sync: fix some patches from commity

backport-evaluate-string-prefix-expression-must-retain-original-length.patch

@@ -0,0 +1,42 @@
+From 403936c1ffa34bc597d7ee0792154fc6c6b483f2 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 9 Apr 2022 15:58:27 +0200
+Subject: evaluate: string prefix expression must retain original length
+
+To make something like "eth*" work for interval sets (match
+eth0, eth1, and so on...) we must treat the string as a 128 bit
+integer.
+
+Without this, segtree will do the wrong thing when applying the prefix,
+because we generate the prefix based on 'eth*' as input, with a length of 3.
+
+The correct import needs to be done on "eth\0\0\0\0\0\0\0...", i.e., if
+the input buffer were an ipv6 address, it should look like "eth\0::",
+not "::eth".
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/evaluate.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index a20cc396..78862313 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -338,9 +338,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
+ 		*exprp = value;
+ 		return 0;
+ 	}
++
++	data[datalen] = 0;
+ 	value = constant_expr_alloc(&expr->location, ctx->ectx.dtype,
+ 				    BYTEORDER_HOST_ENDIAN,
+-				    datalen * BITS_PER_BYTE, data);
++				    expr->len, data);
+ 
+ 	prefix = prefix_expr_alloc(&expr->location, value,
+ 				   datalen * BITS_PER_BYTE);
+-- 
+cgit v1.2.3
+

backport-iptopt-fix-crash-with-invalid-field-type-combo.patch

@@ -0,0 +1,78 @@
+From 48aca2de80a7dd73f8f3a461c7f7ed47b6082766 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 3 Dec 2021 17:07:55 +0100
+Subject: iptopt: fix crash with invalid field/type combo
+
+% nft describe ip option rr value
+segmentation fault
+
+after this fix, this exits with 'Error: unknown ip option type/field'.
+
+Problem is that 'rr' doesn't have a value template, so the template
+struct is
+all-zeroes, so we crash when trying to use tmpl->dtype (its NULL).
+
+Furthermore, expr_describe tries to print expr->identifier but expr is
+exthdr, not symbol: ->identifier contains garbage.
+
+Conflict: NA
+Reference:
+https://git.netfilter.org/nftables/commit/?id=48aca2de80a7dd73f8f3a461c7f7ed47b6082766
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ src/expression.c   | 7 +++----
+ src/ipopt.c        | 2 ++
+ src/parser_bison.y | 4 ++++
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/expression.c b/src/expression.c
+index 4c0874f..1a88f08 100644
+--- a/src/expression.c
++++ b/src/expression.c
+@@ -135,12 +135,11 @@ void expr_describe(const struct expr *expr, struct output_ctx *octx)
+ 		nft_print(octx, "datatype %s (%s)",
+ 			  dtype->name, dtype->desc);
+ 		len = dtype->size;
+-	} else if (dtype != &invalid_type) {
++	} else {
+ 		nft_print(octx, "%s expression, datatype %s (%s)",
+ 			  expr_name(expr), dtype->name, dtype->desc);
+-	} else {
+-		nft_print(octx, "datatype %s is invalid\n", expr->identifier);
+-		return;
++               if (dtype == &invalid_type)
++                       return;
+ 	}
+ 
+ 	if (dtype->basetype != NULL) {
+diff --git a/src/ipopt.c b/src/ipopt.c
+index 5f9f908..fdd3f93 100644
+--- a/src/ipopt.c
++++ b/src/ipopt.c
+@@ -97,6 +97,8 @@ struct expr *ipopt_expr_alloc(const struct location *loc, uint8_t type,
+ 	if (!tmpl)
+ 		return NULL;
+ 
++       if (!tmpl->len)
++               return NULL;
+ 	expr = expr_alloc(loc, EXPR_EXTHDR, tmpl->dtype,
+ 			  BYTEORDER_BIG_ENDIAN, tmpl->len);
+ 	expr->exthdr.desc   = desc;
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 83f0250..65ba6a4 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -5296,6 +5296,10 @@ ip_hdr_expr		:	IP	ip_hdr_field	close_scope_ip
+ 			|	IP	OPTION	ip_option_type ip_option_field	close_scope_ip
+ 			{
+ 				$$ = ipopt_expr_alloc(&@$, $3, $4, 0);
++                               if (!$$) {
++                                       erec_queue(error(&@1, "unknown ip option type/field"), state->msgs);
++                                       YYERROR;
++                       }
+ 			}
+ 			|	IP	OPTION	ip_option_type close_scope_ip
+ 			{
+-- 
+2.23.0
+

