packages/nftables
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nftables/backport-evaluate-reject-set-in-concatenation.patch
lingsheng 862bf7d69a backport upstream patches 
Signed-off-by: lingsheng <860373352@qq.com>
2024-04-19 09:02:24 +00:00

53 lines
1.4 KiB
Diff
Raw Permalink Blame History

From 4b6a4ad9134fa71277c2ff7f92776e1faeb83000 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 25 Oct 2023 16:00:50 +0200
Subject: [PATCH] evaluate: reject set in concatenation
Consider the following ruleset.
define ext_if = { "eth0", "eth1" }
table ip filter {
chain c {
iifname . tcp dport { $ext_if . 22 } accept
}
}
Attempting to load this ruleset results in:
BUG: invalid expression type 'set' in setnft: netlink.c:304: __netlink_gen_concat_key: Assertion `0' failed.
Aborted (core dumped)
After this patch:
# nft -f ruleset.nft
ruleset.nft:1:17-40: Error: cannot use set in concatenation
define ext_if = { "eth0", "eth1" }
^^^^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1715
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 2196e928..894987df 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1511,6 +1511,12 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
if (list_member_evaluate(ctx, &i) < 0)
return -1;
+
+ if (i->etype == EXPR_SET)
+ return expr_error(ctx->msgs, i,
+ "cannot use %s in concatenation",
+ expr_name(i));
+
flags &= i->flags;
if (!key && i->dtype->type == TYPE_INTEGER) {
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink