diff --git a/SOURCES/0003-src-avoid-errouneous-assert-with-map-concat.patch b/SOURCES/0003-src-avoid-errouneous-assert-with-map-concat.patch new file mode 100644 index 0000000..a088894 --- /dev/null +++ b/SOURCES/0003-src-avoid-errouneous-assert-with-map-concat.patch @@ -0,0 +1,63 @@ +From ed405d0eafc7b1f71013cf42f9ed550d64ec56c5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 6 Jun 2018 10:44:43 +0200 +Subject: [PATCH] src: avoid errouneous assert with map+concat + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1540917 +Upstream Status: nftables commit 483e5ea7167e1 + +commit 483e5ea7167e1537accf4cb083b88a8beea8f834 +Author: Florian Westphal +Date: Tue Mar 27 09:29:54 2018 +0200 + + src: avoid errouneous assert with map+concat + + Phil reported following assert: + + add rule ip6 f o mark set ip6 saddr . ip6 daddr . tcp dport \ + map { dead::beef . f00::. 22 : 1 } + nft: netlink_linearize.c:655: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed. + + This happens because "mark set" will allocate one register (the dreg), + but netlink_gen_concat_expr will populate a lot more register space if + the concat expression strings a lot of expressions together. + + As the assert is useful pseudo-reserve the register space as per + concat->len and undo after generating the expressions. + + Reported-by: Phil Sutter + Signed-off-by: Florian Westphal +--- + src/netlink_linearize.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c +index a268dcc..e9a4515 100644 +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -243,6 +243,7 @@ static void netlink_gen_map(struct netlink_linearize_ctx *ctx, + { + struct nftnl_expr *nle; + enum nft_registers sreg; ++ int regspace = 0; + + assert(expr->mappings->ops->type == EXPR_SET_REF); + +@@ -251,7 +252,14 @@ static void netlink_gen_map(struct netlink_linearize_ctx *ctx, + else + sreg = dreg; + ++ /* suppress assert in netlink_gen_expr */ ++ if (expr->map->ops->type == EXPR_CONCAT) { ++ regspace = netlink_register_space(expr->map->len); ++ ctx->reg_low += regspace; ++ } ++ + netlink_gen_expr(ctx, expr->map, sreg); ++ ctx->reg_low -= regspace; + + nle = alloc_nft_expr("lookup"); + netlink_put_register(nle, NFTNL_EXPR_LOOKUP_SREG, sreg); +-- +1.8.3.1 + diff --git a/SOURCES/0004-Review-switch-statements-for-unmarked-fall-through-c.patch b/SOURCES/0004-Review-switch-statements-for-unmarked-fall-through-c.patch new file mode 100644 index 0000000..7efb3ef --- /dev/null +++ b/SOURCES/0004-Review-switch-statements-for-unmarked-fall-through-c.patch @@ -0,0 +1,121 @@ +From 8a8b80fafcbf3843e1736daff707b7cb5b64f31f Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:00 +0200 +Subject: [PATCH] Review switch statements for unmarked fall through cases + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit 7f31d3191622b + +commit 7f31d3191622b650521014e311ace96aa7c5522c +Author: Phil Sutter +Date: Wed Feb 28 16:06:16 2018 +0100 + + Review switch statements for unmarked fall through cases + + While revisiting all of them, clear a few oddities as well: + + - There's no point in marking empty fall through cases: They are easy to + spot and a common concept when using switch(). + + - Fix indenting of break statement in one occasion. + + - Drop needless braces around one case which doesn't declare variables. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal +--- + src/ct.c | 2 +- + src/evaluate.c | 1 + + src/hash.c | 2 +- + src/netlink_delinearize.c | 1 + + src/rule.c | 5 +++-- + 5 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/ct.c b/src/ct.c +index 8ab32e9..1e06013 100644 +--- a/src/ct.c ++++ b/src/ct.c +@@ -289,7 +289,7 @@ static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto, + } + + switch (key) { +- case NFT_CT_SRC: /* fallthrough */ ++ case NFT_CT_SRC: + case NFT_CT_DST: + desc = proto_find_upper(&proto_inet, nfproto); + if (desc) +diff --git a/src/evaluate.c b/src/evaluate.c +index f16bb33..25a7376 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2705,6 +2705,7 @@ static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt) + + map->mappings->set->flags |= + map->mappings->set->init->set_flags; ++ /* fall through */ + case EXPR_SYMBOL: + if (expr_evaluate(ctx, &map->mappings) < 0) + return -1; +diff --git a/src/hash.c b/src/hash.c +index 9cd3c8c..3355cad 100644 +--- a/src/hash.c ++++ b/src/hash.c +@@ -20,7 +20,7 @@ static void hash_expr_print(const struct expr *expr, struct output_ctx *octx) + switch (expr->hash.type) { + case NFT_HASH_SYM: + nft_print(octx, "symhash"); +- break; ++ break; + case NFT_HASH_JENKINS: + default: + nft_print(octx, "jhash "); +diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c +index 11fd330..61cba52 100644 +--- a/src/netlink_delinearize.c ++++ b/src/netlink_delinearize.c +@@ -1411,6 +1411,7 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx, + case OP_NEQ: + if (right->ops->type != EXPR_SET && right->ops->type != EXPR_SET_REF) + break; ++ /* fall through */ + case OP_LOOKUP: + expr_set_type(right, left->dtype, left->byteorder); + break; +diff --git a/src/rule.c b/src/rule.c +index d744cf6..e7ccb2b 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -1297,7 +1297,7 @@ static void obj_print_data(const struct obj *obj, + } + } + break; +- case NFT_OBJECT_CT_HELPER: { ++ case NFT_OBJECT_CT_HELPER: + nft_print(octx, "ct helper %s {\n", obj->handle.obj); + nft_print(octx, "\t\ttype \"%s\" protocol ", + obj->ct_helper.name); +@@ -1305,7 +1305,6 @@ static void obj_print_data(const struct obj *obj, + nft_print(octx, "\t\tl3proto %s", + family2str(obj->ct_helper.l3proto)); + break; +- } + case NFT_OBJECT_LIMIT: { + bool inv = obj->limit.flags & NFT_LIMIT_F_INV; + const char *data_unit; +@@ -1617,11 +1616,13 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd) + switch (cmd->obj) { + case CMD_OBJ_COUNTERS: + dump = true; ++ /* fall through */ + case CMD_OBJ_COUNTER: + type = NFT_OBJECT_COUNTER; + break; + case