set->data from implicit_set_declaration(), otherwise, set_evaluation() bails out with: # nft -f /etc/nftables/inet-filter.nft /etc/nftables/inet-filter.nft:8:32-54: Error: map definition does not specify mapping data type tcp dport vmap { 22 : jump ssh_input } ^^^^^^^^^^^^^^^^^^^^^^^ /etc/nftables/inet-filter.nft:13:26-52: Error: map definition does not specify mapping data type iif vmap { "eth0" : jump wan_input } ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Add a test to cover this case. Fixes: 7aa08d45031e ("evaluate: Perform set evaluation on implicitly declared (anonymous) sets") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=208093 Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- v2: add test. src/evaluate.c | 22 +++++++++++---------- tests/shell/testcases/maps/0009vmap_0 | 19 ++++++++++++++++++ tests/shell/testcases/maps/dumps/0009vmap_0 | 13 ++++++++++++ 3 files changed, 44 insertions(+), 10 deletions(-) create mode 100755 tests/shell/testcases/maps/0009vmap_0 create mode 100644 tests/shell/testcases/maps/dumps/0009vmap_0 diff --git a/src/evaluate.c b/src/evaluate.c index fbc8f1fbd141..fb58c053d4ae 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -80,6 +80,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set); static struct expr *implicit_set_declaration(struct eval_ctx *ctx, const char *name, struct expr *key, + struct expr *data, struct expr *expr) { struct cmd *cmd; @@ -93,6 +94,7 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx, set->flags = NFT_SET_ANONYMOUS | expr->set_flags; set->handle.set.name = xstrdup(name); set->key = key; + set->data = data; set->init = expr; set->automerge = set->flags & NFT_SET_INTERVAL; @@ -1411,7 +1413,7 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) struct expr_ctx ectx = ctx->ectx; struct expr *map = *expr, *mappings; const struct datatype *dtype; - struct expr *key; + struct expr *key, *data; expr_set_context(&ctx->ectx, NULL, 0); if (expr_evaluate(ctx, &map->map) < 0) @@ -1430,15 +1432,14 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) ctx->ectx.byteorder, ctx->ectx.len, NULL); + dtype = set_datatype_alloc(ectx.dtype, ectx.byteorder); + data = constant_expr_alloc(&netlink_location, dtype, + dtype->byteorder, ectx.len, NULL); + mappings = implicit_set_declaration(ctx, "__map%d", - key, + key, data, mappings); - dtype = set_datatype_alloc(ectx.dtype, ectx.byteorder); - - mappings->set->data = constant_expr_alloc(&netlink_location, - dtype, dtype->byteorder, - ectx.len, NULL); if (ectx.len && mappings->set->data->len != ectx.len) BUG("%d vs %d\n", mappings->set->data->len, ectx.len); @@ -1898,7 +1899,8 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr) case EXPR_SET: right = rel->right = implicit_set_declaration(ctx, "__set%d", - expr_get(left), right); + expr_get(left), NULL, + right); /* fall through */ case EXPR_SET_REF: /* Data for range lookups needs to be in big endian order */ @@ -2389,7 +2391,7 @@ static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) set->set_flags |= NFT_SET_TIMEOUT; setref = implicit_set_declaration(ctx, stmt->meter.name, - expr_get(key), set); + expr_get(key), NULL, set); setref->set->desc.size = stmt->meter.size; stmt->meter.set = setref; @@ -3318,7 +3320,7 @@ static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt) ctx->ectx.len, NULL); mappings = implicit_set_declaration(ctx, "__objmap%d", - key, mappings); + key, NULL, mappings); mappings->set->objtype = stmt->objref.type; map->mappings = mappings; diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0 new file mode 100755 index 000000000000..7627c81d99e0 --- /dev/null +++ b/tests/shell/testcases/maps/0009vmap_0 @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +EXPECTED="table inet filter { + chain ssh_input { + } + + chain wan_input { + tcp dport vmap { 22 : jump ssh_input } + } + + chain prerouting { + type filter hook prerouting priority -300; policy accept; + iif vmap { "lo" : jump wan_input } + } +}" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0 b/tests/shell/testcases/maps/dumps/0009vmap_0 new file mode 100644 index 000000000000..540a8af870e3 --- /dev/null +++ b/tests/shell/testcases/maps/dumps/0009vmap_0 @@ -0,0 +1,13 @@ +table inet filter { + chain ssh_input { + } + + chain wan_input { + tcp dport vmap { 22 : jump ssh_input } + } + + chain prerouting { + type filter hook prerouting priority -300; policy accept; + iif vmap { "lo" : jump wan_input } + } +} -- 2.20.1