author | Florian Westphal <fw@strlen.de> | 2019-07-12 12:29:31 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2019-07-12 17:04:31 +0200 |
commit | 87c0bee7f04917623c35e850ad223222a93520d1 (patch) | |
tree | 9faed64fa79129f5c55f6ab53d464aebbcfc2c7c | |
parent | aad1a9199d6d54d1ba71fe825110abac07d9b323 (diff) |
src/ct: provide fixed data lengh sizes for ip/ip6 keys
nft can load but not list this:
table inet filter {
chain input {
ct original ip daddr {1.2.3.4} accept
}
}
The problem is that the ct template length is 0, so we believe the right-hand
side is a concatenation because left->len < set->key->len is true.
nft then calls abort() during concatenation parsing.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/ct.c | 8 | ||||
-rw-r--r-- | tests/py/inet/ct.t | 2 | ||||
-rw-r--r-- | tests/py/inet/ct.t.payload | 8 |
3 files changed, 14 insertions, 4 deletions
@@ -292,13 +292,13 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
[NFT_CT_EVENTMASK] = CT_TEMPLATE("event", &ct_event_type,
BYTEORDER_HOST_ENDIAN, 32),
[NFT_CT_SRC_IP] = CT_TEMPLATE("ip saddr", &ipaddr_type,
- BYTEORDER_BIG_ENDIAN, 0),
+ BYTEORDER_BIG_ENDIAN, 32),
[NFT_CT_DST_IP] = CT_TEMPLATE("ip daddr", &ipaddr_type,
- BYTEORDER_BIG_ENDIAN, 0),
+ BYTEORDER_BIG_ENDIAN, 32),
[NFT_CT_SRC_IP6] = CT_TEMPLATE("ip6 saddr", &ip6addr_type,
- BYTEORDER_BIG_ENDIAN, 0),
+ BYTEORDER_BIG_ENDIAN, 128),
[NFT_CT_DST_IP6] = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
- BYTEORDER_BIG_ENDIAN, 0),
+ BYTEORDER_BIG_ENDIAN, 128),
};
static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/tests/py/inet/ct.t b/tests/py/inet/ct.t
index 1a656aa4..3d0dffad 100644
--- a/tests/py/inet/ct.t
+++ b/tests/py/inet/ct.t
@@ -6,6 +6,8 @@ meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4
ct original ip6 saddr ::1;ok
+ct original ip daddr {1.2.3.4} accept;ok
+
# missing protocol context
ct original saddr ::1;fail
diff --git a/tests/py/inet/ct.t.payload b/tests/py/inet/ct.t.payload
index 83146869..3b274f8c 100644
--- a/tests/py/inet/ct.t.payload
+++ b/tests/py/inet/ct.t.payload
@@ -10,3 +10,11 @@ inet test-inet input
[ ct load src_ip6 => reg 1 , dir original ]
[ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
+# ct original ip daddr {1.2.3.4} accept
+__set%d test-inet 3 size 1
+__set%d test-inet 0
+ element 04030201 : 0 [end]
+inet test-inet input
+ [ ct load dst_ip => reg 1 , dir original ]
+ [ lookup reg 1 set __set%d ]
+ [ immediate reg 0 accept ] |
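Review bot: The four changed CT_TEMPLATE entries now carry bare literal widths (32 with ipaddr_type, 128 with ip6addr_type) and nothing in the hunk records why a zero length is unsafe here, so a future template added with 0 would quietly reintroduce the abort() path the commit message describes. A one-line comment above the [NFT_CT_SRC_IP] entry would capture that: `/* family-specific address keys need a fixed width: a 0 length makes a set lookup look like a concatenation and aborts the parser (bz 1222) */`. The change fixes the table data only; if the `left->len < set->key->len` comparison in the concatenation code path (outside this hunk) can still be reached with another zero-length template — presumably the family-agnostic saddr/daddr entries, whose width is only known once protocol context is set; verify against the rest of ct_templates — the same abort remains reachable, and a guard there that rejects or resolves a zero-length left-hand side rather than treating it as a concatenation would make that path robust independent of this table. The ct_templates array starts before this hunk.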