From 7f62a054c888af06c96f0b1788d22ee32e12aab5 Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Tue, 10 Dec 2024 01:36:07 +0000
Subject: [PATCH] fix coredumps
---
...e-nft_cache_evaluate-to-return-error.patch | 75 ++++++++
...-cache-validate-handle-string-length.patch | 5 +-
...x-vs-list-objects-in-table-confusion.patch | 88 ++++++++++
...x-vs-list-objects-in-table-confusion.patch | 106 +++++++++++
backport-parser-split-tcp-option-rules.patch | 164 ++++++++++++++++++
...s-shell-connect-chains-to-hook-point.patch | 97 +++++++++++
nftables.spec | 18 +-
7 files changed, 548 insertions(+), 5 deletions(-)
create mode 100644 backport-cache-prepare-nft_cache_evaluate-to-return-error.patch
create mode 100644 backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
create mode 100644 backport-ct-timeout-fix-list-object-x-vs-list-objects-in-table-confusion.patch
create mode 100644 backport-parser-split-tcp-option-rules.patch
create mode 100644 backport-tests-shell-connect-chains-to-hook-point.patch
diff --git a/backport-cache-prepare-nft_cache_evaluate-to-return-error.patch b/backport-cache-prepare-nft_cache_evaluate-to-return-error.patch
new file mode 100644
index 0000000..e904c09
--- /dev/null
+++ b/backport-cache-prepare-nft_cache_evaluate-to-return-error.patch
@@ -0,0 +1,75 @@
+From 64c74ba5795bbdd8c8080380bc1e66dec55cde65 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 18 Jul 2022 15:56:00 +0200
+Subject: cache: prepare nft_cache_evaluate() to return error
+
+Move flags as parameter reference and add list of error messages to prepare
+for sanity checks.
+
+Signed-off-by: Pablo Neira Ayuso
+
+Conflict:remove change about filter,we don't have
+Reference:https://git.netfilter.org/nftables/commit/?id=64c74ba5795bbdd8c8080380bc1e66dec55cde65
+
+---
+ include/cache.h | 5 +++--
+ src/cache.c | 8 +++++---
+ src/libnftables.c | 5 ++++-
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/include/cache.h b/include/cache.h
+index b6c7d48b..575381ef 100644
+--- a/include/cache.h
++++ b/include/cache.h
+@@ -65,7 +65,8 @@ struct nft_cache_filter {
+ struct nft_cache;
+ enum cmd_ops;
+
+-unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds);
++int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
++ struct list_head *msgs, unsigned int *flags);
+ int nft_cache_update(struct nft_ctx *ctx, enum cmd_ops cmd,
+ struct list_head *msgs);
+ bool nft_cache_needs_update(struct nft_cache *cache);
+diff --git a/src/cache.c b/src/cache.c
+index b6ae2310..9e2fe950 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -262,7 +262,8 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
+ return flags;
+ }
+
+-unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)
++int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
++ struct list_head *msgs, unsigned int *pflags)
+ {
+ unsigned int flags = NFT_CACHE_EMPTY;
+ struct cmd *cmd;
+@@ -318,8 +319,9 @@ unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
+ break;
+ }
+ }
++ *pflags = flags;
+
+- return flags;
++ return 0;
+ }
+
+ void table_cache_add(struct table *table, struct nft_cache *cache)
+diff --git a/src/libnftables.c b/src/libnftables.c
+index f2a1ef04..a376825d 100644
+--- a/src/libnftables.c
++++ b/src/libnftables.c
+@@ -506,7 +506,9 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
+ unsigned int flags;
+ struct cmd *cmd;
+
+- flags = nft_cache_evaluate(nft, cmds);
++ if (nft_cache_evaluate(nft, cmds, msgs, &flags) < 0) {
++ return -1;
++ }
+ if (nft_cache_update(nft, flags, msgs) < 0)
+ return -1;
+
+--
+cgit v1.2.3
diff --git a/backport-cache-validate-handle-string-length.patch b/backport-cache-validate-handle-string-length.patch
index 90b05fe..68f8095 100644
--- a/backport-cache-validate-handle-string-length.patch
+++ b/backport-cache-validate-handle-string-length.patch
@@ -139,11 +139,8 @@ index c1f0972..828e4cc 100644
static unsigned int evaluate_cache_del(struct cmd *cmd, unsigned int flags)
{
switch (cmd->obj) {
-@@ -121,8 +225,12 @@ unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)
- {
- unsigned int flags = NFT_CACHE_EMPTY;
+@@ -121,6 +225,9 @@ unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)
struct cmd *cmd;
-+ struct list_head *msgs;
list_for_each_entry(cmd, cmds, list) {
+ if (nft_handle_validate(cmd, msgs) < 0)
diff --git a/backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch b/backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
new file mode 100644
index 0000000..dfe0273
--- /dev/null
+++ b/backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
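Review bot: In the `src/libnftables.c` part of this backported patch, `unsigned int flags;` in nft_evaluate() is now assigned only through `nft_cache_evaluate(nft, cmds, msgs, &flags)`, and the callee stores `*pflags = flags;` solely on its success path right before `return 0;`, so any early error return from inside its command loop leaves the caller's `flags` indeterminate. The caller's `return -1;` makes that harmless today, but initialising it, `unsigned int flags = NFT_CACHE_EMPTY;`, would keep it harmless if a later backport adds a path that continues after a failed evaluate. The prototype in include/cache.h names the out-parameter `unsigned int *flags` while the definition in src/cache.c names it `unsigned int *pflags`; aligning the two (`pflags` in both) avoids a reader mistaking one for the local `flags`. The loop body of nft_cache_evaluate() between its two hunks lies outside what this patch shows.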
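Review bot: Dropping `-+ struct list_head *msgs;` from backport-cache-validate-handle-string-length.patch removes an uninitialized local pointer that the following `if (nft_handle_validate(cmd, msgs) < 0)` passed straight into the error-reporting path, which is plausibly the crash behind the commit title. After this edit `msgs` resolves to the parameter that backport-cache-prepare-nft_cache_evaluate-to-return-error.patch adds to nft_cache_evaluate(), so the tree only compiles once both patches are applied, and nothing records that coupling; a header line in this patch such as `Conflict: msgs is the nft_cache_evaluate() parameter added by backport-cache-prepare-nft_cache_evaluate-to-return-error.patch` would spare the next rebaser a build failure. If the validate failure branch (not visible here) does `return -1;`, that value is only meaningful once nft_cache_evaluate() returns int, which again depends on the other patch. The hunk-header text `unsigned int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds)` still shows the old signature; patch(1) ignores it, so that part is cosmetic.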
@@ -0,0 +1,88 @@
+From a8ff324dc64fd76f7d218d3d94c5885250951258 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 28 Jul 2023 21:04:13 +0200
+Subject: ct expectation: fix 'list object x' vs. 'list objects in table'
+ confusion
+
+Just like "ct timeout", "ct expectation" is in need of the same fix,
+we get segfault on "nft list ct expectation table t", if table t exists.
+
+This is the exact same pattern as resolved for "ct timeout" in commit
+1d2e22fc0521 ("ct timeout: fix 'list object x' vs. 'list objects in table' confusion").
+
+Signed-off-by: Florian Westphal
+
+Conflict:change context in parser_bison.y
+Reference:https://git.netfilter.org/nftables/commit/?id=a8ff324dc64fd76f7d218d3d94c5885250951258
+
+---
+ include/rule.h | 1 +
+ src/cache.c | 1 +
+ src/evaluate.c | 1 +
+ src/parser_bison.y | 2 +-
+ src/rule.c | 1 +
+ 5 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/rule.h b/include/rule.h
+index 5cb549c2..13ab1bf3 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -649,6 +649,7 @@ enum cmd_obj {
+ CMD_OBJ_SECMARK,
+ CMD_OBJ_SECMARKS,
+ CMD_OBJ_CT_EXPECT,
++ CMD_OBJ_CT_EXPECTATIONS,
+ CMD_OBJ_SYNPROXY,
+ CMD_OBJ_SYNPROXYS,
+ CMD_OBJ_HOOKS,
+diff --git a/src/cache.c b/src/cache.c
+index 5cab2622..b6a7e194 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -377,6 +377,7 @@ static int nft_handle_validate(const struct cmd *cmd, struct list_head *msgs)
+ case CMD_OBJ_CT_TIMEOUT:
+ case CMD_OBJ_CT_TIMEOUTS:
+ case CMD_OBJ_CT_EXPECT:
++ case CMD_OBJ_CT_EXPECTATIONS:
+ if (h->table.name &&
+ strlen(h->table.name) > NFT_NAME_MAXLEN) {
+ loc = &h->table.location;
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 33e4ac93..8fc1ca7e 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -5425,6 +5425,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
+ case CMD_OBJ_SECMARKS:
+ case CMD_OBJ_SYNPROXYS:
+ case CMD_OBJ_CT_TIMEOUTS:
++ case CMD_OBJ_CT_EXPECTATIONS:
+ if (cmd->handle.table.name == NULL)
+ return 0;
+ if (!table_cache_find(&ctx->nft->cache.table_cache,
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 553ddf97..ef5011c1 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -4770,7 +4770,7 @@ ct_obj_type : HELPER { $$ = NFT_OBJECT_CT_HELPER; }
+
+ ct_cmd_type : HELPERS { $$ = CMD_OBJ_CT_HELPERS; }
+ | TIMEOUT { $$ = CMD_OBJ_CT_TIMEOUTS; }
+- | EXPECTATION { $$ = CMD_OBJ_CT_EXPECT; }
++ | EXPECTATION { $$ = CMD_OBJ_CT_EXPECTATIONS; }
+ ;
+
+ ct_l4protoname : TCP { $$ = IPPROTO_TCP; }
+diff --git a/src/rule.c b/src/rule.c
+index f4d00a8d..4e60c1e6 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -2360,6 +2360,7 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
+ case CMD_OBJ_CT_TIMEOUTS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_CT_TIMEOUT);
+ case CMD_OBJ_CT_EXPECT:
++ case CMD_OBJ_CT_EXPECTATIONS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_CT_EXPECT);
+ case CMD_OBJ_LIMIT:
+ case CMD_OBJ_LIMITS:
+--
+cgit v1.2.3
diff --git a/backport-ct-timeout-fix-list-object-x-vs-list-objects-in-table-confusion.patch b/backport-ct-timeout-fix-list-object-x-vs-list-objects-in-table-confusion.patch
new file mode 100644
index 0000000..e1f51b7
--- /dev/null
+++ b/backport-ct-timeout-fix-list-object-x-vs-list-objects-in-table-confusion.patch
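Review bot: `CMD_OBJ_CT_EXPECTATIONS` is inserted into the middle of `enum cmd_obj` in include/rule.h, ahead of `CMD_OBJ_SYNPROXY`, which renumbers every later enumerator; that is only safe if nothing persists or exports these values, which appears to hold for this internal header, but appending at the end would have been the zero-risk choice. In `do_command_list()` the new case shares `return do_list_obj(ctx, cmd, NFT_OBJECT_CT_EXPECT);` with `CMD_OBJ_CT_EXPECT`, so the distinction that prevents the NULL `handle.obj.name` dereference lives entirely in the `cmd_evaluate_list()` routing and the grammar; a comment at that rule.c case, `/* CT_EXPECT: one named object; CT_EXPECTATIONS: all objects in a table, handle.obj.name is NULL */`, would make the contract visible to the next person touching the switch. The same two points apply to the `CMD_OBJ_CT_TIMEOUTS` hunks in backport-ct-timeout-fix-list-object-x-vs-list-objects-in-table-confusion.patch below. Neither backport carries a tests/shell case for the `nft list ct expectation table t` reproducer the commit message describes, so the fix is unguarded against regression in this package.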
@@ -0,0 +1,106 @@
+From 1d2e22fc0521bcf73ee1f891c291dc1bde47a6bb Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Mon, 19 Jun 2023 22:43:06 +0200
+Subject: ct timeout: fix 'list object x' vs. 'list objects in table' confusion
+
+
+$ nft list ct timeout table t
+Error: No such file or directory
+list ct timeout table t
+ ^
+This is expected to list all 'ct timeout' objects.
+The failure is correct, the table 't' does not exist.
+
+But now lets add one:
+$ nft add table t
+$ nft list ct timeout table t
+Segmentation fault (core dumped)
+
+... and thats not expected, nothing should be shown
+and nft should exit normally.
+
+Because of missing TIMEOUTS command enum, the backend thinks
+it should do an object lookup, but as frontend asked for
+'list of objects' rather than 'show this object',
+handle.obj.name is NULL, which then results in this crash.
+
+Update the command enums so that backend knows what the
+frontend asked for.
+
+Signed-off-by: Florian Westphal
+
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=1d2e22fc0521bcf73ee1f891c291dc1bde47a6bb
+
+---
+ include/rule.h | 1 +
+ src/cache.c | 1 +
+ src/evaluate.c | 1 +
+ src/parser_bison.y | 2 +-
+ src/rule.c | 1 +
+ 5 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/rule.h b/include/rule.h
+index fa391529..b360e261 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -645,6 +645,7 @@ enum cmd_obj {
+ CMD_OBJ_FLOWTABLE,
+ CMD_OBJ_FLOWTABLES,
+ CMD_OBJ_CT_TIMEOUT,
++ CMD_OBJ_CT_TIMEOUTS,
+ CMD_OBJ_SECMARK,
+ CMD_OBJ_SECMARKS,
+ CMD_OBJ_CT_EXPECT,
+diff --git a/src/cache.c b/src/cache.c
+index becfa57f..d908ae0a 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -370,6 +370,7 @@ static int nft_handle_validate(const struct cmd *cmd, struct list_head *msgs)
+ case CMD_OBJ_CT_HELPER:
+ case CMD_OBJ_CT_HELPERS:
+ case CMD_OBJ_CT_TIMEOUT:
++ case CMD_OBJ_CT_TIMEOUTS:
+ case CMD_OBJ_CT_EXPECT:
+ if (h->table.name &&
+ strlen(h->table.name) > NFT_NAME_MAXLEN) {
+diff --git a/src/evaluate.c b/src/evaluate.c
+index efab2895..687f9a7b 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -5441,6 +5441,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
+ case CMD_OBJ_FLOWTABLES:
+ case CMD_OBJ_SECMARKS:
+ case CMD_OBJ_SYNPROXYS:
++ case CMD_OBJ_CT_TIMEOUTS:
+ if (cmd->handle.table.name == NULL)
+ return 0;
+ if (!table_cache_find(&ctx->nft->cache.table_cache,
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index e7ee56c1..beb277b6 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -4757,7 +4757,7 @@ ct_obj_type : HELPER { $$ = NFT_OBJECT_CT_HELPER; }
+ ;
+
+ ct_cmd_type : HELPERS { $$ = CMD_OBJ_CT_HELPERS; }
+- | TIMEOUT { $$ = CMD_OBJ_CT_TIMEOUT; }
++ | TIMEOUT { $$ = CMD_OBJ_CT_TIMEOUTS; }
+ | EXPECTATION { $$ = CMD_OBJ_CT_EXPECT; }
+ ;
+
+diff --git a/src/rule.c b/src/rule.c
+index 1faa1a27..3704600a 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -2351,6 +2351,7 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
+ case CMD_OBJ_CT_HELPERS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_CT_HELPER);
+ case CMD_OBJ_CT_TIMEOUT:
++ case CMD_OBJ_CT_TIMEOUTS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_CT_TIMEOUT);
+ case CMD_OBJ_CT_EXPECT:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_CT_EXPECT);
+--
+cgit v1.2.3
+
diff --git a/backport-parser-split-tcp-option-rules.patch b/backport-parser-split-tcp-option-rules.patch
new file mode 100644
index 0000000..fc1a982
--- /dev/null
+++ b/backport-parser-split-tcp-option-rules.patch
@@ -0,0 +1,164 @@
+From c009df1fded60c64075493c875873f05606f17ef Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sun, 21 Nov 2021 23:33:09 +0100
+Subject: parser: split tcp option rules
+
+At this time the parser will accept nonsensical input like
+
+ tcp option mss left 2
+
+which will be treated as 'tcp option maxseg size 2'.
+This is because the enum space overlaps.
+
+Split the rules so that 'tcp option mss' will only
+accept field names specific to the mss/maxseg option kind.
+
+Signed-off-by: Florian Westphal
+(cherry picked from commit 46168852c03d73c29b557c93029dc512ca6e233a)
+
+Conflict:change context and add KIND type in parser_bison.y
+Reference:https://git.netfilter.org/nftables/commit/?id=c009df1fded60c64075493c875873f05606f17ef
+
+---
+ src/parser_bison.y | 80 +++++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 61 insertions(+), 19 deletions(-)
+
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 26060985..fca79132 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -187,6 +187,10 @@ int nft_lex(void *, void *, void *);
+ struct handle_spec handle_spec;
+ struct position_spec position_spec;
+ struct prio_spec prio_spec;
++ struct tcp_kind_field {
++ uint16_t kind; /* must allow > 255 for SACK1, 2.. hack */
++ uint8_t field;
++ } tcp_kind_field;
+ }
+
+ %token TOKEN_EOF 0 "end of file"
+@@ -873,7 +877,10 @@ int nft_lex(void *, void *, void *);
+ %type tcp_hdr_expr
+ %destructor { expr_free($$); } tcp_hdr_expr
+ %type tcp_hdr_field
+-%type tcp_hdr_option_type tcp_hdr_option_field
++%type tcp_hdr_option_type
++%type tcp_hdr_option_sack
++%type tcpopt_field_maxseg tcpopt_field_sack tcpopt_field_tsopt tcpopt_field_window
++%type tcp_hdr_option_kind_and_field
+
+ %type boolean_expr
+ %destructor { expr_free($$); } boolean_expr
+@@ -5477,15 +5484,15 @@ tcp_hdr_expr : TCP tcp_hdr_field
+ {
+ $$ = payload_expr_alloc(&@$, &proto_tcp, $2);
+ }
+- | TCP OPTION tcp_hdr_option_type tcp_hdr_option_field
+- {
+- $$ = tcpopt_expr_alloc(&@$, $3, $4);
+- }
+ | TCP OPTION tcp_hdr_option_type
+ {
+ $$ = tcpopt_expr_alloc(&@$, $3, TCPOPT_COMMON_KIND);
+ $$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
+ }
++ | TCP OPTION tcp_hdr_option_kind_and_field
++ {
++ $$ = tcpopt_expr_alloc(&@$, $3.kind, $3.field);
++ }
+ | TCP OPTION AT tcp_hdr_option_type COMMA NUM COMMA NUM
+ {
+ $$ = tcpopt_expr_alloc(&@$, $4, 0);
+@@ -5505,19 +5512,53 @@ tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; }
+ | URGPTR { $$ = TCPHDR_URGPTR; }
+ ;
+
+-tcp_hdr_option_type : EOL { $$ = TCPOPT_KIND_EOL; }
+- | NOP { $$ = TCPOPT_KIND_NOP; }
+- | MSS { $$ = TCPOPT_KIND_MAXSEG; }
+- | WINDOW { $$ = TCPOPT_KIND_WINDOW; }
+- | SACK_PERM { $$ = TCPOPT_KIND_SACK_PERMITTED; }
+- | SACK { $$ = TCPOPT_KIND_SACK; }
++tcp_hdr_option_kind_and_field : MSS tcpopt_field_maxseg
++ {
++ struct tcp_kind_field kind_field = { .kind = TCPOPT_KIND_MAXSEG, .field = $2 };
++ $$ = kind_field;
++ }
++ | tcp_hdr_option_sack tcpopt_field_sack
++ {
++ struct tcp_kind_field kind_field = { .kind = $1, .field = $2 };
++ $$ = kind_field;
++ }
++ | WINDOW tcpopt_field_window
++ {
++ struct tcp_kind_field kind_field = { .kind = TCPOPT_KIND_WINDOW, .field = $2 };
++ $$ = kind_field;
++ }
++ | TIMESTAMP tcpopt_field_tsopt
++ {
++ struct tcp_kind_field kind_field = { .kind = TCPOPT_KIND_TIMESTAMP, .field = $2 };
++ $$ = kind_field;
++ }
++ | tcp_hdr_option_type LENGTH
++ {
++ struct tcp_kind_field kind_field = { .kind = $1, .field = TCPOPT_COMMON_LENGTH };
++ $$ = kind_field;
++ }
++ | tcp_hdr_option_type KIND
++ { struct tcp_kind_field kind_field = { .kind = $1, .field = TCPOPT_COMMON_KIND };
++ $$ = kind_field;
++ }
++ ;
++
++tcp_hdr_option_sack : SACK { $$ = TCPOPT_KIND_SACK; }
+ | SACK0 { $$ = TCPOPT_KIND_SACK; }
+ | SACK1 { $$ = TCPOPT_KIND_SACK1; }
+ | SACK2 { $$ = TCPOPT_KIND_SACK2; }
+ | SACK3 { $$ = TCPOPT_KIND_SACK3; }
+- | ECHO { $$ = TCPOPT_KIND_ECHO; }
+- | TIMESTAMP { $$ = TCPOPT_KIND_TIMESTAMP; }
+- | NUM {
++ ;
++
++tcp_hdr_option_type : ECHO { $$ = TCPOPT_KIND_ECHO; }
++ | EOL { $$ = TCPOPT_KIND_EOL; }
++ | MSS { $$ = TCPOPT_KIND_MAXSEG; }
++ | NOP { $$ = TCPOPT_KIND_NOP; }
++ | SACK_PERM { $$ = TCPOPT_KIND_SACK_PERMITTED; }
++ | TIMESTAMP { $$ = TCPOPT_KIND_TIMESTAMP; }
++ | WINDOW { $$ = TCPOPT_KIND_WINDOW; }
++ | tcp_hdr_option_sack { $$ = $1; }
++ | NUM {
+ if ($1 > 255) {
+ erec_queue(error(&@1, "value too large"), state->msgs);
+ YYERROR;
+@@ -5526,16 +5563,20 @@ tcp_hdr_option_type : EOL { $$ = TCPOPT_KIND_EOL; }
+ }
+ ;
+
+-tcp_hdr_option_field : KIND { $$ = TCPOPT_COMMON_KIND; }
+- | LENGTH { $$ = TCPOPT_COMMON_LENGTH; }
+- | SIZE { $$ = TCPOPT_MAXSEG_SIZE; }
+- | COUNT { $$ = TCPOPT_WINDOW_COUNT; }
+- | LEFT { $$ = TCPOPT_SACK_LEFT; }
++tcpopt_field_sack : LEFT { $$ = TCPOPT_SACK_LEFT; }
+ | RIGHT { $$ = TCPOPT_SACK_RIGHT; }
+- | TSVAL { $$ = TCPOPT_TS_TSVAL; }
++ ;
++
++tcpopt_field_window : COUNT { $$ = TCPOPT_WINDOW_COUNT; }
++ ;
++
++tcpopt_field_tsopt : TSVAL { $$ = TCPOPT_TS_TSVAL; }
+ | TSECR { $$ = TCPOPT_TS_TSECR; }
+ ;
+
++tcpopt_field_maxseg : SIZE { $$ = TCPOPT_MAXSEG_SIZE; }
++ ;
++
+ dccp_hdr_expr : DCCP dccp_hdr_field
+ {
+ $$ = payload_expr_alloc(&@$, &proto_dccp, $2);
+--
+cgit v1.2.3
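Review bot: The `tcp_hdr_option_type KIND` alternative of `tcp_hdr_option_kind_and_field` puts its declaration on the same line as the opening brace, `{ struct tcp_kind_field kind_field = { .kind = $1, .field = TCPOPT_COMMON_KIND };`, unlike the five sibling alternatives that open the brace on its own line; since the backport header marks this alternative as locally added (`add KIND type`), it should take the sibling layout: `{` on its own line, then `struct tcp_kind_field kind_field = { .kind = $1, .field = TCPOPT_COMMON_KIND };`, then `$$ = kind_field;`. The `%union` comment `/* must allow > 255 for SACK1, 2.. hack */` explains the width only by allusion; given the `if ($1 > 255)` rejection in the `NUM` rule, `/* uint16_t: TCPOPT_KIND_SACK1..3 are synthetic kinds above the 8-bit option-kind space that NUM accepts */` states the actual reason. The rest of the `NUM` action and the `tcp_hdr_option_type` rule end lies between the hunks and is not visible here.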
diff --git a/backport-tests-shell-connect-chains-to-hook-point.patch b/backport-tests-shell-connect-chains-to-hook-point.patch
new file mode 100644
index 0000000..9236733
--- /dev/null
+++ b/backport-tests-shell-connect-chains-to-hook-point.patch
@@ -0,0 +1,97 @@
+From 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 10 Jul 2024 02:33:37 +0200
+Subject: tests: shell: connect chains to hook point
+
+These tests should fail because they contain a loop or exceed the jump stack.
+
+But this depends on the kernel validating chains that are not bound to any
+basechain/hook point.
+
+Wire up the initial chain to filter type.
+
+Without this tests will start to fail when kernel stops validating
+chains that are not reachable by any base chain.
+
+Signed-off-by: Florian Westphal
+
+Conflict:delete the file that we don't have
+Reference:https://git.netfilter.org/nftables/commit/?id=1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
+
+---
+ tests/shell/testcases/chains/0003jump_loop_1 | 3 ++-
+ tests/shell/testcases/chains/0010endless_jump_loop_1 | 2 +-
+ tests/shell/testcases/chains/0011endless_jump_loop_1 | 2 +-
+ tests/shell/testcases/chains/0018check_jump_loop_1 | 2 +-
+ tests/shell/testcases/transactions/0023rule_1 | 2 +-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
+index 80e243f0..1a8eaf68 100755
+--- a/tests/shell/testcases/chains/0003jump_loop_1
++++ b/tests/shell/testcases/chains/0003jump_loop_1
+@@ -5,8 +5,9 @@ set -e
+ MAX_JUMPS=16
+
+ $NFT add table t
++$NFT "add chain t c1 { type filter hook prerouting priority 0; }"
+
+-for i in $(seq 1 $MAX_JUMPS)
++for i in $(seq 2 $MAX_JUMPS)
+ do
+ $NFT add chain t c${i}
+ done
+diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
+index 5d3ef239..6000e5d7 100755
+--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
++++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table t
+-$NFT add chain t c
++$NFT add chain "t c { type filter hook input priority 0; }"
+
+ # kernel should return ELOOP
+ $NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
+diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
+index d75932d7..66abf8d0 100755
+--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
++++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table t
+-$NFT add chain t c1
++$NFT add chain "t c1 { type filter hook forward priority 0; }"
+ $NFT add chain t c2
+ $NFT add map t m {type inet_service : verdict \;}
+ $NFT add element t m {2 : jump c2}
+diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
+index b87520f2..1e674d3d 100755
+--- a/tests/shell/testcases/chains/0018check_jump_loop_1
++++ b/tests/shell/testcases/chains/0018check_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table ip filter
+-$NFT add chain ip filter ap1
++$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"
+ $NFT add chain ip filter ap2
+ $NFT add rule ip filter ap1 jump ap2
+
+diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
+index e58c088c..863bcde4 100755
+--- a/tests/shell/testcases/transactions/0023rule_1
++++ b/tests/shell/testcases/transactions/0023rule_1
+@@ -1,7 +1,7 @@
+ #!/bin/bash
+
+ RULESET="add table x
+-add chain x y
++add chain x y { type filter hook input priority 0; }
+ add rule x y jump y"
+
+ # kernel must return ELOOP
+--
+cgit v1.2.3
diff --git a/nftables.spec b/nftables.spec
index 5d997b0..d9ccde7 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
Name: nftables
Version: 1.0.0
-Release: 12
+Release: 13
Epoch: 1
Summary: A subsystem of the Linux kernel processing network data
License: GPLv2
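Review bot: The five scripts bind the first chain to a base hook in three different quoting styles: the whole command quoted in 0003jump_loop_1 (`$NFT "add chain t c1 { type filter hook prerouting priority 0; }"`), table, chain and block as one word in 0010endless_jump_loop_1 and 0011endless_jump_loop_1 (`$NFT add chain "t c { type filter hook input priority 0; }"`), and only the block quoted in 0018check_jump_loop_1 (`$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"`). nft joins its arguments with spaces so all three parse identically, but the mixed forms are what the next test author will copy; the 0018 form, e.g. `$NFT add chain t c "{ type filter hook input priority 0; }"`, keeps table and chain as separate arguments and is the one to standardise on if these lines are ever touched locally — they appear to be taken from the upstream commit verbatim, so that is a maintainability choice rather than a correctness fix. The header line `Conflict:delete the file that we don't have` does not name the file the backport dropped; recording it would help whoever rebases this patch next.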
@@ -93,6 +93,12 @@ Patch75: backport-evaluate-handle-invalid-mapping-expressions-in-stateful
Patch76: backport-evaluate-Fix-incorrect-checking-the-base-variable-in-case-of-IPV6.patch
Patch77: backport-netlink-reset-temporary-set-element-stmt-list-after-list-splice.patch
+Patch78: backport-parser-split-tcp-option-rules.patch
+Patch79: backport-cache-prepare-nft_cache_evaluate-to-return-error.patch
+Patch80: backport-ct-timeout-fix-list-object-x-vs-list-objects-in-table-confusion.patch
+Patch81: backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
+Patch82: backport-tests-shell-connect-chains-to-hook-point.patch
+
BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
BuildRequires: iptables-devel jansson-devel python3-devel
BuildRequires: chrpath
@@ -191,6 +197,16 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%{python3_sitelib}/nftables/
%changelog
+* Tue Dec 10 2024 gaihuiying - 1:1.0.0-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:parser: split tcp option rules
+ cache: prepare nft_cache_evaluate() to return error
+ ct timeout: fix 'list object x' vs. 'list objects in table' confusion
+ ct expectation: fix 'list object x' vs. 'list objects in table' confusion
+ tests: shell: connect chains to hook point
+
* Wed Sep 25 2024 gaihuiying - 1:1.0.0-12
- Type:bugfix
- CVE:NA
--
Gitee