rpms/nftables
5
0
Fork 0
Code Issues Pull Requests Releases Activity

nftables-1.0.4-1.el9

Browse Source 
- Review package dependencies
- new version 1.0.4

Resolves: rhbz#1917398
This commit is contained in:
Phil Sutter 2022-03-01 15:48:40 +01:00
parent 1606add35f
commit 98611e7b9d
31 changed files with 18 additions and 3222 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -20,3 +20,4 @@
/nftables-0.9.6.tar.bz2
/nftables-0.9.7.tar.bz2
/nftables-0.9.8.tar.bz2
/nftables-1.0.4.tar.bz2

122
0001-payload-check-icmp-dependency-before-removing-previo.patch
View File

@ -1,122 +0,0 @@
From 9230899c6d2be8913646ff1a3b560865c330de7b Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 1 Feb 2021 22:08:54 +0100
Subject: [PATCH] payload: check icmp dependency before removing previous icmp
expression
nft is too greedy when removing icmp dependencies.
'icmp code 1 type 2' did remove the type when printing.
Be more careful and check that the icmp type dependency of the
candidate expression (earlier icmp payload expression) has the same
type dependency as the new expression.
Reported-by: Eric Garver <eric@garver.life>
Reported-by: Michael Biebl <biebl@debian.org>
Tested-by: Eric Garver <eric@garver.life>
Fixes: d0f3b9eaab8d77e ("payload: auto-remove simple icmp/icmpv6 dependency expressions")
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 533565244d88a818d8828ebabd7625e5a8a4c374)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/payload.c | 63 ++++++++++++++++++++++++++++++++++-----------------
1 file changed, 42 insertions(+), 21 deletions(-)
diff --git a/src/payload.c b/src/payload.c
index 48529bcf5c514..a77ca55005509 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -627,6 +627,40 @@ void payload_dependency_release(struct payload_dep_ctx *ctx)
ctx->pdep = NULL;
}
+static uint8_t icmp_dep_to_type(enum icmp_hdr_field_type t)
+{
+ switch (t) {
+ case PROTO_ICMP_ANY:
+ BUG("Invalid map for simple dependency");
+ case PROTO_ICMP_ECHO: return ICMP_ECHO;
+ case PROTO_ICMP6_ECHO: return ICMP6_ECHO_REQUEST;
+ case PROTO_ICMP_MTU: return ICMP_DEST_UNREACH;
+ case PROTO_ICMP_ADDRESS: return ICMP_REDIRECT;
+ case PROTO_ICMP6_MTU: return ICMP6_PACKET_TOO_BIG;
+ case PROTO_ICMP6_MGMQ: return MLD_LISTENER_QUERY;
+ case PROTO_ICMP6_PPTR: return ICMP6_PARAM_PROB;
+ }
+
+ BUG("Missing icmp type mapping");
+}
+
+static bool payload_may_dependency_kill_icmp(struct payload_dep_ctx *ctx, struct expr *expr)
+{
+ const struct expr *dep = ctx->pdep->expr;
+ uint8_t icmp_type;
+
+ icmp_type = expr->payload.tmpl->icmp_dep;
+ if (icmp_type == PROTO_ICMP_ANY)
+ return false;
+
+ if (dep->left->payload.desc != expr->payload.desc)
+ return false;
+
+ icmp_type = icmp_dep_to_type(expr->payload.tmpl->icmp_dep);
+
+ return ctx->icmp_type == icmp_type;
+}
+
static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
unsigned int family, struct expr *expr)
{
@@ -661,6 +695,14 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
break;
}
+ if (expr->payload.base == PROTO_BASE_TRANSPORT_HDR &&
+ dep->left->payload.base == PROTO_BASE_TRANSPORT_HDR) {
+ if (dep->left->payload.desc == &proto_icmp)
+ return payload_may_dependency_kill_icmp(ctx, expr);
+ if (dep->left->payload.desc == &proto_icmp6)
+ return payload_may_dependency_kill_icmp(ctx, expr);
+ }
+
return true;
}
@@ -680,10 +722,6 @@ void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
if (payload_dependency_exists(ctx, expr->payload.base) &&
payload_may_dependency_kill(ctx, family, expr))
payload_dependency_release(ctx);
- else if (ctx->icmp_type && ctx->pdep) {
- fprintf(stderr, "Did not kill \n");
- payload_dependency_release(ctx);
- }
}
void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
@@ -707,23 +745,6 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
}
}
-static uint8_t icmp_dep_to_type(enum icmp_hdr_field_type t)
-{
- switch (t) {
- case PROTO_ICMP_ANY:
- BUG("Invalid map for simple dependency");
- case PROTO_ICMP_ECHO: return ICMP_ECHO;
- case PROTO_ICMP6_ECHO: return ICMP6_ECHO_REQUEST;
- case PROTO_ICMP_MTU: return ICMP_DEST_UNREACH;
- case PROTO_ICMP_ADDRESS: return ICMP_REDIRECT;
- case PROTO_ICMP6_MTU: return ICMP6_PACKET_TOO_BIG;
- case PROTO_ICMP6_MGMQ: return MLD_LISTENER_QUERY;
- case PROTO_ICMP6_PPTR: return ICMP6_PARAM_PROB;
- }
-
- BUG("Missing icmp type mapping");
-}
-
/**
* payload_expr_complete - fill in type information of a raw payload expr
*
--
2.31.1

