parser_bison: missing tproxy syntax with port only for inet family

 # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
 Error: syntax error, unexpected colon
 add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
                                                                              ^

Syntax with no protocol for tproxy complains with:

 # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
 Error: Conflicting network layer protocols.
 add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
                                                                 ^^^^^^^^^^^^^^^

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 65b3fb3ebac24351a499cf5cd9992412370880fe..50642b4e02f45a685ac32e81bdab101b7ce340ad 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2687,6 +2687,12 @@ tproxy_stmt              :       TPROXY TO stmt_expr
                                $$->tproxy.addr = $4;
                                $$->tproxy.port = $6;
                        }
+                       |       TPROXY nf_key_proto     TO COLON stmt_expr
+                       {
+                               $$ = tproxy_stmt_alloc(&@$);
+                               $$->tproxy.family = $2;
+                               $$->tproxy.port = $5;
+                       }
                        ;
 
 primary_stmt_expr      :       symbol_expr             { $$ = $1; }

diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
index f80f77347b864db3ad02d9cd99299836c7a889be..0ba78ef1826a24ecb6b289fca3d4a3ee9a43146d 100644 (file)
--- a/tests/py/inet/tproxy.t
+++ b/tests/py/inet/tproxy.t
@@ -15,6 +15,7 @@ meta l4proto 6 tproxy ip6 to [2001:db8::1];ok
 meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok
 ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
 
-meta l4proto 17 tproxy ip to :50080;fail
-meta l4proto 17 tproxy ip6 to :50080;fail
+meta l4proto 17 tproxy ip to :50080;ok
+meta l4proto 17 tproxy ip6 to :50080;ok
 meta l4proto 17 tproxy to :50080;ok
+ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000;ok

diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
index 4b18460d8b8d3dfa38f31edee5b590b68f2d0567..8a6ba03656059eb18fe8839714dfeee4193c6114 100644 (file)
--- a/tests/py/inet/tproxy.t.payload
+++ b/tests/py/inet/tproxy.t.payload
@@ -35,3 +35,29 @@ inet x y
   [ immediate reg 1 0x0000a0c3 ]
   [ tproxy port reg 1 ]
 
+# meta l4proto 17 tproxy ip to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip port reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip6 port reg 1 ]
+
+# ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
+inet x y 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00000000 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000d007 ]
+  [ tproxy ip port reg 1 ]
+

diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t
index dbd8f5e90a04b7669106ae359e05cb1ec458ceeb..966898c037b26658ada1edd7a60a106049a977f6 100644 (file)
--- a/tests/py/ip/tproxy.t
+++ b/tests/py/ip/tproxy.t
@@ -11,4 +11,4 @@ meta l4proto 6 tproxy to 192.0.2.1:50080;ok
 ip protocol 6 tproxy to :50080;ok
 meta l4proto 17 tproxy ip to 192.0.2.1;ok;meta l4proto 17 tproxy to 192.0.2.1
 meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok;meta l4proto 6 tproxy to 192.0.2.1:50080
-ip protocol 6 tproxy ip to :50080;fail
+ip protocol 6 tproxy ip to :50080;ok

diff --git a/tests/py/ip/tproxy.t.payload b/tests/py/ip/tproxy.t.payload
index 035651f48cb3068962ff8b830b6bff647939e1b1..dfe830ec3715274fd58091bff89746d2f3ff0ae3 100644 (file)
--- a/tests/py/ip/tproxy.t.payload
+++ b/tests/py/ip/tproxy.t.payload
@@ -34,3 +34,11 @@ ip x y
   [ immediate reg 1 0x010200c0 ]
   [ immediate reg 2 0x0000a0c3 ]
   [ tproxy ip addr reg 1 port reg 2 ]
+
+# ip protocol 6 tproxy ip to :50080
+ip x y 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip port reg 1 ]
+

diff --git a/tests/py/ip6/tproxy.t b/tests/py/ip6/tproxy.t
index 4e48d81f13cc98f5a8346a23660d13111d48daaa..48fe4ca76505239aed833c1d83ddd60d836e8e6f 100644 (file)
--- a/tests/py/ip6/tproxy.t
+++ b/tests/py/ip6/tproxy.t
@@ -11,4 +11,4 @@ meta l4proto 17 tproxy to [2001:db8::1]:50080;ok
 meta l4proto 6 tproxy to :50080;ok
 meta l4proto 6 tproxy ip6 to [2001:db8::1];ok;meta l4proto 6 tproxy to [2001:db8::1]
 meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok;meta l4proto 17 tproxy to [2001:db8::1]:50080
-meta l4proto 6 tproxy ip6 to :50080;fail
+meta l4proto 6 tproxy ip6 to :50080;ok

diff --git a/tests/py/ip6/tproxy.t.payload b/tests/py/ip6/tproxy.t.payload
index c78c8a1dd20a740b80f4451cf90a7bda3a2f4ec9..9f28e80b4142cc6d40f6751e00bf185eed9e2894 100644 (file)
--- a/tests/py/ip6/tproxy.t.payload
+++ b/tests/py/ip6/tproxy.t.payload
@@ -35,3 +35,10 @@ ip6 x y
   [ immediate reg 2 0x0000a0c3 ]
   [ tproxy ip6 addr reg 1 port reg 2 ]
 
+# meta l4proto 6 tproxy ip6 to :50080
+ip6 x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip6 port reg 1 ]
+