author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-05-07 19:30:46 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-05-10 08:05:50 +0200 |
commit | aceea86de797bcc315d3e759a44b97cbfb724435 (patch) | |
tree | ea05149c15af3661b0b543608bcd9927c5b30756 | |
parent | 0583bac241ea18c9d7f61cb20ca04faa1e043b78 (diff) |
evaluate: allow stateful statements with anonymous verdict maps
Evaluation fails to accept stateful statements in verdict maps, relax
the following check for anonymous sets:
test.nft:4:29-35: Error: missing statement in map declaration
ip saddr vmap { 127.0.0.1 counter : drop, * counter : accept }
^^^^^^^
The existing code generates correctly the counter in the anonymous
verdict map.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/evaluate.c | 3 | ||||
-rwxr-xr-x | tests/shell/testcases/maps/0009vmap_0 | 2 | ||||
-rw-r--r-- | tests/shell/testcases/maps/dumps/0009vmap_0.nft | 2 |
3 files changed, 4 insertions, 3 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index a1c3895c..bc8f437e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1604,7 +1604,8 @@ static int __expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr *elem)
 "but element has %d", num_set_exprs, num_elem_exprs); } else if (num_set_exprs == 0) {
- if (!(set->flags & NFT_SET_EVAL)) {
+ if (!(set->flags & NFT_SET_ANONYMOUS) &&
+ !(set->flags & NFT_SET_EVAL)) {
 elem_stmt = list_first_entry(&elem->stmt_list, struct stmt, list); return stmt_error(ctx, elem_stmt, "missing statement in %s declaration",
diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0
index 7627c81d..d31e1608 100755
--- a/tests/shell/testcases/maps/0009vmap_0
+++ b/tests/shell/testcases/maps/0009vmap_0
@@ -12,7 +12,7 @@ EXPECTED="table inet filter {
 chain prerouting { type filter hook prerouting priority -300; policy accept;
- iif vmap { "lo" : jump wan_input }
+ iif vmap { "lo" counter : jump wan_input }
 } }"
diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.nft b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
index c556fece..c37574ad 100644
--- a/tests/shell/testcases/maps/dumps/0009vmap_0.nft
+++ b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
@@ -8,6 +8,6 @@ table inet filter {
 chain prerouting { type filter hook prerouting priority raw; policy accept;
- iif vmap { "lo" : jump wan_input }
+ iif vmap { "lo" counter packets 0 bytes 0 : jump wan_input }
 } } |
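Review bot: The relaxed condition in `__expr_evaluate_set_elem` keys on `NFT_SET_ANONYMOUS` alone, so every anonymous set and map now skips the "missing statement" error, not only the verdict maps named in the commit title; a short comment above the test would record that this breadth is intended, e.g. `/* anonymous sets have no declaration to carry a statement list */`. The two flag tests can also be folded into one mask, `if (!(set->flags & (NFT_SET_ANONYMOUS | NFT_SET_EVAL))) {`, which keeps the condition on one line. From the visible lines nothing in this branch compares the statements of one element with those of its siblings, so it may be worth confirming how an anonymous map with a statement on only some elements is handled, since the result ends up in a loaded ruleset. The function starts and ends outside the hunk.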
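Review bot: Editing the existing rule in `EXPECTED` replaces the statement-less `iif vmap { "lo" : jump wan_input }` case instead of adding to it, so this test no longer exercises an anonymous verdict map without statements. Keeping the original line and adding the `counter` variant as a second rule would cover both forms. The commit message's own example, with a catch-all `* counter : accept` element, is not exercised here either, nor is a map in which only some elements carry a statement. The dump file would need the matching lines.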