nftables jump <chain> target invalid argument

nftables jump <chain> target invalid argument

[Alex Chapman]

Hi,

When attempting to use the jump target to forward traffic to a newly created chain I get the following error:

[root@home nftables]# nft add rule filter forward ip daddr 9.9.9.9 jump new
<cmdline>:1:1-49: Error: Could not process rule in batch: Invalid argument
add rule filter forward ip daddr 9.9.9.9 jump new
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


[root@home nftables]# nft list table filter
table ip filter {
        chain input {
                 type filter hook input priority 0;
        }

        chain forward {
                 type filter hook forward priority 0;
        }

        chain output {
                 type filter hook output priority 0;
        }

        chain new {
        }
}


Is this the correct use of the command? 

Thanks! 		 	   		  

Re: nftables jump <chain> target invalid argument

[Eric Leblond]

Hello,

On Thu, 2013-11-14 at 16:53 +0000, Alex Chapman wrote:
> Hi,
> 
> When attempting to use the jump target to forward traffic to a newly created chain I get the following error:
> 
> [root@home nftables]# nft add rule filter forward ip daddr 9.9.9.9 jump new
> <cmdline>:1:1-49: Error: Could not process rule in batch: Invalid argument
> add rule filter forward ip daddr 9.9.9.9 jump new
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Looks like an issue. I'm investigating into it.

BR,
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/

[nftables PATCh 0/3] Fix jump operation

[Eric Leblond]

Hello,

The jump operation was not correctly working in nftables. This
small patchset fixes the issue.

BR,
--
Eric

[nftables PATCH 1/3] expression: fix indent

[Eric Leblond]

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/expression.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/expression.c b/src/expression.c
index 8cf3f62..71154cc 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -156,7 +156,7 @@ static void verdict_expr_clone(struct expr *new, const struct expr *expr)
 
 static void verdict_expr_destroy(struct expr *expr)
 {
-        xfree(expr->chain);
+	xfree(expr->chain);
 }
 
 static const struct expr_ops verdict_expr_ops = {
-- 
1.8.4.3

[nftables PATCH 2/3] jump: fix logic in netlink linearize.

[Eric Leblond]

Logic in the test was inverted. The result was the jump string
not to be set.

Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk>
Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/netlink_linearize.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index da8be20..e64e92a 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -440,7 +440,8 @@ static void netlink_gen_immediate(struct netlink_linearize_ctx *ctx,
 		nft_rule_expr_set(nle, NFT_EXPR_IMM_DATA, nld.value, nld.len);
 		break;
 	case EXPR_VERDICT:
-		if (nft_rule_expr_is_set(nle, NFT_EXPR_IMM_CHAIN)) {
+		if ((expr->chain != NULL) &&
+		    !nft_rule_expr_is_set(nle, NFT_EXPR_IMM_CHAIN)) {
 			nft_rule_expr_set_str(nle, NFT_EXPR_IMM_CHAIN,
 					      nld.chain);
 		}
-- 
1.8.4.3

[nftables PATCH 3/3] verdict: fix delinearize in case of jump

[Eric Leblond]

The name of the chain was not handled in case of a jump or a goto.
This patch adds parsing of the chain.

Reported-by: Alex Chapman <ajchapman88@hotmail.co.uk>
Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/netlink_delinearize.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 3bb143b..7e4e38c 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -81,9 +81,13 @@ static void netlink_parse_immediate(struct netlink_parse_ctx *ctx,
 	struct stmt *stmt;
 	struct expr *expr;
 
-	if (nft_rule_expr_is_set(nle, NFT_EXPR_IMM_VERDICT))
+	if (nft_rule_expr_is_set(nle, NFT_EXPR_IMM_VERDICT)) {
 		nld.verdict = nft_rule_expr_get_u32(nle, NFT_EXPR_IMM_VERDICT); 
-	else if (nft_rule_expr_is_set(nle, NFT_EXPR_IMM_DATA)) {
+		if  (nft_rule_expr_is_set(nle, NFT_EXPR_IMM_CHAIN)) {
+			nld.chain = nft_rule_expr_get(nle, NFT_EXPR_IMM_CHAIN,
+						      &nld.len);
+		}
+	} else if (nft_rule_expr_is_set(nle, NFT_EXPR_IMM_DATA)) {
 		nld.value = nft_rule_expr_get(nle, NFT_EXPR_IMM_DATA, &nld.len);
 	}
 
-- 
1.8.4.3

Re: [nftables PATCh 0/3] Fix jump operation

[Pablo Neira Ayuso]

On Mon, Nov 18, 2013 at 12:54:42AM +0100, Eric Leblond wrote:
> 
> Hello,
> 
> The jump operation was not correctly working in nftables. This
> small patchset fixes the issue.

Seried applied, thanks a lot Eric!