iptables-1.8.5-8.el8

- Update fixes from upstream once more

Related: rhbz#2211063

0140-iptables-Fix-setting-of-ipv6-counters.patch

@@ -0,0 +1,107 @@
+From 87cf690d64630c1c32986480036c594795224ee7 Mon Sep 17 00:00:00 2001
+From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
+Date: Mon, 19 Jun 2023 12:44:54 +0200
+Subject: [PATCH] iptables: Fix setting of ipv6 counters
+
+When setting counters using ip6tables-nft -c X Y the X and Y values were
+not stored.
+
+This is a fix based on 9baf3bf0e77dab6ca4b167554ec0e57b65d0af01 but
+applied to the nft variant of ipv6 not the legacy.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1647
+Fixes: 0391677c1a0b2 ("xtables: add IPv6 support")
+Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
+Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit ed839159edf8bda8e9196f1056c4038c22d78bfd)
+
+Conflicts:
+	iptables/xshared.c
+-> Applied to iptables/nft-ipv6.c due to missing commit e4f5185d8f29a
+   ("nft: Move proto_parse and post_parse callbacks to xshared")
+---
+ iptables/nft-ipv6.c                                        | 3 +++
+ iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 | 6 +++---
+ iptables/tests/shell/testcases/iptables/0003-list-rules_0  | 6 +++---
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
+index 1f73bbcb8771f..69d9bc41314fc 100644
+--- a/iptables/nft-ipv6.c
++++ b/iptables/nft-ipv6.c
+@@ -298,6 +298,9 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
+ 	if (args->goto_set)
+ 		cs->fw6.ipv6.flags |= IP6T_F_GOTO;
+ 
++	/* nft-variants use cs->counters, legacy uses cs->fw6.counters */
++	cs->counters.pcnt = args->pcnt_cnt;
++	cs->counters.bcnt = args->bcnt_cnt;
+ 	cs->fw6.counters.pcnt = args->pcnt_cnt;
+ 	cs->fw6.counters.bcnt = args->bcnt_cnt;
+ 
+diff --git a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0 b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0
+index c98bdd6e501aa..09e39927ef390 100755
+--- a/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0
++++ b/iptables/tests/shell/testcases/ip6tables/0003-list-rules_0
+@@ -3,7 +3,7 @@
+ set -e
+ 
+ $XT_MULTI ip6tables -N foo
+-$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT
++$XT_MULTI ip6tables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42
+ $XT_MULTI ip6tables -A FORWARD -i eth42 -o eth23 -g foo
+ $XT_MULTI ip6tables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT
+ 
+@@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0
+ -P FORWARD ACCEPT -c 0 0
+ -P OUTPUT ACCEPT -c 0 0
+ -N foo
+--A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT
++-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT
+ -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo'
+ 
+ diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S)
+@@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT
+ diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -S FORWARD)
+ 
+ EXPECT='-P FORWARD ACCEPT -c 0 0
+--A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT
++-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT
+ -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo'
+ 
+ diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -S FORWARD)
+diff --git a/iptables/tests/shell/testcases/iptables/0003-list-rules_0 b/iptables/tests/shell/testcases/iptables/0003-list-rules_0
+index d335d44257a49..d07bd151be76b 100755
+--- a/iptables/tests/shell/testcases/iptables/0003-list-rules_0
++++ b/iptables/tests/shell/testcases/iptables/0003-list-rules_0
+@@ -3,7 +3,7 @@
+ set -e
+ 
+ $XT_MULTI iptables -N foo
+-$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT
++$XT_MULTI iptables -A FORWARD -i eth23 -o eth42 -j ACCEPT -c 23 42
+ $XT_MULTI iptables -A FORWARD -i eth42 -o eth23 -g foo
+ $XT_MULTI iptables -t nat -A OUTPUT -o eth123 -m mark --mark 0x42 -j ACCEPT
+ 
+@@ -20,7 +20,7 @@ EXPECT='-P INPUT ACCEPT -c 0 0
+ -P FORWARD ACCEPT -c 0 0
+ -P OUTPUT ACCEPT -c 0 0
+ -N foo
+--A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT
++-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT
+ -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo'
+ 
+ diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S)
+@@ -32,7 +32,7 @@ EXPECT='-P FORWARD ACCEPT
+ diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -S FORWARD)
+ 
+ EXPECT='-P FORWARD ACCEPT -c 0 0
+--A FORWARD -i eth23 -o eth42 -c 0 0 -j ACCEPT
++-A FORWARD -i eth23 -o eth42 -c 23 42 -j ACCEPT
+ -A FORWARD -i eth42 -o eth23 -c 0 0 -g foo'
+ 
+ diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -S FORWARD)
+-- 
+2.40.0
+

