nftables-1.0.9-7.el9

* Wed Mar 18 2026 Phil Sutter <psutter@redhat.com> [1.0.9-7.el9]
- src: fix reset element support for interval set type (Phil Sutter) [RHEL-153461]
- src: netlink: fix crash when ops doesn't support udata (Phil Sutter) [RHEL-153461]
Resolves: RHEL-153461

0014-src-netlink-fix-crash-when-ops-doesn-t-support-udata.patch

@@ -0,0 +1,42 @@
+From 98fb87d77b87476d5a3847e6482c0ab24d48ca44 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 18 Mar 2026 16:27:12 +0100
+Subject: [PATCH] src: netlink: fix crash when ops doesn't support udata
+
+JIRA: https://issues.redhat.com/browse/https://redhat.atlassian.net/browse/RHEL-153461
+Upstream Status: nftables commit be737a1986bfee0ddea4bee7863dca0123a2bcbc
+
+commit be737a1986bfee0ddea4bee7863dca0123a2bcbc
+Author: Florian Westphal <fw@strlen.de>
+Date:   Thu May 8 16:29:04 2025 +0200
+
+    src: netlink: fix crash when ops doesn't support udata
+
+    Whenever a new version adds udata support to an expression, then old
+    versions of nft will crash when trying to list such a ruleset generated
+    by a more recent version of nftables.
+
+    Fix this by falling back to 'type' format.
+
+    Fixes: 6e48df5329ea ('src: add "typeof" build/parse/print support')
+    Signed-off-by: Florian Westphal <fw@strlen.de>
+    Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index 120a8ba..04bba59 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -895,7 +895,7 @@ static struct expr *set_make_key(const struct nftnl_udata *attr)
+ 
+ 	etype = nftnl_udata_get_u32(ud[NFTNL_UDATA_SET_TYPEOF_EXPR]);
+ 	ops = expr_ops_by_type_u32(etype);
+-	if (!ops)
++	if (!ops || !ops->parse_udata)
+ 		return NULL;
+ 
+ 	expr = ops->parse_udata(ud[NFTNL_UDATA_SET_TYPEOF_DATA]);

