import nftables-0.9.8-7.el9

.gitignore

@@ -0,0 +1 @@
+SOURCES/nftables-0.9.8.tar.bz2

.nftables.metadata

@@ -0,0 +1 @@
+c15ac5552959c8358975f6b3e15757841c6904c8 SOURCES/nftables-0.9.8.tar.bz2

SOURCES/0001-payload-check-icmp-dependency-before-removing-previo.patch

@@ -0,0 +1,122 @@
+From 9230899c6d2be8913646ff1a3b560865c330de7b Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 1 Feb 2021 22:08:54 +0100
+Subject: [PATCH] payload: check icmp dependency before removing previous icmp
+ expression
+
+nft is too greedy when removing icmp dependencies.
+'icmp code 1 type 2' did remove the type when printing.
+
+Be more careful and check that the icmp type dependency of the
+candidate expression (earlier icmp payload expression) has the same
+type dependency as the new expression.
+
+Reported-by: Eric Garver <eric@garver.life>
+Reported-by: Michael Biebl <biebl@debian.org>
+Tested-by: Eric Garver <eric@garver.life>
+Fixes: d0f3b9eaab8d77e ("payload: auto-remove simple icmp/icmpv6 dependency expressions")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 533565244d88a818d8828ebabd7625e5a8a4c374)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/payload.c | 63 ++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 42 insertions(+), 21 deletions(-)
+
+diff --git a/src/payload.c b/src/payload.c
+index 48529bcf5c514..a77ca55005509 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -627,6 +627,40 @@ void payload_dependency_release(struct payload_dep_ctx *ctx)
+ 	ctx->pdep  = NULL;
+ }
+ 
++static uint8_t icmp_dep_to_type(enum icmp_hdr_field_type t)
++{
++	switch (t) {
++	case PROTO_ICMP_ANY:
++		BUG("Invalid map for simple dependency");
++	case PROTO_ICMP_ECHO: return ICMP_ECHO;
++	case PROTO_ICMP6_ECHO: return ICMP6_ECHO_REQUEST;
++	case PROTO_ICMP_MTU: return ICMP_DEST_UNREACH;
++	case PROTO_ICMP_ADDRESS: return ICMP_REDIRECT;
++	case PROTO_ICMP6_MTU: return ICMP6_PACKET_TOO_BIG;
++	case PROTO_ICMP6_MGMQ: return MLD_LISTENER_QUERY;
++	case PROTO_ICMP6_PPTR: return ICMP6_PARAM_PROB;
++	}
++
++	BUG("Missing icmp type mapping");
++}
++
++static bool payload_may_dependency_kill_icmp(struct payload_dep_ctx *ctx, struct expr *expr)
++{
++	const struct expr *dep = ctx->pdep->expr;
++	uint8_t icmp_type;
++
++	icmp_type = expr->payload.tmpl->icmp_dep;
++	if (icmp_type == PROTO_ICMP_ANY)
++		return false;
++
++	if (dep->left->payload.desc != expr->payload.desc)
++		return false;
++
++	icmp_type = icmp_dep_to_type(expr->payload.tmpl->icmp_dep);
++
++	return ctx->icmp_type == icmp_type;
++}
++
+ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
+ 					unsigned int family, struct expr *expr)
+ {
+@@ -661,6 +695,14 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
+ 		break;
+ 	}
+ 
++	if (expr->payload.base == PROTO_BASE_TRANSPORT_HDR &&
++	    dep->left->payload.base == PROTO_BASE_TRANSPORT_HDR) {
++		if (dep->left->payload.desc == &proto_icmp)
++			return payload_may_dependency_kill_icmp(ctx, expr);
++		if (dep->left->payload.desc == &proto_icmp6)
++			return payload_may_dependency_kill_icmp(ctx, expr);
++	}
++
+ 	return true;
+ }
+ 
+@@ -680,10 +722,6 @@ void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+ 	if (payload_dependency_exists(ctx, expr->payload.base) &&
+ 	    payload_may_dependency_kill(ctx, family, expr))
+ 		payload_dependency_release(ctx);
+-	else if (ctx->icmp_type && ctx->pdep) {
+-		fprintf(stderr, "Did not kill \n");
+-		payload_dependency_release(ctx);
+-	}
+ }
+ 
+ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+@@ -707,23 +745,6 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+ 	}
+ }
+ 
+-static uint8_t icmp_dep_to_type(enum icmp_hdr_field_type t)
+-{
+-	switch (t) {
+-	case PROTO_ICMP_ANY:
+-		BUG("Invalid map for simple dependency");
+-	case PROTO_ICMP_ECHO: return ICMP_ECHO;
+-	case PROTO_ICMP6_ECHO: return ICMP6_ECHO_REQUEST;
+-	case PROTO_ICMP_MTU: return ICMP_DEST_UNREACH;
+-	case PROTO_ICMP_ADDRESS: return ICMP_REDIRECT;
+-	case PROTO_ICMP6_MTU: return ICMP6_PACKET_TOO_BIG;
+-	case PROTO_ICMP6_MGMQ: return MLD_LISTENER_QUERY;
+-	case PROTO_ICMP6_PPTR: return ICMP6_PARAM_PROB;
+-	}
+-
+-	BUG("Missing icmp type mapping");
+-}
+-
+ /**
+  * payload_expr_complete - fill in type information of a raw payload expr
+  *
+-- 
+2.31.1
+

SOURCES/0002-tests-add-icmp-6-test-where-dependency-should-be-lef.patch

@@ -0,0 +1,165 @@
+From bcd7ef679ca12700970e84fdd8ed38d8f58557ea Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 1 Feb 2021 22:44:25 +0100
+Subject: [PATCH] tests: add icmp/6 test where dependency should be left alone
+
+These tests fail: nft should leave the type as-is.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 3eb14fd93093c5e084d3ac1c4b0171cf80fb264f)
+
+Conflicts:
+	tests/py/ip/icmp.t.json
+	tests/py/ip6/icmpv6.t.json
+-> Context change it seems.
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ tests/py/ip/icmp.t                |  2 ++
+ tests/py/ip/icmp.t.json           | 28 ++++++++++++++++++++
+ tests/py/ip/icmp.t.payload.ip     |  6 +++++
+ tests/py/ip6/icmpv6.t             |  2 ++
+ tests/py/ip6/icmpv6.t.json        | 44 +++++++++++++++++++++++++++++++
+ tests/py/ip6/icmpv6.t.payload.ip6 |  7 +++++
+ 6 files changed, 89 insertions(+)
+
+diff --git a/tests/py/ip/icmp.t b/tests/py/ip/icmp.t
+index c22b55eb1e3f4..11f3662e2b027 100644
+--- a/tests/py/ip/icmp.t
++++ b/tests/py/ip/icmp.t
+@@ -86,3 +86,5 @@ icmp gateway != { 33-55};ok
+ icmp gateway != 34;ok
+ icmp gateway != { 333, 334};ok
+ 
++icmp code 1 icmp type 2;ok;icmp type 2 icmp code host-unreachable
++icmp code != 1 icmp type 2 icmp mtu 5;fail
+diff --git a/tests/py/ip/icmp.t.json b/tests/py/ip/icmp.t.json
+index 965eb10be9edf..2ea5b1a3e5e02 100644
+--- a/tests/py/ip/icmp.t.json
++++ b/tests/py/ip/icmp.t.json
+@@ -1424,3 +1424,31 @@
+     }
+ ]
+ 
++# icmp code 1 icmp type 2
++[
++    {
++        "match": {
++            "left": {
++                "payload": {
++                    "field": "type",
++                    "protocol": "icmp"
++                }
++            },
++            "op": "==",
++            "right": 2
++        }
++    },
++    {
++        "match": {
++            "left": {
++                "payload": {
++                    "field": "code",
++                    "protocol": "icmp"
++                }
++            },
++            "op": "==",
++            "right": "host-unreachable"
++        }
++    }
++]
++
+diff --git a/tests/py/ip/icmp.t.payload.ip b/tests/py/ip/icmp.t.payload.ip
+index d75d12a061252..97464a08379e3 100644
+--- a/tests/py/ip/icmp.t.payload.ip
++++ b/tests/py/ip/icmp.t.payload.ip
+@@ -787,3 +787,9 @@ ip test-ip4 input
+   [ lookup reg 1 set __set%d ]
+   [ immediate reg 0 accept ]
+ 
++# icmp code 1 icmp type 2
++ip 
++  [ meta load l4proto => reg 1 ]
++  [ cmp eq reg 1 0x00000001 ]
++  [ payload load 2b @ transport header + 0 => reg 1 ]
++  [ cmp eq reg 1 0x00000102 ]
+diff --git a/tests/py/ip6/icmpv6.t b/tests/py/ip6/icmpv6.t
+index 8b411a8bf4392..d07c34bd939dc 100644
+--- a/tests/py/ip6/icmpv6.t
++++ b/tests/py/ip6/icmpv6.t
+@@ -92,3 +92,5 @@ icmpv6 max-delay {33, 55, 67, 88};ok
+ icmpv6 max-delay != {33, 55, 67, 88};ok
+ icmpv6 max-delay {33-55};ok
+ icmpv6 max-delay != {33-55};ok
++
++icmpv6 type parameter-problem icmpv6 code no-route;ok
+diff --git a/tests/py/ip6/icmpv6.t.json b/tests/py/ip6/icmpv6.t.json
+index f6cfbf172f562..be2f1b462bb18 100644
+--- a/tests/py/ip6/icmpv6.t.json
++++ b/tests/py/ip6/icmpv6.t.json
+@@ -1300,3 +1300,47 @@
+     }
+ ]
+ 
++# icmpv6 type packet-too-big icmpv6 mtu 1280
++[
++    {
++        "match": {
++            "left": {
++                "payload": {
++                    "field": "mtu",
++                    "protocol": "icmpv6"
++                }
++            },
++            "op": "==",
++            "right": 1280
++        }
++    }
++]
++
++# icmpv6 type parameter-problem icmpv6 code no-route
++[
++    {
++        "match": {
++            "left": {
++                "payload": {
++                    "field": "type",
++                    "protocol": "icmpv6"
++                }
++            },
++            "op": "==",
++            "right": "parameter-problem"
++        }
++    },
++    {
++        "match": {
++            "left": {
++                "payload": {
++                    "field": "code",
++                    "protocol": "icmpv6"
++                }
++            },
++            "op": "==",
++            "right": "no-route"
++        }
++    }
++]
++
+diff --git a/tests/py/ip6/icmpv6.t.payload.ip6 b/tests/py/ip6/icmpv6.t.payload.ip6
+index 171b7eade6d3e..448779d16922c 100644
+--- a/tests/py/ip6/icmpv6.t.payload.ip6
++++ b/tests/py/ip6/icmpv6.t.payload.ip6
+@@ -682,3 +682,10 @@ ip6 test-ip6 input
+   [ payload load 2b @ transport header + 4 => reg 1 ]
+   [ lookup reg 1 set __set%d 0x1 ]
+ 
++# icmpv6 type parameter-problem icmpv6 code no-route
++ip6 
++  [ meta load l4proto => reg 1 ]
++  [ cmp eq reg 1 0x0000003a ]
++  [ payload load 2b @ transport header + 0 => reg 1 ]
++  [ cmp eq reg 1 0x00000004 ]
++
+-- 
+2.31.1
+

