diff options
| author | Florian Westphal <fw@strlen.de> | 2025-03-20 09:34:45 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-06-19 00:01:13 +0200 |
| commit | 03f92014110323fcea3831438019a167c8f797cc (patch) | |
| tree | bcd3a83eb64b726117b209032baaf51f2714afeb | |
| parent | d81f5fe95b88c69bf23fa247dee4e22bc3c91320 (diff) | |
expression: tolerate named set protocol dependency
commit b00fc8cd1379f6e403538943d55d297b624f185b upstream.
Included test will fail with:
/dev/stdin:8:38-52: Error: Transparent proxy support requires transport protocol match
meta l4proto @protos tproxy to :1088
^^^^^^^^^^^^^^^
Tolerate a set reference too. Because the set can be empty (or there
can be removals later), add a fake 0-rhs value.
This will make pctx_update assign proto_unknown as the transport protocol
in use, Thats enough to avoid 'requires transport protocol' error.
v2: restrict it to meta lhs for now (Pablo Neira Ayuso)
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1686
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | src/expression.c | 11 | ||||
| -rw-r--r-- | tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft | 75 | ||||
| -rw-r--r-- | tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft | 11 | ||||
| -rwxr-xr-x | tests/shell/testcases/nft-f/named_set_as_protocol_dep | 5 |
4 files changed, 102 insertions, 0 deletions
diff --git a/src/expression.c b/src/expression.c index 9bd478e9..cfcf1ed9 100644 --- a/src/expression.c +++ b/src/expression.c @@ -832,6 +832,17 @@ void relational_expr_pctx_update(struct proto_ctx *ctx, i->key->etype == EXPR_VALUE) ops->pctx_update(ctx, &expr->location, left, i->key); } + } else if (ops == &meta_expr_ops && + right->etype == EXPR_SET_REF) { + const struct expr *key = right->set->key; + struct expr *tmp; + + tmp = constant_expr_alloc(&expr->location, key->dtype, + key->byteorder, key->len, + NULL); + + ops->pctx_update(ctx, &expr->location, left, tmp); + expr_free(tmp); } } } diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft new file mode 100644 index 00000000..4bc24aa3 --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft @@ -0,0 +1,75 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "test", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "test", + "name": "prerouting", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -150, + "policy": "accept" + } + }, + { + "set": { + "family": "inet", + "name": "protos", + "table": "test", + "type": { + "typeof": { + "meta": { + "key": "l4proto" + } + } + }, + "handle": 0, + "elem": [ + "tcp", + "udp" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "test", + "chain": "prerouting", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": "@protos" + } + }, + { + "tproxy": { + "port": 1088 + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft new file mode 100644 index 00000000..2bc0c2ad --- /dev/null +++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft @@ -0,0 +1,11 @@ +table inet test { + set protos { + typeof meta l4proto + elements = { tcp, udp } + } + + chain prerouting { + type filter hook prerouting priority mangle; policy accept; + meta l4proto @protos tproxy to :1088 + } +} diff --git a/tests/shell/testcases/nft-f/named_set_as_protocol_dep b/tests/shell/testcases/nft-f/named_set_as_protocol_dep new file mode 100755 index 00000000..5c516e42 --- /dev/null +++ b/tests/shell/testcases/nft-f/named_set_as_protocol_dep @@ -0,0 +1,5 @@ +#!/bin/bash + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" || exit 1 |