diff --git a/backport-cache-add-helper-function-to-fill-up-the-rule-cache.patch b/backport-cache-add-helper-function-to-fill-up-the-rule-cache.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a834e34382172a11daa412a880a67ad0926039ca
--- /dev/null
+++ b/backport-cache-add-helper-function-to-fill-up-the-rule-cache.patch
@@ -0,0 +1,84 @@
+From e3d00ed1f657d5ce989a780990c6fb0097368d1e Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 12 Jan 2022 01:34:00 +0100
+Subject: cache: add helper function to fill up the rule cache
+
+Add a helper function to dump the rules and add them to the
+corresponding chain.
+
+Signed-off-by: Pablo Neira Ayuso
+
+Conflict:change about netlink_list_rules and rule_cache_init
+Reference:https://git.netfilter.org/nftables/commit/?id=e3d00ed1f657d5ce989a780990c6fb0097368d1e
+
+---
+ src/cache.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 15 deletions(-)
+
+diff --git a/src/cache.c b/src/cache.c
+index 0e9e7fe5..14957f2d 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -811,6 +811,28 @@ static int cache_init_tables(struct netlink_ctx *ctx, struct handle *h,
+ return 0;
+ }
+
++static int rule_init_cache(struct netlink_ctx *ctx, struct table *table)
++{
++ struct rule *rule, *nrule;
++ struct chain *chain;
++ int ret;
++
++ ret = netlink_list_rules(ctx, &table->handle);
++
++ list_for_each_entry_safe(rule, nrule, &ctx->list, list) {
++ chain = chain_cache_find(table, rule->handle.chain.name);
++ if (!chain)
++ chain = chain_binding_lookup(table,
++ rule->handle.chain.name);
++ if (!chain)
++ return -1;
++
++ list_move_tail(&rule->list, &chain->rules);
++ }
++
++ return ret;
++}
++
+ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags)
+ {
+ struct nftnl_flowtable_list *ft_list = NULL;
+@@ -818,9 +841,7 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
+ struct nftnl_chain_list *chain_list = NULL;
+ struct nftnl_set_list *set_list = NULL;
+ struct nftnl_obj_list *obj_list;
+- struct rule *rule, *nrule;
+ struct table *table;
+- struct chain *chain;
+ struct set *set;
+ int ret = 0;
+
+@@ -902,19 +923,7 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
+ }
+
+ if (flags & NFT_CACHE_RULE_BIT) {
+- ret = netlink_list_rules(ctx, &table->handle);
+- list_for_each_entry_safe(rule, nrule, &ctx->list, list) {
+- chain = chain_cache_find(table, rule->handle.chain.name);
+- if (!chain)
+- chain = chain_binding_lookup(table,
+- rule->handle.chain.name);
+- if (!chain) {
+- ret = -1;
+- goto cache_fails;
+- }
+-
+- list_move_tail(&rule->list, &chain->rules);
+- }
++ ret = rule_init_cache(ctx, table);
+ if (ret < 0) {
+ ret = -1;
+ goto cache_fails;
+--
+cgit v1.2.3
+
diff --git a/backport-cache-release-pending-rules-when-chain-binding-lookup-fails.patch b/backport-cache-release-pending-rules-when-chain-binding-lookup-fails.patch
new file mode 100644
index 0000000000000000000000000000000000000000..19cc1375704660d0d1f4a3e31d6269f8fb4e4b02
--- /dev/null
+++ b/backport-cache-release-pending-rules-when-chain-binding-lookup-fails.patch
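Review bot: `rule_init_cache` is introduced without a comment, and its ownership contract is the non-obvious part: `netlink_list_rules` leaves the dumped rules on `ctx->list`, the loop moves each one onto its chain's `rules` list, and the value returned is the listing status rather than the result of the lookups, so the -1 for an unresolved chain is a separate outcome the caller has to recognise. A header such as `/* Dump the rules of @table and move them from ctx->list onto their chain; returns the netlink_list_rules() status, or -1 when a rule names a chain found in neither the chain cache nor the chain bindings. */` would make that explicit; since the second patch file in this commit reworks the failure path, the wording should describe the function as it stands after both patches are applied. Separately, the hunk header `static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,` does not match the context line `cache_init_objects(struct netlink_ctx *ctx, unsigned int flags)` that follows it, which suggests the headers were hand-edited for the backport; `patch` and `git am` ignore that text, so this is cosmetic but worth tidying.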
@@ -0,0 +1,49 @@
+From 8a6cdfaff058412b3d0efec45541cd7d610aeefa Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 6 Jul 2022 13:21:34 +0200
+Subject: cache: release pending rules when chain binding lookup fails
+
+If the implicit chain is not in the cache, release pending rules in
+ctx->list and report EINTR to let the cache core retry to populate a
+consistent cache.
+
+Fixes: c330152b7f77 ("src: support for implicit chain bindings")
+Signed-off-by: Pablo Neira Ayuso
+
+Conflict:change context
+Reference:https://git.netfilter.org/nftables/commit/?id=8a6cdfaff058412b3d0efec45541cd7d610aeefa
+
+---
+ src/cache.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cache.c b/src/cache.c
+index fd8df884..b6ae2310 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -847,12 +847,21 @@ static int rule_init_cache(struct netlink_ctx *ctx, struct table *table,
+ chain = chain_binding_lookup(table,
+ rule->handle.chain.name);
+ if (!chain)
+- return -1;
++ goto err_ctx_list;
+
+ list_move_tail(&rule->list, &chain->rules);
+ }
+
+ return ret;
++
++err_ctx_list:
++ list_for_each_entry_safe(rule, nrule, &ctx->list, list) {
++ list_del(&rule->list);
++ rule_free(rule);
++ }
++ errno = EINTR;
++
++ return -1;
+ }
+
+ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags)
+--
+cgit v1.2.3
+
diff --git a/nftables.spec b/nftables.spec
index 8e5cbf32d66ee315984e3d2ddfc3def3598e766c..3ac6817c408a5c449b54f66ca2a6a863705a1357 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.0.0
-Release: 14
+Release: 15
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
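Review bot: The `errno = EINTR` set at `err_ctx_list` is the signal the commit message relies on for the cache core to retry, but the caller of `rule_init_cache` (`cache_init_objects`, outside this hunk; the first patch file shows it reacting with `ret = -1; goto cache_fails;`) runs a cleanup behind that label that is not visible here, and if anything on that path overwrites errno the retry degrades into a plain cache failure — either confirm that path preserves errno or have the caller save it before jumping. The new loop only releases what is still pending on `ctx->list`; rules already moved onto `chain->rules` by earlier iterations are left in place, which is presumably correct because the chain cache is torn down on failure, but that assumption deserves a line above the label, e.g. `/* release rules still pending on ctx->list; rules already moved to chain->rules are assumed to be freed with the chain cache */`. The assignment also needs `<errno.h>` in scope in src/cache.c; the upstream commit added no include so it is presumably already there, but the backport changed the surrounding context and should confirm it rather than rely on that.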
@@ -104,6 +104,9 @@ Patch84: backport-parser_json-fix-handle-memleak-from-error-path.patch Patch85: backport-parser_json-fix-several-expression-memleaks-from-error-path.patch Patch86: backport-libnftables-Zero-ctx-vars-after-freeing-it.patch +Patch87: backport-cache-add-helper-function-to-fill-up-the-rule-cache.patch +Patch88: backport-cache-release-pending-rules-when-chain-binding-lookup-fails.patch + BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd BuildRequires: iptables-devel jansson-devel python3-devel BuildRequires: chrpath @@ -202,6 +205,12 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{python3_sitelib}/nftables/ %changelog +* Mon Jan 27 2025 yanglu - 1:1.0.0-15 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:Optimize the cache to fix firewalld + * Wed Dec 11 2024 gaihuiying - 1:1.0.0-14 - Type:bugfix - CVE:NA
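Review bot: Patch87 and Patch88 are declared alongside the existing Patch lines, but nothing in the hunks shows them being applied; unless %prep uses %autosetup/%autopatch (not visible in this diff), matching %patch87/%patch88 lines are needed or the two backports are silently never applied and the release is built without the fix the changelog announces. The changelog entry `DESC:Optimize the cache to fix firewalld` does not say what was broken; naming the behaviour (pending rules left on ctx->list when a chain binding lookup fails, reported as EINTR so the cache is rebuilt) and the two upstream commit ids already cited in the patch files would make the release note traceable.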