From: nevola <nevola@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH nft] parser: allow to load stateful ct connlimit elements in sets
Date: Tue, 13 Apr 2021 11:03:41 +0200 [thread overview]
Message-ID: <20210413090341.GA16617@nevthink> (raw)
This patch fixes a syntax error after loading a nft
dump with a set including stateful ct connlimit elements.
Having a nft dump as per below:
table ip nftlb {
set connlimit-set {
type ipv4_addr
size 65535
flags dynamic
elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 }
}
}
The syntax error is shown when loading the ruleset.
root# nft -f connlimit.nft
connlimit.nft:15997:31-32: Error: syntax error, unexpected ct, expecting comma or '}'
elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
^^
connlimit.nft:16000:9-22: Error: syntax error, unexpected string
173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 }
^^^^^^^^^^^^^^
After applying this patch a kernel panic is raised running
nft_rhash_gc() although no packet reaches the set.
The following patch [0] should be used as well:
4d8f9065830e5 ("netfilter: nftables: clone set element expression template")
Note that the kernel patch will produce the emptying of the
connection tracking, so the restore of the conntrack states
should be considered.
[0]: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=4d8f9065830e526c83199186c5f56a6514f457d2
Signed-off-by: nevola <laura.garcia@zevenet.com>
---
src/parser_bison.y | 11 +++++++++++
tests/shell/testcases/sets/0062set_connlimit_0 | 14 ++++++++++++++
2 files changed, 25 insertions(+)
create mode 100755 tests/shell/testcases/sets/0062set_connlimit_0
diff --git a/src/parser_bison.y b/src/parser_bison.y
index abe11781..c3514f18 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4191,6 +4191,17 @@ set_elem_stmt : COUNTER close_scope_counter
$$->limit.type = NFT_LIMIT_PKT_BYTES;
$$->limit.flags = $3;
}
+ | CT COUNT NUM close_scope_ct
+ {
+ $$ = connlimit_stmt_alloc(&@$);
+ $$->connlimit.count = $3;
+ }
+ | CT COUNT OVER NUM close_scope_ct
+ {
+ $$ = connlimit_stmt_alloc(&@$);
+ $$->connlimit.count = $4;
+ $$->connlimit.flags = NFT_CONNLIMIT_F_INV;
+ }
;
set_elem_expr_option : TIMEOUT time_spec
diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0
new file mode 100755
index 00000000..4f95f383
--- /dev/null
+++ b/tests/shell/testcases/sets/0062set_connlimit_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ set est-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ elements = { 84.245.120.167 ct count over 20 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
--
2.20.1
next reply other threads:[~2021-04-13 9:04 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-13 9:03 nevola [this message]
2021-05-02 21:34 ` [PATCH nft] parser: allow to load stateful ct connlimit elements in sets Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210413090341.GA16617@nevthink \
--to=nevola@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.