rpms/nftables
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import nftables-0.9.3-25.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-05-10 03:14:00 -04:00 committed by Stepan Oksanichenko
parent d1de3e821a
commit dee28686c1
62 changed files with 1428 additions and 184 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
SOURCES/0001-main-enforce-options-before-commands.patch
View File

@ -27,17 +27,17 @@ Date: Fri Dec 13 11:32:46 2019 +0100
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
--- ---
src/main.c | 46 +++++++++++++++++++++- src/main.c | 46 ++++++++++++++++++-
tests/shell/testcases/cache/0001_cache_handling_0 | 2 +- .../testcases/cache/0001_cache_handling_0 | 2 +-
tests/shell/testcases/chains/0016delete_handle_0 | 4 +- .../testcases/chains/0016delete_handle_0 | 4 +-
.../shell/testcases/chains/0039negative_priority_0 | 8 ++++ .../testcases/chains/0039negative_priority_0 | 8 ++++
.../shell/testcases/flowtable/0010delete_handle_0 | 2 +- .../testcases/flowtable/0010delete_handle_0 | 2 +-
.../shell/testcases/maps/0008interval_map_delete_0 | 2 +- .../testcases/maps/0008interval_map_delete_0 | 2 +-
tests/shell/testcases/optionals/comments_0 | 2 +- tests/shell/testcases/optionals/comments_0 | 2 +-
tests/shell/testcases/optionals/comments_handles_0 | 2 +- .../testcases/optionals/comments_handles_0 | 2 +-
.../testcases/optionals/delete_object_handles_0 | 4 +- .../optionals/delete_object_handles_0 | 4 +-
tests/shell/testcases/optionals/handles_0 | 2 +- tests/shell/testcases/optionals/handles_0 | 2 +-
tests/shell/testcases/sets/0028delete_handle_0 | 2 +- .../shell/testcases/sets/0028delete_handle_0 | 2 +-
11 files changed, 64 insertions(+), 12 deletions(-) 11 files changed, 64 insertions(+), 12 deletions(-)
create mode 100755 tests/shell/testcases/chains/0039negative_priority_0 create mode 100755 tests/shell/testcases/chains/0039negative_priority_0
@ -240,5 +240,5 @@ index 4e8b322..5ad17c2 100755
EXPECTED="table ip test-ip { EXPECTED="table ip test-ip {
-- --
1.8.3.1 2.31.1

2
SOURCES/0002-main-restore-debug.patch
View File

@ -46,5 +46,5 @@ index 74199f9..6ab1b89 100644
!strcmp(argv[i], "--file")) { !strcmp(argv[i], "--file")) {
skip = true; skip = true;
-- --
1.8.3.1 2.31.1

2
SOURCES/0003-monitor-Do-not-decompose-non-anonymous-sets.patch
View File

@ -64,5 +64,5 @@ index 0000000..59930c5
+O - +O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}} +J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
-- --
1.8.3.1 2.31.1

2
SOURCES/0004-monitor-Fix-output-for-ranges-in-anonymous-sets.patch
View File

@ -76,5 +76,5 @@ index 59930c5..1fbcfe2 100644
+O - +O -
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}} +J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}}
-- --
1.8.3.1 2.31.1

2
SOURCES/0005-xfrm-spi-is-big-endian.patch
View File

@ -47,5 +47,5 @@ index 6049c66..c46a226 100644
[ cmp lte reg 1 0x31020000 ] [ cmp lte reg 1 0x31020000 ]
-- --
1.8.3.1 2.31.1

14
SOURCES/0006-tests-shell-Search-diff-tool-once-and-for-all.patch
View File

@ -44,18 +44,18 @@ Date: Tue Jan 14 16:50:35 2020 +0100
tests/shell/testcases/listing/0018data_0 | 3 +-- tests/shell/testcases/listing/0018data_0 | 3 +--
tests/shell/testcases/listing/0019set_0 | 3 +-- tests/shell/testcases/listing/0019set_0 | 3 +--
tests/shell/testcases/listing/0020flowtable_0 | 3 +-- tests/shell/testcases/listing/0020flowtable_0 | 3 +--
tests/shell/testcases/maps/0003map_add_many_elements_0 | 3 +-- .../shell/testcases/maps/0003map_add_many_elements_0 | 3 +--
tests/shell/testcases/maps/0004interval_map_create_once_0 | 3 +-- .../testcases/maps/0004interval_map_create_once_0 | 3 +--
tests/shell/testcases/maps/0008interval_map_delete_0 | 3 +-- tests/shell/testcases/maps/0008interval_map_delete_0 | 3 +--
tests/shell/testcases/netns/0001nft-f_0 | 3 +-- tests/shell/testcases/netns/0001nft-f_0 | 3 +--
tests/shell/testcases/netns/0002loosecommands_0 | 3 +-- tests/shell/testcases/netns/0002loosecommands_0 | 3 +--
tests/shell/testcases/netns/0003many_0 | 3 +-- tests/shell/testcases/netns/0003many_0 | 3 +--
tests/shell/testcases/nft-f/0016redefines_1 | 3 +-- tests/shell/testcases/nft-f/0016redefines_1 | 3 +--
tests/shell/testcases/optionals/delete_object_handles_0 | 3 +-- .../testcases/optionals/delete_object_handles_0 | 3 +--
tests/shell/testcases/optionals/update_object_handles_0 | 3 +-- .../testcases/optionals/update_object_handles_0 | 3 +--
.../shell/testcases/rule_management/0001addinsertposition_0 | 12 ++++-------- .../rule_management/0001addinsertposition_0 | 12 ++++--------
tests/shell/testcases/sets/0028delete_handle_0 | 3 +-- tests/shell/testcases/sets/0028delete_handle_0 | 3 +--
tests/shell/testcases/sets/0036add_set_element_expiration_0 | 5 ++++- .../testcases/sets/0036add_set_element_expiration_0 | 5 ++++-
tests/shell/testcases/transactions/0003table_0 | 4 +--- tests/shell/testcases/transactions/0003table_0 | 4 +---
tests/shell/testcases/transactions/0040set_0 | 3 +-- tests/shell/testcases/transactions/0040set_0 | 3 +--
33 files changed, 46 insertions(+), 75 deletions(-) 33 files changed, 46 insertions(+), 75 deletions(-)
@ -569,5 +569,5 @@ index a404abc..468816b 100755
fi fi
-- --
1.8.3.1 2.31.1

2
SOURCES/0007-cache-Fix-for-doubled-output-after-reset-command.patch
View File

@ -81,5 +81,5 @@ index 3bd16f2..21200c3 100755
+ exit 1 + exit 1
+fi +fi
-- --
1.8.3.1 2.31.1

2
SOURCES/0008-netlink-Fix-leak-in-unterminated-string-deserializer.patch
View File

@ -47,5 +47,5 @@ index 154353b..06a0312 100644
static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
-- --
1.8.3.1 2.31.1

2
SOURCES/0009-netlink-Fix-leaks-in-netlink_parse_cmp.patch
View File

@ -71,5 +71,5 @@ index 06a0312..88dbd5a 100644
static void netlink_parse_lookup(struct netlink_parse_ctx *ctx, static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
-- --
1.8.3.1 2.31.1

2
SOURCES/0010-netlink-Avoid-potential-NULL-pointer-deref-in-netlin.patch
View File

@ -38,5 +38,5 @@ index 498326d..cb1b7fe 100644
nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_FLAGS, nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_FLAGS,
NFT_PAYLOAD_L4CSUM_PSEUDOHDR); NFT_PAYLOAD_L4CSUM_PSEUDOHDR);
-- --
1.8.3.1 2.31.1

2
SOURCES/0011-tests-json_echo-Fix-for-Python3.patch
View File

@ -35,5 +35,5 @@ index a636d5f..fa7d69a 100755
if not k in data: if not k in data:
continue continue
-- --
1.8.3.1 2.31.1

2
SOURCES/0012-tests-json_echo-Support-testing-host-binaries.patch
View File

@ -64,5 +64,5 @@ index fa7d69a..36a377a 100755
# various commands to work with # various commands to work with
-- --
1.8.3.1 2.31.1

2
SOURCES/0013-tests-monitor-Support-running-individual-test-cases.patch
View File

@ -60,5 +60,5 @@ index 0478cf6..efacdaa 100755
# files are like this: # files are like this:
# #
-- --
1.8.3.1 2.31.1

2
SOURCES/0014-tests-monitor-Support-testing-host-s-nft-binary.patch
View File

@ -36,5 +36,5 @@ index efacdaa..ffb833a 100755
testcases+=" $1" testcases+=" $1"
shift shift
-- --
1.8.3.1 2.31.1

2
SOURCES/0015-tests-py-Support-testing-host-binaries.patch
View File

@ -72,5 +72,5 @@ index 6edca3c..01ee6c9 100755
test_files = files_ok = run_total = 0 test_files = files_ok = run_total = 0
tests = passed = warnings = errors = 0 tests = passed = warnings = errors = 0
-- --
1.8.3.1 2.31.1

