netfilter buglog - Sep 2020 - [Bug 1463] New: nft --json table list ruleset crashes

https://bugzilla.netfilter.org/show_bug.cgi?id=1463

            Bug ID: 1463
           Summary: nft --json table list ruleset crashes
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: abrian at netapp.com

# nft --json list ruleset
warning: stmt ops xt have no json callback
nft: json.c:169: stmt_print_json: Assertion `__out' failed.
Aborted (core dumped)

# nft --version
nftables v0.9.0 (Fearless Fosdick)

# uname -a
Linux host-deb10-build 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2 (2019-08-28)
x86_64 GNU/Linux

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200909/2241a899/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1463

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
it looks like you have loaded a ruleset via iptables-nft, then list it via nft
-j list ruleset. There is just a stub for the xtables extension at this moment.

Is this something you have a usecase for?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200909/5c9eabb5/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1463

abrian at netapp.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|nft --json table list       |nft --json list ruleset
                   |ruleset crashes             |crashes

--- Comment #2 from abrian at netapp.com ---
We have some legacy code that sets up some rules using iptables that would not
be trivial to change to use nft.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200909/e146e6d8/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1463

--- Comment #3 from abrian at netapp.com ---
Here is the resulting ip filter tables that crashes:

# nft list table ip filter
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
                meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp
dport
{ 8082,8083,8084,8085} # #conn src/0 > 20000 counter packets 0 bytes 0 reject
with tcp reset
                meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp
dport
{ 18082,18083,18084,18085} # #conn src/0 > 10000 counter packets 0 bytes 0
reject with tcp reset
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}

# nft --json list table ip filter
warning: stmt ops xt have no json callback
nft: json.c:169: stmt_print_json: Assertion `__out' failed.
Aborted (core dumped)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200909/b09205a3/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1463

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Could you post your iptables-nft input file?

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200909/9cee0212/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1463

--- Comment #5 from abrian at netapp.com ---
We do the configuration programmatically, some based on user provided
configuration.  Here are the commands that set up the rules in the example I
provided above:

iptables -A INPUT -p tcp --syn -m multiport --dports 8082,8083,8084,8085 -m
connlimit --connlimit-above 20000 --connlimit-mask 0 -j REJECT --reject-with
tcp-reset
iptables -A INPUT -p tcp --syn -m multiport --dports 18082,18083,18084,18085 -m
connlimit --connlimit-above 10000 --connlimit-mask 0 -j REJECT --reject-with
tcp-reset

ip6tables -A INPUT -p tcp --syn -m multiport --dports 8082,8083,8084,8085 -m
connlimit --connlimit-above 20000 --connlimit-mask 0 -j REJECT --reject-with
tcp-reset
ip6tables -A INPUT -p tcp --syn -m multiport --dports 18082,18083,18084,18085
-m connlimit --connlimit-above 10000 --connlimit-mask 0 -j REJECT --reject-with
tcp-reset

Here are examples of the type of commands we use based on the user's
configuration:

iptables -t nat -A OUTPUT -o $IFACE -p $PROTO --dport $D_PORT -j DNAT
--to-destination :$S_PORT

iptables -t nat -A PREROUTING -i $IFACE -p $PROTO --dport $S_PORT -j REDIRECT
--to-port $D_PORT

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200909/d1ddacf0/attachment-0001.html>