The following ruleset that uses raw expressions: table ip nftlb { map persistency { type inet_service : mark size 65535 timeout 1h elements = { 53 expires 59m55s864ms : 0x00000064, 80 expires 59m58s924ms : 0x00000065, 443 expires 59m56s220ms : 0x00000064 } } chain pre { type filter hook prerouting priority filter; policy accept; ip protocol { tcp, udp } update @persistencia { @th,0,16 : numgen inc mod 2 offset 100 } } } bogusly bails out with: /tmp/test:9:57-64: Error: datatype mismatch: expected internet network service, expression has type integer ip protocol { tcp, udp } update @persistencia { @th,0,16 : numgen inc mod 2 offset 100 } ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fix the problem by evaluating expression basetype and length in this case. Reported-by: Laura Garcia <nevola@xxxxxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/evaluate.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index db49a18d0150..19d4b65bfa78 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1854,7 +1854,16 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt,
 if (expr_evaluate(ctx, expr) < 0)
 return -1;
- if (!datatype_equal((*expr)->dtype, dtype))
+ if ((*expr)->dtype->type == TYPE_INTEGER &&
+ ((*expr)->dtype->type != dtype->basetype->type ||
+ (*expr)->len != len))
+ return stmt_binary_error(ctx, *expr, stmt,
+ "datatype mismatch: expected %s, "
+ "expression has type %s with length %d",
+ dtype->desc, (*expr)->dtype->desc,
+ (*expr)->len);
+ else if ((*expr)->dtype->type != TYPE_INTEGER &&
+ !datatype_equal((*expr)->dtype, dtype))
 return stmt_binary_error(ctx, *expr, stmt,
 "datatype mismatch: expected %s, "
 "expression has type %s",
--
2.11.0
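Review bot: The relaxed integer branch dereferences `dtype->basetype` without a NULL check, so an integer expression evaluated against an expected type that has no base type (not visible here, but the root integer type is the obvious candidate) would fault instead of reporting a mismatch. I would enter the relaxed path only when a base type exists and send every other case through the strict `datatype_equal()` comparison as before, as sketched below. The relaxed path also compares only type and length; whether byte order is checked elsewhere cannot be seen from this hunk, and a raw payload key of the right length but the wrong order would load cleanly and then never match, so a comment stating that assumption would help. The function's signature and the tail of the last `return` lie outside the hunk.

```c
	if ((*expr)->dtype->type == TYPE_INTEGER && dtype->basetype != NULL) {
		if (dtype->basetype->type != TYPE_INTEGER ||
		    (*expr)->len != len)
			/* … unchanged: "with length %d" mismatch return … */
	} else if (!datatype_equal((*expr)->dtype, dtype))
		/* … unchanged: existing "datatype mismatch" return … */
```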