diff options
author | Xiao Liang <shaw.leon@gmail.com> | 2022-08-19 10:40:23 +0800 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2022-08-19 08:10:06 +0200 |
commit | 9a20f17a7a82ce5ba47047e6c3d2fc921cc1087d (patch) | |
tree | 900a1c2cc23915acba34842bb3a5c6d28a50ef9b /tests/shell/testcases | |
parent | 7526881a6bbf874c0998fc9cea1646b5354596ce (diff) |
src: Don't parse string as verdict in map
In verdict map, string values are accidentally treated as verdicts.
For example:
table t {
map foo {
type ipv4_addr : verdict
elements = {
192.168.0.1 : bar
}
}
chain output {
type filter hook output priority mangle;
ip daddr vmap @foo
}
}
Though "bar" is not a valid verdict (should be "jump bar" or something),
the string is taken as the element value. Then NFTA_DATA_VALUE is sent
to the kernel instead of NFTA_DATA_VERDICT. This would be rejected by
recent kernels. On older ones (e.g. v5.4.x) that don't validate the
type, a warning can be seen when the rule is hit, because of the
corrupted verdict value:
[5120263.467627] WARNING: CPU: 12 PID: 303303 at net/netfilter/nf_tables_core.c:229 nft_do_chain+0x394/0x500 [nf_tables]
Indeed, we don't parse verdicts during evaluation, but only chain names,
which is of type string rather than verdict. For example, "jump $var" is
a verdict while "$var" is a string.
Fixes: c64457cff967 ("src: Allow goto and jump to a variable")
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests/shell/testcases')
-rwxr-xr-x | tests/shell/testcases/nft-f/0031vmap_string_0 | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/tests/shell/testcases/nft-f/0031vmap_string_0 b/tests/shell/testcases/nft-f/0031vmap_string_0 new file mode 100755 index 00000000..2af846a4 --- /dev/null +++ b/tests/shell/testcases/nft-f/0031vmap_string_0 @@ -0,0 +1,21 @@ +#!/bin/bash + +# Tests parse of corrupted verdicts + +set -e + +RULESET=" +table ip foo { + map bar { + type ipv4_addr : verdict + elements = { + 192.168.0.1 : ber + } + } + + chain ber { + } +}" + +$NFT -f - <<< "$RULESET" && exit 1 +exit 0 |