powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

nftables package creation 

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
master
basebuilder_pel7x64builder0 2019-03-27 08:52:34 +01:00
parent 37c07dcb42
commit df32aa2621
20 changed files with 6481 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

208
SOURCES/0001-src-fix-protocol-context-update-on-big-endian-system.patch Normal file
View File

@ -0,0 +1,208 @@
From ae89c5b2865f77ac5e3f8e6c74c9b07296a1acdf Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 14 Dec 2017 14:17:27 +0100
Subject: [PATCH] src: fix protocol context update on big-endian systems

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1523016
Upstream Status: nftables commit a2c55e04d5a11

commit a2c55e04d5a1187914cba2c02810db94de499ace
Author: Phil Sutter <phil@nwl.cc>
Date: Sat Dec 9 16:52:29 2017 +0100

src: fix protocol context update on big-endian systems

There is an obscure bug on big-endian systems when trying to list a rule
containing the expression 'ct helper tftp' which triggers the assert()
call in mpz_get_type().

Florian identified the cause: ct_expr_pctx_update() is called for the
relational expression which calls mpz_get_uint32() to get RHS value
(assuming it is a protocol number). On big-endian systems, the
misinterpreted value exceeds UINT_MAX.

Expressions' pctx_update() callback should only be called for protocol
matches, so ct_meta_common_postprocess() lacked a check for 'left->flags
& EXPR_F_PROTOCOL' like the one already present in
payload_expr_pctx_update().

In order to fix this in a clean way, this patch introduces a wrapper
relational_expr_pctx_update() to be used instead of directly calling
LHS's pctx_update() callback which unifies the necessary checks (and
adds one more assert):

- assert(expr->ops->type == EXPR_RELATIONAL)
-> This is new, just to ensure the wrapper is called properly.
- assert(expr->op == OP_EQ)
-> This was moved from {ct,meta,payload}_expr_pctx_update().
- left->ops->pctx_update != NULL
-> This was taken from expr_evaluate_relational(), a necessary
requirement for the introduced wrapper to function at all.
- (left->flags & EXPR_F_PROTOCOL) != 0
-> The crucial missing check which led to the problem.

Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/expression.h | 3 +++
src/ct.c | 2 --
src/evaluate.c | 6 ++----
src/expression.c | 13 +++++++++++++
src/meta.c | 2 --
src/netlink.c | 2 +-
src/netlink_delinearize.c | 4 ++--
src/payload.c | 7 +------
8 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/include/expression.h b/include/expression.h
index 215cbc9..915ce0b 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -369,6 +369,9 @@ extern struct expr *binop_expr_alloc(const struct location *loc, enum ops op,
extern struct expr *relational_expr_alloc(const struct location *loc, enum ops op,
struct expr *left, struct expr *right);
+extern void relational_expr_pctx_update(struct proto_ctx *ctx,
+ const struct expr *expr);
+
extern struct expr *verdict_expr_alloc(const struct location *loc,
int verdict, const char *chain);
diff --git a/src/ct.c b/src/ct.c
index 58b873e..8ab32e9 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -327,8 +327,6 @@ static void ct_expr_pctx_update(struct proto_ctx *ctx, const struct expr *expr)
const struct proto_desc *base = NULL, *desc;
uint32_t nhproto;
- assert(expr->op == OP_EQ);
-
nhproto = mpz_get_uint32(right->value);
base = ctx->protocol[left->ct.base].desc;
diff --git a/src/evaluate.c b/src/evaluate.c
index 618e188..f16bb33 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -743,7 +743,7 @@ static int ct_gen_nh_dependency(struct eval_ctx *ctx, struct expr *ct)
constant_data_ptr(ct->ct.nfproto, left->len));
dep = relational_expr_alloc(&ct->location, OP_EQ, left, right);
- left->ops->pctx_update(&ctx->pctx, dep);
+ relational_expr_pctx_update(&ctx->pctx, dep);
nstmt = expr_stmt_alloc(&dep->location, dep);
@@ -1632,9 +1632,7 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
* Update protocol context for payload and meta iiftype
* equality expressions.
*/
- if (left->flags & EXPR_F_PROTOCOL &&
- left->ops->pctx_update)
- left->ops->pctx_update(&ctx->pctx, rel);
+ relational_expr_pctx_update(&ctx->pctx, rel);
if (left->ops->type == EXPR_CONCAT)
return 0;
diff --git a/src/expression.c b/src/expression.c
index fc1097a..f8b560c 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -600,6 +600,19 @@ struct expr *relational_expr_alloc(const struct location *loc, enum ops op,
return expr;
}
+void relational_expr_pctx_update(struct proto_ctx *ctx,
+ const struct expr *expr)
+{
+ const struct expr *left = expr->left;
+
+ assert(expr->ops->type == EXPR_RELATIONAL);
+ assert(expr->op == OP_EQ);
+
+ if (left->ops->pctx_update &&
+ (left->flags & EXPR_F_PROTOCOL))
+ left->ops->pctx_update(ctx, expr);
+}
+
static void range_expr_print(const struct expr *expr, struct output_ctx *octx)
{
octx->numeric += NUMERIC_ALL + 1;
diff --git a/src/meta.c b/src/meta.c
index 56b9e29..3c31174 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -482,8 +482,6 @@ static void meta_expr_pctx_update(struct proto_ctx *ctx,
const struct proto_desc *desc;
uint8_t protonum;
- assert(expr->op == OP_EQ);
-
switch (left->meta.key) {
case NFT_META_IIFTYPE:
if (h->base < PROTO_BASE_NETWORK_HDR &&
diff --git a/src/netlink.c b/src/netlink.c
index d5d410a..5d6f5ce 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -2729,7 +2729,7 @@ restart:
list_add_tail(&stmt->list, &unordered);
desc = ctx->protocol[base].desc;
- lhs->ops->pctx_update(ctx, rel);
+ relational_expr_pctx_update(ctx, rel);
}
expr_free(rhs);
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 4432887..11fd330 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1329,7 +1329,7 @@ static void payload_match_expand(struct rule_pp_ctx *ctx,
nexpr = relational_expr_alloc(&expr->location, expr->op,
left, tmp);
if (expr->op == OP_EQ)
- left->ops->pctx_update(&ctx->pctx, nexpr);
+ relational_expr_pctx_update(&ctx->pctx, nexpr);
nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr);
list_add_tail(&nstmt->list, &ctx->stmt->list);
@@ -1397,7 +1397,7 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx,
if (expr->right->ops->type == EXPR_RANGE)
break;
- expr->left->ops->pctx_update(&ctx->pctx, expr);
+ relational_expr_pctx_update(&ctx->pctx, expr);
if (ctx->pdctx.pbase == PROTO_BASE_INVALID &&
left->flags & EXPR_F_PROTOCOL) {
diff --git a/src/payload.c b/src/payload.c
index aa8a95a..60090ac 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -84,11 +84,6 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
const struct proto_desc *base, *desc;
unsigned int proto = 0;
- if (!(left->flags & EXPR_F_PROTOCOL))
- return;
-
- assert(expr->op == OP_EQ);
-
/* Export the data in the correct byte order */
assert(right->len / BITS_PER_BYTE <= sizeof(proto));
mpz_export_data(constant_data_ptr(proto, right->len), right->value,
@@ -240,7 +235,7 @@ static int payload_add_dependency(struct eval_ctx *ctx,
return expr_error(ctx->msgs, expr,
"dependency statement is invalid");
}
- left->ops->pctx_update(&ctx->pctx, dep);
+ relational_expr_pctx_update(&ctx->pctx, dep);
*res = stmt;
return 0;
}
--
1.8.3.1

48
SOURCES/0002-netlink_linearize-exthdr-op-must-be-u32.patch Normal file
View File

@ -0,0 +1,48 @@
From d0d83585f7f6a74ac02338a37c6860cd2f26b33b Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 14 Dec 2017 14:18:17 +0100
Subject: [PATCH] netlink_linearize: exthdr op must be u32

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1524246
Upstream Status: nftables commit 80f5d7fd66895

commit 80f5d7fd66895c651c9d1e35b2353f3020ffb538
Author: Florian Westphal <fw@strlen.de>
Date: Mon Dec 11 10:06:55 2017 +0100

netlink_linearize: exthdr op must be u32

libnftnl casts this to u32. Broke exthdr expressions on bigendian.

