authorPablo Neira Ayuso <pablo@netfilter.org>2023-11-13 14:39:23 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2023-11-15 11:01:08 +0100
commit04a1ddc2012964c0a00350973328f5954887cedb (patch)
tree6b2fb26f7014b538d345b8e5c6652cabb5498302 /tests
parente80e3bb88ebc9485d1b26eadee2579dbee1903ba (diff)
src: expand create commands
create commands also need to be expanded, otherwise elements are never evaluated: # cat ruleset.nft define ip-block-4 = { 1.1.1.1 } create set netdev filter ip-block-4-test { type ipv4_addr flags interval auto-merge elements = $ip-block-4 } # nft -f ruleset.nft BUG: unhandled expression type 0 nft: src/intervals.c:211: interval_expr_key: Assertion `0' failed. Aborted Same applies to chains in the form of: create chain x y { counter } which is also accepted by the parser. Update tests/shell to improve coverage for these use cases. Fixes: 56c90a2dd2eb ("evaluate: expand sets and maps before evaluation") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests')
-rwxr-xr-xtests/shell/testcases/include/0020include_chain_07
-rw-r--r--tests/shell/testcases/include/dumps/0020include_chain_0.nft5
-rwxr-xr-xtests/shell/testcases/sets/0049set_define_012
-rw-r--r--tests/shell/testcases/sets/dumps/0049set_define_0.nft7
4 files changed, 31 insertions, 0 deletions
diff --git a/tests/shell/testcases/include/0020include_chain_0 b/tests/shell/testcases/include/0020include_chain_0
index 8f78e8c6..49b6f76c 100755
--- a/tests/shell/testcases/include/0020include_chain_0
+++ b/tests/shell/testcases/include/0020include_chain_0
@@ -20,4 +20,11 @@ RULESET2="chain inet filter input2 {
echo "$RULESET2" > $tmpfile1
+RULESET3="create chain inet filter output2 {
+ type filter hook output priority filter; policy accept;
+ ip daddr 1.2.3.4 tcp dport { 22, 443, 123 } drop
+}"
+
+echo "$RULESET3" >> $tmpfile1
+
$NFT -o -f - <<< $RULESET
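Review bot: The added `echo "$RULESET3" >> $tmpfile1` leaves the redirect target unquoted, so a temporary path containing whitespace or glob characters would make the redirect ambiguous instead of appending to the intended file; `echo "$RULESET3" >> "$tmpfile1"` avoids that. The existing `> $tmpfile1` context line has the same form. RULESET3 also has no comment saying which case it covers; a line such as `# create chain must be expanded too, otherwise the anonymous set in the rule is never evaluated` above it would record why the second chain is there. The script begins and ends outside this hunk, so how `$tmpfile1` is created and cleaned up is not visible here.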
diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.nft b/tests/shell/testcases/include/dumps/0020include_chain_0.nft
index 3ad6db14..bf596ffb 100644
--- a/tests/shell/testcases/include/dumps/0020include_chain_0.nft
+++ b/tests/shell/testcases/include/dumps/0020include_chain_0.nft
@@ -3,4 +3,9 @@ table inet filter {
type filter hook input priority filter; policy accept;
ip saddr 1.2.3.4 tcp dport { 22, 123, 443 } drop
}
+
+ chain output2 {
+ type filter hook output priority filter; policy accept;
+ ip daddr 1.2.3.4 tcp dport { 22, 123, 443 } drop
+ }
}
diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0
index 1d512f7b..756afdc1 100755
--- a/tests/shell/testcases/sets/0049set_define_0
+++ b/tests/shell/testcases/sets/0049set_define_0
@@ -14,3 +14,15 @@ table inet filter {
"
$NFT -f - <<< "$EXPECTED"
+
+EXPECTED="define ip-block-4 = { 1.1.1.1 }
+
+ create set inet filter ip-block-4-test {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ elements = \$ip-block-4
+ }
+"
+
+$NFT -f - <<< "$EXPECTED"
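Review bot: The second `$NFT -f - <<< "$EXPECTED"` now becomes the last command of the script, so the exit status of the first load (the context line above) only fails the test if `set -e` is in effect, which is set or not outside this hunk. If it is not set, a regression in the first ruleset would be masked by a successful `create set` load; confirming `set -e` at the top, or ending the first call with `|| exit 1`, keeps both loads significant. The assertion abort quoted in the commit message is caught here only through nft's non-zero exit status, so that status must not be lost. A short comment such as `# create set with elements taken from a define (used to hit an assertion in interval_expr_key)` would also explain why `EXPECTED` is reassigned.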
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
index 998b387a..d654420c 100644
--- a/tests/shell/testcases/sets/dumps/0049set_define_0.nft
+++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
@@ -1,4 +1,11 @@
table inet filter {
+ set ip-block-4-test {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ elements = { 1.1.1.1 }
+ }
+
chain input {
type filter hook input priority filter; policy drop;
tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept