import libnftnl-1.1.1-4.el8

.gitignore

@@ -0,0 +1 @@
+SOURCES/libnftnl-1.1.1.tar.bz2

.libnftnl.metadata

@@ -0,0 +1 @@
+d2be642a54e0f105cb5564471ae4aaaed8b97ca6 SOURCES/libnftnl-1.1.1.tar.bz2

SOURCES/0002-chain-Support-per-chain-rules-list.patch

@@ -0,0 +1,313 @@
+From 8fcb95ed6dcd47c94a924b4018177d8a833d6983 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Mon, 17 Dec 2018 17:30:06 +0100
+Subject: [PATCH] chain: Support per chain rules list
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
+Upstream Status: libnftnl commit e33798478176f
+
+commit e33798478176f97edf2649cd61444e0375fdc12b
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Dec 6 17:17:51 2018 +0100
+
+    chain: Support per chain rules list
+
+    The implementation basically copies expr_list in struct nftnl_rule.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/internal.h       |   1 +
+ include/libnftnl/chain.h |  15 +++++++
+ include/rule.h           |  26 ++++++++++++
+ src/chain.c              | 104 ++++++++++++++++++++++++++++++++++++++++++++++-
+ src/libnftnl.map         |  10 +++++
+ src/rule.c               |  22 ----------
+ 6 files changed, 155 insertions(+), 23 deletions(-)
+ create mode 100644 include/rule.h
+
+diff --git a/include/internal.h b/include/internal.h
+index 7e97c4a..323f825 100644
+--- a/include/internal.h
++++ b/include/internal.h
+@@ -13,5 +13,6 @@
+ #include "expr.h"
+ #include "expr_ops.h"
+ #include "buffer.h"
++#include "rule.h"
+ 
+ #endif /* _LIBNFTNL_INTERNAL_H_ */
+diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
+index 237683e..f04f610 100644
+--- a/include/libnftnl/chain.h
++++ b/include/libnftnl/chain.h
+@@ -13,6 +13,7 @@ extern "C" {
+ #endif
+ 
+ struct nftnl_chain;
++struct nftnl_rule;
+ 
+ struct nftnl_chain *nftnl_chain_alloc(void);
+ void nftnl_chain_free(const struct nftnl_chain *);
+@@ -54,6 +55,10 @@ uint32_t nftnl_chain_get_u32(const struct nftnl_chain *c, uint16_t attr);
+ int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
+ uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
+ 
++void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
++void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
++void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
++
+ struct nlmsghdr;
+ 
+ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_chain *t);
+@@ -68,6 +73,16 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type, ui
+ #define nftnl_chain_nlmsg_build_hdr	nftnl_nlmsg_build_hdr
+ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
+ 
++int nftnl_rule_foreach(struct nftnl_chain *c,
++			  int (*cb)(struct nftnl_rule *r, void *data),
++			  void *data);
++
++struct nftnl_rule_iter;
++
++struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c);
++struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter);
++void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter);
++
+ struct nftnl_chain_list;
+ 
+ struct nftnl_chain_list *nftnl_chain_list_alloc(void);
+diff --git a/include/rule.h b/include/rule.h
+new file mode 100644
+index 0000000..5edcb6c
+--- /dev/null
++++ b/include/rule.h
+@@ -0,0 +1,26 @@
++#ifndef _LIBNFTNL_RULE_INTERNAL_H_
++#define _LIBNFTNL_RULE_INTERNAL_H_
++
++struct nftnl_rule {
++	struct list_head head;
++
++	uint32_t	flags;
++	uint32_t	family;
++	const char	*table;
++	const char	*chain;
++	uint64_t	handle;
++	uint64_t	position;
++	uint32_t	id;
++	struct {
++			void		*data;
++			uint32_t	len;
++	} user;
++	struct {
++			uint32_t	flags;
++			uint32_t	proto;
++	} compat;
++
++	struct list_head expr_list;
++};
++
++#endif
+diff --git a/src/chain.c b/src/chain.c
+index eff5186..c374923 100644
+--- a/src/chain.c
++++ b/src/chain.c
+@@ -27,6 +27,7 @@
+ #include <linux/netfilter_arp.h>
+ 
+ #include <libnftnl/chain.h>
++#include <libnftnl/rule.h>
+ #include <buffer.h>
+ 
+ struct nftnl_chain {
+@@ -45,6 +46,8 @@ struct nftnl_chain {
+ 	uint64_t	bytes;
+ 	uint64_t	handle;
+ 	uint32_t	flags;
++
++	struct list_head rule_list;
+ };
+ 
+ static const char *nftnl_hooknum2str(int family, int hooknum)
+@@ -90,12 +93,25 @@ static const char *nftnl_hooknum2str(int family, int hooknum)
+ EXPORT_SYMBOL(nftnl_chain_alloc);
+ struct nftnl_chain *nftnl_chain_alloc(void)
+ {
