diff --git a/.gitignore b/.gitignore
index c9b6c1e..91dae14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nftables-1.0.4.tar.bz2
+nftables-1.0.9.tar.xz
diff --git a/.nftables.metadata b/.nftables.metadata
deleted file mode 100644
index b9af18b..0000000
--- a/.nftables.metadata
+++ /dev/null
@@ -1 +0,0 @@
-e2e8b324cece1409a311284ff4fe26c3a5554809 SOURCES/nftables-1.0.4.tar.bz2
diff --git a/SOURCES/0001-tests-shell-runtime-set-element-automerge.patch b/SOURCES/0001-tests-shell-runtime-set-element-automerge.patch
deleted file mode 100644
index 2973639..0000000
--- a/SOURCES/0001-tests-shell-runtime-set-element-automerge.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From c994f1d2a31a2b03557b3eb1c8c2de34b97edce1 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 24 Jun 2022 16:02:59 +0200
-Subject: [PATCH] tests: shell: runtime set element automerge
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 8fafe4e6b5b30
-
-commit 8fafe4e6b5b30f2539f16403da8d5c5f819e523b
-Author: Pablo Neira Ayuso
-Date: Mon Jun 13 17:05:22 2022 +0200
-
- tests: shell: runtime set element automerge
-
- Add a test to cover runtime set element automerge.
-
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- tests/shell/testcases/sets/automerge_0 | 64 ++++++++++++++++++++++++++
- 1 file changed, 64 insertions(+)
- create mode 100755 tests/shell/testcases/sets/automerge_0
-
-diff --git a/tests/shell/testcases/sets/automerge_0 b/tests/shell/testcases/sets/automerge_0
-new file mode 100755
-index 0000000..c9fb609
---- /dev/null
-+++ b/tests/shell/testcases/sets/automerge_0
-@@ -0,0 +1,64 @@
-+#!/bin/bash
-+
-+set -e
-+
-+RULESET="table inet x {
-+ set y {
-+ type inet_service
-+ flags interval
-+ auto-merge
-+ }
-+}"
-+
-+$NFT -f - <<< $RULESET
-+
-+tmpfile=$(mktemp)
-+echo -n "add element inet x y { " > $tmpfile
-+for ((i=0;i<65535;i+=2))
-+do
-+ echo -n "$i, " >> $tmpfile
-+ if [ $i -eq 65534 ]
-+ then
-+ echo -n "$i" >> $tmpfile
-+ fi
-+done
-+echo "}" >> $tmpfile
-+
-+$NFT -f $tmpfile
-+
-+tmpfile2=$(mktemp)
-+for ((i=1;i<65535;i+=2))
-+do
-+ echo "$i" >> $tmpfile2
-+done
-+
-+tmpfile3=$(mktemp)
-+shuf $tmpfile2 > $tmpfile3
-+i=0
-+cat $tmpfile3 | while read line && [ $i -lt 10 ]
-+do
-+ $NFT add element inet x y { $line }
-+ i=$((i+1))
-+done
-+
-+for ((i=0;i<10;i++))
-+do
-+ from=$(($RANDOM%65535))
-+ to=$(($from+100))
-+ $NFT add element inet x y { $from-$to }
-+ if [ $? -ne 0 ]
-+ then
-+ echo "failed to add $from-$to"
-+ exit 1
-+ fi
-+ $NFT get element inet x y { $from-$to }
-+ if [ $? -ne 0 ]
-+ then
-+ echo "failed to get $from-$to"
-+ exit 1
-+ fi
-+done
-+
-+rm -f $tmpfile
-+rm -f $tmpfile2
-+rm -f $tmpfile3
---
-2.41.0.rc1
-
diff --git a/SOURCES/0002-rule-collapse-set-element-commands.patch b/SOURCES/0002-rule-collapse-set-element-commands.patch
deleted file mode 100644
index aea8e2c..0000000
--- a/SOURCES/0002-rule-collapse-set-element-commands.patch
+++ /dev/null
@@ -1,236 +0,0 @@
-From 33792b491be79cb50d163c4ecc553f1258b82159 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 24 J�un 2022 16:02:59 +0200
-Subject: [PATCH] rule: collapse set element commands
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 498a5f0c219d8
-
-commit 498a5f0c219d8a118af4f172f248647d9b077101
-Author: Pablo Neira Ayuso
-Date: Mon Jun 13 17:22:44 2022 +0200
-
- rule: collapse set element commands
-
- Robots might generate a long list of singleton element commands such as:
-
- add element t s { 1.0.1.0/24 }
- ...
- add element t s { 1.0.2.0/23 }
-
- collapse them into one single command before the evaluation step, ie.
-
- add element t s { 1.0.1.0/24, ..., 1.0.2.0/23 }
-
- this speeds up overlap detection and set element automerge operations in
- this worst case scenario.
-
- Since 3da9643fb9ff9 ("intervals: add support to automerge with kernel
- elements"), the new interval tracking relies on mergesort. The pattern
- above triggers the set sorting for each element.
-
- This patch adds a list to cmd objects that store collapsed commands.
- Moreover, expressions also contain a reference to the original command,
- to uncollapse the commands after the evaluation step.
-
- These commands are uncollapsed after the evaluation step to ensure error
- reporting works as expected (command and netlink message are mapped
- 1:1).
-
- For the record:
-
- - nftables versions <= 1.0.2 did not perform any kind of overlap
- check for the described scenario above (because set cache only contained
- elements in the kernel in this case). This is a problem for kernels < 5.7
- which rely on userspace to detect overlaps.
-
- - the overlap detection could be skipped for kernels >= 5.7.
-
- - The extended netlink error reporting available for set elements
- since 5.19-rc might allow to remove the uncollapse step, in this case,
- error reporting does not rely on the netlink sequence to refer to the
- command triggering the problem.
-
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- include/expression.h | 1 +
- include/rule.h | 3 ++
- src/libnftables.c | 17 ++++++++--
- src/rule.c | 75 ++++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 93 insertions(+), 3 deletions(-)
-
-diff --git a/include/expression.h b/include/expression.h
-index 2c3818e..53194c9 100644
---- a/include/expression.h
-+++ b/include/expression.h
-@@ -243,6 +243,7 @@ struct expr {
- enum expr_types etype:8;
- enum ops op:8;
- unsigned int len;
-+ struct cmd *cmd;
-
- union {
- struct {
-diff --git a/include/rule.h b/include/rule.h
-index e232b97..9081225 100644
---- a/include/rule.h
-+++ b/include/rule.h
-@@ -700,6 +700,7 @@ struct cmd {
- enum cmd_obj obj;
- struct handle handle;
- uint32_t seqnum;
-+ struct list_head collapse_list;
- union {
- void *data;
- struct expr *expr;
-@@ -728,6 +729,8 @@ extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
- const struct handle *h, const struct location *loc,
- void *data);
- extern void nft_cmd_expand(struct cmd *cmd);
-+extern bool nft_cmd_collapse(struct list_head *cmds);
-+extern void nft_cmd_uncollapse(struct list_head *cmds);
- extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
- const struct handle *h,
- const struct location *loc, struct obj *obj);
-diff --git a/src/libnftables.c b/src/libnftables.c
-index 6a22ea0..aac682b 100644
---- a/src/libnftables.c
-+++ b/src/libnftables.c
-@@ -501,7 +501,9 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
- {
- struct nft_cache_filter *filter;
- struct cmd *cmd, *next;
-+ bool collapsed = false;
- unsigned int flags;
-+ int err = 0;
-
- filter = nft_cache_filter_init();
- flags = nft_cache_evaluate(nft, cmds, filter);
-@@ -512,17 +514,26 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
-
- nft_cache_filter_fini(filter);
-
-+ if (nft_cmd_collapse(cmds))
-+ collapsed = true;
-+
- list_for_each_entry_safe(cmd, next, cmds, list) {
- struct eval_ctx ectx = {
- .nft = nft,
- .msgs = msgs,
- };
-+
- if (cmd_evaluate(&ectx, cmd) < 0 &&
-- ++nft->state->nerrs == nft->parser_max_errors)
-- return -1;
-+ ++nft->state->nerrs == nft->parser_max_errors) {
-+ err = -1;
-+ break;
-+ }
- }
-
-- if (nft->state->nerrs)
-+ if (collapsed)
-+ nft_cmd_uncollapse(cmds);
-+
-+ if (err < 0 || nft->state->nerrs)
- return -1;
-
- list_for_each_entry(cmd, cmds, list) {
-diff --git a/src/rule.c b/src/rule.c
-index 7f61bdc..0526a14 100644
---- a/src/rule.c
-+++ b/src/rule.c
-@@ -1279,6 +1279,8 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
- cmd->handle = *h;
- cmd->location = *loc;
- cmd->data = data;
-+ init_list_head(&cmd->collapse_list);
-+
- return cmd;
- }
-
-@@ -1379,6 +1381,79 @@ void nft_cmd_expand(struct cmd *cmd)
- }
- }
-
-+bool nft_cmd_collapse(struct list_head *cmds)
-+{
-+ struct cmd *cmd, *next, *elems = NULL;
-+ struct expr *expr, *enext;
-+ bool collapse = false;
-+
-+ list_for_each_entry_safe(cmd, next, cmds, list) {
-+ if (cmd->op != CMD_ADD &&
-+ cmd->op != CMD_CREATE) {
-+ elems = NULL;
-+ continue;
-+ }
-+
-+ if (cmd->obj != CMD_OBJ_ELEMENTS) {
-+ elems = NULL;
-+ continue;
-+ }
-+
-+ if (!elems) {
-+ elems = cmd;
-+ continue;
-+ }
-+
-+ if (cmd->op != elems->op) {
-+ elems = cmd;
-+ continue;
-+ }
-+
-+ if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
-+ strcmp(elems->handle.set.name, cmd->handle.set.name)) {
-+ elems = cmd;
-+ continue;
-+ }
-+
-+ collapse = true;
-+ list_for_each_entry_safe(expr, enext, &cmd->expr->expressions, list) {
-+ expr->cmd = cmd;
-+ list_move_tail(&expr->list, &elems->expr->expressions);
-+ }
-+ elems->expr->size += cmd->expr->size;
-+ list_move_tail(&cmd->list, &elems->collapse_list);
-+ }
-+
-+ return collapse;
-+}
-+
-+void nft_cmd_uncollapse(struct list_head *cmds)
-+{
-+ struct cmd *cmd, *cmd_next, *collapse_cmd, *collapse_cmd_next;
-+ struct expr *expr, *next;
-+
-+ list_for_each_entry_safe(cmd, cmd_next, cmds, list) {
-+ if (list_empty(&cmd->collapse_list))
-+ continue;
-+
-+ assert(cmd->obj == CMD_OBJ_ELEMENTS);
-+
-+ list_for_each_entry_safe(expr, next, &cmd->expr->expressions, list) {
-+ if (!expr->cmd)
-+ continue;
-+
-+ list_move_tail(&expr->list, &expr->cmd->expr->expressions);
-+ cmd->expr->size--;
-+ expr->cmd = NULL;
-+ }
-+
-+ list_for_each_entry_safe(collapse_cmd, collapse_cmd_next, &cmd->collapse_list, list) {
-+ collapse_cmd->elem.set = set_get(cmd->elem.set);
-+ list_add(&collapse_cmd->list, &cmd->list);
-+ }
-+ }
-+}
-+
- struct markup *markup_alloc(uint32_t format)
- {
- struct markup *markup;
---
-2.41.0.rc1
-
diff --git a/SOURCES/0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch b/SOURCES/0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch
deleted file mode 100644
index 5e92713..0000000
--- a/SOURCES/0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From af9045e2f2029b6573db32bd15ab861d797b86a6 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 24 Jun 2022 16:02:59 +0200
-Subject: [PATCH] intervals: do not report exact overlaps for new elements
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 87ba510fc704f
-
-commit 87ba510fc704f766b5417d3bfc326e8ab9378c2a
-Author: Pablo Neira Ayuso
-Date: Mon Jun 13 17:22:47 2022 +0200
-
- intervals: do not report exact overlaps for new elements
-
- Two new elements that represent an exact overlap should not trigger an error.
-
- add table t
- add set t s { type ipv4_addr; flags interval; }
- add element t s { 1.0.1.0/24 }
- ...
- add element t s { 1.0.1.0/24 }
-
- result in a bogus error.
-
- # nft -f set.nft
- set.nft:1002:19-28: Error: conflicting intervals specified
- add element t s { 1.0.1.0/24 }
- ^^^^^^^^^^
-
- Fixes: 3da9643fb9ff ("intervals: add support to automerge with kernel elements")
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/intervals.c | 3 +--
- tests/shell/testcases/sets/exact_overlap_0 | 22 ++++++++++++++++++++++
- 2 files changed, 23 insertions(+), 2 deletions(-)
- create mode 100755 tests/shell/testcases/sets/exact_overlap_0
-
-diff --git a/src/intervals.c b/src/intervals.c
-index bc414d6..89f5c33 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -540,8 +540,7 @@ static int setelem_overlap(struct list_head *msgs, struct set *set,
- }
-
- if (mpz_cmp(prev_range.low, range.low) == 0 &&
-- mpz_cmp(prev_range.high, range.high) == 0 &&
-- (elem->flags & EXPR_F_KERNEL || prev->flags & EXPR_F_KERNEL))
-+ mpz_cmp(prev_range.high, range.high) == 0)
- goto next;
-
- if (mpz_cmp(prev_range.low, range.low) <= 0 &&
-diff --git a/tests/shell/testcases/sets/exact_overlap_0 b/tests/shell/testcases/sets/exact_overlap_0
-new file mode 100755
-index 0000000..1ce9304
---- /dev/null
-+++ b/tests/shell/testcases/sets/exact_overlap_0
-@@ -0,0 +1,22 @@
-+#!/bin/bash
-+
-+RULESET="add table t
-+add set t s { type ipv4_addr; flags interval; }
-+add element t s { 1.0.1.0/24 }
-+add element t s { 1.0.2.0/23 }
-+add element t s { 1.0.8.0/21 }
-+add element t s { 1.0.32.0/19 }
-+add element t s { 1.1.0.0/24 }
-+add element t s { 1.1.2.0/23 }
-+add element t s { 1.1.4.0/22 }
-+add element t s { 1.1.8.0/24 }
-+add element t s { 1.1.9.0/24 }
-+add element t s { 1.1.10.0/23 }
-+add element t s { 1.1.12.0/22 }
-+add element t s { 1.1.16.0/20 }
-+add element t s { 1.1.32.0/19 }
-+add element t s { 1.0.1.0/24 }"
-+
-+$NFT -f - <<< $RULESET || exit 1
-+
-+$NFT add element t s { 1.0.1.0/24 }
---
-2.41.0.rc1
-
diff --git a/SOURCES/0004-intervals-do-not-empty-cache-for-maps.patch b/SOURCES/0004-intervals-do-not-empty-cache-for-maps.patch
deleted file mode 100644
index bfbdfac..0000000
--- a/SOURCES/0004-intervals-do-not-empty-cache-for-maps.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From cfb1670ece6414c3d2aad5dd7df572b0cc07acd5 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 24 Jun 2022 16:02:59 +0200
-Subject: [PATCH] intervals: do not empty cache for maps
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit d434de8b50dcf
-
-commit d434de8b50dcf3f5f4ca027e122a7df9d4e5d8e1
-Author: Pablo Neira Ayuso
-Date: Thu Jun 16 10:53:56 2022 +0200
-
- intervals: do not empty cache for maps
-
- Translate set element to range and sort in maps for the NFT_SET_MAP
- case, which does not support for automerge yet.
-
- Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge")
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/intervals.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/intervals.c b/src/intervals.c
-index 89f5c33..e203413 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -216,6 +216,12 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set,
- struct cmd *purge_cmd;
- struct handle h = {};
-
-+ if (set->flags & NFT_SET_MAP) {
-+ set_to_range(init);
-+ list_expr_sort(&init->expressions);
-+ return 0;
-+ }
-+
- if (existing_set) {
- if (existing_set->init) {
- list_splice_init(&existing_set->init->expressions,
-@@ -229,9 +235,6 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set,
- set_to_range(init);
- list_expr_sort(&init->expressions);
-
-- if (set->flags & NFT_SET_MAP)
-- return 0;
--
- ctx.purge = set_expr_alloc(&internal_location, set);
-
- setelem_automerge(&ctx);
---
-2.41.0.rc1
-
diff --git a/SOURCES/0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch b/SOURCES/0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch
deleted file mode 100644
index ecab071..0000000
--- a/SOURCES/0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From 5c5128094c75a184e54e82f2ad43c67423184c3e Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Fri, 24 Jun 2022 16:02:59 +0200
-Subject: [PATCH] intervals: Do not sort cached set elements over and over
- again
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 59e3a59221fb8
-
-commit 59e3a59221fb81c289a0868a85140dd452fb1c30
-Author: Phil Sutter
-Date: Thu Jun 16 10:56:12 2022 +0200
-
- intervals: Do not sort cached set elements over and over again
-
- When adding element(s) to a non-empty set, code merged the two lists and
- sorted the result. With many individual 'add element' commands this
- causes substantial overhead. Make use of the fact that
- existing_set->init is sorted already, sort only the list of new elements
- and use list_splice_sorted() to merge the two sorted lists.
-
- Add set_sort_splice() and use it for set element overlap detection and
- automerge.
-
- A test case adding ~25k elements in individual commands completes in
- about 1/4th of the time with this patch applied.
-
- Joint work with Pablo.
-
- Fixes: 3da9643fb9ff9 ("intervals: add support to automerge with kernel elements")
- Signed-off-by: Phil Sutter
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- include/expression.h | 1 +
- src/intervals.c | 46 +++++++++++++++++++++-----------------------
- src/mergesort.c | 2 +-
- 3 files changed, 24 insertions(+), 25 deletions(-)
-
-diff --git a/include/expression.h b/include/expression.h
-index 53194c9..cf7319b 100644
---- a/include/expression.h
-+++ b/include/expression.h
-@@ -481,6 +481,7 @@ extern struct expr *compound_expr_alloc(const struct location *loc,
- extern void compound_expr_add(struct expr *compound, struct expr *expr);
- extern void compound_expr_remove(struct expr *compound, struct expr *expr);
- extern void list_expr_sort(struct list_head *head);
-+extern void list_splice_sorted(struct list_head *list, struct list_head *head);
-
- extern struct expr *concat_expr_alloc(const struct location *loc);
-
-diff --git a/src/intervals.c b/src/intervals.c
-index e203413..dcc06d1 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -118,6 +118,26 @@ static bool merge_ranges(struct set_automerge_ctx *ctx,
- return false;
- }
-
-+static void set_sort_splice(struct expr *init, struct set *set)
-+{
-+ struct set *existing_set = set->existing_set;
-+
-+ set_to_range(init);
-+ list_expr_sort(&init->expressions);
-+
-+ if (!existing_set)
-+ return;
-+
-+ if (existing_set->init) {
-+ set_to_range(existing_set->init);
-+ list_splice_sorted(&existing_set->init->expressions,
-+ &init->expressions);
-+ init_list_head(&existing_set->init->expressions);
-+ } else {
-+ existing_set->init = set_expr_alloc(&internal_location, set);
-+ }
-+}
-+
- static void setelem_automerge(struct set_automerge_ctx *ctx)
- {
- struct expr *i, *next, *prev = NULL;
-@@ -222,18 +242,7 @@ int set_automerge(struct list_head *msgs, struct cmd *cmd, struct set *set,
- return 0;
- }
-
-- if (existing_set) {
-- if (existing_set->init) {
-- list_splice_init(&existing_set->init->expressions,
-- &init->expressions);
-- } else {
-- existing_set->init = set_expr_alloc(&internal_location,
-- set);
-- }
-- }
-- - -- set_to_range(init);
-- list_expr_sort(&init->expressions);
-+ set_sort_splice(init, set);
-
- ctx.purge = set_expr_alloc(&internal_location, set);
-
-@@ -591,18 +600,7 @@ int set_overlap(struct list_head *msgs, struct set *set, struct expr *init)
- struct expr *i, *n, *clone;
- int err;
-
-- if (existing_set) {
-- if (existing_set->init) {
-- list_splice_init(&existing_set->init->expressions,
-- &init->expressions);
-- } else {
-- existing_set->init = set_expr_alloc(&internal_location,
-- set);
-- }
-- }
--
-- set_to_range(init);
-- list_expr_sort(&init->expressions);
-+ set_sort_splice(init, set);
-
- err = setelem_overlap(msgs, set, init);
-
-diff --git a/src/mergesort.c b/src/mergesort.c
-index 8e6aac5..dca7142 100644
---- a/src/mergesort.c
-+++ b/src/mergesort.c
-@@ -70,7 +70,7 @@ static int expr_msort_cmp(const struct expr *e1, const struct expr *e2)
- return ret;
- }
-
--static void list_splice_sorted(struct list_head *list, struct list_head *head)
-+void list_splice_sorted(struct list_head *list, struct list_head *head)
- {
- struct list_head *h = head->next;
- struct list_head *l = list->next;
---
-2.41.0.rc1
-
diff --git a/SOURCES/0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch b/SOURCES/0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch
deleted file mode 100644
index b77a4fe..0000000
--- a/SOURCES/0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a2e5f4f59c0d4a3880a4de5e95adffc553216d2e Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:15:02 +0100
-Subject: [PATCH] doc: Document limitations of ipsec expression with
- xfrm_interface
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 446e76dbde713
-
-commit 446e76dbde713327358f17a8af6ce86b8541c836
-Author: Phil Sutter
-Date: Thu Jun 23 17:49:20 2022 +0200
-
- doc: Document limitations of ipsec expression with xfrm_interface
-
- Point at a possible solution to match IPsec info of locally generated
- traffic routed to an xfrm-type interface.
-
- Signed-off-by: Phil Sutter
- Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- doc/primary-expression.txt | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
-index f97778b..4d6b087 100644
---- a/doc/primary-expression.txt
-+++ b/doc/primary-expression.txt
-@@ -428,6 +428,10 @@ Destination address of the tunnel|
- ipv4_addr/ipv6_addr
- |=================================
-
-+*Note:* When using xfrm_interface, this expression is not useable in output
-+hook as the plain packet does not traverse it with IPsec info attached - use a
-+chain in postrouting hook instead.
-+
- NUMGEN EXPRESSION
- ~~~~~~~~~~~~~~~~~
-
---
-2.41.0.rc1
-
diff --git a/SOURCES/0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch b/SOURCES/0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch
deleted file mode 100644
index 91bb404..0000000
--- a/SOURCES/0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 23e6c3545b6c416a0eb7d3c7ac97c74215dcc19c Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:18:10 +0100
-Subject: [PATCH] tests/py: Add a test for failing ipsec after counter
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit ed2426bccd3ea
-
-commit ed2426bccd3ea954adc8a010bf1736e8ed6a81b9
-Author: Phil Sutter
-Date: Thu Jun 23 16:28:42 2022 +0200
-
- tests/py: Add a test for failing ipsec after counter
-
- This is a bug in parser/scanner due to scoping:
-
- | Error: syntax error, unexpected string, expecting saddr or daddr
- | add rule ip ipsec-ip4 ipsec-forw counter ipsec out ip daddr 192.168.1.2
- | ^^^^^
-
- Signed-off-by: Phil Sutter
- Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- tests/py/inet/ipsec.t | 2 ++
- tests/py/inet/ipsec.t.json | 21 +++++++++++++++++++++
- tests/py/inet/ipsec.t.payload | 6 ++++++
- 3 files changed, 29 insertions(+)
-
-diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t
-index e924e9b..b18df39 100644
---- a/tests/py/inet/ipsec.t
-+++ b/tests/py/inet/ipsec.t
-@@ -19,3 +19,5 @@ ipsec in ip6 daddr dead::beef;ok
- ipsec out ip6 saddr dead::feed;ok
-
- ipsec in spnum 256 reqid 1;fail
-+
-+counter ipsec out ip daddr 192.168.1.2;ok
-diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json
-index d7d3a03..18a64f3 100644
---- a/tests/py/inet/ipsec.t.json
-+++ b/tests/py/inet/ipsec.t.json
-@@ -134,3 +134,24 @@
- }
- }
- ]
-+
-+# counter ipsec out ip daddr 192.168.1.2
-+[
-+ {
-+ "counter": null
-+ },
-+ {
-+ "match": {
-+ "left": {
-+ "ipsec": {
-+ "dir": "out",
-+ "family": "ip",
-+ "key": "daddr",
-+ "spnum": 0
-+ }
-+ },
-+ "op": "==",
-+ "right": "192.168.1.2"
-+ }
-+ }
-+]
-diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload
-index c46a226..9648255 100644
---- a/tests/py/inet/ipsec.t.payload
-+++ b/tests/py/inet/ipsec.t.payload
-@@ -37,3 +37,9 @@ ip ipsec-ip4 ipsec-forw
- [ xfrm load out 0 saddr6 => reg 1 ]
- [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ]
-
-+# counter ipsec out ip daddr 192.168.1.2
-+ip ipsec-ip4 ipsec-forw
-+ [ counter pkts 0 bytes 0 ]
-+ [ xfrm load out 0 daddr4 => reg 1 ]
-+ [ cmp eq reg 1 0x0201a8c0 ]
-+
---
-2.41.0.rc1
-
diff --git a/SOURCES/0008-parser-add-missing-synproxy-scope-closure.patch b/SOURCES/0008-parser-add-missing-synproxy-scope-closure.patch
deleted file mode 100644
index fe6996c..0000000
--- a/SOURCES/0008-parser-add-missing-synproxy-scope-closure.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From d0d4d54136f10c23e279da40aae188b8fdc09293 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:18:10 +0100
-Subject: [PATCH] parser: add missing synproxy scope closure
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 994bf5004b365
-
-commit 994bf5004b365904029f0fe8c2de587178583712
-Author: Florian Westphal
-Date: Thu Jun 23 18:28:14 2022 +0200
-
- parser: add missing synproxy scope closure
-
- Fixes: 232f2c3287fc ("scanner: synproxy: Move to own scope")
- Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- src/parser_bison.y | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/parser_bison.y b/src/parser_bison.y
-index ca5c488..b548d5b 100644
---- a/src/parser_bison.y
-+++ b/src/parser_bison.y
-@@ -2016,7 +2016,7 @@ map_block_obj_type : COUNTER close_scope_counter { $$ = NFT_OBJECT_COUNTER; }
- | QUOTA close_scope_quota { $$ = NFT_OBJECT_QUOTA; }
- | LIMIT close_scope_limit { $$ = NFT_OBJECT_LIMIT; }
- | SECMARK close_scope_secmark { $$ = NFT_OBJECT_SECMARK; }
-- | SYNPROXY { $$ = NFT_OBJECT_SYNPROXY; }
-+ | SYNPROXY close_scope_synproxy { $$ = NFT_OBJECT_SYNPROXY; }
- ;
-
- map_block : /* empty */ { $$ = $-1; }
---
-2.41.0.rc1
-
diff --git a/SOURCES/0009-scanner-don-t-pop-active-flex-scanner-scope.patch b/SOURCES/0009-scanner-don-t-pop-active-flex-scanner-scope.patch
deleted file mode 100644
index f785f7b..0000000
--- a/SOURCES/0009-scanner-don-t-pop-active-flex-scanner-scope.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From 80b1505ca2ef8432375dc524cc6763e7ef795b1a Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:18:10 +0100
-Subject: [PATCH] scanner: don't pop active flex scanner scope
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 8623772af0610
-
-commit 8623772af06103ed4ccca3d07e55afbf3d952d6d
-Author: Florian Westphal
-Date: Thu Jun 23 19:56:19 2022 +0200
-
- scanner: don't pop active flex scanner scope
-
- Currently we can pop a flex scope that is still active, i.e. the
- scanner_pop_start_cond() for the scope has not been done.
-
- Example:
- counter ipsec out ip daddr 192.168.1.2 counter name "ipsec_out"
-
- Here, parser fails because 'daddr' is parsed as STRING, not as DADDR token.
-
- Bug is as follows:
- COUNTER changes scope to COUNTER. (COUNTER).
- Next, IPSEC scope gets pushed, stack is: COUNTER, IPSEC.
-
- Then, the 'COUNTER' scope close happens. Because active scope has changed,
- we cannot pop (we would pop the 'ipsec' scope in flex).
- The pop operation gets delayed accordingly.
-
- Next, IP gets pushed, stack is: COUNTER, IPSEC, IP, plus the information
- that one scope closure/pop was delayed.
