Bug#1067161: nftables: BUG: invalid mapping expression variable
On 2024-03-20, at 14:44:21 +0100, Daniel Gröber wrote:
> On Tue, Mar 19, 2024 at 06:27:11PM +, Jeremy Sowden wrote:
> > On 2024-03-19, at 16:00:28 +0100, Daniel Gröber wrote:
> > > The nftables config below triggers a BUG.
> > >
> > > $ nft -f /etc/nftables.conf
> > > BUG: invalid mapping expression variable
> > > nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
> > > Aborted
> > >
> > > Refactoring to using $srvaddr_map instead of having the anonymous
> > > map inline made the bug trigger.
> >
> > That assertion has since been replaced upstream by a normal
> > error-message:
> >
> > /space/azazel/tmp/ruleset.1067161.nft:6:58-69: Error: invalid mapping
> > expression variable
> > ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
> > ~~
>
> Fair enough then. I do find this a bit of an arbitrary limitation
> however.

Agreed.

> > Because of the way parsing works in nftables, one can't use a
> > symbolic variable in that context. This, however, will work:
>
> Yup, that's what I'm doing now. I just keep running into these little
> irritating limitations with nftables and wanted to at least document
> this one somewhere.
>
> Do you think it's worth forwarding this report upstream anyway? I
> would like to sand off sharp nftables edges such as this.

Also agreed. Leave it with me. I'll send a patch or open a report in
the upstream Bugzilla.

> In case you're curious what I was working on: a generic way to have
> isolated v6 service addresses for software that doesn't support
> SO_BINDTODEV (*cough* syncthing *cough*) without hardcoding any
> prefixes https://paste.debian.net/hidden/66c2ef6e/

J.
Bug#1067161: nftables: BUG: invalid mapping expression variable
Hi Jeremy,

On Tue, Mar 19, 2024 at 06:27:11PM +, Jeremy Sowden wrote:
> On 2024-03-19, at 16:00:28 +0100, Daniel Gröber wrote:
> > The nftables config below triggers a BUG.
> >
> > $ nft -f /etc/nftables.conf
> > BUG: invalid mapping expression variable
> > nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
> > Aborted
> >
> > Refactoring to using $srvaddr_map instead of having the anonymous map
> > inline made the bug trigger.
>
> That assertion has since been replaced upstream by a normal
> error-message:
>
> /space/azazel/tmp/ruleset.1067161.nft:6:58-69: Error: invalid mapping
> expression variable
> ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
> ~~

Fair enough then. I do find this a bit of an arbitrary limitation however.

> Because of the way parsing works in nftables, one can't use a symbolic
> variable in that context. This, however, will work:

Yup, that's what I'm doing now. I just keep running into these little
irritating limitations with nftables and wanted to at least document
this one somewhere.

Do you think it's worth forwarding this report upstream anyway? I would
like to sand off sharp nftables edges such as this.

In case you're curious what I was working on: a generic way to have
isolated v6 service addresses for software that doesn't support
SO_BINDTODEV (*cough* syncthing *cough*) without hardcoding any prefixes
https://paste.debian.net/hidden/66c2ef6e/

--Daniel
Bug#1067161: nftables: BUG: invalid mapping expression variable
On 2024-03-19, at 16:00:28 +0100, Daniel Gröber wrote:
> Package: nftables
> Version: 1.0.6-2+deb12u2
> Severity: normal
>
> Dear Maintainer,
>
> The nftables config below triggers a BUG.
>
> $ nft -f /etc/nftables.conf
> BUG: invalid mapping expression variable
> nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
> Aborted
>
> Refactoring to using $srvaddr_map instead of having the anonymous map
> inline made the bug trigger.

That assertion has since been replaced upstream by a normal
error-message:

/space/azazel/tmp/ruleset.1067161.nft:6:58-69: Error: invalid mapping expression variable
ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
~~

> -- Configuration Files:
> /etc/nftables.conf changed:
> flush ruleset
>
> define iid_mask6 = :::::
> define srvaddr_map = { ::8384 : 8384 }
>
> table inet filter {
>     chain input {
>         type filter hook input priority filter;
>     }
>     chain prerouting {
>         type nat hook prerouting priority dstnat;
>         ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map # s/ map.*/{ ::8384 : 8384 }/ works
>     }
>     chain forward {
>         type filter hook forward priority filter;
>     }
>     chain output {
>         type filter hook output priority filter;
>     }
> }

Because of the way parsing works in nftables, one can't use a symbolic
variable in that context. This, however, will work:

define iid_mask6 = :::::
define srvaddr_map = { ::8384 : 8384 }

table inet filter {
    map srvaddr_map {
        typeof ip6 daddr : tcp dport;
        elements = $srvaddr_map
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
    }
}

or more concisely:

define iid_mask6 = :::::

table inet filter {
    map srvaddr_map {
        typeof ip6 daddr : tcp dport;
        elements = { ::8384 : 8384 }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
    }
}

J.
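A pre-load lint for the limitation described above, added here as an example and not part of the report or of nftables itself: it flags any rule that puts a `$variable` straight after the `map` keyword (the form nftables 1.0.6 aborts on), so the offending line can be found before `nft -f` is run. The function name `lint_map_vars` is my own.

```shell
#!/bin/sh
# Added example (not from the bug report): scan an nftables ruleset file
# for "map $variable" usages. nftables 1.0.6 hits the assertion in
# expr_evaluate_map on these; newer versions print "invalid mapping
# expression variable". The working form is a named map referenced as
# "map @name".
#
# Prints "line:text" for every hit. Returns 1 if any were found, 0 if none.
lint_map_vars() {
    ruleset="$1"
    # Strip "#" comments first so a commented-out rule is not reported,
    # then match the standalone keyword "map" followed by "$identifier".
    # sed keeps the line count, so grep -n still reports file line numbers.
    sed 's/#.*//' "$ruleset" \
        | grep -nE '(^|[[:space:]])map[[:space:]]+\$[A-Za-z_][A-Za-z0-9_]*' \
        && return 1
    return 0
}

# Usage: lint_map_vars /etc/nftables.conf
if [ $# -gt 0 ]; then
    if lint_map_vars "$1"; then
        echo "ok: no 'map \$variable' usages in $1"
    else
        echo "error: rewrite the lines above to use a named map (map @name)" >&2
        exit 1
    fi
fi
```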
Bug#1067161: nftables: BUG: invalid mapping expression variable
Package: nftables
Version: 1.0.6-2+deb12u2
Severity: normal

Dear Maintainer,

The nftables config below triggers a BUG.

$ nft -f /etc/nftables.conf
BUG: invalid mapping expression variable
nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
Aborted

Refactoring to using $srvaddr_map instead of having the anonymous map
inline made the bug trigger.

Thanks,
--Daniel

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldoldstable-updates'), (500, 'oldoldstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  libc6         2.36-9+deb12u4
ii  libedit2      3.1-20221030-2
ii  libnftables1  1.0.6-2+deb12u2

Versions of packages nftables recommends:
ii  netbase  6.4

Versions of packages nftables suggests:
pn  firewalld

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset

define iid_mask6 = :::::
define srvaddr_map = { ::8384 : 8384 }

table inet filter {
    chain input {
        type filter hook input priority filter;
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map # s/ map.*/{ ::8384 : 8384 }/ works
    }
    chain forward {
        type filter hook forward priority filter;
    }
    chain output {
        type filter hook output priority filter;
    }
}

-- no debconf information