From: Pablo Neira Ayuso Date: Mon, 24 Apr 2023 20:07:44 +0000 (+0200) Subject: meta: skip protocol context update for nfproto with same table family X-Git-Tag: v1.0.8~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c88494c5fb4dc275f94df27f1f68996fd3925680;p=thirdparty%2Fnftables.git meta: skip protocol context update for nfproto with same table family Inefficient bytecode crashes ruleset listing: [ meta load nfproto => reg 1 ] [ cmp eq reg 1 0x00000002 ] <-- this specifies NFPROTO_IPV4 but table family is IPv4! [ payload load 4b @ network header + 12 => reg 1 ] [ cmp gte reg 1 0x1000000a ] [ cmp lte reg 1 0x1f00000a ] [ masq ] This IPv4 table obviously only see IPv4 traffic, but bytecode specifies a redundant match on NFPROTO_IPV4. After this patch, listing works: # nft list ruleset table ip crash { chain crash { type nat hook postrouting priority srcnat; policy accept; ip saddr 10.0.0.16-10.0.0.31 masquerade } } Skip protocol context update in case that this information is redundant. Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1562 Signed-off-by: Pablo Neira Ayuso --- diff --git a/src/meta.c b/src/meta.c index dcf971a5..3be270a4 100644 --- a/src/meta.c +++ b/src/meta.c @@ -773,6 +773,11 @@ static void meta_expr_pctx_update(struct proto_ctx *ctx, break; case NFT_META_NFPROTO: protonum = mpz_get_uint8(right->value); + if (protonum == NFPROTO_IPV4 && h->desc == &proto_ip) + break; + else if (protonum == NFPROTO_IPV6 && h->desc == &proto_ip6) + break; + desc = proto_find_upper(h->desc, protonum); if (desc == NULL) { desc = &proto_unknown;
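Review bot: The two branches added after `protonum = mpz_get_uint8(right->value);` both just `break`, so the `else` is redundant and they read better as a single condition, e.g. `if ((protonum == NFPROTO_IPV4 && h->desc == &proto_ip) || (protonum == NFPROTO_IPV6 && h->desc == &proto_ip6)) break;`. A one-line comment stating why the update is skipped (the table family already fixes the network protocol, so the `meta nfproto` match is redundant, as the commit message explains) would help, since an early `break` before `proto_find_upper()` otherwise looks like an unhandled case. Since this fixes a crash when listing kernel-provided bytecode, a listing test built from the bytecode quoted in the commit message would guard against regression.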