author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-18 16:19:28 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-19 19:40:39 +0200 |
commit | ca4096bf271999e0ce23d0aed83291c50c789239 (patch) | |
tree | 2ce380cb2f9e2a1fd35b3799abd94af5beda762b /src | |
parent | caf7db2cb8bac4981908c1d1917481f64a1046ff (diff) |
evaluate: do not allow to list/flush anonymous sets via list command
Don't allow this:
# nft list set x __set0
table ip x {
set __set0 {
type ipv4_addr
flags constant
elements = { 1.1.1.1 }
}
}
Constant sets never change and they are attached to a rule (the anonymous
flag is set on them); do not list their content through this command. Do not
allow the flush operation either.
After this patch:
# nft list set x __set0
Error: No such file or directory
list set x __set0
^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 34 |
1 files changed, 28 insertions, 6 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 07617a7c..dfdd3c24 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3587,9 +3587,12 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 return table_not_found(ctx);
 set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || set->flags & NFT_SET_MAP)
+ if (set == NULL)
 return set_not_found(ctx, &ctx->cmd->handle.set.location,
 ctx->cmd->handle.set.name);
+ else if (set->flags & (NFT_SET_MAP | NFT_SET_ANONYMOUS))
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
 return 0;
 case CMD_OBJ_METER:
@@ -3598,9 +3601,13 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 return table_not_found(ctx);
 set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || !(set->flags & NFT_SET_EVAL))
+ if (set == NULL)
 return set_not_found(ctx, &ctx->cmd->handle.set.location,
 ctx->cmd->handle.set.name);
+ else if (!(set->flags & NFT_SET_EVAL) ||
+ !(set->flags & NFT_SET_ANONYMOUS))
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
 return 0;
 case CMD_OBJ_MAP:
@@ -3609,9 +3616,13 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 return table_not_found(ctx);
 set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || !(set->flags & NFT_SET_MAP))
+ if (set == NULL)
 return set_not_found(ctx, &ctx->cmd->handle.set.location,
 ctx->cmd->handle.set.name);
+ else if (!(set->flags & NFT_SET_MAP) ||
+ set->flags & NFT_SET_ANONYMOUS)
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
 return 0;
 case CMD_OBJ_CHAIN:
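Review bot: The NULL-check plus flag-check pair is now spelled out six times with only the flag condition varying — the three cmd_evaluate_list cases in this file section and the three cmd_evaluate_flush cases in the hunks that follow — and the `else if` hanging off an unconditional `return` adds a branch the reader has to untangle each time. A small static helper taking the required and forbidden flag masks would express each case in one line (`return set_check_kind(ctx, set, 0, NFT_SET_MAP | NFT_SET_ANONYMOUS);` here, `NFT_SET_MAP, NFT_SET_ANONYMOUS` for maps, `NFT_SET_EVAL | NFT_SET_ANONYMOUS, 0` for meters) and keep the `strerror(ENOENT)` wording in one place. The hunk also assumes `<errno.h>` and `<string.h>` are already included by evaluate.c, which the diff does not show. cmd_evaluate_list begins and ends outside the hunk.
```c
/* Shared guard for the list/flush set, map and meter cases: the name must
 * resolve, carry every flag in `required` and none of those in `forbidden`. */
static int set_check_kind(struct eval_ctx *ctx, const struct set *set,
			  uint32_t required, uint32_t forbidden)
{
	if (set == NULL)
		return set_not_found(ctx, &ctx->cmd->handle.set.location,
				     ctx->cmd->handle.set.name);
	if ((set->flags & required) != required || (set->flags & forbidden))
		return cmd_error(ctx, &ctx->cmd->handle.set.location,
				 "%s", strerror(ENOENT));
	return 0;
}

/* … in cmd_evaluate_list, case CMD_OBJ_SET, replacing the if / else if / return 0 … */
		set = set_lookup(table, cmd->handle.set.name);
		return set_check_kind(ctx, set, 0, NFT_SET_MAP | NFT_SET_ANONYMOUS);
```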
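Review bot: The meter branch rejects a set that is not anonymous (`!(set->flags & NFT_SET_ANONYMOUS)`), the opposite polarity of the set and map branches on either side of it, and nothing in the hunk says why. If meters are always created as anonymous NFT_SET_EVAL sets — which the diff does not show — a comment such as `/* a meter is an anonymous NFT_SET_EVAL set; a named dynamic set is not one */` would stop the next reader from taking it for a typo; if they are not, `list meter` now refuses every named set carrying NFT_SET_EVAL. The cmd_evaluate_flush meter hunk on the following line carries the same condition and would take the same comment. cmd_evaluate_list begins and ends outside the hunk.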
@@ -3698,9 +3709,12 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
 return table_not_found(ctx);
 set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || set->flags & NFT_SET_MAP)
+ if (set == NULL)
 return set_not_found(ctx, &ctx->cmd->handle.set.location,
 ctx->cmd->handle.set.name);
+ else if (set->flags & (NFT_SET_MAP | NFT_SET_ANONYMOUS))
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
 return 0;
 case CMD_OBJ_MAP:
@@ -3709,9 +3723,13 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
 return table_not_found(ctx);
 set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || !(set->flags & NFT_SET_MAP))
+ if (set == NULL)
 return set_not_found(ctx, &ctx->cmd->handle.set.location,
 ctx->cmd->handle.set.name);
+ else if (!(set->flags & NFT_SET_MAP) ||
+ set->flags & NFT_SET_ANONYMOUS)
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
 return 0;
 case CMD_OBJ_METER:
@@ -3720,9 +3738,13 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
 return table_not_found(ctx);
 set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || !(set->flags & NFT_SET_EVAL))
+ if (set == NULL)
 return set_not_found(ctx, &ctx->cmd->handle.set.location,
 ctx->cmd->handle.set.name);
+ else if (!(set->flags & NFT_SET_EVAL) ||
+ !(set->flags & NFT_SET_ANONYMOUS))
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
 return 0;
 default: |