authorPablo Neira Ayuso <pablo@netfilter.org>2019-06-18 16:19:28 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-06-19 19:40:39 +0200
commitca4096bf271999e0ce23d0aed83291c50c789239 (patch)
tree2ce380cb2f9e2a1fd35b3799abd94af5beda762b /src/evaluate.c
parentcaf7db2cb8bac4981908c1d1917481f64a1046ff (diff)
evaluate: do not allow to list/flush anonymous sets via list command
Don't allow this: # nft list set x __set0 table ip x { set __set0 { type ipv4_addr flags constant elements = { 1.1.1.1 } } } Constant sets never change and are attached to a rule (the anonymous flag is set), so do not list their content through this command. Do not allow the flush operation either. After this patch: # nft list set x __set0 Error: No such file or directory list set x __set0 ^^^^^^ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r--src/evaluate.c34
1 files changed, 28 insertions, 6 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 07617a7c..dfdd3c24 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3587,9 +3587,12 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
return table_not_found(ctx);
set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || set->flags & NFT_SET_MAP)
+ if (set == NULL)
return set_not_found(ctx, &ctx->cmd->handle.set.location,
ctx->cmd->handle.set.name);
+ else if (set->flags & (NFT_SET_MAP | NFT_SET_ANONYMOUS))
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
return 0;
case CMD_OBJ_METER:
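Review bot: The new `else if` on the `NFT_SET_MAP | NFT_SET_ANONYMOUS` test reports a bare `strerror(ENOENT)` while the `set == NULL` branch directly above goes through set_not_found() for what is, to the user, the same "no such set" outcome; without a comment the next reader will fold the two back into a single condition and undo this commit. Presumably the split exists because set_not_found() does more than print ENOENT (a lookup hint that could name the very anonymous set being hidden) — if that is the reason, record it next to the branch: `/* exists but is not addressable as a set: plain ENOENT, no lookup hint */`. The same branch shape appears in the cmd_evaluate_flush CMD_OBJ_SET hunk, so the comment belongs there too. Note also that named maps addressed via `list set`/`flush set` previously went through set_not_found() and now get the plain message, a user-visible change the commit message does not mention. cmd_evaluate_list's body starts and ends outside this hunk.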
@@ -3598,9 +3601,13 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
return table_not_found(ctx);
set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || !(set->flags & NFT_SET_EVAL))
+ if (set == NULL)
return set_not_found(ctx, &ctx->cmd->handle.set.location,
ctx->cmd->handle.set.name);
+ else if (!(set->flags & NFT_SET_EVAL) ||
+ !(set->flags & NFT_SET_ANONYMOUS))
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
return 0;
case CMD_OBJ_MAP:
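Review bot: The meter test `!(set->flags & NFT_SET_EVAL) || !(set->flags & NFT_SET_ANONYMOUS)` rejects *non*-anonymous sets, the opposite sense of the set and map branches around it, and read next to them it looks like a dropped negation rather than a deliberate rule. A one-line comment would pin the intent: `/* a meter is an anonymous dynamic (EVAL) set; a named EVAL set is listed as a set, not a meter */`. This assumes meters are always created with the anonymous flag — confirm against the meter statement evaluation before relying on it. The CMD_OBJ_METER hunk in cmd_evaluate_flush uses the same condition and wants the same comment.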
@@ -3609,9 +3616,13 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
return table_not_found(ctx);
set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || !(set->flags & NFT_SET_MAP))
+ if (set == NULL)
return set_not_found(ctx, &ctx->cmd->handle.set.location,
ctx->cmd->handle.set.name);
+ else if (!(set->flags & NFT_SET_MAP) ||
+ set->flags & NFT_SET_ANONYMOUS)
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
return 0;
case CMD_OBJ_CHAIN:
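Review bot: `!(set->flags & NFT_SET_MAP) || set->flags & NFT_SET_ANONYMOUS` mixes a parenthesised and an unparenthesised bitwise test in one `||`; the second operand is correct only because `&` binds tighter than `||`, and the asymmetry with the first operand and with the `set->flags & (NFT_SET_MAP | NFT_SET_ANONYMOUS)` form used in the set branch makes it easy to misread. Write the second operand as `(set->flags & NFT_SET_ANONYMOUS)` so both halves have the same shape, here and in the corresponding CMD_OBJ_MAP hunk of cmd_evaluate_flush.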
@@ -3698,9 +3709,12 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
return table_not_found(ctx);
set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || set->flags & NFT_SET_MAP)
+ if (set == NULL)
return set_not_found(ctx, &ctx->cmd->handle.set.location,
ctx->cmd->handle.set.name);
+ else if (set->flags & (NFT_SET_MAP | NFT_SET_ANONYMOUS))
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
return 0;
case CMD_OBJ_MAP:
@@ -3709,9 +3723,13 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
return table_not_found(ctx);
set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || !(set->flags & NFT_SET_MAP))
+ if (set == NULL)
return set_not_found(ctx, &ctx->cmd->handle.set.location,
ctx->cmd->handle.set.name);
+ else if (!(set->flags & NFT_SET_MAP) ||
+ set->flags & NFT_SET_ANONYMOUS)
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
return 0;
case CMD_OBJ_METER:
@@ -3720,9 +3738,13 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
return table_not_found(ctx);
set = set_lookup(table, cmd->handle.set.name);
- if (set == NULL || !(set->flags & NFT_SET_EVAL))
+ if (set == NULL)
return set_not_found(ctx, &ctx->cmd->handle.set.location,
ctx->cmd->handle.set.name);
+ else if (!(set->flags & NFT_SET_EVAL) ||
+ !(set->flags & NFT_SET_ANONYMOUS))
+ return cmd_error(ctx, &ctx->cmd->handle.set.location,
+ "%s", strerror(ENOENT));
return 0;
default: