[PATCH nft 1/2] segtree: remove dummy debug_octx

[PATCH nft 1/2] segtree: remove dummy debug_octx

[Pablo Neira Ayuso]

Fixes a crash with --debug=segtree.

Fixes: 35f6cd327c2e ("src: Pass stateless, numeric, ip2name and handle variables as structure members.")
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/expression.h | 3 ++-
 src/rule.c           | 9 ++++++---
 src/segtree.c        | 6 ++----
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/include/expression.h b/include/expression.h
index b681b67f96f4..6d72f64c4fea 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -455,7 +455,8 @@ extern struct expr *set_expr_alloc(const struct location *loc,
 				   const struct set *set);
 extern int set_to_intervals(struct list_head *msgs, struct set *set,
 			    struct expr *init, bool add,
-			    unsigned int debug_mask, bool merge);
+			    unsigned int debug_mask, bool merge,
+			    struct output_ctx *octx);
 extern void interval_map_decompose(struct expr *set);
 
 extern struct expr *get_set_intervals(const struct set *set,
diff --git a/src/rule.c b/src/rule.c
index a3b2dbdb98a3..dc75c7cd5fb0 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1445,7 +1445,8 @@ static int do_add_setelems(struct netlink_ctx *ctx, struct cmd *cmd,
 
 	if (set->flags & NFT_SET_INTERVAL &&
 	    set_to_intervals(ctx->msgs, set, init, true,
-			     ctx->nft->debug_mask, set->automerge) < 0)
+			     ctx->nft->debug_mask, set->automerge,
+			     &ctx->nft->output) < 0)
 		return -1;
 
 	return __do_add_setelems(ctx, set, init, flags);
@@ -1459,7 +1460,8 @@ static int do_add_set(struct netlink_ctx *ctx, const struct cmd *cmd,
 	if (set->init != NULL) {
 		if (set->flags & NFT_SET_INTERVAL &&
 		    set_to_intervals(ctx->msgs, set, set->init, true,
-				     ctx->nft->debug_mask, set->automerge) < 0)
+				     ctx->nft->debug_mask, set->automerge,
+				     &ctx->nft->output) < 0)
 			return -1;
 	}
 	if (mnl_nft_set_add(ctx, cmd, flags) < 0)
@@ -1556,7 +1558,8 @@ static int do_delete_setelems(struct netlink_ctx *ctx, struct cmd *cmd)
 
 	if (set->flags & NFT_SET_INTERVAL &&
 	    set_to_intervals(ctx->msgs, set, expr, false,
-			     ctx->nft->debug_mask, set->automerge) < 0)
+			     ctx->nft->debug_mask, set->automerge,
+			     &ctx->nft->output) < 0)
 		return -1;
 
 	if (mnl_nft_setelem_del(ctx, cmd) < 0)
diff --git a/src/segtree.c b/src/segtree.c
index e5dfd413ef83..ecf564e5fa07 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -67,8 +67,6 @@ struct elementary_interval {
 	struct expr			*expr;
 };
 
-static struct output_ctx debug_octx = {};
-
 static void seg_tree_init(struct seg_tree *tree, const struct set *set,
 			  struct expr *init, unsigned int debug_mask)
 {
@@ -567,7 +565,7 @@ static void set_insert_interval(struct expr *set, struct seg_tree *tree,
 
 int set_to_intervals(struct list_head *errs, struct set *set,
 		     struct expr *init, bool add, unsigned int debug_mask,
-		     bool merge)
+		     bool merge, struct output_ctx *octx)
 {
 	struct elementary_interval *ei, *next;
 	struct seg_tree tree;
@@ -590,7 +588,7 @@ int set_to_intervals(struct list_head *errs, struct set *set,
 	}
 
 	if (segtree_debug(tree.debug_mask)) {
-		expr_print(init, &debug_octx);
+		expr_print(init, octx);
 		pr_gmp_debug("\n");
 	}
 
-- 
2.11.0

[PATCH nft 2/2] segtree: add missing non-matching segment to set in flat representation

[Pablo Neira Ayuso]

 # cat test.nft
 add set x y { type ipv4_addr; }
 add element x y { 10.0.24.0/24 }
 # nft -f test.nft
 # nft delete element x y { 10.0.24.0/24 }

bogusly return -ENOENT. The closing segment (0.0.0.0 with end flag set
on ) is not added to the set in the example above.

This patch also adds a test to catch this case.

Fixes: 4935a0d561b5 ("segtree: special handling for the first non-matching segment")
Reported-by: Václav Zindulka <vaclav.zindulka@tlapnet.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/segtree.c                                          |  9 ++++++---
 tests/shell/testcases/sets/0035add_set_elements_flat_0 | 10 ++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100755 tests/shell/testcases/sets/0035add_set_elements_flat_0

diff --git a/src/segtree.c b/src/segtree.c
index ecf564e5fa07..8034525fb80b 100644
--- a/src/segtree.c
+++ b/src/segtree.c
@@ -430,16 +430,19 @@ static bool segtree_needs_first_segment(const struct set *set,
 					const struct expr *init, bool add)
 {
 	if (add) {
-		/* Add the first segment in three situations:
+		/* Add the first segment in four situations:
 		 *
 		 * 1) This is an anonymous set.
 		 * 2) This set exists and it is empty.
-		 * 3) This set is created with a number of initial elements.
+		 * 3) New empty set and, separately, new elements are added.
+		 * 4) This set is created with a number of initial elements.
 		 */
 		if ((set->flags & NFT_SET_ANONYMOUS) ||
 		    (set->init && set->init->size == 0) ||
-		    (set->init == init))
+		    (set->init == NULL && init) ||
+		    (set->init == init)) {
 			return true;
+		}
 	} else {
 		/* If the set is empty after the removal, we have to
 		 * remove the first non-matching segment too.
diff --git a/tests/shell/testcases/sets/0035add_set_elements_flat_0 b/tests/shell/testcases/sets/0035add_set_elements_flat_0
new file mode 100755
index 000000000000..d914ba9846ca
--- /dev/null
+++ b/tests/shell/testcases/sets/0035add_set_elements_flat_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+RULESET="add table ip x
+add set x y {type ipv4_addr; flags interval;}
+add element x y { 10.0.24.0/24 }
+"
+
+set -e
+$NFT -f - <<< "$RULESET"
+$NFT delete element x y { 10.0.24.0/24 }
-- 
2.11.0