bugzilla-daemon at netfilter.org
2017-Aug-24 00:05 UTC
[Bug 1179] New: vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179

            Bug ID: 1179
           Summary: vmap and sets cause "BUG: invalid range expression type set"
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at allycomm.com

Observed Behavior:
=================

Use of sets within a vmap results in the error message:

    BUG: invalid range expression type set
    nft: expression.c:1037: range_expr_value_low: Assertion `0' failed.
    Aborted

Expected Behavior:
=================

Could use both anonymous and named sets in a vmap

No "vmap" anywhere on <http://www.netfilter.org/projects/nftables/manpage.html>

No limitations given on the "match" portion of the dictionary in
<https://wiki.nftables.org/wiki-nftables/index.php/Dictionaries>

Example .nft below, a simplified example of blocking "blackhole" IPv4
addresses, other than the expected ones.

Impact:
======

The use of "sets" is crucial for managing non-contiguous ranges of IP
addresses that have various outcomes. While the IPv4 blackhole address
space is relatively small, there are presently over 88,000 entries in
the IPv6 "bogons" list. Assuming that sets will properly scale to this
level, it is possible to use individual tests for each of the outcomes.
Using the vmap is a preferred option, especially if one can define a
"default" match option.

To Replicate:
============

    table inet global {
        set blackhole_ipv4 {
            type ipv4_addr
            flags interval
            elements = {
                0.0.0.0/8,              # "default"
                10.0.0.0/8,             # RFC 1918
                100.64.0.0/10,          # bogon-bn-agg.txt 2017-08-17
                127.0.0.0/8,            # loopback
                169.254.0.0/16,         # Self-configured DHCP
                172.16.0.0/12,          # RFC 1918
                192.0.0.0/24,           # Vendor co-opted print servers
                192.0.2.0/24,           # NET TEST
                192.168.0.0/16,         # RFC 1918
                192.18.0.0/15,          # RFC 2455 (NOT IANA; for Harvard, for BMWG)
                192.42.172.0/24,        # NeXT-Default:
                192.88.99.0/24,         # RFC 3068
                198.51.100.1/24,        # bogon-bn-agg.txt 2017-08-17
                203.0.113.0/24,         # bogon-bn-agg.txt 2017-08-17
                224.0.0.0/3,            # bogon-bn-agg.txt 2017-08-17
                255.255.255.255         # broadcast
            }
        }

        define if_external_net_ipv4 = { 192.168.0.0/24 }
        define if_external_addrs_ipv4 = { 192.168.0.100, 192.168.0.255 }

        chain drop_ext_prerouting_pre_nat {
            # Configured here for possibility that the external interface
            # is on a blackhole net (for testing)
            # Reexamine after testing completed
            ip saddr vmap { $if_external_net_ipv4 : continue, @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src }
            ip daddr vmap { $if_external_addrs_ipv4 : continue, @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst }
            return
        }
    }

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Aug-24 00:33 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179

--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---

Should someone come across this and have a similar application, the
following appears to meet the use case outlined above. Output from
# nft list ruleset

    table inet global {
        set blackhole_ipv4 {
            type ipv4_addr
            flags interval
            elements = { 0.0.0.0/8, 10.0.0.0/8,
                         100.64.0.0/10, 127.0.0.0/8,
                         169.254.0.0/16, 172.16.0.0/12,
                         192.0.0.0/24, 192.0.2.0/24,
                         192.18.0.0/15, 192.42.172.0/24,
                         192.88.99.0/24, 192.168.0.0/16,
                         198.51.100.0/24, 203.0.113.0/24,
                         224.0.0.0-255.255.255.255 }
        }

        chain drop_ext_prerouting_pre_nat {
            ip saddr != { 192.168.0.0/24 } ip saddr @blackhole_ipv4 log prefix "Unacceptable blackhole src: " drop
            ip daddr != { 192.168.0.100, 192.168.6.255 } ip daddr @blackhole_ipv4 log prefix "Unacceptable blackhole dst: " drop
            return
        }
    }
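Added example, not part of the bug thread or of nftables itself: a small Python model of what the workaround ruleset in comment #1 does. It normalizes the set the way nft's "flags interval" set did when it listed it back (198.51.100.1/24 becoming 198.51.100.0/24, and 255.255.255.255 folding into 224.0.0.0/3), then evaluates the two rules in order; the exclusion values are taken from comment #1 and the packet addresses are constructed.

```python
import ipaddress

# Constructed from the set in the bug report; comment #1 shows nft's normalized output.
BLACKHOLE_IPV4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "192.18.0.0/15", "192.42.172.0/24", "192.88.99.0/24",
    "198.51.100.1/24", "203.0.113.0/24", "224.0.0.0/3", "255.255.255.255",
]
# Exclusions used by the workaround rules in comment #1 (local values, assumed).
EXTERNAL_NET = ["192.168.0.0/24"]
EXTERNAL_ADDRS = ["192.168.0.100", "192.168.6.255"]

def normalize_intervals(elements):
    """Model an nft 'flags interval' set: host bits are cleared
    (198.51.100.1/24 -> 198.51.100.0/24) and overlapping or adjacent ranges
    are coalesced (255.255.255.255 already lies inside 224.0.0.0/3, which
    nft listed as 224.0.0.0-255.255.255.255). Returns sorted (lo, hi) ints."""
    ranges = sorted((int(n.network_address), int(n.broadcast_address))
                    for n in (ipaddress.ip_network(e, strict=False) for e in elements))
    merged = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def render(merged):
    """Show each interval as a prefix when it is exactly one, else as lo-hi."""
    out = []
    for lo, hi in merged:
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        nets = list(ipaddress.summarize_address_range(lo_a, hi_a))
        out.append(str(nets[0]) if len(nets) == 1 else f"{lo_a}-{hi_a}")
    return out

def in_set(addr, merged):
    a = int(ipaddress.ip_address(addr))
    return any(lo <= a <= hi for lo, hi in merged)

def verdict(saddr, daddr):
    """Evaluate the two workaround rules in order. The '!=' exclusion is what
    stops the 192.168.0.0/16 bogon entry from dropping the host's own LAN."""
    bh = normalize_intervals(BLACKHOLE_IPV4)
    if not in_set(saddr, normalize_intervals(EXTERNAL_NET)) and in_set(saddr, bh):
        return "log+drop src"
    if not in_set(daddr, normalize_intervals(EXTERNAL_ADDRS)) and in_set(daddr, bh):
        return "log+drop dst"
    return "return"
```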
bugzilla-daemon at netfilter.org
2019-Nov-04 06:14 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179

hart3778avery at gmx.com <hart3778avery at gmx.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hart3778avery at gmx.com

--- Comment #2 from hart3778avery at gmx.com <hart3778avery at gmx.com> ---

Looks like the buffer overflow. Could somebody confirm?
https://mrkortingscode.nl
bugzilla-daemon at netfilter.org
2020-Jan-28 23:59 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Aug-29 00:23 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1461
bugzilla-daemon at netfilter.org
2020-Aug-29 10:24 UTC
[Bug 1179] vmap and sets cause "BUG: invalid range expression type set"
https://bugzilla.netfilter.org/show_bug.cgi?id=1179

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---

(In reply to Jeff Kletsky from comment #1)
> Should someone come across this and have a similar application, the
> following appears to meet the use case outlined above. Output from # nft
> list ruleset
> 
> table inet global {
>     set blackhole_ipv4 {
>         type ipv4_addr
>         flags interval
>         elements = { 0.0.0.0/8, 10.0.0.0/8,
>                      100.64.0.0/10, 127.0.0.0/8,
>                      169.254.0.0/16, 172.16.0.0/12,
>                      192.0.0.0/24, 192.0.2.0/24,
>                      192.18.0.0/15, 192.42.172.0/24,
>                      192.88.99.0/24, 192.168.0.0/16,
>                      198.51.100.0/24, 203.0.113.0/24,
>                      224.0.0.0-255.255.255.255 }
>     }
> 
>     chain drop_ext_prerouting_pre_nat {
>         ip saddr != { 192.168.0.0/24 } ip saddr @blackhole_ipv4 log prefix
> "Unacceptable blackhole src: " drop
>         ip daddr != { 192.168.0.100, 192.168.6.255 } ip daddr @blackhole_ipv4 log
> prefix "Unacceptable blackhole dst: " drop
>         return
>     }
> }

This ruleset works fine here with current nftables snapshot.

And the larger one in the initial release includes a set as a key in a map
definition, which is not supported. This is bailing out with:

    # nft -f /tmp/lala
    /tmp/lala:37:19-19: Error: syntax error, unexpected @, expecting comma or '}'
                        @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src }
                        ^
    /tmp/lala:40:19-19: Error: syntax error, unexpected @, expecting comma or '}'
                        @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst }
                        ^
    root at salvia:/home/pablo/devel/scm/git-kernel/korg/nf# vi /tmp/lala
    root at salvia:/home/pablo/devel/scm/git-kernel/korg/nf# nft -f /tmp/lala
    /tmp/lala:37:19-19: Error: syntax error, unexpected @, expecting comma or '}'
                        @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src }
                        ^
    /tmp/lala:40:19-19: Error: syntax error, unexpected @, expecting comma or '}'
                        @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst }
                        ^

Closing.