From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 2/3] meta: Reject nfproto value 0xffff
Date: Thu, 18 Jul 2019 05:39:39 +0200
Message-ID: <20190718033940.12820-2-phil@nwl.cc>
In-Reply-To: <20190718033940.12820-1-phil@nwl.cc>
Since parsing of arphrd_type happens via sym_tbl, there is no dedicated
parser function to perform the check in. So instead make use of maxval
in expr_ctx to reject the value.
While at it, introduce a switch() to check for meta.key value in a
single place.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/evaluate.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 55cd9d00d274c..ff52aefc669e0 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -23,6 +23,7 @@
#include <netinet/icmp6.h>
#include <net/ethernet.h>
#include <net/if.h>
+#include <net/if_arp.h>
#include <errno.h>
#include <expression.h>
@@ -1795,14 +1796,25 @@ static int expr_evaluate_fib(struct eval_ctx *ctx, struct expr **exprp)
static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp)
{
struct expr *meta = *exprp;
+ unsigned int maxval = 0;
- if (ctx->pctx.family != NFPROTO_INET &&
- meta->flags & EXPR_F_PROTOCOL &&
- meta->meta.key == NFT_META_NFPROTO)
+ switch (meta->meta.key) {
+ case NFT_META_NFPROTO:
+ if (ctx->pctx.family == NFPROTO_INET ||
+ !(meta->flags & EXPR_F_PROTOCOL))
+ break;
return expr_error(ctx->msgs, meta,
- "meta nfproto is only useful in the inet family");
-
- return expr_evaluate_primary(ctx, exprp);
+ "meta nfproto is only useful in the inet family");
+ case NFT_META_IIFTYPE:
+ case NFT_META_OIFTYPE:
+ maxval = ARPHRD_VOID - 1;
+ break;
+ default:
+ break;
+ }
+ __expr_set_context(&ctx->ectx, (*exprp)->dtype, (*exprp)->byteorder,
+ (*exprp)->len, maxval);
+ return 0;
}
static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
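Review bot: the subject line says "Reject nfproto value 0xffff", but what this hunk limits is the NFT_META_IIFTYPE / NFT_META_OIFTYPE (arphrd_type) value, as the commit message itself describes; the subject should name iiftype/oiftype so the log does not suggest a change to nfproto handling. A short comment at `maxval = ARPHRD_VOID - 1;` would also help: ARPHRD_VOID is 0xffff and the limit is inclusive, so ARPHRD_NONE (0xfffe) remains accepted, which is presumably the intent. Note too that every other key now reaches `__expr_set_context()` with `maxval = 0`, replacing the former `return expr_evaluate_primary(ctx, exprp);`; this is correct only if 0 already means "no limit" for expr_ctx (I assume it does, given the old path), so the tests in 3/3 should cover both an accepted in-range arphrd_type and the rejected 0xffff.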
--
2.22.0