Re: [PATCH nft 1/2] evaluate: Perform set evaluation on implicitly declared (anonymous) sets

On Sun, May 24, 2020 at 03:00:26PM +0200, Stefano Brivio wrote:
> If a set is implicitly declared, set_evaluate() is not called as a
> result of cmd_evaluate_add(), because we're adding in fact something
> else (e.g. a rule). Expression-wise, evaluation still happens as the
> implicit set expression is eventually found in the tree and handled
> by expr_evaluate_set(), but context-wise evaluation (set_evaluate())
> is skipped, and this might be relevant instead.
> 
> This is visible in the reported case of an anonymous set including
> concatenated ranges:
> 
>   # nft add rule t c ip saddr . tcp dport { 192.0.2.1 . 20-30 } accept
>   BUG: invalid range expression type concat
>   nft: expression.c:1160: range_expr_value_low: Assertion `0' failed.
>   Aborted
> 
> because we reach do_add_set() without properly evaluated flags and
> set description, and eventually end up in expr_to_intervals(), which
> can't handle that expression.
> 
> Explicitly call set_evaluate() as we add anonymous sets into the
> context, and instruct the same function to skip expression-wise set
> evaluation if the set is anonymous, as that happens later anyway as
> part of the general tree evaluation.
> 
> Reported-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Reported-by: Phil Sutter <phil@xxxxxx>
> Signed-off-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
> ---
>  src/evaluate.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 506f2c6a257e..ee019bc98480 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -76,6 +76,7 @@ static void key_fix_dtype_byteorder(struct expr *key)
>  	datatype_set(key, set_datatype_alloc(dtype, key->byteorder));
>  }
>  
> +static int set_evaluate(struct eval_ctx *ctx, struct set *set);
>  static struct expr *implicit_set_declaration(struct eval_ctx *ctx,
>  					     const char *name,
>  					     struct expr *key,
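Review bot: the forward prototype `+static int set_evaluate(struct eval_ctx *ctx, struct set *set);` exists only because implicit_set_declaration() is defined ahead of set_evaluate() in this file, so it now has to be kept in sync with the real definition by hand; a short comment saying why the prototype is there, or moving implicit_set_declaration() below set_evaluate() so no prototype is needed, would avoid a silent mismatch later.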
> @@ -107,6 +108,8 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx,
>  		list_add_tail(&cmd->list, &ctx->cmd->list);
>  	}
>  
> +	set_evaluate(ctx, set);
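Review bot: the return value of `+	set_evaluate(ctx, set);` is dropped even though the prototype added in the previous hunk declares it as `static int`, so an evaluation failure on the anonymous set (the very case this patch is meant to catch before do_add_set() and expr_to_intervals() are reached) is silently ignored and implicit_set_declaration() goes on to return the set expression as if it had been validated. Suggest checking the result and failing the declaration, e.g. `if (set_evaluate(ctx, set) < 0) return NULL;` (or whatever error convention implicit_set_declaration()'s callers expect), since the function returns a `struct expr *` and its callers have no other way to learn that set evaluation failed.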

Hm, set_evaluate() populates the cache with the anonymous set in this
case, see set_lookup() + set_add_hash().


