diff mbox

[nft] src: check if the set name is too long

Message ID 1395332403-3823-1-git-send-email-giuseppelng@gmail.com
State Superseded
Headers show

Commit Message

Giuseppe Longo March 20, 2014, 4:20 p.m. UTC 
checks if the name of set is larger than 15 chars
before to add it.
If so, the set is not added and an error message is printed.

I didn't figure out why, but another error message is printed, see below:

nft add set ip test thenameofthissetistoolooong { type ipv4_address\; }
<cmdline>:1:17-43: Error: set name is too long (> 16)
add set ip test thenameofthissetistoolooong { type ipv4_address; }
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
<cmdline>:1:66-66: Error: syntax error, unexpected '}'
add set ip test thenameofthissetistoolooong { type ipv4_address; }

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
 src/parser.y | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Tomasz Bursztyka March 21, 2014, 7:24 a.m. UTC | #1 
Hi Giuseppe,

> checks if the name of set is larger than 15 chars

You mean 16 characters

Btw, have you tested 16 chars length name: when listing the set back,
is such name cut to 15 chars?

That sounds to be an issue from kernel side, at least looking quickly,
I could not find any code shortening this in  libmnl, libnftnl or nftables.

Tomasz
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso March 21, 2014, 9:56 a.m. UTC | #2 
On Fri, Mar 21, 2014 at 09:24:47AM +0200, Tomasz Bursztyka wrote:
> Hi Giuseppe,
> 
> >checks if the name of set is larger than 15 chars
> 
> You mean 16 characters
> 
> Btw, have you tested 16 chars length name: when listing the set back,
> is such name cut to 15 chars?
> 
> That sounds to be an issue from kernel side, at least looking quickly,
> I could not find any code shortening this in  libmnl, libnftnl or nftables.

The kernel is indeed limiting the name length in nf_tables_newset, see
nla_strcpy there.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Tomasz Bursztyka March 21, 2014, 10:43 a.m. UTC | #3 
Hi Wei,

I don't know how you ended up finding a relation between nftables API 
and genetlink, but it's bogus.

The set name has a fixed size of 16 characters (IFNAMSIZ), not 15.
And its netlink policy has nothing to do with genetlink.

Have a look at include/net/netfilter/nf_tables.h in kernel tree, there 
struct  nft_set is declared.
Its netlink related policy is in net/netfilter/nf_tables_api.c 
(nft_set_policy)

Br,

Tomasz
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/src/parser.y b/src/parser.y
index db6f493..17fbd5e 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -15,6 +15,7 @@ 
 #include <inttypes.h>
 #include <netinet/ip.h>
 #include <netinet/if_ether.h>
+#include <net/if.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
@@ -986,6 +987,11 @@  chain_identifier	:	identifier
 
 set_spec		:	table_spec	identifier
 			{
+				if (strlen($2) > IFNAMSIZ) {
+					erec_queue(error(&@2, "set name too long (> %d)", IFNAMSIZ),
+						   state->msgs);
+					YYERROR;
+				}
 				$$		= $1;
 				$$.set		= $2;
 			}
@@ -993,6 +999,12 @@  set_spec		:	table_spec	identifier
 
 set_identifier		:	identifier
 			{
+				if (strlen($1) > IFNAMSIZ) {
+					erec_queue(error(&@1, "set name too long (> %d", IFNAMSIZ),
+						   state->msgs);
+					YYERROR;
+				}
+
 				memset(&$$, 0, sizeof($$));
 				$$.set		= $1;
 			}