From b3d463ceafdc86255aea0b38d32a0dbe72e25651 Mon Sep 17 00:00:00 2001
From: Jeremy Sowden <azazel@debian.org>
Date: Sat, 4 Oct 2025 20:38:07 +0100
Subject: [PATCH] d/patches: add upstream commit to fix rpfilter tests

Closes: #1117505

Signed-off-by: Jeremy Sowden <azazel@debian.org>
---
 debian/patches/Fix-rpfilter-tests.patch | 79 +++++++++++++++++++++++++
 debian/patches/series                   |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 debian/patches/Fix-rpfilter-tests.patch

diff --git a/debian/patches/Fix-rpfilter-tests.patch b/debian/patches/Fix-rpfilter-tests.patch
new file mode 100644
index 000000000000..6e1ac044da84
--- /dev/null
+++ b/debian/patches/Fix-rpfilter-tests.patch
@@ -0,0 +1,79 @@
+Author: Eric Garver <eric@garver.life>
+Last-Update: 2025-06-30
+Applied-upstream: commit:cc1c78b7343dc5f198f76c31c3e6f4934ab0b183
+Description: work around nftables CLI output change in rpfilter tests
+ Since nftables commit f4b646032acf ("fib: allow to check if route exists
+ in maps") the fib match now displays using the "check" keyword.
+ Normalize older nftables versions to the new output and update all the
+ tests.
+
+diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
+index a0771ff4ef14..d0b4b220d4dd 100644
+--- a/src/tests/features/rpfilter.at
++++ b/src/tests/features/rpfilter.at
+@@ -9,7 +9,7 @@ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+     table inet firewalld {
+         chain filter_PREROUTING {
+             icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+-            meta nfproto ipv6 fib saddr . mark . iif oif missing drop
++            meta nfproto ipv6 fib saddr . mark . iif check missing drop
+         }
+     }
+ ])
+@@ -35,7 +35,7 @@ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+     table inet firewalld {
+         chain filter_PREROUTING {
+             icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+-            meta nfproto ipv6 fib saddr . mark oif missing drop
++            meta nfproto ipv6 fib saddr . mark check missing drop
+         }
+     }
+ ])
+@@ -65,7 +65,7 @@ FWD_RELOAD()
+ NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+     table inet firewalld {
+         chain filter_FORWARD {
+-            meta nfproto ipv6 fib saddr . mark . iif oif missing drop
++            meta nfproto ipv6 fib saddr . mark . iif check missing drop
+             ct state established,related accept
+             ct status dnat accept
+             iifname "lo" accept
+@@ -101,7 +101,7 @@ FWD_RELOAD()
+ NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+     table inet firewalld {
+         chain filter_FORWARD {
+-            meta nfproto ipv6 fib saddr . mark oif missing drop
++            meta nfproto ipv6 fib saddr . mark check missing drop
+             ct state established,related accept
+             ct status dnat accept
+             iifname "lo" accept
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index 3f487f5c0a31..07d8482efa42 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -478,6 +478,9 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
+         dnl newer nft replace ICMP reject aliases with code values
+         dnl nftables commit 5fecd2a6ef61 ("src: disentangle ICMP code types")
+         -e ['s/\(icmp\|icmpv6\|icmpx\) code no-route/\1 code 0/g'] dnl
++        dnl nftables commit f4b646032acf ("fib: allow to check if route exists in maps")
++        dnl changed the fib output. Now uses "check" keyword.
++        -e ['s/oif missing/check missing/g'] dnl
+ ])
+ 
+ m4_define([NFT_LIST_RULES_ALWAYS], [
+diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
+index 72e352aa72a7..a6ee2cd74263 100644
+--- a/src/tests/regression/gh258.at
++++ b/src/tests/regression/gh258.at
+@@ -114,7 +114,7 @@ IF_HOST_SUPPORTS_NFT_FIB([
+         table inet firewalld {
+             chain filter_PREROUTING {
+                 icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+-                meta nfproto ipv6 fib saddr . mark . iif oif missing drop
++                meta nfproto ipv6 fib saddr . mark . iif check missing drop
+             }
+         }
+     ])
+-- 
+2.51.0
+
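Review bot: The normalisation imported into `NFT_LIST_RULES_NORMALIZE` in src/tests/functions.at, `-e ['s/oif missing/check missing/g']`, rewrites only the `missing` result, so an expectation that lists a fib rule with the `exists` result would presumably still differ between older and newer nftables. None of the expectations touched here use that form, so this is a limit to document rather than a failing case. These expectations are what confirm the reverse-path-filter drop rule is present in `filter_PREROUTING` and `filter_FORWARD`, so I would record the limit next to the rule, e.g. `dnl only the "missing" result is normalized; extend this if a test lists "oif exists"`. Separately, the DEP-3 header has no bug reference although the commit closes #1117505; adding `Bug-Debian: https://bugs.debian.org/1117505` would tie the patch file to the report. The macro body of `NFT_LIST_RULES_NORMALIZE` starts outside the embedded hunk.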
diff --git a/debian/patches/series b/debian/patches/series
index 8c262ab835c2..56f45b01563d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 Remove-etc-sysconfig-firewalld-support.patch
 Switch-to-python3.patch
+Fix-rpfilter-tests.patch
-- 
2.51.0

