libnftnl-1.3.0-2.el10

* Thu Nov 27 2025 Phil Sutter <psutter@redhat.com> [1.3.0-2.el10] - utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings (Phil Sutter) [RHEL-108860] - utils: Add helpers for interface name wildcards (Phil Sutter) [RHEL-108860] Resolves: RHEL-108860
2025-11-27 10:58:57 +01:00 · 2025-11-27 10:58:57 +01:00 · a85ff1d799
commit a85ff1d799
parent 7ac31e990d
3 changed files with 237 additions and 1 deletions
--- a/0002-utils-Add-helpers-for-interface-name-wildcards.patch
+++ b/0002-utils-Add-helpers-for-interface-name-wildcards.patch
@ -0,0 +1,181 @@
+From 34248b6810a186fb214d2fd4a7f047ee0b95818a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 27 Nov 2025 10:57:03 +0100
+Subject: [PATCH] utils: Add helpers for interface name wildcards
+
+JIRA: https://issues.redhat.com/browse/RHEL-108860
+Upstream Status: libnftnl commit f30eae26d813e54897caa1def6501d662dd79228
+
+commit f30eae26d813e54897caa1def6501d662dd79228
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Oct 1 12:59:29 2024 +0200
+
+    utils: Add helpers for interface name wildcards
+
+    Support simple (suffix) wildcards in NFTNL_{CHAIN,FLOWTABLE}_DEVICES
+    identified by NFTA_DEVICE_PREFIX attribute. Add helpers converting to
+    and from the human-readable asterisk-suffix notation.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ include/linux/netfilter/nf_tables.h |  2 ++
+ include/utils.h                     |  5 ++++
+ src/chain.c                         |  4 ++-
+ src/flowtable.c                     |  2 +-
+ src/str_array.c                     | 10 +++++---
+ src/utils.c                         | 39 +++++++++++++++++++++++++++++
+ 6 files changed, 57 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 2beb30b..8e0eb83 100644
+--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
+@@ -1784,10 +1784,12 @@ enum nft_synproxy_attributes {
+  * enum nft_device_attributes - nf_tables device netlink attributes
+  *
+  * @NFTA_DEVICE_NAME: name of this device (NLA_STRING)
+ * @NFTA_DEVICE_PREFIX: device name prefix, a simple wildcard (NLA_STRING)
+  */
+ enum nft_devices_attributes {
+ 	NFTA_DEVICE_UNSPEC,
+ 	NFTA_DEVICE_NAME,
+	NFTA_DEVICE_PREFIX,
+ 	__NFTA_DEVICE_MAX
+ };
+ #define NFTA_DEVICE_MAX		(__NFTA_DEVICE_MAX - 1)
+diff --git a/include/utils.h b/include/utils.h
+index 247d99d..5a3379f 100644
+--- a/include/utils.h
+++ b/include/utils.h
+@@ -83,4 +83,9 @@ int nftnl_fprintf(FILE *fpconst, const void *obj, uint32_t cmd, uint32_t type,
+ int nftnl_set_str_attr(const char **dptr, uint32_t *flags,
+ 		       uint16_t attr, const void *data, uint32_t data_len);
+ 
+struct nlattr;
+
+void nftnl_attr_put_ifname(struct nlmsghdr *nlh, const char *ifname);
+char *nftnl_attr_get_ifname(const struct nlattr *attr);
+
+ #endif
+diff --git a/src/chain.c b/src/chain.c
+index 895108c..8396114 100644
+--- a/src/chain.c
