Re: [PATCH nft] src: Don't parse string as verdict in map

Xiao Liang <shaw.leon@xxxxxxxxx> wrote:
> On Thu, Aug 18, 2022 at 9:32 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > Can you explain what this is fixing?
> 
> See this example:
> table t {
>     map foo {
>         type ipv4_addr : verdict
>         elements = {
>             192.168.0.1 : bar
>         }
>     }
>     chain output {
>         type filter hook output priority mangle;
>         ip daddr vmap @foo
>     }
> }
> 
> Though "bar" is not a valid verdict (should be "jump bar" or
> something), the string is taken as the element value. Then
> NFTA_DATA_VALUE is sent to the kernel instead of NFTA_DATA_VERDICT.
> Recent kernels check the type and return an error, but older ones (e.g.
> v5.4.x) don't, causing a warning when the rule is hit:
> 
> [5120263.467627] WARNING: CPU: 12 PID: 303303 at
> net/netfilter/nf_tables_core.c:229 nft_do_chain+0x394/0x500
> [nf_tables]

Thanks.  All of this info should be included in the commit message.

Perhaps adding a test case is warranted as well.
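A lint for the situation described in the quoted report, added here as an illustration and not part of this thread or of nftables' own parser: it walks a ruleset in the layout shown above, finds maps declared with a `: verdict` data type, and reports element values that are not verdict expressions, so a bare string like `bar` is caught before the ruleset reaches a kernel that does not check the data type. The verdict grammar subset and the one-element-per-line parse are assumptions.

```python
import re
# Assumed subset of the nft verdict grammar: bare keywords, or jump/goto <chain>.
BARE_VERDICTS = {"accept", "drop", "continue", "return"}
CHAIN_VERDICTS = {"jump", "goto"}
CHAIN_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")

def is_verdict(value: str) -> bool:
    """True if value is a verdict expression; a bare name like 'bar' is not."""
    parts = value.split()
    if len(parts) == 1:
        return parts[0] in BARE_VERDICTS
    if len(parts) == 2:
        return parts[0] in CHAIN_VERDICTS and bool(CHAIN_NAME.match(parts[1]))
    return False

def find_bad_verdict_elements(ruleset: str) -> list:
    """Return (map, key, value) for each element of a '<type> : verdict' map
    whose value is not a verdict.  Line-oriented parse (assumption): one
    element per line, as in the listing quoted in the thread."""
    bad, current_map, verdict_map, in_elements = [], None, False, False
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"^map\s+(\S+)\s*\{", line)
        if m:  # entering a map block
            current_map, verdict_map, in_elements = m.group(1), False, False
        elif line.startswith("}"):  # leaving the elements block or the map
            if in_elements:
                in_elements = False
            else:
                current_map, verdict_map = None, False
        elif current_map and re.match(r"^type\s+\S+\s*:\s*verdict\b", line):
            verdict_map = True
        elif current_map and line.startswith("elements"):
            in_elements = True
        elif verdict_map and in_elements and ":" in line:
            key, _, value = line.rstrip(",").rpartition(":")
            if not is_verdict(value.strip()):
                bad.append((current_map, key.strip(), value.strip()))
    return bad

# Constructed sample: the map from the thread; "bar" is a bare string,
# not the verdict "jump bar", so it must be reported.
SAMPLE = """table t {
    map foo {
        type ipv4_addr : verdict
        elements = {
            192.168.0.1 : bar
        }
    }
}"""
```

Running `find_bad_verdict_elements(SAMPLE)` yields `[("foo", "192.168.0.1", "bar")]`, and the same ruleset with `jump bar` as the value yields an empty list.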
