At present, nft accepts out of range port values such as in this example:

    nft add rule ip filter input tcp dport 123456 accept

Attached patch adds checks for both integer overflow and 16 bit overflow, and avoids getaddrinfo call in the (common) case of digit input.

Example above now produces this output:

    :1:36-41: Error: Service out of range
    add rule ip filter input tcp dport 123456 accept
                                       ^^^^^^

Phil

Signed-off-by: Phil Oester