import libnftnl-1.1.5-2.el8

2020-01-21 18:36:40 -05:00 · 2020-01-21 18:36:40 -05:00 · 2186a38689
commit 2186a38689
parent b65d64bfa0
20 changed files with 279 additions and 2472 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/libnftnl-1.1.1.tar.bz2
+SOURCES/libnftnl-1.1.5.tar.bz2
--- a/.libnftnl.metadata
+++ b/.libnftnl.metadata
@ -1 +1 @@
-d2be642a54e0f105cb5564471ae4aaaed8b97ca6 SOURCES/libnftnl-1.1.1.tar.bz2
+a923bae5b028a30c5c8aa4c0f71445885867274b SOURCES/libnftnl-1.1.5.tar.bz2
--- a/SOURCES/0001-src-remove-nftnl_rule_cmp-and-nftnl_expr_cmp.patch
+++ b/SOURCES/0001-src-remove-nftnl_rule_cmp-and-nftnl_expr_cmp.patch
--- a/SOURCES/0001-tests-flowtable-Don-t-check-NFTNL_FLOWTABLE_SIZE.patch
+++ b/SOURCES/0001-tests-flowtable-Don-t-check-NFTNL_FLOWTABLE_SIZE.patch
@ -0,0 +1,47 @@
 From 3f0616b15e32def6d01b4535ac0efb51caa07662 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Mon, 2 Dec 2019 18:55:39 +0100
 Subject: [PATCH] tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1717129
 Upstream Status: libnftnl commit b2388765e0c44
 commit b2388765e0c4405442faa13845419f6a35d0134c
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Mon Dec 2 18:29:56 2019 +0100
    tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE
    Marshalling code around that attribute has been dropped by commit
    d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") so it's value is
    lost during the test.
    Assuming that NFTNL_FLOWTABLE_SIZE will receive kernel support at a
    later point, leave the test code in place but just comment it out.
    Fixes: d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 tests/nft-flowtable-test.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/tests/nft-flowtable-test.c b/tests/nft-flowtable-test.c
 index 3edb00d..8ab8d4c 100644
 --- a/tests/nft-flowtable-test.c
 +++ b/tests/nft-flowtable-test.c
@@ -33,9 +33,11 @@ static void cmp_nftnl_flowtable(struct nftnl_flowtable *a, struct nftnl_flowtabl
 	if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_USE) !=
 	    nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_USE))
 		print_err("Flowtable use mismatches");
 +#if 0
 	if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_SIZE) !=
 	    nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_SIZE))
 		print_err("Flowtable size mismatches");
 +#endif
 	if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_FLAGS) !=
 	    nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_FLAGS))
 		print_err("Flowtable flags mismatches");
 -- 
 1.8.3.1
--- a/SOURCES/0002-chain-Support-per-chain-rules-list.patch
+++ b/SOURCES/0002-chain-Support-per-chain-rules-list.patch
@ -1,313 +0,0 @@
 From 8fcb95ed6dcd47c94a924b4018177d8a833d6983 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Mon, 17 Dec 2018 17:30:06 +0100
 Subject: [PATCH] chain: Support per chain rules list
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
 Upstream Status: libnftnl commit e33798478176f
 commit e33798478176f97edf2649cd61444e0375fdc12b
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Thu Dec 6 17:17:51 2018 +0100
    chain: Support per chain rules list
    The implementation basically copies expr_list in struct nftnl_rule.
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 include/internal.h       |   1 +
 include/libnftnl/chain.h |  15 +++++++
 include/rule.h           |  26 ++++++++++++
 src/chain.c              | 104 ++++++++++++++++++++++++++++++++++++++++++++++-
 src/libnftnl.map         |  10 +++++
 src/rule.c               |  22 ----------
 6 files changed, 155 insertions(+), 23 deletions(-)
 create mode 100644 include/rule.h
 diff --git a/include/internal.h b/include/internal.h
 index 7e97c4a..323f825 100644
 --- a/include/internal.h
 +++ b/include/internal.h
@@ -13,5 +13,6 @@
 #include "expr.h"
 #include "expr_ops.h"
 #include "buffer.h"
 +#include "rule.h"
 #endif /* _LIBNFTNL_INTERNAL_H_ */
 diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
 index 237683e..f04f610 100644
 --- a/include/libnftnl/chain.h
 +++ b/include/libnftnl/chain.h
@@ -13,6 +13,7 @@ extern "C" {
 #endif
 struct nftnl_chain;
 +struct nftnl_rule;
 struct nftnl_chain *nftnl_chain_alloc(void);
 void nftnl_chain_free(const struct nftnl_chain *);
@@ -54,6 +55,10 @@ uint32_t nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr);
 int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
 uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
 +void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
 +void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
 +void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
 +
 struct nlmsghdr;
 void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *t);
@@ -68,6 +73,16 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, ui
 #define nftnl_chain_nlmsg_build_hdr	nftnl_nlmsg_build_hdr
 int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
 +int nftnl_rule_foreach(struct nftnl_chain *c,
 +			  int (*cb)(struct nftnl_rule *r, void *data),
 +			  void *data);
 +
 +struct nftnl_rule_iter;
 +
 +struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c);
 +struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter);
 +void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter);
 +
 struct nftnl_chain_list;
 struct nftnl_chain_list *nftnl_chain_list_alloc(void);
 diff --git a/include/rule.h b/include/rule.h
 new file mode 100644
 index 0000000..5edcb6c
 --- /dev/null
 +++ b/include/rule.h
@@ -0,0 +1,26 @@
 +#ifndef _LIBNFTNL_RULE_INTERNAL_H_
 +#define _LIBNFTNL_RULE_INTERNAL_H_
 +
 +struct nftnl_rule {
 +	struct list_head head;
 +
 +	uint32_t	flags;
 +	uint32_t	family;
 +	const char	*table;
 +	const char	*chain;
 +	uint64_t	handle;
 +	uint64_t	position;