0141-iptables-Fix-handling-of-non-existent-chains.patch

@@ -0,0 +1,53 @@
+From 66f7b6b160c53d142ebf5a0b4464ead198f2d7a7 Mon Sep 17 00:00:00 2001
+From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
+Date: Mon, 19 Jun 2023 13:46:36 +0200
+Subject: [PATCH] iptables: Fix handling of non-existent chains
+
+Since 694612adf87 the "compatibility" check considers non-existent
+chains as "incompatible". This broke some scripts which used calls
+like `iptables -L CHAIN404` to test for chain existence and expect
+"No chain/target/match by that name." in the output.
+
+This patch changes the logic of `nft_is_table_compatible()` to
+report non-existent chains as "compatible" which restores the old
+behavior.
+
+Fixes: 694612adf87 ("nft: Fix selective chain compatibility checks")
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1648
+Signed-off-by: Jacek Tomasiak <jtomasiak@arista.com>
+Signed-off-by: Jacek Tomasiak <jacek.tomasiak@gmail.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 82ccfb488eeac5507471099b9b4e6d136cc06e3b)
+---
+ iptables/nft.c                                              | 2 +-
+ iptables/tests/shell/testcases/iptables/0004-return-codes_0 | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 9a56b1fbffcbc..7349904896228 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3594,7 +3594,7 @@ bool nft_is_table_compatible(struct nft_handle *h,
+ 	if (chain) {
+ 		struct nftnl_chain *c = nft_chain_find(h, table, chain);
+ 
+-		return c && !nft_is_chain_compatible(c, h);
++		return !c || !nft_is_chain_compatible(c, h);
+ 	}
+ 
+ 	clist = nft_chain_list_get(h, table, chain);
+diff --git a/iptables/tests/shell/testcases/iptables/0004-return-codes_0 b/iptables/tests/shell/testcases/iptables/0004-return-codes_0
+index dcd9dfd3c0806..10e8c1f284080 100755
+--- a/iptables/tests/shell/testcases/iptables/0004-return-codes_0
++++ b/iptables/tests/shell/testcases/iptables/0004-return-codes_0
+@@ -58,6 +58,7 @@ cmd 1 "$ENOENT" -Z bar
+ cmd 0 -E foo bar
+ cmd 1 "$EEXIST_F" -E foo bar
+ cmd 1 "$ENOENT" -E foo bar2
++cmd 1 "$ENOENT" -L foo
+ cmd 0 -N foo2
+ cmd 1 "$EEXIST_F" -E foo2 bar
+ 
+-- 
+2.40.0
+

