intervals: check for EXPR_F_REMOVE in case of element mismatch

If auto-merge is disable and element to be deleted finds no exact
matching, then bail out.

Fixes: 3e8d934e4f72 ("intervals: support to partial deletion with automerge")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/intervals.c b/src/intervals.c
index c21b3ee0ad60d01be676e2b52a3f19f9d9d305cd..13009ca1b888e8b36672c20fec9a1be074d7cce9 100644 (file)
--- a/src/intervals.c
+++ b/src/intervals.c
@@ -421,6 +421,10 @@ static int setelem_delete(struct list_head *msgs, struct set *set,
                        expr_error(msgs, i, "element does not exist");
                        err = -1;
                        goto err;
+               } else if (i->flags & EXPR_F_REMOVE) {
+                       expr_error(msgs, i, "element does not exist");
+                       err = -1;
+                       goto err;
                }
                prev = NULL;
        }

diff --git a/tests/shell/testcases/sets/errors_0 b/tests/shell/testcases/sets/errors_0
index 2960b694c67cdc939db1b2e9e5dca5ba0fefedd3..a676ac7331c8b943decf21d440eddd2c03f56879 100755 (executable)
--- a/tests/shell/testcases/sets/errors_0
+++ b/tests/shell/testcases/sets/errors_0
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-set -e
-
 RULESET="table ip x {
        set y {
                type ipv4_addr
@@ -11,4 +9,22 @@ RULESET="table ip x {
 
 delete element ip x y { 2.3.4.5 }"
 
+$NFT -f - <<< $RULESET
+if [ $? -eq 0 ]
+then
+       exit 1
+fi
+
+RULESET="table ip x {
+        set y {
+                type ipv4_addr
+                flags interval
+        }
+}
+
+add element x y { 1.1.1.1/24 }
+delete element x y { 1.1.1.1/24 }
+add element x y { 1.1.1.1/24 }
+delete element x y { 2.2.2.2/24 }"
+
 $NFT -f - <<< $RULESET || exit 0