Prevent this assert:

% nft [..] tcp dport set { 0 , 1 }
BUG: unknown expression type set reference
nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed.
Aborted

We can't use a set here because we will not know what value to use.

With this patch, this is produced:

% nft [..] tcp dport set {1, 2 }
<cmdline>:1:19-27: Error: you cannot use a set here
add rule ip nat c tcp dport set {1, 2 }
                  ^^^^^^^^^~~~~~~~~~~~~

% nft [..] tcp dport set @s
<cmdline>:1:19-27: Error: you cannot reference a set here
add rule ip nat c tcp dport set @s
                  ^^^^^^^^^~~~~~~~

Using maps is still allowed:

% nft [..] tcp dport set numgen inc mod 2 map { 0 : 4040 , 1 : 4050 }

Signed-off-by: Arturo Borrero Gonzalez <arturo@xxxxxxxxxx>
---
 0 files changed

diff --git a/src/evaluate.c b/src/evaluate.c index 27cee98..f307f64 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1807,6 +1807,17 @@ static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt) payload->byteorder, &stmt->payload.val) < 0) return -1; + switch (stmt->payload.val->ops->type) { + case EXPR_SET: + return stmt_binary_error(ctx, stmt->payload.expr, stmt, + "you cannot use a set here"); + case EXPR_SET_REF: + return stmt_binary_error(ctx, stmt->payload.expr, stmt, + "you cannot reference a set here"); + default: + break; + } + need_csum = stmt_evaluate_payload_need_csum(payload); if (!payload_needs_adjustment(payload)) {
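Review bot: both stmt_binary_error() calls in the new switch in stmt_evaluate_payload() pass stmt->payload.expr as the first location, so in the sample output the carets sit under "tcp dport" (columns 19-27) instead of under the set that is actually being rejected. Passing stmt->payload.val there would point the user at the offending "{1, 2 }" or "@s". Two smaller points: the switch is a deny-list with "default: break;", so any other value expression type that netlink_gen_expr cannot linearize will still reach the same assertion, and it may be worth a comment saying why only EXPR_SET and EXPR_SET_REF are handled. The diffstat also shows no test change; a case covering the two rejected forms and the still-allowed numgen map form from the commit message would keep this from regressing.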