[Bug 1450] New: Using certain simple set combinations with TCP flags causes error in mergesort.c from nft list ruleset
bugzilla-daemon at netfilter.org
Wed Aug 19 12:22:55 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1450
Bug ID: 1450
Summary: Using certain simple set combinations with TCP flags
causes error in mergesort.c from nft list ruleset
Product: nftables
Version: unspecified
Hardware: arm
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: phillc at gmail.com
When setting up some TCP flag rules I attempted to combine multiple flag
combinations into one rule with a simple set.

The following works perfectly:

    tcp flags == {syn, syn|ack} accept
    tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin} accept
    tcp flags & (fin|syn|rst|psh|ack|urg) == psh|ack|fin accept

It can be applied with nft -f and displays with "nft list ruleset".

However, when trying to do this:

    tcp flags == {syn, syn|ack} accept
    tcp flags & (fin|syn|rst|psh|ack|urg) == {ack, psh|ack, fin, fin|psh|ack} accept

nft -f applies without any error, but running "nft list ruleset" returns:

    BUG: Unknown expression binop
    nft: mergesort.c:47: expr_msort_cmp: Assertion `0' failed.
    Aborted (core dumped)

OS: Ubuntu 20.04
Kernel: Ubuntu 5.4.0-1015.15-raspi 5.4.44
nftables/focal,now 0.9.3-2 arm64