[pkg-netfilter-team] Bug#1067161: nftables: BUG: invalid mapping expression variable
Jeremy Sowden
azazel at debian.org
Tue Mar 19 18:27:11 GMT 2024
On 2024-03-19, at 16:00:28 +0100, Daniel Gröber wrote:
> Package: nftables
> Version: 1.0.6-2+deb12u2
> Severity: normal
>
> Dear Maintainer,
>
> The nftables config below triggers a BUG.
>
> $ nft -f /etc/nftables.conf
> BUG: invalid mapping expression variable
> nft: evaluate.c:1797: expr_evaluate_map: Assertion `0' failed.
> Aborted
>
> Refactoring to using $srvaddr_map instead of having the anonymous map
> inline made the bug trigger.
That assertion has since been replaced upstream by a normal
error message:

/space/azazel/tmp/ruleset.1067161.nft:6:58-69: Error: invalid mapping expression variable
ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
                            ~~~~~~~~~~~~~~~~~~~~~~     ^^^^^^^^^^^^
> -- Configuration Files:
> /etc/nftables.conf changed:
> flush ruleset
> define iid_mask6 = ::ffff:ffff:ffff:ffff
> define srvaddr_map = { ::8384 : 8384 }
> table inet filter {
>     chain input {
>         type filter hook input priority filter;
>     }
>     chain prerouting {
>         type nat hook prerouting priority dstnat;
>         ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map # s/ map.*/{ ::8384 : 8384 }/ works
>     }
>     chain forward {
>         type filter hook forward priority filter;
>     }
>     chain output {
>         type filter hook output priority filter;
>     }
> }
Because of the way parsing works in nftables, one can't use a symbolic
variable in that context. This, however, will work:
define iid_mask6 = ::ffff:ffff:ffff:ffff
define srvaddr_map = { ::8384 : 8384 }
table inet filter {
    map srvaddr_map {
        typeof ip6 daddr : tcp dport;
        elements = $srvaddr_map
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
    }
}
or more concisely:
define iid_mask6 = ::ffff:ffff:ffff:ffff
table inet filter {
    map srvaddr_map {
        typeof ip6 daddr : tcp dport;
        elements = { ::8384 : 8384 }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
    }
}
J.
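The restriction above (a `define`d symbolic variable cannot be used directly after `map`; a named map referenced with `@name` can) is easy to reintroduce when a ruleset is refactored, and the older nft in Debian 12 only reports it as an assertion abort. The following is an added example, not code from the thread or from the nftables project: a small pre-flight lint that scans an nftables ruleset for `map $variable` where the variable comes from a `define`, so the mistake is caught before `nft -f` runs. The two embedded rulesets are constructed from the report and the reply; `find_map_variable_uses` and `suggest_named_map` are names chosen here.

```python
import re
import sys

# Constructed sample: the reporter's ruleset, reduced to the offending rule.
BROKEN_RULESET = """\
flush ruleset
define iid_mask6 = ::ffff:ffff:ffff:ffff
define srvaddr_map = { ::8384 : 8384 }
table inet filter {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map $srvaddr_map
    }
}
"""

# Constructed sample: the working form, using a named map referenced with '@'.
FIXED_RULESET = """\
define iid_mask6 = ::ffff:ffff:ffff:ffff
table inet filter {
    map srvaddr_map {
        typeof ip6 daddr : tcp dport;
        elements = { ::8384 : 8384 }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat;
        ip6 nexthdr tcp redirect to ip6 daddr & $iid_mask6 map @srvaddr_map
    }
}
"""

# 'define NAME = ...' at the start of a line (top level or inside a table).
DEFINE_RE = re.compile(r'^\s*define\s+(\w+)\s*=')
# 'map $NAME' in a rule; '\bmap' does not match inside 'vmap', and the
# '$' excludes named-map references written as 'map @NAME'.
MAP_VAR_RE = re.compile(r'\bmap\s+\$(\w+)\b')


def find_map_variable_uses(ruleset: str):
    """Return (line_no, var_name, rule_text) for every 'map $var' whose
    var was introduced by a define earlier in the ruleset."""
    defines = set()
    findings = []
    for no, line in enumerate(ruleset.splitlines(), start=1):
        code = line.split('#', 1)[0]          # ignore trailing comments
        m = DEFINE_RE.match(code)
        if m:
            defines.add(m.group(1))
            continue
        for m in MAP_VAR_RE.finditer(code):
            if m.group(1) in defines:
                findings.append((no, m.group(1), line.strip()))
    return findings


def suggest_named_map(var_name: str) -> str:
    """Human-readable fix hint: declare a named map and reference it with '@'."""
    return (f'declare "map {var_name} {{ typeof <key> : <value>; '
            f'elements = ${var_name} }}" in the table and write "map @{var_name}"')


def lint_text(ruleset: str) -> int:
    """Print findings in compiler style; return the number of findings."""
    findings = find_map_variable_uses(ruleset)
    for no, var, rule in findings:
        print(f'line {no}: symbolic variable ${var} used as a mapping expression')
        print(f'    {rule}')
        print(f'    hint: {suggest_named_map(var)}')
    return len(findings)


if __name__ == '__main__':
    # Usage: python lint_nft_map.py /etc/nftables.conf   (no argument: self-demo)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sys.exit(1 if lint_text(fh.read()) else 0)
    print('--- broken ruleset ---')
    lint_text(BROKEN_RULESET)
    print('--- fixed ruleset ---')
    print('findings:', lint_text(FIXED_RULESET))
```

The lint is deliberately conservative: it only flags a `$name` after `map` when that name was introduced by a `define`, so an undefined variable (a different error that nft already reports cleanly) is left to nft itself. Run it as a pre-commit or deploy step alongside `nft -c -f`, which remains the authoritative syntax check.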