evaluate: bail out if new flowtable does not specify hook and priority

If user forgets to specify the hook and priority and the flowtable does
not exist, then bail out:

 # cat flowtable-incomplete.nft
 table t {
  flowtable f {
   devices = { lo }
  }
 }
 # nft -f /tmp/k
 flowtable-incomplete.nft:2:12-12: Error: missing hook and priority in flowtable declaration
 flowtable f {
           ^

Update one existing tests/shell to specify a hook and priority.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 35910b03ba7c3d8f20f5294154ccedd1230647a0..a1c3895cfb02896ab8b4f00704d7b99cd65cf356 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4732,8 +4732,12 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
        if (table == NULL)
                return table_not_found(ctx);
 
-       if (!ft_cache_find(table, ft->handle.flowtable.name))
+       if (!ft_cache_find(table, ft->handle.flowtable.name)) {
+               if (!ft->hook.name)
+                       return chain_error(ctx, ft, "missing hook and priority in flowtable declaration");
+
                ft_cache_add(flowtable_get(ft), table);
+       }
 
        if (ft->hook.name) {
                ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);

diff --git a/tests/shell/testcases/owner/0001-flowtable-uaf b/tests/shell/testcases/owner/0001-flowtable-uaf
index 4efbe75c390ff70fcaaeb08bf13f854d71d7ccad..8b7a551cc69e9af005a0a3a11b12a53114aa4760 100755 (executable)
--- a/tests/shell/testcases/owner/0001-flowtable-uaf
+++ b/tests/shell/testcases/owner/0001-flowtable-uaf
@@ -6,6 +6,7 @@ $NFT -f - <<EOF
 table t {
  flags owner
  flowtable f {
+  hook ingress priority 0
   devices = { lo }
  }
 }
@@ -16,6 +17,7 @@ $NFT -f - <<EOF
 table t {
  flags owner
  flowtable f {
+  hook ingress priority 0
   devices = { lo }
  }
 }