David reported nft chokes on this: nft -f /tmp/A /tmp/A:9:22-45: Error: datatype mismatch, expected concatenation of (IPv4 address, internet network service, IPv4 address), expression has type concatenation of (IPv4 address, internet network service) cat /tmp/A flush ruleset; table ip filter { set setA { type ipv4_addr . inet_service . ipv4_addr flags timeout } set setB { type ipv4_addr . inet_service flags timeout } } Problem is we leak set definition details of setA to setB via eval context, so reset this. Also add test case for this. Reported-by: David Fabian <david.fabian@xxxxxxxxx> Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- src/evaluate.c | 1 + tests/shell/testcases/sets/0032restore_set_simple_0 | 6 ++++++ tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft | 11 +++++++++++ 3 files changed, 18 insertions(+) create mode 100755 tests/shell/testcases/sets/0032restore_set_simple_0 create mode 100644 tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft diff --git a/src/evaluate.c b/src/evaluate.c index db63494ce2f3..aee5b1c15c7a 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2974,6 +2974,7 @@ static int table_evaluate(struct eval_ctx *ctx, struct table *table) ctx->table = table; list_for_each_entry(set, &table->sets, list) { + expr_set_context(&ctx->ectx, NULL, 0); handle_merge(&set->handle, &table->handle); if (set_evaluate(ctx, set) < 0) return -1; diff --git a/tests/shell/testcases/sets/0032restore_set_simple_0 b/tests/shell/testcases/sets/0032restore_set_simple_0 new file mode 100755 index 000000000000..07820b7c4fdd --- /dev/null +++ b/tests/shell/testcases/sets/0032restore_set_simple_0 @@ -0,0 +1,6 @@ +#!/bin/bash + +set -e +dumpfile=$(dirname $0)/dumps/$(basename $0).nft + +$NFT -f "$dumpfile" diff --git a/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft new file mode 100644 index 000000000000..86c55491b277 --- /dev/null 
+++ b/tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft @@ -0,0 +1,11 @@ +table ip filter { + set setA { + type ipv4_addr . inet_service . ipv4_addr + flags timeout + } + + set setB { + type ipv4_addr . inet_service + flags timeout + } +} -- 2.16.1
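Review bot: in the src/evaluate.c hunk, the reset `expr_set_context(&ctx->ectx, NULL, 0);` runs only at the top of each iteration of the set loop in table_evaluate(), so whatever the last set_evaluate() call leaves in ctx->ectx is still there once the loop ends. Consider doing the reset inside set_evaluate() itself, or repeating it after the loop, so that nothing evaluated later starts from the final set's context. A one-line comment above the call saying that it clears state left over from the previous set would also help, since the reason for it is not obvious from the code alone.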
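Review bot: in tests/shell/testcases/sets/0032restore_set_simple_0, the `dumpfile=$(dirname $0)/dumps/$(basename $0).nft` line expands `$0` unquoted, so the script breaks if the test tree is checked out under a path containing spaces. Quoting it as `dumpfile="$(dirname "$0")/dumps/$(basename "$0").nft"` avoids that; the following `$NFT -f "$dumpfile"` line already quotes the result.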
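Review bot: the dump in tests/shell/testcases/sets/dumps/0032restore_set_simple_0.nft only covers one ordering, a three-field concatenation (setA) followed by a two-field one (setB), which is exactly the reported case. Adding a third set after setB with a plain, non-concatenated key, for example `type ipv4_addr`, and one whose concatenation is longer than its predecessor's would show that the reset holds whichever way the key layout changes between consecutive sets.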