[PATCH nft] meta: skip protocol context update for nfproto with same table family

Inefficient bytecode crashes ruleset listing:

[ meta load nfproto => reg 1 ]
[ cmp eq reg 1 0x00000002 ] <-- this specifies NFPROTO_IPV4 but table family is IPv4!
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp gte reg 1 0x1000000a ]
[ cmp lte reg 1 0x1f00000a ]
[ masq ]

This IPv4 table obviously only sees IPv4 traffic, but the bytecode specifies
a redundant match on NFPROTO_IPV4.

After this patch, listing works:

 # nft list ruleset
 table ip crash {
        chain crash {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.0.0.16-10.0.0.31 masquerade
        }
 }

Skip the protocol context update in case this information is redundant.

Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1562
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/meta.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/meta.c b/src/meta.c
index dcf971a5dd62..3be270a4253c 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -773,6 +773,11 @@ static void meta_expr_pctx_update(struct proto_ctx *ctx,
 		break;
 	case NFT_META_NFPROTO:
 		protonum = mpz_get_uint8(right->value);
+		if (protonum == NFPROTO_IPV4 && h->desc == &proto_ip)
+			break;
+		else if (protonum == NFPROTO_IPV6 && h->desc == &proto_ip6)
+			break;
+
 		desc = proto_find_upper(h->desc, protonum);
 		if (desc == NULL) {
 			desc = &proto_unknown;
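Review bot: the `else` in `else if (protonum == NFPROTO_IPV6 && h->desc == &proto_ip6)` is redundant, since the preceding branch already ends in `break`; two plain `if` statements, or one combined condition, would read more cleanly. The new early exits also carry no comment explaining why the update is skipped (the nfproto value only restates the table family, so there is no upper-layer protocol to switch to), which a reader of meta_expr_pctx_update() will want since the surrounding code does not make it obvious. Note that only the matching family is short-circuited: a mismatched nfproto, for instance NFPROTO_IPV6 in an ip table, still goes through proto_find_upper() and falls back to `proto_unknown` as before, so that path is unchanged by this hunk.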
-- 
2.30.2
