ahill/nftables
1
0
Fork 0
mirror of https://git.netfilter.org/nftables synced 2026-01-26 10:34:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

ct: use inet_service_type for proto-src and proto-dst

Browse Source 
Instead of using the invalid type.

Problem was uncovered by this ruleset:

 table ip foo {
        map pinned {
                typeof ip daddr . ct original proto-dst : ip daddr . tcp dport
                size 65535
                flags dynamic,timeout
                timeout 6m
        }

        chain pr {
                meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
        }
 }

resulting in the following misleading error:

map-broken.nft:10:51-82: Error: datatype mismatch: expected concatenation of (IPv4 address), expression has type concatenation of (IPv4 address, internet network service)
                meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
                                 ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Pablo Neira Ayuso 2022-12-22 12:49:59 +01:00
parent 0fe79458cb
commit f470e181d8
3 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/ct.c
View File

@ -271,10 +271,10 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
[NFT_CT_PROTOCOL] = CT_TEMPLATE("protocol", &inet_protocol_type,
BYTEORDER_BIG_ENDIAN,
BITS_PER_BYTE),
[NFT_CT_PROTO_SRC] = CT_TEMPLATE("proto-src", &invalid_type,
[NFT_CT_PROTO_SRC] = CT_TEMPLATE("proto-src", &inet_service_type,
BYTEORDER_BIG_ENDIAN,
2 * BITS_PER_BYTE),
[NFT_CT_PROTO_DST] = CT_TEMPLATE("proto-dst", &invalid_type,
[NFT_CT_PROTO_DST] = CT_TEMPLATE("proto-dst", &inet_service_type,
BYTEORDER_BIG_ENDIAN,
2 * BITS_PER_BYTE),
[NFT_CT_LABELS] = CT_TEMPLATE("label", &ct_label_type,

1
tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
View File

@ -8,5 +8,6 @@ table ip foo {
chain pr {
update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
}
}

1
tests/shell/testcases/maps/typeof_maps_concat_update_0
View File

@ -11,6 +11,7 @@ EXPECTED="table ip foo {
}
chain pr {
update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
}
}"