backport-libnftables-release-top-level-scope.patch

@@ -0,0 +1,54 @@
+From 12a223ced7f6b9d9555390c1922bb67133a35c5a Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 17 Jun 2022 19:33:53 +0200
+Subject: libnftables: release top level scope
+
+Otherwise bogus variable redefinition are reported via -o/--optimize:
+
+  redefinition.conf:5:8-21: Error: redefinition of symbol
+'interface_inet'
+  define interface_inet = enp5s0
+^^^^^^^^^^^^^^
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/libnftables.c                             |  1 +
+ tests/shell/testcases/optimizations/variables | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+)
+ create mode 100644 tests/shell/testcases/optimizations/variables
+
+diff --git a/src/libnftables.c b/src/libnftables.c
+index aa6493a..bec378d 100644
+--- a/src/libnftables.c
++++ b/src/libnftables.c
+@@ -652,5 +652,6 @@ err:
+ 		json_print_echo(nft);
+ 	if (rc)
+ 		nft_cache_release(&nft->cache);
++       scope_release(nft->state->scopes[0]);
+ 	return rc;
+ }
+diff --git a/tests/shell/testcases/optimizations/variables b/tests/shell/testcases/optimizations/variables
+new file mode 100644
+index 0000000..fa98606
+--- /dev/null
++++ b/tests/shell/testcases/optimizations/variables
+@@ -0,0 +1,15 @@
++#!/bin/bash
++
++set -e
++
++RULESET="define addrv4_vpnnet = 10.1.0.0/16
++
++table ip nat {
++    chain postrouting {
++        type nat hook postrouting priority 0; policy accept;
++
++        ip saddr \$addrv4_vpnnet counter masquerade fully-random comment \"masquerade ipv4\"
++    }
++}"
++
++$NFT -c -o -f - <<< $RULESET
+-- 
+2.23.0
+

nftables.spec

@@ -1,6 +1,6 @@
 Name:           nftables
 Version:        1.0.0
-Release:        3
+Release:        5
 Epoch:          1
 Summary:        A subsystem of the Linux kernel processing network data
 License:        GPLv2
@@ -16,6 +16,9 @@ Patch3:         backport-segtree-add-string-range-reversal-support.patch
 Patch4:         backport-segtree-fix-map-listing-with-interface-wildcard.patch
 Patch5:         backport-src-Don-t-parse-string-as-verdict-in-map.patch
 Patch6:         backport-parser_json-fix-device-parsing-in-netdev-family.patch
+Patch7:         backport-iptopt-fix-crash-with-invalid-field-type-combo.patch
+Patch8:         backport-evaluate-string-prefix-expression-must-retain-original-length.patch
+Patch9:         backport-libnftables-release-top-level-scope.patch
 
 BuildRequires:  gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires:  iptables-devel jansson-devel python3-devel
@@ -115,12 +118,25 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/
 
 %changelog
-* Mon Nov 21 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-3
+* Tue Dec 13 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix string prefix expression must retain original length
+fix release top level scope
+
+* Mon Nov 21 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-4
 - Type:feature
 - ID:NA
 - SUG:NA
 - DESC:enabled DT testcase
 
+* Fri Sep 30 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix nft desribe ip option rr value coredump
+
 * Sat Sep 03 2022 xinghe <xinghe2@h-partners.com> - 1:1.0.0-2
 - Type:bugfix
 - ID:NA