diff --git a/SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch b/SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch deleted file mode 100644 index b81cec4..0000000 --- a/SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch +++ /dev/null @@ -1,47 +0,0 @@ -From aa456490794b5498ef9429481bb0f7ae6b3650ac Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Sat, 8 Aug 2020 00:09:06 +0200 -Subject: [PATCH] include: Resync nf_tables.h cache copy - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532 -Upstream Status: nftables commit f1e5a0499c077 - -commit f1e5a0499c0773f18bc592dd0da0340120daa482 -Author: Stefano Brivio -Date: Mon Apr 13 21:48:02 2020 +0200 - - include: Resync nf_tables.h cache copy - - Get this header in sync with nf.git as of commit ef516e8625dd. - - Signed-off-by: Stefano Brivio - Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - include/linux/netfilter/nf_tables.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h -index 1a99df3348b5c..9b54a86bc5169 100644 ---- a/include/linux/netfilter/nf_tables.h -+++ b/include/linux/netfilter/nf_tables.h -@@ -274,6 +274,7 @@ enum nft_rule_compat_attributes { - * @NFT_SET_TIMEOUT: set uses timeouts - * @NFT_SET_EVAL: set can be updated from the evaluation path - * @NFT_SET_OBJECT: set contains stateful objects -+ * @NFT_SET_CONCAT: set contains a concatenation - */ - enum nft_set_flags { - NFT_SET_ANONYMOUS = 0x1, -@@ -283,6 +284,7 @@ enum nft_set_flags { - NFT_SET_TIMEOUT = 0x10, - NFT_SET_EVAL = 0x20, - NFT_SET_OBJECT = 0x40, -+ NFT_SET_CONCAT = 0x80, - }; - - /** --- -2.27.0 - diff --git a/SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch b/SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch new file mode 100644 index 0000000..5ee20ac --- /dev/null +++ b/SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch @@ -0,0 +1,119 @@ +From 68392da523f43b9ae09f824fa68b04b20c9c88f5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 May 2020 11:12:37 +0200 +Subject: [PATCH] parser_json: Support ranges in concat expressions + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1805798 +Upstream Status: nftables commit 9475ca305a993 + +commit 9475ca305a993751b05cf26ef8e785a00de98b94 +Author: Phil Sutter +Date: Fri Mar 6 16:15:48 2020 +0100 + + parser_json: Support ranges in concat expressions + + Duplicate commit 8ac2f3b2fca38's changes to bison parser into JSON + parser by introducing a new context flag signalling we're parsing + concatenated expressions. + + Fixes: 8ac2f3b2fca38 ("src: Add support for concatenated set ranges") + Signed-off-by: Phil Sutter + Acked-by: Eric Garver +--- + src/parser_json.c | 51 +++++++++++++++++++++++++++++---------------------- + 1 file changed, 29 insertions(+), 22 deletions(-) + +diff --git a/src/parser_json.c b/src/parser_json.c +index 031930e..c48faa8 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -40,6 +40,7 @@ + #define CTX_F_MANGLE (1 << 5) + #define CTX_F_SES (1 << 6) /* set_elem_expr_stmt */ + #define CTX_F_MAP (1 << 7) /* LHS of map_expr */ ++#define CTX_F_CONCAT (1 << 8) /* inside concat_expr */ + + struct json_ctx { + struct input_descriptor indesc; +@@ -99,6 +100,7 @@ static struct expr *json_parse_primary_expr(struct json_ctx *ctx, json_t *root); + static struct expr *json_parse_set_rhs_expr(struct json_ctx *ctx, json_t *root); + static struct expr *json_parse_set_elem_expr_stmt(struct json_ctx *ctx, json_t *root); + static struct expr *json_parse_map_lhs_expr(struct json_ctx *ctx, json_t *root); ++static struct expr *json_parse_concat_elem_expr(struct json_ctx *ctx, json_t *root); + static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root); + + /* parsing helpers */ +@@ -1058,7 +1060,7 @@ static struct expr *json_parse_concat_expr(struct json_ctx *ctx, + } + + json_array_foreach(root, index, value) { +- tmp = json_parse_primary_expr(ctx, value); ++ tmp = json_parse_concat_elem_expr(ctx, value); + if (!tmp) { + json_error(ctx, "Parsing expr at index %zd failed.", index); + expr_free(expr); +@@ -1354,28 +1356,28 @@ static struct expr *json_parse_expr(struct json_ctx *ctx, json_t *root) + { "set", json_parse_set_expr, CTX_F_RHS | CTX_F_STMT }, /* allow this as stmt expr because that allows set references */ + { "map", json_parse_map_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS }, + /* below three are multiton_rhs_expr */ +- { "prefix", json_parse_prefix_expr, CTX_F_RHS | CTX_F_STMT }, +- { "range", json_parse_range_expr, CTX_F_RHS | CTX_F_STMT }, +- { "payload", json_parse_payload_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP }, +- { "exthdr", json_parse_exthdr_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { "tcp option", json_parse_tcp_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES }, +- { "ip option", json_parse_ip_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES }, +- { "meta", json_parse_meta_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP }, +- { "osf", json_parse_osf_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_MAP }, +- { "ipsec", json_parse_xfrm_expr, CTX_F_PRIMARY | CTX_F_MAP }, +- { "socket", json_parse_socket_expr, CTX_F_PRIMARY }, +- { "rt", json_parse_rt_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { "ct", json_parse_ct_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP }, +- { "numgen", json_parse_numgen_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, ++ { "prefix", json_parse_prefix_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_CONCAT }, ++ { "range", json_parse_range_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_CONCAT }, ++ { "payload", json_parse_payload_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "exthdr", json_parse_exthdr_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "tcp option", json_parse_tcp_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT }, ++ { "ip option", json_parse_ip_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT }, ++ { "meta", json_parse_meta_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "osf", json_parse_osf_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT }, ++ { "ipsec", json_parse_xfrm_expr, CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT }, ++ { "socket", json_parse_socket_expr, CTX_F_PRIMARY | CTX_F_CONCAT }, ++ { "rt", json_parse_rt_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "ct", json_parse_ct_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "numgen", json_parse_numgen_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, + /* below two are hash expr */ +- { "jhash", json_parse_hash_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { "symhash", json_parse_hash_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { "fib", json_parse_fib_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { "|", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { "^", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { "&", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { ">>", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, +- { "<<", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP }, ++ { "jhash", json_parse_hash_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "symhash", json_parse_hash_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "fib", json_parse_fib_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "|", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "^", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "&", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { ">>", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, ++ { "<<", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT }, + { "accept", json_parse_verdict_expr, CTX_F_RHS | CTX_F_SET_RHS }, + { "drop", json_parse_verdict_expr, CTX_F_RHS | CTX_F_SET_RHS }, + { "continue", json_parse_verdict_expr, CTX_F_RHS | CTX_F_SET_RHS }, +@@ -1500,6 +1502,11 @@ static struct expr *json_parse_map_lhs_expr(struct json_ctx *ctx, json_t *root) + return json_parse_flagged_expr(ctx, CTX_F_MAP, root); + } + ++static struct expr *json_parse_concat_elem_expr(struct json_ctx *ctx, json_t *root) ++{ ++ return json_parse_flagged_expr(ctx, CTX_F_CONCAT, root); ++} ++ + static struct expr *json_parse_dtype_expr(struct json_ctx *ctx, json_t *root) + { + if (json_is_string(root)) { +-- +1.8.3.1 + diff --git a/SOURCES/0023-doc-Document-notrack-statement.patch b/SOURCES/0023-doc-Document-notrack-statement.patch new file mode 100644 index 0000000..4c31fc5 --- /dev/null +++ b/SOURCES/0023-doc-Document-notrack-statement.patch @@ -0,0 +1,51 @@ +From f7a31d5c3277b29f104fd8ff48df24c8bc790f19 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 24 Jun 2020 18:46:39 +0200 +Subject: [PATCH] doc: Document notrack statement + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1841292 +Upstream Status: nftables commit f16fbe76f62dc + +commit f16fbe76f62dcb9f7395d1837ad2d056463ba55f +Author: Phil Sutter +Date: Mon Jun 22 15:07:40 2020 +0200 + + doc: Document notrack statement + + Merely a stub, but better to mention it explicitly instead of having it + appear in synproxy examples and letting users guess as to what it does. + + Signed-off-by: Phil Sutter + Reviewed-by: Florian Westphal +--- + doc/statements.txt | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/doc/statements.txt b/doc/statements.txt +index 3b82436..749533a 100644 +--- a/doc/statements.txt ++++ b/doc/statements.txt +@@ -262,6 +262,20 @@ table inet raw { + ct event set new,related,destroy + -------------------------------------- + ++NOTRACK STATEMENT ++~~~~~~~~~~~~~~~~~ ++The notrack statement allows to disable connection tracking for certain ++packets. ++ ++[verse] ++*notrack* ++ ++Note that for this statement to be effective, it has to be applied to packets ++before a conntrack lookup happens. Therefore, it needs to sit in a chain with ++either prerouting or output hook and a hook priority of -300 or less. ++ ++See SYNPROXY STATEMENT for an example usage. ++ + META STATEMENT + ~~~~~~~~~~~~~~ + A meta statement sets the value of a meta expression. The existing meta fields +-- +1.8.3.1 + diff --git a/SOURCES/0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch b/SOURCES/0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch deleted file mode 100644 index 75fff95..0000000 --- a/SOURCES/0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch +++ /dev/null @@ -1,74 +0,0 @@ -From c69d7c3c5c1805e41f679487310044f518859214 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Sat, 8 Aug 2020 00:05:48 +0200 -Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated - ranges - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532 -Upstream Status: nftables commit 09441b5e92cee - -commit 09441b5e92ceea60198a35cd657904fa7a10ee54 -Author: Stefano Brivio -Date: Mon Apr 13 21:48:03 2020 +0200 - - src: Set NFT_SET_CONCAT flag for sets with concatenated ranges - - Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support - for concatenated set ranges"), crashes with older kernels (< 5.6) - without support for concatenated set ranges: those sets will be sent - to the kernel, which adds them without notion of the fact that - different concatenated fields are actually included, and nft crashes - while trying to list this kind of malformed concatenation. - - Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd - ("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when - sets including concatenated ranges are sent to the kernel, so that - older kernels (with no knowledge of this flag itself) will refuse set - creation. - - Note that, in expr_evaluate_set(), we have to check for the presence - of the flag, also on empty sets that might carry it in context data, - and actually set it in the actual set flags. - - Reported-by: Pablo Neira Ayuso - Signed-off-by: Stefano Brivio - Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - src/evaluate.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 0c848166409f4..f66251b41c058 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) - set->size += i->size - 1; - set->set_flags |= i->set_flags; - expr_free(i); -- } else if (!expr_is_singleton(i)) -+ } else if (!expr_is_singleton(i)) { - set->set_flags |= NFT_SET_INTERVAL; -+ if (i->key->etype == EXPR_CONCAT) -+ set->set_flags |= NFT_SET_CONCAT; -+ } - } - -+ if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT)) -+ set->set_flags |= NFT_SET_CONCAT; -+ - set->set_flags |= NFT_SET_CONSTANT; - - datatype_set(set, ctx->ectx.dtype); -@@ -3336,6 +3342,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) - memcpy(&set->desc.field_len, &set->key->field_len, - sizeof(set->desc.field_len)); - set->desc.field_count = set->key->field_count; -+ set->flags |= NFT_SET_CONCAT; - } - - if (set_is_datamap(set->flags)) { --- -2.27.0 - diff --git a/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch b/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch new file mode 100644 index 0000000..f7ed167 --- /dev/null +++ b/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch @@ -0,0 +1,53 @@ +From 