evaluate: bail out if new flowtable does not specify hook and priority
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 20 Apr 2023 22:37:07 +0000 (00:37 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 22 Jan 2025 23:05:41 +0000 (00:05 +0100)
commit 5ad475fce5a138d3a8b58bde4a41b0537d15b952 upstream.

If the user forgets to specify the hook and priority and the flowtable does
not exist, then bail out:

 # cat flowtable-incomplete.nft
 table t {
  flowtable f {
   devices = { lo }
  }
 }
 # nft -f /tmp/k
 flowtable-incomplete.nft:2:12-12: Error: missing hook and priority in flowtable declaration
 flowtable f {
           ^

Update one existing tests/shell to specify a hook and priority.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
tests/shell/testcases/owner/0001-flowtable-uaf

index 54b69a871ae4dbfb4965d8665d7185e4d5ede53d..3724509ee9bd13e7cdd47392239d7dca34beb919 100644 (file)
@@ -4718,8 +4718,12 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
        if (table == NULL)
                return table_not_found(ctx);
 
-       if (!ft_cache_find(table, ft->handle.flowtable.name))
+       if (!ft_cache_find(table, ft->handle.flowtable.name)) {
+               if (!ft->hook.name)
+                       return chain_error(ctx, ft, "missing hook and priority in flowtable declaration");
+
                ft_cache_add(flowtable_get(ft), table);
+       }
 
        if (ft->hook.name) {
                ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);
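Review bot: The new guard tests only `ft->hook.name`, yet the error it returns speaks of a missing hook *and* priority; a short comment should state why the hook name alone is a sufficient witness, e.g. `/* hook and priority are parsed together, so a NULL hook name means the whole hook spec is absent */`, with that premise confirmed against the grammar since it is not visible here. Returning before `ft_cache_add()` is the right order, because an incomplete flowtable never enters the cache and cannot be consulted by later evaluation of the same batch, which is worth noting in the same comment. The `chain_error()` helper is reused for a flowtable object here; if it is a location-only macro that is fine, but it would be clearer to name the shared helper it expands to, or to mention in the comment that only `ft->location` is used. `flowtable_evaluate` starts and ends outside the hunk.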
index 4efbe75c390ff70fcaaeb08bf13f854d71d7ccad..8b7a551cc69e9af005a0a3a11b12a53114aa4760 100755 (executable)
@@ -6,6 +6,7 @@ $NFT -f - <<EOF
 table t {
  flags owner
  flowtable f {
+  hook ingress priority 0
   devices = { lo }
  }
 }
@@ -16,6 +17,7 @@ $NFT -f - <<EOF
 table t {
  flags owner
  flowtable f {
+  hook ingress priority 0
   devices = { lo }
  }
 }