Before this patch:
table ip x {
chain y {
ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1 }
}
}
results in:
table ip x {
chain y {
ip saddr { 1.1.1.1 }
}
}
due to incorrect interval merge logic.
If the element 1.1.1.1 is already contained in an existing interval
1.1.1.1-1.1.1.2, release it.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1512
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
ei = lei;
goto err;
}
+ /* single element contained in an existing interval */
+ if (mpz_cmp(new->left, new->right) == 0) {
+ ei_destroy(new);
+ goto out;
+ }
+
/*
* The new interval is entirely contained in the same interval,
* split it into two parts:
}
__ei_insert(tree, new);
-
+out:
mpz_clear(p);
return 0;
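Review bot: The early exit at `if (mpz_cmp(new->left, new->right) == 0)` covers only the width-1 case; an added range that exactly equals the containing interval, or a proper sub-range of it, still takes the split path described in the comment just below, and nothing in this hunk shows that path produces a sensible result for a duplicated range. Either a comment stating why only the single-element case is dropped here, or a second reproducer next to the new shell test (e.g. `ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1-1.1.1.2 }`), would pin that down. The element is destroyed silently, so I would extend the new comment to say so and to record the ownership assumption: `/* single element already covered by the existing interval: nothing to split, drop it (caller must not use new after this) */`. The enclosing function and the condition guarding this branch start outside the hunk; from the `ei = lei; goto err;` context it looks like the non-merging path has already errored out before this point, but that is inferred, not visible.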
--- /dev/null
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ chain y {
+ ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.1 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
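Review bot: `$NFT -f - <<< $RULESET` relies on NFT being set by the harness; when it is empty the line degrades to `-f -` and `set -e` aborts with a confusing "command not found" rather than a clear message. A one-line guard after `set -e`, `: "${NFT:?NFT must point to the nft binary}"`, makes that failure explicit. Quoting the here-string as `<<< "$RULESET"` also keeps the script predictable across bash versions, where the treatment of the unquoted word has varied. Whether the harness exports NFT is not visible on this page.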
--- /dev/null
+table ip x {
+ chain y {
+ ip saddr { 1.1.1.1-1.1.1.2 }
+ }
+}