Update nftables to 1.0.1 (#2153)

This commit is contained in:
rlmenge 2022-02-09 12:15:56 -08:00 committed by GitHub
parent e64a028242
commit 9cb331b1f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 281 additions and 943 deletions


@ -1,32 +0,0 @@
From 4aaee340b00a586b2b745dda3a4b9e9c4c7a7ce6 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 6 Feb 2020 01:21:30 +0100
Subject: [PATCH] tests: json_echo: Fix for Python3
The keys() method returns an object which does not support indexing, so
convert it to a list prior to doing so.
Fixes: a35e3a0cdc63a ("tests: json_echo: convert to py3")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 582f142b1578b6036707242bfe874bcefc002ac2)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/json_echo/run-test.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/json_echo/run-test.py b/tests/json_echo/run-test.py
index a636d5f247702..fa7d69ab75645 100755
--- a/tests/json_echo/run-test.py
+++ b/tests/json_echo/run-test.py
@@ -119,7 +119,7 @@ def get_handle(output, search):
else:
data = item
- k = search.keys()[0]
+ k = list(search.keys())[0]
if not k in data:
continue
--
2.28.0


@ -1,61 +0,0 @@
From a25914f8de7c0047201019c1717638c569b5b96c Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 10 Jan 2020 11:19:42 +0100
Subject: [PATCH] tests: json_echo: Support testing host binaries
Support -H/--host option to use host's libnftables.so.1. Alternatively
users may specify a custom library path via -l/--library option.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 106b1f2b93f82784c18dd5e312bbf88e6c02a5b8)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/json_echo/run-test.py | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/tests/json_echo/run-test.py b/tests/json_echo/run-test.py
index fa7d69ab75645..36a377ac95eec 100755
--- a/tests/json_echo/run-test.py
+++ b/tests/json_echo/run-test.py
@@ -4,6 +4,7 @@ from __future__ import print_function
import sys
import os
import json
+import argparse
TESTS_PATH = os.path.dirname(os.path.abspath(__file__))
sys.path.insert(0, os.path.join(TESTS_PATH, '../../py/'))
@@ -13,12 +14,26 @@ from nftables import Nftables
# Change working directory to repository root
os.chdir(TESTS_PATH + "/../..")
-if not os.path.exists('src/.libs/libnftables.so'):
- print("The nftables library does not exist. "
- "You need to build the project.")
+parser = argparse.ArgumentParser(description='Run JSON echo tests')
+parser.add_argument('-H', '--host', action='store_true',
+ help='Run tests against installed libnftables.so.1')
+parser.add_argument('-l', '--library', default=None,
+ help='Path to libntables.so, overrides --host')
+args = parser.parse_args()
+
+check_lib_path = True
+if args.library is None:
+ if args.host:
+ args.library = 'libnftables.so.1'
+ check_lib_path = False
+ else:
+ args.library = 'src/.libs/libnftables.so.1'
+
+if check_lib_path and not os.path.exists(args.library):
+ print("Library not found at '%s'." % args.library)
sys.exit(1)
-nftables = Nftables(sofile = 'src/.libs/libnftables.so')
+nftables = Nftables(sofile = args.library)
nftables.set_echo_output(True)
# various commands to work with
--
2.28.0


@ -1,57 +0,0 @@
From 7a33b2706595ee23178088bdab80577d8dfabc3a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 10 Jan 2020 11:15:45 +0100
Subject: [PATCH] tests: monitor: Support running individual test cases
Recognize testcase paths on command line and limit testing on those
only.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit eb5034108cdc60341b2d61599077db935b6bbc4f)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/monitor/run-tests.sh | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
index 0478cf60c0dfe..efacdaaab952b 100755
--- a/tests/monitor/run-tests.sh
+++ b/tests/monitor/run-tests.sh
@@ -108,6 +108,7 @@ echo_run_test() {
touch $output_file
}
+testcases=""
while [ -n "$1" ]; do
case "$1" in
-d|--debug)
@@ -118,11 +119,15 @@ while [ -n "$1" ]; do
test_json=true
shift
;;
+ testcases/*.t)
+ testcases+=" $1"
+ shift
+ ;;
*)
echo "unknown option '$1'"
;&
-h|--help)
- echo "Usage: $(basename $0) [-j|--json] [-d|--debug]"
+ echo "Usage: $(basename $0) [-j|--json] [-d|--debug] [testcase ...]"
exit 1
;;
esac
@@ -138,7 +143,7 @@ for variant in $variants; do
run_test=${variant}_run_test
output_append=${variant}_output_append
- for testcase in testcases/*.t; do
+ for testcase in ${testcases:-testcases/*.t}; do
echo "$variant: running tests from file $(basename $testcase)"
# files are like this:
#
--
2.28.0


@ -1,33 +0,0 @@
From 429a2dba91252984c4d75b84cbdb3abc4dbfaac0 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 5 Feb 2020 19:48:53 +0100
Subject: [PATCH] tests: monitor: Support testing host's nft binary
Add support for -H/--host flag to use 'nft' tool from $PATH instead of
the local one.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 15ede6857c8c578ec6211c8b68424183ba1baf1a)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/monitor/run-tests.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
index efacdaaab952b..ffb833a7f86f0 100755
--- a/tests/monitor/run-tests.sh
+++ b/tests/monitor/run-tests.sh
@@ -119,6 +119,10 @@ while [ -n "$1" ]; do
test_json=true
shift
;;
+ -H|--host)
+ nft=nft
+ shift
+ ;;
testcases/*.t)
testcases+=" $1"
shift
--
2.28.0


@ -1,69 +0,0 @@
From 6096c50caaf1322a572efb88d76872bb3bc2242f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 6 Feb 2020 01:36:01 +0100
Subject: [PATCH] tests: py: Support testing host binaries
Support -H/--host option to use host's libnftables.so.1. Alternatively
users may specify a custom library path via -l/--library option.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 5f2746205e50c77295d0f84f8178ee3a1ce15407)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/py/nft-test.py | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 6edca3c6a5a2f..01ee6c980ad4a 100755
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -1357,10 +1357,16 @@ def main():
dest='force_all_family',
help='keep testing all families on error')
+ parser.add_argument('-H', '--host', action='store_true',
+ help='run tests against installed libnftables.so.1')
+
parser.add_argument('-j', '--enable-json', action='store_true',
dest='enable_json',
help='test JSON functionality as well')
+ parser.add_argument('-l', '--library', default=None,
+ help='path to libntables.so.1, overrides --host')
+
parser.add_argument('-s', '--schema', action='store_true',
dest='enable_schema',
help='verify json input/output against schema')
@@ -1388,9 +1394,17 @@ def main():
# Change working directory to repository root
os.chdir(TESTS_PATH + "/../..")
- if not os.path.exists('src/.libs/libnftables.so'):
- print("The nftables library does not exist. "
- "You need to build the project.")
+ check_lib_path = True
+ if args.library is None:
+ if args.host:
+ args.library = 'libnftables.so.1'
+ check_lib_path = False
+ else:
+ args.library = 'src/.libs/libnftables.so.1'
+
+ if check_lib_path and not os.path.exists(args.library):
+ print("The nftables library at '%s' does not exist. "
+ "You need to build the project." % args.library)
return
if args.enable_schema and not args.enable_json:
@@ -1398,7 +1412,7 @@ def main():
return
global nftables
- nftables = Nftables(sofile = 'src/.libs/libnftables.so')
+ nftables = Nftables(sofile = args.library)
test_files = files_ok = run_total = 0
tests = passed = warnings = errors = 0
--
2.28.0


@ -1,37 +0,0 @@
From 0f54c2ba52184db9a3e91f3595cad6b6055340fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?= <snemec@redhat.com>
Date: Wed, 27 Jan 2021 15:02:03 +0100
Subject: [PATCH] tests: monitor: use correct $nft value in EXIT trap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With double quotes, $nft was being expanded to the default value even
in presence of the -H option.
Signed-off-by: Štěpán Němec <snemec@redhat.com>
Helped-by: Tomáš Doležal <todoleza@redhat.com>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 990cbbf75c40b92e6d6dc66721dfbedf33cacf8f)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
tests/monitor/run-tests.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/monitor/run-tests.sh b/tests/monitor/run-tests.sh
index ffb833a7f86f0..c1cacb46fa655 100755
--- a/tests/monitor/run-tests.sh
+++ b/tests/monitor/run-tests.sh
@@ -19,7 +19,7 @@ if [ ! -d $testdir ]; then
echo "Failed to create test directory" >&2
exit 1
fi
-trap "rm -rf $testdir; $nft flush ruleset" EXIT
+trap 'rm -rf $testdir; $nft flush ruleset' EXIT
command_file=$(mktemp -p $testdir)
output_file=$(mktemp -p $testdir)
--
2.28.0


@ -1,67 +0,0 @@
From deb82693c3173f2088ac2a24218085b0b2dc573d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 2 Jan 2020 16:37:31 +0100
Subject: [PATCH] scanner: incorrect error reporting after file inclusion
scanner_pop_buffer() incorrectly sets the current input descriptor. The
state->indesc_idx field actually stores the number of input descriptors
in the stack, decrement it and then update the current input descriptor
accordingly.
Fixes: 60e917fa7cb5 ("src: dynamic input_descriptor allocation")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1383
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 4441c0233cbcb74b08a53720557e76bf0b26c998)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/scanner.l | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/scanner.l b/src/scanner.l
index d32adf4897ae1..25db4d3f24eec 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -664,12 +664,29 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
%%
+static void scanner_push_indesc(struct parser_state *state,
+ struct input_descriptor *indesc)
+{
+ state->indescs[state->indesc_idx] = indesc;
+ state->indesc = state->indescs[state->indesc_idx++];
+}
+
+static void scanner_pop_indesc(struct parser_state *state)
+{
+ state->indesc_idx--;
+
+ if (state->indesc_idx > 0)
+ state->indesc = state->indescs[state->indesc_idx - 1];
+ else
+ state->indesc = NULL;
+}
+
static void scanner_pop_buffer(yyscan_t scanner)
{
struct parser_state *state = yyget_extra(scanner);
yypop_buffer_state(scanner);
- state->indesc = state->indescs[--state->indesc_idx];
+ scanner_pop_indesc(state);
}
static void scanner_push_file(struct nft_ctx *nft, void *scanner,
@@ -690,8 +707,7 @@ static void scanner_push_file(struct nft_ctx *nft, void *scanner,
indesc->name = xstrdup(filename);
init_pos(indesc);
- state->indescs[state->indesc_idx] = indesc;
- state->indesc = state->indescs[state->indesc_idx++];
+ scanner_push_indesc(state, indesc);
list_add_tail(&indesc->list, &state->indesc_list);
}
--
2.28.0


@ -1,111 +0,0 @@
From 1af5611a69b9d7e62018fbcbcadd35f5d8eca050 Mon Sep 17 00:00:00 2001
From: Laurent Fasnacht <fasnacht@protonmail.ch>
Date: Mon, 10 Feb 2020 10:17:21 +0000
Subject: [PATCH] scanner: move the file descriptor to be in the
input_descriptor structure
This prevents a static allocation of file descriptors array, thus allows
more flexibility.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 209c4d901e90e46faa14d1f38cb000f79514b3b2)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/nftables.h | 3 ++-
src/scanner.l | 18 +++++++++---------
2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/include/nftables.h b/include/nftables.h
index 90d331960ef29..07726e4dd5a40 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -122,7 +122,6 @@ struct nft_ctx {
void *scanner;
struct scope *top_scope;
void *json_root;
- FILE *f[MAX_INCLUDE_DEPTH];
};
enum nftables_exit_codes {
@@ -176,6 +175,7 @@ enum input_descriptor_types {
* struct input_descriptor
*
* @location: location, used for include statements
+ * @f: file descriptor
* @type: input descriptor type
* @name: name describing the input
* @union: buffer or file descriptor, depending on type
@@ -186,6 +186,7 @@ enum input_descriptor_types {
*/
struct input_descriptor {
struct list_head list;
+ FILE *f;
struct location location;
enum input_descriptor_types type;
const char *name;
diff --git a/src/scanner.l b/src/scanner.l
index 25db4d3f24eec..d1d1154a8c811 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -690,13 +690,14 @@ static void scanner_pop_buffer(yyscan_t scanner)
}
static void scanner_push_file(struct nft_ctx *nft, void *scanner,
- const char *filename, const struct location *loc)
+ FILE *f, const char *filename,
+ const struct location *loc)
{
struct parser_state *state = yyget_extra(scanner);
struct input_descriptor *indesc;
YY_BUFFER_STATE b;
- b = yy_create_buffer(nft->f[state->indesc_idx], YY_BUF_SIZE, scanner);
+ b = yy_create_buffer(f, YY_BUF_SIZE, scanner);
yypush_buffer_state(b, scanner);
indesc = xzalloc(sizeof(struct input_descriptor));
@@ -705,6 +706,7 @@ static void scanner_push_file(struct nft_ctx *nft, void *scanner,
indesc->location = *loc;
indesc->type = INDESC_FILE;
indesc->name = xstrdup(filename);
+ indesc->f = f;
init_pos(indesc);
scanner_push_indesc(state, indesc);
@@ -730,8 +732,7 @@ static int include_file(struct nft_ctx *nft, void *scanner,
filename, strerror(errno));
goto err;
}
- nft->f[state->indesc_idx] = f;
- scanner_push_file(nft, scanner, filename, loc);
+ scanner_push_file(nft, scanner, f, filename, loc);
return 0;
err:
erec_queue(erec, state->msgs);
@@ -943,6 +944,10 @@ static void input_descriptor_list_destroy(struct parser_state *state)
struct input_descriptor *indesc, *next;
list_for_each_entry_safe(indesc, next, &state->indesc_list, list) {
+ if (indesc->f) {
+ fclose(indesc->f);
+ indesc->f = NULL;
+ }
list_del(&indesc->list);
input_descriptor_destroy(indesc);
}
@@ -954,11 +959,6 @@ void scanner_destroy(struct nft_ctx *nft)
do {
yypop_buffer_state(nft->scanner);
-
- if (nft->f[state->indesc_idx]) {
- fclose(nft->f[state->indesc_idx]);
- nft->f[state->indesc_idx] = NULL;
- }
} while (state->indesc_idx--);
input_descriptor_list_destroy(state);
--
2.28.0


@ -1,61 +0,0 @@
From b580969270c57a7d0b92221a9100d990ab2f3e72 Mon Sep 17 00:00:00 2001
From: Laurent Fasnacht <fasnacht@protonmail.ch>
Date: Mon, 10 Feb 2020 10:17:22 +0000
Subject: [PATCH] scanner: move indesc list append in scanner_push_indesc
Having a single point makes refactoring easier.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 35adaa2741414551ffbc3970cb2dd1704cce1179)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/scanner.l | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/scanner.l b/src/scanner.l
index d1d1154a8c811..4b7ea06261b55 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -669,6 +669,7 @@ static void scanner_push_indesc(struct parser_state *state,
{
state->indescs[state->indesc_idx] = indesc;
state->indesc = state->indescs[state->indesc_idx++];
+ list_add_tail(&indesc->list, &state->indesc_list);
}
static void scanner_pop_indesc(struct parser_state *state)
@@ -710,7 +711,6 @@ static void scanner_push_file(struct nft_ctx *nft, void *scanner,
init_pos(indesc);
scanner_push_indesc(state, indesc);
- list_add_tail(&indesc->list, &state->indesc_list);
}
static int include_file(struct nft_ctx *nft, void *scanner,
@@ -906,16 +906,14 @@ void scanner_push_buffer(void *scanner, const struct input_descriptor *indesc,
const char *buffer)
{
struct parser_state *state = yyget_extra(scanner);
+ struct input_descriptor *new_indesc;
YY_BUFFER_STATE b;
- state->indesc = xzalloc(sizeof(struct input_descriptor));
- state->indescs[state->indesc_idx] = state->indesc;
- state->indesc_idx++;
-
- memcpy(state->indesc, indesc, sizeof(*state->indesc));
- state->indesc->data = buffer;
- state->indesc->name = NULL;
- list_add_tail(&state->indesc->list, &state->indesc_list);
+ new_indesc = xzalloc(sizeof(struct input_descriptor));
+ memcpy(new_indesc, indesc, sizeof(*new_indesc));
+ new_indesc->data = buffer;
+ new_indesc->name = NULL;
+ scanner_push_indesc(state, new_indesc);
b = yy_scan_string(buffer, scanner);
assert(b != NULL);
--
2.28.0


@ -1,63 +0,0 @@
From 75288914c30f4014a85840a153e36ef0a30a5bb4 Mon Sep 17 00:00:00 2001
From: Laurent Fasnacht <fasnacht@protonmail.ch>
Date: Mon, 10 Feb 2020 10:17:24 +0000
Subject: [PATCH] scanner: remove parser_state->indescs static array
This static array is redundant with the indesc_list structure, but
is less flexible.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ad63cde708fd7a79332b09ae4a06b8a4b345aa72)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/parser.h | 1 -
src/scanner.l | 13 +++++++------
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 949284d9466c6..66db92d8d7720 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -15,7 +15,6 @@
struct parser_state {
struct input_descriptor *indesc;
- struct input_descriptor *indescs[MAX_INCLUDE_DEPTH];
unsigned int indesc_idx;
struct list_head indesc_list;
diff --git a/src/scanner.l b/src/scanner.l
index 4b7ea06261b55..998ebff389451 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -667,19 +667,20 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
static void scanner_push_indesc(struct parser_state *state,
struct input_descriptor *indesc)
{
- state->indescs[state->indesc_idx] = indesc;
- state->indesc = state->indescs[state->indesc_idx++];
list_add_tail(&indesc->list, &state->indesc_list);
+ state->indesc = indesc;
+ state->indesc_idx++;
}
static void scanner_pop_indesc(struct parser_state *state)
{
state->indesc_idx--;
-
- if (state->indesc_idx > 0)
- state->indesc = state->indescs[state->indesc_idx - 1];
- else
+ if (!list_empty(&state->indesc_list)) {
+ state->indesc = list_entry(state->indesc->list.prev,
+ struct input_descriptor, list);
+ } else {
state->indesc = NULL;
+ }
}
static void scanner_pop_buffer(yyscan_t scanner)
--
2.28.0


@ -1,114 +0,0 @@
From 0b525f027dea51037ac2d8ddb8e67c365c4f199f Mon Sep 17 00:00:00 2001
From: Laurent Fasnacht <fasnacht@protonmail.ch>
Date: Mon, 10 Feb 2020 05:17:35 -0500
Subject: [PATCH] Inclusion depth was computed incorrectly for glob includes.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 6a28519008b239ac6985f8df46427459f6b5c624)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/nftables.h | 2 ++
src/scanner.l | 20 ++++++++++++++------
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/include/nftables.h b/include/nftables.h
index 07726e4dd5a40..3556728de6f9b 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -176,6 +176,7 @@ enum input_descriptor_types {
*
* @location: location, used for include statements
* @f: file descriptor
+ * @depth: include depth of the descriptor
* @type: input descriptor type
* @name: name describing the input
* @union: buffer or file descriptor, depending on type
@@ -187,6 +188,7 @@ enum input_descriptor_types {
struct input_descriptor {
struct list_head list;
FILE *f;
+ unsigned int depth;
struct location location;
enum input_descriptor_types type;
const char *name;
diff --git a/src/scanner.l b/src/scanner.l
index 998ebff389451..dc20cd3d79d43 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -693,7 +693,8 @@ static void scanner_pop_buffer(yyscan_t scanner)
static void scanner_push_file(struct nft_ctx *nft, void *scanner,
FILE *f, const char *filename,
- const struct location *loc)
+ const struct location *loc,
+ const struct input_descriptor *parent_indesc)
{
struct parser_state *state = yyget_extra(scanner);
struct input_descriptor *indesc;
@@ -709,19 +710,25 @@ static void scanner_push_file(struct nft_ctx *nft, void *scanner,
indesc->type = INDESC_FILE;
indesc->name = xstrdup(filename);
indesc->f = f;
+ if (!parent_indesc) {
+ indesc->depth = 1;
+ } else {
+ indesc->depth = parent_indesc->depth + 1;
+ }
init_pos(indesc);
scanner_push_indesc(state, indesc);
}
static int include_file(struct nft_ctx *nft, void *scanner,
- const char *filename, const struct location *loc)
+ const char *filename, const struct location *loc,
+ const struct input_descriptor *parent_indesc)
{
struct parser_state *state = yyget_extra(scanner);
struct error_record *erec;
FILE *f;
- if (state->indesc_idx == MAX_INCLUDE_DEPTH) {
+ if (parent_indesc && parent_indesc->depth == MAX_INCLUDE_DEPTH) {
erec = error(loc, "Include nested too deeply, max %u levels",
MAX_INCLUDE_DEPTH);
goto err;
@@ -733,7 +740,7 @@ static int include_file(struct nft_ctx *nft, void *scanner,
filename, strerror(errno));
goto err;
}
- scanner_push_file(nft, scanner, f, filename, loc);
+ scanner_push_file(nft, scanner, f, filename, loc, parent_indesc);
return 0;
err:
erec_queue(erec, state->msgs);
@@ -744,6 +751,7 @@ static int include_glob(struct nft_ctx *nft, void *scanner, const char *pattern,
const struct location *loc)
{
struct parser_state *state = yyget_extra(scanner);
+ struct input_descriptor *indesc = state->indesc;
struct error_record *erec = NULL;
bool wildcard = false;
glob_t glob_data;
@@ -804,7 +812,7 @@ static int include_glob(struct nft_ctx *nft, void *scanner, const char *pattern,
if (len == 0 || path[len - 1] == '/')
continue;
- ret = include_file(nft, scanner, path, loc);
+ ret = include_file(nft, scanner, path, loc, indesc);
if (ret != 0)
goto err;
}
@@ -841,7 +849,7 @@ err:
int scanner_read_file(struct nft_ctx *nft, const char *filename,
const struct location *loc)
{
- return include_file(nft, nft->scanner, filename, loc);
+ return include_file(nft, nft->scanner, filename, loc, NULL);
}
static bool search_in_include_path(const char *filename)
--
2.28.0


@ -1,35 +0,0 @@
From abd09a616fa7a0ce9000ced3d33d1ea83567e86e Mon Sep 17 00:00:00 2001
From: Laurent Fasnacht <fasnacht@protonmail.ch>
Date: Mon, 10 Feb 2020 10:17:27 +0000
Subject: [PATCH] scanner: fix indesc_list stack to be in the correct order
This fixes the location displayed in error messages.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 10aaa1130c2a574c8eebb0593651a9ee54db1021)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
src/scanner.l | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/scanner.l b/src/scanner.l
index dc20cd3d79d43..6852c19c4179b 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -667,7 +667,11 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
static void scanner_push_indesc(struct parser_state *state,
struct input_descriptor *indesc)
{
- list_add_tail(&indesc->list, &state->indesc_list);
+ if (!state->indesc)
+ list_add_tail(&indesc->list, &state->indesc_list);
+ else
+ list_add(&indesc->list, &state->indesc->list);
+
state->indesc = indesc;
state->indesc_idx++;
}
--
2.28.0


@ -1,60 +0,0 @@
From 4b0bda894a39df53d4369bab5d9e8799788d6047 Mon Sep 17 00:00:00 2001
From: Laurent Fasnacht <fasnacht@protonmail.ch>
Date: Mon, 10 Feb 2020 10:17:28 +0000
Subject: [PATCH] scanner: remove parser_state->indesc_idx
Now that we have a proper stack implementation, we don't need an
additional counter for the number of buffer state pushed.
Signed-off-by: Laurent Fasnacht <fasnacht@protonmail.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 4a7a152105be6513a096f6a502b6eabe4d9befc3)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/parser.h | 1 -
src/scanner.l | 6 ------
2 files changed, 7 deletions(-)
diff --git a/include/parser.h b/include/parser.h
index 66db92d8d7720..636d1c8810e48 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -15,7 +15,6 @@
struct parser_state {
struct input_descriptor *indesc;
- unsigned int indesc_idx;
struct list_head indesc_list;
struct list_head *msgs;
diff --git a/src/scanner.l b/src/scanner.l
index 6852c19c4179b..b0545a9a63f30 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -673,12 +673,10 @@ static void scanner_push_indesc(struct parser_state *state,
list_add(&indesc->list, &state->indesc->list);
state->indesc = indesc;
- state->indesc_idx++;
}
static void scanner_pop_indesc(struct parser_state *state)
{
- state->indesc_idx--;
if (!list_empty(&state->indesc_list)) {
state->indesc = list_entry(state->indesc->list.prev,
struct input_descriptor, list);
@@ -968,10 +966,6 @@ void scanner_destroy(struct nft_ctx *nft)
{
struct parser_state *state = yyget_extra(nft->scanner);
- do {
- yypop_buffer_state(nft->scanner);
- } while (state->indesc_idx--);
-
input_descriptor_list_destroy(state);
yylex_destroy(nft->scanner);
}
--
2.28.0


@ -1,57 +0,0 @@
From 720cec7b60777c63c5683fb7d24dc442853f2c35 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 13 Feb 2020 13:27:18 +0100
Subject: [PATCH] scanner: use list_is_first() from scanner_pop_indesc()
!list_empty() always stands true since the list is never empty
when calling scanner_pop_indesc().
Check for list_is_first() which actually tells us this is the
initial input file, hence, state->indesc is set to NULL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit f391fdd8e0fbaf3749819cfa0cd9b478f3630a7d)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/list.h | 11 +++++++++++
src/scanner.l | 2 +-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/include/list.h b/include/list.h
index 75d2921240101..9c4da81749ded 100644
--- a/include/list.h
+++ b/include/list.h
@@ -33,6 +33,17 @@ static inline void init_list_head(struct list_head *list)
list->prev = list;
}
+/**
+ * list_is_first -- tests whether @list is the first entry in list @head
+ * @list: the entry to test
+ * @head: the head of the list
+ */
+static inline int list_is_first(const struct list_head *list,
+ const struct list_head *head)
+{
+ return list->prev == head;
+}
+
/*
* Insert a new entry between two known consecutive entries.
*
diff --git a/src/scanner.l b/src/scanner.l
index b0545a9a63f30..d4d816fe66972 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -677,7 +677,7 @@ static void scanner_push_indesc(struct parser_state *state,
static void scanner_pop_indesc(struct parser_state *state)
{
- if (!list_empty(&state->indesc_list)) {
+ if (!list_is_first(&state->indesc->list, &state->indesc_list)) {
state->indesc = list_entry(state->indesc->list.prev,
struct input_descriptor, list);
} else {
--
2.28.0

64
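--- /dev/null
+++ b/SPECS/nftables/main.nft
@@ -0,0 +1,64 @@
+# Sample configuration for nftables service.
+# Load this by calling 'nft -f /etc/nftables/main.nft'.
+# Note about base chain priorities:
+# The priority values used in these sample configs are
+# offset by 20 in order to avoid ambiguity when firewalld
+# is also running which uses an offset of 10. This means
+# that packets will traverse firewalld first and if not
+# dropped/rejected there will hit the chains defined here.
+# Chains created by iptables, ebtables and arptables tools
+# do not use an offset, so those chains are traversed first
+# in any case.
+# drop any existing nftables ruleset
+flush ruleset
+# a common table for both IPv4 and IPv6
+table inet nftables_svc {
+# protocols to allow
+set allowed_protocols {
+type inet_proto
+elements = { icmp, icmpv6 }
+}
+# interfaces to accept any traffic on
+set allowed_interfaces {
+type ifname
+elements = { "lo" }
+}
+# services to allow
+set allowed_tcp_dports {
+type inet_service
+elements = { ssh, 9090 }
+}
+# this chain gathers all accept conditions
+chain allow {
+ct state established,related accept
+meta l4proto @allowed_protocols accept
+iifname @allowed_interfaces accept
+tcp dport @allowed_tcp_dports accept
+}
+# base-chain for traffic to this host
+chain INPUT {
+type filter hook input priority filter + 20
+policy accept
+jump allow
+reject with icmpx type port-unreachable
+}
+}
+# By default, any forwarding traffic is allowed.
+# Uncomment the following line to filter it based
+# on the same criteria as input traffic.
+#include "/etc/nftables/router.nft"
+# Uncomment the following line to enable masquerading of
+# forwarded traffic. May be used with or without router.nft.
+#include "/etc/nftables/nat.nft"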
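Review bot: The `INPUT` base chain declares `policy accept` but closes with an unconditional `reject with icmpx type port-unreachable`, so the chain policy is only ever reached if that final rule is removed or fails to load, and none of the file's comments say so. A comment above the policy line would make the intent explicit, e.g. `# policy is a fallback only: anything not accepted via 'allow' hits the final reject below`. The `allowed_protocols` set also admits every icmp and icmpv6 type; presumably that is to keep IPv6 neighbour discovery and path-MTU signalling working, and a one-line comment stating that would stop a later maintainer from narrowing it blindly — confirm the intent. The sample `allowed_tcp_dports` entries (`ssh, 9090`) are host-specific defaults and deserve a note that they are meant to be edited per deployment.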

30
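--- /dev/null
+++ b/SPECS/nftables/nat.nft
@@ -0,0 +1,30 @@
+# Sample configuration snippet for nftables service.
+# Meant to be included by main.nft, not for direct use.
+# dedicated table for IPv4
+table ip nftables_svc {
+# interfaces to masquerade traffic from
+set masq_interfaces {
+type ifname
+elements = { "virbr0" }
+}
+# networks to masquerade traffic from
+# 'interval' flag is required to support subnets
+set masq_ips {
+type ipv4_addr
+flags interval
+elements = { 192.168.122.0/24 }
+}
+# base-chain to manipulate conntrack in postrouting,
+# will see packets for new or related traffic only
+chain POSTROUTING {
+type nat hook postrouting priority srcnat + 20
+policy accept
+iifname @masq_interfaces oifname != @masq_interfaces masquerade
+ip saddr @masq_ips masquerade
+}
+}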
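Review bot: The `ip saddr @masq_ips masquerade` rule in `POSTROUTING` carries no output-interface condition, unlike the `iifname @masq_interfaces oifname != @masq_interfaces` rule directly above it, so any IPv4 packet sourced from the `masq_ips` networks is masqueraded whichever interface it leaves on. If that asymmetry is intended it should be documented, e.g. `# masquerade by source network on every output interface, not only off the masq interfaces`; otherwise append `oifname != @masq_interfaces` to that rule so both rules agree. The set contents (`"virbr0"`, `192.168.122.0/24`) are environment-specific sample values, and a comment saying they must be adjusted before the snippet is included from main.nft would help.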


@ -0,0 +1,28 @@
From 3847fccf004525ceb97db6fbc681835b0ac9a61a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 22 Nov 2021 18:01:52 +0100
Subject: cli: remove #include <editline/history.h>
This header is not required to compile nftables with editline, remove
it, this unbreak compilation in several distros which have no symlink
from history.h to editline.h
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/cli.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/cli.c b/src/cli.c
index 4845e5cf..87291766 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -26,7 +26,6 @@
#include <readline/history.h>
#elif defined(HAVE_LIBEDIT)
#include <editline/readline.h>
-#include <editline/history.h>
#else
#include <linenoise.h>
#endif
--
cgit v1.2.3


@ -0,0 +1,100 @@
From 8492878961248b4b53fa97383c7c1b15d7062947 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 18 Nov 2021 17:25:36 +0100
Subject: cache: do not skip populating anonymous set with -t
--terse does not apply to anonymous set, add a NFT_CACHE_TERSE bit
to skip named sets only.
Moreover, prioritize specific listing filter over --terse to avoid a
bogus:
netlink: Error: Unknown set '__set0' in lookup expression
when invoking:
# nft -ta list set inet filter example
Extend existing test to improve coverage.
Fixes: 9628d52e46ac ("cache: disable NFT_CACHE_SETELEM_BIT on --terse listing only")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/cache.h | 1 +
src/cache.c | 11 +++++++----
tests/shell/testcases/listing/0022terse_0 | 4 ++--
3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/include/cache.h b/include/cache.h
index e5c509e8..3a9a5e81 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -32,6 +32,7 @@ enum cache_level_flags {
NFT_CACHE_CHAIN_BIT |
NFT_CACHE_RULE_BIT,
NFT_CACHE_FULL = __NFT_CACHE_MAX_BIT - 1,
+ NFT_CACHE_TERSE = (1 << 27),
NFT_CACHE_SETELEM_MAYBE = (1 << 28),
NFT_CACHE_REFRESH = (1 << 29),
NFT_CACHE_UPDATE = (1 << 30),
diff --git a/src/cache.c b/src/cache.c
index fe31e3f0..6d20716d 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -215,10 +215,10 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
filter->list.table = cmd->handle.table.name;
filter->list.set = cmd->handle.set.name;
}
- if (nft_output_terse(&nft->output))
- flags |= (NFT_CACHE_FULL & ~NFT_CACHE_SETELEM_BIT);
- else if (filter->list.table && filter->list.set)
+ if (filter->list.table && filter->list.set)
flags |= NFT_CACHE_TABLE | NFT_CACHE_SET | NFT_CACHE_SETELEM;
+ else if (nft_output_terse(&nft->output))
+ flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
else
flags |= NFT_CACHE_FULL;
break;
@@ -234,7 +234,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
break;
case CMD_OBJ_RULESET:
if (nft_output_terse(&nft->output))
- flags |= (NFT_CACHE_FULL & ~NFT_CACHE_SETELEM_BIT);
+ flags |= NFT_CACHE_FULL | NFT_CACHE_TERSE;
else
flags |= NFT_CACHE_FULL;
break;
@@ -830,6 +830,9 @@ static int cache_init_objects(struct netlink_ctx *ctx, unsigned int flags,
list_for_each_entry(set, &table->set_cache.list, cache.list) {
if (cache_filter_find(filter, &set->handle))
continue;
+ if (!set_is_anonymous(set->flags) &&
+ flags & NFT_CACHE_TERSE)
+ continue;
ret = netlink_list_setelems(ctx, &set->handle,
set);
diff --git a/tests/shell/testcases/listing/0022terse_0 b/tests/shell/testcases/listing/0022terse_0
index 14d31875..4841771c 100755
--- a/tests/shell/testcases/listing/0022terse_0
+++ b/tests/shell/testcases/listing/0022terse_0
@@ -9,7 +9,7 @@ RULESET="table inet filter {
chain input {
type filter hook prerouting priority filter; policy accept;
- ip saddr @example drop
+ ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
}
}"
@@ -31,7 +31,7 @@ EXPECTED="table inet filter {
chain input {
type filter hook prerouting priority filter; policy accept;
- ip saddr @example drop
+ ip saddr != { 10.10.10.100, 10.10.10.111 } ip saddr @example drop
}
}"
--
cgit v1.2.3


@ -1,41 +0,0 @@
From c96c7da272e33a34770c4de4e3e50f7ed264672e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 13 May 2020 16:29:51 +0200
Subject: JSON: Improve performance of json_events_cb()
The function tries to insert handles into JSON input for echo option.
Yet there may be nothing to do if the given netlink message doesn't
contain a handle, e.g. if it is an 'add element' command. Calling
seqnum_to_json() is pointless overhead in that case, and if input is
large this overhead is significant. Better wait with that call until
after checking if the message is relevant at all.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Eric Garver <eric@garver.life>
---
src/parser_json.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
Index: nftables-0.9.3/src/parser_json.c
===================================================================
--- nftables-0.9.3.orig/src/parser_json.c
+++ nftables-0.9.3/src/parser_json.c
@@ -3838,12 +3838,15 @@ static uint64_t handle_from_nlmsg(const
}
int json_events_cb(const struct nlmsghdr *nlh, struct netlink_mon_handler *monh)
{
- json_t *tmp, *json = seqnum_to_json(nlh->nlmsg_seq);
uint64_t handle = handle_from_nlmsg(nlh);
+ json_t *tmp, *json;
void *iter;
- /* might be anonymous set, ignore message */
- if (!json || !handle)
+ if (!handle)
+ return MNL_CB_OK;
+
+ json = seqnum_to_json(nlh->nlmsg_seq);
+ if (!json)
return MNL_CB_OK;
tmp = json_object_get(json, "add");


@ -1,17 +1,8 @@
# # Uncomment the include statement here to load the default config sample
# This file will contain your nftables rules and # in /etc/nftables for nftables service.
# is read by the systemd service when restarting
# #include "/etc/nftables/main.nft"
# These provide an iptables like set of filters
# (uncomment to include) # To customize, either edit the samples in /etc/nftables, append further
# include "/etc/nftables/arp-filter.nft" # commands to the end of this file or overwrite it after first service
# include "/etc/nftables/bridge-filter.nft" # start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.
# include "/etc/nftables/inet-filter.nft"
# include "/etc/nftables/ipv4-filter.nft"
# include "/etc/nftables/ipv4-mangle.nft"
# include "/etc/nftables/ipv4-nat.nft"
# include "/etc/nftables/ipv4-raw.nft"
# include "/etc/nftables/ipv6-filter.nft"
# include "/etc/nftables/ipv6-mangle.nft"
# include "/etc/nftables/ipv6-nat.nft"
# include "/etc/nftables/ipv6-raw.nft"


@ -1,7 +1,10 @@
{ {
"Signatures": { "Signatures": {
"nftables-0.9.3.tar.bz2": "956b915ce2a7aeaff123e49006be7a0690a0964e96c062703181a36e2e5edb78", "nftables-1.0.1.tar.bz2": "3ceeba625818e81a0be293e9dd486c3ef799ebd92165270f1e57e9a201efa423",
"nftables.conf": "0f50a7e6957b016cd40ba984548f2d9a7520b76ff3bb171f328c728e85114f6d", "nftables.conf": "9b56e8d1f029b03d85f15f4b308e3d86ee77800d4f622b500de8338b5e2033e9",
"nftables.service": "d47968b6e62e545602b0a18d60abb79a22cd375b09b51e0f629b392ec35e065b" "nftables.service": "d47968b6e62e545602b0a18d60abb79a22cd375b09b51e0f629b392ec35e065b",
"main.nft": "5dfe9fe76d08ed867b9e142e39c9883da07c2c9f4096db8f94113e1925296f22",
"router.nft": "01de1a823f0ff0708b3c7866930706f61a88f9e3a432c8e7421e320f529d347a",
"nat.nft": "5c47011ea82b5dd44a06b6d2a4f3f24aa32608e0c0014050502e95d6898b688d"
} }
} }


@ -1,7 +1,7 @@
Summary: Netfilter Tables userspace utillites Summary: Netfilter Tables userspace utillites
Name: nftables Name: nftables
Version: 0.9.3 Version: 1.0.1
Release: 5%{?dist} Release: 1%{?dist}
License: GPLv2 License: GPLv2
Vendor: Microsoft Corporation Vendor: Microsoft Corporation
Distribution: Mariner Distribution: Mariner
@ -9,22 +9,14 @@ URL: https://netfilter.org/projects/nftables/
Source0: %{url}/files/%{name}-%{version}.tar.bz2 Source0: %{url}/files/%{name}-%{version}.tar.bz2
Source1: nftables.service Source1: nftables.service
Source2: nftables.conf Source2: nftables.conf
# https://bugzilla.redhat.com/show_bug.cgi?id=1834853 Source3: main.nft
Patch0: nftables-fix_json_events.patch Source4: router.nft
Patch1: 0001-tests-json_echo-Fix-for-Python3.patch Source5: nat.nft
Patch2: 0002-tests-json_echo-Support-testing-host-binaries.patch
Patch3: 0003-tests-monitor-Support-running-individual-test-cases.patch # already upstream at https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947
Patch4: 0004-tests-monitor-Support-testing-host-s-nft-binary.patch Patch1: nftables-1.0.1-drop-historyh.patch
Patch5: 0005-tests-py-Support-testing-host-binaries.patch # already upstream at https://git.netfilter.org/nftables/commit/?id=3847fccf004525ceb97db6fbc681835b0ac9a61a
Patch6: 0006-tests-monitor-use-correct-nft-value-in-EXIT-trap.patch Patch2: nftables-1.0.1-fix-terse.patch
Patch7: 0007-scanner-incorrect-error-reporting-after-file-inclusi.patch
Patch8: 0008-scanner-move-the-file-descriptor-to-be-in-the-input_.patch
Patch9: 0009-scanner-move-indesc-list-append-in-scanner_push_inde.patch
Patch10: 0010-scanner-remove-parser_state-indescs-static-array.patch
Patch11: 0011-Inclusion-depth-was-computed-incorrectly-for-glob-in.patch
Patch12: 0012-scanner-fix-indesc_list-stack-to-be-in-the-correct-o.patch
Patch13: 0013-scanner-remove-parser_state-indesc_idx.patch
Patch14: 0014-scanner-use-list_is_first-from-scanner_pop_indesc.patch
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: bison BuildRequires: bison
@ -33,8 +25,10 @@ BuildRequires: gcc
BuildRequires: gmp-devel BuildRequires: gmp-devel
BuildRequires: iptables-devel BuildRequires: iptables-devel
BuildRequires: jansson-devel BuildRequires: jansson-devel
BuildRequires: libedit-devel
BuildRequires: libmnl-devel BuildRequires: libmnl-devel
BuildRequires: libnftnl-devel BuildRequires: libnftnl-devel
BuildRequires: make
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: readline-devel BuildRequires: readline-devel
BuildRequires: systemd BuildRequires: systemd
@ -66,7 +60,7 @@ The nftables python module provides an interface to libnftables via ctypes.
%build %build
#./autogen.sh #./autogen.sh
%configure --disable-silent-rules --with-xtables --with-json \ %configure --disable-silent-rules --with-xtables --with-json \
--enable-python --with-python-bin=python3 --enable-python --with-python-bin=%{__python3}
%make_build %make_build
%install %install
@ -76,6 +70,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
# Don't ship static lib (for now at least) # Don't ship static lib (for now at least)
rm -f %{buildroot}/%{_libdir}/libnftables.a rm -f %{buildroot}/%{_libdir}/libnftables.a
# drop vendor-provided configs, they are not really useful
rm -f %{buildroot}/%{_datadir}/nftables/*.nft
chmod 644 %{buildroot}/%{_mandir}/man8/nft* chmod 644 %{buildroot}/%{_mandir}/man8/nft*
mkdir -p %{buildroot}/%{_unitdir} mkdir -p %{buildroot}/%{_unitdir}
@ -83,11 +80,14 @@ cp -a %{SOURCE1} %{buildroot}/%{_unitdir}/
mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig
cp -a %{SOURCE2} %{buildroot}/%{_sysconfdir}/sysconfig/ cp -a %{SOURCE2} %{buildroot}/%{_sysconfdir}/sysconfig/
chmod 600 %{buildroot}/%{_sysconfdir}/sysconfig/nftables.conf
mkdir -m 700 -p %{buildroot}/%{_sysconfdir}/nftables
chmod 600 %{buildroot}/%{_sysconfdir}/nftables/*.nft cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
chmod 700 %{buildroot}/%{_sysconfdir}/nftables %{buildroot}/%{_sysconfdir}/nftables/
find %{buildroot}/%{_sysconfdir} \
\( -type d -exec chmod 0700 {} \; \) , \
\( -type f -exec chmod 0600 {} \; \)
# make nftables.py use the real library file name # make nftables.py use the real library file name
# to avoid nftables-devel package dependency # to avoid nftables-devel package dependency
@ -128,6 +128,10 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
%{python3_sitelib}/nftables/ %{python3_sitelib}/nftables/
%changelog %changelog
* Tue Feb 08 2022 Rachel Menge <rachelmenge@microsoft.com> - 1.0.1-1
- CBL-Mariner import from Fedora 36 (license: MIT).
- License verified.
* Fri Jul 16 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.9.3-5 * Fri Jul 16 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.9.3-5
- Initial CBL-Mariner import from Fedora 32 (license: MIT). - Initial CBL-Mariner import from Fedora 32 (license: MIT).
- Dropped the epoch number. - Dropped the epoch number.
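Review bot: The upstream commit ids in the two `# already upstream at` comments appear to be swapped: the comment placed above `Patch1: nftables-1.0.1-drop-historyh.patch` cites 8492878961248b4b53fa97383c7c1b15d7062947, but that id is the header of the fix-terse patch added in this same commit (`From 8492878961248b4b53fa97383c7c1b15d7062947 … Subject: cache: do not skip populating anonymous set with -t`), so 3847fccf004525ceb97db6fbc681835b0ac9a61a presumably belongs above `Patch2: nftables-1.0.1-fix-terse.patch`'s sibling, the history.h patch, rather than above fix-terse. Since these comments are what a maintainer uses to decide when a backport can be dropped on the next rebase, swap the two URLs so each sits directly above the patch it describes. Separately, the new `find %{buildroot}/%{_sysconfdir} … chmod 0700 / 0600` pass tightens every directory and file under the build root's sysconfdir, which is reasonable for rule files that carry addresses and policy, but the modes that survive installation are the ones declared in `%files`, which is outside this hunk; worth confirming those entries carry matching `%attr`/`%config` so the 0600 on `nftables.conf` and the `*.nft` samples is what actually lands on the installed system.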

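--- /dev/null
+++ b/SPECS/nftables/router.nft
@@ -0,0 +1,16 @@
+# Sample configuration snippet for nftables service.
+# Meant to be included by main.nft, not for direct use.
+# a common table for both IPv4 and IPv6
+table inet nftables_svc {
+# base-chain for traffic forwarded by this host
+# re-uses 'allow' chain from main.nft
+chain FORWARD {
+type filter hook forward priority filter + 20
+policy accept
+jump allow
+reject with icmpx type host-unreachable
+}
+}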
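Review bot: The header comment on the `FORWARD` chain should state that the chain is effectively default-reject despite `policy accept`: the unconditional `reject with icmpx type host-unreachable` that follows `jump allow` means any forwarded packet not accepted inside the `allow` chain is rejected, so the `policy accept` line only matters if that reject rule is removed. A one-line addition such as `# forwarded traffic not accepted by 'allow' is rejected below, so 'policy accept' is not the effective default` above `chain FORWARD {` would keep an operator who edits `allow` in main.nft from assuming unmatched forwards pass through. The `allow` chain itself is defined in main.nft, which is not part of this section, so what it accepts cannot be confirmed here.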


@ -14593,8 +14593,8 @@
"type": "other", "type": "other",
"other": { "other": {
"name": "nftables", "name": "nftables",
"version": "0.9.3", "version": "1.0.1",
"downloadUrl": "https://netfilter.org/projects/nftables//files/nftables-0.9.3.tar.bz2" "downloadUrl": "https://netfilter.org/projects/nftables/files/nftables-1.0.1.tar.bz2"
} }
} }
}, },