author Derek Hageman <hageman@inthat.cloud> 2022-09-01 10:10:41 -0600
committer Pablo Neira Ayuso <pablo@netfilter.org> 2022-09-01 22:27:58 +0200
commit a817ea9655dee1915423a802c0133e3611e02b3a
tree 49f42e250de02f0ba405361276217dc5739acc99 /src
parent 07958ec53830d4c14b65fa4115c02715dc9c0d47
rule: check address family in set collapse

498a5f0c219d added collapsing of set operations in different commands.
However, the logic is currently too relaxed. It is valid to have a
table and set with identical names on different address families.
For example:

  table ip a {
    set x {
      type inet_service;
    }
  }
  table ip6 a {
    set x {
      type inet_service;
    }
  }
  add element ip a x { 1 }
  add element ip a x { 2 }
  add element ip6 a x { 2 }

The above currently results in nothing being added to the ip6 family
table due to being collapsed into the ip table add. Prior to
498a5f0c219d the set add would work. The fix is simply to check the
family in addition to the table and set names before allowing a
collapse.

[ Add testcase to tests/shell --pablo ]

Fixes: 498a5f0c219d ("rule: collapse set element commands")
Signed-off-by: Derek Hageman <hageman@inthat.cloud>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'src')
-rw-r--r-- src/rule.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/rule.c b/src/rule.c
index 9c9eaec0..1caee58f 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1414,7 +1414,8 @@ bool nft_cmd_collapse(struct list_head *cmds)
continue;
}
- if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
+ if (elems->handle.family != cmd->handle.family ||
+ strcmp(elems->handle.table.name, cmd->handle.table.name) ||
strcmp(elems->handle.set.name, cmd->handle.set.name)) {
elems = cmd;
continue;
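Review bot: The collapse condition in nft_cmd_collapse() now treats family, table name and set name together as the identity of a set, but nothing at the `if` says so. A one-line comment above it, stating that two element commands may be merged only when all three match, would keep a later cleanup from relaxing the test again. It would also help to note there what goes wrong otherwise: per the commit message, elements meant for the ip6 set were merged into the ip command and never reached the ip6 table, which for a ruleset means one family's set is silently left without its entries. Since the same three-field comparison is easy to get wrong wherever handles are matched, consider moving it into a small helper that compares `handle.family`, `handle.table.name` and `handle.set.name`, and calling that here.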