libnftables: Drop cache in -c/--check mode

Extend e0aace943412 ("libnftables: Drop cache in error case") to also
drop the cache with -c/--check, this is a dry run mode and kernel does
not get any update.

This fixes a bug with -o/--optimize, which first runs in an implicit
-c/--check mode to validate that the ruleset is correct, then it
provides the proposed optimization. In this case, if the cache is not
emptied, old objects in the cache refer to scanner data that was
already released, which triggers BUG like this:

 BUG: invalid input descriptor type 151665524
 nft: erec.c:161: erec_print: Assertion `0' failed.
 Aborted

This bug was triggered in a ruleset that contains a set for geoip
filtering. This patch also extends tests/shell to cover this case.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/libnftables.c b/src/libnftables.c
index 6fc4f7db676096784cbab8afa098b378bc4b89f9..e214abb69cf257fb939e8b7b5611e4adcd9967c4 100644 (file)
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -607,8 +607,10 @@ err:
            nft_output_json(&nft->output) &&
            nft_output_echo(&nft->output))
                json_print_echo(nft);
-       if (rc)
+
+       if (rc || nft->check)
                nft_cache_release(&nft->cache);
+
        return rc;
 }
 
@@ -713,7 +715,8 @@ err:
            nft_output_json(&nft->output) &&
            nft_output_echo(&nft->output))
                json_print_echo(nft);
-       if (rc)
+
+       if (rc || nft->check)
                nft_cache_release(&nft->cache);
 
        scope_release(nft->state->scopes[0]);

diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft
index 43b6578dc70452e6b0c19d7f535ca2ad8ce7e082..f24855e7b5e1e0d4891697bff7a1d23844a143c8 100644 (file)
--- a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft
+++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft
@@ -1,4 +1,15 @@
 table inet x {
+       set GEOIP_CC_wan-lan_120 {
+               type ipv4_addr
+               flags interval
+               elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128,
+                            1.32.207.0/24, 1.32.216.118-1.32.216.255,
+                            1.32.219.0-1.32.222.255, 1.32.226.0/23,
+                            1.32.231.0/24, 1.32.233.0/24,
+                            1.32.238.0/23, 1.32.240.0/24,
+                            223.223.220.0/22, 223.255.254.0/24 }
+       }
+
        chain y {
                ip saddr 1.2.3.4 tcp dport 80 meta mark set 0x0000000a accept
                ip saddr 1.2.3.4 tcp dport 81 meta mark set 0x0000000b accept

diff --git a/tests/shell/testcases/optimizations/skip_unsupported b/tests/shell/testcases/optimizations/skip_unsupported
index 9313c302048c2c2ff422c8089fd44b3998b7e8f6..6baa8280a9b5a2ef309cfe89a18f0bc6bccff838 100755 (executable)
--- a/tests/shell/testcases/optimizations/skip_unsupported
+++ b/tests/shell/testcases/optimizations/skip_unsupported
@@ -3,6 +3,17 @@
 set -e
 
 RULESET="table inet x {
+       set GEOIP_CC_wan-lan_120 {
+               type ipv4_addr
+               flags interval
+               elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128,
+                            1.32.207.0/24, 1.32.216.118-1.32.216.255,
+                            1.32.219.0-1.32.222.255, 1.32.226.0/23,
+                            1.32.231.0/24, 1.32.233.0/24,
+                            1.32.238.0/23, 1.32.240.0/24,
+                            223.223.220.0/22, 223.255.254.0/24 }
+       }
+
        chain y {
                ip saddr 1.2.3.4 tcp dport 80 meta mark set 10 accept
                ip saddr 1.2.3.4 tcp dport 81 meta mark set 11 accept