netfilter-devel.vger.kernel.org archive mirror
* Re: [Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
From: Florian Westphal @ 2017-05-15 12:03 UTC (permalink / raw)
  To: netfilter-devel; +Cc: ian.kumlien

bugzilla-daemon@netfilter.org <bugzilla-daemon@netfilter.org> wrote:

[ Switching to email ]

> https://bugzilla.netfilter.org/show_bug.cgi?id=1145
> 
> --- Comment #1 from Ian Kumlien <ian.kumlien@gmail.com> ---
> Is there anything obvious that i'm doing wrong? Is there something else i could
> try?

This boils down to nested sets:

define dnat_host        = 10.1.2.3
define dnat_ports       = { 1234-1567 }

define port_allow = {
        53,             # dns
        $dnat_ports,    # dnat
}
define port_allow_tcp = {
        80,
        443,
        $port_allow
}
define port_allow_udp = {
        67, 68,         # dhcp
        123, 1027,      # ntp
        $port_allow
}

... which we don't support at the moment.

So, should we
a) expand/'inline' the sets?

(i.e. port_allow_tcp would contain
 1234-1567, 53, 80, 443)

b) support lookups within lookups?

This would be needed to support non-anonymous sets within sets.

or

c) never support this?  This would probably need some work on parser
to be able to provide a clean error message rather than BUG() ...

Opinions?



* Re: [Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
From: Phil Sutter @ 2017-05-16 11:34 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel, ian.kumlien

Hi,

On Mon, May 15, 2017 at 02:03:57PM +0200, Florian Westphal wrote:
> bugzilla-daemon@netfilter.org <bugzilla-daemon@netfilter.org> wrote:
> 
> [ Switching to email ]
> 
> > https://bugzilla.netfilter.org/show_bug.cgi?id=1145
> > 
> > --- Comment #1 from Ian Kumlien <ian.kumlien@gmail.com> ---
> > Is there anything obvious that i'm doing wrong? Is there something else i could
> > try?
> 
> This boils down to nested sets:
> 
> define dnat_host        = 10.1.2.3
> define dnat_ports       = { 1234-1567 }
> 
> define port_allow = {
>         53,             # dns
>         $dnat_ports,    # dnat
> }
> define port_allow_tcp = {
>         80,
>         443,
>         $port_allow
> }
> define port_allow_udp = {
>         67, 68,         # dhcp
>         123, 1027,      # ntp
>         $port_allow
> }
> 
> ... which we don't support at the moment.

Actually, we do support this kind of nesting: back in March I sent a
number of patches fixing nested sets constructed via defines like the
above; see a6b75b837f5e8 ("evaluate: set: Allow for set elems to be
sets") and the following two for details.

The reason why the above fails, though, is the use of a range in
dnat_ports. If I drop it from the port_allow define, the above is
accepted and appears correct.

> So, should we
> a). expand/'inline' the sets?
> 
> (i.e. port_allow_tcp would contain
>  1234-1567, 53, 80, 443)

This is what I would expect the above to turn into.

> b) support lookups within lookups?
> 
> This would be needed to support non-anonymous sets within sets.

Sounds like a nice project, but for the issue at hand I don't think it's
necessary. So maybe get this issue (range in set not allowed) fixed and
postpone the named set in set thing for later? :)

Cheers, Phil

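The inlining that Florian sketches under (a) and that Phil says he would expect (80, 443 and 53 plus the 1234-1567 range ending up as one flat element list) is shown below as an added example. It is not nftables code and not part of the thread: a small Python flattener over a simplified `define` syntax (integer ports, `a-b` ranges and `$name` references inside braces, `#` comments), with the sample input constructed from the defines quoted in the report. It refuses undefined symbols, cyclic defines and non-port values such as `dnat_host`, and reports overlapping intervals in the expanded result, which is the kind of check a real inliner would need before handing elements on. The port-range limit of 0..65535 and the de-duplication of repeated elements are this example's own assumptions.

```python
"""Expand nested nft-style `define` sets into a flat list of intervals.

Demonstrates option (a) from the thread: every `$ref` inside a set is
replaced by the referenced define's own elements, ranges included, so
nothing nested is left for the set-element evaluator to trip over.
Hypothetical example code, not nftables' own implementation.
"""
import re
from typing import Dict, List, Tuple

Elem = Tuple[int, int]  # inclusive interval; a single port p is (p, p)

# Constructed sample: the defines from the bug report, not a real ruleset.
SAMPLE = """
define dnat_host        = 10.1.2.3
define dnat_ports       = { 1234-1567 }

define port_allow = {
        53,             # dns
        $dnat_ports,    # dnat
}
define port_allow_tcp = {
        80,
        443,
        $port_allow
}
define port_allow_udp = {
        67, 68,         # dhcp
        123, 1027,      # ntp
        $port_allow
}
"""

# A define is either a brace-delimited set or a single bare token.
DEFINE_RE = re.compile(r"define\s+(\w+)\s*=\s*(\{[^}]*\}|\S+)")
ELEM_RE = re.compile(r"(\d+)(?:-(\d+))?")


def parse_defines(text: str) -> Dict[str, List[str]]:
    """Map each define name to its raw, unexpanded element strings.

    Comments are stripped first so a `}` or `,` inside one cannot confuse
    the brace match. A non-set value (e.g. `10.1.2.3`) becomes a one-item
    list; it is rejected later if something tries to expand it as ports.
    """
    stripped = re.sub(r"#[^\n]*", "", text)
    defs: Dict[str, List[str]] = {}
    for name, value in DEFINE_RE.findall(stripped):
        if name in defs:
            raise ValueError(f"duplicate define: {name}")
        body = value[1:-1] if value.startswith("{") else value
        defs[name] = [item.strip() for item in body.split(",") if item.strip()]
    return defs


def expand(defs: Dict[str, List[str]], name: str, _stack: Tuple[str, ...] = ()) -> List[Elem]:
    """Recursively inline `$ref` elements and return sorted (lo, hi) intervals.

    Duplicates produced by inlining the same define twice are dropped
    (an assumption of this example). Cycles and undefined symbols are
    reported with a clear error instead of recursing forever.
    """
    if name not in defs:
        raise ValueError(f"undefined symbol: ${name}")
    if name in _stack:
        raise ValueError("cyclic define: " + " -> ".join(_stack + (name,)))
    out: List[Elem] = []
    for item in defs[name]:
        if item.startswith("$"):
            out.extend(expand(defs, item[1:], _stack + (name,)))
            continue
        m = ELEM_RE.fullmatch(item)
        if not m:
            raise ValueError(f"{name}: unsupported element {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:  # port range limit assumed here
            raise ValueError(f"{name}: bad port range {item!r}")
        out.append((lo, hi))
    return sorted(set(out))


def find_overlaps(elems: List[Elem]) -> List[Tuple[Elem, Elem]]:
    """Return every pair of intervals that intersect.

    After sorting by low end, an earlier interval overlaps a later one
    exactly when its high end reaches the later one's low end.
    """
    ordered = sorted(elems)
    conflicts: List[Tuple[Elem, Elem]] = []
    for i, (lo, _hi) in enumerate(ordered):
        for prev in ordered[:i]:
            if prev[1] >= lo:
                conflicts.append((prev, (lo, _hi)))
    return conflicts


def render(elems: List[Elem]) -> str:
    """Render intervals back into nft set-element syntax."""
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in elems)


if __name__ == "__main__":
    defs = parse_defines(SAMPLE)
    for set_name in ("port_allow_tcp", "port_allow_udp"):
        elems = expand(defs, set_name)
        print(f"define {set_name} = {{ {render(elems)} }}")
        for a, b in find_overlaps(elems):
            print(f"  overlapping elements in {set_name}: {a} and {b}")
```

Running it prints `define port_allow_tcp = { 53, 80, 443, 1234-1567 }` and the matching udp line; `expand(defs, "dnat_host")` raises because `10.1.2.3` is not a port element, which is the clean error a parser-side fix for the BUG() would want to give instead of an assertion.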
