* [PATCH nft 1/2] evaluate: check for concatenation in set data datatype
@ 2021-09-28 20:55 Pablo Neira Ayuso
2021-09-28 20:55 ` [PATCH nft 2/2] evaluate: check for missing transport protocol match in nat map with concatenations Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2021-09-28 20:55 UTC (permalink / raw)
To: netfilter-devel
When adding this rule with an existing map:
add rule nat x y meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th
reports a bogus:
Error: datatype mismatch: expected IPv4 address, expression has type
concatenation of (IPv4 address, internet network service)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 3 ++-
tests/shell/testcases/sets/0067nat_concat_interval_0 | 11 +++++++++++
.../sets/dumps/0067nat_concat_interval_0.nft | 7 +++++++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index a0c67fb0e213..1737ca0854cd 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3243,7 +3243,8 @@ static bool nat_concat_map(struct eval_ctx *ctx, struct stmt *stmt)
if (expr_evaluate(ctx, &stmt->nat.addr->mappings))
return false;
- if (stmt->nat.addr->mappings->set->data->etype == EXPR_CONCAT) {
+ if (stmt->nat.addr->mappings->set->data->etype == EXPR_CONCAT ||
+ stmt->nat.addr->mappings->set->data->dtype->subtypes) {
stmt->nat.type_flags |= STMT_NAT_F_CONCAT;
return true;
}
diff --git a/tests/shell/testcases/sets/0067nat_concat_interval_0 b/tests/shell/testcases/sets/0067nat_concat_interval_0
index 3d1b62d69b26..530771b0016c 100755
--- a/tests/shell/testcases/sets/0067nat_concat_interval_0
+++ b/tests/shell/testcases/sets/0067nat_concat_interval_0
@@ -31,3 +31,14 @@ EXPECTED="table ip nat {
}"
$NFT -f - <<< $EXPECTED
+
+EXPECTED="table ip nat {
+ map fwdtoip_th {
+ type ipv4_addr . inet_service : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
+ }
+}"
+
+$NFT -f - <<< $EXPECTED
+$NFT add rule ip nat prerouting meta l4proto { tcp, udp } dnat to ip daddr . th dport map @fwdtoip_th
diff --git a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
index c565d21f8acc..3226da157272 100644
--- a/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
+++ b/tests/shell/testcases/sets/dumps/0067nat_concat_interval_0.nft
@@ -11,9 +11,16 @@ table ip nat {
elements = { 192.168.1.2 . 192.168.2.2 : 127.0.0.0/8 . 42-43 }
}
+ map fwdtoip_th {
+ type ipv4_addr . inet_service : interval ipv4_addr . inet_service
+ flags interval
+ elements = { 1.2.3.4 . 10000-20000 : 192.168.3.4 . 30000-40000 }
+ }
+
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip protocol tcp dnat ip to ip saddr map @ipportmap
ip protocol tcp dnat ip to ip saddr . ip daddr map @ipportmap2
+ meta l4proto { tcp, udp } dnat ip to ip daddr . th dport map @fwdtoip_th
}
}
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread* [PATCH nft 2/2] evaluate: check for missing transport protocol match in nat map with concatenations
2021-09-28 20:55 [PATCH nft 1/2] evaluate: check for concatenation in set data datatype Pablo Neira Ayuso
@ 2021-09-28 20:55 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2021-09-28 20:55 UTC (permalink / raw)
To: netfilter-devel
Restore this error with NAT maps:
# nft add rule 'ip ipfoo c dnat to ip daddr map @y'
Error: transport protocol mapping is only valid after transport protocol match
add rule ip ipfoo c dnat to ip daddr map @y
~~~~ ^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 1737ca0854cd..161372397bcc 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3159,10 +3159,17 @@ static int stmt_evaluate_addr(struct eval_ctx *ctx, struct stmt *stmt,
static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
{
+ struct proto_ctx *pctx = &ctx->pctx;
struct expr *one, *two, *data, *tmp;
const struct datatype *dtype;
int addr_type, err;
+ if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
+ !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
+ return stmt_binary_error(ctx, stmt->nat.addr, stmt,
+ "transport protocol mapping is only "
+ "valid after transport protocol match");
+
switch (stmt->nat.family) {
case NFPROTO_IPV4:
addr_type = TYPE_IPADDR;
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-09-28 20:55 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-28 20:55 [PATCH nft 1/2] evaluate: check for concatenation in set data datatype Pablo Neira Ayuso
2021-09-28 20:55 ` [PATCH nft 2/2] evaluate: check for missing transport protocol match in nat map with concatenations Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.