rule: do not crash if to-be-printed flowtable lacks priority

Print an empty flowtable rather than crashing when dereferencing
flowtable->priority.expr (its NULL).

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/rule.c b/src/rule.c
index 65ff0fbbe21f1fc49149686eb85bdaee1f373d47..545f9b2b54631120213159a3b1f2cb932c1adf21 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -2107,12 +2107,15 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
        if (nft_output_handle(octx))
                nft_print(octx, " # handle %" PRIu64, flowtable->handle.handle.id);
        nft_print(octx, "%s", opts->nl);
-       nft_print(octx, "%s%shook %s priority %s%s",
-                 opts->tab, opts->tab,
-                 hooknum2str(NFPROTO_NETDEV, flowtable->hook.num),
-                 prio2str(octx, priobuf, sizeof(priobuf), NFPROTO_NETDEV,
-                          flowtable->hook.num, flowtable->priority.expr),
-                 opts->stmt_separator);
+
+       if (flowtable->priority.expr) {
+               nft_print(octx, "%s%shook %s priority %s%s",
+                         opts->tab, opts->tab,
+                         hooknum2str(NFPROTO_NETDEV, flowtable->hook.num),
+                         prio2str(octx, priobuf, sizeof(priobuf), NFPROTO_NETDEV,
+                                  flowtable->hook.num, flowtable->priority.expr),
+                         opts->stmt_separator);
+       }
 
        if (flowtable->dev_array_len > 0) {
                nft_print(octx, "%s%sdevices = { ", opts->tab, opts->tab);

diff --git a/tests/shell/testcases/bogons/flowtable-no-priority-crash b/tests/shell/testcases/bogons/flowtable-no-priority-crash
new file mode 100644 (file)
index 0000000..b327a2b
--- /dev/null
+++ b/tests/shell/testcases/bogons/flowtable-no-priority-crash
@@ -0,0 +1,6 @@
+reset rules
+table inet filter {
+       flowtable f {
+               devices = { lo }
+       }
+}