git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 22 Dec 2023 14:30:09 +0000 (15:30 +0100)
committer	Florian Westphal <fw@strlen.de>
	Mon, 8 Jan 2024 12:23:41 +0000 (13:23 +0100)
commit	a852022d719e5a414df41a10c331f4492e9d3073
tree	b093acfb7d9449d7357661a683a2cc00aecb3b96	tree
parent	8440983b7671feb3bb86c4c148af743addf3e00b	commit \| diff

datatype: do not assert when value exceeds expected width

Inputs:
ip protocol . th dport { tcp / 22,  }'
or
th dport . ip protocol { tcp / 22,  }'

are not rejected at this time. 'list ruleset' yields:
ip protocol & nft: src/gmputil.c:77: mpz_get_uint8: Assertion `cnt <= 1' failed.
or
th dport & nft: src/gmputil.c:87: mpz_get_be16: Assertion `cnt <= 1' failed.

While this should be caught at input too, the print path should be more
robust, e.g. when there are direct nfnetlink users.

After this patch, the print functions fall back to
'integer_type_print' which can handle large numbers too.

Note that the output printed this way cannot be read back by nft;
it will dump something like:

  tcp dport & 18446739675663040512 . ip protocol 0 . 0

but thats better than assert().

v2: same problem exists for service too.

Signed-off-by: Florian Westphal <fw@strlen.de>