packages/nftables
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nftables/backport-netlink-reset-temporary-set-element-stmt-list-after-list-splice.patch
eaglegai a750fa148f backport upstream patches
2024-09-25 06:40:55 +00:00

78 lines
2.7 KiB
Diff
Raw Permalink Blame History

From 0693edb9eb01fa5a479dcca7d30b06f52806d22a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 16 Sep 2021 13:51:23 +0200
Subject: [PATCH] netlink: reset temporary set element stmt list after list
splice
Reset temporary stmt list to deal with the key_end case which might
result in a jump backward to handle the rhs of the interval.
Reported-by: Martin Zatloukal <slezi2@pvfree.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflict: NA
Reference:https://git.netfilter.org/nftables/commit/?id=0693edb9eb01fa5a479dcca7d30b06f52806d22a
---
src/netlink.c | 2 +-
tests/shell/testcases/maps/0013map_0 | 14 ++++++++++++++
tests/shell/testcases/maps/dumps/0013map_0.nft | 13 +++++++++++++
3 files changed, 28 insertions(+), 1 deletion(-)
create mode 100755 tests/shell/testcases/maps/0013map_0
create mode 100644 tests/shell/testcases/maps/dumps/0013map_0.nft
diff --git a/src/netlink.c b/src/netlink.c
index 9a0d96f0..28a5514a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1324,7 +1324,7 @@ key_end:
nftnl_set_elem_expr_foreach(nlse, set_elem_parse_expressions,
&setelem_parse_ctx);
}
- list_splice_tail(&setelem_parse_ctx.stmt_list, &expr->stmt_list);
+ list_splice_tail_init(&setelem_parse_ctx.stmt_list, &expr->stmt_list);
if (flags & NFT_SET_ELEM_INTERVAL_END) {
expr->flags |= EXPR_F_INTERVAL_END;
diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0
new file mode 100755
index 00000000..70d7fd3b
--- /dev/null
+++ b/tests/shell/testcases/maps/0013map_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="
+flush ruleset
+
+add table ip filter
+add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
+add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; }
+add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol . th dport vmap @forwport counter
+add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }"
+
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft
new file mode 100644
index 00000000..1455877d
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/0013map_0.nft
@@ -0,0 +1,13 @@
+table ip filter {
+ map forwport {
+ type ipv4_addr . inet_proto . inet_service : verdict
+ flags interval
+ counter
+ elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept }
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy drop;
+ iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0
+ }
+}
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink