From 818f7dded9c9e8a89a2de98801425536180ae307 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 1 Jun 2022 19:09:31 +0200 Subject: evaluate: reset ctx->set after set interval evaluation Otherwise bogus error reports on set datatype mismatch might occur, such as: Error: datatype mismatch, expected Internet protocol, expression has type IPv4 address meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 ~~~~~~~~~~~~ ^^^^^^^^^^^^ with an unrelated set declaration. table ip test { set set_with_interval { type ipv4_addr flags interval } chain prerouting { type nat hook prerouting priority dstnat; policy accept; meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1 } } This bug has been introduced in the evaluation step. Reported-by: Roman Petrov Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge)" Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/evaluate.c b/src/evaluate.c index 1447a4c2..82bf1311 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -4005,8 +4005,9 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct cmd *cmd) cmd->elem.set = set_get(set); if (set_is_interval(ctx->set->flags) && - !(set->flags & NFT_SET_CONCAT)) - return interval_set_eval(ctx, ctx->set, cmd->expr); + !(set->flags & NFT_SET_CONCAT) && + interval_set_eval(ctx, ctx->set, cmd->expr) < 0) + return -1; ctx->set = NULL; @@ -4184,8 +4185,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) } if (set_is_interval(ctx->set->flags) && - !(ctx->set->flags & NFT_SET_CONCAT)) - return interval_set_eval(ctx, ctx->set, set->init); + !(ctx->set->flags & NFT_SET_CONCAT) && + interval_set_eval(ctx, ctx->set, set->init) < 0) + return -1; ctx->set = NULL; -- cgit v1.2.3