fix coredumps

(cherry picked from commit 131dbe0e2ca6a4113cd8a5d5cd814f344aa5f041)
eaglegai 2024-12-10 03:02:02 +00:00 committed by openeuler-sync-bot
parent 8d7f52497d
commit 99891aed17
3 changed files with 196 additions and 1 deletions


@ -0,0 +1,88 @@
From a8ff324dc64fd76f7d218d3d94c5885250951258 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Fri, 28 Jul 2023 21:04:13 +0200
Subject: ct expectation: fix 'list object x' vs. 'list objects in table'
confusion
Just like "ct timeout", "ct expectation" is in need of the same fix,
we get segfault on "nft list ct expectation table t", if table t exists.
This is the exact same pattern as resolved for "ct timeout" in commit
1d2e22fc0521 ("ct timeout: fix 'list object x' vs. 'list objects in table' confusion").
Signed-off-by: Florian Westphal <fw@strlen.de>
Conflict:NA
Reference:https://git.netfilter.org/nftables/commit/?id=a8ff324dc64fd76f7d218d3d94c5885250951258
---
include/rule.h | 1 +
src/cache.c | 1 +
src/evaluate.c | 1 +
src/parser_bison.y | 2 +-
src/rule.c | 1 +
5 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/rule.h b/include/rule.h
index 5cb549c2..13ab1bf3 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -649,6 +649,7 @@ enum cmd_obj {
CMD_OBJ_SECMARK,
CMD_OBJ_SECMARKS,
CMD_OBJ_CT_EXPECT,
+ CMD_OBJ_CT_EXPECTATIONS,
CMD_OBJ_SYNPROXY,
CMD_OBJ_SYNPROXYS,
CMD_OBJ_HOOKS,
diff --git a/src/cache.c b/src/cache.c
index 5cab2622..b6a7e194 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -377,6 +377,7 @@ static int nft_handle_validate(const struct cmd *cmd, struct list_head *msgs)
case CMD_OBJ_CT_TIMEOUT:
case CMD_OBJ_CT_TIMEOUTS:
case CMD_OBJ_CT_EXPECT:
+ case CMD_OBJ_CT_EXPECTATIONS:
if (h->table.name &&
strlen(h->table.name) > NFT_NAME_MAXLEN) {
loc = &h->table.location;
diff --git a/src/evaluate.c b/src/evaluate.c
index 33e4ac93..8fc1ca7e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -5425,6 +5425,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_SECMARKS:
case CMD_OBJ_SYNPROXYS:
case CMD_OBJ_CT_TIMEOUTS:
+ case CMD_OBJ_CT_EXPECTATIONS:
if (cmd->handle.table.name == NULL)
return 0;
if (!table_cache_find(&ctx->nft->cache.table_cache,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 553ddf97..ef5011c1 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4770,7 +4770,7 @@ ct_obj_type : HELPER { $$ = NFT_OBJECT_CT_HELPER; }
ct_cmd_type : HELPERS { $$ = CMD_OBJ_CT_HELPERS; }
| TIMEOUT { $$ = CMD_OBJ_CT_TIMEOUTS; }
- | EXPECTATION { $$ = CMD_OBJ_CT_EXPECT; }
+ | EXPECTATION { $$ = CMD_OBJ_CT_EXPECTATIONS; }
;
ct_l4protoname : TCP close_scope_tcp { $$ = IPPROTO_TCP; }
diff --git a/src/rule.c b/src/rule.c
index f4d00a8d..4e60c1e6 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2360,6 +2360,7 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_CT_TIMEOUTS:
return do_list_obj(ctx, cmd, NFT_OBJECT_CT_TIMEOUT);
case CMD_OBJ_CT_EXPECT:
+ case CMD_OBJ_CT_EXPECTATIONS:
return do_list_obj(ctx, cmd, NFT_OBJECT_CT_EXPECT);
case CMD_OBJ_LIMIT:
case CMD_OBJ_LIMITS:
--
cgit v1.2.3
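Review bot: The backport touches five C/bison sites but ships no regression test for the command that crashed, so nothing in this package's test run would catch a re-introduction of the NULL-object listing path on a later rebase. A one-line testcase under tests/shell/testcases (the second patch in this commit already edits that directory) would pin it: `$NFT add table t` followed by `$NFT list ct expectation table t`, expecting exit status 0. The fix itself mirrors the earlier ct-timeout change cited in the message and covers the CLI parser, cache validation, evaluation and listing; whether the JSON front end maps the same "list objects in table" request to CMD_OBJ_CT_EXPECT as well is not visible here and is worth confirming before calling the crash fully closed.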


@ -0,0 +1,97 @@
From 1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 10 Jul 2024 02:33:37 +0200
Subject: tests: shell: connect chains to hook point
These tests should fail because they contain a loop or exceed the jump stack.
But this depends on the kernel validating chains that are not bound to any
basechain/hook point.
Wire up the initial chain to filter type.
Without this tests will start to fail when kernel stops validating
chains that are not reachable by any base chain.
Signed-off-by: Florian Westphal <fw@strlen.de>
Conflict:delete the file that we don't have
Reference:https://git.netfilter.org/nftables/commit/?id=1fc78397e9a1fb5e41841b8b4e92a9eb9536c6f1
---
tests/shell/testcases/chains/0003jump_loop_1 | 3 ++-
tests/shell/testcases/chains/0010endless_jump_loop_1 | 2 +-
tests/shell/testcases/chains/0011endless_jump_loop_1 | 2 +-
tests/shell/testcases/chains/0018check_jump_loop_1 | 2 +-
tests/shell/testcases/transactions/0023rule_1 | 2 +-
5 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/tests/shell/testcases/chains/0003jump_loop_1 b/tests/shell/testcases/chains/0003jump_loop_1
index 80e243f0..1a8eaf68 100755
--- a/tests/shell/testcases/chains/0003jump_loop_1
+++ b/tests/shell/testcases/chains/0003jump_loop_1
@@ -5,8 +5,9 @@ set -e
MAX_JUMPS=16
$NFT add table t
+$NFT "add chain t c1 { type filter hook prerouting priority 0; }"
-for i in $(seq 1 $MAX_JUMPS)
+for i in $(seq 2 $MAX_JUMPS)
do
$NFT add chain t c${i}
done
diff --git a/tests/shell/testcases/chains/0010endless_jump_loop_1 b/tests/shell/testcases/chains/0010endless_jump_loop_1
index 5d3ef239..6000e5d7 100755
--- a/tests/shell/testcases/chains/0010endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0010endless_jump_loop_1
@@ -3,7 +3,7 @@
set -e
$NFT add table t
-$NFT add chain t c
+$NFT add chain "t c { type filter hook input priority 0; }"
# kernel should return ELOOP
$NFT add rule t c tcp dport vmap {1 : jump c} 2>/dev/null || exit 0
diff --git a/tests/shell/testcases/chains/0011endless_jump_loop_1 b/tests/shell/testcases/chains/0011endless_jump_loop_1
index d75932d7..66abf8d0 100755
--- a/tests/shell/testcases/chains/0011endless_jump_loop_1
+++ b/tests/shell/testcases/chains/0011endless_jump_loop_1
@@ -3,7 +3,7 @@
set -e
$NFT add table t
-$NFT add chain t c1
+$NFT add chain "t c1 { type filter hook forward priority 0; }"
$NFT add chain t c2
$NFT add map t m {type inet_service : verdict \;}
$NFT add element t m {2 : jump c2}
diff --git a/tests/shell/testcases/chains/0018check_jump_loop_1 b/tests/shell/testcases/chains/0018check_jump_loop_1
index b87520f2..1e674d3d 100755
--- a/tests/shell/testcases/chains/0018check_jump_loop_1
+++ b/tests/shell/testcases/chains/0018check_jump_loop_1
@@ -3,7 +3,7 @@
set -e
$NFT add table ip filter
-$NFT add chain ip filter ap1
+$NFT add chain ip filter ap1 "{ type filter hook input priority 0; }"
$NFT add chain ip filter ap2
$NFT add rule ip filter ap1 jump ap2
diff --git a/tests/shell/testcases/transactions/0023rule_1 b/tests/shell/testcases/transactions/0023rule_1
index e58c088c..863bcde4 100755
--- a/tests/shell/testcases/transactions/0023rule_1
+++ b/tests/shell/testcases/transactions/0023rule_1
@@ -1,7 +1,7 @@
#!/bin/bash
RULESET="add table x
-add chain x y
+add chain x y { type filter hook input priority 0; }
add rule x y jump y"
# kernel must return ELOOP
--
cgit v1.2.3
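Review bot: The `Conflict:` trailer says a file this package does not have was dropped, but it does not name it, so a later rebase cannot tell which upstream hunk is missing from this five-file version of the patch. Name it in the trailer, e.g. `Conflict: dropped hunk for <testcase path not present in this tree>` (placeholder for the real path). The testcase edits are consistent with each other: each loop test now anchors its first chain to a base hook so the kernel still validates it, and 0003jump_loop_1's loop correctly starts at 2 to skip the pre-created c1. One style nit in 0018check_jump_loop_1: it quotes only the chain spec (`ap1 "{ type filter hook input priority 0; }"`) while the other files quote the whole `table chain { … }` argument; both parse, but matching the others makes the tests easier to grep.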


@ -1,6 +1,6 @@
Name: nftables
Version: 1.0.8
Release: 5
Release: 6
Epoch: 1
Summary: A subsystem of the Linux kernel processing network data
License: GPLv2
@ -65,6 +65,9 @@ Patch0052: backport-tests-shell-add-regression-test-for-double-free-crash-b
Patch0053: backport-evaluate-handle-invalid-mapping-expressions-in-stateful-object-statements-gracefully.patch
Patch0054: backport-evaluate-Fix-incorrect-checking-the-base-variable-in-case-of-IPV6.patch
Patch0055: backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
Patch0056: backport-tests-shell-connect-chains-to-hook-point.patch
BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
BuildRequires: iptables-devel jansson-devel python3-devel
BuildRequires: chrpath libedit-devel
@ -163,6 +166,13 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%{python3_sitelib}/nftables/
%changelog
* Tue Dec 10 2024 gaihuiying <eaglegai@163.com> - 1:1.0.8-6
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:ct expectation: fix 'list object x' vs. 'list objects in table' confusion
tests: shell: connect chains to hook point
* Wed Sep 25 2024 gaihuiying <eaglegai@163.com> - 1:1.0.8-5
- Type:bugfix
- CVE:NA
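Review bot: The changelog's second DESC line (`tests: shell: connect chains to hook point`) is neither prefixed nor indented, so it reads as a stray line rather than a continuation of `- DESC:`; indent it under the DESC entry, e.g. `        tests: shell: connect chains to hook point`, or fold both subjects into one `- DESC:` line. Patch0055 and Patch0056 are numbered contiguously after Patch0054, but whether they are actually applied depends on the `%prep` section using `%autosetup`/`%autopatch`, which is outside this hunk and should be confirmed. The Release bump to 6 matches the `1:1.0.8-6` changelog header.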