ct: add maximum helper length value
authorPatrick McHardy <kaber@trash.net>
Tue, 2 Jun 2015 10:53:10 +0000 (12:53 +0200)
committerPatrick McHardy <kaber@trash.net>
Tue, 2 Jun 2015 10:56:53 +0000 (12:56 +0200)
The current kernel restricts ct helper names to 16 bytes length. Specify
this limit in the ct expression table to catch oversized strings in userspace.
Since older versions of nft didn't support larger values, this does not
negatively affect interaction with old kernel versions.

Signed-off-by: Patrick McHardy <kaber@trash.net>
src/ct.c

index 2eb85eaf323b10a8db75d3d4b7e3e5299182ab74..aa801388b615e242ff8eb4c08cd2e8ab9e3f4bd3 100644 (file)
--- a/src/ct.c
+++ b/src/ct.c
@@ -161,6 +161,10 @@ static void __init ct_label_table_init(void)
        ct_label_tbl = rt_symbol_table_init("/etc/xtables/connlabel.conf");
 }
 
+#ifndef NF_CT_HELPER_NAME_LEN
+#define NF_CT_HELPER_NAME_LEN  16
+#endif
+
 static const struct ct_template ct_templates[] = {
        [NFT_CT_STATE]          = CT_TEMPLATE("state",      &ct_state_type,
                                              BYTEORDER_HOST_ENDIAN,
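Review bot: The fallback `#define NF_CT_HELPER_NAME_LEN 16` on L22-L24 carries no comment saying what it mirrors, so a reader cannot tell whether the `#ifndef` is expected to be taken or whether a kernel header normally supplies the value. If, as I suspect, the kernel's definition lives in a non-uapi header that userspace never includes, the guard is always taken and the value is a hand-maintained ABI constant; either way it deserves a note such as `/* Kernel ABI: ct helper names are limited to NF_CT_HELPER_NAME_LEN (16) bytes; keep in sync with the kernel definition. */`. The macro also sits between ct_label_table_init() and the template table rather than with the file's other definitions near the includes, which makes it easy to miss when the limit changes. The ct_templates[] initializer that follows continues past the end of this hunk.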
@@ -178,7 +182,8 @@ static const struct ct_template ct_templates[] = {
                                              BYTEORDER_HOST_ENDIAN,
                                              4 * BITS_PER_BYTE),
        [NFT_CT_HELPER]         = CT_TEMPLATE("helper",     &string_type,
-                                             BYTEORDER_HOST_ENDIAN, 0),
+                                             BYTEORDER_HOST_ENDIAN,
+                                             NF_CT_HELPER_NAME_LEN * BITS_PER_BYTE),
        [NFT_CT_L3PROTOCOL]     = CT_TEMPLATE("l3proto",    &invalid_type,
                                              BYTEORDER_INVALID,
                                              BITS_PER_BYTE),
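Review bot: The new helper template length on L35 is 16 bytes, but the hunk does not say whether that count includes the NUL terminator of the kernel's name buffer. If the kernel stores names as a NUL-terminated `char name[NF_CT_HELPER_NAME_LEN]`, the longest name that can ever match is 15 characters, and a 16-character constant now passes userspace validation yet can never match a conntrack helper; a short comment on the template entry, e.g. `/* 16-byte kernel buffer; longest matchable name is presumably 15 chars */`, would document that edge. I would also want a parser-level test that `ct helper` with a 17-byte string is rejected with a clear message, since catching oversized strings early is the stated purpose of the change. The ct_templates[] array begins in the previous hunk and continues past the end of this one.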