Name: nftables
Version: 1.0.0
Release: 15
Epoch: 1
Summary: A subsystem of the Linux kernel processing network data
License: GPLv2
URL: https://netfilter.org/projects/nftables/
Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz2
Source1: nftables.service
Source2: nftables.conf

Patch0: backport-cache-validate-handle-string-length.patch
Patch1: backport-evaluate-fix-segfault-when-adding-elements-to-invalid-set.patch
Patch2: backport-segtree-split-prefix-and-range-creation-to-a-helper-function.patch
Patch3: backport-segtree-add-string-range-reversal-support.patch
Patch4: backport-segtree-fix-map-listing-with-interface-wildcard.patch
Patch5: backport-src-Don-t-parse-string-as-verdict-in-map.patch
Patch6: backport-parser_json-fix-device-parsing-in-netdev-family.patch
Patch7: backport-iptopt-fix-crash-with-invalid-field-type-combo.patch
Patch8: backport-evaluate-string-prefix-expression-must-retain-original-length.patch
Patch9: backport-libnftables-release-top-level-scope.patch
Patch10: backport-dump-locations-expressions-only-if-set.patch
Patch11: backport-evaluate-allow-implicit-ether-vlan-dep.patch
Patch12: backport-evaluate-datatype-memleak-after-binop-transfer.patch
Patch13: backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
Patch14: backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
Patch15: backport-payload-do-not-kill-dependency-for-proto_unknown.patch
Patch16: backport-monitor-missing-cache-and-set-handle-initialization.patch
Patch17: backport-netlink_linearize-fix-timeout-with-map-updates.patch
Patch18: backport-owner-Fix-potential-array-out-of-bounds-access.patch
Patch19: backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch
Patch20: backport-netlink-Fix-for-potential-NULL-pointer-deref.patch
Patch21: backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
Patch22: backport-netlink_linearize-use-div_round_up-in-byteorder-length.patch
Patch23: backport-exthdr-fix-tcpopt_find_template-to-use-length-after-.patch
Patch24: backport-exthdr-prefer-raw_type-instead-of-desc-type.patch
Patch25: backport-libnftables-Drop-cache-in-c-check-mode.patch
Patch26: backport-py-fix-exception-during-cleanup-of-half-initialized-.patch
Patch27: backport-evaluate-fix-check-for-truncation-in-stmt_evaluate_l.patch
Patch28: backport-evaluate-do-not-remove-anonymous-set-with-protocol-f.patch
Patch29: backport-evaluate-revisit-anonymous-set-with-single-element-o.patch
Patch30: backport-evaluate-skip-anonymous-set-optimization-for-concate.patch
Patch31: backport-datatype-fix-leak-and-cleanup-reference-counting-for.patch
Patch32: backport-evaluate-fix-memleak-in-prefix-evaluation-with-wildc.patch
Patch33: backport-netlink-fix-leaking-typeof_expr_data-typeof_expr_key.patch
Patch34: backport-datatype-initialize-TYPE_CT_LABEL-slot-in-datatype-a.patch
Patch35: backport-datatype-initialize-TYPE_CT_EVENTBIT-slot-in-datatyp.patch
Patch36: backport-netlink-handle-invalid-etype-in-set_make_key.patch
Patch37: backport-parser_json-Default-meter-size-to-zero.patch
Patch38: backport-parser_json-Fix-flowtable-prio-value-parsing.patch
Patch39: backport-parser_json-Proper-ct-expectation-attribute-parsing.patch
Patch40: backport-parser_json-Fix-synproxy-object-mss-wscale-parsing.patch
Patch41: backport-parser_json-Fix-typo-in-json_parse_cmd_add_object.patch
Patch42: backport-parser_json-Wrong-check-in-json_parse_ct_timeout_pol.patch
