nftables: Update to v1.0.9

Release Notes:
- [1.0.9](https://www.netfilter.org/projects/nftables/files/changes-nftables-1.0.9.txt)
- [1.0.8](https://www.netfilter.org/projects/nftables/files/changes-nftables-1.0.8.txt)

Additional Changes:
- Subpackage python library
- Make stateless

Signed-off-by: Reilly Brogan <reilly@reillybrogan.com>

packages/n/nftables/abi_symbols

@@ -1,6 +1,3 @@
-libnftables.so.1:LIBNFTABLES_1
-libnftables.so.1:LIBNFTABLES_2
-libnftables.so.1:LIBNFTABLES_3
 libnftables.so.1:nft_ctx_add_include_path
 libnftables.so.1:nft_ctx_add_var
 libnftables.so.1:nft_ctx_buffer_error
@@ -12,6 +9,8 @@ libnftables.so.1:nft_ctx_get_dry_run
 libnftables.so.1:nft_ctx_get_error_buffer
 libnftables.so.1:nft_ctx_get_optimize
 libnftables.so.1:nft_ctx_get_output_buffer
+libnftables.so.1:nft_ctx_input_get_flags
+libnftables.so.1:nft_ctx_input_set_flags
 libnftables.so.1:nft_ctx_new
 libnftables.so.1:nft_ctx_output_get_debug
 libnftables.so.1:nft_ctx_output_get_flags

packages/n/nftables/abi_used_symbols

@@ -4,21 +4,28 @@ libc.so.6:__ctype_b_loc
 libc.so.6:__errno_location
 libc.so.6:__fdelt_chk
 libc.so.6:__fprintf_chk
+libc.so.6:__isoc23_fscanf
 libc.so.6:__isoc23_sscanf
 libc.so.6:__isoc23_strtol
-libc.so.6:__isoc99_fscanf
-libc.so.6:__isoc99_sscanf
+libc.so.6:__isoc23_strtoul
+libc.so.6:__isoc23_strtoull
+libc.so.6:__isoc23_strtoumax
 libc.so.6:__libc_start_main
 libc.so.6:__memcpy_chk
+libc.so.6:__memmove_chk
+libc.so.6:__memset_chk
 libc.so.6:__printf_chk
 libc.so.6:__snprintf_chk
 libc.so.6:__sprintf_chk
 libc.so.6:__stack_chk_fail
+libc.so.6:__strcat_chk
+libc.so.6:__strcpy_chk
 libc.so.6:__strncat_chk
 libc.so.6:__vasprintf_chk
 libc.so.6:__vfprintf_chk
 libc.so.6:_exit
 libc.so.6:abort
+libc.so.6:access
 libc.so.6:calloc
 libc.so.6:clearerr
 libc.so.6:closedir
@@ -34,12 +41,11 @@ libc.so.6:fmemopen
 libc.so.6:fopen
 libc.so.6:fopencookie
 libc.so.6:fputc
-libc.so.6:fputs
 libc.so.6:fread
 libc.so.6:free
 libc.so.6:freeaddrinfo
 libc.so.6:fseek
-libc.so.6:fwrite
+libc.so.6:fstat
 libc.so.6:gai_strerror
 libc.so.6:getaddrinfo
 libc.so.6:getenv
@@ -49,27 +55,25 @@ libc.so.6:getgrnam
 libc.so.6:getnameinfo
 libc.so.6:getopt_long
 libc.so.6:getpagesize
-libc.so.6:getprotobyname
-libc.so.6:getprotobynumber
+libc.so.6:getprotobyname_r
+libc.so.6:getprotobynumber_r
 libc.so.6:getpwnam
 libc.so.6:getpwuid
-libc.so.6:getservbyport
+libc.so.6:getservbyport_r
 libc.so.6:getsockopt
 libc.so.6:getuid
 libc.so.6:glob
 libc.so.6:globfree
-libc.so.6:gmtime
+libc.so.6:gmtime_r
+libc.so.6:inet_pton
 libc.so.6:isatty
-libc.so.6:localtime
+libc.so.6:localtime_r
 libc.so.6:malloc
 libc.so.6:memcpy
-libc.so.6:memmove
 libc.so.6:memset
 libc.so.6:opendir
 libc.so.6:optarg
 libc.so.6:optind
-libc.so.6:putchar
-libc.so.6:puts
 libc.so.6:qsort
 libc.so.6:read
 libc.so.6:readdir
@@ -78,15 +82,16 @@ libc.so.6:realloc
 libc.so.6:select
 libc.so.6:sendmsg
 libc.so.6:setsockopt
-libc.so.6:snprintf
 libc.so.6:stat
 libc.so.6:stderr
 libc.so.6:stdin
 libc.so.6:stdout
 libc.so.6:stpcpy
+libc.so.6:strcat
 libc.so.6:strchr
 libc.so.6:strchrnul
 libc.so.6:strcmp
+libc.so.6:strcpy
 libc.so.6:strdup
 libc.so.6:strerror
 libc.so.6:strftime
@@ -95,16 +100,12 @@ libc.so.6:strncmp
 libc.so.6:strncpy
 libc.so.6:strnlen
 libc.so.6:strptime
-libc.so.6:strtok
-libc.so.6:strtol
-libc.so.6:strtoul
+libc.so.6:strtok_r
 libc.so.6:strtoull
-libc.so.6:strtoumax
 libc.so.6:sysconf
 libc.so.6:time
 libc.so.6:timegm
 libgmp.so.10:__gmp_printf
-libgmp.so.10:__gmp_set_memory_functions
 libgmp.so.10:__gmp_vfprintf
 libgmp.so.10:__gmpn_popcount
 libgmp.so.10:__gmpz_add
@@ -229,7 +230,6 @@ libnftnl.so.11:nftnl_chain_list_free
 libnftnl.so.11:nftnl_chain_nlmsg_build_payload
 libnftnl.so.11:nftnl_chain_nlmsg_parse
 libnftnl.so.11:nftnl_chain_set_data
-libnftnl.so.11:nftnl_chain_set_s32
 libnftnl.so.11:nftnl_chain_set_str
 libnftnl.so.11:nftnl_chain_set_u32
 libnftnl.so.11:nftnl_chain_set_u64
@@ -272,7 +272,6 @@ libnftnl.so.11:nftnl_flowtable_list_foreach
 libnftnl.so.11:nftnl_flowtable_list_free
 libnftnl.so.11:nftnl_flowtable_nlmsg_build_payload
 libnftnl.so.11:nftnl_flowtable_nlmsg_parse
-libnftnl.so.11:nftnl_flowtable_set_data
 libnftnl.so.11:nftnl_flowtable_set_str
 libnftnl.so.11:nftnl_flowtable_set_u32
 libnftnl.so.11:nftnl_nlmsg_build_hdr

packages/n/nftables/files/0001-Stateless.patch

@@ -0,0 +1,96 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Reilly Brogan <reilly@reillybrogan.com>
+Date: Sat, 20 Apr 2024 15:44:38 -0500
+Subject: [PATCH] Stateless
+
+---
+ files/osf/Makefile.am |  2 +-
+ src/ct.c              |  9 ++++++++-
+ src/libnftables.c     |  2 ++
+ src/nfnl_osf.c        | 14 +++++++++++++-
+ 4 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/files/osf/Makefile.am b/files/osf/Makefile.am
+index d80196dd..b7f4c8ff 100644
+--- a/files/osf/Makefile.am
++++ b/files/osf/Makefile.am
+@@ -1,2 +1,2 @@
+-pkgsysconfdir = ${sysconfdir}/nftables/osf
++pkgsysconfdir = /usr/share/defaults/etc/nftables/osf
+ dist_pkgsysconf_DATA = pf.os
+diff --git a/src/ct.c b/src/ct.c
+index 1dda799d..48237b82 100644
+--- a/src/ct.c
++++ b/src/ct.c
+@@ -28,10 +28,12 @@
+ #include <datatype.h>
+ #include <ct.h>
+ #include <gmputil.h>
++#include <unistd.h>
+ #include <utils.h>
+ #include <statement.h>
+
+ #define CONNLABEL_CONF	DEFAULT_INCLUDE_PATH "/connlabel.conf"
++#define CONNLABEL_CONF_VENDOR  "/usr/share/defaults/etc/connlabel.conf"
+
+ static const struct symbol_table ct_state_tbl = {
+ 	.base		= BASE_HEXADECIMAL,
+@@ -230,7 +232,12 @@ const struct datatype ct_label_type = {
+
+ void ct_label_table_init(struct nft_ctx *ctx)
+ {
+-	ctx->output.tbl.ct_label = rt_symbol_table_init(CONNLABEL_CONF);
++    if (access(CONNLABEL_CONF, F_OK) == 0) {
++        ctx->output.tbl.ct_label = rt_symbol_table_init(CONNLABEL_CONF);
++	}
++    else {
++        ctx->output.tbl.ct_label = rt_symbol_table_init(CONNLABEL_CONF_VENDOR);
++	}
+ }
+
+ void ct_label_table_exit(struct nft_ctx *ctx)
+diff --git a/src/libnftables.c b/src/libnftables.c
+index 41f54c0c..3fba8286 100644
+--- a/src/libnftables.c
++++ b/src/libnftables.c
+@@ -202,6 +202,8 @@ struct nft_ctx *nft_ctx_new(uint32_t flags)
+
+ 	ctx->state = xzalloc(sizeof(struct parser_state));
+ 	nft_ctx_add_include_path(ctx, DEFAULT_INCLUDE_PATH);
++	// Add the Solus stateless path
++	nft_ctx_add_include_path(ctx, "/usr/share/defaults/etc");
+ 	ctx->parser_max_errors	= 10;
+ 	cache_init(&ctx->cache.table_cache);
+ 	ctx->top_scope = scope_alloc();
+diff --git a/src/nfnl_osf.c b/src/nfnl_osf.c
+index 20a1bfe7..793d3f5b 100644
+--- a/src/nfnl_osf.c
++++ b/src/nfnl_osf.c
+@@ -351,6 +351,7 @@ static int osf_load_line(char *buffer, int len, int del,
+ }
+
+ #define OS_SIGNATURES DEFAULT_INCLUDE_PATH "/nftables/osf/pf.os"
++#define OS_SIGNATURES_VENDOR "/usr/share/defaults/etc/nftables/osf/pf.os"
+
+ int nfnl_osf_load_fingerprints(struct netlink_ctx *ctx, int del)
+ {
+@@ -368,7 +369,18 @@ int nfnl_osf_load_fingerprints(struct netlink_ctx *ctx, int del)
+ 			nft_print(&ctx->nft->output, "Failed to open file '%s'\n",
+ 				  OS_SIGNATURES);
+
+-		return -1;
++		if (ctx->nft->debug_mask & NFT_DEBUG_MNL)
++			nft_print(&ctx->nft->output, "Opening OS Vendor signature file '%s'\n",
++				OS_SIGNATURES_VENDOR);
++		// Try to open the vendor one
++		inf = fopen(OS_SIGNATURES_VENDOR, "r");
++		if (!inf) {
++			if (ctx->nft->debug_mask & NFT_DEBUG_MNL)
++				nft_print(&ctx->nft->output, "Failed to open vendor file '%s'\n",
++					OS_SIGNATURES_VENDOR);
++
++			return -1;
++		}
+ 	}
+
+ 	while (fgets(buf, sizeof(buf), inf)) {

