[PATCH nft 1/2] parser_bison: display too many levels of nesting error

[PATCH nft 1/2] parser_bison: display too many levels of nesting error

[Pablo Neira Ayuso]

Instead of hitting this assertion:

 nft: parser_bison.y:70: open_scope: Assertion `state->scope < array_size(state->scopes) - 1' failed.
 Aborted

this is easier to trigger with implicit chains where one level of
nesting from the existing chain scope is supported.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1615
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/parser.h   |  1 +
 src/parser_bison.y | 27 +++++++++++++++++++++++----
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/include/parser.h b/include/parser.h
index 2fb037cb8470..f55da0fd47bf 100644
--- a/include/parser.h
+++ b/include/parser.h
@@ -22,6 +22,7 @@ struct parser_state {
 
 	struct scope			*scopes[SCOPE_NEST_MAX];
 	unsigned int			scope;
+	bool				scope_err;
 
 	unsigned int			flex_state_pop;
 	unsigned int			startcond_type;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 0266819a779b..760c23cf3322 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -65,15 +65,26 @@ static struct scope *current_scope(const struct parser_state *state)
 	return state->scopes[state->scope];
 }
 
-static void open_scope(struct parser_state *state, struct scope *scope)
+static int open_scope(struct parser_state *state, struct scope *scope)
 {
-	assert(state->scope < array_size(state->scopes) - 1);
+	if (state->scope >= array_size(state->scopes) - 1) {
+		state->scope_err = true;
+		return -1;
+	}
+
 	scope_init(scope, current_scope(state));
 	state->scopes[++state->scope] = scope;
+
+	return 0;
 }
 
 static void close_scope(struct parser_state *state)
 {
+	if (state->scope_err) {
+		state->scope_err = false;
+		return;
+	}
+
 	assert(state->scope > 0);
 	state->scope--;
 }
@@ -1674,7 +1685,11 @@ describe_cmd		:	primary_expr
 table_block_alloc	:	/* empty */
 			{
 				$$ = table_alloc();
-				open_scope(state, &$$->scope);
+				if (open_scope(state, &$$->scope) < 0) {
+					erec_queue(error(&@$, "too many levels of nesting"),
+						   state->msgs);
+					state->nerrs++;
+				}
 			}
 			;
 
@@ -1836,7 +1851,11 @@ table_block		:	/* empty */	{ $$ = $<table>-1; }
 chain_block_alloc	:	/* empty */
 			{
 				$$ = chain_alloc(NULL);
-				open_scope(state, &$$->scope);
+				if (open_scope(state, &$$->scope) < 0) {
+					erec_queue(error(&@$, "too many levels of nesting"),
+						   state->msgs);
+					state->nerrs++;
+				}
 			}
 			;
 
-- 
2.30.2

[PATCH nft 2/2] rule: do not display handle for implicit chain

[Pablo Neira Ayuso]

Implicit chain do not allow for incremental updates, do not display rule
handle since kernel refuses to update an implicit chain which is already
bound.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1615
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/rule.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/rule.c b/src/rule.c
index 1caee58fb762..d1ee6c2ee067 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1058,13 +1058,19 @@ static void chain_print_declaration(const struct chain *chain,
 void chain_rules_print(const struct chain *chain, struct output_ctx *octx,
 		       const char *indent)
 {
+	unsigned int flags = octx->flags;
 	struct rule *rule;
 
+	if (chain->flags & CHAIN_F_BINDING)
+		octx->flags &= ~NFT_CTX_OUTPUT_HANDLE;
+
 	list_for_each_entry(rule, &chain->rules, list) {
 		nft_print(octx, "\t\t%s", indent ? : "");
 		rule_print(rule, octx);
 		nft_print(octx, "\n");
 	}
+
+	octx->flags = flags;
 }
 
 static void chain_print(const struct chain *chain, struct output_ctx *octx)
-- 
2.30.2