Patch43: backport-parser_json-Catch-nonsense-ops-in-match-statement.patch
Patch44: backport-json-expose-dynamic-flag.patch
Patch45: backport-evaluate-validate-maximum-log-statement-prefix-lengt.patch
Patch46: backport-evaluate-reject-set-in-concatenation.patch
Patch47: backport-datatype-don-t-return-a-const-string-from-cgroupv2_g.patch
Patch48: backport-json-fix-use-after-free-in-table_flags_json.patch
Patch49: backport-evaluate-fix-double-free-on-dtype-release.patch
Patch50: backport-evaluate-validate-chain-max-length.patch
Patch51: backport-parser_bison-fix-memleak-in-meta-set-error-handling.patch
Patch52: backport-parser_bison-make-sure-obj_free-releases-timeout-pol.patch
Patch53: backport-parser_bison-fix-ct-scope-underflow-if-ct-helper-sec.patch
Patch54: backport-evaluate-stmt_nat-set-reference-must-point-to-a-map.patch
Patch55: backport-meta-fix-tc-classid-parsing-out-of-bounds-access.patch
Patch56: backport-netlink-don-t-crash-if-prefix-for-byte-is-requested.patch
Patch57: backport-evaluate-don-t-crash-if-object-map-does-not-refer-to.patch
Patch58: backport-evaluate-error-out-when-expression-has-no-datatype.patch
Patch59: backport-evaluate-tproxy-move-range-error-checks-after-arg-ev.patch
Patch60: backport-evaluate-error-out-when-store-needs-more-than-one-12.patch
Patch61: backport-rule-fix-sym-refcount-assertion.patch
Patch62: backport-evaluate-handle-invalid-mapping-expressions-gracefully.patch
Patch63: backport-evaluate-error-out-if-basetypes-are-different.patch
Patch64: backport-evaluate-reject-attempt-to-update-a-set.patch
Patch65: backport-evaluate-guard-against-NULL-basetype.patch
Patch66: backport-evaluate-release-mpz-type-in-expr_evaluate_list-error-path.patch
Patch67: backport-expression-missing-line-in-describe-command-with-invalid-expression.patch
Patch68: backport-evaluate-disable-meta-set-with-ranges.patch
Patch69: backport-src-reject-large-raw-payload-and-concat-expressions.patch
Patch70: backport-evaluate-fix-stack-overflow-with-huge-priority-string.patch
Patch71: backport-tcpopt-don-t-create-exthdr-expression-without-datatype.patch
Patch72: backport-src-do-not-allow-to-chain-more-than-16-binops.patch
Patch73: backport-rule-fix-ASAN-errors-in-chain-priority-to-textual-names.patch
Patch74: backport-tests-shell-add-regression-test-for-double-free-crash-bug.patch
Patch75: backport-evaluate-handle-invalid-mapping-expressions-in-stateful-object-statements-gracefully.patch
Patch76: backport-evaluate-Fix-incorrect-checking-the-base-variable-in-case-of-IPV6.patch
Patch77: backport-netlink-reset-temporary-set-element-stmt-list-after-list-splice.patch
Patch78: backport-parser-split-tcp-option-rules.patch
Patch79: backport-cache-prepare-nft_cache_evaluate-to-return-error.patch
Patch80: backport-ct-timeout-fix-list-object-x-vs-list-objects-in-table-confusion.patch
Patch81: backport-ct-expectation-fix-list-object-x-vs-list-objects-in-table-confusion.patch
Patch82: backport-tests-shell-connect-chains-to-hook-point.patch
Patch83: backport-parser_json-release-buffer-returned-by-json_dumps.patch
Patch84: backport-parser_json-fix-handle-memleak-from-error-path.patch
Patch85: backport-parser_json-fix-several-expression-memleaks-from-error-path.patch
Patch86: backport-libnftables-Zero-ctx-vars-after-freeing-it.patch
Patch87: backport-cache-add-helper-function-to-fill-up-the-rule-cache.patch
Patch88: backport-cache-release-pending-rules-when-chain-binding-lookup-fails.patch

BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
BuildRequires: iptables-devel jansson-devel python3-devel
BuildRequires: chrpath

%description
nftables is a subsystem of the Linux kernel providing filtering and classification of
network packets/datagrams/frames.

%package devel
Summary: Development library for nftables / libnftables
Requires: %{name} = %{epoch}:%{version}-%{release} pkgconfig

%description devel
Development tools and static libraries and header files for the libnftables library.

%package_help

%package -n python3-nftables
Summary: Python module providing an interface to libnftables
Requires: %{name} = %{epoch}:%{version}-%{release}
%{?python_provide:%python_provide python3-nftables}

%description -n python3-nftables
The nftables python module providing an interface to libnftables via ctypes.
%prep
%autosetup -n %{name}-%{version} -p1

%build
%configure --disable-silent-rules --with-xtables --with-json \
    --enable-python --with-python-bin=%{__python3}
%make_build

%check
make check

%install
%make_install
%delete_la
chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
install -d $RPM_BUILD_ROOT/%{_unitdir}
cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
install -d $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
mv $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
chrpath -d %{buildroot}%{_sbindir}/nft
mkdir -p %{buildroot}/etc/ld.so.conf.d
echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf

%post
%systemd_post nftables.service
/sbin/ldconfig

%preun
%systemd_preun nftables.service

%postun
%systemd_postun_with_restart nftables.service
/sbin/ldconfig

%ldconfig_scriptlets devel

%files
%defattr(-,root,root)
%license COPYING
%config(noreplace) %{_sysconfdir}/nftables/
%config(noreplace) %{_sysconfdir}/sysconfig/nftables.conf
%config(noreplace) /etc/ld.so.conf.d/*
%{_sbindir}/nft
%{_libdir}/*.so.*
%{_unitdir}/nftables.service
%{_docdir}/nftables/examples/*.nft

%files devel
%defattr(-,root,root)
%{_includedir}/nftables/libnftables.h
%{_libdir}/*.a
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc

%files help
%defattr(-,root,root)
%{_mandir}/man8/nft*
%{_mandir}/man3/libnftables.3*
%{_mandir}/man5/libnftables-json*

%files -n python3-nftables
%{python3_sitelib}/nftables-*.egg-info
%{python3_sitelib}/nftables/

%changelog
* Mon Jan 27 2025 yanglu - 1:1.0.0-15
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:Optimize the cache to fix firewalld

* Wed Dec 11 2024 gaihuiying - 1:1.0.0-14
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:backport upstream patches
  parser_json: release buffer returned by json_dumps
  parser_json: fix handle memleak from error path
  parser_json: fix several expression memleaks from error path
  libnftables: Zero ctx->vars after freeing it

* Tue Dec 10 2024 gaihuiying - 1:1.0.0-13
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:parser: split tcp option rules
  cache: prepare nft_cache_evaluate() to return error
  ct timeout: fix 'list object x' vs. 'list objects in table' confusion
  ct expectation: fix 'list object x' vs. 'list objects in table' confusion
  tests: shell: connect chains to hook point

* Wed Sep 25 2024 gaihuiying - 1:1.0.0-12
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:backport upstream patches
  evaluate: disable meta set with ranges
  src: reject large raw payload and concat expressions
  evaluate: fix stack overflow with huge priority string
  tcpopt: don't create exthdr expression without datatype
  src: do not allow to chain more than 16 binops
  rule: fix ASAN errors in chain priority to textual names
  tests: shell: add regression test for double-free crash bug
  evaluate: handle invalid mapping expressions in stateful object
  evaluate: Fix incorrect checking the `base` variable in case of IPV6
  netlink: reset temporary set element stmt list after list splice

* Wed Jun 26 2024 gaihuiying - 1:1.0.0-11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:backport upstream patches
  evaluate: error out if basetypes are different
  evaluate: guard against NULL basetype
  evaluate: handle invalid mapping expressions gracefully
  evaluate: reject attempt to update a set
  evaluate: release mpz type in expr_evaluate_list() error path
  expression: missing line in describe command with invalid expression

* Thu Apr 18 2024 lingsheng - 1:1.0.0-10
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:datatype: don't return a const string from cgroupv2_get_path()
  datatype: fix leak and cleanup reference counting for struct datatype
  datatype: initialize TYPE_CT_EVENTBIT slot in datatype array
  datatype: initialize TYPE_CT_LABEL slot in datatype array
  evaluate: do not remove anonymous set with protocol flags and single element
  evaluate: don't crash if object map does not refer to a value
  evaluate: error out when expression has no datatype
  evaluate: error out when store needs more than one 128bit register of align fixup
  evaluate: fix check for truncation in stmt_evaluate_log_prefix()
  evaluate: fix double free on dtype release
  evaluate: fix memleak in prefix evaluation with wildcard interface name
  evaluate: reject set in concatenation
  evaluate: revisit anonymous set with single element optimization
  evaluate: skip anonymous set optimization for concatenations
  evaluate: stmt_nat: set reference must point to a map
  evaluate: tproxy: move range error checks after arg evaluation
  evaluate: validate chain max length
  evaluate: validate maximum log statement prefix length
  exthdr: fix tcpopt_find_template to use length after mask adjustment
  exthdr: prefer raw_type instead of desc->type
  json: expose dynamic flag
  json: fix use after free in table_flags_json()
  libnftables: Drop cache in -c/--check mode
  meta: fix tc classid parsing out-of-bounds access
  netlink: don't crash if prefix for < byte is requested
  netlink: fix leaking typeof_expr_data/typeof_expr_key in netlink_delinearize_set()
  netlink: handle invalid etype in set_make_key()
  parser_bison: fix ct scope underflow if ct helper section is duplicated
  parser_bison: fix memleak in meta set error handling
  parser_bison: make sure obj_free releases timeout policies
  parser_json: Catch nonsense ops in match statement
  parser_json: Default meter size to zero
  parser_json: Fix flowtable prio value parsing
  parser_json: Fix synproxy object mss/wscale parsing
  parser_json: Fix typo in json_parse_cmd_add_object()
  parser_json: Proper ct expectation attribute parsing
  parser_json: Wrong check in json_parse_ct_timeout_policy()
  py: fix exception during cleanup of half-initialized Nftables
  rule: fix sym refcount assertion

* Mon Aug 14 2023 zhanghao - 1:1.0.0-9
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:netlink_linearize: use div_round_up in byteorder length

* Thu Apr 06 2023 zhanghao - 1:1.0.0-8
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:Fix potential array out of bounds access
  evaluate: fix shift exponent underflow in concatenation evaluation
  netlink: Fix for potential NULL-pointer deref
  mnl: dump_nf_hooks() leaks memory in error path

* Tue Mar 21 2023 zhanghao - 1:1.0.0-7
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:evaluate allow implicit ether vlan dep
  evaluate datatype memleak after binop transfer
  evaluate bogus datatype assertion in binary operation evaluation
  netlink delinearize do not transfer binary operation to non anonymous sets
  payload do not kill dependency for proto unknown
  monitor missing cache and set handle initialization
  netlink linearize fix timeout with map updates

* Thu Dec 15 2022 huangyu - 1:1.0.0-6
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix dump locations expressions only if set

* Tue Dec 13 2022 huangyu - 1:1.0.0-5
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix string prefix expression must retain original length
  fix release top level scope

* Mon Nov 21 2022 huangyu - 1:1.0.0-4
- Type:feature
- ID:NA
- SUG:NA
- DESC:enabled DT testcase

* Fri Sep 30 2022 huangyu - 1:1.0.0-3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix nft describe ip option rr value coredump

* Sat Sep 03 2022 xinghe - 1:1.0.0-2
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix cache prepare nft_cache evaluate to return error
  fix cache validate handle string length
  add src support for implicit chain bindings
  fix cache release pending rules
  fix segtree map listing
  parser_json fix device parsing in netdev family
  fix src Don't parse string as verdict in map

* Sat Dec 04 2021 yanglu - 1:1.0.0-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:update nftables to 1.0.0

* Tue Sep 07 2021 gaihuiying - 1:0.9.9-3
- Type:requirement
- ID:NA
- SUG:NA
- DESC:remove rpath of nft

* Tue Aug 24 2021 gaihuiying - 1:0.9.9-2
- json: fix base chain output

* Fri Jul 23 2021 gaihuiying - 1:0.9.9-1
- update to 0.9.9

* Thu Jul 30 2020 cuibaobao - 1:0.9.6-2
- Add python3-nftables sub-package

* Thu Jul 23 2020 cuibaobao - 1:0.9.6-1
- update to 0.9.6

* Tue Sep 17 2019 openEuler Buildteam - 1:0.9.0-3
- Package init