From: Pablo Neira Ayuso Date: Thu, 20 Feb 2025 16:55:15 +0000 (+0100) Subject: evaluate: auto-merge is only available for singleton interval sets X-Git-Tag: v1.1.2~81 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=65382b888e266e2e3d49a418073fd76dcc4815a7;p=thirdparty%2Fnftables.git evaluate: auto-merge is only available for singleton interval sets auto-merge is only available to interval sets with one value only, untoggle this flag for concatenation with intervals. Later, this can be hardened to reject it. Fixes: 30f667920601 ("src: add 'auto-merge' option to sets") Signed-off-by: Pablo Neira Ayuso --- diff --git a/src/evaluate.c b/src/evaluate.c index 3cf58d85..ddc46754 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -5041,6 +5041,9 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) sizeof(set->desc.field_len)); set->desc.field_count = set->key->field_count; set->flags |= NFT_SET_CONCAT; + + if (set->automerge) + set->automerge = false; } if (set_is_anonymous(set->flags) && set->key->etype == EXPR_CONCAT) {
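Review bot: The added block at the end of the concatenation branch in set_evaluate() clears set->automerge silently, so a ruleset that declares auto-merge on a concatenated set is accepted with no indication that the option was dropped. The commit message says this can later be hardened to reject it; until then, a short comment above the assignment stating that auto-merge only applies to single-value interval sets would document why the flag is reset here. The "if (set->automerge)" guard is also redundant, since an unconditional "set->automerge = false;" has the same effect. No test change is visible in this diff; a case that declares auto-merge on a concatenation with intervals would pin the new behaviour.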