<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Implicit chains and nesting result in parser_bison.y aborting"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1671">1671</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Implicit chains and nesting result in parser_bison.y aborting
</td>
</tr>
<tr>
<th>Product</th>
<td>nftables
</td>
</tr>
<tr>
<th>Version</th>
<td>0.9.x
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>Debian GNU/Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>major
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>nft
</td>
</tr>
<tr>
<th>Assignee</th>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>netfilter@allycomm.com
</td>
</tr></table>
<p>
<div>
<pre>I was pleased to read that v0.9.7 provided support for implicit chains. That
feature provides the ability to enhance readability of rule sets by exposing
the "jump-to" chain's contents at the point of the jump. Unfortunately, I found
that nesting causes a parsing failure that is not traced back to the "source"
of the problem. The error message is
nft: parser_bison.y:68: open_scope: Assertion `state->scope <
array_size(state->scopes) - 1' failed.
Aborted
While the logic can be written with explicit chains (and potentially a vmap),
being able to "see" the logic in line without jumping around in the file or to
included files would have added to the clarity of the ruleset.
May be related to <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Buggy parsing of malformed rule within implicit chain causes assertion and core dump"
href="show_bug.cgi?id=1485">https://bugzilla.netfilter.org/show_bug.cgi?id=1485</a> although
it appears that the referenced patch is already present in v0.9.8 as supplied
by Debian-supplied nftables 0.9.8-3.1+deb11u1
Minimal test case:
# nft -c -f nested-chain-failure.nft
nft: parser_bison.y:68: open_scope: Assertion `state->scope <
array_size(state->scopes) - 1' failed.
Aborted
# nft -c -f without-nest.nft
# exit
exit
Expected behavior:
* Nested, implicit chains could be used
* Any errors would be identified in the "source" (rather than process abort)
---
$ cat nested-chain-failure.nft
table inet global {
    chain prerouting_pre_nat {
        type filter hook prerouting priority mangle - 1; policy accept
        iifname eth0 jump {
            ip version 4 jump {
                ip version 4 accept
            }
        }
    }
}
$ cat without-nest.nft
table inet global {
    chain prerouting_pre_nat {
        type filter hook prerouting priority mangle - 1; policy accept
        iifname eth0 jump {
            ip version 4 accept
        }
    }
}
# nft --version
nftables v0.9.8 (E.D.S.)
# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="<a href="https://www.debian.org/">https://www.debian.org/</a>"
SUPPORT_URL="<a href="https://www.debian.org/support">https://www.debian.org/support</a>"
BUG_REPORT_URL="<a href="https://bugs.debian.org/">https://bugs.debian.org/</a>"
$ apt info nftables
Package: nftables
Version: 0.9.8-3.1+deb11u1
Priority: important
Section: net
Maintainer: Debian Netfilter Packaging Team
<<a href="mailto:pkg-netfilter-team@lists.alioth.debian.org">pkg-netfilter-team@lists.alioth.debian.org</a>>
Installed-Size: 182 kB
From `apt source nftables` it appears that the patch referenced in <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Buggy parsing of malformed rule within implicit chain causes assertion and core dump"
href="show_bug.cgi?id=1485">Bug 1485</a> has
already been applied.
603
604 %type <table> table_block_alloc table_block
605 %destructor { close_scope(state); table_free($$); } table_block_alloc
606 %type <chain> chain_block_alloc chain_block subchain_block
607 %destructor { close_scope(state); chain_free($$); } chain_block_alloc
608 %type <rule> rule rule_alloc
609 %destructor { rule_free($$); } rule
610</pre>
</div>
</p>
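The report shows that nft 0.9.8 aborts in parser_bison.y instead of reporting a source error when implicit chains are nested. Until a fixed nft is deployed, a pre-load lint that measures implicit-chain nesting depth lets a ruleset pipeline reject the construct with a readable message. The following is an added example, not part of the report or of nftables; the tokenizer, the `jump`/`goto` heuristic and the depth limit of 1 are assumptions of this lint.

```python
import re

# Constructed copy of the reporter's failing test file (not read from disk).
NESTED_RULESET = """table inet global {
    chain prerouting_pre_nat {
        type filter hook prerouting priority mangle - 1; policy accept
        iifname eth0 jump {
            ip version 4 jump {
                ip version 4 accept
            }
        }
    }
}
"""

# Tokens: comments, quoted strings, braces, semicolons, bare words (assumed grammar subset).
_TOKEN = re.compile(r'#[^\n]*|"[^"\n]*"|[{};]|[^\s{};"#]+')

def implicit_chain_depth(ruleset: str) -> int:
    """Deepest nesting of implicit chains: `{ ... }` blocks opened by jump/goto.
    Other braces (table, chain, anonymous sets/maps) are tracked only for pairing."""
    stack = []                 # per open brace: True if it opened an implicit chain
    depth = max_depth = 0
    prev = None
    for tok in _TOKEN.findall(ruleset):
        if tok.startswith('#'):
            continue           # comments carry no braces we should count
        if tok == '{':
            is_chain = prev in ('jump', 'goto')
            stack.append(is_chain)
            if is_chain:
                depth += 1
                max_depth = max(max_depth, depth)
        elif tok == '}':
            if not stack:
                raise ValueError('unbalanced closing brace')
            if stack.pop():
                depth -= 1
        prev = tok
    if stack:
        raise ValueError('unbalanced opening brace')
    return max_depth

def lint(ruleset: str, max_depth: int = 1):
    """Return a warning if implicit chains nest deeper than max_depth, else None."""
    depth = implicit_chain_depth(ruleset)
    if depth > max_depth:
        return f'implicit chains nested {depth} deep (limit {max_depth}); use named chains'
    return None
```

Running `lint` before `nft -c -f` turns the reporter's nested file into a rejected check with a message pointing at the construct, while the flattened `without-nest.nft` form passes.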
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>