[Bug 1671] New: Implicit chains and nesting result in parser_bison.y aborting
bugzilla-daemon at netfilter.org
Fri Apr 7 19:27:43 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1671
Bug ID: 1671
Summary: Implicit chains and nesting result in parser_bison.y aborting
Product: nftables
Version: 0.9.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter at allycomm.com
I was pleased to read that v0.9.7 provided support for implicit chains. That
feature provides the ability to enhance readability of rule sets by exposing
the "jump-to" chain's contents at the point of the jump. Unfortunately, I found
that nesting causes a parsing failure that is not traced back to the "source"
of the problem. The error message is
nft: parser_bison.y:68: open_scope: Assertion `state->scope < array_size(state->scopes) - 1' failed.
Aborted
While the logic can be written with explicit chains (and potentially a vmap),
being able to "see" the logic in line without jumping around in the file or to
included files would have added to clarity of the ruleset.
May be related to https://bugzilla.netfilter.org/show_bug.cgi?id=1485, although
it appears that the referenced patch is already present in v0.9.8 as shipped in
the Debian-supplied nftables 0.9.8-3.1+deb11u1 package.
Minimal test case:
# nft -c -f nested-chain-failure.nft
nft: parser_bison.y:68: open_scope: Assertion `state->scope < array_size(state->scopes) - 1' failed.
Aborted
# nft -c -f without-nest.nft
# exit
exit
Expected behavior:
* Nested, implicit chains could be used
* Any errors would be identified in the "source" (rather than process abort)
---
$ cat nested-chain-failure.nft
table inet global {
	chain prerouting_pre_nat {
		type filter hook prerouting priority mangle - 1; policy accept
		iifname eth0 jump {
			ip version 4 jump {
				ip version 4 accept
			}
		}
	}
}
$ cat without-nest.nft
table inet global {
	chain prerouting_pre_nat {
		type filter hook prerouting priority mangle - 1; policy accept
		iifname eth0 jump {
			ip version 4 accept
		}
	}
}
# nft --version
nftables v0.9.8 (E.D.S.)
# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ apt info nftables
Package: nftables
Version: 0.9.8-3.1+deb11u1
Priority: important
Section: net
Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team at lists.alioth.debian.org>
Installed-Size: 182 kB
From `apt source nftables` it appears that the patch referenced in Bug 1485 has
already been applied:
%type <table> table_block_alloc table_block
%destructor { close_scope(state); table_free($$); } table_block_alloc
%type <chain> chain_block_alloc chain_block subchain_block
%destructor { close_scope(state); chain_free($$); } chain_block_alloc
%type <rule> rule rule_alloc
%destructor { rule_free($$); } rule
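The report notes that the same logic can be written with explicit chains and a vmap instead of nested implicit chains. The ruleset below is an added illustration of that workaround for the nested-chain-failure.nft case above; it is not taken from the report or from the nftables project, and the chain names from_eth0 and from_eth0_v4 are invented for the example. Each level of the original nesting becomes a named chain declared directly under the table, and the iifname branch becomes a verdict map.

```nft
table inet global {
	chain prerouting_pre_nat {
		type filter hook prerouting priority mangle - 1; policy accept
		# verdict map replaces the "iifname eth0 jump { ... }" implicit chain
		iifname vmap { "eth0" : jump from_eth0 }
	}

	# first nesting level of the original ruleset
	chain from_eth0 {
		ip version 4 jump from_eth0_v4
	}

	# second nesting level of the original ruleset
	chain from_eth0_v4 {
		ip version 4 accept
	}
}
```

Check it the same way as the files in the report, with `nft -c -f` so the ruleset is parsed and validated without being loaded into the kernel; a syntax problem is then reported with a file and line reference instead of an assertion abort, since no anonymous chain is opened inside another.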