CMD_OBJ_QUOTAS: + dump = true; ++ /* fall through */ + case CMD_OBJ_QUOTA: + type = NFT_OBJECT_QUOTA; + break; +-- +1.8.3.1 + diff --git a/SOURCES/0005-monitor-Make-trace-events-respect-output_fp.patch b/SOURCES/0005-monitor-Make-trace-events-respect-output_fp.patch new file mode 100644 index 0000000..8768802 --- /dev/null +++ b/SOURCES/0005-monitor-Make-trace-events-respect-output_fp.patch @@ -0,0 +1,128 @@ +From 696fd8bbb2c654a1d16849fef0f0ae362739def4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:00 +0200 +Subject: [PATCH] monitor: Make trace events respect output_fp + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit 657472843e7a7 + +commit 657472843e7a7a4bc7f756356e6636b1f197b745 +Author: Phil Sutter +Date: Wed Feb 28 16:04:27 2018 +0100 + + monitor: Make trace events respect output_fp + + Seems like this was incompletely converted, part of the output went to + output_fp already. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/netlink.c | 38 +++++++++++++++++++++----------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +diff --git a/src/netlink.c b/src/netlink.c +index 5d6f5ce..d839ded 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -2587,14 +2587,18 @@ static void netlink_events_cache_update(struct netlink_mon_handler *monh, + } + } + +-static void trace_print_hdr(const struct nftnl_trace *nlt) ++static void trace_print_hdr(const struct nftnl_trace *nlt, ++ struct output_ctx *octx) + { +- printf("trace id %08x ", nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID)); +- printf("%s ", family2str(nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY))); ++ nft_print(octx, "trace id %08x %s ", ++ nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID), ++ family2str(nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY))); + if (nftnl_trace_is_set(nlt, NFTNL_TRACE_TABLE)) +- printf("%s ", nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE)); ++ nft_print(octx, "%s ", ++ nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE)); + if (nftnl_trace_is_set(nlt, NFTNL_TRACE_CHAIN)) +- printf("%s ", nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN)); ++ nft_print(octx, "%s ", ++ nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN)); + } + + static void trace_print_expr(const struct nftnl_trace *nlt, unsigned int attr, +@@ -2611,7 +2615,7 @@ static void trace_print_expr(const struct nftnl_trace *nlt, unsigned int attr, + rel = relational_expr_alloc(&netlink_location, OP_EQ, lhs, rhs); + + expr_print(rel, octx); +- printf(" "); ++ nft_print(octx, " "); + expr_free(rel); + } + +@@ -2661,12 +2665,12 @@ static void trace_print_rule(const struct nftnl_trace *nlt, + if (!rule) + return; + +- trace_print_hdr(nlt); +- printf("rule "); ++ trace_print_hdr(nlt, octx); ++ nft_print(octx, "rule "); + rule_print(rule, octx); +- printf(" ("); ++ nft_print(octx, " ("); + trace_print_verdict(nlt, octx); +- printf(")\n"); ++ nft_print(octx, ")\n"); + } + + static void trace_gen_stmts(struct list_head *stmts, +@@ -2775,9 +2779,9 @@ static void trace_print_packet(const struct nftnl_trace *nlt, + uint32_t nfproto; + struct stmt *stmt, *next; + +- trace_print_hdr(nlt); ++ trace_print_hdr(nlt, octx); + +- printf("packet: "); ++ nft_print(octx, "packet: "); + if (nftnl_trace_is_set(nlt, NFTNL_TRACE_IIF)) + trace_print_expr(nlt, NFTNL_TRACE_IIF, + meta_expr_alloc(&netlink_location, +@@ -2813,10 +2817,10 @@ static void trace_print_packet(const struct nftnl_trace *nlt, + + list_for_each_entry_safe(stmt, next, &stmts, list) { + stmt_print(stmt, octx); +- printf(" "); ++ nft_print(octx, " "); + stmt_free(stmt); + } +- printf("\n"); ++ nft_print(octx, "\n"); + } + + static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type, +@@ -2844,11 +2848,11 @@ static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type, + break; + case NFT_TRACETYPE_POLICY: + case NFT_TRACETYPE_RETURN: +- trace_print_hdr(nlt); ++ trace_print_hdr(nlt, monh->ctx->octx); + + if (nftnl_trace_is_set(nlt, NFTNL_TRACE_VERDICT)) { + trace_print_verdict(nlt, monh->ctx->octx); +- printf(" "); ++ nft_mon_print(monh, " "); + } + + if (nftnl_trace_is_set(nlt, NFTNL_TRACE_MARK)) +@@ -2856,7 +2860,7 @@ static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type, + meta_expr_alloc(&netlink_location, + NFT_META_MARK), + monh->ctx->octx); +- printf("\n"); ++ nft_mon_print(monh, "\n"); + break; + } + +-- +1.8.3.1 + diff --git a/SOURCES/0006-monitor-Make-JSON-XML-output-respect-output_fp.patch b/SOURCES/0006-monitor-Make-JSON-XML-output-respect-output_fp.patch new file mode 100644 index 0000000..dc961d6 --- /dev/null +++ b/SOURCES/0006-monitor-Make-JSON-XML-output-respect-output_fp.patch @@ -0,0 +1,120 @@ +From fa5ccccd164b7285c4d105265ece4ea7ccdd996a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:00 +0200 +Subject: [PATCH] monitor: Make JSON/XML output respect output_fp + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit 59034b47590d7 + +commit 59034b47590d7cd19ba2fda24bf4426c355f95bc +Author: Phil Sutter +Date: Wed Feb 28 16:04:28 2018 +0100 + + monitor: Make JSON/XML output respect output_fp + + Make sure events callbacks print to output_ctx-defined stream for any + type of output format. + + Since all of them use nft_print() as last call (if anything is printed + at all), the final call to fflush() in netlink_events_cb() can be + dropped. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/netlink.c | 37 ++++++++++++++++++------------------- + 1 file changed, 18 insertions(+), 19 deletions(-) + +diff --git a/src/netlink.c b/src/netlink.c +index d839ded..ca0e207 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -2015,9 +2015,9 @@ static int netlink_events_table_cb(const struct nlmsghdr *nlh, int type, + break; + case NFTNL_OUTPUT_XML: + case NFTNL_OUTPUT_JSON: +- nftnl_table_fprintf(stdout, nlt, monh->format, +- netlink_msg2nftnl_of(type)); +- fprintf(stdout, "\n"); ++ nftnl_table_fprintf(monh->ctx->octx->output_fp, nlt, ++ monh->format, netlink_msg2nftnl_of(type)); ++ nft_mon_print(monh, "\n"); + break; + } + +@@ -2057,9 +2057,9 @@ static int netlink_events_chain_cb(const struct nlmsghdr *nlh, int type, + break; + case NFTNL_OUTPUT_XML: + case NFTNL_OUTPUT_JSON: +- nftnl_chain_fprintf(stdout, nlc, monh->format, +- netlink_msg2nftnl_of(type)); +- fprintf(stdout, "\n"); ++ nftnl_chain_fprintf(monh->ctx->octx->output_fp, nlc, ++ monh->format, netlink_msg2nftnl_of(type)); ++ nft_mon_print(monh, "\n"); + break; + } + +@@ -2104,9 +2104,9 @@ static int netlink_events_set_cb(const struct nlmsghdr *nlh, int type, + break; + case NFTNL_OUTPUT_XML: + case NFTNL_OUTPUT_JSON: +- nftnl_set_fprintf(stdout, nls, monh->format, +- netlink_msg2nftnl_of(type)); +- fprintf(stdout, "\n"); ++ nftnl_set_fprintf(monh->ctx->octx->output_fp, nls, ++ monh->format, netlink_msg2nftnl_of(type)); ++ nft_mon_print(monh, "\n"); + break; + } + out: +@@ -2253,9 +2253,9 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type, + break; + case NFTNL_OUTPUT_XML: + case NFTNL_OUTPUT_JSON: +- nftnl_set_fprintf(stdout, nls, monh->format, +- netlink_msg2nftnl_of(type)); +- fprintf(stdout, "\n"); ++ nftnl_set_fprintf(monh->ctx->octx->output_fp, nls, ++ monh->format, netlink_msg2nftnl_of(type)); ++ nft_mon_print(monh, "\n"); + break; + } + out: +@@ -2298,9 +2298,9 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type, + break; + case NFTNL_OUTPUT_XML: + case NFTNL_OUTPUT_JSON: +- nftnl_obj_fprintf(stdout, nlo, monh->format, +- netlink_msg2nftnl_of(type)); +- fprintf(stdout, "\n"); ++ nftnl_obj_fprintf(monh->ctx->octx->output_fp, nlo, ++ monh->format, netlink_msg2nftnl_of(type)); ++ nft_mon_print(monh, "\n"); + break; + } + +@@ -2354,9 +2354,9 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type, + break; + case NFTNL_OUTPUT_XML: + case NFTNL_OUTPUT_JSON: +- nftnl_rule_fprintf(stdout, nlr, monh->format, +- netlink_msg2nftnl_of(type)); +- fprintf(stdout, "\n"); ++ nftnl_rule_fprintf(monh->ctx->octx->output_fp, nlr, ++ monh->format, netlink_msg2nftnl_of(type)); ++ nft_mon_print(monh, "\n"); + break; + } + +@@ -2985,7 +2985,6 @@ static int netlink_events_cb(const struct nlmsghdr *nlh, void *data) + ret = netlink_events_newgen_cb(nlh, type, monh); + break; + } +- fflush(stdout); + + return ret; + } +-- +1.8.3.1 + diff --git a/SOURCES/0007-cli-Drop-pointless-check-in-cli_append_multiline.patch b/SOURCES/0007-cli-Drop-pointless-check-in-cli_append_multiline.patch new file mode 100644 index 0000000..37cfcee --- /dev/null +++ b/SOURCES/0007-cli-Drop-pointless-check-in-cli_append_multiline.patch @@ -0,0 +1,69 @@ +From a5e89843a77c234f1f858737b676161ff8ee0227 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:00 +0200 +Subject: [PATCH] cli: Drop pointless check in cli_append_multiline() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit f51ed1db70abd +Conflicts: Context change due to missing commit + 4c15b4008c249 ("cli: Use nft_run_cmd_from_buffer()") + +commit f51ed1db70abdbb909e81bc670ffdfa05f421257 +Author: Phil Sutter +Date: Thu Mar 1 15:00:27 2018 +0100 + + cli: Drop pointless check in cli_append_multiline() + + The function is called from cli_complete after it has checked for line + to be != NULL. The other part of the conditional, namely multiline being + NULL, is perfectly valid (if the last read line didn't end with + backslash. Hence drop the conditional completely. + + Since variable eof is not used anywhere outside of the dropped + conditional, get rid of it completely. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/cli.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/src/cli.c b/src/cli.c +index cadc3af..53427a0 100644 +--- a/src/cli.c ++++ b/src/cli.c +@@ -46,21 +46,13 @@ static struct mnl_socket *cli_nf_sock; + static void *scanner; + static char histfile[PATH_MAX]; + static char *multiline; +-static bool eof; + + static char *cli_append_multiline(char *line) + { ++ size_t len = strlen(line); + bool complete = false; +- size_t len; + char *s; + +- if (line == NULL && multiline == NULL) { +- eof = true; +- return NULL; +- } +- +- len = strlen(line); +- + if (len == 0) + return NULL; + +@@ -174,7 +166,7 @@ int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock, + state = _state; + scanner = scanner_init(state); + +- while (!eof) ++ while (true) + rl_callback_read_char(); + return 0; + } +-- +1.8.3.1 + diff --git a/SOURCES/0008-erec-Avoid-passing-negative-offset-to-fseek.patch b/SOURCES/0008-erec-Avoid-passing-negative-offset-to-fseek.patch new file mode 100644 index 0000000..e6f747e --- /dev/null +++ b/SOURCES/0008-erec-Avoid-passing-negative-offset-to-fseek.patch @@ -0,0 +1,56 @@ +From 76bfabfffc6d10f3b55c896dc7afc24fa3a71fc9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:47 +0200 +Subject: [PATCH] erec: Avoid passing negative offset to fseek() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit 3570b6bc8b4f1 + +commit 3570b6bc8b4f136d07121b28cd79b6356e8e969b +Author: Phil Sutter +Date: Thu Mar 1 15:00:28 2018 +0100 + + erec: Avoid passing negative offset to fseek() + + If the initial call to ftell() fails, variable orig_offset is set to -1. + Avoid passing this to fseek() later on. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/erec.