import CS nftables-1.0.4-4.el8

SOURCES/0033-rule-check-address-family-in-set-collapse.patch

@@ -0,0 +1,114 @@
+From 955758b3ef4772bb92fc63a8f6d424f93ebb7a2f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 21 Sep 2023 15:24:03 +0200
+Subject: [PATCH] rule: check address family in set collapse
+
+JIRA: https://issues.redhat.com/browse/RHEL-5160
+Upstream Status: nftables commit a817ea9655dee
+
+commit a817ea9655dee1915423a802c0133e3611e02b3a
+Author: Derek Hageman <hageman@inthat.cloud>
+Date:   Thu Sep 1 10:10:41 2022 -0600
+
+    rule: check address family in set collapse
+
+    498a5f0c219d added collapsing of set operations in different commands.
+    However, the logic is currently too relaxed.  It is valid to have a
+    table and set with identical names on different address families.
+    For example:
+
+      table ip a {
+        set x {
+          type inet_service;
+        }
+      }
+      table ip6 a {
+          set x {
+            type inet_service;
+          }
+      }
+      add element ip a x { 1 }
+      add element ip a x { 2 }
+      add element ip6 a x { 2 }
+
+    The above currently results in nothing being added to the ip6 family
+    table due to being collapsed into the ip table add. Prior to
+    498a5f0c219d the set add would work. The fix is simply to check the
+    family in addition to the table and set names before allowing a
+    collapse.
+
+    [ Add testcase to tests/shell --pablo ]
+
+    Fixes: 498a5f0c219d ("rule: collapse set element commands")
+    Signed-off-by: Derek Hageman <hageman@inthat.cloud>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/rule.c                                    |  3 ++-
+ tests/shell/testcases/sets/collapse_elem_0    | 19 +++++++++++++++++++
+ .../testcases/sets/dumps/collapse_elem_0.nft  | 12 ++++++++++++
+ 3 files changed, 33 insertions(+), 1 deletion(-)
+ create mode 100755 tests/shell/testcases/sets/collapse_elem_0
+ create mode 100644 tests/shell/testcases/sets/dumps/collapse_elem_0.nft
+
+diff --git a/src/rule.c b/src/rule.c
+index 0526a14..3b60cca 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1409,7 +1409,8 @@ bool nft_cmd_collapse(struct list_head *cmds)
+ 			continue;
+ 		}
+ 
+-		if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
++		if (elems->handle.family != cmd->handle.family ||
++		    strcmp(elems->handle.table.name, cmd->handle.table.name) ||
+ 		    strcmp(elems->handle.set.name, cmd->handle.set.name)) {
+ 			elems = cmd;
+ 			continue;
+diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0
+new file mode 100755
+index 0000000..7699e9d
+--- /dev/null
++++ b/tests/shell/testcases/sets/collapse_elem_0
+@@ -0,0 +1,19 @@
++#!/bin/bash
++
++set -e
++
++RULESET="table ip a {
++	set x {
++		type inet_service;
++	}
++}
++table ip6 a {
++	set x {
++		type inet_service;
++	}
++}
++add element ip a x { 1 }
++add element ip a x { 2 }
++add element ip6 a x { 2 }"
++
++$NFT -f - <<< $RULESET
+diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
+new file mode 100644
+index 0000000..a3244fc
+--- /dev/null
++++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
+@@ -0,0 +1,12 @@
++table ip a {
++	set x {
++		type inet_service
++		elements = { 1, 2 }
++	}
++}
++table ip6 a {
++	set x {
++		type inet_service
++		elements = { 2 }
++	}
++}
+-- 
+2.41.0
+