SOURCES/0003-main-fix-nft-help-output-fallout-from-719e4427.patch

@@ -0,0 +1,48 @@
+From 5f91359f1bbcd73346e4469f0b5a30e04f107a06 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
+Date: Mon, 22 Feb 2021 13:03:19 +0100
+Subject: [PATCH] main: fix nft --help output fallout from 719e4427
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Long options were missing the double dash.
+
+Fixes: 719e44277f8e ("main: use one data-structure to initialize getopt_long(3) arguments and help.")
+Cc: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Štěpán Němec <snemec@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit b8c6dd1a9c0c6e937febc113e7ea89079aa945be)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index 80cf1acf0f7f4..8c47064459ecb 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -175,16 +175,17 @@ static const struct option *get_options(void)
+ 
+ static void print_option(const struct nft_opt *opt)
+ {
+-	char optbuf[33] = "";
++	char optbuf[35] = "";
+ 	int i;
+ 
+ 	i = snprintf(optbuf, sizeof(optbuf), "  -%c", opt->val);
+ 	if (opt->name)
+-		i += snprintf(optbuf + i, sizeof(optbuf) - i, ", %s", opt->name);
++		i += snprintf(optbuf + i, sizeof(optbuf) - i, ", --%s",
++			      opt->name);
+ 	if (opt->arg)
+ 		i += snprintf(optbuf + i, sizeof(optbuf) - i, " %s", opt->arg);
+ 
+-	printf("%-32s%s\n", optbuf, opt->help);
++	printf("%-34s%s\n", optbuf, opt->help);
+ }
+ 
+ static void show_help(const char *name)
+-- 
+2.31.1
+

SOURCES/0004-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch

@@ -0,0 +1,30 @@
+From f09f39704d8bfa15d236b6891aabef270ec43d73 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 16:03:32 +0200
+Subject: [PATCH] parser_bison: Fix for implicit declaration of isalnum
+
+Have to include ctype.h to make it known.
+
+Fixes: e76bb37940181 ("src: allow for variables in the log prefix string")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 7c3b2a7acbdc793b822a230ec0c28086c7d0365d)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/parser_bison.y | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 519e8efe5ab7e..8644f66106496 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -10,6 +10,7 @@
+ 
+ %{
+ 
++#include <ctype.h>
+ #include <stddef.h>
+ #include <stdio.h>
+ #include <inttypes.h>
+-- 
+2.31.1
+

SOURCES/0005-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch

@@ -0,0 +1,39 @@
+From a79e92c0f6761a748ef3cbffd26a4f1db82b4b3e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 16:07:02 +0200
+Subject: [PATCH] parser_json: Fix for memleak in tcp option error path
+
+If 'kind' value is invalid, the function returned without freeing 'expr'
+first. Fix this by performing the check before allocation.
+
+Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit f7b0eef8391ae7f89a3a82f6eeecaebe199224d7)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/parser_json.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/parser_json.c b/src/parser_json.c
+index f0486b77a225a..85d05ce27eef3 100644
+--- a/src/parser_json.c
++++ b/src/parser_json.c
+@@ -611,12 +611,12 @@ static struct expr *json_parse_tcp_option_expr(struct json_ctx *ctx,
+ 			"base", &kind, "offset", &offset, "len", &len)) {
+ 		uint32_t flag = 0;
+ 
+-		expr = tcpopt_expr_alloc(int_loc, kind,
+-					 TCPOPT_COMMON_KIND);
+-
+ 		if (kind < 0 || kind > 255)
+ 			return NULL;
+ 
++		expr = tcpopt_expr_alloc(int_loc, kind,
++					 TCPOPT_COMMON_KIND);
++
+ 		if (offset == TCPOPT_COMMON_KIND && len == 8)
+ 			flag = NFT_EXTHDR_F_PRESENT;
+ 
+-- 
+2.31.1
+

SOURCES/0006-evaluate-Mark-fall-through-case-in-str2hooknum.patch

@@ -0,0 +1,30 @@
+From 07ebd0fa9300176f818789fde2498422fa421090 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 16:19:18 +0200
+Subject: [PATCH] evaluate: Mark fall through case in str2hooknum()
+
+It is certainly intentional, so just mark it as such.
+
+Fixes: b4775dec9f80b ("src: ingress inet support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit c2e06beef3390867901080c0d789e3b6257e2b98)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/evaluate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index c830dcdbd9651..2a897f469434a 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -4030,6 +4030,7 @@ static uint32_t str2hooknum(uint32_t family, const char *hook)
+ 	case NFPROTO_INET:
+ 		if (!strcmp(hook, "ingress"))
+ 			return NF_INET_INGRESS;
++		/* fall through */
+ 	case NFPROTO_IPV4:
+ 	case NFPROTO_BRIDGE:
+ 	case NFPROTO_IPV6:
+-- 
+2.31.1
+

SOURCES/0007-json-Drop-pointless-assignment-in-exthdr_expr_json.patch

@@ -0,0 +1,30 @@
+From a7da4f45cc1c8419b38e3e9adf0e15bedb8b0257 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 16:23:22 +0200
+Subject: [PATCH] json: Drop pointless assignment in exthdr_expr_json()
+
+The updated value of 'is_exists' is no longer read at this point.
+
+Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit c1616dfd1ce40bac197924c8947e1c646e915dca)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/json.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/json.c b/src/json.c
+index 585d35326ac01..1fb5015124e16 100644
+--- a/src/json.c
++++ b/src/json.c
+@@ -692,7 +692,6 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)
+ 					 "base", expr->exthdr.raw_type,
+ 					 "offset", expr->exthdr.offset,
+ 					 "len", expr->len);
+-			is_exists = false;
+ 		}
+ 
+ 		return json_pack("{s:o}", "tcp option", root);
+-- 
+2.31.1
+

SOURCES/0008-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch

@@ -0,0 +1,42 @@
+From 2344a35f90ef4a467b6bb9779fc687b17f4a4b51 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 16:43:21 +0200
+Subject: [PATCH] netlink: Avoid memleak in error path of
+ netlink_delinearize_set()
+
+Duplicate string 'comment' later when the function does not fail
+anymore.
+
+Fixes: 0864c2d49ee8a ("src: add comment support for set declarations")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit accd7a346fd19f1ffc503b3f681323abf1157c1a)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index ec2dad29ace1c..5c38a9f157d38 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -840,7 +840,7 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
+ 		if (ud[NFTNL_UDATA_SET_DATA_TYPEOF])
+ 			typeof_expr_data = set_make_key(ud[NFTNL_UDATA_SET_DATA_TYPEOF]);
+ 		if (ud[NFTNL_UDATA_SET_COMMENT])
+-			comment = xstrdup(nftnl_udata_get(ud[NFTNL_UDATA_SET_COMMENT]));
++			comment = nftnl_udata_get(ud[NFTNL_UDATA_SET_COMMENT]);
+ 	}
+ 
+ 	key = nftnl_set_get_u32(nls, NFTNL_SET_KEY_TYPE);
+@@ -878,7 +878,7 @@ struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
+ 	set->handle.set.name = xstrdup(nftnl_set_get_str(nls, NFTNL_SET_NAME));
+ 	set->automerge	   = automerge;
+ 	if (comment)
+-		set->comment = comment;
++		set->comment = xstrdup(comment);
+ 
+ 	init_list_head(&set_parse_ctx.stmt_list);
+ 
+-- 
+2.31.1
+

SOURCES/0009-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch

@@ -0,0 +1,32 @@
+From 6cbc04136a91eca237476827b57e78ac29e00aeb Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 18:32:13 +0200
+Subject: [PATCH] netlink: Avoid memleak in error path of
+ netlink_delinearize_chain()
+
+If parsing udata fails, 'chain' has to be freed before returning to
+caller.
+
+Fixes: 702ac2b72c0e8 ("src: add comment support for chains")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 04f7af9dd66d3a0f627f43bc4bf55bae9856efc8)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index 5c38a9f157d38..22140afc3fd7e 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -573,6 +573,7 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
+ 		udata = nftnl_chain_get_data(nlc, NFTNL_CHAIN_USERDATA, &ulen);
+ 		if (nftnl_udata_parse(udata, ulen, chain_parse_udata_cb, ud) < 0) {
+ 			netlink_io_error(ctx, NULL, "Cannot parse userdata");
++			chain_free(chain);
+ 			return NULL;
+ 		}
+ 		if (ud[NFTNL_UDATA_CHAIN_COMMENT])
+-- 
+2.31.1
+

SOURCES/0010-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch

@@ -0,0 +1,32 @@
+From c47e6d3b1ccb166b807d19fd585d6b5b3cd0b7f7 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 18:33:44 +0200
+Subject: [PATCH] netlink: Avoid memleak in error path of
+ netlink_delinearize_table()
+
+If parsing udata fails, 'table' has to be freed before returning to
+caller.
+
+Fixes: c156232a530b3 ("src: add comment support when adding tables")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 47640634cff9932784a1a96836d6c5809cc8264d)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index 22140afc3fd7e..fd82b16cb9f6e 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -620,6 +620,7 @@ struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
+ 		udata = nftnl_table_get_data(nlt, NFTNL_TABLE_USERDATA, &ulen);
+ 		if (nftnl_udata_parse(udata, ulen, table_parse_udata_cb, ud) < 0) {
+ 			netlink_io_error(ctx, NULL, "Cannot parse userdata");
++			table_free(table);
+ 			return NULL;
+ 		}
+ 		if (ud[NFTNL_UDATA_TABLE_COMMENT])
+-- 
+2.31.1
+

SOURCES/0011-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch

@@ -0,0 +1,32 @@
+From 3ec01f287b0b61c0e6d885a7e96dcfa5afa800b8 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 16:46:48 +0200
+Subject: [PATCH] netlink: Avoid memleak in error path of
+ netlink_delinearize_obj()
+
+If parsing udata fails, 'obj' has to be freed before returning to
+caller.
+
+Fixes: 293c9b114faef ("src: add comment support for objects")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 97b5d4bbcac4d3237f114c1c6a57c37968ebe0fc)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index fd82b16cb9f6e..4c03baeff5d66 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -1445,6 +1445,7 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
+ 		udata = nftnl_obj_get_data(nlo, NFTNL_OBJ_USERDATA, &ulen);
+ 		if (nftnl_udata_parse(udata, ulen, obj_parse_udata_cb, ud) < 0) {
+ 			netlink_io_error(ctx, NULL, "Cannot parse userdata");
++			obj_free(obj);
+ 			return NULL;
+ 		}
+ 		if (ud[NFTNL_UDATA_OBJ_COMMENT])
+-- 
+2.31.1
+

