nftables-1.0.4-11.el9

* Thu Sep 21 2023 Phil Sutter <psutter@redhat.com> [1.0.4-11.el9]
- rule: check address family in set collapse (Phil Sutter) [RHEL-5908]
- spec: Rename variables to avoid a clash (Phil Sutter) [INTERNAL]
Resolves: RHEL-5908
This commit is contained in:
Phil Sutter 2023-09-21 17:30:57 +02:00
parent 859c03055c
commit d3aed7241a
2 changed files with 123 additions and 4 deletions

@ -0,0 +1,114 @@
From cd38d8b8d34685d6bcbce4ac259a42c47ff67580 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 21 Sep 2023 17:27:22 +0200
Subject: [PATCH] rule: check address family in set collapse
JIRA: https://issues.redhat.com/browse/RHEL-5908
Upstream Status: nftables commit a817ea9655dee
commit a817ea9655dee1915423a802c0133e3611e02b3a
Author: Derek Hageman <hageman@inthat.cloud>
Date: Thu Sep 1 10:10:41 2022 -0600
rule: check address family in set collapse
498a5f0c219d added collapsing of set operations in different commands.
However, the logic is currently too relaxed. It is valid to have a
table and set with identical names on different address families.
For example:
    table ip a {
        set x {
            type inet_service;
        }
    }
    table ip6 a {
        set x {
            type inet_service;
        }
    }
    add element ip a x { 1 }
    add element ip a x { 2 }
    add element ip6 a x { 2 }
The above currently results in nothing being added to the ip6 family
table due to being collapsed into the ip table add. Prior to
498a5f0c219d the set add would work. The fix is simply to check the
family in addition to the table and set names before allowing a
collapse.
[ Add testcase to tests/shell --pablo ]
Fixes: 498a5f0c219d ("rule: collapse set element commands")
Signed-off-by: Derek Hageman <hageman@inthat.cloud>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/rule.c | 3 ++-
tests/shell/testcases/sets/collapse_elem_0 | 19 +++++++++++++++++++
.../testcases/sets/dumps/collapse_elem_0.nft | 12 ++++++++++++
3 files changed, 33 insertions(+), 1 deletion(-)
create mode 100755 tests/shell/testcases/sets/collapse_elem_0
create mode 100644 tests/shell/testcases/sets/dumps/collapse_elem_0.nft
diff --git a/src/rule.c b/src/rule.c
index 0526a14..3b60cca 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1409,7 +1409,8 @@ bool nft_cmd_collapse(struct list_head *cmds)
continue;
}
- if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
+ if (elems->handle.family != cmd->handle.family ||
+ strcmp(elems->handle.table.name, cmd->handle.table.name) ||
strcmp(elems->handle.set.name, cmd->handle.set.name)) {
elems = cmd;
continue;
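Review bot: the added `elems->handle.family != cmd->handle.family` test correctly widens the collapse key from (table, set) to (family, table, set), and putting the integer compare first short-circuits before the two strcmp() calls. Since the original defect was exactly that the key omitted family even though identically named tables are legal across families, a one-line comment above the condition saying that all three fields must match before two element commands may be merged would keep a future refactor from dropping it again.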
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0
new file mode 100755
index 0000000..7699e9d
--- /dev/null
+++ b/tests/shell/testcases/sets/collapse_elem_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip a {
+ set x {
+ type inet_service;
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service;
+ }
+}
+add element ip a x { 1 }
+add element ip a x { 2 }
+add element ip6 a x { 2 }"
+
+$NFT -f - <<< $RULESET
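Review bot: the script only asserts that the ruleset loads (`set -e` plus `$NFT -f -`); the regression itself, element 2 landing in `ip6 a x` rather than being folded into the `ip a x` add, is verified solely by the expected dump collapse_elem_0.nft added below, so if the dump comparison were ever skipped this test would still pass on the broken code. Also, `<<< $RULESET` works because bash here-strings perform neither word splitting nor pathname expansion, but quoting it as `"$RULESET"` follows the usual convention and spares a reader from wondering whether the braces in `{ 1 }` could be expanded.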
diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
new file mode 100644
index 0000000..a3244fc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
@@ -0,0 +1,12 @@
+table ip a {
+ set x {
+ type inet_service
+ elements = { 1, 2 }
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service
+ elements = { 2 }
+ }
+}
--
2.41.0

@ -1,9 +1,9 @@
%define rpmversion 1.0.4
%define specrelease 10
%define nft_rpmversion 1.0.4
%define nft_specrelease 11
Name: nftables
Version: %{rpmversion}
Release: %{specrelease}%{?dist}%{?buildid}
Version: %{nft_rpmversion}
Release: %{nft_specrelease}%{?dist}%{?buildid}
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
Epoch: 1
Summary: Netfilter Tables userspace utillites
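Review bot: renaming `rpmversion`/`specrelease` to `nft_rpmversion`/`nft_specrelease` only removes the clash if every consumer is switched; this hunk shows Version and Release moving over, so please confirm no other `%{rpmversion}` or `%{specrelease}` reference remains elsewhere in the spec (a Source URL or %prep line, for example), because an undefined macro is left as literal text in the build rather than failing it. Unrelated but adjacent: the Summary context line reads "utillites" where "utilities" is intended.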
@ -50,6 +50,7 @@ Patch28: 0028-netlink-Fix-for-potential-NULL-pointer-deref.patch
Patch29: 0029-optimize-Do-not-return-garbage-from-stack.patch
Patch30: 0030-optimize-Clarify-chain_optimize-array-allocations.patch
Patch31: 0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch
Patch32: 0032-rule-check-address-family-in-set-collapse.patch
BuildRequires: autoconf
BuildRequires: automake
@ -161,6 +162,10 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
%{python3_sitelib}/nftables/
%changelog
* Thu Sep 21 2023 Phil Sutter <psutter@redhat.com> [1.0.4-11.el9]
- rule: check address family in set collapse (Phil Sutter) [RHEL-5908]
- spec: Rename variables to avoid a clash (Phil Sutter) [INTERNAL]
* Tue Feb 21 2023 Phil Sutter <psutter@redhat.com> [1.0.4-10.el9]
- netlink_delinearize: Sanitize concat data element decoding (Phil Sutter) [2160049]
- optimize: Clarify chain_optimize() array allocations (Phil Sutter) [2160049]