evaluate: reject set references in set elements

given

table filter {
  set local {
    type iface_index
    elements = { lo }
  }
  chain input {
    type filter hook input priority 0;
    iif { @lan, } accept;
  }
}

nft BUG()s.  I don't see how we could support sets-in-set; add a sanity
check and error out instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index ed78896a093ea55d326ef4c99bb1a11a6c78dce0..a49cdd9337e1b3b603cc0f8f0ac9c5d65f8a23a6 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -920,6 +920,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
                if (list_member_evaluate(ctx, &i) < 0)
                        return -1;
 
+               if (i->ops->type == EXPR_SET_ELEM &&
+                   i->key->ops->type == EXPR_SET_REF)
+                       return expr_error(ctx->msgs, i,
+                                         "Set reference cannot be part of another set");
+
                if (!expr_is_constant(i))
                        return expr_error(ctx->msgs, i,
                                          "Set member is not constant");