SOURCES/0012-netlink_delinearize-Fix-suspicious-calloc-call.patch

@@ -0,0 +1,35 @@
+From d8322b08998a6945b659078b5cc4bd7423194f70 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 17:02:01 +0200
+Subject: [PATCH] netlink_delinearize: Fix suspicious calloc() call
+
+Parameter passed to sizeof() was wrong. While being at it, replace the
+whole call with xmalloc_array() which takes care of error checking.
+
+Fixes: 913979f882d13 ("src: add expression handler hashtable")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit c4058f96c6a55e4fcd49d4380ac07b5466ec01c0)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/netlink_delinearize.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 7315072284119..152b3e6cf8c65 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -1732,9 +1732,8 @@ void expr_handler_init(void)
+ 	unsigned int i;
+ 	uint32_t hash;
+ 
+-	expr_handle_ht = calloc(NFT_EXPR_HSIZE, sizeof(expr_handle_ht));
+-	if (!expr_handle_ht)
+-		memory_allocation_error();
++	expr_handle_ht = xmalloc_array(NFT_EXPR_HSIZE,
++				       sizeof(expr_handle_ht[0]));
+ 
+ 	for (i = 0; i < array_size(netlink_parsers); i++) {
+ 		hash = djb_hash(netlink_parsers[i].name) % NFT_EXPR_HSIZE;
+-- 
+2.31.1
+

SOURCES/0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch

@@ -0,0 +1,32 @@
+From 5fbf4169fba1dfef0f461c4fe31bed70610ebce2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 11 Jun 2021 17:08:34 +0200
+Subject: [PATCH] rule: Fix for potential off-by-one in cmd_add_loc()
+
+Using num_attrs as index means it must be at max one less than the
+array's size at function start.
+
+Fixes: 27362a5bfa433 ("rule: larger number of error locations")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 2d0a7a9adeb30708d6fbbee57476c0d4b9214dbd)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/rule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rule.c b/src/rule.c
+index e4bb6bae276a0..03422da3a7560 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1491,7 +1491,7 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
+ 
+ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
+ {
+-	if (cmd->num_attrs > NFT_NLATTR_LOC_MAX)
++	if (cmd->num_attrs >= NFT_NLATTR_LOC_MAX)
+ 		return;
+ 
+ 	cmd->attr[cmd->num_attrs].offset = offset;
+-- 
+2.31.1
+

SOURCES/0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch

@@ -0,0 +1,71 @@
+From 6509f63cb68ea2dd737f9b52c146803402efcd7a Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 14 Jun 2021 14:47:47 +0200
+Subject: [PATCH] src: add xzalloc_array() and use it to allocate the
+ expression hashtable
+
+Otherwise, assertion to ensure that no colission occur is hit due to
+uninitialized hashtable memory area:
+
+nft: netlink_delinearize.c:1741: expr_handler_init: Assertion `expr_handle_ht[hash] == NULL' failed.
+
+Fixes: c4058f96c6a5 ("netlink_delinearize: Fix suspicious calloc() call")
+Acked-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit b0e7b294224030abc534c396fffcab9fbce12b11)
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ include/utils.h           |  1 +
+ src/netlink_delinearize.c |  2 +-
+ src/utils.c               | 10 ++++++++++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/include/utils.h b/include/utils.h
+index f45f25132d18d..ffbe2cbb75be5 100644
+--- a/include/utils.h
++++ b/include/utils.h
+@@ -133,6 +133,7 @@ extern void *xmalloc(size_t size);
+ extern void *xmalloc_array(size_t nmemb, size_t size);
+ extern void *xrealloc(void *ptr, size_t size);
+ extern void *xzalloc(size_t size);
++extern void *xzalloc_array(size_t nmemb, size_t size);
+ extern char *xstrdup(const char *s);
+ extern void xstrunescape(const char *in, char *out);
+ 
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 152b3e6cf8c65..7665d6f29c602 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -1732,7 +1732,7 @@ void expr_handler_init(void)
+ 	unsigned int i;
+ 	uint32_t hash;
+ 
+-	expr_handle_ht = xmalloc_array(NFT_EXPR_HSIZE,
++	expr_handle_ht = xzalloc_array(NFT_EXPR_HSIZE,
+ 				       sizeof(expr_handle_ht[0]));
+ 
+ 	for (i = 0; i < array_size(netlink_parsers); i++) {
+diff --git a/src/utils.c b/src/utils.c
+index 47f5b791547b1..925841c571f5d 100644
+--- a/src/utils.c
++++ b/src/utils.c
+@@ -50,6 +50,16 @@ void *xmalloc_array(size_t nmemb, size_t size)
+ 	return xmalloc(nmemb * size);
+ }
+ 
++void *xzalloc_array(size_t nmemb, size_t size)
++{
++	void *ptr;
++
++	ptr = xmalloc_array(nmemb, size);
++	memset(ptr, 0, nmemb * size);
++
++	return ptr;
++}
++
+ void *xrealloc(void *ptr, size_t size)
+ {
+ 	ptr = realloc(ptr, size);
+-- 
+2.31.1
+

