rpms/libnftnl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libnftnl-1.1.1-4.el8

Browse Source
This commit is contained in:
CentOS Sources 2019-05-07 09:47:49 -04:00 committed by Andrew Lukoshko
commit 4e3b75a411
15 changed files with 2643 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/libnftnl-1.1.1.tar.bz2

1
.libnftnl.metadata Normal file
View File

@ -0,0 +1 @@
d2be642a54e0f105cb5564471ae4aaaed8b97ca6 SOURCES/libnftnl-1.1.1.tar.bz2

1348
SOURCES/0001-src-remove-nftnl_rule_cmp-and-nftnl_expr_cmp.patch Normal file
View File

File diff suppressed because it is too large Load Diff

313
SOURCES/0002-chain-Support-per-chain-rules-list.patch Normal file
View File

@ -0,0 +1,313 @@
From 8fcb95ed6dcd47c94a924b4018177d8a833d6983 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Support per chain rules list
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit e33798478176f
commit e33798478176f97edf2649cd61444e0375fdc12b
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 6 17:17:51 2018 +0100
chain: Support per chain rules list
The implementation basically copies expr_list in struct nftnl_rule.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/internal.h | 1 +
include/libnftnl/chain.h | 15 +++++++
include/rule.h | 26 ++++++++++++
src/chain.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++-
src/libnftnl.map | 10 +++++
src/rule.c | 22 ----------
6 files changed, 155 insertions(+), 23 deletions(-)
create mode 100644 include/rule.h
diff --git a/include/internal.h b/include/internal.h
index 7e97c4a..323f825 100644
--- a/include/internal.h
+++ b/include/internal.h
@@ -13,5 +13,6 @@
#include "expr.h"
#include "expr_ops.h"
#include "buffer.h"
+#include "rule.h"
#endif /* _LIBNFTNL_INTERNAL_H_ */
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 237683e..f04f610 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -13,6 +13,7 @@ extern "C" {
#endif
struct nftnl_chain;
+struct nftnl_rule;
struct nftnl_chain *nftnl_chain_alloc(void);
void nftnl_chain_free(const struct nftnl_chain *);
@@ -54,6 +55,10 @@ uint32_t nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr);
int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
+void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
+
struct nlmsghdr;
void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *t);
@@ -68,6 +73,16 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, ui
#define nftnl_chain_nlmsg_build_hdr nftnl_nlmsg_build_hdr
int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
+int nftnl_rule_foreach(struct nftnl_chain *c,
+ int (*cb)(struct nftnl_rule *r, void *data),
+ void *data);
+
+struct nftnl_rule_iter;
+
+struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c);
+struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter);
+void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter);
+
struct nftnl_chain_list;
struct nftnl_chain_list *nftnl_chain_list_alloc(void);
diff --git a/include/rule.h b/include/rule.h
new file mode 100644
index 0000000..5edcb6c
--- /dev/null
+++ b/include/rule.h
@@ -0,0 +1,26 @@
+#ifndef _LIBNFTNL_RULE_INTERNAL_H_
+#define _LIBNFTNL_RULE_INTERNAL_H_
+
+struct nftnl_rule {
+ struct list_head head;
+
+ uint32_t flags;
+ uint32_t family;
+ const char *table;
+ const char *chain;
+ uint64_t handle;
+ uint64_t position;
+ uint32_t id;
+ struct {
+ void *data;
+ uint32_t len;
+ } user;
+ struct {
+ uint32_t flags;
+ uint32_t proto;
+ } compat;
+
+ struct list_head expr_list;
+};
+
+#endif
diff --git a/src/chain.c b/src/chain.c
index eff5186..c374923 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -27,6 +27,7 @@
#include <linux/netfilter_arp.h>
#include <libnftnl/chain.h>
+#include <libnftnl/rule.h>
#include <buffer.h>
struct nftnl_chain {
@@ -45,6 +46,8 @@ struct nftnl_chain {
uint64_t bytes;
uint64_t handle;
uint32_t flags;
+
+ struct list_head rule_list;
};
static const char *nftnl_hooknum2str(int family, int hooknum)
@@ -90,12 +93,25 @@ static const char *nftnl_hooknum2str(int family, int hooknum)
EXPORT_SYMBOL(nftnl_chain_alloc);
struct nftnl_chain *nftnl_chain_alloc(void)
{
- return calloc(1, sizeof(struct nftnl_chain));
+ struct nftnl_chain *c;
+
+ c = calloc(1, sizeof(struct nftnl_chain));
+ if (c == NULL)
+ return NULL;
+
+ INIT_LIST_HEAD(&c->rule_list);
+
+ return c;
}
EXPORT_SYMBOL(nftnl_chain_free);
void nftnl_chain_free(const struct nftnl_chain *c)
{
+ struct nftnl_rule *r, *tmp;
+
+ list_for_each_entry_safe(r, tmp, &c->rule_list, head)
+ nftnl_rule_free(r);
+
if (c->flags & (1 << NFTNL_CHAIN_NAME))
xfree(c->name);
if (c->flags & (1 << NFTNL_CHAIN_TABLE))
@@ -406,6 +422,24 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch
mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, c->type);
}
+EXPORT_SYMBOL(nftnl_chain_rule_add);
+void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
+{
+ list_add(&rule->head, &c->rule_list);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
+void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
+{
+ list_add_tail(&rule->head, &c->rule_list);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
+void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
+{
+ list_add(&rule->head, &pos->head);
+}
+
static int nftnl_chain_parse_attr_cb(const struct nlattr *attr, void *data)
{
const struct nlattr **tb = data;
@@ -875,6 +909,74 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type,
nftnl_chain_do_snprintf);
}
+EXPORT_SYMBOL(nftnl_rule_foreach);
+int nftnl_rule_foreach(struct nftnl_chain *c,
+ int (*cb)(struct nftnl_rule *r, void *data),
+ void *data)
+{
+ struct nftnl_rule *cur, *tmp;
+ int ret;
+
+ list_for_each_entry_safe(cur, tmp, &c->rule_list, head) {
+ ret = cb(cur, data);
+ if (ret < 0)
+ return ret;
+ }
+ return 0;
+}
+
+struct nftnl_rule_iter {
+ const struct nftnl_chain *c;
+ struct nftnl_rule *cur;
+};
+
+static void nftnl_rule_iter_init(const struct nftnl_chain *c,
+ struct nftnl_rule_iter *iter)
+{
+ iter->c = c;
+ if (list_empty(&c->rule_list))
+ iter->cur = NULL;
+ else
+ iter->cur = list_entry(c->rule_list.next, struct nftnl_rule,
+ head);
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_create);
+struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c)
+{
+ struct nftnl_rule_iter *iter;
+
+ iter = calloc(1, sizeof(struct nftnl_rule_iter));
+ if (iter == NULL)
+ return NULL;
+
+ nftnl_rule_iter_init(c, iter);
+
+ return iter;
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_next);
+struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter)
+{
+ struct nftnl_rule *rule = iter->cur;
+
+ if (rule == NULL)
+ return NULL;
+
+ /* get next rule, if any */
+ iter->cur = list_entry(iter->cur->head.next, struct nftnl_rule, head);
+ if (&iter->cur->head == iter->c->rule_list.next)
+ return NULL;
+
+ return rule;
+}
+
+EXPORT_SYMBOL(nftnl_rule_iter_destroy);
+void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
+{
+ xfree(iter);
+}
+
struct nftnl_chain_list {
struct list_head list;
};
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 89414f2..96d5b5f 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -336,3 +336,13 @@ global:
local: *;
};
+
+LIBNFTNL_12 {
+ nftnl_chain_rule_add;
+ nftnl_chain_rule_add_tail;
+ nftnl_chain_rule_insert_at;
+ nftnl_rule_foreach;
+ nftnl_rule_iter_create;
+ nftnl_rule_iter_next;
+ nftnl_rule_iter_destroy;
+} LIBNFTNL_11;
diff --git a/src/rule.c b/src/rule.c
index 2c70420..6a43d3e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -30,28 +30,6 @@
#include <libnftnl/set.h>
#include <libnftnl/expr.h>
-struct nftnl_rule {
- struct list_head head;
-
- uint32_t flags;
- uint32_t family;
- const char *table;
- const char *chain;
- uint64_t handle;
- uint64_t position;
- uint32_t id;
- struct {
- void *data;
- uint32_t len;
- } user;
- struct {
- uint32_t flags;
- uint32_t proto;
- } compat;
-
- struct list_head expr_list;
-};
-
EXPORT_SYMBOL(nftnl_rule_alloc);
struct nftnl_rule *nftnl_rule_alloc(void)
{
--
1.8.3.1

