import nftables-0.9.3-12.el8_2.1
This commit is contained in:
parent
dda3b7ced2
commit
9a8bfb4ad4
47
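--- a/SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch
+++ b/SOURCES/0022-include-Resync-nf_tables.h-cache-copy.patch
@@ -0,0 +1,47 @@
+From aa456490794b5498ef9429481bb0f7ae6b3650ac Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Sat, 8 Aug 2020 00:09:06 +0200
+Subject: [PATCH] include: Resync nf_tables.h cache copy
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532
+Upstream Status: nftables commit f1e5a0499c077
+
+commit f1e5a0499c0773f18bc592dd0da0340120daa482
+Author: Stefano Brivio <sbrivio@redhat.com>
+Date: Mon Apr 13 21:48:02 2020 +0200
+
+include: Resync nf_tables.h cache copy
+
+Get this header in sync with nf.git as of commit ef516e8625dd.
+
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+include/linux/netfilter/nf_tables.h | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 1a99df3348b5c..9b54a86bc5169 100644
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -274,6 +274,7 @@ enum nft_rule_compat_attributes {
+* @NFT_SET_TIMEOUT: set uses timeouts
+* @NFT_SET_EVAL: set can be updated from the evaluation path
+* @NFT_SET_OBJECT: set contains stateful objects
++ * @NFT_SET_CONCAT: set contains a concatenation
+*/
+enum nft_set_flags {
+NFT_SET_ANONYMOUS = 0x1,
+@@ -283,6 +284,7 @@ enum nft_set_flags {
+NFT_SET_TIMEOUT = 0x10,
+NFT_SET_EVAL = 0x20,
+NFT_SET_OBJECT = 0x40,
++ NFT_SET_CONCAT = 0x80,
+};
+
+/**
+--
+2.27.0
+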
@ -0,0 +1,74 @@
|
|||||||
|
From c69d7c3c5c1805e41f679487310044f518859214 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Sat, 8 Aug 2020 00:05:48 +0200
|
||||||
|
Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated
|
||||||
|
ranges
|
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1854532
|
||||||
|
Upstream Status: nftables commit 09441b5e92cee
|
||||||
|
|
||||||
|
commit 09441b5e92ceea60198a35cd657904fa7a10ee54
|
||||||
|
Author: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
Date: Mon Apr 13 21:48:03 2020 +0200
|
||||||
|
|
||||||
|
src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
|
||||||
|
|
||||||
|
Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support
|
||||||
|
for concatenated set ranges"), crashes with older kernels (< 5.6)
|
||||||
|
without support for concatenated set ranges: those sets will be sent
|
||||||
|
to the kernel, which adds them without notion of the fact that
|
||||||
|
different concatenated fields are actually included, and nft crashes
|
||||||
|
while trying to list this kind of malformed concatenation.
|
||||||
|
|
||||||
|
Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd
|
||||||
|
("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when
|
||||||
|
sets including concatenated ranges are sent to the kernel, so that
|
||||||
|
older kernels (with no knowledge of this flag itself) will refuse set
|
||||||
|
creation.
|
||||||
|
|
||||||
|
Note that, in expr_evaluate_set(), we have to check for the presence
|
||||||
|
of the flag, also on empty sets that might carry it in context data,
|
||||||
|
and actually set it in the actual set flags.
|
||||||
|
|
||||||
|
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
src/evaluate.c | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/evaluate.c b/src/evaluate.c
|
||||||
|
index 0c848166409f4..f66251b41c058 100644
|
||||||
|
--- a/src/evaluate.c
|
||||||
|
+++ b/src/evaluate.c
|
||||||
|
@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
|
||||||
|
set->size += i->size - 1;
|
||||||
|
set->set_flags |= i->set_flags;
|
||||||
|
expr_free(i);
|
||||||
|
- } else if (!expr_is_singleton(i))
|
||||||
|
+ } else if (!expr_is_singleton(i)) {
|
||||||
|
set->set_flags |= NFT_SET_INTERVAL;
|
||||||
|
+ if (i->key->etype == EXPR_CONCAT)
|
||||||
|
+ set->set_flags |= NFT_SET_CONCAT;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT))
|
||||||
|
+ set->set_flags |= NFT_SET_CONCAT;
|
||||||
|
+
|
||||||
|
set->set_flags |= NFT_SET_CONSTANT;
|
||||||
|
|
||||||
|
datatype_set(set, ctx->ectx.dtype);
|
||||||
|
@@ -3336,6 +3342,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
|
||||||
|
memcpy(&set->desc.field_len, &set->key->field_len,
|
||||||
|
sizeof(set->desc.field_len));
|
||||||
|
set->desc.field_count = set->key->field_count;
|
||||||
|
+ set->flags |= NFT_SET_CONCAT;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (set_is_datamap(set->flags)) {
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -1,5 +1,5 @@
|
|||||||
%define rpmversion 0.9.3
|
%define rpmversion 0.9.3
|
||||||
%define specrelease 12%{?dist}
|
%define specrelease 12%{?dist}.1
|
||||||
|
|
||||||
Name: nftables
|
Name: nftables
|
||||||
Version: %{rpmversion}
|
Version: %{rpmversion}
|
||||||
@ -38,6 +38,8 @@ Patch18: 0018-parser-add-a-helper-for-concat-expression-handling.patc
|
|||||||
Patch19: 0019-include-resync-nf_tables.h-cache-copy.patch
|
Patch19: 0019-include-resync-nf_tables.h-cache-copy.patch
|
||||||
Patch20: 0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch
|
Patch20: 0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch
|
||||||
Patch21: 0021-src-Add-support-for-concatenated-set-ranges.patch
|
Patch21: 0021-src-Add-support-for-concatenated-set-ranges.patch
|
||||||
|
Patch22: 0022-include-Resync-nf_tables.h-cache-copy.patch
|
||||||
|
Patch23: 0023-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
|
||||||
|
|
||||||
BuildRequires: autogen
|
BuildRequires: autogen
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
@ -154,6 +156,10 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
|
|||||||
%{python3_sitelib}/nftables/
|
%{python3_sitelib}/nftables/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 20 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8.1]
|
||||||
|
- src: Set NFT_SET_CONCAT flag for sets with concatenated ranges (Phil Sutter) [1854532]
|
||||||
|
- include: Resync nf_tables.h cache copy (Phil Sutter) [1854532]
|
||||||
|
|
||||||
* Thu Mar 26 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8]
|
* Thu Mar 26 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8]
|
||||||
- Restore default config to be empty (Phil Sutter) [1694723]
|
- Restore default config to be empty (Phil Sutter) [1694723]
|
||||||
|
|
||||||
|
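Review bot: The release tag in the new changelog entry `* Thu Aug 20 2020 Phil Sutter <psutter@redhat.com> [0.9.3-12.el8.1]` does not match the release this spec now builds: `%define specrelease 12%{?dist}.1` yields 0.9.3-12.el8_2.1 if the dist tag is el8_2, which is what the commit title `import nftables-0.9.3-12.el8_2.1` suggests. The entry should then read `[0.9.3-12.el8_2.1]` so the changelog EVR agrees with the package EVR that tooling and audits compare against. The file header for this section is not shown on the page, so I am assuming these lines belong to the nftables spec file.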