From: Pablo Neira Ayuso Date: Fri, 31 Jan 2025 11:54:32 +0000 (+0100) Subject: datatype: clamp boolean value to 0 and 1 X-Git-Tag: v1.1.2~87 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=afb6a8e66a11178cbdbfc152c4aa9dda961b2140;p=thirdparty%2Fnftables.git datatype: clamp boolean value to 0 and 1 If user provides a numeric value larger than 0 or 1, match never happens: # nft --debug=netlink add rule x y tcp option sack-perm 4 ip x y [ exthdr load tcpopt 1b @ 4 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000004 ] After this update: # nft --debug=netlink add rule x y tcp option sack-perm 4 ip x y [ exthdr load tcpopt 1b @ 4 + 0 present => reg 1 ] [ cmp eq reg 1 0x00000001 ] This is to address a rare corner case, in case user specifies the boolean value through the integer base type. Fixes: 9fd9baba43c8 ("Introduce boolean datatype and boolean expression") Signed-off-by: Pablo Neira Ayuso --- diff --git a/src/datatype.c b/src/datatype.c index 0c13bbd4..f347010f 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -1554,11 +1554,35 @@ static const struct symbol_table boolean_tbl = { }, }; +static struct error_record *boolean_type_parse(struct parse_ctx *ctx, + const struct expr *sym, + struct expr **res) +{ + struct error_record *erec; + int num; + + erec = integer_type_parse(ctx, sym, res); + if (erec) + return erec; + + if (mpz_cmp_ui((*res)->value, 0)) + num = 1; + else + num = 0; + + expr_free(*res); + + *res = constant_expr_alloc(&sym->location, &boolean_type, + BYTEORDER_HOST_ENDIAN, 1, &num); + return NULL; +} + const struct datatype boolean_type = { .type = TYPE_BOOLEAN, .name = "boolean", .desc = "boolean type", .size = 1, + .parse = boolean_type_parse, .basetype = &integer_type, .sym_tbl = &boolean_tbl, .json = boolean_type_json,
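Review bot: In boolean_type_parse(), `num` is declared `int` but is passed to constant_expr_alloc() as `&num` with a length of 1, so the declared length is smaller than the object behind the pointer. If constant_expr_alloc() reads only the leading byte of that buffer under BYTEORDER_HOST_ENDIAN, then on a big-endian host the first byte of an int holding 1 is 0x00, and the clamped value would come out as 0 instead of 1. Declaring `uint8_t num;` and assigning `num = !!mpz_cmp_ui((*res)->value, 0);` keeps the stored object and the length in agreement regardless of byte order. A test for the `tcp option sack-perm 4` case from the commit message, expecting `cmp eq reg 1 0x00000001`, would pin the behaviour down.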