Re: [PATCH nft] evaluate: disable ct set with ranges

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Hi Florian,

On Thu, Jan 11, 2024 at 02:16:51PM +0100, Florian Westphal wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > ... this will cause an assertion in netlink linearization, catch this
> > at eval stage instead.
> > 
> > before:
> > BUG: unknown expression type range
> > nft: netlink_linearize.c:908: netlink_gen_expr: Assertion `0' failed.
> > 
> > after:
> > /unknown_expr_type_range_assert:3:31-40: Error: ct expression cannot be a range
> > ct mark set 0x001-3434
> >             ^^^^^^^^^^
> This isn't enough, we have a truckload of bugs like this.
> e.g. 'tproxy to'.  This passes EXPR_RANGE check,
> but we still hit the assertion because prefix is translated to a range
> later on.

I am going to take a look at this one.

> dup and fwd also have this issue, probably a lot more.

I believe we have to go the extra mile and sanitize this, to avoid
non-sensical transformations which leads to hit BUG.

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux