From 715787b72088885feadbf23586d17214fad712a5 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 11 Nov 2025 22:17:01 +0000
Subject: [PATCH] import UBI libnftnl-1.2.8-4.el10_1
---
 ...add-support-for-TRACE_CT-information.patch | 153 ++++++++++++++++++
 ...roduce-NFTNL_UDATA_TABLE_NFT-VER-BLD.patch | 37 +++++
 libnftnl.spec | 10 +-
 3 files changed, 199 insertions(+), 1 deletion(-)
 create mode 100644 0002-trace-add-support-for-TRACE_CT-information.patch
 create mode 100644 0003-udata-Introduce-NFTNL_UDATA_TABLE_NFT-VER-BLD.patch
diff --git a/0002-trace-add-support-for-TRACE_CT-information.patch b/0002-trace-add-support-for-TRACE_CT-information.patch
new file mode 100644
index 0000000..f6e2db2
--- /dev/null
+++ b/0002-trace-add-support-for-TRACE_CT-information.patch
@@ -0,0 +1,153 @@
+From 486a9c5ed53e3f1bea1bc4b8668eefa9453e1aa8 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 15 Jul 2025 20:42:30 +0200
+Subject: [PATCH] trace: add support for TRACE_CT information
+
+JIRA: https://issues.redhat.com/browse/RHEL-103864
+Upstream Status: libnftnl commit 56e37303ed30a4f9b73ec1f90b53da7dda645748
+
+commit 56e37303ed30a4f9b73ec1f90b53da7dda645748
+Author: Florian Westphal
+Date: Thu May 22 15:51:15 2025 +0200
+
+ trace: add support for TRACE_CT information
+
+ Decode direction/id/state/status information.
+ This will be used by 'nftables monitor trace' to print a packets
+ conntrack state.
+
+ Signed-off-by: Florian Westphal
+ Reviewed-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ include/libnftnl/trace.h | 4 +++
+ include/linux/netfilter/nf_tables.h | 8 +++++
+ src/trace.c | 46 +++++++++++++++++++++++++++++
+ 3 files changed, 58 insertions(+)
+
+diff --git a/include/libnftnl/trace.h b/include/libnftnl/trace.h
+index 18ab0c3..5d66b50 100644
+--- a/include/libnftnl/trace.h
++++ b/include/libnftnl/trace.h
+@@ -28,6 +28,10 @@ enum nftnl_trace_attr {
+ NFTNL_TRACE_VERDICT,
+ NFTNL_TRACE_NFPROTO,
+ NFTNL_TRACE_POLICY,
++ NFTNL_TRACE_CT_DIRECTION,
++ NFTNL_TRACE_CT_ID,
++ NFTNL_TRACE_CT_STATE,
++ NFTNL_TRACE_CT_STATUS,
+ __NFTNL_TRACE_MAX,
+ };
+ #define NFTNL_TRACE_MAX (__NFTNL_TRACE_MAX - 1)
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index c48b193..2c9f833 100644
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -1797,6 +1797,10 @@ enum nft_xfrm_keys {
+ * @NFTA_TRACE_MARK: nfmark (NLA_U32)
+ * @NFTA_TRACE_NFPROTO: nf protocol processed (NLA_U32)
+ * @NFTA_TRACE_POLICY: policy that decided fate of packet (NLA_U32)
++ * @NFTA_TRACE_CT_ID: conntrack id (NLA_U32)
++ * @NFTA_TRACE_CT_DIRECTION: packets direction (NLA_U8)
++ * @NFTA_TRACE_CT_STATUS: conntrack status (NLA_U32)
++ * @NFTA_TRACE_CT_STATE: packet state (new, established, ...) (NLA_U32)
+ */
+ enum nft_trace_attributes {
+ NFTA_TRACE_UNSPEC,
+@@ -1817,6 +1821,10 @@ enum nft_trace_attributes {
+ NFTA_TRACE_NFPROTO,
+ NFTA_TRACE_POLICY,
+ NFTA_TRACE_PAD,
++ NFTA_TRACE_CT_ID,
++ NFTA_TRACE_CT_DIRECTION,
++ NFTA_TRACE_CT_STATUS,
++ NFTA_TRACE_CT_STATE,
+ __NFTA_TRACE_MAX
+ };
+ #define NFTA_TRACE_MAX (__NFTA_TRACE_MAX - 1)
+diff --git a/src/trace.c b/src/trace.c
+index f426437..26bf8d7 100644
+--- a/src/trace.c
++++ b/src/trace.c
+@@ -48,6 +48,12 @@ struct nftnl_trace {
+ uint32_t policy;
+ uint16_t iiftype;
+ uint16_t oiftype;
++ struct {
++ uint16_t dir;
++ uint32_t id;
++ uint32_t state;
++ uint32_t status;
++ } ct;
+
+ uint32_t flags;
+ };
+@@ -92,6 +98,10 @@ static int nftnl_trace_parse_attr_cb(const struct nlattr *attr, void *data)
+ if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+ abi_breakage();
+ break;
++ case NFTA_TRACE_CT_DIRECTION:
++ if (mnl_attr_validate(attr, MNL_TYPE_U8) < 0)
++ abi_breakage();
++ break;
+ case NFTA_TRACE_IIFTYPE:
+ case NFTA_TRACE_OIFTYPE:
+ if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0)
+@@ -104,6 +114,9 @@ static int nftnl_trace_parse_attr_cb(const struct nlattr *attr, void *data)
+ case NFTA_TRACE_POLICY:
+ case NFTA_TRACE_NFPROTO:
+ case NFTA_TRACE_TYPE:
++ case NFTA_TRACE_CT_ID:
++ case NFTA_TRACE_CT_STATE:
++ case NFTA_TRACE_CT_STATUS:
+ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+ abi_breakage();
+ break;
+@@ -194,6 +207,18 @@ const void *nftnl_trace_get_data(const struct nftnl_trace *trace,
+ case NFTNL_TRACE_POLICY:
+ *data_len = sizeof(uint32_t);
+ return &trace->policy;
++ case NFTNL_TRACE_CT_DIRECTION:
++ *data_len = sizeof(uint16_t);
++ return &trace->ct.dir;
++ case NFTNL_TRACE_CT_ID:
++ *data_len = sizeof(uint32_t);
++ return &trace->ct.id;
++ case NFTNL_TRACE_CT_STATE:
++ *data_len = sizeof(uint32_t);
++ return &trace->ct.state;
++ case NFTNL_TRACE_CT_STATUS:
++ *data_len = sizeof(uint32_t);
++ return &trace->ct.status;
+ case __NFTNL_TRACE_MAX:
+ break;
+ }
+@@ -423,5 +448,26 @@ int nftnl_trace_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_trace *t)
+ t->flags |= (1 << NFTNL_TRACE_MARK);
+ }
+
++ if (tb[NFTA_TRACE_CT_DIRECTION]) {
++ t->ct.dir = mnl_attr_get_u8(tb[NFTA_TRACE_CT_DIRECTION]);
++ t->flags |= (1 << NFTNL_TRACE_CT_DIRECTION);
++ }
++
++ if (tb[NFTA_TRACE_CT_ID]) {
++ /* NFT_CT_ID is expected to be in big endian */
++ t->ct.id = mnl_attr_get_u32(tb[NFTA_TRACE_CT_ID]);
++ t->flags |= (1 << NFTNL_TRACE_CT_ID);
++ }
++
++ if (tb[NFTA_TRACE_CT_STATE]) {
++ t->ct.state = ntohl(mnl_attr_get_u32(tb[NFTA_TRACE_CT_STATE]));
++ t->flags |= (1 << NFTNL_TRACE_CT_STATE);
++ }
++
++ if (tb[NFTA_TRACE_CT_STATUS]) {
++ t->ct.status = ntohl(mnl_attr_get_u32(tb[NFTA_TRACE_CT_STATUS]));
++ t->flags |= (1 << NFTNL_TRACE_CT_STATUS);
++ }
++
+ return 0;
+ }
diff --git a/0003-udata-Introduce-NFTNL_UDATA_TABLE_NFT-VER-BLD.patch b/0003-udata-Introduce-NFTNL_UDATA_TABLE_NFT-VER-BLD.patch
new file mode 100644
index 0000000..61e3591
--- /dev/null
+++ b/0003-udata-Introduce-NFTNL_UDATA_TABLE_NFT-VER-BLD.patch
@@ -0,0 +1,37 @@
+From 775bf5eba066f61c7737d6995f276765f76328d9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 10 Sep 2025 17:29:07 +0200
+Subject: [PATCH] udata: Introduce NFTNL_UDATA_TABLE_NFT{VER,BLD}
+
+JIRA: https://issues.redhat.com/browse/RHEL-113823
+Upstream Status: libnftnl commit eb8fb569c501dc088dc950061369102687f8d2a5
+
+commit eb8fb569c501dc088dc950061369102687f8d2a5
+Author: Phil Sutter
+Date: Tue Aug 12 18:47:14 2025 +0200
+
+ udata: Introduce NFTNL_UDATA_TABLE_NFT{VER,BLD}
+
+ Register these table udata types here to avoid accidental overlaps.
+
+
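Review bot: In the 0002 patch the new `ct.dir` field is declared `uint16_t` and nftnl_trace_get_data reports `*data_len = sizeof(uint16_t);` for NFTNL_TRACE_CT_DIRECTION, while nftnl_trace_parse_attr_cb validates the attribute as MNL_TYPE_U8 and nftnl_trace_nlmsg_parse reads it with mnl_attr_get_u8(), so the width exposed to callers does not match the width the kernel sends (the nf_tables.h comment also says NLA_U8). Storing a byte in a wider field is harmless in itself, but if the typed getters compare the reported length against their own type — not visible in these hunks — a nftnl_trace_get_u8() call for this attribute would be rejected; either declare `uint8_t dir;` and report `*data_len = sizeof(uint8_t);`, or add a comment on the field stating that 16-bit storage is intentional. The same hunks keep `ct.id` in network byte order (per the `/* NFT_CT_ID is expected to be in big endian */` comment) while state and status are converted with ntohl(); a one-line note next to the `id` field in struct nftnl_trace, e.g. `/* kept in big endian, unlike state/status */`, would stop a later reader from "fixing" that asymmetry. Both nftnl_trace_get_data and nftnl_trace_nlmsg_parse start outside their hunks, so whether the flags bits gate reads of the otherwise uninitialised ct fields could not be confirmed here.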
 Signed-off-by: Phil Sutter
+ Acked-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ include/libnftnl/udata.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/libnftnl/udata.h b/include/libnftnl/udata.h
+index dbf3a60..9b8a3b6 100644
+--- a/include/libnftnl/udata.h
++++ b/include/libnftnl/udata.h
+@@ -11,6 +11,8 @@ extern "C" {
+
+ enum nftnl_udata_table_types {
+ NFTNL_UDATA_TABLE_COMMENT,
++ NFTNL_UDATA_TABLE_NFTVER,
++ NFTNL_UDATA_TABLE_NFTBLD,
+ __NFTNL_UDATA_TABLE_MAX
+ };
+ #define NFTNL_UDATA_TABLE_MAX (__NFTNL_UDATA_TABLE_MAX - 1)
diff --git a/libnftnl.spec b/libnftnl.spec
index 89c1601..fa1f238 100644
--- a/libnftnl.spec
+++ b/libnftnl.spec
@@ -1,12 +1,14 @@
 Name: libnftnl
 Version: 1.2.8
-Release: 2%{?dist}
+Release: 4%{?dist}
 Summary: Library for low-level interaction with nftables Netlink's API over libmnl
 License: GPL-2.0-or-later
 URL: https://netfilter.org/projects/libnftnl/
 Source0: %{url}/files/%{name}-%{version}.tar.xz
 Patch1: 0001-set-Fix-for-array-overrun-when-setting-NFTNL_SET_DES.patch
+Patch2: 0002-trace-add-support-for-TRACE_CT-information.patch
+Patch3: 0003-udata-Introduce-NFTNL_UDATA_TABLE_NFT-VER-BLD.patch
 BuildRequires: libmnl-devel
 BuildRequires: gcc
@@ -55,6 +57,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %{_includedir}/libnftnl
 %changelog
+* Wed Sep 10 2025 Phil Sutter [1.2.8-4.el10]
+- udata: Introduce NFTNL_UDATA_TABLE_NFT{VER,BLD} (Phil Sutter) [RHEL-113823]
+
+* Tue Jul 15 2025 Phil Sutter [1.2.8-3.el10]
+- trace: add support for TRACE_CT information (Phil Sutter) [RHEL-103864]
+
 * Wed Dec 04 2024 Phil Sutter [1.2.8-2.el10]
 - set: Fix for array overrun when setting NFTNL_SET_DESC_CONCAT (Phil Sutter) [RHEL-34697]