-
- Then, the IP scope is closed. Because a pop operation was delayed, we pop again,
- which brings us back to COUNTER state.
-
- This is bogus: The pop operation CANNOT be done yet, because the ipsec scope
- is still open, but the existing code lacks the information to detect this.
-
- After popping the IP scope, we must remain in IPSEC scope until bison
- parser calls scanner_pop_start_cond(, IPSEC).
-
- This adds a counter per flex scope so that we can detect this case.
- In above case, after the IP scope gets closed, the "new" (previous)
- scope (IPSEC) will be treated as active and its close is attempted again
- on the next call to scanner_pop_start_cond().
-
- After this patch, transition in above rule is:
-
- push counter (COUNTER)
- push IPSEC (COUNTER, IPSEC)
- pop COUNTER (delayed: COUNTER, IPSEC, pending-pop for COUNTER),
- push IP (COUNTER, IPSEC, IP, pending-pop for COUNTER)
- pop IP (COUNTER, IPSEC, pending-pop for COUNTER)
- parse DADDR (we're in IPSEC scope, its valid token)
- pop IPSEC (pops all remaining scopes).
-
- We could also resurrect the commit:
- "scanner: flags: move to own scope", the test case passes with the
- new scope closure logic.
-
- Fixes: bff106c5b277 ("scanner: add support for scope nesting")
- Signed-off-by: Florian Westphal
-
-Signed-off-by: Phil Sutter
----
- include/parser.h | 3 +++
- src/scanner.l | 11 +++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/include/parser.h b/include/parser.h
-index f32154c..5e5ad28 100644
---- a/include/parser.h
-+++ b/include/parser.h
-@@ -26,6 +26,7 @@ struct parser_state {
- unsigned int flex_state_pop;
- unsigned int startcond_type;
- struct list_head *cmds;
-+ unsigned int *startcond_active;
- };
-
- enum startcond_type {
-@@ -82,6 +83,8 @@ enum startcond_type {
- PARSER_SC_STMT_REJECT,
- PARSER_SC_STMT_SYNPROXY,
- PARSER_SC_STMT_TPROXY,
-+
-+ __SC_MAX
- };
-
- struct mnl_socket;
-diff --git a/src/scanner.l b/src/scanner.l
-index 2154281..ed7256b 100644
---- a/src/scanner.l
-+++ b/src/scanner.l
-@@ -1148,6 +1148,8 @@ void *scanner_init(struct parser_state *state)
- yylex_init_extra(state, &scanner);
- yyset_out(NULL, scanner);
-
-+ state->startcond_active = xzalloc_array(__SC_MAX,
-+ sizeof(*state->startcond_active));
- return scanner;
- }
-
-@@ -1177,6 +1179,8 @@ void scanner_destroy(struct nft_ctx *nft)
- struct parser_state *state = yyget_extra(nft->scanner);
-
- input_descriptor_list_destroy(state);
-+ xfree(state->startcond_active);
-+
- yylex_destroy(nft->scanner);
- }
-
-@@ -1185,6 +1189,7 @@ static void scanner_push_start_cond(void *scanner, enum startcond_type type)
- struct parser_state *state = yyget_extra(scanner);
-
- state->startcond_type = type;
-+ state->startcond_active[type]++;
-
- yy_push_state((int)type, scanner);
- }
-@@ -1193,6 +1198,8 @@ void scanner_pop_start_cond(void *scanner, enum startcond_type t)
- {
- struct parser_state *state = yyget_extra(scanner);
-
-+ state->startcond_active[t]--;
-+
- if (state->startcond_type != t) {
- state->flex_state_pop++;
- return; /* Can't pop just yet! */
-@@ -1202,6 +1209,10 @@ void scanner_pop_start_cond(void *scanner, enum startcond_type t)
- state->flex_state_pop--;
- state->startcond_type = yy_top_state(scanner);
- yy_pop_state(scanner);
-+
-+ t = state->startcond_type;
-+ if (state->startcond_active[t])
-+ return;
- }
-
- state->startcond_type = yy_top_state(scanner);
---
-2.41.0.rc1
-
diff --git a/SOURCES/0010-intervals-fix-crash-when-trying-to-remove-element-in.patch b/SOURCES/0010-intervals-fix-crash-when-trying-to-remove-element-in.patch
deleted file mode 100644
index 5ac725f..0000000
--- a/SOURCES/0010-intervals-fix-crash-when-trying-to-remove-element-in.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From babfd73139d19750a7b1f94fdc1b5405f5affe61 Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:25:59 +0100
-Subject: [PATCH] intervals: fix crash when trying to remove element in empty
- set
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 5357cb7b5cb93
-
-commit 5357cb7b5cb93fc9b20d4d95b093d6b9f86b7727
-Author: Pablo Neira Ayuso
-Date: Thu Jun 23 14:20:17 2022 +0200
-
- intervals: fix crash when trying to remove element in empty set
-
- The set deletion routine expects an initialized set, otherwise it crashes.
-
- Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge")
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/intervals.c | 6 +++++-
- tests/shell/testcases/sets/errors_0 | 14 ++++++++++++++
- 2 files changed, 19 insertions(+), 1 deletion(-)
- create mode 100755 tests/shell/testcases/sets/errors_0
-
-diff --git a/src/intervals.c b/src/intervals.c
-index dcc06d1..c21b3ee 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -475,7 +475,11 @@ int set_delete(struct list_head *msgs, struct cmd *cmd, struct set *set,
- if (set->automerge)
- automerge_delete(msgs, set, init, debug_mask);
-
-- set_to_range(existing_set->init);
-+ if (existing_set->init) {
-+ set_to_range(existing_set->init);
-+ } else {
-+ existing_set->init = set_expr_alloc(&internal_location, set);
-+ }
-
- list_splice_init(&init->expressions, &del_list);
-
-diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
-new file mode 100755
-index 0000000..2960b69
---- /dev/null
-+++ b/tests/shell/testcases/sets/errors_0
-@@ -0,0 +1,14 @@
-+#!/bin/bash
-+
-+set -e
-+
-+RULESET="table ip x {
-+ set y {
-+ type ipv4_addr
-+ flags interval
-+ }
-+}
-+
-+delete element ip x y { 2.3.4.5 }"
-+
-+$NFT -f - <<< $RULESET || exit 0
---
-2.41.0.rc1
-
diff --git a/SOURCES/0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch b/SOURCES/0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch
deleted file mode 100644
index fd1cbc3..0000000
--- a/SOURCES/0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 3ea1e90779e232776e72548e9a768df1771e0f2c Mon Sep 17 00:00:00 2001
-From: Phil Sutter
-Date: Thu, 9 Feb 2023 10:25:59 +0100
-Subject: [PATCH] intervals: check for EXPR_F_REMOVE in case of element
- mismatch
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076
-Upstream Status: nftables commit 6d1ee9267e7e5
-
-commit 6d1ee9267e7e5e429a84d7bb8a8644f9eebddb22
-Author: Pablo Neira Ayuso
-Date: Thu Jun 23 18:41:21 2022 +0200
-
- intervals: check for EXPR_F_REMOVE in case of element mismatch
-
- If auto-merge is disable and element to be deleted finds no exact
- matching, then bail out.
-
- Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge")
- Signed-off-by: Pablo Neira Ayuso
-
-Signed-off-by: Phil Sutter
----
- src/intervals.c | 4 ++++
- tests/shell/testcases/sets/errors_0 | 20 ++++++++++++++++++--
- 2 files changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/src/intervals.c b/src/intervals.c
-index c21b3ee..13009ca 100644
---- a/src/intervals.c
-+++ b/src/intervals.c
-@@ -421,6 +421,10 @@ static int setelem_delete(struct list_head *msgs, struct set *set,
- expr_error(msgs, i, "element does not exist");
- err = -1;
- goto err;
-+ } else if (i->flags & EXPR_F_REMOVE) {
-+ expr_error(msgs, i, "element does not exist");
-+ err = -1;
-+ goto err;
- }
- prev = NULL;
- }
-diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
-index 2960b69..a676ac7 100755
---- a/tests/shell/testcases/sets/errors_0
-+++ b/tests/shell/testcases/sets/errors_0
-@@ -1,7 +1,5 @@
- #!/bin/bash
-
--set -e
--
- RULESET="table ip x {
- set y {
- type ipv4_addr
-@@ -11,4 +9,22 @@ RULESET="table ip x {
-
- delete element ip x y { 2.3.4.5 }"
-
-+$NFT -f - <<< $RULESET
-+if [ $? -eq 0 ]
-+then
-+ exit 1
-+fi
-+
-+RULESET="table ip x {
-+ set y {
-+ type ipv4_addr
-+ flags interval
-+ }
-+}
-+
-+add element x y { 1.1.1.1/24 }
-+delete element x y { 1.1.1.1/24 }
-+add element x y { 1.1.1.1/24 }
-+delete element x y { 2.2.2.2/24 }"
-+
- $NFT -f - <<< $RULESET || exit 0
---
-2.41.0.rc1
-
diff --git a/SOURCES/0012-netlink_delinearize-allow-postprocessing-on-concaten.patch b/SOURCES/0012-netlink_delinearize-allow-postprocessing-on-concaten.patch
deleted file mode 100644
index f0e3f60..0000000
--- a/SOURCES/0012-netlink_delinearize-allow-postprocessing-on-concaten.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From 477a5632894a8bf6cba1f6e69a3f7d58d220820b Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] netlink_delinearize: allow postprocessing on concatenated - elements - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 0542a431e8dcc - -commit 0542a431e8dccfa86fa5b1744f536e61a0b204f3 -Author: Florian Westphal -Date: Tue Jun 14 21:57:58 2022 +0200 - - netlink_delinearize: allow postprocessing on concatenated elements - - Currently there is no case where the individual expressions inside a - mapped concatenation need to be munged. - - However, to support proper delinearization for an input like - 'rule netdev nt nc set update ether saddr . vlan id timeout 5s @macset' - - we need to allow this. - - Right now, this gets listed as: - - update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } - - because the ethernet protocol is replaced by vlan beforehand, - so we fail to map @ll,48,48 to a vlan protocol. - - Likewise, we can't map the vlan info either because we cannot - cope with the 'and' operation properly, nor is it removed. - - Prepare for this by deleting and re-adding so that we do not - corrupt the linked list. - - After this, the list can be safely changed and a followup patch - can start to delete/reallocate expressions. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/netlink_delinearize.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 068c3bb..2f13990 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -2538,16 +2538,21 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - unsigned int type = expr->dtype->type, ntype = 0; - int off = expr->dtype->subtypes; - const struct datatype *dtype; -+ LIST_HEAD(tmp); -+ struct expr *n; - -- list_for_each_entry(i, &expr->expressions, list) { -+ list_for_each_entry_safe(i, n, &expr->expressions, list) { - if (type) { - dtype = concat_subtype_lookup(type, --off); - expr_set_type(i, dtype, dtype->byteorder); - } -+ list_del(&i->list); - expr_postprocess(ctx, &i); -+ list_add_tail(&i->list, &tmp); - - ntype = concat_subtype_add(ntype, i->dtype->type); - } -+ list_splice(&tmp, &expr->expressions); - datatype_set(expr, concat_type_alloc(ntype)); - break; - } --- -2.41.0.rc1 - diff --git a/SOURCES/0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch b/SOURCES/0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch deleted file mode 100644 index 7ef74f0..0000000 --- a/SOURCES/0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From 120ec5410b0c9f8f84f2bfdf092228cc61899785 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] netlink_delinearize: postprocess binary ands in - concatenations - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 89688c947efc3 - -commit 89688c947efc36d25c58c85650414fa3a491732e -Author: Florian Westphal -Date: Tue Jun 14 21:56:48 2022 +0200 - - netlink_delinearize: postprocess binary ands in concatenations - - Input: - update ether saddr . vlan id timeout 5s @macset - ether saddr . vlan id @macset - - Before this patch, gets rendered as: - update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } - @ll,48,48 . @ll,112,16 & 0xfff @macset - - After this, listing will show: - update @macset { @ll,48,48 . vlan id timeout 5s } - @ll,48,48 . vlan id @macset - - The @ll, ... is due to vlan description replacing the ethernet one, - so payload decode fails to take the concatenation apart (the ethernet - header payload info is matched vs. vlan template). - - This will be adjusted by a followup patch. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - include/netlink.h | 6 ++++++ - src/netlink_delinearize.c | 45 ++++++++++++++++++++++++++++++++++----- - 2 files changed, 46 insertions(+), 5 deletions(-) - -diff --git a/include/netlink.h b/include/netlink.h -index e8e0f68..71c888f 100644 ---- a/include/netlink.h -+++ b/include/netlink.h -@@ -42,10 +42,16 @@ struct netlink_parse_ctx { - struct netlink_ctx *nlctx; - }; - -+ -+#define RULE_PP_IN_CONCATENATION (1 << 0) -+ -+#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION) -+ - struct rule_pp_ctx { - struct proto_ctx pctx; - struct payload_dep_ctx pdctx; - struct stmt *stmt; -+ unsigned int flags; - }; - - extern const struct input_descriptor indesc_netlink; -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 2f13990..cba419d 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -2259,12 +2259,13 @@ static void binop_adjust(const struct expr *binop, struct expr *right, - } - } - --static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr, -- struct expr **expr_binop) -+static void __binop_postprocess(struct rule_pp_ctx *ctx, -+ struct expr *expr, -+ struct expr *left, -+ struct expr *mask, -+ struct expr **expr_binop) - { - struct expr *binop = *expr_binop; -- struct expr *left = binop->left; -- struct expr *mask = binop->right; - unsigned int shift; - - assert(binop->etype == EXPR_BINOP); -@@ -2300,15 +2301,26 @@ static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr, - - assert(binop->left == left); - *expr_binop = expr_get(left); -- expr_free(binop); - - if (left->etype == EXPR_PAYLOAD) - payload_match_postprocess(ctx, expr, left); - else if (left->etype == EXPR_EXTHDR && right) - expr_set_type(right, left->dtype, left->byteorder); -+ -+ expr_free(binop); - } - } - -+static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr, -+ struct expr **expr_binop) -+{ -+ struct expr *binop = *expr_binop; -+ 
struct expr *left = binop->left; -+ struct expr *mask = binop->right; -+ -+ __binop_postprocess(ctx, expr, left, mask, expr_binop); -+} -+ - static void map_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr) - { - struct expr *binop = expr->map; -@@ -2541,6 +2553,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - LIST_HEAD(tmp); - struct expr *n; - -+ ctx->flags |= RULE_PP_IN_CONCATENATION; - list_for_each_entry_safe(i, n, &expr->expressions, list) { - if (type) { - dtype = concat_subtype_lookup(type, --off); -@@ -2552,6 +2565,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - - ntype = concat_subtype_add(ntype, i->dtype->type); - } -+ ctx->flags &= ~RULE_PP_IN_CONCATENATION; - list_splice(&tmp, &expr->expressions); - datatype_set(expr, concat_type_alloc(ntype)); - break; -@@ -2568,6 +2582,27 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - expr_set_type(expr->right, &integer_type, - BYTEORDER_HOST_ENDIAN); - break; -+ case OP_AND: -+ expr_set_type(expr->right, expr->left->dtype, -+ expr->left->byteorder); -+ -+ /* Do not process OP_AND in ordinary rule context. -+ * -+ * Removal needs to be performed as part of the relational -+ * operation because the RHS constant might need to be adjusted -+ * (shifted). -+ * -+ * This is different in set element context or concatenations: -+ * There is no relational operation (eq, neq and so on), thus -+ * it needs to be processed right away. -+ */ -+ if ((ctx->flags & RULE_PP_REMOVE_OP_AND) && -+ expr->left->etype == EXPR_PAYLOAD && -+ expr->right->etype == EXPR_VALUE) { -+ __binop_postprocess(ctx, expr, expr->left, expr->right, exprp); -+ return; -+ } -+ break; - default: - expr_set_type(expr->right, expr->left->dtype, - expr->left->byteorder); --- -2.41.0.rc1 - 
diff --git a/SOURCES/0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch b/SOURCES/0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch deleted file mode 100644 index 8ce0ca7..0000000 --- a/SOURCES/0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch +++ /dev/null @@ -1,287 +0,0 @@ -From 5246e288a724e7b9641c94f228096dc1529bb2ea Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] proto: track full stack of seen l2 protocols, not just - cumulative offset - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 0d9daa0407212 - -commit 0d9daa0407212c8cc89b3ea8aee031ddf0109b08 -Author: Florian Westphal -Date: Mon Jul 25 14:32:13 2022 +0200 - - proto: track full stack of seen l2 protocols, not just cumulative offset - - For input, a cumulative size counter of all pushed l2 headers is enough, - because we have the full expression tree available to us. - - For delinearization we need to track all seen l2 headers, else we lose - information that we might need at a later time. - - Consider: - - rule netdev nt nc set update ether saddr . vlan id - - during delinearization, the vlan proto_desc replaces the ethernet one, - and by the time we try to split the concatenation apart we will search - the ether saddr offset vs. the templates for proto_vlan. - - This replaces the offset with an array that stores the protocol - descriptions seen. - - Then, if the payload offset is larger than our description, search the - l2 stack and adjust the offset until we're within the expected offset - boundary. - - Reported-by: Eric Garver - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - include/proto.h | 3 +- - src/evaluate.c | 15 +++++++-- - src/netlink_delinearize.c | 5 --- - src/payload.c | 67 ++++++++++++++++++++++++++++++++------- - src/proto.c | 2 -- - 5 files changed, 71 insertions(+), 21 deletions(-) - -diff --git a/include/proto.h b/include/proto.h -index a04240a..35e760c 100644 ---- a/include/proto.h -+++ b/include/proto.h -@@ -193,13 +193,14 @@ struct proto_ctx { - struct { - struct location location; - const struct proto_desc *desc; -- unsigned int offset; - struct { - struct location location; - const struct proto_desc *desc; - } protos[PROTO_CTX_NUM_PROTOS]; - unsigned int num_protos; - } protocol[PROTO_BASE_MAX + 1]; -+ const struct proto_desc *stacked_ll[PROTO_CTX_NUM_PROTOS]; -+ uint8_t stacked_ll_count; - }; - - extern void proto_ctx_init(struct proto_ctx *ctx, unsigned int family, -diff --git a/src/evaluate.c b/src/evaluate.c -index 82bf131..9246064 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -678,7 +678,13 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx, - conflict_resolution_gen_dependency(ctx, link, payload, &nstmt) < 0) - return 1; - -- payload->payload.offset += ctx->pctx.protocol[base].offset; -+ if (base == PROTO_BASE_LL_HDR) { -+ unsigned int i; -+ -+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++) -+ payload->payload.offset += ctx->pctx.stacked_ll[i]->length; -+ } -+ - rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); - - return 0; -@@ -727,7 +733,12 @@ static int __expr_evaluate_payload(struct eval_ctx *ctx, struct expr *expr) - if (desc == payload->payload.desc) { - const struct proto_hdr_template *tmpl; - -- payload->payload.offset += ctx->pctx.protocol[base].offset; -+ if (desc->base == PROTO_BASE_LL_HDR) { -+ unsigned int i; -+ -+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++) -+ payload->payload.offset += ctx->pctx.stacked_ll[i]->length; -+ } - check_icmp: - if (desc != &proto_icmp && desc != &proto_icmp6) - return 0; 
-diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index cba419d..0b5519d 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -1976,11 +1976,6 @@ static void payload_match_postprocess(struct rule_pp_ctx *ctx, - struct expr *expr, - struct expr *payload) - { -- enum proto_bases base = payload->payload.base; -- -- assert(payload->payload.offset >= ctx->pctx.protocol[base].offset); -- payload->payload.offset -= ctx->pctx.protocol[base].offset; -- - switch (expr->op) { - case OP_EQ: - case OP_NEQ: -diff --git a/src/payload.c b/src/payload.c -index 66418cd..2c0d0ac 100644 ---- a/src/payload.c -+++ b/src/payload.c -@@ -116,8 +116,13 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx, - if (desc->base == base->base) { - assert(base->length > 0); - -- if (!left->payload.is_raw) -- ctx->protocol[base->base].offset += base->length; -+ if (!left->payload.is_raw) { -+ if (desc->base == PROTO_BASE_LL_HDR && -+ ctx->stacked_ll_count < PROTO_CTX_NUM_PROTOS) { -+ ctx->stacked_ll[ctx->stacked_ll_count] = base; -+ ctx->stacked_ll_count++; -+ } -+ } - } - proto_ctx_update(ctx, desc->base, loc, desc); - } -@@ -869,6 +874,38 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr, - } - } - -+static const struct proto_desc *get_stacked_desc(const struct proto_ctx *ctx, -+ const struct proto_desc *top, -+ const struct expr *e, -+ unsigned int *skip) -+{ -+ unsigned int i, total, payload_offset = e->payload.offset; -+ -+ assert(e->etype == EXPR_PAYLOAD); -+ -+ if (e->payload.base != PROTO_BASE_LL_HDR || -+ payload_offset < top->length) { -+ *skip = 0; -+ return top; -+ } -+ -+ for (i = 0, total = 0; i < ctx->stacked_ll_count; i++) { -+ const struct proto_desc *stacked; -+ -+ stacked = ctx->stacked_ll[i]; -+ if (payload_offset < stacked->length) { -+ *skip = total; -+ return stacked; -+ } -+ -+ payload_offset -= stacked->length; -+ total += stacked->length; -+ } -+ -+ *skip = total; -+ return top; -+} -+ - /** - * 
payload_expr_complete - fill in type information of a raw payload expr - * -@@ -880,9 +917,10 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr, - */ - void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx) - { -+ unsigned int payload_offset = expr->payload.offset; - const struct proto_desc *desc; - const struct proto_hdr_template *tmpl; -- unsigned int i; -+ unsigned int i, total; - - assert(expr->etype == EXPR_PAYLOAD); - -@@ -891,9 +929,12 @@ void payload_expr_complete(struct expr *expr, const struct proto_ctx *ctx) - return; - assert(desc->base == expr->payload.base); - -+ desc = get_stacked_desc(ctx, desc, expr, &total); -+ payload_offset -= total; -+ - for (i = 0; i < array_size(desc->templates); i++) { - tmpl = &desc->templates[i]; -- if (tmpl->offset != expr->payload.offset || -+ if (tmpl->offset != payload_offset || - tmpl->len != expr->len) - continue; - -@@ -950,6 +991,7 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask, - unsigned int payload_len = expr->len; - const struct proto_desc *desc; - unsigned int off, i, len = 0; -+ unsigned int total; - - assert(expr->etype == EXPR_PAYLOAD); - -@@ -959,10 +1001,8 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask, - - assert(desc->base == expr->payload.base); - -- if (ctx->protocol[expr->payload.base].offset) { -- assert(payload_offset >= ctx->protocol[expr->payload.base].offset); -- payload_offset -= ctx->protocol[expr->payload.base].offset; -- } -+ desc = get_stacked_desc(ctx, desc, expr, &total); -+ payload_offset -= total; - - off = round_up(mask->len, BITS_PER_BYTE) - mask_len; - payload_offset += off; -@@ -1009,10 +1049,11 @@ bool payload_expr_trim(struct expr *expr, struct expr *mask, - void payload_expr_expand(struct list_head *list, struct expr *expr, - const struct proto_ctx *ctx) - { -+ unsigned int payload_offset = expr->payload.offset; - const struct proto_hdr_template *tmpl; - const struct proto_desc *desc; -+ unsigned int 
i, total; - struct expr *new; -- unsigned int i; - - assert(expr->etype == EXPR_PAYLOAD); - -@@ -1021,13 +1062,16 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, - goto raw; - assert(desc->base == expr->payload.base); - -+ desc = get_stacked_desc(ctx, desc, expr, &total); -+ payload_offset -= total; -+ - for (i = 1; i < array_size(desc->templates); i++) { - tmpl = &desc->templates[i]; - - if (tmpl->len == 0) - break; - -- if (tmpl->offset != expr->payload.offset) -+ if (tmpl->offset != payload_offset) - continue; - - if (tmpl->icmp_dep && ctx->th_dep.icmp.type && -@@ -1039,6 +1083,7 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, - list_add_tail(&new->list, list); - expr->len -= tmpl->len; - expr->payload.offset += tmpl->len; -+ payload_offset += tmpl->len; - if (expr->len == 0) - return; - } else if (expr->len > 0) { -@@ -1051,7 +1096,7 @@ void payload_expr_expand(struct list_head *list, struct expr *expr, - } - raw: - new = payload_expr_alloc(&expr->location, NULL, 0); -- payload_init_raw(new, expr->payload.base, expr->payload.offset, -+ payload_init_raw(new, expr->payload.base, payload_offset, - expr->len); - list_add_tail(&new->list, list); - } -diff --git a/src/proto.c b/src/proto.c -index a013a00..2663f21 100644 ---- a/src/proto.c -+++ b/src/proto.c -@@ -160,8 +160,6 @@ static void proto_ctx_debug(const struct proto_ctx *ctx, enum proto_bases base, - proto_base_names[i], - ctx->protocol[i].desc ? ctx->protocol[i].desc->name : - "none"); -- if (ctx->protocol[i].offset) -- pr_debug(" (offset: %u)", ctx->protocol[i].offset); - if (i == base) - pr_debug(" <-"); - pr_debug("\n"); --- -2.41.0.rc1 - diff --git a/SOURCES/0015-debug-dump-the-l2-protocol-stack.patch b/SOURCES/0015-debug-dump-the-l2-protocol-stack.patch deleted file mode 100644 index dd296ec..0000000 --- a/SOURCES/0015-debug-dump-the-l2-protocol-stack.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 33df569ad87c851596c02663fb4941bc0783d08c Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] debug: dump the l2 protocol stack - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit dbd5f348c71de - -commit dbd5f348c71decf0baa8fb592c576f63fa232f50 -Author: Florian Westphal -Date: Mon Jul 25 16:42:23 2022 +0200 - - debug: dump the l2 protocol stack - - Previously we used to print the cumulative size of the headers, - update this to print the tracked l2 stack. - - Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/proto.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/proto.c b/src/proto.c -index 2663f21..c496482 100644 ---- a/src/proto.c -+++ b/src/proto.c -@@ -154,6 +154,12 @@ static void proto_ctx_debug(const struct proto_ctx *ctx, enum proto_bases base, - if (!(debug_mask & NFT_DEBUG_PROTO_CTX)) - return; - -+ if (base == PROTO_BASE_LL_HDR && ctx->stacked_ll_count) { -+ pr_debug(" saved ll headers:"); -+ for (i = 0; i < ctx->stacked_ll_count; i++) -+ pr_debug(" %s", ctx->stacked_ll[i]->name); -+ } -+ - pr_debug("update %s protocol context:\n", proto_base_names[base]); - for (i = PROTO_BASE_LL_HDR; i <= PROTO_BASE_MAX; i++) { - pr_debug(" %-20s: %s", --- -2.41.0.rc1 - diff --git a/SOURCES/0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch b/SOURCES/0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch deleted file mode 100644 index 6e16638..0000000 --- a/SOURCES/0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 1773e6c1975ee4a6b00c24a99bf57b4597af295d Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] tests: add a test case for ether and vlan listing - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit f680055cd4377 - -commit f680055cd4377f2f531f5f77b3aaa7550988665d -Author: Florian Westphal -Date: Mon Jul 25 19:31:22 2022 +0200 - - tests: add a test case for ether and vlan listing - - before this patch series, test fails dump validation: - - update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 - - ether saddr . vlan id @macset - + update @macset { @ll,48,48 . @ll,112,16 & 0xfff timeout 5s } counter packets 0 bytes 0 - + @ll,48,48 . @ll,112,16 & 0xfff @macset - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - tests/shell/testcases/sets/0070stacked_l2_headers | 6 ++++++ - .../sets/dumps/0070stacked_l2_headers.nft | 14 ++++++++++++++ - 2 files changed, 20 insertions(+) - create mode 100755 tests/shell/testcases/sets/0070stacked_l2_headers - create mode 100644 tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft - -diff --git a/tests/shell/testcases/sets/0070stacked_l2_headers b/tests/shell/testcases/sets/0070stacked_l2_headers -new file mode 100755 -index 0000000..07820b7 ---- /dev/null -+++ b/tests/shell/testcases/sets/0070stacked_l2_headers -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+set -e -+dumpfile=$(dirname $0)/dumps/$(basename $0).nft -+ -+$NFT -f "$dumpfile" -diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -new file mode 100644 -index 0000000..ef254b9 ---- /dev/null -+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -@@ -0,0 +1,14 @@ -+table netdev nt { -+ set macset { -+ typeof ether saddr . vlan id -+ size 1024 -+ flags dynamic,timeout -+ } -+ -+ chain nc { -+ update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 -+ ether saddr . vlan id @macset -+ vlan pcp 1 -+ ether saddr 0a:0b:0c:0d:0e:0f vlan id 42 -+ } -+} --- -2.41.0.rc1 - diff --git a/SOURCES/0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch b/SOURCES/0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch deleted file mode 100644 index 7c89f29..0000000 --- a/SOURCES/0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From bba1a2086ec7bcc0cfa8df9e12c6cc1375180011 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:57 +0100 -Subject: [PATCH] netlink_delinearize: also postprocess OP_AND in set element - context - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit b1e3ed0335d13 - -commit b1e3ed0335d13d206a2a2698a1ba189fa396dbf3 -Author: Florian Westphal -Date: Mon Aug 1 13:03:18 2022 +0200 - - netlink_delinearize: also postprocess OP_AND in set element context - - Pablo reports: - add rule netdev nt y update @macset { vlan id timeout 5s } - - listing still shows the raw expression: - update @macset { @ll,112,16 & 0xfff timeout 5s } - - so also cover the 'set element' case. - - Reported-by: Pablo Neira Ayuso - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - include/netlink.h | 4 +++- - src/netlink_delinearize.c | 2 ++ - .../sets/dumps/0070stacked_l2_headers.nft | 14 ++++++++++++++ - 3 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/include/netlink.h b/include/netlink.h -index 71c888f..63d07ed 100644 ---- a/include/netlink.h -+++ b/include/netlink.h -@@ -44,8 +44,10 @@ struct netlink_parse_ctx { - - - #define RULE_PP_IN_CONCATENATION (1 << 0) -+#define RULE_PP_IN_SET_ELEM (1 << 1) - --#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION) -+#define RULE_PP_REMOVE_OP_AND (RULE_PP_IN_CONCATENATION | \ -+ RULE_PP_IN_SET_ELEM) - - struct rule_pp_ctx { - struct proto_ctx pctx; -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 0b5519d..c6ad84d 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -2660,7 +2660,9 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) - expr_postprocess(ctx, &expr->prefix); - break; - case EXPR_SET_ELEM: -+ ctx->flags |= RULE_PP_IN_SET_ELEM; - expr_postprocess(ctx, &expr->key); -+ ctx->flags &= ~RULE_PP_IN_SET_ELEM; - break; - case EXPR_EXTHDR: - exthdr_dependency_kill(&ctx->pdctx, expr, ctx->pctx.family); -diff --git a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -index ef254b9..0057e9c 100644 ---- a/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -+++ b/tests/shell/testcases/sets/dumps/0070stacked_l2_headers.nft -@@ -1,14 +1,28 @@ - table netdev nt { -+ set vlanidset { -+ typeof vlan id -+ size 1024 -+ flags dynamic,timeout -+ } -+ - set macset { - typeof ether saddr . vlan id - size 1024 - flags dynamic,timeout - } - -+ set ipset { -+ typeof vlan id . ip saddr -+ size 1024 -+ flags dynamic,timeout -+ } -+ - chain nc { - update @macset { ether saddr . vlan id timeout 5s } counter packets 0 bytes 0 - ether saddr . 
