| author | Florian Westphal <fw@strlen.de> | 2016-02-29 17:50:39 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2016-03-02 09:32:37 +0100 |
| commit | 92a9e83b41dc0a1600aa0af63fe569fcb6277e56 (patch) | |
| tree | 81ed9464ee4409d4bca1eebf915a3e56baf8d550 /src | |
| parent | e195ca5187d10eabe1f7786f2fefa1df26c7a203 (diff) | |
evaluate: reject set references in set elements
given

    table filter {
        set local {
            type iface_index
            elements = { lo }
        }
        chain input {
            type filter hook input priority 0;
            iif { @lan, } accept;
        }
    }

nft BUG()s. I don't see how we could support sets-in-set; add a sanity
check and error out instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index ed78896a..a49cdd93 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -920,6 +920,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) if (list_member_evaluate(ctx, &i) < 0) return -1; + if (i->ops->type == EXPR_SET_ELEM && + i->key->ops->type == EXPR_SET_REF) + return expr_error(ctx->msgs, i, + "Set reference cannot be part of another set"); + if (!expr_is_constant(i)) return expr_error(ctx->msgs, i, "Set member is not constant"); |
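Review bot: the new guard in expr_evaluate_set only rejects a set reference that arrives wrapped in an EXPR_SET_ELEM, which is the `{ @lan, }` shape from the commit message; if a member can reach this loop as a bare EXPR_SET_REF, it is not caught here and falls through to the existing `Set member is not constant` check, so it is worth confirming that shape cannot occur or widening the condition to cover `i->ops->type == EXPR_SET_REF` as well. The check also runs only after list_member_evaluate has already evaluated the member, so the reference has been resolved before it is rejected; moving the check ahead of that call would fail earlier and avoid the extra work. A one-line comment above the new `if` noting that nested sets are unsupported and previously hit a BUG() would document the intent, and a regression test exercising the `iif { @lan, } accept` rule would keep the error path covered.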