165
0002-tests-add-icmp-6-test-where-dependency-should-be-lef.patch
View File

@ -1,165 +0,0 @@
From bcd7ef679ca12700970e84fdd8ed38d8f58557ea Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 1 Feb 2021 22:44:25 +0100
Subject: [PATCH] tests: add icmp/6 test where dependency should be left alone
These tests fail: nft should leave the type as-is.
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 3eb14fd93093c5e084d3ac1c4b0171cf80fb264f)
Conflicts:
tests/py/ip/icmp.t.json
tests/py/ip6/icmpv6.t.json
-> Context change it seems.
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/py/ip/icmp.t | 2 ++
tests/py/ip/icmp.t.json | 28 ++++++++++++++++++++
tests/py/ip/icmp.t.payload.ip | 6 +++++
tests/py/ip6/icmpv6.t | 2 ++
tests/py/ip6/icmpv6.t.json | 44 +++++++++++++++++++++++++++++++
tests/py/ip6/icmpv6.t.payload.ip6 | 7 +++++
6 files changed, 89 insertions(+)
diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
index c22b55eb1e3f4..11f3662e2b027 100644
--- a/tests/py/ip/icmp.t
+++ b/tests/py/ip/icmp.t
@@ -86,3 +86,5 @@ icmp gateway != { 33-55};ok
icmp gateway != 34;ok
icmp gateway != { 333, 334};ok
+icmp code 1 icmp type 2;ok;icmp type 2 icmp code host-unreachable
+icmp code != 1 icmp type 2 icmp mtu 5;fail
diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json
index 965eb10be9edf..2ea5b1a3e5e02 100644
--- a/tests/py/ip/icmp.t.json
+++ b/tests/py/ip/icmp.t.json
@@ -1424,3 +1424,31 @@
}
]
+# icmp code 1 icmp type 2
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": 2
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmp"
+ }
+ },
+ "op": "==",
+ "right": "host-unreachable"
+ }
+ }
+]
+
diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
index d75d12a061252..97464a08379e3 100644
--- a/tests/py/ip/icmp.t.payload.ip
+++ b/tests/py/ip/icmp.t.payload.ip
@@ -787,3 +787,9 @@ ip test-ip4 input
[ lookup reg 1 set __set%d ]
[ immediate reg 0 accept ]
+# icmp code 1 icmp type 2
+ip
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000102 ]
diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t
index 8b411a8bf4392..d07c34bd939dc 100644
--- a/tests/py/ip6/icmpv6.t
+++ b/tests/py/ip6/icmpv6.t
@@ -92,3 +92,5 @@ icmpv6 max-delay {33, 55, 67, 88};ok
icmpv6 max-delay != {33, 55, 67, 88};ok
icmpv6 max-delay {33-55};ok
icmpv6 max-delay != {33-55};ok
+
+icmpv6 type parameter-problem icmpv6 code no-route;ok
diff --git a/tests/py/ip6/icmpv6.t.json b/tests/py/ip6/icmpv6.t.json
index f6cfbf172f562..be2f1b462bb18 100644
--- a/tests/py/ip6/icmpv6.t.json
+++ b/tests/py/ip6/icmpv6.t.json
@@ -1300,3 +1300,47 @@
}
]
+# icmpv6 type packet-too-big icmpv6 mtu 1280
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "mtu",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": 1280
+ }
+ }
+]
+
+# icmpv6 type parameter-problem icmpv6 code no-route
+[
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "type",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "parameter-problem"
+ }
+ },
+ {
+ "match": {
+ "left": {
+ "payload": {
+ "field": "code",
+ "protocol": "icmpv6"
+ }
+ },
+ "op": "==",
+ "right": "no-route"
+ }
+ }
+]
+
diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6
index 171b7eade6d3e..448779d16922c 100644
--- a/tests/py/ip6/icmpv6.t.payload.ip6
+++ b/tests/py/ip6/icmpv6.t.payload.ip6
@@ -682,3 +682,10 @@ ip6 test-ip6 input
[ payload load 2b @ transport header + 4 => reg 1 ]
[ lookup reg 1 set __set%d 0x1 ]
+# icmpv6 type parameter-problem icmpv6 code no-route
+ip6
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x0000003a ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ cmp eq reg 1 0x00000004 ]
+
--
2.31.1

48
0003-main-fix-nft-help-output-fallout-from-719e4427.patch
View File

@ -1,48 +0,0 @@
From 5f91359f1bbcd73346e4469f0b5a30e04f107a06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
Date: Mon, 22 Feb 2021 13:03:19 +0100
Subject: [PATCH] main: fix nft --help output fallout from 719e4427
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Long options were missing the double dash.
Fixes: 719e44277f8e ("main: use one data-structure to initialize getopt_long(3) arguments and help.")
Cc: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit b8c6dd1a9c0c6e937febc113e7ea89079aa945be)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/main.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/main.c b/src/main.c
index 80cf1acf0f7f4..8c47064459ecb 100644
--- a/src/main.c
+++ b/src/main.c
@@ -175,16 +175,17 @@ static const struct option *get_options(void)
static void print_option(const struct nft_opt *opt)
{
- char optbuf[33] = "";
+ char optbuf[35] = "";
int i;
i = snprintf(optbuf, sizeof(optbuf), " -%c", opt->val);
if (opt->name)
- i += snprintf(optbuf + i, sizeof(optbuf) - i, ", %s", opt->name);
+ i += snprintf(optbuf + i, sizeof(optbuf) - i, ", --%s",
+ opt->name);
if (opt->arg)
i += snprintf(optbuf + i, sizeof(optbuf) - i, " %s", opt->arg);
- printf("%-32s%s\n", optbuf, opt->help);
+ printf("%-34s%s\n", optbuf, opt->help);
}
static void show_help(const char *name)
--
2.31.1

30
0004-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch
View File

@ -1,30 +0,0 @@
From f09f39704d8bfa15d236b6891aabef270ec43d73 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 16:03:32 +0200
Subject: [PATCH] parser_bison: Fix for implicit declaration of isalnum
Have to include ctype.h to make it known.
Fixes: e76bb37940181 ("src: allow for variables in the log prefix string")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 7c3b2a7acbdc793b822a230ec0c28086c7d0365d)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/parser_bison.y | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 519e8efe5ab7e..8644f66106496 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -10,6 +10,7 @@
%{
+#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>
--
2.31.1

39
0005-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch
View File

@ -1,39 +0,0 @@
From a79e92c0f6761a748ef3cbffd26a4f1db82b4b3e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 16:07:02 +0200
Subject: [PATCH] parser_json: Fix for memleak in tcp option error path
If 'kind' value is invalid, the function returned without freeing 'expr'
first. Fix this by performing the check before allocation.
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit f7b0eef8391ae7f89a3a82f6eeecaebe199224d7)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/parser_json.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index f0486b77a225a..85d05ce27eef3 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -611,12 +611,12 @@ static struct expr *json_parse_tcp_option_expr(struct json_ctx *ctx,
"base", &kind, "offset", &offset, "len", &len)) {
uint32_t flag = 0;
- expr = tcpopt_expr_alloc(int_loc, kind,
- TCPOPT_COMMON_KIND);
-
if (kind < 0 || kind > 255)
return NULL;
+ expr = tcpopt_expr_alloc(int_loc, kind,
+ TCPOPT_COMMON_KIND);
+
if (offset == TCPOPT_COMMON_KIND && len == 8)
flag = NFT_EXTHDR_F_PRESENT;
--
2.31.1

