From 7fb6387b3c00346a429d291dd057e47c9354e263 Mon Sep 17 00:00:00 2001

From: Timothy Redaelli <tredaelli@redhat.com>

Date: Fri, 24 Feb 2017 11:58:57 +0100

Subject: [PATCH] evaluate: reject: Have a generic fix for missing network

 context

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1360354

Upstream Status: nftables commit 7241af3

commit 7241af302bbe56908fa87b17799048bfe884e35f

Author: Phil Sutter <phil@nwl.cc>

Date:   Tue Aug 30 19:39:51 2016 +0200

    evaluate: reject: Have a generic fix for missing network context

    Commit 17b495957b29e ("evaluate: reject: fix crash if we have transport

    protocol conflict from inet") took care of a crash when using inet or

    bridge families, but since then netdev family has been added which also

    does not implicitly define the network context. Therefore the crash can

    be reproduced again using the following example:

    nft add rule netdev filter e1000-ingress \

                    meta l4proto udp reject with tcp reset

    In order to fix this in a more generic way, have stmt_evaluate_reset()

    fall back to the generic proto_inet_service irrespective of the actual

    proto context.

    Signed-off-by: Phil Sutter <phil@nwl.cc>

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>

---

 src/evaluate.c | 4 +---

 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c

index 5e3c158..1b8d565 100644

--- a/src/evaluate.c

+++ b/src/evaluate.c

@@ -2014,9 +2014,7 @@ static int stmt_evaluate_reset(struct eval_ctx *ctx, struct stmt *stmt)

 		return 0;

 	base = pctx->protocol[PROTO_BASE_NETWORK_HDR].desc;

-	if (base == NULL &&

-	    (ctx->pctx.family == NFPROTO_INET ||

-	     ctx->pctx.family == NFPROTO_BRIDGE))

+	if (base == NULL)

 		base = &proto_inet_service;

 	protonum = proto_find_num(base, desc);

-- 

1.8.3.1