FS#75094 - [nftables] regression introduced since 1.0.3 can prevent valid rulesets from loading

Attached to Project: Arch Linux
Opened by Kerin Millar (kerframil) - Friday, 17 June 2022, 03:06 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 17 October 2022, 23:27 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Christian Hesse (eworm)
Sébastien Luttringer (seblu)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Following on from the sub-standard 1.0.3 release, a serious regression remains present. I recently rebooted an Arch box that uses nftables to find that my ruleset, which contains perfectly valid rules incorporating the log keyword, had not been loaded. As such, this is a request to incorporate commit 638af0ceb2b22307098bb2730822e148ef0b9424, which addresses the issue (assuming that 1.0.5 has not been released by the time that this request is considered). Note that the bug is easy enough to trigger that it could plausibly affect many deployed rulesets in the wild.

Additional info:

This report is for nftables-1.0.4-1. The aforementioned commit can be found below.

https://git.netfilter.org/nftables/commit/?id=638af0ceb2b22307098bb2730822e148ef0b9424

Steps to reproduce:

See the test case that the commit introduces.

Closed by Sébastien Luttringer (seblu)
Monday, 17 October 2022, 23:27 GMT
Reason for closing: Fixed
Comment by Sébastien Luttringer (seblu) - Sunday, 31 July 2022, 15:53 GMT
The patched source doesn't build.

```
parser_bison.y: In function 'nft_parse':
parser_bison.y:945:73: error: 'PARSER_SC_FLAGS' undeclared (first use in this function); did you mean 'PARSER_SC_VLAN'?
945 | close_scope_frag : { scanner_pop_start_cond(nft->scanner, PARSER_SC_EXPR_FRAG); };
| ^~~~~~~~~~~~~~~
| PARSER_SC_VLAN
parser_bison.y:945:73: note: each undeclared identifier is reported only once for each function it appears in
```
Comment by Kerin Millar (kerframil) - Sunday, 31 July 2022, 16:16 GMT
Hi Sébastien. Can you go into more detail as to how the sources were prepared? I've been using this patch against nftables-1.0.4 in both Arch Linux and Gentoo since before this bug was filed. That's as built against libnftnl-1.2.2 in both cases. Indeed, it was officially added as a supplemental patch to Gentoo's 1.0.4 package on the 17th June. I just re-tested the PKGBUILD that I knocked up last month and it is building fine.
Comment by Kerin Millar (kerframil) - Sunday, 31 July 2022, 16:35 GMT
Further, the line number (#945) referred to in your error message cannot possibly reference PARSER_SC_FLAGS in the case that the patch has been correctly applied. It's explicitly removed by the commit in question.
Comment by Kerin Millar (kerframil) - Sunday, 31 July 2022, 16:45 GMT
Attaching patch directly, in case that helps.
Comment by Kerin Millar (kerframil) - Tuesday, 09 August 2022, 21:17 GMT
nftables-1.0.5 has now been released which, as the release notes state, "fixes several regressions in the input lexer which broke valid rulesets". I leave it to the applicable maintainers to determine whether they want to fast track 1.0.5 or fix the prior release. The handling of this bug has been disappointing, to say the least.