Re: [PATCH nft] evaluate: fix assertion failure with malformed map definitions

TLDR; patch is fine with me.

Reviewed-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

On Thu, Mar 20, 2025 at 02:33:05PM +0100, Florian Westphal wrote:
> diff --git a/tests/shell/testcases/bogons/nft-f/malformed_map_expr_evaluate_mapping_assert b/tests/shell/testcases/bogons/nft-f/malformed_map_expr_evaluate_mapping_assert
> new file mode 100644
> index 000000000000..c77a9c33e0ad
> --- /dev/null
> +++ b/tests/shell/testcases/bogons/nft-f/malformed_map_expr_evaluate_mapping_assert
> @@ -0,0 +1,6 @@
> +table ip x {
> +        map m {
> +                typeof ct saddr :ct expectation

Longer story: This declaration is "correct".

Actually, ct saddr is broken because it is ambiguous, it is there in
the parser for "backwards compatibility", IIRC it can be only used
sanely from rules, ie. ct saddr cannot be used from set/map,
ct original ip saddr should be used instead.

The problem with ct saddr is that length depends on the context, and
having a key with variable size is problematic, the assumption here is
that all keys have fixed size.

> +                elements = { * : none}
> +        }
> +}
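Review bot: the new bogon file records nothing about what it exercises; the filename encodes "evaluate_mapping_assert", but the file itself does not say that `typeof ct saddr` as a map key (rather than `ct original ip saddr`) is the trigger, so a one-line `#` comment at the top of the file stating that would help whoever touches this test next. Minor style point on the same line: `:ct expectation` lacks the space before `ct` that the reply's variant uses; if the spacing is incidental rather than part of the reproducer, normalize it to `: ct expectation`.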

This variant bails out correctly:

table ip x {
        map m {
                typeof ct original ip saddr : ct expectation
                elements = { * : none}
        }
}

/tmp/k:4:30-30: Error: Could not process rule: No such file or directory
                elements = { * : none}

because "none" ct expectation object does not exist.
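For contrast with the two variants above, an added example (not part of the original thread or of the nft patch) of the same map written so that it loads: the key uses the fixed-size `ct original ip saddr`, and the map points at a ct expectation object that is actually declared. The object name `e`, the expectation parameters, the element address and the chain are constructed values for illustration.

```nft
# Added example, not from the original thread: the map in the bogon
# test, written so that nft accepts it.
table ip x {
	# The object the map refers to must exist; "none" in the thread
	# did not, hence the "No such file or directory" error.
	ct expectation e {
		protocol tcp
		dport 5432
		timeout 1h
		size 12
		l3proto ip
	}

	map m {
		# "ct original ip saddr" has a fixed length (ipv4_addr);
		# "ct saddr" does not, which is why it cannot be a map key.
		typeof ct original ip saddr : ct expectation
		elements = { 192.0.2.1 : "e" }
	}

	chain c {
		type filter hook prerouting priority 0; policy accept;
		# Look the expectation up by the same key the map declares.
		ct expectation set ct original ip saddr map @m
	}
}
```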
