.gitignore

@@ -1 +1 @@
-SOURCES/libnftnl-1.2.2.tar.bz2
+SOURCES/libnftnl-1.2.6.tar.xz

.libnftnl.metadata

@@ -1 +1 @@
-a43773c5569d6a80cd94add256bef4dd63dd7571 SOURCES/libnftnl-1.2.2.tar.bz2
+aba10d5003a851fe08685df1d4ff7b60500122d0 SOURCES/libnftnl-1.2.6.tar.xz

SOURCES/0001-libnftnl.map-Restore-custom-LIBNFTNL_RHEL_14-version.patch

@@ -1,47 +0,0 @@
-From 7255af8a844a1444d59023500d176c8c2fff7a62 Mon Sep 17 00:00:00 2001
-From: Phil Sutter <psutter@redhat.com>
-Date: Wed, 28 Jun 2023 15:41:05 +0200
-Subject: [PATCH] libnftnl.map: Restore custom LIBNFTNL_RHEL_14 version
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211096
-Upstream Status: RHEL-only
-
-Avoid breaking old binaries. Keep the custom version name exporting
-symbol nftnl_set_elem_nlmsg_build upstream exported in LIBNFTNL_17.
----
- src/libnftnl.map | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/libnftnl.map b/src/libnftnl.map
-index ad8f2af060aef..26701c2984296 100644
---- a/src/libnftnl.map
-+++ b/src/libnftnl.map
-@@ -360,6 +360,10 @@ LIBNFTNL_13 {
-   nftnl_flowtable_set_data;
- } LIBNFTNL_12;
- 
-+LIBNFTNL_RHEL_14 {
-+  nftnl_set_elem_nlmsg_build;
-+} LIBNFTNL_13;
-+
- LIBNFTNL_14 {
-   nftnl_udata_nest_start;
-   nftnl_udata_nest_end;
-@@ -367,7 +371,7 @@ LIBNFTNL_14 {
-   nftnl_chain_get_array;
-   nftnl_flowtable_set_array;
-   nftnl_flowtable_get_array;
--} LIBNFTNL_13;
-+} LIBNFTNL_RHEL_14;
- 
- LIBNFTNL_15 {
-   nftnl_obj_get_data;
-@@ -385,5 +389,4 @@ LIBNFTNL_16 {
- } LIBNFTNL_15;
- 
- LIBNFTNL_17 {
--  nftnl_set_elem_nlmsg_build;
- } LIBNFTNL_16;
--- 
-2.40.0
-

SOURCES/0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch

@@ -0,0 +1,77 @@
+From 64b18b08a4c7ff6baeca536100e34aacbbafa7f3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 26 Oct 2023 18:05:02 +0200
+Subject: [PATCH] set: Do not leave free'd expr_list elements in place
+
+JIRA: https://issues.redhat.com/browse/RHEL-14149
+Upstream Status: libnftnl commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
+
+commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed May 31 14:09:09 2023 +0200
+
+    set: Do not leave free'd expr_list elements in place
+
+    When freeing elements, remove them also to prevent a potential UAF.
+
+    Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
+    Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/set.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/set.c b/src/set.c
+index c46f827..719e596 100644
+--- a/src/set.c
++++ b/src/set.c
+@@ -54,8 +54,10 @@ void nftnl_set_free(const struct nftnl_set *s)
+ 	if (s->flags & (1 << NFTNL_SET_USERDATA))
+ 		xfree(s->user.data);
+ 
+-	list_for_each_entry_safe(expr, next, &s->expr_list, head)
++	list_for_each_entry_safe(expr, next, &s->expr_list, head) {
++		list_del(&expr->head);
+ 		nftnl_expr_free(expr);
++	}
+ 
+ 	list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
+ 		list_del(&elem->head);
+@@ -105,8 +107,10 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
+ 		break;
+ 	case NFTNL_SET_EXPR:
+ 	case NFTNL_SET_EXPRESSIONS:
+-		list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
++		list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
++			list_del(&expr->head);
+ 			nftnl_expr_free(expr);
++		}
+ 		break;
+ 	default:
+ 		return;
+@@ -210,8 +214,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
+ 		s->user.len = data_len;
+ 		break;
+ 	case NFTNL_SET_EXPR:
+-		list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
++		list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
++			list_del(&expr->head);
+ 			nftnl_expr_free(expr);
++		}
+ 
+ 		expr = (void *)data;
+ 		list_add(&expr->head, &s->expr_list);
+@@ -742,8 +748,10 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
+ 
+ 	return 0;
+ out_set_expr:
+-	list_for_each_entry_safe(expr, next, &s->expr_list, head)
++	list_for_each_entry_safe(expr, next, &s->expr_list, head) {
++		list_del(&expr->head);
+ 		nftnl_expr_free(expr);
++	}
+ 
+ 	return -1;
+ }

SPECS/libnftnl.spec

@@ -1,19 +1,21 @@
-%define rpmversion 1.2.2
+%define libnftnl_rpmversion 1.2.6
-%define specrelease 3
+%define libnftnl_specrelease 2
 