58d8baa70172bb9862276ac5f542248c88d3faf4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 24 Jun 2020 18:48:14 +0200 +Subject: [PATCH] JSON: Improve performance of json_events_cb() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1835300 +Upstream Status: nftables commit c96c7da272e33 + +commit c96c7da272e33a34770c4de4e3e50f7ed264672e +Author: Phil Sutter +Date: Wed May 13 16:29:51 2020 +0200 + + JSON: Improve performance of json_events_cb() + + The function tries to insert handles into JSON input for echo option. + Yet there may be nothing to do if the given netlink message doesn't + contain a handle, e.g. if it is an 'add element' command. Calling + seqnum_to_json() is pointless overhead in that case, and if input is + large this overhead is significant. Better wait with that call until + after checking if the message is relevant at all. + + Signed-off-by: Phil Sutter + Acked-by: Eric Garver +--- + src/parser_json.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/parser_json.c b/src/parser_json.c +index c48faa8..ce8e566 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -3845,12 +3845,15 @@ static uint64_t handle_from_nlmsg(const struct nlmsghdr *nlh) + } + int json_events_cb(const struct nlmsghdr *nlh, struct netlink_mon_handler *monh) + { +- json_t *tmp, *json = seqnum_to_json(nlh->nlmsg_seq); + uint64_t handle = handle_from_nlmsg(nlh); ++ json_t *tmp, *json; + void *iter; + +- /* might be anonymous set, ignore message */ +- if (!json || !handle) ++ if (!handle) ++ return MNL_CB_OK; ++ ++ json = seqnum_to_json(nlh->nlmsg_seq); ++ if (!json) + return MNL_CB_OK; + + tmp = json_object_get(json, "add"); +-- +1.8.3.1 + diff --git a/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch b/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch new file mode 100644 index 0000000..3f829d4 --- /dev/null +++ b/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch @@ -0,0 +1,42 @@ +From ab62f33df5ef33f6eff8d88d9475a01822a2f625 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 30 Jun 2020 16:20:22 +0200 +Subject: [PATCH] segtree: Fix missing expires value in prefixes + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235 +Upstream Status: nftables commit 60ba9c22fecc0 + +commit 60ba9c22fecc0ca9bb2a61f6ad39bceed1aee38f +Author: Phil Sutter +Date: Tue Apr 28 20:54:03 2020 +0200 + + segtree: Fix missing expires value in prefixes + + This probable copy'n'paste bug prevented 'expiration' field from being + populated when turning a range into a prefix in + interval_map_decompose(). Consequently, interval sets with timeout did + print expiry value for ranges (such as 10.0.0.1-10.0.0.5) but not + prefixes (10.0.0.0/8, for instance). + + Fixes: bb0e6d8a2851b ("segtree: incorrect handling of comments and timeouts with mapping") + Signed-off-by: Phil Sutter +--- + src/segtree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/segtree.c b/src/segtree.c +index e859f84..1ba4363 100644 +--- a/src/segtree.c ++++ b/src/segtree.c +@@ -1086,7 +1086,7 @@ void interval_map_decompose(struct expr *set) + prefix->comment = xstrdup(low->comment); + if (low->timeout) + prefix->timeout = low->timeout; +- if (low->left->expiration) ++ if (low->expiration) + prefix->expiration = low->expiration; + } + +-- +1.8.3.1 + diff --git a/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch b/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch new file mode 100644 index 0000000..5b3fd97 --- /dev/null +++ b/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch @@ -0,0 +1,55 @@ +From 119fbcbd8c37aac314d6ffa6225ab24ee4b0e31e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 30 Jun 2020 16:20:23 +0200 +Subject: [PATCH] segtree: Use expr_clone in get_set_interval_*() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235 +Upstream Status: nftables commit a2eedcc89d2ed + +commit a2eedcc89d2ed40411c26d53579300c4f1ccb83d +Author: Phil Sutter +Date: Thu Apr 30 13:45:40 2020 +0200 + + segtree: Use expr_clone in get_set_interval_*() + + Both functions perform interval set lookups with either start and end or + only start values as input. Interestingly, in practice they either see + values which are not contained or which match an existing range exactly. + + Make use of the above and just return a clone of the matching entry + instead of creating a new one based on input data. + + Signed-off-by: Phil Sutter +--- + src/segtree.