import CS nftables-1.0.9-3.el9

This commit is contained in:
eabdullin 2024-09-30 16:10:39 +00:00
parent 877ce90157
commit ee68924aa9
3 changed files with 411 additions and 1 deletions

View File

@ -0,0 +1,337 @@
From 450520649ac5ac6f983b40e15e54863aab9d5bd7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 14 Jun 2024 18:30:55 +0200
Subject: [PATCH] Add support for table's persist flag
JIRA: https://issues.redhat.com/browse/RHEL-32122
Upstream Status: nftables commit 4955ae1a81b73f9a61b7fbf1a73e11544513548e
Conflicts:
- Adjusted to missing commit ffd6b4790a728
("src: add free_const() and use it instead of xfree()")
commit 4955ae1a81b73f9a61b7fbf1a73e11544513548e
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Dec 15 01:10:39 2023 +0100
Add support for table's persist flag
Bison parser lacked support for passing multiple flags, JSON parser
did not support table flags at all.
Document also 'owner' flag (and describe their relationship in nft.8.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
doc/libnftables-json.adoc | 11 ++++-
doc/nft.txt | 9 ++++
include/rule.h | 4 +-
src/parser_bison.y | 35 +++++++++------
src/parser_json.c | 49 ++++++++++++++++++++-
src/rule.c | 12 +++++
tests/shell/features/table_flag_persist.nft | 3 ++
tests/shell/testcases/owner/0002-persist | 36 +++++++++++++++
8 files changed, 142 insertions(+), 17 deletions(-)
create mode 100644 tests/shell/features/table_flag_persist.nft
create mode 100755 tests/shell/testcases/owner/0002-persist
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
index 3e6e1db..0e424c2 100644
--- a/doc/libnftables-json.adoc
+++ b/doc/libnftables-json.adoc
@@ -202,12 +202,19 @@ Rename a chain. The new name is expected in a dedicated property named
=== TABLE
[verse]
+____
*{ "table": {
"family":* 'STRING'*,
"name":* 'STRING'*,
- "handle":* 'NUMBER'
+ "handle":* 'NUMBER'*,
+ "flags":* 'TABLE_FLAGS'
*}}*
+'TABLE_FLAGS' := 'TABLE_FLAG' | *[* 'TABLE_FLAG_LIST' *]*
+'TABLE_FLAG_LIST' := 'TABLE_FLAG' [*,* 'TABLE_FLAG_LIST' ]
+'TABLE_FLAG' := *"dormant"* | *"owner"* | *"persist"*
+____
+
This object describes a table.
*family*::
@@ -217,6 +224,8 @@ This object describes a table.
*handle*::
The table's handle. In input, it is used only in *delete* command as
alternative to *name*.
+*flags*::
+ The table's flags.
=== CHAIN
[verse]
diff --git a/doc/nft.txt b/doc/nft.txt
index b08e32f..dba1b60 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -343,8 +343,17 @@ return an error.
|Flag | Description
|dormant |
table is not evaluated any more (base chains are unregistered).
+|owner |
+table is owned by the creating process.
+|persist |
+table shall outlive the owning process.
|=================
+Creating a table with flag *owner* excludes other processes from manipulating
+it or its contents. By default, it will be removed when the process exits.
+Setting flag *persist* will prevent this and the resulting orphaned table will
+accept a new owner, e.g. a restarting daemon maintaining the table.
+
.*Add, change, delete a table*
---------------------------------------
# start nft in interactive mode
diff --git a/include/rule.h b/include/rule.h
index 6236d29..a8bb11f 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -130,10 +130,12 @@ struct symbol *symbol_get(const struct scope *scope, const char *identifier);
enum table_flags {
TABLE_F_DORMANT = (1 << 0),
TABLE_F_OWNER = (1 << 1),
+ TABLE_F_PERSIST = (1 << 2),
};
-#define TABLE_FLAGS_MAX 2
+#define TABLE_FLAGS_MAX 3
const char *table_flag_name(uint32_t flag);
+unsigned int parse_table_flag(const char *name);
/**
* struct table - nftables table
diff --git a/src/parser_bison.y b/src/parser_bison.y
index c517dc3..5ced6e1 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -720,6 +720,8 @@ int nft_lex(void *, void *, void *);
%type <rule> rule rule_alloc
%destructor { rule_free($$); } rule
+%type <val> table_flags table_flag
+
%type <val> set_flag_list set_flag
%type <val> set_policy_spec
@@ -1874,20 +1876,9 @@ table_block_alloc : /* empty */
}
;
-table_options : FLAGS STRING
+table_options : FLAGS table_flags
{
- if (strcmp($2, "dormant") == 0) {
- $<table>0->flags |= TABLE_F_DORMANT;
- xfree($2);
- } else if (strcmp($2, "owner") == 0) {
- $<table>0->flags |= TABLE_F_OWNER;
- xfree($2);
- } else {
- erec_queue(error(&@2, "unknown table option %s", $2),
- state->msgs);
