ct: use inet_service_type for proto-src and proto-dst

Instead of using the invalid type.

Problem was uncovered by this ruleset:

 table ip foo {
        map pinned {
                typeof ip daddr . ct original proto-dst : ip daddr . tcp dport
                size 65535
                flags dynamic,timeout
                timeout 6m
        }

        chain pr {
                meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
        }
 }

resulting in the following misleading error:

map-broken.nft:10:51-82: Error: datatype mismatch: expected concatenation of (IPv4 address), expression has type concatenation of (IPv4 address, internet network service)
                meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
                                 ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/ct.c b/src/ct.c
index e246d30392407c917c89a9324466c049a679d992..64327561d08920490c1972edc5a346f8eca5f586 100644 (file)
--- a/src/ct.c
+++ b/src/ct.c
@@ -271,10 +271,10 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
        [NFT_CT_PROTOCOL]       = CT_TEMPLATE("protocol",   &inet_protocol_type,
                                              BYTEORDER_BIG_ENDIAN,
                                              BITS_PER_BYTE),
-       [NFT_CT_PROTO_SRC]      = CT_TEMPLATE("proto-src",  &invalid_type,
+       [NFT_CT_PROTO_SRC]      = CT_TEMPLATE("proto-src",  &inet_service_type,
                                              BYTEORDER_BIG_ENDIAN,
                                              2 * BITS_PER_BYTE),
-       [NFT_CT_PROTO_DST]      = CT_TEMPLATE("proto-dst",  &invalid_type,
+       [NFT_CT_PROTO_DST]      = CT_TEMPLATE("proto-dst",  &inet_service_type,
                                              BYTEORDER_BIG_ENDIAN,
                                              2 * BITS_PER_BYTE),
        [NFT_CT_LABELS]         = CT_TEMPLATE("label", &ct_label_type,

diff --git a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
index a2c3c139936b5266209a5dea10bfa21f074469a9..f8b574f4e0cbd628d2c125fa82491c4c415816fc 100644 (file)
--- a/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
+++ b/tests/shell/testcases/maps/dumps/typeof_maps_concat_update_0.nft
@@ -8,5 +8,6 @@ table ip foo {
 
        chain pr {
                update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+               update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
        }
 }

diff --git a/tests/shell/testcases/maps/typeof_maps_concat_update_0 b/tests/shell/testcases/maps/typeof_maps_concat_update_0
index e996f14e1830ceefb657f935cd3e05f315f7dddd..2a52ea0e3220d79b18476efae8693048663d3d9a 100755 (executable)
--- a/tests/shell/testcases/maps/typeof_maps_concat_update_0
+++ b/tests/shell/testcases/maps/typeof_maps_concat_update_0
@@ -11,6 +11,7 @@ EXPECTED="table ip foo {
   }
   chain pr {
      update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
+     meta l4proto tcp update @pinned { ip saddr . ct original proto-dst timeout 1m30s : ip daddr . tcp dport }
   }
 }"