diff --git a/SOURCES/0005-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch b/SOURCES/0005-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
new file mode 100644
index 0000000..5febf2a
--- /dev/null
+++ b/SOURCES/0005-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
@@ -0,0 +1,56 @@
+From 1172955315cf4d14f0ddc53f26ff82447f0dadda Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 16 Oct 2025 16:12:09 +0200
+Subject: [PATCH] tests: shell: Fix sets/reset_command_0 for current kernels
+
+JIRA: https://issues.redhat.com/browse/RHEL-114095
+Upstream Status: nftables commit 7a6089a400a573b9a4fd92f29c00a6be7b8ef269
+
+commit 7a6089a400a573b9a4fd92f29c00a6be7b8ef269
+Author: Phil Sutter
+Date: Thu Nov 2 16:02:14 2023 +0100
+
+ tests: shell: Fix sets/reset_command_0 for current kernels
+
+ Since kernel commit 4c90bba60c26 ("netfilter: nf_tables: do not refresh
+ timeout when resetting element"), element reset won't touch expiry
+ anymore. Invert the one check to make sure it remains unaltered, drop
+ the other testing behaviour for per-element timeouts.
+
+ 
Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ tests/shell/testcases/sets/reset_command_0 | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0
+index e663dac..d38ddb3 100755
+--- a/tests/shell/testcases/sets/reset_command_0
++++ b/tests/shell/testcases/sets/reset_command_0
+@@ -44,10 +44,10 @@ elem='element t s { 1.0.0.1 . udp . 53 }'
+ grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]]
+ echo OK
+
+-echo -n "counters and expiry are reset: "
++echo -n "counters are reset, expiry left alone: "
+ NEW=$($NFT "get $elem")
+ grep -q 'counter packets 0 bytes 0' <<< "$NEW"
+-[[ $(expires_minutes <<< "$NEW") -gt 20 ]]
++[[ $(expires_minutes <<< "$NEW") -lt 20 ]]
+ echo OK
+
+ echo -n "get map elem matches reset map elem: "
+@@ -80,12 +80,6 @@ OUT=$($NFT reset map t m)
+ $DIFF -u <(echo "$EXP") <(echo "$OUT")
+ echo OK
+
+-echo -n "reset command respects per-element timeout: "
+-VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes)
+-[[ $VAL -lt 15 ]] # custom timeout applies
+-[[ $VAL -gt 10 ]] # expires was reset
+-echo OK
+-
+ echo -n "remaining elements are reset: "
+ OUT=$($NFT list ruleset)
+ grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT"
diff --git a/SOURCES/0006-tests-shell-connect-chains-to-hook-point.patch b/SOURCES/0006-tests-shell-connect-chains-to-hook-point.patch
new file mode 100644
index 0000000..bb8e36c
--- /dev/null
+++ b/SOURCES/0006-tests-shell-connect-chains-to-hook-point.patch
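Review bot: The inverted check `[[ $(expires_minutes <<< "$NEW") -lt 20 ]]` in the first reset_command_0 hunk also passes when expires_minutes prints nothing, because bash evaluates an empty operand of `-lt` as 0; the old `-gt 20` form failed in that case. expires_minutes is defined outside the hunk, so whether it can produce empty output for an element without an expiry is an assumption, but if it can, a reset that dropped the timeout altogether would go unnoticed by this test. Capturing the value and requiring it to be non-empty closes that gap: `EXPIRES=$(expires_minutes <<< "$NEW")` followed by `[[ -n "$EXPIRES" && "$EXPIRES" -lt 20 ]]`.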
@@ -0,0 +1,165 @@
+From 52f4e05d55ef0215dd7df050ff93270f185c07b0 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 16 Oct 2025 16:12:09 +0200
+Subject: [PATCH] tests: shell: connect chains to hook point
+
+JIRA: https://issues.redhat.com/browse/RHEL-114095
+Upstream Status: nftables commit 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
+Conflicts: Dropped changes to .json-nft files missing downstream
+
+commit 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
+Author: Florian Westphal
+Date: Wed Jul 10 02:33:37 2024 +0200
+
+ tests: shell: connect chains to hook point
+
+ These tests should fail because they contain a loop or exceed the jump stack.
+
+ But this depends on the kernel validating chains that are not bound to any
+ basechain/hook point.
+
+ Wire up the initial chain to filter type.
+
+ Without this tests will start to fail when kernel stops validating
+ chains that are not reachable by any base chain.
+
+ 
Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ tests/shell/testcases/chains/0003jump_loop_1 | 3 ++-
+ tests/shell/testcases/chains/0010endless_jump_loop_1 | 2 +-
+ tests/shell/testcases/chains/0011endless_jump_loop_1 | 2 +-
+ tests/shell/testcases/chains/0018check_jump_loop_1 | 2 +-
+ tests/shell/testcases/chains/dumps/0003jump_loop_1.nft | 1 +
+ tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft | 1 +
+ tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft | 1 +
+ tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft | 1 +
+ tests/shell/testcases/transactions/0023rule_1 | 2 +-
+ tests/shell/testcases/transactions/anon_chain_loop | 2 +-
+ 10 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
+index 80e243f..1a8eaf6 100755
+--- a/tests/shell/testcases/chains/0003jump_loop_1
++++ b/tests/shell/testcases/chains/0003jump_loop_1
+@@ -5,8 +5,9 @@ set -e
+ MAX_JUMPS=16
+
+ $NFT add table t
++$NFT "add chain t c1 { type filter hook prerouting priority 0; }"
+
+-for i in $(seq 1 $MAX_JUMPS)
++for i in $(seq 2 $MAX_JUMPS)
+ do
+ $NFT add chain t c${i}
+ done
+diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
+index 5d3ef23..6000e5d 100755
+--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
++++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table t
+-$NFT add chain t c
++$NFT add chain "t c { type filter hook input priority 0; }"
+
+ # kernel should return ELOOP
+ $NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
+diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
+index d75932d..66abf8d 100755
+--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
++++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table t
+-$NFT add chain t c1
++$NFT add chain "t c1 { type filter hook forward priority 0; }"
+ $NFT add chain t c2
+ $NFT add map t m {type inet_service : verdict \;}
+ $NFT add element t m {2 : jump c2}
+diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
+index b87520f..1e674d3 100755
+--- a/tests/shell/testcases/chains/0018check_jump_loop_1
++++ b/tests/shell/testcases/chains/0018check_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table ip filter
+-$NFT add chain ip filter ap1
++$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"
+ $NFT add chain ip filter ap2
+ $NFT add rule ip filter ap1 jump ap2
+
+diff --git a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
+index 7054cde..8d89bc4 100644
+--- a/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
++++ b/tests/shell/testcases/chains/dumps/0003jump_loop_1.nft
+@@ -1,5 +1,6 @@
+ table ip t {
+ chain c1 {
++ type filter hook prerouting priority filter; policy accept;
+ jump c2
+ }
+
+diff --git a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
+index 1e0d1d6..62fefaf 100644
+--- a/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
++++ b/tests/shell/testcases/chains/dumps/0010endless_jump_loop_1.nft
+@@ -1,4 +1,5 @@
+ table ip t {
+ chain c {
++ type filter hook input priority filter; policy accept;
+ }
+ }
+diff --git a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
+index ca0a737..d35736e 100644
+--- a/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
++++ b/tests/shell/testcases/chains/dumps/0011endless_jump_loop_1.nft
+@@ -5,6 +5,7 @@ table ip t {
+ }
+
+ chain c1 {
++ type filter hook forward priority filter; policy accept;
+ tcp 
dport vmap @m + } + +diff --git a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft +index 437900b..bdd0ead 100644 +--- a/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft ++++ b/tests/shell/testcases/chains/dumps/0018check_jump_loop_1.nft +@@ -1,5 +1,6 @@ + table ip filter { + chain ap1 { ++ type filter hook input priority filter; policy accept; + jump ap2 + } + +diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1 +index e58c088..863bcde 100755 +--- a/tests/shell/testcases/transactions/0023rule_1 ++++ b/tests/shell/testcases/transactions/0023rule_1 +@@ -1,7 +1,7 @@ + #!/bin/bash + + RULESET="add table x +-add chain x y ++add chain x y { type filter hook input priority 0; } + add rule x y jump y" + + # kernel must return ELOOP +diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop +index 2fd6181..3053d16 100755 +--- a/tests/shell/testcases/transactions/anon_chain_loop ++++ b/tests/shell/testcases/transactions/anon_chain_loop +@@ -3,7 +3,7 @@ + # anon chains with c1 -> c2 recursive jump, expect failure + $NFT -f - < +Date: Thu, 16 Oct 2025 16:12:50 +0200 +Subject: [PATCH] datatype: rt_symbol_table_init() to search for iproute2 + configs + +JIRA: https://issues.redhat.com/browse/RHEL-114095 +Upstream Status: nftables commit d0f70a1739b8e512986fb460a7fa7ff8a9300b68 + +commit d0f70a1739b8e512986fb460a7fa7ff8a9300b68 +Author: Phil Sutter +Date: Fri Dec 15 21:59:44 2023 +0100 + + datatype: rt_symbol_table_init() to search for iproute2 configs + + There is an ongoing effort among various distributions to tidy up in + /etc. The idea is to reduce contents to just what the admin manually + inserted to customize the system, anything else shall move out to /usr + (or so). The various files in /etc/iproute2 fall in that category as + they are seldomly modified. 
+
+ The crux is though that iproute2 project seems not quite sure yet where
+ the files should go. While v6.6.0 installs them into /usr/lib/iproute2,
+ current mast^Wmain branch uses /usr/share/iproute2. Assume this is going
+ to stay as /(usr/)lib does not seem right for such files.
+
+ Note that rt_symbol_table_init() is not just used for
+ iproute2-maintained configs but also for connlabel.conf - so retain the
+ old behaviour when passed an absolute path.
+
+ 
Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ src/datatype.c | 38 ++++++++++++++++++++++++++++++++++----
+ src/meta.c | 2 +-
+ src/rt.c | 2 +-
+ 3 files changed, 36 insertions(+), 6 deletions(-)
+
+diff --git a/src/datatype.c b/src/datatype.c
+index 64e4647..9530ae7 100644
+--- a/src/datatype.c
++++ b/src/datatype.c
+@@ -855,19 +855,47 @@ const struct datatype inet_service_type = {
+
+ #define RT_SYM_TAB_INITIAL_SIZE 16
+
++static FILE *open_iproute2_db(const char *filename, char **path)
++{
++ FILE *ret;
++
++ if (filename[0] == '/')
++ return fopen(filename, "r");
++
++ if (asprintf(path, "/etc/iproute2/%s", filename) == -1)
++ goto fail;
++
++ ret = fopen(*path, "r");
++ if (ret)
++ return ret;
++
++ free(*path);
++ if (asprintf(path, "/usr/share/iproute2/%s", filename) == -1)
++ goto fail;
++
++ ret = fopen(*path, "r");
++ if (ret)
++ return ret;
++
++ free(*path);
++fail:
++ *path = NULL;
++ return NULL;
++}
++
+ struct symbol_table *rt_symbol_table_init(const char *filename)
+ {
++ char buf[512], namebuf[512], *p, *path = NULL;
+ struct symbolic_constant s;
+ struct symbol_table *tbl;
+ unsigned int size, nelems, val;
+- char buf[512], namebuf[512], *p;
+ FILE *f;
+
+ size = RT_SYM_TAB_INITIAL_SIZE;
+ tbl = xmalloc(sizeof(*tbl) + size * sizeof(s));
+ nelems = 0;
+
+- f = fopen(filename, "r");
++ f = open_iproute2_db(filename, &path);
+ if (f == NULL)
+ goto out;
+
+@@ -882,7 +910,7 @@ struct symbol_table *rt_symbol_table_init(const char *filename)
+ sscanf(p, "%u %511s\n", &val, namebuf) != 2 &&
+ sscanf(p, "%u %511s #", &val, namebuf) != 2) {
+ fprintf(stderr, "iproute database '%s' corrupted\n",
+- filename);
++ path ?: filename);
+ break;
+ }
+
+@@ -899,6 +927,8 @@ struct symbol_table *rt_symbol_table_init(const char *filename)
+
+ fclose(f);
+ out:
++ if (path)
++ free(path);
+ tbl->symbols[nelems] = SYMBOL_LIST_END;
+ return tbl;
+ }
+@@ -914,7 +944,7 @@ void rt_symbol_table_free(const struct symbol_table *tbl)
+
+ void 
mark_table_init(struct nft_ctx *ctx)
+ {
+- ctx->output.tbl.mark = rt_symbol_table_init("/etc/iproute2/rt_marks");
++ ctx->output.tbl.mark = rt_symbol_table_init("rt_marks");
+ }
+
+ void mark_table_exit(struct nft_ctx *ctx)
+diff --git a/src/meta.c b/src/meta.c
+index b578d5e..b69dca2 100644
+--- a/src/meta.c
++++ b/src/meta.c
+@@ -336,7 +336,7 @@ const struct datatype pkttype_type = {
+
+ void devgroup_table_init(struct nft_ctx *ctx)
+ {
+- ctx->output.tbl.devgroup = rt_symbol_table_init("/etc/iproute2/group");
++ ctx->output.tbl.devgroup = rt_symbol_table_init("group");
+ }
+
+ void devgroup_table_exit(struct nft_ctx *ctx)
+diff --git a/src/rt.c b/src/rt.c
+index f5c8055..3ee710d 100644
+--- a/src/rt.c
++++ b/src/rt.c
+@@ -25,7 +25,7 @@
+
+ void realm_table_rt_init(struct nft_ctx *ctx)
+ {
+- ctx->output.tbl.realm = rt_symbol_table_init("/etc/iproute2/rt_realms");
++ ctx->output.tbl.realm = rt_symbol_table_init("rt_realms");
+ }
+
+ void realm_table_rt_exit(struct nft_ctx *ctx)
diff --git a/SOURCES/0008-tests-py-remove-huge-limit-test-cases.patch b/SOURCES/0008-tests-py-remove-huge-limit-test-cases.patch
new file mode 100644
index 0000000..a5dcb1c
--- /dev/null
+++ b/SOURCES/0008-tests-py-remove-huge-limit-test-cases.patch
@@ -0,0 +1,226 @@
+From a902fc33ebf202de6e8a7fa7cbd8ba840d80605c Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 16 Oct 2025 16:12:50 +0200
+Subject: [PATCH] tests: py: remove huge-limit test cases
+
+JIRA: https://issues.redhat.com/browse/RHEL-114095
+Upstream Status: nftables commit 1ee84db0360db0da336d5b1ee92807d29fcfbbe1
+
+commit 1ee84db0360db0da336d5b1ee92807d29fcfbbe1
+Author: Florian Westphal
+Date: Thu Jan 18 13:24:04 2024 +0100
+
+ tests: py: remove huge-limit test cases
+
+ These tests will fail once the kernel checks for overflow
+ in the internal token bucken counter, so drop them.
+
+ 
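Review bot: open_iproute2_db() in the src/datatype.c part of this patch falls through to /usr/share/iproute2 on any failure of the first fopen(), not only when the file under /etc/iproute2 is absent. If the administrator's copy exists but cannot be opened (EACCES, EMFILE and so on), the symbolic mark, realm and devgroup names would presumably be resolved from the distribution defaults without any diagnostic, which can change the numeric values a ruleset is parsed to or listed with. Restricting the fallback to the not-found case keeps the earlier behaviour for real errors: before the `free(*path);` that precedes the second asprintf(), add `if (errno != ENOENT) { free(*path); goto fail; }` (this needs <errno.h> in datatype.c if it is not already included, which the hunk does not show). A short comment above the function stating the search order, `/* relative names: /etc/iproute2 first, then /usr/share/iproute2; absolute paths are opened as given */`, would also help; rt_symbol_table_init() is only partly visible in these hunks.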
Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ tests/py/any/limit.t | 4 ---
+ tests/py/any/limit.t.json | 51 --------------------------------
+ tests/py/any/limit.t.json.output | 28 ------------------
+ tests/py/any/limit.t.payload | 17 -----------
+ 4 files changed, 100 deletions(-)
+
+diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t
+index a04ef42..2a84e3f 100644
+--- a/tests/py/any/limit.t
++++ b/tests/py/any/limit.t
+@@ -22,7 +22,6 @@ limit rate 2 kbytes/second;ok
+ limit rate 1025 kbytes/second;ok
+ limit rate 1023 mbytes/second;ok
+ limit rate 10230 mbytes/second;ok
+-limit rate 1023000 mbytes/second;ok
+ limit rate 512 kbytes/second burst 5 packets;fail
+
+ limit rate 1 bytes / second;ok;limit rate 1 bytes/second
+@@ -33,7 +32,6 @@ limit rate 1 gbytes / second;fail
+ limit rate 1025 bytes/second burst 512 bytes;ok
+ limit rate 1025 kbytes/second burst 1023 kbytes;ok
+ limit rate 1025 mbytes/second burst 1025 kbytes;ok
+-limit rate 1025000 mbytes/second burst 1023 mbytes;ok
+
+ limit rate over 400/minute;ok;limit rate over 400/minute burst 5 packets
+ limit rate over 20/second;ok;limit rate over 20/second burst 5 packets
+@@ -47,9 +45,7 @@ limit rate over 2 kbytes/second;ok
+ limit rate over 1025 kbytes/second;ok
+ limit rate over 1023 mbytes/second;ok
+ limit rate over 10230 mbytes/second;ok
+-limit rate over 1023000 mbytes/second;ok
+
+ limit rate over 1025 bytes/second burst 512 bytes;ok
+ limit rate over 1025 kbytes/second burst 1023 kbytes;ok
+ limit rate over 1025 mbytes/second burst 1025 kbytes;ok
+-limit rate over 1025000 mbytes/second burst 1023 mbytes;ok
+diff --git a/tests/py/any/limit.t.json b/tests/py/any/limit.t.json
+index e001ba0..73160b2 100644
+--- a/tests/py/any/limit.t.json
++++ b/tests/py/any/limit.t.json
+@@ -114,17 +114,6 @@
+ }
+ ]
+
+-# limit rate 1023000 mbytes/second
+-[
+- {
+- "limit": {
+- "per": "second",
+- "rate": 1023000,
+- "rate_unit": "mbytes"
+- }
+- }
+-]
+-
+ # limit rate 1 bytes / second
+ 
[
+ {
+@@ -203,19 +192,6 @@
+ }
+ ]
+
+-# limit rate 1025000 mbytes/second burst 1023 mbytes
+-[
+- {
+- "limit": {
+- "burst": 1023,
+- "burst_unit": "mbytes",
+- "per": "second",
+- "rate": 1025000,
+- "rate_unit": "mbytes"
+- }
+- }
+-]
+-
+ # limit rate over 400/minute
+ [
+ {
+@@ -343,18 +319,6 @@
+ }
+ ]
+
+-# limit rate over 1023000 mbytes/second
+-[
+- {
+- "limit": {
+- "inv": true,
+- "per": "second",
+- "rate": 1023000,
+- "rate_unit": "mbytes"
+- }
+- }
+-]
+-
+ # limit rate over 1025 bytes/second burst 512 bytes
+ [
+ {
+@@ -396,18 +360,3 @@
+ }
+ }
+ ]
+-
+-# limit rate over 1025000 mbytes/second burst 1023 mbytes
+-[
+- {
+- "limit": {
+- "burst": 1023,
+- "burst_unit": "mbytes",
+- "inv": true,
+- "per": "second",
+- "rate": 1025000,
+- "rate_unit": "mbytes"
+- }
+- }
+-]
+-
+diff --git a/tests/py/any/limit.t.json.output b/tests/py/any/limit.t.json.output
+index 5a95f5e..2c94d2d 100644
+--- a/tests/py/any/limit.t.json.output
++++ b/tests/py/any/limit.t.json.output
+@@ -118,19 +118,6 @@
+ }
+ ]
+
+-# limit rate 1023000 mbytes/second
+-[
+- {
+- "limit": {
+- "burst": 0,
+- "burst_unit": "bytes",
+- "per": "second",
+- "rate": 1023000,
+- "rate_unit": "mbytes"
+- }
+- }
+-]
+-
+ # limit rate over 400/minute
+ [
+ {
+@@ -260,18 +247,3 @@
+ }
+ }
+ ]
+-
+-# limit rate over 1023000 mbytes/second
+-[
+- {
+- "limit": {
+- "burst": 0,
+- "burst_unit": "bytes",
+- "inv": true,
+- "per": "second",
+- "rate": 1023000,
+- "rate_unit": "mbytes"
+- }
+- }
+-]
+-
+diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload
+index 0c7ee94..dc6701b 100644
+--- a/tests/py/any/limit.t.payload
++++ b/tests/py/any/limit.t.payload
+@@ -42,10 +42,6 @@ ip test-ip4 output
+ ip test-ip4 output
+ [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ]
+
+-# limit rate 1023000 mbytes/second
+-ip test-ip4 output
+- [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ]
+-
+ # limit rate 1 bytes / second
+ ip
+ [ limit rate 1/second burst 0 type 
bytes flags 0x0 ]
+@@ -71,10 +67,6 @@ ip test-ip4 output
+ ip test-ip4 output
+ [ limit rate 1074790400/second burst 1049600 type bytes flags 0x0 ]
+
+-# limit rate 1025000 mbytes/second burst 1023 mbytes
+-ip test-ip4 output
+- [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x0 ]
+-
+ # limit rate over 400/minute
+ ip test-ip4 output
+ [ limit rate 400/minute burst 5 type packets flags 0x1 ]
+@@ -119,10 +111,6 @@ ip test-ip4 output
+ ip test-ip4 output
+ [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ]
+
+-# limit rate over 1023000 mbytes/second
+-ip test-ip4 output
+- [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ]
+-
+ # limit rate over 1025 bytes/second burst 512 bytes
+ ip test-ip4 output
+ [ limit rate 1025/second burst 512 type bytes flags 0x1 ]
+@@ -134,8 +122,3 @@ ip test-ip4 output
+ # limit rate over 1025 mbytes/second burst 1025 kbytes
+ ip test-ip4 output
+ [ limit rate 1074790400/second burst 1049600 type bytes flags 0x1 ]
+-
+-# limit rate over 1025000 mbytes/second burst 1023 mbytes
+-ip test-ip4 output
+- [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x1 ]
+-
diff --git a/SOURCES/0009-tests-py-add-missing-json.output-data.patch b/SOURCES/0009-tests-py-add-missing-json.output-data.patch
new file mode 100644
index 0000000..2a4f3d7
--- /dev/null
+++ b/SOURCES/0009-tests-py-add-missing-json.output-data.patch
@@ -0,0 +1,63 @@
+From 757dee30af84a3443c6eeb9a3cddf8a5e4f8928a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 16 Oct 2025 16:12:50 +0200
+Subject: [PATCH] tests: py: add missing json.output data
+
+JIRA: https://issues.redhat.com/browse/RHEL-114095
+Upstream Status: nftables commit f58e72a2f5aa134653e7ee8b5432b23eb0674c3c
+
+commit f58e72a2f5aa134653e7ee8b5432b23eb0674c3c
+Author: Florian Westphal
+Date: Mon Feb 26 09:45:43 2024 +0100
+
+ tests: py: add missing json.output data
+
+ Fixes: bridge/vlan.t: WARNING: line 56: ...
+
+ Fixes: 8b9ae77598b4 ("tests: never merge across non-expression statements redux 2")
+ Signed-off-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ tests/py/bridge/vlan.t.json.output | 31 ++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/tests/py/bridge/vlan.t.json.output b/tests/py/bridge/vlan.t.json.output
+index 2f90c8f..eea2d41 100644
+--- a/tests/py/bridge/vlan.t.json.output
++++ b/tests/py/bridge/vlan.t.json.output
+@@ -202,3 +202,34 @@
+ }
+ }
+ ]
++
++# ether saddr 00:11:22:33:44:55 counter ether type 8021q
++[
++ {
++ "match": {
++ "left": {
++ "payload": {
++ "field": "saddr",
++ "protocol": "ether"
++ }
++ },
++ "op": "==",
++ "right": "00:11:22:33:44:55"
++ }
++ },
++ {
++ "counter": null
++ },
++ {
++ "match": {
++ "left": {
++ "payload": {
++ "field": "type",
++ "protocol": "ether"
++ }
++ },
++ "op": "==",
++ "right": "8021q"
++ }
++ }
++]
diff --git a/SOURCES/0010-tests-py-missing-json-output-in-never-merge-across-n.patch b/SOURCES/0010-tests-py-missing-json-output-in-never-merge-across-n.patch
new file mode 100644
index 0000000..913f8b1
--- /dev/null
+++ b/SOURCES/0010-tests-py-missing-json-output-in-never-merge-across-n.patch
@@ -0,0 +1,64 @@ +From c970cef4925493bc7ef0064896d4b2486bb2fa6a Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 16 Oct 2025 16:12:50 +0200 +Subject: [PATCH] tests: py: missing json output in never merge across + non-expression statements + +JIRA: https://issues.redhat.com/browse/RHEL-114095 +Upstream Status: nftables commit 94fd162ea4d25fe6b0b4d58dcb7ff66dc55f3247 + +commit 94fd162ea4d25fe6b0b4d58dcb7ff66dc55f3247 +Author: Pablo Neira Ayuso +Date: Wed Dec 6 19:30:44 2023 +0100 + + tests: py: missing json output in never merge across non-expression statements + + Add missing json output. + + Fixes: 99ab1b8feb16 ("rule: never merge across non-expression statements") + Signed-off-by: Pablo Neira Ayuso + +Signed-off-by: Phil Sutter +--- + tests/py/ip/ip.t.json.output | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/tests/py/ip/ip.t.json.output b/tests/py/ip/ip.t.json.output +index b201cda..351ae93 100644 +--- a/tests/py/ip/ip.t.json.output ++++ b/tests/py/ip/ip.t.json.output +@@ -230,3 +230,34 @@ + } + ] + ++# ip saddr 1.2.3.4 counter ip daddr 3.4.5.6 ++[ ++ { ++ "match": { ++ "left": { ++ "payload": { ++ "field": "saddr", ++ "protocol": "ip" ++ } ++ }, ++ "op": "==", ++ "right": "1.2.3.4" ++ } ++ }, ++ { ++ "counter": null ++ }, ++ { ++ "match": { ++ "left": { ++ "payload": { ++ "field": "daddr", ++ "protocol": "ip" ++ } ++ }, ++ "op": "==", ++ "right": "3.4.5.6" ++ } ++ } ++] ++ diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec index ce0b8d6..d13f4e3 100644 --- a/SPECS/nftables.spec +++ b/SPECS/nftables.spec @@ -1,5 +1,5 @@ %define nft_rpmversion 1.0.9 -%define nft_specrelease 4 +%define nft_specrelease 5 Name: nftables Version: %{nft_rpmversion} 
@@ -23,6 +23,12 @@ Patch1: 0001-Add-support-for-table-s-persist-flag.patch Patch2: 0002-cache-Always-set-NFT_CACHE_TERSE-for-list-cmd-with-t.patch Patch3: 0003-json-deal-appropriately-with-multidevice-in-chain.patch Patch4: 0004-parser_json-fix-handle-memleak-from-error-path.patch +Patch5: 0005-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch +Patch6: 0006-tests-shell-connect-chains-to-hook-point.patch +Patch7: 0007-datatype-rt_symbol_table_init-to-search-for-iproute2.patch +Patch8: 0008-tests-py-remove-huge-limit-test-cases.patch +Patch9: 0009-tests-py-add-missing-json.output-data.patch +Patch10: 0010-tests-py-missing-json-output-in-never-merge-across-n.patch BuildRequires: autoconf BuildRequires: automake @@ -135,6 +141,14 @@ cd py/ %files -n python3-nftables -f %{pyproject_files} %changelog +* Thu Oct 16 2025 Phil Sutter [1.0.9-5.el9] +- tests: py: missing json output in never merge across non-expression statements (Phil Sutter) [RHEL-114095] +- tests: py: add missing json.output data (Phil Sutter) [RHEL-114095] +- tests: py: remove huge-limit test cases (Phil Sutter) [RHEL-114095] +- datatype: rt_symbol_table_init() to search for iproute2 configs (Phil Sutter) [RHEL-114095] +- tests: shell: connect chains to hook point (Phil Sutter) [RHEL-114095] +- tests: shell: Fix sets/reset_command_0 for current kernels (Phil Sutter) [RHEL-114095] + * Wed Apr 23 2025 Phil Sutter [1.0.9-4.el9] - parser_json: fix handle memleak from error path (Phil Sutter) [RHEL-88181] - json: deal appropriately with multidevice in chain (Phil Sutter) [RHEL-88181]