[Bug 1489] "map" doesn't work as expected
bugzilla-daemon at netfilter.org
Fri Jan 15 23:27:45 CET 2021
https://bugzilla.netfilter.org/show_bug.cgi?id=1489
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Alexander.S from comment #3)
> Thank you!
>
> But one more thing.
> Currently, instead of:
>
> add rule ip mangle manout ct direction reply mark set ct original _ip_ daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
>
> I use:
>
> add rule ip mangle manout ct direction reply ct original daddr $ext1_ip mark set 0x11
> add rule ip mangle manout ct direction reply ct original daddr $ext2_ip mark set 0x12
>
> and it works without "ip".
Yes, it's the legacy syntax which cannot be used with set/map/concatenation.
It only works in simple rules like the one above, but for more complex
operations, nft needs the "ip" prefix.
> In
> "https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-
> nftables_in_10_minutes#Ct" examples are also without "ip".
Thanks for spotting this, I have just updated the wiki.
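As an added illustration (not part of the bug report or of nftables' own documentation), the ruleset below shows the two forms discussed: the legacy per-address rules, and the single map rule that needs the `ip` prefix after `ct original`. It also shows the same map as a named map, which the thread does not cover. The addresses are placeholders from TEST-NET-2, and the chain type and hook for `manout` are assumed.

```nft
# Placeholder external addresses (constructed, RFC 5737 TEST-NET-2).
define ext1_ip = 198.51.100.10
define ext2_ip = 198.51.100.11

table ip mangle {
    # Named map: original destination address -> packet mark.
    # Same content as the anonymous map below, but editable at runtime
    # (nft add/delete element) without reloading the rule.
    map ext_marks {
        type ipv4_addr : mark
        elements = { $ext1_ip : 0x11, $ext2_ip : 0x12 }
    }

    chain manout {
        # Chain type and hook are assumptions; the report only names the chain.
        type route hook output priority mangle; policy accept;

        # Legacy syntax: one rule per address. "ct original daddr" without a
        # family prefix is accepted here because the match is a plain comparison.
        ct direction reply ct original daddr $ext1_ip mark set 0x11
        ct direction reply ct original daddr $ext2_ip mark set 0x12

        # Map syntax: a single rule for all addresses. As a map key the
        # expression must carry the "ip" family prefix ("ct original ip daddr");
        # without it nft cannot derive the key type and rejects the rule.
        ct direction reply mark set ct original ip daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }

        # Equivalent rule using the named map defined above.
        ct direction reply mark set ct original ip daddr map @ext_marks
    }
}
```

Only one of the three marking variants is needed in practice; they are listed together here so the legacy and map forms can be compared side by side.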