From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 27 Feb 2025 17:28:41 +0000 (+0900)
Subject: parse-util: extend the maximum length of nftable identifiers
X-Git-Tag: v258-rc1~1228
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78f2c1745403e125ce93740da2fe94335cf14156;p=thirdparty%2Fsystemd.git

parse-util: extend the maximum length of nftable identifiers

Since kernel v4.14, more specifically, after the following four commits,
https://github.com/torvalds/linux/commit/e46abbcc05aa8a16b0e7f5c94e86d11af9aa2770
https://github.com/torvalds/linux/commit/b7263e071aba736cea9e71cdf2e76dfa7aebd039
https://github.com/torvalds/linux/commit/387454901bd62022ac1b04e15bd8d4fcc60bbed4
https://github.com/torvalds/linux/commit/615095752100748e221028fc96163c2b78185ae4
the maximum length of nftable identifiers are extended to 255.

Now, our kernel baseline is 5.4, hence we can freely use the extended
name length.

This also modernizes code a bit, and adds test cases.

Closes #36542.
---

diff --git a/src/basic/parse-util.c b/src/basic/parse-util.c
index faa5344921c..2869a51aaa8 100644
--- a/src/basic/parse-util.c
+++ b/src/basic/parse-util.c
@@ -3,6 +3,7 @@
 #include <errno.h>
 #include <inttypes.h>
 #include <linux/ipv6.h>
+#include <linux/netfilter/nf_tables.h>
 #include <net/if.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -777,18 +778,14 @@ int parse_loadavg_fixed_point(const char *s, loadavg_t *ret) {
 /* Limitations are described in https://www.netfilter.org/projects/nftables/manpage.html and
  * https://bugzilla.netfilter.org/show_bug.cgi?id=1175 */
 bool nft_identifier_valid(const char *id) {
-        if (!id)
+        if (isempty(id))
                 return false;
 
-        size_t len = strlen(id);
-        if (len == 0 || len > 31)
+        if (strlen(id) >= NFT_NAME_MAXLEN)
                 return false;
 
         if (!ascii_isalpha(id[0]))
                 return false;
 
-        for (size_t i = 1; i < len; i++)
-                if (!ascii_isalpha(id[i]) && !ascii_isdigit(id[i]) && !IN_SET(id[i], '/', '\\', '_', '.'))
-                        return false;
-        return true;
+        return in_charset(id + 1, ALPHANUMERICAL "/\\_.");
 }
diff --git a/src/test/test-parse-util.c b/src/test/test-parse-util.c
index 10297ae0535..a2bb8cf3c3c 100644
--- a/src/test/test-parse-util.c
+++ b/src/test/test-parse-util.c
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include <errno.h>
+#include <linux/netfilter/nf_tables.h>
 #include <locale.h>
 #include <math.h>
 #include <sys/socket.h>
@@ -896,4 +897,21 @@ TEST(parse_loadavg_fixed_point) {
         ASSERT_ERROR(parse_loadavg_fixed_point("", &fp), EINVAL);
 }
 
+TEST(nft_identifier_valid) {
+        ASSERT_TRUE(nft_identifier_valid("a"));
+        ASSERT_TRUE(nft_identifier_valid("abc"));
+        ASSERT_TRUE(nft_identifier_valid("abc"));
+        ASSERT_TRUE(nft_identifier_valid("a012/_\\."));
+
+        ASSERT_FALSE(nft_identifier_valid(NULL));
+        ASSERT_FALSE(nft_identifier_valid(""));
+        ASSERT_FALSE(nft_identifier_valid("1234"));
+        ASSERT_FALSE(nft_identifier_valid("1xyz"));
+        ASSERT_FALSE(nft_identifier_valid("abc?&*"));
+
+        char s[NFT_NAME_MAXLEN+1];
+        *(char*) mempset(s, 'a', NFT_NAME_MAXLEN) = '\0';
+        ASSERT_FALSE(nft_identifier_valid(s));
+}
+
 DEFINE_TEST_MAIN(LOG_INFO);