import nftables-0.9.3-20.el8

SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch

@@ -0,0 +1,497 @@
+From f9dca1704ce66be31eceac4d7317b825269b3d07 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 2 Mar 2021 17:06:06 +0100
+Subject: [PATCH] tests: Disable tests known to fail on RHEL8
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
+Upstream Status: RHEL-only
+
+RHEL8 kernel does not support:
+
+- ct timeout or expectation objects
+- synproxy
+- flowtables in families other than inet
+- meta time
+- bridge family-specific meta expressions (e.g. ibrvproto, ibrpvid)
+- socket mark
+- osf
+- delete set elements from packet path
+- update stateful objects
+- explicitly setting set element expiration (commit 79ebb5bb4e3)
+- flushing chains and deleting referenced objects in the same
+  transaction (upstream commits with 'bogus EBUSY' in subject)
+
+Disable all related tests to make the testsuites pass.
+---
+ tests/monitor/testcases/object.t                   | 14 +++----
+ tests/py/any/meta.t                                | 36 ++++++++---------
+ tests/py/bridge/meta.t                             |  8 ++--
+ tests/py/inet/osf.t                                | 24 +++++------
+ tests/py/inet/socket.t                             |  2 +-
+ tests/py/inet/synproxy.t                           | 12 +++---
+ tests/py/ip/objects.t                              | 46 +++++++++++-----------
+ tests/py/ip6/sets.t                                |  2 +-
+ .../testcases/flowtable/0002create_flowtable_0     |  8 ++--
+ .../testcases/flowtable/0003add_after_flush_0      |  8 ++--
+ .../testcases/flowtable/0004delete_after_add_0     |  6 +--
+ .../shell/testcases/flowtable/0005delete_in_use_1  | 10 ++---
+ tests/shell/testcases/flowtable/0007prio_0         |  6 +--
+ tests/shell/testcases/flowtable/0008prio_1         |  4 +-
+ .../testcases/flowtable/0009deleteafterflush_0     | 12 +++---
+ tests/shell/testcases/listing/0013objects_0        |  2 +
+ tests/shell/testcases/nft-f/0017ct_timeout_obj_0   |  2 +
+ .../shell/testcases/nft-f/0018ct_expectation_obj_0 |  2 +
+ .../testcases/nft-f/dumps/0017ct_timeout_obj_0.nft | 11 ------
+ .../nft-f/dumps/0017ct_timeout_obj_0.nft.disabled  | 11 ++++++
+ .../testcases/optionals/update_object_handles_0    |  2 +
+ .../sets/0036add_set_element_expiration_0          |  2 +
+ tests/shell/testcases/transactions/0046set_0       |  2 +
+ 23 files changed, 122 insertions(+), 110 deletions(-)
+ delete mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
+ create mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
+
+diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t
+index 2afe33c..1b30384 100644
+--- a/tests/monitor/testcases/object.t
++++ b/tests/monitor/testcases/object.t
+@@ -37,10 +37,10 @@ I delete ct helper ip t cth
+ O -
+ J {"delete": {"ct helper": {"family": "ip", "name": "cth", "table": "t", "handle": 0, "type": "sip", "protocol": "tcp", "l3proto": "ip"}}}
+ 
+-I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15, replied : 12 }; }
+-O -
+-J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
+-
+-I delete ct timeout ip t ctt
+-O -
+-J {"delete": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
++# I add ct timeout ip t ctt { protocol udp; l3proto ip; policy = { unreplied : 15, replied : 12 }; }
++# O -
++# J {"add": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
++# 
++# I delete ct timeout ip t ctt
++# O -
++# J {"delete": {"ct timeout": {"family": "ip", "name": "ctt", "table": "t", "handle": 0, "protocol": "udp", "l3proto": "ip", "policy": {"unreplied": 15, "replied": 12}}}}
+diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
+index 327f973..241b466 100644
+--- a/tests/py/any/meta.t
++++ b/tests/py/any/meta.t
+@@ -204,21 +204,21 @@ meta iif . meta oif vmap { "lo" . "lo" : drop };ok;iif . oif vmap { "lo" . "lo"
+ meta random eq 1;ok;meta random 1
+ meta random gt 1000000;ok;meta random > 1000000
+ 
+-meta time "1970-05-23 21:07:14" drop;ok
+-meta time 12341234 drop;ok;meta time "1970-05-23 22:07:14" drop
+-meta time "2019-06-21 17:00:00" drop;ok
+-meta time "2019-07-01 00:00:00" drop;ok
+-meta time "2019-07-01 00:01:00" drop;ok
+-meta time "2019-07-01 00:00:01" drop;ok
+-meta day "Saturday" drop;ok
+-meta day 6 drop;ok;meta day "Saturday" drop
+-meta day "Satturday" drop;fail
+-meta hour "17:00" drop;ok
+-meta hour "17:00:00" drop;ok;meta hour "17:00" drop
+-meta hour "17:00:01" drop;ok
+-meta hour "00:00" drop;ok
+-meta hour "00:01" drop;ok
+-
+-meta time "meh";fail
+-meta hour "24:00" drop;fail
+-meta day 7 drop;fail
++- meta time "1970-05-23 21:07:14" drop;ok
++- meta time 12341234 drop;ok;meta time "1970-05-23 22:07:14" drop
++- meta time "2019-06-21 17:00:00" drop;ok
++- meta time "2019-07-01 00:00:00" drop;ok
++- meta time "2019-07-01 00:01:00" drop;ok
++- meta time "2019-07-01 00:00:01" drop;ok
++- meta day "Saturday" drop;ok
++- meta day 6 drop;ok;meta day "Saturday" drop
++- meta day "Satturday" drop;fail
++- meta hour "17:00" drop;ok
++- meta hour "17:00:00" drop;ok;meta hour "17:00" drop
++- meta hour "17:00:01" drop;ok
++- meta hour "00:00" drop;ok
++- meta hour "00:01" drop;ok
++
++- meta time "meh";fail
++- meta hour "24:00" drop;fail
++- meta day 7 drop;fail
+diff --git a/tests/py/bridge/meta.t b/tests/py/bridge/meta.t
+index 94525f2..9f55cde 100644
+--- a/tests/py/bridge/meta.t
++++ b/tests/py/bridge/meta.t
+@@ -2,7 +2,7 @@
+ 
+ *bridge;test-bridge;input
+ 
+-meta obrname "br0";ok
+-meta ibrname "br0";ok
+-meta ibrvproto vlan;ok
+-meta ibrpvid 100;ok
++- meta obrname "br0";ok
++- meta ibrname "br0";ok
++- meta ibrvproto vlan;ok
++- meta ibrpvid 100;ok
+diff --git a/tests/py/inet/osf.t b/tests/py/inet/osf.t
+index c828541..5191e72 100644
+--- a/tests/py/inet/osf.t
++++ b/tests/py/inet/osf.t
+@@ -4,15 +4,15 @@
+ *ip6;osfip6;osfchain
+ *inet;osfinet;osfchain
+ 
+-osf name "Linux";ok
+-osf ttl loose name "Linux";ok
+-osf ttl skip name "Linux";ok
+-osf ttl skip version "Linux:3.0";ok
+-osf ttl skip version "morethan:sixteenbytes";fail
+-osf ttl nottl name "Linux";fail
+-osf name "morethansixteenbytes";fail
+-osf name ;fail
+-osf name { "Windows", "MacOs" };ok
+-osf version { "Windows:XP", "MacOs:Sierra" };ok
+-ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
+-ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok
++- osf name "Linux";ok
++- osf ttl loose name "Linux";ok
++- osf ttl skip name "Linux";ok
++- osf ttl skip version "Linux:3.0";ok
++- osf ttl skip version "morethan:sixteenbytes";fail
++- osf ttl nottl name "Linux";fail
++- osf name "morethansixteenbytes";fail
++- osf name ;fail
++- osf name { "Windows", "MacOs" };ok
++- osf version { "Windows:XP", "MacOs:Sierra" };ok
++- ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 };ok
++- ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 };ok
+diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
+index 91846e8..dbc0554 100644
+--- a/tests/py/inet/socket.t
++++ b/tests/py/inet/socket.t
+@@ -8,4 +8,4 @@ socket transparent 0;ok
+ socket transparent 1;ok
+ socket transparent 2;fail
+ 
+-socket mark 0x00000005;ok
++- socket mark 0x00000005;ok
+diff --git a/tests/py/inet/synproxy.t b/tests/py/inet/synproxy.t
+index 55a05e1..9c58239 100644
+--- a/tests/py/inet/synproxy.t
++++ b/tests/py/inet/synproxy.t
+@@ -4,10 +4,10 @@
+ *ip6;synproxyip6;synproxychain
+ *inet;synproxyinet;synproxychain
+ 
+-synproxy;ok
+-synproxy mss 1460 wscale 7;ok
+-synproxy mss 1460 wscale 5 timestamp sack-perm;ok
+-synproxy timestamp sack-perm;ok
+-synproxy timestamp;ok
+-synproxy sack-perm;ok
++-synproxy;ok
++-synproxy mss 1460 wscale 7;ok
++-synproxy mss 1460 wscale 5 timestamp sack-perm;ok
++-synproxy timestamp sack-perm;ok
++-synproxy timestamp;ok
++-synproxy sack-perm;ok
+ 
+diff --git a/tests/py/ip/objects.t b/tests/py/ip/objects.t
+index 4fcde7c..06e94f1 100644
+--- a/tests/py/ip/objects.t
++++ b/tests/py/ip/objects.t
+@@ -33,26 +33,26 @@ ip saddr 192.168.1.3 limit name "lim1";ok
+ ip saddr 192.168.1.3 limit name "lim3";fail
+ limit name tcp dport map {443 : "lim1", 80 : "lim2", 22 : "lim1"};ok
+ 
+-# ct timeout
+-%cttime1 type ct timeout { protocol tcp; policy = { established:122 } ;};ok
+-%cttime2 type ct timeout { protocol udp; policy = { syn_sent:122 } ;};fail
+-%cttime3 type ct timeout { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;};ok
+-%cttime4 type ct timeout { protocol udp; policy = { replied:14, unreplied:19 } ;};ok
+-%cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail
+-
+-ct timeout set "cttime1";ok
+-
+-# ct expectation
+-%ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok
+-%ctexpect2 type ct expectation { protocol udp; };fail
+-%ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail
+-%ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail
+-%ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok
+-
+-ct expectation set "ctexpect1";ok
+-
+-# synproxy
+-%synproxy1 type synproxy mss 1460 wscale 7;ok
+-%synproxy2 type synproxy mss 1460 wscale 7 timestamp sack-perm;ok
+-
+-synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"};ok
++# # ct timeout
++# %cttime1 type ct timeout { protocol tcp; policy = { established:122 } ;};ok
++# %cttime2 type ct timeout { protocol udp; policy = { syn_sent:122 } ;};fail
++# %cttime3 type ct timeout { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;};ok
++# %cttime4 type ct timeout { protocol udp; policy = { replied:14, unreplied:19 } ;};ok
++# %cttime5 type ct timeout {protocol tcp; policy = { estalbished:100 } ;};fail
++# 
++# ct timeout set "cttime1";ok
++
++# # ct expectation
++# %ctexpect1 type ct expectation { protocol tcp; dport 1234; timeout 2m; size 12; };ok
++# %ctexpect2 type ct expectation { protocol udp; };fail
++# %ctexpect3 type ct expectation { protocol tcp; dport 4321; };fail
++# %ctexpect4 type ct expectation { protocol tcp; dport 4321; timeout 2m; };fail
++# %ctexpect5 type ct expectation { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; };ok
++# 
++# ct expectation set "ctexpect1";ok
++
++# # synproxy
++# %synproxy1 type synproxy mss 1460 wscale 7;ok
++# %synproxy2 type synproxy mss 1460 wscale 7 timestamp sack-perm;ok
++# 
++# synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"};ok
+diff --git a/tests/py/ip6/sets.t b/tests/py/ip6/sets.t
+index add82eb..cc43aca 100644
+--- a/tests/py/ip6/sets.t
++++ b/tests/py/ip6/sets.t
+@@ -40,4 +40,4 @@ ip6 saddr != @set33 drop;fail
+ !set5 type ipv6_addr . ipv6_addr;ok
+ ip6 saddr . ip6 daddr @set5 drop;ok
+ add @set5 { ip6 saddr . ip6 daddr };ok
+-delete @set5 { ip6 saddr . ip6 daddr };ok
++- delete @set5 { ip6 saddr . ip6 daddr };ok
+diff --git a/tests/shell/testcases/flowtable/0002create_flowtable_0 b/tests/shell/testcases/flowtable/0002create_flowtable_0
+index 4c85c3f..8b80e34 100755
+--- a/tests/shell/testcases/flowtable/0002create_flowtable_0
++++ b/tests/shell/testcases/flowtable/0002create_flowtable_0
+@@ -1,12 +1,12 @@
+ #!/bin/bash
+ 
+ set -e
+-$NFT add table t
+-$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
+-if $NFT create flowtable t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then
++$NFT add table inet t
++$NFT add flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; }
++if $NFT create flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; } 2>/dev/null ; then
+ 	echo "E: flowtable creation not failing on existing set" >&2
+ 	exit 1
+ fi
+-$NFT add flowtable t f { hook ingress priority 10 \; devices = { lo }\; }
++$NFT add flowtable inet t f { hook ingress priority 10 \; devices = { lo }\; }
+ 
+ exit 0
+diff --git a/tests/shell/testcases/flowtable/0003add_after_flush_0 b/tests/shell/testcases/flowtable/0003add_after_flush_0
+index 481c7ed..b4243bc 100755
+--- a/tests/shell/testcases/flowtable/0003add_after_flush_0
++++ b/tests/shell/testcases/flowtable/0003add_after_flush_0
+@@ -1,8 +1,8 @@
+ #!/bin/bash
+ 
+ set -e
+-$NFT add table x
+-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
++$NFT add table inet x
++$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
+ $NFT flush ruleset
+-$NFT add table x
+-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
++$NFT add table inet x
++$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
+diff --git a/tests/shell/testcases/flowtable/0004delete_after_add_0 b/tests/shell/testcases/flowtable/0004delete_after_add_0
+index 8d9a842..4618595 100755
