import nftables-0.9.3-25.el8
This commit is contained in:
parent
d1de3e821a
commit
dee28686c1
@ -27,17 +27,17 @@ Date: Fri Dec 13 11:32:46 2019 +0100
|
||||
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/main.c | 46 +++++++++++++++++++++-
|
||||
tests/shell/testcases/cache/0001_cache_handling_0 | 2 +-
|
||||
tests/shell/testcases/chains/0016delete_handle_0 | 4 +-
|
||||
.../shell/testcases/chains/0039negative_priority_0 | 8 ++++
|
||||
.../shell/testcases/flowtable/0010delete_handle_0 | 2 +-
|
||||
.../shell/testcases/maps/0008interval_map_delete_0 | 2 +-
|
||||
tests/shell/testcases/optionals/comments_0 | 2 +-
|
||||
tests/shell/testcases/optionals/comments_handles_0 | 2 +-
|
||||
.../testcases/optionals/delete_object_handles_0 | 4 +-
|
||||
tests/shell/testcases/optionals/handles_0 | 2 +-
|
||||
tests/shell/testcases/sets/0028delete_handle_0 | 2 +-
|
||||
src/main.c | 46 ++++++++++++++++++-
|
||||
.../testcases/cache/0001_cache_handling_0 | 2 +-
|
||||
.../testcases/chains/0016delete_handle_0 | 4 +-
|
||||
.../testcases/chains/0039negative_priority_0 | 8 ++++
|
||||
.../testcases/flowtable/0010delete_handle_0 | 2 +-
|
||||
.../testcases/maps/0008interval_map_delete_0 | 2 +-
|
||||
tests/shell/testcases/optionals/comments_0 | 2 +-
|
||||
.../testcases/optionals/comments_handles_0 | 2 +-
|
||||
.../optionals/delete_object_handles_0 | 4 +-
|
||||
tests/shell/testcases/optionals/handles_0 | 2 +-
|
||||
.../shell/testcases/sets/0028delete_handle_0 | 2 +-
|
||||
11 files changed, 64 insertions(+), 12 deletions(-)
|
||||
create mode 100755 tests/shell/testcases/chains/0039negative_priority_0
|
||||
|
||||
@ -240,5 +240,5 @@ index 4e8b322..5ad17c2 100755
|
||||
|
||||
EXPECTED="table ip test-ip {
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -46,5 +46,5 @@ index 74199f9..6ab1b89 100644
|
||||
!strcmp(argv[i], "--file")) {
|
||||
skip = true;
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -64,5 +64,5 @@ index 0000000..59930c5
|
||||
+O -
|
||||
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -76,5 +76,5 @@ index 59930c5..1fbcfe2 100644
|
||||
+O -
|
||||
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}}
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -47,5 +47,5 @@ index 6049c66..c46a226 100644
|
||||
[ cmp lte reg 1 0x31020000 ]
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -25,39 +25,39 @@ Date: Tue Jan 14 16:50:35 2020 +0100
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
tests/shell/run-tests.sh | 7 ++++++-
|
||||
tests/shell/testcases/flowtable/0010delete_handle_0 | 3 +--
|
||||
tests/shell/testcases/listing/0003table_0 | 6 ++----
|
||||
tests/shell/testcases/listing/0004table_0 | 3 +--
|
||||
tests/shell/testcases/listing/0005ruleset_ip_0 | 3 +--
|
||||
tests/shell/testcases/listing/0006ruleset_ip6_0 | 3 +--
|
||||
tests/shell/testcases/listing/0007ruleset_inet_0 | 3 +--
|
||||
tests/shell/testcases/listing/0008ruleset_arp_0 | 3 +--
|
||||
tests/shell/testcases/listing/0009ruleset_bridge_0 | 3 +--
|
||||
tests/shell/testcases/listing/0010sets_0 | 3 +--
|
||||
tests/shell/testcases/listing/0011sets_0 | 3 +--
|
||||
tests/shell/testcases/listing/0012sets_0 | 3 +--
|
||||
tests/shell/testcases/listing/0013objects_0 | 3 +--
|
||||
tests/shell/testcases/listing/0014objects_0 | 6 ++----
|
||||
tests/shell/testcases/listing/0015dynamic_0 | 3 +--
|
||||
tests/shell/testcases/listing/0017objects_0 | 3 +--
|
||||
tests/shell/testcases/listing/0018data_0 | 3 +--
|
||||
tests/shell/testcases/listing/0019set_0 | 3 +--
|
||||
tests/shell/testcases/listing/0020flowtable_0 | 3 +--
|
||||
tests/shell/testcases/maps/0003map_add_many_elements_0 | 3 +--
|
||||
tests/shell/testcases/maps/0004interval_map_create_once_0 | 3 +--
|
||||
tests/shell/testcases/maps/0008interval_map_delete_0 | 3 +--
|
||||
tests/shell/testcases/netns/0001nft-f_0 | 3 +--
|
||||
tests/shell/testcases/netns/0002loosecommands_0 | 3 +--
|
||||
tests/shell/testcases/netns/0003many_0 | 3 +--
|
||||
tests/shell/testcases/nft-f/0016redefines_1 | 3 +--
|
||||
tests/shell/testcases/optionals/delete_object_handles_0 | 3 +--
|
||||
tests/shell/testcases/optionals/update_object_handles_0 | 3 +--
|
||||
.../shell/testcases/rule_management/0001addinsertposition_0 | 12 ++++--------
|
||||
tests/shell/testcases/sets/0028delete_handle_0 | 3 +--
|
||||
tests/shell/testcases/sets/0036add_set_element_expiration_0 | 5 ++++-
|
||||
tests/shell/testcases/transactions/0003table_0 | 4 +---
|
||||
tests/shell/testcases/transactions/0040set_0 | 3 +--
|
||||
tests/shell/run-tests.sh | 7 ++++++-
|
||||
tests/shell/testcases/flowtable/0010delete_handle_0 | 3 +--
|
||||
tests/shell/testcases/listing/0003table_0 | 6 ++----
|
||||
tests/shell/testcases/listing/0004table_0 | 3 +--
|
||||
tests/shell/testcases/listing/0005ruleset_ip_0 | 3 +--
|
||||
tests/shell/testcases/listing/0006ruleset_ip6_0 | 3 +--
|
||||
tests/shell/testcases/listing/0007ruleset_inet_0 | 3 +--
|
||||
tests/shell/testcases/listing/0008ruleset_arp_0 | 3 +--
|
||||
tests/shell/testcases/listing/0009ruleset_bridge_0 | 3 +--
|
||||
tests/shell/testcases/listing/0010sets_0 | 3 +--
|
||||
tests/shell/testcases/listing/0011sets_0 | 3 +--
|
||||
tests/shell/testcases/listing/0012sets_0 | 3 +--
|
||||
tests/shell/testcases/listing/0013objects_0 | 3 +--
|
||||
tests/shell/testcases/listing/0014objects_0 | 6 ++----
|
||||
tests/shell/testcases/listing/0015dynamic_0 | 3 +--
|
||||
tests/shell/testcases/listing/0017objects_0 | 3 +--
|
||||
tests/shell/testcases/listing/0018data_0 | 3 +--
|
||||
tests/shell/testcases/listing/0019set_0 | 3 +--
|
||||
tests/shell/testcases/listing/0020flowtable_0 | 3 +--
|
||||
.../shell/testcases/maps/0003map_add_many_elements_0 | 3 +--
|
||||
.../testcases/maps/0004interval_map_create_once_0 | 3 +--
|
||||
tests/shell/testcases/maps/0008interval_map_delete_0 | 3 +--
|
||||
tests/shell/testcases/netns/0001nft-f_0 | 3 +--
|
||||
tests/shell/testcases/netns/0002loosecommands_0 | 3 +--
|
||||
tests/shell/testcases/netns/0003many_0 | 3 +--
|
||||
tests/shell/testcases/nft-f/0016redefines_1 | 3 +--
|
||||
.../testcases/optionals/delete_object_handles_0 | 3 +--
|
||||
.../testcases/optionals/update_object_handles_0 | 3 +--
|
||||
.../rule_management/0001addinsertposition_0 | 12 ++++--------
|
||||
tests/shell/testcases/sets/0028delete_handle_0 | 3 +--
|
||||
.../testcases/sets/0036add_set_element_expiration_0 | 5 ++++-
|
||||
tests/shell/testcases/transactions/0003table_0 | 4 +---
|
||||
tests/shell/testcases/transactions/0040set_0 | 3 +--
|
||||
33 files changed, 46 insertions(+), 75 deletions(-)
|
||||
|
||||
diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh
|
||||
@ -569,5 +569,5 @@ index a404abc..468816b 100755
|
||||
fi
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -81,5 +81,5 @@ index 3bd16f2..21200c3 100755
|
||||
+ exit 1
|
||||
+fi
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -47,5 +47,5 @@ index 154353b..06a0312 100644
|
||||
|
||||
static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -71,5 +71,5 @@ index 06a0312..88dbd5a 100644
|
||||
|
||||
static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -38,5 +38,5 @@ index 498326d..cb1b7fe 100644
|
||||
nftnl_expr_set_u32(nle, NFTNL_EXPR_PAYLOAD_FLAGS,
|
||||
NFT_PAYLOAD_L4CSUM_PSEUDOHDR);
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -35,5 +35,5 @@ index a636d5f..fa7d69a 100755
|
||||
if not k in data:
|
||||
continue
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -64,5 +64,5 @@ index fa7d69a..36a377a 100755
|
||||
|
||||
# various commands to work with
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -60,5 +60,5 @@ index 0478cf6..efacdaa 100755
|
||||
# files are like this:
|
||||
#
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -36,5 +36,5 @@ index efacdaa..ffb833a 100755
|
||||
testcases+=" $1"
|
||||
shift
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -72,5 +72,5 @@ index 6edca3c..01ee6c9 100755
|
||||
test_files = files_ok = run_total = 0
|
||||
tests = passed = warnings = errors = 0
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -39,5 +39,5 @@ index 5473d59..a5cab9d 100644
|
||||
[options="header"]
|
||||
|==================
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -35,5 +35,5 @@ index d32adf4..7daf5c1 100644
|
||||
slash \/
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -16,7 +16,7 @@ Date: Wed Dec 11 14:31:44 2019 +0100
|
||||
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
---
|
||||
src/parser_bison.y | 99 ++++++++++++++++++++++++------------------------------
|
||||
src/parser_bison.y | 99 ++++++++++++++++++++--------------------------
|
||||
1 file changed, 43 insertions(+), 56 deletions(-)
|
||||
|
||||
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
||||
@ -158,5 +158,5 @@ index 707f467..0fd9b94 100644
|
||||
;
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -33,7 +33,7 @@ index ed8881a..1a99df3 100644
|
||||
|
||||
/**
|
||||
* enum nft_verdicts - nf_tables internal verdicts
