evaluate: tproxy: move range error checks after arg evaluation

commit 1d03ab5267bdbc7c0bcb041efaad42a462fdeb5f upstream.

Testing for range before evaluation will still crash us later during
netlink linearization, prefixes turn into ranges, symbolic expression
might hide a range/prefix.

So move this after the argument has been evaluated.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/evaluate.c b/src/evaluate.c
index 2a22f6a0d3b12873226face50d67fe963cad0f21..1e7ee9f47324d0e813f45092ceaffbeb1628a790 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3915,22 +3915,22 @@ static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
                return err;
 
        if (stmt->tproxy.addr != NULL) {
-               if (stmt->tproxy.addr->etype == EXPR_RANGE)
-                       return stmt_error(ctx, stmt, "Address ranges are not supported for tproxy.");
-
                err = stmt_evaluate_addr(ctx, stmt, &stmt->tproxy.family,
                                         &stmt->tproxy.addr);
-
                if (err < 0)
                        return err;
+
+               if (stmt->tproxy.addr->etype == EXPR_RANGE)
+                       return stmt_error(ctx, stmt, "Address ranges are not supported for tproxy.");
        }
 
        if (stmt->tproxy.port != NULL) {
-               if (stmt->tproxy.port->etype == EXPR_RANGE)
-                       return stmt_error(ctx, stmt, "Port ranges are not supported for tproxy.");
                err = nat_evaluate_transport(ctx, stmt, &stmt->tproxy.port);
                if (err < 0)
                        return err;
+
+               if (stmt->tproxy.port->etype == EXPR_RANGE)
+                       return stmt_error(ctx, stmt, "Port ranges are not supported for tproxy.");
        }
 
        return 0;

diff --git a/tests/shell/testcases/bogons/nft-f/tproxy_ranges b/tests/shell/testcases/bogons/nft-f/tproxy_ranges
new file mode 100644 (file)
index 0000000..1230860
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/tproxy_ranges
@@ -0,0 +1,8 @@
+define range = 42-80
+
+table t {
+       chain c {
+               tcp dport 42 tproxy to 192.168.0.1:$range
+               tcp dport 42 tproxy to 192.168.0.0/16
+       }
+}