diff --git a/backport-datatype-Increase-symbolic-constant-printer-robustness.patch b/backport-datatype-Increase-symbolic-constant-printer-robustness.patch
new file mode 100644
index 0000000000000000000000000000000000000000..71e0e7c8b233b6b157f3a19872861d8095600561
--- /dev/null
+++ b/backport-datatype-Increase-symbolic-constant-printer-robustness.patch
@@ -0,0 +1,47 @@
+From c2905cd4acdbbbacc0ce96c85309aa2c2878aed6 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 10 Oct 2025 14:14:29 +0200
+Subject: datatype: Increase symbolic constant printer robustness
+
+Do not segfault if passed symbol table is NULL.
+
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=c2905cd4acdbbbacc0ce96c85309aa2c2878aed6
+
+---
+ src/datatype.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/datatype.c b/src/datatype.c
+index 7effeb33..8e93ead0 100644
+--- a/src/datatype.c
++++ b/src/datatype.c
+@@ -254,15 +254,19 @@ void symbolic_constant_print(const struct symbol_table *tbl,
+ mpz_export_data(constant_data_ptr(val, expr->len), expr->value,
+ expr->byteorder, len);
+ 
++ if (nft_output_numeric_symbol(octx) || !tbl)
++ goto basetype_print;
++
+ for (s = tbl->symbols; s->identifier != NULL; s++) {
+ if (val == s->value)
+ break;
+ }
+-
+- if (s->identifier == NULL || nft_output_numeric_symbol(octx))
+- return expr_basetype(expr)->print(expr, octx);
+-
+- nft_print(octx, quotes ? "\"%s\"" : "%s", s->identifier);
++ if (s->identifier) {
++ nft_print(octx, quotes ? "\"%s\"" : "%s", s->identifier);
++ return;
++ }
++basetype_print:
++ expr_basetype(expr)->print(expr, octx);
+ }
+ 
+ static void switch_byteorder(void *data, unsigned int len)
+--
+cgit v1.2.3
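Review bot: The forward `goto basetype_print` now serves three cases at once (numeric output requested, `tbl == NULL`, and no symbol whose value equals `val`), but the label itself says nothing, so a reader has to reconstruct that from both branches; a one-line comment at the label, `/* numeric output, no table, or no matching symbol: print as the base type */`, would keep that explicit. The removed `return expr_basetype(expr)->print(expr, octx);` was a `return` with an expression inside a `void` function (a C11 constraint violation that gcc only reports under -pedantic), so the rewrite also fixes a conformance nit that deserves a line in the commit message. symbolic_constant_print()'s signature and the declaration of `s` are outside the hunk.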
diff --git a/backport-evaluate-follow-prefix-expression-recursively-if-needed.patch b/backport-evaluate-follow-prefix-expression-recursively-if-needed.patch
new file mode 100644
index 0000000000000000000000000000000000000000..64af9787f448e8ebdb74fe4975e746e915fee163
--- /dev/null
+++ b/backport-evaluate-follow-prefix-expression-recursively-if-needed.patch
@@ -0,0 +1,69 @@
+From 353140987c37540ed734f210d95d66b65caa5b47 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Fri, 17 Oct 2025 13:38:34 +0200
+Subject: evaluate: follow prefix expression recursively if needed
+
+Included bogons assert:
+Assertion `!expr_is_constant(*expr) || expr_is_singleton(*expr)' failed
+
+This is because the "foo*" + prefix combination causes expr_evaluate
+to replace the binop + string expression with another prefix that
+gets allocated while handling "foo*" (wildcard).
+
+This causes expr_evaluate_prefix to build
+a prefix -> prefix -> binop chain.
+
+After this, we get:
+
+Error: Right hand side of relational expression ((null)) must be constant
+a b ct helper "2.2.2.2.3*1"/80
+ ~~~~~~~~~~^^^^^^^^^^^^^^^^
+Error: Binary operation (&) is undefined for prefix expressions
+a b ct helper "2.2.2.****02"/80
+ ^^^^^^^^^^^^^^^^^
+
+for those inputs rather than hitting assert() in byteorder_conversion()
+later on.
+
+Signed-off-by: Florian Westphal
+
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=353140987c37540ed734f210d95d66b65caa5b47
+
+---
+ src/evaluate.c | 10 ++++++++++
+ tests/shell/testcases/bogons/nft-f/byteorder_conversion_assert | 2 ++
+ 2 files changed, 12 insertions(+)
+ create mode 100644 tests/shell/testcases/bogons/nft-f/byteorder_conversion_assert
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index ffd3ce62..b984ae4f 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1273,6 +1273,16 @@ static int expr_evaluate_prefix(struct eval_ctx *ctx, struct expr **expr)
+ if (expr_evaluate(ctx, &prefix->prefix) < 0)
+ return -1;
+ base = prefix->prefix;
++
++ /* expr_evaluate may simplify EXPR_AND to another
++ * prefix expression for inputs like "2.2.2.2.3*1"/80.
++ *
++ * Recurse until all the expressions have been simplified.
++ * This also gets us the error checks for the expression
++ * chain.
++ */
++ if (base->etype == EXPR_PREFIX)
++ return expr_evaluate_prefix(ctx, &prefix->prefix);
+ assert(expr_is_constant(base));
+ 
+ prefix->dtype = datatype_get(base->dtype);
+diff --git a/tests/shell/testcases/bogons/nft-f/byteorder_conversion_assert b/tests/shell/testcases/bogons/nft-f/byteorder_conversion_assert
+new file mode 100644
+index 00000000..26c8914e
+--- /dev/null
++++ b/tests/shell/testcases/bogons/nft-f/byteorder_conversion_assert
+@@ -0,0 +1,2 @@
++a b ct helper "2.2.2.2.3*1"/80
++a b ct helper "2.2.2.****02"/80
+--
+cgit v1.2.3
diff --git a/backport-mnl-silence-compiler-warning.patch b/backport-mnl-silence-compiler-warning.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a14a2612060bc4a982aecab306f1210209d78c9e
--- /dev/null
+++ b/backport-mnl-silence-compiler-warning.patch
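Review bot: The new early `return expr_evaluate_prefix(ctx, &prefix->prefix);` leaves the outer prefix half-evaluated whenever the recursive call succeeds: control never reaches `assert(expr_is_constant(base))` or `prefix->dtype = datatype_get(base->dtype);` for the outer node, so its dtype and whatever is set below stay as the parser left them. The commit message says these inputs end in an error and the bogons test only checks that, but nothing in the hunk guarantees the inner call fails. Either fall through after the recursion (re-read `base = prefix->prefix;` and continue with the existing checks) or state the assumption in the comment, e.g. `/* the recursion is expected to end in an evaluation error */`. expr_evaluate_prefix()'s body continues outside the hunk, so the full list of fields the early return skips is not visible here.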
@@ -0,0 +1,50 @@
+From cd9f168875aca72caacdcfb552c15b6484a82bd5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 20 Aug 2025 14:44:43 +0200
+Subject: mnl: silence compiler warning
+
+gcc 14.3.0 reports this:
+
+src/mnl.c: In function 'mnl_nft_chain_add':
+src/mnl.c:916:25: warning: 'nest' may be used uninitialized [-Wmaybe-uninitialized]
+ 916 | mnl_attr_nest_end(nlh, nest);
+
+I guess its because compiler can't know that the conditions cannot change
+in-between and assumes nest_end() can be called without nest_start().
+
+Fixes: 01277922fede ("src: ensure chain policy evaluation when specified")
+Signed-off-by: Florian Westphal
+Reviewed-by: Pablo Neira Ayuso
+
+Conflict:change context about mnl_nft_chain_add in mnl.c
+Reference:https://git.netfilter.org/nftables/commit/?id=cd9f168875aca72caacdcfb552c15b6484a82bd5
+
+---
+ src/mnl.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/mnl.c b/src/mnl.c
+index ceb43b06..66840296 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -890,7 +890,7 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
+ nftnl_chain_nlmsg_build_payload(nlh, nlc);
+ 
+ if (cmd->chain && cmd->chain->flags & CHAIN_F_BASECHAIN) {
+- struct nlattr *nest;
++ struct nlattr *nest = NULL;
+ 
+ if (cmd->chain->type.str) {
+ cmd_add_loc(cmd, nlh->nlmsg_len, &cmd->chain->type.loc);
+@@ -911,8 +911,7 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
+ if (cmd->chain && cmd->chain->dev_expr)
+ mnl_nft_chain_devs_build(nlh, cmd);
+ 
+- if (cmd->chain->type.str ||
+- (cmd->chain && cmd->chain->dev_expr))
++ if (nest)
+ mnl_attr_nest_end(nlh, nest);
+ }
+ 
+--
+cgit v1.2.3
diff --git a/backport-segtree-fix-string-data-initialisation.patch b/backport-segtree-fix-string-data-initialisation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c6ba1738c71597847660bb585cfcbbf9a02c7f03
--- /dev/null
+++ b/backport-segtree-fix-string-data-initialisation.patch
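Review bot: `nest` now carries two meanings, the attribute handle and the "NFTA_CHAIN_HOOK was opened" flag, while the opening condition lives in the part of mnl_nft_chain_add() between the two hunks and is no longer visible where the nest is closed; a comment on the new initializer, `struct nlattr *nest = NULL; /* non-NULL only once NFTA_CHAIN_HOOK is opened below */`, records the invariant `if (nest)` relies on. The replacement is only equivalent to the removed condition because libmnl's mnl_attr_nest_start() cannot return NULL (the `_check` variant is the one that can), which is worth noting in the commit message since a future switch to the checked variant would silently turn a failed nest into a skipped nest_end(). mnl_nft_chain_add() starts and ends outside both hunks.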
@@ -0,0 +1,131 @@
+From 63e3d5953c144abbc4ead2665ad7cec799c4cb64 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 5 Mar 2025 16:01:48 +0100
+Subject: segtree: fix string data initialisation
+
+This uses the wrong length. This must re-use the length of the datatype,
+not the string length.
+
+The added test cases will fail without the fix due to erroneous
+overlap detection, which in itself is due to incorrect sorting of
+the elements.
+
+Example error:
+ netlink: Error: interval overlaps with an existing one
+ add element inet testifsets simple_wild { "2-1" } failed.
+ table inet testifsets {
+ ... elements = { "1-1", "abcdef*", "othername", "ppp0" }
+
+... but clearly "2-1" doesn't overlap with any existing members.
+The false detection is because of the "acvdef*" wildcard getting sorted
+at the beginning of the list which is because its erronously initialised
+as a 64bit number instead of 128 bits (16 bytes / IFNAMSIZ).
+
+Fixes: 5e393ea1fc0a ("segtree: add string "range" reversal support")
+Signed-off-by: Florian Westphal
+Reviewed-by: Pablo Neira Ayuso
+
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=63e3d5953c144abbc4ead2665ad7cec799c4cb64
+
+---
+ src/segtree.c | 2 +-
+ tests/shell/testcases/sets/sets_with_ifnames | 62 ++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/src/segtree.c b/src/segtree.c
+index 2e32a329..11cf27c5 100644
+--- a/src/segtree.c
++++ b/src/segtree.c
+@@ -471,7 +471,7 @@ static struct expr *interval_to_string(struct expr *low, struct expr *i, const m
+ 
+ expr = constant_expr_alloc(&low->location, low->dtype,
+ BYTEORDER_HOST_ENDIAN,
+- (str_len + 1) * BITS_PER_BYTE, data);
++ len * BITS_PER_BYTE, data);
+ 
+ return __expr_to_set_elem(low, expr);
+ }
+diff --git a/tests/shell/testcases/sets/sets_with_ifnames b/tests/shell/testcases/sets/sets_with_ifnames
+index a4bc5072..c65499b7 100755
+--- a/tests/shell/testcases/sets/sets_with_ifnames
++++ b/tests/shell/testcases/sets/sets_with_ifnames
+@@ -105,10 +105,67 @@ check_matching_icmp_ppp()
+ fi
+ }
+ 
++check_add_del_ifnames()
++{
++ local what="$1"
++ local setname="$2"
++ local prefix="$3"
++ local data="$4"
++ local i=0
++
++ for i in $(seq 1 5);do
++ local cmd="element inet testifsets $setname { "
++ local to_batch=16
++
++ for j in $(seq 1 $to_batch);do
++ local name=$(printf '"%x-%d"' $i $j)
++
++ [ -n "$prefix" ] && cmd="$cmd $prefix . "
++
++ cmd="$cmd $name"
++
++ [ -n "$data" ] && cmd="$cmd : $data"
++
++ if [ $j -lt $to_batch ] ; then
++ cmd="$cmd, "
++ fi
++ done
++
++ cmd="$cmd }"
++
++ if ! $NFT "$what" "$cmd"; then
++ echo "$what $cmd failed."
++ $NFT list set inet testifsets $setname
++ exit 1
++ fi
++
++ if ! ip netns exec "$ns1" $NFT "$what" "$cmd"; then
++ echo "$ns1 $what $cmd failed."
++ ip netns exec "$ns1" $NFT list set inet testifsets $setname
++ exit 1
++ fi
++ done
++}
++
++check_add_ifnames()
++{
++ check_add_del_ifnames "add" "$1" "$2" "$3"
++}
++
++check_del_ifnames()
++{
++ check_add_del_ifnames "delete" "$1" "$2" "$3"
++}
++
+ ip netns add "$ns1" || exit 111
+ ip netns add "$ns2" || exit 111
+ ip netns exec "$ns1" $NFT -f "$dumpfile" || exit 3
+ 
++check_add_ifnames "simple" "" ""
++check_add_ifnames "simple_wild" "" ""
++check_add_ifnames "concat" "10.1.2.2" ""
++check_add_ifnames "map_wild" "" "drop"
++
+ for n in abcdef0 abcdef1 othername;do
+ check_elem simple $n
+ done
+@@ -150,3 +207,8 @@ ip -net "$ns2" addr add 10.1.2.2/24 dev veth0
+ ip -net "$ns2" addr add 10.2.2.2/24 dev veth1
+ 
+ check_matching_icmp_ppp
++
++check_del_ifnames "simple" "" ""
++check_del_ifnames "simple_wild" "" ""
++check_del_ifnames "concat" "10.1.2.2" ""
++check_del_ifnames "map_wild" "" "drop"
+--
+cgit v1.2.3
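Review bot: `len * BITS_PER_BYTE` changes how many bytes constant_expr_alloc() takes from `data`, but neither the definition of `len` nor the allocation and filling of `data` is in the hunk; it should be confirmed in interval_to_string() that `data` holds at least `len` bytes and is zero-filled past the string, because if it were sized or initialised only for `str_len + 1` bytes this line would now copy uninitialised (or out-of-bounds) tail bytes into the element key. A why-comment on the changed argument, `/* datatype width, not strlen: elements must sort on the full key */`, would record the reason the commit message gives. In the new shell helper, `local i=0` before `for i in $(seq 1 5)` is dead, and the unquoted `$setname` in the two `$NFT list set` lines relies on set names never containing whitespace; harmless for these fixed names but worth tidying. interval_to_string()'s signature is truncated in the hunk header, so `len`'s type and origin are not visible here.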
diff --git a/backport-src-ensure-chain-policy-evaluation-when-specified.patch b/backport-src-ensure-chain-policy-evaluation-when-specified.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a481f3150b7bc6c96affd4946bfe02969d703f59
--- /dev/null
+++ b/backport-src-ensure-chain-policy-evaluation-when-specified.patch
@@ -0,0 +1,149 @@
+From 01277922fede9fef8aacf5cc871bfbd55bbd78ef Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Sun, 17 Aug 2025 21:01:30 +0200
+Subject: src: ensure chain policy evaluation when specified
+
+Set on CHAIN_F_BASECHAIN when policy is specified in chain, otherwise
+chain priority is not evaluated.
+
+Toggling this flag requires needs three adjustments to work though:
+
+1) chain_evaluate() needs skip evaluation of hook name and priority if
+ not specified to allow for updating the default chain policy, e.g.
+
+ chain ip x y { policy accept; }
+
+2) update netlink bytecode generation for chain to skip NFTA_CHAIN_HOOK
+ so update path is exercised in the kernel.
+
+3) error reporting needs to check if basechain priority and type is
+ set on, otherwise skip further hints.
+
+Fixes: acdfae9c3126 ("src: allow to specify the default policy for base chains")
+Signed-off-by: Pablo Neira Ayuso
+
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=01277922fede9fef8aacf5cc871bfbd55bbd78ef
+
+---
+ src/cmd.c | 3 +++
+ src/evaluate.c | 27 ++++++++++++----------
+ src/mnl.c | 8 +++++--
+ src/parser_bison.y | 1 +
+ .../testcases/bogons/nft-f/basechain_bad_policy | 2 ++
+ .../bogons/nft-f/unexisting_chain_set_policy | 5 ++++
+ 6 files changed, 32 insertions(+), 14 deletions(-)
+ create mode 100644 tests/shell/testcases/bogons/nft-f/basechain_bad_policy
+ create mode 100644 tests/shell/testcases/bogons/nft-f/unexisting_chain_set_policy
+
+diff --git a/src/cmd.c b/src/cmd.c
+index ff634af2..9d5544f0 100644
+--- a/src/cmd.c
++++ b/src/cmd.c
+@@ -282,6 +282,9 @@ static int nft_cmd_chain_error(struct netlink_ctx *ctx, struct cmd *cmd,
+ if (!(chain->flags & CHAIN_F_BASECHAIN))
+ break;
+ 
++ if (!chain->priority.expr || !chain->type.str)
++ break;
++
+ mpz_export_data(&priority, chain->priority.expr->value,
+ BYTEORDER_HOST_ENDIAN, sizeof(int));
+ if (priority <= -200 && !strcmp(chain->type.str, "nat"))
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 0a430c82..1696f2b8 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -5776,18 +5776,21 @@ static int chain_evaluate(struct eval_ctx *ctx, struct chain *chain)
+ }
+ 
+ if (chain->flags & CHAIN_F_BASECHAIN) {
+- chain->hook.num = str2hooknum(chain->handle.family,
+- chain->hook.name);
+- if (chain->hook.num == NF_INET_NUMHOOKS)
+- return __stmt_binary_error(ctx, &chain->hook.loc, NULL,
+- "The %s family does not support this hook",
+- family2str(chain->handle.family));
+-
+- if (!evaluate_priority(ctx, &chain->priority,
+- chain->handle.family, chain->hook.num))
+- return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
+- "invalid priority expression %s in this context.",
+- expr_name(chain->priority.expr));
++ if (chain->hook.name) {
++ chain->hook.num = str2hooknum(chain->handle.family,
++ chain->hook.name);
++ if (chain->hook.num == NF_INET_NUMHOOKS)
++ return __stmt_binary_error(ctx, &chain->hook.loc, NULL,
++ "The %s family does not support this hook",
++ family2str(chain->handle.family));
++ }
++ if (chain->priority.expr) {
++ if (!evaluate_priority(ctx, &chain->priority,
++ chain->handle.family, chain->hook.num))
++ return __stmt_binary_error(ctx, &chain->priority.loc, NULL,
++ "invalid priority expression %s in this context.",
++ expr_name(chain->priority.expr));
++ }
+ if (chain->policy) {
+ expr_set_context(&ctx->ectx, &policy_type,
+ NFT_NAME_MAXLEN * BITS_PER_BYTE);
+diff --git a/src/mnl.c b/src/mnl.c
+index 43229f24..ceb43b06 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -897,7 +897,9 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
+ mnl_attr_put_strz(nlh, NFTA_CHAIN_TYPE, cmd->chain->type.str);
+ }
+ 
+- nest = mnl_attr_nest_start(nlh, NFTA_CHAIN_HOOK);
++ if (cmd->chain->type.str ||
++ (cmd->chain && cmd->chain->dev_expr))
++ nest = mnl_attr_nest_start(nlh, NFTA_CHAIN_HOOK);
+ 
+ if (cmd->chain->type.str) {
+ mnl_attr_put_u32(nlh, NFTA_HOOK_HOOKNUM, htonl(cmd->chain->hook.num));
+@@ -909,7 +911,9 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
+ if (cmd->chain && cmd->chain->dev_expr)
+ mnl_nft_chain_devs_build(nlh, cmd);
+ 
+- mnl_attr_nest_end(nlh, nest);
++ if (cmd->chain->type.str ||
++ (cmd->chain && cmd->chain->dev_expr))
++ mnl_attr_nest_end(nlh, nest);
+ }
+ 
+ nftnl_chain_free(nlc);
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index 0b1ea699..1e4b3f8a 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -2834,6 +2834,7 @@ policy_spec : POLICY policy_expr close_scope_policy
+ }
+ $0->policy = $2;
+ $0->policy->location = @$;
++ $0->flags |= CHAIN_F_BASECHAIN;
+ }
+ ;
+ 
+diff --git a/tests/shell/testcases/bogons/nft-f/basechain_bad_policy b/tests/shell/testcases/bogons/nft-f/basechain_bad_policy
+new file mode 100644
+index 00000000..998e423c
+--- /dev/null
++++ b/tests/shell/testcases/bogons/nft-f/basechain_bad_policy
+@@ -0,0 +1,2 @@
++define MY_POLICY = deny
++table T { chain C { policy $MY_POLICY; };};
+diff --git a/tests/shell/testcases/bogons/nft-f/unexisting_chain_set_policy b/tests/shell/testcases/bogons/nft-f/unexisting_chain_set_policy
+new file mode 100644
+index 00000000..08895599
+--- /dev/null
++++ b/tests/shell/testcases/bogons/nft-f/unexisting_chain_set_policy
+@@ -0,0 +1,5 @@
++table ip x {
++ chain y {
++ policy drop;
++ }
++}
+--
+cgit v1.2.3
diff --git a/backport-src-fix-memory-leak-in-anon-chain-error-handling.patch b/backport-src-fix-memory-leak-in-anon-chain-error-handling.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5063087d5099a3e5e44bcc507ed49511c5f7a07b
--- /dev/null
+++ b/backport-src-fix-memory-leak-in-anon-chain-error-handling.patch
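Review bot: In both new mnl.c conditions `cmd->chain->type.str || (cmd->chain && cmd->chain->dev_expr)` the `cmd->chain &&` guard is dead: the left operand has already dereferenced `cmd->chain`, as has the enclosing `if (cmd->chain && cmd->chain->flags & CHAIN_F_BASECHAIN)`, so the expression reads as if a NULL chain were still possible; `if (cmd->chain->type.str || cmd->chain->dev_expr)` says what is actually checked. In chain_evaluate(), the priority branch now runs independently of the hook branch and passes `chain->hook.num` to evaluate_priority() even when no hook name was given; if the grammar ever admits a priority without a hook this validates against an unset hook number, so a comment stating that the grammar always pairs them (or an explicit check) would help. The parser change `$0->flags |= CHAIN_F_BASECHAIN;` deserves a why-comment, e.g. `/* a policy is only meaningful on a base chain; flag it so chain_evaluate() validates it */`. chain_evaluate() and mnl_nft_chain_add() both extend beyond their hunks.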
@@ -0,0 +1,105 @@
+From f8701ae760c9d188dec3cda92efa61a9c32ac823 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 24 Jul 2025 12:22:02 +0200
+Subject: src: fix memory leak in anon chain error handling
+
+chain_stmt_destroy is called from bison destructor, but it turns out
+this function won't free the associated chain.
+
+There is no memory leak when bison can parse the input because the chain
+statement evaluation step queues the embedded anon chain via cmd_alloc.
+Then, a later cmd_free() releases the chain and the embedded statements.
+
+In case of a parser error, the evaluation step is never reached and the
+chain object leaks, e.g. in
+
+ foo bar jump { return }
+
+Bison calls the right destructor but the anonon chain and all
+statements/expressions in it are not released:
+
+HEAP SUMMARY:
+ in use at exit: 1,136 bytes in 4 blocks
+ total heap usage: 98 allocs, 94 frees, 840,255 bytes allocated
+
+1,136 (568 direct, 568 indirect) bytes in 1 blocks are definitely lost in loss record 4 of 4
+ at: calloc (vg_replace_malloc.c:1675)
+ by: xzalloc (in libnftables.so.1.1.0)
+ by: chain_alloc (in libnftables.so.1.1.0)
+ by: nft_parse (in libnftables.so.1.1.0)
+ by: __nft_run_cmd_from_filename (in libnftables.so.1.1.0)
+ by: nft_run_cmd_from_filename (in libnftables.so.1.1.0)
+
+To resolve this, make chain_stmt_destroy also release the embedded
+chain. This in turn requires chain refcount increases whenever a chain
+is assocated with a chain statement, else we get double-free of the
+chain.
+
+Signed-off-by: Florian Westphal
+Reviewed-by: Pablo Neira Ayuso
+
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=f8701ae760c9d188dec3cda92efa61a9c32ac823
+
+---
+ src/evaluate.c | 2 +-
+ src/netlink_delinearize.c | 2 +-
+ src/statement.c | 1 +
+ .../testcases/bogons/nft-f/rule-parse-error-with-anon-chain-leak | 8 ++++++++
+ 4 files changed, 11 insertions(+), 2 deletions(-)
+ create mode 100644 tests/shell/testcases/bogons/nft-f/rule-parse-error-with-anon-chain-leak
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 1696f2b8..aaeb7b4e 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -4596,7 +4596,7 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule,
+ 
+ static int stmt_evaluate_chain(struct eval_ctx *ctx, struct stmt *stmt)
+ {
+- struct chain *chain = stmt->chain.chain;
++ struct chain *chain = chain_get(stmt->chain.chain);
+ struct cmd *cmd;
+ 
+ chain->flags |= CHAIN_F_BINDING;
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index b4d4a3da..b97962a3 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -235,7 +235,7 @@ static void netlink_parse_chain_verdict(struct netlink_parse_ctx *ctx,
+ }
+ 
+ if (chain) {
+- ctx->stmt = chain_stmt_alloc(loc, chain, verdict);
++ ctx->stmt = chain_stmt_alloc(loc, chain_get(chain), verdict);
+ expr_free(expr);
+ } else {
+ ctx->stmt = verdict_stmt_alloc(loc, expr);
+diff --git a/src/statement.c b/src/statement.c
+index 695b57a6..2bfed4ac 100644
+--- a/src/statement.c
++++ b/src/statement.c
+@@ -140,6 +140,7 @@ static void chain_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
+ static void chain_stmt_destroy(struct stmt *stmt)
+ {
+ expr_free(stmt->chain.expr);
++ chain_free(stmt->chain.chain);
+ }
+ 
+ static const struct stmt_ops chain_stmt_ops = {
+diff --git a/tests/shell/testcases/bogons/nft-f/rule-parse-error-with-anon-chain-leak b/tests/shell/testcases/bogons/nft-f/rule-parse-error-with-anon-chain-leak
+new file mode 100644
+index 00000000..03a0df37
+--- /dev/null
++++ b/tests/shell/testcases/bogons/nft-f/rule-parse-error-with-anon-chain-leak
+@@ -0,0 +1,8 @@
++table inet x {
++ chain c {
++ type filter hook input priority filter; policy accept;
++ foo bar jump {
++ return
++ }
++ }
++}
+--
+cgit v1.2.3
diff --git a/backport-src-netlink-netlink_delin
earize_table-may-return-NULL.patch b/backport-src-netlink-netlink_delinearize_table-may-return-NULL.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ae1c9c3f90ae76203563ccded7f74fdfed7fa4cb
--- /dev/null
+++ b/backport-src-netlink-netlink_delinearize_table-may-return-NULL.patch
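Review bot: `chain_free(stmt->chain.chain)` is now called unconditionally from chain_stmt_destroy(), so every site that builds a chain statement must hand it a reference it owns; the two chain_get() additions cover evaluation and delinearization, but the parser-side chain_stmt_alloc() for `jump { ... }` is not in this patch, so the balance there (the anon chain's initial reference being the one the statement releases) is only implied. A short ownership comment above the new `chain_get()` in stmt_evaluate_chain(), `/* the cmd takes its own reference; the statement keeps its own and drops it in chain_stmt_destroy() */`, would make that contract visible where it is easiest to break. If `stmt->chain.chain` can be NULL for any chain statement, chain_free() must tolerate NULL; worth confirming rather than assuming. stmt_evaluate_chain() and netlink_parse_chain_verdict() continue outside their hunks; only chain_stmt_destroy() is shown in full.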
@@ -0,0 +1,49 @@
+From a69d552a005ba467d37e225032e35d01d9491241 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Fri, 8 Aug 2025 14:21:41 +0200
+Subject: src: netlink: netlink_delinearize_table() may return NULL
+
+Catch the error condition in callers to avoid crashes.
+
+Fixes: c156232a530b3 ("src: add comment support when adding tables")
+Signed-off-by: Phil Sutter
+
+Conflict:NA
+Reference:https://git.netfilter.org/nftables/commit/?id=a69d552a005ba467d37e225032e35d01d9491241
+
+---
+ src/monitor.c | 4 ++++
+ src/netlink.c | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/monitor.c b/src/monitor.c
+index e0f97b4a..da1ad880 100644
+--- a/src/monitor.c
++++ b/src/monitor.c
+@@ -237,6 +237,10 @@ static int netlink_events_table_cb(const struct nlmsghdr *nlh, int type,
+ 
+ nlt = netlink_table_alloc(nlh);
+ t = netlink_delinearize_table(monh->ctx, nlt);
++ if (!t) {
++ nftnl_table_free(nlt);
++ return MNL_CB_ERROR;
++ }
+ cmd = netlink_msg2cmd(type, nlh->nlmsg_flags);
+ 
+ switch (monh->format) {
+diff --git a/src/netlink.c b/src/netlink.c
+index f2f4c5ea..94cbcbfc 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -841,7 +841,8 @@ static int list_table_cb(struct nftnl_table *nlt, void *arg)
+ struct table *table;
+ 
+ table = netlink_delinearize_table(ctx, nlt);
+- list_add_tail(&table->list, &ctx->list);
++ if (table)
++ list_add_tail(&table->list, &ctx->list);
+ 
+ return 0;
+ }
+--
+cgit v1.2.3
diff --git a/nftables.spec b/nftables.spec
index 31d14c5fb1e1b00d72425e0902949afee9f6910a..9c3e33619e9a9d30da6417af1a47febe2f90dd74 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.0.8
-Release: 10
+Release: 11
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
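Review bot: The two call sites now treat a NULL table differently: netlink_events_table_cb() frees `nlt` and returns MNL_CB_ERROR, while list_table_cb() silently skips the table and still returns 0, so a listing can come back incomplete with nothing telling the caller why. Unless dropping an unparseable table from the list is intended, list_table_cb() should propagate the failure too (with whatever non-zero value the nftnl foreach callback contract uses to abort; that is not visible here) or at least record the skip; if silent skipping is deliberate, a comment on the new `if (table)` such as `/* malformed table: skip it rather than abort the whole listing */` should say so. list_table_cb() is shown in full; netlink_events_table_cb() continues outside its hunk.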
@@ -100,6 +100,14 @@ Patch0083: backport-tests-shell-Stabilize-sets-reset_command_0-test.patch
 Patch0084: backport-tests-shell-sets-reset_command_0-Fix-drop_seconds.patch
 Patch0085: backport-tests-shell-Fix-sets-reset_command_0-for-current-kernels.patch
+Patch0086: backport-segtree-fix-string-data-initialisation.patch
+Patch0087: backport-src-netlink-netlink_delinearize_table-may-return-NULL.patch
+Patch0088: backport-src-ensure-chain-policy-evaluation-when-specified.patch
+Patch0089: backport-src-fix-memory-leak-in-anon-chain-error-handling.patch
+Patch0090: backport-mnl-silence-compiler-warning.patch
+Patch0091: backport-datatype-Increase-symbolic-constant-printer-robustness.patch
+Patch0092: backport-evaluate-follow-prefix-expression-recursively-if-needed.patch
+
 
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires: iptables-devel jansson-devel python3-devel
 BuildRequires: chrpath libedit-devel
@@ -198,6 +206,19 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/
 
 %changelog
+* Mon Dec 01 2025 gaihuiying - 1:1.0.8-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport upstream patches
+ segtree: fix string data initialisation
+ src: netlink: netlink_delinearize_table() may return NULL
+ src: ensure chain policy evaluation when specified
+ src: fix memory leak in anon chain error handling
+ mnl: silence compiler warning
+ datatype: Increase symbolic constant printer robustness
+ evaluate: follow prefix expression recursively if needed
+
 * Tue Nov 25 2025 eaglegai - 1:1.0.8-10
 - Type:bugfix
 - CVE:NA