0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch

@@ -0,0 +1,339 @@
+From 83ad886f653aa21e8c12903272ce8e7a863f56b3 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 11 Jul 2023 22:06:44 +0200
+Subject: [PATCH] nft-bridge: pass context structure to ops->add() to improve
+ anonymous set support
+
+Add context structure to improve bridge among support which creates an
+anonymous set. This context structure specifies the command and it
+allows to optionally store a anonymous set.
+
+Use this context to generate native bytecode only if this is an
+add/insert/replace command.
+
+This fixes a dangling anonymous set that is created on rule removal.
+
+Fixes: 26753888720d ("nft: bridge: Rudimental among extension support")
+Reported-and-tested-by: Igor Raits <igor@gooddata.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 4e95200ded923f0eb5579c33b91176193c59dbe0)
+
+Conflicts:
+	iptables/nft-arp.c
+	iptables/nft-bridge.c
+	iptables/nft-ipv4.c
+	iptables/nft-ipv6.c
+	iptables/nft-shared.h
+	iptables/nft.c
+	iptables/nft.h
+-> Manually applied, too many conflicts.
+---
+ iptables/nft-arp.c    |  3 ++-
+ iptables/nft-bridge.c |  9 +++++----
+ iptables/nft-cmd.c    |  6 +++++-
+ iptables/nft-ipv4.c   |  5 +++--
+ iptables/nft-ipv6.c   |  5 +++--
+ iptables/nft-shared.h |  4 +++-
+ iptables/nft.c        | 42 +++++++++++++++++++++++++++++-------------
+ iptables/nft.h        |  9 ++++++---
+ 8 files changed, 56 insertions(+), 27 deletions(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index fa1676e7fd878..2b6bda617e32c 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -54,7 +54,8 @@ static bool need_devaddr(struct arpt_devaddr_info *info)
+ 	return false;
+ }
+ 
+-static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
++static int nft_arp_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
++		       struct nftnl_rule *r, void *data)
+ {
+ 	struct iptables_command_state *cs = data;
+ 	struct arpt_entry *fw = &cs->arp;
+diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
+index 48bcda61cfb9c..11422a187097c 100644
+--- a/iptables/nft-bridge.c
++++ b/iptables/nft-bridge.c
+@@ -131,17 +131,18 @@ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
+ 
+ static int
+ nft_bridge_add_match(struct nft_handle *h, const struct ebt_entry *fw,
+-		     struct nftnl_rule *r, struct xt_entry_match *m)
++		     struct nft_rule_ctx *ctx, struct nftnl_rule *r,
++		     struct xt_entry_match *m)
+ {
+ 	if (!strcmp(m->u.user.name, "802_3") &&
+ 	    !(fw->bitmask & EBT_802_3))
+ 		xtables_error(PARAMETER_PROBLEM,
+ 			      "For 802.3 DSAP/SSAP filtering the protocol must be LENGTH");
+ 
+-	return add_match(h, r, m);
++	return add_match(h, ctx, r, m);
+ }
+ 
+-static int nft_bridge_add(struct nft_handle *h,
++static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
+ 			  struct nftnl_rule *r, void *data)
+ {
+ 	struct iptables_command_state *cs = data;
+@@ -202,7 +203,7 @@ static int nft_bridge_add(struct nft_handle *h,
+ 
+ 	for (iter = cs->match_list; iter; iter = iter->next) {
+ 		if (iter->ismatch) {
+-			if (nft_bridge_add_match(h, fw, r, iter->u.match->m))
++			if (nft_bridge_add_match(h, fw, ctx, r, iter->u.match->m))
+ 				break;
+ 		} else {
+ 			if (add_target(r, iter->u.watcher->t))
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index fd038503d87e1..9d1c082ef62d0 100644
+--- a/iptables/nft-cmd.c
++++ b/iptables/nft-cmd.c
+@@ -13,12 +13,16 @@
+ #include <string.h>
+ #include "nft.h"
+ #include "nft-cmd.h"
++#include <libnftnl/set.h>
+ 
+ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 			    const char *table, const char *chain,
+ 			    struct iptables_command_state *state,
+ 			    int rulenum, bool verbose)
+ {
++	struct nft_rule_ctx ctx = {
++		.command = command,
++	};
+ 	struct nftnl_rule *rule;
+ 	struct nft_cmd *cmd;
+ 
+@@ -34,7 +38,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 	cmd->verbose = verbose;
+ 
+ 	if (state) {
+-		rule = nft_rule_new(h, chain, table, state);
++		rule = nft_rule_new(h, &ctx, chain, table, state);
+ 		if (!rule) {
+ 			nft_cmd_free(cmd);
+ 			return NULL;
+diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
+index a70e9ece248fe..e06d086bbf82a 100644
+--- a/iptables/nft-ipv4.c
++++ b/iptables/nft-ipv4.c
+@@ -26,7 +26,8 @@
+ #include "nft.h"
+ #include "nft-shared.h"
+ 
+-static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
++static int nft_ipv4_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
++			struct nftnl_rule *r, void *data)
+ {
+ 	struct iptables_command_state *cs = data;
+ 	struct xtables_rule_match *matchp;
+@@ -79,7 +80,7 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
+ 	add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
+ 
+ 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
+-		ret = add_match(h, r, matchp->match->m);
++		ret = add_match(h, ctx, r, matchp->match->m);
+ 		if (ret < 0)
+ 			return ret;
+ 	}
+diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
+index 69d9bc41314fc..7c8e8b82cf521 100644
+--- a/iptables/nft-ipv6.c
++++ b/iptables/nft-ipv6.c
+@@ -25,7 +25,8 @@
+ #include "nft.h"
+ #include "nft-shared.h"
+ 
+-static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
++static int nft_ipv6_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
++			struct nftnl_rule *r, void *data)
+ {
+ 	struct iptables_command_state *cs = data;
+ 	struct xtables_rule_match *matchp;
+@@ -68,7 +69,7 @@ static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
+ 	add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
+ 
+ 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
+-		ret = add_match(h, r, matchp->match->m);
++		ret = add_match(h, ctx, r, matchp->match->m);
+ 		if (ret < 0)
+ 			return ret;
+ 	}
+diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
+index e3c1b202b8638..c29ad12e9151a 100644
+--- a/iptables/nft-shared.h
++++ b/iptables/nft-shared.h
+@@ -35,6 +35,7 @@
+ 			| FMT_NUMERIC | FMT_NOTABLE)
+ #define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
+ 
++struct nft_rule_ctx;
+ struct xtables_args;
+ struct nft_handle;
+ struct xt_xlate;
+@@ -74,7 +75,8 @@ struct nft_xt_ctx {
+ };
+ 
+ struct nft_family_ops {
+-	int (*add)(struct nft_handle *h, struct nftnl_rule *r, void *data);
++	int (*add)(struct nft_handle *h, struct nft_rule_ctx *ctx,
++		   struct nftnl_rule *r, void *data);
+ 	bool (*is_same)(const void *data_a,
+ 			const void *data_b);
+ 	void (*print_payload)(struct nftnl_expr *e,
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 7349904896228..936204a432621 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1064,7 +1064,8 @@ gen_lookup(uint32_t sreg, const char *set_name, uint32_t set_id, uint32_t flags)
+ #define NFT_DATATYPE_ETHERADDR	9
+ 
+ static int __add_nft_among(struct nft_handle *h, const char *table,
+-			   struct nftnl_rule *r, struct nft_among_pair *pairs,
++			   struct nft_rule_ctx *ctx, struct nftnl_rule *r,
++			   struct nft_among_pair *pairs,
+ 			   int cnt, bool dst, bool inv, bool ip)
+ {
+ 	uint32_t set_id, type = NFT_DATATYPE_ETHERADDR, len = ETH_ALEN;
+@@ -1142,7 +1143,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
+ 	return 0;
+ }
+ 
+-static int add_nft_among(struct nft_handle *h,
++static int add_nft_among(struct nft_handle *h, struct nft_rule_ctx *ctx,
+ 			 struct nftnl_rule *r, struct xt_entry_match *m)
+ {
+ 	struct nft_among_data *data = (struct nft_among_data *)m->data;
+@@ -1157,25 +1158,33 @@ static int add_nft_among(struct nft_handle *h,
+ 	}
+ 
+ 	if (data->src.cnt)
+-		__add_nft_among(h, table, r, data->pairs, data->src.cnt,
++		__add_nft_among(h, table, ctx, r, data->pairs, data->src.cnt,
+ 				false, data->src.inv, data->src.ip);
+ 	if (data->dst.cnt)
+-		__add_nft_among(h, table, r, data->pairs + data->src.cnt,
++		__add_nft_among(h, table, ctx, r, data->pairs + data->src.cnt,
+ 				data->dst.cnt, true, data->dst.inv,
+ 				data->dst.ip);
+ 	return 0;
+ }
+ 
+-int add_match(struct nft_handle *h,
++int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
