src/ct: provide fixed data lengh sizes for ip/ip6 keys
authorFlorian Westphal <fw@strlen.de>
Fri, 12 Jul 2019 10:29:31 +0000 (12:29 +0200)
committerFlorian Westphal <fw@strlen.de>
Fri, 12 Jul 2019 15:04:31 +0000 (17:04 +0200)
nft can load but not list this:

table inet filter {
 chain input {
  ct original ip daddr {1.2.3.4} accept
 }
}

The problem is that the ct template length is 0, so nft believes the right-hand
side is a concatenation because left->len < set->key->len is true.
nft then calls abort() during concatenation parsing.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1222
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/ct.c
tests/py/inet/ct.t
tests/py/inet/ct.t.payload

index 4f7807deea0f6f90cf205a4e92cba8426700d42d..14cc0e5e8a4e6d821475a009b9ed6a83f50ef750 100644 (file)
--- a/src/ct.c
+++ b/src/ct.c
@@ -292,13 +292,13 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
        [NFT_CT_EVENTMASK]      = CT_TEMPLATE("event", &ct_event_type,
                                              BYTEORDER_HOST_ENDIAN, 32),
        [NFT_CT_SRC_IP]         = CT_TEMPLATE("ip saddr", &ipaddr_type,
-                                             BYTEORDER_BIG_ENDIAN, 0),
+                                             BYTEORDER_BIG_ENDIAN, 32),
        [NFT_CT_DST_IP]         = CT_TEMPLATE("ip daddr", &ipaddr_type,
-                                             BYTEORDER_BIG_ENDIAN, 0),
+                                             BYTEORDER_BIG_ENDIAN, 32),
        [NFT_CT_SRC_IP6]        = CT_TEMPLATE("ip6 saddr", &ip6addr_type,
-                                             BYTEORDER_BIG_ENDIAN, 0),
+                                             BYTEORDER_BIG_ENDIAN, 128),
        [NFT_CT_DST_IP6]        = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
-                                             BYTEORDER_BIG_ENDIAN, 0),
+                                             BYTEORDER_BIG_ENDIAN, 128),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
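Review bot: The new template lengths at the four changed lines are bare numerals, and nothing in ct_templates[] records why ip saddr/daddr now carry 32 and ip6 saddr/daddr 128 where they used to be 0; a reader who later sees another entry with length 0 has no hint that it is the trigger for the abort() this commit fixes. Suggest a comment above the [NFT_CT_SRC_IP] entry, e.g. `/* ip/ip6 keys must carry their real bit length (32/128): a 0-length template makes left->len < set->key->len true and the set key is mis-parsed as a concatenation, ending in abort() */`. The commit message also implies the abort() is reachable for any template whose length is 0 while the set key has a real length, so a defensive check at the comparison site that does not treat a zero-length left operand as a concatenation would guard the remaining entries too; that code is outside this hunk. The ct_templates[] initializer starts before the hunk.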
index 1a656aa4375fb2e95dc0f647dc5331733c881d8b..3d0dffad2819ad96044767c5491aa20720977ae6 100644 (file)
@@ -6,6 +6,8 @@
 meta nfproto ipv4 ct original saddr 1.2.3.4;ok;ct original ip saddr 1.2.3.4
 ct original ip6 saddr ::1;ok
 
+ct original ip daddr {1.2.3.4} accept;ok
+
 # missing protocol context
 ct original saddr ::1;fail
 
index 83146869e56ccb1701357b46bb1b9b37ab094cff..3b274f8c64c4a837200082f1e1e79f1271b0b849 100644 (file)
@@ -10,3 +10,11 @@ inet test-inet input
   [ ct load src_ip6 => reg 1 , dir original ]
   [ cmp eq reg 1 0x00000000 0x00000000 0x00000000 0x01000000 ]
 
+# ct original ip daddr {1.2.3.4} accept
+__set%d test-inet 3 size 1
+__set%d test-inet 0
+       element 04030201  : 0 [end]
+inet test-inet input
+  [ ct load dst_ip => reg 1 , dir original ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 0 accept ]