From: nevola <nevola@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH nft] parser: allow to load stateful ct connlimit elements in sets
Date: Tue, 13 Apr 2021 11:03:41 +0200 [thread overview]
Message-ID: <20210413090341.GA16617@nevthink> (raw)
This patch fixes a syntax error after loading a nft
dump with a set including stateful ct connlimit elements.
Having a nft dump as per below:
table ip nftlb {
set connlimit-set {
type ipv4_addr
size 65535
flags dynamic
elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 }
}
}
The syntax error is shown when loading the ruleset.
root# nft -f connlimit.nft
connlimit.nft:15997:31-32: Error: syntax error, unexpected ct, expecting comma or '}'
elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
^^
connlimit.nft:16000:9-22: Error: syntax error, unexpected string
173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 }
^^^^^^^^^^^^^^
After applying this patch a kernel panic is raised running
nft_rhash_gc() although no packet reaches the set.
The following patch [0] should be used as well:
4d8f9065830e5 ("netfilter: nftables: clone set element expression template")
Note that the kernel patch will produce the emptying of the
connection tracking, so the restore of the conntrack states
should be considered.
[0]: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=4d8f9065830e526c83199186c5f56a6514f457d2
Signed-off-by: nevola <laura.garcia@zevenet.com>
---
src/parser_bison.y | 11 +++++++++++
tests/shell/testcases/sets/0062set_connlimit_0 | 14 ++++++++++++++
2 files changed, 25 insertions(+)
create mode 100755 tests/shell/testcases/sets/0062set_connlimit_0
diff --git a/src/parser_bison.y b/src/parser_bison.y
index abe11781..c3514f18 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4191,6 +4191,17 @@ set_elem_stmt : COUNTER close_scope_counter
$$->limit.type = NFT_LIMIT_PKT_BYTES;
$$->limit.flags = $3;
}
+ | CT COUNT NUM close_scope_ct
+ {
+ $$ = connlimit_stmt_alloc(&@$);
+ $$->connlimit.count = $3;
+ }
+ | CT COUNT OVER NUM close_scope_ct
+ {
+ $$ = connlimit_stmt_alloc(&@$);
+ $$->connlimit.count = $4;
+ $$->connlimit.flags = NFT_CONNLIMIT_F_INV;
+ }
;
set_elem_expr_option : TIMEOUT time_spec
diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0
new file mode 100755
index 00000000..4f95f383
--- /dev/null
+++ b/tests/shell/testcases/sets/0062set_connlimit_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+RULESET="table ip x {
+ set est-connlimit {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ elements = { 84.245.120.167 ct count over 20 }
+ }
+}"
+
+$NFT -f - <<< $RULESET
--
2.20.1
next reply other threads:[~2021-04-13 9:04 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-13 9:03 nevola [this message]
2021-05-02 21:34 ` [PATCH nft] parser: allow to load stateful ct connlimit elements in sets Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210413090341.GA16617@nevthink \
--to=nevola@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).