+--- a/tests/shell/testcases/flowtable/0004delete_after_add_0
++++ b/tests/shell/testcases/flowtable/0004delete_after_add_0
+@@ -1,6 +1,6 @@
+ #!/bin/bash
+ 
+ set -e
+-$NFT add table x
+-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+-$NFT delete flowtable x y
++$NFT add table inet x
++$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
++$NFT delete flowtable inet x y
+diff --git a/tests/shell/testcases/flowtable/0005delete_in_use_1 b/tests/shell/testcases/flowtable/0005delete_in_use_1
+index ef52620..eda1fb9 100755
+--- a/tests/shell/testcases/flowtable/0005delete_in_use_1
++++ b/tests/shell/testcases/flowtable/0005delete_in_use_1
+@@ -1,11 +1,11 @@
+ #!/bin/bash
+ 
+ set -e
+-$NFT add table x
+-$NFT add chain x x
+-$NFT add flowtable x y { hook ingress priority 0\; devices = { lo }\;}
+-$NFT add rule x x flow add @y
++$NFT add table inet x
++$NFT add chain inet x x
++$NFT add flowtable inet x y { hook ingress priority 0\; devices = { lo }\;}
++$NFT add rule inet x x flow add @y
+ 
+-$NFT delete flowtable x y || exit 0
++$NFT delete flowtable inet x y || exit 0
+ echo "E: delete flowtable in use"
+ exit 1
+diff --git a/tests/shell/testcases/flowtable/0007prio_0 b/tests/shell/testcases/flowtable/0007prio_0
+index 49bbcac..0ea262f 100755
+--- a/tests/shell/testcases/flowtable/0007prio_0
++++ b/tests/shell/testcases/flowtable/0007prio_0
+@@ -15,10 +15,10 @@ format_offset () {
+ 	fi
+ }
+ 
+-$NFT add table t
++$NFT add table inet t
+ for offset in -11 -10 0 10 11
+ do
+-	$NFT add flowtable t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }"
+-	$NFT delete flowtable t f
++	$NFT add flowtable inet t f "{ hook ingress priority filter `format_offset $offset`; devices = { lo }; }"
++	$NFT delete flowtable inet t f
+ done
+ 
+diff --git a/tests/shell/testcases/flowtable/0008prio_1 b/tests/shell/testcases/flowtable/0008prio_1
+index 48953d7..0d8cdff 100755
+--- a/tests/shell/testcases/flowtable/0008prio_1
++++ b/tests/shell/testcases/flowtable/0008prio_1
+@@ -1,9 +1,9 @@
+ #!/bin/bash
+ 
+-$NFT add table t
++$NFT add table inet t
+ for prioname in raw mangle dstnar security srcnat out dummy
+ do
+-	$NFT add flowtable t f { hook ingress priority $prioname \; devices = { lo }\; }
++	$NFT add flowtable inet t f { hook ingress priority $prioname \; devices = { lo }\; }
+ 	if (($? == 0))
+ 	then
+ 		echo "E: $prioname should not be a valid priority name for flowtables" >&2
+diff --git a/tests/shell/testcases/flowtable/0009deleteafterflush_0 b/tests/shell/testcases/flowtable/0009deleteafterflush_0
+index 2cda563..061e22e 100755
+--- a/tests/shell/testcases/flowtable/0009deleteafterflush_0
++++ b/tests/shell/testcases/flowtable/0009deleteafterflush_0
+@@ -1,9 +1,9 @@
+ #!/bin/bash
+ 
+ set -e
+-$NFT add table x
+-$NFT add chain x y
+-$NFT add flowtable x f { hook ingress priority 0\; devices = { lo }\;}
+-$NFT add rule x y flow add @f
+-$NFT flush chain x y
+-$NFT delete flowtable x f
++$NFT add table inet x
++$NFT add chain inet x y
++$NFT add flowtable inet x f { hook ingress priority 0\; devices = { lo }\;}
++$NFT add rule inet x y flow add @f
++$NFT flush chain inet x y
++$NFT delete flowtable inet x f
+diff --git a/tests/shell/testcases/listing/0013objects_0 b/tests/shell/testcases/listing/0013objects_0
+index 4d39143..130d02c 100755
+--- a/tests/shell/testcases/listing/0013objects_0
++++ b/tests/shell/testcases/listing/0013objects_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+ 
++exit 0
++
+ # list table with all objects and chains
+ 
+ EXPECTED="table ip test {
+diff --git a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0 b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
+index 4f40779..e0f9e44 100755
+--- a/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
++++ b/tests/shell/testcases/nft-f/0017ct_timeout_obj_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+ 
++exit 0
++
+ EXPECTED='table ip filter {
+ 	ct timeout cttime{
+ 		protocol tcp
+diff --git a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0 b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
+index 4f9872f..f518cf7 100755
+--- a/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
++++ b/tests/shell/testcases/nft-f/0018ct_expectation_obj_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+ 
++exit 0
++
+ EXPECTED='table ip filter {
+ 	ct expectation ctexpect{
+ 		protocol tcp
+diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
+deleted file mode 100644
+index 7cff1ed..0000000
+--- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
++++ /dev/null
+@@ -1,11 +0,0 @@
+-table ip filter {
+-	ct timeout cttime {
+-		protocol tcp
+-		l3proto ip
+-		policy = { established : 123, close : 12 }
+-	}
+-
+-	chain c {
+-		ct timeout set "cttime"
+-	}
+-}
+diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
+new file mode 100644
+index 0000000..7cff1ed
+--- /dev/null
++++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
+@@ -0,0 +1,11 @@
++table ip filter {
++	ct timeout cttime {
++		protocol tcp
++		l3proto ip
++		policy = { established : 123, close : 12 }
++	}
++
++	chain c {
++		ct timeout set "cttime"
++	}
++}
+diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
+index 8b12b8c..e11b4e7 100755
+--- a/tests/shell/testcases/optionals/update_object_handles_0
++++ b/tests/shell/testcases/optionals/update_object_handles_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+ 
++exit 0
++
+ set -e
+ $NFT add table test-ip
+ $NFT add counter test-ip traffic-counter
+diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0
+index 51ed0f2..043bb8f 100755
+--- a/tests/shell/testcases/sets/0036add_set_element_expiration_0
++++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+ 
++exit 0
++
+ set -e
+ 
+ RULESET="add table ip x
+diff --git a/tests/shell/testcases/transactions/0046set_0 b/tests/shell/testcases/transactions/0046set_0
+index 172e24d..1b24964 100755
+--- a/tests/shell/testcases/transactions/0046set_0
++++ b/tests/shell/testcases/transactions/0046set_0
+@@ -1,5 +1,7 @@
+ #!/bin/bash
+ 
++exit 0
++
+ RULESET='add table ip filter
+ add chain ip filter group_7933
+ add map ip filter group_7933 { type ipv4_addr : classid; flags interval; }
+-- 
+1.8.3.1
+

SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch

@@ -0,0 +1,41 @@
+From 1490609a3d82e494168a390b34094bacc5e83c02 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 18 May 2021 18:06:50 +0200
+Subject: [PATCH] monitor: Fix for use after free when printing map elements
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
+Upstream Status: nftables commit 02174ffad484d
+
+commit 02174ffad484d9711678e5d415c32307efc39857
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Jan 9 17:43:11 2020 +0100
+
+    monitor: Fix for use after free when printing map elements
+
+    When populating the dummy set, 'data' field must be cloned just like
+    'key' field.
+
+    Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/monitor.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/monitor.c b/src/monitor.c
+index 7927b6f..142cc92 100644
+--- a/src/monitor.c
++++ b/src/monitor.c
+@@ -401,7 +401,8 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
+ 	 */
+ 	dummyset = set_alloc(monh->loc);
+ 	dummyset->key = expr_clone(set->key);
+-	dummyset->data = set->data;
++	if (set->data)
++		dummyset->data = expr_clone(set->data);
+ 	dummyset->flags = set->flags;
+ 	dummyset->init = set_expr_alloc(monh->loc, set);
+ 
+-- 
+1.8.3.1
+

SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch

@@ -0,0 +1,44 @@
+From 4ee4ed8d54a8b9f0f0a2b195b3b95b892e4e79a3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 18 May 2021 18:06:50 +0200
+Subject: [PATCH] tests: monitor: use correct $nft value in EXIT trap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919203
+Upstream Status: nftables commit 990cbbf75c40b
+
+commit 990cbbf75c40b92e6d6dc66721dfbedf33cacf8f
+Author: Štěpán Němec <snemec@redhat.com>
+Date:   Wed Jan 27 15:02:03 2021 +0100
+
+    tests: monitor: use correct $nft value in EXIT trap
+
+    With double quotes, $nft was being expanded to the default value even
+    in presence of the -H option.
+
+    Signed-off-by: Štěpán Němec <snemec@redhat.com>
+    Helped-by: Tomáš Doležal <todoleza@redhat.com>
+    Acked-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ tests/monitor/run-tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
+index ffb833a..c1cacb4 100755
+--- a/tests/monitor/run-tests.sh
++++ b/tests/monitor/run-tests.sh
+@@ -19,7 +19,7 @@ if [ ! -d $testdir ]; then
+ 	echo "Failed to create test directory" >&2
+ 	exit 1
+ fi
+-trap "rm -rf $testdir; $nft flush ruleset" EXIT
++trap 'rm -rf $testdir; $nft flush ruleset' EXIT
+ 
+ command_file=$(mktemp -p $testdir)
+ output_file=$(mktemp -p $testdir)
+-- 
+1.8.3.1
+

SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch

@@ -0,0 +1,57 @@
+From 805fe6f5c9c8f2af78d8e94bd6b5c33724df3c80 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 18 May 2021 18:16:21 +0200
+Subject: [PATCH] evaluate: Reject quoted strings containing only wildcard
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1818117
+Upstream Status: nftables commit 032c9f745c6da
+
+commit 032c9f745c6daab8c27176a95963b1c32b0a5d12
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Sep 24 17:38:45 2020 +0200
+
+    evaluate: Reject quoted strings containing only wildcard
+
+    Fix for an assertion fail when trying to match against an all-wildcard
+    interface name:
+
+    | % nft add rule t c iifname '"*"'
+    | nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed.
+    | zsh: abort      nft add rule t c iifname '"*"'
+
+    Fix this by detecting the string in expr_evaluate_string() and returning
+    an error message:
+
+    | % nft add rule t c iifname '"*"'
+    | Error: All-wildcard strings are not supported
+    | add rule t c iifname "*"
+    |                      ^^^
+
+    While being at it, drop the 'datalen >= 1' clause from the following
+    conditional as together with the added check for 'datalen == 0', all
+    possible other values have been caught already.
+---
+ src/evaluate.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index a966ed4..0181750 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -321,8 +321,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
+ 		return 0;
+ 	}
+ 
+-	if (datalen >= 1 &&
+-	    data[datalen - 1] == '\\') {
++	if (datalen == 0)
++		return expr_error(ctx->msgs, expr,
++				  "All-wildcard strings are not supported");
++
++	if (data[datalen - 1] == '\\') {
+ 		char unescaped_str[data_len];
+ 
+ 		memset(unescaped_str, 0, sizeof(unescaped_str));
+-- 
+1.8.3.1
+

