meta: skip protocol context update for nfproto with same table family

Inefficient bytecode crashes ruleset listing:

[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ] <-- this specifies NFPROTO_IPV4 but table family is IPv4!
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp gte reg 1 0x1000000a ]
[ cmp lte reg 1 0x1f00000a ]
[ masq ]

This IPv4 table obviously only see IPv4 traffic, but bytecode specifies
a redundant match on NFPROTO_IPV4.

After this patch, listing works:

 # nft list ruleset
 table ip crash {
        chain crash {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.0.0.16-10.0.0.31 masquerade
        }
 }

Skip protocol context update in case that this information is redundant.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1562
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/meta.c b/src/meta.c
index dcf971a5dd6274328ce6e624313c1da1faef4605..3be270a4253cf7dbac5df1efb4d16b9c185714be 100644 (file)
--- a/src/meta.c
+++ b/src/meta.c
@@ -773,6 +773,11 @@ static void meta_expr_pctx_update(struct proto_ctx *ctx,
                break;
        case NFT_META_NFPROTO:
                protonum = mpz_get_uint8(right->value);
+               if (protonum == NFPROTO_IPV4 && h->desc == &proto_ip)
+                       break;
+               else if (protonum == NFPROTO_IPV6 && h->desc == &proto_ip6)
+                       break;
+
                desc = proto_find_upper(h->desc, protonum);
                if (desc == NULL) {
                        desc = &proto_unknown;