From 92a9e83b41dc0a1600aa0af63fe569fcb6277e56 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Mon, 29 Feb 2016 17:50:39 +0100
Subject: evaluate: reject set references in set elements

given
table filter { set local { type iface_index elements = { lo } } chain input { type filter hook input priority 0; iif { @lan, } accept; } }
nft BUG()s. I don't see how we could support sets-in-set; add a sanity check and error out instead.

Signed-off-by: Florian Westphal
Acked-by: Pablo Neira Ayuso
---
 src/evaluate.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src/evaluate.c')

diff --git a/src/evaluate.c b/src/evaluate.c
index ed78896a..a49cdd93 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -920,6 +920,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
 if (list_member_evaluate(ctx, &i) < 0)
 return -1;
+ if (i->ops->type == EXPR_SET_ELEM && i->key->ops->type == EXPR_SET_REF)
+ return expr_error(ctx->msgs, i,
+ "Set reference cannot be part of another set");
+
 if (!expr_is_constant(i))
 return expr_error(ctx->msgs, i,
 "Set member is not constant");
-- 
cgit v1.2.3
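Review bot: The new guard only inspects the top-level type of the element key (`i->key->ops->type == EXPR_SET_REF`), so a set reference nested inside a compound key — a concatenation, for instance, if the grammar admits one in this position, which this hunk does not show — would pass the check and still reach the code path the commit message says BUG()s. Rejecting EXPR_SET_REF in the set-element evaluation path itself, or walking the key expression instead of matching one shape at this call site, would close that gap without depending on how the element was built. The rejection also deserves a why-comment, since a reader would otherwise expect the existing "Set member is not constant" check to cover it; something like `/* sets of sets are unsupported: reject here rather than BUG() later */` above the new `if`. The enclosing expr_evaluate_set begins before and ends after this hunk.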