[PATCH nft] src: avoid erroneous assert with map+concat

Phil reported the following assert:

add rule ip6 f o mark set ip6 saddr . ip6 daddr . tcp dport \
                        map { dead::beef . f00::. 22 : 1 }
nft: netlink_linearize.c:655: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.

This happens because "mark set" will allocate one register (the dreg),
but netlink_gen_concat_expr will populate a lot more register space if
the concat expression strings a lot of expressions together.

As the assert is useful, pseudo-reserve the register space as per
concat->len and undo after generating the expressions.

Reported-by: Phil Sutter <phil@xxxxxx>
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/netlink_linearize.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 1c06fc0..716e962 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -241,6 +241,7 @@ static void netlink_gen_map(struct netlink_linearize_ctx *ctx,
 			    const struct expr *expr,
 			    enum nft_registers dreg)
 {
+	int dreg_low = ctx->reg_low;
 	struct nftnl_expr *nle;
 	enum nft_registers sreg;
 
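Review bot: `dreg_low` at the top of netlink_gen_map() reads as something derived from the `dreg` parameter, but it holds a saved copy of `ctx->reg_low`; a name such as `saved_reg_low` would make the save/restore pair in the next hunk easier to follow. It is declared `int`, and the declaration of `ctx->reg_low` is not visible in this patch, so give it the same type as that field to avoid a signed/unsigned mismatch when the value is written back.
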
@@ -251,7 +252,10 @@ static void netlink_gen_map(struct netlink_linearize_ctx *ctx,
 	else
 		sreg = dreg;
 
+	/* suppress assert in netlink_gen_expr */
+	ctx->reg_low += netlink_register_space(expr->map->len);
 	netlink_gen_expr(ctx, expr->map, sreg);
+	ctx->reg_low = dreg_low;
 
 	nle = alloc_nft_expr("lookup");
 	netlink_put_register(nle, NFTNL_EXPR_LOOKUP_SREG, sreg);
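Review bot: The `ctx->reg_low += netlink_register_space(expr->map->len);` line raises `reg_low` for every map key, in both the `sreg = dreg` branch and the branch above it, and nothing in the lines shown checks that the raised value still fits the available register space, so the assert in netlink_gen_expr is silenced rather than backed by a real bound. The comment `/* suppress assert in netlink_gen_expr */` should say why the bump is safe (the concat writes `expr->map->len` worth of registers starting at `sreg`), and an explicit check on the pseudo-reserved range would keep an oversized concat from passing unnoticed. The diffstat touches only src/netlink_linearize.c; the rule from the report (`ip6 saddr . ip6 daddr . tcp dport map { ... }`) would make a good regression test alongside this change.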
-- 
2.14.3
