From 79eb9602288ba05a9ecf9435f44a2ffb2e176be5 Mon Sep 17 00:00:00 2001
From: chengyechun
Date: Thu, 15 Dec 2022 10:40:26 +0800
Subject: [PATCH] nftables:Rolled the nftables community patch to 20.03.LTS.sp3
Signed-off-by: huangyu
---
 ...-fix-device-parsing-in-netdev-family.patch | 61 +++++++++
 ...Don-t-parse-string-as-verdict-in-map.patch | 120 ++++++++++++++++++
 nftables.spec | 11 +-
 3 files changed, 191 insertions(+), 1 deletion(-)
 create mode 100644 backport-parser_json-fix-device-parsing-in-netdev-family.patch
 create mode 100644 backport-src-Don-t-parse-string-as-verdict-in-map.patch
diff --git a/backport-parser_json-fix-device-parsing-in-netdev-family.patch b/backport-parser_json-fix-device-parsing-in-netdev-family.patch
new file mode 100644
index 0000000..b891355
--- /dev/null
+++ b/backport-parser_json-fix-device-parsing-in-netdev-family.patch
@@ -0,0 +1,61 @@
+From 8efab5527cbcb15cd9bff462b7549c0d6181c003 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 1 Aug 2022 16:15:08 +0200
+Subject: [PATCH] parser_json: fix device parsing in netdev family
+
+json_unpack() function is not designed to take a pre-allocated buffer.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=8efab5527cbcb15cd9bff462b7549c0d6181c003
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1612
+Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain")
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/parser_json.c | 3 +--
+ tests/shell/testcases/json/netdev | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+ create mode 100755 tests/shell/testcases/json/netdev
+
+diff --git a/src/parser_json.c b/src/parser_json.c
+index 666aa2f..d434839 100644
+--- a/src/parser_json.c
++++ b/src/parser_json.c
+@@ -2746,8 +2746,7 @@ static struct cmd *json_parse_cmd_add_chain(struct json_ctx *ctx, json_t *root,
+ struct handle h = {
+ .table.location = *int_loc,
+ };
+- const char *family = "", *policy = "", *type, *hookstr;
+- const char name[IFNAMSIZ];
++ const char *family = "", *policy = "", *type, *hookstr, *name;
+ struct chain *chain;
+ int prio;
+
+diff --git a/tests/shell/testcases/json/netdev b/tests/shell/testcases/json/netdev
+new file mode 100755
+index 0000000..a16a4f5
+--- /dev/null
++++ b/tests/shell/testcases/json/netdev
+@@ -0,0 +1,19 @@
++#!/bin/bash
++
++ip link add d0 type dummy || {
++ echo "Skipping, no dummy interface available"
++ exit 0
++}
++trap "ip link del d0" EXIT
++
++set -e
++
++$NFT flush ruleset
++$NFT add table inet test
++$NFT add chain inet test c
++
++$NFT flush ruleset
++
++RULESET='{"nftables":[{"flush":{"ruleset":null}},{"add":{"table":{"family":"netdev","name":"test_table"}}},{"add":{"chain":{"family":"netdev","table":"test_table","name":"test_chain","type":"filter","hook":"ingress","prio":0,"dev":"d0","policy":"accept"}}}]}'
++
++$NFT
-j -f - <<< $RULESET
+--
+2.33.0
+
diff --git a/backport-src-Don-t-parse-string-as-verdict-in-map.patch b/backport-src-Don-t-parse-string-as-verdict-in-map.patch
new file mode 100644
index 0000000..c8264ee
--- /dev/null
+++ b/backport-src-Don-t-parse-string-as-verdict-in-map.patch
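Review bot: The consumer of `name` lies outside this hunk, and with `name` now a `const char *` the string it receives is owned by the JSON tree rooted at `root` rather than by the function's stack frame, so whatever stores it into the chain must copy it before the tree is released; the json_unpack() call that fills `name` is also outside the hunk, so this cannot be confirmed here and is worth checking on the 0.9.6 branch. The removed `const char name[IFNAMSIZ]` meant `&name` did not have the `const char **` type that json_unpack()'s `s` conversion writes through, which is presumably the misparse behind the bug report cited in the message. The new tests/shell/testcases/json/netdev only checks that the ruleset loads; listing the chain afterwards and asserting that `d0` appears as its device would pin the behaviour the fix restores. json_parse_cmd_add_chain continues past the end of the inner hunk.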
@@ -0,0 +1,120 @@
+From 9a20f17a7a82ce5ba47047e6c3d2fc921cc1087d Mon Sep 17 00:00:00 2001
+From: Xiao Liang
+Date: Fri, 19 Aug 2022 10:40:23 +0800
+Subject: [PATCH] src: Don't parse string as verdict in map
+
+In verdict map, string values are accidentally treated as verdicts.
+
+For example:
+
+table t {
+ map foo {
+ type ipv4_addr : verdict
+ elements = {
+ 192.168.0.1 : bar
+ }
+ }
+ chain output {
+ type filter hook output priority mangle;
+ ip daddr vmap @foo
+ }
+}
+
+Though "bar" is not a valid verdict (should be "jump bar" or something),
+the string is taken as the element value. Then NFTA_DATA_VALUE is sent
+to the kernel instead of NFTA_DATA_VERDICT. This would be rejected by
+recent kernels. On older ones (e.g. v5.4.x) that don't validate the
+type, a warning can be seen when the rule is hit, because of the
+corrupted verdict value:
+
+[5120263.467627] WARNING: CPU: 12 PID: 303303 at net/netfilter/nf_tables_core.c:229 nft_do_chain+0x394/0x500 [nf_tables]
+
+Indeed, we don't parse verdicts during evaluation, but only chain names,
+which is of type string rather than verdict. For example, "jump $var" is
+a verdict while "$var" is a string.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=9a20f17a7a82ce5ba47047e6c3d2fc921cc1087d
+
+Fixes: c64457cff967 ("src: Allow goto and jump to a variable")
+Signed-off-by: Xiao Liang
+Signed-off-by: Florian Westphal
+---
+ src/datatype.c | 12 ----------
+ src/evaluate.c | 3 ++-
+ tests/shell/testcases/nft-f/0031vmap_string_0 | 21 +++++++++++++++++++
+ 3 files changed, 23 insertions(+), 13 deletions(-)
+ create mode 100755 tests/shell/testcases/nft-f/0031vmap_string_0
+
+diff --git a/src/datatype.c b/src/datatype.c
+index 7267d60..120da6d 100644
+--- a/src/datatype.c
++++ b/src/datatype.c
+@@ -321,23 +321,11 @@ static void verdict_type_print(const struct expr *expr, struct output_ctx *octx)
+ }
+ }
+
+-static struct error_record *verdict_type_parse(struct parse_ctx *ctx,
+- const struct expr *sym,
+- struct expr **res)
+-{
+- *res = constant_expr_alloc(&sym->location, &string_type,
+- BYTEORDER_HOST_ENDIAN,
+- (strlen(sym->identifier) + 1) * BITS_PER_BYTE,
+- sym->identifier);
+- return NULL;
+-}
+-
+ const struct datatype verdict_type = {
+ .type = TYPE_VERDICT,
+ .name = "verdict",
+ .desc = "netfilter verdict",
+ .print = verdict_type_print,
+- .parse = verdict_type_parse,
+ };
+
+ static const struct symbol_table nfproto_tbl = {
+diff --git a/src/evaluate.c b/src/evaluate.c
+index c6332a1..66ba6a4 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -2426,7 +2426,8 @@ static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt)
+ if (stmt->expr->verdict != NFT_CONTINUE)
+ stmt->flags |= STMT_F_TERMINAL;
+ if (stmt->expr->chain != NULL) {
+- if (expr_evaluate(ctx, &stmt->expr->chain) < 0)
++ if (stmt_evaluate_arg(ctx, stmt, &string_type, 0, 0,
++ &stmt->expr->chain) < 0)
+ return -1;
+ if (stmt->expr->chain->etype != EXPR_VALUE) {
+ return expr_error(ctx->msgs, stmt->expr->chain,
+diff --git a/tests/shell/testcases/nft-f/0031vmap_string_0 b/tests/shell/testcases/nft-f/0031vmap_string_0
+new file mode 100755
+index
0000000..2af846a
+--- /dev/null
++++ b/tests/shell/testcases/nft-f/0031vmap_string_0
+@@ -0,0 +1,21 @@
++#!/bin/bash
++
++# Tests parse of corrupted verdicts
++
++set -e
++
++RULESET="
++table ip foo {
++ map bar {
++ type ipv4_addr : verdict
++ elements = {
++ 192.168.0.1 : ber
++ }
++ }
++
++ chain ber {
++ }
++}"
++
++$NFT -f - <<< "$RULESET" && exit 1
++exit 0
+--
+2.33.0
+
diff --git a/nftables.spec b/nftables.spec
index 46c298b..5720070 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 0.9.6
-Release: 4
+Release: 5
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
@@ -18,6 +18,8 @@ Patch6005: backport-json-Fix-memleak-in-set_dtype_json.patch
 Patch6006: backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch
 Patch6007: backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch
 Patch6008: backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch
+Patch6009: backport-parser_json-fix-device-parsing-in-netdev-family.patch
+Patch6010: backport-src-Don-t-parse-string-as-verdict-in-map.patch
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires: iptables-devel jansson-devel python3-devel
@@ -108,6 +110,13 @@ install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
 %{python3_sitelib}/nftables/
 %changelog
+* Thu Dec 15 2022 huangyu - 1:0.9.6-5
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:parser_json fix device parsing in netdev family
+src don't parse string as verdict in map
+
 * Tue Aug 03 2021 gaihuiying - 0.9.6-4
 - Type:bugfix
 - CVE:NA
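Review bot: The backported evaluate.c hunk calls `stmt_evaluate_arg(ctx, stmt, &string_type, 0, 0, &stmt->expr->chain)` with six arguments; a clean textual apply ("Conflict: NA") does not show that the 0.9.6 signature takes the length and byteorder parameters in that position, so this wants a build and a run of the new test on the branch rather than trust in the apply. Dropping `.parse` from `verdict_type` is what turns a bare string in a verdict map into a parse error instead of a NFTA_DATA_VALUE sent where the kernel expects NFTA_DATA_VERDICT, which the message says older kernels without attribute validation accepted as a corrupted verdict; that is the security-relevant part of this backport and the reason both halves of the patch need to stay together. The new 0031vmap_string_0 only asserts that nft exits non-zero, so any failure (including one unrelated to the verdict) passes it; checking for the expected error message, and adding a positive case in which `jump ber` as the element value still loads, would cover the regression risk of removing the parse hook. stmt_evaluate_verdict continues outside the hunk.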