* [PATCH 1/4] evaluate: verify named map is actually a map @ 2015-01-12 13:30 Patrick McHardy 2015-01-12 13:30 ` [PATCH 2/4] evaluate: properly set datatype of map expression Patrick McHardy ` (2 more replies) 0 siblings, 3 replies; 4+ messages in thread From: Patrick McHardy @ 2015-01-12 13:30 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel # nft add set filter test { type ipv4_addr; } # nft filter input ip daddr vmap @test Before: <cmdline>:0:0-32: Error: Could not process rule: Invalid argument filter input ip daddr vmap @test ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ After: <cmdline>:1:28-32: Error: Expression is not a map filter input ip daddr vmap @test ^^^^^ Signed-off-by: Patrick McHardy <kaber@trash.net> --- src/evaluate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/evaluate.c b/src/evaluate.c index d24d4cc..651465a 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -738,7 +738,8 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) case EXPR_SYMBOL: if (expr_evaluate(ctx, &map->mappings) < 0) return -1; - if (map->mappings->ops->type != EXPR_SET_REF) + if (map->mappings->ops->type != EXPR_SET_REF || + !(map->mappings->set->flags & NFT_SET_MAP)) return expr_error(ctx->msgs, map->mappings, "Expression is not a map"); break; -- 2.1.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
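Review bot: The new second operand in expr_evaluate_map, !(map->mappings->set->flags & NFT_SET_MAP), dereferences ->set and is reached only because the || stops when ops->type is not EXPR_SET_REF. A one-line comment stating that ordering requirement would keep a later reshuffle of the condition from dereferencing ->set on a non-set expression. The single message "Expression is not a map" now covers two different failures, a symbol that is not a set reference and a set declared without NFT_SET_MAP. A separate message for the second case would tell the user that @test exists but is a plain set.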
* [PATCH 2/4] evaluate: properly set datatype of map expression 2015-01-12 13:30 [PATCH 1/4] evaluate: verify named map is actually a map Patrick McHardy @ 2015-01-12 13:30 ` Patrick McHardy 2015-01-12 13:30 ` [PATCH 3/4] evaluate: check that map expressions' datatype matches mappings Patrick McHardy 2015-01-12 13:30 ` [PATCH 4/4] evaluate: use stmt_evaluate_arg() in all cases Patrick McHardy 2 siblings, 0 replies; 4+ messages in thread From: Patrick McHardy @ 2015-01-12 13:30 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel The datatype of the map expression is the datatype of the mappings. # nft add map filter test { type ipv4_addr : inet_service; } # nft filter output mark set ip daddr map @test Before: <cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type IPv4 address filter output mark set ip daddr map @test ~~~~~~~~~^^^^^^^^^^^^^^^^^^ After: <cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type internet network service filter output mark set ip daddr map @test ~~~~~~~~~^^^^^^^^^^^^^^^^^^ Signed-off-by: Patrick McHardy <kaber@trash.net> --- src/evaluate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/evaluate.c b/src/evaluate.c index 651465a..2067a01 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -748,7 +748,7 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) map->mappings->ops->name); } - map->dtype = ctx->ectx.dtype; + map->dtype = map->mappings->set->datatype; map->flags |= EXPR_F_CONSTANT; /* Data for range lookups needs to be in big endian order */ -- 2.1.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
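Review bot: The assignment map->dtype = map->mappings->set->datatype; comes after the closing brace that ends the case handling, so it runs for every mappings expression that gets this far, not only the EXPR_SYMBOL path where 1/4 checks for EXPR_SET_REF. The hunk does not show that map->mappings carries a valid ->set on the other paths. Please confirm that, or say in the commit message why it holds. With ctx->ectx.dtype no longer consulted here, the commit message should also say that the comparison against the expected type is left to the caller, which is what the "After" output implies.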
* [PATCH 3/4] evaluate: check that map expressions' datatype matches mappings 2015-01-12 13:30 [PATCH 1/4] evaluate: verify named map is actually a map Patrick McHardy 2015-01-12 13:30 ` [PATCH 2/4] evaluate: properly set datatype of map expression Patrick McHardy @ 2015-01-12 13:30 ` Patrick McHardy 2015-01-12 13:30 ` [PATCH 4/4] evaluate: use stmt_evaluate_arg() in all cases Patrick McHardy 2 siblings, 0 replies; 4+ messages in thread From: Patrick McHardy @ 2015-01-12 13:30 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel Catch type errors in map expressions using named maps: # nft add map filter test { type ipv4_addr : inet_service; } # nft filter output mark set tcp dport map @test <cmdline>:1:38-42: Error: datatype mismatch, map expects IPv4 address, mapping expression has type internet network service filter output mark set tcp dport map @test ~~~~~~~~~ ^^^^^ Signed-off-by: Patrick McHardy <kaber@trash.net> --- src/evaluate.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/evaluate.c b/src/evaluate.c index 2067a01..90c87d0 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -748,6 +748,13 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) map->mappings->ops->name); } + if (!datatype_equal(map->map->dtype, map->mappings->set->keytype)) + return expr_binary_error(ctx->msgs, map->mappings, map->map, + "datatype mismatch, map expects %s, " + "mapping expression has type %s", + map->mappings->set->keytype->desc, + map->map->dtype->desc); + map->dtype = map->mappings->set->datatype; map->flags |= EXPR_F_CONSTANT; -- 2.1.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
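Review bot: In the added expr_binary_error() call the phrase "mapping expression has type %s" is filled from map->map->dtype->desc, that is, the lookup key expression (tcp dport in the example), while the field named map->mappings is the map itself. The wording invites confusion between the two; something like "datatype mismatch, map expects %s, key expression has type %s" would match the variable roles. The new check also dereferences map->mappings->set->keytype unconditionally after the case handling, so it relies on the same guarantee as the ->set->datatype assignment just below it. A comment or an assertion that mappings is a set reference at this point would document that.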
* [PATCH 4/4] evaluate: use stmt_evaluate_arg() in all cases 2015-01-12 13:30 [PATCH 1/4] evaluate: verify named map is actually a map Patrick McHardy 2015-01-12 13:30 ` [PATCH 2/4] evaluate: properly set datatype of map expression Patrick McHardy 2015-01-12 13:30 ` [PATCH 3/4] evaluate: check that map expressions' datatype matches mappings Patrick McHardy @ 2015-01-12 13:30 ` Patrick McHardy 2 siblings, 0 replies; 4+ messages in thread From: Patrick McHardy @ 2015-01-12 13:30 UTC (permalink / raw) To: pablo; +Cc: netfilter-devel When using a symbolic vmap expression, we fail to verify that the map actually contains verdicts. Use stmt_evaluate_arg() everywhere to fix this. Signed-off-by: Patrick McHardy <kaber@trash.net> --- src/evaluate.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 90c87d0..a3484c6 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1135,8 +1135,7 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt, static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt) { - expr_set_context(&ctx->ectx, &verdict_type, 0); - if (expr_evaluate(ctx, &stmt->expr) < 0) + if (stmt_evaluate_arg(ctx, stmt, &verdict_type, 0, &stmt->expr) < 0) return -1; switch (stmt->expr->ops->type) { @@ -1625,8 +1624,8 @@ static int stmt_evaluate_redir(struct eval_ctx *ctx, struct stmt *stmt) static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt) { if (stmt->queue.queue != NULL) { - expr_set_context(&ctx->ectx, &integer_type, 16); - if (expr_evaluate(ctx, &stmt->queue.queue) < 0) + if (stmt_evaluate_arg(ctx, stmt, &integer_type, 16, + &stmt->queue.queue) < 0) return -1; if (!expr_is_constant(stmt->queue.queue)) return expr_error(ctx->msgs, stmt->queue.queue, -- 2.1.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
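Review bot: The stmt_evaluate_queue hunk is not covered by the commit message, which only describes the symbolic vmap case in stmt_evaluate_verdict. Please state whether replacing expr_set_context(&ctx->ectx, &integer_type, 16) plus expr_evaluate() with stmt_evaluate_arg(ctx, stmt, &integer_type, 16, &stmt->queue.queue) changes which queue expressions are accepted, or is purely a consistency cleanup. If it does change behaviour, it would be cleaner as its own patch.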
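Review bot: For the stmt_evaluate_verdict hunk, the type check on the vmap result now depends entirely on stmt_evaluate_arg(), whose body is outside the visible context. Unlike 1/4 to 3/4, this message has no reproducer. Adding the failing rule with its before and after output (a vmap that references a map whose data type is not a verdict) would show the fix and give a ready regression test.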