 +	uint32_t	id;
 +	struct {
 +			void		*data;
 +			uint32_t	len;
 +	} user;
 +	struct {
 +			uint32_t	flags;
 +			uint32_t	proto;
 +	} compat;
 +
 +	struct list_head expr_list;
 +};
 +
 +#endif
 diff --git a/src/chain.c b/src/chain.c
 index eff5186..c374923 100644
 --- a/src/chain.c
 +++ b/src/chain.c
@@ -27,6 +27,7 @@
 #include <linux/netfilter_arp.h>
 #include <libnftnl/chain.h>
 +#include <libnftnl/rule.h>
 #include <buffer.h>
 struct nftnl_chain {
@@ -45,6 +46,8 @@ struct nftnl_chain {
 	uint64_t	bytes;
 	uint64_t	handle;
 	uint32_t	flags;
 +
 +	struct list_head rule_list;
 };
 static const char *nftnl_hooknum2str(int family, int hooknum)
@@ -90,12 +93,25 @@ static const char *nftnl_hooknum2str(int family, int hooknum)
 EXPORT_SYMBOL(nftnl_chain_alloc);
 struct nftnl_chain *nftnl_chain_alloc(void)
 {
 -	return calloc(1, sizeof(struct nftnl_chain));
 +	struct nftnl_chain *c;
 +
 +	c = calloc(1, sizeof(struct nftnl_chain));
 +	if (c == NULL)
 +		return NULL;
 +
 +	INIT_LIST_HEAD(&c->rule_list);
 +
 +	return c;
 }
 EXPORT_SYMBOL(nftnl_chain_free);
 void nftnl_chain_free(const struct nftnl_chain *c)
 {
 +	struct nftnl_rule *r, *tmp;
 +
 +	list_for_each_entry_safe(r, tmp, &c->rule_list, head)
 +		nftnl_rule_free(r);
 +
 	if (c->flags & (1 << NFTNL_CHAIN_NAME))
 		xfree(c->name);
 	if (c->flags & (1 << NFTNL_CHAIN_TABLE))
@@ -406,6 +422,24 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch
 		mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, c->type);
 }
 +EXPORT_SYMBOL(nftnl_chain_rule_add);
 +void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
 +{
 +	list_add(&rule->head, &c->rule_list);
 +}
 +
 +EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
 +void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
 +{
 +	list_add_tail(&rule->head, &c->rule_list);
 +}
 +
 +EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
 +void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
 +{
 +	list_add(&rule->head, &pos->head);
 +}
 +
 static int nftnl_chain_parse_attr_cb(const struct nlattr *attr, void *data)
 {
 	const struct nlattr **tb = data;
@@ -875,6 +909,74 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type,
 			   nftnl_chain_do_snprintf);
 }
 +EXPORT_SYMBOL(nftnl_rule_foreach);
 +int nftnl_rule_foreach(struct nftnl_chain *c,
 +                          int (*cb)(struct nftnl_rule *r, void *data),
 +                          void *data)
 +{
 +       struct nftnl_rule *cur, *tmp;
 +       int ret;
 +
 +       list_for_each_entry_safe(cur, tmp, &c->rule_list, head) {
 +               ret = cb(cur, data);
 +               if (ret < 0)
 +                       return ret;
 +       }
 +       return 0;
 +}
 +
 +struct nftnl_rule_iter {
 +	const struct nftnl_chain	*c;
 +	struct nftnl_rule		*cur;
 +};
 +
 +static void nftnl_rule_iter_init(const struct nftnl_chain *c,
 +				 struct nftnl_rule_iter *iter)
 +{
 +	iter->c = c;
 +	if (list_empty(&c->rule_list))
 +		iter->cur = NULL;
 +	else
 +		iter->cur = list_entry(c->rule_list.next, struct nftnl_rule,
 +				       head);
 +}
 +
 +EXPORT_SYMBOL(nftnl_rule_iter_create);
 +struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c)
 +{
 +	struct nftnl_rule_iter *iter;
 +
 +	iter = calloc(1, sizeof(struct nftnl_rule_iter));
 +	if (iter == NULL)
 +		return NULL;
 +
 +	nftnl_rule_iter_init(c, iter);
 +
 +	return iter;
 +}
 +
 +EXPORT_SYMBOL(nftnl_rule_iter_next);
 +struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter)
 +{
 +	struct nftnl_rule *rule = iter->cur;
 +
 +	if (rule == NULL)
 +		return NULL;
 +
 +	/* get next rule, if any */
 +	iter->cur = list_entry(iter->cur->head.next, struct nftnl_rule, head);
 +	if (&iter->cur->head == iter->c->rule_list.next)
 +		return NULL;
 +
 +	return rule;
 +}
 +
 +EXPORT_SYMBOL(nftnl_rule_iter_destroy);
 +void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
 +{
 +	xfree(iter);
 +}
 +
 struct nftnl_chain_list {
 	struct list_head list;
 };
 diff --git a/src/libnftnl.map b/src/libnftnl.map
 index 89414f2..96d5b5f 100644
 --- a/src/libnftnl.map
 +++ b/src/libnftnl.map
@@ -336,3 +336,13 @@ global:
 local: *;
 };
 +
 +LIBNFTNL_12 {
 +  nftnl_chain_rule_add;
 +  nftnl_chain_rule_add_tail;
 +  nftnl_chain_rule_insert_at;
 +  nftnl_rule_foreach;
 +  nftnl_rule_iter_create;
 +  nftnl_rule_iter_next;
 +  nftnl_rule_iter_destroy;
 +} LIBNFTNL_11;
 diff --git a/src/rule.c b/src/rule.c
 index 2c70420..6a43d3e 100644
 --- a/src/rule.c
 +++ b/src/rule.c
@@ -30,28 +30,6 @@
 #include <libnftnl/set.h>
 #include <libnftnl/expr.h>
 -struct nftnl_rule {
 -	struct list_head head;
 -
 -	uint32_t	flags;
 -	uint32_t	family;
 -	const char	*table;
 -	const char	*chain;
 -	uint64_t	handle;
 -	uint64_t	position;
 -	uint32_t	id;
 -	struct {
 -			void		*data;
 -			uint32_t	len;
 -	} user;
 -	struct {
 -			uint32_t	flags;
 -			uint32_t	proto;
 -	} compat;
 -
 -	struct list_head expr_list;
 -};
 -
 EXPORT_SYMBOL(nftnl_rule_alloc);
 struct nftnl_rule *nftnl_rule_alloc(void)
 {
 -- 
 1.8.3.1
--- a/SOURCES/0002-flowtable-Fix-memleak-in-error-path-of-nftnl_flowtab.patch
+++ b/SOURCES/0002-flowtable-Fix-memleak-in-error-path-of-nftnl_flowtab.patch
@ -0,0 +1,39 @@
 From e744735b92ee312cd2ad08776f3c56962ab53710 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 6 Dec 2019 17:31:16 +0100
 Subject: [PATCH] flowtable: Fix memleak in error path of
 nftnl_flowtable_parse_devs()
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
 Upstream Status: libnftnl commit ba1b02594e8d0
 commit ba1b02594e8d05e4c791925a50f9309f89b55c80
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Mon Dec 2 22:57:40 2019 +0100
    flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs()
    In error case, allocated dev_array is not freed.
    Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/flowtable.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/flowtable.c b/src/flowtable.c
 index 324e80f..db31943 100644
 --- a/src/flowtable.c
 +++ b/src/flowtable.c
@@ -419,6 +419,7 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
 err:
 	while (len--)
 		xfree(dev_array[len]);
 +	xfree(dev_array);
 	return -1;
 }
 -- 
 1.8.3.1
--- a/SOURCES/0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch
+++ b/SOURCES/0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch
@ -1,107 +0,0 @@
 From 75b3a238485745de01cf6264703ba6c192d7f721 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Mon, 17 Dec 2018 17:30:06 +0100
 Subject: [PATCH] chain: Add lookup functions for chain list and rules in chain
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
 Upstream Status: libnftnl commit 1a829ec0c3285
 commit 1a829ec0c3285baac712352c3a046a4f76013e70
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Thu Dec 6 17:17:52 2018 +0100
    chain: Add lookup functions for chain list and rules in chain
    For now, these lookup functions simply iterate over the linked list
    until they find the right entry. In future, they may make use of more
    optimized data structures behind the curtains.
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 include/libnftnl/chain.h |  2 ++
 src/chain.c              | 28 ++++++++++++++++++++++++++++
 src/libnftnl.map         |  3 +++
 3 files changed, 33 insertions(+)
 diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
 index f04f610..64e10e9 100644
 --- a/include/libnftnl/chain.h
 +++ b/include/libnftnl/chain.h
@@ -76,6 +76,7 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
 int nftnl_rule_foreach(struct nftnl_chain *c,
 			  int (*cb)(struct nftnl_rule *r, void *data),
 			  void *data);
 +struct nftnl_rule *nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index);
 struct nftnl_rule_iter;
@@ -89,6 +90,7 @@ struct nftnl_chain_list *nftnl_chain_list_alloc(void);
 void nftnl_chain_list_free(struct nftnl_chain_list *list);
 int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list);
 int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list, int (*cb)(struct nftnl_chain *t, void *data), void *data);
 +struct nftnl_chain *nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list, const char *chain);
 void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list);
 void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list);
 diff --git a/src/chain.c b/src/chain.c
 index c374923..22bb45c 100644
 --- a/src/chain.c
 +++ b/src/chain.c
@@ -925,6 +925,20 @@ int nftnl_rule_foreach(struct nftnl_chain *c,
        return 0;
 }
 +EXPORT_SYMBOL(nftnl_rule_lookup_byindex);
 +struct nftnl_rule *
 +nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index)
 +{
 +	struct nftnl_rule *r;
 +
 +	list_for_each_entry(r, &c->rule_list, head) {
 +		if (!index)
 +			return r;
 +		index--;
 +	}
 +	return NULL;
 +}
 +
 struct nftnl_rule_iter {
 	const struct nftnl_chain	*c;
 	struct nftnl_rule		*cur;
@@ -1047,6 +1061,20 @@ int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list,
 	return 0;
 }
 +EXPORT_SYMBOL(nftnl_chain_list_lookup_byname);
 +struct nftnl_chain *
 +nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
 +			       const char *chain)
 +{
 +	struct nftnl_chain *c;
 +
 +	list_for_each_entry(c, &chain_list->list, head) {
 +		if (!strcmp(chain, c->name))
 +			return c;
 +	}
 +	return NULL;
 +}
 +
 struct nftnl_chain_list_iter {
 	const struct nftnl_chain_list	*list;
 	struct nftnl_chain		*cur;
 diff --git a/src/libnftnl.map b/src/libnftnl.map
 index 96d5b5f..0d3be32 100644
 --- a/src/libnftnl.map
 +++ b/src/libnftnl.map
@@ -345,4 +345,7 @@ LIBNFTNL_12 {
   nftnl_rule_iter_create;
   nftnl_rule_iter_next;
   nftnl_rule_iter_destroy;
 +
 +  nftnl_chain_list_lookup_byname;
 +  nftnl_rule_lookup_byindex;
 } LIBNFTNL_11;
 -- 
 1.8.3.1
--- a/SOURCES/0003-chain-Fix-memleak-in-error-path-of-nftnl_chain_parse.patch
+++ b/SOURCES/0003-chain-Fix-memleak-in-error-path-of-nftnl_chain_parse.patch
@ -0,0 +1,38 @@
 From a5241b8fcd2f62d8e71bf9dfebfbcf27a8a61e46 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 6 Dec 2019 17:31:16 +0100
 Subject: [PATCH] chain: Fix memleak in error path of nftnl_chain_parse_devs()
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
 Upstream Status: libnftnl commit 32a8c5f52355e
 commit 32a8c5f52355ef69bf74c28e27345b2e03d948e7
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Mon Dec 2 23:00:20 2019 +0100
    chain: Fix memleak in error path of nftnl_chain_parse_devs()
    In error case, dev_array is not freed when it should.
    Fixes: e3ac19b5ec162 ("chain: multi-device support")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/chain.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/chain.c b/src/chain.c
 index d4050d2..9cc8735 100644
 --- a/src/chain.c
 +++ b/src/chain.c
@@ -636,6 +636,7 @@ static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
 err:
 	while (len--)
 		xfree(dev_array[len]);
 +	xfree(dev_array);
 	return -1;
 }
 -- 
 1.8.3.1
--- a/SOURCES/0004-chain-Hash-chain-list-by-name.patch
+++ b/SOURCES/0004-chain-Hash-chain-list-by-name.patch
@ -1,143 +0,0 @@
 From a3af0aff50cd3e899cb5205d4d5330a96aeffaa5 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Mon, 17 Dec 2018 17:30:06 +0100
 Subject: [PATCH] chain: Hash chain list by name
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
 Upstream Status: libnftnl commit 7170f0929ef50
 commit 7170f0929ef50a1a45d9fd5d058ea6178c8e56ef
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Tue Dec 11 18:44:00 2018 +0100
    chain: Hash chain list by name
    Introduce a hash table to speedup nftnl_chain_list_lookup_byname(). In
    theory this could replace the linked list completely but has been left
    in place so that nftnl_chain_list_add_tail() still does what it's
    supposed to and iterators return chains in original order.