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/src/segtree.c b/src/segtree.c +index 1ba4363..dc4db6b 100644 +--- a/src/segtree.c ++++ b/src/segtree.c +@@ -695,9 +695,7 @@ static struct expr *get_set_interval_find(const struct table *table, + range_expr_value_high(high, i); + if (mpz_cmp(left->key->value, low) >= 0 && + mpz_cmp(right->key->value, high) <= 0) { +- range = range_expr_alloc(&internal_location, +- expr_clone(left->key), +- expr_clone(right->key)); ++ range = expr_clone(i->key); + goto out; + } + break; +@@ -729,9 +727,7 @@ static struct expr *get_set_interval_end(const struct table *table, + case EXPR_RANGE: + range_expr_value_low(low, i); + if (mpz_cmp(low, left->key->value) == 0) { +- range = range_expr_alloc(&internal_location, +- expr_clone(left->key), +- expr_clone(i->key->right)); ++ range = expr_clone(i->key); + goto out; + } + break; +-- +1.8.3.1 + diff --git a/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch b/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch new file mode 100644 index 0000000..f67ee6b --- /dev/null +++ b/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch @@ -0,0 +1,131 @@ +From 40cdcccf0fc6f4d0d4c2248d4bd9bf3193a922e9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 30 Jun 2020 16:20:23 +0200 +Subject: [PATCH] segtree: Merge get_set_interval_find() and + get_set_interval_end() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235 +Upstream Status: nftables commit f21e73d6700b8 + +commit f21e73d6700b873eb1a295f43bbad9caaca577e2 +Author: Phil Sutter +Date: Thu Apr 30 13:57:35 2020 +0200 + + segtree: Merge get_set_interval_find() and get_set_interval_end() + + Both functions were very similar already. Under the assumption that they + will always either see a range (or start of) that matches exactly or not + at all, reduce complexity and make get_set_interval_find() accept NULL + (left or) right values. This way it becomes a full replacement for + get_set_interval_end(). + + Signed-off-by: Phil Sutter +--- + src/segtree.c | 63 +++++++++++++++-------------------------------------------- + 1 file changed, 16 insertions(+), 47 deletions(-) + +diff --git a/src/segtree.c b/src/segtree.c +index dc4db6b..6e1f696 100644 +--- a/src/segtree.c ++++ b/src/segtree.c +@@ -681,63 +681,31 @@ static struct expr *get_set_interval_find(const struct table *table, + { + struct expr *range = NULL; + struct set *set; +- mpz_t low, high; + struct expr *i; ++ mpz_t val; + + set = set_lookup(table, set_name); +- mpz_init2(low, set->key->len); +- mpz_init2(high, set->key->len); ++ mpz_init2(val, set->key->len); + + list_for_each_entry(i, &set->init->expressions, list) { + switch (i->key->etype) { + case EXPR_RANGE: +- range_expr_value_low(low, i); +- range_expr_value_high(high, i); +- if (mpz_cmp(left->key->value, low) >= 0 && +- mpz_cmp(right->key->value, high) <= 0) { +- range = expr_clone(i->key); +- goto out; +- } +- break; +- default: +- break; +- } +- } +-out: +- mpz_clear(low); +- mpz_clear(high); +- +- return range; +-} +- +-static struct expr *get_set_interval_end(const struct table *table, +- const char *set_name, +- struct expr *left) +-{ +- struct expr *i, *range = NULL; +- struct set *set; +- mpz_t low, high; ++ range_expr_value_low(val, i); ++ if (left && mpz_cmp(left->key->value, val)) ++ break; + +- set = set_lookup(table, set_name); +- mpz_init2(low, set->key->len); +- mpz_init2(high, set->key->len); ++ range_expr_value_high(val, i); ++ if (right && mpz_cmp(right->key->value, val)) ++ break; + +- list_for_each_entry(i, &set->init->expressions, list) { +- switch (i->key->etype) { +- case EXPR_RANGE: +- range_expr_value_low(low, i); +- if (mpz_cmp(low, left->key->value) == 0) { +- range = expr_clone(i->key); +- goto out; +- } +- break; ++ range = expr_clone(i->key); ++ goto out; + default: + break; + } + } + out: +- mpz_clear(low); +- mpz_clear(high); ++ mpz_clear(val); + + return range; + } +@@ -767,9 +735,9 @@ int get_set_decompose(struct table *table, struct set *set) + left = NULL; + } else { + if (left) { +- range = get_set_interval_end(table, +- set->handle.set.name, +- left); ++ range = get_set_interval_find(table, ++ set->handle.set.name, ++ left, NULL); + if (range) + compound_expr_add(new_init, range); + else +@@ -780,7 +748,8 @@ int get_set_decompose(struct table *table, struct