From: Florian Westphal Date: Mon, 31 Mar 2025 15:23:20 +0000 (+0200) Subject: evaluate: only allow stateful statements in set and map definitions X-Git-Tag: v1.1.2~14 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=0acd81559ec9efe2cc3d869bfc8e5a0b4d888456;p=thirdparty%2Fnftables.git evaluate: only allow stateful statements in set and map definitions The bison parser doesn't allow this to happen due to grammar restrictions, but the json input has no such issues. The bogon input assigns 'notrack' which triggers: BUG: unknown stateful statement type 19 nft: src/netlink_linearize.c:1061: netlink_gen_stmt_stateful: Assertion `0' failed. After patch, we get: Error: map statement must be stateful Fixes: 07958ec53830 ("json: add set statement list support") Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso --- diff --git a/src/evaluate.c b/src/evaluate.c index 92bf47a3..a3c8f560 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -5151,8 +5151,11 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) if (set->timeout) set->flags |= NFT_SET_TIMEOUT; - list_for_each_entry(stmt, &set->stmt_list, list) + list_for_each_entry(stmt, &set->stmt_list, list) { + if (stmt_evaluate_stateful(ctx, stmt,type) < 0) + return -1; num_stmts++; + } if (num_stmts > 1) set->flags |= NFT_SET_EXPR; diff --git a/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert b/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert new file mode 100644 index 00000000..e8a0f768 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert 
@@ -0,0 +1,34 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "t", + "handle": 0 + } + }, + { + "map": { + "family": "ip", + "name": "m", + "table": "t", + "type": "ipv4_addr", + "handle": 0, + "map": "mark", + "stmt": [ + { + "notrack": null + } + ] + } + } + ] +} +
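Review bot: in the `src/evaluate.c` hunk, the new call `stmt_evaluate_stateful(ctx, stmt,type)` is missing the space after the second comma; write it as `stmt_evaluate_stateful(ctx, stmt, type)` to match the surrounding style. Also note that neither `stmt` nor `type` is declared in the visible context, so the reader has to trust that `type` already holds the set/map kind used for the "map statement must be stateful" error; a short comment above the loop saying that this check closes the JSON path the bison grammar already rejects would make the intent clear. Returning `-1` on the first non-stateful statement before `num_stmts++` is the right order, since it keeps `NFT_SET_EXPR` from being set for a definition that is about to be rejected anyway.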
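Review bot: the new test file `tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert` misspells "unknown" in its name; since the name is meant to echo the assertion text quoted in the commit message ("unknown stateful statement type 19"), consider renaming it to `unknown_stateful_statement_type_19_assert` before it lands, as renaming a test later is noisier than fixing it now. The JSON itself is a minimal reproducer (an `ip` table `t`, a map `m` of `ipv4_addr` to `mark`, and a single `"notrack": null` entry in `stmt`), which is the right scope for a bogon input.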