SOURCES/0015-json-init-parser-state-for-every-new-buffer-file.patch

@@ -0,0 +1,38 @@
+From 27f931c935f27a00fe0ecbe8c4bcb3be6ba41096 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 19 Feb 2021 10:11:26 -0500
+Subject: [PATCH] json: init parser state for every new buffer/file
+
+Otherwise invalid error states cause subsequent json parsing to fail
+when it should not.
+
+Signed-off-by: Eric Garver <eric@garver.life>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 267338ec392346ef55ed51509e5f8e8354d6c19a)
+---
+ src/parser_json.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/parser_json.c b/src/parser_json.c
+index 85d05ce27eef3..9bba77dad5f0d 100644
+--- a/src/parser_json.c
++++ b/src/parser_json.c
+@@ -3893,6 +3893,7 @@ int nft_parse_json_buffer(struct nft_ctx *nft, const char *buf,
+ 	};
+ 	int ret;
+ 
++	parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
+ 	nft->json_root = json_loads(buf, 0, NULL);
+ 	if (!nft->json_root)
+ 		return -EINVAL;
+@@ -3921,6 +3922,7 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename,
+ 	json_error_t err;
+ 	int ret;
+ 
++	parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
+ 	nft->json_root = json_load_file(filename, 0, &err);
+ 	if (!nft->json_root)
+ 		return -EINVAL;
+-- 
+2.31.1
+

SOURCES/main.nft

@@ -0,0 +1,64 @@
+# Sample configuration for nftables service.
+# Load this by calling 'nft -f /etc/nftables/main.nft'.
+
+# Note about base chain priorities:
+# The priority values used in these sample configs are
+# offset by 20 in order to avoid ambiguity when firewalld
+# is also running which uses an offset of 10. This means
+# that packets will traverse firewalld first and if not
+# dropped/rejected there will hit the chains defined here.
+# Chains created by iptables, ebtables and arptables tools
+# do not use an offset, so those chains are traversed first
+# in any case.
+
+# drop any existing nftables ruleset
+flush ruleset
+
+# a common table for both IPv4 and IPv6
+table inet nftables_svc {
+
+	# protocols to allow
+	set allowed_protocols {
+		type inet_proto
+		elements = { icmp, icmpv6 }
+	}
+
+	# interfaces to accept any traffic on
+	set allowed_interfaces {
+		type ifname
+		elements = { "lo" }
+	}
+
+	# services to allow
+	set allowed_tcp_dports {
+		type inet_service
+		elements = { ssh, 9090 }
+	}
+
+	# this chain gathers all accept conditions
+	chain allow {
+		ct state established,related accept
+
+		meta l4proto @allowed_protocols accept
+		iifname @allowed_interfaces accept
+		tcp dport @allowed_tcp_dports accept
+	}
+
+	# base-chain for traffic to this host
+	chain INPUT {
+		type filter hook input priority filter + 20
+		policy accept
+
+		jump allow
+		reject with icmpx type port-unreachable
+	}
+}
+
+# By default, any forwarding traffic is allowed.
+# Uncomment the following line to filter it based
+# on the same criteria as input traffic.
+#include "/etc/nftables/router.nft"
+
+# Uncomment the following line to enable masquerading of
+# forwarded traffic. May be used with or without router.nft.
+#include "/etc/nftables/nat.nft"

SOURCES/nat.nft

@@ -0,0 +1,30 @@
+# Sample configuration snippet for nftables service.
+# Meant to be included by main.nft, not for direct use.
+
+# dedicated table for IPv4
+table ip nftables_svc {
+
+	# interfaces to masquerade traffic from
+	set masq_interfaces {
+		type ifname
+		elements = { "virbr0" }
+	}
+
+	# networks to masquerade traffic from
+	# 'interval' flag is required to support subnets
+	set masq_ips {
+		type ipv4_addr
+		flags interval
+		elements = { 192.168.122.0/24 }
+	}
+
+	# base-chain to manipulate conntrack in postrouting,
+	# will see packets for new or related traffic only
+	chain POSTROUTING {
+		type nat hook postrouting priority srcnat + 20
+		policy accept
+
+		iifname @masq_interfaces oifname != @masq_interfaces masquerade
+		ip saddr @masq_ips masquerade
+	}
+}

SOURCES/nftables.conf

@@ -0,0 +1,8 @@
+# Uncomment the include statement here to load the default config sample
+# in /etc/nftables for nftables service.
+
+#include "/etc/nftables/main.nft"
+
+# To customize, either edit the samples in /etc/nftables, append further
+# commands to the end of this file or overwrite it after first service
+# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.

SOURCES/nftables.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Wants=network-pre.target
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
+ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
+ExecStop=/sbin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

SOURCES/router.nft

@@ -0,0 +1,16 @@
+# Sample configuration snippet for nftables service.
+# Meant to be included by main.nft, not for direct use.
+
+# a common table for both IPv4 and IPv6
+table inet nftables_svc {
+
+	# base-chain for traffic forwarded by this host
+	# re-uses 'allow' chain from main.nft
+	chain FORWARD {
+		type filter hook forward priority filter + 20
+		policy accept
+
+		jump allow
+		reject with icmpx type host-unreachable
+	}
+}

