Re: [PATCH nft 1/2] evaluate: Perform set evaluation on implicitly declared (anonymous) sets

On Sun, May 24, 2020 at 03:00:26PM +0200, Stefano Brivio wrote:
> If a set is implicitly declared, set_evaluate() is not called as a
> result of cmd_evaluate_add(), because we're adding in fact something
> else (e.g. a rule). Expression-wise, evaluation still happens as the
> implicit set expression is eventually found in the tree and handled
> by expr_evaluate_set(), but context-wise evaluation (set_evaluate())
> is skipped, and this might be relevant instead.
> 
> This is visible in the reported case of an anonymous set including
> concatenated ranges:
> 
>   # nft add rule t c ip saddr . tcp dport { 192.0.2.1 . 20-30 } accept
>   BUG: invalid range expression type concat
>   nft: expression.c:1160: range_expr_value_low: Assertion `0' failed.
>   Aborted
> 
> because we reach do_add_set() without properly evaluated flags and
> set description, and eventually end up in expr_to_intervals(), which
> can't handle that expression.
> 
> Explicitly call set_evaluate() as we add anonymous sets into the
> context, and instruct the same function to skip expression-wise set
> evaluation if the set is anonymous, as that happens later anyway as
> part of the general tree evaluation.
> 
> Reported-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Reported-by: Phil Sutter <phil@xxxxxx>
> Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>

Acked-by: Phil Sutter <phil@xxxxxx>
