From 4dbfa17097512b6b88805299223f93e90a072ea6 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 12 Oct 2022 12:50:26 +0200 Subject: netlink_delinearize: do not transfer binary operation to non-anonymous sets Michael Braun says: This results for nft list ruleset in nft: netlink_delinearize.c:1945: binop_adjust_one: Assertion `value->len >= binop->right->len' failed. This is due to binop_adjust_one setting value->len to left->len, which is shorther than right->len. Additionally, it does not seem correct to alter set elements from parsing a rule, so remove that part all together. Reported-by: Michael Braun Signed-off-by: Pablo Neira Ayuso
---
 tests/shell/testcases/sets/dumps/typeof_sets_1.nft | 15 +++++++++++++++ tests/shell/testcases/sets/typeof_sets_1 | 22 ++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 tests/shell/testcases/sets/dumps/typeof_sets_1.nft create mode 100755 tests/shell/testcases/sets/typeof_sets_1 (limited to 'tests/shell/testcases/sets')
diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft
new file mode 100644
index 00000000..89cbc835
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft
@@ -0,0 +1,15 @@
+table bridge t {
+ set nodhcpvlan {
+ typeof vlan id
+ elements = { 1 }
+ }
+
+ chain c1 {
+ vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2
+ vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2
+ vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2
+ }
+
+ chain c2 {
+ }
+}
diff --git a/tests/shell/testcases/sets/typeof_sets_1 b/tests/shell/testcases/sets/typeof_sets_1
new file mode 100755
index 00000000..e520270c
--- /dev/null
+++ b/tests/shell/testcases/sets/typeof_sets_1
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# regression test for corner case in netlink_delinearize
+
+EXPECTED="table bridge t {
+ set nodhcpvlan {
+ typeof vlan id
+ elements = { 1 }
+ }
+
+ chain c1 {
+ vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2
+ vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2
+ vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2
+ }
+
+ chain c2 {
+ }
+}"
+
+set -e
+$NFT -f - <<< $EXPECTED
-- cgit v1.2.3
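Review bot: The here-string on the last added line expands `$EXPECTED` unquoted; older bash releases (before 4.4, as far as I recall) word-split that operand and join it with spaces, which would feed nft the whole ruleset on one line and fail the load for a reason unrelated to the bug. Writing it as `$NFT -f - <<< "$EXPECTED"` preserves the newlines on every bash version. The header comment could also name what is being guarded, for example `# regression test: listing rules that match vlan id against a named typeof set must not trip the binop_adjust_one assertion`. The script only loads the ruleset, so the listing path that asserted is presumably exercised by the harness comparing against dumps/typeof_sets_1.nft; if so, saying that in the comment would tell a later reader why the dump file must stay.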