The code which decomposes unclosed intervals in sets doesn't check for
prefixes. This means that a set containing such a prefix (e.g., ff00::/8
or 192.0.0.0/2) is incorrectly listed:

  # nft list table ip6 t
  table ip6 t {
          chain c {
                  ip6 saddr ff00::/8 drop
                  ip6 saddr fe80::/10 drop
                  ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop
          }
  }

  # nft list table ip t
  table ip t {
          chain c {
                  ip saddr 192.0.0.0/2 drop
                  ip saddr 10.0.0.0/8 drop
                  ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop
          }
  }

This patch-set refactors `interval_map_decompose` to use the same code to
handle unclosed intervals that is used for closed ones.

Jeremy Sowden (2):
  segtree: refactor decomposition of closed intervals
  segtree: fix decomposition of unclosed intervals containing address prefixes

 src/segtree.c                                | 90 +++++++++----------
 .../sets/0071unclosed_prefix_interval_0      | 23 +++++
 .../dumps/0071unclosed_prefix_interval_0.nft | 19 ++++
 3 files changed, 85 insertions(+), 47 deletions(-)
 create mode 100755 tests/shell/testcases/sets/0071unclosed_prefix_interval_0
 create mode 100644 tests/shell/testcases/sets/dumps/0071unclosed_prefix_interval_0.nft

-- 
2.35.1
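The following is an added, stand-alone model of the prefix check that the listing above shows being skipped for unclosed intervals; it is not code from nftables' segtree.c or from this patch-set. It assumes a simple representation (big-endian byte arrays, or a host-order uint32_t for IPv4) and hypothetical helper names (`range_to_prefix`, `interval_is_unclosed`, `format_ipv4_interval`). A range is rendered as a prefix exactly when its low bits are all zero in the start and all one in the end and the remaining high bits agree, whether or not the end is the last address of the family; the constructed inputs in main() reproduce the ff00::/8, fe80::/10, 192.0.0.0/2 and 10.0.0.0/8 cases from the listing.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return the prefix length p if [start, end]
 * (big-endian, `len` bytes) is exactly a CIDR block, otherwise -1.
 * Condition: the low (8*len - p) bits are 0 in start and 1 in end,
 * and the high p bits are identical in both. */
int range_to_prefix(const uint8_t *start, const uint8_t *end, size_t len)
{
    size_t plen = len * 8;

    /* Strip "start bit = 0, end bit = 1" positions from the LSB upward. */
    while (plen > 0) {
        size_t bit = plen - 1;
        uint8_t mask = (uint8_t)(0x80u >> (bit % 8));
        if ((start[bit / 8] & mask) != 0 || (end[bit / 8] & mask) == 0)
            break;
        plen--;
    }
    /* Every remaining high bit must agree, else this is a plain range. */
    for (size_t bit = 0; bit < plen; bit++) {
        uint8_t mask = (uint8_t)(0x80u >> (bit % 8));
        if ((start[bit / 8] & mask) != (end[bit / 8] & mask))
            return -1;
    }
    return (int)plen;
}

/* Hypothetical helper: an interval is "unclosed" when its end is the last
 * address of the family (all ones). The listing above shows such intervals
 * being printed as ranges even when they are prefixes; the check in
 * range_to_prefix() does not depend on this distinction. */
int interval_is_unclosed(const uint8_t *end, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (end[i] != 0xff)
            return 0;
    return 1;
}

static void ipv4_to_bytes(uint32_t a, uint8_t out[4])
{
    out[0] = (uint8_t)(a >> 24);
    out[1] = (uint8_t)(a >> 16);
    out[2] = (uint8_t)(a >> 8);
    out[3] = (uint8_t)a;
}

int ipv4_range_prefix(uint32_t start, uint32_t end)
{
    uint8_t s[4], e[4];
    ipv4_to_bytes(start, s);
    ipv4_to_bytes(end, e);
    return range_to_prefix(s, e, 4);
}

/* Parse two textual IPv6 addresses and classify the interval; -2 on parse error. */
int ipv6_range_prefix(const char *start, const char *end)
{
    uint8_t s[16], e[16];
    if (inet_pton(AF_INET6, start, s) != 1 || inet_pton(AF_INET6, end, e) != 1)
        return -2;
    return range_to_prefix(s, e, 16);
}

/* Render an IPv4 interval the way a correct decomposition lists it:
 * prefix notation when possible (closed or unclosed alike), else a range.
 * Returns a static buffer; demo only, not thread-safe. */
const char *format_ipv4_interval(uint32_t start, uint32_t end)
{
    static char buf[64];
    uint8_t s[4], e[4];
    ipv4_to_bytes(start, s);
    ipv4_to_bytes(end, e);
    int plen = range_to_prefix(s, e, 4);
    if (plen >= 0)
        snprintf(buf, sizeof buf, "%u.%u.%u.%u/%d", s[0], s[1], s[2], s[3], plen);
    else
        snprintf(buf, sizeof buf, "%u.%u.%u.%u-%u.%u.%u.%u",
                 s[0], s[1], s[2], s[3], e[0], e[1], e[2], e[3]);
    return buf;
}

int main(void)
{
    /* Constructed inputs mirroring the set elements in the listing above. */
    uint8_t all_ones[4] = { 0xff, 0xff, 0xff, 0xff };
    printf("%s\n", format_ipv4_interval(0x0a000000u, 0x0affffffu));  /* 10.0.0.0/8 */
    printf("%s (unclosed=%d)\n", format_ipv4_interval(0xc0000000u, 0xffffffffu),
           interval_is_unclosed(all_ones, 4));                         /* 192.0.0.0/2 */
    printf("%s\n", format_ipv4_interval(0x0a000000u, 0x0a000005u));  /* 10.0.0.0-10.0.0.5 */
    printf("ff00:: unclosed interval -> /%d\n",
           ipv6_range_prefix("ff00::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"));
    printf("fe80:: closed interval   -> /%d\n",
           ipv6_range_prefix("fe80::", "febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff"));
    return 0;
}
```

The point of the model is that the unclosed case needs no separate code path: the all-ones end is just a range whose every low bit is set, so the same bit-walk that recognises 10.0.0.0/8 also recognises 192.0.0.0/2 and ff00::/8.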