[PATCH nft] src/ct: provide fixed data length sizes for ip/ip6 keys

nft can load but not list this:

table inet filter {
 chain input {
  ct original ip daddr {1.2.3.4} accept
 }
}

Problem is that the ct template length is 0, so we believe the right hand
side is a concatenation because left->len < set->key->len is true.
nft then calls abort() during concatenation parsing.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/ct.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/ct.c b/src/ct.c
index 4f7807deea0f..14cc0e5e8a4e 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -292,13 +292,13 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 	[NFT_CT_EVENTMASK]	= CT_TEMPLATE("event", &ct_event_type,
 					      BYTEORDER_HOST_ENDIAN, 32),
 	[NFT_CT_SRC_IP]		= CT_TEMPLATE("ip saddr", &ipaddr_type,
-					      BYTEORDER_BIG_ENDIAN, 0),
+					      BYTEORDER_BIG_ENDIAN, 32),
 	[NFT_CT_DST_IP]		= CT_TEMPLATE("ip daddr", &ipaddr_type,
-					      BYTEORDER_BIG_ENDIAN, 0),
+					      BYTEORDER_BIG_ENDIAN, 32),
 	[NFT_CT_SRC_IP6]	= CT_TEMPLATE("ip6 saddr", &ip6addr_type,
-					      BYTEORDER_BIG_ENDIAN, 0),
+					      BYTEORDER_BIG_ENDIAN, 128),
 	[NFT_CT_DST_IP6]	= CT_TEMPLATE("ip6 daddr", &ip6addr_type,
-					      BYTEORDER_BIG_ENDIAN, 0),
+					      BYTEORDER_BIG_ENDIAN, 128),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
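Review bot: the four widths in this hunk (32 bits for ip saddr/daddr, 128 for ip6 saddr/daddr) match the address sizes of ipaddr_type and ip6addr_type, so the left->len < set->key->len comparison described in the commit message no longer misfires, but the change ships without a regression test for the "load succeeds, list aborts" case that motivated it; a tests/shell case that loads the ruleset from the commit message and then runs `nft list ruleset` would lock this in. It is also worth checking, since only these four entries are visible here, whether any other CT_TEMPLATE entry in ct_templates still carries a 0 length and would hit the same abort() path when used as a set key.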
-- 
2.21.0



