Re: [PATCH nftables] evaluate: add support for variables in map expressions

Jeremy Sowden <jeremy@xxxxxxxxxx> · Wed, 3 Apr 2024 08:38:41 +0100

On 2024-04-03, at 00:42:59 +0200, Pablo Neira Ayuso wrote:
> On Sun, Mar 24, 2024 at 02:59:07PM +0000, Jeremy Sowden wrote:
> > It is possible to use a variable to initialize a map, which is then used in a
> > map statement:
> > 
> >   define m = { ::1234 : 5678 }
> > 
> >   table ip6 nat {
> >     map m {
> >       typeof ip6 daddr : tcp dport;
> >       elements = $m
> >     }
> >     chain prerouting {
> >       ip6 nexthdr tcp redirect to ip6 daddr map @m
> >     }
> >   }
> > 
> > However, if one tries to use the variable directly in the statement:
> > 
> >   define m = { ::1234 : 5678 }
> > 
> >   table ip6 nat {
> >     chain prerouting {
> >       ip6 nexthdr tcp redirect to ip6 daddr map $m
> >     }
> >   }
> > 
> > nft rejects it:
> > 
> >   /space/azazel/tmp/ruleset.1067161.nft:5:47-48: Error: invalid mapping expression variable
> >       ip6 nexthdr tcp redirect to ip6 daddr map $m
> >                                   ~~~~~~~~~     ^^
> > 
> > Extend `expr_evaluate_map` to allow it.
> > 
> > Add a test-case.
> 
> Thanks for your patch.
> 
> > Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067161
> > Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx>
> > ---
> >  src/evaluate.c                                |  1 +
> >  .../shell/testcases/maps/anonymous_snat_map_1 | 16 +++++
> >  .../maps/dumps/anonymous_snat_map_1.json-nft  | 58 +++++++++++++++++++
> >  .../maps/dumps/anonymous_snat_map_1.nft       |  5 ++
> >  4 files changed, 80 insertions(+)
> >  create mode 100755 tests/shell/testcases/maps/anonymous_snat_map_1
> >  create mode 100644 tests/shell/testcases/maps/dumps/anonymous_snat_map_1.json-nft
> >  create mode 100644 tests/shell/testcases/maps/dumps/anonymous_snat_map_1.nft
> > 
> > diff --git a/src/evaluate.c b/src/evaluate.c
> > index 1682ba58989e..d49213f8d6bd 100644
> > --- a/src/evaluate.c
> > +++ b/src/evaluate.c
> > @@ -2061,6 +2061,7 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
> 
> expr_evaluate_objmap() also needs a similar fix.

Cool.  Will update and resend.

J.

> >  	mappings->set_flags |= NFT_SET_MAP;
> >  
> >  	switch (map->mappings->etype) {
> > +	case EXPR_VARIABLE:
> >  	case EXPR_SET:
> >  		if (ctx->ectx.key && ctx->ectx.key->etype == EXPR_CONCAT) {
> >  			key = expr_clone(ctx->ectx.key);
Attachment:
signature.asc

Description: PGP signature