packages/nftables
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nftables/backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch
eaglegai f0418b2273 backport patches from upstream
2021-08-03 15:19:59 +08:00

107 lines
3.9 KiB
Diff
Raw Blame History

From 1c97bd67ee6c1097196ad12b36d011fbd3855f2d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 21 Jan 2021 16:41:35 +0100
Subject: [PATCH] evaluate: disallow ct original {s,d}ddr from
concatenations
Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from
maps") to cover concatenations too.
Error: specify either ip or ip6 for address matching
add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 }
^^^^^^^^^^^^^^^^^
The old syntax for ct original saddr without either ip or ip6 results
in unknown key size, which breaks the listing. The old syntax is only
allowed in simple rules for backward compatibility.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Conflict:NA
Reference:https://git.netfilter.org/nftables/commit/?id=7d3a0799cfd0a7dbd179f2742b6632e66d1e9b6a
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 17 +++++++++++++++++
tests/py/ip/ct.t | 4 ++++
tests/py/ip/ct.t.payload | 19 +++++++++++++++++++
3 files changed, 40 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 53806424..a2274445 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1241,6 +1241,12 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr,
list_for_each_entry_safe(i, next, &(*expr)->expressions, list) {
unsigned dsize_bytes;
+ if (i->etype == EXPR_CT &&
+ (i->ct.key == NFT_CT_SRC ||
+ i->ct.key == NFT_CT_DST))
+ return expr_error(ctx->msgs, i,
+ "specify either ip or ip6 for address matching");
+
if (expr_is_constant(*expr) && dtype && off == 0)
return expr_binary_error(ctx->msgs, i, *expr,
"unexpected concat component, "
@@ -1423,6 +1429,17 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
map->map->ct.key == NFT_CT_DST))
return expr_error(ctx->msgs, map->map,
"specify either ip or ip6 for address matching");
+ else if (map->map->etype == EXPR_CONCAT) {
+ struct expr *i;
+
+ list_for_each_entry(i, &map->map->expressions, list) {
+ if (i->etype == EXPR_CT &&
+ (i->ct.key == NFT_CT_SRC ||
+ i->ct.key == NFT_CT_DST))
+ return expr_error(ctx->msgs, i,
+ "specify either ip or ip6 for address matching");
+ }
+ }
expr_set_context(&ctx->ectx, NULL, 0);
if (expr_evaluate(ctx, &map->map) < 0)
diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
index c5ce1274..a387863e 100644
--- a/tests/py/ip/ct.t
+++ b/tests/py/ip/ct.t
@@ -24,3 +24,7 @@ ct reply ip daddr dead::beef;fail
meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail
meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok
+meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };fail
+meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok
+ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail
+ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok
diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
index 4f9e9809..6e2f23a7 100644
--- a/tests/py/ip/ct.t.payload
+++ b/tests/py/ip/ct.t.payload
@@ -69,3 +69,22 @@ ip
[ ct load dst_ip => reg 1 , dir original ]
[ lookup reg 1 set __map%d dreg 1 ]
[ meta set mark with reg 1 ]
+
+# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }
+__map%d test-ip4 b
+__map%d test-ip4 0
+ element 01010101 00000014 : 0000001e 0 [end]
+ip
+ [ ct load src_ip => reg 1 , dir original ]
+ [ meta load mark => reg 9 ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
+
+# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+ element 01010101 00000014 : 0 [end]
+ip
+ [ ct load src_ip => reg 1 , dir original ]
+ [ meta load mark => reg 9 ]
+ [ lookup reg 1 set __set%d ]
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink