|
 |
3730f4 |
From 13bd961c3ba83e4189dcffdcf570c5a4391fd5f9 Mon Sep 17 00:00:00 2001
|
|
|
3730f4 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
3730f4 |
Date: Fri, 10 Jan 2020 19:58:29 +0100
|
|
|
cc550a |
Subject: [PATCH] monitor: Do not decompose non-anonymous sets
|
|
|
cc550a |
|
|
|
3730f4 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1774742
|
|
|
3730f4 |
Upstream Status: nftables commit 5d57fa3e99bb9
|
|
|
cc550a |
|
|
|
3730f4 |
commit 5d57fa3e99bb9f2044e236d4ddb7d874cfefe1dd
|
|
|
3730f4 |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
3730f4 |
Date: Thu Jan 9 13:34:20 2020 +0100
|
|
|
3730f4 |
|
|
|
3730f4 |
monitor: Do not decompose non-anonymous sets
|
|
|
3730f4 |
|
|
|
3730f4 |
They have been decomposed already, trying to do that again causes a
|
|
|
3730f4 |
segfault. This is a similar fix as in commit 8ecb885589591 ("src:
|
|
|
3730f4 |
restore --echo with anonymous sets").
|
|
|
3730f4 |
|
|
|
3730f4 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
3730f4 |
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
cc550a |
---
|
|
|
cc550a |
src/monitor.c | 2 +-
|
|
|
cc550a |
tests/monitor/testcases/set-interval.t | 20 ++++++++++++++++++++
|
|
|
cc550a |
2 files changed, 21 insertions(+), 1 deletion(-)
|
|
|
cc550a |
create mode 100644 tests/monitor/testcases/set-interval.t
|
|
|
cc550a |
|
|
|
cc550a |
diff --git a/src/monitor.c b/src/monitor.c
|
|
|
3730f4 |
index ea0393c..0da9858 100644
|
|
|
cc550a |
--- a/src/monitor.c
|
|
|
cc550a |
+++ b/src/monitor.c
|
|
|
cc550a |
@@ -500,7 +500,7 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
|
|
|
cc550a |
|
|
|
cc550a |
static void rule_map_decompose_cb(struct set *s, void *data)
|
|
|
cc550a |
{
|
|
|
cc550a |
- if (s->flags & NFT_SET_INTERVAL)
|
|
|
cc550a |
+ if (s->flags & (NFT_SET_INTERVAL & NFT_SET_ANONYMOUS))
|
|
|
cc550a |
interval_map_decompose(s->init);
|
|
|
cc550a |
}
|
|
|
cc550a |
|
|
|
cc550a |
diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
|
|
|
cc550a |
new file mode 100644
|
|
|
3730f4 |
index 0000000..59930c5
|
|
|
cc550a |
--- /dev/null
|
|
|
cc550a |
+++ b/tests/monitor/testcases/set-interval.t
|
|
|
cc550a |
@@ -0,0 +1,20 @@
|
|
|
cc550a |
+# setup first
|
|
|
cc550a |
+I add table ip t
|
|
|
cc550a |
+I add chain ip t c
|
|
|
cc550a |
+O -
|
|
|
cc550a |
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
|
|
|
cc550a |
+J {"add": {"chain": {"family": "ip", "table": "t", "name": "c", "handle": 0}}}
|
|
|
cc550a |
+
|
|
|
cc550a |
+# add set with elements, monitor output expectedly differs
|
|
|
cc550a |
+I add set ip t s { type inet_service; flags interval; elements = { 20, 30-40 }; }
|
|
|
cc550a |
+O add set ip t s { type inet_service; flags interval; }
|
|
|
cc550a |
+O add element ip t s { 20 }
|
|
|
cc550a |
+O add element ip t s { 30-40 }
|
|
|
cc550a |
+J {"add": {"set": {"family": "ip", "name": "s", "table": "t", "type": "inet_service", "handle": 0, "flags": ["interval"]}}}
|
|
|
cc550a |
+J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [20]}}}}
|
|
|
cc550a |
+J {"add": {"element": {"family": "ip", "table": "t", "name": "s", "elem": {"set": [{"range": [30, 40]}]}}}}
|
|
|
cc550a |
+
|
|
|
cc550a |
+# this would crash nft
|
|
|
cc550a |
+I add rule ip t c tcp dport @s
|
|
|
cc550a |
+O -
|
|
|
cc550a |
+J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": "@s"}}]}}}
|
|
|
cc550a |
--
|
|
|
3730f4 |
1.8.3.1
|
|
|
cc550a |
|