create commands also need to be expanded, otherwise elements are never
evaluated:
# cat ruleset.nft
define ip-block-4 = { 1.1.1.1 }
create set netdev filter ip-block-4-test {
type ipv4_addr
flags interval
auto-merge
elements = $ip-block-4
}
# nft -f ruleset.nft
BUG: unhandled expression type 0
nft: src/intervals.c:211: interval_expr_key: Assertion `0' failed.
Aborted
Same applies to chains in the form of:
create chain x y {
counter
}
which is also accepted by the parser.
Fixes: 56c90a2dd2eb ("evaluate: expand sets and maps before evaluation")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
I will post a v2 includes tests.
src/libnftables.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/libnftables.c b/src/libnftables.c
index ec902009e002..0dee1bacb0db 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -532,7 +532,8 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
collapsed = true;
list_for_each_entry(cmd, cmds, list) {
- if (cmd->op != CMD_ADD)
+ if (cmd->op != CMD_ADD &&
+ cmd->op != CMD_CREATE)
continue;
nft_cmd_expand(cmd);
--
2.30.2
