[arch-commits] Commit in nftables/repos (18 files)

2016-06-17 Thread Sébastien Luttringer
Date: Saturday, June 18, 2016 @ 01:22:21
  Author: seblu
Revision: 270171

archrelease: copy trunk to extra-i686, extra-x86_64

Added:
  
nftables/repos/extra-i686/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch
(from rev 270170, 
nftables/trunk/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch)
  nftables/repos/extra-i686/PKGBUILD
(from rev 270170, nftables/trunk/PKGBUILD)
  nftables/repos/extra-i686/nftables-reload
(from rev 270170, nftables/trunk/nftables-reload)
  nftables/repos/extra-i686/nftables.conf
(from rev 270170, nftables/trunk/nftables.conf)
  nftables/repos/extra-i686/nftables.service
(from rev 270170, nftables/trunk/nftables.service)
  
nftables/repos/extra-x86_64/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch
(from rev 270170, 
nftables/trunk/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch)
  nftables/repos/extra-x86_64/PKGBUILD
(from rev 270170, nftables/trunk/PKGBUILD)
  nftables/repos/extra-x86_64/nftables-reload
(from rev 270170, nftables/trunk/nftables-reload)
  nftables/repos/extra-x86_64/nftables.conf
(from rev 270170, nftables/trunk/nftables.conf)
  nftables/repos/extra-x86_64/nftables.service
(from rev 270170, nftables/trunk/nftables.service)
Deleted:
  nftables/repos/extra-i686/PKGBUILD
  nftables/repos/extra-i686/nftables-reload
  nftables/repos/extra-i686/nftables.conf
  nftables/repos/extra-i686/nftables.service
  nftables/repos/extra-x86_64/PKGBUILD
  nftables/repos/extra-x86_64/nftables-reload
  nftables/repos/extra-x86_64/nftables.conf
  nftables/repos/extra-x86_64/nftables.service

+
 /PKGBUILD  |  
124 ++
 /nftables-reload   |   
 6 
 /nftables.conf |   
76 ++
 /nftables.service  |   
30 ++
 extra-i686/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch   |  
108 
 extra-i686/PKGBUILD|   
60 
 extra-i686/nftables-reload |   
 3 
 extra-i686/nftables.conf   |   
38 ---
 extra-i686/nftables.service|   
15 -
 extra-x86_64/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch |  
108 
 extra-x86_64/PKGBUILD  |   
60 
 extra-x86_64/nftables-reload   |   
 3 
 extra-x86_64/nftables.conf |   
38 ---
 extra-x86_64/nftables.service  |   
15 -
 14 files changed, 452 insertions(+), 232 deletions(-)

Copied: 
nftables/repos/extra-i686/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch
 (from rev 270170, 
nftables/trunk/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch)
===
--- extra-i686/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch
(rev 0)
+++ extra-i686/01-payload-don-t-update-protocol-context-if-we-can-t-fi.patch
2016-06-18 01:22:21 UTC (rev 270171)
@@ -0,0 +1,108 @@
+From 3503738f77cdbe521da1054a37f59ac2e442b4cf Mon Sep 17 00:00:00 2001
+From: Florian Westphal 
+Date: Mon, 6 Jun 2016 21:52:28 +0200
+Subject: [PATCH 2/7] payload: don't update protocol context if we can't find a
+ description
+
+Since commit
+20b1131c07acd2fc ("payload: fix stacked headers protocol context tracking")
+we deref null pointer if we can't find a description for the desired
+protocol, so "ip protocol 254" crashes while testing protocols 6 or 17
+(tcp, udp) works.
+
+Also add a test case for this.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1072
+Signed-off-by: Florian Westphal 
+Acked-by: Pablo Neira Ayuso 
+---
+ src/payload.c   | 3 +++
+ tests/py/ip/ip.t| 3 +++
+ tests/py/ip/ip.t.payload| 5 +
+ tests/py/ip/ip.t.payload.inet   | 7 +++
+ tests/py/ip/ip.t.payload.netdev | 7 +++
+ 5 files changed, 25 insertions(+)
+
+diff --git a/src/payload.c b/src/payload.c
+index ac0e917..9ba980a 100644
+--- a/src/payload.c
 b/src/payload.c
+@@ -85,6 +85,9 @@ static void payload_expr_pctx_update(struct proto_ctx *ctx,
+   base = ctx->protocol[left->payload.base].desc;
+   desc = proto_find_upper(base, proto);
+ 
++  if (!desc)
++  return;
++
+   assert(desc->base <= PROTO_BASE_MAX);
+   if (desc->base == base->base) {
+   assert(base->length > 0);
+diff --git a/tests/py/ip/ip.t 

[arch-commits] Commit in nftables/repos (18 files)

2016-06-05 Thread Sébastien Luttringer
Date: Sunday, June 5, 2016 @ 23:11:58
  Author: seblu
Revision: 269064

archrelease: copy trunk to extra-i686, extra-x86_64

Added:
  nftables/repos/extra-i686/PKGBUILD
(from rev 269063, nftables/trunk/PKGBUILD)
  nftables/repos/extra-i686/nftables-reload
(from rev 269063, nftables/trunk/nftables-reload)
  nftables/repos/extra-i686/nftables.conf
(from rev 269063, nftables/trunk/nftables.conf)
  nftables/repos/extra-i686/nftables.service
(from rev 269063, nftables/trunk/nftables.service)
  nftables/repos/extra-x86_64/PKGBUILD
(from rev 269063, nftables/trunk/PKGBUILD)
  nftables/repos/extra-x86_64/nftables-reload
(from rev 269063, nftables/trunk/nftables-reload)
  nftables/repos/extra-x86_64/nftables.conf
(from rev 269063, nftables/trunk/nftables.conf)
  nftables/repos/extra-x86_64/nftables.service
(from rev 269063, nftables/trunk/nftables.service)
Deleted:
  nftables/repos/extra-i686/001-fix-FS#47289.patch
  nftables/repos/extra-i686/PKGBUILD
  nftables/repos/extra-i686/nftables-reload
  nftables/repos/extra-i686/nftables.conf
  nftables/repos/extra-i686/nftables.service
  nftables/repos/extra-x86_64/001-fix-FS#47289.patch
  nftables/repos/extra-x86_64/PKGBUILD
  nftables/repos/extra-x86_64/nftables-reload
  nftables/repos/extra-x86_64/nftables.conf
  nftables/repos/extra-x86_64/nftables.service

-+
 /PKGBUILD   |  120 ++
 /nftables-reload|6 +
 /nftables.conf  |   76 +
 /nftables.service   |   30 
 extra-i686/001-fix-FS#47289.patch   |   49 -
 extra-i686/PKGBUILD |   56 ---
 extra-i686/nftables-reload  |3 
 extra-i686/nftables.conf|   38 --
 extra-i686/nftables.service |   15 
 extra-x86_64/001-fix-FS#47289.patch |   49 -
 extra-x86_64/PKGBUILD   |   56 ---
 extra-x86_64/nftables-reload|3 
 extra-x86_64/nftables.conf  |   38 --
 extra-x86_64/nftables.service   |   15 
 14 files changed, 232 insertions(+), 322 deletions(-)

Deleted: extra-i686/001-fix-FS#47289.patch
===
--- extra-i686/001-fix-FS#47289.patch   2016-06-05 21:07:42 UTC (rev 269063)
+++ extra-i686/001-fix-FS#47289.patch   2016-06-05 21:11:58 UTC (rev 269064)
@@ -1,49 +0,0 @@
-From e6c83f45f522283c7afff4de7a71113116352dbf Mon Sep 17 00:00:00 2001
-From: Florian Westphal 
-Date: Thu, 1 Oct 2015 00:13:02 +0200
-Subject: expression: provide clone operation for set element ops
-
-define addrs={ 1.2.3.4 }
-table ip filter {
-   chain input {
-   type filter hook input priority 0;
-   ip saddr $addrs accept
-   }
-}
-
-segfaults. Using saddr { 1.2.3.4 } instead of $addrs works.
-
-Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801087
-Tested-by: Arturo Borrero Gonzalez 
-Signed-off-by: Florian Westphal 

- src/expression.c | 10 ++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/expression.c b/src/expression.c
-index 3edc550..ab195e5 100644
 a/src/expression.c
-+++ b/src/expression.c
-@@ -907,9 +907,19 @@ static void set_elem_expr_destroy(struct expr *expr)
-   expr_free(expr->key);
- }
- 
-+static void set_elem_expr_clone(struct expr *new, const struct expr *expr)
-+{
-+  new->key = expr_clone(expr->key);
-+  new->expiration = expr->expiration;
-+  new->timeout = expr->timeout;
-+  if (expr->comment)
-+  new->comment = xstrdup(expr->comment);
-+}
-+
- static const struct expr_ops set_elem_expr_ops = {
-   .type   = EXPR_SET_ELEM,
-   .name   = "set element",
-+  .clone  = set_elem_expr_clone,
-   .print  = set_elem_expr_print,
-   .destroy= set_elem_expr_destroy,
- };
--- 
-cgit v0.11.2
-

Deleted: extra-i686/PKGBUILD
===
--- extra-i686/PKGBUILD 2016-06-05 21:07:42 UTC (rev 269063)
+++ extra-i686/PKGBUILD 2016-06-05 21:11:58 UTC (rev 269064)
@@ -1,56 +0,0 @@
-# $Id$
-# Maintainer: Sébastien "Seblu" Luttringer 
-
-pkgname=nftables
-epoch=1
-pkgver=0.5
-pkgrel=2
-pkgdesc='Netfilter tables userspace tools'
-arch=('i686' 'x86_64')
-url='http://netfilter.org/projects/nftables/'
-license=('GPL2')
-depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses')
-makedepends=('docbook2x')
-backup=('etc/nftables.conf')
-validpgpkeys=('57FF5E9C9AA67A860B557AF7A4111F89BB5F58CC') # Netfilter Core Team
-source=("http://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.bz2"{,.sig}
-'001-fix-FS#47289.patch'
-'nftables.conf'
-'nftables.service'
-'nftables-reload')

[arch-commits] Commit in nftables/repos (18 files)

2015-02-24 Thread Sébastien Luttringer
Date: Wednesday, February 25, 2015 @ 05:23:38
  Author: seblu
Revision: 231966

archrelease: copy trunk to extra-i686, extra-x86_64

Added:
  nftables/repos/extra-i686/01-fix-object-order-via-nft--f.patch
(from rev 231965, nftables/trunk/01-fix-object-order-via-nft--f.patch)
  nftables/repos/extra-i686/PKGBUILD
(from rev 231965, nftables/trunk/PKGBUILD)
  nftables/repos/extra-i686/nftables-reload
(from rev 231965, nftables/trunk/nftables-reload)
  nftables/repos/extra-i686/nftables.conf
(from rev 231965, nftables/trunk/nftables.conf)
  nftables/repos/extra-i686/nftables.service
(from rev 231965, nftables/trunk/nftables.service)
  nftables/repos/extra-x86_64/01-fix-object-order-via-nft--f.patch
(from rev 231965, nftables/trunk/01-fix-object-order-via-nft--f.patch)
  nftables/repos/extra-x86_64/PKGBUILD
(from rev 231965, nftables/trunk/PKGBUILD)
  nftables/repos/extra-x86_64/nftables-reload
(from rev 231965, nftables/trunk/nftables-reload)
  nftables/repos/extra-x86_64/nftables.conf
(from rev 231965, nftables/trunk/nftables.conf)
  nftables/repos/extra-x86_64/nftables.service
(from rev 231965, nftables/trunk/nftables.service)
Deleted:
  nftables/repos/extra-i686/PKGBUILD
  nftables/repos/extra-i686/nftables-reload
  nftables/repos/extra-i686/nftables.conf
  nftables/repos/extra-i686/nftables.service
  nftables/repos/extra-x86_64/PKGBUILD
  nftables/repos/extra-x86_64/nftables-reload
  nftables/repos/extra-x86_64/nftables.conf
  nftables/repos/extra-x86_64/nftables.service

---+
 /PKGBUILD |  106 
 /nftables-reload  |6 +
 /nftables.conf|   76 ++
 /nftables.service |   30 +
 extra-i686/01-fix-object-order-via-nft--f.patch   |   50 +
 extra-i686/PKGBUILD   |   47 
 extra-i686/nftables-reload|3 
 extra-i686/nftables.conf  |   38 ---
 extra-i686/nftables.service   |   15 --
 extra-x86_64/01-fix-object-order-via-nft--f.patch |   50 +
 extra-x86_64/PKGBUILD |   47 
 extra-x86_64/nftables-reload  |3 
 extra-x86_64/nftables.conf|   38 ---
 extra-x86_64/nftables.service |   15 --
 14 files changed, 318 insertions(+), 206 deletions(-)

Copied: nftables/repos/extra-i686/01-fix-object-order-via-nft--f.patch (from 
rev 231965, nftables/trunk/01-fix-object-order-via-nft--f.patch)
===
--- extra-i686/01-fix-object-order-via-nft--f.patch 
(rev 0)
+++ extra-i686/01-fix-object-order-via-nft--f.patch 2015-02-25 04:23:38 UTC 
(rev 231966)
@@ -0,0 +1,50 @@
+From 454ffab9cc695b9618324a6a0a4dead6d5289f8d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso pa...@netfilter.org
+Date: Sat, 14 Feb 2015 21:41:23 +0100
+Subject: rule: fix object order via nft -f
+
+The objects need to be loaded in the following order:
+
+   #1 tables
+   #2 chains
+   #3 sets
+   #4 rules
+
+We have to make sure that chains are in place by when we add rules with
+jumps/gotos. Similarly, we have to make sure that the sets are in place
+by when rules reference them.
+
+Without this patch, you may hit ENOENT errors depending on your ruleset
+configuration.
+
+Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
+
+diff --git a/src/rule.c b/src/rule.c
+index feafe26..8d76fd0 100644
+--- a/src/rule.c
 b/src/rule.c
+@@ -658,14 +658,19 @@ static int do_add_table(struct netlink_ctx *ctx, const 
struct handle *h,
+   if (netlink_add_table(ctx, h, loc, table, excl)  0)
+   return -1;
+   if (table != NULL) {
++  list_for_each_entry(chain, table-chains, list) {
++  if (netlink_add_chain(ctx, chain-handle,
++chain-location, chain,
++excl)  0)
++  return -1;
++  }
+   list_for_each_entry(set, table-sets, list) {
+   handle_merge(set-handle, table-handle);
+   if (do_add_set(ctx, set-handle, set)  0)
+   return -1;
+   }
+   list_for_each_entry(chain, table-chains, list) {
+-  if (do_add_chain(ctx, chain-handle, chain-location,
+-   chain, excl)  0)
++  if (netlink_add_rule_list(ctx, h, chain-rules)  0)
+   return -1;
+   }
+   }
+-- 
+cgit v0.10.2
+
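Review bot: The three loops added to do_add_table encode a load order (chains, then sets, then rules) that only the commit message explains; a comment above the first loop, such as `/* chains, then sets, then rules: rules may jump to chains or reference sets */`, would keep a later reordering from reintroducing the ENOENT failures. Each loop also returns -1 on the first failure, after earlier netlink_add_* calls have already run. Whether that can leave a partially loaded ruleset depends on how those calls are batched and committed, which this hunk does not show, so it is worth confirming for a firewall loader, where a half-applied ruleset may filter less than intended. The archive rendering appears to have dropped the `<`, `&` and `->` characters from these lines, so the packaged patch should be compared against upstream commit 454ffab9cc695b9618324a6a0a4dead6d5289f8d rather than against this text. do_add_table starts and ends outside the hunk.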

Deleted: extra-i686/PKGBUILD
===
---