diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-11-13 14:39:23 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-11-21 15:55:56 +0100 |
| commit | 5b7747c3fe4ec0ab326a26ff4b171fdc1cd566b8 (patch) | |
| tree | b1cf80308b3850d1376ae638adcdb4be1c3da03e /src/libnftables.c | |
| parent | ee54e5fe938f809ab99f4343f0f7dc1199204e46 (diff) | |
src: expand create commands
commit 04a1ddc2012964c0a00350973328f5954887cedb upstream.
create commands also need to be expanded, otherwise elements are never
evaluated:
# cat ruleset.nft
define ip-block-4 = { 1.1.1.1 }
create set netdev filter ip-block-4-test {
type ipv4_addr
flags interval
auto-merge
elements = $ip-block-4
}
# nft -f ruleset.nft
BUG: unhandled expression type 0
nft: src/intervals.c:211: interval_expr_key: Assertion `0' failed.
Aborted
Same applies to chains in the form of:
create chain x y {
counter
}
which is also accepted by the parser.
Update tests/shell to improve coverage for these use cases.
Fixes: 56c90a2dd2eb ("evaluate: expand sets and maps before evaluation")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/libnftables.c')
| -rw-r--r-- | src/libnftables.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/libnftables.c b/src/libnftables.c index b74429d5..a0e24887 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -522,7 +522,8 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs, collapsed = true; list_for_each_entry(cmd, cmds, list) { - if (cmd->op != CMD_ADD) + if (cmd->op != CMD_ADD && + cmd->op != CMD_CREATE) continue; nft_cmd_expand(cmd); |