[Bug 1179] New: vmap and sets cause "BUG: invalid range expression type set"
bugzilla-daemon at netfilter.org
Thu Aug 24 02:05:35 CEST 2017
https://bugzilla.netfilter.org/show_bug.cgi?id=1179
Bug ID: 1179
Summary: vmap and sets cause "BUG: invalid range expression type set"
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter at allycomm.com
Observed Behavior:
==================
Use of sets within a vmap result in the error message:
BUG: invalid range expression type set
nft: expression.c:1037: range_expr_value_low: Assertion `0' failed.
Aborted
Expected Behavior:
==================
Could use both anonymous and named sets in a vmap
No "vmap" anywhere on <http://www.netfilter.org/projects/nftables/manpage.html>
No limitations given on the "match" portion of the dictionary in
<https://wiki.nftables.org/wiki-nftables/index.php/Dictionaries>
Example .nft below, a simplified example of blocking "blackhole" IPv4
addresses, other than the expected ones.
Impact:
=======
The use of "sets" is crucial for managing non-contiguous ranges of IP addresses
that have various outcomes. While the IPv4 blackhole address space is
relatively small, there are presently over 88,000 entries in the IPv6 "bogons"
list.
Assuming that sets will properly scale to this level, it is possible to use
individual tests for each of the outcomes. Using the vmap is a preferred
option, especially if one can define a "default" match option.
To Replicate:
=============
table inet global {
    set blackhole_ipv4 {
        type ipv4_addr
        flags interval
        elements = {
            0.0.0.0/8,         # "default"
            10.0.0.0/8,        # RFC 1918
            100.64.0.0/10,     # bogon-bn-agg.txt 2017-08-17
            127.0.0.0/8,       # loopback
            169.254.0.0/16,    # Self-configured DHCP
            172.16.0.0/12,     # RFC 1918
            192.0.0.0/24,      # Vendor co-opted print servers
            192.0.2.0/24,      # NET TEST
            192.168.0.0/16,    # RFC 1918
            192.18.0.0/15,     # RFC 2455 (NOT IANA; for Harvard, for BMWG)
            192.42.172.0/24,   # NeXT-Default:
            192.88.99.0/24,    # RFC 3068
            198.51.100.1/24,   # bogon-bn-agg.txt 2017-08-17
            203.0.113.0/24,    # bogon-bn-agg.txt 2017-08-17
            224.0.0.0/3,       # bogon-bn-agg.txt 2017-08-17
            255.255.255.255    # broadcast
        }
    }

    define if_external_net_ipv4 = { 192.168.0.0/24 }
    define if_external_addrs_ipv4 = { 192.168.0.100, 192.168.0.255 }

    chain drop_ext_prerouting_pre_nat {
        # Configured here for the possibility that the external interface
        # is on a blackhole net (for testing)
        # Reexamine after testing completed
        ip saddr vmap { $if_external_net_ipv4 : continue,
                        @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src }
        ip daddr vmap { $if_external_addrs_ipv4 : continue,
                        @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst }
        return
    }
}
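The report itself notes that individual tests per outcome are possible in place of the vmap. The ruleset below is an added example, not part of the original report or of the nftables project: the vmap is replaced by two small helper chains whose "return" verdict plays the role the vmap's "continue" played, so the external interface net is exempted before the blackhole set is consulted. The helper chain names, the base chain with its hook and priority, and the bodies of the log_drop_* chains (which the report only names) are assumptions; 198.51.100.0/24 is written with its network address.

```nft
table inet global {
    set blackhole_ipv4 {
        type ipv4_addr
        flags interval
        # Same prefixes as the report's set, listed compactly
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24,
                     192.168.0.0/16, 192.18.0.0/15, 192.42.172.0/24,
                     192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24,
                     224.0.0.0/3, 255.255.255.255 }
    }

    define if_external_net_ipv4 = { 192.168.0.0/24 }
    define if_external_addrs_ipv4 = { 192.168.0.100, 192.168.0.255 }

    # Log-and-drop targets; bodies are assumed, the report only names the chains
    chain log_drop_ext_pre_pre_nat_src {
        log prefix "blackhole-src: " drop
    }
    chain log_drop_ext_pre_pre_nat_dst {
        log prefix "blackhole-dst: " drop
    }

    # Helper chains (names assumed): "return" here is the equivalent of the
    # vmap's "continue", so a packet from the external net skips the blackhole
    # test and evaluation resumes after the "jump" in the calling chain.
    chain check_src_ipv4 {
        ip saddr $if_external_net_ipv4 return
        ip saddr @blackhole_ipv4 jump log_drop_ext_pre_pre_nat_src
    }
    chain check_dst_ipv4 {
        ip daddr $if_external_addrs_ipv4 return
        ip daddr @blackhole_ipv4 jump log_drop_ext_pre_pre_nat_dst
    }

    chain drop_ext_prerouting_pre_nat {
        jump check_src_ipv4
        jump check_dst_ipv4
        return
    }

    # Base chain so the ruleset loads on its own; hook and priority are assumed
    # (-300 runs before the dstnat priority of -100)
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        jump drop_ext_prerouting_pre_nat
    }
}
```

Checking the file with "nft -c -f <file>" before loading it exercises the parser without touching the live ruleset, which is also the quickest way to confirm whether a given nft build still hits the assertion on the vmap form.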