[PATCH nft] evaluate: disallow anonymous set with empty elements

[Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>]

Restrict this, the brackets have explicit semantics since they tell the
kernel to represent this value as a set, which is too costly. Set for
one single element are overkill.

 # nft add rule x y ct state { established } counter
 Error: anonymous set with single element makes no sense, remove brackets wrapping this value
 add rule x y ct state { established } counter
                       ^^^^^^^^^^^^^^^

Instead, the preferred way to express this is:

 # nft add rule x y ct state established counter

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
I know this may break stuff outthere, but probably it's still early to
fix this. If we keep allowing this and transparently turn this into a
value, people will likely never understand the bracket semantics.
Brackets are not just syntaxic sugar.

 src/evaluate.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 3a3f2468c826..aa42c69127a2 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1253,8 +1253,11 @@ static int expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr **expr)
 static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
 {
 	struct expr *set = *expr, *i, *next;
+	unsigned int count = 0;
 
 	list_for_each_entry_safe(i, next, &set->expressions, list) {
+		count++;
+
 		if (list_member_evaluate(ctx, &i) < 0)
 			return -1;
 
@@ -1288,6 +1291,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
 			set->set_flags |= NFT_SET_INTERVAL;
 	}
 
+	if (set->flags & NFT_SET_ANONYMOUS &&
+	    count == 1)
+		return expr_error(ctx->msgs, set,
+				  "anonymous set with one single element makes no sense, remove brackets wrapping this value");
+
 	set->set_flags |= NFT_SET_CONSTANT;
 
 	set->dtype = ctx->ectx.dtype;
-- 
2.11.0