From bugzilla-daemon at netfilter.org Sun Apr 5 14:14:12 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Sun, 05 Apr 2020 12:14:12 +0000
Subject: [Bug 1415] New: adjacent ip ranges in vmap causing error
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Bug ID: 1415
Summary: adjacent ip ranges in vmap causing error
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: generic_dummy at t-online.de
The following snippets cause a 'File exists' error:
ip saddr vmap {
10.0.1.0/24 : accept,
10.0.2.0/24 : drop
}
ip saddr vmap {
10.0.1.0-10.0.1.255 : accept,
10.0.2.0-10.0.2.255 : drop
}
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From bugzilla-daemon at netfilter.org Sun Apr 5 14:19:07 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Sun, 05 Apr 2020 12:19:07 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--- Comment #1 from McFly ---
while shifting the beginning of the second ip range by one does not cause any
error:
ip saddr vmap {
10.0.1.0-10.0.1.255 : accept,
10.0.2.1-10.0.2.255 : drop
}
From bugzilla-daemon at netfilter.org Tue Apr 7 19:42:01 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Tue, 07 Apr 2020 17:42:01 +0000
Subject: [Bug 1416] New: Include a pre-built man page in the distributed
tarball
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1416
Bug ID: 1416
Summary: Include a pre-built man page in the distributed
tarball
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: chutzpah at gentoo.org
Building the man page pulls in some dependencies that have quite a few
dependencies on their own. It would be very nice if this was optional, and
there was a prebuilt man page included in the original tarball that can be
installed.
From bugzilla-daemon at netfilter.org Tue Apr 7 20:25:52 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Tue, 07 Apr 2020 18:25:52 +0000
Subject: [Bug 1416] Include a pre-built man page in the distributed tarball
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1416
--- Comment #1 from Pablo Neira Ayuso ---
This can be included via distcheck-hook?
Would you make a patch for this? Thanks.
From bugzilla-daemon at netfilter.org Wed Apr 8 00:24:26 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Tue, 07 Apr 2020 22:24:26 +0000
Subject: [Bug 1416] Include a pre-built man page in the distributed tarball
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1416
--- Comment #2 from Patrick McLean ---
Created attachment 587
--> https://bugzilla.netfilter.org/attachment.cgi?id=587&action=edit
0001-doc-Include-generated-man-pages-in-dist-tarball.patch
This patch was recently posted to the mailing list by an acquaintance:
https://marc.info/?l=netfilter-devel&m=158628632031443&w=2
From bugzilla-daemon at netfilter.org Wed Apr 8 08:56:48 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 06:56:48 +0000
Subject: [Bug 1417] New: mapping to adjacent ranges is causing error in
kernel 5.6, kernel 5.5 works fine
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1417
Bug ID: 1417
Summary: mapping to adjacent ranges is causing error in kernel
5.6, kernel 5.5 works fine
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: karel at unitednetworks.cz
Created attachment 588
--> https://bugzilla.netfilter.org/attachment.cgi?id=588&action=edit
example of adjacent ranges causing error
After upgrading the kernel from 5.5 to 5.6.2, our ruleset, which includes mapping
packet sizes to counters, fails to load. The problem is in adjacent ranges:
This fails (with a 'File exists' message):
counter name ip length map { 0-100 : "c1", 101-200 : "c2" }
After increasing the start of the second range by one, it loads OK:
counter name ip length map { 0-100 : "c1", 102-200 : "c2" }
See attached examples.
Probably same bug as:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
From bugzilla-daemon at netfilter.org Wed Apr 8 08:58:38 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 06:58:38 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel
5.6, kernel 5.5 works fine
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1417
--- Comment #1 from Karel Rericha ---
Created attachment 589
--> https://bugzilla.netfilter.org/attachment.cgi?id=589&action=edit
example of non adjacent ranges not causing error
From bugzilla-daemon at netfilter.org Wed Apr 8 11:44:21 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 09:44:21 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel
5.6, kernel 5.5 works fine
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1417
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #2 from Pablo Neira Ayuso ---
Please give this patch a test:
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=72239f2795fab9a58633bd0399698ff7581534a3
Thanks.
From bugzilla-daemon at netfilter.org Wed Apr 8 11:45:47 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 09:45:47 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #2 from Pablo Neira Ayuso ---
Please give a try to this patch:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
From bugzilla-daemon at netfilter.org Wed Apr 8 11:46:04 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 09:46:04 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--- Comment #3 from Pablo Neira Ayuso ---
Please give a try to this patch:
https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=72239f2795fab9a58633bd0399698ff7581534a3
From bugzilla-daemon at netfilter.org Wed Apr 8 17:19:48 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 15:19:48 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel
5.6, kernel 5.5 works fine
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1417
--- Comment #3 from Karel Rericha ---
I can confirm that after applying this patch to kernel 5.6.2 mapping to
adjacent ranges works again.
Thanks Pablo.
Should I close this bug, or let's wait until the 5.6 branch is patched?
From bugzilla-daemon at netfilter.org Wed Apr 8 18:50:35 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 16:50:35 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--- Comment #4 from McFly ---
The patch apparently resolves the reported problem, however it seems to have other
issues. The following snippet is causing a segmentation fault:
ip saddr vmap {
10.0.1.0-10.0.1.255 : accept,
10.0.1.1-10.0.2.255 : drop
}
The patch was applied to kernel 5.6.3 and nftables 0.9.4 was used. I will
cross-check with an unpatched kernel.
From bugzilla-daemon at netfilter.org Wed Apr 8 19:25:35 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 17:25:35 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--- Comment #5 from McFly ---
I did some further checks:
1. the problem with the adjacent ip ranges occurs:
kernel 5.5.10 -> NO
From bugzilla-daemon at netfilter.org Wed Apr 8 19:35:48 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 08 Apr 2020 17:35:48 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--- Comment #6 from McFly ---
I did some further checks:
1. the problem with the adjacent ip ranges occurs (causing the 'File exists'
error):
kernel 5.5.10 -> no
kernel 5.6.2 -> yes
kernel 5.6.3 -> yes
kernel 5.6.3 with patch -> no
i.e. the issue was introduced somewhere between 5.5.10 and 5.6.2 and the patch
is fixing it.
2. the problem with overlapping ip ranges (causing the segmentation fault)
occurs with kernels 5.5.10, 5.6.3 and the patch does NOT fix it
Maybe distinct problems. Shall I report this as a separate bug?
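The two failure modes McFly separates above (adjacent ranges, which are legal but rejected by the affected 5.6 kernels with 'File exists', and truly overlapping ranges, which crash nft) can be told apart before a ruleset is ever loaded. The following Python lint is an added example and is not code from the bug reports or from the nftables project; it also covers the `ip length` counter map from bug 1417. The sample elements are constructed from the snippets quoted in this thread, and the function names `parse_element`, `classify` and `lint` are this example's own.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample elements, mirroring the shapes reported in bugs 1415 and
# 1417: prefix notation, explicit address ranges and plain integer ranges.
ADJACENT_PREFIXES = ["10.0.1.0/24", "10.0.2.0/24"]
ADJACENT_RANGES = ["10.0.1.0-10.0.1.255", "10.0.2.0-10.0.2.255"]
GAP_RANGES = ["10.0.1.0-10.0.1.255", "10.0.2.1-10.0.2.255"]
OVERLAPPING_RANGES = ["10.0.1.0-10.0.1.255", "10.0.1.1-10.0.2.255"]
LENGTH_RANGES = ["0-100", "101-200"]


def _to_int(token: str) -> int:
    """Accept an IPv4/IPv6 address or an integer literal and return an int."""
    token = token.strip()
    try:
        return int(ipaddress.ip_address(token))
    except ValueError:
        return int(token, 0)


def parse_element(text: str) -> Tuple[int, int]:
    """Turn one nft set/map key into an inclusive integer interval (lo, hi)."""
    text = text.strip()
    if "/" in text:
        net = ipaddress.ip_network(text, strict=True)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in text:
        lo_s, hi_s = text.split("-", 1)
        lo, hi = _to_int(lo_s), _to_int(hi_s)
    else:
        lo = hi = _to_int(text)
    if lo > hi:
        raise ValueError(f"range start after end: {text}")
    return lo, hi


def classify(elements: List[str]) -> List[Tuple[str, str, str]]:
    """Sort the elements by start and label each element against the interval
    that currently reaches furthest: 'disjoint', 'adjacent' (next lo == hi + 1)
    or 'overlapping'. Tracking the running maximum catches nested ranges too."""
    parsed = sorted((parse_element(e), e) for e in elements)
    findings = []
    cur_hi = cur_e = None
    for (lo, hi), e in parsed:
        if cur_e is not None:
            if lo <= cur_hi:
                kind = "overlapping"
            elif lo == cur_hi + 1:
                kind = "adjacent"
            else:
                kind = "disjoint"
            findings.append((cur_e, e, kind))
        if cur_e is None or hi > cur_hi:
            cur_hi, cur_e = hi, e
    return findings


def lint(elements: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, messages). Only true overlaps make ok False; adjacency is
    legal and is reported as a note because the 5.6 kernels discussed in this
    bug refuse it with 'File exists' until the fix is applied."""
    ok, msgs = True, []
    for a, b, kind in classify(elements):
        if kind == "overlapping":
            ok = False
            msgs.append(f"ERROR: {a} overlaps {b}")
        elif kind == "adjacent":
            msgs.append(f"NOTE: {a} is adjacent to {b}")
    return ok, msgs


if __name__ == "__main__":
    for name, elems in [("prefixes", ADJACENT_PREFIXES), ("ranges", ADJACENT_RANGES),
                        ("gap", GAP_RANGES), ("overlap", OVERLAPPING_RANGES),
                        ("lengths", LENGTH_RANGES)]:
        ok, msgs = lint(elems)
        print(name, "ok" if ok else "REJECT", *msgs, sep="\n  ")
```

Running the lint over a generated ruleset's map keys before `nft -f` gives a clear verdict instead of a kernel-side 'File exists' or a userspace crash: an overlap is a real mistake in the ruleset, while an adjacency note tells you the map is correct and only the kernel version is at fault.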
From bugzilla-daemon at netfilter.org Thu Apr 9 02:05:52 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 09 Apr 2020 00:05:52 +0000
Subject: [Bug 1418] New: segfaults when running nft --file foo.nft --echo
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1418
Bug ID: 1418
Summary: segfaults when running nft --file foo.nft --echo
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: chutzpah at gentoo.org
Here is the backtrace:
mpz_cmp (a=a at entry=0x555555654ce0, b=) at mini-gmp.c:1819
1819 return mpn_cmp (a->_mp_d, b->_mp_d, asize);
(gdb) bt
#0 mpz_cmp (a=a at entry=0x555555654ce0, b=) at mini-gmp.c:1819
#1 0x00005555555ad790 in expr_value_cmp (p1=p1 at entry=0x5555556ac820,
p2=p2 at entry=0x5555556ac828) at segtree.c:832
#2 0x00007ffff7d86f3d in msort_with_tmp (p=p at entry=0x7fffffffc9a0,
b=b at entry=0x5555556ac820, n=n at entry=2) at msort.c:83
#3 0x00007ffff7d86ea4 in msort_with_tmp (n=2, b=0x5555556ac820,
p=0x7fffffffc9a0) at msort.c:53
#4 msort_with_tmp (p=p at entry=0x7fffffffc9a0, b=b at entry=0x5555556ac820,
n=n at entry=5) at msort.c:53
#5 0x00007ffff7d86ea4 in msort_with_tmp (n=5, b=0x5555556ac820,
p=0x7fffffffc9a0) at msort.c:53
#6 msort_with_tmp (p=p at entry=0x7fffffffc9a0, b=b at entry=0x5555556ac820,
n=n at entry=10) at msort.c:53
#7 0x00007ffff7d872c2 in msort_with_tmp (n=10, b=0x5555556ac820,
p=0x7fffffffc9a0) at msort.c:297
#8 __GI___qsort_r (b=b at entry=0x5555556ac820, n=n at entry=10, s=s at entry=8,
cmp=cmp at entry=0x5555555ad760 , arg=arg at entry=0x0) at
msort.c:297
#9 0x00007ffff7d8756f in __GI_qsort (b=b at entry=0x5555556ac820, n=n at entry=10,
s=s at entry=8, cmp=cmp at entry=0x5555555ad760 ) at msort.c:308
#10 0x00005555555aed85 in interval_map_decompose (set=0x5555556115a0) at
segtree.c:978
#11 0x00005555555abaff in nlr_for_each_set (nlr=nlr at entry=0x5555556ac190,
cb=cb at entry=0x5555555ab9c0 , cache=0x55555560c340,
data=0x0) at monitor.c:193
#12 0x00005555555ac326 in netlink_events_rule_cb (monh=0x7fffffffcce0, type=6,
nlh=0x7fffffffcda0) at monitor.c:517
#13 netlink_events_cb (nlh=nlh at entry=0x7fffffffcda0,
data=data at entry=0x7fffffffcce0) at monitor.c:890
#14 0x00005555555ad062 in netlink_echo_callback (nlh=nlh at entry=0x7fffffffcda0,
data=data at entry=0x7fffffffde10) at monitor.c:924
#15 0x00007ffff7fb6748 in __mnl_cb_run (cb_ctl_array_len=16,
cb_ctl_array=0x55555560a5a0 , data=,
cb_data=0x5555555ad000 , portid=0, seq=0,
numbytes=, buf=0x7fffffffcda0) at callback.c:78
#16 mnl_cb_run2 (buf=buf at entry=0x7fffffffcda0, numbytes=,
seq=seq at entry=0, portid=portid at entry=0, cb_data=0x5555555ad000
, data=data at entry=0x7fffffffde10,
cb_ctl_array=0x55555560a5a0 , cb_ctl_array_len=16) at
callback.c:135
#17 0x00005555555b1aac in mnl_batch_talk (ctx=ctx at entry=0x7fffffffdf70,
err_list=err_list at entry=0x7fffffffdf60, num_cmds=num_cmds at entry=161) at
mnl.c:433
#18 0x000055555556b6c5 in nft_netlink (nft=nft at entry=0x55555560c2a0,
cmds=cmds at entry=0x7fffffffe010, msgs=msgs at entry=0x7fffffffe000,
nf_sock=) at libnftables.c:57
#19 0x000055555556bfa8 in nft_run_cmd_from_filename (nft=0x55555560c2a0,
filename=0x7fffffffe4ad "/etc/nftables/init.nft") at libnftables.c:508
#20 0x000055555556acb9 in main (argc=, argv=0x7fffffffe1c8) at
main.c:455
When it is adding the rules and echoing, the output is kind of mangled. A rule
that looks like
table inet filter {
chain input_XXXXXXX {
iifname { "bond0" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.1.1 }
tcp dport { ssh } counter accept
}
}
Gets echoed as
add rule inet filter input_XXXXXXX iifname { "bond0", "bond0" } ip saddr {
10.0.0.0/8, 10.0.0.0/8-0xffffffff [invalid type] } ip daddr { 192.168.1.1,
192.168.1.1 } tcp dport { 22, 22 } counter packets 0 bytes 0 accept
From bugzilla-daemon at netfilter.org Thu Apr 9 02:06:08 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 09 Apr 2020 00:06:08 +0000
Subject: [Bug 1418] segfaults when running nft --file foo.nft --echo
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1418
Patrick McLean changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|enhancement |critical
From bugzilla-daemon at netfilter.org Thu Apr 9 02:46:22 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 09 Apr 2020 00:46:22 +0000
Subject: [Bug 1418] segfaults when running nft --file foo.nft --echo
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1418
--- Comment #1 from Patrick McLean ---
Created attachment 590
--> https://bugzilla.netfilter.org/attachment.cgi?id=590&action=edit
ruleset that triggers the segfault
OK, I seem to have figured out how to reproduce it reliably. I have some
generated rule sets that I am loading, and they attempt to clean up after the
last time they were loaded by adding then deleting the tables they create. The
first time nft runs, everything works fine, the second time I get the strange
output and a segfault.
So try running "nft --echo --file test.nft" *twice* and it will cause nft to
echo some strange data and segfault.
From bugzilla-daemon at netfilter.org Thu Apr 9 02:47:20 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 09 Apr 2020 00:47:20 +0000
Subject: [Bug 1418] segfaults when running nft --file foo.nft --echo
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1418
Patrick McLean changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #590|application/octet-stream |text/plain
mime type| |
From bugzilla-daemon at netfilter.org Fri Apr 10 07:54:58 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 05:54:58 +0000
Subject: [Bug 1419] New: abcd
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1419
Bug ID: 1419
Summary: abcd
Product: bugzilla
Version: other
Hardware: x86_64
OS: All
Status: ASSIGNED
Severity: normal
Priority: P5
Component: netfilter bugzilla
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: 826706276 at qq.com
abcd
From bugzilla-daemon at netfilter.org Fri Apr 10 08:15:14 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 06:15:14 +0000
Subject: [Bug 1420] New: abcd
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1420
Bug ID: 1420
Summary: abcd
Product: bugzilla
Version: other
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: netfilter bugzilla
Assignee: 826706276 at qq.com
Reporter: 826706276 at qq.com
From bugzilla-daemon at netfilter.org Fri Apr 10 08:16:00 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 06:16:00 +0000
Subject: [Bug 1420] abcd
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1420
Meter <826706276 at qq.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
From bugzilla-daemon at netfilter.org Fri Apr 10 08:17:39 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 06:17:39 +0000
Subject: [Bug 1419] abcd
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1419
Meter <826706276 at qq.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #1 from Meter <826706276 at qq.com> ---
abcd
From bugzilla-daemon at netfilter.org Fri Apr 10 08:22:21 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 06:22:21 +0000
Subject: [Bug 1421] New: abcde
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1421
Bug ID: 1421
Summary: abcde
Product: conntrack-tools
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: conntrack-daemon
Assignee: 826706276 at qq.com
Reporter: 826706276 at qq.com
abcd
From bugzilla-daemon at netfilter.org Fri Apr 10 08:22:45 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 06:22:45 +0000
Subject: [Bug 1421] abcde
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1421
Meter <826706276 at qq.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
From bugzilla-daemon at netfilter.org Fri Apr 10 13:02:07 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 11:02:07 +0000
Subject: [Bug 1419] abcd
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1419
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|other |unspecified
Component|netfilter bugzilla |trash
Product|bugzilla |trash
Assignee|netfilter-buglog at lists.netf |pablo at netfilter.org
|ilter.org |
CC| |pablo at netfilter.org
From bugzilla-daemon at netfilter.org Fri Apr 10 13:09:03 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 11:09:03 +0000
Subject: [Bug 1420] abcd
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1420
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pablo at netfilter.org
Version|other |unspecified
Product|bugzilla |trash
Component|netfilter bugzilla |trash
From bugzilla-daemon at netfilter.org Fri Apr 10 13:09:27 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 11:09:27 +0000
Subject: [Bug 1421] abcde
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1421
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Product|conntrack-tools |trash
CC| |pablo at netfilter.org
Component|conntrack-daemon |trash
From bugzilla-daemon at netfilter.org Fri Apr 10 19:00:29 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 10 Apr 2020 17:00:29 +0000
Subject: [Bug 1422] New: iptables-nft fails to check / delete rules in raw
table
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
Bug ID: 1422
Summary: iptables-nft fails to check / delete rules in raw
table
Product: iptables
Version: 1.6.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: champetier.etienne at gmail.com
See repro steps: I can create a rule in the raw table but can't check / delete it
# cat /etc/debian_version
bullseye/sid
# apt info iptables
Package: iptables
Version: 1.8.4-3
...
# /sbin/iptables --version
iptables v1.8.4 (nf_tables)
# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# /sbin/iptables -w2 -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j
NOTRACK
root at etiennedebian:~# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0
169.254.25.10 udp dpt:53 NOTRACK
# /sbin/iptables -w2 -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j
NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
# /sbin/iptables -w2 -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j
NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
# /sbin/iptables -t raw -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0
169.254.25.10 udp dpt:53 NOTRACK
I haven't opened a bug on the Debian bug tracker as they use the latest version.
I have a bug open on CentOS bugzilla: https://bugs.centos.org/view.php?id=17239
From bugzilla-daemon at netfilter.org Sat Apr 11 21:37:31 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Sat, 11 Apr 2020 19:37:31 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
--- Comment #7 from Pablo Neira Ayuso ---
(In reply to McFly from comment #6)
> I did some further checks:
>
> 1. the problem with the adjacent ip ranges occurs (causing the 'File exists'
> error):
> kernel 5.5.10 -> no
> kernel 5.6.2 -> yes
> kernel 5.6.3 -> yes
> kernel 5.6.3 with patch -> no
>
> i.e. the issue was introduced somewhere between 5.5.10 and 5.6.2 and the
> patch is fixing it.
Thanks for confirming that the patch that is flying upstream is fixing the
issue.
> 2. the problem with overlapping ip ranges (causing the segmentation fault)
> occurs with kernels 5.5.10, 5.6.3 and the patch does NOT fix it
>
> Maybe distinct problems. Shall I report this as a separate bug?
No need for this, patch has been posted on the mailing list:
https://patchwork.ozlabs.org/patch/1269369/
From bugzilla-daemon at netfilter.org Mon Apr 13 03:25:03 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Mon, 13 Apr 2020 01:25:03 +0000
Subject: [Bug 1423] New: error
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1423
Bug ID: 1423
Summary: error
Product: bugzilla
Version: other
Hardware: i386
OS: RedHat Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: netfilter bugzilla
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: cxp2760 at 163.com
error
From bugzilla-daemon at netfilter.org Wed Apr 15 16:15:19 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 14:15:19 +0000
Subject: [Bug 1422] iptables-nft fails to check / delete rules in raw table
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #1 from Etienne Champetier ---
Here is the nft output
# nft -s list ruleset
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
}
}
# nft add rule raw OUTPUT tcp dport 42 notrack
# nft -s list ruleset
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
tcp dport 42 notrack
}
}
So the rule inserted by iptables-nft is wrong, it seems.
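The listing above shows why a ruleset review should not stop at `nft list ruleset`: the rule loaded through iptables-nft is rendered as `counter # NOTRACK`, with the target left as a comment-like marker, while the native rule reads `tcp dport 42 notrack`. The Python audit below is an added example, not code from the bug report or from the iptables/nftables projects. It parses an nft listing (the sample is constructed from the output quoted in this comment), reports rules carrying such an untranslated target, and separately lists which rules apply a given native statement. It assumes the `# NAME` rendering seen on this page; other nft versions may print untranslated expressions differently, so the pattern would need adjusting for them. The function names `parse_listing`, `untranslated_targets` and `rules_with` are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed listing, modelled on the `nft -s list ruleset` output quoted in
# comment #1 of bug 1422: one rule loaded through iptables-nft, displayed with
# the '# NOTRACK' marker, and one rule written in native nft syntax.
SAMPLE_LISTING = """\
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
        tcp dport 42 notrack
    }
}
"""

# An upper-case word after '#' at the end of a rule, as nft printed the
# untranslated iptables target on this page. (Assumption: other nft versions
# may render such expressions differently; adjust the pattern for them.)
UNTRANSLATED = re.compile(r"#\s*([A-Z][A-Z0-9_-]*)\s*$")


def parse_listing(text: str) -> List[Tuple[Optional[str], Optional[str], str]]:
    """Return (table, chain, rule) for every rule line in an nft listing,
    tracking brace depth so each rule is attributed to the right chain."""
    table = chain = None
    depth = 0
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            header = line[:-1].strip()
            if header.startswith("table "):
                table = header[len("table "):]
            elif header.startswith("chain "):
                chain = header[len("chain "):]
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 1:
                chain = None
            elif depth == 0:
                table = None
            continue
        # Depth 2 is the chain body; the 'type ... hook ...; policy ...;' line
        # is the chain header, everything else at that depth is a rule.
        if depth == 2 and not line.startswith("type "):
            rules.append((table, chain, line))
    return rules


def untranslated_targets(text: str) -> List[str]:
    """Report rules whose action nft could not render in its own syntax."""
    findings = []
    for table, chain, rule in parse_listing(text):
        m = UNTRANSLATED.search(rule)
        if m:
            findings.append(f"{table}/{chain}: untranslated target {m.group(1)} in: {rule}")
    return findings


def rules_with(text: str, statement: str) -> List[Tuple[str, str, str]]:
    """Rules that carry a native nft statement such as 'notrack'. A rule that
    only reaches the same effect through an untranslated target is not listed
    here, which is exactly why the two views have to be compared."""
    return [r for r in parse_listing(text) if statement in r[2].split()]


if __name__ == "__main__":
    for finding in untranslated_targets(SAMPLE_LISTING):
        print(finding)
    print("native notrack rules:",
          [r[2] for r in rules_with(SAMPLE_LISTING, "notrack")])
```

On the sample listing the audit reports the iptables-nft rule in `ip raw/OUTPUT` as carrying the untranslated target `NOTRACK`, and lists only `tcp dport 42 notrack` as a native notrack rule. For a reviewer that is the useful signal: an untranslated target means the listing alone does not show what the rule does, so its effect has to be verified by other means rather than read off the ruleset text.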
From bugzilla-daemon at netfilter.org Wed Apr 15 16:16:10 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 14:16:10 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
Etienne Champetier changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|iptables-nft fails to check |iptables-nft raw notrack
|/ delete rules in raw table |rules are wrong
From bugzilla-daemon at netfilter.org Wed Apr 15 18:02:30 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 16:02:30 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #2 from Etienne Champetier ---
Just compiled the latest version of iptables
(74ef6f1c16ff672139031330dc71c274300dfb2e), but same result.
From bugzilla-daemon at netfilter.org Wed Apr 15 18:19:55 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 16:19:55 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |pablo at netfilter.org
--- Comment #3 from Pablo Neira Ayuso ---
(In reply to Etienne Champetier from comment #1)
[...]
> meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
You mean it is showing # NOTRACK, right?
That's a missing translation, please, test this patch for iptables:
https://lore.kernel.org/netfilter-devel/20200415161821.119253-1-pablo at netfilter.org/T/#u
From bugzilla-daemon at netfilter.org Wed Apr 15 18:24:01 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 16:24:01 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #4 from Pablo Neira Ayuso ---
(In reply to Pablo Neira Ayuso from comment #3)
> (In reply to Etienne Champetier from comment #1)
> [...]
> > meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
>
> You mean it is showing # NOTRACK, right?
>
> That's a missing translation, please, test this patch for iptables:
>
> https://lore.kernel.org/netfilter-devel/20200415161821.119253-1-
> pablo at netfilter.org/T/#u
or take it from here:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200415161821.119253-1-pablo at netfilter.org/
Although patchwork is working a bit slow in responding today.
From bugzilla-daemon at netfilter.org Wed Apr 15 18:38:21 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 16:38:21 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #5 from Etienne Champetier ---
Still not working for me :(
# nft flush table ip raw
# nft -s list ruleset
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
# ./iptables/xtables-nft-multi iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
# nft -s list ruleset
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
}
}
# nft flush table ip raw
# ./iptables/xtables-nft-multi iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack
# nft -s list ruleset
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # CT notrack
}
}
# nft --version
nftables v0.9.4 (Jive at Five)
# ./iptables/xtables-nft-multi iptables-nft --version
iptables v1.8.4 (nf_tables)
# git log --oneline
8d8d2647 (HEAD -> master) extensions: libxt_CT: add translation for NOTRACK
74ef6f1c (origin/master, origin/HEAD) iptables: open eBPF programs in read only mode
From bugzilla-daemon at netfilter.org Wed Apr 15 18:52:09 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 16:52:09 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #6 from Pablo Neira Ayuso ---
Here it works fine:
# nft -s list ruleset
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
root at salvia:/home/pablo# iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
root at salvia:/home/pablo# nft -s list ruleset
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
}
}
Make sure the iptables-nft there is not using the old libraries. On my test machine
I have them here:
/usr/lib/xtables/
If you have installed the iptables / nftables package from Debian, it might be
that your /usr/lib/xtables/ refers to the extension libraries in
/usr/lib/x86_64-linux-gnu/xtables/.
From bugzilla-daemon at netfilter.org Wed Apr 15 18:53:10 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 16:53:10 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #7 from Pablo Neira Ayuso ---
(In reply to Pablo Neira Ayuso from comment #6)
> if you have installed the iptables / nftables package from debian, it might
> be that your /usr/lib/xtables/ refers to the extension libraries in
> /usr/lib/x86_64-linux-gnu/xtables/.
it might be that your xtables-nft-multi refers to
/usr/lib/x86_64-linux-gnu/xtables/
From bugzilla-daemon at netfilter.org Wed Apr 15 19:29:48 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 17:29:48 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #8 from Etienne Champetier ---
Yup, nft is loading libs from /usr/lib/x86_64-linux-gnu/xtables/; I'll rebuild
things until it works!
Can you confirm that you can check/delete, as this was my initial problem:
iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 1
iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 2
iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 3
Same with
iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 4
iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 5
iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 6
Thanks a lot
From bugzilla-daemon at netfilter.org Wed Apr 15 19:57:23 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 17:57:23 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #9 from Etienne Champetier ---
Using '-j CT --notrack' works
Using '-j NOTRACK' I still can't check/delete
# /usr/local/sbin/iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo ok
ok
# /usr/local/sbin/nft -s list ruleset
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
}
}
# /usr/local/sbin/iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
# /usr/local/sbin/iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
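The insert / check / delete sequence from comments #8 and #9, packaged as a script that reports which rule specs survive the round trip. This is an added example, not code from the bug report or from the iptables project: the function names roundtrip and run_suite, the IPT variable and the return codes are choices made here. It needs root and the nf_tables backend; IPT can point at a freshly built binary, which matters because, as comment #6 notes, an installed binary may be loading its xtables extension libraries from a different directory than the tree that was just patched.

```shell
#!/bin/sh
# Round-trip check for iptables-nft rules: insert a rule, confirm that -C can
# match it again, then remove it with -D. A rule that inserts but cannot be
# checked or deleted breaks every "-C || -I" idempotency idiom in provisioning
# scripts, which is exactly what bug 1422 looked like from the outside.
#
# IPT selects the binary under test (it may contain spaces, so it is expanded
# unquoted), e.g. to test a freshly built tree without installing it:
#   IPT="./iptables/xtables-nft-multi iptables-nft" sh roundtrip.sh run
IPT="${IPT:-iptables-nft}"

# roundtrip TABLE CHAIN RULE-SPEC...
# returns 0 on success, 1 if -I failed, 2 if -C failed, 3 if -D failed
roundtrip() {
    table=$1 chain=$2
    shift 2
    if ! $IPT -t "$table" -I "$chain" "$@"; then
        echo "FAIL insert: $*"
        return 1
    fi
    if ! $IPT -t "$table" -C "$chain" "$@"; then
        echo "FAIL check:  $* (inserted, but -C cannot match it back)"
        # -I placed it at position 1, so clean up by rule number
        $IPT -t "$table" -D "$chain" 1
        return 2
    fi
    if ! $IPT -t "$table" -D "$chain" "$@"; then
        echo "FAIL delete: $*"
        return 3
    fi
    echo "OK: $*"
}

# The two spellings of the same rule discussed in the thread; returns 1 if
# either of them fails the round trip.
run_suite() {
    rc=0
    roundtrip raw OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK || rc=1
    roundtrip raw OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack || rc=1
    return "$rc"
}

# only touch the live ruleset when explicitly asked
case "${1:-}" in
    run) run_suite ;;
esac
```

Run it as sh roundtrip.sh run; a non-zero exit means at least one rule spec cannot be matched back by the binary that wrote it, which is the condition to check for before trusting that binary in scripts that add and remove rules by spec.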
From bugzilla-daemon at netfilter.org Wed Apr 15 20:50:43 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 18:50:43 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #10 from Etienne Champetier ---
To be clear, I confirm your patch fixes the nft display bug, but it doesn't
fix the initial bug for me.
From bugzilla-daemon at netfilter.org Wed Apr 15 21:39:17 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 19:39:17 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #11 from Pablo Neira Ayuso ---
Ah I see, sorry.
Please give a try to this patch.
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200415193810.240720-1-pablo at netfilter.org/
Thanks.
From bugzilla-daemon at netfilter.org Wed Apr 15 21:52:49 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 19:52:49 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #12 from Etienne Champetier ---
Perfect, everything is now working
If you want you can add
Tested-by: Etienne Champetier
The last question is if you plan a release soon or if I should just ask
maintainers to backport just the patches.
Thanks a lot !
From bugzilla-daemon at netfilter.org Wed Apr 15 23:05:53 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:05:53 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
From bugzilla-daemon at netfilter.org Wed Apr 15 23:08:33 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:08:33 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
--- Comment #13 from Pablo Neira Ayuso ---
(In reply to Etienne Champetier from comment #12)
> The last question is if you plan a release soon or if I should just ask
> maintainers to backport just the patches.
Phil is on holidays this week. He's got a patchset I would like to see merged
upstream for the next release.
It might take a few weeks to make the new release.
Thanks for reporting!
From bugzilla-daemon at netfilter.org Wed Apr 15 23:10:24 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:10:24 +0000
Subject: [Bug 1423] error
https://bugzilla.netfilter.org/show_bug.cgi?id=1423
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pablo at netfilter.org
Version|other |unspecified
Assignee|netfilter-buglog at lists.netfilter.org |pablo at netfilter.org
Component|netfilter bugzilla |trash
Product|bugzilla |trash
From bugzilla-daemon at netfilter.org Wed Apr 15 23:14:34 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:14:34 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel
5.6, kernel 5.5 works fine
https://bugzilla.netfilter.org/show_bug.cgi?id=1417
--- Comment #4 from Pablo Neira Ayuso ---
(In reply to Karel Rericha from comment #3)
> I can confirm that after applying this patch to kernel 5.6.2 mapping to
> adjacent ranges works again.
>
> Thanks Pablo.
>
> Should I close this bug or lets wait until 5.6 branch will be patched?
I'd prefer if you close it once this is fixed in -stable kernels and specify
since what -stable kernel this is fixed.
Thanks!
From bugzilla-daemon at netfilter.org Wed Apr 15 23:15:19 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:15:19 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #8 from Pablo Neira Ayuso ---
Merged upstream, closing.
From bugzilla-daemon at netfilter.org Wed Apr 15 23:16:09 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:16:09 +0000
Subject: [Bug 1413] Inconsistent EBUSY errors when adding a duplicate element
to a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1413
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso ---
EEXIST here would be better, right?
From bugzilla-daemon at netfilter.org Wed Apr 15 23:20:13 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:20:13 +0000
Subject: [Bug 1411] add elements with counter to dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1411
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #2 from Pablo Neira Ayuso ---
(In reply to Karel Rericha from comment #1)
> Looks like this one will be satisfied too, but I will leave it open until I
> will be able to test it (kernel 5.7?).
That's fine, thanks.
From bugzilla-daemon at netfilter.org Wed Apr 15 23:24:20 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:24:20 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso ---
Hi,
I'm not sure I understand, do you mean something like this?
nft add rule raw PREROUTING ip daddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
This reads as follows: if packets come _from_ IP address 1.1.1.1, then rewrite the
destination address to 2.2.2.2, and so on.
From bugzilla-daemon at netfilter.org Wed Apr 15 23:25:30 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:25:30 +0000
Subject: [Bug 1409] nft manpage makes confusing reference to logical operators
https://bugzilla.netfilter.org/show_bug.cgi?id=1409
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso ---
(In reply to Matthew "Cheetah" Gabeler-Lee from comment #0)
> The nft manpage / docs say:
>
> > Expressions can be combined using binary, logical, relational and other types of
> > expressions to form complex or relational (match) expressions
>
> http://git.netfilter.org/nftables/tree/doc/nft.txt#n680
>
> However it's not clear if logical combinations are actually possible?
> https://bugzilla.netfilter.org/show_bug.cgi?id=1202#c1 explicitly states
> that disjunctions are definitely not supported, so logical OR, and XOR are
> right out, and given that I'd say NAND almost certainly is too. The only
> combining operator for matches is AND.
>
> Also, rummaging through the grammar file seems to confirm that there are
> only _bitwise_ operators.
Please, post examples of what you would like to see in place.
From bugzilla-daemon at netfilter.org Wed Apr 15 23:28:51 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:28:51 +0000
Subject: [Bug 1408] The Check option of iptables does not work as expected
https://bugzilla.netfilter.org/show_bug.cgi?id=1408
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso ---
Could you give latest iptables a try? If I understood the problem correctly, it
is working here in the most recent iptables release.
# iptables-nft -V
iptables v1.8.4 (nf_tables)
# iptables-nft -t nat -C PREROUTING --proto tcp --dport 80 -j DNAT --to-destination 1.1.1.1:80; echo $?
0
# iptables-nft -t nat -C PREROUTING --proto tcp --dport 80 -j DNAT --to-destination 1.1.1.2:80; echo $?
iptables: Bad rule (does a matching rule exist in that chain?).
1
From bugzilla-daemon at netfilter.org Wed Apr 15 23:30:28 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:30:28 +0000
Subject: [Bug 1407] Segfault with iptables-nft-restore when flush rules
included
https://bugzilla.netfilter.org/show_bug.cgi?id=1407
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |phil at nwl.cc
--- Comment #1 from Pablo Neira Ayuso ---
Still broken in git.
IIRC, I posted a patchset that fixes this.
Cc'ing Phil.
From bugzilla-daemon at netfilter.org Wed Apr 15 23:31:30 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 21:31:30 +0000
Subject: [Bug 1406] nft dies with an assertion of consumed > 0
https://bugzilla.netfilter.org/show_bug.cgi?id=1406
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso ---
I confirm I can reproduce this bug here.
From bugzilla-daemon at netfilter.org Thu Apr 16 00:02:07 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:02:07 +0000
Subject: [Bug 1403] Timeout object with invalid time unit crashes nft
https://bugzilla.netfilter.org/show_bug.cgi?id=1403
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso ---
Parser is buggy, patch to fix this available here:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200415220114.585390-1-pablo at netfilter.org/
From bugzilla-daemon at netfilter.org Thu Apr 16 00:04:03 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:04:03 +0000
Subject: [Bug 1402] Race errors with nft
https://bugzilla.netfilter.org/show_bug.cgi?id=1402
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso ---
nftables 0.9.0 is almost two years old.
Would you please test this with the latest release and confirm you are still
experiencing problems.
Thanks.
From bugzilla-daemon at netfilter.org Thu Apr 16 00:07:38 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:07:38 +0000
Subject: [Bug 1401] Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #2 from Pablo Neira Ayuso ---
Something similar to -Z to reset counters would suffice for your use case,
correct?
Would you submit a patch to improve the flawed areas in this documentation?
That would be greatly appreciated.
From bugzilla-daemon at netfilter.org Thu Apr 16 00:16:15 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:16:15 +0000
Subject: [Bug 1397] What am I doing wrong!?
https://bugzilla.netfilter.org/show_bug.cgi?id=1397
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|ASSIGNED |RESOLVED
From bugzilla-daemon at netfilter.org Thu Apr 16 00:17:30 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:17:30 +0000
Subject: [Bug 1396] When rule with 3 concat elements are added, nft list
shows only 2
https://bugzilla.netfilter.org/show_bug.cgi?id=1396
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|ASSIGNED |RESOLVED
From bugzilla-daemon at netfilter.org Thu Apr 16 00:22:04 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:22:04 +0000
Subject: [Bug 1391] iptables-nft-restore --test can segfault
https://bugzilla.netfilter.org/show_bug.cgi?id=1391
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |pablo at netfilter.org, phil at nwl.cc
--- Comment #1 from Pablo Neira Ayuso ---
I observe no crash in the iptables snapshot in git.
IIRC, this has been fixed in one of the recent patches from Phil.
It would be great if we could have a shell test in the tree to cover this one.
From bugzilla-daemon at netfilter.org Thu Apr 16 00:24:49 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:24:49 +0000
Subject: [Bug 1385] Incorrectly evaluated expression with negated ip saddr
and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
From bugzilla-daemon at netfilter.org Thu Apr 16 00:28:19 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:28:19 +0000
Subject: [Bug 1379] Rule to accept INPUT address range does not block address
that are not in range specified
https://bugzilla.netfilter.org/show_bug.cgi?id=1379
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
CC| |pablo at netfilter.org
Status|NEW |RESOLVED
--- Comment #3 from Pablo Neira Ayuso ---
Your default policy should be turned to DROP, e.g.
iptables -P INPUT DROP
Otherwise, packets not matching your rule will just go through.
From bugzilla-daemon at netfilter.org Thu Apr 16 00:36:29 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Wed, 15 Apr 2020 22:36:29 +0000
Subject: [Bug 1361] nft segfault on overlapping intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1361
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #1 from Pablo Neira Ayuso ---
Works here:
# nft -f m
m:6:17-25: Error: conflicting intervals specified
144 - 174 : accept,
^^^^^^^^^
m:5:30-13: Error: Could not process rule: File exists
icmpv6 type vmap {
Fixed by:
http://git.netfilter.org/nftables/commit/?id=3e7dad95af69bde12f22af5b1a2bc860ab3da417
From bugzilla-daemon at netfilter.org Thu Apr 16 06:20:03 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 04:20:03 +0000
Subject: [Bug 1409] nft manpage makes confusing reference to logical operators
https://bugzilla.netfilter.org/show_bug.cgi?id=1409
--- Comment #2 from Matthew "Cheetah" Gabeler-Lee ---
I think it should just say "binary and relational operators"? There aren't any
logical operators supported as far as I can tell, unless you count the implicit
"and" that happens when chaining expressions one after the other in a rule.
Perhaps to be more precise in that case, something along the lines of:
Expressions can be combined using binary, relational, and other
numeric operators, and combined in a logical "and" by placing
multiple expressions in sequence within a rule.
I'm not sure that's ideal wording, but I think it's closer.
From bugzilla-daemon at netfilter.org Thu Apr 16 10:02:47 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 08:02:47 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410
--- Comment #2 from e.lohmann at mdex.de ---
Hi Pablo,
thanks for your answer. No, what I'd like to do in RAW is the same I do in NAT
Pre/Post.
dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
This reads as follows: if packets are sent _to_ IP address 1.1.1.1, then rewrite
the destination address to 2.2.2.2, and so on.
snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
This reads as follows: if packets come _from_ IP address 2.2.2.2, then rewrite
the source address to 1.1.1.1, and so on.
With this mechanism we map public IP addresses to private ones and vice versa.
With 2 or more internet access points it's possible that traffic for an address
comes in on point A and leaves the system on point B. The STATEFUL rules on
point B are NOT working if the IP packet is e.g. TCP, ICMP and NOT new.
What I try to accomplish in raw is that this can be done without any conntrack
state, for all packets in raw.
Right now there is no way to create a map in raw and do address rewriting.
Regards, Eike
From bugzilla-daemon at netfilter.org Thu Apr 16 10:20:41 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 08:20:41 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410
--- Comment #3 from Pablo Neira Ayuso ---
(In reply to e.lohmann from comment #2)
> Hi Pablo,
>
> thanks for your answer. No, what I like to do in RAW is the same I do in NAT
> Pre/Post.
>
> dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
>
> This reads as follows: if packets send _to_ IP address 1.1.1.1, the rewrite
> destination address to 2.2.2.2 and so on.
This rule represents the stateless dnat that you are asking for:
nft add rule raw PREROUTING ip daddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
This reads as: set the IP destination address based on the map lookup.
This map lookup takes packets sent to IP address 1.1.1.1 and returns 2.2.2.2,
which is used to rewrite the IP destination.
> snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
>
> This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> rewrite source address to 1.1.1.1 and so on.
nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
Similar rule as above, but "ip saddr set" is used.
[...]
> Right now there is no way to create a map in raw and do address rewrite.
Did you give a try to the examples above?
Thank you.
From bugzilla-daemon at netfilter.org Thu Apr 16 10:25:22 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 08:25:22 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1410
--- Comment #4 from Pablo Neira Ayuso ---
(In reply to Pablo Neira Ayuso from comment #3)
> (In reply to e.lohmann from comment #2)
> > Hi Pablo,
> >
> > thanks for your answer. No, what I like to do in RAW is the same I do in NAT
> > Pre/Post.
> >
> > dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
nft add rule raw PREROUTING ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
If you would like to rewrite the destination address based on the existing
destination IP address.
Map lookups allow for any criteria, including concatenations, e.g.
nft add rule raw PREROUTING ip daddr set ip saddr . ip daddr map { 1.1.1.1 . 2.2.2.2 : 3.3.3.3, 1.1.1.2 . 2.2.2.1 : 4.4.4.4 } notrack
In this example, if packets are coming from 1.1.1.1 and going to 2.2.2.2, then
the IP destination address is rewritten to 3.3.3.3.
From bugzilla-daemon at netfilter.org Thu Apr 16 10:33:24 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 08:33:24 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1410
--- Comment #5 from Pablo Neira Ayuso ---
(In reply to Pablo Neira Ayuso from comment #3)
[...]
> > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> >
> > This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> > rewrite source address to 1.1.1.1 and so on.
>
> nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
Assuming the legacy table/chains, you can use postrouting/mangle for the
stateless dnat
nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
From bugzilla-daemon at netfilter.org Thu Apr 16 10:54:00 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 08:54:00 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1410
--- Comment #6 from Pablo Neira Ayuso ---
(In reply to Pablo Neira Ayuso from comment #5)
> (In reply to Pablo Neira Ayuso from comment #3)
> [...]
> > > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> > >
> > > This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> > > rewrite source address to 1.1.1.1 and so on.
> >
> > nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
>
> Assuming the legacy table/chains, you can use postrouting/mangle for the
> stateless dnat
You will still need to disable conntrack from PREROUTING for stateless dnat,
so this would be:
nft add rule raw PREROUTING ip saddr { 1.1.1.1, 1.1.1.2 } notrack
The rule above disables conntrack for traffic coming from 1.1.1.1 and 1.1.1.2,
then:
nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
This rule performs the stateless snat.
I can place these examples in the wiki if you like.
From bugzilla-daemon at netfilter.org Thu Apr 16 10:56:24 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 08:56:24 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1410
--- Comment #7 from Pablo Neira Ayuso ---
(In reply to Pablo Neira Ayuso from comment #6)
> (In reply to Pablo Neira Ayuso from comment #5)
> > (In reply to Pablo Neira Ayuso from comment #3)
> > [...]
> > > > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> > > >
> > > > This reads as follows: if packets came _from_ IP address 2.2.2.2, the
> > > > rewrite source address to 1.1.1.1 and so on.
> > >
> > > nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
> >
> > Assuming the legacy table/chains, you can use postrouting/mangle for the
> > stateless dnat
>
> You will still need to disable conntrack from PREROUTING for stateless
> dnat, so this would be:
This example is actually stateless snat, sorry for the typo.
> nft add rule raw PREROUTING ip saddr { 1.1.1.1, 1.1.1.2 } notrack
>
> The rule above disables conntrack for traffic coming from 1.1.1.1 and
> 1.1.1.2, then:
>
> nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
>
> This rule performs the stateless snat.
>
> I can place these examples in the wiki if you like.
From bugzilla-daemon at netfilter.org Fri Apr 17 15:24:31 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 17 Apr 2020 13:24:31 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1410
--- Comment #8 from e.lohmann at mdex.de ---
Hi Pablo,
both rules are accepted by nft, and I think it will do the job.
nft add rule raw PREROUTING ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
nft add rule raw PREROUTING ip saddr set ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 } notrack
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
        ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
        ip saddr set ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 } notrack
    }
}
> nft add rule raw PREROUTING ip daddr set ip saddr . ip daddr map { 1.1.1.1 . 2.2.2.2 : 3.3.3.3, 1.1.1.2 . 2.2.2.1 : 4.4.4.4 } notrack
Nice possibility to do a rewrite on saddr and daddr inside a map!
The stateless snat example in mangle POSTROUTING is also a good idea, thank you
for that!
Yes, please put this into the Wiki; it will help to understand what is possible
with nft.
Is it also possible to add a network or range into a map and do a saddr/daddr
rewrite? Like it was possible with netmap in iptables?
Regards, Eike
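The rules exchanged in comments #3 to #8 above, assembled into one complete ruleset as an added example (this is not code from the bug thread or from the nftables project). It assumes the legacy-style raw and mangle tables are created by the ruleset itself (priorities -300 and -150), that the thread's 1.1.1.1/2.2.2.2 addresses are placeholders, and that the reply-direction map is simply the inverse of the inbound map, which the script derives rather than hand-writes, since without conntrack there is no state to undo the rewrite:

```shell
#!/bin/sh
# Added example, not code from bug 1410 or from nftables: generate a complete
# stateless 1:1 address-rewrite ruleset in the style of comments #3 to #8.
# Assumptions: raw/mangle tables are created here with the legacy priorities
# (-300 and -150); the addresses are the thread's placeholders, not real hosts.

# Inbound direction: packets *to* the published address 1.1.1.1 have their
# destination rewritten to the real host 2.2.2.2 (nft map-element syntax).
DNAT_MAP="1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3"

# Build the reply-direction map by swapping key and value of each element:
# a reply *from* 2.2.2.2 gets its source rewritten back to 1.1.1.1.
invert_map() {
    printf '%s\n' "$1" | awk -F', *' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, / *: */)
            out = out (i > 1 ? ", " : "") kv[2] " : " kv[1]
        }
        print out
    }'
}

# Comma-separated keys of a map; used to build the notrack set of real hosts.
map_keys() {
    printf '%s\n' "$1" | awk -F', *' '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, / *: */)
            printf "%s%s", (i > 1 ? ", " : ""), kv[1]
        }
    }'
}

# Emit the ruleset in "nft -f" syntax. raw/PREROUTING runs before conntrack,
# so the destination rewrite and both notrack statements live there; the
# source rewrite of replies is done in mangle/POSTROUTING as in comment #6.
stateless_nat_ruleset() {
    dnat_map=$1
    snat_map=$(invert_map "$dnat_map")
    real_hosts=$(map_keys "$snat_map")
    cat <<EOF
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
        # inbound: rewrite destination before routing and bypass conntrack
        ip daddr set ip daddr map { $dnat_map } notrack
        # replies from the real hosts must bypass conntrack as well
        ip saddr { $real_hosts } notrack
    }
}
table ip mangle {
    chain POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
        # outbound: rewrite the reply source back to the published address
        ip saddr set ip saddr map { $snat_map }
    }
}
EOF
}

# Print the ruleset. On a host with nft installed, pipe it into "nft -c -f -"
# to have nft parse and validate it without applying anything.
stateless_nat_ruleset "$DNAT_MAP"
```

Because every packet in both directions carries notrack, these flows never appear in the conntrack table, so monitoring that relies on `conntrack -L` or on `ct state` matches in later chains will not see them; any filtering for the rewritten hosts has to be stateless too.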
From bugzilla-daemon at netfilter.org Sat Apr 18 21:11:24 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Sat, 18 Apr 2020 19:11:24 +0000
Subject: [Bug 1423] New: iptables-translate silently discards --ctstate DNAT
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1423
Bug ID: 1423
Summary: iptables-translate silently discards --ctstate DNAT
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: iptables over nftable
Assignee: pablo at netfilter.org
Reporter: oldium.pro at gmail.com
Bug originally reported in the Debian tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932899
I am also affected by the bug. I found the Debian bug, but it looks like
it was ignored, so I am forwarding it here.
Original message follows:
This appears to be wrong -- the DNAT is "eaten":
root@not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct state counter accept
root@not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept
I think the output should be
root@not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct status dnat counter accept
root@not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept
nft add rule ip filter INPUT ct status dnat counter accept
I am new to nftables, so I may have missed something obvious.
If so, sorry to bother you!
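A translation that silently drops a match, as in this report, is easy to miss when migrating a large ruleset, so here is an added post-translation check (not part of the bug report or of iptables-translate). It compares the conntrack states requested by an iptables rule with what the emitted nft rule actually matches, using the nftables semantics that NEW, ESTABLISHED, RELATED, INVALID and UNTRACKED are `ct state` values while SNAT and DNAT are status bits that must appear as `ct status snat` / `ct status dnat`; the two sample rule strings are constructed from the report:

```shell
#!/bin/sh
# Added example, not code from bug 1423 or from iptables-translate: detect
# --ctstate values that an nft translation does not carry.
# Mapping used: NEW/ESTABLISHED/RELATED/INVALID/UNTRACKED -> "ct state",
# SNAT/DNAT -> "ct status" (they are conntrack status bits, not states).

# Print the comma-separated value list that follows keyword $2 in the nft
# rule $1, or nothing if the keyword is absent from the rule.
nft_values_after() {
    printf '%s\n' "$1" | sed -n "s/.*$2 \([a-z,]*\).*/\1/p"
}

# Print each --ctstate value of the iptables rule ($1) that the nft rule ($2)
# does not match; return 1 if anything is missing, 0 otherwise.
check_ctstate_translation() {
    states=$(printf '%s\n' "$1" | sed -n 's/.*--ctstate \([A-Z,]*\).*/\1/p' | tr ',' ' ')
    missing=0
    for s in $states; do
        case $s in
            SNAT|DNAT) keyword="ct status" ;;
            *)         keyword="ct state" ;;
        esac
        lower=$(printf '%s' "$s" | tr 'A-Z' 'a-z')
        values=$(nft_values_after "$2" "$keyword")
        case ",$values," in
            *",$lower,"*) ;;
            *) echo "$s"; missing=1 ;;
        esac
    done
    return $missing
}

# Sample input constructed from the report: the translation keeps
# ESTABLISHED and RELATED but drops DNAT.
IPT_RULE='-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT'
NFT_RULE='nft add rule ip filter INPUT ct state related,established counter accept'

if ! check_ctstate_translation "$IPT_RULE" "$NFT_RULE"; then
    echo "translation dropped the --ctstate values listed above" >&2
fi
```

In a migration pipeline the two strings would come from the original rule and from the corresponding `iptables-translate` output line; a non-zero return is the signal to review that rule by hand before loading the nft ruleset.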
From bugzilla-daemon at netfilter.org Thu Apr 23 15:48:31 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 23 Apr 2020 13:48:31 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1417
Karel Rericha changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #5 from Karel Rericha ---
netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on insertion
landed in kernel 5.6.7, closing as RESOLVED/FIXED now.
From bugzilla-daemon at netfilter.org Mon Apr 27 15:10:02 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Mon, 27 Apr 2020 13:10:02 +0000
Subject: [Bug 1424] New: v0.9.0: segfault when using nft -f and issuing "ruleset flush" twice
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1424
Bug ID: 1424
Summary: v0.9.0: segfault when using nft -f and issuing "ruleset flush" twice
Product: nftables
Version: unspecified
Hardware: All
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: eexexiexit at riseup.net
Created attachment 591
--> https://bugzilla.netfilter.org/attachment.cgi?id=591&action=edit
strace output of the script that segfaults
Disclaimer: I am totally new to nftables, so forgive my stupidity.
Running this file segfaults on two of my machines (both debian stable
"buster"):
/tmp/test:
#!/usr/sbin/nft -f
flush ruleset
create table inet fw
list table inet fw
flush ruleset
The same command sequence runs smoothly when issued interactively.
kernel message:
[ 8841.187933] show_signal_msg: 12 callbacks suppressed
[ 8841.187936] test[17806]: segfault at 10 ip 00007f175a76929b sp 00007ffc67e5c940 error 4 in libnftables.so.0.0.0[7f175a763000+47000]
[ 8841.190580] Code: ff 48 8b 44 24 28 64 48 33 04 25 28 00 00 00 75 06 48 83 c4 30 5b c3 e8 53 a9 ff ff 0f 1f 00 41 56 41 55 41 54 49 89 fc 55 53 <8b> 7f 10 48 89 f3 e8 2a be ff ff 49 8b 4c 24 40 48 8d 35 e9 0f 04
Segmentation fault
uname -a:
Linux something 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64 GNU/Linux
Linux otherthing 4.19.0-8-686-pae #1 SMP Debian 4.19.98-1 (2020-01-26) i686 GNU/Linux
/usr/sbin/nft --version:
nftables v0.9.0 (Fearless Fosdick)
strace is attached.
From bugzilla-daemon at netfilter.org Mon Apr 27 18:19:58 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Mon, 27 Apr 2020 16:19:58 +0000
Subject: [Bug 1424] v0.9.0: segfault when using nft -f and issuing "ruleset flush" twice
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1424
Pablo Neira Ayuso changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso ---
(In reply to exit from comment #0)
> Created attachment 591 [details]
> strace output of the script that segfaults
>
> Disclaimer: I am totally new to nftables, so forgive my stupidity.
>
> Running this file segfaults on two of my machines (both debian stable
> "buster"):
[...]
> uname -a:
>
> Linux something 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08)
> x86_64 GNU/Linux
>
> Linux otherthing 4.19.0-8-686-pae #1 SMP Debian 4.19.98-1 (2020-01-26) i686
> GNU/Linux
>
> /usr/sbin/nft --version:
> nftables v0.9.0 (Fearless Fosdick)
This version is almost two years old.
I think there is a more modern version in debian backports, please have a look.
This is working fine here:
# nft -v
nftables v0.9.4 (Jive at Five)
From bugzilla-daemon at netfilter.org Tue Apr 28 08:05:33 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Tue, 28 Apr 2020 06:05:33 +0000
Subject: [Bug 1425] New: th not accepted in snat with multiple ip protocols
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1425
Bug ID: 1425
Summary: th not accepted in snat with multiple ip protocols
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: fasnacht at protonmail.ch
Hello,
For tracking, here's a bug I'm experiencing, with the following, in an inet
table:
map nat-int-ext-port-v4 {
type ipv4_addr . inet_service . inet_proto : inet_service
}
[...]
ip protocol {udp, tcp} snat ip to $host_ipv4_address : ip saddr . th sport . ip protocol map @nat-int-ext-port-v4
I get:
Error: transport protocol mapping is only valid after transport protocol match
It works fine when restricting ip protocol to a single protocol.
Best,
Laurent
From bugzilla-daemon at netfilter.org Tue Apr 28 17:44:37 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Tue, 28 Apr 2020 15:44:37 +0000
Subject: [Bug 1391] iptables-nft-restore --test can segfault
In-Reply-To:
References:
Message-ID:
https://bugzilla.netfilter.org/show_bug.cgi?id=1391
Phil Sutter changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Phil Sutter ---
Hi,
I just pushed a test case, the problem is indeed fixed meanwhile.
Thanks for reporting,
Phil