diff --git a/SOURCES/0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch b/SOURCES/0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
new file mode 100644
index 0000000..5290318
--- /dev/null
+++ b/SOURCES/0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
@@ -0,0 +1,53 @@
+From 4bd60613ea60da4bf9da226be352dd47f585e8d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?=
+Date: Fri, 5 Nov 2021 12:39:11 +0100
+Subject: [PATCH] tests: shell: $NFT needs to be invoked unquoted
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The variable has to undergo word splitting, otherwise the shell tries
+to find the variable value as an executable, which breaks in cases that
+7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
+intends to support.
+
+Mention this in the shell tests README.
+
+Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
+Signed-off-by: Štěpán Němec
+Signed-off-by: Phil Sutter
+(cherry picked from commit dad3338f1f76a4a5bd782bae9c6b48941dfb1e31)
+
+Conflicts:
+ tests/shell/README
+-> Context change due to missing other patches.
+---
+ tests/shell/README | 3 +++
+ tests/shell/testcases/sets/0068interval_stack_overflow_0 | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/shell/README b/tests/shell/README
+index e0279bbdc30c3..aee50e3d668b1 100644
+--- a/tests/shell/README
++++ b/tests/shell/README
+@@ -25,4 +25,7 @@ path to the nftables binary being tested.
+ You can pass an arbitrary $NFT value as well:
+ # NFT=/usr/local/sbin/nft ./run-tests.sh
+
++Note that, to support usage such as NFT='valgrind nft', tests must
++invoke $NFT unquoted.
++
+ By default the tests are run with the nft binary at '../../src/nft'
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+index 134282de28268..6620572449c3c 100755
+--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -26,4 +26,4 @@ table inet test68_table {
+ }
+ EOF
+
+-( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
++( ulimit -s 128 && $NFT -f "$ruleset_file" )
+--
+2.33.0
+
diff --git a/SOURCES/0020-tests-shell-better-parameters-for-the-interval-stack.patch b/SOURCES/0020-tests-shell-better-parameters-for-the-interval-stack.patch
new file mode 100644
index 0000000..39a6426
--- /dev/null
+++ b/SOURCES/0020-tests-shell-better-parameters-for-the-interval-stack.patch
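Review bot: The README note added by patch 0019 says tests must invoke $NFT unquoted, but it does not state what that implies for the value. In `( ulimit -s 128 && $NFT -f "$ruleset_file" )` the variable now undergoes pathname expansion as well as word splitting, so a path containing spaces or glob characters is silently reinterpreted, and the suite presumably runs privileged since it loads rulesets. I would extend the README text with a sentence such as `The value is split on whitespace and glob-expanded, so paths containing spaces or wildcard characters are not supported; set NFT only to a trusted command.` This is a documentation-only suggestion; the script change itself matches the wrapper use case named in the commit message.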
@@ -0,0 +1,51 @@
+From 0c34164a245bdd03085e906bc9b3327d559535a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?=
+Date: Wed, 1 Dec 2021 12:12:00 +0100
+Subject: [PATCH] tests: shell: better parameters for the interval stack
+ overflow test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Wider testing has shown that 128 kB stack is too low (e.g. for systems
+with 64 kB page size), leading to false failures in some environments.
+
+Based on results from a matrix of RHEL 8 and RHEL 9 systems across
+x86_64, aarch64, ppc64le and s390x architectures as well as some
+anecdotal testing of other Linux distros on x86_64 machines, 400 kB
+seems safe: the normal nft stack (which should stay constant during
+this test) on all tested systems doesn't exceed 200 kB (stays around
+100 kB on typical systems with 4 kB page size), while always growing
+beyond 500 kB in the failing case (nftables before baecd1cf2685) with
+the increased set size.
+
+Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
+Signed-off-by: Štěpán Němec
+Signed-off-by: Phil Sutter
+(cherry picked from commit 7b81d9cb094ffa96ad821528cf19269dc348f617)
+---
+ tests/shell/testcases/sets/0068interval_stack_overflow_0 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+index 6620572449c3c..2cbc986802644 100755
+--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -9,7 +9,7 @@ trap 'rm -f "$ruleset_file"' EXIT
+ {
+ echo 'define big_set = {'
+ for ((i = 1; i < 255; i++)); do
+- for ((j = 1; j < 80; j++)); do
++ for ((j = 1; j < 255; j++)); do
+ echo "10.0.$i.$j,"
+ done
+ done
+@@ -26,4 +26,4 @@ table inet test68_table {
+ }
+ EOF
+
+-( ulimit -s 128 && $NFT -f "$ruleset_file" )
++( ulimit -s 400 && $NFT -f "$ruleset_file" )
+--
+2.33.0
+
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
index be66a87..672c934 100644
--- a/SPECS/nftables.spec
+++ b/SPECS/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 0.9.8
-Release: 9%{?dist}
+Release: 10%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch: 1
 Summary: Netfilter Tables userspace utillites
@@ -32,6 +32,8 @@ Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch
 Patch16: 0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
 Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
 Patch18: 0018-doc-nft.8-Extend-monitor-description-by-trace.patch
+Patch19: 0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
+Patch20: 0020-tests-shell-better-parameters-for-the-interval-stack.patch
 #BuildRequires: autogen
 #BuildRequires: autoconf
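Review bot: In patch 0020 the new limit in `( ulimit -s 400 && $NFT -f "$ruleset_file" )` and the new inner bound `j < 255` in 0068interval_stack_overflow_0 are coupled magic numbers, and their rationale is recorded only in the commit message. The message says the unfixed code exceeds 500 kB only with the increased set size, so someone who later shrinks the set or raises the limit could turn this regression test for the segtree crash into one that always passes. I would add a comment above the subshell, for example `# 400 kB: normal nft stack stays below 200 kB on tested systems; nft without baecd1cf2685 grows beyond 500 kB with this set size`. The script's header and the rest of the ruleset heredoc lie outside the hunk.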
@@ -141,6 +143,10 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \ %{python3_sitelib}/nftables/ %changelog +* Wed Dec 08 2021 Phil Sutter - 1:0.9.8-10 +- tests: shell: better parameters for the interval stack overflow test +- tests: shell: $NFT needs to be invoked unquoted + * Thu Nov 11 2021 Phil Sutter - 1:0.9.8-9 - doc: nft.8: Extend monitor description by trace