sync patches from upstream community

This commit is contained in:
zengwefeng 2021-07-28 11:54:19 +08:00
parent a184d5c088
commit 163a92cb3b
8 changed files with 389 additions and 2 deletions


@ -0,0 +1,45 @@
From d63064681a91fdfbd53e1ef07b6a8283f48fedb5 Mon Sep 17 00:00:00 2001
From: Gopal Yadav <gopunop@gmail.com>
Date: Wed, 7 Oct 2020 19:33:37 +0530
Subject: Solves Bug 1462 - `nft -j list set` does not show counters
Element counters reside in 'stmt' field as counter statement. Append
them to 'elem' object as additional 'counter' property, generated by
counter_stmt_json().
Signed-off-by: Gopal Yadav <gopunop@gmail.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Conflict:NA
Reference: http://git.netfilter.org/nftables/commit/?id=d63064681a91fdfbd53e1ef07b6a8283f48fedb5
---
src/json.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/json.c b/src/json.c
index 5856f9fc..121dfb24 100644
--- a/src/json.c
+++ b/src/json.c
@@ -589,7 +589,7 @@ json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx)
return NULL;
/* these element attributes require formal set elem syntax */
- if (expr->timeout || expr->expiration || expr->comment) {
+ if (expr->timeout || expr->expiration || expr->comment || expr->stmt) {
root = json_pack("{s:o}", "val", root);
if (expr->timeout) {
@@ -604,6 +604,12 @@ json_t *set_elem_expr_json(const struct expr *expr, struct output_ctx *octx)
tmp = json_string(expr->comment);
json_object_set_new(root, "comment", tmp);
}
+ if (expr->stmt) {
+ tmp = stmt_print_json(expr->stmt, octx);
+ /* XXX: detect and complain about clashes? */
+ json_object_update_missing(root, tmp);
+ json_decref(tmp);
+ }
return json_pack("{s:o}", "elem", root);
}
--
cgit v1.2.3
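Review bot: The new `if (expr->stmt)` branch discards the return value of `json_object_update_missing()` and, as its own `XXX` comment admits, silently drops any key the statement object shares with the already-set `val`/`timeout`/`expires`/`comment` keys, so a clash would never surface in the output. If `stmt_print_json()` can return NULL on failure (its implementation is not visible here), jansson's `json_object_update_missing(root, NULL)` just returns -1 and `json_decref(NULL)` is a no-op, so nothing crashes, but the counter would be absent with no diagnostic. I would at least turn the XXX into a statement of the contract, e.g. `/* keys already on the elem win; a clashing statement key is dropped silently */`, or check the result: `if (!tmp || json_object_update_missing(root, tmp) < 0) { /* report */ }`. `set_elem_expr_json()` starts before this hunk.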


@ -0,0 +1,50 @@
From 032c9f745c6daab8c27176a95963b1c32b0a5d12 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Sep 2020 17:38:45 +0200
Subject: evaluate: Reject quoted strings containing only wildcard
Fix for an assertion fail when trying to match against an all-wildcard
interface name:
| % nft add rule t c iifname '"*"'
| nft: expression.c:402: constant_expr_alloc: Assertion `(((len) + (8) - 1) / (8)) > 0' failed.
| zsh: abort nft add rule t c iifname '"*"'
Fix this by detecting the string in expr_evaluate_string() and returning
an error message:
| % nft add rule t c iifname '"*"'
| Error: All-wildcard strings are not supported
| add rule t c iifname "*"
| ^^^
While being at it, drop the 'datalen >= 1' clause from the following
conditional as together with the added check for 'datalen == 0', all
possible other values have been caught already.
Conflict: NA
Reference: http://git.netfilter.org/nftables/commit/?id=032c9f745c6daab8c27176a95963b1c32b0a5d12
---
src/evaluate.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index c8045e5d..5f17d750 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -324,8 +324,11 @@ static int expr_evaluate_string(struct eval_ctx *ctx, struct expr **exprp)
return 0;
}
- if (datalen >= 1 &&
- data[datalen - 1] == '\\') {
+ if (datalen == 0)
+ return expr_error(ctx->msgs, expr,
+ "All-wildcard strings are not supported");
+
+ if (data[datalen - 1] == '\\') {
char unescaped_str[data_len];
memset(unescaped_str, 0, sizeof(unescaped_str));
--
cgit v1.2.3
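Review bot: The new `datalen == 0` guard would read better with a comment tying it to the crash it prevents, because nothing in the hunk explains how a quoted string arrives here with zero bytes. From the commit message, `datalen` is what remains after the trailing `*` wildcard has been stripped, so `"*"` leaves nothing and `constant_expr_alloc()` asserts on a zero-length value; suggested: `/* "*" alone leaves no bytes after wildcard stripping; constant_expr_alloc() asserts on len 0 */`. Note also that the VLA on the following line is sized by `data_len` while the guard tests `datalen` — presumably two distinct variables with near-identical names, which is easy to misread; a short comment or rename would help. `expr_evaluate_string()` starts before this hunk.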


@ -0,0 +1,52 @@
From f02aa3764a48c2afd17761a211f70da941c71d00 Mon Sep 17 00:00:00 2001
From: Gopal Yadav <gopunop@gmail.com>
Date: Tue, 22 Sep 2020 13:55:33 +0530
Subject: json: Combining --terse with --json has no effect
--terse with --json is ignored, fix this. This patch also includes a test.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1388
Signed-off-by: Gopal Yadav <gopunop@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflict: NA
Reference: http://git.netfilter.org/nftables/commit/?id=f02aa3764a48c2afd17761a211f70da941c71d00
---
src/json.c | 2 +-
tests/shell/testcases/listing/0021ruleset_json_terse_0 | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
create mode 100755 tests/shell/testcases/listing/0021ruleset_json_terse_0
diff --git a/src/json.c b/src/json.c
index a9f5000f..5856f9fc 100644
--- a/src/json.c
+++ b/src/json.c
@@ -140,7 +140,7 @@ static json_t *set_print_json(struct output_ctx *octx, const struct set *set)
json_object_set_new(root, "gc-interval", tmp);
}
- if (set->init && set->init->size > 0) {
+ if (!nft_output_terse(octx) && set->init && set->init->size > 0) {
json_t *array = json_array();
const struct expr *i;
diff --git a/tests/shell/testcases/listing/0021ruleset_json_terse_0 b/tests/shell/testcases/listing/0021ruleset_json_terse_0
new file mode 100755
index 00000000..c739ac3f
--- /dev/null
+++ b/tests/shell/testcases/listing/0021ruleset_json_terse_0
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+$NFT flush ruleset
+$NFT add table ip test
+$NFT add chain ip test c
+$NFT add set ip test s { type ipv4_addr\; }
+$NFT add element ip test s { 192.168.3.4, 192.168.3.5 }
+
+if $NFT -j -t list ruleset | grep '192'
+then
+ exit 1
+fi
--
cgit v1.2.3
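Review bot: The new test can pass for the wrong reason: `if $NFT -j -t list ruleset | grep '192'` only fails the test when the elements are printed, so if `nft` itself errors out (bad build, missing JSON support) grep sees nothing and the script exits 0. The setup commands are likewise unchecked, and there is no positive control showing that the elements are listed without `-t`, so a regression that hides elements in all modes would also pass. I would add `set -e`, assert the non-terse listing first, and capture the terse output before grepping so a failing `nft` is not masked by the pipeline.

```shell
#!/bin/bash
set -e
# … unchanged: flush / table / chain / set / element setup …
# positive control: without -t the elements must be listed
$NFT -j list ruleset | grep -q 192
# capture first so a failing nft is not masked by the pipeline
out=$($NFT -j -t list ruleset)
if grep -q 192 <<< "$out"; then
	exit 1
fi
```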


@ -0,0 +1,33 @@
From 88af46df5544d9a0b080f23fb2902c86659f0c86 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 8 Oct 2020 19:10:13 +0200
Subject: json: Fix memleak in set_dtype_json()
Turns out json_string() already dups the input, so the temporary dup
passed to it is lost.
Fixes: e70354f53e9f6 ("libnftables: Implement JSON output support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflict: NA
Reference: http://git.netfilter.org/nftables/commit/?id=88af46df5544d9a0b080f23fb2902c86659f0c86
---
src/json.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/json.c b/src/json.c
index 121dfb24..a8824d3f 100644
--- a/src/json.c
+++ b/src/json.c
@@ -62,7 +62,7 @@ static json_t *set_dtype_json(const struct expr *key)
tok = strtok(namedup, " .");
while (tok) {
- json_t *jtok = json_string(xstrdup(tok));
+ json_t *jtok = json_string(tok);
if (!root)
root = jtok;
else if (json_is_string(root))
--
cgit v1.2.3
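Review bot: The fix itself is right — `json_string()` copies its argument, so the extra `xstrdup()` was pure leak — but while touching this loop it is worth noting that it tokenises with `strtok()`, which keeps static state and is not reentrant; in library code (libnftables) that can bite any caller that tokenises in another thread or in a callback. `strtok_r()` with a local `char *save` is a drop-in: `tok = strtok_r(namedup, " .", &save);` here and the matching call at the loop's end, which is outside this hunk. Pre-existing, so fine to leave for a follow-up, but it should not be forgotten. `set_dtype_json()` continues beyond the hunk, including the eventual free of `namedup`.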


@ -0,0 +1,79 @@
From 6975c6d39366e0a086a43fa984392e2231c1b193 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 2 Dec 2020 23:20:40 +0100
Subject: mnl: reply netlink error message might be larger than
MNL_SOCKET_BUFFER_SIZE
Netlink attribute maximum size is 65536 bytes (given nla_len is
16-bits). NFTA_SET_ELEM_LIST_ELEMENTS stores as many set elements as
possible that can fit into this netlink attribute.
Netlink messages with NLMSG_ERROR type originating from the kernel
contain the original netlink message as payload, they might be larger
than 65536 bytes.
Add NFT_MNL_ACK_MAXSIZE which estimates the maximum Netlink header
coming as (error) reply from the kernel. This estimate is based on the
maximum netlink message size that nft sends from userspace.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1464
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflict: NA
Reference: http://git.netfilter.org/nftables/commit/?id=6975c6d39366e0a086a43fa984392e2231c1b193
---
src/mnl.c | 5 ++++-
tests/shell/testcases/sets/0057set_create_fails_0 | 18 ++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
create mode 100755 tests/shell/testcases/sets/0057set_create_fails_0
diff --git a/src/mnl.c b/src/mnl.c
index ffa1e140..cd12309b 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -359,6 +359,9 @@ static int mnl_batch_extack_cb(const struct nlmsghdr *nlh, void *data)
}
#define NFT_MNL_ECHO_RCVBUFF_DEFAULT (MNL_SOCKET_BUFFER_SIZE * 1024)
+#define NFT_MNL_ACK_MAXSIZE ((sizeof(struct nlmsghdr) + \
+ sizeof(struct nfgenmsg) + (1 << 16)) + \
+ MNL_SOCKET_BUFFER_SIZE)
int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
uint32_t num_cmds)
@@ -366,7 +369,7 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list,
struct mnl_socket *nl = ctx->nft->nf_sock;
int ret, fd = mnl_socket_get_fd(nl), portid = mnl_socket_get_portid(nl);
uint32_t iov_len = nftnl_batch_iovec_len(ctx->batch);
- char rcv_buf[MNL_SOCKET_BUFFER_SIZE];
+ char rcv_buf[NFT_MNL_ACK_MAXSIZE];
const struct sockaddr_nl snl = {
.nl_family = AF_NETLINK
};
diff --git a/tests/shell/testcases/sets/0057set_create_fails_0 b/tests/shell/testcases/sets/0057set_create_fails_0
new file mode 100755
index 00000000..5f0149a3
--- /dev/null
+++ b/tests/shell/testcases/sets/0057set_create_fails_0
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+RULESET="table inet filter {
+ set test {
+ type ipv4_addr
+ size 65535
+ elements = { 1.1.1.1 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
+
+CMD="create element inet filter test { 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.1.1.6, 1.1.1.7, 1.1.1.8, 1.1.1.9, 1.1.1.10, 1.1.1.11, 1.1.1.12, 1.1.1.13, 1.1.1.14, 1.1.1.15, 1.1.1.16, 1.1.1.17, 1.1.1.18, 1.1.1.19, 1.1.1.20, 1.1.1.21, 1.1.1.22, 1.1.1.23, 1.1.1.24, 1.1.1.25, 1.1.1.26, 1.1.1.27, 1.1.1.28, 1.1.1.29, 1.1.1.30, 1.1.1.31, 1.1.1.32, 1.1.1.33, 1.1.1.34, 1.1.1.35, 1.1.1.36, 1.1.1.37, 1.1.1.38, 1.1.1.39, 1.1.1.40, 1.1.1.41, 1.1.1.42, 1.1.1.43, 1.1.1.44, 1.1.1.45, 1.1.1.46, 1.1.1.47, 1.1.1.48, 1.1.1.49, 1.1.1.50, 1.1.1.51, 1.1.1.52, 1.1.1.53, 1.1.1.54, 1.1.1.55, 1.1.1.56, 1.1.1.57, 1.1.1.58, 1.1.1.59, 1.1.1.60, 1.1.1.61, 1.1.1.62, 1.1.1.63, 1.1.1.64, 1.1.1.65, 1.1.1.66, 1.1.1.67, 1.1.1.68, 1.1.1.69, 1.1.1.70, 1.1.1.71, 1.1.1.72, 1.1.1.73, 1.1.1.74, 1.1.1.75, 1.1.1.76, 1.1.1.77, 1.1.1.78, 1.1.1.79, 1.1.1.80, 1.1.1.81, 1.1.1.82, 1.1.1.83, 1.1.1.84, 1.1.1.85, 1.1.1.86, 1.1.1.87, 1.1.1.88, 1.1.1.89, 1.1.1.90, 1.1.1.91, 1.1.1.92, 1.1.1.93, 1.1.1.94, 1.1.1.95, 1.1.1.96, 1.1.1.97, 1.1.1.98, 1.1.1.99, 1.1.1.100, 1.1.1.101, 1.1.1.102, 1.1.1.103, 1.1.1.104, 1.1.1.105, 1.1.1.106, 1.1.1.107, 1.1.1.108, 1.1.1.109, 1.1.1.110, 1.1.1.111, 1.1.1.112, 1.1.1.113, 1.1.1.114, 1.1.1.115, 1.1.1.116, 1.1.1.117, 1.1.1.118, 1.1.1.119, 1.1.1.120, 1.1.1.121, 1.1.1.122, 1.1.1.123, 1.1.1.124, 1.1.1.125, 1.1.1.126, 1.1.1.127, 1.1.1.128, 1.1.1.129, 1.1.1.130, 1.1.1.131, 1.1.1.132, 1.1.1.133, 1.1.1.134, 1.1.1.135, 1.1.1.136, 1.1.1.137, 1.1.1.138, 1.1.1.139, 1.1.1.140, 1.1.1.141, 1.1.1.142, 1.1.1.143, 1.1.1.144, 1.1.1.145, 1.1.1.146, 1.1.1.147, 1.1.1.148, 1.1.1.149, 1.1.1.150, 1.1.1.151, 1.1.1.152, 1.1.1.153, 1.1.1.154, 1.1.1.155, 1.1.1.156, 1.1.1.157, 1.1.1.158, 1.1.1.159, 1.1.1.160, 1.1.1.161, 1.1.1.162, 1.1.1.163, 1.1.1.164, 1.1.1.165, 1.1.1.166, 1.1.1.167, 1.1.1.168, 1.1.1.169, 1.1.1.170, 1.1.1.171, 1.1.1.172, 1.1.1.173, 1.1.1.174, 1.1.1.175, 1.1.1.176, 1.1.1.177, 1.1.1.178, 1.1.1.179, 1.1.1.180, 1.1.1.181, 1.1.1.182, 1.1.1.183, 1.1.1.184, 1.1.1.185, 1.1.1.186, 1.1.1.187, 1.1.1.188, 
1.1.1.189, 1.1.1.190, 1.1.1.191, 1.1.1.192, 1.1.1.193, 1.1.1.194, 1.1.1.195, 1.1.1.196, 1.1.1.197, 1.1.1.198, 1.1.1.199, 1.1.1.200, 1.1.1.201, 1.1.1.202, 1.1.1.203, 1.1.1.204, 1.1.1.205, 1.1.1.206, 1.1.1.207, 1.1.1.208, 1.1.1.209, 1.1.1.210, 1.1.1.211, 1.1.1.212, 1.1.1.213, 1.1.1.214, 1.1.1.215, 1.1.1.216, 1.1.1.217, 1.1.1.218, 1.1.1.219, 1.1.1.220, 1.1.1.221, 1.1.1.222, 1.1.1.223, 1.1.1.224, 1.1.1.225, 1.1.1.226, 1.1.1.227, 1.1.1.228, 1.1.1.229, 1.1.1.230, 1.1.1.231, 1.1.1.232, 1.1.1.233, 1.1.1.234, 1.1.1.235, 1.1.1.236, 1.1.1.237, 1.1.1.238, 1.1.1.239, 1.1.1.240, 1.1.1.241, 1.1.1.242, 1.1.1.243, 1.1.1.244, 1.1.1.245, 1.1.1.246, 1.1.1.247, 1.1.1.248, 1.1.1.249, 1.1.1.250, 1.1.1.251, 1.1.1.252, 1.1.1.253 }"
+
+# If this returns ENOSPC, then nft is sending a netlink message that is larger
+# than NFT_MNL_ACK_MAXSIZE. Make sure this returns EEXIST.
+$NFT -f - <<< $CMD 2>&1 >/dev/null | grep "File exists"
+[ "$?" -eq 0 ] && exit 0
--
cgit v1.2.3
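Review bot: `char rcv_buf[NFT_MNL_ACK_MAXSIZE]` now places roughly 64 KiB plus headers plus `MNL_SOCKET_BUFFER_SIZE` on the stack of `mnl_batch_talk()`; if `MNL_SOCKET_BUFFER_SIZE` is libmnl's sysconf()-based expression, this was already a VLA and is now a very large one, which is risky for a library that may be called from threads with small stacks. I would allocate it on the heap (`char *rcv_buf = xmalloc(NFT_MNL_ACK_MAXSIZE);`) and free it on every exit path — the function body and its returns are outside this hunk — or make it static if the function is not reentrant. The `(1 << 16)` term would also benefit from a comment naming what it bounds, e.g. `/* nla_len is 16 bits: one NFTA_SET_ELEM_LIST_ELEMENTS attribute is at most 64 KiB */`, so the estimate can be re-derived when the message format changes.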


@ -0,0 +1,29 @@
From a2fb19736bf6879146dba5cd40a3265cb1c9671b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 28 Jul 2020 19:36:57 +0200
Subject: parser_bison: memleak symbol redefinition
Missing expr_free() from the error path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflict: NA
Reference: http://git.netfilter.org/nftables/commit/?id=a2fb19736bf6879146dba5cd40a3265cb1c9671b
---
src/parser_bison.y | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index f0cca641..167c3158 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ common_block : INCLUDE QUOTED_STRING stmt_separator
if (symbol_lookup(scope, $2) != NULL) {
erec_queue(error(&@2, "redefinition of symbol '%s'", $2),
state->msgs);
+ expr_free($4);
xfree($2);
YYERROR;
}
--
cgit v1.2.3
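Review bot: The added `expr_free($4)` deserves a one-line comment explaining why it is needed, because a reader will expect bison's `%destructor` to reclaim the value. Bison does not run `%destructor` on the right-hand-side symbols of a rule whose action triggers `YYERROR` (see "Freeing Discarded Symbols" in the bison manual), so, assuming this grammar declares a destructor for expr-typed symbols, every such error path has to free `$2`/`$4` by hand as this one now does. Suggested: `/* YYERROR does not run %destructor on rhs symbols; free them here */`. The other alternatives of `common_block` are outside this hunk and may need the same check.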


@ -0,0 +1,75 @@
From 455709effa095c6e986385974a0cf702dad8491c Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 4 Aug 2020 22:12:12 +0200
Subject: segtree: memleaks in interval_map_decompose()
mpz_init_bitmask() overrides the existing memory area:
==19179== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
==19179== at 0x483577F: malloc (vg_replace_malloc.c:299)
==19179== by 0x489C718: xmalloc (utils.c:36)
==19179== by 0x4B825C5: __gmpz_init2 (in /usr/lib/x86_64-linux-g nu/libgmp.so.10.3.2) f
==19179== by 0x4880239: constant_expr_alloc (expression.c:400)
==19179== by 0x489B8A1: interval_map_decompose (segtree.c:1098)
==19179== by 0x489017D: netlink_list_setelems (netlink.c:1220)
==19179== by 0x48779AC: cache_init_objects (rule.c:170) 5
==19179== by 0x48779AC: cache_init (rule.c:228)
==19179== by 0x48779AC: cache_update (rule.c:279)
==19179== by 0x48A21AE: nft_evaluate (libnftables.c:406)
left-hand side of the interval is leaked when building the range:
==25835== 368 (128 direct, 240 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 5
==25835== at 0x483577F: malloc (vg_replace_malloc.c:299)
==25835== by 0x489B628: xmalloc (utils.c:36)
==25835== by 0x489B6F8: xzalloc (utils.c:65)
==25835== by 0x487E176: expr_alloc (expression.c:45)
==25835== by 0x487F960: mapping_expr_alloc (expression.c:1149)
==25835== by 0x488EC84: netlink_delinearize_setelem (netlink.c:1166)
==25835== by 0x4DC6928: nftnl_set_elem_foreach (set_elem.c:725)
==25835== by 0x488F0D5: netlink_list_setelems (netlink.c:1215)
==25835== by 0x487695C: cache_init_objects (rule.c:170)
==25835== by 0x487695C: cache_init (rule.c:228)
==25835== by 0x487695C: cache_update (rule.c:279)
==25835== by 0x48A10BE: nft_evaluate (libnftables.c:406)
==25835== by 0x48A19B6: nft_run_cmd_from_buffer (libnftables.c:451)
==25835== by 0x10A8E1: main (main.c:487)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflict: NA
Reference: http://git.netfilter.org/nftables/commit/?id=455709effa095c6e986385974a0cf702dad8491c
---
src/segtree.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/segtree.c b/src/segtree.c
index a9b4b1bd..3a641bc5 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -925,16 +925,20 @@ void interval_map_decompose(struct expr *set)
i = constant_expr_alloc(&low->location, low->dtype,
low->byteorder, expr_value(low)->len, NULL);
- mpz_init_bitmask(i->value, i->len);
+ mpz_bitmask(i->value, i->len);
if (!mpz_cmp(i->value, expr_value(low)->value)) {
expr_free(i);
i = low;
} else {
- i = range_expr_alloc(&low->location, expr_value(low), i);
+ i = range_expr_alloc(&low->location,
+ expr_clone(expr_value(low)), i);
i = set_elem_expr_alloc(&low->location, i);
if (low->etype == EXPR_MAPPING)
- i = mapping_expr_alloc(&i->location, i, low->right);
+ i = mapping_expr_alloc(&i->location, i,
+ expr_clone(low->right));
+
+ expr_free(low);
}
compound_expr_add(set, i);
--
cgit v1.2.3
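Review bot: The new `expr_free(low)` at the end of the `else` branch is only safe because `&low->location` was passed to `constant_expr_alloc()`, `range_expr_alloc()` and `set_elem_expr_alloc()` above and those allocators store the `struct location` by value (as `expr_alloc()` in expression.c appears to); if any of them kept the pointer, `i->location` would now dangle. That assumption is not stated anywhere, so I would add `/* low's location has been copied into i by value; low is no longer referenced */` before the free. The two branches are now consistent in consuming `low` (the `if` branch takes it over as `i`, the `else` branch clones what it needs and frees it), which is worth saying in a comment too. The loop body continues outside the hunk, so please confirm `low` is not read again after this point.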


@ -1,6 +1,6 @@
Name: nftables
Version: 0.9.6
Release: 2
Release: 3
Epoch: 1
Summary: A subsystem of the Linux kernel processing network data
License: GPLv2
@ -9,6 +9,14 @@ Source0: http://ftp.netfilter.org/pub/nftables/nftables-%{version}.tar.bz
Source1: nftables.service
Source2: nftables.conf
Patch6000: backport-parser_bison-memleak-symbol-redefinition.patch
Patch6001: backport-segtree-memleaks-in-interval_map_decompose.patch
Patch6002: backport-json-Combining-terse-with-json-has-no-effect.patch
Patch6003: backport-evaluate-Reject-quoted-strings-containing-only-wildcard.patch
Patch6004: backport-Solves-Bug-1462-nft-j-list-set-does-not-show-counters.patch
Patch6005: backport-json-Fix-memleak-in-set_dtype_json.patch
Patch6006: backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch
BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
BuildRequires: iptables-devel jansson-devel python3-devel
Requires: %{name}-help
@ -35,13 +43,16 @@ Requires: %{name} = %{epoch}:%{version}-%{release}
The nftables python module providing an interface to libnftables via ctypes.
%prep
%autosetup -n %{name}-%{version}
%autosetup -n %{name}-%{version} -p1
%build
%configure --disable-silent-rules --with-xtables --with-json \
--enable-python --with-python-bin=%{__python3}
%make_build
%check
make check
%install
%make_install
%delete_la
@ -95,6 +106,19 @@ install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
%{python3_sitelib}/nftables/
%changelog
* Tue Jul 28 2021 zengwefeng<zwfeng@huawei.com> - 0.9.6-3
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:enable check while building
parser_bison memleak symbol redefinition
segtree memleaks in interval_map_decompose
json Combining terse with json has no effect
evaluate Reject quoted strings containing only wildcard
Solves Bug 1462 nft j list set does not show counters
json Fix memleak in set_dtype_json
mnl reply netlink error message might be larger than MNL_SOCKET_BUFFER_SIZE
* Mon Nov 09 2020 xihaochen <xihaochen@huawei.com> - 0.9.6-2
- Type:requirement
- CVE:NA
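Review bot: The `Patch6002` → `Patch6004` → `Patch6005` order is load-bearing and nothing in the spec says so: all three touch `src/json.c`, and their index lines chain `a9f5000f..5856f9fc`, `5856f9fc..121dfb24`, `121dfb24..a8824d3f`, so `%autosetup -p1` applies them in exactly the order they were committed upstream while the numbering otherwise looks arbitrary (6000/6001 are the oldest commits, 6006 the newest). A comment next to the list, e.g. `# 6002, 6004, 6005 all modify src/json.c and must stay in this order`, would stop a later backport from being slotted in between and failing to apply. The `%check` section runs `make check` unconditionally; whether that exercises the new shell tests added by these patches (which need netlink access) is not visible here and worth confirming in the build log.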