+++ b/src/chain.c
+@@ -464,7 +464,7 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch
+ 
+ 		nest_dev = mnl_attr_nest_start(nlh, NFTA_HOOK_DEVS);
+ 		nftnl_str_array_foreach(dev, &c->dev_array, i)
+-			mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev);
+			nftnl_attr_put_ifname(nlh, dev);
+ 		mnl_attr_nest_end(nlh, nest_dev);
+ 	}
+ 
+@@ -648,6 +648,8 @@ static int nftnl_chain_parse_hook(struct nlattr *attr, struct nftnl_chain *c)
+ 		c->flags |= (1 << NFTNL_CHAIN_PRIO);
+ 	}
+ 	if (tb[NFTA_HOOK_DEV]) {
+		if (c->flags & (1 << NFTNL_CHAIN_DEV))
+			xfree(c->dev);
+ 		c->dev = strdup(mnl_attr_get_str(tb[NFTA_HOOK_DEV]));
+ 		if (!c->dev)
+ 			return -1;
+diff --git a/src/flowtable.c b/src/flowtable.c
+index fbbe0a8..59991d6 100644
+--- a/src/flowtable.c
+++ b/src/flowtable.c
+@@ -299,7 +299,7 @@ void nftnl_flowtable_nlmsg_build_payload(struct nlmsghdr *nlh,
+ 
+ 		nest_dev = mnl_attr_nest_start(nlh, NFTA_FLOWTABLE_HOOK_DEVS);
+ 		nftnl_str_array_foreach(dev, &c->dev_array, i)
+-			mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev);
+			nftnl_attr_put_ifname(nlh, dev);
+ 		mnl_attr_nest_end(nlh, nest_dev);
+ 	}
+ 
+diff --git a/src/str_array.c b/src/str_array.c
+index 5669c61..4292c98 100644
+--- a/src/str_array.c
+++ b/src/str_array.c
+@@ -45,9 +45,13 @@ int nftnl_parse_devs(struct nftnl_str_array *sa, const struct nlattr *nest)
+ 	int len = 0;
+ 
+ 	mnl_attr_for_each_nested(attr, nest) {
+-		if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME)
+		switch(mnl_attr_get_type(attr)) {
+		default:
+ 			return -1;
+-		len++;
+		case NFTA_DEVICE_NAME:
+		case NFTA_DEVICE_PREFIX:
+			len++;
+		}
+ 	}
+ 
+ 	nftnl_str_array_clear(sa);
+@@ -56,7 +60,7 @@ int nftnl_parse_devs(struct nftnl_str_array *sa, const struct nlattr *nest)
+ 		return -1;
+ 
+ 	mnl_attr_for_each_nested(attr, nest) {
+-		sa->array[sa->len] = strdup(mnl_attr_get_str(attr));
+		sa->array[sa->len] = nftnl_attr_get_ifname(attr);
+ 		if (!sa->array[sa->len]) {
+ 			nftnl_str_array_clear(sa);
+ 			return -1;
+diff --git a/src/utils.c b/src/utils.c
+index 5f2c5bf..c4bbd4f 100644
+--- a/src/utils.c
+++ b/src/utils.c
+@@ -13,8 +13,11 @@
+ #include <errno.h>
+ #include <inttypes.h>
+ 
+#include <libmnl/libmnl.h>
+
+ #include <libnftnl/common.h>
+ 
+#include <linux/if.h>
+ #include <linux/netfilter.h>
+ #include <linux/netfilter/nf_tables.h>
+ 
+@@ -146,3 +149,39 @@ int nftnl_set_str_attr(const char **dptr, uint32_t *flags,
+ 	*flags |= (1 << attr);
+ 	return 0;
+ }
+
+static bool is_wildcard_str(const char *str)
+{
+	size_t len = strlen(str);
+
+	if (len < 1 || str[len - 1] != '*')
+		return false;
+	if (len < 2 || str[len - 2] != '\\')
+		return true;
+	/* XXX: ignore backslash escaping for now */
+	return false;
+}
+
+void nftnl_attr_put_ifname(struct nlmsghdr *nlh, const char *ifname)
+{
+	uint16_t attr = is_wildcard_str(ifname) ?
+			NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME;
+
+	mnl_attr_put_strz(nlh, attr, ifname);
+}
+
+char *nftnl_attr_get_ifname(const struct nlattr *attr)
+{
+	const char *dev = mnl_attr_get_str(attr);
+	char buf[IFNAMSIZ];
+
+	switch (mnl_attr_get_type(attr)) {
+	case NFTA_DEVICE_NAME:
+		return strdup(dev);
+	case NFTA_DEVICE_PREFIX:
+		snprintf(buf, IFNAMSIZ, "%s*", dev);
+		return strdup(buf);
+	default:
+		return NULL;
+	}
+}
--- a/0003-utils-Drop-asterisk-from-end-of-NFTA_DEVICE_PREFIX-s.patch
+++ b/0003-utils-Drop-asterisk-from-end-of-NFTA_DEVICE_PREFIX-s.patch
@ -0,0 +1,49 @@
+From 5282d94c17c8fd08229687639d5c5f48c7bc1fc5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 27 Nov 2025 10:57:03 +0100
+Subject: [PATCH] utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings
+
+JIRA: https://issues.redhat.com/browse/RHEL-108860
+Upstream Status: libnftnl commit 6f24a13a19b8690444564f50e1866fae5abf7687
+
+commit 6f24a13a19b8690444564f50e1866fae5abf7687
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Oct 7 17:45:25 2025 +0200
+
+    utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings
+
+    The asterisk left in place becomes part of the prefix by accident and is thus
+    both included when matching interface names as well as dumped back to user
+    space.
+
+    Fixes: f30eae26d813e ("utils: Add helpers for interface name wildcards")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/utils.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/utils.c b/src/utils.c
+index c4bbd4f..d73c5f6 100644
+--- a/src/utils.c
+++ b/src/utils.c
+@@ -164,9 +164,16 @@ static bool is_wildcard_str(const char *str)
+ 
+ void nftnl_attr_put_ifname(struct nlmsghdr *nlh, const char *ifname)
+ {
+-	uint16_t attr = is_wildcard_str(ifname) ?
+-			NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME;
+	uint16_t attr = NFTA_DEVICE_NAME;
+	char pfx[IFNAMSIZ];
+ 
+	if (is_wildcard_str(ifname)) {
+		snprintf(pfx, IFNAMSIZ, "%s", ifname);
+		pfx[strlen(pfx) - 1] = '\0';
+
+		attr = NFTA_DEVICE_PREFIX;
+		ifname = pfx;
+	}
+ 	mnl_attr_put_strz(nlh, attr, ifname);
+ }
+ 
--- a/libnftnl.spec
+++ b/libnftnl.spec
@ -1,12 +1,14 @@
 Name:           libnftnl
 Version:        1.3.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Library for low-level interaction with nftables Netlink's API over libmnl
 License:        GPL-2.0-or-later
 URL:            https://netfilter.org/projects/libnftnl/
 Source0:        %{url}/files/%{name}-%{version}.tar.xz

 Patch1:             0001-udata-Introduce-NFTNL_UDATA_TABLE_NFT-VER-BLD.patch
+Patch2:             0002-utils-Add-helpers-for-interface-name-wildcards.patch
+Patch3:             0003-utils-Drop-asterisk-from-end-of-NFTA_DEVICE_PREFIX-s.patch

 BuildRequires:  libmnl-devel
 BuildRequires:  gcc
@ -55,6 +57,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %{_includedir}/libnftnl

 %changelog
+* Thu Nov 27 2025 Phil Sutter <psutter@redhat.com> [1.3.0-2.el10]
+- utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings (Phil Sutter) [RHEL-108860]
+- utils: Add helpers for interface name wildcards (Phil Sutter) [RHEL-108860]
+
 * Thu Nov 20 2025 Phil Sutter <psutter@redhat.com> [1.3.0-1.el10]
 - Rebase onto version 1.3.0 (Phil Sutter) [RHEL-121193]