netfilter buglog - Apr 2017 - [Bug 1142] New: invalid binop operation 6nft

https://bugzilla.netfilter.org/show_bug.cgi?id=1142

            Bug ID: 1142
           Summary: invalid binop operation 6nft
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at d9c.eu

Consider the following table:

table inet filter {
        set allowable {
                type ipv6_addr
                flags timeout
        }

        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport telnet set update ip6 saddr &
ffff:ffff:ffff:ffff::
timeout 2m @allowable
        }
}

# nft "add rule inet filter input ip6 saddr & ffff:ffff:ffff:ffff::
@allowable
counter"
BUG: invalid binop operation 6nft: evaluate.c:1418: binop_transfer: Assertion
`0' failed.

# nft add element inet filter allowable { 1:1:1:1:: timeout 1h }
# nft "add rule inet filter input ip6 saddr & ffff:ffff:ffff:ffff::
@allowable
counter"
works!

new ruleset works but is invalid:

table inet filter {
        set allowable {
                type ipv6_addr
                flags timeout
                elements = { 1:1:1:1:: timeout 1h expires 57m23s}
        }

        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport telnet set update ip6 saddr &
ffff:ffff:ffff:ffff::
timeout 2m @allowable
                ip6 saddr @allowable/64 counter packets 3 bytes 212
        }
}

--> Error: Could not process rule: Set 'allowable/64' does not exist

What i basically want to do is a dynamically updating set for ipv6 that
operates on /64 subnets.

Using nftables 0.7 on Archlinux x64 kernel 4.10.5

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170402/842c5b8a/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1142

--- Comment #1 from Andreas Fischer <netfilter at d9c.eu> ---
Any update/confirmation?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170730/e8da01c1/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1142

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|pablo at netfilter.org         |phil at nwl.cc
                 CC|                            |phil at nwl.cc

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/962bae10/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1142

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|phil at nwl.cc                 |pablo at netfilter.org

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/255ad16b/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1142

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|pablo at netfilter.org         |phil at nwl.cc
             Status|NEW                         |ASSIGNED

--- Comment #2 from Phil Sutter <phil at nwl.cc> ---
Hi,

(In reply to Andreas Fischer from comment #1)
> Any update/confirmation?
Yes, I can still reproduce this. No idea why nft turns

| ip6 saddr & ffff:ffff:ffff:ffff:: @allowable

into

| ip6 saddr @allowable/64

but it is definitely a bug. I'll see how we can fix this.

Thanks, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/b6cc0d09/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1142

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pablo at netfilter.org

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
http://git.netfilter.org/nftables/commit/?id=7c9bef0c03120dd8febd33e213ef2cf5626f9262

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200729/a87059d0/attachment-0001.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1142

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Closing, thanks for reporting.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200730/177f0040/attachment.html>