From: Florian Westphal <fw@strlen.de>
To: Fernando Fernandez Mancera <fmancera@suse.de>
Cc: "Remy D. Farley" <one-d-wide@protonmail.com>,
"netfilter-devel@vger.kernel.org"
<netfilter-devel@vger.kernel.org>
Subject: Re: iptables: zero dereference parsing bitwise operations
Date: Tue, 14 Oct 2025 17:29:11 +0200
Message-ID: <aO5sR82R-XqueUq-@strlen.de>
In-Reply-To: <e914fab4-e65d-43d3-a99d-816e8dffd72b@suse.de>
Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> >
> >> Hi Remy, could you share the full output of:
> >>
> >> 'nft --debug=netlink list ruleset'
> >>
> >> This will allow me to understand what is the generated bytecode and an
> >> easy way to reproduce this with libnftnl. I am happy to investigate/fix
> >> this on the nft/libnftnl/kernel side :)
> >
> >
> > Hi Fernando,
> >
> > Not sure if it worth investigating, but here you go.
> >
> >
>
> I have reproduced this and confirmed that the right source register is
> being set (NFT_REG_1) and that libnftnl is reporting it correctly. The
> problem is on the nft command line tool side. I do not think it is worth
> going deeper as it is probably related to nftables not being able to
> delinearize this rule as it is not supported by nft itself.
What the rule is doing is supported, but nft will transform it to use
xor/and, as that will work on all nf_tables versions rather than only
kernels that support NFT_BITWISE_OR.
I think it would be possible to extend netlink_delinearize.c to support
it, but it's technically not needed.
nft can also not be expected to ever be able to make sense of a ruleset
generated by something else; there is just too much variance to always
be able to map this back to nft grammar.
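As an added illustration (not part of this thread or of the nftables sources), the lowering Florian describes: the kernel's boolean bitwise expression evaluates `(src & mask) ^ xor`, so an OR with a constant c can be expressed as `mask = ~c, xor = c` without needing NFT_BITWISE_OR. The register values and constants below are constructed.

```c
/* Constructed example: lowering and/or/xor onto the generic
 * (src & mask) ^ xor form of the boolean nft_bitwise expression. */
#include <stdint.h>
#include <stdio.h>

struct bitwise_bool {
    uint32_t mask;
    uint32_t xor;
};

/* Boolean bitwise evaluation: dst = (src & mask) ^ xor */
static uint32_t bitwise_eval(uint32_t src, struct bitwise_bool op)
{
    return (src & op.mask) ^ op.xor;
}

/* src & c : keep only the bits of c, flip nothing */
static struct bitwise_bool lower_and(uint32_t c)
{
    struct bitwise_bool op = { .mask = c, .xor = 0 };
    return op;
}

/* src ^ c : keep all bits, flip the bits of c */
static struct bitwise_bool lower_xor(uint32_t c)
{
    struct bitwise_bool op = { .mask = UINT32_MAX, .xor = c };
    return op;
}

/* src | c : clear the bits of c with the mask, then set them via xor.
 * This is why an OR does not need a dedicated NFT_BITWISE_OR op. */
static struct bitwise_bool lower_or(uint32_t c)
{
    struct bitwise_bool op = { .mask = ~c, .xor = c };
    return op;
}

/* Returns 1 if the lowered OR matches a native OR for a sample register value. */
static int or_lowering_matches(uint32_t src, uint32_t c)
{
    return bitwise_eval(src, lower_or(c)) == (src | c);
}

int main(void)
{
    uint32_t src = 0x12345678u, c = 0x0000ff00u;  /* constructed values */
    struct bitwise_bool op = lower_or(c);
    printf("or  -> mask=%08x xor=%08x ok=%d\n", op.mask, op.xor,
           or_lowering_matches(src, c));
    return 0;
}
```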