Date: Monday, December 7, 2015 @ 23:39:21 Author: seblu Revision: 253586
upgpkg: nftables 1:0.5-2 - FS#47289 Added: nftables/trunk/001-fix-FS#47289.patch Modified: nftables/trunk/PKGBUILD Deleted: nftables/trunk/01-fix-object-order-via-nft--f.patch --------------------------------------+ 001-fix-FS#47289.patch | 49 ++++++++++++++++++++++++++++++++ 01-fix-object-order-via-nft--f.patch | 50 --------------------------------- PKGBUILD | 11 ++++++- 3 files changed, 59 insertions(+), 51 deletions(-) Added: 001-fix-FS#47289.patch ===================================================================
--- 001-fix-FS#47289.patch (rev 0)
+++ 001-fix-FS#47289.patch 2015-12-07 22:39:21 UTC (rev 253586)
@@ -0,0 +1,49 @@
+From e6c83f45f522283c7afff4de7a71113116352dbf Mon Sep 17 00:00:00 2001
+From: Florian Westphal <[email protected]>
+Date: Thu, 1 Oct 2015 00:13:02 +0200
+Subject: expression: provide clone operation for set element ops
+
+define addrs={ 1.2.3.4 }
+table ip filter {
+ chain input {
+ type filter hook input priority 0;
+ ip saddr $addrs accept
+ }
+}
+
+segfaults. Using saddr { 1.2.3.4 } instead of $addrs works.
+
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801087
+Tested-by: Arturo Borrero Gonzalez <[email protected]>
+Signed-off-by: Florian Westphal <[email protected]>
+---
+ src/expression.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/expression.c b/src/expression.c
+index 3edc550..ab195e5 100644
+--- a/src/expression.c
++++ b/src/expression.c
+@@ -907,9 +907,19 @@ static void set_elem_expr_destroy(struct expr *expr)
+ expr_free(expr->key);
+ }
+
++static void set_elem_expr_clone(struct expr *new, const struct expr *expr)
++{
++ new->key = expr_clone(expr->key);
++ new->expiration = expr->expiration;
++ new->timeout = expr->timeout;
++ if (expr->comment)
++ new->comment = xstrdup(expr->comment);
++}
++
+ static const struct expr_ops set_elem_expr_ops = {
+ .type = EXPR_SET_ELEM,
+ .name = "set element",
++ .clone = set_elem_expr_clone,
+ .print = set_elem_expr_print,
+ .destroy = set_elem_expr_destroy,
+ };
+--
+cgit v0.11.2
+
Deleted: 01-fix-object-order-via-nft--f.patch ===================================================================
--- 01-fix-object-order-via-nft--f.patch 2015-12-07 22:07:39 UTC (rev 253585)
+++ 01-fix-object-order-via-nft--f.patch 2015-12-07 22:39:21 UTC (rev 253586)
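Review bot: In `set_elem_expr_clone`, `new->comment` is written only when `expr->comment` is non-NULL, so the NULL case depends on `new` arriving zero-initialised from whatever allocates it inside `expr_clone`, which this hunk does not show. If that assumption ever stops holding, any later read or release of the clone's comment would use an indeterminate pointer; the unconditional form `new->comment = expr->comment ? xstrdup(expr->comment) : NULL;` removes the dependency. The context lines of `set_elem_expr_destroy` show only `expr_free(expr->key);` and that function starts outside the hunk, so it is worth confirming there that the duplicated comment string is released as well. A one-line comment above the clone, such as `/* deep copy: the clone owns its own key and comment */`, would record the ownership rule next to the destroy operation it has to match.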
@@ -1,50 +0,0 @@
-From 454ffab9cc695b9618324a6a0a4dead6d5289f8d Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <[email protected]>
-Date: Sat, 14 Feb 2015 21:41:23 +0100
-Subject: rule: fix object order via nft -f
-
-The objects need to be loaded in the following order:
-
- #1 tables
- #2 chains
- #3 sets
- #4 rules
-
-We have to make sure that chains are in place by when we add rules with
-jumps/gotos. Similarly, we have to make sure that the sets are in place
-by when rules reference them.
-
-Without this patch, you may hit ENOENT errors depending on your ruleset
-configuration.
-
-Signed-off-by: Pablo Neira Ayuso <[email protected]>
-
-diff --git a/src/rule.c b/src/rule.c
-index feafe26..8d76fd0 100644
---- a/src/rule.c
-+++ b/src/rule.c
-@@ -658,14 +658,19 @@ static int do_add_table(struct netlink_ctx *ctx, const struct handle *h,
- if (netlink_add_table(ctx, h, loc, table, excl) < 0)
- return -1;
- if (table != NULL) {
-+ list_for_each_entry(chain, &table->chains, list) {
-+ if (netlink_add_chain(ctx, &chain->handle,
-+ &chain->location, chain,
-+ excl) < 0)
-+ return -1;
-+ }
- list_for_each_entry(set, &table->sets, list) {
- handle_merge(&set->handle, &table->handle);
- if (do_add_set(ctx, &set->handle, set) < 0)
- return -1;
- }
- list_for_each_entry(chain, &table->chains, list) {
-- if (do_add_chain(ctx, &chain->handle, &chain->location,
-- chain, excl) < 0)
-+ if (netlink_add_rule_list(ctx, h, &chain->rules) < 0)
- return -1;
- }
- }
---
-cgit v0.10.2
-
Modified: PKGBUILD ===================================================================
--- PKGBUILD 2015-12-07 22:07:39 UTC (rev 253585)
+++ PKGBUILD 2015-12-07 22:39:21 UTC (rev 253586)
@@ -4,7 +4,7 @@
 pkgname=nftables
 epoch=1
 pkgver=0.5
-pkgrel=1
+pkgrel=2
 pkgdesc='Netfilter tables userspace tools'
 arch=('i686' 'x86_64')
 url='http://netfilter.org/projects/nftables/'
@@ -14,15 +14,24 @@
 backup=('etc/nftables.conf')
 validpgpkeys=('57FF5E9C9AA67A860B557AF7A4111F89BB5F58CC') # Netfilter Core Team
 source=("http://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.bz2"{,.sig}
+ '001-fix-FS#47289.patch'
 'nftables.conf'
 'nftables.service'
 'nftables-reload')
 sha1sums=('34cfe1daa33d7fd7087dd63199f64854dfb54064'
 'SKIP'
+ '0e6df120039d71c4dbd6af36f38ab981926839e8'
 'a7146fad414f9e827e2e83b630308890c876b80d'
 '65833b9c5b777cfb3a0776060c569a727ce6f460'
 'd9f40e751b44dd9dc9fdb3b7eba3cc0a9b7e1b01')
 
+prepare() {
+ for _f in "${source[@]}"; do
+ [[ "$_f" =~ \.patch$ ]] && { msg2 "$_f"; patch -p1 -d $pkgname-$pkgver < "$_f"; }
+ done
+ :
+}
+
 build() {
 cd $pkgname-$pkgver
 ./configure \
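Review bot: The `[[ … ]] && { …; }` form in the new `prepare()` makes the loop's exit status depend on whether the last `source` entry is a patch, which is why the trailing `:` is needed, and that `:` also makes the function report success whatever happened inside the loop. A failed `patch` therefore stops the build only through makepkg's own error trapping, which is not visible here, rather than through anything this function states. A package built without the patch would ship the segfault this commit is meant to fix. Writing the loop body as `[[ $_f =~ \.patch$ ]] || continue`, then `msg2 "$_f"`, then `patch -p1 -d "$pkgname-$pkgver" < "$_f" || return 1` makes the failure explicit, quotes the directory argument, and lets the `:` go.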
