bugzilla-daemon at netfilter.org
2017-Apr-01 17:59 UTC
[Bug 1140] New: nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140

            Bug ID: 1140
           Summary: nft dump invalid (flow table)
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: netfilter at d9c.eu

Hi,

test.nft:
#!/usr/bin/nft -f
flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;
                ip protocol icmp flow table i4 { icmp type counter } accept
                ip6 nexthdr icmpv6 flow table i6 { icmpv6 type counter } accept
        }
}
eof

nft -f test.nft
nft list ruleset > test1.nft
nft flush ruleset
nft -f test1.nft

test1.nft:4:33-41: Error: conflicting protocols specified: inet-service vs. icmp
                flow table i4 { icmp type counter packets 0 bytes 0} accept
                                ^^^^^^^^^

test1.nft:
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                flow table i4 { icmp type counter packets 0 bytes 0} accept
                flow table i6 { icmpv6 type counter packets 0 bytes 0} accept
        }
}

I am using nftables v0.7 on ArchLinux x64

--
You are receiving this mail because:
You are watching all bug changes.

bugzilla-daemon at netfilter.org
2017-May-31 16:59 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140

--- Comment #1 from Andreas Fischer <netfilter at d9c.eu> ---
(In reply to Andreas Fischer from comment #0)
> Hi,
>
> test.nft:
> #!/usr/bin/nft -f
> flush ruleset
>
> table inet filter {
>         chain input {
>                 type filter hook input priority 0;
>                 ip protocol icmp flow table i4 { icmp type counter } accept
>         }
> }
> eof
>

After updating from kernel 4.10 to 4.11, this ruleset is now completely broken:

/etc/nftables.nft:2:1-2: Error: Could not process rule: Operation not supported
table inet filter {
^^

Should I open another bug for this?

bugzilla-daemon at netfilter.org
2017-Jul-30 18:59 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140

--- Comment #2 from Andreas Fischer <netfilter at d9c.eu> ---
> Error: syntax error, unexpected '}'
> ip protocol icmp flow table ee { icmp type } accept
>                                            ^

Apparently nftables expects an actual type, while this would be exactly the
value I would like to have in the flow table.

Did I make a stupid mistake? Is this already fixed? Should I close?

bugzilla-daemon at netfilter.org
2017-Oct-07 14:27 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140

Harsha Sharma <harshasharmaiitr at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |harshasharmaiitr at gmail.com

--- Comment #3 from Harsha Sharma <harshasharmaiitr at gmail.com> ---
(In reply to Andreas Fischer from comment #2)
> > Error: syntax error, unexpected '}'
> > ip protocol icmp flow table ee { icmp type } accept
> >                                            ^
>
> Apparently nftables expects an actual type, while this would be exactly the
> value I would like to have in the flow table.
>
> Did I make a stupid mistake? Is this already fixed? Should I close?

This seems to work just fine. For the above error, if you are using zsh, then
try the above commands with bash.

bugzilla-daemon at netfilter.org
2017-Oct-11 13:26 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140

--- Comment #4 from Andreas Fischer <netfilter at d9c.eu> ---
Since I am running a nft script with "nft -f /etc/nftables.nft", the current
shell should not matter at all. Anyways, I have tried with bash and the error
remains.

Maybe nft 0.8 will solve the problem once it hits Arch repos.

bugzilla-daemon at netfilter.org
2017-Oct-17 09:54 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140

Karel Rericha <karel at unitednetworks.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |karel at unitednetworks.cz

--- Comment #5 from Karel Rericha <karel at unitednetworks.cz> ---
Hi Andreas,

I would suggest using stateful objects for now, which works (v0.8, kernel
4.13.7):

nft add counter x c-echo-reply
nft add rule x y ip protocol icmp counter name icmp type map { echo-reply: "c-echo-reply" }

Of course add counters for other types of icmp messages as needed.

Karel

bugzilla-daemon at netfilter.org
2020-Jul-31 18:41 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Flow table syntax is deprecated these days, see:

https://wiki.nftables.org/wiki-nftables/index.php/Meters

This still works for backward compatibility though, even if it's not the
preferred way to instantiate these dynamic sets.

A quick test says this is working:

# cat /tmp/x.nft
flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;
                ip protocol icmp flow table i4 { icmp type counter } accept
                ip6 nexthdr icmpv6 flow table i6 { icmpv6 type counter } accept
        }
}
# nft -f /tmp/x.nft
# nft list ruleset > /tmp/y.nft
# nft flush ruleset
# nft -f /tmp/y.nft
# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                ip protocol icmp meter i4 size 65535 { icmp type counter } accept
                ip6 nexthdr ipv6-icmp meter i6 size 65535 { icmpv6 type counter } accept
        }
}

Closing this old bug.

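Added example, not part of the thread or of the nftables project: the load / list / flush / reload sequence from comment #0 and comment #6, wrapped as a shell check that reports whether a ruleset dump can be reloaded. The NFT variable and the nft_roundtrip name are assumptions of this example; because the check flushes the ruleset, run it in a scratch network namespace (for instance under unshare -rn), not on a live firewall.

```shell
#!/bin/sh
# Round-trip check for an nftables ruleset file (added example).
# A dump from "nft list ruleset" that does not reload, as reported in this
# bug, cannot serve as a backup of the firewall configuration.
#
# Assumption: NFT names the nft binary to use (hypothetical variable).
NFT="${NFT:-nft}"

# nft_roundtrip SRC
#   0  dump reloads and lists back identically
#   1  SRC itself does not load
#   2  dump does not reload (the failure described in this bug)
#   3  dump reloads, but to a different ruleset
#   4  could not create temp files or list the ruleset
nft_roundtrip() {
    src=$1
    dump=$(mktemp) || return 4
    again=$(mktemp) || { rm -f "$dump"; return 4; }
    rc=0
    if ! "$NFT" -f "$src"; then
        rc=1
    elif ! "$NFT" list ruleset > "$dump"; then
        rc=4
    elif ! { "$NFT" flush ruleset && "$NFT" -f "$dump"; }; then
        rc=2
    elif ! "$NFT" list ruleset > "$again" || ! cmp -s "$dump" "$again"; then
        rc=3
    fi
    rm -f "$dump" "$again"
    return "$rc"
}
```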