author | Liping Zhang <zlpnobody@gmail.com> | 2017-01-22 22:10:32 +0800 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2017-03-16 02:27:05 +0000 |
commit | f338af4fd5c70299dd38eca5fe8a7381b1f26111 (patch) | |
tree | 52fca5f94facce5375f178a09db6e828a6ca5e39 /include | |
parent | 929d9d799e2a01e1919250ee5c18929fb35bc0a7 (diff) | |
netfilter: nft_log: restrict the log prefix length to 127
commit 5ce6b04ce96896e8a79e6f60740ced911eaac7a4 upstream.
First, log prefix will be truncated to NF_LOG_PREFIXLEN-1, i.e. 127,
at nf_log_packet(), so the extra part is useless.
Second, after adding a log rule with a very very long prefix, we will
fail to dump the nft rules after this _special_ one, but actually,
they do exist. For example:
```
# name_65000=$(printf "%0.sQ" {1..65000})
# nft add rule filter output log prefix "$name_65000"
# nft add rule filter output counter
# nft add rule filter output counter
# nft list chain filter output
table ip filter {
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
```
So now, restrict the log prefix length to NF_LOG_PREFIXLEN-1.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'include')
-rw-r--r-- | include/net/netfilter/nf_log.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h index 99eac12d040b..6e11c346137d 100644 --- a/include/net/netfilter/nf_log.h +++ b/include/net/netfilter/nf_log.h @@ -12,6 +12,8 @@ #define NF_LOG_UID 0x08 /* Log UID owning local socket */ #define NF_LOG_MASK 0x0f +#define NF_LOG_PREFIXLEN 128 + #define NF_LOG_TYPE_LOG 0x01 #define NF_LOG_TYPE_ULOG 0x02 |
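Review bot: the `#define NF_LOG_PREFIXLEN 128` added after NF_LOG_MASK carries no comment that the value includes the terminating NUL, even though the subject and the message describe the usable limit as NF_LOG_PREFIXLEN-1, i.e. 127; a one-line note such as `#define NF_LOG_PREFIXLEN 128 /* incl. NUL; usable prefix is 127 */` would spare the next reader a trip to nf_log.c. The actual enforcement the message describes (truncation in nf_log_packet() and the new length restriction in nft_log) is outside this 'include'-limited view, so confirm that the prefix buffer in nf_log_packet() and the nft_log attribute length check both reference NF_LOG_PREFIXLEN rather than a separate literal 128, otherwise the two limits can drift apart and the rule-dump failure reproduced above can return.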