Reported-by: Li Shuang <shuali@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/netlink_linearize.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index fb2d250..a268dcc 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -178,7 +178,7 @@ static void netlink_gen_exthdr(struct netlink_linearize_ctx *ctx,
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE);
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN,
div_round_up(expr->len, BITS_PER_BYTE));
- nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_FLAGS, expr->exthdr.flags);
nftnl_rule_add_expr(ctx->nlr, nle);
}
@@ -839,7 +839,7 @@ static void netlink_gen_exthdr_stmt(struct netlink_linearize_ctx *ctx,
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET, offset / BITS_PER_BYTE);
nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_LEN,
div_round_up(expr->len, BITS_PER_BYTE));
- nftnl_expr_set_u8(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_EXTHDR_OP, expr->exthdr.op);
nftnl_rule_add_expr(ctx->nlr, nle);
}
--
1.8.3.1

63
SOURCES/0003-src-avoid-errouneous-assert-with-map-concat.patch Normal file
View File

@ -0,0 +1,63 @@
From ed405d0eafc7b1f71013cf42f9ed550d64ec56c5 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 6 Jun 2018 10:44:43 +0200
Subject: [PATCH] src: avoid errouneous assert with map+concat

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1540917
Upstream Status: nftables commit 483e5ea7167e1

commit 483e5ea7167e1537accf4cb083b88a8beea8f834
Author: Florian Westphal <fw@strlen.de>
Date: Tue Mar 27 09:29:54 2018 +0200

src: avoid errouneous assert with map+concat

Phil reported following assert:

add rule ip6 f o mark set ip6 saddr . ip6 daddr . tcp dport \
map { dead::beef . f00::. 22 : 1 }
nft: netlink_linearize.c:655: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.

This happens because "mark set" will allocate one register (the dreg),
but netlink_gen_concat_expr will populate a lot more register space if
the concat expression strings a lot of expressions together.

As the assert is useful pseudo-reserve the register space as per
concat->len and undo after generating the expressions.

Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/netlink_linearize.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index a268dcc..e9a4515 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -243,6 +243,7 @@ static void netlink_gen_map(struct netlink_linearize_ctx *ctx,
{
struct nftnl_expr *nle;
enum nft_registers sreg;
+ int regspace = 0;
assert(expr->mappings->ops->type == EXPR_SET_REF);
@@ -251,7 +252,14 @@ static void netlink_gen_map(struct netlink_linearize_ctx *ctx,
else
sreg = dreg;
+ /* suppress assert in netlink_gen_expr */
+ if (expr->map->ops->type == EXPR_CONCAT) {
+ regspace = netlink_register_space(expr->map->len);
+ ctx->reg_low += regspace;
+ }
+
netlink_gen_expr(ctx, expr->map, sreg);
+ ctx->reg_low -= regspace;
nle = alloc_nft_expr("lookup");
netlink_put_register(nle, NFTNL_EXPR_LOOKUP_SREG, sreg);
--
1.8.3.1

121
SOURCES/0004-Review-switch-statements-for-unmarked-fall-through-c.patch Normal file
View File

@ -0,0 +1,121 @@
From 8a8b80fafcbf3843e1736daff707b7cb5b64f31f Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:00 +0200
Subject: [PATCH] Review switch statements for unmarked fall through cases

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit 7f31d3191622b

commit 7f31d3191622b650521014e311ace96aa7c5522c
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Feb 28 16:06:16 2018 +0100

Review switch statements for unmarked fall through cases

While revisiting all of them, clear a few oddities as well:

- There's no point in marking empty fall through cases: They are easy to
spot and a common concept when using switch().

- Fix indenting of break statement in one occasion.

- Drop needless braces around one case which doesn't declare variables.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/ct.c | 2 +-
src/evaluate.c | 1 +
src/hash.c | 2 +-
src/netlink_delinearize.c | 1 +
src/rule.c | 5 +++--
5 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/ct.c b/src/ct.c
index 8ab32e9..1e06013 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -289,7 +289,7 @@ static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
}
switch (key) {
- case NFT_CT_SRC: /* fallthrough */
+ case NFT_CT_SRC:
case NFT_CT_DST:
desc = proto_find_upper(&proto_inet, nfproto);
if (desc)
diff --git a/src/evaluate.c b/src/evaluate.c
index f16bb33..25a7376 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2705,6 +2705,7 @@ static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt)
map->mappings->set->flags |=
map->mappings->set->init->set_flags;
+ /* fall through */
case EXPR_SYMBOL:
if (expr_evaluate(ctx, &map->mappings) < 0)
return -1;
diff --git a/src/hash.c b/src/hash.c
index 9cd3c8c..3355cad 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -20,7 +20,7 @@ static void hash_expr_print(const struct expr *expr, struct output_ctx *octx)
switch (expr->hash.type) {
case NFT_HASH_SYM:
nft_print(octx, "symhash");
- break;
+ break;
case NFT_HASH_JENKINS:
default:
nft_print(octx, "jhash ");
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 11fd330..61cba52 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1411,6 +1411,7 @@ static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx,
case OP_NEQ:
if (right->ops->type != EXPR_SET && right->ops->type != EXPR_SET_REF)
break;
+ /* fall through */
case OP_LOOKUP:
expr_set_type(right, left->dtype, left->byteorder);
break;
diff --git a/src/rule.c b/src/rule.c
index d744cf6..e7ccb2b 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1297,7 +1297,7 @@ static void obj_print_data(const struct obj *obj,
}
}
break;
- case NFT_OBJECT_CT_HELPER: {
+ case NFT_OBJECT_CT_HELPER:
nft_print(octx, "ct helper %s {\n", obj->handle.obj);
nft_print(octx, "\t\ttype \"%s\" protocol ",
obj->ct_helper.name);
@@ -1305,7 +1305,6 @@ static void obj_print_data(const struct obj *obj,
nft_print(octx, "\t\tl3proto %s",
family2str(obj->ct_helper.l3proto));
break;
- }
case NFT_OBJECT_LIMIT: {
bool inv = obj->limit.flags & NFT_LIMIT_F_INV;
const char *data_unit;
@@ -1617,11 +1616,13 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_COUNTERS:
dump = true;
+ /* fall through */
case CMD_OBJ_COUNTER:
type = NFT_OBJECT_COUNTER;
break;
case CMD_OBJ_QUOTAS:
dump = true;
+ /* fall through */
case CMD_OBJ_QUOTA:
type = NFT_OBJECT_QUOTA;
break;
--
1.8.3.1

