authorFlorian Westphal <fw@strlen.de>2017-05-29 19:25:38 +0200
committerFlorian Westphal <fw@strlen.de>2017-06-06 20:53:03 +0200
commit8786dc5f30db5a686c25de7cc80da1fd21082683 (patch)
tree706e4dbc79ecb6f69c5a7764216c691780a16869 /src/evaluate.c
parent37988cf255e51efba0d81dbc43eb4f0a41e99813 (diff)
ct: fix inet/bridge/netdev family handling for saddr/daddr
"ct original saddr" has an invalid data type, as the address can be either ipv4 or ipv6. For some cases we could infer it from the rhs, but there are cases where we don't have any information, e.g. when passing ct original saddr to jhash expression. So do the same thing that we do for "rt nexthop" -- error out and hint to user they need to specify the desired address type with "meta nfproto". Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c27
1 files changed, 20 insertions, 7 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 4ca14842..311c86c5 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -649,6 +649,13 @@ static int expr_evaluate_payload(struct eval_ctx *ctx, struct expr **exprp)
return 0;
}
+static int expr_error_base(struct list_head *msgs, const struct expr *e)
+{
+ return expr_error(msgs, e,
+ "meta nfproto ipv4 or ipv6 must be specified "
+ "before %s expression", e->ops->name);
+}
+
/*
* RT expression: validate protocol dependencies.
*/
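Review bot: The new helper `expr_error_base` has no comment, and its name does not say that it reports a missing network-layer protocol context. A one-line header would help, e.g. `/* Reject an expression whose address type is ambiguous until the rule fixes the L3 protocol via meta nfproto. */`. The message is now built from `e->ops->name`, so the rt error text no longer reads "routing expression" but whatever name the rt ops carry (presumably "rt"). Any test or script that matches the old wording should be checked.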
@@ -663,22 +670,17 @@ static int expr_evaluate_rt(struct eval_ctx *ctx, struct expr **expr)
switch (rt->rt.key) {
case NFT_RT_NEXTHOP4:
if (base != &proto_ip)
- goto err;
+ return expr_error_base(ctx->msgs, rt);
break;
case NFT_RT_NEXTHOP6:
if (base != &proto_ip6)
- goto err;
+ return expr_error_base(ctx->msgs, rt);
break;
default:
break;
}
return expr_evaluate_primary(ctx, expr);
-
-err:
- return expr_error(ctx->msgs, rt,
- "meta nfproto ipv4 or ipv6 must be specified "
- "before routing expression");
}
/*
@@ -687,10 +689,21 @@ err:
*/
static int expr_evaluate_ct(struct eval_ctx *ctx, struct expr **expr)
{
+ const struct proto_desc *base;
struct expr *ct = *expr;
ct_expr_update_type(&ctx->pctx, ct);
+ base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+ switch (ct->ct.key) {
+ case NFT_CT_SRC:
+ case NFT_CT_DST:
+ if (base != &proto_ip && base != &proto_ip6)
+ return expr_error_base(ctx->msgs, ct);
+ default:
+ break;
+ }
+
return expr_evaluate_primary(ctx, expr);
}
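Review bot: The `NFT_CT_SRC`/`NFT_CT_DST` case in expr_evaluate_ct has no `break;` after the base check, so when the base is proto_ip or proto_ip6 control falls through into `default:`. That is harmless today because `default` only breaks, but a case label added between the two later would silently run for saddr/daddr as well, and compilers with implicit-fallthrough warnings will flag it. Add `break;` directly after `return expr_error_base(ctx->msgs, ct);`. A short comment on the case would also help, such as `/* address width depends on the L3 protocol; refuse to guess */`, so the reason for rejecting inet/bridge/netdev rules without nfproto is visible in the code.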