[nft] expression: tolerate named set protocol dependency

Message ID	20250313163955.13487-1-fw@strlen.de
State	Changes Requested, archived
Headers	show Return-Path: <netfilter-devel+bounces-6372-incoming=patchwork.ozlabs.org@vger.kernel.org> From: Florian Westphal <fw@strlen.de> To: <netfilter-devel@vger.kernel.org> Cc: Florian Westphal <fw@strlen.de> Subject: [PATCH nft] expression: tolerate named set protocol dependency Date: Thu, 13 Mar 2025 17:39:51 +0100 Message-ID: <20250313163955.13487-1-fw@strlen.de> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[nft] expression: tolerate named set protocol dependency \| expand [nft] expression: tolerate named set protocol dependency

Message ID

20250313163955.13487-1-fw@strlen.de

State

Changes Requested, archived

Headers

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH nft] expression: tolerate named set protocol dependency
Date: Thu, 13 Mar 2025 17:39:51 +0100
Message-ID: <20250313163955.13487-1-fw@strlen.de>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[nft] expression: tolerate named set protocol dependency | expand

Commit Message

Florian Westphal March 13, 2025, 4:39 p.m. UTC

Included test will fail with:
/dev/stdin:8:38-52: Error: Transparent proxy support requires transport protocol match
   meta l4proto @protos tproxy to :1088
                        ^^^^^^^^^^^^^^^
Tolerate a set reference too.  Because the set can be empty (or there
can be removals later), add a fake 0-rhs value.

This will make pctx_update assign proto_unknown as the transport protocol
in use, Thats enough to avoid 'requires transport protocol' error.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1686
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/expression.c                              | 10 +++
 .../dumps/named_set_as_protocol_dep.json-nft  | 75 +++++++++++++++++++
 .../nft-f/dumps/named_set_as_protocol_dep.nft | 11 +++
 .../testcases/nft-f/named_set_as_protocol_dep |  5 ++
 4 files changed, 101 insertions(+)
 create mode 100644 tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
 create mode 100644 tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
 create mode 100755 tests/shell/testcases/nft-f/named_set_as_protocol_dep

Comments

Pablo Neira Ayuso March 20, 2025, 12:18 a.m. UTC | #1

On Thu, Mar 13, 2025 at 05:39:51PM +0100, Florian Westphal wrote:
> Included test will fail with:
> /dev/stdin:8:38-52: Error: Transparent proxy support requires transport protocol match
>    meta l4proto @protos tproxy to :1088
>                         ^^^^^^^^^^^^^^^
> Tolerate a set reference too.  Because the set can be empty (or there
> can be removals later), add a fake 0-rhs value.
> 
> This will make pctx_update assign proto_unknown as the transport protocol

this is correct for meta, so...

> in use, Thats enough to avoid 'requires transport protocol' error.
> 
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1686
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  src/expression.c                              | 10 +++
>  .../dumps/named_set_as_protocol_dep.json-nft  | 75 +++++++++++++++++++
>  .../nft-f/dumps/named_set_as_protocol_dep.nft | 11 +++
>  .../testcases/nft-f/named_set_as_protocol_dep |  5 ++
>  4 files changed, 101 insertions(+)
>  create mode 100644 tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
>  create mode 100644 tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
>  create mode 100755 tests/shell/testcases/nft-f/named_set_as_protocol_dep
> 
> diff --git a/src/expression.c b/src/expression.c
> index 8a90e09dd1c5..38d3ad6d6a4b 100644
> --- a/src/expression.c
> +++ b/src/expression.c
> @@ -945,6 +945,16 @@ void relational_expr_pctx_update(struct proto_ctx *ctx,
>  				    i->key->etype == EXPR_VALUE)
>  					ops->pctx_update(ctx, &expr->location, left, i->key);
>  			}
> +		} else if (right->etype == EXPR_SET_REF) {
> +			const struct expr *key = right->set->key;
> +			struct expr *tmp;
> +
> +			tmp = constant_expr_alloc(&expr->location, key->dtype,
> +						  key->byteorder, key->len,
> +						  NULL);
> +
> +			ops->pctx_update(ctx, &expr->location, left, tmp);
> +			expr_free(tmp);

maybe narrow down this to meta on the lhs? I am not sure of the effect
of this update for payload and ct, they also provide .pctx_update.

If there is a use-case for these two other expression, this can be
revisited.

Thanks.