0015-src-fix-reset-element-support-for-interval-set-type.patch

@@ -0,0 +1,130 @@
+From 0a38b9fcf1841e68088f2db39e3c96b3ad3b0369 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 18 Mar 2026 22:17:46 +0100
+Subject: [PATCH] src: fix reset element support for interval set type
+
+JIRA: https://issues.redhat.com/browse/https://redhat.atlassian.net/browse/RHEL-153461
+Upstream Status: nftables commit 2b164aec4295d5f4f6d45aa098279494ab44289b
+
+commit 2b164aec4295d5f4f6d45aa098279494ab44289b
+Author: Florian Westphal <fw@strlen.de>
+Date:   Thu Mar 6 14:23:30 2025 +0100
+
+    src: fix reset element support for interval set type
+
+    Running reset command yields on an interval (rbtree) set yields:
+    nft reset element inet filter rbtreeset {1.2.3.4}
+    BUG: unhandled op 8
+
+    This is easy to fix, CMD_RESET doesn't add or remove so it should be
+    treated like CMD_GET.
+
+    Unfortunately, this still doesn't work properly:
+
+    nft get element inet filter rbset {1.2.3.4}
+    returns:
+     ... elements = { 1.2.3.4 }
+
+    but its expected that "get" and "reset" also return stateful objects
+    associated with the element.  This works for other set types, but for
+    rbtree, the list of statements gets lost during segtree processing.
+
+    After fix, get/reset returns:
+      elements = { 1.2.3.4 counter packets 10 ...
+
+    A follow up patch will add a test case.
+
+    Fixes: 83e0f4402fb7 ("Implement 'reset {set,map,element}' commands")
+    Signed-off-by: Florian Westphal <fw@strlen.de>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/evaluate.c |  1 +
+ src/segtree.c  | 36 ++++++++++++++++++++++++++++++------
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 2196e92..711990a 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1729,6 +1729,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set,
+ 				 ctx->nft->debug_mask);
+ 		break;
+ 	case CMD_GET:
++	case CMD_RESET:
+ 		break;
+ 	default:
+ 		BUG("unhandled op %d\n", ctx->cmd->op);
+diff --git a/src/segtree.c b/src/segtree.c
+index 28172b3..c4029f9 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -206,6 +206,27 @@ static struct expr *expr_to_set_elem(struct expr *e)
+ 	return __expr_to_set_elem(e, expr);
+ }
+ 
++static void set_compound_expr_add(struct expr *compound, struct expr *expr, struct expr *orig)
++{
++	struct expr *elem;
++
++	switch (expr->etype) {
++	case EXPR_SET_ELEM:
++		list_splice_init(&orig->stmt_list, &expr->stmt_list);
++		compound_expr_add(compound, expr);
++		break;
++	case EXPR_MAPPING:
++		list_splice_init(&orig->left->stmt_list, &expr->left->stmt_list);
++		compound_expr_add(compound, expr);
++		break;
++	default:
++		elem = set_elem_expr_alloc(&orig->location, expr);
++		list_splice_init(&orig->stmt_list, &elem->stmt_list);
++		compound_expr_add(compound, elem);
++		break;
++	}
++}
++
+ int get_set_decompose(struct set *cache_set, struct set *set)
+ {
+ 	struct expr *i, *next, *range;
+@@ -227,20 +248,23 @@ int get_set_decompose(struct set *cache_set, struct set *set)
+ 				errno = ENOENT;
+ 				return -1;
+ 			}
++
++			set_compound_expr_add(new_init, range, left);
++
+ 			expr_free(left);
+ 			expr_free(i);
+ 
+-			compound_expr_add(new_init, range);
+ 			left = NULL;
+ 		} else {
+ 			if (left) {
+ 				range = get_set_interval_find(cache_set,
+ 							      left, NULL);
++
+ 				if (range)
+-					compound_expr_add(new_init, range);
++					set_compound_expr_add(new_init, range, left);
+ 				else
+-					compound_expr_add(new_init,
+-							  expr_to_set_elem(left));
++					set_compound_expr_add(new_init,
++							      expr_to_set_elem(left), left);
+ 			}
+ 			left = i;
+ 		}
+@@ -248,9 +272,9 @@ int get_set_decompose(struct set *cache_set, struct set *set)
+ 	if (left) {
+ 		range = get_set_interval_find(cache_set, left, NULL);
+ 		if (range)
+-			compound_expr_add(new_init, range);
++			set_compound_expr_add(new_init, range, left);
+ 		else
+-			compound_expr_add(new_init, expr_to_set_elem(left));
++			set_compound_expr_add(new_init, expr_to_set_elem(left), left);
+ 	}
+ 
+ 	expr_free(set->init);

nftables.spec

@@ -1,5 +1,5 @@
 %define nft_rpmversion 1.0.9
-%define nft_specrelease 6
+%define nft_specrelease 7
 
 Name:           nftables
 Version:        %{nft_rpmversion}
@@ -32,6 +32,8 @@ Patch10:            0010-tests-py-missing-json-output-in-never-merge-across-n.pa
 Patch11:            0011-Revert-doc-part-of-src-add-tcp-option-reset-support.patch
 Patch12:            0012-Revert-doc-part-of-meta-introduce-meta-broute-suppor.patch
 Patch13:            0013-Revert-doc-part-of-exthdr-add-boolean-DCCP-option-ma.patch
+Patch14:            0014-src-netlink-fix-crash-when-ops-doesn-t-support-udata.patch
+Patch15:            0015-src-fix-reset-element-support-for-interval-set-type.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -144,6 +146,10 @@ cd py/
 %files -n python3-nftables -f %{pyproject_files}
 
 %changelog
+* Wed Mar 18 2026 Phil Sutter <psutter@redhat.com> [1.0.9-7.el9]
+- src: fix reset element support for interval set type (Phil Sutter) [RHEL-153461]
+- src: netlink: fix crash when ops doesn't support udata (Phil Sutter) [RHEL-153461]
+
 * Wed Nov 26 2025 Phil Sutter <psutter@redhat.com> [1.0.9-6.el9]
 - Revert doc/ part of "exthdr: add boolean DCCP option matching" (Phil Sutter) [RHEL-126817]
 - Revert doc/ part of "meta: introduce meta broute support" (Phil Sutter) [RHEL-126817]