From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 1 Jun 2022 17:09:31 +0000 (+0200)
Subject: evaluate: reset ctx->set after set interval evaluation
X-Git-Tag: v1.0.4~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=818f7dded9c9e8a89a2de98801425536180ae307;p=thirdparty%2Fnftables.git

evaluate: reset ctx->set after set interval evaluation

Otherwise bogus error reports on set datatype mismatch might occur, such as:

Error: datatype mismatch, expected Internet protocol, expression has type IPv4 address
    meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
    ~~~~~~~~~~~~ ^^^^^^^^^^^^

with an unrelated set declaration.

table ip test {
       set set_with_interval {
               type ipv4_addr
               flags interval
       }

       chain prerouting {
               type nat hook prerouting priority dstnat; policy accept;
               meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
       }
}

This bug has been introduced in the evaluation step.

Reported-by: Roman Petrov <nwhisper@gmail.com>
Fixes: 81e36530fcac ("src: replace interval segment tree overlap and automerge)"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/evaluate.c b/src/evaluate.c
index 1447a4c2..82bf1311 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4005,8 +4005,9 @@ static int setelem_evaluate(struct eval_ctx *ctx, struct cmd *cmd)
 	cmd->elem.set = set_get(set);
 
 	if (set_is_interval(ctx->set->flags) &&
-	    !(set->flags & NFT_SET_CONCAT))
-		return interval_set_eval(ctx, ctx->set, cmd->expr);
+	    !(set->flags & NFT_SET_CONCAT) &&
+	    interval_set_eval(ctx, ctx->set, cmd->expr) < 0)
+		return -1;
 
 	ctx->set = NULL;
 
@@ -4184,8 +4185,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
 	}
 
 	if (set_is_interval(ctx->set->flags) &&
-	    !(ctx->set->flags & NFT_SET_CONCAT))
-		return interval_set_eval(ctx, ctx->set, set->init);
+	    !(ctx->set->flags & NFT_SET_CONCAT) &&
+	    interval_set_eval(ctx, ctx->set, set->init) < 0)
+		return -1;
 
 	ctx->set = NULL;
 
diff --git a/tests/shell/testcases/sets/dumps/set_eval_0.nft b/tests/shell/testcases/sets/dumps/set_eval_0.nft
new file mode 100644
index 00000000..a45462b8
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/set_eval_0.nft
@@ -0,0 +1,11 @@
+table ip nat {
+	set set_with_interval {
+		type ipv4_addr
+		flags interval
+	}
+
+	chain prerouting {
+		type nat hook prerouting priority dstnat; policy accept;
+		meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
+	}
+}
diff --git a/tests/shell/testcases/sets/set_eval_0 b/tests/shell/testcases/sets/set_eval_0
new file mode 100755
index 00000000..82b6d3bc
--- /dev/null
+++ b/tests/shell/testcases/sets/set_eval_0
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip nat {
+        set set_with_interval {
+                type ipv4_addr
+                flags interval
+        }
+
+        chain prerouting {
+                type nat hook prerouting priority dstnat; policy accept;
+                meta l4proto { tcp, udp } th dport 443 dnat to 10.0.0.1
+        }
+}"
+
+$NFT -f - <<< $RULESET