7a10caa70e
Signed-off-by: lingsheng <860373352@qq.com> (cherry picked from commit 757a6bc4a7db26ad71cdecec0548ca6250ceaffc)
310 lines
12 KiB
RPMSpec
310 lines
12 KiB
RPMSpec
Name: nftables
|
|
Version: 1.0.0
|
|
Release: 10
|
|
Epoch: 1
|
|
Summary: A subsystem of the Linux kernel processing network data
|
|
License: GPLv2
|
|
URL: https://netfilter.org/projects/nftables/
|
|
Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2
|
|
Source1: nftables.service
|
|
Source2: nftables.conf
|
|
|
|
Patch0: backport-cache-validate-handle-string-length.patch
|
|
Patch1: backport-evaluate-fix-segfault-when-adding-elements-to-invalid-set.patch
|
|
Patch2: backport-segtree-split-prefix-and-range-creation-to-a-helper-function.patch
|
|
Patch3: backport-segtree-add-string-range-reversal-support.patch
|
|
Patch4: backport-segtree-fix-map-listing-with-interface-wildcard.patch
|
|
Patch5: backport-src-Don-t-parse-string-as-verdict-in-map.patch
|
|
Patch6: backport-parser_json-fix-device-parsing-in-netdev-family.patch
|
|
Patch7: backport-iptopt-fix-crash-with-invalid-field-type-combo.patch
|
|
Patch8: backport-evaluate-string-prefix-expression-must-retain-original-length.patch
|
|
Patch9: backport-libnftables-release-top-level-scope.patch
|
|
Patch10: backport-dump-locations-expressions-only-if-set.patch
|
|
|
|
Patch11: backport-evaluate-allow-implicit-ether-vlan-dep.patch
|
|
Patch12: backport-evaluate-datatype-memleak-after-binop-transfer.patch
|
|
Patch13: backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
|
|
Patch14: backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
|
|
Patch15: backport-payload-do-not-kill-dependency-for-proto_unknown.patch
|
|
Patch16: backport-monitor-missing-cache-and-set-handle-initialization.patch
|
|
Patch17: backport-netlink_linearize-fix-timeout-with-map-updates.patch
|
|
|
|
Patch18: backport-owner-Fix-potential-array-out-of-bounds-access.patch
|
|
Patch19: backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch
|
|
Patch20: backport-netlink-Fix-for-potential-NULL-pointer-deref.patch
|
|
Patch21: backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
|
|
|
|
Patch22: backport-netlink_linearize-use-div_round_up-in-byteorder-length.patch
|
|
Patch23: backport-exthdr-fix-tcpopt_find_template-to-use-length-after-.patch
|
|
Patch24: backport-exthdr-prefer-raw_type-instead-of-desc-type.patch
|
|
Patch25: backport-libnftables-Drop-cache-in-c-check-mode.patch
|
|
Patch26: backport-py-fix-exception-during-cleanup-of-half-initialized-.patch
|
|
Patch27: backport-evaluate-fix-check-for-truncation-in-stmt_evaluate_l.patch
|
|
Patch28: backport-evaluate-do-not-remove-anonymous-set-with-protocol-f.patch
|
|
Patch29: backport-evaluate-revisit-anonymous-set-with-single-element-o.patch
|
|
Patch30: backport-evaluate-skip-anonymous-set-optimization-for-concate.patch
|
|
Patch31: backport-datatype-fix-leak-and-cleanup-reference-counting-for.patch
|
|
Patch32: backport-evaluate-fix-memleak-in-prefix-evaluation-with-wildc.patch
|
|
Patch33: backport-netlink-fix-leaking-typeof_expr_data-typeof_expr_key.patch
|
|
Patch34: backport-datatype-initialize-TYPE_CT_LABEL-slot-in-datatype-a.patch
|
|
Patch35: backport-datatype-initialize-TYPE_CT_EVENTBIT-slot-in-datatyp.patch
|
|
Patch36: backport-netlink-handle-invalid-etype-in-set_make_key.patch
|
|
Patch37: backport-parser_json-Default-meter-size-to-zero.patch
|
|
Patch38: backport-parser_json-Fix-flowtable-prio-value-parsing.patch
|
|
Patch39: backport-parser_json-Proper-ct-expectation-attribute-parsing.patch
|
|
Patch40: backport-parser_json-Fix-synproxy-object-mss-wscale-parsing.patch
|
|
Patch41: backport-parser_json-Fix-typo-in-json_parse_cmd_add_object.patch
|
|
Patch42: backport-parser_json-Wrong-check-in-json_parse_ct_timeout_pol.patch
|
|
Patch43: backport-parser_json-Catch-nonsense-ops-in-match-statement.patch
|
|
Patch44: backport-json-expose-dynamic-flag.patch
|
|
Patch45: backport-evaluate-validate-maximum-log-statement-prefix-lengt.patch
|
|
Patch46: backport-evaluate-reject-set-in-concatenation.patch
|
|
Patch47: backport-datatype-don-t-return-a-const-string-from-cgroupv2_g.patch
|
|
Patch48: backport-json-fix-use-after-free-in-table_flags_json.patch
|
|
Patch49: backport-evaluate-fix-double-free-on-dtype-release.patch
|
|
Patch50: backport-evaluate-validate-chain-max-length.patch
|
|
Patch51: backport-parser_bison-fix-memleak-in-meta-set-error-handling.patch
|
|
Patch52: backport-parser_bison-make-sure-obj_free-releases-timeout-pol.patch
|
|
Patch53: backport-parser_bison-fix-ct-scope-underflow-if-ct-helper-sec.patch
|
|
Patch54: backport-evaluate-stmt_nat-set-reference-must-point-to-a-map.patch
|
|
Patch55: backport-meta-fix-tc-classid-parsing-out-of-bounds-access.patch
|
|
Patch56: backport-netlink-don-t-crash-if-prefix-for-byte-is-requested.patch
|
|
Patch57: backport-evaluate-don-t-crash-if-object-map-does-not-refer-to.patch
|
|
Patch58: backport-evaluate-error-out-when-expression-has-no-datatype.patch
|
|
Patch59: backport-evaluate-tproxy-move-range-error-checks-after-arg-ev.patch
|
|
Patch60: backport-evaluate-error-out-when-store-needs-more-than-one-12.patch
|
|
Patch61: backport-rule-fix-sym-refcount-assertion.patch
|
|
|
|
BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
|
|
BuildRequires: iptables-devel jansson-devel python3-devel
|
|
BuildRequires: chrpath
|
|
|
|
%description
|
|
nftables is a subsystem of the Linux kernel providing filtering and classification of\
|
|
network packets/datagrams/frames.
|
|
|
|
%package devel
|
|
Summary: Development library for nftables / libnftables
|
|
Requires: %{name} = %{epoch}:%{version}-%{release} pkgconfig
|
|
|
|
%description devel
|
|
Development tools and static libraries and header files for the libnftables library.
|
|
|
|
%package_help
|
|
|
|
%package -n python3-nftables
|
|
Summary: Python module providing an interface to libnftables
|
|
Requires: %{name} = %{epoch}:%{version}-%{release}
|
|
%{?python_provide:%python_provide python3-nftables}
|
|
|
|
%description -n python3-nftables
|
|
The nftables python module providing an interface to libnftables via ctypes.
