From: Phil Sutter <phil@nwl.cc>
To: Fernando Fernandez Mancera <ffmancera@riseup.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/2 nft] jump: Allow goto and jump to a variable using nft input files
Date: Wed, 15 May 2019 22:31:49 +0200
Message-ID: <20190515203149.GD4851@orbyte.nwl.cc>
In-Reply-To: <902d698b-a25c-0567-1338-b2d8c0bd91cb@riseup.net>

Hi,

On Wed, May 15, 2019 at 09:56:11PM +0200, Fernando Fernandez Mancera wrote:
> Hi Phil,
>
> On 5/15/19 9:26 PM, Phil Sutter wrote:
> > Hi Pablo,
> >
> > On Wed, May 15, 2019 at 05:21:32PM +0200, Pablo Neira Ayuso wrote:
> >> On Wed, May 15, 2019 at 01:46:17PM +0200, Phil Sutter wrote:
> >> [...]
> >> '@<something>' is currently allowed, as any arbitrary string can be
> >> placed in between strings - although in some way this is taking us
> >> back to the quote debate that needs to be addressed. If we want to
> >> disallow something enclosed in quotes then we'll have to apply this
> >> function everywhere we allow variables.
> >
> > Oh, sorry. I put those ticks in there just to quote the value, not as
> > part of the value. The intention was to point out that something like:
> >
> > | define foo = @set1
> > | add rule ip t c jump $foo
> >
> > Might pass evaluation stage and since there is a special case for things
> > starting with '@' in symbol_expr, the added rule would turn into
> >
> > | add rule ip t c jump set1
> >
> > We could detect this situation by checking expr->symtype.
> >
>
> I agree about that. We could check if the symbol type is SYMBOL_VALUE.
> But I am not sure about where should we do it, maybe in the parser?
>
> > On the other hand, can we maybe check if given string points to an
> > *existing* chain in verdict_type_parse()? Or will that happen later
> > anyway?
> >
>
> It happens later, right now if the given string does not point to an
> existing chain it returns the usual error for this situation. e.g

I just played around a bit and could provoke some segfaults:

* define foo = @set1 (a set named 'set1' must exist)
* define foo = { 1024 }
* define foo = *

I didn't check how we could avoid those. Maybe this is even follow-up
work, but we should definitely try to address those eventually.

Cheers, Phil
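
The check discussed in this thread, sketched as an added example (not nftables code and not written by any participant): a variable's value is classified first and only a plain SYMBOL_VALUE symbol is accepted as a jump target. The struct, the `kind` enum, `classify()`, `jump_target()` and the chain name `mychain` are assumptions made for this stand-alone model.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for this example only; not nftables' real definitions. */
enum symtype { SYMBOL_VALUE, SYMBOL_SET };
enum kind { KIND_SYMBOL, KIND_SET_LITERAL, KIND_WILDCARD, KIND_INVALID };

struct var_value {
    enum kind kind;
    enum symtype symtype;   /* meaningful only for KIND_SYMBOL */
    const char *identifier; /* meaningful only for KIND_SYMBOL */
};

/* Classify the right-hand side of a "define foo = ..." line (hypothetical helper). */
static struct var_value classify(const char *rhs)
{
    struct var_value v = { KIND_INVALID, SYMBOL_VALUE, NULL };
    if (rhs == NULL || *rhs == '\0')
        return v;
    if (rhs[0] == '{') {
        v.kind = KIND_SET_LITERAL;            /* e.g. { 1024 } */
    } else if (strcmp(rhs, "*") == 0) {
        v.kind = KIND_WILDCARD;
    } else {
        v.kind = KIND_SYMBOL;
        v.symtype = rhs[0] == '@' ? SYMBOL_SET : SYMBOL_VALUE;
        v.identifier = rhs[0] == '@' ? rhs + 1 : rhs;
    }
    return v;
}

/* Chain name for "jump $foo", or NULL when the value must be rejected with an error. */
static const char *jump_target(const char *rhs)
{
    struct var_value v = classify(rhs);
    if (v.kind != KIND_SYMBOL)                /* not a name at all */
        return NULL;
    if (v.symtype != SYMBOL_VALUE || v.identifier[0] == '\0')
        return NULL;                          /* @set1 names a set, not a chain */
    return v.identifier;
}

int main(void)
{
    /* Constructed sample values: the three from the message plus one plain name. */
    const char *samples[] = { "@set1", "{ 1024 }", "*", "mychain" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s -> %s\n", samples[i], jump_target(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```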