30
0006-evaluate-Mark-fall-through-case-in-str2hooknum.patch
View File

@ -1,30 +0,0 @@
From 07ebd0fa9300176f818789fde2498422fa421090 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 16:19:18 +0200
Subject: [PATCH] evaluate: Mark fall through case in str2hooknum()
It is certainly intentional, so just mark it as such.
Fixes: b4775dec9f80b ("src: ingress inet support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit c2e06beef3390867901080c0d789e3b6257e2b98)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/evaluate.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index c830dcdbd9651..2a897f469434a 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4030,6 +4030,7 @@ static uint32_t str2hooknum(uint32_t family, const char *hook)
case NFPROTO_INET:
if (!strcmp(hook, "ingress"))
return NF_INET_INGRESS;
+ /* fall through */
case NFPROTO_IPV4:
case NFPROTO_BRIDGE:
case NFPROTO_IPV6:
--
2.31.1

30
0007-json-Drop-pointless-assignment-in-exthdr_expr_json.patch
View File

@ -1,30 +0,0 @@
From a7da4f45cc1c8419b38e3e9adf0e15bedb8b0257 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 16:23:22 +0200
Subject: [PATCH] json: Drop pointless assignment in exthdr_expr_json()
The updated value of 'is_exists' is no longer read at this point.
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit c1616dfd1ce40bac197924c8947e1c646e915dca)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/json.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/json.c b/src/json.c
index 585d35326ac01..1fb5015124e16 100644
--- a/src/json.c
+++ b/src/json.c
@@ -692,7 +692,6 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)
"base", expr->exthdr.raw_type,
"offset", expr->exthdr.offset,
"len", expr->len);
- is_exists = false;
}
return json_pack("{s:o}", "tcp option", root);
--
2.31.1

42
0008-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
View File

@ -1,42 +0,0 @@
From 2344a35f90ef4a467b6bb9779fc687b17f4a4b51 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 16:43:21 +0200
Subject: [PATCH] netlink: Avoid memleak in error path of
netlink_delinearize_set()
Duplicate string 'comment' later when the function does not fail
anymore.
Fixes: 0864c2d49ee8a ("src: add comment support for set declarations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit accd7a346fd19f1ffc503b3f681323abf1157c1a)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/netlink.c b/src/netlink.c
index ec2dad29ace1c..5c38a9f157d38 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -840,7 +840,7 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
if (ud[NFTNL_UDATA_SET_DATA_TYPEOF])
typeof_expr_data = set_make_key(ud[NFTNL_UDATA_SET_DATA_TYPEOF]);
if (ud[NFTNL_UDATA_SET_COMMENT])
- comment = xstrdup(nftnl_udata_get(ud[NFTNL_UDATA_SET_COMMENT]));
+ comment = nftnl_udata_get(ud[NFTNL_UDATA_SET_COMMENT]);
}
key = nftnl_set_get_u32(nls, NFTNL_SET_KEY_TYPE);
@@ -878,7 +878,7 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
set->handle.set.name = xstrdup(nftnl_set_get_str(nls, NFTNL_SET_NAME));
set->automerge = automerge;
if (comment)
- set->comment = comment;
+ set->comment = xstrdup(comment);
init_list_head(&set_parse_ctx.stmt_list);
--
2.31.1

32
0009-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
View File

@ -1,32 +0,0 @@
From 6cbc04136a91eca237476827b57e78ac29e00aeb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 18:32:13 +0200
Subject: [PATCH] netlink: Avoid memleak in error path of
netlink_delinearize_chain()
If parsing udata fails, 'chain' has to be freed before returning to
caller.
Fixes: 702ac2b72c0e8 ("src: add comment support for chains")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 04f7af9dd66d3a0f627f43bc4bf55bae9856efc8)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/netlink.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/netlink.c b/src/netlink.c
index 5c38a9f157d38..22140afc3fd7e 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -573,6 +573,7 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
udata = nftnl_chain_get_data(nlc, NFTNL_CHAIN_USERDATA, &ulen);
if (nftnl_udata_parse(udata, ulen, chain_parse_udata_cb, ud) < 0) {
netlink_io_error(ctx, NULL, "Cannot parse userdata");
+ chain_free(chain);
return NULL;
}
if (ud[NFTNL_UDATA_CHAIN_COMMENT])
--
2.31.1

32
0010-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
View File

@ -1,32 +0,0 @@
From c47e6d3b1ccb166b807d19fd585d6b5b3cd0b7f7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 18:33:44 +0200
Subject: [PATCH] netlink: Avoid memleak in error path of
netlink_delinearize_table()
If parsing udata fails, 'table' has to be freed before returning to
caller.
Fixes: c156232a530b3 ("src: add comment support when adding tables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 47640634cff9932784a1a96836d6c5809cc8264d)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/netlink.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/netlink.c b/src/netlink.c
index 22140afc3fd7e..fd82b16cb9f6e 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -620,6 +620,7 @@ struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
udata = nftnl_table_get_data(nlt, NFTNL_TABLE_USERDATA, &ulen);
if (nftnl_udata_parse(udata, ulen, table_parse_udata_cb, ud) < 0) {
netlink_io_error(ctx, NULL, "Cannot parse userdata");
+ table_free(table);
return NULL;
}
if (ud[NFTNL_UDATA_TABLE_COMMENT])
--
2.31.1

32
0011-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
View File

@ -1,32 +0,0 @@
From 3ec01f287b0b61c0e6d885a7e96dcfa5afa800b8 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 16:46:48 +0200
Subject: [PATCH] netlink: Avoid memleak in error path of
netlink_delinearize_obj()
If parsing udata fails, 'obj' has to be freed before returning to
caller.
Fixes: 293c9b114faef ("src: add comment support for objects")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 97b5d4bbcac4d3237f114c1c6a57c37968ebe0fc)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/netlink.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/netlink.c b/src/netlink.c
index fd82b16cb9f6e..4c03baeff5d66 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1445,6 +1445,7 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
udata = nftnl_obj_get_data(nlo, NFTNL_OBJ_USERDATA, &ulen);
if (nftnl_udata_parse(udata, ulen, obj_parse_udata_cb, ud) < 0) {
netlink_io_error(ctx, NULL, "Cannot parse userdata");
+ obj_free(obj);
return NULL;
}
if (ud[NFTNL_UDATA_OBJ_COMMENT])
--
2.31.1

