diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-01 19:09:31 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-06-01 19:21:10 +0200 |
commit | 818f7dded9c9e8a89a2de98801425536180ae307 (patch) | |
tree | 602ef65d5cd1b19e9b9777b9dbbd6c7acdacb0a5 /src | |
parent | 3835de19fe5773baac5b79f35484d0f0e99bcfe1 (diff) |
evaluate: reset ctx->set after set interval evaluation
Otherwise bogus error reports on set datatype mismatch might occur, such as:
Error: datatype mismatch, expected Internet protocol, expression has type IPv4 address
meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
~~~~~~~~~~~~ ^^^^^^^^^^^^
with an unrelated set declaration.
table ip test {
set set_with_interval {
type ipv4_addr
flags interval
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
}
}
This bug has been introduced in the evaluation step.
Reported-by: Roman Petrov <nwhisper@gmail.com>
Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge)"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index 1447a4c2..82bf1311 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -4005,8 +4005,9 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct cmd *cmd) cmd->elem.set = set_get(set); if (set_is_interval(ctx->set->flags) && - !(set->flags & NFT_SET_CONCAT)) - return interval_set_eval(ctx, ctx->set, cmd->expr); + !(set->flags & NFT_SET_CONCAT) && + interval_set_eval(ctx, ctx->set, cmd->expr) < 0) + return -1; ctx->set = NULL; @@ -4184,8 +4185,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) } if (set_is_interval(ctx->set->flags) && - !(ctx->set->flags & NFT_SET_CONCAT)) - return interval_set_eval(ctx, ctx->set, set->init); + !(ctx->set->flags & NFT_SET_CONCAT) && + interval_set_eval(ctx, ctx->set, set->init) < 0) + return -1; ctx->set = NULL; |