bugzilla-daemon at netfilter.org
2020-Aug-19 10:22 UTC
[Bug 1450] New: Using certain simple set combinations with TCP flags causes error in mergesort.c from nft list ruleset
https://bugzilla.netfilter.org/show_bug.cgi?id=1450

Bug ID: 1450
Summary: Using certain simple set combinations with TCP flags causes error in mergesort.c from nft list ruleset
Product: nftables
Version: unspecified
Hardware: arm
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: phillc at gmail.com

When setting up some TCP flag rules I attempted to combine multiple flag combinations into one rule with a simple set.

The following works perfectly

    tcp flags == {syn, syn|ack} accept
    tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin} accept
    tcp flags & (fin|syn|rst|psh|ack|urg) == psh|ack|fin accept

It can be applied with nft -f and displays with "nft list ruleset"

However, when trying to do this:

    tcp flags == {syn, syn|ack} accept
    tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack} accept

nft -f applies without any error, but running "nft list ruleset" returns:

    BUG: Unknown expression binop
    nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
    Aborted (core dumped)

OS: Ubuntu 20.04
Kernel: Ubuntu 5.4.0-1015.15-raspi 5.4.44
nftables/focal,now 0.9.3-2 arm64

bugzilla-daemon at netfilter.org
2020-Aug-19 23:17 UTC
[Bug 1450] Using certain simple set combinations with TCP flags causes error in mergesort.c from nft list ruleset
https://bugzilla.netfilter.org/show_bug.cgi?id=1450

Pablo Neira Ayuso <pablo at netfilter.org> changed:

    What    |Removed    |Added
    ----------------------------------------
    Status  |NEW        |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Patch has been posted, thanks for reporting.

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200819230733.439-1-pablo at netfilter.org/

bugzilla-daemon at netfilter.org
2020-Aug-21 17:48 UTC
[Bug 1450] Using certain simple set combinations with TCP flags causes error in mergesort.c from nft list ruleset
https://bugzilla.netfilter.org/show_bug.cgi?id=1450

Pablo Neira Ayuso <pablo at netfilter.org> changed:

    What        |Removed    |Added
    ----------------------------------------
    Resolution  |---        |FIXED
    Status      |ASSIGNED   |RESOLVED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Upstream commit:

http://git.netfilter.org/nftables/commit/?id=3926a3369bb5ada5c0706dadcbcf938517822a35

Closing. Thanks for reporting.