git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 20 Mar 2025 08:34:45 +0000 (09:34 +0100)
committer	Florian Westphal <fw@strlen.de>
	Thu, 20 Mar 2025 10:42:45 +0000 (11:42 +0100)
commit	b00fc8cd1379f6e403538943d55d297b624f185b
tree	c273e780f07182a3ec2a77337e8d357a2efbf2b1	tree
parent	7b3ee497040ff8efb131c566e1c6b466e16f45cc	commit \| diff

expression: tolerate named set protocol dependency

Included test will fail with:
/dev/stdin:8:38-52: Error: Transparent proxy support requires transport protocol match
   meta l4proto @protos tproxy to :1088
                        ^^^^^^^^^^^^^^^
Tolerate a set reference too.  Because the set can be empty (or there
can be removals later), add a fake 0-rhs value.

This will make pctx_update assign proto_unknown as the transport protocol
in use, Thats enough to avoid 'requires transport protocol' error.

v2: restrict it to meta lhs for now (Pablo Neira Ayuso)

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1686
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/expression.c		diff \| blob \| blame \| history
tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft	[new file with mode: 0644]	blob
tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft	[new file with mode: 0644]	blob
tests/shell/testcases/nft-f/named_set_as_protocol_dep	[new file with mode: 0755]	blob