diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-12-05 19:07:16 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-12-09 13:56:11 +0100 |
commit | fbae632804554aa39abb8f76fbca5935cdd7e620 (patch) | |
tree | c161a16410b51ea04c49ceee1562f71a0091f4b7 /src/segtree.c | |
parent | 940b93a5c63d16ee21b5879f530876941ba04759 (diff) |
segtree: don't remove nul-root element from interval set
Check from the delinearize set element path if the nul-root element
already exists in the interval set. Hence, the element insertion path
skips the implicit nul-root interval insertion.
Under some circunstances, nft bogusly fails to delete the last element
of the interval set and to create an element in an existing empty
internal set. This patch includes a test that reproduces the issue.
Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/segtree.c')
-rw-r--r-- | src/segtree.c | 8 |
1 files changed, 1 insertions, 7 deletions
diff --git a/src/segtree.c b/src/segtree.c index 7217dbca..d1dbe10c 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -451,7 +451,7 @@ static int set_to_segtree(struct list_head *msgs, struct set *set, static bool segtree_needs_first_segment(const struct set *set, const struct expr *init, bool add) { - if (add) { + if (add && !set->root) { /* Add the first segment in four situations: * * 1) This is an anonymous set. @@ -465,12 +465,6 @@ static bool segtree_needs_first_segment(const struct set *set, (set->init == init)) { return true; } - } else { - /* If the set is empty after the removal, we have to - * remove the first non-matching segment too. - */ - if (set->init && set->init->size - init->size == 0) - return true; } /* This is an update for a set that already contains elements, so don't * add the first non-matching elements otherwise we hit EEXIST. |