bugzilla-daemon at netfilter.org
2023-Apr-07 17:27 UTC
[Bug 1671] New: Implicit chains and nesting result in parser_bison.y aborting
https://bugzilla.netfilter.org/show_bug.cgi?id=1671

            Bug ID: 1671
           Summary: Implicit chains and nesting result in parser_bison.y
                    aborting
           Product: nftables
           Version: 0.9.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at allycomm.com

I was pleased to read that v0.9.7 provided support for implicit chains. That
feature provides the ability to enhance readability of rule sets by exposing
the "jump-to" chain's contents at the point of the jump.

Unfortunately, I found that nesting causes a parsing failure that is not
traced back to the "source" of the problem. The error message is

    nft: parser_bison.y:68: open_scope: Assertion `state->scope < array_size(state->scopes) - 1' failed.
    Aborted

While the logic can be written with explicit chains (and potentially a vmap),
being able to "see" the logic in line without jumping around in the file or
to included files would have added to clarity of the ruleset.

May be related to https://bugzilla.netfilter.org/show_bug.cgi?id=1485
although it appears that the referenced patch is already present in v0.9.8 as
supplied by Debian-supplied nftables 0.9.8-3.1+deb11u1

Minimal test case:

    # nft -c -f nested-chain-failure.nft
    nft: parser_bison.y:68: open_scope: Assertion `state->scope < array_size(state->scopes) - 1' failed.
    Aborted
    # nft -c -f without-nest.nft
    # exit
    exit

Expected behavior:

* Nested, implicit chains could be used
* Any errors would be identified in the "source" (rather than process abort)

---

    $ cat nested-chain-failure.nft
    table inet global {
        chain prerouting_pre_nat {
            type filter hook prerouting priority mangle - 1; policy accept
            iifname eth0 jump {
                ip version 4 jump {
                    ip version 4 accept
                }
            }
        }
    }

    $ cat without-nest.nft
    table inet global {
        chain prerouting_pre_nat {
            type filter hook prerouting priority mangle - 1; policy accept
            iifname eth0 jump {
                ip version 4 accept
            }
        }
    }

    # nft --version
    nftables v0.9.8 (E.D.S.)
    # cat /etc/os-release
    PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
    NAME="Debian GNU/Linux"
    VERSION_ID="11"
    VERSION="11 (bullseye)"
    VERSION_CODENAME=bullseye
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"

    $ apt info nftables
    Package: nftables
    Version: 0.9.8-3.1+deb11u1
    Priority: important
    Section: net
    Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team at lists.alioth.debian.org>
    Installed-Size: 182 kB

From `apt source nftables` it appears that the patch referenced in Bug 1485 has
already been applied:

    %type <table> table_block_alloc table_block
    %destructor { close_scope(state); table_free($$); } table_block_alloc
    %type <chain> chain_block_alloc chain_block subchain_block
    %destructor { close_scope(state); chain_free($$); } chain_block_alloc
    %type <rule> rule rule_alloc
    %destructor { rule_free($$); } rule

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2023-Apr-08 18:03 UTC
[Bug 1671] Implicit chains and nesting result in parser_bison.y aborting
https://bugzilla.netfilter.org/show_bug.cgi?id=1671

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Hi,

Recent nft versions provide better error reporting:

    # nft -v
    nftables v1.0.7 (Old Doc Yak)
    # nft -f /tmp/x.nft
    test.nft:7:22-22: Error: too many levels of nesting
       ip version 4 jump {
                         ^

No plans to add support for more than one level of nesting. This feature
should be possible to use only in "leaf" chains in a ruleset (I refer to
"leaf" here assuming you look at the ruleset as a "tree").

If you need more than one nesting level, probably you better look at using
verdict maps, because they use maps in the kernel, which is a more convenient
(from a performance perspective) way to represent this.
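One way to express the reporter's two-level nested logic within the single nesting level nft supports, following the verdict-map suggestion above. This is an added example and not part of the bug thread; the chain names, the eth1 entry and the counter rules are assumed for illustration.

```nft
table inet global {
	# Explicit chains replace the outer implicit chain of the test case.
	# Each is a "leaf" of the ruleset tree, so it may still hold the one
	# level of implicit chain that nft supports.
	chain from_eth0 {
		ip version 4 jump {
			counter accept
		}
	}

	chain from_eth1 {
		ip version 6 jump {
			counter accept
		}
	}

	chain prerouting_pre_nat {
		type filter hook prerouting priority mangle - 1; policy accept
		# The outer dispatch on iifname becomes a single verdict-map
		# lookup in the kernel instead of a nested chain per interface.
		iifname vmap { "eth0" : jump from_eth0, "eth1" : jump from_eth1 }
	}
}
```

Check the file with `nft -c -f` as in the report; on v1.0.7 a deeper nest is reported as "too many levels of nesting" at its source line rather than as an assertion abort.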
bugzilla-daemon at netfilter.org
2023-Apr-10 02:12 UTC
[Bug 1671] Implicit chains and nesting result in parser_bison.y aborting
https://bugzilla.netfilter.org/show_bug.cgi?id=1671

--- Comment #2 from Jeff Kletsky <netfilter at allycomm.com> ---
Thanks for looking at this. The lack of clear messaging was the issue here.

It sounds like there are complexity, testing, and performance concerns with
deeper nesting. If so, I can use explicit tests or vmap as appropriate.

I'll see if I can build and run a more current version on Debian Bullseye and
its 5.10 kernel or something in a VM or the like.
bugzilla-daemon at netfilter.org
2023-Sep-13 12:17 UTC
[Bug 1671] Implicit chains and nesting result in parser_bison.y aborting
https://bugzilla.netfilter.org/show_bug.cgi?id=1671

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED