bugzilla-daemon at netfilter.org
2017-Aug-21 22:53 UTC
[Bug 1172] New: chain priority cannot be set by a defined variable
https://bugzilla.netfilter.org/show_bug.cgi?id=1172
Bug ID: 1172
Summary: chain priority cannot be set by a defined variable
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter at allycomm.com
To Replicate:
* Create an nft file that contains
define PRI_FILTER = 0
table inet global {
    chain prerouting {
        type filter hook prerouting priority $PRI_FILTER
        policy drop
    }
}
* "execute" using nft -f <that_file>
Observed Behavior:
tmp:4:46-46: Error: syntax error, unexpected '$', expecting - or number
type filter hook prerouting priority $PRI_FILTER
^
Expected Behavior:
priority would be 0
Impact:
For multi-part rule sets, being able to centrally manage the order of execution
is critical for ensuring robustness and correctness. Needing to manage a set of
priorities across not only multiple chains, but also multiple files is error
prone.
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Aug-22 19:50 UTC
[Bug 1172] chain priority cannot be set by a defined variable
https://bugzilla.netfilter.org/show_bug.cgi?id=1172
--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---
~/build/nftables$ git log -1
commit d74eed8c9649e9278b69f2cd0fd92f71e3e19cfb (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD)
Author: Varsha Rao <rvarsha016 at gmail.com>
Date: Wed Aug 16 19:48:17 2017 +0530
~/build/libmnl$ git log -1
commit fbe0f33b45abd585eb9f52cb56d751a750667dc6 (HEAD -> master, tag: 2017-08-19, origin/master, origin/HEAD)
Author: Guillaume Nault <g.nault at alphalink.fr>
Date: Wed Aug 3 12:52:34 2016 +0200
~/build/libnftnl$ git log -1
commit d58998312375de0865091cfc5d00ddd271d9a44c (HEAD -> master, tag: 2017-08-19)
Author: Eric Leblond <eric at regit.org>
Date: Thu Jul 6 13:58:27 2017 +0100
bugzilla-daemon at netfilter.org
2019-Jun-26 14:25 UTC
[Bug 1172] chain priority cannot be set by a defined variable
https://bugzilla.netfilter.org/show_bug.cgi?id=1172
Tercio Gaudencio Filho <terciofilho at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |terciofilho at gmail.com
--- Comment #2 from Tercio Gaudencio Filho <terciofilho at gmail.com> ---
This error also occurs when setting a chain policy:
define DEFAULT_POLICY = "drop"
add chain ip filter input { type filter hook input priority 0; policy $DEFAULT_POLICY; }
This is useful when we have a separate file to override defaults, like:
/etc/nftables.rules:
#----------------------------------------------------------
define DEFAULT_POLICY = "drop"
include "/etc/defaults/nftables.rules"
add chain ip filter input { type filter hook input priority 0; policy $DEFAULT_POLICY; }
#----------------------------------------------------------
/etc/defaults/nftables.rules:
#----------------------------------------------------------
redefine DEFAULT_POLICY = "accept"
#----------------------------------------------------------
bugzilla-daemon at netfilter.org
2019-Jul-12 10:16 UTC
[Bug 1172] chain priority cannot be set by a defined variable
https://bugzilla.netfilter.org/show_bug.cgi?id=1172
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|pablo at netfilter.org |ffmancera at riseup.net
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Fernando will prepare a patch for this.
bugzilla-daemon at netfilter.org
2019-Aug-09 08:37 UTC
[Bug 1172] chain priority cannot be set by a defined variable
https://bugzilla.netfilter.org/show_bug.cgi?id=1172
Fernando F. Mancera <ffmancera at riseup.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Fernando F. Mancera <ffmancera at riseup.net> ---
Implemented. Thanks!
https://git.netfilter.org/nftables/commit/?id=627c451b2351310da9ad82dbdb64747b1fada8e5
https://git.netfilter.org/nftables/commit/?id=dba4a9b4b5fe2c4b6929be799fdb9332fc653e1b
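The syntax requested in this report, shown for two base chains on the same hook, as an added example that is not part of the bug thread or of the nftables sources. It assumes an nft build that includes the two commits linked in comment #4; PRI_EARLY, the chain name early_drop and the rules inside the chains are hypothetical.

```nftables
# Added example, not from the bug thread. Only PRI_FILTER, DEFAULT_POLICY,
# table "inet global" and chain "prerouting" come from the report; the rest
# is assumed for illustration.

# Execution order and the default verdict are decided here, in one place.
define PRI_EARLY = 0            # lower value runs first on the hook
define PRI_FILTER = 10          # runs after PRI_EARLY
define DEFAULT_POLICY = "drop"  # quoted, as in comment #2

table inet global {
    # First chain on the prerouting hook: discard invalid conntrack state.
    # An accept here still hands the packet to the next chain on the hook.
    chain early_drop {
        type filter hook prerouting priority $PRI_EARLY; policy accept;
        ct state invalid drop
    }

    # Second chain on the same hook: default-deny with explicit allows.
    chain prerouting {
        type filter hook prerouting priority $PRI_FILTER; policy $DEFAULT_POLICY;
        ct state established,related accept
        iif "lo" accept
    }
}
```

Running `nft -c -f <that_file>` parses and validates the file without applying it, which is a safe way to confirm that the installed nft accepts variables in these positions before loading a default-drop ruleset.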