bugzilla-daemon at netfilter.org
2018-Sep-19 08:47 UTC
[Bug 1280] New: meta pkttype incompatible? with ingress
https://bugzilla.netfilter.org/show_bug.cgi?id=1280

            Bug ID: 1280
           Summary: meta pkttype incompatible? with ingress
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at d9c.eu

OS: 4.18.8-arch1-1-ARCH (Archlinux) with statically defined IPv4/IPv6 addresses
and nftables 0.9.0 (problem also occurs with kernel 4.14.70)

#!/usr/bin/nft -f
flush ruleset
table netdev ethernet {
    chain etherfilter {
        type filter hook ingress device eth0 priority 0; policy accept;
        pkttype broadcast counter drop
    }
}

When using the above ruleset, after some time (10 minutes - 2 hours, seems to
depend on the background noise like http traffic, ssh brute force attempts,
etc.), the system becomes unresponsive for IPv4 traffic (IPv6 still works fine)
as if everything is getting dropped.

Placing this rule in a "hook prerouting" does not have these problems.

I am completely in the dark regarding the reason for this, especially since it
is working at first sight.
bugzilla-daemon at netfilter.org
2019-Mar-15 18:57 UTC
[Bug 1280] meta pkttype incompatible? with ingress
https://bugzilla.netfilter.org/show_bug.cgi?id=1280

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
                 CC|                            |fw at strlen.de
             Status|NEW                         |RESOLVED

--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to Andreas Fischer from comment #0)
> table netdev ethernet {
>     chain etherfilter {
>         type filter hook ingress device eth0 priority 0; policy accept;
>         pkttype broadcast counter drop
>     }
> }

This drops arp packets (they don't appear in the "ip" family).
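
The following ruleset is an added example, not part of the bug thread and not nftables project code: it keeps the reporter's ingress broadcast drop but accepts ARP first, so IPv4 neighbour resolution keeps working. ARP requests are sent to the Ethernet broadcast address while IPv6 neighbour discovery uses multicast, which matches the IPv4-only failure described; the table, chain and device names are the reporter's, and the added accept rule is an assumption about the intended policy.

```nft
#!/usr/bin/nft -f
# Added example: reporter's ruleset with ARP exempted from the broadcast drop.
flush ruleset

table netdev ethernet {
    chain etherfilter {
        type filter hook ingress device eth0 priority 0; policy accept;

        # Added rule (assumption about intent): the netdev ingress hook sees
        # every frame on eth0, ARP included, so ARP has to be accepted
        # before the broadcast drop or neighbour entries cannot be refreshed.
        ether type arp counter accept

        # Reporter's original rule: drop all remaining link-layer broadcasts.
        # Any other broadcast-dependent protocol in use on this link would
        # need its own accept rule above this line.
        pkttype broadcast counter drop
    }
}

# Checks after loading:
#   nft list chain netdev ethernet etherfilter   # the ARP counter should increase
#   ip -4 neigh show dev eth0                    # entries should not sit in FAILED/INCOMPLETE
```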