35
0012-netlink_delinearize-Fix-suspicious-calloc-call.patch
View File

@ -1,35 +0,0 @@
From d8322b08998a6945b659078b5cc4bd7423194f70 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 17:02:01 +0200
Subject: [PATCH] netlink_delinearize: Fix suspicious calloc() call
Parameter passed to sizeof() was wrong. While being at it, replace the
whole call with xmalloc_array() which takes care of error checking.
Fixes: 913979f882d13 ("src: add expression handler hashtable")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit c4058f96c6a55e4fcd49d4380ac07b5466ec01c0)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/netlink_delinearize.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 7315072284119..152b3e6cf8c65 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1732,9 +1732,8 @@ void expr_handler_init(void)
unsigned int i;
uint32_t hash;
- expr_handle_ht = calloc(NFT_EXPR_HSIZE, sizeof(expr_handle_ht));
- if (!expr_handle_ht)
- memory_allocation_error();
+ expr_handle_ht = xmalloc_array(NFT_EXPR_HSIZE,
+ sizeof(expr_handle_ht[0]));
for (i = 0; i < array_size(netlink_parsers); i++) {
hash = djb_hash(netlink_parsers[i].name) % NFT_EXPR_HSIZE;
--
2.31.1

32
0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch
View File

@ -1,32 +0,0 @@
From 5fbf4169fba1dfef0f461c4fe31bed70610ebce2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 11 Jun 2021 17:08:34 +0200
Subject: [PATCH] rule: Fix for potential off-by-one in cmd_add_loc()
Using num_attrs as index means it must be at max one less than the
array's size at function start.
Fixes: 27362a5bfa433 ("rule: larger number of error locations")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/rule.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rule.c b/src/rule.c
index e4bb6bae276a0..03422da3a7560 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1491,7 +1491,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
{
- if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
+ if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
return;
cmd->attr[cmd->num_attrs].offset = offset;
--
2.31.1

71
0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch
View File

@ -1,71 +0,0 @@
From 6509f63cb68ea2dd737f9b52c146803402efcd7a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 14 Jun 2021 14:47:47 +0200
Subject: [PATCH] src: add xzalloc_array() and use it to allocate the
expression hashtable
Otherwise, assertion to ensure that no colission occur is hit due to
uninitialized hashtable memory area:
nft: netlink_delinearize.c:1741: expr_handler_init: Assertion `expr_handle_ht[hash] == NULL' failed.
Fixes: c4058f96c6a5 ("netlink_delinearize: Fix suspicious calloc() call")
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit b0e7b294224030abc534c396fffcab9fbce12b11)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/utils.h | 1 +
src/netlink_delinearize.c | 2 +-
src/utils.c | 10 ++++++++++
3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/include/utils.h b/include/utils.h
index f45f25132d18d..ffbe2cbb75be5 100644
--- a/include/utils.h
+++ b/include/utils.h
@@ -133,6 +133,7 @@ extern void *xmalloc(size_t size);
extern void *xmalloc_array(size_t nmemb, size_t size);
extern void *xrealloc(void *ptr, size_t size);
extern void *xzalloc(size_t size);
+extern void *xzalloc_array(size_t nmemb, size_t size);
extern char *xstrdup(const char *s);
extern void xstrunescape(const char *in, char *out);
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 152b3e6cf8c65..7665d6f29c602 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1732,7 +1732,7 @@ void expr_handler_init(void)
unsigned int i;
uint32_t hash;
- expr_handle_ht = xmalloc_array(NFT_EXPR_HSIZE,
+ expr_handle_ht = xzalloc_array(NFT_EXPR_HSIZE,
sizeof(expr_handle_ht[0]));
for (i = 0; i < array_size(netlink_parsers); i++) {
diff --git a/src/utils.c b/src/utils.c
index 47f5b791547b1..925841c571f5d 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -50,6 +50,16 @@ void *xmalloc_array(size_t nmemb, size_t size)
return xmalloc(nmemb * size);
}
+void *xzalloc_array(size_t nmemb, size_t size)
+{
+ void *ptr;
+
+ ptr = xmalloc_array(nmemb, size);
+ memset(ptr, 0, nmemb * size);
+
+ return ptr;
+}
+
void *xrealloc(void *ptr, size_t size)
{
ptr = realloc(ptr, size);
--
2.31.1

38
0015-json-init-parser-state-for-every-new-buffer-file.patch
View File

@ -1,38 +0,0 @@
From 27f931c935f27a00fe0ecbe8c4bcb3be6ba41096 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 19 Feb 2021 10:11:26 -0500
Subject: [PATCH] json: init parser state for every new buffer/file
Otherwise invalid error states cause subsequent json parsing to fail
when it should not.
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 267338ec392346ef55ed51509e5f8e8354d6c19a)
---
src/parser_json.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/parser_json.c b/src/parser_json.c
index 85d05ce27eef3..9bba77dad5f0d 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -3893,6 +3893,7 @@ int nft_parse_json_buffer(struct nft_ctx *nft, const char *buf,
};
int ret;
+ parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
nft->json_root = json_loads(buf, 0, NULL);
if (!nft->json_root)
return -EINVAL;
@@ -3921,6 +3922,7 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename,
json_error_t err;
int ret;
+ parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
nft->json_root = json_load_file(filename, 0, &err);
if (!nft->json_root)
return -EINVAL;
--
2.31.1

61
0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
View File

@ -1,61 +0,0 @@
From 24d7383ca9e7f056153cc305ee16fa9fd8580909 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 9 Jun 2021 15:49:52 +0200
Subject: [PATCH] segtree: Fix segfault when restoring a huge interval set
Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
set_to_segtree() exhausts the stack. Prevent this by allocating the
pointer array on heap and make sure it is freed before returning to
caller.
With this patch in place, restoring said set succeeds with allocation of
about 3GB of memory, according to valgrind.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit baecd1cf26851a4c5b7d469206a488f14fe5b147)
---
src/segtree.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/segtree.c b/src/segtree.c
index 9aa39e52d8a09..163a7bb755f9c 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -429,10 +429,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
struct expr *init, struct seg_tree *tree,
bool add, bool merge)
{
- struct elementary_interval *intervals[init->size];
+ struct elementary_interval **intervals;
struct expr *i, *next;
unsigned int n;
- int err;
+ int err = 0;
/* We are updating an existing set with new elements, check if the new
* interval overlaps with any of the existing ones.
@@ -443,6 +443,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
return err;
}
+ intervals = xmalloc_array(init->size, sizeof(intervals[0]));
n = expr_to_intervals(init, tree->keylen, intervals);
list_for_each_entry_safe(i, next, &init->expressions, list) {
@@ -461,10 +462,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
for (n = 0; n < init->size; n++) {
err = ei_insert(msgs, tree, intervals[n], merge);
if (err < 0)
- return err;
+ break;
}
- return 0;
+ xfree(intervals);
+ return err;
}
static bool segtree_needs_first_segment(const struct set *set,
--
2.33.0

66
0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
View File

@ -1,66 +0,0 @@
From 2c4a6a4f1d51358a196a7039c41b7d50df656985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
Date: Wed, 20 Oct 2021 14:42:20 +0200
Subject: [PATCH] tests: cover baecd1cf2685 ("segtree: Fix segfault when
restoring a huge interval set")
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Test inspired by [1] with both the set and stack size reduced by the
same power of 2, to preserve the (pre-baecd1cf2685) segfault on one
hand, and make the test successfully complete (post-baecd1cf2685) in a
few seconds even on weaker hardware on the other.
(The reason I stopped at 128kB stack size is that with 64kB I was
getting segfaults even with baecd1cf2685 applied.)
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Helped-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit d8ccad2a2b73c4189934eb5fd0e3d096699b5043)
---
.../sets/0068interval_stack_overflow_0 | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100755 tests/shell/testcases/sets/0068interval_stack_overflow_0
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
new file mode 100755
index 0000000000000..134282de28268
--- /dev/null
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+ruleset_file=$(mktemp)
+
+trap 'rm -f "$ruleset_file"' EXIT
+
+{
+ echo 'define big_set = {'
+ for ((i = 1; i < 255; i++)); do
+ for ((j = 1; j < 80; j++)); do
+ echo "10.0.$i.$j,"
+ done
+ done
+ echo '10.1.0.0/24 }'
+} >"$ruleset_file"
+
+cat >>"$ruleset_file" <<\EOF
+table inet test68_table {
+ set test68_set {
+ type ipv4_addr
+ flags interval
+ elements = { $big_set }
+ }
+}
+EOF
+
+( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
--
2.33.0