107
SOURCES/0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch Normal file
View File

@ -0,0 +1,107 @@
From 75b3a238485745de01cf6264703ba6c192d7f721 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Add lookup functions for chain list and rules in chain
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit 1a829ec0c3285
commit 1a829ec0c3285baac712352c3a046a4f76013e70
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 6 17:17:52 2018 +0100
chain: Add lookup functions for chain list and rules in chain
For now, these lookup functions simply iterate over the linked list
until they find the right entry. In future, they may make use of more
optimized data structures behind the curtains.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 2 ++
src/chain.c | 28 ++++++++++++++++++++++++++++
src/libnftnl.map | 3 +++
3 files changed, 33 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index f04f610..64e10e9 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -76,6 +76,7 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
int nftnl_rule_foreach(struct nftnl_chain *c,
int (*cb)(struct nftnl_rule *r, void *data),
void *data);
+struct nftnl_rule *nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index);
struct nftnl_rule_iter;
@@ -89,6 +90,7 @@ struct nftnl_chain_list *nftnl_chain_list_alloc(void);
void nftnl_chain_list_free(struct nftnl_chain_list *list);
int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list);
int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list, int (*cb)(struct nftnl_chain *t, void *data), void *data);
+struct nftnl_chain *nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list, const char *chain);
void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list);
void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list);
diff --git a/src/chain.c b/src/chain.c
index c374923..22bb45c 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -925,6 +925,20 @@ int nftnl_rule_foreach(struct nftnl_chain *c,
return 0;
}
+EXPORT_SYMBOL(nftnl_rule_lookup_byindex);
+struct nftnl_rule *
+nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index)
+{
+ struct nftnl_rule *r;
+
+ list_for_each_entry(r, &c->rule_list, head) {
+ if (!index)
+ return r;
+ index--;
+ }
+ return NULL;
+}
+
struct nftnl_rule_iter {
const struct nftnl_chain *c;
struct nftnl_rule *cur;
@@ -1047,6 +1061,20 @@ int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list,
return 0;
}
+EXPORT_SYMBOL(nftnl_chain_list_lookup_byname);
+struct nftnl_chain *
+nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
+ const char *chain)
+{
+ struct nftnl_chain *c;
+
+ list_for_each_entry(c, &chain_list->list, head) {
+ if (!strcmp(chain, c->name))
+ return c;
+ }
+ return NULL;
+}
+
struct nftnl_chain_list_iter {
const struct nftnl_chain_list *list;
struct nftnl_chain *cur;
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 96d5b5f..0d3be32 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -345,4 +345,7 @@ LIBNFTNL_12 {
nftnl_rule_iter_create;
nftnl_rule_iter_next;
nftnl_rule_iter_destroy;
+
+ nftnl_chain_list_lookup_byname;
+ nftnl_rule_lookup_byindex;
} LIBNFTNL_11;
--
1.8.3.1

143
SOURCES/0004-chain-Hash-chain-list-by-name.patch Normal file
View File

@ -0,0 +1,143 @@
From a3af0aff50cd3e899cb5205d4d5330a96aeffaa5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Mon, 17 Dec 2018 17:30:06 +0100
Subject: [PATCH] chain: Hash chain list by name
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
Upstream Status: libnftnl commit 7170f0929ef50
commit 7170f0929ef50a1a45d9fd5d058ea6178c8e56ef
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Dec 11 18:44:00 2018 +0100
chain: Hash chain list by name
Introduce a hash table to speedup nftnl_chain_list_lookup_byname(). In
theory this could replace the linked list completely but has been left
in place so that nftnl_chain_list_add_tail() still does what it's
supposed to and iterators return chains in original order.
Speed was tested using a simple script which creates a dump file
containing a number of custom chains and for each of them two rules in
INPUT chain jumping to it. The following table compares run-time of
iptables-legacy-restore with iptables-nft-restore before and after this
patch:
count legacy nft-old nft-new
----------------------------------------------
10000 26s 38s 31s
50000 137s 339s 149s
So while it is still not as quick, it now scales nicely (at least in
this very primitive test).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/chain.c | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/chain.c b/src/chain.c
index 22bb45c..ae074fd 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -32,6 +32,7 @@
struct nftnl_chain {
struct list_head head;
+ struct hlist_node hnode;
const char *name;
const char *type;
@@ -991,20 +992,27 @@ void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
xfree(iter);
}
+#define CHAIN_NAME_HSIZE 512
+
struct nftnl_chain_list {
+
struct list_head list;
+ struct hlist_head name_hash[CHAIN_NAME_HSIZE];
};
EXPORT_SYMBOL(nftnl_chain_list_alloc);
struct nftnl_chain_list *nftnl_chain_list_alloc(void)
{
struct nftnl_chain_list *list;
+ int i;
list = calloc(1, sizeof(struct nftnl_chain_list));
if (list == NULL)
return NULL;
INIT_LIST_HEAD(&list->list);
+ for (i = 0; i < CHAIN_NAME_HSIZE; i++)
+ INIT_HLIST_HEAD(&list->name_hash[i]);
return list;
}
@@ -1016,6 +1024,7 @@ void nftnl_chain_list_free(struct nftnl_chain_list *list)
list_for_each_entry_safe(r, tmp, &list->list, head) {
list_del(&r->head);
+ hlist_del(&r->hnode);
nftnl_chain_free(r);
}
xfree(list);
@@ -1027,15 +1036,31 @@ int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list)
return list_empty(&list->list);
}
+static uint32_t djb_hash(const char *key)
+{
+ uint32_t i, hash = 5381;
+
+ for (i = 0; i < strlen(key); i++)
+ hash = ((hash << 5) + hash) + key[i];
+
+ return hash;
+}
+
EXPORT_SYMBOL(nftnl_chain_list_add);
void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list)
{
+ int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
+
+ hlist_add_head(&r->hnode, &list->name_hash[key]);
list_add(&r->head, &list->list);
}
EXPORT_SYMBOL(nftnl_chain_list_add_tail);
void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list)
{
+ int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
+
+ hlist_add_head(&r->hnode, &list->name_hash[key]);
list_add_tail(&r->head, &list->list);
}
@@ -1043,6 +1068,7 @@ EXPORT_SYMBOL(nftnl_chain_list_del);
void nftnl_chain_list_del(struct nftnl_chain *r)
{
list_del(&r->head);
+ hlist_del(&r->hnode);
}
EXPORT_SYMBOL(nftnl_chain_list_foreach);
@@ -1066,9 +1092,11 @@ struct nftnl_chain *
nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
const char *chain)
{
+ int key = djb_hash(chain) % CHAIN_NAME_HSIZE;
struct nftnl_chain *c;
+ struct hlist_node *n;
- list_for_each_entry(c, &chain_list->list, head) {
+ hlist_for_each_entry(c, n, &chain_list->name_hash[key], hnode) {
if (!strcmp(chain, c->name))
return c;
}
--
1.8.3.1

