authorPablo Neira Ayuso <pablo@netfilter.org>2023-05-07 19:30:46 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2023-05-10 08:05:50 +0200
commitaceea86de797bcc315d3e759a44b97cbfb724435 (patch)
treeea05149c15af3661b0b543608bcd9927c5b30756
parent0583bac241ea18c9d7f61cb20ca04faa1e043b78 (diff)
evaluate: allow stateful statements with anonymous verdict maps
Evaluation fails to accept stateful statements in verdict maps. Relax the following check for anonymous sets: test.nft:4:29-35: Error: missing statement in map declaration ip saddr vmap { 127.0.0.1 counter : drop, * counter : accept } ^^^^^^^ The existing code correctly generates the counter in the anonymous verdict map. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/evaluate.c3
-rwxr-xr-xtests/shell/testcases/maps/0009vmap_02
-rw-r--r--tests/shell/testcases/maps/dumps/0009vmap_0.nft2
3 files changed, 4 insertions, 3 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index a1c3895c..bc8f437e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1604,7 +1604,8 @@ static int __expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr *elem)
"but element has %d", num_set_exprs,
num_elem_exprs);
} else if (num_set_exprs == 0) {
- if (!(set->flags & NFT_SET_EVAL)) {
+ if (!(set->flags & NFT_SET_ANONYMOUS) &&
+ !(set->flags & NFT_SET_EVAL)) {
elem_stmt = list_first_entry(&elem->stmt_list, struct stmt, list);
return stmt_error(ctx, elem_stmt,
"missing statement in %s declaration",
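Review bot: The relaxed condition starting at `if (!(set->flags & NFT_SET_ANONYMOUS) &&` exempts every anonymous set from the "missing statement" error, not only anonymous verdict maps as the commit title says; if only verdict maps are meant, the condition needs a further test on the set's type, which this hunk does not show. If the broader exemption is intended, a short comment such as `/* anonymous sets have no declaration; statements come from the elements */` would record why, and the two tests read more directly as one mask: `if (!(set->flags & (NFT_SET_ANONYMOUS | NFT_SET_EVAL))) {`. With the error skipped for these sets, nothing visible here checks that all elements of one anonymous set carry the same statements, so that is worth confirming in the rest of `__expr_evaluate_set_elem`, whose body starts and ends outside the hunk.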
diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0
index 7627c81d..d31e1608 100755
--- a/tests/shell/testcases/maps/0009vmap_0
+++ b/tests/shell/testcases/maps/0009vmap_0
@@ -12,7 +12,7 @@ EXPECTED="table inet filter {
chain prerouting {
type filter hook prerouting priority -300; policy accept;
- iif vmap { "lo" : jump wan_input }
+ iif vmap { "lo" counter : jump wan_input }
}
}"
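Review bot: Editing the existing rule in EXPECTED to `iif vmap { "lo" counter : jump wan_input }` drops this test's coverage of the statement-less form, and the case from the commit message (a catch-all `*` element carrying `counter`) is not exercised. Consider keeping the original line and adding a second rule, for example `ip saddr vmap { 127.0.0.1 counter : drop, * counter : accept }`, with the matching line in dumps/0009vmap_0.nft. Other test cases may already cover the plain form; that cannot be seen from this page.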
diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.nft b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
index c556fece..c37574ad 100644
--- a/tests/shell/testcases/maps/dumps/0009vmap_0.nft
+++ b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
@@ -8,6 +8,6 @@ table inet filter {
chain prerouting {
type filter hook prerouting priority raw; policy accept;
- iif vmap { "lo" : jump wan_input }
+ iif vmap { "lo" counter packets 0 bytes 0 : jump wan_input }
}
}