Re: [PATCH nft] evaluate: don't allow merging interval set/map with non-interval one

On Thu, Mar 13, 2025 at 10:38:25AM +0100, Florian Westphal wrote:
> Included bogon asserts with:
> BUG: invalid data expression type range_value
> 
> Pablo says: "Reject because flags interval is lacking".
> Make it so.
> 
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

thanks

> ---
>  src/evaluate.c                                 | 18 +++++++++++-------
>  .../invalid_data_expr_type_range_value_assert  | 12 ++++++++++++
>  2 files changed, 23 insertions(+), 7 deletions(-)
>  create mode 100644 tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert
> 
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 7fc210fd3b12..d59993dcdd4e 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -5080,15 +5080,19 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
>  			return table_not_found(ctx);
>  
>  		existing_set = set_cache_find(table, set->handle.set.name);
> -		if (!existing_set)
> -			set_cache_add(set_get(set), table);
> +		if (existing_set) {
> +			if (existing_set->flags & NFT_SET_EVAL) {
> +				uint32_t existing_flags = existing_set->flags & ~NFT_SET_EVAL;
> +				uint32_t new_flags = set->flags & ~NFT_SET_EVAL;
>  
> -		if (existing_set && existing_set->flags & NFT_SET_EVAL) {
> -			uint32_t existing_flags = existing_set->flags & ~NFT_SET_EVAL;
> -			uint32_t new_flags = set->flags & ~NFT_SET_EVAL;
> +				if (existing_flags == new_flags)
> +					set->flags |= NFT_SET_EVAL;
> +			}
>  
> -			if (existing_flags == new_flags)
> -				set->flags |= NFT_SET_EVAL;
> +			if (set_is_interval(set->flags) && !set_is_interval(existing_set->flags))
> +				return set_error(ctx, set, "existing %s lacks interval flag", type);
> +		} else {
> +			set_cache_add(set_get(set), table);
>  		}
>  	}
>  
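Review bot: the new interval check at the end of the `if (existing_set)` branch is deliberately one-directional: it rejects a later declaration that carries `flags interval` when the cached set does not, but still accepts the reverse (existing set is interval, redeclaration is not). That asymmetry is reasonable, since single-value elements are valid in an interval set while ranges are not valid in a non-interval one, but it is not obvious from the code; a one-line comment above the `set_is_interval()` test stating why only that direction is an error would save the next reader from "fixing" it. The error string also names only the kind (`"existing %s lacks interval flag", type`); since `set->handle.set.name` is already at hand from the `set_cache_find()` call just above, including the set name in the message would make the failure easier to locate in a large ruleset file.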
> diff --git a/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert
> new file mode 100644
> index 000000000000..4637a4f9b9df
> --- /dev/null
> +++ b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert
> @@ -0,0 +1,12 @@
> +table ip x {
> +	map y {
> +		type ipv4_addr : ipv4_addr
> +		elements = { 1.168.0.4 }
> +	}
> +
> +        map y {
> +		type ipv4_addr : ipv4_addr
> +		flags interval
> +		elements = { 10.141.3.0/24 : 192.8.0.3 }
> +	}
> +}
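Review bot: the second `map y {` line is indented with spaces while every other line in the file uses tabs; switching it to a tab keeps the test file consistent with the rest of the bogons directory. Otherwise the case is a good minimal reproducer for the fixed path: the first `map y` is declared without `flags interval`, so the second declaration with `flags interval` and a `10.141.3.0/24` range element now hits the new `set_error()` instead of reaching the `range_value` data expression assert.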
> -- 
> 2.45.3
> 
> 