diff -Nru nftables-0.9.8/debian/changelog nftables-0.9.8/debian/changelog --- nftables-0.9.8/debian/changelog 2021-02-02 17:25:57.000000000 +0100 +++ nftables-0.9.8/debian/changelog 2021-07-20 10:01:47.000000000 +0200 @@ -1,3 +1,11 @@ +nftables (0.9.8-3ubuntu1) impish; urgency=medium + + * d/p/lp-1936902-payload-check-icmp-dependency-before-removing-previo.patch + Fix a regression in nftables 0.9.8 that made nftables too greedy + in removing icmp dependencies (LP: #1936902). + + -- Christian Ehrhardt Tue, 20 Jul 2021 10:01:47 +0200 + nftables (0.9.8-3) unstable; urgency=medium * [94a6c9b] src:nftables: add docbook-xsl again as build-dep. diff -Nru nftables-0.9.8/debian/control nftables-0.9.8/debian/control --- nftables-0.9.8/debian/control 2021-02-02 17:23:27.000000000 +0100 +++ nftables-0.9.8/debian/control 2021-07-20 10:01:47.000000000 +0200 @@ -1,7 +1,8 @@ Source: nftables Section: net Priority: important -Maintainer: Debian Netfilter Packaging Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Netfilter Packaging Team Uploaders: Arturo Borrero Gonzalez Build-Depends: asciidoc-base, automake, diff -Nru nftables-0.9.8/debian/patches/lp-1936902-payload-check-icmp-dependency-before-removing-previo.patch nftables-0.9.8/debian/patches/lp-1936902-payload-check-icmp-dependency-before-removing-previo.patch --- nftables-0.9.8/debian/patches/lp-1936902-payload-check-icmp-dependency-before-removing-previo.patch 1970-01-01 01:00:00.000000000 +0100 +++ nftables-0.9.8/debian/patches/lp-1936902-payload-check-icmp-dependency-before-removing-previo.patch 2021-07-20 10:00:06.000000000 +0200 
@@ -0,0 +1,125 @@ +From 533565244d88a818d8828ebabd7625e5a8a4c374 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 1 Feb 2021 22:08:54 +0100 +Subject: [PATCH] payload: check icmp dependency before removing previous icmp + expression + +nft is too greedy when removing icmp dependencies. +'icmp code 1 type 2' did remove the type when printing. + +Be more careful and check that the icmp type dependency of the +candidate expression (earlier icmp payload expression) has the same +type dependency as the new expression. + +Reported-by: Eric Garver +Reported-by: Michael Biebl +Tested-by: Eric Garver +Fixes: d0f3b9eaab8d77e ("payload: auto-remove simple icmp/icmpv6 dependency expressions") +Signed-off-by: Florian Westphal + +Origin: upstream, https://git.netfilter.org/nftables/commit/?533565244d88 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1936902 +Last-Update: 2021-07-20 + +--- + src/payload.c | 63 ++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 42 insertions(+), 21 deletions(-) + +diff --git a/src/payload.c b/src/payload.c +index 48529bcf..a77ca550 100644 +--- a/src/payload.c ++++ b/src/payload.c +@@ -627,6 +627,40 @@ void payload_dependency_release(struct payload_dep_ctx *ctx) + ctx->pdep = NULL; + } + ++static uint8_t icmp_dep_to_type(enum icmp_hdr_field_type t) ++{ ++ switch (t) { ++ case PROTO_ICMP_ANY: ++ BUG("Invalid map for simple dependency"); ++ case PROTO_ICMP_ECHO: return ICMP_ECHO; ++ case PROTO_ICMP6_ECHO: return ICMP6_ECHO_REQUEST; ++ case PROTO_ICMP_MTU: return ICMP_DEST_UNREACH; ++ case PROTO_ICMP_ADDRESS: return ICMP_REDIRECT; ++ case PROTO_ICMP6_MTU: return ICMP6_PACKET_TOO_BIG; ++ case PROTO_ICMP6_MGMQ: return MLD_LISTENER_QUERY; ++ case PROTO_ICMP6_PPTR: return ICMP6_PARAM_PROB; ++ } ++ ++ BUG("Missing icmp type mapping"); ++} ++ ++static bool payload_may_dependency_kill_icmp(struct payload_dep_ctx *ctx, struct expr *expr) ++{ ++ const struct expr *dep = ctx->pdep->expr; ++ uint8_t icmp_type; ++ ++ icmp_type = 
expr->payload.tmpl->icmp_dep;
++ if (icmp_type == PROTO_ICMP_ANY)
++ return false;
++
++ if (dep->left->payload.desc != expr->payload.desc)
++ return false;
++
++ icmp_type = icmp_dep_to_type(expr->payload.tmpl->icmp_dep);
++
++ return ctx->icmp_type == icmp_type;
++}
++
+ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
+ unsigned int family, struct expr *expr)
+ {
+@@ -661,6 +695,14 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
+ break;
+ }
+ 
++ if (expr->payload.base == PROTO_BASE_TRANSPORT_HDR &&
++ dep->left->payload.base == PROTO_BASE_TRANSPORT_HDR) {
++ if (dep->left->payload.desc == &proto_icmp)
++ return payload_may_dependency_kill_icmp(ctx, expr);
++ if (dep->left->payload.desc == &proto_icmp6)
++ return payload_may_dependency_kill_icmp(ctx, expr);
++ }
++
+ return true;
+ }
+ 
+@@ -680,10 +722,6 @@ void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+ if (payload_dependency_exists(ctx, expr->payload.base) &&
+ payload_may_dependency_kill(ctx, family, expr))
+ payload_dependency_release(ctx);
+- else if (ctx->icmp_type && ctx->pdep) {
+- fprintf(stderr, "Did not kill \n");
+- payload_dependency_release(ctx);
+- }
+ }
+ 
+ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+@@ -707,23 +745,6 @@ void exthdr_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+ }
+ }
+ 
+-static uint8_t icmp_dep_to_type(enum icmp_hdr_field_type t)
+-{
+- switch (t) {
+- case PROTO_ICMP_ANY:
+- BUG("Invalid map for simple dependency");
+- case PROTO_ICMP_ECHO: return ICMP_ECHO;
+- case PROTO_ICMP6_ECHO: return ICMP6_ECHO_REQUEST;
+- case PROTO_ICMP_MTU: return ICMP_DEST_UNREACH;
+- case PROTO_ICMP_ADDRESS: return ICMP_REDIRECT;
+- case PROTO_ICMP6_MTU: return ICMP6_PACKET_TOO_BIG;
+- case PROTO_ICMP6_MGMQ: return MLD_LISTENER_QUERY;
+- case PROTO_ICMP6_PPTR: return ICMP6_PARAM_PROB;
+- }
+-
+- BUG("Missing icmp type mapping");
+-}
+-
+ /**
+ * payload_expr_complete - fill
in type information of a raw payload expr
+ *
+--
+2.32.0
+
diff -Nru nftables-0.9.8/debian/patches/series nftables-0.9.8/debian/patches/series
--- nftables-0.9.8/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ nftables-0.9.8/debian/patches/series 2021-07-20 10:00:06.000000000 +0200
@@ -0,0 +1 @@
+lp-1936902-payload-check-icmp-dependency-before-removing-previo.patch
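Review bot: In the new `payload_may_dependency_kill_icmp` the single `uint8_t icmp_type` first receives `expr->payload.tmpl->icmp_dep`, an `enum icmp_hdr_field_type` narrowed to a byte and compared against `PROTO_ICMP_ANY`, and is then overwritten with the wire ICMP type from `icmp_dep_to_type()`, so one local carries two unrelated value spaces and the first check reads like a wire-type comparison. Keeping the dependency kind in its own local removes the narrowing and the second read of `tmpl->icmp_dep`: `const enum icmp_hdr_field_type dep_type = expr->payload.tmpl->icmp_dep;` / `if (dep_type == PROTO_ICMP_ANY) return false;` / `icmp_type = icmp_dep_to_type(dep_type);`. In `payload_may_dependency_kill` the two `if (dep->left->payload.desc == &proto_icmp)` / `== &proto_icmp6` branches call the same helper with the same arguments and could be a single condition joined with `||`; that function's body starts and continues outside the hunk. For anyone auditing rulesets on 0.9.8: the commit message says the old greedy kill dropped `type` from `icmp code 1 type 2` when printing, so a ruleset saved from nft's printed output and reloaded would presumably have matched more ICMP traffic than the one originally loaded, and a testsuite case pinning that rule's print round-trip would keep the regression from returning.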