From 92f7b04fbd1803783b3efe1f1de8e81b2bac15ac Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 17 Aug 2018 15:35:47 +0200 Subject: xtables: Fix for segfault in iptables-nft Trying to set a chain's policy in an invalid table resulted in a segfault. Reproducer was: | # iptables -t broute -P BROUTING ACCEPT Fix this by aborting in nft_chain_new() if nft_table_builtin_find() returned NULL for the given table name. For an illustrative error message, set errno to ENXIO in the above case and add an appropriate Mesage to nft_strerror(). While being at it, improve the error message if an invalid policy was given. Before: | # iptables-nft -t filter -P INPUT ACCEPTdf | iptables: Incompatible with this kernel. After: | # iptables-nft -t filter -P INPUT ACCEPTdf | iptables: Bad policy name. Run `dmesg' for more information. Third unrelated change in this patch: Drop error checking of nft_chain_set() in do_commandx(): The function never returns negative, so that check never yielded true. Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal --- iptables/xtables.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'iptables/xtables.c') diff --git a/iptables/xtables.c b/iptables/xtables.c index d9050b45..72f65962 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -1266,9 +1266,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, break; case CMD_SET_POLICY: ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL); - if (ret < 0) - xtables_error(PARAMETER_PROBLEM, "Wrong policy `%s'\n", - p.policy); break; default: /* We should never reach this... */ -- cgit v1.2.3