From: Florian Westphal
Date: Thu, 11 Jan 2024 17:14:15 +0000 (+0100)
Subject: evaluate: tproxy: move range error checks after arg evaluation
X-Git-Tag: v1.0.6.1~259
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84b3e55df10c1efa25e99a1142ae8985787012fe;p=thirdparty%2Fnftables.git

evaluate: tproxy: move range error checks after arg evaluation

commit 1d03ab5267bdbc7c0bcb041efaad42a462fdeb5f upstream.

Testing for range before evaluation will still crash us later during netlink linearization, prefixes turn into ranges, symbolic expression might hide a range/prefix. So move this after the argument has been evaluated.

Signed-off-by: Florian Westphal
---
diff --git a/src/evaluate.c b/src/evaluate.c
index 2a22f6a0..1e7ee9f4 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3915,22 +3915,22 @@ static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
 return err;
 if (stmt->tproxy.addr != NULL) {
- if (stmt->tproxy.addr->etype == EXPR_RANGE)
- return stmt_error(ctx, stmt, "Address ranges are not supported for tproxy.");
-
 err = stmt_evaluate_addr(ctx, stmt, &stmt->tproxy.family, &stmt->tproxy.addr);
-
 if (err < 0)
 return err;
+
+ if (stmt->tproxy.addr->etype == EXPR_RANGE)
+ return stmt_error(ctx, stmt, "Address ranges are not supported for tproxy.");
 }
 if (stmt->tproxy.port != NULL) {
- if (stmt->tproxy.port->etype == EXPR_RANGE)
- return stmt_error(ctx, stmt, "Port ranges are not supported for tproxy.");
 err = nat_evaluate_transport(ctx, stmt, &stmt->tproxy.port);
 if (err < 0)
 return err;
+
+ if (stmt->tproxy.port->etype == EXPR_RANGE)
+ return stmt_error(ctx, stmt, "Port ranges are not supported for tproxy.");
 }
 return 0;
diff --git a/tests/shell/testcases/bogons/nft-f/tproxy_ranges b/tests/shell/testcases/bogons/nft-f/tproxy_ranges
new file mode 100644
index 00000000..1230860e
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/tproxy_ranges
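Review bot: The relocated `etype == EXPR_RANGE` checks in the addr branch and the port branch carry no hint of why they must follow `stmt_evaluate_addr()` and `nat_evaluate_transport()`, so a later cleanup could hoist them back above the call and reintroduce the linearization crash the commit message describes. A one-line comment before the first check, `/* Must run after evaluation: a prefix or a symbolic expression only becomes a range here. */`, would pin the ordering, and the port branch can carry a shorter `/* see addr check above */`. The checks read `stmt->tproxy.addr` and `stmt->tproxy.port` after the helpers were handed `&stmt->tproxy.addr` and `&stmt->tproxy.port`, which is what lets them see the rewritten expression rather than the parsed one; that is worth stating in the same comment. stmt_evaluate_tproxy begins before this hunk and its closing brace lies after it.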
@@ -0,0 +1,8 @@
+define range = 42-80
+
+table t {
+ chain c {
+ tcp dport 42 tproxy to 192.168.0.1:$range
+ tcp dport 42 tproxy to 192.168.0.0/16
+ }
+}
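Review bot: The two rules exercise a port range hidden behind `$range` and an address prefix, but no rule passes an address range through a symbol, so the relocated address-range check in evaluate.c is reached here only via the prefix path. A third rule using a define that expands to an address range, for example `define arange = 192.168.0.1-192.168.0.9` with `tcp dport 42 tproxy to $arange` (values constructed), would cover the "symbolic expression might hide a range" case the commit message names for addresses as well. Whether this bogon directory only asserts a clean load failure rather than a specific message is not visible from the hunk, so the expected output side may need a matching update.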