authorFlorian Westphal <fw@strlen.de>2016-02-29 17:50:39 +0100
committerFlorian Westphal <fw@strlen.de>2016-03-02 09:32:37 +0100
commit92a9e83b41dc0a1600aa0af63fe569fcb6277e56 (patch)
tree81ed9464ee4409d4bca1eebf915a3e56baf8d550 /src
parente195ca5187d10eabe1f7786f2fefa1df26c7a203 (diff)
evaluate: reject set references in set elements
given

table filter {
	set local {
		type iface_index
		elements = { lo }
	}

	chain input {
		type filter hook input priority 0;
		iif { @lan, } accept;
	}
}

nft BUG()s.

I don't see how we could support sets-in-set; add a sanity check and error out instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r--src/evaluate.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index ed78896a..a49cdd93 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -920,6 +920,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
if (list_member_evaluate(ctx, &i) < 0)
return -1;
+ if (i->ops->type == EXPR_SET_ELEM &&
+ i->key->ops->type == EXPR_SET_REF)
+ return expr_error(ctx->msgs, i,
+ "Set reference cannot be part of another set");
+
if (!expr_is_constant(i))
return expr_error(ctx->msgs, i,
"Set member is not constant");
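Review bot: The new guard in the element loop only rejects a set reference that is the direct key of an `EXPR_SET_ELEM`, so any other element shape that can carry a reference may still reach the BUG() path the commit message describes. If map elements arrive here as a mapping whose left-hand side is the set element (not visible in this hunk, so please confirm), the same test is needed on that side, e.g. `if (i->ops->type == EXPR_MAPPING && i->left->ops->type == EXPR_SET_ELEM && i->left->key->ops->type == EXPR_SET_REF)`. The ruleset text is user-supplied input, so the error-instead-of-abort behaviour is worth pinning with a regression test that loads the ruleset from the commit message and expects the "Set reference cannot be part of another set" error. `expr_evaluate_set` begins and ends outside the hunk, so the rest of the element handling could not be checked.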