SOURCES/0046-src-Support-odd-sized-payload-matches.patch

@@ -0,0 +1,64 @@
+From 64f34f34acedad6cce70f2dd91c82a814d4ffe34 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 19 May 2021 18:03:43 +0200
+Subject: [PATCH] src: Support odd-sized payload matches
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1934926
+Upstream Status: nftables commit 8a927c56d83ed
+
+commit 8a927c56d83ed0f78785011bd92a53edc25a0ca0
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Oct 27 17:05:25 2020 +0100
+
+    src: Support odd-sized payload matches
+
+    When expanding a payload match, don't disregard oversized templates at
+    the right offset. A more flexible user may extract less bytes from the
+    packet if only parts of a field are interesting, e.g. only the prefix of
+    source/destination address. Support that by using the template, but fix
+    the length. Later when creating a relational expression for it, detect
+    the unusually small payload expression length and turn the RHS value
+    into a prefix expression.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ src/netlink_delinearize.c | 6 ++++++
+ src/payload.c             | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 88dbd5a..8bdee12 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -1577,6 +1577,12 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
+ 		tmp = constant_expr_splice(right, left->len);
+ 		expr_set_type(tmp, left->dtype, left->byteorder);
+ 
++		if (left->payload.tmpl && (left->len < left->payload.tmpl->len)) {
++			mpz_lshift_ui(tmp->value, left->payload.tmpl->len - left->len);
++			tmp->len = left->payload.tmpl->len;
++			tmp = prefix_expr_alloc(&tmp->location, tmp, left->len);
++		}
++
+ 		nexpr = relational_expr_alloc(&expr->location, expr->op,
+ 					      left, tmp);
+ 		if (expr->op == OP_EQ)
+diff --git a/src/payload.c b/src/payload.c
+index 3576400..45280ef 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -746,6 +746,11 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
+ 			expr->payload.offset += tmpl->len;
+ 			if (expr->len == 0)
+ 				return;
++		} else if (expr->len > 0) {
++			new = payload_expr_alloc(&expr->location, desc, i);
++			new->len = expr->len;
++			list_add_tail(&new->list, list);
++			return;
+ 		} else
+ 			break;
+ 	}
+-- 
+1.8.3.1
+

SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch

@@ -0,0 +1,241 @@
+From 6fb6d8f15a82b3348184f6950a436becb06931cb Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 19 May 2021 18:03:43 +0200
+Subject: [PATCH] src: Optimize prefix matches on byte-boundaries
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1934926
+Upstream Status: nftables commit 25338cdb6c77a
+Conflicts: There is a hidden dependency on commit ee4391d0ac1e7 ("nat:
+	   transform range to prefix expression when possible").
+	   Backport only the single chunk required to keep prefix
+	   parsing intact to avoid having to backport 9599d9d25a6b3
+	   ("src: NAT support for intervals in maps") as a dependency
+	   which is clearly oversized for the sake of this purpose.
+
+commit 25338cdb6c77aa2f0977afbbb612571c9d325213
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Oct 27 17:33:15 2020 +0100
+
+    src: Optimize prefix matches on byte-boundaries
+
+    If a prefix expression's length is on a byte-boundary, it is sufficient
+    to just reduce the length passed to "cmp" expression. No need for
+    explicit bitwise modification of data on LHS. The relevant code is
+    already there, used for string prefix matches. There is one exception
+    though, namely zero-length prefixes: Kernel doesn't accept zero-length
+    "cmp" expressions, so keep them in the old code-path for now.
+
+    This patch depends upon the previous one to correctly parse odd-sized
+    payload matches but has to extend support for non-payload LHS as well.
+    In practice, this is needed for "ct" expressions as they allow matching
+    against IP address prefixes, too.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ src/netlink_delinearize.c       | 8 ++++++--
+ src/netlink_linearize.c         | 4 +++-
+ tests/py/ip/ct.t.payload        | 4 ----
+ tests/py/ip/ip.t.payload        | 6 ++----
+ tests/py/ip/ip.t.payload.bridge | 6 ++----
+ tests/py/ip/ip.t.payload.inet   | 6 ++----
+ tests/py/ip/ip.t.payload.netdev | 6 ++----
+ tests/py/ip6/ip6.t.payload.inet | 5 ++---
+ tests/py/ip6/ip6.t.payload.ip6  | 5 ++---
+ 9 files changed, 21 insertions(+), 29 deletions(-)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 8bdee12..157a473 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -291,8 +291,9 @@ static void netlink_parse_cmp(struct netlink_parse_ctx *ctx,
+ 
+ 	if (left->len > right->len &&
+ 	    expr_basetype(left) != &string_type) {
+-		netlink_error(ctx, loc, "Relational expression size mismatch");
+-		goto err_free;
++		mpz_lshift_ui(right->value, left->len - right->len);
++		right = prefix_expr_alloc(loc, right, right->len);
++		right->prefix->len = left->len;
+ 	} else if (left->len > 0 && left->len < right->len) {
+ 		expr_free(left);
+ 		left = netlink_parse_concat_expr(ctx, loc, sreg, right->len);
+@@ -2164,6 +2165,9 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
+ 		expr_postprocess(ctx, &expr->left);
+ 		expr_postprocess(ctx, &expr->right);
+ 		break;
++	case EXPR_PREFIX:
++		expr_postprocess(ctx, &expr->prefix);
++		break;
+ 	case EXPR_SET_ELEM:
+ 		expr_postprocess(ctx, &expr->key);
+ 		break;
+diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
+index 606d97a..25be634 100644
+--- a/src/netlink_linearize.c
++++ b/src/netlink_linearize.c
+@@ -501,7 +501,9 @@ static void netlink_gen_relational(struct netlink_linearize_ctx *ctx,
+ 		return netlink_gen_flagcmp(ctx, expr, dreg);
+ 	case EXPR_PREFIX:
+ 		sreg = get_register(ctx, expr->left);
+-		if (expr_basetype(expr->left)->type != TYPE_STRING) {
++		if (expr_basetype(expr->left)->type != TYPE_STRING &&
++		    (!expr->right->prefix_len ||
++		     expr->right->prefix_len % BITS_PER_BYTE)) {
+ 			len = div_round_up(expr->right->len, BITS_PER_BYTE);
+ 			netlink_gen_expr(ctx, expr->left, sreg);
+ 			right = netlink_gen_prefix(ctx, expr, sreg);
+diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
+index d5faed4..a7e08f9 100644
+--- a/tests/py/ip/ct.t.payload
++++ b/tests/py/ip/ct.t.payload
+@@ -21,25 +21,21 @@ ip test-ip4 output
+ # ct original ip saddr 192.168.1.0/24
+ ip test-ip4 output
+   [ ct load src_ip => reg 1 , dir original ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+   [ cmp eq reg 1 0x0001a8c0 ]
+ 
+ # ct reply ip saddr 192.168.1.0/24
+ ip test-ip4 output
+   [ ct load src_ip => reg 1 , dir reply ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+   [ cmp eq reg 1 0x0001a8c0 ]
+ 
+ # ct original ip daddr 192.168.1.0/24
+ ip test-ip4 output
+   [ ct load dst_ip => reg 1 , dir original ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+   [ cmp eq reg 1 0x0001a8c0 ]
+ 
+ # ct reply ip daddr 192.168.1.0/24
+ ip test-ip4 output