40
SOURCES/0005-object-Avoid-obj_ops-array-overrun.patch Normal file
View File

@ -0,0 +1,40 @@
From 34e115c1a9657f07ed8a39b81c6b21fba1faa319 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] object: Avoid obj_ops array overrun
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 16c44d9f42170
commit 16c44d9f42170264c4d484478c76e940951f1b70
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:27 2018 +0100
object: Avoid obj_ops array overrun
In version 1.1.1, obj_ops array was smaller than __NFT_OBJECT_MAX since
there are no ops for NFT_OBJECT_CONNLIMIT. Avoid this potential issue in
the future by defining the array size.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/object.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/object.c b/src/object.c
index d8278f3..7fb9bab 100644
--- a/src/object.c
+++ b/src/object.c
@@ -25,7 +25,7 @@
#include <buffer.h>
#include "obj.h"
-static struct obj_ops *obj_ops[] = {
+static struct obj_ops *obj_ops[__NFT_OBJECT_MAX] = {
[NFT_OBJECT_COUNTER] = &obj_ops_counter,
[NFT_OBJECT_QUOTA] = &obj_ops_quota,
[NFT_OBJECT_CT_HELPER] = &obj_ops_ct_helper,
--
1.8.3.1

40
SOURCES/0006-flowtable-Add-missing-break.patch Normal file
View File

@ -0,0 +1,40 @@
From d3d9966d79cc7d6d11124302dd06b7d7522e7305 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Add missing break
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 404ef7222d055
commit 404ef7222d055aacdbd4d73dc0d8731fa8f6cbe4
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:28 2018 +0100
flowtable: Add missing break
In nftnl_flowtable_set_data(), when setting flowtable size, the switch()
case fell through and the same value was copied into ft_flags field.
This can't be right.
Fixes: 41fe3d38ba34b ("flowtable: support for flags")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/flowtable.c b/src/flowtable.c
index c1ddae4..aa6ce59 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -163,6 +163,7 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
break;
case NFTNL_FLOWTABLE_SIZE:
memcpy(&c->size, data, sizeof(c->size));
+ break;
case NFTNL_FLOWTABLE_FLAGS:
memcpy(&c->ft_flags, data, sizeof(c->ft_flags));
break;
--
1.8.3.1

57
SOURCES/0007-flowtable-Fix-use-after-free-in-two-spots.patch Normal file
View File

@ -0,0 +1,57 @@
From 0d3f59cbe70f55f220fafd1ffff043a35a0d4503 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix use after free in two spots
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 822dc96815e96
commit 822dc96815e96465822ce4b1187c4b29c06cb7c1
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:29 2018 +0100
flowtable: Fix use after free in two spots
When freeing flowtable devices array, the loop freeing each device
string incorrectly included the call to free the device array itself.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index aa6ce59..61ff29b 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -85,10 +85,9 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
case NFTNL_FLOWTABLE_FLAGS:
break;
case NFTNL_FLOWTABLE_DEVICES:
- for (i = 0; i < c->dev_array_len; i++) {
+ for (i = 0; i < c->dev_array_len; i++)
xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
+ xfree(c->dev_array);
break;
default:
return;
@@ -146,10 +145,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
len++;
if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
- for (i = 0; i < c->dev_array_len; i++) {
+ for (i = 0; i < c->dev_array_len; i++)
xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
+ xfree(c->dev_array);
}
c->dev_array = calloc(len + 1, sizeof(char *));
--
1.8.3.1

