evaluate: only allow stateful statements in set and map definitions

commit 0acd81559ec9efe2cc3d869bfc8e5a0b4d888456 upstream.

The bison parser doesn't allow this to happen due to grammar
restrictions, but the json input has no such issues.

The bogon input assigns 'notrack' which triggers:
BUG: unknown stateful statement type 19
nft: src/netlink_linearize.c:1061: netlink_gen_stmt_stateful: Assertion `0' failed.

After patch, we get:
Error: map statement must be stateful

Fixes: 07958ec53830 ("json: add set statement list support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index f61c272c7f8eaaa51795c65c2b9d5680df60fb25..2b344abe8b674d17f0d84cae02629e90d25c3689 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -4899,8 +4899,11 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
        if (set->timeout)
                set->flags |= NFT_SET_TIMEOUT;
 
-       list_for_each_entry(stmt, &set->stmt_list, list)
+       list_for_each_entry(stmt, &set->stmt_list, list) {
+               if (stmt_evaluate_stateful(ctx, stmt,type) < 0)
+                       return -1;
                num_stmts++;
+       }
 
        if (num_stmts > 1)
                set->flags |= NFT_SET_EXPR;