[Bug 1071] New: nftables: set does not work within inet table with option flags interval

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue May 31 23:18:55 CEST 2016


https://bugzilla.netfilter.org/show_bug.cgi?id=1071

            Bug ID: 1071
           Summary: nftables: set does not work within inet table with
                    option flags interval
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: jason.lee.campbell at gmail.com

I'm using nftables to combine my IPv4 and IPv6 rules into one ruleset, so I'm using a
single inet table. This allows for single-line edits, such as when I want to
enable ssh in, instead of editing two separate entries. I imagine separating
the rules would work, but that defeats the purpose of allowing only a single-line
edit.

I'm to the point that I want to import my text file of blocked IP subnets, so I
tried using a set within an inet table. To allow subnets, the option flags
interval appears to be required. However, when I check the rules (nft -n -f
firewall.rules) with flags interval, I receive Operation not permitted. Without
the flags interval option, the rule check works, but then I'm unable to add subnets
to the set.

I have run strace on the rule check, and here's the difference I have found.
The last line given in each example differs: 127.0.0.1 where the rule check works
and ::ffff:127.0.0.1 where it does not.

I am using the following versions, compiled today (5/31).

libnftnl-1.0.6-x86_64-1
nftables-e049f92bb7b98dfa218eda2b9b6f14506238abf2-x86_64-1


Without flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6, "::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(45890), inet_pton(AF_INET6,
"::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) =
0
connect(5, {sa_family=AF_INET, sin_port=htons(22),
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38754), inet_pton(AF_INET6,
"::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0


With flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6, "::1",
&sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(53024), inet_pton(AF_INET6,
"::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) =
0
connect(5, {sa_family=AF_INET, sin_port=htons(22),
sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38635), inet_pton(AF_INET6,
"::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0

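The ruleset shape the report describes, written out as an added example (not the reporter's firewall.rules): one inet table covering both address families, with interval sets for the blocked subnets. Table, set and chain names and the subnets are assumptions; because an nft set carries a single element type, the example goes slightly beyond the report by splitting the blocklist into an ipv4_addr set and an ipv6_addr set.

```nft
# Added example, not from the bug report.
# An inet table serves IPv4 and IPv6 at once, but each set has exactly one
# element type, so blocked subnets need one ipv4_addr set and one ipv6_addr set.
# "flags interval" is what lets a set hold prefixes rather than single hosts.
# The subnets below are constructed documentation ranges, not real blocklist data.
table inet filter {
    set blocked4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }

    set blocked6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Blocklist checks first, one rule per address family
        ip saddr @blocked4 drop
        ip6 saddr @blocked6 drop

        ct state established,related accept
        iif lo accept

        # The single-line edit the report wants: this one rule opens ssh for
        # both IPv4 and IPv6 because the table is inet
        tcp dport 22 accept
    }
}
```

`nft -c -f firewall.rules` parses and validates the file without committing it; `nft -f firewall.rules` loads it.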