optimize: ignore existing nat mapping

User might be already using a nat mapping in their ruleset, use the
unsupported statement when collecting statements in this case.

 # nft -c -o -f ruleset.nft
 nft: optimize.c:443: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed.
 Aborted

The -o/--optimize feature only cares about linear rulesets at this
stage, but do not hit assert() in this case.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1656
Fixes: 0a6dbfce6dc3 ("optimize: merge nat rules with same selectors into map")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/optimize.c b/src/optimize.c
index ff4f26278a6d4f1b97d019df10dc0b14ae97c6ea..d60aa8f22c07360f6b4f285929a6c1155cdf5297 100644 (file)
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -370,6 +370,13 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
                                clone->log.prefix = expr_get(stmt->log.prefix);
                        break;
                case STMT_NAT:
+                       if ((stmt->nat.addr &&
+                            stmt->nat.addr->etype == EXPR_MAP) ||
+                           (stmt->nat.proto &&
+                            stmt->nat.proto->etype == EXPR_MAP)) {
+                               clone->ops = &unsupported_stmt_ops;
+                               break;
+                       }
                        clone->nat.type = stmt->nat.type;
                        clone->nat.family = stmt->nat.family;
                        if (stmt->nat.addr)

diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
index 32423b220ed17ce1f8c1ebcb2f5bd57904b2b73b..96e38ccd798a9093dd8e1661d5c8c0b7cca8a449 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/merge_nat.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
@@ -14,6 +14,7 @@ table ip test3 {
        chain y {
                oif "lo" accept
                snat to ip saddr . tcp sport map { 1.1.1.1 . 1024-65535 : 3.3.3.3, 2.2.2.2 . 1024-65535 : 4.4.4.4 }
+               oifname "enp2s0" snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
        }
 }
 table ip test4 {

diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat
index ec9b239c6f487a5f96cdb1620d2aa893323bf3e0..1484b7d39d48e98af0700fbadc431bf407f842bf 100755 (executable)
--- a/tests/shell/testcases/optimizations/merge_nat
+++ b/tests/shell/testcases/optimizations/merge_nat
@@ -27,6 +27,7 @@ RULESET="table ip test3 {
                 oif lo accept
                 ip saddr 1.1.1.1 tcp sport 1024-65535 snat to 3.3.3.3
                 ip saddr 2.2.2.2 tcp sport 1024-65535 snat to 4.4.4.4
+                oifname enp2s0 snat ip to ip saddr map { 10.1.1.0/24 : 72.2.3.66-72.2.3.78 }
         }
 }"