diff options
| author | Florian Westphal <fw@strlen.de> | 2025-06-12 20:17:15 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-08-13 20:43:14 +0200 |
| commit | 10da83c6d02318160ac561dd08fbf153d19cc407 (patch) | |
| tree | e4c8bf102c0d07ba41ec3e07f16101ab3f6785b5 | |
| parent | df6f2d9308762e4c14612dc83240de551ea97fd1 (diff) | |
src: BASECHAIN flag no longer implies presence of priority expression
commit 44ea1936463728475768861073ca4ba34a5c2f75 upstream.
The included bogon will crash nft because print side assumes that BASECHAIN
flag presence also means that priority expression is available.
Make the print side conditional.
Fixes: a66b5ad9540d ("src: allow for updating devices on existing netdev chain")
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | src/rule.c | 16 | ||||
| -rw-r--r-- | tests/shell/testcases/bogons/nft-f/null_ingress_type_crash | 6 |
2 files changed, 16 insertions, 6 deletions
@@ -1032,8 +1032,10 @@ static void chain_print_declaration(const struct chain *chain, nft_print(octx, "\n\t\tcomment \"%s\"", chain->comment); nft_print(octx, "\n"); if (chain->flags & CHAIN_F_BASECHAIN) { - nft_print(octx, "\t\ttype %s hook %s", chain->type.str, - hooknum2str(chain->handle.family, chain->hook.num)); + if (chain->type.str) + nft_print(octx, "\t\ttype %s hook %s", chain->type.str, + hooknum2str(chain->handle.family, chain->hook.num)); + if (chain->dev_array_len == 1) { nft_print(octx, " device \"%s\"", chain->dev_array[0]); } else if (chain->dev_array_len > 1) { @@ -1045,10 +1047,12 @@ static void chain_print_declaration(const struct chain *chain, } nft_print(octx, " }"); } - nft_print(octx, " priority %s;", - prio2str(octx, priobuf, sizeof(priobuf), - chain->handle.family, chain->hook.num, - chain->priority.expr)); + + if (chain->priority.expr) + nft_print(octx, " priority %s;", + prio2str(octx, priobuf, sizeof(priobuf), + chain->handle.family, chain->hook.num, + chain->priority.expr)); if (chain->policy) { mpz_export_data(&policy, chain->policy->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); diff --git a/tests/shell/testcases/bogons/nft-f/null_ingress_type_crash b/tests/shell/testcases/bogons/nft-f/null_ingress_type_crash new file mode 100644 index 00000000..2ed88af2 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/null_ingress_type_crash @@ -0,0 +1,6 @@ +table netdev filter1 { + chain c { + devices = { lo } + } +} +list ruleset |