From 8b3d93fba8f0ed2b6d193b7a9a32d4fb29d4cd2f Mon Sep 17 00:00:00 2001 From: eaglegai Date: Tue, 25 Nov 2025 02:37:04 +0000 Subject: [PATCH] backport upstream patches --- ...llow-nat-map-with-specified-protocol.patch | 8 +- ...option-parsing-with-NUM-length-field.patch | 204 ++++++++++++++++ ...ests-py-remove-huge-limit-test-cases.patch | 221 ++++++++++++++++++ ...-reset_command_0-for-current-kernels.patch | 51 ++++ ...-Stabilize-sets-reset_command_0-test.patch | 160 +++++++++++++ ...s-shell-connect-chains-to-hook-point.patch | 14 ++ ...ets-reset_command_0-Fix-drop_seconds.patch | 35 +++ nftables.spec | 14 +- 8 files changed, 702 insertions(+), 5 deletions(-) create mode 100644 backport-parser-tcpopt-fix-tcp-option-parsing-with-NUM-length-field.patch create mode 100644 backport-tests-py-remove-huge-limit-test-cases.patch create mode 100644 backport-tests-shell-Fix-sets-reset_command_0-for-current-kernels.patch create mode 100644 backport-tests-shell-Stabilize-sets-reset_command_0-test.patch create mode 100644 backport-tests-shell-sets-reset_command_0-Fix-drop_seconds.patch diff --git a/backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch b/backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch index ac5c114..11938e4 100644 --- a/backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch +++ b/backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch @@ -21,9 +21,9 @@ Reference:https://git.netfilter.org/nftables/commit/?id=43cf4a2973ee9e3ab20edce4 --- src/evaluate.c | 4 ++++ - tests/shell/testcases/bogons/nat_map_and_protocol_assert | 5 +++++ + tests/shell/testcases/bogons/nft-f/nat_map_and_protocol_assert | 5 +++++ 2 files changed, 9 insertions(+) - create mode 100644 tests/shell/testcases/bogons/nat_map_and_protocol_assert + create mode 100644 tests/shell/testcases/bogons/nft-f/nat_map_and_protocol_assert diff --git a/src/evaluate.c b/src/evaluate.c index 95b9b3d5..3a453d01 100644 
@@ -40,11 +40,11 @@ index 95b9b3d5..3a453d01 100644 if (stmt->nat.family == NFPROTO_INET) expr_family_infer(pctx, stmt->nat.addr, &stmt->nat.family); -diff --git a/tests/shell/testcases/bogons/nat_map_and_protocol_assert b/tests/shell/testcases/bogons/nat_map_and_protocol_assert +diff --git a/tests/shell/testcases/bogons/nft-f/nat_map_and_protocol_assert b/tests/shell/testcases/bogons/nft-j/nat_map_and_protocol_assert new file mode 100644 index 00000000..67f2ae87 --- /dev/null -+++ b/tests/shell/testcases/bogons/nat_map_and_protocol_assert ++++ b/tests/shell/testcases/bogons/nft-f/nat_map_and_protocol_assert @@ -0,0 +1,5 @@ +table t { + chain y { diff --git a/backport-parser-tcpopt-fix-tcp-option-parsing-with-NUM-length-field.patch b/backport-parser-tcpopt-fix-tcp-option-parsing-with-NUM-length-field.patch new file mode 100644 index 0000000..2f05c3f --- /dev/null +++ b/backport-parser-tcpopt-fix-tcp-option-parsing-with-NUM-length-field.patch 
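Review bot: The rewritten nested header `+diff --git a/tests/shell/testcases/bogons/nft-f/nat_map_and_protocol_assert b/tests/shell/testcases/bogons/nft-j/nat_map_and_protocol_assert` names its b/ side `nft-j`, while the `+++ b/` line two lines later and the diffstat hunk above both say `nft-f`. If that `j` is really in the file and not a transcription artifact, `git apply`/`git am` refuses the nested patch with an "inconsistent new filename" error, whereas GNU patch (what rpmbuild's %patch normally runs) may take the `+++` name and apply it silently, so the package build would not catch the mismatch. Change the b/ path on that line to `b/tests/shell/testcases/bogons/nft-f/nat_map_and_protocol_assert` so all three references agree.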
@@ -0,0 +1,204 @@ +From 59a33d08ab3a75b2ae370b6816942793f49fa8db Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 5 Dec 2023 12:56:08 +0100 +Subject: parser: tcpopt: fix tcp option parsing with NUM + length field +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tcp option 254 length ge 4 + +... will segfault. +The crash bug is that tcpopt_expr_alloc() can return NULL if we cannot +find a suitable template for the requested kind + field combination, +so add the needed error handling in the bison parser. + +However, we can handle this. NOP and EOL have templates, all other +options (known or unknown) must also have a length field. + +So also add a fallback template to handle both kind and length, even +if only a numeric option is given that nft doesn't recognize. + +Don't bother with output, above will be printed via raw syntax, i.e. +tcp option @254,8,8 >= 4. + +Fixes: 24d8da308342 ("tcpopt: allow to check for presence of any tcp option") +Reported-by: Maciej Żenczykowski +Signed-off-by: Florian Westphal + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=59a33d08ab3a75b2ae370b6816942793f49fa8db + +--- + src/parser_bison.y | 4 ++ + src/tcpopt.c | 44 +++++++++++++---- + .../testcases/packetpath/dumps/tcp_options.nodump | 0 + tests/shell/testcases/packetpath/tcp_options | 55 ++++++++++++++++++++++ + 4 files changed, 93 insertions(+), 10 deletions(-) + create mode 100644 tests/shell/testcases/packetpath/dumps/tcp_options.nodump + create mode 100755 tests/shell/testcases/packetpath/tcp_options + +diff --git a/src/parser_bison.y b/src/parser_bison.y +index ee7e9e14..1a3d64f7 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -5828,6 +5828,10 @@ tcp_hdr_expr : TCP tcp_hdr_field + | TCP OPTION tcp_hdr_option_kind_and_field + { + $$ = tcpopt_expr_alloc(&@$, $3.kind, $3.field); ++ if ($$ == NULL) { ++ erec_queue(error(&@1, "Could not find a tcp option template"), state->msgs); ++ 
YYERROR; ++ } + } + | TCP OPTION AT close_scope_at tcp_hdr_option_type COMMA NUM COMMA NUM + { +diff --git a/src/tcpopt.c b/src/tcpopt.c +index 3fcb2731..8111a507 100644 +--- a/src/tcpopt.c ++++ b/src/tcpopt.c +@@ -118,6 +118,13 @@ static const struct exthdr_desc tcpopt_mptcp = { + [TCPOPT_MPTCP_SUBTYPE] = PHT("subtype", 16, 4), + }, + }; ++ ++static const struct exthdr_desc tcpopt_fallback = { ++ .templates = { ++ [TCPOPT_COMMON_KIND] = PHT("kind", 0, 8), ++ [TCPOPT_COMMON_LENGTH] = PHT("length", 8, 8), ++ }, ++}; + #undef PHT + + const struct exthdr_desc *tcpopt_protocols[] = { +@@ -133,6 +140,17 @@ const struct exthdr_desc *tcpopt_protocols[] = { + [TCPOPT_KIND_FASTOPEN] = &tcpopt_fastopen, + }; + ++static void tcpopt_assign_tmpl(struct expr *expr, ++ const struct proto_hdr_template *tmpl, ++ const struct exthdr_desc *desc) ++{ ++ expr->exthdr.op = NFT_EXTHDR_OP_TCPOPT; ++ ++ expr->exthdr.desc = desc; ++ expr->exthdr.tmpl = tmpl; ++ expr->exthdr.offset = tmpl->offset; ++} ++ + /** + * tcpopt_expr_alloc - allocate tcp option extension expression + * +@@ -182,18 +200,26 @@ struct expr *tcpopt_expr_alloc(const struct location *loc, + desc = tcpopt_protocols[kind]; + + if (!desc) { +- if (field != TCPOPT_COMMON_KIND || kind > 255) ++ if (kind > 255) + return NULL; + ++ desc = &tcpopt_fallback; ++ ++ switch (field) { ++ case TCPOPT_COMMON_KIND: ++ case TCPOPT_COMMON_LENGTH: ++ tmpl = &desc->templates[field]; ++ break; ++ default: ++ tmpl = &tcpopt_unknown_template; ++ break; ++ } ++ + expr = expr_alloc(loc, EXPR_EXTHDR, &integer_type, + BYTEORDER_BIG_ENDIAN, 8); + +- desc = tcpopt_protocols[TCPOPT_NOP]; +- tmpl = &desc->templates[field]; +- expr->exthdr.desc = desc; +- expr->exthdr.tmpl = tmpl; +- expr->exthdr.op = NFT_EXTHDR_OP_TCPOPT; + expr->exthdr.raw_type = kind; ++ tcpopt_assign_tmpl(expr, tmpl, desc); + return expr; + } + +@@ -203,11 +229,9 @@ struct expr *tcpopt_expr_alloc(const struct location *loc, + + expr = expr_alloc(loc, EXPR_EXTHDR, tmpl->dtype, + 
BYTEORDER_BIG_ENDIAN, tmpl->len); +- expr->exthdr.desc = desc; +- expr->exthdr.tmpl = tmpl; +- expr->exthdr.op = NFT_EXTHDR_OP_TCPOPT; ++ + expr->exthdr.raw_type = desc->type; +- expr->exthdr.offset = tmpl->offset; ++ tcpopt_assign_tmpl(expr, tmpl, desc); + + return expr; + } +diff --git a/tests/shell/testcases/packetpath/dumps/tcp_options.nodump b/tests/shell/testcases/packetpath/dumps/tcp_options.nodump +new file mode 100644 +index 00000000..e69de29b +diff --git a/tests/shell/testcases/packetpath/tcp_options b/tests/shell/testcases/packetpath/tcp_options +new file mode 100755 +index 00000000..1c9ee532 +--- /dev/null ++++ b/tests/shell/testcases/packetpath/tcp_options +@@ -0,0 +1,55 @@ ++#!/bin/bash ++ ++have_socat="no" ++socat -h > /dev/null && have_socat="yes" ++ ++ip link set lo up ++ ++$NFT -f /dev/stdin < connect fails with eperm) ++socat -u STDIN TCP:127.0.0.1:22345,connect-timeout=1 < /dev/null > /dev/null ++ ++# can't validate via dump file, syn rexmit can cause counters to be > 1 in rare cases. ++ ++$NFT list counter inet t nomatchc ++ ++# nomatchc must be 0. ++$NFT list counter inet t nomatchc | grep -q "packets 0" || exit 1 ++ ++# these counters must not be 0. ++for nz in sackpermc maxsegc nopc; do ++ $NFT list counter inet t $nz ++ $NFT list counter inet t $nz | grep -q "packets 0" && exit 1 ++done ++ ++exit 0 +-- +cgit v1.2.3 diff --git a/backport-tests-py-remove-huge-limit-test-cases.patch b/backport-tests-py-remove-huge-limit-test-cases.patch new file mode 100644 index 0000000..41e485d --- /dev/null +++ b/backport-tests-py-remove-huge-limit-test-cases.patch 
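Review bot: In the tcpopt.c hunk the new `if (kind > 255) return NULL;` guard still sits after the context line `desc = tcpopt_protocols[kind];`, so unless the lines above the hunk (not visible here) already bound `kind` by the table size, an out-of-range kind indexes past `tcpopt_protocols` before it is rejected; moving the range check ahead of the lookup makes the guard self-sufficient. The `if ($$ == NULL)` check in parser_bison.y is the actual crash fix, but it anchors the message at `&@1` (the `tcp` keyword); `error(&@3, ...)` would point at the offending kind/field. The fallback path sets `expr->exthdr.raw_type = kind` on a descriptor whose `.type`/`.name` are left zero, which matches the message's "printed via raw syntax" but deserves a comment on `tcpopt_fallback`, e.g. `/* kind/length-only template for option numbers nft has no descriptor for; listed as raw @kind,off,len */`. The shell test's heredoc body is missing from this rendering, so the ruleset it loads could not be reviewed, and `tcpopt_expr_alloc` begins before and continues past the hunk.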
@@ -0,0 +1,221 @@ +From 1ee84db0360db0da336d5b1ee92807d29fcfbbe1 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 18 Jan 2024 13:24:04 +0100 +Subject: tests: py: remove huge-limit test cases + +These tests will fail once the kernel checks for overflow +in the internal token bucken counter, so drop them. + +Signed-off-by: Florian Westphal + +Conflict:change modify about limit.t +Reference:https://git.netfilter.org/nftables/commit/?id=1ee84db0360db0da336d5b1ee92807d29fcfbbe1 + +--- + tests/py/any/limit.t | 4 ---- + tests/py/any/limit.t.json | 51 ---------------------------------------- + tests/py/any/limit.t.json.output | 28 ---------------------- + tests/py/any/limit.t.payload | 17 -------------- + 4 files changed, 100 deletions(-) + +diff --git a/tests/py/any/limit.t b/tests/py/any/limit.t +index a04ef42a..2a84e3f5 100644 +--- a/tests/py/any/limit.t ++++ b/tests/py/any/limit.t +@@ -22,7 +22,6 @@ limit rate 2 kbytes/second;ok + limit rate 1025 kbytes/second;ok + limit rate 1023 mbytes/second;ok + limit rate 10230 mbytes/second;ok +-limit rate 1023000 mbytes/second;ok + limit rate 512 kbytes/second burst 5 packets;fail + + limit rate 1 bytes / second;ok;limit rate 1 bytes/second +@@ -33,7 +32,6 @@ limit rate 1 gbytes / second;fail + limit rate 1025 bytes/second burst 512 bytes;ok + limit rate 1025 kbytes/second burst 1023 kbytes;ok + limit rate 1025 mbytes/second burst 1025 kbytes;ok +-limit rate 1025000 mbytes/second burst 1023 mbytes;ok + + limit rate over 400/minute;ok + limit rate over 20/second;ok +@@ -47,9 +45,7 @@ limit rate over 2 kbytes/second;ok + limit rate over 1025 kbytes/second;ok + limit rate over 1023 mbytes/second;ok + limit rate over 10230 mbytes/second;ok +-limit rate over 1023000 mbytes/second;ok + + limit rate over 1025 bytes/second burst 512 bytes;ok + limit rate over 1025 kbytes/second burst 1023 kbytes;ok + limit rate over 1025 mbytes/second burst 1025 kbytes;ok +-limit rate over 1025000 mbytes/second burst 1023 mbytes;ok +diff 
--git a/tests/py/any/limit.t.json b/tests/py/any/limit.t.json +index e001ba0f..73160b27 100644 +--- a/tests/py/any/limit.t.json ++++ b/tests/py/any/limit.t.json +@@ -114,17 +114,6 @@ + } + ] + +-# limit rate 1023000 mbytes/second +-[ +- { +- "limit": { +- "per": "second", +- "rate": 1023000, +- "rate_unit": "mbytes" +- } +- } +-] +- + # limit rate 1 bytes / second + [ + { +@@ -203,19 +192,6 @@ + } + ] + +-# limit rate 1025000 mbytes/second burst 1023 mbytes +-[ +- { +- "limit": { +- "burst": 1023, +- "burst_unit": "mbytes", +- "per": "second", +- "rate": 1025000, +- "rate_unit": "mbytes" +- } +- } +-] +- + # limit rate over 400/minute + [ + { +@@ -343,18 +319,6 @@ + } + ] + +-# limit rate over 1023000 mbytes/second +-[ +- { +- "limit": { +- "inv": true, +- "per": "second", +- "rate": 1023000, +- "rate_unit": "mbytes" +- } +- } +-] +- + # limit rate over 1025 bytes/second burst 512 bytes + [ + { +@@ -396,18 +360,3 @@ + } + } + ] +- +-# limit rate over 1025000 mbytes/second burst 1023 mbytes +-[ +- { +- "limit": { +- "burst": 1023, +- "burst_unit": "mbytes", +- "inv": true, +- "per": "second", +- "rate": 1025000, +- "rate_unit": "mbytes" +- } +- } +-] +- +diff --git a/tests/py/any/limit.t.json.output b/tests/py/any/limit.t.json.output +index 5a95f5e1..2c94d2de 100644 +--- a/tests/py/any/limit.t.json.output ++++ b/tests/py/any/limit.t.json.output +@@ -118,19 +118,6 @@ + } + ] + +-# limit rate 1023000 mbytes/second +-[ +- { +- "limit": { +- "burst": 0, +- "burst_unit": "bytes", +- "per": "second", +- "rate": 1023000, +- "rate_unit": "mbytes" +- } +- } +-] +- + # limit rate over 400/minute + [ + { +@@ -260,18 +247,3 @@ + } + } + ] +- +-# limit rate over 1023000 mbytes/second +-[ +- { +- "limit": { +- "burst": 0, +- "burst_unit": "bytes", +- "inv": true, +- "per": "second", +- "rate": 1023000, +- "rate_unit": "mbytes" +- } +- } +-] +- +diff --git a/tests/py/any/limit.t.payload b/tests/py/any/limit.t.payload +index 0c7ee942..dc6701b3 100644 +--- 
a/tests/py/any/limit.t.payload ++++ b/tests/py/any/limit.t.payload +@@ -42,10 +42,6 @@ ip test-ip4 output + ip test-ip4 output + [ limit rate 10726932480/second burst 0 type bytes flags 0x0 ] + +-# limit rate 1023000 mbytes/second +-ip test-ip4 output +- [ limit rate 1072693248000/second burst 0 type bytes flags 0x0 ] +- + # limit rate 1 bytes / second + ip + [ limit rate 1/second burst 0 type bytes flags 0x0 ] +@@ -71,10 +67,6 @@ ip test-ip4 output + ip test-ip4 output + [ limit rate 1074790400/second burst 1049600 type bytes flags 0x0 ] + +-# limit rate 1025000 mbytes/second burst 1023 mbytes +-ip test-ip4 output +- [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x0 ] +- + # limit rate over 400/minute + ip test-ip4 output + [ limit rate 400/minute burst 5 type packets flags 0x1 ] +@@ -119,10 +111,6 @@ ip test-ip4 output + ip test-ip4 output + [ limit rate 10726932480/second burst 0 type bytes flags 0x1 ] + +-# limit rate over 1023000 mbytes/second +-ip test-ip4 output +- [ limit rate 1072693248000/second burst 0 type bytes flags 0x1 ] +- + # limit rate over 1025 bytes/second burst 512 bytes + ip test-ip4 output + [ limit rate 1025/second burst 512 type bytes flags 0x1 ] +@@ -134,8 +122,3 @@ ip test-ip4 output + # limit rate over 1025 mbytes/second burst 1025 kbytes + ip test-ip4 output + [ limit rate 1074790400/second burst 1049600 type bytes flags 0x1 ] +- +-# limit rate over 1025000 mbytes/second burst 1023 mbytes +-ip test-ip4 output +- [ limit rate 1074790400000/second burst 1072693248 type bytes flags 0x1 ] +- +-- +cgit v1.2.3 diff --git a/backport-tests-shell-Fix-sets-reset_command_0-for-current-kernels.patch b/backport-tests-shell-Fix-sets-reset_command_0-for-current-kernels.patch new file mode 100644 index 0000000..2f69589 --- /dev/null +++ b/backport-tests-shell-Fix-sets-reset_command_0-for-current-kernels.patch 
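Review bot: After this removal nothing in tests/py asserts either outcome for rates above the remaining `10230 mbytes/second` cases, and nothing visible in nft userspace rejects them, so on a kernel with the token-bucket overflow check the message refers to, a user gets a bare kernel error instead of a location-anchored message from evaluate.c. Deleting rather than flipping the cases to `;fail` is understandable because the result now depends on the running kernel, but a userspace range check mirroring the kernel bound, plus a `;fail` case such as `limit rate 1023000 mbytes/second;fail`, would give deterministic coverage. The backport marker `Conflict:change modify about limit.t` should also say what was adapted relative to the upstream commit.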
@@ -0,0 +1,51 @@ +From 7a6089a400a573b9a4fd92f29c00a6be7b8ef269 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 2 Nov 2023 16:02:14 +0100 +Subject: tests: shell: Fix sets/reset_command_0 for current kernels + +Since kernel commit 4c90bba60c26 ("netfilter: nf_tables: do not refresh +timeout when resetting element"), element reset won't touch expiry +anymore. Invert the one check to make sure it remains unaltered, drop +the other testing behaviour for per-element timeouts. + +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=7a6089a400a573b9a4fd92f29c00a6be7b8ef269 + +--- + tests/shell/testcases/sets/reset_command_0 | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0 +index e663dac8..d38ddb3f 100755 +--- a/tests/shell/testcases/sets/reset_command_0 ++++ b/tests/shell/testcases/sets/reset_command_0 +@@ -44,10 +44,10 @@ elem='element t s { 1.0.0.1 . udp . 53 }' + grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]] + echo OK + +-echo -n "counters and expiry are reset: " ++echo -n "counters are reset, expiry left alone: " + NEW=$($NFT "get $elem") + grep -q 'counter packets 0 bytes 0' <<< "$NEW" +-[[ $(expires_minutes <<< "$NEW") -gt 20 ]] ++[[ $(expires_minutes <<< "$NEW") -lt 20 ]] + echo OK + + echo -n "get map elem matches reset map elem: " +@@ -80,12 +80,6 @@ OUT=$($NFT reset map t m) + $DIFF -u <(echo "$EXP") <(echo "$OUT") + echo OK + +-echo -n "reset command respects per-element timeout: " +-VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes) +-[[ $VAL -lt 15 ]] # custom timeout applies +-[[ $VAL -gt 10 ]] # expires was reset +-echo OK +- + echo -n "remaining elements are reset: " + OUT=$($NFT list ruleset) + grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT" +-- +cgit v1.2.3 
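Review bot: The inverted check `+[[ $(expires_minutes <<< "$NEW") -lt 20 ]]` makes this test pass only on kernels carrying 4c90bba60c26 (reset no longer refreshes expiry); on an older kernel the same line fails in the opposite direction, and the spec applies this patch unconditionally to a 1.0.8 package, so whether the distribution kernel has that commit should be confirmed before the testsuite is relied on. The removed block also took away the only check that the custom `timeout 15m` still applies to the second element; the `[[ $VAL -lt 15 ]] # custom timeout applies` line remains valid under the new kernel semantics and could be kept while dropping only the `-gt 10` "expires was reset" assertion.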
diff --git a/backport-tests-shell-Stabilize-sets-reset_command_0-test.patch b/backport-tests-shell-Stabilize-sets-reset_command_0-test.patch new file mode 100644 index 0000000..d1fb06c --- /dev/null +++ b/backport-tests-shell-Stabilize-sets-reset_command_0-test.patch 
@@ -0,0 +1,160 @@ +From 255ec36a115257f0f63304b33423d9e268af998b Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 23 Aug 2023 11:18:53 +0200 +Subject: tests: shell: Stabilize sets/reset_command_0 test + +Timeout/expiry value testing based on seconds is way too fragile, +especially with slow debug kernels. Rewrite the unit to test +minute-based values. This means it is no longer feasible to wait for +values to sufficiently change, so instead specify an 'expires' value +when creating the ruleset and drop the 'sleep' call. + +While being at it: + +- Combine 'get element' and 'reset element' calls into one, assert the + relevant (sanitized) line appears twice in output instead of comparing + with 'diff'. +- Turn comments into 'echo' calls to help debugging if the test fails. + +Reported-by: Florian Westphal +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=255ec36a115257f0f63304b33423d9e268af998b + +--- + tests/shell/testcases/sets/reset_command_0 | 87 ++++++++++++++++-------------- + 1 file changed, 48 insertions(+), 39 deletions(-) + +diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0 +index 7a088aea..ad2e16a7 100755 +--- a/tests/shell/testcases/sets/reset_command_0 ++++ b/tests/shell/testcases/sets/reset_command_0 +@@ -1,17 +1,18 @@ + #!/bin/bash + + set -e +-set -x ++ ++trap '[[ $? -eq 0 ]] || echo FAIL' EXIT + + RULESET="table t { + set s { + type ipv4_addr . inet_proto . inet_service + flags interval, timeout + counter +- timeout 30s ++ timeout 30m + elements = { +- 1.0.0.1 . udp . 53 counter packets 5 bytes 30, +- 2.0.0.2 . tcp . 22 counter packets 10 bytes 100 timeout 15s ++ 1.0.0.1 . udp . 53 counter packets 5 bytes 30 expires 20m, ++ 2.0.0.2 . tcp . 
22 counter packets 10 bytes 100 timeout 15m expires 10m + } + } + map m { +@@ -24,59 +25,67 @@ RULESET="table t { + } + }" + ++echo -n "applying test ruleset: " + $NFT -f - <<< "$RULESET" ++echo OK + +-sleep 2 +- +-drop_ms() { +- sed 's/s[0-9]*ms/s/g' ++drop_seconds() { ++ sed 's/m[0-9]*s[0-9]*ms/m/g' + } +-expires_seconds() { +- sed -n 's/.*expires \([0-9]*\)s.*/\1/p' ++expires_minutes() { ++ sed -n 's/.*expires \([0-9]*\)m.*/\1/p' + } + +-# 'reset element' output is supposed to match 'get element' one +-# apart from changing expires ms value +-EXP=$($NFT get element t s '{ 1.0.0.1 . udp . 53 }' | drop_ms) +-OUT=$($NFT reset element t s '{ 1.0.0.1 . udp . 53 }' | drop_ms) +-$DIFF -u <(echo "$EXP") <(echo "$OUT") +- +-EXP=$($NFT get element t m '{ 1.2.3.4 }') +-OUT=$($NFT reset element t m '{ 1.2.3.4 }') +-$DIFF -u <(echo "$EXP") <(echo "$OUT") ++echo -n "get set elem matches reset set elem: " ++elem='element t s { 1.0.0.1 . udp . 53 }' ++[[ $($NFT "get $elem ; reset $elem" | \ ++ grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]] ++echo OK + +-# assert counter value is zeroed +-$NFT get element t s '{ 1.0.0.1 . udp . 53 }' | grep -q 'counter packets 0 bytes 0' ++echo -n "counters and expiry are reset: " ++NEW=$($NFT "get $elem") ++grep -q 'counter packets 0 bytes 0' <<< "$NEW" ++[[ $(expires_minutes <<< "$NEW") -gt 20 ]] ++echo OK + +-# assert expiry is reset +-VAL=$($NFT get element t s '{ 1.0.0.1 . udp . 53 }' | expires_seconds) +-[[ $VAL -gt 28 ]] ++echo -n "get map elem matches reset map elem: " ++elem='element t m { 1.2.3.4 }' ++[[ $($NFT "get $elem ; reset $elem" | \ ++ grep 'elements = ' | uniq | wc -l) == 1 ]] ++echo OK + +-# assert quota value is reset ++echo -n "quota value is reset: " + $NFT get element t m '{ 1.2.3.4 }' | grep -q 'quota 50 bytes : 10.2.3.4' ++echo OK + +-# assert other elements remain unchanged +-$NFT get element t s '{ 2.0.0.2 . tcp . 22 }' ++echo -n "other elements remain the same: " + OUT=$($NFT get element t s '{ 2.0.0.2 . 
tcp . 22 }') +-grep -q 'counter packets 10 bytes 100 timeout 15s' <<< "$OUT" +-VAL=$(expires_seconds <<< "$OUT") +-[[ $val -lt 14 ]] ++grep -q 'counter packets 10 bytes 100 timeout 15m' <<< "$OUT" ++VAL=$(expires_minutes <<< "$OUT") ++[[ $val -lt 10 ]] + $NFT get element t m '{ 5.6.7.8 }' | grep -q 'quota 100 bytes used 50 bytes' ++echo OK + +-# 'reset set' output is supposed to match 'list set' one, again strip the ms values +-EXP=$($NFT list set t s | drop_ms) +-OUT=$($NFT reset set t s | drop_ms) ++echo -n "list set matches reset set: " ++EXP=$($NFT list set t s | drop_seconds) ++OUT=$($NFT reset set t s | drop_seconds) + $DIFF -u <(echo "$EXP") <(echo "$OUT") ++echo OK + +-EXP=$($NFT list map t m | drop_ms) +-OUT=$($NFT reset map t m | drop_ms) ++echo -n "list map matches reset map: " ++EXP=$($NFT list map t m) ++OUT=$($NFT reset map t m) + $DIFF -u <(echo "$EXP") <(echo "$OUT") ++echo OK + +-# assert expiry of element with custom timeout is correct +-VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_seconds) +-[[ $VAL -lt 15 ]] ++echo -n "reset command respects per-element timeout: " ++VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes) ++[[ $VAL -lt 15 ]] # custom timeout applies ++[[ $VAL -gt 10 ]] # expires was reset ++echo OK + +-# assert remaining elements are now all reset ++echo -n "remaining elements are reset: " + OUT=$($NFT list ruleset) + grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT" + grep -q '5.6.7.8 quota 100 bytes : 50.6.7.8' <<< "$OUT" ++echo OK +-- +cgit v1.2.3 diff --git a/backport-tests-shell-connect-chains-to-hook-point.patch b/backport-tests-shell-connect-chains-to-hook-point.patch index 9236733..13c45b6 100644 --- a/backport-tests-shell-connect-chains-to-hook-point.patch +++ b/backport-tests-shell-connect-chains-to-hook-point.patch 
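Review bot: In the "other elements remain the same" block the rewritten line `+[[ $val -lt 10 ]]` tests lowercase `$val` while the value is stored in `VAL` on the line above; inside `[[ ... -lt ... ]]` an unset name evaluates to 0, so the comparison is always true and the `expires 10m` assertion is a no-op (the old `[[ $val -lt 14 ]]` had the same typo, but the rewrite was the place to fix it). Change it to `[[ $VAL -lt 10 ]]`. With `set -e` and the new `trap ... EXIT` this test reports failure only through a non-zero status, so a silently-true line is exactly what would hide a regression in per-element expiry handling.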
@@ -24,6 +24,7 @@ Reference:https://git.netfilter.org/nftables/commit/?id=1fc78397e9a1fb5e41841b8b tests/shell/testcases/chains/0011endless_jump_loop_1 | 2 +- tests/shell/testcases/chains/0018check_jump_loop_1 | 2 +- tests/shell/testcases/transactions/0023rule_1 | 2 +- + tests/shell/testcases/transactions/anon_chain_loop | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1 
@@ -93,5 +94,18 @@ index e58c088c..863bcde4 100755 add rule x y jump y" # kernel must return ELOOP +diff --git a/tests/shell/testcases/transactions/anon_chain_loop b/tests/shell/testcases/transactions/anon_chain_loop +index 2fd61810..3053d166 100755 +--- a/tests/shell/testcases/transactions/anon_chain_loop ++++ b/tests/shell/testcases/transactions/anon_chain_loop +@@ -3,7 +3,7 @@ + # anon chains with c1 -> c2 recursive jump, expect failure + $NFT -f - < +Date: Fri, 29 Sep 2023 19:59:12 +0200 +Subject: tests: shell: sets/reset_command_0: Fix drop_seconds() + +The function print_times() skips any time elements which are zero, so +output may lack the ms part. Adjust the sed call dropping anything but +the minutes value to not fail in that case. + +Reported-by: Pablo Neira Ayuso +Fixes: 255ec36a11525 ("tests: shell: Stabilize sets/reset_command_0 test") +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=4a3dcbb44389edc5aba8dbc9317e8c6293263a66 + +--- + tests/shell/testcases/sets/reset_command_0 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0 +index 5e769fe6..e663dac8 100755 +--- a/tests/shell/testcases/sets/reset_command_0 ++++ b/tests/shell/testcases/sets/reset_command_0 +@@ -32,7 +32,7 @@ $NFT -f - <<< "$RULESET" + echo OK + + drop_seconds() { +- sed 's/m[0-9]*s[0-9]*ms/m/g' ++ sed 's/[0-9]\+m\?s//g' + } + expires_minutes() { + sed -n 's/.*expires \([0-9]*\)m.*/\1/p' +-- +cgit v1.2.3 diff --git a/nftables.spec b/nftables.spec index dc39ac3..8c9e08b 100644 --- a/nftables.spec +++ b/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 1.0.8 -Release: 9 +Release: 10 Epoch: 1 Summary: A subsystem of the Linux kernel processing network data License: GPLv2 
@@ -94,6 +94,12 @@
 Patch0078: backport-evaluate-dont-BUG-on-unexpected-base-datatype.patch
 Patch0079: backport-src-BASECHAIN-flag-no-longer-implies-presence-of-priority-expression.patch
 Patch0080: backport-parser_bison-only-reset-by-name-is-supported-by-now.patch
+Patch0081: backport-parser-tcpopt-fix-tcp-option-parsing-with-NUM-length-field.patch
+Patch0082: backport-tests-py-remove-huge-limit-test-cases.patch
+Patch0083: backport-tests-shell-Stabilize-sets-reset_command_0-test.patch
+Patch0084: backport-tests-shell-sets-reset_command_0-Fix-drop_seconds.patch
+Patch0085: backport-tests-shell-Fix-sets-reset_command_0-for-current-kernels.patch
+
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires: iptables-devel jansson-devel python3-devel
 BuildRequires: chrpath libedit-devel
@@ -192,6 +198,12 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/
 
 %changelog
+* Tue Nov 25 2025 eaglegai - 1:1.0.8-10
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport upstream patches
+
 * Fri Oct 10 2025 eaglegai - 1:1.0.8-9
 - Type:bugfix
 - CVE:NA
-- Gitee