diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-24 22:07:44 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-04-24 22:48:42 +0200 |
commit | c88494c5fb4dc275f94df27f1f68996fd3925680 (patch) | |
tree | 0526f15f26814722888f7e3bc858be332594b52d /src/mnl.c | |
parent | 5ad475fce5a138d3a8b58bde4a41b0537d15b952 (diff) |
meta: skip protocol context update for nfproto with same table family
Inefficient bytecode crashes ruleset listing:
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ] <-- this specifies NFPROTO_IPV4 but table family is IPv4!
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp gte reg 1 0x1000000a ]
[ cmp lte reg 1 0x1f00000a ]
[ masq ]
This IPv4 table obviously only see IPv4 traffic, but bytecode specifies
a redundant match on NFPROTO_IPV4.
After this patch, listing works:
# nft list ruleset
table ip crash {
chain crash {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.0.0.16-10.0.0.31 masquerade
}
}
Skip protocol context update in case that this information is redundant.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1562
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/mnl.c')
0 files changed, 0 insertions, 0 deletions