]> git.ipfire.org Git - thirdparty/nftables.git/commit
projects / thirdparty / nftables.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: eee1eee) | patch
netlink_linearize: skip set element expression in flow table key
authorPablo Neira Ayuso <pablo@netfilter.org>
Mon, 31 Oct 2016 13:29:58 +0000 (14:29 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 31 Oct 2016 14:14:24 +0000 (15:14 +0100)
commitfbea4a6f444988124235ca5b035b2e8eb427da4d
treed3f341d934094da6d240c1b722d06956f6fe27cftree | snapshot
parenteee1eeea57358db5b65a79b6b2585c1651f01008commit | diff
netlink_linearize: skip set element expression in flow table key

Anders reports that:

 # nft add rule ip6 filter postrouting \
flow table acct_out \{ meta iif . ip6 saddr timeout 600s counter \}

while the opposite doesn't work:

 # nft add rule ip6 filter postrouting \
flow table acct_out \{ ip6 saddr . meta iif timeout 600s counter \}

netlink_gen_flow_stmt() relies on the flow table key, that is expressed
as a set element. Use the set element key instead to skip the set
element wrap, otherwise get_register() abort execution:

 nft: netlink_linearize.c:650: netlink_gen_expr: Assertion `dreg < ctx->reg_low' failed.

Reported-by: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/netlink_linearize.c diff | blob | blame | history
tests/py/ip6/flowtable.t [new file with mode: 0644] blob
tests/py/ip6/flowtable.t.payload [new file with mode: 0644] blob
Mirror of git://git.netfilter.org/nftables