main/nftables: fix firewalld (and more)
Closes https://gitlab.alpinelinux.org/alpine/aports/-/issues/16316
parent
e9240e6fab
commit
5bb85d05f6
2 changed files with 68 additions and 1 deletions
|
@ -3,7 +3,7 @@
|
|||
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
|
||||
pkgname=nftables
|
||||
pkgver=1.1.0
|
||||
pkgrel=0
|
||||
pkgrel=1
|
||||
pkgdesc="Netfilter tables userspace tools"
|
||||
url="https://netfilter.org/projects/nftables"
|
||||
arch="all"
|
||||
|
@ -36,6 +36,7 @@ source="https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.xz
|
|||
nftables.confd
|
||||
nftables.initd
|
||||
nftables.nft
|
||||
Revert-cache-recycle-existing-cache-with-incremental.patch
|
||||
"
|
||||
options="!check"
|
||||
|
||||
|
@ -90,4 +91,5 @@ sha512sums="
|
|||
5a298ea01df60b434791fea94306d5b14f7ce684329e4122cc78bb52d1c272fcc48b06eaae154fd082c05f7030792fe42e73814caf3c7be3c446bb265fe25642 nftables.confd
|
||||
93a4d3109e3b7d36bcd0901755e1ee4dba3b5555deddc5eecdee2ccbcce15c08f122bf8f1c879c3f696f6a5a13d283536a0ff5e1af82289c3263b6aeb9d116d0 nftables.initd
|
||||
b524c124a11f870ae789d5ad05de8a49d365d6c2cb3cd94c21669c5ae0e453481c671a1700ee6518372b10c491b50c5d81ea59fa941092a9161d1b13be7a13b6 nftables.nft
|
||||
16b777d9608e3778ff92ce51f274df3a6f25fbee6bc718be21aa90524e1291c993c4522c70ae30d90c3631059bf4b43538c23df59899f43e403267a5e7b5c71b Revert-cache-recycle-existing-cache-with-incremental.patch
|
||||
"
|
||||
|
|
|
@ -0,0 +1,65 @@
|
|||
From 93560d0117639c8685fc287128ab06dec9950fbd Mon Sep 17 00:00:00 2001
|
||||
From: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
Date: Wed, 24 Jul 2024 09:38:33 +0200
|
||||
Subject: Revert "cache: recycle existing cache with incremental updates"
|
||||
|
||||
This reverts commit e791dbe109b6dd891a63a4236df5dc29d7a4b863.
|
||||
|
||||
Eric Garver reported two issues:
|
||||
|
||||
- index with rule breaks, because NFT_CACHE_REFRESH is missing.
|
||||
- simple set updates.
|
||||
|
||||
Moreover, the current process could populate the cache with objects for
|
||||
listing commands (no generation ID is bumped), while another process
|
||||
could update the ruleset. Leading to a inconsistent cache due to the
|
||||
genid + 1 check.
|
||||
|
||||
This optimization needs more work and more tests for -i/--interactive,
|
||||
revert it.
|
||||
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
src/cache.c | 18 +++---------------
|
||||
1 file changed, 3 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/src/cache.c b/src/cache.c
|
||||
index 4b797ec7..e88cbae2 100644
|
||||
--- a/src/cache.c
|
||||
+++ b/src/cache.c
|
||||
@@ -1184,21 +1184,9 @@ static bool nft_cache_needs_refresh(struct nft_cache *cache, unsigned int flags)
|
||||
(flags & NFT_CACHE_REFRESH);
|
||||
}
|
||||
|
||||
-static bool nft_cache_is_updated(struct nft_cache *cache, unsigned int flags,
|
||||
- uint16_t genid)
|
||||
+static bool nft_cache_is_updated(struct nft_cache *cache, uint16_t genid)
|
||||
{
|
||||
- if (!genid)
|
||||
- return false;
|
||||
-
|
||||
- if (genid == cache->genid)
|
||||
- return true;
|
||||
-
|
||||
- if (genid == cache->genid + 1) {
|
||||
- cache->genid++;
|
||||
- return true;
|
||||
- }
|
||||
-
|
||||
- return false;
|
||||
+ return genid && genid == cache->genid;
|
||||
}
|
||||
|
||||
bool nft_cache_needs_update(struct nft_cache *cache)
|
||||
@@ -1223,7 +1211,7 @@ replay:
|
||||
genid = mnl_genid_get(&ctx);
|
||||
if (!nft_cache_needs_refresh(cache, flags) &&
|
||||
nft_cache_is_complete(cache, flags) &&
|
||||
- nft_cache_is_updated(cache, flags, genid))
|
||||
+ nft_cache_is_updated(cache, genid))
|
||||
return 0;
|
||||
|
||||
if (cache->genid)
|
||||
--
|
||||
cgit v1.2.3
|
||||
|