[Bug 1355] New: Error parsing JSON config via a pipe to subprocess's stdin
bugzilla-daemon at netfilter.org
Sun Jul 21 15:08:19 CEST 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1355
Bug ID: 1355
Summary: Error parsing JSON config via a pipe to subprocess's stdin
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: tad.ashlock at gmail.com
Created attachment 566
--> https://bugzilla.netfilter.org/attachment.cgi?id=566&action=edit
C++ source file that demonstrates the problem
nft versions tested: 0.5, 0.9.0, 0.9.1
Linux kernel versions: 4.15.0 (Ubuntu 16.04.1), 4.14.120 (custom distro)
I'm fork-exec'ing "nft -f /dev/stdin", passing the configuration string via a
pipe from the parent process. When the configuration string gets larger than
8192 characters, the parser appears to get corrupted at the 8 KiB boundary.
(I've also seen it at the 16 KiB boundary.)
This behavior doesn't happen if I pipe the same configuration in from a shell:
"nft -f /dev/stdin <ruleset.txt" works fine.
I've attached a C++ source file that demonstrates the problem. The
configuration string was carefully crafted to cause the problem I'm seeing. To
test that I haven't screwed up the fork-exec pipe to stdin, the demo code also
sends the configuration string to 'tee' and 'sed', each of which writes its
stdin to a separate file. The configuration string is also directly written to
the file 'ruleset.txt' for comparison.
Build & run:
g++ test.cc -o test --std=c++11 -Wall
sudo nft flush ruleset
sudo ./test
sudo nft list ruleset
diff ruleset.txt tee-input.txt
diff ruleset.txt sed-input.txt
=========== START OF OUTPUT (sudo ./test) ==============
executing tee
#!/usr/sbin/nft -f
flush ruleset
#234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[snip]
#234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
#23456789012345678901234567890
table ip filter {
chain input {
type filter hook input priority 0; policy accept;
iifname "lo" ip saddr 10.0.0.0/8 tcp dport ssh accept
}
}
executing sed
executing nft
/dev/stdin:95:42-48: Error: No symbol type information
^^^^^^^
unexpected exit status: 1
=========== END OF OUTPUT ==============
If you now add a space character before "dport" in the source code, rebuild, and
rerun, the configuration will be parsed without an error.
There's nothing particular about "dport", that's just an arbitrary location I
picked. You can add or delete more comment characters to change which
character is the 8192nd and the error location will change, along with the type
of error.
Adding spaces around each 8 KiB boundary of the configuration appears to be a
work-around for this problem.
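The fork-exec pipe arrangement the report describes, written out as an added example in C. This is not the reporter's attached test.cc and not nftables code: the helper names (build_ruleset, run_with_stdin, child_counts_bytes, write_all) and the 100-byte comment-line padding are assumptions made here. It builds a ruleset in which "dport" begins at the 8192nd byte, exactly as the report describes, and feeds it to a child over a pipe with the partial-write and SIGPIPE handling the parent side needs. In place of the reporter's tee/sed cross-check it runs a shell child that only counts the bytes it receives, so the harness can be validated without root; the final nft run is the reporter's actual command and needs CAP_NET_ADMIN.

```c
/* Added example (not from the bug report or nftables): reproduce the
 * report's set-up of a fork-exec'd child reading a >8 KiB ruleset from
 * a pipe on stdin. Helper names and padding layout are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define BOUNDARY 8192   /* the 8 KiB boundary where the report sees the parse error */

/* Build a ruleset in which token `tok` starts at byte index boundary-1,
 * i.e. it is the "boundary-th" character and straddles the boundary.
 * Padding is '#' comment lines, as in the report's crafted config. */
static char *build_ruleset(size_t boundary, const char *tok, size_t *len)
{
    const char *head = "#!/usr/sbin/nft -f\nflush ruleset\n";
    const char *rule = "table ip filter {\n\tchain input {\n"
        "\t\ttype filter hook input priority 0; policy accept;\n"
        "\t\tiifname \"lo\" ip saddr 10.0.0.0/8 tcp ";
    const char *tail = " ssh accept\n\t}\n}\n";
    size_t fixed = strlen(head) + strlen(rule);
    if (boundary < fixed + 3)              /* no room for even a 2-byte comment */
        return NULL;
    size_t pad = boundary - 1 - fixed;     /* comment bytes placed before `rule` */
    size_t total = fixed + pad + strlen(tok) + strlen(tail);
    char *buf = malloc(total + 1), *p = buf;
    if (!buf)
        return NULL;
    memcpy(p, head, strlen(head)); p += strlen(head);
    while (pad > 199) {                    /* 100-byte comment lines ... */
        *p++ = '#'; memset(p, '0', 98); p += 98; *p++ = '\n'; pad -= 100;
    }
    *p++ = '#'; memset(p, '0', pad - 2); p += pad - 2; *p++ = '\n'; /* ... then the rest */
    memcpy(p, rule, strlen(rule)); p += strlen(rule);
    memcpy(p, tok, strlen(tok));   p += strlen(tok);
    memcpy(p, tail, strlen(tail)); p += strlen(tail);
    *p = '\0';
    *len = total;
    return buf;
}

/* write(2) may return a short count; loop until everything is written. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* fork-exec argv with its stdin connected to a pipe carrying `data`.
 * Returns the child's exit status, or -1 on a harness failure. */
static int run_with_stdin(char *const argv[], const char *data, size_t len)
{
    int p[2], status;
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                        /* child: read end becomes stdin */
        if (dup2(p[0], STDIN_FILENO) < 0) _exit(126);
        close(p[0]); close(p[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(p[0]);
    signal(SIGPIPE, SIG_IGN);              /* a child exiting early gives EPIPE, not death */
    int werr = write_all(p[1], data, len);
    close(p[1]);                           /* EOF for the child */
    if (waitpid(pid, &status, 0) < 0 || werr < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Cross-check stand-in for the report's tee/sed runs: a shell child that
 * exits 0 only if it read exactly `len` bytes from the pipe. */
static int child_counts_bytes(const char *data, size_t len)
{
    char n[32];
    snprintf(n, sizeof n, "%zu", len);
    char *argv[] = {"sh", "-c", "[ $(wc -c) -eq \"$1\" ]", "sh", n, NULL};
    return run_with_stdin(argv, data, len);
}

int main(void)
{
    size_t len;
    char *rs = build_ruleset(BOUNDARY, "dport", &len);
    if (!rs) return 1;
    printf("ruleset: %zu bytes, \"dport\" at offset %td\n", len, strstr(rs, "dport") - rs);
    printf("byte-count check: exit %d\n", child_counts_bytes(rs, len));
    char *nft_argv[] = {"nft", "-f", "/dev/stdin", NULL};   /* the report's command; needs root */
    printf("nft -f /dev/stdin: exit %d\n", run_with_stdin(nft_argv, rs, len));
    free(rs);
    return 0;
}
```

Run as root to reproduce the report; a non-zero exit from the nft step together with a zero exit from the byte-count step is the same distinction the reporter drew with tee and sed, since it shows the pipe delivered every byte and only the nft parse went wrong. Changing BOUNDARY to 16384 produces the 16 KiB variant mentioned in the report.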