[Bug 1730] New: nft does not handle IPv6 addresses with embedded IPv4 addresses

bugzilla-daemon at netfilter.org
Sat Jan 6 15:27:00 CET 2024


https://bugzilla.netfilter.org/show_bug.cgi?id=1730

            Bug ID: 1730
           Summary: nft does not handle IPv6 addresses with embedded IPv4
                    addresses
           Product: nftables
           Version: 1.0.x
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: antonio.ojea.garcia at gmail.com

Originally reported by Lars Ekman in Kubernetes
https://github.com/kubernetes/kubernetes/issues/122611 , all credit to him

RFC 5952 seems to accept "embedded IPv4" addresses, and iptables accepts
them; however, nft does not.

This works

ip6tables -A INPUT -s fd00::10.0.0.1/128 -j DROP

This does not

nft -v
nftables v1.0.9 (Old Doc Yak #3)
nft add table ip6 test6
nft 'add chain ip6 test6 test6 { type filter hook prerouting priority 0; }'
nft insert rule ip6 test6 test6 ip6 saddr fd00::10.0.0.1 log
Error: syntax error, unexpected log
insert rule ip6 test6 test6 ip6 saddr fd00::10.0.0.1 log

A comment in
https://github.com/kubernetes/kubernetes/issues/122611#issuecomment-1879569171
seems to indicate the problem is in the flex/bison parsers.

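Added example, not part of the original report and not nftables or Kubernetes code: a caller that generates nft rules can rewrite an address such as fd00::10.0.0.1 into hexadecimal groups only before handing it to nft, so the mixed notation never reaches the parser. The helper names are hypothetical, and the sample addresses are constructed apart from the one in the report.

```python
import ipaddress


def _compress(groups):
    """RFC 5952 style: collapse the longest run (>= 2) of zero groups, leftmost on ties."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexed = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexed)
    head = ":".join(hexed[:best_start])
    tail = ":".join(hexed[best_start + best_len:])
    return f"{head}::{tail}"


def to_hex_only(text):
    """Return an IPv6 address or prefix written with hexadecimal groups only."""
    addr, sep, plen = text.partition("/")
    # IPv6Address accepts a dotted-quad tail and raises ValueError on bad input.
    value = int(ipaddress.IPv6Address(addr))
    groups = [(value >> (112 - 16 * n)) & 0xFFFF for n in range(8)]
    out = _compress(groups)
    if sep:
        if not plen.isdigit() or int(plen) > 128:
            raise ValueError(f"bad prefix length in {text!r}")
        out += "/" + str(int(plen))
    return out


if __name__ == "__main__":
    # The address from the report, then constructed samples.
    for sample in ("fd00::10.0.0.1", "fd00::10.0.0.1/128", "::ffff:192.0.2.1"):
        print(f"{sample:22} -> ip6 saddr {to_hex_only(sample)}")
```

The groups are formatted from the integer value rather than taken from str() of the address object, so the result never contains a dotted quad whatever the library's own display rules are.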