RHEL-121194

Rebase nftables in c10s

    • Story
    • Resolution: Unresolved
    • Normal
    • rhel-10.2
    • CentOS Stream 10, rhel-10.2
    • nftables
    • nftables-1.1.5-3.el10
    • Moderate
    • 2
    • rhel-net-firewall
    • None
    • False
    • False
    • None
    • Yes
    • NST-firewall-25W44-47, NST-firewall-25W48-51
    • Rebase
    • `nftables` rebased to version 1.1.5::
      +
      --
      The `nftables` package has been updated to upstream version 1.1.5.

      Notable enhancements:

      * The memory consumption with sets and maps was reduced.
      * Sets can now depend on specific protocols.
      * The auto-merge feature skips elements with timeout and expiration.
      * You can use the `typeof` keyword with queues.
      * The `nft monitor` command can monitor `flowtable` events.
      * For consistency with other commands, the `nft list sets inet _<set_name>_` command works without the `table` keyword.
      * You can use a range expression to represent a range instead of two comparisons.
      * The Multipath TCP support with symbol table for subtypes was improved.
      * Support for mangling `bitfield` headers was added.
      * Set elements with multi-word descriptions are now displayed in a single line.
      * The layer 4 protocol dependency when listing raw expressions is no longer removed.
      * The JSON output format supports the `typeof` keyword.
      * The bytecode generation for Virtual Local Area Network (VLAN) Priority Code Point (PCP) mangling in `netdev`-family chains was fixed.
      * An issue causing bogus elements in large concatenated set ranges was fixed.
      * A new check result was added to the Forwarding Information Base (FIB) expression to verify routes.
      * The total number of elements is now displayed when listing sets.
      * You can delete maps by using their unique handle.
      * The JSON parser was hardened.

      Notable bug fixes:

      * Error messages for set or map re-declarations with conflicting types were improved.
      * The `optimize` parameter was fixed and improved.
      * Extended error reporting with large set elements was fixed.
      * The incorrect removal of `meta nfproto` settings in listings was fixed.
      * The `get` and `reset` commands with internal sets and maps were fixed.
      * Listings now display the number of set elements.
      * Device names in `basechain` and `flowtable` declarations are correctly quoted.
      * A misleading `No buffer space available` error message was corrected.
      --
    • In Progress
    • Required
    • Required
    • Not Required
    • None

      There are 283 commits (of which 123 carry a Fixes: tag) between v1.1.1 (base version in c10s) and v1.1.5 (current upstream release).

      While at it, backport fixes to v1.1.5 from upstream HEAD as identified by their Fixes: tag:

      7f37f3ca55810 ("parser_bison: remove leftover utf-8 character in error")
      441ff666cb229 ("tools: gitignore nftables.service file")
      ed1b5b672b2ee ("monitor: Quote device names in chain declarations, too")
      419338d96bdb1 ("tests: monitor: Fix regex collecting expected echo output")
      083c532a2e179 ("tests: shell: skip two bitwise tests if multi-register support isn't available")
      6c04d24d16f1d ("monitor: Inform JSON printer when reporting an object delete event")
      3af59817b8d39 ("libnftables: do not re-add default include directory in include search path")
      b9516b0a4dfb6 ("doc: fix tcpdump example")
      b30ad0c25b7b4 ("src: parser_json: fix format string bugs")
      aec699af2a006 ("datatype: Fix boolean type on Big Endian")
      695ee5a8b174f ("optimize: Fix verdict expression comparison")
      4282c50e4986c ("tests: py: any/tcpopt.t.json: Fix JSON equivalent")
      1801480314bf2 ("tests: py: any/ct.t.json.output: Drop leftover entry")
      b028f8ce616bb ("tests: py: inet/osf.t: Fix element ordering in JSON equivalents")
      b39ba950325bb ("tests: shell: fix typo in vmap_timeout test script")
      31007975ccf5a ("build: don't install ancillary files without systemd service file")
      35cd3e7cff079 ("doc: don't suggest to disable GSO")
      454f361434522 ("doc: libnftables-json: Describe RULESET object")
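
The selection step described above (commits newer than the base release whose Fixes: tag points at a commit already contained in that release) can be scripted. The following is an added example, not code from this ticket or from the nftables project; the record format, the function names and the sample commits with placeholder hashes are assumptions constructed for illustration.

```python
import re
import subprocess

# One record per commit: hash, subject, body, separated by 0x1f, ended by NUL.
LOG_FORMAT = "%H%x1f%s%x1f%b%x00"
# Netfilter/kernel convention: Fixes: <abbreviated hash> ("<subject>")
FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-f]{7,40})\b", re.M | re.I)


def parse_log(log_text):
    """Yield (hash, subject, [fixed-commit prefixes]) from LOG_FORMAT output."""
    for record in log_text.split("\x00"):
        record = record.strip("\n")
        if record:
            commit, subject, body = record.split("\x1f", 2)
            yield commit, subject, [f.lower() for f in FIXES_RE.findall(body)]


def backport_candidates(log_text, base_hashes):
    """Commits newer than the base whose Fixes: tag names a commit in the base."""
    picks = []
    for commit, subject, fixed in parse_log(log_text):
        if any(h.startswith(f) for f in fixed for h in base_hashes):
            picks.append((commit[:13], subject))
    return picks


def from_repo(repo, base, head="HEAD"):
    """Run git in `repo`; list candidates in base..head, oldest first."""
    def git(*args):
        return subprocess.run(["git", "-C", repo, *args], check=True,
                              capture_output=True, text=True).stdout
    log = git("log", "--reverse", f"--format={LOG_FORMAT}", f"{base}..{head}")
    return backport_candidates(log, git("rev-list", base).split())


# Constructed sample data (placeholder hashes, not real nftables commits).
BASE_HASHES = ["1" * 40, "2" * 40]        # commits contained in the base tag
SAMPLE_LOG = "".join(
    f"{h}\x1f{subject}\x1f{body}\x00\n" for h, subject, body in [
        ("a" * 40, "parser: fix error text",
         'Fixes: 111111111111 ("parser: add error")\nSigned-off-by: X\n'),
        ("b" * 40, "doc: new feature", "Signed-off-by: X\n"),
        ("c" * 40, "doc: fix new feature",      # fixes a post-base commit
         'Fixes: bbbbbbbbbbbb ("doc: new feature")\n'),
    ])

if __name__ == "__main__":
    for short, subject in backport_candidates(SAMPLE_LOG, BASE_HASHES):
        print(f'{short} ("{subject}")')
```

Against a real checkout, `from_repo(path, "v1.1.5")` produces the same kind of list; a fix whose target was itself introduced after the base tag is skipped because the base never contained the defect.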
      

              psutter@redhat.com Phil Sutter
              psutter@redhat.com Phil Sutter
              Phil Sutter
              Phil Sutter
              Jiri Peska
              Marc Muehlfeld