62
SOURCES/0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch Normal file
View File

@ -0,0 +1,62 @@
From c3c2777d4b62db4b49fd3dcf8293562defa95112 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix memleak in nftnl_flowtable_parse_devs()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 8ef66870832d5
commit 8ef66870832d56881703a7798ecdff9e19917b15
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:30 2018 +0100
flowtable: Fix memleak in nftnl_flowtable_parse_devs()
Allocated strings in dev_array were not freed. Fix this by freeing them
on error path and assigning them to c->dev_array directly in regular
path.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index 61ff29b..1762bd1 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -364,7 +364,7 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
mnl_attr_for_each_nested(attr, nest) {
if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
- return -1;
+ goto err;
dev_array[len++] = strdup(mnl_attr_get_str(attr));
if (len >= 8)
break;
@@ -375,14 +375,18 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
c->dev_array = calloc(len + 1, sizeof(char *));
if (!c->dev_array)
- return -1;
+ goto err;
c->dev_array_len = len;
for (i = 0; i < len; i++)
- c->dev_array[i] = strdup(dev_array[i]);
+ c->dev_array[i] = dev_array[i];
return 0;
+err:
+ while (len--)
+ xfree(dev_array[len]);
+ return -1;
}
static int nftnl_flowtable_parse_hook(struct nlattr *attr, struct nftnl_flowtable *c)
--
1.8.3.1

49
SOURCES/0009-flowtable-Fix-for-reading-garbage.patch Normal file
View File

@ -0,0 +1,49 @@
From 4ec80cc7d08a48a19d112da760e36fa9e47e9106 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix for reading garbage
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit f8eed54150fd4
commit f8eed54150fd49ed814e63a5db39eda67d4b3938
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Dec 20 21:03:31 2018 +0100
flowtable: Fix for reading garbage
nftnl_flowtable_get_data() doesn't assign to passt data_len pointer
destination in all cases, so initialize it to 0.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/flowtable.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index 1762bd1..3c3ba66 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -245,7 +245,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_str);
uint32_t nftnl_flowtable_get_u32(const struct nftnl_flowtable *c, uint16_t attr)
{
- uint32_t data_len;
+ uint32_t data_len = 0;
const uint32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
nftnl_assert(val, attr, data_len == sizeof(uint32_t));
@@ -256,7 +256,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_u32);
int32_t nftnl_flowtable_get_s32(const struct nftnl_flowtable *c, uint16_t attr)
{
- uint32_t data_len;
+ uint32_t data_len = 0;
const int32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
nftnl_assert(val, attr, data_len == sizeof(int32_t));
--
1.8.3.1

72
SOURCES/0010-src-chain-Add-missing-nftnl_chain_rule_del.patch Normal file
View File

@ -0,0 +1,72 @@
From 36faead4c4a8ab0a87ee766bab6a062e8610067a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:14:56 +0100
Subject: [PATCH] src: chain: Add missing nftnl_chain_rule_del()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
Upstream Status: libnftnl commit de5a23d26828a
commit de5a23d26828a1e1f2d3351b0414925857546496
Author: Phil Sutter <phil@nwl.cc>
Date: Sun Dec 30 17:02:13 2018 +0100
src: chain: Add missing nftnl_chain_rule_del()
Although identical to nftnl_rule_list_del(), this function adheres to
the common naming style of per chain rule list routines introduced
earlier, therefore helps with deprecating the global rule list API at a
later point.
Fixes: e33798478176f ("chain: Support per chain rules list")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 1 +
src/chain.c | 6 ++++++
src/libnftnl.map | 1 +
3 files changed, 8 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 64e10e9..163a824 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -56,6 +56,7 @@ int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
+void nftnl_chain_rule_del(struct nftnl_rule *rule);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
diff --git a/src/chain.c b/src/chain.c
index ae074fd..6dc8f36 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -429,6 +429,12 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
list_add(&rule->head, &c->rule_list);
}
+EXPORT_SYMBOL(nftnl_chain_rule_del);
+void nftnl_chain_rule_del(struct nftnl_rule *r)
+{
+ list_del(&r->head);
+}
+
EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
{
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 0d3be32..0dad6a2 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -340,6 +340,7 @@ local: *;
LIBNFTNL_12 {
nftnl_chain_rule_add;
nftnl_chain_rule_add_tail;
+ nftnl_chain_rule_del;
nftnl_chain_rule_insert_at;
nftnl_rule_foreach;
nftnl_rule_iter_create;
--
1.8.3.1

