| author | Phil Sutter <phil@nwl.cc> | 2023-12-15 16:30:52 +0100 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2024-03-06 15:40:37 +0100 |
| commit | cdde5a8c5a8734f2d540a0ab52c32d41d4d18127 (patch) | |
| tree | a1641dedae09aa9b6e069d66b4e3212fe3525972 /src/expr/immediate.c | |
| parent | 9da7658c6e25b02f7eeef936835469f4174cbfec (diff) | |
expr: Introduce struct expr_ops::attr_policy
Similar to kernel's nla_policy, enable expressions to inform about
restrictions on attribute use. This allows the generic expression code
to perform sanity checks before dispatching to expression ops.
For now, this holds only the maximum data len which may be passed to
nftnl_expr_set().
While one may debate whether accepting e.g. uint32_t for sreg/dreg
attributes is correct, it is necessary to not break nftables.
Note that this introduces artificial restrictions on name lengths which
were caught by the kernel (if nftables didn't).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'src/expr/immediate.c')
| -rw-r--r-- | src/expr/immediate.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/expr/immediate.c b/src/expr/immediate.c index 67e4902..b77ccea 100644 --- a/src/expr/immediate.c +++ b/src/expr/immediate.c @@ -216,10 +216,19 @@ static void nftnl_expr_immediate_free(const struct nftnl_expr *e) xfree(imm->data.chain); } +static struct attr_policy immediate_attr_policy[__NFTNL_EXPR_IMM_MAX] = { + [NFTNL_EXPR_IMM_DREG] = { .maxlen = sizeof(uint32_t) }, + [NFTNL_EXPR_IMM_DATA] = { .maxlen = NFT_DATA_VALUE_MAXLEN }, + [NFTNL_EXPR_IMM_VERDICT] = { .maxlen = sizeof(uint32_t) }, + [NFTNL_EXPR_IMM_CHAIN] = { .maxlen = NFT_CHAIN_MAXNAMELEN }, + [NFTNL_EXPR_IMM_CHAIN_ID] = { .maxlen = sizeof(uint32_t) }, +}; + struct expr_ops expr_ops_immediate = { .name = "immediate", .alloc_len = sizeof(struct nftnl_expr_immediate), .nftnl_max_attr = __NFTNL_EXPR_IMM_MAX - 1, + .attr_policy = immediate_attr_policy, .free = nftnl_expr_immediate_free, .set = nftnl_expr_immediate_set, .get = nftnl_expr_immediate_get, |
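Review bot: for `[NFTNL_EXPR_IMM_CHAIN] = { .maxlen = NFT_CHAIN_MAXNAMELEN }` it is not visible here whether the generic length check in nftnl_expr_set() compares `data_len` against `maxlen` as a string length or as a buffer size including the terminating NUL; please state the convention once (e.g. in a comment next to `struct attr_policy`) so that string attributes cannot be off by one in either direction, since the commit message already notes that these limits are now enforced in userspace before the kernel sees them. Two smaller points on the same hunk: the table only ever gets read, so `static const struct attr_policy immediate_attr_policy[...]` would let the compiler place it in read-only storage if the `attr_policy` member of `struct expr_ops` is declared as a pointer to const; and because the array is designated-initialised, any attribute index without an entry carries `.maxlen = 0`, so the generic code should either document that 0 means "no limit" or reject it, otherwise a future attribute added to the enum but not to this table would silently be unconstrained (or unusable).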