]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0583bac)
evaluate: allow stateful statements with anonymous verdict maps
authorPablo Neira Ayuso <pablo@netfilter.org>
Sun, 7 May 2023 17:30:46 +0000 (19:30 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 10 May 2023 06:05:50 +0000 (08:05 +0200)
Evaluation fails to accept stateful statements in verdict maps, relax
the following check for anonymous sets:

test.nft:4:29-35: Error: missing statement in map declaration
                ip saddr vmap { 127.0.0.1 counter : drop, * counter : accept }
                                          ^^^^^^^

The existing code generates correctly the counter in the anonymous
verdict map.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c patch | blob | blame | history
tests/shell/testcases/maps/0009vmap_0 patch | blob | blame | history
tests/shell/testcases/maps/dumps/0009vmap_0.nft patch | blob | blame | history

diff --git a/src/evaluate.c b/src/evaluate.c
index a1c3895cfb02896ab8b4f00704d7b99cd65cf356..bc8f437ee7eacdde91a3c9924aa5772bd334b420 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1604,7 +1604,8 @@ static int __expr_evaluate_set_elem(struct eval_ctx *ctx, struct expr *elem)
                                          "but element has %d", num_set_exprs,
                                          num_elem_exprs);
                } else if (num_set_exprs == 0) {
-                       if (!(set->flags & NFT_SET_EVAL)) {
+                       if (!(set->flags & NFT_SET_ANONYMOUS) &&
+                           !(set->flags & NFT_SET_EVAL)) {
                                elem_stmt = list_first_entry(&elem->stmt_list, struct stmt, list);
                                return stmt_error(ctx, elem_stmt,
                                                  "missing statement in %s declaration",
diff --git a/tests/shell/testcases/maps/0009vmap_0 b/tests/shell/testcases/maps/0009vmap_0
index 7627c81d99e003e27510a6ca56348c50cccd6d72..d31e1608f792c91b41388d4bf1600031de96f9e0 100755 (executable)
--- a/tests/shell/testcases/maps/0009vmap_0
+++ b/tests/shell/testcases/maps/0009vmap_0
@@ -12,7 +12,7 @@ EXPECTED="table inet filter {
 
         chain prerouting {
                 type filter hook prerouting priority -300; policy accept;
-                iif vmap { "lo" : jump wan_input }
+                iif vmap { "lo" counter : jump wan_input }
         }
 }"
 
diff --git a/tests/shell/testcases/maps/dumps/0009vmap_0.nft b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
index c556feceb1aae71171824907dd12b6e7bcfb6efa..c37574ad5fad18fbb29fdd00771d9b8dad0e015b 100644 (file)
--- a/tests/shell/testcases/maps/dumps/0009vmap_0.nft
+++ b/tests/shell/testcases/maps/dumps/0009vmap_0.nft
@@ -8,6 +8,6 @@ table inet filter {
 
        chain prerouting {
                type filter hook prerouting priority raw; policy accept;
-               iif vmap { "lo" : jump wan_input }
+               iif vmap { "lo" counter packets 0 bytes 0 : jump wan_input }
        }
 }
Mirror of git://git.netfilter.org/nftables