nftables-0.9.8-10.el9

- tests: shell: better parameters for the interval stack overflow test
- tests: shell: $NFT needs to be invoked unquoted

Resolves: rhbz#2020668

0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch

@@ -0,0 +1,53 @@
+From 4bd60613ea60da4bf9da226be352dd47f585e8d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
+Date: Fri, 5 Nov 2021 12:39:11 +0100
+Subject: [PATCH] tests: shell: $NFT needs to be invoked unquoted
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The variable has to undergo word splitting, otherwise the shell tries
+to find the variable value as an executable, which breaks in cases that
+7c8a44b25c22 ("tests: shell: Allow wrappers to be passed as nft command")
+intends to support.
+
+Mention this in the shell tests README.
+
+Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
+Signed-off-by: Štěpán Němec <snemec@redhat.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit dad3338f1f76a4a5bd782bae9c6b48941dfb1e31)
+
+Conflicts:
+	tests/shell/README
+-> Context change due to missing other patches.
+---
+ tests/shell/README                                       | 3 +++
+ tests/shell/testcases/sets/0068interval_stack_overflow_0 | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tests/shell/README b/tests/shell/README
+index e0279bbdc30c3..aee50e3d668b1 100644
+--- a/tests/shell/README
++++ b/tests/shell/README
+@@ -25,4 +25,7 @@ path to the nftables binary being tested.
+ You can pass an arbitrary $NFT value as well:
+  # NFT=/usr/local/sbin/nft ./run-tests.sh
+ 
++Note that, to support usage such as NFT='valgrind nft', tests must
++invoke $NFT unquoted.
++
+ By default the tests are run with the nft binary at '../../src/nft'
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+index 134282de28268..6620572449c3c 100755
+--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -26,4 +26,4 @@ table inet test68_table {
+ }
+ EOF
+ 
+-( ulimit -s 128 && "$NFT" -f "$ruleset_file" )
++( ulimit -s 128 && $NFT -f "$ruleset_file" )
+-- 
+2.33.0
+

0020-tests-shell-better-parameters-for-the-interval-stack.patch

@@ -0,0 +1,51 @@
+From 0c34164a245bdd03085e906bc9b3327d559535a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
+Date: Wed, 1 Dec 2021 12:12:00 +0100
+Subject: [PATCH] tests: shell: better parameters for the interval stack
+ overflow test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Wider testing has shown that 128 kB stack is too low (e.g. for systems
+with 64 kB page size), leading to false failures in some environments.
+
+Based on results from a matrix of RHEL 8 and RHEL 9 systems across
+x86_64, aarch64, ppc64le and s390x architectures as well as some
+anecdotal testing of other Linux distros on x86_64 machines, 400 kB
+seems safe: the normal nft stack (which should stay constant during
+this test) on all tested systems doesn't exceed 200 kB (stays around
+100 kB on typical systems with 4 kB page size), while always growing
+beyond 500 kB in the failing case (nftables before baecd1cf2685) with
+the increased set size.
+
+Fixes: d8ccad2a2b73 ("tests: cover baecd1cf2685 ("segtree: Fix segfault when restoring a huge interval set")")
+Signed-off-by: Štěpán Němec <snemec@redhat.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 7b81d9cb094ffa96ad821528cf19269dc348f617)
+---
+ tests/shell/testcases/sets/0068interval_stack_overflow_0 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/shell/testcases/sets/0068interval_stack_overflow_0 b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+index 6620572449c3c..2cbc986802644 100755
+--- a/tests/shell/testcases/sets/0068interval_stack_overflow_0
++++ b/tests/shell/testcases/sets/0068interval_stack_overflow_0
+@@ -9,7 +9,7 @@ trap 'rm -f "$ruleset_file"' EXIT
+ {
+ 	echo 'define big_set = {'
+ 	for ((i = 1; i < 255; i++)); do
+-		for ((j = 1; j < 80; j++)); do
++		for ((j = 1; j < 255; j++)); do
+ 			echo "10.0.$i.$j,"
+ 		done
+ 	done
+@@ -26,4 +26,4 @@ table inet test68_table {
+ }
+ EOF
+ 
+-( ulimit -s 128 && $NFT -f "$ruleset_file" )
++( ulimit -s 400 && $NFT -f "$ruleset_file" )
+-- 
+2.33.0
+

nftables.spec

@@ -1,6 +1,6 @@
 Name:           nftables
 Version:        0.9.8
-Release:        9%{?dist}
+Release:        10%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch:          1
 Summary:        Netfilter Tables userspace utillites
@@ -32,6 +32,8 @@ Patch15: 0015-json-init-parser-state-for-every-new-buffer-file.patch
 Patch16: 0016-segtree-Fix-segfault-when-restoring-a-huge-interval-.patch
 Patch17: 0017-tests-cover-baecd1cf2685-segtree-Fix-segfault-when-r.patch
 Patch18: 0018-doc-nft.8-Extend-monitor-description-by-trace.patch
+Patch19: 0019-tests-shell-NFT-needs-to-be-invoked-unquoted.patch
+Patch20: 0020-tests-shell-better-parameters-for-the-interval-stack.patch
 
 #BuildRequires: autogen
 #BuildRequires: autoconf
@@ -141,6 +143,10 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 
 %changelog
+* Wed Dec 08 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-10
+- tests: shell: better parameters for the interval stack overflow test
+- tests: shell: $NFT needs to be invoked unquoted
+
 * Thu Nov 11 2021 Phil Sutter <psutter@redhat.com> - 1:0.9.8-9
 - doc: nft.8: Extend monitor description by trace