[Bug 1145] nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
bugzilla-daemon at netfilter.org
Fri Jun 16 18:23:02 CEST 2017
https://bugzilla.netfilter.org/show_bug.cgi?id=1145
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What      |Removed  |Added
----------|---------|---------
Status    |NEW      |ASSIGNED
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Thanks for submitting, quick summary on your script file.
This is triggering the bug:
define dnat_ports = { 1234-1567 }
define port_allow = {
53, # dns
$dnat_ports, # dnat
}
that needs to be fixed...
Then, if I comment the nested $dnat_ports inside $port_allow, I can see this:
# nft -f rc.nftables-test
rc.nftables-test:46:17-45: Error: Could not process rule: Invalid argument
ip protocol @protocol_to_rule;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
rc.nftables-test:47:17-45: Error: Could not process rule: Invalid argument
ip6 nexthdr @protocol_to_rule;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
rc.nftables-test:63:17-43: Error: Could not process rule: Invalid argument
ip protocol @reject_to_rule;
^^^^^^^^^^^^^^^^^^^^^^^^^^^
rc.nftables-test:64:17-43: Error: Could not process rule: Invalid argument
ip6 nexthdr @reject_to_rule;
^^^^^^^^^^^^^^^^^^^^^^^^^^^
These are maps, so this should be instead:
ip protocol vmap @protocol_to_rule
"Invalid argument" is not very good, so we can probably get better error
reporting here.
Then, dnat is not supported from postrouting:
rc.nftables-test:83:17-77: Error: Could not process rule: Operation not supported
iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
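As an added illustration, not taken from the bug report or from the nftables project, here is a ruleset fragment in nft 0.7-era syntax that addresses the three points above: the nested define is flattened (a workaround, not a fix for the assertion itself), the maps are looked up with `vmap`, and the dnat rule is moved to a prerouting chain. Table and chain names, the internal host and the interface name are made up.

```nft
# Constructed example: corrected versions of the three problem spots.
define dnat_ports = { 1234-1567 }
# Workaround for the assertion: write the range out instead of nesting $dnat_ports.
define port_allow = { 53, 1234-1567 }
define dnat_host = 192.168.1.10      # hypothetical internal host
define inet_interface = "eth0"       # hypothetical external interface

table inet filter {
    # Verdict map: a lookup must be written "vmap @name", not "@name" alone.
    map protocol_to_rule {
        type inet_proto : verdict
        elements = { tcp : jump tcp_in, udp : jump udp_in, icmp : accept }
    }

    chain tcp_in {
        tcp dport $port_allow accept
    }

    chain udp_in {
        udp dport 53 accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip protocol vmap @protocol_to_rule
        ip6 nexthdr vmap @protocol_to_rule
    }
}

table ip nat {
    # dnat rewrites the destination, so it belongs in prerouting, not postrouting.
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $inet_interface tcp dport $dnat_ports dnat $dnat_host
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $inet_interface masquerade
    }
}
```

Checking the file with `nft -c -f <file>` parses it without loading it, which is the quickest way to confirm that the map lookups and the hook placement are accepted before touching the live ruleset.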