src: allow flowtable definitions with no devices

The listing shows no devices:

 # nft list ruleset
 table ip x {
        flowtable y {
                hook ingress priority filter
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/mnl.c b/src/mnl.c
index 759ae41ceb0162603e3d5cff21b741f767f15da1..19f6664169096f44fbafa0c4df6cd464d8546966 100644 (file)
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1652,10 +1652,12 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
                nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
        }
 
-       dev_array = nft_flowtable_dev_array(cmd);
-       nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
-                                dev_array, 0);
-       nft_flowtable_dev_array_free(dev_array);
+       if (cmd->flowtable->dev_expr) {
+               dev_array = nft_flowtable_dev_array(cmd);
+               nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
+                                        dev_array, 0);
+               nft_flowtable_dev_array_free(dev_array);
+       }
 
        nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FLAGS,
                                cmd->flowtable->flags);

diff --git a/src/rule.c b/src/rule.c
index 1f56faeb5c3cf03484e783eac4c8cb5c2055b713..21a52157391dc546dae3b358170e92221b790cee 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -2272,13 +2272,15 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
                           flowtable->hook.num, flowtable->priority.expr),
                  opts->stmt_separator);
 
-       nft_print(octx, "%s%sdevices = { ", opts->tab, opts->tab);
-       for (i = 0; i < flowtable->dev_array_len; i++) {
-               nft_print(octx, "%s", flowtable->dev_array[i]);
-               if (i + 1 != flowtable->dev_array_len)
-                       nft_print(octx, ", ");
+       if (flowtable->dev_array_len > 0) {
+               nft_print(octx, "%s%sdevices = { ", opts->tab, opts->tab);
+               for (i = 0; i < flowtable->dev_array_len; i++) {
+                       nft_print(octx, "%s", flowtable->dev_array[i]);
+                       if (i + 1 != flowtable->dev_array_len)
+                               nft_print(octx, ", ");
+               }
+               nft_print(octx, " }%s", opts->stmt_separator);
        }
-       nft_print(octx, " }%s", opts->stmt_separator);
 
        if (flowtable->flags & NFT_FLOWTABLE_COUNTER)
                nft_print(octx, "%s%scounter%s", opts->tab, opts->tab,

diff --git a/tests/shell/testcases/flowtable/0006segfault_0 b/tests/shell/testcases/flowtable/0006segfault_0
index de590b77de89fbcca05d2ed7ce3c94d59688934b..fb7c52feb4cec16952fcd56279a202817eef2733 100755 (executable)
--- a/tests/shell/testcases/flowtable/0006segfault_0
+++ b/tests/shell/testcases/flowtable/0006segfault_0
@@ -9,6 +9,3 @@ $NFT add flowtable ip t f { hook ingress priority 10\; devices = { lo } }
 
 $NFT add flowtable ip t f { hook ingress\; priority 10\; }
 [[ $? -eq 1 ]] || exit 1
-
-$NFT add flowtable ip t f { hook ingress priority 10\; }
-[[ $? -eq 1 ]] || exit 1