]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 666018e)
evaluate: tproxy: move range error checks after arg evaluation
authorFlorian Westphal <fw@strlen.de>
Thu, 11 Jan 2024 17:14:15 +0000 (18:14 +0100)
committerFlorian Westphal <fw@strlen.de>
Thu, 11 Jan 2024 20:34:05 +0000 (21:34 +0100)
Testing for range before evaluation will still crash us later during
netlink linearization, prefixes turn into ranges, symbolic expression
might hide a range/prefix.

So move this after the argument has been evaluated.

Signed-off-by: Florian Westphal <fw@strlen.de>
src/evaluate.c patch | blob | blame | history
tests/shell/testcases/bogons/nft-f/tproxy_ranges [new file with mode: 0644] patch | blob

diff --git a/src/evaluate.c b/src/evaluate.c
index 197c82c2eaf9282a318920bd6c938c9e2e446157..d11bed0144ddfb786c1bfeb501a12a533285a2cd 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4132,22 +4132,22 @@ static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
                return err;
 
        if (stmt->tproxy.addr != NULL) {
-               if (stmt->tproxy.addr->etype == EXPR_RANGE)
-                       return stmt_error(ctx, stmt, "Address ranges are not supported for tproxy.");
-
                err = stmt_evaluate_addr(ctx, stmt, &stmt->tproxy.family,
                                         &stmt->tproxy.addr);
-
                if (err < 0)
                        return err;
+
+               if (stmt->tproxy.addr->etype == EXPR_RANGE)
+                       return stmt_error(ctx, stmt, "Address ranges are not supported for tproxy.");
        }
 
        if (stmt->tproxy.port != NULL) {
-               if (stmt->tproxy.port->etype == EXPR_RANGE)
-                       return stmt_error(ctx, stmt, "Port ranges are not supported for tproxy.");
                err = nat_evaluate_transport(ctx, stmt, &stmt->tproxy.port);
                if (err < 0)
                        return err;
+
+               if (stmt->tproxy.port->etype == EXPR_RANGE)
+                       return stmt_error(ctx, stmt, "Port ranges are not supported for tproxy.");
        }
 
        return 0;
diff --git a/tests/shell/testcases/bogons/nft-f/tproxy_ranges b/tests/shell/testcases/bogons/nft-f/tproxy_ranges
new file mode 100644 (file)
index 0000000..1230860
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/tproxy_ranges
@@ -0,0 +1,8 @@
+define range = 42-80
+
+table t {
+       chain c {
+               tcp dport 42 tproxy to 192.168.0.1:$range
+               tcp dport 42 tproxy to 192.168.0.0/16
+       }
+}
Mirror of git://git.netfilter.org/nftables