Message ID | 1395332403-3823-1-git-send-email-giuseppelng@gmail.com
---|---
State | Superseded
Hi Giuseppe,

> checks if the name of set is larger than 15 chars

You mean 16 characters.

Btw, have you tested a 16-character name: when listing the set back,
is such a name cut to 15 chars?

That sounds like an issue on the kernel side; at least, looking quickly,
I could not find any code shortening this in libmnl, libnftnl or nftables.

Tomasz
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Mar 21, 2014 at 09:24:47AM +0200, Tomasz Bursztyka wrote:
> Hi Giuseppe,
>
> > checks if the name of set is larger than 15 chars
>
> You mean 16 characters
>
> Btw, have you tested 16 chars length name: when listing the set back,
> is such name cut to 15 chars?
>
> That sounds to be an issue from kernel side, at least looking quickly,
> I could not find any code shortening this in libmnl, libnftnl or nftables.

The kernel is indeed limiting the name length in nf_tables_newset, see nla_strcpy there.
Hi Wei,

I don't know how you ended up finding a relation between the nftables API and genetlink, but it's bogus.

The set name has a fixed size of 16 characters (IFNAMSIZ), not 15. And its netlink policy has nothing to do with genetlink.

Have a look at include/net/netfilter/nf_tables.h in the kernel tree, where struct nft_set is declared. Its netlink-related policy is in net/netfilter/nf_tables_api.c (nft_set_policy).

Br,

Tomasz
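The boundary discussed in the two replies above (a set name stored in a char[IFNAMSIZ] field and copied with nla_strcpy semantics), as an added C example that is not part of the patch, nftables or the kernel: store_set_name() is a simplified model of nla_strcpy's copy-at-most-size-minus-one-and-terminate behaviour, and the sample names are constructed.

```c
/* Added example: why a "> IFNAMSIZ" length check is off by one for a
 * name that ends up in a char[IFNAMSIZ] buffer with a NUL terminator. */
#include <stdio.h>
#include <string.h>
#include <net/if.h>
#ifndef IFNAMSIZ
#define IFNAMSIZ 16 /* fallback, glibc's net/if.h normally defines it */
#endif

/* The check as written in the patch: rejects only 17+ character names. */
int patch_check_accepts(const char *name)
{
    return strlen(name) > IFNAMSIZ ? 0 : 1;
}

/* The check that matches a 16-byte buffer: one byte is the terminator. */
int strict_check_accepts(const char *name)
{
    return strlen(name) >= IFNAMSIZ ? 0 : 1;
}

/* Simplified model of nla_strcpy(): copies at most IFNAMSIZ - 1 bytes and
 * always NUL-terminates. Not the kernel implementation. Returns bytes kept. */
size_t store_set_name(char dst[IFNAMSIZ], const char *name)
{
    size_t n = strlen(name);
    if (n > IFNAMSIZ - 1)
        n = IFNAMSIZ - 1;
    memcpy(dst, name, n);
    dst[n] = '\0';
    return n;
}

/* Length of the name as it would be listed back after storage. */
size_t stored_len(const char *name)
{
    char buf[IFNAMSIZ];
    store_set_name(buf, name);
    return strlen(buf);
}

int main(void)
{
    const char *name16 = "sixteencharsname"; /* constructed: exactly 16 chars */
    printf("patch check accepts: %d, strict check accepts: %d, stored as %zu chars\n",
           patch_check_accepts(name16), strict_check_accepts(name16),
           stored_len(name16));
    return 0;
}
```

The 16-character name passes the patch's check but comes back 15 characters long, which is the truncation Tomasz asks about.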
diff --git a/src/parser.y b/src/parser.y index db6f493..17fbd5e 100644 --- a/src/parser.y +++ b/src/parser.y @@ -15,6 +15,7 @@ #include <inttypes.h> #include <netinet/ip.h> #include <netinet/if_ether.h> +#include <net/if.h> #include <linux/netfilter.h> #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/nf_conntrack_tuple_common.h> @@ -986,6 +987,11 @@ chain_identifier : identifier set_spec : table_spec identifier { + if (strlen($2) > IFNAMSIZ) { + erec_queue(error(&@2, "set name too long (> %d)", IFNAMSIZ), + state->msgs); + YYERROR; + } $$ = $1; $$.set = $2; } @@ -993,6 +999,12 @@ set_spec : table_spec identifier set_identifier : identifier { + if (strlen($1) > IFNAMSIZ) { + erec_queue(error(&@1, "set name too long (> %d", IFNAMSIZ), + state->msgs); + YYERROR; + } + memset(&$$, 0, sizeof($$)); $$.set = $1; }
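Review bot: the bound in the set_spec hunk looks off by one: `strlen($2) > IFNAMSIZ` still accepts a 16-character name, but the kernel copies the name into a char[IFNAMSIZ] field with nla_strcpy (as the thread notes for nf_tables_newset), which keeps at most IFNAMSIZ - 1 bytes plus the terminator, so such a name is accepted by nft and silently stored as 15 characters. `strlen($2) >= IFNAMSIZ`, with the message reporting IFNAMSIZ - 1 as the limit, would reject it up front and would also match the commit message, which says "larger than 15 chars" while the code as written rejects only 17 and more. The message text ("set name too long") also differs from the output quoted in the commit message ("set name is too long"); please make the two agree. The second "syntax error, unexpected '}'" in the commit message is a by-product of YYERROR, which abandons the rule and puts bison into error recovery on the rest of the input; if a single error is expected here, the commit message should at least say the duplicate is known.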
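Review bot: in the set_identifier hunk the format string is missing its closing parenthesis: `"set name too long (> %d"` prints "(> 16" where the set_spec hunk prints "(> 16)". The same length check is now duplicated in two rules; a small helper holding the bound and the message would keep them in one place, which also matters if the bound is adjusted to leave room for the NUL terminator.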
checks if the name of set is larger than 15 chars before adding it.
If so, the set is not added and an error message is printed.

I didn't figure out why, but another error message is printed, see below:

nft add set ip test thenameofthissetistoolooong { type ipv4_address\; }
<cmdline>:1:17-43: Error: set name is too long (> 16)
add set ip test thenameofthissetistoolooong { type ipv4_address; }
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
<cmdline>:1:66-66: Error: syntax error, unexpected '}'
add set ip test thenameofthissetistoolooong { type ipv4_address; }

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
 src/parser.y | 12 ++++++++++++
 1 file changed, 12 insertions(+)