[PATCH nft] datatype: do not assert when value exceeds 255


Before:
nft list ruleset
chain c {
   ip protocol & nft: src/gmputil.c:77: mpz_get_uint8: Assertion `cnt <= 1' failed.
Aborted (core dumped)

After:
table ip t {
        chain c {
                ip protocol & 18446739675663040512 . th dport 0 . 0
	}
}

Note that nft should not have allowed adding such a rule in the first
place; the input is:

ip protocol . th dport { tcp / 22,  }'

... which should be rejected, but is currently allowed.
The decoding is incorrect too (as seen by 0 . 0).

But technically a 'direct nfnetlink user' could create this too
and decoding should work in all cases.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/datatype.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/datatype.c b/src/datatype.c
index 86d55a524269..5abfd978a39b 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -715,7 +715,8 @@ const struct datatype ip6addr_type = {
 static void inet_protocol_type_print(const struct expr *expr,
 				      struct output_ctx *octx)
 {
-	if (!nft_output_numeric_proto(octx)) {
+	if (!nft_output_numeric_proto(octx) &&
+	    mpz_cmp_ui(expr->value, UINT_MAX) <= 0) {
 		char name[NFT_PROTONAME_MAXSIZE];
 
 		if (nft_getprotobynumber(mpz_get_uint8(expr->value), name, sizeof(name))) {
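Review bot: the new guard compares expr->value against UINT_MAX, but the call it protects, mpz_get_uint8(expr->value), is the one that asserts (cnt <= 1 in src/gmputil.c:77, per the trace in the commit message) for any value above 255, so values from 256 up to UINT_MAX still reach the assertion and the fix does not cover what the subject line promises ("do not assert when value exceeds 255"). Suggest bounding on the type the lookup actually takes, i.e. mpz_cmp_ui(expr->value, UINT8_MAX) <= 0, so that anything wider falls through to the numeric output path shown in the "After" listing; also worth confirming that the header providing the chosen macro is already included in src/datatype.c.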
-- 
2.41.0
