From c5a54bc4d2474fbec0436f60412e997faf19d8ae Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 4 Nov 2025 16:29:36 +0100
Subject: [PATCH] nftables-1.1.1-9.el10
* Tue Nov 04 2025 Phil Sutter [1.1.1-9.el10]
- fib: Fix for existence check on Big Endian (Phil Sutter) [RHEL-113851]
Resolves: RHEL-113851
---
...ix-for-existence-check-on-Big-Endian.patch | 67 +++++++++++++++++++
nftables.spec | 6 +-
2 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 0021-fib-Fix-for-existence-check-on-Big-Endian.patch
diff --git a/0021-fib-Fix-for-existence-check-on-Big-Endian.patch b/0021-fib-Fix-for-existence-check-on-Big-Endian.patch
new file mode 100644
index 0000000..4ee148d
--- /dev/null
+++ b/0021-fib-Fix-for-existence-check-on-Big-Endian.patch
@@ -0,0 +1,67 @@
+From 5dafd1cfd00116d0c6f289a0dc32b8a10d7c4c06 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 4 Nov 2025 16:20:14 +0100
+Subject: [PATCH] fib: Fix for existence check on Big Endian
+
+JIRA: https://issues.redhat.com/browse/RHEL-113851
+Upstream Status: nftables commit 98e51e687616a4b54efa3b723917c292e3acc380
+
+commit 98e51e687616a4b54efa3b723917c292e3acc380
+Author: Phil Sutter
+Date: Tue Sep 9 22:27:19 2025 +0200
+
+ fib: Fix for existence check on Big Endian
+
+ Adjust the expression size to 1B so cmp expression value is correct.
+ Without this, the rule 'fib saddr . iif check exists' generates
+ following byte code on BE:
+
+ | [ fib saddr . iif oif present => reg 1 ]
+ | [ cmp eq reg 1 0x00000001 ]
+
+ Though with NFTA_FIB_F_PRESENT flag set, nft_fib.ko writes to the first
+ byte of reg 1 only (using nft_reg_store8()). With this patch in place,
+ byte code is correct:
+
+ | [ fib saddr . iif oif present => reg 1 ]
+ | [ cmp eq reg 1 0x01000000 ]
+
+ Fixes: f686a17eafa0b ("fib: Support existence check")
+ Cc: Yi Chen
+ Signed-off-by: Phil Sutter
+ Reviewed-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ src/evaluate.c | 1 +
+ src/fib.c | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index c9cbaa6..474dc64 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -2795,6 +2795,7 @@ static int expr_evaluate_fib(struct eval_ctx *ctx, struct expr **exprp)
+ if (expr->flags & EXPR_F_BOOLEAN) {
+ expr->fib.flags |= NFTA_FIB_F_PRESENT;
+ datatype_set(expr, &boolean_type);
++ expr->len = BITS_PER_BYTE;
+ }
+ return expr_evaluate_primary(ctx, exprp);
+ }
+diff --git a/src/fib.c b/src/fib.c
+index e95271c..0749007 100644
+--- a/src/fib.c
++++ b/src/fib.c
+@@ -189,8 +189,10 @@ struct expr *fib_expr_alloc(const struct location *loc,
+ BUG("Unknown result %d\n", result);
+ }
+
+- if (flags & NFTA_FIB_F_PRESENT)
++ if (flags & NFTA_FIB_F_PRESENT) {
+ type = &boolean_type;
++ len = BITS_PER_BYTE;
++ }
+
+ expr = expr_alloc(loc, EXPR_FIB, type,
+ BYTEORDER_HOST_ENDIAN, len);
diff --git a/nftables.spec b/nftables.spec
index 7c07536..2da9831 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.1.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch: 1
 Summary: Netfilter Tables userspace utilities
@@ -36,6 +36,7 @@ Patch17: 0017-trace-Fix-for-memleak-in-trace_alloc_list-error-path.pa
 Patch18: 0018-doc-nft.8-Minor-NAT-STATEMENTS-section-review.patch
 Patch19: 0019-table-Embed-creating-nft-version-into-userdata.patch
 Patch20: 0020-Makefile-Fix-for-make-CFLAGS.patch
+Patch21: 0021-fib-Fix-for-existence-check-on-Big-Endian.patch
 BuildRequires: autoconf
 BuildRequires: automake
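Review bot: Neither of the two `BITS_PER_BYTE` assignments in the embedded patch (`expr->len = BITS_PER_BYTE;` in the src/evaluate.c hunk and `len = BITS_PER_BYTE;` in the src/fib.c hunk) carries a comment saying why a boolean fib result must be one byte wide, and the width is now set in two places that have to stay in agreement. Per the commit message, the kernel stores the presence result with nft_reg_store8(), so a wider compare on Big Endian looks at the wrong bytes and an `exists` check does not behave as the rule is written; that is worth recording next to the code, e.g. `/* NFTA_FIB_F_PRESENT: kernel writes one byte (nft_reg_store8()), keep the cmp 1 byte wide */`. The patch changes only the byte code nft generates, so rulesets loaded on Big Endian hosts by an earlier build presumably keep the old compare until they are reloaded; a line saying so in the changelog entry would help operators. Both function bodies extend beyond the hunks shown.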
@@ -150,6 +151,9 @@ cd py/ %files -n python3-nftables -f %{pyproject_files} %changelog +* Tue Nov 04 2025 Phil Sutter [1.1.1-9.el10] +- fib: Fix for existence check on Big Endian (Phil Sutter) [RHEL-113851] + * Fri Oct 31 2025 Phil Sutter [1.1.1-8.el10] - Bump revision for a side-tag build (Phil Sutter) [RHEL-125122]