Merge pull request #501 from nicolas-fort/T6009-T6019

T6009-6019: fix hour decoding when timezone offset is negative; bump libnftnl and nftables version.
2025-10-01 20:28:40 +02:00 · 2024-02-12 16:51:43 +01:00 · 2024-02-12 16:51:43 +01:00 · 2ae9dce6d5
commit 2ae9dce6d5
parent 8c5299e1cf b31f5fe934
4 changed files with 178 additions and 5 deletions
--- a/packages/netfilter/.gitignore
+++ b/packages/netfilter/.gitignore
@ -1,3 +1,3 @@
-pkg-libnftnl/
-pkg-nftables/
+/pkg-libnftnl/
+/pkg-nftables/

--- a/packages/netfilter/Jenkinsfile
+++ b/packages/netfilter/Jenkinsfile
@ -22,17 +22,17 @@
 def pkgList = [
    // libnftnl
    ['name': 'pkg-libnftnl',
-     'scmCommit': 'debian/1.2.6-1',
+     'scmCommit': 'debian/1.2.6-2',
     'scmUrl': 'https://salsa.debian.org/pkg-netfilter-team/pkg-libnftnl.git',
     'buildCmd': 'sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends"; dpkg-buildpackage -uc -us -tc -b'],

    // nftables
    ['name': 'pkg-nftables',
-     'scmCommit': 'debian/1.0.8-1',
+     'scmCommit': 'debian/1.0.9-1',
     'scmUrl': 'https://salsa.debian.org/pkg-netfilter-team/pkg-nftables.git',
     'buildCmd': '''sudo dpkg -i ../libnftnl*.deb;
                    sudo mk-build-deps --install --tool "apt-get --yes --no-install-recommends";
-                    dpkg-buildpackage -uc -us -tc -b'''],
+                    ../build.py'''],
 ]

 // Start package build using library function from https://github.com/vyos/vyos-build
--- a/packages/netfilter/build.py
+++ b/packages/netfilter/build.py
@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+from pathlib import Path
+from shutil import copy as copy_file
+from subprocess import run
+
+
+# copy patches
+def apply_deb_patches() -> None:
+    """Apply patches to sources directory
+    """
+    package_dir: str = Path.cwd().name
+    current_dir: str = Path.cwd().as_posix()
+    patches_dir = Path(f'../patches/{package_dir}')
+    patches_dir_dst = Path(f'{current_dir}/debian/patches')
+    if not patches_dir_dst.exists():
+        patches_dir_dst.mkdir(parents = True)
+    if patches_dir.exists():
+        patches_list = list(patches_dir.iterdir())
+        patches_list.sort()
+        series_file = Path(f'{patches_dir_dst.as_posix()}/series')
+        if series_file.exists():
+            series_data: str = series_file.read_text()
+        else:
+
+            series_data = ''
+        for patch_file in patches_list:
+            print(f'Applying patch: {patch_file.name}')
+            copy_file(patch_file, f'{patches_dir_dst.as_posix()}')
+            series_data = f'{series_data}\n{patch_file.name}'
+        series_file.write_text(series_data)
+
+
+def build_package() -> bool:
+    """Build a package
+    Returns:
+        bool: build status
+    """
+    build_cmd: list[str] = ['dpkg-buildpackage', '-uc', '-us', '-tc', '-b']
+    build_status: int = run(build_cmd).returncode
+
+    if build_status:
+        return False
+    return True
+
+
+# build a package
+if __name__ == '__main__':
+    apply_deb_patches()
+
+    if not build_package():
+        exit(1)
+
+    exit()
+
--- a/packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch
+++ b/packages/netfilter/patches/pkg-nftables/0001-meta-fix-hour-decoding.patch
@ -0,0 +1,118 @@
+From d392ddf243dcbf8a34726c777d2c669b1e8bfa85 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 2 Nov 2023 15:34:13 +0100
+Subject: meta: fix hour decoding when timezone offset is negative
+
+Brian Davidson says:
+
+ meta hour rules don't display properly after being created when the
+ hour is on or after 00:00 UTC. The netlink debug looks correct for
+ seconds past midnight UTC, but displaying the rules looks like an
+ overflow or a byte order problem. I am in UTC-0400, so today, 20:00
+ and later exhibits the problem, while 19:00 and earlier hours are
+ fine.
+
+meta.c only ever worked when the delta to UTC is positive.
+We need to add in case the second counter turns negative after
+offset adjustment.
+
+Also add a test case for this.
+
+Fixes: f8f32deda31d ("meta: Introduce new conditions 'time', 'day' and 'hour'")
+Reported-by: Brian Davidson <davidson.brian@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ src/meta.c                                         | 11 ++++-
+ .../shell/testcases/listing/dumps/meta_time.nodump |  0
+ tests/shell/testcases/listing/meta_time            | 52 ++++++++++++++++++++++
+ 3 files changed, 61 insertions(+), 2 deletions(-)
+ create mode 100644 tests/shell/testcases/listing/dumps/meta_time.nodump
+ create mode 100755 tests/shell/testcases/listing/meta_time
+
+diff --git a/src/meta.c b/src/meta.c
+index b578d5e2..7846aefe 100644
+--- a/src/meta.c
+++ b/src/meta.c
+@@ -495,9 +495,16 @@ static void hour_type_print(const struct expr *expr, struct output_ctx *octx)
+
+ 	/* Obtain current tm, so that we can add tm_gmtoff */
+ 	ts = time(NULL);
+-	if (ts != ((time_t) -1) && localtime_r(&ts, &cur_tm))
+-		seconds = (seconds + cur_tm.tm_gmtoff) % SECONDS_PER_DAY;
+	if (ts != ((time_t) -1) && localtime_r(&ts, &cur_tm)) {
+		int32_t adj = seconds + cur_tm.tm_gmtoff;
+
+		if (adj < 0)
+			adj += SECONDS_PER_DAY;
+		else if (adj >= SECONDS_PER_DAY)
+			adj -= SECONDS_PER_DAY;
+
+		seconds = adj;
+	}
+ 	minutes = seconds / 60;
+ 	seconds %= 60;
+ 	hours = minutes / 60;
+diff --git a/tests/shell/testcases/listing/dumps/meta_time.nodump b/tests/shell/testcases/listing/dumps/meta_time.nodump
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time
+new file mode 100755
+index 00000000..a9761998
+--- /dev/null
+++ b/tests/shell/testcases/listing/meta_time
+@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -e
+
+TMP1=$(mktemp)
+TMP2=$(mktemp)
+
+cleanup()
+{
+	rm -f "$TMP1"
+	rm -f "$TMP2"
+}
+
+check_decode()
+{
+	TZ=$1 $NFT list chain t c | grep meta > "$TMP2"
+	diff -u "$TMP1" "$TMP2"
+}
+
+trap cleanup EXIT
+
+$NFT -f - <<EOF
+table t {
+	chain c {
+	}
+}
+EOF
+
+for i in $(seq -w 0 23); do
+	TZ=UTC $NFT add rule t c meta hour "$i:00"-"$i:59"
+done
+
+# Check decoding in UTC, this mirrors 1:1 what should have been added.
+for i in $(seq 0 23); do
+	printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+
+check_decode UTC
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 23 0 23 59 > "$TMP1"
+for i in $(seq 0 22); do
+	printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+check_decode UTC+1
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 1 0 1 59 > "$TMP1"
+for i in $(seq 2 23); do
+	printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" $i 0 $i 59 >> "$TMP1"
+done
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 0 59 >> "$TMP1"
+
+check_decode UTC-1
+-- 
+cgit v1.2.3
+