| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | src: expand create commands | Pablo Neira Ayuso | 2023-11-15 | 1 | -0/+12 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | create commands also need to be expanded, otherwise elements are never evaluated: # cat ruleset.nft define ip-block-4 = { 1.1.1.1 } create set netdev filter ip-block-4-test { type ipv4_addr flags interval auto-merge elements = $ip-block-4 } # nft -f ruleset.nft BUG: unhandled expression type 0 nft: src/intervals.c:211: interval_expr_key: Assertion `0' failed. Aborted Same applies to chains in the form of: create chain x y { counter } which is also accepted by the parser. Update tests/shell to improve coverage for these use cases. Fixes: 56c90a2dd2eb ("evaluate: expand sets and maps before evaluation") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | ||||
| * | src: Allow for empty set variable definition | Pablo Neira Ayuso | 2020-07-04 | 1 | -0/+16 |
| Allow for empty set definition in variables if they are merged to non-empty set definition: define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443} define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS, $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } However, disallow this: define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {} table inet filter { chain input { type filter hook input priority 0; policy drop; tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept } } # nft -f x.nft /tmp/x.nft:6:18-52: Error: Set is empty tcp dport {$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> | |||||
 |
index : nftables | |
| nft command line tool | pablo@netfilter.org |
| summaryrefslogtreecommitdiffstats |