diff --git a/SOURCES/0023-doc-Document-notrack-statement.patch b/SOURCES/0023-doc-Document-notrack-statement.patch new file mode 100644 index 0000000..4c31fc5 --- /dev/null +++ b/SOURCES/0023-doc-Document-notrack-statement.patch @@ -0,0 +1,51 @@ +From f7a31d5c3277b29f104fd8ff48df24c8bc790f19 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 24 Jun 2020 18:46:39 +0200 +Subject: [PATCH] doc: Document notrack statement + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1841292 +Upstream Status: nftables commit f16fbe76f62dc + +commit f16fbe76f62dcb9f7395d1837ad2d056463ba55f +Author: Phil Sutter +Date: Mon Jun 22 15:07:40 2020 +0200 + + doc: Document notrack statement + + Merely a stub, but better to mention it explicitly instead of having it + appear in synproxy examples and letting users guess as to what it does. + + Signed-off-by: Phil Sutter + Reviewed-by: Florian Westphal +--- + doc/statements.txt | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/doc/statements.txt b/doc/statements.txt +index 3b82436..749533a 100644 +--- a/doc/statements.txt ++++ b/doc/statements.txt +@@ -262,6 +262,20 @@ table inet raw { + ct event set new,related,destroy + -------------------------------------- + ++NOTRACK STATEMENT ++~~~~~~~~~~~~~~~~~ ++The notrack statement allows to disable connection tracking for certain ++packets. ++ ++[verse] ++*notrack* ++ ++Note that for this statement to be effective, it has to be applied to packets ++before a conntrack lookup happens. Therefore, it needs to sit in a chain with ++either prerouting or output hook and a hook priority of -300 or less. ++ ++See SYNPROXY STATEMENT for an example usage. ++ + META STATEMENT + ~~~~~~~~~~~~~~ + A meta statement sets the value of a meta expression. The existing meta fields +-- +1.8.3.1 + diff --git a/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch b/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch new file mode 100644 index 0000000..f7ed167 --- /dev/null 
+++ b/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch
@@ -0,0 +1,53 @@
+From 58d8baa70172bb9862276ac5f542248c88d3faf4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 24 Jun 2020 18:48:14 +0200
+Subject: [PATCH] JSON: Improve performance of json_events_cb()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1835300
+Upstream Status: nftables commit c96c7da272e33
+
+commit c96c7da272e33a34770c4de4e3e50f7ed264672e
+Author: Phil Sutter
+Date: Wed May 13 16:29:51 2020 +0200
+
+ JSON: Improve performance of json_events_cb()
+
+ The function tries to insert handles into JSON input for echo option.
+ Yet there may be nothing to do if the given netlink message doesn't
+ contain a handle, e.g. if it is an 'add element' command. Calling
+ seqnum_to_json() is pointless overhead in that case, and if input is
+ large this overhead is significant. Better wait with that call until
+ after checking if the message is relevant at all.
+
+ Signed-off-by: Phil Sutter
+ Acked-by: Eric Garver
+---
+ src/parser_json.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/parser_json.c b/src/parser_json.c
+index c48faa8..ce8e566 100644
+--- a/src/parser_json.c
++++ b/src/parser_json.c
+@@ -3845,12 +3845,15 @@ static uint64_t handle_from_nlmsg(const struct nlmsghdr *nlh)
+ }
+ int json_events_cb(const struct nlmsghdr *nlh, struct netlink_mon_handler *monh)
+ {
+- json_t *tmp, *json = seqnum_to_json(nlh->nlmsg_seq);
+ uint64_t handle = handle_from_nlmsg(nlh);
++ json_t *tmp, *json;
+ void *iter;
+
+- /* might be anonymous set, ignore message */
+- if (!json || !handle)
++ if (!handle)
++ return MNL_CB_OK;
++
++ json = seqnum_to_json(nlh->nlmsg_seq);
++ if (!json)
+ return MNL_CB_OK;
+
+ tmp = json_object_get(json, "add");
+--
+1.8.3.1
+
diff --git a/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch b/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch
new file mode 100644
index 0000000..3f829d4
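Review bot: The explanatory comment `/* might be anonymous set, ignore message */` is deleted together with the old combined check, so the new early return `if (!handle)` in json_events_cb() no longer says why a message without a handle is skipped, and the reasoning now lives only in the commit message. I'd restore a comment above that line, e.g. `/* no handle to insert (anonymous set, 'add element', ...): ignore message */`, and add one ahead of the second return, such as `/* no pending echo command for this seqnum */`, if that is what a NULL from seqnum_to_json() means — I can't confirm that from the hunk. json_events_cb() continues outside the hunk.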
--- /dev/null
+++ b/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch
@@ -0,0 +1,42 @@
+From ab62f33df5ef33f6eff8d88d9475a01822a2f625 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 30 Jun 2020 16:20:22 +0200
+Subject: [PATCH] segtree: Fix missing expires value in prefixes
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235
+Upstream Status: nftables commit 60ba9c22fecc0
+
+commit 60ba9c22fecc0ca9bb2a61f6ad39bceed1aee38f
+Author: Phil Sutter
+Date: Tue Apr 28 20:54:03 2020 +0200
+
+ segtree: Fix missing expires value in prefixes
+
+ This probable copy'n'paste bug prevented 'expiration' field from being
+ populated when turning a range into a prefix in
+ interval_map_decompose(). Consequently, interval sets with timeout did
+ print expiry value for ranges (such as 10.0.0.1-10.0.0.5) but not
+ prefixes (10.0.0.0/8, for instance).
+
+ Fixes: bb0e6d8a2851b ("segtree: incorrect handling of comments and timeouts with mapping")
+ Signed-off-by: Phil Sutter
+---
+ src/segtree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index e859f84..1ba4363 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -1086,7 +1086,7 @@ void interval_map_decompose(struct expr *set)
+ prefix->comment = xstrdup(low->comment);
+ if (low->timeout)
+ prefix->timeout = low->timeout;
+- if (low->left->expiration)
++ if (low->expiration)
+ prefix->expiration = low->expiration;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch b/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch
new file mode 100644
index 0000000..5b3fd97
--- /dev/null
+++ b/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch
@@ -0,0 +1,55 @@
+From 119fbcbd8c37aac314d6ffa6225ab24ee4b0e31e Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 30 Jun 2020 16:20:23 +0200
+Subject: [PATCH] segtree: Use expr_clone in get_set_interval_*()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235
+Upstream Status: nftables commit a2eedcc89d2ed
+
+commit a2eedcc89d2ed40411c26d53579300c4f1ccb83d
+Author: Phil Sutter
+Date: Thu Apr 30 13:45:40 2020 +0200
+
+ segtree: Use expr_clone in get_set_interval_*()
+
+ Both functions perform interval set lookups with either start and end or
+ only start values as input. Interestingly, in practice they either see
+ values which are not contained or which match an existing range exactly.
+
+ Make use of the above and just return a clone of the matching entry
+ instead of creating a new one based on input data.
+
+ Signed-off-by: Phil Sutter
+---
+ src/segtree.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index 1ba4363..dc4db6b 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -695,9 +695,7 @@ static struct expr *get_set_interval_find(const struct table *table,
+ range_expr_value_high(high, i);
+ if (mpz_cmp(left->key->value, low) >= 0 &&
+ mpz_cmp(right->key->value, high) <= 0) {
+- range = range_expr_alloc(&internal_location,
+- expr_clone(left->key),
+- expr_clone(right->key));
++ range = expr_clone(i->key);
+ goto out;
+ }
+ break;
+@@ -729,9 +727,7 @@ static struct expr *get_set_interval_end(const struct table *table,
+ case EXPR_RANGE:
+ range_expr_value_low(low, i);
+ if (mpz_cmp(low, left->key->value) == 0) {
+- range = range_expr_alloc(&internal_location,
+- expr_clone(left->key),
+- expr_clone(i->key->right));
++ range = expr_clone(i->key);
+ goto out;
+ }
+ break;
+--
+1.8.3.1
+
diff --git a/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch b/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch new file mode 100644 index 0000000..f67ee6b --- /dev/null +++ b/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch @@ -0,0 +1,131 @@ +From 40cdcccf0fc6f4d0d4c2248d4bd9bf3193a922e9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 30 Jun 2020 16:20:23 +0200 +Subject: [PATCH] segtree: Merge get_set_interval_find() and + get_set_interval_end() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235 +Upstream Status: nftables commit f21e73d6700b8 + +commit f21e73d6700b873eb1a295f43bbad9caaca577e2 +Author: Phil Sutter +Date: Thu Apr 30 13:57:35 2020 +0200 + + segtree: Merge get_set_interval_find() and get_set_interval_end() + + Both functions were very similar already. Under the assumption that they + will always either see a range (or start of) that matches exactly or not + at all, reduce complexity and make get_set_interval_find() accept NULL + (left or) right values. This way it becomes a full replacement for + get_set_interval_end(). + + 
Signed-off-by: Phil Sutter +--- + src/segtree.c | 63 +++++++++++++++-------------------------------------------- + 1 file changed, 16 insertions(+), 47 deletions(-) + +diff --git a/src/segtree.c b/src/segtree.c +index dc4db6b..6e1f696 100644 +--- a/src/segtree.c ++++ b/src/segtree.c +@@ -681,63 +681,31 @@ static struct expr *get_set_interval_find(const struct table *table, + { + struct expr *range = NULL; + struct set *set; +- mpz_t low, high; + struct expr *i; ++ mpz_t val; + + set = set_lookup(table, set_name); +- mpz_init2(low, set->key->len); +- mpz_init2(high, set->key->len); ++ mpz_init2(val, set->key->len); + + list_for_each_entry(i, &set->init->expressions, list) { + switch (i->key->etype) { + case EXPR_RANGE: +- range_expr_value_low(low, i); +- range_expr_value_high(high, i); +- if (mpz_cmp(left->key->value, low) >= 0 && +- mpz_cmp(right->key->value, high) <= 0) { +- range = expr_clone(i->key); +- goto out; +- } +- break; +- default: +- break; +- } +- } +-out: +- mpz_clear(low); +- mpz_clear(high); +- +- return range; +-} +- +-static struct expr *get_set_interval_end(const struct table *table, +- const char *set_name, +- struct expr *left) +-{ +- struct expr *i, *range = NULL; +- struct set *set; +- mpz_t low, high; ++ range_expr_value_low(val, i); ++ if (left && mpz_cmp(left->key->value, val)) ++ break; + +- set = set_lookup(table, set_name); +- mpz_init2(low, set->key->len); +- mpz_init2(high, set->key->len); ++ range_expr_value_high(val, i); ++ if (right && mpz_cmp(right->key->value, val)) ++ break; + +- list_for_each_entry(i, &set->init->expressions, list) { +- switch (i->key->etype) { +- case EXPR_RANGE: +- range_expr_value_low(low, i); +- if (mpz_cmp(low, left->key->value) == 0) { +- range = expr_clone(i->key); +- goto out; +- } +- break; ++ range = expr_clone(i->key); ++ goto out; + default: + break; + } + } + out: +- mpz_clear(low); +- mpz_clear(high); ++ mpz_clear(val); + + return range; + } +@@ -767,9 +735,9 @@ int get_set_decompose(struct table 
*table, struct set *set) + left = NULL; + } else { + if (left) { +- range = get_set_interval_end(table, +- set->handle.set.name, +- left); ++ range = get_set_interval_find(table, ++ set->handle.set.name, ++ left, NULL); + if (range) + compound_expr_add(new_init, range); + else +@@ -780,7 +748,8 @@ int get_set_decompose(struct table *table, struct set *set) + } + } + if (left) { +- range = get_set_interval_end(table, set->handle.set.name, left); ++ range = get_set_interval_find(table, set->handle.set.name, ++ left, NULL); + if (range) + compound_expr_add(new_init, range); + else +-- +1.8.3.1 + diff --git a/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch b/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch new file mode 100644 index 0000000..78e70d9 --- /dev/null +++ b/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch @@ -0,0 +1,41 @@ +From 4337d4eafe66b594b56b43261c8742d6b65d5ee8 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 30 Jun 2020 16:20:23 +0200 +Subject: [PATCH] tests: 0034get_element_0: do not discard stderr + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235 +Upstream Status: nftables commit ff29e6c09aed9 + +commit ff29e6c09aed922a42e0e0551c34dd5d87067512 +Author: Florian Westphal +Date: Sat Feb 22 00:02:25 2020 +0100 + + tests: 0034get_element_0: do not discard stderr + + run_tests.sh alreadty discards stderr by default, but will show it in + case the test script is run directly (passed as argument). + + Discarding stderr also in the script prevents one from seeing + BUG() assertions and the like. + + 
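Review bot: The merged get_set_interval_find() changes its matching rule from containment (the removed `>= 0`/`<= 0` comparisons) to exact equality of the low and high bounds and now accepts NULL for `left` or `right`, but neither fact is recorded in code; its header is outside the hunk, so I'd add there a comment such as `/* Return a clone of the set element whose bounds equal left/right exactly; a NULL bound matches anything. NULL if none. */`. With both bounds NULL the new loop clones the first range it meets, which the callers in this hunk (`left, NULL`) never trigger but nothing guards against. The added `mpz_init2(val, set->key->len);` also keeps dereferencing the set_lookup() result unchecked, as the old code did; whether set_lookup() can return NULL here I can't tell from the hunk.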
Signed-off-by: Florian Westphal +--- + tests/shell/testcases/sets/0034get_element_0 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0 +index c7e7298..e23dbda 100755 +--- a/tests/shell/testcases/sets/0034get_element_0 ++++ b/tests/shell/testcases/sets/0034get_element_0 +@@ -3,7 +3,7 @@ + RC=0 + + check() { # (elems, expected) +- out=$($NFT get element ip t s "{ $1 }" 2>/dev/null) ++ out=$($NFT get element ip t s "{ $1 }") + out=$(grep "elements =" <<< "$out") + out="${out#* \{ }" + out="${out% \}}" +-- +1.8.3.1 + diff --git a/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch b/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch new file mode 100644 index 0000000..22cb037 --- /dev/null +++ b/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch @@ -0,0 +1,135 @@ +From 3a2016f539e46183965bada40946e259c33158d9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 30 Jun 2020 16:20:23 +0200 +Subject: [PATCH] segtree: Fix get element command with prefixes + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235 +Upstream Status: nftables commit 506fb113f7ca4 + +commit 506fb113f7ca4fbb3d6da09ef6f9dc2b31f54a1f +Author: Phil Sutter +Date: Thu Apr 30 14:02:44 2020 +0200 + + segtree: Fix get element command with prefixes + + Code wasn't aware of prefix elements in interval sets. With previous + changes in place, they merely need to be accepted in + get_set_interval_find() - value comparison and expression duplication is + identical to ranges. + + Extend sets/0034get_element_0 test to cover prefixes as well. While + being at it, also cover concatenated ranges. + + 
Signed-off-by: Phil Sutter +--- + src/segtree.c | 1 + + tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++++++++-------- + 2 files changed, 45 insertions(+), 18 deletions(-) + +diff --git a/src/segtree.c b/src/segtree.c +index 6e1f696..073c6ec 100644 +--- a/src/segtree.c ++++ b/src/segtree.c +@@ -689,6 +689,7 @@ static struct expr *get_set_interval_find(const struct table *table, + + list_for_each_entry(i, &set->init->expressions, list) { + switch (i->key->etype) { ++ case EXPR_PREFIX: + case EXPR_RANGE: + range_expr_value_low(val, i); + if (left && mpz_cmp(left->key->value, val)) +diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0 +index e23dbda..3343529 100755 +--- a/tests/shell/testcases/sets/0034get_element_0 ++++ b/tests/shell/testcases/sets/0034get_element_0 +@@ -2,43 +2,69 @@ + + RC=0 + +-check() { # (elems, expected) +- out=$($NFT get element ip t s "{ $1 }") ++check() { # (set, elems, expected) ++ out=$($NFT get element ip t $1 "{ $2 }") + out=$(grep "elements =" <<< "$out") + out="${out#* \{ }" + out="${out% \}}" +- [[ "$out" == "$2" ]] && return +- echo "ERROR: asked for '$1', expecting '$2' but got '$out'" ++ [[ "$out" == "$3" ]] && return ++ echo "ERROR: asked for '$2' in set $1, expecting '$3' but got '$out'" + ((RC++)) + } + + RULESET="add table ip t + add set ip t s { type inet_service; flags interval; } + add element ip t s { 10, 20-30, 40, 50-60 } ++add set ip t ips { type ipv4_addr; flags interval; } ++add element ip t ips { 10.0.0.1, 10.0.0.5-10.0.0.8 } ++add element ip t ips { 10.0.0.128/25, 10.0.1.0/24, 10.0.2.3-10.0.2.12 } ++add set ip t cs { type ipv4_addr . inet_service; flags interval; } ++add element ip t cs { 10.0.0.1 . 22, 10.1.0.0/16 . 1-1024 } ++add element ip t cs { 10.2.0.1-10.2.0.8 . 
1024-65535 } + " + + $NFT -f - <<< "$RULESET" + + # simple cases, (non-)existing values and ranges +-check 10 10 +-check 11 "" +-check 20-30 20-30 +-check 15-18 "" ++check s 10 10 ++check s 11 "" ++check s 20-30 20-30 ++check s 15-18 "" + + # multiple single elements, ranges smaller than present +-check "10, 40" "10, 40" +-check "22-24, 26-28" "20-30, 20-30" +-check 21-29 20-30 ++check s "10, 40" "10, 40" ++check s "22-24, 26-28" "20-30, 20-30" ++check s 21-29 20-30 + + # mixed single elements and ranges +-check "10, 20" "10, 20-30" +-check "10, 22" "10, 20-30" +-check "10, 22-24" "10, 20-30" ++check s "10, 20" "10, 20-30" ++check s "10, 22" "10, 20-30" ++check s "10, 22-24" "10, 20-30" + + # non-existing ranges matching elements +-check 10-40 "" +-check 10-20 "" +-check 10-25 "" +-check 25-55 "" ++check s 10-40 "" ++check s 10-20 "" ++check s 10-25 "" ++check s 25-55 "" ++ ++# playing with IPs, ranges and prefixes ++check ips 10.0.0.1 10.0.0.1 ++check ips 10.0.0.2 "" ++check ips 10.0.1.0/24 10.0.1.0/24 ++check ips 10.0.1.2/31 10.0.1.0/24 ++check ips 10.0.1.0 10.0.1.0/24 ++check ips 10.0.1.3 10.0.1.0/24 ++check ips 10.0.1.255 10.0.1.0/24 ++check ips 10.0.2.3-10.0.2.12 10.0.2.3-10.0.2.12 ++check ips 10.0.2.10 10.0.2.3-10.0.2.12 ++check ips 10.0.2.12 10.0.2.3-10.0.2.12 ++ ++# test concatenated ranges, i.e. Pi, Pa and Po ++check cs "10.0.0.1 . 22" "10.0.0.1 . 22" ++check cs "10.0.0.1 . 23" "" ++check cs "10.0.0.2 . 22" "" ++check cs "10.1.0.1 . 42" "10.1.0.0/16 . 1-1024" ++check cs "10.1.1.0/24 . 10-20" "10.1.0.0/16 . 1-1024" ++check cs "10.2.0.3 . 20000" "10.2.0.1-10.2.0.8 . 1024-65535" + + exit $RC +-- +1.8.3.1 + diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 1c4acbf..ab4e266 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,5 +1,5 @@ %define rpmversion 0.9.3 -%define specrelease 13%{?dist} +%define specrelease 15%{?dist} Name: nftables Version: %{rpmversion} 
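Review bot: In the rewritten check() helper of 0034get_element_0 the set name is interpolated unquoted as `ip t $1` while the element list is quoted as `"{ $2 }"`; the names passed are single words so it works, but `ip t "$1"` keeps the helper consistent and robust to an accidental space. In segtree.c the new `case EXPR_PREFIX:` label stacked on `case EXPR_RANGE:` relies on range_expr_value_low()/range_expr_value_high() producing a prefix's first and last value, which the commit message states but the code does not; a one-line comment above the label, `/* prefix bounds are compared exactly like range bounds */`, would record that. get_set_interval_find() starts and ends outside the hunk.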
@@ -39,6 +39,13 @@ Patch19: 0019-include-resync-nf_tables.h-cache-copy.patch Patch20: 0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch Patch21: 0021-src-Add-support-for-concatenated-set-ranges.patch Patch22: 0022-parser_json-Support-ranges-in-concat-expressions.patch +Patch23: 0023-doc-Document-notrack-statement.patch +Patch24: 0024-JSON-Improve-performance-of-json_events_cb.patch +Patch25: 0025-segtree-Fix-missing-expires-value-in-prefixes.patch +Patch26: 0026-segtree-Use-expr_clone-in-get_set_interval_.patch +Patch27: 0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch +Patch28: 0028-tests-0034get_element_0-do-not-discard-stderr.patch +Patch29: 0029-segtree-Fix-get-element-command-with-prefixes.patch BuildRequires: autogen BuildRequires: autoconf @@ -155,6 +162,17 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py %{python3_sitelib}/nftables/ %changelog +* Tue Jun 30 2020 Phil Sutter [0.9.3-15.el8] +- segtree: Fix get element command with prefixes (Phil Sutter) [1832235] +- tests: 0034get_element_0: do not discard stderr (Phil Sutter) [1832235] +- segtree: Merge get_set_interval_find() and get_set_interval_end() (Phil Sutter) [1832235] +- segtree: Use expr_clone in get_set_interval_*() (Phil Sutter) [1832235] +- segtree: Fix missing expires value in prefixes (Phil Sutter) [1832235] + +* Wed Jun 24 2020 Phil Sutter [0.9.3-14.el8] +- JSON: Improve performance of json_events_cb() (Phil Sutter) [1835300] +- doc: Document notrack statement (Phil Sutter) [1841292] + * Wed May 27 2020 Phil Sutter [0.9.3-13.el8] - parser_json: Support ranges in concat expressions (Phil Sutter) [1805798]