evaluate: auto-merge is only available for singleton interval sets

commit 65382b888e266e2e3d49a418073fd76dcc4815a7 upstream.

auto-merge is only available to interval sets with one value only,
untoggle this flag for concatenation with intervals.

Later, this can be hardened to reject it.

Fixes: 30f667920601 ("src: add 'auto-merge' option to sets")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index 217c69289548c23ba785b50ae679b45c116f0d78..1578d440a767641dbbd3da7c569e9a24dfc5a83f 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4785,6 +4785,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
                       sizeof(set->desc.field_len));
                set->desc.field_count = set->key->field_count;
                set->flags |= NFT_SET_CONCAT;
+
+               if (set->automerge)
+                       set->automerge = false;
        }
 
        if (set_is_anonymous(set->flags) && set->key->etype == EXPR_CONCAT) {