ok
+diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t
+index c828541..5191e72 100644
+--- a/tests/py/inet/osf.t
++++ b/tests/py/inet/osf.t
+@@ -4,15 +4,15 @@
+ *ip6;osfip6;osfchain
+ *inet;osfinet;osfchain
+
+-osf name "Linux";ok
+-osf ttl loose name "Linux";ok
+-osf ttl skip name "Linux";ok
+-osf ttl skip version "Linux:3.0";ok
+-osf ttl skip version "morethan:sixteenbytes";fail
+-osf ttl nottl name "Linux";fail
+-osf name "morethansixteenbytes";fail
+-osf name ;fail
+-osf name { "Windows", "MacOs" };ok
+-osf version { "Windows:XP", "MacOs:Sierra" };ok
+-ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
+-ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok
++- osf name "Linux";ok
++- osf ttl loose name "Linux";ok
++- osf ttl skip name "Linux";ok
++- osf ttl skip version "Linux:3.0";ok
++- osf ttl skip version "morethan:sixteenbytes";fail
++- osf ttl nottl name "Linux";fail
++- osf name "morethansixteenbytes";fail
++- osf name ;fail
++- osf name { "Windows", "MacOs" };ok
++- osf version { "Windows:XP", "MacOs:Sierra" };ok
++- ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
++- ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok
+diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
+index 91846e8..dbc0554 100644
+--- a/tests/py/inet/socket.t
++++ b/tests/py/inet/socket.t
+@@ -8,4 +8,4 @@ socket transparent 0;ok
+ socket transparent 1;ok
+ socket transparent 2;fail
+
+-socket mark 0x00000005;ok
++- socket mark 0x00000005;ok
+diff --git a/tests/py/inet/synproxy.t b/tests/py/inet/synproxy.t
+index 55a05e1..9c58239 100644
+--- a/tests/py/inet/synproxy.t
++++ b/tests/py/inet/synproxy.t
+@@ -4,10 +4,10 @@
+ *ip6;synproxyip6;synproxychain
+ *inet;synproxyinet;synproxychain
+
+-synproxy;ok
+-synproxy mss 1460 wscale 7;ok
+-synproxy mss 1460 wscale 5 timestamp sack-perm;ok
+-synproxy timestamp sack-perm;ok
+-synproxy timestamp;ok
+-synproxy sack-perm;ok
++-synproxy;ok
++-synproxy mss 1460 wscale 7;ok
++-synproxy mss 1460 wscale 5 timestamp sack-perm;ok
++-synproxy timestamp sack-perm;ok
++-synproxy timestamp;ok
++-synproxy sack-perm;ok
+
+diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t
+index 4fcde7c..06e94f1 100644
+--- a/tests/py/ip/objects.t
++++ b/tests/py/ip/objects.t
+@@ -33,26 +33,26 @@ ip saddr 192.168.1.3 limit name "lim1";ok
+ ip saddr 192.168.1.3 limit name "lim3";fail
+ limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"};ok
+
+-# ct timeout
+-%cttime1 type ct timeout { protocol tcp; policy = { established:122 } ;};ok
+-%cttime2 type ct timeout { protocol udp; policy = { syn_sent:122 } ;};fail
+-%cttime3 type ct timeout { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;};ok
+-%cttime4 type ct timeout { protocol udp; policy = { replied:14, unreplied:19 } ;};ok
+-%cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail
+-
+-ct timeout set "cttime1";ok
+-
+-# ct expectation
+-%ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok
+-%ctexpect2 type ct expectation { protocol udp; };fail
+-%ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail
+-%ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail
+-%ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok
+-
+-ct expectation set "ctexpect1";ok
+-
+-# synproxy
+-%synproxy1 type synproxy mss 1460 wscale 7;ok
+-%synproxy2 type synproxy mss 1460 wscale 7 timestamp sack-perm;ok
+-
+-synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"};ok
++# # ct timeout
++# %cttime1 type ct timeout { protocol tcp; policy = { established:122 } ;};ok
++# %cttime2 type ct timeout { protocol udp; policy = { syn_sent:122 } ;};fail
++# %cttime3 type ct timeout { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;};ok
++# %cttime4 type ct timeout { protocol udp; policy = { replied:14, unreplied:19 } ;};ok
++# %cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail
++#
++# ct timeout set "cttime1";ok
++
++# # ct expectation
++# %ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok
++# %ctexpect2 type ct expectation { protocol udp; };fail
++# %ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail
++# %ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail
++# %ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok
++#
++# ct expectation set "ctexpect1";ok
++
++# # synproxy
++# %synproxy1 type synproxy mss 1460 wscale 7;ok
++# %synproxy2 type synproxy mss 1460 wscale 7 timestamp sack-perm;ok
++#
++# synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"};ok
+diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t
+index add82eb..cc43aca 100644
+--- a/tests/py/ip6/sets.t
++++ b/tests/py/ip6/sets.t
+@@ -40,4 +40,4 @@ ip6 saddr != @set33 drop;fail
+ !set5 type ipv6_addr . ipv6_addr;ok
+ ip6 saddr . ip6 daddr @set5 drop;ok
+ add @set5 { ip6 saddr . ip6 daddr };ok
+-delete @set5 { ip6 saddr . ip6 daddr };ok
++- delete @set5 { ip6 saddr . ip6 daddr };ok
+diff --git a/tests/shell/testcases/flowtable/0002create_flowtable_0 b/tests/shell/testcases/flowtable/0002create_flowtable_0
+index 4c85c3f..8b80e34 100755
+--- a/tests/shell/testcases/flowtable/0002create_flowtable_0
++++ b/tests/shell/testcases/flowtable/0002create_flowtable_0
+@@ -1,12 +1,12 @@
+ #!/bin/bash
+
+ set -e
+-$NFT add table t
+-$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
+-if $NFT create flowtable t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then
++$NFT add table inet t
++$NFT add flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; }
++if $NFT create flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then
+ echo "E: flowtable creation not failing on existing set" >&2
+ exit 1
+ fi
+-$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
++$NFT add flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; }
+
+ exit 0
+diff --git a/tests/shell/testcases/flowtable/0003add_after_flush_0 b/tests/shell/testcases/flowtable/0003add_after_flush_0
+index 481c7ed..b4243bc 100755
+--- a/tests/shell/testcases/flowtable/0003add_after_flush_0
++++ b/tests/shell/testcases/flowtable/0003add_after_flush_0
+@@ -1,8 +1,8 @@
+ #!/bin/bash
+
+ set -e
+-$NFT add table x
+-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
++$NFT add table inet x
++$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
+ $NFT flush ruleset
+-$NFT add table x
+-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
++$NFT add table inet x
++$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
+diff --git a/tests/shell/testcases/flowtable/0004delete_after_add_0 b/tests/shell/testcases/flowtable/0004delete_after_add_0
+index 8d9a842..4618595 100755
+--- a/tests/shell/testcases/flowtable/0004delete_after_add_0
++++ b/tests/shell/testcases/flowtable/0004delete_after_add_0
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+
+ set -e
+-$NFT add table x
+-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+-$NFT delete flowtable x y
++$NFT add table inet x
++$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
++$NFT delete flowtable inet x y
+diff --git a/tests/shell/testcases/flowtable/0005delete_in_use_1 b/tests/shell/testcases/flowtable/0005delete_in_use_1
+index ef52620..eda1fb9 100755
+--- a/tests/shell/testcases/flowtable/0005delete_in_use_1
++++ b/tests/shell/testcases/flowtable/0005delete_in_use_1
+@@ -1,11 +1,11 @@
+ #!/bin/bash
+
+ set -e
+-$NFT add table x
+-$NFT add chain x x
+-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+-$NFT add rule x x flow add @y
++$NFT add table inet x
++$NFT add chain inet x x
++$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
++$NFT add rule inet x x flow add @y
+
+-$NFT delete flowtable x y || exit 0
++$NFT delete flowtable inet x y || exit 0
+ echo "E: delete flowtable in use"
+ exit 1
+diff --git a/tests/shell/testcases/flowtable/0007prio_0 b/tests/shell/testcases/flowtable/0007prio_0
+index 49bbcac..0ea262f 100755
+--- a/tests/shell/testcases/flowtable/0007prio_0
++++ b/tests/shell/testcases/flowtable/0007prio_0
+@@ -15,10 +15,10 @@ format_offset () {
+ fi
+ }
+
+-$NFT add table t
++$NFT add table inet t
+ for offset in -11 -10 0 10 11
+ do
+- $NFT add flowtable t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }"
+- $NFT delete flowtable t f
++ $NFT add flowtable inet t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }"
++ $NFT delete flowtable inet t f
+ done
+
+diff --git a/tests/shell/testcases/flowtable/0008prio_1 b/tests/shell/testcases/flowtable/0008prio_1
+index 48953d7..0d8cdff 100755
+--- a/tests/shell/testcases/flowtable/0008prio_1
++++ b/tests/shell/testcases/flowtable/0008prio_1
+@@ -1,9 +1,9 @@
+ #!/bin/bash
+
+-$NFT add table t
++$NFT add table inet t
+ for prioname in raw mangle dstnar security srcnat out dummy
+ do
+- $NFT add flowtable t f { hook ingress priority $prioname \; devices = { lo }\; }
++ $NFT add flowtable inet t f { hook ingress priority $prioname \; devices = { lo }\; }
+ if (($? == 0))
+ then
+ echo "E: $prioname should not be a valid priority name for flowtables" >&2
+diff --git a/tests/shell/testcases/flowtable/0009deleteafterflush_0 b/tests/shell/testcases/flowtable/0009deleteafterflush_0
+index 2cda563..061e22e 100755
+--- a/tests/shell/testcases/flowtable/0009deleteafterflush_0
++++ b/tests/shell/testcases/flowtable/0009deleteafterflush_0
+@@ -1,9 +1,9 @@
+ #!/bin/bash
+
+ set -e
+-$NFT add table x
+-$NFT add chain x y
+-$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;}
+-$NFT add rule x y flow add @f
+-$NFT flush chain x y
+-$NFT delete flowtable x f
++$NFT add table inet x
++$NFT add chain inet x y
++$NFT add flowtable inet x f { hook ingress priority 0\; devices = { lo }\;}
++$NFT add rule inet x y flow add @f
++$NFT flush chain inet x y
++$NFT delete flowtable inet x f
+diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0
+index 4d39143..130d02c 100755
+--- a/tests/shell/testcases/listing/0013objects_0
++++ b/tests/shell/testcases/listing/0013objects_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+
++exit 0
++
+ # list table with all objects and chains
+
+ EXPECTED="table ip test {
+diff --git a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
+index 4f40779..e0f9e44 100755
+--- a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
++++ b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+
++exit 0
++
+ EXPECTED='table ip filter {
+ ct timeout cttime{
+ protocol tcp
+diff --git a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
+index 4f9872f..f518cf7 100755
+--- a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
++++ b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+
++exit 0
++
+ EXPECTED='table ip filter {
+ ct expectation ctexpect{
+ protocol tcp
+diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
+deleted file mode 100644
+index 7cff1ed..0000000
+--- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
++++ /dev/null
+@@ -1,11 +0,0 @@
+-table ip filter {
+- ct timeout cttime {
+- protocol tcp
+- l3proto ip
+- policy = { established : 123, close : 12 }
+- }
+-
+- chain c {
+- ct timeout set "cttime"
+- }
+-}
+diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
+new file mode 100644
+index 0000000..7cff1ed
+--- /dev/null
++++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
+@@ -0,0 +1,11 @@
++table ip filter {
++ ct timeout cttime {
++ protocol tcp
++ l3proto ip
++ policy = { established : 123, close : 12 }
++ }
++
++ chain c {
++ ct timeout set "cttime"
++ }
++}
+diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
+index 8b12b8c..e11b4e7 100755
+--- a/tests/shell/testcases/optionals/update_object_handles_0
++++ b/tests/shell/testcases/optionals/update_object_handles_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+
++exit 0
++
+ set -e
+ $NFT add table test-ip
+ $NFT add counter test-ip traffic-counter
+diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0
+index 51ed0f2..043bb8f 100755
+--- a/tests/shell/testcases/sets/0036add_set_element_expiration_0
++++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+
++exit 0
++
+ set -e
+
+ RULESET="add table ip x
+diff --git a/tests/shell/testcases/transactions/0046set_0 b/tests/shell/testcases/transactions/0046set_0
+index 172e24d..1b24964 100755
+--- a/tests/shell/testcases/transactions/0046set_0
++++ b/tests/shell/testcases/transactions/0046set_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+
++exit 0
++
+ RULESET='add table ip filter
+ add chain ip filter group_7933
+ add map ip filter group_7933 { type ipv4_addr : classid; flags interval; }
+--
+1.8.3.1
+
diff --git a/SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch b/SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch
new file mode 100644
index 0000000..f1d018d
--- /dev/null
+++ b/SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch
@@ -0,0 +1,41 @@
+From 1490609a3d82e494168a390b34094bacc5e83c02 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 18 May 2021 18:06:50 +0200
+Subject: [PATCH] monitor: Fix for use after free when printing map elements
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
+Upstream Status: nftables commit 02174ffad484d
+
+commit 02174ffad484d9711678e5d415c32307efc39857
+Author: Phil Sutter
+Date: Thu Jan 9 17:43:11 2020 +0100
+
+ monitor: Fix for use after free when printing map elements
+
+ When populating the dummy set, 'data' field must be cloned just like
+ 'key' field.
+
+ Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets")
+
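Review bot: The `exit 0` added at the top of the shell cases (0013objects_0, 0017ct_timeout_obj_0, 0018ct_expectation_obj_0, update_object_handles_0, 0036add_set_element_expiration_0, 0046set_0) makes each disabled test report success, so a green run cannot be told apart from one in which the feature was actually exercised. Each file should at least carry the reason next to the short-circuit, e.g. `# disabled on RHEL8: kernel lacks this feature, see rhbz#1919203` above the `exit 0`, so the gap in coverage is visible in the file and can be lifted when the kernel catches up. The .t files are also disabled in three different ways (a `- ` prefix, `-` with no space in synproxy.t, and `#` comments in objects.t and object.t); a single convention would make the disabled set easier to audit.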
Signed-off-by: Phil Sutter
+ Acked-by: Pablo Neira Ayuso
+---
+ src/monitor.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/monitor.c b/src/monitor.c
+index 7927b6f..142cc92 100644
+--- a/src/monitor.c
++++ b/src/monitor.c
+@@ -401,7 +401,8 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
+ */
+ dummyset = set_alloc(monh->loc);
+ dummyset->key = expr_clone(set->key);
+- dummyset->data = set->data;
++ if (set->data)
++ dummyset->data = expr_clone(set->data);
+ dummyset->flags = set->flags;
+ dummyset->init = set_expr_alloc(monh->loc, set);
+
+--
+1.8.3.1
+
diff --git a/SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch b/SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch
new file mode 100644
index 0000000..5804349
--- /dev/null
+++ b/SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch
@@ -0,0 +1,44 @@
+From 4ee4ed8d54a8b9f0f0a2b195b3b95b892e4e79a3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 18 May 2021 18:06:50 +0200
+Subject: [PATCH] tests: monitor: use correct $nft value in EXIT trap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
+Upstream Status: nftables commit 990cbbf75c40b
+
+commit 990cbbf75c40b92e6d6dc66721dfbedf33cacf8f
+Author: Štěpán Němec
+Date: Wed Jan 27 15:02:03 2021 +0100
+
+ tests: monitor: use correct $nft value in EXIT trap
+
+ With double quotes, $nft was being expanded to the default value even
+ in presence of the -H option.
+
+ Signed-off-by: Štěpán Němec
+ Helped-by: Tomáš Doležal
+ Acked-by: Phil Sutter
+
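Review bot: The new `if (set->data)` guard leaves `dummyset->data` unassigned for sets without a data expression, which is only safe if `set_alloc()` hands back a zeroed struct; that function is not visible here, so this is worth confirming. The ownership rule the fix relies on is also unstated at the site: a comment above the two clones, such as `/* dummyset is released separately from the cached set, so it must own clones of key and data */`, would keep the shallow copy from being reintroduced. The comment block that ends just before these lines and the rest of netlink_events_setelem_cb() are outside the hunk.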
Signed-off-by: Phil Sutter
+---
+ tests/monitor/run-tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
+index ffb833a..c1cacb4 100755
+--- a/tests/monitor/run-tests.sh
++++ b/tests/monitor/run-tests.sh
+@@ -19,7 +19,7 @@ if [ ! -d $testdir ]; then
+ echo "Failed to create test directory" >&2
+ exit 1
+ fi
+-trap "rm -rf $testdir; $nft flush ruleset" EXIT
++trap 'rm -rf $testdir; $nft flush ruleset' EXIT
+
+ command_file=$(mktemp -p $testdir)
+ output_file=$(mktemp -p $testdir)
+--
+1.8.3.1
+
diff --git a/SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch b/SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch
new file mode 100644
index 0000000..9d95874
--- /dev/null
+++ b/SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch
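Review bot: With the trap body now single-quoted, `$testdir` is expanded only when the trap fires and is still unquoted, so `rm -rf $testdir` undergoes word splitting and globbing on whatever the variable holds at exit. Quoting it inside the trap keeps the cleanup confined to the one directory: `trap 'rm -rf "$testdir"; $nft flush ruleset' EXIT`. The same unquoted use appears in the `[ ! -d $testdir ]` test and the two `mktemp -p $testdir` calls shown as context; where testdir is assigned lies outside the hunk.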
@@ -0,0 +1,57 @@
+From 805fe6f5c9c8f2af78d8e94bd6b5c33724df3c80 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 18 May 2021 18:16:21 +0200
+Subject: [PATCH] evaluate: Reject quoted strings containing only wildcard
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1818117
+Upstream Status: nftables commit 032c9f745c6da
+
+commit 032c9f745c6daab8c27176a95963b1c32b0a5d12
+Author: Phil Sutter
+Date: Thu Sep 24 17:38:45 2020 +0200
+
+ evaluate: Reject quoted strings containing only wildcard
+
+ Fix for an assertion fail when trying to match against an all-wildcard
+ interface name:
+
+ | % nft add rule t c iifname '"*"'
+ | nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed.
+ | zsh: abort nft add rule t c iifname '"*"'
+
+ Fix this by detecting the string in expr_evaluate_string() and returning
+ an error message:
+
+ | % nft add rule t c iifname '"*"'
+ | Error: All-wildcard strings are not supported
+ | add rule t c iifname "*"
+ | ^^^
+
+ While being at it, drop the 'datalen >= 1' clause from the following
+ conditional as together with the added check for 'datalen == 0', all
+ possible other values have been caught already.
+---
+ src/evaluate.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index a966ed4..0181750 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -321,8 +321,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
+ return 0;
+ }
+
+- if (datalen >= 1 &&
+- data[datalen - 1] == '\\') {
++ if (datalen == 0)
++ return expr_error(ctx->msgs, expr,
++ "All-wildcard strings are not supported");
++
++ if (data[datalen - 1] == '\\') {
+ char unescaped_str[data_len];
+
+ memset(unescaped_str, 0, sizeof(unescaped_str));
+--
+1.8.3.1
+
diff --git a/SOURCES/0046-src-Support-odd-sized-payload-matches.patch b/SOURCES/0046-src-Support-odd-sized-payload-matches.patch
new file mode 100644
index 0000000..f68adc2
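Review bot: The read of `data[datalen - 1]` is now guarded only by the `datalen == 0` early return added above it, so it stays in bounds only as long as datalen can never be negative; its declaration and assignment are outside the hunk, so the commit message's claim that all other values are caught should be checked against the type. A one-line comment at the second `if`, e.g. `/* datalen > 0 here: the all-wildcard case returned above */`, would keep that dependency visible if the early return is ever moved. The diffstat touches only src/evaluate.c, so the new "All-wildcard strings are not supported" error path has no regression test in this patch.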
--- /dev/null
+++ b/SOURCES/0046-src-Support-odd-sized-payload-matches.patch
@@ -0,0 +1,64 @@
+From 64f34f34acedad6cce70f2dd91c82a814d4ffe34 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 19 May 2021 18:03:43 +0200
+Subject: [PATCH] src: Support odd-sized payload matches
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1934926
+Upstream Status: nftables commit 8a927c56d83ed
+
+commit 8a927c56d83ed0f78785011bd92a53edc25a0ca0
+Author: Phil Sutter
+Date: Tue Oct 27 17:05:25 2020 +0100
+
+ src: Support odd-sized payload matches
+
+ When expanding a payload match, don't disregard oversized templates at
+ the right offset. A more flexible user may extract less bytes from the
+ packet if only parts of a field are interesting, e.g. only the prefix of
+ source/destination address. Support that by using the template, but fix
+ the length. Later when creating a relational expression for it, detect
+ the unusually small payload expression length and turn the RHS value
+ into a prefix expression.
+
+ Signed-off-by: Phil Sutter
+---
+ src/netlink_delinearize.c | 6 ++++++
+ src/payload.c | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 88dbd5a..8bdee12 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -1577,6 +1577,12 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
+ tmp = constant_expr_splice(right, left->len);
+ expr_set_type(tmp, left->dtype, left->byteorder);
+
++ if (left->payload.tmpl && (left->len < left->payload.tmpl->len)) {
++ mpz_lshift_ui(tmp->value, left->payload.tmpl->len - left->len);
++ tmp->len = left->payload.tmpl->len;
++ tmp = prefix_expr_alloc(&tmp->location, tmp, left->len);
++ }
++
+ nexpr = relational_expr_alloc(&expr->location, expr->op,
+ left, tmp);
+ if (expr->op == OP_EQ)
+diff --git a/src/payload.c b/src/payload.c
+index 3576400..45280ef 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -746,6 +746,11 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
+ expr->payload.offset += tmpl->len;
+ if (expr->len == 0)
+ return;
++ } else if (expr->len > 0) {
++ new = payload_expr_alloc(&expr->location, desc, i);
++ new->len = expr->len;
++ list_add_tail(&new->list, list);
++ return;
+ } else
+ break;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch b/SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch
new file mode 100644
index 0000000..ffb3bd1
--- /dev/null
+++ b/SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch
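Review bot: The new `else if (expr->len > 0)` branch in payload_expr_expand() overwrites `new->len` with the remaining length and returns, but nothing at the site says that a deliberately shortened template is being emitted or that payload_match_expand() compensates for it later. A comment in the branch, e.g. `/* template is wider than what is left: keep it, shorten it to the remaining bits; the RHS is turned into a prefix in payload_match_expand() */`, and a matching one on the `left->len < left->payload.tmpl->len` block would tie the two halves together. The condition of the `if` that this `else if` hangs off is outside the hunk, so whether the template offset has already been matched at this point cannot be confirmed from here. The diffstat lists only the two source files, so the new decode path for rules read back from the kernel has no test in this patch.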
@@ -0,0 +1,241 @@ +From 6fb6d8f15a82b3348184f6950a436becb06931cb Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 19 May 2021 18:03:43 +0200 +Subject: [PATCH] src: Optimize prefix matches on byte-boundaries + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1934926 +Upstream Status: nftables commit 25338cdb6c77a +Conflicts: There is a hidden dependency on commit ee4391d0ac1e7 ("nat: + transform range to prefix expression when possible"). + Backport only the single chunk required to keep prefix + parsing intact to avoid having to backport 9599d9d25a6b3 + ("src: NAT support for intervals in maps") as a dependency + which is clearly oversized for the sake of this purpose. + +commit 25338cdb6c77aa2f0977afbbb612571c9d325213 +Author: Phil Sutter +Date: Tue Oct 27 17:33:15 2020 +0100 + + src: Optimize prefix matches on byte-boundaries + + If a prefix expression's length is on a byte-boundary, it is sufficient + to just reduce the length passed to "cmp" expression. No need for + explicit bitwise modification of data on LHS. The relevant code is + already there, used for string prefix matches. There is one exception + though, namely zero-length prefixes: Kernel doesn't accept zero-length + "cmp" expressions, so keep them in the old code-path for now. + + This patch depends upon the previous one to correctly parse odd-sized + payload matches but has to extend support for non-payload LHS as well. + In practice, this is needed for "ct" expressions as they allow matching + against IP address prefixes, too. + + 
Signed-off-by: Phil Sutter +--- + src/netlink_delinearize.c | 8 ++++++-- + src/netlink_linearize.c | 4 +++- + tests/py/ip/ct.t.payload | 4 ---- + tests/py/ip/ip.t.payload | 6 ++---- + tests/py/ip/ip.t.payload.bridge | 6 ++---- + tests/py/ip/ip.t.payload.inet | 6 ++---- + tests/py/ip/ip.t.payload.netdev | 6 ++---- + tests/py/ip6/ip6.t.payload.inet | 5 ++--- + tests/py/ip6/ip6.t.payload.ip6 | 5 ++--- + 9 files changed, 21 insertions(+), 29 deletions(-) + +diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c +index 8bdee12..157a473 100644 +--- a/src/netlink_delinearize.c ++++ b/src/netlink_delinearize.c +@@ -291,8 +291,9 @@ static void netlink_parse_cmp(struct netlink_parse_ctx *ctx, + + if (left->len > right->len && + expr_basetype(left) != &string_type) { +- netlink_error(ctx, loc, "Relational expression size mismatch"); +- goto err_free; ++ mpz_lshift_ui(right->value, left->len - right->len); ++ right = prefix_expr_alloc(loc, right, right->len); ++ right->prefix->len = left->len; + } else if (left->len > 0 && left->len < right->len) { + expr_free(left); + left = netlink_parse_concat_expr(ctx, loc, sreg, right->len); +@@ -2164,6 +2165,9 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) + expr_postprocess(ctx, &expr->left); + expr_postprocess(ctx, &expr->right); + break; ++ case EXPR_PREFIX: ++ expr_postprocess(ctx, &expr->prefix); ++ break; + case EXPR_SET_ELEM: + expr_postprocess(ctx, &expr->key); + break; +diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c +index 606d97a..25be634 100644 +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -501,7 +501,9 @@ static void netlink_gen_relational(struct netlink_linearize_ctx *ctx, + return netlink_gen_flagcmp(ctx, expr, dreg); + case EXPR_PREFIX: + sreg = get_register(ctx, expr->left); +- if (expr_basetype(expr->left)->type != TYPE_STRING) { ++ if (expr_basetype(expr->left)->type != TYPE_STRING && ++ (!expr->right->prefix_len || ++ expr->right->prefix_len 
% BITS_PER_BYTE)) { + len = div_round_up(expr->right->len, BITS_PER_BYTE); + netlink_gen_expr(ctx, expr->left, sreg); + right = netlink_gen_prefix(ctx, expr, sreg); +diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload +index d5faed4..a7e08f9 100644 +--- a/tests/py/ip/ct.t.payload ++++ b/tests/py/ip/ct.t.payload +@@ -21,25 +21,21 @@ ip test-ip4 output + # ct original ip saddr 192.168.1.0/24 + ip test-ip4 output + [ ct load src_ip => reg 1 , dir original ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0001a8c0 ] + + # ct reply ip saddr 192.168.1.0/24 + ip test-ip4 output + [ ct load src_ip => reg 1 , dir reply ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0001a8c0 ] + + # ct original ip daddr 192.168.1.0/24 + ip test-ip4 output + [ ct load dst_ip => reg 1 , dir original ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0001a8c0 ] + + # ct reply ip daddr 192.168.1.0/24 + ip test-ip4 output + [ ct load dst_ip => reg 1 , dir reply ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] + [ cmp eq reg 1 0x0001a8c0 ] + + # ct l3proto ipv4 +diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload +index d627b22..825c0f0 100644 +--- a/tests/py/ip/ip.t.payload ++++ b/tests/py/ip/ip.t.payload +@@ -358,14 +358,12 @@ ip test-ip4 input + + # ip saddr 192.168.2.0/24 + ip test-ip4 input +- [ payload load 4b @ network header + 12 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] ++ [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0002a8c0 ] + + # ip saddr != 192.168.2.0/24 + ip test-ip4 input +- [ payload load 4b @ network header + 12 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] ++ [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x0002a8c0 ] + + # ip saddr 192.168.3.1 ip daddr 192.168.3.100 +diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge +index 
91a4fde..e958a5b 100644 +--- a/tests/py/ip/ip.t.payload.bridge ++++ b/tests/py/ip/ip.t.payload.bridge +@@ -466,16 +466,14 @@ bridge test-bridge input + bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] +- [ payload load 4b @ network header + 12 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] ++ [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0002a8c0 ] + + # ip saddr != 192.168.2.0/24 + bridge test-bridge input + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] +- [ payload load 4b @ network header + 12 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] ++ [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x0002a8c0 ] + + # ip saddr 192.168.3.1 ip daddr 192.168.3.100 +diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet +index b9cb28a..6501473 100644 +--- a/tests/py/ip/ip.t.payload.inet ++++ b/tests/py/ip/ip.t.payload.inet +@@ -466,16 +466,14 @@ inet test-inet input + inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] +- [ payload load 4b @ network header + 12 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] ++ [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0002a8c0 ] + + # ip saddr != 192.168.2.0/24 + inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] +- [ payload load 4b @ network header + 12 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] ++ [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x0002a8c0 ] + + # ip saddr 192.168.3.1 ip daddr 192.168.3.100 +diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev +index 588e5ca..58ae358 100644 +--- a/tests/py/ip/ip.t.payload.netdev ++++ b/tests/py/ip/ip.t.payload.netdev +@@ -379,16 +379,14 @@ netdev test-netdev ingress + netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 
0x00000008 ] +- [ payload load 4b @ network header + 12 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] ++ [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0002a8c0 ] + + # ip saddr != 192.168.2.0/24 + netdev test-netdev ingress + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] +- [ payload load 4b @ network header + 12 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ] ++ [ payload load 3b @ network header + 12 => reg 1 ] + [ cmp neq reg 1 0x0002a8c0 ] + + # ip saddr 192.168.3.1 ip daddr 192.168.3.100 +diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet +index d015c8e..ffc9b9f 100644 +--- a/tests/py/ip6/ip6.t.payload.inet ++++ b/tests/py/ip6/ip6.t.payload.inet +@@ -604,9 +604,8 @@ inet test-inet input + inet test-inet input + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] +- [ payload load 16b @ network header + 8 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] +- [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ] ++ [ payload load 8b @ network header + 8 => reg 1 ] ++ [ cmp eq reg 1 0x00000000 0x00000000 ] + + # ip6 saddr ::1 ip6 daddr ::2 + inet test-inet input +diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6 +index b2e8363..18b8bcb 100644 +--- a/tests/py/ip6/ip6.t.payload.ip6 ++++ b/tests/py/ip6/ip6.t.payload.ip6 +@@ -452,9 +452,8 @@ ip6 test-ip6 input + + # ip6 saddr ::/64 + ip6 test-ip6 input +- [ payload load 16b @ network header + 8 => reg 1 ] +- [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ] +- [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ] ++ [ payload load 8b @ network header + 8 => reg 1 ] ++ [ cmp eq reg 1 0x00000000 0x00000000 ] + + # ip6 saddr ::1 ip6 daddr ::2 + ip6 test-ip6 input +-- +1.8.3.1 + 
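Review bot: The new condition in netlink_gen_relational() (src/netlink_linearize.c) sends every byte-aligned, non-zero prefix down the shortened-`cmp` path without checking the byte order of the LHS. Comparing only the first prefix_len/8 bytes of the register equals a prefix match only when the value is in network byte order; I cannot tell from the hunk whether evaluation guarantees that for every LHS that reaches `case EXPR_PREFIX`. If it does not, a rule could match a different range than the one written, so either keep such operands on the bitwise path by adding `expr->left->byteorder != BYTEORDER_BIG_ENDIAN ||` inside the parenthesised part of the condition, or state the guarantee in a comment. Separately, netlink_parse_cmp() in src/netlink_delinearize.c now treats any `left->len > right->len` mismatch on a non-string as a prefix where it used to raise "Relational expression size mismatch"; a comment such as `/* shorter RHS on a non-string LHS: byte-aligned prefix match, see netlink_gen_relational() */` would record why that sanity check was dropped. Both functions continue outside their hunks.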
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 57a7d1f..a45844a 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,9 +1,9 @@ %define rpmversion 0.9.3 -%define specrelease 18%{?dist} +%define specrelease 20 Name: nftables Version: %{rpmversion} -Release: %{specrelease}%{?buildid} +Release: %{specrelease}%{?dist}%{?buildid} # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track. Epoch: 1 Summary: Netfilter Tables userspace utillites @@ -58,6 +58,12 @@ Patch38: 0038-json-echo-Speedup-seqnum_to_json.patch Patch39: 0039-json-Fix-seqnum_to_json-functionality.patch Patch40: 0040-json-don-t-leave-dangling-pointers-on-hlist.patch Patch41: 0041-json-init-parser-state-for-every-new-buffer-file.patch +Patch42: 0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch +Patch43: 0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch +Patch44: 0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch +Patch45: 0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch +Patch46: 0046-src-Support-odd-sized-payload-matches.patch +Patch47: 0047-src-Optimize-prefix-matches-on-byte-boundaries.patch BuildRequires: autogen BuildRequires: autoconf 
@@ -174,6 +180,18 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py %{python3_sitelib}/nftables/ %changelog +* Thu May 20 2021 Phil Sutter [0.9.3-20.el8] +- src: Optimize prefix matches on byte-boundaries (Phil Sutter) [1934926] +- src: Support odd-sized payload matches (Phil Sutter) [1934926] +- spec: Add an rpminspect.yaml file to steer rpminspect (Phil Sutter) [1962184] +- spec: Explicitly state dist string in Release tag (Phil Sutter) [1962184] + +* Wed May 19 2021 Phil Sutter [0.9.3-19.el8] +- evaluate: Reject quoted strings containing only wildcard (Phil Sutter) [1818117] +- tests: monitor: use correct $nft value in EXIT trap (Phil Sutter) [1919203] +- monitor: Fix for use after free when printing map elements (Phil Sutter) [1919203] +- tests: Disable tests known to fail on RHEL8 (Phil Sutter) [1919203] + * Sat Feb 20 2021 Phil Sutter [0.9.3-18.el8] - json: init parser state for every new buffer/file (Phil Sutter) [1930873]