From a85ff1d7990adf7d7bfb515857aa8e5c00aac7c0 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 27 Nov 2025 10:58:57 +0100 Subject: [PATCH] libnftnl-1.3.0-2.el10 * Thu Nov 27 2025 Phil Sutter [1.3.0-2.el10] - utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings (Phil Sutter) [RHEL-108860] - utils: Add helpers for interface name wildcards (Phil Sutter) [RHEL-108860] Resolves: RHEL-108860 --- ...helpers-for-interface-name-wildcards.patch | 181 ++++++++++++++++++ ...isk-from-end-of-NFTA_DEVICE_PREFIX-s.patch | 49 +++++ libnftnl.spec | 8 +- 3 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 0002-utils-Add-helpers-for-interface-name-wildcards.patch create mode 100644 0003-utils-Drop-asterisk-from-end-of-NFTA_DEVICE_PREFIX-s.patch diff --git a/0002-utils-Add-helpers-for-interface-name-wildcards.patch b/0002-utils-Add-helpers-for-interface-name-wildcards.patch new file mode 100644 index 0000000..6bf9528 --- /dev/null +++ b/0002-utils-Add-helpers-for-interface-name-wildcards.patch @@ -0,0 +1,181 @@ +From 34248b6810a186fb214d2fd4a7f047ee0b95818a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 27 Nov 2025 10:57:03 +0100 +Subject: [PATCH] utils: Add helpers for interface name wildcards + +JIRA: https://issues.redhat.com/browse/RHEL-108860 +Upstream Status: libnftnl commit f30eae26d813e54897caa1def6501d662dd79228 + +commit f30eae26d813e54897caa1def6501d662dd79228 +Author: Phil Sutter +Date: Tue Oct 1 12:59:29 2024 +0200 + + utils: Add helpers for interface name wildcards + + Support simple (suffix) wildcards in NFTNL_{CHAIN,FLOWTABLE}_DEVICES + identified by NFTA_DEVICE_PREFIX attribute. Add helpers converting to + and from the human-readable asterisk-suffix notation. + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/linux/netfilter/nf_tables.h | 2 ++ + include/utils.h | 5 ++++ + src/chain.c | 4 ++- + src/flowtable.c | 2 +- + src/str_array.c | 10 +++++--- + src/utils.c | 39 +++++++++++++++++++++++++++++ + 6 files changed, 57 insertions(+), 5 deletions(-) + +diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h +index 2beb30b..8e0eb83 100644 +--- a/include/linux/netfilter/nf_tables.h ++++ b/include/linux/netfilter/nf_tables.h +@@ -1784,10 +1784,12 @@ enum nft_synproxy_attributes { + * enum nft_device_attributes - nf_tables device netlink attributes + * + * @NFTA_DEVICE_NAME: name of this device (NLA_STRING) ++ * @NFTA_DEVICE_PREFIX: device name prefix, a simple wildcard (NLA_STRING) + */ + enum nft_devices_attributes { + NFTA_DEVICE_UNSPEC, + NFTA_DEVICE_NAME, ++ NFTA_DEVICE_PREFIX, + __NFTA_DEVICE_MAX + }; + #define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1) +diff --git a/include/utils.h b/include/utils.h +index 247d99d..5a3379f 100644 +--- a/include/utils.h ++++ b/include/utils.h +@@ -83,4 +83,9 @@ int nftnl_fprintf(FILE *fpconst, const void *obj, uint32_t cmd, uint32_t type, + int nftnl_set_str_attr(const char **dptr, uint32_t *flags, + uint16_t attr, const void *data, uint32_t data_len); + ++struct nlattr; ++ ++void nftnl_attr_put_ifname(struct nlmsghdr *nlh, const char *ifname); ++char *nftnl_attr_get_ifname(const struct nlattr *attr); ++ + #endif +diff --git a/src/chain.c b/src/chain.c +index 895108c..8396114 100644 +--- a/src/chain.c ++++ b/src/chain.c +@@ -464,7 +464,7 @@ void nftnl_chain_nlmsg_build_payload(struct nlmsghdr *nlh, const struct nftnl_ch + + nest_dev = mnl_attr_nest_start(nlh, NFTA_HOOK_DEVS); + nftnl_str_array_foreach(dev, &c->dev_array, i) +- mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev); ++ nftnl_attr_put_ifname(nlh, dev); + mnl_attr_nest_end(nlh, nest_dev); + } + +@@ -648,6 +648,8 @@ static int nftnl_chain_parse_hook(struct nlattr *attr, struct 
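Review bot: The two new prototypes in include/utils.h say nothing about ownership or failure, although nftnl_attr_get_ifname() returns a strdup()'d string that the caller must free and yields NULL both on allocation failure and for an attribute type other than NFTA_DEVICE_NAME/NFTA_DEVICE_PREFIX. Suggest a comment above each declaration, e.g. `/* Caller frees; NULL on OOM or on an attribute that is not NFTA_DEVICE_NAME/NFTA_DEVICE_PREFIX. */` for the getter and `/* Emits ifname as NFTA_DEVICE_PREFIX when it ends in '*', else as NFTA_DEVICE_NAME. */` for the put helper. Only `struct nlattr` is forward-declared here while nftnl_attr_put_ifname() takes a `struct nlmsghdr *`; if that tag is not already declared by an earlier include in this header (not visible in the hunk), a `struct nlmsghdr;` line next to it avoids the "declared inside parameter list" warning.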
nftnl_chain *c) + c->flags |= (1 << NFTNL_CHAIN_PRIO); + } + if (tb[NFTA_HOOK_DEV]) { ++ if (c->flags & (1 << NFTNL_CHAIN_DEV)) ++ xfree(c->dev); + c->dev = strdup(mnl_attr_get_str(tb[NFTA_HOOK_DEV])); + if (!c->dev) + return -1; +diff --git a/src/flowtable.c b/src/flowtable.c +index fbbe0a8..59991d6 100644 +--- a/src/flowtable.c ++++ b/src/flowtable.c +@@ -299,7 +299,7 @@ void nftnl_flowtable_nlmsg_build_payload(struct nlmsghdr *nlh, + + nest_dev = mnl_attr_nest_start(nlh, NFTA_FLOWTABLE_HOOK_DEVS); + nftnl_str_array_foreach(dev, &c->dev_array, i) +- mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev); ++ nftnl_attr_put_ifname(nlh, dev); + mnl_attr_nest_end(nlh, nest_dev); + } + +diff --git a/src/str_array.c b/src/str_array.c +index 5669c61..4292c98 100644 +--- a/src/str_array.c ++++ b/src/str_array.c +@@ -45,9 +45,13 @@ int nftnl_parse_devs(struct nftnl_str_array *sa, const struct nlattr *nest) + int len = 0; + + mnl_attr_for_each_nested(attr, nest) { +- if (mnl_attr_get_type(attr) != NFTA_DEVICE_NAME) ++ switch(mnl_attr_get_type(attr)) { ++ default: + return -1; +- len++; ++ case NFTA_DEVICE_NAME: ++ case NFTA_DEVICE_PREFIX: ++ len++; ++ } + } + + nftnl_str_array_clear(sa); +@@ -56,7 +60,7 @@ int nftnl_parse_devs(struct nftnl_str_array *sa, const struct nlattr *nest) + return -1; + + mnl_attr_for_each_nested(attr, nest) { +- sa->array[sa->len] = strdup(mnl_attr_get_str(attr)); ++ sa->array[sa->len] = nftnl_attr_get_ifname(attr); + if (!sa->array[sa->len]) { + nftnl_str_array_clear(sa); + return -1; +diff --git a/src/utils.c b/src/utils.c +index 5f2c5bf..c4bbd4f 100644 +--- a/src/utils.c ++++ b/src/utils.c +@@ -13,8 +13,11 @@ + #include + #include + ++#include ++ + #include + ++#include + #include + #include + +@@ -146,3 +149,39 @@ int nftnl_set_str_attr(const char **dptr, uint32_t *flags, + *flags |= (1 << attr); + return 0; + } ++ ++static bool is_wildcard_str(const char *str) ++{ ++ size_t len = strlen(str); ++ ++ if (len < 1 || str[len - 1] != '*') ++ return false; 
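Review bot: In nftnl_chain_parse_hook() the new xfree(c->dev) is gated on the NFTNL_CHAIN_DEV flag, but when the strdup() that follows fails the function returns -1 with c->dev now NULL and that flag bit possibly still set, so pointer and flag disagree for the rest of the object's life. Clearing the bit where the old string is dropped, `c->flags &= ~(1 << NFTNL_CHAIN_DEV);` directly after `xfree(c->dev);`, keeps the pair consistent on both the success and the failure path. nftnl_chain_parse_hook() continues past the end of the hunk, so whether the bit is set again after a successful strdup() cannot be confirmed from here.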
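Review bot: The type switch in nftnl_parse_devs() now admits two string attributes, yet neither loop validates the payload as a NUL-terminated string before mnl_attr_get_str() and the copy in nftnl_attr_get_ifname() read it as one; adding `if (mnl_attr_validate(attr, MNL_TYPE_NUL_STRING) < 0) return -1;` under the two case labels bounds the read to the attribute length the way libmnl intends. The data comes from the kernel, so the risk is low, but the check is cheap and the switch is the natural place for it. On style, `switch(mnl_attr_get_type(attr))` drops the space before the parenthesis that the rest of this series uses (`switch (mnl_attr_get_type(attr))` in nftnl_attr_get_ifname()), and placing `default:` ahead of the case labels reads oddly; `case NFTA_DEVICE_NAME: case NFTA_DEVICE_PREFIX: len++; break; default: return -1;` is the conventional order.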
++ if (len < 2 || str[len - 2] != '\\') ++ return true; ++ /* XXX: ignore backslash escaping for now */ ++ return false; ++} ++ ++void nftnl_attr_put_ifname(struct nlmsghdr *nlh, const char *ifname) ++{ ++ uint16_t attr = is_wildcard_str(ifname) ? ++ NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME; ++ ++ mnl_attr_put_strz(nlh, attr, ifname); ++} ++ ++char *nftnl_attr_get_ifname(const struct nlattr *attr) ++{ ++ const char *dev = mnl_attr_get_str(attr); ++ char buf[IFNAMSIZ]; ++ ++ switch (mnl_attr_get_type(attr)) { ++ case NFTA_DEVICE_NAME: ++ return strdup(dev); ++ case NFTA_DEVICE_PREFIX: ++ snprintf(buf, IFNAMSIZ, "%s*", dev); ++ return strdup(buf); ++ default: ++ return NULL; ++ } ++} diff --git a/0003-utils-Drop-asterisk-from-end-of-NFTA_DEVICE_PREFIX-s.patch b/0003-utils-Drop-asterisk-from-end-of-NFTA_DEVICE_PREFIX-s.patch new file mode 100644 index 0000000..e1951b6 --- /dev/null +++ b/0003-utils-Drop-asterisk-from-end-of-NFTA_DEVICE_PREFIX-s.patch @@ -0,0 +1,49 @@ +From 5282d94c17c8fd08229687639d5c5f48c7bc1fc5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 27 Nov 2025 10:57:03 +0100 +Subject: [PATCH] utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings + +JIRA: https://issues.redhat.com/browse/RHEL-108860 +Upstream Status: libnftnl commit 6f24a13a19b8690444564f50e1866fae5abf7687 + +commit 6f24a13a19b8690444564f50e1866fae5abf7687 +Author: Phil Sutter +Date: Tue Oct 7 17:45:25 2025 +0200 + + utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings + + The asterisk left in place becomes part of the prefix by accident and is thus + both included when matching interface names as well as dumped back to user + space. + + Fixes: f30eae26d813e ("utils: Add helpers for interface name wildcards") + 
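Review bot: nftnl_attr_get_ifname() formats the prefix plus '*' into `char buf[IFNAMSIZ]` and ignores the snprintf() return value, so a prefix of IFNAMSIZ-1 characters has its appended asterisk silently truncated and comes back as a plain name, indistinguishable from an exact NFTA_DEVICE_NAME match and re-sent as the wrong attribute if the string is later fed through nftnl_attr_put_ifname(). Sizing the buffer for the marker and refusing truncation fixes the round trip: `char buf[IFNAMSIZ + 1];` together with `if (snprintf(buf, sizeof(buf), "%s*", dev) >= (int)sizeof(buf)) return NULL;`. The XXX in is_wildcard_str() would be clearer if it stated the consequence: a string ending in `\*` is sent verbatim as NFTA_DEVICE_NAME, backslash included, so the escape is recognised but never stripped. Whether the kernel bounds NFTA_DEVICE_PREFIX at IFNAMSIZ-1 is not visible here, but the library side should not lose the wildcard marker on its own.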
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + src/utils.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/utils.c b/src/utils.c +index c4bbd4f..d73c5f6 100644 +--- a/src/utils.c ++++ b/src/utils.c +@@ -164,9 +164,16 @@ static bool is_wildcard_str(const char *str) + + void nftnl_attr_put_ifname(struct nlmsghdr *nlh, const char *ifname) + { +- uint16_t attr = is_wildcard_str(ifname) ? +- NFTA_DEVICE_PREFIX : NFTA_DEVICE_NAME; ++ uint16_t attr = NFTA_DEVICE_NAME; ++ char pfx[IFNAMSIZ]; + ++ if (is_wildcard_str(ifname)) { ++ snprintf(pfx, IFNAMSIZ, "%s", ifname); ++ pfx[strlen(pfx) - 1] = '\0'; ++ ++ attr = NFTA_DEVICE_PREFIX; ++ ifname = pfx; ++ } + mnl_attr_put_strz(nlh, attr, ifname); + } + diff --git a/libnftnl.spec b/libnftnl.spec index d436e5d..d37a5cf 100644 --- a/libnftnl.spec +++ b/libnftnl.spec @@ -1,12 +1,14 @@ Name: libnftnl Version: 1.3.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Library for low-level interaction with nftables Netlink's API over libmnl License: GPL-2.0-or-later URL: https://netfilter.org/projects/libnftnl/ Source0: %{url}/files/%{name}-%{version}.tar.xz Patch1: 0001-udata-Introduce-NFTNL_UDATA_TABLE_NFT-VER-BLD.patch +Patch2: 0002-utils-Add-helpers-for-interface-name-wildcards.patch +Patch3: 0003-utils-Drop-asterisk-from-end-of-NFTA_DEVICE_PREFIX-s.patch BuildRequires: libmnl-devel BuildRequires: gcc @@ -55,6 +57,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' %{_includedir}/libnftnl %changelog +* Thu Nov 27 2025 Phil Sutter [1.3.0-2.el10] +- utils: Drop asterisk from end of NFTA_DEVICE_PREFIX strings (Phil Sutter) [RHEL-108860] +- utils: Add helpers for interface name wildcards (Phil Sutter) [RHEL-108860] + * Thu Nov 20 2025 Phil Sutter [1.3.0-1.el10] - Rebase onto version 1.3.0 (Phil Sutter) [RHEL-121193]
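Review bot: The asterisk removal in nftnl_attr_put_ifname() is wrong for a 16-character input: `snprintf(pfx, IFNAMSIZ, "%s", ifname)` truncates `eth-long-prefix*` to 15 characters, already dropping the '*', and the following `pfx[strlen(pfx) - 1] = '\0'` then chops the last real prefix character, so a silently shortened prefix (`eth-long-prefi`) reaches the kernel and may match interfaces the user did not name. Copying exactly strlen-1 characters avoids the double truncation: `snprintf(pfx, sizeof(pfx), "%.*s", (int)(strlen(ifname) - 1), ifname);` in place of the two lines (is_wildcard_str() guarantees a length of at least one). A prefix that itself exceeds IFNAMSIZ-1 characters is still truncated silently because this void function cannot report anything to the caller; a comment at the top, `/* inputs longer than IFNAMSIZ including the '*' are truncated here */`, would at least make that visible, and whether the kernel rejects such prefixes is not something this hunk shows.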