71
SOURCES/0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch Normal file
View File

@ -0,0 +1,71 @@
From fca027631250013cae7323e058575deb72b8510a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 29 Jan 2019 18:14:56 +0100
Subject: [PATCH] src: chain: Fix nftnl_chain_rule_insert_at()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
Upstream Status: libnftnl commit 278a3b779a731
commit 278a3b779a731b3565595259b07b9065f6a6f425
Author: Phil Sutter <phil@nwl.cc>
Date: Mon Jan 14 17:42:50 2019 +0100
src: chain: Fix nftnl_chain_rule_insert_at()
Extrapolating from iptables nomenclature, one would expect that "insert"
means to prepend the new item to the referenced one, not append. Change
nftnl_chain_rule_insert_at() to do just that and introduce
nftnl_chain_rule_append_at() to insert a rule after the referenced one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/chain.h | 1 +
src/chain.c | 6 ++++++
src/libnftnl.map | 1 +
3 files changed, 8 insertions(+)
diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
index 163a824..31b48cf 100644
--- a/include/libnftnl/chain.h
+++ b/include/libnftnl/chain.h
@@ -59,6 +59,7 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_del(struct nftnl_rule *rule);
void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
+void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
struct nlmsghdr;
diff --git a/src/chain.c b/src/chain.c
index 6dc8f36..7326c2a 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -444,6 +444,12 @@ void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
{
+ list_add_tail(&rule->head, &pos->head);
+}
+
+EXPORT_SYMBOL(nftnl_chain_rule_append_at);
+void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
+{
list_add(&rule->head, &pos->head);
}
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 0dad6a2..192eef8 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -342,6 +342,7 @@ LIBNFTNL_12 {
nftnl_chain_rule_add_tail;
nftnl_chain_rule_del;
nftnl_chain_rule_insert_at;
+ nftnl_chain_rule_append_at;
nftnl_rule_foreach;
nftnl_rule_iter_create;
nftnl_rule_iter_next;
--
1.8.3.1

150
SOURCES/0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch Normal file
View File

@ -0,0 +1,150 @@
From 3eb9b26b8b79b0bd5b153cfdad8eb10c86ae2b64 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 31 Jan 2019 19:03:53 +0100
Subject: [PATCH] src: rule: Support NFTA_RULE_POSITION_ID attribute
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1670565
Upstream Status: libnftnl commit 7a7137adf6c14
commit 7a7137adf6c143f7cccc6440a5340a43033b61e7
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Jan 15 20:59:04 2019 +0100
src: rule: Support NFTA_RULE_POSITION_ID attribute
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/libnftnl/rule.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
include/rule.h | 1 +
src/rule.c | 20 ++++++++++++++++++++
4 files changed, 24 insertions(+)
diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
index 8501c86..78bfead 100644
--- a/include/libnftnl/rule.h
+++ b/include/libnftnl/rule.h
@@ -28,6 +28,7 @@ enum nftnl_rule_attr {
NFTNL_RULE_POSITION,
NFTNL_RULE_USERDATA,
NFTNL_RULE_ID,
+ NFTNL_RULE_POSITION_ID,
__NFTNL_RULE_MAX
};
#define NFTNL_RULE_MAX (__NFTNL_RULE_MAX - 1)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 91449ef..adfae98 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -218,6 +218,7 @@ enum nft_chain_attributes {
* @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
* @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
*/
enum nft_rule_attributes {
NFTA_RULE_UNSPEC,
@@ -230,6 +231,7 @@ enum nft_rule_attributes {
NFTA_RULE_USERDATA,
NFTA_RULE_PAD,
NFTA_RULE_ID,
+ NFTA_RULE_POSITION_ID,
__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
diff --git a/include/rule.h b/include/rule.h
index 5edcb6c..036c722 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -11,6 +11,7 @@ struct nftnl_rule {
uint64_t handle;
uint64_t position;
uint32_t id;
+ uint32_t position_id;
struct {
void *data;
uint32_t len;
diff --git a/src/rule.c b/src/rule.c
index 6a43d3e..d9b97b6 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -87,6 +87,7 @@ void nftnl_rule_unset(struct nftnl_rule *r, uint16_t attr)
case NFTNL_RULE_POSITION:
case NFTNL_RULE_FAMILY:
case NFTNL_RULE_ID:
+ case NFTNL_RULE_POSITION_ID:
break;
case NFTNL_RULE_USERDATA:
xfree(r->user.data);
@@ -103,6 +104,7 @@ static uint32_t nftnl_rule_validate[NFTNL_RULE_MAX + 1] = {
[NFTNL_RULE_FAMILY] = sizeof(uint32_t),
[NFTNL_RULE_POSITION] = sizeof(uint64_t),
[NFTNL_RULE_ID] = sizeof(uint32_t),
+ [NFTNL_RULE_POSITION_ID] = sizeof(uint32_t),
};
EXPORT_SYMBOL(nftnl_rule_set_data);
@@ -158,6 +160,9 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
case NFTNL_RULE_ID:
r->id = *((uint32_t *)data);
break;
+ case NFTNL_RULE_POSITION_ID:
+ memcpy(&r->position_id, data, sizeof(r->position_id));
+ break;
}
r->flags |= (1 << attr);
return 0;
@@ -222,6 +227,9 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr,
case NFTNL_RULE_ID:
*data_len = sizeof(uint32_t);
return &r->id;
+ case NFTNL_RULE_POSITION_ID:
+ *data_len = sizeof(uint32_t);
+ return &r->position_id;
}
return NULL;
}
@@ -313,6 +321,8 @@ void nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule *r)
}
if (r->flags & (1 << NFTNL_RULE_ID))
mnl_attr_put_u32(nlh, NFTA_RULE_ID, htonl(r->id));
+ if (r->flags & (1 << NFTNL_RULE_POSITION_ID))
+ mnl_attr_put_u32(nlh, NFTA_RULE_POSITION_ID, htonl(r->position_id));
}
EXPORT_SYMBOL(nftnl_rule_add_expr);
@@ -352,6 +362,7 @@ static int nftnl_rule_parse_attr_cb(const struct nlattr *attr, void *data)
abi_breakage();
break;
case NFTA_RULE_ID:
+ case NFTA_RULE_POSITION_ID:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
break;
@@ -483,6 +494,10 @@ int nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r)
r->id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_ID]));
r->flags |= (1 << NFTNL_RULE_ID);
}
+ if (tb[NFTA_RULE_POSITION_ID]) {
+ r->position_id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_POSITION_ID]));
+ r->flags |= (1 << NFTNL_RULE_POSITION_ID);
+ }
r->family = nfg->nfgen_family;
r->flags |= (1 << NFTNL_RULE_FAMILY);
@@ -729,6 +744,11 @@ static int nftnl_rule_snprintf_default(char *buf, size_t size,
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
+ if (r->flags & (1 << NFTNL_RULE_POSITION_ID)) {
+ ret = snprintf(buf + offset, remain, "%u ", r->position_id);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
+
ret = snprintf(buf + offset, remain, "\n");
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
--
1.8.3.1

