summaryrefslogtreecommitdiffstats
path: root/src/segtree.c
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2019-12-05 19:07:16 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2019-12-09 13:56:11 +0100
commitfbae632804554aa39abb8f76fbca5935cdd7e620 (patch)
treec161a16410b51ea04c49ceee1562f71a0091f4b7 /src/segtree.c
parent940b93a5c63d16ee21b5879f530876941ba04759 (diff)
segtree: don't remove nul-root element from interval set
Check from the delinearize set element path if the nul-root element already exists in the interval set. Hence, the element insertion path skips the implicit nul-root interval insertion. Under some circunstances, nft bogusly fails to delete the last element of the interval set and to create an element in an existing empty internal set. This patch includes a test that reproduces the issue. Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/segtree.c')
-rw-r--r--src/segtree.c8
1 files changed, 1 insertions, 7 deletions
diff --git a/src/segtree.c b/src/segtree.c
index 7217dbca..d1dbe10c 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -451,7 +451,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set,
static bool segtree_needs_first_segment(const struct set *set,
const struct expr *init, bool add)
{
- if (add) {
+ if (add && !set->root) {
/* Add the first segment in four situations:
*
* 1) This is an anonymous set.
@@ -465,12 +465,6 @@ static bool segtree_needs_first_segment(const struct set *set,
(set->init == init)) {
return true;
}
- } else {
- /* If the set is empty after the removal, we have to
- * remove the first non-matching segment too.
- */
- if (set->init && set->init->size - init->size == 0)
- return true;
}
/* This is an update for a set that already contains elements, so don't
* add the first non-matching elements otherwise we hit EEXIST.