src: expand create commands

create commands also need to be expanded, otherwise elements are never evaluated: # cat ruleset.nft define ip-block-4 = { 1.1.1.1 } create set netdev filter ip-block-4-test { type ipv4_addr flags interval auto-merge elements = $ip-block-4 } # nft -f ruleset.nft BUG: unhandled expression type 0 nft: src/intervals.c:211: interval_expr_key: Assertion `0' failed. Aborted Same applies to chains in the form of: create chain x y { counter } which is also accepted by the parser. Update tests/shell to improve coverage for these use cases. Fixes: 56c90a2dd2eb ("evaluate: expand sets and maps before evaluation") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2023-11-13 14:39:23 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-11-15 11:01:08 +0100
commit: 04a1ddc2012964c0a00350973328f5954887cedb (patch)
tree: 6b2fb26f7014b538d345b8e5c6652cabb5498302 /src/libnftables.c
parent: e80e3bb88ebc9485d1b26eadee2579dbee1903ba (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/libnftables.c b/src/libnftables.c
index ec902009..0dee1bac 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -532,7 +532,8 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
 		collapsed = true;
 
 	list_for_each_entry(cmd, cmds, list) {
-		if (cmd->op != CMD_ADD)
+		if (cmd->op != CMD_ADD &&
+		    cmd->op != CMD_CREATE)
 			continue;
 
 		nft_cmd_expand(cmd);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2023-11-13 14:39:23 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2023-11-15 11:01:08 +0100
commit	04a1ddc2012964c0a00350973328f5954887cedb (patch)
tree	6b2fb26f7014b538d345b8e5c6652cabb5498302 /src/libnftables.c
parent	e80e3bb88ebc9485d1b26eadee2579dbee1903ba (diff)