-rw-r--r-- | debian/changelog | 22 | ||||
-rw-r--r-- | debian/control | 5 | ||||
-rw-r--r-- | debian/copyright | 4 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | debian/patches/variables-in-map-statements-fix.patch | 97 | ||||
-rwxr-xr-x | debian/rules | 23 | ||||
-rw-r--r-- | debian/tests/control | 7 | ||||
-rw-r--r-- | debian/tests/internaltest-py.sh | 2 |
8 files changed, 142 insertions, 19 deletions
diff --git a/debian/changelog b/debian/changelog
index d1acb70..d4cd408 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+nftables (1.0.9-2) unstable; urgency=medium
+
+ [ Jeremy Sowden ]
+ * [48ba574] d/rules: make build more verbose unless the `terse` build option
+ is used
+ * [be37204] d/tests: re-enable Python test-suite
+
+ [ Helmut Grohne ]
+ * [c40559d] src:nftables: fix missing Build-Depends: libpython3-all-dev
+ (Closes: #1057189)
+
+ [ Arturo Borrero Gonzalez ]
+ * [aa38904] d/copyright: drop superfluous file pattern
+
+ [ Jeremy Sowden ]
+ * [c2663f1] d/control: use tracker.d.o address for `Maintainer:`
+ * [679f5d8] d/control: update my e-mail address
+ * [e7fdd2c] d/patches: add patch to support map variables in statements
+ (Closes: #1067161)
+
+ -- Jeremy Sowden <azazel@debian.org> Thu, 23 May 2024 20:21:53 +0100
+
 nftables (1.0.9-1) unstable; urgency=medium
 
 [ Jeremy Sowden ]
diff --git a/debian/control b/debian/control
index 716fd8d..c3b894f 100644
--- a/debian/control
+++ b/debian/control
@@ -1,9 +1,9 @@
 Source: nftables
 Section: net
 Priority: important
-Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>
+Maintainer: Debian Netfilter Packaging Team <team+pkg-netfilter-team@tracker.debian.org>
 Uploaders: Arturo Borrero Gonzalez <arturo@debian.org>,
- Jeremy Sowden <jeremy@azazel.net>
+ Jeremy Sowden <azazel@debian.org>
 Build-Depends: automake,
 debhelper-compat (= 13),
 dh-python,
@@ -12,6 +12,7 @@ Build-Depends: automake,
 libjansson-dev,
 libmnl-dev,
 libnftnl-dev (>= 1.2.6),
+ libpython3-all-dev,
 libtool,
 libxtables-dev,
 pybuild-plugin-pyproject,
diff --git a/debian/copyright b/debian/copyright
index c6b8917..b720eb9 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -14,10 +14,6 @@ Files: src/nfnl_osf.c
 Copyright: 2005 Evgeniy Polyakov <johnpol@2ka.mxt.ru>
 License: GPL-2+
 
-Files: py/nftables.py
-Copyright: 2018 Phil Sutter <phil@nwl.cc>
-License: GPL-2
-
 Files: src/libnftables.c include/nftables/libnftables.h
 Copyright: 2017 Eric Leblond <eric@regit.org>
 License: GPL-2
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c92164d
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+variables-in-map-statements-fix.patch
diff --git a/debian/patches/variables-in-map-statements-fix.patch b/debian/patches/variables-in-map-statements-fix.patch
new file mode 100644
index 0000000..2445256
--- /dev/null
+++ b/debian/patches/variables-in-map-statements-fix.patch
@@ -0,0 +1,97 @@
+Description: add support for variables in map expressions
+ It is possible to use a variable to initialize a map, which is then used
+ in a map statement:
+ .
+ define dst_map = { ::1234 : 5678 }
+ .
+ table ip6 nat {
+ map dst_map {
+ typeof ip6 daddr : tcp dport;
+ elements = $dst_map
+ }
+ chain prerouting {
+ ip6 nexthdr tcp redirect to ip6 daddr map @dst_map
+ }
+ }
+ .
+ However, if one tries to use the variable directly in the statement:
+ .
+ define dst_map = { ::1234 : 5678 }
+ .
+ table ip6 nat {
+ chain prerouting {
+ ip6 nexthdr tcp redirect to ip6 daddr map $dst_map
+ }
+ }
+ .
+ nft rejects it:
+ .
+ /space/azazel/tmp/ruleset.1067161.nft:5:47-54: Error: invalid mapping expression variable
+ ip6 nexthdr tcp redirect to ip6 daddr map $dst_map
+ ~~~~~~~~~ ^^^^^^^^
+ .
+ It also rejects variables in stateful object statements:
+ .
+ define quota_map = { 192.168.10.123 : "user123", 192.168.10.124 : "user124" }
+ .
+ table ip nat {
+ quota user123 { over 20 mbytes }
+ quota user124 { over 20 mbytes }
+ chain prerouting {
+ quota name ip saddr map $quota_map
+ }
+ }
+ .
+ thus:
+ .
+ /space/azazel/tmp/ruleset.1067161.nft:15:29-38: Error: invalid mapping expression variable
+ quota name ip saddr map $quota_map
+ ~~~~~~~~ ^^^^^^^^^^
+Author: Jeremy Sowden <azazel@debian.org>
+Last-Update: 2024-05-23
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067161
+Forwarded: https://lore.kernel.org/netfilter-devel/20240429192756.1347369-3-jeremy@azazel.net/
+Applied-Upstream: commit:c6127ff0c4480ccefc5c29548409898fb315a2ca
+
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1923,6 +1923,7 @@
+ mappings->set_flags |= NFT_SET_MAP;
+
+ switch (map->mappings->etype) {
++ case EXPR_VARIABLE:
+ case EXPR_SET:
+ if (ctx->ectx.key && ctx->ectx.key->etype == EXPR_CONCAT) {
+ key = expr_clone(ctx->ectx.key);
+@@ -1957,6 +1958,11 @@
+ if (expr_evaluate(ctx, &map->mappings->set->init) < 0)
+ return -1;
+
++ if (map->mappings->set->init->etype != EXPR_SET) {
++ return expr_error(ctx->msgs, map->mappings->set->init,
++ "Expression is not a map");
++ }
++
+ if (set_is_interval(map->mappings->set->init->set_flags) &&
+ !(map->mappings->set->init->set_flags & NFT_SET_CONCAT) &&
+ interval_set_eval(ctx, ctx->set, map->mappings->set->init) < 0)
+@@ -4352,6 +4358,7 @@
+ mappings->set_flags |= NFT_SET_OBJECT;
+
+ switch (map->mappings->etype) {
++ case EXPR_VARIABLE:
+ case EXPR_SET:
+ key = constant_expr_alloc(&stmt->location,
+ ctx->ectx.dtype,
+@@ -4368,6 +4375,11 @@
+ if (expr_evaluate(ctx, &map->mappings->set->init) < 0)
+ return -1;
+
++ if (map->mappings->set->init->etype != EXPR_SET) {
++ return expr_error(ctx->msgs, map->mappings->set->init,
++ "Expression is not a map");
++ }
++
+ if (set_is_interval(map->mappings->set->init->set_flags) &&
+ !(map->mappings->set->init->set_flags & NFT_SET_CONCAT) &&
+ interval_set_eval(ctx, ctx->set, map->mappings->set->init) < 0)
diff --git a/debian/rules b/debian/rules
index e004562..40a4831 100755
--- a/debian/rules
+++ b/debian/rules
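Review bot: The guard added after `expr_evaluate()` in the `@@ -1957` hunk (and again in `@@ -4368`) only checks that the variable evaluated to an `EXPR_SET`, while the message it emits is "Expression is not a map"; a variable defined as a plain set, `define s = { ::1234 }`, satisfies the check and is then passed on to the interval/map handling below. I cannot see from the hunk whether a later step rejects such a set, so either tighten the test to what the message promises — presumably `if (init->etype != EXPR_SET || !(init->set_flags & NFT_SET_MAP))`, assuming map literals carry `NFT_SET_MAP` in `set_flags` (confirm) — or reword the message to "Expression is not a set". The same five-line check is duplicated verbatim in both functions; a small `static` helper would keep the two in step. Both enclosing functions start and end outside the hunk.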
@@ -9,8 +9,20 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 include /usr/share/dpkg/architecture.mk
 include /usr/share/dpkg/pkg-info.mk
 
-pybuild_pkg := python3-$(PYBUILD_NAME)
-pybuild_opts := --buildsystem=pybuild -- --dir $(CURDIR)/py
+configure_opts := --with-xtables \
+ --with-json \
+ --with-python-bin=/usr/bin/python3 \
+ --with-cli=editline
+pybuild_opts := --buildsystem=pybuild -- --dir $(CURDIR)/py
+pybuild_pkg := python3-$(PYBUILD_NAME)
+
+ifeq (,$(filter terse,$(DEB_BUILD_OPTIONS)))
+configure_opts += --disable-silent-rules
+pybuild_opts += --verbose
+else
+configure_opts += --enable-silent-rules
+pybuild_opts += --quiet
+endif
 
 %:
 dh $@ --with python3
@@ -20,12 +32,7 @@ override_dh_auto_clean:
 dh_auto_clean -p$(pybuild_pkg) $(pybuild_opts)
 
 override_dh_auto_configure:
- dh_auto_configure -N$(pybuild_pkg) -- \
- --with-xtables \
- --with-json \
- --with-python-bin=/usr/bin/python3 \
- --with-cli=editline \
- --
+ dh_auto_configure -N$(pybuild_pkg) -- $(configure_opts)
 dh_auto_configure -p$(pybuild_pkg) $(pybuild_opts)
 
 override_dh_auto_build:
diff --git a/debian/tests/control b/debian/tests/control
index 9b40f99..8ec5461 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -10,10 +10,9 @@ Tests: internaltest-monitor.sh
 Depends: @
 Restrictions: needs-root, allow-stderr, isolation-container, flaky
 
-# Disable test until we decide what to do with the nftables python module
-#Tests: internaltest-py.sh
-#Depends: @, python
-#Restrictions: needs-root, allow-stderr, isolation-container, build-needed
+Tests: internaltest-py.sh
+Depends: @, python3
+Restrictions: needs-root, allow-stderr, isolation-container, flaky
 
 Tests: systemd-service-test.sh
 Depends: systemd, @
diff --git a/debian/tests/internaltest-py.sh b/debian/tests/internaltest-py.sh
index f8e7627..2b898b9 100644
--- a/debian/tests/internaltest-py.sh
+++ b/debian/tests/internaltest-py.sh
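Review bot: The rewritten `dh_auto_configure -N$(pybuild_pkg) -- $(configure_opts)` in the `@@ -20,12` hunk drops the trailing `--` that the removed lines passed through to configure; that is probably harmless, but it is a behaviour change the changelog entry does not mention, so confirm it was not there for a reason. The new `ifeq` block also deserves a one-line comment saying where `terse` comes from, e.g. `# DEB_BUILD_OPTIONS=terse asks for a quiet build; otherwise show full command lines.` above `ifeq (,$(filter terse,$(DEB_BUILD_OPTIONS)))`.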
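Review bot: The re-enabled `internaltest-py.sh` stanza is marked `flaky`, which makes autopkgtest disregard its failures, yet nothing records why it is expected to fail; as written, a genuine regression in the Python test-suite would go unnoticed for as long as the restriction stays. Add a comment above the stanza naming the known failure and its tracking bug, e.g. `# flaky: <reason> — see <bug number>`, so the restriction can be revisited. The old stanza also carried `build-needed`, which is dropped here; that looks consistent with the script using the installed `nft`, but it is worth a mention in the changelog.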
@@ -9,4 +9,4 @@ fi
 
 set -e
 cd tests/py
-NFT=$(which nft) ./nft-test.py
+NFT=$(which nft) python3 ./nft-test.py |
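Review bot: The changed line keeps `NFT=$(which nft)` as an assignment prefix; `which` is not POSIX, and a failing command substitution in a prefix assignment is not caught by the `set -e` two lines above, so a missing `nft` would run the suite with an empty `NFT` instead of failing early. Prefer a stand-alone assignment, which `set -e` does check: `NFT=$(command -v nft)`, then `export NFT`, then `python3 ./nft-test.py`.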