Re: [PATCH nft] src: Don't parse string as verdict in map


On Thu, Aug 18, 2022 at 9:32 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Can you explain what this is fixing?

See this example:
table t {
    map foo {
        type ipv4_addr : verdict
        elements = {
            192.168.0.1 : bar
        }
    }
    chain output {
        type filter hook output priority mangle;
        ip daddr vmap @foo
    }
}

Though "bar" is not a valid verdict (should be "jump bar" or
something), the string is taken as the element value. Then
NFTA_DATA_VALUE is sent to the kernel instead of NFTA_DATA_VERDICT.
Recent kernels check the type and return an error, but older ones (e.g.
v5.4.x) don't, causing a warning when the rule is hit:

[5120263.467627] WARNING: CPU: 12 PID: 303303 at net/netfilter/nf_tables_core.c:229 nft_do_chain+0x394/0x500 [nf_tables]

>
> This reverts the commit that adds support for defines as aliases:
>
> commit c64457cff9673fbb41f613a67e158b4d62235c09
> src: Allow goto and jump to a variable
>

This patch fixes it by parsing chain names as strings rather than
verdicts, i.e. "jump $var" is a verdict while "$var" is a string.
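As an added illustration (not part of this thread or of the nft code base), the following lint walks a ruleset in nft's text syntax and flags elements of a `: verdict` map whose value is a bare string rather than a verdict, i.e. exactly the "bar" or "$var" case that an unpatched nft would silently send as NFTA_DATA_VALUE. The verdict grammar it accepts is a simplified assumption, and the sample ruleset is constructed.

```python
import re

# Simplified verdict grammar (assumption: real nft accepts more forms).
# "jump $var" / "goto $var" count as verdicts; a bare "$var" or "bar" does not.
VERDICT_RE = re.compile(
    r"^(accept|drop|continue|return|queue(\s+num\s+\d+)?"
    r"|(jump|goto)\s+\$?[A-Za-z_][\w.]*)$"
)


def _block(text, start):
    """Return the text between the '{' at text[start] and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in ruleset")


def lint_verdict_maps(ruleset):
    """Return [(map_name, key, value)] for every verdict-map element whose
    value is not a verdict.  Only maps declared 'type ... : verdict' are
    inspected; other maps legitimately hold plain values."""
    findings = []
    for m in re.finditer(r"\bmap\s+(\w+)\s*\{", ruleset):
        name, body = m.group(1), _block(ruleset, m.end() - 1)
        if not re.search(r"\btype\b[^\n]*:\s*verdict\b", body):
            continue
        elems = re.search(r"\belements\s*=\s*\{", body)
        if not elems:
            continue
        for entry in _block(body, elems.end() - 1).split(","):
            entry = entry.strip()
            if not entry:
                continue
            # rsplit: keys may themselves contain ':' (IPv6), verdicts never do
            key, value = (s.strip() for s in entry.rsplit(":", 1))
            if not VERDICT_RE.match(value):
                findings.append((name, key, value))
    return findings


# Constructed sample: 'bar' and '$chain' are strings, not verdicts.
SAMPLE = """table t {
    map foo {
        type ipv4_addr : verdict
        elements = { 192.168.0.1 : bar, 192.168.0.2 : jump bar,
                     192.168.0.3 : $chain, 192.168.0.4 : goto $chain }
    }
    map ports { type inet_service : ipv4_addr
        elements = { 80 : 10.0.0.1 } }
}"""

if __name__ == "__main__":
    for name, key, value in lint_verdict_maps(SAMPLE):
        print(f"map {name}: element {key} has non-verdict value '{value}'")
```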
