src: BASECHAIN flag no longer implies presence of priority expression
authorFlorian Westphal <fw@strlen.de>
Thu, 12 Jun 2025 18:17:15 +0000 (20:17 +0200)
committerFlorian Westphal <fw@strlen.de>
Sun, 22 Jun 2025 17:35:14 +0000 (19:35 +0200)
The included bogon will crash nft because the print side assumes that the
presence of the BASECHAIN flag also means that a priority expression is available.

Make the print side conditional.

Fixes: a66b5ad9540d ("src: allow for updating devices on existing netdev chain")
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
src/rule.c
tests/shell/testcases/bogons/nft-f/null_ingress_type_crash [new file with mode: 0644]

index 80315837baf067b421f1480632b4660eba56cfbe..e2fe0979da3060a722314c31c697ba2b4851931b 100644 (file)
@@ -1047,8 +1047,10 @@ static void chain_print_declaration(const struct chain *chain,
                nft_print(octx, "\n\t\tcomment \"%s\"", chain->comment);
        nft_print(octx, "\n");
        if (chain->flags & CHAIN_F_BASECHAIN) {
-               nft_print(octx, "\t\ttype %s hook %s", chain->type.str,
-                         hooknum2str(chain->handle.family, chain->hook.num));
+               if (chain->type.str)
+                       nft_print(octx, "\t\ttype %s hook %s", chain->type.str,
+                                 hooknum2str(chain->handle.family, chain->hook.num));
+
                if (chain->dev_array_len == 1) {
                        nft_print(octx, " device \"%s\"", chain->dev_array[0]);
                } else if (chain->dev_array_len > 1) {
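Review bot: When `chain->type.str` is NULL the `\t\t` indentation is skipped with it, because the tabs are part of the guarded format string, so the following ` device "%s"` clause is printed at the start of the line with only its leading space. The second hunk has the same shape: the `;` terminator belongs to the guarded ` priority %s;` string, so a base chain with devices but no priority is listed without it, and that output presumably cannot be fed back to `nft -f`. Consider emitting the indent unconditionally with `nft_print(octx, "\t\t");` ahead of the guard and keeping `"type %s hook %s"` inside it, then deciding explicitly what a devices-only chain should print. The rest of chain_print_declaration lies outside both hunks, so the policy and trailing-newline handling could not be checked.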
@@ -1060,10 +1062,12 @@ static void chain_print_declaration(const struct chain *chain,
                        }
                        nft_print(octx, " }");
                }
-               nft_print(octx, " priority %s;",
-                         prio2str(octx, priobuf, sizeof(priobuf),
-                                  chain->handle.family, chain->hook.num,
-                                  chain->priority.expr));
+
+               if (chain->priority.expr)
+                       nft_print(octx, " priority %s;",
+                                 prio2str(octx, priobuf, sizeof(priobuf),
+                                          chain->handle.family, chain->hook.num,
+                                          chain->priority.expr));
                if (chain->policy) {
                        mpz_export_data(&policy, chain->policy->value,
                                        BYTEORDER_HOST_ENDIAN, sizeof(int));
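Review bot: The new `if (chain->priority.expr)` guard, like `if (chain->type.str)` in the first hunk, needs a comment saying why a chain carrying CHAIN_F_BASECHAIN can lack these fields; the flag name suggests otherwise, and a later cleanup could drop the checks as redundant and bring back the NULL dereference on a crafted ruleset file. Something like `/* BASECHAIN can be set by a devices-only declaration; type and priority may be unset */` above the guard would do, assuming that is how the bogon reaches this path. The function body continues past the end of the hunk.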
diff --git a/tests/shell/testcases/bogons/nft-f/null_ingress_type_crash b/tests/shell/testcases/bogons/nft-f/null_ingress_type_crash
new file mode 100644 (file)
index 0000000..2ed88af
--- /dev/null
@@ -0,0 +1,6 @@
+table netdev filter1 {
+       chain c {
+               devices = { lo }
+       }
+}
+list ruleset