git.ipfire.org Git - thirdparty/nftables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Fri, 25 Jul 2025 15:28:29 +0000 (17:28 +0200)
committer	Phil Sutter <phil@nwl.cc>
	Thu, 31 Jul 2025 11:27:11 +0000 (13:27 +0200)
commit	a6717ae094db29d1f4607107a2be0fa8042f7fe6
tree	48d0601d9be64741b26613fb23d1a79330497e0a	tree
parent	9b2b1614093aa1cdd1d5e5dc575a6009650cd3e8	commit \| diff

evaluate: Fix for 'meta hour' ranges spanning date boundaries

Introduction of EXPR_RANGE_SYMBOL type inadvertently disabled sanitizing
of meta hour ranges where the lower boundary has a higher value than the
upper boundary. This may happen outside of user control due to the fact
that given ranges are converted to UTC which is the kernel's native
timezone.

Perform the conditional match and op inversion with the new RHS
expression type as well after expanding it so values are comparable.
Since this replaces the whole range expression, make it replace the
relational's RHS entirely.

While at it extend testsuites to cover these corner-cases.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1805
Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

doc/primary-expression.txt		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
tests/py/any/meta.t		diff \| blob \| blame \| history
tests/py/any/meta.t.json		diff \| blob \| blame \| history
tests/py/any/meta.t.json.output		diff \| blob \| blame \| history
tests/py/any/meta.t.payload		diff \| blob \| blame \| history
tests/shell/testcases/listing/meta_time		diff \| blob \| blame \| history