bugzilla-daemon at netfilter.org
2019-Jul-25 20:09 UTC
[Bug 1358] New: Error when atomically replacing rules with symbolic variables
https://bugzilla.netfilter.org/show_bug.cgi?id=1358

Bug ID: 1358
Summary: Error when atomically replacing rules with symbolic variables
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: blocker
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: gdouezangrard at gmail.com

Created attachment 567
--> https://bugzilla.netfilter.org/attachment.cgi?id=567&action=edit
master compilation log

OS: Arch Linux
Kernel: Linux 5.2.2-arch1-1-ARCH
nftables: v0.9.1

With the following `/etc/nftables.conf` file:

    #!/sbin/nft -f
    define ifs = {lo}
    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
        }
    }
    inet filter input iifname $ifs accept

The atomic rule replacement gives the following error:

    $ nft flush ruleset ';' include '"/etc/nftables.conf"'
    In file included from (null):1:17-51:
    /etc/nftables.conf:13:19-37: Error: Could not process rule: No such file or directory
    inet filter input iifname $ifs accept
                      ^^^^^^^^^^^^^^^^^^^

On the contrary, the following commands work as expected:

    $ nft flush ruleset
    $ nft -f /etc/nftables.conf

Reverting to `nftables v0.9.0` also fixes the issue in the case of atomic replacement.

Through git bisect, the first offending commit found is:
e5382c0 ("src: Support intra-transaction rule references")

Not sure if it is fixed on master or not, I cannot compile it (make error log as attachment).

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2019-Jul-25 20:11 UTC
[Bug 1358] Error when atomically replacing rules with symbolic variables
https://bugzilla.netfilter.org/show_bug.cgi?id=1358

--- Comment #1 from gdouezangrard at gmail.com ---
Created attachment 568
--> https://bugzilla.netfilter.org/attachment.cgi?id=568&action=edit
sample nftables config
bugzilla-daemon at netfilter.org
2019-Oct-07 05:14 UTC
[Bug 1358] Error when atomically replacing rules with symbolic variables
https://bugzilla.netfilter.org/show_bug.cgi?id=1358

Thomas <tad1073 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tad1073 at gmail.com

--- Comment #2 from Thomas <tad1073 at gmail.com> ---
Your rule is outside of the closing brackets.

    "#!/sbin/nft -f
    define ifs = { lo }
    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
        }
    }
    inet filter input iifname $ifs accept"

It should be

    "#!/sbin/nft -f
    define ifs = { lo }
    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            inet filter input iifname $ifs accept
        }
    }
bugzilla-daemon at netfilter.org
2019-Oct-07 09:18 UTC
[Bug 1358] Error when atomically replacing rules with symbolic variables
https://bugzilla.netfilter.org/show_bug.cgi?id=1358

gdouezangrard at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from gdouezangrard at gmail.com ---
1. I don't need to test your example to know that it doesn't work. The fixed version is the following (I removed the "inet filter input" prefix):

    #!/sbin/nft -f
    define ifs = { lo }
    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            iifname $ifs accept
        }
    }

2. It is perfectly allowed to "put rules outside of the brackets". It is especially useful when rules are generated automatically and imported in the main configuration file that defines the tables / chains. It's just a different syntax for the same thing. Moreover, I already explained in the main report that it worked properly before, and it worked successfully with nftables v0.9.1 *except* when doing atomic rule replacement.

3. Finally, the issue was solved with the release of nftables v0.9.2.
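As an added example that is not from the bug report or the nftables project: a small POSIX shell script that builds the corrected ruleset from comment #3 with `flush ruleset` as its first statement, so that `nft -f` flushes and reloads in one transaction (the same atomic replacement the report drives with `nft flush ruleset ';' include ...`), and runs the file through `nft -c -f` (check mode, nothing is loaded) before applying it. If the check or the load fails, the previously active ruleset stays in place, which is the property that makes atomic replacement worth using on a firewall host. The interface list, temp-file handling and helper names are constructed for this demo; the `nft -c` flag and the flush-in-file pattern are standard nftables usage.

```shell
#!/bin/sh
# Added example, not code from the bug thread: build an nftables ruleset file
# that replaces the running ruleset in a single transaction, validate it in
# check mode, and only then apply it. Values below are constructed for the demo.
set -eu

# Constructed sample: interfaces the input chain should accept traffic from.
TRUSTED_IFS="lo"

# Write a self-contained ruleset. 'flush ruleset' as the first statement makes
# 'nft -f' flush and reload everything in one transaction: a parse or load
# error leaves the old ruleset active instead of a half-applied or empty one.
build_ruleset() {
    out="$1"
    cat > "$out" <<EOF
#!/sbin/nft -f
flush ruleset
define ifs = { $TRUSTED_IFS }
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname \$ifs accept
    }
}
EOF
}

# Return 0 if the first statement of the file (ignoring comments and blank
# lines) is 'flush ruleset', i.e. applying it with 'nft -f' is a full replace.
starts_with_flush() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1)
    [ "$first" = "flush ruleset" ]
}

# Fixed-string search used by the checks below: does the file contain $2?
has_line() {
    grep -qF -- "$2" "$1"
}

# Dry-run the file with 'nft -c' and apply it only if the check passes.
# Returns 2 if nft is not installed, 1 if the ruleset is rejected.
apply_ruleset() {
    file="$1"
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    nft -c -f "$file" || { echo "ruleset rejected; old rules stay active" >&2; return 1; }
    nft -f "$file"
}

# Usage (as root on a host with nft):
#   build_ruleset /etc/nftables.conf && apply_ruleset /etc/nftables.conf
```

`apply_ruleset` deliberately separates the check from the load: `nft -c -f` catches syntax and symbol errors such as the one in the report without touching the kernel, and because the file begins with `flush ruleset`, the subsequent `nft -f` either installs the whole new ruleset or nothing.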