2
SOURCES/0016-doc-nft.8-Mention-wildcard-interface-matching.patch
View File

@ -39,5 +39,5 @@ index 5473d59..a5cab9d 100644
[options="header"] [options="header"]
|================== |==================
-- --
1.8.3.1 2.31.1

2
SOURCES/0017-scanner-Extend-asteriskstring-definition.patch
View File

@ -35,5 +35,5 @@ index d32adf4..7daf5c1 100644
slash \/ slash \/
-- --
1.8.3.1 2.31.1

4
SOURCES/0018-parser-add-a-helper-for-concat-expression-handling.patch
View File

@ -16,7 +16,7 @@ Date: Wed Dec 11 14:31:44 2019 +0100
Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Florian Westphal <fw@strlen.de>
--- ---
src/parser_bison.y | 99 ++++++++++++++++++++++++------------------------------ src/parser_bison.y | 99 ++++++++++++++++++++--------------------------
1 file changed, 43 insertions(+), 56 deletions(-) 1 file changed, 43 insertions(+), 56 deletions(-)
diff --git a/src/parser_bison.y b/src/parser_bison.y diff --git a/src/parser_bison.y b/src/parser_bison.y
@ -158,5 +158,5 @@ index 707f467..0fd9b94 100644
; ;
-- --
1.8.3.1 2.31.1

9
SOURCES/0019-include-resync-nf_tables.h-cache-copy.patch
View File

@ -33,7 +33,7 @@ index ed8881a..1a99df3 100644
/** /**
* enum nft_verdicts - nf_tables internal verdicts * enum nft_verdicts - nf_tables internal verdicts
@@ -299,15 +300,29 @@ enum nft_set_policies { @@ -299,14 +300,28 @@ enum nft_set_policies {
* enum nft_set_desc_attributes - set element description * enum nft_set_desc_attributes - set element description
* *
* @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32) * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
@ -47,7 +47,7 @@ index ed8881a..1a99df3 100644
}; };
#define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1) #define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1)
/** +/**
+ * enum nft_set_field_attributes - attributes of concatenated fields + * enum nft_set_field_attributes - attributes of concatenated fields
+ * + *
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32) + * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
@ -59,10 +59,9 @@ index ed8881a..1a99df3 100644
+}; +};
+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1) +#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1)
+ +
+/** /**
* enum nft_set_attributes - nf_tables set netlink attributes * enum nft_set_attributes - nf_tables set netlink attributes
* *
* @NFTA_SET_TABLE: table name (NLA_STRING)
@@ -368,6 +383,7 @@ enum nft_set_elem_flags { @@ -368,6 +383,7 @@ enum nft_set_elem_flags {
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY) * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes) * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
@ -80,5 +79,5 @@ index ed8881a..1a99df3 100644
}; };
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1) #define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
-- --
1.8.3.1 2.31.1

2
SOURCES/0020-src-Add-support-for-NFTNL_SET_DESC_CONCAT.patch
View File

@ -177,5 +177,5 @@ index 3ca1805..4669577 100644
return new_set; return new_set;
} }
-- --
1.8.3.1 2.31.1

14
SOURCES/0021-src-Add-support-for-concatenated-set-ranges.patch
View File

@ -82,12 +82,12 @@ Date: Thu Jan 30 01:16:57 2020 +0100
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
--- ---
include/expression.h | 1 + include/expression.h | 1 +
include/rule.h | 5 +++ include/rule.h | 5 ++
src/evaluate.c | 5 +++ src/evaluate.c | 5 ++
src/netlink.c | 109 +++++++++++++++++++++++++++++++++++------------ src/netlink.c | 109 +++++++++++++++++++++++++++++-----------
src/parser_bison.y | 17 ++++++-- src/parser_bison.y | 17 +++++--
src/rule.c | 13 +++--- src/rule.c | 13 ++---
src/segtree.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/segtree.c | 117 +++++++++++++++++++++++++++++++++++++++++++
7 files changed, 229 insertions(+), 38 deletions(-) 7 files changed, 229 insertions(+), 38 deletions(-)
diff --git a/include/expression.h b/include/expression.h diff --git a/include/expression.h b/include/expression.h
@ -573,5 +573,5 @@ index 7217dbc..e859f84 100644
{ {
struct expr **elements, **ranges; struct expr **elements, **ranges;
-- --
1.8.3.1 2.31.1

4
SOURCES/0022-parser_json-Support-ranges-in-concat-expressions.patch
View File

@ -20,7 +20,7 @@ Date: Fri Mar 6 16:15:48 2020 +0100
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Eric Garver <eric@garver.life> Acked-by: Eric Garver <eric@garver.life>
--- ---
src/parser_json.c | 51 +++++++++++++++++++++++++++++---------------------- src/parser_json.c | 51 +++++++++++++++++++++++++++--------------------
1 file changed, 29 insertions(+), 22 deletions(-) 1 file changed, 29 insertions(+), 22 deletions(-)
diff --git a/src/parser_json.c b/src/parser_json.c diff --git a/src/parser_json.c b/src/parser_json.c
@ -115,5 +115,5 @@ index 031930e..c48faa8 100644
{ {
if (json_is_string(root)) { if (json_is_string(root)) {
-- --
1.8.3.1 2.31.1

2
SOURCES/0023-doc-Document-notrack-statement.patch
View File

@ -47,5 +47,5 @@ index 3b82436..749533a 100644
~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
A meta statement sets the value of a meta expression. The existing meta fields A meta statement sets the value of a meta expression. The existing meta fields
-- --
1.8.3.1 2.31.1

2
SOURCES/0024-JSON-Improve-performance-of-json_events_cb.patch
View File

@ -49,5 +49,5 @@ index c48faa8..ce8e566 100644
tmp = json_object_get(json, "add"); tmp = json_object_get(json, "add");
-- --
1.8.3.1 2.31.1

2
SOURCES/0025-segtree-Fix-missing-expires-value-in-prefixes.patch
View File

@ -38,5 +38,5 @@ index e859f84..1ba4363 100644
} }
-- --
1.8.3.1 2.31.1

2
SOURCES/0026-segtree-Use-expr_clone-in-get_set_interval_.patch
View File

@ -51,5 +51,5 @@ index 1ba4363..dc4db6b 100644
} }
break; break;
-- --
1.8.3.1 2.31.1

4
SOURCES/0027-segtree-Merge-get_set_interval_find-and-get_set_inte.patch
View File

@ -21,7 +21,7 @@ Date: Thu Apr 30 13:57:35 2020 +0200
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
--- ---
src/segtree.c | 63 +++++++++++++++-------------------------------------------- src/segtree.c | 63 +++++++++++++--------------------------------------
1 file changed, 16 insertions(+), 47 deletions(-) 1 file changed, 16 insertions(+), 47 deletions(-)
diff --git a/src/segtree.c b/src/segtree.c diff --git a/src/segtree.c b/src/segtree.c
@ -127,5 +127,5 @@ index dc4db6b..6e1f696 100644
compound_expr_add(new_init, range); compound_expr_add(new_init, range);
else else
-- --
1.8.3.1 2.31.1

2
SOURCES/0028-tests-0034get_element_0-do-not-discard-stderr.patch
View File

@ -37,5 +37,5 @@ index c7e7298..e23dbda 100755
out="${out#* \{ }" out="${out#* \{ }"
out="${out% \}}" out="${out% \}}"
-- --
1.8.3.1 2.31.1

4
SOURCES/0029-segtree-Fix-get-element-command-with-prefixes.patch
View File

@ -23,7 +23,7 @@ Date: Thu Apr 30 14:02:44 2020 +0200
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Phil Sutter <phil@nwl.cc>
--- ---
src/segtree.c | 1 + src/segtree.c | 1 +
tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++++++++-------- tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++------
2 files changed, 45 insertions(+), 18 deletions(-) 2 files changed, 45 insertions(+), 18 deletions(-)
diff --git a/src/segtree.c b/src/segtree.c diff --git a/src/segtree.c b/src/segtree.c
@ -131,5 +131,5 @@ index e23dbda..3343529 100755
exit $RC exit $RC
-- --
1.8.3.1 2.31.1

2
SOURCES/0030-include-Resync-nf_tables.h-cache-copy.patch
View File

@ -41,5 +41,5 @@ index 1a99df3..9b54a86 100644
/** /**
-- --
1.8.3.1 2.31.1

2
SOURCES/0031-src-Set-NFT_SET_CONCAT-flag-for-sets-with-concatenat.patch
View File

@ -68,5 +68,5 @@ index 0c84816..f66251b 100644
if (set_is_datamap(set->flags)) { if (set_is_datamap(set->flags)) {
-- --
1.8.3.1 2.31.1

