git.ipfire.org Git - thirdparty/nftables.git/commit
evaluate: prevent merge of sets with incompatible keys
author Florian Westphal <fw@strlen.de>
Thu, 26 Jun 2025 00:52:48 +0000 (02:52 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 13 Aug 2025 18:48:16 +0000 (20:48 +0200)
commit 3f8446d30c61de7909001e88784de5a315cd06a2
tree 6dc156734ceaaa1fd0aed6b5ee6357eb786c15a4
parent e1fc80df0be96b84ce1096cf51b4a98c26c0d578
evaluate: prevent merge of sets with incompatible keys

commit c9d6f089f0eb2cb615cbca3e4c99b07c5639960f upstream.

It's not enough to check for the interval flag; this would assert in the interval
code due to a concat being passed to the interval code:
BUG: unhandled key type 13

After fix:
same_set_name_but_different_keys_assert:8:6-7: Error: set already exists with
different datatype (concatenation of (IPv4 address, network interface index) vs
network interface index)
        set s4 {
            ^^

This also improves error verbosity when mixing datamap and objref maps:

invalid_transcation_merge_map_and_objref_map:9:13-13:
Error: map already exists with different datatype (IPv4 address vs string)

... instead of 'Cannot merge map with incompatible existing map of same name'.
The 'Cannot merge map with incompatible existing map of same name' check
is kept in place to catch when the ruleset contains a set and a map with the same
name and the same key definition.

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
src/intervals.c
tests/shell/testcases/bogons/nft-f/same_set_name_but_different_keys_assert [new file with mode: 0644]
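A ruleset of the shape the commit message describes, constructed here as an illustration and not taken from the commit's own test file: the same set name is declared twice within one `nft -f` transaction, once with a concatenated `ipv4_addr . iface_index` key and once with a plain `iface_index` key (the two datatypes named in the error above), so the second declaration cannot be merged into the first. The exact layout (two table blocks, the interval flag on both declarations, the `"lo"` element) is an assumption; the commit states that with the fix nft reports the 'set already exists with different datatype' error instead of the `BUG: unhandled key type 13` assertion.

```nft
# Constructed example: two declarations of set s4 in one transaction
# with incompatible key types. The interface name "lo" is used for the
# element because it exists on every Linux host.
table inet t {
    set s4 {
        type ipv4_addr . iface_index
        flags interval
        elements = { 10.0.0.0/24 . "lo" }
    }
}

table inet t {
    # Same set name, but a single (non-concatenated) key: with the fix
    # this is rejected with "set already exists with different datatype
    # (concatenation of (IPv4 address, network interface index) vs
    # network interface index)".
    set s4 {
        type iface_index
        flags interval
    }
}
```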