[arch-commits] Commit in nftables/trunk (3 files)

Sébastien Luttringer seblu at archlinux.org
Mon Dec 7 22:39:21 UTC 2015


    Date: Monday, December 7, 2015 @ 23:39:21
  Author: seblu
Revision: 253586

upgpkg: nftables 1:0.5-2

- FS#47289

Added:
  nftables/trunk/001-fix-FS#47289.patch
Modified:
  nftables/trunk/PKGBUILD
Deleted:
  nftables/trunk/01-fix-object-order-via-nft--f.patch

--------------------------------------+
 001-fix-FS#47289.patch               |   49 ++++++++++++++++++++++++++++++++
 01-fix-object-order-via-nft--f.patch |   50 ---------------------------------
 PKGBUILD                             |   11 ++++++-
 3 files changed, 59 insertions(+), 51 deletions(-)

Added: 001-fix-FS#47289.patch
===================================================================
--- 001-fix-FS#47289.patch	                        (rev 0)
+++ 001-fix-FS#47289.patch	2015-12-07 22:39:21 UTC (rev 253586)
@@ -0,0 +1,49 @@
+From e6c83f45f522283c7afff4de7a71113116352dbf Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw at strlen.de>
+Date: Thu, 1 Oct 2015 00:13:02 +0200
+Subject: expression: provide clone operation for set element ops
+
+define addrs={ 1.2.3.4 }
+table ip filter {
+	chain input {
+		type filter hook input priority 0;
+		ip saddr $addrs accept
+	}
+}
+
+segfaults. Using saddr { 1.2.3.4 } instead of $addrs works.
+
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=801087
+Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez at gmail.com>
+Signed-off-by: Florian Westphal <fw at strlen.de>
+---
+ src/expression.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/expression.c b/src/expression.c
+index 3edc550..ab195e5 100644
+--- a/src/expression.c
++++ b/src/expression.c
+@@ -907,9 +907,19 @@ static void set_elem_expr_destroy(struct expr *expr)
+ 	expr_free(expr->key);
+ }
+ 
++static void set_elem_expr_clone(struct expr *new, const struct expr *expr)
++{
++	new->key = expr_clone(expr->key);
++	new->expiration = expr->expiration;
++	new->timeout = expr->timeout;
++	if (expr->comment)
++		new->comment = xstrdup(expr->comment);
++}
++
+ static const struct expr_ops set_elem_expr_ops = {
+ 	.type		= EXPR_SET_ELEM,
+ 	.name		= "set element",
++	.clone		= set_elem_expr_clone,
+ 	.print		= set_elem_expr_print,
+ 	.destroy	= set_elem_expr_destroy,
+ };
+-- 
+cgit v0.11.2
+
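Review bot: set_elem_expr_clone carries no comment on which fields are deep-copied, and it assigns `new->comment` only when the source has one, so it depends on `new` arriving zero-initialised from expr_clone, which is not visible in this hunk. I would add above the function `/* Deep-copies key and comment; expiration and timeout are plain values. Relies on new being zeroed by the caller. */`. Only the last line of set_elem_expr_destroy appears in the context, so it is worth confirming that it releases `comment` as well as `key`; otherwise every clone of an element with a comment would leak the duplicated string. The segfault in the commit message suggests that a missing `.clone` op is called without a check, so other expr_ops tables that lack one may deserve the same review.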

Deleted: 01-fix-object-order-via-nft--f.patch
===================================================================
--- 01-fix-object-order-via-nft--f.patch	2015-12-07 22:07:39 UTC (rev 253585)
+++ 01-fix-object-order-via-nft--f.patch	2015-12-07 22:39:21 UTC (rev 253586)
@@ -1,50 +0,0 @@
-From 454ffab9cc695b9618324a6a0a4dead6d5289f8d Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo at netfilter.org>
-Date: Sat, 14 Feb 2015 21:41:23 +0100
-Subject: rule: fix object order via nft -f
-
-The objects need to be loaded in the following order:
-
-	#1 tables
-	#2 chains
-	#3 sets
-	#4 rules
-
-We have to make sure that chains are in place by when we add rules with
-jumps/gotos. Similarly, we have to make sure that the sets are in place
-by when rules reference them.
-
-Without this patch, you may hit ENOENT errors depending on your ruleset
-configuration.
-
-Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
-
-diff --git a/src/rule.c b/src/rule.c
-index feafe26..8d76fd0 100644
---- a/src/rule.c
-+++ b/src/rule.c
-@@ -658,14 +658,19 @@ static int do_add_table(struct netlink_ctx *ctx, const struct handle *h,
- 	if (netlink_add_table(ctx, h, loc, table, excl) < 0)
- 		return -1;
- 	if (table != NULL) {
-+		list_for_each_entry(chain, &table->chains, list) {
-+			if (netlink_add_chain(ctx, &chain->handle,
-+					      &chain->location, chain,
-+					      excl) < 0)
-+				return -1;
-+		}
- 		list_for_each_entry(set, &table->sets, list) {
- 			handle_merge(&set->handle, &table->handle);
- 			if (do_add_set(ctx, &set->handle, set) < 0)
- 				return -1;
- 		}
- 		list_for_each_entry(chain, &table->chains, list) {
--			if (do_add_chain(ctx, &chain->handle, &chain->location,
--					 chain, excl) < 0)
-+			if (netlink_add_rule_list(ctx, h, &chain->rules) < 0)
- 				return -1;
- 		}
- 	}
--- 
-cgit v0.10.2
-

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-12-07 22:07:39 UTC (rev 253585)
+++ PKGBUILD	2015-12-07 22:39:21 UTC (rev 253586)
@@ -4,7 +4,7 @@
 pkgname=nftables
 epoch=1
 pkgver=0.5
-pkgrel=1
+pkgrel=2
 pkgdesc='Netfilter tables userspace tools'
 arch=('i686' 'x86_64')
 url='http://netfilter.org/projects/nftables/'
@@ -14,15 +14,24 @@
 backup=('etc/nftables.conf')
 validpgpkeys=('57FF5E9C9AA67A860B557AF7A4111F89BB5F58CC') # Netfilter Core Team
 source=("http://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.bz2"{,.sig}
+        '001-fix-FS#47289.patch'
         'nftables.conf'
         'nftables.service'
         'nftables-reload')
 sha1sums=('34cfe1daa33d7fd7087dd63199f64854dfb54064'
           'SKIP'
+          '0e6df120039d71c4dbd6af36f38ab981926839e8'
           'a7146fad414f9e827e2e83b630308890c876b80d'
           '65833b9c5b777cfb3a0776060c569a727ce6f460'
           'd9f40e751b44dd9dc9fdb3b7eba3cc0a9b7e1b01')
 
+prepare() {
+  for _f in "${source[@]}"; do
+    [[ "$_f" =~ \.patch$ ]] && { msg2 "$_f"; patch -p1 -d $pkgname-$pkgver < "$_f"; }
+  done
+  :
+}
+
 build() {
   cd $pkgname-$pkgver
   ./configure \
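Review bot: The trailing `:` in prepare() makes the function return success whatever happened in the loop, so whether a failed `patch` stops the build depends on makepkg's own error trapping rather than on this code. Because the patch fixes a crash when loading a ruleset, it should not be possible to build the package without it applied. I would write the loop body as `if [[ $_f == *.patch ]]; then msg2 "$_f"; patch -p1 -d "$pkgname-$pkgver" < "$_f" || return 1; fi`, which also makes the `:` unnecessary and quotes the `-d` argument. build() continues past the end of this hunk.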


