given
table filter {
	set local {
		type iface_index
		elements = { lo }
	}
	chain input {
		type filter hook input priority 0;
		iif { @lan, } accept;
	}
}
nft BUG()s. I don't see how we could support sets-in-set; add a sanity
check and error out instead.
Signed-off-by: Florian Westphal <[email protected]>
---
src/evaluate.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index ed78896..a49cdd9 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -920,6 +920,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct
expr **expr)
if (list_member_evaluate(ctx, &i) < 0)
return -1;
+ if (i->ops->type == EXPR_SET_ELEM &&
+ i->key->ops->type == EXPR_SET_REF)
+ return expr_error(ctx->msgs, i,
+ "Set reference cannot be part of
another set");
+
if (!expr_is_constant(i))
return expr_error(ctx->msgs, i,
"Set member is not constant");
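Review bot: the new check at the top of the hunk only inspects the element's immediate key (`i->key->ops->type == EXPR_SET_REF`), so a set reference nested one level deeper inside a compound key would not be caught by this test and would continue on to the existing constant check below; either walk the key expression or state in the commit message that only the direct case is rejected. The reproducer quoted in the commit message is a good candidate for a negative test, so the error path stays covered once the BUG() is gone.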
--
2.4.10