 Name:           libnftnl
-Version:        %{rpmversion}
+Version:        %{libnftnl_rpmversion}
-Release:        %{specrelease}%{?dist}
+Release:        %{libnftnl_specrelease}%{?dist}%{?buildid}
 Summary:        Library for low-level interaction with nftables Netlink's API over libmnl
 License:        GPLv2+
-URL:            http://netfilter.org/projects/libnftnl/
+URL:            https://netfilter.org/projects/libnftnl/
-Source0:        http://ftp.netfilter.org/pub/libnftnl/libnftnl-%{version}.tar.bz2
+Source0:        %{url}/files/%{name}-%{version}.tar.xz
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libtool
-BuildRequires:  libmnl-devel
 
-Patch0001: 0001-libnftnl.map-Restore-custom-LIBNFTNL_RHEL_14-version.patch
+Patch1:             0001-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
+
+BuildRequires:  libmnl-devel
+BuildRequires:  gcc
+BuildRequires:  make
+#BuildRequires:  autoconf
+#BuildRequires:  automake
 
 %description
 A library for low-level interaction with nftables Netlink's API over libmnl.
@@ -33,23 +35,19 @@ developing applications that use %{name}.
 # This is what autogen.sh (only in git repo) does - without it, patches changing
 # Makefile.am cause the build system to regenerate Makefile.in and trying to use
 # automake-1.14 for that which is not available in RHEL.
-autoreconf -fi
+#autoreconf -fi
-rm -rf autom4te*.cache
+#rm -rf autom4te*.cache
 
 %configure --disable-static --disable-silent-rules
-make %{?_smp_mflags}
+%make_build
 
 %check
-make %{?_smp_mflags} check
+%make_build check
 
 %install
 %make_install
 find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-
 %files
 %doc COPYING
 %{_libdir}/*.so.*
@@ -60,78 +58,82 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %{_includedir}/libnftnl
 
 %changelog
-* Wed Jun 28 2023 Phil Sutter <psutter@redhat.com> [1.2.2-3.el8]
+* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.2.6-2.el9]
-- Export nftnl_set_elem_nlmsg_build symbol in the right version
+- spec: Avoid variable name clash, add missing dist tag (Phil Sutter) [RHEL-14149]
 
-* Wed Jun 28 2023 Phil Sutter <psutter@redhat.com> [1.2.2-2.el8]
+* Thu Oct 26 2023 Phil Sutter <psutter@redhat.com> [1.2.6-1.el9]
-- libnftnl.map: Restore custom LIBNFTNL_RHEL_14 version (Phil Sutter) [2211096]
+- set: Do not leave free'd expr_list elements in place (Phil Sutter) [RHEL-14149]
+- Rebase onto version 1.2.6 (Phil Sutter) [RHEL-14149]
 
-* Tue May 30 2023 Phil Sutter <psutter@redhat.com> [1.2.2-1.el8]
+* Tue Jun 07 2022 Phil Sutter <psutter@redhat.com> - 1.2.2-1
-- Rebase onto version 1.2.2 (Phil Sutter) [2211096]
+- New version 1.2.2
 
-* Fri Jan 21 2022 Phil Sutter <psutter@redhat.com> [1.1.5-5.el8]
+* Wed May 18 2022 Phil Sutter <psutter@redhat.com> - 1.2.1-1
-- set: expose nftnl_set_elem_nlmsg_build() (Phil Sutter) [2040754]
+- Fix debug printing for tcp option reset expression
-- expr: dynset: release stateful expression from .free path (Phil Sutter) [2040478]
+- new version 1.2.1
-- set_elem: missing set and build for NFTNL_SET_ELEM_EXPR (Phil Sutter) [2040478]
 
-* Wed Feb 19 2020 Phil Sutter <psutter@redhat.com> [1.1.5-4.el8]
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.9-4
-- src: Fix for reading garbage in nftnl_chain getters (Phil Sutter) [1758673]
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Fri Feb 14 2020 Phil Sutter <psutter@redhat.com> [1.1.5-3.el8]
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.1.9-3
-- set_elem: Introduce support for NFTNL_SET_ELEM_KEY_END (Phil Sutter) [1795223]
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-- set: Add support for NFTA_SET_DESC_CONCAT attributes (Phil Sutter) [1795223]
-- include: resync nf_tables.h cache copy (Phil Sutter) [1795223]
 
-* Fri Dec 06 2019 Phil Sutter <psutter@redhat.com> [1.1.5-2.el8]
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.9-2
-- chain: Correctly check realloc() call (Phil Sutter) [1778952]
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-- flowtable: Correctly check realloc() call (Phil Sutter) [1778952]
-- chain: Fix memleak in error path of nftnl_chain_parse_devs() (Phil Sutter) [1778952]
-- flowtable: Fix memleak in error path of nftnl_flowtable_parse_devs() (Phil Sutter) [1778952]
 