18
SOURCES/0032-src-store-expr-not-dtype-to-track-data-in-sets.patch
View File

@ -46,18 +46,18 @@ Date: Tue Jul 16 19:03:55 2019 +0200
--- ---
include/datatype.h | 1 - include/datatype.h | 1 -
include/netlink.h | 1 - include/netlink.h | 1 -
include/rule.h | 6 ++---- include/rule.h | 6 ++---
src/datatype.c | 5 ----- src/datatype.c | 5 ----
src/evaluate.c | 58 +++++++++++++++++++++++++++++++++++++----------------- src/evaluate.c | 58 ++++++++++++++++++++++++++++++++--------------
src/expression.c | 2 +- src/expression.c | 2 +-
src/json.c | 4 ++-- src/json.c | 4 ++--
src/mnl.c | 6 +++--- src/mnl.c | 6 ++---
src/monitor.c | 2 +- src/monitor.c | 2 +-
src/netlink.c | 32 ++++++++++++++---------------- src/netlink.c | 32 ++++++++++++-------------
src/parser_bison.y | 3 +-- src/parser_bison.y | 3 +--
src/parser_json.c | 8 ++++++-- src/parser_json.c | 8 +++++--
src/rule.c | 8 ++++---- src/rule.c | 8 +++----
src/segtree.c | 8 ++++++-- src/segtree.c | 8 +++++--
14 files changed, 81 insertions(+), 63 deletions(-) 14 files changed, 81 insertions(+), 63 deletions(-)
diff --git a/include/datatype.h b/include/datatype.h diff --git a/include/datatype.h b/include/datatype.h
@ -499,5 +499,5 @@ index 073c6ec..d6e3ce2 100644
tree->debug_mask = debug_mask; tree->debug_mask = debug_mask;
} }
-- --
1.8.3.1 2.31.1

2
SOURCES/0033-evaluate-Perform-set-evaluation-on-implicitly-declar.patch
View File

@ -116,5 +116,5 @@ index 578dcae..fc45cef 100644
} }
-- --
1.8.3.1 2.31.1

8
SOURCES/0034-evaluate-missing-datatype-definition-in-implicit_set.patch
View File

@ -33,9 +33,9 @@ Date: Sun Jun 7 15:23:21 2020 +0200
Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
--- ---
src/evaluate.c | 22 ++++++++++++---------- src/evaluate.c | 22 +++++++++++----------
tests/shell/testcases/maps/0009vmap_0 | 19 +++++++++++++++++++ tests/shell/testcases/maps/0009vmap_0 | 19 ++++++++++++++++++
tests/shell/testcases/maps/dumps/0009vmap_0 | 13 +++++++++++++ tests/shell/testcases/maps/dumps/0009vmap_0 | 13 ++++++++++++
3 files changed, 44 insertions(+), 10 deletions(-) 3 files changed, 44 insertions(+), 10 deletions(-)
create mode 100755 tests/shell/testcases/maps/0009vmap_0 create mode 100755 tests/shell/testcases/maps/0009vmap_0
create mode 100644 tests/shell/testcases/maps/dumps/0009vmap_0 create mode 100644 tests/shell/testcases/maps/dumps/0009vmap_0
@ -163,5 +163,5 @@ index 0000000..540a8af
+ } + }
+} +}
-- --
1.8.3.1 2.31.1

2
SOURCES/0035-mergesort-unbreak-listing-with-binops.patch
View File

@ -84,5 +84,5 @@ index 55f1bc2..076e562 100644
+ [ lookup reg 1 set __set%d ] + [ lookup reg 1 set __set%d ]
+ +
-- --
1.8.3.1 2.31.1

2
SOURCES/0036-proto-add-sctp-crc32-checksum-fixup.patch
View File

@ -130,5 +130,5 @@ index 40ce590..8360abf 100644
[ICMP6HDR_TYPE] = ICMP6HDR_TYPE("type", &icmp6_type_type, icmp6_type), [ICMP6HDR_TYPE] = ICMP6HDR_TYPE("type", &icmp6_type_type, icmp6_type),
[ICMP6HDR_CODE] = ICMP6HDR_TYPE("code", &icmpv6_code_type, icmp6_code), [ICMP6HDR_CODE] = ICMP6HDR_TYPE("code", &icmpv6_code_type, icmp6_code),
-- --
1.8.3.1 2.31.1

12
SOURCES/0037-proto-Fix-ARP-header-field-ordering.patch
View File

@ -35,11 +35,11 @@ Date: Tue Nov 10 13:07:49 2020 +0100
--- ---
include/proto.h | 2 +- include/proto.h | 2 +-
src/proto.c | 2 +- src/proto.c | 2 +-
tests/py/arp/arp.t | 3 +++ tests/py/arp/arp.t | 3 ++
tests/py/arp/arp.t.json | 56 +++++++++++++++++++++++++++++++++++++++ tests/py/arp/arp.t.json | 56 +++++++++++++++++++++++++++++++
tests/py/arp/arp.t.json.output | 28 ++++++++++++++++++++ tests/py/arp/arp.t.json.output | 28 ++++++++++++++++
tests/py/arp/arp.t.payload | 10 +++++++ tests/py/arp/arp.t.payload | 10 ++++++
tests/py/arp/arp.t.payload.netdev | 14 ++++++++++ tests/py/arp/arp.t.payload.netdev | 14 ++++++++
7 files changed, 113 insertions(+), 2 deletions(-) 7 files changed, 113 insertions(+), 2 deletions(-)
diff --git a/include/proto.h b/include/proto.h diff --git a/include/proto.h b/include/proto.h
@ -229,5 +229,5 @@ index 667691f..f57610c 100644
+ [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ] + [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ]
+ +
-- --
1.8.3.1 2.31.1

2
SOURCES/0038-json-echo-Speedup-seqnum_to_json.patch
View File

@ -104,5 +104,5 @@ index ddc694f..107dc38 100644
} }
-- --
1.8.3.1 2.31.1

2
SOURCES/0039-json-Fix-seqnum_to_json-functionality.patch
View File

@ -112,5 +112,5 @@ index 107dc38..785f0e7 100644
tmp = json_object_get(json, "add"); tmp = json_object_get(json, "add");
if (!tmp) if (!tmp)
-- --
1.8.3.1 2.31.1

2
SOURCES/0040-json-don-t-leave-dangling-pointers-on-hlist.patch
View File

@ -43,5 +43,5 @@ index 785f0e7..986f128 100644
} }
-- --
1.8.3.1 2.31.1

2
SOURCES/0041-json-init-parser-state-for-every-new-buffer-file.patch
View File

@ -42,5 +42,5 @@ index 986f128..662bb4b 100644
if (!nft->json_root) if (!nft->json_root)
return -EINVAL; return -EINVAL;
-- --
1.8.3.1 2.31.1

72
SOURCES/0042-tests-Disable-tests-known-to-fail-on-RHEL8.patch
View File

@ -23,32 +23,30 @@ RHEL8 kernel does not support:
Disable all related tests to make the testsuites pass. Disable all related tests to make the testsuites pass.
--- ---
tests/monitor/testcases/object.t | 14 +++---- tests/monitor/testcases/object.t | 14 +++---
tests/py/any/meta.t | 36 ++++++++--------- tests/py/any/meta.t | 36 +++++++--------
tests/py/bridge/meta.t | 8 ++-- tests/py/bridge/meta.t | 8 ++--
tests/py/inet/osf.t | 24 +++++------ tests/py/inet/osf.t | 24 +++++-----
tests/py/inet/socket.t | 2 +- tests/py/inet/socket.t | 2 +-
tests/py/inet/synproxy.t | 12 +++--- tests/py/inet/synproxy.t | 12 ++---
tests/py/ip/objects.t | 46 +++++++++++----------- tests/py/ip/objects.t | 46 +++++++++----------
tests/py/ip6/sets.t | 2 +- tests/py/ip6/sets.t | 2 +-
.../testcases/flowtable/0002create_flowtable_0 | 8 ++-- .../flowtable/0002create_flowtable_0 | 8 ++--
.../testcases/flowtable/0003add_after_flush_0 | 8 ++-- .../testcases/flowtable/0003add_after_flush_0 | 8 ++--
.../testcases/flowtable/0004delete_after_add_0 | 6 +-- .../flowtable/0004delete_after_add_0 | 6 +--
.../shell/testcases/flowtable/0005delete_in_use_1 | 10 ++--- .../testcases/flowtable/0005delete_in_use_1 | 10 ++--
tests/shell/testcases/flowtable/0007prio_0 | 6 +-- tests/shell/testcases/flowtable/0007prio_0 | 6 +--
tests/shell/testcases/flowtable/0008prio_1 | 4 +- tests/shell/testcases/flowtable/0008prio_1 | 4 +-
.../testcases/flowtable/0009deleteafterflush_0 | 12 +++--- .../flowtable/0009deleteafterflush_0 | 12 ++---
tests/shell/testcases/listing/0013objects_0 | 2 + tests/shell/testcases/listing/0013objects_0 | 2 +
tests/shell/testcases/nft-f/0017ct_timeout_obj_0 | 2 + .../testcases/nft-f/0017ct_timeout_obj_0 | 2 +
.../shell/testcases/nft-f/0018ct_expectation_obj_0 | 2 + .../testcases/nft-f/0018ct_expectation_obj_0 | 2 +
.../testcases/nft-f/dumps/0017ct_timeout_obj_0.nft | 11 ------ ....nft => 0017ct_timeout_obj_0.nft.disabled} | 0
.../nft-f/dumps/0017ct_timeout_obj_0.nft.disabled | 11 ++++++ .../optionals/update_object_handles_0 | 2 +
.../testcases/optionals/update_object_handles_0 | 2 +
.../sets/0036add_set_element_expiration_0 | 2 + .../sets/0036add_set_element_expiration_0 | 2 +
tests/shell/testcases/transactions/0046set_0 | 2 + tests/shell/testcases/transactions/0046set_0 | 2 +
23 files changed, 122 insertions(+), 110 deletions(-) 22 files changed, 111 insertions(+), 99 deletions(-)
delete mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft rename tests/shell/testcases/nft-f/dumps/{0017ct_timeout_obj_0.nft => 0017ct_timeout_obj_0.nft.disabled} (100%)
create mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t
index 2afe33c..1b30384 100644 index 2afe33c..1b30384 100644
@ -422,40 +420,10 @@ index 4f9872f..f518cf7 100755
EXPECTED='table ip filter { EXPECTED='table ip filter {
ct expectation ctexpect{ ct expectation ctexpect{
protocol tcp protocol tcp
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
deleted file mode 100644 similarity index 100%
index 7cff1ed..0000000 rename from tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
--- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft rename to tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
+++ /dev/null
@@ -1,11 +0,0 @@
-table ip filter {
- ct timeout cttime {
- protocol tcp
- l3proto ip
- policy = { established : 123, close : 12 }
- }
-
- chain c {
- ct timeout set "cttime"
- }
-}
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
new file mode 100644
index 0000000..7cff1ed
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
@@ -0,0 +1,11 @@
+table ip filter {
+ ct timeout cttime {
+ protocol tcp
+ l3proto ip
+ policy = { established : 123, close : 12 }
+ }
+
+ chain c {
+ ct timeout set "cttime"
+ }
+}
diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0 diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
index 8b12b8c..e11b4e7 100755 index 8b12b8c..e11b4e7 100755
--- a/tests/shell/testcases/optionals/update_object_handles_0 --- a/tests/shell/testcases/optionals/update_object_handles_0
@ -493,5 +461,5 @@ index 172e24d..1b24964 100755
add chain ip filter group_7933 add chain ip filter group_7933
add map ip filter group_7933 { type ipv4_addr : classid; flags interval; } add map ip filter group_7933 { type ipv4_addr : classid; flags interval; }
-- --
1.8.3.1 2.31.1

