authorPablo Neira Ayuso <pablo@netfilter.org>2020-07-28 19:32:44 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2020-07-29 23:40:58 +0200
commit7840b9224d5b84c41a8f5a5ddd919c7f7614901f (patch)
treee5bc163dceb70623cbaa0a86f96cc117e90a2514 /tests/shell
parentac4b25b3ca045fbbed86773a91da52d9d7ee3091 (diff)
evaluate: remove table from cache on delete table
The following ruleset crashes nft if loaded twice, via nft -ef: add table inet filter delete table inet filter table inet filter { chain input { type filter hook input priority filter; policy drop; iifname { "eth0" } counter accept } } If the table contains anonymous sets, such as __set0, then delete + add table might result in nft reusing the existing stale __set0 in the cache. The problem is that nft gets confused and it reuses the existing stale __set0 instead of the new anonymous set __set0 with the same name. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell')
-rwxr-xr-xtests/shell/testcases/sets/0053echo_016
-rw-r--r--tests/shell/testcases/sets/dumps/0053echo_0.nft6
2 files changed, 22 insertions, 0 deletions
diff --git a/tests/shell/testcases/sets/0053echo_0 b/tests/shell/testcases/sets/0053echo_0
new file mode 100755
index 00000000..6bb03c28
--- /dev/null
+++ b/tests/shell/testcases/sets/0053echo_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="add table inet filter
+delete table inet filter
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname { lo } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter accept
+ }
+}
+"
+
+$NFT -ef - <<< "$EXPECTED"
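Review bot: The script feeds the ruleset to `$NFT -ef -` only once on its last line, while the commit description says the crash occurs when the ruleset is loaded twice. If the stale anonymous set only reaches the cache after an earlier load, this test may pass even without the fix. Repeating `$NFT -ef - <<< "$EXPECTED"` on a following line would cover the described case. It should presumably leave the dump unchanged, because the batch begins by adding and deleting the table. The variable holds the input ruleset rather than an expected result, so a name such as `RULESET` would read more clearly.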
diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft
new file mode 100644
index 00000000..6a816636
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname { "lo" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter packets 0 bytes 0 accept
+ }
+}