* [PATCH nft] evaluate: bail out if ct saddr/daddr dependency cannot be inserted
@ 2025-04-02 23:09 Florian Westphal
  2025-04-07 13:52 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2025-04-02 23:09 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

If we have an incomplete rule like "ct original saddr" in inet
family, this function generates an error because it can't determine the required protocol
dependency, hinting at missing ip/ip6 keyword.

We should not go on in this case to avoid a redundant follow-up error:

nft add rule inet f c ct original saddr 1.2.3.4
Error: cannot determine ip protocol version, use "ip saddr" or "ip6 saddr" instead
add rule inet f c ct original saddr 1.2.3.4
                  ^^^^^^^^^^^^^^^^^
Error: Could not parse symbolic invalid expression
add rule inet f c ct original saddr 1.2.3.4

After this change only the first error is shown.

Fixes: 2b29ea5f3c3e ("src: ct: add eval part to inject dependencies for ct saddr/daddr")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/evaluate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 0c8af09492d1..d6bb18ba2aa0 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1190,7 +1190,8 @@ static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr)
 	switch (ct->ct.key) {
 	case NFT_CT_SRC:
 	case NFT_CT_DST:
-		ct_gen_nh_dependency(ctx, ct);
+		if (ct_gen_nh_dependency(ctx, ct) < 0)
+			return -1;
 		break;
 	case NFT_CT_SRC_IP:
 	case NFT_CT_DST_IP:
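Review bot: the new `if (ct_gen_nh_dependency(ctx, ct) < 0) return -1;` in the NFT_CT_SRC/NFT_CT_DST cases flattens whatever negative value the callee returns into a plain -1, so if ct_gen_nh_dependency ever returns a more specific negative code it is lost at this call site; if callers of expr_evaluate_ct only test for < 0 this is fine and matches the stated intent (stop after the first error), otherwise `return` of the callee's value would preserve it. A smaller point on the description: the first paragraph says "this function generates an error" without naming it, and the hunk implies it means ct_gen_nh_dependency, so spelling that out in the commit message would make the log entry self-contained.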
-- 
2.49.0



* Re: [PATCH nft] evaluate: bail out if ct saddr/daddr dependency cannot be inserted
  2025-04-02 23:09 [PATCH nft] evaluate: bail out if ct saddr/daddr dependency cannot be inserted Florian Westphal
@ 2025-04-07 13:52 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2025-04-07 13:52 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Thu, Apr 03, 2025 at 01:09:22AM +0200, Florian Westphal wrote:
> If we have an incomplete rule like "ct original saddr" in inet
> family, this function generates an error because it can't determine the required protocol
> dependency, hinting at missing ip/ip6 keyword.
> 
> We should not go on in this case to avoid a redundant follow-up error:
> 
> nft add rule inet f c ct original saddr 1.2.3.4
> Error: cannot determine ip protocol version, use "ip saddr" or "ip6 saddr" instead
> add rule inet f c ct original saddr 1.2.3.4
>                   ^^^^^^^^^^^^^^^^^
> Error: Could not parse symbolic invalid expression
> add rule inet f c ct original saddr 1.2.3.4
> 
> After this change only the first error is shown.
> 
> Fixes: 2b29ea5f3c3e ("src: ct: add eval part to inject dependencies for ct saddr/daddr")
> Signed-off-by: Florian Westphal <fw@strlen.de>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

Thanks Florian

> ---
>  src/evaluate.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 0c8af09492d1..d6bb18ba2aa0 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1190,7 +1190,8 @@ static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr)
>  	switch (ct->ct.key) {
>  	case NFT_CT_SRC:
>  	case NFT_CT_DST:
> -		ct_gen_nh_dependency(ctx, ct);
> +		if (ct_gen_nh_dependency(ctx, ct) < 0)
> +			return -1;
>  		break;
>  	case NFT_CT_SRC_IP:
>  	case NFT_CT_DST_IP:
> -- 
> 2.49.0
> 
> 

