src: context tracking for multiple transport protocols

This patch extends the protocol context infrastructure to track multiple
transport protocols when they are specified from sets.

This removes errors like:

 "transport protocol mapping is only valid after transport protocol match"

when invoking:

 # nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80

This patch also catches conflicts like:

 # nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
 Error: conflicting protocols specified: udp vs. tcp
 add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
                                       ^^^^^^^^^
and:

 # nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
 Error: conflicting protocols specified: udp vs. tcp
 add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80
                                        ^^^^^^^^^
Note that:

- the singleton protocol context tracker is left in place until the
  existing users are updated to use this new multiprotocol tracker.
  Moving forward, it would be good to consolidate things around this new
  multiprotocol context tracker infrastructure.

- link and network layers are not updated to use this infrastructure
  yet. The code that deals with vlan conflicts relies on forcing
  protocol context updates to the singleton protocol base.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 30 insertions, 0 deletions

diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t
index fcdf9436..a2661008 100644
--- a/tests/py/inet/dnat.t
+++ b/tests/py/inet/dnat.t
@@ -14,3 +14,8 @@ dnat ip6 to 1.2.3.4;fail
 dnat to 1.2.3.4;fail
 dnat ip6 to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};fail
 ip6 daddr dead::beef dnat to 10.1.2.3;fail
+
+meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80;ok
+ip protocol { tcp, udp } dnat ip to 1.1.1.1:80;ok
+meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail
+ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail
diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload
index 75cf1b77..a741b9cb 100644
--- a/tests/py/inet/dnat.t.payload
+++ b/tests/py/inet/dnat.t.payload
@@ -52,3 +52,28 @@ inet test-inet prerouting
   [ payload load 4b @ network header + 16 => reg 9 ]
   [ lookup reg 1 set __map%d dreg 1 ]
   [ nat dnat ip addr_min reg 1 addr_max reg 0 ]
+
+# meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000006  : 0 [end]     element 00000011  : 0 [end]
+inet
+  [ meta load l4proto => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 1 0x01010101 ]
+  [ immediate reg 2 0x00005000 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ]
+
+# ip protocol { tcp, udp } dnat ip to 1.1.1.1:80
+__set%d test-inet 3
+__set%d test-inet 0
+        element 00000006  : 0 [end]     element 00000011  : 0 [end]
+inet
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ lookup reg 1 set __set%d ]
+  [ immediate reg 1 0x01010101 ]
+  [ immediate reg 2 0x00005000 ]
+  [ nat dnat ip addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 flags 0x2 ]
+