Package: nftables / 1.0.6-2+deb12u2
Metadata
Package | Version | Patches format |
---|---|---|
nftables | 1.0.6-2+deb12u2 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
0001 debian bug 1038724.patch | src/cache.c 2 2 + 0 - 0 ! | cache: include set elements in "nft set list". Make "nft list sets" include set elements in listing by default. In nftables 1.0.0, "nft list sets" did not include the set elements, but with "--json" they were included. 1.0.1 and newer never include them. This causes a problem for people updating from 1.0.0 and relying on the presence of the set elements. Change nftables to always include the set elements. The "--terse" option is honored to get the "no elements" behaviour. Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands") Link: https://marc.info/?l=netfilter&m=168704941828372&w=2 Signed-off-by: Florian Westphal <fw@strlen.de> |
invalid octal fix.patch | src/scanner.l 18 15 + 3 - 0 ! | fix handling of invalid octal strings. nft treats numeric strings beginning with a leading zero as octal, even if they contain non-octal digits (8 or 9), truncating the string as soon as one of these is reached. Thus the string "0308" will be incorrectly parsed as 24. This patch causes nft to reject such strings instead. |
rule add helper function to expand chain rules into .patch | src/rule.c 39 22 + 17 - 0 ! | [patch 1/3,nft] rule: add helper function to expand chain rules into commands. [ upstream commit 784597a4ed63b9decb10d74fdb49a1b021e22728 ] This patch adds a helper function to expand chain rules into commands. This comes in preparation for the follow up patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
rule expand standalone chain that contains rules.patch | src/rule.c 15 12 + 3 - 0 ! | [patch 2/3,nft] rule: expand standalone chain that contains rules. [ upstream 27c753e4a8d4744f479345e3f5e34cafef751602 commit ] Otherwise rules that this chain contains are ignored when expressed using the following syntax: `chain inet filter input2 { type filter hook input priority filter; policy accept; ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop }` When expanding the chain, remove the rule so the new CMD_OBJ_CHAIN case does not expand it again. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1655 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
src expand table command before evaluation.patch | include/rule.h 1 1 + 0 - 0 ! | [patch 3/3,nft] src: expand table command before evaluation. [ upstream 3975430b12d97c92cdf03753342f2269153d5624 commit ] The nested syntax notation results in one single table command which