Without this, included bogon asserts with:
BUG: unhandled key type 13
nft: src/intervals.c:73: setelem_expr_to_range: Assertion `0' failed.
... because we no longer evaluate set->key/data.
Move the check to the tail of the function, right before assigning
set->existing_set, so that set->key has been evaluated.
Fixes: ceab53cee499 ("evaluate: don't allow merging interval set/map with non-interval one")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
if (existing_flags == new_flags)
set->flags |= NFT_SET_EVAL;
}
-
- if (set_is_interval(set->flags) && !set_is_interval(existing_set->flags))
- return set_error(ctx, set, "existing %s lacks interval flag", type);
} else {
set_cache_add(set_get(set), table);
}
return 0;
}
+ if (existing_set && set_is_interval(set->flags) && !set_is_interval(existing_set->flags))
+ return set_error(ctx, set, "existing %s lacks interval flag", type);
+
set->existing_set = existing_set;
return 0;
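Review bot: The relocated `if (existing_set && set_is_interval(set->flags) && !set_is_interval(existing_set->flags))` check is only correct because it now runs after set->key/data have been evaluated, but nothing in the code records that ordering requirement. Per the commit message, returning from the earlier position left the key unevaluated and led to the `setelem_expr_to_range` assertion on a crafted ruleset. A one-line comment above the check would keep a later cleanup from hoisting it back into the `if (existing_set)` branch, for example `/* Keep after key/data evaluation: erroring out earlier leaves set->key unevaluated. */`. The condition line is also well past 80 columns and could be wrapped after the second `&&`. The enclosing function starts outside the visible hunk, so what happens between the two hunks is assumed from the commit description.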
--- /dev/null
+table inet t {
+ map m2 {
+ typeof udp length . @ih,32,32 : verdict
+ elements = {
+ 1-10 . 0xa : drop }
+ }
+
+ map m2 {
+ typeof udp length . @ih,32,32 : verdict
+ flags interval
+ elements = { 20-80 . 0x14 : accept }
+ }
+}