[Bug 950] New: ct status

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed May 28 20:18:05 CEST 2014


https://bugzilla.netfilter.org/show_bug.cgi?id=950

           Summary: ct status
           Product: nftables
           Version: unspecified
          Platform: x86_64
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
        AssignedTo: pablo at netfilter.org
        ReportedBy: anarey at gmail.com
   Estimated Hours: 0.0


This is the symbol table for ct status parameter:

 static const struct symbol_table ct_status_tbl = {
         /*
          * There are more, but most of them don't make sense for filtering.
          */
         .symbols        = {
                 SYMBOL("expected",      IPS_EXPECTED),
                 SYMBOL("seen-reply",    IPS_SEEN_REPLY),
                 SYMBOL("assured",       IPS_ASSURED),
                 SYMBOL("confirmed",     IPS_CONFIRMED),
                 SYMBOL("snat",          IPS_SRC_NAT),
                 SYMBOL("dnat",          IPS_DST_NAT),
                 SYMBOL("dying",         IPS_DYING),
                 SYMBOL_LIST_END
         },
 };

We can correctly use expected, seen-reply, assured, confirmed and dying, but
there is a problem with the 'snat' and 'dnat' symbols.
nft doesn't identify these symbols.

Here is an example:

 $ sudo nft add rule ip test input ct status snat
<cmdline>:1:34-37: Error: syntax error, unexpected snat
add rule ip test input ct status snat
                                 ^^^^

The problem is in the parser:

Stack now 0 1 15
Error: popping token "add" (: )
Stack now 0 1
Shifting token error (: )
Entering state 3
Next token is token "snat" (: )
Error: discarding token "snat" (: )
Error: popping token error (: )
Stack now 0 1
Shifting token error (: )
Entering state 3
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Cleanup: discarding lookahead token "end of file" (: )
Stack now 0 1 3
Cleanup: popping token error (: )
Cleanup: popping nterm input (: )
<cmdline>:1:34-37: Error: syntax error, unexpected snat
add rule ip test input ct status snat

## With dnat

Error: popping token "add" (: )
Stack now 0 1
Shifting token error (: )
Entering state 3
Next token is token "dnat" (: )
Error: discarding token "dnat" (: )
Error: popping token error (: )
Stack now 0 1
Shifting token error (: )
Entering state 3
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Cleanup: discarding lookahead token "end of file" (: )
Stack now 0 1 3
Cleanup: popping token error (: )
Cleanup: popping nterm input (: )
<cmdline>:1:34-37: Error: syntax error, unexpected dnat
add rule ip test input ct status dnat
                                 ^^^^
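
Added example, not part of the original report and not nftables code: the traces above name the rejected token "snat" / "dnat" itself, which is what a scanner that reserves those words for the NAT statements hands to the grammar. This C model assumes that cause; the token names, return codes and function names are hypothetical, and the IPS_* values are the kernel's conntrack status bits.

```c
#include <stdio.h>
#include <string.h>
/* Conntrack status bits, values as in the kernel's nf_conntrack_common.h. */
enum { IPS_EXPECTED = 1 << 0, IPS_SEEN_REPLY = 1 << 1, IPS_ASSURED = 1 << 2,
       IPS_CONFIRMED = 1 << 3, IPS_SRC_NAT = 1 << 4, IPS_DST_NAT = 1 << 5,
       IPS_DYING = 1 << 9 };
enum token { TOK_STRING, TOK_SNAT, TOK_DNAT };  /* hypothetical model tokens */
enum { PARSE_OK = 0, ERR_SYNTAX = -1, ERR_UNKNOWN = -2 };
struct symbol { const char *name; unsigned int value; };
static const struct symbol ct_status_tbl[] = {
    { "expected", IPS_EXPECTED }, { "seen-reply", IPS_SEEN_REPLY },
    { "assured", IPS_ASSURED }, { "confirmed", IPS_CONFIRMED },
    { "snat", IPS_SRC_NAT }, { "dnat", IPS_DST_NAT },
    { "dying", IPS_DYING }, { NULL, 0 },
};
/* Scanner model (assumption): reserved NAT words never become string tokens. */
static enum token scan_word(const char *w)
{
    if (strcmp(w, "snat") == 0) return TOK_SNAT;
    return strcmp(w, "dnat") == 0 ? TOK_DNAT : TOK_STRING;
}

static int lookup(const char *name, unsigned int *value)
{
    for (const struct symbol *s = ct_status_tbl; s->name; s++)
        if (strcmp(s->name, name) == 0) { *value = s->value; return PARSE_OK; }
    return ERR_UNKNOWN;
}

/* Reported behaviour: only a string token is accepted after "ct status". */
int parse_strict(const char *w, unsigned int *value)
{
    return scan_word(w) == TOK_STRING ? lookup(w, value) : ERR_SYNTAX;
}

/* One possible repair: accept the keyword tokens too and look up their spelling. */
int parse_keyword_aware(const char *w, unsigned int *value)
{
    enum token t = scan_word(w);
    return lookup(t == TOK_SNAT ? "snat" : t == TOK_DNAT ? "dnat" : w, value);
}

int main(void)
{
    unsigned int v = 0;
    for (const struct symbol *s = ct_status_tbl; s->name; s++)
        printf("%-10s strict=%d keyword-aware=%d\n", s->name,
               parse_strict(s->name, &v), parse_keyword_aware(s->name, &v));
    return 0;
}
```

In the strict model the table entries for snat and dnat are unreachable, so a ruleset cannot match on the NAT status bits by name even though the symbol table lists them.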
