* Re: BUG: nft cannot "list ruleset" with interval maps
2017-02-08 17:28 ` Pablo Neira Ayuso
@ 2017-02-08 23:51 ` Robert White
2017-02-09 0:11 ` Robert White
2017-02-09 0:24 ` (whoops) " Robert White
2 siblings, 0 replies; 6+ messages in thread
From: Robert White @ 2017-02-08 23:51 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 02/08/17 17:28, Pablo Neira Ayuso wrote:
> On Wed, Feb 08, 2017 at 05:00:18PM +0000, Robert White wrote:
>> (please forgive stupid email word wrap)
>>
>> # nft table ip nat
>> # nft map nat dnat_example { type inet_service: ipv4_addr\; flags interval
>> \; }
>> # nft element nat dnat_example { 3476-3480 : 192.168.14.12 }
>> # nft list ruleset
>> table ip nat {
>> map dnat_example {
>> type inet_service : ipv4_addr
>> flags interval
>> nft: mini-gmp.c:4311: mpz_export: Assertion `size > 0 || u->_mp_size == 0'
>> failed.
>> elements = { 3476-Aborted
>>
>> So the entry seems to have gotten in alright but it can't come back out
>> normally. I can tell because a "export json" works
>>
>> # nft export json
>> {"nftables":[{"table":{"name":"nat","family":"ip","flags":0,"use":1}},{"set":{"name":"dnat_example","table":"nat","flags":12,"family":"ip","key_type":13,"key_len":2,"data_type":7,"data_len":4,"set_elem":[{"flags":1,"key":{"reg":{"type":"value","len":2,"data0":"0x0000990d"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x0000940d"}},"data":{"reg":{"type":"value","len":4,"data0":"0x0c0ea8c0"}}},{"flags":1,"key":{"reg":{"type":"value","len":2,"data0":"0x00000000"}}}]}}]}
>>
>>
>> NOTE: interval sets work fine:
>>
>> # nft list ruleset
>> table ip nat {
>> set portrange {
>> type inet_service
>> flags interval
>> elements = { 3776-3780}
>> }
>> }
>
> What nft version are you using? This works fine with nft git
> snapshots. Please, give it a try and confirm.
>
> Thanks.
>
Oh, forgot version info. Duh.
# nft --version
nftables v0.7 (Scrooge McDuck)
# uname -a
Linux touchy.whiterc.com 4.9.6-gentoo #2 SMP PREEMPT Fri Jan 27 12:16:31
-00 2017 x86_64 Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz GenuineIntel
GNU/Linux
This is what is currently being built by gentoo ~arch on a 64 bit platform.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: BUG: nft cannot "list ruleset" with interval maps
2017-02-08 17:28 ` Pablo Neira Ayuso
2017-02-08 23:51 ` Robert White
@ 2017-02-09 0:11 ` Robert White
2017-02-09 0:24 ` (whoops) " Robert White
2 siblings, 0 replies; 6+ messages in thread
From: Robert White @ 2017-02-09 0:11 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 02/08/17 17:28, Pablo Neira Ayuso wrote:
> On Wed, Feb 08, 2017 at 05:00:18PM +0000, Robert White wrote:
>> (please forgive stupid email word wrap)
>>
>> # nft table ip nat
>> # nft map nat dnat_example { type inet_service: ipv4_addr\; flags interval
>> \; }
>> # nft element nat dnat_example { 3476-3480 : 192.168.14.12 }
>> # nft list ruleset
>> table ip nat {
>> map dnat_example {
>> type inet_service : ipv4_addr
>> flags interval
>> nft: mini-gmp.c:4311: mpz_export: Assertion `size > 0 || u->_mp_size == 0'
>> failed.
>> elements = { 3476-Aborted
>>
>> So the entry seems to have gotten in alright but it can't come back out
>> normally. I can tell because a "export json" works
>>
>> # nft export json
>> {"nftables":[{"table":{"name":"nat","family":"ip","flags":0,"use":1}},{"set":{"name":"dnat_example","table":"nat","flags":12,"family":"ip","key_type":13,"key_len":2,"data_type":7,"data_len":4,"set_elem":[{"flags":1,"key":{"reg":{"type":"value","len":2,"data0":"0x0000990d"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x0000940d"}},"data":{"reg":{"type":"value","len":4,"data0":"0x0c0ea8c0"}}},{"flags":1,"key":{"reg":{"type":"value","len":2,"data0":"0x00000000"}}}]}}]}
>>
>>
>> NOTE: interval sets work fine:
>>
>> # nft list ruleset
>> table ip nat {
>> set portrange {
>> type inet_service
>> flags interval
>> elements = { 3776-3780}
>> }
>> }
>
> What nft version are you using? This works fine with nft git
> snapshots. Please, give it a try and confirm.
>
> Thanks.
>
The current git head does _not_ throw the ASSERT like the 0.7 release
built by the gentoo installer.
Tested successfully with and without --with-mini-gmp for whatever that's
worth. (tried option both ways because of ASSERT text mentioning
"mini-gmp".)
I also verified that the error _does_ occur with the
nftables-0.7.tar.bz2 file available for download at netfilter.org but
_only_ when built after configure --with-mini-gmp. Excluding that option
removes the error.
So I guess it's good for the next release but verified repeatable with
the current release.
