Re: nft ct original oddity

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Simon Kirby <sim@xxxxxxxxxx> wrote:

[ moving to nf-devel ]

> I accidentally wrote "ct original" instead of "ct direction original",
> and this broke "nft list ruleset":
> 
> # nft add set filter myset '{ type ipv4_addr; }'
> # nft insert rule filter input ct original ip daddr @myset
> # nft list ruleset
> nft: netlink_delinearize.c:124: netlink_parse_concat_expr: Assertion `consumed > 0' failed.
> Abort

Indeed.

This will fix the immediate problem:

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -329,7 +329,7 @@ static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
                return netlink_error(ctx, loc,
                                     "Lookup expression has no left hand side");
 
-       if (left->len < set->key->len) {
+       if (left->len && left->len < set->key->len) {
                expr_free(left);
                left = netlink_parse_concat_expr(ctx, loc, sreg, set->key->len);
                if (left == NULL)

Pablo, the problem is that ct->key is NFT_CT_SRC, so expr->len is 0, so
we try to parse a concat expression.  Its not until the evaluation step
before we will figure out from context that SRC is asking for an ipv4
address and update the type and expression length.

AFAICS the plan was to stop using NFT_CT_SRC and use NFT_CT_SRC_IP(6)
instead so we have type and length info available directly.

Was there a problem with it (inet family)?



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux