bugzilla-daemon at netfilter.org
2016-May-31 21:18 UTC
[Bug 1071] New: nftables: set does not work within inet table with option flags interval
https://bugzilla.netfilter.org/show_bug.cgi?id=1071

Bug ID: 1071
Summary: nftables: set does not work within inet table with option flags interval
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: jason.lee.campbell at gmail.com

I'm using nftables to combine my IPv4 and IPv6 into one ruleset, so using a single inet table. This allows for single line edits, such as when I want to enable ssh in, instead of editing two separate entries. I imagine separating the rules would work, but defeats the purpose of allowing only a single line edit.

I'm to the point that I want to import my text file of blocked IP subnets, so tried using set within an inet table. To allow subnets, the option flags interval appears to be required. However, when I check the rules (nft -n -f firewall.rules) with flags interval, I receive Operation not permitted. Without the flags interval option, the rule check works, but then I am unable to add subnets to the set.

I have run strace on the rule check, and here's the difference I have found. The last line given in each example differs, where rule check working is 127.0.0.1 and rule check not working is ::ffff:127.0.0.1.

I am using the following versions, compiled today (5/31).

libnftnl-1.0.6-x86_64-1
nftables-e049f92bb7b98dfa218eda2b9b6f14506238abf2-x86_64-1

Without flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(45890), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) 0
connect(5, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38754), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0

With flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(53024), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) 0
connect(5, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38635), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
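The setup the report describes, written out as an added example (not the reporter's ruleset and not code from the nftables project): one inet table carrying both address families, with the blocklist kept in interval sets so that prefixes can be elements. The table, set and chain names are placeholders, and the addresses are documentation ranges (RFC 5737 and RFC 3849) rather than anything the report lists.

```nft
# Added example ruleset (assumed names; documentation prefixes only).
table inet filter {
    # "flags interval" is what allows prefixes or ranges as set elements
    # instead of single addresses. A set has exactly one key type, so
    # IPv4 and IPv6 prefixes need separate sets even inside one inet table.
    set blocklist4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }
    set blocklist6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # One match per family; "ip" / "ip6" selectors are valid in an inet
        # table and only fire for packets of that family.
        ip saddr @blocklist4 drop
        ip6 saddr @blocklist6 drop
        # Layer-4 matches cover both families, so enabling a service stays
        # a single-line edit, which is the point of using one inet table.
        tcp dport 22 accept
    }
}
```

Load the file with `nft -f firewall.rules`; on nft versions that support it, `nft -c -f firewall.rules` parses and validates the ruleset without committing it to the kernel, which is the safer way to confirm that a set definition is accepted before replacing the running rules. Adding a prefix later is `nft add element inet filter blocklist4 { 203.0.113.0/24 }`, which fails on a set that lacks `flags interval`.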
bugzilla-daemon at netfilter.org
2016-May-31 21:59 UTC
[Bug 1071] nftables: set does not work within inet table with option flags interval
https://bugzilla.netfilter.org/show_bug.cgi?id=1071

--- Comment #1 from JLC <jason.lee.campbell at gmail.com> ---

Sorry, the pasted strace results do not differ. I was comparing the wrong lines. Starting at that point, they differ.
bugzilla-daemon at netfilter.org
2016-Jun-06 11:50 UTC
[Bug 1071] nftables: set does not work within inet table with option flags interval
https://bugzilla.netfilter.org/show_bug.cgi?id=1071

Pablo Neira Ayuso <pablo at netfilter.org> changed:

What        | Removed | Added
------------|---------|----------
Status      | NEW     | RESOLVED
Resolution  | ---     | DUPLICATE

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---

Please, give a try to 4.7-rc1 and nft 0.6. We have resolved issues with prefixes and named sets in these two releases. Will be passing Linux kernel patches for -stable branches so this propagates backward. Thanks.

*** This bug has been marked as a duplicate of bug 1009 ***