Message ID | 1456764639-28299-1-git-send-email-fw@strlen.de
---|---
State | Accepted
Delegated to: | Pablo Neira
On Mon, Feb 29, 2016 at 05:50:39PM +0100, Florian Westphal wrote:
> given
>
> table filter {
>   set local {
>     type iface_index
>     elements = { lo }
>   }
>   chain input {
>     type filter hook input priority 0;
>     iif { @lan, } accept;
>   }
> }
>
> nft BUG()s. I don't see how we could support sets-in-set; add a sanity
> check and error out instead.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/src/evaluate.c b/src/evaluate.c index ed78896..a49cdd9 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -920,6 +920,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) if (list_member_evaluate(ctx, &i) < 0) return -1; + if (i->ops->type == EXPR_SET_ELEM && + i->key->ops->type == EXPR_SET_REF) + return expr_error(ctx->msgs, i, + "Set reference cannot be part of another set"); + if (!expr_is_constant(i)) return expr_error(ctx->msgs, i, "Set member is not constant");
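Review bot: the new check in expr_evaluate_set only rejects a set reference that arrives wrapped in an EXPR_SET_ELEM (`i->ops->type == EXPR_SET_ELEM && i->key->ops->type == EXPR_SET_REF`); if list_member_evaluate can leave a bare EXPR_SET_REF as a list member, that shape still falls through to the `expr_is_constant(i)` check below with the old behaviour. Consider also matching `i->ops->type == EXPR_SET_REF` directly, and since the commit message describes a BUG() on `iif { @lan, } accept`, a regression test asserting the new "Set reference cannot be part of another set" error for that ruleset would keep the crash from coming back.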
given

table filter {
  set local {
    type iface_index
    elements = { lo }
  }
  chain input {
    type filter hook input priority 0;
    iif { @lan, } accept;
  }
}

nft BUG()s. I don't see how we could support sets-in-set; add a sanity
check and error out instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/evaluate.c | 5 +++++
 1 file changed, 5 insertions(+)