bugzilla-daemon at netfilter.org
2017-Aug-23 17:46 UTC
[Bug 1176] New: Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176

            Bug ID: 1176
           Summary: Invalid identifiers produce unhelpful error messages
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at allycomm.com

If an identifier (at least for define and chain) is present in a file processed by nft, the error message returned does not appear to describe either the cause of the problem, nor the proper location in the file. As such, it is exceptionally difficult to find and resolve the cause of the problem. This is further compounded by the lack of documentation on length of identifiers.

A typical set of error messages looks like:

$ sudo nft -c -f nftables.conf
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: Operation not supported
flush ruleset
^^^^^^^^^^^^^^

I have come to *guess* that at least the "No such file or directory" errors are due to invalid (over-length) identifiers. No idea on the "Operation not supported" error, as of yet.

Expected behavior:
=================

* Invalid identifiers would be caught in the early phases of nft's syntax validation
* Error messaging would point to the file and line at which the identifier occurred, not the first "executable" line in the file

--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Aug-23 17:48 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176

--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---
See also bug 1175 related to documenting the limitations.
bugzilla-daemon at netfilter.org
2017-Aug-23 21:04 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176

--- Comment #2 from Jeff Kletsky <netfilter at allycomm.com> ---
Unhelpful error message with duplicate chain names:

nftables.conf:3:1-14: Error: Could not process rule: Device or resource busy
flush ruleset
^^^^^^^^^^^^^^

$ cat nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet global {
    chain prer_r {
        type filter hook prerouting priority -175
    }
    chain prer_r {
        type filter hook prerouting priority -50
    }
}
bugzilla-daemon at netfilter.org
2017-Aug-23 21:15 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176

--- Comment #3 from Jeff Kletsky <netfilter at allycomm.com> ---
Unhelpful error messages on chain identifier too long:

nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
flush ruleset
^^^^^^^^^^^^^^

$ cat nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet global {
    chain prerouting123456789012345678901. {
        type filter hook prerouting priority -175
    }
    chain prerouting123456789012345678901_ {
        type filter hook prerouting priority -50
    }
}
bugzilla-daemon at netfilter.org
2017-Aug-23 21:36 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176

--- Comment #4 from Jeff Kletsky <netfilter at allycomm.com> ---
Same unhelpful error message if set identifier is too long

nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
flush ruleset
^^^^^^^^^^^^^^

$ cat nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet global {
    define identifier123456789212345678931234567894123456789512345678961234. one
    define identifier123456789212345678931234567894123456789512345678961234_ one
    chain prerouting12345678921234567893. {
        type filter hook prerouting priority -175
    }
    chain prerouting12345678921234567893_ {
        type filter hook prerouting priority -50
    }
    set identifier123456789212345678931. {
        type inet_service
    }
    set identifier123456789212345678931_ {
        type inet_service
    }
}
bugzilla-daemon at netfilter.org
2019-Jul-12 10:40 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #5 from Phil Sutter <phil at nwl.cc> ---
Meanwhile we support names of up to 255 characters, so the last example applies cleanly.

The error message for duplicate chain name has improved significantly:

nft -f /tmp/test.nft
/tmp/test.nft:9:11-16: Error: Could not process rule: Device or resource busy
    chain prer_r {
          ^^^^^^

While it is basically still EBUSY, location info is correct at least. Maybe it should be changed to EEXIST?
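Both failure modes in this thread (over-long object names in comments #3 and #4, and a chain declared twice in one table in comment #2) are things a preflight check can catch before the ruleset is handed to the kernel, which is also what the original report asked for. The following Python linter is an added example for this page, not code from nftables; it takes the 255-character limit from comment #5 as its default (kernels of the 2017 reports rejected the 32-character names shown above, so the limit is a parameter), recognises only the "table FAMILY NAME {" and "chain|set|map NAME {" forms with a regular expression rather than a real parser, and reports locations in the same file:line:col-col form nft uses. The sample ruleset embedded in it is constructed, modelled on the reporter's files.

```python
import re
import sys
from dataclasses import dataclass

# Limit quoted in comment #5 (names of up to 255 characters). Older kernels
# rejected the 32-character names in the 2017 reports, so callers may lower it.
NAME_MAXLEN = 255

# "table <family> <name> {" at top level, "chain|set|map <name> {" inside a
# table. Regex-based: enough for files like the ones in this thread, not a
# full nft parser (assumption of this example).
_TABLE_RE = re.compile(r"^\s*table\s+(?P<family>\w+)\s+(?P<name>[^\s{]+)\s*\{")
_OBJ_RE = re.compile(r"^\s*(?P<kind>chain|set|map)\s+(?P<name>[^\s{]+)\s*\{")


@dataclass(frozen=True)
class Problem:
    line: int      # 1-based line of the offending declaration
    col: int       # 1-based column where the identifier starts
    kind: str      # table / chain / set / map
    name: str
    message: str
    source: str    # the offending source line, for the caret display

    def render(self, filename):
        """Format like nft does: file:line:col-col, the line, then carets."""
        end = self.col + len(self.name) - 1
        return (f"{filename}:{self.line}:{self.col}-{end}: Error: {self.message}\n"
                f"{self.source}\n"
                f"{' ' * (self.col - 1)}{'^' * len(self.name)}")


def lint_ruleset(text, maxlen=NAME_MAXLEN):
    """Return a list of Problem for over-long names and redeclared objects."""
    problems = []
    seen = {}        # (family, table, namespace, name) -> line first declared
    table = None     # (family, name) of the table we are inside, if any
    depth = 0        # brace depth; 0 means top level

    def check(lineno, col, kind, name, source, scope=None):
        if len(name) > maxlen:
            problems.append(Problem(lineno, col, kind, name,
                f"{kind} name is {len(name)} characters, the limit is {maxlen}", source))
        if scope is None:    # tables are only length-checked; redeclaring one is normal
            return
        # Sets and maps are the same kernel object (a map is a set with the
        # map flag) and share a namespace; chains are looked up separately.
        namespace = "set" if kind == "map" else kind
        key = scope + (namespace, name)
        if key in seen:
            problems.append(Problem(lineno, col, kind, name,
                f"{kind} '{name}' already declared on line {seen[key]}", source))
        else:
            seen[key] = lineno

    for lineno, raw in enumerate(text.splitlines(), 1):
        source = raw.rstrip()
        line = source.split("#", 1)[0]    # drop comments and the #! line
        m = _TABLE_RE.match(line)
        if m and depth == 0:
            table = (m["family"], m["name"])
            check(lineno, m.start("name") + 1, "table", m["name"], source)
        else:
            m = _OBJ_RE.match(line)
            if m and table is not None:
                check(lineno, m.start("name") + 1, m["kind"], m["name"], source, table)
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            depth, table = 0, None
    return problems


# Constructed sample, modelled on the files posted in this thread: the
# duplicate chain from comment #2, a 256-character chain name, and a map
# whose name collides with a set.
SAMPLE_RULESET = "\n".join([
    "#!/usr/sbin/nft -f",
    "flush ruleset",
    "table inet global {",
    "    chain prer_r {",
    "        type filter hook prerouting priority -175",
    "    }",
    "    chain prer_r {",
    "        type filter hook prerouting priority -50",
    "    }",
    "    chain " + "x" * 256 + " {",
    "        type filter hook prerouting priority -50",
    "    }",
    "    set ports { type inet_service }",
    "    map ports { type inet_service : verdict }",
    "}",
]) + "\n"


if __name__ == "__main__":
    # Usage: lint_nft.py nftables.conf   (no argument lints the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else "<sample>"
    text = open(path).read() if path != "<sample>" else SAMPLE_RULESET
    found = lint_ruleset(text)
    for p in found:
        print(p.render(path))
    sys.exit(1 if found else 0)
```

The linter is deliberately stricter than the kernel: nft accepts a second declaration that matches the first and only rejects a conflicting one (EBUSY in the output above, EEXIST after the commit in comment #6), so every redeclaration it reports is something for a human to look at rather than a guaranteed load failure. It also does not know which kernel it is targeting, so `nft -c -f` stays the authoritative check; the value here is that the location it prints is the offending identifier, not the first "flush ruleset" line.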
bugzilla-daemon at netfilter.org
2020-Jan-28 23:59 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Aug-28 11:03 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Upstream commit:

commit 77a92189ecfd061616ad531d386639aab7baaad9
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Sun Aug 2 03:05:25 2020 +0200

    netfilter: nf_tables: report EEXIST on overlaps
Possibly Parallel Threads
- [Bug 1188] New: nft fails to parse own output; unable to save-restore active state
- [Bug 1175] New: Document limitations on identifier names
- [Bug 1178] New: Provide better error messaging when a rule can't be executed in its context
- [Bug 1216] New: Error messaging for "interval overlaps with previous one" misidentifies location
- [Bug 1184] New: disable implicit concatenating of elements of sets with flag interval