git.ipfire.org Git - thirdparty/nftables.git/commit
evaluate: do not allow to list/flush anonymous sets via list command
author    Pablo Neira Ayuso <pablo@netfilter.org>
          Tue, 18 Jun 2019 14:19:28 +0000 (16:19 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
          Wed, 19 Jun 2019 17:40:39 +0000 (19:40 +0200)
commit    ca4096bf271999e0ce23d0aed83291c50c789239
tree      2ce380cb2f9e2a1fd35b3799abd94af5beda762b
parent    caf7db2cb8bac4981908c1d1917481f64a1046ff
evaluate: do not allow to list/flush anonymous sets via list command

Don't allow this:

 # nft list set x __set0
 table ip x {
        set __set0 {
                type ipv4_addr
                flags constant
                elements = { 1.1.1.1 }
        }
 }

Constant sets never change and they are attached to a rule (the anonymous
flag is set on); do not list their content through this command. Do not
allow the flush operation either.

After this patch:

 # nft list set x __set0
 Error: No such file or directory
 list set x __set0
            ^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
tests/shell/testcases/listing/0016anonymous_0 [new file with mode: 0755]