]>
git.ipfire.org Git - thirdparty/nftables.git/commit
meta: skip protocol context update for nfproto with same table family
Inefficient bytecode crashes ruleset listing:
[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ] <-- this specifies NFPROTO_IPV4 but table family is IPv4!
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp gte reg 1 0x1000000a ]
[ cmp lte reg 1 0x1f00000a ]
[ masq ]
This IPv4 table obviously only see IPv4 traffic, but bytecode specifies
a redundant match on NFPROTO_IPV4.
After this patch, listing works:
# nft list ruleset
table ip crash {
chain crash {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.0.0.16-10.0.0.31 masquerade
}
}
Skip protocol context update in case that this information is redundant.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1562
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
projects / thirdparty / nftables.git / commit
