-rw-r--r-- | packages/netfilter/.gitignore | 4 | ||||
-rw-r--r-- | packages/netfilter/Jenkinsfile | 6 | ||||
-rwxr-xr-x | packages/netfilter/build.py | 55 | ||||
-rw-r--r-- | packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch | 118 |
4 files changed, 178 insertions, 5 deletions
diff --git a/packages/netfilter/.gitignore b/packages/netfilter/.gitignore index 9ee5ff40..8518afb9 100644 --- a/packages/netfilter/.gitignore +++ b/packages/netfilter/.gitignore @@ -1,3 +1,3 @@ -pkg-libnftnl/ -pkg-nftables/ +/pkg-libnftnl/ +/pkg-nftables/ diff --git a/packages/netfilter/Jenkinsfile b/packages/netfilter/Jenkinsfile index 9578180d..45fc6ed8 100644 --- a/packages/netfilter/Jenkinsfile +++ b/packages/netfilter/Jenkinsfile @@ -22,17 +22,17 @@ def pkgList = [ // libnftnl ['name': 'pkg-libnftnl', - 'scmCommit': 'debian/1.2.6-1', + 'scmCommit': 'debian/1.2.6-2', 'scmUrl': 'https://salsa.debian.org/pkg-netfilter-team/pkg-libnftnl.git', 'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; dpkg-buildpackage -uc -us -tc -b'], // nftables ['name': 'pkg-nftables', - 'scmCommit': 'debian/1.0.8-1', + 'scmCommit': 'debian/1.0.9-1', 'scmUrl': 'https://salsa.debian.org/pkg-netfilter-team/pkg-nftables.git', 'buildCmd': '''sudo dpkg -i ../libnftnl*.deb; sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; - dpkg-buildpackage -uc -us -tc -b'''], + ../build.py'''], ] // Start package build using library function from https://github.com/vyos/vyos-build diff --git a/packages/netfilter/build.py b/packages/netfilter/build.py new file mode 100755 index 00000000..2851a679 --- /dev/null +++ b/packages/netfilter/build.py 
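Review bot: The `pkg-nftables` `buildCmd` joins its steps with `;`, so the new `../build.py` runs even when `sudo dpkg -i ../libnftnl*.deb` or `mk-build-deps` has failed. Assuming the string is handed to one shell invocation, the exit status of `../build.py` alone decides whether the step passes. In that case nftables may be built against whatever libnftnl the build image already carries, rather than the one built just before, and the job would not show it. Joining the three commands with `&&`, or starting the string with `set -e;`, would surface the failure.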
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+from pathlib import Path
+from shutil import copy as copy_file
+from subprocess import run
+
+
+# copy patches
+def apply_deb_patches() -> None:
+ """Apply patches to sources directory
+ """
+ package_dir: str = Path.cwd().name
+ current_dir: str = Path.cwd().as_posix()
+ patches_dir = Path(f'../patches/{package_dir}')
+ patches_dir_dst = Path(f'{current_dir}/debian/patches')
+ if not patches_dir_dst.exists():
+ patches_dir_dst.mkdir(parents = True)
+ if patches_dir.exists():
+ patches_list = list(patches_dir.iterdir())
+ patches_list.sort()
+ series_file = Path(f'{patches_dir_dst.as_posix()}/series')
+ if series_file.exists():
+ series_data: str = series_file.read_text()
+ else:
+
+ series_data = ''
+ for patch_file in patches_list:
+ print(f'Applying patch: {patch_file.name}')
+ copy_file(patch_file, f'{patches_dir_dst.as_posix()}')
+ series_data = f'{series_data}\n{patch_file.name}'
+ series_file.write_text(series_data)
+
+
+def build_package() -> bool:
+ """Build a package
+ Returns:
+ bool: build status
+ """
+ build_cmd: list[str] = ['dpkg-buildpackage', '-uc', '-us', '-tc', '-b']
+ build_status: int = run(build_cmd).returncode
+
+ if build_status:
+ return False
+ return True
+
+
+# build a package
+if __name__ == '__main__':
+ apply_deb_patches()
+
+ if not build_package():
+ exit(1)
+
+ exit()
+
diff --git a/packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch b/packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch
new file mode 100644
index 00000000..dd466f1a
--- /dev/null
+++ b/packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch
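Review bot: `apply_deb_patches()` takes every entry from `patches_dir.iterdir()` and always appends its name to `debian/patches/series`, so a stray non-patch file under `../patches/<package>` ends up in the series, a subdirectory makes the copy fail, and a second run in the same checkout lists each patch twice. For a package that ships the firewall tooling, the set of patches should be explicit: build the list with `patches_list = sorted(p for p in patches_dir.glob('*.patch') if p.is_file())` and skip known names with `if patch_file.name in series_data.splitlines(): continue`. The 'Applying patch' message is printed at copy time, while the patch is presumably applied later by the Debian build, so 'Adding patch' would be more accurate. Indentation is lost in this rendering, so it cannot be confirmed here whether `series_file.write_text(series_data)` sits inside the `if patches_dir.exists():` branch.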
@@ -0,0 +1,118 @@ +From d392ddf243dcbf8a34726c777d2c669b1e8bfa85 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Thu, 2 Nov 2023 15:34:13 +0100 +Subject: meta: fix hour decoding when timezone offset is negative + +Brian Davidson says: + + meta hour rules don't display properly after being created when the + hour is on or after 00:00 UTC. The netlink debug looks correct for + seconds past midnight UTC, but displaying the rules looks like an + overflow or a byte order problem. I am in UTC-0400, so today, 20:00 + and later exhibits the problem, while 19:00 and earlier hours are + fine. + +meta.c only ever worked when the delta to UTC is positive. +We need to add in case the second counter turns negative after +offset adjustment. + +Also add a test case for this. + +Fixes: f8f32deda31d ("meta: Introduce new conditions 'time', 'day' and 'hour'") +Reported-by: Brian Davidson <davidson.brian@gmail.com> +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + src/meta.c | 11 ++++- + .../shell/testcases/listing/dumps/meta_time.nodump | 0 + tests/shell/testcases/listing/meta_time | 52 ++++++++++++++++++++++ + 3 files changed, 61 insertions(+), 2 deletions(-) + create mode 100644 tests/shell/testcases/listing/dumps/meta_time.nodump + create mode 100755 tests/shell/testcases/listing/meta_time + +diff --git a/src/meta.c b/src/meta.c +index b578d5e2..7846aefe 100644 +--- a/src/meta.c ++++ b/src/meta.c +@@ -495,9 +495,16 @@ static void hour_type_print(const struct expr *expr, struct output_ctx *octx) + + /* Obtain current tm, so that we can add tm_gmtoff */ + ts = time(NULL); +- if (ts != ((time_t) -1) && localtime_r(&ts, &cur_tm)) +- seconds = (seconds + cur_tm.tm_gmtoff) % SECONDS_PER_DAY; ++ if (ts != ((time_t) -1) && localtime_r(&ts, &cur_tm)) { ++ int32_t adj = seconds + cur_tm.tm_gmtoff; + ++ if (adj < 0) ++ adj += SECONDS_PER_DAY; ++ else if (adj >= SECONDS_PER_DAY) ++ adj -= SECONDS_PER_DAY; ++ ++ seconds = adj; ++ } + minutes = seconds / 60; + 
seconds %= 60; + hours = minutes / 60; +diff --git a/tests/shell/testcases/listing/dumps/meta_time.nodump b/tests/shell/testcases/listing/dumps/meta_time.nodump +new file mode 100644 +index 00000000..e69de29b +diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time +new file mode 100755 +index 00000000..a9761998 +--- /dev/null ++++ b/tests/shell/testcases/listing/meta_time +@@ -0,0 +1,52 @@ ++#!/bin/bash ++ ++set -e ++ ++TMP1=$(mktemp) ++TMP2=$(mktemp) ++ ++cleanup() ++{ ++ rm -f "$TMP1" ++ rm -f "$TMP2" ++} ++ ++check_decode() ++{ ++ TZ=$1 $NFT list chain t c | grep meta > "$TMP2" ++ diff -u "$TMP1" "$TMP2" ++} ++ ++trap cleanup EXIT ++ ++$NFT -f - <<EOF ++table t { ++ chain c { ++ } ++} ++EOF ++ ++for i in $(seq -w 0 23); do ++ TZ=UTC $NFT add rule t c meta hour "$i:00"-"$i:59" ++done ++ ++# Check decoding in UTC, this mirrors 1:1 what should have been added. ++for i in $(seq 0 23); do ++ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1" ++done ++ ++check_decode UTC ++ ++printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 23 0 23 59 > "$TMP1" ++for i in $(seq 0 22); do ++ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1" ++done ++check_decode UTC+1 ++ ++printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 1 0 1 59 > "$TMP1" ++for i in $(seq 2 23); do ++ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1" ++done ++printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 0 59 >> "$TMP1" ++ ++check_decode UTC-1 +-- +cgit v1.2.3 + |