[Bug 1140] nft dump invalid (flow table)
bugzilla-daemon at netfilter.org
Fri Jul 31 20:41:21 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
Pablo Neira Ayuso <pablo at netfilter.org> changed:
          What    |Removed                     |Added
----------------------------------------------------------------------------
        Resolution|---                         |FIXED
            Status|NEW                         |RESOLVED
--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Flow table syntax is deprecated these days, see:
https://wiki.nftables.org/wiki-nftables/index.php/Meters
This still works for backward compatibility though, even if it's not the
preferred way to instantiate these dynamic sets.
A quick test says this is working:
# cat /tmp/x.nft
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority 0;
                ip protocol icmp flow table i4 { icmp type counter } accept
                ip6 nexthdr icmpv6 flow table i6 { icmpv6 type counter } accept
        }
}
# nft -f /tmp/x.nft
# nft list ruleset > /tmp/y.nft
# nft flush ruleset
# nft -f /tmp/y.nft
# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ip protocol icmp meter i4 size 65535 { icmp type counter } accept
                ip6 nexthdr ipv6-icmp meter i6 size 65535 { icmpv6 type counter } accept
        }
}
Closing this old bug.