* [nft PATCH v2 2/3] parser_json: Parse into symbol range expression if possible
2025-07-29 16:18 [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
2025-07-29 16:18 ` [nft PATCH v2 1/3] expression: Introduce is_symbol_value_expr() macro Phil Sutter
@ 2025-07-29 16:18 ` Phil Sutter
2025-07-29 16:18 ` [nft PATCH v2 3/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
2025-07-30 16:38 ` [nft PATCH v2 0/3] " Pablo Neira Ayuso
3 siblings, 0 replies; 7+ messages in thread
From: Phil Sutter @ 2025-07-29 16:18 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Apply the bison parser changes in commit 347039f64509e ("src: add symbol
range expression to further compact intervals") to JSON parser as well.
Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
src/parser_json.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/parser_json.c b/src/parser_json.c
index bd865de59007a..120c814bc7a9b 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -1353,7 +1353,7 @@ static struct expr *json_parse_prefix_expr(struct json_ctx *ctx,
static struct expr *json_parse_range_expr(struct json_ctx *ctx,
const char *type, json_t *root)
{
- struct expr *expr_low, *expr_high;
+ struct expr *expr_low, *expr_high, *tmp;
json_t *low, *high;
if (json_unpack_err(ctx, root, "[o, o!]", &low, &high))
@@ -1370,6 +1370,16 @@ static struct expr *json_parse_range_expr(struct json_ctx *ctx,
expr_free(expr_low);
return NULL;
}
+ if (is_symbol_value_expr(expr_low) && is_symbol_value_expr(expr_high)) {
+ tmp = symbol_range_expr_alloc(int_loc,
+ SYMBOL_VALUE,
+ expr_low->scope,
+ expr_low->identifier,
+ expr_high->identifier);
+ expr_free(expr_low);
+ expr_free(expr_high);
+ return tmp;
+ }
return range_expr_alloc(int_loc, expr_low, expr_high);
}
--
2.49.0
^ permalink raw reply related [flat|nested] 7+ messages in thread* [nft PATCH v2 3/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries
2025-07-29 16:18 [nft PATCH v2 0/3] evaluate: Fix for 'meta hour' ranges spanning date boundaries Phil Sutter
2025-07-29 16:18 ` [nft PATCH v2 1/3] expression: Introduce is_symbol_value_expr() macro Phil Sutter
2025-07-29 16:18 ` [nft PATCH v2 2/3] parser_json: Parse into symbol range expression if possible Phil Sutter
@ 2025-07-29 16:18 ` Phil Sutter
2025-07-30 17:26 ` Pablo Neira Ayuso
2025-07-30 16:38 ` [nft PATCH v2 0/3] " Pablo Neira Ayuso
3 siblings, 1 reply; 7+ messages in thread
From: Phil Sutter @ 2025-07-29 16:18 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Introduction of EXPR_RANGE_SYMBOL type inadvertently disabled sanitizing
of meta hour ranges where the lower boundary has a higher value than the
upper boundary. This may happen outside of user control due to the fact
that given ranges are converted to UTC which is the kernel's native
timezone.
Restore the conditional match and op inversion by matching on the new
RHS expression type and also expand it so values are comparable. Since
this replaces the whole range expression, make it replace the
relational's RHS entirely.
While at it extend testsuites to cover these corner-cases.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1805
Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Add BZ link
- Describe expected values in nft.8
- Add test cases for "24:00", "23:59:60" and a range where upper
boundary becomes 0:00 after conversion
- Fix JSON equivalents in py testsuite and shell testsuite expected
results - these were leftovers from an earlier attempt at a fix
---
doc/primary-expression.txt | 3 +-
src/evaluate.c | 25 +++-
tests/py/any/meta.t | 9 ++
tests/py/any/meta.t.json | 182 ++++++++++++++++++++++++
tests/py/any/meta.t.json.output | 18 +++
tests/py/any/meta.t.payload | 51 +++++++
tests/shell/testcases/listing/meta_time | 11 ++
7 files changed, 291 insertions(+), 8 deletions(-)
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 2266724e72598..d5495e2c86291 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -137,7 +137,8 @@ Day of week|
Integer (8 bit) or string
|hour|
Hour of day|
-String
+String value in the form HH:MM or HH:MM:SS. Values are expected to be less than
+24:00, although for technical reasons, 23:59:60 is accepted, too.
|====================
.Meta expression specific types
diff --git a/src/evaluate.c b/src/evaluate.c
index 9c90590860585..b67c81f01c0e2 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2421,10 +2421,9 @@ static int expr_evaluate_mapping(struct eval_ctx *ctx, struct expr **expr)
return 0;
}
-static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
+static struct expr *symbol_range_expand(struct expr *expr)
{
- struct expr *left, *right, *range, *constant_range;
- struct expr *expr = *exprp;
+ struct expr *left, *right;
/* expand to symbol and range expressions to consolidate evaluation. */
left = symbol_expr_alloc(&expr->location, expr->symtype,
@@ -2433,7 +2432,16 @@ static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
right = symbol_expr_alloc(&expr->location, expr->symtype,
(struct scope *)expr->scope,
expr->identifier_range[1]);
- range = range_expr_alloc(&expr->location, left, right);
+ return range_expr_alloc(&expr->location, left, right);
+}
+
+static int expr_evaluate_symbol_range(struct eval_ctx *ctx, struct expr **exprp)
+{
+ struct expr *left, *right, *range, *constant_range;
+ struct expr *expr = *exprp;
+
+ /* expand to symbol and range expressions to consolidate evaluation. */
+ range = symbol_range_expand(expr);
if (expr_evaluate(ctx, &range) < 0) {
expr_free(range);
@@ -2772,12 +2780,15 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
pctx = eval_proto_ctx(ctx);
- if (rel->right->etype == EXPR_RANGE && lhs_is_meta_hour(rel->left)) {
- ret = __expr_evaluate_range(ctx, &rel->right);
+ if (lhs_is_meta_hour(rel->left) &&
+ rel->right->etype == EXPR_RANGE_SYMBOL) {
+ range = symbol_range_expand(rel->right);
+ ret = __expr_evaluate_range(ctx, &range);
if (ret)
return ret;
- range = rel->right;
+ expr_free(rel->right);
+ rel->right = range;
/*
* We may need to do this for proper cross-day ranges,
diff --git a/tests/py/any/meta.t b/tests/py/any/meta.t
index 3f0ef121a8c03..74e4ba28343d9 100644
--- a/tests/py/any/meta.t
+++ b/tests/py/any/meta.t
@@ -218,6 +218,15 @@ meta hour "17:00:00" drop;ok;meta hour "17:00" drop
meta hour "17:00:01" drop;ok
meta hour "00:00" drop;ok
meta hour "00:01" drop;ok
+meta hour "01:01" drop;ok
+meta hour "02:02" drop;ok
+meta hour "03:03" drop;ok
+meta hour "24:00" drop;fail
+meta hour "23:59:60" drop;ok;meta hour "00:00" drop
+meta hour "00:00"-"02:02" drop;ok
+meta hour "01:01"-"03:03" drop;ok
+meta hour "02:02"-"04:04" drop;ok
+meta hour "21:00"-"02:00" drop;ok
time < "2022-07-01 11:00:00" accept;ok;meta time < "2022-07-01 11:00:00" accept
time > "2022-07-01 11:00:00" accept;ok;meta time > "2022-07-01 11:00:00" accept
diff --git a/tests/py/any/meta.t.json b/tests/py/any/meta.t.json
index 65590388bb80d..8dcd1e13243de 100644
--- a/tests/py/any/meta.t.json
+++ b/tests/py/any/meta.t.json
@@ -2723,6 +2723,188 @@
}
]
+# meta hour "01:01" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "==",
+ "right": "01:01"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# meta hour "02:02" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "==",
+ "right": "02:02"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# meta hour "03:03" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "==",
+ "right": "03:03"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# meta hour "24:00" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "==",
+ "right": "24:00"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# meta hour "23:59:60" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "==",
+ "right": "23:59:60"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# meta hour "00:00"-"02:02" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "in",
