94 lines
2.9 KiB
Diff
94 lines
2.9 KiB
Diff
|
|
m 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <phil@nwl.cc>
|
|
Date: Fri, 17 Aug 2018 15:35:47 +0200
|
|
Subject: xtables: Fix for segfault in iptables-nft
|
|
|
|
Trying to set a chain's policy in an invalid table resulted in a
|
|
segfault. Reproducer was:
|
|
|
|
| # iptables -t broute -P BROUTING ACCEPT
|
|
|
|
Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
|
|
returned NULL for the given table name.
|
|
|
|
For an illustrative error message, set errno to ENXIO in the above case
|
|
and add an appropriate Mesage to nft_strerror().
|
|
|
|
While being at it, improve the error message if an invalid policy was
|
|
given. Before:
|
|
|
|
| # iptables-nft -t filter -P INPUT ACCEPTdf
|
|
| iptables: Incompatible with this kernel.
|
|
|
|
After:
|
|
|
|
| # iptables-nft -t filter -P INPUT ACCEPTdf
|
|
| iptables: Bad policy name. Run `dmesg' for more information.
|
|
|
|
Third unrelated change in this patch: Drop error checking of
|
|
nft_chain_set() in do_commandx(): The function never returns negative,
|
|
so that check never yielded true.
|
|
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
---
|
|
iptables/nft.c | 11 +++++++++--
|
|
iptables/xtables.c | 3 ---
|
|
2 files changed, 9 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/iptables/nft.c b/iptables/nft.c
|
|
index 0b29caeb..dd8469a9 100644
|
|
--- a/iptables/nft.c
|
|
+++ b/iptables/nft.c
|
|
@@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
|
|
struct builtin_chain *_c;
|
|
|
|
_t = nft_table_builtin_find(h, table);
|
|
+ if (!_t) {
|
|
+ errno = ENXIO;
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
/* if this built-in table does not exists, create it */
|
|
- if (_t != NULL)
|
|
- nft_table_builtin_add(h, _t);
|
|
+ nft_table_builtin_add(h, _t);
|
|
|
|
_c = nft_chain_builtin_find(_t, chain);
|
|
if (_c != NULL) {
|
|
@@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
|
|
c = nft_chain_new(h, table, chain, NF_DROP, counters);
|
|
else if (strcmp(policy, "ACCEPT") == 0)
|
|
c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
|
|
+ else
|
|
+ errno = EINVAL;
|
|
|
|
if (c == NULL)
|
|
return 0;
|
|
@@ -2828,6 +2834,7 @@ const char *nft_strerror(int err)
|
|
"Bad rule (does a matching rule exist in that chain?)" },
|
|
{ nft_chain_set, ENOENT, "Bad built-in chain name" },
|
|
{ nft_chain_set, EINVAL, "Bad policy name" },
|
|
+ { nft_chain_set, ENXIO, "Bad table name" },
|
|
{ NULL, ELOOP, "Loop found in table" },
|
|
{ NULL, EPERM, "Permission denied (you must be root)" },
|
|
{ NULL, 0, "Incompatible with this kernel" },
|
|
diff --git a/iptables/xtables.c b/iptables/xtables.c
|
|
index d9050b45..72f65962 100644
|
|
--- a/iptables/xtables.c
|
|
+++ b/iptables/xtables.c
|
|
@@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
|
|
break;
|
|
case CMD_SET_POLICY:
|
|
ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
|
|
- if (ret < 0)
|
|
- xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n",
|
|
- p.policy);
|
|
break;
|
|
default:
|
|
/* We should never reach this... */
|
|
--
|
|
cgit v1.2.1
|
|
|