[Bug 1292] New: issue with -f fragment option

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Nov 11 19:48:19 CET 2018


https://bugzilla.netfilter.org/show_bug.cgi?id=1292

            Bug ID: 1292
           Summary: issue with -f fragment option
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables over nftable
          Assignee: pablo at netfilter.org
          Reporter: arturo at debian.org

From Debian BTS: https://bugs.debian.org/913088

There seem to be some issues with the '-f' option in iptables-nft.
Apparently it is not only in the printing code path but probably also in the expr
generation code. See the original bug report in Debian for more tests and details.


==== 8< ====
Note the output of iptables-translate:

    iptables-translate -A INPUT -f -j DROP
    nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 counter drop

However, if I execute this command:

    iptables -A INPUT -f -j DROP

The following is added (output of 'nft list table filter'):

    table ip filter {
        chain INPUT {
            ...
            ip frag-off & 65311 != 0 counter packets 0 bytes 0 drop
        }
        ...
    }

Note: 65311 (dec) = 0xff1f and not 0x1ffff. Could it be that the byte 
order for the mask is somehow swapped?
==== 8< ====
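The following is an added example and not code from the bug report, iptables or nftables. It models the nft match 'ip frag-off & MASK != 0' on the raw 16-bit IPv4 flags/fragment-offset word, shows that 65311 (the mask in the listed rule) is the byte-swapped form of 0x1fff (the mask in the iptables-translate output), and runs both masks over a few constructed header words to show how the swapped mask both misses real fragments and matches non-fragments. The sample header words are constructed for the example.

```python
# Added example, not code from the bug report, iptables or nftables.
# It models the nft match 'ip frag-off & MASK != 0' on the raw 16-bit
# IPv4 flags/fragment-offset word and compares the intended mask
# (0x1fff, from the iptables-translate output) with the value that
# ended up in the ruleset (65311 = 0xff1f).
import struct

FRAG_OFF_MASK = 0x1fff      # low 13 bits of the word: fragment offset
SWAPPED_MASK = 65311        # value seen in 'nft list table filter'


def byte_swap16(value):
    """Swap the two bytes of a 16-bit value, i.e. a host<->network
    order flip on a little-endian machine such as an x86_64 host."""
    (swapped,) = struct.unpack("<H", struct.pack(">H", value))
    return swapped


def frag_match(frag_word, mask=FRAG_OFF_MASK):
    """Emulate 'ip frag-off & mask != 0' on the 16-bit header word
    (bits 15..13 are the RF/DF/MF flags, bits 12..0 the offset)."""
    return (frag_word & mask) != 0


def compare_masks(frag_words):
    """For each header word return (word, correct, swapped), where
    'correct' uses 0x1fff and 'swapped' uses the 65311 mask."""
    return [(w, frag_match(w, FRAG_OFF_MASK), frag_match(w, SWAPPED_MASK))
            for w in frag_words]


# Constructed sample header words (not taken from the report):
SAMPLES = [
    0x0000,  # no flags, offset 0: not a fragment
    0x4000,  # DF set, offset 0: not a fragment
    0x2001,  # MF set, offset 1 (8 bytes): a fragment
    0x0020,  # offset 32 (256 bytes), last fragment: a fragment
]


def false_positives(frag_words):
    """Words the swapped mask matches although they are not fragments."""
    return [w for w, ok, bad in compare_masks(frag_words) if bad and not ok]


def missed_fragments(frag_words):
    """Fragments the swapped mask fails to match."""
    return [w for w, ok, bad in compare_masks(frag_words) if ok and not bad]


if __name__ == "__main__":
    swapped = byte_swap16(FRAG_OFF_MASK)
    print("byte_swap16(0x1fff) = %d (0x%04x)" % (swapped, swapped))
    for w, ok, bad in compare_masks(SAMPLES):
        print("frag word 0x%04x: 0x1fff mask -> %s, 65311 mask -> %s"
              % (w, ok, bad))
    print("false positives:", [hex(w) for w in false_positives(SAMPLES)])
    print("missed fragments:", [hex(w) for w in missed_fragments(SAMPLES)])
```

Run it as-is; the swapped mask lets a DF-only, unfragmented packet (0x4000) through the DROP rule's match while a fragment at offset 32 (0x0020) is not matched at all, which is the practical effect of the byte-order problem the report describes.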
