diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-09-16 15:42:48 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-09-19 17:26:27 +0200 |
commit | 56c90a2dd2eb9cb63a6d74d0f5ce8075bef3895b (patch) | |
tree | 9ec5ba55d639c19356771d38926fbff45c20484d /tests | |
parent | fe727d5da18c40cb9f002eeaf0116f59e9600659 (diff) |
evaluate: expand sets and maps before evaluation
3975430b12d9 ("src: expand table command before evaluation") moved
ruleset expansion before evaluation, except for sets and maps. For
sets and maps there is still a post_expand() phase.
This patch moves sets and map expansion to allocate an independent
CMD_OBJ_SETELEMS command to add elements to named set and maps which is
evaluated, this consolidates the ruleset expansion to happen always
before the evaluation step for all objects, except for anonymous sets
and maps.
This approach avoids an interference with the set interval code which
detects overlaps and merges of adjacents ranges. This set interval
routine uses set->init to maintain a cache of existing elements. Then,
the post_expand() phase incorrectly expands set->init cache and it
triggers a bogus ENOENT errors due to incorrect bytecode (placing
element addition before set creation) in combination with user declared
sets using the flat syntax notation.
Since the evaluation step (coming after the expansion) creates
implicit/anonymous sets and maps, those are not expanded anymore. These
anonymous sets still need to be evaluated from set_evaluate() path and
the netlink bytecode generation path, ie. do_add_set(), needs to deal
with anonymous sets.
Note that, for named sets, do_add_set() does not use set->init. Such
content is part of the existing cache, and the CMD_OBJ_SETELEMS command
is responsible for adding elements to named sets.
Fixes: 3975430b12d9 ("src: expand table command before evaluation")
Reported-by: Jann Haber <jannh@selfnet.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
4 files changed, 39 insertions, 0 deletions
diff --git a/tests/shell/testcases/sets/0073flat_interval_set b/tests/shell/testcases/sets/0073flat_interval_set new file mode 100755 index 00000000..0630595f --- /dev/null +++ b/tests/shell/testcases/sets/0073flat_interval_set @@ -0,0 +1,11 @@ +#!/bin/bash + +set -e + +EXPECTED="flush ruleset +add table inet filter +add map inet filter testmap { type ipv4_addr : counter; flags interval;} +add counter inet filter TEST +add element inet filter testmap { 192.168.0.0/24 : \"TEST\" }" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/0074nested_interval_set b/tests/shell/testcases/sets/0074nested_interval_set new file mode 100755 index 00000000..e7f65fc5 --- /dev/null +++ b/tests/shell/testcases/sets/0074nested_interval_set @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e + +dumpfile=$(dirname $0)/dumps/$(basename $0).nft +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0073flat_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} diff --git a/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft new file mode 100644 index 00000000..20f53741 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/0074nested_interval_set.nft @@ -0,0 +1,11 @@ +table inet filter { + counter TEST { + packets 0 bytes 0 + } + + map testmap { + type ipv4_addr : counter + flags interval + elements = { 192.168.0.0/24 : "TEST" } + } +} |