[PATCH nftables] rule: check address family in set collapse

498a5f0c added collapsing of set operations in different commands.
However, the logic is currently too relaxed.  It is valid to have a
table and set with identical names on different address families.
For example:

  table ip a {
    set x {
      type inet_service;
    }
  }
  table ip6 a {
      set x {
        type inet_service;
      }
  }
  add element ip a x { 1 }
  add element ip a x { 2 }
  add element ip6 a x { 2 }

The above currently results in nothing being added to the ip6 family
table due to being collapsed into the ip table add.  Prior to 498a5f0c
the set add would work.  The fix is simply to check the family in
addition to the table and set names before allowing a collapse.

Fixes: 498a5f0c ("rule: collapse set element commands")
Signed-off-by: Derek Hageman <hageman@inthat.cloud>
---
 src/rule.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/rule.c b/src/rule.c
index 9c9eaec0..1caee58f 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1414,7 +1414,8 @@ bool nft_cmd_collapse(struct list_head *cmds)
 			continue;
 		}
 
-		if (strcmp(elems->handle.table.name, cmd->handle.table.name) ||
+		if (elems->handle.family != cmd->handle.family ||
+		    strcmp(elems->handle.table.name, cmd->handle.table.name) ||
 		    strcmp(elems->handle.set.name, cmd->handle.set.name)) {
 			elems = cmd;
 			continue;
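Review bot: no regression test for the same-name ip/ip6 set case from the commit message accompanies this change; a shell testcase that loads the two `a`/`x` tables shown there, adds elements to both families and then checks that the ip6 set actually contains `2` would guard against the collapse logic regressing again. The ordering of the new condition is sound: `elems->handle.family != cmd->handle.family` is a cheap integer compare placed before the two `strcmp` calls, so the common cross-family case short-circuits without touching the names.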
-- 
2.37.2
