From 7951155a24de89366e9dd7c68d6d879c21acaaef Mon Sep 17 00:00:00 2001
From: yanan-rock
Date: Tue, 27 Jul 2021 19:16:00 +0800
Subject: [PATCH] backport patches from upstream
---
 ...ft-j-list-set-does-not-show-counters.patch | 45 +++++++++++
 ...ted-strings-containing-only-wildcard.patch | 50 ++++++++++++
 ...bining-terse-with-json-has-no-effect.patch | 52 ++++++++++++
 ...t-json-Fix-memleak-in-set_dtype_json.patch | 33 ++++++++
 ...e-larger-than-MNL_SOCKET_BUFFER_SIZE.patch | 79 +++++++++++++++++++
 ...er_bison-memleak-symbol-redefinition.patch | 29 +++++++
 ...e-memleaks-in-interval_map_decompose.patch | 75 ++++++++++++++++++
 nftables.spec | 28 ++++++-
 8 files changed, 389 insertions(+), 2 deletions(-)
 create mode 100644 backport-Solves-Bug-1462-nft-j-list-set-does-not-show-counters.patch
 create mode 100644 backport-evaluate-Reject-quoted-strings-containing-only-wildcard.patch
 create mode 100644 backport-json-Combining-terse-with-json-has-no-effect.patch
 create mode 100644 backport-json-Fix-memleak-in-set_dtype_json.patch
 create mode 100644 backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch
 create mode 100644 backport-parser_bison-memleak-symbol-redefinition.patch
 create mode 100644 backport-segtree-memleaks-in-interval_map_decompose.patch
diff --git a/backport-Solves-Bug-1462-nft-j-list-set-does-not-show-counters.patch b/backport-Solves-Bug-1462-nft-j-list-set-does-not-show-counters.patch
new file mode 100644
index 0000000..5a181d0
--- /dev/null
+++ b/backport-Solves-Bug-1462-nft-j-list-set-does-not-show-counters.patch
@@ -0,0 +1,45 @@
+From d63064681a91fdfbd53e1ef07b6a8283f48fedb5 Mon Sep 17 00:00:00 2001
+From: Gopal Yadav
+Date: Wed, 7 Oct 2020 19:33:37 +0530
+Subject: Solves Bug 1462 - `nft -j list set` does not show counters
+
+Element counters reside in 'stmt' field as counter statement. Append
+them to 'elem' object as additional 'counter' property, generated by
+counter_stmt_json().
+
+Signed-off-by: Gopal Yadav
+Signed-off-by: Phil Sutter
+Conflict:NA
+Reference: http://git.netfilter.org/nftables/commit/?id=d63064681a91fdfbd53e1ef07b6a8283f48fedb5
+---
+ src/json.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/json.c b/src/json.c
+index 5856f9fc..121dfb24 100644
+--- a/src/json.c
++++ b/src/json.c
+@@ -589,7 +589,7 @@ json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx)
+ return NULL;
+ 
+ /* these element attributes require formal set elem syntax */
+- if (expr->timeout || expr->expiration || expr->comment) {
++ if (expr->timeout || expr->expiration || expr->comment || expr->stmt) {
+ root = json_pack("{s:o}", "val", root);
+ 
+ if (expr->timeout) {
+@@ -604,6 +604,12 @@ json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx)
+ tmp = json_string(expr->comment);
+ json_object_set_new(root, "comment", tmp);
+ }
++ if (expr->stmt) {
++ tmp = stmt_print_json(expr->stmt, octx);
++ /* XXX: detect and complain about clashes? */
++ json_object_update_missing(root, tmp);
++ json_decref(tmp);
++ }
+ return json_pack("{s:o}", "elem", root);
+ }
+ 
+--
+cgit v1.2.3
diff --git a/backport-evaluate-Reject-quoted-strings-containing-only-wildcard.patch b/backport-evaluate-Reject-quoted-strings-containing-only-wildcard.patch
new file mode 100644
index 0000000..1542470
--- /dev/null
+++ b/backport-evaluate-Reject-quoted-strings-containing-only-wildcard.patch
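Review bot: The return value of `json_object_update_missing(root, tmp)` in the new `if (expr->stmt)` branch is discarded, so when `stmt_print_json()` yields NULL or a non-object the counter is silently absent from the element rather than reported; jansson returns -1 in that case and `json_decref(NULL)` is a no-op, so nothing crashes, but the listing is quietly incomplete. A guard along the lines of `if (!tmp || json_object_update_missing(root, tmp) < 0) { json_decref(tmp); /* report as set_elem_expr_json() reports other failures */ }` would surface it; how this function reports failures is outside the hunk. The `XXX` comment also leaves the clash policy as an open question when the code already decides it (existing element keys win); stating that in the comment is more useful than the question. set_elem_expr_json() starts and ends outside the hunk.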
@@ -0,0 +1,50 @@
+From 032c9f745c6daab8c27176a95963b1c32b0a5d12 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 24 Sep 2020 17:38:45 +0200
+Subject: evaluate: Reject quoted strings containing only wildcard
+
+Fix for an assertion fail when trying to match against an all-wildcard
+interface name:
+
+| % nft add rule t c iifname '"*"'
+| nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed.
+| zsh: abort nft add rule t c iifname '"*"'
+
+Fix this by detecting the string in expr_evaluate_string() and returning
+an error message:
+
+| % nft add rule t c iifname '"*"'
+| Error: All-wildcard strings are not supported
+| add rule t c iifname "*"
+| ^^^
+
+While being at it, drop the 'datalen >= 1' clause from the following
+conditional as together with the added check for 'datalen == 0', all
+possible other values have been caught already.
+Conflict: NA
+Reference: http://git.netfilter.org/nftables/commit/?id=032c9f745c6daab8c27176a95963b1c32b0a5d12
+
+---
+ src/evaluate.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index c8045e5d..5f17d750 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -324,8 +324,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
+ return 0;
+ }
+ 
+- if (datalen >= 1 &&
+- data[datalen - 1] == '\\') {
++ if (datalen == 0)
++ return expr_error(ctx->msgs, expr,
++ "All-wildcard strings are not supported");
++
++ if (data[datalen - 1] == '\\') {
+ char unescaped_str[data_len];
+ 
+ memset(unescaped_str, 0, sizeof(unescaped_str));
+--
+cgit v1.2.3
diff --git a/backport-json-Combining-terse-with-json-has-no-effect.patch b/backport-json-Combining-terse-with-json-has-no-effect.patch
new file mode 100644
index 0000000..3f424a9
--- /dev/null
+++ b/backport-json-Combining-terse-with-json-has-no-effect.patch
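Review bot: The new `if (datalen == 0)` check reads as a generic empty-string guard, while its purpose (per the commit message) is the quoted `"*"` case that leaves no literal bytes and used to trip the assertion in constant_expr_alloc(); without a comment the next reader may turn it into an "empty string" error and lose that link. Suggest `/* a bare "*" leaves nothing literal to match on; reject it here rather than hit the len > 0 assertion in constant_expr_alloc() */` above the check. Note also that `datalen` in the new condition and `data_len` in the VLA declaration right below it are distinct identifiers, which the comment could disambiguate. expr_evaluate_string() starts and ends outside the hunk.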
@@ -0,0 +1,52 @@
+From f02aa3764a48c2afd17761a211f70da941c71d00 Mon Sep 17 00:00:00 2001
+From: Gopal Yadav
+Date: Tue, 22 Sep 2020 13:55:33 +0530
+Subject: json: Combining --terse with --json has no effect
+
+--terse with --json is ignored, fix this. This patch also includes a test.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1388
+Signed-off-by: Gopal Yadav
+Signed-off-by: Pablo Neira Ayuso
+Conflict: NA
+Reference: http://git.netfilter.org/nftables/commit/?id=f02aa3764a48c2afd17761a211f70da941c71d00
+
+---
+ src/json.c | 2 +-
+ tests/shell/testcases/listing/0021ruleset_json_terse_0 | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+ create mode 100755 tests/shell/testcases/listing/0021ruleset_json_terse_0
+
+diff --git a/src/json.c b/src/json.c
+index a9f5000f..5856f9fc 100644
+--- a/src/json.c
++++ b/src/json.c
+@@ -140,7 +140,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set)
+ json_object_set_new(root, "gc-interval", tmp);
+ }
+ 
+- if (set->init && set->init->size > 0) {
++ if (!nft_output_terse(octx) && set->init && set->init->size > 0) {
+ json_t *array = json_array();
+ const struct expr *i;
+ 
+diff --git a/tests/shell/testcases/listing/0021ruleset_json_terse_0 b/tests/shell/testcases/listing/0021ruleset_json_terse_0
+new file mode 100755
+index 00000000..c739ac3f
+--- /dev/null
++++ b/tests/shell/testcases/listing/0021ruleset_json_terse_0
+@@ -0,0 +1,12 @@
++#!/bin/bash
++
++$NFT flush ruleset
++$NFT add table ip test
++$NFT add chain ip test c
++$NFT add set ip test s { type ipv4_addr\; }
++$NFT add element ip test s { 192.168.3.4, 192.168.3.5 }
++
++if $NFT -j -t list ruleset | grep '192'
++then
++ exit 1
++fi
+--
+cgit v1.2.3
diff --git a/backport-json-Fix-memleak-in-set_dtype_json.patch b/backport-json-Fix-memleak-in-set_dtype_json.patch
new file mode 100644
index 0000000..b1c8daa
--- /dev/null
+++ b/backport-json-Fix-memleak-in-set_dtype_json.patch
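Review bot: The new test `0021ruleset_json_terse_0` only fails when `grep '192'` matches, so if `$NFT -j -t list ruleset` itself fails (no JSON support in the build, a crash, an error before any output) grep sees nothing and the test passes vacuously — the pipeline's status is grep's, not nft's. Capture the listing first and fail on a non-zero nft status: `out=$($NFT -j -t list ruleset) || exit 1` followed by `grep -q '192' <<< "$out" && exit 1`. The C side of the hunk (`!nft_output_terse(octx) && ...`) needs no change.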
@@ -0,0 +1,33 @@
+From 88af46df5544d9a0b080f23fb2902c86659f0c86 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 8 Oct 2020 19:10:13 +0200
+Subject: json: Fix memleak in set_dtype_json()
+
+Turns out json_string() already dups the input, so the temporary dup
+passed to it is lost.
+
+Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support")
+Signed-off-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Conflict: NA
+Reference: http://git.netfilter.org/nftables/commit/?id=88af46df5544d9a0b080f23fb2902c86659f0c86
+
+---
+ src/json.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/json.c b/src/json.c
+index 121dfb24..a8824d3f 100644
+--- a/src/json.c
++++ b/src/json.c
+@@ -62,7 +62,7 @@ static json_t *set_dtype_json(const struct expr *key)
+ 
+ tok = strtok(namedup, " .");
+ while (tok) {
+- json_t *jtok = json_string(xstrdup(tok));
++ json_t *jtok = json_string(tok);
+ if (!root)
+ root = jtok;
+ else if (json_is_string(root))
+--
+cgit v1.2.3
diff --git a/backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch b/backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch
new file mode 100644
index 0000000..148e68e
--- /dev/null
+++ b/backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch
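Review bot: The fixed line sits inside a `tok = strtok(namedup, " .")` loop two lines above it; strtok keeps its cursor in process-global state, and since this is library code (libnftables) rather than the CLI, callers that ever tokenise from more than one thread would see interleaved results. The leak fix itself is right — json_string() copies its argument, so the xstrdup() was pure loss — but while this loop is being touched the reentrant form is a small change: `char *save; tok = strtok_r(namedup, " .", &save);`, with the matching `strtok_r(NULL, " .", &save)` at the loop's advance, which lies outside the hunk. set_dtype_json() starts and ends outside the hunk.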
@@ -0,0 +1,79 @@
+From 6975c6d39366e0a086a43fa984392e2231c1b193 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 2 Dec 2020 23:20:40 +0100
+Subject: mnl: reply netlink error message might be larger than
+ MNL_SOCKET_BUFFER_SIZE
+
+Netlink attribute maximum size is 65536 bytes (given nla_len is
+16-bits). NFTA_SET_ELEM_LIST_ELEMENTS stores as many set elements as
+possible that can fit into this netlink attribute.
+
+Netlink messages with NLMSG_ERROR type originating from the kernel
+contain the original netlink message as payload, they might be larger
+than 65536 bytes.
+
+Add NFT_MNL_ACK_MAXSIZE which estimates the maximum Netlink header
+coming as (error) reply from the kernel. This estimate is based on the
+maximum netlink message size that nft sends from userspace.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1464
+Signed-off-by: Pablo Neira Ayuso
+
+Conflict: NA
+Reference: http://git.netfilter.org/nftables/commit/?id=6975c6d39366e0a086a43fa984392e2231c1b193
+---
+ src/mnl.c | 5 ++++-
+ tests/shell/testcases/sets/0057set_create_fails_0 | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100755 tests/shell/testcases/sets/0057set_create_fails_0
+
+diff --git a/src/mnl.c b/src/mnl.c
+index ffa1e140..cd12309b 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -359,6 +359,9 @@ static int mnl_batch_extack_cb(const struct nlmsghdr *nlh, void *data)
+ }
+ 
+ #define NFT_MNL_ECHO_RCVBUFF_DEFAULT (MNL_SOCKET_BUFFER_SIZE * 1024)
++#define NFT_MNL_ACK_MAXSIZE ((sizeof(struct nlmsghdr) + \
++ sizeof(struct nfgenmsg) + (1 << 16)) + \
++ MNL_SOCKET_BUFFER_SIZE)
+ 
+ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
+ uint32_t num_cmds)
+@@ -366,7 +369,7 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
+ struct mnl_socket *nl = ctx->nft->nf_sock;
+ int ret, fd = mnl_socket_get_fd(nl), portid = mnl_socket_get_portid(nl);
+ uint32_t iov_len = nftnl_batch_iovec_len(ctx->batch);
+- char rcv_buf[MNL_SOCKET_BUFFER_SIZE]; ++ char rcv_buf[NFT_MNL_ACK_MAXSIZE]; + const struct sockaddr_nl snl = { + .nl_family = AF_NETLINK + }; +diff --git a/tests/shell/testcases/sets/0057set_create_fails_0 b/tests/shell/testcases/sets/0057set_create_fails_0 +new file mode 100755 +index 00000000..5f0149a3 +--- /dev/null ++++ b/tests/shell/testcases/sets/0057set_create_fails_0 +@@ -0,0 +1,18 @@ ++#!/bin/bash ++ ++RULESET="table inet filter { ++ set test { ++ type ipv4_addr ++ size 65535 ++ elements = { 1.1.1.1 } ++ } ++}" ++ ++$NFT -f - <<< $RULESET ++ ++CMD="create element inet filter test { 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10, 1.1.1.11, 1.1.1.12, 1.1.1.13, 1.1.1.14, 1.1.1.15, 1.1.1.16, 1.1.1.17, 1.1.1.18, 1.1.1.19, 1.1.1.20, 1.1.1.21, 1.1.1.22, 1.1.1.23, 1.1.1.24, 1.1.1.25, 1.1.1.26, 1.1.1.27, 1.1.1.28, 1.1.1.29, 1.1.1.30, 1.1.1.31, 1.1.1.32, 1.1.1.33, 1.1.1.34, 1.1.1.35, 1.1.1.36, 1.1.1.37, 1.1.1.38, 1.1.1.39, 1.1.1.40, 1.1.1.41, 1.1.1.42, 1.1.1.43, 1.1.1.44, 1.1.1.45, 1.1.1.46, 1.1.1.47, 1.1.1.48, 1.1.1.49, 1.1.1.50, 1.1.1.51, 1.1.1.52, 1.1.1.53, 1.1.1.54, 1.1.1.55, 1.1.1.56, 1.1.1.57, 1.1.1.58, 1.1.1.59, 1.1.1.60, 1.1.1.61, 1.1.1.62, 1.1.1.63, 1.1.1.64, 1.1.1.65, 1.1.1.66, 1.1.1.67, 1.1.1.68, 1.1.1.69, 1.1.1.70, 1.1.1.71, 1.1.1.72, 1.1.1.73, 1.1.1.74, 1.1.1.75, 1.1.1.76, 1.1.1.77, 1.1.1.78, 1.1.1.79, 1.1.1.80, 1.1.1.81, 1.1.1.82, 1.1.1.83, 1.1.1.84, 1.1.1.85, 1.1.1.86, 1.1.1.87, 1.1.1.88, 1.1.1.89, 1.1.1.90, 1.1.1.91, 1.1.1.92, 1.1.1.93, 1.1.1.94, 1.1.1.95, 1.1.1.96, 1.1.1.97, 1.1.1.98, 1.1.1.99, 1.1.1.100, 1.1.1.101, 1.1.1.102, 1.1.1.103, 1.1.1.104, 1.1.1.105, 1.1.1.106, 1.1.1.107, 1.1.1.108, 1.1.1.109, 1.1.1.110, 1.1.1.111, 1.1.1.112, 1.1.1.113, 1.1.1.114, 1.1.1.115, 1.1.1.116, 1.1.1.117, 1.1.1.118, 1.1.1.119, 1.1.1.120, 1.1.1.121, 1.1.1.122, 1.1.1.123, 1.1.1.124, 1.1.1.125, 1.1.1.126, 1.1.1.127, 1.1.1.128, 1.1.1.129, 1.1.1.130, 1.1.1.131, 1.1.1.132, 1.1.1.133, 1.1.1.134, 1.1.1.135, 1.1.1.136, 1.1.1.137, 
1.1.1.138, 1.1.1.139, 1.1.1.140, 1.1.1.141, 1.1.1.142, 1.1.1.143, 1.1.1.144, 1.1.1.145, 1.1.1.146, 1.1.1.147, 1.1.1.148, 1.1.1.149, 1.1.1.150, 1.1.1.151, 1.1.1.152, 1.1.1.153, 1.1.1.154, 1.1.1.155, 1.1.1.156, 1.1.1.157, 1.1.1.158, 1.1.1.159, 1.1.1.160, 1.1.1.161, 1.1.1.162, 1.1.1.163, 1.1.1.164, 1.1.1.165, 1.1.1.166, 1.1.1.167, 1.1.1.168, 1.1.1.169, 1.1.1.170, 1.1.1.171, 1.1.1.172, 1.1.1.173, 1.1.1.174, 1.1.1.175, 1.1.1.176, 1.1.1.177, 1.1.1.178, 1.1.1.179, 1.1.1.180, 1.1.1.181, 1.1.1.182, 1.1.1.183, 1.1.1.184, 1.1.1.185, 1.1.1.186, 1.1.1.187, 1.1.1.188, 1.1.1.189, 1.1.1.190, 1.1.1.191, 1.1.1.192, 1.1.1.193, 1.1.1.194, 1.1.1.195, 1.1.1.196, 1.1.1.197, 1.1.1.198, 1.1.1.199, 1.1.1.200, 1.1.1.201, 1.1.1.202, 1.1.1.203, 1.1.1.204, 1.1.1.205, 1.1.1.206, 1.1.1.207, 1.1.1.208, 1.1.1.209, 1.1.1.210, 1.1.1.211, 1.1.1.212, 1.1.1.213, 1.1.1.214, 1.1.1.215, 1.1.1.216, 1.1.1.217, 1.1.1.218, 1.1.1.219, 1.1.1.220, 1.1.1.221, 1.1.1.222, 1.1.1.223, 1.1.1.224, 1.1.1.225, 1.1.1.226, 1.1.1.227, 1.1.1.228, 1.1.1.229, 1.1.1.230, 1.1.1.231, 1.1.1.232, 1.1.1.233, 1.1.1.234, 1.1.1.235, 1.1.1.236, 1.1.1.237, 1.1.1.238, 1.1.1.239, 1.1.1.240, 1.1.1.241, 1.1.1.242, 1.1.1.243, 1.1.1.244, 1.1.1.245, 1.1.1.246, 1.1.1.247, 1.1.1.248, 1.1.1.249, 1.1.1.250, 1.1.1.251, 1.1.1.252, 1.1.1.253 }" ++ ++# If this returns ENOSPC, then nft is sending a netlink message that is larger ++# than NFT_MNL_ACK_MAXSIZE. Make sure this returns EEXIST. ++$NFT -f - <<< $CMD 2>&1 >/dev/null | grep "File exists" ++[ "$?" -eq 0 ] && exit 0 +-- +cgit v1.2.3 + diff --git a/backport-parser_bison-memleak-symbol-redefinition.patch b/backport-parser_bison-memleak-symbol-redefinition.patch new file mode 100644 index 0000000..fddb967 --- /dev/null +++ b/backport-parser_bison-memleak-symbol-redefinition.patch 
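Review bot: `char rcv_buf[NFT_MNL_ACK_MAXSIZE]` in mnl_batch_talk() now places roughly 64 KiB plus one MNL_SOCKET_BUFFER_SIZE plus two headers on the stack, and because libmnl defines MNL_SOCKET_BUFFER_SIZE from the runtime page size this remains a variable-length array — the old declaration was a VLA too, but about nine times smaller. libnftables can be driven from threads whose stacks are not under its control, so taking the buffer from the heap (xmalloc()/free() around the receive loop) or sizing it with a genuine constant would be more robust than growing the VLA. The macro also deserves a comment tying `(1 << 16)` to the 16-bit `nla_len` limit the commit message describes, e.g. `/* largest NLMSG_ERROR reply: headers + one full 16-bit netlink attribute + one socket buffer */`. mnl_batch_talk() continues outside the hunk, so the receive call that fills rcv_buf is not visible here.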
@@ -0,0 +1,29 @@
+From a2fb19736bf6879146dba5cd40a3265cb1c9671b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 28 Jul 2020 19:36:57 +0200
+Subject: parser_bison: memleak symbol redefinition
+
+Missing expr_free() from the error path.
+
+Signed-off-by: Pablo Neira Ayuso
+Conflict: NA
+Reference: http://git.netfilter.org/nftables/commit/?id=a2fb19736bf6879146dba5cd40a3265cb1c9671b
+
+---
+ src/parser_bison.y | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index f0cca641..167c3158 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -862,6 +862,7 @@ common_block : INCLUDE QUOTED_STRING stmt_separator
+ if (symbol_lookup(scope, $2) != NULL) {
+ erec_queue(error(&@2, "redefinition of symbol '%s'", $2),
+ state->msgs);
++ expr_free($4);
+ xfree($2);
+ YYERROR;
+ }
+--
+cgit v1.2.3
diff --git a/backport-segtree-memleaks-in-interval_map_decompose.patch b/backport-segtree-memleaks-in-interval_map_decompose.patch
new file mode 100644
index 0000000..df9f80b
--- /dev/null
+++ b/backport-segtree-memleaks-in-interval_map_decompose.patch
@@ -0,0 +1,75 @@
+From 455709effa095c6e986385974a0cf702dad8491c Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Tue, 4 Aug 2020 22:12:12 +0200
+Subject: segtree: memleaks in interval_map_decompose()
+
+mpz_init_bitmask() overrides the existing memory area:
+
+==19179== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
+==19179== at 0x483577F: malloc (vg_replace_malloc.c:299)
+==19179== by 0x489C718: xmalloc (utils.c:36)
+==19179== by 0x4B825C5: __gmpz_init2 (in /usr/lib/x86_64-linux-g nu/libgmp.so.10.3.2) f
+==19179== by 0x4880239: constant_expr_alloc (expression.c:400)
+==19179== by 0x489B8A1: interval_map_decompose (segtree.c:1098)
+==19179== by 0x489017D: netlink_list_setelems (netlink.c:1220)
+==19179== by 0x48779AC: cache_init_objects (rule.c:170) 5
+==19179== by 0x48779AC: cache_init (rule.c:228)
+==19179== by 0x48779AC: cache_update (rule.c:279)
+==19179== by 0x48A21AE: nft_evaluate (libnftables.c:406)
+
+left-hand side of the interval is leaked when building the range:
+
+==25835== 368 (128 direct, 240 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
+==25835== at 0x483577F: malloc (vg_replace_malloc.c:299)
+==25835== by 0x489B628: xmalloc (utils.c:36)
+==25835== by 0x489B6F8: xzalloc (utils.c:65)
+==25835== by 0x487E176: expr_alloc (expression.c:45)
+==25835== by 0x487F960: mapping_expr_alloc (expression.c:1149)
+==25835== by 0x488EC84: netlink_delinearize_setelem (netlink.c:1166)
+==25835== by 0x4DC6928: nftnl_set_elem_foreach (set_elem.c:725)
+==25835== by 0x488F0D5: netlink_list_setelems (netlink.c:1215)
+==25835== by 0x487695C: cache_init_objects (rule.c:170)
+==25835== by 0x487695C: cache_init (rule.c:228)
+==25835== by 0x487695C: cache_update (rule.c:279)
+==25835== by 0x48A10BE: nft_evaluate (libnftables.c:406)
+==25835== by 0x48A19B6: nft_run_cmd_from_buffer (libnftables.c:451)
+==25835== by 0x10A8E1: main (main.c:487)
+
+Signed-off-by: Pablo Neira Ayuso
+Conflict: NA
+Reference: http://git.netfilter.org/nftables/commit/?id=455709effa095c6e986385974a0cf702dad8491c
+
+---
+ src/segtree.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index a9b4b1bd..3a641bc5 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -925,16 +925,20 @@ void interval_map_decompose(struct expr *set)
+ 
+ i = constant_expr_alloc(&low->location, low->dtype,
+ low->byteorder, expr_value(low)->len, NULL);
+- mpz_init_bitmask(i->value, i->len);
++ mpz_bitmask(i->value, i->len);
+ 
+ if (!mpz_cmp(i->value, expr_value(low)->value)) {
+ expr_free(i);
+ i = low;
+ } else {
+- i = range_expr_alloc(&low->location, expr_value(low), i);
++ i = range_expr_alloc(&low->location,
++ expr_clone(expr_value(low)), i);
+ i = set_elem_expr_alloc(&low->location, i);
+ if (low->etype == EXPR_MAPPING)
+- i = mapping_expr_alloc(&i->location, i, low->right);
++ i = mapping_expr_alloc(&i->location, i,
++ expr_clone(low->right));
++
++ expr_free(low);
+ }
+ 
+ compound_expr_add(set, i);
+--
+cgit v1.2.3
diff --git a/nftables.spec b/nftables.spec
index b82a557..dea5bfc 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 0.9.6
-Release: 2
+Release: 3
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
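Review bot: The two branches of the `mpz_cmp` test now treat `low` asymmetrically — the `if` branch adopts it as the element (`i = low`), the `else` branch clones `expr_value(low)` and `low->right` into the new range/mapping and then frees `low` — and nothing at the new `expr_free(low)` says why clones are taken instead of moving the sub-expressions, which is exactly what the next leak hunt is likely to "simplify" away. A short comment there would pin it: `/* the range/mapping hold their own copies; low, and the value/right it still references, are released here */`. Whether `expr_value(low)` points into `low` for the mapping case is not visible in the hunk; if it does, cloning before `expr_free(low)` is what keeps this from becoming a use-after-free, and the comment should say so. interval_map_decompose() starts and ends outside the hunk.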
@@ -9,6 +9,14 @@ Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz
 Source1: nftables.service
 Source2: nftables.conf
 
+Patch6000: backport-parser_bison-memleak-symbol-redefinition.patch
+Patch6001: backport-segtree-memleaks-in-interval_map_decompose.patch
+Patch6002: backport-json-Combining-terse-with-json-has-no-effect.patch
+Patch6003: backport-evaluate-Reject-quoted-strings-containing-only-wildcard.patch
+Patch6004: backport-Solves-Bug-1462-nft-j-list-set-does-not-show-counters.patch
+Patch6005: backport-json-Fix-memleak-in-set_dtype_json.patch
+Patch6006: backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch
+
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires: iptables-devel jansson-devel python3-devel
 Requires: %{name}-help
@@ -35,13 +43,16 @@ Requires: %{name} = %{epoch}:%{version}-%{release}
 The nftables python module providing an interface to libnftables via ctypes.
 
 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1
 
 %build
 %configure --disable-silent-rules --with-xtables --with-json \
 --enable-python --with-python-bin=%{__python3}
 %make_build
 
+%check
+make check
+
 %install
 %make_install
 %delete_la
@@ -95,6 +106,19 @@ install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
 %{python3_sitelib}/nftables/
 
 %changelog
+* Tue Jul 27 2021 yanan - 0.9.6-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:enable check while building
+ parser_bison memleak symbol redefinition
+ segtree memleaks in interval_map_decompose
+ json Combining terse with json has no effect
+ evaluate Reject quoted strings containing only wildcard
+ Solves Bug 1462 nft j list set does not show counters
+ json Fix memleak in set_dtype_json
+ mnl reply netlink error message might be larger than MNL_SOCKET_BUFFER_SIZE
+
 * Mon Nov 09 2020 xihaochen - 0.9.6-2
 - Type:requirement
 - CVE:NA
--
Gitee
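Review bot: The new `%check` section calls bare `make check` while the rest of the spec goes through the rpm macros (`%make_build`, `%make_install`); `%make_build check` keeps the spec's own convention and carries the same parallel and verbosity flags. Nothing in the hunk shows whether the two shell testcases added by Patch6002 and Patch6006 under tests/shell/ are part of `make check`; if they are not, the changelog's `DESC:enable check while building` covers less than it suggests, which is worth confirming from the build log before relying on it.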