bugzilla-daemon at netfilter.org
2017-Oct-06 14:58 UTC
[Bug 1188] New: nft fails to parse own output; unable to save-restore active state
https://bugzilla.netfilter.org/show_bug.cgi?id=1188

            Bug ID: 1188
           Summary: nft fails to parse own output; unable to save-restore active state
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at allycomm.com

At least as the man page describes, the output of

    # nft list ruleset > ruleset.prod

should be parseable by

    # nft -f ruleset.prod

and provide restoration of the state at the time.

    "Note that contrary to what one might assume, the output generated by
    export is not parseable by nft -f. Instead, the output of list command
    serves well for that purpose."

nft, however, failed to parse its own output in the following case:

    $ sudo sh -c 'nft list ruleset > ruleset.prod '
    $ sudo nft -f ruleset.prod
    ruleset.prod:47:38-46: Error: syntax error, unexpected string, expecting comma or '}'
                         ::ffff:0.0.0.0/96,
                         ^^^^^^^^^
    ruleset.prod:48:30-35: Error: syntax error, unexpected string
                         2001::/32,
                         ^^^^^^
    ruleset.prod:49:30-38: Error: syntax error, unexpected string
                         2001:10::/28,
                         ^^^^^^^^^
    ruleset.prod:50:30-39: Error: syntax error, unexpected string
                         2001:db8::/32,
                         ^^^^^^^^^^
    ruleset.prod:51:30-35: Error: syntax error, unexpected string
                         2002::/16,
                         ^^^^^^
    ruleset.prod:52:30-35: Error: syntax error, unexpected string
                         3ffe::/16,
                         ^^^^^^
    ruleset.prod:53:30-35: Error: syntax error, unexpected string
                         5f00::/8,
                         ^^^^^^
    ruleset.prod:54:30-35: Error: syntax error, unexpected string
                         fc00::/7,
                         ^^^^^^
    ruleset.prod:55:30-35: Error: syntax error, unexpected string
                         fe80::/10 }
                         ^^^^^^

--- ruleset.prod excerpt ---

    43         set blackhole_ipv6 {
    44                 type ipv6_addr
    45                 flags interval
    46                 elements = { ::/127,
    47                              ::ffff:0.0.0.0/96,
    48                              2001::/32,
    49                              2001:10::/28,
    50                              2001:db8::/32,
    51                              2002::/16,
    52                              3ffe::/16,
    53                              5f00::/8,
    54                              fc00::/7,
    55                              fe80::/10 }
    56         }

Ubuntu 17.04
4.10.0-35-generic #39-Ubuntu SMP Wed Sep 13 07:46:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

commit b873a1731d2481851c57eab3dcf3e719e9d45b50
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Mon Oct 2 18:20:17 2017 +0200

libmnl$ git log -1
commit fbe0f33b45abd585eb9f52cb56d751a750667dc6
Author: Guillaume Nault <g.nault at alphalink.fr>
Date:   Wed Aug 3 12:52:34 2016 +0200

libnftnl$ git log -1
commit 72386012200a96f9bb721ab4ddb5a9325c68c5f7
Author: Varsha Rao <rvarsha016 at gmail.com>
Date:   Wed Sep 20 21:53:09 2017 +0530

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Oct-06 16:58 UTC
[Bug 1188] nft fails to parse own output; unable to save-restore active state
https://bugzilla.netfilter.org/show_bug.cgi?id=1188

--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---

Created attachment 508
  --> https://bugzilla.netfilter.org/attachment.cgi?id=508&action=edit
tar containing files to reproduce

To Reproduce
============

* Create a working directory and cd into it
* Unpack attached tar file; to-reproduce.txz (flat files, no subdirectory)

    $ sudo nft -f nftables.conf                      # ruleset loads
    $ sudo sh -c 'nft list ruleset > ruleset.out'    # Can confirm contents of ruleset
    $ sudo nft -f ruleset.out
    ruleset.out:6:38-46: Error: syntax error, unexpected string, expecting comma or '}'
                         ::ffff:0.0.0.0/96,
                         ^^^^^^^^^
    ruleset.out:7:30-35: Error: syntax error, unexpected string
                         2001::/32,
                         ^^^^^^
    ruleset.out:8:30-38: Error: syntax error, unexpected string
                         2001:10::/28,
                         ^^^^^^^^^
    ruleset.out:9:30-39: Error: syntax error, unexpected string
                         2001:db8::/32,
                         ^^^^^^^^^^
    ruleset.out:10:30-35: Error: syntax error, unexpected string
                         2002::/16,
                         ^^^^^^
    ruleset.out:11:30-35: Error: syntax error, unexpected string
                         3ffe::/16,
                         ^^^^^^
    ruleset.out:12:30-35: Error: syntax error, unexpected string
                         5f00::/8,
                         ^^^^^^
    ruleset.out:13:30-35: Error: syntax error, unexpected string
                         fc00::/8 }
                         ^^^^^^
bugzilla-daemon at netfilter.org
2017-Oct-06 17:01 UTC
[Bug 1188] nft fails to parse own output; unable to save-restore active state
https://bugzilla.netfilter.org/show_bug.cgi?id=1188

--- Comment #2 from Jeff Kletsky <netfilter at allycomm.com> ---

Above file created on a "fresh" VM running

Ubuntu 17.04
4.10.0-35-generic #39-Ubuntu SMP Wed Sep 13 07:46:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

libmnl$ git log -1
commit fbe0f33b45abd585eb9f52cb56d751a750667dc6
Author: Guillaume Nault <g.nault at alphalink.fr>
Date:   Wed Aug 3 12:52:34 2016 +0200

libnftnl$ git log -1
commit 39fdce1dd8cd5e614da7668cacc9584c88e33e36
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed Oct 4 15:22:00 2017 +0200

nftables$ git log -1
commit 22d2010109193e6ee201d7cd4e8aaf5cda4539a0
Author: Anders K. Pedersen <akp at cohaesio.com>
Date:   Wed Oct 4 14:27:45 2017 +0000
bugzilla-daemon at netfilter.org
2017-Oct-06 17:10 UTC
[Bug 1188] nft fails to parse own output; unable to save-restore active state
https://bugzilla.netfilter.org/show_bug.cgi?id=1188

--- Comment #3 from Jeff Kletsky <netfilter at allycomm.com> ---

Adding 'flush ruleset' to the beginning of "ruleset.out" does not resolve the issue.

    $ cat ruleset.out.flush-first
    flush ruleset
    table inet global {
            set blackhole_ipv6 {
                    type ipv6_addr
                    flags interval
                    elements = { ::/96,
                                 ::ffff:0.0.0.0/96,
                                 2001::/32,
                                 2001:10::/28,
                                 2001:db8::/32,
                                 2002::/16,
                                 3ffe::/16,
                                 5f00::/8,
                                 fc00::/8 }
            }
    }

    $ sudo nft -f ruleset.out.flush-first
    ruleset.out.flush-first:7:38-46: Error: syntax error, unexpected string, expecting comma or '}'
                                 ::ffff:0.0.0.0/96,
                                 ^^^^^^^^^
    ruleset.out.flush-first:8:30-35: Error: syntax error, unexpected string
                                 2001::/32,
                                 ^^^^^^
    ruleset.out.flush-first:9:30-38: Error: syntax error, unexpected string
                                 2001:10::/28,
                                 ^^^^^^^^^
    ruleset.out.flush-first:10:30-39: Error: syntax error, unexpected string
                                 2001:db8::/32,
                                 ^^^^^^^^^^
    ruleset.out.flush-first:11:30-35: Error: syntax error, unexpected string
                                 2002::/16,
                                 ^^^^^^
    ruleset.out.flush-first:12:30-35: Error: syntax error, unexpected string
                                 3ffe::/16,
                                 ^^^^^^
    ruleset.out.flush-first:13:30-35: Error: syntax error, unexpected string
                                 5f00::/8,
                                 ^^^^^^
    ruleset.out.flush-first:14:30-35: Error: syntax error, unexpected string
                                 fc00::/8 }
                                 ^^^^^^
bugzilla-daemon at netfilter.org
2017-Oct-09 11:06 UTC
[Bug 1188] nft fails to parse own output; unable to save-restore active state
https://bugzilla.netfilter.org/show_bug.cgi?id=1188

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Created attachment 510
  --> https://bugzilla.netfilter.org/attachment.cgi?id=510&action=edit
IPv4-Mapped IPv6 addresses support

Attaching patch to fix this. Anything else? :-)
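Comment #4 names the cause: the listing wrote the first failing element, ::ffff:0.0.0.0/96, in the mixed dotted-quad notation for an IPv4-mapped IPv6 address, and the parser of that nft build did not accept it, which is why every element after it also failed. The script below is an added example, not code from the bug report or from nftables. It scans a saved `nft list ruleset` dump for set elements written that way and offers the equivalent pure-hexadecimal spelling (::ffff:0:0/96 denotes exactly the same prefix), so an operator can check a dump before relying on it for restore. The sample ruleset is constructed from the excerpt in the report; that an unpatched nft accepts the pure-hex spelling is an assumption the thread's other, accepted elements suggest but do not state.

```python
"""Flag IPv4-mapped IPv6 set elements written in mixed notation in an nft dump.

Added example for the nftables bug #1188 thread; not code from the report or
from nftables.  Assumes the pure-hex spelling (::ffff:0:0/96) is accepted by
the nft build that rejected the dotted form.
"""
import ipaddress
import re

# Constructed sample modelled on the ruleset.prod excerpt in the bug report.
SAMPLE_RULESET = """\
table inet global {
	set blackhole_ipv6 {
		type ipv6_addr
		flags interval
		elements = { ::/127,
			     ::ffff:0.0.0.0/96,
			     2001::/32,
			     2001:10::/28,
			     fe80::/10 }
	}
}
"""

# Body of every 'elements = { ... }' block; set element lists contain no nested braces.
ELEMENTS_RE = re.compile(r"elements\s*=\s*\{([^}]*)\}")


def set_elements(ruleset_text):
    """Return the element strings from all 'elements = { ... }' blocks, in order."""
    elems = []
    for m in ELEMENTS_RE.finditer(ruleset_text):
        elems.extend(tok.strip() for tok in m.group(1).split(",") if tok.strip())
    return elems


def pure_hex_form(net):
    """Spell an IPv4-mapped IPv6 network with hexadecimal groups only.

    The low 32 bits hold the embedded IPv4 address; written as two 16-bit
    hex groups they denote exactly the same prefix as the dotted quad.
    """
    packed = net.network_address.packed
    hi = int.from_bytes(packed[12:14], "big")
    lo = int.from_bytes(packed[14:16], "big")
    return f"::ffff:{hi:x}:{lo:x}/{net.prefixlen}"


def find_mapped_mixed_notation(ruleset_text):
    """Return (as_written, pure_hex) pairs for IPv4-mapped elements that use a dotted quad."""
    findings = []
    for elem in set_elements(ruleset_text):
        try:
            net = ipaddress.ip_network(elem, strict=False)
        except ValueError:
            continue  # ranges, service names or integers: not an address literal
        if (net.version == 6 and "." in elem
                and net.network_address.ipv4_mapped is not None):
            findings.append((elem, pure_hex_form(net)))
    return findings


def rewrite_mapped_elements(ruleset_text):
    """Return the dump with every flagged element replaced by its pure-hex spelling."""
    for as_written, hex_form in find_mapped_mixed_notation(ruleset_text):
        ruleset_text = ruleset_text.replace(as_written, hex_form)
    return ruleset_text


if __name__ == "__main__":
    for as_written, hex_form in find_mapped_mixed_notation(SAMPLE_RULESET):
        print(f"{as_written:>24}  ->  {hex_form}")
```

Run against a real dump (`nft list ruleset > ruleset.out`, then pass the file's contents to `find_mapped_mixed_notation`), an empty result means no element depends on the notation this bug concerned; `rewrite_mapped_elements` produces the hex-only variant to feed to `nft -f`. The check is deliberately limited to IPv4-mapped addresses, the case Comment #4's patch covers; other embedded-IPv4 spellings are left alone rather than guessed at.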
bugzilla-daemon at netfilter.org
2017-Oct-09 11:13 UTC
[Bug 1188] nft fails to parse own output; unable to save-restore active state
https://bugzilla.netfilter.org/show_bug.cgi?id=1188

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
bugzilla-daemon at netfilter.org
2017-Oct-09 12:27 UTC
[Bug 1188] nft fails to parse own output; unable to save-restore active state
https://bugzilla.netfilter.org/show_bug.cgi?id=1188

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---

http://git.netfilter.org/nftables/commit/?id=fd513de78bc0133f6ba61087be168e2a8d067107