From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft] expression: tolerate named set protocol dependency
Date: Thu, 13 Mar 2025 17:39:51 +0100 [thread overview]
Message-ID: <20250313163955.13487-1-fw@strlen.de> (raw)
Included test will fail with:
/dev/stdin:8:38-52: Error: Transparent proxy support requires transport protocol match
meta l4proto @protos tproxy to :1088
^^^^^^^^^^^^^^^
Tolerate a set reference too. Because the set can be empty (or there
can be removals later), add a fake 0-rhs value.
This will make pctx_update assign proto_unknown as the transport protocol
in use, Thats enough to avoid 'requires transport protocol' error.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1686
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/expression.c | 10 +++
.../dumps/named_set_as_protocol_dep.json-nft | 75 +++++++++++++++++++
.../nft-f/dumps/named_set_as_protocol_dep.nft | 11 +++
.../testcases/nft-f/named_set_as_protocol_dep | 5 ++
4 files changed, 101 insertions(+)
create mode 100644 tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
create mode 100644 tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
create mode 100755 tests/shell/testcases/nft-f/named_set_as_protocol_dep
diff --git a/src/expression.c b/src/expression.c
index 8a90e09dd1c5..38d3ad6d6a4b 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -945,6 +945,16 @@ void relational_expr_pctx_update(struct proto_ctx *ctx,
i->key->etype == EXPR_VALUE)
ops->pctx_update(ctx, &expr->location, left, i->key);
}
+ } else if (right->etype == EXPR_SET_REF) {
+ const struct expr *key = right->set->key;
+ struct expr *tmp;
+
+ tmp = constant_expr_alloc(&expr->location, key->dtype,
+ key->byteorder, key->len,
+ NULL);
+
+ ops->pctx_update(ctx, &expr->location, left, tmp);
+ expr_free(tmp);
}
}
}
diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
new file mode 100644
index 000000000000..4bc24aa319ab
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
@@ -0,0 +1,75 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "inet",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "inet",
+ "table": "test",
+ "name": "prerouting",
+ "handle": 0,
+ "type": "filter",
+ "hook": "prerouting",
+ "prio": -150,
+ "policy": "accept"
+ }
+ },
+ {
+ "set": {
+ "family": "inet",
+ "name": "protos",
+ "table": "test",
+ "type": {
+ "typeof": {
+ "meta": {
+ "key": "l4proto"
+ }
+ }
+ },
+ "handle": 0,
+ "elem": [
+ "tcp",
+ "udp"
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "inet",
+ "table": "test",
+ "chain": "prerouting",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "@protos"
+ }
+ },
+ {
+ "tproxy": {
+ "port": 1088
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
new file mode 100644
index 000000000000..2bc0c2adb38c
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
@@ -0,0 +1,11 @@
+table inet test {
+ set protos {
+ typeof meta l4proto
+ elements = { tcp, udp }
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority mangle; policy accept;
+ meta l4proto @protos tproxy to :1088
+ }
+}
diff --git a/tests/shell/testcases/nft-f/named_set_as_protocol_dep b/tests/shell/testcases/nft-f/named_set_as_protocol_dep
new file mode 100755
index 000000000000..5c516e421cd6
--- /dev/null
+++ b/tests/shell/testcases/nft-f/named_set_as_protocol_dep
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile" || exit 1
--
2.45.3
next reply other threads:[~2025-03-13 16:40 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-13 16:39 Florian Westphal [this message]
2025-03-20 0:18 ` [PATCH nft] expression: tolerate named set protocol dependency Pablo Neira Ayuso
2025-03-20 8:30 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250313163955.13487-1-fw@strlen.de \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).