import CS nftables-1.0.9-3.el9
This commit is contained in:
parent
877ce90157
commit
ee68924aa9
337
SOURCES/0001-Add-support-for-table-s-persist-flag.patch
Normal file
337
SOURCES/0001-Add-support-for-table-s-persist-flag.patch
Normal file
@ -0,0 +1,337 @@
|
|||||||
|
From 450520649ac5ac6f983b40e15e54863aab9d5bd7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Fri, 14 Jun 2024 18:30:55 +0200
|
||||||
|
Subject: [PATCH] Add support for table's persist flag
|
||||||
|
|
||||||
|
JIRA: https://issues.redhat.com/browse/RHEL-32122
|
||||||
|
Upstream Status: nftables commit 4955ae1a81b73f9a61b7fbf1a73e11544513548e
|
||||||
|
Conflicts:
|
||||||
|
- Adjusted to missing commit ffd6b4790a728
|
||||||
|
("src: add free_const() and use it instead of xfree()")
|
||||||
|
|
||||||
|
commit 4955ae1a81b73f9a61b7fbf1a73e11544513548e
|
||||||
|
Author: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Fri Dec 15 01:10:39 2023 +0100
|
||||||
|
|
||||||
|
Add support for table's persist flag
|
||||||
|
|
||||||
|
Bison parser lacked support for passing multiple flags, JSON parser
|
||||||
|
did not support table flags at all.
|
||||||
|
|
||||||
|
Document also 'owner' flag (and describe their relationship in nft.8.
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
doc/libnftables-json.adoc | 11 ++++-
|
||||||
|
doc/nft.txt | 9 ++++
|
||||||
|
include/rule.h | 4 +-
|
||||||
|
src/parser_bison.y | 35 +++++++++------
|
||||||
|
src/parser_json.c | 49 ++++++++++++++++++++-
|
||||||
|
src/rule.c | 12 +++++
|
||||||
|
tests/shell/features/table_flag_persist.nft | 3 ++
|
||||||
|
tests/shell/testcases/owner/0002-persist | 36 +++++++++++++++
|
||||||
|
8 files changed, 142 insertions(+), 17 deletions(-)
|
||||||
|
create mode 100644 tests/shell/features/table_flag_persist.nft
|
||||||
|
create mode 100755 tests/shell/testcases/owner/0002-persist
|
||||||
|
|
||||||
|
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
|
||||||
|
index 3e6e1db..0e424c2 100644
|
||||||
|
--- a/doc/libnftables-json.adoc
|
||||||
|
+++ b/doc/libnftables-json.adoc
|
||||||
|
@@ -202,12 +202,19 @@ Rename a chain. The new name is expected in a dedicated property named
|
||||||
|
|
||||||
|
=== TABLE
|
||||||
|
[verse]
|
||||||
|
+____
|
||||||
|
*{ "table": {
|
||||||
|
"family":* 'STRING'*,
|
||||||
|
"name":* 'STRING'*,
|
||||||
|
- "handle":* 'NUMBER'
|
||||||
|
+ "handle":* 'NUMBER'*,
|
||||||
|
+ "flags":* 'TABLE_FLAGS'
|
||||||
|
*}}*
|
||||||
|
|
||||||
|
+'TABLE_FLAGS' := 'TABLE_FLAG' | *[* 'TABLE_FLAG_LIST' *]*
|
||||||
|
+'TABLE_FLAG_LIST' := 'TABLE_FLAG' [*,* 'TABLE_FLAG_LIST' ]
|
||||||
|
+'TABLE_FLAG' := *"dormant"* | *"owner"* | *"persist"*
|
||||||
|
+____
|
||||||
|
+
|
||||||
|
This object describes a table.
|
||||||
|
|
||||||
|
*family*::
|
||||||
|
@@ -217,6 +224,8 @@ This object describes a table.
|
||||||
|
*handle*::
|
||||||
|
The table's handle. In input, it is used only in *delete* command as
|
||||||
|
alternative to *name*.
|
||||||
|
+*flags*::
|
||||||
|
+ The table's flags.
