Abort the program when encountering rules with unsupported matches. While
nft_is_table_compatible() tries to catch this situation, it boils down to
merely accepting or rejecting expressions based on type. Yet these may still
be used in incompatible ways.

Patch 1 fixes for payload matches on ICMP(v6) headers and is almost
independent of the rest. Patch 2 prepares arptables rule parsing for the
error message added by patch 3. Patch 3 makes various situations complain
by emitting error messages. It was compiled after reviewing all callees of
rule_to_cs callback for unhandled unexpected input. Patch 5 then finally
does its thing.

Phil Sutter (4):
  nft: Parse icmp header matches
  arptables: Check the mandatory ar_pln match
  nft: Increase rule parser strictness
  nft: Make rule parsing errors fatal

 iptables/nft-arp.c                         |   9 +-
 iptables/nft-bridge.c                      |   4 +
 iptables/nft-ipv4.c                        |   4 +-
 iptables/nft-ipv6.c                        |   4 +-
 iptables/nft-shared.c                      | 113 ++++++++++++++++--
 .../nft-only/0010-iptables-nft-save.txt    |   6 +-
 6 files changed, 123 insertions(+), 17 deletions(-)

-- 
2.38.0