Optimize the cache to fix firewalld

backport-cache-add-helper-function-to-fill-up-the-rule-cache.patch

@@ -0,0 +1,84 @@
+From e3d00ed1f657d5ce989a780990c6fb0097368d1e Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 12 Jan 2022 01:34:00 +0100
+Subject: cache: add helper function to fill up the rule cache
+
+Add a helper function to dump the rules and add them to the
+corresponding chain.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Conflict:change about netlink_list_rules and rule_cache_init
+Reference:https://git.netfilter.org/nftables/commit/?id=e3d00ed1f657d5ce989a780990c6fb0097368d1e
+
+---
+ src/cache.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 15 deletions(-)
+
+diff --git a/src/cache.c b/src/cache.c
+index 0e9e7fe5..14957f2d 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -811,6 +811,28 @@ static int cache_init_tables(struct netlink_ctx *ctx, struct handle *h,
+ 	return 0;
+ }
+ 
++static int rule_init_cache(struct netlink_ctx *ctx, struct table *table)
++{
++	struct rule *rule, *nrule;
++	struct chain *chain;
++	int ret;
++
++	ret = netlink_list_rules(ctx, &table->handle);
++
++	list_for_each_entry_safe(rule, nrule, &ctx->list, list) {
++		chain = chain_cache_find(table, rule->handle.chain.name);
++		if (!chain)
++			chain = chain_binding_lookup(table,
++						     rule->handle.chain.name);
++		if (!chain)
++			return -1;
++
++		list_move_tail(&rule->list, &chain->rules);
++	}
++
++	return ret;
++}
++
+ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags)
+ {
+ 	struct nftnl_flowtable_list *ft_list = NULL;
+@@ -818,9 +841,7 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
+ 	struct nftnl_chain_list *chain_list = NULL;
+ 	struct nftnl_set_list *set_list = NULL;
+ 	struct nftnl_obj_list *obj_list;
+-	struct rule *rule, *nrule;
+ 	struct table *table;
+-	struct chain *chain;
+ 	struct set *set;
+ 	int ret = 0;
+ 
+@@ -902,19 +923,7 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
+ 		}
+ 
+ 		if (flags & NFT_CACHE_RULE_BIT) {
+-			ret = netlink_list_rules(ctx, &table->handle);
+-			list_for_each_entry_safe(rule, nrule, &ctx->list, list) {
+-				chain = chain_cache_find(table, rule->handle.chain.name);
+-				if (!chain)
+-					chain = chain_binding_lookup(table,
+-							rule->handle.chain.name);
+-				if (!chain) {
+-					ret = -1;
+-					goto cache_fails;
+-				}
+-
+-				list_move_tail(&rule->list, &chain->rules);
+-			}
++			ret = rule_init_cache(ctx, table);
+ 			if (ret < 0) {
+ 				ret = -1;
+ 				goto cache_fails;
+-- 
+cgit v1.2.3
+

backport-cache-release-pending-rules-when-chain-binding-lookup-fails.patch

@@ -0,0 +1,49 @@
+From 8a6cdfaff058412b3d0efec45541cd7d610aeefa Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 6 Jul 2022 13:21:34 +0200
+Subject: cache: release pending rules when chain binding lookup fails
+
+If the implicit chain is not in the cache, release pending rules in
+ctx->list and report EINTR to let the cache core retry to populate a
+consistent cache.
+
+Fixes: c330152b7f77 ("src: support for implicit chain bindings")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Conflict:change context
+Reference:https://git.netfilter.org/nftables/commit/?id=8a6cdfaff058412b3d0efec45541cd7d610aeefa
+
+---
+ src/cache.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cache.c b/src/cache.c
+index fd8df884..b6ae2310 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -847,12 +847,21 @@ static int rule_init_cache(struct netlink_ctx *ctx, struct table *table,
+ 			chain = chain_binding_lookup(table,
+ 						     rule->handle.chain.name);
+ 		if (!chain)
+-			return -1;
++			goto err_ctx_list;
+ 
+ 		list_move_tail(&rule->list, &chain->rules);
+ 	}
+ 
+ 	return ret;
++
++err_ctx_list:
++	list_for_each_entry_safe(rule, nrule, &ctx->list, list) {
++		list_del(&rule->list);
++		rule_free(rule);
++	}
++	errno = EINTR;
++
++	return -1;
+ }
+ 
+ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags)
+-- 
+cgit v1.2.3
+

nftables.spec

@@ -1,6 +1,6 @@
 Name:           nftables
 Version:        1.0.0
-Release:        14
+Release:        15
 Epoch:          1
 Summary:        A subsystem of the Linux kernel processing network data
 License:        GPLv2
@@ -104,6 +104,9 @@ Patch84:        backport-parser_json-fix-handle-memleak-from-error-path.patch
 Patch85:        backport-parser_json-fix-several-expression-memleaks-from-error-path.patch
 Patch86:        backport-libnftables-Zero-ctx-vars-after-freeing-it.patch
 
+Patch87:        backport-cache-add-helper-function-to-fill-up-the-rule-cache.patch
+Patch88:        backport-cache-release-pending-rules-when-chain-binding-lookup-fails.patch
+
 BuildRequires:  gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires:  iptables-devel jansson-devel python3-devel
 BuildRequires:  chrpath
@@ -202,6 +205,12 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/
 
 %changelog
+* Mon Jan 27 2025 yanglu <yanglu72@h-partners.com> - 1:1.0.0-15
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Optimize the cache to fix firewalld
+
 * Wed Dec 11 2024 gaihuiying <eaglegai@163.com> - 1:1.0.0-14
 - Type:bugfix
 - CVE:NA