diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-10-23 13:52:13 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-10-23 14:09:19 +0200 |
| commit | 44d7b90f6e473be3ce4425d41d80df43f319d951 (patch) | |
| tree | 0a94bf522e925d65733f5fd264eac7a3455ce973 /src | |
| parent | 90f97f1c9a3a6d3b1a25ce12b75b08399490369a (diff) | |
evaluate: fix mapping evaluation
# cat ruleset.file
table ip mangle {
map CLASS05 {
type ipv4_addr : mark
elements = { 192.168.0.10 : 0x00000001}
}
chain OUTPUT {
type route hook output priority 0; policy accept;
mark set ip saddr map @CLASS05
}
}
# nft -f ruleset.file
ruleset.file:4:28-54: Error: mapping outside of map context
elements = { 192.168.0.10 : 0x00000001}
^^^^^^^^^^^^^^^^^^^^^^^^^^^
This actually is fixing two problems:
1) Validate datatype of the rhs before evaluating the map definition,
this is also setting set->datalen which is needed for the element
evaluation.
2) Add missing set context.
Reported-by: Andreas Schultz <aschultz@tpip.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/evaluate.c | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index ccbe8b37..ea43fc1b 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1883,28 +1883,29 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) return set_error(ctx, set, "unqualified key data type " "specified in %s definition", type); + if (set->flags & SET_F_MAP) { + if (set->datatype == NULL) + return set_error(ctx, set, "map definition does not " + "specify mapping data type"); + + set->datalen = set->datatype->size; + if (set->datalen == 0 && set->datatype->type != TYPE_VERDICT) + return set_error(ctx, set, "unqualified mapping data " + "type specified in map definition"); + } + + ctx->set = set; if (set->init != NULL) { expr_set_context(&ctx->ectx, set->keytype, set->keylen); if (expr_evaluate(ctx, &set->init) < 0) return -1; } + ctx->set = NULL; /* Default timeout value implies timeout support */ if (set->timeout) set->flags |= SET_F_TIMEOUT; - if (!(set->flags & SET_F_MAP)) - return 0; - - if (set->datatype == NULL) - return set_error(ctx, set, "map definition does not specify " - "mapping data type"); - - set->datalen = set->datatype->size; - if (set->datalen == 0 && set->datatype->type != TYPE_VERDICT) - return set_error(ctx, set, "unqualified mapping data type " - "specified in map definition"); - return 0; } |