- xfree($2);
- YYERROR;
- }
+ $<table>0->flags |= $2;
}
| comment_spec
{
@@ -1899,6 +1890,24 @@ table_options : FLAGS STRING
}
;
+table_flags : table_flag
+ | table_flags COMMA table_flag
+ {
+ $$ = $1 | $3;
+ }
+ ;
+table_flag : STRING
+ {
+ $$ = parse_table_flag($1);
+ xfree($1);
+ if ($$ == 0) {
+ erec_queue(error(&@1, "unknown table option %s", $1),
+ state->msgs);
+ YYERROR;
+ }
+ }
+ ;
+
table_block : /* empty */ { $$ = $<table>-1; }
| table_block common_block
| table_block stmt_separator
diff --git a/src/parser_json.c b/src/parser_json.c
index 199241a..9e5b656 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -2941,6 +2941,45 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root)
return NULL;
}
+static int json_parse_table_flags(struct json_ctx *ctx, json_t *root,
+ enum table_flags *flags)
+{
+ json_t *tmp, *tmp2;
+ size_t index;
+ int flag;
+
+ if (json_unpack(root, "{s:o}", "flags", &tmp))
+ return 0;
+
+ if (json_is_string(tmp)) {
+ flag = parse_table_flag(json_string_value(tmp));
+ if (flag) {
+ *flags = flag;
+ return 0;
+ }
+ json_error(ctx, "Invalid table flag '%s'.",
+ json_string_value(tmp));
+ return 1;
+ }
+ if (!json_is_array(tmp)) {
+ json_error(ctx, "Unexpected table flags value.");
+ return 1;
+ }
+ json_array_foreach(tmp, index, tmp2) {
+ if (json_is_string(tmp2)) {
+ flag = parse_table_flag(json_string_value(tmp2));
+
+ if (flag) {
+ *flags |= flag;
+ continue;
+ }
+ }
+ json_error(ctx, "Invalid table flag at index %zu.", index);
+ return 1;
+ }
+ return 0;
+}
+
static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root,
enum cmd_ops op, enum cmd_obj obj)
{
@@ -2949,6 +2988,7 @@ static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root,
.table.location = *int_loc,
};
struct table *table = NULL;
+ enum table_flags flags = 0;
if (json_unpack_err(ctx, root, "{s:s}",
"family", &family))
@@ -2959,6 +2999,9 @@ static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root,
return NULL;
json_unpack(root, "{s:s}", "comment", &comment);
+ if (json_parse_table_flags(ctx, root, &flags))
+ return NULL;
+
} else if (op == CMD_DELETE &&
json_unpack(root, "{s:s}", "name", &h.table.name) &&
json_unpack(root, "{s:I}", "handle", &h.handle.id)) {
@@ -2972,10 +3015,12 @@ static struct cmd *json_parse_cmd_add_table(struct json_ctx *ctx, json_t *root,
if (h.table.name)
h.table.name = xstrdup(h.table.name);
- if (comment) {
+ if (comment || flags) {
table = table_alloc();
handle_merge(&table->handle, &h);
- table->comment = xstrdup(comment);
+ if (comment)
+ table->comment = xstrdup(comment);
+ table->flags = flags;
}
if (op == CMD_ADD)
diff --git a/src/rule.c b/src/rule.c
index 739b7a5..a0e151d 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1208,6 +1208,7 @@ struct table *table_lookup_fuzzy(const struct handle *h,
static const char *table_flags_name[TABLE_FLAGS_MAX] = {
"dormant",
"owner",
+ "persist",
};
const char *table_flag_name(uint32_t flag)
@@ -1218,6 +1219,17 @@ const char *table_flag_name(uint32_t flag)
return table_flags_name[flag];
}
+unsigned int parse_table_flag(const char *name)
+{
+ int i;
+
+ for (i = 0; i < TABLE_FLAGS_MAX; i++) {
+ if (!strcmp(name, table_flags_name[i]))
+ return 1 << i;
+ }
+ return 0;
+}
+
static void table_print_flags(const struct table *table, const char **delim,
struct output_ctx *octx)
{
diff --git a/tests/shell/features/table_flag_persist.nft b/tests/shell/features/table_flag_persist.nft
new file mode 100644
index 0000000..0da3e6d
--- /dev/null
+++ b/tests/shell/features/table_flag_persist.nft
@@ -0,0 +1,3 @@
+table t {
+ flags persist;
+}
diff --git a/tests/shell/testcases/owner/0002-persist b/tests/shell/testcases/owner/0002-persist
new file mode 100755
index 0000000..cf4b8f1
--- /dev/null
+++ b/tests/shell/testcases/owner/0002-persist
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_owner)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_table_flag_persist)
+
+die() {
+ echo "$@"
+ exit 1
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "table add failed"
+}
+
+$NFT list ruleset | grep -q 'table ip t' || {
+ die "table does not persist"
+}
+$NFT list ruleset | grep -q 'flags persist$' || {
+ die "unexpected flags in orphaned table"
+}
+
+$NFT -f - <<EOF
+table ip t {
+ flags owner, persist
+}
+EOF
+[[ $? -eq 0 ]] || {
+ die "retake ownership failed"
+}
+
+exit 0