    Speed was tested using a simple script which creates a dump file
    containing a number of custom chains and for each of them two rules in
    INPUT chain jumping to it. The following table compares run-time of
    iptables-legacy-restore with iptables-nft-restore before and after this
    patch:
    count      legacy       nft-old        nft-new
    ----------------------------------------------
    10000         26s           38s            31s
    50000        137s          339s           149s
    So while it is still not as quick, it now scales nicely (at least in
    this very primitive test).
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/chain.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
 diff --git a/src/chain.c b/src/chain.c
 index 22bb45c..ae074fd 100644
 --- a/src/chain.c
 +++ b/src/chain.c
@@ -32,6 +32,7 @@
 struct nftnl_chain {
 	struct list_head head;
 +	struct hlist_node hnode;
 	const char	*name;
 	const char	*type;
@@ -991,20 +992,27 @@ void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
 	xfree(iter);
 }
 +#define CHAIN_NAME_HSIZE	512
 +
 struct nftnl_chain_list {
 +
 	struct list_head list;
 +	struct hlist_head name_hash[CHAIN_NAME_HSIZE];
 };
 EXPORT_SYMBOL(nftnl_chain_list_alloc);
 struct nftnl_chain_list *nftnl_chain_list_alloc(void)
 {
 	struct nftnl_chain_list *list;
 +	int i;
 	list = calloc(1, sizeof(struct nftnl_chain_list));
 	if (list == NULL)
 		return NULL;
 	INIT_LIST_HEAD(&list->list);
 +	for (i = 0; i < CHAIN_NAME_HSIZE; i++)
 +		INIT_HLIST_HEAD(&list->name_hash[i]);
 	return list;
 }
@@ -1016,6 +1024,7 @@ void nftnl_chain_list_free(struct nftnl_chain_list *list)
 	list_for_each_entry_safe(r, tmp, &list->list, head) {
 		list_del(&r->head);
 +		hlist_del(&r->hnode);
 		nftnl_chain_free(r);
 	}
 	xfree(list);
@@ -1027,15 +1036,31 @@ int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list)
 	return list_empty(&list->list);
 }
 +static uint32_t djb_hash(const char *key)
 +{
 +	uint32_t i, hash = 5381;
 +
 +	for (i = 0; i < strlen(key); i++)
 +		hash = ((hash << 5) + hash) + key[i];
 +
 +	return hash;
 +}
 +
 EXPORT_SYMBOL(nftnl_chain_list_add);
 void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list)
 {
 +	int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
 +
 +	hlist_add_head(&r->hnode, &list->name_hash[key]);
 	list_add(&r->head, &list->list);
 }
 EXPORT_SYMBOL(nftnl_chain_list_add_tail);
 void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list)
 {
 +	int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
 +
 +	hlist_add_head(&r->hnode, &list->name_hash[key]);
 	list_add_tail(&r->head, &list->list);
 }
@@ -1043,6 +1068,7 @@ EXPORT_SYMBOL(nftnl_chain_list_del);
 void nftnl_chain_list_del(struct nftnl_chain *r)
 {
 	list_del(&r->head);
 +	hlist_del(&r->hnode);
 }
 EXPORT_SYMBOL(nftnl_chain_list_foreach);
@@ -1066,9 +1092,11 @@ struct nftnl_chain *
 nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
 			       const char *chain)
 {
 +	int key = djb_hash(chain) % CHAIN_NAME_HSIZE;
 	struct nftnl_chain *c;
 +	struct hlist_node *n;
 -	list_for_each_entry(c, &chain_list->list, head) {
 +	hlist_for_each_entry(c, n, &chain_list->name_hash[key], hnode) {
 		if (!strcmp(chain, c->name))
 			return c;
 	}
 -- 
 1.8.3.1
--- a/SOURCES/0004-flowtable-Correctly-check-realloc-call.patch
+++ b/SOURCES/0004-flowtable-Correctly-check-realloc-call.patch
@ -0,0 +1,61 @@
 From 8f24f6eed8d905fb6b64d003ae3f4f1e657301aa Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 6 Dec 2019 17:31:16 +0100
 Subject: [PATCH] flowtable: Correctly check realloc() call
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
 Upstream Status: libnftnl commit 835d645f40525
 commit 835d645f4052551c5c1829c37a07c882f2260f65
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Mon Dec 2 23:08:07 2019 +0100
    flowtable: Correctly check realloc() call
    If realloc() fails, it returns NULL but the original pointer is
    untouchted and therefore still has to be freed. Unconditionally
    overwriting the old pointer is therefore a bad idea, use a temporary
    variable instead.
    Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/flowtable.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
 diff --git a/src/flowtable.c b/src/flowtable.c
 index db31943..9ba3b6d 100644
 --- a/src/flowtable.c
 +++ b/src/flowtable.c
@@ -388,7 +388,7 @@ static int nftnl_flowtable_parse_hook_cb(const struct nlattr *attr, void *data)
 static int nftnl_flowtable_parse_devs(struct nlattr *nest,
 				      struct nftnl_flowtable *c)
 {
 -	const char **dev_array;
 +	const char **dev_array, **tmp;
 	int len = 0, size = 8;
 	struct nlattr *attr;
@@ -401,14 +401,13 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
 			goto err;
 		dev_array[len++] = strdup(mnl_attr_get_str(attr));
 		if (len >= size) {
 -			dev_array = realloc(dev_array,
 -					    size * 2 * sizeof(char *));
 -			if (!dev_array)
 +			tmp = realloc(dev_array, size * 2 * sizeof(char *));
 +			if (!tmp)
 				goto err;
 			size *= 2;
 -			memset(&dev_array[len], 0,
 -			       (size - len) * sizeof(char *));
 +			memset(&tmp[len], 0, (size - len) * sizeof(char *));
 +			dev_array = tmp;
 		}
 	}
 -- 
 1.8.3.1
--- a/SOURCES/0005-chain-Correctly-check-realloc-call.patch
+++ b/SOURCES/0005-chain-Correctly-check-realloc-call.patch
@ -0,0 +1,61 @@
 From 2facd747b6bbcd3716841e6213b7b9e9b94c556a Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 6 Dec 2019 17:31:16 +0100
 Subject: [PATCH] chain: Correctly check realloc() call
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
 Upstream Status: libnftnl commit d95a703746d53
 commit d95a703746d5394d56a9f464e343594e4882da0d
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Mon Dec 2 23:12:34 2019 +0100
    chain: Correctly check realloc() call
    If realloc() fails, it returns NULL but the original pointer is
    untouchted and therefore still has to be freed. Unconditionally
    overwriting the old pointer is therefore a bad idea, use a temporary
    variable instead.