SPECS/nftables.spec

@@ -0,0 +1,359 @@
+Name:           nftables
+Version:        0.9.8
+Release:        7%{?dist}
+# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
+Epoch:          1
+Summary:        Netfilter Tables userspace utillites
+
+License:        GPLv2
+URL:            https://netfilter.org/projects/nftables/
+Source0:        %{url}/files/%{name}-%{version}.tar.bz2
+Source1:        nftables.service
+Source2:        nftables.conf
+Source3:        main.nft
+Source4:        router.nft
+Source5:        nat.nft
+
+Patch01: 0001-payload-check-icmp-dependency-before-removing-previo.patch
+Patch02: 0002-tests-add-icmp-6-test-where-dependency-should-be-lef.patch
+Patch03: 0003-main-fix-nft-help-output-fallout-from-719e4427.patch
+Patch04: 0004-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch
+Patch05: 0005-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch
+Patch06: 0006-evaluate-Mark-fall-through-case-in-str2hooknum.patch
+Patch07: 0007-json-Drop-pointless-assignment-in-exthdr_expr_json.patch
+Patch08: 0008-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
+Patch09: 0009-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
+Patch10: 0010-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
+Patch11: 0011-netlink-Avoid-memleak-in-error-path-of-netlink_delin.patch
+Patch12: 0012-netlink_delinearize-Fix-suspicious-calloc-call.patch
+Patch13: 0013-rule-Fix-for-potential-off-by-one-in-cmd_add_loc.patch
+Patch14: 0014-src-add-xzalloc_array-and-use-it-to-allocate-the-exp.patch
+Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch
+
+#BuildRequires: autogen
+#BuildRequires: autoconf
+#BuildRequires: automake
+#BuildRequires: libtool
+BuildRequires: make
+BuildRequires:  gcc
+BuildRequires: flex
+BuildRequires: bison
+BuildRequires: libmnl-devel
+BuildRequires: gmp-devel
+BuildRequires: readline-devel
+BuildRequires: libnftnl-devel
+BuildRequires: systemd
+BuildRequires: asciidoc
+BuildRequires: iptables-devel
+BuildRequires: jansson-devel
+BuildRequires: python3-devel
+
+%description
+Netfilter Tables userspace utilities.
+
+%package        devel
+Summary:        Development library for nftables / libnftables
+Requires:       %{name} = %{epoch}:%{version}-%{release}
+Requires:       pkgconfig
+
+%description devel
+Development tools and static libraries and header files for the libnftables library.
+
+%package -n     python3-nftables
+Summary:        Python module providing an interface to libnftables
+Requires:       %{name} = %{epoch}:%{version}-%{release}
+%{?python_provide:%python_provide python3-nftables}
+
+%description -n python3-nftables
+The nftables python module provides an interface to libnftables via ctypes.
+
+%prep
+%autosetup -p1
+
+%build
+#./autogen.sh
+%configure --disable-silent-rules --with-xtables --with-json \
+	--enable-python --with-python-bin=%{__python3}
+%make_build
+
+%install
+%make_install
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+# Don't ship static lib (for now at least)
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
+
+chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
+
+mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
+cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
+
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
+cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
+
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*.nft
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
+	$RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
+
+find $RPM_BUILD_ROOT/%{_sysconfdir} \
+	\( -type d -exec chmod 0700 {} \; \) , \
+	\( -type f -exec chmod 0600 {} \; \)
+
+# make nftables.py use the real library file name
+# to avoid nftables-devel package dependency
+sofile=$(readlink $RPM_BUILD_ROOT/%{_libdir}/libnftables.so)
+sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
+	$RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
+
+%post
+%systemd_post nftables.service
+%ldconfig_post
+
+%preun
+%systemd_preun nftables.service
+
+%postun
+%systemd_postun_with_restart nftables.service
+%ldconfig_postun
+
+%files
+%license COPYING
+%config(noreplace) %{_sysconfdir}/nftables/
+%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
+%{_sbindir}/nft
+%{_libdir}/libnftables.so.*
+%{_mandir}/man5/libnftables-json.5*
+%{_mandir}/man8/nft*
+%{_unitdir}/nftables.service
+%{_docdir}/nftables/examples/*.nft
+
+%files devel
+%{_libdir}/libnftables.so
+%{_libdir}/pkgconfig/libnftables.pc
+%{_includedir}/nftables/libnftables.h
+%{_mandir}/man3/libnftables.3*
+
+%files -n python3-nftables
+%{python3_sitelib}/nftables-*.egg-info
+%{python3_sitelib}/nftables/
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.9.8-7
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Jun 18 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-6
+- json: init parser state for every new buffer/file
+
+* Tue Jun 15 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-5
+- src: add xzalloc_array() and use it to allocate the expression hashtable
+
+* Mon Jun 14 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-4
+- Install an improved sample config
+- Fix permissions of osf-related configs
+- rule: Fix for potential off-by-one in cmd_add_loc()
+- netlink_delinearize: Fix suspicious calloc() call
+- netlink: Avoid memleak in error path of netlink_delinearize_obj()
+- netlink: Avoid memleak in error path of netlink_delinearize_table()
+- netlink: Avoid memleak in error path of netlink_delinearize_chain()
+- netlink: Avoid memleak in error path of netlink_delinearize_set()
+- json: Drop pointless assignment in exthdr_expr_json()
+- evaluate: Mark fall through case in str2hooknum()
+- parser_json: Fix for memleak in tcp option error path
+- parser_bison: Fix for implicit declaration of isalnum
+- main: fix nft --help output fallout from 719e4427
