main/nftables: fix firewalld (and more)

Closes alpine/aports#16316

main/nftables: fix firewalld (and more)
5bb85d05 · achill (fossdd) · J0WI · e9240e6f · 5bb85d05 · 5bb85d05
Commit 5bb85d05 authored 8 months ago by achill (fossdd) Committed by J0WI 7 months ago
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=nftables
 pkgver=1.1.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Netfilter tables userspace tools"
 url="https://netfilter.org/projects/nftables"
 arch="all"
@@ -36,6 +36,7 @@ source="https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.xz
 	nftables.confd
 	nftables.initd
 	nftables.nft
+	Revert-cache-recycle-existing-cache-with-incremental.patch
 	"
 options="!check"
@@ -90,4 +91,5 @@ sha512sums="
 5a298ea01df60b434791fea94306d5b14f7ce684329e4122cc78bb52d1c272fcc48b06eaae154fd082c05f7030792fe42e73814caf3c7be3c446bb265fe25642  nftables.confd
 93a4d3109e3b7d36bcd0901755e1ee4dba3b5555deddc5eecdee2ccbcce15c08f122bf8f1c879c3f696f6a5a13d283536a0ff5e1af82289c3263b6aeb9d116d0  nftables.initd
 b524c124a11f870ae789d5ad05de8a49d365d6c2cb3cd94c21669c5ae0e453481c671a1700ee6518372b10c491b50c5d81ea59fa941092a9161d1b13be7a13b6  nftables.nft
+16b777d9608e3778ff92ce51f274df3a6f25fbee6bc718be21aa90524e1291c993c4522c70ae30d90c3631059bf4b43538c23df59899f43e403267a5e7b5c71b  Revert-cache-recycle-existing-cache-with-incremental.patch
 "
--- a/main/nftables/Revert-cache-recycle-existing-cache-with-incremental.patch
+++ b/main/nftables/Revert-cache-recycle-existing-cache-with-incremental.patch
+From 93560d0117639c8685fc287128ab06dec9950fbd Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 24 Jul 2024 09:38:33 +0200
+Subject: Revert "cache: recycle existing cache with incremental updates"
+This reverts commit e791dbe109b6dd891a63a4236df5dc29d7a4b863.
+Eric Garver reported two issues:
+- index with rule breaks, because NFT_CACHE_REFRESH is missing.
+- simple set updates.
+Moreover, the current process could populate the cache with objects for
+listing commands (no generation ID is bumped), while another process
+could update the ruleset. Leading to a inconsistent cache due to the
+genid + 1 check.
+This optimization needs more work and more tests for -i/--interactive,
+revert it.
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/cache.c | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+diff --git a/src/cache.c b/src/cache.c
+index 4b797ec7..e88cbae2 100644
+--- a/src/cache.c
+++ b/src/cache.c
+@@ -1184,21 +1184,9 @@ static bool nft_cache_needs_refresh(struct nft_cache *cache, unsigned int flags)
+ 	       (flags & NFT_CACHE_REFRESH);
+ }
+-static bool nft_cache_is_updated(struct nft_cache *cache, unsigned int flags,
+-				 uint16_t genid)
+static bool nft_cache_is_updated(struct nft_cache *cache, uint16_t genid)
+ {
+-	if (!genid)
+-		return false;
+-
+-	if (genid == cache->genid)
+-		return true;
+-
+-	if (genid == cache->genid + 1) {
+-		cache->genid++;
+-		return true;
+-	}
+-
+-	return false;
+	return genid && genid == cache->genid;
+ }
+ bool nft_cache_needs_update(struct nft_cache *cache)
+@@ -1223,7 +1211,7 @@ replay:
+ 	genid = mnl_genid_get(&ctx);
+ 	if (!nft_cache_needs_refresh(cache, flags) &&
+ 	    nft_cache_is_complete(cache, flags) &&
+-	    nft_cache_is_updated(cache, flags, genid))
+	    nft_cache_is_updated(cache, genid))
+ 		return 0;
+ 	if (cache->genid)
+-- 
+cgit v1.2.3