SOURCES/0034-parser_bison-Fix-for-broken-compatibility-with-older.patch

@@ -0,0 +1,86 @@
+From fa2b3f20274f5e66b67e2c3d2b7d957b9200473e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 15 Nov 2023 17:06:19 +0100
+Subject: [PATCH] parser_bison: Fix for broken compatibility with older dumps
+
+JIRA: https://issues.redhat.com/browse/RHEL-2596
+Upstream Status: nftables commit 22fab8681a50014174cdd02ace90f74b9e9eefe9
+
+commit 22fab8681a50014174cdd02ace90f74b9e9eefe9
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Thu Oct 19 18:40:04 2023 +0200
+
+    parser_bison: Fix for broken compatibility with older dumps
+
+    Commit e6d1d0d611958 ("src: add set element multi-statement
+    support") changed the order of expressions and other state attached to set
+    elements are expected in input. This broke parsing of ruleset dumps
+    created by nft commands prior to that commit.
+
+    Restore compatibility by also accepting the old ordering.
+
+    Fixes: e6d1d0d611958 ("src: add set element multi-statement support")
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ src/parser_bison.y                            |  6 ++++
+ tests/shell/testcases/sets/elem_opts_compat_0 | 29 +++++++++++++++++++
+ 2 files changed, 35 insertions(+)
+ create mode 100755 tests/shell/testcases/sets/elem_opts_compat_0
+
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index b548d5b..b882f3b 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -4283,6 +4283,12 @@ meter_key_expr_alloc	:	concat_expr
+ 
+ set_elem_expr		:	set_elem_expr_alloc
+ 			|	set_elem_expr_alloc		set_elem_expr_options
++			|	set_elem_expr_alloc		set_elem_expr_options	set_elem_stmt_list
++			{
++				$$ = $1;
++				list_splice_tail($3, &$$->stmt_list);
++				xfree($3);
++			}
+ 			;
+ 
+ set_elem_key_expr	:	set_lhs_expr		{ $$ = $1; }
+diff --git a/tests/shell/testcases/sets/elem_opts_compat_0 b/tests/shell/testcases/sets/elem_opts_compat_0
+new file mode 100755
+index 0000000..e012953
+--- /dev/null
++++ b/tests/shell/testcases/sets/elem_opts_compat_0
+@@ -0,0 +1,29 @@
++#!/bin/sh
++
++# ordering of element options and expressions has changed, make sure parser
++# accepts both ways
++
++set -e
++
++$NFT -f - <<EOF
++table t {
++	set s {
++		type inet_service
++		counter;
++		timeout 30s;
++	}
++}
++EOF
++
++check() {
++	out=$($NFT list ruleset)
++	secs=$(sed -n 's/.*expires \([0-9]\+\)s.*/\1/p' <<< "$out")
++	[[ $secs -lt 11 ]]
++	grep -q 'counter packets 10 bytes 20' <<< "$out"
++}
++
++$NFT add element t s '{ 23 counter packets 10 bytes 20 expires 10s }'
++check
++$NFT flush set t s
++$NFT add element t s '{ 42 expires 10s counter packets 10 bytes 20 }'
++check
+-- 
+2.41.0
+

SPECS/nftables.spec

@@ -1,10 +1,10 @@
-%define rpmversion 1.0.4
+%define nft_rpmversion 1.0.4
-%define specrelease 2
+%define nft_specrelease 4
 %define libnftnl_ver 1.2.2-1
 
 Name:           nftables
-Version:        %{rpmversion}
+Version:        %{nft_rpmversion}
-Release:        %{specrelease}%{?dist}%{?buildid}
+Release:        %{nft_specrelease}%{?dist}%{?buildid}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch:          1
 Summary:        Netfilter Tables userspace utillites
@@ -53,6 +53,8 @@ Patch29:            0029-optimize-Do-not-return-garbage-from-stack.patch
 Patch30:            0030-optimize-Clarify-chain_optimize-array-allocations.patch
 Patch31:            0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch
 Patch32:            0032-tests-monitor-Summarize-failures-per-test-case.patch
+Patch33:            0033-rule-check-address-family-in-set-collapse.patch
+Patch34:            0034-parser_bison-Fix-for-broken-compatibility-with-older.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -172,6 +174,13 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT/%{python3_sitelib}/nftables/nftables.py
 %{python3_sitelib}/nftables/
 
 %changelog
+* Wed Nov 15 2023 Phil Sutter <psutter@redhat.com> [1.0.4-4.el8]
+- parser_bison: Fix for broken compatibility with older dumps (Phil Sutter) [RHEL-2596]
+
+* Thu Sep 21 2023 Phil Sutter <psutter@redhat.com> [1.0.4-3.el8]
+- spec: Rename variables to avoid a clash (Phil Sutter) [INTERNAL]
+- rule: check address family in set collapse (Phil Sutter) [RHEL-5160]
+
 * Thu Jul 20 2023 Phil Sutter <psutter@redhat.com> [1.0.4-2.el8]
 - Add expected error records for testsuite runs (Phil Sutter) [2211076]
 - tests: monitor: Summarize failures per test case (Phil Sutter) [2211076]