From b959ca79751967441a6b41a157ea1cbb5bf9b64f Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sun, 28 Nov 2021 12:13:54 -0800
Subject: [PATCH] Update to 1.1.1. Fixes rhbz#2024594
---
 nftables-1.0.1-drop-historyh.patch | 29 +++++++++
 nftables-1.0.1-fix-terse.patch | 101 +++++++++++++++++++++++++++++
 nftables.spec | 7 ++
 3 files changed, 137 insertions(+)
 create mode 100644 nftables-1.0.1-drop-historyh.patch
 create mode 100644 nftables-1.0.1-fix-terse.patch
diff --git a/nftables-1.0.1-drop-historyh.patch b/nftables-1.0.1-drop-historyh.patch
new file mode 100644
index 0000000..e5bacca
--- /dev/null
+++ b/nftables-1.0.1-drop-historyh.patch
@@ -0,0 +1,29 @@
+From 3847fccf004525ceb97db6fbc681835b0ac9a61a Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 22 Nov 2021 18:01:52 +0100
+Subject: cli: remove #include
+
+This header is not required to compile nftables with editline, remove
+it, this unbreak compilation in several distros which have no symlink
+from history.h to editline.h
+
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/cli.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/cli.c b/src/cli.c
+index 4845e5cf..87291766 100644
+--- a/src/cli.c
++++ b/src/cli.c
+@@ -26,7 +26,6 @@
+ #include
+ #elif defined(HAVE_LIBEDIT)
+ #include
+-#include
+ #else
+ #include
+ #endif
+--
+cgit v1.2.3
+
diff --git a/nftables-1.0.1-fix-terse.patch b/nftables-1.0.1-fix-terse.patch
new file mode 100644
index 0000000..571f40b
--- /dev/null
+++ b/nftables-1.0.1-fix-terse.patch
@@ -0,0 +1,101 @@
+From 8492878961248b4b53fa97383c7c1b15d7062947 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 18 Nov 2021 17:25:36 +0100
+Subject: cache: do not skip populating anonymous set with -t
+
+--terse does not apply to anonymous set, add a NFT_CACHE_TERSE bit
+to skip named sets only.
+
+Moreover, prioritize specific listing filter over --terse to avoid a
+bogus:
+
+ netlink: Error: Unknown set '__set0' in lookup expression
+
+when invoking:
+
+ # nft -ta list set inet filter example
+
+Extend existing test to improve coverage.
+
+Fixes: 9628d52e46ac ("cache: disable NFT_CACHE_SETELEM_BIT on --terse listing only")
+Signed-off-by: Pablo Neira Ayuso
+---
+ include/cache.h | 1 +
+ src/cache.c | 11 +++++++----
+ tests/shell/testcases/listing/0022terse_0 | 4 ++--
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/include/cache.h b/include/cache.h
+index e5c509e8..3a9a5e81 100644
+--- a/include/cache.h
++++ b/include/cache.h
+@@ -32,6 +32,7 @@ enum cache_level_flags {
+ NFT_CACHE_CHAIN_BIT |
+ NFT_CACHE_RULE_BIT,
+ NFT_CACHE_FULL = __NFT_CACHE_MAX_BIT - 1,
++ NFT_CACHE_TERSE = (1 << 27),
+ NFT_CACHE_SETELEM_MAYBE = (1 << 28),
+ NFT_CACHE_REFRESH = (1 << 29),
+ NFT_CACHE_UPDATE = (1 << 30),
+diff --git a/src/cache.c b/src/cache.c
+index fe31e3f0..6d20716d 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -215,10 +215,10 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
+ filter->list.table = cmd->handle.table.name;
+ filter->list.set = cmd->handle.set.name;
+ }
+- if (nft_output_terse(&nft->output))
+- flags |= (NFT_CACHE_FULL & ~NFT_CACHE_SETELEM_BIT);
+- else if (filter->list.table && filter->list.set)
++ if (filter->list.table && filter->list.set)
+ flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | NFT_CACHE_SETELEM;
++ else if (nft_output_terse(&nft->output))
++ flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
+ else
+ flags |= NFT_CACHE_FULL;
+ break;
+@@ -234,7 +234,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
+ break;
+ case CMD_OBJ_RULESET:
+ if (nft_output_terse(&nft->output))
+- flags |= (NFT_CACHE_FULL & ~NFT_CACHE_SETELEM_BIT);
++ flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
+ else
+ flags |= NFT_CACHE_FULL;
+ break;
+@@ -830,6 +830,9 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
+ list_for_each_entry(set, &table->set_cache.list, cache.list) {
+ if (cache_filter_find(filter, &set->handle))
+ continue;
++ if (!set_is_anonymous(set->flags) &&
++ flags & NFT_CACHE_TERSE)
++ continue;
+
+ ret = netlink_list_setelems(ctx, &set->handle,
+ set);
+diff --git a/tests/shell/testcases/listing/0022terse_0 b/tests/shell/testcases/listing/0022terse_0
+index 14d31875..4841771c 100755
+--- a/tests/shell/testcases/listing/0022terse_0
++++ b/tests/shell/testcases/listing/0022terse_0
+@@ -9,7 +9,7 @@ RULESET="table inet filter {
+
+ chain input {
+ type filter hook prerouting priority filter; policy accept;
+- ip saddr @example drop
++ ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+ }
+ }"
+
+@@ -31,7 +31,7 @@ EXPECTED="table inet filter {
+
+ chain input {
+ type filter hook prerouting priority filter; policy accept;
+- ip saddr @example drop
++ ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
+ }
+ }"
+
+--
+cgit v1.2.3
+
diff --git a/nftables.spec b/nftables.spec
index 0d5fc3a..8688d87 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -11,6 +11,11 @@ Source0: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: nftables.service
 Source2: nftables.conf
+# already upstream at https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947
+Patch1: nftables-1.0.1-drop-historyh.patch
+# already upstream at https://git.netfilter.org/nftables/commit/?id=3847fccf004525ceb97db6fbc681835b0ac9a61a
+Patch2: nftables-1.0.1-fix-terse.patch
+
 #BuildRequires: autogen
 #BuildRequires: autoconf
 #BuildRequires: automake
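Review bot: The two `# already upstream at` comments point at each other's commit: the one above `Patch1: nftables-1.0.1-drop-historyh.patch` cites 8492878961248b4b53fa97383c7c1b15d7062947, yet the drop-historyh patch file added in this same commit begins `From 3847fccf004525ceb97db6fbc681835b0ac9a61a`, while the one above Patch2 cites 3847fccf… although the fix-terse file begins `From 8492878961248b4b53fa97383c7c1b15d7062947`. Swap the two URLs so each comment names the commit its patch actually carries: `# already upstream at https://git.netfilter.org/nftables/commit/?id=3847fccf004525ceb97db6fbc681835b0ac9a61a` above Patch1 and `# already upstream at https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947` above Patch2. These provenance pointers are what a later maintainer checks to decide when a backport can be dropped after a rebase, so the mismatch is more than cosmetic. Only the Patch tags are visible here; if %prep does not use %autosetup, matching %patch lines are still needed, which lies outside this hunk.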
@@ -28,6 +33,8 @@ BuildRequires: asciidoc
 BuildRequires: iptables-devel
 BuildRequires: jansson-devel
 BuildRequires: python3-devel
+BuildRequires: readline-devel
+BuildRequires: libedit-devel
 %description
 Netfilter Tables userspace utilities.
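Review bot: nftables' configure selects a single line-editing backend for the CLI (the `--with-cli` option), so pulling in both `readline-devel` and `libedit-devel` means one of them is either unused in the build root or silently changes what configure autodetects; the drop-historyh patch carried by this same commit fixes the editline (HAVE_LIBEDIT) build, which suggests libedit is the intended backend. Keep only the -devel package that matches the CLI chosen on the %configure line and drop the other. The %configure line is outside this hunk, so this is inferred from the patch set rather than from the build flags themselves.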