bugzilla-daemon at netfilter.org
2020-Aug-28 07:03 UTC
[Bug 1456] New: Consider eliding empty variables if expanded within an element list
https://bugzilla.netfilter.org/show_bug.cgi?id=1456
Bug ID: 1456
Summary: Consider eliding empty variables if expanded within an element list
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: kfm at plushkava.net
This concerns a minor usability issue that I noticed after evaluating some of
the criticism in the GitHub issue referenced by bug 1434. In the GitHub issue,
one critic complains that this sample ruleset does not work as expected:

define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS,
                   $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
    }
}

Currently, this is not permitted by nft's parser. My first thought was that the
intended outcome could be achieved by instead declaring:

define EXTRA_ALLOWED_INCOMING_TCP_PORTS = ""

However, doing so causes the value to be coerced to 0, resulting in:

tcp dport { 0, 22, 80, 443 } ct state new counter packets 0 bytes 0 accept

Notwithstanding that this isn't a particularly idiomatic way of writing an nft
ruleset, it seems plausible that other new users might try using internal
variables in this way. Perhaps it would be worth supporting.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200828/e9a11447/attachment.html>
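The report above describes two ways an "empty" variable can go wrong in an element list: `define X = {}` is rejected by the parser of the nft version the reporter used, and the `define X = ""` workaround is coerced to the element `0`, so the accept rule silently gains port 0. The following is an added example (not code from the bug report or from the nftables project): a small pre-deployment lint that scans a ruleset file for both patterns before it is loaded. The regular expressions, the `SAMPLE_RULESET` text and the assumption that `define` values fit on one line are all constructed for this example.

```python
import re

# Constructed sample: the ruleset from the bug report, with the workaround the
# reporter tried (define EXTRA... = "") in place of the rejected `= {}`.
SAMPLE_RULESET = """\
define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
define EXTRA_ALLOWED_INCOMING_TCP_PORTS = ""
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS,
                   $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
    }
}
"""

# One `define NAME = value` per line (assumption: multi-line values are not handled).
DEFINE_RE = re.compile(r'^\s*define\s+(\w+)\s*=\s*(.*?)\s*$', re.MULTILINE)
# Innermost brace-delimited groups, e.g. `{22, 80, 443}` or `{$A, $B}`.
LIST_RE = re.compile(r'\{([^{}]*)\}', re.DOTALL)
# `$NAME` variable references.
VAR_RE = re.compile(r'\$(\w+)')

EMPTY_STRING_VALUES = ('""', "''")


def parse_defines(text):
    """Map every `define NAME = value` line to its raw (unparsed) value."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}


def element_lists(text):
    """Yield the bodies of innermost `{...}` groups that look like element
    lists (no nested braces, no `;`-terminated statements), with whitespace
    normalised so multi-line lists compare cleanly."""
    for m in LIST_RE.finditer(text):
        body = m.group(1)
        if ';' in body:  # a chain or table body, not a set/element list
            continue
        yield ' '.join(body.split())


def find_empty_string_in_lists(text):
    """Return sorted (variable, list_body) pairs where a variable defined as ""
    is expanded inside an element list. Per the report, the nft in question
    coerces that expansion to the element 0 rather than eliding it."""
    defines = parse_defines(text)
    empties = {n for n, v in defines.items() if v in EMPTY_STRING_VALUES}
    hits = set()
    for body in element_lists(text):
        for var in VAR_RE.findall(body):
            if var in empties:
                hits.add((var, body))
    return sorted(hits)


def find_empty_set_defines(text):
    """Names defined as `{}`. The report's nft rejects this; the commit cited
    in the thread ('src: Allow for empty set variable definition') adds support."""
    return sorted(n for n, v in parse_defines(text).items() if v == '{}')


def lint(text):
    """Human-readable findings for one ruleset text."""
    msgs = []
    for var, body in find_empty_string_in_lists(text):
        msgs.append(f'WARNING: ${var} is defined as "" and expanded in {{{body}}}: '
                    f'nft coerces it to the element 0 instead of eliding it')
    for var in find_empty_set_defines(text):
        msgs.append(f'NOTE: ${var} = {{}} requires an nft with empty set variable support')
    return msgs


if __name__ == "__main__":
    for line in lint(SAMPLE_RULESET) or ["no findings"]:
        print(line)
```

Run it over a ruleset file (`lint(open("ruleset.nft").read())`) before `nft -f`; a WARNING means the loaded rule would contain an element `0` that the author did not intend, which is also worth confirming by reading the rule back with `nft list ruleset` after loading.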
bugzilla-daemon at netfilter.org
2020-Aug-28 07:03 UTC
[Bug 1456] Consider eliding empty variables if expanded within an element list
https://bugzilla.netfilter.org/show_bug.cgi?id=1456
kfm at plushkava.net changed:
What        | Removed | Added
------------|---------|-----------------------------------------------
See Also    |         | https://bugzilla.netfilter.org/show_bug.cgi?id=1434
bugzilla-daemon at netfilter.org
2020-Aug-28 10:50 UTC
[Bug 1456] Consider eliding empty variables if expanded within an element list
https://bugzilla.netfilter.org/show_bug.cgi?id=1456
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What        | Removed | Added
------------|---------|---------
Status      | NEW     | ASSIGNED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to kfm from comment #0)
> This concerns a minor usability issue that I noticed after evaluating some
> of the criticism in the GitHub issue referenced by bug 1434. In the GitHub
> issue, one critic complains that this sample ruleset does not work as
> expected:
>
> define BASE_ALLOWED_INCOMING_TCP_PORTS = {22, 80, 443}
> define EXTRA_ALLOWED_INCOMING_TCP_PORTS = {}
> table inet filter {
>     chain input {
>         type filter hook input priority 0; policy drop;
>         tcp dport {$BASE_ALLOWED_INCOMING_TCP_PORTS,
>                    $EXTRA_ALLOWED_INCOMING_TCP_PORTS} ct state new counter accept
>     }
> }
I think I fixed this in git, please see:
commit 9297f5b5301b76bb24513b114f905e6fac0a90cd
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date: Fri Jul 3 13:24:59 2020 +0200
src: Allow for empty set variable definition
Next version will allow for this kind of empty definition.
bugzilla-daemon at netfilter.org
2020-Aug-28 15:48 UTC
[Bug 1456] Consider eliding empty variables if expanded within an element list
https://bugzilla.netfilter.org/show_bug.cgi?id=1456
--- Comment #2 from kfm at plushkava.net ---
Thanks. I tested the patch and it appears to work perfectly for a value of {}.
bugzilla-daemon at netfilter.org
2020-Aug-28 18:14 UTC
[Bug 1456] Consider eliding empty variables if expanded within an element list
https://bugzilla.netfilter.org/show_bug.cgi?id=1456
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What        | Removed  | Added
------------|----------|---------
Status      | ASSIGNED | RESOLVED
Resolution  | ---      | FIXED
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Thanks for confirming, closing this ticket.