+   [ ct load dst_ip => reg 1 , dir reply ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
+   [ cmp eq reg 1 0x0001a8c0 ]
+ 
+ # ct l3proto ipv4
+diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload
+index d627b22..825c0f0 100644
+--- a/tests/py/ip/ip.t.payload
++++ b/tests/py/ip/ip.t.payload
+@@ -358,14 +358,12 @@ ip test-ip4 input
+ 
+ # ip saddr 192.168.2.0/24
+ ip test-ip4 input
+-  [ payload load 4b @ network header + 12 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
++  [ payload load 3b @ network header + 12 => reg 1 ]
+   [ cmp eq reg 1 0x0002a8c0 ]
+ 
+ # ip saddr != 192.168.2.0/24
+ ip test-ip4 input
+-  [ payload load 4b @ network header + 12 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
++  [ payload load 3b @ network header + 12 => reg 1 ]
+   [ cmp neq reg 1 0x0002a8c0 ]
+ 
+ # ip saddr 192.168.3.1 ip daddr 192.168.3.100
+diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge
+index 91a4fde..e958a5b 100644
+--- a/tests/py/ip/ip.t.payload.bridge
++++ b/tests/py/ip/ip.t.payload.bridge
+@@ -466,16 +466,14 @@ bridge test-bridge input
+ bridge test-bridge input 
+   [ meta load protocol => reg 1 ]
+   [ cmp eq reg 1 0x00000008 ]
+-  [ payload load 4b @ network header + 12 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
++  [ payload load 3b @ network header + 12 => reg 1 ]
+   [ cmp eq reg 1 0x0002a8c0 ]
+ 
+ # ip saddr != 192.168.2.0/24
+ bridge test-bridge input 
+   [ meta load protocol => reg 1 ]
+   [ cmp eq reg 1 0x00000008 ]
+-  [ payload load 4b @ network header + 12 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
++  [ payload load 3b @ network header + 12 => reg 1 ]
+   [ cmp neq reg 1 0x0002a8c0 ]
+ 
+ # ip saddr 192.168.3.1 ip daddr 192.168.3.100
+diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet
+index b9cb28a..6501473 100644
+--- a/tests/py/ip/ip.t.payload.inet
++++ b/tests/py/ip/ip.t.payload.inet
+@@ -466,16 +466,14 @@ inet test-inet input
+ inet test-inet input
+   [ meta load nfproto => reg 1 ]
+   [ cmp eq reg 1 0x00000002 ]
+-  [ payload load 4b @ network header + 12 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
++  [ payload load 3b @ network header + 12 => reg 1 ]
+   [ cmp eq reg 1 0x0002a8c0 ]
+ 
+ # ip saddr != 192.168.2.0/24
+ inet test-inet input
+   [ meta load nfproto => reg 1 ]
+   [ cmp eq reg 1 0x00000002 ]
+-  [ payload load 4b @ network header + 12 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
++  [ payload load 3b @ network header + 12 => reg 1 ]
+   [ cmp neq reg 1 0x0002a8c0 ]
+ 
+ # ip saddr 192.168.3.1 ip daddr 192.168.3.100
+diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev
+index 588e5ca..58ae358 100644
+--- a/tests/py/ip/ip.t.payload.netdev
++++ b/tests/py/ip/ip.t.payload.netdev
+@@ -379,16 +379,14 @@ netdev test-netdev ingress
+ netdev test-netdev ingress 
+   [ meta load protocol => reg 1 ]
+   [ cmp eq reg 1 0x00000008 ]
+-  [ payload load 4b @ network header + 12 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
++  [ payload load 3b @ network header + 12 => reg 1 ]
+   [ cmp eq reg 1 0x0002a8c0 ]
+ 
+ # ip saddr != 192.168.2.0/24
+ netdev test-netdev ingress 
+   [ meta load protocol => reg 1 ]
+   [ cmp eq reg 1 0x00000008 ]
+-  [ payload load 4b @ network header + 12 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
++  [ payload load 3b @ network header + 12 => reg 1 ]
+   [ cmp neq reg 1 0x0002a8c0 ]
+ 
+ # ip saddr 192.168.3.1 ip daddr 192.168.3.100
+diff --git a/tests/py/ip6/ip6.t.payload.inet b/tests/py/ip6/ip6.t.payload.inet
+index d015c8e..ffc9b9f 100644
+--- a/tests/py/ip6/ip6.t.payload.inet
++++ b/tests/py/ip6/ip6.t.payload.inet
+@@ -604,9 +604,8 @@ inet test-inet input
+ inet test-inet input
+   [ meta load nfproto => reg 1 ]
+   [ cmp eq reg 1 0x0000000a ]
+-  [ payload load 16b @ network header + 8 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
+-  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
++  [ payload load 8b @ network header + 8 => reg 1 ]
++  [ cmp eq reg 1 0x00000000 0x00000000 ]
+ 
+ # ip6 saddr ::1 ip6 daddr ::2
+ inet test-inet input
+diff --git a/tests/py/ip6/ip6.t.payload.ip6 b/tests/py/ip6/ip6.t.payload.ip6
+index b2e8363..18b8bcb 100644
+--- a/tests/py/ip6/ip6.t.payload.ip6
++++ b/tests/py/ip6/ip6.t.payload.ip6
+@@ -452,9 +452,8 @@ ip6 test-ip6 input
+ 
+ # ip6 saddr ::/64
+ ip6 test-ip6 input
+-  [ payload load 16b @ network header + 8 => reg 1 ]
+-  [ bitwise reg 1 = (reg=1 & 0xffffffff 0xffffffff 0x00000000 0x00000000 ) ^ 0x00000000 0x00000000 0x00000000 0x00000000 ]
+-  [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
++  [ payload load 8b @ network header + 8 => reg 1 ]
++  [ cmp eq reg 1 0x00000000 0x00000000 ]
+ 
+ # ip6 saddr ::1 ip6 daddr ::2
+ ip6 test-ip6 input
+-- 
+1.8.3.1
+

