optimize: skip variables in nat statements

commit bc1f910f502701f1a1d28c7bd723e4be3bac1d8c upstream.

Do not hit assert():

  nft: optimize.c:486: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed.

variables are not supported by -o/--optimize at this stage.

Fixes: 9be404a153bc ("optimize: ignore existing nat mapping")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/optimize.c b/src/optimize.c
index 5aee74b703549915d92a95287c89c22be09ae9e7..dd7385bae31adf9a82aac42cde4459b1adba505a 100644 (file)
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -407,9 +407,11 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
                        break;
                case STMT_NAT:
                        if ((stmt->nat.addr &&
-                            stmt->nat.addr->etype == EXPR_MAP) ||
+                            (stmt->nat.addr->etype == EXPR_MAP ||
+                             stmt->nat.addr->etype == EXPR_VARIABLE)) ||
                            (stmt->nat.proto &&
-                            stmt->nat.proto->etype == EXPR_MAP)) {
+                            (stmt->nat.proto->etype == EXPR_MAP ||
+                             stmt->nat.proto->etype == EXPR_VARIABLE))) {
                                clone->ops = &unsupported_stmt_ops;
                                break;
                        }

diff --git a/tests/shell/testcases/optimizations/variables b/tests/shell/testcases/optimizations/variables
index fa986065006b6d7c40c04d63d1a7c7a16e37ae23..4cb322dbc73ca2870ffed3aabc6aeab5a2978784 100755 (executable)
--- a/tests/shell/testcases/optimizations/variables
+++ b/tests/shell/testcases/optimizations/variables
@@ -2,14 +2,52 @@
 
 set -e
 
-RULESET="define addrv4_vpnnet = 10.1.0.0/16
+RULESET='define addrv4_vpnnet = 10.1.0.0/16
+define wan = "eth0"
+define lan = "eth1"
+define vpn = "tun0"
+define server = "10.10.10.1"
 
-table ip nat {
-    chain postrouting {
-        type nat hook postrouting priority 0; policy accept;
+table inet filter {
+       chain input {
+               type filter hook input priority 0; policy drop;
+       }
+       chain forward {
+               type filter hook forward priority 1; policy drop;
 
-        ip saddr \$addrv4_vpnnet counter masquerade fully-random comment \"masquerade ipv4\"
-    }
-}"
+               iifname $lan oifname $lan accept;
+
+               iifname $lan oifname $wan ct state new accept
+               iifname $lan oifname $wan ct state {established, related} accept
+
+               iifname $wan oifname $lan ct state {established, related} accept
+
+               iifname $vpn oifname $wan accept
+               iifname $wan oifname $vpn accept
+               iifname $lan oifname $vpn accept
+               iifname $vpn oifname $lan accept
+
+               iifname $lan oifname $server accept
+               iifname $server oifname $lan accept
+               iifname $server oifname $wan accept
+               iifname $wan oifname $server accept
+       }
+       chain output {
+               type filter hook output priority 0; policy drop;
+       }
+}
+
+table nat {
+       chain prerouting {
+               type nat hook prerouting priority -100; policy accept;
+               iifname $wan tcp dport 10000 dnat to $server:10000;
+       }
+       chain postrouting {
+               type nat hook postrouting priority 100; policy accept;
+               ip saddr $addrv4_vpnnet counter masquerade fully-random comment "masquerade ipv4"
+               oifname $vpn masquerade
+               oifname $wan masquerade
+       }
+}'
 
 $NFT -c -o -f - <<< $RULESET