From: Florian Westphal <fw@strlen.de>
Date: Tue, 25 Nov 2025 13:03:33 +0000 (+0100)
Subject: tests: shell: bad_rule_graphs: add chain linked from different hooks
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d181bb815117b6a9f42d965db15227135866830f;p=thirdparty%2Fnftables.git

tests: shell: bad_rule_graphs: add chain linked from different hooks

On a kernel with broken (never upstreamed) patch this fails with:

Accepted bad ruleset with jump from filter type to masquerade (3)
and
Accepted bad ruleset with jump from prerouting to masquerade

... because bogus optimisation suppresses re-validation of 'n2', even
though it becomes reachable from an invalid base chain (filter, but n2
has nat-only masquerade expression).

Another broken corner-case is validation of the different hook types:
When it becomes reachable from nat:prerouting in addition to the allowed
nat:postrouting the validation step must fail.

Improve test coverage to ensure future optimisations catch this.

Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/tests/shell/testcases/transactions/bad_rule_graphs b/tests/shell/testcases/transactions/bad_rule_graphs
index 53047c3c..1f36bad8 100755
--- a/tests/shell/testcases/transactions/bad_rule_graphs
+++ b/tests/shell/testcases/transactions/bad_rule_graphs
@@ -259,4 +259,72 @@ $NFT "add rule t c9 tcp dport 80 tproxy to :20000 meta mark set 1 accept"
 good_ruleset $? "add tproxy expression to c9"
 check_bad_expr
 
+$NFT -f - <<EOF
+table t {
+	chain n2 {
+		meta oifname "ppp*" masquerade
+	}
+
+	chain n1 {
+		ip saddr 192.168.0.0/16 jump n2
+	}
+
+	chain n0 { type nat hook postrouting priority 0;
+		jump n1
+	}
+}
+EOF
+good_ruleset $? "add nat skeleton"
+
+$NFT -f - <<EOF
+table t {
+	chain c2 {
+		jump n2
+	}
+}
+EOF
+bad_ruleset $? "jump from filter type to masquerade"
+
+$NFT flush chain t n2
+$NFT -f - <<EOF
+table t {
+	chain c2 {
+		jump n2
+	}
+
+	chain n2 { meta oifname "ppp0" masquerade; }
+}
+EOF
+bad_ruleset $? "jump from filter type to masquerade (2)"
+
+$NFT -f - <<EOF
+delete chain t c0
+delete chain t c1
+EOF
+good_ruleset $? "delete c1/c0"
+
+$NFT -f - <<EOF
+table t {
+	chain c1 { }
+
+	chain n2 { masquerade; }
+	chain n1 { goto n2; }
+
+	chain n0 { type nat hook postrouting priority 0;
+		goto n1
+	}
+
+	chain c0 { type filter hook input priority 0;
+		jump c1
+	}
+}
+EOF
+good_ruleset $? "add nat skeleton (2)"
+
+$NFT add rule t c1 goto n2
+bad_ruleset $? "jump from filter type to masquerade (3)"
+
+$NFT add chain 't invalid { type nat hook prerouting priority 0; goto n2; }'
+bad_ruleset $? "jump from prerouting to masquerade"
+
 exit $?
diff --git a/tests/shell/testcases/transactions/dumps/bad_rule_graphs.json-nft b/tests/shell/testcases/transactions/dumps/bad_rule_graphs.json-nft
index 30789211..7cc73148 100644
--- a/tests/shell/testcases/transactions/dumps/bad_rule_graphs.json-nft
+++ b/tests/shell/testcases/transactions/dumps/bad_rule_graphs.json-nft
@@ -46,6 +46,34 @@
         "handle": 0
       }
     },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "t",
+        "name": "n2",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "t",
+        "name": "n1",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "t",
+        "name": "n0",
+        "handle": 0,
+        "type": "nat",
+        "hook": "postrouting",
+        "prio": 0,
+        "policy": "accept"
+      }
+    },
     {
       "chain": {
         "family": "ip",
@@ -150,13 +178,11 @@
       "rule": {
         "family": "ip",
         "table": "t",
-        "chain": "c1",
+        "chain": "n2",
         "handle": 0,
         "expr": [
           {
-            "jump": {
-              "target": "c2"
-            }
+            "masquerade": null
           }
         ]
       }
@@ -165,18 +191,74 @@
       "rule": {
         "family": "ip",
         "table": "t",
-        "chain": "c1",
+        "chain": "n1",
         "handle": 0,
         "expr": [
           {
-            "vmap": {
-              "key": {
+            "match": {
+              "op": "==",
+              "left": {
                 "payload": {
                   "protocol": "ip",
                   "field": "saddr"
                 }
               },
-              "data": "@m"
+              "right": {
+                "prefix": {
+                  "addr": "192.168.0.0",
+                  "len": 16
+                }
+              }
+            }
+          },
+          {
+            "jump": {
+              "target": "n2"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "t",
+        "chain": "n1",
+        "handle": 0,
+        "expr": [
+          {
+            "goto": {
+              "target": "n2"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "t",
+        "chain": "n0",
+        "handle": 0,
+        "expr": [
+          {
+            "jump": {
+              "target": "n1"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "t",
+        "chain": "n0",
+        "handle": 0,
+        "expr": [
+          {
+            "goto": {
+              "target": "n1"
             }
           }
         ]
diff --git a/tests/shell/testcases/transactions/dumps/bad_rule_graphs.nft b/tests/shell/testcases/transactions/dumps/bad_rule_graphs.nft
index 3a593650..314809c3 100644
--- a/tests/shell/testcases/transactions/dumps/bad_rule_graphs.nft
+++ b/tests/shell/testcases/transactions/dumps/bad_rule_graphs.nft
@@ -18,9 +18,22 @@ table ip t {
 	chain c2 {
 	}
 
+	chain n2 {
+		masquerade
+	}
+
+	chain n1 {
+		ip saddr 192.168.0.0/16 jump n2
+		goto n2
+	}
+
+	chain n0 {
+		type nat hook postrouting priority filter; policy accept;
+		jump n1
+		goto n1
+	}
+
 	chain c1 {
-		jump c2
-		ip saddr vmap @m
 	}
 
 	chain c0 {