If user forgets to specify the hook and priority and the flowtable does not exist, then bail out: # cat flowtable-incomplete.nft table t { flowtable f { devices = { lo } } } # nft -f /tmp/k flowtable-incomplete.nft:2:12-12: Error: missing hook and priority in flowtable declaration flowtable f { ^ Update one existing tests/shell to specify a hook and priority.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
src/evaluate.c | 6 +++++-
tests/shell/testcases/owner/0001-flowtable-uaf | 2 ++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 35910b03ba7c..a1c3895cfb02 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4732,8 +4732,12 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft) if (table == NULL) return table_not_found(ctx); - if (!ft_cache_find(table, ft->handle.flowtable.name)) + if (!ft_cache_find(table, ft->handle.flowtable.name)) { + if (!ft->hook.name) + return chain_error(ctx, ft, "missing hook and priority in flowtable declaration"); + ft_cache_add(flowtable_get(ft), table); + } if (ft->hook.name) { ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);
diff --git a/tests/shell/testcases/owner/0001-flowtable-uaf b/tests/shell/testcases/owner/0001-flowtable-uaf
index 4efbe75c390f..8b7a551cc69e 100755
--- a/tests/shell/testcases/owner/0001-flowtable-uaf
+++ b/tests/shell/testcases/owner/0001-flowtable-uaf
@@ -6,6 +6,7 @@ $NFT -f - <<EOF table t { flags owner flowtable f { + hook ingress priority 0 devices = { lo } } }
@@ -16,6 +17,7 @@ $NFT -f - <<EOF table t { flags owner flowtable f { + hook ingress priority 0 devices = { lo } } }
--
2.30.2
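Review bot: The new `if (!ft->hook.name)` error in flowtable_evaluate() (src/evaluate.c) is reached whenever `ft_cache_find()` misses, so it treats "not in the local cache" as "does not exist". If the flowtable cache is not populated at this point (not visible in the hunk), an update that only lists devices for an existing flowtable would presumably be rejected as well. A short comment above the check would record the intent, for example `/* not in cache: new flowtable, hook and priority are mandatory */`. The check looks only at `hook.name` while the message also names the priority, which is fine only if the parser always sets both together; worth confirming. The function body starts and ends outside the hunk.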
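Review bot: Nothing in tests/shell exercises the new error path: both hunks in tests/shell/testcases/owner/0001-flowtable-uaf only add `hook ingress priority 0` so the existing script keeps loading. A small negative test that feeds the incomplete declaration from the commit message and expects `nft -f` to fail would keep the check from regressing. Since the file name suggests a use-after-free regression test, it is also worth confirming that the reproducer still reaches the original code path now that a hook and priority are present. The rest of the script is outside the hunks.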