diff --git a/nftables-0.4-fix-dep-gen.patch b/nftables-0.4-fix-dep-gen.patch new file mode 100644 index 0000000..cca76e6 --- /dev/null +++ b/nftables-0.4-fix-dep-gen.patch @@ -0,0 +1,62 @@ +From 545c93d54d900e8e20071891b7e2bf3bb0e5fed2 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 6 Jan 2015 21:28:53 +0100 +Subject: evaluate: reject: fix dependency generation from nft -f + +When nft -f is used, ctx->cmd points to the table object, which +contains the corresponding chain, set and rule lists. The reject +statement evaluator relies on ctx->cmd->rule to add the payload +dependencies, which is doesn't point to the rule in that case. + +This patch adds the rule context to the eval_ctx structure to update +the rule list of statements when generating dependencies, as the reject +statement needs. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=993 +Reported-by: Ting-Wei Lan +Signed-off-by: Pablo Neira Ayuso + +diff --git a/include/rule.h b/include/rule.h +index 936177b..0c52315 100644 +--- a/include/rule.h ++++ b/include/rule.h +@@ -344,6 +344,7 @@ extern void cmd_free(struct cmd *cmd); + * @msgs: message queue + * @cmd: current command + * @table: current table ++ * @rule: current rule + * @set: current set + * @stmt: current statement + * @ectx: expression context +@@ -353,6 +354,7 @@ struct eval_ctx { + struct list_head *msgs; + struct cmd *cmd; + struct table *table; ++ struct rule *rule; + struct set *set; + struct stmt *stmt; + struct expr_ctx ectx; +diff --git a/src/evaluate.c b/src/evaluate.c +index 8f0acf7..2c4e811 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1203,7 +1203,7 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt, + if (payload_gen_dependency(ctx, payload, &nstmt) < 0) + return -1; + +- list_add(&nstmt->list, &ctx->cmd->rule->stmts); ++ list_add(&nstmt->list, &ctx->rule->stmts); + return 0; + } + +@@ -1722,6 +1722,7 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule) + proto_ctx_init(&ctx->pctx, rule->handle.family); + memset(&ctx->ectx, 0, sizeof(ctx->ectx)); + ++ ctx->rule = rule; + list_for_each_entry(stmt, &rule->stmts, list) { + if (tstmt != NULL) + return stmt_binary_error(ctx, stmt, tstmt, +-- +cgit v0.10.2 + diff --git a/nftables.spec b/nftables.spec index cb8f83a..477c89e 100644 --- a/nftables.spec +++ b/nftables.spec @@ -3,7 +3,7 @@ Name: nftables Version: 0.4 #Release: 0.1.%{snapdate}git%{?dist} -Release: 1%{?dist} +Release: 2%{?dist} # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track. Epoch: 1 Summary: Netfilter Tables userspace utillites @@ -12,6 +12,9 @@ License: GPLv2 URL: http://netfilter.org/projects/nftables/ #Source0: http://ftp.netfilter.org/pub/nftables/snapshot/nftables-%{snapdate}.tar.bz2 Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2 +# Already applied upstream +# http://git.netfilter.org/nftables/patch/?id=545c93d54d900e8e20071891b7e2bf3bb0e5fed2 +Patch0: nftables-0.4-fix-dep-gen.patch #BuildRequires: autogen #BuildRequires: autoconf @@ -32,6 +35,8 @@ Netfilter Tables userspace utilities. #setup -q -n nftables-%{snapdate} %setup -q +%patch0 -p1 + %build #./autogen.sh %configure --disable-silent-rules @@ -49,6 +54,9 @@ chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft* %{_mandir}/man8/nft* %changelog +* Sat Jan 10 2015 Kevin Fenzi 0.4-2 +- Add patch to fix nft -f dep gen. + * Fri Dec 26 2014 Kevin Fenzi 0.4-1 - Update to 0.4 - Add Epoch to fix versioning.