git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 31 Jul 2023 10:29:55 +0000 (12:29 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 2 Nov 2023 10:56:20 +0000 (11:56 +0100)
commit	104c7c1c64053b4b369c1e8850eebe76cac04af0
tree	97a4210a2baabae1b919380b0fb350d56c8e0643	tree \| snapshot
parent	690c6c956ab0f814c94607763f102ca4135a74f5	commit \| diff

libnftables: Drop cache in -c/--check mode

commit 458e91a954abe4b7fb4ba70901c7da28220c446a upstream.

Extend e0aace943412 ("libnftables: Drop cache in error case") to also
drop the cache with -c/--check, this is a dry run mode and kernel does
not get any update.

This fixes a bug with -o/--optimize, which first runs in an implicit
-c/--check mode to validate that the ruleset is correct, then it
provides the proposed optimization. In this case, if the cache is not
emptied, old objects in the cache refer to scanner data that was
already released, which triggers BUG like this:

BUG: invalid input descriptor type 151665524
nft: erec.c:161: erec_print: Assertion `0' failed.
Aborted

This bug was triggered in a ruleset that contains a set for geoip
filtering. This patch also extends tests/shell to cover this case.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

src/libnftables.c		diff \| blob \| blame \| history
tests/shell/testcases/optimizations/dumps/skip_unsupported.nft		diff \| blob \| blame \| history
tests/shell/testcases/optimizations/skip_unsupported		diff \| blob \| blame \| history