From 2cbde3b3db2474b7fa5cfc88b1e6ea2d1764195f Mon Sep 17 00:00:00 2001 
From: eabdullin Date: Wed, 14 May 2025 19:03:31 +0000 Subject: [PATCH] import UBI nftables-1.1.1-4.el10_0 --- .gitignore | 2 +- .nftables.metadata | 1 - ...spurious-dump-failure-in-vmap-timeou.patch | 45 ++ ...-fix-raw-payload-expression-document.patch | 38 ++ ...pse-set-element-commands-from-parser.patch | 339 +++++++++++ ...o-mnl_seqnum_alloc-to-mnl_seqnum_inc.patch | 78 +++ ...-cmd_add_loc-to-take-struct-nlmsghdr.patch | 312 ++++++++++ ...ribute-offset-is-uint32_t-for-struct.patch | 58 ++ ...-netlink-error-reporting-with-large-.patch | 193 ++++++ ...ts-monitor-fix-up-test-case-breakage.patch | 62 ++ ...extend-description-of-fib-expression.patch | 142 +++++ ...pse-set-element-commands-from-parser.patch | 83 +++ ...-Support-typeof-in-set-and-map-types.patch | 526 +++++++++++++++++ ...or-storing-payload-into-missing-file.patch | 43 ++ ...r-Recognize-flowtable-add-del-events.patch | 260 ++++++++ ...allow-to-re-use-existing-metered-set.patch | 271 +++++++++ ...-shell-runtime-set-element-automerge.patch | 97 --- ...2-rule-collapse-set-element-commands.patch | 236 -------- ...-report-exact-overlaps-for-new-eleme.patch | 84 --- ...ntervals-do-not-empty-cache-for-maps.patch | 55 -- ...-sort-cached-set-elements-over-and-o.patch | 139 ----- ...itations-of-ipsec-expression-with-xf.patch | 44 -- ...test-for-failing-ipsec-after-counter.patch | 86 --- ...r-add-missing-synproxy-scope-closure.patch | 38 -- ...-don-t-pop-active-flex-scanner-scope.patch | 144 ----- ...ash-when-trying-to-remove-element-in.patch | 67 --- ...for-EXPR_F_REMOVE-in-case-of-element.patch | 80 --- ...ize-allow-postprocessing-on-concaten.patch | 76 --- ...ize-postprocess-binary-ands-in-conca.patch | 159 ----- ...-stack-of-seen-l2-protocols-not-just.patch | 287 --------- ...015-debug-dump-the-l2-protocol-stack.patch | 44 -- ...test-case-for-ether-and-vlan-listing.patch | 65 -- ...ize-also-postprocess-OP_AND-in-set-e.patch | 99 ---- ...stacked-header-list-for-matching-pay.patch | 198 ------- 
...et-concatenation-with-ether-and-vlan.patch | 223 ------- ...l-ctx-for-add-update-statements-with.patch | 200 ------- ...itor-Sanitize-startup-race-condition.patch | 107 ---- ...ize-fix-decoding-of-concat-data-elem.patch | 53 -- ...nearize-fix-timeout-with-map-updates.patch | 66 --- ...-case-for-map-update-from-packet-pat.patch | 73 --- ...potential-array-out-of-bounds-access.patch | 44 -- ..._nf_hooks-leaks-memory-in-error-path.patch | 57 -- ...-meta-parse_iso_date-returns-boolean.patch | 41 -- ...Fix-for-potential-NULL-pointer-deref.patch | 44 -- ...ize-Do-not-return-garbage-from-stack.patch | 42 -- ...ify-chain_optimize-array-allocations.patch | 51 -- ...ize-Sanitize-concat-data-element-dec.patch | 42 -- ...tor-Summarize-failures-per-test-case.patch | 54 -- ...check-address-family-in-set-collapse.patch | 114 ---- ...-for-broken-compatibility-with-older.patch | 86 --- ...les-with-compat-expressions-in-rules.patch | 106 ---- ...-libxtables-access-until-translation.patch | 348 ----------- SOURCES/0037-xt-Purify-enum-nft_xt_type.patch | 54 -- ...nsupported-compat-expression-dumping.patch | 283 --------- ...to-generic-printing-from-translation.patch | 92 --- ...printing-for-extensions-matching-key.patch | 71 --- ...-un-break-rule-insert-with-intervals.patch | 66 --- .../0042-xt-Fix-translation-error-path.patch | 70 --- SOURCES/monitor-run-tests.stderr.expect | 6 - SOURCES/run-tests.stderr.expect | 27 - SPECS/nftables.spec | 554 ------------------ SOURCES/main.nft => main.nft | 0 SOURCES/nat.nft => nat.nft | 7 +- ...st.stderr.expect => nft-test.stderr.expect | 103 +--- SOURCES/nftables.conf => nftables.conf | 0 SOURCES/nftables.service => nftables.service | 0 nftables.spec | 438 ++++++++++++++ SOURCES/router.nft => router.nft | 0 run-tests.stderr.expect | 6 + sources | 1 + 70 files changed, 2920 insertions(+), 5060 deletions(-) delete mode 100644 .nftables.metadata create mode 100644 0001-tests-shell-fix-spurious-dump-failure-in-vmap-timeou.patch create mode 100644 
0002-libnftables-json-fix-raw-payload-expression-document.patch create mode 100644 0003-src-collapse-set-element-commands-from-parser.patch create mode 100644 0004-mnl-rename-to-mnl_seqnum_alloc-to-mnl_seqnum_inc.patch create mode 100644 0005-mnl-update-cmd_add_loc-to-take-struct-nlmsghdr.patch create mode 100644 0006-rule-netlink-attribute-offset-is-uint32_t-for-struct.patch create mode 100644 0007-src-fix-extended-netlink-error-reporting-with-large-.patch create mode 100644 0008-tests-monitor-fix-up-test-case-breakage.patch create mode 100644 0009-doc-extend-description-of-fib-expression.patch create mode 100644 0010-json-collapse-set-element-commands-from-parser.patch create mode 100644 0011-json-Support-typeof-in-set-and-map-types.patch create mode 100644 0012-tests-py-Fix-for-storing-payload-into-missing-file.patch create mode 100644 0013-monitor-Recognize-flowtable-add-del-events.patch create mode 100644 0014-evaluate-allow-to-re-use-existing-metered-set.patch delete mode 100644 SOURCES/0001-tests-shell-runtime-set-element-automerge.patch delete mode 100644 SOURCES/0002-rule-collapse-set-element-commands.patch delete mode 100644 SOURCES/0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch delete mode 100644 SOURCES/0004-intervals-do-not-empty-cache-for-maps.patch delete mode 100644 SOURCES/0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch delete mode 100644 SOURCES/0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch delete mode 100644 SOURCES/0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch delete mode 100644 SOURCES/0008-parser-add-missing-synproxy-scope-closure.patch delete mode 100644 SOURCES/0009-scanner-don-t-pop-active-flex-scanner-scope.patch delete mode 100644 SOURCES/0010-intervals-fix-crash-when-trying-to-remove-element-in.patch delete mode 100644 SOURCES/0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch delete mode 100644 
SOURCES/0012-netlink_delinearize-allow-postprocessing-on-concaten.patch delete mode 100644 SOURCES/0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch delete mode 100644 SOURCES/0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch delete mode 100644 SOURCES/0015-debug-dump-the-l2-protocol-stack.patch delete mode 100644 SOURCES/0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch delete mode 100644 SOURCES/0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch delete mode 100644 SOURCES/0018-evaluate-search-stacked-header-list-for-matching-pay.patch delete mode 100644 SOURCES/0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch delete mode 100644 SOURCES/0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch delete mode 100644 SOURCES/0021-monitor-Sanitize-startup-race-condition.patch delete mode 100644 SOURCES/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch delete mode 100644 SOURCES/0023-netlink_linearize-fix-timeout-with-map-updates.patch delete mode 100644 SOURCES/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch delete mode 100644 SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch delete mode 100644 SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch delete mode 100644 SOURCES/0027-meta-parse_iso_date-returns-boolean.patch delete mode 100644 SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch delete mode 100644 SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch delete mode 100644 SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch delete mode 100644 SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch delete mode 100644 SOURCES/0032-tests-monitor-Summarize-failures-per-test-case.patch delete mode 100644 SOURCES/0033-rule-check-address-family-in-set-collapse.patch delete mode 100644 SOURCES/0034-parser_bison-Fix-for-broken-compatibility-with-older.patch delete mode 100644 
SOURCES/0035-Warn-for-tables-with-compat-expressions-in-rules.patch
delete mode 100644 SOURCES/0036-xt-Delay-libxtables-access-until-translation.patch
delete mode 100644 SOURCES/0037-xt-Purify-enum-nft_xt_type.patch
delete mode 100644 SOURCES/0038-xt-Rewrite-unsupported-compat-expression-dumping.patch
delete mode 100644 SOURCES/0039-xt-Fall-back-to-generic-printing-from-translation.patch
delete mode 100644 SOURCES/0040-xt-Fix-fallback-printing-for-extensions-matching-key.patch
delete mode 100644 SOURCES/0041-evaluate-un-break-rule-insert-with-intervals.patch
delete mode 100644 SOURCES/0042-xt-Fix-translation-error-path.patch
delete mode 100644 SOURCES/monitor-run-tests.stderr.expect
delete mode 100644 SOURCES/run-tests.stderr.expect
delete mode 100644 SPECS/nftables.spec
rename SOURCES/main.nft => main.nft (100%)
rename SOURCES/nat.nft => nat.nft (79%)
rename SOURCES/nft-test.stderr.expect => nft-test.stderr.expect (89%)
rename SOURCES/nftables.conf => nftables.conf (100%)
rename SOURCES/nftables.service => nftables.service (100%)
create mode 100644 nftables.spec
rename SOURCES/router.nft => router.nft (100%)
create mode 100644 run-tests.stderr.expect
create mode 100644 sources
diff --git a/.gitignore b/.gitignore
index c9b6c1e..f43a315 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nftables-1.0.4.tar.bz2
+nftables-1.1.1.tar.xz
diff --git a/.nftables.metadata b/.nftables.metadata
deleted file mode 100644
index b9af18b..0000000
--- a/.nftables.metadata
+++ /dev/null
@@ -1 +0,0 @@
-e2e8b324cece1409a311284ff4fe26c3a5554809 SOURCES/nftables-1.0.4.tar.bz2
diff --git a/0001-tests-shell-fix-spurious-dump-failure-in-vmap-timeou.patch b/0001-tests-shell-fix-spurious-dump-failure-in-vmap-timeou.patch
new file mode 100644
index 0000000..fb856a9
--- /dev/null
+++ b/0001-tests-shell-fix-spurious-dump-failure-in-vmap-timeou.patch
@@ -0,0 +1,45 @@ +From 1ce7bc1ca89494fdbb2fa10b176d33a5944ede01 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] tests: shell: fix spurious dump failure in vmap timeout test + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit 95017b8c8f10ada09c2faa7e6bae71b60f38f259 + +commit 95017b8c8f10ada09c2faa7e6bae71b60f38f259 +Author: Florian Westphal +Date: Fri Oct 11 02:32:08 2024 +0200 + + tests: shell: fix spurious dump failure in vmap timeout test + + Blamed commit can update the timeout to 6s, but last line waits + for 5 seconds and expects that to be enough to have all elements vanish. + + Fix the typo to limit update timeout also to 5 seconds and not 6. + This fixes spurious dump failures like this one: + + - elements = { 1.2.3.4 . 22 : jump ssh_input } + + elements = { 1.2.3.4 . 22 : jump ssh_input, + + 10.0.95.144 . 38023 timeout 6s expires 545ms : jump other_input } + + Fixes: db80037c0279 ("tests: shell: extend vmap test with updates") + Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + tests/shell/testcases/maps/vmap_timeout | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/shell/testcases/maps/vmap_timeout b/tests/shell/testcases/maps/vmap_timeout +index 3f0563a..6d73f3c 100755 +--- a/tests/shell/testcases/maps/vmap_timeout ++++ b/tests/shell/testcases/maps/vmap_timeout +@@ -32,7 +32,7 @@ for i in $(seq 1 100) ; do + timeout=$((timeout+1)) + expire=$((RANDOM%timeout)) + utimeout=$((RANDOM%5)) +- utimeout=$((timeout+1)) ++ utimeout=$((utimeout+1)) + + timeout_str="timeout ${timeout}s" + expire_str="" diff --git a/0002-libnftables-json-fix-raw-payload-expression-document.patch b/0002-libnftables-json-fix-raw-payload-expression-document.patch new file mode 100644 index 0000000..f5235b9 --- /dev/null +++ b/0002-libnftables-json-fix-raw-payload-expression-document.patch 
@@ -0,0 +1,38 @@ +From 08d33851ff012bb14237127553be80dbb00fa07d Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] libnftables-json: fix raw payload expression documentation + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit 570320ab9a0752c7749a6c9cc85b34a5e7ab91b5 + +commit 570320ab9a0752c7749a6c9cc85b34a5e7ab91b5 +Author: Eric Long +Date: Thu Oct 17 23:33:17 2024 +0800 + + libnftables-json: fix raw payload expression documentation + + Raw payload expression accesses payload data in bits, not bytes. + + Fixes: 872f373dc50f7 ("doc: Add JSON schema documentation") + Signed-off-by: Eric Long + Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + doc/libnftables-json.adoc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc +index a8a6165..2f29ac0 100644 +--- a/doc/libnftables-json.adoc ++++ b/doc/libnftables-json.adoc +@@ -1182,7 +1182,7 @@ ____ + + Construct a payload expression, i.e. a reference to a certain part of packet + data. The first form creates a raw payload expression to point at a random +-number (*len*) of bytes at a certain offset (*offset*) from a given reference ++number (*len*) of bits at a certain offset (*offset*) from a given reference + point (*base*). The following *base* values are accepted: + + *"ll"*:: diff --git a/0003-src-collapse-set-element-commands-from-parser.patch b/0003-src-collapse-set-element-commands-from-parser.patch new file mode 100644 index 0000000..5703b4a --- /dev/null +++ b/0003-src-collapse-set-element-commands-from-parser.patch 
@@ -0,0 +1,339 @@ +From 005c220f08964958eae2ca6e40a070b5bc9d6f79 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] src: collapse set element commands from parser + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit 20f1c60ac8c88be3bdf3096083b24ada06570a77 + +commit 20f1c60ac8c88be3bdf3096083b24ada06570a77 +Author: Pablo Neira Ayuso +Date: Wed Oct 23 11:43:58 2024 +0200 + + src: collapse set element commands from parser + + 498a5f0c219d ("rule: collapse set element commands") does not help to + reduce memory consumption in the case of large sets defined by one + element per line: + + add element ip x y { 1.1.1.1 } + add element ip x y { 1.1.1.2 } + ... + + This patch reduces memory consumption by ~75%, set elements are + collapsed into an existing cmd object wherever possible to reduce the + number of cmd objects. + + This patch also adds a special case for variables for sets similar to: + + be055af5c58d ("cmd: skip variable set elements when collapsing commands") + + This patch requires this small kernel fix: + + commit b53c116642502b0c85ecef78bff4f826a7dd4145 + Author: Pablo Neira Ayuso + Date: Fri May 20 00:02:06 2022 +0200 + + netfilter: nf_tables: set element extended ACK reporting support + + which is already included in recent -stable kernels: + + # cat ruleset.nft + add table ip x + add chain ip x y + add set ip x y { type ipv4_addr; } + create element ip x y { 1.1.1.1 } + create element ip x y { 1.1.1.1 } + + # nft -f ruleset.nft + ruleset.nft:5:25-31: Error: Could not process rule: File exists + create element ip x y { 1.1.1.1 } + ^^^^^^^ + + since there is no need to relate commands via sequence number anymore, + this allows also removes the uncollapse step. + + Fixes: 498a5f0c219d ("rule: collapse set element commands") + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + include/cmd.h | 7 +-- + include/expression.h | 1 - + include/list.h | 11 +++++ + include/rule.h | 1 - + src/cmd.c | 105 +++++++++++-------------------------------- + src/libnftables.c | 7 --- + src/parser_bison.y | 13 ++++++ + src/rule.c | 1 - + 8 files changed, 54 insertions(+), 92 deletions(-) + +diff --git a/include/cmd.h b/include/cmd.h +index 92a4152..0a8779b 100644 +--- a/include/cmd.h ++++ b/include/cmd.h +@@ -2,12 +2,13 @@ + #define _NFT_CMD_H_ + + void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc); ++struct mnl_err; + void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd, + struct mnl_err *err); + ++bool nft_cmd_collapse_elems(enum cmd_ops op, struct list_head *cmds, ++ struct handle *handle, struct expr *init); ++ + void nft_cmd_expand(struct cmd *cmd); +-void nft_cmd_post_expand(struct cmd *cmd); +-bool nft_cmd_collapse(struct list_head *cmds); +-void nft_cmd_uncollapse(struct list_head *cmds); + + #endif +diff --git a/include/expression.h b/include/expression.h +index 8982110..da2f693 100644 +--- a/include/expression.h ++++ b/include/expression.h +@@ -255,7 +255,6 @@ struct expr { + enum expr_types etype:8; + enum ops op:8; + unsigned int len; +- struct cmd *cmd; + + union { + struct { +diff --git a/include/list.h b/include/list.h +index 857921e..37fbe3e 100644 +--- a/include/list.h ++++ b/include/list.h +@@ -348,6 +348,17 @@ static inline void list_splice_tail_init(struct list_head *list, + #define list_first_entry(ptr, type, member) \ + list_entry((ptr)->next, type, member) + ++/** ++ * list_last_entry - get the last element from a list ++ * @ptr: the list head to take the element from. ++ * @type: the type of the struct this is embedded in. ++ * @member: the name of the list_head within the struct. ++ * ++ * Note, that list is expected to be not empty. 
++ */ ++#define list_last_entry(ptr, type, member) \ ++ list_entry((ptr)->prev, type, member) ++ + /** + * list_next_entry - get the next element in list + * @pos: the type * to cursor +diff --git a/include/rule.h b/include/rule.h +index 5b3e12b..a1628d8 100644 +--- a/include/rule.h ++++ b/include/rule.h +@@ -718,7 +718,6 @@ struct cmd { + enum cmd_obj obj; + struct handle handle; + uint32_t seqnum; +- struct list_head collapse_list; + union { + void *data; + struct expr *expr; +diff --git a/src/cmd.c b/src/cmd.c +index 9a572b5..e010dcb 100644 +--- a/src/cmd.c ++++ b/src/cmd.c +@@ -378,6 +378,32 @@ static void nft_cmd_expand_chain(struct chain *chain, struct list_head *new_cmds + } + } + ++bool nft_cmd_collapse_elems(enum cmd_ops op, struct list_head *cmds, ++ struct handle *handle, struct expr *init) ++{ ++ struct cmd *last_cmd; ++ ++ if (list_empty(cmds)) ++ return false; ++ ++ if (init->etype == EXPR_VARIABLE) ++ return false; ++ ++ last_cmd = list_last_entry(cmds, struct cmd, list); ++ if (last_cmd->op != op || ++ last_cmd->obj != CMD_OBJ_ELEMENTS || ++ last_cmd->expr->etype == EXPR_VARIABLE || ++ last_cmd->handle.family != handle->family || ++ strcmp(last_cmd->handle.table.name, handle->table.name) || ++ strcmp(last_cmd->handle.set.name, handle->set.name)) ++ return false; ++ ++ list_splice_tail_init(&init->expressions, &last_cmd->expr->expressions); ++ last_cmd->expr->size += init->size; ++ ++ return true; ++} ++ + void nft_cmd_expand(struct cmd *cmd) + { + struct list_head new_cmds; +@@ -459,82 +485,3 @@ void nft_cmd_expand(struct cmd *cmd) + break; + } + } +- +-bool nft_cmd_collapse(struct list_head *cmds) +-{ +- struct cmd *cmd, *next, *elems = NULL; +- struct expr *expr, *enext; +- bool collapse = false; +- +- list_for_each_entry_safe(cmd, next, cmds, list) { +- if (cmd->op != CMD_ADD && +- cmd->op != CMD_CREATE) { +- elems = NULL; +- continue; +- } +- +- if (cmd->obj != CMD_OBJ_ELEMENTS) { +- elems = NULL; +- continue; +- } +- +- if (cmd->expr->etype == 
EXPR_VARIABLE) +- continue; +- +- if (!elems) { +- elems = cmd; +- continue; +- } +- +- if (cmd->op != elems->op) { +- elems = cmd; +- continue; +- } +- +- if (elems->handle.family != cmd->handle.family || +- strcmp(elems->handle.table.name, cmd->handle.table.name) || +- strcmp(elems->handle.set.name, cmd->handle.set.name)) { +- elems = cmd; +- continue; +- } +- +- collapse = true; +- list_for_each_entry_safe(expr, enext, &cmd->expr->expressions, list) { +- expr->cmd = cmd; +- list_move_tail(&expr->list, &elems->expr->expressions); +- } +- elems->expr->size += cmd->expr->size; +- list_move_tail(&cmd->list, &elems->collapse_list); +- } +- +- return collapse; +-} +- +-void nft_cmd_uncollapse(struct list_head *cmds) +-{ +- struct cmd *cmd, *cmd_next, *collapse_cmd, *collapse_cmd_next; +- struct expr *expr, *next; +- +- list_for_each_entry_safe(cmd, cmd_next, cmds, list) { +- if (list_empty(&cmd->collapse_list)) +- continue; +- +- assert(cmd->obj == CMD_OBJ_ELEMENTS); +- +- list_for_each_entry_safe(expr, next, &cmd->expr->expressions, list) { +- if (!expr->cmd) +- continue; +- +- list_move_tail(&expr->list, &expr->cmd->expr->expressions); +- cmd->expr->size--; +- expr->cmd = NULL; +- } +- +- list_for_each_entry_safe(collapse_cmd, collapse_cmd_next, &cmd->collapse_list, list) { +- if (cmd->elem.set) +- collapse_cmd->elem.set = set_get(cmd->elem.set); +- +- list_add(&collapse_cmd->list, &cmd->list); +- } +- } +-} +diff --git a/src/libnftables.c b/src/libnftables.c +index 2ae2150..2834c99 100644 +--- a/src/libnftables.c ++++ b/src/libnftables.c +@@ -513,7 +513,6 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs, + { + struct nft_cache_filter *filter; + struct cmd *cmd, *next; +- bool collapsed = false; + unsigned int flags; + int err = 0; + +@@ -529,9 +528,6 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs, + + nft_cache_filter_fini(filter); + +- if (nft_cmd_collapse(cmds)) +- collapsed = true; +- + list_for_each_entry(cmd, cmds, 
list) { + if (cmd->op != CMD_ADD && + cmd->op != CMD_CREATE) +@@ -553,9 +549,6 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs, + } + } + +- if (collapsed) +- nft_cmd_uncollapse(cmds); +- + if (err < 0 || nft->state->nerrs) + return -1; + +diff --git a/src/parser_bison.y b/src/parser_bison.y +index e2936d1..602fc60 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -35,6 +35,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -1219,6 +1220,12 @@ add_cmd : TABLE table_spec + } + | ELEMENT set_spec set_block_expr + { ++ if (nft_cmd_collapse_elems(CMD_ADD, state->cmds, &$2, $3)) { ++ handle_free(&$2); ++ expr_free($3); ++ $$ = NULL; ++ break; ++ } + $$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3); + } + | FLOWTABLE flowtable_spec flowtable_block_alloc +@@ -1336,6 +1343,12 @@ create_cmd : TABLE table_spec + } + | ELEMENT set_spec set_block_expr + { ++ if (nft_cmd_collapse_elems(CMD_CREATE, state->cmds, &$2, $3)) { ++ handle_free(&$2); ++ expr_free($3); ++ $$ = NULL; ++ break; ++ } + $$ = cmd_alloc(CMD_CREATE, CMD_OBJ_ELEMENTS, &$2, &@$, $3); + } + | FLOWTABLE flowtable_spec flowtable_block_alloc +diff --git a/src/rule.c b/src/rule.c +index 9bc160e..9536e68 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -1332,7 +1332,6 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj, + cmd->attr = xzalloc_array(NFT_NLATTR_LOC_MAX, + sizeof(struct nlerr_loc)); + cmd->attr_array_len = NFT_NLATTR_LOC_MAX; +- init_list_head(&cmd->collapse_list); + + return cmd; + } diff --git a/0004-mnl-rename-to-mnl_seqnum_alloc-to-mnl_seqnum_inc.patch b/0004-mnl-rename-to-mnl_seqnum_alloc-to-mnl_seqnum_inc.patch new file mode 100644 index 0000000..4b0a03f --- /dev/null +++ b/0004-mnl-rename-to-mnl_seqnum_alloc-to-mnl_seqnum_inc.patch 
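Review bot: The new parser actions in add_cmd and create_cmd free `$2` and `$3` and yield `$$ = NULL` once `nft_cmd_collapse_elems()` has spliced the elements into the previous command, so every consumer of the add_cmd/create_cmd result must now tolerate a NULL command; that handling sits in grammar rules outside this hunk and should be confirmed before the backport is accepted. The `expr_free($3)` after a successful collapse is only safe because `list_splice_tail_init()` leaves `init->expressions` empty, and that invariant deserves a comment at the splice site in nft_cmd_collapse_elems, e.g. `/* elements moved to last_cmd; init is left empty so the caller can free it */`. Collapsing also merges elements that came from different input lines into one command whose location is the first statement's, so on kernels that lack the per-element extended ACK support the description calls a prerequisite, an EEXIST or similar error will presumably be attributed to the wrong line; a note about that degraded error reporting would help whoever triages bug reports against this build. Finally, the `strcmp()` calls on `handle->table.name` and `handle->set.name` assume set_spec always produces non-NULL names, which the grammar likely guarantees but is not visible here.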
@@ -0,0 +1,78 @@ +From c2e328edd47ac3d3ed127b313d35ed05839441db Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] mnl: rename to mnl_seqnum_alloc() to mnl_seqnum_inc() + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit b4ce90d52d564efaced298f6e9c575d6942ecf91 + +commit b4ce90d52d564efaced298f6e9c575d6942ecf91 +Author: Pablo Neira Ayuso +Date: Wed Oct 23 22:15:24 2024 +0200 + + mnl: rename to mnl_seqnum_alloc() to mnl_seqnum_inc() + + rename mnl_seqnum_alloc() to mnl_seqnum_inc(). + + No functional change is intended. + + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + include/mnl.h | 2 +- + src/libnftables.c | 6 +++--- + src/mnl.c | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/mnl.h b/include/mnl.h +index c9502f3..7c465d4 100644 +--- a/include/mnl.h ++++ b/include/mnl.h +@@ -8,7 +8,7 @@ + + struct mnl_socket *nft_mnl_socket_open(void); + +-uint32_t mnl_seqnum_alloc(uint32_t *seqnum); ++uint32_t mnl_seqnum_inc(uint32_t *seqnum); + uint32_t mnl_genid_get(struct netlink_ctx *ctx); + + struct mnl_err { +diff --git a/src/libnftables.c b/src/libnftables.c +index 2834c99..3550961 100644 +--- a/src/libnftables.c ++++ b/src/libnftables.c +@@ -37,9 +37,9 @@ static int nft_netlink(struct nft_ctx *nft, + if (list_empty(cmds)) + goto out; + +- batch_seqnum = mnl_batch_begin(ctx.batch, mnl_seqnum_alloc(&seqnum)); ++ batch_seqnum = mnl_batch_begin(ctx.batch, mnl_seqnum_inc(&seqnum)); + list_for_each_entry(cmd, cmds, list) { +- ctx.seqnum = cmd->seqnum = mnl_seqnum_alloc(&seqnum); ++ ctx.seqnum = cmd->seqnum = mnl_seqnum_inc(&seqnum); + ret = do_command(&ctx, cmd); + if (ret < 0) { + netlink_io_error(&ctx, &cmd->location, +@@ -50,7 +50,7 @@ static int nft_netlink(struct nft_ctx *nft, + num_cmds++; + } + if (!nft->check) +- mnl_batch_end(ctx.batch, mnl_seqnum_alloc(&seqnum)); ++ mnl_batch_end(ctx.batch, mnl_seqnum_inc(&seqnum)); + + if (!mnl_batch_ready(ctx.batch)) + goto out; +diff --git a/src/mnl.c b/src/mnl.c +index db53a60..c1691da 100644 +--- a/src/mnl.c ++++ b/src/mnl.c +@@ -70,7 +70,7 @@ struct mnl_socket *nft_mnl_socket_open(void) + return nf_sock; + } + +-uint32_t mnl_seqnum_alloc(unsigned int *seqnum) ++uint32_t mnl_seqnum_inc(unsigned int *seqnum) + { + return (*seqnum)++; + } diff --git a/0005-mnl-update-cmd_add_loc-to-take-struct-nlmsghdr.patch b/0005-mnl-update-cmd_add_loc-to-take-struct-nlmsghdr.patch new file mode 100644 index 0000000..f6ca67e --- /dev/null +++ b/0005-mnl-update-cmd_add_loc-to-take-struct-nlmsghdr.patch 
@@ -0,0 +1,312 @@ +From ed5989c26e998985a01dcd6c57415d8110c63f64 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] mnl: update cmd_add_loc() to take struct nlmsghdr + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit f7c2b27c9f8356c634f0405347444e03e10e151b + +commit f7c2b27c9f8356c634f0405347444e03e10e151b +Author: Pablo Neira Ayuso +Date: Wed Oct 23 23:07:31 2024 +0200 + + mnl: update cmd_add_loc() to take struct nlmsghdr + + To prepare for a fix for very large sets. + + No functional change is intended. + + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + include/cmd.h | 2 +- + src/cmd.c | 4 +-- + src/mnl.c | 77 +++++++++++++++++++++++++-------------------------- + 3 files changed, 41 insertions(+), 42 deletions(-) + +diff --git a/include/cmd.h b/include/cmd.h +index 0a8779b..cf7e43b 100644 +--- a/include/cmd.h ++++ b/include/cmd.h +@@ -1,7 +1,7 @@ + #ifndef _NFT_CMD_H_ + #define _NFT_CMD_H_ + +-void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc); ++void cmd_add_loc(struct cmd *cmd, const struct nlmsghdr *nlh, const struct location *loc); + struct mnl_err; + void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd, + struct mnl_err *err); +diff --git a/src/cmd.c b/src/cmd.c +index e010dcb..78a2aa3 100644 +--- a/src/cmd.c ++++ b/src/cmd.c +@@ -17,14 +17,14 @@ + #include + #include + +-void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc) ++void cmd_add_loc(struct cmd *cmd, const struct nlmsghdr *nlh, const struct location *loc) + { + if (cmd->num_attrs >= cmd->attr_array_len) { + cmd->attr_array_len *= 2; + cmd->attr = xrealloc(cmd->attr, sizeof(struct nlerr_loc) * cmd->attr_array_len); + } + +- cmd->attr[cmd->num_attrs].offset = offset; ++ cmd->attr[cmd->num_attrs].offset = nlh->nlmsg_len; + cmd->attr[cmd->num_attrs].location = loc; + cmd->num_attrs++; + } +diff --git a/src/mnl.c b/src/mnl.c +index c1691da..42d1b0d 100644 +--- a/src/mnl.c ++++ b/src/mnl.c +@@ -474,7 +474,7 @@ static int mnl_nft_expr_build_cb(struct nftnl_expr *nle, void *data) + + eloc = nft_expr_loc_find(nle, ctx->lctx); + if (eloc) +- cmd_add_loc(cmd, nlh->nlmsg_len, eloc->loc); ++ cmd_add_loc(cmd, nlh, eloc->loc); + + nest = mnl_attr_nest_start(nlh, NFTA_LIST_ELEM); + nftnl_expr_build_payload(nlh, nle); +@@ -527,9 +527,9 @@ int mnl_nft_rule_add(struct netlink_ctx *ctx, struct cmd *cmd, + cmd->handle.family, + NLM_F_CREATE | flags, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location); ++ cmd_add_loc(cmd, 
nlh, &h->table.location); + mnl_attr_put_strz(nlh, NFTA_RULE_TABLE, h->table.name); +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->chain.location); ++ cmd_add_loc(cmd, nlh, &h->chain.location); + + if (h->chain_id) + mnl_attr_put_u32(nlh, NFTA_RULE_CHAIN_ID, htonl(h->chain_id)); +@@ -578,11 +578,11 @@ int mnl_nft_rule_replace(struct netlink_ctx *ctx, struct cmd *cmd) + cmd->handle.family, + NLM_F_REPLACE | flags, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location); ++ cmd_add_loc(cmd, nlh, &h->table.location); + mnl_attr_put_strz(nlh, NFTA_RULE_TABLE, h->table.name); +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->chain.location); ++ cmd_add_loc(cmd, nlh, &h->chain.location); + mnl_attr_put_strz(nlh, NFTA_RULE_CHAIN, h->chain.name); +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->handle.location); ++ cmd_add_loc(cmd, nlh, &h->handle.location); + mnl_attr_put_u64(nlh, NFTA_RULE_HANDLE, htobe64(h->handle.id)); + + mnl_nft_rule_build_ctx_init(&rule_ctx, nlh, cmd, &lctx); +@@ -621,14 +621,14 @@ int mnl_nft_rule_del(struct netlink_ctx *ctx, struct cmd *cmd) + nftnl_rule_get_u32(nlr, NFTNL_RULE_FAMILY), + 0, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location); ++ cmd_add_loc(cmd, nlh, &h->table.location); + mnl_attr_put_strz(nlh, NFTA_RULE_TABLE, h->table.name); + if (h->chain.name) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->chain.location); ++ cmd_add_loc(cmd, nlh, &h->chain.location); + mnl_attr_put_strz(nlh, NFTA_RULE_CHAIN, h->chain.name); + } + if (h->handle.id) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->handle.location); ++ cmd_add_loc(cmd, nlh, &h->handle.location); + mnl_attr_put_u64(nlh, NFTA_RULE_HANDLE, htobe64(h->handle.id)); + } + +@@ -792,12 +792,12 @@ static void mnl_nft_chain_devs_build(struct nlmsghdr *nlh, struct cmd *cmd) + + dev_array = nft_dev_array(dev_expr, &num_devs); + if (num_devs == 1) { +- cmd_add_loc(cmd, nlh->nlmsg_len, dev_array[0].location); ++ cmd_add_loc(cmd, nlh, dev_array[0].location); + mnl_attr_put_strz(nlh, 
NFTA_HOOK_DEV, dev_array[0].ifname); + } else { + nest_dev = mnl_attr_nest_start(nlh, NFTA_HOOK_DEVS); + for (i = 0; i < num_devs; i++) { +- cmd_add_loc(cmd, nlh->nlmsg_len, dev_array[i].location); ++ cmd_add_loc(cmd, nlh, dev_array[i].location); + mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev_array[i].ifname); + mnl_attr_nest_end(nlh, nest_dev); + } +@@ -842,9 +842,9 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd, + cmd->handle.family, + NLM_F_CREATE | flags, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_CHAIN_TABLE, cmd->handle.table.name); +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.chain.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.chain.location); + + if (!cmd->chain || !(cmd->chain->flags & CHAIN_F_BINDING)) { + mnl_attr_put_strz(nlh, NFTA_CHAIN_NAME, cmd->handle.chain.name); +@@ -861,7 +861,7 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd, + if (cmd->chain && cmd->chain->policy) { + mpz_export_data(&policy, cmd->chain->policy->value, + BYTEORDER_HOST_ENDIAN, sizeof(int)); +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->chain->policy->location); ++ cmd_add_loc(cmd, nlh, &cmd->chain->policy->location); + mnl_attr_put_u32(nlh, NFTA_CHAIN_POLICY, htonl(policy)); + } + +@@ -873,7 +873,7 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd, + struct nlattr *nest; + + if (cmd->chain->type.str) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->chain->type.loc); ++ cmd_add_loc(cmd, nlh, &cmd->chain->type.loc); + mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, cmd->chain->type.str); + } + +@@ -949,13 +949,13 @@ int mnl_nft_chain_del(struct netlink_ctx *ctx, struct cmd *cmd) + cmd->handle.family, + 0, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_CHAIN_TABLE, cmd->handle.table.name); + if 
(cmd->handle.chain.name) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.chain.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.chain.location); + mnl_attr_put_strz(nlh, NFTA_CHAIN_NAME, cmd->handle.chain.name); + } else if (cmd->handle.handle.id) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.handle.location); + mnl_attr_put_u64(nlh, NFTA_CHAIN_HANDLE, + htobe64(cmd->handle.handle.id)); + } +@@ -1077,7 +1077,7 @@ int mnl_nft_table_add(struct netlink_ctx *ctx, struct cmd *cmd, + cmd->handle.family, + flags, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_TABLE_NAME, cmd->handle.table.name); + nftnl_table_nlmsg_build_payload(nlh, nlt); + nftnl_table_free(nlt); +@@ -1106,10 +1106,10 @@ int mnl_nft_table_del(struct netlink_ctx *ctx, struct cmd *cmd) + cmd->handle.family, 0, ctx->seqnum); + + if (cmd->handle.table.name) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_TABLE_NAME, cmd->handle.table.name); + } else if (cmd->handle.handle.id) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.handle.location); + mnl_attr_put_u64(nlh, NFTA_TABLE_HANDLE, + htobe64(cmd->handle.handle.id)); + } +@@ -1325,9 +1325,9 @@ int mnl_nft_set_add(struct netlink_ctx *ctx, struct cmd *cmd, + h->family, + NLM_F_CREATE | flags, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->table.location); ++ cmd_add_loc(cmd, nlh, &h->table.location); + mnl_attr_put_strz(nlh, NFTA_SET_TABLE, h->table.name); +- cmd_add_loc(cmd, nlh->nlmsg_len, &h->set.location); ++ cmd_add_loc(cmd, nlh, &h->set.location); + mnl_attr_put_strz(nlh, NFTA_SET_NAME, h->set.name); + + nftnl_set_nlmsg_build_payload(nlh, nls); +@@ -1359,13 +1359,13 @@ int mnl_nft_set_del(struct 
netlink_ctx *ctx, struct cmd *cmd) + h->family, + 0, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_SET_TABLE, cmd->handle.table.name); + if (h->set.name) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.set.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.set.location); + mnl_attr_put_strz(nlh, NFTA_SET_NAME, cmd->handle.set.name); + } else if (h->handle.id) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.handle.location); + mnl_attr_put_u64(nlh, NFTA_SET_HANDLE, + htobe64(cmd->handle.handle.id)); + } +@@ -1544,9 +1544,9 @@ int mnl_nft_obj_add(struct netlink_ctx *ctx, struct cmd *cmd, + NFT_MSG_NEWOBJ, cmd->handle.family, + NLM_F_CREATE | flags, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_OBJ_TABLE, cmd->handle.table.name); +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.obj.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.obj.location); + mnl_attr_put_strz(nlh, NFTA_OBJ_NAME, cmd->handle.obj.name); + + nftnl_obj_nlmsg_build_payload(nlh, nlo); +@@ -1577,14 +1577,14 @@ int mnl_nft_obj_del(struct netlink_ctx *ctx, struct cmd *cmd, int type) + msg_type, cmd->handle.family, + 0, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_OBJ_TABLE, cmd->handle.table.name); + + if (cmd->handle.obj.name) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.obj.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.obj.location); + mnl_attr_put_strz(nlh, NFTA_OBJ_NAME, cmd->handle.obj.name); + } else if (cmd->handle.handle.id) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.handle.location); + mnl_attr_put_u64(nlh, 
NFTA_OBJ_HANDLE, + htobe64(cmd->handle.handle.id)); + } +@@ -1764,7 +1764,7 @@ next: + list_for_each_entry_from(expr, &set->expressions, list) { + nlse = alloc_nftnl_setelem(set, expr); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &expr->location); ++ cmd_add_loc(cmd, nlh, &expr->location); + nest2 = mnl_attr_nest_start(nlh, ++i); + nftnl_set_elem_nlmsg_build_payload(nlh, nlse); + mnl_attr_nest_end(nlh, nest2); +@@ -2005,7 +2005,7 @@ static void mnl_nft_ft_devs_build(struct nlmsghdr *nlh, struct cmd *cmd) + dev_array = nft_dev_array(dev_expr, &num_devs); + nest_dev = mnl_attr_nest_start(nlh, NFTA_FLOWTABLE_HOOK_DEVS); + for (i = 0; i < num_devs; i++) { +- cmd_add_loc(cmd, nlh->nlmsg_len, dev_array[i].location); ++ cmd_add_loc(cmd, nlh, dev_array[i].location); + mnl_attr_put_strz(nlh, NFTA_DEVICE_NAME, dev_array[i].ifname); + } + +@@ -2037,9 +2037,9 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd, + NFT_MSG_NEWFLOWTABLE, cmd->handle.family, + NLM_F_CREATE | flags, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_FLOWTABLE_TABLE, cmd->handle.table.name); +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.flowtable.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.flowtable.location); + mnl_attr_put_strz(nlh, NFTA_FLOWTABLE_NAME, cmd->handle.flowtable.name); + + nftnl_flowtable_nlmsg_build_payload(nlh, flo); +@@ -2086,16 +2086,15 @@ int mnl_nft_flowtable_del(struct netlink_ctx *ctx, struct cmd *cmd) + msg_type, cmd->handle.family, + 0, ctx->seqnum); + +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.table.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.table.location); + mnl_attr_put_strz(nlh, NFTA_FLOWTABLE_TABLE, cmd->handle.table.name); + + if (cmd->handle.flowtable.name) { +- cmd_add_loc(cmd, nlh->nlmsg_len, +- &cmd->handle.flowtable.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.flowtable.location); + mnl_attr_put_strz(nlh, 
NFTA_FLOWTABLE_NAME, + cmd->handle.flowtable.name); + } else if (cmd->handle.handle.id) { +- cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->handle.handle.location); ++ cmd_add_loc(cmd, nlh, &cmd->handle.handle.location); + mnl_attr_put_u64(nlh, NFTA_FLOWTABLE_HANDLE, + htobe64(cmd->handle.handle.id)); + } diff --git a/0006-rule-netlink-attribute-offset-is-uint32_t-for-struct.patch b/0006-rule-netlink-attribute-offset-is-uint32_t-for-struct.patch new file mode 100644 index 0000000..a3f5fe1 --- /dev/null +++ b/0006-rule-netlink-attribute-offset-is-uint32_t-for-struct.patch @@ -0,0 +1,58 @@ +From 66dc95d7a3f7c0e4527f4e960f5c397fd3b82af5 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] rule: netlink attribute offset is uint32_t for struct + nlerr_loc + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit 42b081df747729b0d83b69d2816be4091af56a58 + +commit 42b081df747729b0d83b69d2816be4091af56a58 +Author: Pablo Neira Ayuso +Date: Thu Oct 24 00:08:24 2024 +0200 + + rule: netlink attribute offset is uint32_t for struct nlerr_loc + + The maximum netlink message length (nlh->nlmsg_len) is uint32_t, struct + nlerr_loc stores the offset to the netlink attribute which must be + uint32_t, not uint16_t. + + While at it, remove check for zero netlink attribute offset in + nft_cmd_error() which should not ever happen, likely this check was + there to prevent the uint16_t offset overflow. + + Fixes: f8aec603aa7e ("src: initial extended netlink error reporting") + 
Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ include/rule.h | 2 +-
+ src/cmd.c | 2 --
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/include/rule.h b/include/rule.h
+index a1628d8..3fcfa44 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -695,7 +695,7 @@ void monitor_free(struct monitor *m);
+ #define NFT_NLATTR_LOC_MAX 32
+
+ struct nlerr_loc {
+- uint16_t offset;
++ uint32_t offset;
+ const struct location *location;
+ };
+
+diff --git a/src/cmd.c b/src/cmd.c
+index 78a2aa3..0c7a43e 100644
+--- a/src/cmd.c
++++ b/src/cmd.c
+@@ -323,8 +323,6 @@ void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd,
+ uint32_t i;
+
+ for (i = 0; i < cmd->num_attrs; i++) {
+- if (!cmd->attr[i].offset)
+- break;
+ if (cmd->attr[i].offset == err->offset)
+ loc = cmd->attr[i].location;
+ }
diff --git a/0007-src-fix-extended-netlink-error-reporting-with-large-.patch b/0007-src-fix-extended-netlink-error-reporting-with-large-.patch
new file mode 100644
index 0000000..2d7a413
--- /dev/null
+++ b/0007-src-fix-extended-netlink-error-reporting-with-large-.patch
@@ -0,0 +1,193 @@ +From c62c11ee27daf90c74a46353df4936b869624e72 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] src: fix extended netlink error reporting with large set + elements + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit 68d2de3ca6c6eb18f5b32f7b4324a85c9c6c358e + +commit 68d2de3ca6c6eb18f5b32f7b4324a85c9c6c358e +Author: Pablo Neira Ayuso +Date: Thu Oct 24 00:24:55 2024 +0200 + + src: fix extended netlink error reporting with large set elements + + Large sets can expand into several netlink messages, use sequence number + and attribute offset to correlate the set element and the location. + + When set element command expands into several netlink messages, + increment sequence number for each netlink message. Update struct cmd to + store the range of netlink messages that result from this command. + + struct nlerr_loc remains in the same size in x86_64. + + # nft -f set-65535.nft + set-65535.nft:65029:22-32: Error: Could not process rule: File exists + create element x y { 1.1.254.253 } + ^^^^^^^^^^^ + + Fixes: f8aec603aa7e ("src: initial extended netlink error reporting") + 
Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + include/rule.h | 4 +++- + src/cmd.c | 4 +++- + src/libnftables.c | 12 ++++++++---- + src/mnl.c | 9 +++++---- + src/parser_json.c | 4 ++-- + 5 files changed, 21 insertions(+), 12 deletions(-) + +diff --git a/include/rule.h b/include/rule.h +index 3fcfa44..48e148e 100644 +--- a/include/rule.h ++++ b/include/rule.h +@@ -695,6 +695,7 @@ void monitor_free(struct monitor *m); + #define NFT_NLATTR_LOC_MAX 32 + + struct nlerr_loc { ++ uint32_t seqnum; + uint32_t offset; + const struct location *location; + }; +@@ -717,7 +718,8 @@ struct cmd { + enum cmd_ops op; + enum cmd_obj obj; + struct handle handle; +- uint32_t seqnum; ++ uint32_t seqnum_from; ++ uint32_t seqnum_to; + union { + void *data; + struct expr *expr; +diff --git a/src/cmd.c b/src/cmd.c +index 0c7a43e..eb44b98 100644 +--- a/src/cmd.c ++++ b/src/cmd.c +@@ -24,6 +24,7 @@ void cmd_add_loc(struct cmd *cmd, const struct nlmsghdr *nlh, const struct locat + cmd->attr = xrealloc(cmd->attr, sizeof(struct nlerr_loc) * cmd->attr_array_len); + } + ++ cmd->attr[cmd->num_attrs].seqnum = nlh->nlmsg_seq; + cmd->attr[cmd->num_attrs].offset = nlh->nlmsg_len; + cmd->attr[cmd->num_attrs].location = loc; + cmd->num_attrs++; +@@ -323,7 +324,8 @@ void nft_cmd_error(struct netlink_ctx *ctx, struct cmd *cmd, + uint32_t i; + + for (i = 0; i < cmd->num_attrs; i++) { +- if (cmd->attr[i].offset == err->offset) ++ if (cmd->attr[i].seqnum == err->seqnum && ++ cmd->attr[i].offset == err->offset) + loc = cmd->attr[i].location; + } + +diff --git a/src/libnftables.c b/src/libnftables.c +index 3550961..1df22b3 100644 +--- a/src/libnftables.c ++++ b/src/libnftables.c +@@ -39,7 +39,7 @@ static int nft_netlink(struct nft_ctx *nft, + + batch_seqnum = mnl_batch_begin(ctx.batch, mnl_seqnum_inc(&seqnum)); + list_for_each_entry(cmd, cmds, list) { +- ctx.seqnum = cmd->seqnum = mnl_seqnum_inc(&seqnum); ++ ctx.seqnum = cmd->seqnum_from = mnl_seqnum_inc(&seqnum); + ret = do_command(&ctx, 
cmd); + if (ret < 0) { + netlink_io_error(&ctx, &cmd->location, +@@ -47,6 +47,8 @@ static int nft_netlink(struct nft_ctx *nft, + strerror(errno)); + goto out; + } ++ seqnum = cmd->seqnum_to = ctx.seqnum; ++ mnl_seqnum_inc(&seqnum); + num_cmds++; + } + if (!nft->check) +@@ -80,12 +82,14 @@ static int nft_netlink(struct nft_ctx *nft, + cmd = list_first_entry(cmds, struct cmd, list); + + list_for_each_entry_from(cmd, cmds, list) { +- last_seqnum = cmd->seqnum; +- if (err->seqnum == cmd->seqnum || ++ last_seqnum = cmd->seqnum_to; ++ if ((err->seqnum >= cmd->seqnum_from && ++ err->seqnum <= cmd->seqnum_to) || + err->seqnum == batch_seqnum) { + nft_cmd_error(&ctx, cmd, err); + errno = err->err; +- if (err->seqnum == cmd->seqnum) { ++ if (err->seqnum >= cmd->seqnum_from || ++ err->seqnum <= cmd->seqnum_to) { + mnl_err_list_free(err); + break; + } +diff --git a/src/mnl.c b/src/mnl.c +index 42d1b0d..12a6345 100644 +--- a/src/mnl.c ++++ b/src/mnl.c +@@ -1722,7 +1722,7 @@ static void netlink_dump_setelem_done(struct netlink_ctx *ctx) + static int mnl_nft_setelem_batch(const struct nftnl_set *nls, struct cmd *cmd, + struct nftnl_batch *batch, + enum nf_tables_msg_types msg_type, +- unsigned int flags, uint32_t seqnum, ++ unsigned int flags, uint32_t *seqnum, + const struct expr *set, + struct netlink_ctx *ctx) + { +@@ -1741,7 +1741,7 @@ static int mnl_nft_setelem_batch(const struct nftnl_set *nls, struct cmd *cmd, + next: + nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(batch), msg_type, + nftnl_set_get_u32(nls, NFTNL_SET_FAMILY), +- flags, seqnum); ++ flags, *seqnum); + + if (nftnl_set_is_set(nls, NFTNL_SET_TABLE)) { + mnl_attr_put_strz(nlh, NFTA_SET_ELEM_LIST_TABLE, +@@ -1774,6 +1774,7 @@ next: + if (mnl_nft_attr_nest_overflow(nlh, nest1, nest2)) { + mnl_attr_nest_end(nlh, nest1); + mnl_nft_batch_continue(batch); ++ mnl_seqnum_inc(seqnum); + goto next; + } + } +@@ -1808,7 +1809,7 @@ int mnl_nft_setelem_add(struct netlink_ctx *ctx, struct cmd *cmd, + netlink_dump_set(nls, 
ctx); + + err = mnl_nft_setelem_batch(nls, cmd, ctx->batch, NFT_MSG_NEWSETELEM, +- flags, ctx->seqnum, expr, ctx); ++ flags, &ctx->seqnum, expr, ctx); + nftnl_set_free(nls); + + return err; +@@ -1868,7 +1869,7 @@ int mnl_nft_setelem_del(struct netlink_ctx *ctx, struct cmd *cmd, + msg_type = NFT_MSG_DESTROYSETELEM; + + err = mnl_nft_setelem_batch(nls, cmd, ctx->batch, msg_type, 0, +- ctx->seqnum, init, ctx); ++ &ctx->seqnum, init, ctx); + nftnl_set_free(nls); + + return err; +diff --git a/src/parser_json.c b/src/parser_json.c +index bbe3b1c..37ec34c 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -4269,13 +4269,13 @@ static json_t *seqnum_to_json(const uint32_t seqnum) + cur = json_cmd_assoc_list; + json_cmd_assoc_list = cur->next; + +- key = cur->cmd->seqnum % CMD_ASSOC_HSIZE; ++ key = cur->cmd->seqnum_from % CMD_ASSOC_HSIZE; + hlist_add_head(&cur->hnode, &json_cmd_assoc_hash[key]); + } + + key = seqnum % CMD_ASSOC_HSIZE; + hlist_for_each_entry(cur, n, &json_cmd_assoc_hash[key], hnode) { +- if (cur->cmd->seqnum == seqnum) ++ if (cur->cmd->seqnum_from == seqnum) + return cur->json; + } + diff --git a/0008-tests-monitor-fix-up-test-case-breakage.patch b/0008-tests-monitor-fix-up-test-case-breakage.patch new file mode 100644 index 0000000..74272ef --- /dev/null +++ b/0008-tests-monitor-fix-up-test-case-breakage.patch 
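Review bot: In the src/libnftables.c hunk of this patch the inner range test is joined with `||` while the enclosing condition two lines above uses `&&`; for an unsigned sequence number with seqnum_from <= seqnum_to, `err->seqnum >= cmd->seqnum_from || err->seqnum <= cmd->seqnum_to` holds for every value, so the `mnl_err_list_free(err); break;` path is now also taken when the match came only from `err->seqnum == batch_seqnum`, which the replaced `err->seqnum == cmd->seqnum` test excluded. If the old behaviour (a batch-level error is attributed to every command, and the loop runs on) is still intended, the line should read `if (err->seqnum >= cmd->seqnum_from && err->seqnum <= cmd->seqnum_to) {`; if the new behaviour is intended, a one-line comment saying so would avoid the next reader fixing it back. The `seqnum = cmd->seqnum_to = ctx.seqnum;` assignment relies on do_command() having advanced ctx.seqnum through mnl_nft_setelem_batch()'s new `mnl_seqnum_inc(seqnum)`; a brief comment above it, such as `/* do_command() may have consumed several seqnums for one cmd */`, would document that coupling. nft_netlink's body extends beyond the quoted hunks.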
@@ -0,0 +1,62 @@ +From 42ba69f76beabde5f22a8616469fb296ac72e16e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] tests: monitor: fix up test case breakage + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit c416416b03d804663c5f7a738a3e1449eeb28157 + +commit c416416b03d804663c5f7a738a3e1449eeb28157 +Author: Florian Westphal +Date: Tue Oct 29 21:12:19 2024 +0100 + + tests: monitor: fix up test case breakage + + Monitor test fails: + + echo: running tests from file set-simple.t + echo output differs! + -add element ip t portrange { 1024-65535 } + add element ip t portrange { 100-200 } + +add element ip t portrange { 1024-65535 } + +# new generation 510 by process 129009 (nft) + + I also noticed -j mode did not work correctly, add missing json annotations + in set-concat-interval.t while at it. + + 
Signed-off-by: Florian Westphal + +Signed-off-by: Phil Sutter +--- + tests/monitor/testcases/set-concat-interval.t | 3 +++ + tests/monitor/testcases/set-simple.t | 5 +++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tests/monitor/testcases/set-concat-interval.t b/tests/monitor/testcases/set-concat-interval.t +index 763dc31..75f3828 100644 +--- a/tests/monitor/testcases/set-concat-interval.t ++++ b/tests/monitor/testcases/set-concat-interval.t +@@ -10,3 +10,6 @@ I add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; elem + O add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; } + O add element ip t s { 20-80 . 0x14 : accept } + O add element ip t s { 1-10 . 0xa : drop } ++J {"add": {"map": {"family": "ip", "name": "s", "table": "t", "type": ["integer", "integer"], "handle": 0, "map": "verdict", "flags": ["interval"]}}} ++J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [[{"concat": [{"range": [20, 80]}, 20]}, {"accept": null}]]}}}} ++J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [[{"concat": [{"range": [1, 10]}, 10]}, {"drop": null}]]}}}} +diff --git a/tests/monitor/testcases/set-simple.t b/tests/monitor/testcases/set-simple.t +index 8ca4f32..6853a0e 100644 +--- a/tests/monitor/testcases/set-simple.t ++++ b/tests/monitor/testcases/set-simple.t +@@ -37,9 +37,10 @@ J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem" + # make sure half open before other element works + I add element ip t portrange { 1024-65535 } + I add element ip t portrange { 100-200 } +-O - +-J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}} ++O add element ip t portrange { 100-200 } ++O add element ip t portrange { 1024-65535 } + J {"add": {"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [100, 200]}]}}}} ++J {"add": 
{"element": {"family": "ip", "table": "t", "name": "portrange", "elem": {"set": [{"range": [1024, 65535]}]}}}} + + # make sure deletion of elements works + I delete element ip t portrange { 0-10 } diff --git a/0009-doc-extend-description-of-fib-expression.patch b/0009-doc-extend-description-of-fib-expression.patch new file mode 100644 index 0000000..b1e2689 --- /dev/null +++ b/0009-doc-extend-description-of-fib-expression.patch @@ -0,0 +1,142 @@ +From 86deb09d9886a9ef9c089a6edc0859419e8b4dfd Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:45 +0100 +Subject: [PATCH] doc: extend description of fib expression + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit be4b61c05a2491aad596aa9243b17b13c937b347 + +commit be4b61c05a2491aad596aa9243b17b13c937b347 +Author: Florian Westphal +Date: Thu Oct 10 15:37:42 2024 +0200 + + doc: extend description of fib expression + + Describe the input keys and the result types. + Mention which input keys are mandatory and which keys are mutually + exclusive. + + Describe which hooks can be used with the various lookup modifiers + and extend the examples with more information on fib expression + capabilities. + + Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1663 + 
Signed-off-by: Florian Westphal + Reviewed-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + doc/primary-expression.txt | 77 +++++++++++++++++++++++++++++++------- + 1 file changed, 63 insertions(+), 14 deletions(-) + +diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt +index 782494b..c6a33bb 100644 +--- a/doc/primary-expression.txt ++++ b/doc/primary-expression.txt +@@ -310,17 +310,48 @@ table inet x { + FIB EXPRESSIONS + ~~~~~~~~~~~~~~~ + [verse] +-*fib* {*saddr* | *daddr* | *mark* | *iif* | *oif*} [*.* ...] {*oif* | *oifname* | *type*} ++*fib* 'FIB_TUPLE' 'FIB_RESULT' ++'FIB_TUPLE' := { *saddr* | *daddr*} [ *.* { *iif* | *oif* } *.* *mark* ] ++'FIB_RESULT' := { *oif* | *oifname* | *type* } + +-A fib expression queries the fib (forwarding information base) to obtain +-information such as the output interface index a particular address would use. +-The input is a tuple of elements that is used as input to the fib lookup +-functions. + +-.fib expression specific types ++A fib expression queries the fib (forwarding information base) to obtain information ++such as the output interface index. ++ ++The first arguments to the *fib* expression are the input keys to be passed to the fib lookup function. ++One of *saddr* or *daddr* is mandatory, they are also mutually exclusive. ++ ++*mark*, *iif* and *oif* keywords are optional modifiers to influence the search result, see ++the *FIB_TUPLE* keyword table below for a description. ++The *iif* and *oif* tuple keywords are also mutually exclusive. ++ ++The last argument to the *fib* expression is the desired result type. ++ ++*oif* asks to obtain the interface index that would be used to send packets to the packets source ++(*saddr* key) or destination (*daddr* key). If no routing entry is found, the returned interface ++index is 0. ++ ++*oifname* is like *oif*, but it fills the interface name instead. This is useful to check dynamic ++interfaces such as ppp devices. 
If no entry is found, an empty interface name is returned. ++ ++*type* returns the address type such as unicast or multicast. A complete list of supported ++address types can be shown with *nft* *describe* *fib_addrtype*. ++ ++.FIB_TUPLE keywords + [options="header"] + |================== +-|Keyword| Description| Type ++|flag| Description ++|daddr| Perform a normal route lookup: search fib for route to the *destination address* of the packet. ++|saddr| Perform a reverse route lookup: search the fib for route to the *source address* of the packet. ++|mark | consider the packet mark (nfmark) when querying the fib. ++|iif | if fib lookups provides a route then check its output interface is identical to the packets *input* interface. ++|oif | if fib lookups provides a route then check its output interface is identical to the packets *output* interface. This flag can only be used with the *type* result. ++|======================= ++ ++.FIB_RESULT keywords ++[options="header"] ++|================== ++|Keyword| Description| Result Type + |oif| + Output interface index| + integer (32 bit) +@@ -329,25 +360,43 @@ Output interface name| + string + |type| + Address type | +-fib_addrtype ++fib_addrtype (see *nft* *describe* *fib_addrtype* for a list) + |======================= + +-Use *nft* *describe* *fib_addrtype* to get a list of all address types. ++The *oif* and *oifname* result is only valid in the *prerouting*, *input* and *forward* hooks. ++The *type* can be queried from any one of *prerouting*, *input*, *forward* *output* and *postrouting*. ++ ++For *type*, the presence of the *iif* keyword in the 'FIB_TUPLE' modifiers restrict the available ++hooks to those where the packet is associated with an incoming interface, i.e. *prerouting*, *input* and *forward*. ++Likewise, the *oif* keyword in the 'FIB_TUPLE' modifier list will limit the available hooks to ++*forward*, *output* and *postrouting*. 
+ + .Using fib expressions + ---------------------- + # drop packets without a reverse path + filter prerouting fib saddr . iif oif missing drop + +-In this example, 'saddr . iif' looks up routing information based on the source address and the input interface. +-oif picks the output interface index from the routing information. ++In this example, 'saddr . iif' looks up a route to the *source address* of the packet and restricts matching ++results to the interface that the packet arrived on, then stores the output interface index from the obtained ++fib route result. ++ + If no route was found for the source address/input interface combination, the output interface index is zero. +-In case the input interface is specified as part of the input key, the output interface index is always the same as the input interface index or zero. +-If only 'saddr oif' is given, then oif can be any interface index or zero. ++Hence, this rule will drop all packets that do not have a strict reverse path (hypothetical reply packet ++would be sent via the interface the tested packet arrived on). ++ ++If only 'saddr oif' is used as the input key, then this rule would only drop packets where the fib cannot ++find a route. In most setups this will never drop packets because the default route is returned. + +-# drop packets to address not configured on incoming interface ++# drop packets if the destination ip address is not configured on the incoming interface + filter prerouting fib daddr . iif type != { local, broadcast, multicast } drop + ++This queries the fib based on the current packets' destination address and the incoming interface. ++ ++If the packet is sent to a unicast address that is configured on a different interface, then the packet ++will be dropped as such an address would be classified as 'unicast' type. 
++Without the 'iif' modifier, any address configured on the local machine is 'local', and unicast addresses ++not configured on any interface would return the type 'unicast'. ++ + # perform lookup in a specific 'blackhole' table (0xdead, needs ip appropriate ip rule) + filter prerouting meta mark set 0xdead fib daddr . mark type vmap { blackhole : drop, prohibit : jump prohibited, unreachable : drop } + ---------------------- diff --git a/0010-json-collapse-set-element-commands-from-parser.patch b/0010-json-collapse-set-element-commands-from-parser.patch new file mode 100644 index 0000000..ca21fc0 --- /dev/null +++ b/0010-json-collapse-set-element-commands-from-parser.patch @@ -0,0 +1,83 @@ +From 21295af879d5cc6a41bd823e708a97684034ed1e Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:46 +0100 +Subject: [PATCH] json: collapse set element commands from parser + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit 193faa5475a5df7d9ac0b1a8fe647196de3e5688 + +commit 193faa5475a5df7d9ac0b1a8fe647196de3e5688 +Author: Pablo Neira Ayuso +Date: Thu Oct 31 21:38:02 2024 +0100 + + json: collapse set element commands from parser + + Update json parser to collapse {add,create} element commands to reduce + memory consumption in the case of large sets defined by one element per + command: + + {"nftables": [{"add": {"element": {"family": "ip", "table": "x", "name": + "y", "elem": [{"set": ["1.1.0.0"]}]}}},...]} + + Add CTX_F_COLLAPSED flag to report that command has been collapsed. + + This patch reduces memory consumption by ~32% this case. + + Fixes: 20f1c60ac8c8 ("src: collapse set element commands from parser") + Reported-by: Eric Garver + Tested-by: Eric Garver + 
Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ src/parser_json.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/parser_json.c b/src/parser_json.c
+index 37ec34c..68c0600 100644
+--- a/src/parser_json.c
++++ b/src/parser_json.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -49,6 +50,7 @@
+ #define CTX_F_SES (1 << 6) /* set_elem_expr_stmt */
+ #define CTX_F_MAP (1 << 7) /* LHS of map_expr */
+ #define CTX_F_CONCAT (1 << 8) /* inside concat_expr */
++#define CTX_F_COLLAPSED (1 << 9)
+
+ struct json_ctx {
+ struct nft_ctx *nft;
+@@ -3490,6 +3492,15 @@ static struct cmd *json_parse_cmd_add_element(struct json_ctx *ctx,
+ handle_free(&h);
+ return NULL;
+ }
++
++ if ((op == CMD_CREATE || op == CMD_ADD) &&
++ nft_cmd_collapse_elems(op, ctx->cmds, &h, expr)) {
++ handle_free(&h);
++ expr_free(expr);
++ ctx->flags |= CTX_F_COLLAPSED;
++ return NULL;
++ }
++
+ return cmd_alloc(op, cmd_obj, &h, int_loc, expr);
+ }
+
+@@ -4319,6 +4330,11 @@ static int __json_parse(struct json_ctx *ctx)
+ cmd = json_parse_cmd(ctx, value);
+
+ if (!cmd) {
++ if (ctx->flags & CTX_F_COLLAPSED) {
++ ctx->flags &= ~CTX_F_COLLAPSED;
++ continue;
++ }
++
+ json_error(ctx, "Parsing command array at index %zd failed.", index);
+ return -1;
+ }
diff --git a/0011-json-Support-typeof-in-set-and-map-types.patch b/0011-json-Support-typeof-in-set-and-map-types.patch
new file mode 100644
index 0000000..2345b6a
--- /dev/null
+++ b/0011-json-Support-typeof-in-set-and-map-types.patch
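Review bot: `#define CTX_F_COLLAPSED (1 << 9)` is the only CTX_F_ flag in that block without the trailing purpose comment its neighbours carry; suggest `#define CTX_F_COLLAPSED (1 << 9) /* add/create element cmd merged into previous */`. The collapsed path in json_parse_cmd_add_element frees `h` and `expr` and returns NULL, turning NULL into a "success, nothing to allocate" signal that only __json_parse is taught to recognise; any other caller that reaches json_parse_cmd_add_element and treats NULL as failure would now report a spurious parse error, which is worth confirming against the rest of parser_json.c. A comment on that return, such as `/* not an error: NULL with CTX_F_COLLAPSED set, see __json_parse() */`, would make the contract visible at the point it is established rather than only where it is consumed.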
@@ -0,0 +1,526 @@ +From d66b043a46f4b8e48ab96503613d4ea7483899d4 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:46 +0100 +Subject: [PATCH] json: Support typeof in set and map types + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit bb6312484af93a83a9ec8716f3887a43566a775a + +commit bb6312484af93a83a9ec8716f3887a43566a775a +Author: Phil Sutter +Date: Sat Sep 28 00:55:34 2024 +0200 + + json: Support typeof in set and map types + + Implement this as a special "type" property value which is an object + with sole property "typeof". The latter's value is the JSON + representation of the expression in set->key, so for concatenated + typeofs it is a concat expression. + + All this is a bit clumsy right now but it works and it should be + possible to tear it down a bit for more user-friendliness in a + compatible way by either replacing the concat expression by the array it + contains or even the whole "typeof" object - the parser would just + assume any object (or objects in an array) in the "type" property value + are expressions to extract a type from. + + 
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + doc/libnftables-json.adoc | 7 ++- + src/json.c | 13 ++++- + src/parser_json.c | 9 +++ + tests/monitor/testcases/map-expr.t | 2 +- + tests/monitor/testcases/set-concat-interval.t | 2 +- + .../maps/dumps/0012map_concat_0.json-nft | 21 +++++-- + .../maps/dumps/0017_map_variable_0.json-nft | 18 +++++- + .../maps/dumps/named_limits.json-nft | 55 ++++++++++++++++--- + .../dumps/typeof_maps_add_delete.json-nft | 9 ++- + .../maps/dumps/typeof_maps_update_0.json-nft | 9 ++- + .../maps/dumps/vmap_timeout.json-nft | 22 ++++++-- + .../packetpath/dumps/set_lookups.json-nft | 42 +++++++++++--- + .../sets/dumps/0048set_counters_0.json-nft | 9 ++- + .../testcases/sets/dumps/inner_0.json-nft | 34 ++++++++++-- + .../set_element_timeout_updates.json-nft | 9 ++- + 15 files changed, 220 insertions(+), 41 deletions(-) + +diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc +index 2f29ac0..244eb41 100644 +--- a/doc/libnftables-json.adoc ++++ b/doc/libnftables-json.adoc +@@ -341,7 +341,7 @@ ____ + "auto-merge":* 'BOOLEAN' + *}}* + +-'SET_TYPE' := 'STRING' | *[* 'SET_TYPE_LIST' *]* ++'SET_TYPE' := 'STRING' | *[* 'SET_TYPE_LIST' *]* | *{ "typeof":* 'EXPRESSION' *}* + 'SET_TYPE_LIST' := 'STRING' [*,* 'SET_TYPE_LIST' ] + 'SET_POLICY' := *"performance"* | *"memory"* + 'SET_FLAG_LIST' := 'SET_FLAG' [*,* 'SET_FLAG_LIST' ] +@@ -381,8 +381,9 @@ that they translate a unique key to a value. + Automatic merging of adjacent/overlapping set elements in interval sets. + + ==== TYPE +-The set type might be a string, such as *"ipv4_addr"* or an array +-consisting of strings (for concatenated types). ++The set type might be a string, such as *"ipv4_addr"*, an array ++consisting of strings (for concatenated types) or a *typeof* object containing ++an expression to extract the type from. 
+ + ==== ELEM + A single set element might be given as string, integer or boolean value for +diff --git a/src/json.c b/src/json.c +index b1531ff..1f609bf 100644 +--- a/src/json.c ++++ b/src/json.c +@@ -96,6 +96,17 @@ static json_t *set_dtype_json(const struct expr *key) + return root; + } + ++static json_t *set_key_dtype_json(const struct set *set, ++ struct output_ctx *octx) ++{ ++ bool use_typeof = set->key_typeof_valid; ++ ++ if (!use_typeof) ++ return set_dtype_json(set->key); ++ ++ return json_pack("{s:o}", "typeof", expr_print_json(set->key, octx)); ++} ++ + static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) + { + char buf[1024]; +@@ -158,7 +169,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) + "family", family2str(set->handle.family), + "name", set->handle.set.name, + "table", set->handle.table.name, +- "type", set_dtype_json(set->key), ++ "type", set_key_dtype_json(set, octx), + "handle", set->handle.handle.id); + + if (set->comment) +diff --git a/src/parser_json.c b/src/parser_json.c +index 68c0600..02cfcd6 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -1731,7 +1731,16 @@ static struct expr *json_parse_dtype_expr(struct json_ctx *ctx, json_t *root) + compound_expr_add(expr, i); + } + return expr; ++ } else if (json_is_object(root)) { ++ const char *key; ++ json_t *val; ++ ++ if (!json_unpack_stmt(ctx, root, &key, &val) && ++ !strcmp(key, "typeof")) { ++ return json_parse_expr(ctx, val); ++ } + } ++ + json_error(ctx, "Invalid set datatype."); + return NULL; + } +diff --git a/tests/monitor/testcases/map-expr.t b/tests/monitor/testcases/map-expr.t +index 8729c0b..d11ad0e 100644 +--- a/tests/monitor/testcases/map-expr.t ++++ b/tests/monitor/testcases/map-expr.t +@@ -3,4 +3,4 @@ I add table ip t + I add map ip t m { typeof meta day . 
meta hour : verdict; flags interval; counter; } + O - + J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}} +-J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": ["day", "hour"], "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}} ++J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": {"typeof": {"concat": [{"meta": {"key": "day"}}, {"meta": {"key": "hour"}}]}}, "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}} +diff --git a/tests/monitor/testcases/set-concat-interval.t b/tests/monitor/testcases/set-concat-interval.t +index 75f3828..3542b82 100644 +--- a/tests/monitor/testcases/set-concat-interval.t ++++ b/tests/monitor/testcases/set-concat-interval.t +@@ -10,6 +10,6 @@ I add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; elem + O add map ip t s { typeof udp length . @ih,32,32 : verdict; flags interval; } + O add element ip t s { 20-80 . 0x14 : accept } + O add element ip t s { 1-10 . 
0xa : drop } +-J {"add": {"map": {"family": "ip", "name": "s", "table": "t", "type": ["integer", "integer"], "handle": 0, "map": "verdict", "flags": ["interval"]}}} ++J {"add": {"map": {"family": "ip", "name": "s", "table": "t", "type": {"typeof": {"concat": [{"payload": {"protocol": "udp", "field": "length"}}, {"payload": {"base": "ih", "offset": 32, "len": 32}}]}}, "handle": 0, "map": "verdict", "flags": ["interval"]}}} + J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [[{"concat": [{"range": [20, 80]}, 20]}, {"accept": null}]]}}}} + J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [[{"concat": [{"range": [1, 10]}, 10]}, {"drop": null}]]}}}} +diff --git a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft +index 0005223..88bf498 100644 +--- a/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft ++++ b/tests/shell/testcases/maps/dumps/0012map_concat_0.json-nft +@@ -31,10 +31,23 @@ + "family": "ip", + "name": "w", + "table": "x", +- "type": [ +- "ipv4_addr", +- "mark" +- ], ++ "type": { ++ "typeof": { ++ "concat": [ ++ { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ }, ++ { ++ "meta": { ++ "key": "mark" ++ } ++ } ++ ] ++ } ++ }, + "handle": 0, + "map": "verdict", + "flags": [ +diff --git a/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft b/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft +index 725498c..8eacf61 100644 +--- a/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft ++++ b/tests/shell/testcases/maps/dumps/0017_map_variable_0.json-nft +@@ -19,7 +19,14 @@ + "family": "ip", + "name": "y", + "table": "x", +- "type": "ipv4_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ } ++ }, + "handle": 0, + "map": "mark", + "elem": [ +@@ -39,7 +46,14 @@ + "family": "ip", + "name": "z", + "table": "x", +- "type": "ipv4_addr", ++ 
"type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ } ++ }, + "handle": 0, + "map": "mark", + "elem": [ +diff --git a/tests/shell/testcases/maps/dumps/named_limits.json-nft b/tests/shell/testcases/maps/dumps/named_limits.json-nft +index 7fa1298..3c6845a 100644 +--- a/tests/shell/testcases/maps/dumps/named_limits.json-nft ++++ b/tests/shell/testcases/maps/dumps/named_limits.json-nft +@@ -75,7 +75,14 @@ + "family": "inet", + "name": "tarpit4", + "table": "filter", +- "type": "ipv4_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ } ++ }, + "handle": 0, + "size": 10000, + "flags": [ +@@ -90,7 +97,14 @@ + "family": "inet", + "name": "tarpit6", + "table": "filter", +- "type": "ipv6_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip6", ++ "field": "saddr" ++ } ++ } ++ }, + "handle": 0, + "size": 10000, + "flags": [ +@@ -105,11 +119,29 @@ + "family": "inet", + "name": "addr4limit", + "table": "filter", +- "type": [ +- "inet_proto", +- "ipv4_addr", +- "inet_service" +- ], ++ "type": { ++ "typeof": { ++ "concat": [ ++ { ++ "meta": { ++ "key": "l4proto" ++ } ++ }, ++ { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ }, ++ { ++ "payload": { ++ "protocol": "tcp", ++ "field": "sport" ++ } ++ } ++ ] ++ } ++ }, + "handle": 0, + "map": "limit", + "flags": [ +@@ -244,7 +276,14 @@ + "family": "inet", + "name": "saddr6limit", + "table": "filter", +- "type": "ipv6_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip6", ++ "field": "saddr" ++ } ++ } ++ }, + "handle": 0, + "map": "limit", + "flags": [ +diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft +index b3204a2..effe02d 100644 +--- a/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft ++++ b/tests/shell/testcases/maps/dumps/typeof_maps_add_delete.json-nft +@@ -39,7 +39,14 @@ + "family": 
"ip", + "name": "dynmark", + "table": "dynset", +- "type": "ipv4_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip", ++ "field": "daddr" ++ } ++ } ++ }, + "handle": 0, + "map": "mark", + "size": 64, +diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft +index 1d50477..7315146 100644 +--- a/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft ++++ b/tests/shell/testcases/maps/dumps/typeof_maps_update_0.json-nft +@@ -50,7 +50,14 @@ + "family": "ip", + "name": "sticky-set-svc-153CN2XYVUHRQ7UB", + "table": "kube-nfproxy-v4", +- "type": "ipv4_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip", ++ "field": "daddr" ++ } ++ } ++ }, + "handle": 0, + "map": "mark", + "size": 65535, +diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft +index 1c3aa59..71e9a9e 100644 +--- a/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft ++++ b/tests/shell/testcases/maps/dumps/vmap_timeout.json-nft +@@ -87,10 +87,24 @@ + "family": "inet", + "name": "portaddrmap", + "table": "filter", +- "type": [ +- "ipv4_addr", +- "inet_service" +- ], ++ "type": { ++ "typeof": { ++ "concat": [ ++ { ++ "payload": { ++ "protocol": "ip", ++ "field": "daddr" ++ } ++ }, ++ { ++ "payload": { ++ "protocol": "th", ++ "field": "dport" ++ } ++ } ++ ] ++ } ++ }, + "handle": 0, + "map": "verdict", + "flags": [ +diff --git a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft +index 24363f9..bcf6914 100644 +--- a/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft ++++ b/tests/shell/testcases/packetpath/dumps/set_lookups.json-nft +@@ -60,10 +60,23 @@ + "family": "ip", + "name": "s2", + "table": "t", +- "type": [ +- "ipv4_addr", +- "iface_index" +- ], ++ "type": { ++ "typeof": { ++ "concat": [ ++ { ++ "payload": { ++ "protocol": 
"ip", ++ "field": "saddr" ++ } ++ }, ++ { ++ "meta": { ++ "key": "iif" ++ } ++ } ++ ] ++ } ++ }, + "handle": 0, + "elem": [ + { +@@ -113,10 +126,23 @@ + "family": "ip", + "name": "nomatch", + "table": "t", +- "type": [ +- "ipv4_addr", +- "iface_index" +- ], ++ "type": { ++ "typeof": { ++ "concat": [ ++ { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ }, ++ { ++ "meta": { ++ "key": "iif" ++ } ++ } ++ ] ++ } ++ }, + "handle": 0, + "elem": [ + { +diff --git a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft +index 62a6a17..4be4112 100644 +--- a/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft ++++ b/tests/shell/testcases/sets/dumps/0048set_counters_0.json-nft +@@ -31,7 +31,14 @@ + "family": "ip", + "name": "y", + "table": "x", +- "type": "ipv4_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ } ++ }, + "handle": 0, + "elem": [ + { +diff --git a/tests/shell/testcases/sets/dumps/inner_0.json-nft b/tests/shell/testcases/sets/dumps/inner_0.json-nft +index 8d84e1c..e5dc198 100644 +--- a/tests/shell/testcases/sets/dumps/inner_0.json-nft ++++ b/tests/shell/testcases/sets/dumps/inner_0.json-nft +@@ -27,10 +27,26 @@ + "family": "netdev", + "name": "x", + "table": "x", +- "type": [ +- "ipv4_addr", +- "ipv4_addr" +- ], ++ "type": { ++ "typeof": { ++ "concat": [ ++ { ++ "payload": { ++ "tunnel": "vxlan", ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ }, ++ { ++ "payload": { ++ "tunnel": "vxlan", ++ "protocol": "ip", ++ "field": "daddr" ++ } ++ } ++ ] ++ } ++ }, + "handle": 0, + "elem": [ + { +@@ -47,7 +63,15 @@ + "family": "netdev", + "name": "y", + "table": "x", +- "type": "ipv4_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "tunnel": "vxlan", ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ } ++ }, + "handle": 0, + "size": 65535, + "flags": [ +diff --git 
a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft +index aa90829..d92d8d7 100644 +--- a/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft ++++ b/tests/shell/testcases/sets/dumps/set_element_timeout_updates.json-nft +@@ -31,7 +31,14 @@ + "family": "ip", + "name": "s", + "table": "t", +- "type": "ipv4_addr", ++ "type": { ++ "typeof": { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ } ++ }, + "handle": 0, + "flags": [ + "timeout" diff --git a/0012-tests-py-Fix-for-storing-payload-into-missing-file.patch b/0012-tests-py-Fix-for-storing-payload-into-missing-file.patch new file mode 100644 index 0000000..504ae68 --- /dev/null +++ b/0012-tests-py-Fix-for-storing-payload-into-missing-file.patch @@ -0,0 +1,43 @@ +From 6c31db6766df3bdeb1ff6039e651a54850b68aa3 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:46 +0100 +Subject: [PATCH] tests: py: Fix for storing payload into missing file + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit c1c0c54e237c880adaa8172b93d7450e6c617cfc + +commit c1c0c54e237c880adaa8172b93d7450e6c617cfc +Author: Phil Sutter +Date: Wed Oct 2 19:55:49 2024 +0200 + + tests: py: Fix for storing payload into missing file + + When running a test for which no corresponding *.payload file exists, + the *.payload.got file name was incorrectly constructed due to + 'payload_path' variable not being set. + + Fixes: 2cfab7a3e10fc ("tests/py: Write dissenting payload into the right file") + 
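Review bot: In set_key_dtype_json the `bool use_typeof` local only mirrors `set->key_typeof_valid`, and the early return can test the field directly: `if (!set->key_typeof_valid) return set_dtype_json(set->key);`. In json_parse_dtype_expr's new object branch any expression found under "typeof" is returned as the key type; whether an expression that cannot serve as a set key (a constant, for instance) is rejected later is not visible from this hunk, so either a check belongs here or a comment should state that set evaluation validates the result. The helper name `json_unpack_stmt` suggests statement parsing, so a short comment that it is used here only to pull the object's single key/value pair would help readers.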
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + tests/py/nft-test.py | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py +index 00799e2..7acdb77 100755 +--- a/tests/py/nft-test.py ++++ b/tests/py/nft-test.py +@@ -769,10 +769,9 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path): + + if rule[1].strip() == "ok": + payload_expected = None +- payload_path = None ++ payload_path = "%s.payload" % filename_path + try: +- payload_log = open("%s.payload" % filename_path) +- payload_path = payload_log.name ++ payload_log = open(payload_path) + payload_expected = payload_find_expected(payload_log, rule[0]) + except: + payload_log = None diff --git a/0013-monitor-Recognize-flowtable-add-del-events.patch b/0013-monitor-Recognize-flowtable-add-del-events.patch new file mode 100644 index 0000000..ee74367 --- /dev/null +++ b/0013-monitor-Recognize-flowtable-add-del-events.patch @@ -0,0 +1,260 @@ +From 8cfbb8c3427f232484bacab3116f6925f3976c7b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 7 Nov 2024 18:38:46 +0100 +Subject: [PATCH] monitor: Recognize flowtable add/del events + +JIRA: https://issues.redhat.com/browse/RHEL-65346 +Upstream Status: nftables commit 73a8adfc2432ec8337288cc90e7c9f4509139846 + +commit 73a8adfc2432ec8337288cc90e7c9f4509139846 +Author: Phil Sutter +Date: Wed May 15 16:01:20 2024 +0200 + + monitor: Recognize flowtable add/del events + + These were entirely ignored before, add the necessary code analogous to + e.g. objects. + + 
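Review bot: The bare `except:` that follows the changed `open(payload_path)` still swallows every exception, including errors raised inside payload_find_expected and KeyboardInterrupt, so a malformed .payload file is silently treated as a missing one. Since the intent is to tolerate a missing file, catch only that: `except OSError:` (or `FileNotFoundError`), and let parsing failures propagate. The handler body continues past the hunk.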
Signed-off-by: Phil Sutter + +Signed-off-by: Phil Sutter +--- + include/json.h | 10 ++++ + include/netlink.h | 1 + + include/rule.h | 1 + + src/json.c | 6 +++ + src/monitor.c | 61 ++++++++++++++++++++++ + src/parser_json.c | 6 +++ + src/rule.c | 15 ++++++ + tests/monitor/testcases/flowtable-simple.t | 10 ++++ + 8 files changed, 110 insertions(+) + create mode 100644 tests/monitor/testcases/flowtable-simple.t + +diff --git a/include/json.h b/include/json.h +index 39be892..0670b87 100644 +--- a/include/json.h ++++ b/include/json.h +@@ -11,6 +11,7 @@ struct nlmsghdr; + struct rule; + struct set; + struct obj; ++struct flowtable; + struct stmt; + struct symbol_table; + struct table; +@@ -113,6 +114,8 @@ void monitor_print_element_json(struct netlink_mon_handler *monh, + const char *cmd, struct set *s); + void monitor_print_obj_json(struct netlink_mon_handler *monh, + const char *cmd, struct obj *o); ++void monitor_print_flowtable_json(struct netlink_mon_handler *monh, ++ const char *cmd, struct flowtable *ft); + void monitor_print_rule_json(struct netlink_mon_handler *monh, + const char *cmd, struct rule *r); + +@@ -254,6 +257,13 @@ static inline void monitor_print_obj_json(struct netlink_mon_handler *monh, + /* empty */ + } + ++static inline void ++monitor_print_flowtable_json(struct netlink_mon_handler *monh, ++ const char *cmd, struct flowtable *ft) ++{ ++ /* empty */ ++} ++ + static inline void monitor_print_rule_json(struct netlink_mon_handler *monh, + const char *cmd, struct rule *r) + { +diff --git a/include/netlink.h b/include/netlink.h +index cf7ba36..e9667a2 100644 +--- a/include/netlink.h ++++ b/include/netlink.h +@@ -97,6 +97,7 @@ extern struct nftnl_table *netlink_table_alloc(const struct nlmsghdr *nlh); + extern struct nftnl_chain *netlink_chain_alloc(const struct nlmsghdr *nlh); + extern struct nftnl_set *netlink_set_alloc(const struct nlmsghdr *nlh); + extern struct nftnl_obj *netlink_obj_alloc(const struct nlmsghdr *nlh); ++extern struct 
nftnl_flowtable *netlink_flowtable_alloc(const struct nlmsghdr *nlh); + extern struct nftnl_rule *netlink_rule_alloc(const struct nlmsghdr *nlh); + + struct nft_data_linearize { +diff --git a/include/rule.h b/include/rule.h +index 48e148e..238be23 100644 +--- a/include/rule.h ++++ b/include/rule.h +@@ -551,6 +551,7 @@ extern struct flowtable *flowtable_lookup_fuzzy(const char *ft_name, + const struct table **table); + + void flowtable_print(const struct flowtable *n, struct output_ctx *octx); ++void flowtable_print_plain(const struct flowtable *ft, struct output_ctx *octx); + + /** + * enum cmd_ops - command operations +diff --git a/src/json.c b/src/json.c +index 1f609bf..64a6888 100644 +--- a/src/json.c ++++ b/src/json.c +@@ -2108,6 +2108,12 @@ void monitor_print_obj_json(struct netlink_mon_handler *monh, + monitor_print_json(monh, cmd, obj_print_json(o)); + } + ++void monitor_print_flowtable_json(struct netlink_mon_handler *monh, ++ const char *cmd, struct flowtable *ft) ++{ ++ monitor_print_json(monh, cmd, flowtable_print_json(ft)); ++} ++ + void monitor_print_rule_json(struct netlink_mon_handler *monh, + const char *cmd, struct rule *r) + { +diff --git a/src/monitor.c b/src/monitor.c +index 2fc16d6..a787db8 100644 +--- a/src/monitor.c ++++ b/src/monitor.c +@@ -127,6 +127,19 @@ struct nftnl_obj *netlink_obj_alloc(const struct nlmsghdr *nlh) + return nlo; + } + ++struct nftnl_flowtable *netlink_flowtable_alloc(const struct nlmsghdr *nlh) ++{ ++ struct nftnl_flowtable *nlf; ++ ++ nlf = nftnl_flowtable_alloc(); ++ if (nlf == NULL) ++ memory_allocation_error(); ++ if (nftnl_flowtable_nlmsg_parse(nlh, nlf) < 0) ++ netlink_abi_error(); ++ ++ return nlf; ++} ++ + static uint32_t netlink_msg2nftnl_of(uint32_t type, uint16_t flags) + { + switch (type) { +@@ -542,6 +555,50 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type, + return MNL_CB_OK; + } + ++static int netlink_events_flowtable_cb(const struct nlmsghdr *nlh, int type, ++ struct 
netlink_mon_handler *monh) ++{ ++ const char *family, *cmd; ++ struct nftnl_flowtable *nlf; ++ struct flowtable *ft; ++ ++ nlf = netlink_flowtable_alloc(nlh); ++ ++ ft = netlink_delinearize_flowtable(monh->ctx, nlf); ++ if (!ft) { ++ nftnl_flowtable_free(nlf); ++ return MNL_CB_ERROR; ++ } ++ family = family2str(ft->handle.family); ++ cmd = netlink_msg2cmd(type, nlh->nlmsg_flags); ++ ++ switch (monh->format) { ++ case NFTNL_OUTPUT_DEFAULT: ++ nft_mon_print(monh, "%s ", cmd); ++ ++ switch (type) { ++ case NFT_MSG_NEWFLOWTABLE: ++ flowtable_print_plain(ft, &monh->ctx->nft->output); ++ break; ++ case NFT_MSG_DELFLOWTABLE: ++ nft_mon_print(monh, "flowtable %s %s %s", family, ++ ft->handle.table.name, ++ ft->handle.flowtable.name); ++ break; ++ } ++ nft_mon_print(monh, "\n"); ++ break; ++ case NFTNL_OUTPUT_JSON: ++ monitor_print_flowtable_json(monh, cmd, ft); ++ if (!nft_output_echo(&monh->ctx->nft->output)) ++ nft_mon_print(monh, "\n"); ++ break; ++ } ++ flowtable_free(ft); ++ nftnl_flowtable_free(nlf); ++ return MNL_CB_OK; ++} ++ + static void rule_map_decompose_cb(struct set *s, void *data) + { + if (!set_is_anonymous(s->flags)) +@@ -962,6 +1019,10 @@ static int netlink_events_cb(const struct nlmsghdr *nlh, void *data) + case NFT_MSG_DELOBJ: + ret = netlink_events_obj_cb(nlh, type, monh); + break; ++ case NFT_MSG_NEWFLOWTABLE: ++ case NFT_MSG_DELFLOWTABLE: ++ ret = netlink_events_flowtable_cb(nlh, type, monh); ++ break; + case NFT_MSG_NEWGEN: + ret = netlink_events_newgen_cb(nlh, type, monh); + break; +diff --git a/src/parser_json.c b/src/parser_json.c +index 02cfcd6..bae2c3c 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -4437,6 +4437,7 @@ static int json_echo_error(struct netlink_mon_handler *monh, + + static uint64_t handle_from_nlmsg(const struct nlmsghdr *nlh) + { ++ struct nftnl_flowtable *nlf; + struct nftnl_table *nlt; + struct nftnl_chain *nlc; + struct nftnl_rule *nlr; +@@ -4473,6 +4474,11 @@ static uint64_t handle_from_nlmsg(const struct 
nlmsghdr *nlh) + handle = nftnl_obj_get_u64(nlo, NFTNL_OBJ_HANDLE); + nftnl_obj_free(nlo); + break; ++ case NFT_MSG_NEWFLOWTABLE: ++ nlf = netlink_flowtable_alloc(nlh); ++ handle = nftnl_flowtable_get_u64(nlf, NFTNL_FLOWTABLE_HANDLE); ++ nftnl_flowtable_free(nlf); ++ break; + } + return handle; + } +diff --git a/src/rule.c b/src/rule.c +index 9536e68..151ed53 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -2154,6 +2154,21 @@ void flowtable_print(const struct flowtable *s, struct output_ctx *octx) + do_flowtable_print(s, &opts, octx); + } + ++void flowtable_print_plain(const struct flowtable *ft, struct output_ctx *octx) ++{ ++ struct print_fmt_options opts = { ++ .tab = "", ++ .nl = " ", ++ .table = ft->handle.table.name, ++ .family = family2str(ft->handle.family), ++ .stmt_separator = "; ", ++ }; ++ ++ flowtable_print_declaration(ft, &opts, octx); ++ nft_print(octx, "}"); ++} ++ ++ + struct flowtable *flowtable_lookup_fuzzy(const char *ft_name, + const struct nft_cache *cache, + const struct table **t) +diff --git a/tests/monitor/testcases/flowtable-simple.t b/tests/monitor/testcases/flowtable-simple.t +new file mode 100644 +index 0000000..df8eccb +--- /dev/null ++++ b/tests/monitor/testcases/flowtable-simple.t +@@ -0,0 +1,10 @@ ++# setup first ++I add table ip t ++I add flowtable ip t ft { hook ingress priority 0; devices = { lo }; } ++O - ++J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}} ++J {"add": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "lo"}}} ++ ++I delete flowtable ip t ft ++O - ++J {"delete": {"flowtable": {"family": "ip", "name": "ft", "table": "t", "handle": 0, "hook": "ingress", "prio": 0, "dev": "lo"}}} diff --git a/0014-evaluate-allow-to-re-use-existing-metered-set.patch b/0014-evaluate-allow-to-re-use-existing-metered-set.patch new file mode 100644 index 0000000..2d6f92e --- /dev/null +++ b/0014-evaluate-allow-to-re-use-existing-metered-set.patch 
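Review bot: flowtable_print_plain in src/rule.c is followed by two blank lines where the surrounding file separates functions with one; drop the extra line. The new static inline stub in include/json.h splits `static inline void` and the function name across two lines, unlike the neighbouring monitor_print_obj_json stub that keeps them on one. In handle_from_nlmsg only `NFT_MSG_NEWFLOWTABLE` is handled while netlink_events_cb dispatches both NEW and DEL; if that helper is meant only for echoed add commands, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing switch in handle_from_nlmsg starts outside the hunk.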
@@ -0,0 +1,271 @@ +From b3c1312b5815b004614d79eae2ad731c6883ce6f Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 22 Jan 2025 10:18:04 +0100 +Subject: [PATCH] evaluate: allow to re-use existing metered set + +JIRA: https://issues.redhat.com/browse/RHEL-75507 +Upstream Status: nftables commit 639a111e91341cffdc6d86b847aa654646c799cf + +commit 639a111e91341cffdc6d86b847aa654646c799cf +Author: Florian Westphal +Date: Wed Jan 22 10:18:04 2025 +0100 + + evaluate: allow to re-use existing metered set + + Blamed commit translates old meter syntax (which used to allocate an + anonymous set) to dynamic sets. + + A side effect of this is that re-adding a meter rule after chain was + flushed results in an error, unlike anonymous sets named sets are not + impacted by the flush. + + Refine this: if a set of the same name exists and is compatible, then + re-use it instead of returning an error. + + Also pick up the reproducer kindly provided by the reporter and place it + in the shell test directory. + + Fixes: b8f8ddfff733 ("evaluate: translate meter into dynamic set") + Reported-by: Yi Chen + 
Signed-off-by: Florian Westphal + +Signed-off-by: Eric Garver +--- + src/evaluate.c | 43 +++++-- + .../sets/dumps/meter_set_reuse.json-nft | 105 ++++++++++++++++++ + .../testcases/sets/dumps/meter_set_reuse.nft | 11 ++ + tests/shell/testcases/sets/meter_set_reuse | 20 ++++ + 4 files changed, 170 insertions(+), 9 deletions(-) + create mode 100644 tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft + create mode 100644 tests/shell/testcases/sets/dumps/meter_set_reuse.nft + create mode 100755 tests/shell/testcases/sets/meter_set_reuse + +diff --git a/src/evaluate.c b/src/evaluate.c +index 593a0140e92a..c9cbaa6ae648 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -3338,7 +3338,7 @@ static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt) + + static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) + { +- struct expr *key, *set, *setref; ++ struct expr *key, *setref; + struct set *existing_set; + struct table *table; + +@@ -3349,7 +3349,9 @@ static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) + return table_not_found(ctx); + + existing_set = set_cache_find(table, stmt->meter.name); +- if (existing_set) ++ if (existing_set && ++ (!set_is_meter_compat(existing_set->flags) || ++ set_is_map(existing_set->flags))) + return cmd_error(ctx, &stmt->location, + "%s; meter '%s' overlaps an existing %s '%s' in family %s", + strerror(EEXIST), +@@ -3370,17 +3372,40 @@ static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) + + /* Declare an empty set */ + key = stmt->meter.key; +- set = set_expr_alloc(&key->location, NULL); +- set->set_flags |= NFT_SET_EVAL; +- if (key->timeout) +- set->set_flags |= NFT_SET_TIMEOUT; ++ if (existing_set) { ++ if ((existing_set->flags & NFT_SET_TIMEOUT) && !key->timeout) ++ return expr_error(ctx->msgs, stmt->meter.key, ++ "existing set '%s' has timeout flag", ++ stmt->meter.name); ++ ++ if ((existing_set->flags & NFT_SET_TIMEOUT) == 0 && key->timeout) ++ return 
expr_error(ctx->msgs, stmt->meter.key, ++ "existing set '%s' lacks timeout flag", ++ stmt->meter.name); ++ ++ if (stmt->meter.size > 0 && existing_set->desc.size != stmt->meter.size) ++ return expr_error(ctx->msgs, stmt->meter.key, ++ "existing set '%s' has size %u, meter has %u", ++ stmt->meter.name, existing_set->desc.size, ++ stmt->meter.size); ++ setref = set_ref_expr_alloc(&key->location, existing_set); ++ } else { ++ struct expr *set; ++ ++ set = set_expr_alloc(&key->location, existing_set); ++ if (key->timeout) ++ set->set_flags |= NFT_SET_TIMEOUT; ++ ++ set->set_flags |= NFT_SET_EVAL; ++ setref = implicit_set_declaration(ctx, stmt->meter.name, ++ expr_get(key), NULL, set, 0); ++ if (setref) ++ setref->set->desc.size = stmt->meter.size; ++ } + +- setref = implicit_set_declaration(ctx, stmt->meter.name, +- expr_get(key), NULL, set, 0); + if (!setref) + return -1; + +- setref->set->desc.size = stmt->meter.size; + stmt->meter.set = setref; + + if (stmt_evaluate(ctx, stmt->meter.stmt) < 0) +diff --git a/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft b/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft +new file mode 100644 +index 000000000000..ab4ac06184d0 +--- /dev/null ++++ b/tests/shell/testcases/sets/dumps/meter_set_reuse.json-nft +@@ -0,0 +1,105 @@ ++{ ++ "nftables": [ ++ { ++ "metainfo": { ++ "version": "VERSION", ++ "release_name": "RELEASE_NAME", ++ "json_schema_version": 1 ++ } ++ }, ++ { ++ "table": { ++ "family": "ip", ++ "name": "filter", ++ "handle": 0 ++ } ++ }, ++ { ++ "chain": { ++ "family": "ip", ++ "table": "filter", ++ "name": "input", ++ "handle": 0 ++ } ++ }, ++ { ++ "set": { ++ "family": "ip", ++ "name": "http1", ++ "table": "filter", ++ "type": [ ++ "inet_service", ++ "ipv4_addr" ++ ], ++ "handle": 0, ++ "size": 65535, ++ "flags": [ ++ "dynamic" ++ ] ++ } ++ }, ++ { ++ "rule": { ++ "family": "ip", ++ "table": "filter", ++ "chain": "input", ++ "handle": 0, ++ "expr": [ ++ { ++ "match": { ++ "op": "==", ++ "left": { ++ 
"payload": { ++ "protocol": "tcp", ++ "field": "dport" ++ } ++ }, ++ "right": 80 ++ } ++ }, ++ { ++ "set": { ++ "op": "add", ++ "elem": { ++ "concat": [ ++ { ++ "payload": { ++ "protocol": "tcp", ++ "field": "dport" ++ } ++ }, ++ { ++ "payload": { ++ "protocol": "ip", ++ "field": "saddr" ++ } ++ } ++ ] ++ }, ++ "set": "@http1", ++ "stmt": [ ++ { ++ "limit": { ++ "rate": 200, ++ "burst": 5, ++ "per": "second", ++ "inv": true ++ } ++ } ++ ] ++ } ++ }, ++ { ++ "counter": { ++ "packets": 0, ++ "bytes": 0 ++ } ++ }, ++ { ++ "drop": null ++ } ++ ] ++ } ++ } ++ ] ++} +diff --git a/tests/shell/testcases/sets/dumps/meter_set_reuse.nft b/tests/shell/testcases/sets/dumps/meter_set_reuse.nft +new file mode 100644 +index 000000000000..f911acaffb85 +--- /dev/null ++++ b/tests/shell/testcases/sets/dumps/meter_set_reuse.nft +@@ -0,0 +1,11 @@ ++table ip filter { ++ set http1 { ++ type inet_service . ipv4_addr ++ size 65535 ++ flags dynamic ++ } ++ ++ chain input { ++ tcp dport 80 add @http1 { tcp dport . ip saddr limit rate over 200/second burst 5 packets } counter packets 0 bytes 0 drop ++ } ++} +diff --git a/tests/shell/testcases/sets/meter_set_reuse b/tests/shell/testcases/sets/meter_set_reuse +new file mode 100755 +index 000000000000..94eccc1a7b82 +--- /dev/null ++++ b/tests/shell/testcases/sets/meter_set_reuse +@@ -0,0 +1,20 @@ ++#!/bin/bash ++ ++set -e ++ ++addrule() ++{ ++ $NFT add rule ip filter input tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop ++} ++ ++$NFT add table filter ++$NFT add chain filter input ++addrule ++ ++$NFT list meters ++ ++# This used to remove the anon set, but not anymore ++$NFT flush chain filter input ++ ++# This re-add should work. ++addrule +-- +2.48.1 + diff --git a/SOURCES/0001-tests-shell-runtime-set-element-automerge.patch b/SOURCES/0001-tests-shell-runtime-set-element-automerge.patch deleted file mode 100644 index 2973639..0000000 
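Review bot: The reuse checks in stmt_evaluate_meter compare only the timeout flag and the size, not the key type of `existing_set` against `stmt->meter.key`, so a dynamic set of the same name with a different key type passes this branch; unless the later statement evaluation rejects the mismatch (not visible here), a datatype comparison with its own expr_error belongs next to the size check. In the else branch `set_expr_alloc(&key->location, existing_set)` passes a variable that is known to be NULL at that point; the original passed `NULL` literally, which reads more clearly. The size check is skipped when `stmt->meter.size == 0`, so a meter declared without a size silently adopts the existing set's size; a comment is warranted if that is intended. The function continues past the hunk.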
--- a/SOURCES/0001-tests-shell-runtime-set-element-automerge.patch +++ /dev/null @@ -1,97 +0,0 @@ -From c994f1d2a31a2b03557b3eb1c8c2de34b97edce1 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 24 Jun 2022 16:02:59 +0200 -Subject: [PATCH] tests: shell: runtime set element automerge - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 8fafe4e6b5b30 - -commit 8fafe4e6b5b30f2539f16403da8d5c5f819e523b -Author: Pablo Neira Ayuso -Date: Mon Jun 13 17:05:22 2022 +0200 - - tests: shell: runtime set element automerge - - Add a test to cover runtime set element automerge. - - 
Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - tests/shell/testcases/sets/automerge_0 | 64 ++++++++++++++++++++++++++ - 1 file changed, 64 insertions(+) - create mode 100755 tests/shell/testcases/sets/automerge_0 - -diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0 -new file mode 100755 -index 0000000..c9fb609 ---- /dev/null -+++ b/tests/shell/testcases/sets/automerge_0 -@@ -0,0 +1,64 @@ -+#!/bin/bash -+ -+set -e -+ -+RULESET="table inet x { -+ set y { -+ type inet_service -+ flags interval -+ auto-merge -+ } -+}" -+ -+$NFT -f - <<< $RULESET -+ -+tmpfile=$(mktemp) -+echo -n "add element inet x y { " > $tmpfile -+for ((i=0;i<65535;i+=2)) -+do -+ echo -n "$i, " >> $tmpfile -+ if [ $i -eq 65534 ] -+ then -+ echo -n "$i" >> $tmpfile -+ fi -+done -+echo "}" >> $tmpfile -+ -+$NFT -f $tmpfile -+ -+tmpfile2=$(mktemp) -+for ((i=1;i<65535;i+=2)) -+do -+ echo "$i" >> $tmpfile2 -+done -+ -+tmpfile3=$(mktemp) -+shuf $tmpfile2 > $tmpfile3 -+i=0 -+cat $tmpfile3 | while read line && [ $i -lt 10 ] -+do -+ $NFT add element inet x y { $line } -+ i=$((i+1)) -+done -+ -+for ((i=0;i<10;i++)) -+do -+ from=$(($RANDOM%65535)) -+ to=$(($from+100)) -+ $NFT add element inet x y { $from-$to } -+ if [ $? -ne 0 ] -+ then -+ echo "failed to add $from-$to" -+ exit 1 -+ fi -+ $NFT get element inet x y { $from-$to } -+ if [ $? -ne 0 ] -+ then -+ echo "failed to get $from-$to" -+ exit 1 -+ fi -+done -+ -+rm -f $tmpfile -+rm -f $tmpfile2 -+rm -f $tmpfile3 --- -2.41.0.rc1 - diff --git a/SOURCES/0002-rule-collapse-set-element-commands.patch b/SOURCES/0002-rule-collapse-set-element-commands.patch deleted file mode 100644 index aea8e2c..0000000 --- a/SOURCES/0002-rule-collapse-set-element-commands.patch +++ /dev/null 
@@ -1,236 +0,0 @@ -From 33792b491be79cb50d163c4ecc553f1258b82159 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 24 Jun 2022 16:02:59 +0200 -Subject: [PATCH] rule: collapse set element commands - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 498a5f0c219d8 - -commit 498a5f0c219d8a118af4f172f248647d9b077101 -Author: Pablo Neira Ayuso -Date: Mon Jun 13 17:22:44 2022 +0200 - - rule: collapse set element commands - - Robots might generate a long list of singleton element commands such as: - - add element t s { 1.0.1.0/24 } - ... - add element t s { 1.0.2.0/23 } - - collapse them into one single command before the evaluation step, ie. - - add element t s { 1.0.1.0/24, ..., 1.0.2.0/23 } - - this speeds up overlap detection and set element automerge operations in - this worst case scenario. - - Since 3da9643fb9ff9 ("intervals: add support to automerge with kernel - elements"), the new interval tracking relies on mergesort. The pattern - above triggers the set sorting for each element. - - This patch adds a list to cmd objects that store collapsed commands. - Moreover, expressions also contain a reference to the original command, - to uncollapse the commands after the evaluation step. - - These commands are uncollapsed after the evaluation step to ensure error - reporting works as expected (command and netlink message are mapped - 1:1). - - For the record: - - - nftables versions <= 1.0.2 did not perform any kind of overlap - check for the described scenario above (because set cache only contained - elements in the kernel in this case). This is a problem for kernels < 5.7 - which rely on userspace to detect overlaps. - - - the overlap detection could be skipped for kernels >= 5.7. 
- - - The extended netlink error reporting available for set elements - since 5.19-rc might allow to remove the uncollapse step, in this case, - error reporting does not rely on the netlink sequence to refer to the - command triggering the problem. - - 
Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- include/expression.h | 1 +
- include/rule.h | 3 ++
- src/libnftables.c | 17 ++++++++--
- src/rule.c | 75 ++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 93 insertions(+), 3 deletions(-)
-
-diff --git a/include/expression.h b/include/expression.h
-index 2c3818e..53194c9 100644
---- a/include/expression.h
-+++ b/include/expression.h
-@@ -243,6 +243,7 @@ struct expr {
- enum expr_types etype:8;
- enum ops op:8;
- unsigned int len;
-+ struct cmd *cmd;
-
- union {
- struct {
-diff --git a/include/rule.h b/include/rule.h
-index e232b97..9081225 100644
---- a/include/rule.h
-+++ b/include/rule.h
-@@ -700,6 +700,7 @@ struct cmd {
- enum cmd_obj obj;
- struct handle handle;
- uint32_t seqnum;
-+ struct list_head collapse_list;
- union {
- void *data;
- struct expr *expr;
-@@ -728,6 +729,8 @@ extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
- const struct handle *h, const struct location *loc,
- void *data);
- extern void nft_cmd_expand(struct cmd *cmd);
-+extern bool nft_cmd_collapse(struct list_head *cmds);
-+extern void nft_cmd_uncollapse(struct list_head *cmds);
- extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
- const struct handle *h,
- const struct location *loc, struct obj *obj);
-diff --git a/src/libnftables.c b/src/libnftables.c
-index 6a22ea0..aac682b 100644
---- a/src/libnftables.c
-+++ b/src/libnftables.c
-@@ -501,7 +501,9 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
- {
- struct nft_cache_filter *filter;
- struct cmd *cmd, *next;
-+ bool collapsed = false;
- unsigned int flags;
-+ int err = 0;
-
- filter = nft_cache_filter_init();
- flags = nft_cache_evaluate(nft, cmds, filter);
-@@ -512,17 +514,26 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
-
- nft_cache_filter_fini(filter);
-
-+ if (nft_cmd_collapse(cmds))
-+ collapsed = true;
-+
- list_for_each_entry_safe(cmd, next, cmds, list) {
- struct 
eval_ctx ectx = {
- .nft = nft,
- .msgs = msgs,
- };
-+
- if (cmd_evaluate(&ectx, cmd) < 0 &&
-- ++nft->state->nerrs == nft->parser_max_errors)
-- return -1;
-+ ++nft->state->nerrs == nft->parser_max_errors) {
-+ err = -1;
-+ break;
-+ }
- }
-
-- if (nft->state->nerrs)
-+ if (collapsed)
-+ nft_cmd_uncollapse(cmds);
-+
-+ if (err < 0 || nft->state->nerrs)
- return -1;
-
- list_for_each_entry(cmd, cmds, list) {
-diff --git a/src/rule.c b/src/rule.c
-index 7f61bdc..0526a14 100644
---- a/src/rule.c
-+++ b/src/rule.c
-@@ -1279,6 +1279,8 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
- cmd->handle = *h;
- cmd->location = *loc;
- cmd->data = data;
-+ init_list_head(&cmd->collapse_list);
-+
- return cmd;
- }
-
-@@ -1379,6 +1381,79 @@ void nft_cmd_expand(struct cmd *cmd)
- }
- }
-
-+bool nft_cmd_collapse(struct list_head *cmds)
-+{
-+ struct cmd *cmd, *next, *elems = NULL;
-+ struct expr *expr, *enext;
-+ bool collapse = false;
-+
-+ list_for_each_entry_safe(cmd, next, cmds, list) {
-+ if (cmd->op != CMD_ADD &&
-+ cmd->op != CMD_CREATE) {
-+ elems = NULL;
-+ continue;
-+ }
-+
-+ if (cmd->obj != CMD_OBJ_ELEMENTS) {
-+ elems = NULL;
-+ continue;
-+ }
-+
-+ if (!elems) {
-+ elems = cmd;
-+ continue;
-+ }
-+
-+ if (cmd->op != elems->op) {
-+ elems = cmd;
-+ continue;
-+ }
-+
-+ if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
-+ strcmp(elems->handle.set.name, cmd->handle.set.name)) {
-+ elems = cmd;
-+ continue;
-+ }
-+
-+ collapse = true;
-+ list_for_each_entry_safe(expr, enext, &cmd->expr->expressions, list) {
-+ expr->cmd = cmd;
-+ list_move_tail(&expr->list, &elems->expr->expressions);
-+ }
-+ elems->expr->size += cmd->expr->size;
-+ list_move_tail(&cmd->list, &elems->collapse_list);
-+ }
-+
-+ return collapse;
-+}
-+
-+void nft_cmd_uncollapse(struct list_head *cmds)
-+{
-+ struct cmd *cmd, *cmd_next, *collapse_cmd, *collapse_cmd_next;
-+ struct expr *expr, *next;
-+
-+ list_for_each_entry_safe(cmd, cmd_next, cmds, list) {
-+ if 
(list_empty(&cmd->collapse_list))
-+ continue;
-+
-+ assert(cmd->obj == CMD_OBJ_ELEMENTS);
-+
-+ list_for_each_entry_safe(expr, next, &cmd->expr->expressions, list) {
-+ if (!expr->cmd)
-+ continue;
-+
-+ list_move_tail(&expr->list, &expr->cmd->expr->expressions);
-+ cmd->expr->size--;
-+ expr->cmd = NULL;
-+ }
-+
-+ list_for_each_entry_safe(collapse_cmd, collapse_cmd_next, &cmd->collapse_list, list) {
-+ collapse_cmd->elem.set = set_get(cmd->elem.set);
-+ list_add(&collapse_cmd->list, &cmd->list);
-+ }
-+ }
-+}
-+
- struct markup *markup_alloc(uint32_t format)
- {
- struct markup *markup;
---
-2.41.0.rc1
-
diff --git a/SOURCES/0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch b/SOURCES/0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch
deleted file mode 100644
index 5e92713..0000000
--- a/SOURCES/0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From af9045e2f2029b6573db32bd15ab861d797b86a6 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 24 Jun 2022 16:02:59 +0200
-Subject: [PATCH] intervals: do not report exact overlaps for new elements
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 87ba510fc704f
-
-commit 87ba510fc704f766b5417d3bfc326e8ab9378c2a
-Author: Pablo Neira Ayuso
-Date: Mon Jun 13 17:22:47 2022 +0200
-
- intervals: do not report exact overlaps for new elements
-
- Two new elements that represent an exact overlap should not trigger an error.
-
- add table t
- add set t s { type ipv4_addr; flags interval; }
- add element t s { 1.0.1.0/24 }
- ...
- add element t s { 1.0.1.0/24 }
-
- result in a bogus error.
-
- # nft -f set.nft
- set.nft:1002:19-28: Error: conflicting intervals specified
- add element t s { 1.0.1.0/24 }
- ^^^^^^^^^^
-
- Fixes: 3da9643fb9ff ("intervals: add support to automerge with kernel elements")
- 
Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/intervals.c | 3 +--
- tests/shell/testcases/sets/exact_overlap_0 | 22 ++++++++++++++++++++++
- 2 files changed, 23 insertions(+), 2 deletions(-)
- create mode 100755 tests/shell/testcases/sets/exact_overlap_0
-
-diff --git a/src/intervals.c b/src/intervals.c
-index bc414d6..89f5c33 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -540,8 +540,7 @@ static int setelem_overlap(struct list_head *msgs, struct set *set,
- }
-
- if (mpz_cmp(prev_range.low, range.low) == 0 &&
-- mpz_cmp(prev_range.high, range.high) == 0 &&
-- (elem->flags & EXPR_F_KERNEL || prev->flags & EXPR_F_KERNEL))
-+ mpz_cmp(prev_range.high, range.high) == 0)
- goto next;
-
- if (mpz_cmp(prev_range.low, range.low) <= 0 &&
-diff --git a/tests/shell/testcases/sets/exact_overlap_0 b/tests/shell/testcases/sets/exact_overlap_0
-new file mode 100755
-index 0000000..1ce9304
---- /dev/null
-+++ b/tests/shell/testcases/sets/exact_overlap_0
-@@ -0,0 +1,22 @@
-+#!/bin/bash
-+
-+RULESET="add table t
-+add set t s { type ipv4_addr; flags interval; }
-+add element t s { 1.0.1.0/24 }
-+add element t s { 1.0.2.0/23 }
-+add element t s { 1.0.8.0/21 }
-+add element t s { 1.0.32.0/19 }
-+add element t s { 1.1.0.0/24 }
-+add element t s { 1.1.2.0/23 }
-+add element t s { 1.1.4.0/22 }
-+add element t s { 1.1.8.0/24 }
-+add element t s { 1.1.9.0/24 }
-+add element t s { 1.1.10.0/23 }
-+add element t s { 1.1.12.0/22 }
-+add element t s { 1.1.16.0/20 }
-+add element t s { 1.1.32.0/19 }
-+add element t s { 1.0.1.0/24 }"
-+
-+$NFT -f - <<< $RULESET || exit 1
-+
-+$NFT add element t s { 1.0.1.0/24 }
---
-2.41.0.rc1
-
diff --git a/SOURCES/0004-intervals-do-not-empty-cache-for-maps.patch b/SOURCES/0004-intervals-do-not-empty-cache-for-maps.patch
deleted file mode 100644
index bfbdfac..0000000
--- a/SOURCES/0004-intervals-do-not-empty-cache-for-maps.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From cfb1670ece6414c3d2aad5dd7df572b0cc07acd5 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 24 Jun 2022 16:02:59 +0200 -Subject: [PATCH] intervals: do not empty cache for maps - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit d434de8b50dcf - -commit d434de8b50dcf3f5f4ca027e122a7df9d4e5d8e1 -Author: Pablo Neira Ayuso -Date: Thu Jun 16 10:53:56 2022 +0200 - - intervals: do not empty cache for maps - - Translate set element to range and sort in maps for the NFT_SET_MAP - case, which does not support for automerge yet. - - Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge") - Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - src/intervals.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/src/intervals.c b/src/intervals.c -index 89f5c33..e203413 100644 ---- a/src/intervals.c -+++ b/src/intervals.c -@@ -216,6 +216,12 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set, - struct cmd *purge_cmd; - struct handle h = {}; - -+ if (set->flags & NFT_SET_MAP) { -+ set_to_range(init); -+ list_expr_sort(&init->expressions); -+ return 0; -+ } -+ - if (existing_set) { - if (existing_set->init) { - list_splice_init(&existing_set->init->expressions, -@@ -229,9 +235,6 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set, - set_to_range(init); - list_expr_sort(&init->expressions); - -- if (set->flags & NFT_SET_MAP) -- return 0; -- - ctx.purge = set_expr_alloc(&internal_location, set); - - setelem_automerge(&ctx); --- -2.41.0.rc1 - diff --git a/SOURCES/0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch b/SOURCES/0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch deleted file mode 100644 index ecab071..0000000 --- a/SOURCES/0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 5c5128094c75a184e54e82f2ad43c67423184c3e Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 24 Jun 2022 16:02:59 +0200 -Subject: [PATCH] intervals: Do not sort cached set elements over and over - again - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 59e3a59221fb8 - -commit 59e3a59221fb81c289a0868a85140dd452fb1c30 -Author: Phil Sutter -Date: Thu Jun 16 10:56:12 2022 +0200 - - intervals: Do not sort cached set elements over and over again - - When adding element(s) to a non-empty set, code merged the two lists and - sorted the result. With many individual 'add element' commands this - causes substantial overhead. Make use of the fact that - existing_set->init is sorted already, sort only the list of new elements - and use list_splice_sorted() to merge the two sorted lists. - - Add set_sort_splice() and use it for set element overlap detection and - automerge. - - A test case adding ~25k elements in individual commands completes in - about 1/4th of the time with this patch applied. - - Joint work with Pablo. - - Fixes: 3da9643fb9ff9 ("intervals: add support to automerge with kernel elements") - Signed-off-by: Phil Sutter - 
Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- include/expression.h | 1 +
- src/intervals.c | 46 +++++++++++++++++++++-----------------------
- src/mergesort.c | 2 +-
- 3 files changed, 24 insertions(+), 25 deletions(-)
-
-diff --git a/include/expression.h b/include/expression.h
-index 53194c9..cf7319b 100644
---- a/include/expression.h
-+++ b/include/expression.h
-@@ -481,6 +481,7 @@ extern struct expr *compound_expr_alloc(const struct location *loc,
- extern void compound_expr_add(struct expr *compound, struct expr *expr);
- extern void compound_expr_remove(struct expr *compound, struct expr *expr);
- extern void list_expr_sort(struct list_head *head);
-+extern void list_splice_sorted(struct list_head *list, struct list_head *head);
-
- extern struct expr *concat_expr_alloc(const struct location *loc);
-
-diff --git a/src/intervals.c b/src/intervals.c
-index e203413..dcc06d1 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -118,6 +118,26 @@ static bool merge_ranges(struct set_automerge_ctx *ctx,
- return false;
- }
-
-+static void set_sort_splice(struct expr *init, struct set *set)
-+{
-+ struct set *existing_set = set->existing_set;
-+
-+ set_to_range(init);
-+ list_expr_sort(&init->expressions);
-+
-+ if (!existing_set)
-+ return;
-+
-+ if (existing_set->init) {
-+ set_to_range(existing_set->init);
-+ list_splice_sorted(&existing_set->init->expressions,
-+ &init->expressions);
-+ init_list_head(&existing_set->init->expressions);
-+ } else {
-+ existing_set->init = set_expr_alloc(&internal_location, set);
-+ }
-+}
-+
- static void setelem_automerge(struct set_automerge_ctx *ctx)
- {
- struct expr *i, *next, *prev = NULL;
-@@ -222,18 +242,7 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set,
- return 0;
- }
-
-- if (existing_set) {
-- if (existing_set->init) {
-- list_splice_init(&existing_set->init->expressions,
-- &init->expressions);
-- } else {
-- existing_set->init = set_expr_alloc(&internal_location, 
-- set);
-- }
-- }
--
-- set_to_range(init);
-- list_expr_sort(&init->expressions);
-+ set_sort_splice(init, set);
-
- ctx.purge = set_expr_alloc(&internal_location, set);
-
-@@ -591,18 +600,7 @@ int set_overlap(struct list_head *msgs, struct set *set, struct expr *init)
- struct expr *i, *n, *clone;
- int err;
-
-- if (existing_set) {
-- if (existing_set->init) {
-- list_splice_init(&existing_set->init->expressions,
-- &init->expressions);
-- } else {
-- existing_set->init = set_expr_alloc(&internal_location,
-- set);
-- }
-- }
--
-- set_to_range(init);
-- list_expr_sort(&init->expressions);
-+ set_sort_splice(init, set);
-
- err = setelem_overlap(msgs, set, init);
-
-diff --git a/src/mergesort.c b/src/mergesort.c
-index 8e6aac5..dca7142 100644
---- a/src/mergesort.c
-+++ b/src/mergesort.c
-@@ -70,7 +70,7 @@ static int expr_msort_cmp(const struct expr *e1, const struct expr *e2)
- return ret;
- }
-
--static void list_splice_sorted(struct list_head *list, struct list_head *head)
-+void list_splice_sorted(struct list_head *list, struct list_head *head)
- {
- struct list_head *h = head->next;
- struct list_head *l = list->next;
---
-2.41.0.rc1
-
diff --git a/SOURCES/0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch b/SOURCES/0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch
deleted file mode 100644
index b77a4fe..0000000
--- a/SOURCES/0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch
+++ /dev/null
@@ -1,44 +0,0 @@ -From a2e5f4f59c0d4a3880a4de5e95adffc553216d2e Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:15:02 +0100 -Subject: [PATCH] doc: Document limitations of ipsec expression with - xfrm_interface - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 446e76dbde713 - -commit 446e76dbde713327358f17a8af6ce86b8541c836 -Author: Phil Sutter -Date: Thu Jun 23 17:49:20 2022 +0200 - - doc: Document limitations of ipsec expression with xfrm_interface - - Point at a possible solution to match IPsec info of locally generated - traffic routed to an xfrm-type interface. - - Signed-off-by: Phil Sutter - Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - doc/primary-expression.txt | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt -index f97778b..4d6b087 100644 ---- a/doc/primary-expression.txt -+++ b/doc/primary-expression.txt -@@ -428,6 +428,10 @@ Destination address of the tunnel| - ipv4_addr/ipv6_addr - |================================= - -+*Note:* When using xfrm_interface, this expression is not useable in output -+hook as the plain packet does not traverse it with IPsec info attached - use a -+chain in postrouting hook instead. -+ - NUMGEN EXPRESSION - ~~~~~~~~~~~~~~~~~ - --- -2.41.0.rc1 - diff --git a/SOURCES/0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch b/SOURCES/0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch deleted file mode 100644 index 91bb404..0000000 --- a/SOURCES/0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch +++ /dev/null 
@@ -1,86 +0,0 @@
-From 23e6c3545b6c416a0eb7d3c7ac97c74215dcc19c Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:18:10 +0100
-Subject: [PATCH] tests/py: Add a test for failing ipsec after counter
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit ed2426bccd3ea
-
-commit ed2426bccd3ea954adc8a010bf1736e8ed6a81b9
-Author: Phil Sutter
-Date: Thu Jun 23 16:28:42 2022 +0200
-
- tests/py: Add a test for failing ipsec after counter
-
- This is a bug in parser/scanner due to scoping:
-
- | Error: syntax error, unexpected string, expecting saddr or daddr
- | add rule ip ipsec-ip4 ipsec-forw counter ipsec out ip daddr 192.168.1.2
- | ^^^^^
-
- Signed-off-by: Phil Sutter
- 
Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- tests/py/inet/ipsec.t | 2 ++
- tests/py/inet/ipsec.t.json | 21 +++++++++++++++++++++
- tests/py/inet/ipsec.t.payload | 6 ++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t
-index e924e9b..b18df39 100644
---- a/tests/py/inet/ipsec.t
-+++ b/tests/py/inet/ipsec.t
-@@ -19,3 +19,5 @@ ipsec in ip6 daddr dead::beef;ok
- ipsec out ip6 saddr dead::feed;ok
-
- ipsec in spnum 256 reqid 1;fail
-+
-+counter ipsec out ip daddr 192.168.1.2;ok
-diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json
-index d7d3a03..18a64f3 100644
---- a/tests/py/inet/ipsec.t.json
-+++ b/tests/py/inet/ipsec.t.json
-@@ -134,3 +134,24 @@
- }
- }
- ]
-+
-+# counter ipsec out ip daddr 192.168.1.2
-+[
-+ {
-+ "counter": null
-+ },
-+ {
-+ "match": {
-+ "left": {
-+ "ipsec": {
-+ "dir": "out",
-+ "family": "ip",
-+ "key": "daddr",
-+ "spnum": 0
-+ }
-+ },
-+ "op": "==",
-+ "right": "192.168.1.2"
-+ }
-+ }
-+]
-diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload
-index c46a226..9648255 100644
---- a/tests/py/inet/ipsec.t.payload
-+++ b/tests/py/inet/ipsec.t.payload
-@@ -37,3 +37,9 @@ ip ipsec-ip4 ipsec-forw
- [ xfrm load out 0 saddr6 => reg 1 ]
- [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ]
-
-+# counter ipsec out ip daddr 192.168.1.2
-+ip ipsec-ip4 ipsec-forw
-+ [ counter pkts 0 bytes 0 ]
-+ [ xfrm load out 0 daddr4 => reg 1 ]
-+ [ cmp eq reg 1 0x0201a8c0 ]
-+
---
-2.41.0.rc1
-
diff --git a/SOURCES/0008-parser-add-missing-synproxy-scope-closure.patch b/SOURCES/0008-parser-add-missing-synproxy-scope-closure.patch
deleted file mode 100644
index fe6996c..0000000
--- a/SOURCES/0008-parser-add-missing-synproxy-scope-closure.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d0d4d54136f10c23e279da40aae188b8fdc09293 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:18:10 +0100
-Subject: [PATCH] parser: add missing synproxy scope closure
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 994bf5004b365
-
-commit 994bf5004b365904029f0fe8c2de587178583712
-Author: Florian Westphal
-Date: Thu Jun 23 18:28:14 2022 +0200
-
- parser: add missing synproxy scope closure
-
- Fixes: 232f2c3287fc ("scanner: synproxy: Move to own scope")
- Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- src/parser_bison.y | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/parser_bison.y b/src/parser_bison.y
-index ca5c488..b548d5b 100644
---- a/src/parser_bison.y
-+++ b/src/parser_bison.y
-@@ -2016,7 +2016,7 @@ map_block_obj_type : COUNTER close_scope_counter { $$ = NFT_OBJECT_COUNTER; }
- | QUOTA close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
- | LIMIT close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
- | SECMARK close_scope_secmark { $$ = NFT_OBJECT_SECMARK; }
-- | SYNPROXY { $$ = NFT_OBJECT_SYNPROXY; }
-+ | SYNPROXY close_scope_synproxy { $$ = NFT_OBJECT_SYNPROXY; }
- ;
-
- map_block : /* empty */ { $$ = $-1; }
---
-2.41.0.rc1
-
diff --git a/SOURCES/0009-scanner-don-t-pop-active-flex-scanner-scope.patch b/SOURCES/0009-scanner-don-t-pop-active-flex-scanner-scope.patch
deleted file mode 100644
index f785f7b..0000000
--- a/SOURCES/0009-scanner-don-t-pop-active-flex-scanner-scope.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From 80b1505ca2ef8432375dc524cc6763e7ef795b1a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:18:10 +0100 -Subject: [PATCH] scanner: don't pop active flex scanner scope - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 8623772af0610 - -commit 8623772af06103ed4ccca3d07e55afbf3d952d6d -Author: Florian Westphal -Date: Thu Jun 23 19:56:19 2022 +0200 - - scanner: don't pop active flex scanner scope - - Currently we can pop a flex scope that is still active, i.e. the - scanner_pop_start_cond() for the scope has not been done. - - Example: - counter ipsec out ip daddr 192.168.1.2 counter name "ipsec_out" - - Here, parser fails because 'daddr' is parsed as STRING, not as DADDR token. - - Bug is as follows: - COUNTER changes scope to COUNTER. (COUNTER). - Next, IPSEC scope gets pushed, stack is: COUNTER, IPSEC. - - Then, the 'COUNTER' scope close happens. Because active scope has changed, - we cannot pop (we would pop the 'ipsec' scope in flex). - The pop operation gets delayed accordingly. - - Next, IP gets pushed, stack is: COUNTER, IPSEC, IP, plus the information - that one scope closure/pop was delayed. - - Then, the IP scope is closed. Because a pop operation was delayed, we pop again, - which brings us back to COUNTER state. - - This is bogus: The pop operation CANNOT be done yet, because the ipsec scope - is still open, but the existing code lacks the information to detect this. - - After popping the IP scope, we must remain in IPSEC scope until bison - parser calls scanner_pop_start_cond(, IPSEC). - - This adds a counter per flex scope so that we can detect this case. - In above case, after the IP scope gets closed, the "new" (previous) - scope (IPSEC) will be treated as active and its close is attempted again - on the next call to scanner_pop_start_cond(). 
- - After this patch, transition in above rule is: - - push counter (COUNTER) - push IPSEC (COUNTER, IPSEC) - pop COUNTER (delayed: COUNTER, IPSEC, pending-pop for COUNTER), - push IP (COUNTER, IPSEC, IP, pending-pop for COUNTER) - pop IP (COUNTER, IPSEC, pending-pop for COUNTER) - parse DADDR (we're in IPSEC scope, its valid token) - pop IPSEC (pops all remaining scopes). - - We could also resurrect the commit: - "scanner: flags: move to own scope", the test case passes with the - new scope closure logic. - - Fixes: bff106c5b277 ("scanner: add support for scope nesting") - 
Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- include/parser.h | 3 +++
- src/scanner.l | 11 +++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/include/parser.h b/include/parser.h
-index f32154c..5e5ad28 100644
---- a/include/parser.h
-+++ b/include/parser.h
-@@ -26,6 +26,7 @@ struct parser_state {
- unsigned int flex_state_pop;
- unsigned int startcond_type;
- struct list_head *cmds;
-+ unsigned int *startcond_active;
- };
-
- enum startcond_type {
-@@ -82,6 +83,8 @@ enum startcond_type {
- PARSER_SC_STMT_REJECT,
- PARSER_SC_STMT_SYNPROXY,
- PARSER_SC_STMT_TPROXY,
-+
-+ __SC_MAX
- };
-
- struct mnl_socket;
-diff --git a/src/scanner.l b/src/scanner.l
-index 2154281..ed7256b 100644
---- a/src/scanner.l
-+++ b/src/scanner.l
-@@ -1148,6 +1148,8 @@ void *scanner_init(struct parser_state *state)
- yylex_init_extra(state, &scanner);
- yyset_out(NULL, scanner);
-
-+ state->startcond_active = xzalloc_array(__SC_MAX,
-+ sizeof(*state->startcond_active));
- return scanner;
- }
-
-@@ -1177,6 +1179,8 @@ void scanner_destroy(struct nft_ctx *nft)
- struct parser_state *state = yyget_extra(nft->scanner);
-
- input_descriptor_list_destroy(state);
-+ xfree(state->startcond_active);
-+
- yylex_destroy(nft->scanner);
- }
-
-@@ -1185,6 +1189,7 @@ static void scanner_push_start_cond(void *scanner, enum startcond_type type)
- struct parser_state *state = yyget_extra(scanner);
-
- state->startcond_type = type;
-+ state->startcond_active[type]++;
-
- yy_push_state((int)type, scanner);
- }
-@@ -1193,6 +1198,8 @@ void scanner_pop_start_cond(void *scanner, enum startcond_type t)
- {
- struct parser_state *state = yyget_extra(scanner);
-
-+ state->startcond_active[t]--;
-+
- if (state->startcond_type != t) {
- state->flex_state_pop++;
- return; /* Can't pop just yet! 
*/
-@@ -1202,6 +1209,10 @@ void scanner_pop_start_cond(void *scanner, enum startcond_type t)
- state->flex_state_pop--;
- state->startcond_type = yy_top_state(scanner);
- yy_pop_state(scanner);
-+
-+ t = state->startcond_type;
-+ if (state->startcond_active[t])
-+ return;
- }
-
- state->startcond_type = yy_top_state(scanner);
---
-2.41.0.rc1
-
diff --git a/SOURCES/0010-intervals-fix-crash-when-trying-to-remove-element-in.patch b/SOURCES/0010-intervals-fix-crash-when-trying-to-remove-element-in.patch
deleted file mode 100644
index 5ac725f..0000000
--- a/SOURCES/0010-intervals-fix-crash-when-trying-to-remove-element-in.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From babfd73139d19750a7b1f94fdc1b5405f5affe61 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:25:59 +0100
-Subject: [PATCH] intervals: fix crash when trying to remove element in empty
- set
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 5357cb7b5cb93
-
-commit 5357cb7b5cb93fc9b20d4d95b093d6b9f86b7727
-Author: Pablo Neira Ayuso
-Date: Thu Jun 23 14:20:17 2022 +0200
-
- intervals: fix crash when trying to remove element in empty set
-
- The set deletion routine expects an initialized set, otherwise it crashes.
-
- Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge")
- 
Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/intervals.c | 6 +++++-
- tests/shell/testcases/sets/errors_0 | 14 ++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletion(-)
- create mode 100755 tests/shell/testcases/sets/errors_0
-
-diff --git a/src/intervals.c b/src/intervals.c
-index dcc06d1..c21b3ee 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -475,7 +475,11 @@ int set_delete(struct list_head *msgs, struct cmd *cmd, struct set *set,
- if (set->automerge)
- automerge_delete(msgs, set, init, debug_mask);
-
-- set_to_range(existing_set->init);
-+ if (existing_set->init) {
-+ set_to_range(existing_set->init);
-+ } else {
-+ existing_set->init = set_expr_alloc(&internal_location, set);
-+ }
-
- list_splice_init(&init->expressions, &del_list);
-
-diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
-new file mode 100755
-index 0000000..2960b69
---- /dev/null
-+++ b/tests/shell/testcases/sets/errors_0
-@@ -0,0 +1,14 @@
-+#!/bin/bash
-+
-+set -e
-+
-+RULESET="table ip x {
-+ set y {
-+ type ipv4_addr
-+ flags interval
-+ }
-+}
-+
-+delete element ip x y { 2.3.4.5 }"
-+
-+$NFT -f - <<< $RULESET || exit 0
---
-2.41.0.rc1
-
diff --git a/SOURCES/0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch b/SOURCES/0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch
deleted file mode 100644
index fd1cbc3..0000000
--- a/SOURCES/0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch
+++ /dev/null
@@ -1,80 +0,0 @@ -From 3ea1e90779e232776e72548e9a768df1771e0f2c Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:25:59 +0100 -Subject: [PATCH] intervals: check for EXPR_F_REMOVE in case of element - mismatch - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 6d1ee9267e7e5 - -commit 6d1ee9267e7e5e429a84d7bb8a8644f9eebddb22 -Author: Pablo Neira Ayuso -Date: Thu Jun 23 18:41:21 2022 +0200 - - intervals: check for EXPR_F_REMOVE in case of element mismatch - - If auto-merge is disable and element to be deleted finds no exact - matching, then bail out. - - Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge") - 
Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/intervals.c | 4 ++++
- tests/shell/testcases/sets/errors_0 | 20 ++++++++++++++++++--
- 2 files changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/src/intervals.c b/src/intervals.c
-index c21b3ee..13009ca 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -421,6 +421,10 @@ static int setelem_delete(struct list_head *msgs, struct set *set,
- expr_error(msgs, i, "element does not exist");
- err = -1;
- goto err;
-+ } else if (i->flags & EXPR_F_REMOVE) {
-+ expr_error(msgs, i, "element does not exist");
-+ err = -1;
-+ goto err;
- }
- prev = NULL;
- }
-diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
-index 2960b69..a676ac7 100755
---- a/tests/shell/testcases/sets/errors_0
-+++ b/tests/shell/testcases/sets/errors_0
-@@ -1,7 +1,5 @@
- #!/bin/bash
-
--set -e
--
- RULESET="table ip x {
- set y {
- type ipv4_addr
-@@ -11,4 +9,22 @@ RULESET="table ip x {
-
- delete element ip x y { 2.3.4.5 }"
-
-+$NFT -f - <<< $RULESET
-+if [ $? -eq 0 ]
-+then
-+ exit 1
-+fi
-+
-+RULESET="table ip x {
-+ set y {
-+ type ipv4_addr
-+ flags interval
-+ }
-+}
-+
-+add element x y { 1.1.1.1/24 }
-+delete element x y { 1.1.1.1/24 }
-+add element x y { 1.1.1.1/24 }
-+delete element x y { 2.2.2.2/24 }"
-+
- $NFT -f - <<< $RULESET || exit 0
---
-2.41.0.rc1
-
diff --git a/SOURCES/0012-netlink_delinearize-allow-postprocessing-on-concaten.patch b/SOURCES/0012-netlink_delinearize-allow-postprocessing-on-concaten.patch
deleted file mode 100644
index f0e3f60..0000000
--- a/SOURCES/0012-netlink_delinearize-allow-postprocessing-on-concaten.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From 477a5632894a8bf6cba1f6e69a3f7d58d220820b Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] netlink_delinearize: allow postprocessing on concatenated - elements - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 0542a431e8dcc - -commit 0542a431e8dccfa86fa5b1744f536e61a0b204f3 -Author: Florian Westphal -Date: Tue Jun 14 21:57:58 2022 +0200 - - netlink_delinearize: allow postprocessing on concatenated elements - - Currently there is no case where the individual expressions inside a - mapped concatenation need to be munged. - - However, to support proper delinearization for an input like - 'rule netdev nt nc set update ether saddr . vlan id timeout 5s @macset' - - we need to allow this. - - Right now, this gets listed as: - - update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } - - because the ethernet protocol is replaced by vlan beforehand, - so we fail to map @ll,48,48 to a vlan protocol. - - Likewise, we can't map the vlan info either because we cannot - cope with the 'and' operation properly, nor is it removed. - - Prepare for this by deleting and re-adding so that we do not - corrupt the linked list. - - After this, the list can be safely changed and a followup patch - can start to delete/reallocate expressions. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/netlink_delinearize.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 068c3bb..2f13990 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -2538,16 +2538,21 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - unsigned int type = expr->dtype->type, ntype = 0; - int off = expr->dtype->subtypes; - const struct datatype *dtype; -+ LIST_HEAD(tmp); -+ struct expr *n; - -- list_for_each_entry(i, &expr->expressions, list) { -+ list_for_each_entry_safe(i, n, &expr->expressions, list) { - if (type) { - dtype = concat_subtype_lookup(type, --off); - expr_set_type(i, dtype, dtype->byteorder); - } -+ list_del(&i->list); - expr_postprocess(ctx, &i); -+ list_add_tail(&i->list, &tmp); - - ntype = concat_subtype_add(ntype, i->dtype->type); - } -+ list_splice(&tmp, &expr->expressions); - datatype_set(expr, concat_type_alloc(ntype)); - break; - } --- -2.41.0.rc1 - diff --git a/SOURCES/0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch b/SOURCES/0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch deleted file mode 100644 index 7ef74f0..0000000 --- a/SOURCES/0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From 120ec5410b0c9f8f84f2bfdf092228cc61899785 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] netlink_delinearize: postprocess binary ands in - concatenations - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 89688c947efc3 - -commit 89688c947efc36d25c58c85650414fa3a491732e -Author: Florian Westphal -Date: Tue Jun 14 21:56:48 2022 +0200 - - netlink_delinearize: postprocess binary ands in concatenations - - Input: - update ether saddr . vlan id timeout 5s @macset - ether saddr . vlan id @macset - - Before this patch, gets rendered as: - update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } - @ll,48,48 . @ll,112,16 & 0xfff @macset - - After this, listing will show: - update @macset { @ll,48,48 . vlan id timeout 5s } - @ll,48,48 . vlan id @macset - - The @ll, ... is due to vlan description replacing the ethernet one, - so payload decode fails to take the concatenation apart (the ethernet - header payload info is matched vs. vlan template). - - This will be adjusted by a followup patch. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - include/netlink.h | 6 ++++++ - src/netlink_delinearize.c | 45 ++++++++++++++++++++++++++++++++++----- - 2 files changed, 46 insertions(+), 5 deletions(-) - -diff --git a/include/netlink.h b/include/netlink.h -index e8e0f68..71c888f 100644 ---- a/include/netlink.h -+++ b/include/netlink.h -@@ -42,10 +42,16 @@ struct netlink_parse_ctx { - struct netlink_ctx *nlctx; - }; - -+ -+#define RULE_PP_IN_CONCATENATION (1 << 0) -+ -+#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION) -+ - struct rule_pp_ctx { - struct proto_ctx pctx; - struct payload_dep_ctx pdctx; - struct stmt *stmt; -+ unsigned int flags; - }; - - extern const struct input_descriptor indesc_netlink; -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 2f13990..cba419d 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -2259,12 +2259,13 @@ static void binop_adjust(const struct expr *binop, struct expr *right, - } - } - --static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr, -- struct expr **expr_binop) -+static void __binop_postprocess(struct rule_pp_ctx *ctx, -+ struct expr *expr, -+ struct expr *left, -+ struct expr *mask, -+ struct expr **expr_binop) - { - struct expr *binop = *expr_binop; -- struct expr *left = binop->left; -- struct expr *mask = binop->right; - unsigned int shift; - - assert(binop->etype == EXPR_BINOP); -@@ -2300,15 +2301,26 @@ static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr, - - assert(binop->left == left); - *expr_binop = expr_get(left); -- expr_free(binop); - - if (left->etype == EXPR_PAYLOAD) - payload_match_postprocess(ctx, expr, left); - else if (left->etype == EXPR_EXTHDR && right) - expr_set_type(right, left->dtype, left->byteorder); -+ -+ expr_free(binop); - } - } - -+static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr, -+ struct expr **expr_binop) -+{ -+ struct expr *binop = *expr_binop; -+ 
struct expr *left = binop->left; -+ struct expr *mask = binop->right; -+ -+ __binop_postprocess(ctx, expr, left, mask, expr_binop); -+} -+ - static void map_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr) - { - struct expr *binop = expr->map; -@@ -2541,6 +2553,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - LIST_HEAD(tmp); - struct expr *n; - -+ ctx->flags |= RULE_PP_IN_CONCATENATION; - list_for_each_entry_safe(i, n, &expr->expressions, list) { - if (type) { - dtype = concat_subtype_lookup(type, --off); -@@ -2552,6 +2565,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - - ntype = concat_subtype_add(ntype, i->dtype->type); - } -+ ctx->flags &= ~RULE_PP_IN_CONCATENATION; - list_splice(&tmp, &expr->expressions); - datatype_set(expr, concat_type_alloc(ntype)); - break; -@@ -2568,6 +2582,27 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - expr_set_type(expr->right, &integer_type, - BYTEORDER_HOST_ENDIAN); - break; -+ case OP_AND: -+ expr_set_type(expr->right, expr->left->dtype, -+ expr->left->byteorder); -+ -+ /* Do not process OP_AND in ordinary rule context. -+ * -+ * Removal needs to be performed as part of the relational -+ * operation because the RHS constant might need to be adjusted -+ * (shifted). -+ * -+ * This is different in set element context or concatenations: -+ * There is no relational operation (eq, neq and so on), thus -+ * it needs to be processed right away. -+ */ -+ if ((ctx->flags & RULE_PP_REMOVE_OP_AND) && -+ expr->left->etype == EXPR_PAYLOAD && -+ expr->right->etype == EXPR_VALUE) { -+ __binop_postprocess(ctx, expr, expr->left, expr->right, exprp); -+ return; -+ } -+ break; - default: - expr_set_type(expr->right, expr->left->dtype, - expr->left->byteorder); --- -2.41.0.rc1 - 
diff --git a/SOURCES/0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch b/SOURCES/0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch deleted file mode 100644 index 8ce0ca7..0000000 --- a/SOURCES/0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch +++ /dev/null @@ -1,287 +0,0 @@ -From 5246e288a724e7b9641c94f228096dc1529bb2ea Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] proto: track full stack of seen l2 protocols, not just - cumulative offset - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 0d9daa0407212 - -commit 0d9daa0407212c8cc89b3ea8aee031ddf0109b08 -Author: Florian Westphal -Date: Mon Jul 25 14:32:13 2022 +0200 - - proto: track full stack of seen l2 protocols, not just cumulative offset - - For input, a cumulative size counter of all pushed l2 headers is enough, - because we have the full expression tree available to us. - - For delinearization we need to track all seen l2 headers, else we lose - information that we might need at a later time. - - Consider: - - rule netdev nt nc set update ether saddr . vlan id - - during delinearization, the vlan proto_desc replaces the ethernet one, - and by the time we try to split the concatenation apart we will search - the ether saddr offset vs. the templates for proto_vlan. - - This replaces the offset with an array that stores the protocol - descriptions seen. - - Then, if the payload offset is larger than our description, search the - l2 stack and adjust the offset until we're within the expected offset - boundary. - - Reported-by: Eric Garver - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - include/proto.h | 3 +- - src/evaluate.c | 15 +++++++-- - src/netlink_delinearize.c | 5 --- - src/payload.c | 67 ++++++++++++++++++++++++++++++++------- - src/proto.c | 2 -- - 5 files changed, 71 insertions(+), 21 deletions(-) - -diff --git a/include/proto.h b/include/proto.h -index a04240a..35e760c 100644 ---- a/include/proto.h -+++ b/include/proto.h -@@ -193,13 +193,14 @@ struct proto_ctx { - struct { - struct location location; - const struct proto_desc *desc; -- unsigned int offset; - struct { - struct location location; - const struct proto_desc *desc; - } protos[PROTO_CTX_NUM_PROTOS]; - unsigned int num_protos; - } protocol[PROTO_BASE_MAX + 1]; -+ const struct proto_desc *stacked_ll[PROTO_CTX_NUM_PROTOS]; -+ uint8_t stacked_ll_count; - }; - - extern void proto_ctx_init(struct proto_ctx *ctx, unsigned int family, -diff --git a/src/evaluate.c b/src/evaluate.c -index 82bf131..9246064 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -678,7 +678,13 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx, - conflict_resolution_gen_dependency(ctx, link, payload, &nstmt) < 0) - return 1; - -- payload->payload.offset += ctx->pctx.protocol[base].offset; -+ if (base == PROTO_BASE_LL_HDR) { -+ unsigned int i; -+ -+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++) -+ payload->payload.offset += ctx->pctx.stacked_ll[i]->length; -+ } -+ - rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); - - return 0; -@@ -727,7 +733,12 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr) - if (desc == payload->payload.desc) { - const struct proto_hdr_template *tmpl; - -- payload->payload.offset += ctx->pctx.protocol[base].offset; -+ if (desc->base == PROTO_BASE_LL_HDR) { -+ unsigned int i; -+ -+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++) -+ payload->payload.offset += ctx->pctx.stacked_ll[i]->length; -+ } - check_icmp: - if (desc != &proto_icmp && desc != &proto_icmp6) - return 0; 
-diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index cba419d..0b5519d 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -1976,11 +1976,6 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, - struct expr *expr, - struct expr *payload) - { -- enum proto_bases base = payload->payload.base; -- -- assert(payload->payload.offset >= ctx->pctx.protocol[base].offset); -- payload->payload.offset -= ctx->pctx.protocol[base].offset; -- - switch (expr->op) { - case OP_EQ: - case OP_NEQ: -diff --git a/src/payload.c b/src/payload.c -index 66418cd..2c0d0ac 100644 ---- a/src/payload.c -+++ b/src/payload.c -@@ -116,8 +116,13 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx, - if (desc->base == base->base) { - assert(base->length > 0); - -- if (!left->payload.is_raw) -- ctx->protocol[base->base].offset += base->length; -+ if (!left->payload.is_raw) { -+ if (desc->base == PROTO_BASE_LL_HDR && -+ ctx->stacked_ll_count < PROTO_CTX_NUM_PROTOS) { -+ ctx->stacked_ll[ctx->stacked_ll_count] = base; -+ ctx->stacked_ll_count++; -+ } -+ } - } - proto_ctx_update(ctx, desc->base, loc, desc); - } -@@ -869,6 +874,38 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr, - } - } - -+static const struct proto_desc *get_stacked_desc(const struct proto_ctx *ctx, -+ const struct proto_desc *top, -+ const struct expr *e, -+ unsigned int *skip) -+{ -+ unsigned int i, total, payload_offset = e->payload.offset; -+ -+ assert(e->etype == EXPR_PAYLOAD); -+ -+ if (e->payload.base != PROTO_BASE_LL_HDR || -+ payload_offset < top->length) { -+ *skip = 0; -+ return top; -+ } -+ -+ for (i = 0, total = 0; i < ctx->stacked_ll_count; i++) { -+ const struct proto_desc *stacked; -+ -+ stacked = ctx->stacked_ll[i]; -+ if (payload_offset < stacked->length) { -+ *skip = total; -+ return stacked; -+ } -+ -+ payload_offset -= stacked->length; -+ total += stacked->length; -+ } -+ -+ *skip = total; -+ return top; -+} -+ - /** - * 
payload_expr_complete - fill in type information of a raw payload expr - * -@@ -880,9 +917,10 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr, - */ - void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx) - { -+ unsigned int payload_offset = expr->payload.offset; - const struct proto_desc *desc; - const struct proto_hdr_template *tmpl; -- unsigned int i; -+ unsigned int i, total; - - assert(expr->etype == EXPR_PAYLOAD); - -@@ -891,9 +929,12 @@ void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx) - return; - assert(desc->base == expr->payload.base); - -+ desc = get_stacked_desc(ctx, desc, expr, &total); -+ payload_offset -= total; -+ - for (i = 0; i < array_size(desc->templates); i++) { - tmpl = &desc->templates[i]; -- if (tmpl->offset != expr->payload.offset || -+ if (tmpl->offset != payload_offset || - tmpl->len != expr->len) - continue; - -@@ -950,6 +991,7 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask, - unsigned int payload_len = expr->len; - const struct proto_desc *desc; - unsigned int off, i, len = 0; -+ unsigned int total; - - assert(expr->etype == EXPR_PAYLOAD); - -@@ -959,10 +1001,8 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask, - - assert(desc->base == expr->payload.base); - -- if (ctx->protocol[expr->payload.base].offset) { -- assert(payload_offset >= ctx->protocol[expr->payload.base].offset); -- payload_offset -= ctx->protocol[expr->payload.base].offset; -- } -+ desc = get_stacked_desc(ctx, desc, expr, &total); -+ payload_offset -= total; - - off = round_up(mask->len, BITS_PER_BYTE) - mask_len; - payload_offset += off; -@@ -1009,10 +1049,11 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask, - void payload_expr_expand(struct list_head *list, struct expr *expr, - const struct proto_ctx *ctx) - { -+ unsigned int payload_offset = expr->payload.offset; - const struct proto_hdr_template *tmpl; - const struct proto_desc *desc; -+ unsigned int 
i, total; - struct expr *new; -- unsigned int i; - - assert(expr->etype == EXPR_PAYLOAD); - -@@ -1021,13 +1062,16 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, - goto raw; - assert(desc->base == expr->payload.base); - -+ desc = get_stacked_desc(ctx, desc, expr, &total); -+ payload_offset -= total; -+ - for (i = 1; i < array_size(desc->templates); i++) { - tmpl = &desc->templates[i]; - - if (tmpl->len == 0) - break; - -- if (tmpl->offset != expr->payload.offset) -+ if (tmpl->offset != payload_offset) - continue; - - if (tmpl->icmp_dep && ctx->th_dep.icmp.type && -@@ -1039,6 +1083,7 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, - list_add_tail(&new->list, list); - expr->len -= tmpl->len; - expr->payload.offset += tmpl->len; -+ payload_offset += tmpl->len; - if (expr->len == 0) - return; - } else if (expr->len > 0) { -@@ -1051,7 +1096,7 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, - } - raw: - new = payload_expr_alloc(&expr->location, NULL, 0); -- payload_init_raw(new, expr->payload.base, expr->payload.offset, -+ payload_init_raw(new, expr->payload.base, payload_offset, - expr->len); - list_add_tail(&new->list, list); - } -diff --git a/src/proto.c b/src/proto.c -index a013a00..2663f21 100644 ---- a/src/proto.c -+++ b/src/proto.c -@@ -160,8 +160,6 @@ static void proto_ctx_debug(const struct proto_ctx *ctx, enum proto_bases base, - proto_base_names[i], - ctx->protocol[i].desc ? ctx->protocol[i].desc->name : - "none"); -- if (ctx->protocol[i].offset) -- pr_debug(" (offset: %u)", ctx->protocol[i].offset); - if (i == base) - pr_debug(" <-"); - pr_debug("\n"); --- -2.41.0.rc1 - diff --git a/SOURCES/0015-debug-dump-the-l2-protocol-stack.patch b/SOURCES/0015-debug-dump-the-l2-protocol-stack.patch deleted file mode 100644 index dd296ec..0000000 --- a/SOURCES/0015-debug-dump-the-l2-protocol-stack.patch +++ /dev/null 
@@ -1,44 +0,0 @@
-From 33df569ad87c851596c02663fb4941bc0783d08c Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:27:57 +0100
-Subject: [PATCH] debug: dump the l2 protocol stack
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit dbd5f348c71de
-
-commit dbd5f348c71decf0baa8fb592c576f63fa232f50
-Author: Florian Westphal
-Date: Mon Jul 25 16:42:23 2022 +0200
-
- debug: dump the l2 protocol stack
-
- Previously we used to print the cumulative size of the headers,
- update this to print the tracked l2 stack.
-
- Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- src/proto.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/proto.c b/src/proto.c
-index 2663f21..c496482 100644
---- a/src/proto.c
-+++ b/src/proto.c
-@@ -154,6 +154,12 @@ static void proto_ctx_debug(const struct proto_ctx *ctx, enum proto_bases base,
- if (!(debug_mask & NFT_DEBUG_PROTO_CTX))
- return;
-
-+ if (base == PROTO_BASE_LL_HDR && ctx->stacked_ll_count) {
-+ pr_debug(" saved ll headers:");
-+ for (i = 0; i < ctx->stacked_ll_count; i++)
-+ pr_debug(" %s", ctx->stacked_ll[i]->name);
-+ }
-+
- pr_debug("update %s protocol context:\n", proto_base_names[base]);
- for (i = PROTO_BASE_LL_HDR; i <= PROTO_BASE_MAX; i++) {
- pr_debug(" %-20s: %s",
---
-2.41.0.rc1
-
diff --git a/SOURCES/0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch b/SOURCES/0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch
deleted file mode 100755
index 6e16638..0000000
--- a/SOURCES/0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -From 1773e6c1975ee4a6b00c24a99bf57b4597af295d Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] tests: add a test case for ether and vlan listing - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit f680055cd4377 - -commit f680055cd4377f2f531f5f77b3aaa7550988665d -Author: Florian Westphal -Date: Mon Jul 25 19:31:22 2022 +0200 - - tests: add a test case for ether and vlan listing - - before this patch series, test fails dump validation: - - update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 - - ether saddr . vlan id @macset - + update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } counter packets 0 bytes 0 - + @ll,48,48 . @ll,112,16 & 0xfff @macset - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - tests/shell/testcases/sets/0070stacked_l2_headers | 6 ++++++ - .../sets/dumps/0070stacked_l2_headers.nft | 14 ++++++++++++++ - 2 files changed, 20 insertions(+) - create mode 100755 tests/shell/testcases/sets/0070stacked_l2_headers - create mode 100644 tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft - -diff --git a/tests/shell/testcases/sets/0070stacked_l2_headers b/tests/shell/testcases/sets/0070stacked_l2_headers -new file mode 100755 -index 0000000..07820b7 ---- /dev/null -+++ b/tests/shell/testcases/sets/0070stacked_l2_headers -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+set -e -+dumpfile=$(dirname $0)/dumps/$(basename $0).nft -+ -+$NFT -f "$dumpfile" -diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -new file mode 100644 -index 0000000..ef254b9 ---- /dev/null -+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -@@ -0,0 +1,14 @@ -+table netdev nt { -+ set macset { -+ typeof ether saddr . vlan id -+ size 1024 -+ flags dynamic,timeout -+ } -+ -+ chain nc { -+ update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 -+ ether saddr . vlan id @macset -+ vlan pcp 1 -+ ether saddr 0a:0b:0c:0d:0e:0f vlan id 42 -+ } -+} --- -2.41.0.rc1 - diff --git a/SOURCES/0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch b/SOURCES/0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch deleted file mode 100644 index 7c89f29..0000000 --- a/SOURCES/0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From bba1a2086ec7bcc0cfa8df9e12c6cc1375180011 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] netlink_delinearize: also postprocess OP_AND in set element - context - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit b1e3ed0335d13 - -commit b1e3ed0335d13d206a2a2698a1ba189fa396dbf3 -Author: Florian Westphal -Date: Mon Aug 1 13:03:18 2022 +0200 - - netlink_delinearize: also postprocess OP_AND in set element context - - Pablo reports: - add rule netdev nt y update @macset { vlan id timeout 5s } - - listing still shows the raw expression: - update @macset { @ll,112,16 & 0xfff timeout 5s } - - so also cover the 'set element' case. - - Reported-by: Pablo Neira Ayuso - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - include/netlink.h | 4 +++- - src/netlink_delinearize.c | 2 ++ - .../sets/dumps/0070stacked_l2_headers.nft | 14 ++++++++++++++ - 3 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/include/netlink.h b/include/netlink.h -index 71c888f..63d07ed 100644 ---- a/include/netlink.h -+++ b/include/netlink.h -@@ -44,8 +44,10 @@ struct netlink_parse_ctx { - - - #define RULE_PP_IN_CONCATENATION (1 << 0) -+#define RULE_PP_IN_SET_ELEM (1 << 1) - --#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION) -+#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION | \ -+ RULE_PP_IN_SET_ELEM) - - struct rule_pp_ctx { - struct proto_ctx pctx; -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 0b5519d..c6ad84d 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -2660,7 +2660,9 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - expr_postprocess(ctx, &expr->prefix); - break; - case EXPR_SET_ELEM: -+ ctx->flags |= RULE_PP_IN_SET_ELEM; - expr_postprocess(ctx, &expr->key); -+ ctx->flags &= ~RULE_PP_IN_SET_ELEM; - break; - case EXPR_EXTHDR: - exthdr_dependency_kill(&ctx->pdctx, expr, ctx->pctx.family); -diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -index ef254b9..0057e9c 100644 ---- a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -@@ -1,14 +1,28 @@ - table netdev nt { -+ set vlanidset { -+ typeof vlan id -+ size 1024 -+ flags dynamic,timeout -+ } -+ - set macset { - typeof ether saddr . vlan id - size 1024 - flags dynamic,timeout - } - -+ set ipset { -+ typeof vlan id . ip saddr -+ size 1024 -+ flags dynamic,timeout -+ } -+ - chain nc { - update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 - ether saddr . 
vlan id @macset - vlan pcp 1 - ether saddr 0a:0b:0c:0d:0e:0f vlan id 42 -+ update @vlanidset { vlan id timeout 5s } counter packets 0 bytes 0 -+ update @ipset { vlan id . ip saddr timeout 5s } counter packets 0 bytes 0 - } - } --- -2.41.0.rc1 - diff --git a/SOURCES/0018-evaluate-search-stacked-header-list-for-matching-pay.patch b/SOURCES/0018-evaluate-search-stacked-header-list-for-matching-pay.patch deleted file mode 100644 index 287058c..0000000 --- a/SOURCES/0018-evaluate-search-stacked-header-list-for-matching-pay.patch +++ /dev/null @@ -1,198 +0,0 @@ -From da9367286d4589a3371d547cd8e6dd6d985cc69a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:58 +0100 -Subject: [PATCH] evaluate: search stacked header list for matching payload dep - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 87c3041bfd244 - -commit 87c3041bfd244aaf39e644d33c0df4fe04079e1c -Author: Florian Westphal -Date: Mon Jul 25 20:02:28 2022 +0200 - - evaluate: search stacked header list for matching payload dep - - "ether saddr 0:1:2:3:4:6 vlan id 2" works, but reverse fails: - - "vlan id 2 ether saddr 0:1:2:3:4:6" will give - Error: conflicting protocols specified: vlan vs. ether - - After "proto: track full stack of seen l2 protocols, not just cumulative offset", - we have a list of all l2 headers, so search those to see if we had this - proto base in the past before rejecting this. - - Reported-by: Eric Garver - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/evaluate.c | 21 +++++++--- - tests/py/bridge/vlan.t | 3 ++ - tests/py/bridge/vlan.t.json | 56 +++++++++++++++++++++++++++ - tests/py/bridge/vlan.t.payload | 16 ++++++++ - tests/py/bridge/vlan.t.payload.netdev | 20 ++++++++++ - 5 files changed, 110 insertions(+), 6 deletions(-) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 9246064..d67f915 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -659,13 +659,22 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx, - struct stmt *nstmt = NULL; - int link, err; - -- if (payload->payload.base == PROTO_BASE_LL_HDR && -- proto_is_dummy(desc)) { -- err = meta_iiftype_gen_dependency(ctx, payload, &nstmt); -- if (err < 0) -- return err; -+ if (payload->payload.base == PROTO_BASE_LL_HDR) { -+ if (proto_is_dummy(desc)) { -+ err = meta_iiftype_gen_dependency(ctx, payload, &nstmt); -+ if (err < 0) -+ return err; - -- rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); -+ rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); -+ } else { -+ unsigned int i; -+ -+ /* payload desc stored in the L2 header stack? No conflict. 
*/ -+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++) { -+ if (ctx->pctx.stacked_ll[i] == payload->payload.desc) -+ return 0; -+ } -+ } - } - - assert(base <= PROTO_BASE_MAX); -diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t -index 924ed4e..4920601 100644 ---- a/tests/py/bridge/vlan.t -+++ b/tests/py/bridge/vlan.t -@@ -47,3 +47,6 @@ ether type ip vlan id 1 ip saddr 10.0.0.1;fail - - # mangling - vlan id 1 vlan id set 2;ok -+ -+ether saddr 00:01:02:03:04:05 vlan id 1;ok -+vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2 -diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json -index e7640f9..58d4a40 100644 ---- a/tests/py/bridge/vlan.t.json -+++ b/tests/py/bridge/vlan.t.json -@@ -761,3 +761,59 @@ - } - } - ] -+ -+# ether saddr 00:01:02:03:04:05 vlan id 1 -+[ -+ { -+ "match": { -+ "left": { -+ "payload": { -+ "field": "saddr", -+ "protocol": "ether" -+ } -+ }, -+ "op": "==", -+ "right": "00:01:02:03:04:05" -+ } -+ }, -+ { -+ "match": { -+ "left": { -+ "payload": { -+ "field": "id", -+ "protocol": "vlan" -+ } -+ }, -+ "op": "==", -+ "right": 1 -+ } -+ } -+] -+ -+# vlan id 2 ether saddr 0:1:2:3:4:6 -+[ -+ { -+ "match": { -+ "left": { -+ "payload": { -+ "field": "saddr", -+ "protocol": "ether" -+ } -+ }, -+ "op": "==", -+ "right": "00:01:02:03:04:06" -+ } -+ }, -+ { -+ "match": { -+ "left": { -+ "payload": { -+ "field": "id", -+ "protocol": "vlan" -+ } -+ }, -+ "op": "==", -+ "right": 2 -+ } -+ } -+] -diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload -index 6c8d595..713670e 100644 ---- a/tests/py/bridge/vlan.t.payload -+++ b/tests/py/bridge/vlan.t.payload -@@ -276,3 +276,19 @@ bridge - [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ] - [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] -+ -+# ether saddr 00:01:02:03:04:05 vlan id 1 -+bridge test-bridge input -+ [ payload load 8b @ link header + 6 
=> reg 1 ] -+ [ cmp eq reg 1 0x03020100 0x00810504 ] -+ [ payload load 2b @ link header + 14 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ cmp eq reg 1 0x00000100 ] -+ -+# vlan id 2 ether saddr 0:1:2:3:4:6 -+bridge test-bridge input -+ [ payload load 8b @ link header + 6 => reg 1 ] -+ [ cmp eq reg 1 0x03020100 0x00810604 ] -+ [ payload load 2b @ link header + 14 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ cmp eq reg 1 0x00000200 ] -diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev -index d2c7d74..98a2a2b 100644 ---- a/tests/py/bridge/vlan.t.payload.netdev -+++ b/tests/py/bridge/vlan.t.payload.netdev -@@ -322,3 +322,23 @@ netdev - [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ] - [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] -+ -+# vlan id 2 ether saddr 0:1:2:3:4:6 -+netdev test-netdev ingress -+ [ meta load iiftype => reg 1 ] -+ [ cmp eq reg 1 0x00000001 ] -+ [ payload load 8b @ link header + 6 => reg 1 ] -+ [ cmp eq reg 1 0x03020100 0x00810604 ] -+ [ payload load 2b @ link header + 14 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ cmp eq reg 1 0x00000200 ] -+ -+# ether saddr 00:01:02:03:04:05 vlan id 1 -+netdev test-netdev ingress -+ [ meta load iiftype => reg 1 ] -+ [ cmp eq reg 1 0x00000001 ] -+ [ payload load 8b @ link header + 6 => reg 1 ] -+ [ cmp eq reg 1 0x03020100 0x00810504 ] -+ [ payload load 2b @ link header + 14 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ cmp eq reg 1 0x00000100 ] --- -2.41.0.rc1 - diff --git a/SOURCES/0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch b/SOURCES/0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch deleted file mode 100644 index 6bde45c..0000000 --- a/SOURCES/0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -From f2988bad7c73e30ea4a80f348f7adf8078e6ef57 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:58 +0100 -Subject: [PATCH] src: allow anon set concatenation with ether and vlan - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit c1c223f1b5818 - -commit c1c223f1b58188542222ee2d9a4a8cc133d1dc3b -Author: Florian Westphal -Date: Mon Jul 25 21:34:52 2022 +0200 - - src: allow anon set concatenation with ether and vlan - - vlan id uses integer type (which has a length of 0). - - Using it was possible, but listing would assert: - python: mergesort.c:24: concat_expr_msort_value: Assertion `ilen > 0' failed. - - There are two reasons for this. - First reason is that the udata/typeof information lacks the 'vlan id' - part, because internally this is 'payload . binop(payload AND mask)'. - - binop lacks an udata store. It makes little sense to store it, - 'typeof' keyword expects normal match syntax. - - So, when storing udata, store the left hand side of the binary - operation, i.e. the load of the 2-byte key. - - With that resolved, delinerization could work, but concat_elem_expr() - would splice 12 bits off the elements value, but it should be 16 (on - a byte boundary). - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/expression.c | 17 +++++++++-- - src/netlink.c | 10 +++++-- - tests/py/bridge/vlan.t | 2 ++ - tests/py/bridge/vlan.t.json | 41 +++++++++++++++++++++++++++ - tests/py/bridge/vlan.t.payload | 12 ++++++++ - tests/py/bridge/vlan.t.payload.netdev | 14 +++++++++ - 6 files changed, 91 insertions(+), 5 deletions(-) - -diff --git a/src/expression.c b/src/expression.c -index deb649e..7390089 100644 ---- a/src/expression.c -+++ b/src/expression.c -@@ -879,17 +879,30 @@ static void concat_expr_print(const struct expr *expr, struct output_ctx *octx) - #define NFTNL_UDATA_SET_KEY_CONCAT_SUB_DATA 1 - #define NFTNL_UDATA_SET_KEY_CONCAT_SUB_MAX 2 - -+static struct expr *expr_build_udata_recurse(struct expr *e) -+{ -+ switch (e->etype) { -+ case EXPR_BINOP: -+ return e->left; -+ default: -+ break; -+ } -+ -+ return e; -+} -+ - static int concat_expr_build_udata(struct nftnl_udata_buf *udbuf, - const struct expr *concat_expr) - { - struct nftnl_udata *nest; -+ struct expr *expr, *tmp; - unsigned int i = 0; -- struct expr *expr; - -- list_for_each_entry(expr, &concat_expr->expressions, list) { -+ list_for_each_entry_safe(expr, tmp, &concat_expr->expressions, list) { - struct nftnl_udata *nest_expr; - int err; - -+ expr = expr_build_udata_recurse(expr); - if (!expr_ops(expr)->build_udata || i >= NFT_REG32_SIZE) - return -1; - -diff --git a/src/netlink.c b/src/netlink.c -index 89d864e..799cf9b 100644 ---- a/src/netlink.c -+++ b/src/netlink.c -@@ -1114,17 +1114,21 @@ static struct expr *concat_elem_expr(struct expr *key, - struct expr *data, int *off) - { - const struct datatype *subtype; -+ unsigned int sub_length; - struct expr *expr; - - if (key) { - (*off)--; -- expr = constant_expr_splice(data, key->len); -+ sub_length = round_up(key->len, BITS_PER_BYTE); -+ -+ expr = constant_expr_splice(data, sub_length); - expr->dtype = datatype_get(key->dtype); - expr->byteorder = key->byteorder; - expr->len = key->len; - } 
else { - subtype = concat_subtype_lookup(dtype->type, --(*off)); -- expr = constant_expr_splice(data, subtype->size); -+ sub_length = round_up(subtype->size, BITS_PER_BYTE); -+ expr = constant_expr_splice(data, sub_length); - expr->dtype = subtype; - expr->byteorder = subtype->byteorder; - } -@@ -1136,7 +1140,7 @@ static struct expr *concat_elem_expr(struct expr *key, - expr->dtype->basetype->type == TYPE_BITMASK) - expr = bitmask_expr_to_binops(expr); - -- data->len -= netlink_padding_len(expr->len); -+ data->len -= netlink_padding_len(sub_length); - - return expr; - } -diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t -index 4920601..95bdff4 100644 ---- a/tests/py/bridge/vlan.t -+++ b/tests/py/bridge/vlan.t -@@ -50,3 +50,5 @@ vlan id 1 vlan id set 2;ok - - ether saddr 00:01:02:03:04:05 vlan id 1;ok - vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2 -+ -+ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 };ok -diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json -index 58d4a40..f77756f 100644 ---- a/tests/py/bridge/vlan.t.json -+++ b/tests/py/bridge/vlan.t.json -@@ -817,3 +817,44 @@ - } - } - ] -+ -+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 
4095 } -+[ -+ { -+ "match": { -+ "left": { -+ "concat": [ -+ { -+ "payload": { -+ "field": "saddr", -+ "protocol": "ether" -+ } -+ }, -+ { -+ "payload": { -+ "field": "id", -+ "protocol": "vlan" -+ } -+ } -+ ] -+ }, -+ "op": "==", -+ "right": { -+ "set": [ -+ { -+ "concat": [ -+ "0a:0b:0c:0d:0e:0f", -+ 42 -+ ] -+ }, -+ { -+ "concat": [ -+ "0a:0b:0c:0d:0e:0f", -+ 4095 -+ ] -+ } -+ ] -+ } -+ } -+ } -+] -diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload -index 713670e..62e4b89 100644 ---- a/tests/py/bridge/vlan.t.payload -+++ b/tests/py/bridge/vlan.t.payload -@@ -292,3 +292,15 @@ bridge test-bridge input - [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000200 ] -+ -+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } -+__set%d test-bridge 3 size 2 -+__set%d test-bridge 0 -+ element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end] -+bridge test-bridge input -+ [ payload load 2b @ link header + 12 => reg 1 ] -+ [ cmp eq reg 1 0x00000081 ] -+ [ payload load 6b @ link header + 6 => reg 1 ] -+ [ payload load 2b @ link header + 14 => reg 10 ] -+ [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ lookup reg 1 set __set%d ] -diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev -index 98a2a2b..1018d4c 100644 ---- a/tests/py/bridge/vlan.t.payload.netdev -+++ b/tests/py/bridge/vlan.t.payload.netdev -@@ -342,3 +342,17 @@ netdev test-netdev ingress - [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000100 ] -+ -+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 
4095 } -+__set%d test-netdev 3 size 2 -+__set%d test-netdev 0 -+ element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end] -+netdev test-netdev ingress -+ [ meta load iiftype => reg 1 ] -+ [ cmp eq reg 1 0x00000001 ] -+ [ payload load 2b @ link header + 12 => reg 1 ] -+ [ cmp eq reg 1 0x00000081 ] -+ [ payload load 6b @ link header + 6 => reg 1 ] -+ [ payload load 2b @ link header + 14 => reg 10 ] -+ [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ lookup reg 1 set __set%d ] --- -2.41.0.rc1 - diff --git a/SOURCES/0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch b/SOURCES/0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch deleted file mode 100644 index 251fee2..0000000 --- a/SOURCES/0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From baea5b0f3199d21a8089ab792aee86621f67202c Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 12:45:30 +0100 -Subject: [PATCH] evaluate: set eval ctx for add/update statements with integer - constants - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 4cc6b20d31498 - -commit 4cc6b20d31498d90e90ff574ce8b70276afcee8f -Author: Florian Westphal -Date: Mon Jan 23 19:03:28 2023 +0100 - - evaluate: set eval ctx for add/update statements with integer constants - - Eric reports that nft asserts when using integer basetype constants with - 'typeof' sets. Example: - table netdev t { - set s { - typeof ether saddr . vlan id - flags dynamic,timeout - } - - chain c { } - } - - loads fine. But adding a rule with add/update statement fails: - nft 'add rule netdev t c set update ether saddr . 0 @s' - nft: netlink_linearize.c:867: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed. - - When the 'ether saddr . 0' concat expression is processed, there is - no set definition available anymore to deduce the required size of the - integer constant. - - nft eval step then derives the required length using the data types. - '0' has integer basetype, so the deduced length is 0. - - The assertion triggers because serialization step finds that it - needs one more register. - - 2 are needed to store the ethernet address, another register is - needed for the vlan id. - - Update eval step to make the expression context store the set key - information when processing the preceeding set reference, then - let stmt_evaluate_set() preserve the existing context instead of - zeroing it again via stmt_evaluate_arg(). - - This makes concat expression evaluation compute the total size - needed based on the sets key definition. - - Reported-by: Eric Garver - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/evaluate.c | 32 +++++++++++++++++-- - .../maps/dumps/typeof_maps_concat.nft | 11 +++++++ - tests/shell/testcases/maps/typeof_maps_concat | 6 ++++ - .../sets/dumps/typeof_sets_concat.nft | 12 +++++++ - tests/shell/testcases/sets/typeof_sets_concat | 6 ++++ - 5 files changed, 65 insertions(+), 2 deletions(-) - create mode 100644 tests/shell/testcases/maps/dumps/typeof_maps_concat.nft - create mode 100755 tests/shell/testcases/maps/typeof_maps_concat - create mode 100644 tests/shell/testcases/sets/dumps/typeof_sets_concat.nft - create mode 100755 tests/shell/testcases/sets/typeof_sets_concat - -diff --git a/src/evaluate.c b/src/evaluate.c -index d67f915..7f81411 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -1526,6 +1526,14 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set, - return ret; - } - -+static void expr_evaluate_set_ref(struct eval_ctx *ctx, struct expr *expr) -+{ -+ struct set *set = expr->set; -+ -+ expr_set_context(&ctx->ectx, set->key->dtype, set->key->len); -+ ctx->ectx.key = set->key; -+} -+ - static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) - { - struct expr *set = *expr, *i, *next; -@@ -2388,6 +2396,7 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr) - case EXPR_VARIABLE: - return expr_evaluate_variable(ctx, expr); - case EXPR_SET_REF: -+ expr_evaluate_set_ref(ctx, *expr); - return 0; - case EXPR_VALUE: - return expr_evaluate_value(ctx, expr); -@@ -2550,6 +2559,25 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt, - return __stmt_evaluate_arg(ctx, stmt, dtype, len, byteorder, expr); - } - -+/* like stmt_evaluate_arg, but keep existing context created -+ * by previous expr_evaluate(). -+ * -+ * This is needed for add/update statements: -+ * ctx->ectx.key has the set key, which may be needed for 'typeof' -+ * sets: the 'add/update' expression might contain integer data types. 
-+ * -+ * Without the key we cannot derive the element size. -+ */ -+static int stmt_evaluate_key(struct eval_ctx *ctx, struct stmt *stmt, -+ const struct datatype *dtype, unsigned int len, -+ enum byteorder byteorder, struct expr **expr) -+{ -+ if (expr_evaluate(ctx, expr) < 0) -+ return -1; -+ -+ return __stmt_evaluate_arg(ctx, stmt, dtype, len, byteorder, expr); -+} -+ - static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt) - { - if (stmt_evaluate_arg(ctx, stmt, &verdict_type, 0, 0, &stmt->expr) < 0) -@@ -3762,7 +3790,7 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) - return expr_error(ctx->msgs, stmt->set.set, - "Expression does not refer to a set"); - -- if (stmt_evaluate_arg(ctx, stmt, -+ if (stmt_evaluate_key(ctx, stmt, - stmt->set.set->set->key->dtype, - stmt->set.set->set->key->len, - stmt->set.set->set->key->byteorder, -@@ -3805,7 +3833,7 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) - return expr_error(ctx->msgs, stmt->map.set, - "Expression does not refer to a set"); - -- if (stmt_evaluate_arg(ctx, stmt, -+ if (stmt_evaluate_key(ctx, stmt, - stmt->map.set->set->key->dtype, - stmt->map.set->set->key->len, - stmt->map.set->set->key->byteorder, -diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft -new file mode 100644 -index 0000000..1ca98d8 ---- /dev/null -+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft -@@ -0,0 +1,11 @@ -+table netdev t { -+ map m { -+ typeof ether saddr . vlan id : meta mark -+ size 1234 -+ flags dynamic,timeout -+ } -+ -+ chain c { -+ ether type != 8021q update @m { ether daddr . 
123 timeout 1m : 0x0000002a } counter packets 0 bytes 0 return -+ } -+} -diff --git a/tests/shell/testcases/maps/typeof_maps_concat b/tests/shell/testcases/maps/typeof_maps_concat -new file mode 100755 -index 0000000..07820b7 ---- /dev/null -+++ b/tests/shell/testcases/maps/typeof_maps_concat -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+set -e -+dumpfile=$(dirname $0)/dumps/$(basename $0).nft -+ -+$NFT -f "$dumpfile" -diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft -new file mode 100644 -index 0000000..dbaf7cd ---- /dev/null -+++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft -@@ -0,0 +1,12 @@ -+table netdev t { -+ set s { -+ typeof ether saddr . vlan id -+ size 2048 -+ flags dynamic,timeout -+ } -+ -+ chain c { -+ ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return -+ ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return -+ } -+} -diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat -new file mode 100755 -index 0000000..07820b7 ---- /dev/null -+++ b/tests/shell/testcases/sets/typeof_sets_concat -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+set -e -+dumpfile=$(dirname $0)/dumps/$(basename $0).nft -+ -+$NFT -f "$dumpfile" --- -2.41.0.rc1 - diff --git a/SOURCES/0021-monitor-Sanitize-startup-race-condition.patch b/SOURCES/0021-monitor-Sanitize-startup-race-condition.patch deleted file mode 100644 index b58c6a4..0000000 --- a/SOURCES/0021-monitor-Sanitize-startup-race-condition.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 6e522a03cfda57267224ecdd653dcfda9c4efe62 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 15:25:37 +0100 -Subject: [PATCH] monitor: Sanitize startup race condition - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 545edb7a8ef0a - -commit 545edb7a8ef0a8acf991b1b7857fddc24d7b151a -Author: Phil Sutter -Date: Wed Sep 28 23:26:42 2022 +0200 - - monitor: Sanitize startup race condition - - During startup, 'nft monitor' first fetches the current ruleset and then - keeps this cache up to date based on received events. This is racey, as - any ruleset changes in between the initial fetch and the socket opening - are not recognized. - - This script demonstrates the problem: - - | #!/bin/bash - | - | while true; do - | nft flush ruleset - | iptables-nft -A FORWARD - | done & - | maniploop=$! - | - | trap "kill $maniploop; kill \$!; wait" EXIT - | - | while true; do - | nft monitor rules >/dev/null & - | sleep 0.2 - | kill $! - | done - - If the table add event is missed, the rule add event callback fails to - deserialize the rule and calls abort(). - - Avoid the inconvenient program exit by returning NULL from - netlink_delinearize_rule() instead of aborting and make callers check - the return value. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/cache.c | 1 + - src/monitor.c | 5 +++++ - src/netlink_delinearize.c | 5 ++++- - 3 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/cache.c b/src/cache.c -index fd8df88..701aec6 100644 ---- a/src/cache.c -+++ b/src/cache.c -@@ -490,6 +490,7 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *data) - - netlink_dump_rule(nlr, ctx); - rule = netlink_delinearize_rule(ctx, nlr); -+ assert(rule); - list_add_tail(&rule->list, &ctx->list); - - return 0; -diff --git a/src/monitor.c b/src/monitor.c -index 7fa92eb..a6b30a1 100644 ---- a/src/monitor.c -+++ b/src/monitor.c -@@ -551,6 +551,10 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type, - - nlr = netlink_rule_alloc(nlh); - r = netlink_delinearize_rule(monh->ctx, nlr); -+ if (!r) { -+ fprintf(stderr, "W: Received event for an unknown table.\n"); -+ goto out_free_nlr; -+ } - nlr_for_each_set(nlr, rule_map_decompose_cb, NULL, - &monh->ctx->nft->cache); - cmd = netlink_msg2cmd(type, nlh->nlmsg_flags); -@@ -587,6 +591,7 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type, - break; - } - rule_free(r); -+out_free_nlr: - nftnl_rule_free(nlr); - return MNL_CB_OK; - } -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index c6ad84d..1d47c74 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -3194,7 +3194,10 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx, - pctx->rule = rule_alloc(&netlink_location, &h); - pctx->table = table_cache_find(&ctx->nft->cache.table_cache, - h.table.name, h.family); -- assert(pctx->table != NULL); -+ if (!pctx->table) { -+ errno = ENOENT; -+ return NULL; -+ } - - pctx->rule->comment = nftnl_rule_get_comment(nlr); - --- -2.41.0.rc1 - 
diff --git a/SOURCES/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch b/SOURCES/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch deleted file mode 100644 index de7d6e7..0000000 --- a/SOURCES/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 9126153259c891ef55571f358d1e56b3f2274fc4 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 17 Feb 2023 17:52:16 +0100 -Subject: [PATCH] netlink_delinearize: fix decoding of concat data element - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit db59a5c1204c9 - -commit db59a5c1204c9246a82a115a8761f15809578479 -Author: Florian Westphal -Date: Mon Dec 12 11:04:34 2022 +0100 - - netlink_delinearize: fix decoding of concat data element - - Its possible to use update as follows: - - meta l4proto tcp update @pinned { ip saddr . ct original proto-src : ip daddr . ct original proto-dst } - - ... but when listing, only the first element of the concatenation is - shown. - - Check if the element size is too small and parse subsequent registers as - well. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/netlink_delinearize.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 1d47c74..e9e0845 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -1659,6 +1659,14 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, - if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_SREG_DATA)) { - sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA); - expr_data = netlink_get_register(ctx, loc, sreg_data); -+ -+ if (expr_data->len < set->data->len) { -+ expr_free(expr_data); -+ expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len); -+ if (expr_data == NULL) -+ netlink_error(ctx, loc, -+ "Could not parse dynset map data expressions"); -+ } - } - - if (expr_data != NULL) { --- -2.41.0.rc1 - diff --git a/SOURCES/0023-netlink_linearize-fix-timeout-with-map-updates.patch b/SOURCES/0023-netlink_linearize-fix-timeout-with-map-updates.patch deleted file mode 100644 index 28725cc..0000000 --- a/SOURCES/0023-netlink_linearize-fix-timeout-with-map-updates.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From d6e25e9fb09649963852ba79a249efeb067c6db4 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 17 Feb 2023 17:52:16 +0100 -Subject: [PATCH] netlink_linearize: fix timeout with map updates - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 284c038ef4c69 - -commit 284c038ef4c69d042ef91272d90c143019ecea1f -Author: Florian Westphal -Date: Mon Dec 12 11:04:35 2022 +0100 - - netlink_linearize: fix timeout with map updates - - Map updates can use timeouts, just like with sets, but the - linearization step did not pass this info to the kernel. - - meta l4proto tcp update @pinned { ip saddr . ct original proto-src timeout 90s : ip daddr . tcp dport - - Listing this won't show the "timeout 90s" because kernel never saw it to - begin with. - - Also update evaluation step to reject a timeout that was set on - the data part: Timeouts are only allowed for the key-value pair - as a whole. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/evaluate.c | 3 +++ - src/netlink_linearize.c | 4 ++++ - 2 files changed, 7 insertions(+) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 7f81411..6d0a0f5 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -3858,6 +3858,9 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) - if (stmt->map.data->comment != NULL) - return expr_error(ctx->msgs, stmt->map.data, - "Data expression comments are not supported"); -+ if (stmt->map.data->timeout > 0) -+ return expr_error(ctx->msgs, stmt->map.data, -+ "Data expression timeouts are not supported"); - - list_for_each_entry(this, &stmt->map.stmt_list, list) { - if (stmt_evaluate(ctx, this) < 0) -diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c -index c8bbcb7..6de0a96 100644 ---- a/src/netlink_linearize.c -+++ b/src/netlink_linearize.c -@@ -1520,6 +1520,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx, - nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id); - nft_rule_add_expr(ctx, nle, &stmt->location); - -+ if (stmt->map.key->timeout > 0) -+ nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT, -+ stmt->map.key->timeout); -+ - list_for_each_entry(this, &stmt->map.stmt_list, list) - num_stmts++; - --- -2.41.0.rc1 - diff --git a/SOURCES/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch b/SOURCES/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch deleted file mode 100644 index 75ffdd2..0000000 --- a/SOURCES/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 254a7ef45c890e297d9390a6f20b9132ad17c5d1 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 17 Feb 2023 17:52:16 +0100 -Subject: [PATCH] tests: add a test case for map update from packet path with - concat - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit b8e1940aa1907 - -commit b8e1940aa190773b23b3ee9349beb20c31f42bdb -Author: Florian Westphal -Date: Mon Dec 12 11:04:36 2022 +0100 - - tests: add a test case for map update from packet path with concat - - add a second test case for map updates, this time with both - a timeout and a data element that consists of a concatenation. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - .../maps/dumps/typeof_maps_concat_update_0.nft | 12 ++++++++++++ - .../testcases/maps/typeof_maps_concat_update_0 | 18 ++++++++++++++++++ - 2 files changed, 30 insertions(+) - create mode 100644 tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft - create mode 100755 tests/shell/testcases/maps/typeof_maps_concat_update_0 - -diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft -new file mode 100644 -index 0000000..d91b795 ---- /dev/null -+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft -@@ -0,0 +1,12 @@ -+table ip foo { -+ map pinned { -+ typeof ip daddr . tcp dport : ip daddr . tcp dport -+ size 65535 -+ flags dynamic,timeout -+ timeout 6m -+ } -+ -+ chain pr { -+ update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } -+ } -+} -diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0 -new file mode 100755 -index 0000000..645ae14 ---- /dev/null -+++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0 -@@ -0,0 +1,18 @@ -+#!/bin/bash -+ -+# check update statement does print both concatentations (key and data). -+ -+EXPECTED="table ip foo { -+ map pinned { -+ typeof ip daddr . tcp dport : ip daddr . tcp dport -+ size 65535 -+ flags dynamic,timeout -+ timeout 6m -+ } -+ chain pr { -+ meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } -+ } -+}" -+ -+set -e -+$NFT -f - <<< $EXPECTED --- -2.41.0.rc1 - diff --git a/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch b/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch deleted file mode 100644 index 5b86c4e..0000000 --- a/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From dbb1bcfbe480866f06977b2648b0a1595091b2b9 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:40 +0100 -Subject: [PATCH] owner: Fix potential array out of bounds access - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 9967911e3dabb - -commit 9967911e3dabb32901617e81e56602af3b37287f -Author: Pablo Neira Ayuso -Date: Wed Dec 21 17:37:46 2022 +0100 - - owner: Fix potential array out of bounds access - - If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will - return 'sizeof(tmp)'. Using this value as index is illegal. - - Original update from Phil, for the conntrack-tools tree, which also has - a copy of this function. - - Fixes: 6d085b22a8b5 ("table: support for the table owner flag") - Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - src/owner.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/owner.c b/src/owner.c -index 2d98a2e..20bed38 100644 ---- a/src/owner.c -+++ b/src/owner.c -@@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode) - continue; - - rl = readlink(procname, tmp, sizeof(tmp)); -- if (rl <= 0 || rl > (ssize_t)sizeof(tmp)) -+ if (rl <= 0 || rl >= (ssize_t)sizeof(tmp)) - continue; - - tmp[rl] = 0; --- -2.41.0.rc1 - diff --git a/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch b/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch deleted file mode 100644 index 2d7936d..0000000 --- a/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From b5fd150a3fbad94381276bedc816d4a6fdecfaf9 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] mnl: dump_nf_hooks() leaks memory in error path - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit ef66f321e49b3 - -commit ef66f321e49b337c7e678bb90d6acb94f331dfc4 -Author: Phil Sutter -Date: Wed Jan 11 12:28:15 2023 +0100 - - mnl: dump_nf_hooks() leaks memory in error path - - Have to free the basehook object before returning to caller. - - Fixes: 4694f7230195b ("src: add support for base hook dumping") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/mnl.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/mnl.c b/src/mnl.c -index 7dd77be..269d3f1 100644 ---- a/src/mnl.c -+++ b/src/mnl.c -@@ -2211,16 +2211,23 @@ static int dump_nf_hooks(const struct nlmsghdr *nlh, void *_data) - struct nlattr *nested[NFNLA_HOOK_INFO_MAX + 1] = {}; - uint32_t type; - -- if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], dump_nf_chain_info_cb, nested) < 0) -+ if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], -+ dump_nf_chain_info_cb, nested) < 0) { -+ basehook_free(hook); - return -1; -+ } - - type = ntohl(mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE])); - if (type == NFNL_HOOK_TYPE_NFTABLES) { - struct nlattr *info[NFNLA_CHAIN_MAX + 1] = {}; - const char *tablename, *chainname; - -- if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], dump_nf_attr_chain_cb, info) < 0) -+ if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], -+ dump_nf_attr_chain_cb, -+ info) < 0) { -+ basehook_free(hook); - return -1; -+ } - - tablename = mnl_attr_get_str(info[NFNLA_CHAIN_TABLE]); - chainname = mnl_attr_get_str(info[NFNLA_CHAIN_NAME]); --- -2.41.0.rc1 - diff --git a/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch b/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch deleted file mode 100644 index 32fee0e..0000000 
--- a/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch +++ /dev/null @@ -1,41 +0,0 @@ -From f5f1b17763264d88593eba175438818cf6533471 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] meta: parse_iso_date() returns boolean - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit db6e97bd667bf - -commit db6e97bd667bf205cee22049f9d0fd6550cb43a7 -Author: Phil Sutter -Date: Wed Jan 11 11:26:41 2023 +0100 - - meta: parse_iso_date() returns boolean - - Returning ts if 'ts == (time_t) -1' signals success to caller despite - failure. - - Fixes: 4460b839b945a ("meta: fix compiler warning in date_type_parse()") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/meta.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/meta.c b/src/meta.c -index 80ace25..73bd1c4 100644 ---- a/src/meta.c -+++ b/src/meta.c -@@ -433,7 +433,7 @@ success: - cur_tm = localtime(&ts); - - if (ts == (time_t) -1 || cur_tm == NULL) -- return ts; -+ return false; - - /* Substract tm_gmtoff to get the current time */ - *tstamp = ts - cur_tm->tm_gmtoff; --- -2.41.0.rc1 - diff --git a/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch b/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch deleted file mode 100644 index 480aa54..0000000 --- a/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 3fbbb074303ec3dafd97fcdeaa0a292068c23140 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] netlink: Fix for potential NULL-pointer deref - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 927d5674e7bf6 - -commit 927d5674e7bf656428f97c54c9171006e8c3c75e -Author: Phil Sutter -Date: Tue Jan 10 22:36:58 2023 +0100 - - netlink: Fix for potential NULL-pointer deref - - If memory allocation fails, calloc() returns NULL which was not checked - for. The code seems to expect zero array size though, so simply - replacing this call by one of the x*calloc() ones won't work. So guard - the call also by a check for 'len'. - - Fixes: db0697ce7f602 ("src: support for flowtable listing") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/netlink.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/netlink.c b/src/netlink.c -index 799cf9b..dee1732 100644 ---- a/src/netlink.c -+++ b/src/netlink.c -@@ -1700,7 +1700,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx, - while (dev_array[len]) - len++; - -- flowtable->dev_array = calloc(1, len * sizeof(char *)); -+ if (len) -+ flowtable->dev_array = xmalloc(len * sizeof(char *)); - for (i = 0; i < len; i++) - flowtable->dev_array[i] = xstrdup(dev_array[i]); - --- -2.41.0.rc1 - diff --git a/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch b/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch deleted file mode 100644 index bd97af1..0000000 --- a/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 8bdba078567b879054880ec957a78842c5a18848 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] optimize: Do not return garbage from stack - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit d4d47e5bdf943 - -commit d4d47e5bdf943be494aeb5d5a29b8f5212acbddf -Author: Phil Sutter -Date: Fri Jan 13 17:09:53 2023 +0100 - - optimize: Do not return garbage from stack - - If input does not contain a single 'add' command (unusual, but - possible), 'ret' value was not initialized by nft_optimize() before - returning its value. - - Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/optimize.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/optimize.c b/src/optimize.c -index 3a3049d..6514cbb 100644 ---- a/src/optimize.c -+++ b/src/optimize.c -@@ -1017,7 +1017,7 @@ static int cmd_optimize(struct nft_ctx *nft, struct cmd *cmd) - int nft_optimize(struct nft_ctx *nft, struct list_head *cmds) - { - struct cmd *cmd; -- int ret; -+ int ret = 0; - - list_for_each_entry(cmd, cmds, list) { - switch (cmd->op) { --- -2.41.0.rc1 - diff --git a/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch b/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch deleted file mode 100644 index 362d0f5..0000000 --- a/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 2438c7dafba336236e2e5dc1a6c57b6e157327cf Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] optimize: Clarify chain_optimize() array allocations - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit b83a0416cdc88 - -commit b83a0416cdc881c6ac35739cd858e4fe5fb2e04f -Author: Phil Sutter -Date: Tue Jan 10 22:13:44 2023 +0100 - - optimize: Clarify chain_optimize() array allocations - - Arguments passed to sizeof() where deemed suspicious by covscan due to - the different type. Consistently specify size of an array 'a' using - 'sizeof(*a) * nmemb'. - - For the statement arrays in stmt_matrix, even use xzalloc_array() since - the item count is fixed and therefore can't be zero. - - Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/optimize.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/optimize.c b/src/optimize.c -index 6514cbb..baa6abc 100644 ---- a/src/optimize.c -+++ b/src/optimize.c -@@ -918,10 +918,11 @@ static int chain_optimize(struct nft_ctx *nft, struct list_head *rules) - ctx->num_rules++; - } - -- ctx->rule = xzalloc(sizeof(ctx->rule) * ctx->num_rules); -- ctx->stmt_matrix = xzalloc(sizeof(struct stmt *) * ctx->num_rules); -+ ctx->rule = xzalloc(sizeof(*ctx->rule) * ctx->num_rules); -+ ctx->stmt_matrix = xzalloc(sizeof(*ctx->stmt_matrix) * ctx->num_rules); - for (i = 0; i < ctx->num_rules; i++) -- ctx->stmt_matrix[i] = xzalloc(sizeof(struct stmt *) * MAX_STMTS); -+ ctx->stmt_matrix[i] = xzalloc_array(MAX_STMTS, -+ sizeof(**ctx->stmt_matrix)); - - merge = xzalloc(sizeof(*merge) * ctx->num_rules); - --- -2.41.0.rc1 - diff --git a/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch b/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch deleted file mode 100644 index 633f671..0000000 
--- a/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 21d7fa6f6a40d56c5c23eedd6ddb6a411fb8e62b Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] netlink_delinearize: Sanitize concat data element decoding - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 1344d9e53ba4d - -commit 1344d9e53ba4d67cedd13a2c76a970fc7ce65683 -Author: Phil Sutter -Date: Tue Feb 21 18:36:01 2023 +0100 - - netlink_delinearize: Sanitize concat data element decoding - - The call to netlink_get_register() might return NULL, catch this before - dereferencing the pointer. - - Fixes: db59a5c1204c9 ("netlink_delinearize: fix decoding of concat data element") - Signed-off-by: Phil Sutter - Acked-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/netlink_delinearize.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index e9e0845..cadb8ec 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -1660,7 +1660,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, - sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA); - expr_data = netlink_get_register(ctx, loc, sreg_data); - -- if (expr_data->len < set->data->len) { -+ if (expr_data && expr_data->len < set->data->len) { - expr_free(expr_data); - expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len); - if (expr_data == NULL) --- -2.41.0.rc1 - diff --git a/SOURCES/0032-tests-monitor-Summarize-failures-per-test-case.patch b/SOURCES/0032-tests-monitor-Summarize-failures-per-test-case.patch deleted file mode 100644 index e899032..0000000 --- a/SOURCES/0032-tests-monitor-Summarize-failures-per-test-case.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From a2446688362b6b81bd0fa0dc22cb5cc2fa3378c1 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 20 Jul 2023 15:55:05 +0200 -Subject: [PATCH] tests: monitor: Summarize failures per test case - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit c2b28dcebd058 - -commit c2b28dcebd058b978692b8e1899e79b96c025396 -Author: Phil Sutter -Date: Thu Jul 20 12:08:45 2023 +0200 - - tests: monitor: Summarize failures per test case - - Explicitly print when tests from a file fail in addition to the diff + - "output differs" message. - - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - tests/monitor/run-tests.sh | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh -index b5ca47d..f1ac790 100755 ---- a/tests/monitor/run-tests.sh -+++ b/tests/monitor/run-tests.sh -@@ -161,7 +161,10 @@ for variant in $variants; do - output_append=${variant}_output_append - - for testcase in ${testcases:-testcases/*.t}; do -- echo "$variant: running tests from file $(basename $testcase)" -+ filename=$(basename $testcase) -+ echo "$variant: running tests from file $filename" -+ rc_start=$rc -+ - # files are like this: - # - # I add table ip t -@@ -199,6 +202,10 @@ for variant in $variants; do - $run_test - let "rc += $?" - } -+ -+ let "rc_diff = rc - rc_start" -+ [[ $rc_diff -ne 0 ]] && \ -+ echo "$variant: $rc_diff tests from file $filename failed" - done - done - exit $rc --- -2.41.0 - diff --git a/SOURCES/0033-rule-check-address-family-in-set-collapse.patch b/SOURCES/0033-rule-check-address-family-in-set-collapse.patch deleted file mode 100644 index ceb1d2c..0000000 --- a/SOURCES/0033-rule-check-address-family-in-set-collapse.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 955758b3ef4772bb92fc63a8f6d424f93ebb7a2f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 21 Sep 2023 15:24:03 +0200 -Subject: [PATCH] rule: check address family in set collapse - -JIRA: https://issues.redhat.com/browse/RHEL-5160 -Upstream Status: nftables commit a817ea9655dee - -commit a817ea9655dee1915423a802c0133e3611e02b3a -Author: Derek Hageman -Date: Thu Sep 1 10:10:41 2022 -0600 - - rule: check address family in set collapse - - 498a5f0c219d added collapsing of set operations in different commands. - However, the logic is currently too relaxed. It is valid to have a - table and set with identical names on different address families. - For example: - - table ip a { - set x { - type inet_service; - } - } - table ip6 a { - set x { - type inet_service; - } - } - add element ip a x { 1 } - add element ip a x { 2 } - add element ip6 a x { 2 } - - The above currently results in nothing being added to the ip6 family - table due to being collapsed into the ip table add. Prior to - 498a5f0c219d the set add would work. The fix is simply to check the - family in addition to the table and set names before allowing a - collapse. - - [ Add testcase to tests/shell --pablo ] - - Fixes: 498a5f0c219d ("rule: collapse set element commands") - Signed-off-by: Derek Hageman - 
Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - src/rule.c | 3 ++- - tests/shell/testcases/sets/collapse_elem_0 | 19 +++++++++++++++++++ - .../testcases/sets/dumps/collapse_elem_0.nft | 12 ++++++++++++ - 3 files changed, 33 insertions(+), 1 deletion(-) - create mode 100755 tests/shell/testcases/sets/collapse_elem_0 - create mode 100644 tests/shell/testcases/sets/dumps/collapse_elem_0.nft - -diff --git a/src/rule.c b/src/rule.c -index 0526a14..3b60cca 100644 ---- a/src/rule.c -+++ b/src/rule.c -@@ -1409,7 +1409,8 @@ bool nft_cmd_collapse(struct list_head *cmds) - continue; - } - -- if (strcmp(elems->handle.table.name, cmd->handle.table.name) || -+ if (elems->handle.family != cmd->handle.family || -+ strcmp(elems->handle.table.name, cmd->handle.table.name) || - strcmp(elems->handle.set.name, cmd->handle.set.name)) { - elems = cmd; - continue; -diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0 -new file mode 100755 -index 0000000..7699e9d ---- /dev/null -+++ b/tests/shell/testcases/sets/collapse_elem_0 -@@ -0,0 +1,19 @@ -+#!/bin/bash -+ -+set -e -+ -+RULESET="table ip a { -+ set x { -+ type inet_service; -+ } -+} -+table ip6 a { -+ set x { -+ type inet_service; -+ } -+} -+add element ip a x { 1 } -+add element ip a x { 2 } -+add element ip6 a x { 2 }" -+ -+$NFT -f - <<< $RULESET -diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft -new file mode 100644 -index 0000000..a3244fc ---- /dev/null -+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft -@@ -0,0 +1,12 @@ -+table ip a { -+ set x { -+ type inet_service -+ elements = { 1, 2 } -+ } -+} -+table ip6 a { -+ set x { -+ type inet_service -+ elements = { 2 } -+ } -+} --- -2.41.0 - 
diff --git a/SOURCES/0034-parser_bison-Fix-for-broken-compatibility-with-older.patch b/SOURCES/0034-parser_bison-Fix-for-broken-compatibility-with-older.patch deleted file mode 100644 index 1b991b3..0000000 --- a/SOURCES/0034-parser_bison-Fix-for-broken-compatibility-with-older.patch +++ /dev/null @@ -1,86 +0,0 @@ -From fa2b3f20274f5e66b67e2c3d2b7d957b9200473e Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 15 Nov 2023 17:06:19 +0100 -Subject: [PATCH] parser_bison: Fix for broken compatibility with older dumps - -JIRA: https://issues.redhat.com/browse/RHEL-2596 -Upstream Status: nftables commit 22fab8681a50014174cdd02ace90f74b9e9eefe9 - -commit 22fab8681a50014174cdd02ace90f74b9e9eefe9 -Author: Phil Sutter -Date: Thu Oct 19 18:40:04 2023 +0200 - - parser_bison: Fix for broken compatibility with older dumps - - Commit e6d1d0d611958 ("src: add set element multi-statement - support") changed the order of expressions and other state attached to set - elements are expected in input. This broke parsing of ruleset dumps - created by nft commands prior to that commit. - - Restore compatibility by also accepting the old ordering. - - Fixes: e6d1d0d611958 ("src: add set element multi-statement support") - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/parser_bison.y | 6 ++++ - tests/shell/testcases/sets/elem_opts_compat_0 | 29 +++++++++++++++++++ - 2 files changed, 35 insertions(+) - create mode 100755 tests/shell/testcases/sets/elem_opts_compat_0 - -diff --git a/src/parser_bison.y b/src/parser_bison.y -index b548d5b..b882f3b 100644 ---- a/src/parser_bison.y -+++ b/src/parser_bison.y -@@ -4283,6 +4283,12 @@ meter_key_expr_alloc : concat_expr - - set_elem_expr : set_elem_expr_alloc - | set_elem_expr_alloc set_elem_expr_options -+ | set_elem_expr_alloc set_elem_expr_options set_elem_stmt_list -+ { -+ $$ = $1; -+ list_splice_tail($3, &$$->stmt_list); -+ xfree($3); -+ } - ; - - set_elem_key_expr : set_lhs_expr { $$ = $1; } -diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0 -new file mode 100755 -index 0000000..e012953 ---- /dev/null -+++ b/tests/shell/testcases/sets/elem_opts_compat_0 -@@ -0,0 +1,29 @@ -+#!/bin/sh -+ -+# ordering of element options and expressions has changed, make sure parser -+# accepts both ways -+ -+set -e -+ -+$NFT -f - < -Date: Wed, 14 Aug 2024 16:20:37 +0200 -Subject: [PATCH] Warn for tables with compat expressions in rules - -JIRA: https://issues.redhat.com/browse/RHEL-5806 -Upstream Status: nftables commit c327e9331e50d7b4d6cfd0a82fb38bec73703bfb - -commit c327e9331e50d7b4d6cfd0a82fb38bec73703bfb -Author: Phil Sutter -Date: Tue Oct 11 18:46:55 2022 +0200 - - Warn for tables with compat expressions in rules - - While being able to "look inside" compat expressions using nft is a nice - feature, it is also (yet another) pitfall for unaware users, deceiving - them into assuming interchangeability (or at least compatibility) - between iptables-nft and nft. 
- - In reality, which involves 'nft list ruleset | nft -f -', any correctly - translated compat expressions will turn into native nftables ones not - understood by (the version of) iptables-nft which created them in the - first place. Other compat expressions will vanish, potentially - compromising the firewall ruleset. - - Emit a warning (as comment) to give users a chance to stop and - reconsider before shooting their own foot. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - include/rule.h | 1 + - src/rule.c | 16 +++++++++++++--- - src/xt.c | 2 ++ - 3 files changed, 16 insertions(+), 3 deletions(-) - -diff --git a/include/rule.h b/include/rule.h -index 9081225..c77146a 100644 ---- a/include/rule.h -+++ b/include/rule.h -@@ -169,6 +169,7 @@ struct table { - unsigned int refcnt; - uint32_t owner; - const char *comment; -+ bool has_xt_stmts; - }; - - extern struct table *table_alloc(void); -diff --git a/src/rule.c b/src/rule.c -index 3b60cca..2fe29b1 100644 ---- a/src/rule.c -+++ b/src/rule.c -@@ -1227,6 +1227,11 @@ static void table_print(const struct table *table, struct output_ctx *octx) - const char *delim = ""; - const char *family = family2str(table->handle.family); - -+ if (table->has_xt_stmts) -+ fprintf(octx->error_fp, -+ "# Warning: table %s %s is managed by iptables-nft, do not touch!\n", -+ family, table->handle.table.name); -+ - nft_print(octx, "table %s %s {", family, table->handle.table.name); - if (nft_output_handle(octx) || table->flags & TABLE_F_OWNER) - nft_print(octx, " #"); -@@ -2373,9 +2378,14 @@ static int do_list_tables(struct netlink_ctx *ctx, struct cmd *cmd) - static void table_print_declaration(struct table *table, - struct output_ctx *octx) - { -- nft_print(octx, "table %s %s {\n", -- family2str(table->handle.family), -- table->handle.table.name); -+ const char *family = family2str(table->handle.family); -+ -+ if (table->has_xt_stmts) -+ fprintf(octx->error_fp, -+ "# Warning: table %s %s is managed by iptables-nft, do not touch!\n", -+ family, table->handle.table.name); -+ -+ nft_print(octx, "table %s %s {\n", family, table->handle.table.name); - } - - static int do_list_chain(struct netlink_ctx *ctx, struct cmd *cmd, -diff --git a/src/xt.c b/src/xt.c -index 789de99..a541735 100644 ---- a/src/xt.c -+++ b/src/xt.c -@@ -238,6 +238,7 @@ void netlink_parse_match(struct netlink_parse_ctx *ctx, - stmt->xt.name = strdup(name); - stmt->xt.type = 
NFT_XT_MATCH; - #endif -+ ctx->table->has_xt_stmts = true; - rule_stmt_append(ctx->rule, stmt); - } - -@@ -283,6 +284,7 @@ void netlink_parse_target(struct netlink_parse_ctx *ctx, - stmt->xt.name = strdup(name); - stmt->xt.type = NFT_XT_TARGET; - #endif -+ ctx->table->has_xt_stmts = true; - rule_stmt_append(ctx->rule, stmt); - } - --- -2.45.0 - diff --git a/SOURCES/0036-xt-Delay-libxtables-access-until-translation.patch b/SOURCES/0036-xt-Delay-libxtables-access-until-translation.patch deleted file mode 100644 index d80e80c..0000000 --- a/SOURCES/0036-xt-Delay-libxtables-access-until-translation.patch +++ /dev/null @@ -1,348 +0,0 @@ -From 2664d616defd4f63edba2cabe7966d092ea6569f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 14 Aug 2024 16:20:37 +0200 -Subject: [PATCH] xt: Delay libxtables access until translation - -JIRA: https://issues.redhat.com/browse/RHEL-5806 -Upstream Status: nftables commit 5c30feeee5cfee74840444b63329fa5a13b471d2 - -commit 5c30feeee5cfee74840444b63329fa5a13b471d2 -Author: Phil Sutter -Date: Thu Nov 10 18:44:43 2022 +0100 - - xt: Delay libxtables access until translation - - There is no point in spending efforts setting up the xt match/target - when it is not printed afterwards. So just store the statement data from - libnftnl in struct xt_stmt and perform the extension lookup from - xt_stmt_xlate() instead. - - This means some data structures are only temporarily allocated for the - sake of passing to libxtables callbacks, no need to drag them around. - Also no need to clone the looked up extension, it is needed only to call - the functions it provides. - - While being at it, select numeric output in xt_xlate_*_params - - otherwise there will be reverse DNS lookups which should not happen by - default. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - include/statement.h | 9 +-- - src/xt.c | 192 ++++++++++++++++++-------------------------- - 2 files changed, 80 insertions(+), 121 deletions(-) - -diff --git a/include/statement.h b/include/statement.h -index 2a2d300..8651fc7 100644 ---- a/include/statement.h -+++ b/include/statement.h -@@ -264,12 +264,11 @@ struct xtables_target; - struct xt_stmt { - const char *name; - enum nft_xt_type type; -+ uint32_t rev; -+ uint32_t family; -+ size_t infolen; -+ void *info; - uint32_t proto; -- union { -- struct xtables_match *match; -- struct xtables_target *target; -- }; -- void *entry; - }; - - extern struct stmt *xt_stmt_alloc(const struct location *loc); -diff --git a/src/xt.c b/src/xt.c -index a541735..7880fa1 100644 ---- a/src/xt.c -+++ b/src/xt.c -@@ -28,51 +28,94 @@ - - #ifdef HAVE_LIBXTABLES - #include -+ -+static void *xt_entry_alloc(const struct xt_stmt *xt, uint32_t af); - #endif - - void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - { - #ifdef HAVE_LIBXTABLES - struct xt_xlate *xl = xt_xlate_alloc(10240); -+ struct xtables_target *tg; -+ struct xt_entry_target *t; -+ struct xtables_match *mt; -+ struct xt_entry_match *m; -+ size_t size; -+ void *entry; -+ -+ xtables_set_nfproto(stmt->xt.family); -+ entry = xt_entry_alloc(&stmt->xt, stmt->xt.family); - - switch (stmt->xt.type) { - case NFT_XT_MATCH: -- if (stmt->xt.match->xlate) { -+ mt = xtables_find_match(stmt->xt.name, XTF_TRY_LOAD, NULL); -+ if (!mt) { -+ fprintf(stderr, "XT match %s not found\n", -+ stmt->xt.name); -+ return; -+ } -+ size = XT_ALIGN(sizeof(*m)) + stmt->xt.infolen; -+ -+ m = xzalloc(size); -+ memcpy(&m->data, stmt->xt.info, stmt->xt.infolen); -+ -+ m->u.match_size = size; -+ m->u.user.revision = stmt->xt.rev; -+ -+ if (mt->xlate) { - struct xt_xlate_mt_params params = { -- .ip = stmt->xt.entry, -- .match = stmt->xt.match->m, -- .numeric = 0, -+ .ip = entry, -+ .match = m, -+ .numeric = 1, - }; - -- 
stmt->xt.match->xlate(xl, ¶ms); -+ mt->xlate(xl, ¶ms); - nft_print(octx, "%s", xt_xlate_get(xl)); -- } else if (stmt->xt.match->print) { -+ } else if (mt->print) { - printf("#"); -- stmt->xt.match->print(&stmt->xt.entry, -- stmt->xt.match->m, 0); -+ mt->print(&entry, m, 0); - } -+ xfree(m); - break; - case NFT_XT_WATCHER: - case NFT_XT_TARGET: -- if (stmt->xt.target->xlate) { -+ tg = xtables_find_target(stmt->xt.name, XTF_TRY_LOAD); -+ if (!tg) { -+ fprintf(stderr, "XT target %s not found\n", -+ stmt->xt.name); -+ return; -+ } -+ size = XT_ALIGN(sizeof(*t)) + stmt->xt.infolen; -+ -+ t = xzalloc(size); -+ memcpy(&t->data, stmt->xt.info, stmt->xt.infolen); -+ -+ t->u.target_size = size; -+ t->u.user.revision = stmt->xt.rev; -+ -+ strcpy(t->u.user.name, tg->name); -+ -+ if (tg->xlate) { - struct xt_xlate_tg_params params = { -- .ip = stmt->xt.entry, -- .target = stmt->xt.target->t, -- .numeric = 0, -+ .ip = entry, -+ .target = t, -+ .numeric = 1, - }; - -- stmt->xt.target->xlate(xl, ¶ms); -+ tg->xlate(xl, ¶ms); - nft_print(octx, "%s", xt_xlate_get(xl)); -- } else if (stmt->xt.target->print) { -+ } else if (tg->print) { - printf("#"); -- stmt->xt.target->print(NULL, stmt->xt.target->t, 0); -+ tg->print(NULL, t, 0); - } -+ xfree(t); - break; - default: - break; - } - - xt_xlate_free(xl); -+ xfree(entry); - #else - nft_print(octx, "# xt_%s", stmt->xt.name); - #endif -@@ -80,33 +123,12 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - - void xt_stmt_destroy(struct stmt *stmt) - { --#ifdef HAVE_LIBXTABLES -- switch (stmt->xt.type) { -- case NFT_XT_MATCH: -- if (!stmt->xt.match) -- break; -- if (stmt->xt.match->m) -- xfree(stmt->xt.match->m); -- xfree(stmt->xt.match); -- break; -- case NFT_XT_WATCHER: -- case NFT_XT_TARGET: -- if (!stmt->xt.target) -- break; -- if (stmt->xt.target->t) -- xfree(stmt->xt.target->t); -- xfree(stmt->xt.target); -- break; -- default: -- break; -- } --#endif -- xfree(stmt->xt.entry); - xfree(stmt->xt.name); -+ 
xfree(stmt->xt.info); - } - - #ifdef HAVE_LIBXTABLES --static void *xt_entry_alloc(struct xt_stmt *xt, uint32_t af) -+static void *xt_entry_alloc(const struct xt_stmt *xt, uint32_t af) - { - union nft_entry { - struct ipt_entry ipt; -@@ -173,24 +195,6 @@ static uint32_t xt_proto(const struct proto_ctx *pctx) - - return 0; - } -- --static struct xtables_target *xt_target_clone(struct xtables_target *t) --{ -- struct xtables_target *clone; -- -- clone = xzalloc(sizeof(struct xtables_target)); -- memcpy(clone, t, sizeof(struct xtables_target)); -- return clone; --} -- --static struct xtables_match *xt_match_clone(struct xtables_match *m) --{ -- struct xtables_match *clone; -- -- clone = xzalloc(sizeof(struct xtables_match)); -- memcpy(clone, m, sizeof(struct xtables_match)); -- return clone; --} - #endif - - /* -@@ -201,43 +205,22 @@ void netlink_parse_match(struct netlink_parse_ctx *ctx, - const struct location *loc, - const struct nftnl_expr *nle) - { -- struct stmt *stmt; -- const char *name; --#ifdef HAVE_LIBXTABLES -- struct xtables_match *mt; - const char *mtinfo; -- struct xt_entry_match *m; -+ struct stmt *stmt; - uint32_t mt_len; - -- xtables_set_nfproto(ctx->table->handle.family); -- -- name = nftnl_expr_get_str(nle, NFTNL_EXPR_MT_NAME); -- -- mt = xtables_find_match(name, XTF_TRY_LOAD, NULL); -- if (!mt) { -- fprintf(stderr, "XT match %s not found\n", name); -- return; -- } - mtinfo = nftnl_expr_get(nle, NFTNL_EXPR_MT_INFO, &mt_len); - -- m = xzalloc(sizeof(struct xt_entry_match) + mt_len); -- memcpy(&m->data, mtinfo, mt_len); -- -- m->u.match_size = mt_len + XT_ALIGN(sizeof(struct xt_entry_match)); -- m->u.user.revision = nftnl_expr_get_u32(nle, NFTNL_EXPR_MT_REV); -- - stmt = xt_stmt_alloc(loc); -- stmt->xt.name = strdup(name); -+ stmt->xt.name = strdup(nftnl_expr_get_str(nle, NFTNL_EXPR_MT_NAME)); - stmt->xt.type = NFT_XT_MATCH; -- stmt->xt.match = xt_match_clone(mt); -- stmt->xt.match->m = m; --#else -- name = nftnl_expr_get_str(nle, 
NFTNL_EXPR_MT_NAME); -+ stmt->xt.rev = nftnl_expr_get_u32(nle, NFTNL_EXPR_MT_REV); -+ stmt->xt.family = ctx->table->handle.family; -+ -+ stmt->xt.infolen = mt_len; -+ stmt->xt.info = xmalloc(mt_len); -+ memcpy(stmt->xt.info, mtinfo, mt_len); - -- stmt = xt_stmt_alloc(loc); -- stmt->xt.name = strdup(name); -- stmt->xt.type = NFT_XT_MATCH; --#endif - ctx->table->has_xt_stmts = true; - rule_stmt_append(ctx->rule, stmt); - } -@@ -246,44 +229,22 @@ void netlink_parse_target(struct netlink_parse_ctx *ctx, - const struct location *loc, - const struct nftnl_expr *nle) - { -- struct stmt *stmt; -- const char *name; --#ifdef HAVE_LIBXTABLES -- struct xtables_target *tg; - const void *tginfo; -- struct xt_entry_target *t; -- size_t size; -+ struct stmt *stmt; - uint32_t tg_len; - -- xtables_set_nfproto(ctx->table->handle.family); -- -- name = nftnl_expr_get_str(nle, NFTNL_EXPR_TG_NAME); -- tg = xtables_find_target(name, XTF_TRY_LOAD); -- if (!tg) { -- fprintf(stderr, "XT target %s not found\n", name); -- return; -- } - tginfo = nftnl_expr_get(nle, NFTNL_EXPR_TG_INFO, &tg_len); - -- size = XT_ALIGN(sizeof(struct xt_entry_target)) + tg_len; -- t = xzalloc(size); -- memcpy(&t->data, tginfo, tg_len); -- t->u.target_size = size; -- t->u.user.revision = nftnl_expr_get_u32(nle, NFTNL_EXPR_TG_REV); -- strcpy(t->u.user.name, tg->name); -- - stmt = xt_stmt_alloc(loc); -- stmt->xt.name = strdup(name); -+ stmt->xt.name = strdup(nftnl_expr_get_str(nle, NFTNL_EXPR_TG_NAME)); - stmt->xt.type = NFT_XT_TARGET; -- stmt->xt.target = xt_target_clone(tg); -- stmt->xt.target->t = t; --#else -- name = nftnl_expr_get_str(nle, NFTNL_EXPR_TG_NAME); -+ stmt->xt.rev = nftnl_expr_get_u32(nle, NFTNL_EXPR_TG_REV); -+ stmt->xt.family = ctx->table->handle.family; -+ -+ stmt->xt.infolen = tg_len; -+ stmt->xt.info = xmalloc(tg_len); -+ memcpy(stmt->xt.info, tginfo, tg_len); - -- stmt = xt_stmt_alloc(loc); -- stmt->xt.name = strdup(name); -- stmt->xt.type = NFT_XT_TARGET; --#endif - ctx->table->has_xt_stmts = 
true; - rule_stmt_append(ctx->rule, stmt); - } -@@ -311,7 +272,6 @@ void stmt_xt_postprocess(struct rule_pp_ctx *rctx, struct stmt *stmt, - stmt->xt.type = NFT_XT_WATCHER; - - stmt->xt.proto = xt_proto(&rctx->pctx); -- stmt->xt.entry = xt_entry_alloc(&stmt->xt, rctx->pctx.family); - } - - static int nft_xt_compatible_revision(const char *name, uint8_t rev, int opt) --- -2.45.0 - diff --git a/SOURCES/0037-xt-Purify-enum-nft_xt_type.patch b/SOURCES/0037-xt-Purify-enum-nft_xt_type.patch deleted file mode 100644 index 31ec6eb..0000000 --- a/SOURCES/0037-xt-Purify-enum-nft_xt_type.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 89e01c6c9c9197193e83ec2b2adf14d1c6eb6f1f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 14 Aug 2024 16:20:37 +0200 -Subject: [PATCH] xt: Purify enum nft_xt_type - -JIRA: https://issues.redhat.com/browse/RHEL-5806 -Upstream Status: nftables commit e432477f5c013d0ca56f9fc5f9ac7cf35301b0b9 - -commit e432477f5c013d0ca56f9fc5f9ac7cf35301b0b9 -Author: Phil Sutter -Date: Thu Nov 24 16:24:05 2022 +0100 - - xt: Purify enum nft_xt_type - - Remove NFT_XT_MAX from the enum, it is not a valid xt type. - - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - include/statement.h | 2 +- - src/xt.c | 2 -- - 2 files changed, 1 insertion(+), 3 deletions(-) - -diff --git a/include/statement.h b/include/statement.h -index 8651fc7..e648fb1 100644 ---- a/include/statement.h -+++ b/include/statement.h -@@ -255,8 +255,8 @@ enum nft_xt_type { - NFT_XT_MATCH = 0, - NFT_XT_TARGET, - NFT_XT_WATCHER, -- NFT_XT_MAX - }; -+#define NFT_XT_MAX (NFT_XT_WATCHER + 1) - - struct xtables_match; - struct xtables_target; -diff --git a/src/xt.c b/src/xt.c -index 7880fa1..300416a 100644 ---- a/src/xt.c -+++ b/src/xt.c -@@ -110,8 +110,6 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - } - xfree(t); - break; -- default: -- break; - } - - xt_xlate_free(xl); --- -2.45.0 - 
diff --git a/SOURCES/0038-xt-Rewrite-unsupported-compat-expression-dumping.patch b/SOURCES/0038-xt-Rewrite-unsupported-compat-expression-dumping.patch deleted file mode 100644 index 61db4e8..0000000 --- a/SOURCES/0038-xt-Rewrite-unsupported-compat-expression-dumping.patch +++ /dev/null @@ -1,283 +0,0 @@ -From 5b2f626cb8770f485c20ae4f815763deac89a632 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 14 Aug 2024 16:20:37 +0200 -Subject: [PATCH] xt: Rewrite unsupported compat expression dumping - -JIRA: https://issues.redhat.com/browse/RHEL-5806 -Upstream Status: nftables commit 79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f -Conflicts: -* One chunk manually applied, upstream moved stmt_print_json() in commit - e66f3187d891a ("json: add table map statement support"). - -commit 79195a8cc9e9d9cf2d17165bf07ac4cc9d55539f -Author: Phil Sutter -Date: Thu Nov 24 14:17:17 2022 +0100 - - xt: Rewrite unsupported compat expression dumping - - Choose a format which provides more information and is easily parseable. - Then teach parsers about it and make it explicitly reject the ruleset - giving a meaningful explanation. Also update the man pages with some - more details. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - doc/libnftables-json.adoc | 18 +++++++++++++++--- - doc/statements.txt | 17 +++++++++++++++++ - include/json.h | 2 ++ - include/parser.h | 1 + - src/json.c | 19 +++++++++++++------ - src/parser_bison.y | 18 ++++++++++++++++++ - src/parser_json.c | 5 +++++ - src/scanner.l | 3 +++ - src/statement.c | 1 + - src/xt.c | 8 +++++++- - 10 files changed, 82 insertions(+), 10 deletions(-) - -diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc -index 9cc17ff..284ffab 100644 ---- a/doc/libnftables-json.adoc -+++ b/doc/libnftables-json.adoc -@@ -1059,10 +1059,22 @@ Assign connection tracking expectation. - - === XT - [verse] --*{ "xt": null }* -+____ -+*{ "xt": { -+ "type":* 'TYPENAME'*, -+ "name":* 'STRING' -+*}}* -+ -+'TYPENAME' := *match* | *target* | *watcher* -+____ -+ -+This represents an xt statement from xtables compat interface. It is a -+fallback if translation is not available or not complete. -+ -+Seeing this means the ruleset (or parts of it) were created by *iptables-nft* -+and one should use that to manage it. - --This represents an xt statement from xtables compat interface. Sadly, at this --point, it is not possible to provide any further information about its content. -+*BEWARE:* nftables won't restore these statements. - - == EXPRESSIONS - Expressions are the building blocks of (most) statements. In their most basic -diff --git a/doc/statements.txt b/doc/statements.txt -index 6aaf806..a00bd5d 100644 ---- a/doc/statements.txt -+++ b/doc/statements.txt -@@ -778,3 +778,20 @@ ____ - # jump to different chains depending on layer 4 protocol type: - nft add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain , icmp : jump icmp-chain } - ------------------------ -+ -+XT STATEMENT -+~~~~~~~~~~~~ -+This represents an xt statement from xtables compat interface. It is a -+fallback if translation is not available or not complete. 
-+ -+[verse] -+____ -+*xt* 'TYPE' 'NAME' -+ -+'TYPE' := *match* | *target* | *watcher* -+____ -+ -+Seeing this means the ruleset (or parts of it) were created by *iptables-nft* -+and one should use that to manage it. -+ -+*BEWARE:* nftables won't restore these statements. -diff --git a/include/json.h b/include/json.h -index b0d78eb..f691678 100644 ---- a/include/json.h -+++ b/include/json.h -@@ -92,6 +92,7 @@ json_t *connlimit_stmt_json(const struct stmt *stmt, struct output_ctx *octx); - json_t *tproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx); - json_t *synproxy_stmt_json(const struct stmt *stmt, struct output_ctx *octx); - json_t *optstrip_stmt_json(const struct stmt *stmt, struct output_ctx *octx); -+json_t *xt_stmt_json(const struct stmt *stmt, struct output_ctx *octx); - - int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd); - -@@ -194,6 +195,7 @@ STMT_PRINT_STUB(connlimit) - STMT_PRINT_STUB(tproxy) - STMT_PRINT_STUB(synproxy) - STMT_PRINT_STUB(optstrip) -+STMT_PRINT_STUB(xt) - - #undef STMT_PRINT_STUB - #undef EXPR_PRINT_STUB -diff --git a/include/parser.h b/include/parser.h -index 5e5ad28..bd61b8f 100644 ---- a/include/parser.h -+++ b/include/parser.h -@@ -50,6 +50,7 @@ enum startcond_type { - PARSER_SC_TCP, - PARSER_SC_TYPE, - PARSER_SC_VLAN, -+ PARSER_SC_XT, - PARSER_SC_CMD_EXPORT, - PARSER_SC_CMD_IMPORT, - PARSER_SC_CMD_LIST, -diff --git a/src/json.c b/src/json.c -index a525fd1..622fe08 100644 ---- a/src/json.c -+++ b/src/json.c -@@ -173,12 +173,6 @@ static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) - char buf[1024]; - FILE *fp; - -- /* XXX: Can't be supported at this point: -- * xt_stmt_xlate() ignores output_fp. 
-- */ -- if (stmt->ops->type == STMT_XT) -- return json_pack("{s:n}", "xt"); -- - if (stmt->ops->json) - return stmt->ops->json(stmt, octx); - -@@ -1584,6 +1578,19 @@ json_t *optstrip_stmt_json(const struct stmt *stmt, struct output_ctx *octx) - expr_print_json(stmt->optstrip.expr, octx)); - } - -+json_t *xt_stmt_json(const struct stmt *stmt, struct output_ctx *octx) -+{ -+ static const char *xt_typename[NFT_XT_MAX] = { -+ [NFT_XT_MATCH] = "match", -+ [NFT_XT_TARGET] = "target", -+ [NFT_XT_WATCHER] = "watcher", -+ }; -+ -+ return json_pack("{s:{s:s, s:s}}", "xt", -+ "type", xt_typename[stmt->xt.type], -+ "name", stmt->xt.name); -+} -+ - static json_t *table_print_json_full(struct netlink_ctx *ctx, - struct table *table) - { -diff --git a/src/parser_bison.y b/src/parser_bison.y -index b882f3b..a9d16f8 100644 ---- a/src/parser_bison.y -+++ b/src/parser_bison.y -@@ -615,6 +615,8 @@ int nft_lex(void *, void *, void *); - %token IN "in" - %token OUT "out" - -+%token XT "xt" -+ - %type limit_rate_pkts - %type limit_rate_bytes - -@@ -889,6 +891,9 @@ int nft_lex(void *, void *, void *); - %type optstrip_stmt - %destructor { stmt_free($$); } optstrip_stmt - -+%type xt_stmt -+%destructor { stmt_free($$); } xt_stmt -+ - %type boolean_expr - %destructor { expr_free($$); } boolean_expr - %type boolean_keys -@@ -981,6 +986,7 @@ close_scope_udplite : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_UDPL - - close_scope_log : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_LOG); } - close_scope_synproxy : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_SYNPROXY); } -+close_scope_xt : { scanner_pop_start_cond(nft->scanner, PARSER_SC_XT); } - - common_block : INCLUDE QUOTED_STRING stmt_separator - { -@@ -2861,6 +2867,18 @@ stmt : verdict_stmt - | synproxy_stmt close_scope_synproxy - | chain_stmt - | optstrip_stmt -+ | xt_stmt close_scope_xt -+ ; -+ -+xt_stmt : XT STRING STRING -+ { -+ $$ = NULL; -+ xfree($2); -+ xfree($3); -+ erec_queue(error(&@$, "unsupported 
xtables compat expression, use iptables-nft with this ruleset"), -+ state->msgs); -+ YYERROR; -+ } - ; - - chain_stmt_type : JUMP { $$ = NFT_JUMP; } -diff --git a/src/parser_json.c b/src/parser_json.c -index fb40100..1699a44 100644 ---- a/src/parser_json.c -+++ b/src/parser_json.c -@@ -2716,6 +2716,11 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) - return verdict_stmt_alloc(int_loc, expr); - } - -+ if (!strcmp(type, "xt")) { -+ json_error(ctx, "unsupported xtables compat expression, use iptables-nft with this ruleset"); -+ return NULL; -+ } -+ - for (i = 0; i < array_size(stmt_parser_tbl); i++) { - if (!strcmp(type, stmt_parser_tbl[i].key)) - return stmt_parser_tbl[i].cb(ctx, stmt_parser_tbl[i].key, tmp); -diff --git a/src/scanner.l b/src/scanner.l -index ed7256b..64d21df 100644 ---- a/src/scanner.l -+++ b/src/scanner.l -@@ -215,6 +215,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - %s SCANSTATE_TCP - %s SCANSTATE_TYPE - %s SCANSTATE_VLAN -+%s SCANSTATE_XT - %s SCANSTATE_CMD_EXPORT - %s SCANSTATE_CMD_IMPORT - %s SCANSTATE_CMD_LIST -@@ -803,6 +804,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) - - "secmark" { scanner_push_start_cond(yyscanner, SCANSTATE_SECMARK); return SECMARK; } - -+"xt" { scanner_push_start_cond(yyscanner, SCANSTATE_XT); return XT; } -+ - {addrstring} { - yylval->string = xstrdup(yytext); - return STRING; -diff --git a/src/statement.c b/src/statement.c -index 30caf9c..0448c85 100644 ---- a/src/statement.c -+++ b/src/statement.c -@@ -997,6 +997,7 @@ static const struct stmt_ops xt_stmt_ops = { - .name = "xt", - .print = xt_stmt_print, - .destroy = xt_stmt_destroy, -+ .json = xt_stmt_json, - }; - - struct stmt *xt_stmt_alloc(const struct location *loc) -diff --git a/src/xt.c b/src/xt.c -index 300416a..12b52aa 100644 ---- a/src/xt.c -+++ b/src/xt.c -@@ -115,7 +115,13 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - xt_xlate_free(xl); - xfree(entry); - #else -- nft_print(octx, "# xt_%s", 
stmt->xt.name); -+ static const char *typename[NFT_XT_MAX] = { -+ [NFT_XT_MATCH] = "match", -+ [NFT_XT_TARGET] = "target", -+ [NFT_XT_WATCHER] = "watcher", -+ }; -+ -+ nft_print(octx, "xt %s %s", typename[stmt->xt.type], stmt->xt.name); - #endif - } - --- -2.45.0 - diff --git a/SOURCES/0039-xt-Fall-back-to-generic-printing-from-translation.patch b/SOURCES/0039-xt-Fall-back-to-generic-printing-from-translation.patch deleted file mode 100644 index ab0c493..0000000 --- a/SOURCES/0039-xt-Fall-back-to-generic-printing-from-translation.patch +++ /dev/null @@ -1,92 +0,0 @@ -From e0a2f227d1d3cfb60561144318e81f74a7516d38 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 14 Aug 2024 16:21:18 +0200 -Subject: [PATCH] xt: Fall back to generic printing from translation - -JIRA: https://issues.redhat.com/browse/RHEL-5806 -Upstream Status: nftables commit e41c53ca5b043e8cee493bf4a7f78195827279d2 - -commit e41c53ca5b043e8cee493bf4a7f78195827279d2 -Author: Phil Sutter -Date: Thu Nov 24 16:16:41 2022 +0100 - - xt: Fall back to generic printing from translation - - If translation is not available or fails, print the generic format - instead of calling the print callback (which does not respect - output_fp) or silently failing. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/xt.c | 31 +++++++++++++------------------ - 1 file changed, 13 insertions(+), 18 deletions(-) - -diff --git a/src/xt.c b/src/xt.c -index 12b52aa..b75c94e 100644 ---- a/src/xt.c -+++ b/src/xt.c -@@ -34,6 +34,12 @@ static void *xt_entry_alloc(const struct xt_stmt *xt, uint32_t af); - - void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - { -+ static const char *typename[NFT_XT_MAX] = { -+ [NFT_XT_MATCH] = "match", -+ [NFT_XT_TARGET] = "target", -+ [NFT_XT_WATCHER] = "watcher", -+ }; -+ int rc = 0; - #ifdef HAVE_LIBXTABLES - struct xt_xlate *xl = xt_xlate_alloc(10240); - struct xtables_target *tg; -@@ -69,11 +75,7 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - .numeric = 1, - }; - -- mt->xlate(xl, ¶ms); -- nft_print(octx, "%s", xt_xlate_get(xl)); -- } else if (mt->print) { -- printf("#"); -- mt->print(&entry, m, 0); -+ rc = mt->xlate(xl, ¶ms); - } - xfree(m); - break; -@@ -102,27 +104,20 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - .numeric = 1, - }; - -- tg->xlate(xl, ¶ms); -- nft_print(octx, "%s", xt_xlate_get(xl)); -- } else if (tg->print) { -- printf("#"); -- tg->print(NULL, t, 0); -+ rc = tg->xlate(xl, ¶ms); - } - xfree(t); - break; - } - -+ if (rc == 1) -+ nft_print(octx, "%s", xt_xlate_get(xl)); - xt_xlate_free(xl); - xfree(entry); --#else -- static const char *typename[NFT_XT_MAX] = { -- [NFT_XT_MATCH] = "match", -- [NFT_XT_TARGET] = "target", -- [NFT_XT_WATCHER] = "watcher", -- }; -- -- nft_print(octx, "xt %s %s", typename[stmt->xt.type], stmt->xt.name); - #endif -+ if (!rc) -+ nft_print(octx, "xt %s %s", -+ typename[stmt->xt.type], stmt->xt.name); - } - - void xt_stmt_destroy(struct stmt *stmt) --- -2.45.0 - diff --git a/SOURCES/0040-xt-Fix-fallback-printing-for-extensions-matching-key.patch b/SOURCES/0040-xt-Fix-fallback-printing-for-extensions-matching-key.patch deleted file mode 100644 index 961b423..0000000 
--- a/SOURCES/0040-xt-Fix-fallback-printing-for-extensions-matching-key.patch +++ /dev/null @@ -1,71 +0,0 @@ -From eafc3f2d2dbc367b022a51a9208cc6d861b9e10d Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 14 Aug 2024 16:21:19 +0200 -Subject: [PATCH] xt: Fix fallback printing for extensions matching keywords - -JIRA: https://issues.redhat.com/browse/RHEL-5806 -Upstream Status: nftables commit aef5330fe7827f760b70d5d27010445c3adb3d3c - -commit aef5330fe7827f760b70d5d27010445c3adb3d3c -Author: Phil Sutter -Date: Thu Mar 9 14:31:31 2023 +0100 - - xt: Fix fallback printing for extensions matching keywords - - Yet another Bison workaround: Instead of the fancy error message, an - incomprehensible syntax error is emitted: - - | # iptables-nft -A FORWARD -p tcp -m osf --genre linux - | # nft list ruleset | nft -f - - | # Warning: table ip filter is managed by iptables-nft, do not touch! - | /dev/stdin:4:29-31: Error: syntax error, unexpected osf, expecting string - | meta l4proto tcp xt match osf counter packets 0 bytes 0 - | ^^^ - - Avoid this by quoting the extension name when printing: - - | # nft list ruleset | sudo ./src/nft -f - - | # Warning: table ip filter is managed by iptables-nft, do not touch! - | /dev/stdin:4:20-33: Error: unsupported xtables compat expression, use iptables-nft with this ruleset - | meta l4proto tcp xt match "osf" counter packets 0 bytes 0 - | ^^^^^^^^^^^^^^ - - Fixes: 79195a8cc9e9d ("xt: Rewrite unsupported compat expression dumping") - Fixes: e41c53ca5b043 ("xt: Fall back to generic printing from translation") - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/parser_bison.y | 2 +- - src/xt.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/parser_bison.y b/src/parser_bison.y -index a9d16f8..1ca0c25 100644 ---- a/src/parser_bison.y -+++ b/src/parser_bison.y -@@ -2870,7 +2870,7 @@ stmt : verdict_stmt - | xt_stmt close_scope_xt - ; - --xt_stmt : XT STRING STRING -+xt_stmt : XT STRING string - { - $$ = NULL; - xfree($2); -diff --git a/src/xt.c b/src/xt.c -index b75c94e..31cf40e 100644 ---- a/src/xt.c -+++ b/src/xt.c -@@ -116,7 +116,7 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - xfree(entry); - #endif - if (!rc) -- nft_print(octx, "xt %s %s", -+ nft_print(octx, "xt %s \"%s\"", - typename[stmt->xt.type], stmt->xt.name); - } - --- -2.45.0 - diff --git a/SOURCES/0041-evaluate-un-break-rule-insert-with-intervals.patch b/SOURCES/0041-evaluate-un-break-rule-insert-with-intervals.patch deleted file mode 100644 index b49f195..0000000 --- a/SOURCES/0041-evaluate-un-break-rule-insert-with-intervals.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 39c9fb961fe827a104e17a8ffa7ed63e51e3f522 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 29 Oct 2024 19:40:56 +0100 -Subject: [PATCH] evaluate: un-break rule insert with intervals - -JIRA: https://issues.redhat.com/browse/RHEL-62895 -Upstream Status: nftables commit 91626261c9dfedbd1e8ff40959b453418ebc8fb6 - -commit 91626261c9dfedbd1e8ff40959b453418ebc8fb6 -Author: Florian Westphal -Date: Tue Sep 20 15:26:07 2022 +0200 - - evaluate: un-break rule insert with intervals - - 'rule inet dscpclassify dscp_match meta l4proto { udp } th dport { 3478 } th sport { 3478-3497, 16384-16387 } goto ct_set_ef' - works with 'nft add', but not 'nft insert', the latter yields: "BUG: unhandled op 4". - - Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge") - 
Signed-off-by: Florian Westphal - Acked-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - src/evaluate.c | 1 + - tests/shell/testcases/rule_management/0003insert_0 | 4 ++++ - tests/shell/testcases/rule_management/dumps/0003insert_0.nft | 1 + - 3 files changed, 6 insertions(+) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 6d0a0f5..c6d656b 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -1505,6 +1505,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set, - switch (ctx->cmd->op) { - case CMD_CREATE: - case CMD_ADD: -+ case CMD_INSERT: - if (set->automerge) { - ret = set_automerge(ctx->msgs, ctx->cmd, set, init, - ctx->nft->debug_mask); -diff --git a/tests/shell/testcases/rule_management/0003insert_0 b/tests/shell/testcases/rule_management/0003insert_0 -index 329ccc2..c343d57 100755 ---- a/tests/shell/testcases/rule_management/0003insert_0 -+++ b/tests/shell/testcases/rule_management/0003insert_0 -@@ -9,3 +9,7 @@ $NFT add chain t c - $NFT insert rule t c accept - $NFT insert rule t c drop - $NFT insert rule t c masquerade -+ -+# check 'evaluate: un-break rule insert with intervals' -+ -+$NFT insert rule t c tcp sport { 3478-3497, 16384-16387 } -diff --git a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft -index 9421f4a..b1875ab 100644 ---- a/tests/shell/testcases/rule_management/dumps/0003insert_0.nft -+++ b/tests/shell/testcases/rule_management/dumps/0003insert_0.nft -@@ -1,5 +1,6 @@ - table ip t { - chain c { -+ tcp sport { 3478-3497, 16384-16387 } - masquerade - drop - accept --- -2.46.2 - diff --git a/SOURCES/0042-xt-Fix-translation-error-path.patch b/SOURCES/0042-xt-Fix-translation-error-path.patch deleted file mode 100644 index 8157f86..0000000 --- a/SOURCES/0042-xt-Fix-translation-error-path.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 5e5919ad698c6edfd0c1bbbd47d97309c0cb7a83 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 29 Nov 2024 12:01:39 +0100 -Subject: [PATCH] xt: Fix translation error path - -JIRA: https://issues.redhat.com/browse/RHEL-5806 -Upstream Status: nftables commit ce3d71348ee77d2d7ffa6a825afbc7471e92bc89 - -commit ce3d71348ee77d2d7ffa6a825afbc7471e92bc89 -Author: Phil Sutter -Date: Tue Mar 28 13:46:10 2023 +0200 - - xt: Fix translation error path - - If xtables support was compiled in but the required libxtables DSO is - not found, nft prints an error message and leaks memory: - - | counter packets 0 bytes 0 XT target MASQUERADE not found - - This is not as bad as it seems, the output combines stdout and stderr. - Dropping stderr produces an incomplete ruleset listing, though. While - this seemingly inline output can't easily be avoided, fix a few things: - - * Respect octx->error_fp, libnftables might have been configured to - redirect stderr somewhere else. - * Align error message formatting with others. - * Don't return immediately, but free allocated memory and fall back to - printing the expression in "untranslated" form. - - Fixes: 5c30feeee5cfe ("xt: Delay libxtables access until translation") - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/xt.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/src/xt.c b/src/xt.c -index 31cf40e..6d5866d 100644 ---- a/src/xt.c -+++ b/src/xt.c -@@ -56,9 +56,10 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - case NFT_XT_MATCH: - mt = xtables_find_match(stmt->xt.name, XTF_TRY_LOAD, NULL); - if (!mt) { -- fprintf(stderr, "XT match %s not found\n", -+ fprintf(octx->error_fp, -+ "# Warning: XT match %s not found\n", - stmt->xt.name); -- return; -+ break; - } - size = XT_ALIGN(sizeof(*m)) + stmt->xt.infolen; - -@@ -83,9 +84,10 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx) - case NFT_XT_TARGET: - tg = xtables_find_target(stmt->xt.name, XTF_TRY_LOAD); - if (!tg) { -- fprintf(stderr, "XT target %s not found\n", -+ fprintf(octx->error_fp, -+ "# Warning: XT target %s not found\n", - stmt->xt.name); -- return; -+ break; - } - size = XT_ALIGN(sizeof(*t)) + stmt->xt.infolen; - --- -2.46.2 - diff --git a/SOURCES/monitor-run-tests.stderr.expect b/SOURCES/monitor-run-tests.stderr.expect deleted file mode 100644 index c732d96..0000000 --- a/SOURCES/monitor-run-tests.stderr.expect +++ /dev/null @@ -1,6 +0,0 @@ -monitor: 2 tests from file object.t failed -monitor: 3 tests from file set-interval.t failed -monitor: 3 tests from file simple.t failed -echo: 2 tests from file object.t failed -echo: 3 tests from file set-interval.t failed -echo: 3 tests from file simple.t failed diff --git a/SOURCES/run-tests.stderr.expect b/SOURCES/run-tests.stderr.expect deleted file mode 100644 index 77cf01e..0000000 --- a/SOURCES/run-tests.stderr.expect +++ /dev/null 
@@ -1,27 +0,0 @@ -W: [FAILED] ././tests/shell/testcases/cache/0008_delete_by_handle_0 -W: [FAILED] ././tests/shell/testcases/cache/0010_implicit_chain_0 -W: [FAILED] ././tests/shell/testcases/chains/0021prio_0 -W: [FAILED] ././tests/shell/testcases/chains/0040mark_shift_0 -W: [FAILED] ././tests/shell/testcases/chains/0040mark_shift_1 -W: [FAILED] ././tests/shell/testcases/chains/0041chain_binding_0 -W: [FAILED] ././tests/shell/testcases/chains/0043chain_ingress_0 -W: [FAILED] ././tests/shell/testcases/flowtable/0013addafterdelete_0 -W: [FAILED] ././tests/shell/testcases/flowtable/0014addafterdelete_0 -W: [FAILED] ././tests/shell/testcases/listing/0013objects_0 -W: [FAILED] ././tests/shell/testcases/maps/0011vmap_0 -W: [FAILED] ././tests/shell/testcases/maps/typeof_integer_0 -W: [FAILED] ././tests/shell/testcases/maps/typeof_maps_0 -W: [FAILED] ././tests/shell/testcases/maps/typeof_raw_0 -W: [FAILED] ././tests/shell/testcases/nft-f/0017ct_timeout_obj_0 -W: [FAILED] ././tests/shell/testcases/nft-f/0018ct_expectation_obj_0 -W: [DUMP FAIL] ././tests/shell/testcases/optionals/comments_chain_0 -W: [FAILED] ././tests/shell/testcases/optionals/comments_objects_0 -W: [DUMP FAIL] ././tests/shell/testcases/optionals/comments_table_0 -W: [FAILED] ././tests/shell/testcases/owner/0001-flowtable-uaf -W: [FAILED] ././tests/shell/testcases/sets/0024named_objects_0 -W: [FAILED] ././tests/shell/testcases/sets/0044interval_overlap_0 -W: [FAILED] ././tests/shell/testcases/sets/0046netmap_0 -W: [FAILED] ././tests/shell/testcases/sets/0063set_catchall_0 -W: [FAILED] ././tests/shell/testcases/sets/0064map_catchall_0 -W: [FAILED] ././tests/shell/testcases/sets/typeof_raw_0 -W: [FAILED] ././tests/shell/testcases/sets/typeof_sets_0 diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec deleted file mode 100644 index c4fcde2..0000000 --- a/SPECS/nftables.spec +++ /dev/null 
@@ -1,554 +0,0 @@ -%define nft_rpmversion 1.0.4 -%define nft_specrelease 7 -%define libnftnl_ver 1.2.2-1 - -Name: nftables -Version: %{nft_rpmversion} -Release: %{nft_specrelease}%{?dist}%{?buildid} -# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track. -Epoch: 1 -Summary: Netfilter Tables userspace utillites - -License: GPLv2 -URL: https://netfilter.org/projects/nftables/ -Source0: %{url}/files/%{name}-%{version}.tar.bz2 -Source1: nftables.service -Source2: nftables.conf -Source3: main.nft -Source4: router.nft -Source5: nat.nft -Source6: nft-test.stderr.expect -Source7: run-tests.stderr.expect -Source8: monitor-run-tests.stderr.expect - -Patch1: 0001-tests-shell-runtime-set-element-automerge.patch -Patch2: 0002-rule-collapse-set-element-commands.patch -Patch3: 0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch -Patch4: 0004-intervals-do-not-empty-cache-for-maps.patch -Patch5: 0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch -Patch6: 0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch -Patch7: 0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch -Patch8: 0008-parser-add-missing-synproxy-scope-closure.patch -Patch9: 0009-scanner-don-t-pop-active-flex-scanner-scope.patch -Patch10: 0010-intervals-fix-crash-when-trying-to-remove-element-in.patch -Patch11: 0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch -Patch12: 0012-netlink_delinearize-allow-postprocessing-on-concaten.patch -Patch13: 0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch -Patch14: 0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch -Patch15: 0015-debug-dump-the-l2-protocol-stack.patch -Patch16: 0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch -Patch17: 0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch -Patch18: 0018-evaluate-search-stacked-header-list-for-matching-pay.patch -Patch19: 0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch -Patch20: 
0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch -Patch21: 0021-monitor-Sanitize-startup-race-condition.patch -Patch22: 0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch -Patch23: 0023-netlink_linearize-fix-timeout-with-map-updates.patch -Patch24: 0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch -Patch25: 0025-owner-Fix-potential-array-out-of-bounds-access.patch -Patch26: 0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch -Patch27: 0027-meta-parse_iso_date-returns-boolean.patch -Patch28: 0028-netlink-Fix-for-potential-NULL-pointer-deref.patch -Patch29: 0029-optimize-Do-not-return-garbage-from-stack.patch -Patch30: 0030-optimize-Clarify-chain_optimize-array-allocations.patch -Patch31: 0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch -Patch32: 0032-tests-monitor-Summarize-failures-per-test-case.patch -Patch33: 0033-rule-check-address-family-in-set-collapse.patch -Patch34: 0034-parser_bison-Fix-for-broken-compatibility-with-older.patch -Patch35: 0035-Warn-for-tables-with-compat-expressions-in-rules.patch -Patch36: 0036-xt-Delay-libxtables-access-until-translation.patch -Patch37: 0037-xt-Purify-enum-nft_xt_type.patch -Patch38: 0038-xt-Rewrite-unsupported-compat-expression-dumping.patch -Patch39: 0039-xt-Fall-back-to-generic-printing-from-translation.patch -Patch40: 0040-xt-Fix-fallback-printing-for-extensions-matching-key.patch -Patch41: 0041-evaluate-un-break-rule-insert-with-intervals.patch -Patch42: 0042-xt-Fix-translation-error-path.patch - -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool -BuildRequires: make -BuildRequires: gcc -BuildRequires: flex -BuildRequires: bison -BuildRequires: pkgconfig(libmnl) >= 1.0.4 -BuildRequires: gmp-devel -BuildRequires: readline-devel -BuildRequires: pkgconfig(libnftnl) >= %{libnftnl_ver} -BuildRequires: systemd -BuildRequires: asciidoc -BuildRequires: pkgconfig(xtables) >= 1.6.1 -BuildRequires: jansson-devel -BuildRequires: python3-devel - 
-Requires: libnftnl >= %{libnftnl_ver} - -%description -Netfilter Tables userspace utilities. - -%package devel -Summary: Development library for nftables / libnftables -Group: Development/Libraries -Requires: %{name} = %{epoch}:%{version}-%{release} -Requires: pkgconfig - -%description devel -Development tools and static libraries and header files for the libnftables library. - -%package -n python3-nftables -Summary: Python module providing an interface to libnftables -Requires: %{name} = %{epoch}:%{version}-%{release} - -%description -n python3-nftables -The nftables python module provides an interface to libnftables via ctypes. - -%prep -%autosetup -p1 -cp -a %{SOURCE6} ./tests/py/ -cp -a %{SOURCE7} ./tests/shell/ -cp -a %{SOURCE8} ./tests/monitor/run-tests.stderr.expect - -%build -autoreconf -fi -rm -Rf autom4te*.cache config.h.in~ -%configure --disable-silent-rules --with-json --with-xtables \ - --enable-python --with-python-bin=%{__python3} --with-cli=readline -make %{?_smp_mflags} - -%install -%make_install -find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' - -# Don't ship static lib (for now at least) -rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a - -chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft* - -mkdir -p $RPM_BUILD_ROOT/%{_unitdir} -cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/ - -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig -cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ - -rm $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft -cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \ - $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/ - -find $RPM_BUILD_ROOT/%{_sysconfdir} \ - \( -type d -exec chmod 0700 {} \; \) , \ - \( -type f -exec chmod 0600 {} \; \) - -# make nftables.py use the real library file name -# to avoid nftables-devel package dependency -sofile=$(readlink $RPM_BUILD_ROOT/%{_libdir}/libnftables.so) -sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \ - $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py -touch -r %{SOURCE2} 
$RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py - -%post -%systemd_post nftables.service - -%preun -%systemd_preun nftables.service - -%postun -%systemd_postun_with_restart nftables.service - -%post devel -%ldconfig_post - -%postun devel -%ldconfig_postun - -%files -%license COPYING -%config(noreplace) %{_sysconfdir}/nftables/ -%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf -%{_sbindir}/nft -%{_libdir}/libnftables.so.* -%{_mandir}/man5/libnftables-json.5* -%{_mandir}/man8/nft* -%{_unitdir}/nftables.service -%{_docdir}/nftables/examples/*.nft - -%files devel -%{_libdir}/libnftables.so -%{_libdir}/pkgconfig/libnftables.pc -%{_includedir}/nftables/libnftables.h -%{_mandir}/man3/libnftables.3* - -%files -n python3-nftables -%{python3_sitelib}/nftables-*.egg-info -%{python3_sitelib}/nftables/ - -%changelog -* Fri Nov 29 2024 Phil Sutter [1.0.4-7.el8] -- xt: Fix translation error path (Phil Sutter) [RHEL-5806] - -* Tue Oct 29 2024 Phil Sutter [1.0.4-6.el8] -- evaluate: un-break rule insert with intervals (Phil Sutter) [RHEL-62895] - -* Wed Aug 14 2024 Phil Sutter [1.0.4-5.el8] -- xt: Fix fallback printing for extensions matching keywords (Phil Sutter) [RHEL-5806] -- xt: Fall back to generic printing from translation (Phil Sutter) [RHEL-5806] -- xt: Rewrite unsupported compat expression dumping (Phil Sutter) [RHEL-5806] -- xt: Purify enum nft_xt_type (Phil Sutter) [RHEL-5806] -- xt: Delay libxtables access until translation (Phil Sutter) [RHEL-5806] -- Warn for tables with compat expressions in rules (Phil Sutter) [RHEL-5806] - -* Wed Nov 15 2023 Phil Sutter [1.0.4-4.el8] -- parser_bison: Fix for broken compatibility with older dumps (Phil Sutter) [RHEL-2596] - -* Thu Sep 21 2023 Phil Sutter [1.0.4-3.el8] -- spec: Rename variables to avoid a clash (Phil Sutter) [INTERNAL] -- rule: check address family in set collapse (Phil Sutter) [RHEL-5160] - -* Thu Jul 20 2023 Phil Sutter [1.0.4-2.el8] -- Add expected error records for testsuite runs (Phil Sutter) 
[2211076] -- tests: monitor: Summarize failures per test case (Phil Sutter) [2211076] - -* Tue May 30 2023 Phil Sutter [1.0.4-1.el8] -- Synchronize patch level with nftables-1.0.4-10.el9 (Phil Sutter) [2211076] -- Rebase onto version 1.0.4 (Phil Sutter) [2211076] - -* Thu Apr 28 2022 Phil Sutter [0.9.3-26.el8] -- libnftables: call nft_cmd_expand() only with CMD_ADD (Phil Sutter) [2073287] -- src: add CMD_OBJ_SETELEMS (Phil Sutter) [2073287] -- src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS (Phil Sutter) [2073287] -- rule: fix element cache update in __do_add_setelems() (Phil Sutter) [2073287] -- rule: memleak in __do_add_setelems() (Phil Sutter) [2073287] -- tests: shell: auto-removal of chain hook on netns removal (Phil Sutter) [2070924] -- mnl: do not use expr->identifier to fetch device name (Phil Sutter) [2070924] - -* Fri Feb 04 2022 Phil Sutter [0.9.3-25.el8] -- mnl: do not build nftnl_set element list (Phil Sutter) [2047821] -- tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773] -- evaluate: fix inet nat with no layer 3 info (Phil Sutter) [2030773] -- evaluate: attempt to set_eval flag if dynamic updates requested (Phil Sutter) [2039594] -- src: support for restoring element counters (Phil Sutter) [2039594] -- netlink: remove unused parameter from netlink_gen_stmt_stateful() (Phil Sutter) [2039594] - -* Wed Dec 08 2021 Phil Sutter [0.9.3-24.el8] -- tests: shell: better parameters for the interval stack overflow test (Phil Sutter) [1908127] -- tests: shell: $NFT needs to be invoked unquoted (Phil Sutter) [1908127] - -* Fri Nov 05 2021 Phil Sutter [0.9.3-23.el8] -- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") (Phil Sutter) [1908127] -- segtree: Fix segfault when restoring a huge interval set (Phil Sutter) [1908127] - -* Wed Oct 06 2021 Phil Sutter [0.9.3-22.el8] -- json: Drop pointless assignment in exthdr_expr_json() (Phil Sutter) [1999059] -- parser_json: Fix for memleak in tcp 
option error path (Phil Sutter) [1999059] -- parser_bison: Fix for implicit declaration of isalnum (Phil Sutter) [1999059] -- parser_json: Fix error reporting for invalid syntax (Phil Sutter) [1994141] - -* Mon Aug 02 2021 Phil Sutter [0.9.3-21.el8] -- tests: shell: Fix bogus testsuite failure with 100Hz (Phil Sutter) [1919203] -- doc: nft.8: Extend monitor description by trace (Phil Sutter) [1820365] -- include: missing sctp_chunk.h in Makefile.am (Phil Sutter) [1979334] -- exthdr: Implement SCTP Chunk matching (Phil Sutter) [1979334] -- scanner: sctp: Move to own scope (Phil Sutter) [1979334] -- scanner: introduce start condition stack (Phil Sutter) [1979334] -- json: Simplify non-tcpopt exthdr printing a bit (Phil Sutter) [1979334] -- json: tcp: add raw tcp option match support (Phil Sutter) [1979334] -- tcp: add raw tcp option match support (Phil Sutter) [1979334] -- tcpopt: allow to check for presence of any tcp option (Phil Sutter) [1979334] -- tcpopt: split tcpopt_hdr_fields into per-option enum (Phil Sutter) [1979334] -- tcpopt: rename noop to nop (Phil Sutter) [1979334] -- tcpopts: clean up parser -> tcpopt.c plumbing (Phil Sutter) [1979334] -- parser: merge sack-perm/sack-permitted and maxseg/mss (Phil Sutter) [1979334] -- tests/py: Move tcpopt.t to any/ directory (Phil Sutter) [1979334] - -* Thu May 20 2021 Phil Sutter [0.9.3-20.el8] -- src: Optimize prefix matches on byte-boundaries (Phil Sutter) [1934926] -- src: Support odd-sized payload matches (Phil Sutter) [1934926] -- spec: Add an rpminspect.yaml file to steer rpminspect (Phil Sutter) [1962184] -- spec: Explicitly state dist string in Release tag (Phil Sutter) [1962184] - -* Wed May 19 2021 Phil Sutter [0.9.3-19.el8] -- evaluate: Reject quoted strings containing only wildcard (Phil Sutter) [1818117] -- tests: monitor: use correct $nft value in EXIT trap (Phil Sutter) [1919203] -- monitor: Fix for use after free when printing map elements (Phil Sutter) [1919203] -- tests: Disable tests known to 
fail on RHEL8 (Phil Sutter) [1919203] - -* Sat Feb 20 2021 Phil Sutter [0.9.3-18.el8] -- json: init parser state for every new buffer/file (Phil Sutter) [1930873] - -* Tue Jan 12 2021 Phil Sutter [0.9.3-17.el8] -- json: don't leave dangling pointers on hlist (Phil Sutter) [1900565] -- json: Fix seqnum_to_json() functionality (Phil Sutter) [1900565] -- json: echo: Speedup seqnum_to_json() (Phil Sutter) [1900565] -- proto: Fix ARP header field ordering (Phil Sutter) [1896334] -- proto: add sctp crc32 checksum fixup (Phil Sutter) [1895804] -- mergesort: unbreak listing with binops (Phil Sutter) [1891790] -- evaluate: missing datatype definition in implicit_set_declaration() (Phil Sutter) [1877022] -- evaluate: Perform set evaluation on implicitly declared (anonymous) sets (Phil Sutter) [1877022] -- src: store expr, not dtype to track data in sets (Phil Sutter) [1877022] - -* Sat Aug 08 2020 Phil Sutter [0.9.3-16.el8] -- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1820684] -- include: Resync nf_tables.h cache copy (Phil Sutter) [1820684] - -* Tue Jun 30 2020 Phil Sutter [0.9.3-15.el8] -- segtree: Fix get element command with prefixes (Phil Sutter) [1832235] -- tests: 0034get_element_0: do not discard stderr (Phil Sutter) [1832235] -- segtree: Merge get_set_interval_find() and get_set_interval_end() (Phil Sutter) [1832235] -- segtree: Use expr_clone in get_set_interval_*() (Phil Sutter) [1832235] -- segtree: Fix missing expires value in prefixes (Phil Sutter) [1832235] - -* Wed Jun 24 2020 Phil Sutter [0.9.3-14.el8] -- JSON: Improve performance of json_events_cb() (Phil Sutter) [1835300] -- doc: Document notrack statement (Phil Sutter) [1841292] - -* Wed May 27 2020 Phil Sutter [0.9.3-13.el8] -- parser_json: Support ranges in concat expressions (Phil Sutter) [1805798] - -* Thu Mar 26 2020 Phil Sutter [0.9.3-12.el8] -- Restore default config to be empty (Phil Sutter) [1694723] - -* Mon Feb 17 2020 Phil Sutter [0.9.3-11.el8] -- Package 
requires libnftnl-1.1.5-3 (Phil Sutter) [1795224] -- src: Add support for concatenated set ranges (Phil Sutter) [1795224] -- src: Add support for NFTNL_SET_DESC_CONCAT (Phil Sutter) [1795224] -- include: resync nf_tables.h cache copy (Phil Sutter) [1795224] -- parser: add a helper for concat expression handling (Phil Sutter) [1795224] - -* Wed Feb 12 2020 Phil Sutter [0.9.3-10.el8] -- scanner: Extend asteriskstring definition (Phil Sutter) [1763652] -- doc: nft.8: Mention wildcard interface matching (Phil Sutter) [1763652] -- tests: py: Support testing host binaries (Phil Sutter) [1754047] -- tests: monitor: Support testing host's nft binary (Phil Sutter) [1754047] -- tests: monitor: Support running individual test cases (Phil Sutter) [1754047] -- tests: json_echo: Support testing host binaries (Phil Sutter) [1754047] -- tests: json_echo: Fix for Python3 (Phil Sutter) [1754047] - -* Mon Jan 27 2020 Phil Sutter [0.9.3-9.el8] -- netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt() (Phil Sutter) [1793030] -- netlink: Fix leaks in netlink_parse_cmp() (Phil Sutter) [1793030] -- netlink: Fix leak in unterminated string deserializer (Phil Sutter) [1793030] - -* Fri Jan 17 2020 Phil Sutter [0.9.3-8.el8] -- cache: Fix for doubled output after reset command (Phil Sutter) [1790793] -- tests: shell: Search diff tool once and for all (Phil Sutter) [1790793] -- xfrm: spi is big-endian (Phil Sutter) [1790963] - -* Mon Jan 13 2020 Phil Sutter [0.9.3-7.el8] -- monitor: Fix output for ranges in anonymous sets (Phil Sutter) [1774742] - -* Fri Jan 10 2020 Phil Sutter [0.9.3-6.el8] -- monitor: Do not decompose non-anonymous sets (Phil Sutter) [1774742] -- main: restore --debug (Phil Sutter) [1778883] -- main: enforce options before commands (Phil Sutter) [1778883] - -* Fri Jan 10 2020 Phil Sutter [0.9.3-5.el8] -- Install an improved sample config (Phil Sutter) [1694723] - -* Wed Dec 04 2019 Phil Sutter [0.9.3-4.el8] -- Explicitly depend on newer libnftl version 
(Phil Sutter) [1643192] - -* Tue Dec 03 2019 Phil Sutter [0.9.3-3.el8] -- Fix permissions of osf-related configs (Phil Sutter) [1776462] - -* Tue Dec 03 2019 Phil Sutter [0.9.3-2.el8] -- Add example scripts to nftables package (Phil Sutter) [1643192] - -* Mon Dec 02 2019 Phil Sutter [0.9.3-1.el8] -- Rebase onto upstream release 0.9.3 (Phil Sutter) [1643192] - -* Mon Oct 21 2019 Phil Sutter [0.9.2-4.el8] -- tproxy: Add missing error checking when parsing from netlink (Phil Sutter) [1643192] -- parser_json: Fix checking of parse_policy() return code (Phil Sutter) [1643192] - -* Fri Oct 18 2019 Phil Sutter [0.9.2-3.el8] -- spec: Avoid multilib problems due to updated nftables.py (Phil Sutter) [1643192] - -* Fri Oct 18 2019 Phil Sutter [0.9.2-2.el8] -- rule: Fix for single line ct timeout printing (Phil Sutter) [1643192] -- tests/monitor: Fix for changed ct timeout format (Phil Sutter) [1643192] -- monitor: Add missing newline to error message (Phil Sutter) [1643192] -- src: restore --echo with anonymous sets (Phil Sutter) [1643192] - -* Tue Oct 15 2019 Phil Sutter [0.9.2-1.el8] -- src: obj: fix memleak in handle_free() (Phil Sutter) [1643192] -- libnftables: memleak when list of commands is empty (Phil Sutter) [1643192] -- mnl: do not cache sender buffer size (Phil Sutter) [1643192] -- src: meter: avoid double-space in list ruleset output (Phil Sutter) [1643192] -- src: parser_json: fix crash while restoring secmark object (Phil Sutter) [1643192] -- nftables: don't crash in 'list ruleset' if policy is not set (Phil Sutter) [1643192] -- json: tests: fix typo in ct expectation json test (Phil Sutter) [1643192] -- parser_bison: Fix 'exists' keyword on Big Endian (Phil Sutter) [1643192] -- json: fix type mismatch on "ct expect" json exporting (Phil Sutter) [1643192] -- libnftables: use-after-free in exit path (Phil Sutter) [1643192] -- netlink_delinearize: fix wrong conversion to "list" in ct mark (Phil Sutter) [1643192] -- mnl: fix --echo buffer size again (Phil Sutter) 
[1643192] -- parser_json: fix crash on insert rule to bad references (Phil Sutter) [1643192] -- evaluate: flag fwd and queue statements as terminal (Phil Sutter) [1643192] -- tests: shell: check that rule add with index works with echo (Phil Sutter) [1643192] -- cache: fix --echo with index/position (Phil Sutter) [1643192] -- src: secmark: fix brace indentation and missing quotes in selctx output (Phil Sutter) [1643192] -- Add python3-nftables sub-package (Phil Sutter) [1643192] -- Rebase onto upstream version 0.9.2 (Phil Sutter) [1643192] - -* Mon Aug 12 2019 Phil Sutter - 1:0.9.0-14 -- src: fix jumps on bigendian arches -- src: json: fix constant parsing on bigendian - -* Thu Aug 08 2019 Phil Sutter - 1:0.9.0-13 -- Fix for adding a rule with index and set reference - -* Wed Jul 31 2019 Phil Sutter - 1:0.9.0-12 -- Fix permissions of /etc/nftables directory - -* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-11 -- Fix segfault with xtables support - -* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-10 -- Fix typo in spec file - -* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-9 -- Allow variables in jump statement -- Make example configs readable only by root -- Document nft list parameters -- Document vmap statement -- Install netdev-ingress.nft sample config in the right spot -- Backport upstream fixes since last release - -* Fri Mar 01 2019 Phil Sutter - 1:0.9.0-8 -- Add missing patch to spec file - -* Fri Dec 21 2018 Phil Sutter - 1:0.9.0-7 -- src: Reject 'export vm json' command - -* Tue Dec 18 2018 Phil Sutter - 1:0.9.0-6 -- Rebuild for updated libnftnl - -* Thu Dec 13 2018 Phil Sutter - 1:0.9.0-5 -- nft.8: Document log level audit -- nft.8: Clarify 'index' option of add rule command - -* Thu Oct 25 2018 Phil Sutter - 1:0.9.0-4 -- Add fixes for covscan report -- Fix for ECN keyword in LHS of relational -- Update meta pkt_type value description -- Fix for segfault with JSON output if xt expression is present -- Add missing nft suffix to files included from /etc/sysconfig/nftables.conf 
-- Use native JSON API in nft monitor - -* Thu Oct 11 2018 Phil Sutter - 1:0.9.0-3 -- Enable xtables support -- Enable JSON support - -* Mon Sep 10 2018 Phil Sutter - 1:0.9.0-2 -- Allow icmpx in inet/bridge families - -* Tue Aug 14 2018 Phil Sutter - 1:0.9.0-1 -- New version 0.9.0 -- Install libnftables -- Add devel sub-package -- Add gcc BuildRequires - -* Sat Mar 03 2018 Kevin Fenzi - 0.8.3-1 -- Update to 0.8.3. Fixes bug #1551207 - -* Thu Feb 08 2018 Fedora Release Engineering - 1:0.8.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Mon Feb 05 2018 Kevin Fenzi - 0.8.2-1 -- Update to 0.8.2. Fixes bug #1541582 - -* Tue Jan 16 2018 Kevin Fenzi - 0.8.1-1 -- Update to 0.8.1. Fixes bug #1534982 - -* Sun Oct 22 2017 Kevin Fenzi - 0.8-1 -- Update to 0.8. - -* Thu Aug 03 2017 Fedora Release Engineering - 1:0.7-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 1:0.7-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri Feb 10 2017 Fedora Release Engineering - 1:0.7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Thu Jan 12 2017 Igor Gnatenko - 1:0.7-2 -- Rebuild for readline 7.x - -* Thu Dec 22 2016 Kevin Fenzi - 0.7-1 -- Update to 0.7 - -* Fri Jul 15 2016 Kevin Fenzi - 0.6-2 -- Rebuild for new glibc symbols - -* Thu Jun 02 2016 Kevin Fenzi - 0.6-1 -- Update to 0.6. - -* Sun Apr 10 2016 Kevin Fenzi - 0.5-4 -- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936 - -* Fri Mar 25 2016 Kevin Fenzi - 0.5-3 -- Add systemd unit file. 
Fixes bug #1313936 - -* Thu Feb 04 2016 Fedora Release Engineering - 1:0.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Sep 17 2015 Kevin Fenzi 0.5-1 -- Update to 0.5 - -* Wed Jun 17 2015 Fedora Release Engineering - 1:0.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Sat Jan 10 2015 Kevin Fenzi 0.4-2 -- Add patch to fix nft -f dep gen. - -* Fri Dec 26 2014 Kevin Fenzi 0.4-1 -- Update to 0.4 -- Add Epoch to fix versioning. - -* Wed Sep 03 2014 Kevin Fenzi 0.100-4.20140903git -- Update to 20140903 snapshot - -* Sun Aug 17 2014 Fedora Release Engineering - 0.100-4.20140704git -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Fri Jul 04 2014 Kevin Fenzi 0.100-3.20140704git -- Update to new snapshot - -* Sat Jun 07 2014 Fedora Release Engineering - 0.100-2.20140426git -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sat Apr 26 2014 Kevin Fenzi 0.100-1.20140426git -- Update t0 20140426 - -* Sun Mar 30 2014 Kevin Fenzi 0.100-1.20140330git -- Update to 20140330 snapshot -- Sync versions to be post 0.100 release. - -* Wed Mar 26 2014 Kevin Fenzi 0-0.7.20140326git -- Update to 20140326 snapshot -- Fix permissions on man pages. - -* Mon Mar 24 2014 Kevin Fenzi 0-0.6.20140324git -- Update to 20140324 snapshot - -* Fri Mar 07 2014 Kevin Fenzi 0-0.5.20140307git -- Update to 20140307 - -* Sat Jan 25 2014 Kevin Fenzi 0-0.4.20140125git -- Update to 20140125 snapshot - -* Sat Jan 18 2014 Kevin Fenzi 0-0.3.20140118git -- Update to 20140118 snapshot -- Fixed License tag to be correct -- Fixed changelog -- nft scripts now use full path for nft -- Fixed man page building -- Dropped unneeded rm in install -- Patched build to not be silent. - -* Tue Dec 03 2013 Kevin Fenzi 0-0.2.20131202git -- Use upstream snapshots for source. -- Use 0 for version. - -* Sat Nov 30 2013 Kevin Fenzi 0-0.1 -- initial version for Fedora review 
diff --git a/SOURCES/main.nft b/main.nft similarity index 100% rename from SOURCES/main.nft rename to main.nft diff --git a/SOURCES/nat.nft b/nat.nft similarity index 79% rename from SOURCES/nat.nft rename to nat.nft index 905179c..d8e152d 100644 --- a/SOURCES/nat.nft +++ b/nat.nft @@ -18,9 +18,10 @@ table ip nftables_svc { elements = { 192.168.122.0/24 } } - # force port randomization for non-locally originated connections using - # suspicious port values to prevent port-shadow attacks, i.e. - # accidental matching of new inbound connections vs. existing ones + # [CVE-2021-3773] force port randomization for non-locally originated + # connections using suspicious port values to prevent port-shadow + # attacks, i.e. accidental matching of new inbound connections vs. + # existing ones chain do_masquerade { meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random masquerade diff --git a/SOURCES/nft-test.stderr.expect b/nft-test.stderr.expect similarity index 89% rename from SOURCES/nft-test.stderr.expect rename to nft-test.stderr.expect index d9edac9..a90ee54 100644 --- a/SOURCES/nft-test.stderr.expect +++ b/nft-test.stderr.expect 
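Review bot: The rewritten comment now names CVE-2021-3773, but it still leaves the rule's three selectors unexplained, so a reader cannot tell why `meta iif > 0`, `th sport < 16384` and `th dport >= 32768` were chosen or adjust them safely for their own network. I would extend the comment with something like `# meta iif > 0 presumably restricts this to forwarded traffic (locally generated packets carry no input interface); the sport/dport thresholds are heuristics for "low source port towards an ephemeral destination port", not an authoritative list - tune them if your clients use other ranges`. It is also worth spelling out that only connections matching that line get `masquerade random`; everything else falls through to the plain `masquerade` on the following line, which is what the chain reads as but is easy to miss next to a CVE tag. This is a shipped sample config, so the change is documentation only.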
@@ -181,23 +181,23 @@ any/meta.t: ERROR: line 199: add rule netdev test-netdev egress meta iif . meta any/meta.t: ERROR: line 200: add rule netdev test-netdev egress meta iif . meta oif vmap { "lo" . "lo" : drop }: This rule should not have failed. any/meta.t: ERROR: line 202: add rule netdev test-netdev egress meta random eq 1: This rule should not have failed. any/meta.t: ERROR: line 203: add rule netdev test-netdev egress meta random gt 1000000: This rule should not have failed. -any/meta.t: ERROR: line 205: add rule ip test-ip4 input meta time "1970-05-23 21:07:14" drop: This rule should not have failed. -any/meta.t: ERROR: line 206: add rule ip test-ip4 input meta time 12341234 drop: This rule should not have failed. -any/meta.t: ERROR: line 207: add rule ip test-ip4 input meta time "2019-06-21 17:00:00" drop: This rule should not have failed. -any/meta.t: ERROR: line 208: add rule ip test-ip4 input meta time "2019-07-01 00:00:00" drop: This rule should not have failed. -any/meta.t: ERROR: line 209: add rule ip test-ip4 input meta time "2019-07-01 00:01:00" drop: This rule should not have failed. -any/meta.t: ERROR: line 210: add rule ip test-ip4 input meta time "2019-07-01 00:00:01" drop: This rule should not have failed. -any/meta.t: ERROR: line 211: add rule ip test-ip4 input meta time < "2022-07-01 11:00:00" accept: This rule should not have failed. -any/meta.t: ERROR: line 212: add rule ip test-ip4 input meta time > "2022-07-01 11:00:00" accept: This rule should not have failed. -any/meta.t: ERROR: line 213: add rule ip test-ip4 input meta day "Saturday" drop: This rule should not have failed. -any/meta.t: ERROR: line 214: add rule ip test-ip4 input meta day 6 drop: This rule should not have failed. -any/meta.t: ERROR: line 216: add rule ip test-ip4 input meta hour "17:00" drop: This rule should not have failed. -any/meta.t: ERROR: line 217: add rule ip test-ip4 input meta hour "17:00:00" drop: This rule should not have failed. 
-any/meta.t: ERROR: line 218: add rule ip test-ip4 input meta hour "17:00:01" drop: This rule should not have failed. -any/meta.t: ERROR: line 219: add rule ip test-ip4 input meta hour "00:00" drop: This rule should not have failed. -any/meta.t: ERROR: line 220: add rule ip test-ip4 input meta hour "00:01" drop: This rule should not have failed. -any/meta.t: ERROR: line 221: add rule ip test-ip4 input time < "2022-07-01 11:00:00" accept: This rule should not have failed. -any/meta.t: ERROR: line 222: add rule ip test-ip4 input time > "2022-07-01 11:00:00" accept: This rule should not have failed. +any/meta.t: ERROR: line 205: add rule netdev test-netdev egress meta time "1970-05-23 21:07:14" drop: This rule should not have failed. +any/meta.t: ERROR: line 206: add rule netdev test-netdev egress meta time 12341234 drop: This rule should not have failed. +any/meta.t: ERROR: line 207: add rule netdev test-netdev egress meta time "2019-06-21 17:00:00" drop: This rule should not have failed. +any/meta.t: ERROR: line 208: add rule netdev test-netdev egress meta time "2019-07-01 00:00:00" drop: This rule should not have failed. +any/meta.t: ERROR: line 209: add rule netdev test-netdev egress meta time "2019-07-01 00:01:00" drop: This rule should not have failed. +any/meta.t: ERROR: line 210: add rule netdev test-netdev egress meta time "2019-07-01 00:00:01" drop: This rule should not have failed. +any/meta.t: ERROR: line 211: add rule netdev test-netdev egress meta time < "2022-07-01 11:00:00" accept: This rule should not have failed. +any/meta.t: ERROR: line 212: add rule netdev test-netdev egress meta time > "2022-07-01 11:00:00" accept: This rule should not have failed. +any/meta.t: ERROR: line 213: add rule netdev test-netdev egress meta day "Saturday" drop: This rule should not have failed. +any/meta.t: ERROR: line 214: add rule netdev test-netdev egress meta day 6 drop: This rule should not have failed. 
+any/meta.t: ERROR: line 216: add rule netdev test-netdev egress meta hour "17:00" drop: This rule should not have failed. +any/meta.t: ERROR: line 217: add rule netdev test-netdev egress meta hour "17:00:00" drop: This rule should not have failed. +any/meta.t: ERROR: line 218: add rule netdev test-netdev egress meta hour "17:00:01" drop: This rule should not have failed. +any/meta.t: ERROR: line 219: add rule netdev test-netdev egress meta hour "00:00" drop: This rule should not have failed. +any/meta.t: ERROR: line 220: add rule netdev test-netdev egress meta hour "00:01" drop: This rule should not have failed. +any/meta.t: ERROR: line 221: add rule netdev test-netdev egress time < "2022-07-01 11:00:00" accept: This rule should not have failed. +any/meta.t: ERROR: line 222: add rule netdev test-netdev egress time > "2022-07-01 11:00:00" accept: This rule should not have failed. any/meta.t: ERROR: line 226: The chain egress does not exist in netdev test-netdev. I cannot delete it. any/limit.t: ERROR: line 3: I cannot create the chain 'egress' any/limit.t: ERROR: line 12: add rule netdev test-netdev egress limit rate 400/minute: This rule should not have failed. 
@@ -236,8 +236,6 @@ any/limit.t: ERROR: line 53: add rule netdev test-netdev egress limit rate over any/limit.t: ERROR: line 54: add rule netdev test-netdev egress limit rate over 1025 mbytes/second burst 1025 kbytes: This rule should not have failed. any/limit.t: ERROR: line 55: add rule netdev test-netdev egress limit rate over 1025000 mbytes/second burst 1023 mbytes: This rule should not have failed. any/limit.t: ERROR: line 55: The chain egress does not exist in netdev test-netdev. I cannot delete it. -any/ct.t: ERROR: line 62: add rule ip test-ip4 output ct mark set (meta mark | 0x10) << 8: This rule should not have failed. -any/ct.t: ERROR: line 133: add rule ip test-ip4 output ct id 12345: This rule should not have failed. arp/arp.t: ERROR: line 4: I cannot create the chain 'egress' arp/arp.t: ERROR: line 9: add rule netdev test-netdev egress arp htype 1: This rule should not have failed. arp/arp.t: ERROR: line 10: add rule netdev test-netdev egress arp htype != 1: This rule should not have failed. 
@@ -313,8 +311,6 @@ bridge/vlan.t: ERROR: line 51: add rule netdev test-netdev egress ether saddr 00 bridge/vlan.t: ERROR: line 52: add rule netdev test-netdev egress vlan id 2 ether saddr 0:1:2:3:4:6: This rule should not have failed. bridge/vlan.t: ERROR: line 54: add rule netdev test-netdev egress ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }: This rule should not have failed. bridge/vlan.t: ERROR: line 54: The chain egress does not exist in netdev test-netdev. I cannot delete it. -bridge/meta.t: ERROR: line 7: add rule bridge test-bridge input meta ibrvproto vlan: This rule should not have failed. -bridge/meta.t: ERROR: line 8: add rule bridge test-bridge input meta ibrpvid 100: This rule should not have failed. inet/dccp.t: ERROR: line 3: I cannot create the chain 'egress' inet/dccp.t: ERROR: line 10: add rule netdev test-netdev egress dccp sport 21-35: This rule should not have failed. inet/dccp.t: ERROR: line 11: add rule netdev test-netdev egress dccp sport != 21-35: This rule should not have failed. 
@@ -332,12 +328,6 @@ inet/map.t: ERROR: line 3: I cannot create the chain 'egress' inet/map.t: ERROR: line 9: add rule netdev test-netdev egress mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}: This rule should not have failed. inet/map.t: ERROR: line 10: add rule netdev test-netdev egress mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}: This rule should not have failed. inet/map.t: ERROR: line 10: The chain egress does not exist in netdev test-netdev. I cannot delete it. -inet/synproxy.t: ERROR: line 7: add rule ip synproxyip synproxychain synproxy: This rule should not have failed. -inet/synproxy.t: ERROR: line 8: add rule ip synproxyip synproxychain synproxy mss 1460 wscale 7: This rule should not have failed. -inet/synproxy.t: ERROR: line 9: add rule ip synproxyip synproxychain synproxy mss 1460 wscale 5 timestamp sack-perm: This rule should not have failed. -inet/synproxy.t: ERROR: line 10: add rule ip synproxyip synproxychain synproxy timestamp sack-perm: This rule should not have failed. -inet/synproxy.t: ERROR: line 11: add rule ip synproxyip synproxychain synproxy timestamp: This rule should not have failed. -inet/synproxy.t: ERROR: line 12: add rule ip synproxyip synproxychain synproxy sack-perm: This rule should not have failed. inet/sets.t: ERROR: line 3: I cannot create the chain 'egress' inet/sets.t: ERROR: line 15: add rule netdev test-netdev egress ip saddr @set1 drop: This rule should not have failed. inet/sets.t: ERROR: line 18: add rule netdev test-netdev egress ip6 daddr != @set2 accept: This rule should not have failed. 
@@ -419,14 +409,6 @@ inet/udplite.t: ERROR: line 36: add rule netdev test-netdev egress udplite check inet/udplite.t: ERROR: line 37: add rule netdev test-netdev egress udplite checksum { 33, 55, 67, 88}: This rule should not have failed. inet/udplite.t: ERROR: line 38: add rule netdev test-netdev egress udplite checksum != { 33, 55, 67, 88}: This rule should not have failed. inet/udplite.t: ERROR: line 38: The chain egress does not exist in netdev test-netdev. I cannot delete it. -inet/osf.t: ERROR: line 7: add rule ip osfip osfchain osf name "Linux": This rule should not have failed. -inet/osf.t: ERROR: line 8: add rule ip osfip osfchain osf ttl loose name "Linux": This rule should not have failed. -inet/osf.t: ERROR: line 9: add rule ip osfip osfchain osf ttl skip name "Linux": This rule should not have failed. -inet/osf.t: ERROR: line 10: add rule ip osfip osfchain osf ttl skip version "Linux:3.0": This rule should not have failed. -inet/osf.t: ERROR: line 15: add rule ip osfip osfchain osf name { "Windows", "MacOs" }: This rule should not have failed. -inet/osf.t: ERROR: line 16: add rule ip osfip osfchain osf version { "Windows:XP", "MacOs:Sierra" }: This rule should not have failed. -inet/osf.t: ERROR: line 17: add rule ip osfip osfchain ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }: This rule should not have failed. -inet/osf.t: ERROR: line 18: add rule ip osfip osfchain ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 }: This rule should not have failed. inet/tcp.t: ERROR: line 3: I cannot create the chain 'egress' inet/tcp.t: ERROR: line 12: add rule netdev test-netdev egress tcp dport 22: This rule should not have failed. inet/tcp.t: ERROR: line 13: add rule netdev test-netdev egress tcp dport != 233: This rule should not have failed. 
@@ -516,7 +498,6 @@ inet/ip_tcp.t: ERROR: line 16: add rule netdev test-netdev egress ip protocol tc inet/ip_tcp.t: ERROR: line 19: add rule netdev test-netdev egress ip protocol tcp counter tcp dport 22: This rule should not have failed. inet/ip_tcp.t: ERROR: line 21: add rule netdev test-netdev egress ether type ip tcp dport 22: This rule should not have failed. inet/ip_tcp.t: ERROR: line 21: The chain egress does not exist in netdev test-netdev. I cannot delete it. -inet/meta.t: ERROR: line 23: add rule inet test-inet input meta mark set ct mark >> 8: This rule should not have failed. inet/ah.t: ERROR: line 3: I cannot create the chain 'egress' inet/ah.t: ERROR: line 22: add rule netdev test-netdev egress ah hdrlength 11-23: This rule should not have failed. inet/ah.t: ERROR: line 23: add rule netdev test-netdev egress ah hdrlength != 11-23: This rule should not have failed. 
@@ -620,19 +601,6 @@ inet/sctp.t: ERROR: line 71: add rule netdev test-netdev egress sctp chunk ascon inet/sctp.t: ERROR: line 72: add rule netdev test-netdev egress sctp chunk forward-tsn new-cum-tsn 31337: This rule should not have failed. inet/sctp.t: ERROR: line 73: add rule netdev test-netdev egress sctp chunk asconf seqno 12345: This rule should not have failed. inet/sctp.t: ERROR: line 73: The chain egress does not exist in netdev test-netdev. I cannot delete it. -inet/socket.t: ERROR: line 11: add rule ip sockip4 sockchain socket mark 0x00000005: This rule should not have failed. -inet/socket.t: ERROR: line 13: add rule ip sockip4 sockchain socket wildcard 0: This rule should not have failed. -inet/socket.t: ERROR: line 14: add rule ip sockip4 sockchain socket wildcard 1: This rule should not have failed. -ip/objects.t: ERROR: line 37: add ct timeout ip test-ip4 cttime1 { protocol tcp; policy = { established:122 } ;}: I cannot add the ct timeout cttime1 -ip/objects.t: ERROR: line 39: add ct timeout ip test-ip4 cttime3 { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;}: I cannot add the ct timeout cttime3 -ip/objects.t: ERROR: line 40: add ct timeout ip test-ip4 cttime4 { protocol udp; policy = { replied:14, unreplied:19 } ;}: I cannot add the ct timeout cttime4 -ip/objects.t: ERROR: line 43: add rule ip test-ip4 output ct timeout set "cttime1": This rule should not have failed. -ip/objects.t: ERROR: line 46: add ct expectation ip test-ip4 ctexpect1 { protocol tcp; dport 1234; timeout 2m; size 12; }: I cannot add the ct expectation ctexpect1 -ip/objects.t: ERROR: line 50: add ct expectation ip test-ip4 ctexpect5 { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; }: I cannot add the ct expectation ctexpect5 -ip/objects.t: ERROR: line 52: add rule ip test-ip4 output ct expectation set "ctexpect1": This rule should not have failed. 
-ip/objects.t: ERROR: line 55: add synproxy ip test-ip4 synproxy1 mss 1460 wscale 7: I cannot add the synproxy synproxy1 -ip/objects.t: ERROR: line 56: add synproxy ip test-ip4 synproxy2 mss 1460 wscale 7 timestamp sack-perm: I cannot add the synproxy synproxy2 -ip/objects.t: ERROR: line 58: add rule ip test-ip4 output synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"}: This rule should not have failed. ip/sets.t: ERROR: line 3: I cannot create the chain 'egress' ip/sets.t: ERROR: line 32: add rule netdev test-netdev egress ip saddr @set1 drop: This rule should not have failed. ip/sets.t: ERROR: line 33: add rule netdev test-netdev egress ip saddr != @set1 drop: This rule should not have failed. 
@@ -642,10 +610,9 @@ ip/sets.t: ERROR: line 52: add rule netdev test-netdev egress ip saddr . ip dadd ip/sets.t: ERROR: line 53: add rule netdev test-netdev egress add @set5 { ip saddr . ip daddr }: This rule should not have failed. ip/sets.t: ERROR: line 56: add rule netdev test-netdev egress ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }: This rule should not have failed. ip/sets.t: ERROR: line 57: add rule netdev test-netdev egress ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }: This rule should not have failed. -ip/sets.t: ERROR: line 60: add element ip test-ip4 set6 { 192.168.3.5, * }: This rule should not have failed. ip/sets.t: ERROR: line 61: add rule netdev test-netdev egress ip saddr @set6 drop: This rule should not have failed. -ip/sets.t: ERROR: line 63: add rule ip test-ip4 input ip saddr vmap { 1.1.1.1 : drop, * : accept }: This rule should not have failed. -ip/sets.t: ERROR: line 64: add rule ip test-ip4 input meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }: This rule should not have failed. +ip/sets.t: ERROR: line 63: add rule netdev test-netdev egress ip saddr vmap { 1.1.1.1 : drop, * : accept }: This rule should not have failed. +ip/sets.t: ERROR: line 64: add rule netdev test-netdev egress meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }: This rule should not have failed. ip/sets.t: ERROR: line 65: The chain egress does not exist in netdev test-netdev. I cannot delete it. ip/ip.t: ERROR: line 3: I cannot create the chain 'egress' ip/ip.t: ERROR: line 28: add rule netdev test-netdev egress ip dscp cs1: This rule should not have failed. 
@@ -729,15 +696,12 @@ ip/ip.t: ERROR: line 126: add rule netdev test-netdev egress iif "lo" ip dscp se ip/ip.t: ERROR: line 128: add rule netdev test-netdev egress ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }: This rule should not have failed. ip/ip.t: ERROR: line 129: add rule netdev test-netdev egress ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }: This rule should not have failed. ip/ip.t: ERROR: line 129: The chain egress does not exist in netdev test-netdev. I cannot delete it. -ip/snat.t: ERROR: line 17: add rule ip test-ip4 postrouting snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }: This rule should not have failed. -ip/meta.t: ERROR: line 16: add rule ip test-ip4 input meta sdif "lo" accept: This rule should not have failed. -ip/meta.t: ERROR: line 17: add rule ip test-ip4 input meta sdifname != "vrf1" accept: This rule should not have failed. ip6/sets.t: ERROR: line 3: I cannot create the chain 'egress' ip6/sets.t: ERROR: line 25: add rule netdev test-netdev egress ip6 saddr @set2 drop: This rule should not have failed. ip6/sets.t: ERROR: line 26: add rule netdev test-netdev egress ip6 saddr != @set2 drop: This rule should not have failed. ip6/sets.t: ERROR: line 42: add rule netdev test-netdev egress ip6 saddr . ip6 daddr @set5 drop: This rule should not have failed. ip6/sets.t: ERROR: line 43: add rule netdev test-netdev egress add @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed. -ip6/sets.t: ERROR: line 44: add rule ip6 test-ip6 input delete @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed. +ip6/sets.t: ERROR: line 44: add rule netdev test-netdev egress delete @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed. ip6/sets.t: ERROR: line 44: The chain egress does not exist in netdev test-netdev. I cannot delete it. 
ip6/frag.t: ERROR: line 3: I cannot create the chain 'egress' ip6/frag.t: ERROR: line 9: add rule netdev test-netdev egress frag nexthdr tcp: This rule should not have failed. @@ -769,8 +733,6 @@ ip6/frag.t: ERROR: line 38: add rule netdev test-netdev egress frag id != 33-45: ip6/frag.t: ERROR: line 39: add rule netdev test-netdev egress frag id { 33, 55, 67, 88}: This rule should not have failed. ip6/frag.t: ERROR: line 40: add rule netdev test-netdev egress frag id != { 33, 55, 67, 88}: This rule should not have failed. ip6/frag.t: ERROR: line 40: The chain egress does not exist in netdev test-netdev. I cannot delete it. -ip6/meta.t: ERROR: line 15: add rule ip6 test-ip6 input meta sdif "lo" accept: This rule should not have failed. -ip6/meta.t: ERROR: line 16: add rule ip6 test-ip6 input meta sdifname != "vrf1" accept: This rule should not have failed. ip6/vmap.t: ERROR: line 3: I cannot create the chain 'egress' ip6/vmap.t: ERROR: line 9: add rule netdev test-netdev egress ip6 saddr vmap { abcd::3 : accept }: This rule should not have failed. ip6/vmap.t: ERROR: line 14: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed. 
@@ -820,31 +782,6 @@ netdev/fwd.t: ERROR: line 6: add rule netdev test-netdev egress fwd to "lo": Thi netdev/fwd.t: ERROR: line 7: add rule netdev test-netdev egress fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}: This rule should not have failed. netdev/fwd.t: ERROR: line 9: add rule netdev test-netdev egress fwd ip to 192.168.2.200 device "lo": This rule should not have failed. netdev/fwd.t: ERROR: line 9: The chain egress does not exist in netdev test-netdev. I cannot delete it. -netdev/reject.t: ERROR: line 5: add rule netdev test-netdev ingress reject with icmp host-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 6: add rule netdev test-netdev ingress reject with icmp net-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 7: add rule netdev test-netdev ingress reject with icmp prot-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 8: add rule netdev test-netdev ingress reject with icmp port-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 9: add rule netdev test-netdev ingress reject with icmp net-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 10: add rule netdev test-netdev ingress reject with icmp host-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 11: add rule netdev test-netdev ingress reject with icmp admin-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 13: add rule netdev test-netdev ingress reject with icmpv6 no-route: This rule should not have failed. -netdev/reject.t: ERROR: line 14: add rule netdev test-netdev ingress reject with icmpv6 admin-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 15: add rule netdev test-netdev ingress reject with icmpv6 addr-unreachable: This rule should not have failed. 
-netdev/reject.t: ERROR: line 16: add rule netdev test-netdev ingress reject with icmpv6 port-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 17: add rule netdev test-netdev ingress reject with icmpv6 policy-fail: This rule should not have failed. -netdev/reject.t: ERROR: line 18: add rule netdev test-netdev ingress reject with icmpv6 reject-route: This rule should not have failed. -netdev/reject.t: ERROR: line 20: add rule netdev test-netdev ingress mark 12345 reject with tcp reset: This rule should not have failed. -netdev/reject.t: ERROR: line 22: add rule netdev test-netdev ingress reject: This rule should not have failed. -netdev/reject.t: ERROR: line 23: add rule netdev test-netdev ingress meta protocol ip reject: This rule should not have failed. -netdev/reject.t: ERROR: line 24: add rule netdev test-netdev ingress meta protocol ip6 reject: This rule should not have failed. -netdev/reject.t: ERROR: line 26: add rule netdev test-netdev ingress reject with icmpx host-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 27: add rule netdev test-netdev ingress reject with icmpx no-route: This rule should not have failed. -netdev/reject.t: ERROR: line 28: add rule netdev test-netdev ingress reject with icmpx admin-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 29: add rule netdev test-netdev ingress reject with icmpx port-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 31: add rule netdev test-netdev ingress meta protocol ip reject with icmp host-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 32: add rule netdev test-netdev ingress meta protocol ip6 reject with icmpv6 no-route: This rule should not have failed. -netdev/reject.t: ERROR: line 39: add rule netdev test-netdev ingress meta protocol ip reject with icmpx admin-prohibited: This rule should not have failed. 
-netdev/reject.t: ERROR: line 40: add rule netdev test-netdev ingress meta protocol ip6 reject with icmpx admin-prohibited: This rule should not have failed. netdev/dup.t: ERROR: line 2: I cannot create the chain 'egress' netdev/dup.t: ERROR: line 6: add rule netdev test-netdev egress dup to "lo": This rule should not have failed. netdev/dup.t: ERROR: line 7: add rule netdev test-netdev egress dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}: This rule should not have failed. diff --git a/SOURCES/nftables.conf b/nftables.conf similarity index 100% rename from SOURCES/nftables.conf rename to nftables.conf diff --git a/SOURCES/nftables.service b/nftables.service similarity index 100% rename from SOURCES/nftables.service rename to nftables.service diff --git a/nftables.spec b/nftables.spec new file mode 100644 index 0000000..31f6f98 --- /dev/null +++ b/nftables.spec 
@@ -0,0 +1,438 @@
+Name: nftables
+Version: 1.1.1
+Release: 4%{?dist}
+# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
+Epoch: 1
+Summary: Netfilter Tables userspace utilities
+
+License: GPL-2.0-only
+URL: https://netfilter.org/projects/nftables/
+Source0: %{url}/files/%{name}-%{version}.tar.xz
+Source1: nftables.service
+Source2: nftables.conf
+Source3: main.nft
+Source4: router.nft
+Source5: nat.nft
+Source6: nft-test.stderr.expect
+Source7: run-tests.stderr.expect
+
+Patch1: 0001-tests-shell-fix-spurious-dump-failure-in-vmap-timeou.patch
+Patch2: 0002-libnftables-json-fix-raw-payload-expression-document.patch
+Patch3: 0003-src-collapse-set-element-commands-from-parser.patch
+Patch4: 0004-mnl-rename-to-mnl_seqnum_alloc-to-mnl_seqnum_inc.patch
+Patch5: 0005-mnl-update-cmd_add_loc-to-take-struct-nlmsghdr.patch
+Patch6: 0006-rule-netlink-attribute-offset-is-uint32_t-for-struct.patch
+Patch7: 0007-src-fix-extended-netlink-error-reporting-with-large-.patch
+Patch8: 0008-tests-monitor-fix-up-test-case-breakage.patch
+Patch9: 0009-doc-extend-description-of-fib-expression.patch
+Patch10: 0010-json-collapse-set-element-commands-from-parser.patch
+Patch11: 0011-json-Support-typeof-in-set-and-map-types.patch
+Patch12: 0012-tests-py-Fix-for-storing-payload-into-missing-file.patch
+Patch13: 0013-monitor-Recognize-flowtable-add-del-events.patch
+Patch14: 0014-evaluate-allow-to-re-use-existing-metered-set.patch
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: flex
+BuildRequires: bison
+BuildRequires: pkgconfig(libmnl) >= 1.0.4
+BuildRequires: gmp-devel
+BuildRequires: pkgconfig(libnftnl) >= 1.2.8
+BuildRequires: systemd
+BuildRequires: asciidoc
+BuildRequires: pkgconfig(xtables) >= 1.6.1
+BuildRequires: jansson-devel
+BuildRequires: python3-devel
+BuildRequires: readline-devel
+
+%generate_buildrequires
+cd py/
+%pyproject_buildrequires
+
+%description
+Netfilter Tables userspace utilities.
+
+%package devel
+Summary: Development library for nftables / libnftables
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: pkgconfig
+
+%description devel
+Development tools and static libraries and header files for the libnftables library.
+
+%package -n python3-nftables
+Summary: Python module providing an interface to libnftables
+Requires: %{name} = %{epoch}:%{version}-%{release}
+%{?python_provide:%python_provide python3-nftables}
+
+%description -n python3-nftables
+The nftables python module provides an interface to libnftables via ctypes.
+
+%prep
+%autosetup -p1
+cp -a %{SOURCE6} ./tests/py/
+cp -a %{SOURCE7} ./tests/shell/
+
+%build
+autoreconf -fi
+rm -Rf autom4te*.cache config.h.in~
+%configure --disable-silent-rules --with-xtables --with-json --with-cli=readline
+%make_build
+cd py/
+%pyproject_wheel
+
+%install
+%make_install
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+# Don't ship static lib (for now at least)
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
+
+# drop vendor-provided configs, they are not really useful
+rm -f $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft
+
+chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
+
+mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
+cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
+
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
+cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
+
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
+ $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
+
+find $RPM_BUILD_ROOT/%{_sysconfdir} \
+ \( -type d -exec chmod 0700 {} \; \) , \
+ \( -type f -exec chmod 0600 {} \; \)
+
+cd py/
+%pyproject_install
+%pyproject_save_files nftables
+
+%post
+%systemd_post nftables.service
+%ldconfig_post
+
+%preun
+%systemd_preun nftables.service
+
+%postun
+%systemd_postun_with_restart nftables.service
+%ldconfig_postun
+
+%files
+%license COPYING
+%config(noreplace) %{_sysconfdir}/nftables/
+%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
+%{_sbindir}/nft
+%{_libdir}/libnftables.so.*
+%{_mandir}/man5/libnftables-json.5*
+%{_mandir}/man8/nft*
+%{_unitdir}/nftables.service
+%{_docdir}/nftables/examples/*.nft
+
+%files devel
+%{_libdir}/libnftables.so
+%{_libdir}/pkgconfig/libnftables.pc
+%{_includedir}/nftables/libnftables.h
+%{_mandir}/man3/libnftables.3*
+
+%files -n python3-nftables -f %{pyproject_files}
+
+%changelog
+* Mon Mar 03 2025 Eric Garver [1.1.1-4.el10]
+- evaluate: allow to re-use existing metered set [RHEL-75507]
+
+* Fri Nov 15 2024 Phil Sutter [1.1.1-3.el10]
+- Fix for typo in gating.yaml (Phil Sutter) [RHEL-65346]
+
+* Thu Nov 14 2024 Phil Sutter [1.1.1-2.el10]
+- Fix gating.yaml for internal CI (Phil Sutter) [RHEL-65346]
+
+* Thu Nov 07 2024 Phil Sutter [1.1.1-1.el10]
+- monitor: Recognize flowtable add/del events (Phil Sutter) [RHEL-65346]
+- tests: py: Fix for storing payload into missing file (Phil Sutter) [RHEL-65346]
+- json: Support typeof in set and map types (Phil Sutter) [RHEL-65346]
+- json: collapse set element commands from parser (Phil Sutter) [RHEL-65346]
+- doc: extend description of fib expression (Phil Sutter) [RHEL-65346]
+- tests: monitor: fix up test case breakage (Phil Sutter) [RHEL-65346]
+- src: fix extended netlink error reporting with large set elements (Phil Sutter) [RHEL-65346]
+- rule: netlink attribute offset is uint32_t for struct nlerr_loc (Phil Sutter) [RHEL-65346]
+- mnl: update cmd_add_loc() to take struct nlmsghdr (Phil Sutter) [RHEL-65346]
+- mnl: rename to mnl_seqnum_alloc() to mnl_seqnum_inc() (Phil Sutter) [RHEL-65346]
+- src: collapse set element commands from parser (Phil Sutter) [RHEL-65346]
+- libnftables-json: fix raw payload expression documentation (Phil Sutter) [RHEL-65346]
+- tests: shell: fix spurious dump failure in vmap timeout test (Phil Sutter) [RHEL-65346]
+- Rebase onto version 1.1.1 (Phil Sutter) [RHEL-65346]
+
+* Tue Oct 29 2024 Troy Dawson - 1:1.0.9-5.1
+- Bump release for October 2024 mass rebuild:
+ Resolves: RHEL-64018
+
+* Wed Jul 03 2024 Phil Sutter [1.0.9-5.el10]
+- Sync with RHEL9 package (Phil Sutter)
+
+* Mon Jun 24 2024 Troy Dawson - 1:1.0.9-4
+- Bump release for June 2024 mass rebuild
+
+* Thu Jan 25 2024 Fedora Release Engineering - 1:1.0.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering - 1:1.0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Oct 19 2023 Phil Sutter - 1:1.0.9-1
+- Fix devel sub-package description
+- Utilize pyproject-rpm-macros for the python sub-package
+- new version 1.0.9
+
+* Fri Aug 11 2023 Phil Sutter - 1:1.0.7-4
+- Convert license to SPDX format
+
+* Thu Jul 20 2023 Fedora Release Engineering - 1:1.0.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 15 2023 Python Maint - 1:1.0.7-2
+- Rebuilt for Python 3.12
+
+* Sat Apr 01 2023 Kevin Fenzi - 1.0.7-1
+- Update to 1.0.7. Fixes rhbz#2155658
+- Build the package with setuptools instead of distutils. Fixes: rhbz#2154872
+
+* Thu Jan 19 2023 Fedora Release Engineering - 1:1.0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Aug 10 2022 Phil Sutter - 1:1.0.5-1
+- New version 1.0.5
+
+* Fri Jul 22 2022 Fedora Release Engineering - 1:1.0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jun 13 2022 Python Maint - 1:1.0.4-2
+- Rebuilt for Python 3.11
+
+* Fri Jun 10 2022 Phil Sutter - 1:1.0.4-1
+- Review package dependencies
+- Update to 1.0.4. Fixes rhbz#2056594
+
+* Tue Mar 08 2022 Phil Sutter - 1:1.0.1-4
+- Prevent port-shadow attacks in sample nat config. Fixes rhbz#2061917
+
+* Thu Feb 03 2022 Phil Sutter - 1:1.0.1-3
+- Ship a more advanced default config. Fixes rhbz#1999596
+
+* Thu Jan 20 2022 Fedora Release Engineering - 1:1.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Sat Nov 27 2021 Kevin Fenzi - 1.0.1-1
+- Update to 1.1.1. Fixes rhbz#2024594
+
+* Fri Aug 27 2021 Kevin Fenzi - 1.0.0-1
+- Update to 1.1.0. Fixes rhbz#1995737
+
+* Thu Jul 22 2021 Fedora Release Engineering - 1:0.9.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 04 2021 Python Maint - 1:0.9.9-2
+- Rebuilt for Python 3.10
+
+* Wed Jun 02 2021 Phil Sutter - 1:0.9.9-1
+- Update to 0.9.9. Fixes rhbz#1964718
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1:0.9.8-3
+- Rebuilt for updated systemd-rpm-macros
+ See https://pagure.io/fesco/issue/2583.
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1:0.9.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Jan 16 2021 Kevin Fenzi - 0.9.8-1
+- Update to 0.9.8. Fixes rhbz#1916940
+
+* Sat Oct 31 2020 Kevin Fenzi - 0.9.7-1
+- Update to 0.9.7. Fixes bug #1891769
+
+* Thu Oct 29 2020 Stephen Gallagher - 1:0.9.6-2
+- Drop upstreamed patch
+
+* Sat Sep 05 2020 Neal Gompa - 1:0.9.6-1
+- Update to 0.9.6 (RH#1846663)
+
+* Tue Jul 28 2020 Fedora Release Engineering - 1:0.9.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard - 1:0.9.3-5
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Tue May 26 2020 Miro Hrončok - 1:0.9.3-4
+- Rebuilt for Python 3.9
+
+* Fri May 15 2020 Richard Shaw - 1:0.9.3-3
+- Add patch for json performance with ipsets, fixes RHBZ#1834853.
+
+* Wed Jan 29 2020 Fedora Release Engineering - 1:0.9.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Dec 04 2019 Phil Sutter - 1:0.9.3-1
+- Update to 0.9.3. Fixes bug #1778959
+
+* Tue Oct 01 2019 Phil Sutter - 1:0.9.2-3
+- Drop unneeded docbook2X build dependency
+- Add python3-nftables sub-package
+
+* Fri Aug 23 2019 Kevin Fenzi - 0.9.2-2
+- Move libnftables section 3 man page to devel package.
+
+* Fri Aug 23 2019 Kevin Fenzi - 0.9.2-1
+- Update to 0.9.2. Fixes bug #1743223
+
+* Thu Jul 25 2019 Fedora Release Engineering - 1:0.9.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Jun 28 2019 Kevin Fenzi - 0.9.1-2
+- Add some filters to nftables.conf
+
+* Tue Jun 25 2019 Kevin Fenzi - 0.9.1-1
+- Update to 0.9.1. Fixes bug #1723515
+
+* Mon Jun 17 2019 Kevin Fenzi - 0.9.0-7
+- Rebuild for new libnftnl.
+
+* Sat Mar 16 2019 Kevin Fenzi - 1:0.9.0-6
+- Fix permissions. Bug #1685242
+
+* Sun Feb 17 2019 Igor Gnatenko - 1:0.9.0-5
+- Rebuild for readline 8.0
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1:0.9.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sun Nov 04 2018 Kevin Fenzi - 0.9.0-3
+- Fix config file to have correct include names. Fixes bug #1642103
+
+* Fri Jul 13 2018 Fedora Release Engineering - 1:0.9.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Sat Jun 09 2018 Kevin Fenzi - 0.9.0-1
+- Update to 0.9.0. Fixes bug #1589404
+
+* Fri May 11 2018 Kevin Fenzi - 0.8.5-1
+- Update to 0.8.5. Fixes bug #1576802
+
+* Sun May 06 2018 Kevin Fenzi - 0.8.4-2
+- Fix devel package to require the Epoch too.
+- Fix libraries split
+
+* Fri May 04 2018 Kevin Fenzi - 0.8.4-1
+- Update to 0.8.4. Fixes bug #1574096
+
+* Sat Mar 03 2018 Kevin Fenzi - 0.8.3-1
+- Update to 0.8.3. Fixes bug #1551207
+
+* Thu Feb 08 2018 Fedora Release Engineering - 1:0.8.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Feb 05 2018 Kevin Fenzi - 0.8.2-1
+- Update to 0.8.2. Fixes bug #1541582
+
+* Tue Jan 16 2018 Kevin Fenzi - 0.8.1-1
+- Update to 0.8.1. Fixes bug #1534982
+
+* Sun Oct 22 2017 Kevin Fenzi - 0.8-1
+- Update to 0.8.
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1:0.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1:0.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1:0.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 12 2017 Igor Gnatenko - 1:0.7-2
+- Rebuild for readline 7.x
+
+* Thu Dec 22 2016 Kevin Fenzi - 0.7-1
+- Update to 0.7
+
+* Fri Jul 15 2016 Kevin Fenzi - 0.6-2
+- Rebuild for new glibc symbols
+
+* Thu Jun 02 2016 Kevin Fenzi - 0.6-1
+- Update to 0.6.
+
+* Sun Apr 10 2016 Kevin Fenzi - 0.5-4
+- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936
+
+* Fri Mar 25 2016 Kevin Fenzi - 0.5-3
+- Add systemd unit file. Fixes bug #1313936
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1:0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Sep 17 2015 Kevin Fenzi 0.5-1
+- Update to 0.5
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1:0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jan 10 2015 Kevin Fenzi 0.4-2
+- Add patch to fix nft -f dep gen.
+
+* Fri Dec 26 2014 Kevin Fenzi 0.4-1
+- Update to 0.4
+- Add Epoch to fix versioning.
+
+* Wed Sep 03 2014 Kevin Fenzi 0.100-4.20140903git
+- Update to 20140903 snapshot
+
+* Sun Aug 17 2014 Fedora Release Engineering - 0.100-4.20140704git
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 04 2014 Kevin Fenzi 0.100-3.20140704git
+- Update to new snapshot
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.100-2.20140426git
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Apr 26 2014 Kevin Fenzi 0.100-1.20140426git
+- Update t0 20140426
+
+* Sun Mar 30 2014 Kevin Fenzi 0.100-1.20140330git
+- Update to 20140330 snapshot
+- Sync versions to be post 0.100 release.
+
+* Wed Mar 26 2014 Kevin Fenzi 0-0.7.20140326git
+- Update to 20140326 snapshot
+- Fix permissions on man pages.
+
+* Mon Mar 24 2014 Kevin Fenzi 0-0.6.20140324git
+- Update to 20140324 snapshot
+
+* Fri Mar 07 2014 Kevin Fenzi 0-0.5.20140307git
+- Update to 20140307
+
+* Sat Jan 25 2014 Kevin Fenzi 0-0.4.20140125git
+- Update to 20140125 snapshot
+
+* Sat Jan 18 2014 Kevin Fenzi 0-0.3.20140118git
+- Update to 20140118 snapshot
+- Fixed License tag to be correct
+- Fixed changelog
+- nft scripts now use full path for nft
+- Fixed man page building
+- Dropped unneeded rm in install
+- Patched build to not be silent.
+
+* Tue Dec 03 2013 Kevin Fenzi 0-0.2.20131202git
+- Use upstream snapshots for source.
+- Use 0 for version.
+
+* Sat Nov 30 2013 Kevin Fenzi 0-0.1
+- initial version for Fedora review
diff --git a/SOURCES/router.nft b/router.nft
similarity index 100%
rename from SOURCES/router.nft
rename to router.nft
diff --git a/run-tests.stderr.expect b/run-tests.stderr.expect
new file mode 100644
index 0000000..2364359
--- /dev/null
+++ b/run-tests.stderr.expect
@@ -0,0 +1,6 @@
+W: [FAILED] ././tests/shell/testcases/cache/0010_implicit_chain_0
+W: [FAILED] ././tests/shell/testcases/chains/0021prio_0
+W: [FAILED] ././tests/shell/testcases/chains/0041chain_binding_0
+W: [FAILED] ././tests/shell/testcases/maps/typeof_integer_0
+W: [FAILED] ././tests/shell/testcases/maps/typeof_raw_0
+W: [FAILED] ././tests/shell/testcases/sets/typeof_raw_0
diff --git a/sources b/sources
new file mode 100644
index 0000000..1a90c60
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (nftables-1.1.1.tar.xz) = 676413d4adadffb15d52c1f8f6432636cab83a7bcda1a18d9f0e6b58819a2c027a49922588c02bd9ad386de930eaa697bfe74c0938b595bf1ee485bfa7cf2e50
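Review bot: The permission pass in %install, `find $RPM_BUILD_ROOT/%{_sysconfdir} \( -type d -exec chmod 0700 {} \; \) , \( -type f -exec chmod 0600 {} \; \)`, walks the whole buildroot /etc, so it also sets 0700 on $RPM_BUILD_ROOT/etc and on /etc/sysconfig; this is harmless only because those directories are not listed in %files, whereas `%{_sysconfdir}/nftables/` is packaged as a directory and does inherit the mode. Narrowing the walk to `find $RPM_BUILD_ROOT/%{_sysconfdir}/nftables ...` and setting the remaining file explicitly with `chmod 0600 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf` makes the intent (firewall rule sets and the nft config readable by root only) independent of what %files happens to omit. A one-line comment above the find, `# rule sets and nft config stay root-only readable`, would also spare the next maintainer from re-deriving why the modes are tighter than the rest of /etc.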