bugzilla-daemon at netfilter.org
2017-Apr-15 16:36 UTC
[Bug 1145] New: nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

            Bug ID: 1145
           Summary: nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Gentoo
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: ian.kumlien at gmail.com

Created attachment 499
  --> https://bugzilla.netfilter.org/attachment.cgi?id=499&action=edit
file triggering bug

Trying to learn nftables, My script now generates coredumps ;)

Example file included.

bugzilla-daemon at netfilter.org
2017-May-12 09:28 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

--- Comment #1 from Ian Kumlien <ian.kumlien at gmail.com> ---
Is there anything obvious that I'm doing wrong?

Is there something else I could try?

bugzilla-daemon at netfilter.org
2017-Jun-07 19:36 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

--- Comment #2 from Ian Kumlien <ian.kumlien at gmail.com> ---
Ok, so doing:

    define generic_ports = { <list of generic ports> }
    define tcp_ports = { <tcp specific ports>, $generic_ports }

Will never work - it will cause the error shown in the bug report.

But also:

    map protocol_to_rule {
        type inet_proto : verdict
        elements = { udp: jump udp_rule, tcp: jump tcp_rule, icmp: jump icmp_rule }
    }

---
Doesn't work if I want to access it - even if the structure is the same as something like:
https://wiki.nftables.org/wiki-nftables/index.php/Maps

using nft list table <table> gives you the same result - no reason why it shouldn't work and the error message makes no sense.

Also, since that doesn't work, I now have multiple instances of:

    ip protocol vmap { tcp: jump tcp_reject_rule, udp: jump udp_reject_rule }
    ip6 nexthdr vmap { tcp: jump tcp_reject_rule, udp: jump udp_reject_rule }

---

bugzilla-daemon at netfilter.org
2017-Jun-16 16:23 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Thanks for submitting, quick summary on your script file.

This is triggering the bug:

    define dnat_ports = { 1234-1567 }
    define port_allow = {
        53, # dns
        $dnat_ports, # dnat
    }

that needs to be fixed...

Then, if I comment the nested $dnat_ports inside $port_allow, I can see this:

    # nft -f rc.nftables-test
    rc.nftables-test:46:17-45: Error: Could not process rule: Invalid argument
                    ip protocol @protocol_to_rule;
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    rc.nftables-test:47:17-45: Error: Could not process rule: Invalid argument
                    ip6 nexthdr @protocol_to_rule;
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    rc.nftables-test:63:17-43: Error: Could not process rule: Invalid argument
                    ip protocol @reject_to_rule;
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
    rc.nftables-test:64:17-43: Error: Could not process rule: Invalid argument
                    ip6 nexthdr @reject_to_rule;
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^

These are maps, so this should be instead:

    ip protocol vmap @protocol_to_rule

"Invalid argument" is not very good, so we can probably get better error reporting here.

Then, dnat is not supported from postrouting:

    rc.nftables-test:83:17-77: Error: Could not process rule: Operation not supported
                    iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

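A corrected form of the constructs discussed in comment #3, as an added example that is not part of the original thread or of the reporter's attached script. The table and chain layout, the interface name and the address are assumptions; the variable, map and rule names follow the thread.

```nft
# Constructed example: interface and address are placeholders.
define inet_interface = "eth0"
define dnat_host = 192.0.2.10
define dnat_ports = { 1234-1567 }

# Nested definition containing a range: this is the construct that hit the
# range_expr_value_low assertion in nft 0.7 and needs a build that includes
# the upstream fix referenced in this thread.
define port_allow = {
    53,             # dns
    $dnat_ports,    # dnat
}

table ip filter {
    chain tcp_rule {
        tcp dport $port_allow accept
    }
    chain udp_rule {
        udp dport 53 accept
    }
    chain icmp_rule {
        accept
    }

    # Named verdict map: keys are L4 protocols, values are verdicts.
    map protocol_to_rule {
        type inet_proto : verdict
        elements = { tcp : jump tcp_rule, udp : jump udp_rule, icmp : jump icmp_rule }
    }

    chain input {
        type filter hook input priority 0;
        # Rejected with "Invalid argument":  ip protocol @protocol_to_rule
        # A map must be looked up with vmap so the verdict is applied:
        ip protocol vmap @protocol_to_rule
    }
}

table ip nat {
    # dnat is valid in prerouting (and output), not in postrouting.
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host
    }
}
```

On current nft releases, `nft -c -f <file>` parses and validates the file without applying it.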
bugzilla-daemon at netfilter.org
2017-Jun-18 10:05 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

--- Comment #4 from Ian Kumlien <ian.kumlien at gmail.com> ---
> ip protocol vmap @protocol_to_rule

Oh? I tried some variations on that and it never worked, which is why I did the rewrite

Thanks, good to know =)

> rc.nftables-test:83:17-77: Error: Could not process rule: Operation not supported
> iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host

Interesting, I have got this to not give me errors, but yes, it's wrong =)

I do however run this with a script that has nft -f at the beginning and I don't get the same error messages that you get... So I hope that you have a newer version ;)

bugzilla-daemon at netfilter.org
2017-Jun-18 10:12 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
[...]
> > rc.nftables-test:83:17-77: Error: Could not process rule: Operation not supported
> > iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host
>
> Interesting, I have got this to not give me errors, but yes, it's wrong =)
>
> I do however run this with a script that has nft -f at the beginning and I
> don't get the same error messages that you get... So I hope that you have a
> newer version ;)

:) Yes, newer version is going to provide better error messages.

If you want to give a try to libnftnl and nftables git clones, you can help us test most recent changes.

Side note: In the midrun we could even provide better ones, more fine grain even, pointing to the specific part of the rule that triggers the error.

BTW, we still need to have a look at the bug you're hitting with the nested set definitions, that should work indeed, will get back to you with some feedback asap.

bugzilla-daemon at netfilter.org
2017-Jun-18 11:14 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #5)
> [...]
> BTW, we still need to have a look at the bug you're hitting with the nested
> set definitions, that should work indeed, will get back to you with some
> feedback asap.

http://patchwork.ozlabs.org/patch/777413/

bugzilla-daemon at netfilter.org
2017-Jun-19 10:41 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Patch merged upstream.

http://git.netfilter.org/nftables/commit/?id=bada2f9c182dddf72a6d3b7b00c9eace7eb596c3

bugzilla-daemon at netfilter.org
2017-Jun-19 18:53 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

--- Comment #8 from Ian Kumlien <ian.kumlien at gmail.com> ---
Good, thanks!

bugzilla-daemon at netfilter.org
2017-Jul-07 10:51 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Fixed now upstream. Thanks for reporting.