given table filter { set local { type iface_index elements = { lo } } chain input { type filter hook input priority 0; iif { @lan, } accept; } } nft BUG()s. I don't see how we could support sets-in-set; add a sanity check and error out instead. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- src/evaluate.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/evaluate.c b/src/evaluate.c index ed78896..a49cdd9 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -920,6 +920,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) if (list_member_evaluate(ctx, &i) < 0) return -1; + if (i->ops->type == EXPR_SET_ELEM && + i->key->ops->type == EXPR_SET_REF) + return expr_error(ctx->msgs, i, + "Set reference cannot be part of another set"); + if (!expr_is_constant(i)) return expr_error(ctx->msgs, i, "Set member is not constant"); -- 2.4.10 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
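Review bot: The new check only rejects a set reference that appears directly as the key of an EXPR_SET_ELEM, so it is worth confirming that a set reference reaching expr_evaluate_set in any other shape (for example nested inside a composite element key) cannot still fall through to the existing `if (!expr_is_constant(i))` path and the BUG() the commit message describes; if the evaluator can see such forms, a recursive walk of the element key rather than a single `i->key->ops->type == EXPR_SET_REF` test would close them too. Separately, the reproducer in the commit message defines a set named `local` but the rule uses `@lan`, so as quoted it does not reference the set it defines; aligning the two would make the reproducer usable as a regression test alongside the new error message.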