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/erec.c b/src/erec.c +index 80806ff..8de249d 100644 +--- a/src/erec.c ++++ b/src/erec.c +@@ -121,7 +121,7 @@ void erec_print(struct output_ctx *octx, const struct error_record *erec, + char buf[1024] = {}; + char *pbuf = NULL; + unsigned int i, end; +- int l, ret; ++ int l; + off_t orig_offset = 0; + FILE *f = octx->output_fp; + +@@ -136,12 +136,12 @@ void erec_print(struct output_ctx *octx, const struct error_record *erec, + break; + case INDESC_FILE: + orig_offset = ftell(indesc->fp); +- fseek(indesc->fp, loc->line_offset, SEEK_SET); +- ret = fread(buf, 1, sizeof(buf) - 1, indesc->fp); +- if (ret > 0) ++ if (orig_offset >= 0 && ++ !fseek(indesc->fp, loc->line_offset, SEEK_SET) && ++ fread(buf, 1, sizeof(buf) - 1, indesc->fp) > 0 && ++ !fseek(indesc->fp, orig_offset, SEEK_SET)) + *strchrnul(buf, '\n') = '\0'; + line = buf; +- fseek(indesc->fp, orig_offset, SEEK_SET); + break; + case INDESC_INTERNAL: + case INDESC_NETLINK: +-- +1.8.3.1 + diff --git a/SOURCES/0009-evaluate-Fix-memleak-in-stmt_reject_gen_dependency.patch b/SOURCES/0009-evaluate-Fix-memleak-in-stmt_reject_gen_dependency.patch new file mode 100644 index 0000000..27225a4 --- /dev/null +++ b/SOURCES/0009-evaluate-Fix-memleak-in-stmt_reject_gen_dependency.patch @@ -0,0 +1,60 @@ +From 56d8528fdd3c3f7db138622d94d2a6bac6b46e4e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:47 +0200 +Subject: [PATCH] evaluate: Fix memleak in stmt_reject_gen_dependency() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit edcf3adcf4c4c + +commit edcf3adcf4c4cf58cb0b965b984a512b12181a58 +Author: Phil Sutter +Date: Thu Mar 1 15:00:29 2018 +0100 + + evaluate: Fix memleak in stmt_reject_gen_dependency() + + The allocated payload expression is not used after returning from that + function, so it needs to be freed again. + + Simple test case: + + | nft add rule inet t c reject with tcp reset + + Valgrind reports definitely lost 144 bytes. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 25a7376..8552e4a 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2136,8 +2136,10 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt, + if (ret <= 0) + return ret; + +- if (payload_gen_dependency(ctx, payload, &nstmt) < 0) +- return -1; ++ if (payload_gen_dependency(ctx, payload, &nstmt) < 0) { ++ ret = -1; ++ goto out; ++ } + + /* + * Unlike payload deps this adds the dependency at the beginning, i.e. +@@ -2148,7 +2150,9 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt, + * Otherwise we'd log things that won't be rejected. + */ + list_add(&nstmt->list, &ctx->rule->stmts); +- return 0; ++out: ++ xfree(payload); ++ return ret; + } + + static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx, +-- +1.8.3.1 + diff --git a/SOURCES/0010-hash-Fix-potential-null-pointer-dereference-in-hash_.patch b/SOURCES/0010-hash-Fix-potential-null-pointer-dereference-in-hash_.patch new file mode 100644 index 0000000..c94449d --- /dev/null +++ b/SOURCES/0010-hash-Fix-potential-null-pointer-dereference-in-hash_.patch @@ -0,0 +1,49 @@ +From 76a8ca39b3f95b898cd92546fb87ccaa2d1922c7 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:47 +0200 +Subject: [PATCH] hash: Fix potential null-pointer dereference in + hash_expr_cmp() + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit 5043a1e4847c0 + +commit 5043a1e4847c0149dabaf0b529a14a43b957e5e4 +Author: Phil Sutter +Date: Thu Mar 1 15:00:30 2018 +0100 + + hash: Fix potential null-pointer dereference in hash_expr_cmp() + + The first part of the conditional: + + | (e1->hash.expr || expr_cmp(e1->hash.expr, e2->hash.expr)) + + will call expr_cmp() in case e1->hash.expr is NULL, causing null-pointer + dereference. This is probably a typo, the intention when introducing + this was to avoid the call to expr_cmp() for symmetric hash expressions + which don't use expr->hash.expr. Inverting the existence check should + fix this. + + Fixes: 3a86406729782 ("src: hash: support of symmetric hash") + Cc: Laura Garcia Liebana + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/hash.c b/src/hash.c +index 3355cad..e699963 100644 +--- a/src/hash.c ++++ b/src/hash.c +@@ -36,7 +36,7 @@ static void hash_expr_print(const struct expr *expr, struct output_ctx *octx) + + static bool hash_expr_cmp(const struct expr *e1, const struct expr *e2) + { +- return (e1->hash.expr || ++ return (!e1->hash.expr || + expr_cmp(e1->hash.expr, e2->hash.expr)) && + e1->hash.mod == e2->hash.mod && + e1->hash.seed_set == e2->hash.seed_set && +-- +1.8.3.1 + diff --git a/SOURCES/0011-netlink-Complain-if-setting-O_NONBLOCK-fails.patch b/SOURCES/0011-netlink-Complain-if-setting-O_NONBLOCK-fails.patch new file mode 100644 index 0000000..077a5ea --- /dev/null +++ b/SOURCES/0011-netlink-Complain-if-setting-O_NONBLOCK-fails.patch @@ -0,0 +1,41 @@ +From 094f7dd2dce0c449313f1f1ea69dc849fc89b62a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:47 +0200 +Subject: [PATCH] netlink: Complain if setting O_NONBLOCK fails + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit 4342fcbd40534 + +commit 4342fcbd40534158107ebe6a10e5f7886b3e8ced +Author: Phil Sutter +Date: Thu Mar 1 15:00:31 2018 +0100 + + netlink: Complain if setting O_NONBLOCK fails + + Assuming that code is not aware that reads from netlink socket may + block, treat inability to set O_NONBLOCK flag as fatal initialization + error aborting program execution. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/netlink.c b/src/netlink.c +index ca0e207..ebfad18 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -58,7 +58,8 @@ struct mnl_socket *netlink_open_sock(void) + if (nf_sock == NULL) + netlink_init_error(); + +- fcntl(mnl_socket_get_fd(nf_sock), F_SETFL, O_NONBLOCK); ++ if (fcntl(mnl_socket_get_fd(nf_sock), F_SETFL, O_NONBLOCK)) ++ netlink_init_error(); + + return nf_sock; + } +-- +1.8.3.1 + diff --git a/SOURCES/0012-netlink_delinearize-Fix-resource-leaks.patch b/SOURCES/0012-netlink_delinearize-Fix-resource-leaks.patch new file mode 100644 index 0000000..02b1cc8 --- /dev/null +++ b/SOURCES/0012-netlink_delinearize-Fix-resource-leaks.patch @@ -0,0 +1,351 @@ +From 5e9e2dc7e972f6bbbc0156ad97b4ee9d11fcb837 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:22:47 +0200 +Subject: [PATCH] netlink_delinearize: Fix resource leaks + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157 +Upstream Status: nftables commit 671851617c8d8 + +commit 671851617c8d8c1dfe9822eee8dcc7b827fff850 +Author: Phil Sutter +Date: Thu Mar 1 15:00:32 2018 +0100 + + netlink_delinearize: Fix resource leaks + + Most of the cases are basically the same: Error path fails to free the + previously allocated statement or expression. A few cases received + special treatment though: + + - In netlink_parse_payload_stmt(), the leak is easily avoided by code + reordering. + + - In netlink_parse_exthdr(), there's no point in introducing a goto + label since there is but a single affected error check. + + - In netlink_parse_hash() non-error path leaked as well if sreg + contained a concatenated expression. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + src/netlink_delinearize.c | 144 +++++++++++++++++++++++++++++----------------- + 1 file changed, 92 insertions(+), 52 deletions(-) + +diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c +index 61cba52..e25160a 100644 +--- a/src/netlink_delinearize.c ++++ b/src/netlink_delinearize.c +@@ -470,15 +470,15 @@ static void netlink_parse_payload_stmt(struct netlink_parse_ctx *ctx, + offset = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_OFFSET) * BITS_PER_BYTE; + len = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_LEN) * BITS_PER_BYTE; + +- expr = payload_expr_alloc(loc, NULL, 0); +- payload_init_raw(expr, base, offset, len); +- + sreg = netlink_parse_register(nle, NFTNL_EXPR_PAYLOAD_SREG); + val = netlink_get_register(ctx, loc, sreg); + if (val == NULL) + return netlink_error(ctx, loc, + "payload statement has no expression"); + ++ expr = payload_expr_alloc(loc, NULL, 0); ++ payload_init_raw(expr, base, offset, len); ++ + stmt = payload_stmt_alloc(loc, expr, val); + + list_add_tail(&stmt->list, &ctx->rule->stmts); +@@ -523,9 +523,11 @@ static void netlink_parse_exthdr(struct netlink_parse_ctx *ctx, + + sreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_SREG); + val = netlink_get_register(ctx, loc, sreg); +- if (val == NULL) ++ if (val == NULL) { ++ xfree(expr); + return netlink_error(ctx, loc, + "exthdr statement has no expression"); ++ } + + expr_set_type(val, expr->dtype, expr->byteorder); + +@@ -556,22 +558,27 @@ static void netlink_parse_hash(struct netlink_parse_ctx *ctx, + sreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_SREG); + hexpr = netlink_get_register(ctx, loc, sreg); + +- if (hexpr == NULL) +- return ++ if (hexpr == NULL) { + netlink_error(ctx, loc, + "hash statement has no expression"); ++ goto out_err; ++ } + len = nftnl_expr_get_u32(nle, + NFTNL_EXPR_HASH_LEN) * BITS_PER_BYTE; + if (hexpr->len < len) { ++ xfree(hexpr); + hexpr = netlink_parse_concat_expr(ctx, loc, sreg, len); + if (hexpr == NULL) +- return; ++ goto out_err; + } + expr->hash.expr = hexpr; + } + + dreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_DREG); + netlink_set_register(ctx, dreg, expr); ++ return; ++out_err: ++ xfree(expr); + } + + static void netlink_parse_fib(struct netlink_parse_ctx *ctx, +@@ -853,10 +860,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, + reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MIN); + if (reg1) { + addr = netlink_get_register(ctx, loc, reg1); +- if (addr == NULL) +- return netlink_error(ctx, loc, +- "NAT statement has no address " +- "expression"); ++ if (addr == NULL) { ++ netlink_error(ctx, loc, ++ "NAT statement has no address expression"); ++ goto out_err; ++ } + + if (family == AF_INET) + expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN); +@@ -869,10 +877,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, + reg2 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MAX); + if (reg2 && reg2 != reg1) { + addr = netlink_get_register(ctx, loc, reg2); +- if (addr == NULL) +- return netlink_error(ctx, loc, +- "NAT statement has no address " +- "expression"); ++ if (addr == NULL) { ++ netlink_error(ctx, loc, ++ "NAT statement has no address expression"); ++ goto out_err; ++ } + + if (family == AF_INET) + expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN); +@@ -887,10 +896,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, + reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MIN); + if (reg1) { + proto = netlink_get_register(ctx, loc, reg1); +- if (proto == NULL) +- return netlink_error(ctx, loc, +- "NAT statement has no proto " +- "expression"); ++ if (proto == NULL) { ++ netlink_error(ctx, loc, ++ "NAT statement has no proto expression"); ++ goto out_err; ++ } + + expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); + stmt->nat.proto = proto; +@@ -899,10 +909,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, + reg2 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MAX); + if (reg2 && reg2 != reg1) { + proto = netlink_get_register(ctx, loc, reg2); +- if (proto == NULL) +- return netlink_error(ctx, loc, +- "NAT statement has no proto " +- "expression"); ++ if (proto == NULL) { ++ netlink_error(ctx, loc, ++ "NAT statement has no proto expression"); ++ goto out_err; ++ } + + expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); + if (stmt->nat.proto != NULL) +@@ -911,6 +922,9 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, + } + + ctx->stmt = stmt; ++ return; ++out_err: ++ xfree(stmt); + } + + static void netlink_parse_masq(struct netlink_parse_ctx *ctx, +@@ -931,10 +945,11 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx, + reg1 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN); + if (reg1) { + proto = netlink_get_register(ctx, loc, reg1); +- if (proto == NULL) +- return netlink_error(ctx, loc, +- "MASQUERADE statement" +- "has no proto expression"); ++ if (proto == NULL) { ++ netlink_error(ctx, loc, ++ "MASQUERADE statement has no proto expression"); ++ goto out_err; ++ } + expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); + stmt->masq.proto = proto; + } +@@ -942,10 +957,11 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx, + reg2 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MAX); + if (reg2 && reg2 != reg1) { + proto = netlink_get_register(ctx, loc, reg2); +- if (proto == NULL) +- return netlink_error(ctx, loc, +- "MASQUERADE statement" +- "has no proto expression"); ++ if (proto == NULL) { ++ netlink_error(ctx, loc, ++ "MASQUERADE statement has no proto expression"); ++ goto out_err; ++ } + expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); + if (stmt->masq.proto != NULL) + proto = range_expr_alloc(loc, stmt->masq.proto, proto); +@@ -953,6 +969,9 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx, + } + + ctx->stmt = stmt; ++ return; ++out_err: ++ xfree(stmt); + } + + static void netlink_parse_redir(struct netlink_parse_ctx *ctx, +@@ -974,10 +993,11 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx, + reg1 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MIN); + if (reg1) { + proto = netlink_get_register(ctx, loc, reg1); +- if (proto == NULL) +- return netlink_error(ctx, loc, +- "redirect statement has no proto " +- "expression"); ++ if (proto == NULL) { ++ netlink_error(ctx, loc, ++ "redirect statement has no proto expression"); ++ goto out_err; ++ } + + expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); + stmt->redir.proto = proto; +@@ -986,10 +1006,11 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx, + reg2 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MAX); + if (reg2 && reg2 != reg1) { + proto = netlink_get_register(ctx, loc, reg2); +- if (proto == NULL) +- return netlink_error(ctx, loc, +- "redirect statement has no proto " +- "expression"); ++ if (proto == NULL) { ++ netlink_error(ctx, loc, ++ "redirect statement has no proto expression"); ++ goto out_err; ++ } + + expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN); + if (stmt->redir.proto != NULL) +@@ -999,6 +1020,9 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx, + } + + ctx->stmt = stmt; ++ return; ++out_err: ++ xfree(stmt); + } + + static void netlink_parse_dup(struct netlink_parse_ctx *ctx, +@@ -1014,9 +1038,11 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx, + reg1 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_ADDR); + if (reg1) { + addr = netlink_get_register(ctx, loc, reg1); +- if (addr == NULL) +- return netlink_error(ctx, loc, +- "DUP statement has no destination expression"); ++ if (addr == NULL) { ++ netlink_error(ctx, loc, ++ "DUP statement has no destination expression"); ++ goto out_err; ++ } + + switch (ctx->table->handle.family) { + case NFPROTO_IPV4: +@@ -1033,9 +1059,11 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx, + reg2 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_DEV); + if (reg2) { + dev = netlink_get_register(ctx, loc, reg2); +- if (dev == NULL) +- return netlink_error(ctx, loc, +- "DUP statement has no output expression"); ++ if (dev == NULL) { ++ netlink_error(ctx, loc, ++ "DUP statement has no output expression"); ++ goto out_err; ++ } + + expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN); + if (stmt->dup.to == NULL) +@@ -1045,6 +1073,9 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx, + } + + ctx->stmt = stmt; ++ return; ++out_err: ++ xfree(stmt); + } + + static void netlink_parse_fwd(struct netlink_parse_ctx *ctx, +@@ -1060,15 +1091,20 @@ static void netlink_parse_fwd(struct netlink_parse_ctx *ctx, + reg1 = netlink_parse_register(nle, NFTNL_EXPR_FWD_SREG_DEV); + if (reg1) { + dev = netlink_get_register(ctx, loc, reg1); +- if (dev == NULL) +- return netlink_error(ctx, loc, +- "fwd statement has no output expression"); ++ if (dev == NULL) { ++ netlink_error(ctx, loc, ++ "fwd statement has no output expression"); ++ goto out_err; ++ } + + expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN); + stmt->fwd.to = dev; + } + + ctx->stmt = stmt; ++ return; ++out_err: ++ xfree(stmt); + } + + static void netlink_parse_queue(struct netlink_parse_ctx *ctx, +@@ -1135,10 +1171,11 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, + dnle = nftnl_expr_get(nle, NFTNL_EXPR_DYNSET_EXPR, NULL); + if (dnle != NULL) { + if (netlink_parse_expr(dnle, ctx) < 0) +- return; +- if (ctx->stmt == NULL) +- return netlink_error(ctx, loc, +- "Could not parse dynset stmt"); ++ goto out_err; ++ if (ctx->stmt == NULL) { ++ netlink_error(ctx, loc, "Could not parse dynset stmt"); ++ goto out_err; ++ } + dstmt = ctx->stmt; + } + +@@ -1155,6 +1192,9 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, + } + + ctx->stmt = stmt; ++ return; ++out_err: ++ xfree(expr); + } + + static void netlink_parse_objref(struct netlink_parse_ctx *ctx, +-- +1.8.3.1 + diff --git a/SOURCES/0013-nft.8-Fix-reject-statement-documentation.patch b/SOURCES/0013-nft.8-Fix-reject-statement-documentation.patch new file mode 100644 index 0000000..d33971f --- /dev/null +++ b/SOURCES/0013-nft.8-Fix-reject-statement-documentation.patch @@ -0,0 +1,60 @@ +From c2e843f9386bfa01bfbdd2742ce89f6c474ac0ee Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:23:54 +0200 +Subject: [PATCH] nft.8: Fix reject statement documentation + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571938 +Upstream Status: nftables commit 9b3036bb9f00d + +commit 9b3036bb9f00d6e244ed92e0e782c5617ae40b84 +Author: Phil Sutter +Date: Wed Jun 6 10:56:26 2018 +0200 + + nft.8: Fix reject statement documentation + + First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In + addition to that, parameter 'type' expects an icmp*_code type, not + icmp*_type. The respective table column was already correct, but in + synopsis it was wrong. + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal +--- + doc/nft.xml | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/doc/nft.xml b/doc/nft.xml +index c7e12c9..3da5fda 100644 +--- a/doc/nft.xml ++++ b/doc/nft.xml +@@ -4472,14 +4472,14 @@ ip6 filter output log flags all + with + + icmp +- icmp6 ++ icmpv6 + icmpx + + type + +- icmp_type +- icmp6_type +- icmpx_type ++ icmp_code ++ icmpv6_code ++ icmpx_code + + + +@@ -4516,7 +4516,7 @@ ip6 filter output log flags all + icmp_code + + +- icmp6 ++ icmpv6 + ip6 + icmpv6_code + +-- +1.8.3.1 + diff --git