nftables-1.1.1-9.el10

* Tue Nov 04 2025 Phil Sutter <psutter@redhat.com> [1.1.1-9.el10]
- fib: Fix for existence check on Big Endian (Phil Sutter) [RHEL-113851]
Resolves: RHEL-113851

0021-fib-Fix-for-existence-check-on-Big-Endian.patch

@@ -0,0 +1,67 @@
+From 5dafd1cfd00116d0c6f289a0dc32b8a10d7c4c06 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 4 Nov 2025 16:20:14 +0100
+Subject: [PATCH] fib: Fix for existence check on Big Endian
+
+JIRA: https://issues.redhat.com/browse/RHEL-113851
+Upstream Status: nftables commit 98e51e687616a4b54efa3b723917c292e3acc380
+
+commit 98e51e687616a4b54efa3b723917c292e3acc380
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Tue Sep 9 22:27:19 2025 +0200
+
+    fib: Fix for existence check on Big Endian
+
+    Adjust the expression size to 1B so cmp expression value is correct.
+    Without this, the rule 'fib saddr . iif check exists' generates
+    following byte code on BE:
+
+    |  [ fib saddr . iif oif present => reg 1 ]
+    |  [ cmp eq reg 1 0x00000001 ]
+
+    Though with NFTA_FIB_F_PRESENT flag set, nft_fib.ko writes to the first
+    byte of reg 1 only (using nft_reg_store8()). With this patch in place,
+    byte code is correct:
+
+    |  [ fib saddr . iif oif present => reg 1 ]
+    |  [ cmp eq reg 1 0x01000000 ]
+
+    Fixes: f686a17eafa0b ("fib: Support existence check")
+    Cc: Yi Chen <yiche@redhat.com>
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/evaluate.c | 1 +
+ src/fib.c      | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index c9cbaa6..474dc64 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -2795,6 +2795,7 @@ static int expr_evaluate_fib(struct eval_ctx *ctx, struct expr **exprp)
+ 	if (expr->flags & EXPR_F_BOOLEAN) {
+ 		expr->fib.flags |= NFTA_FIB_F_PRESENT;
+ 		datatype_set(expr, &boolean_type);
++		expr->len = BITS_PER_BYTE;
+ 	}
+ 	return expr_evaluate_primary(ctx, exprp);
+ }
+diff --git a/src/fib.c b/src/fib.c
+index e95271c..0749007 100644
+--- a/src/fib.c
++++ b/src/fib.c
+@@ -189,8 +189,10 @@ struct expr *fib_expr_alloc(const struct location *loc,
+ 		BUG("Unknown result %d\n", result);
+ 	}
+ 
+-	if (flags & NFTA_FIB_F_PRESENT)
++	if (flags & NFTA_FIB_F_PRESENT) {
+ 		type = &boolean_type;
++		len = BITS_PER_BYTE;
++	}
+ 
+ 	expr = expr_alloc(loc, EXPR_FIB, type,
+ 			  BYTEORDER_HOST_ENDIAN, len);

nftables.spec

@@ -1,6 +1,6 @@
 Name:           nftables
 Version:        1.1.1
-Release:        8%{?dist}
+Release:        9%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch:          1
 Summary:        Netfilter Tables userspace utilities
@@ -36,6 +36,7 @@ Patch17:            0017-trace-Fix-for-memleak-in-trace_alloc_list-error-path.pa
 Patch18:            0018-doc-nft.8-Minor-NAT-STATEMENTS-section-review.patch
 Patch19:            0019-table-Embed-creating-nft-version-into-userdata.patch
 Patch20:            0020-Makefile-Fix-for-make-CFLAGS.patch
+Patch21:            0021-fib-Fix-for-existence-check-on-Big-Endian.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -150,6 +151,9 @@ cd py/
 %files -n python3-nftables -f %{pyproject_files}
 
 %changelog
+* Tue Nov 04 2025 Phil Sutter <psutter@redhat.com> [1.1.1-9.el10]
+- fib: Fix for existence check on Big Endian (Phil Sutter) [RHEL-113851]
+
 * Fri Oct 31 2025 Phil Sutter <psutter@redhat.com> [1.1.1-8.el10]
 - Bump revision for a side-tag build (Phil Sutter) [RHEL-125122]