* nftables: nft fails to add rules to chains
From: Laurent Bercot @ 2015-03-19 20:24 UTC (permalink / raw)
  To: netfilter


  Hello,

  (Platform: Intel Atom (x86_64), Linux 3.19.1, musl 1.1.7,
latest nftables/libnftnl/libmnl from git. All iptables modules
out of the kernel, all necessary nftables modules in.)

  I can flush tables, create tables and create chains with nft
without trouble; however, every time I try and add a rule to
a chain, no matter what chain, no matter in what table, I get
the following error:

  netlink.c:182: Memory allocation failure

  I dug a bit and found that the error always happens when
alloc_nft_expr() is called for the *first* time (which is also
the last, since nft exits at that point...) and it is always
called with the argument "payload".

  What is happening? Anything I could do to help fix it?
  Thanks,

-- 
  Laurent



* Re: nftables: nft fails to add rules to chains
From: Laurent Bercot @ 2015-03-21 20:16 UTC (permalink / raw)
  To: netfilter


  Bumping, since it looks like there are people from the project
reading this list at this time.

  Any idea on what is happening and how to solve it? This is
preventing me from using nftables in my project. On the other
hand, if nftables, which is supposed to be the shiny new thing,
is still considered alpha and not to be used yet in real life,
it would be nice to know it ASAP.

  Thanks.

-- 
  Laurent



* Re: nftables: nft fails to add rules to chains
From: Pablo Neira Ayuso @ 2015-03-22 18:31 UTC (permalink / raw)
  To: Laurent Bercot; +Cc: netfilter


On Thu, Mar 19, 2015 at 09:24:09PM +0100, Laurent Bercot wrote:
> 
>  Hello,
> 
>  (Platform: Intel Atom (x86_64), Linux 3.19.1, musl 1.1.7,
> latest nftables/libnftnl/libmnl from git. All iptables modules
> out of the kernel, all necessary nftables modules in.)
> 
>  I can flush tables, create tables and create chains with nft
> without trouble; however, every time I try and add a rule to
> a chain, no matter what chain, no matter in what table, I get
> the following error:
> 
>  netlink.c:182: Memory allocation failure

I think this error is bogus. Please, apply this patch to libnftnl and
let us know.  For some reason __init is being ignored, are you using
gcc?


Attached patch x.patch:

diff --git a/src/expr.c b/src/expr.c
index 79782fa..db84d0b 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -29,8 +29,11 @@ struct nft_rule_expr *nft_rule_expr_alloc(const char *name)
 	struct expr_ops *ops;
 
 	ops = nft_expr_ops_lookup(name);
-	if (ops == NULL)
+	if (ops == NULL) {
+		fprintf(stderr, "libnftnl: Expression '%s' not supported\n",
+			name);
 		return NULL;
+	}
 
 	expr = calloc(1, sizeof(struct nft_rule_expr) + ops->alloc_len);
 	if (expr == NULL)
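Review bot: in the `ops == NULL` branch the function still returns NULL exactly as the `calloc` failure branch right below it does, so the caller (nft) still cannot tell "expression not supported" from out-of-memory, which is why it keeps printing a memory-allocation error; the added `fprintf` only annotates the symptom. Set `errno` to a distinguishing value before leaving that branch, for example `errno = EOPNOTSUPP;` ahead of `return NULL;`, so the caller can report the real cause, and reconsider the unconditional stderr write, since a library printing into its callers' output is usually unwelcome. If expr.c does not already include `<stdio.h>` (and `<errno.h>` for the errno variant), add them.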


* Re: nftables: nft fails to add rules to chains
From: Laurent Bercot @ 2015-03-22 18:45 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

  Hi Pedro,

  Thanks for answering.
  Patch applied, and as expected nft now fails with the messages

libnftnl: Expression 'payload' not supported
netlink.c:182: Memory allocation failure


> I think this error is bogus. Please, apply this patch to libnftnl and
> let us know.  For some reason __init is being ignored, are you using
> gcc?

  I am using gcc (version 4.8.3). However I am not using glibc, but musl,
and I link statically. This is probably the main difference between my
system and the ones you guys are used to.
  Is the "constructor" gcc attribute incompatible with static linking?
Or is nft using glibc-specific constructs?

-- 
  Laurent



* Re: nftables: nft fails to add rules to chains
From: Laurent Bercot @ 2015-03-22 18:47 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

  And my apologies for mangling your name. -_-
  (I just wrote a mail to a Pedro before replying. Sigh.)



* Re: nftables: nft fails to add rules to chains
From: Pablo Neira Ayuso @ 2015-03-22 19:00 UTC (permalink / raw)
  To: Laurent Bercot; +Cc: netfilter

On Sun, Mar 22, 2015 at 07:45:18PM +0100, Laurent Bercot wrote:
>  Hi Pedro,
> 
>  Thanks for answering.
>  Patch applied, and as expected nft now fails with the messages
> 
> libnftnl: Expression 'payload' not supported
> netlink.c:182: Memory allocation failure
> 
> 
> >I think this error is bogus. Please, apply this patch to libnftnl and
> >let us know.  For some reason __init is being ignored, are you using
> >gcc?
> 
>  I am using gcc (version 4.8.3). However I am not using glibc, but musl,
> and I link statically. This is probably the main difference between my
> system and the ones you guys are used to.
>  Is the "constructor" gcc attribute incompatible with static linking ?

The constructor seems to be ignored with static links, libnftnl needs
a fix.


* Re: nftables: nft fails to add rules to chains
From: Laurent Bercot @ 2015-03-22 19:00 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

On 22/03/2015 20:00, Pablo Neira Ayuso wrote:
> The constructor seems to be ignored with static links, libnftnl needs
> a fix.

  OK, I'll try linking dynamically until it's fixed then.
  Thank you!

-- 
  Laurent



* Re: nftables: nft fails to add rules to chains
From: Pablo Neira Ayuso @ 2015-03-23 11:45 UTC (permalink / raw)
  To: Laurent Bercot; +Cc: netfilter

On Sun, Mar 22, 2015 at 08:00:37PM +0100, Laurent Bercot wrote:
> On 22/03/2015 20:00, Pablo Neira Ayuso wrote:
> >The constructor seems to be ignored with static links, libnftnl needs
> >a fix.
> 
>  OK, I'll try linking dynamically until it's fixed then.

Please, manually apply this:

http://patchwork.ozlabs.org/patch/453392/

And provide feedback. Thank you.


* nftables feature request: don't fail "flush" on nonexistent tables (was: nftables: nft fails to add rules to chains)
From: Laurent Bercot @ 2015-03-23 13:32 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

On 23/03/2015 12:45, Pablo Neira Ayuso wrote:
> Please, manually apply this:
>
> http://patchwork.ozlabs.org/patch/453392/
>
> And provide feedback. Thank you.

  Done. It's working beautifully. Thank you.

  Now that I can play with nft, I have a feature request:

  I'm saving my rule set in a file, called whenever the rule
set must be applied/reapplied via nft -f. (It's to be applied
whenever my DHCP client obtains a new lease.)
  I would like the rule set file to be the same for the first
time and the subsequent times the rules are applied. It's only
logical.
  I have to "flush table nat" and "flush table filter" at the
beginning of the file, so nft does not duplicate rules on the
second and later invocations.
  Problem is, the first invocation fails on those "flush" lines,
because the tables are not defined yet!

  Is there a way for me to tell nft -f to ignore failures on "flush"?
I'm ok with an option to nft if you so choose. I'm also ok with a
warning in my logs, provided nft keeps reading the ruleset, does the
job, and exits 0.

  Thanks,

-- 
  Laurent



* Re: nftables feature request: don't fail "flush" on nonexistent tables (was: nftables: nft fails to add rules to chains)
From: Arturo Borrero Gonzalez @ 2015-03-23 19:42 UTC (permalink / raw)
  To: Laurent Bercot; +Cc: Pablo Neira Ayuso, Netfilter Users Mailing list

On 23 March 2015 at 14:32, Laurent Bercot <ska-devel@skarnet.org> wrote:
> On 23/03/2015 12:45, Pablo Neira Ayuso wrote:
>>
>> Please, manually apply this:
>>
>> http://patchwork.ozlabs.org/patch/453392/
>>
>> And provide feedback. Thank you.
>
>
>  Done. It's working beautifully. Thank you.
>
>  Now that I can play with nft, I have a feature request:
>
>  I'm saving my rule set in a file, called whenever the rule
> set must be applied/reapplied via nft -f. (It's to be applied
> whenever my DHCP client obtains a new lease.)
>  I would like the rule set file to be the same for the first
> time and the subsequent times the rules are applied. It's only
> logical.
>  I have to "flush table nat" and "flush table filter" at the
> beginning of the file, so nft does not duplicate rules on the
> second and later invocations.
>  Problem is, the first invocation fails on those "flush" lines,
> because the tables are not defined yet!

perhaps `flush ruleset'.

That doesn't fail if there is no ruleset.

-- 
Arturo Borrero González


* Re: nftables feature request: don't fail "flush" on nonexistent tables
From: Laurent Bercot @ 2015-03-24 10:06 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Pablo Neira Ayuso, Netfilter Users Mailing list

On 23/03/2015 20:42, Arturo Borrero Gonzalez wrote:
> perhaps `flush ruleset'.
>
> That doesn't fail if there is no ruleset.

  It's exactly what I was looking for, thanks.

-- 
  Laurent

