[Bug 1489] "map" doesn't work as expected

bugzilla-daemon at netfilter.org
Fri Jan 15 23:27:45 CET 2021


https://bugzilla.netfilter.org/show_bug.cgi?id=1489

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Alexander.S from comment #3)
> Thank you!
> 
> But one more thing.
> Currently, instead of:
> 
> add rule ip mangle manout ct direction reply mark set ct original _ip_ daddr
> map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
> 
> I use:
> 
> add rule ip mangle manout ct direction reply ct original daddr $ext1_ip mark
> set 0x11
> add rule ip mangle manout ct direction reply ct original daddr $ext2_ip mark
> set 0x12
> 
> and it works without "ip".

Yes, it's the legacy syntax which cannot be used with set/map/concatenation.

It only works in simple rules like the one above, but for more complex
operations, nft needs the "ip" prefix.

> In "https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ct"
> examples are also without "ip".

Thanks for spotting this, I have just updated the wiki.

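The corrected form of the rule from the report, written out as a complete ruleset. This is an added example, not code from the bug report or the nftables project; the addresses are constructed RFC 5737 documentation values standing in for $ext1_ip / $ext2_ip, and the chain hook and priority are assumptions (the report does not show how "manout" is defined).

```nft
#!/usr/sbin/nft -f
# Added example (not from the bug report). Constructed addresses stand in
# for the reporter's $ext1_ip / $ext2_ip variables.
define ext1_ip = 192.0.2.10
define ext2_ip = 192.0.2.20

table ip mangle {
    # Named map: original-direction destination address -> fwmark.
    # Keys are typed (ipv4_addr), which is why the rule below has to
    # select the address with the full "ct original ip daddr" expression;
    # the legacy "ct original daddr" form has no family and cannot feed a
    # map, set or concatenation, as explained in the comment above.
    map ext_marks {
        type ipv4_addr : mark
        elements = { $ext1_ip : 0x11, $ext2_ip : 0x12 }
    }

    # Assumed chain definition: output hook at mangle priority.
    chain manout {
        type route hook output priority mangle; policy accept;

        # Legacy syntax still works for a plain match (one rule per address):
        #   ct direction reply ct original daddr $ext1_ip mark set 0x11
        #   ct direction reply ct original daddr $ext2_ip mark set 0x12
        #
        # Map form with the "ip" prefix: one rule, lookup table kept in the
        # named map, so addresses can be added with "nft add element" without
        # touching the rule.
        ct direction reply mark set ct original ip daddr map @ext_marks
    }
}
```

`nft -c -f ruleset.nft` parses the file without loading it, which is enough to confirm the prefix requirement: swapping in `ct original daddr map @ext_marks` makes the check fail with a syntax error.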