import CS nftables-1.0.4-4.el8

eabdullin 2024-03-29 12:49:58 +00:00
parent c44c7b45ef
commit ff4098256f
3 changed files with 213 additions and 4 deletions

@ -0,0 +1,114 @@
From 955758b3ef4772bb92fc63a8f6d424f93ebb7a2f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 21 Sep 2023 15:24:03 +0200
Subject: [PATCH] rule: check address family in set collapse
JIRA: https://issues.redhat.com/browse/RHEL-5160
Upstream Status: nftables commit a817ea9655dee
commit a817ea9655dee1915423a802c0133e3611e02b3a
Author: Derek Hageman <hageman@inthat.cloud>
Date: Thu Sep 1 10:10:41 2022 -0600
rule: check address family in set collapse
498a5f0c219d added collapsing of set operations in different commands.
However, the logic is currently too relaxed. It is valid to have a
table and set with identical names on different address families.
For example:
table ip a {
    set x {
        type inet_service;
    }
}
table ip6 a {
    set x {
        type inet_service;
    }
}
add element ip a x { 1 }
add element ip a x { 2 }
add element ip6 a x { 2 }
The above currently results in nothing being added to the ip6 family
table due to being collapsed into the ip table add. Prior to
498a5f0c219d the set add would work. The fix is simply to check the
family in addition to the table and set names before allowing a
collapse.
[ Add testcase to tests/shell --pablo ]
Fixes: 498a5f0c219d ("rule: collapse set element commands")
Signed-off-by: Derek Hageman <hageman@inthat.cloud>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/rule.c | 3 ++-
tests/shell/testcases/sets/collapse_elem_0 | 19 +++++++++++++++++++
.../testcases/sets/dumps/collapse_elem_0.nft | 12 ++++++++++++
3 files changed, 33 insertions(+), 1 deletion(-)
create mode 100755 tests/shell/testcases/sets/collapse_elem_0
create mode 100644 tests/shell/testcases/sets/dumps/collapse_elem_0.nft
diff --git a/src/rule.c b/src/rule.c
index 0526a14..3b60cca 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1409,7 +1409,8 @@ bool nft_cmd_collapse(struct list_head *cmds)
continue;
}
- if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
+ if (elems->handle.family != cmd->handle.family ||
+ strcmp(elems->handle.table.name, cmd->handle.table.name) ||
strcmp(elems->handle.set.name, cmd->handle.set.name)) {
elems = cmd;
continue;
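Review bot: comparing `elems->handle.family` with `cmd->handle.family` before the two strcmp() calls is the right fix, and putting the cheapest test first keeps the short-circuit ordering sensible. The identity of a set is now spread over three ad-hoc conditions in this one `if`; if nft_cmd_collapse() or other callers compare set handles elsewhere, a small helper (hypothetically `set_handle_equal(a, b)`) would keep family, table name and set name together and stop the omission this commit fixes from recurring at another call site. A comment above the `if` stating that tables of different families may legitimately share a name, as the commit message explains, would also help the next reader.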
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0
new file mode 100755
index 0000000..7699e9d
--- /dev/null
+++ b/tests/shell/testcases/sets/collapse_elem_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip a {
+ set x {
+ type inet_service;
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service;
+ }
+}
+add element ip a x { 1 }
+add element ip a x { 2 }
+add element ip6 a x { 2 }"
+
+$NFT -f - <<< $RULESET
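Review bot: the script only asserts that the ruleset loads (`set -e` plus a single `$NFT -f -`); the regression being fixed, elements silently missing from the ip6 set, does not make loading fail, so this test catches it only because the harness compares the resulting ruleset against dumps/collapse_elem_0.nft. A one-line comment saying so above the `$NFT -f - <<< $RULESET` line would save the next reader from concluding the test is vacuous. Quoting the operand as `<<< "$RULESET"` is also the conventional form, even though bash does not word-split here-string operands, so the unquoted form is not a bug here.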
diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
new file mode 100644
index 0000000..a3244fc
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
@@ -0,0 +1,12 @@
+table ip a {
+ set x {
+ type inet_service
+ elements = { 1, 2 }
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service
+ elements = { 2 }
+ }
+}
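Review bot: this expected dump is the real assertion for collapse_elem_0: `elements = { 2 }` under `table ip6 a` next to `elements = { 1, 2 }` under `table ip a` is exactly the outcome the unfixed code lost by folding the ip6 add into the ip one. Since the harness compares nft's listing to this file verbatim, it has to follow nft's own output format (no trailing semicolons after `type inet_service`), which it does; nothing to change.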
--
2.41.0

@ -0,0 +1,86 @@
From fa2b3f20274f5e66b67e2c3d2b7d957b9200473e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 15 Nov 2023 17:06:19 +0100
Subject: [PATCH] parser_bison: Fix for broken compatibility with older dumps
JIRA: https://issues.redhat.com/browse/RHEL-2596
Upstream Status: nftables commit 22fab8681a50014174cdd02ace90f74b9e9eefe9
commit 22fab8681a50014174cdd02ace90f74b9e9eefe9
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Oct 19 18:40:04 2023 +0200
parser_bison: Fix for broken compatibility with older dumps
Commit e6d1d0d611958 ("src: add set element multi-statement
support") changed the order in which expressions and other state attached to set
elements are expected in input. This broke parsing of ruleset dumps
created by nft commands prior to that commit.
Restore compatibility by also accepting the old ordering.
Fixes: e6d1d0d611958 ("src: add set element multi-statement support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/parser_bison.y | 6 ++++
tests/shell/testcases/sets/elem_opts_compat_0 | 29 +++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100755 tests/shell/testcases/sets/elem_opts_compat_0
diff --git a/src/parser_bison.y b/src/parser_bison.y
index b548d5b..b882f3b 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4283,6 +4283,12 @@ meter_key_expr_alloc : concat_expr
set_elem_expr : set_elem_expr_alloc
| set_elem_expr_alloc set_elem_expr_options
+ | set_elem_expr_alloc set_elem_expr_options set_elem_stmt_list
+ {
+ $$ = $1;
+ list_splice_tail($3, &$$->stmt_list);
+ xfree($3);
+ }
;
set_elem_key_expr : set_lhs_expr { $$ = $1; }
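Review bot: the new alternative `set_elem_expr_alloc set_elem_expr_options set_elem_stmt_list` restores the pre-e6d1d0d611958 ordering, and its action (`$$ = $1; list_splice_tail($3, &$$->stmt_list); xfree($3);`) consumes the spliced statement list and frees only the list head, which is correct. Two things are worth confirming before merge: that bison's conflict count did not change, because the new alternative shares the prefix `set_elem_expr_alloc set_elem_expr_options` with the existing two-symbol alternative and the parser must decide on the lookahead token whether to reduce there or keep shifting into set_elem_stmt_list; and that a grammar comment marks this alternative as a compatibility path for older dumps, so it is not later removed as apparently redundant with the statement-first form.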
diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0
new file mode 100755
index 0000000..e012953
--- /dev/null
+++ b/tests/shell/testcases/sets/elem_opts_compat_0
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# ordering of element options and expressions has changed, make sure parser
+# accepts both ways
+
+set -e
+
+$NFT -f - <<EOF
+table t {
+ set s {
+ type inet_service
+ counter;
+ timeout 30s;
+ }
+}
+EOF
+
+check() {
+ out=$($NFT list ruleset)
+ secs=$(sed -n 's/.*expires \([0-9]\+\)s.*/\1/p' <<< "$out")
+ [[ $secs -lt 11 ]]
+ grep -q 'counter packets 10 bytes 20' <<< "$out"
+}
+
+$NFT add element t s '{ 23 counter packets 10 bytes 20 expires 10s }'
+check
+$NFT flush set t s
+$NFT add element t s '{ 42 expires 10s counter packets 10 bytes 20 }'
+check
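Review bot: the shebang is `#!/bin/sh`, but `check()` uses `[[ $secs -lt 11 ]]` and the `<<<` here-string, both bash-only; on a host where /bin/sh is dash the script aborts with a syntax error instead of exercising either ordering (the sibling test collapse_elem_0 correctly uses `#!/bin/bash`). Change the shebang to `#!/bin/bash`. Also, `sed -n 's/.*expires \([0-9]\+\)s.*/\1/p'` depends on the GNU `\+` extension and leaves `secs` empty when no `expires` is listed, so `[[ $secs -lt 11 ]]` then fails with a parse error rather than a readable assertion; a `[ -n "$secs" ]` guard with a message would make that failure mode explicit.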
--
2.41.0

@ -1,10 +1,10 @@
%define rpmversion 1.0.4
%define specrelease 2
%define nft_rpmversion 1.0.4
%define nft_specrelease 4
%define libnftnl_ver 1.2.2-1
Name: nftables
Version: %{rpmversion}
Release: %{specrelease}%{?dist}%{?buildid}
Version: %{nft_rpmversion}
Release: %{nft_specrelease}%{?dist}%{?buildid}
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
Epoch: 1
Summary: Netfilter Tables userspace utillites
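Review bot: the rename of `rpmversion`/`specrelease` to `nft_rpmversion`/`nft_specrelease`, with `Version:` and `Release:` updated to match, is what the 1.0.4-3 changelog entry "spec: Rename variables to avoid a clash" describes, but neither this hunk nor the changelog says which macro it clashed with; a one-line comment above the `%define` lines naming it would let the prefix's purpose survive future edits. Unrelated but visible in the context line: `Summary: Netfilter Tables userspace utillites` misspells "utilities".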
@ -53,6 +53,8 @@ Patch29: 0029-optimize-Do-not-return-garbage-from-stack.patch
Patch30: 0030-optimize-Clarify-chain_optimize-array-allocations.patch
Patch31: 0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch
Patch32: 0032-tests-monitor-Summarize-failures-per-test-case.patch
Patch33: 0033-rule-check-address-family-in-set-collapse.patch
Patch34: 0034-parser_bison-Fix-for-broken-compatibility-with-older.patch
BuildRequires: autoconf
BuildRequires: automake
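Review bot: Patch33 and Patch34 follow Patch32 in sequence and their file names match the subjects of the two patch files added in this commit, so nothing is wrong here. Both patches carry a `JIRA:` line while the `Patch` declarations carry no reference; appending the RHEL issue id as a trailing comment on each line, as the changelog already does, would let a reader map patch to ticket without opening the file.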
@ -172,6 +174,13 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
%{python3_sitelib}/nftables/
%changelog
* Wed Nov 15 2023 Phil Sutter <psutter@redhat.com> [1.0.4-4.el8]
- parser_bison: Fix for broken compatibility with older dumps (Phil Sutter) [RHEL-2596]
* Thu Sep 21 2023 Phil Sutter <psutter@redhat.com> [1.0.4-3.el8]
- spec: Rename variables to avoid a clash (Phil Sutter) [INTERNAL]
- rule: check address family in set collapse (Phil Sutter) [RHEL-5160]
* Thu Jul 20 2023 Phil Sutter <psutter@redhat.com> [1.0.4-2.el8]
- Add expected error records for testsuite runs (Phil Sutter) [2211076]
- tests: monitor: Summarize failures per test case (Phil Sutter) [2211076]