|
 |
acfc56 |
From 5566405cc171c8fa84e0a13ea96b89245a3fb512 Mon Sep 17 00:00:00 2001
|
|
|
acfc56 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
acfc56 |
Date: Sat, 8 Aug 2020 00:05:48 +0200
|
|
|
acfc56 |
Subject: [PATCH] src: Set NFT_SET_CONCAT flag for sets with concatenated
|
|
|
acfc56 |
ranges
|
|
|
acfc56 |
|
|
|
acfc56 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1820684
|
|
|
acfc56 |
Upstream Status: nftables commit 09441b5e92cee
|
|
|
acfc56 |
|
|
|
acfc56 |
commit 09441b5e92ceea60198a35cd657904fa7a10ee54
|
|
|
acfc56 |
Author: Stefano Brivio <sbrivio@redhat.com>
|
|
|
acfc56 |
Date: Mon Apr 13 21:48:03 2020 +0200
|
|
|
acfc56 |
|
|
|
acfc56 |
src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
|
|
|
acfc56 |
|
|
|
acfc56 |
Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support
|
|
|
acfc56 |
for concatenated set ranges"), crashes with older kernels (< 5.6)
|
|
|
acfc56 |
without support for concatenated set ranges: those sets will be sent
|
|
|
acfc56 |
to the kernel, which adds them without notion of the fact that
|
|
|
acfc56 |
different concatenated fields are actually included, and nft crashes
|
|
|
acfc56 |
while trying to list this kind of malformed concatenation.
|
|
|
acfc56 |
|
|
|
acfc56 |
Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd
|
|
|
acfc56 |
("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when
|
|
|
acfc56 |
sets including concatenated ranges are sent to the kernel, so that
|
|
|
acfc56 |
older kernels (with no knowledge of this flag itself) will refuse set
|
|
|
acfc56 |
creation.
|
|
|
acfc56 |
|
|
|
acfc56 |
Note that, in expr_evaluate_set(), we have to check for the presence
|
|
|
acfc56 |
of the flag, also on empty sets that might carry it in context data,
|
|
|
acfc56 |
and actually set it in the actual set flags.
|
|
|
acfc56 |
|
|
|
acfc56 |
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
acfc56 |
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
|
|
|
acfc56 |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
acfc56 |
---
|
|
|
acfc56 |
src/evaluate.c | 9 ++++++++-
|
|
|
acfc56 |
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
|
acfc56 |
|
|
|
acfc56 |
diff --git a/src/evaluate.c b/src/evaluate.c
|
|
|
acfc56 |
index 0c84816..f66251b 100644
|
|
|
acfc56 |
--- a/src/evaluate.c
|
|
|
acfc56 |
+++ b/src/evaluate.c
|
|
|
acfc56 |
@@ -1360,10 +1360,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
|
|
|
acfc56 |
set->size += i->size - 1;
|
|
|
acfc56 |
set->set_flags |= i->set_flags;
|
|
|
acfc56 |
expr_free(i);
|
|
|
acfc56 |
- } else if (!expr_is_singleton(i))
|
|
|
acfc56 |
+ } else if (!expr_is_singleton(i)) {
|
|
|
acfc56 |
set->set_flags |= NFT_SET_INTERVAL;
|
|
|
acfc56 |
+ if (i->key->etype == EXPR_CONCAT)
|
|
|
acfc56 |
+ set->set_flags |= NFT_SET_CONCAT;
|
|
|
acfc56 |
+ }
|
|
|
acfc56 |
}
|
|
|
acfc56 |
|
|
|
acfc56 |
+ if (ctx->set && (ctx->set->flags & NFT_SET_CONCAT))
|
|
|
acfc56 |
+ set->set_flags |= NFT_SET_CONCAT;
|
|
|
acfc56 |
+
|
|
|
acfc56 |
set->set_flags |= NFT_SET_CONSTANT;
|
|
|
acfc56 |
|
|
|
acfc56 |
datatype_set(set, ctx->ectx.dtype);
|
|
|
acfc56 |
@@ -3336,6 +3342,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
|
|
|
acfc56 |
memcpy(&set->desc.field_len, &set->key->field_len,
|
|
|
acfc56 |
sizeof(set->desc.field_len));
|
|
|
acfc56 |
set->desc.field_count = set->key->field_count;
|
|
|
acfc56 |
+ set->flags |= NFT_SET_CONCAT;
|
|
|
acfc56 |
}
|
|
|
acfc56 |
|
|
|
acfc56 |
if (set_is_datamap(set->flags)) {
|
|
|
acfc56 |
--
|
|
|
8ff5ad |
2.31.1
|
|
|
acfc56 |
|