|
||||||
|
|
||||||
|
=== CHAIN
|
||||||
|
[verse]
|
||||||
|
diff --git a/doc/nft.txt b/doc/nft.txt
|
||||||
|
index b08e32f..dba1b60 100644
|
||||||
|
--- a/doc/nft.txt
|
||||||
|
+++ b/doc/nft.txt
|
||||||
|
@@ -343,8 +343,17 @@ return an error.
|
||||||
|
|Flag | Description
|
||||||
|
|dormant |
|
||||||
|
table is not evaluated any more (base chains are unregistered).
|
||||||
|
+|owner |
|
||||||
|
+table is owned by the creating process.
|
||||||
|
+|persist |
|
||||||
|
+table shall outlive the owning process.
|
||||||
|
|=================
|
||||||
|
|
||||||
|
+Creating a table with flag *owner* excludes other processes from manipulating
|
||||||
|
+it or its contents. By default, it will be removed when the process exits.
|
||||||
|
+Setting flag *persist* will prevent this and the resulting orphaned table will
|
||||||
|
+accept a new owner, e.g. a restarting daemon maintaining the table.
|
||||||
|
+
|
||||||
|
.*Add, change, delete a table*
|
||||||
|
---------------------------------------
|
||||||
|
# start nft in interactive mode
|
||||||
|
diff --git a/include/rule.h b/include/rule.h
|
||||||
|
index 6236d29..a8bb11f 100644
|
||||||
|
--- a/include/rule.h
|
||||||
|
+++ b/include/rule.h
|
||||||
|
@@ -130,10 +130,12 @@ struct symbol *symbol_get(const struct scope *scope, const char *identifier);
|
||||||
|
enum table_flags {
|
||||||
|
TABLE_F_DORMANT = (1 << 0),
|
||||||
|
TABLE_F_OWNER = (1 << 1),
|
||||||
|
+ TABLE_F_PERSIST = (1 << 2),
|
||||||
|
};
|
||||||
|
-#define TABLE_FLAGS_MAX 2
|
||||||
|
+#define TABLE_FLAGS_MAX 3
|
||||||
|
|
||||||
|
const char *table_flag_name(uint32_t flag);
|
||||||
|
+unsigned int parse_table_flag(const char *name);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* struct table - nftables table
|
||||||
|
diff --git a/src/parser_bison.y b/src/parser_bison.y
|
||||||
|
index c517dc3..5ced6e1 100644
|
||||||
|
--- a/src/parser_bison.y
|
||||||
|
+++ b/src/parser_bison.y
|
||||||
|
@@ -720,6 +720,8 @@ int nft_lex(void *, void *, void *);
|
||||||
|
%type <rule> rule rule_alloc
|
||||||
|
%destructor { rule_free($$); } rule
|
||||||
|
|
||||||
|
+%type <val> table_flags table_flag
|
||||||
|
+
|
||||||
|
%type <val> set_flag_list set_flag
|
||||||
|
|
||||||
|
%type <val> set_policy_spec
|
||||||
|
@@ -1874,20 +1876,9 @@ table_block_alloc : /* empty */
|
||||||
|
}
|
||||||
|
;
|
||||||
|
|
||||||
|
-table_options : FLAGS STRING
|
||||||
|
+table_options : FLAGS table_flags
|
||||||
|
{
|
||||||
|
- if (strcmp($2, "dormant") == 0) {
|
||||||
|
- $<table>0->flags |= TABLE_F_DORMANT;
|
||||||
|
- xfree($2);
|
||||||
|
- } else if (strcmp($2, "owner") == 0) {
|
||||||
|
- $<table>0->flags |= TABLE_F_OWNER;
|
||||||
|
- xfree($2);
|
||||||
|
- } else {
|
||||||
|
- erec_queue(error(&@2, "unknown table option %s", $2),
|
||||||
|
- state->msgs);
|
||||||
|
- xfree($2);
|
||||||
|
- YYERROR;
|
||||||
|
- }
|
||||||
|
+ $<table>0->flags |= $2;
|
||||||
|
}
|
||||||
|
| comment_spec
|
||||||
|
{
|
||||||
|
@@ -1899,6 +1890,24 @@ table_options : FLAGS STRING
|
||||||
|
}
|
||||||
|
;
|
||||||
|
|
||||||
|
+table_flags : table_flag
|
||||||
|
+ | table_flags COMMA table_flag
|
||||||
|
+ {
|
||||||
|
+ $$ = $1 | $3;
|
||||||
|
+ }
|
||||||
|
+ ;
|
||||||
|
+table_flag : STRING
|
||||||
|
+ {
|
||||||
|
+ $$ = parse_table_flag($1);
|
||||||
|
+ xfree($1);
|
||||||
|
+ if ($$ == 0) {
|
||||||
|
