diff options
author | Laura Garcia Liebana <nevola@gmail.com> | 2021-04-13 11:03:41 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-05-02 23:30:13 +0200 |
commit | 2ffb2f44dc541c2ec3265ec80bf6be805cafcf80 (patch) | |
tree | c8db939bf3648ce655662cf090995534e273a3bd /src | |
parent | 7f7d5b999ed3f44ee8aec6b4d48051f048f326ab (diff) |
parser: allow to load stateful ct connlimit elements in sets
This patch fixes a syntax error after loading a nft
dump with a set including stateful ct connlimit elements.
Having a nft dump as per below:
table ip nftlb {
set connlimit-set {
type ipv4_addr
size 65535
flags dynamic
elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 }
}
}
The syntax error is shown when loading the ruleset.
root# nft -f connlimit.nft
connlimit.nft:15997:31-32: Error: syntax error, unexpected ct, expecting comma or '}'
elements = { 84.245.120.167 ct count over 20 , 86.111.207.45 ct count over 20 ,
^^
connlimit.nft:16000:9-22: Error: syntax error, unexpected string
173.212.220.26 ct count over 20 , 200.153.13.235 ct count over 20 }
^^^^^^^^^^^^^^
After applying this patch a kernel panic is raised running
nft_rhash_gc() although no packet reaches the set.
The following patch [0] should be used as well:
4d8f9065830e5 ("netfilter: nftables: clone set element expression template")
Note that the kernel patch will produce the emptying of the
connection tracking, so the restore of the conntrack states
should be considered.
[0]: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=4d8f9065830e526c83199186c5f56a6514f457d2
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/parser_bison.y | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index cc477e65..0a3adbe8 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -4188,6 +4188,17 @@ set_elem_stmt : COUNTER close_scope_counter $$->limit.type = NFT_LIMIT_PKT_BYTES; $$->limit.flags = $3; } + | CT COUNT NUM close_scope_ct + { + $$ = connlimit_stmt_alloc(&@$); + $$->connlimit.count = $3; + } + | CT COUNT OVER NUM close_scope_ct + { + $$ = connlimit_stmt_alloc(&@$); + $$->connlimit.count = $4; + $$->connlimit.flags = NFT_CONNLIMIT_F_INV; + } ; set_elem_expr_option : TIMEOUT time_spec |