diff options
-rw-r--r-- | tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump | 0 | ||||
-rwxr-xr-x | tests/shell/testcases/transactions/validation_recursion.sh | 39 |
2 files changed, 39 insertions, 0 deletions
diff --git a/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump b/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump diff --git a/tests/shell/testcases/transactions/validation_recursion.sh b/tests/shell/testcases/transactions/validation_recursion.sh new file mode 100755 index 00000000..bc3ebcc1 --- /dev/null +++ b/tests/shell/testcases/transactions/validation_recursion.sh @@ -0,0 +1,39 @@ +#!/bin/bash + +# regression check for kernel commit +# cff3bd012a95 ("netfilter: nf_tables: prefer nft_chain_validate") + +chains=100 + +# first create skeleton, linear list +# of 1k jumps, c1 -> c2 .. -> c100. +# +# not caught, commit phase validation doesn't care about +# non-base chains. +( + echo add table ip t + + for i in $(seq 1 $chains);do + echo add chain t c$i + done + + for i in $(seq 1 $((chains-1)) );do + echo add rule t c$i jump c$((i+1)) + done +) | $NFT -f - + +# now link up c0 to c1. This triggers register-store validation for +# c1. Old algorithm is recursive and will blindly chase the entire +# list of chains created above. On older kernels, this will cause kernel +# stack overflow/guard page crash. +$NFT -f - <<EOF +add chain t c0 { type filter hook input priority 0; } +add rule t c0 jump c1 +EOF + +if [ $? -eq 0 ] ; then + echo "E: loaded bogus ruleset" >&2 + exit 1 +fi + +$NFT delete table ip t |