-rw-r--r--packages/netfilter/.gitignore4
-rw-r--r--packages/netfilter/Jenkinsfile6
-rwxr-xr-xpackages/netfilter/build.py55
-rw-r--r--packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch118
4 files changed, 178 insertions, 5 deletions
diff --git a/packages/netfilter/.gitignore b/packages/netfilter/.gitignore
index 9ee5ff40..8518afb9 100644
--- a/packages/netfilter/.gitignore
+++ b/packages/netfilter/.gitignore
@@ -1,3 +1,3 @@
-pkg-libnftnl/
-pkg-nftables/
+/pkg-libnftnl/
+/pkg-nftables/
diff --git a/packages/netfilter/Jenkinsfile b/packages/netfilter/Jenkinsfile
index 9578180d..45fc6ed8 100644
--- a/packages/netfilter/Jenkinsfile
+++ b/packages/netfilter/Jenkinsfile
@@ -22,17 +22,17 @@
def pkgList = [
// libnftnl
['name': 'pkg-libnftnl',
- 'scmCommit': 'debian/1.2.6-1',
+ 'scmCommit': 'debian/1.2.6-2',
'scmUrl': 'https://salsa.debian.org/pkg-netfilter-team/pkg-libnftnl.git',
'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; dpkg-buildpackage -uc -us -tc -b'],
// nftables
['name': 'pkg-nftables',
- 'scmCommit': 'debian/1.0.8-1',
+ 'scmCommit': 'debian/1.0.9-1',
'scmUrl': 'https://salsa.debian.org/pkg-netfilter-team/pkg-nftables.git',
'buildCmd': '''sudo dpkg -i ../libnftnl*.deb;
sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends";
- dpkg-buildpackage -uc -us -tc -b'''],
+ ../build.py'''],
]
// Start package build using library function from https://github.com/vyos/vyos-build
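Review bot: Both bumped `scmCommit` values (`debian/1.2.6-2`, `debian/1.0.9-1`) are ref names rather than commit hashes, so the source that is fetched and then patched by `../build.py` depends on where the remote tag points at build time. If the shared build function accepts a hash, pinning one makes the build reproducible and guarantees the local patch series is always applied to the tree it was reviewed against. Failing that, add a comment such as `// debian/1.0.9-1 == <commit-hash-placeholder>` beside each entry. The `pkgList` consumer lies outside this hunk, so whether it verifies the ref cannot be seen from here.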
diff --git a/packages/netfilter/build.py b/packages/netfilter/build.py
new file mode 100755
index 00000000..2851a679
--- /dev/null
+++ b/packages/netfilter/build.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+from pathlib import Path
+from shutil import copy as copy_file
+from subprocess import run
+
+
+# copy patches
+def apply_deb_patches() -> None:
+ """Apply patches to sources directory
+ """
+ package_dir: str = Path.cwd().name
+ current_dir: str = Path.cwd().as_posix()
+ patches_dir = Path(f'../patches/{package_dir}')
+ patches_dir_dst = Path(f'{current_dir}/debian/patches')
+ if not patches_dir_dst.exists():
+ patches_dir_dst.mkdir(parents = True)
+ if patches_dir.exists():
+ patches_list = list(patches_dir.iterdir())
+ patches_list.sort()
+ series_file = Path(f'{patches_dir_dst.as_posix()}/series')
+ if series_file.exists():
+ series_data: str = series_file.read_text()
+ else:
+
+ series_data = ''
+ for patch_file in patches_list:
+ print(f'Applying patch: {patch_file.name}')
+ copy_file(patch_file, f'{patches_dir_dst.as_posix()}')
+ series_data = f'{series_data}\n{patch_file.name}'
+ series_file.write_text(series_data)
+
+
+def build_package() -> bool:
+ """Build a package
+ Returns:
+ bool: build status
+ """
+ build_cmd: list[str] = ['dpkg-buildpackage', '-uc', '-us', '-tc', '-b']
+ build_status: int = run(build_cmd).returncode
+
+ if build_status:
+ return False
+ return True
+
+
+# build a package
+if __name__ == '__main__':
+ apply_deb_patches()
+
+ if not build_package():
+ exit(1)
+
+ exit()
+
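Review bot: In `apply_deb_patches`, every entry returned by `patches_dir.iterdir()` is copied into `debian/patches` and appended to `series`, with no filter on file type and no check whether the name is already listed. A second run in the same source tree would list each patch twice. A stray subdirectory or non-patch file under `../patches/<package>` would break `copy_file` or end up in the series that quilt applies to a firewall package. Restricting the list to regular `*.patch` files and appending only names that are not yet present keeps the step idempotent and makes it explicit what goes into the build. Indentation is not preserved on this page, so the fence assumes `series_file.write_text` is meant to run once after the loop.

```python
    # … unchanged: package_dir / patches_dir / patches_dir_dst setup and mkdir …
    if patches_dir.exists():
        patches_list = sorted(
            p for p in patches_dir.iterdir()
            if p.is_file() and p.suffix == '.patch'
        )
        series_file = patches_dir_dst / 'series'
        series_lines = series_file.read_text().splitlines() if series_file.exists() else []
        for patch_file in patches_list:
            print(f'Applying patch: {patch_file.name}')
            copy_file(patch_file, patches_dir_dst)
            if patch_file.name not in series_lines:
                series_lines.append(patch_file.name)
        series_file.write_text('\n'.join(series_lines) + '\n')
```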
diff --git a/packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch b/packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch
new file mode 100644
index 00000000..dd466f1a
--- /dev/null
+++ b/packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch
@@ -0,0 +1,118 @@
+From d392ddf243dcbf8a34726c777d2c669b1e8bfa85 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 2 Nov 2023 15:34:13 +0100
+Subject: meta: fix hour decoding when timezone offset is negative
+
+Brian Davidson says:
+
+ meta hour rules don't display properly after being created when the
+ hour is on or after 00:00 UTC. The netlink debug looks correct for
+ seconds past midnight UTC, but displaying the rules looks like an
+ overflow or a byte order problem. I am in UTC-0400, so today, 20:00
+ and later exhibits the problem, while 19:00 and earlier hours are
+ fine.
+
+meta.c only ever worked when the delta to UTC is positive.
+We need to add in case the second counter turns negative after
+offset adjustment.
+
+Also add a test case for this.
+
+Fixes: f8f32deda31d ("meta: Introduce new conditions 'time', 'day' and 'hour'")
+Reported-by: Brian Davidson <davidson.brian@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ src/meta.c | 11 ++++-
+ .../shell/testcases/listing/dumps/meta_time.nodump | 0
+ tests/shell/testcases/listing/meta_time | 52 ++++++++++++++++++++++
+ 3 files changed, 61 insertions(+), 2 deletions(-)
+ create mode 100644 tests/shell/testcases/listing/dumps/meta_time.nodump
+ create mode 100755 tests/shell/testcases/listing/meta_time
+
+diff --git a/src/meta.c b/src/meta.c
+index b578d5e2..7846aefe 100644
+--- a/src/meta.c
++++ b/src/meta.c
+@@ -495,9 +495,16 @@ static void hour_type_print(const struct expr *expr, struct output_ctx *octx)
+
+ /* Obtain current tm, so that we can add tm_gmtoff */
+ ts = time(NULL);
+- if (ts != ((time_t) -1) && localtime_r(&ts, &cur_tm))
+- seconds = (seconds + cur_tm.tm_gmtoff) % SECONDS_PER_DAY;
++ if (ts != ((time_t) -1) && localtime_r(&ts, &cur_tm)) {
++ int32_t adj = seconds + cur_tm.tm_gmtoff;
+
++ if (adj < 0)
++ adj += SECONDS_PER_DAY;
++ else if (adj >= SECONDS_PER_DAY)
++ adj -= SECONDS_PER_DAY;
++
++ seconds = adj;
++ }
+ minutes = seconds / 60;
+ seconds %= 60;
+ hours = minutes / 60;
+diff --git a/tests/shell/testcases/listing/dumps/meta_time.nodump b/tests/shell/testcases/listing/dumps/meta_time.nodump
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time
+new file mode 100755
+index 00000000..a9761998
+--- /dev/null
++++ b/tests/shell/testcases/listing/meta_time
+@@ -0,0 +1,52 @@
++#!/bin/bash
++
++set -e
++
++TMP1=$(mktemp)
++TMP2=$(mktemp)
++
++cleanup()
++{
++ rm -f "$TMP1"
++ rm -f "$TMP2"
++}
++
++check_decode()
++{
++ TZ=$1 $NFT list chain t c | grep meta > "$TMP2"
++ diff -u "$TMP1" "$TMP2"
++}
++
++trap cleanup EXIT
++
++$NFT -f - <<EOF
++table t {
++ chain c {
++ }
++}
++EOF
++
++for i in $(seq -w 0 23); do
++ TZ=UTC $NFT add rule t c meta hour "$i:00"-"$i:59"
++done
++
++# Check decoding in UTC, this mirrors 1:1 what should have been added.
++for i in $(seq 0 23); do
++ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
++done
++
++check_decode UTC
++
++printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 23 0 23 59 > "$TMP1"
++for i in $(seq 0 22); do
++ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
++done
++check_decode UTC+1
++
++printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 1 0 1 59 > "$TMP1"
++for i in $(seq 2 23); do
++ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
++done
++printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 0 59 >> "$TMP1"
++
++check_decode UTC-1
+--
+cgit v1.2.3
+