tproxy: Drop artificial port printing restriction

It does not make much sense to omit printing the port expression if it's
not a value expression: On one hand, input allows for more advanced
uses. On the other, if it is in-kernel, best nft can do is to try and
print it no matter what. Just ignoring ruleset elements can't be
correct.

Fixes: 2be1d52644cf7 ("src: Add tproxy support")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1721
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/statement.c b/src/statement.c
index 475611664946a955b20407bec978bf01187fdca4..f5176e6d87f954f9c6806ecf032241afd7d613dd 100644 (file)
--- a/src/statement.c
+++ b/src/statement.c
@@ -989,7 +989,7 @@ static void tproxy_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
                        expr_print(stmt->tproxy.addr, octx);
                }
        }
-       if (stmt->tproxy.port && stmt->tproxy.port->etype == EXPR_VALUE) {
+       if (stmt->tproxy.port) {
                if (!stmt->tproxy.addr)
                        nft_print(octx, " ");
                nft_print(octx, ":");

diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
index d23bbcb56cdcded17bc1bde6954840d21922e355..9901df75a91a8e40fc9b23be2d4d1000145d7d4a 100644 (file)
--- a/tests/py/inet/tproxy.t
+++ b/tests/py/inet/tproxy.t
@@ -19,3 +19,5 @@ meta l4proto 17 tproxy ip to :50080;ok
 meta l4proto 17 tproxy ip6 to :50080;ok
 meta l4proto 17 tproxy to :50080;ok
 ip daddr 0.0.0.0/0 meta l4proto 6 tproxy ip to :2000;ok
+
+meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 };ok

diff --git a/tests/py/inet/tproxy.t.json b/tests/py/inet/tproxy.t.json
index 7b3b11c49205ab2c4983f9d62567c37069de5b58..71b6fd2f678dd123d621ed0f0329879d774be524 100644 (file)
--- a/tests/py/inet/tproxy.t.json
+++ b/tests/py/inet/tproxy.t.json
@@ -183,3 +183,38 @@
         }
     }
 ]
+
+# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 }
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "l4proto"
+                }
+            },
+            "op": "==",
+            "right": 6
+        }
+    },
+    {
+        "tproxy": {
+            "addr": "127.0.0.1",
+            "family": "ip",
+            "port": {
+                "map": {
+                    "data": {
+                        "set": [
+                            [ 0, 23 ],
+                            [ 1, 42 ]
+                        ]
+                    },
+                    "key": {
+                        "symhash": { "mod": 2 }
+                    }
+                }
+            }
+        }
+    }
+]
+

diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
index 24bf8f6002f8fb815212b226f83e36ad250fd1e2..2f41904261144ba721729b65a00fb6bd9132e44e 100644 (file)
--- a/tests/py/inet/tproxy.t.payload
+++ b/tests/py/inet/tproxy.t.payload
@@ -61,3 +61,15 @@ inet x y
   [ immediate reg 1 0x0000d007 ]
   [ tproxy ip port reg 1 ]
 
+# meta l4proto 6 tproxy ip to 127.0.0.1:symhash mod 2 map { 0 : 23, 1 : 42 }
+__map%d x b size 2
+__map%d x 0
+       element 00000000  : 00001700 0 [end]    element 00000001  : 00002a00 0 [end]
+inet x y
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0100007f ]
+  [ hash reg 2 = symhash() % mod 2 ]
+  [ lookup reg 2 set __map%d dreg 2 ]
+  [ tproxy ip addr reg 1 port reg 2 ]
+