Bug 1615373

Summary: ss filter expression is broken in iproute 4.16.0
Product: [Fedora] Fedora Reporter: Samuel <samuel>
Component: iprouteAssignee: Phil Sutter <psutter>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 28CC: code, psutter, rvokal, samuel, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: iproute-4.17.0-2.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-23 10:32:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Samuel 2018-08-13 13:02:13 UTC
User-Agent:       Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Build Identifier: 

After upgrading iproute to version 4.16.0 a lot of simple filter expressions stopped working. Any expression which includes parentheses on the right-hand-side of a "AND" or "OR" will now give a syntax error. See this simple example:


$ rpm -q iproute
iproute-4.15.0-1.fc28.x86_64

$ ss sport = :22 or \( dport = :22 \)
Netid     State      Recv-Q      Send-Q            Local Address:Port             Peer Address:Port      

$ sudo dnf upgrade iproute -q -y

$ rpm -q iproute
iproute-4.16.0-1.fc28.x86_64

$ ss sport = :22 or \( dport = :22 \)
ss: bison bellows (while parsing filter): "syntax error!" Sorry.
...


This will undoubtedly break applications utilizing ss out there.

Reproducible: Always

Steps to Reproduce:
1. Upgrade iproute to 4.16.0:

   sudo dnf upgrade iproute


2. Use the tool 'ss' with a filter expression with a parentheses-expression on the right-hand side:

   ss sport = :22 or \( dport = :22 \)
Actual Results:  
ss: bison bellows (while parsing filter): "syntax error!" Sorry.
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help          this message
   -V, --version       output version information
   -n, --numeric       don't resolve service names
   -r, --resolve       resolve host names
   -a, --all           display all sockets
   -l, --listening     display listening sockets
   -o, --options       show timer information
   -e, --extended      show detailed socket information
   -m, --memory        show socket memory usage
   -p, --processes     show process using socket
   -i, --info          show internal TCP information
   -s, --summary       show socket usage summary
   -b, --bpf           show bpf filter socket information
   -E, --events        continually display sockets as they are destroyed
   -Z, --context       display process SELinux security contexts
   -z, --contexts      display process and socket SELinux security contexts
   -N, --net           switch to the specified network namespace name

   -4, --ipv4          display only IP version 4 sockets
   -6, --ipv6          display only IP version 6 sockets
   -0, --packet        display PACKET sockets
   -t, --tcp           display only TCP sockets
   -S, --sctp          display only SCTP sockets
   -u, --udp           display only UDP sockets
   -d, --dccp          display only DCCP sockets
   -w, --raw           display only RAW sockets
   -x, --unix          display only Unix domain sockets
       --vsock         display only vsock sockets
   -f, --family=FAMILY display sockets of type FAMILY
       FAMILY := {inet|inet6|link|unix|netlink|vsock|help}

   -K, --kill          forcibly close sockets, display what was closed
   -H, --no-header     Suppress header line

   -A, --query=QUERY, --socket=QUERY
       QUERY := {all|inet|tcp|udp|raw|unix|unix_dgram|unix_stream|unix_seqpacket|packet|netlink|vsock_stream|vsock_dgram}[,QUERY]

   -D, --diag=FILE     Dump raw information about TCP sockets to FILE
   -F, --filter=FILE   read filter information from FILE
       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
       STATE-FILTER := {all|connected|synchronized|bucket|big|TCP-STATES}
         TCP-STATES := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|closed|close-wait|last-ack|listening|closing}
          connected := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
       synchronized := {established|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
             bucket := {syn-recv|time-wait}
                big := {established|syn-sent|fin-wait-{1,2}|closed|close-wait|last-ack|listening|closing}



Expected Results:  
Regular output from ss without a "syntax error".

The offending commit seems to be this one:

https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/misc/ssfilter.y?id=b2038cc0b2403e8c5126cfcf45f6ee48ac549ad0

Comment 1 Phil Sutter 2018-08-15 09:08:03 UTC
Patch series fixing this issue sent upstream: https://marc.info/?l=linux-netdev&m=153424911209369&w=2

Comment 2 Fedora Update System 2018-08-16 12:35:15 UTC
iproute-4.17.0-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59278734d4

Comment 3 Samuel 2018-08-16 14:21:24 UTC
I have tested iproute-4.17.0-2.fc28 and can verify that it solves my problem.

Comment 4 Fedora Update System 2018-08-16 15:25:14 UTC
iproute-4.17.0-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59278734d4

Comment 5 Fedora Update System 2018-08-23 10:32:42 UTC
iproute-4.17.0-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.