Update to 1.1.1. Fixes rhbz#2024594

2021-11-28 12:13:54 -08:00 · 2021-11-28 12:13:54 -08:00 · b959ca7975
commit b959ca7975
parent 5a6a5816e7
3 changed files with 137 additions and 0 deletions
--- a/nftables-1.0.1-drop-historyh.patch
+++ b/nftables-1.0.1-drop-historyh.patch
@ -0,0 +1,29 @@
 From 3847fccf004525ceb97db6fbc681835b0ac9a61a Mon Sep 17 00:00:00 2001
 From: Pablo Neira Ayuso <pablo@netfilter.org>
 Date: Mon, 22 Nov 2021 18:01:52 +0100
 Subject: cli: remove #include <editline/history.h>
 This header is not required to compile nftables with editline, remove
 it, this unbreak compilation in several distros which have no symlink
 from history.h to editline.h
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 src/cli.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/cli.c b/src/cli.c
 index 4845e5cf..87291766 100644
 --- a/src/cli.c
 +++ b/src/cli.c
@@ -26,7 +26,6 @@
 #include <readline/history.h>
 #elif defined(HAVE_LIBEDIT)
 #include <editline/readline.h>
 -#include <editline/history.h>
 #else
 #include <linenoise.h>
 #endif
 -- 
 cgit v1.2.3
--- a/nftables-1.0.1-fix-terse.patch
+++ b/nftables-1.0.1-fix-terse.patch
@ -0,0 +1,101 @@
 From 8492878961248b4b53fa97383c7c1b15d7062947 Mon Sep 17 00:00:00 2001
 From: Pablo Neira Ayuso <pablo@netfilter.org>
 Date: Thu, 18 Nov 2021 17:25:36 +0100
 Subject: cache: do not skip populating anonymous set with -t
 --terse does not apply to anonymous set, add a NFT_CACHE_TERSE bit
 to skip named sets only.
 Moreover, prioritize specific listing filter over --terse to avoid a
 bogus:
  netlink: Error: Unknown set '__set0' in lookup expression
 when invoking:
  # nft -ta list set inet filter example
 Extend existing test to improve coverage.
 Fixes: 9628d52e46ac ("cache: disable NFT_CACHE_SETELEM_BIT on --terse listing only")
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 ---
 include/cache.h                           |  1 +
 src/cache.c                               | 11 +++++++----
 tests/shell/testcases/listing/0022terse_0 |  4 ++--
 3 files changed, 10 insertions(+), 6 deletions(-)
 diff --git a/include/cache.h b/include/cache.h
 index e5c509e8..3a9a5e81 100644
 --- a/include/cache.h
 +++ b/include/cache.h
@@ -32,6 +32,7 @@ enum cache_level_flags {
 				  NFT_CACHE_CHAIN_BIT |
 				  NFT_CACHE_RULE_BIT,
 	NFT_CACHE_FULL		= __NFT_CACHE_MAX_BIT - 1,
 +	NFT_CACHE_TERSE		= (1 << 27),
 	NFT_CACHE_SETELEM_MAYBE	= (1 << 28),
 	NFT_CACHE_REFRESH	= (1 << 29),
 	NFT_CACHE_UPDATE	= (1 << 30),
 diff --git a/src/cache.c b/src/cache.c
 index fe31e3f0..6d20716d 100644
 --- a/src/cache.c
 +++ b/src/cache.c
@@ -215,10 +215,10 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 			filter->list.table = cmd->handle.table.name;
 			filter->list.set = cmd->handle.set.name;
 		}
 -		if (nft_output_terse(&nft->output))
 -			flags |= (NFT_CACHE_FULL & ~NFT_CACHE_SETELEM_BIT);
 -		else if (filter->list.table && filter->list.set)
 +		if (filter->list.table && filter->list.set)
 			flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | NFT_CACHE_SETELEM;
 +		else if (nft_output_terse(&nft->output))
 +			flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
 		else
 			flags |= NFT_CACHE_FULL;
 		break;
@@ -234,7 +234,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 		break;
 	case CMD_OBJ_RULESET:
 		if (nft_output_terse(&nft->output))
 -			flags |= (NFT_CACHE_FULL & ~NFT_CACHE_SETELEM_BIT);
 +			flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
 		else
 			flags |= NFT_CACHE_FULL;
 		break;
@@ -830,6 +830,9 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
 			list_for_each_entry(set, &table->set_cache.list, cache.list) {
 				if (cache_filter_find(filter, &set->handle))
 					continue;
 +				if (!set_is_anonymous(set->flags) &&
 +				    flags & NFT_CACHE_TERSE)
 +					continue;
 				ret = netlink_list_setelems(ctx, &set->handle,
 							    set);
 diff --git a/tests/shell/testcases/listing/0022terse_0 b/tests/shell/testcases/listing/0022terse_0
 index 14d31875..4841771c 100755
 --- a/tests/shell/testcases/listing/0022terse_0
 +++ b/tests/shell/testcases/listing/0022terse_0
@@ -9,7 +9,7 @@ RULESET="table inet filter {
 	chain input {
 		type filter hook prerouting priority filter; policy accept;
 -		ip saddr @example drop
 +		ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
 	}
 }"
@@ -31,7 +31,7 @@ EXPECTED="table inet filter {
 	chain input {
 		type filter hook prerouting priority filter; policy accept;
 -		ip saddr @example drop
 +		ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
 	}
 }"
 -- 
 cgit v1.2.3
--- a/nftables.spec
+++ b/nftables.spec
@ -11,6 +11,11 @@ Source0:        %{url}/files/%{name}-%{version}.tar.bz2
 Source1:        nftables.service
 Source2:        nftables.conf
 # already upstream at https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947
 Patch1:         nftables-1.0.1-drop-historyh.patch
 # already upstream at https://git.netfilter.org/nftables/commit/?id=3847fccf004525ceb97db6fbc681835b0ac9a61a
 Patch2:         nftables-1.0.1-fix-terse.patch
 #BuildRequires: autogen
 #BuildRequires: autoconf
 #BuildRequires: automake
@ -28,6 +33,8 @@ BuildRequires: asciidoc
 BuildRequires: iptables-devel
 BuildRequires: jansson-devel
 BuildRequires: python3-devel
 BuildRequires: readline-devel
 BuildRequires: libedit-devel
 %description
 Netfilter Tables userspace utilities.