[Bug 1487] New: iptables-nft broken if building with asserts disabled

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Dec 28 11:13:46 CET 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1487

            Bug ID: 1487
           Summary: iptables-nft broken if building with asserts disabled
           Product: iptables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: jpalus+netfilter at fastmail.com

Created attachment 621
  --> https://bugzilla.netfilter.org/attachment.cgi?id=621&action=edit
fix iptables-nft without asserts

iptables built with asserts disabled (-DNDEBUG in CFLAGS) results in a broken
iptables-nft which does not actually save anything (chains not created
automatically, rules not added etc). The reason for such behavior is that the nft
code includes processing logic within an assert, even though an assert is meant to only
validate invariants and should be safe to disable.

Specifically, the following assert breaks persisting of rules/chains:

/* iptables/nft.c: the only call to nftnl_batch_update() is the assert
 * argument, so with -DNDEBUG the whole expression is compiled out and
 * the batch is never advanced */
static void mnl_nft_batch_continue(struct nftnl_batch *batch)
{
       assert(nftnl_batch_update(batch) >= 0);
}


Attached is a patch with a fix.

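The failure mode described in the report, as an added example that is not iptables or libnftnl code: a toy batch (struct toy_batch, toy_batch_update and its page limit are invented for illustration) driven through the reported pattern and through two fix shapes. The ASSERT_UNDER_NDEBUG macro spells out the ((void)0) that <assert.h> expands assert() to when NDEBUG is defined, so the block shows the same behaviour however it is compiled.

```c
#include <assert.h>
#include <stdio.h>

/* Toy stand-in for an nftnl batch (invented for this example): a count of
 * pages committed so far, plus a limit so that update() has a real failure
 * path, standing in for an allocation failure. */
struct toy_batch {
    int pages_committed;
    int page_limit;
};

/* Stand-in for nftnl_batch_update(): commits the current page and opens a
 * new one. Returns 0 on success, -1 when the limit is reached. */
static int toy_batch_update(struct toy_batch *b)
{
    if (b->pages_committed >= b->page_limit)
        return -1;
    b->pages_committed++;
    return 0;
}

/* Exactly what <assert.h> turns assert(expr) into when NDEBUG is defined:
 * the argument is never evaluated. Spelled out here so the effect is
 * visible no matter which CFLAGS this file is built with. */
#define ASSERT_UNDER_NDEBUG(expr) ((void)0)

/* The reported pattern: the only call to update() is the assert argument,
 * so a -DNDEBUG build never advances the batch. */
static void continue_buggy(struct toy_batch *b)
{
    (void)b; /* only here to keep -Wextra quiet; b is otherwise untouched */
    ASSERT_UNDER_NDEBUG(toy_batch_update(b) >= 0);
}

/* Fix shape 1: do the work unconditionally, assert only on the result.
 * The check disappears under NDEBUG; the side effect does not. */
static void continue_assert_result(struct toy_batch *b)
{
    int ret = toy_batch_update(b);
    ASSERT_UNDER_NDEBUG(ret >= 0);
    (void)ret; /* silence unused-variable warnings in NDEBUG builds */
}

/* Fix shape 2: a failed update is a runtime condition, not a violated
 * invariant, so report it to the caller instead of asserting at all. */
static int continue_checked(struct toy_batch *b)
{
    return toy_batch_update(b) < 0 ? -1 : 0;
}

/* Run a void-style continue function n times on a fresh batch with a
 * generous limit and return how many pages actually got committed. */
static int pages_committed_after(void (*cont)(struct toy_batch *), int n)
{
    struct toy_batch b = { .pages_committed = 0, .page_limit = 1000 };
    for (int i = 0; i < n; i++)
        cont(&b);
    return b.pages_committed;
}

/* Run the error-returning variant n times against a batch limited to
 * `limit` pages; returns pages committed and stores the failure count. */
static int checked_run(int n, int limit, int *failures)
{
    struct toy_batch b = { .pages_committed = 0, .page_limit = limit };
    *failures = 0;
    for (int i = 0; i < n; i++)
        if (continue_checked(&b) < 0)
            (*failures)++;
    return b.pages_committed;
}

int main(void)
{
    int failures;
    int committed = checked_run(5, 3, &failures);

    printf("buggy (NDEBUG):   %d pages after 3 calls\n",
           pages_committed_after(continue_buggy, 3));
    printf("assert on result: %d pages after 3 calls\n",
           pages_committed_after(continue_assert_result, 3));
    printf("checked, limit 3: %d pages after 5 calls, %d failures\n",
           committed, failures);
    return 0;
}
```

Which fix shape to pick depends on whether the real call can fail at runtime: if it can (allocation is the usual case), shape 2 is the honest one, because an assert that is compiled out in release builds is not error handling; if failure is genuinely impossible, shape 1 is enough and keeps the invariant check in debug builds.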