File _service:tar_scm:backport-libnftables-Drop-cache-in-c-check-mode.patch of Package nftables
From 458e91a954abe4b7fb4ba70901c7da28220c446a Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso <pablo@netfilter.org> Date: Mon, 31 Jul 2023 12:29:55 +0200 Subject: [PATCH] libnftables: Drop cache in -c/--check mode Extend e0aace943412 ("libnftables: Drop cache in error case") to also drop the cache with -c/--check, this is a dry run mode and kernel does not get any update. This fixes a bug with -o/--optimize, which first runs in an implicit -c/--check mode to validate that the ruleset is correct, then it provides the proposed optimization. In this case, if the cache is not emptied, old objects in the cache refer to scanner data that was already released, which triggers BUG like this: BUG: invalid input descriptor type 151665524 nft: erec.c:161: erec_print: Assertion `0' failed. Aborted This bug was triggered in a ruleset that contains a set for geoip filtering. This patch also extends tests/shell to cover this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/libnftables.c | 7 +++++-- .../optimizations/dumps/skip_unsupported.nft | 11 +++++++++++ tests/shell/testcases/optimizations/skip_unsupported | 11 +++++++++++ 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/src/libnftables.c b/src/libnftables.c index 6fc4f7db..e214abb6 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -607,8 +607,10 @@ err: nft_output_json(&nft->output) && nft_output_echo(&nft->output)) json_print_echo(nft); - if (rc) + + if (rc || nft->check) nft_cache_release(&nft->cache); + return rc; } @@ -713,7 +715,8 @@ err: nft_output_json(&nft->output) && nft_output_echo(&nft->output)) json_print_echo(nft); - if (rc) + + if (rc || nft->check) nft_cache_release(&nft->cache); scope_release(nft->state->scopes[0]); diff --git a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft index 43b6578d..f24855e7 100644 --- a/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft 
+++ b/tests/shell/testcases/optimizations/dumps/skip_unsupported.nft @@ -1,4 +1,15 @@ table inet x { + set GEOIP_CC_wan-lan_120 { + type ipv4_addr + flags interval + elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128, + 1.32.207.0/24, 1.32.216.118-1.32.216.255, + 1.32.219.0-1.32.222.255, 1.32.226.0/23, + 1.32.231.0/24, 1.32.233.0/24, + 1.32.238.0/23, 1.32.240.0/24, + 223.223.220.0/22, 223.255.254.0/24 } + } + chain y { ip saddr 1.2.3.4 tcp dport 80 meta mark set 0x0000000a accept ip saddr 1.2.3.4 tcp dport 81 meta mark set 0x0000000b accept diff --git a/tests/shell/testcases/optimizations/skip_unsupported b/tests/shell/testcases/optimizations/skip_unsupported index 9313c302..6baa8280 100755 --- a/tests/shell/testcases/optimizations/skip_unsupported +++ b/tests/shell/testcases/optimizations/skip_unsupported @@ -3,6 +3,17 @@ set -e RULESET="table inet x { + set GEOIP_CC_wan-lan_120 { + type ipv4_addr + flags interval + elements = { 1.32.128.0/18, 1.32.200.0-1.32.204.128, + 1.32.207.0/24, 1.32.216.118-1.32.216.255, + 1.32.219.0-1.32.222.255, 1.32.226.0/23, + 1.32.231.0/24, 1.32.233.0/24, + 1.32.238.0/23, 1.32.240.0/24, + 223.223.220.0/22, 223.255.254.0/24 } + } + chain y { ip saddr 1.2.3.4 tcp dport 80 meta mark set 10 accept ip saddr 1.2.3.4 tcp dport 81 meta mark set 11 accept -- 2.33.0
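Review bot: the new condition `if (rc || nft->check)` at the end of the first libnftables.c hunk (`@@ -607,8 +607,10 @@`) is repeated verbatim in the second hunk; consider folding both sites into one small static helper (say, a hypothetical `nft_cache_release_if_needed()`) or at least adding a one-line comment at each site stating that -c/--check is a dry run whose cache objects reference scanner data released on return, so the reason for dropping the cache lives in the code and not only in the commit message. The two added blank lines around the `if` are unrelated whitespace churn and could be dropped to keep the fix minimal for backporting.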
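Review bot: in the second libnftables.c hunk (`@@ -713,7 +715,8 @@`) the cache is now released on every -c/--check run before `scope_release(nft->state->scopes[0])`, so any later command on the same context pays a full cache refetch from the kernel; that is the safe choice given the dangling scanner references described in the commit message, but it is worth a comment saying the extra refetch is intentional. Also confirm that the implicit check pass the commit message says -o/--optimize performs actually sets `nft->check`, since that flag is the only thing this hunk tests and the reported BUG is only fixed if the optimize path takes this branch.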
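Review bot: in the tests/shell/testcases/optimizations/skip_unsupported hunk (`@@ -3,6 +3,17 @@`) the added `GEOIP_CC_wan-lan_120` set reproduces the crash only if the invocation that follows the RULESET text runs the optimizer (-o/--optimize) over it, and the visible part of the script relies solely on `set -e` at the top to turn the `Assertion 0 failed` abort into a test failure; a short comment above the set saying it exists to cover use of stale cache objects after the implicit check pass would keep a later cleanup from removing it as unrelated to the skip_unsupported case. The matching dump file change should then be regenerated rather than hand-edited so the element ordering stays whatever nft prints.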