2
SOURCES/0043-monitor-Fix-for-use-after-free-when-printing-map-ele.patch
View File

@ -37,5 +37,5 @@ index 7927b6f..142cc92 100644
dummyset->init = set_expr_alloc(monh->loc, set); dummyset->init = set_expr_alloc(monh->loc, set);
-- --
1.8.3.1 2.31.1

2
SOURCES/0044-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch
View File

@ -40,5 +40,5 @@ index ffb833a..c1cacb4 100755
command_file=$(mktemp -p $testdir) command_file=$(mktemp -p $testdir)
output_file=$(mktemp -p $testdir) output_file=$(mktemp -p $testdir)
-- --
1.8.3.1 2.31.1

2
SOURCES/0045-evaluate-Reject-quoted-strings-containing-only-wildc.patch
View File

@ -53,5 +53,5 @@ index a966ed4..0181750 100644
memset(unescaped_str, 0, sizeof(unescaped_str)); memset(unescaped_str, 0, sizeof(unescaped_str));
-- --
1.8.3.1 2.31.1

2
SOURCES/0046-src-Support-odd-sized-payload-matches.patch
View File

@ -60,5 +60,5 @@ index 3576400..45280ef 100644
break; break;
} }
-- --
1.8.3.1 2.31.1

2
SOURCES/0047-src-Optimize-prefix-matches-on-byte-boundaries.patch
View File

@ -237,5 +237,5 @@ index b2e8363..18b8bcb 100644
# ip6 saddr ::1 ip6 daddr ::2 # ip6 saddr ::1 ip6 daddr ::2
ip6 test-ip6 input ip6 test-ip6 input
-- --
1.8.3.1 2.31.1

100
SOURCES/0063-parser_json-Fix-error-reporting-for-invalid-syntax.patch Normal file
View File

@ -0,0 +1,100 @@
From 8cb078a2f9f69259325c10f479c198349ef01ef2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 6 Oct 2021 17:24:44 +0200
Subject: [PATCH] parser_json: Fix error reporting for invalid syntax
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1994141
Upstream Status: nftables commit 9fe5d1bc18cfa
commit 9fe5d1bc18cfaed2ecf717e3dd9a97ff5b0e183c
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 1 16:41:44 2021 +0200
parser_json: Fix error reporting for invalid syntax
Errors emitted by the JSON parser caused BUG() in erec_print() due to
input descriptor values being bogus.
Due to lack of 'include' support, JSON parser uses a single input
descriptor only and it lived inside the json_ctx object on stack of
nft_parse_json_*() functions.
By the time errors are printed though, that scope is not valid anymore.
Move the static input descriptor object to avoid this.
Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_json.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index a069a89..ef4d4fb 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -44,7 +44,6 @@
#define CTX_F_CONCAT (1 << 8) /* inside concat_expr */
struct json_ctx {
- struct input_descriptor indesc;
struct nft_ctx *nft;
struct list_head *msgs;
struct list_head *cmds;
@@ -107,11 +106,12 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root);
/* parsing helpers */
const struct location *int_loc = &internal_location;
+static struct input_descriptor json_indesc;
static void json_lib_error(struct json_ctx *ctx, json_error_t *err)
{
struct location loc = {
- .indesc = &ctx->indesc,
+ .indesc = &json_indesc,
.line_offset = err->position - err->column,
.first_line = err->line,
.last_line = err->line,
@@ -3864,16 +3864,15 @@ int nft_parse_json_buffer(struct nft_ctx *nft, const char *buf,
struct list_head *msgs, struct list_head *cmds)
{
struct json_ctx ctx = {
- .indesc = {
- .type = INDESC_BUFFER,
- .data = buf,
- },
.nft = nft,
.msgs = msgs,
.cmds = cmds,
};
int ret;
+ json_indesc.type = INDESC_BUFFER;
+ json_indesc.data = buf;
+
parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
nft->json_root = json_loads(buf, 0, NULL);
if (!nft->json_root)
@@ -3892,10 +3891,6 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename,
struct list_head *msgs, struct list_head *cmds)
{
struct json_ctx ctx = {
- .indesc = {
- .type = INDESC_FILE,
- .name = filename,
- },
.nft = nft,
.msgs = msgs,
.cmds = cmds,
@@ -3903,6 +3898,9 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename,
json_error_t err;
int ret;
+ json_indesc.type = INDESC_FILE;
+ json_indesc.name = filename;
+
parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
nft->json_root = json_load_file(filename, 0, &err);
if (!nft->json_root)
--
2.31.1

37
SOURCES/0064-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch Normal file
View File

@ -0,0 +1,37 @@
From bb4718fa421938c4a501b9a55df68de16a572f23 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 6 Oct 2021 17:32:04 +0200
Subject: [PATCH] parser_bison: Fix for implicit declaration of isalnum
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059
Upstream Status: nftables commit 7c3b2a7acbdc7
commit 7c3b2a7acbdc793b822a230ec0c28086c7d0365d
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Jun 11 16:03:32 2021 +0200
parser_bison: Fix for implicit declaration of isalnum
Have to include ctype.h to make it known.
Fixes: e76bb37940181 ("src: allow for variables in the log prefix string")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_bison.y | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 5ab5744..d38ec30 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -10,6 +10,7 @@
%{
+#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>
--
2.31.1

46
SOURCES/0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch Normal file
View File

@ -0,0 +1,46 @@
From 99d51194569f2784261f452ee821c42c3a7a6808 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 6 Oct 2021 17:32:04 +0200
Subject: [PATCH] parser_json: Fix for memleak in tcp option error path
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059
Upstream Status: nftables commit f7b0eef8391ae
commit f7b0eef8391ae7f89a3a82f6eeecaebe199224d7
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Jun 11 16:07:02 2021 +0200
parser_json: Fix for memleak in tcp option error path
If 'kind' value is invalid, the function returned without freeing 'expr'
first. Fix this by performing the check before allocation.
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_json.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index ef4d4fb..2250be9 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -610,12 +610,12 @@ static struct expr *json_parse_tcp_option_expr(struct json_ctx *ctx,
"base", &kind, "offset", &offset, "len", &len)) {
uint32_t flag = 0;
- expr = tcpopt_expr_alloc(int_loc, kind,
- TCPOPT_COMMON_KIND);
-
if (kind < 0 || kind > 255)
return NULL;
+ expr = tcpopt_expr_alloc(int_loc, kind,
+ TCPOPT_COMMON_KIND);
+
if (offset == TCPOPT_COMMON_KIND && len == 8)
flag = NFT_EXTHDR_F_PRESENT;
--
2.31.1

