import libnftnl-1.1.5-2.el8

This commit is contained in:
CentOS Sources 2020-01-21 18:36:40 -05:00 committed by Stepan Oksanichenko
parent b65d64bfa0
commit 2186a38689
20 changed files with 279 additions and 2472 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/libnftnl-1.1.1.tar.bz2
SOURCES/libnftnl-1.1.5.tar.bz2


@ -1 +1 @@
d2be642a54e0f105cb5564471ae4aaaed8b97ca6 SOURCES/libnftnl-1.1.1.tar.bz2
a923bae5b028a30c5c8aa4c0f71445885867274b SOURCES/libnftnl-1.1.5.tar.bz2



@ -0,0 +1,47 @@
From 3f0616b15e32def6d01b4535ac0efb51caa07662 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 2 Dec 2019 18:55:39 +0100
Subject: [PATCH] tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1717129
Upstream Status: libnftnl commit b2388765e0c44
commit b2388765e0c4405442faa13845419f6a35d0134c
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 18:29:56 2019 +0100
tests: flowtable: Don't check NFTNL_FLOWTABLE_SIZE
Marshalling code around that attribute has been dropped by commit
d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE") so it's value is
lost during the test.
Assuming that NFTNL_FLOWTABLE_SIZE will receive kernel support at a
later point, leave the test code in place but just comment it out.
Fixes: d1c4b98c733a5 ("flowtable: remove NFTA_FLOWTABLE_SIZE")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tests/nft-flowtable-test.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/nft-flowtable-test.c b/tests/nft-flowtable-test.c
index 3edb00d..8ab8d4c 100644
--- a/tests/nft-flowtable-test.c
+++ b/tests/nft-flowtable-test.c
@@ -33,9 +33,11 @@ static void cmp_nftnl_flowtable(struct nftnl_flowtable *a, struct nftnl_flowtabl
if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_USE) !=
nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_USE))
print_err("Flowtable use mismatches");
+#if 0
if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_SIZE) !=
nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_SIZE))
print_err("Flowtable size mismatches");
+#endif
if (nftnl_flowtable_get_u32(a, NFTNL_FLOWTABLE_FLAGS) !=
nftnl_flowtable_get_u32(b, NFTNL_FLOWTABLE_FLAGS))
print_err("Flowtable flags mismatches");
--
1.8.3.1
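Review bot: The `#if 0` placed around the NFTNL_FLOWTABLE_SIZE comparison in cmp_nftnl_flowtable() carries no in-code explanation, so a reader of the test sees dead code with no hint why it is disabled or when it may come back. The reasoning lives only in this patch description; carry it into the source as `#if 0 /* NFTNL_FLOWTABLE_SIZE is no longer marshalled (commit d1c4b98c733a5); re-enable once the kernel supports it */`. cmp_nftnl_flowtable() starts and ends outside the hunk.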


@ -1,313 +0,0 @@
From 8fcb95ed6dcd47c94a924b4018177d8a833d6983 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Support per chain rules list
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit e33798478176f
commit e33798478176f97edf2649cd61444e0375fdc12b
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 6 17:17:51 2018 +0100
chain: Support per chain rules list
The implementation basically copies expr_list in struct nftnl_rule.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/internal.h | 1 +
include/libnftnl/chain.h | 15 +++++++
include/rule.h | 26 ++++++++++++
src/chain.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++-
src/libnftnl.map | 10 +++++
src/rule.c | 22 ----------
6 files changed, 155 insertions(+), 23 deletions(-)
create mode 100644 include/rule.h
diff --git a/include/internal.h b/include/internal.h
index 7e97c4a..323f825 100644
--- a/include/internal.h
+++ b/include/internal.h
@@ -13,5 +13,6 @@
#include "expr.h"
#include "expr_ops.h"
#include "buffer.h"
+#include "rule.h"
#endif /* _LIBNFTNL_INTERNAL_H_ */
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 237683e..f04f610 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -13,6 +13,7 @@ extern "C" {
#endif
struct nftnl_chain;
+struct nftnl_rule;
struct nftnl_chain *nftnl_chain_alloc(void);
void nftnl_chain_free(const struct nftnl_chain *);
@@ -54,6 +55,10 @@ uint32_t nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr);
int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
+void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
+
struct nlmsghdr;
void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *t);
@@ -68,6 +73,16 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, ui
#define nftnl_chain_nlmsg_build_hdr nftnl_nlmsg_build_hdr
int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
+int nftnl_rule_foreach(struct nftnl_chain *c,
+ int (*cb)(struct nftnl_rule *r, void *data),
+ void *data);
+
+struct nftnl_rule_iter;
+
+struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c);
+struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter);
+void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter);
+
struct nftnl_chain_list;
struct nftnl_chain_list *nftnl_chain_list_alloc(void);
diff --git a/include/rule.h b/include/rule.h
new file mode 100644
index 0000000..5edcb6c
--- /dev/null
+++ b/include/rule.h
@@ -0,0 +1,26 @@
+#ifndef _LIBNFTNL_RULE_INTERNAL_H_
+#define _LIBNFTNL_RULE_INTERNAL_H_
+
+struct nftnl_rule {
+ struct list_head head;
+
+ uint32_t flags;
+ uint32_t family;
+ const char *table;
+ const char *chain;
+ uint64_t handle;
+ uint64_t position;
+ uint32_t id;
+ struct {
+ void *data;
+ uint32_t len;
+ } user;
+ struct {
+ uint32_t flags;
+ uint32_t proto;
+ } compat;
+
+ struct list_head expr_list;
+};
+
+#endif
diff --git a/src/chain.c b/src/chain.c
index eff5186..c374923 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -27,6 +27,7 @@
#include <linux/netfilter_arp.h>
#include <libnftnl/chain.h>
+#include <libnftnl/rule.h>
#include <buffer.h>
struct nftnl_chain {
@@ -45,6 +46,8 @@ struct nftnl_chain {
uint64_t bytes;
uint64_t handle;
uint32_t flags;
+
+ struct list_head rule_list;
};
static const char *nftnl_hooknum2str(int family, int hooknum)
@@ -90,12 +93,25 @@ static const char *nftnl_hooknum2str(int family, int hooknum)
EXPORT_SYMBOL(nftnl_chain_alloc);
struct nftnl_chain *nftnl_chain_alloc(void)
{
- return calloc(1, sizeof(struct nftnl_chain));
+ struct nftnl_chain *c;
+
+ c = calloc(1, sizeof(struct nftnl_chain));
+ if (c == NULL)
+ return NULL;
+
+ INIT_LIST_HEAD(&c->rule_list);
+
+ return c;
}
EXPORT_SYMBOL(nftnl_chain_free);
void nftnl_chain_free(const struct nftnl_chain *c)
{
+ struct nftnl_rule *r, *tmp;
+
+ list_for_each_entry_safe(r, tmp, &c->rule_list, head)
+ nftnl_rule_free(r);
+
if (c->flags & (1 << NFTNL_CHAIN_NAME))
xfree(c->name);
if (c->flags & (1 << NFTNL_CHAIN_TABLE))
@@ -406,6 +422,24 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch
mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, c->type);
}
+EXPORT_SYMBOL(nftnl_chain_rule_add);
+void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
+{
+ list_add(&rule->head, &c->rule_list);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
+void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
+{
+ list_add_tail(&rule->head, &c->rule_list);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
+void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
+{
+ list_add(&rule->head, &pos->head);
+}
+
static int nftnl_chain_parse_attr_cb(const struct nlattr *attr, void *data)
{
const struct nlattr **tb = data;
@@ -875,6 +909,74 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type,
nftnl_chain_do_snprintf);
}
+EXPORT_SYMBOL(nftnl_rule_foreach);
+int nftnl_rule_foreach(struct nftnl_chain *c,
+ int (*cb)(struct nftnl_rule *r, void *data),
+ void *data)
+{
+ struct nftnl_rule *cur, *tmp;
+ int ret;
+
+ list_for_each_entry_safe(cur, tmp, &c->rule_list, head) {
+ ret = cb(cur, data);
+ if (ret < 0)
+ return ret;
+ }
+ return 0;
+}
+
+struct nftnl_rule_iter {
+ const struct nftnl_chain *c;
+ struct nftnl_rule *cur;
+};
+
+static void nftnl_rule_iter_init(const struct nftnl_chain *c,
+ struct nftnl_rule_iter *iter)
+{
+ iter->c = c;
+ if (list_empty(&c->rule_list))
+ iter->cur = NULL;
+ else
+ iter->cur = list_entry(c->rule_list.next, struct nftnl_rule,
+ head);
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_create);
+struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c)
+{
+ struct nftnl_rule_iter *iter;
+
+ iter = calloc(1, sizeof(struct nftnl_rule_iter));
+ if (iter == NULL)
+ return NULL;
+
+ nftnl_rule_iter_init(c, iter);
+
+ return iter;
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_next);
+struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter)
+{
+ struct nftnl_rule *rule = iter->cur;
+
+ if (rule == NULL)
+ return NULL;
+
+ /* get next rule, if any */
+ iter->cur = list_entry(iter->cur->head.next, struct nftnl_rule, head);
+ if (&iter->cur->head == iter->c->rule_list.next)
+ return NULL;
+
+ return rule;
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_destroy);
+void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
+{
+ xfree(iter);
+}
+
struct nftnl_chain_list {
struct list_head list;
};
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 89414f2..96d5b5f 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -336,3 +336,13 @@ global:
local: *;
};
+
+LIBNFTNL_12 {
+ nftnl_chain_rule_add;
+ nftnl_chain_rule_add_tail;
+ nftnl_chain_rule_insert_at;
+ nftnl_rule_foreach;
+ nftnl_rule_iter_create;
+ nftnl_rule_iter_next;
+ nftnl_rule_iter_destroy;
+} LIBNFTNL_11;
diff --git a/src/rule.c b/src/rule.c
index 2c70420..6a43d3e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -30,28 +30,6 @@
#include <libnftnl/set.h>
#include <libnftnl/expr.h>
-struct nftnl_rule {
- struct list_head head;
-
- uint32_t flags;
- uint32_t family;
- const char *table;
- const char *chain;
- uint64_t handle;
- uint64_t position;
- uint32_t id;
- struct {
- void *data;
- uint32_t len;
- } user;
- struct {
- uint32_t flags;
- uint32_t proto;
- } compat;
-
- struct list_head expr_list;
-};
-
EXPORT_SYMBOL(nftnl_rule_alloc);
struct nftnl_rule *nftnl_rule_alloc(void)
{
--
1.8.3.1


@ -0,0 +1,39 @@
From e744735b92ee312cd2ad08776f3c56962ab53710 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 6 Dec 2019 17:31:16 +0100
Subject: [PATCH] flowtable: Fix memleak in error path of
nftnl_flowtable_parse_devs()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
Upstream Status: libnftnl commit ba1b02594e8d0
commit ba1b02594e8d05e4c791925a50f9309f89b55c80
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 22:57:40 2019 +0100
flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs()
In error case, allocated dev_array is not freed.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/flowtable.c b/src/flowtable.c
index 324e80f..db31943 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -419,6 +419,7 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
err:
while (len--)
xfree(dev_array[len]);
+ xfree(dev_array);
return -1;
}
--
1.8.3.1
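Review bot: The new `xfree(dev_array);` under `err:` in nftnl_flowtable_parse_devs() completes the cleanup only if `dev_array` is always assigned before any `goto err`; the hunk does not show the allocation, and the realloc fix for the same function later in this commit declares it as `const char **dev_array, **tmp;` with no initializer. If any error exit can precede the allocation, the added line frees an indeterminate pointer, which is undefined behaviour; initializing at the declaration, `const char **dev_array = NULL, **tmp;`, makes the `err:` path safe unconditionally, assuming `xfree()` tolerates NULL the way `free()` does. The same consideration applies to the identical fix for nftnl_chain_parse_devs() in src/chain.c further down this commit. The function starts outside the hunk.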


@ -1,107 +0,0 @@
From 75b3a238485745de01cf6264703ba6c192d7f721 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Add lookup functions for chain list and rules in chain
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit 1a829ec0c3285
commit 1a829ec0c3285baac712352c3a046a4f76013e70
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 6 17:17:52 2018 +0100
chain: Add lookup functions for chain list and rules in chain
For now, these lookup functions simply iterate over the linked list
until they find the right entry. In future, they may make use of more
optimized data structures behind the curtains.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 2 ++
src/chain.c | 28 ++++++++++++++++++++++++++++
src/libnftnl.map | 3 +++
3 files changed, 33 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index f04f610..64e10e9 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -76,6 +76,7 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
int nftnl_rule_foreach(struct nftnl_chain *c,
int (*cb)(struct nftnl_rule *r, void *data),
void *data);
+struct nftnl_rule *nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index);
struct nftnl_rule_iter;
@@ -89,6 +90,7 @@ struct nftnl_chain_list *nftnl_chain_list_alloc(void);
void nftnl_chain_list_free(struct nftnl_chain_list *list);
int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list);
int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list, int (*cb)(struct nftnl_chain *t, void *data), void *data);
+struct nftnl_chain *nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list, const char *chain);
void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list);
void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list);
diff --git a/src/chain.c b/src/chain.c
index c374923..22bb45c 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -925,6 +925,20 @@ int nftnl_rule_foreach(struct nftnl_chain *c,
return 0;
}
+EXPORT_SYMBOL(nftnl_rule_lookup_byindex);
+struct nftnl_rule *
+nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index)
+{
+ struct nftnl_rule *r;
+
+ list_for_each_entry(r, &c->rule_list, head) {
+ if (!index)
+ return r;
+ index--;
+ }
+ return NULL;
+}
+
struct nftnl_rule_iter {
const struct nftnl_chain *c;
struct nftnl_rule *cur;
@@ -1047,6 +1061,20 @@ int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list,
return 0;
}
+EXPORT_SYMBOL(nftnl_chain_list_lookup_byname);
+struct nftnl_chain *
+nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
+ const char *chain)
+{
+ struct nftnl_chain *c;
+
+ list_for_each_entry(c, &chain_list->list, head) {
+ if (!strcmp(chain, c->name))
+ return c;
+ }
+ return NULL;
+}
+
struct nftnl_chain_list_iter {
const struct nftnl_chain_list *list;
struct nftnl_chain *cur;
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 96d5b5f..0d3be32 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -345,4 +345,7 @@ LIBNFTNL_12 {
nftnl_rule_iter_create;
nftnl_rule_iter_next;
nftnl_rule_iter_destroy;
+
+ nftnl_chain_list_lookup_byname;
+ nftnl_rule_lookup_byindex;
} LIBNFTNL_11;
--
1.8.3.1


@ -0,0 +1,38 @@
From a5241b8fcd2f62d8e71bf9dfebfbcf27a8a61e46 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 6 Dec 2019 17:31:16 +0100
Subject: [PATCH] chain: Fix memleak in error path of nftnl_chain_parse_devs()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
Upstream Status: libnftnl commit 32a8c5f52355e
commit 32a8c5f52355ef69bf74c28e27345b2e03d948e7
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 23:00:20 2019 +0100
chain: Fix memleak in error path of nftnl_chain_parse_devs()
In error case, dev_array is not freed when it should.
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/chain.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/chain.c b/src/chain.c
index d4050d2..9cc8735 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -636,6 +636,7 @@ static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
err:
while (len--)
xfree(dev_array[len]);
+ xfree(dev_array);
return -1;
}
--
1.8.3.1


@ -1,143 +0,0 @@
From a3af0aff50cd3e899cb5205d4d5330a96aeffaa5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Hash chain list by name
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit 7170f0929ef50
commit 7170f0929ef50a1a45d9fd5d058ea6178c8e56ef
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Dec 11 18:44:00 2018 +0100
chain: Hash chain list by name
Introduce a hash table to speedup nftnl_chain_list_lookup_byname(). In
theory this could replace the linked list completely but has been left
in place so that nftnl_chain_list_add_tail() still does what it's
supposed to and iterators return chains in original order.
Speed was tested using a simple script which creates a dump file
containing a number of custom chains and for each of them two rules in
INPUT chain jumping to it. The following table compares run-time of
iptables-legacy-restore with iptables-nft-restore before and after this
patch:
count legacy nft-old nft-new
----------------------------------------------
10000 26s 38s 31s
50000 137s 339s 149s
So while it is still not as quick, it now scales nicely (at least in
this very primitive test).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/chain.c | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/chain.c b/src/chain.c
index 22bb45c..ae074fd 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -32,6 +32,7 @@
struct nftnl_chain {
struct list_head head;
+ struct hlist_node hnode;
const char *name;
const char *type;
@@ -991,20 +992,27 @@ void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
xfree(iter);
}
+#define CHAIN_NAME_HSIZE 512
+
struct nftnl_chain_list {
+
struct list_head list;
+ struct hlist_head name_hash[CHAIN_NAME_HSIZE];
};
EXPORT_SYMBOL(nftnl_chain_list_alloc);
struct nftnl_chain_list *nftnl_chain_list_alloc(void)
{
struct nftnl_chain_list *list;
+ int i;
list = calloc(1, sizeof(struct nftnl_chain_list));
if (list == NULL)
return NULL;
INIT_LIST_HEAD(&list->list);
+ for (i = 0; i < CHAIN_NAME_HSIZE; i++)
+ INIT_HLIST_HEAD(&list->name_hash[i]);
return list;
}
@@ -1016,6 +1024,7 @@ void nftnl_chain_list_free(struct nftnl_chain_list *list)
list_for_each_entry_safe(r, tmp, &list->list, head) {
list_del(&r->head);
+ hlist_del(&r->hnode);
nftnl_chain_free(r);
}
xfree(list);
@@ -1027,15 +1036,31 @@ int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list)
return list_empty(&list->list);
}
+static uint32_t djb_hash(const char *key)
+{
+ uint32_t i, hash = 5381;
+
+ for (i = 0; i < strlen(key); i++)
+ hash = ((hash << 5) + hash) + key[i];
+
+ return hash;
+}
+
EXPORT_SYMBOL(nftnl_chain_list_add);
void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list)
{
+ int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
+
+ hlist_add_head(&r->hnode, &list->name_hash[key]);
list_add(&r->head, &list->list);
}
EXPORT_SYMBOL(nftnl_chain_list_add_tail);
void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list)
{
+ int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
+
+ hlist_add_head(&r->hnode, &list->name_hash[key]);
list_add_tail(&r->head, &list->list);
}
@@ -1043,6 +1068,7 @@ EXPORT_SYMBOL(nftnl_chain_list_del);
void nftnl_chain_list_del(struct nftnl_chain *r)
{
list_del(&r->head);
+ hlist_del(&r->hnode);
}
EXPORT_SYMBOL(nftnl_chain_list_foreach);
@@ -1066,9 +1092,11 @@ struct nftnl_chain *
nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
const char *chain)
{
+ int key = djb_hash(chain) % CHAIN_NAME_HSIZE;
struct nftnl_chain *c;
+ struct hlist_node *n;
- list_for_each_entry(c, &chain_list->list, head) {
+ hlist_for_each_entry(c, n, &chain_list->name_hash[key], hnode) {
if (!strcmp(chain, c->name))
return c;
}
--
1.8.3.1


@ -0,0 +1,61 @@
From 8f24f6eed8d905fb6b64d003ae3f4f1e657301aa Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 6 Dec 2019 17:31:16 +0100
Subject: [PATCH] flowtable: Correctly check realloc() call
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
Upstream Status: libnftnl commit 835d645f40525
commit 835d645f4052551c5c1829c37a07c882f2260f65
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 23:08:07 2019 +0100
flowtable: Correctly check realloc() call
If realloc() fails, it returns NULL but the original pointer is
untouchted and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: 7f99639dd9217 ("flowtable: device array dynamic allocation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index db31943..9ba3b6d 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -388,7 +388,7 @@ static int nftnl_flowtable_parse_hook_cb(const struct nlattr *attr, void *data)
static int nftnl_flowtable_parse_devs(struct nlattr *nest,
struct nftnl_flowtable *c)
{
- const char **dev_array;
+ const char **dev_array, **tmp;
int len = 0, size = 8;
struct nlattr *attr;
@@ -401,14 +401,13 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
goto err;
dev_array[len++] = strdup(mnl_attr_get_str(attr));
if (len >= size) {
- dev_array = realloc(dev_array,
- size * 2 * sizeof(char *));
- if (!dev_array)
+ tmp = realloc(dev_array, size * 2 * sizeof(char *));
+ if (!tmp)
goto err;
size *= 2;
- memset(&dev_array[len], 0,
- (size - len) * sizeof(char *));
+ memset(&tmp[len], 0, (size - len) * sizeof(char *));
+ dev_array = tmp;
}
}
--
1.8.3.1
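Review bot: The context line `dev_array[len++] = strdup(mnl_attr_get_str(attr));` in nftnl_flowtable_parse_devs() stores the strdup() result unchecked, so on allocation failure a NULL entry is counted in `len` and presumably propagates into the flowtable's device array as a device name, which callers are unlikely to expect. Since this commit already tightens the allocation handling in this loop, split the store and check it: `dev_array[len] = strdup(mnl_attr_get_str(attr)); if (!dev_array[len++]) goto err;` — with the `err:` path completed by the accompanying memleak patch, the entries collected so far are then released correctly. The same unchecked strdup() appears as context in the matching realloc fix for nftnl_chain_parse_devs() in src/chain.c. The function starts and ends outside the hunk.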


@ -0,0 +1,61 @@
From 2facd747b6bbcd3716841e6213b7b9e9b94c556a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 6 Dec 2019 17:31:16 +0100
Subject: [PATCH] chain: Correctly check realloc() call
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778952
Upstream Status: libnftnl commit d95a703746d53
commit d95a703746d5394d56a9f464e343594e4882da0d
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Dec 2 23:12:34 2019 +0100
chain: Correctly check realloc() call
If realloc() fails, it returns NULL but the original pointer is
untouchted and therefore still has to be freed. Unconditionally
overwriting the old pointer is therefore a bad idea, use a temporary
variable instead.
Fixes: e3ac19b5ec162 ("chain: multi-device support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/chain.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/chain.c b/src/chain.c
index 9cc8735..b9a16fc 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -605,7 +605,7 @@ static int nftnl_chain_parse_hook_cb(const struct nlattr *attr, void *data)
static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
{
- const char **dev_array;
+ const char **dev_array, **tmp;
int len = 0, size = 8;
struct nlattr *attr;
@@ -618,14 +618,13 @@ static int nftnl_chain_parse_devs(struct nlattr *nest, struct nftnl_chain *c)
goto err;
dev_array[len++] = strdup(mnl_attr_get_str(attr));
if (len >= size) {
- dev_array = realloc(dev_array,
- size * 2 * sizeof(char *));
- if (!dev_array)
+ tmp = realloc(dev_array, size * 2 * sizeof(char *));
+ if (!tmp)
goto err;
size *= 2;
- memset(&dev_array[len], 0,
- (size - len) * sizeof(char *));
+ memset(&tmp[len], 0, (size - len) * sizeof(char *));
+ dev_array = tmp;
}
}
--
1.8.3.1


@ -1,40 +0,0 @@
From 34e115c1a9657f07ed8a39b81c6b21fba1faa319 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] object: Avoid obj_ops array overrun
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 16c44d9f42170
commit 16c44d9f42170264c4d484478c76e940951f1b70
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:27 2018 +0100
object: Avoid obj_ops array overrun
In version 1.1.1, obj_ops array was smaller than __NFT_OBJECT_MAX since
there are no ops for NFT_OBJECT_CONNLIMIT. Avoid this potential issue in
the future by defining the array size.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/object.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/object.c b/src/object.c
index d8278f3..7fb9bab 100644
--- a/src/object.c
+++ b/src/object.c
@@ -25,7 +25,7 @@
#include <buffer.h>
#include "obj.h"
-static struct obj_ops *obj_ops[] = {
+static struct obj_ops *obj_ops[__NFT_OBJECT_MAX] = {
[NFT_OBJECT_COUNTER] = &obj_ops_counter,
[NFT_OBJECT_QUOTA] = &obj_ops_quota,
[NFT_OBJECT_CT_HELPER] = &obj_ops_ct_helper,
--
1.8.3.1


@ -1,40 +0,0 @@
From d3d9966d79cc7d6d11124302dd06b7d7522e7305 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Add missing break
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 404ef7222d055
commit 404ef7222d055aacdbd4d73dc0d8731fa8f6cbe4
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:28 2018 +0100
flowtable: Add missing break
In nftnl_flowtable_set_data(), when setting flowtable size, the switch()
case fell through and the same value was copied into ft_flags field.
This can't be right.
Fixes: 41fe3d38ba34b ("flowtable: support for flags")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/flowtable.c b/src/flowtable.c
index c1ddae4..aa6ce59 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -163,6 +163,7 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
break;
case NFTNL_FLOWTABLE_SIZE:
memcpy(&c->size, data, sizeof(c->size));
+ break;
case NFTNL_FLOWTABLE_FLAGS:
memcpy(&c->ft_flags, data, sizeof(c->ft_flags));
break;
--
1.8.3.1


@ -1,57 +0,0 @@
From 0d3f59cbe70f55f220fafd1ffff043a35a0d4503 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix use after free in two spots
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 822dc96815e96
commit 822dc96815e96465822ce4b1187c4b29c06cb7c1
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:29 2018 +0100
flowtable: Fix use after free in two spots
When freeing flowtable devices array, the loop freeing each device
string incorrectly included the call to free the device array itself.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index aa6ce59..61ff29b 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -85,10 +85,9 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
case NFTNL_FLOWTABLE_FLAGS:
break;
case NFTNL_FLOWTABLE_DEVICES:
- for (i = 0; i < c->dev_array_len; i++) {
+ for (i = 0; i < c->dev_array_len; i++)
xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
+ xfree(c->dev_array);
break;
default:
return;
@@ -146,10 +145,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
len++;
if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
- for (i = 0; i < c->dev_array_len; i++) {
+ for (i = 0; i < c->dev_array_len; i++)
xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
+ xfree(c->dev_array);
}
c->dev_array = calloc(len + 1, sizeof(char *));
--
1.8.3.1


@ -1,62 +0,0 @@
From c3c2777d4b62db4b49fd3dcf8293562defa95112 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix memleak in nftnl_flowtable_parse_devs()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 8ef66870832d5
commit 8ef66870832d56881703a7798ecdff9e19917b15
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:30 2018 +0100
flowtable: Fix memleak in nftnl_flowtable_parse_devs()
Allocated strings in dev_array were not freed. Fix this by freeing them
on error path and assigning them to c->dev_array directly in regular
path.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index 61ff29b..1762bd1 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -364,7 +364,7 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
mnl_attr_for_each_nested(attr, nest) {
if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
- return -1;
+ goto err;
dev_array[len++] = strdup(mnl_attr_get_str(attr));
if (len >= 8)
break;
@@ -375,14 +375,18 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
c->dev_array = calloc(len + 1, sizeof(char *));
if (!c->dev_array)
- return -1;
+ goto err;
c->dev_array_len = len;
for (i = 0; i < len; i++)
- c->dev_array[i] = strdup(dev_array[i]);
+ c->dev_array[i] = dev_array[i];
return 0;
+err:
+ while (len--)
+ xfree(dev_array[len]);
+ return -1;
}
static int nftnl_flowtable_parse_hook(struct nlattr *attr, struct nftnl_flowtable *c)
--
1.8.3.1


@ -1,49 +0,0 @@
From 4ec80cc7d08a48a19d112da760e36fa9e47e9106 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix for reading garbage
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit f8eed54150fd4
commit f8eed54150fd49ed814e63a5db39eda67d4b3938
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:31 2018 +0100
flowtable: Fix for reading garbage
nftnl_flowtable_get_data() doesn't assign to passt data_len pointer
destination in all cases, so initialize it to 0.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index 1762bd1..3c3ba66 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -245,7 +245,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_str);
uint32_t nftnl_flowtable_get_u32(const struct nftnl_flowtable *c, uint16_t attr)
{
- uint32_t data_len;
+ uint32_t data_len = 0;
const uint32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
nftnl_assert(val, attr, data_len == sizeof(uint32_t));
@@ -256,7 +256,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_u32);
int32_t nftnl_flowtable_get_s32(const struct nftnl_flowtable *c, uint16_t attr)
{
- uint32_t data_len;
+ uint32_t data_len = 0;
const int32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
nftnl_assert(val, attr, data_len == sizeof(int32_t));
--
1.8.3.1


@ -1,72 +0,0 @@
From 36faead4c4a8ab0a87ee766bab6a062e8610067a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:14:56 +0100
Subject: [PATCH] src: chain: Add missing nftnl_chain_rule_del()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
Upstream Status: libnftnl commit de5a23d26828a
commit de5a23d26828a1e1f2d3351b0414925857546496
Author: Phil Sutter <phil@nwl.cc>
Date: Sun Dec 30 17:02:13 2018 +0100
src: chain: Add missing nftnl_chain_rule_del()
Although identical to nftnl_rule_list_del(), this function adheres to
the common naming style of per chain rule list routines introduced
earlier, therefore helps with deprecating the global rule list API at a
later point.
Fixes: e33798478176f ("chain: Support per chain rules list")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 1 +
src/chain.c | 6 ++++++
src/libnftnl.map | 1 +
3 files changed, 8 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 64e10e9..163a824 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -56,6 +56,7 @@ int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_del(struct nftnl_rule *rule);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
diff --git a/src/chain.c b/src/chain.c
index ae074fd..6dc8f36 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -429,6 +429,12 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
list_add(&rule->head, &c->rule_list);
}
+EXPORT_SYMBOL(nftnl_chain_rule_del);
+void nftnl_chain_rule_del(struct nftnl_rule *r)
+{
+ list_del(&r->head);
+}
+
EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
{
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 0d3be32..0dad6a2 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -340,6 +340,7 @@ local: *;
LIBNFTNL_12 {
nftnl_chain_rule_add;
nftnl_chain_rule_add_tail;
+ nftnl_chain_rule_del;
nftnl_chain_rule_insert_at;
nftnl_rule_foreach;
nftnl_rule_iter_create;
--
1.8.3.1


@ -1,71 +0,0 @@
From fca027631250013cae7323e058575deb72b8510a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:14:56 +0100
Subject: [PATCH] src: chain: Fix nftnl_chain_rule_insert_at()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
Upstream Status: libnftnl commit 278a3b779a731
commit 278a3b779a731b3565595259b07b9065f6a6f425
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Jan 14 17:42:50 2019 +0100
src: chain: Fix nftnl_chain_rule_insert_at()
Extrapolating from iptables nomenclature, one would expect that "insert"
means to prepend the new item to the referenced one, not append. Change
nftnl_chain_rule_insert_at() to do just that and introduce
nftnl_chain_rule_append_at() to insert a rule after the referenced one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 1 +
src/chain.c | 6 ++++++
src/libnftnl.map | 1 +
3 files changed, 8 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 163a824..31b48cf 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -59,6 +59,7 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_del(struct nftnl_rule *rule);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
+void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
struct nlmsghdr;
diff --git a/src/chain.c b/src/chain.c
index 6dc8f36..7326c2a 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -444,6 +444,12 @@ void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
{
+ list_add_tail(&rule->head, &pos->head);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_append_at);
+void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
+{
list_add(&rule->head, &pos->head);
}
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 0dad6a2..192eef8 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -342,6 +342,7 @@ LIBNFTNL_12 {
nftnl_chain_rule_add_tail;
nftnl_chain_rule_del;
nftnl_chain_rule_insert_at;
+ nftnl_chain_rule_append_at;
nftnl_rule_foreach;
nftnl_rule_iter_create;
nftnl_rule_iter_next;
--
1.8.3.1


@ -1,150 +0,0 @@
From 3eb9b26b8b79b0bd5b153cfdad8eb10c86ae2b64 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 31 Jan 2019 19:03:53 +0100
Subject: [PATCH] src: rule: Support NFTA_RULE_POSITION_ID attribute
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1670565
Upstream Status: libnftnl commit 7a7137adf6c14
commit 7a7137adf6c143f7cccc6440a5340a43033b61e7
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Jan 15 20:59:04 2019 +0100
src: rule: Support NFTA_RULE_POSITION_ID attribute
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/rule.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
include/rule.h | 1 +
src/rule.c | 20 ++++++++++++++++++++
4 files changed, 24 insertions(+)
diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
index 8501c86..78bfead 100644
--- a/include/libnftnl/rule.h
+++ b/include/libnftnl/rule.h
@@ -28,6 +28,7 @@ enum nftnl_rule_attr {
NFTNL_RULE_POSITION,
NFTNL_RULE_USERDATA,
NFTNL_RULE_ID,
+ NFTNL_RULE_POSITION_ID,
__NFTNL_RULE_MAX
};
#define NFTNL_RULE_MAX (__NFTNL_RULE_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 91449ef..adfae98 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -218,6 +218,7 @@ enum nft_chain_attributes {
* @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
* @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
*/
enum nft_rule_attributes {
NFTA_RULE_UNSPEC,
@@ -230,6 +231,7 @@ enum nft_rule_attributes {
NFTA_RULE_USERDATA,
NFTA_RULE_PAD,
NFTA_RULE_ID,
+ NFTA_RULE_POSITION_ID,
__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
diff --git a/include/rule.h b/include/rule.h
index 5edcb6c..036c722 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -11,6 +11,7 @@ struct nftnl_rule {
uint64_t handle;
uint64_t position;
uint32_t id;
+ uint32_t position_id;
struct {
void *data;
uint32_t len;
diff --git a/src/rule.c b/src/rule.c
index 6a43d3e..d9b97b6 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -87,6 +87,7 @@ void nftnl_rule_unset(struct nftnl_rule *r, uint16_t attr)
case NFTNL_RULE_POSITION:
case NFTNL_RULE_FAMILY:
case NFTNL_RULE_ID:
+ case NFTNL_RULE_POSITION_ID:
break;
case NFTNL_RULE_USERDATA:
xfree(r->user.data);
@@ -103,6 +104,7 @@ static uint32_t nftnl_rule_validate[NFTNL_RULE_MAX + 1] = {
[NFTNL_RULE_FAMILY] = sizeof(uint32_t),
[NFTNL_RULE_POSITION] = sizeof(uint64_t),
[NFTNL_RULE_ID] = sizeof(uint32_t),
+ [NFTNL_RULE_POSITION_ID] = sizeof(uint32_t),
};
EXPORT_SYMBOL(nftnl_rule_set_data);
@@ -158,6 +160,9 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
case NFTNL_RULE_ID:
r->id = *((uint32_t *)data);
break;
+ case NFTNL_RULE_POSITION_ID:
+ memcpy(&r->position_id, data, sizeof(r->position_id));
+ break;
}
r->flags |= (1 << attr);
return 0;
@@ -222,6 +227,9 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr,
case NFTNL_RULE_ID:
*data_len = sizeof(uint32_t);
return &r->id;
+ case NFTNL_RULE_POSITION_ID:
+ *data_len = sizeof(uint32_t);
+ return &r->position_id;
}
return NULL;
}
@@ -313,6 +321,8 @@ void nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule *r)
}
if (r->flags & (1 << NFTNL_RULE_ID))
mnl_attr_put_u32(nlh, NFTA_RULE_ID, htonl(r->id));
+ if (r->flags & (1 << NFTNL_RULE_POSITION_ID))
+ mnl_attr_put_u32(nlh, NFTA_RULE_POSITION_ID, htonl(r->position_id));
}
EXPORT_SYMBOL(nftnl_rule_add_expr);
@@ -352,6 +362,7 @@ static int nftnl_rule_parse_attr_cb(const struct nlattr *attr, void *data)
abi_breakage();
break;
case NFTA_RULE_ID:
+ case NFTA_RULE_POSITION_ID:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
break;
@@ -483,6 +494,10 @@ int nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r)
r->id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_ID]));
r->flags |= (1 << NFTNL_RULE_ID);
}
+ if (tb[NFTA_RULE_POSITION_ID]) {
+ r->position_id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_POSITION_ID]));
+ r->flags |= (1 << NFTNL_RULE_POSITION_ID);
+ }
r->family = nfg->nfgen_family;
r->flags |= (1 << NFTNL_RULE_FAMILY);
@@ -729,6 +744,11 @@ static int nftnl_rule_snprintf_default(char *buf, size_t size,
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
+ if (r->flags & (1 << NFTNL_RULE_POSITION_ID)) {
+ ret = snprintf(buf + offset, remain, "%u ", r->position_id);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
+
ret = snprintf(buf + offset, remain, "\n");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
--
1.8.3.1


@ -1,5 +1,5 @@
%define rpmversion 1.1.1
%define specrelease 4%{?dist}
%define rpmversion 1.1.5
%define specrelease 2%{?dist}
Name: libnftnl
Version: %{rpmversion}
@ -12,18 +12,11 @@ BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: libmnl-devel
Patch0: 0001-src-remove-nftnl_rule_cmp-and-nftnl_expr_cmp.patch
Patch1: 0002-chain-Support-per-chain-rules-list.patch
Patch2: 0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch
Patch3: 0004-chain-Hash-chain-list-by-name.patch
Patch4: 0005-object-Avoid-obj_ops-array-overrun.patch
Patch5: 0006-flowtable-Add-missing-break.patch
Patch6: 0007-flowtable-Fix-use-after-free-in-two-spots.patch
Patch7: 0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch
Patch8: 0009-flowtable-Fix-for-reading-garbage.patch
Patch9: 0010-src-chain-Add-missing-nftnl_chain_rule_del.patch
Patch10: 0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch
Patch11: 0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch
Patch0: 0001-tests-flowtable-Don-t-check-NFTNL_FLOWTABLE_SIZE.patch
Patch1: 0002-flowtable-Fix-memleak-in-error-path-of-nftnl_flowtab.patch
Patch2: 0003-chain-Fix-memleak-in-error-path-of-nftnl_chain_parse.patch
Patch3: 0004-flowtable-Correctly-check-realloc-call.patch
Patch4: 0005-chain-Correctly-check-realloc-call.patch
%description
A library for low-level interaction with nftables Netlink's API over libmnl.
@ -51,10 +44,6 @@ make %{?_smp_mflags}
%check
make %{?_smp_mflags} check
cd tests
# JSON parsing would fail since it's not compiled in, so disable here
sed -i -e '/^\.\/nft-parsing-test /d' test-script.sh
sh ./test-script.sh
%install
%make_install
@ -74,6 +63,30 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%{_includedir}/libnftnl
%changelog
* Fri Dec 06 2019 Phil Sutter <psutter@redhat.com> [1.1.5-2.el8]
- chain: Correctly check realloc() call (Phil Sutter) [1778952]
- flowtable: Correctly check realloc() call (Phil Sutter) [1778952]
- chain: Fix memleak in error path of nftnl_chain_parse_devs() (Phil Sutter) [1778952]
- flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs() (Phil Sutter) [1778952]
* Mon Dec 02 2019 Phil Sutter <psutter@redhat.com> [1.1.5-1.el8]
- Rebase onto upstream version 1.1.5 (Phil Sutter) [1717129]
* Thu Oct 24 2019 Phil Sutter <psutter@redhat.com> [1.1.4-3.el8]
- set: Export nftnl_set_list_lookup_byname() (Phil Sutter) [1762563]
* Thu Oct 17 2019 Phil Sutter <psutter@redhat.com> [1.1.4-2.el8]
- obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser (Phil Sutter) [1758673]
- set_elem: Validate nftnl_set_elem_set() parameters (Phil Sutter) [1758673]
- obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data() (Phil Sutter) [1758673]
- set: Don't bypass checks in nftnl_set_set_u{32,64}() (Phil Sutter) [1758673]
- obj/tunnel: Fix for undefined behaviour (Phil Sutter) [1758673]
- set_elem: Fix return code of nftnl_set_elem_set() (Phil Sutter) [1758673]
- obj: ct_timeout: Check return code of mnl_attr_parse_nested() (Phil Sutter) [1758673]
* Fri Oct 04 2019 Phil Sutter <psutter@redhat.com> [1.1.4-1.el8]
- Rebase to upstream version 1.1.4 (Phil Sutter) [1717129]
* Thu Jan 31 2019 Phil Sutter <psutter@redhat.com> [1.1.1-4.el8]
- src: rule: Support NFTA_RULE_POSITION_ID attribute (Phil Sutter) [1670565]