diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-03-06 00:51:03 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-03-06 11:12:41 +0100 |
| commit | b1436403417697b8647956ff91d40a5982aba477 (patch) | |
| tree | 9f1d1a9eb61f752d0a4ce2f479cc07a72fc0828e /src | |
| parent | 2277a8cf318359885be67aad566c70f497551cca (diff) | |
segtree: add missing non-matching segment to set in flat representation
# cat test.nft
add set x y { type ipv4_addr; }
add element x y { 10.0.24.0/24 }
# nft -f test.nft
# nft delete element x y { 10.0.24.0/24 }
bogusly returns -ENOENT. The non-matching segment (0.0.0.0 with end-flag
set on) is not added to the set in the example above.
This patch also adds a test to cover this case.
Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment")
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/segtree.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/segtree.c b/src/segtree.c index 939c30d2..6ee65523 100644 --- a/src/segtree.c +++ b/src/segtree.c @@ -431,16 +431,19 @@ static bool segtree_needs_first_segment(const struct set *set, const struct expr *init, bool add) { if (add) { - /* Add the first segment in three situations: + /* Add the first segment in four situations: * * 1) This is an anonymous set. * 2) This set exists and it is empty. - * 3) This set is created with a number of initial elements. + * 3) New empty set and, separately, new elements are added. + * 4) This set is created with a number of initial elements. */ if ((set->flags & NFT_SET_ANONYMOUS) || (set->init && set->init->size == 0) || - (set->init == init)) + (set->init == NULL && init) || + (set->init == init)) { return true; + } } else { /* If the set is empty after the removal, we have to * remove the first non-matching segment too. |