nftables-1.0.4-7.el8

* Fri Nov 29 2024 Phil Sutter <psutter@redhat.com> [1.0.4-7.el8] - xt: Fix translation error path (Phil Sutter) [RHEL-5806] Resolves: RHEL-5806
2024-11-29 12:06:32 +01:00 · 2024-11-29 12:06:32 +01:00 · ca551b3c26
commit ca551b3c26
parent 810f4662e9
2 changed files with 75 additions and 1 deletions
--- a/0042-xt-Fix-translation-error-path.patch
+++ b/0042-xt-Fix-translation-error-path.patch
@ -0,0 +1,70 @@
 From 5e5919ad698c6edfd0c1bbbd47d97309c0cb7a83 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <psutter@redhat.com>
 Date: Fri, 29 Nov 2024 12:01:39 +0100
 Subject: [PATCH] xt: Fix translation error path
 JIRA: https://issues.redhat.com/browse/RHEL-5806
 Upstream Status: nftables commit ce3d71348ee77d2d7ffa6a825afbc7471e92bc89
 commit ce3d71348ee77d2d7ffa6a825afbc7471e92bc89
 Author: Phil Sutter <phil@nwl.cc>
 Date:   Tue Mar 28 13:46:10 2023 +0200
    xt: Fix translation error path
    If xtables support was compiled in but the required libxtables DSO is
    not found, nft prints an error message and leaks memory:
    | counter packets 0 bytes 0 XT target MASQUERADE not found
    This is not as bad as it seems, the output combines stdout and stderr.
    Dropping stderr produces an incomplete ruleset listing, though. While
    this seemingly inline output can't easily be avoided, fix a few things:
    * Respect octx->error_fp, libnftables might have been configured to
      redirect stderr somewhere else.
    * Align error message formatting with others.
    * Don't return immediately, but free allocated memory and fall back to
      printing the expression in "untranslated" form.
    Fixes: 5c30feeee5cfe ("xt: Delay libxtables access until translation")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
 Signed-off-by: Phil Sutter <psutter@redhat.com>
 ---
 src/xt.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
 diff --git a/src/xt.c b/src/xt.c
 index 31cf40e..6d5866d 100644
 --- a/src/xt.c
 +++ b/src/xt.c
@@ -56,9 +56,10 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx)
 	case NFT_XT_MATCH:
 		mt = xtables_find_match(stmt->xt.name, XTF_TRY_LOAD, NULL);
 		if (!mt) {
 -			fprintf(stderr, "XT match %s not found\n",
 +			fprintf(octx->error_fp,
 +				"# Warning: XT match %s not found\n",
 				stmt->xt.name);
 -			return;
 +			break;
 		}
 		size = XT_ALIGN(sizeof(*m)) + stmt->xt.infolen;
@@ -83,9 +84,10 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx)
 	case NFT_XT_TARGET:
 		tg = xtables_find_target(stmt->xt.name, XTF_TRY_LOAD);
 		if (!tg) {
 -			fprintf(stderr, "XT target %s not found\n",
 +			fprintf(octx->error_fp,
 +				"# Warning: XT target %s not found\n",
 				stmt->xt.name);
 -			return;
 +			break;
 		}
 		size = XT_ALIGN(sizeof(*t)) + stmt->xt.infolen;
 -- 
 2.46.2
--- a/nftables.spec
+++ b/nftables.spec
@ -1,5 +1,5 @@
 %define nft_rpmversion 1.0.4
-%define nft_specrelease 6
+%define nft_specrelease 7
 %define libnftnl_ver 1.2.2-1
 Name:           nftables
@ -62,6 +62,7 @@ Patch38:            0038-xt-Rewrite-unsupported-compat-expression-dumping.patch
 Patch39:            0039-xt-Fall-back-to-generic-printing-from-translation.patch
 Patch40:            0040-xt-Fix-fallback-printing-for-extensions-matching-key.patch
 Patch41:            0041-evaluate-un-break-rule-insert-with-intervals.patch
 Patch42:            0042-xt-Fix-translation-error-path.patch
 BuildRequires: autoconf
 BuildRequires: automake
@ -181,6 +182,9 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 %changelog
 * Fri Nov 29 2024 Phil Sutter <psutter@redhat.com> [1.0.4-7.el8]
 - xt: Fix translation error path (Phil Sutter) [RHEL-5806]
 * Tue Oct 29 2024 Phil Sutter <psutter@redhat.com> [1.0.4-6.el8]
 - evaluate: un-break rule insert with intervals (Phil Sutter) [RHEL-62895]