128
SOURCES/0005-monitor-Make-trace-events-respect-output_fp.patch Normal file
View File

@ -0,0 +1,128 @@
From 696fd8bbb2c654a1d16849fef0f0ae362739def4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:00 +0200
Subject: [PATCH] monitor: Make trace events respect output_fp

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit 657472843e7a7

commit 657472843e7a7a4bc7f756356e6636b1f197b745
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Feb 28 16:04:27 2018 +0100

monitor: Make trace events respect output_fp

Seems like this was incompletely converted, part of the output went to
output_fp already.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/netlink.c | 38 +++++++++++++++++++++-----------------
1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index 5d6f5ce..d839ded 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -2587,14 +2587,18 @@ static void netlink_events_cache_update(struct netlink_mon_handler *monh,
}
}
-static void trace_print_hdr(const struct nftnl_trace *nlt)
+static void trace_print_hdr(const struct nftnl_trace *nlt,
+ struct output_ctx *octx)
{
- printf("trace id %08x ", nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID));
- printf("%s ", family2str(nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY)));
+ nft_print(octx, "trace id %08x %s ",
+ nftnl_trace_get_u32(nlt, NFTNL_TRACE_ID),
+ family2str(nftnl_trace_get_u32(nlt, NFTNL_TRACE_FAMILY)));
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_TABLE))
- printf("%s ", nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE));
+ nft_print(octx, "%s ",
+ nftnl_trace_get_str(nlt, NFTNL_TRACE_TABLE));
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_CHAIN))
- printf("%s ", nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN));
+ nft_print(octx, "%s ",
+ nftnl_trace_get_str(nlt, NFTNL_TRACE_CHAIN));
}
static void trace_print_expr(const struct nftnl_trace *nlt, unsigned int attr,
@@ -2611,7 +2615,7 @@ static void trace_print_expr(const struct nftnl_trace *nlt, unsigned int attr,
rel = relational_expr_alloc(&netlink_location, OP_EQ, lhs, rhs);
expr_print(rel, octx);
- printf(" ");
+ nft_print(octx, " ");
expr_free(rel);
}
@@ -2661,12 +2665,12 @@ static void trace_print_rule(const struct nftnl_trace *nlt,
if (!rule)
return;
- trace_print_hdr(nlt);
- printf("rule ");
+ trace_print_hdr(nlt, octx);
+ nft_print(octx, "rule ");
rule_print(rule, octx);
- printf(" (");
+ nft_print(octx, " (");
trace_print_verdict(nlt, octx);
- printf(")\n");
+ nft_print(octx, ")\n");
}
static void trace_gen_stmts(struct list_head *stmts,
@@ -2775,9 +2779,9 @@ static void trace_print_packet(const struct nftnl_trace *nlt,
uint32_t nfproto;
struct stmt *stmt, *next;
- trace_print_hdr(nlt);
+ trace_print_hdr(nlt, octx);
- printf("packet: ");
+ nft_print(octx, "packet: ");
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_IIF))
trace_print_expr(nlt, NFTNL_TRACE_IIF,
meta_expr_alloc(&netlink_location,
@@ -2813,10 +2817,10 @@ static void trace_print_packet(const struct nftnl_trace *nlt,
list_for_each_entry_safe(stmt, next, &stmts, list) {
stmt_print(stmt, octx);
- printf(" ");
+ nft_print(octx, " ");
stmt_free(stmt);
}
- printf("\n");
+ nft_print(octx, "\n");
}
static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type,
@@ -2844,11 +2848,11 @@ static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type,
break;
case NFT_TRACETYPE_POLICY:
case NFT_TRACETYPE_RETURN:
- trace_print_hdr(nlt);
+ trace_print_hdr(nlt, monh->ctx->octx);
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_VERDICT)) {
trace_print_verdict(nlt, monh->ctx->octx);
- printf(" ");
+ nft_mon_print(monh, " ");
}
if (nftnl_trace_is_set(nlt, NFTNL_TRACE_MARK))
@@ -2856,7 +2860,7 @@ static int netlink_events_trace_cb(const struct nlmsghdr *nlh, int type,
meta_expr_alloc(&netlink_location,
NFT_META_MARK),
monh->ctx->octx);
- printf("\n");
+ nft_mon_print(monh, "\n");
break;
}
--
1.8.3.1

120
SOURCES/0006-monitor-Make-JSON-XML-output-respect-output_fp.patch Normal file
View File

@ -0,0 +1,120 @@
From fa5ccccd164b7285c4d105265ece4ea7ccdd996a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:00 +0200
Subject: [PATCH] monitor: Make JSON/XML output respect output_fp

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit 59034b47590d7

commit 59034b47590d7cd19ba2fda24bf4426c355f95bc
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Feb 28 16:04:28 2018 +0100

monitor: Make JSON/XML output respect output_fp

Make sure events callbacks print to output_ctx-defined stream for any
type of output format.

Since all of them use nft_print() as last call (if anything is printed
at all), the final call to fflush() in netlink_events_cb() can be
dropped.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/netlink.c | 37 ++++++++++++++++++-------------------
1 file changed, 18 insertions(+), 19 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index d839ded..ca0e207 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -2015,9 +2015,9 @@ static int netlink_events_table_cb(const struct nlmsghdr *nlh, int type,
break;
case NFTNL_OUTPUT_XML:
case NFTNL_OUTPUT_JSON:
- nftnl_table_fprintf(stdout, nlt, monh->format,
- netlink_msg2nftnl_of(type));
- fprintf(stdout, "\n");
+ nftnl_table_fprintf(monh->ctx->octx->output_fp, nlt,
+ monh->format, netlink_msg2nftnl_of(type));
+ nft_mon_print(monh, "\n");
break;
}
@@ -2057,9 +2057,9 @@ static int netlink_events_chain_cb(const struct nlmsghdr *nlh, int type,
break;
case NFTNL_OUTPUT_XML:
case NFTNL_OUTPUT_JSON:
- nftnl_chain_fprintf(stdout, nlc, monh->format,
- netlink_msg2nftnl_of(type));
- fprintf(stdout, "\n");
+ nftnl_chain_fprintf(monh->ctx->octx->output_fp, nlc,
+ monh->format, netlink_msg2nftnl_of(type));
+ nft_mon_print(monh, "\n");
break;
}
@@ -2104,9 +2104,9 @@ static int netlink_events_set_cb(const struct nlmsghdr *nlh, int type,
break;
case NFTNL_OUTPUT_XML:
case NFTNL_OUTPUT_JSON:
- nftnl_set_fprintf(stdout, nls, monh->format,
- netlink_msg2nftnl_of(type));
- fprintf(stdout, "\n");
+ nftnl_set_fprintf(monh->ctx->octx->output_fp, nls,
+ monh->format, netlink_msg2nftnl_of(type));
+ nft_mon_print(monh, "\n");
break;
}
out:
@@ -2253,9 +2253,9 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
break;
case NFTNL_OUTPUT_XML:
case NFTNL_OUTPUT_JSON:
- nftnl_set_fprintf(stdout, nls, monh->format,
- netlink_msg2nftnl_of(type));
- fprintf(stdout, "\n");
+ nftnl_set_fprintf(monh->ctx->octx->output_fp, nls,
+ monh->format, netlink_msg2nftnl_of(type));
+ nft_mon_print(monh, "\n");
break;
}
out:
@@ -2298,9 +2298,9 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
break;
case NFTNL_OUTPUT_XML:
case NFTNL_OUTPUT_JSON:
- nftnl_obj_fprintf(stdout, nlo, monh->format,
- netlink_msg2nftnl_of(type));
- fprintf(stdout, "\n");
+ nftnl_obj_fprintf(monh->ctx->octx->output_fp, nlo,
+ monh->format, netlink_msg2nftnl_of(type));
+ nft_mon_print(monh, "\n");
break;
}
@@ -2354,9 +2354,9 @@ static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type,
break;
case NFTNL_OUTPUT_XML:
case NFTNL_OUTPUT_JSON:
- nftnl_rule_fprintf(stdout, nlr, monh->format,
- netlink_msg2nftnl_of(type));
- fprintf(stdout, "\n");
+ nftnl_rule_fprintf(monh->ctx->octx->output_fp, nlr,
+ monh->format, netlink_msg2nftnl_of(type));
+ nft_mon_print(monh, "\n");
break;
}
@@ -2985,7 +2985,6 @@ static int netlink_events_cb(const struct nlmsghdr *nlh, void *data)
ret = netlink_events_newgen_cb(nlh, type, monh);
break;
}
- fflush(stdout);
return ret;
}
--
1.8.3.1

