diff options
| author | Jeremy Sowden <jeremy@azazel.net> | 2022-09-18 18:22:12 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2022-09-21 13:57:09 +0200 |
| commit | 7e6be917987c3ab0261bf543eb307cbb2679294f (patch) | |
| tree | 34d83ccfceb653b19ed762ebdee18cd66fef71fd /tests/shell/testcases/optimizations | |
| parent | d899df24826c268c764edb07c3a3ed3f2c90b253 (diff) | |
segtree: fix decomposition of unclosed intervals containing address prefixes
The code which decomposes unclosed intervals doesn't check for prefixes. This
leads to incorrect output for sets which contain these. For example,
# nft -f - <<END
table ip t {
chain c {
ip saddr 192.0.0.0/2 drop
ip saddr 10.0.0.0/8 drop
ip saddr { 192.0.0.0/2, 10.0.0.0/8 } drop
}
}
table ip6 t {
chain c {
ip6 saddr ff00::/8 drop
ip6 saddr fe80::/10 drop
ip6 saddr { ff00::/8, fe80::/10 } drop
}
}
END
# nft list table ip6 t
table ip6 t {
chain c {
ip6 saddr ff00::/8 drop
ip6 saddr fe80::/10 drop
ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop
}
}
# nft list table ip t
table ip t {
chain c {
ip saddr 192.0.0.0/2 drop
ip saddr 10.0.0.0/8 drop
ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop
}
}
Instead of treating the final unclosed interval as a special case, reuse the
code which correctly handles closed intervals.
Add a shell test-case.
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018156
Fixes: 86b965bdab8d ("segtree: fix decomposition of unclosed intervals")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests/shell/testcases/optimizations')
0 files changed, 0 insertions, 0 deletions