a/SOURCES/0014-doc-reword-insert-position-this-expects-rule-handle-.patch b/SOURCES/0014-doc-reword-insert-position-this-expects-rule-handle-.patch new file mode 100644 index 0000000..ed9eb84 --- /dev/null +++ b/SOURCES/0014-doc-reword-insert-position-this-expects-rule-handle-.patch @@ -0,0 +1,56 @@ +From 9abe6ef333d4d1f7c83e10ee73bca70f64b9fdba Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:36:59 +0200 +Subject: [PATCH] doc: reword insert position, this expects rule handle to + insert, not a relative postition + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571968 +Upstream Status: nftables commit 45172efadbede +Conflicts: Context change due to missing commit f9cb9580b924f + ("doc: nft.8 aim for consistent synopses throughout") + +commit 45172efadbedee2b2dedc1e771046cca7edb0111 +Author: Florian Westphal +Date: Tue Apr 24 16:54:52 2018 +0200 + + doc: reword insert position, this expects rule handle to insert, not a relative postition + + Signed-off-by: Florian Westphal +--- + doc/nft.xml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/doc/nft.xml b/doc/nft.xml +index 3da5fda..45a392f 100644 +--- a/doc/nft.xml ++++ b/doc/nft.xml +@@ -835,7 +835,7 @@ filter input iif $int_ifs accept + family + table + chain +- position position ++ position handle + statement + + +@@ -868,7 +868,7 @@ filter input iif $int_ifs accept + + Add a new rule described by the list of statements. The rule is appended to the + given chain unless a position is specified, in which case the rule is appended to +- the rule given by the position. ++ the rule given by the handle. + + + +@@ -877,7 +877,7 @@ filter input iif $int_ifs accept + + + Similar to the add command, but the rule is prepended to the +- beginning of the chain or before the rule at the given position. ++ beginning of the chain or before the rule with the given handle. + + + +-- +1.8.3.1 + diff --git a/SOURCES/0015-Deprecate-add-insert-rule-position-argument.patch b/SOURCES/0015-Deprecate-add-insert-rule-position-argument.patch new file mode 100644 index 0000000..83f6343 --- /dev/null +++ b/SOURCES/0015-Deprecate-add-insert-rule-position-argument.patch @@ -0,0 +1,92 @@ +From 197711f42a7580918c99536ff891eef7dd040c6b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:37:57 +0200 +Subject: [PATCH] Deprecate add/insert rule 'position' argument + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571968 +Upstream Status: nftables commit effb881c9cef2 +Conflicts: Context change due to missing commit f9cb9580b924f + ("doc: nft.8 aim for consistent synopses throughout") + +commit effb881c9cef28aca47adeec5014e0457507539e +Author: Phil Sutter +Date: Wed May 9 16:03:40 2018 +0200 + + Deprecate add/insert rule 'position' argument + + Instead, use 'handle' keyword for the same effect since that is more + consistent with respect to replace/delete commands. The old keyword is + still supported for backwards compatibility and also listed in man page + along with a hint that it shouldn't be used anymore. + + Signed-off-by: Phil Sutter + Signed-off-by: Pablo Neira Ayuso +--- + doc/nft.xml | 17 +++++++++++++---- + src/parser_bison.y | 8 ++++++++ + 2 files changed, 21 insertions(+), 4 deletions(-) + +diff --git a/doc/nft.xml b/doc/nft.xml +index 45a392f..e6cfb78 100644 +--- a/doc/nft.xml ++++ b/doc/nft.xml +@@ -835,7 +835,13 @@ filter input iif $int_ifs accept + family + table + chain +- position handle ++ ++ ++ handle ++ position ++ ++ handle ++ + statement + + +@@ -867,8 +873,10 @@ filter input iif $int_ifs accept + + + Add a new rule described by the list of statements. The rule is appended to the +- given chain unless a position is specified, in which case the rule is appended to +- the rule given by the handle. ++ given chain unless a handle is specified, in which case the ++ rule is appended to the rule given by the handle. ++ The alternative name position is deprecated and should not be ++ used anymore. + + + +@@ -877,7 +885,8 @@ filter input iif $int_ifs accept + + + Similar to the add command, but the rule is prepended to the +- beginning of the chain or before the rule with the given handle. ++ beginning of the chain or before the rule with the given ++ handle. + + + +diff --git a/src/parser_bison.y b/src/parser_bison.y +index 7016f5b..f9878ba 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -1708,6 +1708,14 @@ rule_position : chain_spec + handle_merge(&$1, &$2); + $$ = $1; + } ++ | chain_spec handle_spec ++ { ++ $2.position.location = $2.handle.location; ++ $2.position.id = $2.handle.id; ++ $2.handle.id = 0; ++ handle_merge(&$1, &$2); ++ $$ = $1; ++ } + ; + + ruleid_spec : chain_spec handle_spec +-- +1.8.3.1 + diff --git a/SOURCES/0016-evaluate-explicitly-deny-concatenated-types-in-inter.patch b/SOURCES/0016-evaluate-explicitly-deny-concatenated-types-in-inter.patch new file mode 100644 index 0000000..891358c --- /dev/null +++ b/SOURCES/0016-evaluate-explicitly-deny-concatenated-types-in-inter.patch @@ -0,0 +1,54 @@ +From d8f1860f72840104bff3742f477c572b57a9c3c1 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 20 Jun 2018 09:38:55 +0200 +Subject: [PATCH] evaluate: explicitly deny concatenated types in interval sets + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1576426 +Upstream Status: nftables commit 9a3d80172a61e + +commit 9a3d80172a61e89c2862bcf41cb58313c236b308 +Author: Phil Sutter +Date: Wed Jun 6 13:21:49 2018 +0200 + + evaluate: explicitly deny concatenated types in interval sets + + Previously, this triggered a program abort: + + | # nft add table ip t + | # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ; }' + | # nft add element ip t my_set '{10.0.0.1 . tcp }' + | BUG: invalid range expression type concat + | nft: expression.c:1085: range_expr_value_low: Assertion `0' failed. + + With this patch in place, the 'add set' command above gives an error + message: + + | # nft add set ip t my_set3 '{ type ipv4_addr . inet_service ; flags interval ; }' + | Error: concatenated types not supported in interval sets + | add set ip t my_set3 { type ipv4_addr . inet_service ; flags interval ; } + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + Signed-off-by: Phil Sutter + Signed-off-by: Florian Westphal +--- + src/evaluate.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 8552e4a..ab1347f 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2865,6 +2865,10 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) + "specified in %s definition", + set->key->dtype->name, type); + } ++ if (set->flags & NFT_SET_INTERVAL && ++ set->key->ops->type == EXPR_CONCAT) ++ return set_error(ctx, set, "concatenated types not supported in interval sets"); ++ + if (set->flags & NFT_SET_MAP) { + if (set->datatype == NULL) + return set_error(ctx, set, "map definition does not " +-- +1.8.3.1 + diff --git a/SOURCES/nft.8 b/SOURCES/nft.8 index 156e8f4..5b89ebf 100644 --- a/SOURCES/nft.8 +++ b/SOURCES/nft.8 @@ -5,7 +5,7 @@ \\$2 \(la\\$1\(ra\\$3 .. .if \n(.g .mso www.tmac -.TH nft 8 "13 October 2017" "" "" +.TH nft 8 "20 June 2018" "" "" .SH NAME nft \- Administration tool for packet filtering and classification .SH SYNOPSIS @@ -485,7 +485,10 @@ Base chains also allow to set the chain's \*(T, i.e. what happens to 'nh .fi .ad l -[add | insert] \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [position \fIposition\fR] {\fIstatement\fR}\&... +[add | insert] \fBrule\fR [\fIfamily\fR] {\fItable\fR} {\fIchain\fR} [ +{handle | position} +\fIhandle\fR +] {\fIstatement\fR}\&... .ad b 'hy 'nh @@ -506,12 +509,15 @@ of grammatical rules: expressions and statements. .TP \*(T<\fBadd\fR\*(T> Add a new rule described by the list of statements. The rule is appended to the -given chain unless a position is specified, in which case the rule is appended to -the rule given by the position. +given chain unless a \*(T is specified, in which case the +rule is appended to the rule given by the \fIhandle\fR. +The alternative name \*(T is deprecated and should not be +used anymore. .TP \*(T<\fBinsert\fR\*(T> Similar to the \fBadd\fR command, but the rule is prepended to the -beginning of the chain or before the rule at the given position. +beginning of the chain or before the rule with the given +\fIhandle\fR. .TP \*(T<\fBreplace\fR\*(T> Similar to the \fBadd\fR command, but the rule replaces the specified rule. @@ -4030,9 +4036,9 @@ ip6 filter output log flags all 'in \n(.iu+\nxu [ with -{icmp | icmp6 | icmpx} +{icmp | icmpv6 | icmpx} type -{icmp_type | icmp6_type | icmpx_type} +{icmp_code | icmpv6_code | icmpx_code} ] 'in \n(.iu-\nxu .ad b @@ -4077,7 +4083,7 @@ T} T{ icmp_code T} T{ -icmp6 +icmpv6 T} T{ ip6 T} T{ diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index 9dc7432..e561487 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,10 +1,11 @@ %define rpmversion 0.8 -%define specrelease 7%{?dist} +%define specrelease 10%{?dist} %define libnftnlversion 1.0.8-1 Name: nftables Version: %{rpmversion} Release: %{specrelease} +Epoch: 1 Summary: Netfilter Tables userspace utillites License: GPLv2 URL: http://netfilter.org/projects/nftables/ @@ -24,6 +25,20 @@ BuildRequires: libnftnl-devel >= %{libnftnlversion} BuildRequires: systemd Patch0: 0001-src-fix-protocol-context-update-on-big-endian-system.patch Patch1: 0002-netlink_linearize-exthdr-op-must-be-u32.patch +Patch2: 0003-src-avoid-errouneous-assert-with-map-concat.patch +Patch3: 0004-Review-switch-statements-for-unmarked-fall-through-c.patch +Patch4: 0005-monitor-Make-trace-events-respect-output_fp.patch +Patch5: 0006-monitor-Make-JSON-XML-output-respect-output_fp.patch +Patch6: 0007-cli-Drop-pointless-check-in-cli_append_multiline.patch +Patch7: 0008-erec-Avoid-passing-negative-offset-to-fseek.patch +Patch8: 0009-evaluate-Fix-memleak-in-stmt_reject_gen_dependency.patch +Patch9: 0010-hash-Fix-potential-null-pointer-dereference-in-hash_.patch +Patch10: 0011-netlink-Complain-if-setting-O_NONBLOCK-fails.patch +Patch11: 0012-netlink_delinearize-Fix-resource-leaks.patch +Patch12: 0013-nft.8-Fix-reject-statement-documentation.patch +Patch13: 0014-doc-reword-insert-position-this-expects-rule-handle-.patch +Patch14: 0015-Deprecate-add-insert-rule-position-argument.patch +Patch15: 0016-evaluate-explicitly-deny-concatenated-types-in-inter.patch %description Netfilter Tables userspace utilities. @@ -72,6 +87,27 @@ chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/* %{_unitdir}/nftables.service %changelog +* Wed Jun 20 2018 Phil Sutter [0.8-10.el7] +- Bump epoch to allow upgrading from EPEL (Phil Sutter) [1575059] + +* Wed Jun 20 2018 Phil Sutter [0.8-9.el7] +- evaluate: explicitly deny concatenated types in interval sets (Phil Sutter) [1576426] +- Deprecate add/insert rule 'position' argument (Phil Sutter) [1571968] +- doc: reword insert position, this expects rule handle to insert, not a relative postition (Phil Sutter) [1571968] +- nft.8: Fix reject statement documentation (Phil Sutter) [1571938] +- netlink_delinearize: Fix resource leaks (Phil Sutter) [1504157] +- netlink: Complain if setting O_NONBLOCK fails (Phil Sutter) [1504157] +- hash: Fix potential null-pointer dereference in hash_expr_cmp() (Phil Sutter) [1504157] +- evaluate: Fix memleak in stmt_reject_gen_dependency() (Phil Sutter) [1504157] +- erec: Avoid passing negative offset to fseek() (Phil Sutter) [1504157] +- cli: Drop pointless check in cli_append_multiline() (Phil Sutter) [1504157] +- monitor: Make JSON/XML output respect output_fp (Phil Sutter) [1504157] +- monitor: Make trace events respect output_fp (Phil Sutter) [1504157] +- Review switch statements for unmarked fall through cases (Phil Sutter) [1504157] + +* Wed Jun 06 2018 Phil Sutter [0.8-8.el7] +- src: avoid errouneous assert with map+concat (Phil Sutter) [1540917] + * Mon Dec 18 2017 Phil Sutter [0.8-7.el7] - A proper fix for incompatible docbook2man (Phil Sutter) [1523239]