evaluate: reject set definition with no key
authorPablo Neira Ayuso <pablo@netfilter.org>
Wed, 6 Dec 2023 12:40:22 +0000 (13:40 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 6 Dec 2023 15:21:02 +0000 (16:21 +0100)
 tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert
 BUG: unhandled key type 2
 nft: src/intervals.c:59: setelem_expr_to_range: Assertion `0' failed.

This patch also adds a new tests/shell unit, courtesy of Florian Westphal.

Fixes: 3975430b12d9 ("src: expand table command before evaluation")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c

index 58cc811aca9a718361cdd1ab209bf9f80c0d5a58..c32857c755651849fc78881008577ee9ef198038 100644 (file)
@@ -4693,6 +4693,12 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
        struct stmt *stmt;
        const char *type;
 
+       type = set_is_map(set->flags) ? "map" : "set";
+
+       if (set->key == NULL)
+               return set_error(ctx, set, "%s definition does not specify key",
+                                type);
+
        if (!set_is_anonymous(set->flags)) {
                table = table_cache_find(&ctx->nft->cache.table_cache,
                                         set->handle.table.name,
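Review bot: The `set->key == NULL` check added at the top of this hunk duplicates the original check that the second hunk keeps as context after the auto-merge test, so the later copy now looks unreachable unless code between the two hunks (not shown) can reset `set->key`. Removing the later three lines would leave a single rejection point. A short comment above the new check, such as `/* reject keyless definitions before the set is looked up or processed further */`, would record why the order matters, since the commit message shows a keyless definition from a ruleset file reaching an assertion abort. set_evaluate() starts before this hunk and continues past it.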
@@ -4716,8 +4722,6 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
        if (!(set->flags & NFT_SET_INTERVAL) && set->automerge)
                return set_error(ctx, set, "auto-merge only works with interval sets");
 
-       type = set_is_map(set->flags) ? "map" : "set";
-
        if (set->key == NULL)
                return set_error(ctx, set, "%s definition does not specify key",
                                 type);