69
SOURCES/0007-cli-Drop-pointless-check-in-cli_append_multiline.patch Normal file
View File

@ -0,0 +1,69 @@
From a5e89843a77c234f1f858737b676161ff8ee0227 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:00 +0200
Subject: [PATCH] cli: Drop pointless check in cli_append_multiline()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit f51ed1db70abd
Conflicts: Context change due to missing commit
4c15b4008c249 ("cli: Use nft_run_cmd_from_buffer()")

commit f51ed1db70abdbb909e81bc670ffdfa05f421257
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 1 15:00:27 2018 +0100

cli: Drop pointless check in cli_append_multiline()

The function is called from cli_complete after it has checked for line
to be != NULL. The other part of the conditional, namely multiline being
NULL, is perfectly valid (if the last read line didn't end with
backslash. Hence drop the conditional completely.

Since variable eof is not used anywhere outside of the dropped
conditional, get rid of it completely.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/cli.c | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/src/cli.c b/src/cli.c
index cadc3af..53427a0 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -46,21 +46,13 @@ static struct mnl_socket *cli_nf_sock;
static void *scanner;
static char histfile[PATH_MAX];
static char *multiline;
-static bool eof;
static char *cli_append_multiline(char *line)
{
+ size_t len = strlen(line);
bool complete = false;
- size_t len;
char *s;
- if (line == NULL && multiline == NULL) {
- eof = true;
- return NULL;
- }
-
- len = strlen(line);
-
if (len == 0)
return NULL;
@@ -174,7 +166,7 @@ int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
state = _state;
scanner = scanner_init(state);
- while (!eof)
+ while (true)
rl_callback_read_char();
return 0;
}
--
1.8.3.1

56
SOURCES/0008-erec-Avoid-passing-negative-offset-to-fseek.patch Normal file
View File

@ -0,0 +1,56 @@
From 76bfabfffc6d10f3b55c896dc7afc24fa3a71fc9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:47 +0200
Subject: [PATCH] erec: Avoid passing negative offset to fseek()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit 3570b6bc8b4f1

commit 3570b6bc8b4f136d07121b28cd79b6356e8e969b
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 1 15:00:28 2018 +0100

erec: Avoid passing negative offset to fseek()

If the initial call to ftell() fails, variable orig_offset is set to -1.
Avoid passing this to fseek() later on.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/erec.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/erec.c b/src/erec.c
index 80806ff..8de249d 100644
--- a/src/erec.c
+++ b/src/erec.c
@@ -121,7 +121,7 @@ void erec_print(struct output_ctx *octx, const struct error_record *erec,
char buf[1024] = {};
char *pbuf = NULL;
unsigned int i, end;
- int l, ret;
+ int l;
off_t orig_offset = 0;
FILE *f = octx->output_fp;
@@ -136,12 +136,12 @@ void erec_print(struct output_ctx *octx, const struct error_record *erec,
break;
case INDESC_FILE:
orig_offset = ftell(indesc->fp);
- fseek(indesc->fp, loc->line_offset, SEEK_SET);
- ret = fread(buf, 1, sizeof(buf) - 1, indesc->fp);
- if (ret > 0)
+ if (orig_offset >= 0 &&
+ !fseek(indesc->fp, loc->line_offset, SEEK_SET) &&
+ fread(buf, 1, sizeof(buf) - 1, indesc->fp) > 0 &&
+ !fseek(indesc->fp, orig_offset, SEEK_SET))
*strchrnul(buf, '\n') = '\0';
line = buf;
- fseek(indesc->fp, orig_offset, SEEK_SET);
break;
case INDESC_INTERNAL:
case INDESC_NETLINK:
--
1.8.3.1

60
SOURCES/0009-evaluate-Fix-memleak-in-stmt_reject_gen_dependency.patch Normal file
View File

@ -0,0 +1,60 @@
From 56d8528fdd3c3f7db138622d94d2a6bac6b46e4e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:47 +0200
Subject: [PATCH] evaluate: Fix memleak in stmt_reject_gen_dependency()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit edcf3adcf4c4c

commit edcf3adcf4c4cf58cb0b965b984a512b12181a58
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 1 15:00:29 2018 +0100

evaluate: Fix memleak in stmt_reject_gen_dependency()

The allocated payload expression is not used after returning from that
function, so it needs to be freed again.

Simple test case:

| nft add rule inet t c reject with tcp reset

Valgrind reports definitely lost 144 bytes.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 25a7376..8552e4a 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2136,8 +2136,10 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt,
if (ret <= 0)
return ret;
- if (payload_gen_dependency(ctx, payload, &nstmt) < 0)
- return -1;
+ if (payload_gen_dependency(ctx, payload, &nstmt) < 0) {
+ ret = -1;
+ goto out;
+ }
/*
* Unlike payload deps this adds the dependency at the beginning, i.e.
@@ -2148,7 +2150,9 @@ static int stmt_reject_gen_dependency(struct eval_ctx *ctx, struct stmt *stmt,
* Otherwise we'd log things that won't be rejected.
*/
list_add(&nstmt->list, &ctx->rule->stmts);
- return 0;
+out:
+ xfree(payload);
+ return ret;
}
static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
--
1.8.3.1

49
SOURCES/0010-hash-Fix-potential-null-pointer-dereference-in-hash_.patch Normal file
View File

@ -0,0 +1,49 @@
From 76a8ca39b3f95b898cd92546fb87ccaa2d1922c7 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:47 +0200
Subject: [PATCH] hash: Fix potential null-pointer dereference in
hash_expr_cmp()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit 5043a1e4847c0

commit 5043a1e4847c0149dabaf0b529a14a43b957e5e4
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 1 15:00:30 2018 +0100

hash: Fix potential null-pointer dereference in hash_expr_cmp()

The first part of the conditional:

| (e1->hash.expr || expr_cmp(e1->hash.expr, e2->hash.expr))

will call expr_cmp() in case e1->hash.expr is NULL, causing null-pointer
dereference. This is probably a typo, the intention when introducing
this was to avoid the call to expr_cmp() for symmetric hash expressions
which don't use expr->hash.expr. Inverting the existence check should
fix this.

Fixes: 3a86406729782 ("src: hash: support of symmetric hash")
Cc: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hash.c b/src/hash.c
index 3355cad..e699963 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -36,7 +36,7 @@ static void hash_expr_print(const struct expr *expr, struct output_ctx *octx)
static bool hash_expr_cmp(const struct expr *e1, const struct expr *e2)
{
- return (e1->hash.expr ||
+ return (!e1->hash.expr ||
expr_cmp(e1->hash.expr, e2->hash.expr)) &&
e1->hash.mod == e2->hash.mod &&
e1->hash.seed_set == e2->hash.seed_set &&
--
1.8.3.1

41
SOURCES/0011-netlink-Complain-if-setting-O_NONBLOCK-fails.patch Normal file
View File

@ -0,0 +1,41 @@
From 094f7dd2dce0c449313f1f1ea69dc849fc89b62a Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:47 +0200
Subject: [PATCH] netlink: Complain if setting O_NONBLOCK fails

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit 4342fcbd40534

commit 4342fcbd40534158107ebe6a10e5f7886b3e8ced
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 1 15:00:31 2018 +0100

netlink: Complain if setting O_NONBLOCK fails

Assuming that code is not aware that reads from netlink socket may
block, treat inability to set O_NONBLOCK flag as fatal initialization
error aborting program execution.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/netlink.c b/src/netlink.c
index ca0e207..ebfad18 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -58,7 +58,8 @@ struct mnl_socket *netlink_open_sock(void)
if (nf_sock == NULL)
netlink_init_error();
- fcntl(mnl_socket_get_fd(nf_sock), F_SETFL, O_NONBLOCK);
+ if (fcntl(mnl_socket_get_fd(nf_sock), F_SETFL, O_NONBLOCK))
+ netlink_init_error();
return nf_sock;
}
--
1.8.3.1

351
SOURCES/0012-netlink_delinearize-Fix-resource-leaks.patch Normal file
View File

@ -0,0 +1,351 @@
From 5e9e2dc7e972f6bbbc0156ad97b4ee9d11fcb837 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:22:47 +0200
Subject: [PATCH] netlink_delinearize: Fix resource leaks

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1504157
Upstream Status: nftables commit 671851617c8d8

commit 671851617c8d8c1dfe9822eee8dcc7b827fff850
Author: Phil Sutter <phil@nwl.cc>
Date: Thu Mar 1 15:00:32 2018 +0100

netlink_delinearize: Fix resource leaks

Most of the cases are basically the same: Error path fails to free the
previously allocated statement or expression. A few cases received
special treatment though:

- In netlink_parse_payload_stmt(), the leak is easily avoided by code
reordering.

- In netlink_parse_exthdr(), there's no point in introducing a goto
label since there is but a single affected error check.