+-	return calloc(1, sizeof(struct nftnl_chain));
++	struct nftnl_chain *c;
++
++	c = calloc(1, sizeof(struct nftnl_chain));
++	if (c == NULL)
++		return NULL;
++
++	INIT_LIST_HEAD(&c->rule_list);
++
++	return c;
+ }
+ 
+ EXPORT_SYMBOL(nftnl_chain_free);
+ void nftnl_chain_free(const struct nftnl_chain *c)
+ {
++	struct nftnl_rule *r, *tmp;
++
++	list_for_each_entry_safe(r, tmp, &c->rule_list, head)
++		nftnl_rule_free(r);
++
+ 	if (c->flags & (1 << NFTNL_CHAIN_NAME))
+ 		xfree(c->name);
+ 	if (c->flags & (1 << NFTNL_CHAIN_TABLE))
+@@ -406,6 +422,24 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch
+ 		mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, c->type);
+ }
+ 
++EXPORT_SYMBOL(nftnl_chain_rule_add);
++void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
++{
++	list_add(&rule->head, &c->rule_list);
++}
++
++EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
++void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
++{
++	list_add_tail(&rule->head, &c->rule_list);
++}
++
++EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
++void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
++{
++	list_add(&rule->head, &pos->head);
++}
++
+ static int nftnl_chain_parse_attr_cb(const struct nlattr *attr, void *data)
+ {
+ 	const struct nlattr **tb = data;
+@@ -875,6 +909,74 @@ int nftnl_chain_fprintf(FILE *fp, const struct nftnl_chain *c, uint32_t type,
+ 			   nftnl_chain_do_snprintf);
+ }
+ 
++EXPORT_SYMBOL(nftnl_rule_foreach);
++int nftnl_rule_foreach(struct nftnl_chain *c,
++                          int (*cb)(struct nftnl_rule *r, void *data),
++                          void *data)
++{
++       struct nftnl_rule *cur, *tmp;
++       int ret;
++
++       list_for_each_entry_safe(cur, tmp, &c->rule_list, head) {
++               ret = cb(cur, data);
++               if (ret < 0)
++                       return ret;
++       }
++       return 0;
++}
++
++struct nftnl_rule_iter {
++	const struct nftnl_chain	*c;
++	struct nftnl_rule		*cur;
++};
++
++static void nftnl_rule_iter_init(const struct nftnl_chain *c,
++				 struct nftnl_rule_iter *iter)
++{
++	iter->c = c;
++	if (list_empty(&c->rule_list))
++		iter->cur = NULL;
++	else
++		iter->cur = list_entry(c->rule_list.next, struct nftnl_rule,
++				       head);
++}
++
++EXPORT_SYMBOL(nftnl_rule_iter_create);
++struct nftnl_rule_iter *nftnl_rule_iter_create(const struct nftnl_chain *c)
++{
++	struct nftnl_rule_iter *iter;
++
++	iter = calloc(1, sizeof(struct nftnl_rule_iter));
++	if (iter == NULL)
++		return NULL;
++
++	nftnl_rule_iter_init(c, iter);
++
++	return iter;
++}
++
++EXPORT_SYMBOL(nftnl_rule_iter_next);
++struct nftnl_rule *nftnl_rule_iter_next(struct nftnl_rule_iter *iter)
++{
++	struct nftnl_rule *rule = iter->cur;
++
++	if (rule == NULL)
++		return NULL;
++
++	/* get next rule, if any */
++	iter->cur = list_entry(iter->cur->head.next, struct nftnl_rule, head);
++	if (&iter->cur->head == iter->c->rule_list.next)
++		return NULL;
++
++	return rule;
++}
++
++EXPORT_SYMBOL(nftnl_rule_iter_destroy);
++void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
++{
++	xfree(iter);
++}
++
+ struct nftnl_chain_list {
+ 	struct list_head list;
+ };
+diff --git a/src/libnftnl.map b/src/libnftnl.map
+index 89414f2..96d5b5f 100644
+--- a/src/libnftnl.map
++++ b/src/libnftnl.map
+@@ -336,3 +336,13 @@ global:
+ 
+ local: *;
+ };
++
++LIBNFTNL_12 {
++  nftnl_chain_rule_add;
++  nftnl_chain_rule_add_tail;
++  nftnl_chain_rule_insert_at;
++  nftnl_rule_foreach;
++  nftnl_rule_iter_create;
++  nftnl_rule_iter_next;
++  nftnl_rule_iter_destroy;
++} LIBNFTNL_11;
+diff --git a/src/rule.c b/src/rule.c
+index 2c70420..6a43d3e 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -30,28 +30,6 @@
+ #include <libnftnl/set.h>
+ #include <libnftnl/expr.h>
+ 
+-struct nftnl_rule {
+-	struct list_head head;
+-
+-	uint32_t	flags;
+-	uint32_t	family;
+-	const char	*table;
+-	const char	*chain;
+-	uint64_t	handle;
+-	uint64_t	position;
+-	uint32_t	id;
+-	struct {
+-			void		*data;
+-			uint32_t	len;
+-	} user;
+-	struct {
+-			uint32_t	flags;
+-			uint32_t	proto;
+-	} compat;
+-
+-	struct list_head expr_list;
+-};
+-
+ EXPORT_SYMBOL(nftnl_rule_alloc);
+ struct nftnl_rule *nftnl_rule_alloc(void)
+ {
+-- 
+1.8.3.1
+