|
|
|
|
%prep
|
|
%autosetup -n %{name}-%{version} -p1
|
|
|
|
%build
|
|
%configure --disable-silent-rules --with-xtables --with-json \
|
|
--enable-python --with-python-bin=%{__python3}
|
|
%make_build
|
|
|
|
%check
|
|
make check
|
|
|
|
%install
|
|
%make_install
|
|
%delete_la
|
|
|
|
chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
|
|
|
|
install -d $RPM_BUILD_ROOT/%{_unitdir}
|
|
cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
|
|
|
|
install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
|
|
cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
|
|
|
|
install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
|
|
mv $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
|
|
|
|
chrpath -d %{buildroot}%{_sbindir}/nft
|
|
|
|
mkdir -p %{buildroot}/etc/ld.so.conf.d
|
|
echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
|
|
|
|
%post
|
|
%systemd_post nftables.service
|
|
/sbin/ldconfig
|
|
|
|
%preun
|
|
%systemd_preun nftables.service
|
|
|
|
%postun
|
|
%systemd_postun_with_restart nftables.service
|
|
/sbin/ldconfig
|
|
|
|
%ldconfig_scriptlets devel
|
|
|
|
%files
|
|
%defattr(-,root,root)
|
|
%license COPYING
|
|
%config(noreplace) %{_sysconfdir}/nftables/
|
|
%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
|
|
%config(noreplace) /etc/ld.so.conf.d/*
|
|
%{_sbindir}/nft
|
|
%{_libdir}/*.so.*
|
|
%{_unitdir}/nftables.service
|
|
%{_docdir}/nftables/examples/*.nft
|
|
|
|
%files devel
|
|
%defattr(-,root,root)
|
|
%{_includedir}/nftables/libnftables.h
|
|
%{_libdir}/*.a
|
|
%{_libdir}/*.so
|
|
%{_libdir}/pkgconfig/*.pc
|
|
|
|
%files help
|
|
%defattr(-,root,root)
|
|
%{_mandir}/man8/nft*
|
|
%{_mandir}/man3/libnftables.3*
|
|
%{_mandir}/man5/libnftables-json*
|
|
|
|
%files -n python3-nftables
|
|
%{python3_sitelib}/nftables-*.egg-info
|
|
%{python3_sitelib}/nftables/
|
|
|
|
%changelog
|
|
Thu Apr 18 2024 lingsheng <lingsheng1@h-partners.com> - 1:1.0.0-10
|
|
- Type:bugfix
|
|
- CVE:NA
|
|
- SUG:NA
|
|
- DESC:datatype: don't return a const string from cgroupv2_get_path()
|
|
datatype: fix leak and cleanup reference counting for struct datatype
|
|
datatype: initialize TYPE_CT_EVENTBIT slot in datatype array
|
|
datatype: initialize TYPE_CT_LABEL slot in datatype array
|
|
evaluate: do not remove anonymous set with protocol flags and single element
|
|
evaluate: don't crash if object map does not refer to a value
|
|
evaluate: error out when expression has no datatype
|
|
evaluate: error out when store needs more than one 128bit register of align fixup
|
|
evaluate: fix check for truncation in stmt_evaluate_log_prefix()
|
|
evaluate: fix double free on dtype release
|
|
evaluate: fix memleak in prefix evaluation with wildcard interface name
|
|
evaluate: reject set in concatenation
|
|
evaluate: revisit anonymous set with single element optimization
|
|
evaluate: skip anonymous set optimization for concatenations
|
|
evaluate: stmt_nat: set reference must point to a map
|
|
evaluate: tproxy: move range error checks after arg evaluation
|
|
evaluate: validate chain max length
|
|
evaluate: validate maximum log statement prefix length
|
|
exthdr: fix tcpopt_find_template to use length after mask adjustment
|
|
exthdr: prefer raw_type instead of desc->type
|
|
json: expose dynamic flag
|
|
json: fix use after free in table_flags_json()
|
|
libnftables: Drop cache in -c/--check mode
|
|
meta: fix tc classid parsing out-of-bounds access
|
|
netlink: don't crash if prefix for < byte is requested
|
|
netlink: fix leaking typeof_expr_data/typeof_expr_key in netlink_delinearize_set()
|
|
netlink: handle invalid etype in set_make_key()
|
|
parser_bison: fix ct scope underflow if ct helper section is duplicated
|
|
