evaluate: don't allow merging interval set/map with non-interval one

author Florian Westphal <fw@strlen.de>

Thu, 13 Mar 2025 09:38:25 +0000 (10:38 +0100)

committer Florian Westphal <fw@strlen.de>

Thu, 13 Mar 2025 12:40:49 +0000 (13:40 +0100)
author Florian Westphal <fw@strlen.de>
Thu, 13 Mar 2025 09:38:25 +0000 (10:38 +0100)
committer Florian Westphal <fw@strlen.de>
Thu, 13 Mar 2025 12:40:49 +0000 (13:40 +0100)
diff --git a/src/evaluate.c b/src/evaluate.c

index 7fc210fd3b12200f3cc9a53e87c4bc808b8765a3..d59993dcdd4e9b5ef73d9b42ad9060f57901333f 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -5080,15 +5080,19 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
                         return table_not_found(ctx);
  
                 existing_set = set_cache_find(table, set->handle.set.name);
-               if (!existing_set)
-                       set_cache_add(set_get(set), table);
+               if (existing_set) {
+                       if (existing_set->flags & NFT_SET_EVAL) {
+                               uint32_t existing_flags = existing_set->flags & ~NFT_SET_EVAL;
+                               uint32_t new_flags = set->flags & ~NFT_SET_EVAL;
  
-               if (existing_set && existing_set->flags & NFT_SET_EVAL) {
-                       uint32_t existing_flags = existing_set->flags & ~NFT_SET_EVAL;
-                       uint32_t new_flags = set->flags & ~NFT_SET_EVAL;
+                               if (existing_flags == new_flags)
+                                       set->flags |= NFT_SET_EVAL;
+                       }
  
-                       if (existing_flags == new_flags)
-                               set->flags |= NFT_SET_EVAL;
+                       if (set_is_interval(set->flags) && !set_is_interval(existing_set->flags))
+                               return set_error(ctx, set, "existing %s lacks interval flag", type);
+               } else {
+                       set_cache_add(set_get(set), table);
                 }
         }
  
diff --git a/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert

new file mode 100644 (file)

index 0000000..4637a4f
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert
@@ -0,0 +1,12 @@
+table ip x {
+       map y {
+               type ipv4_addr : ipv4_addr
+               elements = { 1.168.0.4 }
+       }
+
+        map y {
+               type ipv4_addr : ipv4_addr
+               flags interval
+               elements = { 10.141.3.0/24 : 192.8.0.3 }
+       }
+}
author	Florian Westphal <fw@strlen.de>
	Thu, 13 Mar 2025 09:38:25 +0000 (10:38 +0100)
committer	Florian Westphal <fw@strlen.de>
	Thu, 13 Mar 2025 12:40:49 +0000 (13:40 +0100)
src/evaluate.c		patch \| blob \| blame \| history
tests/shell/testcases/bogons/nft-f/invalid_data_expr_type_range_value_assert	[new file with mode: 0644]	patch \| blob