[PATCH v2 nft] src: move BASECHAIN flag toggle to netlink linearize code for device update

Florian Westphal <fw@xxxxxxxxx> · Thu, 12 Jun 2025 20:17:15 +0200

The included bogon will crash nft because print side assumes that
a BASECHAIN flag presence also means that priority expression is
available.

Make the print side conditional.

Fixes: a66b5ad9540d ("src: allow for updating devices on existing netdev chain")
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/rule.c                                       | 16 ++++++++++------
 .../bogons/nft-f/null_ingress_type_crash         |  6 ++++++
 2 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 tests/shell/testcases/bogons/nft-f/null_ingress_type_crash

diff --git a/src/rule.c b/src/rule.c
index 264a2a44147d..661673e58eb7 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1067,8 +1067,10 @@ static void chain_print_declaration(const struct chain *chain,
 		nft_print(octx, "\n\t\tcomment \"%s\"", chain->comment);
 	nft_print(octx, "\n");
 	if (chain->flags & CHAIN_F_BASECHAIN) {
-		nft_print(octx, "\t\ttype %s hook %s", chain->type.str,
-			  hooknum2str(chain->handle.family, chain->hook.num));
+		if (chain->type.str)
+			nft_print(octx, "\t\ttype %s hook %s", chain->type.str,
+				  hooknum2str(chain->handle.family, chain->hook.num));
+
 		if (chain->dev_array_len == 1) {
 			nft_print(octx, " device \"%s\"", chain->dev_array[0]);
 		} else if (chain->dev_array_len > 1) {
@@ -1080,10 +1082,12 @@ static void chain_print_declaration(const struct chain *chain,
 			}
 			nft_print(octx, " }");
 		}
-		nft_print(octx, " priority %s;",
-			  prio2str(octx, priobuf, sizeof(priobuf),
-				   chain->handle.family, chain->hook.num,
-				   chain->priority.expr));
+
+		if (chain->priority.expr)
+			nft_print(octx, " priority %s;",
+				  prio2str(octx, priobuf, sizeof(priobuf),
+					   chain->handle.family, chain->hook.num,
+					   chain->priority.expr));
 		if (chain->policy) {
 			mpz_export_data(&policy, chain->policy->value,
 					BYTEORDER_HOST_ENDIAN, sizeof(int));
diff --git a/tests/shell/testcases/bogons/nft-f/null_ingress_type_crash b/tests/shell/testcases/bogons/nft-f/null_ingress_type_crash
new file mode 100644
index 000000000000..2ed88af24c56
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/null_ingress_type_crash
@@ -0,0 +1,6 @@
+table netdev filter1 {
+	chain c {
+		devices = { lo }
+	}
+}
+list ruleset
-- 
2.49.0








