Hi!

There's a typo in subject: s/disscect/dissect/

Other than that:

On Fri, Oct 21, 2022 at 12:02:08PM +0200, Florian Westphal wrote:
[...]
> +static void nft_parse_icmp(struct nft_xt_ctx *ctx, > + struct nft_xt_ctx_reg *sreg, > + struct nftnl_expr *e, > + struct iptables_command_state *cs, > + const char *name) > +{ > + struct xtables_rule_match *m; > + struct xtables_match *match; > + struct ipt_icmp *icmp; > + const uint8_t *v; > + unsigned int len; > + int op; > + > + v = nftnl_expr_get(e, NFTNL_EXPR_CMP_DATA, &len); > + switch (sreg->payload.offset) { > + case 0: > + if (len == 1 || len == 2) > + break; > + return;

At this point the match is ignored and the rule "loaded" without it. Not
that we don't lack error handling in other spots, so this is fine for
now. We should really fix it, though, and mark the whole rule as
incompatible. Maybe even a replacement for the overly simple
nft_is_expr_compatible() (and callers)?

Cheers, Phil
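
Review bot: the bare `return;` under `case 0:` in nft_parse_icmp() drops the match without telling the caller, since the function is declared `static void`: when len is neither 1 nor 2 the comparison is skipped and nothing records that the rule was only partially parsed. Consider returning an int, or recording the failure through the ctx argument, so the caller can mark the rule as incompatible instead of presenting it without the ICMP match; a listing that silently omits a match shows a rule that looks broader than the one actually installed. A short comment on the `case 0:` branch stating why only lengths 1 and 2 are accepted would also help the next reader.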