nft can load but not list this:
table inet filter {
chain input {
ct original ip daddr {1.2.3.4} accept
}
}
Problem is that the ct template length is 0, so we believe the right hand
side is a concatenation because left->len < set->key->len is true.
nft then calls abort() during concatenation parsing.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
src/ct.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/ct.c b/src/ct.c
index 4f7807deea0f..14cc0e5e8a4e 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -292,13 +292,13 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
[NFT_CT_EVENTMASK] = CT_TEMPLATE("event", &ct_event_type,
BYTEORDER_HOST_ENDIAN, 32),
[NFT_CT_SRC_IP] = CT_TEMPLATE("ip saddr", &ipaddr_type,
- BYTEORDER_BIG_ENDIAN, 0),
+ BYTEORDER_BIG_ENDIAN, 32),
[NFT_CT_DST_IP] = CT_TEMPLATE("ip daddr", &ipaddr_type,
- BYTEORDER_BIG_ENDIAN, 0),
+ BYTEORDER_BIG_ENDIAN, 32),
[NFT_CT_SRC_IP6] = CT_TEMPLATE("ip6 saddr", &ip6addr_type,
- BYTEORDER_BIG_ENDIAN, 0),
+ BYTEORDER_BIG_ENDIAN, 128),
[NFT_CT_DST_IP6] = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
- BYTEORDER_BIG_ENDIAN, 0),
+ BYTEORDER_BIG_ENDIAN, 128),
};
static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
--
2.21.0
