[PATCH 1/4] evaluate: verify named map is actually a map

[PATCH 1/4] evaluate: verify named map is actually a map

[Patrick McHardy]

# nft add set filter test { type ipv4_addr; }
# nft filter input ip daddr vmap @test

Before:

<cmdline>:0:0-32: Error: Could not process rule: Invalid argument
filter input ip daddr vmap @test
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

After:

<cmdline>:1:28-32: Error: Expression is not a map
filter input ip daddr vmap @test
                           ^^^^^

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 src/evaluate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index d24d4cc..651465a 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -738,7 +738,8 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
 	case EXPR_SYMBOL:
 		if (expr_evaluate(ctx, &map->mappings) < 0)
 			return -1;
-		if (map->mappings->ops->type != EXPR_SET_REF)
+		if (map->mappings->ops->type != EXPR_SET_REF ||
+		    !(map->mappings->set->flags & NFT_SET_MAP))
 			return expr_error(ctx->msgs, map->mappings,
 					  "Expression is not a map");
 		break;
-- 
2.1.0

[PATCH 2/4] evaluate: properly set datatype of map expression

[Patrick McHardy]

The datatype of the map expression is the datatype of the mappings.

# nft add map filter test { type ipv4_addr : inet_service; }
# nft filter output mark set ip daddr map @test

Before:

<cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type IPv4 address
filter output mark set ip daddr map @test
              ~~~~~~~~~^^^^^^^^^^^^^^^^^^

After:

<cmdline>:1:24-41: Error: datatype mismatch: expected packet mark, expression has type internet network service
filter output mark set ip daddr map @test
              ~~~~~~~~~^^^^^^^^^^^^^^^^^^

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 src/evaluate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 651465a..2067a01 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -748,7 +748,7 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
 		    map->mappings->ops->name);
 	}
 
-	map->dtype = ctx->ectx.dtype;
+	map->dtype = map->mappings->set->datatype;
 	map->flags |= EXPR_F_CONSTANT;
 
 	/* Data for range lookups needs to be in big endian order */
-- 
2.1.0

[PATCH 3/4] evaluate: check that map expressions' datatype matches mappings

[Patrick McHardy]

Catch type errors in map expressions using named maps:

# nft add map filter test { type ipv4_addr : inet_service; }
# nft filter output mark set tcp dport map @test
<cmdline>:1:38-42: Error: datatype mismatch, map expects IPv4 address, mapping expression has type internet network service
filter output mark set tcp dport map @test
                       ~~~~~~~~~     ^^^^^

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 src/evaluate.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 2067a01..90c87d0 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -748,6 +748,13 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr)
 		    map->mappings->ops->name);
 	}
 
+	if (!datatype_equal(map->map->dtype, map->mappings->set->keytype))
+		return expr_binary_error(ctx->msgs, map->mappings, map->map,
+					 "datatype mismatch, map expects %s, "
+					 "mapping expression has type %s",
+					 map->mappings->set->keytype->desc,
+					 map->map->dtype->desc);
+
 	map->dtype = map->mappings->set->datatype;
 	map->flags |= EXPR_F_CONSTANT;
 
-- 
2.1.0

[PATCH 4/4] evaluate: use stmt_evaluate_arg() in all cases

[Patrick McHardy]

When using a symbolic vmap expression, we fail to verify that the map
actually contains verdicts.

Use stmt_evaluate_arg() everywhere to fix this.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 src/evaluate.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 90c87d0..a3484c6 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1135,8 +1135,7 @@ static int stmt_evaluate_arg(struct eval_ctx *ctx, struct stmt *stmt,
 
 static int stmt_evaluate_verdict(struct eval_ctx *ctx, struct stmt *stmt)
 {
-	expr_set_context(&ctx->ectx, &verdict_type, 0);
-	if (expr_evaluate(ctx, &stmt->expr) < 0)
+	if (stmt_evaluate_arg(ctx, stmt, &verdict_type, 0, &stmt->expr) < 0)
 		return -1;
 
 	switch (stmt->expr->ops->type) {
@@ -1625,8 +1624,8 @@ static int stmt_evaluate_redir(struct eval_ctx *ctx, struct stmt *stmt)
 static int stmt_evaluate_queue(struct eval_ctx *ctx, struct stmt *stmt)
 {
 	if (stmt->queue.queue != NULL) {
-		expr_set_context(&ctx->ectx, &integer_type, 16);
-		if (expr_evaluate(ctx, &stmt->queue.queue) < 0)
+		if (stmt_evaluate_arg(ctx, stmt, &integer_type, 16,
+				      &stmt->queue.queue) < 0)
 			return -1;
 		if (!expr_is_constant(stmt->queue.queue))
 			return expr_error(ctx->msgs, stmt->queue.queue,
-- 
2.1.0