[PATCH nft,v2] src: expand create commands

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



create commands also need to be expanded, otherwise elements are never
evaluated:

 # cat ruleset.nft
 define ip-block-4 = { 1.1.1.1 }
 create set netdev filter ip-block-4-test {
        type ipv4_addr
	flags interval
	auto-merge
	elements = $ip-block-4
 }
 # nft -f ruleset.nft
 BUG: unhandled expression type 0
 nft: src/intervals.c:211: interval_expr_key: Assertion `0' failed.
 Aborted

Same applies to chains in the form of:

 create chain x y {
	counter
 }

which is also accepted by the parser.

Update tests/shell to improve coverage for these use cases.

Fixes: 56c90a2dd2eb ("evaluate: expand sets and maps before evaluation")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/libnftables.c                                    |  3 ++-
 tests/shell/testcases/include/0020include_chain_0    |  7 +++++++
 .../testcases/include/dumps/0020include_chain_0.nft  |  5 +++++
 tests/shell/testcases/sets/0049set_define_0          | 12 ++++++++++++
 .../shell/testcases/sets/dumps/0049set_define_0.nft  |  7 +++++++
 5 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index ec902009e002..0dee1bacb0db 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -532,7 +532,8 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs,
 		collapsed = true;
 
 	list_for_each_entry(cmd, cmds, list) {
-		if (cmd->op != CMD_ADD)
+		if (cmd->op != CMD_ADD &&
+		    cmd->op != CMD_CREATE)
 			continue;
 
 		nft_cmd_expand(cmd);
diff --git a/tests/shell/testcases/include/0020include_chain_0 b/tests/shell/testcases/include/0020include_chain_0
index 8f78e8c606ec..49b6f76c6a8d 100755
--- a/tests/shell/testcases/include/0020include_chain_0
+++ b/tests/shell/testcases/include/0020include_chain_0
@@ -20,4 +20,11 @@ RULESET2="chain inet filter input2 {
 
 echo "$RULESET2" > $tmpfile1
 
+RULESET3="create chain inet filter output2 {
+	type filter hook output priority filter; policy accept;
+	ip daddr 1.2.3.4 tcp dport { 22, 443, 123 } drop
+}"
+
+echo "$RULESET3" >> $tmpfile1
+
 $NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.nft b/tests/shell/testcases/include/dumps/0020include_chain_0.nft
index 3ad6db14d2f5..bf596ffb3067 100644
--- a/tests/shell/testcases/include/dumps/0020include_chain_0.nft
+++ b/tests/shell/testcases/include/dumps/0020include_chain_0.nft
@@ -3,4 +3,9 @@ table inet filter {
 		type filter hook input priority filter; policy accept;
 		ip saddr 1.2.3.4 tcp dport { 22, 123, 443 } drop
 	}
+
+	chain output2 {
+		type filter hook output priority filter; policy accept;
+		ip daddr 1.2.3.4 tcp dport { 22, 123, 443 } drop
+	}
 }
diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0
index 1d512f7b5a54..756afdc1e965 100755
--- a/tests/shell/testcases/sets/0049set_define_0
+++ b/tests/shell/testcases/sets/0049set_define_0
@@ -14,3 +14,15 @@ table inet filter {
 "
 
 $NFT -f - <<< "$EXPECTED"
+
+EXPECTED="define ip-block-4 = { 1.1.1.1 }
+
+     create set inet filter ip-block-4-test {
+            type ipv4_addr
+            flags interval
+            auto-merge
+            elements = \$ip-block-4
+     }
+"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
index 998b387a8151..d654420c00a1 100644
--- a/tests/shell/testcases/sets/dumps/0049set_define_0.nft
+++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
@@ -1,4 +1,11 @@
 table inet filter {
+	set ip-block-4-test {
+		type ipv4_addr
+		flags interval
+		auto-merge
+		elements = { 1.1.1.1 }
+	}
+
 	chain input {
 		type filter hook input priority filter; policy drop;
 		tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept
-- 
2.30.2




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux