File: validation_recursion.sh

package info (click to toggle)
nftables 1.1.6-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 15,384 kB
  • sloc: ansic: 50,901; sh: 20,277; yacc: 5,861; python: 1,746; lex: 1,367; makefile: 392
file content (39 lines) | stat: -rwxr-xr-x 910 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
#!/bin/bash

# regression check for kernel commit
# cff3bd012a95 ("netfilter: nf_tables: prefer nft_chain_validate")

chains=100

# first create skeleton, linear list
# of 1k jumps, c1 -> c2 .. -> c100.
#
# not caught, commit phase validation doesn't care about
# non-base chains.
(
	echo add table ip t

	for i in $(seq 1 $chains);do
		echo add chain t c$i
	done

	for i in $(seq 1 $((chains-1)) );do
		echo add rule t c$i jump c$((i+1))
	done
) | $NFT -f -

# now link up c0 to c1.  This triggers register-store validation for
# c1. Old algorithm is recursive and will blindly chase the entire
# list of chains created above.  On older kernels, this will cause kernel
# stack overflow/guard page crash.
$NFT -f - <<EOF
add chain t c0 { type filter hook input priority 0; }
add rule t c0 jump c1
EOF

if [ $? -eq 0 ] ; then
        echo "E: loaded bogus ruleset" >&2
        exit 1
fi

$NFT delete table ip t