evaluate: disallow ct original {s,d}ddr from concatenations

Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from
maps") to cover concatenations too.

Error: specify either ip or ip6 for address matching
add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 }
                           ^^^^^^^^^^^^^^^^^

The old syntax for ct original saddr without either ip or ip6 results
in unknown key size, which breaks the listing. The old syntax is only
allowed in simple rules for backward compatibility.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index c830dcdbd9651b767ed8da94a05fb95791cd8323..53f636b7ebe794378198da030e516b017728aa59 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1266,6 +1266,12 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr,
        list_for_each_entry_safe(i, next, &(*expr)->expressions, list) {
                unsigned dsize_bytes;
 
+               if (i->etype == EXPR_CT &&
+                   (i->ct.key == NFT_CT_SRC ||
+                    i->ct.key == NFT_CT_DST))
+                       return expr_error(ctx->msgs, i,
+                                         "specify either ip or ip6 for address matching");
+
                if (expr_is_constant(*expr) && dtype && off == 0)
                        return expr_binary_error(ctx->msgs, i, *expr,
                                                 "unexpected concat component, "
@@ -1477,6 +1483,17 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
             map->map->ct.key == NFT_CT_DST))
                return expr_error(ctx->msgs, map->map,
                                  "specify either ip or ip6 for address matching");
+       else if (map->map->etype == EXPR_CONCAT) {
+               struct expr *i;
+
+               list_for_each_entry(i, &map->map->expressions, list) {
+                       if (i->etype == EXPR_CT &&
+                           (i->ct.key == NFT_CT_SRC ||
+                            i->ct.key == NFT_CT_DST))
+                               return expr_error(ctx->msgs, i,
+                                         "specify either ip or ip6 for address matching");
+               }
+       }
 
        expr_set_context(&ctx->ectx, NULL, 0);
        if (expr_evaluate(ctx, &map->map) < 0)

diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
index c5ce12747d42fadefa3985a28e101dd944c0fba6..a387863e0d8ed13c3f2e809d582a8bbaf3a00d20 100644 (file)
--- a/tests/py/ip/ct.t
+++ b/tests/py/ip/ct.t
@@ -24,3 +24,7 @@ ct reply ip daddr dead::beef;fail
 
 meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail
 meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok
+meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };fail
+meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok
+ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail
+ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok

diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
index 3348d16ddc72a831429b2077dbec449907d66a32..49f06a8401f5f7c6988987c301ac3af56e7829f5 100644 (file)
--- a/tests/py/ip/ct.t.payload
+++ b/tests/py/ip/ct.t.payload
@@ -65,3 +65,22 @@ ip
   [ ct load dst_ip => reg 1 , dir original ]
   [ lookup reg 1 set __map%d dreg 1 ]
   [ meta set mark with reg 1 ]
+
+# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e }
+__map%d test-ip4 b
+__map%d test-ip4 0
+        element 01010101 00000014  : 0000001e 0 [end]
+ip
+  [ ct load src_ip => reg 1 , dir original ]
+  [ meta load mark => reg 9 ]
+  [ lookup reg 1 set __map%d dreg 1 ]
+  [ meta set mark with reg 1 ]
+
+# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 }
+__set%d test-ip4 3
+__set%d test-ip4 0
+        element 01010101 00000014  : 0 [end]
+ip
+  [ ct load src_ip => reg 1 , dir original ]
+  [ meta load mark => reg 9 ]
+  [ lookup reg 1 set __set%d ]