Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AddSet silently fails (!) when adding IP addresses with too many bytes (without To4() call) #128

Open
bensarifathi opened this issue Sep 7, 2021 · 5 comments
Open

AddSet silently fails (!) when adding IP addresses with too many bytes (without To4() call) #128

bensarifathi opened this issue Sep 7, 2021 · 5 comments

Comments

@bensarifathi
Copy link

bensarifathi commented Sep 7, 2021
edited by stapelberg

Hi am facing trouble when using this package i can't load my rule this is my code :

package main

import (
	"fmt"
	"log"
	"net"

	"github.com/google/nftables"
	"github.com/google/nftables/expr"
)

func main() {
	c := &nftables.Conn{}

	// Basic boilerplate; create a table & chain.
	table := &nftables.Table{
		Family: nftables.TableFamilyIPv4,
		Name:   "ip_filter",
	}
	table = c.AddTable(table)

	myChain := c.AddChain(&nftables.Chain{
		Name:     "filter_chain",
		Table:    table,
		Type:     nftables.ChainTypeFilter,
		Hooknum:  nftables.ChainHookInput,
		Priority: nftables.ChainPriorityFilter,
	})

	set := &nftables.Set{
		Name:    "whitelist",
		Table:   table,
		KeyType: nftables.TypeIPAddr, // our keys are IPv4 addresses
	}

	// Create the set with a bunch of initial values.
	if err := c.AddSet(set, []nftables.SetElement{
		{Key: net.ParseIP("8.8.8.8")},
	}); err != nil {
		log.Fatal(err.Error())
	}

	c.AddRule(&nftables.Rule{
		Table: table,
		Chain: myChain,
		Exprs: []expr.Any{
			// [ payload load 4b @ network header + 16 => reg 1 ]
			&expr.Payload{
				DestRegister: 1,
				Base:         expr.PayloadBaseNetworkHeader,
				Offset:       16,
				Len:          4,
			},
			// [ lookup reg 1 set whitelist ]
			&expr.Lookup{
				SourceRegister: 1,
				SetName:        set.Name,
				SetID:          set.ID,
			},
			//[ immediate reg 0 drop ]
			&expr.Verdict{
				Kind: expr.VerdictDrop,
			},
		},
	})
	if err := c.Flush(); err != nil {
		log.Fatal(err.Error())
	}
	rules, _ := c.GetRule(table, myChain)
	fmt.Println(rules)
}

after executing my code and run the following command : sudo nft list ruleset i expect to found my configured config but i found nothing. is this a compatibility problem ?
@stapelberg
Copy link
Collaborator

I haven’t had a chance to look at your code yet, but I’m using this package on Linux 5.14.1 (latest kernel release) without any issues.

@bensarifathi
Copy link
Author

bensarifathi commented Sep 8, 2021
edited

my previous kernel version was 5.4.0-77-generic so i've decided to update my kernel to 5.14.2-051402-generic but the problem
is still the same.

@stapelberg
Copy link
Collaborator

This part of your code:

	// Create the set with a bunch of initial values.
	if err := c.AddSet(set, []nftables.SetElement{
		{Key: net.ParseIP("8.8.8.8")},
	}); err != nil {
		log.Fatal(err.Error())
	}

…is missing a To4() call:

	// Create the set with a bunch of initial values.
	if err := c.AddSet(set, []nftables.SetElement{
		{Key: net.ParseIP("8.8.8.8").To4()},
	}); err != nil {
		log.Fatal(err.Error())
	}

When I change that, it works.

I don’t know why no error message is generated with the wrong code, though :-/

@stapelberg stapelberg changed the title is this package still compatible with nftables v0.9.3 (Topsy) AddSet silently fails (!) when adding IP addresses with too many bytes (without To4() call) Sep 9, 2021
@bensarifathi
Copy link
Author

@stapelberg indeed now the program work just fine thank you so much.

@pepa65
Copy link

pepa65 commented Dec 30, 2023

I don’t know why no error message is generated with the wrong code, though :-/

Probably because it doesn't check for the length of the []byte but just takes the first 4 (and the 8.8.8.8 are in the last 4).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@stapelberg @pepa65 @bensarifathi