import UBI nftables-1.0.9-5.el9_7

eabdullin 2025-11-11 16:15:17 +00:00
parent 6302f7dc2a
commit 64d193530f
7 changed files with 735 additions and 1 deletions


@ -0,0 +1,56 @@
From 1172955315cf4d14f0ddc53f26ff82447f0dadda Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 16 Oct 2025 16:12:09 +0200
Subject: [PATCH] tests: shell: Fix sets/reset_command_0 for current kernels
JIRA: https://issues.redhat.com/browse/RHEL-114095
Upstream Status: nftables commit 7a6089a400a573b9a4fd92f29c00a6be7b8ef269
commit 7a6089a400a573b9a4fd92f29c00a6be7b8ef269
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Nov 2 16:02:14 2023 +0100
tests: shell: Fix sets/reset_command_0 for current kernels
Since kernel commit 4c90bba60c26 ("netfilter: nf_tables: do not refresh
timeout when resetting element"), element reset won't touch expiry
anymore. Invert the one check to make sure it remains unaltered, drop
the other testing behaviour for per-element timeouts.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/shell/testcases/sets/reset_command_0 | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0
index e663dac..d38ddb3 100755
--- a/tests/shell/testcases/sets/reset_command_0
+++ b/tests/shell/testcases/sets/reset_command_0
@@ -44,10 +44,10 @@ elem='element t s { 1.0.0.1 . udp . 53 }'
grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]]
echo OK
-echo -n "counters and expiry are reset: "
+echo -n "counters are reset, expiry left alone: "
NEW=$($NFT "get $elem")
grep -q 'counter packets 0 bytes 0' <<< "$NEW"
-[[ $(expires_minutes <<< "$NEW") -gt 20 ]]
+[[ $(expires_minutes <<< "$NEW") -lt 20 ]]
echo OK
echo -n "get map elem matches reset map elem: "
@@ -80,12 +80,6 @@ OUT=$($NFT reset map t m)
$DIFF -u <(echo "$EXP") <(echo "$OUT")
echo OK
-echo -n "reset command respects per-element timeout: "
-VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes)
-[[ $VAL -lt 15 ]] # custom timeout applies
-[[ $VAL -gt 10 ]] # expires was reset
-echo OK
-
echo -n "remaining elements are reset: "
OUT=$($NFT list ruleset)
grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT"
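Review bot: The inverted check `[[ $(expires_minutes <<< "$NEW") -lt 20 ]]` also succeeds when `expires_minutes` prints nothing, because bash evaluates an empty `-lt` operand as 0; the old `-gt 20` form failed in that case. If the `get` output ever lacks an expires field, or the helper's parsing stops matching, the test would pass without verifying that the expiry was left alone. Capturing the value and requiring it to be non-empty closes that gap: `MINS=$(expires_minutes <<< "$NEW")` followed by `[[ -n "$MINS" && "$MINS" -lt 20 ]]`. `expires_minutes` is defined outside this hunk, so its behaviour on non-matching input is inferred rather than confirmed.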


@ -0,0 +1,165 @@
From 52f4e05d55ef0215dd7df050ff93270f185c07b0 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 16 Oct 2025 16:12:09 +0200
Subject: [PATCH] tests: shell: connect chains to hook point
JIRA: https://issues.redhat.com/browse/RHEL-114095
Upstream Status: nftables commit 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
Conflicts: Dropped changes to .json-nft files missing downstream
commit 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
Author: Florian Westphal <fw@strlen.de>
Date: Wed Jul 10 02:33:37 2024 +0200
tests: shell: connect chains to hook point
These tests should fail because they contain a loop or exceed the jump stack.
But this depends on the kernel validating chains that are not bound to any
basechain/hook point.
Wire up the initial chain to filter type.
Without this tests will start to fail when kernel stops validating
chains that are not reachable by any base chain.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/shell/testcases/chains/0003jump_loop_1 | 3 ++-
tests/shell/testcases/chains/0010endless_jump_loop_1 | 2 +-
tests/shell/testcases/chains/0011endless_jump_loop_1 | 2 +-
tests/shell/testcases/chains/0018check_jump_loop_1 | 2 +-
tests/shell/testcases/chains/dumps/0003jump_loop_1.nft | 1 +
tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft | 1 +
tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft | 1 +
tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft | 1 +
tests/shell/testcases/transactions/0023rule_1 | 2 +-
tests/shell/testcases/transactions/anon_chain_loop | 2 +-
10 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
index 80e243f..1a8eaf6 100755
--- a/tests/shell/testcases/chains/0003jump_loop_1
+++ b/tests/shell/testcases/chains/0003jump_loop_1
@@ -5,8 +5,9 @@ set -e
MAX_JUMPS=16
$NFT add table t
+$NFT "add chain t c1 { type filter hook prerouting priority 0; }"
-for i in $(seq 1 $MAX_JUMPS)
+for i in $(seq 2 $MAX_JUMPS)
do
$NFT add chain t c${i}
done
diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
index 5d3ef23..6000e5d 100755
--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
@@ -3,7 +3,7 @@
set -e
$NFT add table t
-$NFT add chain t c
+$NFT add chain "t c { type filter hook input priority 0; }"
# kernel should return ELOOP
$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
index d75932d..66abf8d 100755
--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
@@ -3,7 +3,7 @@
set -e
$NFT add table t
-$NFT add chain t c1
+$NFT add chain "t c1 { type filter hook forward priority 0; }"
$NFT add chain t c2
$NFT add map t m {type inet_service : verdict \;}
$NFT add element t m {2 : jump c2}
diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
index b87520f..1e674d3 100755
--- a/tests/shell/testcases/chains/0018check_jump_loop_1
+++ b/tests/shell/testcases/chains/0018check_jump_loop_1
@@ -3,7 +3,7 @@
set -e
$NFT add table ip filter
-$NFT add chain ip filter ap1
+$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"
$NFT add chain ip filter ap2
$NFT add rule ip filter ap1 jump ap2
diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
index 7054cde..8d89bc4 100644
--- a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
+++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
@@ -1,5 +1,6 @@
table ip t {
chain c1 {
+ type filter hook prerouting priority filter; policy accept;
jump c2
}
diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
index 1e0d1d6..62fefaf 100644
--- a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
+++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
@@ -1,4 +1,5 @@
table ip t {
chain c {
+ type filter hook input priority filter; policy accept;
}
}
diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
index ca0a737..d35736e 100644
--- a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
+++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
@@ -5,6 +5,7 @@ table ip t {
}
chain c1 {
+ type filter hook forward priority filter; policy accept;
tcp dport vmap @m
}
diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
index 437900b..bdd0ead 100644
--- a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
+++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft
@@ -1,5 +1,6 @@
table ip filter {
chain ap1 {
+ type filter hook input priority filter; policy accept;
jump ap2
}
diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
index e58c088..863bcde 100755
--- a/tests/shell/testcases/transactions/0023rule_1
+++ b/tests/shell/testcases/transactions/0023rule_1
@@ -1,7 +1,7 @@
#!/bin/bash
RULESET="add table x
-add chain x y
+add chain x y { type filter hook input priority 0; }
add rule x y jump y"
# kernel must return ELOOP
diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop
index 2fd6181..3053d16 100755
--- a/tests/shell/testcases/transactions/anon_chain_loop
+++ b/tests/shell/testcases/transactions/anon_chain_loop
@@ -3,7 +3,7 @@
# anon chains with c1 -> c2 recursive jump, expect failure
$NFT -f - <<EOF
table ip t {
- chain c2 { }
+ chain c2 { type filter hook input priority 0; }
chain c1 { }
}
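Review bot: The new base-chain definitions are quoted three different ways: the whole command in 0003jump_loop_1 (`$NFT "add chain t c1 { ... }"`), the table and chain name inside the quotes in 0010 and 0011 (`$NFT add chain "t c { ... }"`), and only the brace block in 0018check_jump_loop_1. All three appear to reach nft as the same command. A single form, e.g. `$NFT add chain t c "{ type filter hook input priority 0; }"`, would make the tests easier to compare and would keep the braces and `;` visibly protected from the shell in every file.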


@ -0,0 +1,146 @@
From 5cf419d1ee6579ca404c4e0778713a65fd473a50 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 16 Oct 2025 16:12:50 +0200
Subject: [PATCH] datatype: rt_symbol_table_init() to search for iproute2
configs
JIRA: https://issues.redhat.com/browse/RHEL-114095
Upstream Status: nftables commit d0f70a1739b8e512986fb460a7fa7ff8a9300b68
commit d0f70a1739b8e512986fb460a7fa7ff8a9300b68
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Dec 15 21:59:44 2023 +0100
datatype: rt_symbol_table_init() to search for iproute2 configs
There is an ongoing effort among various distributions to tidy up in
/etc. The idea is to reduce contents to just what the admin manually
inserted to customize the system, anything else shall move out to /usr
(or so). The various files in /etc/iproute2 fall in that category as
they are seldomly modified.
The crux is though that iproute2 project seems not quite sure yet where
the files should go. While v6.6.0 installs them into /usr/lib/iproute2,
current mast^Wmain branch uses /usr/share/iproute2. Assume this is going
to stay as /(usr/)lib does not seem right for such files.
Note that rt_symbol_table_init() is not just used for
iproute2-maintained configs but also for connlabel.conf - so retain the
old behaviour when passed an absolute path.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/datatype.c | 38 ++++++++++++++++++++++++++++++++++----
src/meta.c | 2 +-
src/rt.c | 2 +-
3 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/src/datatype.c b/src/datatype.c
index 64e4647..9530ae7 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -855,19 +855,47 @@ const struct datatype inet_service_type = {
#define RT_SYM_TAB_INITIAL_SIZE 16
+static FILE *open_iproute2_db(const char *filename, char **path)
+{
+ FILE *ret;
+
+ if (filename[0] == '/')
+ return fopen(filename, "r");
+
+ if (asprintf(path, "/etc/iproute2/%s", filename) == -1)
+ goto fail;
+
+ ret = fopen(*path, "r");
+ if (ret)
+ return ret;
+
+ free(*path);
+ if (asprintf(path, "/usr/share/iproute2/%s", filename) == -1)
+ goto fail;
+
+ ret = fopen(*path, "r");
+ if (ret)
+ return ret;
+
+ free(*path);
+fail:
+ *path = NULL;
+ return NULL;
+}
+
struct symbol_table *rt_symbol_table_init(const char *filename)
{
+ char buf[512], namebuf[512], *p, *path = NULL;
struct symbolic_constant s;
struct symbol_table *tbl;
unsigned int size, nelems, val;
- char buf[512], namebuf[512], *p;
FILE *f;
size = RT_SYM_TAB_INITIAL_SIZE;
tbl = xmalloc(sizeof(*tbl) + size * sizeof(s));
nelems = 0;
- f = fopen(filename, "r");
+ f = open_iproute2_db(filename, &path);
if (f == NULL)
goto out;
@@ -882,7 +910,7 @@ struct symbol_table *rt_symbol_table_init(const char *filename)
sscanf(p, "%u %511s\n", &val, namebuf) != 2 &&
sscanf(p, "%u %511s #", &val, namebuf) != 2) {
fprintf(stderr, "iproute database '%s' corrupted\n",
- filename);
+ path ?: filename);
break;
}
@@ -899,6 +927,8 @@ struct symbol_table *rt_symbol_table_init(const char *filename)
fclose(f);
out:
+ if (path)
+ free(path);
tbl->symbols[nelems] = SYMBOL_LIST_END;
return tbl;
}
@@ -914,7 +944,7 @@ void rt_symbol_table_free(const struct symbol_table *tbl)
void mark_table_init(struct nft_ctx *ctx)
{
- ctx->output.tbl.mark = rt_symbol_table_init("/etc/iproute2/rt_marks");
+ ctx->output.tbl.mark = rt_symbol_table_init("rt_marks");
}
void mark_table_exit(struct nft_ctx *ctx)
diff --git a/src/meta.c b/src/meta.c
index b578d5e..b69dca2 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -336,7 +336,7 @@ const struct datatype pkttype_type = {
void devgroup_table_init(struct nft_ctx *ctx)
{
- ctx->output.tbl.devgroup = rt_symbol_table_init("/etc/iproute2/group");
+ ctx->output.tbl.devgroup = rt_symbol_table_init("group");
}
void devgroup_table_exit(struct nft_ctx *ctx)
diff --git a/src/rt.c b/src/rt.c
index f5c8055..3ee710d 100644
--- a/src/rt.c
+++ b/src/rt.c
@@ -25,7 +25,7 @@
void realm_table_rt_init(struct nft_ctx *ctx)
{
- ctx->output.tbl.realm = rt_symbol_table_init("/etc/iproute2/rt_realms");
+ ctx->output.tbl.realm = rt_symbol_table_init("rt_realms");
}
void realm_table_rt_exit(struct nft_ctx *ctx)
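Review bot: In `open_iproute2_db()` any failure of the first `fopen()` falls through to `/usr/share/iproute2/`, so an admin-customised file in `/etc/iproute2/` that exists but cannot be opened (for example EACCES) is silently replaced by the distribution default, and names may resolve to different values with no diagnostic. Consider falling back only when the file is absent, e.g. `if (ret || errno != ENOENT) return ret;` after the first `fopen(*path, "r")`, assuming `errno.h` is already included in datatype.c, which the hunk does not show. The helper also has no comment stating its contract: `*path` is written only for relative names, is left untouched for absolute ones, and must be freed by the caller. A short comment saying so, or `*path = NULL;` at the top of the function, would remove the reliance on the caller's `path = NULL` initialiser. In `rt_symbol_table_init()`, `if (path) free(path);` can be plain `free(path);`.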


@ -0,0 +1,226 @@
From a902fc33ebf202de6e8a7fa7cbd8ba840d80605c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 16 Oct 2025 16:12:50 +0200
Subject: [PATCH] tests: py: remove huge-limit test cases
JIRA: https://issues.redhat.com/browse/RHEL-114095
Upstream Status: nftables commit 1ee84db0360db0da336d5b1ee92807d29fcfbbe1
commit 1ee84db0360db0da336d5b1ee92807d29fcfbbe1
Author: Florian Westphal <fw@strlen.de>
Date: Thu Jan 18 13:24:04 2024 +0100
tests: py: remove huge-limit test cases
These tests will fail once the kernel checks for overflow
in the internal token bucken counter, so drop them.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/py/any/limit.t | 4 ---
tests/py/any/limit.t.json | 51 --------------------------------
tests/py/any/limit.t.json.output | 28 ------------------
tests/py/any/limit.t.payload | 17 -----------
4 files changed, 100 deletions(-)
diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t
index a04ef42..2a84e3f 100644
--- a/tests/py/any/limit.t
+++ b/tests/py/any/limit.t
@@ -22,7 +22,6 @@ limit rate 2 kbytes/second;ok
limit rate 1025 kbytes/second;ok
limit rate 1023 mbytes/second;ok
limit rate 10230 mbytes/second;ok
-limit rate 1023000 mbytes/second;ok
limit rate 512 kbytes/second burst 5 packets;fail
limit rate 1 bytes / second;ok;limit rate 1 bytes/second
@@ -33,7 +32,6 @@ limit rate 1 gbytes / second;fail
limit rate 1025 bytes/second burst 512 bytes;ok
limit rate 1025 kbytes/second burst 1023 kbytes;ok
limit rate 1025 mbytes/second burst 1025 kbytes;ok
-limit rate 1025000 mbytes/second burst 1023 mbytes;ok
limit rate over 400/minute;ok;limit rate over 400/minute burst 5 packets
limit rate over 20/second;ok;limit rate over 20/second burst 5 packets
@@ -47,9 +45,7 @@ limit rate over 2 kbytes/second;ok
limit rate over 1025 kbytes/second;ok
limit rate over 1023 mbytes/second;ok
limit rate over 10230 mbytes/second;ok
-limit rate over 1023000 mbytes/second;ok
limit rate over 1025 bytes/second burst 512 bytes;ok
limit rate over 1025 kbytes/second burst 1023 kbytes;ok
limit rate over 1025 mbytes/second burst 1025 kbytes;ok
-limit rate over 1025000 mbytes/second burst 1023 mbytes;ok
diff --git a/tests/py/any/limit.t.json b/tests/py/any/limit.t.json
index e001ba0..73160b2 100644
--- a/tests/py/any/limit.t.json
+++ b/tests/py/any/limit.t.json
@@ -114,17 +114,6 @@
}
]
-# limit rate 1023000 mbytes/second
-[
- {
- "limit": {
- "per": "second",
- "rate": 1023000,
- "rate_unit": "mbytes"
- }
- }
-]
-
# limit rate 1 bytes / second
[
{
@@ -203,19 +192,6 @@
}
]
-# limit rate 1025000 mbytes/second burst 1023 mbytes
-[
- {
- "limit": {
- "burst": 1023,
- "burst_unit": "mbytes",
- "per": "second",
- "rate": 1025000,
- "rate_unit": "mbytes"
- }
- }
-]
-
# limit rate over 400/minute
[
{
@@ -343,18 +319,6 @@
}
]
-# limit rate over 1023000 mbytes/second
-[
- {
- "limit": {
- "inv": true,
- "per": "second",
- "rate": 1023000,
- "rate_unit": "mbytes"
- }
- }
-]
-
# limit rate over 1025 bytes/second burst 512 bytes
[
{
@@ -396,18 +360,3 @@
}
}
]
-
-# limit rate over 1025000 mbytes/second burst 1023 mbytes
-[
- {
- "limit": {
- "burst": 1023,
- "burst_unit": "mbytes",
- "inv": true,
- "per": "second",
- "rate": 1025000,
- "rate_unit": "mbytes"
- }
- }
-]
-
diff --git a/tests/py/any/limit.t.json.output b/tests/py/any/limit.t.json.output
index 5a95f5e..2c94d2d 100644
--- a/tests/py/any/limit.t.json.output
+++ b/tests/py/any/limit.t.json.output
@@ -118,19 +118,6 @@
}
]
-# limit rate 1023000 mbytes/second
-[
- {
- "limit": {
- "burst": 0,
- "burst_unit": "bytes",
- "per": "second",
- "rate": 1023000,
- "rate_unit": "mbytes"
- }
- }
-]
-
# limit rate over 400/minute
[
{
@@ -260,18 +247,3 @@
}
}
]
-
-# limit rate over 1023000 mbytes/second
-[
- {
- "limit": {
- "burst": 0,
- "burst_unit": "bytes",
- "inv": true,
- "per": "second",
- "rate": 1023000,
- "rate_unit": "mbytes"
- }
- }
-]
-
diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload
index 0c7ee94..dc6701b 100644
--- a/tests/py/any/limit.t.payload
+++ b/tests/py/any/limit.t.payload
@@ -42,10 +42,6 @@ ip test-ip4 output
ip test-ip4 output
[ limit rate 10726932480/second burst 0 type bytes flags 0x0 ]
-# limit rate 1023000 mbytes/second
-ip test-ip4 output
- [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ]
-
# limit rate 1 bytes / second
ip
[ limit rate 1/second burst 0 type bytes flags 0x0 ]
@@ -71,10 +67,6 @@ ip test-ip4 output
ip test-ip4 output
[ limit rate 1074790400/second burst 1049600 type bytes flags 0x0 ]
-# limit rate 1025000 mbytes/second burst 1023 mbytes
-ip test-ip4 output
- [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x0 ]
-
# limit rate over 400/minute
ip test-ip4 output
[ limit rate 400/minute burst 5 type packets flags 0x1 ]
@@ -119,10 +111,6 @@ ip test-ip4 output
ip test-ip4 output
[ limit rate 10726932480/second burst 0 type bytes flags 0x1 ]
-# limit rate over 1023000 mbytes/second
-ip test-ip4 output
- [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ]
-
# limit rate over 1025 bytes/second burst 512 bytes
ip test-ip4 output
[ limit rate 1025/second burst 512 type bytes flags 0x1 ]
@@ -134,8 +122,3 @@ ip test-ip4 output
# limit rate over 1025 mbytes/second burst 1025 kbytes
ip test-ip4 output
[ limit rate 1074790400/second burst 1049600 type bytes flags 0x1 ]
-
-# limit rate over 1025000 mbytes/second burst 1023 mbytes
-ip test-ip4 output
- [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x1 ]
-


@ -0,0 +1,63 @@
From 757dee30af84a3443c6eeb9a3cddf8a5e4f8928a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 16 Oct 2025 16:12:50 +0200
Subject: [PATCH] tests: py: add missing json.output data
JIRA: https://issues.redhat.com/browse/RHEL-114095
Upstream Status: nftables commit f58e72a2f5aa134653e7ee8b5432b23eb0674c3c
commit f58e72a2f5aa134653e7ee8b5432b23eb0674c3c
Author: Florian Westphal <fw@strlen.de>
Date: Mon Feb 26 09:45:43 2024 +0100
tests: py: add missing json.output data
Fixes: bridge/vlan.t: WARNING: line 56: ...
Fixes: 8b9ae77598b4 ("tests: never merge across non-expression statements redux 2")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/py/bridge/vlan.t.json.output | 31 ++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/tests/py/bridge/vlan.t.json.output b/tests/py/bridge/vlan.t.json.output
index 2f90c8f..eea2d41 100644
--- a/tests/py/bridge/vlan.t.json.output
+++ b/tests/py/bridge/vlan.t.json.output
@@ -202,3 +202,34 @@
}
}
]
+
+# ether saddr 00:11:22:33:44:55 counter ether type 8021q
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "00:11:22:33:44:55"
+ }
+ },
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "ether"
+ }
+ },
+ "op": "==",
+ "right": "8021q"
+ }
+ }
+]


@ -0,0 +1,64 @@
From c970cef4925493bc7ef0064896d4b2486bb2fa6a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 16 Oct 2025 16:12:50 +0200
Subject: [PATCH] tests: py: missing json output in never merge across
non-expression statements
JIRA: https://issues.redhat.com/browse/RHEL-114095
Upstream Status: nftables commit 94fd162ea4d25fe6b0b4d58dcb7ff66dc55f3247
commit 94fd162ea4d25fe6b0b4d58dcb7ff66dc55f3247
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed Dec 6 19:30:44 2023 +0100
tests: py: missing json output in never merge across non-expression statements
Add missing json output.
Fixes: 99ab1b8feb16 ("rule: never merge across non-expression statements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/py/ip/ip.t.json.output | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/tests/py/ip/ip.t.json.output b/tests/py/ip/ip.t.json.output
index b201cda..351ae93 100644
--- a/tests/py/ip/ip.t.json.output
+++ b/tests/py/ip/ip.t.json.output
@@ -230,3 +230,34 @@
}
]
+# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "saddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "1.2.3.4"
+ }
+ },
+ {
+ "counter": null
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "daddr",
+ "protocol": "ip"
+ }
+ },
+ "op": "==",
+ "right": "3.4.5.6"
+ }
+ }
+]
+


@ -1,5 +1,5 @@
%define nft_rpmversion 1.0.9
%define nft_specrelease 4
%define nft_specrelease 5
Name: nftables
Version: %{nft_rpmversion}
@ -23,6 +23,12 @@ Patch1: 0001-Add-support-for-table-s-persist-flag.patch
Patch2: 0002-cache-Always-set-NFT_CACHE_TERSE-for-list-cmd-with-t.patch
Patch3: 0003-json-deal-appropriately-with-multidevice-in-chain.patch
Patch4: 0004-parser_json-fix-handle-memleak-from-error-path.patch
Patch5: 0005-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
Patch6: 0006-tests-shell-connect-chains-to-hook-point.patch
Patch7: 0007-datatype-rt_symbol_table_init-to-search-for-iproute2.patch
Patch8: 0008-tests-py-remove-huge-limit-test-cases.patch
Patch9: 0009-tests-py-add-missing-json.output-data.patch
Patch10: 0010-tests-py-missing-json-output-in-never-merge-across-n.patch
BuildRequires: autoconf
BuildRequires: automake
@ -135,6 +141,14 @@ cd py/
%files -n python3-nftables -f %{pyproject_files}
%changelog
* Thu Oct 16 2025 Phil Sutter <psutter@redhat.com> [1.0.9-5.el9]
- tests: py: missing json output in never merge across non-expression statements (Phil Sutter) [RHEL-114095]
- tests: py: add missing json.output data (Phil Sutter) [RHEL-114095]
- tests: py: remove huge-limit test cases (Phil Sutter) [RHEL-114095]
- datatype: rt_symbol_table_init() to search for iproute2 configs (Phil Sutter) [RHEL-114095]
- tests: shell: connect chains to hook point (Phil Sutter) [RHEL-114095]
- tests: shell: Fix sets/reset_command_0 for current kernels (Phil Sutter) [RHEL-114095]
* Wed Apr 23 2025 Phil Sutter <psutter@redhat.com> [1.0.9-4.el9]
- parser_json: fix handle memleak from error path (Phil Sutter) [RHEL-88181]
- json: deal appropriately with multidevice in chain (Phil Sutter) [RHEL-88181]