From: Pablo Neira Ayuso Date: Wed, 12 Oct 2022 10:50:26 +0000 (+0200) Subject: netlink_delinearize: do not transfer binary operation to non-anonymous sets X-Git-Tag: v1.0.6~32 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4dbfa17097512b6b88805299223f93e90a072ea6;p=thirdparty%2Fnftables.git netlink_delinearize: do not transfer binary operation to non-anonymous sets Michael Braun says: This results for nft list ruleset in nft: netlink_delinearize.c:1945: binop_adjust_one: Assertion `value->len >= binop->right->len' failed. This is due to binop_adjust_one setting value->len to left->len, which is shorther than right->len. Additionally, it does not seem correct to alter set elements from parsing a rule, so remove that part all together. Reported-by: Michael Braun Signed-off-by: Pablo Neira Ayuso --- diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index e8b9724c..828ad12d 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -2228,6 +2228,9 @@ static void binop_adjust(const struct expr *binop, struct expr *right, binop_adjust_one(binop, right, shift); break; case EXPR_SET_REF: + if (!set_is_anonymous(right->set->flags)) + break; + list_for_each_entry(i, &right->set->init->expressions, list) { switch (i->key->etype) { case EXPR_VALUE: diff --git a/tests/shell/testcases/sets/dumps/typeof_sets_1.nft b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft new file mode 100644 index 00000000..89cbc835 --- /dev/null +++ b/tests/shell/testcases/sets/dumps/typeof_sets_1.nft @@ -0,0 +1,15 @@ +table bridge t { + set nodhcpvlan { + typeof vlan id + elements = { 1 } + } + + chain c1 { + vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2 + vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2 + vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2 + } + + chain c2 { + } +} diff --git a/tests/shell/testcases/sets/typeof_sets_1 b/tests/shell/testcases/sets/typeof_sets_1 new file mode 100755 index 00000000..e520270c --- /dev/null +++ b/tests/shell/testcases/sets/typeof_sets_1 @@ -0,0 +1,22 @@ +#!/bin/bash + +# regression test for corner case in netlink_delinearize + +EXPECTED="table bridge t { + set nodhcpvlan { + typeof vlan id + elements = { 1 } + } + + chain c1 { + vlan id != @nodhcpvlan vlan type arp counter packets 0 bytes 0 jump c2 + vlan id != @nodhcpvlan vlan type ip counter packets 0 bytes 0 jump c2 + vlan id != { 1, 2 } vlan type ip6 counter packets 0 bytes 0 jump c2 + } + + chain c2 { + } +}" + +set -e +$NFT -f - <<< $EXPECTED