optimize: ignore existing nat mapping

User might be already using a nat mapping in their ruleset, use the unsupported statement when collecting statements in this case. # nft -c -o -f ruleset.nft nft: optimize.c:443: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed. Aborted The -o/--optimize feature only cares about linear rulesets at this stage, but do not hit assert() in this case. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1656 Fixes: 0a6dbfce6dc3 ("optimize: merge nat rules with same selectors into map") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2023-02-07 10:53:41 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-02-07 11:39:16 +0100
commit: 9be404a153bc9525d52afabed622843717c37851 (patch)
tree: dcae66af68d20766a9508186c97b594557366323 /src/optimize.c
parent: 27c753e4a8d4744f479345e3f5e34cafef751602 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/src/optimize.c b/src/optimize.c
index ff4f2627..d60aa8f2 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -370,6 +370,13 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
 				clone->log.prefix = expr_get(stmt->log.prefix);
 			break;
 		case STMT_NAT:
+			if ((stmt->nat.addr &&
+			     stmt->nat.addr->etype == EXPR_MAP) ||
+			    (stmt->nat.proto &&
+			     stmt->nat.proto->etype == EXPR_MAP)) {
+				clone->ops = &unsupported_stmt_ops;
+				break;
+			}
 			clone->nat.type = stmt->nat.type;
 			clone->nat.family = stmt->nat.family;
 			if (stmt->nat.addr)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2023-02-07 10:53:41 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2023-02-07 11:39:16 +0100
commit	9be404a153bc9525d52afabed622843717c37851 (patch)
tree	dcae66af68d20766a9508186c97b594557366323 /src/optimize.c
parent	27c753e4a8d4744f479345e3f5e34cafef751602 (diff)