From a817ea9655dee1915423a802c0133e3611e02b3a Mon Sep 17 00:00:00 2001 From: Derek Hageman Date: Thu, 1 Sep 2022 10:10:41 -0600 Subject: rule: check address family in set collapse 498a5f0c219d added collapsing of set operations in different commands. However, the logic is currently too relaxed. It is valid to have a table and set with identical names on different address families. For example: table ip a { set x { type inet_service; } } table ip6 a { set x { type inet_service; } } add element ip a x { 1 } add element ip a x { 2 } add element ip6 a x { 2 } The above currently results in nothing being added to the ip6 family table due to being collapsed into the ip table add. Prior to 498a5f0c219d the set add would work. The fix is simply to check the family in addition to the table and set names before allowing a collapse. [ Add testcase to tests/shell --pablo ] Fixes: 498a5f0c219d ("rule: collapse set element commands") Signed-off-by: Derek Hageman Signed-off-by: Pablo Neira Ayuso
---
tests/shell/testcases/sets/collapse_elem_0 | 19 +++++++++++++++++++ tests/shell/testcases/sets/dumps/collapse_elem_0.nft | 12 ++++++++++++ 2 files changed, 31 insertions(+) create mode 100755 tests/shell/testcases/sets/collapse_elem_0 create mode 100644 tests/shell/testcases/sets/dumps/collapse_elem_0.nft (limited to 'tests/shell')
diff --git a/tests/shell/testcases/sets/collapse_elem_0 b/tests/shell/testcases/sets/collapse_elem_0
new file mode 100755
index 00000000..7699e9da
--- /dev/null
+++ b/tests/shell/testcases/sets/collapse_elem_0
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip a {
+ set x {
+ type inet_service;
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service;
+ }
+}
+add element ip a x { 1 }
+add element ip a x { 2 }
+add element ip6 a x { 2 }"
+
+$NFT -f - <<< $RULESET
diff --git a/tests/shell/testcases/sets/dumps/collapse_elem_0.nft b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
new file mode 100644
index 00000000..a3244fc6
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/collapse_elem_0.nft
@@ -0,0 +1,12 @@
+table ip a {
+ set x {
+ type inet_service
+ elements = { 1, 2 }
+ }
+}
+table ip6 a {
+ set x {
+ type inet_service
+ elements = { 2 }
+ }
+}
-- cgit v1.2.3
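Review bot: The `elements = { 2 }` line under `table ip6 a` is the only assertion of this fix, and it lives in the dump rather than in the script. collapse_elem_0 exits 0 whenever the load succeeds, so a regression that silently drops the ip6 element is caught only if the harness compares the listed ruleset against this file (presumably it does; the harness is not shown here). A one-line comment at the top of the script would make that dependency explicit, e.g. `# ip6 element must survive set collapse; verified by dumps/collapse_elem_0.nft`. In the same script, the last line passes `$RULESET` unquoted to the here-string; `$NFT -f - <<< "$RULESET"` keeps the newlines between commands intact on shells that word-split an unquoted here-string operand, which older bash releases are reported to do.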