packages/n/nftables/files/nftables.service

@@ -6,7 +6,7 @@ Before=network-pre.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/sbin/nft -f /etc/sysconfig/nftables.conf
+ExecStart=/usr/sbin/nft -f /usr/share/defaults/etc/nftables.conf
 
 [Install]
 WantedBy=multi-user.target

packages/n/nftables/monitoring.yml

@@ -0,0 +1,6 @@
+releases:
+  id: 2082
+  rss: ~
+security:
+  # No known CPE, last checked 2024-04-20
+  cpe: ~

packages/n/nftables/package.yml

@@ -1,10 +1,12 @@
 name       : nftables
-version    : 1.0.7
-release    : 7
+version    : 1.0.9
+release    : 8
 source     :
-    - https://www.netfilter.org/projects/nftables/files/nftables-1.0.7.tar.xz : c12ac941fff9adaedf17367d5ce213789b98a0d314277bc22b3d71e10891f412
+    - https://www.netfilter.org/projects/nftables/files/nftables-1.0.9.tar.xz : a3c304cd9ba061239ee0474f9afb938a9bb99d89b960246f66f0c3a0a85e14cd
 license    : GPL-2.0-only
-component  : security
+component  :
+    - security
+    - ^python-nftables : programming.python
 homepage   : https://www.nftables.org/
 summary    : nftables replaces the popular iptables/ebtables
 description: |
@@ -14,23 +16,34 @@ builddeps  :
     - pkgconfig(libmnl)
     - pkgconfig(libnftnl)
     - pkgconfig(python3)
-    - pkgconfig(xtables)
     - docbook2x
+    - python-build
+    - python-installer
+    - python-wheel
+rundeps    :
+    - ^python-nftables:
+        - nftables
+clang      : yes
+optimize   : thin-lto
 setup      : |
-    %patch -p1 -i $pkgfiles/0001-Replace-distutils-with-setuptools.patch
-    %configure \
-        --disable-static \
-        --with-json \
-        --disable-debug \
-        --with-cli=readline \
-        --with-python-bin=/usr/bin/python3
+    %patch -p1 -i $pkgfiles/0001-Stateless.patch
+    %reconfigure \
+                 --disable-debug \
+                 --disable-python \
+                 --disable-static \
+                 --with-json \
+                 --with-cli=readline
 build      : |
-    # Prevent setuptools from installing an egg
-    sed -i 's/--prefix $(DESTDIR)$(prefix)/--root $(DESTDIR) --prefix $(prefix)/' py/Makefile*
-
     %make
+
+    cd py
+    python3 -m build --wheel --no-isolation
 install    : |
     %make_install
 
-    install -Dm00644 $pkgfiles/nftables.conf $installdir/etc/sysconfig/nftables.conf
+    python3 -m installer --destdir="$installdir" py/dist/*.whl
+
+    install -Dm00644 $pkgfiles/nftables.conf $installdir/usr/share/defaults/etc/nftables.conf
     install -Dm00644 $pkgfiles/nftables.service $installdir/usr/lib/systemd/system/nftables.service
+patterns   :
+    - ^python-nftables : /usr/lib/python*