When evaluating the list of devices, two expressions are possible: - EXPR_LIST, which is the expected expression type to store the list of chain/flowtable devices. - EXPR_SET, in case that a variable is used to express the device list. This is because it is not possible to know if the variable defines set elements or devices. Since sets are more common, EXPR_SET is used. In the latter case, this list expressed as EXPR_SET gets translated to EXPR_LIST. Before such translation, the EXPR_VARIABLE is evaluated, therefore all variables are gone and only EXPR_SET_ELEM are possible in expr_set_to_list(). Remove the EXPR_VALUE and EXPR_VARIABLE cases in expr_set_to_list() since those are never seen. Add BUG() in case any other expressions than EXPR_SET_ELEM is seen. Signed-off-by: Pablo Neira Ayuso --- This can be postponed after 1.1.5 including the JSON regression fix is released. src/evaluate.c | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index aaeb7b4e18d4..a2ca3aaea35c 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -5460,27 +5460,13 @@ static struct expr *expr_set_to_list(struct eval_ctx *ctx, struct expr *dev_expr list_del(&expr->list); switch (expr->etype) { - case EXPR_VARIABLE: - expr_set_context(&ctx->ectx, &ifname_type, - IFNAMSIZ * BITS_PER_BYTE); - if (!evaluate_expr_variable(ctx, &expr)) - return false; - - if (expr->etype == EXPR_SET) { - expr = expr_set_to_list(ctx, expr); - list_splice_init(&expr_list(expr)->expressions, &tmp); - expr_free(expr); - continue; - } - break; case EXPR_SET_ELEM: key = expr_clone(expr->key); expr_free(expr); expr = key; break; - case EXPR_VALUE: - break; default: + BUG("invalid expression type %s\n", expr_name(expr)); break; } -- 2.30.2 Expand test with flowtable devices defined with variables to improve coverage. 
Signed-off-by: Pablo Neira Ayuso --- .../flowtable/0012flowtable_variable_0 | 34 ++++++++++++++++++ .../dumps/0012flowtable_variable_0.json-nft | 36 +++++++++++++++++++ .../dumps/0012flowtable_variable_0.nft | 14 ++++++++ 3 files changed, 84 insertions(+) diff --git a/tests/shell/testcases/flowtable/0012flowtable_variable_0 b/tests/shell/testcases/flowtable/0012flowtable_variable_0 index ff35548ed854..71d2638b4976 100755 --- a/tests/shell/testcases/flowtable/0012flowtable_variable_0 +++ b/tests/shell/testcases/flowtable/0012flowtable_variable_0 @@ -9,14 +9,20 @@ ft_deldev() { } iface_cleanup() { + ip link del dummy0 &>/dev/null || : ip link del dummy1 &>/dev/null || : if [ "$NFT_TEST_HAVE_ifname_based_hooks" = y ]; then ft_deldev filter1 Main_ft1 dummy1 ft_deldev filter2 Main_ft2 dummy1 + ft_deldev filter3 Main_ft3 dummy0 + ft_deldev filter3 Main_ft3 dummy1 + ft_deldev filter4 Main_ft4 dummy0 + ft_deldev filter4 Main_ft4 dummy1 fi } trap 'iface_cleanup' EXIT +ip link add name dummy0 type dummy ip link add name dummy1 type dummy EXPECTED="define if_main = { lo, dummy1 } @@ -42,3 +48,31 @@ table filter2 { }" $NFT -f - <<< $EXPECTED + +RULESET="define var1 = \"dummy0\" +define var2 = { dummy1 } +define var3 = { lo, \$var1, \$var2 } + +table filter3 { + flowtable Main_ft3 { + hook ingress priority filter + counter + devices = { \$var3 } + } +}" + +$NFT -f - <<< $RULESET + +RULESET="define var1 = \"dummy0\" +define var2 = { dummy1 } +define var3 = { lo, \$var1, \$var2 } + +table filter4 { + flowtable Main_ft4 { + hook ingress priority filter + counter + devices = \$var3 + } +}" + +$NFT -f - <<< $RULESET diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft index 10f1df98874a..70f039fafbed 100644 --- a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.json-nft 
@@ -42,6 +42,42 @@ "prio": 0, "dev": "lo" } + }, + { + "table": { + "family": "ip", + "name": "filter3", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "Main_ft3", + "table": "filter3", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } + }, + { + "table": { + "family": "ip", + "name": "filter4", + "handle": 0 + } + }, + { + "flowtable": { + "family": "ip", + "name": "Main_ft4", + "table": "filter4", + "handle": 0, + "hook": "ingress", + "prio": 0, + "dev": "lo" + } } ] } diff --git a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft index 7863822d754b..b598420a3451 100644 --- a/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft +++ b/tests/shell/testcases/flowtable/dumps/0012flowtable_variable_0.nft @@ -12,3 +12,17 @@ table ip filter2 { counter } } +table ip filter3 { + flowtable Main_ft3 { + hook ingress priority filter + devices = { "lo" } + counter + } +} +table ip filter4 { + flowtable Main_ft4 { + hook ingress priority filter + devices = { "lo" } + counter + } +} -- 2.30.2
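Review bot: in the src/evaluate.c hunk, the new default branch of the switch in expr_set_to_list() calls BUG() and is still followed by a `break;` that no longer serves a purpose, and the invariant that makes the BUG() safe is stated only in the commit message. This function processes device lists that originate from a user-supplied ruleset, so if the assumption is ever wrong the result is an abort of nft on input. A short comment above the switch saying that variables have already been evaluated and only EXPR_SET_ELEM can remain would document that for the next reader. With a single real case left, the switch could also be reduced to a check for expr->etype != EXPR_SET_ELEM followed by the key clone.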
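Review bot: in the tests/shell/testcases/flowtable/0012flowtable_variable_0 hunk that adds the filter3 and filter4 rulesets, nothing verifies that dummy0 and dummy1 from \$var1 and \$var2 actually reach the flowtable device list. Both dump files in this patch record only `devices = { "lo" }` and `"dev": "lo"`, so the test would still pass if the nested variables were dropped during expansion, as long as the load itself succeeds. Consider listing Main_ft3 and Main_ft4 right after each `$NFT -f - <<< $RULESET` and checking for all three device names before the EXIT trap runs iface_cleanup. The two RULESET strings also differ only in `devices = { \$var3 }` versus `devices = \$var3`, so the three define lines could be shared between them.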