From 2c163010b063916595be8a2f2ca822bcfe1e9c43 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 10 Sep 2025 22:44:43 +0200
Subject: [PATCH] nftables-1.1.1-6.el10
* Wed Sep 10 2025 Phil Sutter [1.1.1-6.el10]
- Makefile: Fix for 'make CFLAGS=...' (Phil Sutter) [RHEL-108851]
- table: Embed creating nft version into userdata (Phil Sutter) [RHEL-108851]
- doc: nft.8: Minor NAT STATEMENTS section review (Phil Sutter) [RHEL-106743]
- trace: Fix for memleak in trace_alloc_list() error path (Phil Sutter) [RHEL-111205]
Resolves: RHEL-106743, RHEL-108851, RHEL-111205
---
 ...mleak-in-trace_alloc_list-error-path.patch | 38 +++
 ...-Minor-NAT-STATEMENTS-section-review.patch | 78 ++++++
 ...d-creating-nft-version-into-userdata.patch | 232 ++++++++++++++++++
 0020-Makefile-Fix-for-make-CFLAGS.patch | 52 ++++
 nftables.spec | 12 +-
 5 files changed, 411 insertions(+), 1 deletion(-)
 create mode 100644 0017-trace-Fix-for-memleak-in-trace_alloc_list-error-path.patch
 create mode 100644 0018-doc-nft.8-Minor-NAT-STATEMENTS-section-review.patch
 create mode 100644 0019-table-Embed-creating-nft-version-into-userdata.patch
 create mode 100644 0020-Makefile-Fix-for-make-CFLAGS.patch
diff --git a/0017-trace-Fix-for-memleak-in-trace_alloc_list-error-path.patch b/0017-trace-Fix-for-memleak-in-trace_alloc_list-error-path.patch
new file mode 100644
index 0000000..82e6231
--- /dev/null
+++ b/0017-trace-Fix-for-memleak-in-trace_alloc_list-error-path.patch
@@ -0,0 +1,38 @@
+From 5ed024ecfaf596ec0298f8ad75c5695f9889464c Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 9 Sep 2025 16:27:52 +0200
+Subject: [PATCH] trace: Fix for memleak in trace_alloc_list() error path
+
+JIRA: https://issues.redhat.com/browse/RHEL-111205
+Upstream Status: nftables commit fdbb0ec57b5c891c1de17f367b693ab787ea9c2d
+
+commit fdbb0ec57b5c891c1de17f367b693ab787ea9c2d
+Author: Phil Sutter
+Date: Tue Aug 26 12:57:37 2025 +0200
+
+ trace: Fix for memleak in trace_alloc_list() error path
+
+ The allocated 'list_expr' may leak.
+
+ Fixes: cfd768615235b ("src: add conntrack information to trace monitor mode")
+ Signed-off-by: Phil Sutter
+ Reviewed-by: Pablo Neira Ayuso
+ Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ src/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/trace.c b/src/trace.c
+index b270951..47f4c21 100644
+--- a/src/trace.c
++++ b/src/trace.c
+@@ -258,6 +258,7 @@ static struct expr *trace_alloc_list(const struct datatype *dtype,
+ v = mpz_get_uint32(value);
+ if (v == 0) {
+ mpz_clear(value);
++ expr_free(list_expr);
+ return NULL;
+ }
+
diff --git a/0018-doc-nft.8-Minor-NAT-STATEMENTS-section-review.patch b/0018-doc-nft.8-Minor-NAT-STATEMENTS-section-review.patch
new file mode 100644
index 0000000..91eb680
--- /dev/null
+++ b/0018-doc-nft.8-Minor-NAT-STATEMENTS-section-review.patch
@@ -0,0 +1,78 @@
+From 3bb2e6c3d03fa60724ab72b96d1e97fa02d7eed9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 9 Sep 2025 16:53:21 +0200
+Subject: [PATCH] doc: nft.8: Minor NAT STATEMENTS section review
+
+JIRA: https://issues.redhat.com/browse/RHEL-106743
+Upstream Status: nftables commit 9e1cbf667da2b9c30b41ff887de212b2c38b2eb7
+
+commit 9e1cbf667da2b9c30b41ff887de212b2c38b2eb7
+Author: Phil Sutter
+Date: Thu Jul 31 12:40:11 2025 +0200
+
+ doc: nft.8: Minor NAT STATEMENTS section review
+
+ Synopsis insinuates an IP address argument is mandatory in snat/dnat
+ statements although specifying ports alone is perfectly fine. Adjust it
+ accordingly and add a paragraph briefly describing the behaviour.
+
+ While at it, update the redirect statement description with more
+ relevant examples, the current one is wrong: To *only* alter the
+ destination port, dnat statement must be used, not redirect.
+
+ Fixes: 6908a677ba04c ("nft.8: Enhance NAT documentation")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ doc/statements.txt | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/doc/statements.txt b/doc/statements.txt
+index 74af1d1..7fe9ed3 100644
+--- a/doc/statements.txt
++++ b/doc/statements.txt
+@@ -399,11 +399,12 @@ NAT STATEMENTS
+ ~~~~~~~~~~~~~~
+ [verse]
+ ____
+-*snat* [[*ip* | *ip6*] [ *prefix* ] *to*] 'ADDR_SPEC' [*:*'PORT_SPEC'] ['FLAGS']
+-*dnat* [[*ip* | *ip6*] [ *prefix* ] *to*] 'ADDR_SPEC' [*:*'PORT_SPEC'] ['FLAGS']
++*snat* [[*ip* | *ip6*] [ *prefix* ] *to*] 'TARGET_SPEC' ['FLAGS']
++*dnat* [[*ip* | *ip6*] [ *prefix* ] *to*] 'TARGET_SPEC' ['FLAGS']
+ *masquerade* [*to :*'PORT_SPEC'] ['FLAGS']
+ *redirect* [*to :*'PORT_SPEC'] ['FLAGS']
+
++'TARGET_SPEC' := 'ADDR_SPEC' | ['ADDR_SPEC'] *:*'PORT_SPEC'
+ 'ADDR_SPEC' := 'address' | 'address' *-* 'address'
+ 'PORT_SPEC' := 'port' | 'port' *-* 'port'
+
+@@ -413,11 +414,11 @@ ____
+
+ The nat statements are only valid from nat chain types.
+ +
+-The *snat* and *masquerade* statements specify that the source address of the
++The *snat* and *masquerade* statements specify that the source address/port of the
+ packet should be modified. While *snat* is only valid in the postrouting and
+ input chains, *masquerade* makes sense only in postrouting. The dnat and
+ redirect statements are only valid in the prerouting and output chains, they
+-specify that the destination address of the packet should be modified. You can
++specify that the destination address/port of the packet should be modified. You can
+ use non-base chains which are called from base chains of nat chain type too.
+ All future packets in this connection will also be mangled, and rules should
+ cease being examined.
+@@ -427,8 +428,12 @@ outgoing interface's IP address to translate to. It is particularly useful on
+ gateways with dynamic (public) IP addresses.
+
+ The *redirect* statement is a special form of dnat which always translates the
+-destination address to the local host's one. It comes in handy if one only wants
+-to alter the destination port of incoming traffic on different interfaces.
++destination address to the local host's one. It comes in handy to intercept
++traffic passing a router and feeding it to a locally running daemon, e.g. when
++building a transparent proxy or application-layer gateway.
++
++For 'TARGET_SPEC', one may specify addresses, ports, or both. If no address or
++no port is specified, the respective packet header field remains unchanged.
+
+ When used in the inet family (available with kernel 5.2), the dnat and snat
+ statements require the use of the ip and ip6 keyword in case an address is
diff --git a/0019-table-Embed-creating-nft-version-into-userdata.patch b/0019-table-Embed-creating-nft-version-into-userdata.patch
new file mode 100644
index 0000000..8c65510
--- /dev/null
+++ b/0019-table-Embed-creating-nft-version-into-userdata.patch
@@ -0,0 +1,232 @@
+From 50afb84d7064806ad7acc8364455062fc0751528 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 9 Sep 2025 16:49:27 +0200
+Subject: [PATCH] table: Embed creating nft version into userdata
+
+JIRA: https://issues.redhat.com/browse/RHEL-108851
+Upstream Status: nftables commit 64c07e38f0494093a399a68a31056f5866c4d705
+Conflicts: Context change due to missing --with-unitdir option.
+
+commit 64c07e38f0494093a399a68a31056f5866c4d705
+Author: Phil Sutter
+Date: Mon May 12 22:59:26 2025 +0200
+
+ table: Embed creating nft version into userdata
+
+ Upon listing a table which was created by a newer version of nftables,
+ warn about the potentially incomplete content.
+
+ Suggested-by: Florian Westphal
+ Cc: Dan Winship
+ Signed-off-by: Phil Sutter
+ Acked-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ Makefile.am | 3 +++
+ configure.ac | 24 ++++++++++++++++++++++++
+ include/rule.h | 1 +
+ src/mnl.c | 21 +++++++++++++++------
+ src/netlink.c | 33 +++++++++++++++++++++++++++++++++
+ src/rule.c | 4 ++++
+ 6 files changed, 80 insertions(+), 6 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index ba09e7f..c2a6908 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -33,6 +33,7 @@ sbin_PROGRAMS =
+ check_PROGRAMS =
+ dist_man_MANS =
+ CLEANFILES =
++DISTCLEANFILES =
+
+ ###############################################################################
+
+@@ -105,6 +106,8 @@ noinst_HEADERS = \
+ \
+ $(NULL)
+
++DISTCLEANFILES += nftversion.h
++
+ ###############################################################################
+
+ AM_CPPFLAGS = \
+diff --git a/configure.ac b/configure.ac
+index 816e920..bac8319 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -114,6 +114,30 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [],
+ #include
+ ]])
+
++AC_ARG_WITH([stable-release], [AS_HELP_STRING([--with-stable-release],
++ [Stable release number])],
++ [], [with_stable_release=0])
++AC_CONFIG_COMMANDS([stable_release],
++ [STABLE_RELEASE=$stable_release],
++ [stable_release=$with_stable_release])
++AC_CONFIG_COMMANDS([nftversion.h], [
++(
++ echo "static char nftversion[[]] = {"
++ echo " ${VERSION}," | tr '.' ','
++ echo " ${STABLE_RELEASE}"
++ echo "};"
++ echo "static char nftbuildstamp[[]] = {"
++ for ((i = 56; i >= 0; i-= 8)); do
++ echo " ((uint64_t)MAKE_STAMP >> $i) & 0xff,"
++ done
++ echo "};"
++) >nftversion.h
++])
++# Current date should be fetched exactly once per build,
++# so have 'make' call date and pass the value to every 'gcc' call
++AC_SUBST([MAKE_STAMP], ["\$(shell date +%s)"])
++CFLAGS="${CFLAGS} -DMAKE_STAMP=\${MAKE_STAMP}"
++
+ AC_CONFIG_FILES([ \
+ Makefile \
+ libnftables.pc \
+diff --git a/include/rule.h b/include/rule.h
+index 238be23..1b52972 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -170,6 +170,7 @@ struct table {
+ uint32_t owner;
+ const char *comment;
+ bool has_xt_stmts;
++ bool is_from_future;
+ };
+
+ extern struct table *table_alloc(void);
+diff --git a/src/mnl.c b/src/mnl.c
+index 12a6345..e748ab6 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -10,6 +10,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -1054,24 +1055,32 @@ int mnl_nft_table_add(struct netlink_ctx *ctx, struct cmd *cmd,
+ if (nlt == NULL)
+ memory_allocation_error();
+
++ udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
++ if (!udbuf)
++ memory_allocation_error();
++
+ nftnl_table_set_u32(nlt, NFTNL_TABLE_FAMILY, cmd->handle.family);
+ if (cmd->table) {
+ nftnl_table_set_u32(nlt, NFTNL_TABLE_FLAGS, cmd->table->flags);
+
+ if (cmd->table->comment) {
+- udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
+- if (!udbuf)
+- memory_allocation_error();
+ if (!nftnl_udata_put_strz(udbuf, NFTNL_UDATA_TABLE_COMMENT, cmd->table->comment))
+ memory_allocation_error();
+- nftnl_table_set_data(nlt, NFTNL_TABLE_USERDATA, nftnl_udata_buf_data(udbuf),
+- nftnl_udata_buf_len(udbuf));
+- nftnl_udata_buf_free(udbuf);
+ }
+ } else {
+ nftnl_table_set_u32(nlt, NFTNL_TABLE_FLAGS, 0);
+ }
+
++ if (!nftnl_udata_put(udbuf, NFTNL_UDATA_TABLE_NFTVER,
++ sizeof(nftversion), nftversion) ||
++ !nftnl_udata_put(udbuf, NFTNL_UDATA_TABLE_NFTBLD,
++ sizeof(nftbuildstamp), nftbuildstamp))
++ memory_allocation_error();
++ nftnl_table_set_data(nlt, NFTNL_TABLE_USERDATA,
++ nftnl_udata_buf_data(udbuf),
++ nftnl_udata_buf_len(udbuf));
++ nftnl_udata_buf_free(udbuf);
++
+ nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
+ NFT_MSG_NEWTABLE,
+ cmd->handle.family,
+diff --git a/src/netlink.c b/src/netlink.c
+index 2ced863..7f9730d 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -10,6 +10,7 @@
+ */
+
+ #include
++#include
+
+ #include
+ #include
+@@ -728,6 +729,14 @@ static int table_parse_udata_cb(const struct nftnl_udata *attr, void *data)
+ if (value[len - 1] != '\0')
+ return -1;
+ break;
++ case NFTNL_UDATA_TABLE_NFTVER:
++ if (len != sizeof(nftversion))
++ return -1;
++ break;
++ case NFTNL_UDATA_TABLE_NFTBLD:
++ if (len != sizeof(nftbuildstamp))
++ return -1;
++ break;
+ default:
+ return 0;
+ }
+@@ -735,6 +744,29 @@ static int table_parse_udata_cb(const struct nftnl_udata *attr, void *data)
+ return 0;
+ }
+
++static int version_cmp(const struct nftnl_udata **ud)
++{
++ const char *udbuf;
++ size_t i;
++
++ /* netlink attribute lengths checked by table_parse_udata_cb() */
++ if (ud[NFTNL_UDATA_TABLE_NFTVER]) {
++ udbuf = nftnl_udata_get(ud[NFTNL_UDATA_TABLE_NFTVER]);
++ for (i = 0; i < sizeof(nftversion); i++) {
++ if (nftversion[i] != udbuf[i])
++ return nftversion[i] - udbuf[i];
++ }
++ }
++ if (ud[NFTNL_UDATA_TABLE_NFTBLD]) {
++ udbuf = nftnl_udata_get(ud[NFTNL_UDATA_TABLE_NFTBLD]);
++ for (i = 0; i < sizeof(nftbuildstamp); i++) {
++ if (nftbuildstamp[i] != udbuf[i])
++ return nftbuildstamp[i] - udbuf[i];
++ }
++ }
++ return 0;
++}
++
+ struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
+ const struct nftnl_table *nlt)
+ {
+@@ -759,6 +791,7 @@ struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
+ }
+ if (ud[NFTNL_UDATA_TABLE_COMMENT])
+ table->comment = xstrdup(nftnl_udata_get(ud[NFTNL_UDATA_TABLE_COMMENT]));
++ table->is_from_future = version_cmp(ud) < 0;
+ }
+
+ return table;
+diff --git a/src/rule.c b/src/rule.c
+index 151ed53..e4d6f53 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1274,6 +1274,10 @@ static void table_print(const struct table *table, struct output_ctx *octx)
+ fprintf(octx->error_fp,
+ "# Warning: table %s %s is managed by iptables-nft, do not touch!\n",
+ family, table->handle.table.name);
++ if (table->is_from_future)
++ fprintf(octx->error_fp,
++ "# Warning: table %s %s was created by a newer version of nftables? Content may be incomplete!\n",
++ family, table->handle.table.name);
+
+ nft_print(octx, "table %s %s {", family, table->handle.table.name);
+ if (nft_output_handle(octx) || table->flags & TABLE_F_OWNER)
diff --git a/0020-Makefile-Fix-for-make-CFLAGS.patch b/0020-Makefile-Fix-for-make-CFLAGS.patch
new file mode 100644
index 0000000..8f74b90
--- /dev/null
+++ b/0020-Makefile-Fix-for-make-CFLAGS.patch
@@ -0,0 +1,52 @@
+From 575c0a20b143f5487a184c2c5c866dd8b14a69f5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 9 Sep 2025 16:50:13 +0200
+Subject: [PATCH] Makefile: Fix for 'make CFLAGS=...'
+
+JIRA: https://issues.redhat.com/browse/RHEL-108851
+Upstream Status: nftables commit 229fa8b440b67debb12beca830e57a9ea25a2745
+
+commit 229fa8b440b67debb12beca830e57a9ea25a2745
+Author: Phil Sutter
+Date: Tue Sep 9 00:14:16 2025 +0200
+
+ Makefile: Fix for 'make CFLAGS=...'
+
+ Appending to CFLAGS from configure.ac like this was too naive, passing
+ custom CFLAGS in make arguments overwrites it. Extend AM_CFLAGS instead.
+
+ Fixes: 64c07e38f0494 ("table: Embed creating nft version into userdata")
+
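Review bot: version_cmp() in the src/netlink.c hunk orders the nftbuildstamp and nftversion bytes through plain `char`, while the configure.ac hunk emits both arrays as `static char` filled with `... & 0xff` values, so on targets where char is signed (x86 among them) any byte of 0x80 or more compares as negative and the byte-wise order stops matching the timestamp (0x7f ranks above 0x80); version components of 128 or more would suffer the same. Depending on the low bytes of the two build times, a table written by an older build can end up with is_from_future set, or a genuinely newer one can be missed. Emitting `static unsigned char nftversion[[]] = {` and `static unsigned char nftbuildstamp[[]] = {` in configure.ac and declaring `const unsigned char *udbuf;` in version_cmp() keeps the comparison in 0..255 and the returned difference well inside int. Since the userdata is written by whatever process created the table, the comparison result is only an advisory hint, which is how the table_print() hunk uses it; a comment on version_cmp() saying so would help the next reader.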
Signed-off-by: Phil Sutter
+ Acked-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ Makefile.am | 2 ++
+ configure.ac | 1 -
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index c2a6908..58c6959 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -154,6 +154,8 @@ AM_CFLAGS = \
+ \
+ $(GCC_FVISIBILITY_HIDDEN) \
+ \
++ -DMAKE_STAMP=$(MAKE_STAMP) \
++ \
+ $(NULL)
+
+ AM_YFLAGS = -d -Wno-yacc
+diff --git a/configure.ac b/configure.ac
+index bac8319..c14aa67 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -136,7 +136,6 @@ AC_CONFIG_COMMANDS([nftversion.h], [
+ # Current date should be fetched exactly once per build,
+ # so have 'make' call date and pass the value to every 'gcc' call
+ AC_SUBST([MAKE_STAMP], ["\$(shell date +%s)"])
+-CFLAGS="${CFLAGS} -DMAKE_STAMP=\${MAKE_STAMP}"
+
+ AC_CONFIG_FILES([ \
+ Makefile \
diff --git a/nftables.spec b/nftables.spec
index 7ee9a27..ba6f2b1 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.1.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch: 1
 Summary: Netfilter Tables userspace utilities
@@ -32,6 +32,10 @@ Patch13: 0013-monitor-Recognize-flowtable-add-del-events.patch
 Patch14: 0014-evaluate-allow-to-re-use-existing-metered-set.patch
 Patch15: 0015-src-split-monitor-trace-code-into-new-trace.c.patch
 Patch16: 0016-src-add-conntrack-information-to-trace-monitor-mode.patch
+Patch17: 0017-trace-Fix-for-memleak-in-trace_alloc_list-error-path.patch
+Patch18: 0018-doc-nft.8-Minor-NAT-STATEMENTS-section-review.patch
+Patch19: 0019-table-Embed-creating-nft-version-into-userdata.patch
+Patch20: 0020-Makefile-Fix-for-make-CFLAGS.patch
 BuildRequires: autoconf
 BuildRequires: automake
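Review bot: The new `-DMAKE_STAMP=$(MAKE_STAMP)` in AM_CFLAGS references a variable that AC_SUBST sets to `$(shell date +%s)`, i.e. a recursively expanded make variable, so as far as I can tell `date` is re-run on every compiler invocation rather than "exactly once per build" as the configure.ac comment kept in the same hunk promises. The src/mnl.c and src/netlink.c hunks of 0019 each appear to include nftversion.h and so carry their own copy of nftbuildstamp; when those two objects are compiled in different seconds, the stamp written at table creation and the one version_cmp() compares against disagree inside a single binary, and listing a table that this very nft created can print the "created by a newer version" warning. The per-object `date` call also makes the binary non-reproducible. Computing the value once in configure.ac, e.g. `AC_SUBST([MAKE_STAMP], ["${SOURCE_DATE_EPOCH:-$(date +%s)}"])`, gives every object the same stamp and honours SOURCE_DATE_EPOCH; if a fresh value per `make` run is really wanted, a simply expanded `MAKE_STAMP := $(shell date +%s)` in Makefile.am does that at the cost of requiring GNU make.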
@@ -146,6 +150,12 @@ cd py/
 %files -n python3-nftables -f %{pyproject_files}
 %changelog
+* Wed Sep 10 2025 Phil Sutter [1.1.1-6.el10]
+- Makefile: Fix for 'make CFLAGS=...' (Phil Sutter) [RHEL-108851]
+- table: Embed creating nft version into userdata (Phil Sutter) [RHEL-108851]
+- doc: nft.8: Minor NAT STATEMENTS section review (Phil Sutter) [RHEL-106743]
+- trace: Fix for memleak in trace_alloc_list() error path (Phil Sutter) [RHEL-111205]
+
 * Wed Jul 16 2025 Phil Sutter [1.1.1-5.el10]
 - src: add conntrack information to trace monitor mode (Phil Sutter) [RHEL-102994]
 - src: split monitor trace code into new trace.c (Phil Sutter) [RHEL-102994]