From 22caf7c26140b5a78920d9fd2240931a4f872475 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 6 Sep 2023 14:29:44 +0200
Subject: [PATCH] iptables-1.8.5-9.el8
- iptables-nft: fix basechain policy configuration
Resolves: rhbz#2236501
---
 ...t-fix-basechain-policy-configuration.patch | 82 +++++++++++++++++++
 iptables.spec | 6 +-
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 0145-iptables-nft-fix-basechain-policy-configuration.patch
diff --git a/0145-iptables-nft-fix-basechain-policy-configuration.patch b/0145-iptables-nft-fix-basechain-policy-configuration.patch
new file mode 100644
index 0000000..4650ca5
--- /dev/null
+++ b/0145-iptables-nft-fix-basechain-policy-configuration.patch
@@ -0,0 +1,82 @@
+From c5533b1a742253bf5c5ad3ae766ef3348f65f923 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 2 Oct 2020 13:44:36 +0200
+Subject: [PATCH 145/145] iptables-nft: fix basechain policy configuration
+
+Previous to this patch, the basechain policy could not be properly
+configured if it wasn't explictly set when loading the ruleset, leading
+to iptables-nft-restore (and ip6tables-nft-restore) trying to send an
+invalid ruleset to the kernel.
+
+Signed-off-by: Arturo Borrero Gonzalez
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 0bd7a8eaf3582159490ab355b1217a4e42ed021f)
+Signed-off-by: Phil Sutter
+---
+ iptables/nft.c | 6 +++-
+ .../nft-only/0008-basechain-policy_0 | 29 +++++++++++++++++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100755 iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index c3b819f1934a8..6096647bc472d 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -685,7 +685,9 @@ nft_chain_builtin_alloc(const struct builtin_table *table,
+ nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain->name);
+ nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, chain->hook);
+ nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, chain->prio);
+- nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy);
++ if (policy >= 0)
++ nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy);
++
+ nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type);
+
+ return c;
+@@ -927,6 +929,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
+ c = nft_chain_new(h, table, chain, NF_DROP, counters);
+ else if (strcmp(policy, "ACCEPT") == 0)
+ c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
++ else if (strcmp(policy, "-") == 0)
++ c = nft_chain_new(h, table, chain, -1, counters);
+ else
+ errno = EINVAL;
+
+diff --git a/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0 b/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0
+new file mode 100755
+index 
0000000000000..a81e9badc43a5
+--- /dev/null
++++ b/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0
+@@ -0,0 +1,29 @@
++#!/bin/bash
++
++[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
++set -e
++
++$XT_MULTI iptables -t raw -P OUTPUT DROP
++
++# make sure iptables-nft-restore can correctly handle basechain policies when
++# they aren't set with --noflush
++#
++$XT_MULTI iptables-restore --noflush < - 1.8.5-9
+- iptables-nft: fix basechain policy configuration
+
 * Fri Jul 28 2023 Phil Sutter - 1.8.5-8
 - Update fixes from upstream once more
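Review bot: The new `if (policy >= 0)` guard in nft_chain_builtin_alloc only works if `policy` is a signed type, and its declaration is outside the hunk (the `@@ -685` header shows just the first parameter); if that parameter, or the one nft_chain_new forwards it through, is unsigned, the `-1` now passed from nft_chain_set for the "-" policy compares as non-negative and reaches nftnl_chain_set_u32 as 0xffffffff, which the kernel would presumably reject as an invalid chain policy instead of leaving the current policy alone — worth confirming both signatures. The `-1` sentinel is also not self-explaining at either site; I would add `/* "-" in restore input: keep the basechain's current policy */` above the new `else if` in nft_chain_set and `/* policy < 0: caller asked not to touch the existing policy */` above the guard in nft_chain_builtin_alloc. Both enclosing functions start and end outside the hunk, so any other callers of nft_chain_new that pass something other than NF_ACCEPT, NF_DROP or -1 are not visible here.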