git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 29 Aug 2016 11:20:08 +0000 (13:20 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 29 Aug 2016 18:30:29 +0000 (20:30 +0200)
commit	06c8f6fccc689cae71cc84d4d6d27098c9e15089
tree	1a6ac94ee167c56b15522fdfd5dab94a86ba509f	tree
parent	cb7cb885d65ec02aa33872b4bd382ef8a692113a	commit \| diff

evaluate: validate maximum hash and numgen value

We can validate that values don't get over the maximum datatype
length, this is expressed in number of bits, so the maximum value
is always power of 2.

However, since we got the hash and numgen expressions, the user should
not set a value higher that what the specified modulus option, which
may not be power of 2. This patch extends the expression context with
a new optional field to store the maximum value.

After this patch, nft bails out if the user specifies non-sense rules
like those below:

# nft add rule x y jhash ip saddr mod 10 seed 0xa 10
<cmdline>:1:45-46: Error: Value 10 exceeds valid range 0-9
add rule x y jhash ip saddr mod 10 seed 0xa 10
^^

The modulus sets a valid value range of [0, n), so n is out of the valid
value range.

# nft add rule x y numgen inc mod 10 eq 12
<cmdline>:1:35-36: Error: Value 12 exceeds valid range 0-9
add rule x y numgen inc mod 10 eq 12
^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/expression.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history