diff --git a/SOURCES/0069-monitor-Do-not-decompose-non-anonymous-sets.patch b/SOURCES/0069-monitor-Do-not-decompose-non-anonymous-sets.patch
new file mode 100644
index 0000000..0204a92
--- /dev/null
+++ b/SOURCES/0069-monitor-Do-not-decompose-non-anonymous-sets.patch
@@ -0,0 +1,61 @@
+From 7859b19a1e8307b5bee6ca71261dd0bc06fda6f2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 9 Jan 2020 13:34:20 +0100
+Subject: [PATCH] monitor: Do not decompose non-anonymous sets
+
+They have been decomposed already, trying to do that again causes a
+segfault. This is a similar fix as in commit 8ecb885589591 ("src:
+restore --echo with anonymous sets").
+
+Signed-off-by: Phil Sutter
+Acked-by: Pablo Neira Ayuso
+(cherry picked from commit 5d57fa3e99bb9f2044e236d4ddb7d874cfefe1dd)
+Signed-off-by: Phil Sutter
+---
+ src/monitor.c | 2 +-
+ tests/monitor/testcases/set-interval.t | 20 ++++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 tests/monitor/testcases/set-interval.t
+
+diff --git a/src/monitor.c b/src/monitor.c
+index 14ccbc5fe04ca..ba8e11888a215 100644
+--- a/src/monitor.c
++++ b/src/monitor.c
+@@ -500,7 +500,7 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
+ 
+ static void rule_map_decompose_cb(struct set *s, void *data)
+ {
+- if (s->flags & NFT_SET_INTERVAL)
++ if (s->flags & (NFT_SET_INTERVAL & NFT_SET_ANONYMOUS))
+ interval_map_decompose(s->init);
+ }
+ 
+diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
+new file mode 100644
+index 0000000000000..59930c58243d8
+--- /dev/null
++++ b/tests/monitor/testcases/set-interval.t
+@@ -0,0 +1,20 @@
++# setup first
++I add table ip t
++I add chain ip t c
++O -
++J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
++J {"add": {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}}
++
++# add set with elements, monitor output expectedly differs
++I add set ip t s { type inet_service; flags interval; elements = { 20, 30-40 }; }
++O add set ip t s { type inet_service; flags interval; }
++O add element ip t s { 20 }
++O add element ip t s { 30-40 }
++J {"add": {"set": {"family": "ip", "name": "s", "table": "t", "type": "inet_service", "handle": 0, "flags": 
["interval"]}}}
++J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [20]}}}}
++J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [{"range": [30, 40]}]}}}}
++
++# this would crash nft
++I add rule ip t c tcp dport @s
++O -
++J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
+--
+2.24.1
+
diff --git a/SOURCES/0070-monitor-Fix-output-for-ranges-in-anonymous-sets.patch b/SOURCES/0070-monitor-Fix-output-for-ranges-in-anonymous-sets.patch
new file mode 100644
index 0000000..a0a5510
--- /dev/null
+++ b/SOURCES/0070-monitor-Fix-output-for-ranges-in-anonymous-sets.patch
@@ -0,0 +1,94 @@
+From 299aeba9aa84ae0556a0bba18b7adace89069a91 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Mon, 13 Jan 2020 14:53:24 +0100
+Subject: [PATCH] monitor: Fix output for ranges in anonymous sets
+
+Previous fix for named interval sets was simply wrong: Instead of
+limiting decomposing to anonymous interval sets, it effectively disabled
+it entirely.
+
+Since code needs to check for both interval and anonymous bits
+separately, introduce set_is_interval() helper to keep the code
+readable.
+
+Also extend test case to assert ranges in anonymous sets are correctly
+printed by echo or monitor modes. Without this fix, range boundaries are
+printed as individual set elements.
+
+Fixes: 5d57fa3e99bb9 ("monitor: Do not decompose non-anonymous sets")
+Signed-off-by: Phil Sutter
+Reviewed-by: Pablo Neira Ayuso
+(cherry picked from commit ddbacd70d061eb1b6808f501969809bfb5d03001)
+
+Conflicts:
+ include/rule.h
+- Context change due to missing other set_is_*() helpers.
+- Manually added set_is_anonymous() helper since code fix uses it.
+- Manually added missing include statement to make NFT_SET_* flags
+ known.
+
+Signed-off-by: Phil Sutter
+---
+ include/rule.h | 11 +++++++++++
+ src/monitor.c | 2 +-
+ tests/monitor/testcases/set-interval.t | 5 +++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/include/rule.h b/include/rule.h
+index 12c2984a14362..c2d1d5212649f 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -4,6 +4,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ /**
+ * struct handle_spec - handle ID
+@@ -289,6 +290,16 @@ extern const char *set_policy2str(uint32_t policy);
+ extern void set_print(const struct set *set, struct output_ctx *octx);
+ extern void set_print_plain(const struct set *s, struct output_ctx *octx);
+ 
++static inline bool set_is_anonymous(uint32_t set_flags)
++{
++ return set_flags & NFT_SET_ANONYMOUS;
++}
++
++static inline bool set_is_interval(uint32_t set_flags)
++{
++ return set_flags & NFT_SET_INTERVAL;
++}
++
+ #include
+ 
+ struct counter {
+diff --git a/src/monitor.c b/src/monitor.c
+index ba8e11888a215..9bb3424d76be2 100644
+--- a/src/monitor.c
++++ b/src/monitor.c
+@@ -500,7 +500,7 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
+ 
+ static void rule_map_decompose_cb(struct set *s, void *data)
+ {
+- if (s->flags & (NFT_SET_INTERVAL & NFT_SET_ANONYMOUS))
++ if (set_is_interval(s->flags) && set_is_anonymous(s->flags))
+ interval_map_decompose(s->init);
+ }
+ 
+diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
+index 59930c58243d8..1fbcfe222a2b0 100644
+--- a/tests/monitor/testcases/set-interval.t
++++ b/tests/monitor/testcases/set-interval.t
+@@ -18,3 +18,8 @@ J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set"
+ I add rule ip t c tcp dport @s
+ O -
+ J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
++
++# test anonymous interval sets as well
++I add rule ip t c tcp dport { 
20, 30-40 }
++O -
++J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}}
+--
+2.24.1
+
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
index 8525f0a..b6c5d3f 100644
--- a/SPECS/nftables.spec
+++ b/SPECS/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 0.9.0
-Release: 14%{?dist}
+Release: 14%{?dist}.1
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch: 1
 Summary: Netfilter Tables userspace utillites
@@ -79,6 +79,8 @@ Patch65: 0065-tests-shell-Add-testcase-for-cache-update-problems.patch
 Patch66: 0066-src-update-cache-if-cmd-is-more-specific.patch
 Patch67: 0067-src-fix-jumps-on-bigendian-arches.patch
 Patch68: 0068-src-json-fix-constant-parsing-on-bigendian.patch
+Patch69: 0069-monitor-Do-not-decompose-non-anonymous-sets.patch
+Patch70: 0070-monitor-Fix-output-for-ranges-in-anonymous-sets.patch
 
 BuildRequires: autogen
 BuildRequires: autoconf
@@ -167,6 +169,10 @@ chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*.nft
 %{_includedir}/nftables/libnftables.h
 
 %changelog
+* Wed Feb 12 2020 Phil Sutter - 1:0.9.0-14.1
+- monitor: Fix output for ranges in anonymous sets
+- monitor: Do not decompose non-anonymous sets
+
 * Mon Aug 12 2019 Phil Sutter - 1:0.9.0-14
 - src: fix jumps on bigendian arches
 - src: json: fix constant parsing on bigendian
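Review bot: The final condition in rule_map_decompose_cb (src/monitor.c hunk of patch 0070) reads as an arbitrary pair of flag tests, and nothing in the code says why only anonymous interval sets are decomposed there; the reason is stated only in patch 0069's description, namely that named sets have already been decomposed and running interval_map_decompose(s->init) a second time crashes. A comment above the `if` would keep the next reader from "simplifying" it back to a single interval check: `/* Named sets were already decomposed when added; decomposing s->init again crashes, so only anonymous sets are handled here. */`. Since both files are cherry-picked upstream patches, that comment belongs in a follow-up patch rather than an edit to the backport. The set_is_interval()/set_is_anonymous() helpers added to include/rule.h return bool from a masked uint32_t, which is well-defined, so no change is needed there.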