vlan id @macset - vlan pcp 1 - ether saddr 0a:0b:0c:0d:0e:0f vlan id 42 -+ update @vlanidset { vlan id timeout 5s } counter packets 0 bytes 0 -+ update @ipset { vlan id . ip saddr timeout 5s } counter packets 0 bytes 0 - } - } --- -2.41.0.rc1 - diff --git a/SOURCES/0018-evaluate-search-stacked-header-list-for-matching-pay.patch b/SOURCES/0018-evaluate-search-stacked-header-list-for-matching-pay.patch deleted file mode 100644 index 287058c..0000000 --- a/SOURCES/0018-evaluate-search-stacked-header-list-for-matching-pay.patch +++ /dev/null @@ -1,198 +0,0 @@ -From da9367286d4589a3371d547cd8e6dd6d985cc69a Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:58 +0100 -Subject: [PATCH] evaluate: search stacked header list for matching payload dep - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 87c3041bfd244 - -commit 87c3041bfd244aaf39e644d33c0df4fe04079e1c -Author: Florian Westphal -Date: Mon Jul 25 20:02:28 2022 +0200 - - evaluate: search stacked header list for matching payload dep - - "ether saddr 0:1:2:3:4:6 vlan id 2" works, but reverse fails: - - "vlan id 2 ether saddr 0:1:2:3:4:6" will give - Error: conflicting protocols specified: vlan vs. ether - - After "proto: track full stack of seen l2 protocols, not just cumulative offset", - we have a list of all l2 headers, so search those to see if we had this - proto base in the past before rejecting this. - - Reported-by: Eric Garver - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/evaluate.c | 21 +++++++--- - tests/py/bridge/vlan.t | 3 ++ - tests/py/bridge/vlan.t.json | 56 +++++++++++++++++++++++++++ - tests/py/bridge/vlan.t.payload | 16 ++++++++ - tests/py/bridge/vlan.t.payload.netdev | 20 ++++++++++ - 5 files changed, 110 insertions(+), 6 deletions(-) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 9246064..d67f915 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -659,13 +659,22 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx, - struct stmt *nstmt = NULL; - int link, err; - -- if (payload->payload.base == PROTO_BASE_LL_HDR && -- proto_is_dummy(desc)) { -- err = meta_iiftype_gen_dependency(ctx, payload, &nstmt); -- if (err < 0) -- return err; -+ if (payload->payload.base == PROTO_BASE_LL_HDR) { -+ if (proto_is_dummy(desc)) { -+ err = meta_iiftype_gen_dependency(ctx, payload, &nstmt); -+ if (err < 0) -+ return err; - -- rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); -+ rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt); -+ } else { -+ unsigned int i; -+ -+ /* payload desc stored in the L2 header stack? No conflict. 
*/ -+ for (i = 0; i < ctx->pctx.stacked_ll_count; i++) { -+ if (ctx->pctx.stacked_ll[i] == payload->payload.desc) -+ return 0; -+ } -+ } - } - - assert(base <= PROTO_BASE_MAX); -diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t -index 924ed4e..4920601 100644 ---- a/tests/py/bridge/vlan.t -+++ b/tests/py/bridge/vlan.t -@@ -47,3 +47,6 @@ ether type ip vlan id 1 ip saddr 10.0.0.1;fail - - # mangling - vlan id 1 vlan id set 2;ok -+ -+ether saddr 00:01:02:03:04:05 vlan id 1;ok -+vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2 -diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json -index e7640f9..58d4a40 100644 ---- a/tests/py/bridge/vlan.t.json -+++ b/tests/py/bridge/vlan.t.json -@@ -761,3 +761,59 @@ - } - } - ] -+ -+# ether saddr 00:01:02:03:04:05 vlan id 1 -+[ -+ { -+ "match": { -+ "left": { -+ "payload": { -+ "field": "saddr", -+ "protocol": "ether" -+ } -+ }, -+ "op": "==", -+ "right": "00:01:02:03:04:05" -+ } -+ }, -+ { -+ "match": { -+ "left": { -+ "payload": { -+ "field": "id", -+ "protocol": "vlan" -+ } -+ }, -+ "op": "==", -+ "right": 1 -+ } -+ } -+] -+ -+# vlan id 2 ether saddr 0:1:2:3:4:6 -+[ -+ { -+ "match": { -+ "left": { -+ "payload": { -+ "field": "saddr", -+ "protocol": "ether" -+ } -+ }, -+ "op": "==", -+ "right": "00:01:02:03:04:06" -+ } -+ }, -+ { -+ "match": { -+ "left": { -+ "payload": { -+ "field": "id", -+ "protocol": "vlan" -+ } -+ }, -+ "op": "==", -+ "right": 2 -+ } -+ } -+] -diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload -index 6c8d595..713670e 100644 ---- a/tests/py/bridge/vlan.t.payload -+++ b/tests/py/bridge/vlan.t.payload -@@ -276,3 +276,19 @@ bridge - [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ] - [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] -+ -+# ether saddr 00:01:02:03:04:05 vlan id 1 -+bridge test-bridge input -+ [ payload load 8b @ link header + 6 
=> reg 1 ] -+ [ cmp eq reg 1 0x03020100 0x00810504 ] -+ [ payload load 2b @ link header + 14 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ cmp eq reg 1 0x00000100 ] -+ -+# vlan id 2 ether saddr 0:1:2:3:4:6 -+bridge test-bridge input -+ [ payload load 8b @ link header + 6 => reg 1 ] -+ [ cmp eq reg 1 0x03020100 0x00810604 ] -+ [ payload load 2b @ link header + 14 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ cmp eq reg 1 0x00000200 ] -diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev -index d2c7d74..98a2a2b 100644 ---- a/tests/py/bridge/vlan.t.payload.netdev -+++ b/tests/py/bridge/vlan.t.payload.netdev -@@ -322,3 +322,23 @@ netdev - [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x000000f0 ) ^ 0x00000200 ] - [ payload write reg 1 => 2b @ link header + 14 csum_type 0 csum_off 0 csum_flags 0x0 ] -+ -+# vlan id 2 ether saddr 0:1:2:3:4:6 -+netdev test-netdev ingress -+ [ meta load iiftype => reg 1 ] -+ [ cmp eq reg 1 0x00000001 ] -+ [ payload load 8b @ link header + 6 => reg 1 ] -+ [ cmp eq reg 1 0x03020100 0x00810604 ] -+ [ payload load 2b @ link header + 14 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ cmp eq reg 1 0x00000200 ] -+ -+# ether saddr 00:01:02:03:04:05 vlan id 1 -+netdev test-netdev ingress -+ [ meta load iiftype => reg 1 ] -+ [ cmp eq reg 1 0x00000001 ] -+ [ payload load 8b @ link header + 6 => reg 1 ] -+ [ cmp eq reg 1 0x03020100 0x00810504 ] -+ [ payload load 2b @ link header + 14 => reg 1 ] -+ [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ cmp eq reg 1 0x00000100 ] --- -2.41.0.rc1 - diff --git a/SOURCES/0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch b/SOURCES/0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch deleted file mode 100644 index 6bde45c..0000000 --- a/SOURCES/0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -From f2988bad7c73e30ea4a80f348f7adf8078e6ef57 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 10:27:58 +0100 -Subject: [PATCH] src: allow anon set concatenation with ether and vlan - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit c1c223f1b5818 - -commit c1c223f1b58188542222ee2d9a4a8cc133d1dc3b -Author: Florian Westphal -Date: Mon Jul 25 21:34:52 2022 +0200 - - src: allow anon set concatenation with ether and vlan - - vlan id uses integer type (which has a length of 0). - - Using it was possible, but listing would assert: - python: mergesort.c:24: concat_expr_msort_value: Assertion `ilen > 0' failed. - - There are two reasons for this. - First reason is that the udata/typeof information lacks the 'vlan id' - part, because internally this is 'payload . binop(payload AND mask)'. - - binop lacks an udata store. It makes little sense to store it, - 'typeof' keyword expects normal match syntax. - - So, when storing udata, store the left hand side of the binary - operation, i.e. the load of the 2-byte key. - - With that resolved, delinerization could work, but concat_elem_expr() - would splice 12 bits off the elements value, but it should be 16 (on - a byte boundary). - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/expression.c | 17 +++++++++-- - src/netlink.c | 10 +++++-- - tests/py/bridge/vlan.t | 2 ++ - tests/py/bridge/vlan.t.json | 41 +++++++++++++++++++++++++++ - tests/py/bridge/vlan.t.payload | 12 ++++++++ - tests/py/bridge/vlan.t.payload.netdev | 14 +++++++++ - 6 files changed, 91 insertions(+), 5 deletions(-) - -diff --git a/src/expression.c b/src/expression.c -index deb649e..7390089 100644 ---- a/src/expression.c -+++ b/src/expression.c -@@ -879,17 +879,30 @@ static void concat_expr_print(const struct expr *expr, struct output_ctx *octx) - #define NFTNL_UDATA_SET_KEY_CONCAT_SUB_DATA 1 - #define NFTNL_UDATA_SET_KEY_CONCAT_SUB_MAX 2 - -+static struct expr *expr_build_udata_recurse(struct expr *e) -+{ -+ switch (e->etype) { -+ case EXPR_BINOP: -+ return e->left; -+ default: -+ break; -+ } -+ -+ return e; -+} -+ - static int concat_expr_build_udata(struct nftnl_udata_buf *udbuf, - const struct expr *concat_expr) - { - struct nftnl_udata *nest; -+ struct expr *expr, *tmp; - unsigned int i = 0; -- struct expr *expr; - -- list_for_each_entry(expr, &concat_expr->expressions, list) { -+ list_for_each_entry_safe(expr, tmp, &concat_expr->expressions, list) { - struct nftnl_udata *nest_expr; - int err; - -+ expr = expr_build_udata_recurse(expr); - if (!expr_ops(expr)->build_udata || i >= NFT_REG32_SIZE) - return -1; - -diff --git a/src/netlink.c b/src/netlink.c -index 89d864e..799cf9b 100644 ---- a/src/netlink.c -+++ b/src/netlink.c -@@ -1114,17 +1114,21 @@ static struct expr *concat_elem_expr(struct expr *key, - struct expr *data, int *off) - { - const struct datatype *subtype; -+ unsigned int sub_length; - struct expr *expr; - - if (key) { - (*off)--; -- expr = constant_expr_splice(data, key->len); -+ sub_length = round_up(key->len, BITS_PER_BYTE); -+ -+ expr = constant_expr_splice(data, sub_length); - expr->dtype = datatype_get(key->dtype); - expr->byteorder = key->byteorder; - expr->len = key->len; - } 
else { - subtype = concat_subtype_lookup(dtype->type, --(*off)); -- expr = constant_expr_splice(data, subtype->size); -+ sub_length = round_up(subtype->size, BITS_PER_BYTE); -+ expr = constant_expr_splice(data, sub_length); - expr->dtype = subtype; - expr->byteorder = subtype->byteorder; - } -@@ -1136,7 +1140,7 @@ static struct expr *concat_elem_expr(struct expr *key, - expr->dtype->basetype->type == TYPE_BITMASK) - expr = bitmask_expr_to_binops(expr); - -- data->len -= netlink_padding_len(expr->len); -+ data->len -= netlink_padding_len(sub_length); - - return expr; - } -diff --git a/tests/py/bridge/vlan.t b/tests/py/bridge/vlan.t -index 4920601..95bdff4 100644 ---- a/tests/py/bridge/vlan.t -+++ b/tests/py/bridge/vlan.t -@@ -50,3 +50,5 @@ vlan id 1 vlan id set 2;ok - - ether saddr 00:01:02:03:04:05 vlan id 1;ok - vlan id 2 ether saddr 0:1:2:3:4:6;ok;ether saddr 00:01:02:03:04:06 vlan id 2 -+ -+ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 };ok -diff --git a/tests/py/bridge/vlan.t.json b/tests/py/bridge/vlan.t.json -index 58d4a40..f77756f 100644 ---- a/tests/py/bridge/vlan.t.json -+++ b/tests/py/bridge/vlan.t.json -@@ -817,3 +817,44 @@ - } - } - ] -+ -+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 
4095 } -+[ -+ { -+ "match": { -+ "left": { -+ "concat": [ -+ { -+ "payload": { -+ "field": "saddr", -+ "protocol": "ether" -+ } -+ }, -+ { -+ "payload": { -+ "field": "id", -+ "protocol": "vlan" -+ } -+ } -+ ] -+ }, -+ "op": "==", -+ "right": { -+ "set": [ -+ { -+ "concat": [ -+ "0a:0b:0c:0d:0e:0f", -+ 42 -+ ] -+ }, -+ { -+ "concat": [ -+ "0a:0b:0c:0d:0e:0f", -+ 4095 -+ ] -+ } -+ ] -+ } -+ } -+ } -+] -diff --git a/tests/py/bridge/vlan.t.payload b/tests/py/bridge/vlan.t.payload -index 713670e..62e4b89 100644 ---- a/tests/py/bridge/vlan.t.payload -+++ b/tests/py/bridge/vlan.t.payload -@@ -292,3 +292,15 @@ bridge test-bridge input - [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000200 ] -+ -+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } -+__set%d test-bridge 3 size 2 -+__set%d test-bridge 0 -+ element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end] -+bridge test-bridge input -+ [ payload load 2b @ link header + 12 => reg 1 ] -+ [ cmp eq reg 1 0x00000081 ] -+ [ payload load 6b @ link header + 6 => reg 1 ] -+ [ payload load 2b @ link header + 14 => reg 10 ] -+ [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ lookup reg 1 set __set%d ] -diff --git a/tests/py/bridge/vlan.t.payload.netdev b/tests/py/bridge/vlan.t.payload.netdev -index 98a2a2b..1018d4c 100644 ---- a/tests/py/bridge/vlan.t.payload.netdev -+++ b/tests/py/bridge/vlan.t.payload.netdev -@@ -342,3 +342,17 @@ netdev test-netdev ingress - [ payload load 2b @ link header + 14 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ] - [ cmp eq reg 1 0x00000100 ] -+ -+# ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 
4095 } -+__set%d test-netdev 3 size 2 -+__set%d test-netdev 0 -+ element 0d0c0b0a 00000f0e 00002a00 : 0 [end] element 0d0c0b0a 00000f0e 0000ff0f : 0 [end] -+netdev test-netdev ingress -+ [ meta load iiftype => reg 1 ] -+ [ cmp eq reg 1 0x00000001 ] -+ [ payload load 2b @ link header + 12 => reg 1 ] -+ [ cmp eq reg 1 0x00000081 ] -+ [ payload load 6b @ link header + 6 => reg 1 ] -+ [ payload load 2b @ link header + 14 => reg 10 ] -+ [ bitwise reg 10 = ( reg 10 & 0x0000ff0f ) ^ 0x00000000 ] -+ [ lookup reg 1 set __set%d ] --- -2.41.0.rc1 - diff --git a/SOURCES/0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch b/SOURCES/0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch deleted file mode 100644 index 251fee2..0000000 --- a/SOURCES/0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From baea5b0f3199d21a8089ab792aee86621f67202c Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 12:45:30 +0100 -Subject: [PATCH] evaluate: set eval ctx for add/update statements with integer - constants - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 4cc6b20d31498 - -commit 4cc6b20d31498d90e90ff574ce8b70276afcee8f -Author: Florian Westphal -Date: Mon Jan 23 19:03:28 2023 +0100 - - evaluate: set eval ctx for add/update statements with integer constants - - Eric reports that nft asserts when using integer basetype constants with - 'typeof' sets. Example: - table netdev t { - set s { - typeof ether saddr . vlan id - flags dynamic,timeout - } - - chain c { } - } - - loads fine. But adding a rule with add/update statement fails: - nft 'add rule netdev t c set update ether saddr . 0 @s' - nft: netlink_linearize.c:867: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed. - - When the 'ether saddr . 0' concat expression is processed, there is - no set definition available anymore to deduce the required size of the - integer constant. - - nft eval step then derives the required length using the data types. - '0' has integer basetype, so the deduced length is 0. - - The assertion triggers because serialization step finds that it - needs one more register. - - 2 are needed to store the ethernet address, another register is - needed for the vlan id. - - Update eval step to make the expression context store the set key - information when processing the preceeding set reference, then - let stmt_evaluate_set() preserve the existing context instead of - zeroing it again via stmt_evaluate_arg(). - - This makes concat expression evaluation compute the total size - needed based on the sets key definition. - - Reported-by: Eric Garver - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/evaluate.c | 32 +++++++++++++++++-- - .../maps/dumps/typeof_maps_concat.nft | 11 +++++++ - tests/shell/testcases/maps/typeof_maps_concat | 6 ++++ - .../sets/dumps/typeof_sets_concat.nft | 12 +++++++ - tests/shell/testcases/sets/typeof_sets_concat | 6 ++++ - 5 files changed, 65 insertions(+), 2 deletions(-) - create mode 100644 tests/shell/testcases/maps/dumps/typeof_maps_concat.nft - create mode 100755 tests/shell/testcases/maps/typeof_maps_concat - create mode 100644 tests/shell/testcases/sets/dumps/typeof_sets_concat.nft - create mode 100755 tests/shell/testcases/sets/typeof_sets_concat - -diff --git a/src/evaluate.c b/src/evaluate.c -index d67f915..7f81411 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -1526,6 +1526,14 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set, - return ret; - } - -+static void expr_evaluate_set_ref(struct eval_ctx *ctx, struct expr *expr) -+{ -+ struct set *set = expr->set; -+ -+ expr_set_context(&ctx->ectx, set->key->dtype, set->key->len); -+ ctx->ectx.key = set->key; -+} -+ - static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) - { - struct expr *set = *expr, *i, *next; -@@ -2388,6 +2396,7 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr) - case EXPR_VARIABLE: - return expr_evaluate_variable(ctx, expr); - case EXPR_SET_REF: -+ expr_evaluate_set_ref(ctx, *expr); - return 0; - case EXPR_VALUE: - return expr_evaluate_value(ctx, expr); -@@ -2550,6 +2559,25 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt, - return __stmt_evaluate_arg(ctx, stmt, dtype, len, byteorder, expr); - } - -+/* like stmt_evaluate_arg, but keep existing context created -+ * by previous expr_evaluate(). -+ * -+ * This is needed for add/update statements: -+ * ctx->ectx.key has the set key, which may be needed for 'typeof' -+ * sets: the 'add/update' expression might contain integer data types. 
-+ * -+ * Without the key we cannot derive the element size. -+ */ -+static int stmt_evaluate_key(struct eval_ctx *ctx, struct stmt *stmt, -+ const struct datatype *dtype, unsigned int len, -+ enum byteorder byteorder, struct expr **expr) -+{ -+ if (expr_evaluate(ctx, expr) < 0) -+ return -1; -+ -+ return __stmt_evaluate_arg(ctx, stmt, dtype, len, byteorder, expr); -+} -+ - static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt) - { - if (stmt_evaluate_arg(ctx, stmt, &verdict_type, 0, 0, &stmt->expr) < 0) -@@ -3762,7 +3790,7 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) - return expr_error(ctx->msgs, stmt->set.set, - "Expression does not refer to a set"); - -- if (stmt_evaluate_arg(ctx, stmt, -+ if (stmt_evaluate_key(ctx, stmt, - stmt->set.set->set->key->dtype, - stmt->set.set->set->key->len, - stmt->set.set->set->key->byteorder, -@@ -3805,7 +3833,7 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) - return expr_error(ctx->msgs, stmt->map.set, - "Expression does not refer to a set"); - -- if (stmt_evaluate_arg(ctx, stmt, -+ if (stmt_evaluate_key(ctx, stmt, - stmt->map.set->set->key->dtype, - stmt->map.set->set->key->len, - stmt->map.set->set->key->byteorder, -diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft -new file mode 100644 -index 0000000..1ca98d8 ---- /dev/null -+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat.nft -@@ -0,0 +1,11 @@ -+table netdev t { -+ map m { -+ typeof ether saddr . vlan id : meta mark -+ size 1234 -+ flags dynamic,timeout -+ } -+ -+ chain c { -+ ether type != 8021q update @m { ether daddr . 
123 timeout 1m : 0x0000002a } counter packets 0 bytes 0 return -+ } -+} -diff --git a/tests/shell/testcases/maps/typeof_maps_concat b/tests/shell/testcases/maps/typeof_maps_concat -new file mode 100755 -index 0000000..07820b7 ---- /dev/null -+++ b/tests/shell/testcases/maps/typeof_maps_concat -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+set -e -+dumpfile=$(dirname $0)/dumps/$(basename $0).nft -+ -+$NFT -f "$dumpfile" -diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft -new file mode 100644 -index 0000000..dbaf7cd ---- /dev/null -+++ b/tests/shell/testcases/sets/dumps/typeof_sets_concat.nft -@@ -0,0 +1,12 @@ -+table netdev t { -+ set s { -+ typeof ether saddr . vlan id -+ size 2048 -+ flags dynamic,timeout -+ } -+ -+ chain c { -+ ether type != 8021q add @s { ether saddr . 0 timeout 5s } counter packets 0 bytes 0 return -+ ether type != 8021q update @s { ether daddr . 123 timeout 1m } counter packets 0 bytes 0 return -+ } -+} -diff --git a/tests/shell/testcases/sets/typeof_sets_concat b/tests/shell/testcases/sets/typeof_sets_concat -new file mode 100755 -index 0000000..07820b7 ---- /dev/null -+++ b/tests/shell/testcases/sets/typeof_sets_concat -@@ -0,0 +1,6 @@ -+#!/bin/bash -+ -+set -e -+dumpfile=$(dirname $0)/dumps/$(basename $0).nft -+ -+$NFT -f "$dumpfile" --- -2.41.0.rc1 - diff --git a/SOURCES/0021-monitor-Sanitize-startup-race-condition.patch b/SOURCES/0021-monitor-Sanitize-startup-race-condition.patch deleted file mode 100644 index b58c6a4..0000000 --- a/SOURCES/0021-monitor-Sanitize-startup-race-condition.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 6e522a03cfda57267224ecdd653dcfda9c4efe62 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 9 Feb 2023 15:25:37 +0100 -Subject: [PATCH] monitor: Sanitize startup race condition - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 545edb7a8ef0a - -commit 545edb7a8ef0a8acf991b1b7857fddc24d7b151a -Author: Phil Sutter -Date: Wed Sep 28 23:26:42 2022 +0200 - - monitor: Sanitize startup race condition - - During startup, 'nft monitor' first fetches the current ruleset and then - keeps this cache up to date based on received events. This is racey, as - any ruleset changes in between the initial fetch and the socket opening - are not recognized. - - This script demonstrates the problem: - - | #!/bin/bash - | - | while true; do - | nft flush ruleset - | iptables-nft -A FORWARD - | done & - | maniploop=$! - | - | trap "kill $maniploop; kill \$!; wait" EXIT - | - | while true; do - | nft monitor rules >/dev/null & - | sleep 0.2 - | kill $! - | done - - If the table add event is missed, the rule add event callback fails to - deserialize the rule and calls abort(). - - Avoid the inconvenient program exit by returning NULL from - netlink_delinearize_rule() instead of aborting and make callers check - the return value. - - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/cache.c | 1 + - src/monitor.c | 5 +++++ - src/netlink_delinearize.c | 5 ++++- - 3 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/cache.c b/src/cache.c -index fd8df88..701aec6 100644 ---- a/src/cache.c -+++ b/src/cache.c -@@ -490,6 +490,7 @@ static int list_rule_cb(struct nftnl_rule *nlr, void *data) - - netlink_dump_rule(nlr, ctx); - rule = netlink_delinearize_rule(ctx, nlr); -+ assert(rule); - list_add_tail(&rule->list, &ctx->list); - - return 0; -diff --git a/src/monitor.c b/src/monitor.c -index 7fa92eb..a6b30a1 100644 ---- a/src/monitor.c -+++ b/src/monitor.c -@@ -551,6 +551,10 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type, - - nlr = netlink_rule_alloc(nlh); - r = netlink_delinearize_rule(monh->ctx, nlr); -+ if (!r) { -+ fprintf(stderr, "W: Received event for an unknown table.\n"); -+ goto out_free_nlr; -+ } - nlr_for_each_set(nlr, rule_map_decompose_cb, NULL, - &monh->ctx->nft->cache); - cmd = netlink_msg2cmd(type, nlh->nlmsg_flags); -@@ -587,6 +591,7 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type, - break; - } - rule_free(r); -+out_free_nlr: - nftnl_rule_free(nlr); - return MNL_CB_OK; - } -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index c6ad84d..1d47c74 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -3194,7 +3194,10 @@ struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx, - pctx->rule = rule_alloc(&netlink_location, &h); - pctx->table = table_cache_find(&ctx->nft->cache.table_cache, - h.table.name, h.family); -- assert(pctx->table != NULL); -+ if (!pctx->table) { -+ errno = ENOENT; -+ return NULL; -+ } - - pctx->rule->comment = nftnl_rule_get_comment(nlr); - --- -2.41.0.rc1 - 
diff --git a/SOURCES/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch b/SOURCES/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch deleted file mode 100644 index de7d6e7..0000000 --- a/SOURCES/0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 9126153259c891ef55571f358d1e56b3f2274fc4 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 17 Feb 2023 17:52:16 +0100 -Subject: [PATCH] netlink_delinearize: fix decoding of concat data element - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit db59a5c1204c9 - -commit db59a5c1204c9246a82a115a8761f15809578479 -Author: Florian Westphal -Date: Mon Dec 12 11:04:34 2022 +0100 - - netlink_delinearize: fix decoding of concat data element - - Its possible to use update as follows: - - meta l4proto tcp update @pinned { ip saddr . ct original proto-src : ip daddr . ct original proto-dst } - - ... but when listing, only the first element of the concatenation is - shown. - - Check if the element size is too small and parse subsequent registers as - well. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/netlink_delinearize.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index 1d47c74..e9e0845 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -1659,6 +1659,14 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, - if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_SREG_DATA)) { - sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA); - expr_data = netlink_get_register(ctx, loc, sreg_data); -+ -+ if (expr_data->len < set->data->len) { -+ expr_free(expr_data); -+ expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len); -+ if (expr_data == NULL) -+ netlink_error(ctx, loc, -+ "Could not parse dynset map data expressions"); -+ } - } - - if (expr_data != NULL) { --- -2.41.0.rc1 - diff --git a/SOURCES/0023-netlink_linearize-fix-timeout-with-map-updates.patch b/SOURCES/0023-netlink_linearize-fix-timeout-with-map-updates.patch deleted file mode 100644 index 28725cc..0000000 --- a/SOURCES/0023-netlink_linearize-fix-timeout-with-map-updates.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From d6e25e9fb09649963852ba79a249efeb067c6db4 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 17 Feb 2023 17:52:16 +0100 -Subject: [PATCH] netlink_linearize: fix timeout with map updates - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 284c038ef4c69 - -commit 284c038ef4c69d042ef91272d90c143019ecea1f -Author: Florian Westphal -Date: Mon Dec 12 11:04:35 2022 +0100 - - netlink_linearize: fix timeout with map updates - - Map updates can use timeouts, just like with sets, but the - linearization step did not pass this info to the kernel. - - meta l4proto tcp update @pinned { ip saddr . ct original proto-src timeout 90s : ip daddr . tcp dport - - Listing this won't show the "timeout 90s" because kernel never saw it to - begin with. - - Also update evaluation step to reject a timeout that was set on - the data part: Timeouts are only allowed for the key-value pair - as a whole. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/evaluate.c | 3 +++ - src/netlink_linearize.c | 4 ++++ - 2 files changed, 7 insertions(+) - -diff --git a/src/evaluate.c b/src/evaluate.c -index 7f81411..6d0a0f5 100644 ---- a/src/evaluate.c -+++ b/src/evaluate.c -@@ -3858,6 +3858,9 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) - if (stmt->map.data->comment != NULL) - return expr_error(ctx->msgs, stmt->map.data, - "Data expression comments are not supported"); -+ if (stmt->map.data->timeout > 0) -+ return expr_error(ctx->msgs, stmt->map.data, -+ "Data expression timeouts are not supported"); - - list_for_each_entry(this, &stmt->map.stmt_list, list) { - if (stmt_evaluate(ctx, this) < 0) -diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c -index c8bbcb7..6de0a96 100644 ---- a/src/netlink_linearize.c -+++ b/src/netlink_linearize.c -@@ -1520,6 +1520,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx, - nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id); - nft_rule_add_expr(ctx, nle, &stmt->location); - -+ if (stmt->map.key->timeout > 0) -+ nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT, -+ stmt->map.key->timeout); -+ - list_for_each_entry(this, &stmt->map.stmt_list, list) - num_stmts++; - --- -2.41.0.rc1 - diff --git a/SOURCES/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch b/SOURCES/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch deleted file mode 100644 index 75ffdd2..0000000 --- a/SOURCES/0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 254a7ef45c890e297d9390a6f20b9132ad17c5d1 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Fri, 17 Feb 2023 17:52:16 +0100 -Subject: [PATCH] tests: add a test case for map update from packet path with - concat - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit b8e1940aa1907 - -commit b8e1940aa190773b23b3ee9349beb20c31f42bdb -Author: Florian Westphal -Date: Mon Dec 12 11:04:36 2022 +0100 - - tests: add a test case for map update from packet path with concat - - add a second test case for map updates, this time with both - a timeout and a data element that consists of a concatenation. - - 
Signed-off-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - .../maps/dumps/typeof_maps_concat_update_0.nft | 12 ++++++++++++ - .../testcases/maps/typeof_maps_concat_update_0 | 18 ++++++++++++++++++ - 2 files changed, 30 insertions(+) - create mode 100644 tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft - create mode 100755 tests/shell/testcases/maps/typeof_maps_concat_update_0 - -diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft -new file mode 100644 -index 0000000..d91b795 ---- /dev/null -+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft -@@ -0,0 +1,12 @@ -+table ip foo { -+ map pinned { -+ typeof ip daddr . tcp dport : ip daddr . tcp dport -+ size 65535 -+ flags dynamic,timeout -+ timeout 6m -+ } -+ -+ chain pr { -+ update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } -+ } -+} -diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0 -new file mode 100755 -index 0000000..645ae14 ---- /dev/null -+++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0 -@@ -0,0 +1,18 @@ -+#!/bin/bash -+ -+# check update statement does print both concatentations (key and data). -+ -+EXPECTED="table ip foo { -+ map pinned { -+ typeof ip daddr . tcp dport : ip daddr . tcp dport -+ size 65535 -+ flags dynamic,timeout -+ timeout 6m -+ } -+ chain pr { -+ meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport } -+ } -+}" -+ -+set -e -+$NFT -f - <<< $EXPECTED --- -2.41.0.rc1 - diff --git a/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch b/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch deleted file mode 100644 index 5b86c4e..0000000 --- a/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From dbb1bcfbe480866f06977b2648b0a1595091b2b9 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:40 +0100 -Subject: [PATCH] owner: Fix potential array out of bounds access - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 9967911e3dabb - -commit 9967911e3dabb32901617e81e56602af3b37287f -Author: Pablo Neira Ayuso -Date: Wed Dec 21 17:37:46 2022 +0100 - - owner: Fix potential array out of bounds access - - If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will - return 'sizeof(tmp)'. Using this value as index is illegal. - - Original update from Phil, for the conntrack-tools tree, which also has - a copy of this function. - - Fixes: 6d085b22a8b5 ("table: support for the table owner flag") - Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - src/owner.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/owner.c b/src/owner.c -index 2d98a2e..20bed38 100644 ---- a/src/owner.c -+++ b/src/owner.c -@@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode) - continue; - - rl = readlink(procname, tmp, sizeof(tmp)); -- if (rl <= 0 || rl > (ssize_t)sizeof(tmp)) -+ if (rl <= 0 || rl >= (ssize_t)sizeof(tmp)) - continue; - - tmp[rl] = 0; --- -2.41.0.rc1 - diff --git a/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch b/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch deleted file mode 100644 index 2d7936d..0000000 --- a/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From b5fd150a3fbad94381276bedc816d4a6fdecfaf9 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] mnl: dump_nf_hooks() leaks memory in error path - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit ef66f321e49b3 - -commit ef66f321e49b337c7e678bb90d6acb94f331dfc4 -Author: Phil Sutter -Date: Wed Jan 11 12:28:15 2023 +0100 - - mnl: dump_nf_hooks() leaks memory in error path - - Have to free the basehook object before returning to caller. - - Fixes: 4694f7230195b ("src: add support for base hook dumping") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/mnl.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/mnl.c b/src/mnl.c -index 7dd77be..269d3f1 100644 ---- a/src/mnl.c -+++ b/src/mnl.c -@@ -2211,16 +2211,23 @@ static int dump_nf_hooks(const struct nlmsghdr *nlh, void *_data) - struct nlattr *nested[NFNLA_HOOK_INFO_MAX + 1] = {}; - uint32_t type; - -- if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], dump_nf_chain_info_cb, nested) < 0) -+ if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], -+ dump_nf_chain_info_cb, nested) < 0) { -+ basehook_free(hook); - return -1; -+ } - - type = ntohl(mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE])); - if (type == NFNL_HOOK_TYPE_NFTABLES) { - struct nlattr *info[NFNLA_CHAIN_MAX + 1] = {}; - const char *tablename, *chainname; - -- if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], dump_nf_attr_chain_cb, info) < 0) -+ if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], -+ dump_nf_attr_chain_cb, -+ info) < 0) { -+ basehook_free(hook); - return -1; -+ } - - tablename = mnl_attr_get_str(info[NFNLA_CHAIN_TABLE]); - chainname = mnl_attr_get_str(info[NFNLA_CHAIN_NAME]); --- -2.41.0.rc1 - diff --git a/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch b/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch deleted file mode 100644 index 32fee0e..0000000 
--- a/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch +++ /dev/null @@ -1,41 +0,0 @@ -From f5f1b17763264d88593eba175438818cf6533471 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] meta: parse_iso_date() returns boolean - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit db6e97bd667bf - -commit db6e97bd667bf205cee22049f9d0fd6550cb43a7 -Author: Phil Sutter -Date: Wed Jan 11 11:26:41 2023 +0100 - - meta: parse_iso_date() returns boolean - - Returning ts if 'ts == (time_t) -1' signals success to caller despite - failure. - - Fixes: 4460b839b945a ("meta: fix compiler warning in date_type_parse()") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/meta.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/meta.c b/src/meta.c -index 80ace25..73bd1c4 100644 ---- a/src/meta.c -+++ b/src/meta.c -@@ -433,7 +433,7 @@ success: - cur_tm = localtime(&ts); - - if (ts == (time_t) -1 || cur_tm == NULL) -- return ts; -+ return false; - - /* Substract tm_gmtoff to get the current time */ - *tstamp = ts - cur_tm->tm_gmtoff; --- -2.41.0.rc1 - diff --git a/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch b/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch deleted file mode 100644 index 480aa54..0000000 --- a/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 3fbbb074303ec3dafd97fcdeaa0a292068c23140 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] netlink: Fix for potential NULL-pointer deref - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 927d5674e7bf6 - -commit 927d5674e7bf656428f97c54c9171006e8c3c75e -Author: Phil Sutter -Date: Tue Jan 10 22:36:58 2023 +0100 - - netlink: Fix for potential NULL-pointer deref - - If memory allocation fails, calloc() returns NULL which was not checked - for. The code seems to expect zero array size though, so simply - replacing this call by one of the x*calloc() ones won't work. So guard - the call also by a check for 'len'. - - Fixes: db0697ce7f602 ("src: support for flowtable listing") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/netlink.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/netlink.c b/src/netlink.c -index 799cf9b..dee1732 100644 ---- a/src/netlink.c -+++ b/src/netlink.c -@@ -1700,7 +1700,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx, - while (dev_array[len]) - len++; - -- flowtable->dev_array = calloc(1, len * sizeof(char *)); -+ if (len) -+ flowtable->dev_array = xmalloc(len * sizeof(char *)); - for (i = 0; i < len; i++) - flowtable->dev_array[i] = xstrdup(dev_array[i]); - --- -2.41.0.rc1 - diff --git a/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch b/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch deleted file mode 100644 index bd97af1..0000000 --- a/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 8bdba078567b879054880ec957a78842c5a18848 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] optimize: Do not return garbage from stack - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit d4d47e5bdf943 - -commit d4d47e5bdf943be494aeb5d5a29b8f5212acbddf -Author: Phil Sutter -Date: Fri Jan 13 17:09:53 2023 +0100 - - optimize: Do not return garbage from stack - - If input does not contain a single 'add' command (unusual, but - possible), 'ret' value was not initialized by nft_optimize() before - returning its value. - - Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/optimize.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/optimize.c b/src/optimize.c -index 3a3049d..6514cbb 100644 ---- a/src/optimize.c -+++ b/src/optimize.c -@@ -1017,7 +1017,7 @@ static int cmd_optimize(struct nft_ctx *nft, struct cmd *cmd) - int nft_optimize(struct nft_ctx *nft, struct list_head *cmds) - { - struct cmd *cmd; -- int ret; -+ int ret = 0; - - list_for_each_entry(cmd, cmds, list) { - switch (cmd->op) { --- -2.41.0.rc1 - diff --git a/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch b/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch deleted file mode 100644 index 362d0f5..0000000 --- a/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 2438c7dafba336236e2e5dc1a6c57b6e157327cf Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] optimize: Clarify chain_optimize() array allocations - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit b83a0416cdc88 - -commit b83a0416cdc881c6ac35739cd858e4fe5fb2e04f -Author: Phil Sutter -Date: Tue Jan 10 22:13:44 2023 +0100 - - optimize: Clarify chain_optimize() array allocations - - Arguments passed to sizeof() where deemed suspicious by covscan due to - the different type. Consistently specify size of an array 'a' using - 'sizeof(*a) * nmemb'. - - For the statement arrays in stmt_matrix, even use xzalloc_array() since - the item count is fixed and therefore can't be zero. - - Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure") - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/optimize.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/optimize.c b/src/optimize.c -index 6514cbb..baa6abc 100644 ---- a/src/optimize.c -+++ b/src/optimize.c -@@ -918,10 +918,11 @@ static int chain_optimize(struct nft_ctx *nft, struct list_head *rules) - ctx->num_rules++; - } - -- ctx->rule = xzalloc(sizeof(ctx->rule) * ctx->num_rules); -- ctx->stmt_matrix = xzalloc(sizeof(struct stmt *) * ctx->num_rules); -+ ctx->rule = xzalloc(sizeof(*ctx->rule) * ctx->num_rules); -+ ctx->stmt_matrix = xzalloc(sizeof(*ctx->stmt_matrix) * ctx->num_rules); - for (i = 0; i < ctx->num_rules; i++) -- ctx->stmt_matrix[i] = xzalloc(sizeof(struct stmt *) * MAX_STMTS); -+ ctx->stmt_matrix[i] = xzalloc_array(MAX_STMTS, -+ sizeof(**ctx->stmt_matrix)); - - merge = xzalloc(sizeof(*merge) * ctx->num_rules); - --- -2.41.0.rc1 - diff --git a/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch b/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch deleted file mode 100644 index 633f671..0000000 
--- a/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 21d7fa6f6a40d56c5c23eedd6ddb6a411fb8e62b Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Tue, 21 Feb 2023 19:50:41 +0100 -Subject: [PATCH] netlink_delinearize: Sanitize concat data element decoding - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit 1344d9e53ba4d - -commit 1344d9e53ba4d67cedd13a2c76a970fc7ce65683 -Author: Phil Sutter -Date: Tue Feb 21 18:36:01 2023 +0100 - - netlink_delinearize: Sanitize concat data element decoding - - The call to netlink_get_register() might return NULL, catch this before - dereferencing the pointer. - - Fixes: db59a5c1204c9 ("netlink_delinearize: fix decoding of concat data element") - Signed-off-by: Phil Sutter - Acked-by: Florian Westphal - -Signed-off-by: Phil Sutter ---- - src/netlink_delinearize.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c -index e9e0845..cadb8ec 100644 ---- a/src/netlink_delinearize.c -+++ b/src/netlink_delinearize.c -@@ -1660,7 +1660,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx, - sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA); - expr_data = netlink_get_register(ctx, loc, sreg_data); - -- if (expr_data->len < set->data->len) { -+ if (expr_data && expr_data->len < set->data->len) { - expr_free(expr_data); - expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len); - if (expr_data == NULL) --- -2.41.0.rc1 - diff --git a/SOURCES/0032-tests-monitor-Summarize-failures-per-test-case.patch b/SOURCES/0032-tests-monitor-Summarize-failures-per-test-case.patch deleted file mode 100644 index e899032..0000000 --- a/SOURCES/0032-tests-monitor-Summarize-failures-per-test-case.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From a2446688362b6b81bd0fa0dc22cb5cc2fa3378c1 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 20 Jul 2023 15:55:05 +0200 -Subject: [PATCH] tests: monitor: Summarize failures per test case - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2211076 -Upstream Status: nftables commit c2b28dcebd058 - -commit c2b28dcebd058b978692b8e1899e79b96c025396 -Author: Phil Sutter -Date: Thu Jul 20 12:08:45 2023 +0200 - - tests: monitor: Summarize failures per test case - - Explicitly print when tests from a file fail in addition to the diff + - "output differs" message. - - Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - tests/monitor/run-tests.sh | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh -index b5ca47d..f1ac790 100755 ---- a/tests/monitor/run-tests.sh -+++ b/tests/monitor/run-tests.sh -@@ -161,7 +161,10 @@ for variant in $variants; do - output_append=${variant}_output_append - - for testcase in ${testcases:-testcases/*.t}; do -- echo "$variant: running tests from file $(basename $testcase)" -+ filename=$(basename $testcase) -+ echo "$variant: running tests from file $filename" -+ rc_start=$rc -+ - # files are like this: - # - # I add table ip t -@@ -199,6 +202,10 @@ for variant in $variants; do - $run_test - let "rc += $?" - } -+ -+ let "rc_diff = rc - rc_start" -+ [[ $rc_diff -ne 0 ]] && \ -+ echo "$variant: $rc_diff tests from file $filename failed" - done - done - exit $rc --- -2.41.0 - diff --git a/SOURCES/0033-rule-check-address-family-in-set-collapse.patch b/SOURCES/0033-rule-check-address-family-in-set-collapse.patch deleted file mode 100644 index ceb1d2c..0000000 --- a/SOURCES/0033-rule-check-address-family-in-set-collapse.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 955758b3ef4772bb92fc63a8f6d424f93ebb7a2f Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 21 Sep 2023 15:24:03 +0200 -Subject: [PATCH] rule: check address family in set collapse - -JIRA: https://issues.redhat.com/browse/RHEL-5160 -Upstream Status: nftables commit a817ea9655dee - -commit a817ea9655dee1915423a802c0133e3611e02b3a -Author: Derek Hageman -Date: Thu Sep 1 10:10:41 2022 -0600 - - rule: check address family in set collapse - - 498a5f0c219d added collapsing of set operations in different commands. - However, the logic is currently too relaxed. It is valid to have a - table and set with identical names on different address families. - For example: - - table ip a { - set x { - type inet_service; - } - } - table ip6 a { - set x { - type inet_service; - } - } - add element ip a x { 1 } - add element ip a x { 2 } - add element ip6 a x { 2 } - - The above currently results in nothing being added to the ip6 family - table due to being collapsed into the ip table add. Prior to - 498a5f0c219d the set add would work. The fix is simply to check the - family in addition to the table and set names before allowing a - collapse. - - [ Add testcase to tests/shell --pablo ] - - Fixes: 498a5f0c219d ("rule: collapse set element commands") - Signed-off-by: Derek Hageman - 
Signed-off-by: Pablo Neira Ayuso - -Signed-off-by: Phil Sutter ---- - src/rule.c | 3 ++- - tests/shell/testcases/sets/collapse_elem_0 | 19 +++++++++++++++++++ - .../testcases/sets/dumps/collapse_elem_0.nft | 12 ++++++++++++ - 3 files changed, 33 insertions(+), 1 deletion(-) - create mode 100755 tests/shell/testcases/sets/collapse_elem_0 - create mode 100644 tests/shell/testcases/sets/dumps/collapse_elem_0.nft - -diff --git a/src/rule.c b/src/rule.c -index 0526a14..3b60cca 100644 ---- a/src/rule.c -+++ b/src/rule.c -@@ -1409,7 +1409,8 @@ bool nft_cmd_collapse(struct list_head *cmds) - continue; - } - -- if (strcmp(elems->handle.table.name, cmd->handle.table.name) || -+ if (elems->handle.family != cmd->handle.family || -+ strcmp(elems->handle.table.name, cmd->handle.table.name) || - strcmp(elems->handle.set.name, cmd->handle.set.name)) { - elems = cmd; - continue; -diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0 -new file mode 100755 -index 0000000..7699e9d ---- /dev/null -+++ b/tests/shell/testcases/sets/collapse_elem_0 -@@ -0,0 +1,19 @@ -+#!/bin/bash -+ -+set -e -+ -+RULESET="table ip a { -+ set x { -+ type inet_service; -+ } -+} -+table ip6 a { -+ set x { -+ type inet_service; -+ } -+} -+add element ip a x { 1 } -+add element ip a x { 2 } -+add element ip6 a x { 2 }" -+ -+$NFT -f - <<< $RULESET -diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft -new file mode 100644 -index 0000000..a3244fc ---- /dev/null -+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft -@@ -0,0 +1,12 @@ -+table ip a { -+ set x { -+ type inet_service -+ elements = { 1, 2 } -+ } -+} -+table ip6 a { -+ set x { -+ type inet_service -+ elements = { 2 } -+ } -+} --- -2.41.0 - 
diff --git a/SOURCES/0034-parser_bison-Fix-for-broken-compatibility-with-older.patch b/SOURCES/0034-parser_bison-Fix-for-broken-compatibility-with-older.patch deleted file mode 100644 index 1b991b3..0000000 --- a/SOURCES/0034-parser_bison-Fix-for-broken-compatibility-with-older.patch +++ /dev/null @@ -1,86 +0,0 @@ -From fa2b3f20274f5e66b67e2c3d2b7d957b9200473e Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Wed, 15 Nov 2023 17:06:19 +0100 -Subject: [PATCH] parser_bison: Fix for broken compatibility with older dumps - -JIRA: https://issues.redhat.com/browse/RHEL-2596 -Upstream Status: nftables commit 22fab8681a50014174cdd02ace90f74b9e9eefe9 - -commit 22fab8681a50014174cdd02ace90f74b9e9eefe9 -Author: Phil Sutter -Date: Thu Oct 19 18:40:04 2023 +0200 - - parser_bison: Fix for broken compatibility with older dumps - - Commit e6d1d0d611958 ("src: add set element multi-statement - support") changed the order of expressions and other state attached to set - elements are expected in input. This broke parsing of ruleset dumps - created by nft commands prior to that commit. - - Restore compatibility by also accepting the old ordering. - - Fixes: e6d1d0d611958 ("src: add set element multi-statement support") - 
Signed-off-by: Phil Sutter - -Signed-off-by: Phil Sutter ---- - src/parser_bison.y | 6 ++++ - tests/shell/testcases/sets/elem_opts_compat_0 | 29 +++++++++++++++++++ - 2 files changed, 35 insertions(+) - create mode 100755 tests/shell/testcases/sets/elem_opts_compat_0 - -diff --git a/src/parser_bison.y b/src/parser_bison.y -index b548d5b..b882f3b 100644 ---- a/src/parser_bison.y -+++ b/src/parser_bison.y -@@ -4283,6 +4283,12 @@ meter_key_expr_alloc : concat_expr - - set_elem_expr : set_elem_expr_alloc - | set_elem_expr_alloc set_elem_expr_options -+ | set_elem_expr_alloc set_elem_expr_options set_elem_stmt_list -+ { -+ $$ = $1; -+ list_splice_tail($3, &$$->stmt_list); -+ xfree($3); -+ } - ; - - set_elem_key_expr : set_lhs_expr { $$ = $1; } -diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0 -new file mode 100755 -index 0000000..e012953 ---- /dev/null -+++ b/tests/shell/testcases/sets/elem_opts_compat_0 -@@ -0,0 +1,29 @@ -+#!/bin/sh -+ -+# ordering of element options and expressions has changed, make sure parser -+# accepts both ways -+ -+set -e -+ -+$NFT -f - < "2022-07-01 11:00:00" accept: This rule should not have failed. -any/meta.t: ERROR: line 213: add rule ip test-ip4 input meta day "Saturday" drop: This rule should not have failed. -any/meta.t: ERROR: line 214: add rule ip test-ip4 input meta day 6 drop: This rule should not have failed. -any/meta.t: ERROR: line 216: add rule ip test-ip4 input meta hour "17:00" drop: This rule should not have failed. -any/meta.t: ERROR: line 217: add rule ip test-ip4 input meta hour "17:00:00" drop: This rule should not have failed. -any/meta.t: ERROR: line 218: add rule ip test-ip4 input meta hour "17:00:01" drop: This rule should not have failed. -any/meta.t: ERROR: line 219: add rule ip test-ip4 input meta hour "00:00" drop: This rule should not have failed. 
-any/meta.t: ERROR: line 220: add rule ip test-ip4 input meta hour "00:01" drop: This rule should not have failed. -any/meta.t: ERROR: line 221: add rule ip test-ip4 input time < "2022-07-01 11:00:00" accept: This rule should not have failed. -any/meta.t: ERROR: line 222: add rule ip test-ip4 input time > "2022-07-01 11:00:00" accept: This rule should not have failed. -any/meta.t: ERROR: line 226: The chain egress does not exist in netdev test-netdev. I cannot delete it. -any/limit.t: ERROR: line 3: I cannot create the chain 'egress' -any/limit.t: ERROR: line 12: add rule netdev test-netdev egress limit rate 400/minute: This rule should not have failed. -any/limit.t: ERROR: line 13: add rule netdev test-netdev egress limit rate 20/second: This rule should not have failed. -any/limit.t: ERROR: line 14: add rule netdev test-netdev egress limit rate 400/hour: This rule should not have failed. -any/limit.t: ERROR: line 15: add rule netdev test-netdev egress limit rate 40/day: This rule should not have failed. -any/limit.t: ERROR: line 16: add rule netdev test-netdev egress limit rate 400/week: This rule should not have failed. -any/limit.t: ERROR: line 17: add rule netdev test-netdev egress limit rate 1023/second burst 10 packets: This rule should not have failed. -any/limit.t: ERROR: line 20: add rule netdev test-netdev egress limit rate 1 kbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 21: add rule netdev test-netdev egress limit rate 2 kbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 22: add rule netdev test-netdev egress limit rate 1025 kbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 23: add rule netdev test-netdev egress limit rate 1023 mbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 24: add rule netdev test-netdev egress limit rate 10230 mbytes/second: This rule should not have failed. 
-any/limit.t: ERROR: line 25: add rule netdev test-netdev egress limit rate 1023000 mbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 28: add rule netdev test-netdev egress limit rate 1 bytes / second: This rule should not have failed. -any/limit.t: ERROR: line 29: add rule netdev test-netdev egress limit rate 1 kbytes / second: This rule should not have failed. -any/limit.t: ERROR: line 30: add rule netdev test-netdev egress limit rate 1 mbytes / second: This rule should not have failed. -any/limit.t: ERROR: line 33: add rule netdev test-netdev egress limit rate 1025 bytes/second burst 512 bytes: This rule should not have failed. -any/limit.t: ERROR: line 34: add rule netdev test-netdev egress limit rate 1025 kbytes/second burst 1023 kbytes: This rule should not have failed. -any/limit.t: ERROR: line 35: add rule netdev test-netdev egress limit rate 1025 mbytes/second burst 1025 kbytes: This rule should not have failed. -any/limit.t: ERROR: line 36: add rule netdev test-netdev egress limit rate 1025000 mbytes/second burst 1023 mbytes: This rule should not have failed. -any/limit.t: ERROR: line 38: add rule netdev test-netdev egress limit rate over 400/minute: This rule should not have failed. -any/limit.t: ERROR: line 39: add rule netdev test-netdev egress limit rate over 20/second: This rule should not have failed. -any/limit.t: ERROR: line 40: add rule netdev test-netdev egress limit rate over 400/hour: This rule should not have failed. -any/limit.t: ERROR: line 41: add rule netdev test-netdev egress limit rate over 40/day: This rule should not have failed. -any/limit.t: ERROR: line 42: add rule netdev test-netdev egress limit rate over 400/week: This rule should not have failed. -any/limit.t: ERROR: line 43: add rule netdev test-netdev egress limit rate over 1023/second burst 10 packets: This rule should not have failed. 
-any/limit.t: ERROR: line 45: add rule netdev test-netdev egress limit rate over 1 kbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 46: add rule netdev test-netdev egress limit rate over 2 kbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 47: add rule netdev test-netdev egress limit rate over 1025 kbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 48: add rule netdev test-netdev egress limit rate over 1023 mbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 49: add rule netdev test-netdev egress limit rate over 10230 mbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 50: add rule netdev test-netdev egress limit rate over 1023000 mbytes/second: This rule should not have failed. -any/limit.t: ERROR: line 52: add rule netdev test-netdev egress limit rate over 1025 bytes/second burst 512 bytes: This rule should not have failed. -any/limit.t: ERROR: line 53: add rule netdev test-netdev egress limit rate over 1025 kbytes/second burst 1023 kbytes: This rule should not have failed. -any/limit.t: ERROR: line 54: add rule netdev test-netdev egress limit rate over 1025 mbytes/second burst 1025 kbytes: This rule should not have failed. -any/limit.t: ERROR: line 55: add rule netdev test-netdev egress limit rate over 1025000 mbytes/second burst 1023 mbytes: This rule should not have failed. -any/limit.t: ERROR: line 55: The chain egress does not exist in netdev test-netdev. I cannot delete it. -any/ct.t: ERROR: line 62: add rule ip test-ip4 output ct mark set (meta mark | 0x10) << 8: This rule should not have failed. -any/ct.t: ERROR: line 133: add rule ip test-ip4 output ct id 12345: This rule should not have failed. -arp/arp.t: ERROR: line 4: I cannot create the chain 'egress' -arp/arp.t: ERROR: line 9: add rule netdev test-netdev egress arp htype 1: This rule should not have failed. 
