Don't allow this: # nft list set x __set0 table ip x { set __set0 { type ipv4_addr flags constant elements = { 1.1.1.1 } } } Anonymous sets never change and they are attached to a rule, do not list their content. Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- src/evaluate.c | 19 ++++++++++++------- tests/shell/testcases/listing/0016anonymous_0 | 11 +++++++++++ 2 files changed, 23 insertions(+), 7 deletions(-) create mode 100755 tests/shell/testcases/listing/0016anonymous_0 diff --git a/src/evaluate.c b/src/evaluate.c index 07617a7c94cb..5b1946a1fd09 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3587,7 +3587,8 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd) return table_not_found(ctx); set = set_lookup(table, cmd->handle.set.name); - if (set == NULL || set->flags & NFT_SET_MAP) + if (set == NULL || + set->flags & (NFT_SET_MAP | NFT_SET_ANONYMOUS)) return set_not_found(ctx, &ctx->cmd->handle.set.location, ctx->cmd->handle.set.name); @@ -3598,7 +3599,8 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd) return table_not_found(ctx); set = set_lookup(table, cmd->handle.set.name); - if (set == NULL || !(set->flags & NFT_SET_EVAL)) + if (set == NULL || !(set->flags & NFT_SET_EVAL) || + !(set->flags & NFT_SET_ANONYMOUS)) return set_not_found(ctx, &ctx->cmd->handle.set.location, ctx->cmd->handle.set.name); @@ -3609,7 +3611,8 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd) return table_not_found(ctx); set = set_lookup(table, cmd->handle.set.name); - if (set == NULL || !(set->flags & NFT_SET_MAP)) + if (set == NULL || !(set->flags & NFT_SET_MAP) || + set->flags & NFT_SET_ANONYMOUS) return set_not_found(ctx, &ctx->cmd->handle.set.location, ctx->cmd->handle.set.name); @@ -3698,10 +3701,10 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd) return table_not_found(ctx); set = set_lookup(table, cmd->handle.set.name); - if (set == NULL || set->flags & NFT_SET_MAP) + if (set == NULL || + (set->flags & (NFT_SET_MAP | NFT_SET_ANONYMOUS))) return set_not_found(ctx, &ctx->cmd->handle.set.location, ctx->cmd->handle.set.name); - return 0; case CMD_OBJ_MAP: table = table_lookup(&cmd->handle, &ctx->nft->cache); @@ -3709,7 +3712,8 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd) return table_not_found(ctx); set = set_lookup(table, cmd->handle.set.name); - if (set == NULL || !(set->flags & NFT_SET_MAP)) + if (set == NULL || !(set->flags & NFT_SET_MAP) || + set->flags & NFT_SET_ANONYMOUS) return set_not_found(ctx, &ctx->cmd->handle.set.location, ctx->cmd->handle.set.name); @@ -3720,7 +3724,8 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd) return table_not_found(ctx); set = set_lookup(table, cmd->handle.set.name); - if (set == NULL || !(set->flags & NFT_SET_EVAL)) + if (set == NULL || !(set->flags & NFT_SET_EVAL) || + !(set->flags & NFT_SET_ANONYMOUS)) return set_not_found(ctx, &ctx->cmd->handle.set.location, ctx->cmd->handle.set.name); diff --git a/tests/shell/testcases/listing/0016anonymous_0 b/tests/shell/testcases/listing/0016anonymous_0 new file mode 100755 index 000000000000..98add3456d37 --- /dev/null +++ b/tests/shell/testcases/listing/0016anonymous_0 @@ -0,0 +1,11 @@ +#!/bin/bash + +$NFT add table x +$NFT add chain x y +$NFT add rule x y ip saddr { 1.1.1.1 } +$NFT list set x __set0 &>/dev/null +ret=$? +if [ $ret -eq 0 ] +then + exit 1 +fi -- 2.11.0