-* Mon Dec 02 2019 Phil Sutter <psutter@redhat.com> [1.1.5-1.el8]
+* Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 1.1.9-1
-- Rebase onto upstream version 1.1.5 (Phil Sutter) [1717129]
+- Update to 1.1.9. Fixes rhbz#1916855
 
-* Thu Oct 24 2019 Phil Sutter <psutter@redhat.com> [1.1.4-3.el8]
+* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 1.1.8-1
-- set: Export nftnl_set_list_lookup_byname() (Phil Sutter) [1762563]
+- Update to 1.1.8. Fixes bug #1891597
 
-* Thu Oct 17 2019 Phil Sutter <psutter@redhat.com> [1.1.4-2.el8]
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.7-3
-- obj/ct_timeout: Fix NFTA_CT_TIMEOUT_DATA parser (Phil Sutter) [1758673]
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-- set_elem: Validate nftnl_set_elem_set() parameters (Phil Sutter) [1758673]
-- obj/ct_timeout: Avoid array overrun in timeout_parse_attr_data() (Phil Sutter) [1758673]
-- set: Don't bypass checks in nftnl_set_set_u{32,64}() (Phil Sutter) [1758673]
-- obj/tunnel: Fix for undefined behaviour (Phil Sutter) [1758673]
-- set_elem: Fix return code of nftnl_set_elem_set() (Phil Sutter) [1758673]
-- obj: ct_timeout: Check return code of mnl_attr_parse_nested() (Phil Sutter) [1758673]
 
-* Fri Oct 04 2019 Phil Sutter <psutter@redhat.com> [1.1.4-1.el8]
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 1.1.7-2
-- Rebase to upstream version 1.1.4 (Phil Sutter) [1717129]
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 
-* Thu Jan 31 2019 Phil Sutter <psutter@redhat.com> [1.1.1-4.el8]
+* Fri Jun 05 2020 Phil Sutter <psutter@redhat.com> - 1.1.7-1
-- src: rule: Support NFTA_RULE_POSITION_ID attribute (Phil Sutter) [1670565]
+- Rebase onto upstream version 1.1.7
 
-* Tue Jan 29 2019 Phil Sutter <psutter@redhat.com> [1.1.1-3.el8]
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.5-2
-- src: chain: Fix nftnl_chain_rule_insert_at() (Phil Sutter) [1666495]
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-- src: chain: Add missing nftnl_chain_rule_del() (Phil Sutter) [1666495]
-- flowtable: Fix for reading garbage (Phil Sutter) [1661327]
-- flowtable: Fix memleak in nftnl_flowtable_parse_devs() (Phil Sutter) [1661327]
-- flowtable: Fix use after free in two spots (Phil Sutter) [1661327]
-- flowtable: Add missing break (Phil Sutter) [1661327]
-- object: Avoid obj_ops array overrun (Phil Sutter) [1661327]
 
-* Mon Dec 17 2018 Phil Sutter <psutter@redhat.com> [1.1.1-2.el8]
+* Wed Dec 04 2019 Phil Sutter <psutter@redhat.com> - 1.1.5-1
-- chain: Hash chain list by name (Phil Sutter) [1658533]
+- Update to 1.1.5. Fixes bug #1778850
-- chain: Add lookup functions for chain list and rules in chain (Phil Sutter) [1658533]
-- chain: Support per chain rules list (Phil Sutter) [1658533]
-- src: remove nftnl_rule_cmp() and nftnl_expr_cmp() (Phil Sutter) [1658533]
 
-* Thu Jul 12 2018 Phil Sutter <psutter@redhat.com> [1.1.1-1.el8]
+* Fri Aug 23 2019 Kevin Fenzi <kevin@scrye.com> - 1.1.4-1
-- Rebase onto upstream version 1.1.1
+- Update to 1.1.4. Fixes bug #1743175
-- Sync spec file with RHEL7
-- Disable JSON parsing, deprecated by upstream
-- Make use of builtin testsuite
 
-* Sat Jun 23 2018 Phil Sutter - 1.0.9-3
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.3-2
-- Drop leftover mxml dependency [1594917]
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Jun 16 2019 Kevin Fenzi <kevin@scrye.com> - 1.1.3-1
+- Update to 1.1.3. Fixes bug #1714231
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 20 2018 Kevin Fenzi <kevin@scrye.com> - 1.1.1-5
+- Fix FTBFS bug #1604620
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jun 25 2018 Phil Sutter <psutter@redhat.com> - 1.1.1-3
+- Disable running tests/test-script.sh again, it breaks builds on big endian.
+
+* Thu Jun 14 2018 Phil Sutter <psutter@redhat.com> - 1.1.1-2
+- Drop leftover mxml dependency. Fixes bug #1594107
+- Enable running tests/test-scrip.sh again when checking.
+
+* Sat Jun 09 2018 Kevin Fenzi <kevin@scrye.com> - 1.1.1-1
+- Update to 1.1.1. Fixes bug #1589403
+
+* Fri May 04 2018 Kevin Fenzi <kevin@scrye.com> - 1.1.0-1
+- Update to 1.1.0. Fixes bug #1574094
 
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild