[nft,2/4] evaluate: bogus missing transport protocol

Message ID	20230404143437.133493-3-pablo@netfilter.org
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Pablo Neira Ayuso <pablo@netfilter.org> To: netfilter-devel@vger.kernel.org Subject: [PATCH nft 2/4] evaluate: bogus missing transport protocol Date: Tue, 4 Apr 2023 16:34:35 +0200 Message-Id: <20230404143437.133493-3-pablo@netfilter.org> In-Reply-To: <20230404143437.133493-1-pablo@netfilter.org> References: <20230404143437.133493-1-pablo@netfilter.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	revisit NAT redirect support \| expand [nft,0/4] revisit NAT redirect support [nft,1/4] optimize: assert nat type on nat statement helper [nft,2/4] evaluate: bogus missing transport protocol [nft,3/4] netlink_delinearize: do not reset protocol context for nat protocol expression [nft,4/4] optimize: support for redirect and masquerade

Message ID

20230404143437.133493-3-pablo@netfilter.org

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nft 2/4] evaluate: bogus missing transport protocol
Date: Tue,  4 Apr 2023 16:34:35 +0200
Message-Id: <20230404143437.133493-3-pablo@netfilter.org>
In-Reply-To: <20230404143437.133493-1-pablo@netfilter.org>
References: <20230404143437.133493-1-pablo@netfilter.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

revisit NAT redirect support | expand

Commit Message

Pablo Neira Ayuso April 4, 2023, 2:34 p.m. UTC

Users have to specify a transport protocol match such as

	meta protocol tcp

before the redirect statement, even if the redirect statement already
implicitly refers to the transport protocol, for instance:

test.nft:3:16-53: Error: transport protocol mapping is only valid after transport protocol match
                redirect to :tcp dport map { 83 : 8083, 84 : 8084 }
                ~~~~~~~~     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Evaluate the redirect expression before the mandatory check for the
transport protocol match, so protocol context already provides a
transport protocol.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index c4ddb007ef44..fe15d7ace5dd 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3569,6 +3569,13 @@  static int nat_evaluate_transport(struct eval_ctx *ctx, struct stmt *stmt,
 				  struct expr **expr)
 {
 	struct proto_ctx *pctx = eval_proto_ctx(ctx);
+	int err;
+
+	err = stmt_evaluate_arg(ctx, stmt,
+				&inet_service_type, 2 * BITS_PER_BYTE,
+				BYTEORDER_BIG_ENDIAN, expr);
+	if (err < 0)
+		return err;
 
 	if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL &&
 	    !nat_evaluate_addr_has_th_expr(stmt->nat.addr))
@@ -3576,9 +3583,7 @@  static int nat_evaluate_transport(struct eval_ctx *ctx, struct stmt *stmt,
 					 "transport protocol mapping is only "
 					 "valid after transport protocol match");
 
-	return stmt_evaluate_arg(ctx, stmt,
-				 &inet_service_type, 2 * BITS_PER_BYTE,
-				 BYTEORDER_BIG_ENDIAN, expr);
+	return 0;
 }
 
 static const char *stmt_name(const struct stmt *stmt)

[nft,2/4] evaluate: bogus missing transport protocol

Commit Message

Patch