SOURCES/0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch

@@ -0,0 +1,107 @@
+From 75b3a238485745de01cf6264703ba6c192d7f721 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Mon, 17 Dec 2018 17:30:06 +0100
+Subject: [PATCH] chain: Add lookup functions for chain list and rules in chain
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
+Upstream Status: libnftnl commit 1a829ec0c3285
+
+commit 1a829ec0c3285baac712352c3a046a4f76013e70
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Dec 6 17:17:52 2018 +0100
+
+    chain: Add lookup functions for chain list and rules in chain
+
+    For now, these lookup functions simply iterate over the linked list
+    until they find the right entry. In future, they may make use of more
+    optimized data structures behind the curtains.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/libnftnl/chain.h |  2 ++
+ src/chain.c              | 28 ++++++++++++++++++++++++++++
+ src/libnftnl.map         |  3 +++
+ 3 files changed, 33 insertions(+)
+
+diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
+index f04f610..64e10e9 100644
+--- a/include/libnftnl/chain.h
++++ b/include/libnftnl/chain.h
+@@ -76,6 +76,7 @@ int nftnl_chain_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_chain *t);
+ int nftnl_rule_foreach(struct nftnl_chain *c,
+ 			  int (*cb)(struct nftnl_rule *r, void *data),
+ 			  void *data);
++struct nftnl_rule *nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index);
+ 
+ struct nftnl_rule_iter;
+ 
+@@ -89,6 +90,7 @@ struct nftnl_chain_list *nftnl_chain_list_alloc(void);
+ void nftnl_chain_list_free(struct nftnl_chain_list *list);
+ int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list);
+ int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list, int (*cb)(struct nftnl_chain *t, void *data), void *data);
++struct nftnl_chain *nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list, const char *chain);
+ 
+ void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list);
+ void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list);
+diff --git a/src/chain.c b/src/chain.c
+index c374923..22bb45c 100644
+--- a/src/chain.c
++++ b/src/chain.c
+@@ -925,6 +925,20 @@ int nftnl_rule_foreach(struct nftnl_chain *c,
+        return 0;
+ }
+ 
++EXPORT_SYMBOL(nftnl_rule_lookup_byindex);
++struct nftnl_rule *
++nftnl_rule_lookup_byindex(struct nftnl_chain *c, uint32_t index)
++{
++	struct nftnl_rule *r;
++
++	list_for_each_entry(r, &c->rule_list, head) {
++		if (!index)
++			return r;
++		index--;
++	}
++	return NULL;
++}
++
+ struct nftnl_rule_iter {
+ 	const struct nftnl_chain	*c;
+ 	struct nftnl_rule		*cur;
+@@ -1047,6 +1061,20 @@ int nftnl_chain_list_foreach(struct nftnl_chain_list *chain_list,
+ 	return 0;
+ }
+ 
++EXPORT_SYMBOL(nftnl_chain_list_lookup_byname);
++struct nftnl_chain *
++nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
++			       const char *chain)
++{
++	struct nftnl_chain *c;
++
++	list_for_each_entry(c, &chain_list->list, head) {
++		if (!strcmp(chain, c->name))
++			return c;
++	}
++	return NULL;
++}
++
+ struct nftnl_chain_list_iter {
+ 	const struct nftnl_chain_list	*list;
+ 	struct nftnl_chain		*cur;
+diff --git a/src/libnftnl.map b/src/libnftnl.map
+index 96d5b5f..0d3be32 100644
+--- a/src/libnftnl.map
++++ b/src/libnftnl.map
+@@ -345,4 +345,7 @@ LIBNFTNL_12 {
+   nftnl_rule_iter_create;
+   nftnl_rule_iter_next;
+   nftnl_rule_iter_destroy;
++
++  nftnl_chain_list_lookup_byname;
++  nftnl_rule_lookup_byindex;
+ } LIBNFTNL_11;
+-- 
+1.8.3.1
+

SOURCES/0004-chain-Hash-chain-list-by-name.patch

@@ -0,0 +1,143 @@
+From a3af0aff50cd3e899cb5205d4d5330a96aeffaa5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Mon, 17 Dec 2018 17:30:06 +0100
+Subject: [PATCH] chain: Hash chain list by name
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1658533
+Upstream Status: libnftnl commit 7170f0929ef50
+
+commit 7170f0929ef50a1a45d9fd5d058ea6178c8e56ef
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Dec 11 18:44:00 2018 +0100
+
+    chain: Hash chain list by name
+
+    Introduce a hash table to speedup nftnl_chain_list_lookup_byname(). In
+    theory this could replace the linked list completely but has been left
+    in place so that nftnl_chain_list_add_tail() still does what it's
+    supposed to and iterators return chains in original order.
+
+    Speed was tested using a simple script which creates a dump file
+    containing a number of custom chains and for each of them two rules in
+    INPUT chain jumping to it. The following table compares run-time of
+    iptables-legacy-restore with iptables-nft-restore before and after this
+    patch:
+
+    count      legacy       nft-old        nft-new
+    ----------------------------------------------
+    10000         26s           38s            31s
+    50000        137s          339s           149s
+
+    So while it is still not as quick, it now scales nicely (at least in
+    this very primitive test).
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/chain.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/src/chain.c b/src/chain.c
+index 22bb45c..ae074fd 100644
+--- a/src/chain.c
++++ b/src/chain.c
+@@ -32,6 +32,7 @@
+ 
+ struct nftnl_chain {
+ 	struct list_head head;
++	struct hlist_node hnode;
+ 
+ 	const char	*name;
+ 	const char	*type;
+@@ -991,20 +992,27 @@ void nftnl_rule_iter_destroy(struct nftnl_rule_iter *iter)
+ 	xfree(iter);
+ }
+ 
++#define CHAIN_NAME_HSIZE	512
++
+ struct nftnl_chain_list {
++
+ 	struct list_head list;
++	struct hlist_head name_hash[CHAIN_NAME_HSIZE];
+ };
+ 
+ EXPORT_SYMBOL(nftnl_chain_list_alloc);
+ struct nftnl_chain_list *nftnl_chain_list_alloc(void)
+ {
+ 	struct nftnl_chain_list *list;
++	int i;
+ 
+ 	list = calloc(1, sizeof(struct nftnl_chain_list));
+ 	if (list == NULL)
+ 		return NULL;
+ 
+ 	INIT_LIST_HEAD(&list->list);
++	for (i = 0; i < CHAIN_NAME_HSIZE; i++)
++		INIT_HLIST_HEAD(&list->name_hash[i]);
+ 
+ 	return list;
+ }
+@@ -1016,6 +1024,7 @@ void nftnl_chain_list_free(struct nftnl_chain_list *list)
+ 
+ 	list_for_each_entry_safe(r, tmp, &list->list, head) {
+ 		list_del(&r->head);
++		hlist_del(&r->hnode);
+ 		nftnl_chain_free(r);
+ 	}
+ 	xfree(list);
+@@ -1027,15 +1036,31 @@ int nftnl_chain_list_is_empty(const struct nftnl_chain_list *list)
+ 	return list_empty(&list->list);
+ }
+ 
++static uint32_t djb_hash(const char *key)
++{
++	uint32_t i, hash = 5381;
++
++	for (i = 0; i < strlen(key); i++)
++		hash = ((hash << 5) + hash) + key[i];
++
++	return hash;
++}
++
+ EXPORT_SYMBOL(nftnl_chain_list_add);
+ void nftnl_chain_list_add(struct nftnl_chain *r, struct nftnl_chain_list *list)
+ {
++	int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
++
++	hlist_add_head(&r->hnode, &list->name_hash[key]);
+ 	list_add(&r->head, &list->list);
+ }
+ 
+ EXPORT_SYMBOL(nftnl_chain_list_add_tail);
+ void nftnl_chain_list_add_tail(struct nftnl_chain *r, struct nftnl_chain_list *list)
+ {
++	int key = djb_hash(r->name) % CHAIN_NAME_HSIZE;
++
++	hlist_add_head(&r->hnode, &list->name_hash[key]);
+ 	list_add_tail(&r->head, &list->list);
+ }
+ 
+@@ -1043,6 +1068,7 @@ EXPORT_SYMBOL(nftnl_chain_list_del);
+ void nftnl_chain_list_del(struct nftnl_chain *r)
+ {
+ 	list_del(&r->head);
++	hlist_del(&r->hnode);
+ }
+ 
+ EXPORT_SYMBOL(nftnl_chain_list_foreach);
+@@ -1066,9 +1092,11 @@ struct nftnl_chain *
+ nftnl_chain_list_lookup_byname(struct nftnl_chain_list *chain_list,
+ 			       const char *chain)
+ {
++	int key = djb_hash(chain) % CHAIN_NAME_HSIZE;
+ 	struct nftnl_chain *c;
++	struct hlist_node *n;
+ 
+-	list_for_each_entry(c, &chain_list->list, head) {
++	hlist_for_each_entry(c, n, &chain_list->name_hash[key], hnode) {
+ 		if (!strcmp(chain, c->name))
+ 			return c;
+ 	}
+-- 
+1.8.3.1
+

