import nftables-0.9.3-12.el8_2.1

SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch

@@ -0,0 +1,47 @@
+From aa456490794b5498ef9429481bb0f7ae6b3650ac Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Sat, 8 Aug 2020 00:09:06 +0200
+Subject: [PATCH] include: Resync nf_tables.h cache copy
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532
+Upstream Status: nftables commit f1e5a0499c077
+
+commit f1e5a0499c0773f18bc592dd0da0340120daa482
+Author: Stefano Brivio <sbrivio@redhat.com>
+Date:   Mon Apr 13 21:48:02 2020 +0200
+
+    include: Resync nf_tables.h cache copy
+
+    Get this header in sync with nf.git as of commit ef516e8625dd.
+
+    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ include/linux/netfilter/nf_tables.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 1a99df3348b5c..9b54a86bc5169 100644
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -274,6 +274,7 @@ enum nft_rule_compat_attributes {
+  * @NFT_SET_TIMEOUT: set uses timeouts
+  * @NFT_SET_EVAL: set can be updated from the evaluation path
+  * @NFT_SET_OBJECT: set contains stateful objects
++ * @NFT_SET_CONCAT: set contains a concatenation
+  */
+ enum nft_set_flags {
+ 	NFT_SET_ANONYMOUS		= 0x1,
+@@ -283,6 +284,7 @@ enum nft_set_flags {
+ 	NFT_SET_TIMEOUT			= 0x10,
+ 	NFT_SET_EVAL			= 0x20,
+ 	NFT_SET_OBJECT			= 0x40,
++	NFT_SET_CONCAT			= 0x80,
+ };
+ 
+ /**
+-- 
+2.27.0
+

SOURCES/0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch

@@ -0,0 +1,74 @@
+From c69d7c3c5c1805e41f679487310044f518859214 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Sat, 8 Aug 2020 00:05:48 +0200
+Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated
+ ranges
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532
+Upstream Status: nftables commit 09441b5e92cee
+
+commit 09441b5e92ceea60198a35cd657904fa7a10ee54
+Author: Stefano Brivio <sbrivio@redhat.com>
+Date:   Mon Apr 13 21:48:03 2020 +0200
+
+    src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
+
+    Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support
+    for concatenated set ranges"), crashes with older kernels (< 5.6)
+    without support for concatenated set ranges: those sets will be sent
+    to the kernel, which adds them without notion of the fact that
+    different concatenated fields are actually included, and nft crashes
+    while trying to list this kind of malformed concatenation.
+
+    Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd
+    ("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when
+    sets including concatenated ranges are sent to the kernel, so that
+    older kernels (with no knowledge of this flag itself) will refuse set
+    creation.
+
+    Note that, in expr_evaluate_set(), we have to check for the presence
+    of the flag, also on empty sets that might carry it in context data,
+    and actually set it in the actual set flags.
+
+    Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
+    Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/evaluate.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 0c848166409f4..f66251b41c058 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
+ 			set->size      += i->size - 1;
+ 			set->set_flags |= i->set_flags;
+ 			expr_free(i);
+-		} else if (!expr_is_singleton(i))
++		} else if (!expr_is_singleton(i)) {
+ 			set->set_flags |= NFT_SET_INTERVAL;
++			if (i->key->etype == EXPR_CONCAT)
++				set->set_flags |= NFT_SET_CONCAT;
++		}
+ 	}
+ 
++	if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT))
++		set->set_flags |= NFT_SET_CONCAT;
++
+ 	set->set_flags |= NFT_SET_CONSTANT;
+ 
+ 	datatype_set(set, ctx->ectx.dtype);
+@@ -3336,6 +3342,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
+ 		memcpy(&set->desc.field_len, &set->key->field_len,
+ 		       sizeof(set->desc.field_len));
+ 		set->desc.field_count = set->key->field_count;
++		set->flags |= NFT_SET_CONCAT;
+ 	}
+ 
+ 	if (set_is_datamap(set->flags)) {
+-- 
+2.27.0
+

SPECS/nftables.spec

@@ -1,5 +1,5 @@
 %define rpmversion 0.9.3
-%define specrelease 12%{?dist}
+%define specrelease 12%{?dist}.1
 
 Name:           nftables
 Version:        %{rpmversion}
@@ -38,6 +38,8 @@ Patch18:            0018-parser-add-a-helper-for-concat-expression-handling.patc
 Patch19:            0019-include-resync-nf_tables.h-cache-copy.patch
 Patch20:            0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch
 Patch21:            0021-src-Add-support-for-concatenated-set-ranges.patch
+Patch22:            0022-include-Resync-nf_tables.h-cache-copy.patch
+Patch23:            0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
 
 BuildRequires: autogen
 BuildRequires: autoconf
@@ -154,6 +156,10 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 
 %changelog
+* Thu Aug 20 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8.1]
+- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1854532]
+- include: Resync nf_tables.h cache copy (Phil Sutter) [1854532]
+
 * Thu Mar 26 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8]
 - Restore default config to be empty (Phil Sutter) [1694723]