packages/nftables
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nftables/backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch
eaglegai f0418b2273 backport patches from upstream
2021-08-03 15:19:59 +08:00

71 lines
2.4 KiB
Diff
Raw Blame History

From 93c192706eac3bbb017cfb5a8e1d56b81050ad3b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 15 Jan 2021 18:40:11 +0100
Subject: [PATCH] evaluate: disallow ct original {s,d}ddr from maps
test.nft:6:55-71: Error: specify either ip or ip6 for address matching
add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
^^^^^^^^^^^^^^^^^
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Conflict:NA
Reference:https://git.netfilter.org/nftables/commit/?id=8b043938e77b1f421beccff595117d6e4ff8eecc
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 6 ++++++
tests/py/ip/ct.t | 3 +++
tests/py/ip/ct.t.payload | 9 +++++++++
3 files changed, 18 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 303ae280..53806424 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1418,6 +1418,12 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
const struct datatype *dtype;
struct expr *key, *data;
+ if (map->map->etype == EXPR_CT &&
+ (map->map->ct.key == NFT_CT_SRC ||
+ map->map->ct.key == NFT_CT_DST))
+ return expr_error(ctx->msgs, map->map,
+ "specify either ip or ip6 for address matching");
+
expr_set_context(&ctx->ectx, NULL, 0);
if (expr_evaluate(ctx, &map->map) < 0)
return -1;
diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
index d3247f79..c5ce1274 100644
--- a/tests/py/ip/ct.t
+++ b/tests/py/ip/ct.t
@@ -21,3 +21,6 @@ ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-s
# wrong address family
ct reply ip daddr dead::beef;fail
+
+meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail
+meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok
diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
index d5faed4c..4f9e9809 100644
--- a/tests/py/ip/ct.t.payload
+++ b/tests/py/ip/ct.t.payload
@@ -60,3 +60,12 @@ ip test-ip4 output
[ cmp eq reg 1 0x00000011 ]
[ ct load proto_src => reg 1 , dir reply ]
[ cmp eq reg 1 0x00003500 ]
+
+# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 }
+__map%d test-ip4 b
+__map%d test-ip4 0
+ element 01010101 : 00000011 0 [end]
+ip
+ [ ct load dst_ip => reg 1 , dir original ]
+ [ lookup reg 1 set __map%d dreg 1 ]
+ [ meta set mark with reg 1 ]
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink