| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-11-22 09:43:04 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-11-22 10:14:10 +0100 |
| commit | 59d304f47a121afda867d792c709bc2c81946979 (patch) | |
| tree | e61d3f0fbd59b4b00664dc8dbb99794a3b978faf | |
| parent | bab3ede002da778e18fa5f30ac7b05c4de5e1de8 (diff) | |
evaluate: bogus error when adding devices to flowtable
Bail out if flowtable declaration is missing and no devices are
specified.
Otherwise, this reports a bogus error when adding new devices to an
existing flowtable.
# nft -v
nftables v1.0.9 (Old Doc Yak #3)
# ip link add dummy1 type dummy
# ip link set dummy1 up
# nft 'create flowtable inet filter f1 { hook ingress priority 0; counter }'
# nft 'add flowtable inet filter f1 { devices = { dummy1 } ; }'
Error: missing hook and priority in flowtable declaration
add flowtable inet filter f1 { devices = { dummy1 } ; }
^^^^^^^^^^^^^^^^^^^^^^^^
Fixes: 5ad475fce5a1 ("evaluate: bail out if new flowtable does not specify hook and priority")
Reported-by: Martin Gignac <martin.gignac@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/evaluate.c | 2 |
| -rwxr-xr-x | tests/shell/testcases/flowtable/0015destroy_0 | 8 |

2 files changed, 9 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 13b6a603..bcf83d80 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -4867,7 +4867,7 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft) return table_not_found(ctx); if (!ft_cache_find(table, ft->handle.flowtable.name)) { - if (!ft->hook.name) + if (!ft->hook.name && !ft->dev_expr) return chain_error(ctx, ft, "missing hook and priority in flowtable declaration"); ft_cache_add(flowtable_get(ft), table); diff --git a/tests/shell/testcases/flowtable/0015destroy_0 b/tests/shell/testcases/flowtable/0015destroy_0 index d2a87da0..cea33524 100755 --- a/tests/shell/testcases/flowtable/0015destroy_0 +++ b/tests/shell/testcases/flowtable/0015destroy_0 @@ -2,6 +2,11 @@ # NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy) +trap "ip link del dummy1" EXIT + +ip link add dummy1 type dummy +ip link set dummy1 up + $NFT add table t # pass for non-existent flowtable @@ -9,4 +14,7 @@ $NFT destroy flowtable t f # successfully delete existing flowtable $NFT add flowtable t f '{ hook ingress priority 10; devices = { lo }; }' + +$NFT 'add flowtable t f { devices = { dummy1 } ; }' + $NFT destroy flowtable t f |
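Review bot: the relaxed condition in flowtable_evaluate() no longer distinguishes "append devices to an existing flowtable" from "declare a brand-new flowtable with devices but no hook": with `if (!ft->hook.name && !ft->dev_expr)`, a flowtable that is absent from the cache and carries only `devices = { ... }` now skips the "missing hook and priority in flowtable declaration" diagnostic and goes straight to `ft_cache_add(flowtable_get(ft), table)`, so for a genuinely new flowtable the user will get whatever error the kernel returns instead of the descriptive one. The commit message also does not say why `ft_cache_find()` misses a flowtable that already exists in the kernel in the reported scenario; a sentence explaining that, or a check against the kernel-side cache before accepting a devices-only declaration, would make the intent of this change clearer.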
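Review bot: the first test hunk introduces a hard dependency on the `dummy` link type, but unlike the `# NFT_TEST_REQUIRES(NFT_TEST_HAVE_destroy)` guard just above it there is no requirement or skip for environments where `ip link add dummy1 type dummy` fails (module unavailable, unprivileged container), in which case the test will fail for reasons unrelated to nft; installing `trap "ip link del dummy1" EXIT` before the add is fine for cleanup, but the add itself should be checked or guarded so the failure is attributable.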
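Review bot: the new `$NFT 'add flowtable t f { devices = { dummy1 } ; }'` only asserts that the command exits successfully; it does not verify that dummy1 was actually appended alongside lo, so a regression that silently accepts the command without updating the device list would still pass. Listing the flowtable after the add and checking that both `lo` and `dummy1` appear, before `$NFT destroy flowtable t f`, would make the regression test meaningful; also consider placing this case in its own testcase rather than in 0015destroy_0, whose comments describe destroy semantics.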