[nftables] bug: prefix masks applied to set lookup keys are decompiled as a prefix length applied to the set

Hi,

I stumbled upon another bug in the Debian buster backports version of nftables:

| # nft 'table ip foobartest { chain c { ip saddr & 0.0.0.0 { 0.0.0.0 }; }; }' 
| # nft list table ip foobartest
| table ip foobartest {
|         chain c {
|                 ip saddr { 0.0.0.0 }/0
|         }
| }

That prefix length suffix after the set both looks a bit strange and
doesn't seem to be valid nft input syntax, so I guess that makes it a bug?

My guess is that the cause is the second case in
relational_binop_postprocess(), which doesn't seem to check for the type of
the right operand?

Regards, Florian
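A small round-trip sanity check, added here as an example and not part of the original report or of the nftables project: it scans a `nft list` dump for the form shown above (a set lookup followed by `/N`, which the parser does not accept) and rewrites each hit back to the explicit `& mask { ... }` form, assuming that `/N` stands for an N-bit prefix mask applied with `&` as in the rule that triggered the bug (N=0 there). The sample listing is a constructed copy of the output quoted in the report.

```python
import ipaddress
import re

# Constructed sample: the table listing quoted in the bug report.
LISTED = """table ip foobartest {
        chain c {
                ip saddr { 0.0.0.0 }/0
        }
}
"""

# A set lookup with a trailing "/N" prefix length, which nft will not parse back.
# Hypothetical, kept to the ip saddr / ip daddr selectors seen in the report.
SET_PREFIX_RE = re.compile(
    r'^(?P<indent>\s*)(?P<expr>ip (?:saddr|daddr))\s*'
    r'(?P<set>\{[^}]*\})/(?P<plen>\d{1,2})\s*$'
)


def prefix_to_mask(plen):
    """Return the dotted-quad netmask for an IPv4 prefix length (0..32)."""
    return str(ipaddress.IPv4Network((0, plen)).netmask)


def find_invalid_set_prefixes(listing):
    """Return (line number, stripped line) for every set lookup carrying a /N suffix."""
    hits = []
    for lineno, line in enumerate(listing.splitlines(), 1):
        if SET_PREFIX_RE.match(line):
            hits.append((lineno, line.strip()))
    return hits


def rewrite_listing(listing):
    """Rewrite 'ip saddr { ... }/N' into 'ip saddr & MASK { ... }' (assumed equivalent form)."""
    out = []
    for line in listing.splitlines():
        m = SET_PREFIX_RE.match(line)
        if m:
            mask = prefix_to_mask(int(m.group("plen")))
            line = "%s%s & %s %s" % (m.group("indent"), m.group("expr"), mask, m.group("set"))
        out.append(line)
    text = "\n".join(out)
    if listing.endswith("\n"):
        text += "\n"
    return text


if __name__ == "__main__":
    for lineno, line in find_invalid_set_prefixes(LISTED):
        print("line %d: unparseable set prefix: %s" % (lineno, line))
    print(rewrite_listing(LISTED))
```

To use it on a live system, feed `nft list ruleset` output in place of `LISTED` and pass the rewritten text to `nft -c -f -` to confirm that the rewritten ruleset parses again.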