+ "right": {
+ "range": [
+ "00:00",
+ "02:02"
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# meta hour "01:01"-"03:03" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "in",
+ "right": {
+ "range": [
+ "01:01",
+ "03:03"
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# meta hour "02:02"-"04:04" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [
+ "02:02",
+ "04:04"
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
+# meta hour "21:00"-"02:00" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "in",
+ "right": {
+ "range": [
+ "21:00",
+ "02:00"
+ ]
+ }
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
# time < "2022-07-01 11:00:00" accept
[
{
diff --git a/tests/py/any/meta.t.json.output b/tests/py/any/meta.t.json.output
index d46935dee513d..8f4d597a5034e 100644
--- a/tests/py/any/meta.t.json.output
+++ b/tests/py/any/meta.t.json.output
@@ -646,3 +646,21 @@
}
]
+# meta hour "23:59:60" drop
+[
+ {
+ "match": {
+ "left": {
+ "meta": {
+ "key": "hour"
+ }
+ },
+ "op": "==",
+ "right": "00:00"
+ }
+ },
+ {
+ "drop": null
+ }
+]
+
diff --git a/tests/py/any/meta.t.payload b/tests/py/any/meta.t.payload
index 52c3efa84eb5d..3f9f3f22aecf9 100644
--- a/tests/py/any/meta.t.payload
+++ b/tests/py/any/meta.t.payload
@@ -1052,6 +1052,57 @@ ip meta-test input
[ cmp eq reg 1 0x0001359c ]
[ immediate reg 0 drop ]
+# meta hour "01:01" drop
+ip test-ip4 input
+ [ meta load hour => reg 1 ]
+ [ cmp eq reg 1 0x000143ac ]
+ [ immediate reg 0 drop ]
+
+# meta hour "02:02" drop
+ip test-ip4 input
+ [ meta load hour => reg 1 ]
+ [ cmp eq reg 1 0x00000078 ]
+ [ immediate reg 0 drop ]
+
+# meta hour "03:03" drop
+ip test-ip4 input
+ [ meta load hour => reg 1 ]
+ [ cmp eq reg 1 0x00000ec4 ]
+ [ immediate reg 0 drop ]
+
+# meta hour "23:59:60" drop
+ip test-ip4 input
+ [ meta load hour => reg 1 ]
+ [ cmp eq reg 1 0x00013560 ]
+ [ immediate reg 0 drop ]
+
+# meta hour "00:00"-"02:02" drop
+ [ meta load hour => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ range neq reg 1 0x78000000 0x60350100 ]
+ [ immediate reg 0 drop ]
+
+# meta hour "01:01"-"03:03" drop
+ip test-ip4 input
+ [ meta load hour => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ range neq reg 1 0xc40e0000 0xac430100 ]
+ [ immediate reg 0 drop ]
+
+# meta hour "02:02"-"04:04" drop
+ip test-ip4 input
+ [ meta load hour => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ range eq reg 1 0x78000000 0x101d0000 ]
+ [ immediate reg 0 drop ]
+
+# meta hour "21:00"-"02:00" drop
+ip test-ip4 input
+ [ meta load hour => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ range neq reg 1 0x00000000 0x300b0100 ]
+ [ immediate reg 0 drop ]
+
# time < "2022-07-01 11:00:00" accept
ip test-ip4 input
[ meta load time => reg 1 ]
diff --git a/tests/shell/testcases/listing/meta_time b/tests/shell/testcases/listing/meta_time
index 96a9d5570fd14..0f5bdec942f0a 100755
--- a/tests/shell/testcases/listing/meta_time
+++ b/tests/shell/testcases/listing/meta_time
@@ -65,3 +65,14 @@ printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 5 0 16 0 >> "$TMP1"
printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 6 0 17 0 >> "$TMP1"
check_decode EADT
+
+$NFT flush chain t c
+TZ=UTC-2 $NFT add rule t c meta hour "00:00"-"01:00"
+TZ=UTC-2 $NFT add rule t c meta hour "00:00"-"03:00"
+TZ=UTC-2 $NFT add rule t c meta hour "01:00"-"04:00"
+
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 1 0 > "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 0 0 3 0 >> "$TMP1"
+printf "\t\tmeta hour \"%02d:%02d\"-\"%02d:%02d\"\n" 1 0 4 0 >> "$TMP1"
+
+check_decode UTC-2
--
2.49.0
^ permalink raw reply related [flat|nested] 7+ messages in thread