|
||||
@@ -299,15 +300,29 @@ enum nft_set_policies {
|
||||
@@ -299,14 +300,28 @@ enum nft_set_policies {
|
||||
* enum nft_set_desc_attributes - set element description
|
||||
*
|
||||
* @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
|
||||
@ -47,7 +47,7 @@ index ed8881a..1a99df3 100644
|
||||
};
|
||||
#define NFTA_SET_DESC_MAX (__NFTA_SET_DESC_MAX - 1)
|
||||
|
||||
/**
|
||||
+/**
|
||||
+ * enum nft_set_field_attributes - attributes of concatenated fields
|
||||
+ *
|
||||
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
|
||||
@ -59,10 +59,9 @@ index ed8881a..1a99df3 100644
|
||||
+};
|
||||
+#define NFTA_SET_FIELD_MAX (__NFTA_SET_FIELD_MAX - 1)
|
||||
+
|
||||
+/**
|
||||
/**
|
||||
* enum nft_set_attributes - nf_tables set netlink attributes
|
||||
*
|
||||
* @NFTA_SET_TABLE: table name (NLA_STRING)
|
||||
@@ -368,6 +383,7 @@ enum nft_set_elem_flags {
|
||||
* @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
|
||||
* @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
|
||||
@ -80,5 +79,5 @@ index ed8881a..1a99df3 100644
|
||||
};
|
||||
#define NFTA_SET_ELEM_MAX (__NFTA_SET_ELEM_MAX - 1)
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -177,5 +177,5 @@ index 3ca1805..4669577 100644
|
||||
return new_set;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -82,12 +82,12 @@ Date: Thu Jan 30 01:16:57 2020 +0100
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
include/expression.h | 1 +
|
||||
include/rule.h | 5 +++
|
||||
src/evaluate.c | 5 +++
|
||||
src/netlink.c | 109 +++++++++++++++++++++++++++++++++++------------
|
||||
src/parser_bison.y | 17 ++++++--
|
||||
src/rule.c | 13 +++---
|
||||
src/segtree.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
include/rule.h | 5 ++
|
||||
src/evaluate.c | 5 ++
|
||||
src/netlink.c | 109 +++++++++++++++++++++++++++++-----------
|
||||
src/parser_bison.y | 17 +++++--
|
||||
src/rule.c | 13 ++---
|
||||
src/segtree.c | 117 +++++++++++++++++++++++++++++++++++++++++++
|
||||
7 files changed, 229 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/include/expression.h b/include/expression.h
|
||||
@ -573,5 +573,5 @@ index 7217dbc..e859f84 100644
|
||||
{
|
||||
struct expr **elements, **ranges;
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -20,7 +20,7 @@ Date: Fri Mar 6 16:15:48 2020 +0100
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
Acked-by: Eric Garver <eric@garver.life>
|
||||
---
|
||||
src/parser_json.c | 51 +++++++++++++++++++++++++++++----------------------
|
||||
src/parser_json.c | 51 +++++++++++++++++++++++++++--------------------
|
||||
1 file changed, 29 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/src/parser_json.c b/src/parser_json.c
|
||||
@ -115,5 +115,5 @@ index 031930e..c48faa8 100644
|
||||
{
|
||||
if (json_is_string(root)) {
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -47,5 +47,5 @@ index 3b82436..749533a 100644
|
||||
~~~~~~~~~~~~~~
|
||||
A meta statement sets the value of a meta expression. The existing meta fields
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -49,5 +49,5 @@ index c48faa8..ce8e566 100644
|
||||
|
||||
tmp = json_object_get(json, "add");
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -38,5 +38,5 @@ index e859f84..1ba4363 100644
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -51,5 +51,5 @@ index 1ba4363..dc4db6b 100644
|
||||
}
|
||||
break;
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -21,7 +21,7 @@ Date: Thu Apr 30 13:57:35 2020 +0200
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/segtree.c | 63 +++++++++++++++--------------------------------------------
|
||||
src/segtree.c | 63 +++++++++++++--------------------------------------
|
||||
1 file changed, 16 insertions(+), 47 deletions(-)
|
||||
|
||||
diff --git a/src/segtree.c b/src/segtree.c
|
||||
@ -127,5 +127,5 @@ index dc4db6b..6e1f696 100644
|
||||
compound_expr_add(new_init, range);
|
||||
else
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -37,5 +37,5 @@ index c7e7298..e23dbda 100755
|
||||
out="${out#* \{ }"
|
||||
out="${out% \}}"
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -23,7 +23,7 @@ Date: Thu Apr 30 14:02:44 2020 +0200
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/segtree.c | 1 +
|
||||
tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++++++++--------
|
||||
tests/shell/testcases/sets/0034get_element_0 | 62 ++++++++++++++------
|
||||
2 files changed, 45 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/src/segtree.c b/src/segtree.c
|
||||
@ -131,5 +131,5 @@ index e23dbda..3343529 100755
|
||||
|
||||
exit $RC
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -41,5 +41,5 @@ index 1a99df3..9b54a86 100644
|
||||
|
||||
/**
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -68,5 +68,5 @@ index 0c84816..f66251b 100644
|
||||
|
||||
if (set_is_datamap(set->flags)) {
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -46,18 +46,18 @@ Date: Tue Jul 16 19:03:55 2019 +0200
|
||||
---
|
||||
include/datatype.h | 1 -
|
||||
include/netlink.h | 1 -
|
||||
include/rule.h | 6 ++----
|
||||
src/datatype.c | 5 -----
|
||||
src/evaluate.c | 58 +++++++++++++++++++++++++++++++++++++-----------------
|
||||
include/rule.h | 6 ++---
|
||||
src/datatype.c | 5 ----
|
||||
src/evaluate.c | 58 ++++++++++++++++++++++++++++++++--------------
|
||||
src/expression.c | 2 +-
|
||||
src/json.c | 4 ++--
|
||||
src/mnl.c | 6 +++---
|
||||
src/mnl.c | 6 ++---
|
||||
src/monitor.c | 2 +-
|
||||
src/netlink.c | 32 ++++++++++++++----------------
|
||||
src/netlink.c | 32 ++++++++++++-------------
|
||||
src/parser_bison.y | 3 +--
|
||||
src/parser_json.c | 8 ++++++--
|
||||
src/rule.c | 8 ++++----
|
||||
src/segtree.c | 8 ++++++--
|
||||
src/parser_json.c | 8 +++++--
|
||||
src/rule.c | 8 +++----
|
||||
src/segtree.c | 8 +++++--
|
||||
14 files changed, 81 insertions(+), 63 deletions(-)
|
||||
|
||||
diff --git a/include/datatype.h b/include/datatype.h
|
||||
@ -499,5 +499,5 @@ index 073c6ec..d6e3ce2 100644
|
||||
tree->debug_mask = debug_mask;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -116,5 +116,5 @@ index 578dcae..fc45cef 100644
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -33,9 +33,9 @@ Date: Sun Jun 7 15:23:21 2020 +0200
|
||||
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/evaluate.c | 22 ++++++++++++----------
|
||||
tests/shell/testcases/maps/0009vmap_0 | 19 +++++++++++++++++++
|
||||
tests/shell/testcases/maps/dumps/0009vmap_0 | 13 +++++++++++++
|
||||
src/evaluate.c | 22 +++++++++++----------
|
||||
tests/shell/testcases/maps/0009vmap_0 | 19 ++++++++++++++++++
|
||||
tests/shell/testcases/maps/dumps/0009vmap_0 | 13 ++++++++++++
|
||||
3 files changed, 44 insertions(+), 10 deletions(-)
|
||||
create mode 100755 tests/shell/testcases/maps/0009vmap_0
|
||||
create mode 100644 tests/shell/testcases/maps/dumps/0009vmap_0
|
||||
@ -163,5 +163,5 @@ index 0000000..540a8af
|
||||
+ }
|
||||
+}
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -84,5 +84,5 @@ index 55f1bc2..076e562 100644
|
||||
+ [ lookup reg 1 set __set%d ]
|
||||
+
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -130,5 +130,5 @@ index 40ce590..8360abf 100644
|
||||
[ICMP6HDR_TYPE] = ICMP6HDR_TYPE("type", &icmp6_type_type, icmp6_type),
|
||||
[ICMP6HDR_CODE] = ICMP6HDR_TYPE("code", &icmpv6_code_type, icmp6_code),
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -35,11 +35,11 @@ Date: Tue Nov 10 13:07:49 2020 +0100
|
||||
---
|
||||
include/proto.h | 2 +-
|
||||
src/proto.c | 2 +-
|
||||
tests/py/arp/arp.t | 3 +++
|
||||
tests/py/arp/arp.t.json | 56 +++++++++++++++++++++++++++++++++++++++
|
||||
tests/py/arp/arp.t.json.output | 28 ++++++++++++++++++++
|
||||
tests/py/arp/arp.t.payload | 10 +++++++
|
||||
tests/py/arp/arp.t.payload.netdev | 14 ++++++++++
|
||||
tests/py/arp/arp.t | 3 ++
|
||||
tests/py/arp/arp.t.json | 56 +++++++++++++++++++++++++++++++
|
||||
tests/py/arp/arp.t.json.output | 28 ++++++++++++++++
|
||||
tests/py/arp/arp.t.payload | 10 ++++++
|
||||
tests/py/arp/arp.t.payload.netdev | 14 ++++++++
|
||||
7 files changed, 113 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/include/proto.h b/include/proto.h
|
||||
@ -229,5 +229,5 @@ index 667691f..f57610c 100644
|
||||
+ [ cmp eq reg 1 0x0101a8c0 0xc000edfe 0x0000eeff ]
|
||||
+
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -104,5 +104,5 @@ index ddc694f..107dc38 100644
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -112,5 +112,5 @@ index 107dc38..785f0e7 100644
|
||||
tmp = json_object_get(json, "add");
|
||||
if (!tmp)
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -43,5 +43,5 @@ index 785f0e7..986f128 100644
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -42,5 +42,5 @@ index 986f128..662bb4b 100644
|
||||
if (!nft->json_root)
|
||||
return -EINVAL;
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -23,32 +23,30 @@ RHEL8 kernel does not support:
|
||||
|
||||
Disable all related tests to make the testsuites pass.
