Florian Westphal <fw@xxxxxxxxx> wrote:
> else, next payload is stacked via 'CTX_PREV_PAYLOAD'.
>
> Example breakage:
>
> ip saddr 1.2.3.4 meta l4proto tcp
> ... is dumped as
> -s 6.0.0.0 -p tcp
>
> iptables-nft -s 1.2.3.4 -p tcp is dumped correctly, because
> the expressions are ordered like:
> meta l4proto tcp ip saddr 1.2.3.4
>
> ... and 'meta l4proto' will clear the PAYLOAD flag.
>
> Fixes: 250dce876d92 ("nft-shared: support native tcp port delinearize")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  iptables/nft-shared.c                  |  2 ++
>  .../ipt-restore/0018-multi-payload_0   | 27 +++++++++++++++++++
>  2 files changed, 29 insertions(+)
>  create mode 100755 iptables/tests/shell/testcases/ipt-restore/0018-multi-payload_0
>
> diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
> index 71e2f18dab92..66e09e8fd533 100644
> --- a/iptables/nft-shared.c
> +++ b/iptables/nft-shared.c
> @@ -986,6 +986,8 @@ static void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
>  		nft_parse_transport(ctx, e, ctx->cs);
>  		break;
>  	}
> +
> +	ctx->flags &= ~NFT_XT_CTX_PAYLOAD;
>  }

This isn't ideal either since this breaks dissection of '1-42' ranges
that use two compare operands, i.e.:

cmp reg1 gte 1
cmp reg1 lte 42

... as first cmp 'hides' reg1 again.

I'd propose to rework this context stuff: no more payload/meta/whatever
flags, instead 'mirror' the raw data registers.

Other ideas/suggestions?
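Review bot: clearing NFT_XT_CTX_PAYLOAD unconditionally after the switch in nft_parse_cmp() drops the payload context after the first compare, so a rule that expresses a range as two cmps on the same register (gte followed by lte, as in the reply above) has no payload context left for the second one; either limit the clear to compares that fully consume the register (an equality compare), or keep track of which register the payload was loaded into so that a later cmp on that register can still be attributed. The diffstat lists a new test case 0018-multi-payload_0 but its content is not in the quoted patch; it should cover both the 'ip saddr ... meta l4proto ...' ordering from the commit message and a two-cmp range, so the regression described here is caught by the test suite.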
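To make the trade-off in the discussion concrete, here is an added example in C that is not iptables-nft code: a toy delinearizer with two strategies side by side, a flag-based context like the one the patch touches (with and without the "clear PAYLOAD after cmp" behaviour of the posted hunk) and a per-register mirror as proposed in the reply. Every identifier (struct expr, struct reg_src, parse_flags, parse_mirror, decode), the field offsets used to name matches, and the two rules are made up for the illustration; the rules are constructed by hand, not dumped from a kernel, and the flag model is a simplification of the problem class rather than a copy of nft-shared.c's logic.

```c
/* Added illustration, not iptables-nft code: a toy delinearizer contrasting
 * context flags with mirroring each data register. All names are made up. */
#include <stdio.h>
#include <string.h>

#define CTX_PAYLOAD 1u
#define CTX_META    2u

enum expr_type { EXPR_PAYLOAD, EXPR_META, EXPR_CMP };
enum src_kind  { SRC_NONE, SRC_PAYLOAD, SRC_META };
enum cmp_op    { CMP_EQ, CMP_GTE, CMP_LTE };

/* Toy nft expression: a payload/meta load into a register, or a cmp on one. */
struct expr {
    enum expr_type type;
    int reg, offset, len;  /* reg: dreg (load) or sreg (cmp); meta key in offset */
    enum cmp_op op;        /* cmp only */
    unsigned data;         /* cmp only */
};

/* Where a register's contents came from: the "mirror" of the raw register. */
struct reg_src { enum src_kind kind; int offset, len; };

struct ctx {
    struct reg_src regs[4];       /* mirror approach: one entry per register */
    unsigned flags;               /* flag approach: CTX_PAYLOAD | CTX_META */
    struct reg_src payload, meta; /* flag approach: last load of each kind */
    int clear_payload_after_cmp;  /* flag approach: what the posted hunk does */
    char out[128];
};

static const char *field_name(const struct reg_src *s)
{
    if (s && s->kind == SRC_PAYLOAD && s->offset == 12 && s->len == 4) return "saddr";
    if (s && s->kind == SRC_PAYLOAD && s->offset == 0 && s->len == 2)  return "sport";
    if (s && s->kind == SRC_META && s->offset == 0)                    return "l4proto";
    return "?";   /* cmp whose source register has no known origin */
}

/* Append "<field> <op> <value>" to the decoded rule text. */
static void emit(struct ctx *ctx, const struct reg_src *src, const struct expr *e)
{
    static const char *ops[] = { "==", ">=", "<=" };
    size_t n = strlen(ctx->out);

    snprintf(ctx->out + n, sizeof(ctx->out) - n, "%s%s %s %u",
             n ? " " : "", field_name(src), ops[e->op], e->data);
}

/* Mirror approach: a load overwrites its dreg's mirror, a cmp only reads its
 * sreg's mirror, so a range's second cmp still resolves and a meta load into
 * a register that held payload cannot be mistaken for that payload. */
static void parse_mirror(struct ctx *ctx, const struct expr *e)
{
    if (e->type == EXPR_CMP) {
        emit(ctx, &ctx->regs[e->reg], e);
        return;
    }
    ctx->regs[e->reg] = (struct reg_src){
        e->type == EXPR_PAYLOAD ? SRC_PAYLOAD : SRC_META, e->offset, e->len };
}

/* Flag approach: cmp trusts CTX_PAYLOAD first. Without the clear, a meta load
 * after an already-compared payload decodes as that payload; with the clear
 * after cmp, the second cmp of a range has no source left. */
static void parse_flags(struct ctx *ctx, const struct expr *e)
{
    if (e->type == EXPR_PAYLOAD) {
        ctx->payload = (struct reg_src){ SRC_PAYLOAD, e->offset, e->len };
        ctx->flags |= CTX_PAYLOAD;
    } else if (e->type == EXPR_META) {
        ctx->meta = (struct reg_src){ SRC_META, e->offset, e->len };
        ctx->flags |= CTX_META;
    } else if (ctx->flags & CTX_PAYLOAD) {
        emit(ctx, &ctx->payload, e);
        if (ctx->clear_payload_after_cmp)
            ctx->flags &= ~CTX_PAYLOAD;
    } else {
        emit(ctx, (ctx->flags & CTX_META) ? &ctx->meta : NULL, e);
    }
}

/* Decode n expressions with one strategy; returns a static result string. */
const char *decode(int use_mirror, int clear_after_cmp,
                   const struct expr *rule, int n)
{
    static char out[128];
    struct ctx ctx = { 0 };

    ctx.clear_payload_after_cmp = clear_after_cmp;
    for (int i = 0; i < n; i++)
        (use_mirror ? parse_mirror : parse_flags)(&ctx, &rule[i]);
    snprintf(out, sizeof(out), "%s", ctx.out);
    return out;
}

/* Constructed rules, not dumped from a kernel; reg 1 is reused as nft does. */
static const struct expr rule_saddr_l4proto[4] = { /* ip saddr 1.2.3.4 meta l4proto tcp */
    { EXPR_PAYLOAD, 1, 12, 4, CMP_EQ, 0 }, { EXPR_CMP, 1, 0, 0, CMP_EQ, 0x01020304 },
    { EXPR_META, 1, 0, 1, CMP_EQ, 0 },     { EXPR_CMP, 1, 0, 0, CMP_EQ, 6 },
};
static const struct expr rule_sport_range[3] = {   /* tcp sport 1-42 */
    { EXPR_PAYLOAD, 1, 0, 2, CMP_EQ, 0 },
    { EXPR_CMP, 1, 0, 0, CMP_GTE, 1 }, { EXPR_CMP, 1, 0, 0, CMP_LTE, 42 },
};
```

With the flags and no clear, the first rule decodes as "saddr == 16909060 saddr == 6" (the l4proto value attributed to the address, the toy counterpart of the "-s 6.0.0.0" in the commit message); with the clear, that rule is right but the range decodes as "sport >= 1 ? <= 42". The mirror variant gets both right because a cmp never has to guess which earlier load it belongs to: it asks the register.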