SOURCES/0005-object-Avoid-obj_ops-array-overrun.patch

@@ -0,0 +1,40 @@
+From 34e115c1a9657f07ed8a39b81c6b21fba1faa319 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 29 Jan 2019 18:12:15 +0100
+Subject: [PATCH] object: Avoid obj_ops array overrun
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
+Upstream Status: libnftnl commit 16c44d9f42170
+
+commit 16c44d9f42170264c4d484478c76e940951f1b70
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Dec 20 21:03:27 2018 +0100
+
+    object: Avoid obj_ops array overrun
+
+    In version 1.1.1, obj_ops array was smaller than __NFT_OBJECT_MAX since
+    there are no ops for NFT_OBJECT_CONNLIMIT. Avoid this potential issue in
+    the future by defining the array size.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/object.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/object.c b/src/object.c
+index d8278f3..7fb9bab 100644
+--- a/src/object.c
++++ b/src/object.c
+@@ -25,7 +25,7 @@
+ #include <buffer.h>
+ #include "obj.h"
+ 
+-static struct obj_ops *obj_ops[] = {
++static struct obj_ops *obj_ops[__NFT_OBJECT_MAX] = {
+ 	[NFT_OBJECT_COUNTER]	= &obj_ops_counter,
+ 	[NFT_OBJECT_QUOTA]	= &obj_ops_quota,
+ 	[NFT_OBJECT_CT_HELPER]	= &obj_ops_ct_helper,
+-- 
+1.8.3.1
+

SOURCES/0006-flowtable-Add-missing-break.patch

@@ -0,0 +1,40 @@
+From d3d9966d79cc7d6d11124302dd06b7d7522e7305 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 29 Jan 2019 18:12:15 +0100
+Subject: [PATCH] flowtable: Add missing break
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
+Upstream Status: libnftnl commit 404ef7222d055
+
+commit 404ef7222d055aacdbd4d73dc0d8731fa8f6cbe4
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Dec 20 21:03:28 2018 +0100
+
+    flowtable: Add missing break
+
+    In nftnl_flowtable_set_data(), when setting flowtable size, the switch()
+    case fell through and the same value was copied into ft_flags field.
+    This can't be right.
+
+    Fixes: 41fe3d38ba34b ("flowtable: support for flags")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/flowtable.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/flowtable.c b/src/flowtable.c
+index c1ddae4..aa6ce59 100644
+--- a/src/flowtable.c
++++ b/src/flowtable.c
+@@ -163,6 +163,7 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
+ 		break;
+ 	case NFTNL_FLOWTABLE_SIZE:
+ 		memcpy(&c->size, data, sizeof(c->size));
++		break;
+ 	case NFTNL_FLOWTABLE_FLAGS:
+ 		memcpy(&c->ft_flags, data, sizeof(c->ft_flags));
+ 		break;
+-- 
+1.8.3.1
+

SOURCES/0007-flowtable-Fix-use-after-free-in-two-spots.patch

@@ -0,0 +1,57 @@
+From 0d3f59cbe70f55f220fafd1ffff043a35a0d4503 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 29 Jan 2019 18:12:15 +0100
+Subject: [PATCH] flowtable: Fix use after free in two spots
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
+Upstream Status: libnftnl commit 822dc96815e96
+
+commit 822dc96815e96465822ce4b1187c4b29c06cb7c1
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Dec 20 21:03:29 2018 +0100
+
+    flowtable: Fix use after free in two spots
+
+    When freeing flowtable devices array, the loop freeing each device
+    string incorrectly included the call to free the device array itself.
+
+    Fixes: eb58f53372e74 ("src: add flowtable support")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/flowtable.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/flowtable.c b/src/flowtable.c
+index aa6ce59..61ff29b 100644
+--- a/src/flowtable.c
++++ b/src/flowtable.c
+@@ -85,10 +85,9 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
+ 	case NFTNL_FLOWTABLE_FLAGS:
+ 		break;
+ 	case NFTNL_FLOWTABLE_DEVICES:
+-		for (i = 0; i < c->dev_array_len; i++) {
++		for (i = 0; i < c->dev_array_len; i++)
+ 			xfree(c->dev_array[i]);
+-			xfree(c->dev_array);
+-		}
++		xfree(c->dev_array);
+ 		break;
+ 	default:
+ 		return;
+@@ -146,10 +145,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
+ 			len++;
+ 
+ 		if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
+-			for (i = 0; i < c->dev_array_len; i++) {
++			for (i = 0; i < c->dev_array_len; i++)
+ 				xfree(c->dev_array[i]);
+-				xfree(c->dev_array);
+-			}
++			xfree(c->dev_array);
+ 		}
+ 
+ 		c->dev_array = calloc(len + 1, sizeof(char *));
+-- 
+1.8.3.1
+

SOURCES/0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch

@@ -0,0 +1,62 @@
+From c3c2777d4b62db4b49fd3dcf8293562defa95112 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 29 Jan 2019 18:12:15 +0100
+Subject: [PATCH] flowtable: Fix memleak in nftnl_flowtable_parse_devs()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
+Upstream Status: libnftnl commit 8ef66870832d5
+
+commit 8ef66870832d56881703a7798ecdff9e19917b15
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Dec 20 21:03:30 2018 +0100
+
+    flowtable: Fix memleak in nftnl_flowtable_parse_devs()
+
+    Allocated strings in dev_array were not freed. Fix this by freeing them
+    on error path and assigning them to c->dev_array directly in regular
+    path.
+
+    Fixes: eb58f53372e74 ("src: add flowtable support")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/flowtable.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/flowtable.c b/src/flowtable.c
+index 61ff29b..1762bd1 100644
+--- a/src/flowtable.c
++++ b/src/flowtable.c
+@@ -364,7 +364,7 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
+ 
+ 	mnl_attr_for_each_nested(attr, nest) {
+ 		if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
+-			return -1;
++			goto err;
+ 		dev_array[len++] = strdup(mnl_attr_get_str(attr));
+ 		if (len >= 8)
+ 			break;
+@@ -375,14 +375,18 @@ static int nftnl_flowtable_parse_devs(struct nlattr *nest,
+ 
+ 	c->dev_array = calloc(len + 1, sizeof(char *));
+ 	if (!c->dev_array)
+-		return -1;
++		goto err;
+ 
+ 	c->dev_array_len = len;
+ 
+ 	for (i = 0; i < len; i++)
+-		c->dev_array[i] = strdup(dev_array[i]);
++		c->dev_array[i] = dev_array[i];
+ 
+ 	return 0;
++err:
++	while (len--)
++		xfree(dev_array[len]);
++	return -1;
+ }
+ 
+ static int nftnl_flowtable_parse_hook(struct nlattr *attr, struct nftnl_flowtable *c)
+-- 
+1.8.3.1
+

SOURCES/0009-flowtable-Fix-for-reading-garbage.patch

@@ -0,0 +1,49 @@
+From 4ec80cc7d08a48a19d112da760e36fa9e47e9106 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 29 Jan 2019 18:12:15 +0100
+Subject: [PATCH] flowtable: Fix for reading garbage
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
+Upstream Status: libnftnl commit f8eed54150fd4
+
+commit f8eed54150fd49ed814e63a5db39eda67d4b3938
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Dec 20 21:03:31 2018 +0100
+
+    flowtable: Fix for reading garbage
+
+    nftnl_flowtable_get_data() doesn't assign to passt data_len pointer
+    destination in all cases, so initialize it to 0.
+
+    Fixes: eb58f53372e74 ("src: add flowtable support")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/flowtable.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/flowtable.c b/src/flowtable.c
+index 1762bd1..3c3ba66 100644
+--- a/src/flowtable.c
++++ b/src/flowtable.c
+@@ -245,7 +245,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_str);
+ 
+ uint32_t nftnl_flowtable_get_u32(const struct nftnl_flowtable *c, uint16_t attr)
+ {
+-	uint32_t data_len;
++	uint32_t data_len = 0;
+ 	const uint32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
+ 
+ 	nftnl_assert(val, attr, data_len == sizeof(uint32_t));
+@@ -256,7 +256,7 @@ EXPORT_SYMBOL(nftnl_flowtable_get_u32);
+ 
+ int32_t nftnl_flowtable_get_s32(const struct nftnl_flowtable *c, uint16_t attr)
+ {
+-	uint32_t data_len;
++	uint32_t data_len = 0;
+ 	const int32_t *val = nftnl_flowtable_get_data(c, attr, &data_len);
+ 
+ 	nftnl_assert(val, attr, data_len == sizeof(int32_t));
+-- 
+1.8.3.1
+

SOURCES/0010-src-chain-Add-missing-nftnl_chain_rule_del.patch

@@ -0,0 +1,72 @@
+From 36faead4c4a8ab0a87ee766bab6a062e8610067a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 29 Jan 2019 18:14:56 +0100
+Subject: [PATCH] src: chain: Add missing nftnl_chain_rule_del()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
+Upstream Status: libnftnl commit de5a23d26828a
+
+commit de5a23d26828a1e1f2d3351b0414925857546496
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Sun Dec 30 17:02:13 2018 +0100
+
+    src: chain: Add missing nftnl_chain_rule_del()
+
+    Although identical to nftnl_rule_list_del(), this function adheres to
+    the common naming style of per chain rule list routines introduced
+    earlier, therefore helps with deprecating the global rule list API at a
+    later point.
+
+    Fixes: e33798478176f ("chain: Support per chain rules list")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/libnftnl/chain.h | 1 +
+ src/chain.c              | 6 ++++++
+ src/libnftnl.map         | 1 +
+ 3 files changed, 8 insertions(+)
+
+diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
+index 64e10e9..163a824 100644
+--- a/include/libnftnl/chain.h
++++ b/include/libnftnl/chain.h
+@@ -56,6 +56,7 @@ int32_t nftnl_chain_get_s32(const struct nftnl_chain *c, uint16_t attr);
+ uint64_t nftnl_chain_get_u64(const struct nftnl_chain *c, uint16_t attr);
+ 
+ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
++void nftnl_chain_rule_del(struct nftnl_rule *rule);
+ void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
+ void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
+ 
+diff --git a/src/chain.c b/src/chain.c
+index ae074fd..6dc8f36 100644
+--- a/src/chain.c
++++ b/src/chain.c
+@@ -429,6 +429,12 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c)
+ 	list_add(&rule->head, &c->rule_list);
+ }
+ 
++EXPORT_SYMBOL(nftnl_chain_rule_del);
++void nftnl_chain_rule_del(struct nftnl_rule *r)
++{
++	list_del(&r->head);
++}
++
+ EXPORT_SYMBOL(nftnl_chain_rule_add_tail);
+ void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
+ {
+diff --git a/src/libnftnl.map b/src/libnftnl.map
+index 0d3be32..0dad6a2 100644
+--- a/src/libnftnl.map
++++ b/src/libnftnl.map
+@@ -340,6 +340,7 @@ local: *;
+ LIBNFTNL_12 {
+   nftnl_chain_rule_add;
+   nftnl_chain_rule_add_tail;
++  nftnl_chain_rule_del;
+   nftnl_chain_rule_insert_at;
+   nftnl_rule_foreach;
+   nftnl_rule_iter_create;
+-- 
+1.8.3.1
+