View File

@ -0,0 +1,65 @@
From 2ef49849b901184c3d97c98c05ffa6418b50af1e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Tue, 2 Jul 2024 16:41:22 +0200
Subject: [PATCH] cache: Always set NFT_CACHE_TERSE for list cmd with --terse
JIRA: https://issues.redhat.com/browse/RHEL-45633
Upstream Status: nftables commit cd4e947032a57a585b1a457ce03f546afc7ba033
commit cd4e947032a57a585b1a457ce03f546afc7ba033
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Feb 8 02:10:48 2024 +0100
cache: Always set NFT_CACHE_TERSE for list cmd with --terse
This fixes at least 'nft -t list table ...' and 'nft -t list set ...'.
Note how --terse handling for 'list sets/maps' remains in place since
setting NFT_CACHE_TERSE does not fully undo NFT_CACHE_SETELEM: setting
both enables fetching of anonymous sets which is pointless for that
command.
Reported-by: anton.khazan@gmail.com
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1735
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/cache.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/cache.c b/src/cache.c
index 4e89fe1..0ac0f7c 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -230,8 +230,6 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
}
if (filter->list.table && filter->list.set)
flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | NFT_CACHE_SETELEM;
- else if (nft_output_terse(&nft->output))
- flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
else
flags |= NFT_CACHE_FULL;
break;
@@ -257,17 +255,15 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
flags |= NFT_CACHE_TABLE | NFT_CACHE_FLOWTABLE;
break;
case CMD_OBJ_RULESET:
- if (nft_output_terse(&nft->output))
- flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
- else
- flags |= NFT_CACHE_FULL;
- break;
default:
flags |= NFT_CACHE_FULL;
break;
}
flags |= NFT_CACHE_REFRESH;
+ if (nft_output_terse(&nft->output))
+ flags |= NFT_CACHE_TERSE;
+
return flags;
}

View File

@ -1,5 +1,5 @@
%define nft_rpmversion 1.0.9
%define nft_specrelease 1
%define nft_specrelease 3
Name: nftables
Version: %{nft_rpmversion}
@ -19,6 +19,8 @@ Source5: nat.nft
Source6: nft-test.stderr.expect
Source7: run-tests.stderr.expect
Patch1: 0001-Add-support-for-table-s-persist-flag.patch
Patch2: 0002-cache-Always-set-NFT_CACHE_TERSE-for-list-cmd-with-t.patch
BuildRequires: autoconf
BuildRequires: automake
@ -131,6 +133,12 @@ cd py/
%files -n python3-nftables -f %{pyproject_files}
%changelog
* Tue Jul 02 2024 Phil Sutter <psutter@redhat.com> [1.0.9-3.el9]
- cache: Always set NFT_CACHE_TERSE for list cmd with --terse (Phil Sutter) [RHEL-45633]
* Fri Jun 14 2024 Phil Sutter <psutter@redhat.com> [1.0.9-2.el9]
- Add support for table's persist flag (Phil Sutter) [RHEL-32122]
* Fri Oct 27 2023 Phil Sutter <psutter@redhat.com> [1.0.9-1.el9]
- spec: Utilize pyproject-rpm-macros for the python sub-package (Phil Sutter) [RHEL-14191]
- Rebase onto version 1.0.9 (Phil Sutter) [RHEL-14191]