On Tue, Jul 29, 2025 at 01:36:08AM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 25, 2025 at 11:26:40PM +0200, Phil Sutter wrote:
> > Introduction of EXPR_RANGE_SYMBOL type inadvertently disabled sanitizing
> > of meta hour ranges where the lower boundary has a higher value than the
> > upper boundary. This may happen outside of user control due to the fact
> > that given ranges are converted to UTC which is the kernel's native
> > timezone.
> >
> > Restore the conditional match and op inversion by matching on the new
> > RHS expression type and also expand it so values are comparable. Since
> > this replaces the whole range expression, make it replace the
> > relational's RHS entirely.
>
> Thanks, I suspect this bug is related to this recent ticket:
>
> https://bugzilla.netfilter.org/show_bug.cgi?id=1805

Ah yes, I forgot the "Closes:" tag, sorry!

> > While at it extend testsuites to cover these corner-cases.
>
> Thanks for improving coverage for this.

Above ticket also mentions how "23:59:60" is accepted when "24:00" is
not. I'll send a v2 which describes the expected values in nft.8 to
cover for this oddity in strptime() implementation.

> > Fixes: 347039f64509e ("src: add symbol range expression to further compact intervals")
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
>
> Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>
> > @@ -2772,12 +2780,15 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
> >
> > pctx = eval_proto_ctx(ctx);
> >
> > - if (rel->right->etype == EXPR_RANGE && lhs_is_meta_hour(rel->left)) {
> > - ret = __expr_evaluate_range(ctx, &rel->right);
> > + if (lhs_is_meta_hour(rel->left) &&
> > + rel->right->etype == EXPR_RANGE_SYMBOL) {
>
> Side note, thanks for reversing this check.

I did it merely because consecutive lines being longer than the former
ones seem more readable to me. What do you like about it? :)

Thanks, Phil
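
Review bot: In the rewritten condition in expr_evaluate_relational(), the match on EXPR_RANGE is dropped and only EXPR_RANGE_SYMBOL is tested, so a meta hour relational whose RHS is still a plain EXPR_RANGE would skip the sanitizing of ranges whose lower boundary ends up above the upper one after UTC conversion. If that type can no longer reach this point, a short comment above the "if" saying so would make the assumption explicit; otherwise both types should be matched. The quoted hunk stops at the new "if", so the replacement for the removed "ret = __expr_evaluate_range(ctx, &rel->right);" is not visible here; whatever expands the symbol range should have its return value checked before the relational's RHS is replaced.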