From 4efd91eab240ac562b141b4161661320dd4e8a8f Mon Sep 17 00:00:00 2001
From: zhanghao
Date: Sat, 6 Jan 2024 19:42:16 +0800
Subject: [PATCH] sync some patches from community
---
 ...add-secmark-object-reference-support.patch | 100 +++++++++
 ...-json-add-set-statement-list-support.patch | 138 +++++++++++++
 ...json-add-table-map-statement-support.patch | 192 ++++++++++++++++++
 ...atement-list-output-in-sets-and-maps.patch | 114 +++++++++++
 ...fix-json-schema-version-verification.patch | 93 +++++++++
 nftables.spec | 18 +-
 6 files changed, 654 insertions(+), 1 deletion(-)
 create mode 100644 backport-json-add-secmark-object-reference-support.patch
 create mode 100644 backport-json-add-set-statement-list-support.patch
 create mode 100644 backport-json-add-table-map-statement-support.patch
 create mode 100644 backport-json-fix-empty-statement-list-output-in-sets-and-maps.patch
 create mode 100644 backport-json-fix-json-schema-version-verification.patch
diff --git a/backport-json-add-secmark-object-reference-support.patch b/backport-json-add-secmark-object-reference-support.patch
new file mode 100644
index 0000000..27e716f
--- /dev/null
+++ b/backport-json-add-secmark-object-reference-support.patch
@@ -0,0 +1,100 @@ +From a7d2a042442494abae2970db53fa21bbef1a280a Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Sat, 10 Sep 2022 09:59:48 +0200 +Subject: [PATCH] json: add secmark object reference support + +The secmark object reference requires a json parser function and it was +missing. In addition, extends the shell testcases. + +Conflict: NA +Reference: https://git.netfilter.org/nftables/commit?id=a7d2a042442494abae2970db53fa21bbef1a280a + +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1630 +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Pablo Neira Ayuso +--- + src/parser_json.c | 18 ++++++++++++++++++ + .../shell/testcases/json/0005secmark_objref_0 | 9 +++++++++ + .../json/dumps/0005secmark_objref_0.nft | 18 ++++++++++++++++++ + 3 files changed, 45 insertions(+) + create mode 100755 tests/shell/testcases/json/0005secmark_objref_0 + create mode 100644 tests/shell/testcases/json/dumps/0005secmark_objref_0.nft + +diff --git a/src/parser_json.c b/src/parser_json.c +index e5e3731..db6c0a3 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -1938,6 +1938,23 @@ static struct stmt *json_parse_dup_stmt(struct json_ctx *ctx, + stmt->dup.dev = expr; + return stmt; + } ++ ++static struct stmt *json_parse_secmark_stmt(struct json_ctx *ctx, ++ const char *key, json_t *value) ++{ ++ struct stmt *stmt; ++ ++ stmt = objref_stmt_alloc(int_loc); ++ stmt->objref.type = NFT_OBJECT_SECMARK; ++ stmt->objref.expr = json_parse_stmt_expr(ctx, value); ++ if (!stmt->objref.expr) { ++ json_error(ctx, "Invalid secmark reference."); ++ stmt_free(stmt); ++ return NULL; ++ } ++ ++ return stmt; ++} + + static int json_parse_nat_flag(struct json_ctx *ctx, + json_t *root, int *flags) +@@ -2690,6 +2707,7 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) + { "ct count", json_parse_connlimit_stmt }, + { "tproxy", json_parse_tproxy_stmt }, + { "synproxy", json_parse_synproxy_stmt }, ++ { "secmark", json_parse_secmark_stmt }, + 
}; + const char *type; + unsigned int i; +diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0 +new file mode 100755 +index 0000000..ae96743 +--- /dev/null ++++ b/tests/shell/testcases/json/0005secmark_objref_0 +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++set -e ++ ++$NFT flush ruleset ++ ++RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 4}}, {"secmark": {"family": "inet", "name": "ssh_server", "table": "x", "handle": 1, "context": "system_u:object_r:ssh_server_packet_t:s0"}}, {"chain": {"family": "inet", "table": "x", "name": "y", "handle": 2, "type": "filter", "hook": "input", "prio": -225, "policy": "accept"}}, {"chain": {"family": "inet", "table": "x", "name": "z", "handle": 3, "type": "filter", "hook": "output", "prio": 225, "policy": "accept"}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 4, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 2222}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"secmark": "ssh_server"}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 5, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 6, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 7, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", 
"table": "x", "chain": "z", "handle": 8, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}]}' ++ ++$NFT -j -f - <<< $RULESET +diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft +new file mode 100644 +index 0000000..4c218e9 +--- /dev/null ++++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft +@@ -0,0 +1,18 @@ ++table inet x { ++ secmark ssh_server { ++ "system_u:object_r:ssh_server_packet_t:s0" ++ } ++ ++ chain y { ++ type filter hook input priority -225; policy accept; ++ tcp dport 2222 ct state new meta secmark set "ssh_server" ++ ct state new ct secmark set meta secmark ++ ct state established,related meta secmark set ct secmark ++ } ++ ++ chain z { ++ type filter hook output priority 225; policy accept; ++ ct state new ct secmark set meta secmark ++ ct state established,related meta secmark set ct secmark ++ } ++} +-- +2.33.0 + diff --git a/backport-json-add-set-statement-list-support.patch b/backport-json-add-set-statement-list-support.patch new file mode 100644 index 0000000..f9e5204 --- /dev/null +++ b/backport-json-add-set-statement-list-support.patch 
@@ -0,0 +1,138 @@ +From 07958ec53830d4c14b65fa4115c02715dc9c0d47 Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Thu, 1 Sep 2022 12:31:43 +0200 +Subject: [PATCH] json: add set statement list support + +When listing a set with statements with JSON support, the statements were +ignored. + +Output example: + +{ + "set": { + "op": "add", + "elem": { + "payload": { + "protocol": "ip", + "field": "saddr" + } + }, + "stmt": [ + { + "limit": { + "rate": 10, + "burst": 5, + "per": "second" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ], + "set": "@my_ssh_meter" + } +} + +Conflict: NA +Reference: https://git.netfilter.org/nftables/commit?id=07958ec53830d4c14b65fa4115c02715dc9c0d47 + +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1495 +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Pablo Neira Ayuso +--- + src/json.c | 19 +++++++++++- + src/parser_json.c | 29 ++++++++++++++++++- + 2 files changed, 48 insertions(+), 2 deletions(-) + +diff --git a/src/json.c b/src/json.c +index a525fd1b..55959eea 100644 +--- a/src/json.c ++++ b/src/json.c +@@ -1439,11 +1439,28 @@ json_t *counter_stmt_json(const struct stmt *stmt, struct output_ctx *octx) + "bytes", stmt->counter.bytes); + } + ++static json_t *set_stmt_list_json(const struct list_head *stmt_list, ++ struct output_ctx *octx) ++{ ++ json_t *root, *tmp; ++ struct stmt *i; ++ ++ root = json_array(); ++ ++ list_for_each_entry(i, stmt_list, list) { ++ tmp = stmt_print_json(i, octx); ++ json_array_append_new(root, tmp); ++ } ++ ++ return root; ++} ++ + json_t *set_stmt_json(const struct stmt *stmt, struct output_ctx *octx) + { +- return json_pack("{s:{s:s, s:o, s:s+}}", "set", ++ return json_pack("{s:{s:s, s:o, s:o, s:s+}}", "set", + "op", set_stmt_op_names[stmt->set.op], + "elem", expr_print_json(stmt->set.key, octx), ++ "stmt", set_stmt_list_json(&stmt->set.stmt_list, octx), + "set", "@", stmt->set.set->set->handle.set.name); + } + +diff --git a/src/parser_json.c 
b/src/parser_json.c +index 2437b1ba..fc72c25f 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -2230,13 +2230,36 @@ static struct stmt *json_parse_reject_stmt(struct json_ctx *ctx, + return stmt; + } + ++static void json_parse_set_stmt_list(struct json_ctx *ctx, ++ struct list_head *stmt_list, ++ json_t *stmt_json) ++{ ++ struct list_head *head; ++ struct stmt *tmp; ++ json_t *value; ++ size_t index; ++ ++ if (!stmt_json) ++ return; ++ ++ if (!json_is_array(stmt_json)) ++ json_error(ctx, "Unexpected object type in stmt"); ++ ++ head = stmt_list; ++ json_array_foreach(stmt_json, index, value) { ++ tmp = json_parse_stmt(ctx, value); ++ list_add(&tmp->list, head); ++ head = &tmp->list; ++ } ++} ++ + static struct stmt *json_parse_set_stmt(struct json_ctx *ctx, + const char *key, json_t *value) + { + const char *opstr, *set; + struct expr *expr, *expr2; ++ json_t *elem, *stmt_json; + struct stmt *stmt; +- json_t *elem; + int op; + + if (json_unpack_err(ctx, value, "{s:s, s:o, s:s}", +@@ -2271,6 +2294,10 @@ static struct stmt *json_parse_set_stmt(struct json_ctx *ctx, + stmt->set.op = op; + stmt->set.key = expr; + stmt->set.set = expr2; ++ ++ if (!json_unpack(value, "{s:o}", "stmt", &stmt_json)) ++ json_parse_set_stmt_list(ctx, &stmt->set.stmt_list, stmt_json); ++ + return stmt; + } + +-- +2.23.0 \ No newline at end of file diff --git a/backport-json-add-table-map-statement-support.patch b/backport-json-add-table-map-statement-support.patch new file mode 100644 index 0000000..0df9282 --- /dev/null +++ b/backport-json-add-table-map-statement-support.patch 
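Review bot: In json_parse_set_stmt_list the result of json_parse_stmt is used unchecked, `list_add(&tmp->list, head);`, yet the statement parsers it dispatches to return NULL on malformed input (json_parse_secmark_stmt in the first backport on this page is one example), so one bad entry in a set statement's "stmt" array dereferences a null pointer instead of reporting the error already logged by the sub-parser. Add `if (!tmp) return;` directly after the json_parse_stmt call. The non-array branch has the same shape: json_error is raised but execution falls through into the loop, so a `return;` after that json_error keeps the error path explicit. The same helper is reused by json_parse_cmd_add_set in the table-map backport, so a fix here covers both callers.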
@@ -0,0 +1,192 @@ +From e66f3187d891a7b2f7212f33ab7501d5ee6c3b2f Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Fri, 2 Sep 2022 12:52:04 +0200 +Subject: [PATCH] json: add table map statement support + +When listing a map with statements with JSON support, the statement list were +ignored. + +Output example: + +{ + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 1, + "map": "mark", + "stmt": [ + { + "counter": { + "packets": 0, + "bytes": 0 + } + } + ] + } +} + +Conflict: NA +Reference: https://git.netfilter.org/nftables/commit?id=e66f3187d891a7b2f7212f33ab7501d5ee6c3b2f + +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1588 +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Pablo Neira Ayuso +--- + src/json.c | 70 +++++++++++-------- + src/parser_json.c | 5 +- + tests/shell/testcases/json/0002table_map_0 | 9 +++ + .../testcases/json/dumps/0002table_map_0.nft | 6 ++ + 4 files changed, 61 insertions(+), 29 deletions(-) + create mode 100755 tests/shell/testcases/json/0002table_map_0 + create mode 100644 tests/shell/testcases/json/dumps/0002table_map_0.nft + +diff --git a/src/json.c b/src/json.c +index 55959eea..1f2889c6 100644 +--- a/src/json.c ++++ b/src/json.c +@@ -77,6 +77,34 @@ static json_t *set_dtype_json(const struct expr *key) + return root; + } + ++static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) ++{ ++ char buf[1024]; ++ FILE *fp; ++ ++ /* XXX: Can't be supported at this point: ++ * xt_stmt_xlate() ignores output_fp. 
++ */ ++ if (stmt->ops->type == STMT_XT) ++ return json_pack("{s:n}", "xt"); ++ ++ if (stmt->ops->json) ++ return stmt->ops->json(stmt, octx); ++ ++ fprintf(stderr, "warning: stmt ops %s have no json callback\n", ++ stmt->ops->name); ++ ++ fp = octx->output_fp; ++ octx->output_fp = fmemopen(buf, 1024, "w"); ++ ++ stmt->ops->print(stmt, octx); ++ ++ fclose(octx->output_fp); ++ octx->output_fp = fp; ++ ++ return json_pack("s", buf); ++} ++ + static json_t *set_print_json(struct output_ctx *octx, const struct set *set) + { + json_t *root, *tmp; +@@ -152,6 +180,20 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) + json_object_set_new(root, "elem", array); + } + ++ if (!list_empty(&set->stmt_list)) { ++ json_t *array, *tmp; ++ struct stmt *stmt; ++ ++ array = json_array(); ++ ++ list_for_each_entry(stmt, &set->stmt_list, list) { ++ tmp = stmt_print_json(stmt, octx); ++ json_array_append_new(array, tmp); ++ } ++ ++ json_object_set_new(root, "stmt", array); ++ } ++ + return json_pack("{s:o}", type, root); + } + +@@ -168,34 +210,6 @@ static json_t *element_print_json(struct output_ctx *octx, + "elem", root); + } + +-static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) +-{ +- char buf[1024]; +- FILE *fp; +- +- /* XXX: Can't be supported at this point: +- * xt_stmt_xlate() ignores output_fp. 
+- */ +- if (stmt->ops->type == STMT_XT) +- return json_pack("{s:n}", "xt"); +- +- if (stmt->ops->json) +- return stmt->ops->json(stmt, octx); +- +- fprintf(stderr, "warning: stmt ops %s have no json callback\n", +- stmt->ops->name); +- +- fp = octx->output_fp; +- octx->output_fp = fmemopen(buf, 1024, "w"); +- +- stmt->ops->print(stmt, octx); +- +- fclose(octx->output_fp); +- octx->output_fp = fp; +- +- return json_pack("s", buf); +-} +- + static json_t *rule_print_json(struct output_ctx *octx, + const struct rule *rule) + { +diff --git a/src/parser_json.c b/src/parser_json.c +index fc72c25f..7180474e 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -3002,8 +3002,8 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, + { + struct handle h = { 0 }; + const char *family = "", *policy, *dtype_ext = NULL; ++ json_t *tmp, *stmt_json; + struct set *set; +- json_t *tmp; + + if (json_unpack_err(ctx, root, "{s:s, s:s}", + "family", &family, +@@ -3114,6 +3114,9 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, + set->gc_int *= 1000; + json_unpack(root, "{s:i}", "size", &set->desc.size); + ++ if (!json_unpack(root, "{s:o}", "stmt", &stmt_json)) ++ json_parse_set_stmt_list(ctx, &set->stmt_list, stmt_json); ++ + handle_merge(&set->handle, &h); + + if (op == CMD_ADD) +diff --git a/tests/shell/testcases/json/0002table_map_0 b/tests/shell/testcases/json/0002table_map_0 +new file mode 100755 +index 00000000..4b54527b +--- /dev/null ++++ b/tests/shell/testcases/json/0002table_map_0 +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++set -e ++ ++$NFT flush ruleset ++ ++RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "t", "handle": 4}}, {"map": {"family": "ip", "name": "m", "table": "t", "type": "ipv4_addr", "handle": 1, "map": "mark", "stmt": [{"counter": {"packets": 0, "bytes": 0}}]}}]}' ++ ++$NFT -j -f - <<< $RULESET +diff 
--git a/tests/shell/testcases/json/dumps/0002table_map_0.nft b/tests/shell/testcases/json/dumps/0002table_map_0.nft +new file mode 100644 +index 00000000..357e92cc +--- /dev/null ++++ b/tests/shell/testcases/json/dumps/0002table_map_0.nft +@@ -0,0 +1,6 @@ ++table ip t { ++ map m { ++ type ipv4_addr : mark ++ counter ++ } ++} +-- +2.23.0 \ No newline at end of file diff --git a/backport-json-fix-empty-statement-list-output-in-sets-and-maps.patch b/backport-json-fix-empty-statement-list-output-in-sets-and-maps.patch new file mode 100644 index 0000000..84b9525 --- /dev/null +++ b/backport-json-fix-empty-statement-list-output-in-sets-and-maps.patch 
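Review bot: stmt_print_json is moved verbatim, and the moved body still assigns `octx->output_fp = fmemopen(buf, 1024, "w");` without checking for NULL before handing it to stmt->ops->print and fclose; since the hunk relocates the function anyway, this is a good moment to add `if (!octx->output_fp) { octx->output_fp = fp; return NULL; }` or an equivalent fallback. This is pre-existing code rather than a new defect, so it can also be a follow-up. The new block in set_print_json duplicates the loop of set_stmt_list_json from the previous backport, but the fourth patch in this series already consolidates it, so no change is needed for that here.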
@@ -0,0 +1,114 @@ +From 9a879f675f383ef6d7fcaa7817eb048f90b35b9b Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Sun, 4 Sep 2022 19:18:26 +0200 +Subject: [PATCH] json: fix empty statement list output in sets and maps + +JSON output of sets and map should not include the statements list if is +empty. The statement output should be stateless also. + +In addition, removes duplicated code. + +Conflict: NA +Reference: https://git.netfilter.org/nftables/commit?id=9a879f675f383ef6d7fcaa7817eb048f90b35b9b + +Fixes: 07958ec53830 ("json: add set statement list support") +Fixes: e66f3187d891 ("json: add table map statement support") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Pablo Neira Ayuso +--- + src/json.c | 61 ++++++++++++++++++++++++++++-------------------------- + 1 file changed, 32 insertions(+), 29 deletions(-) + +diff --git a/src/json.c b/src/json.c +index 1f2889c6..6598863e 100644 +--- a/src/json.c ++++ b/src/json.c +@@ -105,6 +105,25 @@ static json_t *stmt_print_json(const struct stmt *stmt, struct output_ctx *octx) + return json_pack("s", buf); + } + ++static json_t *set_stmt_list_json(const struct list_head *stmt_list, ++ struct output_ctx *octx) ++{ ++ unsigned int flags = octx->flags; ++ json_t *root, *tmp; ++ struct stmt *i; ++ ++ root = json_array(); ++ octx->flags |= NFT_CTX_OUTPUT_STATELESS; ++ ++ list_for_each_entry(i, stmt_list, list) { ++ tmp = stmt_print_json(i, octx); ++ json_array_append_new(root, tmp); ++ } ++ octx->flags = flags; ++ ++ return root; ++} ++ + static json_t *set_print_json(struct output_ctx *octx, const struct set *set) + { + json_t *root, *tmp; +@@ -181,17 +200,8 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set) + } + + if (!list_empty(&set->stmt_list)) { +- json_t *array, *tmp; +- struct stmt *stmt; +- +- array = json_array(); +- +- list_for_each_entry(stmt, &set->stmt_list, list) { +- tmp = stmt_print_json(stmt, octx); +- json_array_append_new(array, tmp); +- } +- +- 
json_object_set_new(root, "stmt", array); ++ json_object_set_new(root, "stmt", ++ set_stmt_list_json(&set->stmt_list, octx)); + } + + return json_pack("{s:o}", type, root); +@@ -1453,29 +1463,22 @@ json_t *counter_stmt_json(const struct stmt *stmt, struct output_ctx *octx) + "bytes", stmt->counter.bytes); + } + +-static json_t *set_stmt_list_json(const struct list_head *stmt_list, +- struct output_ctx *octx) +-{ +- json_t *root, *tmp; +- struct stmt *i; +- +- root = json_array(); +- +- list_for_each_entry(i, stmt_list, list) { +- tmp = stmt_print_json(i, octx); +- json_array_append_new(root, tmp); +- } +- +- return root; +-} +- + json_t *set_stmt_json(const struct stmt *stmt, struct output_ctx *octx) + { +- return json_pack("{s:{s:s, s:o, s:o, s:s+}}", "set", ++ json_t *root; ++ ++ root = json_pack("{s:s, s:o, s:s+}", + "op", set_stmt_op_names[stmt->set.op], + "elem", expr_print_json(stmt->set.key, octx), +- "stmt", set_stmt_list_json(&stmt->set.stmt_list, octx), + "set", "@", stmt->set.set->set->handle.set.name); ++ ++ if (!list_empty(&stmt->set.stmt_list)) { ++ json_object_set_new(root, "stmt", ++ set_stmt_list_json(&stmt->set.stmt_list, ++ octx)); ++ } ++ ++ return json_pack("{s:o}", "set", root); + } + + json_t *objref_stmt_json(const struct stmt *stmt, struct output_ctx *octx) +-- +2.23.0 \ No newline at end of file diff --git a/backport-json-fix-json-schema-version-verification.patch b/backport-json-fix-json-schema-version-verification.patch new file mode 100644 index 0000000..da1899b --- /dev/null +++ b/backport-json-fix-json-schema-version-verification.patch 
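Review bot: The relocated set_stmt_list_json temporarily mutates the shared output context, `octx->flags |= NFT_CTX_OUTPUT_STATELESS;`, and restores it from the saved copy only at the end, which is not obvious from the function name and is easy to break by adding an early return later. A short comment above the save, such as `/* Statements inside sets and maps are dumped stateless; the caller's flags are restored before returning, so do not return early between the two assignments. */`, would document the contract. The helper is now shared by set_print_json and set_stmt_json, so the comment serves both callers.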
@@ -0,0 +1,93 @@ +From 482fc1f21a40b7f2e11ddfc73e0b82027e68d345 Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Fri, 2 Sep 2022 15:35:06 +0200 +Subject: [PATCH] json: fix json schema version verification + +nft should ignore malformed or missing entries of `json_schema_version` but +check the value when it is integer. + +Conflict: NA +Reference: https://git.netfilter.org/nftables/commit?id=482fc1f21a40b7f2e11ddfc73e0b82027e68d345 + +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1490 +Fixes: 49e0f1dc6e52 ("JSON: Add metainfo object to all output") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Pablo Neira Ayuso +--- + src/parser_json.c | 15 ++++++++------- + .../testcases/json/0003json_schema_version_0 | 9 +++++++++ + .../testcases/json/0004json_schema_version_1 | 11 +++++++++++ + .../json/dumps/0003json_schema_version_0.nft | 0 + .../json/dumps/0004json_schema_version_1.nft | 0 + 5 files changed, 28 insertions(+), 7 deletions(-) + create mode 100755 tests/shell/testcases/json/0003json_schema_version_0 + create mode 100755 tests/shell/testcases/json/0004json_schema_version_1 + create mode 100644 tests/shell/testcases/json/dumps/0003json_schema_version_0.nft + create mode 100644 tests/shell/testcases/json/dumps/0004json_schema_version_1.nft + +diff --git a/src/parser_json.c b/src/parser_json.c +index 7180474e..46dca9fd 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -3862,13 +3862,14 @@ static int json_verify_metainfo(struct json_ctx *ctx, json_t *root) + { + int schema_version; + +- if (!json_unpack(root, "{s:i}", "json_schema_version", &schema_version)) +- return 0; +- +- if (schema_version > JSON_SCHEMA_VERSION) { +- json_error(ctx, "Schema version %d not supported, maximum supported version is %d\n", +- schema_version, JSON_SCHEMA_VERSION); +- return 1; ++ if (!json_unpack(root, "{s:i}", "json_schema_version", &schema_version)) { ++ if (schema_version > JSON_SCHEMA_VERSION) { ++ json_error(ctx, ++ "Schema version 
%d not supported, maximum" ++ " supported version is %d\n", ++ schema_version, JSON_SCHEMA_VERSION); ++ return 1; ++ } + } + + return 0; +diff --git a/tests/shell/testcases/json/0003json_schema_version_0 b/tests/shell/testcases/json/0003json_schema_version_0 +new file mode 100755 +index 00000000..0ccf94c8 +--- /dev/null ++++ b/tests/shell/testcases/json/0003json_schema_version_0 +@@ -0,0 +1,9 @@ ++#!/bin/bash ++ ++set -e ++ ++$NFT flush ruleset ++ ++RULESET='{"nftables": [{"metainfo": {"json_schema_version": 1}}]}' ++ ++$NFT -j -f - <<< $RULESET +diff --git a/tests/shell/testcases/json/0004json_schema_version_1 b/tests/shell/testcases/json/0004json_schema_version_1 +new file mode 100755 +index 00000000..bc451ae7 +--- /dev/null ++++ b/tests/shell/testcases/json/0004json_schema_version_1 +@@ -0,0 +1,11 @@ ++#!/bin/bash ++ ++set -e ++ ++$NFT flush ruleset ++ ++RULESET='{"nftables": [{"metainfo": {"json_schema_version": 999}}]}' ++ ++$NFT -j -f - <<< $RULESET && exit 1 ++ ++exit 0 +diff --git a/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft b/tests/shell/testcases/json/dumps/0003json_schema_version_0.nft +new file mode 100644 +index 00000000..e69de29b +diff --git a/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft b/tests/shell/testcases/json/dumps/0004json_schema_version_1.nft +new file mode 100644 +index 00000000..e69de29b +-- +2.23.0 \ No newline at end of file diff --git a/nftables.spec b/nftables.spec index a39e403..98e9c12 100644 --- a/nftables.spec +++ b/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 1.0.0 -Release: 9 +Release: 10 Epoch: 1 Summary: A subsystem of the Linux kernel processing network data License: GPLv2 
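Review bot: The commit message says malformed json_schema_version entries are now ignored, but the two new shell tests only cover an integer 1 and an integer 999; there is no test feeding a non-integer value (for example `"json_schema_version": "1"`) and expecting the ruleset to load, so the behaviour the message promises is untested. The nested conditionals in json_verify_metainfo can also be flattened for readability: `if (!json_unpack(root, "{s:i}", "json_schema_version", &schema_version) && schema_version > JSON_SCHEMA_VERSION) {`. Note that the check only bounds the value from above, so 0 or a negative integer passes; if only version 1 is meaningful, consider whether a lower bound belongs here as well.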
@@ -36,6 +36,12 @@ Patch21: backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch Patch22: backport-netlink_linearize-use-div_round_up-in-byteorder-length.patch +Patch23: backport-json-add-secmark-object-reference-support.patch +Patch24: backport-json-add-set-statement-list-support.patch +Patch25: backport-json-add-table-map-statement-support.patch +Patch26: backport-json-fix-empty-statement-list-output-in-sets-and-maps.patch +Patch27: backport-json-fix-json-schema-version-verification.patch + BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd BuildRequires: iptables-devel jansson-devel python3-devel BuildRequires: chrpath @@ -134,6 +140,16 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{python3_sitelib}/nftables/ %changelog +* Sat Jan 06 2024 zhanghao - 1:1.0.0-10 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:json add secmark object reference support +json add set statement list support +json add table map statement support +json fix empty statement list output in sets and maps +json fix json schema version verification + * Mon Aug 14 2023 zhanghao - 1:1.0.0-9 - Type:bugfix - CVE:NA -- Gitee