+- tests: add icmp/6 test where dependency should be left alone
+- payload: check icmp dependency before removing previous icmp expression
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.9.8-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Jan 16 2021 Kevin Fenzi <kevin@scrye.com> - 0.9.8-1
+- Update to 0.9.8. Fixes rhbz#1916940
+
+* Sat Oct 31 2020 Kevin Fenzi <kevin@scrye.com> - 0.9.7-1
+- Update to 0.9.7. Fixes bug #1891769
+
+* Thu Oct 29 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:0.9.6-2
+- Drop upstreamed patch
+
+* Sat Sep 05 2020 Neal Gompa <ngompa13@gmail.com> - 1:0.9.6-1
+- Update to 0.9.6 (RH#1846663)
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1:0.9.3-5
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1:0.9.3-4
+- Rebuilt for Python 3.9
+
+* Fri May 15 2020 Richard Shaw <hobbes1069@gmail.com> - 1:0.9.3-3
+- Add patch for json performance with ipsets, fixes RHBZ#1834853.
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Dec 04 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.3-1
+- Update to 0.9.3. Fixes bug #1778959
+
+* Tue Oct 01 2019 Phil Sutter <psutter@redhat.com> - 1:0.9.2-3
+- Drop unneeded docbook2X build dependency
+- Add python3-nftables sub-package
+
+* Fri Aug 23 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.2-2
+- Move libnftables section 3 man page to devel package.
+
+* Fri Aug 23 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.2-1
+- Update to 0.9.2. Fixes bug #1743223
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Jun 28 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.1-2
+- Add some filters to nftables.conf
+
+* Tue Jun 25 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.1-1
+- Update to 0.9.1. Fixes bug #1723515
+
+* Mon Jun 17 2019 Kevin Fenzi <kevin@scrye.com> - 0.9.0-7
+- Rebuild for new libnftnl.
+
+* Sat Mar 16 2019 Kevin Fenzi <kevin@scrye.com> - 1:0.9.0-6
+- Fix permissions. Bug #1685242
+
+* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:0.9.0-5
+- Rebuild for readline 8.0
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sun Nov 04 2018 Kevin Fenzi <kevin@scrye.com> - 0.9.0-3
+- Fix config file to have correct include names. Fixes bug #1642103
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.9.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Sat Jun 09 2018 Kevin Fenzi <kevin@scrye.com> - 0.9.0-1
+- Update to 0.9.0. Fixes bug #1589404
+
+* Fri May 11 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.5-1
+- Update to 0.8.5. Fixes bug #1576802
+
+* Sun May 06 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.4-2
+- Fix devel package to require the Epoch too.
+- Fix libraries split
+
+* Fri May 04 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.4-1
+- Update to 0.8.4. Fixes bug #1574096
+
+* Sat Mar 03 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.3-1
+- Update to 0.8.3. Fixes bug #1551207
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.8.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Feb 05 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.2-1
+- Update to 0.8.2. Fixes bug #1541582
+
+* Tue Jan 16 2018 Kevin Fenzi <kevin@scrye.com> - 0.8.1-1
+- Update to 0.8.1. Fixes bug #1534982
+
+* Sun Oct 22 2017 Kevin Fenzi <kevin@scrye.com> - 0.8-1
+- Update to 0.8. 
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 1:0.7-2
+- Rebuild for readline 7.x
+
+* Thu Dec 22 2016 Kevin Fenzi <kevin@scrye.com> - 0.7-1
+- Update to 0.7
+
+* Fri Jul 15 2016 Kevin Fenzi <kevin@scrye.com> - 0.6-2
+- Rebuild for new glibc symbols
+
+* Thu Jun 02 2016 Kevin Fenzi <kevin@scrye.com> - 0.6-1
+- Update to 0.6.
+
+* Sun Apr 10 2016 Kevin Fenzi <kevin@scrye.com> - 0.5-4
+- Add example config files and move config to /etc/sysconfig. Fixes bug #1313936
+
+* Fri Mar 25 2016 Kevin Fenzi <kevin@scrye.com> - 0.5-3
+- Add systemd unit file. Fixes bug #1313936
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Sep 17 2015 Kevin Fenzi <kevin@scrye.com> 0.5-1
+- Update to 0.5
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jan 10 2015 Kevin Fenzi <kevin@scrye.com> 0.4-2
+- Add patch to fix nft -f dep gen.
+
+* Fri Dec 26 2014 Kevin Fenzi <kevin@scrye.com> 0.4-1
+- Update to 0.4
+- Add Epoch to fix versioning. 
+
+* Wed Sep 03 2014 Kevin Fenzi <kevin@scrye.com> 0.100-4.20140903git
+- Update to 20140903 snapshot
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.100-4.20140704git
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 04 2014 Kevin Fenzi <kevin@scrye.com> 0.100-3.20140704git
+- Update to new snapshot
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.100-2.20140426git
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Apr 26 2014 Kevin Fenzi <kevin@scrye.com> 0.100-1.20140426git
+- Update t0 20140426
+
+* Sun Mar 30 2014 Kevin Fenzi <kevin@scrye.com> 0.100-1.20140330git
+- Update to 20140330 snapshot
+- Sync versions to be post 0.100 release.
+
+* Wed Mar 26 2014 Kevin Fenzi <kevin@scrye.com> 0-0.7.20140326git
+- Update to 20140326 snapshot
+- Fix permissions on man pages. 
+
+* Mon Mar 24 2014 Kevin Fenzi <kevin@scrye.com> 0-0.6.20140324git
+- Update to 20140324 snapshot
+
+* Fri Mar 07 2014 Kevin Fenzi <kevin@scrye.com> 0-0.5.20140307git
+- Update to 20140307
+
+* Sat Jan 25 2014 Kevin Fenzi <kevin@scrye.com> 0-0.4.20140125git
+- Update to 20140125 snapshot
+
+* Sat Jan 18 2014 Kevin Fenzi <kevin@scrye.com> 0-0.3.20140118git
+- Update to 20140118 snapshot
+- Fixed License tag to be correct
+- Fixed changelog
+- nft scripts now use full path for nft
+- Fixed man page building
+- Dropped unneeded rm in install
+- Patched build to not be silent. 
+
+* Tue Dec 03 2013 Kevin Fenzi <kevin@scrye.com> 0-0.2.20131202git
+- Use upstream snapshots for source.
+- Use 0 for version. 
+
+* Sat Nov 30 2013 Kevin Fenzi <kevin@scrye.com> 0-0.1
+- initial version for Fedora review