summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Gilbert <floppym@gentoo.org>2022-06-17 12:16:41 -0400
committerMike Gilbert <floppym@gentoo.org>2022-06-17 12:16:41 -0400
commit8c7d289358511150d712e08b2cbb175b1374d9f7 (patch)
tree212db6e5a3b99d36e7d160a8dcbd50cc6cd66002 /net-firewall
parentnet-firewall/nftables: sync live ebuild (diff)
downloadgentoo-8c7d289358511150d712e08b2cbb175b1374d9f7.tar.gz
gentoo-8c7d289358511150d712e08b2cbb175b1374d9f7.tar.bz2
gentoo-8c7d289358511150d712e08b2cbb175b1374d9f7.zip
net-firewall/nftables: backport upstream revert
Closes: https://bugs.gentoo.org/852662 Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Diffstat (limited to 'net-firewall')
-rw-r--r--net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch252
-rw-r--r--net-firewall/nftables/nftables-1.0.4-r1.ebuild (renamed from net-firewall/nftables/nftables-1.0.4.ebuild)3
2 files changed, 255 insertions, 0 deletions
diff --git a/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch b/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch
new file mode 100644
index 000000000000..db58602bb4e6
--- /dev/null
+++ b/net-firewall/nftables/files/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch
@@ -0,0 +1,252 @@
+From 638af0ceb2b22307098bb2730822e148ef0b9424 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 10 Jun 2022 13:01:46 +0200
+Subject: Revert "scanner: flags: move to own scope"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Excess nesting of scanner scopes is very fragile and error prone:
+
+rule `iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop`
+fails with `Error: No symbol type information` hinting at `prefix`
+
+Problem is that we nest via:
+ counter
+ limit
+ log
+ flags
+
+By the time 'prefix' is scanned, state is still stuck in 'counter' due
+to this nesting. Working around "prefix" isn't enough, any other
+keyword, e.g. "level" in 'flags all level debug' will be parsed as 'string' too.
+
+So, revert this.
+
+Fixes: a16697097e2b ("scanner: flags: move to own scope")
+Reported-by: Christian Göttsche <cgzones@googlemail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ include/parser.h | 1 -
+ src/parser_bison.y | 29 ++++++++++++++---------------
+ src/scanner.l | 18 +++++++-----------
+ tests/shell/testcases/parsing/log | 10 ++++++++++
+ 4 files changed, 31 insertions(+), 27 deletions(-)
+ create mode 100755 tests/shell/testcases/parsing/log
+
+diff --git a/include/parser.h b/include/parser.h
+index f32154cc..d8d2eb11 100644
+--- a/include/parser.h
++++ b/include/parser.h
+@@ -35,7 +35,6 @@ enum startcond_type {
+ PARSER_SC_CT,
+ PARSER_SC_COUNTER,
+ PARSER_SC_ETH,
+- PARSER_SC_FLAGS,
+ PARSER_SC_ICMP,
+ PARSER_SC_IGMP,
+ PARSER_SC_IP,
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index ca5c488c..2a0240fb 100644
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -942,7 +942,6 @@ close_scope_esp : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_ESP); }
+ close_scope_eth : { scanner_pop_start_cond(nft->scanner, PARSER_SC_ETH); };
+ close_scope_export : { scanner_pop_start_cond(nft->scanner, PARSER_SC_CMD_EXPORT); };
+ close_scope_fib : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FIB); };
+-close_scope_flags : { scanner_pop_start_cond(nft->scanner, PARSER_SC_FLAGS); };
+ close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); };
+ close_scope_fwd : { scanner_pop_start_cond(nft->scanner, PARSER_SC_STMT_FWD); };
+ close_scope_hash : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_HASH); };
+@@ -1679,7 +1678,7 @@ table_block_alloc : /* empty */
+ }
+ ;
+
+-table_options : FLAGS STRING close_scope_flags
++table_options : FLAGS STRING
+ {
+ if (strcmp($2, "dormant") == 0) {
+ $<table>0->flags |= TABLE_F_DORMANT;
+@@ -1946,7 +1945,7 @@ set_block : /* empty */ { $$ = $<set>-1; }
+ datatype_set($1->key, $3->dtype);
+ $$ = $1;
+ }
+- | set_block FLAGS set_flag_list stmt_separator close_scope_flags
++ | set_block FLAGS set_flag_list stmt_separator
+ {
+ $1->flags = $3;
+ $$ = $1;
+@@ -2080,7 +2079,7 @@ map_block : /* empty */ { $$ = $<set>-1; }
+ $1->flags |= NFT_SET_OBJECT;
+ $$ = $1;
+ }
+- | map_block FLAGS set_flag_list stmt_separator close_scope_flags
++ | map_block FLAGS set_flag_list stmt_separator
+ {
+ $1->flags |= $3;
+ $$ = $1;
+@@ -2153,7 +2152,7 @@ flowtable_block : /* empty */ { $$ = $<flowtable>-1; }
+ {
+ $$->flags |= NFT_FLOWTABLE_COUNTER;
+ }
+- | flowtable_block FLAGS OFFLOAD stmt_separator close_scope_flags
++ | flowtable_block FLAGS OFFLOAD stmt_separator
+ {
+ $$->flags |= FLOWTABLE_F_HW_OFFLOAD;
+ }
+@@ -2520,7 +2519,7 @@ dev_spec : DEVICE string
+ | /* empty */ { $$ = NULL; }
+ ;
+
+-flags_spec : FLAGS OFFLOAD close_scope_flags
++flags_spec : FLAGS OFFLOAD
+ {
+ $<chain>0->flags |= CHAIN_F_HW_OFFLOAD;
+ }
+@@ -3126,7 +3125,7 @@ log_arg : PREFIX string
+ $<stmt>0->log.level = $2;
+ $<stmt>0->log.flags |= STMT_LOG_LEVEL;
+ }
+- | FLAGS log_flags close_scope_flags
++ | FLAGS log_flags
+ {
+ $<stmt>0->log.logflags |= $2;
+ }
+@@ -3828,13 +3827,13 @@ queue_stmt : queue_stmt_compat close_scope_queue
+ {
+ $$ = queue_stmt_alloc(&@$, $3, 0);
+ }
+- | QUEUE FLAGS queue_stmt_flags close_scope_flags TO queue_stmt_expr close_scope_queue
++ | QUEUE FLAGS queue_stmt_flags TO queue_stmt_expr close_scope_queue
+ {
+- $$ = queue_stmt_alloc(&@$, $6, $3);
++ $$ = queue_stmt_alloc(&@$, $5, $3);
+ }
+- | QUEUE FLAGS queue_stmt_flags close_scope_flags QUEUENUM queue_stmt_expr_simple close_scope_queue
++ | QUEUE FLAGS queue_stmt_flags QUEUENUM queue_stmt_expr_simple close_scope_queue
+ {
+- $$ = queue_stmt_alloc(&@$, $6, $3);
++ $$ = queue_stmt_alloc(&@$, $5, $3);
+ }
+ ;
+
+@@ -5501,7 +5500,7 @@ comp_hdr_expr : COMP comp_hdr_field close_scope_comp
+ ;
+
+ comp_hdr_field : NEXTHDR { $$ = COMPHDR_NEXTHDR; }
+- | FLAGS close_scope_flags { $$ = COMPHDR_FLAGS; }
++ | FLAGS { $$ = COMPHDR_FLAGS; }
+ | CPI { $$ = COMPHDR_CPI; }
+ ;
+
+@@ -5562,7 +5561,7 @@ tcp_hdr_field : SPORT { $$ = TCPHDR_SPORT; }
+ | ACKSEQ { $$ = TCPHDR_ACKSEQ; }
+ | DOFF { $$ = TCPHDR_DOFF; }
+ | RESERVED { $$ = TCPHDR_RESERVED; }
+- | FLAGS close_scope_flags { $$ = TCPHDR_FLAGS; }
++ | FLAGS { $$ = TCPHDR_FLAGS; }
+ | WINDOW { $$ = TCPHDR_WINDOW; }
+ | CHECKSUM { $$ = TCPHDR_CHECKSUM; }
+ | URGPTR { $$ = TCPHDR_URGPTR; }
+@@ -5676,7 +5675,7 @@ sctp_chunk_type : DATA { $$ = SCTP_CHUNK_TYPE_DATA; }
+ ;
+
+ sctp_chunk_common_field : TYPE close_scope_type { $$ = SCTP_CHUNK_COMMON_TYPE; }
+- | FLAGS close_scope_flags { $$ = SCTP_CHUNK_COMMON_FLAGS; }
++ | FLAGS { $$ = SCTP_CHUNK_COMMON_FLAGS; }
+ | LENGTH { $$ = SCTP_CHUNK_COMMON_LENGTH; }
+ ;
+
+@@ -5844,7 +5843,7 @@ rt4_hdr_expr : RT4 rt4_hdr_field close_scope_rt
+ ;
+
+ rt4_hdr_field : LAST_ENT { $$ = RT4HDR_LASTENT; }
+- | FLAGS close_scope_flags { $$ = RT4HDR_FLAGS; }
