bugzilla-daemon at netfilter.org
2017-Aug-24 00:05 UTC
[Bug 1179] New: vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179
Bug ID: 1179
Summary: vmap and sets cause "BUG: invalid range expression type set"
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter at allycomm.com
Observed Behavior:
=================
Use of sets within a vmap results in the error message:
BUG: invalid range expression type set
nft: expression.c:1037: range_expr_value_low: Assertion `0' failed.
Aborted
Expected Behavior:
=================
Could use both anonymous and named sets in a vmap
No "vmap" anywhere on
<http://www.netfilter.org/projects/nftables/manpage.html>
No limitations given on the "match" portion of the dictionary in
<https://wiki.nftables.org/wiki-nftables/index.php/Dictionaries>
Example .nft below, a simplified example of blocking "blackhole" IPv4 addresses, other than the expected ones.
Impact:
======
The use of "sets" is crucial for managing non-contiguous ranges of IP addresses that have various outcomes. While the IPv4 blackhole address space is relatively small, there are presently over 88,000 entries in the IPv6 "bogons" list.
Assuming that sets will properly scale to this level, it is possible to use individual tests for each of the outcomes. Using the vmap is a preferred option, especially if one can define a "default" match option.
To Replicate:
============
table inet global {
    set blackhole_ipv4 {
        type ipv4_addr
        flags interval
        elements = {
            0.0.0.0/8,          # "default"
            10.0.0.0/8,         # RFC 1918
            100.64.0.0/10,      # bogon-bn-agg.txt 2017-08-17
            127.0.0.0/8,        # loopback
            169.254.0.0/16,     # Self-configured DHCP
            172.16.0.0/12,      # RFC 1918
            192.0.0.0/24,       # Vendor co-opted print servers
            192.0.2.0/24,       # NET TEST
            192.168.0.0/16,     # RFC 1918
            192.18.0.0/15,      # RFC 2455 (NOT IANA; for Harvard, for BMWG)
            192.42.172.0/24,    # NeXT-Default:
            192.88.99.0/24,     # RFC 3068
            198.51.100.1/24,    # bogon-bn-agg.txt 2017-08-17
            203.0.113.0/24,     # bogon-bn-agg.txt 2017-08-17
            224.0.0.0/3,        # bogon-bn-agg.txt 2017-08-17
            255.255.255.255     # broadcast
        }
    }

    define if_external_net_ipv4 = { 192.168.0.0/24 }
    define if_external_addrs_ipv4 = { 192.168.0.100, 192.168.0.255 }

    chain drop_ext_prerouting_pre_nat {
        # Configured here for the possibility that the external interface
        # is on a blackhole net (for testing)
        # Reexamine after testing completed
        ip saddr vmap { $if_external_net_ipv4 : continue,
                        @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src }
        ip daddr vmap { $if_external_addrs_ipv4 : continue,
                        @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst }
        return
    }
}
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Aug-24 00:33 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179
--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---
Should someone come across this and have a similar application, the following appears to meet the use case outlined above. Output from # nft list ruleset:
table inet global {
    set blackhole_ipv4 {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8,
                     100.64.0.0/10, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12,
                     192.0.0.0/24, 192.0.2.0/24,
                     192.18.0.0/15, 192.42.172.0/24,
                     192.88.99.0/24, 192.168.0.0/16,
                     198.51.100.0/24, 203.0.113.0/24,
                     224.0.0.0-255.255.255.255 }
    }

    chain drop_ext_prerouting_pre_nat {
        ip saddr != { 192.168.0.0/24 } ip saddr @blackhole_ipv4 log prefix "Unacceptable blackhole src: " drop
        ip daddr != { 192.168.0.100, 192.168.6.255 } ip daddr @blackhole_ipv4 log prefix "Unacceptable blackhole dst: " drop
        return
    }
}
bugzilla-daemon at netfilter.org
2019-Nov-04 06:14 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179
hart3778avery at gmx.com <hart3778avery at gmx.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hart3778avery at gmx.com
--- Comment #2 from hart3778avery at gmx.com <hart3778avery at gmx.com>
---
Looks like the buffer overflow. Could somebody confirm?
https://mrkortingscode.nl
bugzilla-daemon at netfilter.org
2020-Jan-28 23:59 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Aug-29 00:23 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1461
bugzilla-daemon at netfilter.org
2020-Aug-29 10:24 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Jeff Kletsky from comment #1)
> Should someone come across this and have a similar application, the
> following appears to meet the use case outlined above. Output from # nft
> list ruleset
>
> table inet global {
> set blackhole_ipv4 {
> type ipv4_addr
> flags interval
> elements = { 0.0.0.0/8, 10.0.0.0/8,
> 100.64.0.0/10, 127.0.0.0/8,
> 169.254.0.0/16, 172.16.0.0/12,
> 192.0.0.0/24, 192.0.2.0/24,
> 192.18.0.0/15, 192.42.172.0/24,
> 192.88.99.0/24, 192.168.0.0/16,
> 198.51.100.0/24, 203.0.113.0/24,
> 224.0.0.0-255.255.255.255 }
> }
>
> chain drop_ext_prerouting_pre_nat {
> ip saddr != { 192.168.0.0/24 } ip saddr @blackhole_ipv4 log prefix
> "Unacceptable blackhole src: " drop
> ip daddr != { 192.168.0.100, 192.168.6.255 } ip daddr @blackhole_ipv4 log
> prefix "Unacceptable blackhole dst: " drop
> return
> }
> }
This ruleset works fine here with current nftables snapshot.
And the larger one in the initial report includes a set as a key in a map
definition, which is not supported.
This is bailing out with:
# nft -f /tmp/lala
/tmp/lala:37:19-19: Error: syntax error, unexpected @, expecting comma or
'}'
@blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src }
^
/tmp/lala:40:19-19: Error: syntax error, unexpected @, expecting comma or
'}'
@blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst }
^
root at salvia:/home/pablo/devel/scm/git-kernel/korg/nf# vi /tmp/lala
root at salvia:/home/pablo/devel/scm/git-kernel/korg/nf# nft -f /tmp/lala
/tmp/lala:37:19-19: Error: syntax error, unexpected @, expecting comma or
'}'
@blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src }
^
/tmp/lala:40:19-19: Error: syntax error, unexpected @, expecting comma or
'}'
@blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst }
^
Closing.
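For readers who land on this report wanting the vmap semantics the reporter asked for, the following is an added example that is not part of this bug thread and not the reporter's or the netfilter project's own ruleset. Instead of referencing a named set (@blackhole_ipv4) as a key inside a vmap, which nft rejects as shown in comment #3, it declares a named verdict map with interval keys and hands that map to vmap directly, which nft does support. The table, chain and map names, the choice of 192.168.0.0/24 as the external network, and the log prefix are assumptions for the example; the blackhole prefixes are the ones from the original report, with the external /24 carved out of 192.168.0.0/16 because interval map elements must not overlap.

```nft
# Added example (not from this bug thread). Assumed names: table "global",
# map "blackhole_src_ipv4", chain "log_drop_src"; assumed external net
# 192.168.0.0/24. Dry-run the file before loading it:
#     nft -c -f blackhole.nft
table inet global {
    chain log_drop_src {
        log prefix "Unacceptable blackhole src: " drop
    }

    # A named verdict map: each interval key maps straight to a verdict,
    # so no vmap has to reference a separate named set. Interval elements
    # must not overlap, hence the explicit range 192.168.1.0-192.168.255.255
    # instead of 192.168.0.0/16 once the external /24 is carved out.
    map blackhole_src_ipv4 {
        type ipv4_addr : verdict
        flags interval
        elements = {
            192.168.0.0/24 : continue,                  # external net (assumed)
            0.0.0.0/8 : jump log_drop_src,              # "default"
            10.0.0.0/8 : jump log_drop_src,             # RFC 1918
            100.64.0.0/10 : jump log_drop_src,          # shared address space
            127.0.0.0/8 : jump log_drop_src,            # loopback
            169.254.0.0/16 : jump log_drop_src,         # link-local
            172.16.0.0/12 : jump log_drop_src,          # RFC 1918
            192.0.0.0/24 : jump log_drop_src,
            192.0.2.0/24 : jump log_drop_src,           # TEST-NET-1
            192.18.0.0/15 : jump log_drop_src,          # benchmarking
            192.42.172.0/24 : jump log_drop_src,
            192.88.99.0/24 : jump log_drop_src,         # RFC 3068
            192.168.1.0-192.168.255.255 : jump log_drop_src,  # RFC 1918 minus external /24
            198.51.100.0/24 : jump log_drop_src,        # TEST-NET-2
            203.0.113.0/24 : jump log_drop_src,         # TEST-NET-3
            224.0.0.0/3 : jump log_drop_src             # multicast and above
        }
    }

    chain drop_ext_prerouting_pre_nat {
        # A source address that matches no key falls through to the next
        # rule, so whatever follows the vmap is the "default" branch the
        # report asked for.
        ip saddr vmap @blackhole_src_ipv4
        return
    }
}
```

Because the map is a named object, its contents can be maintained without reloading the rules, for example with nft add element inet global blackhole_src_ipv4 { 198.18.0.0/15 : jump log_drop_src }, which is what makes a list the size of the IPv6 bogon list mentioned under Impact manageable; the destination-address case from the report is the same pattern with a second map keyed on ip daddr.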