189
SPECS/libnftnl.spec Normal file
View File

@ -0,0 +1,189 @@
%define rpmversion 1.1.1
%define specrelease 4%{?dist}
Name: libnftnl
Version: %{rpmversion}
Release: %{specrelease}%{?buildid}
Summary: Library for low-level interaction with nftables Netlink's API over libmnl
License: GPLv2+
URL: http://netfilter.org/projects/libnftnl/
Source0: http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: libmnl-devel
Patch0: 0001-src-remove-nftnl_rule_cmp-and-nftnl_expr_cmp.patch
Patch1: 0002-chain-Support-per-chain-rules-list.patch
Patch2: 0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch
Patch3: 0004-chain-Hash-chain-list-by-name.patch
Patch4: 0005-object-Avoid-obj_ops-array-overrun.patch
Patch5: 0006-flowtable-Add-missing-break.patch
Patch6: 0007-flowtable-Fix-use-after-free-in-two-spots.patch
Patch7: 0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch
Patch8: 0009-flowtable-Fix-for-reading-garbage.patch
Patch9: 0010-src-chain-Add-missing-nftnl_chain_rule_del.patch
Patch10: 0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch
Patch11: 0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch
%description
A library for low-level interaction with nftables Netlink's API over libmnl.
%package devel
Summary: Development files for %{name}
Requires: %{name}%{_isa} = %{version}-%{release}
%description devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%prep
%autosetup -p1
%build
# This is what autogen.sh (only in git repo) does - without it, patches changing
# Makefile.am cause the build system to regenerate Makefile.in and trying to use
# automake-1.14 for that which is not available in RHEL.
autoreconf -fi
rm -rf autom4te*.cache
%configure --disable-static --disable-silent-rules
make %{?_smp_mflags}
%check
make %{?_smp_mflags} check
cd tests
# JSON parsing would fail since it's not compiled in, so disable here
sed -i -e '/^\.\/nft-parsing-test /d' test-script.sh
sh ./test-script.sh
%install
%make_install
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%doc COPYING
%{_libdir}/*.so.*
%files devel
%{_libdir}/libnft*.so
%{_libdir}/pkgconfig/libnftnl.pc
%{_includedir}/libnftnl
%changelog
* Thu Jan 31 2019 Phil Sutter <psutter@redhat.com> [1.1.1-4.el8]
- src: rule: Support NFTA_RULE_POSITION_ID attribute (Phil Sutter) [1670565]
* Tue Jan 29 2019 Phil Sutter <psutter@redhat.com> [1.1.1-3.el8]
- src: chain: Fix nftnl_chain_rule_insert_at() (Phil Sutter) [1666495]
- src: chain: Add missing nftnl_chain_rule_del() (Phil Sutter) [1666495]
- flowtable: Fix for reading garbage (Phil Sutter) [1661327]
- flowtable: Fix memleak in nftnl_flowtable_parse_devs() (Phil Sutter) [1661327]
- flowtable: Fix use after free in two spots (Phil Sutter) [1661327]
- flowtable: Add missing break (Phil Sutter) [1661327]
- object: Avoid obj_ops array overrun (Phil Sutter) [1661327]
* Mon Dec 17 2018 Phil Sutter <psutter@redhat.com> [1.1.1-2.el8]
- chain: Hash chain list by name (Phil Sutter) [1658533]
- chain: Add lookup functions for chain list and rules in chain (Phil Sutter) [1658533]
- chain: Support per chain rules list (Phil Sutter) [1658533]
- src: remove nftnl_rule_cmp() and nftnl_expr_cmp() (Phil Sutter) [1658533]
* Thu Jul 12 2018 Phil Sutter <psutter@redhat.com> [1.1.1-1.el8]
- Rebase onto upstream version 1.1.1
- Sync spec file with RHEL7
- Disable JSON parsing, deprecated by upstream
- Make use of builtin testsuite
* Sat Jun 23 2018 Phil Sutter - 1.0.9-3
- Drop leftover mxml dependency [1594917]
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Jan 08 2018 Kevin Fenzi <kevin@scrye.com> - 1.0.9-1
- Update to 1.0.9. Fixes bug #1531004
* Sat Oct 21 2017 Kevin Fenzi <kevin@scrye.com> - 1.0.8-4
- Update to 1.0.8. Fixes bug #1504350
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Dec 22 2016 Kevin Fenzi <kevin@scrye.com> - 1.0.7-1
- Update to 1.0.7. Fixes bug #1406201
* Wed Jun 01 2016 Kevin Fenzi <kevin@scrye.com> - 1.0.6-1
- Update to 1.0.6. Fixes bug #1341384
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Sep 17 2015 Kevin Fenzi <kevin@scrye.com> 1.0.5-1
- Update to 1.0.5. Fixes bug #1263684
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Dec 26 2014 Kevin Fenzi <kevin@scrye.com> 1.0.3-1
- Update to final 1.0.3
* Wed Sep 03 2014 Kevin Fenzi <kevin@scrye.com> 1.0.3-0.1.20140903git
- Update to 20140903 git snapshot
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Wed Jun 25 2014 Kevin Fenzi <kevin@scrye.com> 1.0.2-1
- Update to 1.0.2
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Apr 24 2014 Kevin Fenzi <kevin@scrye.com> 1.0.1-1.
- Update to 1.0.1
* Sun Mar 30 2014 Kevin Fenzi <kevin@scrye.com> 1.0.0-1.20140330git
- Update to 20140330 snapshot
- Sync version to be a post 1.0.0 snapshot
* Wed Mar 26 2014 Kevin Fenzi <kevin@scrye.com> 0-0.10.20140326git
- Update to 20140326 snapshot
* Fri Mar 07 2014 Kevin Fenzi <kevin@scrye.com> 0-0.9.20140307git
- Update to 20140307 snapshot
* Sat Jan 25 2014 Kevin Fenzi <kevin@scrye.com> 0-0.8.20140125git
- Update to 20140125
* Thu Jan 23 2014 Kevin Fenzi <kevin@scrye.com> 0-0.7.20140122git
- Add obsoletes/provides to devel subpackage as well.
* Wed Jan 22 2014 Kevin Fenzi <kevin@scrye.com> 0-0.6.20140122git
- Renamed libnftnl
- Update to 20140122 snapshot.
* Sat Jan 18 2014 Kevin Fenzi <kevin@scrye.com> 0-0.5.20140118git
- Update to 20140118 snapshot.
* Sat Jan 11 2014 Kevin Fenzi <kevin@scrye.com> 0-0.4.20140111git
- Update to 20140111 snapshot.
- Enable xml (some tests stll fail, but it otherwise builds ok)
* Mon Dec 02 2013 Kevin Fenzi <kevin@scrye.com> 0-0.3.20131202git
- Update to 20131202 snapshot, switch to upstream snapshot repo instead of git checkouts.
* Mon Dec 02 2013 Kevin Fenzi <kevin@scrye.com> 0-0.2
- Fixes from review.
* Sat Nov 30 2013 Kevin Fenzi <kevin@scrye.com> 0-0.1
- initial version for Fedora review