Re: [PATCH nft] monitor: do not call interval_map_decompose() for concat intervals

On Wed, Nov 17, 2021 at 03:25:31PM +0100, Florian Westphal wrote:
> Without this, nft monitor will either print garbage or even segfault
> when encountering a concat set because we pass expr->value to libgmp
> helpers for concat (non-value) expressions.
> 
> Also, for concat case, we need to call concat_range_aggregate() helper.
> Add a test case for this.  Without this patch, it gives:
> 
> tests/monitor/run-tests.sh: line 98: 1163 Segmentation fault
> (core dumped) $nft -nn -e -f $command_file > $echo_output

LGTM.

> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  src/monitor.c                          | 7 ++++++-
>  tests/monitor/testcases/set-interval.t | 5 +++++
>  2 files changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/src/monitor.c b/src/monitor.c
> index 8ecb7d199505..7fa92ebfb0f3 100644
> --- a/src/monitor.c
> +++ b/src/monitor.c
> @@ -533,8 +533,13 @@ static int netlink_events_obj_cb(const struct nlmsghdr *nlh, int type,
>  
>  static void rule_map_decompose_cb(struct set *s, void *data)
>  {
> -	if (set_is_interval(s->flags) && set_is_anonymous(s->flags))
> +	if (!set_is_anonymous(s->flags))
> +		return;
> +
> +	if (set_is_non_concat_range(s))
>  		interval_map_decompose(s->init);
> +	else if (set_is_interval(s->flags))
> +		concat_range_aggregate(s->init);
>  }
>  
>  static int netlink_events_rule_cb(const struct nlmsghdr *nlh, int type,
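
Review bot: In rule_map_decompose_cb(), the new `else if (set_is_interval(s->flags))` branch sends every anonymous interval set that fails set_is_non_concat_range() to concat_range_aggregate(), which is only correct if that helper returns false for an interval set solely when the set is a concatenation. The helper's definition is not part of this hunk, so a short comment above the else branch stating that invariant, and that interval_map_decompose() must never see concat elements (the crash described in the commit message), would help keep a later change to either helper from reintroducing the problem.
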
> diff --git a/tests/monitor/testcases/set-interval.t b/tests/monitor/testcases/set-interval.t
> index 1fbcfe222a2b..b0649cdfe01e 100644
> --- a/tests/monitor/testcases/set-interval.t
> +++ b/tests/monitor/testcases/set-interval.t
> @@ -23,3 +23,8 @@ J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "ex
>  I add rule ip t c tcp dport { 20, 30-40 }
>  O -
>  J {"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [20, {"range": [30, 40]}]}}}]}}}
> +
> +# ... and anon concat range
> +I add rule ip t c ether saddr . ip saddr { 08:00:27:40:f7:09 . 192.168.56.10-192.168.56.12 }
> +O -
> +{"add": {"rule": {"family": "ip", "table": "t", "chain": "c", "handle": 0, "expr": [{"match": {"op": "==", "left": {"concat": [{"payload": {"protocol": "ether", "field": "saddr"}}, {"payload": {"protocol": "ip", "field": "saddr"}}]}, "right": {"set": [{"concat": ["08:00:27:40:f7:09", {"range": ["192.168.56.10", "192.168.56.12"]}]}]}}}]}}}
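
Review bot: The added JSON expectation for the anon concat range case starts directly with `{"add": ...`, while the existing JSON lines visible in the context of this hunk start with `J `. If the test runner keys on that prefix, the new line will not be compared as JSON output for this case; suggest prefixing it with `J ` to match the other entries.
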
> -- 
> 2.32.0
> 