-arp/arp.t: ERROR: line 10: add rule netdev test-netdev egress arp htype != 1: This rule should not have failed. -arp/arp.t: ERROR: line 11: add rule netdev test-netdev egress arp htype 22: This rule should not have failed. -arp/arp.t: ERROR: line 12: add rule netdev test-netdev egress arp htype != 233: This rule should not have failed. -arp/arp.t: ERROR: line 13: add rule netdev test-netdev egress arp htype 33-45: This rule should not have failed. -arp/arp.t: ERROR: line 14: add rule netdev test-netdev egress arp htype != 33-45: This rule should not have failed. -arp/arp.t: ERROR: line 15: add rule netdev test-netdev egress arp htype { 33, 55, 67, 88}: This rule should not have failed. -arp/arp.t: ERROR: line 16: add rule netdev test-netdev egress arp htype != { 33, 55, 67, 88}: This rule should not have failed. -arp/arp.t: ERROR: line 18: add rule netdev test-netdev egress arp ptype 0x0800: This rule should not have failed. -arp/arp.t: ERROR: line 20: add rule netdev test-netdev egress arp hlen 22: This rule should not have failed. -arp/arp.t: ERROR: line 21: add rule netdev test-netdev egress arp hlen != 233: This rule should not have failed. -arp/arp.t: ERROR: line 22: add rule netdev test-netdev egress arp hlen 33-45: This rule should not have failed. -arp/arp.t: ERROR: line 23: add rule netdev test-netdev egress arp hlen != 33-45: This rule should not have failed. -arp/arp.t: ERROR: line 24: add rule netdev test-netdev egress arp hlen { 33, 55, 67, 88}: This rule should not have failed. -arp/arp.t: ERROR: line 25: add rule netdev test-netdev egress arp hlen != { 33, 55, 67, 88}: This rule should not have failed. -arp/arp.t: ERROR: line 27: add rule netdev test-netdev egress arp plen 22: This rule should not have failed. -arp/arp.t: ERROR: line 28: add rule netdev test-netdev egress arp plen != 233: This rule should not have failed. -arp/arp.t: ERROR: line 29: add rule netdev test-netdev egress arp plen 33-45: This rule should not have failed. 
-arp/arp.t: ERROR: line 30: add rule netdev test-netdev egress arp plen != 33-45: This rule should not have failed. -arp/arp.t: ERROR: line 31: add rule netdev test-netdev egress arp plen { 33, 55, 67, 88}: This rule should not have failed. -arp/arp.t: ERROR: line 32: add rule netdev test-netdev egress arp plen != { 33, 55, 67, 88}: This rule should not have failed. -arp/arp.t: ERROR: line 34: add rule netdev test-netdev egress arp operation {nak, inreply, inrequest, rreply, rrequest, reply, request}: This rule should not have failed. -arp/arp.t: ERROR: line 35: add rule netdev test-netdev egress arp operation != {nak, inreply, inrequest, rreply, rrequest, reply, request}: This rule should not have failed. -arp/arp.t: ERROR: line 36: add rule netdev test-netdev egress arp operation 1-2: This rule should not have failed. -arp/arp.t: ERROR: line 37: add rule netdev test-netdev egress arp operation request: This rule should not have failed. -arp/arp.t: ERROR: line 38: add rule netdev test-netdev egress arp operation reply: This rule should not have failed. -arp/arp.t: ERROR: line 39: add rule netdev test-netdev egress arp operation rrequest: This rule should not have failed. -arp/arp.t: ERROR: line 40: add rule netdev test-netdev egress arp operation rreply: This rule should not have failed. -arp/arp.t: ERROR: line 41: add rule netdev test-netdev egress arp operation inrequest: This rule should not have failed. -arp/arp.t: ERROR: line 42: add rule netdev test-netdev egress arp operation inreply: This rule should not have failed. -arp/arp.t: ERROR: line 43: add rule netdev test-netdev egress arp operation nak: This rule should not have failed. -arp/arp.t: ERROR: line 44: add rule netdev test-netdev egress arp operation != request: This rule should not have failed. -arp/arp.t: ERROR: line 45: add rule netdev test-netdev egress arp operation != reply: This rule should not have failed. 
-arp/arp.t: ERROR: line 46: add rule netdev test-netdev egress arp operation != rrequest: This rule should not have failed. -arp/arp.t: ERROR: line 47: add rule netdev test-netdev egress arp operation != rreply: This rule should not have failed. -arp/arp.t: ERROR: line 48: add rule netdev test-netdev egress arp operation != inrequest: This rule should not have failed. -arp/arp.t: ERROR: line 49: add rule netdev test-netdev egress arp operation != inreply: This rule should not have failed. -arp/arp.t: ERROR: line 50: add rule netdev test-netdev egress arp operation != nak: This rule should not have failed. -arp/arp.t: ERROR: line 52: add rule netdev test-netdev egress arp saddr ip 1.2.3.4: This rule should not have failed. -arp/arp.t: ERROR: line 53: add rule netdev test-netdev egress arp daddr ip 4.3.2.1: This rule should not have failed. -arp/arp.t: ERROR: line 54: add rule netdev test-netdev egress arp saddr ether aa:bb:cc:aa:bb:cc: This rule should not have failed. -arp/arp.t: ERROR: line 55: add rule netdev test-netdev egress arp daddr ether aa:bb:cc:aa:bb:cc: This rule should not have failed. -arp/arp.t: ERROR: line 57: add rule netdev test-netdev egress arp saddr ip 192.168.1.1 arp daddr ether fe:ed:00:c0:ff:ee: This rule should not have failed. -arp/arp.t: ERROR: line 58: add rule netdev test-netdev egress arp daddr ether fe:ed:00:c0:ff:ee arp saddr ip 192.168.1.1: This rule should not have failed. -arp/arp.t: ERROR: line 60: add rule netdev test-netdev egress meta iifname "invalid" arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566: This rule should not have failed. -arp/arp.t: ERROR: line 60: The chain egress does not exist in netdev test-netdev. I cannot delete it. -bridge/vlan.t: ERROR: line 3: I cannot create the chain 'egress' -bridge/vlan.t: ERROR: line 8: add rule netdev test-netdev egress vlan id 4094: This rule should not have failed. 
-bridge/vlan.t: ERROR: line 9: add rule netdev test-netdev egress vlan id 0: This rule should not have failed. -bridge/vlan.t: ERROR: line 12: add rule netdev test-netdev egress vlan id 4094 vlan dei 0: This rule should not have failed. -bridge/vlan.t: ERROR: line 13: add rule netdev test-netdev egress vlan id 4094 vlan dei 1: This rule should not have failed. -bridge/vlan.t: ERROR: line 14: add rule netdev test-netdev egress vlan id 4094 vlan dei != 1: This rule should not have failed. -bridge/vlan.t: ERROR: line 15: add rule netdev test-netdev egress vlan id 4094 vlan cfi 1: This rule should not have failed. -bridge/vlan.t: ERROR: line 19: add rule netdev test-netdev egress vlan id 4094 vlan dei 1 vlan pcp 7: This rule should not have failed. -bridge/vlan.t: ERROR: line 20: add rule netdev test-netdev egress vlan id 4094 vlan dei 1 vlan pcp 3: This rule should not have failed. -bridge/vlan.t: ERROR: line 22: add rule netdev test-netdev egress ether type vlan vlan id 4094: This rule should not have failed. -bridge/vlan.t: ERROR: line 23: add rule netdev test-netdev egress ether type vlan vlan id 0: This rule should not have failed. -bridge/vlan.t: ERROR: line 24: add rule netdev test-netdev egress ether type vlan vlan id 4094 vlan dei 0: This rule should not have failed. -bridge/vlan.t: ERROR: line 25: add rule netdev test-netdev egress ether type vlan vlan id 4094 vlan dei 1: This rule should not have failed. -bridge/vlan.t: ERROR: line 28: add rule netdev test-netdev egress vlan id 4094 tcp dport 22: This rule should not have failed. -bridge/vlan.t: ERROR: line 29: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.1: This rule should not have failed. -bridge/vlan.t: ERROR: line 30: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.0/23: This rule should not have failed. -bridge/vlan.t: ERROR: line 31: add rule netdev test-netdev egress vlan id 1 ip saddr 10.0.0.0/23 udp dport 53: This rule should not have failed. 
-bridge/vlan.t: ERROR: line 32: add rule netdev test-netdev egress ether type vlan vlan id 1 ip saddr 10.0.0.0/23 udp dport 53: This rule should not have failed. -bridge/vlan.t: ERROR: line 34: add rule netdev test-netdev egress vlan id { 1, 2, 4, 100, 4095 } vlan pcp 1-3: This rule should not have failed. -bridge/vlan.t: ERROR: line 37: add rule netdev test-netdev egress ether type vlan ip protocol 1 accept: This rule should not have failed. -bridge/vlan.t: ERROR: line 40: add rule netdev test-netdev egress ether type 8021ad vlan id 1 ip protocol 6 accept: This rule should not have failed. -bridge/vlan.t: ERROR: line 41: add rule netdev test-netdev egress ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip counter: This rule should not have failed. -bridge/vlan.t: ERROR: line 42: add rule netdev test-netdev egress ether type 8021ad vlan id 1 vlan type 8021q vlan id 2 vlan type ip ip protocol 6: This rule should not have failed. -bridge/vlan.t: ERROR: line 49: add rule netdev test-netdev egress vlan id 1 vlan id set 2: This rule should not have failed. -bridge/vlan.t: ERROR: line 51: add rule netdev test-netdev egress ether saddr 00:01:02:03:04:05 vlan id 1: This rule should not have failed. -bridge/vlan.t: ERROR: line 52: add rule netdev test-netdev egress vlan id 2 ether saddr 0:1:2:3:4:6: This rule should not have failed. -bridge/vlan.t: ERROR: line 54: add rule netdev test-netdev egress ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 }: This rule should not have failed. -bridge/vlan.t: ERROR: line 54: The chain egress does not exist in netdev test-netdev. I cannot delete it. -bridge/meta.t: ERROR: line 7: add rule bridge test-bridge input meta ibrvproto vlan: This rule should not have failed. -bridge/meta.t: ERROR: line 8: add rule bridge test-bridge input meta ibrpvid 100: This rule should not have failed. 
-inet/dccp.t: ERROR: line 3: I cannot create the chain 'egress' -inet/dccp.t: ERROR: line 10: add rule netdev test-netdev egress dccp sport 21-35: This rule should not have failed. -inet/dccp.t: ERROR: line 11: add rule netdev test-netdev egress dccp sport != 21-35: This rule should not have failed. -inet/dccp.t: ERROR: line 12: add rule netdev test-netdev egress dccp sport {23, 24, 25}: This rule should not have failed. -inet/dccp.t: ERROR: line 13: add rule netdev test-netdev egress dccp sport != {23, 24, 25}: This rule should not have failed. -inet/dccp.t: ERROR: line 15: add rule netdev test-netdev egress dccp sport 20-50: This rule should not have failed. -inet/dccp.t: ERROR: line 19: add rule netdev test-netdev egress dccp dport {23, 24, 25}: This rule should not have failed. -inet/dccp.t: ERROR: line 20: add rule netdev test-netdev egress dccp dport != {23, 24, 25}: This rule should not have failed. -inet/dccp.t: ERROR: line 22: add rule netdev test-netdev egress dccp type {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}: This rule should not have failed. -inet/dccp.t: ERROR: line 23: add rule netdev test-netdev egress dccp type != {request, response, data, ack, dataack, closereq, close, reset, sync, syncack}: This rule should not have failed. -inet/dccp.t: ERROR: line 24: add rule netdev test-netdev egress dccp type request: This rule should not have failed. -inet/dccp.t: ERROR: line 25: add rule netdev test-netdev egress dccp type != request: This rule should not have failed. -inet/dccp.t: ERROR: line 25: The chain egress does not exist in netdev test-netdev. I cannot delete it. -inet/map.t: ERROR: line 3: I cannot create the chain 'egress' -inet/map.t: ERROR: line 9: add rule netdev test-netdev egress mark set ip saddr map { 10.2.3.2 : 0x0000002a, 10.2.3.1 : 0x00000017}: This rule should not have failed. 
-inet/map.t: ERROR: line 10: add rule netdev test-netdev egress mark set ip hdrlength map { 5 : 0x00000017, 4 : 0x00000001}: This rule should not have failed. -inet/map.t: ERROR: line 10: The chain egress does not exist in netdev test-netdev. I cannot delete it. -inet/synproxy.t: ERROR: line 7: add rule ip synproxyip synproxychain synproxy: This rule should not have failed. -inet/synproxy.t: ERROR: line 8: add rule ip synproxyip synproxychain synproxy mss 1460 wscale 7: This rule should not have failed. -inet/synproxy.t: ERROR: line 9: add rule ip synproxyip synproxychain synproxy mss 1460 wscale 5 timestamp sack-perm: This rule should not have failed. -inet/synproxy.t: ERROR: line 10: add rule ip synproxyip synproxychain synproxy timestamp sack-perm: This rule should not have failed. -inet/synproxy.t: ERROR: line 11: add rule ip synproxyip synproxychain synproxy timestamp: This rule should not have failed. -inet/synproxy.t: ERROR: line 12: add rule ip synproxyip synproxychain synproxy sack-perm: This rule should not have failed. -inet/sets.t: ERROR: line 3: I cannot create the chain 'egress' -inet/sets.t: ERROR: line 15: add rule netdev test-netdev egress ip saddr @set1 drop: This rule should not have failed. -inet/sets.t: ERROR: line 18: add rule netdev test-netdev egress ip6 daddr != @set2 accept: This rule should not have failed. -inet/sets.t: ERROR: line 24: add rule netdev test-netdev egress ip saddr . ip daddr . tcp dport @set3 accept: This rule should not have failed. -inet/sets.t: ERROR: line 25: add rule netdev test-netdev egress ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept: This rule should not have failed. -inet/sets.t: ERROR: line 25: The chain egress does not exist in netdev test-netdev. I cannot delete it. -inet/ip.t: ERROR: line 3: I cannot create the chain 'egress' -inet/ip.t: ERROR: line 10: add rule netdev test-netdev egress ip saddr . ip daddr . ether saddr { 1.1.1.1 . 2.2.2.2 . 
ca:fe:ca:fe:ca:fe }: This rule should not have failed. -inet/ip.t: ERROR: line 12: The chain egress does not exist in netdev test-netdev. I cannot delete it. -inet/udp.t: ERROR: line 3: I cannot create the chain 'egress' -inet/udp.t: ERROR: line 10: add rule netdev test-netdev egress udp sport 80 accept: This rule should not have failed. -inet/udp.t: ERROR: line 11: add rule netdev test-netdev egress udp sport != 60 accept: This rule should not have failed. -inet/udp.t: ERROR: line 12: add rule netdev test-netdev egress udp sport 50-70 accept: This rule should not have failed. -inet/udp.t: ERROR: line 13: add rule netdev test-netdev egress udp sport != 50-60 accept: This rule should not have failed. -inet/udp.t: ERROR: line 14: add rule netdev test-netdev egress udp sport { 49, 50} drop: This rule should not have failed. -inet/udp.t: ERROR: line 15: add rule netdev test-netdev egress udp sport != { 50, 60} accept: This rule should not have failed. -inet/udp.t: ERROR: line 19: add rule netdev test-netdev egress udp dport 80 accept: This rule should not have failed. -inet/udp.t: ERROR: line 20: add rule netdev test-netdev egress udp dport != 60 accept: This rule should not have failed. -inet/udp.t: ERROR: line 21: add rule netdev test-netdev egress udp dport 70-75 accept: This rule should not have failed. -inet/udp.t: ERROR: line 22: add rule netdev test-netdev egress udp dport != 50-60 accept: This rule should not have failed. -inet/udp.t: ERROR: line 23: add rule netdev test-netdev egress udp dport { 49, 50} drop: This rule should not have failed. -inet/udp.t: ERROR: line 24: add rule netdev test-netdev egress udp dport != { 50, 60} accept: This rule should not have failed. -inet/udp.t: ERROR: line 26: add rule netdev test-netdev egress udp length 6666: This rule should not have failed. -inet/udp.t: ERROR: line 27: add rule netdev test-netdev egress udp length != 6666: This rule should not have failed. 
-inet/udp.t: ERROR: line 28: add rule netdev test-netdev egress udp length 50-65 accept: This rule should not have failed.
-inet/udp.t: ERROR: line 29: add rule netdev test-netdev egress udp length != 50-65 accept: This rule should not have failed.
-inet/udp.t: ERROR: line 30: add rule netdev test-netdev egress udp length { 50, 65} accept: This rule should not have failed.
-inet/udp.t: ERROR: line 31: add rule netdev test-netdev egress udp length != { 50, 65} accept: This rule should not have failed.
-inet/udp.t: ERROR: line 33: add rule netdev test-netdev egress udp checksum 6666 drop: This rule should not have failed.
-inet/udp.t: ERROR: line 34: add rule netdev test-netdev egress udp checksum != { 444, 555} accept: This rule should not have failed.
-inet/udp.t: ERROR: line 36: add rule netdev test-netdev egress udp checksum 22: This rule should not have failed.
-inet/udp.t: ERROR: line 37: add rule netdev test-netdev egress udp checksum != 233: This rule should not have failed.
-inet/udp.t: ERROR: line 38: add rule netdev test-netdev egress udp checksum 33-45: This rule should not have failed.
-inet/udp.t: ERROR: line 39: add rule netdev test-netdev egress udp checksum != 33-45: This rule should not have failed.
-inet/udp.t: ERROR: line 40: add rule netdev test-netdev egress udp checksum { 33, 55, 67, 88}: This rule should not have failed.
-inet/udp.t: ERROR: line 41: add rule netdev test-netdev egress udp checksum != { 33, 55, 67, 88}: This rule should not have failed.
-inet/udp.t: ERROR: line 44: add rule netdev test-netdev egress iif "lo" udp checksum set 0: This rule should not have failed.
-inet/udp.t: ERROR: line 45: add rule netdev test-netdev egress iif "lo" udp dport set 65535: This rule should not have failed.
-inet/udp.t: ERROR: line 45: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/ether.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/ether.t: ERROR: line 11: add rule netdev test-netdev egress tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4 accept: This rule should not have failed.
-inet/ether.t: ERROR: line 12: add rule netdev test-netdev egress tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept: This rule should not have failed.
-inet/ether.t: ERROR: line 14: add rule netdev test-netdev egress ether saddr 00:0f:54:0c:11:04 accept: This rule should not have failed.
-inet/ether.t: ERROR: line 14: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/comp.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/comp.t: ERROR: line 12: add rule netdev test-netdev egress comp nexthdr != esp: This rule should not have failed.
-inet/comp.t: ERROR: line 18: add rule netdev test-netdev egress comp flags 0x0: This rule should not have failed.
-inet/comp.t: ERROR: line 19: add rule netdev test-netdev egress comp flags != 0x23: This rule should not have failed.
-inet/comp.t: ERROR: line 20: add rule netdev test-netdev egress comp flags 0x33-0x45: This rule should not have failed.
-inet/comp.t: ERROR: line 21: add rule netdev test-netdev egress comp flags != 0x33-0x45: This rule should not have failed.
-inet/comp.t: ERROR: line 22: add rule netdev test-netdev egress comp flags {0x33, 0x55, 0x67, 0x88}: This rule should not have failed.
-inet/comp.t: ERROR: line 23: add rule netdev test-netdev egress comp flags != {0x33, 0x55, 0x67, 0x88}: This rule should not have failed.
-inet/comp.t: ERROR: line 25: add rule netdev test-netdev egress comp cpi 22: This rule should not have failed.
-inet/comp.t: ERROR: line 26: add rule netdev test-netdev egress comp cpi != 233: This rule should not have failed.
-inet/comp.t: ERROR: line 27: add rule netdev test-netdev egress comp cpi 33-45: This rule should not have failed.
-inet/comp.t: ERROR: line 28: add rule netdev test-netdev egress comp cpi != 33-45: This rule should not have failed.
-inet/comp.t: ERROR: line 29: add rule netdev test-netdev egress comp cpi {33, 55, 67, 88}: This rule should not have failed.
-inet/comp.t: ERROR: line 30: add rule netdev test-netdev egress comp cpi != {33, 55, 67, 88}: This rule should not have failed.
-inet/comp.t: ERROR: line 30: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/udplite.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/udplite.t: ERROR: line 10: add rule netdev test-netdev egress udplite sport 80 accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 11: add rule netdev test-netdev egress udplite sport != 60 accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 12: add rule netdev test-netdev egress udplite sport 50-70 accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 13: add rule netdev test-netdev egress udplite sport != 50-60 accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 14: add rule netdev test-netdev egress udplite sport { 49, 50} drop: This rule should not have failed.
-inet/udplite.t: ERROR: line 15: add rule netdev test-netdev egress udplite sport != { 49, 50} accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 17: add rule netdev test-netdev egress udplite dport 80 accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 18: add rule netdev test-netdev egress udplite dport != 60 accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 19: add rule netdev test-netdev egress udplite dport 70-75 accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 20: add rule netdev test-netdev egress udplite dport != 50-60 accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 21: add rule netdev test-netdev egress udplite dport { 49, 50} drop: This rule should not have failed.
-inet/udplite.t: ERROR: line 22: add rule netdev test-netdev egress udplite dport != { 49, 50} accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 31: add rule netdev test-netdev egress udplite checksum 6666 drop: This rule should not have failed.
-inet/udplite.t: ERROR: line 32: add rule netdev test-netdev egress udplite checksum != { 444, 555} accept: This rule should not have failed.
-inet/udplite.t: ERROR: line 33: add rule netdev test-netdev egress udplite checksum 22: This rule should not have failed.
-inet/udplite.t: ERROR: line 34: add rule netdev test-netdev egress udplite checksum != 233: This rule should not have failed.
-inet/udplite.t: ERROR: line 35: add rule netdev test-netdev egress udplite checksum 33-45: This rule should not have failed.
-inet/udplite.t: ERROR: line 36: add rule netdev test-netdev egress udplite checksum != 33-45: This rule should not have failed.
-inet/udplite.t: ERROR: line 37: add rule netdev test-netdev egress udplite checksum { 33, 55, 67, 88}: This rule should not have failed.
-inet/udplite.t: ERROR: line 38: add rule netdev test-netdev egress udplite checksum != { 33, 55, 67, 88}: This rule should not have failed.
-inet/udplite.t: ERROR: line 38: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/osf.t: ERROR: line 7: add rule ip osfip osfchain osf name "Linux": This rule should not have failed.
-inet/osf.t: ERROR: line 8: add rule ip osfip osfchain osf ttl loose name "Linux": This rule should not have failed.
-inet/osf.t: ERROR: line 9: add rule ip osfip osfchain osf ttl skip name "Linux": This rule should not have failed.
-inet/osf.t: ERROR: line 10: add rule ip osfip osfchain osf ttl skip version "Linux:3.0": This rule should not have failed.
-inet/osf.t: ERROR: line 15: add rule ip osfip osfchain osf name { "Windows", "MacOs" }: This rule should not have failed.
-inet/osf.t: ERROR: line 16: add rule ip osfip osfchain osf version { "Windows:XP", "MacOs:Sierra" }: This rule should not have failed.
-inet/osf.t: ERROR: line 17: add rule ip osfip osfchain ct mark set osf name map { "Windows" : 0x00000001, "MacOs" : 0x00000002 }: This rule should not have failed.
-inet/osf.t: ERROR: line 18: add rule ip osfip osfchain ct mark set osf version map { "Windows:XP" : 0x00000003, "MacOs:Sierra" : 0x00000004 }: This rule should not have failed.
-inet/tcp.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/tcp.t: ERROR: line 12: add rule netdev test-netdev egress tcp dport 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 13: add rule netdev test-netdev egress tcp dport != 233: This rule should not have failed.
-inet/tcp.t: ERROR: line 14: add rule netdev test-netdev egress tcp dport 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 15: add rule netdev test-netdev egress tcp dport != 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 16: add rule netdev test-netdev egress tcp dport { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 17: add rule netdev test-netdev egress tcp dport != { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 18: add rule netdev test-netdev egress tcp dport {telnet, http, https} accept: This rule should not have failed.
-inet/tcp.t: ERROR: line 19: add rule netdev test-netdev egress tcp dport vmap { 22 : accept, 23 : drop }: This rule should not have failed.
-inet/tcp.t: ERROR: line 20: add rule netdev test-netdev egress tcp dport vmap { 25:accept, 28:drop }: This rule should not have failed.
-inet/tcp.t: ERROR: line 21: add rule netdev test-netdev egress tcp dport { 22, 53, 80, 110 }: This rule should not have failed.
-inet/tcp.t: ERROR: line 22: add rule netdev test-netdev egress tcp dport != { 22, 53, 80, 110 }: This rule should not have failed.
-inet/tcp.t: ERROR: line 26: add rule netdev test-netdev egress tcp sport 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 27: add rule netdev test-netdev egress tcp sport != 233: This rule should not have failed.
-inet/tcp.t: ERROR: line 28: add rule netdev test-netdev egress tcp sport 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 29: add rule netdev test-netdev egress tcp sport != 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 30: add rule netdev test-netdev egress tcp sport { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 31: add rule netdev test-netdev egress tcp sport != { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 32: add rule netdev test-netdev egress tcp sport vmap { 25:accept, 28:drop }: This rule should not have failed.
-inet/tcp.t: ERROR: line 34: add rule netdev test-netdev egress tcp sport 8080 drop: This rule should not have failed.
-inet/tcp.t: ERROR: line 35: add rule netdev test-netdev egress tcp sport 1024 tcp dport 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 36: add rule netdev test-netdev egress tcp sport 1024 tcp dport 22 tcp sequence 0: This rule should not have failed.
-inet/tcp.t: ERROR: line 38: add rule netdev test-netdev egress tcp sequence 0 tcp sport 1024 tcp dport 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 39: add rule netdev test-netdev egress tcp sequence 0 tcp sport { 1024, 1022} tcp dport 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 41: add rule netdev test-netdev egress tcp sequence 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 42: add rule netdev test-netdev egress tcp sequence != 233: This rule should not have failed.
-inet/tcp.t: ERROR: line 43: add rule netdev test-netdev egress tcp sequence 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 44: add rule netdev test-netdev egress tcp sequence != 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 45: add rule netdev test-netdev egress tcp sequence { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 46: add rule netdev test-netdev egress tcp sequence != { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 48: add rule netdev test-netdev egress tcp ackseq 42949672 drop: This rule should not have failed.
-inet/tcp.t: ERROR: line 49: add rule netdev test-netdev egress tcp ackseq 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 50: add rule netdev test-netdev egress tcp ackseq != 233: This rule should not have failed.
-inet/tcp.t: ERROR: line 51: add rule netdev test-netdev egress tcp ackseq 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 52: add rule netdev test-netdev egress tcp ackseq != 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 53: add rule netdev test-netdev egress tcp ackseq { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 54: add rule netdev test-netdev egress tcp ackseq != { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 66: add rule netdev test-netdev egress tcp flags { fin, syn, rst, psh, ack, urg, ecn, cwr} drop: This rule should not have failed.
-inet/tcp.t: ERROR: line 67: add rule netdev test-netdev egress tcp flags != { fin, urg, ecn, cwr} drop: This rule should not have failed.
-inet/tcp.t: ERROR: line 68: add rule netdev test-netdev egress tcp flags cwr: This rule should not have failed.
-inet/tcp.t: ERROR: line 69: add rule netdev test-netdev egress tcp flags != cwr: This rule should not have failed.
-inet/tcp.t: ERROR: line 70: add rule netdev test-netdev egress tcp flags == syn: This rule should not have failed.
