From: Florian Westphal <fw@strlen.de>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 0/3] src: make set-merging less zealous
Date: Sat, 16 Dec 2023 11:11:41 +0100 [thread overview]
Message-ID: <20231216101141.GA23061@breakpoint.cc> (raw)
In-Reply-To: <20231213170650.13451-1-fw@strlen.de>
Florian Westphal <fw@strlen.de> wrote:
> I got a large corpus of various crashes in the set internals code
> tripping over expressions that should not exist, e.g. a range expression
> with a symbolic expression.
>
> From initial investigation it looks like the root cause is the same:
> we have back-to-back declarations of the same set name, evaluation
> is returning errors, but we insist on continuing evaluation.
>
> Then, we try to merge set elements and end up merging
> such a 'redefined set' with an erroneous one.
>
> This series adds an initial assertion which helped to make
> crashes easier to backtrace.
>
> The second patch adds an 'errors' flag to struct set and raises
> it once we see something funky.
>
> Patch 3 also sets/uses this when evaluating the set itself.
>
> An alternative would be to make the low-level code more robust
> against these kinds of issues, but that might take a while
> to fix, also because this code is partially not able to
> indicate errors.
We need to rewrite it, it's too picky:
nft add rule t c ip protocol . th dport { tcp . 22, udp . 1 }
nft add rule t c ip protocol . th dport { tcp / 22, udp . 1 }
nft add rule t c ip protocol . th dport { tcp / 22 }
In particular, there is a lot of strange code that causes
this to be evaluated in very different ways.
Thread overview:
2023-12-13 17:06 [PATCH nft 0/3] src: make set-merging less zealous Florian Westphal
2023-12-13 17:06 ` [PATCH nft 1/3] intervals: BUG on prefix expressions without value Florian Westphal
2023-12-13 17:06 ` [PATCH nft 2/3] src: do not merge a set with a erroneous one Florian Westphal
2023-12-13 17:06 ` [PATCH nft 3/3] evaluate: don't assert if set->data is NULL Florian Westphal
2023-12-16 10:11 ` Florian Westphal [this message]