set *set) + } + } + if (left) { +- range = get_set_interval_end(table, set->handle.set.name, left); ++ range = get_set_interval_find(table, set->handle.set.name, ++ left, NULL); + if (range) + compound_expr_add(new_init, range); + else +-- +1.8.3.1 + diff --git a/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch b/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch new file mode 100644 index 0000000..78e70d9 --- /dev/null +++ b/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch @@ -0,0 +1,41 @@ +From 4337d4eafe66b594b56b43261c8742d6b65d5ee8 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 30 Jun 2020 16:20:23 +0200 +Subject: [PATCH] tests: 0034get_element_0: do not discard stderr + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235 +Upstream Status: nftables commit ff29e6c09aed9 + +commit ff29e6c09aed922a42e0e0551c34dd5d87067512 +Author: Florian Westphal +Date: Sat Feb 22 00:02:25 2020 +0100 + + tests: 0034get_element_0: do not discard stderr + + run_tests.sh alreadty discards stderr by default, but will show it in + case the test script is run directly (passed as argument). + + Discarding stderr also in the script prevents one from seeing + BUG() assertions and the like. + + Signed-off-by: Florian Westphal +--- + tests/shell/testcases/sets/0034get_element_0 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0 +index c7e7298..e23dbda 100755 +--- a/tests/shell/testcases/sets/0034get_element_0 ++++ b/tests/shell/testcases/sets/0034get_element_0 +@@ -3,7 +3,7 @@ + RC=0 + + check() { # (elems, expected) +- out=$($NFT get element ip t s "{ $1 }" 2>/dev/null) ++ out=$($NFT get element ip t s "{ $1 }") + out=$(grep "elements =" <<< "$out") + out="${out#* \{ }" + out="${out% \}}" +-- +1.8.3.1 + diff --git a/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch b/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch new file mode 100644 index 0000000..22cb037 --- /dev/null +++ b/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch @@ -0,0 +1,135 @@ +From 3a2016f539e46183965bada40946e259c33158d9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 30 Jun 2020 16:20:23 +0200 +Subject: [PATCH] segtree: Fix get element command with prefixes + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235 +Upstream Status: nftables commit 506fb113f7ca4 + +commit 506fb113f7ca4fbb3d6da09ef6f9dc2b31f54a1f +Author: Phil Sutter +Date: Thu Apr 30 14:02:44 2020 +0200 + + segtree: Fix get element command with prefixes + + Code wasn't aware of prefix elements in interval sets. With previous + changes in place, they merely need to be accepted in + get_set_interval_find() - value comparison and expression duplication is + identical to ranges. + + Extend sets/0034get_element_0 test to cover prefixes as well. While + being at it, also cover concatenated ranges. + + Signed-off-by: Phil Sutter +--- + src/segtree.c | 1 + + tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++++++++-------- + 2 files changed, 45 insertions(+), 18 deletions(-) + +diff --git a/src/segtree.c b/src/segtree.c +index 6e1f696..073c6ec 100644 +--- a/src/segtree.c ++++ b/src/segtree.c +@@ -689,6 +689,7 @@ static struct expr *get_set_interval_find(const struct table *table, + + list_for_each_entry(i, &set->init->expressions, list) { + switch (i->key->etype) { ++ case EXPR_PREFIX: + case EXPR_RANGE: + range_expr_value_low(val, i); + if (left && mpz_cmp(left->key->value, val)) +diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0 +index e23dbda..3343529 100755 +--- a/tests/shell/testcases/sets/0034get_element_0 ++++ b/tests/shell/testcases/sets/0034get_element_0 +@@ -2,43 +2,69 @@ + + RC=0 + +-check() { # (elems, expected) +- out=$($NFT get element ip t s "{ $1 }") ++check() { # (set, elems, expected) ++ out=$($NFT get element ip t $1 "{ $2 }") + out=$(grep "elements =" <<< "$out") + out="${out#* \{ }" + out="${out% \}}" +- [[ "$out" == "$2" ]] && return +- echo "ERROR: asked for '$1', expecting '$2' but got '$out'" ++ [[ "$out" == "$3" ]] && return ++ echo "ERROR: asked for '$2' in set $1, expecting '$3' but got '$out'" + ((RC++)) + } + + RULESET="add table ip t + add set ip t s { type inet_service; flags interval; } + add element ip t s { 10, 20-30, 40, 50-60 } ++add set ip t ips { type ipv4_addr; flags interval; } ++add element ip t ips { 10.0.0.1, 10.0.0.5-10.0.0.8 } ++add element ip t ips { 10.0.0.128/25, 10.0.1.0/24, 10.0.2.3-10.0.2.12 } ++add set ip t cs { type ipv4_addr . inet_service; flags interval; } ++add element ip t cs { 10.0.0.1 . 