+ erec_queue(error(&@1, "unknown table option %s", $1),
|
||||||
|
+ state->msgs);
|
||||||
|
+ YYERROR;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ ;
|
||||||
|
+
|
||||||
|
table_block : /* empty */ { $$ = $<table>-1; }
|
||||||
|
| table_block common_block
|
||||||
|
| table_block stmt_separator
|
||||||
|
diff --git a/src/parser_json.c b/src/parser_json.c
|
||||||
|
index 199241a..9e5b656 100644
|
||||||
|
--- a/src/parser_json.c
|
||||||
|
+++ b/src/parser_json.c
|
||||||
|
@@ -2941,6 +2941,45 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int json_parse_table_flags(struct json_ctx *ctx, json_t *root,
|
||||||
|
+ enum table_flags *flags)
|
||||||
|
+{
|
||||||
|
+ json_t *tmp, *tmp2;
|
||||||
|
+ size_t index;
|
||||||
|
+ int flag;
|
||||||
|
+
|
||||||
|
+ if (json_unpack(root, "{s:o}", "flags", &tmp))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (json_is_string(tmp)) {
|
||||||
|
+ flag = parse_table_flag(json_string_value(tmp));
|
||||||
|
+ if (flag) {
|
||||||
|
+ *flags = flag;
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ json_error(ctx, "Invalid table flag '%s'.",
|
||||||
|
+ json_string_value(tmp));
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ if (!json_is_array(tmp)) {
|
||||||
|
+ json_error(ctx, "Unexpected table flags value.");
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ json_array_foreach(tmp, index, tmp2) {
|
||||||
|
+ if (json_is_string(tmp2)) {
|
||||||
|
+ flag = parse_table_flag(json_string_value(tmp2));
|
||||||
|
+
|
||||||
|
+ if (flag) {
|
||||||
|
+ *flags |= flag;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ json_error(ctx, "Invalid table flag at index %zu.", index);
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root,
|
||||||
|
enum cmd_ops op, enum cmd_obj obj)
|
||||||
|
{
|
||||||
|
@@ -2949,6 +2988,7 @@ static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root,
|
||||||
|
.table.location = *int_loc,
|
||||||
|
};
|
||||||
|
struct table *table = NULL;
|
||||||
|
+ enum table_flags flags = 0;
|
||||||
|
|
||||||
|
if (json_unpack_err(ctx, root, "{s:s}",
|
||||||
|
"family", &family))
|
||||||
|
@@ -2959,6 +2999,9 @@ static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root,
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
json_unpack(root, "{s:s}", "comment", &comment);
|
||||||
|
+ if (json_parse_table_flags(ctx, root, &flags))
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
} else if (op == CMD_DELETE &&
|
||||||
|
json_unpack(root, "{s:s}", "name", &h.table.name) &&
|
||||||
|
json_unpack(root, "{s:I}", "handle", &h.handle.id)) {
|
||||||
|
@@ -2972,10 +3015,12 @@ static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root,
|
||||||
|
if (h.table.name)
|
||||||
|
h.table.name = xstrdup(h.table.name);
|
||||||
|
|
||||||
|
- if (comment) {
|
||||||
|
+ if (comment || flags) {
|
||||||
|
table = table_alloc();
|
||||||
|
handle_merge(&table->handle, &h);
|
||||||
|
- table->comment = xstrdup(comment);
|
||||||
|
+ if (comment)
|
||||||
|
+ table->comment = xstrdup(comment);
|
||||||
|
+ table->flags = flags;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (op == CMD_ADD)
|
||||||
|
diff --git a/src/rule.c b/src/rule.c
|
||||||
|
index 739b7a5..a0e151d 100644
|
||||||
|
--- a/src/rule.c
|
||||||
|
+++ b/src/rule.c
|
||||||
|
@@ -1208,6 +1208,7 @@ struct table *table_lookup_fuzzy(const struct handle *h,
|
||||||
|
