diff options
author | Florian Westphal <fw@strlen.de> | 2017-06-16 21:18:45 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2017-06-18 23:28:57 +0200 |
commit | fda79e96bcaa5fc927523b582bfc42c8ad22deca (patch) | |
tree | ac5060ff4c428e80a6b7e4bd430315a292e5ceb2 /src | |
parent | 7e1ff143442c6c9428f2a1cdb7c751216407437c (diff) |
evaluate: reject meta nfproto outside of inet family
meta nfproto loads the hook family type of the current rule context
in the kernel, i.e. it will be NFPROTO_IPV6 for ip6 family,
NFPROTO_BRIDGE for bridge and so on.
The only case where this is useful is the inet pseudo family,
where this is useful to determine the real hook family
(NFPROTO_IPV4 or NFPROTO_IPV6).
In all other families 'meta nfproto' is either always true or false.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 04367ced..cee99272 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1692,6 +1692,18 @@ static int expr_evaluate_fib(struct eval_ctx *ctx, struct expr **exprp) return expr_evaluate_primary(ctx, exprp); } +static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp) +{ + struct expr *meta = *exprp; + + if (ctx->pctx.family != NFPROTO_INET && + meta->flags & EXPR_F_PROTOCOL && + meta->meta.key == NFT_META_NFPROTO) + return expr_error(ctx->msgs, meta, + "meta nfproto is only useful in the inet family"); + return expr_evaluate_primary(ctx, exprp); +} + static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr) { #ifdef DEBUG @@ -1715,8 +1727,9 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr) case EXPR_EXTHDR: return expr_evaluate_exthdr(ctx, expr); case EXPR_VERDICT: - case EXPR_META: return expr_evaluate_primary(ctx, expr); + case EXPR_META: + return expr_evaluate_meta(ctx, expr); case EXPR_FIB: return expr_evaluate_fib(ctx, expr); case EXPR_PAYLOAD: |