Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 560206

Summary: net-firewall/nftables-0.4: init script ipv6 address substitution on saving corrupts saved ipv6 addresses
Product: Gentoo Linux Reporter: Vladimir Datsevich <bgo>
Component: [OLD] Core systemAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: normal CC: mrueg, nvinson234
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Vladimir Datsevich 2015-09-11 11:40:32 UTC
Having a nftables ruleset like the one following, results in corrupted or changed ipv6 addresses (not all) when they are being saved by the nftables init script.

table inet filter {
	set test_ipv6 { 
		type ipv6_addr
		elements = { 2aff:2010::6787:f534, 2aff:2010::bc54:d10e, 2aff:2010::fe6b:dffc}
	}
...
}

results in (/var/lib/nftables/rules-save):

table inet filter {
	set test_ipv6 { 
		type ipv6_addr
		elements = { 2aff:2010::6787/128:f534, 2aff:2010::bc54/128:d10e, 2aff:2010::fe6b/128:dffc}
	}
...
}

Which itself gives an error when nftables starts up:

 * Loading nftables state and starting firewall ...
/var/lib/nftables/rules-save:51:28-53: Error: mapping outside of map context
		elements = { 2aff:2010::6787/128:f534, 2aff:2010::bc54/128:d10e, 2aff:2010::fe6b/128:dffc}
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^
 [ !! ]

When saving the nftables ruleset by hand via nft list ruleset f.e. and then load it again (after a nft flush ruleset) with nft -f everything is working fine.

The nftables init script performs a substitution in /etc/init.d/nftables in lines 130-144 which seems to be the problem:

        nft list tables ${l3f} | while read line; do
            line=$(echo ${line} | sed "s/table/table ${l3f}/")
            # The below substitution fixes an issue where nft -n output may not
            # always be parsable by nft -f.  For example, nft -n might print
            #
            #     ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept
            #
            # but nft -f refuses to parse that string with error:
            #
            #     In file included from internal:0:0-0:
            #     /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule:
            #     Invalid argument
            #     table ip6 filter {
            #     ^^
            echo "$(nft ${SAVE_OPTIONS} list ${line} |\
                    sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}"



Reproducible: Always

Steps to Reproduce:
1. load the described rule
2. run rc-service nftables save
3. restart nftables
Actual Results:  
nftables fails to load the ruleset, all tables are blank

Expected Results:  
nftables should load the rules, the firewall should work as expected
Comment 1 Vladimir Datsevich 2015-09-20 11:36:02 UTC
net-filter/nftables-0.5: the init scripts hasn't changed.
Comment 2 nvinson234 2015-09-26 17:36:06 UTC
I've added an updated ebuild and new init scripts to bug 560920.  I think they will solve this problem as well.
Comment 3 Manuel RĂ¼ger (RETIRED) gentoo-dev 2015-11-07 21:35:51 UTC
Should be fixed in >=0.5-r1