Restrict this, the brackets have explicit semantics since they tell the
kernel to represent this value as a set, which is too costly. Set for
one single element are overkill.
# nft add rule x y ct state { established } counter
Error: anonymous set with single element makes no sense, remove brackets
wrapping this value
add rule x y ct state { established } counter
^^^^^^^^^^^^^^^
Instead, the preferred way to express this is:
# nft add rule x y ct state established counter
Signed-off-by: Pablo Neira Ayuso <[email protected]>
---
I know this may break stuff outthere, but probably it's still early to
fix this. If we keep allowing this and transparently turn this into a
value, people will likely never understand the bracket semantics.
Brackets are not just syntaxic sugar.
src/evaluate.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 3a3f2468c826..aa42c69127a2 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1253,8 +1253,11 @@ static int expr_evaluate_set_elem(struct eval_ctx *ctx,
struct expr **expr)
static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr)
{
struct expr *set = *expr, *i, *next;
+ unsigned int count = 0;
list_for_each_entry_safe(i, next, &set->expressions, list) {
+ count++;
+
if (list_member_evaluate(ctx, &i) < 0)
return -1;
@@ -1288,6 +1291,11 @@ static int expr_evaluate_set(struct eval_ctx *ctx,
struct expr **expr)
set->set_flags |= NFT_SET_INTERVAL;
}
+ if (set->flags & NFT_SET_ANONYMOUS &&
+ count == 1)
+ return expr_error(ctx->msgs, set,
+ "anonymous set with one single element makes
no sense, remove brackets wrapping this value");
+
set->set_flags |= NFT_SET_CONSTANT;
set->dtype = ctx->ectx.dtype;
--
2.11.0