static const char *table_flags_name[TABLE_FLAGS_MAX] = {
|
||||||
|
"dormant",
|
||||||
|
"owner",
|
||||||
|
+ "persist",
|
||||||
|
};
|
||||||
|
|
||||||
|
const char *table_flag_name(uint32_t flag)
|
||||||
|
@@ -1218,6 +1219,17 @@ const char *table_flag_name(uint32_t flag)
|
||||||
|
return table_flags_name[flag];
|
||||||
|
}
|
||||||
|
|
||||||
|
+unsigned int parse_table_flag(const char *name)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < TABLE_FLAGS_MAX; i++) {
|
||||||
|
+ if (!strcmp(name, table_flags_name[i]))
|
||||||
|
+ return 1 << i;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void table_print_flags(const struct table *table, const char **delim,
|
||||||
|
struct output_ctx *octx)
|
||||||
|
{
|
||||||
|
diff --git a/tests/shell/features/table_flag_persist.nft b/tests/shell/features/table_flag_persist.nft
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..0da3e6d
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/shell/features/table_flag_persist.nft
|
||||||
|
@@ -0,0 +1,3 @@
|
||||||
|
+table t {
|
||||||
|
+ flags persist;
|
||||||
|
+}
|
||||||
|
diff --git a/tests/shell/testcases/owner/0002-persist b/tests/shell/testcases/owner/0002-persist
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..cf4b8f1
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/shell/testcases/owner/0002-persist
|
||||||
|
@@ -0,0 +1,36 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner)
|
||||||
|
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist)
|
||||||
|
+
|
||||||
|
+die() {
|
||||||
|
+ echo "$@"
|
||||||
|
+ exit 1
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+$NFT -f - <<EOF
|
||||||
|
+table ip t {
|
||||||
|
+ flags owner, persist
|
||||||
|
+}
|
||||||
|
+EOF
|
||||||
|
+[[ $? -eq 0 ]] || {
|
||||||
|
+ die "table add failed"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+$NFT list ruleset | grep -q 'table ip t' || {
|
||||||
|
+ die "table does not persist"
|
||||||
|
+}
|
||||||
|
+$NFT list ruleset | grep -q 'flags persist$' || {
|
||||||
|
+ die "unexpected flags in orphaned table"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+$NFT -f - <<EOF
|
||||||
|
+table ip t {
|
||||||
|
+ flags owner, persist
|
||||||
|
+}
|
||||||
|
+EOF
|
||||||
|
+[[ $? -eq 0 ]] || {
|
||||||
|
+ die "retake ownership failed"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+exit 0
|
@ -0,0 +1,65 @@
|
|||||||
|
From 2ef49849b901184c3d97c98c05ffa6418b50af1e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Phil Sutter <psutter@redhat.com>
|
||||||
|
Date: Tue, 2 Jul 2024 16:41:22 +0200
|
||||||
|
Subject: [PATCH] cache: Always set NFT_CACHE_TERSE for list cmd with --terse
|
||||||
|
|
||||||
|
JIRA: https://issues.redhat.com/browse/RHEL-45633
|
||||||
|
Upstream Status: nftables commit cd4e947032a57a585b1a457ce03f546afc7ba033
|
||||||
|
|
||||||
|
commit cd4e947032a57a585b1a457ce03f546afc7ba033
|
||||||
|
Author: Phil Sutter <phil@nwl.cc>
|
||||||
|
Date: Thu Feb 8 02:10:48 2024 +0100
|
||||||
|
|
||||||
|
cache: Always set NFT_CACHE_TERSE for list cmd with --terse
|
||||||
|
|
||||||
|
This fixes at least 'nft -t list table ...' and 'nft -t list set ...'.
|
||||||
|
|
||||||
|
Note how --terse handling for 'list sets/maps' remains in place since
|
||||||
|
setting NFT_CACHE_TERSE does not fully undo NFT_CACHE_SETELEM: setting
|
||||||
|
both enables fetching of anonymous sets which is pointless for that
|
||||||
|
command.