    Fixes: e3ac19b5ec162 ("chain: multi-device support")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/chain.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
 diff --git a/src/chain.c b/src/chain.c
 index 9cc8735..b9a16fc 100644
 --- a/src/chain.c
 +++ b/src/chain.c
@@ -605,7 +605,7 @@ static int nftnl_chain_parse_hook_cb(const struct nlattr *attr, void *data)
 static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
 {
 -	const char **dev_array;
 +	const char **dev_array, **tmp;
 	int len = 0, size = 8;
 	struct nlattr *attr;
@@ -618,14 +618,13 @@ static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
 			goto err;
 		dev_array[len++] = strdup(mnl_attr_get_str(attr));
 		if (len >= size) {
 -			dev_array = realloc(dev_array,
 -					    size * 2 * sizeof(char *));
 -			if (!dev_array)
 +			tmp = realloc(dev_array, size * 2 * sizeof(char *));
 +			if (!tmp)
 				goto err;
 			size *= 2;
 -			memset(&dev_array[len], 0,
 -			       (size - len) * sizeof(char *));
 +			memset(&tmp[len], 0, (size - len) * sizeof(char *));
 +			dev_array = tmp;
 		}
 	}
 -- 
 1.8.3.1
--- a/SOURCES/0005-object-Avoid-obj_ops-array-overrun.patch
+++ b/SOURCES/0005-object-Avoid-obj_ops-array-overrun.patch
@ -1,40 +0,0 @@
 From 34e115c1a9657f07ed8a39b81c6b21fba1faa319 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Tue, 29 Jan 2019 18:12:15 +0100
 Subject: [PATCH] object: Avoid obj_ops array overrun
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
 Upstream Status: libnftnl commit 16c44d9f42170
 commit 16c44d9f42170264c4d484478c76e940951f1b70
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Thu Dec 20 21:03:27 2018 +0100
    object: Avoid obj_ops array overrun
    In version 1.1.1, obj_ops array was smaller than __NFT_OBJECT_MAX since
    there are no ops for NFT_OBJECT_CONNLIMIT. Avoid this potential issue in
    the future by defining the array size.
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/object.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/object.c b/src/object.c
 index d8278f3..7fb9bab 100644
 --- a/src/object.c
 +++ b/src/object.c
@@ -25,7 +25,7 @@
 #include <buffer.h>
 #include "obj.h"
 -static struct obj_ops *obj_ops[] = {
 +static struct obj_ops *obj_ops[__NFT_OBJECT_MAX] = {
 	[NFT_OBJECT_COUNTER]	= &obj_ops_counter,
 	[NFT_OBJECT_QUOTA]	= &obj_ops_quota,
 	[NFT_OBJECT_CT_HELPER]	= &obj_ops_ct_helper,
 -- 
 1.8.3.1
--- a/SOURCES/0006-flowtable-Add-missing-break.patch
+++ b/SOURCES/0006-flowtable-Add-missing-break.patch
@ -1,40 +0,0 @@
 From d3d9966d79cc7d6d11124302dd06b7d7522e7305 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Tue, 29 Jan 2019 18:12:15 +0100
 Subject: [PATCH] flowtable: Add missing break
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
 Upstream Status: libnftnl commit 404ef7222d055
 commit 404ef7222d055aacdbd4d73dc0d8731fa8f6cbe4
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Thu Dec 20 21:03:28 2018 +0100
    flowtable: Add missing break
    In nftnl_flowtable_set_data(), when setting flowtable size, the switch()
    case fell through and the same value was copied into ft_flags field.
    This can't be right.
    Fixes: 41fe3d38ba34b ("flowtable: support for flags")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/flowtable.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/flowtable.c b/src/flowtable.c
 index c1ddae4..aa6ce59 100644
 --- a/src/flowtable.c
 +++ b/src/flowtable.c
@@ -163,6 +163,7 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
 		break;
 	case NFTNL_FLOWTABLE_SIZE:
 		memcpy(&c->size, data, sizeof(c->size));
 +		break;
 	case NFTNL_FLOWTABLE_FLAGS:
 		memcpy(&c->ft_flags, data, sizeof(c->ft_flags));
 		break;
 -- 
 1.8.3.1
--- a/SOURCES/0007-flowtable-Fix-use-after-free-in-two-spots.patch
+++ b/SOURCES/0007-flowtable-Fix-use-after-free-in-two-spots.patch
@ -1,57 +0,0 @@
 From 0d3f59cbe70f55f220fafd1ffff043a35a0d4503 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Tue, 29 Jan 2019 18:12:15 +0100
 Subject: [PATCH] flowtable: Fix use after free in two spots
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
 Upstream Status: libnftnl commit 822dc96815e96
 commit 822dc96815e96465822ce4b1187c4b29c06cb7c1
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Thu Dec 20 21:03:29 2018 +0100
    flowtable: Fix use after free in two spots
    When freeing flowtable devices array, the loop freeing each device
    string incorrectly included the call to free the device array itself.
    Fixes: eb58f53372e74 ("src: add flowtable support")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/flowtable.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
 diff --git a/src/flowtable.c b/src/flowtable.c
 index aa6ce59..61ff29b 100644
 --- a/src/flowtable.c
 +++ b/src/flowtable.c
@@ -85,10 +85,9 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
 	case NFTNL_FLOWTABLE_FLAGS:
 		break;
 	case NFTNL_FLOWTABLE_DEVICES:
 -		for (i = 0; i < c->dev_array_len; i++) {
 +		for (i = 0; i < c->dev_array_len; i++)
 			xfree(c->dev_array[i]);
 -			xfree(c->dev_array);
 -		}
 +		xfree(c->dev_array);
 		break;
 	default:
 		return;
@@ -146,10 +145,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
 			len++;
 		if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
 -			for (i = 0; i < c->dev_array_len; i++) {
 +			for (i = 0; i < c->dev_array_len; i++)
 				xfree(c->dev_array[i]);
 -				xfree(c->dev_array);
 -			}
 +			xfree(c->dev_array);
 		}
 		c->dev_array = calloc(len + 1, sizeof(char *));
 -- 
 1.8.3.1
--- a/SOURCES/0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch
+++ b/SOURCES/0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch
@ -1,62 +0,0 @@
 From c3c2777d4b62db4b49fd3dcf8293562defa95112 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Tue, 29 Jan 2019 18:12:15 +0100
 Subject: [PATCH] flowtable: Fix memleak in nftnl_flowtable_parse_devs()
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
 Upstream Status: libnftnl commit 8ef66870832d5
 commit 8ef66870832d56881703a7798ecdff9e19917b15
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Thu Dec 20 21:03:30 2018 +0100
    flowtable: Fix memleak in nftnl_flowtable_parse_devs()
    Allocated strings in dev_array were not freed. Fix this by freeing them
    on error path and assigning them to c->dev_array directly in regular
    path.
    Fixes: eb58f53372e74 ("src: add flowtable support")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/flowtable.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 diff --git a/src/flowtable.c b/src/flowtable.c
 index 61ff29b..1762bd1 100644
 --- a/src/flowtable.c
 +++ b/src/flowtable.c
@@ -364,7 +364,7 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
 	mnl_attr_for_each_nested(attr, nest) {
 		if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
 -			return -1;
 +			goto err;
 		dev_array[len++] = strdup(mnl_attr_get_str(attr));
 		if (len >= 8)
 			break;
@@ -375,14 +375,18 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
 	c->dev_array = calloc(len + 1, sizeof(char *));
 	if (!c->dev_array)
 -		return -1;
 +		goto err;
 	c->dev_array_len = len;
 	for (i = 0; i < len; i++)
 -		c->dev_array[i] = strdup(dev_array[i]);
 +		c->dev_array[i] = dev_array[i];
 	return 0;
 +err:
 +	while (len--)
 +		xfree(dev_array[len]);
 +	return -1;
 }
 static int nftnl_flowtable_parse_hook(struct nlattr *attr, struct nftnl_flowtable *c)
 -- 
 1.8.3.1
--- a/SOURCES/0009-flowtable-Fix-for-reading-garbage.patch
+++ b/SOURCES/0009-flowtable-Fix-for-reading-garbage.patch
@ -1,49 +0,0 @@
 From 4ec80cc7d08a48a19d112da760e36fa9e47e9106 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Tue, 29 Jan 2019 18:12:15 +0100
 Subject: [PATCH] flowtable: Fix for reading garbage
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
 Upstream Status: libnftnl commit f8eed54150fd4
 commit f8eed54150fd49ed814e63a5db39eda67d4b3938
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Thu Dec 20 21:03:31 2018 +0100
    flowtable: Fix for reading garbage
    nftnl_flowtable_get_data() doesn't assign to passt data_len pointer
    destination in all cases, so initialize it to 0.
    Fixes: eb58f53372e74 ("src: add flowtable support")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/flowtable.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/flowtable.c b/src/flowtable.c
 index 1762bd1..3c3ba66 100644
 --- a/src/flowtable.c
 +++ b/src/flowtable.c
@@ -245,7 +245,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_str);
 uint32_t nftnl_flowtable_get_u32(const struct nftnl_flowtable *c, uint16_t attr)
 {
 -	uint32_t data_len;
 +	uint32_t data_len = 0;
 	const uint32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
 	nftnl_assert(val, attr, data_len == sizeof(uint32_t));
@@ -256,7 +256,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_u32);
 int32_t nftnl_flowtable_get_s32(const struct nftnl_flowtable *c, uint16_t attr)
 {
 -	uint32_t data_len;
 +	uint32_t data_len = 0;
 	const int32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
 	nftnl_assert(val, attr, data_len == sizeof(int32_t));
 -- 
 1.8.3.1
--- a/SOURCES/0010-src-chain-Add-missing-nftnl_chain_rule_del.patch
+++ b/SOURCES/0010-src-chain-Add-missing-nftnl_chain_rule_del.patch
@ -1,72 +0,0 @@
 From 36faead4c4a8ab0a87ee766bab6a062e8610067a Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Tue, 29 Jan 2019 18:14:56 +0100
 Subject: [PATCH] src: chain: Add missing nftnl_chain_rule_del()
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
 Upstream Status: libnftnl commit de5a23d26828a
 commit de5a23d26828a1e1f2d3351b0414925857546496
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Sun Dec 30 17:02:13 2018 +0100
    src: chain: Add missing nftnl_chain_rule_del()
    Although identical to nftnl_rule_list_del(), this function adheres to
    the common naming style of per chain rule list routines introduced
    earlier, therefore helps with deprecating the global rule list API at a
    later point.
    Fixes: e33798478176f ("chain: Support per chain rules list")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 include/libnftnl/chain.h | 1 +
 src/chain.c              | 6 ++++++
 src/libnftnl.map         | 1 +
 3 files changed, 8 insertions(+)
 diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
 index 64e10e9..163a824 100644
 --- a/include/libnftnl/chain.h
 +++ b/include/libnftnl/chain.h
@@ -56,6 +56,7 @@ int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
 uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
 void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
 +void nftnl_chain_rule_del(struct nftnl_rule *rule);
 void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
 void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
 diff --git a/src/chain.c b/src/chain.c
 index ae074fd..6dc8f36 100644
 --- a/src/chain.c
 +++ b/src/chain.c
@@ -429,6 +429,12 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
 	list_add(&rule->head, &c->rule_list);
 }
 +EXPORT_SYMBOL(nftnl_chain_rule_del);
 +void nftnl_chain_rule_del(struct nftnl_rule *r)
 +{
 +	list_del(&r->head);
 +}
 +
 EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
 void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
 {
 diff --git a/src/libnftnl.map b/src/libnftnl.map
 index 0d3be32..0dad6a2 100644
 --- a/src/libnftnl.map
 +++ b/src/libnftnl.map
@@ -340,6 +340,7 @@ local: *;
 LIBNFTNL_12 {
   nftnl_chain_rule_add;
   nftnl_chain_rule_add_tail;
 +  nftnl_chain_rule_del;
   nftnl_chain_rule_insert_at;
   nftnl_rule_foreach;
   nftnl_rule_iter_create;
 -- 
 1.8.3.1
--- a/SOURCES/0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch
+++ b/SOURCES/0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch
@ -1,71 +0,0 @@
 From fca027631250013cae7323e058575deb72b8510a Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Tue, 29 Jan 2019 18:14:56 +0100
 Subject: [PATCH] src: chain: Fix nftnl_chain_rule_insert_at()
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
 Upstream Status: libnftnl commit 278a3b779a731
 commit 278a3b779a731b3565595259b07b9065f6a6f425
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Mon Jan 14 17:42:50 2019 +0100
    src: chain: Fix nftnl_chain_rule_insert_at()
    Extrapolating from iptables nomenclature, one would expect that "insert"
    means to prepend the new item to the referenced one, not append. Change
    nftnl_chain_rule_insert_at() to do just that and introduce
    nftnl_chain_rule_append_at() to insert a rule after the referenced one.
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 include/libnftnl/chain.h | 1 +
 src/chain.c              | 6 ++++++
 src/libnftnl.map         | 1 +
 3 files changed, 8 insertions(+)
 diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
 index 163a824..31b48cf 100644
 --- a/include/libnftnl/chain.h
 +++ b/include/libnftnl/chain.h
@@ -59,6 +59,7 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
 void nftnl_chain_rule_del(struct nftnl_rule *rule);
 void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
 void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
 +void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
 struct nlmsghdr;
 diff --git a/src/chain.c b/src/chain.c
 index 6dc8f36..7326c2a 100644
 --- a/src/chain.c
 +++ b/src/chain.c
@@ -444,6 +444,12 @@ void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
 EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
 void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
 {
 +	list_add_tail(&rule->head, &pos->head);
 +}
 +
 +EXPORT_SYMBOL(nftnl_chain_rule_append_at);
 +void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
 +{
 	list_add(&rule->head, &pos->head);
 }
 diff --git a/src/libnftnl.map b/src/libnftnl.map
 index 0dad6a2..192eef8 100644
 --- a/src/libnftnl.map
 +++ b/src/libnftnl.map
@@ -342,6 +342,7 @@ LIBNFTNL_12 {
   nftnl_chain_rule_add_tail;
   nftnl_chain_rule_del;
   nftnl_chain_rule_insert_at;
 +  nftnl_chain_rule_append_at;
   nftnl_rule_foreach;
   nftnl_rule_iter_create;
   nftnl_rule_iter_next;
 -- 
 1.8.3.1
--- a/SOURCES/0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch
+++ b/SOURCES/0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch
@ -1,150 +0,0 @@
 From 3eb9b26b8b79b0bd5b153cfdad8eb10c86ae2b64 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Thu, 31 Jan 2019 19:03:53 +0100
 Subject: [PATCH] src: rule: Support NFTA_RULE_POSITION_ID attribute
 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1670565
 Upstream Status: libnftnl commit 7a7137adf6c14
 commit 7a7137adf6c143f7cccc6440a5340a43033b61e7
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Tue Jan 15 20:59:04 2019 +0100
    src: rule: Support NFTA_RULE_POSITION_ID attribute
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 include/libnftnl/rule.h             |  1 +
 include/linux/netfilter/nf_tables.h |  2 ++
 include/rule.h                      |  1 +
 src/rule.c                          | 20 ++++++++++++++++++++
 4 files changed, 24 insertions(+)
 diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
 index 8501c86..78bfead 100644
 --- a/include/libnftnl/rule.h
 +++ b/include/libnftnl/rule.h
@@ -28,6 +28,7 @@ enum nftnl_rule_attr {
 	NFTNL_RULE_POSITION,
 	NFTNL_RULE_USERDATA,
 	NFTNL_RULE_ID,
 +	NFTNL_RULE_POSITION_ID,
 	__NFTNL_RULE_MAX
 };
 #define NFTNL_RULE_MAX (__NFTNL_RULE_MAX - 1)
 diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
 index 91449ef..adfae98 100644
 --- a/include/linux/netfilter/nf_tables.h
 +++ b/include/linux/netfilter/nf_tables.h
@@ -218,6 +218,7 @@ enum nft_chain_attributes {
  * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
  * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
  * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
 + * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
  */
 enum nft_rule_attributes {
 	NFTA_RULE_UNSPEC,
@@ -230,6 +231,7 @@ enum nft_rule_attributes {
 	NFTA_RULE_USERDATA,
 	NFTA_RULE_PAD,
 	NFTA_RULE_ID,
 +	NFTA_RULE_POSITION_ID,
 	__NFTA_RULE_MAX
 };
 #define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)
 diff --git a/include/rule.h b/include/rule.h
 index 5edcb6c..036c722 100644
 --- a/include/rule.h
 +++ b/include/rule.h
@@ -11,6 +11,7 @@ struct nftnl_rule {
 	uint64_t	handle;
 	uint64_t	position;
 	uint32_t	id;
 +	uint32_t	position_id;
 	struct {
 			void		*data;
 			uint32_t	len;
 diff --git a/src/rule.c b/src/rule.c
 index 6a43d3e..d9b97b6 100644
 --- a/src/rule.c
 +++ b/src/rule.c
@@ -87,6 +87,7 @@ void nftnl_rule_unset(struct nftnl_rule *r, uint16_t attr)
 	case NFTNL_RULE_POSITION:
 	case NFTNL_RULE_FAMILY:
 	case NFTNL_RULE_ID:
 +	case NFTNL_RULE_POSITION_ID:
 		break;
 	case NFTNL_RULE_USERDATA:
 		xfree(r->user.data);
@@ -103,6 +104,7 @@ static uint32_t nftnl_rule_validate[NFTNL_RULE_MAX + 1] = {
 	[NFTNL_RULE_FAMILY]		= sizeof(uint32_t),
 	[NFTNL_RULE_POSITION]		= sizeof(uint64_t),
 	[NFTNL_RULE_ID]			= sizeof(uint32_t),
 +	[NFTNL_RULE_POSITION_ID]	= sizeof(uint32_t),
 };
 EXPORT_SYMBOL(nftnl_rule_set_data);
@@ -158,6 +160,9 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
 	case NFTNL_RULE_ID:
 		r->id = *((uint32_t *)data);
 		break;
 +	case NFTNL_RULE_POSITION_ID:
 +		memcpy(&r->position_id, data, sizeof(r->position_id));
 +		break;
 	}
 	r->flags |= (1 << attr);
 	return 0;
@@ -222,6 +227,9 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr,
 	case NFTNL_RULE_ID:
 		*data_len = sizeof(uint32_t);
 		return &r->id;
 +	case NFTNL_RULE_POSITION_ID:
 +		*data_len = sizeof(uint32_t);
 +		return &r->position_id;
 	}
 	return NULL;
 }
@@ -313,6 +321,8 @@ void nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule *r)
 	}
 	if (r->flags & (1 << NFTNL_RULE_ID))
 		mnl_attr_put_u32(nlh, NFTA_RULE_ID, htonl(r->id));
 +	if (r->flags & (1 << NFTNL_RULE_POSITION_ID))
 +		mnl_attr_put_u32(nlh, NFTA_RULE_POSITION_ID, htonl(r->position_id));
 }
 EXPORT_SYMBOL(nftnl_rule_add_expr);
@@ -352,6 +362,7 @@ static int nftnl_rule_parse_attr_cb(const struct nlattr *attr, void *data)
 			abi_breakage();
 		break;
 	case NFTA_RULE_ID:
 +	case NFTA_RULE_POSITION_ID:
 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
 			abi_breakage();
 		break;
@@ -483,6 +494,10 @@ int nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r)
 		r->id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_ID]));
 		r->flags |= (1 << NFTNL_RULE_ID);
 	}
 +	if (tb[NFTA_RULE_POSITION_ID]) {
 +		r->position_id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_POSITION_ID]));
 +		r->flags |= (1 << NFTNL_RULE_POSITION_ID);
 +	}
 	r->family = nfg->nfgen_family;
 	r->flags |= (1 << NFTNL_RULE_FAMILY);
@@ -729,6 +744,11 @@ static int nftnl_rule_snprintf_default(char *buf, size_t size,
 		SNPRINTF_BUFFER_SIZE(ret, remain, offset);
 	}
 +	if (r->flags & (1 << NFTNL_RULE_POSITION_ID)) {
 +		ret = snprintf(buf + offset, remain, "%u ", r->position_id);
 +		SNPRINTF_BUFFER_SIZE(ret, remain, offset);
 +	}
 +
 	ret = snprintf(buf + offset, remain, "\n");
 	SNPRINTF_BUFFER_SIZE(ret, remain, offset);
 -- 
 1.8.3.1
--- a/SPECS/libnftnl.spec
+++ b/SPECS/libnftnl.spec
@ -1,5 +1,5 @@
-%define rpmversion 1.1.1
+%define rpmversion 1.1.5
-%define specrelease 4%{?dist}
+%define specrelease 2%{?dist}
 Name:           libnftnl
 Version:        %{rpmversion}
@ -12,18 +12,11 @@ BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
 BuildRequires:  libmnl-devel
-Patch0:             0001-src-remove-nftnl_rule_cmp-and-nftnl_expr_cmp.patch
+Patch0:             0001-tests-flowtable-Don-t-check-NFTNL_FLOWTABLE_SIZE.patch
-Patch1:             0002-chain-Support-per-chain-rules-list.patch
+Patch1:             0002-flowtable-Fix-memleak-in-error-path-of-nftnl_flowtab.patch
-Patch2:             0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch
+Patch2:             0003-chain-Fix-memleak-in-error-path-of-nftnl_chain_parse.patch
-Patch3:             0004-chain-Hash-chain-list-by-name.patch
+Patch3:             0004-flowtable-Correctly-check-realloc-call.patch
-Patch4:             0005-object-Avoid-obj_ops-array-overrun.patch
+Patch4:             0005-chain-Correctly-check-realloc-call.patch
 Patch5:             0006-flowtable-Add-missing-break.patch
 Patch6:             0007-flowtable-Fix-use-after-free-in-two-spots.patch
 Patch7:             0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch
 Patch8:             0009-flowtable-Fix-for-reading-garbage.patch
 Patch9:             0010-src-chain-Add-missing-nftnl_chain_rule_del.patch
 Patch10:            0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch
 Patch11:            0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch
 %description
 A library for low-level interaction with nftables Netlink's API over libmnl.
@ -51,10 +44,6 @@ make %{?_smp_mflags}
 %check
 make %{?_smp_mflags} check
 cd tests
 # JSON parsing would fail since it's not compiled in, so disable here
 sed -i -e '/^\.\/nft-parsing-test /d' test-script.sh
 sh ./test-script.sh
 %install
 %make_install
@ -74,6 +63,30 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %{_includedir}/libnftnl
 %changelog
 * Fri Dec 06 2019 Phil Sutter <psutter@redhat.com> [1.1.5-2.el8]
 - chain: Correctly check realloc() call (Phil Sutter) [1778952]
 - flowtable: Correctly check realloc() call (Phil Sutter) [1778952]
 - chain: Fix memleak in error path of nftnl_chain_parse_devs() (Phil Sutter) [1778952]
 - flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs() (Phil Sutter) [1778952]
 * Mon Dec 02 2019 Phil Sutter <psutter@redhat.com> [1.1.5-1.el8]
 - Rebase onto upstream version 1.1.5 (Phil Sutter) [1717129]
 * Thu Oct 24 2019 Phil Sutter <psutter@redhat.com> [1.1.4-3.el8]
 - set: Export nftnl_set_list_lookup_byname() (Phil Sutter) [1762563]
 * Thu Oct 17 2019 Phil Sutter <psutter@redhat.com> [1.1.4-2.el8]
 - obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser (Phil Sutter) [1758673]
 - set_elem: Validate nftnl_set_elem_set() parameters (Phil Sutter) [1758673]
 - obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data() (Phil Sutter) [1758673]
 - set: Don't bypass checks in nftnl_set_set_u{32,64}() (Phil Sutter) [1758673]
 - obj/tunnel: Fix for undefined behaviour (Phil Sutter) [1758673]
 - set_elem: Fix return code of nftnl_set_elem_set() (Phil Sutter) [1758673]
 - obj: ct_timeout: Check return code of mnl_attr_parse_nested() (Phil Sutter) [1758673]
 * Fri Oct 04 2019 Phil Sutter <psutter@redhat.com> [1.1.4-1.el8]
 - Rebase to upstream version 1.1.4 (Phil Sutter) [1717129]
 * Thu Jan 31 2019 Phil Sutter <psutter@redhat.com> [1.1.1-4.el8]
 - src: rule: Support NFTA_RULE_POSITION_ID attribute (Phil Sutter) [1670565]
`@ -1 +1 @@`
	`SOURCES/libnftnl-1.1.1.tar.bz2`	`SOURCES/libnftnl-1.1.5.tar.bz2`
`@ -1 +1 @@`
	`d2be642a54e0f105cb5564471ae4aaaed8b97ca6 SOURCES/libnftnl-1.1.1.tar.bz2`	`a923bae5b028a30c5c8aa4c0f71445885867274b SOURCES/libnftnl-1.1.5.tar.bz2`