import nftables-0.9.8-9.el9

SOURCES/0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch

@@ -0,0 +1,61 @@
+From 24d7383ca9e7f056153cc305ee16fa9fd8580909 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 9 Jun 2021 15:49:52 +0200
+Subject: [PATCH] segtree: Fix segfault when restoring a huge interval set
+
+Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
+set_to_segtree() exhausts the stack. Prevent this by allocating the
+pointer array on heap and make sure it is freed before returning to
+caller.
+
+With this patch in place, restoring said set succeeds with allocation of
+about 3GB of memory, according to valgrind.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit baecd1cf26851a4c5b7d469206a488f14fe5b147)
+---
+ src/segtree.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index 9aa39e52d8a09..163a7bb755f9c 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -429,10 +429,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+ 			  struct expr *init, struct seg_tree *tree,
+ 			  bool add, bool merge)
+ {
+-	struct elementary_interval *intervals[init->size];
++	struct elementary_interval **intervals;
+ 	struct expr *i, *next;
+ 	unsigned int n;
+-	int err;
++	int err = 0;
+ 
+ 	/* We are updating an existing set with new elements, check if the new
+ 	 * interval overlaps with any of the existing ones.
+@@ -443,6 +443,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+ 			return err;
+ 	}
+ 
++	intervals = xmalloc_array(init->size, sizeof(intervals[0]));
+ 	n = expr_to_intervals(init, tree->keylen, intervals);
+ 
+ 	list_for_each_entry_safe(i, next, &init->expressions, list) {
+@@ -461,10 +462,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+ 	for (n = 0; n < init->size; n++) {
+ 		err = ei_insert(msgs, tree, intervals[n], merge);
+ 		if (err < 0)
+-			return err;
++			break;
+ 	}
+ 
+-	return 0;
++	xfree(intervals);
++	return err;
+ }
+ 
+ static bool segtree_needs_first_segment(const struct set *set,
+-- 
+2.33.0
+

SOURCES/0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch

@@ -0,0 +1,66 @@
+From 2c4a6a4f1d51358a196a7039c41b7d50df656985 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
+Date: Wed, 20 Oct 2021 14:42:20 +0200
+Subject: [PATCH] tests: cover baecd1cf2685 ("segtree: Fix segfault when
+ restoring a huge interval set")
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Test inspired by [1] with both the set and stack size reduced by the
+same power of 2, to preserve the (pre-baecd1cf2685) segfault on one
+hand, and make the test successfully complete (post-baecd1cf2685) in a
+few seconds even on weaker hardware on the other.
+
+(The reason I stopped at 128kB stack size is that with 64kB I was
+getting segfaults even with baecd1cf2685 applied.)
+
+[1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127
+
+Signed-off-by: Štěpán Němec <snemec@redhat.com>
+Helped-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit d8ccad2a2b73c4189934eb5fd0e3d096699b5043)
+---
+ .../sets/0068interval_stack_overflow_0        | 29 +++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+ create mode 100755 tests/shell/testcases/sets/0068interval_stack_overflow_0
+
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+new file mode 100755
+index 0000000000000..134282de28268
+--- /dev/null
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -0,0 +1,29 @@
++#!/bin/bash
++
++set -e
++
++ruleset_file=$(mktemp)
++
++trap 'rm -f "$ruleset_file"' EXIT
++
++{
++	echo 'define big_set = {'
++	for ((i = 1; i < 255; i++)); do
++		for ((j = 1; j < 80; j++)); do
++			echo "10.0.$i.$j,"
++		done
++	done
++	echo '10.1.0.0/24 }'
++} >"$ruleset_file"
++
++cat >>"$ruleset_file" <<\EOF
++table inet test68_table {
++	set test68_set {
++		type ipv4_addr
++		flags interval
++		elements = { $big_set }
++	}
++}
++EOF
++
++( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
+-- 
+2.33.0
+

SOURCES/0018-doc-nft.8-Extend-monitor-description-by-trace.patch

@@ -0,0 +1,63 @@
+From 7f5707d93a62cf7474d94e038188a0a8ae2924e7 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 19 May 2021 13:12:48 +0200
+Subject: [PATCH] doc: nft.8: Extend monitor description by trace
+
+Briefly describe 'nft monitor trace' command functionality.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 2acf8b2caea19d8abd46d475a908f8d6afb33aa0)
+---
+ doc/nft.txt | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/doc/nft.txt b/doc/nft.txt
+index 2642d8903787f..7b3c70d82a127 100644
+--- a/doc/nft.txt
++++ b/doc/nft.txt
+@@ -805,13 +805,26 @@ These are some additional commands included in nft.
+ MONITOR
+ ~~~~~~~~
+ The monitor command allows you to listen to Netlink events produced by the
+-nf_tables subsystem, related to creation and deletion of objects. When they
++nf_tables subsystem. These are either related to creation and deletion of
++objects or to packets for which *meta nftrace* was enabled. When they
+ occur, nft will print to stdout the monitored events in either JSON or
+ native nft format. +
+ 
+-To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements', 'ruleset'. +
++[verse]
++____
++*monitor* [*new* | *destroy*] 'MONITOR_OBJECT'
++*monitor* *trace*
++
++'MONITOR_OBJECT' := *tables* | *chains* | *sets* | *rules* | *elements* | *ruleset*
++____
+ 
+-To filter events related to a concrete action, use keyword 'new' or 'destroy'.
++To filter events related to a concrete object, use one of the keywords in
++'MONITOR_OBJECT'.
++
++To filter events related to a concrete action, use keyword *new* or *destroy*.
++
++The second form of invocation takes no further options and exclusively prints
++events generated for packets with *nftrace* enabled.
+ 
+ Hit ^C to finish the monitor operation.
+ 
+@@ -835,6 +848,12 @@ Hit ^C to finish the monitor operation.
+ % nft monitor ruleset
+ ---------------------
+ 
++.Trace incoming packets from host 10.0.0.1
++------------------------------------------
++% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1
++% nft monitor trace
++------------------------------------------
++
+ ERROR REPORTING
+ ---------------
+ When an error is detected, nft shows the line(s) containing the error, the
+-- 
+2.33.0
+

SPECS/nftables.spec

@@ -1,6 +1,6 @@
 Name:           nftables
 Version:        0.9.8
-Release:        7%{?dist}
+Release:        9%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch:          1
 Summary:        Netfilter Tables userspace utillites
@@ -29,6 +29,9 @@ Patch12: 0012-netlink_delinearize-Fix-suspicious-calloc-call.patch
 Patch13: 0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch
 Patch14: 0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch
 Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch
+Patch16: 0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
+Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
+Patch18: 0018-doc-nft.8-Extend-monitor-description-by-trace.patch
 
 #BuildRequires: autogen
 #BuildRequires: autoconf
@@ -138,6 +141,13 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 
 %changelog
+* Thu Nov 11 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-9
+- doc: nft.8: Extend monitor description by trace
+
+* Fri Nov 05 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-8
+- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")
+- segtree: Fix segfault when restoring a huge interval set
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.9.8-7
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688