Date: Wednesday, February 25, 2015 @ 05:23:05 Author: seblu Revision: 231965
upgpkg: nftables 1:0.4-4 - fix FS#43939 Added: nftables/trunk/01-fix-object-order-via-nft--f.patch Modified: nftables/trunk/PKGBUILD --------------------------------------+ 01-fix-object-order-via-nft--f.patch | 50 +++++++++++++++++++++++++++++++++ PKGBUILD | 12 +++++-- 2 files changed, 59 insertions(+), 3 deletions(-) Added: 01-fix-object-order-via-nft--f.patch =================================================================== --- 01-fix-object-order-via-nft--f.patch (rev 0) +++ 01-fix-object-order-via-nft--f.patch 2015-02-25 04:23:05 UTC (rev 231965) 
@@ -0,0 +1,50 @@
+From 454ffab9cc695b9618324a6a0a4dead6d5289f8d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sat, 14 Feb 2015 21:41:23 +0100
+Subject: rule: fix object order via nft -f
+
+The objects need to be loaded in the following order:
+
+ #1 tables
+ #2 chains
+ #3 sets
+ #4 rules
+
+We have to make sure that chains are in place by when we add rules with
+jumps/gotos. Similarly, we have to make sure that the sets are in place
+by when rules reference them.
+
+Without this patch, you may hit ENOENT errors depending on your ruleset
+configuration.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+
+diff --git a/src/rule.c b/src/rule.c
+index feafe26..8d76fd0 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -658,14 +658,19 @@ static int do_add_table(struct netlink_ctx *ctx, const struct handle *h,
+ if (netlink_add_table(ctx, h, loc, table, excl) < 0)
+ return -1;
+ if (table != NULL) {
++ list_for_each_entry(chain, &table->chains, list) {
++ if (netlink_add_chain(ctx, &chain->handle,
++ &chain->location, chain,
++ excl) < 0)
++ return -1;
++ }
+ list_for_each_entry(set, &table->sets, list) {
+ handle_merge(&set->handle, &table->handle);
+ if (do_add_set(ctx, &set->handle, set) < 0)
+ return -1;
+ }
+ list_for_each_entry(chain, &table->chains, list) {
+- if (do_add_chain(ctx, &chain->handle, &chain->location,
+- chain, excl) < 0)
++ if (netlink_add_rule_list(ctx, h, &chain->rules) < 0)
+ return -1;
+ }
+ }
+--
+cgit v0.10.2
+
Modified: PKGBUILD ===================================================================
--- PKGBUILD 2015-02-25 04:04:04 UTC (rev 231964)
+++ PKGBUILD 2015-02-25 04:23:05 UTC (rev 231965)
@@ -4,7 +4,7 @@
 pkgname=nftables
 epoch=1
 pkgver=0.4
-pkgrel=3
+pkgrel=4
 pkgdesc='Netfilter tables userspace tools'
 arch=('i686' 'x86_64')
 url='http://netfilter.org/projects/nftables/'
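Review bot: The rewritten third loop passes the table handle `h` to `netlink_add_rule_list(ctx, h, &chain->rules)`, whereas the removed `do_add_chain` call received `&chain->handle`; if netlink_add_rule_list merges each rule's handle from its handle argument (its body is not visible here), rules now get only the table from `h` and rely on the parser having already filled in each rule's chain, so a one-line comment at that call is warranted, e.g. `/* rules already carry their chain in rule->handle; h supplies only the table */`, or `&chain->handle` should be passed as before if that assumption does not hold. Likewise the new first loop calls `netlink_add_chain` on `&chain->handle` without the `handle_merge(..., &table->handle)` the sets loop performs, so chain handles must already be complete at this point. The ordering fix matters beyond usability: a ruleset loaded with `nft -f` at boot that stops on ENOENT presumably leaves the host with a partial firewall, which is why this backport belongs in the shipped package. `do_add_table` begins and ends outside this hunk; its return statement is not shown.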
@@ -16,13 +16,19 @@
 source=("http://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.bz2"{,.sig}
 'nftables.conf'
 'nftables.service'
- 'nftables-reload')
+ 'nftables-reload'
+ '01-fix-object-order-via-nft--f.patch')
 sha1sums=('c557c710510c59e4280d271e5b7232af7ba3fbb7'
 'SKIP'
 'a7146fad414f9e827e2e83b630308890c876b80d'
 '65833b9c5b777cfb3a0776060c569a727ce6f460'
- 'd9f40e751b44dd9dc9fdb3b7eba3cc0a9b7e1b01')
+ 'd9f40e751b44dd9dc9fdb3b7eba3cc0a9b7e1b01'
+ '90e40bc1f17963428d7d65dc8efa697d9ed9eec4')
 
+prepare() {
+ patch -p1 -d $pkgname-$pkgver < '01-fix-object-order-via-nft--f.patch'
+}
+
 build() {
 cd $pkgname-$pkgver
 ./configure \
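Review bot: The new `prepare()` applies a patch whose provenance is recorded only inside the patch file itself; a comment at the `patch` call naming the upstream commit and the bug keeps later rebases auditable, e.g. `# backport of upstream 454ffab9 "rule: fix object order via nft -f" (FS#43939)`. The added `sha1sums` entry pins only the copy of the patch committed next to the PKGBUILD, and SHA-1 is no longer considered collision-resistant; makepkg accepts `sha256sums`, so migrating the array when the next tarball is pinned would strengthen the check on nftables-$pkgver.tar.bz2 alongside its `.sig` (whose entry is `SKIP`). Quoting the directory argument, `patch -p1 -d "$pkgname-$pkgver" < '01-fix-object-order-via-nft--f.patch'`, matches the usual makepkg style even though neither variable contains whitespace here. The hunk ends inside `build()` at the `./configure \` continuation, so the rest of that function is not visible.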
