sys,fw: check for errors when adding ports rules

Verify that ports are correctly converted to int, for single and range ports.
2025-03-04 08:34:40 +01:00 · 2023-07-06 17:58:17 +02:00 · 2023-07-06 17:58:17 +02:00 · 28fab440da
commit 28fab440da
parent 84df5135ff
2 changed files with 28 additions and 10 deletions
--- a/daemon/firewall/nftables/exprs/port.go
+++ b/daemon/firewall/nftables/exprs/port.go
@ -11,22 +11,31 @@ import (
 )

 // NewExprPort returns a new port expression with the given matching operator.
-func NewExprPort(port string, op *expr.CmpOp) *[]expr.Any {
-	eport, _ := strconv.Atoi(port)
+func NewExprPort(port string, op *expr.CmpOp) (*[]expr.Any, error) {
+	eport, err := strconv.Atoi(port)
+	fmt.Printf("%s, %d", err, eport)
+	if err != nil {
+		return nil, err
+	}
 	return &[]expr.Any{
 		&expr.Cmp{
 			Register: 1,
 			Op:       *op,
 			Data:     binaryutil.BigEndian.PutUint16(uint16(eport))},
-	}
-
+	}, nil
 }

 // NewExprPortRange returns a new port range expression.
-func NewExprPortRange(sport string, cmpOp *expr.CmpOp) *[]expr.Any {
+func NewExprPortRange(sport string, cmpOp *expr.CmpOp) (*[]expr.Any, error) {
 	ports := strings.Split(sport, "-")
-	iport, _ := strconv.Atoi(ports[0])
-	eport, _ := strconv.Atoi(ports[1])
+	iport, err := strconv.Atoi(ports[0])
+	if err != nil {
+		return nil, err
+	}
+	eport, err := strconv.Atoi(ports[1])
+	if err != nil {
+		return nil, err
+	}
 	return &[]expr.Any{
 		&expr.Range{
 			Op:       *cmpOp,
@ -34,7 +43,7 @@ func NewExprPortRange(sport string, cmpOp *expr.CmpOp) *[]expr.Any {
 			FromData: binaryutil.BigEndian.PutUint16(uint16(iport)),
 			ToData:   binaryutil.BigEndian.PutUint16(uint16(eport)),
 		},
-	}
+	}, nil

 }

--- a/daemon/firewall/nftables/rule_helpers.go
+++ b/daemon/firewall/nftables/rule_helpers.go
@ -210,9 +210,18 @@ func (n *Nft) buildPortsRule(table, family, ports string, cmpOp *expr.CmpOp) (*[
 		})
 		sysSets = append(sysSets, []*nftables.Set{set}...)
 	} else if strings.Index(ports, "-") != -1 {
-		exprList = append(exprList, *exprs.NewExprPortRange(ports, cmpOp)...)
+		portRange, err := exprs.NewExprPortRange(ports, cmpOp)
+		if err != nil {
+			log.Warning("%s invalid portRange: %s, %s", logTag, ports, err)
+			return nil, err
+		}
+		exprList = append(exprList, *portRange...)
 	} else {
-		exprList = append(exprList, *exprs.NewExprPort(ports, cmpOp)...)
+		exprPort, err := exprs.NewExprPort(ports, cmpOp)
+		if err != nil {
+			return nil, err
+		}
+		exprList = append(exprList, *exprPort...)
 	}

 	return &exprList, nil