22, 10.1.0.0/16 . 1-1024 } ++add element ip t cs { 10.2.0.1-10.2.0.8 . 1024-65535 } + " + + $NFT -f - <<< "$RULESET" + + # simple cases, (non-)existing values and ranges +-check 10 10 +-check 11 "" +-check 20-30 20-30 +-check 15-18 "" ++check s 10 10 ++check s 11 "" ++check s 20-30 20-30 ++check s 15-18 "" + + # multiple single elements, ranges smaller than present +-check "10, 40" "10, 40" +-check "22-24, 26-28" "20-30, 20-30" +-check 21-29 20-30 ++check s "10, 40" "10, 40" ++check s "22-24, 26-28" "20-30, 20-30" ++check s 21-29 20-30 + + # mixed single elements and ranges +-check "10, 20" "10, 20-30" +-check "10, 22" "10, 20-30" +-check "10, 22-24" "10, 20-30" ++check s "10, 20" "10, 20-30" ++check s "10, 22" "10, 20-30" ++check s "10, 22-24" "10, 20-30" + + # non-existing ranges matching elements +-check 10-40 "" +-check 10-20 "" +-check 10-25 "" +-check 25-55 "" ++check s 10-40 "" ++check s 10-20 "" ++check s 10-25 "" ++check s 25-55 "" ++ ++# playing with IPs, ranges and prefixes ++check ips 10.0.0.1 10.0.0.1 ++check ips 10.0.0.2 "" ++check ips 10.0.1.0/24 10.0.1.0/24 ++check ips 10.0.1.2/31 10.0.1.0/24 ++check ips 10.0.1.0 10.0.1.0/24 ++check ips 10.0.1.3 10.0.1.0/24 ++check ips 10.0.1.255 10.0.1.0/24 ++check ips 10.0.2.3-10.0.2.12 10.0.2.3-10.0.2.12 ++check ips 10.0.2.10 10.0.2.3-10.0.2.12 ++check ips 10.0.2.12 10.0.2.3-10.0.2.12 ++ ++# test concatenated ranges, i.e. Pi, Pa and Po ++check cs "10.0.0.1 . 22" "10.0.0.1 . 22" ++check cs "10.0.0.1 . 23" "" ++check cs "10.0.0.2 . 22" "" ++check cs "10.1.0.1 . 42" "10.1.0.0/16 . 1-1024" ++check cs "10.1.1.0/24 . 10-20" "10.1.0.0/16 . 1-1024" ++check cs "10.2.0.3 . 20000" "10.2.0.1-10.2.0.8 . 1024-65535" + + exit $RC +-- +1.8.3.1 + diff --git a/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch b/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch new file mode 100644 index 0000000..6f68126 --- /dev/null +++ b/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch @@ -0,0 +1,45 @@ +From 77a93baa622f8aa33fa6182d72b380d980e39574 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Sat, 8 Aug 2020 00:09:06 +0200 +Subject: [PATCH] include: Resync nf_tables.h cache copy + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820684 +Upstream Status: nftables commit f1e5a0499c077 + +commit f1e5a0499c0773f18bc592dd0da0340120daa482 +Author: Stefano Brivio +Date: Mon Apr 13 21:48:02 2020 +0200 + + include: Resync nf_tables.h cache copy + + Get this header in sync with nf.git as of commit ef516e8625dd. + + Signed-off-by: Stefano Brivio + Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter/nf_tables.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h +index 1a99df3..9b54a86 100644 +--- a/include/linux/netfilter/nf_tables.h ++++ b/include/linux/netfilter/nf_tables.h +@@ -274,6 +274,7 @@ enum nft_rule_compat_attributes { + * @NFT_SET_TIMEOUT: set uses timeouts + * @NFT_SET_EVAL: set can be updated from the evaluation path + * @NFT_SET_OBJECT: set contains stateful objects ++ * @NFT_SET_CONCAT: set contains a concatenation + */ + enum nft_set_flags { + NFT_SET_ANONYMOUS = 0x1, +@@ -283,6 +284,7 @@ enum nft_set_flags { + NFT_SET_TIMEOUT = 0x10, + NFT_SET_EVAL = 0x20, + NFT_SET_OBJECT = 0x40, ++ NFT_SET_CONCAT = 0x80, + }; + + /** +-- +1.8.3.1 + diff --git a/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch b/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch new file mode 100644 index 0000000..60b1a0d --- /dev/null +++ b/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch @@ -0,0 +1,72 @@ +From 5566405cc171c8fa84e0a13ea96b89245a3fb512 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Sat, 8 Aug 2020 00:05:48 +0200 +Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated + ranges + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820684 +Upstream Status: nftables commit 09441b5e92cee + +commit 09441b5e92ceea60198a35cd657904fa7a10ee54 +Author: Stefano Brivio +Date: Mon Apr 13 21:48:03 2020 +0200 + + src: Set NFT_SET_CONCAT flag for sets with concatenated ranges + + Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support + for concatenated set ranges"), crashes with older kernels (< 5.6) + without support for concatenated set ranges: those sets will be sent + to the kernel, which adds them without notion of the fact that + different concatenated fields are actually included, and nft crashes + while trying to list this kind of malformed concatenation. + + Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd + ("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when + sets including concatenated ranges are sent to the kernel, so that + older kernels (with no knowledge of this flag itself) will refuse set + creation. + + Note that, in expr_evaluate_set(), we have to check for the presence + of the flag, also on empty sets that might carry it in context data, + and actually set it in the actual set flags. + + Reported-by: Pablo Neira Ayuso + Signed-off-by: Stefano Brivio + Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 0c84816..f66251b 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) + set->size += i->size - 1; + set->set_flags |= i->set_flags; + expr_free(i); +- } else if (!expr_is_singleton(i)) ++ } else if (!expr_is_singleton(i)) { + set->set_flags |= NFT_SET_INTERVAL; ++ if (i->key->etype == EXPR_CONCAT) ++ set->set_flags |= NFT_SET_CONCAT; ++ } + } + ++ if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT)) ++ set->set_flags |= NFT_SET_CONCAT; ++ + set->set_flags |= NFT_SET_CONSTANT; + + datatype_set(set, ctx->ectx.dtype); +@@ -3336,6 +3342,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) + memcpy(&set->desc.field_len, &set->key->field_len, + sizeof(set->desc.field_len)); + set->desc.field_count = set->key->field_count; ++ set->flags |= NFT_SET_CONCAT; + } + + if (set_is_datamap(set->flags)) { +-- +1.8.3.1 + diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 26fbd56..741a21a 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,5 +1,5 @@ %define rpmversion 0.9.3 -%define specrelease 12%{?dist}.1 +%define specrelease 16%{?dist} Name: nftables Version: %{rpmversion} @@ -38,8 +38,16 @@ Patch18: 0018-parser-add-a-helper-for-concat-expression-handling.patc Patch19: 0019-include-resync-nf_tables.h-cache-copy.patch Patch20: 0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch Patch21: 0021-src-Add-support-for-concatenated-set-ranges.patch -Patch22: 0022-include-Resync-nf_tables.h-cache-copy.patch -Patch23: 0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch +Patch22: 0022-parser_json-Support-ranges-in-concat-expressions.patch +Patch23: 0023-doc-Document-notrack-statement.patch +Patch24: 0024-JSON-Improve-performance-of-json_events_cb.patch +Patch25: 0025-segtree-Fix-missing-expires-value-in-prefixes.patch +Patch26: 0026-segtree-Use-expr_clone-in-get_set_interval_.patch +Patch27: 0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch +Patch28: 0028-tests-0034get_element_0-do-not-discard-stderr.patch +Patch29: 0029-segtree-Fix-get-element-command-with-prefixes.patch +Patch30: 0030-include-Resync-nf_tables.h-cache-copy.patch +Patch31: 0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch BuildRequires: autogen BuildRequires: autoconf @@ -156,9 +164,23 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py %{python3_sitelib}/nftables/ %changelog -* Thu Aug 20 2020 Phil Sutter [0.9.3-12.el8.1] -- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1854532] -- include: Resync nf_tables.h cache copy (Phil Sutter) [1854532] +* Sat Aug 08 2020 Phil Sutter [0.9.3-16.el8] +- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1820684] +- include: Resync nf_tables.h cache copy (Phil Sutter) [1820684] + +* Tue Jun 30 2020 Phil Sutter [0.9.3-15.el8] +- segtree: Fix get element command with prefixes (Phil Sutter) [1832235] +- tests: 0034get_element_0: do not discard stderr (Phil Sutter) [1832235] +- segtree: Merge get_set_interval_find() and get_set_interval_end() (Phil Sutter) [1832235] +- segtree: Use expr_clone in get_set_interval_*() (Phil Sutter) [1832235] +- segtree: Fix missing expires value in prefixes (Phil Sutter) [1832235] + +* Wed Jun 24 2020 Phil Sutter [0.9.3-14.el8] +- JSON: Improve performance of json_events_cb() (Phil Sutter) [1835300] +- doc: Document notrack statement (Phil Sutter) [1841292] + +* Wed May 27 2020 Phil Sutter [0.9.3-13.el8] +- parser_json: Support ranges in concat expressions (Phil Sutter) [1805798] * Thu Mar 26 2020 Phil Sutter [0.9.3-12.el8] - Restore default config to be empty (Phil Sutter) [1694723]