bugzilla-daemon at netfilter.org
2020-Aug-19 10:22 UTC
[Bug 1450] New: Using certain simple set combinations with TCP flags causes error in mergesort.c from nft list ruleset
https://bugzilla.netfilter.org/show_bug.cgi?id=1450
Bug ID: 1450
Summary: Using certain simple set combinations with TCP flags
causes error in mergesort.c from nft list ruleset
Product: nftables
Version: unspecified
Hardware: arm
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: phillc at gmail.com
When setting up some TCP flag rules I attempted to combine multiple flag
combinations into one rule with a simple set.
The following works perfectly
tcp flags == {syn, syn|ack} accept
tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin} accept
tcp flags & (fin|syn|rst|psh|ack|urg) == psh|ack|fin accept
It can be applied with nft -f and displays with "nft list ruleset"
However, when trying to do this:
tcp flags == {syn, syn|ack} accept
tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack} accept
nft -f applies without any error, but running "nft list ruleset"
returns:
BUG: Unknown expression binop
nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
Aborted (core dumped)
OS: Ubuntu 20.04
Kernel: Ubuntu 5.4.0-1015.15-raspi 5.4.44
nftables/focal,now 0.9.3-2 arm64
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2020-Aug-19 23:17 UTC
[Bug 1450] Using certain simple set combinations with TCP flags causes error in mergesort.c from nft list ruleset
https://bugzilla.netfilter.org/show_bug.cgi?id=1450
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Patch has been posted, thanks for reporting.
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200819230733.439-1-pablo@netfilter.org/
bugzilla-daemon at netfilter.org
2020-Aug-21 17:48 UTC
[Bug 1450] Using certain simple set combinations with TCP flags causes error in mergesort.c from nft list ruleset
https://bugzilla.netfilter.org/show_bug.cgi?id=1450
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Upstream commit:
http://git.netfilter.org/nftables/commit/?id=3926a3369bb5ada5c0706dadcbcf938517822a35
Closing. Thanks for reporting.