Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: nftab...@packages.debian.org
Control: affects -1 + src:nftables

There has been a behavior regression reported in nftables when
upgrading from Debian 11 Bullseye to Debian 12 Bookworm.

The change is in how nftables prints the set definitions, with
or without set elements by default.

Some user tools relying on 'nft -j list sets' fail after upgrading
to Debian Bookworm from Debian Bullseye because of the behavior change.

The small upstream fix makes the behavior coherent and predictable for the
set listing action.

There is not much risk in this update:
* The fix patch has been provided directly by upstream
* The fix has been applied to upstream main branch already
* The fix is already in Debian Sid

Find debdiff attached against the current Debian stable package.

See also:
 * https://marc.info/?l=netfilter&m=168704941828372&w=2 (original report)
 * https://bugs.debian.org/1038724 (debian bug)
 * https://git.netfilter.org/nftables/commit/?id=29bed4fa594c3f6e343a8b5669d61e20c7129cca (upstream fix)
diff -Nru nftables-1.0.6/debian/changelog nftables-1.0.6/debian/changelog
--- nftables-1.0.6/debian/changelog     2023-01-29 12:33:00.000000000 +0100
+++ nftables-1.0.6/debian/changelog     2023-06-20 16:55:52.000000000 +0200
@@ -1,3 +1,9 @@
+nftables (1.0.6-2+deb12u1) bookworm; urgency=medium
+
+  * [7edf72e] d/patches: add 0001-debian-bug-1038724.patch (Closes: #1038724)
+
+ -- Arturo Borrero Gonzalez <art...@debian.org>  Tue, 20 Jun 2023 16:55:52 
+0200
+
 nftables (1.0.6-2) unstable; urgency=medium
 
   [ Jeremy Sowden ]
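
Review bot: The new 1.0.6-2+deb12u1 changelog entry names only the patch file and the bug number, so someone reading the stable update cannot tell that command output changes. Consider adding a line saying that "nft list sets" now includes set elements by default and that --terse gives the listing without elements.
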
diff -Nru nftables-1.0.6/debian/patches/0001-debian-bug-1038724.patch 
nftables-1.0.6/debian/patches/0001-debian-bug-1038724.patch
--- nftables-1.0.6/debian/patches/0001-debian-bug-1038724.patch 1970-01-01 
01:00:00.000000000 +0100
+++ nftables-1.0.6/debian/patches/0001-debian-bug-1038724.patch 2023-06-20 
16:55:52.000000000 +0200
@@ -0,0 +1,66 @@
+From 29bed4fa594c3f6e343a8b5669d61e20c7129cca Mon Sep 17 00:00:00 2001
+From: Florian Westphal <f...@strlen.de>
+Date: Sun, 18 Jun 2023 18:39:45 +0200
+Subject: cache: include set elements in "nft set list"
+
+Make "nft list sets" include set elements in listing by default.
+In nftables 1.0.0, "nft list sets" did not include the set elements,
+but with "--json" they were included.
+
+1.0.1 and newer never include them.
+This causes a problem for people updating from 1.0.0 and relying
+on the presence of the set elements.
+
+Change nftables to always include the set elements.
+The "--terse" option is honored to get the "no elements" behaviour.
+
+Fixes: a1a6b0a5c3c4 ("cache: finer grain cache population for list commands")
+Link: https://marc.info/?l=netfilter&m=168704941828372&w=2
+Signed-off-by: Florian Westphal <f...@strlen.de>
+---
+ src/cache.c | 2 ++
+ src/rule.c  | 8 +-------
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/cache.c b/src/cache.c
+index 95adee7f..becfa57f 100644
+--- a/src/cache.c
++++ b/src/cache.c
+@@ -235,6 +235,8 @@ static unsigned int evaluate_cache_list(struct nft_ctx 
*nft, struct cmd *cmd,
+       case CMD_OBJ_SETS:
+       case CMD_OBJ_MAPS:
+               flags |= NFT_CACHE_TABLE | NFT_CACHE_SET;
++              if (!nft_output_terse(&nft->output))
++                      flags |= NFT_CACHE_SETELEM;
+               break;
+       case CMD_OBJ_FLOWTABLE:
+               if (filter &&
+diff --git a/src/rule.c b/src/rule.c
+index 633a5a12..1faa1a27 100644
+--- a/src/rule.c
++++ b/src/rule.c
+@@ -1574,11 +1574,6 @@ static int do_list_table(struct netlink_ctx *ctx, 
struct table *table)
+ 
+ static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd)
+ {
+-      struct print_fmt_options opts = {
+-              .tab            = "\t",
+-              .nl             = "\n",
+-              .stmt_separator = "\n",
+-      };
+       struct table *table;
+       struct set *set;
+ 
+@@ -1601,8 +1596,7 @@ static int do_list_sets(struct netlink_ctx *ctx, struct 
cmd *cmd)
+                       if (cmd->obj == CMD_OBJ_MAPS &&
+                           !map_is_literal(set->flags))
+                               continue;
+-                      set_print_declaration(set, &opts, &ctx->nft->output);
+-                      nft_print(&ctx->nft->output, "%s}%s", opts.tab, 
opts.nl);
++                      set_print(set, &ctx->nft->output);
+               }
+ 
+               nft_print(&ctx->nft->output, "}\n");
+-- 
+cgit v1.2.3
+
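
Review bot: In the src/cache.c part of the embedded patch, the added NFT_CACHE_SETELEM flag sits under both case CMD_OBJ_SETS and case CMD_OBJ_MAPS, and the loop in do_list_sets() in src/rule.c also handles CMD_OBJ_MAPS, yet the commit message and the request text only talk about listing sets. It would help to state in the patch description or the changelog that map listings change in the same way, and that set elements are now fetched into the cache for every listing that is not run with --terse.
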
diff -Nru nftables-1.0.6/debian/patches/series 
nftables-1.0.6/debian/patches/series
--- nftables-1.0.6/debian/patches/series        2023-01-29 12:33:00.000000000 
+0100
+++ nftables-1.0.6/debian/patches/series        2023-06-20 16:55:52.000000000 
+0200
@@ -1 +1,2 @@
+0001-debian-bug-1038724.patch
 invalid-octal-fix.patch
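
Review bot: The new 0001-debian-bug-1038724.patch line is added above invalid-octal-fix.patch, so it is applied before the existing patch. If that order is not deliberate, append it after invalid-octal-fix.patch so the existing patch keeps applying against the same base it had in 1.0.6-2.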
