expr: fix crash when listing non-verdict mappings

Fix regression introduced by commit 87c2a2205:

  netlink_delinearize: clone on netlink_get_register(), release previous on _set()

When using a non-verdict mapping, the set ref expression is assigned to the
destination register. The next get_register() will attempt to clone it and
crash because of the missing ->clone() callback.

# nft filter input meta mark set ip daddr map { 192.168.0.1 : 123 }
# nft list table filter
Segmentation fault (core dumped)

Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/src/expression.c b/src/expression.c
index 8ba2e8a1a28edd687c03789e9bf30fe9fda31abb..5b848da7a10d73d4909e7975a38d38db9064eef2 100644 (file)
--- a/src/expression.c
+++ b/src/expression.c
@@ -858,6 +858,11 @@ static void set_ref_expr_print(const struct expr *expr)
                printf("@%s", expr->set->handle.set);
 }
 
+static void set_ref_expr_clone(struct expr *new, const struct expr *expr)
+{
+       new->set = set_get(expr->set);
+}
+
 static void set_ref_expr_destroy(struct expr *expr)
 {
        set_free(expr->set);
@@ -867,6 +872,7 @@ static const struct expr_ops set_ref_expr_ops = {
        .type           = EXPR_SET_REF,
        .name           = "set reference",
        .print          = set_ref_expr_print,
+       .clone          = set_ref_expr_clone,
        .destroy        = set_ref_expr_destroy,
 };