-inet/tcp.t: ERROR: line 71: add rule netdev test-netdev egress tcp flags fin,syn / fin,syn: This rule should not have failed.
-inet/tcp.t: ERROR: line 72: add rule netdev test-netdev egress tcp flags != syn / fin,syn: This rule should not have failed.
-inet/tcp.t: ERROR: line 73: add rule netdev test-netdev egress tcp flags & syn != 0: This rule should not have failed.
-inet/tcp.t: ERROR: line 74: add rule netdev test-netdev egress tcp flags & syn == 0: This rule should not have failed.
-inet/tcp.t: ERROR: line 75: add rule netdev test-netdev egress tcp flags & (syn | ack) != 0: This rule should not have failed.
-inet/tcp.t: ERROR: line 76: add rule netdev test-netdev egress tcp flags & (syn | ack) == 0: This rule should not have failed.
-inet/tcp.t: ERROR: line 78: add rule netdev test-netdev egress tcp flags & syn == syn: This rule should not have failed.
-inet/tcp.t: ERROR: line 79: add rule netdev test-netdev egress tcp flags & syn != syn: This rule should not have failed.
-inet/tcp.t: ERROR: line 80: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) syn: This rule should not have failed.
-inet/tcp.t: ERROR: line 81: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) == syn: This rule should not have failed.
-inet/tcp.t: ERROR: line 82: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) != syn: This rule should not have failed.
-inet/tcp.t: ERROR: line 83: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) == (syn | ack): This rule should not have failed.
-inet/tcp.t: ERROR: line 84: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | ack) != (syn | ack): This rule should not have failed.
-inet/tcp.t: ERROR: line 85: add rule netdev test-netdev egress tcp flags & (syn | ack) == (syn | ack): This rule should not have failed.
-inet/tcp.t: ERROR: line 86: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | psh | ack | urg | ecn | cwr) == fin | syn | rst | psh | ack | urg | ecn | cwr: This rule should not have failed.
-inet/tcp.t: ERROR: line 87: add rule netdev test-netdev egress tcp flags { syn, syn | ack }: This rule should not have failed.
-inet/tcp.t: ERROR: line 88: add rule netdev test-netdev egress tcp flags & (fin | syn | rst | psh | ack | urg) == { fin, ack, psh | ack, fin | psh | ack }: This rule should not have failed.
-inet/tcp.t: ERROR: line 89: add rule netdev test-netdev egress tcp flags ! fin,rst: This rule should not have failed.
-inet/tcp.t: ERROR: line 92: add rule netdev test-netdev egress tcp window 22222: This rule should not have failed.
-inet/tcp.t: ERROR: line 93: add rule netdev test-netdev egress tcp window 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 94: add rule netdev test-netdev egress tcp window != 233: This rule should not have failed.
-inet/tcp.t: ERROR: line 95: add rule netdev test-netdev egress tcp window 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 96: add rule netdev test-netdev egress tcp window != 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 97: add rule netdev test-netdev egress tcp window { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 98: add rule netdev test-netdev egress tcp window != { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 100: add rule netdev test-netdev egress tcp checksum 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 101: add rule netdev test-netdev egress tcp checksum != 233: This rule should not have failed.
-inet/tcp.t: ERROR: line 102: add rule netdev test-netdev egress tcp checksum 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 103: add rule netdev test-netdev egress tcp checksum != 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 104: add rule netdev test-netdev egress tcp checksum { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 105: add rule netdev test-netdev egress tcp checksum != { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 107: add rule netdev test-netdev egress tcp urgptr 1234 accept: This rule should not have failed.
-inet/tcp.t: ERROR: line 108: add rule netdev test-netdev egress tcp urgptr 22: This rule should not have failed.
-inet/tcp.t: ERROR: line 109: add rule netdev test-netdev egress tcp urgptr != 233: This rule should not have failed.
-inet/tcp.t: ERROR: line 110: add rule netdev test-netdev egress tcp urgptr 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 111: add rule netdev test-netdev egress tcp urgptr != 33-45: This rule should not have failed.
-inet/tcp.t: ERROR: line 112: add rule netdev test-netdev egress tcp urgptr { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 113: add rule netdev test-netdev egress tcp urgptr != { 33, 55, 67, 88}: This rule should not have failed.
-inet/tcp.t: ERROR: line 115: add rule netdev test-netdev egress tcp doff 8: This rule should not have failed.
-inet/tcp.t: ERROR: line 115: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/ip_tcp.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/ip_tcp.t: ERROR: line 10: add rule netdev test-netdev egress ip protocol tcp tcp dport 22: This rule should not have failed.
-inet/ip_tcp.t: ERROR: line 13: add rule netdev test-netdev egress ip protocol tcp ip saddr 1.2.3.4 tcp dport 22: This rule should not have failed.
-inet/ip_tcp.t: ERROR: line 16: add rule netdev test-netdev egress ip protocol tcp counter ip saddr 1.2.3.4 tcp dport 22: This rule should not have failed.
-inet/ip_tcp.t: ERROR: line 19: add rule netdev test-netdev egress ip protocol tcp counter tcp dport 22: This rule should not have failed.
-inet/ip_tcp.t: ERROR: line 21: add rule netdev test-netdev egress ether type ip tcp dport 22: This rule should not have failed.
-inet/ip_tcp.t: ERROR: line 21: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/meta.t: ERROR: line 23: add rule inet test-inet input meta mark set ct mark >> 8: This rule should not have failed.
-inet/ah.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/ah.t: ERROR: line 22: add rule netdev test-netdev egress ah hdrlength 11-23: This rule should not have failed.
-inet/ah.t: ERROR: line 23: add rule netdev test-netdev egress ah hdrlength != 11-23: This rule should not have failed.
-inet/ah.t: ERROR: line 24: add rule netdev test-netdev egress ah hdrlength {11, 23, 44 }: This rule should not have failed.
-inet/ah.t: ERROR: line 25: add rule netdev test-netdev egress ah hdrlength != {11, 23, 44 }: This rule should not have failed.
-inet/ah.t: ERROR: line 27: add rule netdev test-netdev egress ah reserved 22: This rule should not have failed.
-inet/ah.t: ERROR: line 28: add rule netdev test-netdev egress ah reserved != 233: This rule should not have failed.
-inet/ah.t: ERROR: line 29: add rule netdev test-netdev egress ah reserved 33-45: This rule should not have failed.
-inet/ah.t: ERROR: line 30: add rule netdev test-netdev egress ah reserved != 33-45: This rule should not have failed.
-inet/ah.t: ERROR: line 31: add rule netdev test-netdev egress ah reserved {23, 100}: This rule should not have failed.
-inet/ah.t: ERROR: line 32: add rule netdev test-netdev egress ah reserved != {23, 100}: This rule should not have failed.
-inet/ah.t: ERROR: line 34: add rule netdev test-netdev egress ah spi 111: This rule should not have failed.
-inet/ah.t: ERROR: line 35: add rule netdev test-netdev egress ah spi != 111: This rule should not have failed.
-inet/ah.t: ERROR: line 36: add rule netdev test-netdev egress ah spi 111-222: This rule should not have failed.
-inet/ah.t: ERROR: line 37: add rule netdev test-netdev egress ah spi != 111-222: This rule should not have failed.
-inet/ah.t: ERROR: line 38: add rule netdev test-netdev egress ah spi {111, 122}: This rule should not have failed.
-inet/ah.t: ERROR: line 39: add rule netdev test-netdev egress ah spi != {111, 122}: This rule should not have failed.
-inet/ah.t: ERROR: line 42: add rule netdev test-netdev egress ah sequence 123: This rule should not have failed.
-inet/ah.t: ERROR: line 43: add rule netdev test-netdev egress ah sequence != 123: This rule should not have failed.
-inet/ah.t: ERROR: line 44: add rule netdev test-netdev egress ah sequence {23, 25, 33}: This rule should not have failed.
-inet/ah.t: ERROR: line 45: add rule netdev test-netdev egress ah sequence != {23, 25, 33}: This rule should not have failed.
-inet/ah.t: ERROR: line 46: add rule netdev test-netdev egress ah sequence 23-33: This rule should not have failed.
-inet/ah.t: ERROR: line 47: add rule netdev test-netdev egress ah sequence != 23-33: This rule should not have failed.
-inet/ah.t: ERROR: line 47: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/vmap.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/vmap.t: ERROR: line 8: add rule netdev test-netdev egress iifname . ip protocol . th dport vmap { "eth0" . tcp . 22 : accept, "eth1" . udp . 67 : drop }: This rule should not have failed.
-inet/vmap.t: ERROR: line 9: add rule inet test-inet input ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }: This rule should not have failed.
-inet/vmap.t: ERROR: line 10: add rule netdev test-netdev egress udp length . @th,160,128 vmap { 47-63 . 0xe373135363130333131303735353203 : accept }: This rule should not have failed.
-inet/vmap.t: ERROR: line 10: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/ether-ip.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/ether-ip.t: ERROR: line 8: add rule netdev test-netdev egress tcp dport 22 iiftype ether ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:4 accept: This rule should not have failed.
-inet/ether-ip.t: ERROR: line 9: add rule netdev test-netdev egress tcp dport 22 ip daddr 1.2.3.4 ether saddr 00:0f:54:0c:11:04: This rule should not have failed.
-inet/ether-ip.t: ERROR: line 9: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/esp.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/esp.t: ERROR: line 10: add rule netdev test-netdev egress esp spi 100: This rule should not have failed.
-inet/esp.t: ERROR: line 11: add rule netdev test-netdev egress esp spi != 100: This rule should not have failed.
-inet/esp.t: ERROR: line 12: add rule netdev test-netdev egress esp spi 111-222: This rule should not have failed.
-inet/esp.t: ERROR: line 13: add rule netdev test-netdev egress esp spi != 111-222: This rule should not have failed.
-inet/esp.t: ERROR: line 14: add rule netdev test-netdev egress esp spi { 100, 102}: This rule should not have failed.
-inet/esp.t: ERROR: line 15: add rule netdev test-netdev egress esp spi != { 100, 102}: This rule should not have failed.
-inet/esp.t: ERROR: line 17: add rule netdev test-netdev egress esp sequence 22: This rule should not have failed.
-inet/esp.t: ERROR: line 18: add rule netdev test-netdev egress esp sequence 22-24: This rule should not have failed.
-inet/esp.t: ERROR: line 19: add rule netdev test-netdev egress esp sequence != 22-24: This rule should not have failed.
-inet/esp.t: ERROR: line 20: add rule netdev test-netdev egress esp sequence { 22, 24}: This rule should not have failed.
-inet/esp.t: ERROR: line 21: add rule netdev test-netdev egress esp sequence != { 22, 24}: This rule should not have failed.
-inet/esp.t: ERROR: line 21: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/sctp.t: ERROR: line 3: I cannot create the chain 'egress'
-inet/sctp.t: ERROR: line 10: add rule netdev test-netdev egress sctp sport 23: This rule should not have failed.
-inet/sctp.t: ERROR: line 11: add rule netdev test-netdev egress sctp sport != 23: This rule should not have failed.
-inet/sctp.t: ERROR: line 12: add rule netdev test-netdev egress sctp sport 23-44: This rule should not have failed.
-inet/sctp.t: ERROR: line 13: add rule netdev test-netdev egress sctp sport != 23-44: This rule should not have failed.
-inet/sctp.t: ERROR: line 14: add rule netdev test-netdev egress sctp sport { 23, 24, 25}: This rule should not have failed.
-inet/sctp.t: ERROR: line 15: add rule netdev test-netdev egress sctp sport != { 23, 24, 25}: This rule should not have failed.
-inet/sctp.t: ERROR: line 17: add rule netdev test-netdev egress sctp dport 23: This rule should not have failed.
-inet/sctp.t: ERROR: line 18: add rule netdev test-netdev egress sctp dport != 23: This rule should not have failed.
-inet/sctp.t: ERROR: line 19: add rule netdev test-netdev egress sctp dport 23-44: This rule should not have failed.
-inet/sctp.t: ERROR: line 20: add rule netdev test-netdev egress sctp dport != 23-44: This rule should not have failed.
-inet/sctp.t: ERROR: line 21: add rule netdev test-netdev egress sctp dport { 23, 24, 25}: This rule should not have failed.
-inet/sctp.t: ERROR: line 22: add rule netdev test-netdev egress sctp dport != { 23, 24, 25}: This rule should not have failed.
-inet/sctp.t: ERROR: line 24: add rule netdev test-netdev egress sctp checksum 1111: This rule should not have failed.
-inet/sctp.t: ERROR: line 25: add rule netdev test-netdev egress sctp checksum != 11: This rule should not have failed.
-inet/sctp.t: ERROR: line 26: add rule netdev test-netdev egress sctp checksum 21-333: This rule should not have failed.
-inet/sctp.t: ERROR: line 27: add rule netdev test-netdev egress sctp checksum != 32-111: This rule should not have failed.
-inet/sctp.t: ERROR: line 28: add rule netdev test-netdev egress sctp checksum { 22, 33, 44}: This rule should not have failed.
-inet/sctp.t: ERROR: line 29: add rule netdev test-netdev egress sctp checksum != { 22, 33, 44}: This rule should not have failed.
-inet/sctp.t: ERROR: line 31: add rule netdev test-netdev egress sctp vtag 22: This rule should not have failed.
-inet/sctp.t: ERROR: line 32: add rule netdev test-netdev egress sctp vtag != 233: This rule should not have failed.
-inet/sctp.t: ERROR: line 33: add rule netdev test-netdev egress sctp vtag 33-45: This rule should not have failed.
-inet/sctp.t: ERROR: line 34: add rule netdev test-netdev egress sctp vtag != 33-45: This rule should not have failed.
-inet/sctp.t: ERROR: line 35: add rule netdev test-netdev egress sctp vtag {33, 55, 67, 88}: This rule should not have failed.
-inet/sctp.t: ERROR: line 36: add rule netdev test-netdev egress sctp vtag != {33, 55, 67, 88}: This rule should not have failed.
-inet/sctp.t: ERROR: line 39: add rule netdev test-netdev egress sctp chunk data exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 40: add rule netdev test-netdev egress sctp chunk init exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 41: add rule netdev test-netdev egress sctp chunk init-ack exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 42: add rule netdev test-netdev egress sctp chunk sack exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 43: add rule netdev test-netdev egress sctp chunk heartbeat exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 44: add rule netdev test-netdev egress sctp chunk heartbeat-ack exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 45: add rule netdev test-netdev egress sctp chunk abort exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 46: add rule netdev test-netdev egress sctp chunk shutdown exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 47: add rule netdev test-netdev egress sctp chunk shutdown-ack exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 48: add rule netdev test-netdev egress sctp chunk error exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 49: add rule netdev test-netdev egress sctp chunk cookie-echo exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 50: add rule netdev test-netdev egress sctp chunk cookie-ack exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 51: add rule netdev test-netdev egress sctp chunk ecne exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 52: add rule netdev test-netdev egress sctp chunk cwr exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 53: add rule netdev test-netdev egress sctp chunk shutdown-complete exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 54: add rule netdev test-netdev egress sctp chunk asconf-ack exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 55: add rule netdev test-netdev egress sctp chunk forward-tsn exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 56: add rule netdev test-netdev egress sctp chunk asconf exists: This rule should not have failed.
-inet/sctp.t: ERROR: line 59: add rule netdev test-netdev egress sctp chunk data type 0: This rule should not have failed.
-inet/sctp.t: ERROR: line 60: add rule netdev test-netdev egress sctp chunk init flags 23: This rule should not have failed.
-inet/sctp.t: ERROR: line 61: add rule netdev test-netdev egress sctp chunk init-ack length 42: This rule should not have failed.
-inet/sctp.t: ERROR: line 64: add rule netdev test-netdev egress sctp chunk data stream 1337: This rule should not have failed.
-inet/sctp.t: ERROR: line 65: add rule netdev test-netdev egress sctp chunk init initial-tsn 5: This rule should not have failed.
-inet/sctp.t: ERROR: line 66: add rule netdev test-netdev egress sctp chunk init-ack num-outbound-streams 3: This rule should not have failed.
-inet/sctp.t: ERROR: line 67: add rule netdev test-netdev egress sctp chunk sack a-rwnd 1: This rule should not have failed.
-inet/sctp.t: ERROR: line 68: add rule netdev test-netdev egress sctp chunk shutdown cum-tsn-ack 65535: This rule should not have failed.
-inet/sctp.t: ERROR: line 69: add rule netdev test-netdev egress sctp chunk ecne lowest-tsn 5: This rule should not have failed.
-inet/sctp.t: ERROR: line 70: add rule netdev test-netdev egress sctp chunk cwr lowest-tsn 8: This rule should not have failed.
-inet/sctp.t: ERROR: line 71: add rule netdev test-netdev egress sctp chunk asconf-ack seqno 12345: This rule should not have failed.
-inet/sctp.t: ERROR: line 72: add rule netdev test-netdev egress sctp chunk forward-tsn new-cum-tsn 31337: This rule should not have failed.
-inet/sctp.t: ERROR: line 73: add rule netdev test-netdev egress sctp chunk asconf seqno 12345: This rule should not have failed.
-inet/sctp.t: ERROR: line 73: The chain egress does not exist in netdev test-netdev. I cannot delete it.
-inet/socket.t: ERROR: line 11: add rule ip sockip4 sockchain socket mark 0x00000005: This rule should not have failed.
-inet/socket.t: ERROR: line 13: add rule ip sockip4 sockchain socket wildcard 0: This rule should not have failed.
-inet/socket.t: ERROR: line 14: add rule ip sockip4 sockchain socket wildcard 1: This rule should not have failed.
-ip/objects.t: ERROR: line 37: add ct timeout ip test-ip4 cttime1 { protocol tcp; policy = { established:122 } ;}: I cannot add the ct timeout cttime1 -ip/objects.t: ERROR: line 39: add ct timeout ip test-ip4 cttime3 { protocol tcp; policy = { established:132, close:16, close_wait:16 } ; l3proto ip ;}: I cannot add the ct timeout cttime3 -ip/objects.t: ERROR: line 40: add ct timeout ip test-ip4 cttime4 { protocol udp; policy = { replied:14, unreplied:19 } ;}: I cannot add the ct timeout cttime4 -ip/objects.t: ERROR: line 43: add rule ip test-ip4 output ct timeout set "cttime1": This rule should not have failed. -ip/objects.t: ERROR: line 46: add ct expectation ip test-ip4 ctexpect1 { protocol tcp; dport 1234; timeout 2m; size 12; }: I cannot add the ct expectation ctexpect1 -ip/objects.t: ERROR: line 50: add ct expectation ip test-ip4 ctexpect5 { protocol udp; dport 9876; timeout 2m; size 12; l3proto ip; }: I cannot add the ct expectation ctexpect5 -ip/objects.t: ERROR: line 52: add rule ip test-ip4 output ct expectation set "ctexpect1": This rule should not have failed. -ip/objects.t: ERROR: line 55: add synproxy ip test-ip4 synproxy1 mss 1460 wscale 7: I cannot add the synproxy synproxy1 -ip/objects.t: ERROR: line 56: add synproxy ip test-ip4 synproxy2 mss 1460 wscale 7 timestamp sack-perm: I cannot add the synproxy synproxy2 -ip/objects.t: ERROR: line 58: add rule ip test-ip4 output synproxy name tcp dport map {443 : "synproxy1", 80 : "synproxy2"}: This rule should not have failed. -ip/sets.t: ERROR: line 3: I cannot create the chain 'egress' -ip/sets.t: ERROR: line 32: add rule netdev test-netdev egress ip saddr @set1 drop: This rule should not have failed. -ip/sets.t: ERROR: line 33: add rule netdev test-netdev egress ip saddr != @set1 drop: This rule should not have failed. -ip/sets.t: ERROR: line 34: add rule netdev test-netdev egress ip saddr @set2 drop: This rule should not have failed. 
-ip/sets.t: ERROR: line 35: add rule netdev test-netdev egress ip saddr != @set2 drop: This rule should not have failed. -ip/sets.t: ERROR: line 52: add rule netdev test-netdev egress ip saddr . ip daddr @set5 drop: This rule should not have failed. -ip/sets.t: ERROR: line 53: add rule netdev test-netdev egress add @set5 { ip saddr . ip daddr }: This rule should not have failed. -ip/sets.t: ERROR: line 56: add rule netdev test-netdev egress ip saddr { { 1.1.1.0, 3.3.3.0 }, 2.2.2.0 }: This rule should not have failed. -ip/sets.t: ERROR: line 57: add rule netdev test-netdev egress ip saddr { { 1.1.1.0/24, 3.3.3.0/24 }, 2.2.2.0/24 }: This rule should not have failed. -ip/sets.t: ERROR: line 60: add element ip test-ip4 set6 { 192.168.3.5, * }: This rule should not have failed. -ip/sets.t: ERROR: line 61: add rule netdev test-netdev egress ip saddr @set6 drop: This rule should not have failed. -ip/sets.t: ERROR: line 63: add rule ip test-ip4 input ip saddr vmap { 1.1.1.1 : drop, * : accept }: This rule should not have failed. -ip/sets.t: ERROR: line 64: add rule ip test-ip4 input meta mark set ip saddr map { 1.1.1.1 : 0x00000001, * : 0x00000002 }: This rule should not have failed. -ip/sets.t: ERROR: line 65: The chain egress does not exist in netdev test-netdev. I cannot delete it. -ip/ip.t: ERROR: line 3: I cannot create the chain 'egress' -ip/ip.t: ERROR: line 28: add rule netdev test-netdev egress ip dscp cs1: This rule should not have failed. -ip/ip.t: ERROR: line 29: add rule netdev test-netdev egress ip dscp != cs1: This rule should not have failed. -ip/ip.t: ERROR: line 30: add rule netdev test-netdev egress ip dscp 0x38: This rule should not have failed. -ip/ip.t: ERROR: line 31: add rule netdev test-netdev egress ip dscp != 0x20: This rule should not have failed. 
-ip/ip.t: ERROR: line 32: add rule netdev test-netdev egress ip dscp {cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef}: This rule should not have failed. -ip/ip.t: ERROR: line 34: add rule netdev test-netdev egress ip dscp != {cs0, cs3}: This rule should not have failed. -ip/ip.t: ERROR: line 35: add rule netdev test-netdev egress ip dscp vmap { cs1 : continue , cs4 : accept } counter: This rule should not have failed. -ip/ip.t: ERROR: line 37: add rule netdev test-netdev egress ip length 232: This rule should not have failed. -ip/ip.t: ERROR: line 38: add rule netdev test-netdev egress ip length != 233: This rule should not have failed. -ip/ip.t: ERROR: line 39: add rule netdev test-netdev egress ip length 333-435: This rule should not have failed. -ip/ip.t: ERROR: line 40: add rule netdev test-netdev egress ip length != 333-453: This rule should not have failed. -ip/ip.t: ERROR: line 41: add rule netdev test-netdev egress ip length { 333, 553, 673, 838}: This rule should not have failed. -ip/ip.t: ERROR: line 42: add rule netdev test-netdev egress ip length != { 333, 553, 673, 838}: This rule should not have failed. -ip/ip.t: ERROR: line 44: add rule netdev test-netdev egress ip id 22: This rule should not have failed. -ip/ip.t: ERROR: line 45: add rule netdev test-netdev egress ip id != 233: This rule should not have failed. -ip/ip.t: ERROR: line 46: add rule netdev test-netdev egress ip id 33-45: This rule should not have failed. -ip/ip.t: ERROR: line 47: add rule netdev test-netdev egress ip id != 33-45: This rule should not have failed. -ip/ip.t: ERROR: line 48: add rule netdev test-netdev egress ip id { 33, 55, 67, 88}: This rule should not have failed. -ip/ip.t: ERROR: line 49: add rule netdev test-netdev egress ip id != { 33, 55, 67, 88}: This rule should not have failed. -ip/ip.t: ERROR: line 51: add rule netdev test-netdev egress ip frag-off 222 accept: This rule should not have failed. 
-ip/ip.t: ERROR: line 52: add rule netdev test-netdev egress ip frag-off != 233: This rule should not have failed. -ip/ip.t: ERROR: line 53: add rule netdev test-netdev egress ip frag-off 33-45: This rule should not have failed. -ip/ip.t: ERROR: line 54: add rule netdev test-netdev egress ip frag-off != 33-45: This rule should not have failed. -ip/ip.t: ERROR: line 55: add rule netdev test-netdev egress ip frag-off { 33, 55, 67, 88}: This rule should not have failed. -ip/ip.t: ERROR: line 56: add rule netdev test-netdev egress ip frag-off != { 33, 55, 67, 88}: This rule should not have failed. -ip/ip.t: ERROR: line 58: add rule netdev test-netdev egress ip ttl 0 drop: This rule should not have failed. -ip/ip.t: ERROR: line 59: add rule netdev test-netdev egress ip ttl 233: This rule should not have failed. -ip/ip.t: ERROR: line 60: add rule netdev test-netdev egress ip ttl 33-55: This rule should not have failed. -ip/ip.t: ERROR: line 61: add rule netdev test-netdev egress ip ttl != 45-50: This rule should not have failed. -ip/ip.t: ERROR: line 62: add rule netdev test-netdev egress ip ttl {43, 53, 45 }: This rule should not have failed. -ip/ip.t: ERROR: line 63: add rule netdev test-netdev egress ip ttl != {43, 53, 45 }: This rule should not have failed. -ip/ip.t: ERROR: line 65: add rule netdev test-netdev egress ip protocol tcp: This rule should not have failed. -ip/ip.t: ERROR: line 66: add rule netdev test-netdev egress ip protocol != tcp: This rule should not have failed. -ip/ip.t: ERROR: line 67: add rule netdev test-netdev egress ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept: This rule should not have failed. -ip/ip.t: ERROR: line 68: add rule netdev test-netdev egress ip protocol != { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp} accept: This rule should not have failed. -ip/ip.t: ERROR: line 70: add rule netdev test-netdev egress ip protocol 255: This rule should not have failed. 
-ip/ip.t: ERROR: line 73: add rule netdev test-netdev egress ip checksum 13172 drop: This rule should not have failed. -ip/ip.t: ERROR: line 74: add rule netdev test-netdev egress ip checksum 22: This rule should not have failed. -ip/ip.t: ERROR: line 75: add rule netdev test-netdev egress ip checksum != 233: This rule should not have failed. -ip/ip.t: ERROR: line 76: add rule netdev test-netdev egress ip checksum 33-45: This rule should not have failed. -ip/ip.t: ERROR: line 77: add rule netdev test-netdev egress ip checksum != 33-45: This rule should not have failed. -ip/ip.t: ERROR: line 78: add rule netdev test-netdev egress ip checksum { 33, 55, 67, 88}: This rule should not have failed. -ip/ip.t: ERROR: line 79: add rule netdev test-netdev egress ip checksum != { 33, 55, 67, 88}: This rule should not have failed. -ip/ip.t: ERROR: line 83: add rule netdev test-netdev egress ip saddr 192.168.2.0/24: This rule should not have failed. -ip/ip.t: ERROR: line 84: add rule netdev test-netdev egress ip saddr != 192.168.2.0/24: This rule should not have failed. -ip/ip.t: ERROR: line 85: add rule netdev test-netdev egress ip saddr 192.168.3.1 ip daddr 192.168.3.100: This rule should not have failed. -ip/ip.t: ERROR: line 86: add rule netdev test-netdev egress ip saddr != 1.1.1.1: This rule should not have failed. -ip/ip.t: ERROR: line 87: add rule netdev test-netdev egress ip saddr 1.1.1.1: This rule should not have failed. -ip/ip.t: ERROR: line 88: add rule netdev test-netdev egress ip daddr 192.168.0.1-192.168.0.250: This rule should not have failed. -ip/ip.t: ERROR: line 89: add rule netdev test-netdev egress ip daddr 10.0.0.0-10.255.255.255: This rule should not have failed. -ip/ip.t: ERROR: line 90: add rule netdev test-netdev egress ip daddr 172.16.0.0-172.31.255.255: This rule should not have failed. -ip/ip.t: ERROR: line 91: add rule netdev test-netdev egress ip daddr 192.168.3.1-192.168.4.250: This rule should not have failed. 
-ip/ip.t: ERROR: line 92: add rule netdev test-netdev egress ip daddr != 192.168.0.1-192.168.0.250: This rule should not have failed. -ip/ip.t: ERROR: line 93: add rule netdev test-netdev egress ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept: This rule should not have failed. -ip/ip.t: ERROR: line 94: add rule netdev test-netdev egress ip daddr != { 192.168.5.1, 192.168.5.2, 192.168.5.3 } accept: This rule should not have failed. -ip/ip.t: ERROR: line 96: add rule netdev test-netdev egress ip daddr 192.168.1.2-192.168.1.55: This rule should not have failed. -ip/ip.t: ERROR: line 97: add rule netdev test-netdev egress ip daddr != 192.168.1.2-192.168.1.55: This rule should not have failed. -ip/ip.t: ERROR: line 98: add rule netdev test-netdev egress ip saddr 192.168.1.3-192.168.33.55: This rule should not have failed. -ip/ip.t: ERROR: line 99: add rule netdev test-netdev egress ip saddr != 192.168.1.3-192.168.33.55: This rule should not have failed. -ip/ip.t: ERROR: line 101: add rule netdev test-netdev egress ip daddr 192.168.0.1: This rule should not have failed. -ip/ip.t: ERROR: line 102: add rule netdev test-netdev egress ip daddr 192.168.0.1 drop: This rule should not have failed. -ip/ip.t: ERROR: line 103: add rule netdev test-netdev egress ip daddr 192.168.0.2: This rule should not have failed. -ip/ip.t: ERROR: line 105: add rule netdev test-netdev egress ip saddr & 0xff == 1: This rule should not have failed. -ip/ip.t: ERROR: line 106: add rule netdev test-netdev egress ip saddr & 0.0.0.255 < 0.0.0.127: This rule should not have failed. -ip/ip.t: ERROR: line 108: add rule netdev test-netdev egress ip saddr & 0xffff0000 == 0xffff0000: This rule should not have failed. -ip/ip.t: ERROR: line 110: add rule netdev test-netdev egress ip version 4 ip hdrlength 5: This rule should not have failed. -ip/ip.t: ERROR: line 111: add rule netdev test-netdev egress ip hdrlength 0: This rule should not have failed. 
-ip/ip.t: ERROR: line 112: add rule netdev test-netdev egress ip hdrlength 15: This rule should not have failed. -ip/ip.t: ERROR: line 113: add rule netdev test-netdev egress ip hdrlength vmap { 0-4 : drop, 5 : accept, 6 : continue } counter: This rule should not have failed. -ip/ip.t: ERROR: line 117: add rule netdev test-netdev egress iif "lo" ip daddr set 127.0.0.1: This rule should not have failed. -ip/ip.t: ERROR: line 118: add rule netdev test-netdev egress iif "lo" ip checksum set 0: This rule should not have failed. -ip/ip.t: ERROR: line 119: add rule netdev test-netdev egress iif "lo" ip id set 0: This rule should not have failed. -ip/ip.t: ERROR: line 120: add rule netdev test-netdev egress iif "lo" ip ecn set 1: This rule should not have failed. -ip/ip.t: ERROR: line 121: add rule netdev test-netdev egress iif "lo" ip ecn set ce: This rule should not have failed. -ip/ip.t: ERROR: line 122: add rule netdev test-netdev egress iif "lo" ip ttl set 23: This rule should not have failed. -ip/ip.t: ERROR: line 123: add rule netdev test-netdev egress iif "lo" ip protocol set 1: This rule should not have failed. -ip/ip.t: ERROR: line 125: add rule netdev test-netdev egress iif "lo" ip dscp set af23: This rule should not have failed. -ip/ip.t: ERROR: line 126: add rule netdev test-netdev egress iif "lo" ip dscp set cs0: This rule should not have failed. -ip/ip.t: ERROR: line 128: add rule netdev test-netdev egress ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 }: This rule should not have failed. -ip/ip.t: ERROR: line 129: add rule netdev test-netdev egress ip saddr . ip daddr vmap { 192.168.5.1-192.168.5.128 . 192.168.6.1-192.168.6.128 : accept }: This rule should not have failed. -ip/ip.t: ERROR: line 129: The chain egress does not exist in netdev test-netdev. I cannot delete it. -ip/snat.t: ERROR: line 17: add rule ip test-ip4 postrouting snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24 }: This rule should not have failed. 
-ip/meta.t: ERROR: line 16: add rule ip test-ip4 input meta sdif "lo" accept: This rule should not have failed. -ip/meta.t: ERROR: line 17: add rule ip test-ip4 input meta sdifname != "vrf1" accept: This rule should not have failed. -ip6/sets.t: ERROR: line 3: I cannot create the chain 'egress' -ip6/sets.t: ERROR: line 25: add rule netdev test-netdev egress ip6 saddr @set2 drop: This rule should not have failed. -ip6/sets.t: ERROR: line 26: add rule netdev test-netdev egress ip6 saddr != @set2 drop: This rule should not have failed. -ip6/sets.t: ERROR: line 42: add rule netdev test-netdev egress ip6 saddr . ip6 daddr @set5 drop: This rule should not have failed. -ip6/sets.t: ERROR: line 43: add rule netdev test-netdev egress add @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed. -ip6/sets.t: ERROR: line 44: add rule ip6 test-ip6 input delete @set5 { ip6 saddr . ip6 daddr }: This rule should not have failed. -ip6/sets.t: ERROR: line 44: The chain egress does not exist in netdev test-netdev. I cannot delete it. -ip6/frag.t: ERROR: line 3: I cannot create the chain 'egress' -ip6/frag.t: ERROR: line 9: add rule netdev test-netdev egress frag nexthdr tcp: This rule should not have failed. -ip6/frag.t: ERROR: line 10: add rule netdev test-netdev egress frag nexthdr != icmp: This rule should not have failed. -ip6/frag.t: ERROR: line 11: add rule netdev test-netdev egress frag nexthdr {esp, ah, comp, udp, udplite, tcp, dccp, sctp}: This rule should not have failed. -ip6/frag.t: ERROR: line 12: add rule netdev test-netdev egress frag nexthdr != {esp, ah, comp, udp, udplite, tcp, dccp, sctp}: This rule should not have failed. -ip6/frag.t: ERROR: line 13: add rule netdev test-netdev egress frag nexthdr esp: This rule should not have failed. -ip6/frag.t: ERROR: line 14: add rule netdev test-netdev egress frag nexthdr ah: This rule should not have failed. 
-ip6/frag.t: ERROR: line 16: add rule netdev test-netdev egress frag reserved 22: This rule should not have failed. -ip6/frag.t: ERROR: line 17: add rule netdev test-netdev egress frag reserved != 233: This rule should not have failed. -ip6/frag.t: ERROR: line 18: add rule netdev test-netdev egress frag reserved 33-45: This rule should not have failed. -ip6/frag.t: ERROR: line 19: add rule netdev test-netdev egress frag reserved != 33-45: This rule should not have failed. -ip6/frag.t: ERROR: line 20: add rule netdev test-netdev egress frag reserved { 33, 55, 67, 88}: This rule should not have failed. -ip6/frag.t: ERROR: line 21: add rule netdev test-netdev egress frag reserved != { 33, 55, 67, 88}: This rule should not have failed. -ip6/frag.t: ERROR: line 23: add rule netdev test-netdev egress frag frag-off 22: This rule should not have failed. -ip6/frag.t: ERROR: line 24: add rule netdev test-netdev egress frag frag-off != 233: This rule should not have failed. -ip6/frag.t: ERROR: line 25: add rule netdev test-netdev egress frag frag-off 33-45: This rule should not have failed. -ip6/frag.t: ERROR: line 26: add rule netdev test-netdev egress frag frag-off != 33-45: This rule should not have failed. -ip6/frag.t: ERROR: line 27: add rule netdev test-netdev egress frag frag-off { 33, 55, 67, 88}: This rule should not have failed. -ip6/frag.t: ERROR: line 28: add rule netdev test-netdev egress frag frag-off != { 33, 55, 67, 88}: This rule should not have failed. -ip6/frag.t: ERROR: line 30: add rule netdev test-netdev egress frag reserved2 1: This rule should not have failed. -ip6/frag.t: ERROR: line 31: add rule netdev test-netdev egress frag more-fragments 0: This rule should not have failed. -ip6/frag.t: ERROR: line 32: add rule netdev test-netdev egress frag more-fragments 1: This rule should not have failed. -ip6/frag.t: ERROR: line 34: add rule netdev test-netdev egress frag id 1: This rule should not have failed. 
-ip6/frag.t: ERROR: line 35: add rule netdev test-netdev egress frag id 22: This rule should not have failed. -ip6/frag.t: ERROR: line 36: add rule netdev test-netdev egress frag id != 33: This rule should not have failed. -ip6/frag.t: ERROR: line 37: add rule netdev test-netdev egress frag id 33-45: This rule should not have failed. -ip6/frag.t: ERROR: line 38: add rule netdev test-netdev egress frag id != 33-45: This rule should not have failed. -ip6/frag.t: ERROR: line 39: add rule netdev test-netdev egress frag id { 33, 55, 67, 88}: This rule should not have failed. -ip6/frag.t: ERROR: line 40: add rule netdev test-netdev egress frag id != { 33, 55, 67, 88}: This rule should not have failed. -ip6/frag.t: ERROR: line 40: The chain egress does not exist in netdev test-netdev. I cannot delete it. -ip6/meta.t: ERROR: line 15: add rule ip6 test-ip6 input meta sdif "lo" accept: This rule should not have failed. -ip6/meta.t: ERROR: line 16: add rule ip6 test-ip6 input meta sdifname != "vrf1" accept: This rule should not have failed. -ip6/vmap.t: ERROR: line 3: I cannot create the chain 'egress' -ip6/vmap.t: ERROR: line 9: add rule netdev test-netdev egress ip6 saddr vmap { abcd::3 : accept }: This rule should not have failed. -ip6/vmap.t: ERROR: line 14: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 15: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 16: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 17: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234:1234:1234 : accept}: This rule should not have failed. 
-ip6/vmap.t: ERROR: line 18: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 19: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 20: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234::1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 21: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234::1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 22: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:1234:: : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 23: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 24: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 25: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 26: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 27: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 28: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234::1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 29: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:1234:: : accept}: This rule should not have failed. 
-ip6/vmap.t: ERROR: line 30: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 31: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 32: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 33: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 34: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234::1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 35: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:1234:: : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 36: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 37: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 38: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 39: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234::1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 40: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:1234:: : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 41: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 42: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234:1234 : accept}: This rule should not have failed. 
-ip6/vmap.t: ERROR: line 43: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234::1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 44: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:1234:: : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 45: add rule netdev test-netdev egress ip6 saddr vmap { ::1234:1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 46: add rule netdev test-netdev egress ip6 saddr vmap { 1234::1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 47: add rule netdev test-netdev egress ip6 saddr vmap { 1234:1234:: : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 48: add rule netdev test-netdev egress ip6 saddr vmap { ::1234 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 49: add rule netdev test-netdev egress ip6 saddr vmap { 1234:: : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 50: add rule netdev test-netdev egress ip6 saddr vmap { ::/64 : accept}: This rule should not have failed. -ip6/vmap.t: ERROR: line 52: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:: : accept, ::aaaa : drop}: This rule should not have failed. -ip6/vmap.t: ERROR: line 53: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept, ::bbbb : drop}: This rule should not have failed. -ip6/vmap.t: ERROR: line 54: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::cccc : drop}: This rule should not have failed. -ip6/vmap.t: ERROR: line 55: add rule netdev test-netdev egress ip6 saddr vmap {1234:1234:1234:1234:1234:1234:aaaa:::accept,::dddd: drop}: This rule should not have failed. -ip6/vmap.t: ERROR: line 58: The chain egress does not exist in netdev test-netdev. I cannot delete it. 
-netdev/fwd.t: ERROR: line 2: I cannot create the chain 'egress' -netdev/fwd.t: ERROR: line 6: add rule netdev test-netdev egress fwd to "lo": This rule should not have failed. -netdev/fwd.t: ERROR: line 7: add rule netdev test-netdev egress fwd to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}: This rule should not have failed. -netdev/fwd.t: ERROR: line 9: add rule netdev test-netdev egress fwd ip to 192.168.2.200 device "lo": This rule should not have failed. -netdev/fwd.t: ERROR: line 9: The chain egress does not exist in netdev test-netdev. I cannot delete it. -netdev/reject.t: ERROR: line 5: add rule netdev test-netdev ingress reject with icmp host-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 6: add rule netdev test-netdev ingress reject with icmp net-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 7: add rule netdev test-netdev ingress reject with icmp prot-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 8: add rule netdev test-netdev ingress reject with icmp port-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 9: add rule netdev test-netdev ingress reject with icmp net-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 10: add rule netdev test-netdev ingress reject with icmp host-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 11: add rule netdev test-netdev ingress reject with icmp admin-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 13: add rule netdev test-netdev ingress reject with icmpv6 no-route: This rule should not have failed. -netdev/reject.t: ERROR: line 14: add rule netdev test-netdev ingress reject with icmpv6 admin-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 15: add rule netdev test-netdev ingress reject with icmpv6 addr-unreachable: This rule should not have failed. 
-netdev/reject.t: ERROR: line 16: add rule netdev test-netdev ingress reject with icmpv6 port-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 17: add rule netdev test-netdev ingress reject with icmpv6 policy-fail: This rule should not have failed. -netdev/reject.t: ERROR: line 18: add rule netdev test-netdev ingress reject with icmpv6 reject-route: This rule should not have failed. -netdev/reject.t: ERROR: line 20: add rule netdev test-netdev ingress mark 12345 reject with tcp reset: This rule should not have failed. -netdev/reject.t: ERROR: line 22: add rule netdev test-netdev ingress reject: This rule should not have failed. -netdev/reject.t: ERROR: line 23: add rule netdev test-netdev ingress meta protocol ip reject: This rule should not have failed. -netdev/reject.t: ERROR: line 24: add rule netdev test-netdev ingress meta protocol ip6 reject: This rule should not have failed. -netdev/reject.t: ERROR: line 26: add rule netdev test-netdev ingress reject with icmpx host-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 27: add rule netdev test-netdev ingress reject with icmpx no-route: This rule should not have failed. -netdev/reject.t: ERROR: line 28: add rule netdev test-netdev ingress reject with icmpx admin-prohibited: This rule should not have failed. -netdev/reject.t: ERROR: line 29: add rule netdev test-netdev ingress reject with icmpx port-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 31: add rule netdev test-netdev ingress meta protocol ip reject with icmp host-unreachable: This rule should not have failed. -netdev/reject.t: ERROR: line 32: add rule netdev test-netdev ingress meta protocol ip6 reject with icmpv6 no-route: This rule should not have failed. -netdev/reject.t: ERROR: line 39: add rule netdev test-netdev ingress meta protocol ip reject with icmpx admin-prohibited: This rule should not have failed. 
-netdev/reject.t: ERROR: line 40: add rule netdev test-netdev ingress meta protocol ip6 reject with icmpx admin-prohibited: This rule should not have failed.
-netdev/dup.t: ERROR: line 2: I cannot create the chain 'egress'
-netdev/dup.t: ERROR: line 6: add rule netdev test-netdev egress dup to "lo": This rule should not have failed.
-netdev/dup.t: ERROR: line 7: add rule netdev test-netdev egress dup to meta mark map { 0x00000001 : "lo", 0x00000002 : "lo"}: This rule should not have failed.
-netdev/dup.t: ERROR: line 8: The chain egress does not exist in netdev test-netdev. I cannot delete it.
diff --git a/SOURCES/run-tests.stderr.expect b/SOURCES/run-tests.stderr.expect
deleted file mode 100644
index 77cf01e..0000000
--- a/SOURCES/run-tests.stderr.expect
+++ /dev/null
@@ -1,27 +0,0 @@
-W: [FAILED] ././tests/shell/testcases/cache/0008_delete_by_handle_0
-W: [FAILED] ././tests/shell/testcases/cache/0010_implicit_chain_0
-W: [FAILED] ././tests/shell/testcases/chains/0021prio_0
-W: [FAILED] ././tests/shell/testcases/chains/0040mark_shift_0
-W: [FAILED] ././tests/shell/testcases/chains/0040mark_shift_1
-W: [FAILED] ././tests/shell/testcases/chains/0041chain_binding_0
-W: [FAILED] ././tests/shell/testcases/chains/0043chain_ingress_0
-W: [FAILED] ././tests/shell/testcases/flowtable/0013addafterdelete_0
-W: [FAILED] ././tests/shell/testcases/flowtable/0014addafterdelete_0
-W: [FAILED] ././tests/shell/testcases/listing/0013objects_0
-W: [FAILED] ././tests/shell/testcases/maps/0011vmap_0
-W: [FAILED] ././tests/shell/testcases/maps/typeof_integer_0
-W: [FAILED] ././tests/shell/testcases/maps/typeof_maps_0
-W: [FAILED] ././tests/shell/testcases/maps/typeof_raw_0
-W: [FAILED] ././tests/shell/testcases/nft-f/0017ct_timeout_obj_0
-W: [FAILED] ././tests/shell/testcases/nft-f/0018ct_expectation_obj_0
-W: [DUMP FAIL] ././tests/shell/testcases/optionals/comments_chain_0
-W: [FAILED] ././tests/shell/testcases/optionals/comments_objects_0
-W: [DUMP FAIL] ././tests/shell/testcases/optionals/comments_table_0
-W: [FAILED] ././tests/shell/testcases/owner/0001-flowtable-uaf
-W: [FAILED] ././tests/shell/testcases/sets/0024named_objects_0
-W: [FAILED] ././tests/shell/testcases/sets/0044interval_overlap_0
-W: [FAILED] ././tests/shell/testcases/sets/0046netmap_0
-W: [FAILED] ././tests/shell/testcases/sets/0063set_catchall_0
-W: [FAILED] ././tests/shell/testcases/sets/0064map_catchall_0
-W: [FAILED] ././tests/shell/testcases/sets/typeof_raw_0
-W: [FAILED] ././tests/shell/testcases/sets/typeof_sets_0
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
deleted file mode 100644
index b988917..0000000
--- a/SPECS/nftables.spec
+++ /dev/null
@@ -1,532 +0,0 @@ -%define nft_rpmversion 1.0.4 -%define nft_specrelease 4 -%define libnftnl_ver 1.2.2-1 - -Name: nftables -Version: %{nft_rpmversion} -Release: %{nft_specrelease}%{?dist}%{?buildid} -# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track. -Epoch: 1 -Summary: Netfilter Tables userspace utillites - -License: GPLv2 -URL: https://netfilter.org/projects/nftables/ -Source0: %{url}/files/%{name}-%{version}.tar.bz2 -Source1: nftables.service -Source2: nftables.conf -Source3: main.nft -Source4: router.nft -Source5: nat.nft -Source6: nft-test.stderr.expect -Source7: run-tests.stderr.expect -Source8: monitor-run-tests.stderr.expect - -Patch1: 0001-tests-shell-runtime-set-element-automerge.patch -Patch2: 0002-rule-collapse-set-element-commands.patch -Patch3: 0003-intervals-do-not-report-exact-overlaps-for-new-eleme.patch -Patch4: 0004-intervals-do-not-empty-cache-for-maps.patch -Patch5: 0005-intervals-Do-not-sort-cached-set-elements-over-and-o.patch -Patch6: 0006-doc-Document-limitations-of-ipsec-expression-with-xf.patch -Patch7: 0007-tests-py-Add-a-test-for-failing-ipsec-after-counter.patch -Patch8: 0008-parser-add-missing-synproxy-scope-closure.patch -Patch9: 0009-scanner-don-t-pop-active-flex-scanner-scope.patch -Patch10: 0010-intervals-fix-crash-when-trying-to-remove-element-in.patch -Patch11: 0011-intervals-check-for-EXPR_F_REMOVE-in-case-of-element.patch -Patch12: 0012-netlink_delinearize-allow-postprocessing-on-concaten.patch -Patch13: 0013-netlink_delinearize-postprocess-binary-ands-in-conca.patch -Patch14: 0014-proto-track-full-stack-of-seen-l2-protocols-not-just.patch -Patch15: 0015-debug-dump-the-l2-protocol-stack.patch -Patch16: 0016-tests-add-a-test-case-for-ether-and-vlan-listing.patch -Patch17: 0017-netlink_delinearize-also-postprocess-OP_AND-in-set-e.patch -Patch18: 0018-evaluate-search-stacked-header-list-for-matching-pay.patch -Patch19: 0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch -Patch20: 
0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch -Patch21: 0021-monitor-Sanitize-startup-race-condition.patch -Patch22: 0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch -Patch23: 0023-netlink_linearize-fix-timeout-with-map-updates.patch -Patch24: 0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch -Patch25: 0025-owner-Fix-potential-array-out-of-bounds-access.patch -Patch26: 0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch -Patch27: 0027-meta-parse_iso_date-returns-boolean.patch -Patch28: 0028-netlink-Fix-for-potential-NULL-pointer-deref.patch -Patch29: 0029-optimize-Do-not-return-garbage-from-stack.patch -Patch30: 0030-optimize-Clarify-chain_optimize-array-allocations.patch -Patch31: 0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch -Patch32: 0032-tests-monitor-Summarize-failures-per-test-case.patch -Patch33: 0033-rule-check-address-family-in-set-collapse.patch -Patch34: 0034-parser_bison-Fix-for-broken-compatibility-with-older.patch - -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool -BuildRequires: make -BuildRequires: gcc -BuildRequires: flex -BuildRequires: bison -BuildRequires: pkgconfig(libmnl) >= 1.0.4 -BuildRequires: gmp-devel -BuildRequires: readline-devel -BuildRequires: pkgconfig(libnftnl) >= %{libnftnl_ver} -BuildRequires: systemd -BuildRequires: asciidoc -BuildRequires: pkgconfig(xtables) >= 1.6.1 -BuildRequires: jansson-devel -BuildRequires: python3-devel - -Requires: libnftnl >= %{libnftnl_ver} - -%description -Netfilter Tables userspace utilities. - -%package devel -Summary: Development library for nftables / libnftables -Group: Development/Libraries -Requires: %{name} = %{epoch}:%{version}-%{release} -Requires: pkgconfig - -%description devel -Development tools and static libraries and header files for the libnftables library. 
