* [PATCH nft] evaluate: postpone transport protocol match check after nat expression evaluation
@ 2021-11-02 10:35 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-11-02 10:35 UTC (permalink / raw)
  To: netfilter-devel

Fix bogus error report when using transport protocol as map key.

Fixes: 50780456a01a ("evaluate: check for missing transport protocol match in nat map with concatenations")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c                | 13 +++++++------
 tests/py/ip/dnat.t            |  1 +
 tests/py/ip/dnat.t.payload.ip | 13 +++++++++++++
 tests/py/ip/snat.t.payload    | 13 +++++++++++++
 4 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 609e171d8993..6a8c396f33c4 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3170,12 +3170,6 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 	const struct datatype *dtype;
 	int addr_type, err;
 
-	if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
-	    !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
-		return stmt_binary_error(ctx, stmt->nat.addr, stmt,
-					 "transport protocol mapping is only "
-					 "valid after transport protocol match");
-
 	switch (stmt->nat.family) {
 	case NFPROTO_IPV4:
 		addr_type = TYPE_IPADDR;
@@ -3192,6 +3186,13 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt)
 	if (expr_evaluate(ctx, &stmt->nat.addr))
 		return -1;
 
+	if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
+	    !nat_evaluate_addr_has_th_expr(stmt->nat.addr)) {
+		return stmt_binary_error(ctx, stmt->nat.addr, stmt,
+					 "transport protocol mapping is only "
+					 "valid after transport protocol match");
+	}
+
 	if (stmt->nat.addr->etype != EXPR_MAP)
 		return 0;
 
diff --git a/tests/py/ip/dnat.t b/tests/py/ip/dnat.t
index c5ca4c40db1b..889f0fd7bf6c 100644
--- a/tests/py/ip/dnat.t
+++ b/tests/py/ip/dnat.t
@@ -18,3 +18,4 @@ dnat to ct mark . ip daddr map { 0x00000014 . 1.1.1.1 : 1.2.3.4};ok
 dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24  . 8888 - 8999 };ok
 dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.0/24  . 80 };ok
 dnat ip to ip saddr . tcp dport map { 192.168.1.2 . 80 : 10.141.10.2 . 8888 - 8999 };ok
+ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 };ok
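Review bot: The new line only covers the positive case (transport protocol appearing as the map key, expected `ok`); since the fix moves an error check, a counterpart rule that omits any transport protocol match and is expected to fail would confirm the "transport protocol mapping is only valid after transport protocol match" error still fires after the relocation.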
diff --git a/tests/py/ip/dnat.t.payload.ip b/tests/py/ip/dnat.t.payload.ip
index 4872545a85a1..e53838a32262 100644
--- a/tests/py/ip/dnat.t.payload.ip
+++ b/tests/py/ip/dnat.t.payload.ip
@@ -167,3 +167,16 @@ ip
   [ immediate reg 4 0x00002723 ]
   [ nat dnat ip addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 flags 0x2 ]
 
+# ip daddr 192.168.0.1 dnat ip to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 }
+__map%d test-ip4 b size 2
+__map%d test-ip4 0
+        element 0000bb01  : 040a8d0a 0000fb20 0 [end]   element 00005000  : 040a8d0a 0000901f 0 [end]
+ip
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 proto_min reg 9 ]
+
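Review bot: The expected bytecode matches the existing lookup-then-nat shape (lookup into `dreg 1`, then `nat dnat ip addr_min reg 1 proto_min reg 9`), and the element dump is consistent with the rule: keys 443/80 appear as `0000bb01`/`00005000` and the data `10.141.10.4 . 8443`/`8080` as `040a8d0a 0000fb20`/`0000901f`. One coverage gap worth noting: the map data here uses single ports, so the `addr_max`/`proto_max` form visible at the top of the hunk is not exercised by the new rule; a variant with a port range in the map data, like the existing `8888 - 8999` cases in dnat.t, would cover it.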
diff --git a/tests/py/ip/snat.t.payload b/tests/py/ip/snat.t.payload
index 48ae46b31121..71a5e2f1a54e 100644
--- a/tests/py/ip/snat.t.payload
+++ b/tests/py/ip/snat.t.payload
@@ -139,3 +139,16 @@ ip
   [ lookup reg 1 set __map%d dreg 1 ]
   [ nat snat ip addr_min reg 1 proto_min reg 9 ]
 
+# ip daddr 192.168.0.1 dnat to tcp dport map { 443 : 10.141.10.4 . 8443, 80 : 10.141.10.4 . 8080 }
+__map%d x b size 2
+__map%d x 0
+        element 0000bb01  : 040a8d0a 0000fb20 0 [end]   element 00005000  : 040a8d0a 0000901f 0 [end]
+ip
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ cmp eq reg 1 0x0100a8c0 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ nat dnat ip addr_min reg 1 proto_min reg 9 ]
+
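Review bot: The diffstat shows `tests/py/ip/snat.t` is not touched, yet `snat.t.payload` gains an expected payload for a `dnat` rule, and its comment header reads `dnat to tcp dport map { ... }` whereas the rule added to `dnat.t` is `dnat ip to tcp dport map { ... }`. Please clarify which `.t` rule this expectation belongs to (and align the comment text with it), or drop the block if it is a leftover from local testing with table `x`.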
-- 
2.30.2

