The following ruleset that uses raw expressions:

 table ip nftlb {
        map persistency {
                type inet_service : mark
                size 65535
                timeout 1h
                elements = { 53 expires 59m55s864ms : 0x00000064, 80 expires 
59m58s924ms : 0x00000065, 443 expires 59m56s220ms : 0x00000064 }
        }

        chain pre {
                type filter hook prerouting priority filter; policy accept;
                ip protocol { tcp, udp } update @persistencia { @th,0,16 : 
numgen inc mod 2 offset 100 }
        }
 }

bogusly bails out with:

 /tmp/test:9:57-64: Error: datatype mismatch: expected internet network 
service, expression has type integer
         ip protocol { tcp, udp } update @persistencia { @th,0,16 : numgen inc 
mod 2 offset 100 }
                                  
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fix the problem by evaluating the expression's basetype and length in this case.

Reported-by: Laura Garcia <nev...@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
---
 src/evaluate.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index db49a18d0150..19d4b65bfa78 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1854,7 +1854,16 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, 
struct stmt *stmt,
        if (expr_evaluate(ctx, expr) < 0)
                return -1;
 
-       if (!datatype_equal((*expr)->dtype, dtype))
+       if ((*expr)->dtype->type == TYPE_INTEGER &&
+           ((*expr)->dtype->type != dtype->basetype->type ||
+            (*expr)->len != len))
+               return stmt_binary_error(ctx, *expr, stmt,
+                                        "datatype mismatch: expected %s, "
+                                        "expression has type %s with length 
%d",
+                                        dtype->desc, (*expr)->dtype->desc,
+                                        (*expr)->len);
+       else if ((*expr)->dtype->type != TYPE_INTEGER &&
+                !datatype_equal((*expr)->dtype, dtype))
                return stmt_binary_error(ctx, *expr, stmt,
                                         "datatype mismatch: expected %s, "
                                         "expression has type %s",
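Review bot: The new integer branch dereferences `dtype->basetype->type` without checking that the expected datatype has a basetype; the hunk does not show whether every caller of stmt_evaluate_arg passes a derived type, so a caller passing a plain base type would presumably turn a ruleset type error into a NULL dereference in the evaluator. Falling back to the type itself keeps the comparison meaningful, e.g. `const struct datatype *base = dtype->basetype ? dtype->basetype : dtype;` and then comparing against `base->type`. The new message also prints `(*expr)->len` with `%d` and never states the expected `len`, so a pure length mismatch is hard to diagnose; if `len` is unsigned, `%u` with both lengths (`"expression has type %s with length %u, expected length %u"`) would be clearer. The second stmt_binary_error call continues past the end of the hunk.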
-- 
2.11.0
