import nftables-0.9.8-9.el9
parent
db3c09113c
commit
cfe40e5371
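--- /dev/null
+++ b/0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
@@ -0,0 +1,61 @@
+From 24d7383ca9e7f056153cc305ee16fa9fd8580909 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 9 Jun 2021 15:49:52 +0200
+Subject: [PATCH] segtree: Fix segfault when restoring a huge interval set
+
+Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
+set_to_segtree() exhausts the stack. Prevent this by allocating the
+pointer array on heap and make sure it is freed before returning to
+caller.
+
+With this patch in place, restoring said set succeeds with allocation of
+about 3GB of memory, according to valgrind.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit baecd1cf26851a4c5b7d469206a488f14fe5b147)
+---
+src/segtree.c | 10 ++++++----
+1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index 9aa39e52d8a09..163a7bb755f9c 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -429,10 +429,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+struct expr *init, struct seg_tree *tree,
+bool add, bool merge)
+{
+- struct elementary_interval *intervals[init->size];
++ struct elementary_interval **intervals;
+struct expr *i, *next;
+unsigned int n;
+- int err;
++ int err = 0;
+
+/* We are updating an existing set with new elements, check if the new
+* interval overlaps with any of the existing ones.
+@@ -443,6 +443,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+return err;
+}
+
++ intervals = xmalloc_array(init->size, sizeof(intervals[0]));
+n = expr_to_intervals(init, tree->keylen, intervals);
+
+list_for_each_entry_safe(i, next, &init->expressions, list) {
+@@ -461,10 +462,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
+for (n = 0; n < init->size; n++) {
+err = ei_insert(msgs, tree, intervals[n], merge);
+if (err < 0)
+- return err;
++ break;
+}
+
+- return 0;
++ xfree(intervals);
++ return err;
+}
+
+static bool segtree_needs_first_segment(const struct set *set,
+--
+2.33.0
+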
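Review bot: In the loop `for (n = 0; n < init->size; n++)` the bound is init->size, whereas the number of slots expr_to_intervals() actually filled is the value it returned into n in the previous hunk, which this loop then overwrites; xmalloc_array() presumably leaves the new heap array uninitialized just as the VLA did, so if those two counts can ever differ, ei_insert() would be handed an indeterminate pointer. This is pre-existing rather than introduced here, but now that the allocation is explicit it is cheap to keep the count, `unsigned int count = expr_to_intervals(init, tree->keylen, intervals);`, and loop `for (n = 0; n < count; n++)`, or to use the zeroing xzalloc_array() this package already carries (Patch14). Separately, on the new `break` path only the pointer array is released; the elementary_interval objects from intervals[n] onward that were never inserted into the tree are not freed here, likely the same leak the old early return had, so a comment such as `/* intervals[n..] not inserted: released by caller? */` or a cleanup loop once ownership is confirmed would be appropriate. The middle of set_to_segtree (the list teardown between the second and third hunk) lies outside the visible hunks.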
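--- /dev/null
+++ b/0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
@@ -0,0 +1,66 @@
+From 2c4a6a4f1d51358a196a7039c41b7d50df656985 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
+Date: Wed, 20 Oct 2021 14:42:20 +0200
+Subject: [PATCH] tests: cover baecd1cf2685 ("segtree: Fix segfault when
+restoring a huge interval set")
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Test inspired by [1] with both the set and stack size reduced by the
+same power of 2, to preserve the (pre-baecd1cf2685) segfault on one
+hand, and make the test successfully complete (post-baecd1cf2685) in a
+few seconds even on weaker hardware on the other.
+
+(The reason I stopped at 128kB stack size is that with 64kB I was
+getting segfaults even with baecd1cf2685 applied.)
+
+[1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127
+
+Signed-off-by: Štěpán Němec <snemec@redhat.com>
+Helped-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit d8ccad2a2b73c4189934eb5fd0e3d096699b5043)
+---
+.../sets/0068interval_stack_overflow_0 | 29 +++++++++++++++++++
+1 file changed, 29 insertions(+)
+create mode 100755 tests/shell/testcases/sets/0068interval_stack_overflow_0
+
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+new file mode 100755
+index 0000000000000..134282de28268
+--- /dev/null
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -0,0 +1,29 @@
++#!/bin/bash
++
++set -e
++
++ruleset_file=$(mktemp)
++
++trap 'rm -f "$ruleset_file"' EXIT
++
++{
++ echo 'define big_set = {'
++ for ((i = 1; i < 255; i++)); do
++ for ((j = 1; j < 80; j++)); do
++ echo "10.0.$i.$j,"
++ done
++ done
++ echo '10.1.0.0/24 }'
++} >"$ruleset_file"
++
++cat >>"$ruleset_file" <<\EOF
++table inet test68_table {
++ set test68_set {
++ type ipv4_addr
++ flags interval
++ elements = { $big_set }
++ }
++}
++EOF
++
++( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
+--
+2.33.0
+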
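Review bot: The final line `( ulimit -s 128 && "$NFT" -f "$ruleset_file" )` relies on NFT being exported by the test harness; if it is unset the subshell runs an empty command name and the test fails with a "command not found" that has nothing to do with the stack-size regression it is meant to catch. A guard near the top, `: "${NFT:?NFT must point to the nft binary}"`, makes that failure mode explicit. A one-line header comment naming what is reproduced, e.g. `# Reproducer for baecd1cf2685: loading a ~20k-element interval set must succeed with a 128kB stack.`, would also help, since the script itself carries no explanation of the generated set or the ulimit.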
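--- /dev/null
+++ b/0018-doc-nft.8-Extend-monitor-description-by-trace.patch
@@ -0,0 +1,63 @@
+From 7f5707d93a62cf7474d94e038188a0a8ae2924e7 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 19 May 2021 13:12:48 +0200
+Subject: [PATCH] doc: nft.8: Extend monitor description by trace
+
+Briefly describe 'nft monitor trace' command functionality.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 2acf8b2caea19d8abd46d475a908f8d6afb33aa0)
+---
+doc/nft.txt | 25 ++++++++++++++++++++++---
+1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/doc/nft.txt b/doc/nft.txt
+index 2642d8903787f..7b3c70d82a127 100644
+--- a/doc/nft.txt
++++ b/doc/nft.txt
+@@ -805,13 +805,26 @@ These are some additional commands included in nft.
+MONITOR
+~~~~~~~~
+The monitor command allows you to listen to Netlink events produced by the
+-nf_tables subsystem, related to creation and deletion of objects. When they
++nf_tables subsystem. These are either related to creation and deletion of
++objects or to packets for which *meta nftrace* was enabled. When they
+occur, nft will print to stdout the monitored events in either JSON or
+native nft format. +
+
+-To filter events related to a concrete object, use one of the keywords 'tables', 'chains', 'sets', 'rules', 'elements', 'ruleset'. +
++[verse]
++____
++*monitor* [*new* | *destroy*] 'MONITOR_OBJECT'
++*monitor* *trace*
++
++'MONITOR_OBJECT' := *tables* | *chains* | *sets* | *rules* | *elements* | *ruleset*
++____
+
+-To filter events related to a concrete action, use keyword 'new' or 'destroy'.
++To filter events related to a concrete object, use one of the keywords in
++'MONITOR_OBJECT'.
++
++To filter events related to a concrete action, use keyword *new* or *destroy*.
++
++The second form of invocation takes no further options and exclusively prints
++events generated for packets with *nftrace* enabled.
+
+Hit ^C to finish the monitor operation.
+
+@@ -835,6 +848,12 @@ Hit ^C to finish the monitor operation.
+% nft monitor ruleset
+---------------------
+
++.Trace incoming packets from host 10.0.0.1
++------------------------------------------
++% nft add rule filter input ip saddr 10.0.0.1 meta nftrace set 1
++% nft monitor trace
++------------------------------------------
++
+ERROR REPORTING
+---------------
+When an error is detected, nft shows the line(s) containing the error, the
+--
+2.33.0
+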
@ -1,6 +1,6 @@
|
|||||||
Name: nftables
|
Name: nftables
|
||||||
Version: 0.9.8
|
Version: 0.9.8
|
||||||
Release: 7%{?dist}
|
Release: 9%{?dist}
|
||||||
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
|
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Summary: Netfilter Tables userspace utillites
|
Summary: Netfilter Tables userspace utillites
|
||||||
@ -29,6 +29,9 @@ Patch12: 0012-netlink_delinearize-Fix-suspicious-calloc-call.patch
|
|||||||
Patch13: 0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch
|
Patch13: 0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch
|
||||||
Patch14: 0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch
|
Patch14: 0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch
|
||||||
Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch
|
Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch
|
||||||
|
Patch16: 0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
|
||||||
|
Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
|
||||||
|
Patch18: 0018-doc-nft.8-Extend-monitor-description-by-trace.patch
|
||||||
|
|
||||||
#BuildRequires: autogen
|
#BuildRequires: autogen
|
||||||
#BuildRequires: autoconf
|
#BuildRequires: autoconf
|
||||||
@ -138,6 +141,13 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
|
|||||||
%{python3_sitelib}/nftables/
|
%{python3_sitelib}/nftables/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 11 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-9
|
||||||
|
- doc: nft.8: Extend monitor description by trace
|
||||||
|
|
||||||
|
* Fri Nov 05 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-8
|
||||||
|
- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")
|
||||||
|
- segtree: Fix segfault when restoring a huge interval set
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.9.8-7
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.9.8-7
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
Related: rhbz#1991688
|
Related: rhbz#1991688
|
||||||
|