- In netlink_parse_hash() non-error path leaked as well if sreg
contained a concatenated expression.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/netlink_delinearize.c | 144 +++++++++++++++++++++++++++++-----------------
1 file changed, 92 insertions(+), 52 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 61cba52..e25160a 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -470,15 +470,15 @@ static void netlink_parse_payload_stmt(struct netlink_parse_ctx *ctx,
offset = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_OFFSET) * BITS_PER_BYTE;
len = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_LEN) * BITS_PER_BYTE;
- expr = payload_expr_alloc(loc, NULL, 0);
- payload_init_raw(expr, base, offset, len);
-
sreg = netlink_parse_register(nle, NFTNL_EXPR_PAYLOAD_SREG);
val = netlink_get_register(ctx, loc, sreg);
if (val == NULL)
return netlink_error(ctx, loc,
"payload statement has no expression");
+ expr = payload_expr_alloc(loc, NULL, 0);
+ payload_init_raw(expr, base, offset, len);
+
stmt = payload_stmt_alloc(loc, expr, val);
list_add_tail(&stmt->list, &ctx->rule->stmts);
@@ -523,9 +523,11 @@ static void netlink_parse_exthdr(struct netlink_parse_ctx *ctx,
sreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_SREG);
val = netlink_get_register(ctx, loc, sreg);
- if (val == NULL)
+ if (val == NULL) {
+ xfree(expr);
return netlink_error(ctx, loc,
"exthdr statement has no expression");
+ }
expr_set_type(val, expr->dtype, expr->byteorder);
@@ -556,22 +558,27 @@ static void netlink_parse_hash(struct netlink_parse_ctx *ctx,
sreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_SREG);
hexpr = netlink_get_register(ctx, loc, sreg);
- if (hexpr == NULL)
- return
+ if (hexpr == NULL) {
netlink_error(ctx, loc,
"hash statement has no expression");
+ goto out_err;
+ }
len = nftnl_expr_get_u32(nle,
NFTNL_EXPR_HASH_LEN) * BITS_PER_BYTE;
if (hexpr->len < len) {
+ xfree(hexpr);
hexpr = netlink_parse_concat_expr(ctx, loc, sreg, len);
if (hexpr == NULL)
- return;
+ goto out_err;
}
expr->hash.expr = hexpr;
}
dreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_DREG);
netlink_set_register(ctx, dreg, expr);
+ return;
+out_err:
+ xfree(expr);
}
static void netlink_parse_fib(struct netlink_parse_ctx *ctx,
@@ -853,10 +860,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MIN);
if (reg1) {
addr = netlink_get_register(ctx, loc, reg1);
- if (addr == NULL)
- return netlink_error(ctx, loc,
- "NAT statement has no address "
- "expression");
+ if (addr == NULL) {
+ netlink_error(ctx, loc,
+ "NAT statement has no address expression");
+ goto out_err;
+ }
if (family == AF_INET)
expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
@@ -869,10 +877,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
reg2 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MAX);
if (reg2 && reg2 != reg1) {
addr = netlink_get_register(ctx, loc, reg2);
- if (addr == NULL)
- return netlink_error(ctx, loc,
- "NAT statement has no address "
- "expression");
+ if (addr == NULL) {
+ netlink_error(ctx, loc,
+ "NAT statement has no address expression");
+ goto out_err;
+ }
if (family == AF_INET)
expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
@@ -887,10 +896,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MIN);
if (reg1) {
proto = netlink_get_register(ctx, loc, reg1);
- if (proto == NULL)
- return netlink_error(ctx, loc,
- "NAT statement has no proto "
- "expression");
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "NAT statement has no proto expression");
+ goto out_err;
+ }
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
stmt->nat.proto = proto;
@@ -899,10 +909,11 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
reg2 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MAX);
if (reg2 && reg2 != reg1) {
proto = netlink_get_register(ctx, loc, reg2);
- if (proto == NULL)
- return netlink_error(ctx, loc,
- "NAT statement has no proto "
- "expression");
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "NAT statement has no proto expression");
+ goto out_err;
+ }
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
if (stmt->nat.proto != NULL)
@@ -911,6 +922,9 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
}
ctx->stmt = stmt;
+ return;
+out_err:
+ xfree(stmt);
}
static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
@@ -931,10 +945,11 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
reg1 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN);
if (reg1) {
proto = netlink_get_register(ctx, loc, reg1);
- if (proto == NULL)
- return netlink_error(ctx, loc,
- "MASQUERADE statement"
- "has no proto expression");
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "MASQUERADE statement has no proto expression");
+ goto out_err;
+ }
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
stmt->masq.proto = proto;
}
@@ -942,10 +957,11 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
reg2 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MAX);
if (reg2 && reg2 != reg1) {
proto = netlink_get_register(ctx, loc, reg2);
- if (proto == NULL)
- return netlink_error(ctx, loc,
- "MASQUERADE statement"
- "has no proto expression");
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "MASQUERADE statement has no proto expression");
+ goto out_err;
+ }
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
if (stmt->masq.proto != NULL)
proto = range_expr_alloc(loc, stmt->masq.proto, proto);
@@ -953,6 +969,9 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
}
ctx->stmt = stmt;
+ return;
+out_err:
+ xfree(stmt);
}
static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
@@ -974,10 +993,11 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
reg1 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MIN);
if (reg1) {
proto = netlink_get_register(ctx, loc, reg1);
- if (proto == NULL)
- return netlink_error(ctx, loc,
- "redirect statement has no proto "
- "expression");
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "redirect statement has no proto expression");
+ goto out_err;
+ }
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
stmt->redir.proto = proto;
@@ -986,10 +1006,11 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
reg2 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MAX);
if (reg2 && reg2 != reg1) {
proto = netlink_get_register(ctx, loc, reg2);
- if (proto == NULL)
- return netlink_error(ctx, loc,
- "redirect statement has no proto "
- "expression");
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "redirect statement has no proto expression");
+ goto out_err;
+ }
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
if (stmt->redir.proto != NULL)
@@ -999,6 +1020,9 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
}
ctx->stmt = stmt;
+ return;
+out_err:
+ xfree(stmt);
}
static void netlink_parse_dup(struct netlink_parse_ctx *ctx,
@@ -1014,9 +1038,11 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx,
reg1 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_ADDR);
if (reg1) {
addr = netlink_get_register(ctx, loc, reg1);
- if (addr == NULL)
- return netlink_error(ctx, loc,
- "DUP statement has no destination expression");
+ if (addr == NULL) {
+ netlink_error(ctx, loc,
+ "DUP statement has no destination expression");
+ goto out_err;
+ }
switch (ctx->table->handle.family) {
case NFPROTO_IPV4:
@@ -1033,9 +1059,11 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx,
reg2 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_DEV);
if (reg2) {
dev = netlink_get_register(ctx, loc, reg2);
- if (dev == NULL)
- return netlink_error(ctx, loc,
- "DUP statement has no output expression");
+ if (dev == NULL) {
+ netlink_error(ctx, loc,
+ "DUP statement has no output expression");
+ goto out_err;
+ }
expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN);
if (stmt->dup.to == NULL)
@@ -1045,6 +1073,9 @@ static void netlink_parse_dup(struct netlink_parse_ctx *ctx,
}
ctx->stmt = stmt;
+ return;
+out_err:
+ xfree(stmt);
}
static void netlink_parse_fwd(struct netlink_parse_ctx *ctx,
@@ -1060,15 +1091,20 @@ static void netlink_parse_fwd(struct netlink_parse_ctx *ctx,
reg1 = netlink_parse_register(nle, NFTNL_EXPR_FWD_SREG_DEV);
if (reg1) {
dev = netlink_get_register(ctx, loc, reg1);
- if (dev == NULL)
- return netlink_error(ctx, loc,
- "fwd statement has no output expression");
+ if (dev == NULL) {
+ netlink_error(ctx, loc,
+ "fwd statement has no output expression");
+ goto out_err;
+ }
expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN);
stmt->fwd.to = dev;
}
ctx->stmt = stmt;
+ return;
+out_err:
+ xfree(stmt);
}
static void netlink_parse_queue(struct netlink_parse_ctx *ctx,
@@ -1135,10 +1171,11 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
dnle = nftnl_expr_get(nle, NFTNL_EXPR_DYNSET_EXPR, NULL);
if (dnle != NULL) {
if (netlink_parse_expr(dnle, ctx) < 0)
- return;
- if (ctx->stmt == NULL)
- return netlink_error(ctx, loc,
- "Could not parse dynset stmt");
+ goto out_err;
+ if (ctx->stmt == NULL) {
+ netlink_error(ctx, loc, "Could not parse dynset stmt");
+ goto out_err;
+ }
dstmt = ctx->stmt;
}
@@ -1155,6 +1192,9 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
}
ctx->stmt = stmt;
+ return;
+out_err:
+ xfree(expr);
}
static void netlink_parse_objref(struct netlink_parse_ctx *ctx,
--
1.8.3.1

60
SOURCES/0013-nft.8-Fix-reject-statement-documentation.patch Normal file
View File

@ -0,0 +1,60 @@
From c2e843f9386bfa01bfbdd2742ce89f6c474ac0ee Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:23:54 +0200
Subject: [PATCH] nft.8: Fix reject statement documentation

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571938
Upstream Status: nftables commit 9b3036bb9f00d

commit 9b3036bb9f00d6e244ed92e0e782c5617ae40b84
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Jun 6 10:56:26 2018 +0200

nft.8: Fix reject statement documentation

First of all, 'with icmp6' is invalid, expected is 'with icmpv6'. In
addition to that, parameter 'type' expects an icmp*_code type, not
icmp*_type. The respective table column was already correct, but in
synopsis it was wrong.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
doc/nft.xml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index c7e12c9..3da5fda 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -4472,14 +4472,14 @@ ip6 filter output log flags all
<arg choice="none">with</arg>
<group choice="req">
<arg>icmp</arg>
- <arg>icmp6</arg>
+ <arg>icmpv6</arg>
<arg>icmpx</arg>
</group>
<arg choice="none">type</arg>
<group choice="req">
- <arg>icmp_type</arg>
- <arg>icmp6_type</arg>
- <arg>icmpx_type</arg>
+ <arg>icmp_code</arg>
+ <arg>icmpv6_code</arg>
+ <arg>icmpx_code</arg>
</group>
</arg>
</cmdsynopsis>
@@ -4516,7 +4516,7 @@ ip6 filter output log flags all
<entry>icmp_code</entry>
</row>
<row>
- <entry>icmp6</entry>
+ <entry>icmpv6</entry>
<entry>ip6</entry>
<entry>icmpv6_code</entry>
</row>
--
1.8.3.1

56
SOURCES/0014-doc-reword-insert-position-this-expects-rule-handle-.patch Normal file
View File

@ -0,0 +1,56 @@
From 9abe6ef333d4d1f7c83e10ee73bca70f64b9fdba Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:36:59 +0200
Subject: [PATCH] doc: reword insert position, this expects rule handle to
insert, not a relative postition

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571968
Upstream Status: nftables commit 45172efadbede
Conflicts: Context change due to missing commit f9cb9580b924f
("doc: nft.8 aim for consistent synopses throughout")

commit 45172efadbedee2b2dedc1e771046cca7edb0111
Author: Florian Westphal <fw@strlen.de>
Date: Tue Apr 24 16:54:52 2018 +0200

doc: reword insert position, this expects rule handle to insert, not a relative postition