SOURCES/0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch

@@ -0,0 +1,71 @@
+From fca027631250013cae7323e058575deb72b8510a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 29 Jan 2019 18:14:56 +0100
+Subject: [PATCH] src: chain: Fix nftnl_chain_rule_insert_at()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1666495
+Upstream Status: libnftnl commit 278a3b779a731
+
+commit 278a3b779a731b3565595259b07b9065f6a6f425
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Mon Jan 14 17:42:50 2019 +0100
+
+    src: chain: Fix nftnl_chain_rule_insert_at()
+
+    Extrapolating from iptables nomenclature, one would expect that "insert"
+    means to prepend the new item to the referenced one, not append. Change
+    nftnl_chain_rule_insert_at() to do just that and introduce
+    nftnl_chain_rule_append_at() to insert a rule after the referenced one.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/libnftnl/chain.h | 1 +
+ src/chain.c              | 6 ++++++
+ src/libnftnl.map         | 1 +
+ 3 files changed, 8 insertions(+)
+
+diff --git a/include/libnftnl/chain.h b/include/libnftnl/chain.h
+index 163a824..31b48cf 100644
+--- a/include/libnftnl/chain.h
++++ b/include/libnftnl/chain.h
+@@ -59,6 +59,7 @@ void nftnl_chain_rule_add(struct nftnl_rule *rule, struct nftnl_chain *c);
+ void nftnl_chain_rule_del(struct nftnl_rule *rule);
+ void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c);
+ void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
++void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos);
+ 
+ struct nlmsghdr;
+ 
+diff --git a/src/chain.c b/src/chain.c
+index 6dc8f36..7326c2a 100644
+--- a/src/chain.c
++++ b/src/chain.c
+@@ -444,6 +444,12 @@ void nftnl_chain_rule_add_tail(struct nftnl_rule *rule, struct nftnl_chain *c)
+ EXPORT_SYMBOL(nftnl_chain_rule_insert_at);
+ void nftnl_chain_rule_insert_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
+ {
++	list_add_tail(&rule->head, &pos->head);
++}
++
++EXPORT_SYMBOL(nftnl_chain_rule_append_at);
++void nftnl_chain_rule_append_at(struct nftnl_rule *rule, struct nftnl_rule *pos)
++{
+ 	list_add(&rule->head, &pos->head);
+ }
+ 
+diff --git a/src/libnftnl.map b/src/libnftnl.map
+index 0dad6a2..192eef8 100644
+--- a/src/libnftnl.map
++++ b/src/libnftnl.map
+@@ -342,6 +342,7 @@ LIBNFTNL_12 {
+   nftnl_chain_rule_add_tail;
+   nftnl_chain_rule_del;
+   nftnl_chain_rule_insert_at;
++  nftnl_chain_rule_append_at;
+   nftnl_rule_foreach;
+   nftnl_rule_iter_create;
+   nftnl_rule_iter_next;
+-- 
+1.8.3.1
+

