evaluate: reject set definition with no key
authorPablo Neira Ayuso <pablo@netfilter.org>
Wed, 6 Dec 2023 12:40:22 +0000 (13:40 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 12 Dec 2023 12:30:09 +0000 (13:30 +0100)
commit 1949a63215b423b914d3a7a9de7511cb48af3c09 upstream.

 tests/shell/testcases/bogons/nft-f/set_definition_with_no_key_assert
 BUG: unhandled key type 2
 nft: src/intervals.c:59: setelem_expr_to_range: Assertion `0' failed.

This patch adds a new unit tests/shell courtesy of Florian Westphal.

Fixes: 3975430b12d9 ("src: expand table command before evaluation")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c

index fbba4be2d755828e88022f729e1f9c49ec4efa96..124b23e56ab69574b3ca852d3e0a297498f7a2f5 100644 (file)
@@ -4411,6 +4411,12 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
        struct stmt *stmt;
        const char *type;
 
+       type = set_is_map(set->flags) ? "map" : "set";
+
+       if (set->key == NULL)
+               return set_error(ctx, set, "%s definition does not specify key",
+                                type);
+
        if (!set_is_anonymous(set->flags)) {
                table = table_cache_find(&ctx->nft->cache.table_cache,
                                         set->handle.table.name,
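Review bot: The later `if (set->key == NULL)` test that the second hunk keeps as context looks unreachable now that the same test returns here, ahead of the `table_cache_find()` block, unless code between the two hunks (not shown) can reset `set->key`. Dropping the later copy would stop a reader from assuming the key can still be missing at that point. The position of the new check is what matters for the fix, yet nothing in the code says so; a comment above it such as `/* Check the key before any cache work below, see bogons/nft-f/set_definition_with_no_key_assert */` would guard against a later reorder bringing back the assertion quoted in the commit message. set_evaluate() starts before and continues past both hunks, so this is judged from the visible lines only.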
@@ -4434,8 +4440,6 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
        if (!(set->flags & NFT_SET_INTERVAL) && set->automerge)
                return set_error(ctx, set, "auto-merge only works with interval sets");
 
-       type = set_is_map(set->flags) ? "map" : "set";
-
        if (set->key == NULL)
                return set_error(ctx, set, "%s definition does not specify key",
                                 type);