|
||||
---
|
||||
tests/monitor/testcases/object.t | 14 +++----
|
||||
tests/py/any/meta.t | 36 ++++++++---------
|
||||
tests/py/bridge/meta.t | 8 ++--
|
||||
tests/py/inet/osf.t | 24 +++++------
|
||||
tests/py/inet/socket.t | 2 +-
|
||||
tests/py/inet/synproxy.t | 12 +++---
|
||||
tests/py/ip/objects.t | 46 +++++++++++-----------
|
||||
tests/py/ip6/sets.t | 2 +-
|
||||
.../testcases/flowtable/0002create_flowtable_0 | 8 ++--
|
||||
.../testcases/flowtable/0003add_after_flush_0 | 8 ++--
|
||||
.../testcases/flowtable/0004delete_after_add_0 | 6 +--
|
||||
.../shell/testcases/flowtable/0005delete_in_use_1 | 10 ++---
|
||||
tests/shell/testcases/flowtable/0007prio_0 | 6 +--
|
||||
tests/shell/testcases/flowtable/0008prio_1 | 4 +-
|
||||
.../testcases/flowtable/0009deleteafterflush_0 | 12 +++---
|
||||
tests/shell/testcases/listing/0013objects_0 | 2 +
|
||||
tests/shell/testcases/nft-f/0017ct_timeout_obj_0 | 2 +
|
||||
.../shell/testcases/nft-f/0018ct_expectation_obj_0 | 2 +
|
||||
.../testcases/nft-f/dumps/0017ct_timeout_obj_0.nft | 11 ------
|
||||
.../nft-f/dumps/0017ct_timeout_obj_0.nft.disabled | 11 ++++++
|
||||
.../testcases/optionals/update_object_handles_0 | 2 +
|
||||
.../sets/0036add_set_element_expiration_0 | 2 +
|
||||
tests/shell/testcases/transactions/0046set_0 | 2 +
|
||||
23 files changed, 122 insertions(+), 110 deletions(-)
|
||||
delete mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
|
||||
create mode 100644 tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
|
||||
tests/monitor/testcases/object.t | 14 +++---
|
||||
tests/py/any/meta.t | 36 +++++++--------
|
||||
tests/py/bridge/meta.t | 8 ++--
|
||||
tests/py/inet/osf.t | 24 +++++-----
|
||||
tests/py/inet/socket.t | 2 +-
|
||||
tests/py/inet/synproxy.t | 12 ++---
|
||||
tests/py/ip/objects.t | 46 +++++++++----------
|
||||
tests/py/ip6/sets.t | 2 +-
|
||||
.../flowtable/0002create_flowtable_0 | 8 ++--
|
||||
.../testcases/flowtable/0003add_after_flush_0 | 8 ++--
|
||||
.../flowtable/0004delete_after_add_0 | 6 +--
|
||||
.../testcases/flowtable/0005delete_in_use_1 | 10 ++--
|
||||
tests/shell/testcases/flowtable/0007prio_0 | 6 +--
|
||||
tests/shell/testcases/flowtable/0008prio_1 | 4 +-
|
||||
.../flowtable/0009deleteafterflush_0 | 12 ++---
|
||||
tests/shell/testcases/listing/0013objects_0 | 2 +
|
||||
.../testcases/nft-f/0017ct_timeout_obj_0 | 2 +
|
||||
.../testcases/nft-f/0018ct_expectation_obj_0 | 2 +
|
||||
....nft => 0017ct_timeout_obj_0.nft.disabled} | 0
|
||||
.../optionals/update_object_handles_0 | 2 +
|
||||
.../sets/0036add_set_element_expiration_0 | 2 +
|
||||
tests/shell/testcases/transactions/0046set_0 | 2 +
|
||||
22 files changed, 111 insertions(+), 99 deletions(-)
|
||||
rename tests/shell/testcases/nft-f/dumps/{0017ct_timeout_obj_0.nft => 0017ct_timeout_obj_0.nft.disabled} (100%)
|
||||
|
||||
diff --git a/tests/monitor/testcases/object.t b/tests/monitor/testcases/object.t
|
||||
index 2afe33c..1b30384 100644
|
||||
@ -422,40 +420,10 @@ index 4f9872f..f518cf7 100755
|
||||
EXPECTED='table ip filter {
|
||||
ct expectation ctexpect{
|
||||
protocol tcp
|
||||
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
|
||||
deleted file mode 100644
|
||||
index 7cff1ed..0000000
|
||||
--- a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
|
||||
+++ /dev/null
|
||||
@@ -1,11 +0,0 @@
|
||||
-table ip filter {
|
||||
- ct timeout cttime {
|
||||
- protocol tcp
|
||||
- l3proto ip
|
||||
- policy = { established : 123, close : 12 }
|
||||
- }
|
||||
-
|
||||
- chain c {
|
||||
- ct timeout set "cttime"
|
||||
- }
|
||||
-}
|
||||
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
|
||||
new file mode 100644
|
||||
index 0000000..7cff1ed
|
||||
--- /dev/null
|
||||
+++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
|
||||
@@ -0,0 +1,11 @@
|
||||
+table ip filter {
|
||||
+ ct timeout cttime {
|
||||
+ protocol tcp
|
||||
+ l3proto ip
|
||||
+ policy = { established : 123, close : 12 }
|
||||
+ }
|
||||
+
|
||||
+ chain c {
|
||||
+ ct timeout set "cttime"
|
||||
+ }
|
||||
+}
|
||||
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
|
||||
similarity index 100%
|
||||
rename from tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
|
||||
rename to tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft.disabled
|
||||
diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
|
||||
index 8b12b8c..e11b4e7 100755
|
||||
--- a/tests/shell/testcases/optionals/update_object_handles_0
|
||||
@ -493,5 +461,5 @@ index 172e24d..1b24964 100755
|
||||
add chain ip filter group_7933
|
||||
add map ip filter group_7933 { type ipv4_addr : classid; flags interval; }
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -37,5 +37,5 @@ index 7927b6f..142cc92 100644
|
||||
dummyset->init = set_expr_alloc(monh->loc, set);
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -40,5 +40,5 @@ index ffb833a..c1cacb4 100755
|
||||
command_file=$(mktemp -p $testdir)
|
||||
output_file=$(mktemp -p $testdir)
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -53,5 +53,5 @@ index a966ed4..0181750 100644
|
||||
|
||||
memset(unescaped_str, 0, sizeof(unescaped_str));
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -60,5 +60,5 @@ index 3576400..45280ef 100644
|
||||
break;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -237,5 +237,5 @@ index b2e8363..18b8bcb 100644
|
||||
# ip6 saddr ::1 ip6 daddr ::2
|
||||
ip6 test-ip6 input
|
||||
--
|
||||
1.8.3.1
|
||||
2.31.1
|
||||
|
||||
|
@ -0,0 +1,100 @@
|
||||
From 8cb078a2f9f69259325c10f479c198349ef01ef2 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 6 Oct 2021 17:24:44 +0200
|
||||
Subject: [PATCH] parser_json: Fix error reporting for invalid syntax
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1994141
|
||||
Upstream Status: nftables commit 9fe5d1bc18cfa
|
||||
|
||||
commit 9fe5d1bc18cfaed2ecf717e3dd9a97ff5b0e183c
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed Sep 1 16:41:44 2021 +0200
|
||||
|
||||
parser_json: Fix error reporting for invalid syntax
|
||||
|
||||
Errors emitted by the JSON parser caused BUG() in erec_print() due to
|
||||
input descriptor values being bogus.
|
||||
|
||||
Due to lack of 'include' support, JSON parser uses a single input
|
||||
descriptor only and it lived inside the json_ctx object on stack of
|
||||
nft_parse_json_*() functions.
|
||||
|
||||
By the time errors are printed though, that scope is not valid anymore.
|
||||
Move the static input descriptor object to avoid this.
|
||||
|
||||
Fixes: 586ad210368b7 ("libnftables: Implement JSON parser")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/parser_json.c | 18 ++++++++----------
|
||||
1 file changed, 8 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/parser_json.c b/src/parser_json.c
|
||||
index a069a89..ef4d4fb 100644
|
||||
--- a/src/parser_json.c
|
||||
+++ b/src/parser_json.c
|
||||
@@ -44,7 +44,6 @@
|
||||
#define CTX_F_CONCAT (1 << 8) /* inside concat_expr */
|
||||
|
||||
struct json_ctx {
|
||||
- struct input_descriptor indesc;
|
||||
struct nft_ctx *nft;
|
||||
struct list_head *msgs;
|
||||
struct list_head *cmds;
|
||||
@@ -107,11 +106,12 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root);
|
||||
/* parsing helpers */
|
||||
|
||||
const struct location *int_loc = &internal_location;
|
||||
+static struct input_descriptor json_indesc;
|
||||
|
||||
static void json_lib_error(struct json_ctx *ctx, json_error_t *err)
|
||||
{
|
||||
struct location loc = {
|
||||
- .indesc = &ctx->indesc,
|
||||
+ .indesc = &json_indesc,
|
||||
.line_offset = err->position - err->column,
|
||||
.first_line = err->line,
|
||||
.last_line = err->line,
|
||||
@@ -3864,16 +3864,15 @@ int nft_parse_json_buffer(struct nft_ctx *nft, const char *buf,
|
||||
struct list_head *msgs, struct list_head *cmds)
|
||||
{
|
||||
struct json_ctx ctx = {
|
||||
- .indesc = {
|
||||
- .type = INDESC_BUFFER,
|
||||
- .data = buf,
|
||||
- },
|
||||
.nft = nft,
|
||||
.msgs = msgs,
|
||||
.cmds = cmds,
|
||||
};
|
||||
int ret;
|
||||
|
||||
+ json_indesc.type = INDESC_BUFFER;
|
||||
+ json_indesc.data = buf;
|
||||
+
|
||||
parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
|
||||
nft->json_root = json_loads(buf, 0, NULL);
|
||||
if (!nft->json_root)
|
||||
@@ -3892,10 +3891,6 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename,
|
||||
struct list_head *msgs, struct list_head *cmds)
|
||||
{
|
||||
struct json_ctx ctx = {
|
||||
- .indesc = {
|
||||
- .type = INDESC_FILE,
|
||||
- .name = filename,
|
||||
- },
|
||||
.nft = nft,
|
||||
.msgs = msgs,
|
||||
.cmds = cmds,
|
||||
@@ -3903,6 +3898,9 @@ int nft_parse_json_filename(struct nft_ctx *nft, const char *filename,
|
||||
json_error_t err;
|
||||
int ret;
|
||||
|
||||
+ json_indesc.type = INDESC_FILE;
|
||||
+ json_indesc.name = filename;
|
||||
+
|
||||
parser_init(nft, nft->state, msgs, cmds, nft->top_scope);
|
||||
nft->json_root = json_load_file(filename, 0, &err);
|
||||
if (!nft->json_root)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,37 @@
|
||||
From bb4718fa421938c4a501b9a55df68de16a572f23 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 6 Oct 2021 17:32:04 +0200
|
||||
Subject: [PATCH] parser_bison: Fix for implicit declaration of isalnum
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059
|
||||
Upstream Status: nftables commit 7c3b2a7acbdc7
|
||||
|
||||
commit 7c3b2a7acbdc793b822a230ec0c28086c7d0365d
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri Jun 11 16:03:32 2021 +0200
|
||||
|
||||
parser_bison: Fix for implicit declaration of isalnum
|
||||
|
||||
Have to include ctype.h to make it known.
|
||||
|
||||
Fixes: e76bb37940181 ("src: allow for variables in the log prefix string")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/parser_bison.y | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
||||
index 5ab5744..d38ec30 100644
|
||||
--- a/src/parser_bison.y
|
||||
+++ b/src/parser_bison.y
|
||||
@@ -10,6 +10,7 @@
|
||||
|
||||
%{
|
||||
|
||||
+#include <ctype.h>
|
||||
#include <stddef.h>
|
||||
#include <stdio.h>
|
||||
#include <inttypes.h>
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,46 @@
|
||||
From 99d51194569f2784261f452ee821c42c3a7a6808 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 6 Oct 2021 17:32:04 +0200
|
||||
Subject: [PATCH] parser_json: Fix for memleak in tcp option error path
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059
|
||||
Upstream Status: nftables commit f7b0eef8391ae
|
||||
|
||||
commit f7b0eef8391ae7f89a3a82f6eeecaebe199224d7
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri Jun 11 16:07:02 2021 +0200
|
||||
|
||||
parser_json: Fix for memleak in tcp option error path
|
||||
|
||||
If 'kind' value is invalid, the function returned without freeing 'expr'
|
||||
first. Fix this by performing the check before allocation.
|
||||
|
||||
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/parser_json.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/parser_json.c b/src/parser_json.c
|
||||
index ef4d4fb..2250be9 100644
|
||||
--- a/src/parser_json.c
|
||||
+++ b/src/parser_json.c
|
||||
@@ -610,12 +610,12 @@ static struct expr *json_parse_tcp_option_expr(struct json_ctx *ctx,
|
||||
"base", &kind, "offset", &offset, "len", &len)) {
|
||||
uint32_t flag = 0;
|
||||
|
||||
- expr = tcpopt_expr_alloc(int_loc, kind,
|
||||
- TCPOPT_COMMON_KIND);
|
||||
-
|
||||
if (kind < 0 || kind > 255)
|
||||
return NULL;
|
||||
|
||||
+ expr = tcpopt_expr_alloc(int_loc, kind,
|
||||
+ TCPOPT_COMMON_KIND);
|
||||
+
|
||||
if (offset == TCPOPT_COMMON_KIND && len == 8)
|
||||
flag = NFT_EXTHDR_F_PRESENT;
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 5f30a3447d28381fdf534ff4ed90167455d1283b Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 6 Oct 2021 17:32:04 +0200
|
||||
Subject: [PATCH] json: Drop pointless assignment in exthdr_expr_json()
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999059
|
||||
Upstream Status: nftables commit c1616dfd1ce40
|
||||
|
||||
commit c1616dfd1ce40bac197924c8947e1c646e915dca
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Fri Jun 11 16:23:22 2021 +0200
|
||||
|
||||
json: Drop pointless assignment in exthdr_expr_json()
|
||||
|
||||
The updated value of 'is_exists' is no longer read at this point.
|
||||
|
||||
Fixes: cb21869649208 ("json: tcp: add raw tcp option match support")
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/json.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/src/json.c b/src/json.c
|
||||
index dfc9031..ecec51c 100644
|
||||
--- a/src/json.c
|
||||
+++ b/src/json.c
|
||||
@@ -679,7 +679,6 @@ json_t *exthdr_expr_json(const struct expr *expr, struct output_ctx *octx)
|
||||
"base", expr->exthdr.raw_type,
|
||||
"offset", expr->exthdr.offset,
|
||||
"len", expr->len);
|
||||
- is_exists = false;
|
||||
}
|
||||
|
||||
return json_pack("{s:o}", "tcp option", root);
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,69 @@
|
||||
From 36cf5177c724540aea5a42f9dc6ef5476f86179a Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 5 Nov 2021 16:06:45 +0100
|
||||
Subject: [PATCH] segtree: Fix segfault when restoring a huge interval set
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
|
||||
Upstream Status: nftables commit baecd1cf26851
|
||||
|
||||
commit baecd1cf26851a4c5b7d469206a488f14fe5b147
|
||||
Author: Phil Sutter <phil@nwl.cc>
|
||||
Date: Wed Jun 9 15:49:52 2021 +0200
|
||||
|
||||
segtree: Fix segfault when restoring a huge interval set
|
||||
|
||||
Restoring a set of IPv4 prefixes with about 1.1M elements crashes nft as
|
||||
set_to_segtree() exhausts the stack. Prevent this by allocating the
|
||||
pointer array on heap and make sure it is freed before returning to
|
||||
caller.
|
||||
|
||||
With this patch in place, restoring said set succeeds with allocation of
|
||||
about 3GB of memory, according to valgrind.
|
||||
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
src/segtree.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/segtree.c b/src/segtree.c
|
||||
index d6e3ce2..b852961 100644
|
||||
--- a/src/segtree.c
|
||||
+++ b/src/segtree.c
|
||||
@@ -414,10 +414,10 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
|
||||
struct expr *init, struct seg_tree *tree,
|
||||
bool add, bool merge)
|
||||
{
|
||||
- struct elementary_interval *intervals[init->size];
|
||||
+ struct elementary_interval **intervals;
|
||||
struct expr *i, *next;
|
||||
unsigned int n;
|
||||
- int err;
|
||||
+ int err = 0;
|
||||
|
||||
/* We are updating an existing set with new elements, check if the new
|
||||
* interval overlaps with any of the existing ones.
|
||||
@@ -428,6 +428,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
|
||||
return err;
|
||||
}
|
||||
|
||||
+ intervals = xmalloc_array(init->size, sizeof(intervals[0]));
|
||||
n = expr_to_intervals(init, tree->keylen, intervals);
|
||||
|
||||
list_for_each_entry_safe(i, next, &init->expressions, list) {
|
||||
@@ -446,10 +447,11 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
|
||||
for (n = 0; n < init->size; n++) {
|
||||
err = ei_insert(msgs, tree, intervals[n], merge);
|
||||
if (err < 0)
|
||||
- return err;
|
||||
+ break;
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ xfree(intervals);
|
||||
+ return err;
|
||||
}
|
||||
|
||||
static bool segtree_needs_first_segment(const struct set *set,
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,74 @@
|
||||
From cc6c59e683c503b461b4a80526f4bc9cbb0660bf Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 5 Nov 2021 16:06:45 +0100
|
||||
Subject: [PATCH] tests: cover baecd1cf2685 ("segtree: Fix segfault when
|
||||
restoring a huge interval set")
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
|
||||
Upstream Status: nftables commit d8ccad2a2b73c
|
||||
|
||||
commit d8ccad2a2b73c4189934eb5fd0e3d096699b5043
|
||||
Author: Štěpán Němec <snemec@redhat.com>
|
||||
Date: Wed Oct 20 14:42:20 2021 +0200
|
||||
|
||||
tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")
|
||||
|
||||
Test inspired by [1] with both the set and stack size reduced by the
|
||||
same power of 2, to preserve the (pre-baecd1cf2685) segfault on one
|
||||
hand, and make the test successfully complete (post-baecd1cf2685) in a
|
||||
few seconds even on weaker hardware on the other.
|
||||
|
||||
(The reason I stopped at 128kB stack size is that with 64kB I was
|
||||
getting segfaults even with baecd1cf2685 applied.)
|
||||
|
||||
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1908127
|
||||
|
||||
Signed-off-by: Štěpán Němec <snemec@redhat.com>
|
||||
Helped-by: Phil Sutter <phil@nwl.cc>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
.../sets/0068interval_stack_overflow_0 | 29 +++++++++++++++++++
|
||||
1 file changed, 29 insertions(+)
|
||||
create mode 100755 tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
|
||||
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
new file mode 100755
|
||||
index 0000000..134282d
|
||||
--- /dev/null
|
||||
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
@@ -0,0 +1,29 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+ruleset_file=$(mktemp)
|
||||
+
|
||||
+trap 'rm -f "$ruleset_file"' EXIT
|
||||
+
|
||||
+{
|
||||
+ echo 'define big_set = {'
|
||||
+ for ((i = 1; i < 255; i++)); do
|
||||
+ for ((j = 1; j < 80; j++)); do
|
||||
+ echo "10.0.$i.$j,"
|
||||
+ done
|
||||
+ done
|
||||
+ echo '10.1.0.0/24 }'
|
||||
+} >"$ruleset_file"
|
||||
+
|
||||
+cat >>"$ruleset_file" <<\EOF
|
||||
+table inet test68_table {
|
||||
+ set test68_set {
|
||||
+ type ipv4_addr
|
||||
+ flags interval
|
||||
+ elements = { $big_set }
|
||||
+ }
|
||||
+}
|
||||
+EOF
|
||||
+
|
||||
+( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,58 @@
|
||||
From ea4457d5c329c8930c610ef3002cfe42bf8a263f Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 8 Dec 2021 14:10:31 +0100
|
||||
Subject: [PATCH] tests: shell: $NFT needs to be invoked unquoted
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
|
||||
Upstream Status: nftables commit dad3338f1f76a
|
||||
Conflicts: Context change in README due to missing other commits.
|
||||
|
||||
commit dad3338f1f76a4a5bd782bae9c6b48941dfb1e31
|
||||
Author: Štěpán Němec <snemec@redhat.com>
|
||||
Date: Fri Nov 5 12:39:11 2021 +0100
|
||||
|
||||
tests: shell: $NFT needs to be invoked unquoted
|
||||
|
||||
The variable has to undergo word splitting, otherwise the shell tries
|
||||
to find the variable value as an executable, which breaks in cases that
|
||||
7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
|
||||
intends to support.
|
||||
|
||||
Mention this in the shell tests README.
|
||||
|
||||
Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
|
||||
Signed-off-by: Štěpán Němec <snemec@redhat.com>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
tests/shell/README | 3 +++
|
||||
tests/shell/testcases/sets/0068interval_stack_overflow_0 | 2 +-
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/shell/README b/tests/shell/README
|
||||
index e0279bb..aee50e3 100644
|
||||
--- a/tests/shell/README
|
||||
+++ b/tests/shell/README
|
||||
@@ -25,4 +25,7 @@ path to the nftables binary being tested.
|
||||
You can pass an arbitrary $NFT value as well:
|
||||
# NFT=/usr/local/sbin/nft ./run-tests.sh
|
||||
|
||||
+Note that, to support usage such as NFT='valgrind nft', tests must
|
||||
+invoke $NFT unquoted.
