From 8b7a533f8f8b276bfa71dcb306d6857e54015234 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 20 Nov 2025 00:41:13 +0100
Subject: [PATCH] rule: skip CMD_OBJ_SETELEMS with no elements after set flush

Set declaration + set flush results in a crash because CMD_OBJ_SETELEMS
does not expect no elements. This internal command only shows up if set
contains elements, however, evaluation flushes set content after the set
expansion. Skip this command CMD_OBJ_SETELEMS if set is empty.

Fixes: d3c8051cb767 ("rule: rework CMD_OBJ_SETELEMS logic")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/rule.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/rule.c b/src/rule.c
index bb6f62c8..8f8b77f1 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1499,6 +1499,9 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
 {
 	struct set *set = cmd->set;
 
+	if (!set->init)
+		return 0;
+
 	return __do_add_elements(ctx, cmd, set, set->init, flags);
 }
 
-- 
2.47.3