Re: Problem with iptables-translate and tcp flags match

Hi,

On Fri, Nov 25, 2016 at 10:50:17PM +0100, Phil Sutter wrote:
> Hi,
> 
> I have a problem which exposes bugs in both iptables-translate and nft
> and am a bit at a loss with it. But first things first:
> 
> | $ iptables-translate -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> | nft add rule ip filter INPUT tcp flags & fin|syn == fin|syn counter drop
> 
> This only appears to be fine at first glance. When adding the nftables
> rule, the outcome is this:
> 
> | tcp flags & (fin | syn) | fin == fin | syn counter packets 0 bytes 0
> 
> Of course, this is obviously wrong. Looking at the output of
> iptables-translate again, it becomes clear that nftables can only
> interpret this the wrong way, categorically because binary AND takes
> precedence over binary OR - so iptables-translate is broken in that it
> should add parentheses like so:
> 
> | nft add rule ip filter INPUT tcp flags & (fin|syn) == fin|syn counter drop
> 
> And indeed this leads to expected results in nftables ruleset. On the
> other hand what nftables interprets the wrong statement into looks a bit
> fishy as well, but that's another topic - my issue with nftables is
> exposed when I apply my quick hack to resolve this, which is to just
> output the missing parentheses in print_tcp_xlate(): iptables-translate
> then outputs the following:
> 
> | nft add rule ip filter INPUT tcp flags & (fin|syn) == (fin|syn) counter drop
> 
> But nftables in return rejects it:
> 
> | <cmdline>:1:45-45: Error: syntax error, unexpected '('
> | add rule ip filter INPUT tcp flags & (syn|fin) == (syn|fin) counter
> |                                                   ^
> 
> The error message is emitted by the parser (which I am still at war
> with) and in my opinion it should allow the parentheses on the right
> side of that relational expression.
> 
> So here's a number of question marks for you:
> * Am I on the right track with adding parentheses to iptables-translate
>   output at all?
> * If so, where would I adjust parser_bison.y to allow for them? Maybe
>   rhs_expr should be extended to allow for it, but it's so generic I'm
>   afraid of side-effects. Or is the better way to add another case to
>   relational_expr which explicitly mentions the parentheses around
>   rhs_expr?

There used to be parens there indeed, but this got removed when
rhs_expr was introduced. If you look at old nftables releases you
should find it there (well, not exactly in rhs_expr since that was
added recently). So my first suggestion is to restore this in the way
this was before.
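The precedence point Phil makes above, as an added example that is not part of this thread or of the iptables/nftables code: a small Python evaluator that applies the `&`-over-`|` precedence (with the relational `==` lowest) to the two rule strings from the thread and checks them against constructed packet flag bytes. It models only that precedence rule, not nft's real parser, whose output for the unparenthesized rule the thread already notes looks fishy; the flag names and bit values are the standard TCP header layout.

```python
import re

# TCP flag bits, same layout as the TCP header flag byte (constructed for the demo).
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
# Binding strength, higher binds tighter: '&' over '|', the relational '==' lowest.
PREC = {"==": 1, "|": 2, "&": 3}

def evaluate(expr, flag_byte):
    """Evaluate an nft-style flag match (e.g. 'tcp flags & (fin|syn) == fin|syn')
    against a packet's TCP flag byte, using precedence climbing."""
    toks, pos = re.findall(r"==|[&|()]|[a-z]+|\d+", expr), 0

    def primary():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            val = binary(1)
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return val
        if tok == "tcp" and toks[pos:pos + 1] == ["flags"]:  # the packet's flag byte
            pos += 1
            return flag_byte
        return FLAGS[tok] if tok in FLAGS else int(tok)

    def binary(min_prec):
        nonlocal pos
        lhs = primary()
        while pos < len(toks) and toks[pos] in PREC and PREC[toks[pos]] >= min_prec:
            op, pos = toks[pos], pos + 1
            rhs = binary(PREC[op] + 1)  # right side only absorbs tighter-binding ops
            lhs = lhs & rhs if op == "&" else lhs | rhs if op == "|" else int(lhs == rhs)
        return lhs

    result = binary(1)
    if pos != len(toks):
        raise ValueError("unexpected trailing tokens")
    return bool(result)

def matches(expr, flag_names):
    """Does the rule expression match a packet carrying exactly these flags?"""
    return evaluate(expr, sum(FLAGS[name] for name in flag_names))

AS_TRANSLATED = "tcp flags & fin|syn == fin|syn"    # what iptables-translate printed
WITH_PARENS = "tcp flags & (fin|syn) == fin|syn"    # Phil's parenthesized form

if __name__ == "__main__":
    for pkt in (["syn"], ["fin", "ack"], ["fin", "syn"]):
        print(pkt, "translated:", matches(AS_TRANSLATED, pkt), "fixed:", matches(WITH_PARENS, pkt))
```

Under that precedence the unparenthesized form groups as `(tcp flags & fin) | syn == fin|syn`, which is true for any packet with FIN set, so a FIN,ACK segment would be dropped by the translated rule but not by the original `--tcp-flags FIN,SYN FIN,SYN`.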