[Bug 1396] When rule with 3 concat elements are added, nft list shows only 2

bugzilla-daemon at netfilter.org
Fri Jan 10 11:29:28 CET 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1396

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Serguei Bezverkhi from comment #0)
> table ip ipv4table {
> 	map cluster-ip-services-set {
> 		type inet_proto . ipv4_addr . inet_service : verdict
> 	}
> 
> 
> 	chain k8s-nat-mark-masq {
> 		ip protocol . ip daddr vmap @cluster-ip-services-set

Not correct.

         ip protocol . ip daddr . th dport vmap @cluster-ip-services-set

or
ip protocol . ip daddr . th dport vmap @cluster-ip-services-set

> 	}
> 
> 	chain k8s-nat-do-mark-masq {
> 		meta mark set 0x00004000 return
> 	}
> }



/home/sparky/x.nft:7:37-60: Error: datatype mismatch, map expects concatenation
of (Internet protocol, IPv4 address, internet network service), mapping
expression has type concatenation of (Internet protocol, IPv4 address)
        ip protocol . ip daddr vmap @cluster-ip-services-set
        ~~~~~~~~~~~~~~~~~~~~~~      ^^^^^^^^^^^^^^^^^^^^^^^^

> the command to add rule to k8s-nat-mark-masq chain is:
> 
> sudo nft add rule ipv4table k8s-nat-mark-masq ip protocol . ip daddr . th
> dport vmap @cluster-ip-services-set
> 
> It does not fail but sudo nft list table ipv4table shows incorrect rule.
> 
> nft -version
> nftables v0.9.3 (Topsy)
> 
> 
> Debug output:
> ip ipv4table k8s-nat-mark-masq 
>   [ payload load 1b @ network header + 9 => reg 1 ]
>   [ payload load 4b @ network header + 16 => reg 9 ]
>   [ payload load 2b @ transport header + 2 => reg 10 ]
>   [ lookup reg 1 set cluster-ip-services-set dreg 0 ]
> 

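The quoted debug output shows the kernel-side rule loading three payload fields into consecutive 32-bit registers and the lookup reading the 16-byte register that spans them, while the listing shows only two elements. The following is an added example, not code from the bug report or from nftables, that decodes those four debug lines and checks whether the key the lookup reads matches the map's declared key type and the listed rule; it assumes the kernel's nf_tables register aliasing (reg 1..4 are 16-byte registers whose 32-bit words are registers 8..23) and takes the set name and rule text from the report.

```python
import re

# The four bytecode lines quoted in the bug report (nft --debug=netlink style).
BYTECODE = """\
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ payload load 4b @ network header + 16 => reg 9 ]
  [ payload load 2b @ transport header + 2 => reg 10 ]
  [ lookup reg 1 set cluster-ip-services-set dreg 0 ]
"""

# Byte widths of the datatypes used in the map's key type.
TYPE_BYTES = {"inet_proto": 1, "ipv4_addr": 4, "inet_service": 2}

PAYLOAD_RE = re.compile(r"payload load (\d+)b @ (\w+) header \+ (\d+) => reg (\d+)")
LOOKUP_RE = re.compile(r"lookup reg (\d+) set (\S+)")

def reg_word(reg):
    """Map a netlink register number to its 32-bit word slot (assumption from
    the kernel uapi: reg 1..4 are 16-byte registers aliased by 32-bit regs 8..23;
    reg >= 8 already names a 32-bit register)."""
    if 1 <= reg <= 4:
        return 8 + 4 * (reg - 1)
    if reg >= 8:
        return reg
    raise ValueError(f"unsupported register {reg}")

def key_layout(bytecode):
    """Return (set name, byte widths of the key elements the lookup reads)."""
    loads = {}  # 32-bit word slot -> byte width written there
    for m in PAYLOAD_RE.finditer(bytecode):
        loads[reg_word(int(m.group(4)))] = int(m.group(1))
    lk = LOOKUP_RE.search(bytecode)
    if lk is None:
        raise ValueError("no lookup expression found")
    word, elems = reg_word(int(lk.group(1))), []
    while word in loads:                 # walk contiguous slots from the lookup's sreg
        elems.append(loads[word])
        word += (loads[word] + 3) // 4   # each concat element is padded to 32 bits
    return lk.group(2), elems

def declared_key(type_str):
    """'inet_proto . ipv4_addr . inet_service' -> [1, 4, 2]"""
    return [TYPE_BYTES[t.strip()] for t in type_str.split(".")]

def compare(bytecode, map_key_type, listed_rule):
    """Kernel key vs. declared map key vs. element count in `nft list` output."""
    name, kernel = key_layout(bytecode)
    listed = listed_rule.split(" vmap ")[0].count(" . ") + 1
    ok = kernel == declared_key(map_key_type)
    return {"set": name, "kernel_elems": len(kernel), "matches_map": ok,
            "listed_elems": listed, "listing_mismatch": ok and listed != len(kernel)}
```

A `listing_mismatch` result means the loaded rule carries the full key and only the decoded listing disagrees, which is what the report describes.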