nftables-0.9.8-11.el9
- tests: py: add dnat to port without defining destination address - evaluate: fix inet nat with no layer 3 info - include: missing sctp_chunk.h in Makefile.am - exthdr: Implement SCTP Chunk matching - scanner: sctp: Move to own scope - scanner: introduce start condition stack - json: Simplify non-tcpopt exthdr printing a bit Resolves: rhbz#2018023, rhbz#2030314
parent
f5f9d2bc8f
commit
946bb34b50
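--- a/0021-json-Simplify-non-tcpopt-exthdr-printing-a-bit.patch
+++ b/0021-json-Simplify-non-tcpopt-exthdr-printing-a-bit.patch
@@ -0,0 +1,49 @@
+From 92f73f85dbd6559905679133cdf61e70004c805d Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 4 May 2021 13:18:11 +0200
+Subject: [PATCH] json: Simplify non-tcpopt exthdr printing a bit
+
+This was just duplicate code apart from the object's name.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit fd81d3ec3ae8b8d1d54a708d63b2dab2c8508c90)
+---
+src/json.c | 18 +++++++-----------
+1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/src/json.c b/src/json.c
+index 1fb5015124e16..6607d83f4e8f8 100644
+--- a/src/json.c
++++ b/src/json.c
+@@ -696,21 +696,17 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)
+
+return json_pack("{s:o}", "tcp option", root);
+}
+- if (expr->exthdr.op == NFT_EXTHDR_OP_IPV4) {
+- root = json_pack("{s:s}", "name", desc);
+
+- if (!is_exists)
+- json_object_set_new(root, "field", json_string(field));
+-
+- return json_pack("{s:o}", "ip option", root);
+- }
+-
+- root = json_pack("{s:s}",
+- "name", desc);
++ root = json_pack("{s:s}", "name", desc);
+if (!is_exists)
+json_object_set_new(root, "field", json_string(field));
+
+- return json_pack("{s:o}", "exthdr", root);
++ switch (expr->exthdr.op) {
++ case NFT_EXTHDR_OP_IPV4:
++ return json_pack("{s:o}", "ip option", root);
++ default:
++ return json_pack("{s:o}", "exthdr", root);
++ }
+}
+
+json_t *verdict_expr_json(const struct expr *expr, struct output_ctx *octx)
+--
+2.33.0
+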
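Review bot: The `default:` arm of the new switch in exthdr_expr_json() prints every op other than `NFT_EXTHDR_OP_IPV4` under the `"exthdr"` key, so an op introduced later and not special-cased here would silently get that label in exported rulesets. A one-line comment on the arm, for example `/* everything not special-cased above is printed as a plain exthdr */`, would make the fall-through intentional and remind whoever adds the next op to give it its own case. The function starts outside this hunk, so how the tcp option branch selects itself is not visible here.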
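--- a/0022-scanner-introduce-start-condition-stack.patch
+++ b/0022-scanner-introduce-start-condition-stack.patch
@@ -0,0 +1,167 @@
+From 80f3c19bc1b989ab7ba2b917193e8bd3f998ba39 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 8 Mar 2021 18:18:33 +0100
+Subject: [PATCH] scanner: introduce start condition stack
+
+Add a small initial chunk of flex start conditionals.
+
+This starts with two low-hanging fruits, numgen and j/symhash.
+
+NUMGEN and HASH start conditions are entered from flex when
+the corresponding expression token is encountered.
+
+Flex returns to the INIT condition when the bison parser
+has seen a complete numgen/hash statement.
+
+This intentionally uses a stack rather than BEGIN()
+to eventually support nested states.
+
+The scanner_pop_start_cond() function argument is not used yet, but
+will need to be used later to deal with nesting.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 5896772fe3c5f01696188ea04957a825ee601b12)
+---
+include/parser.h | 8 ++++++++
+src/parser_bison.y | 11 +++++++----
+src/scanner.l | 36 +++++++++++++++++++++++++++++-------
+3 files changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/include/parser.h b/include/parser.h
+index 9baa3a4db789f..b2ebd7aa226c5 100644
+--- a/include/parser.h
++++ b/include/parser.h
+@@ -26,6 +26,12 @@ struct parser_state {
+struct list_head *cmds;
+};
+
++enum startcond_type {
++ PARSER_SC_BEGIN,
++ PARSER_SC_EXPR_HASH,
++ PARSER_SC_EXPR_NUMGEN,
++};
++
+struct mnl_socket;
+
+extern void parser_init(struct nft_ctx *nft, struct parser_state *state,
+@@ -45,4 +51,6 @@ extern void scanner_push_buffer(void *scanner,
+const struct input_descriptor *indesc,
+const char *buffer);
+
++extern void scanner_pop_start_cond(void *scanner, enum startcond_type sc);
++
+#endif /* NFTABLES_PARSER_H */
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 8644f66106496..da3fafcd1eeb1 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -857,6 +857,9 @@ opt_newline : NEWLINE
+| /* empty */
+;
+
++close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
++close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
++
+common_block : INCLUDE QUOTED_STRING stmt_separator
+{
+if (scanner_include_file(nft, scanner, $2, &@$) < 0) {
+@@ -4811,7 +4814,7 @@ numgen_type : INC { $$ = NFT_NG_INCREMENTAL; }
+| RANDOM { $$ = NFT_NG_RANDOM; }
+;
+
+-numgen_expr : NUMGEN numgen_type MOD NUM offset_opt
++numgen_expr : NUMGEN numgen_type MOD NUM offset_opt close_scope_numgen
+{
+$$ = numgen_expr_alloc(&@$, $2, $4, $5);
+}
+@@ -4868,17 +4871,17 @@ xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key
+}
+;
+
+-hash_expr : JHASH expr MOD NUM SEED NUM offset_opt
++hash_expr : JHASH expr MOD NUM SEED NUM offset_opt close_scope_hash
+{
+$$ = hash_expr_alloc(&@$, $4, true, $6, $7, NFT_HASH_JENKINS);
+$$->hash.expr = $2;
+}
+- | JHASH expr MOD NUM offset_opt
++ | JHASH expr MOD NUM offset_opt close_scope_hash
+{
+$$ = hash_expr_alloc(&@$, $4, false, 0, $5, NFT_HASH_JENKINS);
+$$->hash.expr = $2;
+}
+- | SYMHASH MOD NUM offset_opt
++ | SYMHASH MOD NUM offset_opt close_scope_hash
+{
+$$ = hash_expr_alloc(&@$, $3, false, 0, $4, NFT_HASH_SYM);
+}
+diff --git a/src/scanner.l b/src/scanner.l
+index 8bde1fbe912d8..ec8f252fbc8c8 100644
+--- a/src/scanner.l
++++ b/src/scanner.l
+@@ -98,6 +98,8 @@ static void reset_pos(struct parser_state *state, struct location *loc)
+state->indesc->column = 1;
+}
+
++static void scanner_push_start_cond(void *scanner, enum startcond_type type);
++
+#define YY_USER_ACTION { \
+update_pos(yyget_extra(yyscanner), yylloc, yyleng); \
+update_offset(yyget_extra(yyscanner), yylloc, yyleng); \
+@@ -193,6 +195,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+%option yylineno
+%option nodefault
+%option warn
++%option stack
++%s SCANSTATE_EXPR_HASH
++%s SCANSTATE_EXPR_NUMGEN
+
+%%
+
+@@ -551,15 +556,21 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+"state" { return STATE; }
+"status" { return STATUS; }
+
+-"numgen" { return NUMGEN; }
+-"inc" { return INC; }
+-"mod" { return MOD; }
+-"offset" { return OFFSET; }
++"numgen" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_NUMGEN); return NUMGEN; }
++<SCANSTATE_EXPR_NUMGEN>{
++ "inc" { return INC; }
++}
+
+-"jhash" { return JHASH; }
+-"symhash" { return SYMHASH; }
+-"seed" { return SEED; }
++"jhash" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return JHASH; }
++"symhash" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return SYMHASH; }
+
++<SCANSTATE_EXPR_HASH>{
++ "seed" { return SEED; }
++}
++<SCANSTATE_EXPR_HASH,SCANSTATE_EXPR_NUMGEN>{
++ "mod" { return MOD; }
++ "offset" { return OFFSET; }
++}
+"dup" { return DUP; }
+"fwd" { return FWD; }
+
+@@ -973,3 +984,14 @@ void scanner_destroy(struct nft_ctx *nft)
+input_descriptor_list_destroy(state);
+yylex_destroy(nft->scanner);
+}
++
++static void scanner_push_start_cond(void *scanner, enum startcond_type type)
++{
++ yy_push_state((int)type, scanner);
++}
++
++void scanner_pop_start_cond(void *scanner, enum startcond_type t)
++{
++ yy_pop_state(scanner);
++ (void)yy_top_state(scanner); /* suppress gcc warning wrt. unused function */
++}
+--
+2.33.0
+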
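Review bot: `scanner_push_start_cond()` takes `enum startcond_type`, yet the scanner rules call it with flex start-condition constants (`SCANSTATE_EXPR_NUMGEN`, `SCANSTATE_EXPR_HASH`) and the body casts the value to `int` for `yy_push_state()`, so the two numberings are treated as interchangeable. They coincide only while the enum in include/parser.h and the `%s` lines are declared in the same order, which will matter once `scanner_pop_start_cond()` starts using its currently ignored argument. A comment on the enum such as `/* keep in sync with the %s SCANSTATE_* order in scanner.l */` would record that, and it applies equally to the `PARSER_SC_SCTP` / `%s SCANSTATE_SCTP` pair added by 0023. Also worth confirming: a parse error between the push and the matching `close_scope_*` action looks like it leaves the pushed state on the stack, since nothing visible here pops it on the error path.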
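--- a/0023-scanner-sctp-Move-to-own-scope.patch
+++ b/0023-scanner-sctp-Move-to-own-scope.patch
@@ -0,0 +1,93 @@
+From 5009b467a06a86f5dcc3218fb860cd81bc5e067f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 4 May 2021 13:06:32 +0200
+Subject: [PATCH] scanner: sctp: Move to own scope
+
+This isolates only "vtag" token for now.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 0925d7e214825628e7db4a86d5ebbad578ab0777)
+
+Conflicts:
+include/parser.h
+src/parser_bison.y
+src/scanner.l
+-> Context changes due to missing other scopes.
+---
+include/parser.h | 1 +
+src/parser_bison.y | 5 +++--
+src/scanner.l | 8 ++++++--
+3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/include/parser.h b/include/parser.h
+index b2ebd7aa226c5..4e7b4ef430966 100644
+--- a/include/parser.h
++++ b/include/parser.h
+@@ -28,6 +28,7 @@ struct parser_state {
+
+enum startcond_type {
+PARSER_SC_BEGIN,
++ PARSER_SC_SCTP,
+PARSER_SC_EXPR_HASH,
+PARSER_SC_EXPR_NUMGEN,
+};
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index da3fafcd1eeb1..383908fa3742f 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -859,6 +859,7 @@ opt_newline : NEWLINE
+
+close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
++close_scope_sctp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };
+
+common_block : INCLUDE QUOTED_STRING stmt_separator
+{
+@@ -4620,7 +4621,7 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
+BYTEORDER_HOST_ENDIAN,
+sizeof(data) * BITS_PER_BYTE, &data);
+}
+- | SCTP
++ | SCTP close_scope_sctp
+{
+uint8_t data = IPPROTO_SCTP;
+$$ = constant_expr_alloc(&@$, &inet_protocol_type,
+@@ -5345,7 +5346,7 @@ dccp_hdr_field : SPORT { $$ = DCCPHDR_SPORT; }
+| TYPE { $$ = DCCPHDR_TYPE; }
+;
+
+-sctp_hdr_expr : SCTP sctp_hdr_field
++sctp_hdr_expr : SCTP sctp_hdr_field close_scope_sctp
+{
+$$ = payload_expr_alloc(&@$, &proto_sctp, $2);
+}
+diff --git a/src/scanner.l b/src/scanner.l
+index ec8f252fbc8c8..c8e74e685f3d7 100644
+--- a/src/scanner.l
++++ b/src/scanner.l
+@@ -196,6 +196,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+%option nodefault
+%option warn
+%option stack
++%s SCANSTATE_SCTP
+%s SCANSTATE_EXPR_HASH
+%s SCANSTATE_EXPR_NUMGEN
+
+@@ -491,8 +492,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+
+"dccp" { return DCCP; }
+
+-"sctp" { return SCTP; }
+-"vtag" { return VTAG; }
++"sctp" { scanner_push_start_cond(yyscanner, SCANSTATE_SCTP); return SCTP; }
++
++<SCANSTATE_SCTP>{
++ "vtag" { return VTAG; }
++}
+
+"rt" { return RT; }
+"rt0" { return RT0; }
+--
+2.33.0
+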
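Review bot: Every `"sctp"` keyword now pushes `SCANSTATE_SCTP` in the scanner, so each grammar production that consumes the `SCTP` token has to end in `close_scope_sctp`, and only the two productions visible here (`primary_rhs_expr` and `sctp_hdr_expr`) are converted. Any other user of `SCTP` in the backported parser_bison.y, outside these hunks, would leave one entry on the start-condition stack per occurrence and keep `vtag` tokenised as a keyword afterwards. The Conflicts note says the context differs from upstream because other scopes are missing, so it is worth checking the backported grammar for remaining `SCTP` users. A comment next to the scanner rule, for example `/* popped by close_scope_sctp in parser_bison.y */`, would make the pairing discoverable from the scanner side.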
1622
0024-exthdr-Implement-SCTP-Chunk-matching.patch
Normal file
1622
0024-exthdr-Implement-SCTP-Chunk-matching.patch
Normal file
File diff suppressed because it is too large
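--- a/0025-include-missing-sctp_chunk.h-in-Makefile.am.patch
+++ b/0025-include-missing-sctp_chunk.h-in-Makefile.am.patch
@@ -0,0 +1,29 @@
+From fe19063ce09d40ea94bf57c4af8b6c121aaf89e8 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 25 May 2021 14:04:36 +0200
+Subject: [PATCH] include: missing sctp_chunk.h in Makefile.am
+
+Fix make distcheck.
+
+Fixes: 0e3871cfd9a1 ("exthdr: Implement SCTP Chunk matching")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 117ceb4f527119a6d44bf5e23f2ff7a8d116658a)
+---
+include/Makefile.am | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/include/Makefile.am b/include/Makefile.am
+index 42f24f35ce7a5..4cd907380ebaa 100644
+--- a/include/Makefile.am
++++ b/include/Makefile.am
+@@ -31,6 +31,7 @@ noinst_HEADERS = cli.h \
+osf.h \
+parser.h \
+proto.h \
++ sctp_chunk.h \
+socket.h \
+rule.h \
+rt.h \
+--
+2.33.0
+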
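--- a/0026-evaluate-fix-inet-nat-with-no-layer-3-info.patch
+++ b/0026-evaluate-fix-inet-nat-with-no-layer-3-info.patch
@@ -0,0 +1,41 @@
+From 0c371aeab906b6e65c4c86174cbe2fbca02891d1 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 20 Jul 2021 18:59:44 +0200
+Subject: [PATCH] evaluate: fix inet nat with no layer 3 info
+
+nft currently reports:
+
+Error: Could not process rule: Protocol error
+add rule inet x y meta l4proto tcp dnat to :80
+^^^^
+
+default to NFPROTO_INET family, otherwise kernel bails out EPROTO when
+trying to load the conntrack helper.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 9a36033ce50638a403d1421935cdd1287ee5de6b)
+---
+src/evaluate.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index bba685af720ed..73d6fd0e89bc2 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -2896,9 +2896,10 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt)
+stmt->nat.family = ctx->pctx.family;
+return 0;
+case NFPROTO_INET:
+- if (!stmt->nat.addr)
++ if (!stmt->nat.addr) {
++ stmt->nat.family = NFPROTO_INET;
+return 0;
+-
++ }
+if (stmt->nat.family != NFPROTO_UNSPEC)
+return 0;
+
+--
+2.34.1
+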
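Review bot: The new assignment in the `NFPROTO_INET` case runs before the `stmt->nat.family != NFPROTO_UNSPEC` check below it, so when `nat.addr` is NULL any family already stored in the statement is replaced with `NFPROTO_INET`. If a caller can reach this point with an explicit family and no address (not visible in this hunk), guarding it as `if (stmt->nat.family == NFPROTO_UNSPEC) stmt->nat.family = NFPROTO_INET;` would preserve that choice. The reason for the default exists only in the commit message; a comment such as `/* no address given: default to inet, otherwise the kernel bails out with EPROTO */` would keep it with the code. nat_evaluate_family() starts and ends outside the hunk.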
@ -0,0 +1,75 @@
|
||||
From 00d3745306aa87eeb2466dbb5e6958225de3354f Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Thu, 22 Jul 2021 17:43:56 +0200
|
||||
Subject: [PATCH] tests: py: add dnat to port without defining destination
|
||||
address
|
||||
|
||||
Add a test to cover dnat to port without destination address.
|
||||
|
||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
(cherry picked from commit 0f27e258b37a592233d6ad5381cd1fae65e57514)
|
||||
---
|
||||
tests/py/inet/dnat.t | 1 +
|
||||
tests/py/inet/dnat.t.json | 20 ++++++++++++++++++++
|
||||
tests/py/inet/dnat.t.payload | 7 +++++++
|
||||
3 files changed, 28 insertions(+)
|
||||
|
||||
diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
|
||||
index b460af3925570..e4e169f2bc3ec 100644
|
||||
--- a/tests/py/inet/dnat.t
|
||||
+++ b/tests/py/inet/dnat.t
|
||||
@@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok
|
||||
|
||||
iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok
|
||||
iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok
|
||||
+meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80
|
||||
|
||||
dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok
|
||||
dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
|
||||
diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
|
||||
index 1b8aba6297d36..c341a0455fea1 100644
|
||||
--- a/tests/py/inet/dnat.t.json
|
||||
+++ b/tests/py/inet/dnat.t.json
|
||||
@@ -219,3 +219,23 @@
|
||||
}
|
||||
]
|
||||
|
||||
+# meta l4proto tcp dnat to :80
|
||||
+[
|
||||
+ {
|
||||
+ "match": {
|
||||
+ "left": {
|
||||
+ "meta": {
|
||||
+ "key": "l4proto"
|
||||
+ }
|
||||
+ },
|
||||
+ "op": "==",
|
||||
+ "right": 6
|
||||
+ }
|
||||
+ },
|
||||
+ {
|
||||
+ "dnat": {
|
||||
+ "port": 80
|
||||
+ }
|
||||
+ }
|
||||
+]
|
||||
+
|
||||
diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
|
||||
index a741b9cbdb8d7..be5baf8fd4b47 100644
|
||||
--- a/tests/py/inet/dnat.t.payload
|
||||
+++ b/tests/py/inet/dnat.t.payload
|
||||
@@ -77,3 +77,10 @@ inet
|
||||
[ immediate reg 2 0x00005000 ]
|
||||
[ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ]
|
||||
|
||||
+# meta l4proto tcp dnat to :80
|
||||
+inet
|
||||
+ [ meta load l4proto => reg 1 ]
|
||||
+ [ cmp eq reg 1 0x00000006 ]
|
||||
+ [ immediate reg 1 0x00005000 ]
|
||||
+ [ nat dnat inet proto_min reg 1 flags 0x2 ]
|
||||
+
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,6 +1,6 @@
|
||||
Name: nftables
|
||||
Version: 0.9.8
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
|
||||
Epoch: 1
|
||||
Summary: Netfilter Tables userspace utillites
|
||||
@ -34,11 +34,17 @@ Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
|
||||
Patch18: 0018-doc-nft.8-Extend-monitor-description-by-trace.patch
|
||||
Patch19: 0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
|
||||
Patch20: 0020-tests-shell-better-parameters-for-the-interval-stack.patch
|
||||
Patch21: 0021-json-Simplify-non-tcpopt-exthdr-printing-a-bit.patch
|
||||
Patch22: 0022-scanner-introduce-start-condition-stack.patch
|
||||
Patch23: 0023-scanner-sctp-Move-to-own-scope.patch
|
||||
Patch24: 0024-exthdr-Implement-SCTP-Chunk-matching.patch
|
||||
Patch25: 0025-include-missing-sctp_chunk.h-in-Makefile.am.patch
|
||||
Patch26: 0026-evaluate-fix-inet-nat-with-no-layer-3-info.patch
|
||||
Patch27: 0027-tests-py-add-dnat-to-port-without-defining-destinati.patch
|
||||
|
||||
#BuildRequires: autogen
|
||||
#BuildRequires: autoconf
|
||||
#BuildRequires: automake
|
||||
#BuildRequires: libtool
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: flex
|
||||
@ -76,7 +82,8 @@ The nftables python module provides an interface to libnftables via ctypes.
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
#./autogen.sh
|
||||
autoreconf -fi
|
||||
rm -Rf autom4te*.cache config.h.in~
|
||||
%configure --disable-silent-rules --with-xtables --with-json \
|
||||
--enable-python --with-python-bin=%{__python3}
|
||||
%make_build
|
||||
@ -143,6 +150,15 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
|
||||
%{python3_sitelib}/nftables/
|
||||
|
||||
%changelog
|
||||
* Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-11
|
||||
- tests: py: add dnat to port without defining destination address
|
||||
- evaluate: fix inet nat with no layer 3 info
|
||||
- include: missing sctp_chunk.h in Makefile.am
|
||||
- exthdr: Implement SCTP Chunk matching
|
||||
- scanner: sctp: Move to own scope
|
||||
- scanner: introduce start condition stack
|
||||
- json: Simplify non-tcpopt exthdr printing a bit
|
||||
|
||||
* Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-10
|
||||
- tests: shell: better parameters for the interval stack overflow test
|
||||
- tests: shell: $NFT needs to be invoked unquoted
|
||||
|