From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Asbjørn Sloth Tønnesen" <ast@fiberby.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: nft: segfault after adding to { type ipv4_addr; flags interval; } set
Date: Tue, 19 Jan 2016 19:46:48 +0100
Message-ID: <20160119184648.GA24758@salvia>
In-Reply-To: <1452713709.8513.0@x201s.roaming.asbjorn.biz>

On Wed, Jan 13, 2016 at 07:35:09PM +0000, Asbjørn Sloth Tønnesen wrote:
> Hi,
>
> I have been trying to migrate an ipset net:hash set to a nftables set.
> I don't need the nomatch feature of ipset net:hash, a set with network
> prefixes should do just fine. I do need it as a named set though.
>
> A plain type ipv4_addr set can only hold individual addresses, so
> that doesn't work with network prefixes.
>
> I found the flags interval in the bison code, and so I tried
> to test if that would work.
>
> # nft add table testtbl
> # nft add set testtbl testset { type ipv4_addr\; flags interval\; }
> # nft add element testtbl testset { 192.168.3.0/24 }
> > BUG: invalid data expression type prefix
> > nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
> > Aborted
> # nft add element testtbl testset { 192.168.3.0-192.168.3.255 }
> > BUG: invalid data expression type range
> > nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
> > Aborted
> # nft add element testtbl testset { 192.168.3.0, 192.168.3.255 }
> # nft list tables
> > Segmentation fault
> # nft flush ruleset
> > Segmentation fault
>
> How was the interval flag intended to work?

Just posted several patches on the mailing list, it would be good if
you can intensively test them. They apply on top of the current git
tree.

BTW, deletion is not implemented in nft, but I think it should be easy
to follow up with a patch to make it.

> It would be great if the ipset article on the wiki, could have some info
> on how to migrate separate ipset types to nftables set types.

Would you like to start such an article? I can create an account in the
wiki page too, it would be a nice contribution.

Let me know,
Thanks.