+ 	      struct nftnl_rule *r, struct xt_entry_match *m)
+ {
+ 	struct nftnl_expr *expr;
+ 	int ret;
+ 
+-	if (!strcmp(m->u.user.name, "limit"))
+-		return add_nft_limit(r, m);
+-	else if (!strcmp(m->u.user.name, "among"))
+-		return add_nft_among(h, r, m);
++	switch (ctx->command) {
++	case NFT_COMPAT_RULE_APPEND:
++	case NFT_COMPAT_RULE_INSERT:
++	case NFT_COMPAT_RULE_REPLACE:
++		if (!strcmp(m->u.user.name, "limit"))
++			return add_nft_limit(r, m);
++		else if (!strcmp(m->u.user.name, "among"))
++			return add_nft_among(h, ctx, r, m);
++		break;
++	default:
++		break;
++	}
+ 
+ 	expr = nftnl_expr_alloc("match");
+ 	if (expr == NULL)
+@@ -1378,7 +1387,8 @@ void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv)
+ }
+ 
+ struct nftnl_rule *
+-nft_rule_new(struct nft_handle *h, const char *chain, const char *table,
++nft_rule_new(struct nft_handle *h, struct nft_rule_ctx *ctx,
++	     const char *chain, const char *table,
+ 	     void *data)
+ {
+ 	struct nftnl_rule *r;
+@@ -1391,7 +1401,7 @@ nft_rule_new(struct nft_handle *h, const char *chain, const char *table,
+ 	nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table);
+ 	nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain);
+ 
+-	if (h->ops->add(h, r, data) < 0)
++	if (h->ops->add(h, ctx, r, data) < 0)
+ 		goto err;
+ 
+ 	return r;
+@@ -2599,6 +2609,9 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
+ {
+ 	struct iptables_command_state cs = {};
+ 	struct nftnl_rule *r, *new_rule;
++	struct nft_rule_ctx ctx = {
++		.command = NFT_COMPAT_RULE_APPEND,
++	};
+ 	struct nftnl_chain *c;
+ 	int ret = 0;
+ 
+@@ -2617,7 +2630,7 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
+ 
+ 	h->ops->rule_to_cs(h, r, &cs);
+ 	cs.counters.pcnt = cs.counters.bcnt = 0;
+-	new_rule = nft_rule_new(h, chain, table, &cs);
++	new_rule = nft_rule_new(h, &ctx, chain, table, &cs);
+ 	h->ops->clear_cs(&cs);
+ 
+ 	if (!new_rule)
+@@ -2981,6 +2994,9 @@ static int ebt_add_policy_rule(struct nftnl_chain *c, void *data)
+ 		.eb.bitmask = EBT_NOPROTO,
+ 	};
+ 	struct nftnl_udata_buf *udata;
++	struct nft_rule_ctx ctx = {
++		.command	= NFT_COMPAT_RULE_APPEND,
++	};
+ 	struct nft_handle *h = data;
+ 	struct nftnl_rule *r;
+ 	const char *pname;
+@@ -3008,7 +3024,7 @@ static int ebt_add_policy_rule(struct nftnl_chain *c, void *data)
+ 
+ 	command_jump(&cs, pname);
+ 
+-	r = nft_rule_new(h, nftnl_chain_get_str(c, NFTNL_CHAIN_NAME),
++	r = nft_rule_new(h, &ctx, nftnl_chain_get_str(c, NFTNL_CHAIN_NAME),
+ 			 nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE), &cs);
+ 	ebt_cs_clean(&cs);
+ 
+diff --git a/iptables/nft.h b/iptables/nft.h
+index bd783231156b7..7baceaa44f698 100644
+--- a/iptables/nft.h
++++ b/iptables/nft.h
+@@ -165,9 +165,11 @@ struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
+ /*
+  * Operations with rule-set.
+  */
+-struct nftnl_rule;
++struct nft_rule_ctx {
++	int			command;
++};
+ 
+-struct nftnl_rule *nft_rule_new(struct nft_handle *h, const char *chain, const char *table, void *data);
++struct nftnl_rule *nft_rule_new(struct nft_handle *h, struct nft_rule_ctx *rule, const char *chain, const char *table, void *data);
+ int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, struct nftnl_rule *ref, bool verbose);
+ int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, int rulenum, bool verbose);
+ int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct nftnl_rule *r, bool verbose);
+@@ -185,7 +187,8 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *
+  */
+ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
+ int add_verdict(struct nftnl_rule *r, int verdict);
+-int add_match(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m);
++int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
++	      struct nftnl_rule *r, struct xt_entry_match *m);
+ int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
+ int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
+ int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
+-- 
+2.40.0
+

