nft: segfault after adding to { type ipv4_addr; flags interval; } set

nft: segfault after adding to { type ipv4_addr; flags interval; } set

[Asbjørn Sloth Tønnesen]

[-- Attachment #1: Type: text/plain, Size: 2732 bytes --]

Hi,

I have been trying to migrate an ipset net:hash set to a nftables set.
I don't need the nomatch feature of ipset net:hash, a set with network
prefixes should do just fine. I do need it as a named set through.

A plain type ipv4_addr set can only hold individual addresses, so
that doesn't work with network prefixes.

I found the flags interval in the bison code, and so I tried
to test if that would work.

# nft add table testtbl
# nft add set testtbl testset { type ipv4_addr\; flags interval\; }
# nft add element testtbl testset { 192.168.3.0/24 }
> BUG: invalid data expression type prefix
> nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
> Aborted
# nft add element testtbl testset { 192.168.3.0-192.168.3.255 }
> BUG: invalid data expression type range
> nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
> Aborted
# nft add element testtbl testset { 192.168.3.0, 192.168.3.255 }
# nft list tables
> Segmentation fault
# nft flush ruleset
> Segmentation fault

How was the interval flag intended to work?

It would be great if the ipset article on the wiki, could have some info
on how to migrate separate ipset types to nftables set types.
The "Supported features compared to xtables" passes ipset having
been superseeded by the nftables native sets.


Versions:

nftables: c2494dd + debian version 0.5+snapshot20151106-1
libnftnl: 18bd297 + debian version 1.0.5+snapshot20151106-1
kernel: 4.4.0 + 4.3.3


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7509e34 in __gmpz_sub () from /usr/lib/x86_64-linux-gnu/libgmp.so.10
(gdb) bt
#0  0x00007ffff7509e34 in __gmpz_sub () from /usr/lib/x86_64-linux-gnu/libgmp.so.10
#1  0x000000000041a47e in interval_map_decompose (set=0x652b60) at segtree.c:549
#2  0x0000000000414a8c in netlink_get_setelems (ctx=ctx@entry=0x7fffffff8b80, 
    h=h@entry=0x6528b0, loc=0x438b20 <internal_location>, set=set@entry=0x6528a0)
    at netlink.c:1531
#3  0x000000000040750e in cache_init_objects (cmd=CMD_FLUSH, ctx=0x7fffffff8b80)
    at rule.c:84
#4  cache_init (msgs=0x7fffffffdcd0, cmd=CMD_FLUSH) at rule.c:130
#5  cache_update (cmd=CMD_FLUSH, msgs=0x7fffffffdcd0) at rule.c:147
#6  0x000000000040f70a in cmd_evaluate (ctx=0x7fffffffe2c8, cmd=0x652640)
    at evaluate.c:2369
#7  0x000000000042887d in nft_parse (scanner=scanner@entry=0x652590, 
    state=state@entry=0x7fffffffdce0) at parser_bison.y:652
#8  0x00000000004063cd in nft_run (scanner=scanner@entry=0x652590, 
    state=state@entry=0x7fffffffdce0, msgs=msgs@entry=0x7fffffffdcd0) at main.c:231
#9  0x0000000000406022 in main (argc=<optimized out>, argv=<optimized out>)
    at main.c:357

-- 
Best regards
Asbjørn Sloth Tønnesen
Network Engineer
Fiberby ApS - AS42541

Re: nft: segfault after adding to { type ipv4_addr; flags interval; } set

[Pablo Neira Ayuso]

On Wed, Jan 13, 2016 at 07:35:09PM +0000, Asbjørn Sloth Tønnesen wrote:
> Hi,
> 
> I have been trying to migrate an ipset net:hash set to a nftables set.
> I don't need the nomatch feature of ipset net:hash, a set with network
> prefixes should do just fine. I do need it as a named set through.
> 
> A plain type ipv4_addr set can only hold individual addresses, so
> that doesn't work with network prefixes.
> 
> I found the flags interval in the bison code, and so I tried
> to test if that would work.
> 
> # nft add table testtbl
> # nft add set testtbl testset { type ipv4_addr\; flags interval\; }
> # nft add element testtbl testset { 192.168.3.0/24 }
> > BUG: invalid data expression type prefix
> > nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
> > Aborted
> # nft add element testtbl testset { 192.168.3.0-192.168.3.255 }
> > BUG: invalid data expression type range
> > nft: netlink.c:323: netlink_gen_data: Assertion `0' failed.
> > Aborted
> # nft add element testtbl testset { 192.168.3.0, 192.168.3.255 }
> # nft list tables
> > Segmentation fault
> # nft flush ruleset
> > Segmentation fault
> 
> How was the interval flag intended to work?

Just posted several patches on the mailing list, it would be good if
you can intensively test them. They apply on top of the current git
tree.

BTW, deletion is not implemented in nft, but I think it should be easy
to follow up with a patch to make it.

> It would be great if the ipset article on the wiki, could have some info
> on how to migrate separate ipset types to nftables set types.

Would you like to start such article? I can create an account in the
wiki page too, it would be a nice contribution.

Let me know,
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: nft: segfault after adding to { type ipv4_addr; flags interval; } set

[Asbjørn Sloth Tønnesen]

[-- Attachment #1: Type: text/plain, Size: 994 bytes --]

Hi Pablo,

On Tue, 19 Jan 2016 19:46:48 +0100, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Just posted several patches on the mailing list, it would be good if
> you can intensively test them. They apply on top of the current git
> tree.

Thanks, I will have a look at them, and test em.

> BTW, deletion is not implemented in nft, but I think it should be easy
> to follow up with a patch to make it.

I will need this, so I take a stab at it.

I am currently heading to a ski resort in France, but I expect to
get it tested next week, before I am heading to FOSDEM.
If my colleagues get too boring, I might test them before then.

> > It would be great if the ipset article on the wiki, could have some info
> > on how to migrate separate ipset types to nftables set types.
> 
> Would you like to start such article? I can create an account in the
> wiki page too, it would be a nice contribution.

Sure.

-- 
Best regards
Asbjørn Sloth Tønnesen
Network Engineer
Fiberby ApS - AS42541