| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-18 16:19:28 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-19 19:40:39 +0200 |
| commit | ca4096bf271999e0ce23d0aed83291c50c789239 (patch) | |
| tree | 2ce380cb2f9e2a1fd35b3799abd94af5beda762b /tests/shell/testcases | |
| parent | caf7db2cb8bac4981908c1d1917481f64a1046ff (diff) | |
evaluate: do not allow to list/flush anonymous sets via list command
Don't allow this:

```
# nft list set x __set0
table ip x {
	set __set0 {
		type ipv4_addr
		flags constant
		elements = { 1.1.1.1 }
	}
}
```
Constant sets never change and they are attached to a rule (the anonymous
flag is set); do not list their content through this command. Do not
allow the flush operation either.
After this patch:

```
# nft list set x __set0
Error: No such file or directory
list set x __set0
              ^^^^^^
```
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell/testcases')
-rwxr-xr-x  tests/shell/testcases/listing/0016anonymous_0 | 33
1 files changed, 33 insertions, 0 deletions
diff --git a/tests/shell/testcases/listing/0016anonymous_0 b/tests/shell/testcases/listing/0016anonymous_0 new file mode 100755 index 00000000..83acbcca --- /dev/null +++ b/tests/shell/testcases/listing/0016anonymous_0 @@ -0,0 +1,33 @@ +#!/bin/bash + +$NFT add table x +$NFT add chain x y +$NFT add rule x y ip saddr { 1.1.1.1 } +$NFT add rule x y meta mark set ip saddr map { 1.1.1.1 : 2 } + +$NFT list set x __set0 &>/dev/null +ret=$? +if [ $ret -eq 0 ] +then + exit 1 +fi + +$NFT flush set x __set0 &>/dev/null +ret=$? +if [ $ret -eq 0 ] +then + exit 1 +fi + +$NFT list map x __map0 &>/dev/null +if [ $ret -eq 0 ] +then + exit 1 +fi + +$NFT flush map x __map0 &>/dev/null +ret=$? +if [ $ret -eq 0 ] +then + exit 1 +fi |
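Review bot: the `list map x __map0` check tests a stale exit status: after `$NFT list map x __map0 &>/dev/null` there is no `ret=$?` before `if [ $ret -eq 0 ]`, so `ret` still holds the result of the preceding `flush set x __set0` call and a regression that lets anonymous maps be listed again would pass this test unnoticed. Add `ret=$?` after that line as the other three checks do, or drop the variable and test the command directly (`if $NFT list map x __map0 &>/dev/null; then exit 1; fi`). Also worth noting for all four checks: they only assert that the command fails, and the expected failure is ENOENT, which is the same error a mistyped or never-created name would produce; a positive check that `__set0` and `__map0` actually exist (for example via `$NFT list table x`) would make the test distinguish "correctly refused" from "nothing there".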