37
SOURCES/0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch Normal file
View File

@ -0,0 +1,37 @@
From 5f30a3447d28381fdf534ff4ed90167455d1283b Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 6 Oct 2021 17:32:04 +0200
Subject: [PATCH] json: Drop pointless assignment in exthdr_expr_json()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059
Upstream Status: nftables commit c1616dfd1ce40
commit c1616dfd1ce40bac197924c8947e1c646e915dca
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Jun 11 16:23:22 2021 +0200
json: Drop pointless assignment in exthdr_expr_json()
The updated value of 'is_exists' is no longer read at this point.
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/json.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/json.c b/src/json.c
index dfc9031..ecec51c 100644
--- a/src/json.c
+++ b/src/json.c
@@ -679,7 +679,6 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)
"base", expr->exthdr.raw_type,
"offset", expr->exthdr.offset,
"len", expr->len);
- is_exists = false;
}
return json_pack("{s:o}", "tcp option", root);
--
2.31.1

69
SOURCES/0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch Normal file
View File

@ -0,0 +1,69 @@
From 36cf5177c724540aea5a42f9dc6ef5476f86179a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 5 Nov 2021 16:06:45 +0100
Subject: [PATCH] segtree: Fix segfault when restoring a huge interval set
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
Upstream Status: nftables commit baecd1cf26851
commit baecd1cf26851a4c5b7d469206a488f14fe5b147
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Jun 9 15:49:52 2021 +0200
segtree: Fix segfault when restoring a huge interval set
Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
set_to_segtree() exhausts the stack. Prevent this by allocating the
pointer array on heap and make sure it is freed before returning to
caller.
With this patch in place, restoring said set succeeds with allocation of
about 3GB of memory, according to valgrind.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/segtree.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/segtree.c b/src/segtree.c
index d6e3ce2..b852961 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -414,10 +414,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
struct expr *init, struct seg_tree *tree,
bool add, bool merge)
{
- struct elementary_interval *intervals[init->size];
+ struct elementary_interval **intervals;
struct expr *i, *next;
unsigned int n;
- int err;
+ int err = 0;
/* We are updating an existing set with new elements, check if the new
* interval overlaps with any of the existing ones.
@@ -428,6 +428,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
return err;
}
+ intervals = xmalloc_array(init->size, sizeof(intervals[0]));
n = expr_to_intervals(init, tree->keylen, intervals);
list_for_each_entry_safe(i, next, &init->expressions, list) {
@@ -446,10 +447,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
for (n = 0; n < init->size; n++) {
err = ei_insert(msgs, tree, intervals[n], merge);
if (err < 0)
- return err;
+ break;
}
- return 0;
+ xfree(intervals);
+ return err;
}
static bool segtree_needs_first_segment(const struct set *set,
--
2.31.1

74
SOURCES/0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch Normal file
View File

@ -0,0 +1,74 @@
From cc6c59e683c503b461b4a80526f4bc9cbb0660bf Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 5 Nov 2021 16:06:45 +0100
Subject: [PATCH] tests: cover baecd1cf2685 ("segtree: Fix segfault when
restoring a huge interval set")
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
Upstream Status: nftables commit d8ccad2a2b73c
commit d8ccad2a2b73c4189934eb5fd0e3d096699b5043
Author: Štěpán Němec <snemec@redhat.com>
Date: Wed Oct 20 14:42:20 2021 +0200
tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")
Test inspired by [1] with both the set and stack size reduced by the
same power of 2, to preserve the (pre-baecd1cf2685) segfault on one
hand, and make the test successfully complete (post-baecd1cf2685) in a
few seconds even on weaker hardware on the other.
(The reason I stopped at 128kB stack size is that with 64kB I was
getting segfaults even with baecd1cf2685 applied.)
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Helped-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../sets/0068interval_stack_overflow_0 | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100755 tests/shell/testcases/sets/0068interval_stack_overflow_0
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
new file mode 100755
index 0000000..134282d
--- /dev/null
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+ruleset_file=$(mktemp)
+
+trap 'rm -f "$ruleset_file"' EXIT
+
+{
+ echo 'define big_set = {'
+ for ((i = 1; i < 255; i++)); do
+ for ((j = 1; j < 80; j++)); do
+ echo "10.0.$i.$j,"
+ done
+ done
+ echo '10.1.0.0/24 }'
+} >"$ruleset_file"
+
+cat >>"$ruleset_file" <<\EOF
+table inet test68_table {
+ set test68_set {
+ type ipv4_addr
+ flags interval
+ elements = { $big_set }
+ }
+}
+EOF
+
+( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
--
2.31.1

58
SOURCES/0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch Normal file
View File

@ -0,0 +1,58 @@
From ea4457d5c329c8930c610ef3002cfe42bf8a263f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 Dec 2021 14:10:31 +0100
Subject: [PATCH] tests: shell: $NFT needs to be invoked unquoted
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
Upstream Status: nftables commit dad3338f1f76a
Conflicts: Context change in README due to missing other commits.
commit dad3338f1f76a4a5bd782bae9c6b48941dfb1e31
Author: Štěpán Němec <snemec@redhat.com>
Date: Fri Nov 5 12:39:11 2021 +0100
tests: shell: $NFT needs to be invoked unquoted
The variable has to undergo word splitting, otherwise the shell tries
to find the variable value as an executable, which breaks in cases that
7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
intends to support.
Mention this in the shell tests README.
Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/shell/README | 3 +++
tests/shell/testcases/sets/0068interval_stack_overflow_0 | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/shell/README b/tests/shell/README
index e0279bb..aee50e3 100644
--- a/tests/shell/README
+++ b/tests/shell/README
@@ -25,4 +25,7 @@ path to the nftables binary being tested.
You can pass an arbitrary $NFT value as well:
# NFT=/usr/local/sbin/nft ./run-tests.sh
+Note that, to support usage such as NFT='valgrind nft', tests must
+invoke $NFT unquoted.
+
By default the tests are run with the nft binary at '../../src/nft'
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
index 134282d..6620572 100755
--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -26,4 +26,4 @@ table inet test68_table {
}
EOF
-( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
+( ulimit -s 128 && $NFT -f "$ruleset_file" )
--
2.31.1

59
SOURCES/0070-tests-shell-better-parameters-for-the-interval-stack.patch Normal file
View File

@ -0,0 +1,59 @@
From b297f75275737de3e16b5d14916efe35535b6279 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 Dec 2021 14:10:54 +0100
Subject: [PATCH] tests: shell: better parameters for the interval stack
overflow test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
Upstream Status: nftables commit 7b81d9cb094ff
commit 7b81d9cb094ffa96ad821528cf19269dc348f617
Author: Štěpán Němec <snemec@redhat.com>
Date: Wed Dec 1 12:12:00 2021 +0100
tests: shell: better parameters for the interval stack overflow test
Wider testing has shown that 128 kB stack is too low (e.g. for systems
with 64 kB page size), leading to false failures in some environments.
Based on results from a matrix of RHEL 8 and RHEL 9 systems across
x86_64, aarch64, ppc64le and s390x architectures as well as some
anecdotal testing of other Linux distros on x86_64 machines, 400 kB
seems safe: the normal nft stack (which should stay constant during
this test) on all tested systems doesn't exceed 200 kB (stays around
100 kB on typical systems with 4 kB page size), while always growing
beyond 500 kB in the failing case (nftables before baecd1cf2685) with
the increased set size.
Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
tests/shell/testcases/sets/0068interval_stack_overflow_0 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
index 6620572..2cbc986 100755
--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
@@ -9,7 +9,7 @@ trap 'rm -f "$ruleset_file"' EXIT
{
echo 'define big_set = {'
for ((i = 1; i < 255; i++)); do
- for ((j = 1; j < 80; j++)); do
+ for ((j = 1; j < 255; j++)); do
echo "10.0.$i.$j,"
done
done
@@ -26,4 +26,4 @@ table inet test68_table {
}
EOF
-( ulimit -s 128 && $NFT -f "$ruleset_file" )
+( ulimit -s 400 && $NFT -f "$ruleset_file" )
--
2.31.1

