evaluate: do not abort when prefix map has non-map element

Before:
nft: evaluate.c:1849: __mapping_expr_expand: Assertion `i->etype == EXPR_MAPPING' failed.

after:
Error: expected mapping, not set element
   snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.1 }

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/src/evaluate.c b/src/evaluate.c
index 00bb8988bd4c92cb57e2ea44666ac5886c1cbd4f..efab28952e32e0dcd3d9c2be32e7d47788299521 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1869,12 +1869,21 @@ static void __mapping_expr_expand(struct expr *i)
        }
 }
 
-static void mapping_expr_expand(struct expr *init)
+static int mapping_expr_expand(struct eval_ctx *ctx)
 {
        struct expr *i;
 
-       list_for_each_entry(i, &init->expressions, list)
+       if (!set_is_anonymous(ctx->set->flags))
+               return 0;
+
+       list_for_each_entry(i, &ctx->set->init->expressions, list) {
+               if (i->etype != EXPR_MAPPING)
+                       return expr_error(ctx->msgs, i,
+                                         "expected mapping, not %s", expr_name(i));
                __mapping_expr_expand(i);
+       }
+
+       return 0;
 }
 
 static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
@@ -1955,8 +1964,8 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
                if (ctx->set->data->flags & EXPR_F_INTERVAL) {
                        ctx->set->data->len *= 2;
 
-                       if (set_is_anonymous(ctx->set->flags))
-                               mapping_expr_expand(ctx->set->init);
+                       if (mapping_expr_expand(ctx))
+                               return -1;
                }
 
                ctx->set->key->len = ctx->ectx.len;

diff --git a/tests/shell/testcases/bogons/assert_failures b/tests/shell/testcases/bogons/assert_failures
new file mode 100755 (executable)
index 0000000..7909942
--- /dev/null
+++ b/tests/shell/testcases/bogons/assert_failures
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+dir=$(dirname $0)/nft-f/
+
+for f in $dir/*; do
+       $NFT --check -f "$f"
+
+       if [ $? -ne 1 ]; then
+               echo "Bogus input file $f did not cause expected error code" 1>&2
+               exit 111
+       fi
+done

diff --git a/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert
new file mode 100644 (file)
index 0000000..18c7edd
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/nat_prefix_map_with_set_element_assert
@@ -0,0 +1,7 @@
+table ip x {
+       chain y {
+       type nat hook postrouting priority srcnat; policy accept;
+               snat ip prefix to ip saddr map { 10.141.11.0/24 : 192.168.2.0/24, 10.141.12.1 }
+       }
+}
+