import nftables-0.9.3-26.el8
This commit is contained in:
		
							parent
							
								
									dee28686c1
								
							
						
					
					
						commit
						c642b18e0d
					
				| @ -0,0 +1,130 @@ | ||||
| From 2747cab9c49b570347c86ff59daec93a1432b0bc Mon Sep 17 00:00:00 2001 | ||||
| From: Phil Sutter <psutter@redhat.com> | ||||
| Date: Wed, 27 Apr 2022 14:37:00 +0200 | ||||
| Subject: [PATCH] mnl: do not use expr->identifier to fetch device name | ||||
| 
 | ||||
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2070924 | ||||
| Upstream Status: nftables commit 78bbe7f7a55be | ||||
| 
 | ||||
| commit 78bbe7f7a55be48909067e25900de27623d8fa6a | ||||
| Author: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| Date:   Wed Feb 19 21:05:26 2020 +0100 | ||||
| 
 | ||||
|     mnl: do not use expr->identifier to fetch device name | ||||
| 
 | ||||
|     This string might not be nul-terminated, resulting in spurious errors | ||||
|     when adding netdev chains. | ||||
| 
 | ||||
|     Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain") | ||||
|     Fixes: 92911b362e90 ("src: add support to add flowtables") | ||||
|     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| ---
 | ||||
|  src/mnl.c          | 33 +++++++++++++++++++++++++++++---- | ||||
|  src/parser_bison.y |  6 +++--- | ||||
|  2 files changed, 32 insertions(+), 7 deletions(-) | ||||
| 
 | ||||
| diff --git a/src/mnl.c b/src/mnl.c
 | ||||
| index 44cf1a4..f881d97 100644
 | ||||
| --- a/src/mnl.c
 | ||||
| +++ b/src/mnl.c
 | ||||
| @@ -26,6 +26,7 @@
 | ||||
|   | ||||
|  #include <mnl.h> | ||||
|  #include <string.h> | ||||
| +#include <net/if.h>
 | ||||
|  #include <sys/socket.h> | ||||
|  #include <arpa/inet.h> | ||||
|  #include <fcntl.h> | ||||
| @@ -529,7 +530,9 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
 | ||||
|  { | ||||
|  	int priority, policy, i = 0; | ||||
|  	struct nftnl_chain *nlc; | ||||
| +	unsigned int ifname_len;
 | ||||
|  	const char **dev_array; | ||||
| +	char ifname[IFNAMSIZ];
 | ||||
|  	struct nlmsghdr *nlh; | ||||
|  	struct expr *expr; | ||||
|  	int dev_array_len; | ||||
| @@ -562,7 +565,12 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
 | ||||
|  			dev_array = xmalloc(sizeof(char *) * 8); | ||||
|  			dev_array_len = 8; | ||||
|  			list_for_each_entry(expr, &cmd->chain->dev_expr->expressions, list) { | ||||
| -				dev_array[i++] = expr->identifier;
 | ||||
| +				ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
 | ||||
| +				memset(ifname, 0, sizeof(ifname));
 | ||||
| +				mpz_export_data(ifname, expr->value,
 | ||||
| +						BYTEORDER_HOST_ENDIAN,
 | ||||
| +						ifname_len);
 | ||||
| +				dev_array[i++] = xstrdup(ifname);
 | ||||
|  				if (i == dev_array_len) { | ||||
|  					dev_array_len *= 2; | ||||
|  					dev_array = xrealloc(dev_array, | ||||
| @@ -577,6 +585,10 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, const struct cmd *cmd,
 | ||||
|  				nftnl_chain_set_data(nlc, NFTNL_CHAIN_DEVICES, dev_array, | ||||
|  						     sizeof(char *) * dev_array_len); | ||||
|   | ||||
| +			i = 0;
 | ||||
| +			while (dev_array[i] != NULL)
 | ||||
| +				xfree(dev_array[i++]);
 | ||||
| +
 | ||||
|  			xfree(dev_array); | ||||
|  		} | ||||
|  	} | ||||
| @@ -1488,7 +1500,9 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
 | ||||
|  			  unsigned int flags) | ||||
|  { | ||||
|  	struct nftnl_flowtable *flo; | ||||
| +	unsigned int ifname_len;
 | ||||
|  	const char **dev_array; | ||||
| +	char ifname[IFNAMSIZ];
 | ||||
|  	struct nlmsghdr *nlh; | ||||
|  	int i = 0, len = 1; | ||||
|  	struct expr *expr; | ||||
| @@ -1513,13 +1527,24 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, const struct cmd *cmd,
 | ||||
|  	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) | ||||
|  		len++; | ||||
|   | ||||
| -	dev_array = calloc(len, sizeof(char *));
 | ||||
| -	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
 | ||||
| -		dev_array[i++] = expr->identifier;
 | ||||
| +	dev_array = xmalloc(sizeof(char *) * len);
 | ||||
| +
 | ||||
| +	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) {
 | ||||
| +		ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
 | ||||
| +		memset(ifname, 0, sizeof(ifname));
 | ||||
| +		mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN,
 | ||||
| +				ifname_len);
 | ||||
| +		dev_array[i++] = xstrdup(ifname);
 | ||||
| +	}
 | ||||
|   | ||||
|  	dev_array[i] = NULL; | ||||
|  	nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES, | ||||
|  				 dev_array, sizeof(char *) * len); | ||||
| +
 | ||||
| +	i = 0;
 | ||||
| +	while (dev_array[i] != NULL)
 | ||||
| +		xfree(dev_array[i++]);
 | ||||
| +
 | ||||
|  	free(dev_array); | ||||
|   | ||||
|  	netlink_dump_flowtable(flo, ctx); | ||||
| diff --git a/src/parser_bison.y b/src/parser_bison.y
 | ||||
| index 2cdf8ec..dc87571 100644
 | ||||
| --- a/src/parser_bison.y
 | ||||
| +++ b/src/parser_bison.y
 | ||||
| @@ -1909,9 +1909,9 @@ flowtable_list_expr	:	flowtable_expr_member
 | ||||
|   | ||||
|  flowtable_expr_member	:	STRING | ||||
|  			{ | ||||
| -				$$ = symbol_expr_alloc(&@$, SYMBOL_VALUE,
 | ||||
| -						       current_scope(state),
 | ||||
| -						       $1);
 | ||||
| +				$$ = constant_expr_alloc(&@$, &string_type,
 | ||||
| +							 BYTEORDER_HOST_ENDIAN,
 | ||||
| +							 strlen($1) * BITS_PER_BYTE, $1);
 | ||||
|  				xfree($1); | ||||
|  			} | ||||
|  			; | ||||
| -- 
 | ||||
| 2.34.1 | ||||
| 
 | ||||
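Review bot: Nothing in the new mnl_nft_chain_add() loop bounds `ifname_len` against `sizeof(ifname)` before the export into the `char ifname[IFNAMSIZ]` stack buffer; the same pattern is repeated in the mnl_nft_flowtable_add() hunk below. `expr->len` now comes from the parser_bison.y hunk as `strlen($1) * BITS_PER_BYTE`, so a device name of IFNAMSIZ or more characters would, if mpz_export_data() writes `ifname_len` bytes as its name suggests, either overrun the buffer or fill it with no terminator before `xstrdup(ifname)` reads it. The cleanest place to reject this is evaluation, where a located error can be reported, e.g. `if (expr->len > (IFNAMSIZ - 1) * BITS_PER_BYTE) return expr_error(ctx->msgs, expr, "device name too long");`, with a defensive `if (ifname_len >= sizeof(ifname))` bail-out kept in both mnl loops (freeing the entries already duplicated). Also note that the chain loop's `while (dev_array[i] != NULL)` cleanup relies on a NULL terminator that is only visible in the flowtable hunk (`dev_array[i] = NULL;`); the corresponding line for the chain path lies outside this hunk, so please confirm it is still set after the `xrealloc` growth. Both enclosing functions start and end outside the hunks.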
| @ -0,0 +1,47 @@ | ||||
| From 66369d42095a214672c1f935eed91902d4cca8d5 Mon Sep 17 00:00:00 2001 | ||||
| From: Phil Sutter <psutter@redhat.com> | ||||
| Date: Wed, 27 Apr 2022 14:37:00 +0200 | ||||
| Subject: [PATCH] tests: shell: auto-removal of chain hook on netns removal | ||||
| 
 | ||||
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2070924 | ||||
| Upstream Status: nftables commit e632eea21f4b3 | ||||
| Conflicts: Commit b4775dec9f80b ("src: ingress inet support") creating | ||||
| 	   the test not backported, RHEL8 does not support inet ingress. | ||||
| 	   Script adjusted accordingly. | ||||
| 
 | ||||
| commit e632eea21f4b3d03b629a5c1ac7e776d65785873 | ||||
| Author: Florian Westphal <fw@strlen.de> | ||||
| Date:   Tue Oct 19 14:07:25 2021 +0200 | ||||
| 
 | ||||
|     tests: shell: auto-removal of chain hook on netns removal | ||||
| 
 | ||||
|     This is the nft equivalent of the syzbot report that lead to | ||||
|     kernel commit 68a3765c659f8 | ||||
|     ("netfilter: nf_tables: skip netdev events generated on netns removal"). | ||||
| 
 | ||||
|     Signed-off-by: Florian Westphal <fw@strlen.de> | ||||
| ---
 | ||||
|  tests/shell/testcases/chains/0043chain_ingress_0 | 11 +++++++++++ | ||||
|  1 file changed, 11 insertions(+) | ||||
|  create mode 100755 tests/shell/testcases/chains/0043chain_ingress_0 | ||||
| 
 | ||||
| diff --git a/tests/shell/testcases/chains/0043chain_ingress_0 b/tests/shell/testcases/chains/0043chain_ingress_0
 | ||||
| new file mode 100755 | ||||
| index 0000000..09d6907
 | ||||
| --- /dev/null
 | ||||
| +++ b/tests/shell/testcases/chains/0043chain_ingress_0
 | ||||
| @@ -0,0 +1,11 @@
 | ||||
| +#!/bin/bash
 | ||||
| +
 | ||||
| +set -e
 | ||||
| +
 | ||||
| +# Test auto-removal of chain hook on netns removal
 | ||||
| +unshare -n bash -c "ip link add br0 type bridge; \
 | ||||
| + $NFT add table netdev test; \
 | ||||
| + $NFT add chain netdev test ingress { type filter hook ingress device \"br0\" priority 0\; policy drop\; } ; \
 | ||||
| +" || exit 1
 | ||||
| +
 | ||||
| +exit 0
 | ||||
| -- 
 | ||||
| 2.34.1 | ||||
| 
 | ||||
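Review bot: The script's comment promises a test of hook auto-removal, but the visible commands only create the netdev chain; the removal under test happens implicitly when the `unshare -n bash -c` child exits and the namespace is torn down, which a reader cannot tell from the file. Suggest expanding the comment to `# The chain is created inside a fresh netns; the hook must be dropped cleanly when the netns goes away as the child shell exits.` so the intent of the one-shot construction is clear. Minor: with `set -e` already in effect, the trailing `|| exit 1` is redundant and can be dropped.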
							
								
								
									
									
										53
									
								
								SOURCES/0079-rule-memleak-in-__do_add_setelems.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,53 @@ | ||||
| From bc2bfe4b68d213c74c634e87dee0116c066209e4 Mon Sep 17 00:00:00 2001 | ||||
| From: Phil Sutter <psutter@redhat.com> | ||||
| Date: Wed, 27 Apr 2022 14:46:47 +0200 | ||||
| Subject: [PATCH] rule: memleak in __do_add_setelems() | ||||
| 
 | ||||
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 | ||||
| Upstream Status: nftables commit b6d50bfde21b5 | ||||
| 
 | ||||
| commit b6d50bfde21b5a24a606cbf22137e04e8e0f195d | ||||
| Author: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| Date:   Thu Apr 30 14:18:45 2020 +0200 | ||||
| 
 | ||||
|     rule: memleak in __do_add_setelems() | ||||
| 
 | ||||
|     This patch invokes interval_map_decompose() with named sets: | ||||
| 
 | ||||
|     ==3402== 2,352 (128 direct, 2,224 indirect) bytes in 1 blocks are definitely lost in loss record 9 of 9 | ||||
|     ==3402==    at 0x483577F: malloc (vg_replace_malloc.c:299) | ||||
|     ==3402==    by 0x48996A8: xmalloc (utils.c:36) | ||||
|     ==3402==    by 0x4899778: xzalloc (utils.c:65) | ||||
|     ==3402==    by 0x487CB46: expr_alloc (expression.c:45) | ||||
|     ==3402==    by 0x487E2A0: mapping_expr_alloc (expression.c:1140) | ||||
|     ==3402==    by 0x4898AA8: interval_map_decompose (segtree.c:1095) | ||||
|     ==3402==    by 0x4872BDF: __do_add_setelems (rule.c:1569) | ||||
|     ==3402==    by 0x4872BDF: __do_add_setelems (rule.c:1559) | ||||
|     ==3402==    by 0x4877936: do_command (rule.c:2710) | ||||
|     ==3402==    by 0x489F1CB: nft_netlink.isra.5 (libnftables.c:42) | ||||
|     ==3402==    by 0x489FB07: nft_run_cmd_from_filename (libnftables.c:508) | ||||
|     ==3402==    by 0x10A9AA: main (main.c:455) | ||||
| 
 | ||||
|     Fixes: dd44081d91ce ("segtree: Fix add and delete of element in same batch") | ||||
|     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| ---
 | ||||
|  src/rule.c | 3 ++- | ||||
|  1 file changed, 2 insertions(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/src/rule.c b/src/rule.c
 | ||||
| index f7d888b..b2aa1d7 100644
 | ||||
| --- a/src/rule.c
 | ||||
| +++ b/src/rule.c
 | ||||
| @@ -1511,7 +1511,8 @@ static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set,
 | ||||
|  	if (mnl_nft_setelem_add(ctx, set, expr, flags) < 0) | ||||
|  		return -1; | ||||
|   | ||||
| -	if (set->init != NULL &&
 | ||||
| +	if (!set_is_anonymous(set->flags) &&
 | ||||
| +	    set->init != NULL &&
 | ||||
|  	    set->flags & NFT_SET_INTERVAL && | ||||
|  	    set->desc.field_count <= 1) { | ||||
|  		interval_map_decompose(expr); | ||||
| -- 
 | ||||
| 2.34.1 | ||||
| 
 | ||||
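Review bot: The condition guarding interval_map_decompose() in __do_add_setelems() has grown to four clauses (this hunk adds `!set_is_anonymous(set->flags)`, and the 0080 patch adds `set->init != expr`), yet nothing in the code says why anonymous sets or the aliasing case are excluded; the commit messages carry that reasoning but the next maintainer reading rule.c will not see them. Suggest a comment above the `if`, e.g. `/* Only decompose for named sets whose element cache (set->init) is a different list than expr; for anonymous sets and when both refer to the same list, list_splice_tail_init() would operate on itself. */`. __do_add_setelems() begins outside the hunk.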
| @ -0,0 +1,43 @@ | ||||
| From 0e284af80adefc8d8738c7191eff0ca7c6ad64a6 Mon Sep 17 00:00:00 2001 | ||||
| From: Phil Sutter <psutter@redhat.com> | ||||
| Date: Wed, 27 Apr 2022 14:46:47 +0200 | ||||
| Subject: [PATCH] rule: fix element cache update in __do_add_setelems() | ||||
| 
 | ||||
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 | ||||
| Upstream Status: nftables commit e68938f2bf89f | ||||
| 
 | ||||
| commit e68938f2bf89fcc9a99e12c9b7a10c1838f2a133 | ||||
| Author: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| Date:   Thu Apr 30 16:30:15 2020 +0200 | ||||
| 
 | ||||
|     rule: fix element cache update in __do_add_setelems() | ||||
| 
 | ||||
|     The set->init and expr arguments might actually refer to the same list | ||||
|     of elements. Skip set element cache update introduced by dd44081d91ce | ||||
|     ("segtree: Fix add and delete of element in same batch") otherwise | ||||
|     list_splice_tail_init() actually operates with the same list as | ||||
|     arguments. Valgrind reports this problem as a memleak since the result | ||||
|     of this operation was an empty set element list. | ||||
| 
 | ||||
|     Fixes: dd44081d91ce ("segtree: Fix add and delete of element in same batch") | ||||
|     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| ---
 | ||||
|  src/rule.c | 2 +- | ||||
|  1 file changed, 1 insertion(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/src/rule.c b/src/rule.c
 | ||||
| index b2aa1d7..9ae6d19 100644
 | ||||
| --- a/src/rule.c
 | ||||
| +++ b/src/rule.c
 | ||||
| @@ -1512,7 +1512,7 @@ static int __do_add_setelems(struct netlink_ctx *ctx, struct set *set,
 | ||||
|  		return -1; | ||||
|   | ||||
|  	if (!set_is_anonymous(set->flags) && | ||||
| -	    set->init != NULL &&
 | ||||
| +	    set->init != NULL && set->init != expr &&
 | ||||
|  	    set->flags & NFT_SET_INTERVAL && | ||||
|  	    set->desc.field_count <= 1) { | ||||
|  		interval_map_decompose(expr); | ||||
| -- 
 | ||||
| 2.34.1 | ||||
| 
 | ||||
| @ -0,0 +1,208 @@ | ||||
| From 43d5837615201d68108151e70c06cc0e90622fcc Mon Sep 17 00:00:00 2001 | ||||
| From: Phil Sutter <psutter@redhat.com> | ||||
| Date: Wed, 27 Apr 2022 14:46:47 +0200 | ||||
| Subject: [PATCH] src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS | ||||
| 
 | ||||
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 | ||||
| Upstream Status: nftables commit 9ed076c6f5abc | ||||
| 
 | ||||
| commit 9ed076c6f5abcbbad1b6b721dca29f87963f0ecc | ||||
| Author: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| Date:   Fri May 8 14:44:01 2020 +0200 | ||||
| 
 | ||||
|     src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS | ||||
| 
 | ||||
|     The CMD_OBJ_ELEMENTS provides an expression that contains the list of | ||||
|     set elements. This leaves room to introduce CMD_OBJ_SETELEMS in a follow | ||||
|     up patch. | ||||
| 
 | ||||
|     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| ---
 | ||||
|  include/rule.h     | 4 ++-- | ||||
|  src/cache.c        | 6 +++--- | ||||
|  src/evaluate.c     | 6 +++--- | ||||
|  src/parser_bison.y | 8 ++++---- | ||||
|  src/parser_json.c  | 2 +- | ||||
|  src/rule.c         | 8 ++++---- | ||||
|  6 files changed, 17 insertions(+), 17 deletions(-) | ||||
| 
 | ||||
| diff --git a/include/rule.h b/include/rule.h
 | ||||
| index 3637462..7fe607f 100644
 | ||||
| --- a/include/rule.h
 | ||||
| +++ b/include/rule.h
 | ||||
| @@ -542,7 +542,7 @@ enum cmd_ops {
 | ||||
|   * enum cmd_obj - command objects | ||||
|   * | ||||
|   * @CMD_OBJ_INVALID:	invalid | ||||
| - * @CMD_OBJ_SETELEM:	set element(s)
 | ||||
| + * @CMD_OBJ_ELEMENTS:	set element(s)
 | ||||
|   * @CMD_OBJ_SET:	set | ||||
|   * @CMD_OBJ_SETS:	multiple sets | ||||
|   * @CMD_OBJ_RULE:	rule | ||||
| @@ -570,7 +570,7 @@ enum cmd_ops {
 | ||||
|   */ | ||||
|  enum cmd_obj { | ||||
|  	CMD_OBJ_INVALID, | ||||
| -	CMD_OBJ_SETELEM,
 | ||||
| +	CMD_OBJ_ELEMENTS,
 | ||||
|  	CMD_OBJ_SET, | ||||
|  	CMD_OBJ_SETS, | ||||
|  	CMD_OBJ_RULE, | ||||
| diff --git a/src/cache.c b/src/cache.c
 | ||||
| index 05f0d68..a45111a 100644
 | ||||
| --- a/src/cache.c
 | ||||
| +++ b/src/cache.c
 | ||||
| @@ -25,7 +25,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags)
 | ||||
|  	case CMD_OBJ_FLOWTABLE: | ||||
|  		flags |= NFT_CACHE_TABLE; | ||||
|  		break; | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		flags |= NFT_CACHE_TABLE | | ||||
|  			 NFT_CACHE_CHAIN | | ||||
|  			 NFT_CACHE_SET | | ||||
| @@ -53,7 +53,7 @@ static unsigned int evaluate_cache_add(struct cmd *cmd, unsigned int flags)
 | ||||
|  static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags) | ||||
|  { | ||||
|  	switch (cmd->obj) { | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		flags |= NFT_CACHE_SETELEM; | ||||
|  		break; | ||||
|  	default: | ||||
| @@ -66,7 +66,7 @@ static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags)
 | ||||
|  static unsigned int evaluate_cache_get(struct cmd *cmd, unsigned int flags) | ||||
|  { | ||||
|  	switch (cmd->obj) { | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		flags |= NFT_CACHE_TABLE | | ||||
|  			 NFT_CACHE_SET | | ||||
|  			 NFT_CACHE_SETELEM; | ||||
| diff --git a/src/evaluate.c b/src/evaluate.c
 | ||||
| index e495faf..fd6db8a 100644
 | ||||
| --- a/src/evaluate.c
 | ||||
| +++ b/src/evaluate.c
 | ||||
| @@ -3815,7 +3815,7 @@ static int table_evaluate(struct eval_ctx *ctx, struct table *table)
 | ||||
|  static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd) | ||||
|  { | ||||
|  	switch (cmd->obj) { | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		return setelem_evaluate(ctx, &cmd->expr); | ||||
|  	case CMD_OBJ_SET: | ||||
|  		handle_merge(&cmd->set->handle, &cmd->handle); | ||||
| @@ -3847,7 +3847,7 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
 | ||||
|  static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd) | ||||
|  { | ||||
|  	switch (cmd->obj) { | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		return setelem_evaluate(ctx, &cmd->expr); | ||||
|  	case CMD_OBJ_SET: | ||||
|  	case CMD_OBJ_RULE: | ||||
| @@ -3874,7 +3874,7 @@ static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd)
 | ||||
|  	struct set *set; | ||||
|   | ||||
|  	switch (cmd->obj) { | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		table = table_lookup(&cmd->handle, &ctx->nft->cache); | ||||
|  		if (table == NULL) | ||||
|  			return table_not_found(ctx); | ||||
| diff --git a/src/parser_bison.y b/src/parser_bison.y
 | ||||
| index dc87571..96f0a4c 100644
 | ||||
| --- a/src/parser_bison.y
 | ||||
| +++ b/src/parser_bison.y
 | ||||
| @@ -1019,7 +1019,7 @@ add_cmd			:	TABLE		table_spec
 | ||||
|  			} | ||||
|  			|	ELEMENT		set_spec	set_block_expr | ||||
|  			{ | ||||
| -				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEM, &$2, &@$, $3);
 | ||||
| +				$$ = cmd_alloc(CMD_ADD, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
 | ||||
|  			} | ||||
|  			|	FLOWTABLE	flowtable_spec	flowtable_block_alloc | ||||
|  						'{'	flowtable_block	'}' | ||||
| @@ -1116,7 +1116,7 @@ create_cmd		:	TABLE		table_spec
 | ||||
|  			} | ||||
|  			|	ELEMENT		set_spec	set_block_expr | ||||
|  			{ | ||||
| -				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SETELEM, &$2, &@$, $3);
 | ||||
| +				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
 | ||||
|  			} | ||||
|  			|	FLOWTABLE	flowtable_spec	flowtable_block_alloc | ||||
|  						'{'	flowtable_block	'}' | ||||
| @@ -1208,7 +1208,7 @@ delete_cmd		:	TABLE		table_spec
 | ||||
|  			} | ||||
|  			|	ELEMENT		set_spec	set_block_expr | ||||
|  			{ | ||||
| -				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SETELEM, &$2, &@$, $3);
 | ||||
| +				$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
 | ||||
|  			} | ||||
|  			|	FLOWTABLE	flowtable_spec | ||||
|  			{ | ||||
| @@ -1266,7 +1266,7 @@ delete_cmd		:	TABLE		table_spec
 | ||||
|   | ||||
|  get_cmd			:	ELEMENT		set_spec	set_block_expr | ||||
|  			{ | ||||
| -				$$ = cmd_alloc(CMD_GET, CMD_OBJ_SETELEM, &$2, &@$, $3);
 | ||||
| +				$$ = cmd_alloc(CMD_GET, CMD_OBJ_ELEMENTS, &$2, &@$, $3);
 | ||||
|  			} | ||||
|  			; | ||||
|   | ||||
| diff --git a/src/parser_json.c b/src/parser_json.c
 | ||||
| index 2250be9..15902a8 100644
 | ||||
| --- a/src/parser_json.c
 | ||||
| +++ b/src/parser_json.c
 | ||||
| @@ -3391,7 +3391,7 @@ static struct cmd *json_parse_cmd_add(struct json_ctx *ctx,
 | ||||
|  		{ "rule", CMD_OBJ_RULE, json_parse_cmd_add_rule }, | ||||
|  		{ "set", CMD_OBJ_SET, json_parse_cmd_add_set }, | ||||
|  		{ "map", CMD_OBJ_SET, json_parse_cmd_add_set }, | ||||
| -		{ "element", CMD_OBJ_SETELEM, json_parse_cmd_add_element },
 | ||||
| +		{ "element", CMD_OBJ_ELEMENTS, json_parse_cmd_add_element },
 | ||||
|  		{ "flowtable", CMD_OBJ_FLOWTABLE, json_parse_cmd_add_flowtable }, | ||||
|  		{ "counter", CMD_OBJ_COUNTER, json_parse_cmd_add_object }, | ||||
|  		{ "quota", CMD_OBJ_QUOTA, json_parse_cmd_add_object }, | ||||
| diff --git a/src/rule.c b/src/rule.c
 | ||||
| index 9ae6d19..afb6dc9 100644
 | ||||
| --- a/src/rule.c
 | ||||
| +++ b/src/rule.c
 | ||||
| @@ -1456,7 +1456,7 @@ void cmd_free(struct cmd *cmd)
 | ||||
|  	handle_free(&cmd->handle); | ||||
|  	if (cmd->data != NULL) { | ||||
|  		switch (cmd->obj) { | ||||
| -		case CMD_OBJ_SETELEM:
 | ||||
| +		case CMD_OBJ_ELEMENTS:
 | ||||
|  			expr_free(cmd->expr); | ||||
|  			break; | ||||
|  		case CMD_OBJ_SET: | ||||
| @@ -1580,7 +1580,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
 | ||||
|  		return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND); | ||||
|  	case CMD_OBJ_SET: | ||||
|  		return do_add_set(ctx, cmd, flags); | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		return do_add_setelems(ctx, cmd, flags); | ||||
|  	case CMD_OBJ_COUNTER: | ||||
|  	case CMD_OBJ_QUOTA: | ||||
| @@ -1659,7 +1659,7 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd)
 | ||||
|  		return mnl_nft_rule_del(ctx, cmd); | ||||
|  	case CMD_OBJ_SET: | ||||
|  		return mnl_nft_set_del(ctx, cmd); | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		return do_delete_setelems(ctx, cmd); | ||||
|  	case CMD_OBJ_COUNTER: | ||||
|  		return mnl_nft_obj_del(ctx, cmd, NFT_OBJECT_COUNTER); | ||||
| @@ -2519,7 +2519,7 @@ static int do_command_get(struct netlink_ctx *ctx, struct cmd *cmd)
 | ||||
|  		table = table_lookup(&cmd->handle, &ctx->nft->cache); | ||||
|   | ||||
|  	switch (cmd->obj) { | ||||
| -	case CMD_OBJ_SETELEM:
 | ||||
| +	case CMD_OBJ_ELEMENTS:
 | ||||
|  		return do_get_setelems(ctx, cmd, table); | ||||
|  	default: | ||||
|  		BUG("invalid command object type %u\n", cmd->obj); | ||||
| -- 
 | ||||
| 2.34.1 | ||||
| 
 | ||||
							
								
								
									
									
										125
									
								
								SOURCES/0082-src-add-CMD_OBJ_SETELEMS.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,125 @@ | ||||
| From 61c295c9dec447239ed2c84b0073594ffecf7554 Mon Sep 17 00:00:00 2001 | ||||
| From: Phil Sutter <psutter@redhat.com> | ||||
| Date: Wed, 27 Apr 2022 14:46:47 +0200 | ||||
| Subject: [PATCH] src: add CMD_OBJ_SETELEMS | ||||
| 
 | ||||
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 | ||||
| Upstream Status: nftables commit c9eae091983ae | ||||
| Conflicts: Context change due to missing commit 086ec6f30c96e | ||||
|            ("mnl: extended error support for create command"). | ||||
| 
 | ||||
| commit c9eae091983ae9ffcf2ca5b666bc03d5a1916c2f | ||||
| Author: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| Date:   Fri May 8 14:44:03 2020 +0200 | ||||
| 
 | ||||
|     src: add CMD_OBJ_SETELEMS | ||||
| 
 | ||||
|     This new command type results from expanding the set definition in two | ||||
|     commands: One to add the set and another to add the elements. This | ||||
|     results in 1:1 mapping between the command object to the netlink API. | ||||
|     The command is then translated into a netlink message which gets a | ||||
|     unique sequence number. This sequence number allows to correlate the | ||||
|     netlink extended error reporting with the corresponding command. | ||||
| 
 | ||||
|     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| ---
 | ||||
|  include/rule.h |  2 ++ | ||||
|  src/rule.c     | 23 +++++++++++++++++++---- | ||||
|  2 files changed, 21 insertions(+), 4 deletions(-) | ||||
| 
 | ||||
| diff --git a/include/rule.h b/include/rule.h
 | ||||
| index 7fe607f..1efd4fb 100644
 | ||||
| --- a/include/rule.h
 | ||||
| +++ b/include/rule.h
 | ||||
| @@ -545,6 +545,7 @@ enum cmd_ops {
 | ||||
|   * @CMD_OBJ_ELEMENTS:	set element(s) | ||||
|   * @CMD_OBJ_SET:	set | ||||
|   * @CMD_OBJ_SETS:	multiple sets | ||||
| + * @CMD_OBJ_SETELEMS:	set elements
 | ||||
|   * @CMD_OBJ_RULE:	rule | ||||
|   * @CMD_OBJ_CHAIN:	chain | ||||
|   * @CMD_OBJ_CHAINS:	multiple chains | ||||
| @@ -572,6 +573,7 @@ enum cmd_obj {
 | ||||
|  	CMD_OBJ_INVALID, | ||||
|  	CMD_OBJ_ELEMENTS, | ||||
|  	CMD_OBJ_SET, | ||||
| +	CMD_OBJ_SETELEMS,
 | ||||
|  	CMD_OBJ_SETS, | ||||
|  	CMD_OBJ_RULE, | ||||
|  	CMD_OBJ_CHAIN, | ||||
| diff --git a/src/rule.c b/src/rule.c
 | ||||
| index afb6dc9..c43e0cd 100644
 | ||||
| --- a/src/rule.c
 | ||||
| +++ b/src/rule.c
 | ||||
| @@ -1352,11 +1352,11 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
 | ||||
|  void nft_cmd_expand(struct cmd *cmd) | ||||
|  { | ||||
|  	struct list_head new_cmds; | ||||
| +	struct set *set, *newset;
 | ||||
|  	struct flowtable *ft; | ||||
|  	struct table *table; | ||||
|  	struct chain *chain; | ||||
|  	struct rule *rule; | ||||
| -	struct set *set;
 | ||||
|  	struct obj *obj; | ||||
|  	struct cmd *new; | ||||
|  	struct handle h; | ||||
| @@ -1412,6 +1412,18 @@ void nft_cmd_expand(struct cmd *cmd)
 | ||||
|  		} | ||||
|  		list_splice(&new_cmds, &cmd->list); | ||||
|  		break; | ||||
| +	case CMD_OBJ_SET:
 | ||||
| +		set = cmd->set;
 | ||||
| +		memset(&h, 0, sizeof(h));
 | ||||
| +		handle_merge(&h, &set->handle);
 | ||||
| +		newset = set_clone(set);
 | ||||
| +		newset->handle.set_id = set->handle.set_id;
 | ||||
| +		newset->init = set->init;
 | ||||
| +		set->init = NULL;
 | ||||
| +		new = cmd_alloc(CMD_ADD, CMD_OBJ_SETELEMS, &h,
 | ||||
| +				&set->location, newset);
 | ||||
| +		list_add(&new->list, &cmd->list);
 | ||||
| +		break;
 | ||||
|  	default: | ||||
|  		break; | ||||
|  	} | ||||
| @@ -1460,6 +1472,7 @@ void cmd_free(struct cmd *cmd)
 | ||||
|  			expr_free(cmd->expr); | ||||
|  			break; | ||||
|  		case CMD_OBJ_SET: | ||||
| +		case CMD_OBJ_SETELEMS:
 | ||||
|  			set_free(cmd->set); | ||||
|  			break; | ||||
|  		case CMD_OBJ_RULE: | ||||
| @@ -1545,7 +1558,7 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
 | ||||
|  } | ||||
|   | ||||
|  static int do_add_set(struct netlink_ctx *ctx, const struct cmd *cmd, | ||||
| -		      uint32_t flags)
 | ||||
| +		      uint32_t flags, bool add)
 | ||||
|  { | ||||
|  	struct set *set = cmd->set; | ||||
|   | ||||
| @@ -1556,7 +1569,7 @@ static int do_add_set(struct netlink_ctx *ctx, const struct cmd *cmd,
 | ||||
|  				     &ctx->nft->output) < 0) | ||||
|  			return -1; | ||||
|  	} | ||||
| -	if (mnl_nft_set_add(ctx, cmd, flags) < 0)
 | ||||
| +	if (add && mnl_nft_set_add(ctx, cmd, flags) < 0)
 | ||||
|  		return -1; | ||||
|  	if (set->init != NULL) { | ||||
|  		return __do_add_setelems(ctx, set, set->init, flags); | ||||
| @@ -1579,7 +1592,9 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
 | ||||
|  	case CMD_OBJ_RULE: | ||||
|  		return mnl_nft_rule_add(ctx, cmd, flags | NLM_F_APPEND); | ||||
|  	case CMD_OBJ_SET: | ||||
| -		return do_add_set(ctx, cmd, flags);
 | ||||
| +		return do_add_set(ctx, cmd, flags, true);
 | ||||
| +	case CMD_OBJ_SETELEMS:
 | ||||
| +		return do_add_set(ctx, cmd, flags, false);
 | ||||
|  	case CMD_OBJ_ELEMENTS: | ||||
|  		return do_add_setelems(ctx, cmd, flags); | ||||
|  	case CMD_OBJ_COUNTER: | ||||
| -- 
 | ||||
| 2.34.1 | ||||
| 
 | ||||
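Review bot: `do_add_set()` gains a `bool add` parameter but no documentation of what the two callers in do_command_add() get: `true` (CMD_OBJ_SET) creates the set in the kernel, `false` (CMD_OBJ_SETELEMS) skips mnl_nft_set_add() and only pushes `set->init`. A short comment on the function, e.g. `/* @add: false when the set itself was already added by a preceding CMD_OBJ_SET command and only set->init is to be sent */`, would make that contract explicit. In the nft_cmd_expand() CMD_OBJ_SET case the lines `newset->handle.set_id = set->handle.set_id;` and `set->init = NULL;` are also non-obvious: the former presumably compensates for set_clone() not copying the batch-local id so the element command refers to the same set, and the latter hands ownership of the element list to the clone so cmd_free() releases it once; a one-line comment on each would help. nft_cmd_expand() and do_add_set() both extend beyond the hunks shown.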
| @ -0,0 +1,43 @@ | ||||
| From 34a7632a4d72c16d2a087fcc6450d1a783858124 Mon Sep 17 00:00:00 2001 | ||||
| From: Phil Sutter <psutter@redhat.com> | ||||
| Date: Thu, 28 Apr 2022 14:14:39 +0200 | ||||
| Subject: [PATCH] libnftables: call nft_cmd_expand() only with CMD_ADD | ||||
| 
 | ||||
| Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2073287 | ||||
| Upstream Status: nftables commit b81519f1641b5 | ||||
| 
 | ||||
| commit b81519f1641b508c289ddfefc800b2c20ab243e6 | ||||
| Author: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| Date:   Fri May 8 14:44:02 2020 +0200 | ||||
| 
 | ||||
|     libnftables: call nft_cmd_expand() only with CMD_ADD | ||||
| 
 | ||||
|     Restrict the expansion logic to the CMD_ADD command which is where this | ||||
|     is only required. | ||||
| 
 | ||||
|     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| ---
 | ||||
|  src/libnftables.c | 6 +++++- | ||||
|  1 file changed, 5 insertions(+), 1 deletion(-) | ||||
| 
 | ||||
| diff --git a/src/libnftables.c b/src/libnftables.c
 | ||||
| index cd2fcf2..ab01909 100644
 | ||||
| --- a/src/libnftables.c
 | ||||
| +++ b/src/libnftables.c
 | ||||
| @@ -421,8 +421,12 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
 | ||||
|  	if (nft->state->nerrs) | ||||
|  		return -1; | ||||
|   | ||||
| -	list_for_each_entry(cmd, cmds, list)
 | ||||
| +	list_for_each_entry(cmd, cmds, list) {
 | ||||
| +		if (cmd->op != CMD_ADD)
 | ||||
| +			continue;
 | ||||
| +
 | ||||
|  		nft_cmd_expand(cmd); | ||||
| +	}
 | ||||
|   | ||||
|  	return 0; | ||||
|  } | ||||
| -- 
 | ||||
| 2.34.1 | ||||
| 
 | ||||
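Review bot: The new filter in nft_evaluate() expands only `CMD_ADD`, yet the 0082 patch routes both add and create through the same do_command_add()/do_add_set() path (its `bool excl` parameter suggests the create variant), so a `create set ... { elements = { ... } }` now stays a single command while `add set` is split into SET plus SETELEMS. If that asymmetry is intended, a comment saying so would prevent it being "fixed" later; if not, the condition should be `if (cmd->op != CMD_ADD && cmd->op != CMD_CREATE)` followed by `continue;`. This is inferred from the hunks in this series rather than from nft_evaluate() itself, whose body starts outside the hunk.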
| @ -1,5 +1,5 @@ | ||||
| %define rpmversion 0.9.3 | ||||
| %define specrelease 25 | ||||
| %define specrelease 26 | ||||
| %define libnftnl_ver 1.1.5-5 | ||||
| 
 | ||||
| Name:           nftables | ||||
| @ -94,6 +94,13 @@ Patch73:            0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.pa | ||||
| Patch74:            0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch | ||||
| Patch75:            0075-tests-py-add-dnat-to-port-without-defining-destinati.patch | ||||
| Patch76:            0076-mnl-do-not-build-nftnl_set-element-list.patch | ||||
| Patch77:            0077-mnl-do-not-use-expr-identifier-to-fetch-device-name.patch | ||||
| Patch78:            0078-tests-shell-auto-removal-of-chain-hook-on-netns-remo.patch | ||||
| Patch79:            0079-rule-memleak-in-__do_add_setelems.patch | ||||
| Patch80:            0080-rule-fix-element-cache-update-in-__do_add_setelems.patch | ||||
| Patch81:            0081-src-rename-CMD_OBJ_SETELEM-to-CMD_OBJ_ELEMENTS.patch | ||||
| Patch82:            0082-src-add-CMD_OBJ_SETELEMS.patch | ||||
| Patch83:            0083-libnftables-call-nft_cmd_expand-only-with-CMD_ADD.patch | ||||
| 
 | ||||
| BuildRequires: autogen | ||||
| BuildRequires: autoconf | ||||
| @ -210,6 +217,15 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py | ||||
| %{python3_sitelib}/nftables/ | ||||
| 
 | ||||
| %changelog | ||||
| * Thu Apr 28 2022 Phil Sutter <psutter@redhat.com> [0.9.3-26.el8] | ||||
| - libnftables: call nft_cmd_expand() only with CMD_ADD (Phil Sutter) [2073287] | ||||
| - src: add CMD_OBJ_SETELEMS (Phil Sutter) [2073287] | ||||
| - src: rename CMD_OBJ_SETELEM to CMD_OBJ_ELEMENTS (Phil Sutter) [2073287] | ||||
| - rule: fix element cache update in __do_add_setelems() (Phil Sutter) [2073287] | ||||
| - rule: memleak in __do_add_setelems() (Phil Sutter) [2073287] | ||||
| - tests: shell: auto-removal of chain hook on netns removal (Phil Sutter) [2070924] | ||||
| - mnl: do not use expr->identifier to fetch device name (Phil Sutter) [2070924] | ||||
| 
 | ||||
| * Fri Feb 04 2022 Phil Sutter <psutter@redhat.com> [0.9.3-25.el8] | ||||
| - mnl: do not build nftnl_set element list (Phil Sutter) [2047821] | ||||
| - tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773] | ||||
|  | ||||