<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - iptables-nft broken if building with asserts disabled"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1487">1487</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>iptables-nft broken if building with asserts disabled
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>jpalus+netfilter@fastmail.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=621" name="attach_621" title="fix iptables-nft without asserts">attachment 621</a> <a href="attachment.cgi?id=621&action=edit" title="fix iptables-nft without asserts">[details]</a></span>
fix iptables-nft without asserts
iptables built with asserts disabled (-DNDEBUG in CFLAGS) results in broken
iptables-nft which does not actually save anything (chains not created
automatically, rules not added etc). The reason for such behavior is that nft
code includes processing logic within an assert even though it is meant to only
validate invariants and should be safe to disable.
Specifically, the following assert breaks persisting of rules/chains:
static void mnl_nft_batch_continue(struct nftnl_batch *batch)
{
	assert(nftnl_batch_update(batch) >= 0);
}
Attached patch with a fix.</pre>
</div>
</p>
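<p>The failure mode described in the report, as an added example that is not part of the original report or the attached patch: it shows the call vanishing under NDEBUG next to one possible fix. <code>fake_batch</code>, <code>fake_batch_update()</code> and the other names are hypothetical stand-ins for the libnftnl batch API.</p>

```c
/* fake_batch / fake_batch_update() are hypothetical stand-ins for
 * struct nftnl_batch / nftnl_batch_update(). */
#include <stdio.h>
#include <stdlib.h>

struct fake_batch { int pages; };

/* Side effect: advances the batch. Returns >= 0 on success. */
static int fake_batch_update(struct fake_batch *b) { b->pages++; return 0; }

#define NDEBUG          /* build the next function as -DNDEBUG would */
#include <assert.h>

/* Pattern from the report: under NDEBUG the call is discarded with the assert. */
static void batch_continue_in_assert(struct fake_batch *b)
{
	(void)b; /* unused once assert() expands to nothing */
	assert(fake_batch_update(b) >= 0);
}

#undef NDEBUG           /* restore a working assert() from here on */
#include <assert.h>

/* One possible fix: always call, check the result in code that stays in. */
static void batch_continue_checked(struct fake_batch *b)
{
	if (fake_batch_update(b) < 0) {
		fprintf(stderr, "batch update failed\n");
		abort();
	}
}

/* Number of updates that actually ran out of `calls` requested. */
static int updates_performed(void (*fn)(struct fake_batch *), int calls)
{
	struct fake_batch b = { 0 };

	for (int i = 0; i < calls; i++)
		fn(&b);
	return b.pages;
}

int main(void)
{
	printf("call inside assert, NDEBUG: %d of 3 updates ran\n",
	       updates_performed(batch_continue_in_assert, 3));
	printf("call checked separately:    %d of 3 updates ran\n",
	       updates_performed(batch_continue_checked, 3));
	return 0;
}
```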
</body>
</html>