import nftables-0.9.3-26.el8
parent
e21e258d34
commit
53e7e44417
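--- /dev/null
+++ b/SOURCES/0077-mnl-do-not-use-expr-identifier-to-fetch-device-name.patch
@@ -0,0 +1,130 @@
+From 2747cab9c49b570347c86ff59daec93a1432b0bc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 27 Apr 2022 14:37:00 +0200
+Subject: [PATCH] mnl: do not use expr->identifier to fetch device name
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2070924
+Upstream Status: nftables commit 78bbe7f7a55be
+
+commit 78bbe7f7a55be48909067e25900de27623d8fa6a
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed Feb 19 21:05:26 2020 +0100
+
+mnl: do not use expr->identifier to fetch device name
+
+This string might not be nul-terminated, resulting in spurious errors
+when adding netdev chains.
+
+Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain")
+Fixes: 92911b362e90 ("src: add support to add flowtables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+src/mnl.c | 33 +++++++++++++++++++++++++++++----
+src/parser_bison.y | 6 +++---
+2 files changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/src/mnl.c b/src/mnl.c
+index 44cf1a4..f881d97 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -26,6 +26,7 @@
+
+#include <mnl.h>
+#include <string.h>
++#include <net/if.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <fcntl.h>
+@@ -529,7 +530,9 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+{
+int priority, policy, i = 0;
+struct nftnl_chain *nlc;
++	unsigned int ifname_len;
+const char **dev_array;
++	char ifname[IFNAMSIZ];
+struct nlmsghdr *nlh;
+struct expr *expr;
+int dev_array_len;
+@@ -562,7 +565,12 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+dev_array = xmalloc(sizeof(char *) * 8);
+dev_array_len = 8;
+list_for_each_entry(expr, &cmd->chain->dev_expr->expressions, list) {
+-	dev_array[i++] = expr->identifier;
++	ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
++	memset(ifname, 0, sizeof(ifname));
++	mpz_export_data(ifname, expr->value,
++	BYTEORDER_HOST_ENDIAN,
++	ifname_len);
++	dev_array[i++] = xstrdup(ifname);
+if (i == dev_array_len) {
+dev_array_len *= 2;
+dev_array = xrealloc(dev_array,
+@@ -577,6 +585,10 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+nftnl_chain_set_data(nlc, NFTNL_CHAIN_DEVICES, dev_array,
+sizeof(char *) * dev_array_len);
+
++	i = 0;
++	while (dev_array[i] != NULL)
++	xfree(dev_array[i++]);
++
+xfree(dev_array);
+}
+}
+@@ -1488,7 +1500,9 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+unsigned int flags)
+{
+struct nftnl_flowtable *flo;
++	unsigned int ifname_len;
+const char **dev_array;
++	char ifname[IFNAMSIZ];
+struct nlmsghdr *nlh;
+int i = 0, len = 1;
+struct expr *expr;
+@@ -1513,13 +1527,24 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
+list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
+len++;
+
+-	dev_array = calloc(len, sizeof(char *));
+-	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
+-	dev_array[i++] = expr->identifier;
++	dev_array = xmalloc(sizeof(char *) * len);
++
++	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) {
++	ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
++	memset(ifname, 0, sizeof(ifname));
++	mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN,
++	ifname_len);
++	dev_array[i++] = xstrdup(ifname);
++	}
+
+dev_array[i] = NULL;
+nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
+dev_array, sizeof(char *) * len);
++
++	i = 0;
++	while (dev_array[i] != NULL)
++	xfree(dev_array[i++]);
++
+free(dev_array);
+
+netlink_dump_flowtable(flo, ctx);
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 2cdf8ec..dc87571 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -1909,9 +1909,9 @@ flowtable_list_expr : flowtable_expr_member
+
+flowtable_expr_member : STRING
+{
+-	$$ = symbol_expr_alloc(&@$, SYMBOL_VALUE,
+-	current_scope(state),
+-	$1);
++	$$ = constant_expr_alloc(&@$, &string_type,
++	BYTEORDER_HOST_ENDIAN,
++	strlen($1) * BITS_PER_BYTE, $1);
+xfree($1);
+}
+;
+--
+2.34.1
+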
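Review bot: The copy into `ifname[IFNAMSIZ]` in mnl_nft_chain_add is not bounded by the buffer: `ifname_len` is derived from `expr->len`, which for flowtables the parser_bison.y hunk now sets to `strlen($1) * BITS_PER_BYTE` straight from the parsed string, and `mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN, ifname_len)` is asked to write that many bytes. Unless evaluation code outside this patch already rejects device names of IFNAMSIZ or more characters, a long name overruns the stack buffer, and a name of exactly IFNAMSIZ bytes overwrites the zero terminator the memset provided, so the following `xstrdup(ifname)` reads past the array. A minimal guard before the export in both loops would be `if (ifname_len >= sizeof(ifname)) ifname_len = sizeof(ifname) - 1;`, though rejecting the name with an error at evaluation time is the better fix. The same construct is repeated in mnl_nft_flowtable_add, whose device expressions come from the changed parser rule; both functions begin and end outside the hunks shown.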
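--- /dev/null
+++ b/SOURCES/0078-tests-shell-auto-removal-of-chain-hook-on-netns-remo.patch
@@ -0,0 +1,47 @@
+From 66369d42095a214672c1f935eed91902d4cca8d5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 27 Apr 2022 14:37:00 +0200
+Subject: [PATCH] tests: shell: auto-removal of chain hook on netns removal
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2070924
+Upstream Status: nftables commit e632eea21f4b3
+Conflicts: Commit b4775dec9f80b ("src: ingress inet support") creating
+the test not backported, RHEL8 does not support inet ingress.
+Script adjusted accordingly.
+
+commit e632eea21f4b3d03b629a5c1ac7e776d65785873
+Author: Florian Westphal <fw@strlen.de>
+Date: Tue Oct 19 14:07:25 2021 +0200
+
+tests: shell: auto-removal of chain hook on netns removal
+
+This is the nft equivalent of the syzbot report that lead to
+kernel commit 68a3765c659f8
+("netfilter: nf_tables: skip netdev events generated on netns removal").
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+tests/shell/testcases/chains/0043chain_ingress_0 | 11 +++++++++++
+1 file changed, 11 insertions(+)
+create mode 100755 tests/shell/testcases/chains/0043chain_ingress_0
+
+diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0
+new file mode 100755
+index 0000000..09d6907
+--- /dev/null
++++ b/tests/shell/testcases/chains/0043chain_ingress_0
+@@ -0,0 +1,11 @@
++#!/bin/bash
++
++set -e
++
++# Test auto-removal of chain hook on netns removal
++unshare -n bash -c "ip link add br0 type bridge; \
++	$NFT add table netdev test; \
++	$NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \
++" || exit 1
++
++exit 0
+--
+2.34.1
+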
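Review bot: The script's exit status cannot detect the bug it is meant to cover: it only creates a bridge, a netdev table and an ingress chain inside a throwaway namespace and then exits, so a kernel that still mishandles the hook on netns teardown (the case kernel commit 68a3765c659f8 cited in the message fixes) would presumably surface as a kernel warning, not as an nft error. A comment next to `# Test auto-removal of chain hook on netns removal` should say so, e.g. `# A regression here shows up as a kernel splat on namespace teardown, not as an nft failure; check dmesg when running this case.` Separately, `|| exit 1` on the unshare line is redundant with `set -e` above it, which already aborts the script on a non-zero status, so one of the two can go. The test also needs privileges for `unshare -n` and `ip link add`, which it does not check itself, presumably relying on the suite runner.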
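--- /dev/null
+++ b/SOURCES/0079-rule-memleak-in-__do_add_setelems.patch
@@ -0,0 +1,53 @@
+From bc2bfe4b68d213c74c634e87dee0116c066209e4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 27 Apr 2022 14:46:47 +0200
+Subject: [PATCH] rule: memleak in __do_add_setelems()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287
+Upstream Status: nftables commit b6d50bfde21b5
+
+commit b6d50bfde21b5a24a606cbf22137e04e8e0f195d
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Apr 30 14:18:45 2020 +0200
+
+rule: memleak in __do_add_setelems()
+
+This patch invokes interval_map_decompose() with named sets:
+
+==3402== 2,352 (128 direct, 2,224 indirect) bytes in 1 blocks are definitely lost in loss record 9 of 9
+==3402== at 0x483577F: malloc (vg_replace_malloc.c:299)
+==3402== by 0x48996A8: xmalloc (utils.c:36)
+==3402== by 0x4899778: xzalloc (utils.c:65)
+==3402== by 0x487CB46: expr_alloc (expression.c:45)
+==3402== by 0x487E2A0: mapping_expr_alloc (expression.c:1140)
+==3402== by 0x4898AA8: interval_map_decompose (segtree.c:1095)
+==3402== by 0x4872BDF: __do_add_setelems (rule.c:1569)
+==3402== by 0x4872BDF: __do_add_setelems (rule.c:1559)
+==3402== by 0x4877936: do_command (rule.c:2710)
+==3402== by 0x489F1CB: nft_netlink.isra.5 (libnftables.c:42)
+==3402== by 0x489FB07: nft_run_cmd_from_filename (libnftables.c:508)
+==3402== by 0x10A9AA: main (main.c:455)
+
+Fixes: dd44081d91ce ("segtree: Fix add and delete of element in same batch")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+src/rule.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/rule.c b/src/rule.c
+index f7d888b..b2aa1d7 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1511,7 +1511,8 @@ static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set,
+if (mnl_nft_setelem_add(ctx, set, expr, flags) < 0)
+return -1;
+
+-	if (set->init != NULL &&
++	if (!set_is_anonymous(set->flags) &&
++	set->init != NULL &&
+set->flags & NFT_SET_INTERVAL &&
+set->desc.field_count <= 1) {
+interval_map_decompose(expr);
+--
+2.34.1
+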
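Review bot: The new `!set_is_anonymous(set->flags)` clause carries no comment, and the commit text only shows the valgrind trace, so the reason anonymous sets are excluded from the interval_map_decompose() cache refresh has to be reconstructed by the next reader of this four-clause condition. Please add a line above it such as `/* Skip the element-cache refresh for anonymous sets: decomposing their elements here only leaked the result (see the valgrind trace in the commit). */`, adjusting the wording if the underlying reason is different. Note that the next patch in this import (0080) narrows the same condition again with `set->init != expr`, which its message identifies as the actual aliasing cause, so one comment covering both clauses would serve better than two. __do_add_setelems() begins and ends outside this hunk.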
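--- /dev/null
+++ b/SOURCES/0080-rule-fix-element-cache-update-in-__do_add_setelems.patch
@@ -0,0 +1,43 @@
+From 0e284af80adefc8d8738c7191eff0ca7c6ad64a6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 27 Apr 2022 14:46:47 +0200
+Subject: [PATCH] rule: fix element cache update in __do_add_setelems()
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287
+Upstream Status: nftables commit e68938f2bf89f
+
+commit e68938f2bf89fcc9a99e12c9b7a10c1838f2a133
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu Apr 30 16:30:15 2020 +0200
+
+rule: fix element cache update in __do_add_setelems()
+
+The set->init and expr arguments might actually refer to the same list
+of elements. Skip set element cache update introduced by dd44081d91ce
+("segtree: Fix add and delete of element in same batch") otherwise
+list_splice_tail_init() actually operates with the same list as
+arguments. Valgrind reports this problem as a memleak since the result
+of this operation was an empty set element list.
+
+Fixes: dd44081d91ce ("segtree: Fix add and delete of element in same batch")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+src/rule.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rule.c b/src/rule.c
+index b2aa1d7..9ae6d19 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1512,7 +1512,7 @@ static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set,
+return -1;
+
+if (!set_is_anonymous(set->flags) &&
+-	set->init != NULL &&
++	set->init != NULL && set->init != expr &&
+set->flags & NFT_SET_INTERVAL &&
+set->desc.field_count <= 1) {
+interval_map_decompose(expr);
+--
+2.34.1
+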
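Review bot: The `set->init != expr` test in the condition is a pointer-identity check whose purpose is invisible in the code: per the commit message, when the caller passes the set's own `init` list as `expr`, the later `list_splice_tail_init()` is handed the same list as source and destination and empties it. A comment should capture that, e.g. `/* expr may be set->init itself (do_add_set() passes it); splicing a list onto itself would empty it, so skip the cache refresh in that case. */` — the `__do_add_setelems(ctx, set, set->init, flags)` call in do_add_set() is visible in patch 0082 on this page. With four clauses spread over four lines, a comment is the only way to tell which clause guards against which failure. __do_add_setelems() continues outside this hunk.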
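--- /dev/null
+++ b/SOURCES/0081-src-rename-CMD_OBJ_SETELEM-to-CMD_OBJ_ELEMENTS.patch
@@ -0,0 +1,208 @@
+From 43d5837615201d68108151e70c06cc0e90622fcc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 27 Apr 2022 14:46:47 +0200
+Subject: [PATCH] src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287
+Upstream Status: nftables commit 9ed076c6f5abc
+
+commit 9ed076c6f5abcbbad1b6b721dca29f87963f0ecc
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri May 8 14:44:01 2020 +0200
+
+src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS
+
+The CMD_OBJ_ELEMENTS provides an expression that contains the list of
+set elements. This leaves room to introduce CMD_OBJ_SETELEMS in a follow
+up patch.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+include/rule.h | 4 ++--
+src/cache.c | 6 +++---
+src/evaluate.c | 6 +++---
+src/parser_bison.y | 8 ++++----
+src/parser_json.c | 2 +-
+src/rule.c | 8 ++++----
+6 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/include/rule.h b/include/rule.h
+index 3637462..7fe607f 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -542,7 +542,7 @@ enum cmd_ops {
+* enum cmd_obj - command objects
+*
+* @CMD_OBJ_INVALID: invalid
+- * @CMD_OBJ_SETELEM: set element(s)
++ * @CMD_OBJ_ELEMENTS: set element(s)
+* @CMD_OBJ_SET: set
+* @CMD_OBJ_SETS: multiple sets
+* @CMD_OBJ_RULE: rule
+@@ -570,7 +570,7 @@ enum cmd_ops {
+*/
+enum cmd_obj {
+CMD_OBJ_INVALID,
+-	CMD_OBJ_SETELEM,
++	CMD_OBJ_ELEMENTS,
+CMD_OBJ_SET,
+CMD_OBJ_SETS,
+CMD_OBJ_RULE,
+diff --git a/src/cache.c b/src/cache.c
+index 05f0d68..a45111a 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -25,7 +25,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags)
+case CMD_OBJ_FLOWTABLE:
+flags |= NFT_CACHE_TABLE;
+break;
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+flags |= NFT_CACHE_TABLE |
+NFT_CACHE_CHAIN |
+NFT_CACHE_SET |
+@@ -53,7 +53,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags)
+static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags)
+{
+switch (cmd->obj) {
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+flags |= NFT_CACHE_SETELEM;
+break;
+default:
+@@ -66,7 +66,7 @@ static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags)
+static unsigned int evaluate_cache_get(struct cmd *cmd, unsigned int flags)
+{
+switch (cmd->obj) {
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+flags |= NFT_CACHE_TABLE |
+NFT_CACHE_SET |
+NFT_CACHE_SETELEM;
+diff --git a/src/evaluate.c b/src/evaluate.c
+index e495faf..fd6db8a 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -3815,7 +3815,7 @@ static int table_evaluate(struct eval_ctx *ctx, struct table *table)
+static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
+{
+switch (cmd->obj) {
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+return setelem_evaluate(ctx, &cmd->expr);
+case CMD_OBJ_SET:
+handle_merge(&cmd->set->handle, &cmd->handle);
+@@ -3847,7 +3847,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
+static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
+{
+switch (cmd->obj) {
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+return setelem_evaluate(ctx, &cmd->expr);
+case CMD_OBJ_SET:
+case CMD_OBJ_RULE:
+@@ -3874,7 +3874,7 @@ static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd)
+struct set *set;
+
+switch (cmd->obj) {
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+table = table_lookup(&cmd->handle, &ctx->nft->cache);
+if (table == NULL)
+return table_not_found(ctx);
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index dc87571..96f0a4c 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -1019,7 +1019,7 @@ add_cmd : TABLE table_spec
+}
+| ELEMENT set_spec set_block_expr
+{
+-	$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEM, &$2, &@$, $3);
++	$$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
+}
+| FLOWTABLE flowtable_spec flowtable_block_alloc
+'{' flowtable_block '}'
+@@ -1116,7 +1116,7 @@ create_cmd : TABLE table_spec
+}
+| ELEMENT set_spec set_block_expr
+{
+-	$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SETELEM, &$2, &@$, $3);
++	$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
+}
+| FLOWTABLE flowtable_spec flowtable_block_alloc
+'{' flowtable_block '}'
+@@ -1208,7 +1208,7 @@ delete_cmd : TABLE table_spec
+}
+| ELEMENT set_spec set_block_expr
+{
+-	$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SETELEM, &$2, &@$, $3);
++	$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
+}
+| FLOWTABLE flowtable_spec
+{
+@@ -1266,7 +1266,7 @@ delete_cmd : TABLE table_spec
+
+get_cmd : ELEMENT set_spec set_block_expr
+{
+-	$$ = cmd_alloc(CMD_GET, CMD_OBJ_SETELEM, &$2, &@$, $3);
++	$$ = cmd_alloc(CMD_GET, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
+}
+;
+
+diff --git a/src/parser_json.c b/src/parser_json.c
+index 2250be9..15902a8 100644
+--- a/src/parser_json.c
++++ b/src/parser_json.c
+@@ -3391,7 +3391,7 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx,
+{ "rule", CMD_OBJ_RULE, json_parse_cmd_add_rule },
+{ "set", CMD_OBJ_SET, json_parse_cmd_add_set },
+{ "map", CMD_OBJ_SET, json_parse_cmd_add_set },
+-	{ "element", CMD_OBJ_SETELEM, json_parse_cmd_add_element },
++	{ "element", CMD_OBJ_ELEMENTS, json_parse_cmd_add_element },
+{ "flowtable", CMD_OBJ_FLOWTABLE, json_parse_cmd_add_flowtable },
+{ "counter", CMD_OBJ_COUNTER, json_parse_cmd_add_object },
+{ "quota", CMD_OBJ_QUOTA, json_parse_cmd_add_object },
+diff --git a/src/rule.c b/src/rule.c
+index 9ae6d19..afb6dc9 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1456,7 +1456,7 @@ void cmd_free(struct cmd *cmd)
+handle_free(&cmd->handle);
+if (cmd->data != NULL) {
+switch (cmd->obj) {
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+expr_free(cmd->expr);
+break;
+case CMD_OBJ_SET:
+@@ -1580,7 +1580,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
+return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND);
+case CMD_OBJ_SET:
+return do_add_set(ctx, cmd, flags);
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+return do_add_setelems(ctx, cmd, flags);
+case CMD_OBJ_COUNTER:
+case CMD_OBJ_QUOTA:
+@@ -1659,7 +1659,7 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd)
+return mnl_nft_rule_del(ctx, cmd);
+case CMD_OBJ_SET:
+return mnl_nft_set_del(ctx, cmd);
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+return do_delete_setelems(ctx, cmd);
+case CMD_OBJ_COUNTER:
+return mnl_nft_obj_del(ctx, cmd, NFT_OBJECT_COUNTER);
+@@ -2519,7 +2519,7 @@ static int do_command_get(struct netlink_ctx *ctx, struct cmd *cmd)
+table = table_lookup(&cmd->handle, &ctx->nft->cache);
+
+switch (cmd->obj) {
+-	case CMD_OBJ_SETELEM:
++	case CMD_OBJ_ELEMENTS:
+return do_get_setelems(ctx, cmd, table);
+default:
+BUG("invalid command object type %u\n", cmd->obj);
+--
+2.34.1
+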
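--- /dev/null
+++ b/SOURCES/0082-src-add-CMD_OBJ_SETELEMS.patch
@@ -0,0 +1,125 @@
+From 61c295c9dec447239ed2c84b0073594ffecf7554 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 27 Apr 2022 14:46:47 +0200
+Subject: [PATCH] src: add CMD_OBJ_SETELEMS
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287
+Upstream Status: nftables commit c9eae091983ae
+Conflicts: Context change due to missing commit 086ec6f30c96e
+("mnl: extended error support for create command").
+
+commit c9eae091983ae9ffcf2ca5b666bc03d5a1916c2f
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri May 8 14:44:03 2020 +0200
+
+src: add CMD_OBJ_SETELEMS
+
+This new command type results from expanding the set definition in two
+commands: One to add the set and another to add the elements. This
+results in 1:1 mapping between the command object to the netlink API.
+The command is then translated into a netlink message which gets a
+unique sequence number. This sequence number allows to correlate the
+netlink extended error reporting with the corresponding command.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+include/rule.h | 2 ++
+src/rule.c | 23 +++++++++++++++++++----
+2 files changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/include/rule.h b/include/rule.h
+index 7fe607f..1efd4fb 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -545,6 +545,7 @@ enum cmd_ops {
+* @CMD_OBJ_ELEMENTS: set element(s)
+* @CMD_OBJ_SET: set
+* @CMD_OBJ_SETS: multiple sets
++ * @CMD_OBJ_SETELEMS: set elements
+* @CMD_OBJ_RULE: rule
+* @CMD_OBJ_CHAIN: chain
+* @CMD_OBJ_CHAINS: multiple chains
+@@ -572,6 +573,7 @@ enum cmd_obj {
+CMD_OBJ_INVALID,
+CMD_OBJ_ELEMENTS,
+CMD_OBJ_SET,
++	CMD_OBJ_SETELEMS,
+CMD_OBJ_SETS,
+CMD_OBJ_RULE,
+CMD_OBJ_CHAIN,
+diff --git a/src/rule.c b/src/rule.c
+index afb6dc9..c43e0cd 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1352,11 +1352,11 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
+void nft_cmd_expand(struct cmd *cmd)
+{
+struct list_head new_cmds;
++	struct set *set, *newset;
+struct flowtable *ft;
+struct table *table;
+struct chain *chain;
+struct rule *rule;
+-	struct set *set;
+struct obj *obj;
+struct cmd *new;
+struct handle h;
+@@ -1412,6 +1412,18 @@ void nft_cmd_expand(struct cmd *cmd)
+}
+list_splice(&new_cmds, &cmd->list);
+break;
++	case CMD_OBJ_SET:
++	set = cmd->set;
++	memset(&h, 0, sizeof(h));
++	handle_merge(&h, &set->handle);
++	newset = set_clone(set);
++	newset->handle.set_id = set->handle.set_id;
++	newset->init = set->init;
++	set->init = NULL;
++	new = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEMS, &h,
++	&set->location, newset);
++	list_add(&new->list, &cmd->list);
++	break;
+default:
+break;
+}
+@@ -1460,6 +1472,7 @@ void cmd_free(struct cmd *cmd)
+expr_free(cmd->expr);
+break;
+case CMD_OBJ_SET:
++	case CMD_OBJ_SETELEMS:
+set_free(cmd->set);
+break;
+case CMD_OBJ_RULE:
+@@ -1545,7 +1558,7 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
+}
+
+static int do_add_set(struct netlink_ctx *ctx, const struct cmd *cmd,
+-	uint32_t flags)
++	uint32_t flags, bool add)
+{
+struct set *set = cmd->set;
+
+@@ -1556,7 +1569,7 @@ static int do_add_set(struct netlink_ctx *ctx, const struct cmd *cmd,
+&ctx->nft->output) < 0)
+return -1;
+}
+-	if (mnl_nft_set_add(ctx, cmd, flags) < 0)
++	if (add && mnl_nft_set_add(ctx, cmd, flags) < 0)
+return -1;
+if (set->init != NULL) {
+return __do_add_setelems(ctx, set, set->init, flags);
+@@ -1579,7 +1592,9 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
+case CMD_OBJ_RULE:
+return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND);
+case CMD_OBJ_SET:
+-	return do_add_set(ctx, cmd, flags);
++	return do_add_set(ctx, cmd, flags, true);
++	case CMD_OBJ_SETELEMS:
++	return do_add_set(ctx, cmd, flags, false);
+case CMD_OBJ_ELEMENTS:
+return do_add_setelems(ctx, cmd, flags);
+case CMD_OBJ_COUNTER:
+--
+2.34.1
+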
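Review bot: The new CMD_OBJ_SET branch in nft_cmd_expand() transfers ownership and depends on command order, but states neither: `newset->init = set->init; set->init = NULL;` hands the element list to the clone, and `list_add(&new->list, &cmd->list)` inserts the CMD_OBJ_SETELEMS command directly after the set command, which is what lets `do_add_set(ctx, cmd, flags, false)` add elements to a set created earlier in the same batch, presumably correlated through the copied `set_id`. A short comment above `case CMD_OBJ_SET:` should say that the definition is split into set + elements so each gets its own netlink sequence number for extended-error correlation, that the clone takes over `init`, and that the new command must stay immediately behind the set command. One thing to confirm: if set_clone() already duplicates `init`, the assignment `newset->init = set->init` would leak that duplicate — set_clone() is outside this hunk, so I cannot tell from here. nft_cmd_expand() and do_add_set() both continue outside the hunks shown.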
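--- /dev/null
+++ b/SOURCES/0083-libnftables-call-nft_cmd_expand-only-with-CMD_ADD.patch
@@ -0,0 +1,43 @@
+From 34a7632a4d72c16d2a087fcc6450d1a783858124 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 28 Apr 2022 14:14:39 +0200
+Subject: [PATCH] libnftables: call nft_cmd_expand() only with CMD_ADD
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287
+Upstream Status: nftables commit b81519f1641b5
+
+commit b81519f1641b508c289ddfefc800b2c20ab243e6
+Author: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri May 8 14:44:02 2020 +0200
+
+libnftables: call nft_cmd_expand() only with CMD_ADD
+
+Restrict the expansion logic to the CMD_ADD command which is where this
+is only required.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+src/libnftables.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libnftables.c b/src/libnftables.c
+index cd2fcf2..ab01909 100644
+--- a/src/libnftables.c
++++ b/src/libnftables.c
+@@ -421,8 +421,12 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
+if (nft->state->nerrs)
+return -1;
+
+-	list_for_each_entry(cmd, cmds, list)
++	list_for_each_entry(cmd, cmds, list) {
++	if (cmd->op != CMD_ADD)
++	continue;
++
+nft_cmd_expand(cmd);
++	}
+
+return 0;
+}
+--
+2.34.1
+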
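Review bot: Restricting expansion to `cmd->op == CMD_ADD` leaves an unexplained asymmetry: an `add set` with inline elements is now split into set + elements commands by patch 0082's CMD_OBJ_SET branch, while a `create set` (CMD_CREATE, visible in patch 0081's parser hunks) keeps its nested definition and is presumably handled by the unexpanded path. A one-line comment above the loop would save the next reader a search, e.g. `/* Only 'add' is expanded into per-object commands; 'create' keeps the nested definition. */`, or the check could move inside nft_cmd_expand() so every caller gets the same rule. As a point of style, `if (cmd->op == CMD_ADD) nft_cmd_expand(cmd);` keeps the loop body a single statement as before instead of the `continue` plus blank line. nft_evaluate() begins and ends outside this hunk.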
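--- a/nftables.spec
+++ b/nftables.spec
@@ -1,5 +1,5 @@
 %define rpmversion 0.9.3
-%define specrelease 25
+%define specrelease 26
 %define libnftnl_ver 1.1.5-5
 
 Name: nftables
@@ -94,6 +94,13 @@ Patch73: 0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.pa
 Patch74: 0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch
 Patch75: 0075-tests-py-add-dnat-to-port-without-defining-destinati.patch
 Patch76: 0076-mnl-do-not-build-nftnl_set-element-list.patch
+Patch77: 0077-mnl-do-not-use-expr-identifier-to-fetch-device-name.patch
+Patch78: 0078-tests-shell-auto-removal-of-chain-hook-on-netns-remo.patch
+Patch79: 0079-rule-memleak-in-__do_add_setelems.patch
+Patch80: 0080-rule-fix-element-cache-update-in-__do_add_setelems.patch
+Patch81: 0081-src-rename-CMD_OBJ_SETELEM-to-CMD_OBJ_ELEMENTS.patch
+Patch82: 0082-src-add-CMD_OBJ_SETELEMS.patch
+Patch83: 0083-libnftables-call-nft_cmd_expand-only-with-CMD_ADD.patch
 
 BuildRequires: aut
 BuildRequires: autoconf
@@ -210,6 +217,15 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 
 %changelog
+* Thu Apr 28 2022 Phil Sutter <psutter@redhat.com> [0.9.3-26.el8]
+- libnftables: call nft_cmd_expand() only with CMD_ADD (Phil Sutter) [2073287]
+- src: add CMD_OBJ_SETELEMS (Phil Sutter) [2073287]
+- src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS (Phil Sutter) [2073287]
+- rule: fix element cache update in __do_add_setelems() (Phil Sutter) [2073287]
+- rule: memleak in __do_add_setelems() (Phil Sutter) [2073287]
+- tests: shell: auto-removal of chain hook on netns removal (Phil Sutter) [2070924]
+- mnl: do not use expr->identifier to fetch device name (Phil Sutter) [2070924]
+
 * Fri Feb 04 2022 Phil Sutter <psutter@redhat.com> [0.9.3-25.el8]
 - mnl: do not build nftnl_set element list (Phil Sutter) [2047821]
 - tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773]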