netfilter-devel.vger.kernel.org archive mirror
* [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries
@ 2025-07-29 16:18 Phil Sutter
  2025-07-29 16:18 ` [nft PATCH v2 1/3] expression: Introduce is_symbol_value_expr() macro Phil Sutter
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Phil Sutter @ 2025-07-29 16:18 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Kernel's timezone is UTC, so 'meta hour' returns seconds since UTC start
of day. To match against this, user space has to convert the RHS value
given in local timezone into UTC. With ranges (e.g. 9:00-17:00),
depending on the local timezone, these may span midnight in UTC (e.g.
23:00-7:00) and thus need to be converted into a proper range again
(e.g. 7:00-23:00, inverted). Since nftables commit 347039f64509e ("src:
add symbol range expression to further compact intervals"), this
conversion was broken.

Changes since v1:
- Apply the parser changes of commit 347039f64509e to JSON parser as
  well (new patches 1 and 2)
- Misc fixes in patch 3

Phil Sutter (3):
  expression: Introduce is_symbol_value_expr() macro
  parser_json: Parse into symbol range expression if possible
  evaluate: Fix for 'meta hour' ranges spanning date boundaries

 doc/primary-expression.txt              |   3 +-
 include/expression.h                    |   2 +
 src/evaluate.c                          |  25 +++-
 src/parser_bison.y                      |   6 +-
 src/parser_json.c                       |  12 +-
 tests/py/any/meta.t                     |   9 ++
 tests/py/any/meta.t.json                | 182 ++++++++++++++++++++++++
 tests/py/any/meta.t.json.output         |  18 +++
 tests/py/any/meta.t.payload             |  51 +++++++
 tests/shell/testcases/listing/meta_time |  11 ++
 10 files changed, 306 insertions(+), 13 deletions(-)

-- 
2.49.0
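
The conversion the cover letter describes, as an added C sketch that is not code from this patch series or from nftables: both bounds of a local-time range are shifted to UTC and, if the lower bound ends up above the upper one, they are swapped and the match is marked inverted. The names (`hour_match`, `parse_hour`, `local_to_utc`, `hour_range_to_utc`, `hour_match_eval`) and the fixed `tz_east` offset are assumptions for illustration; `main()` runs the 9:00-17:00 example for a zone ten hours east of UTC, and with a two-hour-east offset the results equal the constants in the payload tests of patch 3/3.

```c
#include <stdio.h>

#define DAY_SECS 86400

struct hour_match {
	unsigned int lo, hi;	/* UTC seconds since midnight, lo <= hi */
	int inverted;		/* 1: match when the value is outside [lo, hi] */
};

/* Simplified parser (not nft's): HH:MM[:SS] to seconds, -1 on error; SS may be 60. */
static int parse_hour(const char *s)
{
	unsigned int h, m, sec = 0;
	int end = 0, more = 0;

	if (sscanf(s, "%2u:%2u%n", &h, &m, &end) != 2)
		return -1;
	if (s[end] == ':') {
		if (sscanf(s + end, ":%2u%n", &sec, &more) != 1)
			return -1;
		end += more;
	}
	if (s[end] != '\0' || h > 23 || m > 59 || sec > 60)
		return -1;
	return (int)(h * 3600 + m * 60 + sec);
}

/* tz_east: assumed fixed offset of the local zone, in seconds east of UTC. */
static unsigned int local_to_utc(int local_secs, int tz_east)
{
	return (unsigned int)(((local_secs - tz_east) % DAY_SECS + DAY_SECS) % DAY_SECS);
}

/* Convert both bounds; swap and invert if the range crosses midnight in UTC. */
static int hour_range_to_utc(const char *from, const char *to, int tz_east,
			     struct hour_match *out)
{
	int a = parse_hour(from), b = parse_hour(to);

	if (a < 0 || b < 0)
		return -1;
	out->lo = local_to_utc(a, tz_east);
	out->hi = local_to_utc(b, tz_east);
	out->inverted = out->lo > out->hi;
	if (out->inverted) {
		unsigned int tmp = out->lo;
		out->lo = out->hi;
		out->hi = tmp;
	}
	return 0;
}

/* Evaluate the converted match for a packet seen at utc_now seconds of day. */
static int hour_match_eval(const struct hour_match *m, unsigned int utc_now)
{
	int inside = utc_now >= m->lo && utc_now <= m->hi;

	return m->inverted ? !inside : inside;
}

int main(void)
{
	struct hour_match m;
	if (hour_range_to_utc("09:00", "17:00", 10 * 3600, &m) == 0)
		printf("lo=%u hi=%u inverted=%d\n", m.lo, m.hi, m.inverted);
	return 0;
}
```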



* [nft PATCH v2 1/3] expression: Introduce is_symbol_value_expr() macro
  2025-07-29 16:18 [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
@ 2025-07-29 16:18 ` Phil Sutter
  2025-07-29 16:18 ` [nft PATCH v2 2/3] parser_json: Parse into symbol range expression if possible Phil Sutter
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Phil Sutter @ 2025-07-29 16:18 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Annotate and combine the 'etype' and 'symtype' checks done in bison
parser for readability and because JSON parser will start doing the same
in a follow-up patch.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 include/expression.h | 2 ++
 src/parser_bison.y   | 6 ++----
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/expression.h b/include/expression.h
index 5b60c1b0825e3..e483b7e76f4ca 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -470,6 +470,8 @@ extern struct expr *verdict_expr_alloc(const struct location *loc,
 extern struct expr *symbol_expr_alloc(const struct location *loc,
 				      enum symbol_types type, struct scope *scope,
 				      const char *identifier);
+#define is_symbol_value_expr(expr) \
+	((expr)->etype == EXPR_SYMBOL && (expr)->symtype == SYMBOL_VALUE)
 
 const char *expr_name(const struct expr *e);
 
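Review bot: The is_symbol_value_expr() macro evaluates its argument twice and accepts any pointer type, and nothing above the #define says what it tests. If struct expr is fully defined at this point in the header, a static inline bool taking const struct expr * would avoid both; if it stays a macro, a one-line comment would help, since the JSON parser is about to use it as well.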
diff --git a/src/parser_bison.y b/src/parser_bison.y
index c31fd05ec09cd..0b03e4dad1a3f 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4486,10 +4486,8 @@ prefix_rhs_expr		:	basic_rhs_expr	SLASH	NUM
 
 range_rhs_expr		:	basic_rhs_expr	DASH	basic_rhs_expr
 			{
-				if ($1->etype == EXPR_SYMBOL &&
-				    $1->symtype == SYMBOL_VALUE &&
-				    $3->etype == EXPR_SYMBOL &&
-				    $3->symtype == SYMBOL_VALUE) {
+				if (is_symbol_value_expr($1) &&
+				    is_symbol_value_expr($3)) {
 					$$ = symbol_range_expr_alloc(&@$, $1->symtype, $1->scope, $1->identifier, $3->identifier);
 					expr_free($1);
 					expr_free($3);
-- 
2.49.0



* [nft PATCH v2 2/3] parser_json: Parse into symbol range expression if possible
  2025-07-29 16:18 [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
  2025-07-29 16:18 ` [nft PATCH v2 1/3] expression: Introduce is_symbol_value_expr() macro Phil Sutter
@ 2025-07-29 16:18 ` Phil Sutter
  2025-07-29 16:18 ` [nft PATCH v2 3/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
  2025-07-30 16:38 ` [nft PATCH v2 0/3] " Pablo Neira Ayuso
  3 siblings, 0 replies; 7+ messages in thread
From: Phil Sutter @ 2025-07-29 16:18 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Apply the bison parser changes in commit 347039f64509e ("src: add symbol
range expression to further compact intervals") to JSON parser as well.

Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/parser_json.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/parser_json.c b/src/parser_json.c
index bd865de59007a..120c814bc7a9b 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -1353,7 +1353,7 @@ static struct expr *json_parse_prefix_expr(struct json_ctx *ctx,
 static struct expr *json_parse_range_expr(struct json_ctx *ctx,
 					  const char *type, json_t *root)
 {
-	struct expr *expr_low, *expr_high;
+	struct expr *expr_low, *expr_high, *tmp;
 	json_t *low, *high;
 
 	if (json_unpack_err(ctx, root, "[o, o!]", &low, &high))
@@ -1370,6 +1370,16 @@ static struct expr *json_parse_range_expr(struct json_ctx *ctx,
 		expr_free(expr_low);
 		return NULL;
 	}
+	if (is_symbol_value_expr(expr_low) && is_symbol_value_expr(expr_high)) {
+		tmp = symbol_range_expr_alloc(int_loc,
+					      SYMBOL_VALUE,
+					      expr_low->scope,
+					      expr_low->identifier,
+					      expr_high->identifier);
+		expr_free(expr_low);
+		expr_free(expr_high);
+		return tmp;
+	}
 	return range_expr_alloc(int_loc, expr_low, expr_high);
 }
 
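Review bot: In the new is_symbol_value_expr() branch only expr_low->scope is handed to symbol_range_expr_alloc(); expr_high->scope is discarded when expr_high is freed. If both bounds are guaranteed to share one scope in the JSON parser, a short comment saying so is enough; otherwise the two scopes should be compared before collapsing the bounds into one symbol range. The tmp variable could also be named for what it holds, e.g. range.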
-- 
2.49.0



* [nft PATCH v2 3/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries
  2025-07-29 16:18 [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
  2025-07-29 16:18 ` [nft PATCH v2 1/3] expression: Introduce is_symbol_value_expr() macro Phil Sutter
  2025-07-29 16:18 ` [nft PATCH v2 2/3] parser_json: Parse into symbol range expression if possible Phil Sutter
@ 2025-07-29 16:18 ` Phil Sutter
  2025-07-30 17:26   ` Pablo Neira Ayuso
  2025-07-30 16:38 ` [nft PATCH v2 0/3] " Pablo Neira Ayuso
  3 siblings, 1 reply; 7+ messages in thread
From: Phil Sutter @ 2025-07-29 16:18 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Introduction of EXPR_RANGE_SYMBOL type inadvertently disabled sanitizing
of meta hour ranges where the lower boundary has a higher value than the
upper boundary. This may happen outside of user control due to the fact
that given ranges are converted to UTC which is the kernel's native
timezone.

Restore the conditional match and op inversion by matching on the new
RHS expression type and also expand it so values are comparable. Since
this replaces the whole range expression, make it replace the
relational's RHS entirely.

While at it extend testsuites to cover these corner-cases.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1805
Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Add BZ link
- Describe expected values in nft.8
- Add test cases for "24:00", "23:59:60" and a range where upper
  boundary becomes 0:00 after conversion
- Fix JSON equivalents in py testsuite and shell testsuite expected
  results - these were leftovers from an earlier attempt at a fix
---
 doc/primary-expression.txt              |   3 +-
 src/evaluate.c                          |  25 +++-
 tests/py/any/meta.t                     |   9 ++
 tests/py/any/meta.t.json                | 182 ++++++++++++++++++++++++
 tests/py/any/meta.t.json.output         |  18 +++
 tests/py/any/meta.t.payload             |  51 +++++++
 tests/shell/testcases/listing/meta_time |  11 ++
 7 files changed, 291 insertions(+), 8 deletions(-)

diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 2266724e72598..d5495e2c86291 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -137,7 +137,8 @@ Day of week|
 Integer (8 bit) or string
 |hour|
 Hour of day|
-String
+String value in the form HH:MM or HH:MM:SS. Values are expected to be less than
+24:00, although for technical reasons, 23:59:60 is accepted, too.
 |====================
 
 .Meta expression specific types
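Review bot: The new description of hour says 23:59:60 is accepted but not what it turns into, while the test added to tests/py/any/meta.t expects it to be listed back as "00:00". Suggest stating that here, and also that the value is given in the local timezone and converted to UTC, since that conversion is what makes ranges wrap.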
diff --git a/src/evaluate.c b/src/evaluate.c
index 9c90590860585..b67c81f01c0e2 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2421,10 +2421,9 @@ static int expr_evaluate_mapping(struct eval_ctx *ctx, struct expr **expr)
 	return 0;
 }
 
-static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
+static struct expr *symbol_range_expand(struct expr *expr)
 {
-	struct expr *left, *right, *range, *constant_range;
-	struct expr *expr = *exprp;
+	struct expr *left, *right;
 
 	/* expand to symbol and range expressions to consolidate evaluation. */
 	left = symbol_expr_alloc(&expr->location, expr->symtype,
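Review bot: symbol_range_expand() only reads from expr, so the parameter in the new signature could be const struct expr *; the (struct scope *) cast applied to expr->scope in the body suggests the scope is already const-qualified there. A short comment on the helper stating that the caller owns the returned range and that the input expression is left untouched would also help, because the second caller frees the input itself.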
@@ -2433,7 +2432,16 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
 	right = symbol_expr_alloc(&expr->location, expr->symtype,
 				  (struct scope *)expr->scope,
 				  expr->identifier_range[1]);
-	range = range_expr_alloc(&expr->location, left, right);
+	return range_expr_alloc(&expr->location, left, right);
+}
+
+static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
+{
+	struct expr *left, *right, *range, *constant_range;
+	struct expr *expr = *exprp;
+
+	/* expand to symbol and range expressions to consolidate evaluation. */
+	range = symbol_range_expand(expr);
 
 	if (expr_evaluate(ctx, &range) < 0) {
 		expr_free(range);
@@ -2772,12 +2780,15 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 
 	pctx = eval_proto_ctx(ctx);
 
-	if (rel->right->etype == EXPR_RANGE && lhs_is_meta_hour(rel->left)) {
-		ret = __expr_evaluate_range(ctx, &rel->right);
+	if (lhs_is_meta_hour(rel->left) &&
+	    rel->right->etype == EXPR_RANGE_SYMBOL) {
+		range = symbol_range_expand(rel->right);
+		ret = __expr_evaluate_range(ctx, &range);
 		if (ret)
 			return ret;
 
-		range = rel->right;
+		expr_free(rel->right);
+		rel->right = range;
 
 		/*
 		 * We may need to do this for proper cross-day ranges,
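Review bot: On the error path of the new block, range comes from symbol_range_expand() and is not released before return ret, whereas expr_evaluate_symbol_range() above calls expr_free(range) when evaluation fails. Unless __expr_evaluate_range() releases it on failure, suggest adding expr_free(range) before the return so both callers of the helper behave the same way.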
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 3f0ef121a8c03..74e4ba28343d9 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -218,6 +218,15 @@ meta hour "17:00:00" drop;ok;meta hour "17:00" drop
 meta hour "17:00:01" drop;ok
 meta hour "00:00" drop;ok
 meta hour "00:01" drop;ok
+meta hour "01:01" drop;ok
+meta hour "02:02" drop;ok
+meta hour "03:03" drop;ok
+meta hour "24:00" drop;fail
+meta hour "23:59:60" drop;ok;meta hour "00:00" drop
+meta hour "00:00"-"02:02" drop;ok
+meta hour "01:01"-"03:03" drop;ok
+meta hour "02:02"-"04:04" drop;ok
+meta hour "21:00"-"02:00" drop;ok
 time < "2022-07-01 11:00:00" accept;ok;meta time < "2022-07-01 11:00:00" accept
 time > "2022-07-01 11:00:00" accept;ok;meta time > "2022-07-01 11:00:00" accept
 
diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json
index 65590388bb80d..8dcd1e13243de 100644
--- a/tests/py/any/meta.t.json
+++ b/tests/py/any/meta.t.json
@@ -2723,6 +2723,188 @@
     }
 ]
 
+# meta hour "01:01" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "01:01"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "02:02" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "02:02"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "03:03" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "03:03"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "24:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "24:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "23:59:60" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "23:59:60"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "00:00"-"02:02" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "in",
+            "right": {
+		"range": [
+		    "00:00",
+		    "02:02"
+		]
+	    }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "01:01"-"03:03" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "in",
+            "right": {
+		"range": [
+		    "01:01",
+		    "03:03"
+		]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "02:02"-"04:04" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": {
+                "range": [
+                    "02:02",
+                    "04:04"
+                ]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
+# meta hour "21:00"-"02:00" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "in",
+            "right": {
+                "range": [
+                    "21:00",
+                    "02:00"
+                ]
+            }
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
 # time < "2022-07-01 11:00:00" accept
 [
     {
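Review bot: The entry for "02:02"-"04:04" uses "op": "==" while the other three range entries use "op": "in"; if the difference is intended it deserves a comment, otherwise align it with the rest. The "range" members of the "00:00"-"02:02" and "01:01"-"03:03" entries are also indented with tabs where the surrounding lines use spaces.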
diff --git a/tests/py/any/meta.t.json.output b/tests/py/any/meta.t.json.output
index d46935dee513d..8f4d597a5034e 100644
--- a/tests/py/any/meta.t.json.output
+++ b/tests/py/any/meta.t.json.output
@@ -646,3 +646,21 @@
     }
 ]
 
+# meta hour "23:59:60" drop
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "hour"
+                }
+            },
+            "op": "==",
+            "right": "00:00"
+        }
+    },
+    {
+        "drop": null
+    }
+]
+
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index 52c3efa84eb5d..3f9f3f22aecf9 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -1052,6 +1052,57 @@ ip meta-test input
   [ cmp eq reg 1 0x0001359c ]
   [ immediate reg 0 drop ]
 
+# meta hour "01:01" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x000143ac ]
+  [ immediate reg 0 drop ]
+
+# meta hour "02:02" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x00000078 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "03:03" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x00000ec4 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "23:59:60" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ cmp eq reg 1 0x00013560 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "00:00"-"02:02" drop
+  [ meta load hour => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0x78000000 0x60350100 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "01:01"-"03:03" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0xc40e0000 0xac430100 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "02:02"-"04:04" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range eq reg 1 0x78000000 0x101d0000 ]
+  [ immediate reg 0 drop ]
+
+# meta hour "21:00"-"02:00" drop
+ip test-ip4 input
+  [ meta load hour => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+  [ range neq reg 1 0x00000000 0x300b0100 ]
+  [ immediate reg 0 drop ]
+
 # time < "2022-07-01 11:00:00" accept
 ip test-ip4 input
   [ meta load time => reg 1 ]
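Review bot: The block for "00:00"-"02:02" is missing the "ip test-ip4 input" line that every other added block carries between the comment and the first expression. Suggest adding it so the entry has the same shape as its neighbours.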
diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time
index 96a9d5570fd14..0f5bdec942f0a 100755
--- a/tests/shell/testcases/listing/meta_time
+++ b/tests/shell/testcases/listing/meta_time
@@ -65,3 +65,14 @@ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 5 0 16 0 >> "$TMP1"
 printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 6 0 17 0 >> "$TMP1"
 
 check_decode EADT
+
+$NFT flush chain t c
+TZ=UTC-2 $NFT add rule t c meta hour "00:00"-"01:00"
+TZ=UTC-2 $NFT add rule t c meta hour "00:00"-"03:00"
+TZ=UTC-2 $NFT add rule t c meta hour "01:00"-"04:00"
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 1 0 > "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 3 0 >> "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 1 0 4 0 >> "$TMP1"
+
+check_decode UTC-2
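Review bot: None of the three TZ=UTC-2 ranges has a bound that lands exactly on 00:00 UTC, which is the corner case the changelog mentions; adding "00:00"-"02:00" would cover it in the listing test too. A comment noting which of the rules wrap in UTC would make the expected output easier to check.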
-- 
2.49.0



* Re: [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries
  2025-07-29 16:18 [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
                   ` (2 preceding siblings ...)
  2025-07-29 16:18 ` [nft PATCH v2 3/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
@ 2025-07-30 16:38 ` Pablo Neira Ayuso
  2025-07-30 17:27   ` Pablo Neira Ayuso
  3 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2025-07-30 16:38 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Tue, Jul 29, 2025 at 06:18:29PM +0200, Phil Sutter wrote:
> Kernel's timezone is UTC, so 'meta hour' returns seconds since UTC start
> of day. To match against this, user space has to convert the RHS value
> given in local timezone into UTC. With ranges (e.g. 9:00-17:00),
> depending on the local timezone, these may span midnight in UTC (e.g.
> 23:00-7:00) and thus need to be converted into a proper range again
> (e.g. 7:00-23:00, inverted). Since nftables commit 347039f64509e ("src:
> add symbol range expression to further compact intervals"), this
> conversion was broken.

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>


* Re: [nft PATCH v2 3/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries
  2025-07-29 16:18 ` [nft PATCH v2 3/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
@ 2025-07-30 17:26   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2025-07-30 17:26 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

Hi Phil,

On Tue, Jul 29, 2025 at 06:18:32PM +0200, Phil Sutter wrote:
> @@ -2772,12 +2780,15 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
>  
>  	pctx = eval_proto_ctx(ctx);
>  
> -	if (rel->right->etype == EXPR_RANGE && lhs_is_meta_hour(rel->left)) {
> -		ret = __expr_evaluate_range(ctx, &rel->right);
> +	if (lhs_is_meta_hour(rel->left) &&
> +	    rel->right->etype == EXPR_RANGE_SYMBOL) {

I just realised that we cannot just replace one expression type by
another.

For relational, this needs to handle EXPR_RANGE too, because this
generates a range expression, for instance:

define end="14:00"

table ip x {
        chain y {
                meta hour "13:00"-$end
        }
}

This code is a bit special, it happens before the range evaluation.
For relational expressions, this is translated to EXPR_RANGE. Only
sets are using EXPR_RANGE_VALUE, relational expressions still use
EXPR_RANGE.

So this special case can see either EXPR_RANGE or EXPR_RANGE_SYMBOL.

> +		range = symbol_range_expand(rel->right);

Then, this conversion above only needs to happen for EXPR_RANGE_SYMBOL.

> +		ret = __expr_evaluate_range(ctx, &range);
>  		if (ret)
>  			return ret;
>  
> -		range = rel->right;
> +		expr_free(rel->right);
> +		rel->right = range;
>  
>  		/*
>  		 * We may need to do this for proper cross-day ranges,
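Review bot: For the respin, expanding only when rel->right->etype is EXPR_RANGE_SYMBOL and evaluating an existing EXPR_RANGE in place would keep both inputs on the swap path. A test with a defined bound, like the "13:00"-$end rule above, would pin this down, since none of the tests added in this patch uses a variable.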



* Re: [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries
  2025-07-30 16:38 ` [nft PATCH v2 0/3] " Pablo Neira Ayuso
@ 2025-07-30 17:27   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2025-07-30 17:27 UTC (permalink / raw)
  To: Phil Sutter; +Cc: netfilter-devel

On Wed, Jul 30, 2025 at 06:38:54PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jul 29, 2025 at 06:18:29PM +0200, Phil Sutter wrote:
> > Kernel's timezone is UTC, so 'meta hour' returns seconds since UTC start
> > of day. To match against this, user space has to convert the RHS value
> > given in local timezone into UTC. With ranges (e.g. 9:00-17:00),
> > depending on the local timezone, these may span midnight in UTC (e.g.
> > 23:00-7:00) and thus need to be converted into a proper range again
> > (e.g. 7:00-23:00, inverted). Since nftables commit 347039f64509e ("src:
> > add symbol range expression to further compact intervals"), this
> > conversion was broken.
> 
> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

Sorry, I found an issue in 3/3.
