From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: fw@strlen.de, vaclav.zindulka@tlapnet.cz
Subject: [PATCH nft 2/2] segtree: add missing non-matching segment to set in flat representation
Date: Wed, 6 Mar 2019 02:09:38 +0100
Message-ID: <20190306010938.23687-2-pablo@netfilter.org>
In-Reply-To: <20190306010938.23687-1-pablo@netfilter.org>
# cat test.nft
add set x y { type ipv4_addr; }
add element x y { 10.0.24.0/24 }
# nft -f test.nft
# nft delete element x y { 10.0.24.0/24 }
bogusly returns -ENOENT. The closing segment (0.0.0.0 with end flag set
on) is not added to the set in the example above.
This patch also adds a test to catch this case.
Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment")
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/segtree.c | 9 ++++++---
tests/shell/testcases/sets/0035add_set_elements_flat_0 | 10 ++++++++++
2 files changed, 16 insertions(+), 3 deletions(-)
create mode 100755 tests/shell/testcases/sets/0035add_set_elements_flat_0
diff --git a/src/segtree.c b/src/segtree.c
index ecf564e5fa07..8034525fb80b 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -430,16 +430,19 @@ static bool segtree_needs_first_segment(const struct set *set,
const struct expr *init, bool add)
{
if (add) {
- /* Add the first segment in three situations:
+ /* Add the first segment in four situations:
*
* 1) This is an anonymous set.
* 2) This set exists and it is empty.
- * 3) This set is created with a number of initial elements.
+ * 3) New empty set and, separately, new elements are added.
+ * 4) This set is created with a number of initial elements.
*/
if ((set->flags & NFT_SET_ANONYMOUS) ||
(set->init && set->init->size == 0) ||
- (set->init == init))
+ (set->init == NULL && init) ||
+ (set->init == init)) {
return true;
+ }
} else {
/* If the set is empty after the removal, we have to
* remove the first non-matching segment too.
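Review bot: The new test `(set->init == NULL && init)` in segtree_needs_first_segment() does not check that the set is new, although comment item 3 says "New empty set". It only checks that this set object has no initial element list and that an init expression was passed. If set->init can also be NULL for a set that already holds elements, the first non-matching segment would be added a second time on a later add. Please state in the comment why set->init == NULL implies the set was declared empty, or add an explicit check for it. Item 3 would also read better as "set declared without elements, elements added by a separate command". The braces added around the single return statement are unrelated style churn and could be dropped.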
diff --git a/tests/shell/testcases/sets/0035add_set_elements_flat_0 b/tests/shell/testcases/sets/0035add_set_elements_flat_0
new file mode 100755
index 000000000000..d914ba9846ca
--- /dev/null
+++ b/tests/shell/testcases/sets/0035add_set_elements_flat_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET="add table ip x
+add set x y {type ipv4_addr; flags interval;}
+add element x y { 10.0.24.0/24 }
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
+$NFT delete element x y { 10.0.24.0/24 }
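Review bot: The test only asserts the exit status of `$NFT delete element x y { 10.0.24.0/24 }` through `set -e`; it never checks what is left in the set afterwards. Since the bug is a missing closing segment, listing the set after the delete and comparing it against an expected empty set would also catch a stray segment left behind, not just the -ENOENT return. The RULESET here declares `flags interval` and adds the table first, while the reproducer in the commit message does neither. Please make the two agree so the commit message shows the case the test actually covers.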
--
2.11.0