diff options
author | Phil Sutter <phil@nwl.cc> | 2018-08-17 15:35:47 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-08-17 16:15:23 +0200 |
commit | 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac (patch) | |
tree | a6bf5852c800e3e9d52f993269ad66fbcb120184 /iptables/nft.c | |
parent | 294f9ef5ee354ff902dfdc091a604f93083c248d (diff) |
xtables: Fix for segfault in iptables-nft
Trying to set a chain's policy in an invalid table resulted in a
segfault. Reproducer was:
| # iptables -t broute -P BROUTING ACCEPT
Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
returned NULL for the given table name.
For an illustrative error message, set errno to ENXIO in the above case
and add an appropriate Mesage to nft_strerror().
While being at it, improve the error message if an invalid policy was
given. Before:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Incompatible with this kernel.
After:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Bad policy name. Run `dmesg' for more information.
Third unrelated change in this patch: Drop error checking of
nft_chain_set() in do_commandx(): The function never returns negative,
so that check never yielded true.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index 0b29caeb..dd8469a9 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h, struct builtin_chain *_c; _t = nft_table_builtin_find(h, table); + if (!_t) { + errno = ENXIO; + return NULL; + } + /* if this built-in table does not exists, create it */ - if (_t != NULL) - nft_table_builtin_add(h, _t); + nft_table_builtin_add(h, _t); _c = nft_chain_builtin_find(_t, chain); if (_c != NULL) { @@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table, c = nft_chain_new(h, table, chain, NF_DROP, counters); else if (strcmp(policy, "ACCEPT") == 0) c = nft_chain_new(h, table, chain, NF_ACCEPT, counters); + else + errno = EINVAL; if (c == NULL) return 0; @@ -2828,6 +2834,7 @@ const char *nft_strerror(int err) "Bad rule (does a matching rule exist in that chain?)" }, { nft_chain_set, ENOENT, "Bad built-in chain name" }, { nft_chain_set, EINVAL, "Bad policy name" }, + { nft_chain_set, ENXIO, "Bad table name" }, { NULL, ELOOP, "Loop found in table" }, { NULL, EPERM, "Permission denied (you must be root)" }, { NULL, 0, "Incompatible with this kernel" }, |