author | Patrick J Volkerding <volkerdi@slackware.com> | 2023-08-10 20:23:33 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2023-08-10 22:58:39 +0200 |
commit | 0cf6293129665a135dbd856c8919b912e9ba041c (patch) | |
tree | 2036266202f400b9b1541e3af0caed0b6f0cdb34 /source/n | |
parent | 19e7ff8c7f3129e87cc2b771d47267c547bada6d (diff) | |
Thu Aug 10 20:23:33 UTC 202320230810202333
Thanks to Heinz Wiesinger for these added python packages to implement
PEP 427 and PEP 517! Python modules are phasing out setup.py in favor of
building wheels, and then using python-installer to install them. These
are the bits needed to make that happen.
l/python-build-0.10.0-x86_64-1.txz: Added.
l/python-flit-core-3.9.0-x86_64-1.txz: Added.
l/python-glad2-2.0.4-x86_64-1.txz: Added.
l/python-installer-0.7.0-x86_64-1.txz: Added.
l/python-lxml-4.9.3-x86_64-1.txz: Added.
l/python-pyproject-hooks-1.0.0-x86_64-1.txz: Added.
l/python-tomli-w-1.0.0-x86_64-1.txz: Added.
l/python-wheel-0.41.1-x86_64-1.txz: Added.
n/nftables-1.0.8-x86_64-2.txz: Rebuilt.
Correctly generate nftables Python module using PEP 427/517 method.
Thanks to marav.
n/openssh-9.4p1-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/n')
-rw-r--r-- | source/n/nftables/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch | 248 | ||||
-rwxr-xr-x | source/n/nftables/nftables.SlackBuild | 16 |
2 files changed, 260 insertions, 4 deletions
diff --git a/source/n/nftables/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch b/source/n/nftables/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch
new file mode 100644
index 000000000..26eb9b2fc
--- /dev/null
+++ b/source/n/nftables/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch
@@ -0,0 +1,248 @@
+From 5f1676ac9f1aeb36d7695c3c354dade013a1e4f3 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 18 Jul 2023 23:10:01 +0200
+Subject: meta: stash context statement length when generating payload/meta
+ dependency
+
+... meta mark set ip dscp
+
+generates an implicit dependency from the inet family to match on meta
+nfproto ip.
+
+The length of this implicit expression is incorrectly adjusted to the
+statement length, ie. relational to compare meta nfproto takes 4 bytes
+instead of 1 byte. The evaluation of 'ip dscp' under the meta mark
+statement triggers this implicit dependency which should not consider
+the context statement length since it is added before the statement
+itself.
+
+This problem shows when listing the ruleset, since netlink_parse_cmp()
+where left->len < right->len, hence handling the implicit dependency as
+a concatenation, but it is actually a bug in the evaluation step that
+leads to incorrect bytecode.
+
+Fixes: 3c64ea7995cb ("evaluate: honor statement length in integer evaluation")
+Fixes: edecd58755a8 ("evaluate: support shifts larger than the width of the left operand")
+Tested-by: Brian Davidson <davidson.brian@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/payload.c | 13 +++++++
+ tests/py/inet/meta.t | 5 +++
+ tests/py/inet/meta.t.json | 86 ++++++++++++++++++++++++++++++++++++++++++++
+ tests/py/inet/meta.t.payload | 40 +++++++++++++++++++++
+ 4 files changed, 144 insertions(+)
+
+diff --git a/src/payload.c b/src/payload.c
+index f67b5407..7862745b 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -409,6 +409,7 @@ static int payload_add_dependency(struct eval_ctx *ctx,
+ const struct proto_hdr_template *tmpl;
+ struct expr *dep, *left, *right;
+ struct proto_ctx *pctx;
++ unsigned int stmt_len;
+ struct stmt *stmt;
+ int protocol;
+
+@@ -429,11 +430,16 @@ static int payload_add_dependency(struct eval_ctx *ctx,
+ constant_data_ptr(protocol, tmpl->len));
+
+ dep = relational_expr_alloc(&expr->location, OP_EQ, left, right);
++
++ stmt_len = ctx->stmt_len;
++ ctx->stmt_len = 0;
++
+ stmt = expr_stmt_alloc(&dep->location, dep);
+ if (stmt_evaluate(ctx, stmt) < 0) {
+ return expr_error(ctx->msgs, expr,
+ "dependency statement is invalid");
+ }
++ ctx->stmt_len = stmt_len;
+
+ if (ctx->inner_desc) {
+ if (tmpl->meta_key)
+@@ -543,6 +549,7 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ const struct hook_proto_desc *h;
+ const struct proto_desc *desc;
+ struct proto_ctx *pctx;
++ unsigned int stmt_len;
+ struct stmt *stmt;
+ uint16_t type;
+
+@@ -559,12 +566,18 @@ int payload_gen_dependency(struct eval_ctx *ctx, const struct expr *expr,
+ "protocol specification is invalid "
+ "for this family");
+
++ stmt_len = ctx->stmt_len;
++ ctx->stmt_len = 0;
++
+ stmt = meta_stmt_meta_iiftype(&expr->location, type);
+ if (stmt_evaluate(ctx, stmt) < 0) {
+ return expr_error(ctx->msgs, expr,
+ "dependency statement is invalid");
+ }
+ *res = stmt;
++
++ ctx->stmt_len = stmt_len;
++
+ return 0;
+ }
+
+diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
+index 374738a7..5c062b39 100644
+--- a/tests/py/inet/meta.t
++++ b/tests/py/inet/meta.t
+@@ -25,3 +25,8 @@ meta mark set ct mark >> 8;ok
+ meta mark . tcp dport { 0x0000000a-0x00000014 . 80-90, 0x00100000-0x00100123 . 100-120 };ok
+ ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 1.2.3.6-1.2.3.8 . 0x00000200-0x00000300 };ok
+ ip saddr . meta mark { 1.2.3.4 . 0x00000100 , 5.6.7.8 . 
0x00000200 };ok
++
++meta mark set ip dscp;ok
++meta mark set ip dscp | 0x40;ok
++meta mark set ip6 dscp;ok
++meta mark set ip6 dscp | 0x40;ok
+diff --git a/tests/py/inet/meta.t.json b/tests/py/inet/meta.t.json
+index 92a1f9bf..3ba0fd1d 100644
+--- a/tests/py/inet/meta.t.json
++++ b/tests/py/inet/meta.t.json
+@@ -440,3 +440,89 @@
+ }
+ ]
+
++# meta mark set ip dscp
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip"
++ }
++ }
++ }
++ }
++]
++
++# meta mark set ip dscp | 0x40
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "|": [
++ {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip"
++ }
++ },
++ 64
++ ]
++ }
++ }
++ }
++]
++
++# meta mark set ip6 dscp
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip6"
++ }
++ }
++ }
++ }
++]
++
++# meta mark set ip6 dscp | 0x40
++[
++ {
++ "mangle": {
++ "key": {
++ "meta": {
++ "key": "mark"
++ }
++ },
++ "value": {
++ "|": [
++ {
++ "payload": {
++ "field": "dscp",
++ "protocol": "ip6"
++ }
++ },
++ 64
++ ]
++ }
++ }
++ }
++]
++
+diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
+index ea540907..c53b5077 100644
+--- a/tests/py/inet/meta.t.payload
++++ b/tests/py/inet/meta.t.payload
+@@ -133,3 +133,43 @@ inet test-inet input
+ [ meta load mark => reg 9 ]
+ [ lookup reg 1 set __set%d ]
+
++# meta mark set ip dscp
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x00000002 ]
++ [ payload load 1b @ network header + 1 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip dscp | 0x40
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x00000002 ]
++ [ payload load 1b @ network header + 1 => reg 1 ]
++ [ 
bitwise reg 1 = ( reg 1 & 0x000000fc ) ^ 0x00000000 ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000002 ) ]
++ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip6 dscp
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x0000000a ]
++ [ payload load 2b @ network header + 0 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
++ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
++ [ meta set mark with reg 1 ]
++
++# meta mark set ip6 dscp | 0x40
++inet test-inet input
++ [ meta load nfproto => reg 1 ]
++ [ cmp eq reg 1 0x0000000a ]
++ [ payload load 2b @ network header + 0 => reg 1 ]
++ [ bitwise reg 1 = ( reg 1 & 0x0000c00f ) ^ 0x00000000 ]
++ [ byteorder reg 1 = ntoh(reg 1, 2, 2) ]
++ [ bitwise reg 1 = ( reg 1 >> 0x00000006 ) ]
++ [ bitwise reg 1 = ( reg 1 & 0xffffffbf ) ^ 0x00000040 ]
++ [ meta set mark with reg 1 ]
++
+--
+cgit v1.2.3
+
diff --git a/source/n/nftables/nftables.SlackBuild b/source/n/nftables/nftables.SlackBuild
index d6bed8a4d..f7129abf8 100755
--- a/source/n/nftables/nftables.SlackBuild
+++ b/source/n/nftables/nftables.SlackBuild
@@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2014, 2018 Patrick J. Volkerding, Sebeka, Minnesota, USA +# Copyright 2014, 2018, 2023 Patrick J. Volkerding, Sebeka, Minnesota, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=nftables VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
@@ -78,6 +78,9 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \+ +# Upstream patch: +cat $CWD/5f1676ac9f1aeb36d7695c3c354dade013a1e4f3.patch | patch -p1 --verbose || exit 1 + CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ LIBS="-lncursesw" \
@@ -88,17 +91,22 @@ LIBS="-lncursesw" \ --localstatedir=/var \ --mandir=/usr/man \ --docdir=/usr/doc/$PKGNAM-$VERSION \ - --with-python-bin=python3 \ --with-xtables \ --disable-static \ + --disable-python \ --with-json \ - --enable-python \ --with-cli=readline \ --build=$ARCH-slackware-linux || exit 1 make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG || exit 1 +# Build python module: +( cd py + python3 -m build --wheel --no-isolation + python3 -m installer --destdir="$PKG" dist/*.whl +) + rm -f $PKG/usr/lib${LIBDIRSUFFIX}/*.la find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | \ |
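Review bot: The `# Upstream patch:` comment above the new `patch -p1` line does not say what the patch changes, and the patch file is named only by a commit hash, so a later maintainer has to open it to audit what is being applied to the firewall tooling. The patch header on this page describes it as the nftables fix for incorrect bytecode from the implicit `meta nfproto` dependency in statements such as `meta mark set ip dscp`. A comment such as `# Upstream 5f1676ac9f1a: fix implicit dependency length for "meta mark set ip dscp" (drop when a release includes it):` would record that. The rest of the script lies outside the hunk.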
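Review bot: The new `( cd py ... )` subshell has no failure handling, while the `configure`, `make` and `make install` steps in the same hunk all end in `|| exit 1`. If `cd py` fails, both `python3` commands run in the source root; if `python3 -m build` fails, the installer is handed an unexpanded `dist/*.whl`. Unless the script sets `-e` outside the hunk, it then carries on and would presumably produce a package without the Python module, now that configure is passed `--disable-python`. Add `|| exit 1` to `cd py` and to both `python3` lines, and close the subshell with `) || exit 1`. Keeping `--no-isolation` is right for a package build, since the wheel is then built against the installed build packages rather than ones fetched at build time.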