Signed-off-by: Florian Westphal <fw@strlen.de>
---
doc/nft.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 3da5fda..45a392f 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -835,7 +835,7 @@ filter input iif $int_ifs accept
<arg choice="opt"><replaceable>family</replaceable></arg>
<arg choice="req"><replaceable>table</replaceable></arg>
<arg choice="req"><replaceable>chain</replaceable></arg>
- <arg choice="opt">position <replaceable>position</replaceable></arg>
+ <arg choice="opt">position <replaceable>handle</replaceable></arg>
<arg choice="req" rep="repeat"><replaceable>statement</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
@@ -868,7 +868,7 @@ filter input iif $int_ifs accept
<para>
Add a new rule described by the list of statements. The rule is appended to the
given chain unless a position is specified, in which case the rule is appended to
- the rule given by the position.
+ the rule given by the handle.
</para>
</listitem>
</varlistentry>
@@ -877,7 +877,7 @@ filter input iif $int_ifs accept
<listitem>
<para>
Similar to the <command>add</command> command, but the rule is prepended to the
- beginning of the chain or before the rule at the given position.
+ beginning of the chain or before the rule with the given handle.
</para>
</listitem>
</varlistentry>
--
1.8.3.1

92
SOURCES/0015-Deprecate-add-insert-rule-position-argument.patch Normal file
View File

@ -0,0 +1,92 @@
From 197711f42a7580918c99536ff891eef7dd040c6b Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:37:57 +0200
Subject: [PATCH] Deprecate add/insert rule 'position' argument

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1571968
Upstream Status: nftables commit effb881c9cef2
Conflicts: Context change due to missing commit f9cb9580b924f
("doc: nft.8 aim for consistent synopses throughout")

commit effb881c9cef28aca47adeec5014e0457507539e
Author: Phil Sutter <phil@nwl.cc>
Date: Wed May 9 16:03:40 2018 +0200

Deprecate add/insert rule 'position' argument

Instead, use 'handle' keyword for the same effect since that is more
consistent with respect to replace/delete commands. The old keyword is
still supported for backwards compatibility and also listed in man page
along with a hint that it shouldn't be used anymore.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
doc/nft.xml | 17 +++++++++++++----
src/parser_bison.y | 8 ++++++++
2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index 45a392f..e6cfb78 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -835,7 +835,13 @@ filter input iif $int_ifs accept
<arg choice="opt"><replaceable>family</replaceable></arg>
<arg choice="req"><replaceable>table</replaceable></arg>
<arg choice="req"><replaceable>chain</replaceable></arg>
- <arg choice="opt">position <replaceable>handle</replaceable></arg>
+ <arg choice="opt">
+ <group choice="req">
+ <arg>handle</arg>
+ <arg>position</arg>
+ </group>
+ <replaceable>handle</replaceable>
+ </arg>
<arg choice="req" rep="repeat"><replaceable>statement</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
@@ -867,8 +873,10 @@ filter input iif $int_ifs accept
<listitem>
<para>
Add a new rule described by the list of statements. The rule is appended to the
- given chain unless a position is specified, in which case the rule is appended to
- the rule given by the handle.
+ given chain unless a <literal>handle</literal> is specified, in which case the
+ rule is appended to the rule given by the <replaceable>handle</replaceable>.
+ The alternative name <literal>position</literal> is deprecated and should not be
+ used anymore.
</para>
</listitem>
</varlistentry>
@@ -877,7 +885,8 @@ filter input iif $int_ifs accept
<listitem>
<para>
Similar to the <command>add</command> command, but the rule is prepended to the
- beginning of the chain or before the rule with the given handle.
+ beginning of the chain or before the rule with the given
+ <replaceable>handle</replaceable>.
</para>
</listitem>
</varlistentry>
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 7016f5b..f9878ba 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1708,6 +1708,14 @@ rule_position : chain_spec
handle_merge(&$1, &$2);
$$ = $1;
}
+ | chain_spec handle_spec
+ {
+ $2.position.location = $2.handle.location;
+ $2.position.id = $2.handle.id;
+ $2.handle.id = 0;
+ handle_merge(&$1, &$2);
+ $$ = $1;
+ }
;
ruleid_spec : chain_spec handle_spec
--
1.8.3.1

54
SOURCES/0016-evaluate-explicitly-deny-concatenated-types-in-inter.patch Normal file
View File

@ -0,0 +1,54 @@
From d8f1860f72840104bff3742f477c572b57a9c3c1 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 20 Jun 2018 09:38:55 +0200
Subject: [PATCH] evaluate: explicitly deny concatenated types in interval sets

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1576426
Upstream Status: nftables commit 9a3d80172a61e

commit 9a3d80172a61e89c2862bcf41cb58313c236b308
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Jun 6 13:21:49 2018 +0200

evaluate: explicitly deny concatenated types in interval sets

Previously, this triggered a program abort:

| # nft add table ip t
| # nft add set ip t my_set '{ type ipv4_addr . inet_service ; flags interval ; }'
| # nft add element ip t my_set '{10.0.0.1 . tcp }'
| BUG: invalid range expression type concat
| nft: expression.c:1085: range_expr_value_low: Assertion `0' failed.

With this patch in place, the 'add set' command above gives an error
message:

| # nft add set ip t my_set3 '{ type ipv4_addr . inet_service ; flags interval ; }'
| Error: concatenated types not supported in interval sets
| add set ip t my_set3 { type ipv4_addr . inet_service ; flags interval ; }
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/evaluate.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 8552e4a..ab1347f 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2865,6 +2865,10 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
"specified in %s definition",
set->key->dtype->name, type);
}
+ if (set->flags & NFT_SET_INTERVAL &&
+ set->key->ops->type == EXPR_CONCAT)
+ return set_error(ctx, set, "concatenated types not supported in interval sets");
+
if (set->flags & NFT_SET_MAP) {
if (set->datatype == NULL)
return set_error(ctx, set, "map definition does not "
--
1.8.3.1

4727
SOURCES/nft.8 Normal file
View File

File diff suppressed because it is too large Load Diff

6
SOURCES/nftables.conf Normal file
View File

@ -0,0 +1,6 @@
#
# This this will contain your nftables rules and
# is read by the systemd service when restarting
#
# These provide an iptables like set of filters
# (uncomment to include)

17
SOURCES/nftables.service Normal file
View File

@ -0,0 +1,17 @@
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

155
SPECS/nftables.spec Normal file
View File

@ -0,0 +1,155 @@
%define rpmversion 0.8
%define specrelease 10%{?dist}
%define libnftnlversion 1.0.8-1