SPECS/nftables.spec

@@ -1,9 +1,9 @@
 %define rpmversion 0.9.3
-%define specrelease 18%{?dist}
+%define specrelease 20
 
 Name:           nftables
 Version:        %{rpmversion}
-Release:        %{specrelease}%{?buildid}
+Release:        %{specrelease}%{?dist}%{?buildid}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch:          1
 Summary:        Netfilter Tables userspace utillites
@@ -58,6 +58,12 @@ Patch38:            0038-json-echo-Speedup-seqnum_to_json.patch
 Patch39:            0039-json-Fix-seqnum_to_json-functionality.patch
 Patch40:            0040-json-don-t-leave-dangling-pointers-on-hlist.patch
 Patch41:            0041-json-init-parser-state-for-every-new-buffer-file.patch
+Patch42:            0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch
+Patch43:            0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch
+Patch44:            0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch
+Patch45:            0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch
+Patch46:            0046-src-Support-odd-sized-payload-matches.patch
+Patch47:            0047-src-Optimize-prefix-matches-on-byte-boundaries.patch
 
 BuildRequires: autogen
 BuildRequires: autoconf
@@ -174,6 +180,18 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 
 %changelog
+* Thu May 20 2021 Phil Sutter <psutter@redhat.com> [0.9.3-20.el8]
+- src: Optimize prefix matches on byte-boundaries (Phil Sutter) [1934926]
+- src: Support odd-sized payload matches (Phil Sutter) [1934926]
+- spec: Add an rpminspect.yaml file to steer rpminspect (Phil Sutter) [1962184]
+- spec: Explicitly state dist string in Release tag (Phil Sutter) [1962184]
+
+* Wed May 19 2021 Phil Sutter <psutter@redhat.com> [0.9.3-19.el8]
+- evaluate: Reject quoted strings containing only wildcard (Phil Sutter) [1818117]
+- tests: monitor: use correct $nft value in EXIT trap (Phil Sutter) [1919203]
+- monitor: Fix for use after free when printing map elements (Phil Sutter) [1919203]
+- tests: Disable tests known to fail on RHEL8 (Phil Sutter) [1919203]
+
 * Sat Feb 20 2021 Phil Sutter <psutter@redhat.com> [0.9.3-18.el8]
 - json: init parser state for every new buffer/file (Phil Sutter) [1930873]