nftables-1.0.4-9.el9
* Fri Feb 17 2023 Phil Sutter <psutter@redhat.com> [1.0.4-9.el9] - tests: add a test case for map update from packet path with concat (Phil Sutter) [2094894] - netlink_linearize: fix timeout with map updates (Phil Sutter) [2094894] - netlink_delinearize: fix decoding of concat data element (Phil Sutter) [2094894] Resolves: rhbz#2094894
parent
552075b562
commit
4a82b86805
@ -0,0 +1,53 @@
|
|||||||
|
From b34a2b24c107a63183726333388e7946a36f2ea1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Fri, 17 Feb 2023 17:52:16 +0100
|
||||||
|
Subject: [PATCH] netlink_delinearize: fix decoding of concat data element
|
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2094894
|
||||||
|
Upstream Status: nftables commit db59a5c1204c9
|
||||||
|
|
||||||
|
commit db59a5c1204c9246a82a115a8761f15809578479
|
||||||
|
Author: Florian Westphal <fw@strlen.de>
|
||||||
|
Date: Mon Dec 12 11:04:34 2022 +0100
|
||||||
|
|
||||||
|
netlink_delinearize: fix decoding of concat data element
|
||||||
|
|
||||||
|
Its possible to use update as follows:
|
||||||
|
|
||||||
|
meta l4proto tcp update @pinned { ip saddr . ct original proto-src : ip daddr . ct original proto-dst }
|
||||||
|
|
||||||
|
... but when listing, only the first element of the concatenation is
|
||||||
|
shown.
|
||||||
|
|
||||||
|
Check if the element size is too small and parse subsequent registers as
|
||||||
|
well.
|
||||||
|
|
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
src/netlink_delinearize.c | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
|
||||||
|
index 1d47c74..e9e0845 100644
|
||||||
|
--- a/src/netlink_delinearize.c
|
||||||
|
+++ b/src/netlink_delinearize.c
|
||||||
|
@@ -1659,6 +1659,14 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
|
||||||
|
if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_SREG_DATA)) {
|
||||||
|
sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);
|
||||||
|
expr_data = netlink_get_register(ctx, loc, sreg_data);
|
||||||
|
+
|
||||||
|
+ if (expr_data->len < set->data->len) {
|
||||||
|
+ expr_free(expr_data);
|
||||||
|
+ expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);
|
||||||
|
+ if (expr_data == NULL)
|
||||||
|
+ netlink_error(ctx, loc,
|
||||||
|
+ "Could not parse dynset map data expressions");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (expr_data != NULL) {
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
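Review bot: The new check `if (expr_data->len < set->data->len)` dereferences expr_data immediately after `netlink_get_register()` returns it, while the pre-existing `if (expr_data != NULL)` a few lines further down shows that this call can yield NULL; an unpopulated data register would therefore crash the delinearizer instead of being skipped or reported. Guard the new branch the same way, `if (expr_data && expr_data->len < set->data->len) {`. `set->data` is also dereferenced unconditionally here; presumably a data register is only emitted for maps, where `set->data` is non-NULL, but that is worth confirming against the part of the function before the hunk. netlink_parse_dynset starts and ends outside the hunk.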
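--- /dev/null
+++ b/0023-netlink_linearize-fix-timeout-with-map-updates.patch
@@ -0,0 +1,66 @@
+From 7cb1f51b1791434fa513b516e416a18d27ad1eb9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 17 Feb 2023 17:52:16 +0100
+Subject: [PATCH] netlink_linearize: fix timeout with map updates
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2094894
+Upstream Status: nftables commit 284c038ef4c69
+
+commit 284c038ef4c69d042ef91272d90c143019ecea1f
+Author: Florian Westphal <fw@strlen.de>
+Date: Mon Dec 12 11:04:35 2022 +0100
+
+netlink_linearize: fix timeout with map updates
+
+Map updates can use timeouts, just like with sets, but the
+linearization step did not pass this info to the kernel.
+
+meta l4proto tcp update @pinned { ip saddr . ct original proto-src timeout 90s : ip daddr . tcp dport
+
+Listing this won't show the "timeout 90s" because kernel never saw it to
+begin with.
+
+Also update evaluation step to reject a timeout that was set on
+the data part: Timeouts are only allowed for the key-value pair
+as a whole.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+src/evaluate.c | 3 +++
+src/netlink_linearize.c | 4 ++++
+2 files changed, 7 insertions(+)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 7f81411..6d0a0f5 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -3858,6 +3858,9 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
+if (stmt->map.data->comment != NULL)
+return expr_error(ctx->msgs, stmt->map.data,
+"Data expression comments are not supported");
++ if (stmt->map.data->timeout > 0)
++ return expr_error(ctx->msgs, stmt->map.data,
++ "Data expression timeouts are not supported");
+
+list_for_each_entry(this, &stmt->map.stmt_list, list) {
+if (stmt_evaluate(ctx, this) < 0)
+diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
+index c8bbcb7..6de0a96 100644
+--- a/src/netlink_linearize.c
++++ b/src/netlink_linearize.c
+@@ -1520,6 +1520,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
+nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
+nft_rule_add_expr(ctx, nle, &stmt->location);
+
++ if (stmt->map.key->timeout > 0)
++ nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT,
++ stmt->map.key->timeout);
++
+list_for_each_entry(this, &stmt->map.stmt_list, list)
+num_stmts++;
+
+--
+2.39.2
+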
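Review bot: The evaluate.c hunk rejects a timeout on the data half of the pair, but nothing in this change verifies that the map being updated was created with the `timeout` flag before `netlink_gen_map_stmt` now forwards `stmt->map.key->timeout` to the kernel; the accompanying test only covers a map declared with `flags dynamic,timeout`. If the set-statement path already performs such a check (not visible here), stmt_evaluate_map should mirror it right after the new data-timeout check, so that a key timeout on a map lacking the flag yields an nft diagnostic instead of an opaque kernel error. A minor style point in the netlink_linearize.c hunk: the timeout attribute is set on `nle` after `nft_rule_add_expr()` has already been called; this still takes effect as long as that call only links the expression into the rule, but moving the new block above the `nftnl_expr_set_u32(..., NFTNL_EXPR_DYNSET_SET_ID, ...)` line keeps every attribute populated before the expression is handed over. Both enclosing functions start and end outside their hunks.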
@ -0,0 +1,73 @@
|
|||||||
|
From 1bbcacb6445bda10aa0a82b12329116b56ea44e3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Fri, 17 Feb 2023 17:52:16 +0100
|
||||||
|
Subject: [PATCH] tests: add a test case for map update from packet path with
|
||||||
|
concat
|
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2094894
|
||||||
|
Upstream Status: nftables commit b8e1940aa1907
|
||||||
|
|
||||||
|
commit b8e1940aa190773b23b3ee9349beb20c31f42bdb
|
||||||
|
Author: Florian Westphal <fw@strlen.de>
|
||||||
|
Date: Mon Dec 12 11:04:36 2022 +0100
|
||||||
|
|
||||||
|
tests: add a test case for map update from packet path with concat
|
||||||
|
|
||||||
|
add a second test case for map updates, this time with both
|
||||||
|
a timeout and a data element that consists of a concatenation.
|
||||||
|
|
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
.../maps/dumps/typeof_maps_concat_update_0.nft | 12 ++++++++++++
|
||||||
|
.../testcases/maps/typeof_maps_concat_update_0 | 18 ++++++++++++++++++
|
||||||
|
2 files changed, 30 insertions(+)
|
||||||
|
create mode 100644 tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
|
||||||
|
create mode 100755 tests/shell/testcases/maps/typeof_maps_concat_update_0
|
||||||
|
|
||||||
|
diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..d91b795
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
|
||||||
|
@@ -0,0 +1,12 @@
|
||||||
|
+table ip foo {
|
||||||
|
+ map pinned {
|
||||||
|
+ typeof ip daddr . tcp dport : ip daddr . tcp dport
|
||||||
|
+ size 65535
|
||||||
|
+ flags dynamic,timeout
|
||||||
|
+ timeout 6m
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ chain pr {
|
||||||
|
+ update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..645ae14
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0
|
||||||
|
@@ -0,0 +1,18 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# check update statement does print both concatentations (key and data).
|
||||||
|
+
|
||||||
|
+EXPECTED="table ip foo {
|
||||||
|
+ map pinned {
|
||||||
|
+ typeof ip daddr . tcp dport : ip daddr . tcp dport
|
||||||
|
+ size 65535
|
||||||
|
+ flags dynamic,timeout
|
||||||
|
+ timeout 6m
|
||||||
|
+ }
|
||||||
|
+ chain pr {
|
||||||
|
+ meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
|
||||||
|
+ }
|
||||||
|
+}"
|
||||||
|
+
|
||||||
|
+set -e
|
||||||
|
+$NFT -f - <<< $EXPECTED
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
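Review bot: The header comment says the script checks that the update statement prints both concatenations, but the script itself only loads `$EXPECTED` via `$NFT -f -` and never compares the listing; the round-trip check presumably comes from the harness through the new `dumps/typeof_maps_concat_update_0.nft` file, so both the comment and the variable name overstate what this file does. Suggest renaming the variable to `RULESET` and rewording the comment to `# load a map update whose key and data are both concatenations; the dump file checks that both (and the key timeout) are listed back.`, which also fixes the "concatentations" typo. The unquoted here-string is safe, since bash does not word-split or glob the word of `<<<`, but `<<< "$RULESET"` reads more conventionally.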
@ -1,5 +1,5 @@
|
|||||||
%define rpmversion 1.0.4
|
%define rpmversion 1.0.4
|
||||||
%define specrelease 8
|
%define specrelease 9
|
||||||
|
|
||||||
Name: nftables
|
Name: nftables
|
||||||
Version: %{rpmversion}
|
Version: %{rpmversion}
|
||||||
@ -40,6 +40,9 @@ Patch18: 0018-evaluate-search-stacked-header-list-for-matching-pay.pa
|
|||||||
Patch19: 0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch
|
Patch19: 0019-src-allow-anon-set-concatenation-with-ether-and-vlan.patch
|
||||||
Patch20: 0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch
|
Patch20: 0020-evaluate-set-eval-ctx-for-add-update-statements-with.patch
|
||||||
Patch21: 0021-monitor-Sanitize-startup-race-condition.patch
|
Patch21: 0021-monitor-Sanitize-startup-race-condition.patch
|
||||||
|
Patch22: 0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch
|
||||||
|
Patch23: 0023-netlink_linearize-fix-timeout-with-map-updates.patch
|
||||||
|
Patch24: 0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch
|
||||||
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
@ -151,6 +154,11 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
|
|||||||
%{python3_sitelib}/nftables/
|
%{python3_sitelib}/nftables/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 17 2023 Phil Sutter <psutter@redhat.com> [1.0.4-9.el9]
|
||||||
|
- tests: add a test case for map update from packet path with concat (Phil Sutter) [2094894]
|
||||||
|
- netlink_linearize: fix timeout with map updates (Phil Sutter) [2094894]
|
||||||
|
- netlink_delinearize: fix decoding of concat data element (Phil Sutter) [2094894]
|
||||||
|
|
||||||
* Thu Feb 09 2023 Phil Sutter <psutter@redhat.com> [1.0.4-8.el9]
|
* Thu Feb 09 2023 Phil Sutter <psutter@redhat.com> [1.0.4-8.el9]
|
||||||
- monitor: Sanitize startup race condition (Phil Sutter) [2130721]
|
- monitor: Sanitize startup race condition (Phil Sutter) [2130721]
|
||||||
- evaluate: set eval ctx for add/update statements with integer constants (Phil Sutter) [2094894]
|
- evaluate: set eval ctx for add/update statements with integer constants (Phil Sutter) [2094894]
|
||||||
|
@ -2,6 +2,5 @@ W: [FAILED] ././tests/shell/testcases/cache/0010_implicit_chain_0
|
|||||||
W: [FAILED] ././tests/shell/testcases/chains/0021prio_0
|
W: [FAILED] ././tests/shell/testcases/chains/0021prio_0
|
||||||
W: [FAILED] ././tests/shell/testcases/chains/0041chain_binding_0
|
W: [FAILED] ././tests/shell/testcases/chains/0041chain_binding_0
|
||||||
W: [FAILED] ././tests/shell/testcases/maps/typeof_integer_0
|
W: [FAILED] ././tests/shell/testcases/maps/typeof_integer_0
|
||||||
W: [DUMP FAIL] ././tests/shell/testcases/maps/typeof_maps_concat
|
|
||||||
W: [FAILED] ././tests/shell/testcases/maps/typeof_raw_0
|
W: [FAILED] ././tests/shell/testcases/maps/typeof_raw_0
|
||||||
W: [FAILED] ././tests/shell/testcases/sets/typeof_raw_0
|
W: [FAILED] ././tests/shell/testcases/sets/typeof_raw_0
|
||||||
|