SOURCES/0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch

@@ -0,0 +1,150 @@
+From 3eb9b26b8b79b0bd5b153cfdad8eb10c86ae2b64 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 31 Jan 2019 19:03:53 +0100
+Subject: [PATCH] src: rule: Support NFTA_RULE_POSITION_ID attribute
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1670565
+Upstream Status: libnftnl commit 7a7137adf6c14
+
+commit 7a7137adf6c143f7cccc6440a5340a43033b61e7
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Jan 15 20:59:04 2019 +0100
+
+    src: rule: Support NFTA_RULE_POSITION_ID attribute
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ include/libnftnl/rule.h             |  1 +
+ include/linux/netfilter/nf_tables.h |  2 ++
+ include/rule.h                      |  1 +
+ src/rule.c                          | 20 ++++++++++++++++++++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/include/libnftnl/rule.h b/include/libnftnl/rule.h
+index 8501c86..78bfead 100644
+--- a/include/libnftnl/rule.h
++++ b/include/libnftnl/rule.h
+@@ -28,6 +28,7 @@ enum nftnl_rule_attr {
+ 	NFTNL_RULE_POSITION,
+ 	NFTNL_RULE_USERDATA,
+ 	NFTNL_RULE_ID,
++	NFTNL_RULE_POSITION_ID,
+ 	__NFTNL_RULE_MAX
+ };
+ #define NFTNL_RULE_MAX (__NFTNL_RULE_MAX - 1)
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 91449ef..adfae98 100644
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -218,6 +218,7 @@ enum nft_chain_attributes {
+  * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
+  * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
+  * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
++ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
+  */
+ enum nft_rule_attributes {
+ 	NFTA_RULE_UNSPEC,
+@@ -230,6 +231,7 @@ enum nft_rule_attributes {
+ 	NFTA_RULE_USERDATA,
+ 	NFTA_RULE_PAD,
+ 	NFTA_RULE_ID,
++	NFTA_RULE_POSITION_ID,
+ 	__NFTA_RULE_MAX
+ };
+ #define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)
+diff --git a/include/rule.h b/include/rule.h
+index 5edcb6c..036c722 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -11,6 +11,7 @@ struct nftnl_rule {
+ 	uint64_t	handle;
+ 	uint64_t	position;
+ 	uint32_t	id;
++	uint32_t	position_id;
+ 	struct {
+ 			void		*data;
+ 			uint32_t	len;
+diff --git a/src/rule.c b/src/rule.c
+index 6a43d3e..d9b97b6 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -87,6 +87,7 @@ void nftnl_rule_unset(struct nftnl_rule *r, uint16_t attr)
+ 	case NFTNL_RULE_POSITION:
+ 	case NFTNL_RULE_FAMILY:
+ 	case NFTNL_RULE_ID:
++	case NFTNL_RULE_POSITION_ID:
+ 		break;
+ 	case NFTNL_RULE_USERDATA:
+ 		xfree(r->user.data);
+@@ -103,6 +104,7 @@ static uint32_t nftnl_rule_validate[NFTNL_RULE_MAX + 1] = {
+ 	[NFTNL_RULE_FAMILY]		= sizeof(uint32_t),
+ 	[NFTNL_RULE_POSITION]		= sizeof(uint64_t),
+ 	[NFTNL_RULE_ID]			= sizeof(uint32_t),
++	[NFTNL_RULE_POSITION_ID]	= sizeof(uint32_t),
+ };
+ 
+ EXPORT_SYMBOL(nftnl_rule_set_data);
+@@ -158,6 +160,9 @@ int nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
+ 	case NFTNL_RULE_ID:
+ 		r->id = *((uint32_t *)data);
+ 		break;
++	case NFTNL_RULE_POSITION_ID:
++		memcpy(&r->position_id, data, sizeof(r->position_id));
++		break;
+ 	}
+ 	r->flags |= (1 << attr);
+ 	return 0;
+@@ -222,6 +227,9 @@ const void *nftnl_rule_get_data(const struct nftnl_rule *r, uint16_t attr,
+ 	case NFTNL_RULE_ID:
+ 		*data_len = sizeof(uint32_t);
+ 		return &r->id;
++	case NFTNL_RULE_POSITION_ID:
++		*data_len = sizeof(uint32_t);
++		return &r->position_id;
+ 	}
+ 	return NULL;
+ }
+@@ -313,6 +321,8 @@ void nftnl_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nftnl_rule *r)
+ 	}
+ 	if (r->flags & (1 << NFTNL_RULE_ID))
+ 		mnl_attr_put_u32(nlh, NFTA_RULE_ID, htonl(r->id));
++	if (r->flags & (1 << NFTNL_RULE_POSITION_ID))
++		mnl_attr_put_u32(nlh, NFTA_RULE_POSITION_ID, htonl(r->position_id));
+ }
+ 
+ EXPORT_SYMBOL(nftnl_rule_add_expr);
+@@ -352,6 +362,7 @@ static int nftnl_rule_parse_attr_cb(const struct nlattr *attr, void *data)
+ 			abi_breakage();
+ 		break;
+ 	case NFTA_RULE_ID:
++	case NFTA_RULE_POSITION_ID:
+ 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ 			abi_breakage();
+ 		break;
+@@ -483,6 +494,10 @@ int nftnl_rule_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_rule *r)
+ 		r->id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_ID]));
+ 		r->flags |= (1 << NFTNL_RULE_ID);
+ 	}
++	if (tb[NFTA_RULE_POSITION_ID]) {
++		r->position_id = ntohl(mnl_attr_get_u32(tb[NFTA_RULE_POSITION_ID]));
++		r->flags |= (1 << NFTNL_RULE_POSITION_ID);
++	}
+ 
+ 	r->family = nfg->nfgen_family;
+ 	r->flags |= (1 << NFTNL_RULE_FAMILY);
+@@ -729,6 +744,11 @@ static int nftnl_rule_snprintf_default(char *buf, size_t size,
+ 		SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ 	}
+ 
++	if (r->flags & (1 << NFTNL_RULE_POSITION_ID)) {
++		ret = snprintf(buf + offset, remain, "%u ", r->position_id);
++		SNPRINTF_BUFFER_SIZE(ret, remain, offset);
++	}
++
+ 	ret = snprintf(buf + offset, remain, "\n");
+ 	SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ 
+-- 
+1.8.3.1
+