|
||||
+
|
||||
By default the tests are run with the nft binary at '../../src/nft'
|
||||
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
index 134282d..6620572 100755
|
||||
--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
@@ -26,4 +26,4 @@ table inet test68_table {
|
||||
}
|
||||
EOF
|
||||
|
||||
-( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
|
||||
+( ulimit -s 128 && $NFT -f "$ruleset_file" )
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,59 @@
|
||||
From b297f75275737de3e16b5d14916efe35535b6279 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 8 Dec 2021 14:10:54 +0100
|
||||
Subject: [PATCH] tests: shell: better parameters for the interval stack
|
||||
overflow test
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1908127
|
||||
Upstream Status: nftables commit 7b81d9cb094ff
|
||||
|
||||
commit 7b81d9cb094ffa96ad821528cf19269dc348f617
|
||||
Author: Štěpán Němec <snemec@redhat.com>
|
||||
Date: Wed Dec 1 12:12:00 2021 +0100
|
||||
|
||||
tests: shell: better parameters for the interval stack overflow test
|
||||
|
||||
Wider testing has shown that 128 kB stack is too low (e.g. for systems
|
||||
with 64 kB page size), leading to false failures in some environments.
|
||||
|
||||
Based on results from a matrix of RHEL 8 and RHEL 9 systems across
|
||||
x86_64, aarch64, ppc64le and s390x architectures as well as some
|
||||
anecdotal testing of other Linux distros on x86_64 machines, 400 kB
|
||||
seems safe: the normal nft stack (which should stay constant during
|
||||
this test) on all tested systems doesn't exceed 200 kB (stays around
|
||||
100 kB on typical systems with 4 kB page size), while always growing
|
||||
beyond 500 kB in the failing case (nftables before baecd1cf2685) with
|
||||
the increased set size.
|
||||
|
||||
Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
|
||||
Signed-off-by: Štěpán Němec <snemec@redhat.com>
|
||||
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||
---
|
||||
tests/shell/testcases/sets/0068interval_stack_overflow_0 | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
index 6620572..2cbc986 100755
|
||||
--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
+++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
|
||||
@@ -9,7 +9,7 @@ trap 'rm -f "$ruleset_file"' EXIT
|
||||
{
|
||||
echo 'define big_set = {'
|
||||
for ((i = 1; i < 255; i++)); do
|
||||
- for ((j = 1; j < 80; j++)); do
|
||||
+ for ((j = 1; j < 255; j++)); do
|
||||
echo "10.0.$i.$j,"
|
||||
done
|
||||
done
|
||||
@@ -26,4 +26,4 @@ table inet test68_table {
|
||||
}
|
||||
EOF
|
||||
|
||||
-( ulimit -s 128 && $NFT -f "$ruleset_file" )
|
||||
+( ulimit -s 400 && $NFT -f "$ruleset_file" )
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,134 @@
|
||||
From cf85778a263a34aa2aeee565f3e046693164a097 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Thu, 13 Jan 2022 20:37:56 +0100
|
||||
Subject: [PATCH] netlink: remove unused parameter from
|
||||
netlink_gen_stmt_stateful()
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594
|
||||
Upstream Status: nftables commit 3f3e897f42965
|
||||
|
||||
commit 3f3e897f429659ff6c8387245d0d4115952a6c31
|
||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Wed Mar 11 13:02:26 2020 +0100
|
||||
|
||||
netlink: remove unused parameter from netlink_gen_stmt_stateful()
|
||||
|
||||
Remove context from netlink_gen_stmt_stateful().
|
||||
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/netlink_linearize.c | 36 +++++++++++++-----------------------
|
||||
1 file changed, 13 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
|
||||
index 28b0e6a..f5c6116 100644
|
||||
--- a/src/netlink_linearize.c
|
||||
+++ b/src/netlink_linearize.c
|
||||
@@ -780,9 +780,7 @@ static void netlink_gen_objref_stmt(struct netlink_linearize_ctx *ctx,
|
||||
nftnl_rule_add_expr(ctx->nlr, nle);
|
||||
}
|
||||
|
||||
-static struct nftnl_expr *
|
||||
-netlink_gen_connlimit_stmt(struct netlink_linearize_ctx *ctx,
|
||||
- const struct stmt *stmt)
|
||||
+static struct nftnl_expr *netlink_gen_connlimit_stmt(const struct stmt *stmt)
|
||||
{
|
||||
struct nftnl_expr *nle;
|
||||
|
||||
@@ -795,9 +793,7 @@ netlink_gen_connlimit_stmt(struct netlink_linearize_ctx *ctx,
|
||||
return nle;
|
||||
}
|
||||
|
||||
-static struct nftnl_expr *
|
||||
-netlink_gen_counter_stmt(struct netlink_linearize_ctx *ctx,
|
||||
- const struct stmt *stmt)
|
||||
+static struct nftnl_expr *netlink_gen_counter_stmt(const struct stmt *stmt)
|
||||
{
|
||||
struct nftnl_expr *nle;
|
||||
|
||||
@@ -814,9 +810,7 @@ netlink_gen_counter_stmt(struct netlink_linearize_ctx *ctx,
|
||||
return nle;
|
||||
}
|
||||
|
||||
-static struct nftnl_expr *
|
||||
-netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx,
|
||||
- const struct stmt *stmt)
|
||||
+static struct nftnl_expr *netlink_gen_limit_stmt(const struct stmt *stmt)
|
||||
{
|
||||
struct nftnl_expr *nle;
|
||||
|
||||
@@ -832,9 +826,7 @@ netlink_gen_limit_stmt(struct netlink_linearize_ctx *ctx,
|
||||
return nle;
|
||||
}
|
||||
|
||||
-static struct nftnl_expr *
|
||||
-netlink_gen_quota_stmt(struct netlink_linearize_ctx *ctx,
|
||||
- const struct stmt *stmt)
|
||||
+static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt)
|
||||
{
|
||||
struct nftnl_expr *nle;
|
||||
|
||||
@@ -846,19 +838,17 @@ netlink_gen_quota_stmt(struct netlink_linearize_ctx *ctx,
|
||||
return nle;
|
||||
}
|
||||
|
||||
-static struct nftnl_expr *
|
||||
-netlink_gen_stmt_stateful(struct netlink_linearize_ctx *ctx,
|
||||
- const struct stmt *stmt)
|
||||
+static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
|
||||
{
|
||||
switch (stmt->ops->type) {
|
||||
case STMT_CONNLIMIT:
|
||||
- return netlink_gen_connlimit_stmt(ctx, stmt);
|
||||
+ return netlink_gen_connlimit_stmt(stmt);
|
||||
case STMT_COUNTER:
|
||||
- return netlink_gen_counter_stmt(ctx, stmt);
|
||||
+ return netlink_gen_counter_stmt(stmt);
|
||||
case STMT_LIMIT:
|
||||
- return netlink_gen_limit_stmt(ctx, stmt);
|
||||
+ return netlink_gen_limit_stmt(stmt);
|
||||
case STMT_QUOTA:
|
||||
- return netlink_gen_quota_stmt(ctx, stmt);
|
||||
+ return netlink_gen_quota_stmt(stmt);
|
||||
default:
|
||||
BUG("unknown stateful statement type %s\n", stmt->ops->name);
|
||||
}
|
||||
@@ -1307,7 +1297,7 @@ static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
|
||||
|
||||
if (stmt->set.stmt)
|
||||
nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
|
||||
- netlink_gen_stmt_stateful(ctx, stmt->set.stmt), 0);
|
||||
+ netlink_gen_stmt_stateful(stmt->set.stmt), 0);
|
||||
}
|
||||
|
||||
static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
|
||||
@@ -1337,7 +1327,7 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
|
||||
|
||||
if (stmt->map.stmt)
|
||||
nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
|
||||
- netlink_gen_stmt_stateful(ctx, stmt->map.stmt), 0);
|
||||
+ netlink_gen_stmt_stateful(stmt->map.stmt), 0);
|
||||
|
||||
nftnl_rule_add_expr(ctx->nlr, nle);
|
||||
}
|
||||
@@ -1369,7 +1359,7 @@ static void netlink_gen_meter_stmt(struct netlink_linearize_ctx *ctx,
|
||||
nftnl_expr_set_str(nle, NFTNL_EXPR_DYNSET_SET_NAME, set->handle.set.name);
|
||||
nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
|
||||
nftnl_expr_set(nle, NFTNL_EXPR_DYNSET_EXPR,
|
||||
- netlink_gen_stmt_stateful(ctx, stmt->meter.stmt), 0);
|
||||
+ netlink_gen_stmt_stateful(stmt->meter.stmt), 0);
|
||||
nftnl_rule_add_expr(ctx->nlr, nle);
|
||||
}
|
||||
|
||||
@@ -1415,7 +1405,7 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
|
||||
case STMT_COUNTER:
|
||||
case STMT_LIMIT:
|
||||
case STMT_QUOTA:
|
||||
- nle = netlink_gen_stmt_stateful(ctx, stmt);
|
||||
+ nle = netlink_gen_stmt_stateful(stmt);
|
||||
nftnl_rule_add_expr(ctx->nlr, nle);
|
||||
break;
|
||||
case STMT_NOTRACK:
|
||||
--
|
||||
2.31.1
|
||||
|
150
SOURCES/0072-src-support-for-restoring-element-counters.patch
Normal file
150
SOURCES/0072-src-support-for-restoring-element-counters.patch
Normal file
@ -0,0 +1,150 @@
|
||||
From 0db42cc2d2647ec61441e29445c9f6e0f8946613 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Thu, 13 Jan 2022 20:37:56 +0100
|
||||
Subject: [PATCH] src: support for restoring element counters
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594
|
||||
Upstream Status: nftables commit 1fe6089ddd87e
|
||||
|
||||
commit 1fe6089ddd87ee7869d24c0f8849951220cc9b85
|
||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Wed Mar 11 13:00:01 2020 +0100
|
||||
|
||||
src: support for restoring element counters
|
||||
|
||||
This patch allows you to restore counters in dynamic sets:
|
||||
|
||||
table ip test {
|
||||
set test {
|
||||
type ipv4_addr
|
||||
size 65535
|
||||
flags dynamic,timeout
|
||||
timeout 30d
|
||||
gc-interval 1d
|
||||
elements = { 192.168.10.13 expires 19d23h52m27s576ms counter packets 51 bytes 17265 }
|
||||
}
|
||||
chain output {
|
||||
type filter hook output priority 0;
|
||||
update @test { ip saddr }
|
||||
}
|
||||
}
|
||||
|
||||
You can also add counters to elements from the control place, ie.