0143-nft-Special-casing-for-among-match-in-compare_matche.patch

@@ -0,0 +1,46 @@
+From 1dcbf8ed6849543fcaffb8af0d50e08e27232ce2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 21 Jul 2023 13:14:36 +0200
+Subject: [PATCH] nft: Special casing for among match in compare_matches()
+
+When other extensions may have "garbage" appended to their data which
+should not be considered for match comparison, among match is the
+opposite in that it extends its data beyond the value in 'size' field.
+Add special casing to cover for this, avoiding false-positive rule
+comparison.
+
+Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 10583537004f7ecd4aa11f6c12b7ba73fb77fc11)
+---
+ iptables/nft-shared.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index ed093c07d7617..0b5745f7e82f4 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -911,6 +911,7 @@ bool compare_matches(struct xtables_rule_match *mt1,
+ 	for (mp1 = mt1, mp2 = mt2; mp1 && mp2; mp1 = mp1->next, mp2 = mp2->next) {
+ 		struct xt_entry_match *m1 = mp1->match->m;
+ 		struct xt_entry_match *m2 = mp2->match->m;
++		size_t cmplen = mp1->match->userspacesize;
+ 
+ 		if (strcmp(m1->u.user.name, m2->u.user.name) != 0) {
+ 			DEBUGP("mismatching match name\n");
+@@ -922,8 +923,10 @@ bool compare_matches(struct xtables_rule_match *mt1,
+ 			return false;
+ 		}
+ 
+-		if (memcmp(m1->data, m2->data,
+-			   mp1->match->userspacesize) != 0) {
++		if (!strcmp(m1->u.user.name, "among"))
++			cmplen = m1->u.match_size - sizeof(*m1);
++
++		if (memcmp(m1->data, m2->data, cmplen) != 0) {
+ 			DEBUGP("mismatch match data\n");
+ 			return false;
+ 		}
+-- 
+2.40.0
+

