[Bug 1056] New: nft: Syntax error with dnat as ct state

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Mar 8 18:07:29 CET 2016


https://bugzilla.netfilter.org/show_bug.cgi?id=1056

            Bug ID: 1056
           Summary: nft: Syntax error with dnat as ct state
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: karol at babioch.de

According to a discussion in IRC, dnat (and snat) should be valid states for the
connection tracking, so a rule like the following should actually work:

ct state dnat accept

Apparently this is already implemented. However, right now with nftables
version 0.5 this results in an error:

[root@kvm2 ~]# nft -f /etc/nftables.conf
/etc/nftables.conf:115:18-21: Error: syntax error, unexpected dnat
    ct state dnat accept
             ^^^^

According to fw in the #netfilter IRC this is due to a parser ambiguity:

<aborrero> kbabioch: that seems like a bug, I see support for it in the current
source tree
<fw> aborrero: it's because of parser ambiguity

These virtual states are also available in iptables and do work as expected.
