diff --git a/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch b/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch
new file mode 100644
index 0000000..6f68126
--- /dev/null
+++ b/SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch
@@ -0,0 +1,45 @@
+From 77a93baa622f8aa33fa6182d72b380d980e39574 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Sat, 8 Aug 2020 00:09:06 +0200
+Subject: [PATCH] include: Resync nf_tables.h cache copy
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820684
+Upstream Status: nftables commit f1e5a0499c077
+
+commit f1e5a0499c0773f18bc592dd0da0340120daa482
+Author: Stefano Brivio
+Date: Mon Apr 13 21:48:02 2020 +0200
+
+ include: Resync nf_tables.h cache copy
+
+ Get this header in sync with nf.git as of commit ef516e8625dd.
+
+ Signed-off-by: Stefano Brivio
+ Signed-off-by: Pablo Neira Ayuso
+---
+ include/linux/netfilter/nf_tables.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 1a99df3..9b54a86 100644
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -274,6 +274,7 @@ enum nft_rule_compat_attributes {
+ * @NFT_SET_TIMEOUT: set uses timeouts
+ * @NFT_SET_EVAL: set can be updated from the evaluation path
+ * @NFT_SET_OBJECT: set contains stateful objects
++ * @NFT_SET_CONCAT: set contains a concatenation
+ */
+ enum nft_set_flags {
+ NFT_SET_ANONYMOUS = 0x1,
+@@ -283,6 +284,7 @@ enum nft_set_flags {
+ NFT_SET_TIMEOUT = 0x10,
+ NFT_SET_EVAL = 0x20,
+ NFT_SET_OBJECT = 0x40,
++ NFT_SET_CONCAT = 0x80,
+ };
+
+ /**
+--
+1.8.3.1
+
diff --git a/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch b/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
new file mode 100644
index 0000000..60b1a0d
--- /dev/null
+++ b/SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
@@ -0,0 +1,72 @@
+From 5566405cc171c8fa84e0a13ea96b89245a3fb512 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Sat, 8 Aug 2020 00:05:48 +0200
+Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated
+ ranges
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820684
+Upstream Status: nftables commit 09441b5e92cee
+
+commit 09441b5e92ceea60198a35cd657904fa7a10ee54
+Author: Stefano Brivio
+Date: Mon Apr 13 21:48:03 2020 +0200
+
+ src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
+
+ Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support
+ for concatenated set ranges"), crashes with older kernels (< 5.6)
+ without support for concatenated set ranges: those sets will be sent
+ to the kernel, which adds them without notion of the fact that
+ different concatenated fields are actually included, and nft crashes
+ while trying to list this kind of malformed concatenation.
+
+ Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd
+ ("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when
+ sets including concatenated ranges are sent to the kernel, so that
+ older kernels (with no knowledge of this flag itself) will refuse set
+ creation.
+
+ Note that, in expr_evaluate_set(), we have to check for the presence
+ of the flag, also on empty sets that might carry it in context data,
+ and actually set it in the actual set flags.
+
+ Reported-by: Pablo Neira Ayuso
+ Signed-off-by: Stefano Brivio
+ Signed-off-by: Pablo Neira Ayuso
+---
+ src/evaluate.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 0c84816..f66251b 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
+ set->size += i->size - 1;
+ set->set_flags |= i->set_flags;
+ expr_free(i);
+- } else if (!expr_is_singleton(i))
++ } else if (!expr_is_singleton(i)) {
+ set->set_flags |= NFT_SET_INTERVAL;
++ if (i->key->etype == EXPR_CONCAT)
++ set->set_flags |= NFT_SET_CONCAT;
++ }
+ }
+
++ if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT))
++ set->set_flags |= NFT_SET_CONCAT;
++
+ set->set_flags |= NFT_SET_CONSTANT;
+
+ datatype_set(set, ctx->ectx.dtype);
+@@ -3336,6 +3342,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
+ memcpy(&set->desc.field_len, &set->key->field_len,
+ sizeof(set->desc.field_len));
+ set->desc.field_count = set->key->field_count;
++ set->flags |= NFT_SET_CONCAT;
+ }
+
+ if (set_is_datamap(set->flags)) {
+--
+1.8.3.1
+
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
index ab4e266..741a21a 100644
--- a/SPECS/nftables.spec
+++ b/SPECS/nftables.spec
@@ -1,5 +1,5 @@
 %define rpmversion 0.9.3
-%define specrelease 15%{?dist}
+%define specrelease 16%{?dist}
 
 Name: nftables
 Version: %{rpmversion}
@@ -46,6 +46,8 @@ Patch26: 0026-segtree-Use-expr_clone-in-get_set_interval_.patch
 Patch27: 0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch
 Patch28: 0028-tests-0034get_element_0-do-not-discard-stderr.patch
 Patch29: 0029-segtree-Fix-get-element-command-with-prefixes.patch
+Patch30: 0030-include-Resync-nf_tables.h-cache-copy.patch
+Patch31: 0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
 
 BuildRequires: autogen
 BuildRequires: autoconf
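Review bot: The three places in src/evaluate.c that raise NFT_SET_CONCAT carry no comment saying why the flag matters, so the reason (a kernel without support must refuse the set rather than store a concatenation it cannot parse) survives only in the commit message. In expr_evaluate_set() I would precede `if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT))` with `/* Carry NFT_SET_CONCAT over from the context set so a kernel without support refuses the set instead of accepting a malformed concatenation (bz 1820684). */`, and in set_evaluate() the new `set->flags |= NFT_SET_CONCAT;` sits inside a block whose condition is outside the hunk, so a one-line comment naming the concatenated-range key case would let a reader confirm the flag is not applied to plain interval sets. Both enclosing functions start and end outside their hunks. Whether the kernel's rejection of the unknown flag reaches the user as a readable error is not visible here; it is worth confirming, since that rejection is now the intended failure mode on kernels older than 5.6.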
@@ -162,6 +164,10 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 
 %changelog
+* Sat Aug 08 2020 Phil Sutter [0.9.3-16.el8]
+- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1820684]
+- include: Resync nf_tables.h cache copy (Phil Sutter) [1820684]
+
 * Tue Jun 30 2020 Phil Sutter [0.9.3-15.el8]
 - segtree: Fix get element command with prefixes (Phil Sutter) [1832235]
 - tests: 0034get_element_0: do not discard stderr (Phil Sutter) [1832235]