bugzilla-daemon at netfilter.org
2018-Nov-20 00:11 UTC
[Bug 1302] New: iptables v1.8.0 (nf_tables) has a problem inverting in-interface and maybe out
https://bugzilla.netfilter.org/show_bug.cgi?id=1302
Bug ID: 1302
Summary: iptables v1.8.0 (nf_tables) has a problem inverting
in-interface and maybe out
Product: iptables
Version: CVS (please indicate timestamp)
Hardware: x86_64
OS: All
Status: NEW
Severity: major
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: trever at middleearth.sapphiresunday.org
From a script that works with plain iptables:
iptables -A INPUT -i \!ppp0 -p udp --destination-port 53 -j ACCEPT
# iptables-nft -A INPUT -i \!ppp0 -p tcp --destination-port 53 -j ACCEPT
does not work!
In part it yields:
iifname "!ppp0" ip protocol tcp counter packets 0 bytes 0 accept
in nft list ruleset
I believe that is supposed to be
iifname != "ppp0" ip protocol tcp counter packets 0 bytes 0 accept.
I am afraid my attempts at finding why this is have not yielded any good
results.
This is the only thing keeping me from moving to iptables-nft from iptables and
to nft from ipset. I suppose one final thing: ipset had swap to swap one live set
for another. I have some very large sets that sometimes change drastically, and this
helps speed things up tremendously.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20181120/b8dd9a84/attachment.html>
bugzilla-daemon at netfilter.org
2019-Jul-14 09:09 UTC
[Bug 1302] iptables v1.8.0 (nf_tables) has a problem inverting in-interface and maybe out
https://bugzilla.netfilter.org/show_bug.cgi?id=1302
Florian Westphal <fw at strlen.de> changed:
What       | Removed | Added
-----------|---------|----------------
Resolution | ---     | INVALID
CC         |         | fw at strlen.de
Status     | NEW     | RESOLVED
--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to trever from comment #0)
> From a script that works with plain iptables:
> iptables -A INPUT -i \!ppp0 -p udp --destination-port 53 -j ACCEPT
>
> # iptables-nft -A INPUT -i \!ppp0 -p tcp --destination-port 53 -j ACCEPT
>
> does not work!
>
> In part it yields:
>
> iifname "!ppp0" ip protocol tcp counter packets 0 bytes 0 accept
>
> in nft list ruleset
>
> I believe that is supposed to be
>
> iifname != "ppp0" ip protocol tcp counter packets 0 bytes 0
> accept.
No, it's doing exactly what iptables is doing in this case.
You need to use
\! -i ppp0
(extra-positioned negation) instead.
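The point of the reply is that `-i \!ppp0` is not a negation at all: the shell hands iptables the literal string `!ppp0`, which iptables-nft dutifully translates into a match on an interface named `!ppp0`, so the rule silently never matches. The extra-positioned form `\! -i ppp0` is what produces `iifname != "ppp0"`. The script below is an added example, not part of the bug report or of the iptables project: it shows the two command lines side by side and provides a small lint for an `nft list ruleset` dump that flags quoted interface names beginning with `!`, the symptom the reporter saw. The sample ruleset text is constructed for the example and modelled on the lines quoted in the report; the rule lines and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the iptables project.

# The two spellings of "interface is not ppp0". Only the second one is an
# interface negation; the first asks for an interface literally named "!ppp0".
BAD_RULE='iptables-nft -A INPUT -i \!ppp0 -p udp --dport 53 -j ACCEPT'
GOOD_RULE='iptables-nft -A INPUT \! -i ppp0 -p udp --dport 53 -j ACCEPT'

# lint_ruleset reads an `nft list ruleset` dump on stdin and prints every rule
# whose iifname/oifname operand is a quoted name starting with "!" (a literal
# interface name that will never exist). Returns 1 if any such rule is found,
# 0 if the dump is clean. A genuine negation renders as `iifname != "ppp0"`
# and is not matched by the pattern.
lint_ruleset() {
    found=$(grep -E '(iifname|oifname) "![^"]*"' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample dump (not real output): the first INPUT rule is what the
# reporter got from `-i \!ppp0`, the second is what `\! -i ppp0` produces.
SAMPLE_RULESET='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname "!ppp0" ip protocol tcp counter packets 0 bytes 0 accept
		iifname != "ppp0" ip protocol tcp counter packets 0 bytes 0 accept
	}
}'

# check_sample runs the lint over the constructed dump; returns 0 only when
# no literal "!..." interface name is present (here it returns 1).
check_sample() {
    printf '%s\n' "$SAMPLE_RULESET" | lint_ruleset >/dev/null
}

# On a live host the check is: nft list ruleset | lint_ruleset
# (requires root; not run here). The rule that should be used is $GOOD_RULE,
# never $BAD_RULE.
```

Because the mistaken rule matches nothing, the failure mode depends on the target: an ACCEPT that never fires fails closed, as in the report, but a DROP written the same way would fail open and let traffic from `ppp0` through, so this is worth grepping for after any migration from legacy iptables.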