parser_bison: fix memleak in meta set error handling
|
|
parser_bison: make sure obj_free releases timeout policies
|
|
parser_json: Catch nonsense ops in match statement
|
|
parser_json: Default meter size to zero
|
|
parser_json: Fix flowtable prio value parsing
|
|
parser_json: Fix synproxy object mss/wscale parsing
|
|
parser_json: Fix typo in json_parse_cmd_add_object()
|
|
parser_json: Proper ct expectation attribute parsing
|
|
parser_json: Wrong check in json_parse_ct_timeout_policy()
|
|
py: fix exception during cleanup of half-initialized Nftables
|
|
rule: fix sym refcount assertion
|
|
|
|
* Mon Aug 14 2023 zhanghao <zhanghao383@huawei.com> - 1:1.0.0-9
|
|
- Type:bugfix
|
|
- CVE:NA
|
|
- SUG:NA
|
|
- DESC:netlink_linearize: use div_round_up in byteorder length
|
|
|
|
* Thu Apr 06 2023 zhanghao <zhanghao383@huawei.com> - 1:1.0.0-8
|
|
- Type:bugfix
|
|
- CVE:NA
|
|
- SUG:NA
|
|
- DESC:Fix potential array out of bounds access
|
|
evaluate: fix shift exponent underflow in concatenation evaluation
|
|
netlink: Fix for potential NULL-pointer deref
|
|
mnl: dump_nf_hooks() leaks memory in error path
|
|
|
|
* Tue Mar 21 2023 zhanghao <zhanghao383@huawei.com> - 1:1.0.0-7
|
|
- Type:bugfix
|
|
- CVE:NA
|
|
- SUG:NA
|
|
- DESC:evaluate allow implicit ether vlan dep
|
|
evaluate datatype memleak after binop transfer
|
|
evaluate bogus datatype assertion in binary operation evaluation
|
|
netlink delinearize do not transfer binary operation to non anonymous sets
|
|
payload do not kill dependency for proto unknown
|
|
monitor missing cache and set handle initialization
|
|
netlink linearize fix timeout with map updates
|
|
|
|
* Thu Dec 15 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-6
|
|
- Type:bugfix
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:fix dump locations expressions only if set
|
|
|
|
* Tue Dec 13 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-5
|
|
- Type:bugfix
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:fix string prefix expression must retain original length
|
|
fix release top level scope
|
|
|
|
* Mon Nov 21 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-4
|
|
- Type:feature
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:enabled DT testcase
|
|
|
|
* Fri Sep 30 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-3
|
|
- Type:bugfix
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:fix nft desribe ip option rr value coredump
|
|
|
|
* Sat Sep 03 2022 xinghe <xinghe2@h-partners.com> - 1:1.0.0-2
|
|
- Type:bugfix
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:fix cache prepare nft_cache evaluate to return error
|
|
fix cache validate handle string length
|
|
add src support for implicit chain bindings
|
|
fix cache release pending rules
|
|
fix segtree map listing
|
|
parser_json fix device parsing in netdev family
|
|
fix src Don't parse string as verdict in map
|
|
|
|
* Sat Dec 04 2021 yanglu <yanglu72@huawei.com> - 1:1.0.0-1
|
|
- Type:requirement
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:update nftables to 1.0.0
|
|
|
|
* Tue Sep 07 2021 gaihuiying <gaihuiying1@huawei.com> - 1:0.9.9-3
|
|
- Type:requirement
|
|
- ID:NA
|
|
- SUG:NA
|
|
- DESC:remove rpath of nft
|
|
|
|
* Tue Aug 24 2021 gaihuiying <gaihuiying1@huawei.com> - 1:0.9.9-2
|
|
- json: fix base chain output
|
|
|
|
* Fri Jul 23 2021 gaihuiying <gaihuiying1@huawei.com> - 1:0.9.9-1
|
|
- update to 0.9.9
|
|
|
|
* Thu Jul 30 2020 cuibaobao <buildteam@openeuler.org> - 1:0.9.6-2
|
|
- Add python3-nftables sub-package
|
|
|
|
* Thu Jul 23 2020 cuibaobao <buildteam@openeuler.org> - 1:0.9.6-1
|
|
- update to 0.9.6
|
|
|
|
* Tue Sep 17 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:0.9.0-3
|
|
- Package init
|