author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-11 18:51:08 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-11 19:55:46 +0200 |
commit | bbcc5eda7e5880cf605ff470d5830dfae5da925b | |
tree | 2f76688c818ba40c1a6867f445d0a2dc498d186a /src/evaluate.c | |
parent | d2fba515ff94b4a8fb507ac8ca4c45ed25371c47 |
evaluate: restore interval + concatenation in anonymous set
Perform the table and set lookup only for non-anonymous sets, where the
incremental cache update is required.
The problem fixed by 7aa08d45031e ("evaluate: Perform set evaluation on
implicitly declared (anonymous) sets") resurrected after the cache
rework.
# nft add rule x y tcp sport . tcp dport vmap { ssh . 0-65535 : accept, 0-65535 . ssh : accept }
BUG: invalid range expression type concat
nft: expression.c:1422: range_expr_value_low: Assertion `0' failed.
Abort
Add a test case to make sure this does not happen again.
Fixes: 5ec5c706d993 ("cache: add hashtable cache for table")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 43f1f8a3..5311963a 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3781,15 +3781,16 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) struct stmt *stmt; const char *type; - table = table_cache_find(&ctx->nft->cache.table_cache, - ctx->cmd->handle.table.name, - ctx->cmd->handle.family); - if (table == NULL) - return table_not_found(ctx); + if (!(set->flags & NFT_SET_ANONYMOUS)) { + table = table_cache_find(&ctx->nft->cache.table_cache, + set->handle.table.name, + set->handle.family); + if (table == NULL) + return table_not_found(ctx); - if (!(set->flags & NFT_SET_ANONYMOUS) && - !set_cache_find(table, set->handle.set.name)) - set_cache_add(set_get(set), table); + if (!set_cache_find(table, set->handle.set.name)) + set_cache_add(set_get(set), table); + } if (!(set->flags & NFT_SET_INTERVAL) && set->automerge) return set_error(ctx, set, "auto-merge only works with interval sets"); |
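Review bot: In the set_evaluate() hunk, table is now assigned only inside the new if (!(set->flags & NFT_SET_ANONYMOUS)) block, so on the anonymous-set path it keeps whatever value its declaration gives it. The declaration and the rest of the function are outside the visible lines, so please confirm nothing after this block reads table for anonymous sets, or initialise it to NULL where it is declared so a later use fails predictably. The lookup key also changes from ctx->cmd->handle.table.name and ctx->cmd->handle.family to set->handle.table.name and set->handle.family, which the commit message does not mention; a sentence explaining why the set's own handle is the right key for the cache lookup would make the change easier to audit. The message says a test case is added, but this diffstat is limited to src/evaluate.c, so the test covering the vmap with interval and concatenation should be checked in the full commit.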