From 7ccce2f9669b6b9b736ab74727b021ff5c69fe77 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 18 Jul 2024 09:24:42 +0800
Subject: nftables: upgrade 1.0.9 -> 1.1.0
ChangeLog:
https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt
* Drop backport patches.
Signed-off-by: Yi Zhao
Signed-off-by: Khem Raj
---
 ...-Fix-sets-reset_command_0-for-current-ker.patch | 53 -----------
 ...-skip-secmark-tests-if-kernel-does-not-su.patch | 46 ---------
 .../recipes-filter/nftables/nftables_1.0.9.bb | 106 ---------------------
 .../recipes-filter/nftables/nftables_1.1.0.bb | 104 ++++++++++++++++++++
 4 files changed, 104 insertions(+), 205 deletions(-)
 delete mode 100644 meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
 delete mode 100644 meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch
 delete mode 100644 meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
 create mode 100644 meta-networking/recipes-filter/nftables/nftables_1.1.0.bb
(limited to 'meta-networking')
diff --git a/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
deleted file mode 100644
index 164182bb1e..0000000000
--- a/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -From 7a6089a400a573b9a4fd92f29c00a6be7b8ef269 Mon Sep 17 00:00:00 2001 -From: Phil Sutter -Date: Thu, 2 Nov 2023 16:02:14 +0100 -Subject: [PATCH] tests: shell: Fix sets/reset_command_0 for current kernels - -Since kernel commit 4c90bba60c26 ("netfilter: nf_tables: do not refresh -timeout when resetting element"), element reset won't touch expiry -anymore. Invert the one check to make sure it remains unaltered, drop -the other testing behaviour for per-element timeouts. - -Signed-off-by: Phil Sutter - -Upstream-Status: Backport -[https://git.netfilter.org/nftables/commit/?id=7a6089a400a573b9a4fd92f29c00a6be7b8ef269] - -Signed-off-by: William Lyu ---- - tests/shell/testcases/sets/reset_command_0 | 10 ++-------- - 1 file changed, 2 insertions(+), 8 deletions(-) - -diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0 -index e663dac8..d38ddb3f 100755 ---- a/tests/shell/testcases/sets/reset_command_0 -+++ b/tests/shell/testcases/sets/reset_command_0 -@@ -44,10 +44,10 @@ elem='element t s { 1.0.0.1 . udp . 53 }' - grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]] - echo OK - --echo -n "counters and expiry are reset: " -+echo -n "counters are reset, expiry left alone: " - NEW=$($NFT "get $elem") - grep -q 'counter packets 0 bytes 0' <<< "$NEW" --[[ $(expires_minutes <<< "$NEW") -gt 20 ]] -+[[ $(expires_minutes <<< "$NEW") -lt 20 ]] - echo OK - - echo -n "get map elem matches reset map elem: " -@@ -80,12 +80,6 @@ OUT=$($NFT reset map t m) - $DIFF -u <(echo "$EXP") <(echo "$OUT") - echo OK - --echo -n "reset command respects per-element timeout: " --VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes) --[[ $VAL -lt 15 ]] # custom timeout applies --[[ $VAL -gt 10 ]] # expires was reset --echo OK -- - echo -n "remaining elements are reset: " - OUT=$($NFT list ruleset) - grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT" --- -2.43.0 - 
diff --git a/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch deleted file mode 100644 index 2a966ab443..0000000000 --- a/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch +++ /dev/null @@ -1,46 +0,0 @@ -From fff913c1eefbc84eb2d9c52038ef29fe881e9ee9 Mon Sep 17 00:00:00 2001 -From: Pablo Neira Ayuso -Date: Tue, 21 Nov 2023 21:16:38 +0100 -Subject: [PATCH] tests: shell: skip secmark tests if kernel does not support - it - -Signed-off-by: Pablo Neira Ayuso - -Upstream-Status: Backport -[https://git.netfilter.org/nftables/commit/?id=fff913c1eefbc84eb2d9c52038ef29fe881e9ee9] - -Signed-off-by: William Lyu ---- - tests/shell/features/secmark.nft | 7 +++++++ - tests/shell/testcases/json/0005secmark_objref_0 | 1 + - 2 files changed, 8 insertions(+) - create mode 100644 tests/shell/features/secmark.nft - -diff --git a/tests/shell/features/secmark.nft b/tests/shell/features/secmark.nft -new file mode 100644 -index 00000000..ccbb572f ---- /dev/null -+++ b/tests/shell/features/secmark.nft -@@ -0,0 +1,7 @@ -+# fb961945457f ("netfilter: nf_tables: add SECMARK support") -+# v4.20-rc1~14^2~125^2~5 -+table inet x { -+ secmark ssh_server { -+ "system_u:object_r:ssh_server_packet_t:s0" -+ } -+} -diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0 -index 992d1b00..5c44f093 100755 ---- a/tests/shell/testcases/json/0005secmark_objref_0 -+++ b/tests/shell/testcases/json/0005secmark_objref_0 -@@ -1,6 +1,7 @@ - #!/bin/bash - - # NFT_TEST_REQUIRES(NFT_TEST_HAVE_json) -+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_secmark) - - set -e - --- -2.43.0 - 
diff --git a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
deleted file mode 100644
index 17f00ffd42..0000000000
--- a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
+++ /dev/null
@@ -1,106 +0,0 @@
-SUMMARY = "Netfilter Tables userspace utillites"
-DESCRIPTION = "nftables replaces the popular {ip,ip6,arp,eb}tables. \
- This software provides an in-kernel packet classification framework \
- that is based on a network-specific Virtual Machine (VM), \
- nft, a userspace command line tool and libnftables, a high-level userspace library."
-HOMEPAGE = "https://netfilter.org/projects/nftables"
-SECTION = "net"
-LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=81ec33bb3e47b460fc993ac768c74b62"
-
-DEPENDS = "libmnl libnftnl bison-native \
- ${@bb.utils.contains('PACKAGECONFIG', 'mini-gmp', '', 'gmp', d)}"
-
-SRC_URI = "http://www.netfilter.org/projects/nftables/files/${BP}.tar.xz \
- file://0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch \
- file://0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch \
- file://run-ptest \
- "
-SRC_URI[sha256sum] = "a3c304cd9ba061239ee0474f9afb938a9bb99d89b960246f66f0c3a0a85e14cd"
-
-inherit autotools manpages pkgconfig ptest
-
-PACKAGECONFIG ?= "python readline json"
-PACKAGECONFIG[editline] = "--with-cli=editline, , libedit, , , linenoise readline"
-PACKAGECONFIG[json] = "--with-json, --without-json, jansson"
-PACKAGECONFIG[linenoise] = "--with-cli=linenoise, , linenoise, , , editline readline"
-PACKAGECONFIG[manpages] = "--enable-man-doc, --disable-man-doc, asciidoc-native"
-PACKAGECONFIG[mini-gmp] = "--with-mini-gmp, --without-mini-gmp"
-PACKAGECONFIG[python] = ",, python3-setuptools-native"
-PACKAGECONFIG[readline] = "--with-cli=readline, , readline, , , editline linenoise"
-PACKAGECONFIG[xtables] = "--with-xtables, --without-xtables, iptables"
-
-EXTRA_OECONF = " \
- ${@bb.utils.contains_any('PACKAGECONFIG', 'editline linenoise readline', '', '--without-cli', d)}"
-
-SETUPTOOLS_SETUP_PATH = "${S}/py"
-
-inherit_defer ${@bb.utils.contains('PACKAGECONFIG', 'python', 'setuptools3', '', d)}
-
-PACKAGES =+ "${@bb.utils.contains('PACKAGECONFIG', 'python', '${PN}-python', '', d)}"
-FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}"
-RDEPENDS:${PN}-python = "python3-core python3-json ${PN}"
-
-# Explicitly define do_configure, do_compile and do_install because both autotools and setuptools3
-# have EXPORT_FUNCTIONS do_configure do_compile do_install
-do_configure() {
- autotools_do_configure
- if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then
- setuptools3_do_configure
- fi
-}
-
-do_compile() {
- autotools_do_compile
- if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then
- setuptools3_do_compile
- fi
-}
-
-do_install() {
- autotools_do_install
- if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then
- setuptools3_do_install
- fi
-}
-
-RDEPENDS:${PN}-ptest += " ${PN}-python bash coreutils make iproute2 iputils-ping procps python3-core python3-ctypes python3-json python3-misc sed util-linux"
-
-RRECOMMENDS:${PN}-ptest += "\
-kernel-module-nft-chain-nat kernel-module-nft-queue \
-kernel-module-nft-compat kernel-module-nft-quota \
-kernel-module-nft-connlimit kernel-module-nft-redir \
-kernel-module-nft-ct kernel-module-nft-reject \
-kernel-module-nft-flow-offload kernel-module-nft-reject-inet \
-kernel-module-nft-hash kernel-module-nft-reject-ipv4 \
-kernel-module-nft-limit kernel-module-nft-reject-ipv6 \
-kernel-module-nft-log kernel-module-nft-socket \
-kernel-module-nft-masq kernel-module-nft-synproxy \
-kernel-module-nft-nat kernel-module-nft-tunnel \
-kernel-module-nft-numgen kernel-module-nft-xfrm \
-kernel-module-nft-osf \
-kernel-module-nf-flow-table \
-kernel-module-nf-flow-table-inet \
-kernel-module-nf-nat \
-kernel-module-nf-log-syslog \
-kernel-module-nf-nat-ftp \
-kernel-module-nf-nat-sip \
-kernel-module-8021q \
-kernel-module-dummy"
-
-TESTDIR = "tests"
-
-PRIVATE_LIBS:${PN}-ptest:append = " libnftables.so.1"
-
-do_install_ptest() {
- cp -rf ${S}/build-aux ${D}${PTEST_PATH}
- cp -rf ${S}/src ${D}${PTEST_PATH}
- mkdir -p ${D}${PTEST_PATH}/src/.libs
- cp -rf ${B}/src/.libs/* ${D}${PTEST_PATH}/src/.libs
- cp -rf ${B}/src/.libs/nft ${D}${PTEST_PATH}/src/
- cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}/${TESTDIR}
- sed -i 's#/usr/bin/python#/usr/bin/python3#' ${D}${PTEST_PATH}/${TESTDIR}/json_echo/run-test.py
- sed -i 's#/usr/bin/env python#/usr/bin/env python3#' ${D}${PTEST_PATH}/${TESTDIR}/py/nft-test.py
- # handle multilib
- sed -i s:@libdir@:${libdir}:g ${D}${PTEST_PATH}/run-ptest
-}
diff --git a/meta-networking/recipes-filter/nftables/nftables_1.1.0.bb b/meta-networking/recipes-filter/nftables/nftables_1.1.0.bb
new file mode 100644
index 0000000000..1dfaad494b
--- /dev/null
+++ b/meta-networking/recipes-filter/nftables/nftables_1.1.0.bb
@@ -0,0 +1,104 @@
+SUMMARY = "Netfilter Tables userspace utillites"
+DESCRIPTION = "nftables replaces the popular {ip,ip6,arp,eb}tables. \
+ This software provides an in-kernel packet classification framework \
+ that is based on a network-specific Virtual Machine (VM), \
+ nft, a userspace command line tool and libnftables, a high-level userspace library."
+HOMEPAGE = "https://netfilter.org/projects/nftables"
+SECTION = "net"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=81ec33bb3e47b460fc993ac768c74b62"
+
+DEPENDS = "libmnl libnftnl bison-native \
+ ${@bb.utils.contains('PACKAGECONFIG', 'mini-gmp', '', 'gmp', d)}"
+
+SRC_URI = "http://www.netfilter.org/projects/nftables/files/${BP}.tar.xz \
+ file://run-ptest \
+ "
+SRC_URI[sha256sum] = "ef3373294886c5b607ee7be82c56a25bc04e75f802f8e8adcd55aac91eb0aa24"
+
+inherit autotools manpages pkgconfig ptest
+
+PACKAGECONFIG ?= "python readline json"
+PACKAGECONFIG[editline] = "--with-cli=editline, , libedit, , , linenoise readline"
+PACKAGECONFIG[json] = "--with-json, --without-json, jansson"
+PACKAGECONFIG[linenoise] = "--with-cli=linenoise, , linenoise, , , editline readline"
+PACKAGECONFIG[manpages] = "--enable-man-doc, --disable-man-doc, asciidoc-native"
+PACKAGECONFIG[mini-gmp] = "--with-mini-gmp, --without-mini-gmp"
+PACKAGECONFIG[python] = ",, python3-setuptools-native"
+PACKAGECONFIG[readline] = "--with-cli=readline, , readline, , , editline linenoise"
+PACKAGECONFIG[xtables] = "--with-xtables, --without-xtables, iptables"
+
+EXTRA_OECONF = " \
+ ${@bb.utils.contains_any('PACKAGECONFIG', 'editline linenoise readline', '', '--without-cli', d)}"
+
+SETUPTOOLS_SETUP_PATH = "${S}/py"
+
+inherit_defer ${@bb.utils.contains('PACKAGECONFIG', 'python', 'setuptools3', '', d)}
+
+PACKAGES =+ "${@bb.utils.contains('PACKAGECONFIG', 'python', '${PN}-python', '', d)}"
+FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}"
+RDEPENDS:${PN}-python = "python3-core python3-json ${PN}"
+
+# Explicitly define do_configure, do_compile and do_install because both autotools and setuptools3
+# have EXPORT_FUNCTIONS do_configure do_compile do_install
+do_configure() {
+ autotools_do_configure
+ if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then
+ setuptools3_do_configure
+ fi
+}
+
+do_compile() {
+ autotools_do_compile
+ if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then
+ setuptools3_do_compile
+ fi
+}
+
+do_install() {
+ autotools_do_install
+ if ${@bb.utils.contains('PACKAGECONFIG', 'python', 'true', 'false', d)}; then
+ setuptools3_do_install
+ fi
+}
+
+RDEPENDS:${PN}-ptest += " ${PN}-python bash coreutils make iproute2 iputils-ping procps python3-core python3-ctypes python3-json python3-misc sed util-linux"
+
+RRECOMMENDS:${PN}-ptest += "\
+kernel-module-nft-chain-nat kernel-module-nft-queue \
+kernel-module-nft-compat kernel-module-nft-quota \
+kernel-module-nft-connlimit kernel-module-nft-redir \
+kernel-module-nft-ct kernel-module-nft-reject \
+kernel-module-nft-flow-offload kernel-module-nft-reject-inet \
+kernel-module-nft-hash kernel-module-nft-reject-ipv4 \
+kernel-module-nft-limit kernel-module-nft-reject-ipv6 \
+kernel-module-nft-log kernel-module-nft-socket \
+kernel-module-nft-masq kernel-module-nft-synproxy \
+kernel-module-nft-nat kernel-module-nft-tunnel \
+kernel-module-nft-numgen kernel-module-nft-xfrm \
+kernel-module-nft-osf \
+kernel-module-nf-flow-table \
+kernel-module-nf-flow-table-inet \
+kernel-module-nf-nat \
+kernel-module-nf-log-syslog \
+kernel-module-nf-nat-ftp \
+kernel-module-nf-nat-sip \
+kernel-module-8021q \
+kernel-module-dummy"
+
+TESTDIR = "tests"
+
+PRIVATE_LIBS:${PN}-ptest:append = " libnftables.so.1"
+
+do_install_ptest() {
+ cp -rf ${S}/build-aux ${D}${PTEST_PATH}
+ cp -rf ${S}/src ${D}${PTEST_PATH}
+ mkdir -p ${D}${PTEST_PATH}/src/.libs
+ cp -rf ${B}/src/.libs/* ${D}${PTEST_PATH}/src/.libs
+ cp -rf ${B}/src/.libs/nft ${D}${PTEST_PATH}/src/
+ cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}/${TESTDIR}
+ sed -i 's#/usr/bin/python#/usr/bin/python3#' ${D}${PTEST_PATH}/${TESTDIR}/json_echo/run-test.py
+ sed -i 's#/usr/bin/env python#/usr/bin/env python3#' ${D}${PTEST_PATH}/${TESTDIR}/py/nft-test.py
+ # handle multilib
+ sed -i s:@libdir@:${libdir}:g ${D}${PTEST_PATH}/run-ptest
+}
-- cgit v1.2.3-54-g00ecf
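Review bot: SRC_URI in the new nftables_1.1.0.bb still fetches the release tarball over plain `http://www.netfilter.org/projects/nftables/files/${BP}.tar.xz`, while HOMEPAGE in the same recipe and the ChangeLog link in the commit message already use https; the pinned sha256sum does guarantee that only the intended archive is unpacked, but an unauthenticated transport lets an on-path party substitute a stale or bogus archive that merely fails the checksum and breaks the build, and switching the line to `https://www.netfilter.org/projects/nftables/files/${BP}.tar.xz` removes that exposure at no cost. Since this is a fresh file it is also the natural moment to fix the carried-over typo, `SUMMARY = "Netfilter Tables userspace utilities"`. The rest of the recipe is a line-for-line copy of the deleted 1.0.9 version minus the two `file://` backport patch entries, which matches the "Drop backport patches" note in the commit message.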