bugzilla-daemon at netfilter.org
2017-Apr-15 16:36 UTC
[Bug 1145] New: nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
Bug ID: 1145
Summary: nft 0.7: expression.c:966: range_expr_value_low:
Assertion '0' failed.
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: ian.kumlien at gmail.com
Created attachment 499
--> https://bugzilla.netfilter.org/attachment.cgi?id=499&action=edit
file triggering bug
Trying to learn nftables,
My script now generates coredumps ;)
Example file included.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170415/3aa1966c/attachment.html>
bugzilla-daemon at netfilter.org
2017-May-12 09:28 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
--- Comment #1 from Ian Kumlien <ian.kumlien at gmail.com> ---
Is there anything obvious that I'm doing wrong?
Is there something else I could try?
bugzilla-daemon at netfilter.org
2017-Jun-07 19:36 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
--- Comment #2 from Ian Kumlien <ian.kumlien at gmail.com> ---
Ok, so doing:
    define generic_ports = { <list of generic ports> }
    define tcp_ports = { <tcp specific ports>, $generic_ports }
Will never work - it will cause the error shown in the bug report.
But also:
    map protocol_to_rule {
        type inet_proto : verdict
        elements = {
            udp: jump udp_rule,
            tcp: jump tcp_rule,
            icmp: jump icmp_rule
        }
    }
---
Doesn't work if I want to access it - even if the structure is the same as
something like:
https://wiki.nftables.org/wiki-nftables/index.php/Maps
Using nft list table <table> gives you the same result - no reason why it
shouldn't work and the error message makes no sense.
Also, since that doesn't work, I now have multiple instances of:
    ip protocol vmap {
        tcp: jump tcp_reject_rule,
        udp: jump udp_reject_rule
    }
    ip6 nexthdr vmap {
        tcp: jump tcp_reject_rule,
        udp: jump udp_reject_rule
    }
---
bugzilla-daemon at netfilter.org
2017-Jun-16 16:23 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Thanks for submitting, quick summary on your script file.
This is triggering the bug:
    define dnat_ports = { 1234-1567 }
    define port_allow = {
        53, # dns
        $dnat_ports, # dnat
    }
that needs to be fixed...
Then, if I comment the nested $dnat_ports inside $port_allow, I can see this:
    # nft -f rc.nftables-test
    rc.nftables-test:46:17-45: Error: Could not process rule: Invalid argument
    ip protocol @protocol_to_rule;
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    rc.nftables-test:47:17-45: Error: Could not process rule: Invalid argument
    ip6 nexthdr @protocol_to_rule;
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    rc.nftables-test:63:17-43: Error: Could not process rule: Invalid argument
    ip protocol @reject_to_rule;
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
    rc.nftables-test:64:17-43: Error: Could not process rule: Invalid argument
    ip6 nexthdr @reject_to_rule;
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
These are maps, so this should be instead:
    ip protocol vmap @protocol_to_rule
"Invalid argument" is not very good, so we can probably get better error
reporting here.
Then, dnat is not supported from postrouting:
    rc.nftables-test:83:17-77: Error: Could not process rule: Operation not supported
    iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
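Added example, not part of the bug report and not the reporter's rc.nftables-test: a minimal ruleset that puts the points from comment #3 together, with the verdict map referenced through vmap and the dnat rule placed in a prerouting chain. The interface name, the address and the chain bodies are constructed placeholders, and the nested define assumes an nft build that includes the fix for this bug.

```nftables
#!/usr/sbin/nft -f
# Added example; all concrete values below are constructed placeholders.

define inet_interface = "eth0"        # placeholder interface name
define dnat_host      = 192.0.2.10    # placeholder address (TEST-NET-1)
define dnat_ports     = { 1234-1567 }
# Nested set definition: this is the construct that hits the
# range_expr_value_low assertion on nft 0.7, so it needs a fixed build.
define port_allow     = { 53, $dnat_ports }

table ip filter {
    # Target chains are declared before the map that jumps to them.
    chain tcp_rule {
        tcp dport $port_allow accept
    }
    chain udp_rule {
        udp dport 53 accept
    }
    chain icmp_rule {
        accept
    }

    # Verdict map: key is the layer 4 protocol, value is a verdict.
    map protocol_to_rule {
        type inet_proto : verdict
        elements = { tcp : jump tcp_rule, udp : jump udp_rule, icmp : jump icmp_rule }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        # "ip protocol @protocol_to_rule" is rejected with "Invalid argument";
        # a named map is looked up with the vmap keyword.
        ip protocol vmap @protocol_to_rule
    }
}

table ip nat {
    chain prerouting {
        # dnat belongs in prerouting, not postrouting.
        type nat hook prerouting priority -100;
        iifname $inet_interface tcp dport $dnat_ports dnat to $dnat_host
    }
}
```

Running nft -c -f on the file checks it without applying anything to the live ruleset.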
bugzilla-daemon at netfilter.org
2017-Jun-18 10:05 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
--- Comment #4 from Ian Kumlien <ian.kumlien at gmail.com> ---
> ip protocol vmap @protocol_to_rule
Oh? I tried some variations on that and it never worked, which is why I did the
rewrite
Thanks, good to know =)
> rc.nftables-test:83:17-77: Error: Could not process rule: Operation not supported
> iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host
Interesting, I have got this to not give me errors, but yes, it's wrong =)
I do however run this with a script that has nft -f at the beginning and I
don't get the same error messages that you get... So I hope that you have a
newer version ;)
bugzilla-daemon at netfilter.org
2017-Jun-18 10:12 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
[...]
> > rc.nftables-test:83:17-77: Error: Could not process rule: Operation not supported
> > iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host
>
> Interesting, I have got this to not give me errors, but yes, it's wrong =)
>
> I do however run this with a script that has nft -f at the beginning and I
> don't get the same error messages that you get... So I hope that you have a
> newer version ;)
:) Yes, newer version is going to provide better error messages. If you want to
give a try to libnftnl and nftables git clones, you can help us test most
recent changes.
Side note: In the midrun we could even provide better ones, more fine grain
even, pointing to the specific part of the rule that triggers the error.
BTW, we still need to have a look at the bug you're hitting with the nested set
definitions, that should work indeed, will get back to you with some feedback
asap.
bugzilla-daemon at netfilter.org
2017-Jun-18 11:14 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #5)
> [...]
> BTW, we still need to have a look at the bug you're hitting with the nested
> set definitions, that should work indeed, will get back to you with some
> feedback asap.
http://patchwork.ozlabs.org/patch/777413/
bugzilla-daemon at netfilter.org
2017-Jun-19 10:41 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Patch merged upstream.
http://git.netfilter.org/nftables/commit/?id=bada2f9c182dddf72a6d3b7b00c9eace7eb596c3
bugzilla-daemon at netfilter.org
2017-Jun-19 18:53 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
--- Comment #8 from Ian Kumlien <ian.kumlien at gmail.com> ---
Good, thanks!
bugzilla-daemon at netfilter.org
2017-Jul-07 10:51 UTC
[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #9 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Fixed now upstream. Thanks for reporting.