Package: nftables / 0.9.8-3.1+deb11u2

Metadata

Package Version Patches format
nftables 0.9.8-3.1+deb11u2 3.0 (quilt)

Patch series

Patch File delta Description
payload check icmp dependency before removing previo.patch

src/payload.c | 63 42 + 21 - 0 !
1 file changed, 42 insertions(+), 21 deletions(-)

 [patch] payload: check icmp dependency before removing previous icmp expression

nft is too greedy when removing icmp dependencies.
'icmp code 1 type 2' did remove the type when printing.

Be more careful and check that the icmp type dependency of the
candidate expression (earlier icmp payload expression) has the same
type dependency as the new expression.

Reported-by: Eric Garver <eric@garver.life>
Reported-by: Michael Biebl <biebl@debian.org>
Tested-by: Eric Garver <eric@garver.life>
Fixes: d0f3b9eaab8d77e ("payload: auto-remove simple icmp/icmpv6 dependency expressions")
Signed-off-by: Florian Westphal <fw@strlen.de>

rule_fix_for_potential_off by one_in_cmd_add_loc.patch

src/rule.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 rule: fix for potential off-by-one in cmd_add_loc()

Using num_attrs as index means it must be at max one less than the
array's size at function start.

Fixes: 27362a5bfa433 ("rule: larger number of error locations")
Signed-off-by: Phil Sutter <phil@nwl.cc>

cache rename chain_htable to cache_chain_ht.patch

include/rule.h | 4 2 + 2 - 0 !
src/cache.c | 6 3 + 3 - 0 !
src/rule.c | 6 3 + 3 - 0 !
3 files changed, 8 insertions(+), 8 deletions(-)

 [patch nft 0.9.8] cache: rename chain_htable to cache_chain_ht

upstream 3542e49cf539ecfcef6ef7c2d4befb7896ade2cd commit.

Rename the hashtable chain that is used for fast cache lookups.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src split chain list in table.patch

include/rule.h | 2 2 + 0 - 0 !
src/cache.c | 6 3 + 3 - 0 !
src/json.c | 6 3 + 3 - 0 !
src/rule.c | 18 11 + 7 - 0 !
4 files changed, 19 insertions(+), 13 deletions(-)

 [patch nft 0.9.8] src: split chain list in table

upstream a3ac2527724dd27628e12caaa55f731b109e4586 commit.

This patch splits table->lists in two:

- Chains that reside in the cache are stored in the new
  tables->cache_chain and tables->cache_chain_ht. The hashtable chain
  cache allows for fast chain lookups.

- Chains that are defined via command line / ruleset file reside in
  tables->chains.

Note that chains in the cache (already in the kernel) are not placed in
the table->chains.

By keeping separated lists, chains defined via command line / ruleset
file can be added to cache.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

evaluate init cmd pointer for new on stack context.patch

src/evaluate.c | 1 1 + 0 - 0 !
tests/shell/testcases/chains/0041chain_binding_0 | 6 6 + 0 - 0 !
2 files changed, 7 insertions(+)

 [patch nft 0.9.8] evaluate: init cmd pointer for new on-stack context

upstream 4e718641397c876315a87db441afc53139863122 commit.

else, this will segfault when trying to print the
"table 'x' doesn't exist" error message.

Signed-off-by: Florian Westphal <fw@strlen.de>

rule add helper function to expand chain rules into .patch

src/rule.c | 39 22 + 17 - 0 !
1 file changed, 22 insertions(+), 17 deletions(-)

 [patch nft 0.9.8] rule: add helper function to expand chain rules into commands

upstream 784597a4ed63b9decb10d74fdb49a1b021e22728 commit.

This patch adds a helper function to expand chain rules into commands.
This comes in preparation for the follow up patch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

rule expand standalone chain that contains rules.patch

src/rule.c | 15 12 + 3 - 0 !
tests/shell/testcases/include/0020include_chain_0 | 23 23 + 0 - 0 !
tests/shell/testcases/include/dumps/0020include_chain_0.nft | 6 6 + 0 - 0 !
3 files changed, 41 insertions(+), 3 deletions(-)

 [patch nft 0.9.8] rule: expand standalone chain that contains rules

upstream 27c753e4a8d4744f479345e3f5e34cafef751602 commit.

Otherwise rules that this chain contains are ignored when expressed
using the following syntax:

chain inet filter input2 {
       type filter hook input priority filter; policy accept;
       ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop
}

When expanding the chain, remove the rule so the new CMD_OBJ_CHAIN
case does not expand it again.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1655
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src expand table command before evaluation.patch

include/rule.h | 1 1 + 0 - 0 !
src/evaluate.c | 39 0 + 39 - 0 !
src/libnftables.c | 9 8 + 1 - 0 !
src/rule.c | 21 19 + 2 - 0 !
4 files changed, 28 insertions(+), 42 deletions(-)

 [patch nft 0.9.8] src: expand table command before evaluation

upstream 3975430b12d97c92cdf03753342f2269153d5624 commit.

The nested syntax notation results in one single table command which