Re: [nft RFC PATCH 6/6] src: add events reporting

On Tue, Feb 18, 2014 at 03:21:47PM +0100, Arturo Borrero Gonzalez wrote:
> On 18 February 2014 11:12, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> >
> > I'm actually not sure nft really could fail if the expression returned
> > from the kernel makes any sense at all.
> 
> I did a fast&small test.
> 
> What to do in the event reporting if this situation is reached?
> Nonsense rule added to the kernel:
> 
> ip filter input 0 0
>   [ cmp eq reg 1 0x00000006 ]
>   [ payload load 1b @ network header + 9 => reg 1 ]
>   [ payload load 2b @ transport header + 1 => reg 2 ]
>   [ counter pkts 0 bytes 0 ]
>   [ cmp eq reg 1 0x00001600 ]
> 
> % nft list table filter
> table ip filter {
>  [...]
> }
> netlink: Error: Relational expression has no left hand side
> 
> 
> netlink: Error: Relational expression size mismatch

Well, that's obviously a broken rule. There is no valid interpretation,
hence we don't need to display one. Reporting the error seems perfectly
fine to me, however event reporting shouldn't abort because of this.

Basically I think - netlink header and attribute parsing errors are
fine to exit. However just real parsing errors, not things like f.i.
unknown address families. Any error during interpretation of these
should only cause the error to be displayed, but nothing more.