- -%package -n python3-nftables -Summary: Python module providing an interface to libnftables -Requires: %{name} = %{epoch}:%{version}-%{release} - -%description -n python3-nftables -The nftables python module provides an interface to libnftables via ctypes. - -%prep -%autosetup -p1 -cp -a %{SOURCE6} ./tests/py/ -cp -a %{SOURCE7} ./tests/shell/ -cp -a %{SOURCE8} ./tests/monitor/run-tests.stderr.expect - -%build -autoreconf -fi -rm -Rf autom4te*.cache config.h.in~ -%configure --disable-silent-rules --with-json --with-xtables \ - --enable-python --with-python-bin=%{__python3} --with-cli=readline -make %{?_smp_mflags} - -%install -%make_install -find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' - -# Don't ship static lib (for now at least) -rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a - -chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft* - -mkdir -p $RPM_BUILD_ROOT/%{_unitdir} -cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/ - -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig -cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ - -rm $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft -cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \ - $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/ - -find $RPM_BUILD_ROOT/%{_sysconfdir} \ - \( -type d -exec chmod 0700 {} \; \) , \ - \( -type f -exec chmod 0600 {} \; \) - -# make nftables.py use the real library file name -# to avoid nftables-devel package dependency -sofile=$(readlink $RPM_BUILD_ROOT/%{_libdir}/libnftables.so) -sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \ - $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py -touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py - -%post -%systemd_post nftables.service - -%preun -%systemd_preun nftables.service - -%postun -%systemd_postun_with_restart nftables.service - -%post devel -%ldconfig_post - -%postun devel -%ldconfig_postun - -%files -%license COPYING -%config(noreplace) %{_sysconfdir}/nftables/ -%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf 
-%{_sbindir}/nft -%{_libdir}/libnftables.so.* -%{_mandir}/man5/libnftables-json.5* -%{_mandir}/man8/nft* -%{_unitdir}/nftables.service -%{_docdir}/nftables/examples/*.nft - -%files devel -%{_libdir}/libnftables.so -%{_libdir}/pkgconfig/libnftables.pc -%{_includedir}/nftables/libnftables.h -%{_mandir}/man3/libnftables.3* - -%files -n python3-nftables -%{python3_sitelib}/nftables-*.egg-info -%{python3_sitelib}/nftables/ - -%changelog -* Wed Nov 15 2023 Phil Sutter [1.0.4-4.el8] -- parser_bison: Fix for broken compatibility with older dumps (Phil Sutter) [RHEL-2596] - -* Thu Sep 21 2023 Phil Sutter [1.0.4-3.el8] -- spec: Rename variables to avoid a clash (Phil Sutter) [INTERNAL] -- rule: check address family in set collapse (Phil Sutter) [RHEL-5160] - -* Thu Jul 20 2023 Phil Sutter [1.0.4-2.el8] -- Add expected error records for testsuite runs (Phil Sutter) [2211076] -- tests: monitor: Summarize failures per test case (Phil Sutter) [2211076] - -* Tue May 30 2023 Phil Sutter [1.0.4-1.el8] -- Synchronize patch level with nftables-1.0.4-10.el9 (Phil Sutter) [2211076] -- Rebase onto version 1.0.4 (Phil Sutter) [2211076] - -* Thu Apr 28 2022 Phil Sutter [0.9.3-26.el8] -- libnftables: call nft_cmd_expand() only with CMD_ADD (Phil Sutter) [2073287] -- src: add CMD_OBJ_SETELEMS (Phil Sutter) [2073287] -- src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS (Phil Sutter) [2073287] -- rule: fix element cache update in __do_add_setelems() (Phil Sutter) [2073287] -- rule: memleak in __do_add_setelems() (Phil Sutter) [2073287] -- tests: shell: auto-removal of chain hook on netns removal (Phil Sutter) [2070924] -- mnl: do not use expr->identifier to fetch device name (Phil Sutter) [2070924] - -* Fri Feb 04 2022 Phil Sutter [0.9.3-25.el8] -- mnl: do not build nftnl_set element list (Phil Sutter) [2047821] -- tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773] -- evaluate: fix inet nat with no layer 3 info (Phil Sutter) [2030773] -- evaluate: attempt 
to set_eval flag if dynamic updates requested (Phil Sutter) [2039594] -- src: support for restoring element counters (Phil Sutter) [2039594] -- netlink: remove unused parameter from netlink_gen_stmt_stateful() (Phil Sutter) [2039594] - -* Wed Dec 08 2021 Phil Sutter [0.9.3-24.el8] -- tests: shell: better parameters for the interval stack overflow test (Phil Sutter) [1908127] -- tests: shell: $NFT needs to be invoked unquoted (Phil Sutter) [1908127] - -* Fri Nov 05 2021 Phil Sutter [0.9.3-23.el8] -- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") (Phil Sutter) [1908127] -- segtree: Fix segfault when restoring a huge interval set (Phil Sutter) [1908127] - -* Wed Oct 06 2021 Phil Sutter [0.9.3-22.el8] -- json: Drop pointless assignment in exthdr_expr_json() (Phil Sutter) [1999059] -- parser_json: Fix for memleak in tcp option error path (Phil Sutter) [1999059] -- parser_bison: Fix for implicit declaration of isalnum (Phil Sutter) [1999059] -- parser_json: Fix error reporting for invalid syntax (Phil Sutter) [1994141] - -* Mon Aug 02 2021 Phil Sutter [0.9.3-21.el8] -- tests: shell: Fix bogus testsuite failure with 100Hz (Phil Sutter) [1919203] -- doc: nft.8: Extend monitor description by trace (Phil Sutter) [1820365] -- include: missing sctp_chunk.h in Makefile.am (Phil Sutter) [1979334] -- exthdr: Implement SCTP Chunk matching (Phil Sutter) [1979334] -- scanner: sctp: Move to own scope (Phil Sutter) [1979334] -- scanner: introduce start condition stack (Phil Sutter) [1979334] -- json: Simplify non-tcpopt exthdr printing a bit (Phil Sutter) [1979334] -- json: tcp: add raw tcp option match support (Phil Sutter) [1979334] -- tcp: add raw tcp option match support (Phil Sutter) [1979334] -- tcpopt: allow to check for presence of any tcp option (Phil Sutter) [1979334] -- tcpopt: split tcpopt_hdr_fields into per-option enum (Phil Sutter) [1979334] -- tcpopt: rename noop to nop (Phil Sutter) [1979334] -- tcpopts: clean up parser -> 
tcpopt.c plumbing (Phil Sutter) [1979334] -- parser: merge sack-perm/sack-permitted and maxseg/mss (Phil Sutter) [1979334] -- tests/py: Move tcpopt.t to any/ directory (Phil Sutter) [1979334] - -* Thu May 20 2021 Phil Sutter [0.9.3-20.el8] -- src: Optimize prefix matches on byte-boundaries (Phil Sutter) [1934926] -- src: Support odd-sized payload matches (Phil Sutter) [1934926] -- spec: Add an rpminspect.yaml file to steer rpminspect (Phil Sutter) [1962184] -- spec: Explicitly state dist string in Release tag (Phil Sutter) [1962184] - -* Wed May 19 2021 Phil Sutter [0.9.3-19.el8] -- evaluate: Reject quoted strings containing only wildcard (Phil Sutter) [1818117] -- tests: monitor: use correct $nft value in EXIT trap (Phil Sutter) [1919203] -- monitor: Fix for use after free when printing map elements (Phil Sutter) [1919203] -- tests: Disable tests known to fail on RHEL8 (Phil Sutter) [1919203] - -* Sat Feb 20 2021 Phil Sutter [0.9.3-18.el8] -- json: init parser state for every new buffer/file (Phil Sutter) [1930873] - -* Tue Jan 12 2021 Phil Sutter [0.9.3-17.el8] -- json: don't leave dangling pointers on hlist (Phil Sutter) [1900565] -- json: Fix seqnum_to_json() functionality (Phil Sutter) [1900565] -- json: echo: Speedup seqnum_to_json() (Phil Sutter) [1900565] -- proto: Fix ARP header field ordering (Phil Sutter) [1896334] -- proto: add sctp crc32 checksum fixup (Phil Sutter) [1895804] -- mergesort: unbreak listing with binops (Phil Sutter) [1891790] -- evaluate: missing datatype definition in implicit_set_declaration() (Phil Sutter) [1877022] -- evaluate: Perform set evaluation on implicitly declared (anonymous) sets (Phil Sutter) [1877022] -- src: store expr, not dtype to track data in sets (Phil Sutter) [1877022] - -* Sat Aug 08 2020 Phil Sutter [0.9.3-16.el8] -- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1820684] -- include: Resync nf_tables.h cache copy (Phil Sutter) [1820684] - -* Tue Jun 30 2020 Phil Sutter 
[0.9.3-15.el8] -- segtree: Fix get element command with prefixes (Phil Sutter) [1832235] -- tests: 0034get_element_0: do not discard stderr (Phil Sutter) [1832235] -- segtree: Merge get_set_interval_find() and get_set_interval_end() (Phil Sutter) [1832235] -- segtree: Use expr_clone in get_set_interval_*() (Phil Sutter) [1832235] -- segtree: Fix missing expires value in prefixes (Phil Sutter) [1832235] - -* Wed Jun 24 2020 Phil Sutter [0.9.3-14.el8] -- JSON: Improve performance of json_events_cb() (Phil Sutter) [1835300] -- doc: Document notrack statement (Phil Sutter) [1841292] - -* Wed May 27 2020 Phil Sutter [0.9.3-13.el8] -- parser_json: Support ranges in concat expressions (Phil Sutter) [1805798] - -* Thu Mar 26 2020 Phil Sutter [0.9.3-12.el8] -- Restore default config to be empty (Phil Sutter) [1694723] - -* Mon Feb 17 2020 Phil Sutter [0.9.3-11.el8] -- Package requires libnftnl-1.1.5-3 (Phil Sutter) [1795224] -- src: Add support for concatenated set ranges (Phil Sutter) [1795224] -- src: Add support for NFTNL_SET_DESC_CONCAT (Phil Sutter) [1795224] -- include: resync nf_tables.h cache copy (Phil Sutter) [1795224] -- parser: add a helper for concat expression handling (Phil Sutter) [1795224] - -* Wed Feb 12 2020 Phil Sutter [0.9.3-10.el8] -- scanner: Extend asteriskstring definition (Phil Sutter) [1763652] -- doc: nft.8: Mention wildcard interface matching (Phil Sutter) [1763652] -- tests: py: Support testing host binaries (Phil Sutter) [1754047] -- tests: monitor: Support testing host's nft binary (Phil Sutter) [1754047] -- tests: monitor: Support running individual test cases (Phil Sutter) [1754047] -- tests: json_echo: Support testing host binaries (Phil Sutter) [1754047] -- tests: json_echo: Fix for Python3 (Phil Sutter) [1754047] - -* Mon Jan 27 2020 Phil Sutter [0.9.3-9.el8] -- netlink: Avoid potential NULL-pointer deref in netlink_gen_payload_stmt() (Phil Sutter) [1793030] -- netlink: Fix leaks in netlink_parse_cmp() (Phil Sutter) [1793030] -- netlink: 
Fix leak in unterminated string deserializer (Phil Sutter) [1793030] - -* Fri Jan 17 2020 Phil Sutter [0.9.3-8.el8] -- cache: Fix for doubled output after reset command (Phil Sutter) [1790793] -- tests: shell: Search diff tool once and for all (Phil Sutter) [1790793] -- xfrm: spi is big-endian (Phil Sutter) [1790963] - -* Mon Jan 13 2020 Phil Sutter [0.9.3-7.el8] -- monitor: Fix output for ranges in anonymous sets (Phil Sutter) [1774742] - -* Fri Jan 10 2020 Phil Sutter [0.9.3-6.el8] -- monitor: Do not decompose non-anonymous sets (Phil Sutter) [1774742] -- main: restore --debug (Phil Sutter) [1778883] -- main: enforce options before commands (Phil Sutter) [1778883] - -* Fri Jan 10 2020 Phil Sutter [0.9.3-5.el8] -- Install an improved sample config (Phil Sutter) [1694723] - -* Wed Dec 04 2019 Phil Sutter [0.9.3-4.el8] -- Explicitly depend on newer libnftl version (Phil Sutter) [1643192] - -* Tue Dec 03 2019 Phil Sutter [0.9.3-3.el8] -- Fix permissions of osf-related configs (Phil Sutter) [1776462] - -* Tue Dec 03 2019 Phil Sutter [0.9.3-2.el8] -- Add example scripts to nftables package (Phil Sutter) [1643192] - -* Mon Dec 02 2019 Phil Sutter [0.9.3-1.el8] -- Rebase onto upstream release 0.9.3 (Phil Sutter) [1643192] - -* Mon Oct 21 2019 Phil Sutter [0.9.2-4.el8] -- tproxy: Add missing error checking when parsing from netlink (Phil Sutter) [1643192] -- parser_json: Fix checking of parse_policy() return code (Phil Sutter) [1643192] - -* Fri Oct 18 2019 Phil Sutter [0.9.2-3.el8] -- spec: Avoid multilib problems due to updated nftables.py (Phil Sutter) [1643192] - -* Fri Oct 18 2019 Phil Sutter [0.9.2-2.el8] -- rule: Fix for single line ct timeout printing (Phil Sutter) [1643192] -- tests/monitor: Fix for changed ct timeout format (Phil Sutter) [1643192] -- monitor: Add missing newline to error message (Phil Sutter) [1643192] -- src: restore --echo with anonymous sets (Phil Sutter) [1643192] - -* Tue Oct 15 2019 Phil Sutter [0.9.2-1.el8] -- src: obj: fix memleak in 
handle_free() (Phil Sutter) [1643192] -- libnftables: memleak when list of commands is empty (Phil Sutter) [1643192] -- mnl: do not cache sender buffer size (Phil Sutter) [1643192] -- src: meter: avoid double-space in list ruleset output (Phil Sutter) [1643192] -- src: parser_json: fix crash while restoring secmark object (Phil Sutter) [1643192] -- nftables: don't crash in 'list ruleset' if policy is not set (Phil Sutter) [1643192] -- json: tests: fix typo in ct expectation json test (Phil Sutter) [1643192] -- parser_bison: Fix 'exists' keyword on Big Endian (Phil Sutter) [1643192] -- json: fix type mismatch on "ct expect" json exporting (Phil Sutter) [1643192] -- libnftables: use-after-free in exit path (Phil Sutter) [1643192] -- netlink_delinearize: fix wrong conversion to "list" in ct mark (Phil Sutter) [1643192] -- mnl: fix --echo buffer size again (Phil Sutter) [1643192] -- parser_json: fix crash on insert rule to bad references (Phil Sutter) [1643192] -- evaluate: flag fwd and queue statements as terminal (Phil Sutter) [1643192] -- tests: shell: check that rule add with index works with echo (Phil Sutter) [1643192] -- cache: fix --echo with index/position (Phil Sutter) [1643192] -- src: secmark: fix brace indentation and missing quotes in selctx output (Phil Sutter) [1643192] -- Add python3-nftables sub-package (Phil Sutter) [1643192] -- Rebase onto upstream version 0.9.2 (Phil Sutter) [1643192] - -* Mon Aug 12 2019 Phil Sutter - 1:0.9.0-14 -- src: fix jumps on bigendian arches -- src: json: fix constant parsing on bigendian - -* Thu Aug 08 2019 Phil Sutter - 1:0.9.0-13 -- Fix for adding a rule with index and set reference - -* Wed Jul 31 2019 Phil Sutter - 1:0.9.0-12 -- Fix permissions of /etc/nftables directory - -* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-11 -- Fix segfault with xtables support - -* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-10 -- Fix typo in spec file - -* Wed Jun 26 2019 Phil Sutter - 1:0.9.0-9 -- Allow variables in jump statement -- Make 
example configs readable only by root -- Document nft list parameters -- Document vmap statement -- Install netdev-ingress.nft sample config in the right spot -- Backport upstream fixes since last release - -* Fri Mar 01 2019 Phil Sutter - 1:0.9.0-8 -- Add missing patch to spec file - -* Fri Dec 21 2018 Phil Sutter - 1:0.9.0-7 -- src: Reject 'export vm json' command - -* Tue Dec 18 2018 Phil Sutter - 1:0.9.0-6 -- Rebuild for updated libnftnl - -* Thu Dec 13 2018 Phil Sutter - 1:0.9.0-5 -- nft.8: Document log level audit -- nft.8: Clarify 'index' option of add rule command - -* Thu Oct 25 2018 Phil Sutter - 1:0.9.0-4 -- Add fixes for covscan report -- Fix for ECN keyword in LHS of relational -- Update meta pkt_type value description -- Fix for segfault with JSON output if xt expression is present -- Add missing nft suffix to files included from /etc/sysconfig/nftables.conf -- Use native JSON API in nft monitor - -* Thu Oct 11 2018 Phil Sutter - 1:0.9.0-3 -- Enable xtables support -- Enable JSON support - -* Mon Sep 10 2018 Phil Sutter - 1:0.9.0-2 -- Allow icmpx in inet/bridge families - -* Tue Aug 14 2018 Phil Sutter - 1:0.9.0-1 -- New version 0.9.0 -- Install libnftables -- Add devel sub-package -- Add gcc BuildRequires - -* Sat Mar 03 2018 Kevin Fenzi - 0.8.3-1 -- Update to 0.8.3. Fixes bug #1551207 - -* Thu Feb 08 2018 Fedora Release Engineering - 1:0.8.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Mon Feb 05 2018 Kevin Fenzi - 0.8.2-1 -- Update to 0.8.2. Fixes bug #1541582 - -* Tue Jan 16 2018 Kevin Fenzi - 0.8.1-1 -- Update to 0.8.1. Fixes bug #1534982 - -* Sun Oct 22 2017 Kevin Fenzi - 0.8-1 -- Update to 0.8. 
- -* Thu Aug 03 2017 Fedora Release Engineering - 1:0.7-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 1:0.7-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Fri Feb 10 2017 Fedora Release Engineering - 1:0.7-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Thu Jan 12 2017 Igor Gnatenko - 1:0.7-2 -- Rebuild for readline 7.x - -* Thu Dec 22 2016 Kevin Fenzi - 0.7-1 -- Update to 0.7 - -* Fri Jul 15 2016 Kevin Fenzi - 0.6-2 -- Rebuild for new glibc symbols - -* Thu Jun 02 2016 Kevin Fenzi - 0.6-1 -- Update to 0.6. - -* Sun Apr 10 2016 Kevin Fenzi - 0.5-4 -- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936 - -* Fri Mar 25 2016 Kevin Fenzi - 0.5-3 -- Add systemd unit file. Fixes bug #1313936 - -* Thu Feb 04 2016 Fedora Release Engineering - 1:0.5-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Thu Sep 17 2015 Kevin Fenzi 0.5-1 -- Update to 0.5 - -* Wed Jun 17 2015 Fedora Release Engineering - 1:0.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Sat Jan 10 2015 Kevin Fenzi 0.4-2 -- Add patch to fix nft -f dep gen. - -* Fri Dec 26 2014 Kevin Fenzi 0.4-1 -- Update to 0.4 -- Add Epoch to fix versioning. - -* Wed Sep 03 2014 Kevin Fenzi 0.100-4.20140903git -- Update to 20140903 snapshot - -* Sun Aug 17 2014 Fedora Release Engineering - 0.100-4.20140704git -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Fri Jul 04 2014 Kevin Fenzi 0.100-3.20140704git -- Update to new snapshot - -* Sat Jun 07 2014 Fedora Release Engineering - 0.100-2.20140426git -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sat Apr 26 2014 Kevin Fenzi 0.100-1.20140426git -- Update t0 20140426 - -* Sun Mar 30 2014 Kevin Fenzi 0.100-1.20140330git -- Update to 20140330 snapshot -- Sync versions to be post 0.100 release. 
- -* Wed Mar 26 2014 Kevin Fenzi 0-0.7.20140326git -- Update to 20140326 snapshot -- Fix permissions on man pages. - -* Mon Mar 24 2014 Kevin Fenzi 0-0.6.20140324git -- Update to 20140324 snapshot - -* Fri Mar 07 2014 Kevin Fenzi 0-0.5.20140307git -- Update to 20140307 - -* Sat Jan 25 2014 Kevin Fenzi 0-0.4.20140125git -- Update to 20140125 snapshot - -* Sat Jan 18 2014 Kevin Fenzi 0-0.3.20140118git -- Update to 20140118 snapshot -- Fixed License tag to be correct -- Fixed changelog -- nft scripts now use full path for nft -- Fixed man page building -- Dropped unneeded rm in install -- Patched build to not be silent. - -* Tue Dec 03 2013 Kevin Fenzi 0-0.2.20131202git -- Use upstream snapshots for source. -- Use 0 for version. - -* Sat Nov 30 2013 Kevin Fenzi 0-0.1 -- initial version for Fedora review diff --git a/SOURCES/main.nft b/main.nft similarity index 100% rename from SOURCES/main.nft rename to main.nft diff --git a/SOURCES/nat.nft b/nat.nft similarity index 79% rename from SOURCES/nat.nft rename to nat.nft index 905179c..d8e152d 100644 --- a/SOURCES/nat.nft +++ b/nat.nft @@ -18,9 +18,10 @@ table ip nftables_svc { elements = { 192.168.122.0/24 } } - # force port randomization for non-locally originated connections using - # suspicious port values to prevent port-shadow attacks, i.e. - # accidental matching of new inbound connections vs. existing ones + # [CVE-2021-3773] force port randomization for non-locally originated + # connections using suspicious port values to prevent port-shadow + # attacks, i.e. accidental matching of new inbound connections vs. + # existing ones chain do_masquerade { meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random masquerade diff --git a/SOURCES/nftables.conf b/nftables.conf similarity index 100% rename from SOURCES/nftables.conf rename to nftables.conf diff --git a/SOURCES/nftables.service b/nftables.service similarity index 100% rename from SOURCES/nftables.service rename to nftables.service 
diff --git a/nftables.spec b/nftables.spec
new file mode 100644
index 0000000..3bdb3ba
--- /dev/null
+++ b/nftables.spec
@@ -0,0 +1,389 @@
+Name: nftables
+Version: 1.0.9
+Release: 4%{?dist}
+# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
+Epoch: 1
+Summary: Netfilter Tables userspace utilites
+
+License: GPL-2.0-only
+URL: https://netfilter.org/projects/nftables/
+Source0: %{url}/files/%{name}-%{version}.tar.xz
+Source1: nftables.service
+Source2: nftables.conf
+Source3: main.nft
+Source4: router.nft
+Source5: nat.nft
+
+#BuildRequires: autogen
+#BuildRequires: autoconf
+#BuildRequires: automake
+#BuildRequires: libtool
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: flex
+BuildRequires: bison
+BuildRequires: pkgconfig(libmnl) >= 1.0.4
+BuildRequires: gmp-devel
+BuildRequires: pkgconfig(libnftnl) >= 1.2.3
+BuildRequires: systemd
+BuildRequires: asciidoc
+BuildRequires: pkgconfig(xtables) >= 1.6.1
+BuildRequires: jansson-devel
+BuildRequires: python3-devel
+BuildRequires: readline-devel
+BuildRequires: libedit-devel
+BuildRequires: python3-setuptools
+
+%generate_buildrequires
+cd py/
+%pyproject_buildrequires
+
+%description
+Netfilter Tables userspace utilities.
+
+%package devel
+Summary: Development library for nftables / libnftables
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: pkgconfig
+
+%description devel
+Headers, man pages and other development files for the libnftables library.
+
+%package -n python3-nftables
+Summary: Python module providing an interface to libnftables
+Requires: %{name} = %{epoch}:%{version}-%{release}
+%{?python_provide:%python_provide python3-nftables}
+
+%description -n python3-nftables
+The nftables python module provides an interface to libnftables via ctypes.
+
+%prep
+%autosetup -p1
+
+%build
+#./autogen.sh
+%configure --disable-silent-rules --with-xtables --with-json
+%make_build
+cd py/
+%pyproject_wheel
+
+%install
+%make_install
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+# Don't ship static lib (for now at least)
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
+
+# drop vendor-provided configs, they are not really useful
+rm -f $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft
+
+chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
+
+mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
+cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
+
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
+cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
+
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
+ $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
+
+find $RPM_BUILD_ROOT/%{_sysconfdir} \
+ \( -type d -exec chmod 0700 {} \; \) , \
+ \( -type f -exec chmod 0600 {} \; \)
+
+cd py/
+%pyproject_install
+%pyproject_save_files nftables
+
+%post
+%systemd_post nftables.service
+%ldconfig_post
+
+%preun
+%systemd_preun nftables.service
+
+%postun
+%systemd_postun_with_restart nftables.service
+%ldconfig_postun
+
+%files
+%license COPYING
+%config(noreplace) %{_sysconfdir}/nftables/
+%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
+%{_sbindir}/nft
+%{_libdir}/libnftables.so.*
+%{_mandir}/man5/libnftables-json.5*
+%{_mandir}/man8/nft*
+%{_unitdir}/nftables.service
+%{_docdir}/nftables/examples/*.nft
+
+%files devel
+%{_libdir}/libnftables.so
+%{_libdir}/pkgconfig/libnftables.pc
+%{_includedir}/nftables/libnftables.h
+%{_mandir}/man3/libnftables.3*
+
+%files -n python3-nftables -f %{pyproject_files}
+
+%changelog
+* Mon Jun 24 2024 Troy Dawson - 1:1.0.9-4
+- Bump release for June 2024 mass rebuild
+
+* Thu Jan 25 2024 Fedora Release Engineering - 1:1.0.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering - 1:1.0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Oct 19 2023 Phil Sutter - 1:1.0.9-1 +- Fix devel sub-package description +- Utilize pyproject-rpm-macros for the python sub-package +- new version 1.0.9 + +* Fri Aug 11 2023 Phil Sutter - 1:1.0.7-4 +- Convert license to SPDX format + +* Thu Jul 20 2023 Fedora Release Engineering - 1:1.0.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jun 15 2023 Python Maint - 1:1.0.7-2 +- Rebuilt for Python 3.12 + +* Sat Apr 01 2023 Kevin Fenzi - 1.0.7-1 +- Update to 1.0.7. Fixes rhbz#2155658 +- Build the package with setuptools instead of distutils. Fixes: rhbz#2154872 + +* Thu Jan 19 2023 Fedora Release Engineering - 1:1.0.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Aug 10 2022 Phil Sutter - 1:1.0.5-1 +- New version 1.0.5 + +* Fri Jul 22 2022 Fedora Release Engineering - 1:1.0.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 13 2022 Python Maint - 1:1.0.4-2 +- Rebuilt for Python 3.11 + +* Fri Jun 10 2022 Phil Sutter - 1:1.0.4-1 +- Review package dependencies +- Update to 1.0.4. Fixes rhbz#2056594 + +* Tue Mar 08 2022 Phil Sutter - 1:1.0.1-4 +- Prevent port-shadow attacks in sample nat config. Fixes rhbz#2061917 + +* Thu Feb 03 2022 Phil Sutter - 1:1.0.1-3 +- Ship a more advanced default config. Fixes rhbz#1999596 + +* Thu Jan 20 2022 Fedora Release Engineering - 1:1.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Sat Nov 27 2021 Kevin Fenzi - 1.0.1-1 +- Update to 1.1.1. Fixes rhbz#2024594 + +* Fri Aug 27 2021 Kevin Fenzi - 1.0.0-1 +- Update to 1.1.0. Fixes rhbz#1995737 + +* Thu Jul 22 2021 Fedora Release Engineering - 1:0.9.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jun 04 2021 Python Maint - 1:0.9.9-2 +- Rebuilt for Python 3.10 + +* Wed Jun 02 2021 Phil Sutter - 1:0.9.9-1 +- Update to 0.9.9. 
Fixes rhbz#1964718 + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1:0.9.8-3 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Tue Jan 26 2021 Fedora Release Engineering - 1:0.9.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Sat Jan 16 2021 Kevin Fenzi - 0.9.8-1 +- Update to 0.9.8. Fixes rhbz#1916940 + +* Sat Oct 31 2020 Kevin Fenzi - 0.9.7-1 +- Update to 0.9.7. Fixes bug #1891769 + +* Thu Oct 29 2020 Stephen Gallagher - 1:0.9.6-2 +- Drop upstreamed patch + +* Sat Sep 05 2020 Neal Gompa - 1:0.9.6-1 +- Update to 0.9.6 (RH#1846663) + +* Tue Jul 28 2020 Fedora Release Engineering - 1:0.9.3-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 1:0.9.3-5 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Tue May 26 2020 Miro Hrončok - 1:0.9.3-4 +- Rebuilt for Python 3.9 + +* Fri May 15 2020 Richard Shaw - 1:0.9.3-3 +- Add patch for json performance with ipsets, fixes RHBZ#1834853. + +* Wed Jan 29 2020 Fedora Release Engineering - 1:0.9.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Dec 04 2019 Phil Sutter - 1:0.9.3-1 +- Update to 0.9.3. Fixes bug #1778959 + +* Tue Oct 01 2019 Phil Sutter - 1:0.9.2-3 +- Drop unneeded docbook2X build dependency +- Add python3-nftables sub-package + +* Fri Aug 23 2019 Kevin Fenzi - 0.9.2-2 +- Move libnftables section 3 man page to devel package. + +* Fri Aug 23 2019 Kevin Fenzi - 0.9.2-1 +- Update to 0.9.2. Fixes bug #1743223 + +* Thu Jul 25 2019 Fedora Release Engineering - 1:0.9.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jun 28 2019 Kevin Fenzi - 0.9.1-2 +- Add some filters to nftables.conf + +* Tue Jun 25 2019 Kevin Fenzi - 0.9.1-1 +- Update to 0.9.1. Fixes bug #1723515 + +* Mon Jun 17 2019 Kevin Fenzi - 0.9.0-7 +- Rebuild for new libnftnl. 
+ +* Sat Mar 16 2019 Kevin Fenzi - 1:0.9.0-6 +- Fix permissions. Bug #1685242 + +* Sun Feb 17 2019 Igor Gnatenko - 1:0.9.0-5 +- Rebuild for readline 8.0 + +* Fri Feb 01 2019 Fedora Release Engineering - 1:0.9.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sun Nov 04 2018 Kevin Fenzi - 0.9.0-3 +- Fix config file to have correct include names. Fixes bug #1642103 + +* Fri Jul 13 2018 Fedora Release Engineering - 1:0.9.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Sat Jun 09 2018 Kevin Fenzi - 0.9.0-1 +- Update to 0.9.0. Fixes bug #1589404 + +* Fri May 11 2018 Kevin Fenzi - 0.8.5-1 +- Update to 0.8.5. Fixes bug #1576802 + +* Sun May 06 2018 Kevin Fenzi - 0.8.4-2 +- Fix devel package to require the Epoch too. +- Fix libraries split + +* Fri May 04 2018 Kevin Fenzi - 0.8.4-1 +- Update to 0.8.4. Fixes bug #1574096 + +* Sat Mar 03 2018 Kevin Fenzi - 0.8.3-1 +- Update to 0.8.3. Fixes bug #1551207 + +* Thu Feb 08 2018 Fedora Release Engineering - 1:0.8.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Feb 05 2018 Kevin Fenzi - 0.8.2-1 +- Update to 0.8.2. Fixes bug #1541582 + +* Tue Jan 16 2018 Kevin Fenzi - 0.8.1-1 +- Update to 0.8.1. Fixes bug #1534982 + +* Sun Oct 22 2017 Kevin Fenzi - 0.8-1 +- Update to 0.8. + +* Thu Aug 03 2017 Fedora Release Engineering - 1:0.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1:0.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 1:0.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 12 2017 Igor Gnatenko - 1:0.7-2 +- Rebuild for readline 7.x + +* Thu Dec 22 2016 Kevin Fenzi - 0.7-1 +- Update to 0.7 + +* Fri Jul 15 2016 Kevin Fenzi - 0.6-2 +- Rebuild for new glibc symbols + +* Thu Jun 02 2016 Kevin Fenzi - 0.6-1 +- Update to 0.6. 
+
+* Sun Apr 10 2016 Kevin Fenzi - 0.5-4
+- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936
+
+* Fri Mar 25 2016 Kevin Fenzi - 0.5-3
+- Add systemd unit file. Fixes bug #1313936
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1:0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Sep 17 2015 Kevin Fenzi 0.5-1
+- Update to 0.5
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1:0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jan 10 2015 Kevin Fenzi 0.4-2
+- Add patch to fix nft -f dep gen.
+
+* Fri Dec 26 2014 Kevin Fenzi 0.4-1
+- Update to 0.4
+- Add Epoch to fix versioning.
+
+* Wed Sep 03 2014 Kevin Fenzi 0.100-4.20140903git
+- Update to 20140903 snapshot
+
+* Sun Aug 17 2014 Fedora Release Engineering - 0.100-4.20140704git
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 04 2014 Kevin Fenzi 0.100-3.20140704git
+- Update to new snapshot
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.100-2.20140426git
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Apr 26 2014 Kevin Fenzi 0.100-1.20140426git
+- Update t0 20140426
+
+* Sun Mar 30 2014 Kevin Fenzi 0.100-1.20140330git
+- Update to 20140330 snapshot
+- Sync versions to be post 0.100 release.
+
+* Wed Mar 26 2014 Kevin Fenzi 0-0.7.20140326git
+- Update to 20140326 snapshot
+- Fix permissions on man pages.
+
+* Mon Mar 24 2014 Kevin Fenzi 0-0.6.20140324git
+- Update to 20140324 snapshot
+
+* Fri Mar 07 2014 Kevin Fenzi 0-0.5.20140307git
+- Update to 20140307
+
+* Sat Jan 25 2014 Kevin Fenzi 0-0.4.20140125git
+- Update to 20140125 snapshot
+
+* Sat Jan 18 2014 Kevin Fenzi 0-0.3.20140118git
+- Update to 20140118 snapshot
+- Fixed License tag to be correct
+- Fixed changelog
+- nft scripts now use full path for nft
+- Fixed man page building
+- Dropped unneeded rm in install
+- Patched build to not be silent.
+
+* Tue Dec 03 2013 Kevin Fenzi 0-0.2.20131202git
+- Use upstream snapshots for source.
+- Use 0 for version.
+
+* Sat Nov 30 2013 Kevin Fenzi 0-0.1
+- initial version for Fedora review
diff --git a/SOURCES/router.nft b/router.nft
similarity index 100%
rename from SOURCES/router.nft
rename to router.nft
diff --git a/sources b/sources
new file mode 100644
index 0000000..32558f8
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (nftables-1.0.9.tar.xz) = dc34099658e283d9fd4d06264b593710121074558305ea23ab298c5f6a6b564a826f186241b6e106fbaa4e11160cf77e68bb52b4ce401b28d8d2e403cd4b88e8
