src: Allow for empty set variable definition

author Pablo Neira Ayuso <pablo@netfilter.org>

Fri, 3 Jul 2020 11:24:59 +0000 (13:24 +0200)

committer Pablo Neira Ayuso <pablo@netfilter.org>

Fri, 3 Jul 2020 22:06:46 +0000 (00:06 +0200)
author Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 3 Jul 2020 11:24:59 +0000 (13:24 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Fri, 3 Jul 2020 22:06:46 +0000 (00:06 +0200)
diff --git a/src/evaluate.c b/src/evaluate.c

index 42040b6efe0215deaf5cd55b8a662b73ff00cfed..640a7d465bae08fa83f33d4f04cf668c8b9df2f6 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1897,6 +1897,9 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
                                 return -1;
                         break;
                 case EXPR_SET:
+                       if (right->size == 0)
+                               return expr_error(ctx->msgs, right, "Set is empty");
+
                         right = rel->right =
                                 implicit_set_declaration(ctx, "__set%d",
                                                          expr_get(left), NULL,
diff --git a/src/parser_bison.y b/src/parser_bison.y

index 461d9bf24d95ad38191fd3a24e1139bff8c7ad89..72e67186c91348a92a3901b69e49f5fde659afd1 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -3820,6 +3820,7 @@ set_rhs_expr              :       concat_rhs_expr
  
  initializer_expr       :       rhs_expr
                         |       list_rhs_expr
+                       |       '{' '}'         { $$ = compound_expr_alloc(&@$, EXPR_SET); }
                         ;
  
  counter_config         :       PACKETS         NUM     BYTES   NUM
diff --git a/tests/shell/testcases/sets/0049set_define_0 b/tests/shell/testcases/sets/0049set_define_0

new file mode 100755 (executable)

index 0000000..1d512f7
--- /dev/null
+++ b/tests/shell/testcases/sets/0049set_define_0
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
+define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
+
+table inet filter {
+       chain input {
+               type filter hook input priority 0; policy drop;
+               tcp dport {\$BASE_ALLOWED_INCOMING_TCP_PORTS, \$EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
+       }
+}
+"
+
+$NFT -f - <<< "$EXPECTED"
diff --git a/tests/shell/testcases/sets/0050set_define_1 b/tests/shell/testcases/sets/0050set_define_1

new file mode 100755 (executable)

index 0000000..c12de17
--- /dev/null
+++ b/tests/shell/testcases/sets/0050set_define_1
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+EXPECTED="define BASE_ALLOWED_INCOMING_TCP_PORTS = {}
+
+table inet filter {
+       chain input {
+               type filter hook input priority 0; policy drop;
+               tcp dport {\$BASE_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
+       }
+}
+"
+
+$NFT -f - <<< "$EXPECTED" &> /dev/null || exit 0
+echo "E: Accepted empty set" 1>&2
+exit 1
diff --git a/tests/shell/testcases/sets/dumps/0049set_define_0.nft b/tests/shell/testcases/sets/dumps/0049set_define_0.nft

new file mode 100644 (file)

index 0000000..998b387
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0049set_define_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+       chain input {
+               type filter hook input priority filter; policy drop;
+               tcp dport { 22, 80, 443 } ct state new counter packets 0 bytes 0 accept
+       }
+}
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 3 Jul 2020 11:24:59 +0000 (13:24 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 3 Jul 2020 22:06:46 +0000 (00:06 +0200)
src/evaluate.c		patch \| blob \| blame \| history
src/parser_bison.y		patch \| blob \| blame \| history
tests/shell/testcases/sets/0049set_define_0	[new file with mode: 0755]	patch \| blob
tests/shell/testcases/sets/0050set_define_1	[new file with mode: 0755]	patch \| blob
tests/shell/testcases/sets/dumps/0049set_define_0.nft	[new file with mode: 0644]	patch \| blob