From: Florian Westphal <fw@strlen.de>
Date: Fri, 17 Oct 2025 11:38:34 +0000 (+0200)
Subject: evaluate: follow prefix expression recursively if needed
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=353140987c37540ed734f210d95d66b65caa5b47;p=thirdparty%2Fnftables.git

evaluate: follow prefix expression recursively if needed

Included bogons assert:
Assertion `!expr_is_constant(*expr) || expr_is_singleton(*expr)' failed

This is because the "foo*" + prefix combination causes expr_evaluate
to replace the binop + string expression with another prefix that
gets allocated while handling "foo*" (wildcard).

This causes expr_evaluate_prefix to build
a prefix -> prefix -> binop chain.

After this, we get:

Error: Right hand side of relational expression ((null)) must be constant
a b ct helper "2.2.2.2.3*1"/80
    ~~~~~~~~~~^^^^^^^^^^^^^^^^
Error: Binary operation (&) is undefined for prefix expressions
a b ct helper "2.2.2.****02"/80
              ^^^^^^^^^^^^^^^^^

for those inputs rather than hitting assert() in byteorder_conversion()
later on.

Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/src/evaluate.c b/src/evaluate.c
index ffd3ce62..b984ae4f 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1273,6 +1273,16 @@ static int expr_evaluate_prefix(struct eval_ctx *ctx, struct expr **expr)
 	if (expr_evaluate(ctx, &prefix->prefix) < 0)
 		return -1;
 	base = prefix->prefix;
+
+	/* expr_evaluate may simplify EXPR_AND to another
+	 * prefix expression for inputs like "2.2.2.2.3*1"/80.
+	 *
+	 * Recurse until all the expressions have been simplified.
+	 * This also gets us the error checks for the expression
+	 * chain.
+	 */
+	if (base->etype == EXPR_PREFIX)
+		return expr_evaluate_prefix(ctx, &prefix->prefix);
 	assert(expr_is_constant(base));
 
 	prefix->dtype	  = datatype_get(base->dtype);
diff --git a/tests/shell/testcases/bogons/nft-f/byteorder_conversion_assert b/tests/shell/testcases/bogons/nft-f/byteorder_conversion_assert
new file mode 100644
index 00000000..26c8914e
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/byteorder_conversion_assert
@@ -0,0 +1,2 @@
+a b ct helper "2.2.2.2.3*1"/80
+a b ct helper "2.2.2.****02"/80