bugzilla-daemon at netfilter.org
2014-Feb-21 22:00 UTC
[Bug 908] New: "not" keyword not implemented in nft
https://bugzilla.netfilter.org/show_bug.cgi?id=908
Summary: "not" keyword not implemented in nft
Product: nftables
Version: unspecified
Platform: x86_64
OS/Version: Gentoo
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
AssignedTo: pablo at netfilter.org
ReportedBy: jojkvtma at outlook.com
Estimated Hours: 0.0
nftables-0.099, and current head in GIT define the token NOT, but the parser
does not make use of it anywhere. The iptables rules I am trying to port to
nftables include some which need the ability to invoke a verdict when a given
expression is false, such as
...bunch o' stuff that "should" handle all non-icmp traffic
nft add rule ip filter input not icmp log prefix "Unexpected traffic: "
or, for a subnet which should be isolated to a specific interface, rejecting
packets claiming to belong to that subnet but coming from a different
interface:
nft add rule ip filter input ip saddr 10.20.30.0/24 not iif eth2 counter drop
Both of the above currently throw a syntax error:
Error: syntax error, unexpected !
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2014-Feb-22 10:45 UTC
[Bug 908] "not" keyword not implemented in nft
https://bugzilla.netfilter.org/show_bug.cgi?id=908
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What        |Removed  |Added
----------------------------------------------------------------------------
Status      |NEW      |RESOLVED
Resolution  |         |WORKSFORME
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> 2014-02-22 11:45:52 CET ---
I have just added an article on this, it was lacking in the nftables HOWTO:
http://wiki.nftables.org/wiki-nftables/index.php/Building_rules_through_expressions
We indeed support this, but it needs to be represented in a different way, eg.
nft add rule filter input tcp dport != 22
Thanks for your report.