On Fri, 3 Apr 2020 14:03:51 +0200 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:

> On Thu, Apr 02, 2020 at 11:49:41PM +0200, Pablo Neira Ayuso wrote:
> > This patch adds a lazy check to validate that the first element is not a
> > concatenation. The segtree code does not support concatenations,
> > bail out with EOPNOTSUPP.
> >
> > # nft add element x y { 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535 }
> > Error: Could not process rule: Operation not supported
> > add element x y { 10.0.0.0/8 . 192.168.1.3-192.168.1.9 . 1024-65535 }
> >                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > Otherwise, the segtree code barfs with:
> >
> > BUG: invalid range expression type concat
>
> Hm.
>
> I'm afraid this patch is not enough, the following ruleset crashes
> in old kernels with recent nft:
>
> flush ruleset
>
> table inet filter {
>         set test {
>                 type ipv4_addr . ipv4_addr . inet_service
>                 flags interval,timeout
>                 elements = { 1.1.1.1 . 2.2.2.2 . 30 ,
>                              2.2.2.2 . 3.3.3.3 . 40 ,
>                              3.3.3.3 . 4.4.4.4 . 50 }
>         }
>
>         chain output {
>                 type filter hook output priority 0; policy accept;
>                 ip saddr . ip daddr . tcp dport @test counter
>         }
> }

First off, sorry, it didn't occur to me to run new tests on older kernels. :/

I can't quickly run that on some older kernel right now. For my understanding, where is it crashing?

-- 
Stefano
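The ruleset quoted above combines two set properties, a concatenated key type (`ipv4_addr . ipv4_addr . inet_service`) and `flags interval`, that older kernels cannot handle together. The following is an added example, not code from the thread or from the nftables project: a small offline pre-flight check that parses nft ruleset text, records each set's type and flags, and lists the sets that would need concatenated-interval support before the ruleset is pushed to a kernel of unknown vintage. The brace-depth parser, the `SetDecl` class and the sample ruleset (extended with two constructed sets that should pass) are all assumptions of this example; it understands only the `set { type ...; flags ...; }` shape shown in the thread, not the whole nft grammar.

```python
"""Pre-flight check: find nft sets that mix concatenated keys with interval flags.

Added example, not part of the mailing-list thread or of nftables itself.
The parser is deliberately minimal and assumes the layout `nft list ruleset`
prints: one declaration per line, blocks delimited by `{` and `}`.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SetDecl:
    table: str
    name: str
    type_str: str = ""
    flags: List[str] = field(default_factory=list)

    @property
    def is_concat(self) -> bool:
        # nft writes concatenated key types as "a . b . c"; a lone "." token
        # between types is the marker (split() keeps it as its own token).
        return "." in self.type_str.split()

    @property
    def is_interval(self) -> bool:
        return "interval" in self.flags


def parse_sets(ruleset: str) -> List[SetDecl]:
    """Walk the ruleset line by line, tracking brace depth to find set blocks."""
    sets: List[SetDecl] = []
    table = "?"
    current: Optional[SetDecl] = None
    current_depth = 0
    depth = 0
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("table ") and line.endswith("{"):
            parts = line.split()
            # "table inet filter {" -> "inet filter"; "table x {" -> "x"
            table = " ".join(parts[1:-1])
        elif line.startswith("set ") and line.endswith("{"):
            current = SetDecl(table=table, name=line.split()[1])
            current_depth = depth
        elif current is not None:
            if line.startswith("type "):
                current.type_str = line[len("type "):].rstrip(";").strip()
            elif line.startswith("flags "):
                current.flags = [f.strip() for f in
                                 line[len("flags "):].rstrip(";").split(",")]
        depth += line.count("{") - line.count("}")
        # The set block is closed once depth falls back to where it opened;
        # nested "elements = { ... }" braces are absorbed by the same counter.
        if current is not None and depth == current_depth:
            sets.append(current)
            current = None
    return sets


def concat_interval_sets(ruleset: str) -> List[SetDecl]:
    """Sets that need concatenation *and* interval support at the same time."""
    return [s for s in parse_sets(ruleset) if s.is_concat and s.is_interval]


# Constructed sample: the set from the thread plus two that must not be flagged.
SAMPLE_RULESET = """
flush ruleset

table inet filter {
        set test {
                type ipv4_addr . ipv4_addr . inet_service
                flags interval,timeout
                elements = { 1.1.1.1 . 2.2.2.2 . 30 ,
                             2.2.2.2 . 3.3.3.3 . 40 ,
                             3.3.3.3 . 4.4.4.4 . 50 }
        }

        set plain_ranges {
                type ipv4_addr
                flags interval
                elements = { 10.0.0.0/8 }
        }

        set concat_exact {
                type ipv4_addr . inet_service
                elements = { 1.1.1.1 . 22 }
        }

        chain output {
                type filter hook output priority 0; policy accept;
                ip saddr . ip daddr . tcp dport @test counter
        }
}
"""

if __name__ == "__main__":
    for s in concat_interval_sets(SAMPLE_RULESET):
        print(f"set {s.name} in table {s.table}: concatenated interval set "
              f"({s.type_str}); requires kernel support for concat+interval")
```

Run against the sample it reports only `test`; `plain_ranges` (interval without concatenation) and `concat_exact` (concatenation without intervals) are left alone. Feed it `nft -s list ruleset` output, or a ruleset file, before loading on a host whose kernel is older than the nft binary.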