134
SOURCES/0071-netlink-remove-unused-parameter-from-netlink_gen_stm.patch Normal file
View File

@ -0,0 +1,134 @@
From cf85778a263a34aa2aeee565f3e046693164a097 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 13 Jan 2022 20:37:56 +0100
Subject: [PATCH] netlink: remove unused parameter from
netlink_gen_stmt_stateful()
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594
Upstream Status: nftables commit 3f3e897f42965
commit 3f3e897f429659ff6c8387245d0d4115952a6c31
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed Mar 11 13:02:26 2020 +0100
netlink: remove unused parameter from netlink_gen_stmt_stateful()
Remove context from netlink_gen_stmt_stateful().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/netlink_linearize.c | 36 +++++++++++++-----------------------
1 file changed, 13 insertions(+), 23 deletions(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 28b0e6a..f5c6116 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -780,9 +780,7 @@ static void netlink_gen_objref_stmt(struct netlink_linearize_ctx *ctx,
nftnl_rule_add_expr(ctx->nlr, nle);
}
-static struct nftnl_expr *
-netlink_gen_connlimit_stmt(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
+static struct nftnl_expr *netlink_gen_connlimit_stmt(const struct stmt *stmt)
{
struct nftnl_expr *nle;
@@ -795,9 +793,7 @@ netlink_gen_connlimit_stmt(struct netlink_linearize_ctx *ctx,
return nle;
}
-static struct nftnl_expr *
-netlink_gen_counter_stmt(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
+static struct nftnl_expr *netlink_gen_counter_stmt(const struct stmt *stmt)
{
struct nftnl_expr *nle;
@@ -814,9 +810,7 @@ netlink_gen_counter_stmt(struct netlink_linearize_ctx *ctx,
return nle;
}
-static struct nftnl_expr *
-netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
+static struct nftnl_expr *netlink_gen_limit_stmt(const struct stmt *stmt)
{
struct nftnl_expr *nle;
@@ -832,9 +826,7 @@ netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx,
return nle;
}
-static struct nftnl_expr *
-netlink_gen_quota_stmt(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
+static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt)
{
struct nftnl_expr *nle;
@@ -846,19 +838,17 @@ netlink_gen_quota_stmt(struct netlink_linearize_ctx *ctx,
return nle;
}
-static struct nftnl_expr *
-netlink_gen_stmt_stateful(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
+static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
{
switch (stmt->ops->type) {
case STMT_CONNLIMIT:
- return netlink_gen_connlimit_stmt(ctx, stmt);
+ return netlink_gen_connlimit_stmt(stmt);
case STMT_COUNTER:
- return netlink_gen_counter_stmt(ctx, stmt);
+ return netlink_gen_counter_stmt(stmt);
case STMT_LIMIT:
- return netlink_gen_limit_stmt(ctx, stmt);
+ return netlink_gen_limit_stmt(stmt);
case STMT_QUOTA:
- return netlink_gen_quota_stmt(ctx, stmt);
+ return netlink_gen_quota_stmt(stmt);
default:
BUG("unknown stateful statement type %s\n", stmt->ops->name);
}
@@ -1307,7 +1297,7 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
if (stmt->set.stmt)
nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
- netlink_gen_stmt_stateful(ctx, stmt->set.stmt), 0);
+ netlink_gen_stmt_stateful(stmt->set.stmt), 0);
}
static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
@@ -1337,7 +1327,7 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
if (stmt->map.stmt)
nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
- netlink_gen_stmt_stateful(ctx, stmt->map.stmt), 0);
+ netlink_gen_stmt_stateful(stmt->map.stmt), 0);
nftnl_rule_add_expr(ctx->nlr, nle);
}
@@ -1369,7 +1359,7 @@ static void netlink_gen_meter_stmt(struct netlink_linearize_ctx *ctx,
nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name);
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
- netlink_gen_stmt_stateful(ctx, stmt->meter.stmt), 0);
+ netlink_gen_stmt_stateful(stmt->meter.stmt), 0);
nftnl_rule_add_expr(ctx->nlr, nle);
}
@@ -1415,7 +1405,7 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
case STMT_COUNTER:
case STMT_LIMIT:
case STMT_QUOTA:
- nle = netlink_gen_stmt_stateful(ctx, stmt);
+ nle = netlink_gen_stmt_stateful(stmt);
nftnl_rule_add_expr(ctx->nlr, nle);
break;
case STMT_NOTRACK:
--
2.31.1

150
SOURCES/0072-src-support-for-restoring-element-counters.patch Normal file
View File

@ -0,0 +1,150 @@
From 0db42cc2d2647ec61441e29445c9f6e0f8946613 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 13 Jan 2022 20:37:56 +0100
Subject: [PATCH] src: support for restoring element counters
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594
Upstream Status: nftables commit 1fe6089ddd87e
commit 1fe6089ddd87ee7869d24c0f8849951220cc9b85
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed Mar 11 13:00:01 2020 +0100
src: support for restoring element counters
This patch allows you to restore counters in dynamic sets:
table ip test {
set test {
type ipv4_addr
size 65535
flags dynamic,timeout
timeout 30d
gc-interval 1d
elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
}
chain output {
type filter hook output priority 0;
update @test { ip saddr }
}
}
You can also add counters to elements from the control place, ie.
table ip test {
set test {
type ipv4_addr
size 65535
elements = { 192.168.2.1 counter packets 75 bytes 19043 }
}
chain output {
type filter hook output priority filter; policy accept;
ip daddr @test
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/netlink.h | 1 +
src/netlink.c | 3 +++
src/netlink_linearize.c | 2 +-
src/parser_bison.y | 36 +++++++++++++++++++++++++++++++++++-
4 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/include/netlink.h b/include/netlink.h
index 88d12ba..059092e 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -97,6 +97,7 @@ extern void netlink_gen_data(const struct expr *expr,
extern void netlink_gen_raw_data(const mpz_t value, enum byteorder byteorder,
unsigned int len,
struct nft_data_linearize *data);
+extern struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt);
extern struct expr *netlink_alloc_value(const struct location *loc,
const struct nft_data_delinearize *nld);
diff --git a/src/netlink.c b/src/netlink.c
index 64e51e5..825c2cc 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -136,6 +136,9 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
if (elem->expiration)
nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION,
elem->expiration);
+ if (elem->stmt)
+ nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR,
+ netlink_gen_stmt_stateful(elem->stmt), 0);
if (elem->comment || expr->elem_flags) {
udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
if (!udbuf)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index f5c6116..3fa1339 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -838,7 +838,7 @@ static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt)
return nle;
}
-static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
+struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
{
switch (stmt->ops->type) {
case STMT_CONNLIMIT:
diff --git a/src/parser_bison.y b/src/parser_bison.y
index d38ec30..2cdf8ec 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3654,7 +3654,7 @@ meter_key_expr_alloc : concat_expr
;
set_elem_expr : set_elem_expr_alloc
- | set_elem_expr_alloc set_elem_options
+ | set_elem_expr_alloc set_elem_expr_options
;
set_elem_expr_alloc : set_lhs_expr
@@ -3684,6 +3684,40 @@ set_elem_option : TIMEOUT time_spec
}
;
+set_elem_expr_options : set_elem_expr_option
+ {
+ $<expr>$ = $<expr>0;
+ }
+ | set_elem_expr_options set_elem_expr_option
+ ;
+
+set_elem_expr_option : TIMEOUT time_spec
+ {
+ $<expr>0->timeout = $2;
+ }
+ | EXPIRES time_spec
+ {
+ $<expr>0->expiration = $2;
+ }
+ | COUNTER
+ {
+ $<expr>0->stmt = counter_stmt_alloc(&@$);
+ }
+ | COUNTER PACKETS NUM BYTES NUM
+ {
+ struct stmt *stmt;
+
+ stmt = counter_stmt_alloc(&@$);
+ stmt->counter.packets = $3;
+ stmt->counter.bytes = $5;
+ $<expr>0->stmt = stmt;
+ }
+ | comment_spec
+ {
+ $<expr>0->comment = $1;
+ }
+ ;
+
set_lhs_expr : concat_rhs_expr
| wildcard_expr
;
--
2.31.1

