From 291ec9dd5c417d20cea6feceec810e77d5d42d8a Mon Sep 17 00:00:00 2001
From: renmingshuai
Date: Tue, 13 Dec 2022 21:40:54 +0800
Subject: [PATCH] sync: fix some patches from commity
---
 ...pression-must-retain-original-length.patch | 42 ++++++++++
 ...-crash-with-invalid-field-type-combo.patch | 78 +++++++++++++++++++
 ...-libnftables-release-top-level-scope.patch | 54 +++++++++++++
 nftables.spec | 20 ++++-
 4 files changed, 192 insertions(+), 2 deletions(-)
 create mode 100644 backport-evaluate-string-prefix-expression-must-retain-original-length.patch
 create mode 100644 backport-iptopt-fix-crash-with-invalid-field-type-combo.patch
 create mode 100644 backport-libnftables-release-top-level-scope.patch
diff --git a/backport-evaluate-string-prefix-expression-must-retain-original-length.patch b/backport-evaluate-string-prefix-expression-must-retain-original-length.patch
new file mode 100644
index 0000000..b351236
--- /dev/null
+++ b/backport-evaluate-string-prefix-expression-must-retain-original-length.patch
@@ -0,0 +1,42 @@ +From 403936c1ffa34bc597d7ee0792154fc6c6b483f2 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sat, 9 Apr 2022 15:58:27 +0200 +Subject: evaluate: string prefix expression must retain original length + +To make something like "eth*" work for interval sets (match +eth0, eth1, and so on...) we must treat the string as a 128 bit +integer. + +Without this, segtree will do the wrong thing when applying the prefix, +because we generate the prefix based on 'eth*' as input, with a length of 3. + +The correct import needs to be done on "eth\0\0\0\0\0\0\0...", i.e., if +the input buffer were an ipv6 address, it should look like "eth\0::", +not "::eth". + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index a20cc396..78862313 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -338,9 +338,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp) + *exprp = value; + return 0; + } ++ ++ data[datalen] = 0; + value = constant_expr_alloc(&expr->location, ctx->ectx.dtype, + BYTEORDER_HOST_ENDIAN, +- datalen * BITS_PER_BYTE, data); ++ expr->len, data); + + prefix = prefix_expr_alloc(&expr->location, value, + datalen * BITS_PER_BYTE); +-- +cgit v1.2.3 + diff --git a/backport-iptopt-fix-crash-with-invalid-field-type-combo.patch b/backport-iptopt-fix-crash-with-invalid-field-type-combo.patch new file mode 100644 index 0000000..516311e --- /dev/null +++ b/backport-iptopt-fix-crash-with-invalid-field-type-combo.patch 
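Review bot: This backport patch carries no `Conflict:` / `Reference:` lines, unlike the iptopt backport added in the same commit, so a reader cannot tell whether the upstream hunk was applied verbatim to 1.0.0 or adjusted; the libnftables backport in this commit has the same gap. I would add, after the upstream Signed-off-by lines, `Conflict: NA` and `Reference: https://git.netfilter.org/nftables/commit/?id=403936c1ffa34bc597d7ee0792154fc6c6b483f2` (the id is the patch's own From line), matching the iptopt patch's header. Separately, the added `data[datalen] = 0;` writes one byte past the copied string, which is only safe if `data` is declared with room for the terminator; its declaration is outside the inner hunk, so it is worth confirming against the 1.0.0 source while the header is being fixed.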
@@ -0,0 +1,78 @@ +From 48aca2de80a7dd73f8f3a461c7f7ed47b6082766 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 3 Dec 2021 17:07:55 +0100 +Subject: iptopt: fix crash with invalid field/type combo + +% nft describe ip option rr value +segmentation fault + +after this fix, this exits with 'Error: unknown ip option type/field'. + +Problem is that 'rr' doesn't have a value template, so the template +struct is +all-zeroes, so we crash when trying to use tmpl->dtype (its NULL). + +Furthermore, expr_describe tries to print expr->identifier but expr is +exthdr, not symbol: ->identifier contains garbage. + +Conflict: NA +Reference: +https://git.netfilter.org/nftables/commit/?id=48aca2de80a7dd73f8f3a461c7f7ed47b6082766 +Signed-off-by: Florian Westphal +--- + src/expression.c | 7 +++---- + src/ipopt.c | 2 ++ + src/parser_bison.y | 4 ++++ + 3 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/expression.c b/src/expression.c +index 4c0874f..1a88f08 100644 +--- a/src/expression.c ++++ b/src/expression.c +@@ -135,12 +135,11 @@ void expr_describe(const struct expr *expr, struct output_ctx *octx) + nft_print(octx, "datatype %s (%s)", + dtype->name, dtype->desc); + len = dtype->size; +- } else if (dtype != &invalid_type) { ++ } else { + nft_print(octx, "%s expression, datatype %s (%s)", + expr_name(expr), dtype->name, dtype->desc); +- } else { +- nft_print(octx, "datatype %s is invalid\n", expr->identifier); +- return; ++ if (dtype == &invalid_type) ++ return; + } + + if (dtype->basetype != NULL) { +diff --git a/src/ipopt.c b/src/ipopt.c +index 5f9f908..fdd3f93 100644 +--- a/src/ipopt.c ++++ b/src/ipopt.c +@@ -97,6 +97,8 @@ struct expr *ipopt_expr_alloc(const struct location *loc, uint8_t type, + if (!tmpl) + return NULL; + ++ if (!tmpl->len) ++ return NULL; + expr = expr_alloc(loc, EXPR_EXTHDR, tmpl->dtype, + BYTEORDER_BIG_ENDIAN, tmpl->len); + expr->exthdr.desc = desc; +diff --git a/src/parser_bison.y b/src/parser_bison.y +index 83f0250..65ba6a4 100644 
+--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -5296,6 +5296,10 @@ ip_hdr_expr : IP ip_hdr_field close_scope_ip + | IP OPTION ip_option_type ip_option_field close_scope_ip + { + $$ = ipopt_expr_alloc(&@$, $3, $4, 0); ++ if (!$$) { ++ erec_queue(error(&@1, "unknown ip option type/field"), state->msgs); ++ YYERROR; ++ } + } + | IP OPTION ip_option_type close_scope_ip + { +-- +2.23.0 + diff --git a/backport-libnftables-release-top-level-scope.patch b/backport-libnftables-release-top-level-scope.patch new file mode 100644 index 0000000..e099451 --- /dev/null +++ b/backport-libnftables-release-top-level-scope.patch 
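Review bot: Only the `IP OPTION ip_option_type ip_option_field` action gains a NULL check after `ipopt_expr_alloc()`, yet with the new `if (!tmpl->len) return NULL;` in ipopt.c the function can now return NULL for a template that exists but has no length, not just for an unknown type. The neighbouring `IP OPTION ip_option_type close_scope_ip` alternative, whose action lies outside the hunk, should get the same `if (!$$) { erec_queue(error(&@1, "unknown ip option type/field"), state->msgs); YYERROR; }` guard if it also calls `ipopt_expr_alloc()` with a field that may lack a template; otherwise it would dereference the NULL result. As a point of style in ipopt.c, the two back-to-back early returns read more clearly as one guard, `if (!tmpl || !tmpl->len) return NULL;`, since the second read depends on the first passing. `ipopt_expr_alloc` and the bison rule both continue outside their inner hunks.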
@@ -0,0 +1,54 @@ +From 12a223ced7f6b9d9555390c1922bb67133a35c5a Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 17 Jun 2022 19:33:53 +0200 +Subject: libnftables: release top level scope + +Otherwise bogus variable redefinition are reported via -o/--optimize: + + redefinition.conf:5:8-21: Error: redefinition of symbol +'interface_inet' + define interface_inet = enp5s0 +^^^^^^^^^^^^^^ + +Signed-off-by: Pablo Neira Ayuso +--- + src/libnftables.c | 1 + + tests/shell/testcases/optimizations/variables | 15 +++++++++++++++ + 2 files changed, 16 insertions(+) + create mode 100644 tests/shell/testcases/optimizations/variables + +diff --git a/src/libnftables.c b/src/libnftables.c +index aa6493a..bec378d 100644 +--- a/src/libnftables.c ++++ b/src/libnftables.c +@@ -652,5 +652,6 @@ err: + json_print_echo(nft); + if (rc) + nft_cache_release(&nft->cache); ++ scope_release(nft->state->scopes[0]); + return rc; + } +diff --git a/tests/shell/testcases/optimizations/variables b/tests/shell/testcases/optimizations/variables +new file mode 100644 +index 0000000..fa98606 +--- /dev/null ++++ b/tests/shell/testcases/optimizations/variables +@@ -0,0 +1,15 @@ ++#!/bin/bash ++ ++set -e ++ ++RULESET="define addrv4_vpnnet = 10.1.0.0/16 ++ ++table ip nat { ++ chain postrouting { ++ type nat hook postrouting priority 0; policy accept; ++ ++ ip saddr \$addrv4_vpnnet counter masquerade fully-random comment \"masquerade ipv4\" ++ } ++}" ++ ++$NFT -c -o -f - <<< $RULESET +-- +2.23.0 + diff --git a/nftables.spec b/nftables.spec index 380caed..61c4107 100644 --- a/nftables.spec +++ b/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 1.0.0 -Release: 3 +Release: 5 Epoch: 1 Summary: A subsystem of the Linux kernel processing network data License: GPLv2 
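Review bot: The new test `tests/shell/testcases/optimizations/variables` starts with `#!/bin/bash` but the patch's own diffstat records it as `create mode 100644`, i.e. not executable; if the nftables shell test runner executes testcases directly rather than through `bash`, the case will be skipped or fail, so the file should be created with mode 100755 or the runner's behaviour confirmed before this backport lands. Like the evaluate backport in this commit, the patch also lacks the `Conflict:` / `Reference:` header lines the iptopt backport carries. The `scope_release(nft->state->scopes[0]);` line sits under the `err:` label, so it runs on the success path as well as after `nft_cache_release()`; the enclosing function starts outside the inner hunk, so whether the top-level scope is re-initialised for a later call on the same context cannot be judged here and should be checked against the 1.0.0 source.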
@@ -16,6 +16,9 @@ Patch3: backport-segtree-add-string-range-reversal-support.patch Patch4: backport-segtree-fix-map-listing-with-interface-wildcard.patch Patch5: backport-src-Don-t-parse-string-as-verdict-in-map.patch Patch6: backport-parser_json-fix-device-parsing-in-netdev-family.patch +Patch7: backport-iptopt-fix-crash-with-invalid-field-type-combo.patch +Patch8: backport-evaluate-string-prefix-expression-must-retain-original-length.patch +Patch9: backport-libnftables-release-top-level-scope.patch BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd BuildRequires: iptables-devel jansson-devel python3-devel @@ -115,12 +118,25 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{python3_sitelib}/nftables/ %changelog -* Mon Nov 21 2022 huangyu - 1:1.0.0-3 +* Tue Dec 13 2022 huangyu - 1:1.0.0-5 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix string prefix expression must retain original length +fix release top level scope + +* Mon Nov 21 2022 huangyu - 1:1.0.0-4 - Type:feature - ID:NA - SUG:NA - DESC:enabled DT testcase +* Fri Sep 30 2022 huangyu - 1:1.0.0-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix nft desribe ip option rr value coredump + * Sat Sep 03 2022 xinghe - 1:1.0.0-2 - Type:bugfix - ID:NA