bugzilla-daemon at netfilter.org
2020-Dec-28 10:13 UTC
[Bug 1487] New: iptables-nft broken if building with asserts disabled
https://bugzilla.netfilter.org/show_bug.cgi?id=1487

    Bug ID: 1487
    Summary: iptables-nft broken if building with asserts disabled
    Product: iptables
    Version: unspecified
    Hardware: All
    OS: All
    Status: NEW
    Severity: normal
    Priority: P5
    Component: iptables
    Assignee: netfilter-buglog at lists.netfilter.org
    Reporter: jpalus+netfilter at fastmail.com

Created attachment 621
  --> https://bugzilla.netfilter.org/attachment.cgi?id=621&action=edit
fix iptables-nft without asserts

iptables built with asserts disabled (-DNDEBUG in CFLAGS) results in broken iptables-nft which does not actually save anything (chains not created automatically, rules not added etc). The reason for such behavior is that nft code includes processing logic within an assert even though it is meant to only validate invariants and should be safe to disable.

Specifically, the following assert breaks persisting of rules/chains:

    static void mnl_nft_batch_continue(struct nftnl_batch *batch)
    {
        assert(nftnl_batch_update(batch) >= 0);
    }

Attached patch with a fix.
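The failure mode described in the report, as an added example that is not part of the original bug report or the attached patch: a call placed inside assert() disappears when NDEBUG is defined, while the same call made unconditionally still runs. `fake_batch` and `fake_batch_update` are hypothetical stand-ins for `struct nftnl_batch` and `nftnl_batch_update`, and the "fixed" function shows one common way to restructure such code, not necessarily what attachment 621 does.

```c
#include <stdio.h>

/* Hypothetical stand-in for struct nftnl_batch: counts committed pages. */
struct fake_batch { int pages; };

/* Hypothetical stand-in for nftnl_batch_update(): it has a side effect. */
static int fake_batch_update(struct fake_batch *b)
{
    b->pages++;
    return 0;
}

/* Compile the next two functions the way a -DNDEBUG build sees them.
 * <assert.h> redefines assert() on every inclusion according to NDEBUG. */
#define NDEBUG
#include <assert.h>   /* assert(x) now expands to ((void)0) */

/* Pattern from the report: the only call to the update sits inside assert(). */
static void batch_continue_buggy(struct fake_batch *b)
{
    (void)b; /* b is otherwise unused once assert() is compiled out */
    assert(fake_batch_update(b) >= 0);
}

/* Restructured: always perform the call, report failure to the caller. */
static int batch_continue_fixed(struct fake_batch *b)
{
    int ret = fake_batch_update(b);
    return ret < 0 ? -1 : 0;
}

#undef NDEBUG
#include <assert.h>   /* restore checking asserts for the rest of the file */

static int pages_after_buggy(void)
{
    struct fake_batch b = { 0 };
    batch_continue_buggy(&b);
    return b.pages;
}

static int pages_after_fixed(void)
{
    struct fake_batch b = { 0 };
    return batch_continue_fixed(&b) == 0 ? b.pages : -1;
}

int main(void)
{
    printf("buggy: %d page(s), fixed: %d page(s)\n",
           pages_after_buggy(), pages_after_fixed());
    return 0;
}
```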