SPECS/libnftnl.spec

@@ -0,0 +1,189 @@
+%define rpmversion 1.1.1
+%define specrelease 4%{?dist}
+
+Name:           libnftnl
+Version:        %{rpmversion}
+Release:        %{specrelease}%{?buildid}
+Summary:        Library for low-level interaction with nftables Netlink's API over libmnl
+License:        GPLv2+
+URL:            http://netfilter.org/projects/libnftnl/
+Source0:        http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  libmnl-devel
+Patch0:             0001-src-remove-nftnl_rule_cmp-and-nftnl_expr_cmp.patch
+Patch1:             0002-chain-Support-per-chain-rules-list.patch
+Patch2:             0003-chain-Add-lookup-functions-for-chain-list-and-rules-.patch
+Patch3:             0004-chain-Hash-chain-list-by-name.patch
+Patch4:             0005-object-Avoid-obj_ops-array-overrun.patch
+Patch5:             0006-flowtable-Add-missing-break.patch
+Patch6:             0007-flowtable-Fix-use-after-free-in-two-spots.patch
+Patch7:             0008-flowtable-Fix-memleak-in-nftnl_flowtable_parse_devs.patch
+Patch8:             0009-flowtable-Fix-for-reading-garbage.patch
+Patch9:             0010-src-chain-Add-missing-nftnl_chain_rule_del.patch
+Patch10:            0011-src-chain-Fix-nftnl_chain_rule_insert_at.patch
+Patch11:            0012-src-rule-Support-NFTA_RULE_POSITION_ID-attribute.patch
+
+%description
+A library for low-level interaction with nftables Netlink's API over libmnl.
+
+%package        devel
+Summary:        Development files for %{name}
+Requires:       %{name}%{_isa} = %{version}-%{release}
+
+%description    devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%prep
+%autosetup -p1
+
+%build
+# This is what autogen.sh (only in git repo) does - without it, patches changing
+# Makefile.am cause the build system to regenerate Makefile.in and trying to use
+# automake-1.14 for that which is not available in RHEL.
+autoreconf -fi
+rm -rf autom4te*.cache
+
+%configure --disable-static --disable-silent-rules
+make %{?_smp_mflags}
+
+%check
+make %{?_smp_mflags} check
+cd tests
+# JSON parsing would fail since it's not compiled in, so disable here
+sed -i -e '/^\.\/nft-parsing-test /d' test-script.sh
+sh ./test-script.sh
+
+%install
+%make_install
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%files
+%doc COPYING
+%{_libdir}/*.so.*
+
+%files devel
+%{_libdir}/libnft*.so
+%{_libdir}/pkgconfig/libnftnl.pc
+%{_includedir}/libnftnl
+
+%changelog
+* Thu Jan 31 2019 Phil Sutter <psutter@redhat.com> [1.1.1-4.el8]
+- src: rule: Support NFTA_RULE_POSITION_ID attribute (Phil Sutter) [1670565]
+
+* Tue Jan 29 2019 Phil Sutter <psutter@redhat.com> [1.1.1-3.el8]
+- src: chain: Fix nftnl_chain_rule_insert_at() (Phil Sutter) [1666495]
+- src: chain: Add missing nftnl_chain_rule_del() (Phil Sutter) [1666495]
+- flowtable: Fix for reading garbage (Phil Sutter) [1661327]
+- flowtable: Fix memleak in nftnl_flowtable_parse_devs() (Phil Sutter) [1661327]
+- flowtable: Fix use after free in two spots (Phil Sutter) [1661327]
+- flowtable: Add missing break (Phil Sutter) [1661327]
+- object: Avoid obj_ops array overrun (Phil Sutter) [1661327]
+
+* Mon Dec 17 2018 Phil Sutter <psutter@redhat.com> [1.1.1-2.el8]
+- chain: Hash chain list by name (Phil Sutter) [1658533]
+- chain: Add lookup functions for chain list and rules in chain (Phil Sutter) [1658533]
+- chain: Support per chain rules list (Phil Sutter) [1658533]
+- src: remove nftnl_rule_cmp() and nftnl_expr_cmp() (Phil Sutter) [1658533]
+
+* Thu Jul 12 2018 Phil Sutter <psutter@redhat.com> [1.1.1-1.el8]
+- Rebase onto upstream version 1.1.1
+- Sync spec file with RHEL7
+- Disable JSON parsing, deprecated by upstream
+- Make use of builtin testsuite
+
+* Sat Jun 23 2018 Phil Sutter - 1.0.9-3
+- Drop leftover mxml dependency [1594917]
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 08 2018 Kevin Fenzi <kevin@scrye.com> - 1.0.9-1
+- Update to 1.0.9. Fixes bug #1531004
+
+* Sat Oct 21 2017 Kevin Fenzi <kevin@scrye.com> - 1.0.8-4
+- Update to 1.0.8. Fixes bug #1504350
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Dec 22 2016 Kevin Fenzi <kevin@scrye.com> - 1.0.7-1
+- Update to 1.0.7. Fixes bug #1406201
+
+* Wed Jun 01 2016 Kevin Fenzi <kevin@scrye.com> - 1.0.6-1
+- Update to 1.0.6. Fixes bug #1341384
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Sep 17 2015 Kevin Fenzi <kevin@scrye.com> 1.0.5-1
+- Update to 1.0.5. Fixes bug #1263684
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Dec 26 2014 Kevin Fenzi <kevin@scrye.com> 1.0.3-1
+- Update to final 1.0.3
+
+* Wed Sep 03 2014 Kevin Fenzi <kevin@scrye.com> 1.0.3-0.1.20140903git
+- Update to 20140903 git snapshot
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Jun 25 2014 Kevin Fenzi <kevin@scrye.com> 1.0.2-1
+- Update to 1.0.2
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Apr 24 2014 Kevin Fenzi <kevin@scrye.com> 1.0.1-1.
+- Update to 1.0.1
+
+* Sun Mar 30 2014 Kevin Fenzi <kevin@scrye.com> 1.0.0-1.20140330git
+- Update to 20140330 snapshot
+- Sync version to be a post 1.0.0 snapshot
+
+* Wed Mar 26 2014 Kevin Fenzi <kevin@scrye.com> 0-0.10.20140326git
+- Update to 20140326 snapshot
+
+* Fri Mar 07 2014 Kevin Fenzi <kevin@scrye.com> 0-0.9.20140307git
+- Update to 20140307 snapshot
+
+* Sat Jan 25 2014 Kevin Fenzi <kevin@scrye.com> 0-0.8.20140125git
+- Update to 20140125
+
+* Thu Jan 23 2014 Kevin Fenzi <kevin@scrye.com> 0-0.7.20140122git
+- Add obsoletes/provides to devel subpackage as well. 
+
+* Wed Jan 22 2014 Kevin Fenzi <kevin@scrye.com> 0-0.6.20140122git
+- Renamed libnftnl
+- Update to 20140122 snapshot.
+
+* Sat Jan 18 2014 Kevin Fenzi <kevin@scrye.com> 0-0.5.20140118git
+- Update to 20140118 snapshot.
+
+* Sat Jan 11 2014 Kevin Fenzi <kevin@scrye.com> 0-0.4.20140111git
+- Update to 20140111 snapshot. 
+- Enable xml (some tests stll fail, but it otherwise builds ok)
+
+* Mon Dec 02 2013 Kevin Fenzi <kevin@scrye.com> 0-0.3.20131202git
+- Update to 20131202 snapshot, switch to upstream snapshot repo instead of git checkouts. 
+
+* Mon Dec 02 2013 Kevin Fenzi <kevin@scrye.com> 0-0.2
+- Fixes from review. 
+
+* Sat Nov 30 2013 Kevin Fenzi <kevin@scrye.com> 0-0.1
+- initial version for Fedora review