diff options
| author | Florian Westphal <fw@strlen.de> | 2025-03-13 10:38:25 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2025-07-27 20:07:06 +0200 |
| commit | 3bb26189d1b9d0969900e486bbade27b7b9dac12 (patch) | |
| tree | d35bde4981dd5c15c8fd7e0b1b3f7163ecbbd3c9 | |
| parent | 9fefb46f537fc10cb8e8a85c20aff187c0e30b5b (diff) | |
evaluate: don't allow merging interval set/map with non-interval one
commit ceab53cee4999debd64ab29414b918746209ba7b upstream.
Included bogon asserts with:
BUG: invalid data expression type range_value
Pablo says: "Reject because flags interval is lacking".
Make it so.
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | src/evaluate.c | 18 | ||||
| -rw-r--r-- | tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert | 12 |
2 files changed, 23 insertions, 7 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index d4ca8dd1..b15d6c8d 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -4796,15 +4796,19 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) return table_not_found(ctx); existing_set = set_cache_find(table, set->handle.set.name); - if (!existing_set) - set_cache_add(set_get(set), table); + if (existing_set) { + if (existing_set->flags & NFT_SET_EVAL) { + uint32_t existing_flags = existing_set->flags & ~NFT_SET_EVAL; + uint32_t new_flags = set->flags & ~NFT_SET_EVAL; - if (existing_set && existing_set->flags & NFT_SET_EVAL) { - uint32_t existing_flags = existing_set->flags & ~NFT_SET_EVAL; - uint32_t new_flags = set->flags & ~NFT_SET_EVAL; + if (existing_flags == new_flags) + set->flags |= NFT_SET_EVAL; + } - if (existing_flags == new_flags) - set->flags |= NFT_SET_EVAL; + if (set_is_interval(set->flags) && !set_is_interval(existing_set->flags)) + return set_error(ctx, set, "existing %s lacks interval flag", type); + } else { + set_cache_add(set_get(set), table); } } diff --git a/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert new file mode 100644 index 00000000..4637a4f9 --- /dev/null +++ b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert @@ -0,0 +1,12 @@ +table ip x { + map y { + type ipv4_addr : ipv4_addr + elements = { 1.168.0.4 } + } + + map y { + type ipv4_addr : ipv4_addr + flags interval + elements = { 10.141.3.0/24 : 192.8.0.3 } + } +} |