|
||||||
|
|
||||||
|
Reported-by: anton.khazan@gmail.com
|
||||||
|
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1735
|
||||||
|
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||||||
|
|
||||||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||||||
|
---
|
||||||
|
src/cache.c | 10 +++-------
|
||||||
|
1 file changed, 3 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/cache.c b/src/cache.c
|
||||||
|
index 4e89fe1..0ac0f7c 100644
|
||||||
|
--- a/src/cache.c
|
||||||
|
+++ b/src/cache.c
|
||||||
|
@@ -230,8 +230,6 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
|
||||||
|
}
|
||||||
|
if (filter->list.table && filter->list.set)
|
||||||
|
flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | NFT_CACHE_SETELEM;
|
||||||
|
- else if (nft_output_terse(&nft->output))
|
||||||
|
- flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
|
||||||
|
else
|
||||||
|
flags |= NFT_CACHE_FULL;
|
||||||
|
break;
|
||||||
|
@@ -257,17 +255,15 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
|
||||||
|
flags |= NFT_CACHE_TABLE | NFT_CACHE_FLOWTABLE;
|
||||||
|
break;
|
||||||
|
case CMD_OBJ_RULESET:
|
||||||
|
- if (nft_output_terse(&nft->output))
|
||||||
|
- flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
|
||||||
|
- else
|
||||||
|
- flags |= NFT_CACHE_FULL;
|
||||||
|
- break;
|
||||||
|
default:
|
||||||
|
flags |= NFT_CACHE_FULL;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
flags |= NFT_CACHE_REFRESH;
|
||||||
|
|
||||||
|
+ if (nft_output_terse(&nft->output))
|
||||||
|
+ flags |= NFT_CACHE_TERSE;
|
||||||
|
+
|
||||||
|
return flags;
|
||||||
|
}
|
||||||
|
|
@ -1,5 +1,5 @@
|
|||||||
%define nft_rpmversion 1.0.9
|
%define nft_rpmversion 1.0.9
|
||||||
%define nft_specrelease 1
|
%define nft_specrelease 3
|
||||||
|
|
||||||
Name: nftables
|
Name: nftables
|
||||||
Version: %{nft_rpmversion}
|
Version: %{nft_rpmversion}
|
||||||
@ -19,6 +19,8 @@ Source5: nat.nft
|
|||||||
Source6: nft-test.stderr.expect
|
Source6: nft-test.stderr.expect
|
||||||
Source7: run-tests.stderr.expect
|
Source7: run-tests.stderr.expect
|
||||||
|
|
||||||
|
Patch1: 0001-Add-support-for-table-s-persist-flag.patch
|
||||||
|
Patch2: 0002-cache-Always-set-NFT_CACHE_TERSE-for-list-cmd-with-t.patch
|
||||||
|
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
@ -131,6 +133,12 @@ cd py/
|
|||||||
%files -n python3-nftables -f %{pyproject_files}
|
%files -n python3-nftables -f %{pyproject_files}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 02 2024 Phil Sutter <psutter@redhat.com> [1.0.9-3.el9]
|
||||||
|
- cache: Always set NFT_CACHE_TERSE for list cmd with --terse (Phil Sutter) [RHEL-45633]
|
||||||
|
|
||||||
|
* Fri Jun 14 2024 Phil Sutter <psutter@redhat.com> [1.0.9-2.el9]
|
||||||
|
- Add support for table's persist flag (Phil Sutter) [RHEL-32122]
|
||||||
|
|
||||||
* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.0.9-1.el9]
|
* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.0.9-1.el9]
|
||||||
- spec: Utilize pyproject-rpm-macros for the python sub-package (Phil Sutter) [RHEL-14191]
|
- spec: Utilize pyproject-rpm-macros for the python sub-package (Phil Sutter) [RHEL-14191]
|
||||||
- Rebase onto version 1.0.9 (Phil Sutter) [RHEL-14191]
|
- Rebase onto version 1.0.9 (Phil Sutter) [RHEL-14191]
|
||||||
|
Loading…
Reference in New Issue
Block a user