evaluate: unbreak verdict maps with implicit map with interval concatenations

Verdict maps in combination with interval concatenations are broken, e.g. # nft add rule x y tcp dport . ip saddr vmap { 1025-65535 . 192.168.10.2 : accept } Retrieve the concatenation field length and count from the map->map expressions that represents the key of the implicit map. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-16 13:49:08 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-18 09:40:20 +0200
commit: a5674886b45c9b3489aef8cc7435dd85afa9494a (patch)
tree: 476ff27ba9faacfa1e217f643ff87f143cea9208 /src/evaluate.c
parent: bd51f04f73bd585f6e3f9ed82a5db7d9640198b8 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index d220c8e3..77fb2459 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1564,6 +1564,14 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
 		ctx->set = NULL;
 		map = *expr;
 		map->mappings->set->flags |= map->mappings->set->init->set_flags;
+
+		if (map->mappings->set->flags & NFT_SET_INTERVAL &&
+		    map->map->etype == EXPR_CONCAT) {
+			memcpy(&map->mappings->set->desc.field_len, &map->map->field_len,
+			       sizeof(map->mappings->set->desc.field_len));
+			map->mappings->set->desc.field_count = map->map->field_count;
+			map->mappings->flags |= NFT_SET_CONCAT;
+		}
 		break;
 	case EXPR_SYMBOL:
 		if (expr_evaluate(ctx, &map->mappings) < 0)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2021-06-16 13:49:08 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2021-06-18 09:40:20 +0200
commit	a5674886b45c9b3489aef8cc7435dd85afa9494a (patch)
tree	476ff27ba9faacfa1e217f643ff87f143cea9208 /src/evaluate.c
parent	bd51f04f73bd585f6e3f9ed82a5db7d9640198b8 (diff)