diff options
author | Phil Sutter <phil@nwl.cc> | 2018-08-17 15:35:47 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-08-17 16:15:23 +0200 |
commit | 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac (patch) | |
tree | a6bf5852c800e3e9d52f993269ad66fbcb120184 | |
parent | 294f9ef5ee354ff902dfdc091a604f93083c248d (diff) |
xtables: Fix for segfault in iptables-nft
Trying to set a chain's policy in an invalid table resulted in a
segfault. Reproducer was:
| # iptables -t broute -P BROUTING ACCEPT
Fix this by aborting in nft_chain_new() if nft_table_builtin_find()
returned NULL for the given table name.
For an illustrative error message, set errno to ENXIO in the above case
and add an appropriate Mesage to nft_strerror().
While being at it, improve the error message if an invalid policy was
given. Before:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Incompatible with this kernel.
After:
| # iptables-nft -t filter -P INPUT ACCEPTdf
| iptables: Bad policy name. Run `dmesg' for more information.
Third unrelated change in this patch: Drop error checking of
nft_chain_set() in do_commandx(): The function never returns negative,
so that check never yielded true.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r-- | iptables/nft.c | 11 | ||||
-rw-r--r-- | iptables/xtables.c | 3 |
2 files changed, 9 insertions, 5 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index 0b29caeb..dd8469a9 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -833,9 +833,13 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h, struct builtin_chain *_c; _t = nft_table_builtin_find(h, table); + if (!_t) { + errno = ENXIO; + return NULL; + } + /* if this built-in table does not exists, create it */ - if (_t != NULL) - nft_table_builtin_add(h, _t); + nft_table_builtin_add(h, _t); _c = nft_chain_builtin_find(_t, chain); if (_c != NULL) { @@ -871,6 +875,8 @@ int nft_chain_set(struct nft_handle *h, const char *table, c = nft_chain_new(h, table, chain, NF_DROP, counters); else if (strcmp(policy, "ACCEPT") == 0) c = nft_chain_new(h, table, chain, NF_ACCEPT, counters); + else + errno = EINVAL; if (c == NULL) return 0; @@ -2828,6 +2834,7 @@ const char *nft_strerror(int err) "Bad rule (does a matching rule exist in that chain?)" }, { nft_chain_set, ENOENT, "Bad built-in chain name" }, { nft_chain_set, EINVAL, "Bad policy name" }, + { nft_chain_set, ENXIO, "Bad table name" }, { NULL, ELOOP, "Loop found in table" }, { NULL, EPERM, "Permission denied (you must be root)" }, { NULL, 0, "Incompatible with this kernel" }, diff --git a/iptables/xtables.c b/iptables/xtables.c index d9050b45..72f65962 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, break; case CMD_SET_POLICY: ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL); - if (ret < 0) - xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n", - p.policy); break; default: /* We should never reach this... */ |