evaluate: attempt to set_eval flag if dynamic updates requested

When passing no upper size limit, the dynset expression forces an internal 64k upperlimit. In some cases, this can result in 'nft -f' to restore the ruleset. Avoid this by always setting the EVAL flag on a set definition when we encounter packet-path update attempt in the batch. Reported-by: Yi Chen <yiche@redhat.com> Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2022-01-11 12:08:59 +0100
committer: Florian Westphal <fw@strlen.de> 2022-01-11 12:35:07 +0100
commit: 8d443adfcc8c19effd6be9a9c903ee96e374f2e8 (patch)
tree: 16363b80397ce8e13873983f44896621497a3312 /src/evaluate.c
parent: 07af4429241c9832a613cb8620331ac54257d9df (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 8edefbd1..437eacb8 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3621,6 +3621,7 @@ static int stmt_evaluate_log(struct eval_ctx *ctx, struct stmt *stmt)
 
 static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
 {
+	struct set *this_set;
 	struct stmt *this;
 
 	expr_set_context(&ctx->ectx, NULL, 0);
@@ -3650,6 +3651,15 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt)
 					  "statement must be stateful");
 	}
 
+	this_set = stmt->set.set->set;
+
+	/* Make sure EVAL flag is set on set definition so that kernel
+	 * picks a set that allows updates from the packet path.
+	 *
+	 * Alternatively we could error out in case 'flags dynamic' was
+	 * not given, but we can repair this here.
+	 */
+	this_set->flags |= NFT_SET_EVAL;
 	return 0;
 }
author	Florian Westphal <fw@strlen.de>	2022-01-11 12:08:59 +0100
committer	Florian Westphal <fw@strlen.de>	2022-01-11 12:35:07 +0100
commit	8d443adfcc8c19effd6be9a9c903ee96e374f2e8 (patch)
tree	16363b80397ce8e13873983f44896621497a3312 /src/evaluate.c
parent	07af4429241c9832a613cb8620331ac54257d9df (diff)