++ | FLAGS { $$ = RT4HDR_FLAGS; }
+ | TAG { $$ = RT4HDR_TAG; }
+ | SID '[' NUM ']'
+ {
+diff --git a/src/scanner.l b/src/scanner.l
+index 2154281e..7eb74020 100644
+--- a/src/scanner.l
++++ b/src/scanner.l
+@@ -201,7 +201,6 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ %s SCANSTATE_CT
+ %s SCANSTATE_COUNTER
+ %s SCANSTATE_ETH
+-%s SCANSTATE_FLAGS
+ %s SCANSTATE_ICMP
+ %s SCANSTATE_IGMP
+ %s SCANSTATE_IP
+@@ -339,7 +338,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ "jump" { return JUMP; }
+ "goto" { return GOTO; }
+ "return" { return RETURN; }
+-<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_FLAGS,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_FLAGS and SCANSTATE_IP here are workarounds */
++<SCANSTATE_EXPR_QUEUE,SCANSTATE_STMT_DUP,SCANSTATE_STMT_FWD,SCANSTATE_STMT_NAT,SCANSTATE_STMT_TPROXY,SCANSTATE_IP,SCANSTATE_IP6>"to" { return TO; } /* XXX: SCANSTATE_IP is a workaround */
+
+ "inet" { return INET; }
+ "netdev" { return NETDEV; }
+@@ -363,14 +362,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ "index" { return INDEX; }
+ "comment" { return COMMENT; }
+
+-<SCANSTATE_FLAGS>{
+- "constant" { return CONSTANT; }
+- "dynamic" { return DYNAMIC; }
+-
+- /* log flags */
+- "all" { return ALL; }
+-}
++"constant" { return CONSTANT; }
+ "interval" { return INTERVAL; }
++"dynamic" { return DYNAMIC; }
+ "auto-merge" { return AUTOMERGE; }
+ "timeout" { return TIMEOUT; }
+ "gc-interval" { return GC_INTERVAL; }
+@@ -418,7 +412,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ }
+
+ "queue" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_QUEUE); return QUEUE;}
+-<SCANSTATE_FLAGS,SCANSTATE_EXPR_QUEUE>{
++<SCANSTATE_EXPR_QUEUE>{
+ "num" { return QUEUENUM;}
+ "bypass" { return BYPASS;}
+ "fanout" { return FANOUT;}
+@@ -612,7 +606,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+ <SCANSTATE_EXPR_COMP>{
+ "cpi" { return CPI; }
+ }
+-"flags" { scanner_push_start_cond(yyscanner, SCANSTATE_FLAGS); return FLAGS; }
++"flags" { return FLAGS; }
+
+ "udp" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDP); return UDP; }
+ "udplite" { scanner_push_start_cond(yyscanner, SCANSTATE_EXPR_UDPLITE); return UDPLITE; }
+@@ -781,6 +775,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
+
+ "notrack" { return NOTRACK; }
+
++"all" { return ALL; }
++
+ <SCANSTATE_CMD_EXPORT,SCANSTATE_CMD_IMPORT,SCANSTATE_CMD_MONITOR>{
+ "xml" { return XML; }
+ "json" { return JSON; }
+diff --git a/tests/shell/testcases/parsing/log b/tests/shell/testcases/parsing/log
+new file mode 100755
+index 00000000..0b89d589
+--- /dev/null
++++ b/tests/shell/testcases/parsing/log
+@@ -0,0 +1,10 @@
++#!/bin/bash
++
++$NFT add table t || exit 1
++$NFT add chain t c || exit 1
++$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop' || exit 1
++$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all level debug drop' || exit 1
++$NFT delete table t || exit 1
++
++exit 0
++
+--
+cgit v1.2.3
+
diff --git a/net-firewall/nftables/nftables-1.0.4.ebuild b/net-firewall/nftables/nftables-1.0.4-r1.ebuild
index d3b5ea2ddc40..0bab2b816c54 100644
--- a/net-firewall/nftables/nftables-1.0.4.ebuild
+++ b/net-firewall/nftables/nftables-1.0.4-r1.ebuild
@@ -70,6 +70,9 @@ pkg_setup() {
}
src_prepare() {
+ local PATCHES=(
+ "${FILESDIR}/nftables-1.0.4-revert-scanner-flags-move-to-own-scope.patch"
+ )
default
if [[ ${PV} =~ ^[9]{4,}$ ]] ; then