|
||||
|
||||
table ip test {
|
||||
set test {
|
||||
type ipv4_addr
|
||||
size 65535
|
||||
elements = { 192.168.2.1 counter packets 75 bytes 19043 }
|
||||
}
|
||||
|
||||
chain output {
|
||||
type filter hook output priority filter; policy accept;
|
||||
ip daddr @test
|
||||
}
|
||||
}
|
||||
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
include/netlink.h | 1 +
|
||||
src/netlink.c | 3 +++
|
||||
src/netlink_linearize.c | 2 +-
|
||||
src/parser_bison.y | 36 +++++++++++++++++++++++++++++++++++-
|
||||
4 files changed, 40 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/include/netlink.h b/include/netlink.h
|
||||
index 88d12ba..059092e 100644
|
||||
--- a/include/netlink.h
|
||||
+++ b/include/netlink.h
|
||||
@@ -97,6 +97,7 @@ extern void netlink_gen_data(const struct expr *expr,
|
||||
extern void netlink_gen_raw_data(const mpz_t value, enum byteorder byteorder,
|
||||
unsigned int len,
|
||||
struct nft_data_linearize *data);
|
||||
+extern struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt);
|
||||
|
||||
extern struct expr *netlink_alloc_value(const struct location *loc,
|
||||
const struct nft_data_delinearize *nld);
|
||||
diff --git a/src/netlink.c b/src/netlink.c
|
||||
index 64e51e5..825c2cc 100644
|
||||
--- a/src/netlink.c
|
||||
+++ b/src/netlink.c
|
||||
@@ -136,6 +136,9 @@ static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
|
||||
if (elem->expiration)
|
||||
nftnl_set_elem_set_u64(nlse, NFTNL_SET_ELEM_EXPIRATION,
|
||||
elem->expiration);
|
||||
+ if (elem->stmt)
|
||||
+ nftnl_set_elem_set(nlse, NFTNL_SET_ELEM_EXPR,
|
||||
+ netlink_gen_stmt_stateful(elem->stmt), 0);
|
||||
if (elem->comment || expr->elem_flags) {
|
||||
udbuf = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
|
||||
if (!udbuf)
|
||||
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
|
||||
index f5c6116..3fa1339 100644
|
||||
--- a/src/netlink_linearize.c
|
||||
+++ b/src/netlink_linearize.c
|
||||
@@ -838,7 +838,7 @@ static struct nftnl_expr *netlink_gen_quota_stmt(const struct stmt *stmt)
|
||||
return nle;
|
||||
}
|
||||
|
||||
-static struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
|
||||
+struct nftnl_expr *netlink_gen_stmt_stateful(const struct stmt *stmt)
|
||||
{
|
||||
switch (stmt->ops->type) {
|
||||
case STMT_CONNLIMIT:
|
||||
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
||||
index d38ec30..2cdf8ec 100644
|
||||
--- a/src/parser_bison.y
|
||||
+++ b/src/parser_bison.y
|
||||
@@ -3654,7 +3654,7 @@ meter_key_expr_alloc : concat_expr
|
||||
;
|
||||
|
||||
set_elem_expr : set_elem_expr_alloc
|
||||
- | set_elem_expr_alloc set_elem_options
|
||||
+ | set_elem_expr_alloc set_elem_expr_options
|
||||
;
|
||||
|
||||
set_elem_expr_alloc : set_lhs_expr
|
||||
@@ -3684,6 +3684,40 @@ set_elem_option : TIMEOUT time_spec
|
||||
}
|
||||
;
|
||||
|
||||
+set_elem_expr_options : set_elem_expr_option
|
||||
+ {
|
||||
+ $<expr>$ = $<expr>0;
|
||||
+ }
|
||||
+ | set_elem_expr_options set_elem_expr_option
|
||||
+ ;
|
||||
+
|
||||
+set_elem_expr_option : TIMEOUT time_spec
|
||||
+ {
|
||||
+ $<expr>0->timeout = $2;
|
||||
+ }
|
||||
+ | EXPIRES time_spec
|
||||
+ {
|
||||
+ $<expr>0->expiration = $2;
|
||||
+ }
|
||||
+ | COUNTER
|
||||
+ {
|
||||
+ $<expr>0->stmt = counter_stmt_alloc(&@$);
|
||||
+ }
|
||||
+ | COUNTER PACKETS NUM BYTES NUM
|
||||
+ {
|
||||
+ struct stmt *stmt;
|
||||
+
|
||||
+ stmt = counter_stmt_alloc(&@$);
|
||||
+ stmt->counter.packets = $3;
|
||||
+ stmt->counter.bytes = $5;
|
||||
+ $<expr>0->stmt = stmt;
|
||||
+ }
|
||||
+ | comment_spec
|
||||
+ {
|
||||
+ $<expr>0->comment = $1;
|
||||
+ }
|
||||
+ ;
|
||||
+
|
||||
set_lhs_expr : concat_rhs_expr
|
||||
| wildcard_expr
|
||||
;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,127 @@
|
||||
From 48021b277a1ab92480c43e1fa7573b00e33f5212 Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 14 Jan 2022 11:39:17 +0100
|
||||
Subject: [PATCH] evaluate: attempt to set_eval flag if dynamic updates
|
||||
requested
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2039594
|
||||
Upstream Status: nftables commit 8d443adfcc8c1
|
||||
Conflicts:
|
||||
* Context change due to missing commit 242965f452e64
|
||||
("src: add support for multi-statement in dynamic sets and maps")
|
||||
* Adjusted test-case: Due to missing kernel commit 7b1394892de8d
|
||||
("netfilter: nft_dynset: relax superfluous check on set updates"),
|
||||
'update' statement is allowed only if timeout flag is present
|
||||
|
||||
commit 8d443adfcc8c19effd6be9a9c903ee96e374f2e8
|
||||
Author: Florian Westphal <fw@strlen.de>
|
||||
Date: Tue Jan 11 12:08:59 2022 +0100
|
||||
|
||||
evaluate: attempt to set_eval flag if dynamic updates requested
|
||||
|
||||
When passing no upper size limit, the dynset expression forces
|
||||
an internal 64k upperlimit.
|
||||
|
||||
In some cases, this can result in 'nft -f' to restore the ruleset.
|
||||
Avoid this by always setting the EVAL flag on a set definition when
|
||||
we encounter packet-path update attempt in the batch.
|
||||
|
||||
Reported-by: Yi Chen <yiche@redhat.com>
|
||||
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
---
|
||||
src/evaluate.c | 11 +++++++
|
||||
.../testcases/sets/dumps/dynset_missing.nft | 12 +++++++
|
||||
tests/shell/testcases/sets/dynset_missing | 32 +++++++++++++++++++
|
||||
3 files changed, 55 insertions(+)
|
||||
create mode 100644 tests/shell/testcases/sets/dumps/dynset_missing.nft
|
||||
create mode 100755 tests/shell/testcases/sets/dynset_missing
|
||||
|
||||
diff --git a/src/evaluate.c b/src/evaluate.c
|
||||
index 00ec20b..9381f23 100644
|
||||
--- a/src/evaluate.c
|
||||
+++ b/src/evaluate.c
|
||||
@@ -3076,6 +3076,8 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
|
||||
|
||||
static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
|
||||
{
|
||||
+ struct set *this_set;
|
||||
+
|
||||
expr_set_context(&ctx->ectx, NULL, 0);
|
||||
if (expr_evaluate(ctx, &stmt->set.set) < 0)
|
||||
return -1;
|
||||
@@ -3103,6 +3105,15 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
|
||||
"meter statement must be stateful");
|
||||
}
|
||||
|
||||
+ this_set = stmt->set.set->set;
|
||||
+
|
||||
+ /* Make sure EVAL flag is set on set definition so that kernel
|
||||
+ * picks a set that allows updates from the packet path.
|
||||
+ *
|
||||
+ * Alternatively we could error out in case 'flags dynamic' was
|
||||
+ * not given, but we can repair this here.
|
||||
+ */
|
||||
+ this_set->flags |= NFT_SET_EVAL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.nft b/tests/shell/testcases/sets/dumps/dynset_missing.nft
|
||||
new file mode 100644
|
||||
index 0000000..fdb1b97
|
||||
--- /dev/null
|
||||
+++ b/tests/shell/testcases/sets/dumps/dynset_missing.nft
|
||||
@@ -0,0 +1,12 @@
|
||||
+table ip test {
|
||||
+ set dlist {
|
||||
+ type ipv4_addr
|
||||
+ size 65535
|
||||
+ flags dynamic,timeout
|
||||
+ }
|
||||
+
|
||||
+ chain output {
|
||||
+ type filter hook output priority filter; policy accept;
|
||||
+ udp dport 1234 update @dlist { ip daddr } counter packets 0 bytes 0
|
||||
+ }
|
||||
+}
|
||||
diff --git a/tests/shell/testcases/sets/dynset_missing b/tests/shell/testcases/sets/dynset_missing
|
||||
new file mode 100755
|
||||
index 0000000..89afcd5
|
||||
--- /dev/null
|
||||
+++ b/tests/shell/testcases/sets/dynset_missing
|
||||
@@ -0,0 +1,32 @@
|
||||
+#!/bin/bash
|
||||
+
|
||||
+set -e
|
||||
+
|
||||
+$NFT -f /dev/stdin <<EOF
|
||||
+table ip test {
|
||||
+ chain output { type filter hook output priority 0;
|
||||
+ }
|
||||
+}
|
||||
+EOF
|
||||
+
|
||||
+# misses 'flags dynamic'
|
||||
+$NFT 'add set ip test dlist {type ipv4_addr; flags timeout; }'
|
||||
+
|
||||
+# picks rhash backend because 'size' was also missing.
|
||||
+$NFT 'add rule ip test output udp dport 1234 update @dlist { ip daddr } counter'
|
||||
+
|
||||
+tmpfile=$(mktemp)
|
||||
+
|
||||
+trap "rm -rf $tmpfile" EXIT
|
||||
+
|
||||
+# kernel has forced an 64k upper size, i.e. this restore file
|
||||
+# has 'size 65536' but no 'flags dynamic'.
|
||||
+$NFT list ruleset > $tmpfile
|
||||
+
|
||||
+# this restore works, because set is still the rhash backend.
|
||||
+$NFT -f $tmpfile # success
|
||||
+$NFT flush ruleset
|
||||
+
|
||||
+# fails without commit 'attempt to set_eval flag if dynamic updates requested',
|
||||
+# because set in $tmpfile has 'size x' but no 'flags dynamic'.
