bugzilla-daemon at netfilter.org
2017-Aug-23 17:46 UTC
[Bug 1176] New: Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176
Bug ID: 1176
Summary: Invalid identifiers produce unhelpful error messages
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter at allycomm.com
If an identifier (at least for define and chain) is present in a file processed
by nft, the error message returned does not appear to describe either the cause
of the problem or the proper location in the file.
As such, it is exceptionally difficult to find and resolve the cause of the
problem.
This is further compounded by the lack of documentation on length of
identifiers.
A typical set of error messages looks like:
$ sudo nft -c -f nftables.conf
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: No such file or directory
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: Operation not supported
flush ruleset
^^^^^^^^^^^^^^
I have come to *guess* that at least the "No such file or directory" errors are
due to invalid (over-length) identifiers. No idea on the "Operation not
supported" error, as of yet.
Expected behavior:
=================
* Invalid identifiers would be caught in the early phases of nft's syntax
validation
* Error messaging would point to the file and line at which the identifier
occurred, not the first "executable" line in the file
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170823/784c1d32/attachment.html>
bugzilla-daemon at netfilter.org
2017-Aug-23 17:48 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176
--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---
See also bug 1175 related to documenting the limitations.
bugzilla-daemon at netfilter.org
2017-Aug-23 21:04 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176
--- Comment #2 from Jeff Kletsky <netfilter at allycomm.com> ---
Unhelpful error message with duplicate chain names:
nftables.conf:3:1-14: Error: Could not process rule: Device or resource busy
flush ruleset
^^^^^^^^^^^^^^
$ cat nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet global {
    chain prer_r {
        type filter hook prerouting priority -175
    }
    chain prer_r {
        type filter hook prerouting priority -50
    }
}
bugzilla-daemon at netfilter.org
2017-Aug-23 21:15 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176
--- Comment #3 from Jeff Kletsky <netfilter at allycomm.com> ---
Unhelpful error messages on chain identifier too long:
nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
flush ruleset
^^^^^^^^^^^^^^
$ cat nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet global {
    chain prerouting123456789012345678901. {
        type filter hook prerouting priority -175
    }
    chain prerouting123456789012345678901_ {
        type filter hook prerouting priority -50
    }
}
bugzilla-daemon at netfilter.org
2017-Aug-23 21:36 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176
--- Comment #4 from Jeff Kletsky <netfilter at allycomm.com> ---
Same unhelpful error message if set identifier is too long
nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
flush ruleset
^^^^^^^^^^^^^^
nftables.conf:3:1-14: Error: Could not process rule: Numerical result out of range
flush ruleset
^^^^^^^^^^^^^^
$ cat nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet global {
    define identifier123456789212345678931234567894123456789512345678961234. one
    define identifier123456789212345678931234567894123456789512345678961234_ one
    chain prerouting12345678921234567893. {
        type filter hook prerouting priority -175
    }
    chain prerouting12345678921234567893_ {
        type filter hook prerouting priority -50
    }
    set identifier123456789212345678931. {
        type inet_service
    }
    set identifier123456789212345678931_ {
        type inet_service
    }
}
bugzilla-daemon at netfilter.org
2019-Jul-12 10:40 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176
Phil Sutter <phil at nwl.cc> changed:
What        | Removed | Added
------------+---------+------------------
CC          |         | phil at nwl.cc
--- Comment #5 from Phil Sutter <phil at nwl.cc> ---
Meanwhile we support names of up to 255 characters, so the last example applies
cleanly.
The error message for duplicate chain name has improved significantly:
nft -f /tmp/test.nft
/tmp/test.nft:9:11-16: Error: Could not process rule: Device or resource busy
chain prer_r {
^^^^^^
While it is basically still EBUSY, location info is correct at least. Maybe it
should be changed to EEXISTS?
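A pre-flight check for the two mistakes comments #2 to #5 describe (duplicate chain names and identifiers over the length limit), as an added example that is not nft's own code and not from the bug thread. It assumes the 255-character limit from comment #5 and a simplified grammar that only recognises table, chain, set and define lines; findings carry the line and column of the identifier itself, which is the behaviour the reporter asked for, rather than the location of the first executable line.

```python
"""Lint an nftables rule file for over-long identifiers and duplicate chains."""
import re
from collections import defaultdict

NAME_MAX = 255  # assumed; comment #5 says names of up to 255 characters work

# Assumed grammar covering only the statements the thread exercises; the
# optional family word is skipped so 'table inet global' yields 'global'.
IDENT_RE = re.compile(
    r"^\s*(?P<kind>table|chain|set|define)\s+"
    r"(?:(?:ip|ip6|inet|arp|bridge|netdev)\s+)?"
    r"(?P<name>[^\s{=]+)"
)


def lint_nft(text, name_max=NAME_MAX):
    """Return (line, column, message) tuples, one per problem found."""
    problems = []
    chains = defaultdict(set)  # table name -> chain names seen in it
    table = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IDENT_RE.match(line)
        if not m:
            continue
        kind, name, col = m["kind"], m["name"], m.start("name") + 1
        if kind == "table":
            table = name
        if len(name) > name_max:
            problems.append((lineno, col,
                             f"{kind} name is {len(name)} chars, limit {name_max}"))
        if kind == "chain":
            if name in chains[table]:
                problems.append((lineno, col,
                                 f"duplicate chain '{name}' in table '{table}'"))
            chains[table].add(name)
    return problems


def format_problems(path, problems):
    """Render findings in nft's own 'file:line:col: Error: ...' layout."""
    return [f"{path}:{ln}:{col}: Error: {msg}" for ln, col, msg in problems]


# Constructed sample: comment #2's duplicate chain plus an over-long set name.
SAMPLE = "\n".join([
    "#!/usr/sbin/nft -f", "flush ruleset", "table inet global {",
    "    chain prer_r {", "        type filter hook prerouting priority -175", "    }",
    "    chain prer_r {", "        type filter hook prerouting priority -50", "    }",
    "    set " + "s" * 300 + " {", "        type inet_service", "    }", "}"])
```

Run it on a real file with `format_problems(path, lint_nft(open(path).read()))` before handing the file to `nft -c -f`; the sample reports the duplicate `prer_r` at line 7, column 11 and the 300-character set name at line 10, column 9.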
bugzilla-daemon at netfilter.org
2020-Jan-28 23:59 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176
kfm at plushkava.net changed:
What        | Removed | Added
------------+---------+------------------
CC          |         | kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Aug-28 11:03 UTC
[Bug 1176] Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What        | Removed | Added
------------+---------+------------------
Status      | NEW     | ASSIGNED
--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Upstream commit:
commit 77a92189ecfd061616ad531d386639aab7baaad9
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Sun Aug 2 03:05:25 2020 +0200
netfilter: nf_tables: report EEXIST on overlaps