From ec7d2f856cab6e93c525c01051d75d7dc94c2b9f Mon Sep 17 00:00:00 2001 From: chengyechun Date: Wed, 14 Dec 2022 16:35:40 +0800 Subject: [PATCH] nftables: add some patches from 22-03-LTS to 22-03-LTS-SP1 Signed-off-by: chengyechun --- ...pression-must-retain-original-length.patch | 42 +++++++++++++++ ...-libnftables-release-top-level-scope.patch | 54 +++++++++++++++++++ nftables.spec | 11 +++- 3 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 backport-evaluate-string-prefix-expression-must-retain-original-length.patch create mode 100644 backport-libnftables-release-top-level-scope.patch diff --git a/backport-evaluate-string-prefix-expression-must-retain-original-length.patch b/backport-evaluate-string-prefix-expression-must-retain-original-length.patch new file mode 100644 index 0000000..b351236 --- /dev/null +++ b/backport-evaluate-string-prefix-expression-must-retain-original-length.patch @@ -0,0 +1,42 @@ +From 403936c1ffa34bc597d7ee0792154fc6c6b483f2 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sat, 9 Apr 2022 15:58:27 +0200 +Subject: evaluate: string prefix expression must retain original length + +To make something like "eth*" work for interval sets (match +eth0, eth1, and so on...) we must treat the string as a 128 bit +integer. + +Without this, segtree will do the wrong thing when applying the prefix, +because we generate the prefix based on 'eth*' as input, with a length of 3. + +The correct import needs to be done on "eth\0\0\0\0\0\0\0...", i.e., if +the input buffer were an ipv6 address, it should look like "eth\0::", +not "::eth". + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index a20cc396..78862313 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -338,9 +338,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp) + *exprp = value; + return 0; + } ++ ++ data[datalen] = 0; + value = constant_expr_alloc(&expr->location, ctx->ectx.dtype, + BYTEORDER_HOST_ENDIAN, +- datalen * BITS_PER_BYTE, data); ++ expr->len, data); + + prefix = prefix_expr_alloc(&expr->location, value, + datalen * BITS_PER_BYTE); +-- +cgit v1.2.3 + diff --git a/backport-libnftables-release-top-level-scope.patch b/backport-libnftables-release-top-level-scope.patch new file mode 100644 index 0000000..2c832a2 --- /dev/null +++ b/backport-libnftables-release-top-level-scope.patch @@ -0,0 +1,54 @@ +From 12a223ced7f6b9d9555390c1922bb67133a35c5a Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 17 Jun 2022 19:33:53 +0200 +Subject: libnftables: release top level scope + +Otherwise bogus variable redefinition are reported via -o/--optimize: + + redefinition.conf:5:8-21: Error: redefinition of symbol +'interface_inet' + define interface_inet = enp5s0 +^^^^^^^^^^^^^^ + +Signed-off-by: Pablo Neira Ayuso +--- + src/libnftables.c | 1 + + tests/shell/testcases/optimizations/variables | 15 +++++++++++++++ + 2 files changed, 16 insertions(+) + create mode 100644 tests/shell/testcases/optimizations/variables + +diff --git a/src/libnftables.c b/src/libnftables.c +index aa6493a..bec378d 100644 +--- a/src/libnftables.c ++++ b/src/libnftables.c +@@ -652,5 +652,6 @@ err: + json_print_echo(nft); + if (rc) + cache_release(&nft->cache); ++ scope_release(nft->state->scopes[0]); + return rc; + } +diff --git a/tests/shell/testcases/optimizations/variables b/tests/shell/testcases/optimizations/variables +new file mode 100644 +index 0000000..fa98606 +--- /dev/null ++++ b/tests/shell/testcases/optimizations/variables +@@ -0,0 +1,15 @@ ++#!/bin/bash ++ ++set -e ++ ++RULESET="define addrv4_vpnnet = 10.1.0.0/16 ++ ++table ip nat { ++ chain postrouting { ++ type nat hook postrouting priority 0; policy accept; ++ ++ ip saddr \$addrv4_vpnnet counter masquerade fully-random comment \"masquerade ipv4\" ++ } ++}" ++ ++$NFT -c -o -f - <<< $RULESET +-- +2.23.0 + diff --git a/nftables.spec b/nftables.spec index 9618c36..7269ac0 100644 --- a/nftables.spec +++ b/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 0.9.6 -Release: 4 +Release: 5 Epoch: 1 Summary: A subsystem of the Linux kernel processing network data License: GPLv2 @@ -18,6 +18,8 @@ Patch6005: backport-json-Fix-memleak-in-set_dtype_json.patch Patch6006: backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch Patch6007: backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch Patch6008: backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch +Patch6009: backport-evaluate-string-prefix-expression-must-retain-original-length.patch +Patch6010: backport-libnftables-release-top-level-scope.patch BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd BuildRequires: iptables-devel jansson-devel python3-devel @@ -108,6 +110,13 @@ install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables %{python3_sitelib}/nftables/ %changelog +* Wed Dec 14 2022 huangyu - 1:0.9.6-5 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix string prefix expression must retain original length +fix release top level scope + * Fri Jul 30 2021 xiaqirong - 0.9.6-4 - Type:bugfix - CVE:NA -- Gitee