0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch

@@ -0,0 +1,67 @@
+From 4cde53b041a39a0fe9a1c2701b00216f34510f7b Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Sat, 15 Jul 2023 01:35:39 +0200
+Subject: [PATCH] nft: Do not pass nft_rule_ctx to add_nft_among()
+
+It is not used, must be a left-over from an earlier version of the fixed
+commit.
+
+Fixes: 4e95200ded923 ("nft-bridge: pass context structure to ops->add() to improve anonymous set support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit bd71c11a95ab2b44794843fd8a3698039a7db211)
+
+Conflicts:
+	iptables/nft.c
+-> Context conflict due to missing other native expression conversions.
+---
+ iptables/nft.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 936204a432621..c3b819f1934a8 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -1064,8 +1064,7 @@ gen_lookup(uint32_t sreg, const char *set_name, uint32_t set_id, uint32_t flags)
+ #define NFT_DATATYPE_ETHERADDR	9
+ 
+ static int __add_nft_among(struct nft_handle *h, const char *table,
+-			   struct nft_rule_ctx *ctx, struct nftnl_rule *r,
+-			   struct nft_among_pair *pairs,
++			   struct nftnl_rule *r, struct nft_among_pair *pairs,
+ 			   int cnt, bool dst, bool inv, bool ip)
+ {
+ 	uint32_t set_id, type = NFT_DATATYPE_ETHERADDR, len = ETH_ALEN;
+@@ -1143,7 +1142,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
+ 	return 0;
+ }
+ 
+-static int add_nft_among(struct nft_handle *h, struct nft_rule_ctx *ctx,
++static int add_nft_among(struct nft_handle *h,
+ 			 struct nftnl_rule *r, struct xt_entry_match *m)
+ {
+ 	struct nft_among_data *data = (struct nft_among_data *)m->data;
+@@ -1158,10 +1157,10 @@ static int add_nft_among(struct nft_handle *h, struct nft_rule_ctx *ctx,
+ 	}
+ 
+ 	if (data->src.cnt)
+-		__add_nft_among(h, table, ctx, r, data->pairs, data->src.cnt,
++		__add_nft_among(h, table, r, data->pairs, data->src.cnt,
+ 				false, data->src.inv, data->src.ip);
+ 	if (data->dst.cnt)
+-		__add_nft_among(h, table, ctx, r, data->pairs + data->src.cnt,
++		__add_nft_among(h, table, r, data->pairs + data->src.cnt,
+ 				data->dst.cnt, true, data->dst.inv,
+ 				data->dst.ip);
+ 	return 0;
+@@ -1180,7 +1179,7 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
+ 		if (!strcmp(m->u.user.name, "limit"))
+ 			return add_nft_limit(r, m);
+ 		else if (!strcmp(m->u.user.name, "among"))
+-			return add_nft_among(h, ctx, r, m);
++			return add_nft_among(h, r, m);
+ 		break;
+ 	default:
+ 		break;
+-- 
+2.40.0
+

iptables.spec

@@ -10,7 +10,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: http://www.netfilter.org/projects/iptables
 Version: 1.8.5
-Release: 7%{?dist}
+Release: 8%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -163,6 +163,11 @@ Patch136: 0136-tests-iptables-test-Fix-conditional-colors-on-stderr.patch
 Patch137: 0137-tests-shell-update-format-of-registers-in-bitwise-pa.patch
 Patch138: 0138-tests-shell-Fix-nft-only-0009-needless-bitwise_0.patch
 Patch139: 0139-tests-shell-Sanitize-nft-only-0009-needless-bitwise_.patch
+Patch140: 0140-iptables-Fix-setting-of-ipv6-counters.patch
+Patch141: 0141-iptables-Fix-handling-of-non-existent-chains.patch
+Patch142: 0142-nft-bridge-pass-context-structure-to-ops-add-to-impr.patch
+Patch143: 0143-nft-Special-casing-for-among-match-in-compare_matche.patch
+Patch144: 0144-nft-Do-not-pass-nft_rule_ctx-to-add_nft_among.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -535,6 +540,9 @@ done
 %doc %{_mandir}/man8/ebtables*.8*
 
 %changelog
+* Fri Jul 28 2023 Phil Sutter <psutter@redhat.com> - 1.8.5-8
+- Update fixes from upstream once more
+
 * Wed Jul 19 2023 Phil Sutter <psutter@redhat.com> - 1.8.5-7
 - Fix shell test-case for older gawk version