|
||||
+$NFT -f $tmpfile
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,49 @@
|
||||
From 1fe92af5a03608b94e8e1e2ff26e24adfe2ea09a Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 21 Jan 2022 12:35:39 +0100
|
||||
Subject: [PATCH] evaluate: fix inet nat with no layer 3 info
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2030773
|
||||
Upstream Status: nftables commit 9a36033ce5063
|
||||
|
||||
commit 9a36033ce50638a403d1421935cdd1287ee5de6b
|
||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Tue Jul 20 18:59:44 2021 +0200
|
||||
|
||||
evaluate: fix inet nat with no layer 3 info
|
||||
|
||||
nft currently reports:
|
||||
|
||||
Error: Could not process rule: Protocol error
|
||||
add rule inet x y meta l4proto tcp dnat to :80
|
||||
^^^^
|
||||
|
||||
default to NFPROTO_INET family, otherwise kernel bails out EPROTO when
|
||||
trying to load the conntrack helper.
|
||||
|
||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/evaluate.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/evaluate.c b/src/evaluate.c
|
||||
index 9381f23..e495faf 100644
|
||||
--- a/src/evaluate.c
|
||||
+++ b/src/evaluate.c
|
||||
@@ -2757,9 +2757,10 @@ static int nat_evaluate_family(struct eval_ctx *ctx, struct stmt *stmt)
|
||||
stmt->nat.family = ctx->pctx.family;
|
||||
return 0;
|
||||
case NFPROTO_INET:
|
||||
- if (!stmt->nat.addr)
|
||||
+ if (!stmt->nat.addr) {
|
||||
+ stmt->nat.family = NFPROTO_INET;
|
||||
return 0;
|
||||
-
|
||||
+ }
|
||||
if (stmt->nat.family != NFPROTO_UNSPEC)
|
||||
return 0;
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,86 @@
|
||||
From eeba2cd956485d3059dabf86a7ad8dd59ee682dd Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Fri, 4 Feb 2022 14:18:44 +0100
|
||||
Subject: [PATCH] tests: py: add dnat to port without defining destination
|
||||
address
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2030773
|
||||
Upstream Status: nftables commit 0f27e258b37a5
|
||||
Conflicts: Context changes due to missing commit ae1d822630e6d
|
||||
("src: context tracking for multiple transport protocols")
|
||||
|
||||
commit 0f27e258b37a592233d6ad5381cd1fae65e57514
|
||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Thu Jul 22 17:43:56 2021 +0200
|
||||
|
||||
tests: py: add dnat to port without defining destination address
|
||||
|
||||
Add a test to cover dnat to port without destination address.
|
||||
|
||||
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1428
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
tests/py/inet/dnat.t | 1 +
|
||||
tests/py/inet/dnat.t.json | 20 ++++++++++++++++++++
|
||||
tests/py/inet/dnat.t.payload | 8 ++++++++
|
||||
3 files changed, 29 insertions(+)
|
||||
|
||||
diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
|
||||
index fcdf943..6beceda 100644
|
||||
--- a/tests/py/inet/dnat.t
|
||||
+++ b/tests/py/inet/dnat.t
|
||||
@@ -6,6 +6,7 @@ iifname "foo" tcp dport 80 redirect to :8080;ok
|
||||
|
||||
iifname "eth0" tcp dport 443 dnat ip to 192.168.3.2;ok
|
||||
iifname "eth0" tcp dport 443 dnat ip6 to [dead::beef]:4443;ok
|
||||
+meta l4proto tcp dnat to :80;ok;meta l4proto 6 dnat to :80
|
||||
|
||||
dnat ip to ct mark map { 0x00000014 : 1.2.3.4};ok
|
||||
dnat ip to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
|
||||
diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json
|
||||
index ac6dac6..f88e9cf 100644
|
||||
--- a/tests/py/inet/dnat.t.json
|
||||
+++ b/tests/py/inet/dnat.t.json
|
||||
@@ -164,3 +164,23 @@
|
||||
}
|
||||
]
|
||||
|
||||
+# meta l4proto tcp dnat to :80
|
||||
+[
|
||||
+ {
|
||||
+ "match": {
|
||||
+ "left": {
|
||||
+ "meta": {
|
||||
+ "key": "l4proto"
|
||||
+ }
|
||||
+ },
|
||||
+ "op": "==",
|
||||
+ "right": 6
|
||||
+ }
|
||||
+ },
|
||||
+ {
|
||||
+ "dnat": {
|
||||
+ "port": 80
|
||||
+ }
|
||||
+ }
|
||||
+]
|
||||
+
|
||||
diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
|
||||
index b81caf7..6d8569d 100644
|
||||
--- a/tests/py/inet/dnat.t.payload
|
||||
+++ b/tests/py/inet/dnat.t.payload
|
||||
@@ -52,3 +52,11 @@ inet test-inet prerouting
|
||||
[ payload load 4b @ network header + 16 => reg 9 ]
|
||||
[ lookup reg 1 set __map%d dreg 1 ]
|
||||
[ nat dnat ip addr_min reg 1 addr_max reg 0 ]
|
||||
+
|
||||
+# meta l4proto tcp dnat to :80
|
||||
+inet
|
||||
+ [ meta load l4proto => reg 1 ]
|
||||
+ [ cmp eq reg 1 0x00000006 ]
|
||||
+ [ immediate reg 1 0x00005000 ]
|
||||
+ [ nat dnat inet proto_min reg 1 flags 0x2 ]
|
||||
+
|
||||
--
|
||||
2.31.1
|
||||
|
214
SOURCES/0076-mnl-do-not-build-nftnl_set-element-list.patch
Normal file
214
SOURCES/0076-mnl-do-not-build-nftnl_set-element-list.patch
Normal file
@ -0,0 +1,214 @@
|
||||
From bd940a4efd2b5897f8a8e58ec7733417b3710e1e Mon Sep 17 00:00:00 2001
|
||||
From: Phil Sutter <psutter@redhat.com>
|
||||
Date: Wed, 8 Dec 2021 13:28:49 +0100
|
||||
Subject: [PATCH] mnl: do not build nftnl_set element list
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2047821
|
||||
Upstream Status: nftables commit b4b234f5a29e8
|
||||
Conflicts: Context change due to missing commit 66746e7dedeb0
|
||||
("src: support for nat with interval concatenation").
|
||||
|
||||
commit b4b234f5a29e819045679acd95820a7457d4d7de
|
||||
Author: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Thu Nov 4 12:53:11 2021 +0100
|
||||
|
||||
mnl: do not build nftnl_set element list
|
||||
|
||||
Do not call alloc_setelem_cache() to build the set element list in
|
||||
nftnl_set. Instead, translate one single set element expression to
|
||||
nftnl_set_elem object at a time and use this object to build the netlink
|
||||
header.
|
||||
|
||||
Using a huge test set containing 1.1 million element blocklist, this
|
||||
patch is reducing userspace memory consumption by 40%.
|
||||
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
include/netlink.h | 2 +
|
||||
src/mnl.c | 112 ++++++++++++++++++++++++++++++++++++----------
|
||||
src/netlink.c | 4 +-
|
||||
3 files changed, 93 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/include/netlink.h b/include/netlink.h
|
||||
index 059092e..3443582 100644
|
||||
--- a/include/netlink.h
|
||||
+++ b/include/netlink.h
|
||||
@@ -56,6 +56,8 @@ struct netlink_ctx {
|
||||
|
||||
extern struct nftnl_expr *alloc_nft_expr(const char *name);
|
||||
extern void alloc_setelem_cache(const struct expr *set, struct nftnl_set *nls);
|
||||
+struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
|
||||
+ const struct expr *expr);
|
||||
|
||||
extern struct nftnl_table *netlink_table_alloc(const struct nlmsghdr *nlh);
|
||||
extern struct nftnl_chain *netlink_chain_alloc(const struct nlmsghdr *nlh);
|
||||
diff --git a/src/mnl.c b/src/mnl.c
|
||||
index 23341e6..44cf1a4 100644
|
||||
--- a/src/mnl.c
|
||||
+++ b/src/mnl.c
|
||||
@@ -1201,33 +1201,102 @@ static int set_elem_cb(const struct nlmsghdr *nlh, void *data)
|
||||
return MNL_CB_OK;
|
||||
}
|
||||
|
||||
-static int mnl_nft_setelem_batch(struct nftnl_set *nls,
|
||||
+static bool mnl_nft_attr_nest_overflow(struct nlmsghdr *nlh,
|
||||
+ const struct nlattr *from,
|
||||
+ const struct nlattr *to)
|
||||
+{
|
||||
+ int len = (void *)to + to->nla_len - (void *)from;
|
||||
+
|
||||
+ /* The attribute length field is 16 bits long, thus the maximum payload
|
||||
+ * that an attribute can convey is UINT16_MAX. In case of overflow,
|
||||
+ * discard the last attribute that did not fit into the nest.