Name: nftables
Version: %{rpmversion}
Release: %{specrelease}
Epoch: 1
Summary: Netfilter Tables userspace utillites
License: GPLv2
URL: http://netfilter.org/projects/nftables/
Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2
Source1: nftables.service
Source2: nftables.conf
Source3: nft.8
BuildRequires: flex
BuildRequires: bison
BuildRequires: libmnl-devel
BuildRequires: gmp-devel
BuildRequires: readline-devel
BuildRequires: libnftnl-devel >= %{libnftnlversion}
# docbook2X is available in EPEL repo only, which is not included in Brew
#BuildRequires: docbook2X
#BuildRequires: docbook-dtds
BuildRequires: systemd
Patch0: 0001-src-fix-protocol-context-update-on-big-endian-system.patch
Patch1: 0002-netlink_linearize-exthdr-op-must-be-u32.patch
Patch2: 0003-src-avoid-errouneous-assert-with-map-concat.patch
Patch3: 0004-Review-switch-statements-for-unmarked-fall-through-c.patch
Patch4: 0005-monitor-Make-trace-events-respect-output_fp.patch
Patch5: 0006-monitor-Make-JSON-XML-output-respect-output_fp.patch
Patch6: 0007-cli-Drop-pointless-check-in-cli_append_multiline.patch
Patch7: 0008-erec-Avoid-passing-negative-offset-to-fseek.patch
Patch8: 0009-evaluate-Fix-memleak-in-stmt_reject_gen_dependency.patch
Patch9: 0010-hash-Fix-potential-null-pointer-dereference-in-hash_.patch
Patch10: 0011-netlink-Complain-if-setting-O_NONBLOCK-fails.patch
Patch11: 0012-netlink_delinearize-Fix-resource-leaks.patch
Patch12: 0013-nft.8-Fix-reject-statement-documentation.patch
Patch13: 0014-doc-reword-insert-position-this-expects-rule-handle-.patch
Patch14: 0015-Deprecate-add-insert-rule-position-argument.patch
Patch15: 0016-evaluate-explicitly-deny-concatenated-types-in-inter.patch

%description
Netfilter Tables userspace utilities.

%prep
%autosetup -p1

%build
%configure --disable-silent-rules DOCBOOK2X_MAN="no" DOCBOOK2MAN="no" DB2X_DOCBOOK2MAN="no"
make %{?_smp_mflags}

%install
%make_install
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
cp -a %{SOURCE3} $RPM_BUILD_ROOT/%{_mandir}/man8/
chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*

mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/

mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
for f in $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*; do
echo "# include \"%{_sysconfdir}/nftables/$(basename $f)\""
done >> $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf
chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf
chmod 750 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*

%post
%systemd_post nftables.service

%preun
%systemd_preun nftables.service

%postun
%systemd_postun_with_restart nftables.service

%files
%doc COPYING TODO
%config(noreplace) %{_sysconfdir}/nftables/
%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
%{_sbindir}/nft
%{_mandir}/man8/nft*
%{_unitdir}/nftables.service

%changelog
* Wed Jun 20 2018 Phil Sutter <psutter@redhat.com> [0.8-10.el7]
- Bump epoch to allow upgrading from EPEL (Phil Sutter) [1575059]

* Wed Jun 20 2018 Phil Sutter <psutter@redhat.com> [0.8-9.el7]
- evaluate: explicitly deny concatenated types in interval sets (Phil Sutter) [1576426]
- Deprecate add/insert rule 'position' argument (Phil Sutter) [1571968]
- doc: reword insert position, this expects rule handle to insert, not a relative postition (Phil Sutter) [1571968]
- nft.8: Fix reject statement documentation (Phil Sutter) [1571938]
- netlink_delinearize: Fix resource leaks (Phil Sutter) [1504157]
- netlink: Complain if setting O_NONBLOCK fails (Phil Sutter) [1504157]
- hash: Fix potential null-pointer dereference in hash_expr_cmp() (Phil Sutter) [1504157]
- evaluate: Fix memleak in stmt_reject_gen_dependency() (Phil Sutter) [1504157]
- erec: Avoid passing negative offset to fseek() (Phil Sutter) [1504157]
- cli: Drop pointless check in cli_append_multiline() (Phil Sutter) [1504157]
- monitor: Make JSON/XML output respect output_fp (Phil Sutter) [1504157]
- monitor: Make trace events respect output_fp (Phil Sutter) [1504157]
- Review switch statements for unmarked fall through cases (Phil Sutter) [1504157]

* Wed Jun 06 2018 Phil Sutter <psutter@redhat.com> [0.8-8.el7]
- src: avoid errouneous assert with map+concat (Phil Sutter) [1540917]

* Mon Dec 18 2017 Phil Sutter <psutter@redhat.com> [0.8-7.el7]
- A proper fix for incompatible docbook2man (Phil Sutter) [1523239]

* Thu Dec 14 2017 Phil Sutter <psutter@redhat.com> [0.8-6.el7]
- netlink_linearize: exthdr op must be u32 (Phil Sutter) [1524246]
- src: fix protocol context update on big-endian systems (Phil Sutter) [1523016]

* Fri Dec 08 2017 Phil Sutter <psutter@redhat.com> [0.8-5.el7]
- Prevent build failure due to incompatible docbook2man (Phil Sutter) [1523239]

* Sat Oct 14 2017 Phil Sutter <psutter@redhat.com> [0.8-4.el7]
- Update /etc/sysconfig/nftables.conf with new config samples (Phil Sutter) [1472261]

* Fri Oct 13 2017 Phil Sutter <psutter@redhat.com> [0.8-3.el7]
- Fix typo in spec file (Phil Sutter) [1451404]

* Fri Oct 13 2017 Phil Sutter <psutter@redhat.com> [0.8-2.el7]
- Fix permissions of installed config files (Phil Sutter) [1451404]

* Fri Oct 13 2017 Phil Sutter <psutter@redhat.com> [0.8-1.el7]
- Rebase onto upstream version 0.8 (Phil Sutter) [1472261]

* Fri May 12 2017 Phil Sutter <psutter@redhat.com> [0.6-4.el7]
- evaluate: Avoid undefined behaviour in concat_subtype_id() (Phil Sutter) [1360789]
- src: Interpret OP_NEQ against a set as OP_LOOKUP (Phil Sutter) [1440011]
- include: refresh uapi/linux/netfilter/nf_tables.h copy (Phil Sutter) [1440011]
- datatype: time_type should send milliseconds to userspace (Phil Sutter) [1427114]
- meta: fix memory leak in tc classid parser (Phil Sutter) [1380326]
- src: meta priority support using tc classid (Phil Sutter) [1380326]
- src: simplify classid printing using x instead of 04x (Phil Sutter) [1380326]
- src: rename datatype name from tc_handle to classid (Phil Sutter) [1380326]
- payload: don't update protocol context if we can't find a description (Timothy Redaelli) [1446534 1399764]
- evaluate: reject: Have a generic fix for missing network context (Timothy Redaelli) [1360354]

* Mon Mar 06 2017 Phil Sutter <psutter@redhat.com> [0.6-3.el7]
- nftables.spec: Require at least libnftnl-1.0.6-4 (Phil Sutter) [1358705]
- evaluate: Fix datalen checks in expr_evaluate_string() (Phil Sutter) [1360240]
- netlink_delinearize: Avoid potential null pointer deref (Timothy Redaelli) [1360257]
- src: use new range expression for != [a,b] intervals (Phil Sutter) [1358705]

* Tue Jul 19 2016 Phil Sutter <psutter@redhat.com> 0.6-2
- Add pre-generated nft.8 to overcome missing docbook2X package.

* Wed Jun 29 2016 Phil Sutter <psutter@redhat.com> 0.6-1
- Rebased from Fedora Rawhide and adjusted for RHEL review.