Message ID | 149579635553.24003.5991119396424133127.stgit@nfdev2.cica.es |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
On Fri, May 26, 2017 at 01:00:21PM +0200, Arturo Borrero Gonzalez wrote: > Prevent this assert: > > % nft [..] tcp dport set { 0 , 1 } > BUG: unknown expression type set reference > nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed. > Aborted > > We can't use a set here because we will not known which value to use. > > With this patch, a proper error message is reported to users: > > % nft add rule t c tcp dport set {1, 2, 3, 4, 5} > <cmdline>:1:28-42: Error: you cannot use a set here, unknown value to use > add rule t c tcp dport set {1, 2, 3, 4, 5} > ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^ > > % nft add rule t c tcp dport set @s > <cmdline>:1:28-29: Error: you cannot reference a set here, unknown value to use > add rule t c tcp dport set @s > ~~~~~~~~~~~~~~^^ > > This error is reported to all statements which set values. Applied, thanks Arturo. Probably you can add a test for this? It would be good to know what error nft reports in case of BUG: message, so we can distinguish between command error and assertion/bug. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/src/evaluate.c b/src/evaluate.c index 27cee98..095d3fa 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1759,6 +1759,21 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt, "datatype mismatch: expected %s, " "expression has type %s", dtype->desc, (*expr)->dtype->desc); + + /* we are setting a value, we can't use a set */ + switch ((*expr)->ops->type) { + case EXPR_SET: + return stmt_binary_error(ctx, (*expr), stmt, + "you cannot use a set here, unknown " + "value to use"); + case EXPR_SET_REF: + return stmt_binary_error(ctx, (*expr), stmt, + "you cannot reference a set here, " + "unknown value to use"); + default: + break; + } + return 0; }
Prevent this assert: % nft [..] tcp dport set { 0 , 1 } BUG: unknown expression type set reference nft: netlink_linearize.c:696: netlink_gen_expr: Assertion `0' failed. Aborted We can't use a set here because we will not known which value to use. With this patch, a proper error message is reported to users: % nft add rule t c tcp dport set {1, 2, 3, 4, 5} <cmdline>:1:28-42: Error: you cannot use a set here, unknown value to use add rule t c tcp dport set {1, 2, 3, 4, 5} ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^ % nft add rule t c tcp dport set @s <cmdline>:1:28-29: Error: you cannot reference a set here, unknown value to use add rule t c tcp dport set @s ~~~~~~~~~~~~~~^^ This error is reported to all statements which set values. Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org> --- v2: check all statements which set values as well src/evaluate.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html