127
SOURCES/0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.patch Normal file
View File

@ -0,0 +1,127 @@
From 48021b277a1ab92480c43e1fa7573b00e33f5212 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 14 Jan 2022 11:39:17 +0100
Subject: [PATCH] evaluate: attempt to set_eval flag if dynamic updates
requested
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594
Upstream Status: nftables commit 8d443adfcc8c1
Conflicts:
* Context change due to missing commit 242965f452e64
("src: add support for multi-statement in dynamic sets and maps")
* Adjusted test-case: Due to missing kernel commit 7b1394892de8d
("netfilter: nft_dynset: relax superfluous check on set updates"),
'update' statement is allowed only if timeout flag is present
commit 8d443adfcc8c19effd6be9a9c903ee96e374f2e8
Author: Florian Westphal <fw@strlen.de>
Date: Tue Jan 11 12:08:59 2022 +0100
evaluate: attempt to set_eval flag if dynamic updates requested
When passing no upper size limit, the dynset expression forces
an internal 64k upperlimit.
In some cases, this can result in 'nft -f' to restore the ruleset.
Avoid this by always setting the EVAL flag on a set definition when
we encounter packet-path update attempt in the batch.
Reported-by: Yi Chen <yiche@redhat.com>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/evaluate.c | 11 +++++++
.../testcases/sets/dumps/dynset_missing.nft | 12 +++++++
tests/shell/testcases/sets/dynset_missing | 32 +++++++++++++++++++
3 files changed, 55 insertions(+)
create mode 100644 tests/shell/testcases/sets/dumps/dynset_missing.nft
create mode 100755 tests/shell/testcases/sets/dynset_missing
diff --git a/src/evaluate.c b/src/evaluate.c
index 00ec20b..9381f23 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3076,6 +3076,8 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
{
+ struct set *this_set;
+
expr_set_context(&ctx->ectx, NULL, 0);
if (expr_evaluate(ctx, &stmt->set.set) < 0)
return -1;
@@ -3103,6 +3105,15 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
"meter statement must be stateful");
}
+ this_set = stmt->set.set->set;
+
+ /* Make sure EVAL flag is set on set definition so that kernel
+ * picks a set that allows updates from the packet path.
+ *
+ * Alternatively we could error out in case 'flags dynamic' was
+ * not given, but we can repair this here.
+ */
+ this_set->flags |= NFT_SET_EVAL;
return 0;
}
diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.nft b/tests/shell/testcases/sets/dumps/dynset_missing.nft
new file mode 100644
index 0000000..fdb1b97
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/dynset_missing.nft
@@ -0,0 +1,12 @@
+table ip test {
+ set dlist {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ udp dport 1234 update @dlist { ip daddr } counter packets 0 bytes 0
+ }
+}
diff --git a/tests/shell/testcases/sets/dynset_missing b/tests/shell/testcases/sets/dynset_missing
new file mode 100755
index 0000000..89afcd5
--- /dev/null
+++ b/tests/shell/testcases/sets/dynset_missing
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f /dev/stdin <<EOF
+table ip test {
+ chain output { type filter hook output priority 0;
+ }
+}
+EOF
+
+# misses 'flags dynamic'
+$NFT 'add set ip test dlist {type ipv4_addr; flags timeout; }'
+
+# picks rhash backend because 'size' was also missing.
+$NFT 'add rule ip test output udp dport 1234 update @dlist { ip daddr } counter'
+
+tmpfile=$(mktemp)
+
+trap "rm -rf $tmpfile" EXIT
+
+# kernel has forced an 64k upper size, i.e. this restore file
+# has 'size 65536' but no 'flags dynamic'.
+$NFT list ruleset > $tmpfile
+
+# this restore works, because set is still the rhash backend.
+$NFT -f $tmpfile # success
+$NFT flush ruleset
+
+# fails without commit 'attempt to set_eval flag if dynamic updates requested',
+# because set in $tmpfile has 'size x' but no 'flags dynamic'.
+$NFT -f $tmpfile
--
2.31.1

49
SOURCES/0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch Normal file
View File

@ -0,0 +1,49 @@
From 1fe92af5a03608b94e8e1e2ff26e24adfe2ea09a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 21 Jan 2022 12:35:39 +0100
Subject: [PATCH] evaluate: fix inet nat with no layer 3 info
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2030773
Upstream Status: nftables commit 9a36033ce5063
commit 9a36033ce50638a403d1421935cdd1287ee5de6b
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue Jul 20 18:59:44 2021 +0200
evaluate: fix inet nat with no layer 3 info
nft currently reports:
Error: Could not process rule: Protocol error
add rule inet x y meta l4proto tcp dnat to :80
^^^^
default to NFPROTO_INET family, otherwise kernel bails out EPROTO when
trying to load the conntrack helper.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 9381f23..e495faf 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2757,9 +2757,10 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt)
stmt->nat.family = ctx->pctx.family;
return 0;
case NFPROTO_INET:
- if (!stmt->nat.addr)
+ if (!stmt->nat.addr) {
+ stmt->nat.family = NFPROTO_INET;
return 0;
-
+ }
if (stmt->nat.family != NFPROTO_UNSPEC)
return 0;
--
2.31.1

86
SOURCES/0075-tests-py-add-dnat-to-port-without-defining-destinati.patch Normal file
View File

@ -0,0 +1,86 @@
From eeba2cd956485d3059dabf86a7ad8dd59ee682dd Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 4 Feb 2022 14:18:44 +0100
Subject: [PATCH] tests: py: add dnat to port without defining destination
address
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2030773
Upstream Status: nftables commit 0f27e258b37a5
Conflicts: Context changes due to missing commit ae1d822630e6d
("src: context tracking for multiple transport protocols")
commit 0f27e258b37a592233d6ad5381cd1fae65e57514
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu Jul 22 17:43:56 2021 +0200
tests: py: add dnat to port without defining destination address
Add a test to cover dnat to port without destination address.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tests/py/inet/dnat.t | 1 +
tests/py/inet/dnat.t.json | 20 ++++++++++++++++++++
tests/py/inet/dnat.t.payload | 8 ++++++++
3 files changed, 29 insertions(+)
diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
index fcdf943..6beceda 100644
--- a/tests/py/inet/dnat.t
+++ b/tests/py/inet/dnat.t
@@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok
iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok
iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok
+meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80
dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok
dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
index ac6dac6..f88e9cf 100644
--- a/tests/py/inet/dnat.t.json
+++ b/tests/py/inet/dnat.t.json
@@ -164,3 +164,23 @@
}
]
+# meta l4proto tcp dnat to :80
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "op": "==",
+ "right": 6
+ }
+ },
+ {
+ "dnat": {
+ "port": 80
+ }
+ }
+]
+
diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
index b81caf7..6d8569d 100644
--- a/tests/py/inet/dnat.t.payload
+++ b/tests/py/inet/dnat.t.payload
@@ -52,3 +52,11 @@ inet test-inet prerouting
[ payload load 4b @ network header + 16 => reg 9 ]
[ lookup reg 1 set __map%d dreg 1 ]
[ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# meta l4proto tcp dnat to :80
+inet
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ immediate reg 1 0x00005000 ]
+ [ nat dnat inet proto_min reg 1 flags 0x2 ]
+
--
2.31.1

214
SOURCES/0076-mnl-do-not-build-nftnl_set-element-list.patch Normal file
View File

@ -0,0 +1,214 @@
From bd940a4efd2b5897f8a8e58ec7733417b3710e1e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 8 Dec 2021 13:28:49 +0100
Subject: [PATCH] mnl: do not build nftnl_set element list
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047821
Upstream Status: nftables commit b4b234f5a29e8
Conflicts: Context change due to missing commit 66746e7dedeb0
("src: support for nat with interval concatenation").
commit b4b234f5a29e819045679acd95820a7457d4d7de
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu Nov 4 12:53:11 2021 +0100
mnl: do not build nftnl_set element list
Do not call alloc_setelem_cache() to build the set element list in
nftnl_set. Instead, translate one single set element expression to
nftnl_set_elem object at a time and use this object to build the netlink
header.
Using a huge test set containing 1.1 million element blocklist, this
patch is reducing userspace memory consumption by 40%.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/netlink.h | 2 +
src/mnl.c | 112 ++++++++++++++++++++++++++++++++++++----------
src/netlink.c | 4 +-
3 files changed, 93 insertions(+), 25 deletions(-)
diff --git a/include/netlink.h b/include/netlink.h
index 059092e..3443582 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -56,6 +56,8 @@ struct netlink_ctx {
extern struct nftnl_expr *alloc_nft_expr(const char *name);
extern void alloc_setelem_cache(const struct expr *set, struct nftnl_set *nls);
+struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
+ const struct expr *expr);
extern struct nftnl_table *netlink_table_alloc(const struct nlmsghdr *nlh);
extern struct nftnl_chain *netlink_chain_alloc(const struct nlmsghdr *nlh);
diff --git a/src/mnl.c b/src/mnl.c
index 23341e6..44cf1a4 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1201,33 +1201,102 @@ static int set_elem_cb(const struct nlmsghdr *nlh, void *data)
return MNL_CB_OK;
}
-static int mnl_nft_setelem_batch(struct nftnl_set *nls,
+static bool mnl_nft_attr_nest_overflow(struct nlmsghdr *nlh,
+ const struct nlattr *from,
+ const struct nlattr *to)
+{
+ int len = (void *)to + to->nla_len - (void *)from;
+
+ /* The attribute length field is 16 bits long, thus the maximum payload
+ * that an attribute can convey is UINT16_MAX. In case of overflow,
+ * discard the last attribute that did not fit into the nest.
+ */
+ if (len > UINT16_MAX) {
+ nlh->nlmsg_len -= to->nla_len;
+ return true;
+ }
+ return false;
+}
+
+static void netlink_dump_setelem(const struct nftnl_set_elem *nlse,
+ struct netlink_ctx *ctx)
+{
+ FILE *fp = ctx->nft->output.output_fp;
+ char buf[4096];
+
+ if (!(ctx->nft->debug_mask & NFT_DEBUG_NETLINK) || !fp)
+ return;
+
+ nftnl_set_elem_snprintf(buf, sizeof(buf), nlse, NFTNL_OUTPUT_DEFAULT, 0);
+ fprintf(fp, "\t%s", buf);
+}
+
+static void netlink_dump_setelem_done(struct netlink_ctx *ctx)
+{
+ FILE *fp = ctx->nft->output.output_fp;
+
+ if (!(ctx->nft->debug_mask & NFT_DEBUG_NETLINK) || !fp)
+ return;
+
+ fprintf(fp, "\n");
+}
+
+static int mnl_nft_setelem_batch(const struct nftnl_set *nls,
struct nftnl_batch *batch,
enum nf_tables_msg_types cmd,
- unsigned int flags, uint32_t seqnum)
+ unsigned int flags, uint32_t seqnum,
+ const struct expr *set,
+ struct netlink_ctx *ctx)
{
+ struct nlattr *nest1, *nest2;
+ struct nftnl_set_elem *nlse;
struct nlmsghdr *nlh;
- struct nftnl_set_elems_iter *iter;
- int ret;
-
- iter = nftnl_set_elems_iter_create(nls);
- if (iter == NULL)
- memory_allocation_error();
+ struct expr *expr = NULL;
+ int i = 0;
if (cmd == NFT_MSG_NEWSETELEM)
flags |= NLM_F_CREATE;
- while (nftnl_set_elems_iter_cur(iter)) {
- nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(batch), cmd,
- nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
- flags, seqnum);
- ret = nftnl_set_elems_nlmsg_build_payload_iter(nlh, iter);
- mnl_nft_batch_continue(batch);
- if (ret <= 0)
- break;
+ if (set)
+ expr = list_first_entry(&set->expressions, struct expr, list);
+
+next:
+ nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(batch), cmd,
+ nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
+ flags, seqnum);
+
+ if (nftnl_set_is_set(nls, NFTNL_SET_TABLE)) {
+ mnl_attr_put_strz(nlh, NFTA_SET_ELEM_LIST_TABLE,
+ nftnl_set_get_str(nls, NFTNL_SET_TABLE));
+ }
+ if (nftnl_set_is_set(nls, NFTNL_SET_NAME)) {
+ mnl_attr_put_strz(nlh, NFTA_SET_ELEM_LIST_SET,
+ nftnl_set_get_str(nls, NFTNL_SET_NAME));
}
+ if (nftnl_set_is_set(nls, NFTNL_SET_ID)) {
+ mnl_attr_put_u32(nlh, NFTA_SET_ELEM_LIST_SET_ID,
+ htonl(nftnl_set_get_u32(nls, NFTNL_SET_ID)));
+ }
+
+ if (!set || list_empty(&set->expressions))
+ return 0;
- nftnl_set_elems_iter_destroy(iter);
+ assert(expr);
+ nest1 = mnl_attr_nest_start(nlh, NFTA_SET_ELEM_LIST_ELEMENTS);
+ list_for_each_entry_from(expr, &set->expressions, list) {
+ nlse = alloc_nftnl_setelem(set, expr);
+ nest2 = nftnl_set_elem_nlmsg_build(nlh, nlse, ++i);
+ netlink_dump_setelem(nlse, ctx);
+ nftnl_set_elem_free(nlse);
+ if (mnl_nft_attr_nest_overflow(nlh, nest1, nest2)) {
+ mnl_attr_nest_end(nlh, nest1);
+ mnl_nft_batch_continue(batch);
+ goto next;
+ }
+ }
+ mnl_attr_nest_end(nlh, nest1);
+ mnl_nft_batch_continue(batch);
+ netlink_dump_setelem_done(ctx);
return 0;
}
@@ -1249,11 +1318,10 @@ int mnl_nft_setelem_add(struct netlink_ctx *ctx, const struct set *set,
if (h->set_id)
nftnl_set_set_u32(nls, NFTNL_SET_ID, h->set_id);
- alloc_setelem_cache(expr, nls);
netlink_dump_set(nls, ctx);
- err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_NEWSETELEM, flags,
- ctx->seqnum);
+ err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_NEWSETELEM,
+ flags, ctx->seqnum, expr, ctx);
nftnl_set_free(nls);
return err;
@@ -1306,12 +1374,10 @@ int mnl_nft_setelem_del(struct netlink_ctx *ctx, const struct cmd *cmd)
else if (h->handle.id)
nftnl_set_set_u64(nls, NFTNL_SET_HANDLE, h->handle.id);
- if (cmd->expr)
- alloc_setelem_cache(cmd->expr, nls);
netlink_dump_set(nls, ctx);
err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_DELSETELEM, 0,
- ctx->seqnum);
+ ctx->seqnum, cmd->expr, ctx);
nftnl_set_free(nls);
return err;
diff --git a/src/netlink.c b/src/netlink.c
index 825c2cc..f8c97d0 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -95,8 +95,8 @@ struct nftnl_expr *alloc_nft_expr(const char *name)
return nle;
}
-static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
- const struct expr *expr)
+struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
+ const struct expr *expr)
{
const struct expr *elem, *data;
struct nftnl_set_elem *nlse;
--
2.31.1

43
SPECS/nftables.spec
View File

@ -1,5 +1,6 @@
%define rpmversion 0.9.3 %define rpmversion 0.9.3
%define specrelease 21 %define specrelease 25
%define libnftnl_ver 1.1.5-5
Name: nftables Name: nftables
Version: %{rpmversion} Version: %{rpmversion}
@ -79,6 +80,20 @@ Patch59: 0059-exthdr-Implement-SCTP-Chunk-matching.patch
Patch60: 0060-include-missing-sctp_chunk.h-in-Makefile.am.patch Patch60: 0060-include-missing-sctp_chunk.h-in-Makefile.am.patch
Patch61: 0061-doc-nft.8-Extend-monitor-description-by-trace.patch Patch61: 0061-doc-nft.8-Extend-monitor-description-by-trace.patch
Patch62: 0062-tests-shell-Fix-bogus-testsuite-failure-with-100Hz.patch Patch62: 0062-tests-shell-Fix-bogus-testsuite-failure-with-100Hz.patch
Patch63: 0063-parser_json-Fix-error-reporting-for-invalid-syntax.patch
Patch64: 0064-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch
Patch65: 0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch
Patch66: 0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch
Patch67: 0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
Patch68: 0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
Patch69: 0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
Patch70: 0070-tests-shell-better-parameters-for-the-interval-stack.patch
Patch71: 0071-netlink-remove-unused-parameter-from-netlink_gen_stm.patch
Patch72: 0072-src-support-for-restoring-element-counters.patch
Patch73: 0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.patch
Patch74: 0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch
Patch75: 0075-tests-py-add-dnat-to-port-without-defining-destinati.patch
Patch76: 0076-mnl-do-not-build-nftnl_set-element-list.patch
BuildRequires: autogen BuildRequires: autogen
BuildRequires: autoconf BuildRequires: autoconf
@ -90,14 +105,14 @@ BuildRequires: bison
BuildRequires: libmnl-devel BuildRequires: libmnl-devel
BuildRequires: gmp-devel BuildRequires: gmp-devel
BuildRequires: readline-devel BuildRequires: readline-devel
BuildRequires: pkgconfig(libnftnl) >= 1.1.5-3 BuildRequires: pkgconfig(libnftnl) >= %{libnftnl_ver}
BuildRequires: systemd BuildRequires: systemd
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: iptables-devel BuildRequires: iptables-devel
BuildRequires: jansson-devel BuildRequires: jansson-devel
BuildRequires: python3-devel BuildRequires: python3-devel
Requires: libnftnl >= 1.1.5-3 Requires: libnftnl >= %{libnftnl_ver}
%description %description
Netfilter Tables userspace utilities. Netfilter Tables userspace utilities.
@ -195,6 +210,28 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
%{python3_sitelib}/nftables/ %{python3_sitelib}/nftables/
%changelog %changelog
* Fri Feb 04 2022 Phil Sutter <psutter@redhat.com> [0.9.3-25.el8]
- mnl: do not build nftnl_set element list (Phil Sutter) [2047821]
- tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773]
- evaluate: fix inet nat with no layer 3 info (Phil Sutter) [2030773]
- evaluate: attempt to set_eval flag if dynamic updates requested (Phil Sutter) [2039594]
- src: support for restoring element counters (Phil Sutter) [2039594]
- netlink: remove unused parameter from netlink_gen_stmt_stateful() (Phil Sutter) [2039594]
* Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> [0.9.3-24.el8]
- tests: shell: better parameters for the interval stack overflow test (Phil Sutter) [1908127]
- tests: shell: $NFT needs to be invoked unquoted (Phil Sutter) [1908127]
* Fri Nov 05 2021 Phil Sutter <psutter@redhat.com> [0.9.3-23.el8]
- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") (Phil Sutter) [1908127]
- segtree: Fix segfault when restoring a huge interval set (Phil Sutter) [1908127]
* Wed Oct 06 2021 Phil Sutter <psutter@redhat.com> [0.9.3-22.el8]
- json: Drop pointless assignment in exthdr_expr_json() (Phil Sutter) [1999059]
- parser_json: Fix for memleak in tcp option error path (Phil Sutter) [1999059]
- parser_bison: Fix for implicit declaration of isalnum (Phil Sutter) [1999059]
- parser_json: Fix error reporting for invalid syntax (Phil Sutter) [1994141]
* Mon Aug 02 2021 Phil Sutter <psutter@redhat.com> [0.9.3-21.el8] * Mon Aug 02 2021 Phil Sutter <psutter@redhat.com> [0.9.3-21.el8]
- tests: shell: Fix bogus testsuite failure with 100Hz (Phil Sutter) [1919203] - tests: shell: Fix bogus testsuite failure with 100Hz (Phil Sutter) [1919203]
- doc: nft.8: Extend monitor description by trace (Phil Sutter) [1820365] - doc: nft.8: Extend monitor description by trace (Phil Sutter) [1820365]