
Commit 55956a5

systemd: fix unnecessary nftables initialization by backporting upstream (#16994)
1 parent 2b752ec commit 55956a5

3 files changed

Lines changed: 40 additions & 2 deletions

SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec

Lines changed: 4 additions & 1 deletion
@@ -20,7 +20,7 @@ Version: 255
2020
# determine the build information from local checkout
2121
Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
2222
%endif
23-
Release: 28%{?dist}
23+
Release: 29%{?dist}
2424
License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
2525
Vendor: Microsoft Corporation
2626
Distribution: Azure Linux
@@ -98,6 +98,9 @@ popd
9898
/boot/efi/EFI/BOOT/%{grubefiname}
9999

100100
%changelog
101+
* Thu May 28 2026 Nikola Bojanic <nbojanic@microsoft.com> - 255-29
102+
- Bump release to match systemd spec
103+
101104
* Tue Apr 21 2026 Akhila Guruju <v-guakhila@microsoft.com> - 255-28
102105
- Bump release to match systemd spec
103106

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
From 0d7bbcef27b8f435640427ae1f28627e46fe514d Mon Sep 17 00:00:00 2001
2+
From: Topi Miettinen <toiwoton@gmail.com>
3+
Date: Mon, 4 Dec 2023 21:49:12 +0200
4+
Subject: [PATCH] network/networkd-address: don't set up firewall rules here
5+
6+
Don't set up firewall rules when we're just initializing the firewall context
7+
for NFT sets.
8+
9+
Fixes: #30257
10+
(cherry picked from commit 58c6e75f263a1562f5550221af1ec1a9b6046143)
11+
---
12+
src/network/networkd-address.c | 2 +-
13+
1 file changed, 1 insertion(+), 1 deletion(-)
14+
15+
diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
16+
index c1a8cd884a..7071137676 100644
17+
--- a/src/network/networkd-address.c
18+
+++ b/src/network/networkd-address.c
19+
@@ -645,7 +645,7 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
20+
assert(nft_set_context);
21+
22+
if (!address->link->manager->fw_ctx) {
23+
- r = fw_ctx_new(&address->link->manager->fw_ctx);
24+
+ r = fw_ctx_new_full(&address->link->manager->fw_ctx, /* init_tables= */ false);
25+
if (r < 0)
26+
return;
27+
}
28+
--
29+
2.45.4
30+
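Review bot: The replacement call on patch line 24 depends on fw_ctx_new_full() and its init_tables parameter already being present in the 255 source, and this backport touches only src/network/networkd-address.c (1 file changed), so nothing in it supplies that helper. Please confirm the function exists in the 255 base this spec builds, or pull in the upstream commit that introduces it alongside this one. It would also help to state in the PR how the fix was checked, for example that networkd with NFT sets configured no longer sets up firewall rules when the context is first created.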

SPECS/systemd/systemd.spec

Lines changed: 6 additions & 1 deletion
@@ -50,7 +50,7 @@ Version: 255
5050
# determine the build information from local checkout
5151
Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
5252
%endif
53-
Release: 28%{?dist}
53+
Release: 29%{?dist}
5454

5555
# FIXME - hardcode to 'stable' for now as that's what we have in our blobstore
5656
%global stable 1
@@ -152,6 +152,7 @@ Patch0908: ipc-call-0004-core-validate-input-cgroup-path-more-prudently.pat
152152
Patch0909: fix-pcrlock-hyperv-hash-algorithm-ordering.patch
153153
Patch0910: CVE-2026-40226.patch
154154
Patch0911: CVE-2026-40225.patch
155+
Patch0912: networkd-address-skip-firewall-init.patch
155156

156157
%ifarch %{ix86} x86_64 aarch64
157158
%global want_bootloader 1
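Review bot: Patch0912 is added without any note of its origin or lifetime. A one-line comment above it naming upstream commit 58c6e75 and that the fix ships in systemd v256 (as the changelog entry says) would tell whoever rebases past 255 that this patch can be dropped.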
@@ -1237,6 +1238,10 @@ rm -f %{name}.lang
12371238
# %autochangelog. So we need to continue manually maintaining the
12381239
# changelog here.
12391240
%changelog
1241+
* Thu May 28 2026 Nikola Bojanic <nbojanic@microsoft.com> - 255-29
1242+
- Fix unwanted nftables initialization in systemd-networkd by backporting
1243+
upstream commit 58c6e75 from systemd v256 (PR #30318).
1244+
12401245
* Tue Apr 21 2026 Akhila Guruju <v-guakhila@microsoft.com> - 255-28
12411246
- Patch CVE-2026-40226, CVE-2026-40225
12421247
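Review bot: In the new 255-29 entry, "PR #30318" reads like a pull request in this repository, whose own number for this change is #16994. Spell it out as the upstream systemd pull request, and consider giving the full hash 58c6e75f263a1562f5550221af1ec1a9b6046143 as the patch header does, since the 7-character prefix is less durable as a reference.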
