From be92ab50e882fcc7b80781d3199a5473a486b3ed Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Tue, 10 Dec 2024 03:02:02 +0000
Subject: [PATCH] fix coredumps

(cherry picked from commit 131dbe0e2ca6a4113cd8a5d5cd814f344aa5f041)
---
 ...x-vs-list-objects-in-table-confusion.patch | 88 +++++++++++++++++
 ...s-shell-connect-chains-to-hook-point.patch | 97 +++++++++++++++++++
 nftables.spec | 12 ++-
 3 files changed, 196 insertions(+), 1 deletion(-)
 create mode 100644 backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
 create mode 100644 backport-tests-shell-connect-chains-to-hook-point.patch

diff --git a/backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch b/backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
new file mode 100644
index 0000000..6b97c9e
--- /dev/null
+++ b/backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
@@ -0,0 +1,88 @@
+From a8ff324dc64fd76f7d218d3d94c5885250951258 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 28 Jul 2023 21:04:13 +0200
+Subject: ct expectation: fix 'list object x' vs. 'list objects in table'
+ confusion
+
+Just like "ct timeout", "ct expectation" is in need of the same fix,
+we get segfault on "nft list ct expectation table t", if table t exists.
+
+This is the exact same pattern as resolved for "ct timeout" in commit
+1d2e22fc0521 ("ct timeout: fix 'list object x' vs. 'list objects in table' confusion").
+
+Signed-off-by: Florian Westphal
+
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=a8ff324dc64fd76f7d218d3d94c5885250951258
+
+---
+ include/rule.h | 1 +
+ src/cache.c | 1 +
+ src/evaluate.c | 1 +
+ src/parser_bison.y | 2 +-
+ src/rule.c | 1 +
+ 5 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/rule.h b/include/rule.h
+index 5cb549c2..13ab1bf3 100644
+--- a/include/rule.h
++++ b/include/rule.h
+@@ -649,6 +649,7 @@ enum cmd_obj {
+ CMD_OBJ_SECMARK,
+ CMD_OBJ_SECMARKS,
+ CMD_OBJ_CT_EXPECT,
++ CMD_OBJ_CT_EXPECTATIONS,
+ CMD_OBJ_SYNPROXY,
+ CMD_OBJ_SYNPROXYS,
+ CMD_OBJ_HOOKS,
+diff --git a/src/cache.c b/src/cache.c
+index 5cab2622..b6a7e194 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -377,6 +377,7 @@ static int nft_handle_validate(const struct cmd *cmd, struct list_head *msgs)
+ case CMD_OBJ_CT_TIMEOUT:
+ case CMD_OBJ_CT_TIMEOUTS:
+ case CMD_OBJ_CT_EXPECT:
++ case CMD_OBJ_CT_EXPECTATIONS:
+ if (h->table.name &&
+ strlen(h->table.name) > NFT_NAME_MAXLEN) {
+ loc = &h->table.location;
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 33e4ac93..8fc1ca7e 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -5425,6 +5425,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
+ case CMD_OBJ_SECMARKS:
+ case CMD_OBJ_SYNPROXYS:
+ case CMD_OBJ_CT_TIMEOUTS:
++ case CMD_OBJ_CT_EXPECTATIONS:
+ if (cmd->handle.table.name == NULL)
+ return 0;
+ if (!table_cache_find(&ctx->nft->cache.table_cache,
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 553ddf97..ef5011c1 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -4770,7 +4770,7 @@ ct_obj_type : HELPER { $$ = NFT_OBJECT_CT_HELPER; }
+
+ ct_cmd_type : HELPERS { $$ = CMD_OBJ_CT_HELPERS; }
+ | TIMEOUT { $$ = CMD_OBJ_CT_TIMEOUTS; }
+- | EXPECTATION { $$ = CMD_OBJ_CT_EXPECT; }
++ | EXPECTATION { $$ = CMD_OBJ_CT_EXPECTATIONS; }
+ ;
+
+ ct_l4protoname : TCP close_scope_tcp { $$ = IPPROTO_TCP; }
+diff --git a/src/rule.c b/src/rule.c
+index f4d00a8d..4e60c1e6 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -2360,6 +2360,7 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
+ case CMD_OBJ_CT_TIMEOUTS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_CT_TIMEOUT);
+ case CMD_OBJ_CT_EXPECT:
++ case CMD_OBJ_CT_EXPECTATIONS:
+ return do_list_obj(ctx, cmd, NFT_OBJECT_CT_EXPECT);
+ case CMD_OBJ_LIMIT:
+ case CMD_OBJ_LIMITS:
+--
+cgit v1.2.3
diff --git a/backport-tests-shell-connect-chains-to-hook-point.patch b/backport-tests-shell-connect-chains-to-hook-point.patch
new file mode 100644
index 0000000..9236733
--- /dev/null
+++ b/backport-tests-shell-connect-chains-to-hook-point.patch
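Review bot: The fix removes the NULL dereference behind `nft list ct expectation table t`, but no regression test comes with it, so the same `ct_cmd_type` confusion can return unnoticed on the next rebase; the package already carries test-only backports (Patch0052 in nftables.spec), so a shell case that creates table t and expects `nft list ct expectation table t` to exit 0 would be cheap to add alongside Patch0055. The include/rule.h hunk inserts CMD_OBJ_CT_EXPECTATIONS before CMD_OBJ_SYNPROXY, which renumbers every later cmd_obj value; that header looks internal to the nft front end rather than part of the libnftables API, but it is worth confirming no cmd_obj value is persisted or exported before shipping this in a library sub-release. The evaluate.c and rule.c hunks route the new value through the same 'list objects in table' path as CMD_OBJ_CT_TIMEOUTS, which is the fix the commit message describes; the bodies of cmd_evaluate_list and do_command_list continue outside the hunks.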
@@ -0,0 +1,97 @@
+From 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 10 Jul 2024 02:33:37 +0200
+Subject: tests: shell: connect chains to hook point
+
+These tests should fail because they contain a loop or exceed the jump stack.
+
+But this depends on the kernel validating chains that are not bound to any
+basechain/hook point.
+
+Wire up the initial chain to filter type.
+
+Without this tests will start to fail when kernel stops validating
+chains that are not reachable by any base chain.
+
+Signed-off-by: Florian Westphal
+
+Conflict:delete the file that we don't have
+Reference:https://git.netfilter.org/nftables/commit/?id=1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
+
+---
+ tests/shell/testcases/chains/0003jump_loop_1 | 3 ++-
+ tests/shell/testcases/chains/0010endless_jump_loop_1 | 2 +-
+ tests/shell/testcases/chains/0011endless_jump_loop_1 | 2 +-
+ tests/shell/testcases/chains/0018check_jump_loop_1 | 2 +-
+ tests/shell/testcases/transactions/0023rule_1 | 2 +-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
+index 80e243f0..1a8eaf68 100755
+--- a/tests/shell/testcases/chains/0003jump_loop_1
++++ b/tests/shell/testcases/chains/0003jump_loop_1
+@@ -5,8 +5,9 @@ set -e
+ MAX_JUMPS=16
+
+ $NFT add table t
++$NFT "add chain t c1 { type filter hook prerouting priority 0; }"
+
+-for i in $(seq 1 $MAX_JUMPS)
++for i in $(seq 2 $MAX_JUMPS)
+ do
+ $NFT add chain t c${i}
+ done
+diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
+index 5d3ef239..6000e5d7 100755
+--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
++++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table t
+-$NFT add chain t c
++$NFT add chain "t c { type filter hook input priority 0; }"
+
+ # kernel should return ELOOP
+ $NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
+diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
+index d75932d7..66abf8d0 100755
+--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
++++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table t
+-$NFT add chain t c1
++$NFT add chain "t c1 { type filter hook forward priority 0; }"
+ $NFT add chain t c2
+ $NFT add map t m {type inet_service : verdict \;}
+ $NFT add element t m {2 : jump c2}
+diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
+index b87520f2..1e674d3d 100755
+--- a/tests/shell/testcases/chains/0018check_jump_loop_1
++++ b/tests/shell/testcases/chains/0018check_jump_loop_1
+@@ -3,7 +3,7 @@
+ set -e
+
+ $NFT add table ip filter
+-$NFT add chain ip filter ap1
++$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"
+ $NFT add chain ip filter ap2
+ $NFT add rule ip filter ap1 jump ap2
+
+diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
+index e58c088c..863bcde4 100755
+--- a/tests/shell/testcases/transactions/0023rule_1
++++ b/tests/shell/testcases/transactions/0023rule_1
+@@ -1,7 +1,7 @@
+ #!/bin/bash
+
+ RULESET="add table x
+-add chain x y
++add chain x y { type filter hook input priority 0; }
+ add rule x y jump y"
+
+ # kernel must return ELOOP
+--
+cgit v1.2.3
diff --git a/nftables.spec b/nftables.spec
index b3561d4..182cf60 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.0.8
-Release: 5
+Release: 6
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
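Review bot: This backport only edits tests/shell testcases, so it changes nothing in the shipped binaries unless the spec's %check actually runs the shell suite (not visible in this chunk, and that suite needs root plus a live nf_tables kernel, which a build chroot rarely provides); the commit subject files it under "fix coredumps", and a one-line note in the changelog that it is a test-tree sync to keep future rebases clean would describe it more honestly. Within the hunk the same edit is spelled three ways — `$NFT "add chain t c1 { ... }"` in 0003jump_loop_1, `$NFT add chain "t c { ... }"` in 0010 and 0011, and `$NFT add chain ip filter ap1 "{ ... }"` in 0018check_jump_loop_1; all three parse because nft joins its argv into one command, and since this mirrors upstream it should stay as is rather than be normalised locally. The substance is sound: attaching the first chain of each test to a real hook point makes the ELOOP and jump-stack expectations depend on reachable-chain validation, which is the check that actually protects a live ruleset once the kernel stops validating unreachable chains.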
@@ -65,6 +65,9 @@ Patch0052: backport-tests-shell-add-regression-test-for-double-free-crash-b
 Patch0053: backport-evaluate-handle-invalid-mapping-expressions-in-stateful-object-statements-gracefully.patch
 Patch0054: backport-evaluate-Fix-incorrect-checking-the-base-variable-in-case-of-IPV6.patch
+Patch0055: backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
+Patch0056: backport-tests-shell-connect-chains-to-hook-point.patch
+
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires: iptables-devel jansson-devel python3-devel
 BuildRequires: chrpath libedit-devel
@@ -163,6 +166,13 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/
 %changelog
+* Tue Dec 10 2024 gaihuiying - 1:1.0.8-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:ct expectation: fix 'list object x' vs. 'list objects in table' confusion
+ tests: shell: connect chains to hook point
+
 * Wed Sep 25 2024 gaihuiying - 1:1.0.8-5
+- Type:bugfix
+- CVE:NA
--
Gitee