bugzilla-daemon at netfilter.org
2019-Mar-24 19:42 UTC
[Bug 1327] New: Cannot use named set for matching IPv4 networks
https://bugzilla.netfilter.org/show_bug.cgi?id=1327

Bug ID: 1327
Summary: Cannot use named set for matching IPv4 networks
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: email at cs-ware.de

I've the following (for this bug report reduced) ruleset in nftables:

    table inet filter {
            set blocklistssh4 {
                    type ipv4_addr
            }

            chain blocklistssh {
            }
    }

Now, issuing "add rule inet filter blocklistssh ip saddr & 255.0.0.0 @blocklistssh4 drop" causes "nft -f file" to segfault.

Issuing this statement in "nft -i" reveals the following message and terminates:

    BUG: invalid binop operation 6nft: evaluate.c:1515: binop_transfer_handle_lhs: Assertion `0' failed.
    Aborted

However, "add rule inet filter blocklistssh ip saddr & 255.0.0.0 { 192.168.178.0, 192.168.179.0 } drop" works.

    # nft -v
    nftables v0.9.0 (Fearless Fosdick)
    # cat /proc/version
    Linux version 4.9.0-8-amd64 (debian-kernel at lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.144-3 (2019-02-02)

--
You are receiving this mail because:
You are watching all bug changes.

bugzilla-daemon at netfilter.org
2019-Mar-24 19:47 UTC
[Bug 1327] Cannot use (empty) named set for matching IPv4 networks
https://bugzilla.netfilter.org/show_bug.cgi?id=1327

Sven Strickroth <email at cs-ware.de> changed:

    What     |Removed                     |Added
    ----------------------------------------------------------------------------
    Summary  |Cannot use named set for    |Cannot use (empty) named
             |matching IPv4 networks      |set for matching IPv4
             |                            |networks

bugzilla-daemon at netfilter.org
2019-Mar-24 19:48 UTC
[Bug 1327] Cannot use (empty) named set for matching IPv4 networks
https://bugzilla.netfilter.org/show_bug.cgi?id=1327

--- Comment #1 from Sven Strickroth <email at cs-ware.de> ---
Short addition: if the named set is not empty it works:

    nft> list ruleset
    table inet filter {
            set blocklistssh4 {
                    type ipv4_addr
                    elements = { 192.168.178.0, 192.168.179.0 }
            }

            chain blocklistssh {
            }
    }
    nft> add rule inet filter blocklistssh ip saddr & 255.0.0.0 @blocklistssh4 drop
    nft> list ruleset
    table inet filter {
            set blocklistssh4 {
                    type ipv4_addr
                    elements = { 192.168.178.0, 192.168.179.0 }
            }

            chain blocklistssh {
                    ip saddr @blocklistssh4/8 drop
            }
    }

bugzilla-daemon at netfilter.org
2019-Mar-26 12:27 UTC
[Bug 1327] Cannot use (empty) named set for matching IPv4 networks
https://bugzilla.netfilter.org/show_bug.cgi?id=1327

Pablo Neira Ayuso <pablo at netfilter.org> changed:

    What        |Removed                     |Added
    ----------------------------------------------------------------------------
    Resolution  |---                         |FIXED
    Status      |NEW                         |RESOLVED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Fixes upstream in git.netfilter.org:

    commit f01940d69e2a4d8e9e151da8d4d39f78d08528cf
    Author: Pablo Neira Ayuso <pablo at netfilter.org>
    Date:   Tue Mar 26 13:09:21 2019 +0100

        evaluate: skip binary transfer for named sets