63
0018-doc-nft.8-Extend-monitor-description-by-trace.patch
View File

@ -1,63 +0,0 @@
From 7f5707d93a62cf7474d94e038188a0a8ae2924e7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 19 May 2021 13:12:48 +0200
Subject: [PATCH] doc: nft.8: Extend monitor description by trace
Briefly describe 'nft monitor trace' command functionality.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 2acf8b2caea19d8abd46d475a908f8d6afb33aa0)
---
doc/nft.txt | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/doc/nft.txt b/doc/nft.txt
index 2642d8903787f..7b3c70d82a127 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -805,13 +805,26 @@ These are some additional commands included in nft.
MONITOR
~~~~~~~~
The monitor command allows you to listen to Netlink events produced by the
-nf_tables subsystem, related to creation and deletion of objects. When they
+nf_tables subsystem. These are either related to creation and deletion of
+objects or to packets for which *meta nftrace* was enabled. When they
occur, nft will print to stdout the monitored events in either JSON or
native nft format. +
-To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements', 'ruleset'. +
+[verse]
+____
+*monitor* [*new* | *destroy*] 'MONITOR_OBJECT'
+*monitor* *trace*
+
+'MONITOR_OBJECT' := *tables* | *chains* | *sets* | *rules* | *elements* | *ruleset*
+____
-To filter events related to a concrete action, use keyword 'new' or 'destroy'.
+To filter events related to a concrete object, use one of the keywords in
+'MONITOR_OBJECT'.
+
+To filter events related to a concrete action, use keyword *new* or *destroy*.
+
+The second form of invocation takes no further options and exclusively prints
+events generated for packets with *nftrace* enabled.
Hit ^C to finish the monitor operation.
@@ -835,6 +848,12 @@ Hit ^C to finish the monitor operation.
% nft monitor ruleset
---------------------
+.Trace incoming packets from host 10.0.0.1
+------------------------------------------
+% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1
+% nft monitor trace
+------------------------------------------
+
ERROR REPORTING
---------------
When an error is detected, nft shows the line(s) containing the error, the
--
2.33.0

53
0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
View File

@ -1,53 +0,0 @@
From 4bd60613ea60da4bf9da226be352dd47f585e8d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
Date: Fri, 5 Nov 2021 12:39:11 +0100
Subject: [PATCH] tests: shell: $NFT needs to be invoked unquoted
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The variable has to undergo word splitting, otherwise the shell tries
to find the variable value as an executable, which breaks in cases that
7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
intends to support.
Mention this in the shell tests README.
Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit dad3338f1f76a4a5bd782bae9c6b48941dfb1e31)
Conflicts:
tests/shell/README
-> Context change due to missing other patches.
---
tests/shell/README | 3 +++
tests/shell/testcases/sets/0068interval_stack_overflow_0 | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/shell/README b/tests/shell/README
index e0279bbdc30c3..aee50e3d668b1 100644
--- a/tests/shell/README
+++ b/tests/shell/README
@@ -25,4 +25,7 @@ path to the nftables binary being tested.
You can pass an arbitrary $NFT value as well:
# NFT=/usr/local/sbin/nft ./run-tests.sh
+Note that, to support usage such as NFT='valgrind nft', tests must
+invoke $NFT unquoted.
+
By default the tests are run with the nft binary at '../../src/nft'
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
index 134282de28268..6620572449c3c 100755
--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -26,4 +26,4 @@ table inet test68_table {
}
EOF
-( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
+( ulimit -s 128 && $NFT -f "$ruleset_file" )
--
2.33.0

51
0020-tests-shell-better-parameters-for-the-interval-stack.patch
View File

@ -1,51 +0,0 @@
From 0c34164a245bdd03085e906bc9b3327d559535a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
Date: Wed, 1 Dec 2021 12:12:00 +0100
Subject: [PATCH] tests: shell: better parameters for the interval stack
overflow test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Wider testing has shown that 128 kB stack is too low (e.g. for systems
with 64 kB page size), leading to false failures in some environments.
Based on results from a matrix of RHEL 8 and RHEL 9 systems across
x86_64, aarch64, ppc64le and s390x architectures as well as some
anecdotal testing of other Linux distros on x86_64 machines, 400 kB
seems safe: the normal nft stack (which should stay constant during
this test) on all tested systems doesn't exceed 200 kB (stays around
100 kB on typical systems with 4 kB page size), while always growing
beyond 500 kB in the failing case (nftables before baecd1cf2685) with
the increased set size.
Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 7b81d9cb094ffa96ad821528cf19269dc348f617)
---
tests/shell/testcases/sets/0068interval_stack_overflow_0 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
index 6620572449c3c..2cbc986802644 100755
--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -9,7 +9,7 @@ trap 'rm -f "$ruleset_file"' EXIT
{
echo 'define big_set = {'
for ((i = 1; i < 255; i++)); do
- for ((j = 1; j < 80; j++)); do
+ for ((j = 1; j < 255; j++)); do
echo "10.0.$i.$j,"
done
done
@@ -26,4 +26,4 @@ table inet test68_table {
}
EOF
-( ulimit -s 128 && $NFT -f "$ruleset_file" )
+( ulimit -s 400 && $NFT -f "$ruleset_file" )
--
2.33.0

49
0021-json-Simplify-non-tcpopt-exthdr-printing-a-bit.patch
View File

@ -1,49 +0,0 @@
From 92f73f85dbd6559905679133cdf61e70004c805d Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 4 May 2021 13:18:11 +0200
Subject: [PATCH] json: Simplify non-tcpopt exthdr printing a bit
This was just duplicate code apart from the object's name.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit fd81d3ec3ae8b8d1d54a708d63b2dab2c8508c90)
---
src/json.c | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/src/json.c b/src/json.c
index 1fb5015124e16..6607d83f4e8f8 100644
--- a/src/json.c
+++ b/src/json.c
@@ -696,21 +696,17 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)
return json_pack("{s:o}", "tcp option", root);
}
- if (expr->exthdr.op == NFT_EXTHDR_OP_IPV4) {
- root = json_pack("{s:s}", "name", desc);
- if (!is_exists)
- json_object_set_new(root, "field", json_string(field));
-
- return json_pack("{s:o}", "ip option", root);
- }
-
- root = json_pack("{s:s}",
- "name", desc);
+ root = json_pack("{s:s}", "name", desc);
if (!is_exists)
json_object_set_new(root, "field", json_string(field));
- return json_pack("{s:o}", "exthdr", root);
+ switch (expr->exthdr.op) {
+ case NFT_EXTHDR_OP_IPV4:
+ return json_pack("{s:o}", "ip option", root);
+ default:
+ return json_pack("{s:o}", "exthdr", root);
+ }
}
json_t *verdict_expr_json(const struct expr *expr, struct output_ctx *octx)
--
2.33.0

167
0022-scanner-introduce-start-condition-stack.patch
View File

@ -1,167 +0,0 @@
From 80f3c19bc1b989ab7ba2b917193e8bd3f998ba39 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Mon, 8 Mar 2021 18:18:33 +0100
Subject: [PATCH] scanner: introduce start condition stack
Add a small initial chunk of flex start conditionals.
This starts with two low-hanging fruits, numgen and j/symhash.
NUMGEN and HASH start conditions are entered from flex when
the corresponding expression token is encountered.
Flex returns to the INIT condition when the bison parser
has seen a complete numgen/hash statement.
This intentionally uses a stack rather than BEGIN()
to eventually support nested states.
The scanner_pop_start_cond() function argument is not used yet, but
will need to be used later to deal with nesting.
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 5896772fe3c5f01696188ea04957a825ee601b12)
---
include/parser.h | 8 ++++++++
src/parser_bison.y | 11 +++++++----
src/scanner.l | 36 +++++++++++++++++++++++++++++-------
3 files changed, 44 insertions(+), 11 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 9baa3a4db789f..b2ebd7aa226c5 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -26,6 +26,12 @@ struct parser_state {
struct list_head *cmds;
};
+enum startcond_type {
+ PARSER_SC_BEGIN,
+ PARSER_SC_EXPR_HASH,
+ PARSER_SC_EXPR_NUMGEN,
+};
+
struct mnl_socket;
extern void parser_init(struct nft_ctx *nft, struct parser_state *state,
@@ -45,4 +51,6 @@ extern void scanner_push_buffer(void *scanner,
const struct input_descriptor *indesc,
const char *buffer);
+extern void scanner_pop_start_cond(void *scanner, enum startcond_type sc);
+
#endif /* NFTABLES_PARSER_H */
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 8644f66106496..da3fafcd1eeb1 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -857,6 +857,9 @@ opt_newline : NEWLINE
| /* empty */
;
+close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+
common_block : INCLUDE QUOTED_STRING stmt_separator
{
if (scanner_include_file(nft, scanner, $2, &@$) < 0) {
@@ -4811,7 +4814,7 @@ numgen_type : INC { $$ = NFT_NG_INCREMENTAL; }
| RANDOM { $$ = NFT_NG_RANDOM; }
;
-numgen_expr : NUMGEN numgen_type MOD NUM offset_opt
+numgen_expr : NUMGEN numgen_type MOD NUM offset_opt close_scope_numgen
{
$$ = numgen_expr_alloc(&@$, $2, $4, $5);
}
@@ -4868,17 +4871,17 @@ xfrm_expr : IPSEC xfrm_dir xfrm_spnum xfrm_state_key
}
;
-hash_expr : JHASH expr MOD NUM SEED NUM offset_opt
+hash_expr : JHASH expr MOD NUM SEED NUM offset_opt close_scope_hash
{
$$ = hash_expr_alloc(&@$, $4, true, $6, $7, NFT_HASH_JENKINS);
$$->hash.expr = $2;
}
- | JHASH expr MOD NUM offset_opt
+ | JHASH expr MOD NUM offset_opt close_scope_hash
{
$$ = hash_expr_alloc(&@$, $4, false, 0, $5, NFT_HASH_JENKINS);
$$->hash.expr = $2;
}
- | SYMHASH MOD NUM offset_opt
+ | SYMHASH MOD NUM offset_opt close_scope_hash
{
$$ = hash_expr_alloc(&@$, $3, false, 0, $4, NFT_HASH_SYM);
}
diff --git a/src/scanner.l b/src/scanner.l
index 8bde1fbe912d8..ec8f252fbc8c8 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -98,6 +98,8 @@ static void reset_pos(struct parser_state *state, struct location *loc)
state->indesc->column = 1;
}
+static void scanner_push_start_cond(void *scanner, enum startcond_type type);
+
#define YY_USER_ACTION { \
update_pos(yyget_extra(yyscanner), yylloc, yyleng); \
update_offset(yyget_extra(yyscanner), yylloc, yyleng); \
@@ -193,6 +195,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option yylineno
%option nodefault
%option warn
+%option stack
+%s SCANSTATE_EXPR_HASH
+%s SCANSTATE_EXPR_NUMGEN
%%
@@ -551,15 +556,21 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"state" { return STATE; }
"status" { return STATUS; }
-"numgen" { return NUMGEN; }
-"inc" { return INC; }
-"mod" { return MOD; }
-"offset" { return OFFSET; }
+"numgen" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_NUMGEN); return NUMGEN; }
+<SCANSTATE_EXPR_NUMGEN>{
+ "inc" { return INC; }
+}
-"jhash" { return JHASH; }
-"symhash" { return SYMHASH; }
-"seed" { return SEED; }
+"jhash" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return JHASH; }
+"symhash" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_HASH); return SYMHASH; }
+<SCANSTATE_EXPR_HASH>{
+ "seed" { return SEED; }
+}
+<SCANSTATE_EXPR_HASH,SCANSTATE_EXPR_NUMGEN>{
+ "mod" { return MOD; }
+ "offset" { return OFFSET; }
+}
"dup" { return DUP; }
"fwd" { return FWD; }
@@ -973,3 +984,14 @@ void scanner_destroy(struct nft_ctx *nft)
input_descriptor_list_destroy(state);
yylex_destroy(nft->scanner);
}
+
+static void scanner_push_start_cond(void *scanner, enum startcond_type type)
+{
+ yy_push_state((int)type, scanner);
+}
+
+void scanner_pop_start_cond(void *scanner, enum startcond_type t)
+{
+ yy_pop_state(scanner);
+ (void)yy_top_state(scanner); /* suppress gcc warning wrt. unused function */
+}
--
2.33.0

93
0023-scanner-sctp-Move-to-own-scope.patch
View File

@ -1,93 +0,0 @@
From 5009b467a06a86f5dcc3218fb860cd81bc5e067f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 4 May 2021 13:06:32 +0200
Subject: [PATCH] scanner: sctp: Move to own scope
This isolates only "vtag" token for now.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 0925d7e214825628e7db4a86d5ebbad578ab0777)
Conflicts:
include/parser.h
src/parser_bison.y
src/scanner.l
-> Context changes due to missing other scopes.
---
include/parser.h | 1 +
src/parser_bison.y | 5 +++--
src/scanner.l | 8 ++++++--
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index b2ebd7aa226c5..4e7b4ef430966 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -28,6 +28,7 @@ struct parser_state {
enum startcond_type {
PARSER_SC_BEGIN,
+ PARSER_SC_SCTP,
PARSER_SC_EXPR_HASH,
PARSER_SC_EXPR_NUMGEN,
};
diff --git a/src/parser_bison.y b/src/parser_bison.y
index da3fafcd1eeb1..383908fa3742f 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -859,6 +859,7 @@ opt_newline : NEWLINE
close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
close_scope_numgen : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_NUMGEN); };
+close_scope_sctp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_SCTP); };
common_block : INCLUDE QUOTED_STRING stmt_separator
{
@@ -4620,7 +4621,7 @@ primary_rhs_expr : symbol_expr { $$ = $1; }
BYTEORDER_HOST_ENDIAN,
sizeof(data) * BITS_PER_BYTE, &data);
}
- | SCTP
+ | SCTP close_scope_sctp
{
uint8_t data = IPPROTO_SCTP;
$$ = constant_expr_alloc(&@$, &inet_protocol_type,
@@ -5345,7 +5346,7 @@ dccp_hdr_field : SPORT { $$ = DCCPHDR_SPORT; }
| TYPE { $$ = DCCPHDR_TYPE; }
;
-sctp_hdr_expr : SCTP sctp_hdr_field
+sctp_hdr_expr : SCTP sctp_hdr_field close_scope_sctp
{
$$ = payload_expr_alloc(&@$, &proto_sctp, $2);
}
diff --git a/src/scanner.l b/src/scanner.l
index ec8f252fbc8c8..c8e74e685f3d7 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -196,6 +196,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%option nodefault
%option warn
%option stack
+%s SCANSTATE_SCTP
%s SCANSTATE_EXPR_HASH
%s SCANSTATE_EXPR_NUMGEN
@@ -491,8 +492,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"dccp" { return DCCP; }
-"sctp" { return SCTP; }
-"vtag" { return VTAG; }
+"sctp" { scanner_push_start_cond(yyscanner, SCANSTATE_SCTP); return SCTP; }
+
+<SCANSTATE_SCTP>{
+ "vtag" { return VTAG; }
+}
"rt" { return RT; }
"rt0" { return RT0; }
--
2.33.0

1622
0024-exthdr-Implement-SCTP-Chunk-matching.patch
View File

File diff suppressed because it is too large Load Diff

29
0025-include-missing-sctp_chunk.h-in-Makefile.am.patch
View File

@ -1,29 +0,0 @@
From fe19063ce09d40ea94bf57c4af8b6c121aaf89e8 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 25 May 2021 14:04:36 +0200
Subject: [PATCH] include: missing sctp_chunk.h in Makefile.am
Fix make distcheck.
Fixes: 0e3871cfd9a1 ("exthdr: Implement SCTP Chunk matching")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 117ceb4f527119a6d44bf5e23f2ff7a8d116658a)
---
include/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/Makefile.am b/include/Makefile.am
index 42f24f35ce7a5..4cd907380ebaa 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -31,6 +31,7 @@ noinst_HEADERS = cli.h \
osf.h \
parser.h \
proto.h \
+ sctp_chunk.h \
socket.h \
rule.h \
rt.h \
--
2.33.0

41
0026-evaluate-fix-inet-nat-with-no-layer-3-info.patch
View File

@ -1,41 +0,0 @@
From 0c371aeab906b6e65c4c86174cbe2fbca02891d1 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 20 Jul 2021 18:59:44 +0200
Subject: [PATCH] evaluate: fix inet nat with no layer 3 info
nft currently reports:
Error: Could not process rule: Protocol error
add rule inet x y meta l4proto tcp dnat to :80
^^^^
default to NFPROTO_INET family, otherwise kernel bails out EPROTO when
trying to load the conntrack helper.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 9a36033ce50638a403d1421935cdd1287ee5de6b)
---
src/evaluate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index bba685af720ed..73d6fd0e89bc2 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2896,9 +2896,10 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt)
stmt->nat.family = ctx->pctx.family;
return 0;
case NFPROTO_INET:
- if (!stmt->nat.addr)
+ if (!stmt->nat.addr) {
+ stmt->nat.family = NFPROTO_INET;
return 0;
-
+ }
if (stmt->nat.family != NFPROTO_UNSPEC)
return 0;
--
2.34.1

75
0027-tests-py-add-dnat-to-port-without-defining-destinati.patch
View File

@ -1,75 +0,0 @@
From 00d3745306aa87eeb2466dbb5e6958225de3354f Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 22 Jul 2021 17:43:56 +0200
Subject: [PATCH] tests: py: add dnat to port without defining destination
address
Add a test to cover dnat to port without destination address.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 0f27e258b37a592233d6ad5381cd1fae65e57514)
---
tests/py/inet/dnat.t | 1 +
tests/py/inet/dnat.t.json | 20 ++++++++++++++++++++
tests/py/inet/dnat.t.payload | 7 +++++++
3 files changed, 28 insertions(+)
diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
index b460af3925570..e4e169f2bc3ec 100644
--- a/tests/py/inet/dnat.t
+++ b/tests/py/inet/dnat.t
@@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok
iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok
iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok
+meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80
dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok
dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
index 1b8aba6297d36..c341a0455fea1 100644
--- a/tests/py/inet/dnat.t.json
+++ b/tests/py/inet/dnat.t.json
@@ -219,3 +219,23 @@
}
]
+# meta l4proto tcp dnat to :80
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "dnat": {
+ "port": 80
+ }
+ }
+]
+
diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
index a741b9cbdb8d7..be5baf8fd4b47 100644
--- a/tests/py/inet/dnat.t.payload
+++ b/tests/py/inet/dnat.t.payload
@@ -77,3 +77,10 @@ inet
[ immediate reg 2 0x00005000 ]
[ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ]
+# meta l4proto tcp dnat to :80
+inet
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x00005000 ]
+ [ nat dnat inet proto_min reg 1 flags 0x2 ]
+
--
2.34.1

36
0028-evaluate-pick-data-element-byte-order-not-dtype-one.patch
View File

@ -1,36 +0,0 @@
From d5525024223f324c71edb9135f1938745d45acee Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 3 Feb 2021 17:57:06 +0100
Subject: [PATCH] evaluate: pick data element byte order, not dtype one
Some expressions have integer base type, not a specific one, e.g. 'ct zone'.
In that case nft used the wrong byte order.
Without this, nft adds
elements = { "eth0" : 256, "eth1" : 512, "veth4" : 256 }
instead of 1, 2, 3.
This is not a 'display bug', the added elements have wrong byte order.
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 84b1d078e86dea25c93e15c3e5a3160bbf77e4e7)
---
src/evaluate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 73d6fd0e89bc2..0543190fe777a 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1583,7 +1583,7 @@ static int expr_evaluate_mapping(struct eval_ctx *ctx, struct expr **expr)
else
datalen = set->data->len;
- expr_set_context(&ctx->ectx, set->data->dtype, datalen);
+ __expr_set_context(&ctx->ectx, set->data->dtype, set->data->byteorder, datalen, 0);
} else {
assert((set->flags & NFT_SET_MAP) == 0);
}
--
2.34.1

53
nftables.spec
View File

@ -1,6 +1,6 @@
Name: nftables
Version: 0.9.8
Release: 12%{?dist}
Version: 1.0.4
Release: 1%{?dist}
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
Epoch: 1
Summary: Netfilter Tables userspace utillites
@ -14,49 +14,20 @@ Source3: main.nft
Source4: router.nft
Source5: nat.nft
Patch01: 0001-payload-check-icmp-dependency-before-removing-previo.patch
Patch02: 0002-tests-add-icmp-6-test-where-dependency-should-be-lef.patch
Patch03: 0003-main-fix-nft-help-output-fallout-from-719e4427.patch
Patch04: 0004-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch
Patch05: 0005-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch
Patch06: 0006-evaluate-Mark-fall-through-case-in-str2hooknum.patch
Patch07: 0007-json-Drop-pointless-assignment-in-exthdr_expr_json.patch
Patch08: 0008-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
Patch09: 0009-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
Patch10: 0010-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
Patch11: 0011-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
Patch12: 0012-netlink_delinearize-Fix-suspicious-calloc-call.patch
Patch13: 0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch
Patch14: 0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch
Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch
Patch16: 0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
Patch18: 0018-doc-nft.8-Extend-monitor-description-by-trace.patch
Patch19: 0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
Patch20: 0020-tests-shell-better-parameters-for-the-interval-stack.patch
Patch21: 0021-json-Simplify-non-tcpopt-exthdr-printing-a-bit.patch
Patch22: 0022-scanner-introduce-start-condition-stack.patch
Patch23: 0023-scanner-sctp-Move-to-own-scope.patch
Patch24: 0024-exthdr-Implement-SCTP-Chunk-matching.patch
Patch25: 0025-include-missing-sctp_chunk.h-in-Makefile.am.patch
Patch26: 0026-evaluate-fix-inet-nat-with-no-layer-3-info.patch
Patch27: 0027-tests-py-add-dnat-to-port-without-defining-destinati.patch
Patch28: 0028-evaluate-pick-data-element-byte-order-not-dtype-one.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: make
BuildRequires: gcc
BuildRequires: gcc
BuildRequires: flex
BuildRequires: bison
BuildRequires: libmnl-devel
BuildRequires: pkgconfig(libmnl) >= 1.0.4
BuildRequires: gmp-devel
BuildRequires: readline-devel
BuildRequires: libnftnl-devel
BuildRequires: pkgconfig(libnftnl) >= 1.2.2
BuildRequires: systemd
BuildRequires: asciidoc
BuildRequires: iptables-devel
BuildRequires: pkgconfig(xtables) >= 1.6.1
BuildRequires: jansson-devel
BuildRequires: python3-devel
@ -86,7 +57,7 @@ The nftables python module provides an interface to libnftables via ctypes.
autoreconf -fi
rm -Rf autom4te*.cache config.h.in~
%configure --disable-silent-rules --with-xtables --with-json \
--enable-python --with-python-bin=%{__python3}
--enable-python --with-python-bin=%{__python3} --with-cli=readline
%make_build
%install
@ -104,7 +75,7 @@ cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
rm $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*.nft
rm $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft
cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
$RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
@ -151,6 +122,14 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
%{python3_sitelib}/nftables/
%changelog
* Thu Jun 09 2022 Phil Sutter <psutter@redhat.com> - 1:1.0.4-1
- Review package dependencies
- new version 1.0.4
* Tue Mar 01 2022 Phil Sutter <psutter@redhat.com> - 1:0.9.8-13
- tests: extend dtype test case to cover expression with integer type
- evaluate: set evaluation context for set elements
* Fri Jan 14 2022 Phil Sutter <psutter@redhat.com> - 1:0.9.8-12
- evaluate: pick data element byte order, not dtype one

2
sources
View File

@ -1 +1 @@
SHA512 (nftables-0.9.8.tar.bz2) = 1c5709825c8b2c13cbed0310658959ecee164c930bc9e2447618a0894598138b9a549d20509c32a5c23ce99e40438df38f9e170cf656ce993d819f365490a180
SHA512 (nftables-1.0.4.tar.bz2) = 7d96c791365d399b3b930a1f9d6c6aa4a8c2180c258bb5163d9d62ea4d094857e2ebb20fc3ef13b89f449f216d0a291d3bcf288704f1e3bd3ceb51b6cadf8215