diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-28 19:32:44 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-29 23:40:58 +0200 |
commit | 7840b9224d5b84c41a8f5a5ddd919c7f7614901f (patch) | |
tree | e5bc163dceb70623cbaa0a86f96cc117e90a2514 /tests/shell | |
parent | ac4b25b3ca045fbbed86773a91da52d9d7ee3091 (diff) |
evaluate: remove table from cache on delete table
The following ruleset crashes nft if loaded twice, via nft -ef:
add table inet filter
delete table inet filter
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
iifname { "eth0" } counter accept
}
}
If the table contains anonymous sets, such as __set0, then delete + add
table might result in nft reusing the existing stale __set0 in the cache.
The problem is that nft gets confused and it reuses the existing stale
__set0 instead of the new anonymous set __set0 with the same name.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell')
-rwxr-xr-x | tests/shell/testcases/sets/0053echo_0 | 16 | ||||
-rw-r--r-- | tests/shell/testcases/sets/dumps/0053echo_0.nft | 6 |
2 files changed, 22 insertions, 0 deletions
diff --git a/tests/shell/testcases/sets/0053echo_0 b/tests/shell/testcases/sets/0053echo_0 new file mode 100755 index 00000000..6bb03c28 --- /dev/null +++ b/tests/shell/testcases/sets/0053echo_0 @@ -0,0 +1,16 @@ +#!/bin/bash + +set -e + +EXPECTED="add table inet filter +delete table inet filter + +table inet filter { + chain input { + type filter hook input priority filter; policy drop; + iifname { lo } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter accept + } +} +" + +$NFT -ef - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/dumps/0053echo_0.nft b/tests/shell/testcases/sets/dumps/0053echo_0.nft new file mode 100644 index 00000000..6a816636 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0053echo_0.nft @@ -0,0 +1,6 @@ +table inet filter { + chain input { + type filter hook input priority filter; policy drop; + iifname { "lo" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.100.62 } tcp dport { 2001 } counter packets 0 bytes 0 accept + } +} |