^ permalink raw reply [flat|nested] 6+ messages in thread* (whoops) Re: BUG: nft cannot "list ruleset" with interval maps
2017-02-08 17:28 ` Pablo Neira Ayuso
2017-02-08 23:51 ` Robert White
2017-02-09 0:11 ` Robert White
@ 2017-02-09 0:24 ` Robert White
2017-02-09 10:46 ` Pablo Neira Ayuso
2 siblings, 1 reply; 6+ messages in thread
From: Robert White @ 2017-02-09 0:24 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter
On 02/08/17 17:28, Pablo Neira Ayuso wrote:
> On Wed, Feb 08, 2017 at 05:00:18PM +0000, Robert White wrote:
>> (please forgive stupid email word wrap)
>>
>> # nft table ip nat
>> # nft map nat dnat_example { type inet_service: ipv4_addr\; flags interval
>> \; }
>> # nft element nat dnat_example { 3476-3480 : 192.168.14.12 }
>> # nft list ruleset
>> table ip nat {
>> map dnat_example {
>> type inet_service : ipv4_addr
>> flags interval
>> nft: mini-gmp.c:4311: mpz_export: Assertion `size > 0 || u->_mp_size == 0'
>> failed.
>> elements = { 3476-Aborted
>>
>> So the entry seems to have gotten in alright but it can't come back out
>> normally. I can tell because a "export json" works
>>
>> # nft export json
>> {"nftables":[{"table":{"name":"nat","family":"ip","flags":0,"use":1}},{"set":{"name":"dnat_example","table":"nat","flags":12,"family":"ip","key_type":13,"key_len":2,"data_type":7,"data_len":4,"set_elem":[{"flags":1,"key":{"reg":{"type":"value","len":2,"data0":"0x0000990d"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x0000940d"}},"data":{"reg":{"type":"value","len":4,"data0":"0x0c0ea8c0"}}},{"flags":1,"key":{"reg":{"type":"value","len":2,"data0":"0x00000000"}}}]}}]}
>>
>>
>> NOTE: interval sets work fine:
>>
>> # nft list ruleset
>> table ip nat {
>> set portrange {
>> type inet_service
>> flags interval
>> elements = { 3776-3780}
>> }
>> }
>
> What nft version are you using? This works fine with nft git
> snapshots. Please, give it a try and confirm.
>
> Thanks.
>
Missed something.
With 0.7 and without --with-mini-gmp there's a "floating point
exception" instead of the assert, so there was still some shenanigans
happening behind the scenes.
Probably good to push a new release soon. 8-)
--Rob.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: (whoops) Re: BUG: nft cannot "list ruleset" with interval maps
2017-02-09 0:24 ` (whoops) " Robert White
@ 2017-02-09 10:46 ` Pablo Neira Ayuso
0 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-09 10:46 UTC (permalink / raw)
To: Robert White; +Cc: netfilter
On Thu, Feb 09, 2017 at 12:24:24AM +0000, Robert White wrote:
> On 02/08/17 17:28, Pablo Neira Ayuso wrote:
> >On Wed, Feb 08, 2017 at 05:00:18PM +0000, Robert White wrote:
> >>(please forgive stupid email word wrap)
> >>
> >># nft table ip nat
> >># nft map nat dnat_example { type inet_service: ipv4_addr\; flags interval
> >>\; }
> >># nft element nat dnat_example { 3476-3480 : 192.168.14.12 }
> >># nft list ruleset
> >>table ip nat {
> >> map dnat_example {
> >> type inet_service : ipv4_addr
> >> flags interval
> >>nft: mini-gmp.c:4311: mpz_export: Assertion `size > 0 || u->_mp_size == 0'
> >>failed.
> >> elements = { 3476-Aborted
> >>
> >>So the entry seems to have gotten in alright but it can't come back out
> >>normally. I can tell because a "export json" works
> >>
> >># nft export json
> >>{"nftables":[{"table":{"name":"nat","family":"ip","flags":0,"use":1}},{"set":{"name":"dnat_example","table":"nat","flags":12,"family":"ip","key_type":13,"key_len":2,"data_type":7,"data_len":4,"set_elem":[{"flags":1,"key":{"reg":{"type":"value","len":2,"data0":"0x0000990d"}}},{"key":{"reg":{"type":"value","len":2,"data0":"0x0000940d"}},"data":{"reg":{"type":"value","len":4,"data0":"0x0c0ea8c0"}}},{"flags":1,"key":{"reg":{"type":"value","len":2,"data0":"0x00000000"}}}]}}]}
> >>
> >>
> >>NOTE: interval sets work fine:
> >>
> >># nft list ruleset
> >>table ip nat {
> >> set portrange {
> >> type inet_service
> >> flags interval
> >> elements = { 3776-3780}
> >> }
> >>}
> >
> >What nft version are you using? This works fine with nft git
> >snapshots. Please, give it a try and confirm.
> >
> >Thanks.
> >
>
> Missed something.
>
> With 0.7 and without --with-mini-gmp there's a "floating point exception"
> instead of the assert, so there was still some shenanigans happening behind
> the scenes.
>
> Probably good to push a new release soon. 8-)
There will be a new release soon :)
^ permalink raw reply [flat|nested] 6+ messages in thread