import nftables-0.9.3-16.el8
parent
9a8bfb4ad4
commit
50b5a160bf
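--- /dev/null
+++ b/SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch
@@ -0,0 +1,119 @@
+From 68392da523f43b9ae09f824fa68b04b20c9c88f5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 20 May 2020 11:12:37 +0200
+Subject: [PATCH] parser_json: Support ranges in concat expressions
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1805798
+Upstream Status: nftables commit 9475ca305a993
+
+commit 9475ca305a993751b05cf26ef8e785a00de98b94
+Author: Phil Sutter <phil@nwl.cc>
+Date: Fri Mar 6 16:15:48 2020 +0100
+
+parser_json: Support ranges in concat expressions
+
+Duplicate commit 8ac2f3b2fca38's changes to bison parser into JSON
+parser by introducing a new context flag signalling we're parsing
+concatenated expressions.
+
+Fixes: 8ac2f3b2fca38 ("src: Add support for concatenated set ranges")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Eric Garver <eric@garver.life>
+---
+src/parser_json.c | 51 +++++++++++++++++++++++++++++----------------------
+1 file changed, 29 insertions(+), 22 deletions(-)
+
+diff --git a/src/parser_json.c b/src/parser_json.c
+index 031930e..c48faa8 100644
+--- a/src/parser_json.c
++++ b/src/parser_json.c
+@@ -40,6 +40,7 @@
+#define CTX_F_MANGLE (1 << 5)
+#define CTX_F_SES (1 << 6) /* set_elem_expr_stmt */
+#define CTX_F_MAP (1 << 7) /* LHS of map_expr */
++#define CTX_F_CONCAT (1 << 8) /* inside concat_expr */
+
+struct json_ctx {
+struct input_descriptor indesc;
+@@ -99,6 +100,7 @@ static struct expr *json_parse_primary_expr(struct json_ctx *ctx, json_t *root);
+static struct expr *json_parse_set_rhs_expr(struct json_ctx *ctx, json_t *root);
+static struct expr *json_parse_set_elem_expr_stmt(struct json_ctx *ctx, json_t *root);
+static struct expr *json_parse_map_lhs_expr(struct json_ctx *ctx, json_t *root);
++static struct expr *json_parse_concat_elem_expr(struct json_ctx *ctx, json_t *root);
+static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root);
+
+/* parsing helpers */
+@@ -1058,7 +1060,7 @@ static struct expr *json_parse_concat_expr(struct json_ctx *ctx,
+}
+
+json_array_foreach(root, index, value) {
+- tmp = json_parse_primary_expr(ctx, value);
++ tmp = json_parse_concat_elem_expr(ctx, value);
+if (!tmp) {
+json_error(ctx, "Parsing expr at index %zd failed.", index);
+expr_free(expr);
+@@ -1354,28 +1356,28 @@ static struct expr *json_parse_expr(struct json_ctx *ctx, json_t *root)
+{ "set", json_parse_set_expr, CTX_F_RHS | CTX_F_STMT }, /* allow this as stmt expr because that allows set references */
+{ "map", json_parse_map_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS },
+/* below three are multiton_rhs_expr */
+- { "prefix", json_parse_prefix_expr, CTX_F_RHS | CTX_F_STMT },
+- { "range", json_parse_range_expr, CTX_F_RHS | CTX_F_STMT },
+- { "payload", json_parse_payload_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP },
+- { "exthdr", json_parse_exthdr_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { "tcp option", json_parse_tcp_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES },
+- { "ip option", json_parse_ip_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES },
+- { "meta", json_parse_meta_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP },
+- { "osf", json_parse_osf_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_MAP },
+- { "ipsec", json_parse_xfrm_expr, CTX_F_PRIMARY | CTX_F_MAP },
+- { "socket", json_parse_socket_expr, CTX_F_PRIMARY },
+- { "rt", json_parse_rt_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { "ct", json_parse_ct_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP },
+- { "numgen", json_parse_numgen_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
++ { "prefix", json_parse_prefix_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_CONCAT },
++ { "range", json_parse_range_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_CONCAT },
++ { "payload", json_parse_payload_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "exthdr", json_parse_exthdr_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "tcp option", json_parse_tcp_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT },
++ { "ip option", json_parse_ip_option_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_CONCAT },
++ { "meta", json_parse_meta_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "osf", json_parse_osf_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT },
++ { "ipsec", json_parse_xfrm_expr, CTX_F_PRIMARY | CTX_F_MAP | CTX_F_CONCAT },
++ { "socket", json_parse_socket_expr, CTX_F_PRIMARY | CTX_F_CONCAT },
++ { "rt", json_parse_rt_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "ct", json_parse_ct_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_MANGLE | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "numgen", json_parse_numgen_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
+/* below two are hash expr */
+- { "jhash", json_parse_hash_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { "symhash", json_parse_hash_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { "fib", json_parse_fib_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { "|", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { "^", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { "&", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { ">>", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
+- { "<<", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP },
++ { "jhash", json_parse_hash_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "symhash", json_parse_hash_expr, CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "fib", json_parse_fib_expr, CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "|", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "^", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "&", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { ">>", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
++ { "<<", json_parse_binop_expr, CTX_F_RHS | CTX_F_STMT | CTX_F_PRIMARY | CTX_F_SET_RHS | CTX_F_SES | CTX_F_MAP | CTX_F_CONCAT },
+{ "accept", json_parse_verdict_expr, CTX_F_RHS | CTX_F_SET_RHS },
+{ "drop", json_parse_verdict_expr, CTX_F_RHS | CTX_F_SET_RHS },
+{ "continue", json_parse_verdict_expr, CTX_F_RHS | CTX_F_SET_RHS },
+@@ -1500,6 +1502,11 @@ static struct expr *json_parse_map_lhs_expr(struct json_ctx *ctx, json_t *root)
+return json_parse_flagged_expr(ctx, CTX_F_MAP, root);
+}
+
++static struct expr *json_parse_concat_elem_expr(struct json_ctx *ctx, json_t *root)
++{
++ return json_parse_flagged_expr(ctx, CTX_F_CONCAT, root);
++}
++
+static struct expr *json_parse_dtype_expr(struct json_ctx *ctx, json_t *root)
+{
+if (json_is_string(root)) {
+--
+1.8.3.1
+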
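Review bot: `json_parse_concat_elem_expr()` is a one-line wrapper added without a comment, and the flag it passes is documented only as `/* inside concat_expr */`, so a reader cannot tell why "range" and "prefix" now carry CTX_F_CONCAT while "set", "map" and the verdict entries do not. A comment above the function such as `/* Elements of a concat_expr: like primary_expr, but range and prefix are accepted too (mirrors the bison concat_expr rule from 8ac2f3b2fca38). */` would record that intent. The json_parse_expr table is cut at both ends of the hunk, so any expression type listed above "set" that was previously reachable through json_parse_primary_expr() presumably needs the same flag or such concat elements would now be rejected; worth checking against the full table. json_parse_concat_expr() and json_parse_expr() both start outside their hunks.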
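--- /dev/null
+++ b/SOURCES/0023-doc-Document-notrack-statement.patch
@@ -0,0 +1,51 @@
+From f7a31d5c3277b29f104fd8ff48df24c8bc790f19 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 24 Jun 2020 18:46:39 +0200
+Subject: [PATCH] doc: Document notrack statement
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1841292
+Upstream Status: nftables commit f16fbe76f62dc
+
+commit f16fbe76f62dcb9f7395d1837ad2d056463ba55f
+Author: Phil Sutter <phil@nwl.cc>
+Date: Mon Jun 22 15:07:40 2020 +0200
+
+doc: Document notrack statement
+
+Merely a stub, but better to mention it explicitly instead of having it
+appear in synproxy examples and letting users guess as to what it does.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+---
+doc/statements.txt | 14 ++++++++++++++
+1 file changed, 14 insertions(+)
+
+diff --git a/doc/statements.txt b/doc/statements.txt
+index 3b82436..749533a 100644
+--- a/doc/statements.txt
++++ b/doc/statements.txt
+@@ -262,6 +262,20 @@ table inet raw {
+ct event set new,related,destroy
+--------------------------------------
+
++NOTRACK STATEMENT
++~~~~~~~~~~~~~~~~~
++The notrack statement allows to disable connection tracking for certain
++packets.
++
++[verse]
++*notrack*
++
++Note that for this statement to be effective, it has to be applied to packets
++before a conntrack lookup happens. Therefore, it needs to sit in a chain with
++either prerouting or output hook and a hook priority of -300 or less.
++
++See SYNPROXY STATEMENT for an example usage.
++
+META STATEMENT
+~~~~~~~~~~~~~~
+A meta statement sets the value of a meta expression. The existing meta fields
+--
+1.8.3.1
+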
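--- /dev/null
+++ b/SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch
@@ -0,0 +1,53 @@
+From 58d8baa70172bb9862276ac5f542248c88d3faf4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 24 Jun 2020 18:48:14 +0200
+Subject: [PATCH] JSON: Improve performance of json_events_cb()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1835300
+Upstream Status: nftables commit c96c7da272e33
+
+commit c96c7da272e33a34770c4de4e3e50f7ed264672e
+Author: Phil Sutter <phil@nwl.cc>
+Date: Wed May 13 16:29:51 2020 +0200
+
+JSON: Improve performance of json_events_cb()
+
+The function tries to insert handles into JSON input for echo option.
+Yet there may be nothing to do if the given netlink message doesn't
+contain a handle, e.g. if it is an 'add element' command. Calling
+seqnum_to_json() is pointless overhead in that case, and if input is
+large this overhead is significant. Better wait with that call until
+after checking if the message is relevant at all.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Eric Garver <eric@garver.life>
+---
+src/parser_json.c | 9 ++++++---
+1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/parser_json.c b/src/parser_json.c
+index c48faa8..ce8e566 100644
+--- a/src/parser_json.c
++++ b/src/parser_json.c
+@@ -3845,12 +3845,15 @@ static uint64_t handle_from_nlmsg(const struct nlmsghdr *nlh)
+}
+int json_events_cb(const struct nlmsghdr *nlh, struct netlink_mon_handler *monh)
+{
+- json_t *tmp, *json = seqnum_to_json(nlh->nlmsg_seq);
+uint64_t handle = handle_from_nlmsg(nlh);
++ json_t *tmp, *json;
+void *iter;
+
+- /* might be anonymous set, ignore message */
+- if (!json || !handle)
++ if (!handle)
++ return MNL_CB_OK;
++
++ json = seqnum_to_json(nlh->nlmsg_seq);
++ if (!json)
+return MNL_CB_OK;
+
+tmp = json_object_get(json, "add");
+--
+1.8.3.1
+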
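Review bot: The explanatory comment `/* might be anonymous set, ignore message */` is dropped together with the combined check, so the new `if (!handle)` early return no longer says why a missing handle is silently accepted. Keep it on the new line: `/* might be anonymous set, ignore message */` directly above `if (!handle)`. The second early return on `!json` also answers MNL_CB_OK; if seqnum_to_json() returning NULL can mean an allocation failure rather than "no matching input", a one-line comment separating the two cases would help, though I cannot tell from here which it is. json_events_cb() continues past the hunk.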
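--- /dev/null
+++ b/SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch
@@ -0,0 +1,42 @@
+From ab62f33df5ef33f6eff8d88d9475a01822a2f625 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 30 Jun 2020 16:20:22 +0200
+Subject: [PATCH] segtree: Fix missing expires value in prefixes
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235
+Upstream Status: nftables commit 60ba9c22fecc0
+
+commit 60ba9c22fecc0ca9bb2a61f6ad39bceed1aee38f
+Author: Phil Sutter <phil@nwl.cc>
+Date: Tue Apr 28 20:54:03 2020 +0200
+
+segtree: Fix missing expires value in prefixes
+
+This probable copy'n'paste bug prevented 'expiration' field from being
+populated when turning a range into a prefix in
+interval_map_decompose(). Consequently, interval sets with timeout did
+print expiry value for ranges (such as 10.0.0.1-10.0.0.5) but not
+prefixes (10.0.0.0/8, for instance).
+
+Fixes: bb0e6d8a2851b ("segtree: incorrect handling of comments and timeouts with mapping")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+src/segtree.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index e859f84..1ba4363 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -1086,7 +1086,7 @@ void interval_map_decompose(struct expr *set)
+prefix->comment = xstrdup(low->comment);
+if (low->timeout)
+prefix->timeout = low->timeout;
+- if (low->left->expiration)
++ if (low->expiration)
+prefix->expiration = low->expiration;
+}
+
+--
+1.8.3.1
+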
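--- /dev/null
+++ b/SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch
@@ -0,0 +1,55 @@
+From 119fbcbd8c37aac314d6ffa6225ab24ee4b0e31e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 30 Jun 2020 16:20:23 +0200
+Subject: [PATCH] segtree: Use expr_clone in get_set_interval_*()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235
+Upstream Status: nftables commit a2eedcc89d2ed
+
+commit a2eedcc89d2ed40411c26d53579300c4f1ccb83d
+Author: Phil Sutter <phil@nwl.cc>
+Date: Thu Apr 30 13:45:40 2020 +0200
+
+segtree: Use expr_clone in get_set_interval_*()
+
+Both functions perform interval set lookups with either start and end or
+only start values as input. Interestingly, in practice they either see
+values which are not contained or which match an existing range exactly.
+
+Make use of the above and just return a clone of the matching entry
+instead of creating a new one based on input data.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+src/segtree.c | 8 ++------
+1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index 1ba4363..dc4db6b 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -695,9 +695,7 @@ static struct expr *get_set_interval_find(const struct table *table,
+range_expr_value_high(high, i);
+if (mpz_cmp(left->key->value, low) >= 0 &&
+mpz_cmp(right->key->value, high) <= 0) {
+- range = range_expr_alloc(&internal_location,
+- expr_clone(left->key),
+- expr_clone(right->key));
++ range = expr_clone(i->key);
+goto out;
+}
+break;
+@@ -729,9 +727,7 @@ static struct expr *get_set_interval_end(const struct table *table,
+case EXPR_RANGE:
+range_expr_value_low(low, i);
+if (mpz_cmp(low, left->key->value) == 0) {
+- range = range_expr_alloc(&internal_location,
+- expr_clone(left->key),
+- expr_clone(i->key->right));
++ range = expr_clone(i->key);
+goto out;
+}
+break;
+--
+1.8.3.1
+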
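--- /dev/null
+++ b/SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch
@@ -0,0 +1,131 @@
+From 40cdcccf0fc6f4d0d4c2248d4bd9bf3193a922e9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 30 Jun 2020 16:20:23 +0200
+Subject: [PATCH] segtree: Merge get_set_interval_find() and
+get_set_interval_end()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235
+Upstream Status: nftables commit f21e73d6700b8
+
+commit f21e73d6700b873eb1a295f43bbad9caaca577e2
+Author: Phil Sutter <phil@nwl.cc>
+Date: Thu Apr 30 13:57:35 2020 +0200
+
+segtree: Merge get_set_interval_find() and get_set_interval_end()
+
+Both functions were very similar already. Under the assumption that they
+will always either see a range (or start of) that matches exactly or not
+at all, reduce complexity and make get_set_interval_find() accept NULL
+(left or) right values. This way it becomes a full replacement for
+get_set_interval_end().
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+src/segtree.c | 63 +++++++++++++++--------------------------------------------
+1 file changed, 16 insertions(+), 47 deletions(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index dc4db6b..6e1f696 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -681,63 +681,31 @@ static struct expr *get_set_interval_find(const struct table *table,
+{
+struct expr *range = NULL;
+struct set *set;
+- mpz_t low, high;
+struct expr *i;
++ mpz_t val;
+
+set = set_lookup(table, set_name);
+- mpz_init2(low, set->key->len);
+- mpz_init2(high, set->key->len);
++ mpz_init2(val, set->key->len);
+
+list_for_each_entry(i, &set->init->expressions, list) {
+switch (i->key->etype) {
+case EXPR_RANGE:
+- range_expr_value_low(low, i);
+- range_expr_value_high(high, i);
+- if (mpz_cmp(left->key->value, low) >= 0 &&
+- mpz_cmp(right->key->value, high) <= 0) {
+- range = expr_clone(i->key);
+- goto out;
+- }
+- break;
+- default:
+- break;
+- }
+- }
+-out:
+- mpz_clear(low);
+- mpz_clear(high);
+-
+- return range;
+-}
+-
+-static struct expr *get_set_interval_end(const struct table *table,
+- const char *set_name,
+- struct expr *left)
+-{
+- struct expr *i, *range = NULL;
+- struct set *set;
+- mpz_t low, high;
++ range_expr_value_low(val, i);
++ if (left && mpz_cmp(left->key->value, val))
++ break;
+
+- set = set_lookup(table, set_name);
+- mpz_init2(low, set->key->len);
+- mpz_init2(high, set->key->len);
++ range_expr_value_high(val, i);
++ if (right && mpz_cmp(right->key->value, val))
++ break;
+
+- list_for_each_entry(i, &set->init->expressions, list) {
+- switch (i->key->etype) {
+- case EXPR_RANGE:
+- range_expr_value_low(low, i);
+- if (mpz_cmp(low, left->key->value) == 0) {
+- range = expr_clone(i->key);
+- goto out;
+- }
+- break;
++ range = expr_clone(i->key);
++ goto out;
+default:
+break;
+}
+}
+out:
+- mpz_clear(low);
+- mpz_clear(high);
++ mpz_clear(val);
+
+return range;
+}
+@@ -767,9 +735,9 @@ int get_set_decompose(struct table *table, struct set *set)
+left = NULL;
+} else {
+if (left) {
+- range = get_set_interval_end(table,
+- set->handle.set.name,
+- left);
++ range = get_set_interval_find(table,
++ set->handle.set.name,
++ left, NULL);
+if (range)
+compound_expr_add(new_init, range);
+else
+@@ -780,7 +748,8 @@ int get_set_decompose(struct table *table, struct set *set)
+}
+}
+if (left) {
+- range = get_set_interval_end(table, set->handle.set.name, left);
++ range = get_set_interval_find(table, set->handle.set.name,
++ left, NULL);
+if (range)
+compound_expr_add(new_init, range);
+else
+--
+1.8.3.1
+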
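Review bot: The merged get_set_interval_find() now accepts NULL for left or right, but nothing documents that contract or what happens when both are NULL: the guards `if (left && ...)` and `if (right && ...)` are both skipped and the first EXPR_RANGE element in set->init is cloned and returned regardless of its bounds. A doc comment on the function stating that at least one of left/right must be non-NULL, that a NULL bound acts as a wildcard, and that the remaining comparison is an exact match (any mpz_cmp difference breaks, unlike the containment test removed here) would make the two callers in get_set_decompose() easier to follow. The `break` statements only leave the switch and let the list walk continue, which is intended but easy to misread; a `/* no match, try next element */` comment on the first one would help. `set = set_lookup(table, set_name)` is still dereferenced without a NULL check, which predates this patch. The function's signature lies outside the hunk.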
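--- /dev/null
+++ b/SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch
@@ -0,0 +1,41 @@
+From 4337d4eafe66b594b56b43261c8742d6b65d5ee8 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 30 Jun 2020 16:20:23 +0200
+Subject: [PATCH] tests: 0034get_element_0: do not discard stderr
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235
+Upstream Status: nftables commit ff29e6c09aed9
+
+commit ff29e6c09aed922a42e0e0551c34dd5d87067512
+Author: Florian Westphal <fw@strlen.de>
+Date: Sat Feb 22 00:02:25 2020 +0100
+
+tests: 0034get_element_0: do not discard stderr
+
+run_tests.sh alreadty discards stderr by default, but will show it in
+case the test script is run directly (passed as argument).
+
+Discarding stderr also in the script prevents one from seeing
+BUG() assertions and the like.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+tests/shell/testcases/sets/0034get_element_0 | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0
+index c7e7298..e23dbda 100755
+--- a/tests/shell/testcases/sets/0034get_element_0
++++ b/tests/shell/testcases/sets/0034get_element_0
+@@ -3,7 +3,7 @@
+RC=0
+
+check() { # (elems, expected)
+- out=$($NFT get element ip t s "{ $1 }" 2>/dev/null)
++ out=$($NFT get element ip t s "{ $1 }")
+out=$(grep "elements =" <<< "$out")
+out="${out#* \{ }"
+out="${out% \}}"
+--
+1.8.3.1
+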
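--- /dev/null
+++ b/SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch
@@ -0,0 +1,135 @@
+From 3a2016f539e46183965bada40946e259c33158d9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 30 Jun 2020 16:20:23 +0200
+Subject: [PATCH] segtree: Fix get element command with prefixes
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1832235
+Upstream Status: nftables commit 506fb113f7ca4
+
+commit 506fb113f7ca4fbb3d6da09ef6f9dc2b31f54a1f
+Author: Phil Sutter <phil@nwl.cc>
+Date: Thu Apr 30 14:02:44 2020 +0200
+
+segtree: Fix get element command with prefixes
+
+Code wasn't aware of prefix elements in interval sets. With previous
+changes in place, they merely need to be accepted in
+get_set_interval_find() - value comparison and expression duplication is
+identical to ranges.
+
+Extend sets/0034get_element_0 test to cover prefixes as well. While
+being at it, also cover concatenated ranges.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+src/segtree.c | 1 +
+tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++++++++--------
+2 files changed, 45 insertions(+), 18 deletions(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index 6e1f696..073c6ec 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -689,6 +689,7 @@ static struct expr *get_set_interval_find(const struct table *table,
+
+list_for_each_entry(i, &set->init->expressions, list) {
+switch (i->key->etype) {
++ case EXPR_PREFIX:
+case EXPR_RANGE:
+range_expr_value_low(val, i);
+if (left && mpz_cmp(left->key->value, val))
+diff --git a/tests/shell/testcases/sets/0034get_element_0 b/tests/shell/testcases/sets/0034get_element_0
+index e23dbda..3343529 100755
+--- a/tests/shell/testcases/sets/0034get_element_0
++++ b/tests/shell/testcases/sets/0034get_element_0
+@@ -2,43 +2,69 @@
+
+RC=0
+
+-check() { # (elems, expected)
+- out=$($NFT get element ip t s "{ $1 }")
++check() { # (set, elems, expected)
++ out=$($NFT get element ip t $1 "{ $2 }")
+out=$(grep "elements =" <<< "$out")
+out="${out#* \{ }"
+out="${out% \}}"
+- [[ "$out" == "$2" ]] && return
+- echo "ERROR: asked for '$1', expecting '$2' but got '$out'"
++ [[ "$out" == "$3" ]] && return
++ echo "ERROR: asked for '$2' in set $1, expecting '$3' but got '$out'"
+((RC++))
+}
+
+RULESET="add table ip t
+add set ip t s { type inet_service; flags interval; }
+add element ip t s { 10, 20-30, 40, 50-60 }
++add set ip t ips { type ipv4_addr; flags interval; }
++add element ip t ips { 10.0.0.1, 10.0.0.5-10.0.0.8 }
++add element ip t ips { 10.0.0.128/25, 10.0.1.0/24, 10.0.2.3-10.0.2.12 }
++add set ip t cs { type ipv4_addr . inet_service; flags interval; }
++add element ip t cs { 10.0.0.1 . 22, 10.1.0.0/16 . 1-1024 }
++add element ip t cs { 10.2.0.1-10.2.0.8 . 1024-65535 }
+"
+
+$NFT -f - <<< "$RULESET"
+
+# simple cases, (non-)existing values and ranges
+-check 10 10
+-check 11 ""
+-check 20-30 20-30
+-check 15-18 ""
++check s 10 10
++check s 11 ""
++check s 20-30 20-30
++check s 15-18 ""
+
+# multiple single elements, ranges smaller than present
+-check "10, 40" "10, 40"
+-check "22-24, 26-28" "20-30, 20-30"
+-check 21-29 20-30
++check s "10, 40" "10, 40"
++check s "22-24, 26-28" "20-30, 20-30"
++check s 21-29 20-30
+
+# mixed single elements and ranges
+-check "10, 20" "10, 20-30"
+-check "10, 22" "10, 20-30"
+-check "10, 22-24" "10, 20-30"
++check s "10, 20" "10, 20-30"
++check s "10, 22" "10, 20-30"
++check s "10, 22-24" "10, 20-30"
+
+# non-existing ranges matching elements
+-check 10-40 ""
+-check 10-20 ""
+-check 10-25 ""
+-check 25-55 ""
++check s 10-40 ""
++check s 10-20 ""
++check s 10-25 ""
++check s 25-55 ""
++
++# playing with IPs, ranges and prefixes
++check ips 10.0.0.1 10.0.0.1
++check ips 10.0.0.2 ""
++check ips 10.0.1.0/24 10.0.1.0/24
++check ips 10.0.1.2/31 10.0.1.0/24
++check ips 10.0.1.0 10.0.1.0/24
++check ips 10.0.1.3 10.0.1.0/24
++check ips 10.0.1.255 10.0.1.0/24
++check ips 10.0.2.3-10.0.2.12 10.0.2.3-10.0.2.12
++check ips 10.0.2.10 10.0.2.3-10.0.2.12
++check ips 10.0.2.12 10.0.2.3-10.0.2.12
++
++# test concatenated ranges, i.e. Pi, Pa and Po
++check cs "10.0.0.1 . 22" "10.0.0.1 . 22"
++check cs "10.0.0.1 . 23" ""
++check cs "10.0.0.2 . 22" ""
++check cs "10.1.0.1 . 42" "10.1.0.0/16 . 1-1024"
++check cs "10.1.1.0/24 . 10-20" "10.1.0.0/16 . 1-1024"
++check cs "10.2.0.3 . 20000" "10.2.0.1-10.2.0.8 . 1024-65535"
+
+exit $RC
+--
+1.8.3.1
+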
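Review bot: The new `case EXPR_PREFIX:` label routes prefix keys through range_expr_value_low()/range_expr_value_high() unchanged, which the commit message asserts is equivalent, but neither helper is visible here; worth confirming both derive the high bound from the prefix length for EXPR_PREFIX rather than only handling EXPR_RANGE, since a stale or zero `val` would make the `right` comparison misfire exactly for the get element case this patch fixes. A one-line comment above the label, `/* prefixes compare by their low/high bounds exactly like ranges */`, would document the intent. In the extended shell test, `$NFT -f - <<< "$RULESET"` still ignores its exit status, so a ruleset load failure would only surface as a wall of check errors; `$NFT -f - <<< "$RULESET" || exit 1` makes the failure mode obvious. get_set_interval_find() starts and ends outside its hunk.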
@ -1,9 +1,9 @@
|
||||
From aa456490794b5498ef9429481bb0f7ae6b3650ac Mon Sep 17 00:00:00 2001
|
||||
From 77a93baa622f8aa33fa6182d72b380d980e39574 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Sat, 8 Aug 2020 00:09:06 +0200
|
||||
Subject: [PATCH] include: Resync nf_tables.h cache copy
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820684
|
||||
Upstream Status: nftables commit f1e5a0499c077
|
||||
|
||||
commit f1e5a0499c0773f18bc592dd0da0340120daa482
|
||||
@ -16,14 +16,12 @@ Date: Mon Apr 13 21:48:02 2020 +0200
|
||||
|
||||
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
include/linux/netfilter/nf_tables.h | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
|
||||
index 1a99df3348b5c..9b54a86bc5169 100644
|
||||
index 1a99df3..9b54a86 100644
|
||||
--- a/include/linux/netfilter/nf_tables.h
|
||||
+++ b/include/linux/netfilter/nf_tables.h
|
||||
@@ -274,6 +274,7 @@ enum nft_rule_compat_attributes {
|
||||
@ -43,5 +41,5 @@ index 1a99df3348b5c..9b54a86bc5169 100644
|
||||
|
||||
/**
|
||||
--
|
||||
2.27.0
|
||||
1.8.3.1
|
||||
|
@ -1,10 +1,10 @@
|
||||
From c69d7c3c5c1805e41f679487310044f518859214 Mon Sep 17 00:00:00 2001
|
||||
From 5566405cc171c8fa84e0a13ea96b89245a3fb512 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Sat, 8 Aug 2020 00:05:48 +0200
|
||||
Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated
|
||||
ranges
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820684
|
||||
Upstream Status: nftables commit 09441b5e92cee
|
||||
|
||||
commit 09441b5e92ceea60198a35cd657904fa7a10ee54
|
||||
@ -33,14 +33,12 @@ Date: Mon Apr 13 21:48:03 2020 +0200
|
||||
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
|
||||
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||
---
|
||||
src/evaluate.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/evaluate.c b/src/evaluate.c
|
||||
index 0c848166409f4..f66251b41c058 100644
|
||||
index 0c84816..f66251b 100644
|
||||
--- a/src/evaluate.c
|
||||
+++ b/src/evaluate.c
|
||||
@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
|
||||
@ -70,5 +68,5 @@ index 0c848166409f4..f66251b41c058 100644
|
||||
|
||||
if (set_is_datamap(set->flags)) {
|
||||
--
|
||||
2.27.0
|
||||
1.8.3.1
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define rpmversion 0.9.3
|
||||
%define specrelease 12%{?dist}.1
|
||||
%define specrelease 16%{?dist}
|
||||
|
||||
Name: nftables
|
||||
Version: %{rpmversion}
|
||||
@ -38,8 +38,16 @@ Patch18: 0018-parser-add-a-helper-for-concat-expression-handling.patc
|
||||
Patch19: 0019-include-resync-nf_tables.h-cache-copy.patch
|
||||
Patch20: 0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch
|
||||
Patch21: 0021-src-Add-support-for-concatenated-set-ranges.patch
|
||||
Patch22: 0022-include-Resync-nf_tables.h-cache-copy.patch
|
||||
Patch23: 0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
|
||||
Patch22: 0022-parser_json-Support-ranges-in-concat-expressions.patch
|
||||
Patch23: 0023-doc-Document-notrack-statement.patch
|
||||
Patch24: 0024-JSON-Improve-performance-of-json_events_cb.patch
|
||||
Patch25: 0025-segtree-Fix-missing-expires-value-in-prefixes.patch
|
||||
Patch26: 0026-segtree-Use-expr_clone-in-get_set_interval_.patch
|
||||
Patch27: 0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch
|
||||
Patch28: 0028-tests-0034get_element_0-do-not-discard-stderr.patch
|
||||
Patch29: 0029-segtree-Fix-get-element-command-with-prefixes.patch
|
||||
Patch30: 0030-include-Resync-nf_tables.h-cache-copy.patch
|
||||
Patch31: 0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
|
||||
|
||||
BuildRequires: autogen
|
||||
BuildRequires: autoconf
|
||||
@ -156,9 +164,23 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
|
||||
%{python3_sitelib}/nftables/
|
||||
|
||||
%changelog
|
||||
* Thu Aug 20 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8.1]
|
||||
- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1854532]
|
||||
- include: Resync nf_tables.h cache copy (Phil Sutter) [1854532]
|
||||
* Sat Aug 08 2020 Phil Sutter <psutter@redhat.com> [0.9.3-16.el8]
|
||||
- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1820684]
|
||||
- include: Resync nf_tables.h cache copy (Phil Sutter) [1820684]
|
||||
|
||||
* Tue Jun 30 2020 Phil Sutter <psutter@redhat.com> [0.9.3-15.el8]
|
||||
- segtree: Fix get element command with prefixes (Phil Sutter) [1832235]
|
||||
- tests: 0034get_element_0: do not discard stderr (Phil Sutter) [1832235]
|
||||
- segtree: Merge get_set_interval_find() and get_set_interval_end() (Phil Sutter) [1832235]
|
||||
- segtree: Use expr_clone in get_set_interval_*() (Phil Sutter) [1832235]
|
||||
- segtree: Fix missing expires value in prefixes (Phil Sutter) [1832235]
|
||||
|
||||
* Wed Jun 24 2020 Phil Sutter <psutter@redhat.com> [0.9.3-14.el8]
|
||||
- JSON: Improve performance of json_events_cb() (Phil Sutter) [1835300]
|
||||
- doc: Document notrack statement (Phil Sutter) [1841292]
|
||||
|
||||
* Wed May 27 2020 Phil Sutter <psutter@redhat.com> [0.9.3-13.el8]
|
||||
- parser_json: Support ranges in concat expressions (Phil Sutter) [1805798]
|
||||
|
||||
* Thu Mar 26 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8]
|
||||
- Restore default config to be empty (Phil Sutter) [1694723]
|
||||
|