[nft] possible several bugs in maps

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [nft] possible several bugs in maps
@ 2015-10-09  9:35 Arturo Borrero Gonzalez
  2015-10-09 10:40 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Arturo Borrero Gonzalez @ 2015-10-09  9:35 UTC (permalink / raw)
  To: Netfilter Development Mailing list
  Cc: Pablo Neira Ayuso, Patrick McHardy, Florian Westphal

Hi,

i'm playing with nftables maps and found some issues.

First:

I can add this named map in the CLI but I can't load it from a file.
This can be reproduced with these commands:

% nft flush ruleset
% nft add table t
% nft add map t m { type ipv4_addr : ipv4_addr ; }
% nft add element t m {1.1.1.1: 2.2.2.2 }
% echo "flush ruleset" > test.nft
% nft list ruleset >> test.nft
% nft -f test.nft
test.nft:5:28-46: Error: mapping outside of map context
            elements = { 1.1.1.1 : 2.2.2.2}
                        ^^^^^^^^^^^^^^^^^^^

Second:

I can use ANONYMOUS maps for SNAT:

% nft flush ruleset
% nft add table nat
% nft add chain nat postrouting
% nft add rule nat postrouting snat ip saddr map {1.1.1.1 : 2.2.2.2}
[OK]

But I can't use NAMED maps for SNAT:

% nft flush ruleset
% nft add table nat
% nft add map nat m { type ipv4_addr : ipv4_addr\; }
% nft add element nat m { 1.1.1.1 : 2.2.2.2 }
% nft add chain nat postrouting
% nft add rule nat postrouting snat ip saddr map @m
<cmdline>:1:1-45: Error: Could not process rule: Invalid argument
add rule nat postrouting snat ip saddr map @m
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This seems to be triggered by the kernel (I'm running 4.1, please let
me know if newer versions has this fixed)

best regards!
-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [nft] possible several bugs in maps
  2015-10-09  9:35 [nft] possible several bugs in maps Arturo Borrero Gonzalez
@ 2015-10-09 10:40 ` Pablo Neira Ayuso
  2015-10-09 10:42   ` Patrick McHardy
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2015-10-09 10:40 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez
  Cc: Netfilter Development Mailing list, Patrick McHardy,
	Florian Westphal

On Fri, Oct 09, 2015 at 11:35:32AM +0200, Arturo Borrero Gonzalez wrote:
> Hi,
> 
> i'm playing with nftables maps and found some issues.
> 
> First:
> 
> I can add this named map in the CLI but I can't load it from a file.
> This can be reproduced with these commands:
> 
> % nft flush ruleset
> % nft add table t
> % nft add map t m { type ipv4_addr : ipv4_addr ; }
> % nft add element t m {1.1.1.1: 2.2.2.2 }
> % echo "flush ruleset" > test.nft
> % nft list ruleset >> test.nft
> % nft -f test.nft
> test.nft:5:28-46: Error: mapping outside of map context
>             elements = { 1.1.1.1 : 2.2.2.2}
>                         ^^^^^^^^^^^^^^^^^^^

Known issue, our grammar is invoking the evaluating the elements
before it has actually evaluated the declaration.

> Second:
> 
> I can use ANONYMOUS maps for SNAT:
> 
> % nft flush ruleset
> % nft add table nat
> % nft add chain nat postrouting
> % nft add rule nat postrouting snat ip saddr map {1.1.1.1 : 2.2.2.2}
> [OK]
> 
> But I can't use NAMED maps for SNAT:
> 
> % nft flush ruleset
> % nft add table nat
> % nft add map nat m { type ipv4_addr : ipv4_addr\; }
> % nft add element nat m { 1.1.1.1 : 2.2.2.2 }
> % nft add chain nat postrouting
> % nft add rule nat postrouting snat ip saddr map @m
> <cmdline>:1:1-45: Error: Could not process rule: Invalid argument
> add rule nat postrouting snat ip saddr map @m
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> This seems to be triggered by the kernel (I'm running 4.1, please let
> me know if newer versions has this fixed)

Sigh, I already sent a patch for this to -stable on Sep 11th.

http://marc.info/?l=netfilter-devel&m=144197606028112&w=4

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [nft] possible several bugs in maps
  2015-10-09 10:40 ` Pablo Neira Ayuso
@ 2015-10-09 10:42   ` Patrick McHardy
  0 siblings, 0 replies; 3+ messages in thread
From: Patrick McHardy @ 2015-10-09 10:42 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Arturo Borrero Gonzalez, Netfilter Development Mailing list,
	Florian Westphal

On 09.10, Pablo Neira Ayuso wrote:
> On Fri, Oct 09, 2015 at 11:35:32AM +0200, Arturo Borrero Gonzalez wrote:
> > Hi,
> > 
> > i'm playing with nftables maps and found some issues.
> > 
> > First:
> > 
> > I can add this named map in the CLI but I can't load it from a file.
> > This can be reproduced with these commands:
> > 
> > % nft flush ruleset
> > % nft add table t
> > % nft add map t m { type ipv4_addr : ipv4_addr ; }
> > % nft add element t m {1.1.1.1: 2.2.2.2 }
> > % echo "flush ruleset" > test.nft
> > % nft list ruleset >> test.nft
> > % nft -f test.nft
> > test.nft:5:28-46: Error: mapping outside of map context
> >             elements = { 1.1.1.1 : 2.2.2.2}
> >                         ^^^^^^^^^^^^^^^^^^^
> 
> Known issue, our grammar is invoking the evaluating the elements
> before it has actually evaluated the declaration.

It is? Just had a quick look so I might be wrong, but it seems we're simply
not adding the set to the context before we're evaluating the elements.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2015-10-09 10:42 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-09  9:35 [nft] possible several bugs in maps Arturo Borrero Gonzalez
2015-10-09 10:40 ` Pablo Neira Ayuso
2015-10-09 10:42   ` Patrick McHardy

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).