From bbcc5eda7e5880cf605ff470d5830dfae5da925b Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 11 Jun 2021 18:51:08 +0200 Subject: evaluate: restore interval + concatenation in anonymous set Perform the table and set lookup only for non-anonymous sets, where the incremental cache update is required. The problem fixed by 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets") resurrected after the cache rework. # nft add rule x y tcp sport . tcp dport vmap { ssh . 0-65535 : accept, 0-65535 . ssh : accept } BUG: invalid range expression type concat nft: expression.c:1422: range_expr_value_low: Assertion `0' failed. Abort Add a test case to make sure this does not happen again. Fixes: 5ec5c706d993 ("cache: add hashtable cache for table") Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 17 +++++++++-------- tests/py/ip/ip.t | 2 ++ tests/py/ip/ip.t.payload | 9 +++++++++ tests/py/ip/ip.t.payload.bridge | 11 +++++++++++ tests/py/ip/ip.t.payload.inet | 11 +++++++++++ tests/py/ip/ip.t.payload.netdev | 11 +++++++++++ 6 files changed, 53 insertions(+), 8 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 43f1f8a3..5311963a 100644 --- a/src/evaluate.c +++ b/src/evaluate.c 
@@ -3781,15 +3781,16 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) struct stmt *stmt; const char *type; - table = table_cache_find(&ctx->nft->cache.table_cache, - ctx->cmd->handle.table.name, - ctx->cmd->handle.family); - if (table == NULL) - return table_not_found(ctx); + if (!(set->flags & NFT_SET_ANONYMOUS)) { + table = table_cache_find(&ctx->nft->cache.table_cache, + set->handle.table.name, + set->handle.family); + if (table == NULL) + return table_not_found(ctx); - if (!(set->flags & NFT_SET_ANONYMOUS) && - !set_cache_find(table, set->handle.set.name)) - set_cache_add(set_get(set), table); + if (!set_cache_find(table, set->handle.set.name)) + set_cache_add(set_get(set), table); + } if (!(set->flags & NFT_SET_INTERVAL) && set->automerge) return set_error(ctx, set, "auto-merge only works with interval sets"); diff --git a/tests/py/ip/ip.t b/tests/py/ip/ip.t index 43c345cf..b74d465f 100644 --- a/tests/py/ip/ip.t +++ b/tests/py/ip/ip.t @@ -123,3 +123,5 @@ iif "lo" ip protocol set 1;ok iif "lo" ip dscp set af23;ok iif "lo" ip dscp set cs0;ok + +ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 };ok diff --git a/tests/py/ip/ip.t.payload b/tests/py/ip/ip.t.payload index 5ba7d6e9..4bb17752 100644 --- a/tests/py/ip/ip.t.payload +++ b/tests/py/ip/ip.t.payload @@ -506,3 +506,12 @@ ip test-ip4 input [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-ip4 87 size 1 +__set%d test-ip4 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +ip + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/ip/ip.t.payload.bridge b/tests/py/ip/ip.t.payload.bridge index ead3156b..c8c1dbad 100644 --- a/tests/py/ip/ip.t.payload.bridge +++ b/tests/py/ip/ip.t.payload.bridge 
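Review bot: The table lookup now keys on `set->handle.table.name` and `set->handle.family`, but the failure path still calls `table_not_found(ctx)`, which receives only the context. If that helper builds its message from `ctx->cmd->handle` (its body is not in this hunk), the error could name a different table than the one that was searched, so it is worth confirming the two handles always agree here. Separately, `table` is now assigned only inside the non-anonymous branch; set_evaluate continues past the end of the hunk and the declaration sits above it, so please confirm nothing later reads `table` for anonymous sets, or initialise it to NULL at the declaration. A short comment on the new guard would also help, for example `/* anonymous sets are not tracked in the cache: skip the table and set lookup */`.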
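Review bot: The added case in tests/py/ip/ip.t covers a plain anonymous set with a range in the second field only, while the reproducer in the commit message is a `vmap` with `0-65535` ranges in both positions of the concatenation. It may go through the same evaluation path, but that cannot be told from this hunk. Adding the reported rule (`tcp sport . tcp dport vmap { ssh . 0-65535 : accept, 0-65535 . ssh : accept }`) to the matching test file would pin the exact input that hit the `range_expr_value_low` assertion.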
@@ -662,3 +662,14 @@ bridge test-bridge input [ bitwise reg 1 = ( reg 1 & 0x000003ff ) ^ 0x00000000 ] [ payload write reg 1 => 2b @ network header + 0 csum_type 1 csum_off 10 csum_flags 0x0 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-bridge 87 size 1 +__set%d test-bridge 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +bridge + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/ip/ip.t.payload.inet b/tests/py/ip/ip.t.payload.inet index 0b08e0bf..55304fc9 100644 --- a/tests/py/ip/ip.t.payload.inet +++ b/tests/py/ip/ip.t.payload.inet @@ -662,3 +662,14 @@ inet test-inet input [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-inet 87 size 1 +__set%d test-inet 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +inet + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + diff --git a/tests/py/ip/ip.t.payload.netdev b/tests/py/ip/ip.t.payload.netdev index a4f56103..712cb375 100644 --- a/tests/py/ip/ip.t.payload.netdev +++ b/tests/py/ip/ip.t.payload.netdev 
@@ -662,3 +662,14 @@ netdev test-netdev ingress [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000100 ] [ payload write reg 1 => 2b @ network header + 8 csum_type 1 csum_off 10 csum_flags 0x1 ] +# ip saddr . ip daddr { 192.0.2.1 . 10.0.0.1-10.0.0.2 } +__set%d test-netdev 87 size 1 +__set%d test-netdev 0 + element 010200c0 0100000a - 010200c0 0200000a : 0 [end] +netdev + [ meta load protocol => reg 1 ] + [ cmp eq reg 1 0x00000008 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ payload load 4b @ network header + 16 => reg 9 ] + [ lookup reg 1 set __set%d ] + -- cgit v1.2.3