From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Chris Hall <netfilter@gmch.uk>
Cc: netfilter@vger.kernel.org
Subject: Re: Failing to construct a 'set' for TCP Flag filtering.
Date: Wed, 2 Sep 2020 19:51:33 +0200
Message-ID: <20200902175133.GA5283@salvia>
In-Reply-To: <4c39e878-8c4d-24a8-543e-206e1ca0a458@gmch.uk>
On Wed, Sep 02, 2020 at 05:44:11PM +0100, Chris Hall wrote:
>
> I have constructed the file 'tryx' containing:
>
> #---------------------------------------------------
> flush ruleset
> add table ip MAIN
>
> add set ip MAIN tcp_good_flags { type tcp_flag ; flags constant ; \
> elements = { \
> ( 0 | 0 | 0 |ack| 0 | 0 ), \
> ( 0 | 0 | 0 |ack| 0 |urg), \
> ( 0 | 0 | 0 |ack|psh| 0 ), \
> ( 0 | 0 | 0 |ack|psh|urg), \
> ( 0 | 0 |rst| 0 | 0 | 0 ), \
> ( 0 | 0 |rst|ack| 0 | 0 ), \
> ( 0 | 0 |rst|ack| 0 |urg), \
> ( 0 | 0 |rst|ack|psh| 0 ), \
> ( 0 | 0 |rst|ack|psh|urg), \
> ( 0 |syn| 0 | 0 | 0 | 0 ), \
> ( 0 |syn| 0 |ack| 0 | 0 ), \
> ( 0 |syn| 0 |ack| 0 |urg), \
> ( 0 |syn| 0 |ack|psh| 0 ), \
> ( 0 |syn| 0 |ack|psh|urg), \
> (fin| 0 | 0 |ack| 0 | 0 ), \
> (fin| 0 | 0 |ack| 0 |urg), \
> (fin| 0 | 0 |ack|psh| 0 ), \
> (fin| 0 | 0 |ack|psh|urg) \
> } ; }
>
> list ruleset
> #---------------------------------------------------
>
> With a view to using this to filter out invalid combinations of TCP flags.
>
> When I give that to nft I get:
>
> # nft -f tryx
> table ip MAIN {
> set tcp_good_flags {
> type tcp_flag
> flags constant
> elements = { ack, 0x30, 0x18, 0x38, rst,
> 0x14, 0x34, 0x1c, 0x3c, syn,
> 0x12, 0x32, 0x1a, 0x3a, 0x11,
> 0x31, 0x19, 0x39 }
> }
> }
>
> ...which suggests that all is well so far... but it isn't. And if I try to
> check the state of the ruleset again:
>
> # nft list ruleset
> BUG: Unknown expression binop
> nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
> Aborted (core dumped)
>
> Indeed, nothing seems to work until I 'flush ruleset' again!
>
> Am I asking for the impossible here?
It's a bug, I'll apply this patch to git.
[-- Attachment #2: x.patch --]
diff --git a/src/mergesort.c b/src/mergesort.c
index 02094b486aeb..4d5bdbd414db 100644
--- a/src/mergesort.c
+++ b/src/mergesort.c
@@ -44,7 +44,15 @@ static int expr_msort_cmp(const struct expr *e1, const struct expr *e2)
case EXPR_MAPPING:
return expr_msort_cmp(e1->left, e2->left);
case EXPR_BINOP:
- return expr_msort_cmp(e1->left, e2->left);
+ switch (e2->etype) {
+ case EXPR_VALUE:
+ return expr_msort_cmp(e1->left, e2);
+ case EXPR_BINOP:
+ return expr_msort_cmp(e1->left, e2->left);
+ default:
+ break;
+ }
+ /* fall through */
default:
BUG("Unknown expression %s\n", expr_name(e1));
}
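Review bot: the inner `default: break;` falls through to `BUG("Unknown expression %s\n", expr_name(e1));`, but at that point e1 is already known to be an EXPR_BINOP, so the message will always say "binop" and never name the e2 type that was actually unexpected; suggest reporting e2 on that path, e.g. `BUG("Unknown expression %s\n", expr_name(e2));` in the inner default before breaking. Separately, the arm that handles an EXPR_VALUE e1 is outside this hunk: if it does not mirror the new (e1 binop, e2 value) case for (e1 value, e2 binop), the comparator is not antisymmetric and the sort result will depend on the order the elements were given in.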
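As an added example (not code from this thread or from nftables), a short Python script that computes the numeric value of each element of the tcp_good_flags set above and checks them against the listing nft printed back, so the hex elements in that output can be read as flag combinations; NFT_LISTED is quoted from the message, and describe() and is_good() are helpers of mine, not nft functions.

```python
# Bit values of the six flags used above, in the set's column order fin|syn|rst|ack|psh|urg;
# these are the TCP header bits and what nft's tcp_flag type uses. tcp_flag also has ecn (0x40)
# and cwr (0x80), deliberately omitted: a packet carrying either bit falls outside the set.
FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "ack": 0x10, "psh": 0x08, "urg": 0x20}

# The 18 elements of tcp_good_flags, transcribed row by row from the message.
GOOD_COMBINATIONS = [
    ("ack",), ("ack", "urg"), ("ack", "psh"), ("ack", "psh", "urg"),
    ("rst",), ("rst", "ack"), ("rst", "ack", "urg"), ("rst", "ack", "psh"),
    ("rst", "ack", "psh", "urg"),
    ("syn",), ("syn", "ack"), ("syn", "ack", "urg"), ("syn", "ack", "psh"),
    ("syn", "ack", "psh", "urg"),
    ("fin", "ack"), ("fin", "ack", "urg"), ("fin", "ack", "psh"),
    ("fin", "ack", "psh", "urg"),
]

# What 'nft -f tryx' printed back for the set: lone flags by name, combinations in hex.
NFT_LISTED = ("ack, 0x30, 0x18, 0x38, rst, 0x14, 0x34, 0x1c, 0x3c, syn, "
              "0x12, 0x32, 0x1a, 0x3a, 0x11, 0x31, 0x19, 0x39")

def flags_value(names):
    """OR the named flags together, as '|' does inside a tcp_flag set element."""
    value = 0
    for name in names:
        value |= FLAGS[name]
    return value

def good_flag_values():
    """Numeric value of every element of the set, in the set's own order."""
    return [flags_value(combo) for combo in GOOD_COMBINATIONS]

def parse_nft_listing(text):
    """Turn nft's 'elements = { ... }' rendering back into numeric flag values."""
    values = []
    for token in text.split(","):
        token = token.strip()
        values.append(FLAGS[token] if token in FLAGS else int(token, 16))
    return values

def describe(value):
    """Render a flag byte as names, e.g. 0x30 -> 'ack|urg', so hex elements are readable."""
    return "|".join(name for name, bit in FLAGS.items() if value & bit) or "0"

def is_good(value):
    """Exact-match membership test, the comparison 'tcp flags == @tcp_good_flags' makes."""
    return value in set(good_flag_values())

if __name__ == "__main__":  # readable view of nft's listing
    print(", ".join(f"0x{v:02x}={describe(v)}" for v in parse_nft_listing(NFT_LISTED)))
```

Running it shows the 18 listed values are exactly the intended combinations, and that a null scan (0x00), syn|fin (0x03) or fin|psh|urg (0x29) is not a member.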