create commands also need to be expanded, otherwise elements are never evaluated: # cat ruleset.nft define ip-block-4 = { 1.1.1.1 } create set netdev filter ip-block-4-test { type ipv4_addr flags interval auto-merge elements = $ip-block-4 } # nft -f ruleset.nft BUG: unhandled expression type 0 nft: src/intervals.c:211: interval_expr_key: Assertion `0' failed. Aborted Same applies to chains in the form of: create chain x y { counter } which is also accepted by the parser. Update tests/shell to improve coverage for these use cases. Fixes: 56c90a2dd2eb ("evaluate: expand sets and maps before evaluation") Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- src/libnftables.c | 3 ++- tests/shell/testcases/include/0020include_chain_0 | 7 +++++++ .../testcases/include/dumps/0020include_chain_0.nft | 5 +++++ tests/shell/testcases/sets/0049set_define_0 | 12 ++++++++++++ .../shell/testcases/sets/dumps/0049set_define_0.nft | 7 +++++++ 5 files changed, 33 insertions(+), 1 deletion(-) diff --git a/src/libnftables.c b/src/libnftables.c index ec902009e002..0dee1bacb0db 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -532,7 +532,8 @@ static int nft_evaluate(struct nft_ctx *nft, struct list_head *msgs, collapsed = true; list_for_each_entry(cmd, cmds, list) { - if (cmd->op != CMD_ADD) + if (cmd->op != CMD_ADD && + cmd->op != CMD_CREATE) continue; nft_cmd_expand(cmd); diff --git a/tests/shell/testcases/include/0020include_chain_0 b/tests/shell/testcases/include/0020include_chain_0 index 8f78e8c606ec..49b6f76c6a8d 100755 --- a/tests/shell/testcases/include/0020include_chain_0 +++ b/tests/shell/testcases/include/0020include_chain_0 @@ -20,4 +20,11 @@ RULESET2="chain inet filter input2 { echo "$RULESET2" > $tmpfile1 +RULESET3="create chain inet filter output2 { + type filter hook output priority filter; policy accept; + ip daddr 1.2.3.4 tcp dport { 22, 443, 123 } drop +}" + +echo "$RULESET3" >> $tmpfile1 + $NFT -o -f - <<< $RULESET diff --git a/tests/shell/testcases/include/dumps/0020include_chain_0.nft b/tests/shell/testcases/include/dumps/0020include_chain_0.nft index 3ad6db14d2f5..bf596ffb3067 100644 --- a/tests/shell/testcases/include/dumps/0020include_chain_0.nft +++ b/tests/shell/testcases/include/dumps/0020include_chain_0.nft @@ -3,4 +3,9 @@ table inet filter { type filter hook input priority filter; policy accept; ip saddr 1.2.3.4 tcp dport { 22, 123, 443 } drop } + + chain output2 { + type filter hook output priority filter; policy accept; + ip daddr 1.2.3.4 tcp dport { 22, 123, 443 } drop + } } diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0 index 1d512f7b5a54..756afdc1e965 100755 --- a/tests/shell/testcases/sets/0049set_define_0 +++ b/tests/shell/testcases/sets/0049set_define_0 @@ -14,3 +14,15 @@ table inet filter { " $NFT -f - <<< "$EXPECTED" + +EXPECTED="define ip-block-4 = { 1.1.1.1 } + + create set inet filter ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = \$ip-block-4 + } +" + +$NFT -f - <<< "$EXPECTED" diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft index 998b387a8151..d654420c00a1 100644 --- a/tests/shell/testcases/sets/dumps/0049set_define_0.nft +++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft @@ -1,4 +1,11 @@ table inet filter { + set ip-block-4-test { + type ipv4_addr + flags interval + auto-merge + elements = { 1.1.1.1 } + } + chain input { type filter hook input priority filter; policy drop; tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept -- 2.30.2