>  		}
>  	}
>  }
> diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
> new file mode 100644
> index 000000000000..4bc24aa319ab
> --- /dev/null
> +++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
> @@ -0,0 +1,75 @@
> +{
> +  "nftables": [
> +    {
> +      "metainfo": {
> +        "version": "VERSION",
> +        "release_name": "RELEASE_NAME",
> +        "json_schema_version": 1
> +      }
> +    },
> +    {
> +      "table": {
> +        "family": "inet",
> +        "name": "test",
> +        "handle": 0
> +      }
> +    },
> +    {
> +      "chain": {
> +        "family": "inet",
> +        "table": "test",
> +        "name": "prerouting",
> +        "handle": 0,
> +        "type": "filter",
> +        "hook": "prerouting",
> +        "prio": -150,
> +        "policy": "accept"
> +      }
> +    },
> +    {
> +      "set": {
> +        "family": "inet",
> +        "name": "protos",
> +        "table": "test",
> +        "type": {
> +          "typeof": {
> +            "meta": {
> +              "key": "l4proto"
> +            }
> +          }
> +        },
> +        "handle": 0,
> +        "elem": [
> +          "tcp",
> +          "udp"
> +        ]
> +      }
> +    },
> +    {
> +      "rule": {
> +        "family": "inet",
> +        "table": "test",
> +        "chain": "prerouting",
> +        "handle": 0,
> +        "expr": [
> +          {
> +            "match": {
> +              "op": "==",
> +              "left": {
> +                "meta": {
> +                  "key": "l4proto"
> +                }
> +              },
> +              "right": "@protos"
> +            }
> +          },
> +          {
> +            "tproxy": {
> +              "port": 1088
> +            }
> +          }
> +        ]
> +      }
> +    }
> +  ]
> +}
> diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
> new file mode 100644
> index 000000000000..2bc0c2adb38c
> --- /dev/null
> +++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
> @@ -0,0 +1,11 @@
> +table inet test {
> +	set protos {
> +		typeof meta l4proto
> +		elements = { tcp, udp }
> +	}
> +
> +	chain prerouting {
> +		type filter hook prerouting priority mangle; policy accept;
> +		meta l4proto @protos tproxy to :1088
> +	}
> +}
> diff --git a/tests/shell/testcases/nft-f/named_set_as_protocol_dep b/tests/shell/testcases/nft-f/named_set_as_protocol_dep
> new file mode 100755
> index 000000000000..5c516e421cd6
> --- /dev/null
> +++ b/tests/shell/testcases/nft-f/named_set_as_protocol_dep
> @@ -0,0 +1,5 @@
> +#!/bin/bash
> +
> +dumpfile=$(dirname $0)/dumps/$(basename $0).nft
> +
> +$NFT -f "$dumpfile" || exit 1
> -- 
> 2.45.3
> 
>

Florian Westphal March 20, 2025, 8:30 a.m. UTC | #2

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > +			const struct expr *key = right->set->key;
> > +			struct expr *tmp;
> > +
> > +			tmp = constant_expr_alloc(&expr->location, key->dtype,
> > +						  key->byteorder, key->len,
> > +						  NULL);
> > +
> > +			ops->pctx_update(ctx, &expr->location, left, tmp);
> > +			expr_free(tmp);
> 
> maybe narrow down this to meta on the lhs? I am not sure of the effect
> of this update for payload and ct, they also provide .pctx_update.

Sure, I can amend it accordingly.

> If there is a use-case for these two other expression, this can be
> revisited.

Agreed, lets restrict it for meta for now.

Thanks for reviewing.

diff --git a/src/expression.c b/src/expression.c
index 8a90e09dd1c5..38d3ad6d6a4b 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -945,6 +945,16 @@  void relational_expr_pctx_update(struct proto_ctx *ctx,
 				    i->key->etype == EXPR_VALUE)
 					ops->pctx_update(ctx, &expr->location, left, i->key);
 			}
+		} else if (right->etype == EXPR_SET_REF) {
+			const struct expr *key = right->set->key;
+			struct expr *tmp;
+
+			tmp = constant_expr_alloc(&expr->location, key->dtype,
+						  key->byteorder, key->len,
+						  NULL);
+
+			ops->pctx_update(ctx, &expr->location, left, tmp);
+			expr_free(tmp);
 		}
 	}
 }
diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
new file mode 100644
index 000000000000..4bc24aa319ab
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.json-nft
@@ -0,0 +1,75 @@ 
+{
+  "nftables": [
+    {
+      "metainfo": {
+        "version": "VERSION",
+        "release_name": "RELEASE_NAME",
+        "json_schema_version": 1
+      }
+    },
+    {
+      "table": {
+        "family": "inet",
+        "name": "test",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "inet",
+        "table": "test",
+        "name": "prerouting",
+        "handle": 0,
+        "type": "filter",
+        "hook": "prerouting",
+        "prio": -150,
+        "policy": "accept"
+      }
+    },
+    {
+      "set": {
+        "family": "inet",
+        "name": "protos",
+        "table": "test",
+        "type": {
+          "typeof": {
+            "meta": {
+              "key": "l4proto"
+            }
+          }
+        },
+        "handle": 0,
+        "elem": [
+          "tcp",
+          "udp"
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "inet",
+        "table": "test",
+        "chain": "prerouting",
+        "handle": 0,
+        "expr": [
+          {
+            "match": {
+              "op": "==",
+              "left": {
+                "meta": {
+                  "key": "l4proto"
+                }
+              },
+              "right": "@protos"
+            }
+          },
+          {
+            "tproxy": {
+              "port": 1088
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
new file mode 100644
index 000000000000..2bc0c2adb38c
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/named_set_as_protocol_dep.nft
@@ -0,0 +1,11 @@ 
+table inet test {
+	set protos {
+		typeof meta l4proto
+		elements = { tcp, udp }
+	}
+
+	chain prerouting {
+		type filter hook prerouting priority mangle; policy accept;
+		meta l4proto @protos tproxy to :1088
+	}
+}
diff --git a/tests/shell/testcases/nft-f/named_set_as_protocol_dep b/tests/shell/testcases/nft-f/named_set_as_protocol_dep
new file mode 100755
index 000000000000..5c516e421cd6
--- /dev/null
+++ b/tests/shell/testcases/nft-f/named_set_as_protocol_dep
@@ -0,0 +1,5 @@ 
+#!/bin/bash
+
+dumpfile=$(dirname $0)/dumps/$(basename $0).nft
+
+$NFT -f "$dumpfile" || exit 1

[nft] expression: tolerate named set protocol dependency

Commit Message

Comments

Patch