* [PATCH nft] evaluate: reset ctx->set after set interval evaluation
@ 2022-06-01 17:17 Pablo Neira Ayuso
0 siblings, 0 replies; only message in thread
From: Pablo Neira Ayuso @ 2022-06-01 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: nwhisper
Otherwise bogus error reports on set datatype mismatch might occur, such as:
Error: datatype mismatch, expected Internet protocol, expression has type IPv4 address
meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
^^^^^^^^^^^^
with an unrelated set declaration.
table ip test {
set set_with_interval {
type ipv4_addr
flags interval
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
}
}
This bug has been introduced in the evaluation step.
Reported-by: Roman Petrov <nwhisper@gmail.com>
Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge)"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 10 ++++++----
tests/shell/testcases/sets/dumps/set_eval_0.nft | 11 +++++++++++
tests/shell/testcases/sets/set_eval_0 | 17 +++++++++++++++++
3 files changed, 34 insertions(+), 4 deletions(-)
create mode 100644 tests/shell/testcases/sets/dumps/set_eval_0.nft
create mode 100755 tests/shell/testcases/sets/set_eval_0
diff --git a/src/evaluate.c b/src/evaluate.c
index 1447a4c28aee..82bf1311fa53 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4005,8 +4005,9 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct cmd *cmd)
cmd->elem.set = set_get(set);
if (set_is_interval(ctx->set->flags) &&
- !(set->flags & NFT_SET_CONCAT))
- return interval_set_eval(ctx, ctx->set, cmd->expr);
+ !(set->flags & NFT_SET_CONCAT) &&
+ interval_set_eval(ctx, ctx->set, cmd->expr) < 0)
+ return -1;
ctx->set = NULL;
@@ -4184,8 +4185,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
}
if (set_is_interval(ctx->set->flags) &&
- !(ctx->set->flags & NFT_SET_CONCAT))
- return interval_set_eval(ctx, ctx->set, set->init);
+ !(ctx->set->flags & NFT_SET_CONCAT) &&
+ interval_set_eval(ctx, ctx->set, set->init) < 0)
+ return -1;
ctx->set = NULL;
diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.nft b/tests/shell/testcases/sets/dumps/set_eval_0.nft
new file mode 100644
index 000000000000..a45462b8adbf
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/set_eval_0.nft
@@ -0,0 +1,11 @@
+table ip nat {
+ set set_with_interval {
+ type ipv4_addr
+ flags interval
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
+ }
+}
diff --git a/tests/shell/testcases/sets/set_eval_0 b/tests/shell/testcases/sets/set_eval_0
new file mode 100755
index 000000000000..82b6d3bc69a7
--- /dev/null
+++ b/tests/shell/testcases/sets/set_eval_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip nat {
+ set set_with_interval {
+ type ipv4_addr
+ flags interval
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
+ }
+}"
+
+$NFT -f - <<< $RULESET
--
2.30.2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-06-01 17:17 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-06-01 17:17 [PATCH nft] evaluate: reset ctx->set after set interval evaluation Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).