evaluate: bail out with concatenations and singleton values

The rule:

 # nft add rule x y iifname . oifname p . q

is equivalent to:

 # nft add rule x y iifname p oifname q

Bail out with:

 Error: Use concatenations with sets and maps, not singleton values
 add rule x y iifname . oifname p . q
              ^^^^^^^^^^^^^^^^^ ~~~~~

instead of:

 BUG: invalid expression type concat
 nft: evaluate.c:1916: expr_evaluate_relational: Assertion `0' failed.
 Aborted

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 9290c6ff39ef4caeb5e67dd3f3a90b6cc33671c4..1f56dae5ec139447ef4372b030cfdf6d5e3a8dec 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1912,6 +1912,10 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
                            byteorder_conversion(ctx, &rel->left, BYTEORDER_BIG_ENDIAN) < 0)
                                return -1;
                        break;
+               case EXPR_CONCAT:
+                       return expr_binary_error(ctx->msgs, left, right,
+                                                "Use concatenations with sets and maps, not singleton values");
+                       break;
                default:
                        BUG("invalid expression type %s\n", expr_name(right));
                }