|
||||
+ */
|
||||
+ if (len > UINT16_MAX) {
|
||||
+ nlh->nlmsg_len -= to->nla_len;
|
||||
+ return true;
|
||||
+ }
|
||||
+ return false;
|
||||
+}
|
||||
+
|
||||
+static void netlink_dump_setelem(const struct nftnl_set_elem *nlse,
|
||||
+ struct netlink_ctx *ctx)
|
||||
+{
|
||||
+ FILE *fp = ctx->nft->output.output_fp;
|
||||
+ char buf[4096];
|
||||
+
|
||||
+ if (!(ctx->nft->debug_mask & NFT_DEBUG_NETLINK) || !fp)
|
||||
+ return;
|
||||
+
|
||||
+ nftnl_set_elem_snprintf(buf, sizeof(buf), nlse, NFTNL_OUTPUT_DEFAULT, 0);
|
||||
+ fprintf(fp, "\t%s", buf);
|
||||
+}
|
||||
+
|
||||
+static void netlink_dump_setelem_done(struct netlink_ctx *ctx)
|
||||
+{
|
||||
+ FILE *fp = ctx->nft->output.output_fp;
|
||||
+
|
||||
+ if (!(ctx->nft->debug_mask & NFT_DEBUG_NETLINK) || !fp)
|
||||
+ return;
|
||||
+
|
||||
+ fprintf(fp, "\n");
|
||||
+}
|
||||
+
|
||||
+static int mnl_nft_setelem_batch(const struct nftnl_set *nls,
|
||||
struct nftnl_batch *batch,
|
||||
enum nf_tables_msg_types cmd,
|
||||
- unsigned int flags, uint32_t seqnum)
|
||||
+ unsigned int flags, uint32_t seqnum,
|
||||
+ const struct expr *set,
|
||||
+ struct netlink_ctx *ctx)
|
||||
{
|
||||
+ struct nlattr *nest1, *nest2;
|
||||
+ struct nftnl_set_elem *nlse;
|
||||
struct nlmsghdr *nlh;
|
||||
- struct nftnl_set_elems_iter *iter;
|
||||
- int ret;
|
||||
-
|
||||
- iter = nftnl_set_elems_iter_create(nls);
|
||||
- if (iter == NULL)
|
||||
- memory_allocation_error();
|
||||
+ struct expr *expr = NULL;
|
||||
+ int i = 0;
|
||||
|
||||
if (cmd == NFT_MSG_NEWSETELEM)
|
||||
flags |= NLM_F_CREATE;
|
||||
|
||||
- while (nftnl_set_elems_iter_cur(iter)) {
|
||||
- nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(batch), cmd,
|
||||
- nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
|
||||
- flags, seqnum);
|
||||
- ret = nftnl_set_elems_nlmsg_build_payload_iter(nlh, iter);
|
||||
- mnl_nft_batch_continue(batch);
|
||||
- if (ret <= 0)
|
||||
- break;
|
||||
+ if (set)
|
||||
+ expr = list_first_entry(&set->expressions, struct expr, list);
|
||||
+
|
||||
+next:
|
||||
+ nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(batch), cmd,
|
||||
+ nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
|
||||
+ flags, seqnum);
|
||||
+
|
||||
+ if (nftnl_set_is_set(nls, NFTNL_SET_TABLE)) {
|
||||
+ mnl_attr_put_strz(nlh, NFTA_SET_ELEM_LIST_TABLE,
|
||||
+ nftnl_set_get_str(nls, NFTNL_SET_TABLE));
|
||||
+ }
|
||||
+ if (nftnl_set_is_set(nls, NFTNL_SET_NAME)) {
|
||||
+ mnl_attr_put_strz(nlh, NFTA_SET_ELEM_LIST_SET,
|
||||
+ nftnl_set_get_str(nls, NFTNL_SET_NAME));
|
||||
}
|
||||
+ if (nftnl_set_is_set(nls, NFTNL_SET_ID)) {
|
||||
+ mnl_attr_put_u32(nlh, NFTA_SET_ELEM_LIST_SET_ID,
|
||||
+ htonl(nftnl_set_get_u32(nls, NFTNL_SET_ID)));
|
||||
+ }
|
||||
+
|
||||
+ if (!set || list_empty(&set->expressions))
|
||||
+ return 0;
|
||||
|
||||
- nftnl_set_elems_iter_destroy(iter);
|
||||
+ assert(expr);
|
||||
+ nest1 = mnl_attr_nest_start(nlh, NFTA_SET_ELEM_LIST_ELEMENTS);
|
||||
+ list_for_each_entry_from(expr, &set->expressions, list) {
|
||||
+ nlse = alloc_nftnl_setelem(set, expr);
|
||||
+ nest2 = nftnl_set_elem_nlmsg_build(nlh, nlse, ++i);
|
||||
+ netlink_dump_setelem(nlse, ctx);
|
||||
+ nftnl_set_elem_free(nlse);
|
||||
+ if (mnl_nft_attr_nest_overflow(nlh, nest1, nest2)) {
|
||||
+ mnl_attr_nest_end(nlh, nest1);
|
||||
+ mnl_nft_batch_continue(batch);
|
||||
+ goto next;
|
||||
+ }
|
||||
+ }
|
||||
+ mnl_attr_nest_end(nlh, nest1);
|
||||
+ mnl_nft_batch_continue(batch);
|
||||
+ netlink_dump_setelem_done(ctx);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1249,11 +1318,10 @@ int mnl_nft_setelem_add(struct netlink_ctx *ctx, const struct set *set,
|
||||
if (h->set_id)
|
||||
nftnl_set_set_u32(nls, NFTNL_SET_ID, h->set_id);
|
||||
|
||||
- alloc_setelem_cache(expr, nls);
|
||||
netlink_dump_set(nls, ctx);
|
||||
|
||||
- err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_NEWSETELEM, flags,
|
||||
- ctx->seqnum);
|
||||
+ err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_NEWSETELEM,
|
||||
+ flags, ctx->seqnum, expr, ctx);
|
||||
nftnl_set_free(nls);
|
||||
|
||||
return err;
|
||||
@@ -1306,12 +1374,10 @@ int mnl_nft_setelem_del(struct netlink_ctx *ctx, const struct cmd *cmd)
|
||||
else if (h->handle.id)
|
||||
nftnl_set_set_u64(nls, NFTNL_SET_HANDLE, h->handle.id);
|
||||
|
||||
- if (cmd->expr)
|
||||
- alloc_setelem_cache(cmd->expr, nls);
|
||||
netlink_dump_set(nls, ctx);
|
||||
|
||||
err = mnl_nft_setelem_batch(nls, ctx->batch, NFT_MSG_DELSETELEM, 0,
|
||||
- ctx->seqnum);
|
||||
+ ctx->seqnum, cmd->expr, ctx);
|
||||
nftnl_set_free(nls);
|
||||
|
||||
return err;
|
||||
diff --git a/src/netlink.c b/src/netlink.c
|
||||
index 825c2cc..f8c97d0 100644
|
||||
--- a/src/netlink.c
|
||||
+++ b/src/netlink.c
|
||||
@@ -95,8 +95,8 @@ struct nftnl_expr *alloc_nft_expr(const char *name)
|
||||
return nle;
|
||||
}
|
||||
|
||||
-static struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
|
||||
- const struct expr *expr)
|
||||
+struct nftnl_set_elem *alloc_nftnl_setelem(const struct expr *set,
|
||||
+ const struct expr *expr)
|
||||
{
|
||||
const struct expr *elem, *data;
|
||||
struct nftnl_set_elem *nlse;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,5 +1,6 @@
|
||||
%define rpmversion 0.9.3
|
||||
%define specrelease 21
|
||||
%define specrelease 25
|
||||
%define libnftnl_ver 1.1.5-5
|
||||
|
||||
Name: nftables
|
||||
Version: %{rpmversion}
|
||||
@ -79,6 +80,20 @@ Patch59: 0059-exthdr-Implement-SCTP-Chunk-matching.patch
|
||||
Patch60: 0060-include-missing-sctp_chunk.h-in-Makefile.am.patch
|
||||
Patch61: 0061-doc-nft.8-Extend-monitor-description-by-trace.patch
|
||||
Patch62: 0062-tests-shell-Fix-bogus-testsuite-failure-with-100Hz.patch
|
||||
Patch63: 0063-parser_json-Fix-error-reporting-for-invalid-syntax.patch
|
||||
Patch64: 0064-parser_bison-Fix-for-implicit-declaration-of-isalnum.patch
|
||||
Patch65: 0065-parser_json-Fix-for-memleak-in-tcp-option-error-path.patch
|
||||
Patch66: 0066-json-Drop-pointless-assignment-in-exthdr_expr_json.patch
|
||||
Patch67: 0067-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
|
||||
Patch68: 0068-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
|
||||
Patch69: 0069-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
|
||||
Patch70: 0070-tests-shell-better-parameters-for-the-interval-stack.patch
|
||||
Patch71: 0071-netlink-remove-unused-parameter-from-netlink_gen_stm.patch
|
||||
Patch72: 0072-src-support-for-restoring-element-counters.patch
|
||||
Patch73: 0073-evaluate-attempt-to-set_eval-flag-if-dynamic-updates.patch
|
||||
Patch74: 0074-evaluate-fix-inet-nat-with-no-layer-3-info.patch
|
||||
Patch75: 0075-tests-py-add-dnat-to-port-without-defining-destinati.patch
|
||||
Patch76: 0076-mnl-do-not-build-nftnl_set-element-list.patch
|
||||
|
||||
BuildRequires: autogen
|
||||
BuildRequires: autoconf
|
||||
@ -90,14 +105,14 @@ BuildRequires: bison
|
||||
BuildRequires: libmnl-devel
|
||||
BuildRequires: gmp-devel
|
||||
BuildRequires: readline-devel
|
||||
BuildRequires: pkgconfig(libnftnl) >= 1.1.5-3
|
||||
BuildRequires: pkgconfig(libnftnl) >= %{libnftnl_ver}
|
||||
BuildRequires: systemd
|
||||
BuildRequires: asciidoc
|
||||
BuildRequires: iptables-devel
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: python3-devel
|
||||
|
||||
Requires: libnftnl >= 1.1.5-3
|
||||
Requires: libnftnl >= %{libnftnl_ver}
|
||||
|
||||
%description
|
||||
Netfilter Tables userspace utilities.
|
||||
@ -195,6 +210,28 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
|
||||
%{python3_sitelib}/nftables/
|
||||
|
||||
%changelog
|
||||
* Fri Feb 04 2022 Phil Sutter <psutter@redhat.com> [0.9.3-25.el8]
|
||||
- mnl: do not build nftnl_set element list (Phil Sutter) [2047821]
|
||||
- tests: py: add dnat to port without defining destination address (Phil Sutter) [2030773]
|
||||
- evaluate: fix inet nat with no layer 3 info (Phil Sutter) [2030773]
|
||||
- evaluate: attempt to set_eval flag if dynamic updates requested (Phil Sutter) [2039594]
|
||||
- src: support for restoring element counters (Phil Sutter) [2039594]
|
||||
- netlink: remove unused parameter from netlink_gen_stmt_stateful() (Phil Sutter) [2039594]
|
||||
|
||||
* Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> [0.9.3-24.el8]
|
||||
- tests: shell: better parameters for the interval stack overflow test (Phil Sutter) [1908127]
|
||||
- tests: shell: $NFT needs to be invoked unquoted (Phil Sutter) [1908127]
|
||||
|
||||
* Fri Nov 05 2021 Phil Sutter <psutter@redhat.com> [0.9.3-23.el8]
|
||||
- tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set") (Phil Sutter) [1908127]
|
||||
- segtree: Fix segfault when restoring a huge interval set (Phil Sutter) [1908127]
|
||||
|
||||
* Wed Oct 06 2021 Phil Sutter <psutter@redhat.com> [0.9.3-22.el8]
|
||||
- json: Drop pointless assignment in exthdr_expr_json() (Phil Sutter) [1999059]
|
||||
- parser_json: Fix for memleak in tcp option error path (Phil Sutter) [1999059]
|
||||
- parser_bison: Fix for implicit declaration of isalnum (Phil Sutter) [1999059]
|
||||
- parser_json: Fix error reporting for invalid syntax (Phil Sutter) [1994141]
|
||||
|
||||
* Mon Aug 02 2021 Phil Sutter <psutter@redhat.com> [0.9.3-21.el8]
|
||||
- tests: shell: Fix bogus testsuite failure with 100Hz (Phil Sutter) [1919203]
|
||||
- doc: nft.8: Extend monitor description by trace (Phil Sutter) [1820365]
|
||||
|
Loading…
Reference in New Issue
Block a user