From bugzilla-daemon at netfilter.org Sun Apr 5 14:14:12 2020
Date: Sun, 05 Apr 2020 12:14:12 +0000
Subject: [Bug 1415] New: adjacent ip ranges in vmap causing error

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

            Bug ID: 1415
           Summary: adjacent ip ranges in vmap causing error
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: generic_dummy at t-online.de

The following snippets cause a 'File exists' error:

    ip saddr vmap { 10.0.1.0/24 : accept, 10.0.2.0/24 : drop }

    ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.2.0-10.0.2.255 : drop }

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bugzilla-daemon at netfilter.org Sun Apr 5 14:19:07 2020
Date: Sun, 05 Apr 2020 12:19:07 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

--- Comment #1 from McFly ---
while shifting the beginning of the second ip range by one does not cause any error:

    ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.2.1-10.0.2.255 : drop }
From bugzilla-daemon at netfilter.org Tue Apr 7 19:42:01 2020
Date: Tue, 07 Apr 2020 17:42:01 +0000
Subject: [Bug 1416] New: Include a pre-built man page in the distributed tarball

https://bugzilla.netfilter.org/show_bug.cgi?id=1416

            Bug ID: 1416
           Summary: Include a pre-built man page in the distributed tarball
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: chutzpah at gentoo.org

Building the man page pulls in some dependencies that have quite a few dependencies on their own. It would be very nice if this was optional, and there was a prebuilt man page included in the original tarball that can be installed.

From bugzilla-daemon at netfilter.org Tue Apr 7 20:25:52 2020
Date: Tue, 07 Apr 2020 18:25:52 +0000
Subject: [Bug 1416] Include a pre-built man page in the distributed tarball

https://bugzilla.netfilter.org/show_bug.cgi?id=1416

--- Comment #1 from Pablo Neira Ayuso ---
This can be included via distcheck-hook? Would you make a patch for this?

Thanks.
From bugzilla-daemon at netfilter.org Wed Apr 8 00:24:26 2020
Date: Tue, 07 Apr 2020 22:24:26 +0000
Subject: [Bug 1416] Include a pre-built man page in the distributed tarball

https://bugzilla.netfilter.org/show_bug.cgi?id=1416

--- Comment #2 from Patrick McLean ---
Created attachment 587
  --> https://bugzilla.netfilter.org/attachment.cgi?id=587&action=edit
0001-doc-Include-generated-man-pages-in-dist-tarball.patch

This patch was recently posted to the mailing list by an acquaintance:
https://marc.info/?l=netfilter-devel&m=158628632031443&w=2

From bugzilla-daemon at netfilter.org Wed Apr 8 08:56:48 2020
Date: Wed, 08 Apr 2020 06:56:48 +0000
Subject: [Bug 1417] New: mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine

https://bugzilla.netfilter.org/show_bug.cgi?id=1417

            Bug ID: 1417
           Summary: mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: karel at unitednetworks.cz

Created attachment 588
  --> https://bugzilla.netfilter.org/attachment.cgi?id=588&action=edit
example of adjacent ranges causing error

After upgrading kernel from 5.5 to 5.6.2 our ruleset which includes mapping packet sizes to counters fails to load. Problem is in adjacent ranges:

This fails (with File exists message):

    counter name ip length map { 0-100 : "c1", 101-200 : "c2" }

After increasing start of second range by one it loads ok:

    counter name ip length map { 0-100 : "c1", 102-200 : "c2" }

See attached examples.
Probably same bug as: https://bugzilla.netfilter.org/show_bug.cgi?id=1415

From bugzilla-daemon at netfilter.org Wed Apr 8 08:58:38 2020
Date: Wed, 08 Apr 2020 06:58:38 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine

https://bugzilla.netfilter.org/show_bug.cgi?id=1417

--- Comment #1 from Karel Rericha ---
Created attachment 589
  --> https://bugzilla.netfilter.org/attachment.cgi?id=589&action=edit
example of non adjacent ranges not causing error

From bugzilla-daemon at netfilter.org Wed Apr 8 11:44:21 2020
Date: Wed, 08 Apr 2020 09:44:21 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine

https://bugzilla.netfilter.org/show_bug.cgi?id=1417

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
            Status |NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso ---
Please, give a test to this patch:

https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=72239f2795fab9a58633bd0399698ff7581534a3

Thanks.
From bugzilla-daemon at netfilter.org Wed Apr 8 11:45:47 2020
Date: Wed, 08 Apr 2020 09:45:47 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
            Status |NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso ---
Please give a try to this patch:

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

From bugzilla-daemon at netfilter.org Wed Apr 8 11:46:04 2020
Date: Wed, 08 Apr 2020 09:46:04 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

--- Comment #3 from Pablo Neira Ayuso ---
Please give a try to this patch:

https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=72239f2795fab9a58633bd0399698ff7581534a3

From bugzilla-daemon at netfilter.org Wed Apr 8 17:19:48 2020
Date: Wed, 08 Apr 2020 15:19:48 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine

https://bugzilla.netfilter.org/show_bug.cgi?id=1417

--- Comment #3 from Karel Rericha ---
I can confirm that after applying this patch to kernel 5.6.2 mapping to adjacent ranges works again. Thanks Pablo.
Should I close this bug, or wait until the 5.6 branch has been patched?

From bugzilla-daemon at netfilter.org Wed Apr 8 18:50:35 2020
Date: Wed, 08 Apr 2020 16:50:35 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

--- Comment #4 from McFly ---
The patch apparently resolves the reported problem, however it seems to have other issues. The following snippet is causing a segmentation fault:

    ip saddr vmap { 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop }

The patch was applied to kernel 5.6.3 and nftables 0.9.4 was used. I will cross-check with an unpatched kernel.

From bugzilla-daemon at netfilter.org Wed Apr 8 19:25:35 2020
Date: Wed, 08 Apr 2020 17:25:35 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

--- Comment #5 from McFly ---
I did some further checks:

1. the problem with the adjacent ip ranges occurs:
   kernel 5.5.10 -> NO
From bugzilla-daemon at netfilter.org Wed Apr 8 19:35:48 2020
Date: Wed, 08 Apr 2020 17:35:48 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

--- Comment #6 from McFly ---
I did some further checks:

1. the problem with the adjacent ip ranges occurs (causing the 'File exists' error):
   kernel 5.5.10 -> no
   kernel 5.6.2 -> yes
   kernel 5.6.3 -> yes
   kernel 5.6.3 with patch -> no

   i.e. the issue was introduced somewhere between 5.5.10 and 5.6.2 and the patch is fixing it.

2. the problem with overlapping ip ranges (causing the segmentation fault) occurs with kernels 5.5.10, 5.6.3 and the patch does NOT fix it

Maybe distinct problems. Shall I report this as a separate bug?
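A pre-flight lint for the two cases that bugs 1415 and 1417 turn on: adjacent interval keys (legal, and exactly what the 5.6.x kernel wrongly rejected with 'File exists') versus overlapping keys (which nft should reject cleanly rather than crash on). This is an added example, not code from the bug reports or from nftables; it assumes map bodies in the `{ key : value, ... }` text form quoted above, and the sample inputs are constructed from those reports.

```python
"""Lint nft map/vmap interval keys for overlap and adjacency (added example)."""
import ipaddress
from typing import List, Tuple

# Constructed inputs, shaped like the elements quoted in bugs 1415 and 1417.
ADJACENT_CIDR = "{ 10.0.1.0/24 : accept, 10.0.2.0/24 : drop }"
ADJACENT_RANGE = "{ 10.0.1.0-10.0.1.255 : accept, 10.0.2.0-10.0.2.255 : drop }"
OVERLAPPING_RANGE = "{ 10.0.1.0-10.0.1.255 : accept, 10.0.1.1-10.0.2.255 : drop }"
ADJACENT_INT = '{ 0-100 : "c1", 101-200 : "c2" }'
GAP_INT = '{ 0-100 : "c1", 102-200 : "c2" }'


def _scalar(token: str) -> int:
    """Map one IPv4/IPv6 address or integer token onto the integer line."""
    try:
        return int(ipaddress.ip_address(token))
    except ValueError:
        return int(token, 0)  # plain or 0x-prefixed integer


def key_to_interval(key: str) -> Tuple[int, int]:
    """Inclusive [lo, hi] for a CIDR prefix, an 'a-b' range, or a single value."""
    key = key.strip()
    if "/" in key:
        net = ipaddress.ip_network(key, strict=False)
        return int(net[0]), int(net[-1])
    if "-" in key:
        lo, hi = (_scalar(part.strip()) for part in key.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {key}")
        return lo, hi
    value = _scalar(key)
    return value, value


def parse_map(text: str) -> List[Tuple[int, int, str]]:
    """Split '{ k : v, k : v }' into (lo, hi, original_key) triples."""
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    elems = []
    for item in body.split(","):
        if not item.strip():
            continue
        key = item.partition(":")[0].strip()
        lo, hi = key_to_interval(key)
        elems.append((lo, hi, key))
    return elems


def lint_map(text: str) -> List[Tuple[str, str, str]]:
    """Report ('overlap' | 'adjacent', earlier_key, later_key) pairs.

    Elements are sorted by start; the widest interval seen so far is carried
    along so that a later key nested inside an earlier wide one is still
    flagged. Overlaps are errors; adjacencies are legal and listed only so an
    operator knows which elements hit the 5.6.x kernel regression.
    """
    findings: List[Tuple[str, str, str]] = []
    elems = sorted(parse_map(text))
    if not elems:
        return findings
    hi_max, key_max = elems[0][1], elems[0][2]
    for lo, hi, key in elems[1:]:
        if lo <= hi_max:
            findings.append(("overlap", key_max, key))
        elif lo == hi_max + 1:
            findings.append(("adjacent", key_max, key))
        if hi > hi_max:
            hi_max, key_max = hi, key
    return findings


def has_overlap(text: str) -> bool:
    """True when the map contains at least one overlapping pair."""
    return any(kind == "overlap" for kind, _, _ in lint_map(text))


if __name__ == "__main__":
    for sample in (ADJACENT_CIDR, ADJACENT_RANGE, OVERLAPPING_RANGE,
                   ADJACENT_INT, GAP_INT):
        print(sample, "->", lint_map(sample) or "no findings")
```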
From bugzilla-daemon at netfilter.org Thu Apr 9 02:05:52 2020
Date: Thu, 09 Apr 2020 00:05:52 +0000
Subject: [Bug 1418] New: segfaults when running nft --file foo.nft --echo

https://bugzilla.netfilter.org/show_bug.cgi?id=1418

            Bug ID: 1418
           Summary: segfaults when running nft --file foo.nft --echo
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: chutzpah at gentoo.org

Here is the backtrace:

    mpz_cmp (a=a@entry=0x555555654ce0, b=) at mini-gmp.c:1819
    1819      return mpn_cmp (a->_mp_d, b->_mp_d, asize);
    (gdb) bt
    #0  mpz_cmp (a=a@entry=0x555555654ce0, b=) at mini-gmp.c:1819
    #1  0x00005555555ad790 in expr_value_cmp (p1=p1@entry=0x5555556ac820, p2=p2@entry=0x5555556ac828) at segtree.c:832
    #2  0x00007ffff7d86f3d in msort_with_tmp (p=p@entry=0x7fffffffc9a0, b=b@entry=0x5555556ac820, n=n@entry=2) at msort.c:83
    #3  0x00007ffff7d86ea4 in msort_with_tmp (n=2, b=0x5555556ac820, p=0x7fffffffc9a0) at msort.c:53
    #4  msort_with_tmp (p=p@entry=0x7fffffffc9a0, b=b@entry=0x5555556ac820, n=n@entry=5) at msort.c:53
    #5  0x00007ffff7d86ea4 in msort_with_tmp (n=5, b=0x5555556ac820, p=0x7fffffffc9a0) at msort.c:53
    #6  msort_with_tmp (p=p@entry=0x7fffffffc9a0, b=b@entry=0x5555556ac820, n=n@entry=10) at msort.c:53
    #7  0x00007ffff7d872c2 in msort_with_tmp (n=10, b=0x5555556ac820, p=0x7fffffffc9a0) at msort.c:297
    #8  __GI___qsort_r (b=b@entry=0x5555556ac820, n=n@entry=10, s=s@entry=8, cmp=cmp@entry=0x5555555ad760 , arg=arg@entry=0x0) at msort.c:297
    #9  0x00007ffff7d8756f in __GI_qsort (b=b@entry=0x5555556ac820, n=n@entry=10, s=s@entry=8, cmp=cmp@entry=0x5555555ad760 ) at msort.c:308
    #10 0x00005555555aed85 in interval_map_decompose (set=0x5555556115a0) at segtree.c:978
    #11 0x00005555555abaff in nlr_for_each_set (nlr=nlr@entry=0x5555556ac190, cb=cb@entry=0x5555555ab9c0 , cache=0x55555560c340, data=0x0) at monitor.c:193
    #12 0x00005555555ac326 in netlink_events_rule_cb (monh=0x7fffffffcce0, type=6, nlh=0x7fffffffcda0) at monitor.c:517
    #13 netlink_events_cb (nlh=nlh@entry=0x7fffffffcda0, data=data@entry=0x7fffffffcce0) at monitor.c:890
    #14 0x00005555555ad062 in netlink_echo_callback (nlh=nlh@entry=0x7fffffffcda0, data=data@entry=0x7fffffffde10) at monitor.c:924
    #15 0x00007ffff7fb6748 in __mnl_cb_run (cb_ctl_array_len=16, cb_ctl_array=0x55555560a5a0 , data=, cb_data=0x5555555ad000 , portid=0, seq=0, numbytes=, buf=0x7fffffffcda0) at callback.c:78
    #16 mnl_cb_run2 (buf=buf@entry=0x7fffffffcda0, numbytes=, seq=seq@entry=0, portid=portid@entry=0, cb_data=0x5555555ad000 , data=data@entry=0x7fffffffde10, cb_ctl_array=0x55555560a5a0 , cb_ctl_array_len=16) at callback.c:135
    #17 0x00005555555b1aac in mnl_batch_talk (ctx=ctx@entry=0x7fffffffdf70, err_list=err_list@entry=0x7fffffffdf60, num_cmds=num_cmds@entry=161) at mnl.c:433
    #18 0x000055555556b6c5 in nft_netlink (nft=nft@entry=0x55555560c2a0, cmds=cmds@entry=0x7fffffffe010, msgs=msgs@entry=0x7fffffffe000, nf_sock=) at libnftables.c:57
    #19 0x000055555556bfa8 in nft_run_cmd_from_filename (nft=0x55555560c2a0, filename=0x7fffffffe4ad "/etc/nftables/init.nft") at libnftables.c:508
    #20 0x000055555556acb9 in main (argc=, argv=0x7fffffffe1c8) at main.c:455

When it is adding the rules and echoing, the output is kind of mangled. A rule that looks like

    table inet filter {
        chain input_XXXXXXX {
            iifname { "bond0" } ip saddr { 10.0.0.0/8 } ip daddr { 192.168.1.1 } tcp dport { ssh } counter accept
        }
    }

Gets echoed as

    add rule inet filter input_XXXXXXX iifname { "bond0", "bond0" } ip saddr { 10.0.0.0/8, 10.0.0.0/8-0xffffffff [invalid type] } ip daddr { 192.168.1.1, 192.168.1.1 } tcp dport { 22, 22 } counter packets 0 bytes 0 accept
From bugzilla-daemon at netfilter.org Thu Apr 9 02:06:08 2020
Date: Thu, 09 Apr 2020 00:06:08 +0000
Subject: [Bug 1418] segfaults when running nft --file foo.nft --echo

https://bugzilla.netfilter.org/show_bug.cgi?id=1418

Patrick McLean changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
          Severity |enhancement                 |critical

From bugzilla-daemon at netfilter.org Thu Apr 9 02:46:22 2020
Date: Thu, 09 Apr 2020 00:46:22 +0000
Subject: [Bug 1418] segfaults when running nft --file foo.nft --echo

https://bugzilla.netfilter.org/show_bug.cgi?id=1418

--- Comment #1 from Patrick McLean ---
Created attachment 590
  --> https://bugzilla.netfilter.org/attachment.cgi?id=590&action=edit
ruleset that triggers the segfault

OK, I seem to have figured out how to reproduce it reliably. I have some generated rule sets that I am loading, and they attempt to clean up after the last time they were loaded by adding then deleting the tables they create. The first time nft runs, everything works fine; the second time I get the strange output and a segfault.

So try running "nft --echo --file test.nft" *twice* and it will cause nft to echo some strange data and segfault.
From bugzilla-daemon at netfilter.org Thu Apr 9 02:47:20 2020
Date: Thu, 09 Apr 2020 00:47:20 +0000
Subject: [Bug 1418] segfaults when running nft --file foo.nft --echo

https://bugzilla.netfilter.org/show_bug.cgi?id=1418

Patrick McLean changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
    Attachment #590|application/octet-stream    |text/plain
         mime type |                            |

From bugzilla-daemon at netfilter.org Fri Apr 10 07:54:58 2020
Date: Fri, 10 Apr 2020 05:54:58 +0000
Subject: [Bug 1419] New: abcd

https://bugzilla.netfilter.org/show_bug.cgi?id=1419

            Bug ID: 1419
           Summary: abcd
           Product: bugzilla
           Version: other
          Hardware: x86_64
                OS: All
            Status: ASSIGNED
          Severity: normal
          Priority: P5
         Component: netfilter bugzilla
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: 826706276 at qq.com

abcd

From bugzilla-daemon at netfilter.org Fri Apr 10 08:15:14 2020
Date: Fri, 10 Apr 2020 06:15:14 +0000
Subject: [Bug 1420] New: abcd

https://bugzilla.netfilter.org/show_bug.cgi?id=1420

            Bug ID: 1420
           Summary: abcd
           Product: bugzilla
           Version: other
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: netfilter bugzilla
          Assignee: 826706276 at qq.com
          Reporter: 826706276 at qq.com
From bugzilla-daemon at netfilter.org Fri Apr 10 08:16:00 2020
Date: Fri, 10 Apr 2020 06:16:00 +0000
Subject: [Bug 1420] abcd

https://bugzilla.netfilter.org/show_bug.cgi?id=1420

Meter <826706276 at qq.com> changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
        Resolution |---                         |FIXED
            Status |NEW                         |RESOLVED

From bugzilla-daemon at netfilter.org Fri Apr 10 08:17:39 2020
Date: Fri, 10 Apr 2020 06:17:39 +0000
Subject: [Bug 1419] abcd

https://bugzilla.netfilter.org/show_bug.cgi?id=1419

Meter <826706276 at qq.com> changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
        Resolution |---                         |FIXED
            Status |ASSIGNED                    |RESOLVED

--- Comment #1 from Meter <826706276 at qq.com> ---
abcd

From bugzilla-daemon at netfilter.org Fri Apr 10 08:22:21 2020
Date: Fri, 10 Apr 2020 06:22:21 +0000
Subject: [Bug 1421] New: abcde

https://bugzilla.netfilter.org/show_bug.cgi?id=1421

            Bug ID: 1421
           Summary: abcde
           Product: conntrack-tools
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: conntrack-daemon
          Assignee: 826706276 at qq.com
          Reporter: 826706276 at qq.com

abcd
From bugzilla-daemon at netfilter.org Fri Apr 10 08:22:45 2020
Date: Fri, 10 Apr 2020 06:22:45 +0000
Subject: [Bug 1421] abcde

https://bugzilla.netfilter.org/show_bug.cgi?id=1421

Meter <826706276 at qq.com> changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
        Resolution |---                         |FIXED
            Status |NEW                         |RESOLVED

From bugzilla-daemon at netfilter.org Fri Apr 10 13:02:07 2020
Date: Fri, 10 Apr 2020 11:02:07 +0000
Subject: [Bug 1419] abcd

https://bugzilla.netfilter.org/show_bug.cgi?id=1419

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
           Version |other                       |unspecified
         Component |netfilter bugzilla          |trash
           Product |bugzilla                    |trash
          Assignee |netfilter-buglog at lists.netfilter.org |pablo at netfilter.org
                CC |                            |pablo at netfilter.org

From bugzilla-daemon at netfilter.org Fri Apr 10 13:09:03 2020
Date: Fri, 10 Apr 2020 11:09:03 +0000
Subject: [Bug 1420] abcd

https://bugzilla.netfilter.org/show_bug.cgi?id=1420

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
                CC |                            |pablo at netfilter.org
           Version |other                       |unspecified
           Product |bugzilla                    |trash
         Component |netfilter bugzilla          |trash
From bugzilla-daemon at netfilter.org Fri Apr 10 13:09:27 2020
Date: Fri, 10 Apr 2020 11:09:27 +0000
Subject: [Bug 1421] abcde

https://bugzilla.netfilter.org/show_bug.cgi?id=1421

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
           Product |conntrack-tools             |trash
                CC |                            |pablo at netfilter.org
         Component |conntrack-daemon            |trash

From bugzilla-daemon at netfilter.org Fri Apr 10 19:00:29 2020
Date: Fri, 10 Apr 2020 17:00:29 +0000
Subject: [Bug 1422] New: iptables-nft fails to check / delete rules in raw table

https://bugzilla.netfilter.org/show_bug.cgi?id=1422

            Bug ID: 1422
           Summary: iptables-nft fails to check / delete rules in raw table
           Product: iptables
           Version: 1.6.x
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: iptables
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: champetier.etienne at gmail.com

See repro steps, I can create a rule in raw table but can't check / delete it

    # cat /etc/debian_version
    bullseye/sid
    # apt info iptables
    Package: iptables
    Version: 1.8.4-3
    ...
    # /sbin/iptables --version
    iptables v1.8.4 (nf_tables)
    # /sbin/iptables -t raw -L -n -v
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # /sbin/iptables -w2 -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
    root at etiennedebian:~# /sbin/iptables -t raw -L -n -v
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 CT         udp  --  *      *       0.0.0.0/0            169.254.25.10        udp dpt:53 NOTRACK
    # /sbin/iptables -w2 -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
    iptables: Bad rule (does a matching rule exist in that chain?).
    # /sbin/iptables -w2 -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
    iptables: Bad rule (does a matching rule exist in that chain?).
    # /sbin/iptables -t raw -L -n -v
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 CT         udp  --  *      *       0.0.0.0/0            169.254.25.10        udp dpt:53 NOTRACK

I haven't opened a bug on the Debian bug tracker as they use the latest version.
I have a bug open on CentOS bugzilla: https://bugs.centos.org/view.php?id=17239
From bugzilla-daemon at netfilter.org Sat Apr 11 21:37:31 2020
Date: Sat, 11 Apr 2020 19:37:31 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error

https://bugzilla.netfilter.org/show_bug.cgi?id=1415

--- Comment #7 from Pablo Neira Ayuso ---
(In reply to McFly from comment #6)
> I did some further checks:
>
> 1. the problem with the adjacent ip ranges occurs (causing the 'File exists'
> error):
> kernel 5.5.10 -> no
> kernel 5.6.2 -> yes
> kernel 5.6.3 -> yes
> kernel 5.6.3 with patch -> no
>
> i.e. the issue was introduced somewhere between 5.5.10 and 5.6.2 and the
> patch is fixing it.

Thanks for confirming that the patch that is flying upstream is fixing the issue.

> 2. the problem with overlapping ip ranges (causing the segmentation fault)
> occurs with kernels 5.5.10, 5.6.3 and the patch does NOT fix it
>
> Maybe distinct problems. Shall I report this as a separate bug?

No need for this, patch has been posted on the mailing list:

https://patchwork.ozlabs.org/patch/1269369/

From bugzilla-daemon at netfilter.org Mon Apr 13 03:25:03 2020
Date: Mon, 13 Apr 2020 01:25:03 +0000
Subject: [Bug 1423] New: error

https://bugzilla.netfilter.org/show_bug.cgi?id=1423

            Bug ID: 1423
           Summary: error
           Product: bugzilla
           Version: other
          Hardware: i386
                OS: RedHat Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: netfilter bugzilla
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: cxp2760 at 163.com

error
From bugzilla-daemon at netfilter.org Wed Apr 15 16:15:19 2020
Date: Wed, 15 Apr 2020 14:15:19 +0000
Subject: [Bug 1422] iptables-nft fails to check / delete rules in raw table

https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #1 from Etienne Champetier ---
Here is the nft output

    # nft -s list ruleset
    table ip raw {
        chain PREROUTING {
            type filter hook prerouting priority raw; policy accept;
        }

        chain OUTPUT {
            type filter hook output priority raw; policy accept;
            meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
        }
    }
    # nft add rule raw OUTPUT tcp dport 42 notrack
    # nft -s list ruleset
    table ip raw {
        chain PREROUTING {
            type filter hook prerouting priority raw; policy accept;
        }

        chain OUTPUT {
            type filter hook output priority raw; policy accept;
            meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
            tcp dport 42 notrack
        }
    }

So the rule inserted by iptables-nft is wrong, it seems.

From bugzilla-daemon at netfilter.org Wed Apr 15 16:16:10 2020
Date: Wed, 15 Apr 2020 14:16:10 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong

https://bugzilla.netfilter.org/show_bug.cgi?id=1422

Etienne Champetier changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
           Summary |iptables-nft fails to check |iptables-nft raw notrack
                   |/ delete rules in raw table |rules are wrong
From bugzilla-daemon at netfilter.org Wed Apr 15 18:02:30 2020
Date: Wed, 15 Apr 2020 16:02:30 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong

https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #2 from Etienne Champetier ---
Just compiled latest version of iptables (74ef6f1c16ff672139031330dc71c274300dfb2e) but same result

From bugzilla-daemon at netfilter.org Wed Apr 15 18:19:55 2020
Date: Wed, 15 Apr 2020 16:19:55 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong

https://bugzilla.netfilter.org/show_bug.cgi?id=1422

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
    ----------------------------------------------------------------------------
            Status |NEW                         |ASSIGNED
                CC |                            |pablo at netfilter.org

--- Comment #3 from Pablo Neira Ayuso ---
(In reply to Etienne Champetier from comment #1)
[...]
> meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK

You mean it is showing # NOTRACK, right?

That's a missing translation, please, test this patch for iptables:

https://lore.kernel.org/netfilter-devel/20200415161821.119253-1-pablo at netfilter.org/T/#u
From bugzilla-daemon at netfilter.org Wed Apr 15 18:24:01 2020
Date: Wed, 15 Apr 2020 16:24:01 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong

https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #4 from Pablo Neira Ayuso ---
(In reply to Pablo Neira Ayuso from comment #3)
> (In reply to Etienne Champetier from comment #1)
> [...]
> > meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
>
> You mean it is showing # NOTRACK, right?
>
> That's a missing translation, please, test this patch for iptables:
>
> https://lore.kernel.org/netfilter-devel/20200415161821.119253-1-
> pablo at netfilter.org/T/#u

or take it from here:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200415161821.119253-1-pablo at netfilter.org/

Although patchwork is working a bit slow in responding today.
From bugzilla-daemon at netfilter.org Wed Apr 15 18:38:21 2020
Date: Wed, 15 Apr 2020 16:38:21 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #5 from Etienne Champetier ---

Still not working for me :(

# nft flush table ip raw
# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
# ./iptables/xtables-nft-multi iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
    }
}
# nft flush table ip raw
# ./iptables/xtables-nft-multi iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack
# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # CT notrack
    }
}
# nft --version
nftables v0.9.4 (Jive at Five)
# ./iptables/xtables-nft-multi iptables-nft --version
iptables v1.8.4 (nf_tables)
# git log --oneline
8d8d2647 (HEAD -> master) extensions: libxt_CT: add translation for NOTRACK
74ef6f1c (origin/master, origin/HEAD) iptables: open eBPF programs in read only mode
From bugzilla-daemon at netfilter.org Wed Apr 15 18:52:09 2020
Date: Wed, 15 Apr 2020 16:52:09 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #6 from Pablo Neira Ayuso ---

Here it works fine:

# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
root at salvia:/home/pablo# iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
root at salvia:/home/pablo# nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
    }
}

Make sure iptables-nft there is not using the old libraries; in my test machine I have them here:

/usr/lib/xtables/

If you have installed the iptables / nftables package from Debian, it might be that your /usr/lib/xtables/ refers to the extension libraries in /usr/lib/x86_64-linux-gnu/xtables/.
From bugzilla-daemon at netfilter.org Wed Apr 15 18:53:10 2020
Date: Wed, 15 Apr 2020 16:53:10 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #7 from Pablo Neira Ayuso ---

(In reply to Pablo Neira Ayuso from comment #6)
> If you have installed the iptables / nftables package from Debian, it might
> be that your /usr/lib/xtables/ refers to the extension libraries in
> /usr/lib/x86_64-linux-gnu/xtables/.

it might be that your xtables-nft-multi refers to /usr/lib/x86_64-linux-gnu/xtables/

From bugzilla-daemon at netfilter.org Wed Apr 15 19:29:48 2020
Date: Wed, 15 Apr 2020 17:29:48 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #8 from Etienne Champetier ---

Yup, nft is loading libs from /usr/lib/x86_64-linux-gnu/xtables/, I'll rebuild things until it works!
Can you confirm that you can check/delete, as this was my initial problem:

iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 1
iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 2
iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo 3

Same with

iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 4
iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 5
iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j CT --notrack && echo 6

Thanks a lot

From bugzilla-daemon at netfilter.org Wed Apr 15 19:57:23 2020
Date: Wed, 15 Apr 2020 17:57:23 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #9 from Etienne Champetier ---

Using '-j CT --notrack' works
Using '-j NOTRACK' I still can't check/delete

# /usr/local/sbin/iptables-nft -t raw -I OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK && echo ok
ok
# /usr/local/sbin/nft -s list ruleset
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
    }
}
# /usr/local/sbin/iptables-nft -t raw -C OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
# /usr/local/sbin/iptables-nft -t raw -D OUTPUT -p udp -d 169.254.25.10 --dport 53 -j NOTRACK
iptables: Bad rule (does a matching rule exist in that chain?).
From bugzilla-daemon at netfilter.org Wed Apr 15 20:50:43 2020
Date: Wed, 15 Apr 2020 18:50:43 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #10 from Etienne Champetier ---

To be clear, I confirm your patch fixes the nft display bug, but it doesn't fix the initial bug for me.

From bugzilla-daemon at netfilter.org Wed Apr 15 21:39:17 2020
Date: Wed, 15 Apr 2020 19:39:17 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #11 from Pablo Neira Ayuso ---

Ah I see, sorry. Please give a try to this patch.

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200415193810.240720-1-pablo at netfilter.org/

Thanks.

From bugzilla-daemon at netfilter.org Wed Apr 15 21:52:49 2020
Date: Wed, 15 Apr 2020 19:52:49 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #12 from Etienne Champetier ---

Perfect, everything is now working.
If you want you can add Tested-by: Etienne Champetier

The last question is if you plan a release soon or if I should just ask maintainers to backport just the patches.

Thanks a lot!
From bugzilla-daemon at netfilter.org Wed Apr 15 23:05:53 2020
Date: Wed, 15 Apr 2020 21:05:53 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

From bugzilla-daemon at netfilter.org Wed Apr 15 23:08:33 2020
Date: Wed, 15 Apr 2020 21:08:33 +0000
Subject: [Bug 1422] iptables-nft raw notrack rules are wrong
https://bugzilla.netfilter.org/show_bug.cgi?id=1422

--- Comment #13 from Pablo Neira Ayuso ---

(In reply to Etienne Champetier from comment #12)
> The last question is if you plan a release soon or if I should just ask
> maintainers to backport just the patches.

Phil is on holidays this week. He's got a patchset I would like to see merged upstream for the next release. It might take a few weeks to make the new release.

Thanks for reporting!
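The symptom in bug 1422 is visible in the `nft -s list ruleset` output: an iptables-nft rule whose target nft cannot translate is printed with a trailing "# NOTRACK" (or "# CT notrack") comment instead of the native `notrack` statement, and `-C`/`-D` then fail to match it. The following scanner, an added example that is not part of the thread nor of the iptables or nftables projects, walks a listing and reports such rules with their table and chain; the sample listing is constructed from comment #5.

```python
"""Flag rules in `nft -s list ruleset` output whose xtables target was not
translated into a native nftables expression (the bug 1422 symptom).

Added example, not code from the bug thread or from nftables/iptables.
"""
import re
from typing import List, NamedTuple


class UntranslatedRule(NamedTuple):
    table: str   # e.g. "ip raw"
    chain: str   # e.g. "OUTPUT"
    rule: str    # the rule line exactly as listed
    target: str  # xtables target text recovered from the trailing comment


# nft prints an untranslated xtables extension as a trailing "# NAME ..."
# comment with an upper-case name (bug 1422 shows "# NOTRACK" and
# "# CT notrack"); nft's own "# handle N" annotation is lower-case and
# therefore does not match.
_XT_COMMENT_RE = re.compile(r"#\s+([A-Z][A-Za-z0-9_]*)(.*)$")
# Quoted strings (rule comments) may legitimately contain '#'; blank them
# out before scanning so they cannot produce false positives.
_QUOTED_RE = re.compile(r'"[^"]*"')


def find_untranslated(listing: str) -> List[UntranslatedRule]:
    """Return every rule line carrying an xtables-style trailing comment."""
    found: List[UntranslatedRule] = []
    stack: List[str] = []  # open blocks: "table ip raw", "chain OUTPUT", ...
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):          # "table ip raw {", "chain X {", "set s {"
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            stack.pop()
            continue
        # Rules only live directly inside a chain, which lives inside a table.
        if len(stack) != 2 or not stack[1].startswith("chain "):
            continue
        if line.startswith("type "):    # chain header: hook/priority/policy
            continue
        m = _XT_COMMENT_RE.search(_QUOTED_RE.sub('""', line))
        if m:
            table = stack[0].split(" ", 1)[1]   # "table ip raw" -> "ip raw"
            chain = stack[1].split(" ", 1)[1]   # "chain OUTPUT" -> "OUTPUT"
            target = (m.group(1) + m.group(2)).strip()
            found.append(UntranslatedRule(table, chain, line, target))
    return found


# Constructed sample listing, modelled on comment #5: the three ways the
# same iptables-nft rule was rendered before and after the translation patch.
SAMPLE_LISTING = """
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority raw; policy accept;
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # NOTRACK
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter # CT notrack
        meta l4proto udp ip daddr 169.254.25.10 udp dport 53 counter notrack
    }
}
"""

if __name__ == "__main__":
    for hit in find_untranslated(SAMPLE_LISTING):
        print(f"{hit.table} / {hit.chain}: untranslated target {hit.target!r}")
        print(f"    {hit.rule}")
```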
From bugzilla-daemon at netfilter.org Wed Apr 15 23:10:24 2020
Date: Wed, 15 Apr 2020 21:10:24 +0000
Subject: [Bug 1423] error
https://bugzilla.netfilter.org/show_bug.cgi?id=1423

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pablo at netfilter.org
            Version|other                       |unspecified
           Assignee|netfilter-buglog at lists.netfilter.org |pablo at netfilter.org
          Component|netfilter bugzilla          |trash
            Product|bugzilla                    |trash

From bugzilla-daemon at netfilter.org Wed Apr 15 23:14:34 2020
Date: Wed, 15 Apr 2020 21:14:34 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine
https://bugzilla.netfilter.org/show_bug.cgi?id=1417

--- Comment #4 from Pablo Neira Ayuso ---

(In reply to Karel Rericha from comment #3)
> I can confirm that after applying this patch to kernel 5.6.2 mapping to
> adjacent ranges works again.
>
> Thanks Pablo.
>
> Should I close this bug or lets wait until 5.6 branch will be patched?

I'd prefer if you close it once this is fixed in -stable kernels and specify since what -stable kernel this is fixed.

Thanks!
From bugzilla-daemon at netfilter.org Wed Apr 15 23:15:19 2020
Date: Wed, 15 Apr 2020 21:15:19 +0000
Subject: [Bug 1415] adjacent ip ranges in vmap causing error
https://bugzilla.netfilter.org/show_bug.cgi?id=1415

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #8 from Pablo Neira Ayuso ---

Merged upstream, closing.

From bugzilla-daemon at netfilter.org Wed Apr 15 23:16:09 2020
Date: Wed, 15 Apr 2020 21:16:09 +0000
Subject: [Bug 1413] Inconsistent EBUSY errors when adding a duplicate element to a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1413

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso ---

EEXIST here would be better, right?
From bugzilla-daemon at netfilter.org Wed Apr 15 23:20:13 2020
Date: Wed, 15 Apr 2020 21:20:13 +0000
Subject: [Bug 1411] add elements with counter to dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1411

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso ---

(In reply to Karel Rericha from comment #1)
> Looks like this one will be satisfied too, but I will leave it open until I
> will be able to test it (kernel 5.7?).

That's fine, thanks.

From bugzilla-daemon at netfilter.org Wed Apr 15 23:24:20 2020
Date: Wed, 15 Apr 2020 21:24:20 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso ---

Hi,

I'm not sure I understand, do you mean something like this?

nft add rule raw PREROUTING ip daddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

This reads as follows: if packets come _from_ IP address 1.1.1.1, then rewrite the destination address to 2.2.2.2, and so on.
From bugzilla-daemon at netfilter.org Wed Apr 15 23:25:30 2020
Date: Wed, 15 Apr 2020 21:25:30 +0000
Subject: [Bug 1409] nft manpage makes confusing reference to logical operators
https://bugzilla.netfilter.org/show_bug.cgi?id=1409

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso ---

(In reply to Matthew "Cheetah" Gabeler-Lee from comment #0)
> The nft manpage / docs say:
>
> > Expressions can be combined using binary, logical, relational and other types of
> > expressions to form complex or relational (match) expressions
>
> http://git.netfilter.org/nftables/tree/doc/nft.txt#n680
>
> However it's not clear if logical combinations are actually possible?
> https://bugzilla.netfilter.org/show_bug.cgi?id=1202#c1 explicitly states
> that disjunctions are definitely not supported, so logical OR, and XOR are
> right out, and given that I'd say NAND almost certainly is too. The only
> combining operator for matches is AND.
>
> Also, rummaging through the grammar file seems to confirm that there are
> only _bitwise_ operators.

Please, post examples of what you would like to see in place.
From bugzilla-daemon at netfilter.org Wed Apr 15 23:28:51 2020
Date: Wed, 15 Apr 2020 21:28:51 +0000
Subject: [Bug 1408] The Check option of iptables does not work as expected
https://bugzilla.netfilter.org/show_bug.cgi?id=1408

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso ---

Could you give a try to latest iptables? If I understood the problem correctly, it is working here in the most recent iptables release.

# iptables-nft -V
iptables v1.8.4 (nf_tables)
# iptables-nft -t nat -C PREROUTING --proto tcp --dport 80 -j DNAT --to-destination 1.1.1.1:80; echo $?
0
# iptables-nft -t nat -C PREROUTING --proto tcp --dport 80 -j DNAT --to-destination 1.1.1.2:80; echo $?
iptables: Bad rule (does a matching rule exist in that chain?).
1

From bugzilla-daemon at netfilter.org Wed Apr 15 23:30:28 2020
Date: Wed, 15 Apr 2020 21:30:28 +0000
Subject: [Bug 1407] Segfault with iptables-nft-restore when flush rules included
https://bugzilla.netfilter.org/show_bug.cgi?id=1407

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |phil at nwl.cc

--- Comment #1 from Pablo Neira Ayuso ---

Still broken in git. IIRC, I posted a patchset that fixes this. Cc'ing Phil.
From bugzilla-daemon at netfilter.org Wed Apr 15 23:31:30 2020
Date: Wed, 15 Apr 2020 21:31:30 +0000
Subject: [Bug 1406] nft dies with an assertion of consumed > 0
https://bugzilla.netfilter.org/show_bug.cgi?id=1406

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso ---

I confirm I can reproduce this bug here.

From bugzilla-daemon at netfilter.org Thu Apr 16 00:02:07 2020
Date: Wed, 15 Apr 2020 22:02:07 +0000
Subject: [Bug 1403] Timeout object with invalid time unit crashes nft
https://bugzilla.netfilter.org/show_bug.cgi?id=1403

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso ---

Parser is buggy, patch to fix this available here:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200415220114.585390-1-pablo at netfilter.org/
From bugzilla-daemon at netfilter.org Thu Apr 16 00:04:03 2020
Date: Wed, 15 Apr 2020 22:04:03 +0000
Subject: [Bug 1402] Race errors with nft
https://bugzilla.netfilter.org/show_bug.cgi?id=1402

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso ---

nftables 0.9.0 is almost two years old. Would you please test this with the latest release and confirm you are still experiencing problems.

Thanks.

From bugzilla-daemon at netfilter.org Thu Apr 16 00:07:38 2020
Date: Wed, 15 Apr 2020 22:07:38 +0000
Subject: [Bug 1401] Discretely resetting anonymous counters is impossible
https://bugzilla.netfilter.org/show_bug.cgi?id=1401

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso ---

Something similar to -Z to reset counters would suffice for your use case, correct?

Would you submit a patch to improve the flawed areas in this documentation area? That would be greatly appreciated.

From bugzilla-daemon at netfilter.org Thu Apr 16 00:16:15 2020
Date: Wed, 15 Apr 2020 22:16:15 +0000
Subject: [Bug 1397] What am I doing wrong!?
https://bugzilla.netfilter.org/show_bug.cgi?id=1397

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|ASSIGNED                    |RESOLVED

From bugzilla-daemon at netfilter.org Thu Apr 16 00:17:30 2020
Date: Wed, 15 Apr 2020 22:17:30 +0000
Subject: [Bug 1396] When rule with 3 concat elements are added, nft list shows only 2
https://bugzilla.netfilter.org/show_bug.cgi?id=1396

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|ASSIGNED                    |RESOLVED

From bugzilla-daemon at netfilter.org Thu Apr 16 00:22:04 2020
Date: Wed, 15 Apr 2020 22:22:04 +0000
Subject: [Bug 1391] iptables-nft-restore --test can segfault
https://bugzilla.netfilter.org/show_bug.cgi?id=1391

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pablo at netfilter.org,
                   |                            |phil at nwl.cc

--- Comment #1 from Pablo Neira Ayuso ---

I observe no crash in the iptables snapshot in git. IIRC, this has been fixed in one of the recent patches from Phil.

It would be great if we could have a shell test in the tree to cover this one.
From bugzilla-daemon at netfilter.org Thu Apr 16 00:24:49 2020
Date: Wed, 15 Apr 2020 22:24:49 +0000
Subject: [Bug 1385] Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

From bugzilla-daemon at netfilter.org Thu Apr 16 00:28:19 2020
Date: Wed, 15 Apr 2020 22:28:19 +0000
Subject: [Bug 1379] Rule to accept INPUT address range does not block address that are not in range specified
https://bugzilla.netfilter.org/show_bug.cgi?id=1379

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
                 CC|                            |pablo at netfilter.org
             Status|NEW                         |RESOLVED

--- Comment #3 from Pablo Neira Ayuso ---

Your default policy should be turned to DROP, e.g.

iptables -P INPUT DROP

Otherwise, packets not matching your rule will just go through.
From bugzilla-daemon at netfilter.org Thu Apr 16 00:36:29 2020
Date: Wed, 15 Apr 2020 22:36:29 +0000
Subject: [Bug 1361] nft segfault on overlapping intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1361

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Pablo Neira Ayuso ---

Works here:

# nft -f m
m:6:17-25: Error: conflicting intervals specified
        144 - 174 : accept,
        ^^^^^^^^^
m:5:30-13: Error: Could not process rule: File exists
icmpv6 type vmap {

Fixed by:

http://git.netfilter.org/nftables/commit/?id=3e7dad95af69bde12f22af5b1a2bc860ab3da417

From bugzilla-daemon at netfilter.org Thu Apr 16 06:20:03 2020
Date: Thu, 16 Apr 2020 04:20:03 +0000
Subject: [Bug 1409] nft manpage makes confusing reference to logical operators
https://bugzilla.netfilter.org/show_bug.cgi?id=1409

--- Comment #2 from Matthew "Cheetah" Gabeler-Lee ---

I think it should just say "binary and relational operators"? There aren't any logical operators supported as far as I can tell, unless you count the implicit "and" that happens when chaining expressions one after the other in a rule. Perhaps to be more precise in that case, something along the lines of:

Expressions can be combined using binary, relational, and other numeric operators, and combined in a logical "and" by placing multiple expressions in sequence within a rule.

I'm not sure that's ideal wording, but I think it's closer.
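Bugs 1415 and 1417 concern vmap keys that are adjacent (10.0.1.0/24 next to 10.0.2.0/24) but not overlapping, which nft accepts and which only failed with "File exists" on the affected 5.6 kernels, while bug 1361 above shows nft's own rejection of genuinely overlapping keys ("conflicting intervals specified"). The following pre-flight check, an added example that is not code from the threads or from nftables, normalises CIDR, "a-b" range, single-address and integer keys to integer intervals and classifies each neighbouring pair as overlapping or adjacent, so a ruleset can be screened before it is loaded on a kernel that has not yet received the fix.

```python
"""Classify the interval keys of an nftables vmap/map body as overlapping
(rejected by nft with "conflicting intervals specified") or adjacent
(valid, but the shape that triggered the "File exists" error in bugs 1415
and 1417 on affected kernels).

Added example, not code from the bug threads or the nftables project.
"""
import ipaddress
import re
from typing import List, Tuple

# An explicit "a-b" range key; whitespace around the dash is optional
# ("10.0.1.0-10.0.1.255" and "144 - 174" both appear in the threads).
_RANGE_RE = re.compile(r"^\s*(\S+?)\s*-\s*(\S+?)\s*$")


def _to_int(token: str) -> int:
    """Integer keys (e.g. icmpv6 type) stay as-is; addresses become ints."""
    token = token.strip()
    if token.isdigit():
        return int(token)
    return int(ipaddress.ip_address(token))


def key_to_interval(key: str) -> Tuple[int, int]:
    """Return the inclusive [start, end] integer interval one key covers."""
    key = key.strip()
    if "/" in key:                       # CIDR prefix such as 10.0.1.0/24
        net = ipaddress.ip_network(key, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    m = _RANGE_RE.match(key)
    if m:                                # explicit range a-b
        start, end = _to_int(m.group(1)), _to_int(m.group(2))
        if start > end:
            raise ValueError(f"range start after end: {key!r}")
        return start, end
    value = _to_int(key)                 # single address or integer
    return value, value


def parse_vmap_elements(body: str) -> List[Tuple[str, str]]:
    """Split the text between a vmap's braces into (key, verdict) pairs."""
    elements = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, verdict = item.partition(":")
        elements.append((key.strip(), verdict.strip()))
    return elements


def check_intervals(body: str) -> List[Tuple[str, str, str]]:
    """Return (kind, earlier_key, later_key) findings, kind being 'overlap'
    or 'adjacent'. Keys are compared against the interval with the greatest
    end seen so far, so an overlap hidden behind a contained key is not missed."""
    spans = sorted((key_to_interval(k), k) for k, _ in parse_vmap_elements(body))
    findings: List[Tuple[str, str, str]] = []
    max_end_key, max_end = None, None
    for (start, end), key in spans:
        if max_end is not None:
            if start <= max_end:
                findings.append(("overlap", max_end_key, key))
            elif start == max_end + 1:
                findings.append(("adjacent", max_end_key, key))
        if max_end is None or end > max_end:
            max_end_key, max_end = key, end
    return findings


if __name__ == "__main__":
    # The two bodies from bug 1415 and the one that did not fail (comment #1).
    for body in ("10.0.1.0/24 : accept, 10.0.2.0/24 : drop",
                 "10.0.1.0-10.0.1.255 : accept, 10.0.2.0-10.0.2.255 : drop",
                 "10.0.1.0-10.0.1.255 : accept, 10.0.2.1-10.0.2.255 : drop"):
        print(body, "->", check_intervals(body) or "no adjacency or overlap")
```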
From bugzilla-daemon at netfilter.org Thu Apr 16 10:02:47 2020
Date: Thu, 16 Apr 2020 08:02:47 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #2 from e.lohmann at mdex.de ---

Hi Pablo,

thanks for your answer. No, what I like to do in RAW is the same I do in NAT Pre/Post.

dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }

This reads as follows: if packets are sent _to_ IP address 1.1.1.1, then rewrite the destination address to 2.2.2.2 and so on.

snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }

This reads as follows: if packets come _from_ IP address 2.2.2.2, then rewrite the source address to 1.1.1.1 and so on.

With this mechanism we map public ip addresses to private and vice versa. With 2 or more internet access points it's possible that traffic for an address comes in on point A and leaves the system on point B. The STATEFUL rules on point B are NOT working if the IP packet is e.g. TCP, ICMP and NOT new.

What I am trying to accomplish in raw is that this can be done without any conntrack state for all packets in raw. Right now there is no way to create a map in raw and do address rewrite.

Regards,
Eike
From bugzilla-daemon at netfilter.org Thu Apr 16 10:20:41 2020
Date: Thu, 16 Apr 2020 08:20:41 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #3 from Pablo Neira Ayuso ---

(In reply to e.lohmann from comment #2)
> Hi Pablo,
>
> thanks for your answer. No, what I like to do in RAW is the same I do in NAT
> Pre/Post.
>
> dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
>
> This reads as follows: if packets are sent _to_ IP address 1.1.1.1, then rewrite
> the destination address to 2.2.2.2 and so on.

This rule represents the stateless dnat that you are asking for:

nft add rule raw PREROUTING ip daddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

This reads as: set IP destination address based on the map lookup. This map lookup takes packets sent to IP address 1.1.1.1 and it returns 2.2.2.2, which is used to rewrite the IP destination.

> snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
>
> This reads as follows: if packets come _from_ IP address 2.2.2.2, then
> rewrite the source address to 1.1.1.1 and so on.

nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

Similar rule as above, but "ip saddr set" is used.

[...]

> Right now there is no way to create a map in raw and do address rewrite.

Did you give a try to the examples above?

Thank you.
URL: From bugzilla-daemon at netfilter.org Thu Apr 16 10:25:22 2020 From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org) Date: Thu, 16 Apr 2020 08:25:22 +0000 Subject: [Bug 1410] STATELESS, rules with notrack into a map In-Reply-To: References: Message-ID: https://bugzilla.netfilter.org/show_bug.cgi?id=1410 --- Comment #4 from Pablo Neira Ayuso --- (In reply to Pablo Neira Ayuso from comment #3) > (In reply to e.lohmann from comment #2) > > Hi Pablo, > > > > thanks for your answer. No, what I like to do in RAW is the same I do in NAT > > Pre/Post. > > > > dnat to ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } nft add rule raw PREROUTING ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack If you would like to rewrite the destination address based in the existing destination IP address. Map lookups allow for any criteria, including concatenations, e.g. nft add rule raw PREROUTING ip daddr set ip saddr . ip daddr map { 1.1.1.1 . 2.2.2.2 : 3.3.3.3, 1.1.1.2 . 2.2.2.1 : 4.4.4.4 } notrack In this example, if packets are coming from 1.1.1.1 and going to 2.2.2.2, then the IP destination address is rewritten to 3.3.3.3 -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: From bugzilla-daemon at netfilter.org Thu Apr 16 10:33:24 2020 From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org) Date: Thu, 16 Apr 2020 08:33:24 +0000 Subject: [Bug 1410] STATELESS, rules with notrack into a map In-Reply-To: References: Message-ID: https://bugzilla.netfilter.org/show_bug.cgi?id=1410 --- Comment #5 from Pablo Neira Ayuso --- (In reply to Pablo Neira Ayuso from comment #3) [...] > > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 } > > > > This reads as follows: if packets came _from_ IP address 2.2.2.2, the > > rewrite source address to 1.1.1.1 and so on. 
>
> nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2,
> 1.1.1.2 : 2.2.2.3 } notrack

Assuming the legacy table/chains, you can use postrouting/mangle for the
stateless dnat

nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bugzilla-daemon at netfilter.org Thu Apr 16 10:54:00 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 08:54:00 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
In-Reply-To:
References:
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #6 from Pablo Neira Ayuso ---

(In reply to Pablo Neira Ayuso from comment #5)
> (In reply to Pablo Neira Ayuso from comment #3)
> [...]
> > > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> > >
> > > This reads as follows: if packets came _from_ IP address 2.2.2.2, then rewrite
> > > the source address to 1.1.1.1 and so on.
> >
> > nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2,
> > 1.1.1.2 : 2.2.2.3 } notrack
>
> Assuming the legacy table/chains, you can use postrouting/mangle for the
> stateless dnat

You will still need to disable conntrack from PREROUTING for stateless dnat, so
this would be:

nft add rule raw PREROUTING ip saddr { 1.1.1.1, 1.1.1.2 } notrack

The rule above disables conntrack for traffic coming from 1.1.1.1 and 1.1.1.2,
then:

nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 }

This rule performs the stateless snat.

I can place these examples in the wiki if you like.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bugzilla-daemon at netfilter.org Thu Apr 16 10:56:24 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 16 Apr 2020 08:56:24 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
In-Reply-To:
References:
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #7 from Pablo Neira Ayuso ---

(In reply to Pablo Neira Ayuso from comment #6)
> (In reply to Pablo Neira Ayuso from comment #5)
> > (In reply to Pablo Neira Ayuso from comment #3)
> > [...]
> > > > snat to ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
> > > >
> > > > This reads as follows: if packets came _from_ IP address 2.2.2.2, then rewrite
> > > > the source address to 1.1.1.1 and so on.
> > >
> > > nft add rule raw PREROUTING ip saddr set ip saddr map { 1.1.1.1 : 2.2.2.2,
> > > 1.1.1.2 : 2.2.2.3 } notrack
> >
> > Assuming the legacy table/chains, you can use postrouting/mangle for the
> > stateless dnat
>
> You will still need to disable conntrack from PREROUTING for stateless
> dnat, so this would be:

This example is actually stateless snat, sorry for the typo.

> nft add rule raw PREROUTING ip saddr { 1.1.1.1, 1.1.1.2 } notrack
>
> The rule above disables conntrack for traffic coming from 1.1.1.1 and
> 1.1.1.2, then:
>
> nft add rule mangle POSTROUTING ip saddr set ip saddr map { 1.1.1.1 :
> 2.2.2.2, 1.1.1.2 : 2.2.2.3 }
>
> This rule performs the stateless snat.
>
> I can place these examples in the wiki if you like.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bugzilla-daemon at netfilter.org Fri Apr 17 15:24:31 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Fri, 17 Apr 2020 13:24:31 +0000
Subject: [Bug 1410] STATELESS, rules with notrack into a map
In-Reply-To:
References:
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1410

--- Comment #8 from e.lohmann at mdex.de ---

Hi Pablo,

both rules are accepted by nft, and I think it will do the job.

nft add rule raw PREROUTING ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
nft add rule raw PREROUTING ip saddr set ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 } notrack

table ip raw {
	chain PREROUTING {
		type filter hook prerouting priority -300; policy accept;
		ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
		ip saddr set ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 } notrack
	}
}

> nft add rule raw PREROUTING ip daddr set ip saddr . ip daddr map { 1.1.1.1 . 2.2.2.2 : 3.3.3.3, 1.1.1.2 . 2.2.2.1 : 4.4.4.4 } notrack

Nice possibility to do a rewrite on saddr and daddr inside a map!

The stateless snat example in mangle POSTROUTING is also a good idea, thank you
for that!

Yes, please put this into the Wiki; it will help to understand what is possible
with nft.

Is it also possible to add a network or range into a map and do a saddr/daddr
rewrite? Like it was possible with netmap in iptables?

Regards,
Eike

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
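As an added example (not part of the bug thread above and not code from the nftables project), the rules from comments #3 to #8 assembled into one complete stateless 1:1 NAT ruleset: the destination rewrite from comment #8 in prerouting, and the source rewrite placed after routing as in comment #6, with both directions marked notrack before conntrack runs. It is wrapped in a POSIX shell script that writes the ruleset as an `nft -f` file and, where nft is installed, validates it with `nft -c -f` without loading it. The table name stateless_nat, the helper function names and the postrouting priority -150 are my assumptions; the addresses are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not taken from the bug thread: a complete stateless 1:1 NAT
# ruleset in the style discussed in bug 1410, emitted as an `nft -f` file.
# 1.1.1.x play the public addresses and 2.2.2.x the internal hosts, as in
# the thread; the table name and the helper functions are assumptions.

# Print the ruleset. Both notrack rules sit in the prerouting hook at
# priority -300 (the legacy raw priority), which runs before conntrack at
# -200, so these flows never get a conntrack entry in either direction.
stateless_nat_ruleset() {
cat <<'EOF'
table ip stateless_nat {
	chain prerouting {
		type filter hook prerouting priority -300; policy accept;
		# Forward direction: traffic for a public address goes to the
		# internal host. The map lookup only succeeds for listed
		# addresses, so other traffic is neither rewritten nor untracked.
		ip daddr set ip daddr map { 1.1.1.1 : 2.2.2.2, 1.1.1.2 : 2.2.2.3 } notrack
		# Reply direction: keep traffic from the internal hosts out of
		# conntrack as well; the source rewrite happens after routing.
		ip saddr { 2.2.2.2, 2.2.2.3 } notrack
	}
	chain postrouting {
		type filter hook postrouting priority -150; policy accept;
		ip saddr set ip saddr map { 2.2.2.2 : 1.1.1.1, 2.2.2.3 : 1.1.1.2 }
	}
}
EOF
}

# Write the ruleset to a temporary file and, when nft is installed, check it
# with `nft -c -f` (parse and validate without loading it into the kernel).
check_ruleset() {
	tmp=$(mktemp) || return 1
	stateless_nat_ruleset > "$tmp"
	if command -v nft >/dev/null 2>&1; then
		nft -c -f "$tmp"
		rc=$?
	else
		echo "nft not found; ruleset left unchecked in $tmp" >&2
		rc=0
	fi
	rm -f "$tmp"
	return $rc
}

# Number of rules that bypass conntrack; both directions must be covered,
# otherwise replies would create half-open conntrack entries.
notrack_rule_count() {
	stateless_nat_ruleset | grep -c ' notrack$'
}

if [ "${1:-}" = "check" ]; then
	check_ruleset
fi
```

Run it as `sh stateless-nat.sh check` on a host with nft (the check needs the same privileges as loading). Two caveats a practitioner will want: because these flows never enter conntrack, no `ct state` rule in a filter chain and no stateful `dnat`/`snat` rule will ever see them, so any filtering for these hosts has to be written statelessly; and after loading, confirm with a capture on both interfaces that addresses and the IP and transport checksums are rewritten as expected on your kernel.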
URL:

From bugzilla-daemon at netfilter.org Sat Apr 18 21:11:24 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Sat, 18 Apr 2020 19:11:24 +0000
Subject: [Bug 1423] New: iptables-translate silently discards --ctstate DNAT
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1423

            Bug ID: 1423
           Summary: iptables-translate silently discards --ctstate DNAT
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables over nftable
          Assignee: pablo at netfilter.org
          Reporter: oldium.pro at gmail.com

Bug originally reported in the Debian tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932899

I am also affected by the bug. I found the Debian bug, but it looks like it was
ignored, so I am forwarding it here. Original message follows:

This appears to be wrong -- the DNAT is "eaten":

root at not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct state counter accept

root at not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept

I think the output should be

root at not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate DNAT -j ACCEPT
nft add rule ip filter INPUT ct status dnat counter accept

root at not-omega:~# iptables-translate -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
nft add rule ip filter INPUT ct state related,established counter accept
nft add rule ip filter INPUT ct status dnat counter accept

I am new to nftables, so I may have missed something obvious. If so, sorry to
bother you!

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
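As an added example (not part of the bug report and not code from iptables-nft), a small POSIX shell reference translation of the `--ctstate` list that makes the split the reporter expects explicit: connection states become `ct state ...`, while DNAT and SNAT are status bits in nftables and need `ct status ...`. Because `--ctstate` matches when any listed entry applies, the two nftables expressions are emitted as separate rules, which is what the expected output in the report shows for a terminal accept verdict. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of iptables-nft: a reference
# translation of the `-m conntrack --ctstate` list, showing where the
# DNAT/SNAT flags that the reported iptables-translate build drops belong in
# nftables syntax. Function names are my own.
#
# iptables puts connection states (NEW, ESTABLISHED, ...) and the NAT flags
# DNAT/SNAT into one list, and the match succeeds when ANY listed entry
# applies. nftables keeps them apart: states are matched with `ct state`,
# the NAT flags are status bits matched with `ct status`.

# Print one nft match expression per line for the given --ctstate list.
# Returns 1 on an unknown flag instead of silently dropping it.
translate_ctstate() {
	states=""
	status=""
	old_ifs=$IFS
	IFS=,
	for tok in $1; do
		tok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
		case $tok in
			new|established|related|invalid|untracked)
				states="${states:+$states,}$tok" ;;
			dnat|snat)
				status="${status:+$status,}$tok" ;;
			*)
				IFS=$old_ifs
				echo "translate_ctstate: unknown --ctstate flag '$tok'" >&2
				return 1 ;;
		esac
	done
	IFS=$old_ifs
	# Two separate expressions: nft cannot OR them inside one rule, so a
	# rule with a terminal verdict becomes one rule per line.
	if [ -n "$states" ]; then echo "ct state $states"; fi
	if [ -n "$status" ]; then echo "ct status $status"; fi
	return 0
}

# Expand an iptables filter rule with a --ctstate match into nft commands,
# one per expression, preserving the any-of semantics of --ctstate.
#   usage: translate_conntrack_rule TABLE CHAIN CTSTATE_LIST VERDICT
translate_conntrack_rule() {
	translate_ctstate "$3" | while IFS= read -r match; do
		echo "nft add rule ip $1 $2 $match counter $4"
	done
}

# The second rule from the report, translated without losing DNAT.
translate_conntrack_rule filter INPUT ESTABLISHED,RELATED,DNAT accept
```

The per-expression rules are equivalent to the iptables rule only for a terminal verdict such as accept or drop; with a non-terminal target a packet that is both established and DNATed would hit both rules, which is the case to watch when translating logging or counting rules this way.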
URL:

From bugzilla-daemon at netfilter.org Thu Apr 23 15:48:31 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Thu, 23 Apr 2020 13:48:31 +0000
Subject: [Bug 1417] mapping to adjacent ranges is causing error in kernel 5.6, kernel 5.5 works fine
In-Reply-To:
References:
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1417

Karel Rericha changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #5 from Karel Rericha ---

netfilter: nft_set_rbtree: Drop spurious condition for overlap detection on
insertion

landed in kernel 5.6.7, closing as RESOLVED/FIXED now.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bugzilla-daemon at netfilter.org Mon Apr 27 15:10:02 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Mon, 27 Apr 2020 13:10:02 +0000
Subject: [Bug 1424] New: v0.9.0: segfault when using nft -f and issuing "ruleset flush" twice
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1424

            Bug ID: 1424
           Summary: v0.9.0: segfault when using nft -f and issuing "ruleset
                    flush" twice
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: eexexiexit at riseup.net

Created attachment 591
  --> https://bugzilla.netfilter.org/attachment.cgi?id=591&action=edit
strace output of the script that segfaults

Disclaimer: I am totally new to nftables, so forgive my stupidity.

Running this file segfaults on two of my machines (both debian stable "buster"):

/tmp/test:

#!/usr/sbin/nft -f
flush ruleset
create table inet fw
list table inet fw
flush ruleset

the same command sequence runs smoothly when issued interactively.
kernel message:

[ 8841.187933] show_signal_msg: 12 callbacks suppressed
[ 8841.187936] test[17806]: segfault at 10 ip 00007f175a76929b sp 00007ffc67e5c940 error 4 in libnftables.so.0.0.0[7f175a763000+47000]
[ 8841.190580] Code: ff 48 8b 44 24 28 64 48 33 04 25 28 00 00 00 75 06 48 83 c4 30 5b c3 e8 53 a9 ff ff 0f 1f 00 41 56 41 55 41 54 49 89 fc 55 53 <8b> 7f 10 48 89 f3 e8 2a be ff ff 49 8b 4c 24 40 48 8d 35 e9 0f 04
Segmentation fault

uname -a:

Linux something 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64 GNU/Linux
Linux otherthing 4.19.0-8-686-pae #1 SMP Debian 4.19.98-1 (2020-01-26) i686 GNU/Linux

/usr/sbin/nft --version:
nftables v0.9.0 (Fearless Fosdick)

strace is attached.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bugzilla-daemon at netfilter.org Mon Apr 27 18:19:58 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Mon, 27 Apr 2020 16:19:58 +0000
Subject: [Bug 1424] v0.9.0: segfault when using nft -f and issuing "ruleset flush" twice
In-Reply-To:
References:
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1424

Pablo Neira Ayuso changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso ---

(In reply to exit from comment #0)
> Created attachment 591 [details]
> strace output of the script that segfaults
>
> Disclaimer: I am totally new to nftables, so forgive my stupidity.
>
> Running this file segfaults on two of my machines (both debian stable
> "buster"):
[...]
> uname -a:
>
> Linux something 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08)
> x86_64 GNU/Linux
>
> Linux otherthing 4.19.0-8-686-pae #1 SMP Debian 4.19.98-1 (2020-01-26) i686
> GNU/Linux
>
> /usr/sbin/nft --version:
> nftables v0.9.0 (Fearless Fosdick)

This version is almost two years old.
I think there is a more modern version in debian backports, please have a look.

This is working fine here:

# nft -v
nftables v0.9.4 (Jive at Five)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bugzilla-daemon at netfilter.org Tue Apr 28 08:05:33 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Tue, 28 Apr 2020 06:05:33 +0000
Subject: [Bug 1425] New: th not accepted in snat with multiple ip protocols
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1425

            Bug ID: 1425
           Summary: th not accepted in snat with multiple ip protocols
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: fasnacht at protonmail.ch

Hello,

For tracking, here's a bug I'm experiencing, with the following, in an inet
table:

map nat-int-ext-port-v4 {
	type ipv4_addr . inet_service . inet_proto : inet_service
}

[...]

ip protocol {udp, tcp} snat ip to $host_ipv4_address : ip saddr . th sport . ip protocol map @nat-int-ext-port-v4

I get:

Error: transport protocol mapping is only valid after transport protocol match

It works fine with restricting ip protocol to one single protocol.

Best,
Laurent

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From bugzilla-daemon at netfilter.org Tue Apr 28 17:44:37 2020
From: bugzilla-daemon at netfilter.org (bugzilla-daemon at netfilter.org)
Date: Tue, 28 Apr 2020 15:44:37 +0000
Subject: [Bug 1391] iptables-nft-restore --test can segfault
In-Reply-To:
References:
Message-ID:

https://bugzilla.netfilter.org/show_bug.cgi?id=1391

Phil Sutter changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Phil Sutter ---

Hi,

I just pushed a test case, the problem is indeed fixed meanwhile.

Thanks for reporting, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: