Bug#1067161: nftables: BUG: invalid mapping expression variable

2024-03-23 Thread Jeremy Sowden
On 2024-03-20, at 14:44:21 +0100, Daniel Gröber wrote:
> On Tue, Mar 19, 2024 at 06:27:11PM +, Jeremy Sowden wrote:
> > On 2024-03-19, at 16:00:28 +0100, Daniel Gröber wrote:
> > > The nftables config below triggers a BUG.
> > > 
> > > $ nft -f /etc/nftables.conf
> > > BUG: invalid mapping expression variable
> > > nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
> > > Aborted
> > > 
> > > Refactoring to using $srvaddr_map instead of having the anonymous
> > > map inline made the bug trigger.
> > 
> > That assertion has since been replaced upstream by a normal
> > error-message:
> > 
> >   /space/azazel/tmp/ruleset.1067161.nft:6:58-69: Error: invalid mapping expression variable
> >   ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
> >   ~~
> > 
> 
> Fair enough then. I do find this a bit of an arbitrary limitation
> however.

Agreed.

> > Because of the way parsing works in nftables, one can't use a
> > symbolic variable in that context.  This, however, will work:
> 
> Yup, that's what I'm doing now. I just keep running into these little
> irritating limitations with nftables and wanted to at least document
> this one somewhere.
> 
> Do you think it's worth forwarding this report upstream anyway? I
> would like to sand off sharp nftables edges such as this.

Also agreed.  Leave it with me.  I'll send a patch or open a report in
the upstream Bugzilla.

> In case you're curious what I was working on: a generic way to have
> isolated v6 service addresses for software that doesn't support
> SO_BINDTODEV (*cough* syncthing *cough*) without hardcoding any
> prefixes https://paste.debian.net/hidden/66c2ef6e/

J.


signature.asc
Description: PGP signature


Bug#1067161: nftables: BUG: invalid mapping expression variable

2024-03-20 Thread Daniel Gröber
Hi Jeremy,

On Tue, Mar 19, 2024 at 06:27:11PM +, Jeremy Sowden wrote:
> On 2024-03-19, at 16:00:28 +0100, Daniel Gröber wrote:
> > The nftables config below triggers a BUG.
> > 
> > $ nft -f /etc/nftables.conf
> > BUG: invalid mapping expression variable
> > nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
> > Aborted
> > 
> > Refactoring to using $srvaddr_map instead of having the anonymous map
> > inline made the bug trigger.
> 
> That assertion has since been replaced upstream by a normal
> error-message:
> 
>   /space/azazel/tmp/ruleset.1067161.nft:6:58-69: Error: invalid mapping expression variable
>   ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
>   ~~
> 

Fair enough then. I do find this a bit of an arbitrary limitation however.

> Because of the way parsing works in nftables, one can't use a symbolic
> variable in that context.  This, however, will work:

Yup, that's what I'm doing now. I just keep running into these little
irritating limitations with nftables and wanted to at least document this
one somewhere.

Do you think it's worth forwarding this report upstream anyway? I would
like to sand off sharp nftables edges such as this.

In case you're curious what I was working on: a generic way to have isolated
v6 service addresses for software that doesn't support SO_BINDTODEV
(*cough* syncthing *cough*) without hardcoding any prefixes
https://paste.debian.net/hidden/66c2ef6e/

--Daniel





Bug#1067161: nftables: BUG: invalid mapping expression variable

2024-03-19 Thread Jeremy Sowden
On 2024-03-19, at 16:00:28 +0100, Daniel Gröber wrote:
> Package: nftables
> Version: 1.0.6-2+deb12u2
> Severity: normal
> 
> Dear Maintainer,
> 
> The nftables config below triggers a BUG.
> 
> $ nft -f /etc/nftables.conf
> BUG: invalid mapping expression variable
> nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
> Aborted
> 
> Refactoring to using $srvaddr_map instead of having the anonymous map
> inline made the bug trigger.

That assertion has since been replaced upstream by a normal
error-message:

  /space/azazel/tmp/ruleset.1067161.nft:6:58-69: Error: invalid mapping expression variable
  ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
  ~~


> -- Configuration Files:
> /etc/nftables.conf changed:
> flush ruleset
> define iid_mask6 = :::::
> define srvaddr_map = { ::8384 : 8384 }
> table inet filter {
>   chain input {
>     type filter hook input priority filter;
>   }
>   chain prerouting {
>     type nat hook prerouting priority dstnat;
>     ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map # s/ map.*/{ ::8384 : 8384 }/  works
>   }
>   chain forward {
>     type filter hook forward priority filter;
>   }
>   chain output {
>     type filter hook output priority filter;
>   }
> }

Because of the way parsing works in nftables, one can't use a symbolic
variable in that context.  This, however, will work:

  define iid_mask6 = :::::
  define srvaddr_map = { ::8384 : 8384 }
  table inet filter {
    map srvaddr_map {
      typeof ip6 daddr : tcp dport;
      elements = $srvaddr_map
    }
    chain prerouting {
      type nat hook prerouting priority dstnat;
      ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
    }
  }

or more concisely:

  define iid_mask6 = :::::
  table inet filter {
    map srvaddr_map {
      typeof ip6 daddr : tcp dport;
      elements = { ::8384 : 8384 }
    }
    chain prerouting {
      type nat hook prerouting priority dstnat;
      ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
    }
  }

J.


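A pre-flight check for the limitation discussed above, written as an added example for this thread (it is not code from the report, from the Debian package, or from nftables upstream): it scans a ruleset for rules that write `map $var` where `$var` is a `define` bound to a `{ key : value }` literal, which is the construct nft rejects with "invalid mapping expression variable", and it can rewrite such a rule to the `map @var` form that needs a named map declared in the table. The sample ruleset is constructed after the one in the report; its mask value is a placeholder, and the `typeof` key and value expressions for the named map are supplied by the caller because they cannot be inferred from the `define` alone.

```python
import re

# Constructed sample ruleset, modelled on the one in the bug report.
# The mask value is a placeholder chosen for this example; the check
# does not depend on it.
SAMPLE_RULESET = """\
flush ruleset
define iid_mask6 = ::ffff:ffff:ffff:ffff
define srvaddr_map = { ::8384 : 8384 }
table inet filter {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
  }
}
"""

DEFINE_RE = re.compile(r'^\s*define\s+(\w+)\s*=\s*(.+?)\s*$')
MAP_VAR_RE = re.compile(r'\bmap\s+\$(\w+)\b')


def _strip_comment(line):
    # nft uses '#' for line comments; drop everything after it.
    return line.split('#', 1)[0]


def collect_defines(ruleset):
    """Map each `define NAME = VALUE` to (line_no, value_text)."""
    defines = {}
    for no, line in enumerate(ruleset.splitlines(), 1):
        m = DEFINE_RE.match(_strip_comment(line))
        if m:
            defines[m.group(1)] = (no, m.group(2))
    return defines


def find_map_variable_uses(ruleset):
    """Return one (rule_line_no, var_name, define_line_no) tuple per rule
    that writes `map $var` where $var was bound by `define` to a
    `{ key : value }` literal.  nft rejects that construct with
    'invalid mapping expression variable'; the literal has to be declared
    as a named map and referenced as `map @var` instead."""
    defines = collect_defines(ruleset)
    findings = []
    for no, line in enumerate(ruleset.splitlines(), 1):
        for m in MAP_VAR_RE.finditer(_strip_comment(line)):
            name = m.group(1)
            if name in defines and defines[name][1].startswith('{'):
                findings.append((no, name, defines[name][0]))
    return findings


def rewrite_rule(line, var_name):
    """Rewrite `map $var` to `map @var` in a single rule line."""
    return re.sub(r'\bmap\s+\$' + re.escape(var_name) + r'\b',
                  'map @' + var_name, line)


def named_map_stanza(var_name, key_typeof, value_typeof):
    """Build the named-map declaration that has to sit inside the table.
    The key/value `typeof` expressions come from the caller, since they
    cannot be inferred from the define alone."""
    return ('map %s {\n'
            '  typeof %s : %s;\n'
            '  elements = $%s\n'
            '}' % (var_name, key_typeof, value_typeof, var_name))


def check(ruleset):
    """Print one finding per offending rule; return the number found."""
    findings = find_map_variable_uses(ruleset)
    for rule_no, name, def_no in findings:
        print(f"line {rule_no}: 'map ${name}' uses a define (line {def_no}); "
              f"nft will reject this. Declare a named map and use "
              f"'map @{name}' instead.")
    return len(findings)


if __name__ == '__main__':
    check(SAMPLE_RULESET)
```

Run it over a ruleset file's contents before `nft -f`; a non-zero count means the load would fail with the error quoted above, and `rewrite_rule` plus `named_map_stanza` give the two pieces of the workaround shown in the reply.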


Bug#1067161: nftables: BUG: invalid mapping expression variable

2024-03-19 Thread Daniel Gröber
Package: nftables
Version: 1.0.6-2+deb12u2
Severity: normal

Dear Maintainer,

The nftables config below triggers a BUG.

$ nft -f /etc/nftables.conf
BUG: invalid mapping expression variable
nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
Aborted

Refactoring to using $srvaddr_map instead of having the anonymous map
inline made the bug trigger.

Thanks,
--Daniel

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'oldoldstable-updates'), (500, 'oldoldstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  libc6 2.36-9+deb12u4
ii  libedit2  3.1-20221030-2
ii  libnftables1  1.0.6-2+deb12u2

Versions of packages nftables recommends:
ii  netbase  6.4

Versions of packages nftables suggests:
pn  firewalld  

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
define iid_mask6 = :::::
define srvaddr_map = { ::8384 : 8384 }
table inet filter {
  chain input {
    type filter hook input priority filter;
  }
  chain prerouting {
    type nat hook prerouting priority dstnat;
    ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map # s/ map.*/{ ::8384 : 8384 }/  works
  }
  chain forward {
    type filter hook forward priority filter;
  }
  chain output {
    type filter hook output priority filter;
  }
}


-- no debconf information