nftables/backport-netlink-reset-temporary-set-element-stmt-list-after-list-splice.patch

From 0693edb9eb01fa5a479dcca7d30b06f52806d22a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 16 Sep 2021 13:51:23 +0200
Subject: [PATCH] netlink: reset temporary set element stmt list after list
 splice

Reset temporary stmt list to deal with the key_end case which might
result in a jump backward to handle the rhs of the interval.

Reported-by: Martin Zatloukal <slezi2@pvfree.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Conflict: NA
Reference:https://git.netfilter.org/nftables/commit/?id=0693edb9eb01fa5a479dcca7d30b06f52806d22a
---
 src/netlink.c                                  |  2 +-
 tests/shell/testcases/maps/0013map_0           | 14 ++++++++++++++
 tests/shell/testcases/maps/dumps/0013map_0.nft | 13 +++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100755 tests/shell/testcases/maps/0013map_0
 create mode 100644 tests/shell/testcases/maps/dumps/0013map_0.nft

diff --git a/src/netlink.c b/src/netlink.c
index 9a0d96f0..28a5514a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1324,7 +1324,7 @@ key_end:
 		nftnl_set_elem_expr_foreach(nlse, set_elem_parse_expressions,
 					    &setelem_parse_ctx);
 	}
-	list_splice_tail(&setelem_parse_ctx.stmt_list, &expr->stmt_list);
+	list_splice_tail_init(&setelem_parse_ctx.stmt_list, &expr->stmt_list);
 
 	if (flags & NFT_SET_ELEM_INTERVAL_END) {
 		expr->flags |= EXPR_F_INTERVAL_END;
diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0
new file mode 100755
index 00000000..70d7fd3b
--- /dev/null
+++ b/tests/shell/testcases/maps/0013map_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+flush ruleset
+
+add table ip filter
+add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
+add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; }
+add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol  . th dport vmap @forwport counter
+add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft
new file mode 100644
index 00000000..1455877d
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0013map_0.nft
@@ -0,0 +1,13 @@
+table ip filter {
+	map forwport {
+		type ipv4_addr . inet_proto . inet_service : verdict
+		flags interval
+		counter
+		elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+		iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0
+	}
+}
-- 
2.33.0