[nft PATCH] tests: shell: Prevent lockout in nft-f/0008split_tables_0

2017-11-21 Thread Phil Sutter
Since packets traverse both tables, the accept rule in the first one is
ineffective due to the second table's drop policy. To prevent lockouts
when running the testsuite via SSH connection, set the second chain's
policy to accept as well.

Fixes: 337c7e0de3d9d ("tests: shell: make sure split table definition works via nft -f")
Signed-off-by: Phil Sutter 
---
 tests/shell/testcases/nft-f/0008split_tables_0 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0
index 2bc6e46c852a6..dd03545b172ac 100755
--- a/tests/shell/testcases/nft-f/0008split_tables_0
+++ b/tests/shell/testcases/nft-f/0008split_tables_0
@@ -19,7 +19,7 @@ RULESET="table inet filter {
 
 table inet filter {
chain input {
-   type filter hook input priority 1; policy drop;
+   type filter hook input priority 1; policy accept;
}
 }"
 
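Review bot: after this hunk both base chains on hook input carry `policy accept`, so the `tcp dport ssh accept` rule in chain ssh is redundant and the ruleset no longer filters anything; that is acceptable for a test about split table definitions, but the commit message should state that dropping the `drop` policy is deliberate so it is not read as a change in what the test exercises. The alternative raised in the thread, keeping `policy drop` here and duplicating the ssh accept rule into chain input, would avoid the lockout while still covering a non-default policy in the second table definition.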
@@ -37,7 +37,7 @@ EXPECTED="table inet filter {
}
 
chain input {
-   type filter hook input priority 1; policy drop;
+   type filter hook input priority 1; policy accept;
}
 }"
 
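Review bot: this EXPECTED hunk has to mirror the RULESET change exactly, and it does (same chain, same priority, `policy drop` to `policy accept`); since nothing in the file explains why the priority-1 chain must not drop, a one-line comment next to RULESET noting that every base chain on the hook is traversed and a drop policy here cuts the SSH session would keep a later cleanup from reinstating `policy drop`.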
-- 
2.13.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: nftables: lockout with 0008split_tables_0 test

2017-11-21 Thread Arturo Borrero Gonzalez
On 21 November 2017 at 19:39, Arturo Borrero Gonzalez wrote:
> On 21 November 2017 at 18:09, Florian Westphal wrote:
>>
>> Yes, that's expected.
>> First the ssh base chain gets invoked, which accepts any packet
>> either by verdict or policy.
>>
>> Then the next base chain gets consulted, which drops the packet.
>>
>> I would suggest either swapping the policies or duplicating the ssh
>> rule into the input chain too.
>
> This is something which is actually confusing our users.
> I just took the time to extend the documentation a bit:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>
> Of course, feel free to edit the docs :-)

Unrelated, but I would like to mention another thing that lacks
documentation: the interaction of packet flows between families/hooks.

* Does a packet traversing a chain in the ip family traverse chains in
the inet family again? And the other way around?
* Does a packet accepted in the netdev/ingress family/hook get
evaluated again in the ip/ip6/inet families/hooks?


Re: nftables: lockout with 0008split_tables_0 test

2017-11-21 Thread Arturo Borrero Gonzalez
On 21 November 2017 at 18:09, Florian Westphal wrote:
>
> Yes, that's expected.
> First the ssh base chain gets invoked, which accepts any packet
> either by verdict or policy.
>
> Then the next base chain gets consulted, which drops the packet.
>
> I would suggest either swapping the policies or duplicating the ssh
> rule into the input chain too.

This is something which is actually confusing our users.
I just took the time to extend the documentation a bit:

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

Of course, feel free to edit the docs :-)


Re: nftables: lockout with 0008split_tables_0 test

2017-11-21 Thread Florian Westphal
Phil Sutter wrote:
> Hi,
> 
> This is about tests/shell/testcases/nft-f/0008split_tables_0, which adds
> the following simple ruleset:
> 
> | table inet filter {
> | chain ssh {
> | type filter hook input priority 0; policy accept;
> | tcp dport ssh accept;
> | }
> | }
> | 
> | table inet filter {
> | chain input {
> | type filter hook input priority 1; policy drop;
> | }
> | }
> 
> If applied, it kills my SSH connection. :(

Yes, that's expected.
First the ssh base chain gets invoked, which accepts any packet
either by verdict or policy.

Then the next base chain gets consulted, which drops the packet.

I would suggest either swapping the policies or duplicating the ssh
rule into the input chain too.
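Florian's point, that an accept verdict only finishes the current base chain and the packet still enters the next base chain on the same hook, is the whole cause of the lockout. The following is an added example (mine, not code from the nftables tree, the test case or anyone in the thread): a small Python model of base-chain traversal on one hook. The `Packet`, `Rule`, `BaseChain` types and `parse_ruleset` are hypothetical helpers that understand only the constructs this test case uses. The rulesets evaluated are the one Phil quoted, the variant the patch produces, and the "duplicate the ssh rule into the input chain" variant Florian suggests.

```python
import re
from dataclasses import dataclass, field

# Service names used by the toy ruleset; real nft resolves these via /etc/services.
SERVICES = {"ssh": 22}


@dataclass
class Packet:
    proto: str
    dport: int


@dataclass
class Rule:
    proto: str
    dport: int
    verdict: str


@dataclass
class BaseChain:
    name: str
    hook: str
    priority: int
    policy: str
    rules: list = field(default_factory=list)

    def verdict(self, pkt):
        """Verdict of this chain alone: first matching rule, otherwise the policy."""
        for rule in self.rules:
            if rule.proto == pkt.proto and rule.dport == pkt.dport:
                return rule.verdict
        return self.policy


# Hypothetical minimal parser: only the syntax present in 0008split_tables_0.
CHAIN_RE = re.compile(r"chain (\w+) \{")
TYPE_RE = re.compile(r"type filter hook (\w+) priority (-?\d+); policy (accept|drop);")
RULE_RE = re.compile(r"(tcp|udp) dport (\w+) (accept|drop);")


def parse_ruleset(text):
    """Collect base chains. Repeated 'table inet filter {' blocks are merged,
    which is what the split table definition in the test relies on."""
    chains, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CHAIN_RE.match(line)):
            current = BaseChain(name=m.group(1), hook="", priority=0, policy="accept")
            chains.append(current)
        elif current is not None and (m := TYPE_RE.match(line)):
            current.hook, current.priority, current.policy = m.group(1), int(m.group(2)), m.group(3)
        elif current is not None and (m := RULE_RE.match(line)):
            name = m.group(2)
            port = SERVICES[name] if name in SERVICES else int(name)
            current.rules.append(Rule(m.group(1), port, m.group(3)))
        elif line == "}" and current is not None:
            current = None  # end of chain; the table's own '}' is a no-op
    return chains


def traverse_hook(chains, hook, pkt):
    """Walk every base chain registered on `hook` in priority order.
    'accept' only ends the current chain and the packet continues into the
    next base chain; 'drop' is final. Returns (final verdict, per-chain trace)."""
    trace = []
    for chain in sorted((c for c in chains if c.hook == hook), key=lambda c: c.priority):
        v = chain.verdict(pkt)
        trace.append((chain.name, v))
        if v == "drop":
            return "drop", trace
    return "accept", trace


def final_verdict(ruleset_text, pkt):
    return traverse_hook(parse_ruleset(ruleset_text), "input", pkt)[0]


# Ruleset as quoted in the thread (the pre-patch test case).
ORIGINAL = """table inet filter {
    chain ssh {
        type filter hook input priority 0; policy accept;
        tcp dport ssh accept;
    }
}

table inet filter {
    chain input {
        type filter hook input priority 1; policy drop;
    }
}
"""
# What the patch produces: second chain's policy becomes accept.
PATCHED = ORIGINAL.replace("priority 1; policy drop;", "priority 1; policy accept;")
# Florian's other suggestion, constructed here: keep the drop policy, repeat the ssh rule.
DUPLICATED = ORIGINAL.replace("priority 1; policy drop;",
                              "priority 1; policy drop;\n        tcp dport ssh accept;")

if __name__ == "__main__":
    ssh_pkt = Packet("tcp", 22)
    for label, rs in (("original", ORIGINAL), ("patched", PATCHED), ("ssh rule duplicated", DUPLICATED)):
        verdict, trace = traverse_hook(parse_ruleset(rs), "input", ssh_pkt)
        print(f"{label:20s} ssh packet: {trace} -> {verdict}")
```

The trace for the original ruleset reads `[('ssh', 'accept'), ('input', 'drop')]`: the first chain did accept the SSH packet, and the second chain still dropped it. With the patch every packet is accepted, which is harmless for a syntax test; the duplicated-rule variant keeps a drop policy and still lets SSH through, which is the shape a production ruleset would take.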